Within our company, we want to propagate a user's identity using a signed UsernameToken (without password). The identity must be included both in request and response messages. We've created a policy for this (using the WAS7 admin console); see the attached policy_200512.xml file in attached zipfile.
The first problem we encountered is that the WAS admin console doesn't allow the NoPassword assertion to be set. Also, if we manually add the NoPassword assertion, this assertion is not recognized as a valid policy element by WebSphere (results in "CWWSS7257E: The policy assertion sp:NoPassword is not a valid X509Token, Kerberos or UsernameToken assertion"). This looks like a WebSphere bug, as NoPassword is a valid element in the http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512 namespace. As we require interoperability with non-WebSphere platforms, this is a major problem for us.
We also tried to create a policy using the http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702 namespace (see policy_200702.xml), and here the NoPassword element is recognized correctly. However, when using this policy on the server side, a SoapSecurityException is thrown: "CWWSS7247E: Target namespace http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702 is not supported for service policy". The same policy does, however, work correctly on the client side.
The next step was to simply try the policy from policy_200512.xml without the NoPassword assertion. We have been able to create application-specific bindings for this policy that actually work, both on the client and server side with the same policy (see the attached bindings_appspecific_client.xml and bindings_appspecific_server.xml).
However, we would like to create equivalent (re-usable) general bindings. These are mostly the same as the application-specific bindings, with the exception that the securityTokenReference element is not supported in a global binding. However, if we remove this element, WebSphere somehow can't relate the UsernameToken elements in the policy to the corresponding TokenGenerators in the binding: "SoapSecurityException: CWWSS7328E: Did not find a token generator for the supporting token of type http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken".
On the client, we can fix this problem by using the 200702 namespace with the NoPassword assertion, so in fact WebSphere actually acts on this assertion being present. However, as indicated before, this namespace cannot be used on the server side, and the NoPassword assertion is not supported in any namespace that is supported on the server side.
Does anybody know a work-around for this problem?
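Two checks that are useful while debugging a setup like the one above, written as an added example for this thread (not code from the original post, from the attached files, or from WebSphere). The first walks a WS-SecurityPolicy document and reports, for every sp:UsernameToken assertion, which WS-SecurityPolicy namespace it uses, whether it sits under a Signed*SupportingTokens assertion, and whether it carries sp:NoPassword. The second inspects a SOAP message and checks that a password-less wsse:UsernameToken is actually covered by a ds:Reference of the message signature, since without a password the token is only an identity claim and proves nothing unless the signature covers it. The namespace URIs are the standard ones; the sample policy and envelope are constructed for the example.

```python
"""Inspect WS-SecurityPolicy UsernameToken assertions and check that a
password-less UsernameToken in a SOAP message is under the signature."""
import xml.etree.ElementTree as ET

SP_200512 = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512"
SP_200702 = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Supporting-token assertions that require the token to be under the message signature.
SIGNED_SUPPORTING = {
    "SignedSupportingTokens", "SignedEncryptedSupportingTokens",
    "SignedEndorsingSupportingTokens", "SignedEndorsingEncryptedSupportingTokens",
}


def _split(tag):
    """Return (namespace, local-name) for an ElementTree '{ns}local' tag."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag


def inspect_policy(policy_xml):
    """One finding per sp:UsernameToken assertion in a 200512 or 200702 policy."""
    root = ET.fromstring(policy_xml)
    parents = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for el in root.iter():
        ns, local = _split(el.tag)
        if local != "UsernameToken" or ns not in (SP_200512, SP_200702):
            continue
        # Walk up the tree: is this token inside a Signed*SupportingTokens assertion?
        signed, node = False, parents.get(el)
        while node is not None and not signed:
            signed = _split(node.tag)[1] in SIGNED_SUPPORTING
            node = parents.get(node)
        # NoPassword must be in the same sp namespace as the UsernameToken assertion.
        no_password = any(_split(d.tag) == (ns, "NoPassword") for d in el.iter())
        findings.append({"policy_ns": ns, "signed": signed, "no_password": no_password})
    return findings


def token_signature_coverage(envelope_xml):
    """For each wsse:UsernameToken: username, whether it has a Password element,
    and whether its wsu:Id is referenced by a ds:Reference of the signature.
    Coverage is necessary, not sufficient: the signature must still be validated
    against a trusted key by the WS-Security runtime."""
    root = ET.fromstring(envelope_xml)
    referenced = {ref.get("URI", "")[1:] for ref in root.iter(f"{{{DS}}}Reference")
                  if ref.get("URI", "").startswith("#")}
    results = []
    for tok in root.iter(f"{{{WSSE}}}UsernameToken"):
        user = tok.find(f"{{{WSSE}}}Username")
        token_id = tok.get(f"{{{WSU}}}Id")
        results.append({
            "username": user.text if user is not None else None,
            "has_password": tok.find(f"{{{WSSE}}}Password") is not None,
            "signed": token_id is not None and token_id in referenced,
        })
    return results


# Constructed sample policy: a signed, password-less UsernameToken (200702 namespace).
SAMPLE_POLICY = f"""
<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:sp="{SP_200702}">
  <sp:SignedSupportingTokens>
    <wsp:Policy>
      <sp:UsernameToken>
        <wsp:Policy><sp:NoPassword/></wsp:Policy>
      </sp:UsernameToken>
    </wsp:Policy>
  </sp:SignedSupportingTokens>
</wsp:Policy>"""

# Constructed sample message: the token's wsu:Id is one of the signature references.
SAMPLE_ENVELOPE = f"""
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" xmlns:ds="{DS}">
  <soap:Header><wsse:Security>
    <wsse:UsernameToken wsu:Id="UsernameToken-1"><wsse:Username>alice</wsse:Username></wsse:UsernameToken>
    <ds:Signature><ds:SignedInfo>
      <ds:Reference URI="#UsernameToken-1"/><ds:Reference URI="#Body-1"/>
    </ds:SignedInfo><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  </wsse:Security></soap:Header>
  <soap:Body wsu:Id="Body-1"/>
</soap:Envelope>"""

if __name__ == "__main__":
    print(inspect_policy(SAMPLE_POLICY))
    print(token_signature_coverage(SAMPLE_ENVELOPE))
```

Run the policy inspector over policy_200512.xml and policy_200702.xml to confirm that the token really is inside a Signed*SupportingTokens assertion and that NoPassword is in the same namespace as the UsernameToken; run the message check on a captured request and response to confirm the identity token is under the signature in both directions, which is the property the whole setup depends on.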