ODE 1.3.2 introduces support for WS-Security: secure services can now be invoked from a process, and the process service itself might be secured. A first part will explain how to invoke a secured service, a second part how to secure the process service.
ODE has an Integration Layer based on Axis2 so using Rampart, the Axis2 security modules, goes without saying. As a result this section will only focus on Rampart integration. Rampart and WS-Security specifications won't be detailed here. Please refer to their ad-hoc documentations for further details.
As any other Axis2 module, Rampart is configurable with Axis2 Service configuration files. For instance a service.xml document, using the parameter based configuration model, might be:
<service> <module ref="rampart" /> <parameter name="OutflowSecurity"> <action> <items>Timestamp Signature</items> <user>client</user> <signaturePropFile>TestRampartBasic/secured-services/client.properties</signaturePropFile> <passwordCallbackClass>org.apache.rampart.samples.sample04.PWCBHandler</passwordCallbackClass> <signatureKeyIdentifier>DirectReference</signatureKeyIdentifier> </action> </parameter> <parameter name="InflowSecurity"> <action> <items>Timestamp Signature</items> <signaturePropFile>TestRampartBasic/secured-services/client.properties</signaturePropFile> </action> </parameter> </service>
Another example using WS-Security Policy based configuration model is listed below. See the full document here.
<service> <module ref="rampart"/> <wsp:Policy wsu:Id="SecConvPolicy2" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"> <wsp:ExactlyOne> <wsp:All> <sp:SymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"> <wsp:Policy> <!-- truncated, see original document ny following the link above --> </wsp:Policy> </sp:SymmetricBinding> <sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"> <wsp:Policy> <!-- truncated, see original document ny following the link above --> </wsp:Policy> </sp:Wss11> <sp:Trust10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"> <wsp:Policy> <!-- truncated, see original document ny following the link above --> </wsp:Policy> </sp:Trust10> <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"> <sp:Body/> </sp:EncryptedParts> <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy"> <ramp:user>client</ramp:user> <ramp:encryptionUser>service</ramp:encryptionUser> <ramp:passwordCallbackClass>org.apache.rampart.samples.policy.sample04.PWCBHandler</ramp:passwordCallbackClass> <ramp:signatureCrypto> <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin"> <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property> <ramp:property name="org.apache.ws.security.crypto.merlin.file">TestRampartPolicy/secured-services/client.jks</ramp:property> <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</ramp:property> </ramp:crypto> </ramp:signatureCrypto> <ramp:encryptionCypto> <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin"> <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property> <ramp:property name="org.apache.ws.security.crypto.merlin.file">TestRampartPolicy/secured-services/client.jks</ramp:property> <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</ramp:property> </ramp:crypto> </ramp:encryptionCypto> </ramp:RampartConfig> </wsp:All> </wsp:ExactlyOne> </wsp:Policy> </service>
The important thing to notice is that these documents are plain Axis2 Service configuration files. And as explained in the ODE User Guide, a mechanism to handle these files already exists. So all we have to do is reuse this mechanism, the rest is pure Rampart configuration.
Let's take an example and see the actual required steps.
Assuming your process needs to invoke the secure service {http://sample03.policy.samples.rampart.apache.org}Sample03, the first step is to prepare a service document named ${process_bundle_dir}/Sample03.axis2 and containing your desired Rampart configuration.
The second step is to to make sure the resources needed to invoke the services are available to Rampart through ODE webapp classpath. Typical resources are:
How you add these resources to ODE classpath might vary depending on your application server, your global architecture or other criteria. So it's up to you to figure this out. However typical locations are:
If you're using the policy base configuration model, an alternative is available to you: use the endpoint property mechanism to attach the policy to the service. In that configuration, ODE will engage the Rampart module and load the policy when the service is invoked.
To do so:
alias.sample03-ns=http://sample03.policy.samples.rampart.apache.org sample03-ns.sample03-policy.ode.security.policy.file=mypolicy.xml
Applying security to a process service is no different from invoking a secured service. If the process service you're exposing is {http://mycompany.com}AbscenceRequest. All you have to do is prepare a service document named ${process_bundle_dir}/AbscenceRequest.axis2 and containing your Rampart configuration. Once again, it's up to you to add the required resources in ODE webapp classpath.
You can also use the property 'security.policy.file' to secure the process service.
No. ODE comes with the following Axis2 modules (and the jars they depend on): Rampart, Rahas and Addressing.
$ cd axis2-war $ buildr test:Secure
The executed processes are generated by the build, so run the tests once, then look into the following directories. Process directories are prefixed with "process-".
The integration with Rampart described in this section is tested with a decent suite of unit tests. These unit tests are based on the Rampart samples. The related resources were imported into ODE repository.
These tests are divided into two parts: tests using the parameter base configuration model aka "basic tests" and tests using the policy base configuration model aka "policy tests".
ODE test cases reuse these test cases in two different scenarii:
These partitions lead to four resource directories:
Everything describes for TestRampartBasic applies to TestRampartPolicy. So for now on we will mention only TestRampartBasic.
For the "secured-services" scenario, the "external" web services are Axis archives deployed in an Axis2 webapp.
The corresponding unit test classes are SecuredServicesTest.java and SecuredProcessTest.java. Each test class will start a list of processes that must succeed (as many processes as Rampart samples actually).
To avoid duplication these processes are generated by the build based on two process templates: one for the secured-services case, another for the secured-processes case.
The build generates processes into: