RSS

Category Archives: Enterprise Service Bus

Apply OAuth2.0 base security for Rest endpoint with WSO2ESB 4.6.0 and WSO2IS 4.1.1 alpha


I think this would be good example for applying the security for the simple rest endpoint. Lets think we already have some rest endpoint without security but we need to expose this with the OAuth2.0 base security.

you can achieve this task with the following steps.

1. Create the custom handler to validate the Bearer token.
2. Create API element in the ESB and pointing the rest endpoint that you have
3. Include created handler to the created API element.
4. Go to IS and create the OAuth2.0 application and get the Access token form IS
5. Invoke the API with the valid access token.

Functional Scenario

Rest endpoint with security

1. Creating custom handler (Download the mvn project here)
You need to extends AbstractHandler and implements ManagedLifecycle as follows. as well I’m getting some parameters from the axis2.xml

package org.wso2.handler;

/**
 * Created with IntelliJ IDEA.
 * User: dinuka
 * Date: 4/4/13
 * Time: 3:46 PM
 * To change this template use File | Settings | File Templates.
 */
import org.apache.axis2.client.Options;
import org.apache.axis2.client.ServiceClient;
import org.apache.axis2.context.ConfigurationContext;
import org.apache.axis2.context.ConfigurationContextFactory;
import org.apache.axis2.transport.http.HTTPConstants;
import org.apache.axis2.transport.http.HttpTransportProperties;
import org.apache.http.HttpHeaders;
import org.apache.synapse.core.axis2.Axis2MessageContext;
import org.wso2.carbon.identity.oauth2.stub.OAuth2TokenValidationServiceStub;
import org.wso2.carbon.identity.oauth2.stub.dto.OAuth2TokenValidationRequestDTO;
import org.apache.synapse.ManagedLifecycle;
import org.apache.synapse.MessageContext;
import org.apache.synapse.core.SynapseEnvironment;
import org.apache.synapse.rest.AbstractHandler;

import java.util.Map;

public class SimpleOauthHandler extends AbstractHandler implements ManagedLifecycle {

    private String securityHeader = HttpHeaders.AUTHORIZATION;
    private String consumerKeyHeaderSegment = "Bearer";
    private String oauthHeaderSplitter = ",";
    private String consumerKeySegmentDelimiter = " ";
    private String oauth2TokenValidationService = "oauth2TokenValidationService";
    private String identityServerUserName = "identityServerUserName";
    private String identityServerPw = "identityServerPw";

    @Override
    public boolean handleRequest(MessageContext messageContext) {
        try{
            ConfigurationContext configCtx = ConfigurationContextFactory.createConfigurationContextFromFileSystem(null, null);
            //Read parameters from axis2.xml
            String identityServerUrl = messageContext.getConfiguration().getAxisConfiguration().getParameter(oauth2TokenValidationService).getValue().toString();
            String username = messageContext.getConfiguration().getAxisConfiguration().getParameter(identityServerUserName).getValue().toString();
            String password = messageContext.getConfiguration().getAxisConfiguration().getParameter(identityServerPw).getValue().toString();

            OAuth2TokenValidationServiceStub stub = new OAuth2TokenValidationServiceStub(configCtx,identityServerUrl);
            ServiceClient client = stub._getServiceClient();
            Options options = client.getOptions();
            HttpTransportProperties.Authenticator authenticator = new HttpTransportProperties.Authenticator();
            authenticator.setUsername(username);
            authenticator.setPassword(password);
            authenticator.setPreemptiveAuthentication(true);

