 |
|
You are here: Wiki>Security Web>ConceptualWork>CurrentWorkflowOWS6 (11 Jun 2013, EikeJuerrens)Edit Attach
Key distribution
- client :
- client private & public key
- sts public key
- gatekeeper public key
- sts:
- sts private & public key
- client public key
- gatekeeper public key
- gateekper
- gateeekeper private & public key
- client public key
- sts public key
1. GetMetadata Request:
selected HTTP header elements
Content-Type: text/xml; charset=UTF-8 SOAPAction: "http://schemas.xmlsoap.org/ws/2004/09/mex/GetMetadata/Request" User-Agent: Axis2
security elements
NONESOAP-Payload
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<mex:GetMetadata xmlns:mex="http://schemas.xmlsoap.org/ws/2004/09/mex">
<mex:Dialect>http://schemas.xmlsoap.org/ws/2004/09/policy</mex:Dialect>
</mex:GetMetadata>
</soapenv:Body>
</soapenv:Envelope>
2. GetMetadata Response
security elements
NONESOAP-Payload
<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<mex:Metadata xmlns:mex="http://schemas.xmlsoap.org/ws/2004/09/mex" xmlns:tns="http://gatekeeper.service.security.n52.org">
<mex:MetadataSection Dialect="http://schemas.xmlsoap.org/ws/2004/09/policy">
<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:geodrm="urn:ogc:ows4:geodrm:licensing"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsp:ExactlyOne>
<wsp:All>
<wsp:Policy wsu:Id="IdentityPrecondition">
<wsse:RelatedService wsse:ServiceType="wsse:ServiceIP">
<wsa:EndpointReference>
<wsa:Address>
http://localhost:8080/52n-security-sts-webapp-0.1/services/STS
</wsa:Address>
</wsa:EndpointReference>
</wsse:RelatedService>
<wsse:SecurityToken wsp:Usage="wsp:Required">
<wsse:TokenType>
SAMLAssertion
</wsse:TokenType>
</wsse:SecurityToken>
</wsp:Policy>
<!-- <wsp:Policy wsu:Id="LicensePrecondition">
<wsse:RelatedService wsse:ServiceType="wsse:ServiceSTS">
<wsa:EndpointReference>
<wsa:Address>
${licbro.uri}
</wsa:Address>
</wsa:EndpointReference>
</wsse:RelatedService>
<geodrm:LicenseToken wsp:Usage="wsp:Required">
<wsse:TokenType>
SAMLAssertion
</wsse:TokenType>
</geodrm:LicenseToken>
</wsp:Policy> -->
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
</mex:MetadataSection>
</mex:Metadata>
</soapenv:Body>
</soapenv:Envelope>
3. Request Security Token
selected HTTP header elements
Content-Type: application/soap+xml; charset=UTF-8; action="http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue" User-Agent: Axis2
security elements
- WS-Security UsernameToken
- Timestamp
SOAP-Payload
<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope">
<soapenv:Header xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="true">
<wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-20038146">
<wsu:Created>2009-07-06T17:02:42.109Z</wsu:Created>
<wsu:Expires>2009-07-06T17:07:42.109Z</wsu:Expires>
</wsu:Timestamp>
<wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="UsernameToken-28856183">
<wsse:Username>client</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">apache</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
<wsa:To>http://localhost:9090/52n-security-sts-webapp/services/STS</wsa:To>
<wsa:ReplyTo>
<wsa:Address>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:Address>
</wsa:ReplyTo>
<wsa:MessageID>urn:uuid:9E492719DF65B450741246899762228</wsa:MessageID>
<wsa:Action>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</wsa:Action>
</soapenv:Header>
<soapenv:Body>
<wst:RequestSecurityToken xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust">
<wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</wst:RequestType>
<wst:Lifetime>
<wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2009-07-06T17:02:42.093Z</wsu:Created>
<wsu:Expires xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2009-07-06T17:07:42.093Z</wsu:Expires>
