How to dynamically configure rampart on service side - web-services

How can I dynamically configure Rampart on the service side? I mean I'd like to use different service keys for different clients.
Any hint or link to a tutorial is a big help.
Thanks

To clarify, you want the ability to issue a different token depending on the client credentials? This sounds a lot like Security Token Service (STS)
It is possible to accept a range of credential options. Rampart makes you implement your own callback class to verify the initial credentials.
You can implement your own TokenIssuer to customize the response (http://axis.apache.org/axis2/java/rampart/setting-up-sts.html) and either bundle that inside your service archive or externalize it. You can use whatever criteria are fit for determining the response token.

Related

C++ grpc service: how to store custom session data

I want to implement custom authentication logic, and when a user is authorized using a special method I want to set a server-side session variable which represents the user id, to use in other requests. How is it possible to implement this behavior in a C++ gRPC server?
Could you clarify what you need? Do you need customized authentication or authorization? Once the TLS handshake completes in gRPC, you can get auth information from AuthContext and then make the authorization decision.
In addition to Jiangtao's answer which is related to grpc_server_credentials, you probably also want to take a look at grpc_auth_metadata_processor, which is used on servers to process the auth metadata on the request and determine whether the request will be allowed.
From your description, it looks like you are trying to make some additional authorization decisions besides gRPC authentication. If that's the case, it's not a bad idea to keep your authorization logic separate from gRPC. You could probably do the normal gRPC authentication, get the information from the AuthContext as Jiangtao mentioned, and then proceed with your custom logic. "Injecting" the authorization logic into the gRPC stack might not be a good choice here. Please let us know if you have any further questions and we are happy to help! :-)

Generate web service security using binary security token in ColdFusion

I need to access SOAP web service methods via ColdFusion CFHTTP. I am able to access the SOAP web service method, but it's asking for a WSSE security header. I need to pass the wsse security header in the SOAP request. So, I searched with Google and found there are two types of security: one is basic authentication and the other is BinarySecurityToken.
I need to use BinarySecurityToken. http://docs.oasis-open.org/wss-m/wss/v1.1.1/os/wss-x509TokenProfile-v1.1.1-os.html
But, I'm not sure how to do that in ColdFusion.
Could you please help me to complete this?
Thanks in advance.
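The X.509 Token Profile linked above puts the client's certificate into the `wsse:Security` header as a `wsse:BinarySecurityToken` (Base64 DER, `ValueType` ending in `#X509v3`), and the message body is then signed with the matching private key so the service can tie the signature to that certificate. The following is an added example, not code from the question or from any ColdFusion library, showing in Python what that header element looks like on the wire and how a service validates its declared type before decoding it. The namespace and type URIs are the ones from the OASIS WS-Security specifications; the certificate bytes are a constructed placeholder, and the example deliberately stops short of producing the `ds:Signature` that the profile expects alongside the token.

```python
import base64
import xml.etree.ElementTree as ET

# Namespace and type URIs defined by the OASIS WS-Security 1.0 specifications.
NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
}
X509V3_VALUE_TYPE = (
    "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
)
BASE64_ENCODING_TYPE = (
    "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
)
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

# Constructed placeholder standing in for a DER-encoded X.509 certificate; not a real certificate.
FAKE_CERT_DER = b"\x30\x82\x01\x00" + bytes(range(16))


def _q(prefix: str, local: str) -> str:
    """Clark-notation qualified name for ElementTree."""
    return "{%s}%s" % (NS[prefix], local)


def build_envelope(cert_der: bytes, body_xml: str, token_id: str = "X509Token") -> str:
    """Client side: wrap body_xml in a SOAP 1.1 envelope whose wsse:Security header
    carries cert_der as a Base64-encoded X509v3 BinarySecurityToken. Returns the XML text."""
    env = ET.Element(_q("soapenv", "Envelope"))
    header = ET.SubElement(env, _q("soapenv", "Header"))
    security = ET.SubElement(header, _q("wsse", "Security"))
    security.set(_q("soapenv", "mustUnderstand"), "1")
    bst = ET.SubElement(security, _q("wsse", "BinarySecurityToken"))
    bst.set("ValueType", X509V3_VALUE_TYPE)
    bst.set("EncodingType", BASE64_ENCODING_TYPE)
    bst.set(_q("wsu", "Id"), token_id)  # the wsu:Id is what a ds:Signature's KeyInfo would reference
    bst.text = base64.b64encode(cert_der).decode("ascii")
    body = ET.SubElement(env, _q("soapenv", "Body"))
    body.append(ET.fromstring(body_xml))
    return ET.tostring(env, encoding="unicode")


def extract_token(envelope_xml: str) -> bytes:
    """Service side: find the token, check that it is the X509v3/Base64 type the
    service expects, and return the decoded certificate bytes."""
    env = ET.fromstring(envelope_xml)
    bst = env.find("./soapenv:Header/wsse:Security/wsse:BinarySecurityToken", NS)
    if bst is None:
        raise ValueError("no BinarySecurityToken in wsse:Security header")
    if bst.get("ValueType") != X509V3_VALUE_TYPE:
        raise ValueError("unexpected ValueType %r" % bst.get("ValueType"))
    if bst.get("EncodingType") != BASE64_ENCODING_TYPE:
        raise ValueError("unexpected EncodingType %r" % bst.get("EncodingType"))
    return base64.b64decode(bst.text or "", validate=True)


if __name__ == "__main__":
    xml_text = build_envelope(
        FAKE_CERT_DER, '<getOrder xmlns="urn:example:orders"><id>42</id></getOrder>')
    print(xml_text)
    assert extract_token(xml_text) == FAKE_CERT_DER
```

The token element only identifies the caller; on its own it proves nothing, because anyone can paste a public certificate into a header. Whatever you build in CFML (or with a Java library such as WSS4J called from ColdFusion) also has to sign the body with the matching private key and reference the token's `wsu:Id` from the signature, and the service must verify that signature and check the certificate against its trust store.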

How to get the information of the client in rest service

I have created a REST service. In this service I want to know which client is calling the service. Is there any method to check the properties or information of the client?
I don't know what you exactly mean by "which client". I see two things:
The terminal kind. This can be known using the User-Agent header if set.
The authenticated user, using the Authorization header. The content of this header allows you to get the corresponding user. This allows you to authenticate requests. In this case, this link could help you: https://templth.wordpress.com/2015/01/05/implementing-authentication-with-tokens-for-restful-applications/.
Hope it helps you,
Thierry
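As an added example (not from the answer above or its linked article), here is the two-part check it describes, in Python: read the terminal kind from `User-Agent`, and derive the principal from `Authorization`, handling both `Basic` and `Bearer`. The user and token stores are constructed in-memory dicts; a real service would look these up in its user database or token issuer, and would store password hashes rather than the plaintext used here for brevity.

```python
import base64
import binascii
import hmac

# Constructed sample stores; a real service reads these from its user database or token issuer.
USERS = {"alice": "s3cret!"}                 # username -> password (plaintext only for the demo)
TOKENS = {"tok-constructed-1": "bob"}        # opaque bearer token -> user it was issued to


def basic_header(username: str, password: str) -> str:
    """Build the Authorization value a client sends for HTTP Basic (RFC 7617)."""
    raw = ("%s:%s" % (username, password)).encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def identify_client(headers: dict) -> dict:
    """Report what the request headers say about the caller: the terminal kind
    (User-Agent) and the authenticated principal (Authorization). Each is None
    when the header is absent or the credentials do not check out."""
    h = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    result = {"user_agent": h.get("user-agent"), "principal": None, "scheme": None}
    auth = h.get("authorization")
    if not auth:
        return result
    scheme, _, credentials = auth.partition(" ")
    scheme, credentials = scheme.lower(), credentials.strip()
    if scheme == "basic":
        try:
            decoded = base64.b64decode(credentials, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return result                    # malformed credentials: anonymous, not a crash
        username, sep, password = decoded.partition(":")
        expected = USERS.get(username)
        # compare_digest keeps the comparison time independent of where the first mismatch is
        if sep and expected is not None and hmac.compare_digest(expected.encode(), password.encode()):
            result.update(principal=username, scheme="basic")
    elif scheme == "bearer":
        user = TOKENS.get(credentials)       # opaque token: look up who it was issued to
        if user is not None:
            result.update(principal=user, scheme="bearer")
    return result


if __name__ == "__main__":
    print(identify_client({"User-Agent": "curl/8.0",
                           "Authorization": basic_header("alice", "s3cret!")}))
```

Note that `User-Agent` is whatever the client chooses to send, so it is fine for statistics or content negotiation but is never an input to an authorization decision; only the `Authorization` result should gate access.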

Building an Oauth2 API service, what is the use of client_secret

Good morning, we are a little company in Europe, and we need to set up some web services for internal and external use. We decided to implement authentication for those web services, and I thought to implement OAuth2 authentication. The problem is the following (besides the fact that I've only used the OAuth2 standard one time): I do not really understand the use of the "client_secret" from the point of view of the service provider. Isn't the client_id enough to identify a client? Why is the client_secret needed exactly, and how is it to be implemented in the general logic of the application?
Thank you for any response.
You want to make sure that the client requesting credentials is who you think they are, and the client ID is used in requests that users can see (in the URL). Without a client secret anybody could pretend to be any client application to trick users into granting access.
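To show where the secret fits into the server's logic, here is an added example (not from the answer, and not any OAuth2 library's code) of a minimal token endpoint for the authorization-code grant in Python. The registries are constructed in-memory dicts. The key point is the order of checks: the `client_id` that appears in user-visible URLs only says who the caller claims to be; the `client_secret`, sent only on the back-channel token request, is what proves it, and a client that cannot prove it never gets to redeem an authorization code.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory registries; a real authorization server persists these.
CLIENTS = {}      # client_id -> {"secret_hash": bytes or None, "redirect_uri": str}
AUTH_CODES = {}   # code -> {"client_id", "redirect_uri", "user", "expires"}
CODE_LIFETIME = 600


def register_client(client_id: str, redirect_uri: str, confidential: bool = True):
    """Issue a client_id/client_secret pair. Only the SHA-256 of the secret is kept; a plain
    hash is adequate here because the secret is 32 random bytes, not a human-chosen password."""
    secret = secrets.token_urlsafe(32) if confidential else None
    CLIENTS[client_id] = {
        "secret_hash": hashlib.sha256(secret.encode()).digest() if secret else None,
        "redirect_uri": redirect_uri,
    }
    return secret   # shown to the developer once; the server cannot recover it later


def issue_authorization_code(client_id: str, redirect_uri: str, user: str, now=None) -> str:
    """What the authorization endpoint hands back via the user-visible redirect."""
    now = time.time() if now is None else now
    code = secrets.token_urlsafe(24)
    AUTH_CODES[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                        "user": user, "expires": now + CODE_LIFETIME}
    return code


def authenticate_client(client_id, client_secret) -> bool:
    """client_id says who the caller claims to be; client_secret proves it.
    Public clients (no secret on record) cannot authenticate at all."""
    client = CLIENTS.get(client_id)
    if client is None or client["secret_hash"] is None or not client_secret:
        return False
    presented = hashlib.sha256(client_secret.encode()).digest()
    return hmac.compare_digest(presented, client["secret_hash"])


def token_endpoint(form: dict, now=None) -> dict:
    """Minimal authorization_code grant handler (RFC 6749 section 4.1.3)."""
    now = time.time() if now is None else now
    if form.get("grant_type") != "authorization_code":
        return {"error": "unsupported_grant_type"}
    # Authenticate the client before touching the code, so a caller that cannot
    # prove its identity cannot consume (and so invalidate) a legitimate client's code.
    if not authenticate_client(form.get("client_id"), form.get("client_secret")):
        return {"error": "invalid_client"}
    code = AUTH_CODES.pop(form.get("code"), None)   # single use: remove on first redemption
    if (code is None or code["expires"] < now
            or code["client_id"] != form.get("client_id")
            or code["redirect_uri"] != form.get("redirect_uri")):
        return {"error": "invalid_grant"}
    return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
            "expires_in": 3600, "user": code["user"]}
```

Browser-based or mobile apps cannot keep a secret, which is why they are registered as public clients here and get `invalid_client` from this endpoint; for them the standard answer is the PKCE extension (RFC 7636) rather than an embedded secret.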

WSO2 API Manager with HMAC Authentication

Does anyone know how to add HMAC based authentication for WSO2 API Manager?
Background - We're rolling out WSO2 API Manager 1.3 in front of our publicly available web services and we need JavaScript applications (once authenticated) to be able to consume the services directly (not via a service proxy on their server to handle the OAuth authentication).
Does anyone know the easiest way to get this implemented in WSO2? We've started implementing an AbstractHandler and Authenticator but this seems overkill - someone must have done this or have some pointers on this?
Thank you very much in advance.
You can write your own handler which can implement the AbstractHandler.
Signature verification can be implemented as an API handler similar to the 'APIAuthenticationHandler'. The access token that was provided earlier can be used as the MAC identifier. The consumer secret can be used as the MAC key, which is a shared secret between the consumer and the provider, used to sign the normalized request string.
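As an added illustration of the scheme this answer sketches (not WSO2 code, and not the real `APIAuthenticationHandler`), here is the verification logic in Python: the access token is the MAC identifier, the consumer secret is the MAC key, and both sides compute HMAC-SHA256 over a normalized request string. The header layout, the normalization rule and the token store are all constructed for the example; what carries over to a real handler is the shape of the checks: look up the key by identifier, reject stale timestamps and repeated nonces, recompute the signature and compare it in constant time.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Constructed token store: access token -> (consumer key, consumer secret).
# In API Manager this lookup would go to the key manager; here it is a dict.
TOKEN_STORE = {"tok-constructed-1": ("consumer-key-A", "consumer-secret-A")}
CLOCK_SKEW = 300            # seconds a request timestamp may differ from server time
_seen_nonces = {}           # nonce -> time after which it may be forgotten


def normalized_request_string(method, host, path, ts, nonce, body: bytes) -> str:
    """Canonical form both sides sign. Including the body hash means the payload
    cannot be changed in transit without invalidating the signature."""
    return "\n".join([method.upper(), host.lower(), path, str(ts), nonce,
                      hashlib.sha256(body).hexdigest()])


def sign_request(token, secret, method, host, path, body=b"", ts=None, nonce=None) -> str:
    """Consumer side: produce the Authorization header value (constructed format)."""
    ts = int(time.time()) if ts is None else ts
    nonce = nonce or secrets.token_hex(8)
    msg = normalized_request_string(method, host, path, ts, nonce, body).encode()
    mac = hmac.new(secret.encode(), msg, hashlib.sha256).digest()
    return 'MAC id="%s", ts="%d", nonce="%s", mac="%s"' % (
        token, ts, nonce, base64.b64encode(mac).decode("ascii"))


def _parse_mac_header(value: str):
    scheme, _, params = value.partition(" ")
    if scheme != "MAC":
        return None
    out = {}
    for part in params.split(","):
        key, _, val = part.strip().partition("=")
        if len(val) < 2 or val[0] != '"' or val[-1] != '"':
            return None
        out[key] = val[1:-1]
    return out


def verify_request(authorization, method, host, path, body=b"", now=None):
    """Provider side: returns (True, consumer_key) or (False, reason)."""
    now = int(time.time()) if now is None else now
    p = _parse_mac_header(authorization or "")
    if p is None or not all(k in p for k in ("id", "ts", "nonce", "mac")):
        return (False, "malformed header")
    entry = TOKEN_STORE.get(p["id"])
    if entry is None:
        return (False, "unknown token")
    try:
        ts = int(p["ts"])
        presented = base64.b64decode(p["mac"], validate=True)
    except ValueError:                      # binascii.Error is a ValueError
        return (False, "malformed timestamp or mac")
    if abs(now - ts) > CLOCK_SKEW:
        return (False, "timestamp outside window")
    for n, exp in list(_seen_nonces.items()):   # forget nonces older than the window
        if exp < now:
            del _seen_nonces[n]
    if p["nonce"] in _seen_nonces:
        return (False, "replayed nonce")
    msg = normalized_request_string(method, host, path, ts, p["nonce"], body).encode()
    expected = hmac.new(entry[1].encode(), msg, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, presented):
        return (False, "signature mismatch")
    _seen_nonces[p["nonce"]] = now + CLOCK_SKEW   # record only after a good signature
    return (True, entry[0])
```

Because the JavaScript application holds the consumer secret, anyone who can read the page source holds it too; the timestamp window and nonce cache limit what a captured request is worth, but they do not make a secret embedded in client-side code confidential, which is worth weighing before choosing this over the OAuth flow the API Manager already provides.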
I do not know if this will help you, but we needed our password hashes to be in PBKDF2. So I extended the JDBCUserStoreManager, overriding only the preparePassword method. Inside it I changed from MessageDigest to SecretKeyFactory for the PBKDF2WithHmacSHA1 algorithm. You can use Mac I guess?
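The preparePassword override this answer describes is a one-way transform from the plaintext password to the string kept in the user store. As an added example in Python (not the answer's Java code, and not WSO2's JDBCUserStoreManager), here is what that transform and its matching verification look like when done with PBKDF2-HMAC-SHA1, the algorithm named in the answer: a random per-user salt, an iteration count stored alongside the hash so it can be raised later, and a constant-time comparison. The record format `pbkdf2_sha1$<iterations>$<salt>$<hash>` is constructed for this example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 100_000   # raise as hardware allows; stored with the hash so old records still verify
SALT_LEN = 16
ALGO = "pbkdf2_sha1"   # matches PBKDF2WithHmacSHA1 from the answer; "sha256" in pbkdf2_hmac gives SHA-256


def prepare_password(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Stand-in for a preparePassword override: turn a plaintext password into the string
    that is stored. Constructed format: pbkdf2_sha1$<iterations>$<salt b64>$<hash b64>."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGO, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(dk).decode("ascii")])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count and compare in constant time."""
    try:
        algo, iterations, salt_b64, dk_b64 = stored.split("$")
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(dk_b64, validate=True)
        iterations = int(iterations)
    except ValueError:
        return False          # malformed or foreign record: fail closed
    if algo != ALGO:
        return False
    candidate = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    record = prepare_password("hunter2")
    print(record, verify_password("hunter2", record), verify_password("hunter3", record))
```

Two things the SecretKeyFactory approach shares with this: the salt must be random per user and stored with the hash (a fixed or absent salt turns PBKDF2 back into a lookup-table problem), and verification has to read the iteration count from the record rather than a constant, or you can never raise it without re-hashing every user.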
This is possible by implementing a custom mediator and engaging it to the in-flow sequence. The API exposed by API Manager would be OAuth protected, but the actual backend would be HMAC protected. You can find more information on this in the article [1].
[1] https://wso2.com/library/article/2017/10/integrating-wso2-api-manager-with-a-hmac-secured-backend/