[wsas-java-dev] [jira] Created: (WSAS-246) Programmatically set the encryption user in server's response when using symmetric key encryption
Konstantinos Pateras (JIRA)
jira at wso2.org
Mon May 28 08:29:02 PDT 2007
Programmatically set the encryption user in server's response when using symmetric key encryption
-------------------------------------------------------------------------------------------------
Key: WSAS-246
URL: http://www.wso2.org/jira/browse/WSAS-246
Project: WSO2 WSAS-Java
Issue Type: Improvement
Components: core
Affects Versions: 1.1
Environment: Windows XP / Tomcat 5.5
Reporter: Konstantinos Pateras
Assigned To: Afkham Azeez
I am using Axis2 1.1.1 and Rampart 1.1 and I have implemented symmetric key encryption using a known shared key between the client and the server. I also use the Username Token and a timestamp. Everything works fine if there is only one shared key between the client and the server.
Nevertheless, there is a requirement to set a symmetric key for every user known to the server. This means that the server has a database with all the valid users, and for every user there is a password (used in the Username Token) and a symmetric key (that should be used for encrypting the server's response). The client also has access to a registry that stores the same information.
I have managed to use the correct key in the client (for encrypting the request) thanks to the dynamic configuration of Axis2 parameters in the Stub:
// Start of code
import org.apache.axis2.client.Options;
import org.apache.rampart.handler.WSSHandlerConstants;
import org.apache.rampart.handler.config.OutflowConfiguration;
import org.apache.ws.security.handler.WSHandlerConstants;

// Both callback handlers share one handler instance that knows this user's
// UsernameToken password and the symmetric session key used for encryption.
options.setProperty(WSHandlerConstants.PW_CALLBACK_REF,
        new PWCBHandler(userPassword, userSessionKey));
options.setProperty(WSHandlerConstants.ENC_CALLBACK_REF,
        new PWCBHandler(userPassword, userSessionKey));
// Outflow: Timestamp, Encrypt and UsernameToken, with the encryption key
// referenced by an embedded key name rather than a certificate.
OutflowConfiguration ofc = new OutflowConfiguration();
ofc.setActionItems("Timestamp Encrypt UsernameToken");
ofc.setUser(username);
ofc.setEncryptionPropFile("crypto.properties");
ofc.setEncryptionKeyIdentifier("EmbeddedKeyName");
options.setProperty(WSSHandlerConstants.OUTFLOW_SECURITY, ofc.getProperty());
// End of code
In the above code excerpt I set the PasswordCallbackHandler and EncryptionCallbackHandler to the same reference and pass, as parameters to the constructor, the user's password and the user's session key that should be used. Another way would be to pass the username and let the CallbackHandlers retrieve the password and session key from the registry.
On the server, though, I cannot configure the security parameters dynamically. I cannot get the username of the user who made the request in the CallbackHandlers (the MessageContext is also null) in the response. So I can only use a single session key that is either hard-coded in the CallbackHandler or retrieved from the database, but it will be the same for all requesting users.
If I had used certificates and a keystore, the same effect would be possible by using the <encryptionUser>useReqSigCert</encryptionUser> parameter, which identifies the requesting user and passes this information to the outflow handlers for retrieving the correct certificate (and public key) to encrypt the response.
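The "other way" mentioned in the report, a callback handler that is given only the username and looks up both the UsernameToken password and the per-user session key from a registry, as an added example that is not the reporter's code nor part of Rampart. It assumes the WSS4J 1.5 WSPasswordCallback usages USERNAME_TOKEN and KEY_NAME (the latter is what an "EmbeddedKeyName" key identifier asks for) and uses a constructed in-memory map in place of the reporter's registry; RegistryPWCBHandler and the sample user are hypothetical.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

// Hypothetical handler: constructed with the username only, so the caller
// never has to fetch the password or session key itself.
public class RegistryPWCBHandler implements CallbackHandler {
    // Constructed stand-in for the user registry described in the report:
    // every user has a UsernameToken password and a symmetric session key.
    private static final Map<String, String> PASSWORDS = new HashMap<String, String>();
    private static final Map<String, byte[]> SESSION_KEYS = new HashMap<String, byte[]>();
    static {
        PASSWORDS.put("alice", "alice-password");           // sample value
        SESSION_KEYS.put("alice", new byte[16]);            // placeholder 128-bit key
    }

    private final String username;

    public RegistryPWCBHandler(String username) {
        this.username = username;
    }

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback c : callbacks) {
            if (!(c instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(c);
            }
            WSPasswordCallback pwcb = (WSPasswordCallback) c;
            switch (pwcb.getUsage()) {
                case WSPasswordCallback.USERNAME_TOKEN:
                    // Password for the UsernameToken of this user.
                    String pw = PASSWORDS.get(username);
                    if (pw == null) throw new IOException("unknown user: " + username);
                    pwcb.setPassword(pw);
                    break;
                case WSPasswordCallback.KEY_NAME:
                    // Symmetric key for the embedded key name used by Encrypt.
                    byte[] key = SESSION_KEYS.get(username);
                    if (key == null) throw new IOException("no session key for: " + username);
                    pwcb.setKey(key);
                    break;
                default:
                    throw new UnsupportedCallbackException(c, "usage " + pwcb.getUsage());
            }
        }
    }
}
```

Failing closed on an unknown user or missing key, instead of falling back to a shared default key, is what keeps one user's traffic from being encrypted under another user's key.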
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://www.wso2.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira