Integrating XACML into JAX-WS and WSIT

Transcription

1 Integrating XACML into JAX-WS and WSIT Prof. Dr. Eric Dubuis Berner Fachhochschule Biel May 25, 2012

2 Overview Problem and Motivation Enforcing the Access Policy JAX-WS Handler Framework WSIT Validators References May 25, 2012 Integrating XACML into JAX-WS and WSIT 2

3 Motivation: What's the Problem to Solve? trust relationship STS 2 web service STS 1 SAML+ payload Security Domain 1 requestor Problem: How can we use XACML at this point? Security Domain 2 May 25, 2012 Integrating XACML into JAX-WS and WSIT 3

4 Elements for Authorizing Access to a Service To protect a resource, we need a security handler to gather information such as user, and other parameters a Policy Enforcement Point (PEP) that delegates the decision making enforces the access decision a Policy Decision Point (PDP) knows rules We must integrate a PEP into our web service implementation May 25, 2012 Integrating XACML into JAX-WS and WSIT 4

5 Enter the World of JAX-WS Handlers JAX-WS provides a framework for handlers There are two types of handlers: Logical operate on MessageContext properties and message payloads are protocol (HTTP, SOAP) agnostic cannot affect protocol specific parts of the message implement javax.xml.ws.handler.logicalhandler Protocol operate on MessageContext properties and specific messages are specific to a protocol can change protocol specific parts of the message implement any interface derived from javax.xml.ws.handler.handler except javax.xml.ws.handler.logicalhandler of particular interest: javax.xml.ws.handler.soap.soaphandler May 25, 2012 Integrating XACML into JAX-WS and WSIT 5

6 JAX-WS Handler Architecture Endpoint +getbinding(): Binding 1 1 Binding BindingProvider 1 1 +gethandlerchain(): List +sethandlerchain(l: List): void 1 +getbinding(): Binding 0..* Proxy Dispatch Handler<T> Adapted from: JAX-WS 2.1, JSR 224, p. 112 May 25, 2012 Integrating XACML into JAX-WS and WSIT 6

7 JAX-WS Handler Class Hierarchy Handler<MessageContext> +init(map<string>, Object>): void +destroy(): void +handlemessage(messagecontext): boolean +handlefault(messagecontext):boolean +close(messagecontext): void LogicalHandler<LogicalMessageContext> MessageContext contains the SOAP message as a DOM tree SOAPHandler<SOAPMessageContext> +getheaders(): Set<QName> Adapted from: JAX-WS 2.1, JSR 224, p. 113 May 25, 2012 Integrating XACML into JAX-WS and WSIT 7

8 Configuration: Handler Ordering The service has a HandlerResolver The HandlerResolver maintains a set of Handler objects Upon Proxy or Dispatch object creation, a BindingProvider creates a Binding instance The Binding instance has a chain of Handler objects :Service :HandlerResolver :L1 :P1 :P2 :L2 :P3 :P4 :P5 :L3 :P6 :L4 :BindingProvider :Binding :L1 :L2 :L3 :L4 :P1 :P2 :P3 :P4 :P5 :P6 Adapted from: JAX-WS 2.1, JSR 224, p. 115 May 25, 2012 Integrating XACML into JAX-WS and WSIT 8

9 How Does it Work? Handler config May 25, 2012 Integrating XACML into JAX-WS and WSIT 9

10 HandlerChain Annotation The javax.jws.handlerchain [JSR-181] annotation may be used to specify the handler chain in a declarative way = some_handler_chain.xml ) public class StockQuoter {... } <jws:handler-chains xmlns:jws=" <jws:handler-chain><!-- Remember: handler order for outbound messages! --> <jws:handler> <jws:handler-class>org.example.handler.handler1</jws:handler-class> </jws:handler> <jws:handler> <jws:handler-class>org.example.handler.handler2</jws:handler-class> </jws:handler> </jws:handler-chain> </jws:handler-chains> May 25, 2012 Integrating XACML into JAX-WS and WSIT 10