</wst:Lifetime>
<wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</wst:TokenType>
<wst:KeyType>http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey</wst:KeyType>
<wst:KeySize>256</wst:KeySize>
</wst:RequestSecurityToken>
</soapenv:Body>
</soapenv:Envelope>
4. Request Security Token Response
selected HTTP header elements
Content-Type: application/soap+xml; action="http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue";charset=UTF-8
security elements
- SOAP Message Timestamp
- WS-Trust Timestamp
- SAMLToken 1.1
- Timestamp
- embedded client certificate
- signed with sts key
SOAP-Payload
<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope">
<soapenv:Header xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="true">
<wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-4964214">
<wsu:Created>2009-07-06T17:02:42.203Z</wsu:Created>
<wsu:Expires>2009-07-06T17:07:42.203Z</wsu:Expires>
</wsu:Timestamp>
</wsse:Security>
<wsa:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:To>
<wsa:MessageID>urn:uuid:4F9B8B42EE96A7E7DC1246899762151</wsa:MessageID>
<wsa:Action>http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue</wsa:Action>
<wsa:RelatesTo>urn:uuid:9E492719DF65B450741246899762228</wsa:RelatesTo>
</soapenv:Header>
<soapenv:Body>
<wst:RequestSecurityTokenResponse xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust">
<wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</wst:TokenType>
<wst:RequestedAttachedReference>
<wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:Reference URI="#_3f08b28b502473583ff6fb87217c12fa" ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"/>
</wsse:SecurityTokenReference>
</wst:RequestedAttachedReference>
<wst:RequestedUnattachedReference>
<wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:Reference URI="_3f08b28b502473583ff6fb87217c12fa" ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"/>
</wsse:SecurityTokenReference>
</wst:RequestedUnattachedReference>
<wst:Lifetime>
<wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2009-07-06T17:02:42.156Z</wsu:Created>
<wsu:Expires xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2009-07-06T17:07:42.156Z</wsu:Expires>
</wst:Lifetime>
<wst:RequestedSecurityToken>
<Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="_3f08b28b502473583ff6fb87217c12fa" IssueInstant="2009-07-06T17:02:42.187Z" Issuer="STS" MajorVersion="1" MinorVersion="1">
<Conditions NotBefore="2009-07-06T17:02:42.156Z" NotOnOrAfter="2009-07-06T17:07:42.156Z"/>
<AuthenticationStatement AuthenticationInstant="2009-07-06T17:02:42.156Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
<Subject>
<NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">client</NameIdentifier>
<SubjectConfirmation>
<ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</ConfirmationMethod>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509Data xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<X509Certificate>MIICTDCCAbUCBEbJZMQwDQYJKoZIhvcNAQEEBQAwbDELMAkGA1UEBhMCTEsxEDAOBgNVBAgTB1dlc3Rlcm4xEDAOBgNVBAcTB0NvbG9tYm8xDzANBgNVBAoTBkFwYWNoZTEQMA4GA1UECxMHUmFtcGFydDEWMBQGA1UEAxMNU2FtcGxlIENsaWVudDAgFw0wNzA4MjAwOTU0MTJaGA8yMDYyMDUyMzA5NTQxMlowbDELMAkGA1UEBhMCTEsxEDAOBgNVBAgTB1dlc3Rlcm4xEDAOBgNVBAcTB0NvbG9tYm8xDzANBgNVBAoTBkFwYWNoZTEQMA4GA1UECxMHUmFtcGFydDEWMBQGA1UEAxMNU2FtcGxlIENsaWVudDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAhjQp2NJRUrAEsPYIlg26m34O16E6WkyBWMbkSvy/FJQoNg2HSOtqF/DHmej7qqJCDtiHtdZqCTOo28cpyB3XJ0g6y23ADTy1v7qUjYieF4Bn3p9QFtyznUmKyZ6hK4CjGraYvcDgjRlnPkfeyVnNamkzJB7TVRaLkumRlxHgxm0CAwEAATANBgkqhkiG9w0BAQQFAAOBgQBNLSbNEaGBj8GBoXWBndY3JFvblPvI2mDbtZsNiggGOCezyAufGe6RnR3s5DjR5YQqPcMiDtlskFQm4/SRN2Yh16E6l7LfsOhGQsPiPrDrci4T18pz1eDLSrtJiiBah1NdeISaD0kpoUiaNKiQiu16JCnxc8tGSw3nSPg44aLYmA==</X509Certificate>
