10-6 Oracle Fusion Middleware Reference for Oracle Security Developer Tools
nonce and createdDate

For this mechanism, the receiver should use the following:

```java
byte[] nonce = ut.getNonce();
// .. check against the used nonces, to make sure this is a new nonce
Date createdDate = ut.getCreated();
// .. check that this createdDate is within an expected clock skew
boolean valid = ut.isValid(userName, passwd);
// above call will recompute the digest from the passwd
// and the nonce and created date, and check if this digest matches
// the digest in the username token

// For option 4, set the salt and iteration count
SecureRandom random = SecureRandom.getInstance("SHA1PRNG");
byte[] salt = new byte[15];
random.nextBytes(salt); // compute a 15 byte random salt
ut.setSalt(1, salt);
ut.setIteration(1000);
SecretKey key = ut.deriveKey("IloveDogs");
// Now you can use this secret key to sign or encrypt data.
```
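The receiver-side steps above leave the nonce check and the clock-skew check as placeholders. The following added example, which is not from the Oracle documentation or its API, shows one way to implement them in plain Java together with the digest recomputation defined by the WSS UsernameToken Profile; the class name UsernameTokenReplayGuard, the five-minute skew, and the sample values are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Added example: hypothetical helper class, not part of the Oracle Security Developer Tools API.
public class UsernameTokenReplayGuard {
    private final Duration maxSkew; // assumed policy value chosen by the receiver
    private final Map<String, Instant> seen = new ConcurrentHashMap<>(); // nonce -> forget-after time

    public UsernameTokenReplayGuard(Duration maxSkew) { this.maxSkew = maxSkew; }

    // Password_Digest = Base64(SHA-1(nonce + created + password)), WSS UsernameToken Profile.
    static byte[] digest(byte[] nonce, String createdText, String password) throws Exception {
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        sha1.update(nonce);
        sha1.update(createdText.getBytes(StandardCharsets.UTF_8));
        return sha1.digest(password.getBytes(StandardCharsets.UTF_8));
    }

    // Accept a token only if its digest matches, its Created time is fresh, and its nonce is new.
    public boolean accept(byte[] nonce, String createdText, byte[] claimed, String password,
                          Instant now) throws Exception {
        // Verify the digest first (constant-time) so unauthenticated senders cannot fill the cache.
        if (!MessageDigest.isEqual(digest(nonce, createdText, password), claimed)) return false;
        Instant created = Instant.parse(createdText);
        if (Duration.between(created, now).abs().compareTo(maxSkew) > 0) return false; // stale or future-dated
        // A nonce must be remembered only while its token could still pass the freshness check.
        seen.values().removeIf(forgetAfter -> forgetAfter.isBefore(now));
        String key = Base64.getEncoder().encodeToString(nonce);
        return seen.putIfAbsent(key, created.plus(maxSkew)) == null; // atomic: a racing replay loses
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values, not taken from a real message.
        byte[] nonce = "constructed-nonce-01".getBytes(StandardCharsets.UTF_8);
        String createdText = "2024-01-01T12:00:00Z";
        String password = "constructed-password";
        byte[] claimed = digest(nonce, createdText, password); // what an honest sender would send
        Instant t0 = Instant.parse(createdText);
        UsernameTokenReplayGuard guard = new UsernameTokenReplayGuard(Duration.ofMinutes(5));

        System.out.println("first use:    " + guard.accept(nonce, createdText, claimed, password, t0.plusSeconds(30)));
        System.out.println("replay:       " + guard.accept(nonce, createdText, claimed, password, t0.plusSeconds(60)));
        System.out.println("stale:        " + guard.accept(nonce, createdText, claimed, password, t0.plusSeconds(900)));
        System.out.println("wrong digest: " + guard.accept(nonce, createdText, new byte[20], password, t0.plusSeconds(30)));
    }
}
```

In a clustered deployment the in-memory map would have to be replaced by a store shared across nodes, otherwise a captured token can be replayed against a different node within the skew window.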
10.2.3.2 Creating an X509 Token
You can either use the X509BinarySecurityToken constructor followed by the setToken method, or use the equivalent helper method WSSecurity.createBST_X509:

```java
WSSecurity ws = ...
X509Certificate cert = ...
X509BinarySecurityToken x509Token = WSSecurity.createBST_X509(cert);

// remember to put this inside your WSSecurity header.
// addX509CertificateToken puts it at the beginning, you can also
// use a regular DOM method appendChild or insertChild to put it in.
ws.addX509CertificateToken(x509Token);

// optionally add a wsu:Id, so you can refer to it
x509Token.setWsuId("MyCert");
```
You can also create an X509BinarySecurityToken from a CertPath object if you want to include an entire chain of certificates.

To encrypt data with this certificate, you need the public key, which you can obtain by calling cert.getPublicKey(). For signing, however, you need the private key, which you should maintain in a keystore.
10.2.3.3 Creating a Kerberos Token
Kerberos tokens are used, as a rule, in conjunction with the Java GSS-API.
Client Side

Use JAAS Authentication with the Kerberos Login Module. Set up the config files and then call login() to log in using this module. This will cause the client to contact the Kerberos Authentication-Service and get a ticket to talk to the Kerberos Ticket-Granting-Service:
Oracle Web Services Security 10-7
```java
LoginContext lc = new LoginContext(...);
lc.login();

// Use JAAS Authorization to set the subject into the thread context
Subject.doAs(lc.getSubject(), action);

// The rest of the code should be executed as a Privileged action

// Create a GSSContext to talk to a particular server.
GSSManager gssManager = GSSManager.getInstance();
GSSName serviceName = gssManager.createName(svcPrincipalName, null);
GSSContext gssContext = gssManager.createContext(serviceName, null, null,
        GSSCredential.DEFAULT_LIFETIME);

// Then call initSecContext. This will cause the client to contact
// the Ticket-Granting-Service to obtain a ticket for talking to that
// particular server. The token that is returned by initSecContext
// is a GSS wrapped AP_REQ packet.
byte[] token = new byte[1];
token = gssContext.initSecContext(token, 0, token.length);

// Create a Kerberos BST using this AP_REQ packet
WSSecurity ws = ...
KerberosBinarySecurityToken kbst = ws.createBST_Kerberos(token, WSSURI.vt_GSSKerberosv5);
ws.addKerberosToken(kbst);

// Get the sessionKey that is present inside the AP_REQ packet,
// this is the session key that is generated by the TGT and returned
// to the client in the initSecContext call.
// This getSessionKey call simply calls Subject.getPrivateCredentials
// to get a list of tickets associated with the subject, and then
// iterates through them to find the one to be used for that
// particular server.
SecretKey sessionKey = KerberosUtils.getSessionKey(lc.getSubject(), svcPrincipalName);

// Now you can use this secret key to sign or encrypt data.
```
Server Side

Use JAAS Authentication and Authorization as for the client.

```java
// Create GSSContext with null credentials
GSSManager manager = GSSManager.getInstance();
GSSContext gssContext = manager.createContext((GSSCredential) null);

// Locate the KerberosBinarySecurityToken in the incoming WSSecurity
// header. You can do this by doing a DOM search
WSSecurity ws = ...
KerberosBinarySecurityToken kbst = ...

// Now extract the AP_REQ from the BST and call acceptSecContext
byte[] ap_req = kbst.getValue();
gssContext.acceptSecContext(ap_req, 0, ap_req.length);

// The context is now established. Note: mutual authentication
// would need one more round trip.

// Now extract the session key.
// KerberosUtils.getSessionKey is an overloaded method, and this
// particular one is meant to be used by the server. Internally it
// decrypts the ap_req packet using the server's key or the
// tgtSession key and extracts the key from the decrypted ap_req packet.
Subject srvrSubject = ...
SecretKey sessionKey = KerberosUtils.getSessionKey(srvrSubject, ap_req);

// Now you can decrypt or verify using this key.
```
10.2.3.4 Creating a SAML Assertion Token