
How to configure Rampart with Axis2

 
vivek kumar gupta
Greenhorn
Posts: 1
Hi all,


How do I provide security in a web service?

Thanks
vivek
 
Ulf Dittmer
Rancher
Posts: 42967
Check the "samples" directory that comes with Rampart; it contains examples of most basic (and not so basic) usage scenarios.

If you're looking for more hand-holding, check out the three articles I've published on WS-Security with Axis in the JavaRanch Journal.
 
Kamal Wickramanayake
Greenhorn
Posts: 27
Use Apache Axis2 security only for learning purposes, but not for production. WS-Security in Axis2 is broken, and the creators themselves say you should depend on WS-SecurityPolicy. But WS-SecurityPolicy is also broken, and policy enforcement does not work well. Last time I checked, it was version 1.4.1. I doubt that the latest version (1.5.1) has fixed these - probably not. In particular, I remember the issues with time stamping, digital certificate based authentication and possible man-in-the-middle attacks.
 
Ulf Dittmer
Rancher
Posts: 42967
Kamal Wickramanayake wrote: Use Apache Axis2 security only for learning purposes, but not for production. WS-Security in Axis2 is broken

Interesting. Do you have a source for this?
 
kri shan
Ranch Hand
Posts: 1462
Mutual authentication between web service provider and web service consumer using digital certificates from CAs.
 
Kamal Wickramanayake
Greenhorn
Posts: 27
@Ulf Dittmer:

I myself found all these issues. And these issues are not that difficult to figure out if you use a proxy in the middle and replay messages after tampering. I should retry these and document them somewhere for anyone interested in the details.

The preference for WS-SecurityPolicy over WS-Security was described somewhere on the Axis2 web site. But I just searched on Google and couldn't locate the exact page. Here is some evidence, though:

"Parameter based Rampart configuration is sort of deprecated now"
http://blog.sweetxml.org/2007/12/rampart-basic-examples-how-you-add-ws.html

"The bottom line is parameter based configuration ( WSS4J handlers ) is deprecated and most of the new development happens in the policy based configuration ( Rampart handlers ). So if you are starting to use Rampart, I think is always better to use policy based configuration for all the scenarios whether it is simple or complex."
http://markmail.org/message/hxebpckqiqxpzl2g
 
Ulf Dittmer
Rancher
Posts: 42967
@Kamal:

Both of those references talk about the difficulty of configuring certain aspects of Rampart, and that other approaches are now preferred. Nowhere do I see any suggestion that anything is broken or should not be used in a production environment (which is what you said). Unless you have actual evidence that Rampart does not provide the security it claims to provide, I strongly suggest staying away from the kind of advice you gave.
 
Kamal Wickramanayake
Greenhorn
Posts: 27
Ulf Dittmer wrote: Unless you have actual evidence that Rampart does not provide the security it claims to provide...

"WS-SecurityPolicy is preferred over WS-Security" is their statement. WS-Security was deprecated, and there were reasons behind it. What I don't know is whether they reversed this in version 1.5.

"Axis2 security is broken" is my comment. But I never said anything without facts with me. Wait for a day or two. I'll also try with their latest version.

Ulf Dittmer wrote: I strongly suggest staying away from the kind of advice you gave

"Don't do something" is as good as "do something", I know; you need evidence when the advice goes against what is generally accepted, which I am going to send.
 
Ulf Dittmer
Rancher
Posts: 42967
Kamal Wickramanayake wrote: "WS-SecurityPolicy is preferred over WS-Security" is their statement. WS-Security was deprecated, and there were reasons behind it.

Hm, I don't see anything resembling either of these two statements in the links you posted. Also, "to prefer WS-SecurityPolicy over WS-Security" does not make sense, since WS-SecurityPolicy is used to specify how to apply WS-Security (amongst other things).
If this is just about changes in the way something is configured, then that has no impact on the actual security provided. Rampart itself is certainly not deprecated or obsolete.

Kamal Wickramanayake wrote: I know, you need evidence when the advice goes against what is generally accepted, which I am going to send.

That would be great. It's a subject that interests me a lot.
 
Kamal Wickramanayake
Greenhorn
Posts: 27
Ulf Dittmer wrote: Hm, I don't see anything resembling either of these two statements in the links you posted. Also, "to prefer WS-SecurityPolicy over WS-Security" does not make sense, since WS-SecurityPolicy is used to specify how to apply WS-Security (amongst other things).
If this is just about changes in the way something is configured, then that has no impact on the actual security provided. Rampart itself is certainly not deprecated or obsolete.


What you say is very correct. I wrote it the wrong way. It's a configuration matter. At the beginning there was WS-Security support which required you to configure it using the previously mentioned "parameter based approach". What they deprecated was that "parameter based approach". Then the WS-SecurityPolicy based approach was introduced. The plain and dominant approach used by many to configure WS-Security was the "parameter based approach". That's what was in my mind and the cause of my error. Thanks for pointing it out.

As I said, I'll send evidence showing the issues with both the "parameter based approach" and the WS-SecurityPolicy based approach.
 
Kamal Wickramanayake
Greenhorn
Posts: 27
I was tied up with work and hence couldn't respond quickly.

Here's one issue in detail: Apache Axis2 WS-Security message signing vulnerability (Version 1.5.1)
 