            options.setProperty(HTTPConstants.AUTHENTICATE, authenticator);
            client.setOptions(options);
            OAuth2TokenValidationRequestDTO dto = new OAuth2TokenValidationRequestDTO();
            dto.setTokenType("bearer");
            Map headers = (Map) ((Axis2MessageContext) messageContext).getAxis2MessageContext().
                    getProperty(org.apache.axis2.context.MessageContext.TRANSPORT_HEADERS);
            String apiKey = null;
            if (headers != null) {
                apiKey = extractCustomerKeyFromAuthHeader(headers);
            }
            dto.setAccessToken(apiKey);
            //validate passed apiKey(token)
            if(stub.validate(dto).getValid()){
                return true;
            }else{
                return false;
            }
        }catch(Exception e){
            e.printStackTrace();
            return false;
        }
    }

    public String extractCustomerKeyFromAuthHeader(Map headersMap) {

        //From 1.0.7 version of this component onwards remove the OAuth authorization header from
        // the message is configurable. So we dont need to remove headers at this point.
        String authHeader = (String) headersMap.get(securityHeader);
        if (authHeader == null) {
            return null;
        }

        if (authHeader.startsWith("OAuth ") || authHeader.startsWith("oauth ")) {
            authHeader = authHeader.substring(authHeader.indexOf("o"));
        }

        String[] headers = authHeader.split(oauthHeaderSplitter);
        if (headers != null) {
            for (int i = 0; i < headers.length; i++) {
                String[] elements = headers[i].split(consumerKeySegmentDelimiter);
                if (elements != null && elements.length > 1) {
                    int j = 0;
                    boolean isConsumerKeyHeaderAvailable = false;
                    for (String element : elements) {
                        if (!"".equals(element.trim())) {
                            if (consumerKeyHeaderSegment.equals(elements[j].trim())) {
                                isConsumerKeyHeaderAvailable = true;
                            } else if (isConsumerKeyHeaderAvailable) {
                                return removeLeadingAndTrailing(elements[j].trim());
                            }
                        }
                        j++;
                    }
                }
            }
        }
        return null;
    }

    private String removeLeadingAndTrailing(String base) {
        String result = base;

        if (base.startsWith("\"") || base.endsWith("\"")) {
            result = base.replace("\"", "");
        }
        return result.trim();
    }

    @Override
    public boolean handleResponse(MessageContext messageContext) {
      return true;
    }

    @Override
    public void init(SynapseEnvironment synapseEnvironment) {
        //To change body of implemented methods use File | Settings | File Templates.
    }

    @Override
    public void destroy() {
        //To change body of implemented methods use File | Settings | File Templates.
    }
}

2. Now I take rest unsecured endpoint as “https://www.google.lk/search?q=wso2“(You can use your own endpoint)
Lets look at how to configure the WSO2 ESB with this endpoint.

Start the ESB 4.6.0 and Sign in as admin.
Then go to Source View.
esb

Insert following xml configuration in to the source view to create the API element name as TestGoogle

  <api name="TestGoogle" context="/search">
      <resource methods="GET">
         <inSequence>
            <log level="custom">
               <property name="Test" value="Test"/>
            </log>
            <send>
               <endpoint>
                  <address uri="https://www.google.lk/search?q=wso2"/>
               </endpoint>
            </send>
         </inSequence>
      </resource>
      <handlers>
         <handler class="org.wso2.handler.SimpleOauthHandler"/>
      </handlers>
   </api>

esb2

3. We need to add the created custom handler.jar in to $ESB_HOME/repository/components/libs and go to the $ESB_HOME/repository/conf/axis2/axis2.xml and put the following parameters.

 
    <!-- OAuth2 Token Validation Service -->
    <parameter name="oauth2TokenValidationService">https://localhost:9444/services/OAuth2TokenValidationService</parameter>
    <!-- Server credentials -->
    <parameter name="identityServerUserName">admin</parameter>
    <parameter name="identityServerPw">admin</parameter>

restart the ESB.