11 Handler Execution When called, method handlemessage: Consult the JAX-WS API for handlefault returns true: Indicates that normal message processing should continue returns false: Indicates that normal message processing should stop See specification for the two different kinds of action that can happen throws ProtocolException of a subclass thereof: Indicates that normal message processing should stop See specification for the two different kinds of action that can happen throws any other kind of exception: Indicates that normal message processing should stop See specification for the two different kinds of action that can happen May 25, 2012 Integrating XACML into JAX-WS and WSIT 11

12 Skeleton of a Protocol Handler Here is the skeleton of a SOAP protocol handler import javax.xml.soap.soapmessage; import javax.xml.ws.handler.messagecontext; import javax.xml.ws.handler.soap.soaphandler; import javax.xml.ws.handler.soap.soapmessagecontext; public class SomeHandler implements SOAPHandler<SOAPMessageContext> { public boolean handlemessage(soapmessagecontext messagecontext) { try { SOAPMessage msg = messagecontext.getmessage(); // do normal processing here... return true; } catch (Exception ex) { return false; // or throw a ProtocolException } } } May 25, 2012 Integrating XACML into JAX-WS and WSIT 12

13 Handler Acting as PEP Introduce a handler that acts as a PEP (imports not shown): public class SomeHandler implements SOAPHandler<SOAPMessageContext> {... public boolean handlemessage(soapmessagecontext messagecontext) { try { SOAPMessage msg = messagecontext.getmessage(); Boolean outboundproperty = (Boolean) context.get(messagecontext.message_outbound_property); if (!outboundproperty) { FilePolicyModule policymodule = new FilePolicyModule(); policymodule.addpolicy("/path/to/policy-file.xml ); // hack only // compose request in terms of values in message if (response_ok) return true; else throw new ProtocolException( Some message goes here... ); } return true; } catch (Exception ex) { return false; } // or throw a ProtocolException } } May 25, 2012 Integrating XACML into JAX-WS and WSIT 13

14 WSIT: Validators WSIT is based on JAX-WS WSIT add another conceptual layer: Validators, a special kind of Callbacks JAX-WS handlers are DOM-based By default, WSIT validators are XML stream-based In general, there is no need to write your own validator, but you configure the use of existing validators (for Username tokens, for X.509 certificates, and for SAML assertions) May 25, 2012 Integrating XACML into JAX-WS and WSIT 14

15 Example of a SAML Validator Here is a skeleton of a SALM validator: import com.sun.xml.wss.impl.callback.samlassertionvalidator; import javax.xml.stream.xmlstreamexception; import javax.xml.stream.xmlstreamreader; public class SAMLValidator implements SAMLAssertionValidator { DOM... public void validate(element arg0) throws SAMLValidationException { } //... } public void validate(xmlstreamreader parser) throws SAMLValidationException { //... XML Stream Reader } allows for efficient processing... May 25, 2012 Integrating XACML into JAX-WS and WSIT 15

16 Comments for the SAML Validator Called upon the processing of a SAML assertion must be started. No other context information is available. By default, WSIT uses XML security streaming. You can specify your validator by adding the following policy to the wsit-service.xml configuration file: <wsp:all>... <sc:validatorconfiguration wspp:visibility="private" xmlns:sc=" xmlns:wspp=" > <sc:validator name="samlassertionvalidator" classname="org.example.saml.samlvalidator"/> </sc:validatorconfiguration> </wsp:all> must have that name May 25, 2012 Integrating XACML into JAX-WS and WSIT 16

17 References Technik und Informatik [XACML] extensible Access Control Markup Language (XACML) Version Sun's XACML Tutorial Sun's XACML Implementation [JSR-181] Web Services Metadata for the JavaTM Platform [JSR-224] Java API for XML-Based Web Services (JAX-WS) JAX-WS Handlers Custom Security Policy Assertions in Metro Ashutosh's Blog, Wednesday September 19, WSIT Security Configuration Demystified May 25, 2012 Integrating XACML into JAX-WS and WSIT 17