[wsas-java-dev] [jira] Assigned: (WSAS-246) Programmatically set the encryption user in server's response when using symmetric key encryption

Afkham Azeez (JIRA) jira at wso2.org
Sat Jul 14 18:24:42 PDT 2007


     [ http://www.wso2.org/jira/browse/WSAS-246?page=all ]

Afkham Azeez reassigned WSAS-246:
---------------------------------

    Assignee: Ruchith Fernando  (was: Afkham Azeez)

Ruchith,
Please look into this

Thanks
Azeez

> Programmatically set the encryption user in server's response when using symmetric key encryption
> -------------------------------------------------------------------------------------------------
>
>                 Key: WSAS-246
>                 URL: http://www.wso2.org/jira/browse/WSAS-246
>             Project: WSO2 WSAS
>          Issue Type: Improvement
>          Components: core
>    Affects Versions: 1.1
>         Environment: Windows XP / Tomcat 5.5
>            Reporter: Konstantinos Pateras
>         Assigned To: Ruchith Fernando
>
> I am using Axis2 1.1.1 and Rampart 1.1 and I have implemented the symmetric key encryption using a known shared key between the client and the server. I also use the Username Token and a timestamp. Everything works fine if there is only one shared key between the client and the server.
> Nevertheless, there is the requirement to set a symmetric key for every user known in the server. This means that the server has a database with all the valid users and for every user there is a password (used in the Username Token) and a symmetric key (that should be used in encrypting server's response). The client also has access to a registry that stores the same information.
> I have managed to use the correct key in the client (for encrypting the request) due to dynamic configuration of Axis2 parameters in Stub:
> // Start of code
> options.setProperty( WSHandlerConstants.PW_CALLBACK_REF,
>                               new PWCBHandler(userPassword, userSessionKey) );
> options.setProperty( WSHandlerConstants.ENC_CALLBACK_REF,
>                               new PWCBHandler(userPassword, userSessionKey) );
> OutflowConfiguration ofc = new OutflowConfiguration();
> ofc.setActionItems("Timestamp Encrypt UsernameToken");
> ofc.setUser(username);
> ofc.setEncryptionPropFile("crypto.properties");
> ofc.setEncryptionKeyIdentifier("EmbeddedKeyName");
> options.setProperty(WSSHandlerConstants.OUTFLOW_SECURITY, ofc.getProperty());
> // End of code
> In the above code excerpt I set the PasswordCallbackHandler and EncryptionCallbackHandler to the same reference and pass, as parameters in the constructor, the user's password and the user's session key that should be used. Another way would be to pass the username and let the CallbackHandlers retrieve the password and session key from the registry.
> In the server though, I cannot configure the security parameters dynamically. I cannot get the username of the user who made the request in the CallbackHandlers (the MessageContext is also null) in the response. So I can only use a single session key that would be incorporated in the CallbackHandler or be retrieved by the database but will be the same for all requesting users.
> If I had used certificates and a keystore the same effect would be possible by using the <encryptionUser>useReqSigCert</encryptionUser> parameter that identifies the requesting user and passes this information to the outflow handlers for retrieving the correct certificate (and public key) to encrypt the response.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://www.wso2.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
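
The alternative mentioned in the quoted report (hand the callback handler only a username and let it fetch the password and session key from the registry) is shown here as an added example; it is not code from the reporter or from WSAS/Rampart. It assumes the WSS4J 1.5-era `WSPasswordCallback` API (`getIdentifer()`, `USERNAME_TOKEN`, `KEY_NAME`, `setKey`); `RegistryCallbackHandler`, `Entry` and `register` are hypothetical names, and the in-memory map stands in for the user registry.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

/** Hypothetical handler: resolves password and symmetric key per user. */
public class RegistryCallbackHandler implements CallbackHandler {

    /** Hypothetical registry record; a real one would sit behind a database. */
    static final class Entry {
        final String password;
        final byte[] sessionKey;
        Entry(String password, byte[] sessionKey) {
            this.password = password;
            this.sessionKey = sessionKey.clone(); // keep a private copy
        }
    }

    private final Map<String, Entry> registry = new HashMap<String, Entry>();

    public synchronized void register(String user, String password, byte[] key) {
        registry.put(user, new Entry(password, key));
    }

    public synchronized void handle(Callback[] callbacks)
            throws IOException, UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
            if (!(callbacks[i] instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(callbacks[i]);
            }
            WSPasswordCallback cb = (WSPasswordCallback) callbacks[i];
            // Assumption: WSS4J 1.5 spells this accessor getIdentifer().
            Entry e = registry.get(cb.getIdentifer());
            if (e == null) {
                // Fail closed: never fall back to a key shared by all users.
                throw new IOException("no registry entry for requested identifier");
            }
            switch (cb.getUsage()) {
                case WSPasswordCallback.USERNAME_TOKEN:
                    cb.setPassword(e.password);       // UsernameToken password
                    break;
                case WSPasswordCallback.KEY_NAME:
                    cb.setKey(e.sessionKey.clone());  // per-user symmetric key
                    break;
                default:
                    throw new UnsupportedCallbackException(cb, "unexpected usage");
            }
        }
    }
}
```

The handler only helps where the identifier passed to the callback names the requesting user; the server-side gap described in the report (no username or MessageContext available on the response path) is not addressed by it.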

        