Again go to source view and place the following xml to engage the custom handler in to the API element

 
    <handlers>
         <handler class="org.wso2.handler.SimpleOauthHandler"/>
    </handlers>


Total configuration looks like this

  <api name="TestGoogle" context="/search">
      <resource methods="GET">
         <inSequence>
            <log level="custom">
               <property name="Test" value="Test"/>
            </log>
            <send>
               <endpoint>
                  <address uri="https://www.google.lk/search?q=wso2"/>
               </endpoint>
            </send>
         </inSequence>
      </resource>
      <handlers>
         <handler class="org.wso2.handler.SimpleOauthHandler"/>
      </handlers>
   </api>

4. Start the WSO2 Identity server and create the Oauth2.0 Application

is

Request the access token from IS you need to pass the ClientID and Client Secret with the curl request.

curl -v -X POST –user <strong>R2CNjiq672f6xXQabAfWbYby2nca</strong>:<strong>QhEQi9eJv8BmSinPBnWscCFFDgsa</strong> -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" -k -d "grant_type=password&username=admin&password=admin" https://localhost:9444/oauth2endpoints/token

Then you will receive the access token
cmd

5. Now you can invoke the API with the received access token

curl -v -X GET -H “Authorization: Bearer ca1799fc84986bd87c120ba499838a7” http://10.100.1.198:8280/search
cmd

Advertisements
 

Tags: , ,

Authentication and Authorization with WSO2ESB and WSO2IS


This is very impotent post because I’m going to discuss how to secure the proxy service with Username Token  as well as Authorization with XACML policies.

For Authorization we are using the WSO2 Identity server and Inbuilt Entitlement mediator in WSO2 ESB.

Authentication and Authorization

You can see the high level view of the ESB and IS communication. Let me explain the scenario.

1. User going to access the proxy service with the user credentials.
2. ESB authenticate the user first
3. If the authentication pass then go to Identity Server through the Entitlement Mediator and call the get decision method with above credentials
4. Identity Server will look the XACML policies and return the decision.
5. If decision is “Permit” then proxy service allow to access the echo service
6. If decision is “Deny” or “Not applicable” proxy service not allow to access the echo service.

Lets look at the configuration of this setup. We are using ESB-4.6.0 and IS-4.1.0

1. You have to share the same User store with WSO2ESB and WSO2IS
refer the ESB user-mgt.xml and IS user-mgt.xml – this is done for Embedded LDAP coming with WSO2IS but you can configure any DB as your user store and share with both ESB and IS

2. Start the IS first and then ESB with port offset 1
3. Create “In sequence” in ESB
here you need to add the entitlement mediator as a first child of In Sequence
esb

Select the entitlement and set the entitlement server url, username and password.
entitlement server url = https://localhost:9443/services/
username = admin
password = admin
esb

Set the Fault mediators under OnReject as well as set the Send mediator under OnAccept

Set the Header mediator as follows and remove the security headers.
esb

Click on the Namespaces and put the following entry.
Prefix – wsse
URI – http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
esb

3. Create “Out sequence” in ESB
just put send and log mediators as follows
esb

4. Now we need create the proxy service for echo service already in WSO2ESB
Add new proxy -> custom proxy then you can see the following window and you have to specify the following details.
Name – EchoProxy
Publishing WSDL – Specify source URI
then put the wsdl of the echo service as “http://localhost:8281/services/echo?wsdl&#8221;
esb

Move next and select the “InSequence” that we created before.
esb

Move next again and select the “OutSequence” as well.
esb

finally click the finish
Now you have to create the new role “testRole” with admin permission and new user “testuser” with password “testuser” and assign the “testRole” because we are using this to control the access . then secure the created proxy with Username Token as follows

esb

esb

esb

Now you complete the proxy service creation and lets move to Identity server configurations.

5. In Identity server we need to add the XACML Policy
Here I’m going to create the simple User base XACML policy.

Name – EchoServicePolicy
Specify the Role name as “testRole” as well as you have to specify the action as “read” because our Entitlement mediator send the action string as “read
is

Finish the policy and enable the policy to test.
is

Now you can evaluate the policy through the Tryit.

is

But if you click on the “Evaluate with PDP” you will not get Premit because still you not promote the XACML policy to the PDP.

to promote XACML policy to the PDP you can click on the button in front of the policy “sync with PDP“. Now try to “Evaluate with PDP”.

