Using UsernameTokens ( With different username to cert alias ) as supporting tokens in Rampart

Recently there were a few mails about problems faced when using the Username Token as a supporting token along with X509 certificates. In these scenarios we use an X509 certificate to sign the message and also attach a Username Token as a supporting token. So let’s see how we can configure Rampart for these scenarios. I have always preferred the policy based configuration, so here too I will use policy based configuration, as it is more flexible ( my opinion 🙂 ) than the basic way of configuring Rampart.

When we use both a Username Token and an X509 certificate, there are 4 possible scenarios.

1. X509 certificate ( which is used to sign ) alias and the username are the same. Cert password and Username Token password are the same.

2. X509 certificate ( which is used to sign ) alias and the username are the same. Cert password is different from the password of the Username Token.

3. X509 certificate ( which is used to sign ) alias and the username are different. Cert password and the Username Token password are the same.

4. X509 certificate ( which is used to sign ) alias and the username are different. Cert password and the Username Token password are different.

Rampart can cater for all four of these situations. But before we look at how to configure Rampart in each of them, let’s look at how Rampart uses the password callback in these situations. There are two situations in which the password callback is used. The first is to extract the password of the user’s private key when we want that key to sign the message. The second is when we want to create a Username Token carrying the user’s password.

Signature

    // Get the user: first check whether userCertAlias is present
    String user = rpd.getRampartConfig().getUserCertAlias();
    // If userCertAlias is not present, use the user property as the alias
    if (user == null) {
        user = rpd.getRampartConfig().getUser();
    }
    CallbackHandler handler = RampartUtil.getPasswordCB(rmd);
    // Ask the callback for the private key password of this alias
    WSPasswordCallback[] cb = { new WSPasswordCallback(user, WSPasswordCallback.SIGNATURE) };
    handler.handle(cb);
    password = cb[0].getPassword();

Username Token

    // The Username Token always uses the user property as the username
    user = rpd.getRampartConfig().getUser();
    CallbackHandler handler = RampartUtil.getPasswordCB(rmd);
    // Ask the callback for the password to place in the Username Token
    WSPasswordCallback[] cb = { new WSPasswordCallback(user, WSPasswordCallback.USERNAME_TOKEN) };
    handler.handle(cb);
    password = cb[0].getPassword();

There are two important things to note. First, when Rampart wants the password of a Username Token for a given username, it sets the usage of the callback to WSPasswordCallback.USERNAME_TOKEN. When what Rampart wants is the cert password, it sets the usage to WSPasswordCallback.SIGNATURE, as you can see in the Signature snippet above. We can use this usage parameter in our callback to provide the correct password for each usage. Second, in the signature case Rampart first checks whether the userCertAlias parameter is set, and if it is set it is used as the cert alias. If it is not set, Rampart falls back to the good old user parameter as the alias of the certificate used for signing.

Now let’s see how we can configure Rampart in each of the above scenarios.

Scenario 1 : Say both the username and the cert alias are “Alice” and the password is “password”.

So first we set both the username of the Username Token and the cert alias using the “user” parameter in the Rampart config. The parameters available in the Rampart config can be found here.

<ramp:user>Alice</ramp:user>

and all you need is a simple callback (the class name below is chosen for this post; Rampart only requires a CallbackHandler implementation):

    import java.io.IOException;
    import javax.security.auth.callback.Callback;
    import javax.security.auth.callback.CallbackHandler;
    import javax.security.auth.callback.UnsupportedCallbackException;
    import org.apache.ws.security.WSPasswordCallback;

    public class PWCBHandler implements CallbackHandler {
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            // Rampart hands us a WSPasswordCallback for each password it needs
            WSPasswordCallback pwcb = (WSPasswordCallback) callbacks[0];
            // identifier is the username (USERNAME_TOKEN) or the cert alias (SIGNATURE);
            // here both are "Alice" and share one password, so usage does not matter
            String id = pwcb.getIdentifier();
            if ("Alice".equals(id)) {
                pwcb.setPassword("password");
            }
        }
    }

Scenario 2 : Say both the username and the cert alias are “Alice”, but the password of the Username Token is “password” and the password of the cert is “password2”. Here too we only need to set the “user” parameter to “Alice” in the Rampart config. But in the password callback we have to make use of the usage property to provide the correct password.

    String id = pwcb.getIdentifier();
    // usage tells us which password Rampart is asking for
    int usage = pwcb.getUsage();

    if ("Alice".equals(id) && usage == WSPasswordCallback.USERNAME_TOKEN) {
        // password placed in the Username Token
        pwcb.setPassword("password");
    } else if ("Alice".equals(id) && usage == WSPasswordCallback.SIGNATURE) {
        // password of the private key used to sign
        pwcb.setPassword("password2");
    }

Scenario 3 : Now the username of the Username Token is “Alice” and the alias of the cert is “Alice2”. The password is “password” in both cases. Here we can’t manage with the “user” parameter of the Rampart config alone, so we use both the “user” parameter and the “userCertAlias” parameter.

<ramp:user>Alice</ramp:user>

<ramp:userCertAlias>Alice2</ramp:userCertAlias>

The callback used in scenario 1 will work for this too, since both identifiers (“Alice” for the token and “Alice2” for the key) resolve to the same password.

Scenario 4 : Here the username of the Username Token is “Alice” and the alias of the cert is “Alice2”. The password of the Username Token is “password” and the password of the cert is “password2”. In this scenario we have to use the Rampart configuration from scenario 3 and the password callback from scenario 2, with “Alice2” checked in the SIGNATURE branch.
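The following callback is an added example for this post (not code from the Rampart samples or the Rampart project) that puts the usage dispatch described above and the scenario 4 configuration together in one complete handler. It assumes the config from scenario 3 (`<ramp:user>Alice</ramp:user>` and `<ramp:userCertAlias>Alice2</ramp:userCertAlias>`); the class name and the two in-memory password maps are illustrative. Unlike the short snippets above, it iterates over every callback Rampart passes in, keeps Username Token passwords and key passwords in separate stores so a username can never be used to unlock a key by accident, and fails with an exception instead of leaving the password unset when the identifier or usage is unexpected.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.ws.security.WSPasswordCallback;

/**
 * Password callback for scenario 4: username "Alice" on the UsernameToken,
 * keystore alias "Alice2" for the signature, two different passwords.
 * Expects <ramp:user>Alice</ramp:user> and <ramp:userCertAlias>Alice2</ramp:userCertAlias>.
 * Class name and password stores are illustrative (not from the Rampart samples).
 */
public class UsageAwarePWCBHandler implements CallbackHandler {

    // UsernameToken passwords keyed by username (constructed sample data)
    private static final Map<String, String> UT_PASSWORDS = new HashMap<String, String>();
    // Private key passwords keyed by keystore alias (constructed sample data)
    private static final Map<String, String> KEY_PASSWORDS = new HashMap<String, String>();

    static {
        UT_PASSWORDS.put("Alice", "password");
        KEY_PASSWORDS.put("Alice2", "password2");
    }

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        // Handle every callback rather than only callbacks[0]
        for (Callback callback : callbacks) {
            if (!(callback instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(callback, "Only WSPasswordCallback is supported");
            }
            WSPasswordCallback pwcb = (WSPasswordCallback) callback;
            String id = pwcb.getIdentifier();
            String password;
            switch (pwcb.getUsage()) {
                case WSPasswordCallback.USERNAME_TOKEN:
                    // identifier is the "user" parameter: the UsernameToken username
                    password = UT_PASSWORDS.get(id);
                    break;
                case WSPasswordCallback.SIGNATURE:
                    // identifier is "userCertAlias" (or "user" when that is unset): the keystore alias
                    password = KEY_PASSWORDS.get(id);
                    break;
                default:
                    throw new UnsupportedCallbackException(callback, "Unexpected usage " + pwcb.getUsage());
            }
            if (password == null) {
                // Fail loudly instead of letting Rampart continue without a password
                throw new UnsupportedCallbackException(callback,
                        "No password for identifier '" + id + "' with usage " + pwcb.getUsage());
            }
            pwcb.setPassword(password);
        }
    }
}
```

The same class covers scenarios 2 and 3 by changing only the map contents: for scenario 2 put “Alice” in both maps with different passwords, for scenario 3 put “Alice” and “Alice2” in their respective maps with the same password. Keeping the two stores separate is what makes the usage check meaningful; a single map keyed on identifier alone would silently hand out the key password whenever a username happened to match an alias.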

To learn more about how to configure Rampart, go through the samples modules shipped with the Rampart distribution. The current Rampart release can be downloaded here.


2 Responses to “Using UsernameTokens ( With different username to cert alias ) as supporting tokens in Rampart”


  1. Ronnie October 6, 2008 at 5:52 pm

    It might be helpful to include the policy files for these scenarios. I know I’ve been working for far too many days to try to get a policy file correct for scenario number 1. (still trying to determine right config for it…)

  2. nandana83 October 8, 2008 at 11:20 am

    Sorry for replying late. Just saw the comment. You can find configs for above in the tutorial Password Callback Handlers Explained.

    thanks,
    nandana
