CODEWITHSUNDEEP
wso2wso2-esb
tyfyh
tyfyh

Reputation: 333

How to enable proxy service security in WSO2 ESB 4.9.0

I have fresh installation of WSO2 ESB 4.9.0 and I’m trying to secure proxy service with HTTP Basic Authentication, but I’m failing.

I tried this tutorial from official documentation, but this approach was possible up to 4.8.1. In version 4.9.0 I can’t click Security to open the Security for the service page.

So i tried another approach:

I created policy UTOverTransport in registry (copied from 4.8.1).

<wsp:Policy wsu:Id="UTOverTransport" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <wsp:ExactlyOne>
        <wsp:All>
            <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                <wsp:Policy>
                    <sp:TransportToken>
                        <wsp:Policy>
                            <sp:HttpsToken RequireClientCertificate="false"/>
                        </wsp:Policy>
                    </sp:TransportToken>
                    <sp:AlgorithmSuite xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                        <wsp:Policy>
                            <sp:Basic256/>
                        </wsp:Policy>
                    </sp:AlgorithmSuite>
                    <sp:Layout>
                        <wsp:Policy>
                            <sp:Lax/>
                        </wsp:Policy>
                    </sp:Layout>
                    <sp:IncludeTimestamp/>
                </wsp:Policy>
            </sp:TransportBinding>
            <sp:SignedSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                <wsp:Policy>
                    <sp:UsernameToken xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy" sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient"/>
                </wsp:Policy>
            </sp:SignedSupportingTokens>
        </wsp:All>
    </wsp:ExactlyOne>
    <rampart:RampartConfig xmlns:rampart="http://ws.apache.org/rampart/policy">
        <rampart:encryptionUser>useReqSigCert</rampart:encryptionUser>
        <rampart:timestampPrecisionInMilliseconds>true</rampart:timestampPrecisionInMilliseconds>
        <rampart:timestampTTL>300</rampart:timestampTTL>
        <rampart:timestampMaxSkew>300</rampart:timestampMaxSkew>
        <rampart:timestampStrict>false</rampart:timestampStrict>
        <rampart:tokenStoreClass>org.wso2.carbon.security.util.SecurityTokenStore</rampart:tokenStoreClass>
        <rampart:nonceLifeTime>300</rampart:nonceLifeTime>
    </rampart:RampartConfig>
</wsp:Policy>

And in proxy service configuration I added:

   <parameter name="allowRoles">admin</parameter>
   <parameter name="ScenarioID">scenario1</parameter>
   <enableSec/>
   <policy key="conf:/repository/policies/UTOverTransport"/>

Now in management console I see that proxy service is secured but, when I’m calling this service I’m getting error: 

java.lang.ClassCastException: org.apache.axiom.om.impl.dom.ElementImpl cannot be cast to org.apache.axiom.soap.SOAPHeaderBlock
    org.wso2.carbon.security.pox.POXSecurityHandler.isSOAPWithoutSecHeader(POXSecurityHandler.java:362)
    org.wso2.carbon.security.pox.POXSecurityHandler.invoke(POXSecurityHandler.java:102)
    org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)

Request:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
   <soapenv:Header>
      <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" soapenv:mustUnderstand="1">
         <wsu:Timestamp wsu:Id="TS-4">
            <wsu:Created>2015-12-09T07:15:21Z</wsu:Created>
            <wsu:Expires>2015-12-09T09:38:41Z</wsu:Expires>
         </wsu:Timestamp>
         <wsse:UsernameToken wsu:Id="UsernameToken-3">
            <wsse:Username>admin</wsse:Username>
            <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">admin</wsse:Password>
            <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">byWKVY4stEATvTqaoNMswQ==</wsse:Nonce>
            <wsu:Created>2015-12-09T07:15:21.304Z</wsu:Created>
         </wsse:UsernameToken>
      </wsse:Security>
   </soapenv:Header>
   <soapenv:Body/>
</soapenv:Envelope>

I also tried to secure proxy using API with SecurityAdminService and operation applySecurity (this worked in 4.8.1) but I’m getting error org.apache.axis2.AxisFault: Service with name test not found.

Can someone help me and explain how to do this?

Upvotes: 1

Views: 1700

Answers (2)

tyfyh
tyfyh

Reputation: 333

Policy file for Basic Authentication (with username token) should look like this:

<wsp:Policy wsu:Id="UTOverTransport"
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsp:ExactlyOne>
    <wsp:All>
        <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
            <wsp:Policy>
                <sp:TransportToken>
                    <wsp:Policy>
                        <sp:HttpsToken RequireClientCertificate="false"/>
                    </wsp:Policy>
                </sp:TransportToken>
                <sp:AlgorithmSuite>
                    <wsp:Policy>
                        <sp:Basic256/>
                    </wsp:Policy>
                </sp:AlgorithmSuite>
                <sp:Layout>
                    <wsp:Policy>
                        <sp:Lax/>
                    </wsp:Policy>
                </sp:Layout>
                <sp:IncludeTimestamp/>
            </wsp:Policy>
        </sp:TransportBinding>
        <sp:SignedSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
            <wsp:Policy>
                <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient"/>
            </wsp:Policy>
        </sp:SignedSupportingTokens>
    </wsp:All>
</wsp:ExactlyOne>
<rampart:RampartConfig xmlns:rampart="http://ws.apache.org/rampart/policy">
    <rampart:user>wso2carbon</rampart:user>
    <rampart:encryptionUser>useReqSigCert</rampart:encryptionUser>
    <rampart:timestampPrecisionInMilliseconds>true</rampart:timestampPrecisionInMilliseconds>
    <rampart:timestampTTL>300</rampart:timestampTTL>
    <rampart:timestampMaxSkew>300</rampart:timestampMaxSkew>
    <rampart:timestampStrict>false</rampart:timestampStrict>
    <rampart:tokenStoreClass>org.wso2.carbon.security.util.SecurityTokenStore</rampart:tokenStoreClass>
    <rampart:nonceLifeTime>300</rampart:nonceLifeTime>
</rampart:RampartConfig>
<sec:CarbonSecConfig xmlns:sec="http://www.wso2.org/products/carbon/security">
    <sec:Authorization>
        <sec:property name="org.wso2.carbon.security.allowedroles">admin</sec:property>
    </sec:Authorization>
</sec:CarbonSecConfig>

In proxy service configuration add this:

<policy key="conf:/repository/policies/UTOverTransport"/>
<enableSec/>

conf:/repository/policies/UTOverTransport is path to the policy file

Developer studio is not necessary.

I hope this will help

Upvotes: 4

Ravindra Ranwala
Ravindra Ranwala

Reputation: 21124

All these Quality Of Service (QOS) features were removed from the WSO2 ESB admin console from ESB 4.9.0 release onwards. Therefore we recommend you to use WSO2 Developer Studio 3.8 version which is compatible with ESB 4.9.0 release to do those QOS related stuffs such as security, reliability etc.

Upvotes: 0

Related Questions