Now we done the configuration on Identity Server.

6. Go to ESB and select the EchoProxy service and go to TryIt.
esb

Here we are using “testuser” which is under the role “testRole” so the XACML engine will permit to access the resource
is

Now go and remove the “testRole” form user “testuser” and try to access the service. Now you can see XACML engine is not permit to user to access the resource.
esb

 
 

Tags: , ,

Invoke secured service(Sign and encrypt) from SoapUI 4.0.0


Here we are using the WSO2ESB 4.0.3 and SoapUI 4.0.0

First of all you have to start the ESB and secure the “echo” service as follows

1. Click on the “List” button under “Web Service” menu and Select the “Unsecured” button to Secure the service in front of “echo” service

esb1

2. Now select “yes” from drop down and selected the policy number “5” and click Next

esb2

3. Select the “Trusted key store” and “Private key store” click Finish

esb3

4. You can see the message “Security applied successfully

esb4

Configuration part in ESB side is finished. What we have to do now is Invoke the secured service through the SoapUI

1. Open the SoapUI and go to “New SoapUI project” and give the service endpoint url with wsdl

ex/ endpoint url – http://localhost:8280/services/echo?wsdl

you can easily take the endpoint url by click on the service

esb5

Place the endpoint url with wsdl and create SoapUI project

so1

2. Click on the created project and select “Show Project View

so2

3. go to “WS-Security Configurations

so3

4. Select “Keystores / Certificates

so4

5. Add new keystore – select the “wso2carbon.jks” that you select to secure the service (you can easily find this here ${ESB_HOME}/repository/resources/security)

so5

so6

so7

6. Set Default Alias as “wso2carbon” and Alias Password as “wso2carbon

so8

7. Select tab “Incoming WS-Security Configuration

so9

Add new record name as “incoming-security

so10

Select Signature keystore as “wso2carbon.jks” and set password as “wso2carbon

so11

8. Select tab “Outgoing WS-Security Configuration

so12

Add new record name as “outgoing-security

so13

so14

Set Alias name as “wso2carbon” and password as “wso2carbon

so15

9. Add new WS Entry “TimeStamp

so16

so17

Set value as “300000

so18

9. Add another WS Entry “Signature

Keystore : wso2carbon.jks
Alias : wso2carbon
Password : wso2carbon
Key Identifier type : Binary Security Token
Signature Algorithm : http://www.w3.org/2000/09/xmldsig#rsa-sha1
Signature Canonicalization : http://www.w3.org/2001/10/xml-exc-c14n#
Digest Algorithm : sha1
Use Single certificate : true

Parts – Add a new sign part for SOAP body. For that use the following values

ID – [keep it as blank]
Name – Body
Namespace – http://www.w3.org/2003/05/soap-envelope
Encode – Content

so19

9. Add another WS Entry “Encryption

so20
Keystore : wso2carbon.jks
Alias : wso2carbon
Password : wso2carbon
Key Identifier type : Binary Security Token
Symmetric Encoding Algorithm : <Default>
Key Encryption Algorithm : <Default>
Encryption Canonicalization : <Default>
Create Encrypted Key : true
Parts – Add a new Encryption part

ID – [keep it as blank]
Name – Body
Namespace – http://www.w3.org/2003/05/soap-envelope
Encode – Content

so24

10. Save the SoapUI project and select the one of function under soap12Binding and go to request

Select “Aut” and Set the  “Outgoing WSS” and “Incoming WSS

so23

11. Invoke the service with the required parameters

so25

 
1 Comment

Posted by on December 19, 2012 in Enterprise Service Bus, java, wso2

 

