Provide message level web security to JAX-WS web service - web-services

I want to provide message level security to a JAX-WS web service. We have already installed certificates, so transport level security is already there.
Now we want to provide message level security. We are sending the username and password in the SOAP header, as the web service will be used by different users, and based on the username and password we need to provide the relevant details for that user.
We are using IBM WebSphere and RAD for the development.
Could someone please suggest what could be the easiest way to provide message level security with minimal configuration?

So here is the post that the reviewers think will be better. Maybe it is, maybe it isn't:
Here are the get-right-down-to-it steps for configuring a UsernameToken for a JAX-WS application in WebSphere.
Since you are using RAD and applying policy/bindings with the admin console, be sure that you do not have 'use resources in workspace' turned on in your RAD server config. If you do, turn it off, then reinstall (not just redeploy) your apps.
http://www-01.ibm.com/support/knowledgecenter/SSEQTP_8.5.5/com.ibm.websphere.base.doc/ae/twbs_stand_alone_security_token.html
Configuring a policy set and bindings for a stand-alone security token (UsernameToken or LTPA Token)
You can secure web services by configuring the message-level WS-Security policy set and bindings for a stand-alone security token that is either a Lightweight Third Party Authentication (LTPA) token or a Username token.
Before you begin
This task assumes that the service provider and client that you are configuring are in the JaxWSServicesSamples application. See the documentation on accessing samples to learn how to obtain and install this application. Specify the following trace specification on your server to enable you to debug any future configuration problems that might occur.
=info:com.ibm.wsspi.wssecurity.=all:com.ibm.ws.webservices.wssecurity.=all:
com.ibm.ws.wssecurity.=all: com.ibm.xml.soapsec.=all: com.ibm.ws.webservices.trace.=all:
com.ibm.ws.websvcs.trace.=all:com.ibm.ws.wssecurity.platform.audit.=off:
If LTPA tokens are used, you must enable the application security on the application servers that are used for both the client and the service.
About this task
This topic describes how to configure a WS-Security policy set and provider bindings for a Username token or an LTPA token. For simplicity, this procedure demonstrates how to remove the timestamp, digital signature, and encryption attributes from the policy; however, you might want to include these attributes in your final configuration. To learn more, see the documentation on configuring a policy set and bindings for Asymmetric XML digital signature or XML encryption with client and provider application specific bindings.
In this task, default provider general bindings are used for the provider application to consume the tokens. If a caller configuration is required, an application-specific binding will be added for the provider.
Procedure
Create the custom policy set.
In the administrative console, click Services > Policy sets > Application Policy sets.
Click New.
Specify Name = OneTokenPolicy.
Click Apply.
Under Policies, click Add > WS-Security.
Edit the custom policy set
Remove digital signature, encryption, and timestamp.
In the administrative console, click WS-Security > Main Policy.
Deselect Message level protection.
Click Apply.
Add the UsernameToken or LTPA token.
Under Policy details, click Request token policies.
Select Add Token Type.
If you want to use a UsernameToken, select UserName. If you want to use an LTPA token, select LTPA.
Token name=myToken.
Click OK.
Configure the client to use the OneTokenPolicy policy set.
In the administrative console, click Applications > Application types > WebSphere enterprise applications > JaxWSServicesSamples > Service client policy sets and bindings.
Select the web services client resource.
Click Attach Policy Set.
Select OneTokenPolicy.
Create a custom binding for the client.
Select the web services resource again.
Click Assign Binding.
Click New Application Specific Binding to create an application-specific binding
Specify the bindings configuration name. name: oneTokenClientBinding
Click Add > WS-Security
If the Main Message Security Policy Bindings' panel does not display, select WS-Security.
Edit the custom binding for the client.
Edit the identity token generator to send the identity username.
Click request:myToken.
Click Apply.
Click Callback handler. User name=(yourUserid) Password=(yourPassword)
Avoid trouble: This is a userid/password that is valid on the user registry on the provider's system. If you are using LTPA tokens, the userid/password must be valid on both the consumer and provider registries.
(Optional) If configuring a UsernameToken, add the following WS-Security custom properties:
*com.ibm.wsspi.wssecurity.token.username.addNonce=true
*com.ibm.wsspi.wssecurity.token.username.addTimestamp=true
These custom properties are added because they are specified on the UsernameToken consumer default general bindings. If we do not specify those properties here, you will either need to remove those properties from the default provider general bindings or create application-specific bindings for the provider that do not include those properties.
Click OK.
Click Save
Configure the provider to use the OneTokenPolicy policy set.
In the administrative console, click Applications > Application types > WebSphere enterprise applications > JaxWSServicesSamples > Service provider policy sets and bindings
Select the web services provider resource (OneTokenPolicy)
Click Attach Policy Set.
Select OneTokenPolicy
Note: Since no bindings are attached to the provider application, it will use the default provider general bindings for the token consumers.
(Optional) If you want to create a Caller configuration for the provider, create custom bindings for the provider.
Select the web services provider resource again.
Click Assign Binding
Click New Application Specific Binding to create an application-specific binding
Specify Bindings configuration name:oneTokenProvBinding
Click Add > WS-Security
If the Main Message Security Policy Bindings' Panel does not display, select WS-Security
(Optional) If a Caller configuration will be created, edit the custom bindings for the provider.
Click Caller > New. Name: myCaller.
If using a UsernameToken, enter the following:
Caller identity local name: [leave blank]
If using an LTPA token, enter the following:
Caller identity local name: LTPAv2
Caller identity local URI: http://www.ibm.com/websphere/appserver/tokentype
Click OK.
Click Save to save your configuration changes.
Restart the client provider.
Stop the client and the provider
Restart the client and the provider
Test the Service.
Point your web browser at the JaxWSServicesSamples: http://localhost:9080/wssamplesei/demo
Avoid trouble: Make sure you provide the correct hostname and port if your profile is not on the same machine or the port is not 9080.
Select Message Type Synchronous Echo
Make sure Use SOAP 1.2 is not selected
Enter a message and click Send Message. The sample application should reply with JAXWS==>Message.
Results
The JaxWSServicesSamples web services application is configured to generate and consume a UsernameToken or LTPA token in the request message.
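The token the steps above make the client generate and the provider consume, as an added standalone Python example (not WebSphere's or IBM's code): it builds a wsse:UsernameToken per the OASIS UsernameToken Profile 1.0 in digest form with Nonce and Created, which is what the addNonce/addTimestamp custom properties switch on, and a consumer that checks timestamp freshness, nonce replay and the password digest against a registry. The registry, user names, passwords, fixed nonce and time window are constructed values; the demo() function is a constructed sample run.

```python
"""Build and verify a WS-Security UsernameToken (digest form with Nonce and Created).

Added standalone example: it does not use WebSphere's WS-Security runtime, only the
OASIS UsernameToken Profile 1.0 rules, so the freshness and replay checks that
addNonce/addTimestamp enable can be read in plain code. All names and values below
are constructed for the example.
"""
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Optional

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PASSWORD_DIGEST = ("http://docs.oasis-open.org/wss/2004/01/"
                   "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
BASE64_BINARY = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-soap-message-security-1.0#Base64Binary")
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Profile 1.0 rule: Base64(SHA-1(nonce + created + password)), nonce as raw bytes."""
    digest = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(digest).decode()


def build_username_token(username: str, password: str,
                         nonce: Optional[bytes] = None,
                         created: Optional[datetime] = None) -> str:
    """Generator side: the <wsse:UsernameToken> a client places in the SOAP header."""
    nonce = nonce if nonce is not None else os.urandom(16)
    created_str = (created or datetime.now(timezone.utc)).strftime(TIME_FMT)
    return (
        f'<wsse:UsernameToken xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" wsu:Id="myToken">'
        f"<wsse:Username>{username}</wsse:Username>"
        f'<wsse:Password Type="{PASSWORD_DIGEST}">'
        f"{password_digest(nonce, created_str, password)}</wsse:Password>"
        f'<wsse:Nonce EncodingType="{BASE64_BINARY}">'
        f"{base64.b64encode(nonce).decode()}</wsse:Nonce>"
        f"<wsu:Created>{created_str}</wsu:Created>"
        "</wsse:UsernameToken>"
    )


class UsernameTokenConsumer:
    """Provider side: validate a token against a user registry, rejecting stale or replayed ones."""

    def __init__(self, registry: dict, max_skew: timedelta = timedelta(minutes=5)):
        self.registry = registry        # username -> password (a real registry stores hashes)
        self.max_skew = max_skew        # allowed clock skew / token age
        self.seen_nonces = set()        # nonce cache; bound its size and age in production

    def verify(self, token_xml: str, now: Optional[datetime] = None) -> tuple:
        now = now or datetime.now(timezone.utc)
        ns = {"wsse": WSSE, "wsu": WSU}
        root = ET.fromstring(token_xml)
        username = root.findtext("wsse:Username", namespaces=ns)
        pw_el = root.find("wsse:Password", namespaces=ns)
        nonce_text = root.findtext("wsse:Nonce", namespaces=ns)
        created_text = root.findtext("wsu:Created", namespaces=ns)
        if username is None or pw_el is None or nonce_text is None or created_text is None:
            return False, "missing Username, Password, Nonce or Created"
        if pw_el.get("Type") != PASSWORD_DIGEST:
            return False, "only PasswordDigest is accepted"
        # Freshness: reject tokens created too far in the past or the future.
        created = datetime.strptime(created_text, TIME_FMT).replace(tzinfo=timezone.utc)
        if abs(now - created) > self.max_skew:
            return False, "Created outside the allowed window"
        # Replay: a nonce may be presented once only within the freshness window.
        nonce = base64.b64decode(nonce_text)
        if nonce in self.seen_nonces:
            return False, "nonce already seen (replay)"
        # Digest: recompute from the registry password and compare in constant time.
        expected = password_digest(nonce, created_text, self.registry.get(username, ""))
        if username not in self.registry or not hmac.compare_digest(expected, pw_el.text or ""):
            return False, "bad username or password digest"
        self.seen_nonces.add(nonce)
        return True, "ok"


def demo() -> list:
    """Constructed sample run: valid token, replay of it, stale copy, wrong registry password."""
    created = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    token = build_username_token("alice", "s3cret", nonce=b"\x01" * 16, created=created)
    consumer = UsernameTokenConsumer({"alice": "s3cret"})
    results = [consumer.verify(token, now=created), consumer.verify(token, now=created)]
    results.append(consumer.verify(token, now=created + timedelta(minutes=10)))
    results.append(UsernameTokenConsumer({"alice": "other"}).verify(token, now=created))
    return results


if __name__ == "__main__":
    for ok, reason in demo():
        print(ok, reason)
```

Without Nonce and Created the digest is a fixed function of the password, so a captured header could be presented again indefinitely; the consumer above shows the two checks that the nonce and timestamp make possible, and why the provider's default bindings insist on them.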


Related

How to create OAuth2 Opaque(Reference) Access Tokens

How to create OAuth2 Opaque (Reference) Access Tokens in API Manager 4.1.0? I followed enter link description here, but cannot find the OAUTH token type when we create applications.
I want to create this application because of the issue enter link description here. if same token is sent every time we call the token api, this will work for us. Our tests need to get the token first and use it from there. there can be different apis calling in different times and this will expire the first token.
There is a lengthy manual method that lets you create opaque tokens in APIM 4.1.0, but our recommendation is to proceed with the JWT token-based applications. This will reduce the load at the gateway with token validation, which is a huge performance gain. Even if you used the same client ID / secret pair, you can change the scopes set with a device scope, and I believe this should give you the ability to create multiple tokens at the same time.
Having said that, you can create opaque token in the below approach, but this will remove the user experience provided in the devportal and you have to use carbon console(https://localhost:9443/carbon) if you need to change your application.
log in to admin portal (https://localhost:9443/admin)
Open Key managers --> resident key manager (or whatever the key manager you have) --> and select Out Of Band Provisioning and save.
Log in to carbon console (https://localhost:9443/carbon)
Register a service provider.
Under Inbound authentication config, select OAuth/OpenID connect configurations and configure an OAuth Application.
Add your application details from here as you prefer with the listed grant types and create an application.
Make sure to select the token issuer and default. This is where you select whether the token type is JWT or Opaque.
Once you save it, you can find the client ID secret pair in here.
Log in to devportal (https://localhost:9443/devportal)
Create an application.
Under the production Keys section, now you can see a new option enabled as provide existing OAuth keys.
Add the consumer key secret pair you created in the step 8.
Now you have created an application that generates opaque tokens.
The latest API Manager versions do not allow generating opaque access tokens. You can add the following configuration to the deployment.toml of API Manager to disable token revocation on token renewal.
[oauth.access_token]
invoke_token_revocation_event_on_renewal = false

How to programmatically create non-web-application OAuth credential in google cloud project?

Intro:
It is possible to add several types of OAuth credentials to an app (brand) for given project in the google cloud console (gcc) web UI:
Dashboard | APIs & Services | Credentials | OAuth 2.0 Client IDs
(+CREATE CREDENTIALS button, OAuth client ID)
followed by a selection of Application type (like web/desktop/iOS/etc...)
It is also possible to create the brand programmatically via the Identity Aware Proxy (IAP) API, method projects.brands.create.
Via that API, it is also possible to create a so-called IAP Client, which partly corresponds to the mentioned OAuth credential, method projects.brands.identityAwareProxyClients.create. Unfortunately, this results in a credential:
of web application type only,
non-editable (explicitly mentioned in docs, which still might be acceptable),
with no (or unknown) parameters, like e.g. redirect URIs.
First impression of such credential is: it's just useless.
Question:
Is there any API/Method (don't insist on IAP) that would allow replication of the actions available in the gcc web UI? Which means to create OAuth credential of any of the types available and having all the parameters configurable.

Expose unsecured url via WSO2 API Manager

I have an API that I have set up in WSO2's API Manager Publisher tool. All the calls work fine when called correctly with an Access Token.
But I have one url that I want anyone to be able to call. (It is a customized Swagger UI page (different from the one built into the WSO2 tooling).)
To do this I add the Swagger UI url as a resource. But when I go there it says:
Required OAuth credentials not provided. Make sure your API invocation call has a header: 'Authorization : Bearer ACCESS_TOKEN'
Generally, I really like this default. (I want all my other API resources to require an Access Token.) But for this one I don't have an access token and don't expect to.
Is it possible to publish one resource and not need any authentication?
It can also be done in 2.x versions of API Manager by disabling the security for each endpoint in the publisher tool. In the Manage tab, Resources section, for each resource/endpoint set the value x-auth-type to "None". The default value is "Application & Application User". This disables security, so authentication is no longer required for accessing the selected API resources.
This can be done as mentioned in https://stackoverflow.com/a/61133046/3176125
Basically you can turn off for one of the resources while you allow security for the rest of the resources.

How to debug Cognito's idpresponse endpoint

I'm setting up an OIDC provider for a Cognito User pool. The OpenID Connect service I'm using is PayPal. At the step where PayPal issues the code and redirects to Cognito's /oauth2/idpresponse endpoint, after which Cognito is supposed to exchange the code for an access token, I'm receiving an "Exception processing authorization code" error. As you can see, the error message is not very descriptive.
I have no idea what I'm doing wrong. I did set up OpenID Connect properly. Set up client settings in Cognito, etc.
These are the endpoints I'm using for openid connect:
https://www.sandbox.paypal.com/signin/authorize
https://api.sandbox.paypal.com/v1/identity/openidconnect/tokenservice
https://api.sandbox.paypal.com/v1/oauth2/token/userinfo
https://api.sandbox.paypal.com/v1/oauth2/certs
In app client settings I have auth code grant flow and implicit flow enabled. I have a custom domain set up. I provided the PayPal client id and secret.
My guess is if I'm able to somehow debug idpresponse endpoint I should be able to solve the problem. Is there any way to do that? Maybe cloudwatch?
I don't know about debugging Cognito's endpoints, but I had the same problem and fixed it by doing the following:
Go to your User Pool in AWS.
In the side navigation under Federation, select Attribute mapping.
Click the tab of the identity provider you're having issues with (in my case it was Google).
There should be three columns, Capture, Google attribute, and User pool attribute. Make sure all of the attributes that are checked in the Capture column are mapped to an attribute in the User pool attribute column.
UPDATE:
After submitting this answer, I realized that the checkboxes in the Capture column are not checked by default. If you marked any attributes as required in the Attributes section of your user pool, then you need to map those attributes to the attributes provided by your external identity providers.
For example, I marked email as a required attribute in my user pool settings. So, when I added Google as an identity provider, I had to go to Federation->Attribute mapping, click on the tab for Google, check the box in the Capture column next to email, and select Email from the dropdown box in the User pool attribute column.
After taking these steps, the sign-in workflow worked for me.
My guess is the auth flow works just fine between Cognito and your identity provider, but Cognito doesn't know how to map the attributes returned from the identity provider to the attributes you have set in your user pool (in General settings->Attributes under the Which standard attributes are required section).

How to go back to CTRL+ALT+DELETE logon page if the custom credential provider fails to do any authentication?

I have enabled the CTRL+ALT+DELETE secure attention sequence (SAS) for Windows logon using local security policy (secpol.msc, Security Settings->Local Policies->Security Options->Interactive Logon: Do not require CTRL+ALT+DEL -> Disabled).
Currently the machine is using a facial based custom credential provider for login in Windows 10. In the current setup if the custom credential provider fails during authentication, it falls back to normal windows based logon (Password / Pin).
I have disabled the password and PIN based mechanisms through group policy (gpedit.msc, Computer Configuration->Administrative Templates->System->Logon, Exclude Credential Providers). This works fine, as password and PIN cannot be used for authentication. But the login page is still displayed.
How to always go back to Ctrl+Alt+Del logon page if the custom credential provider fails to do any authentication so that the user can retry ?
Is it possible to Control through group policy? Do I have to manage through the credential provider source so the fallback always goes back Ctrl+Alt+Del page.
Additional Info: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc780332(v=ws.10)
Ref section - Winlogon Desktop Dialog Boxes:
In other words, it is about switching from the "Log On to Windows" desktop to the "Welcome to Windows" desktop automatically.
Additional Info on the flow:
When Winlogon.exe detects the SAS (Ctrl+Alt+Del), it launches the LogonUI.exe process, which initializes our custom credential provider.
In the normal use case, when our credential provider succeeds, the user enters his credentials and the LogonUI.exe process terminates.
Now in the second case, when our custom credential provider fails, the desktop becomes blank or, if fast user switching is enabled, it displays the switch user button.
In the correct use case, I have to fall back to SAS (Ctrl+Alt+Del).
// Inside your ICredentialProviderCredential::GetSerialization implementation,
// when authentication has failed and no credential should be handed to LogonUI:
*pcpgsr = CPGSR_RETURN_NO_CREDENTIAL_FINISHED; // finish without a credential
return hr; // return to LogonUI
CPGSR_RETURN_NO_CREDENTIAL_FINISHED will return from your module to the Windows system without accepting your security structure. Also use UnAdvise to clean up while returning from the Serialization call.
Did you solve your issue?
I think in the new scenario of credential providers (versus GINA) it is impossible to control this behaviour.
If ctrl+alt+del is enabled there is no legal way to eliminate and/or simulate this secure attention sequence. Have a look at this article.