ode-user mailing list archives

From "Jackson, Douglas" <douglas.s.jack...@siemens.com>
Subject RE: securing outbound messages
Date Mon, 16 Feb 2009 23:26:02 GMT
Hi!
I did get the inbound and outbound security working to an extent.  It puts the security in
the header anyway :).  I am wondering how to get usernames/passwords into/out of the BPEL
though.  I did see this article which I intend to try to get the username out of the rampart
security handler and from there place it in the header so it is accessible to the BPEL process
via the header variable extension:
    http://www.keith-chapman.org/2008/09/axis2-rampart-access-username-used-for.html

However, on the outbound message I am not sure how to get access to the outbound message from
the password handler to get the credentials from the BPEL process into the rampart security
header.  I guess I could pass 2 sets of credentials (1 in WS-Security header and 1 outside)
but that does not seem like the best solution.

-Doug.

-----Original Message-----
From: Alexis Midon [mailto:midon@intalio.com] 
Sent: Friday, February 13, 2009 12:28 PM
To: user@ode.apache.org
Subject: Re: securing outbound messages

Hi Douglas,

yes, you can engage additional modules and set a policy for outgoing
messages.
This area of ODE has been under development lately so I'll split my answer
into 2 parts: one for the current release 1.2, one for the coming release,
1.3.

### In ODE 1.2 ###
This is done on a service basis, using the mechanism described in the user
guide [1].
Here is an example:
let's assume you want to add a policy for outgoing messages to service {http://douglas.com}ServiceA.
To do that, create a file named ServiceA.axis2 in the bundle directory of
your process. This file must be a service.xml document [2] containing the
policy. See [3] for example of such a file.
The ServiceA.axis2 file will get loaded when the service is invoked and
monitored for changes.
Due to Axis2 limitations, the modules eventually listed in ServiceA.axis2
won't be engaged. So you need to engage them in the global config file [4]
(and restart ODE).
Keep in mind that the modules must be available in WEB-INF/modules ;
keystores and additional classes (like callback handlers) must be in the
classpath.


### In ODE 1.3 (yet to be released) ###
In the coming release, these axis2 limitations are worked around and modules
listed in ServiceA.axis2 are engaged (for the targeted service only).
We also optimized the policy case by adding an endpoint property
"security.policy" to specify a policy file, and engaging rampart
automatically.
See ODE user guide for details [5] and test cases [6] for live examples.

This information will be added to the User guide soon.

I hope it's clear enough. Let us know if you need help.

Alexis

[1] http://ode.apache.org/user-guide.html#UserGuide-AdditionalConfigurationforSOAPEndpoints
[2] http://ws.apache.org/axis2/1_0/axis2config.html#Service_Configuration
[3] http://svn.apache.org/viewvc/ode/branches/APACHE_ODE_1.X/axis2-war/src/test/resources/TestRampartPolicy/secured-services/process-sample04_policy_in_service.xml/sample04-policy.axis2?view=log
[4] http://svn.apache.org/viewvc/ode/branches/APACHE_ODE_1.X/axis2-war/src/main/webapp/WEB-INF/conf/axis2.xml?view=markup
[5] http://ode.apache.org/user-guide.html#UserGuide-EndpointConfiguration (also https://issues.apache.org/jira/browse/ODE-388)
[6] The unit test class:
    http://svn.apache.org/viewvc/ode/branches/APACHE_ODE_1.X/axis2-war/src/test/java/org/apache/ode/axis2/rampart/policy/
    The unit test resources:
    http://svn.apache.org/viewvc/ode/branches/APACHE_ODE_1.X/axis2-war/src/test/resources/TestRampartPolicy/secured-services/


On Thu, Feb 12, 2009 at 4:07 PM, Jackson, Douglas <douglas.s.jackson@siemens.com> wrote:

> Hi!
> I am investigating security on outgoing messages from ode.  Is there a way
> to enable Rampart or some other processing on outgoing messages?
>
> As an alternative I was thinking of creating a Java XPATH extension that
> would use wss4j to create a WS-Security compatible element based on the
> credentials stored in the BPEL process that I could pass out via a header
> element in the WSDL to the targeted service.
>
> However, this would not allow for things like encryption.
>
> -Doug.
>
>


-- 

Alexis
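As an added illustration of the ODE 1.2 route Alexis describes above (a ServiceA.axis2 file in the process bundle that holds an Axis2 services.xml document with the policy, plus global engagement of rampart in axis2.xml), here is an example file. It is not taken from the thread or from the ODE test resources linked as [3]; it follows the Axis2 services.xml layout [2] and the usual Rampart policy shape, so check it against [3] for the exact form ODE expects. The service name, the namespace from Doug's question, the user name `odeclient` and the callback class `org.example.CredentialCallbackHandler` are placeholders. The credential is a UsernameToken, which is what Doug is asking about; it is placed under a TransportBinding that requires HTTPS so the password does not leave ODE in clear text, and IncludeTimestamp is set so the receiving service can bound the replay window.

```xml
<!-- ServiceA.axis2: placed in the process bundle directory next to the deploy.xml.
     Added example for the ODE 1.2 mechanism discussed in the thread; all names are
     placeholders and the file is not part of the ODE distribution. -->
<service name="ServiceA">

    <!-- Under ODE 1.2 this per-service module reference is not honoured (Axis2
         limitation noted above): rampart must also be engaged globally in
         WEB-INF/conf/axis2.xml. From 1.3 on it is engaged for this service only. -->
    <module ref="rampart"/>

    <wsp:Policy wsu:Id="UTOverTransport"
                xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
                xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <wsp:ExactlyOne>
            <wsp:All>
                <!-- Require HTTPS for the outbound call: a UsernameToken carries a
                     plaintext password, so it must only travel over TLS. -->
                <sp:TransportBinding>
                    <wsp:Policy>
                        <sp:TransportToken>
                            <wsp:Policy>
                                <sp:HttpsToken RequireClientCertificate="false"/>
                            </wsp:Policy>
                        </sp:TransportToken>
                        <sp:AlgorithmSuite>
                            <wsp:Policy><sp:Basic256/></wsp:Policy>
                        </sp:AlgorithmSuite>
                        <sp:Layout>
                            <wsp:Policy><sp:Lax/></wsp:Policy>
                        </sp:Layout>
                        <!-- A wsu:Timestamp lets the receiver reject stale messages. -->
                        <sp:IncludeTimestamp/>
                    </wsp:Policy>
                </sp:TransportBinding>

                <!-- The credential ODE attaches to every message it sends to ServiceA. -->
                <sp:SignedSupportingTokens>
                    <wsp:Policy>
                        <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient"/>
                    </wsp:Policy>
                </sp:SignedSupportingTokens>

                <!-- Rampart-specific part: which user name to send and which class
                     supplies the password. The class (placeholder name) must be on
                     ODE's classpath, as must any keystore a stronger policy needs. -->
                <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
                    <ramp:user>odeclient</ramp:user>
                    <ramp:passwordCallbackClass>org.example.CredentialCallbackHandler</ramp:passwordCallbackClass>
                </ramp:RampartConfig>
            </wsp:All>
        </wsp:ExactlyOne>
    </wsp:Policy>
</service>
```

For 1.2, the matching step in the global config is a `<module ref="rampart"/>` entry under `<axisconfig>` in WEB-INF/conf/axis2.xml [4], followed by a restart, with the rampart module present in WEB-INF/modules. Per Alexis, 1.3 drops the global step and can instead point at a policy file through the `security.policy` endpoint property [5]. The password callback class is the place where the password for `odeclient` is looked up; how to feed it credentials held in the BPEL process, which is the open question in Doug's follow-up, is not settled in this thread.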