Tags: ,

How to Invoke the “echo service” secured with Kerberos in WSO2 ESB


This is most useful sample to verify the echo service secured with “kerberos”

First you have to download the WSO2-ESB 4.5.0 and WSO2-IS 4.0.0
In this example IS(Identity Server) act as KDC(key distribution center) so first of all we have to configure the IS

Open the bellow mentioned files and do the required changes

1. $IS_HOME/repository/conf/embedded-ldap.xml

Download Sample embedded-ldap.xml here
under <KDCServer> and  make the property “enable” = true as follows
<Property name=”enabled”>true</Property>

add this property under <KDCServer>
<Property name=”preAuthenticationTimeStampEnabled”>false</Property>

2. $IS_HOME/repository/conf/user-mgt.xml

Download Sample user-mgt.xml here
under <ApacheDSUserStoreManager>
<Property name=”kdcEnabled”>true</Property>

3. $IS_HOME/repository/conf/security/krb5.conf

Download Sample krb5.conf here

[libdefaults]
default_realm = WSO2.ORG
default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
permitted_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
allow_weak_crypto = true

[realms]
WSO2.ORG = {
kdc = 127.0.0.1:8000
}

[domain_realm]
.wso2.org = WSO2.ORG
wso2.org = WSO2.ORG

[login]
krb4_convert = true
krb4_get_tickets = false

4. $IS_HOME/repository/conf/security/jaas.conf

Download Sample jaas.conf here

Server {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=false
storeKey=true
useTicketCache=false
isInitiator=false
principal=”esb/localhost@WSO2.ORG“;
};

Client {
com.sun.security.auth.module.Krb5LoginModule required
useTicketCache=false;
};

Now IS is configured successfully
Go to $IS_HOME/bin and run the wso2serever.sh

If IS configured properly, when your stating the IS you can see this log in command line
“[2012-12-13 14:40:32,426] INFO {org.apache.directory.server.kerberos.kdc.KdcServer} – Kerberos service started.”

Now you have to create the Server principle that we mention in “jass.conf”

Login to IS buy using username – “admin” password -“admin” and go to configure->Service Principle and create   It

is

Register the Server Principle
Service Name : esb/localhost
Description : Test
Password : dinuka
Re Password : dinuka

Next we have to create Client Principle that means “User”

Username : dinuka
Password : dinuka
User Role : admin
is

Lets move to configure the ESB

First go to $ESB_HOME/repository/conf/security/
and place the same krb5.conf and jaas.conf files in $IS_HOME/repository/conf/security/

Open $IS_HOME/repository/conf/carbon.xml and change the offset 0 to 1 and start the ESB
Download sample carbon.xml here

Go to ESB and secure the “echo” service with kerboros

is1

Service Principle Name : esb/localhost
Service Principle Password : dinuka

is2

We are done with the configuration now we have to invoke the echo service so you can download the Java Client from here

You have to set the project dependencies for above client so point the all jars in $ESB_HOME/repository/components/plugins 

If you change username and password at the configuration time you have to make those changes on the above client also Go to policy.xml in the above client and change the following details according to your setting

<rampart:property name=”client.principal.name”>dinuka</rampart:property>
<!– Authenticating user password –>
<rampart:property name=”client.principal.password”>dinuka</rampart:property>
<!– To which service client needs to talk to –>
<rampart:property name=”service.principal.name”>esb/localhost@WSO2.ORG</rampart:property>

Finally change the ECHO_SERVICE_EPR  relevant to the your ESB and run the KerberosClient.java

Results should be

Calling Echo service with parameter – Hello World
Response : <ns:echoStringResponse xmlns:ns=”http://echo.services.core.carbon.wso2.org”><return>Hello World</return></ns:echoStringResponse>

 
1 Comment

Posted by on December 13, 2012 in Enterprise Service Bus, Identity Server, java, wso2

 
 
%d bloggers like this: