sguruprasanna (Apprentice; Joined: 29 Jul 2002; Posts: 37)
Posted: Thu Sep 22, 2011 12:44 pm    Post subject: Access WS-Security header fields from within a compute node
Hi,
I have Broker 7.0.0.3 acting as a web service provider, and the consumers sign the message using an X.509 certificate. Since Broker does not support authorization using an X.509 cert against LDAP, I am trying to see if I can work around this using a JavaCompute node.
So as a first step, I need to access the BinarySecurityToken in the WS-Security header from a JavaCompute node after the SOAPInput node in my flow. Is this possible?
I tried to debug, and I don't see the WS-Security header at all at the breakpoint right after the SOAPInput node.
Please let me know...
Thanks
Guru
sguruprasanna (Apprentice; Joined: 29 Jul 2002; Posts: 37)
Posted: Fri Sep 23, 2011 4:07 am    Post subject:
Can anyone answer me please...? Is it possible to access WS-Security fields in a message flow?
mqjeff (Grand Master; Joined: 25 Jun 2008; Posts: 17447)
Posted: Fri Sep 23, 2011 4:09 am    Post subject:
sguruprasanna wrote:
> Can anyone answer me please...? Is it possible to access WS-Security fields in a message flow?

It's certainly possible.
Whether or not it's possible to do so from a flow that starts with a SOAPInput node is an entirely separate question.
You appear to have started to do the necessary work to resolve this issue yourself, in that you appear to have run at least some tracing to see what is actually produced by the Broker under at least some different kinds of circumstances.
So you seem to be on the right track for solving this.
bielesibub (Apprentice; Joined: 02 Jul 2008; Posts: 40; Location: Hampshire, UK)
Posted: Fri Sep 23, 2011 5:34 am    Post subject:
Guru,
Yes, it is possible to get the WS-Security fields in a request, that is, if they have been preserved by the security manager. If you've got a policy + policy binding set up, with identity propagation turned on, then the chances are the identity you are looking for is held in Properties.IdentitySourceIssuedBy for X.509 tokens, or in Properties.IdentitySourceToken for Kerberos.
Hope this helps..
sguruprasanna (Apprentice; Joined: 29 Jul 2002; Posts: 37)
Posted: Fri Sep 23, 2011 6:44 am    Post subject:
Thanks bielesibub & mqjeff... Here is what I have tried so far:
I did not have a security profile configured, so I created one and added it at the flow level in the BAR file. In the security profile, I have set Authentication, Authorization and Mapping to NONE, and just Propagation to True.
I am getting this error now:

> A compatible identity was not found for propagation. One of the following identity types is required: ('username, usernameAndPassword'). Only the following identity types were found: ('X.509').
> An output node with identity propagation enabled failed to locate a compatible identity type in the Properties folder.
> Ensure that all input nodes either have a security profile enabled, or point to an Identity in the incoming message and optionally map the identity to a type that is compatible with the output node. Alternatively,

So does it mean Broker cannot propagate the X.509 token to be accessible in the flow?
mqjeff (Grand Master; Joined: 25 Jun 2008; Posts: 17447)
Posted: Fri Sep 23, 2011 6:54 am    Post subject:
bielesibub (Apprentice; Joined: 02 Jul 2008; Posts: 40; Location: Hampshire, UK)
Posted: Fri Sep 23, 2011 7:22 am    Post subject:
Guru,
If you want to preserve the X.509 token, then you will have to turn off any security profiles on the SOAPInput node and use a SecurityPEP node with TFIM/TAM to do authentication/authorisation/mapping on the X.509 token in the message. This does leave a gaping hole though: you've not checked the integrity of the message.
Or you could:
Set up X.509 security on the SOAPInput node purely to check the integrity of the message.
Retrieve the full DN identity from Properties.IdentitySourceIssuedBy and pass this up to TFIM/TAM using a SecurityPEP node for authentication/authorisation.
The only thing is, you've now got two or more policy enforcement points in your solution: the security profile for integrity and SecurityPEP nodes for authorisation/authentication/mapping. (This is the option we've used.)
sguruprasanna (Apprentice; Joined: 29 Jul 2002; Posts: 37)
Posted: Fri Sep 23, 2011 7:29 am    Post subject:
Thanks mqjeff,
I used the "Default Propagation" security profile at the SOAPInput node as explained here:
http://publib.boulder.ibm.com/infocenter/wmbhelp/v7r0m0/topic/com.ibm.etools.mft.doc/ap04140_.htm

> If you want to extract and propagate an identity without security enforcement or mapping, you can use the supplied security profile called Default Propagation.

and now I am able to see the X.509 token under Properties:

    Properties
    MessageSet:CHARACTER:
    MessageType:CHARACTER:
    MessageFormat:CHARACTER:
    Encoding:INTEGER:546
    CodedCharSetId:INTEGER:437
    Transactional:BOOLEAN:false
    Persistence:BOOLEAN:false
    IdentitySourceType:CHARACTER:X.509
    IdentitySourceToken:CHARACTER:MIICaTCCAdKgAwIBAgIESZCe9TANBgkqhkiG9w0BAQUFADB5MQswCQYDVQQGEwJVUzELMAkGA1UECBMCRkwxE
    IdentitySourcePassword:CHARACTER:
    IdentitySourceIssuedBy:CHARACTER:CN=App1, OU=AppUsers, DC=intadm, DC=com, ST=FL, C=US
    IdentityMappedType:CHARACTER:
    IdentityMappedToken:CHARACTER:
    IdentityMappedPassword:CHARACTER:
    IdentityMappedIssuedBy:CHARACTER:

Thanks bielesibub for your advice!!!
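The thread ends once the X.509 token shows up in the Properties folder, but that alone is only the first step the original post asked for; the authorisation work still has to be done in the JavaCompute node. The following is an added example written for this page, not code from the thread or from IBM: a JavaCompute node placed directly after a SOAPInput node that uses the Default Propagation profile. It reads Properties.IdentitySourceToken (the base64 DER certificate from the BinarySecurityToken), re-parses it as an X.509 certificate, chains it to a local truststore with the standard PKIX validator, cross-checks the subject DN against Properties.IdentitySourceIssuedBy (which the dump above shows carrying the consumer's DN), and then performs the LDAP group-membership check that Broker does not do for X.509 identities. The truststore path and password, the LDAP URL, the group base DN, the group name and the group schema (cn/member attributes) are all assumptions and need to be replaced for a real deployment. As bielesibub notes, Default Propagation does no security enforcement itself, so the WS-Security signature must still be verified by a policy set and binding on the SOAPInput node; this node only decides who the (already integrity-checked) sender is and whether they are allowed in.

```java
import com.ibm.broker.javacompute.MbJavaComputeNode;
import com.ibm.broker.plugin.*;
import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.Collections;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.directory.*;
import javax.naming.ldap.LdapName;
import javax.security.auth.x500.X500Principal;
import javax.xml.bind.DatatypeConverter;

/**
 * Added example (not from the thread): authorise a WS-Security X.509 identity
 * that the "Default Propagation" security profile has placed in Properties.
 * All constants below are assumptions for illustration.
 */
public class X509AuthorizeNode extends MbJavaComputeNode {

    private static final String TRUSTSTORE_PATH = "/var/mqsi/truststore.jks";   // assumption
    private static final char[] TRUSTSTORE_PASSWORD = "changeit".toCharArray(); // assumption
    private static final String LDAP_URL = "ldap://ldap.example.com:389";         // assumption
    private static final String GROUP_BASE_DN = "OU=Groups,DC=intadm,DC=com";     // assumption
    private static final String REQUIRED_GROUP = "WebServiceConsumers";           // assumption

    @Override
    public void evaluate(MbMessageAssembly assembly) throws MbException {
        MbElement root = assembly.getMessage().getRootElement();

        // 1. Only an X.509 identity is acceptable here; reject anything else early.
        String type = valueOf(root, "Properties/IdentitySourceType");
        if (!"X.509".equals(type)) {
            throw userException("expected X.509 identity, found: " + type);
        }
        try {
            // 2. IdentitySourceToken is the base64 DER certificate from the
            //    BinarySecurityToken. Parse it rather than trusting the string.
            byte[] der = DatatypeConverter.parseBase64Binary(valueOf(root, "Properties/IdentitySourceToken"));
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            X509Certificate cert = (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der));

            // 3. Chain the certificate to a CA we trust: a well-formed certificate from an
            //    unknown issuer must not be authorised. Revocation checking is off here;
            //    turn it on (CRL/OCSP) before relying on this in production.
            KeyStore trust = KeyStore.getInstance("JKS");
            FileInputStream fin = new FileInputStream(TRUSTSTORE_PATH);
            try { trust.load(fin, TRUSTSTORE_PASSWORD); } finally { fin.close(); }
            PKIXParameters params = new PKIXParameters(trust);
            params.setRevocationEnabled(false);
            CertPath path = cf.generateCertPath(Collections.singletonList(cert));
            CertPathValidator.getInstance("PKIX").validate(path, params);

            // 4. Take the DN from the validated certificate and cross-check it against the
            //    DN Broker extracted (assumes IdentitySourceIssuedBy holds the subject DN,
            //    as the dump in the thread shows). LdapName normalises case and spacing.
            String subjectDn = cert.getSubjectX500Principal().getName(X500Principal.RFC2253);
            String brokerDn = valueOf(root, "Properties/IdentitySourceIssuedBy");
            if (!new LdapName(subjectDn).equals(new LdapName(brokerDn))) {
                throw userException("DN mismatch: " + subjectDn + " vs " + brokerDn);
            }

            // 5. Authorisation: the subject DN must be a member of the required LDAP group.
            if (!isGroupMember(subjectDn, REQUIRED_GROUP)) {
                throw userException("not authorised: " + subjectDn);
            }

            // 6. Record the verified identity in Environment for downstream nodes and propagate.
            MbElement env = assembly.getGlobalEnvironment().getRootElement();
            MbElement vars = env.getFirstElementByPath("Variables");
            if (vars == null) {
                vars = env.createElementAsLastChild(MbElement.TYPE_NAME, "Variables", null);
            }
            vars.createElementAsLastChild(MbElement.TYPE_NAME_VALUE, "AuthorizedDN", subjectDn);
            getOutputTerminal("out").propagate(assembly);
        } catch (MbException e) {
            throw e;
        } catch (Exception e) {
            throw userException("X.509 authorisation failed: " + e);
        }
    }

    private static String valueOf(MbElement root, String path) throws MbException {
        MbElement el = root.getFirstElementByPath(path);
        return el == null ? "" : el.getValueAsString();
    }

    private MbUserException userException(String text) {
        return new MbUserException(this, "evaluate", "", "", text, null);
    }

    /** LDAP group-membership lookup via JNDI; assumes groups carry cn and member attributes. */
    private static boolean isGroupMember(String memberDn, String group) throws Exception {
        Hashtable<String, String> jndi = new Hashtable<String, String>();
        jndi.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        jndi.put(Context.PROVIDER_URL, LDAP_URL);
        DirContext ctx = new InitialDirContext(jndi);
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[0]);
            NamingEnumeration<SearchResult> results =
                ctx.search(GROUP_BASE_DN, "(&(cn={0})(member={1}))", new Object[] { group, memberDn }, sc);
            return results.hasMore();
        } finally {
            ctx.close();
        }
    }
}
```

Throwing MbUserException routes a rejected request to the node's failure terminal (or the flow's error handling) instead of silently dropping it, and the DN is taken from the parsed certificate rather than copied out of Properties so that what is authorised is what was actually validated. The PKIX step is what closes the gap bielesibub describes for the no-policy-set variant: without it, any client able to produce a syntactically valid certificate would pass the DN comparison.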