Multiple Identities, SOAPInput nodes and policy sets
bielesibub (Apprentice; Joined: 02 Jul 2008; Posts: 40; Location: Hampshire, UK)
Posted: Fri May 06, 2011 3:01 am    Post subject: Multiple Identities, SOAPInput nodes and policy sets
Hi all,
Wonder if any of you guys have had need to deal with multiple identities within the same SOAP message.
A requirement that I'm currently banging my head against a wall with goes something like this:
SOAP messages will be protected in the following ways: Kerberos, X.509 and SAML 2.0. Kerberos is used for user identity + signing, X.509 for application identity (+ signing, if not already signed), and SAML 2.0 purely for identity that is passed between flows/services.
In the case of identity authentication this is relatively easy: we can accept a request message without any security policy applied to it, extract the ID token and dump it into a SecurityPEP node.
The problem occurs when we want to validate the integrity of a message using a policy.
If we are checking a message that has only one identity all is great: the message is verified and the identity extracted and passed through in the environment.
If we pass in a message that has multiple identities, it looks like the LAST (not the first, as the documentation says) identity that matches the policy is taken, verified and passed through in the environment, while all the other identities are lost.
Is there a way to preserve this information? The only way that I can see to preserve this is to not enforce the policy in the SOAPInput node, but cobble together some form of security management in a JavaCompute node, or alternatively use WAS (providing the security manager there doesn't throw away the details) as the front for all web services.
Cheers,
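An added example, not code from this thread or from IBM: a stand-alone Python walk of a WS-Security header that keeps every identity token it finds, next to a function that reproduces the "last matching token wins" behaviour the post describes. The sample envelope, its token bytes and the NameID are constructed; the extraction logic is what a JavaCompute-style replacement for policy enforcement would need to do, but nothing here verifies signatures or runs inside a broker node.

```python
import xml.etree.ElementTree as ET

# Namespace URIs as defined by the WS-Security 1.0 and SAML 2.0 specifications.
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Standard ValueType URIs for the two BinarySecurityToken kinds named in the thread.
KERBEROS_VT = "http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ"
X509_VT = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"

# Constructed sample envelope: one Kerberos token, one X.509 token and one SAML 2.0
# assertion in a single wsse:Security header (token bytes are dummy base64).
SAMPLE = f"""<soap:Envelope xmlns:soap="{NS['soap']}">
 <soap:Header>
  <wsse:Security xmlns:wsse="{NS['wsse']}" xmlns:wsu="{NS['wsu']}">
   <wsse:BinarySecurityToken wsu:Id="KerbToken" ValueType="{KERBEROS_VT}">Q09OU1RSVUNURUQ=</wsse:BinarySecurityToken>
   <wsse:BinarySecurityToken wsu:Id="X509Token" ValueType="{X509_VT}">Q09OU1RSVUNURUQ=</wsse:BinarySecurityToken>
   <saml2:Assertion xmlns:saml2="{NS['saml2']}" ID="_a1"><saml2:Subject>
    <saml2:NameID>flow-b@example.test</saml2:NameID></saml2:Subject></saml2:Assertion>
  </wsse:Security>
 </soap:Header>
 <soap:Body/>
</soap:Envelope>"""

def extract_identities(envelope_xml):
    """Return (token_kind, identity) for every identity token, in header order.
    Binary tokens are identified by wsu:Id (the principal sits inside the ticket or
    certificate and needs its own decoder); a SAML assertion by its Subject NameID.
    Signatures are NOT verified here; that is a separate step."""
    root = ET.fromstring(envelope_xml)  # use a hardened XML parser on untrusted input
    sec = root.find("soap:Header/wsse:Security", NS)
    found = []
    if sec is None:
        return found
    for child in sec:
        if child.tag == "{%s}BinarySecurityToken" % NS["wsse"]:
            kind = {KERBEROS_VT: "kerberos", X509_VT: "x509"}.get(child.get("ValueType"), "other")
            found.append((kind, child.get("{%s}Id" % NS["wsu"], "")))
        elif child.tag == "{%s}Assertion" % NS["saml2"]:
            name_id = child.find("saml2:Subject/saml2:NameID", NS)
            found.append(("saml2", name_id.text if name_id is not None else ""))
    return found

def last_matching_identity(envelope_xml, accepted):
    """The behaviour reported in the thread: only the LAST token whose kind the
    policy accepts survives; every earlier identity is dropped."""
    matches = [t for t in extract_identities(envelope_xml) if t[0] in accepted]
    return matches[-1] if matches else None
```

Running `extract_identities(SAMPLE)` yields all three tokens, while `last_matching_identity(SAMPLE, {"kerberos", "x509", "saml2"})` keeps only the SAML subject, which is the information loss the post is asking how to avoid.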
mqjeff (Grand Master; Joined: 25 Jun 2008; Posts: 17447)
Posted: Fri May 06, 2011 4:09 am    Post subject:
I'd encourage you to open a dialog on this with Hursley.
bielesibub (Apprentice; Joined: 02 Jul 2008; Posts: 40; Location: Hampshire, UK)
Posted: Mon May 09, 2011 12:28 am    Post subject:
Cheers mqjeff... a service request has been raised, I'll update the thread when I hear something.
bielesibub (Apprentice; Joined: 02 Jul 2008; Posts: 40; Location: Hampshire, UK)
Posted: Fri May 20, 2011 5:33 am    Post subject:
As promised, here is an update to this thread, in the hope that this saves someone a serious amount of wasted time.
We got a response from IBM, and currently WMB does not support the extraction of multiple identities. BTW... we're using the latest (7.0.0.2) version.
This has now led me down the path of using WAS to front our web services. This hasn't been a great deal of fun either! Standing up a web service in WAS is relatively straightforward; applying a policy and a binding has been another trial (one that I've not solved - yet!!). So currently I'm not even sure if WAS will throw away all identities in the security header. I'll update again once I get more information.
Cheers, (almost the weekend!)