</X509Data>
</KeyInfo>
</SubjectConfirmation>
</Subject>
</AuthenticationStatement>
<AttributeStatement>
<Subject>
<NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">client</NameIdentifier>
</Subject>
<Attribute AttributeName="urn:n52:authentication:subject:principal:role" AttributeNamespace="def">
<AttributeValue>main</AttributeValue>
<AttributeValue>bob</AttributeValue>
</Attribute>
</AttributeStatement>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#_3f08b28b502473583ff6fb87217c12fa">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="code ds kind rw saml samlp typens #default xsd xsi"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>wHuGZFDFfxoOFnPZcshLlkUSye0=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
IJZojCy+6BEhTkmn3OvTKpyVcVlTSe7EBWv9KHIbN450CkS30dcOcHTHx1DEmbu6fvr/os0zYMra
gQDQcTRnGNdInDZO47ZSU19gSwzgBgmyj9pihYfZ9/I4k2T50aaPfo7qCcQ7Aszdoiwje3c8rgzT
W75lJjcwCnpmH+mUwZs=
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
MIICTjCCAbcCBEbJZQEwDQYJKoZIhvcNAQEEBQAwbTELMAkGA1UEBhMCTEsxEDAOBgNVBAgTB1dl
c3Rlcm4xEDAOBgNVBAcTB0NvbG9tYm8xDzANBgNVBAoTBkFwYWNoZTEQMA4GA1UECxMHUmFtcGFy
dDEXMBUGA1UEAxMOU2FtcGxlIFNlcnZpY2UwIBcNMDcwODIwMDk1NTEzWhgPMjA2MjA1MjMwOTU1
MTNaMG0xCzAJBgNVBAYTAkxLMRAwDgYDVQQIEwdXZXN0ZXJuMRAwDgYDVQQHEwdDb2xvbWJvMQ8w
DQYDVQQKEwZBcGFjaGUxEDAOBgNVBAsTB1JhbXBhcnQxFzAVBgNVBAMTDlNhbXBsZSBTZXJ2aWNl
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCDtgg6ess2lU1yOD48/iiAlWObB0WwAQtFG4bb
2KyvOE9dRF7+d/aZrHti3QWs6dtHpGkVMLgpomoq7APEq1kQnRvduk2T6ln83Jw1EpPDXH/emqeC
9OdNqHZj3eoyf34JMmgShuviYDqYaK4HkRmZMiJ13aPeZzPl60yBWydAuwIDAQABMA0GCSqGSIb3
DQEBBAUAA4GBACVcoAqNbjO7+Jbm6+3pyYagQoBpdHZLnR8EU9/CRKmUGTj5qjXqYtE+Eka6OYKB
zv/dHdYlB2X3yH3YlSx1OtA3+5xl4VIjYODlgh9Bs9Tbqj1tw0G37dLrlG97kJAVjrkfm743N9EH
KFtFaX4iF1tWbGxa4+vIbbV4CaUG5s5x
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
</Assertion>
</wst:RequestedSecurityToken>
</wst:RequestSecurityTokenResponse>
</soapenv:Body>
</soapenv:Envelope>
5. Gateeekper Request
security elements
- SOAP Message Timestamp
- WS-Trust Timestamp
- SAMLToken 1.1
- Timestamp
- embedded client certificate
- signed with sts key
- parts encrypted with gatekeeper key
selected HTTP header elements
Content-Type: multipart/related; boundary=MIMEBoundaryurn_uuid_9E492719DF65B450741246899773073; type="application/xop+xml"; start="<0.urn:uuid:9E492719DF65B450741246899773074@apache.org>"; start-info="text/xml" SOAPAction: "urn:method"
first part
Content-Type: application/xop+xml; charset=UTF-8; type="text/xml" Content-Transfer-Encoding: binary Content-ID: <0.urn:uuid:9E492719DF65B450741246899773074@apache.org>
SOAP-Playoad
<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<soapenv:Header xmlns:wsa="http://www.w3.org/2005/08/addressing">
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1">
<wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-23426441">
<wsu:Created>2009-07-06T17:02:52.843Z</wsu:Created>
<wsu:Expires>2009-07-06T17:07:52.843Z</wsu:Expires>
</wsu:Timestamp>
<xenc:EncryptedKey Id="EncKeyId-urn:uuid:A4E69FD63028426E9B12468997728908">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference>
<wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">HYL371NzoOs2+IA24VDkBGcUFQM=</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>Eo+pZunwGRyrQd865sPPt6wsLHgid4l2CY88qD2hb9FDXEDN4nBHJMQqbcWW6EqdHysYNTQ5k6IVtTb9pG90ivK8WDHdH43ZvemMLxuYTpOQE/HtvMcjw/w3KMDxssRVy7/iVA7pAvlQO5Bzt7Dm8ImoFauTRJhn+BYtdztuVIk=</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedKey>
<Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="_3f08b28b502473583ff6fb87217c12fa" IssueInstant="2009-07-06T17:02:42.187Z" Issuer="STS" MajorVersion="1" MinorVersion="1">
