Authorization with Apache Rampart/C, Is It Possible?
Submitted on January 22, 2008 - 23:23.
We all know that the feature known as 'Username tokens' in Apache Rampart/C can be used to "authenticate" a user, that is, to verify whether or not a user has access to a given system. The security requirements of a service do not end there. A system cannot blindly grant carte blanche access to its users; it needs to be more specific about what each credential allows. For example, both Alice and Bob are known to the system, but only Alice may access my personal details.
This particular requirement, known as "Authorization", cannot be addressed with Apache Rampart/C alone, because that kind of security check must comply with the related business logic, and the business logic lives inside the service implementation. Here, Malinda Kaushalye Kapuruge looks at authorization with Apache Rampart/C.
Applies To
| Component | Version |
|---|---|
| Apache Axis2/C | 1.2.0 |
| Apache Rampart/C | 1.1.0 |
| Environment | Linux - Debian, Ubuntu, Fedora, Windows |
So Then, What Can We Do?
Though there are many ways to overcome this situation, the easiest is to build on Username tokens. But wait a second: Apache Rampart/C works with Apache Axis2/C as a module, so a service writer has no direct access to the module. Correct? And if so, how can he or she possibly retrieve the username details?
One way to get around this is to read the username from the message itself, at the service implementation level:
- Get message context
- Get SOAP envelope
- Get the root node
- Parse the document until the username token is found
- Get username
But this is a time-consuming and inefficient way to get the job done.
There is an Easier Way Too...
While processing a message, Apache Rampart/C stores a few details in the message context. These include the username from the Username token, if one was received.
So how can we access this? For your convenience, I have modified sec_echo service slightly (rampart/samples/server/sec_echo). Simply copy the following files found in the archive to sec_echo directory:
- echo.c
- echo.h
- echo_skeleton.c
If you open up the echo.c file, you'll see the following line:
```c
username = (axis2_char_t*)rampart_get_security_processed_result(env, msg_ctx, RAMPART_SPR_UT_USERNAME);
```
This is how you access security processed results from a message context: given the key of the property (here RAMPART_SPR_UT_USERNAME), the function returns its value, i.e. the username.
Now that you know the username, it's up to you to design your service around the different user credentials. Load your principals repository and act upon its configuration.
More...
Apart from the username, there are other stored values that you can get off a message context, for example the message creation time, the message expiration time, the nonce value and the signature value. The complete listing can be found in rampart_constants.h under the section "Security processed results".
If you need the complete result set, call the following function:
```c
axutil_hash_t* results = NULL;
results = rampart_get_all_security_processed_results(env, msg_ctx);
```
The returned value is a hash table consisting of key/value pairs of the security processed results.
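As an added example (not code from the article or from Rampart/C), here is the kind of deny-by-default check the sec_echo skeleton would run once it holds the username Rampart/C stored, covering both the single-key lookup and the full result set above. The spr_entry_t table, the "UT_USERNAME" key string, the admins list and the function names are this example's own stand-ins; in echo.c the real calls are rampart_get_security_processed_result() with RAMPART_SPR_UT_USERNAME and rampart_get_all_security_processed_results().

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the key/value result set that Rampart/C keeps
 * in the message context (an axutil_hash_t in the real API). */
typedef struct { const char *key; const char *value; } spr_entry_t;

static const char *spr_get(const spr_entry_t *results, size_t n, const char *key)
{
    size_t i;
    for (i = 0; i < n; i++)
        if (strcmp(results[i].key, key) == 0)
            return results[i].value;
    return NULL; /* nothing stored for this key, as when no token was processed */
}

/* Hypothetical principals repository: users allowed to read anyone's details. */
static const char *const admins[] = { "ops-admin" };

/* Returns 1 only when the authenticated user owns the requested record or is
 * a listed administrator; everything else, including a missing username, is 0. */
int may_read_personal_details(const char *user, const char *owner)
{
    size_t i;
    if (user == NULL || owner == NULL || *user == '\0')
        return 0;                  /* no Username token processed: refuse */
    if (strcmp(user, owner) == 0)  /* exact match, never a prefix match */
        return 1;
    for (i = 0; i < sizeof admins / sizeof admins[0]; i++)
        if (strcmp(user, admins[i]) == 0)
            return 1;
    return 0;
}

/* What the service skeleton does: pull the username out of the processed
 * results, then let the business logic decide. "UT_USERNAME" is a sample key. */
int authorize_request(const spr_entry_t *results, size_t n, const char *owner)
{
    const char *user = spr_get(results, n, "UT_USERNAME");
    return may_read_personal_details(user, owner);
}

int main(void)
{
    /* Constructed: results as left by Rampart/C for a request from alice. */
    static const spr_entry_t req[] = { { "UT_USERNAME", "alice" } };
    size_t n = sizeof req / sizeof req[0];
    printf("alice reading alice: %d\n", authorize_request(req, n, "alice")); /* 1 */
    printf("alice reading bob:   %d\n", authorize_request(req, n, "bob"));   /* 0 */
    return 0;
}
```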
Author
Malinda Kaushalye Kapuruge is a Senior Software Engineer, WSO2 Inc. kaushalye at wso2 dot com
| Attachment | Size |
|---|---|
| kb_athr_ramc_src.zip | 6.37 KB |