WSE-Security 3.0

  • jvrobert
    Message 1 of 4 , Aug 7, 2006
      I've hacked (horribly, embarrassingly) a wrapper to SOAP::Lite that
      seems to work and allows a SOAP::Lite Perl client to connect to a WSE-
      Security enabled .NET Web Service.

      It's terrible code, I'm not really experienced in Kerberos or
      SOAP::Lite, and I shamelessly copied some of the code from
      LWP::Authen::Negotiate for an example of how to encode the
      BinaryToken.

      I don't know enough about SOAP::Lite to do a real patch, so I kludged
      together a cheesy wrapper class for SOAP::Lite. It would be awesome
      if this functionality was built into SOAP::Lite at some point (that's
      why I'm posting this).

      It depends on GSSAPI. Here's an example script that uses the wrapper,
      followed by the wrapper itself.

      #!/path/to/perl
      use strict;
      use warnings;
      use WSEWrap;
      #use SOAP::Lite +trace => [qw(all)];

      # 'debug' is consumed by WSEWrap; the remaining arguments go to SOAP::Lite->new.
      my $soap = WSEWrap->new(
          ns        => 'http://tempuri.org',
          proxy     => 'http://mysoapserver.mycorp.com:8081/Service.asmx',
          on_action => sub { join '/', 'http://tempuri.org', $_[1] },
          debug     => 1,
      );
      # Obtain a Kerberos AP-REQ for host@<proxy host> and build the WS-Security header.
      if (! $soap->wse_auth()) {
          print $soap->auth_error() . "\n";
          exit(1);
      }

      # Any method WSEWrap does not recognise as a SOAP::Lite method is sent as a
      # remote call, with the wsse:Security / wsa:* header prepended.
      my $hw = $soap->HelloWorld();
      my $whoami = $hw->result;
      print "You authenticated via kerberos as: $whoami\n";

      Here is the WSEWrap.pm code (ugly, but works for at least my casual
      needs)

      package WSEWrap;

      use strict;
      use warnings;
      use SOAP::Lite;
      use MIME::Base64;
      use URI;
      use GSSAPI;

      our $AUTOLOAD;

      sub new {
          my $class = shift;
          my $self = bless {}, $class;
          $self->{args} = {@_};
          # 'debug' is ours; pass the rest to SOAP::Lite in the order given
          # (SOAP::Lite->new only warns about parameters it does not know).
          my @soap_args;
          for (my $i = 0; $i < @_; $i += 2) {
              push @soap_args, @_[$i, $i + 1] unless $_[$i] eq 'debug';
          }
          $self->{soap} = SOAP::Lite->new(@soap_args);
          # Record every real SOAP::Lite method, so AUTOLOAD can tell a local
          # method call (proxy, ns, ...) from a remote SOAP call.
          no strict 'refs';
          foreach my $f (keys %{"SOAP::Lite::"}) {
              next if $f =~ /::/;
              $self->{delegates}->{$f} = 1 if defined *{"SOAP::Lite::$f"}{CODE};
          }
          return $self;
      }

      sub auth_error {
          return $_[0]->{last_error};
      }

      sub wse_auth {
          my $self = shift;
          my $host = URI->new($self->{args}->{proxy})->host();
          my ($target, $tname, $otoken);
          # Host-based service principal host@<fqdn>; import can fail, so check it.
          my $status = GSSAPI::Name->import($target, "host\@$host",
                                            GSSAPI::OID::gss_nt_hostbased_service);
          if ($status->major != GSS_S_COMPLETE) {
              $self->{last_error} = "GSSAPI::Name->import failed: " . $status->specific_message;
              return 0;
          }
          $target->display($tname);
          # print "wse_auth: TNAME=$tname\n" if $self->{args}->{debug};
          my $ctx      = GSSAPI::Context->new();
          my $imech    = GSSAPI::OID::gss_mech_krb5;
          my $iflags   = GSS_C_REPLAY_FLAG;
          my $bindings = GSS_C_NO_CHANNEL_BINDINGS;
          my $creds    = GSS_C_NO_CREDENTIAL;
          my $itime    = 0;
          # One-shot context initiation: the output token is the AP-REQ we send.
          $status = $ctx->init($creds, $target, $imech, $iflags, $itime, $bindings,
                               undef, undef, $otoken, undef, undef);
          if ($status->major != GSS_S_COMPLETE) {
              $self->{last_error} = $status->specific_message;
              if ($self->{last_error} =~ /open.*: No such file or directory/) {
                  $self->{last_error} = "ERROR: Unable to open token file - did you kinit?\n"
                                      . "ERROR: [$self->{last_error}]";
              }
              return 0;
          }
          # Our binary token in base64 (no line breaks)
          $self->{pw} = encode_base64($otoken, "");
          # Add some namespace declarations
          my $ser = $self->{soap}->serializer();
          $ser->register_ns('http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd', 'wsse');
          $ser->register_ns('http://schemas.xmlsoap.org/ws/2004/08/addressing', 'wsa');
          $ser->register_ns('http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd', 'wsu');
          # Build our header additions: the AP-REQ as a Kerberos Token Profile BinarySecurityToken
          my $unt = SOAP::Data->name('wsse:BinarySecurityToken')->value($self->{pw})->type('');
          $unt->attr({
              ValueType    => 'http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ',
              EncodingType => 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary',
          });
          my $sec = SOAP::Data->name('wsse:Security' => \$unt);
          $sec->mustUnderstand(1);
          # WS-Addressing headers WSE expects. The Action below is the one my test
          # service used; adjust it to the operation you call.
          my $wsa = SOAP::Data->name('wsa:Action'
              => 'http://core.intel.com/schemas/pcam/test/06-30-2006/kerberos/WhoAmI')->type('');
          # Built but not included in the header below.
          my $wsa1 = SOAP::Data->name('wsa:ReplyTo' => \SOAP::Data->name('wsa:Address'))
              ->value('http://chsamba.org');
          # Fixed id here; WS-Addressing intends a fresh uuid per message.
          my $wsa2 = SOAP::Data->name('wsa:MessageID' => 'uuid:bebff702-0e8d-4705-8793-7dc39efecf0c');
          # wsa:To names the endpoint we actually talk to (the configured proxy).
          my $wsa3 = SOAP::Data->name('wsa:To' => $self->{args}->{proxy});
          $self->{header} = SOAP::Header->value($sec, $wsa, $wsa2, $wsa3);
          return 1;
      }

      sub AUTOLOAD {
          my $self = shift;
          (my $method = $AUTOLOAD) =~ s/^WSEWrap:://;
          return if $method eq 'DESTROY';
          # Remote calls (anything that is not a SOAP::Lite method) get the
          # security/addressing header prepended to their parameters.
          if ($self->{header} && ! $self->{delegates}->{$method}) {
              unshift(@_, $self->{header});
          }
          return $self->{soap}->$method(@_);
      }

      1;
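      As an added example that is not part of this thread or the wrapper above: the receiving side's checks on the header the wrapper emits. The Python below parses a SOAP envelope, confirms the wsse:BinarySecurityToken carries the Kerberos Token Profile ValueType and Base64Binary EncodingType the wrapper sets, and checks that the decoded bytes are a GSS-API initial context token for the Kerberos V5 mechanism with the AP-REQ TOK_ID (RFC 2743 framing, RFC 4121 token id) before a service would hand them to GSSAPI; the envelope and token bytes are constructed, not a real ticket.

```python
import base64
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
KRB_VALUE_TYPE = "http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ"
B64_ENCODING = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
KRB5_MECH_OID = bytes.fromhex("2a864886f712010202")  # 1.2.840.113554.1.2.2 (Kerberos V5)

def gss_initial_token(inner: bytes) -> bytes:
    """Wrap inner bytes as an RFC 2743 InitialContextToken: 0x60 <len> 0x06 0x09 <krb5 OID> <inner>."""
    body = b"\x06\x09" + KRB5_MECH_OID + inner
    return b"\x60" + bytes([len(body)]) + body  # constructed sample stays under 128 bytes (short-form length)

def is_krb5_ap_req(token: bytes) -> bool:
    """True if token is a GSS-API krb5 token whose TOK_ID is 01 00 (AP-REQ, RFC 4121)."""
    if len(token) < 2 or token[0] != 0x60:
        return False
    n, pos = token[1], 2                       # DER length, short or long form
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(token[2:2 + k], "big"), 2 + k
    body = token[pos:pos + n]
    return (len(body) == n and body[:2] == b"\x06\x09"
            and body[2:11] == KRB5_MECH_OID and body[11:13] == b"\x01\x00")

def extract_kerberos_token(envelope: str) -> bytes:
    """Return the decoded AP-REQ carried in wsse:Security, or raise ValueError."""
    root = ET.fromstring(envelope)
    bst = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{WSSE}}}BinarySecurityToken")
    if bst is None:
        raise ValueError("no wsse:BinarySecurityToken in the Security header")
    if bst.get("ValueType") != KRB_VALUE_TYPE or bst.get("EncodingType") != B64_ENCODING:
        raise ValueError("unexpected ValueType/EncodingType on BinarySecurityToken")
    token = base64.b64decode((bst.text or "").strip(), validate=True)
    if not is_krb5_ap_req(token):
        raise ValueError("token bytes are not a GSS-API Kerberos V5 AP-REQ")
    return token

# Constructed sample: AP-REQ-shaped token (TOK_ID 01 00 plus filler), not a real service ticket.
SAMPLE_TOKEN = gss_initial_token(b"\x01\x00" + b"\x00" * 8)
SAMPLE_ENVELOPE = f"""<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsse="{WSSE}">
<soap:Header><wsse:Security soap:mustUnderstand="1">
<wsse:BinarySecurityToken ValueType="{KRB_VALUE_TYPE}" EncodingType="{B64_ENCODING}">
{base64.b64encode(SAMPLE_TOKEN).decode()}
</wsse:BinarySecurityToken></wsse:Security></soap:Header>
<soap:Body><HelloWorld xmlns="http://tempuri.org"/></soap:Body></soap:Envelope>"""
```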
    • Cédric BOUFFLERS
      Message 2 of 4 , Aug 10, 2006
        Hello,

        There is an implementation of WS Resource Framework (including WS-Security)
        in progress:
        http://www.sve.man.ac.uk/Research/AtoZ/ILCT

        Although I am not sure it fulfils your requirements.

        Note that I am also greatly interested in using WS-Security with my
        PERL web services, so if you have any other valuable information in that
        field, I would be very pleased if you could share it :)

        Regards,
        Cédric Boufflers

        -----Original Message-----
        From: soaplite@yahoogroups.com [mailto:soaplite@yahoogroups.com] On Behalf
        Of jvrobert
        Sent: Monday, 7 August 2006 23:33
        To: soaplite@yahoogroups.com
        Subject: [soaplite] WSE-Security 3.0

      • Achim Grolms
        Message 3 of 4 , Aug 12, 2006
          On Monday 07 August 2006 23:33, jvrobert wrote:

          > I'm not really experienced in Kerberos or
          > SOAP::Lite, and I shamelessly copied some of the code from
          > LWP::Authen::Negotiate for an example of how to encode the
          > BinaryToken.

          If there are Kerberos (and GSSAPI) questions maybe I can help.
          I am not experienced in WSE 3.0 (I only used Kerberos Authentication
          on HTTP-Layer against IIS with SOAP::Lite).

          I have read the examples on
          <http://msdn.microsoft.com/msdnmag/issues/06/02/WSE30/>
          The examples use 'HOST' (in uppercase) as service name.
          Your code uses 'host' in lowercase as service name.
          What standard specifies what is correct, and where can I
          download that standard?

          In general: If you use GSSAPI.pm always check the return values
          (GSSAPI::Name->import can fail, for example),
          many things can go wrong in the GSSAPI (Kerberos) layer,
          and if the user of your code gets no error messages from
          the Kerberos system he will be lost...

          > I don't know enough about SOAP::Lite to do a real patch,

          Me too, but I am willing to add my knowledge on Kerberos and GSSAPI
          (If someone needs it).

          > Here's an example script that uses the wrapper,
          > followed by the wrapper itself.

          Thank you,
          Achim
        • Achim Grolms
          Message 4 of 4 , Aug 12, 2006
            On Thursday 10 August 2006 11:14, you wrote:
            > Hello,
            >
            > There is an implementation of WS Resource Framework (including WS-Security)
            > in progress:
            > http://www.sve.man.ac.uk/Research/AtoZ/ILCT

            I have not found a reference to GSSAPI or Kerberos.
            Website http://www.sve.man.ac.uk/Research/AtoZ/ILCT says

            "SRF::Lite from version 0.4 provides beta level support for signing and
            verifying SOAP messages using X509 digital certificates according to the
            OASIS standard for WS-Security. "

            I have had a look into WSRF-Lite.0.6.tar
            and grepped for GSSAPI or Kerberos.

            Does it support GSSAPI (and Kerberos)?

            Achim