Support For Policy-Alternatives in Metro2.1 for GlassFish 3.1 OWSM Interop

This page will describe the design for Policy-Alternatives support in Metro in order to achieve GlassFish 3.1 <-> OWSM interoperability.

  • Kumar Jayanti

1. Introduction

Product Management has defined several interop scenarios between Metro 2.0.1/2.1 WebServices and OWSM (Oracle WebServices Manager). The detailed set of interop scenarios can be accessed here.

2. Risk

Oracle (OWSM) has support for Policy Alternatives and a few of the interop scenarios require support for Policy Alternatives in the most generic sense within Metro 2.1. Metro has never supported Policy Alternatives (though the WS-Policy implementation/design is capable of dealing with alternatives). The primary reason given by the Metro WS-Policy team is that one can easily have an incoming message that matches several distinct policy alternatives and one has no way of determining which of the matching policy alternatives to apply in that case.

3. Support for Policy Alternatives

Server Side Support for Policy Alternatives

The PolicyAssertionValidators already run on the server side, so the WS-SecurityPolicy implementation in Metro has to be updated to implement the Validation/Selection logic.

Client Side Support for Policy Alternatives

In practice we have two possible scenarios for the client side:

1. Metro client supports all alternatives, so it doesn't matter which one it picks.
2. Metro client supports only some alternatives and happens to pick an unsupported one. That should not actually happen because we compute a score for each alternative based on whether the policy assertions in the alternative are known and supported. The alternative with the best score (i.e. ideally all assertions are known and supported) is picked.

So the current thinking is that for the client, we could use the already existing PolicyAssertionValidator API. The relevant class to look at is com.sun.xml.ws.security.policy.SecurityAssertionValidator and its uses in the WSIT workspace. That could be used to assign the highest fitness to the alternative we want to choose. The validator is invoked once for every single top-level assertion of an alternative.

Updating Metro WS-Security Implementation to handle Alternatives

Once we have information on Alternatives on the Client Side, the Metro Runtime would pick one of them and pass it over to the WS-Security implementation Layer in Metro. So there is no additional work in the WS-Security runtime.

On the Server side, the Metro WS-Security implementation (especially the code that does policy verification) and the PolicyResolver and PolicyVerifier interfaces would have to be upgraded to handle alternatives.

The Algorithm for doing PolicyVerification currently assumes no Alternatives and hence has to be rewritten.

Policy of One of the two Interop Scenarios that require Alternatives Support

<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:orawsp="http://schemas.oracle.com/ws/2006/01/policy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" orawsp:provides="{http://schemas.oracle.com/ws/2006/01/policy}token.x509, {http://docs.oasis-open.org/ns/opencsa/sca/200903}authentication, {http://docs.oasis-open.org/ns/opencsa/sca/200903}clientAuthentication, {http://docs.oasis-open.org/ns/opencsa/sca/200903}clientAuthentication.message, {http://docs.oasis-open.org/ns/opencsa/sca/200903}integrity, {http://docs.oasis-open.org/ns/opencsa/sca/200903}integrity.message, {http://docs.oasis-open.org/ns/opencsa/sca/200903}confidentiality, {http://docs.oasis-open.org/ns/opencsa/sca/200903}confidentiality.message, {http://schemas.oracle.com/ws/2006/01/policy}messageProtection" wsu:Id="wss11_saml_or_username_token_with_message_protection_service_policy">
		<wsp:ExactlyOne>
			<wsp:All>
				<sp:SymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
					<wsp:Policy>
						<sp:ProtectionToken>
							<wsp:Policy>
								<sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
									<wsp:Policy>
										<sp:RequireThumbprintReference/>
										<sp:WssX509V3Token11/>
									</wsp:Policy>
								</sp:X509Token>
							</wsp:Policy>
						</sp:ProtectionToken>
						<sp:AlgorithmSuite>
							<wsp:Policy>
								<sp:Basic128/>
							</wsp:Policy>
						</sp:AlgorithmSuite>
						<sp:Layout>
							<wsp:Policy>
								<sp:Lax/>
							</wsp:Policy>
						</sp:Layout>
						<sp:IncludeTimestamp/>
						<sp:ProtectTokens/>
						<sp:OnlySignEntireHeadersAndBody/>
					</wsp:Policy>
				</sp:SymmetricBinding>
				<sp:SignedSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
					<wsp:Policy>
						<sp:SamlToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
							<wsp:Policy>
								<sp:WssSamlV11Token11/>
							</wsp:Policy>
						</sp:SamlToken>
					</wsp:Policy>
				</sp:SignedSupportingTokens>
				<sp:EndorsingSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
					<wsp:Policy>
						<sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
							<wsp:Policy>
								<sp:WssX509V3Token11/>
							</wsp:Policy>
						</sp:X509Token>
					</wsp:Policy>
				</sp:EndorsingSupportingTokens>
				<sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
					<wsp:Policy>
						<sp:RequireSignatureConfirmation/>
						<sp:MustSupportRefEncryptedKey/>
					</wsp:Policy>
				</sp:Wss11>
			</wsp:All>
			<wsp:All>
				<sp:SymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
					<wsp:Policy>
						<sp:ProtectionToken>
							<wsp:Policy>
								<sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
									<wsp:Policy>
										<sp:RequireThumbprintReference/>
										<sp:WssX509V3Token11/>
									</wsp:Policy>
								</sp:X509Token>
							</wsp:Policy>
						</sp:ProtectionToken>
						<sp:AlgorithmSuite>
							<wsp:Policy>
								<sp:Basic128/>
							</wsp:Policy>
						</sp:AlgorithmSuite>
						<sp:Layout>
							<wsp:Policy>
								<sp:Lax/>
							</wsp:Policy>
						</sp:Layout>
						<sp:IncludeTimestamp/>
						<sp:OnlySignEntireHeadersAndBody/>
					</wsp:Policy>
				</sp:SymmetricBinding>
				<sp:SignedSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
					<wsp:Policy>
						<sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
							<wsp:Policy>
								<sp:WssUsernameToken10/>
							</wsp:Policy>
						</sp:UsernameToken>
					</wsp:Policy>
				</sp:SignedSupportingTokens>
				<sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
					<wsp:Policy>
						<sp:RequireSignatureConfirmation/>
						<sp:MustSupportRefEncryptedKey/>
					</wsp:Policy>
				</sp:Wss11>
			</wsp:All>
		</wsp:ExactlyOne>
</wsp:Policy>
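As an added example (not Metro's or OWSM's code), the selection logic described in section 3 run against a constructed, abbreviated form of the policy above: the client picks the alternative whose weakest top-level assertion scores best, and the server lists the alternatives that an incoming security header satisfies, which shows the several-matches ambiguity from section 2. The numeric fitness levels and the per-alternative minimum are assumptions, not Metro's actual PolicyAssertionValidator API.

```python
import xml.etree.ElementTree as ET

WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
SP = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"

# Constructed, abbreviated form of the policy shown on this page: the two wsp:All alternatives
# differ in their signed supporting token, and only the first also requires an endorsing token.
POLICY = f"""<wsp:Policy xmlns:wsp="{WSP}" xmlns:sp="{SP}"><wsp:ExactlyOne>
 <wsp:All><sp:SymmetricBinding/><sp:Wss11/>
  <sp:SignedSupportingTokens><wsp:Policy><sp:SamlToken/></wsp:Policy></sp:SignedSupportingTokens>
  <sp:EndorsingSupportingTokens><wsp:Policy><sp:X509Token/></wsp:Policy></sp:EndorsingSupportingTokens>
 </wsp:All>
 <wsp:All><sp:SymmetricBinding/><sp:Wss11/>
  <sp:SignedSupportingTokens><wsp:Policy><sp:UsernameToken/></wsp:Policy></sp:SignedSupportingTokens>
 </wsp:All>
</wsp:ExactlyOne></wsp:Policy>"""

# Fitness levels, lowest to highest (an assumption modelled on the fitness values a Metro
# PolicyAssertionValidator reports; this is not the project's own code).
UNSUPPORTED, UNKNOWN, SUPPORTED = 0, 1, 2

def alternatives(policy_xml):
    """Each wsp:All becomes a list of its top-level assertion names; a supporting-token
    assertion is qualified by the token it nests, e.g. SignedSupportingTokens/SamlToken."""
    alts = []
    for alt in ET.fromstring(policy_xml).iter(f"{{{WSP}}}All"):
        names = []
        for assertion in alt:
            nested = [t.tag.rpartition("}")[2] for t in assertion.findall(f"{{{WSP}}}Policy/*")]
            names.append("/".join([assertion.tag.rpartition("}")[2]] + nested[:1]))
        alts.append(names)
    return alts

def select_client_alternative(alts, validator):
    """Client side: the validator runs once per top-level assertion and an alternative is
    only as fit as its weakest assertion; the fittest alternative wins (first one on ties)."""
    return max(alts, key=lambda alt: min(validator(a) for a in alt))

def required_tokens(alt):
    return {a.split("/", 1)[1] for a in alt if "/" in a}

def matching_server_alternatives(alts, message_tokens):
    """Server side: indexes of the alternatives whose supporting tokens all appear in the
    received security header. More than one match is the ambiguity section 2 warns about."""
    return [i for i, alt in enumerate(alts) if required_tokens(alt) <= set(message_tokens)]

def client_without_saml(assertion):
    # Constructed validator for a client that implements every assertion except SAML tokens.
    return UNSUPPORTED if assertion.endswith("/SamlToken") else SUPPORTED
```

A header carrying both a SAML token and a UsernameToken satisfies both alternatives, which is exactly the case the Metro WS-Policy team raised: the policy alone does not say which one to apply.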