| From | Sent On | Attachments |
|---|---|---|
| Nate Roe | Mar 10, 2008 2:42 pm | |
| Nandana Mihindukulasooriya | Mar 11, 2008 1:42 am | |
| Nate Roe | Mar 11, 2008 5:03 pm | |
| Subject: | RE: Questions about policy.xml, signatures, and certificates. |
|---|---|
| From: | Nate Roe (nate...@vegas.com) |
| Date: | Mar 11, 2008 5:03:33 pm |
| List: | org.apache.ws.rampart-dev |
Nandana,
Thank you for this detailed response, and especially for the link to your policy
article. I spent considerable time searching for an article just like that!
I have a couple of remaining questions, but these apply to Axis2 more generally,
so I will post them in axis-user.
Thanks again, Nate
-----Original Message-----
From: Nandana Mihindukulasooriya [mailto:nand...@gmail.com]
Sent: Tuesday, March 11, 2008 1:43 AM
To: ramp...@ws.apache.org
Subject: Re: Questions about policy.xml, signatures, and certificates.
Hi Nate,

> My goal is to allow access to my service only to those clients who possess a
> certificate that I issued (using a self-signed CA certificate.)

Yes, this is possible. As you are already trying to do, in the security policy specify the requirement that incoming SOAP messages have to be signed, so only a client possessing a valid certificate can consume the service.

> I also require that the client submit some unique ID -- preferably their
> encryptionUser (the name that I originally created when issuing the client's
> certificate.) I used the information found on this page to create my
> certificates: http://wso2.org/library/174

This can be easily done too. An X.509 certificate contains a lot of unique properties [1]. You can use one of them as the unique ID, for example the thumbprint value, issuer serial, etc.

> My final requirement is to retrieve the IP address of the connecting client.

Take a look at the KB article [2].

> I have tried several different forms of policy.xml, but I've become confused.
> I don't understand exactly what tags enforce a signature.

The Signed Parts assertion can be used to sign the body and the headers. If you want to sign arbitrary elements, then you can use the Signed Elements assertion.

> I've been reading ws-securitypolicy.pdf (2005, v1.1) but I don't completely
> understand it. What does the OnlySignEntireHeadersAndBody assertion do?

If that property is true, we only sign the entire headers and body, and we don't sign arbitrary elements inside them. Take a look at the article [3].

> How can I require a signature?

Use a Signed Parts or Signed Elements assertion according to your requirement.

> How can I pass the encryptionUser rather than some arbitrarily-named user
> token?

I think it is better to use the properties in the certificate used to sign the message to uniquely identify the client.

> How can I obtain the client's IP address?

Take a look at the KB [2].

thanks,
/nandana

[1] - http://en.wikipedia.org/wiki/X.509
[2] - http://wso2.org/library/480
[3] - http://wso2.org/library/3132

http://nandana83.blogspot.com/
http://nandanasm.wordpress.com/

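Nandana's advice to identify the client from the signing certificate, and the KB pointer for the client IP address, can be combined in one Axis2 handler that runs after Rampart has verified the message. This is an added example, not code from the thread or from Rampart itself. It assumes WSS4J 1.5.4 or later (where WSSecurityEngineResult is a Map keyed by its TAG_* constants), that Rampart has stored its results under WSHandlerConstants.RECV_RESULTS, and that the package and property names are ours to choose.

```java
// Added example; assumes Axis2 with Rampart and WSS4J 1.5.4+ (Map-style WSSecurityEngineResult).
package example.security; // hypothetical package name

import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.X509Certificate;
import java.util.List;

import org.apache.axis2.AxisFault;
import org.apache.axis2.context.MessageContext;
import org.apache.axis2.engine.Handler.InvocationResponse;
import org.apache.axis2.handlers.AbstractHandler;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.handler.WSHandlerConstants;
import org.apache.ws.security.handler.WSHandlerResult;

/**
 * Runs after Rampart's inflow handler. It re-verifies nothing; it only reads the certificate
 * that produced the already validated signature and records the client identity and the
 * transport peer address as message-context properties for the service implementation.
 */
public class ClientIdentityHandler extends AbstractHandler {

    // Property names chosen for this example; read them back in the service with
    // MessageContext.getCurrentMessageContext().getProperty(...).
    public static final String CLIENT_ID = "example.clientId";
    public static final String CLIENT_THUMBPRINT = "example.clientThumbprint";
    public static final String CLIENT_IP = "example.clientIp";

    public InvocationResponse invoke(MessageContext msgCtx) throws AxisFault {
        X509Certificate signer = findSigningCertificate(msgCtx);
        if (signer == null) {
            // The policy should already have made Rampart reject this; fail closed regardless.
            throw new AxisFault("Request carries no verified client signature");
        }
        try {
            // Issuer DN plus serial number is unique per issuing CA: the "issuer serial"
            // property the thread suggests using instead of a caller-supplied user name.
            String issuerSerial = signer.getIssuerX500Principal().getName()
                    + " serial=" + signer.getSerialNumber().toString(16);
            msgCtx.setProperty(CLIENT_ID, issuerSerial);
            msgCtx.setProperty(CLIENT_THUMBPRINT, sha1Hex(signer.getEncoded()));
        } catch (GeneralSecurityException e) {
            throw new AxisFault("Cannot read client certificate", e);
        }
        // Axis2 stores the socket peer address under REMOTE_ADDR. This is the last hop only:
        // behind a reverse proxy it is the proxy's address, not the client's.
        msgCtx.setProperty(CLIENT_IP, msgCtx.getProperty(MessageContext.REMOTE_ADDR));
        return InvocationResponse.CONTINUE;
    }

    /** Returns the certificate behind the SIGN action in WSS4J's receiver results, or null. */
    static X509Certificate findSigningCertificate(MessageContext msgCtx) {
        List handlerResults = (List) msgCtx.getProperty(WSHandlerConstants.RECV_RESULTS);
        if (handlerResults == null) {
            return null;
        }
        for (Object hr : handlerResults) {
            List engineResults = ((WSHandlerResult) hr).getResults();
            for (Object er : engineResults) {
                WSSecurityEngineResult result = (WSSecurityEngineResult) er;
                Integer action = (Integer) result.get(WSSecurityEngineResult.TAG_ACTION);
                if (action != null && action.intValue() == WSConstants.SIGN) {
                    return (X509Certificate) result.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
                }
            }
        }
        return null;
    }

    /** Hex-encoded SHA-1 of the DER-encoded certificate, i.e. the usual "thumbprint" value. */
    static String sha1Hex(byte[] der) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("SHA-1").digest(der);
        StringBuilder sb = new StringBuilder(digest.length * 2);
        for (byte b : digest) {
            sb.append(String.format("%02x", b & 0xff));
        }
        return sb.toString();
    }
}
```

Deploy the handler so that it runs after Rampart's inflow handler (Rampart's module.xml places that handler in the Security phase; this one can go in the same phase ordered after it, or in a later phase). The identity it records is only as trustworthy as the keystore Rampart verified the signature against, so that keystore should contain just the self-signed CA certificate and the service's own key.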