Is it necessary to use Rampart on client if server is using it? - axis2

I'm developing a web service and I am working with Axis2 + Rampart on the server. Is it necessary to have Rampart on both ends of the web service? Or is it possible to have a client which implements WS-Security with something other than Rampart?
The examples of Rampart which I've found seem to assume Rampart on both ends. I can't tell if that's just convenient, or if it's necessary. I don't have any control over the client.

No. It is not necessary to use Rampart on the client. Rampart basically processes the security headers in the SOAP message according to the WS-Security* specifications. So if the client can send valid SOAP messages containing standard security headers adhering to the WS-Security* specifications, Rampart will successfully process the request and validate security.
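As an added illustration (not code from the question, the answer, or the Axis2/Rampart project), the following Python builds the standard wsse:UsernameToken header a non-Rampart client would send, next to a minimal server-side check modelled on what a WS-Security processor does with it: recompute the PasswordDigest from the stored secret, bound wsu:Created to a freshness window, and reject a nonce that has already been seen. The password store, the 300-second skew window, the whole-second timestamp format and the in-memory nonce cache are assumptions for this example; a real deployment would also run this over TLS, since the digest alone does not protect the body.

```python
import base64
import datetime
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET

# Namespace and type URIs from SOAP 1.1 and the WS-Security 1.0 UsernameToken Profile.
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PASSWORD_DIGEST = ("http://docs.oasis-open.org/wss/2004/01/"
                   "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
NONCE_B64 = ("http://docs.oasis-open.org/wss/2004/01/"
             "oasis-200401-wss-soap-message-security-1.0#Base64Binary")
CREATED_FMT = "%Y-%m-%dT%H:%M:%SZ"  # whole-second UTC timestamps only (example assumption)

for prefix, uri in (("soapenv", SOAP), ("wsse", WSSE), ("wsu", WSU)):
    ET.register_namespace(prefix, uri)


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """UsernameToken Profile 1.0: Password_Digest = Base64(SHA-1(nonce + created + password))."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def build_envelope(username, password, body_xml, nonce=None, created=None):
    """Client side, no Rampart: wrap body_xml in a SOAP 1.1 envelope whose header carries a
    wsse:UsernameToken with a digested password, a fresh nonce and a wsu:Created timestamp."""
    nonce = os.urandom(16) if nonce is None else nonce
    created = created or datetime.datetime.now(datetime.timezone.utc).strftime(CREATED_FMT)
    env = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP}}}Header")
    security = ET.SubElement(header, f"{{{WSSE}}}Security", {f"{{{SOAP}}}mustUnderstand": "1"})
    token = ET.SubElement(security, f"{{{WSSE}}}UsernameToken", {f"{{{WSU}}}Id": "UsernameToken-1"})
    ET.SubElement(token, f"{{{WSSE}}}Username").text = username
    pw = ET.SubElement(token, f"{{{WSSE}}}Password", {"Type": PASSWORD_DIGEST})
    pw.text = password_digest(nonce, created, password)  # the clear password never leaves the client
    nonce_el = ET.SubElement(token, f"{{{WSSE}}}Nonce", {"EncodingType": NONCE_B64})
    nonce_el.text = base64.b64encode(nonce).decode("ascii")
    ET.SubElement(token, f"{{{WSU}}}Created").text = created
    ET.SubElement(env, f"{{{SOAP}}}Body").append(ET.fromstring(body_xml))
    return ET.tostring(env, encoding="unicode")


class UsernameTokenValidator:
    """Server side: the checks a WS-Security processor performs on the incoming token.
    The password store, the 300 s clock-skew window and the in-memory nonce cache are
    assumptions for this example; a deployment would persist and prune the nonce cache."""

    def __init__(self, passwords, max_age_seconds=300):
        self.passwords = passwords
        self.max_age = datetime.timedelta(seconds=max_age_seconds)
        self.seen_nonces = set()

    def validate(self, envelope_xml, now=None):
        now = now or datetime.datetime.now(datetime.timezone.utc)
        root = ET.fromstring(envelope_xml)
        token = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{WSSE}}}UsernameToken")
        if token is None:
            return False, "UsernameToken missing in request"
        username = token.findtext(f"{{{WSSE}}}Username")
        pw_el = token.find(f"{{{WSSE}}}Password")
        nonce_text = token.findtext(f"{{{WSSE}}}Nonce")
        created = token.findtext(f"{{{WSU}}}Created")
        if pw_el is None or pw_el.get("Type") != PASSWORD_DIGEST or not nonce_text or not created:
            return False, "expected PasswordDigest with Nonce and Created"
        stored = self.passwords.get(username)
        if stored is None:
            return False, "unknown user"
        try:
            created_dt = datetime.datetime.strptime(created, CREATED_FMT).replace(
                tzinfo=datetime.timezone.utc)
        except ValueError:
            return False, "malformed Created"
        if not (now - self.max_age <= created_dt <= now + self.max_age):
            return False, "Created outside freshness window"
        nonce = base64.b64decode(nonce_text)
        if nonce in self.seen_nonces:
            return False, "nonce replayed"
        # Constant-time comparison against a digest recomputed from the stored secret.
        if not hmac.compare_digest(pw_el.text or "", password_digest(nonce, created, stored)):
            return False, "digest mismatch"
        self.seen_nonces.add(nonce)
        return True, "ok"
```

The point of the two halves is that nothing in the exchange is Rampart-specific: the server only needs the element names, the digest formula and the timestamp semantics from the profile, which is why any client library that emits this layout interoperates with a Rampart-protected endpoint.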

Related

Jmeter load tests against WCF service with wsHttpBinding and TransportWithMessageCredential

I have a few WCF Services with wsHttpBinding with TransportWithMessageCredential security. Windows credentials must be provided on each request and therefore are used for authentication (by design by AD), authorization (with AD by AZman) and to identify the user who performed the action (auditory purposes).
The thing is now I need to perform some load tests on these services, using JMeter, and I'm struggling with how I can authenticate the user for each request. I was wondering if anyone had ever made this?
I really need to test with this security concern because the authentication and authorization processes are part of the load tests itself. I could remove them but then the load tests wouldn't be accurate.
The solutions I have in my mind are:
Ensure this is possible to achieve via JMeter
Create a WCF Routing Service on top of these services, exposed as basicHttpsBinding, which then routes the requests to the appropriate destination service, performing impersonation (seems to be a choice but it is not the original test case as well)
Remove security for load test purposes, but then a part of the tests would be removed as well (along with security)
Out of the box JMeter doesn't support any SOAP security implementations, so you might want to use e.g. the WS Security for SOAP plugin.
You should be able to provide your Windows credentials via SOAP Message UsernameToken and the plugin will generate the relevant wsse:Username token.
More information: Running SOAP WS-Security Load Tests in JMeter

Is it possible to configure wsHttpBinding for authentication only (Kerberos token), no signing/encryption

I have a web service running outside of .net that I need to invoke from a .NET client.
I was given a .NET client written in Visual Basic to test with.
The .NET client can access the web service with a clear-text SOAP message using basicHttpBinding.
I can configure a policy/binding for the external web service to use the Kerberos token for Message Level Protection and authentication. I can access this web service from the .NET client by modifying the configuration file to use wsHttpBinding.
Now, the requirement is to use the Kerberos token for authentication only and not sign/encrypt the SOAP message. That is, I only need the tags in the SOAP header. I have this configuration working on the external web service, but now I want to modify the configuration file so the .NET client only sends the and does not sign/encrypt any part of the SOAP message.
Is it possible to modify the .net client's .config file to do this?
My understanding is that basicHttpBinding can not be modified to use a Kerberos token (only UserName/Certificate).
I've tried disabling signing/encryption in wsHttpBinding via an attribute such as "defaultProtectionLevel=Sign/SignEncrypt/None", but this isn't available in wsHttpBinding (or I can't find it). I can only disable or enable message level protection and authentication with .
I've also tried building a customBinding, but can not disable signing/encryption and use the Kerberos token for authentication only.
Does anyone have a solution or some tips that could point me in the right direction to go about solving the above issues?

Encrypt/Decrypt Soap Body In WCF Client

I have a WCF service hosted in IIS. The service is mandated to be basicHttpBinding. There is IBM DataPower in front of the WCF service that exposes it to outside world.
I am writing a WCF client app (inheriting from ClientBase) that has to encrypt the message body using a pre-shared public key and DataPower will decrypt it and forward the message to the hosting server. As for responses, DataPower will encrypt it and the client should be able to decrypt the responses received. One way to achieve this (that I could think of) is using IClientMessageInspector and use the BeforeSendRequest() to encrypt AfterReceiveReply() to decrypt. Before going this route, I wanted to know what other options are available to achieve this?
Usually the pattern is to use SSL, which is easy to work with in DataPower and WCF clients. I'm not sure how easy it is to configure message level encryption in DataPower. If you insist on message level encryption, first check whether DP supports the standard WS-Security approach, in which case configuring the WCF client is easy (basic http binding with security mode of message and client credential type of certificate or username, but of course depending on whether you want to configure client auth).
Yes, DataPower supports the WS-Security standard and you can play around with any part or the whole of messages for encryption/decryption. The only thing you need to weigh here is whether to use PKI or a symmetric encryption/decryption technique while playing with message level security.

In Apache Axis2/Rampart, while generating wsdl and validating policy, is Ws-security Policy 1.2 assertion <sp:NoPassword/> not handled completely?

We are implementing WS-Security Policy on our web services with the following framework/module/specification.
Apache Axis2 1.6.2
Apache Rampart 1.6.2
WS-Security Policy 1.2 (namespace: http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702)
We are facing the following issues while creating/consuming the service.
Axis2 wsdl generation logic ignores <sp:NoPassword/> assertion. After debugging, I realized that it is because of the logic in org.apache.ws.secpolicy.model.UsernameToken (rampart-policy-1.6.2.jar) that expects
<sp:WssUsernameToken11 /> ( or <sp:WssUsernameToken10 />) to be specified - again when I specify that, the <sp:NoPassword/> is created as child element of <sp:WssUsernameToken11 /> which was causing <sp:NoPassword/> to get ignored on the client (consumer) side.
In the implementation of the org.apache.rampart.PolicyBasedResultsValidator/handleSupportingTokens method, the NoPassword scenario is not considered; hence it always fails saying "org.apache.axis2.AxisFault: UsernameToken missing in request".
On the consumer side, for WS Security policy 1.2 to work, we had to remove rahas-1.6.2.mar from the client side rampart repository; there is a JIRA ticket too - https://issues.apache.org/jira/browse/RAMPART-371
Please suggest if I missed something here.

Wcf binding for web service

I'm creating a simple web service using WCF. The message needs to be encrypted and the user needs to be authenticated through an asp.net provider.
What binding should I use for this? WsHttpBinding or WebHttpBinding?
Can anybody point me to a good example using the asp.net provider and self signed certificates with wcf?
Thanks
You say that the message needs to be encrypted, but don't specify whether you have a specific requirement for message-level encryption or if transport encryption might be enough.
If transport-level encryption is enough, then BasicHttpBinding + SSL would work.
Otherwise, you'd use WSHttpBinding and configure message-level encryption. Of course, the decision might also be tied to the capabilities of any clients you want to consume the service.
You also mention WebHttpBinding, but that's used only for REST-style services. Is your service REST style? If so, then your only option would be SSL and using transport-level authentication, I think.