IBM WebSphere DataPower Community Forum / IBM WebSphere DataPower XI50
Topic: Injecting WS-Security UsernameToken into SOAP headers
sairam
« on: November 27, 2007, 11:39:50 AM »

I would like to inject a WS-Security UsernameToken into a SOAP header. I would also like to 'digest' the password and add nonce and created elements. Is there an XSL template to do this, or do I have to use an AAA policy?

thanks
Sairam
nmcglennon
« Reply #1 on: November 27, 2007, 06:44:06 PM »

Sairam,

Funny, I ran into the same issue. We temporarily used the AAA Policy, which isn't ideal, since it still looks for a username (pulled from BA headers in our case).

I started working on an XSLT transformation script:

Code:
<?xml version="1.0"?>
<xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:date="http://exslt.org/dates-and-times"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:dp="http://www.datapower.com/extensions"
xmlns:dpconfig="http://www.datapower.com/param/config"
xmlns:dpfunc="http://www.datapower.com/extensions/functions"
xmlns:func="http://exslt.org/functions"
extension-element-prefixes="date dp dpfunc"
exclude-result-prefixes="date dp dpconfig dpfunc wsse wsu">

<dp:summary xmlns="">
<operation>sign</operation>
<description>
Generate a UsernameToken WS-Security signature.
</description>
</dp:summary>

<xsl:output method="xml" />

<xsl:include href="store:///utilities.xsl" />

<!-- Stylesheet parameters: the username and the shared secret, set on the Transform action -->
<xsl:param name="dpconfig:username" />
<xsl:param name="dpconfig:key" />

<xsl:template match="/*[local-name()='Envelope']">
<xsl:copy>
<xsl:copy-of select="@*" />
<xsl:copy-of select="namespace::*" />

<soapenv:Header>
<!-- Carry over any headers already present on the inbound message -->
<xsl:copy-of select="*[local-name()='Header']/node()" />
<wsse:Security
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">

<!-- Variables -->

<xsl:variable
name="wsseCreated"
select="dpfunc:zulu-time()" />

<!-- The digest is computed over the raw nonce bytes; only the Nonce element carries the Base64 form -->
<xsl:variable
name="wsseNonceRaw"
select="substring(dp:generate-uuid(), 1, 16)" />

<xsl:variable
name="wsseNonce"
select="dp:encode($wsseNonceRaw, 'base-64')" />

<xsl:variable
name="wsseUsername"
select="$dpconfig:username" />

<xsl:variable
name="wsseKey"
select="$dpconfig:key" />

<!-- PasswordDigest = Base64(SHA-1(nonce + created + password)) -->
<xsl:variable
name="wssePassword"
select="dp:hash-base64('http://www.w3.org/2000/09/xmldsig#sha1', concat($wsseNonceRaw, $wsseCreated, $wsseKey))" />

<!-- End Variables -->

<wsse:UsernameToken>
<wsse:Username>
<xsl:value-of select="$wsseUsername" />
</wsse:Username>
<wsse:Password Type="...#PasswordDigest">
<xsl:value-of select="$wssePassword" />
</wsse:Password>
<wsse:Nonce>
<xsl:value-of select="$wsseNonce" />
</wsse:Nonce>
<!-- Created lives in the wsu namespace, not wsse -->
<wsu:Created>
<xsl:value-of select="$wsseCreated" />
</wsu:Created>
</wsse:UsernameToken>
</wsse:Security>
</soapenv:Header>
<!-- Copy the original Body through unchanged -->
<xsl:copy-of select="*[local-name()='Body']" />
</xsl:copy>
</xsl:template>
</xsl:stylesheet>

I haven't fully tested it yet, but it should give you a start.  You have to create stylesheet parameters for $username and $key.  Please let me know if you change anything in order to get it to work.

Thanks,
Neil McGlennon

Senior Consultant
Security Practice
Ascendant Technology
nmcglennon
« Reply #2 on: December 09, 2007, 11:54:49 PM »

How did this work out for you?
sairam
« Reply #3 on: December 11, 2007, 01:59:31 PM »

I made simple modifications and ended up with the following transformation.
Code:
<?xml version="1.0"?>
<xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:date="http://exslt.org/dates-and-times"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:dp="http://www.datapower.com/extensions"
xmlns:dpconfig="http://www.datapower.com/param/config"
xmlns:dpfunc="http://www.datapower.com/extensions/functions"
xmlns:func="http://exslt.org/functions"
extension-element-prefixes="date dp dpfunc"
exclude-result-prefixes="date dp dpconfig dpfunc wsse wsu">

<dp:summary xmlns="">
<operation>sign</operation>
<description>
Generate a UsernameToken WS-Security signature.
</description>
</dp:summary>

<xsl:output indent="yes" method="xml" />

<xsl:include href="store:///utilities.xsl" />

<!-- Stylesheet parameters, set on the Transform action -->
<xsl:param name="dpconfig:username" select="''"/>
<xsl:param name="dpconfig:key" select="''"/>

<!-- Variables -->

<xsl:variable
name="wsseCreated"
select="dpfunc:zulu-time()" />

<xsl:variable
name="wsseExpires"
select="date:add($wsseCreated, 'P0DT0H5M0S')" />

<!-- The digest is computed over the raw nonce bytes; only the Nonce element carries the Base64 form -->
<xsl:variable
name="wsseNonceRaw"
select="substring(dp:generate-uuid(), 1, 16)" />

<xsl:variable
name="wsseNonce"
select="dp:encode($wsseNonceRaw, 'base-64')" />

<xsl:variable
name="wsseUsername"
select="$dpconfig:username" />

<xsl:variable
name="wsseKey"
select="$dpconfig:key" />

<!-- As posted, wssePassword was declared twice (once from a plaintext dpconfig:password
     parameter, once as this digest) with a dangling comment terminator; XSLT rejects
     duplicate global variables, so only the digest is kept, which is what the
     PasswordDigest Type below announces. -->
<xsl:variable
name="wssePassword"
select="dp:hash-base64('http://www.w3.org/2000/09/xmldsig#sha1', concat($wsseNonceRaw, $wsseCreated, $wsseKey))" />

<!-- End Variables -->

<xsl:template match="/*[local-name()='Envelope']">
<xsl:copy>
  <xsl:copy-of select="@*" />
  <xsl:copy-of select="namespace::*" />
  <xsl:call-template name="create-security-header" />
  <xsl:copy-of select="*[local-name()='Body']" />
</xsl:copy>
</xsl:template>

<!-- Add security header -->
<xsl:template name="create-security-header">
<soapenv:Header>
<!-- Carry over any headers already present on the inbound message -->
<xsl:copy-of select="*[local-name()='Header']/node()" />
<wsse:Security soapenv:mustUnderstand="1">
<wsu:Timestamp>
<wsu:Created>
<xsl:value-of select="$wsseCreated"/>
</wsu:Created>
<wsu:Expires>
<xsl:value-of select="$wsseExpires"/>
</wsu:Expires>
</wsu:Timestamp>
<wsse:UsernameToken>
<wsse:Username>
<xsl:value-of select="$wsseUsername"/>
</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">
<xsl:value-of select="$wssePassword"/>
</wsse:Password>
<wsse:Nonce>
<xsl:value-of select="$wsseNonce"/>
</wsse:Nonce>
<wsu:Created>
<xsl:value-of select="$wsseCreated"/>
</wsu:Created>
</wsse:UsernameToken>
</wsse:Security>
</soapenv:Header>
</xsl:template>
</xsl:stylesheet>
nmcglennon
« Reply #4 on: December 17, 2007, 11:42:49 AM »

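The two stylesheets above both build a PasswordDigest token, and the receiving side has to recompute that digest and reject stale or replayed tokens. The following Python model is an added example, not code from this thread or from DataPower, and it assumes only the standard library: it builds a UsernameToken the way the UsernameToken Profile 1.0 defines it (Base64(SHA-1(nonce + created + password)) over the raw nonce bytes), then verifies one with a freshness window and a nonce replay cache. The sample username, secret, nonce and timestamp are constructed values so the run is repeatable; `demo()` also shows that digesting the Base64 text of the nonce, which the XSLT above does, yields a different digest than digesting the raw bytes, which is why a conformant receiver would reject such tokens.

```python
"""Build and verify a WS-Security UsernameToken with Type=PasswordDigest (added example)."""
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PASSWORD_DIGEST = ("http://docs.oasis-open.org/wss/2004/01/"
                   "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
BASE64_BINARY = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-soap-message-security-1.0#Base64Binary")
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"   # assumption: whole-second UTC timestamps, as zulu-time() emits


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Base64(SHA-1(nonce + created + password)) per UsernameToken Profile 1.0.
    The nonce contribution is the raw bytes; hashing its Base64 text instead gives a
    different value that a spec-conformant receiver will not accept."""
    h = hashlib.sha1(nonce + created.encode("utf-8") + password.encode("utf-8"))
    return base64.b64encode(h.digest()).decode("ascii")


def build_username_token(username: str, password: str, nonce=None, created=None) -> str:
    """Serialize a <wsse:UsernameToken>; nonce and created default to fresh values."""
    nonce = os.urandom(16) if nonce is None else nonce
    created = created or datetime.now(timezone.utc).strftime(TIME_FMT)
    ET.register_namespace("wsse", WSSE)
    ET.register_namespace("wsu", WSU)
    tok = ET.Element(f"{{{WSSE}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = username
    pw = ET.SubElement(tok, f"{{{WSSE}}}Password", {"Type": PASSWORD_DIGEST})
    pw.text = password_digest(nonce, created, password)
    nonce_el = ET.SubElement(tok, f"{{{WSSE}}}Nonce", {"EncodingType": BASE64_BINARY})
    nonce_el.text = base64.b64encode(nonce).decode("ascii")   # wire form is Base64
    ET.SubElement(tok, f"{{{WSU}}}Created").text = created      # Created is in the wsu namespace
    return ET.tostring(tok, encoding="unicode")


class UsernameTokenVerifier:
    """Receiver side: recompute the digest, enforce freshness, refuse replayed nonces."""

    def __init__(self, passwords: dict, window: timedelta = timedelta(minutes=5)):
        self.passwords = passwords      # username -> secret (constructed lookup table)
        self.window = window            # how far Created may drift from the receiver clock
        self.seen_nonces = set()        # replay cache; a real one is bounded and expires entries

    def verify(self, token_xml: str, now=None):
        now = now or datetime.now(timezone.utc)
        tok = ET.fromstring(token_xml)
        username = tok.findtext(f"{{{WSSE}}}Username")
        pw_el = tok.find(f"{{{WSSE}}}Password")
        nonce_b64 = tok.findtext(f"{{{WSSE}}}Nonce")
        created = tok.findtext(f"{{{WSU}}}Created")
        if pw_el is None or pw_el.get("Type") != PASSWORD_DIGEST or not (username and nonce_b64 and created):
            return False, "missing element or not a PasswordDigest token"
        try:
            created_dt = datetime.strptime(created, TIME_FMT).replace(tzinfo=timezone.utc)
        except ValueError:
            return False, "unparseable Created"
        if abs(now - created_dt) > self.window:
            return False, "Created outside freshness window"
        nonce = base64.b64decode(nonce_b64)
        if nonce in self.seen_nonces:
            return False, "nonce replayed"
        secret = self.passwords.get(username)
        if secret is None:
            return False, "unknown user"
        expected = password_digest(nonce, created, secret)
        if not hmac.compare_digest(expected, pw_el.text or ""):   # constant-time comparison
            return False, "digest mismatch"
        self.seen_nonces.add(nonce)     # record only after a successful check
        return True, "ok"


# Constructed sample values so the demo is deterministic
SAMPLE_NONCE = b"0123456789abcdef"
SAMPLE_CREATED = "2007-11-27T11:39:50Z"
SAMPLE_NOW = datetime(2007, 11, 27, 11, 40, 0, tzinfo=timezone.utc)


def demo() -> dict:
    """Exercise the happy path and the three failure modes the verifier guards against."""
    token = build_username_token("sairam", "s3cret", nonce=SAMPLE_NONCE, created=SAMPLE_CREATED)
    good = UsernameTokenVerifier({"sairam": "s3cret"})
    return {
        "first": good.verify(token, now=SAMPLE_NOW),
        "replay": good.verify(token, now=SAMPLE_NOW),
        "wrong_secret": UsernameTokenVerifier({"sairam": "nope"}).verify(token, now=SAMPLE_NOW),
        "stale": UsernameTokenVerifier({"sairam": "s3cret"}).verify(token, now=SAMPLE_NOW + timedelta(minutes=10)),
        # digesting the Base64 nonce text (what the XSLT does) differs from digesting the raw bytes
        "b64_nonce_differs": password_digest(base64.b64encode(SAMPLE_NONCE), SAMPLE_CREATED, "s3cret")
                             != password_digest(SAMPLE_NONCE, SAMPLE_CREATED, "s3cret"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

On the appliance the same checks are what an AAA policy with a UsernameToken extraction method performs; the model above is only there to make the digest input order and the replay/freshness rules explicit, since a digest computed over the wrong nonce form fails silently at the receiver with nothing more than an authentication error.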
Thanks for the feedback!
wsguy4
« Reply #5 on: January 14, 2008, 11:01:21 AM »

This is a great stylesheet. I was working on the same requirement and you guys made it simple. Just one question though:
1. I don't see the zulu-time() function in the dp-extension document; what firmware release do you guys use? I have 3.6.0.19. -- looks like this is in the stylesheet but not documented.
2. I also need wsu:Id generated and am not sure how to generate it.

Thanks
« Last Edit: January 14, 2008, 01:39:55 PM by wsguy4 »
nmcglennon
« Reply #6 on: January 15, 2008, 11:51:48 AM »

I might be able to help you there, when I get around to editing the code sometime tonight. 

However, if you are interested there is an XSL stylesheet on the DP box which already has this.  You just need to include the sheet and apply the template with correct stylesheet parameters.

Senior Consultant
Security Practice
Ascendant Technology