Can WSS4J be configured to retrieve private and public keys using XKMS instead of keystores?
This is an example keystore configuration:
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=storepassword
org.apache.ws.security.crypto.merlin.keystore.alias=serverx509v1
org.apache.ws.security.crypto.merlin.keystore.file=keystore/server-keystore.jks
Is there a similar setup for using XKMS, or would I need to create a custom implementation of org.apache.ws.security.components.crypto.Crypto for retrieving keys using XKMS?
For the record, the answer is "yes". Apache CXF ships with a WSS4J Crypto implementation that can be used to perform locate + validate calls to an XKMS service to retrieve + validate X.509 Certificates when used with WS-Security. See here for more information:
http://cxf.apache.org/docs/xml-key-management-service-xkms.html
Colm.
I am running a Spring-boot application which authenticates users via our internal LDAP with spring-security-ldap.
By default it binds with LDAP anonymously.
Property 'userDn' not set - anonymous context will be used for read-write operations
But I want the first bind to be with current username.
Where should I specify the userDn attribute?
Thank you for your advice
When using Spring LDAP, maybe you started from one of the many tutorials on the web, but most of them use an embedded LDAP server; the embedded server uses an LDIF file and doesn't need the manager credentials.
When connecting to an external LDAP server you need to specify userDn by setting it via the managerDn method. Here is the snippet of code:
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.ldapAuthentication().contextSource().managerDn("uid=admin,ou=system")
.managerPassword("secret")
.......
}
Obviously you also need to provide all the other info like URL, port, etc. (and userSearchBase, as mvreijn said).
I am not the most knowledgeable person regarding Spring-boot, more so regarding LDAP.
That said, your LDAP configuration properties should be mentioned in your application.properties file and are named spring.ldap.*.
They are mentioned in the documentation here.
When initializing your authentication provider, you can pass important properties like the Base DN (root to search from) and the filter using:
.userSearchBase("ou=<your users container>").userSearchFilter("(uid={0})")
Most likely, your search filter will be uid={0} or cn={0}.
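Putting the two answers together, here is an added example (not code from either answer) of a complete Spring Security configuration for an external LDAP server: the first bind uses the manager account, and the user lookup uses userSearchBase plus a uid filter. The property names (app.ldap.*), the class name and the sample values in comments are assumptions.

```java
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class ExternalLdapSecurityConfig extends WebSecurityConfigurerAdapter {

    // Hypothetical property names; bind them from application.properties or the environment
    // so the manager (service-account) password is never committed together with the source.
    @Value("${app.ldap.url}")              private String url;            // e.g. ldap://ldap.example.internal:389
    @Value("${app.ldap.manager-dn}")       private String managerDn;      // DN used for the initial bind
    @Value("${app.ldap.manager-password}") private String managerPassword;
    @Value("${app.ldap.user-search-base}") private String userSearchBase; // e.g. ou=people

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.ldapAuthentication()
                // where to look for the entry matching the login name ({0} is replaced by it)
                .userSearchBase(userSearchBase)
                .userSearchFilter("(uid={0})")
                .contextSource()
                    // external server: the first bind is done with the manager account,
                    // not with the anonymous context reported in the log line of the question
                    .url(url)
                    .managerDn(managerDn)
                    .managerPassword(managerPassword);
    }
}
```

After the user entry is found, Spring performs a second bind as that entry with the supplied password; the manager account is only used for the search.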
When using Spring Couchbase connector I can easily get version for optimistic locking by having this in my class:
public class MyClass {
    @Version
    private String version;
    .... rest of class omitted ....
}
I'm now trying to find a similar way to get and be able to modify the metadata for expiration. I'm unable to find how to do this.
Can someone please give an example? Thanks!
With the spring data couchbase library (until the latest version 3.0.8.RELEASE), document expiry can be defined by using @Document(expiry = 10) or @Document(expiryExpression = "${valid.document.expiry}") on the class. There is also an optional boolean attribute touchOnRead which needs to be added with @Document, which would reset the expiry timer whenever the document is directly read. Please note that currently the expiry of an existing document cannot be read/modified directly with this library. One way would be to access the below APIs exposed by Couchbase's own Java SDK (com.couchbase.client.java):
getAndTouch - allows you to retrieve a document while modifying its expiration time
touch - allows you to modify a document’s expiration time without otherwise accessing the document
You can find the method signatures of the above two here: http://docs.couchbase.com/sdk-api/couchbase-java-client-2.2.4/com/couchbase/client/java/Bucket.html
The above two APIs can be accessed via the spring data couchbase library as follows:
couchbaseTemplate.getCouchbaseBucket().touch(...)
couchbaseTemplate.getCouchbaseBucket().getAndTouch(...)
The getCouchbaseBucket() method of the spring library returns a reference to com.couchbase.client.java.Bucket using which the touch and getAndTouch methods can be used.
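As an added example (not from the answer or the library), an entity with class-level expiry plus a service that changes the lifetime of an existing document through the SDK Bucket obtained from CouchbaseTemplate. The class names, the 600-second expiry and the field names are assumptions; the Java SDK 2.x API is assumed.

```java
import com.couchbase.client.java.Bucket;
import com.couchbase.client.java.document.JsonDocument;
import com.couchbase.client.java.error.DocumentDoesNotExistException;
import org.springframework.data.annotation.Id;
import org.springframework.data.annotation.Version;
import org.springframework.data.couchbase.core.CouchbaseTemplate;
import org.springframework.data.couchbase.core.mapping.Document;
import org.springframework.stereotype.Service;

// Expiry is declared on the class: 600 s, and every direct read resets the timer.
@Document(expiry = 600, touchOnRead = true)
class SessionRecord {
    @Id private String id;
    @Version private long version;   // optimistic-locking value, as in the question
    private String subject;
    // getters and setters omitted
}

@Service
public class SessionExpiryService {
    private final CouchbaseTemplate couchbaseTemplate;

    public SessionExpiryService(CouchbaseTemplate couchbaseTemplate) {
        this.couchbaseTemplate = couchbaseTemplate;
    }

    /**
     * Change the remaining lifetime of an existing document without reading it.
     * Couchbase interprets values up to 30 days as seconds from now and larger values as an
     * absolute Unix timestamp, so pass a relative number of seconds here.
     */
    public boolean setExpiry(String id, int expirySeconds) {
        Bucket bucket = couchbaseTemplate.getCouchbaseBucket();
        try {
            return Boolean.TRUE.equals(bucket.touch(id, expirySeconds));
        } catch (DocumentDoesNotExistException e) {
            return false;   // no document stored under this id
        }
    }

    /** Read the raw document and reset its lifetime in a single round trip (null when absent). */
    public JsonDocument readAndExtend(String id, int expirySeconds) {
        return couchbaseTemplate.getCouchbaseBucket().getAndTouch(id, expirySeconds);
    }
}
```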
Before I explain the issue I should say that we only need Apache Shiro for authorization, and authentication is already enabled with OAuth2.
So my code to enable Shiro is exactly as the code in this link here.
I have also checked this issue. But for me if I enable LifecycleBeanPostProcessor almost most beans will be null. I made that create method in config class static as it suggests in the second link but no luck.
So my question is, is there any way to only enable authorization without registering shiro filter? If not, how to get around this issue? Because it seems ShiroFilterFactoryBean requires LifecycleBeanPostProcessor and that breaks the whole application.
We are using the latest version of Spring Boot and Shiro 1.2.4.
As outlined in an issue in the comments, you would need to set an already authenticated identity in the subject, which can be done with the Subject.Builder() (I'm using version 1.5.2 here).
import org.apache.shiro.subject.SimplePrincipalCollection;
import org.apache.shiro.subject.Subject;

// Build a Subject that Shiro treats as already authenticated (the identity came from OAuth2),
// so only the authorization checks run.
Subject user = new Subject.Builder()
    .principals(new SimplePrincipalCollection("bud", "myRealm"))
    .authenticated(true)
    .buildSubject();
if (user.hasRole("admin")) {
    // do some authorized stuff
}
When implementing a custom realm the authentication ability can be disabled by returning false from the Realm's supports method, as described here.
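An added example (not from the answer) of the realm the answer describes: supports() returns false so Shiro never authenticates through it, and only role lookups are served. The role mapping, the class name and the stand-alone main() with DefaultSecurityManager are assumptions for the demo; a web application would use DefaultWebSecurityManager instead.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;
import org.apache.shiro.subject.Subject;

/** Realm used only for role lookups; the user was already authenticated upstream by OAuth2. */
public class AuthorizationOnlyRealm extends AuthorizingRealm {
    private final Map<String, Set<String>> rolesByUser;   // constructed sample mapping, not a real store
    public AuthorizationOnlyRealm(Map<String, Set<String>> rolesByUser) {
        this.rolesByUser = rolesByUser;
        setName("myRealm");   // must match the realm name given to SimplePrincipalCollection
    }

    /** false: Shiro never routes a login attempt to this realm. */
    @Override
    public boolean supports(AuthenticationToken token) {
        return false;
    }
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        throw new UnsupportedOperationException("authentication is handled by OAuth2, not by Shiro");
    }
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        String user = (String) principals.getPrimaryPrincipal();
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        info.setRoles(rolesByUser.getOrDefault(user, Collections.emptySet()));
        return info;
    }

    public static void main(String[] args) {
        Map<String, Set<String>> roles = new HashMap<>();
        roles.put("bud", Collections.singleton("admin"));
        DefaultSecurityManager sm = new DefaultSecurityManager(new AuthorizationOnlyRealm(roles));
        Subject bud = new Subject.Builder(sm)
                .principals(new SimplePrincipalCollection("bud", "myRealm"))
                .authenticated(true)
                .buildSubject();
        System.out.println(bud.hasRole("admin"));   // true for the constructed mapping
    }
}
```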
I have an OAuth resource server secured with Spring cloud security.
The OAuth tokens that are used are JWT tokens, so the resource server needs a verifier key to be able to check the signature of the tokens.
In order to simplify configuration I would like the resource server to get the verifier key from the authorization provider (also a Spring Boot service, with an @EnableAuthorizationServer).
This works fine if I give the direct URL of the authorization provider (using spring.oauth2.resource.jwt.keyUri), for example http://ip_of_authorization_provider/oauth/token_key.
The problem is when I want to give a service-id instead of an IP or DNS name in that value, e.g. http://authorization-provider/oauth/token_key.
It seems to me the problem is in JwtTokenServicesConfiguration, on line 225 of this file, specifically :
private RestTemplate keyUriRestTemplate = new RestTemplate();
If the keyUriRestTemplate was Autowired I could provide my own load balanced rest template, or if there was a @ConditionalOnMissingBean(JwtAccessTokenConverter.class) on the jwtAccessTokenConverter method below I could also provide my own load balanced logic.
Is there a way to do what I want without the ugly hack of recreating the whole ResourceServerTokenServicesConfiguration class in my app just to put in this one small modification?
There is a simpler and cleaner solution:
Just ditch the autoconfiguration made by spring-cloud-security and provide your own implementation of tokenServices that provides a JwtAccessTokenConverter whose key you have fetched with a LoadBalanced RestTemplate. Chances are you'll eventually want to provide other specifics in your configuration anyway...
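An added example (not from the answer or from spring-cloud-security) of the configuration the answer suggests: a @LoadBalanced RestTemplate fetches the key from the service id, and the resulting JwtAccessTokenConverter is wrapped in DefaultTokenServices. The class name is an assumption, as is that /oauth/token_key is reachable without client credentials (as the question's keyUri setup implies) and that this is the only RestTemplate bean needing a qualifier.

```java
import java.util.Map;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.cloud.client.loadbalancer.LoadBalanced;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.provider.token.DefaultTokenServices;
import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;
import org.springframework.web.client.RestTemplate;

@Configuration
public class LoadBalancedJwtKeyConfig {

    // A service id, not a host: the @LoadBalanced template resolves it through the service registry.
    // Prefer https here: a verifier key fetched over plain HTTP can be replaced on the path, and whoever
    // controls the key controls which tokens this resource server accepts.
    private static final String KEY_URI = "http://authorization-provider/oauth/token_key";

    @Bean
    @LoadBalanced
    public RestTemplate keyUriRestTemplate() {
        return new RestTemplate();
    }

    @Bean
    public JwtAccessTokenConverter jwtAccessTokenConverter(
            @Qualifier("keyUriRestTemplate") RestTemplate keyUriRestTemplate) {
        // /oauth/token_key answers {"alg": "...", "value": "<PEM public key or shared secret>"}
        Map<?, ?> body = keyUriRestTemplate.getForObject(KEY_URI, Map.class);
        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        converter.setVerifierKey((String) body.get("value"));
        // Spring calls afterPropertiesSet() on this bean, so an unusable key fails at startup,
        // not on the first request.
        return converter;
    }

    // Replaces the auto-configured token services; signature checks now use the fetched key.
    @Bean
    public ResourceServerTokenServices tokenServices(JwtAccessTokenConverter jwtAccessTokenConverter) {
        DefaultTokenServices services = new DefaultTokenServices();
        services.setTokenStore(new JwtTokenStore(jwtAccessTokenConverter));
        return services;
    }
}
```

Because the key is fetched while the bean is created, the authorization provider must be registered and reachable when the resource server starts.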
Working with the CXF STS client example: I followed the example at https://web-gmazza.rhcloud.com/blog/entry/cxf-sts-tutorial and my sample code is at https://github.com/sampleref/CXFSecurity for reference. On debugging I found the error below at the STS provider:
<<||2014-07-13 18:26:50,286||http-apr-8080-exec-3|DEBUG|org.apache.ws.security.processor.UsernameTokenProcessor:50||||>> Found UsernameToken list element
<<||2014-07-13 18:26:50,287||http-apr-8080-exec-3|DEBUG|org.apache.ws.security.validate.UsernameTokenValidator:78||||>> UsernameToken user alice
<<||2014-07-13 18:26:50,287||http-apr-8080-exec-3|DEBUG|org.apache.ws.security.validate.UsernameTokenValidator:79||||>> UsernameToken password type http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText
<<||2014-07-13 18:26:50,287||http-apr-8080-exec-3|DEBUG|org.apache.ws.security.processor.SignatureProcessor:115||||>> Found signature element
<<||2014-07-13 18:26:50,288||http-apr-8080-exec-3|DEBUG|org.apache.ws.security.processor.SignatureProcessor:380||||>> Verify XML Signature
<<||2014-07-13 18:26:50,292||http-apr-8080-exec-3|DEBUG|org.apache.ws.security.processor.SignatureProcessor:428||||>> XML Signature verification has failed
<<||2014-07-13 18:26:50,292||http-apr-8080-exec-3|DEBUG|org.apache.ws.security.processor.SignatureProcessor:431||||>> Signature Validation check: false
Please provide some input; it's really important for me to get this working. I posted the more detailed error from the STS client at:
CXF STS client throws Request does not contain Security header/Response message does not contain WS-Addressing properties
The problem is that you are not supplying the password for the private key in the STS. So for example, adding the following to the StsPasswordCallbackHandler makes the decryption work:
x509Passwords.put("stskeyalias", "stskeypassword");
You also need to remove the BouncyCastle dependency from the STS pom.
Colm.
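An added example (not the tutorial's or the asker's code) of a password callback handler that supplies the private-key password the answer says was missing: WSS4J asks for it with SIGNATURE or DECRYPT usage and the key alias as identifier. The WSS4J 2.x package (CXF 3.0) is assumed; under WSS4J 1.6 the class is org.apache.ws.security.WSPasswordCallback with the same methods. The user password for alice is a placeholder.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.wss4j.common.ext.WSPasswordCallback;

/** Hands WSS4J the passwords it asks for while the STS processes a RequestSecurityToken. */
public class StsPasswordCallbackHandler implements CallbackHandler {
    // keystore alias -> private-key password; without this entry the STS can neither sign nor decrypt
    private final Map<String, String> x509Passwords = new HashMap<>();
    // UsernameToken user -> expected password; WSS4J compares it with the one received
    private final Map<String, String> userPasswords = new HashMap<>();

    public StsPasswordCallbackHandler() {
        // Values as in the answer above; in a real deployment load them from protected configuration.
        x509Passwords.put("stskeyalias", "stskeypassword");
        userPasswords.put("alice", "ALICE_PASSWORD_PLACEHOLDER");
    }

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback callback : callbacks) {
            if (!(callback instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(callback, "only WSPasswordCallback is supported");
            }
            WSPasswordCallback pc = (WSPasswordCallback) callback;
            switch (pc.getUsage()) {
                case WSPasswordCallback.SIGNATURE:
                case WSPasswordCallback.DECRYPT:
                    // identifier is the key alias WSS4J is about to use; an unknown alias leaves the
                    // password null and the signature or decryption step fails
                    pc.setPassword(x509Passwords.get(pc.getIdentifier()));
                    break;
                case WSPasswordCallback.USERNAME_TOKEN:
                    pc.setPassword(userPasswords.get(pc.getIdentifier()));
                    break;
                default:
                    // other usages (e.g. secret keys for a symmetric binding) are not handled here;
                    // leaving the password unset makes WSS4J reject the step rather than guess
                    break;
            }
        }
    }
}
```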
I think the issues https://issues.apache.org/jira/browse/CXF-5679 and https://issues.apache.org/jira/browse/CXF-5724 were creating problems. I used CXF version 3.0.0 and am able to get the SAML assertion now.
Thanks