<Conditions NotBefore="2009-07-06T17:02:42.156Z" NotOnOrAfter="2009-07-06T17:07:42.156Z"/>
<AuthenticationStatement AuthenticationInstant="2009-07-06T17:02:42.156Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
<Subject>
<NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">client</NameIdentifier>
<SubjectConfirmation>
<ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</ConfirmationMethod>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<X509Certificate>MIICTDCCAbUCBEbJZMQwDQYJKoZIhvcNAQEEBQAwbDELMAkGA1UEBhMCTEsxEDAOBgNVBAgTB1dlc3Rlcm4xEDAOBgNVBAcTB0NvbG9tYm8xDzANBgNVBAoTBkFwYWNoZTEQMA4GA1UECxMHUmFtcGFydDEWMBQGA1UEAxMNU2FtcGxlIENsaWVudDAgFw0wNzA4MjAwOTU0MTJaGA8yMDYyMDUyMzA5NTQxMlowbDELMAkGA1UEBhMCTEsxEDAOBgNVBAgTB1dlc3Rlcm4xEDAOBgNVBAcTB0NvbG9tYm8xDzANBgNVBAoTBkFwYWNoZTEQMA4GA1UECxMHUmFtcGFydDEWMBQGA1UEAxMNU2FtcGxlIENsaWVudDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAhjQp2NJRUrAEsPYIlg26m34O16E6WkyBWMbkSvy/FJQoNg2HSOtqF/DHmej7qqJCDtiHtdZqCTOo28cpyB3XJ0g6y23ADTy1v7qUjYieF4Bn3p9QFtyznUmKyZ6hK4CjGraYvcDgjRlnPkfeyVnNamkzJB7TVRaLkumRlxHgxm0CAwEAATANBgkqhkiG9w0BAQQFAAOBgQBNLSbNEaGBj8GBoXWBndY3JFvblPvI2mDbtZsNiggGOCezyAufGe6RnR3s5DjR5YQqPcMiDtlskFQm4/SRN2Yh16E6l7LfsOhGQsPiPrDrci4T18pz1eDLSrtJiiBah1NdeISaD0kpoUiaNKiQiu16JCnxc8tGSw3nSPg44aLYmA==</X509Certificate>
</X509Data>
</KeyInfo>
</SubjectConfirmation>
</Subject>
</AuthenticationStatement>
<AttributeStatement>
<Subject>
<NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">client</NameIdentifier>
</Subject>
<Attribute AttributeName="urn:n52:authentication:subject:principal:role" AttributeNamespace="def">
<AttributeValue>main</AttributeValue>
<AttributeValue>bob</AttributeValue>
</Attribute>
</AttributeStatement>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#_3f08b28b502473583ff6fb87217c12fa">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="code ds kind rw saml samlp typens #default xsd xsi"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>wHuGZFDFfxoOFnPZcshLlkUSye0=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
IJZojCy+6BEhTkmn3OvTKpyVcVlTSe7EBWv9KHIbN450CkS30dcOcHTHx1DEmbu6fvr/os0zYMra
gQDQcTRnGNdInDZO47ZSU19gSwzgBgmyj9pihYfZ9/I4k2T50aaPfo7qCcQ7Aszdoiwje3c8rgzT
W75lJjcwCnpmH+mUwZs=
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
MIICTjCCAbcCBEbJZQEwDQYJKoZIhvcNAQEEBQAwbTELMAkGA1UEBhMCTEsxEDAOBgNVBAgTB1dl
c3Rlcm4xEDAOBgNVBAcTB0NvbG9tYm8xDzANBgNVBAoTBkFwYWNoZTEQMA4GA1UECxMHUmFtcGFy
dDEXMBUGA1UEAxMOU2FtcGxlIFNlcnZpY2UwIBcNMDcwODIwMDk1NTEzWhgPMjA2MjA1MjMwOTU1
MTNaMG0xCzAJBgNVBAYTAkxLMRAwDgYDVQQIEwdXZXN0ZXJuMRAwDgYDVQQHEwdDb2xvbWJvMQ8w
DQYDVQQKEwZBcGFjaGUxEDAOBgNVBAsTB1JhbXBhcnQxFzAVBgNVBAMTDlNhbXBsZSBTZXJ2aWNl
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCDtgg6ess2lU1yOD48/iiAlWObB0WwAQtFG4bb
2KyvOE9dRF7+d/aZrHti3QWs6dtHpGkVMLgpomoq7APEq1kQnRvduk2T6ln83Jw1EpPDXH/emqeC
9OdNqHZj3eoyf34JMmgShuviYDqYaK4HkRmZMiJ13aPeZzPl60yBWydAuwIDAQABMA0GCSqGSIb3
DQEBBAUAA4GBACVcoAqNbjO7+Jbm6+3pyYagQoBpdHZLnR8EU9/CRKmUGTj5qjXqYtE+Eka6OYKB
zv/dHdYlB2X3yH3YlSx1OtA3+5xl4VIjYODlgh9Bs9Tbqj1tw0G37dLrlG97kJAVjrkfm743N9EH
KFtFaX4iF1tWbGxa4+vIbbV4CaUG5s5x
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
</Assertion>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-22150782">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
<ds:Reference URI="#Id-24216257">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>+QGzBMp3ni2Sj6YPvr6EJHWzsBo=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#Timestamp-23426441">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>TrxGU+L0kL3CoOTAZ3Pxd3s5J+k=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>5bWnz5zEUIMtJJnUexJX3MZB9TQ=</ds:SignatureValue>
<ds:KeyInfo Id="KeyId-18182194">
<wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-7926940">
<wsse:Reference URI="#EncKeyId-urn:uuid:A4E69FD63028426E9B12468997728908" ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#EncryptedKey"/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
<ows6:OriginalBinding xmlns:ows6="http://gatekeeper.service.security.n52.org" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://gatekeeper.service.security.n52.org http://52north.org/schema/security/gatekeeper/KVP2XML.xsd">Get/KVP</ows6:OriginalBinding>
<wsa:To>http://localhost:9090/52n-security-gatekeeper-webapp-0.1/services/gatekeeper</wsa:To>
<wsa:MessageID>urn:uuid:9E492719DF65B450741246899772932</wsa:MessageID>
<wsa:Action>urn:method</wsa:Action>
</soapenv:Header>
<soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Id-24216257">
<ows6:RequestProperty xmlns:ows6="http://gatekeeper.service.security.n52.org" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://gatekeeper.service.security.n52.org http://52north.org/schema/security/gatekeeper/KVP2XML.xsd">
<ows6:property name="Service">WMS</ows6:property>
<ows6:property name="request">getCapabilities</ows6:property>
</ows6:RequestProperty>
</soapenv:Body>
</soapenv:Envelope>
6. Gateekper Response
security elements
- timestamps and body are signed with gatekeepers key
SOAP-Playload
<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header xmlns:wsa="http://www.w3.org/2005/08/addressing">
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1">
<wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-26386186">
<wsu:Created>2009-07-06T17:02:53.437Z</wsu:Created>
<wsu:Expires>2009-07-06T17:07:53.437Z</wsu:Expires>
</wsu:Timestamp>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-19640307">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#Id-17271278">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>XzOXMv+82CDfLA5fQ0a0OWzyrCI=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#Timestamp-26386186">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>fafth1SJrQNWol7trKzzR40dACE=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
cdzLGUCY3tTMVEdh8ZOPqhCLYeI7SJVdPfJEXFOq9C8o430T61sahnIt+Qclk9KTGnR6BF7+QfhF
Jha/RsIJWFUhNm8LEw3x2PEPvK2/Kyh4Yki8hqAXFD7gN1MguiFXlumH8EgZDZ0jUFi5A4aQk3iE
GDasnd6rf72lLU2Oj/k=
</ds:SignatureValue>
<ds:KeyInfo Id="KeyId-19700984">
<wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-32871353">
<wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">HYL371NzoOs2+IA24VDkBGcUFQM=</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
<wsa:Action>urn:methodResponse</wsa:Action>
<wsa:RelatesTo>urn:uuid:9E492719DF65B450741246899772932</wsa:RelatesTo>
</soapenv:Header>
<soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Id-17271278">
<ns:methodResponse xmlns:ns="http://gatekeeper.service.security.n52.org">
<ns:return>
<WMT_MS_Capabilities version="1.1.1">
[truncated]
</WMT_MS_Capabilities>
</ns:return>
</ns:methodResponse>
</soapenv:Body>
</soapenv:Envelope>
| I | Attachment | Action | Size | Date | Who | Comment |
|---|---|---|---|---|---|---|
 png |
Sequence_diagram.png | manage | 35 K | 17 Jul 2009 - 07:55 | UnknownUser | current state |
| png |
Sequence_diagram2.png | manage | 26 K | 11 Jul 2009 - 12:18 | UnknownUser |
Edit | Attach | Print version | History: r14 < r13 < r12 < r11 | Backlinks | View wiki text | Edit wiki text | More topic actions
Topic revision: r13 - 11 Jun 2013, EikeJuerrens
AI_GEOSTATS
Legal Notice | Privacy Statement
Copyright © by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding Wiki? Send feedback
Copyright © by the contributing authors. All material on this collaboration platform is the property of the contributing authors. Ideas, requests, problems regarding Wiki? Send feedback