From jbossws-commits at lists.jboss.org Thu Apr 23 08:38:26 2015 Content-Type: multipart/mixed; boundary="===============6479367211705629256==" MIME-Version: 1.0 From: jbossws-commits at lists.jboss.org To: jbossws-commits at lists.jboss.org Subject: [jbossws-commits] JBossWS SVN: r19684 - stack/cxf/trunk/modules/dist/src/main/doc. Date: Thu, 23 Apr 2015 08:38:25 -0400 Message-ID: <201504231238.t3NCcPem015317@svn01.web.mwc.hst.phx2.redhat.com> --===============6479367211705629256== Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Author: asoldano Date: 2015-04-23 08:38:25 -0400 (Thu, 23 Apr 2015) New Revision: 19684 Added: stack/cxf/trunk/modules/dist/src/main/doc/chapter-8-Build_and_testsuite_= framework.xml Modified: stack/cxf/trunk/modules/dist/src/main/doc/Book_Info.xml stack/cxf/trunk/modules/dist/src/main/doc/JBossWS-CXF.xml stack/cxf/trunk/modules/dist/src/main/doc/Revision_History.xml stack/cxf/trunk/modules/dist/src/main/doc/chapter-2-Quick_Start.xml stack/cxf/trunk/modules/dist/src/main/doc/chapter-3-JAX_WS_User_Guide.xml stack/cxf/trunk/modules/dist/src/main/doc/chapter-4-JAX_WS_Tools.xml stack/cxf/trunk/modules/dist/src/main/doc/chapter-5-Advanced_User_Guide.= xml stack/cxf/trunk/modules/dist/src/main/doc/chapter-6-JBoss_Modules.xml Log: Updating release documentation Modified: stack/cxf/trunk/modules/dist/src/main/doc/Book_Info.xml =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D --- stack/cxf/trunk/modules/dist/src/main/doc/Book_Info.xml 2015-04-22 18:3= 0:24 UTC (rev 19683) +++ stack/cxf/trunk/modules/dist/src/main/doc/Book_Info.xml 2015-04-23 12:3= 8:25 UTC (rev 19684) 
@@ -4,7 +4,7 @@ JBoss Web Services Documentation JBossWS - CXF - 4.3.0.Final + 5.0.0.Final Modified: stack/cxf/trunk/modules/dist/src/main/doc/JBossWS-CXF.xml =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D --- stack/cxf/trunk/modules/dist/src/main/doc/JBossWS-CXF.xml 2015-04-22 18= :30:24 UTC (rev 19683) +++ stack/cxf/trunk/modules/dist/src/main/doc/JBossWS-CXF.xml 2015-04-23 12= :38:25 UTC (rev 19684) @@ -10,6 +10,7 @@ + = Modified: stack/cxf/trunk/modules/dist/src/main/doc/Revision_History.xml =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D --- stack/cxf/trunk/modules/dist/src/main/doc/Revision_History.xml 2015-04-= 22 18:30:24 UTC (rev 19683) +++ stack/cxf/trunk/modules/dist/src/main/doc/Revision_History.xml 2015-04-= 23 12:38:25 UTC (rev 19684) @@ -116,6 +116,20 @@ + + 5.0.0 + Fri Apr 23 2015 + + Alessio + Soldano + alessio.soldano(a)jboss.com + + + + JBossWS-CXF 5.0.0 documentation + + + Modified: stack/cxf/trunk/modules/dist/src/main/doc/chapter-2-Quick_Start.x= ml =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D --- stack/cxf/trunk/modules/dist/src/main/doc/chapter-2-Quick_Start.xml 201= 5-04-22 18:30:24 UTC (rev 19683) +++ stack/cxf/trunk/modules/dist/src/main/doc/chapter-2-Quick_Start.xml 201= 5-04-23 12:38:25 UTC (rev 19684) 
@@ -4,7 +4,7 @@ = Quick Start - JBossWS uses the JBoss Application Server as its target container. = The following examples focus on web service deployments that leverage EJB= 3 service implementations and the JAX-WS programming models. For further = information on POJO service implementations and advanced topics you need = consult the + JBossWS uses WildFly as its target container. The following example= s focus on web service deployments that leverage EJB3 service implementat= ions and the JAX-WS programming models. For further information on POJO s= ervice implementations and advanced topics you need consult the user guide . @@ -197,7 +197,7 @@
= Consuming web services - When creating web service clients you would usually start fro= m the WSDL. JBossWS ships with a set of tools to generate the required JAX= -WS artefacts to build client implementations. In the following section we= will look at the most basic usage patterns. For a more detailed introduc= tion to web service client please consult the user guide. + When creating web service clients you would usually start fro= m the WSDL. JBossWS ships with a set of tools to generate the required JAX= -WS artifacts to build client implementations. In the following section we= will look at the most basic usage patterns. For a more detailed introduc= tion to web service client please consult the user guide.
= Creating the client artifacts @@ -368,25 +368,16 @@ org.jboss.ws.cxf:jbo= ssws-cxf-client - and - - org.jboss.ws.native:jbossws-native-client - - artifacts can be used for getting the whole jbossws client dep= endency trees for the JBossWS-CXF and JBossWS-Native stacks. Users should s= imply add a dependency on - one - of them (depending on the JBossWS stack in use) to their Maven= project. + artifact can be used for getting the whole JBossWS client depe= ndency. Users should simply add a dependency to it in their Maven project. - If you're running the client out of container, It's also recom= mended to properly setup JAXWS implementation endorsing, to use the JBossWS= implementation of JAXWS API instead of relying on the implementation comin= g with the JDK; this is usually done by copying the + If you're running the client out of container, It's also recom= mended to properly setup JAXWS implementation endorsing, to make sure you u= se the JBossWS + implementation + of JAXWS API instead of relying on the implementation coming w= ith the JDK; this is usually done by copying the org.jboss.ws.cxf.= jbossws-cxf-factories - (JBossWS-CXF stack) - or - - org.jboss.ws= .native:jbossws-native-factories - - (JBossWS-Native stack) jar into a local directory (e.g. + (JBossWS-CXF stack) jar into a local directory (e.g. project.build.directory/endorsed ) and then using that for compiling and running sources, for s= etting the java.endorsed.dirs @@ -458,7 +449,11 @@ - Endorsing of JAXWS API jar is used to force a API level = different from the one included in the JDK. E.g. JAXWS 2.2 on JDK 1.6, or J= AXWS 2.1 on JDK 1.7, etc. + + Endorsing of JAX-WS + api + jar is used to force a API level different from the one incl= uded in the JDK. E.g. JAXWS 2.2 on JDK 1.6, or JAXWS 2.1 on JDK 1.7, etc. S= o, depending on your environment, it might not be strictly required. +
@@ -467,10 +462,10 @@ An interesting approach for running a WS client is to leverage= JBoss Modules, basically getting a classloading environment equivalent to = the server container WS endpoints are run in. This is achieved by using the jboss-modules.jar - coming with AS 7 as follows: + coming with WildFly as follows: - java -jar $JBOSS_HOME/jboss-modules.jar -mp $J= BOSS_HOME/modules -jar client.jar + java -jar $WILDFLY_HOME/jboss-modules.jar -mp = $WILDFLY_HOME/modules -jar client.jar The @@ -501,20 +496,54 @@ java command or using Ant - ). The JBossWS testsuite can be used to derive the whole set o= f files to be used; the testsuite can be run either using Maven (from the s= ource distribution) or Ant (from the binary distribution). A verbose execut= ion reveals the list of jar. As for the Maven project approach mentioned ab= ove, properly setting + ). As for the Maven project approach mentioned above, properly= setting java.endorsed.dirs system property is also required.
-
+
+
+ = + Maven archetype quick start + + A convenient approach to start a new project aiming at providing a= nd/or consuming a JAX-WS endpoint is to use the JBossWS + jaxws-codefirst + Maven Archetype. A starting project (including working build and s= ample helloworld client and endpoint) is created in few seconds. It's simp= ly a matter of issuing a command and answering to simple questions on the = desired artifact and group ids for the project being generated: + + + > mvn archetype:generate -Dfilter=3Dorg.jboss.w= s.plugins.archetypes: + + The generated project includes: + + + a sample HelloWorld code-first POJO endpoint + + + an integration test that gets the WSDL contract for the ab= ove service, builds up a client and invokes the endpoint + + + a pom.xml for creating a war archive; the project has prop= er WS component dependencies and uses both wsprovide and wsconsume maven = plugins for generating the contract for the code-first endpoint and then g= enerating the client stubs for such contract + + + a plugin for deploying the archive on WildFly. + + + The project is built and tested by simply running: + + > mvn wildfly:deploy +> mvn integration-test + + The build processes the various plugins and calls into the JBo= ssWS tools to generate all the required classes for building the deploymen= t archive and client. The user can test the sample, have a look at the pr= oject structure and then either trash the sample endpoint and testcase and= replace them with his own components, or modify them step-by-step to achi= eve what he needs. +
+
+ = + Appendix +
= - Appendix -
- = - Sample wsdl contract - - + Sample wsdl contract + + <definitions name=3D'ProfileMgmtService' targetNamespace=3D'http://org.jboss.ws/samples/retail/profile' @@ -603,8 +632,7 @@ </service> </definitions> - -
+
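Review bot: In the chapter-2 @@ -4,7 +4,7 @@ hunk the rewritten sentence keeps the old grammar slip: "advanced topics you need consult the user guide" should be "you need to consult the user guide".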
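Review bot: In the chapter-2 @@ -368,25 +368,16 @@ hunk the rewritten sentence still reads "out of container, It's also recommended to properly setup JAXWS implementation endorsing"; lowercase "it's", use "set up" as the verb, and consider "the JBossWS implementation of the JAX-WS API" so the spelling matches the "JAX-WS" form introduced in the @@ -458 hunk of the same file.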
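Review bot: In the chapter-2 @@ -458,7 +449,11 @@ hunk "is used to force a API level" should be "an API level". The same paragraph now adds that endorsing "might not be strictly required" depending on the environment; saying which combination of JDK and JAX-WS API level makes it unnecessary would turn that remark into something a reader can act on.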
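Review bot: In the chapter-2 @@ -467,10 +462,10 @@ hunk the command line moves from $JBOSS_HOME to $WILDFLY_HOME, but WildFly's own launch scripts still refer to the installation directory as JBOSS_HOME, so a reader with a standard setup will have the former variable set and not the latter. Either keep "$JBOSS_HOME/jboss-modules.jar -mp $JBOSS_HOME/modules" or add one sentence stating that WILDFLY_HOME denotes the WildFly installation directory.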
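Review bot: In the chapter-2 @@ -501,20 +496,54 @@ hunk (Maven archetype quick start) "created in few seconds" should be "in a few seconds", "answering to simple questions" should be "answering simple questions", and "his own components ... what he needs" reads better as "their own components ... what they need". The new text also says the generated pom contains "a plugin for deploying the archive on WildFly" and then runs "mvn wildfly:deploy" followed by "mvn integration-test"; naming the plugin that provides the wildfly:deploy goal and stating that a running WildFly instance is required for both commands would save first-time readers a failed build.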
Modified: stack/cxf/trunk/modules/dist/src/main/doc/chapter-3-JAX_WS_User_G= uide.xml =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D --- stack/cxf/trunk/modules/dist/src/main/doc/chapter-3-JAX_WS_User_Guide.x= ml 2015-04-22 18:30:24 UTC (rev 19683) +++ stack/cxf/trunk/modules/dist/src/main/doc/chapter-3-JAX_WS_User_Guide.x= ml 2015-04-23 12:38:25 UTC (rev 19684) @@ -201,7 +201,7 @@ // Generated Service Class = @WebServiceClient(name=3D"StockQuoteService", targetNamespace=3D"http://ex= ample.com/stocks", wsdlLocation=3D"http://example.com/stocks.wsdl") -publicclass StockQuoteService extends javax.xml.ws.Service +public class StockQuoteService extends javax.xml.ws.Service { =C2=A0=C2=A0 public StockQuoteService() =C2=A0=C2=A0 { @@ -311,7 +311,7 @@ @WebServiceClient(name =3D "TestEndpointService"= , targetNamespace =3D "http://org.jboss.ws/wsref", =C2=A0=C2=A0 wsdlLocation =3D "http://localhost.localdomain:8080/jaxws-sam= ples-webserviceref?wsdl") = -publicclass TestEndpointService extends Service +public class TestEndpointService extends Service { =C2=A0=C2=A0=C2=A0 ... = @@ -347,7 +347,7 @@ To define a reference whose type is a SEI. In this case,= the type element MAY be present with its default value if the type of the = reference can be inferred from the annotated field/method declaration, but = the value element MUST always be present and refer to a generated service c= lass type (a subtype of javax.xml.ws.Service). The wsdlLocation element, if= present, overrides theWSDL location information specified in the WebServic= e annotation of the referenced generated service class. - publicclass EJB3Client implements EJB3Remote + public class EJB3Client implements EJB3Remote { =C2=A0=C2=A0 @WebServiceRef =C2=A0=C2=A0 public TestEndpointService service4; 
@@ -494,9 +494,9 @@ @WebService (name=3D"PingEndpoint") @SOAPBinding(style =3D SOAPBinding.Style.RPC) -publicclass PingEndpointImpl +public class PingEndpointImpl { -=C2=A0=C2=A0 privatestatic String feedback; +=C2=A0=C2=A0 private static String feedback; =C2=A0=C2=A0 =C2=A0=C2=A0 @WebMethod =C2=A0=C2=A0 @Oneway @@ -574,7 +574,7 @@ @WebService @HandlerChain(file =3D "jaxws-server-source-handlers.xml") -publicclass SOAPEndpointSourceImpl +public class SOAPEndpointSourceImpl { =C2=A0=C2=A0 ... } Modified: stack/cxf/trunk/modules/dist/src/main/doc/chapter-4-JAX_WS_Tools.= xml =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D --- stack/cxf/trunk/modules/dist/src/main/doc/chapter-4-JAX_WS_Tools.xml 20= 15-04-22 18:30:24 UTC (rev 19683) +++ stack/cxf/trunk/modules/dist/src/main/doc/chapter-4-JAX_WS_Tools.xml 20= 15-04-23 12:38:25 UTC (rev 19684) @@ -507,6 +507,7 @@ -l, --load-consumer Load the consumer and exit (debug utility) -e, --extension Enable SOAP 1.2 binding extension -a, --additionalHeaders Enables processing of implicit SOAP headers + -d, --encoding=3D<charset> The charset encoding to use for gene= rated sources -n, --nocompile =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 Do not compile= generated sources @@ -545,7 +546,9 @@ Maven Plugin The wsconsume tools is included in the - org.jboss.ws.plugins:maven-jaxws-tools= -plugin + org.jboss.ws.plugins:jaxws-tools- + maven- + plugin plugin. The plugin has two goals for running the tool, wsconsume and @@ -708,6 +711,17 @@ + encoding + + + The charset encoding to use for generated sources.= + + + ${project.build.sourceEncoding} + + + + argLine 
@@ -763,7 +777,9 @@ You can use wsconsume in your own project build simply referencing the - maven-jaxws-tools-plugin + jaxws-tools- + maven- + plugin in the configured plugins in your pom.xml file. The following example makes the plugin consume the test.w= sdl file and generate SEI and wrappers' java sources. The generated source= s are then compiled together with the other project classes. @@ -773,8 +789,8 @@ <plugins> <plugin> <groupId>org.jboss.ws.plugins</groupId> - <artifactId>maven-jaxws-tools-plugin</artifactId> - <version>1.1.0.GA</version> + <artifactId>jaxws-tools-maven-plugin</artifactId> + <version>1.2.0.Beta1</version> <configuration> <wsdls> <wsdl>${basedir}/test.wsdl</wsdl> @@ -799,8 +815,8 @@ <plugins> <plugin> <groupId>org.jboss.ws.plugins</groupId> - <artifactId>maven-jaxws-tools-plugin</artifactId> - <version>1.1.0.GA</version> + <artifactId>jaxws-tools-maven-plugin</artifactId> + <version>1.2.0.Beta1</version> <configuration> <wsdls> <wsdl>${basedir}/test.wsdl</wsdl> @@ -833,8 +849,8 @@ <plugins> <plugin> <groupId>org.jboss.ws.plugins</groupId> - <artifactId>maven-jaxws-tools-plugin</artifactId> - <version>1.1.0.GA</version> + <artifactId>jaxws-tools-maven-plugin</artifactId> + <version>1.2.0.Beta1</version> <configuration> <wsdls> <wsdl>${basedir}/test.wsdl</wsdl> @@ -866,7 +882,7 @@ <dependency> <groupId>org.jboss.ws.cxf</groupId> <artifactId>jbossws-cxf-client</artifactId> - <version>4.0.0.GA</version> + <version>5.0.0.Beta2</version> </dependency> </dependencies> @@ -879,6 +895,15 @@ stack dependency to avoid that. + + + Up to version 1.1.2.Final, the + artifactId + of the plugin was + maven-jaxws-tools-plugin + . + +
@@ -975,6 +1000,17 @@ + encoding + + + The charset encoding to use for generated sources<= /para> + + + n/a + + + + destdir @@ -1175,7 +1211,9 @@ The wsprovide tools is included in the - org.jboss.ws.plugins:maven-jaxws-tools= -plugin + org.jboss.ws.plugins:jaxws-tools- + maven- + plugin plugin. The plugin has two goals for running the tool, wsprovide and @@ -1331,7 +1369,9 @@ You can use wsprovide in your own project build simply referencing the - maven-jaxws-tools-plugin + jaxws-tools- + maven- + plugin in the configured plugins in your pom.xml file. @@ -1342,8 +1382,8 @@ <plugins> <plugin> <groupId>org.jboss.ws.plugins</groupId> - <artifactId>maven-jaxws-tools-plugin</artifactId> - <version>1.1.0.GA</version> + <artifactId>jaxws-tools-maven-plugin</artifactId> + <version>1.2.0.Beta1</version> <configuration> <verbose>true</verbose> <endpointClass>org.jboss.test.ws.plugins.tools.wsprovide.Tes= tEndpoint</endpointClass> @@ -1366,8 +1406,8 @@ <plugins> <plugin> <groupId>org.jboss.ws.plugins</groupId> - <artifactId>maven-jaxws-tools-plugin</artifactId> - <version>1.1.0.GA</version> + <artifactId>jaxws-tools-maven-plugin</artifactId> + <version>1.2.0.Beta1</version> <configuration> <verbose>true</verbose> <endpointClass>org.jboss.test.ws.plugins.tools.wsprovide.Tes= tEndpoint2</endpointClass> @@ -1398,7 +1438,7 @@ <dependency> <groupId>org.jboss.ws.cxf</groupId> <artifactId>jbossws-cxf-client</artifactId> - <version>4.0.0.GA</version> + <version>5.0.0.Beta2</version> </dependency> </dependencies> @@ -1411,6 +1451,15 @@ stack dependency to avoid that. + + + Up to version 1.1.2.Final, the + artifactId + of the plugin was + maven-jaxws-tools-plugin + . + +
Modified: stack/cxf/trunk/modules/dist/src/main/doc/chapter-5-Advanced_User= _Guide.xml =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D --- stack/cxf/trunk/modules/dist/src/main/doc/chapter-5-Advanced_User_Guide= .xml 2015-04-22 18:30:24 UTC (rev 19683) +++ stack/cxf/trunk/modules/dist/src/main/doc/chapter-5-Advanced_User_Guide= .xml 2015-04-23 12:38:25 UTC (rev 19684) @@ -38,7 +38,7 @@ instance being created on the JVM. - On JBoss AS 7, the system property is easily set by addi= ng what follows to the standalone / domain server configuration just after = the extensions section: + On WildFly, the system property is easily set by adding = what follows to the standalone / domain server configuration just after the= extensions section: <system-properties> <property name=3D"org.apache.cxf.logging.enabled" value=3D"true"/> @@ -65,7 +65,6 @@ @org.apache.cxf.annotations.Logging ). - Finally, the interceptors and feature can also be configur= ed using Spring descriptors when Spring is available for the JBossWS-CXF in= tegration on the application server. Please refer to the Apache CXF documentation @@ -94,7 +93,7 @@ The configuration options are part of the webservices subsystem section - of the JBoss Application Server 7 domain model. + of the WildFly domain model. 
@@ -219,7 +218,7 @@ <config-file> can be used to associate any endpoint provided in the deployment= with a given endpoint configuration - . Endpoint configuration are either specified in the referenced = config file or in the JBoss AS 7 domain model (webservices subsystem). For = further details on the endpoint configurations and their management in the = domain model, please see the related + . Endpoint configuration are either specified in the referenced = config file or in the WildFly domain model (webservices subsystem). For fur= ther details on the endpoint configurations and their management in the dom= ain model, please see the related documentation . @@ -359,50 +358,259 @@ on the wiki and at the examples in the sources.
+
+ = + WSDL system properties expansion + + See + + . + +
= Predefined client and endpoint configurations
= Overview - JBossWS enables extra setup configuration data to be predefi= ned and associated with an endpoint. Endpoint configurations can include J= AX-WS handlers and key/value properties declarations that control JBossWS = and Apache CXF internals. Predefined endpoint configurations can be used = for JAX-WS client and JAX-WS endpoint setup. + JBossWS permits extra setup configuration data to be predefi= ned and associated with an endpoint or a client. Configurations can includ= e JAX-WS handlers and key/value property declarations that control JBossWS= and Apache CXF internals. Predefined configurations can be used for JAX-= WS client and JAX-WS endpoint setup. - Endpoint configurations can be defined in the webservice subsyst= em and in a deployment descriptor file within the application. There can = be many endpoint configuration definitions in the webservice subsystem and= in an application. Each endpoint configuration must have a name that is u= nique within the server. Configurations defined in an application are loc= al to the application. Endpoint implementations declare the use of a speci= fic configuration through the use of the + Configurations can be defined in the webservice subsystem and i= n an application's deployment descriptor file. There can be many configura= tion definitions in the webservice subsystem and in an application. Each c= onfiguration must have a name that is unique within the server. Configura= tions defined in an application are local to the application. Endpoint imp= lementations declare the use of a specific configuration through the use o= f the org.jboss.ws.api.annotation.EndpointConfig - annotation. An endpoint configuration defined in the webservice= s subsystem is available to all deployed applications on the server contai= ner and can be referenced by name in the annotation. 
An endpoint configura= tion defined in an application must be referenced by deployment descriptor= file name and the configuration name in the annotation. + annotation. An endpoint configuration defined in the webservice= s subsystem is available to all deployed applications on the server contai= ner and can be referenced by name in the annotation. An endpoint configura= tion defined in an application must be referenced by both deployment descr= iptor file name and configuration name by the annotation. -
- = - Handlers - Each endpoint configuration may be associated with zero or= more PRE and POST handler chains. Each handler chain may include JAXWS h= andlers. For outbound messages the PRE handler chains are executed before= any handler that is attached to the endpoint using the standard means, s= uch as with annotation @HandlerChain, and POST handler chains are execute= d after those objects have executed. For inbound messages the POST hand= ler chains are executed before any handler that is attached to the endpoi= nt using the standard means and the PRE handler chains are executed after= those objects have executed. - - * Server inbound messages + + Handlers + + Each endpoint configuration may be associated with zero or m= ore PRE and POST handler chains. Each handler chain may include JAXWS han= dlers. For outbound messages the PRE handler chains are executed before a= ny handler that is attached to the endpoint using the standard means, suc= h as with annotation @HandlerChain, and POST handler chains are executed = after those objects have executed. For inbound messages the POST handle= r chains are executed before any handler that is attached to the endpoint= using the standard means and the PRE handler chains are executed after t= hose objects have executed. + + * Server inbound messages Client --> ... --> POST HANDLER --> ENDPOINT HANDLERS --> PRE = HANDLERS --> Endpoint = * Server outbound messages Endpoint --> PRE HANDLER --> ENDPOINT HANDLERS --> POST HANDLERS = --> ... --> Client - - The same applies for client configurations. -
-
- = - Properties - Key/value properties are used for controlling both some Ap= ache CXF internals and some JBossWS options. Specific supported values are = mentioned where relevant in the rest of the documentation. -
+ + The same applies for client configurations. + + Properties + + Key/value properties are used for controlling both some Apac= he CXF internals and some JBossWS options. Specific supported values are me= ntioned where relevant in the rest of the documentation.
= Assigning configurations -
+ Endpoints and clients are assigned configuration through dif= ferent means. Users can explicitly require a given configuration or rely on= container defaults. The assignment process can be split up as follows: + + + Explicit assignment through annotations (for endpoints) = or API programmatic usage (for clients) + + + Automatic assignment of configurations from default desc= riptors + + + Automatic assignment of configurations from container + + +
= - Endpoint configuration assignment - - Annotation - org.jboss.ws.api.annotation.EndpointConfig - is used to assign an endpoint configuration to a JAX-WS endpo= int implementation. When assigning a configuration that is defined in the = webservices subsystem only the configuration name is specified. When assi= gning a configuration that is defined in the application, the relative pat= h to the deployment descriptor and the configuration name must be specifie= d. - - - @EndpointConfig(configFile =3D "WEB-INF/jaxws-= endpoint-config.xml", configName =3D "Custom WS-Security Endpoint") + Explicit configuration assignment + The explicit configuration assignment is meant for develop= er that know in advance their endpoint or client has to be setup according = to a specified configuration. The configuration is either coming from a des= criptor that is included in the application deployment, or is included in t= he application server webservices subsystem management model. +
+ = + Configuration Deployment Descriptor + + Java EE archives that can contain JAX-WS client and endpoint= implementations can also contain predefined client and endpoint configura= tion declarations. All endpoint/client configuration definitions for a gi= ven archive must be provided in a single deployment descriptor file, which= must be an implementation of schema + jbossws-jaxws-config + . Many endpoint/client configurations can be defined in the= deployment descriptor file. Each configuration must have a name that is = unique within the server on which the application is deployed. The confi= guration name can't be referred to by endpoint/client implementations outs= ide the application. Here is an example of a descriptor, containing two end= point configurations: + + + +<?xml version=3D"1.0" encoding=3D"UTF-8"?> +<jaxws-config xmlns=3D"urn:jboss:jbossws-jaxws-config:4.0" xmlns:xsi=3D= "http://www.w3.org/2001/XMLSchema-instance" xmlns:javaee=3D"http://java.sun= .com/xml/ns/javaee" + xsi:schemaLocation=3D"urn:jboss:jbossws-jaxws-config:4.0 schema/jbossws-= jaxws-config_4_0.xsd"> + <endpoint-config> + <config-name>org.jboss.test.ws.jaxws.jbws3282.Endpoint4Impl</= config-name> + <pre-handler-chains> + <javaee:handler-chain> + <javaee:handler> + <javaee:handler-name>Log Handler</javaee:handler-name&g= t; + <javaee:handler-class>org.jboss.test.ws.jaxws.jbws3282.Log= Handler</javaee:handler-class> + </javaee:handler> + </javaee:handler-chain> + </pre-handler-chains> + <post-handler-chains> + <javaee:handler-chain> + <javaee:handler> + <javaee:handler-name>Routing Handler</javaee:handler-na= me> + <javaee:handler-class>org.jboss.test.ws.jaxws.jbws3282.Rou= tingHandler</javaee:handler-class> + </javaee:handler> + </javaee:handler-chain> + </post-handler-chains> + </endpoint-config> + <endpoint-config> + <config-name>EP6-config</config-name> + <post-handler-chains> + <javaee:handler-chain> + <javaee:handler> + <javaee:handler-name>Authorization Handler</javaee:hand= 
ler-name> + <javaee:handler-class>org.jboss.test.ws.jaxws.jbws3282.Aut= horizationHandler</javaee:handler-class> + </javaee:handler> + </javaee:handler-chain> + </post-handler-chains> + </endpoint-config> +</jaxws-config> + + + Similarly, client configurations can be specified in des= criptors (still implementing the schema mentioned above): + + +<?xml version=3D"1.0" encoding=3D"UTF-8"?> +<jaxws-config xmlns=3D"urn:jboss:jbossws-jaxws-config:4.0" xmlns:xsi=3D= "http://www.w3.org/2001/XMLSchema-instance" xmlns:javaee=3D"http://java.sun= .com/xml/ns/javaee" + xsi:schemaLocation=3D"urn:jboss:jbossws-jaxws-config:4.0 schema/jbossws-= jaxws-config_4_0.xsd"> + <client-config> + <config-name>Custom Client Config</config-name> + <pre-handler-chains> + <javaee:handler-chain> + <javaee:handler> + <javaee:handler-name>Routing Handler</javaee:handler-na= me> + <javaee:handler-class>org.jboss.test.ws.jaxws.clientConfig= .RoutingHandler</javaee:handler-class> + </javaee:handler> + <javaee:handler> + <javaee:handler-name>Custom Handler</javaee:handler-nam= e> + <javaee:handler-class>org.jboss.test.ws.jaxws.clientConfig= .CustomHandler</javaee:handler-class> + </javaee:handler> + </javaee:handler-chain> + </pre-handler-chains> + </client-config> + <client-config> + <config-name>Another Client Config</config-name> + <post-handler-chains> + <javaee:handler-chain> + <javaee:handler> + <javaee:handler-name>Routing Handler</javaee:handler-na= me> + <javaee:handler-class>org.jboss.test.ws.jaxws.clientConfig= .RoutingHandler</javaee:handler-class> + </javaee:handler> + </javaee:handler-chain> + </post-handler-chains> + </client-config> +</jaxws-config> + + +
+
+ = + Application server configurations + + WildFly allows declaring JBossWS client and server predefine= d configurations in the + webservices + subsystem section of the server model. As a consequence it i= s possible to declare server-wide handlers to be added to the chain of each= endpoint or client assigned to a given configuration. + + + Please refer to the + WildFly documentation + for details on managing the + webservices + subsystem such as adding, removing and modifying handlers an= d properties. + + + The allowed contents in the + webservices + subsystem are defined by the + s= chema + included in the application server. + +
+ = + Standard configurations + + Clients running in-container as well as endpoints are assi= gned standard configurations by default. The defaults are used unless diffe= rent configurations are set as described on this page. This enables adminis= trators to tune the default handler chains for client and endpoint configur= ations. The names of the default client and endpoint configurations, used i= n the webservices subsystem are + Standard-Client-Config + and + Standard-Endpoint-Config + respectively. + +
+
+ = + Handlers classloading + + When setting a server-wide handler, please note the handle= r class needs to be available through each ws deployment classloader. As a = consequence proper module dependencies might need to be specified in the de= ployments that are going to leverage a given predefined configuration. A sh= ortcut is to add a dependency to the module containing the handler class in= one of the modules which are already automatically set as dependencies to = any deployment, for instance + org.jboss.ws.spi + . + +
+
+ = + Examples + + JBoss AS 7.2 default configurations + +<subsystem xmlns=3D"urn:jboss:domain:webservices:2.0"> + <!-- ... --> + <endpoint-config name=3D"Standard-Endpoint-Config"/> + <endpoint-config name=3D"Recording-Endpoint-Config"> + <pre-handler-chain name=3D"recording-handlers" protocol-binding= s=3D"##SOAP11_HTTP ##SOAP11_HTTP_MTOM ##SOAP12_HTTP ##SOAP12_HTTP_MTOM"> + <handler name=3D"RecordingHandler" class=3D"org.jboss.ws.co= mmon.invocation.RecordingServerHandler"/> + </pre-handler-chain> + </endpoint-config> + <client-config name=3D"Standard-Client-Config"/> +</subsystem> + + + A configuration file for a deployment specific ws-s= ecurity endpoint setup + +<jaxws-config xmlns=3D"urn:jboss:jbossws-jaxws-config:4.0" xmlns:xsi=3D= "http://www.w3.org/2001/XMLSchema-instance" + xmlns:javaee=3D"http://java.sun.com/xml/ns/javaee" xsi:schemaLocation=3D= "urn:jboss:jbossws-jaxws-config:4.0 schema/jbossws-jaxws-config_4_0.xsd"> + <endpoint-config> + <config-name>Custom WS-Security Endpoint</config-name> + <property> + <property-name>ws-security.signature.properties</property-n= ame> + <property-value>bob.properties</property-value> + </property> + <property> + <property-name>ws-security.encryption.properties</property-= name> + <property-value>bob.properties</property-value> + </property> + <property> + <property-name>ws-security.signature.username</property-nam= e> + <property-value>bob</property-value> + </property> + <property> + <property-name>ws-security.encryption.username</property-na= me> + <property-value>alice</property-value> + </property> + <property> + <property-name>ws-security.callback-handler</property-name&= gt; + <property-value>org.jboss.test.ws.jaxws.samples.wsse.policy.ba= sic.KeystorePasswordCallback</property-value> + </property> + </endpoint-config> +</jaxws-config> + + + JBoss AS 7.2 default configurations modified to def= ault to SOAP messages schema-validation on + <subsystem xmlns=3D"urn:jboss:domain:we= bservices:2.0"> + <!-- ... 
--> + <endpoint-config name=3D"Standard-Endpoint-Config"> + <property name=3D"schema-validation-enabled" value=3D"true"/> + </endpoint-config> + <!-- ... --> + <client-config name=3D"Standard-Client-Config"> + <property name=3D"schema-validation-enabled" value=3D"true"/> + </client-config> +</subsystem> + +
+
+
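Review bot: the "A configuration file for a deployment specific ws-security endpoint setup" example names only bob.properties and the testsuite class org.jboss.test.ws.jaxws.samples.wsse.policy.basic.KeystorePasswordCallback for ws-security.callback-handler without saying what either must provide; add a sentence that the signature/encryption properties files point at the keystores and that the callback handler is what hands CXF the keystore and private-key passwords, so readers do not copy a testsuite class name into their own deployments. The "JBoss AS 7.2 default configurations" titles on the two subsystem snippets also no longer match this commit, which renames JBoss AS to WildFly everywhere else and bumps the namespace to urn:jboss:domain:webservices:2.0; retitle them (for example "WildFly default configurations") so the title agrees with the schema version in the snippet.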
+ = + EndpointConfig annotation + + Once a configuration is available to a given application, the + org.jboss.ws.api.annotation.EndpointConfig + annotation is used to assign an endpoint configuration to a= JAX-WS endpoint implementation. When assigning a configuration that is de= fined in the webservices subsystem only the configuration name is specifie= d. When assigning a configuration that is defined in the application, the= relative path to the deployment descriptor and the configuration name mus= t be specified. + + + @EndpointConfig(configFile =3D "WEB-INF/my-e= ndpoint-config.xml", configName =3D "Custom WS-Security Endpoint") public class ServiceImpl implements ServiceIface { public String sayHello() @@ -410,21 +618,8 @@ return "Secure Hello World!"; } } - -
-
- = - Endpoint Configuration Deployment Descriptor - - Java EE archives that can contain JAX-WS endpoint implementati= ons can also contain predefined endpoint configurations. All endpoint confi= guration definitions for a given archive must be provided in a single deplo= yment descriptor file. The file must reside in directory WEB-INF for a web = application and directory META-INF for a client and EJB application. The fi= le name must end with extension .xml and be an implementation of schema - jbossws-jaxws-config - . Common practice is to use the file name jaxws-endpoint-confi= g.xml but this is not required. - - Many endpoint configurations can be defined within the de= ployment descriptor file. Each configuration must have a name that is uniq= ue within the server on which the application is deployed. The configurati= on name is not referencable by endpoint implementations outside the applic= ation. -
-
- = - Client configuration assignment + +
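Review bot: removing the "Endpoint Configuration Deployment Descriptor" section drops two statements that the new EndpointConfig annotation text does not restate: that all endpoint configurations of an archive live in a single descriptor under WEB-INF for web applications or META-INF for client and EJB archives, and that each configuration name must be unique within the server and is not referenceable from outside the application. Keep at least a sentence on descriptor location and name scoping next to the @EndpointConfig example, which otherwise leaves the reader to infer the WEB-INF location from the configFile value "WEB-INF/my-endpoint-config.xml" alone.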
= JAXWS Feature @@ -442,12 +637,12 @@ ... = Service service =3D Service.create(wsdlURL, serviceName); -Endpoint port =3D service.getPort(Endpoint.class, new ClientConfigFeature(= "META-INF/jaxws-client-config.xml", "Custom Client Config")); +Endpoint port =3D service.getPort(Endpoint.class, new ClientConfigFeature(= "META-INF/my-client-config.xml", "Custom Client Config")); port.echo("Kermit"); = ... or .... = -port =3D service.getPort(Endpoint.class, new ClientConfigFeature("META-INF= /jaxws-client-config.xml", "Custom Client Config"), true); //setup properti= es too from the configuration +port =3D service.getPort(Endpoint.class, new ClientConfigFeature("META-INF= /my-client-config.xml", "Custom Client Config"), true); //setup properties = too from the configuration port.echo("Kermit"); ... or ... = @@ -463,9 +658,9 @@ artifact.
-
+
= - Explicit setup + Explicit setup through API Alternatively, JBossWS API comes with facility classes t= hat can be used for assigning configurations when building a client. JAXWS= handlers read from client configurations as follows: import org.jboss.ws.api.configuration.Client= ConfigUtil; @@ -476,18 +671,18 @@ Service service =3D Service.create(wsdlURL, serviceName); Endpoint port =3D service.getPort(Endpoint.class); BindingProvider bp =3D (BindingProvider)port; -ClientConfigUtil.setConfigHandlers(bp, "META-INF/jaxws-client-config.xml",= "Custom Client Config 1"); +ClientConfigUtil.setConfigHandlers(bp, "META-INF/my-client-config.xml", "C= ustom Client Config 1"); port.echo("Kermit"); = ... = ClientConfigurer configurer =3D ClientConfigUtil.resolveClientConfigurer(); -configurer.setConfigHandlers(bp, "META-INF/jaxws-client-config.xml", "Cust= om Client Config 2"); +configurer.setConfigHandlers(bp, "META-INF/my-client-config.xml", "Custom = Client Config 2"); port.echo("Kermit"); = ... = -configurer.setConfigHandlers(bp, "META-INF/jaxws-client-config.xml", "Cust= om Client Config 3"); +configurer.setConfigHandlers(bp, "META-INF/my-client-config.xml", "Custom = Client Config 3"); port.echo("Kermit"); = = 
@@ -507,18 +702,18 @@ Service service =3D Service.create(wsdlURL, serviceName); Endpoint port =3D service.getPort(Endpoint.class); = -ClientConfigUtil.setConfigProperties(port, "META-INF/jaxws-client-config.x= ml", "Custom Client Config 1"); +ClientConfigUtil.setConfigProperties(port, "META-INF/my-client-config.xml"= , "Custom Client Config 1"); port.echo("Kermit"); = ... = ClientConfigurer configurer =3D ClientConfigUtil.resolveClientConfigurer(); -configurer.setConfigProperties(port, "META-INF/jaxws-client-config.xml", "= Custom Client Config 2"); +configurer.setConfigProperties(port, "META-INF/my-client-config.xml", "Cus= tom Client Config 2"); port.echo("Kermit"); = ... = -configurer.setConfigProperties(port, "META-INF/jaxws-client-config.xml", "= Custom Client Config 3"); +configurer.setConfigProperties(port, "META-INF/my-client-config.xml", "Cus= tom Client Config 3"); port.echo("Kermit"); = = @@ -539,111 +734,69 @@
-
-
- = - Application server configurations - - JBoss Application Server 7.x allows declaring JBossWS client and= server predefined configurations in the - webservices - subsystem section of the server model. As a consequence it is po= ssible to declare server-wide handlers to be added to the chain of each end= point or client assigned to a given configuration. - - - Please refer to the - JBoss Application Server 7 documentation - for any detail on managing the - webservices - subsystem to add, remove or modify handlers and properties. - - - The allowed contents in the - webservices - subsystem are defined by the - schema - included in the application server. - -
+
= - Standard configurations + Automatic configuration from default descriptors - Clients running in-container as well as endpoints are assigned= standard configurations by default. Those are used unless different config= urations are set as previously described. This way administrators can tune = default handler chains for client and endpoints developers did not assign a= specific configuration to. The name for such default configuration, to be = used in the JBoss AS 7 webservices subsystem are - Standard-Client-Config - and - Standard-Endpoint-Config - . + In some cases, the application developer might not be aware of= the configuration that will need to be used for its client and endpoint im= plementation, perhaps because that's a concern of the application deployer.= In other cases, explicit usage (compile time dependency) of JBossWS API mi= ght not be accepted. To cope with such scenarios, JBossWS allows including = default client ( + jaxws-client-config.xml + ) and endpoint ( + jaxws-endpoint-config.xml + ) descriptor within the application (in its root), which are p= arsed for getting configurations any time a configuration file name is not = specified. + If the configuration name is also not specified, JBossWS a= utomatically looks for a configuration named the same as + + + the endpoint implementation class (full qualified name= ), in case of JAX-WS endpoints; + + + the service endpoint interface (full qualified name), = in case of JAX-WS clients. + + + + No automatic configuration name is selected for + Dispatch + clients. + + + So, for instance, an endpoint implementation class + org.foo.bar.EndpointImpl + for which no pre-defined configuration is explicitly set will = cause JBossWS to look for a + org.foo.bar.EndpointImpl + named configuration within a + jaxws-endpoint-config.xml + descriptor in the root of the application deployment. 
Similarl= y, on client side, a client proxy implementing + org.foo.bar.Endpoint + interface (SEI) will have the setup read from a + org.foo.bar.Endpoint + named configuration in + jaxws-client-config.xml + descriptor. +
-
+
= - Handlers classloading + Automatic configuration assignment from container setup</= title> + <para>JBossWS fall-backs to getting predefined configurations fr= om the container setup whenever no explicit configuration has been provided= and the default descriptors are either not available or do not contain rel= evant configurations. This gives additional control on the JAX-WS client an= d endpoint setup to administrators, as the container setup can be managed i= ndependently from the deployed applications.</para> + <para>JBossWS hence accesses the webservices subsystem the same = as explained above for explicitly named configuration; the default configur= ation names used for look are</para> + <itemizedlist> + <listitem> + <para>the endpoint implementation class (full qualified name= ), in case of JAX-WS endpoints;</para> + </listitem> + <listitem> + <para>the service endpoint interface (full qualified name), = in case of JAX-WS clients.</para> + </listitem> + </itemizedlist> <para> - When setting a server-wide handler, please note the handler cl= ass needs to be available either through each ws deployment classloader or = the - <code>org.jboss.as.webservices.server.integration:main</code> - module classloader. As a consequence proper module dependencie= s might need to be specified either in the deployments that are going to le= verage a given predefined configuration or directly in the previously menti= oned AS7 module. + <code>Dispatch</code> + clients are not automatically configured. If no configuration = is found using names computed as above, the + <code>Standard-Client-Config</code> + and + <code>Standard-Endpoint-Config</code> + configurations are used for clients and endpoints respectively </para> </section> </section> - <section id=3D"sid-41713670_Predefinedclientandendpointconfiguration= s-Examples"> - = - <title>Examples - - JBoss AS 7.2 default configurations - -<subsystem xmlns=3D"urn:jboss:domain:webservices:1.2"> - <!-- ... 
--> - <endpoint-config name=3D"Standard-Endpoint-Config"/> - <endpoint-config name=3D"Recording-Endpoint-Config"> - <pre-handler-chain name=3D"recording-handlers" protocol-binding= s=3D"##SOAP11_HTTP ##SOAP11_HTTP_MTOM ##SOAP12_HTTP ##SOAP12_HTTP_MTOM"> - <handler name=3D"RecordingHandler" class=3D"org.jboss.ws.co= mmon.invocation.RecordingServerHandler"/> - </pre-handler-chain> - </endpoint-config> - <client-config name=3D"Standard-Client-Config"/> -</subsystem> - - - A configuration file for a deployment specific ws-securit= y endpoint setup - -<jaxws-config xmlns=3D"urn:jboss:jbossws-jaxws-config:4.0" xmlns:xsi=3D= "http://www.w3.org/2001/XMLSchema-instance" - xmlns:javaee=3D"http://java.sun.com/xml/ns/javaee" xsi:schemaLocation=3D= "urn:jboss:jbossws-jaxws-config:4.0 schema/jbossws-jaxws-config_4_0.xsd"> - <endpoint-config> - <config-name>Custom WS-Security Endpoint</config-name> - <property> - <property-name>ws-security.signature.properties</property-n= ame> - <property-value>bob.properties</property-value> - </property> - <property> - <property-name>ws-security.encryption.properties</property-= name> - <property-value>bob.properties</property-value> - </property> - <property> - <property-name>ws-security.signature.username</property-nam= e> - <property-value>bob</property-value> - </property> - <property> - <property-name>ws-security.encryption.username</property-na= me> - <property-value>alice</property-value> - </property> - <property> - <property-name>ws-security.callback-handler</property-name&= gt; - <property-value>org.jboss.test.ws.jaxws.samples.wsse.policy.ba= sic.KeystorePasswordCallback</property-value> - </property> - </endpoint-config> -</jaxws-config> - - - JBoss AS 7.2 default configurations modified to default t= o SOAP messages schema-validation on - <subsystem xmlns=3D"urn:jboss:domain:webservi= ces:1.2"> - <!-- ... 
--> - <endpoint-config name=3D"Standard-Endpoint-Config"> - <property name=3D"schema-validation-enabled" value=3D"true"/> - </endpoint-config> - <!-- ... --> - <client-config name=3D"Standard-Client-Config"> - <property name=3D"schema-validation-enabled" value=3D"true"/> - </client-config> -</subsystem> - -
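Review bot: the lookup order introduced in "Automatic configuration assignment from container setup" means a deployment's own jaxws-endpoint-config.xml or jaxws-client-config.xml wins over the container setup whenever it contains an entry named after the implementation class or SEI, and Standard-Endpoint-Config / Standard-Client-Config are only the last fallback; spell that precedence out as an ordered list (explicit annotation or API, default descriptor in the archive, subsystem configuration named after the class, Standard-* configuration) and tell administrators that settings placed on the Standard-* configurations, such as the schema-validation-enabled example earlier in the chapter, are not applied to deployments that ship their own matching configuration. Also in this hunk: "within the application (in its root)" is ambiguous for web archives, since the removed section distinguished WEB-INF for wars from META-INF for other archives, so name the directory; "JBossWS fall-backs to getting" should read "JBossWS falls back to getting"; "the default configuration names used for look are" should read "used for lookup are"; "for its client and endpoint implementation" should read "for their client and endpoint implementations"; and the closing sentence "configurations are used for clients and endpoints respectively" is missing its full stop.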
= @@ -702,7 +855,7 @@ </jboss-web> - The security domain as well as its the authentication and = authorization mechanisms are defined differently depending on the JBoss App= lication Server in use. + The security domain as well as its the authentication and = authorization mechanisms are defined differently depending on the server in= use.
= @@ -776,7 +929,7 @@ For further information on configuring security domains in Wil= dFly, please refer to - here + here . @@ -876,7 +1029,7 @@ = JBossWS integration layer with Apache CXF - All JAX-WS functionalities provided by JBossWS on top of JBoss A= pplication Server are currently served through a proper integration of the = JBoss Web Services stack with most of the + All JAX-WS functionalities provided by JBossWS on top of WildFly= are currently served through a proper integration of the JBoss Web Service= s stack with most of the Apache CXF project modules. @@ -888,10 +1041,10 @@ - allowing using standard webservices APIs (including JAX= -WS) on JBoss Application Server; this is performed internally leveraging A= pache CXF without requiring the user to deal with it; + allowing using standard webservices APIs (including JAX= -WS) on WildFly; this is performed internally leveraging Apache CXF withou= t requiring the user to deal with it; - allowing using Apache CXF advanced features (including = WS-*) on top of JBoss Application server without requiring the user to dea= l with / setup / care about the required integration steps for running in = such a container. + allowing using Apache CXF advanced features (including = WS-*) on top of WildFly without requiring the user to deal with / setup / = care about the required integration steps for running in such a container.= In order for achieving the goals above, the JBossWS-CXF int= egration supports the JBoss ws endpoint deployment mechanism and comes wit= h many internal customizations on top of Apache CXF. 
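Review bot: the replacement line in the -702 hunk keeps the pre-existing "as well as its the authentication and authorization mechanisms"; since the line is being rewritten anyway, drop the stray "its" so it reads "as well as the authentication and authorization mechanisms".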
@@ -911,17 +1064,17 @@ cxf.xml descriptors; those may contain any basic bean plus specific ws c= lient and endpoint beans which CXF has custom parsers for. Apache CXF can b= e used to deploy webservice endpoints on any servlet container by including= its libraries in the deployment; in such a scenario Spring basically serve= s as a convenient configuration option, given direct Apache CXF API usage w= on't be very handy. Similar reasoning applies on client side, where a Sprin= g based descriptor offers a shortcut for setting up Apache CXF internals. - This said, nowadays almost any Apache CXF functionality can = be configured and used through direct API usage, without Spring. + This said, nowadays almost any Apache CXF functionality can = be configured and used through direct API usage, without Spring. As a conse= quence of that and given the considerations in the sections below, the JBos= sWS integration with Apache CXF does not rely on Spring descriptors.
= Portable applications - The JBoss Application Server is much more then a servlet c= ontainer; it actually provides users with a fully compliant target platform= for Java EE applications. + WildFly is much more then a servlet container; it actually= provides users with a fully compliant target platform for Java EE applicat= ions. Generally speaking, users are encouraged to write porta= ble applications by relying only on JAX-WS specification - whenever possible. That would by the way ensure easy migration= s to and from other compliant platforms. Being a Java EE container, JBoss A= pplication Server already comes with a JAX-WS compliant implementation, whi= ch is basically Apache CXF plus the JBossWS-CXF integration layer. So users= just need to write their JAX-WS application; + whenever possible. That would by the way ensure easy migration= s to and from other compliant platforms. Being a Java EE container, WildFlt= already comes with a JAX-WS compliant implementation, which is basically A= pache CXF plus the JBossWS-CXF integration layer. So users just need to wri= te their JAX-WS application; no need for embedding any Apache CX= F or any ws related dependency library in user deployments . Please refer to the @@ -937,9 +1090,6 @@ without Spring descriptors . - - The following two paragraphs provide= few directions on how to deploy or use applications explicitly relying on = Apache CXF, users should however prefer the portable application approach w= henever possible. -
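Review bot: the added line in the "Portable applications" paragraph of the -911 hunk misspells the product as "WildFlt" ("Being a Java EE container, WildFlt already comes with a JAX-WS compliant implementation"); fix to "WildFly". The same hunk's new "WildFly is much more then a servlet container" carries the old "then" for "than"; correct it while the line is being touched.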
= @@ -948,177 +1098,15 @@ On server side, direct Apache CXF API usage might not be alway= s possible or end up being not very easy. For this reason, the JBossWS inte= gration comes with a convenient alternative through customization options i= n the jboss-webservices.xml - descriptor described below on this page. + descriptor described below on this page. Properties can be dec= lared in + jboss-webservices.xml + to control Apache CXF internals like + interceptors + , + features + , etc.
-
- = - Spring descriptors usage - - Finally, in some cases, users might still want to consume Spri= ng descriptors ( - discouraged approach - ); that's possibly the case of applications developed on and b= eing migrated from different environments. For such scenarios, the installa= tion of Spring Framework libraries on application server is the suggested a= pproach. That can be performed using the JBossWS-CXF installation script or= by manually populating a - org.springframework.spring - JBoss AS module with the required Spring jars. For writing the - module.xml - descriptor for such a module please refer the relevant JBoss A= S documentation on creating modules; in any case it would look similar to: - - - <module xmlns=3D"urn:jboss:module:1.1" name= =3D"org.springframework.spring"> - <resources> - <!-- List references to jar resources here --> - </resources> - <dependencies> - <module name=3D"javax.api" /> - <module name=3D"javax.jms.api" /> - <module name=3D"javax.annotation.api" /> - <module name=3D"org.apache.commons.logging" /> - <module name=3D"org.jboss.vfs" /> - </dependencies> -</module> - - - The other webservices modules on JBoss AS already have an opti= onal dependency on - org.springframework.spring - module and will hence automatically consume it. - - Once the Spring module is available on target application = server, Spring based Apache CXF buses can be built up. -
- = - Client side - - Whenever Spring is available in the current thread classload= er (possibly as a consequence of having set a dependency to the above menti= oned - org.springframework.spring - module) and the classloader can successfully locate a valid = Spring descriptor resource, a Spring based - Bus - will be created if required. So user can either: - - - - - programmatically use a - SpringBusFactory - (or the - JBossWSBusFactory - if the JBossWS additions are available) to load a Spring= Bus from a given - cxf.xml - descriptor; that can include any CXF customization or cl= ient bean; - - - - - build a JAX-WS client and let the JAX-WS Provider implem= entation internally build a Spring based - Bus - using the available - cxf.xml - resource retrieved from the current classloader (usually= found in - META-INF/cxf.xml - ). - - - - - Consider having a look at - this page - for directions on setting module dependencies, especially if= willing to create a ws client within a Spring Bus and running in-container. - - - Finally please be sure to check the section below on - Bus - usage any time you're building a - Bus - on client side. - -
-
- = - Server side - It is possible to customize the JBossWS integration wit= h Apache CXF by incorporating a CXF configuration file into the endpoint de= ployment archive. The convention is the following: - - - - the descriptor file name must be - jbossws-cxf.xml - - - - - for POJO deployments it is located in - WEB-INF - directory - - - - - for EJB3 deployments it is located in - META-INF - directory - - - - - The - jbossws-cxf.xml - is parsed similarly to a common - cxf.xml - in order for building up a - Bus - for the WS deployment; the endpoint beans included in the de= ployment are to be specified using the - <jaxws:endpoint> - tag the same they would be specified in a - cxf.xml - descriptor (a example from the testsuite can be seen - here - ). The application server HTTP engine will be serving the en= dpoints. - - - If there is no - <jaxws:endpoint> - defined in - jbossws-cxf.xml - , the endpoint classes mentioned in - WEB-INF/web.xml - will be automatically transformed to - <jaxws:endpoint> - entries in the Spring configuration and loaded by JBossWS-CX= F. This allows using the jbossws-cxf.xml to customize the bus without havin= g to manually duplicate the endpoint information in the descriptor. 
The fol= lowing is an example of configuring an endpoint through - web.xml - with Aegis databinding setup from - jbossws-cxf.xml - : - - - <?xml version=3D"1.0" encoding=3D"UTF-8"?= > -<web-app xmlns=3D"http://java.sun.com/xml/ns/j2ee" xmlns:xsi=3D"http://= www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation=3D"http://java.sun.c= om/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd" version=3D"= 2.4"> - <servlet> - <servlet-name>AegisGroupQueryService</servlet-name> - <servlet-class>org.jboss.test.ws.jaxws.cxf.aegis.AegisGroupQ= ueryImpl</servlet-class> - </servlet> - <servlet-mapping> - <servlet-name>AegisGroupQueryService</servlet-name> - <url-pattern>/*</url-pattern> - </servlet-mapping> -</web-app> - - - <beans xmlns=3D'http://www.springframewor= k.org/schema/beans' - xmlns:xsi=3D'http://www.w3.org/2001/XMLSchema-instance' xmlns:beans=3D'ht= tp://www.springframework.org/schema/beans' - xmlns:jaxws=3D'http://cxf.apache.org/jaxws' - xsi:schemaLocation=3D'http://www.springframework.org/schema/beans http://= www.springframework.org/schema/beans/spring-beans-2.0.xsd - http://www.w3.org/2006/07/ws-policy http://www.w3.org/2006/07/ws-p= olicy.xsd - http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xs= d'> - <bean id=3D"aegisBean" class=3D"org.apache.cxf.aegis.databinding.Aegis= Databinding" scope=3D"prototype" /> - <bean name=3D"{http://aegis.cxf.jaxws.ws.test.jboss.org/}AegisGroupQue= ryImplPort.jaxws-endpoint" abstract=3D"true"> - <property name=3D"dataBinding" ref=3D"aegisBean" /> - </bean> -</beans> - - - The - jbossws-cxf.xml - approach can be used for the very few scenarios Apache CXF c= an be configured for only using Spring descriptor, e.g. for some advanced W= S-RM customizations. - -
-
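Review bot: the -948 hunk deletes the jbossws-cxf.xml server-side descriptor section and the Spring client-side Bus setup without telling a reader who still ships those files what happens to them; the replacement sentence only says that properties in jboss-webservices.xml control interceptors and features. Add an explicit statement here that cxf.xml and jbossws-cxf.xml descriptors in a deployment are no longer consumed by the integration (the later "Apache CXF interceptors" section says Spring descriptor usage is not supported, but that is several sections away), and point to the jboss-webservices.xml properties and the predefined configurations as the replacement for each removed use case, in particular the bus-level customizations, the Aegis databinding example and the "advanced WS-RM customizations" the removed text said required jbossws-cxf.xml.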
= @@ -1150,9 +1138,7 @@ BusFactory , org.jboss.wsf.stack.cxf.client.configuration.JBossWSBusF= actory - , that allows for automatic detection of - Spring - availability as well as seamless setup of JBossWS customizati= ons on top of Apache CXF. So, assuming the JBossWS-CXF libraries are avail= able in the current thread context classloader, the + , that allows for seamless setup of JBossWS customizations on= top of Apache CXF. So, assuming the JBossWS-CXF libraries are available i= n the current thread context classloader, the JBossWSBusFactory is automatically @@ -1161,9 +1147,7 @@ call above. - JBossWS users willing to explicitely use functionalities of - org.apache.cxf.bus.spring.SpringBusFactory - or + JBossWS users willing to explicitly use functionalities of org.apache.cxf.bus.CXFBusFactory , get the same API with JBossWS additions through @@ -1171,10 +1155,6 @@ : - String myConfigFile =3D ... -Bus bus =3D new JBossWSBusFactory().createBus(myConfigFile); - - Map<Class, Object> myExtensions =3D new = HashMap<Class, Object>(); myExtensions.put(...); Bus bus =3D new JBossWSBusFactory().createBus(myExtensions); 
@@ -1216,7 +1196,7 @@ getThreadDefaultBus(true) first fallback to retrieving the configured global default bus= before actually trying creating a new instance (and the created new insta= nce is set as global default bus if that was not set there yet). - The drawback of this mechanism (which is basically fine i= n JSE environment) is that when running in a JBoss AS container you need t= o be careful in order not to (mis)use a bus over multiple applications (as= suming the Apache CXF classes are loaded by the same classloader, which is= currently the case with JBoss AS6, JBoss AS7 and WildFly). + The drawback of this mechanism (which is basically fine i= n JSE environment) is that when running in WildFly container you need to b= e careful in order not to (mis)use a bus over multiple applications (assum= ing the Apache CXF classes are loaded by the same classloader, which is c= urrently the case with WildFly). Here is a list of general suggestions to avoid problems wh= en running in-container: @@ -1299,7 +1279,7 @@
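Review bot: the rewritten sentence in the -1216 hunk reads "when running in WildFly container"; it needs an article, "when running in a WildFly container".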
= Thread context classloader bus strategy (TCCL_BUS)</tit= le> - <para>The last strategy is to have the bus created for serving= the client be associated to the current thread context classloader (TCCL).= That basically means the same Bus instance is shared by JAXWS clients runn= ing when the same TCCL is set. This is particularly interesting as each web= application deployment usually has its own context classloader, so this st= rategy is possibly a way to keep the number of created Bus instances bound = to the application number in a JBoss AS container.</para> + <para>The last strategy is to have the bus created for serving= the client be associated to the current thread context classloader (TCCL).= That basically means the same Bus instance is shared by JAXWS clients runn= ing when the same TCCL is set. This is particularly interesting as each web= application deployment usually has its own context classloader, so this st= rategy is possibly a way to keep the number of created Bus instances bound = to the application number in a WildFly container.</para> <para>If there's a bus already associated to the current threa= d before the JAXWS client creation, that is automatically restored when re= turning control to the user; in other words, the bus corresponding to the = current thread context classloader will be used only for the created JAXWS= client but won't stay associated to the current thread at the end of the p= rocess. If the thread was not associated to any bus before the client crea= tion, a new bus will be created (and later user for any other client built = with this strategy and the same TCCL in place); no bus will be associated t= o the thread at the end of the client creation.</para> </section> <section id=3D"sid-3866786_ApacheCXFintegration-Strategyconfigur= ation"> 
@@ -1439,7 +1419,7 @@ ... </webservices></programlisting> </informalexample> - <para>JBossWS-CXF integration comes with a set of allowed proper= ty names to control Apache CXF internals. The main advantage of the propert= y based approach is that it does not require Spring libraries.</para> + <para>JBossWS-CXF integration comes with a set of allowed proper= ty names to control Apache CXF internals.</para> <section id=3D"sid-3866786_ApacheCXFintegration-WorkQueueconfigu= ration"> = <title>WorkQueue configuration @@ -1449,9 +1429,7 @@ is installed in the Bus as an extension and allows for addin= g / removing queues as well as controlling the existing ones. - On server side, queues can be provided through - Spring - based Bus declaration or by using the + On server side, queues can be provided by using the cxf.queue.<queue-name>.* properties in jboss-webservices.xml @@ -1553,7 +1531,7 @@ = MBean management - Apache CXF allows managing its MBean objects that are instal= led into the JBoss AS MBean server. The feature is enabled on a deployment = basis through the + Apache CXF allows managing its MBean objects that are instal= led into the WildFly MBean server. The feature is enabled on a deployment b= asis through the cxf.management.enabled property in jboss-webservices.xml @@ -1585,6 +1563,62 @@ .
+
+ = + Interceptors + + The + jboss-webservices.xml + descriptor also allows specifying the + cxf.interceptors.in + and + cxf.interceptors.out + properties; those allows declaring interceptors to be attach= ed to the Bus instance that's created for serving the deployment. + + + <?xml version=3D"1.1" encoding=3D"UTF-8"?= > +<webservices + xmlns=3D"http://www.jboss.com/xml/ns/javaee" + xmlns:xsi=3D"http://www.w3.org/2001/XMLSchema-instance" + version=3D"1.2" + xsi:schemaLocation=3D"http://www.jboss.com/xml/ns/javaee"> + + <property> + <name>cxf.interceptors.in</name> + <value>org.jboss.test.ws.jaxws.cxf.interceptors.BusInterceptor&l= t;/value> + </property> + <property> + <name>cxf.interceptors.out</name> + <value>org.jboss.test.ws.jaxws.cxf.interceptors.BusCounterInterc= eptor</value> + </property> +</webservices> + +
+
+ = + Features + + The + jboss-webservices.xml + descriptor also allows specifying the + cxf.features + property; that allows declaring features to be attached to a= ny endpoint belonging to the Bus instance that's created for serving the de= ployment. + + + <?xml version=3D"1.1" encoding=3D"UTF-8"?= > +<webservices + xmlns=3D"http://www.jboss.com/xml/ns/javaee" + xmlns:xsi=3D"http://www.w3.org/2001/XMLSchema-instance" + version=3D"1.2" + xsi:schemaLocation=3D"http://www.jboss.com/xml/ns/javaee"> + + <property> + <name>cxf.features</name> + <value>org.apache.cxf.feature.FastInfosetFeature</value> + </property> +</webservices> + +
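Review bot: the classes named in cxf.interceptors.in, cxf.interceptors.out and cxf.features are instantiated by class name and, per the added text, attached to the Bus created for the deployment, so every endpoint in the archive gets them; say so explicitly and state the same no-argument-constructor and classloading requirement that the later predefined-configuration sections give (the class must be loadable from the deployment, so a module dependency may be needed for classes outside the archive). The snippets also use testsuite class names (org.jboss.test.ws.jaxws.cxf.interceptors.BusInterceptor and BusCounterInterceptor) that do not exist for users; either label them as placeholders or use a CXF-provided class such as the org.apache.cxf.feature.FastInfosetFeature already used in the cxf.features example. Grammar: "those allows declaring interceptors" should be "those allow declaring interceptors".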
= Discovery enablement @@ -1598,10 +1632,350 @@
+
+ = + Apache CXF interceptors + Apache CXF supports declaring interceptors using one of the = following approaches: + + + + Annotation usage on endpoint classes ( + @org.apache.cxf.interceptor.InInterceptor + , + @org.apache.cxf.interceptor.OutInterceptor + ) + + + + + Direct API usage on client side (through the + org.apache.cxf.interceptor.InterceptorProvider + interface) + + + + + Spring descriptor usage ( + cxf.xml + ) + + + + + As the Spring descriptor usage is not supported, the JBossWS int= egration adds an additional descriptor based approach to avoid requiring mo= difications to the actual client/endpoint code. Users can declare intercept= ors within + predefined client and endpoint co= nfigurations + by specifying a list of interceptor class names for the + cxf.interceptors.in + and + cxf.interceptors.out + properties. + + + <?xml version=3D"1.0" encoding=3D"UTF-8"?> +<jaxws-config xmlns=3D"urn:jboss:jbossws-jaxws-config:4.0" xmlns:xsi=3D= "http://www.w3.org/2001/XMLSchema-instance" xmlns:javaee=3D"http://java.sun= .com/xml/ns/javaee" + xsi:schemaLocation=3D"urn:jboss:jbossws-jaxws-config:4.0 schema/jbossws-= jaxws-config_4_0.xsd"> + <endpoint-config> + <config-name>org.jboss.test.ws.jaxws.cxf.interceptors.EndpointIm= pl</config-name> + <property> + <property-name>cxf.interceptors.in</property-name> + <property-value>org.jboss.test.ws.jaxws.cxf.interceptors.Endpo= intInterceptor,org.jboss.test.ws.jaxws.cxf.interceptors.FooInterceptor</= property-value> + </property> + <property> + <property-name>cxf.interceptors.out</property-name> + <property-value>org.jboss.test.ws.jaxws.cxf.interceptors.Endpo= intCounterInterceptor</property-value> + </property> + </endpoint-config> +</jaxws-config> + + A new instance of each specified interceptor class will be a= dded to the client or endpoint the configuration is assigned to. The interc= eptor classes must have a no-argument constructor. +
+
+ = + Apache CXF features + Apache CXF supports declaring features using one of the foll= owing approaches: + + + + Annotation usage on endpoint classes ( + @org.apache.cxf.feature.Features + ) + + + + + Direct API usage on client side (through extensions of the + org.apache.cxf.feature.AbstractFeature + class) + + + + + Spring descriptor usage ( + cxf.xml + ) + + + + + As the Spring descriptor usage is not supported, the JBossWS int= egration adds an additional descriptor based approach to avoid requiring mo= difications to the actual client/endpoint code. Users can declare features = within + predefined client and endpoint co= nfigurations + by specifying a list of feature class names for the + cxf.features + property. + + + <?xml version=3D"1.0" encoding=3D"UTF-8"?> +<jaxws-config xmlns=3D"urn:jboss:jbossws-jaxws-config:4.0" xmlns:xsi=3D= "http://www.w3.org/2001/XMLSchema-instance" xmlns:javaee=3D"http://java.sun= .com/xml/ns/javaee" + xsi:schemaLocation=3D"urn:jboss:jbossws-jaxws-config:4.0 schema/jbossws-= jaxws-config_4_0.xsd"> + <endpoint-config> + <config-name>Custom FI Config</config-name> + <property> + <property-name>cxf.features</property-name> + <property-value>org.apache.cxf.feature.FastInfosetFeature</= property-value> + </property> + </endpoint-config> +</jaxws-config> + + A new instance of each specified feature class will be added= to the client or endpoint the configuration is assigned to. The feature cl= asses must have a no-argument constructor. +
+
+ = + Properties driven bean creation + + Sections above explain how to declare CXF interceptors and featu= res through properties either in a client/endpoint predefined configuration= or in a + jboss-webservices.xml + descriptor. By getting the feature/interceptor class name only s= pecified, the container simply tries to create a bean instance using the cl= ass default constructor. This sets a limitation on the feature/interceptor = configuration, unless custom extensions of vanilla CXF classes are provided= , with the default constructor setting properties before eventually using t= he super constructor. + + + To cope with this issue, JBossWS integration comes with a mechan= ism for configuring simple bean hierarchies when building them up from prop= erties. Properties can have bean reference values, that is strings starting= with + ## + . Property reference keys are used to specify the bean class nam= e and the value for for each attribute. So for instance the following prope= rties: + + + + + + + + Key + = + + + + + Value + = + + + + + + + + + cxf.features + = + + + + + ##foo, ##bar + = + + + + + + + ##foo + = + + + + + org.jboss.Foo + = + + + + + + + ##foo.par + = + + + + + 34 + = + + + + + + + ##bar + = + + + + + org.jboss.Bar + = + + + + + + + ##bar.color + = + + + + + blue + = + + + + + + + would result into the stack installing two feature instances= , the same that would have been created by + + import org.Bar; +import org.Foo; + +... + +Foo foo =3D new Foo(); +foo.setPar(34); +Bar bar =3D new Bar(); +bar.setColor("blue"); + + The mechanism assumes that the classes are valid beans with = proper getter and setter methods; value objects are cast to the correct pri= mitive type by inspecting the class definition. Nested beans can of course = be configured. +
+
+ = + HTTPConduit configuration + + HTTP transport setup in Apache CXF is achieved through + org.apache.cxf.transport.http.HTTPConduit + configurations + . When running on top of the JBossWS integration, conduits can b= e programmatically modified using the Apache CXF API as follows: + + + import org.apache.cxf.frontend.ClientProxy; +import org.apache.cxf.transport.http.HTTPConduit; +import org.apache.cxf.transports.http.configuration.HTTPClientPolicy; + +//set chunking threshold before using a JAX-WS port client +... +HTTPConduit conduit =3D (HTTPConduit)ClientProxy.getClient(port).getCondui= t(); +HTTPClientPolicy client =3D conduit.getClient(); + +client.setChunkingThreshold(8192); +... + + + Users can also control the default values for the most commo= n HTTPConduit parameters by setting specific system properties; the provide= d values will override Apache CXF defaut values. + + + + + + + Property + = + + + + + Description + = + + + + + + + + cxf.client.allowChunking + + + + A boolean to tell Apache CXF whether to allow send mes= sages using chunking. + = + + + + + + cxf.client.chunkingThreshold + + + + An integer value to tell Apache CXF the threshold at w= hich switching from non-chunking to chunking mode. + = + + + + + + cxf.client.connectionTimeout + + + + A long value to tell Apache CXF how many milliseconds = to set the connection timeout to + = + + + + + + cxf.client.receiveTimeout + + + A long value to tell Apache CXF how many milliseco= nds to set the receive timeout to + + + + + cxf.client.connection + + + + A string to tell Apache CXF to use + Keep-Alive + or + close + connection type + = + + + + + + cxf.tls-client.disableCNCheck + + + + A boolean to tell Apache CXF whether disabling CN host= name check or not + = + + + + + + + The vanilla Apache CXF defaults apply when the system proper= ties above are not set. +
= - WS-Addressing + Addressing JBoss Web Services inherits full WS-Addressing capabilities from t= he underlying Apache CXF implementation. Apache CXF provides support for 20= 04-08 and 1.0 @@ -1645,7 +2019,7 @@ specifying the =EF=BB=BF [http://cxf.apache.org/ws/address= ing]addressing - feature for a given client/endpoint in an optional CXF Sprin= g XML descriptor + feature for a given client/endpoint @@ -1682,7 +2056,7 @@
= - WS-Addressing Policy + Addressing Policy The WS-Addressing support is also perfectly integrated with = the Apache CXF WS-Policy engine. This basically means that the WSDL contract generation for code-= first endpoint deployment is policy-aware: users can annotate endpoints wit= h the @@ -1973,6 +2347,19 @@ + + + ws-security.enable.streaming + + + + Enable + streaming + (StAX based) processing of WS-Security messages + = + + + @@ -2380,7 +2767,7 @@ - If you're deploying the endpoint archive to JBoss Applicat= ion Server 7, remember to add a dependency to + If you're deploying the endpoint archive to WildFly, remem= ber to add a dependency to org.apache.ws.security module in the MANIFEST.MF file. @@ -2462,7 +2849,7 @@ ws-security.username and ws-security.callback-handler - properties can be used similarly as shown in the signature and= encryption example. Things become more interesting when requiring a given = user to be authenticated (and authorized) against a security domain on the = target JBoss Application Server. + properties can be used similarly as shown in the signature and= encryption example. Things become more interesting when requiring a given = user to be authenticated (and authorized) against a security domain on the = target WildFly server. On server side, you need to install two additional interce= ptors that act as bridges towards the application server authentication lay= er: @@ -2481,7 +2868,7 @@ - So, here follows an example of WS-SecurityPolicy endpoint = using Username Token Profile for authenticating through the JBoss Applicati= on Server security domain system. + So, here follows an example of WS-SecurityPolicy endpoint = using Username Token Profile for authenticating through the WildFly securit= y domain system.
= Endpoint @@ -2749,7 +3136,7 @@ - If you're deploying the endpoint archive to JBoss Applicat= ion Server 7, remember to add a dependency to + If you're deploying the endpoint archive to WildFly, remem= ber to add a dependency to org.apache.ws.security and org.apache.cxf @@ -3009,7 +3396,7 @@
= Apache CXF support - Apache CXF is an open-source, fully featured Web services fr= amework. The JBossWS open source project integrates the JBoss Web Service= s (JBossWS) stack with the Apache CXF project modules thus providing WS-T= rust and other JAX-WS functionality in the JBoss Application Server. This= integration makes it easy to deploy CXF STS implementations, however JBos= s Application Server can run any WS-Trust compliant STS. In addition the = Apache CXF API provides a STSClient utility to facilitate web service requ= ester communication with its STS. + Apache CXF is an open-source, fully featured Web services fr= amework. The JBossWS open source project integrates the JBoss Web Service= s (JBossWS) stack with the Apache CXF project modules thus providing WS-T= rust and other JAX-WS functionality in WildFly. This integration makes it = easy to deploy CXF STS implementations, however WildFly can run any WS-Tru= st compliant STS. In addition the Apache CXF API provides a STSClient ut= ility to facilitate web service requester communication with its STS. Detailed information about the Apache CXF's WS-Trust implementat= ion can be found here 
@@ -3338,7 +3725,7 @@ The web service provider implementation class, ServiceImpl, = is a simple POJO. It uses the standard WebService annotation to define th= e service endpoint. In addition there are two Apache CXF annotations, En= dpointProperties and EndpointProperty used for configuring the endpoint fo= r the CXF runtime. These annotations come from the Apache WSS4J pro= ject - , which provides a Java implementation of the primary WS-Se= curity standards for Web Services. These annotations are programmatically= adding properties to the endpoint. Traditionally, these properties woul= d be set via the <jaxws:properties> element on the <jaxws:endpoin= t> element in the spring config, but these annotations allow the proper= ties to be configured in the code. + , which provides a Java implementation of the primary WS-Se= curity standards for Web Services. These annotations are programmatically= adding properties to the endpoint. With plain Apache CXF, these propertie= s are often set via the <jaxws:properties> element on the <jaxw= s:endpoint> element in the Spring config; these annotations allow the= properties to be configured in the code. WSS4J uses the Crypto interface to get keys and certifi= cates for encryption/decryption and for signature creation/verification. = As is asserted by the WSDL, X509 keys and certificates are required for th= is service. The WSS4J configuration information being provided by Servic= eImpl is for Crypto's Merlin implementation. More information will be pro= vided about this in the keystore section. The first EndpointProperty statement in the listing is d= eclaring the user's name to use for the message signature. It is used as = the alias name in the keystore to get the user's cert and private key for = signature. The next two EndpointProperty statements declares the Java prop= erties file that contains the (Merlin) crypto configuration information. = In this case both for signing and encrypting the messages. 
WSS4J reads th= is file and extra required information for message handling. The last End= pointProperty statement declares the ServerCallbackHandler implementation c= lass. It is used to obtain the user's password for the certificates in th= e keystore file. @@ -3427,7 +3814,7 @@
= MANIFEST.MF - When deployed on JBoss Application Server this applicati= on requires access to the JBossWs and CXF APIs provided in module org.jbo= ss.ws.cxf.jbossws-cxf-client. The dependency statement directs the server = to provide them at deployment. + When deployed on WildFly this application requires acce= ss to the JBossWs and CXF APIs provided in module org.jboss.ws.cxf.jbossws= -cxf-client. The dependency statement directs the server to provide them a= t deployment. Manifest-Version: 1.0 =C2=A0 @@ -4001,7 +4388,7 @@ = MANIFEST.MF - When deployed on JBoss Application Server, this application = requires access to the JBossWs and CXF APIs provided in modules org.jboss= .ws.cxf.jbossws-cxf-client and org.apache.cxf. The Apache CXF internals, = org.apache.cxf.impl, are needed to build the STS configuration in the + When deployed on WildFly, this application requires access = to the JBossWs and CXF APIs provided in modules org.jboss.ws.cxf.jbossws-c= xf-client and org.apache.cxf. The Apache CXF internals, org.apache.cxf.im= pl, are needed to build the STS configuration in the SampleSTS constructor. The dependency statement directs the server to= provide them at deployment. @@ -4017,19 +4404,31 @@
= Security Domain + The STS requires a JBoss security domain be configured. = The jboss-web.xml descriptor declares a named security domain,"JBossWS-tru= st-sts" to be used by this service for authentication. This security domai= n requires two properties files and the addition of a security-domain decla= ration in the JBoss server configuration file. - The - jboss-web.xml - descriptor is used to set the security domain to be used fo= r authentication. For this scenario the domain will need to contain user - alice, - password - clarinet, - and role + For this scenario the domain needs to contain user + alice + , password + clarinet + , and role friend - . See the listings for jbossws-users.properties and jbossws= -roles.properties. In addition the JBoss Application Server needs to be c= onfigured with the domain name, "JBossWS-trust-sts", and with the users and= roles properties files. See the directions in this - ar= ticle - about configuring the security domain using the CLI. + . See the listings below for jbossws-users.properties and jb= ossws-roles.properties. In addition the following XML must be added to the= JBoss security subsystem in the server configuration file. Replace " + SOME_PATH + " with appropriate information. + + + <security-domain name=3D"JBossWS-trust-sts"> +=C2=A0 <authentication> +=C2=A0=C2=A0=C2=A0 <login-module code=3D"UsersRoles" flag=3D"required"&= gt; +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <module-option name=3D"usersProperties" = value=3D"/SOME_PATH/jbossws-users.properties"/> +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <module-option name=3D"unauthenticatedId= entity" value=3D"anonymous"/> +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <module-option name=3D"rolesProperties" = value=3D"/SOME_PATH/jbossws-roles.properties"/> +=C2=A0=C2=A0=C2=A0 </login-module> +=C2=A0 </authentication> +</security-domain> + + jboss-web.xml @@ -4176,7 +4575,7 @@
= ClientCallbackHandler - ClientCallbackHandler is a callback handler for the WSS4= J Crypto API. It is used to obtain the password for the private key in th= e keystore. This class enables CXF to retrieve the password of the user n= ame to use for the message signature. Note that "alice" and her password = have been provided here. This information is not in the (JKS) keystore b= ut provided in the JBoss Application Server security domain. It was decl= ared in file jbossws-users.properties. + ClientCallbackHandler is a callback handler for the WSS4= J Crypto API. It is used to obtain the password for the private key in th= e keystore. This class enables CXF to retrieve the password of the user n= ame to use for the message signature. Note that "alice" and her password = have been provided here. This information is not in the (JKS) keystore b= ut provided in the WildFly security domain. It was declared in file jbos= sws-users.properties. package org.jboss.test.ws.jaxws.samples.wsse.policy.trust.shared; =C2=A0 @@ -4208,9 +4607,9 @@
-
+
= - Crypto properties and keystore files + Requester Crypto properties and keystore files WSS4J's Crypto implementation is loaded and configured via a= Java properties file that contains Crypto configuration data. The file = contains implementation-specific properties such as a keystore location, p= assword, default alias and the like. This application is using the Merlin= implementation. File clientKeystore.properties contains this information. = @@ -4506,7 +4905,7 @@ </PicketLinkSTS> - Finally, the PicketLink alternative approach of course req= uires different JBoss AS module dependencies to be declared in the MANIFE= ST.MF: + Finally, the PicketLink alternative approach of course req= uires different WildFly module dependencies to be declared in the MANIFES= T.MF: Manifest-Version: 1.0 @@ -4543,134 +4942,134 @@
-
+
+
+ = + ActAs WS-Trust Scenario + + The ActAs feature is used in scenarios that require composite d= elegation. It is commonly used in multi-tiered systems where an applicati= on calls a service on behalf of a logged in user or a service calls anothe= r service on behalf of the original caller. = - ActAs WS-Trust Scenario - - The ActAs feature is used in scenarios that require composite = delegation. It is commonly used in multi-tiered systems where an applica= tion calls a service on behalf of a logged in user or a service calls anot= her service on behalf of the original caller. + + + ActAs is nothing more than a new sub-element in the RequestSecu= rityToken (RST). It provides additional information about the original ca= ller when a token is negotiated with the STS. The ActAs element usually = takes the form of a token with identity claims such as name, role, and aut= horization code, for the client to access the service. + = + + + The ActAs scenario is an extension of + the basic WS-Trust scenario + . In this example the ActAs service calls the ws-service on be= half of a user. There are only a couple of additions to the basic scenari= o's code. An ActAs web service provider and callback handler have been a= dded. The ActAs web services' WSDL imposes the same security policies as= the ws-provider. UsernameTokenCallbackHandler is new. It is a utility th= at generates the content for the ActAs element. And lastly there are a co= uple of code additions in the STS to support the ActAs request. + +
+ = + Web service provider + This section examines the web service elements from the ba= sic WS-Trust scenario that have been changed to address the needs of the = ActAs example. The components are + + + ActAs web service provider's WSDL + + + ActAs web service provider's Interface and Implementat= ion classes. + + + ActAsCallbackHandler class + + + UsernameTokenCallbackHandler + + + Crypto properties and keystore files + + + MANIFEST.MF + + +
= - - - ActAs is nothing more than a new sub-element in the RequestSe= curityToken (RST). It provides additional information about the original = caller when a token is negotiated with the STS. The ActAs element usually= takes the form of a token with identity claims such as name, role, and a= uthorization code, for the client to access the service. - = - - - The ActAs scenario is an extension of - the basic WS-Trust scenario - . In this example the ActAs service calls the ws-service on = behalf of a user. There are only a couple of additions to the basic scena= rio's code. An ActAs web service provider and callback handler have been = added. The ActAs web services' WSDL imposes the same security policies = as the ws-provider. UsernameTokenCallbackHandler is new. It is a utility = that generates the content for the ActAs element. And lastly there are a = couple of code additions in the STS to support the ActAs request. - -
- = - ActAs Web service provider - This section examines the web service elements from the = basic WS-Trust scenario that have been changed to address the needs of the= ActAs example. The components are - - - ActAs web service provider's WSDL - - - ActAs web service provider's Interface and Implement= ation classes. - - - ActAsCallbackHandler class - - - UsernameTokenCallbackHandler - - - Crypto properties and keystore files - - - MANIFEST.MF - - -
-
- = - ActAs Web service provider WSDL + Web service provider WSDL The ActAs web service provider's WSDL is a clone of the = ws-provider's WSDL. The wsp:Policy section is the same. There are change= s to the service endpoint, targetNamespace, portType, binding name, and s= ervice. <?xml version=3D"1.0" encoding=3D"UTF-8" standalone=3D"yes"?> <definitions targetNamespace=3D"http://www.jboss.org/jbossws/ws-extensi= ons/actaswssecuritypolicy" name=3D"ActAsService" -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 x= mlns:tns=3D"http://www.jboss.org/jbossws/ws-extensions/actaswssecuritypolic= y" -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 x= mlns:xsd=3D"http://www.w3.org/2001/XMLSchema" -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 x= mlns:soap=3D"http://schemas.xmlsoap.org/wsdl/soap/" -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 x= mlns=3D"http://schemas.xmlsoap.org/wsdl/" -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 x= mlns:wsp=3D"http://www.w3.org/ns/ws-policy" -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 x= mlns:wsam=3D"http://www.w3.org/2007/05/addressing/metadata" -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 x= mlns:wsu=3D"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecur= ity-utility-1.0.xsd" -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 x= mlns:wsaws=3D"http://www.w3.org/2005/08/addressing" -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 x= mlns:sp=3D"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702" -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 x= mlns:t=3D"http://docs.oasis-open.org/ws-sx/ws-trust/200512"> -=C2=A0=C2=A0=C2=A0 <types> -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <xsd:schema> -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <xsd= 
:import namespace=3D"http://www.jboss.org/jbossws/ws-extensions/actaswssecu= ritypolicy" -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 schemaLocation=3D"ActAsService_s= chema1.xsd"/> -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </xsd:schema> -=C2=A0=C2=A0=C2=A0 </types> -=C2=A0=C2=A0=C2=A0 <message name=3D"sayHello"> -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <part name=3D"parameters" el= ement=3D"tns:sayHello"/> -=C2=A0=C2=A0=C2=A0 </message> -=C2=A0=C2=A0=C2=A0 <message name=3D"sayHelloResponse"> -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <part name=3D"parameters" el= ement=3D"tns:sayHelloResponse"/> -=C2=A0=C2=A0=C2=A0 </message> -=C2=A0=C2=A0=C2=A0 <portType name=3D"ActAsServiceIface"> -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <operation name=3D"sayHello"= > -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <inp= ut message=3D"tns:sayHello"/> -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <out= put message=3D"tns:sayHelloResponse"/> -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </operation> -=C2=A0=C2=A0=C2=A0 </portType> -=C2=A0=C2=A0=C2=A0 <binding name=3D"ActAsServicePortBinding" type=3D"tn= s:ActAsServiceIface"> -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <wsp:PolicyReference URI=3D"= #AsymmetricSAML2Policy" /> -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <soap:binding transport=3D"h= ttp://schemas.xmlsoap.org/soap/http" style=3D"document"/> -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <operation name=3D"sayHello"= > -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <soa= p:operation soapAction=3D""/> -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <inp= ut> -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0 <soap:body use=3D"literal"/> -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0 <wsp:PolicyReference 
URI=3D"#Input_Policy" /> -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </in= put> -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <out= put> -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0 <soap:body use=3D"literal"/> -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0 <wsp:PolicyReference URI=3D"#Output_Policy" /> -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </ou= tput> -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </operation> -=C2=A0=C2=A0=C2=A0 </binding> -=C2=A0=C2=A0=C2=A0 <service name=3D"ActAsService"> -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <port name=3D"ActAsServicePo= rt" binding=3D"tns:ActAsServicePortBinding"> -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <soa= p:address location=3D"http://@jboss.bind.address@:8080/jaxws-samples-wsse-p= olicy-trust-actas/ActAsService"/> -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </port> -=C2=A0=C2=A0=C2=A0 </service> + xmlns:tns=3D"http://www.jboss.org/jbossws/ws-extensions/actas= wssecuritypolicy" + xmlns:xsd=3D"http://www.w3.org/2001/XMLSchema" + xmlns:soap=3D"http://schemas.xmlsoap.org/wsdl/soap/" + xmlns=3D"http://schemas.xmlsoap.org/wsdl/" + xmlns:wsp=3D"http://www.w3.org/ns/ws-policy" + xmlns:wsam=3D"http://www.w3.org/2007/05/addressing/metadata" + xmlns:wsu=3D"http://docs.oasis-open.org/wss/2004/01/oasis-200= 401-wss-wssecurity-utility-1.0.xsd" + xmlns:wsaws=3D"http://www.w3.org/2005/08/addressing" + xmlns:sp=3D"http://docs.oasis-open.org/ws-sx/ws-securitypolic= y/200702" + xmlns:t=3D"http://docs.oasis-open.org/ws-sx/ws-trust/200512"&= gt; + <types> + <xsd:schema> + <xsd:import namespace=3D"http://www.jboss.org/jbossws/ws-ex= tensions/actaswssecuritypolicy" + schemaLocation=3D"ActAsService_schema1.xsd"/> + </xsd:schema> + </types> + <message name=3D"sayHello"> + <part name=3D"parameters" element=3D"tns:sayHello"/> + </message> + <message 
name=3D"sayHelloResponse"> + <part name=3D"parameters" element=3D"tns:sayHelloResponse"/> + </message> + <portType name=3D"ActAsServiceIface"> + <operation name=3D"sayHello"> + <input message=3D"tns:sayHello"/> + <output message=3D"tns:sayHelloResponse"/> + </operation> + </portType> + <binding name=3D"ActAsServicePortBinding" type=3D"tns:ActAsServiceI= face"> + <wsp:PolicyReference URI=3D"#AsymmetricSAML2Policy" /> + <soap:binding transport=3D"http://schemas.xmlsoap.org/soap/http= " style=3D"document"/> + <operation name=3D"sayHello"> + <soap:operation soapAction=3D""/> + <input> + <soap:body use=3D"literal"/> + <wsp:PolicyReference URI=3D"#Input_Policy" /> + </input> + <output> + <soap:body use=3D"literal"/> + <wsp:PolicyReference URI=3D"#Output_Policy" /> + </output> + </operation> + </binding> + <service name=3D"ActAsService"> + <port name=3D"ActAsServicePort" binding=3D"tns:ActAsServicePort= Binding"> + <soap:address location=3D"http://@jboss.bind.address@:8080/= jaxws-samples-wsse-policy-trust-actas/ActAsService"/> + </port> + </service> = </definitions>
-
+
= - ActAs Web Service Interface + Web Service Interface The web service provider interface class, ActAsServiceIf= ace, is a simple web service definition. -package org.jboss.test.ws.jaxws.samples.wsse.policy.trust.actas; =C2=A0 -=C2=A0 -import javax.jws.WebMethod; =C2=A0 -import javax.jws.WebService; =C2=A0 -=C2=A0 -(a)WebService =C2=A0 -( =C2=A0 -=C2=A0=C2=A0 targetNamespace =3D "http://www.jboss.org/jbossws/ws-extensio= ns/actaswssecuritypolicy" =C2=A0 -) =C2=A0 -public interface ActAsServiceIface =C2=A0 -{ =C2=A0 -=C2=A0=C2=A0 @WebMethod =C2=A0 -=C2=A0=C2=A0 String sayHello(); =C2=A0 +package org.jboss.test.ws.jaxws.samples.wsse.policy.trust.actas; + +import javax.jws.WebMethod; +import javax.jws.WebService; + +(a)WebService +( + targetNamespace =3D "http://www.jboss.org/jbossws/ws-extensions/actasws= securitypolicy" +) +public interface ActAsServiceIface +{ + @WebMethod + String sayHello(); }
-
+
= - ActAs Web Service Implementation + Web Service Implementation The web service provider implementation class, ActAsServiceI= mpl, is a simple POJO. It uses the standard WebService annotation to defi= ne the service endpoint and two Apache WSS4J annotations, EndpointPropert= ies and EndpointProperty used for configuring the endpoint for the CXF ru= ntime. The WSS4J configuration information provided is for WSS4J's Crypto= Merlin implementation. = 
@@ -4678,129 +5077,129 @@ ActAsServiceImpl is calling ServiceImpl acting on behal= f of the user. Method setupService performs the requisite configuration s= etup. -package org.jboss.test.ws.jaxws.samples.wsse.policy.trust.actas; =C2=A0 -=C2=A0 -import org.apache.cxf.Bus; =C2=A0 -import org.apache.cxf.BusFactory; =C2=A0 -import org.apache.cxf.annotations.EndpointProperties; =C2=A0 -import org.apache.cxf.annotations.EndpointProperty; =C2=A0 -import org.apache.cxf.ws.security.SecurityConstants; =C2=A0 -import org.apache.cxf.ws.security.trust.STSClient; =C2=A0 -import org.jboss.test.ws.jaxws.samples.wsse.policy.trust.service.ServiceIf= ace; =C2=A0 -import org.jboss.test.ws.jaxws.samples.wsse.policy.trust.shared.WSTrustApp= Utils; =C2=A0 -=C2=A0 -import javax.jws.WebService; =C2=A0 -import javax.xml.namespace.QName; =C2=A0 -import javax.xml.ws.BindingProvider; =C2=A0 -import javax.xml.ws.Service; =C2=A0 -import java.net.MalformedURLException; =C2=A0 -import java.net.URL; =C2=A0 -import java.util.Map; =C2=A0 -=C2=A0 -(a)WebService =C2=A0 -( =C2=A0 -=C2=A0=C2=A0 portName =3D "ActAsServicePort", =C2=A0 -=C2=A0=C2=A0 serviceName =3D "ActAsService", =C2=A0 -=C2=A0=C2=A0 wsdlLocation =3D "WEB-INF/wsdl/ActAsService.wsdl", =C2=A0 -=C2=A0=C2=A0 targetNamespace =3D "http://www.jboss.org/jbossws/ws-extensio= ns/actaswssecuritypolicy", =C2=A0 -=C2=A0=C2=A0 endpointInterface =3D "org.jboss.test.ws.jaxws.samples.wsse.p= olicy.trust.actas.ActAsServiceIface" =C2=A0 -) =C2=A0 -=C2=A0 -(a)EndpointProperties(value =3D { =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 @EndpointProperty(key =3D "ws-security.sign= ature.username", value =3D "myactaskey"), =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 @EndpointProperty(key =3D "ws-security.sign= ature.properties", value =3D=C2=A0 "actasKeystore.properties"), =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 @EndpointProperty(key =3D "ws-security.encr= yption.properties", value =3D "actasKeystore.properties"), =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 
@EndpointProperty(key =3D "ws-security.call= back-handler", value =3D "org.jboss.test.ws.jaxws.samples.wsse.policy.trust= .actas.ActAsCallbackHandler") =C2=A0 -}) =C2=A0 -=C2=A0 -public class ActAsServiceImpl implements ActAsServiceIface =C2=A0 -{ =C2=A0 -=C2=A0=C2=A0 public String sayHello() { =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 try { =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 ServiceIface proxy =3D se= tupService(); =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 return "ActAs " + proxy.s= ayHello(); =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 } catch (MalformedURLException e) { =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 e.printStackTrace(); =C2= =A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 } =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 return null; =C2=A0 -=C2=A0=C2=A0 } =C2=A0 -=C2=A0 -=C2=A0=C2=A0 private=C2=A0 ServiceIface setupService()throws MalformedURLE= xception { =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 ServiceIface proxy =3D null; =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Bus bus =3D BusFactory.newInstance().create= Bus(); =C2=A0 -=C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 try { =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 BusFactory.setThreadDefau= ltBus(bus); =C2=A0 -=C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 final String serviceURL = =3D "http://" + WSTrustAppUtils.getServerHost() + ":8080/jaxws-samples-wsse= -policy-trust/SecurityService"; =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 final QName serviceName = =3D new QName("http://www.jboss.org/jbossws/ws-extensions/wssecuritypolicy"= , "SecurityService"); =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 final URL wsdlURL =3D new= URL(serviceURL + "?wsdl"); =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Service service =3D Servi= ce.create(wsdlURL, serviceName); =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 proxy =3D (ServiceIface) = service.getPort(ServiceIface.class); =C2=A0 -=C2=A0 
-=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Map<String, Object>= ctx =3D ((BindingProvider) proxy).getRequestContext(); =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 ctx.put(SecurityConstants= .CALLBACK_HANDLER, new ActAsCallbackHandler()); =C2=A0 -=C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 ctx.put(SecurityConstants= .SIGNATURE_PROPERTIES, =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Thread.= currentThread().getContextClassLoader().getResource("actasKeystore.properti= es" )); =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 ctx.put(SecurityConstants= .SIGNATURE_USERNAME, "myactaskey" ); =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 ctx.put(SecurityConstants= .ENCRYPT_PROPERTIES, =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Thread.= currentThread().getContextClassLoader().getResource("../../META-INF/clientK= eystore.properties" )); =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 ctx.put(SecurityConstants= .ENCRYPT_USERNAME, "myservicekey"); =C2=A0 -=C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 STSClient stsClient =3D n= ew STSClient(bus); =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Map<String, Object>= props =3D stsClient.getProperties(); =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 props.put(SecurityConstan= ts.USERNAME, "alice"); =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 props.put(SecurityConstan= ts.ENCRYPT_USERNAME, "mystskey"); =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 props.put(SecurityConstan= ts.STS_TOKEN_USERNAME, "myactaskey" ); =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 props.put(SecurityConstan= ts.STS_TOKEN_PROPERTIES, =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Thread.= currentThread().getContextClassLoader().getResource("actasKeystore.properti= es" )); =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 
props.put(SecurityConstan= ts.STS_TOKEN_USE_CERT_FOR_KEYINFO, "true"); =C2=A0 -=C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 ctx.put(SecurityConstants= .STS_CLIENT, stsClient); =C2=A0 -=C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 } finally { =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 bus.shutdown(true); =C2= =A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 } =C2=A0 -=C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 return proxy; =C2=A0 -=C2=A0=C2=A0 } =C2=A0 -=C2=A0 +package org.jboss.test.ws.jaxws.samples.wsse.policy.trust.actas; + +import org.apache.cxf.Bus; +import org.apache.cxf.BusFactory; +import org.apache.cxf.annotations.EndpointProperties; +import org.apache.cxf.annotations.EndpointProperty; +import org.apache.cxf.ws.security.SecurityConstants; +import org.apache.cxf.ws.security.trust.STSClient; +import org.jboss.test.ws.jaxws.samples.wsse.policy.trust.service.ServiceIf= ace; +import org.jboss.test.ws.jaxws.samples.wsse.policy.trust.shared.WSTrustApp= Utils; + +import javax.jws.WebService; +import javax.xml.namespace.QName; +import javax.xml.ws.BindingProvider; +import javax.xml.ws.Service; +import java.net.MalformedURLException; +import java.net.URL; +import java.util.Map; + +(a)WebService +( + portName =3D "ActAsServicePort", + serviceName =3D "ActAsService", + wsdlLocation =3D "WEB-INF/wsdl/ActAsService.wsdl", + targetNamespace =3D "http://www.jboss.org/jbossws/ws-extensions/actasws= securitypolicy", + endpointInterface =3D "org.jboss.test.ws.jaxws.samples.wsse.policy.trus= t.actas.ActAsServiceIface" +) + +(a)EndpointProperties(value =3D { + @EndpointProperty(key =3D "ws-security.signature.username", value = =3D "myactaskey"), + @EndpointProperty(key =3D "ws-security.signature.properties", value = =3D "actasKeystore.properties"), + @EndpointProperty(key =3D "ws-security.encryption.properties", value= =3D "actasKeystore.properties"), + @EndpointProperty(key =3D "ws-security.callback-handler", value =3D = 
"org.jboss.test.ws.jaxws.samples.wsse.policy.trust.actas.ActAsCallbackHandl= er") +}) + +public class ActAsServiceImpl implements ActAsServiceIface +{ + public String sayHello() { + try { + ServiceIface proxy =3D setupService(); + return "ActAs " + proxy.sayHello(); + } catch (MalformedURLException e) { + e.printStackTrace(); + } + return null; + } + + private ServiceIface setupService()throws MalformedURLException { + ServiceIface proxy =3D null; + Bus bus =3D BusFactory.newInstance().createBus(); + + try { + BusFactory.setThreadDefaultBus(bus); + + final String serviceURL =3D "http://" + WSTrustAppUtils.getServer= Host() + ":8080/jaxws-samples-wsse-policy-trust/SecurityService"; + final QName serviceName =3D new QName("http://www.jboss.org/jboss= ws/ws-extensions/wssecuritypolicy", "SecurityService"); + final URL wsdlURL =3D new URL(serviceURL + "?wsdl"); + Service service =3D Service.create(wsdlURL, serviceName); + proxy =3D (ServiceIface) service.getPort(ServiceIface.class); + + Map<String, Object> ctx =3D ((BindingProvider) proxy).getRe= questContext(); + ctx.put(SecurityConstants.CALLBACK_HANDLER, new ActAsCallbackHand= ler()); + + ctx.put(SecurityConstants.SIGNATURE_PROPERTIES, + Thread.currentThread().getContextClassLoader().getResource("ac= tasKeystore.properties" )); + ctx.put(SecurityConstants.SIGNATURE_USERNAME, "myactaskey" ); + ctx.put(SecurityConstants.ENCRYPT_PROPERTIES, + Thread.currentThread().getContextClassLoader().getResource("..= /../META-INF/clientKeystore.properties" )); + ctx.put(SecurityConstants.ENCRYPT_USERNAME, "myservicekey"); + + STSClient stsClient =3D new STSClient(bus); + Map<String, Object> props =3D stsClient.getProperties(); + props.put(SecurityConstants.USERNAME, "alice"); + props.put(SecurityConstants.ENCRYPT_USERNAME, "mystskey"); + props.put(SecurityConstants.STS_TOKEN_USERNAME, "myactaskey" ); + props.put(SecurityConstants.STS_TOKEN_PROPERTIES, + Thread.currentThread().getContextClassLoader().getResource("ac= 
tasKeystore.properties" )); + props.put(SecurityConstants.STS_TOKEN_USE_CERT_FOR_KEYINFO, "true= "); + + ctx.put(SecurityConstants.STS_CLIENT, stsClient); + + } finally { + bus.shutdown(true); + } + + return proxy; + } + }
-
+
= ActAsCallbackHandler ActAsCallbackHandler is a callback handler for the WSS4J= Crypto API. It is used to obtain the password for the private key in the= keystore. This class enables CXF to retrieve the password of the user na= me to use for the message signature. This class has been revised to retur= n the passwords for this service, myactaskey and the "actas" user, alice.= -package org.jboss.test.ws.jaxws.samples.wsse.policy.trust.actas; =C2=A0 -=C2=A0 -import org.jboss.wsf.stack.cxf.extensions.security.PasswordCallbackHandler= ; =C2=A0 -import java.util.HashMap; =C2=A0 -import java.util.Map; =C2=A0 -=C2=A0 -public class ActAsCallbackHandler extends PasswordCallbackHandler { =C2=A0 -=C2=A0 -=C2=A0=C2=A0 public ActAsCallbackHandler() =C2=A0 -=C2=A0=C2=A0 { =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 super(getInitMap()); =C2=A0 -=C2=A0=C2=A0 } =C2=A0 -=C2=A0 -=C2=A0=C2=A0 private static Map<String, String> getInitMap() =C2=A0 -=C2=A0=C2=A0 { =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Map<String, String> passwords =3D new= HashMap<String, String>(); =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 passwords.put("myactaskey", "aspass"); =C2= =A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 passwords.put("alice", "clarinet"); =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 return passwords; =C2=A0 -=C2=A0=C2=A0 } =C2=A0 +package org.jboss.test.ws.jaxws.samples.wsse.policy.trust.actas; + +import org.jboss.wsf.stack.cxf.extensions.security.PasswordCallbackHandler; +import java.util.HashMap; +import java.util.Map; + +public class ActAsCallbackHandler extends PasswordCallbackHandler { + + public ActAsCallbackHandler() + { + super(getInitMap()); + } + + private static Map<String, String> getInitMap() + { + Map<String, String> passwords =3D new HashMap<String, Strin= g>(); + passwords.put("myactaskey", "aspass"); + passwords.put("alice", "clarinet"); + return passwords; + } }
-
+
= UsernameTokenCallbackHandler 
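Review bot: ActAsServiceImpl.sayHello() in this hunk swallows the failure path: a MalformedURLException is caught, printed with e.printStackTrace() and the method returns null, so a bad service URL reaches the ActAs caller as an empty response instead of a SOAP fault. setupService() already declares the exception, so either let it propagate or rethrow it wrapped, for example `throw new WebServiceException(e);`. Two smaller points in the same hunk: ActAsCallbackHandler hard-codes both the key and the user passwords (`passwords.put("myactaskey", "aspass");`, `passwords.put("alice", "clarinet");`) and the text introducing it should say plainly that these are sample credentials, not a pattern to copy; and the encryption properties are loaded with `getResource("../../META-INF/clientKeystore.properties")`, a classpath lookup with parent-directory segments whose result depends on how the archive is packaged, so it is worth a sentence saying where that file is expected to live.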
@@ -4808,168 +5207,168 @@ -package org.jboss.test.ws.jaxws.samples.wsse.policy.trust.shared; =C2=A0 -=C2=A0 -import org.apache.cxf.helpers.DOMUtils; =C2=A0 -import org.apache.cxf.message.Message; =C2=A0 -import org.apache.cxf.ws.security.SecurityConstants; =C2=A0 -import org.apache.cxf.ws.security.trust.delegation.DelegationCallback; =C2= =A0 -import org.apache.ws.security.WSConstants; =C2=A0 -import org.apache.ws.security.message.token.UsernameToken; =C2=A0 -import org.w3c.dom.Document; =C2=A0 -import org.w3c.dom.Node; =C2=A0 -import org.w3c.dom.Element; =C2=A0 -import org.w3c.dom.ls.DOMImplementationLS; =C2=A0 -import org.w3c.dom.ls.LSSerializer; =C2=A0 -=C2=A0 -import javax.security.auth.callback.Callback; =C2=A0 -import javax.security.auth.callback.CallbackHandler; =C2=A0 -import javax.security.auth.callback.UnsupportedCallbackException; =C2=A0 -import java.io.IOException; =C2=A0 -import java.util.Map; =C2=A0 -=C2=A0 +package org.jboss.test.ws.jaxws.samples.wsse.policy.trust.shared; + +import org.apache.cxf.helpers.DOMUtils; +import org.apache.cxf.message.Message; +import org.apache.cxf.ws.security.SecurityConstants; +import org.apache.cxf.ws.security.trust.delegation.DelegationCallback; +import org.apache.ws.security.WSConstants; +import org.apache.ws.security.message.token.UsernameToken; +import org.w3c.dom.Document; +import org.w3c.dom.Node; +import org.w3c.dom.Element; +import org.w3c.dom.ls.DOMImplementationLS; +import org.w3c.dom.ls.LSSerializer; + +import javax.security.auth.callback.Callback; +import javax.security.auth.callback.CallbackHandler; +import javax.security.auth.callback.UnsupportedCallbackException; +import java.io.IOException; +import java.util.Map; + /** * A utility to provide the 3 different input parameter types for jaxws pro= perty * "ws-security.sts.token.act-as" and "ws-security.sts.token.on-behalf-of". 
* This implementation obtains a username and password via the jaxws proper= ty * "ws-security.username" and "ws-security.password" respectively, as defin= ed -* in SecurityConstants.=C2=A0 It creates a wss UsernameToken to be used as= the +* in SecurityConstants. It creates a wss UsernameToken to be used as the * delegation token. -*/ =C2=A0 -=C2=A0 -public class UsernameTokenCallbackHandler implements CallbackHandler { =C2= =A0 -=C2=A0 -=C2=A0=C2=A0 public void handle(Callback[] callbacks) =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 throws IOException, UnsupportedCallbackExce= ption { =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 for (int i =3D 0; i < callbacks.length; = i++) { =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 if (callbacks[i] instance= of DelegationCallback) { =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Delegat= ionCallback callback =3D (DelegationCallback) callbacks[i]; =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Message= message =3D callback.getCurrentMessage(); =C2=A0 -=C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 String = username =3D =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0 (String)message.getContextualProperty(SecurityConstants.USERNA= ME); =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 String = password =3D =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0 (String)message.getContextualProperty(SecurityConstants.PASSWO= RD); =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 if (use= rname !=3D null) { =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0 Node contentNode =3D message.getContent(Node.class); =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0 Document doc =3D null; =C2=A0 
-=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0 if (contentNode !=3D null) { =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 doc =3D contentNode.getOwnerDocument(); =C2= =A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0 } else { =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 doc =3D DOMUtils.createDocument(); =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0 } =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0 UsernameToken usernameToken =3D createWSSEUsernameToken(userna= me,password, doc); =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0 callback.setToken(usernameToken.getElement()); =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 } =C2= =A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 } else { =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 throw n= ew UnsupportedCallbackException(callbacks[i], "Unrecognized Callback"); =C2= =A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 } =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 } =C2=A0 -=C2=A0=C2=A0 } =C2=A0 -=C2=A0 -=C2=A0=C2=A0 /** -=C2=A0=C2=A0=C2=A0 * Provide UsernameToken as a string. 
-=C2=A0=C2=A0=C2=A0 * @param ctx -=C2=A0=C2=A0=C2=A0 * @return -=C2=A0=C2=A0=C2=A0 */ =C2=A0 -=C2=A0=C2=A0 public String getUsernameTokenString(Map<String, Object>= ; ctx){ =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Document doc =3D DOMUtils.createDocument();= =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 String result =3D null; =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 String username =3D (String)ctx.get(Securit= yConstants.USERNAME); =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 String password =3D (String)ctx.get(Securit= yConstants.PASSWORD); =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 if (username !=3D null) { =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 UsernameToken usernameTok= en =3D createWSSEUsernameToken(username,password, doc); =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 result =3D toString(usern= ameToken.getElement().getFirstChild().getParentNode()); =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 } =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 return result; =C2=A0 -=C2=A0=C2=A0 } =C2=A0 -=C2=A0 -=C2=A0=C2=A0 /** -=C2=A0=C2=A0=C2=A0 * -=C2=A0=C2=A0=C2=A0 * @param username -=C2=A0=C2=A0=C2=A0 * @param password -=C2=A0=C2=A0=C2=A0 * @return -=C2=A0=C2=A0=C2=A0 */ =C2=A0 -=C2=A0=C2=A0 public String getUsernameTokenString(String username, String = password){ =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Document doc =3D DOMUtils.createDocument();= =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 String result =3D null; =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 if (username !=3D null) { =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 UsernameToken usernameTok= en =3D createWSSEUsernameToken(username,password, doc); =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 result =3D toString(usern= ameToken.getElement().getFirstChild().getParentNode()); =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 } =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 return result; =C2=A0 -=C2=A0=C2=A0 } =C2=A0 -=C2=A0 -=C2=A0=C2=A0 /** -=C2=A0=C2=A0=C2=A0 * Provide UsernameToken as a DOM Element. 
-=C2=A0=C2=A0=C2=A0 * @param ctx -=C2=A0=C2=A0=C2=A0 * @return -=C2=A0=C2=A0=C2=A0 */ =C2=A0 -=C2=A0=C2=A0 public Element getUsernameTokenElement(Map<String, Object&= gt; ctx){ =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Document doc =3D DOMUtils.createDocument();= =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Element result =3D null; =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 UsernameToken usernameToken =3D null; =C2= =A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 String username =3D (Stri= ng)ctx.get(SecurityConstants.USERNAME); =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 String password =3D (String)ctx.get(Securit= yConstants.PASSWORD); =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 if (username !=3D null) { =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 usernameToken =3D createW= SSEUsernameToken(username,password, doc); =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 result =3D usernameToken.= getElement(); =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 } =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 return result; =C2=A0 -=C2=A0=C2=A0 } =C2=A0 -=C2=A0 -=C2=A0=C2=A0 /** -=C2=A0=C2=A0=C2=A0 * -=C2=A0=C2=A0=C2=A0 * @param username -=C2=A0=C2=A0=C2=A0 * @param password -=C2=A0=C2=A0=C2=A0 * @return -=C2=A0=C2=A0=C2=A0 */ =C2=A0 -=C2=A0=C2=A0 public Element getUsernameTokenElement(String username, Strin= g password){ =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Document doc =3D DOMUtils.createDocument();= =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Element result =3D null; =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 UsernameToken usernameToken =3D null; =C2= =A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 if (username !=3D null) { =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 usernameToken =3D createW= SSEUsernameToken(username,password, doc); =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 result =3D usernameToken.= getElement(); =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 } =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 return result; =C2=A0 -=C2=A0=C2=A0 } =C2=A0 -=C2=A0 -=C2=A0=C2=A0 private 
UsernameToken createWSSEUsernameToken(String username= , String password, Document doc) { =C2=A0 -=C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 UsernameToken usernameToken =3D new Usernam= eToken(true, doc, =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 (password =3D=3D null)? n= ull: WSConstants.PASSWORD_TEXT); =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 usernameToken.setName(username); =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 usernameToken.addWSUNamespace(); =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 usernameToken.addWSSENamespace(); =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 usernameToken.setID("id-" + username); =C2= =A0 -=C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 if (password !=3D null){ =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 usernameToken.setPassword= (password); =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 } =C2=A0 -=C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 return usernameToken; =C2=A0 -=C2=A0=C2=A0 } =C2=A0 -=C2=A0 -=C2=A0 -=C2=A0=C2=A0 private String toString(Node node) { =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 String str =3D null; =C2=A0 -=C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 if (node !=3D null) { =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 DOMImplementationLS lsImp= l =3D (DOMImplementationLS) =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 node.ge= tOwnerDocument().getImplementation().getFeature("LS", "3.0"); =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 LSSerializer serializer = =3D lsImpl.createLSSerializer(); =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 serializer.getDomConfig()= .setParameter("xml-declaration", false); //by default its true, so set it t= o false to get String without xml-declaration =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 str =3D serializer.writeT= oString(node); =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 } =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 return str; =C2=A0 -=C2=A0=C2=A0 } =C2=A0 -=C2=A0 +*/ + +public class UsernameTokenCallbackHandler implements 
CallbackHandler { + + public void handle(Callback[] callbacks) + throws IOException, UnsupportedCallbackException { + for (int i =3D 0; i < callbacks.length; i++) { + if (callbacks[i] instanceof DelegationCallback) { + DelegationCallback callback =3D (DelegationCallback) callbacks= [i]; + Message message =3D callback.getCurrentMessage(); + + String username =3D + (String)message.getContextualProperty(SecurityConstants.USE= RNAME); + String password =3D + (String)message.getContextualProperty(SecurityConstants.PAS= SWORD); + if (username !=3D null) { + Node contentNode =3D message.getContent(Node.class); + Document doc =3D null; + if (contentNode !=3D null) { + doc =3D contentNode.getOwnerDocument(); + } else { + doc =3D DOMUtils.createDocument(); + } + UsernameToken usernameToken =3D createWSSEUsernameToken(use= rname,password, doc); + callback.setToken(usernameToken.getElement()); + } + } else { + throw new UnsupportedCallbackException(callbacks[i], "Unrecogn= ized Callback"); + } + } + } + + /** + * Provide UsernameToken as a string. 
+ * @param ctx + * @return + */ + public String getUsernameTokenString(Map<String, Object> ctx){ + Document doc =3D DOMUtils.createDocument(); + String result =3D null; + String username =3D (String)ctx.get(SecurityConstants.USERNAME); + String password =3D (String)ctx.get(SecurityConstants.PASSWORD); + if (username !=3D null) { + UsernameToken usernameToken =3D createWSSEUsernameToken(username,= password, doc); + result =3D toString(usernameToken.getElement().getFirstChild().ge= tParentNode()); + } + return result; + } + + /** + * + * @param username + * @param password + * @return + */ + public String getUsernameTokenString(String username, String password){ + Document doc =3D DOMUtils.createDocument(); + String result =3D null; + if (username !=3D null) { + UsernameToken usernameToken =3D createWSSEUsernameToken(username,= password, doc); + result =3D toString(usernameToken.getElement().getFirstChild().ge= tParentNode()); + } + return result; + } + + /** + * Provide UsernameToken as a DOM Element. 
+ * @param ctx + * @return + */ + public Element getUsernameTokenElement(Map<String, Object> ctx){ + Document doc =3D DOMUtils.createDocument(); + Element result =3D null; + UsernameToken usernameToken =3D null; + String username =3D (String)ctx.get(SecurityConstants.USERNAME); + String password =3D (String)ctx.get(SecurityConstants.PASSWORD); + if (username !=3D null) { + usernameToken =3D createWSSEUsernameToken(username,password, doc); + result =3D usernameToken.getElement(); + } + return result; + } + + /** + * + * @param username + * @param password + * @return + */ + public Element getUsernameTokenElement(String username, String password= ){ + Document doc =3D DOMUtils.createDocument(); + Element result =3D null; + UsernameToken usernameToken =3D null; + if (username !=3D null) { + usernameToken =3D createWSSEUsernameToken(username,password, doc); + result =3D usernameToken.getElement(); + } + return result; + } + + private UsernameToken createWSSEUsernameToken(String username, String p= assword, Document doc) { + + UsernameToken usernameToken =3D new UsernameToken(true, doc, + (password =3D=3D null)? null: WSConstants.PASSWORD_TEXT); + usernameToken.setName(username); + usernameToken.addWSUNamespace(); + usernameToken.addWSSENamespace(); + usernameToken.setID("id-" + username); + + if (password !=3D null){ + usernameToken.setPassword(password); + } + + return usernameToken; + } + + + private String toString(Node node) { + String str =3D null; + + if (node !=3D null) { + DOMImplementationLS lsImpl =3D (DOMImplementationLS) + node.getOwnerDocument().getImplementation().getFeature("LS", "= 3.0"); + LSSerializer serializer =3D lsImpl.createLSSerializer(); + serializer.getDomConfig().setParameter("xml-declaration", false);= //by default its true, so set it to false to get String without xml-declar= ation + str =3D serializer.writeToString(node); + } + return str; + } + }
-
+
= Crypto properties and keystore files @@ -4977,33 +5376,33 @@ -org.apache.ws.security.crypto.provider=3Dorg.apache.ws.security.components= .crypto.Merlin =C2=A0 -org.apache.ws.security.crypto.merlin.keystore.type=3Djks =C2=A0 -org.apache.ws.security.crypto.merlin.keystore.password=3Daapass =C2=A0 -org.apache.ws.security.crypto.merlin.keystore.alias=3Dmyactaskey =C2=A0 +org.apache.ws.security.crypto.provider=3Dorg.apache.ws.security.components= .crypto.Merlin +org.apache.ws.security.crypto.merlin.keystore.type=3Djks +org.apache.ws.security.crypto.merlin.keystore.password=3Daapass +org.apache.ws.security.crypto.merlin.keystore.alias=3Dmyactaskey org.apache.ws.security.crypto.merlin.keystore.file=3Dactasstore.jks
-
+
= MANIFEST.MF - When deployed on JBoss Appl= ication Server this application requires access to the JBossWs and CXF API= s provided in modules org.jboss.ws.cxf.jbossws-cxf-client and org.apache.c= xf. The Apache CXF internals, org.apache.cxf.impl, are needed in handlin= g the ActAs and OnBehalfOf extensions. The dependency statement directs t= he server to provide them at deployment. + When deployed on WildFly th= is application requires access to the JBossWs and CXF APIs provided in mod= ules org.jboss.ws.cxf.jbossws-cxf-client and org.apache.cxf. The Apache C= XF internals, org.apache.cxf.impl, are needed in handling the ActAs and O= nBehalfOf extensions. The dependency statement directs the server to pro= vide them at deployment. -Manifest-Version: 1.0 =C2=A0 -Ant-Version: Apache Ant 1.8.2 =C2=A0 -Created-By: 1.7.0_25-b15 (Oracle Corporation) =C2=A0 +Manifest-Version: 1.0 +Ant-Version: Apache Ant 1.8.2 +Created-By: 1.7.0_25-b15 (Oracle Corporation) Dependencies: org.jboss.ws.cxf.jbossws-cxf-client, org.apache.cxf.impl
-
+
= - ActAs Security Token Service + Security Token Service This section examines the STS elements from the basic WS-T= rust scenario that have been changed to address the needs of the ActAs ex= ample. The components are. @@ -5013,12 +5412,12 @@ STSCallbackHandler class -
+
= STS Implementation class The initial description of SampleSTS can be found - here + here . = @@ -5029,7 +5428,7 @@ The TokenIssueOperation requires class, UsernameTokenVa= lidator be provided in order to validate the contents of the OnBehalfOf cl= aims and class, UsernameTokenDelegationHandler to be provided in order to = process the token delegation request of the ActAs on OnBehalfOf user. -=C2=A0package org.jboss.test.ws.jaxws.samples.wsse.policy.trust.sts; + package org.jboss.test.ws.jaxws.samples.wsse.policy.trust.sts; = import java.util.Arrays; import java.util.LinkedList; 
@@ -5052,499 +5451,2723 @@ import org.apache.cxf.ws.security.sts.provider.SecurityTokenServiceProvide= r; = @WebServiceProvider(serviceName =3D "SecurityTokenService", -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 portName =3D "UT_Port", -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 targetNamespace =3D "http://docs.oasis-open= .org/ws-sx/ws-trust/200512/", -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 wsdlLocation =3D "WEB-INF/wsdl/ws-trust-1.4= -service.wsdl") + portName =3D "UT_Port", + targetNamespace =3D "http://docs.oasis-open.org/ws-sx/ws-trust/20051= 2/", + wsdlLocation =3D "WEB-INF/wsdl/ws-trust-1.4-service.wsdl") //be sure to have dependency on org.apache.cxf module when on AS7, otherwi= se Apache CXF annotations are ignored @EndpointProperties(value =3D { -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 @EndpointProperty(key =3D "ws-security.sign= ature.username", value =3D "mystskey"), -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 @EndpointProperty(key =3D "ws-security.sign= ature.properties", value =3D "stsKeystore.properties"), -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 @EndpointProperty(key =3D "ws-security.call= back-handler", value =3D "org.jboss.test.ws.jaxws.samples.wsse.policy.trust= .sts.STSCallbackHandler"), -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 @EndpointProperty(key =3D "ws-security.vali= date.token", value =3D "false") //to let the JAAS integration deal with val= idation through the interceptor below + @EndpointProperty(key =3D "ws-security.signature.username", value = =3D "mystskey"), + @EndpointProperty(key =3D "ws-security.signature.properties", value = =3D "stsKeystore.properties"), + @EndpointProperty(key =3D "ws-security.callback-handler", value =3D = "org.jboss.test.ws.jaxws.samples.wsse.policy.trust.sts.STSCallbackHandler"), + @EndpointProperty(key =3D "ws-security.validate.token", value =3D "f= alse") //to let the JAAS integration deal with validation through the inter= ceptor below }) @InInterceptors(interceptors =3D {"org.jboss.wsf.stack.cxf.security.authen= tication.SubjectCreatingPolicyInterceptor"}) public class 
SampleSTS extends SecurityTokenServiceProvider { -=C2=A0=C2=A0 public SampleSTS() throws Exception -=C2=A0=C2=A0 { -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 super(); -=C2=A0=C2=A0=C2=A0=C2=A0 =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 StaticSTSProperties props =3D new StaticSTS= Properties(); -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 props.setSignatureCryptoProperties("stsKeys= tore.properties"); -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 props.setSignatureUsername("mystskey"); -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 props.setCallbackHandlerClass(STSCallbackHa= ndler.class.getName()); -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 props.setIssuer("DoubleItSTSIssuer"); -=C2=A0=C2=A0=C2=A0=C2=A0 =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 List<ServiceMBean> services =3D new L= inkedList<ServiceMBean>(); -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 StaticService service =3D new StaticService= (); -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 service.setEndpoints(Arrays.asList( -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 "http://localhost:(\\d)*/= jaxws-samples-wsse-policy-trust/SecurityService", -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 "http://\\[::1\\]:(\\d)*/= jaxws-samples-wsse-policy-trust/SecurityService", -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 "http://\\[0:0:0:0:0:0:0:= 1\\]:(\\d)*/jaxws-samples-wsse-policy-trust/SecurityService", + public SampleSTS() throws Exception + { + super(); = -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 "http://localhost:(\\d)*/= jaxws-samples-wsse-policy-trust-actas/ActAsService", -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 "http://\\[::1\\]:(\\d)*/= jaxws-samples-wsse-policy-trust-actas/ActAsService", -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 "http://\\[0:0:0:0:0:0:0:= 1\\]:(\\d)*/jaxws-samples-wsse-policy-trust-actas/ActAsService", + StaticSTSProperties props =3D new StaticSTSProperties(); + props.setSignatureCryptoProperties("stsKeystore.properties"); + props.setSignatureUsername("mystskey"); + props.setCallbackHandlerClass(STSCallbackHandler.class.getName()); + 
props.setIssuer("DoubleItSTSIssuer"); = -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 "http://localhost:(\\d)*/= jaxws-samples-wsse-policy-trust-onbehalfof/OnBehalfOfService", -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 "http://\\[::1\\]:(\\d)*/= jaxws-samples-wsse-policy-trust-onbehalfof/OnBehalfOfService", -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 "http://\\[0:0:0:0:0:0:0:= 1\\]:(\\d)*/jaxws-samples-wsse-policy-trust-onbehalfof/OnBehalfOfService" -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 )); -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 services.add(service); -=C2=A0=C2=A0=C2=A0=C2=A0 =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 TokenIssueOperation issueOperation =3D new = TokenIssueOperation(); -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 issueOperation.setServices(services); -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 issueOperation.getTokenProviders().add(new = SAMLTokenProvider()); -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 // required for OnBehalfOf -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 issueOperation.getTokenValidators().add(new= UsernameTokenValidator()); -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 // added for OnBehalfOf and ActAs -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 issueOperation.getDelegationHandlers().add(= new UsernameTokenDelegationHandler()); -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 issueOperation.setStsProperties(props); -=C2=A0=C2=A0=C2=A0=C2=A0 =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 TokenValidateOperation validateOperation = =3D new TokenValidateOperation(); -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 validateOperation.getTokenValidators().add(= new SAMLTokenValidator()); -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 validateOperation.setStsProperties(props); -=C2=A0=C2=A0=C2=A0=C2=A0 =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 this.setIssueOperation(issueOperation); -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 this.setValidateOperation(validateOperation= ); -=C2=A0=C2=A0 } + List<ServiceMBean> services =3D new LinkedList<ServiceMBean= >(); + StaticService service =3D new StaticService(); + service.setEndpoints(Arrays.asList( + 
"http://localhost:(\\d)*/jaxws-samples-wsse-policy-trust/Security= Service", + "http://\\[::1\\]:(\\d)*/jaxws-samples-wsse-policy-trust/Security= Service", + "http://\\[0:0:0:0:0:0:0:1\\]:(\\d)*/jaxws-samples-wsse-policy-tr= ust/SecurityService", + + "http://localhost:(\\d)*/jaxws-samples-wsse-policy-trust-actas/Ac= tAsService", + "http://\\[::1\\]:(\\d)*/jaxws-samples-wsse-policy-trust-actas/Ac= tAsService", + "http://\\[0:0:0:0:0:0:0:1\\]:(\\d)*/jaxws-samples-wsse-policy-tr= ust-actas/ActAsService", + + "http://localhost:(\\d)*/jaxws-samples-wsse-policy-trust-onbehalf= of/OnBehalfOfService", + "http://\\[::1\\]:(\\d)*/jaxws-samples-wsse-policy-trust-onbehalf= of/OnBehalfOfService", + "http://\\[0:0:0:0:0:0:0:1\\]:(\\d)*/jaxws-samples-wsse-policy-tr= ust-onbehalfof/OnBehalfOfService" + )); + services.add(service); + + TokenIssueOperation issueOperation =3D new TokenIssueOperation(); + issueOperation.setServices(services); + issueOperation.getTokenProviders().add(new SAMLTokenProvider()); + // required for OnBehalfOf + issueOperation.getTokenValidators().add(new UsernameTokenValidator()= ); + // added for OnBehalfOf and ActAs + issueOperation.getDelegationHandlers().add(new UsernameTokenDelegati= onHandler()); + issueOperation.setStsProperties(props); + + TokenValidateOperation validateOperation =3D new TokenValidateOperat= ion(); + validateOperation.getTokenValidators().add(new SAMLTokenValidator()); + validateOperation.setStsProperties(props); + + this.setIssueOperation(issueOperation); + this.setValidateOperation(validateOperation); + } }
-
+
= STSCallbackHandler The user, alice, and corresponding password was required= to be added for the ActAs example. -package org.jboss.test.ws.jaxws.samples.wsse.policy.trust.sts; =C2=A0 -=C2=A0 -import java.util.HashMap; =C2=A0 -import java.util.Map; =C2=A0 -=C2=A0 -import org.jboss.wsf.stack.cxf.extensions.security.PasswordCallbackHandler= ; =C2=A0 -=C2=A0 -public class STSCallbackHandler extends PasswordCallbackHandler =C2=A0 -{ =C2=A0 -=C2=A0=C2=A0 public STSCallbackHandler() =C2=A0 -=C2=A0=C2=A0 { =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 super(getInitMap()); =C2=A0 -=C2=A0=C2=A0 } =C2=A0 -=C2=A0 -=C2=A0=C2=A0 private static Map<String, String> getInitMap() =C2=A0 -=C2=A0=C2=A0 { =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Map<String, String> passwords =3D new= HashMap<String, String>(); =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 passwords.put("mystskey", "stskpass"); =C2= =A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 passwords.put("alice", "clarinet"); =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 return passwords; =C2=A0 -=C2=A0=C2=A0 } =C2=A0 +package org.jboss.test.ws.jaxws.samples.wsse.policy.trust.sts; + +import java.util.HashMap; +import java.util.Map; + +import org.jboss.wsf.stack.cxf.extensions.security.PasswordCallbackHandler; + +public class STSCallbackHandler extends PasswordCallbackHandler +{ + public STSCallbackHandler() + { + super(getInitMap()); + } + + private static Map<String, String> getInitMap() + { + Map<String, String> passwords =3D new HashMap<String, Strin= g>(); + passwords.put("mystskey", "stskpass"); + passwords.put("alice", "clarinet"); + return passwords; + } }
-
+
= - ActAs Web service requester + Web service requester This section examines the ws-requester elements from the b= asic WS-Trust scenario that have been changed to address the needs of the= ActAs example. The component is ActAs web service requester implementation class -
+
= - ActAs Web service requester Implementation - The ActAs ws-requester, the client, uses standard proced= ures for creating a reference to the web service in the first four lines. = To address the endpoint security requirements, the web service's "Request= Context" is configured via the BindingProvider. Information needed in th= e message generation is provided through it. The ActAs user, myactaskey, i= s declared in this section and UsernameTokenCallbackHandler is used to pro= vide the contents of the ActAs element to the STSClient. In this example a= STSClient object is created and provided to the proxy's request context. = The alternative is to provide keys tagged with the ".it" suffix as was do= ne in [the Basic Scenario client|../../../../../../../../../../../#WS-Trust= andSTS-WebservicerequesterImplementation||||\||]. The use of ActAs is conf= igured through the props map using the SecurityConstants.STS_TOKEN_ACT_AS k= ey. The alternative is to use the STSClient.setActAs method. + Web service requester Implementation + + The ActAs ws-requester, the client, uses standard procedures= for creating a reference to the web service in the first four lines. To = address the endpoint security requirements, the web service's "Request Co= ntext" is configured via the BindingProvider. Information needed in the me= ssage generation is provided through it. The ActAs user, myactaskey, is de= clared in this section and UsernameTokenCallbackHandler is used to provide= the contents of the ActAs element to the STSClient. In this example a ST= SClient object is created and provided to the proxy's request context. The= alternative is to provide keys tagged with the ".it" suffix as was done in + the Basic S= cenario client + . The use of ActAs is configured through the props map using= the SecurityConstants.STS_TOKEN_ACT_AS key. The alternative is to use the= STSClient.setActAs method. 
+ - final QName serviceName =3D new QName("http://www.jboss.org/jbossws/ws-ex= tensions/actaswssecuritypolicy", "ActAsService"); =C2=A0 -final URL wsdlURL =3D new URL(serviceURL + "?wsdl"); =C2=A0 -Service service =3D Service.create(wsdlURL, serviceName); =C2=A0 -ActAsServiceIface proxy =3D (ActAsServiceIface) service.getPort(ActAsServi= ceIface.class); =C2=A0 -=C2=A0 -Bus bus =3D BusFactory.newInstance().createBus(); =C2=A0 -try { =C2=A0 -=C2=A0=C2=A0=C2=A0 BusFactory.setThreadDefaultBus(bus); =C2=A0 -=C2=A0 -=C2=A0=C2=A0=C2=A0 Map<String, Object> ctx =3D proxy.getRequestConte= xt(); =C2=A0 -=C2=A0 -=C2=A0=C2=A0=C2=A0 ctx.put(SecurityConstants.CALLBACK_HANDLER, new ClientC= allbackHandler()); =C2=A0 -=C2=A0=C2=A0=C2=A0 ctx.put(SecurityConstants.ENCRYPT_PROPERTIES, =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Thread.currentThread().getConte= xtClassLoader().getResource( - "META-INF/clientKeystore.properties")); =C2=A0 -=C2=A0=C2=A0=C2=A0 ctx.put(SecurityConstants.ENCRYPT_USERNAME, "myactaskey= "); =C2=A0 -=C2=A0=C2=A0=C2=A0 ctx.put(SecurityConstants.SIGNATURE_PROPERTIES, =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Thread.currentThread().getConte= xtClassLoader().getResource( - "META-INF/clientKeystore.properties")); =C2=A0 -=C2=A0=C2=A0=C2=A0 ctx.put(SecurityConstants.SIGNATURE_USERNAME, "myclient= key"); =C2=A0 -=C2=A0 + final QName serviceName =3D new QName("http://www.jboss.org/jbossws/ws-ex= tensions/actaswssecuritypolicy", "ActAsService"); +final URL wsdlURL =3D new URL(serviceURL + "?wsdl"); +Service service =3D Service.create(wsdlURL, serviceName); +ActAsServiceIface proxy =3D (ActAsServiceIface) service.getPort(ActAsServi= ceIface.class); + +Bus bus =3D BusFactory.newInstance().createBus(); +try { + BusFactory.setThreadDefaultBus(bus); + + Map<String, Object> ctx =3D proxy.getRequestContext(); + + ctx.put(SecurityConstants.CALLBACK_HANDLER, new ClientCallbackHandler(= )); + ctx.put(SecurityConstants.ENCRYPT_PROPERTIES, + 
Thread.currentThread().getContextClassLoader().getResource( + "META-INF/clientKeystore.properties")); + ctx.put(SecurityConstants.ENCRYPT_USERNAME, "myactaskey"); + ctx.put(SecurityConstants.SIGNATURE_PROPERTIES, + Thread.currentThread().getContextClassLoader().getResource( + "META-INF/clientKeystore.properties")); + ctx.put(SecurityConstants.SIGNATURE_USERNAME, "myclientkey"); + // Generate the ActAs element contents and pass to the STSClient as a = string -=C2=A0=C2=A0=C2=A0 UsernameTokenCallbackHandler ch =3D new UsernameTokenCa= llbackHandler(); =C2=A0 -=C2=A0=C2=A0=C2=A0 String str =3D ch.getUsernameTokenString("myactaskey", = null); =C2=A0 -=C2=A0=C2=A0=C2=A0 ctx.put(SecurityConstants.STS_TOKEN_ACT_AS, str); =C2= =A0 -=C2=A0 -=C2=A0=C2=A0=C2=A0 STSClient stsClient =3D new STSClient(bus); =C2=A0 -=C2=A0=C2=A0=C2=A0 Map<String, Object> props =3D stsClient.getProper= ties(); =C2=A0 -=C2=A0=C2=A0=C2=A0 props.put(SecurityConstants.USERNAME, "bob"); =C2=A0 -=C2=A0=C2=A0=C2=A0 props.put(SecurityConstants.CALLBACK_HANDLER, new Clien= tCallbackHandler()); =C2=A0 -=C2=A0=C2=A0=C2=A0 props.put(SecurityConstants.ENCRYPT_PROPERTIES, =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Thread.currentThread().getConte= xtClassLoader().getResource( - "META-INF/clientKeystore.properties")); =C2=A0 -=C2=A0=C2=A0=C2=A0 props.put(SecurityConstants.ENCRYPT_USERNAME, "mystskey= "); =C2=A0 -=C2=A0=C2=A0=C2=A0 props.put(SecurityConstants.STS_TOKEN_USERNAME, "myclie= ntkey"); =C2=A0 -=C2=A0=C2=A0=C2=A0 props.put(SecurityConstants.STS_TOKEN_PROPERTIES, =C2= =A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Thread.currentThread().getConte= xtClassLoader().getResource( - "META-INF/clientKeystore.properties")); =C2=A0 -=C2=A0=C2=A0=C2=A0 props.put(SecurityConstants.STS_TOKEN_USE_CERT_FOR_KEYI= NFO, "true"); =C2=A0 -=C2=A0 -=C2=A0=C2=A0=C2=A0 ctx.put(SecurityConstants.STS_CLIENT, stsClient); =C2= =A0 -} finally { =C2=A0 -=C2=A0=C2=A0=C2=A0 bus.shutdown(true); =C2=A0 -} =C2=A0 + 
UsernameTokenCallbackHandler ch =3D new UsernameTokenCallbackHandler(); + String str =3D ch.getUsernameTokenString("alice","clarinet"); + ctx.put(SecurityConstants.STS_TOKEN_ACT_AS, str); + + STSClient stsClient =3D new STSClient(bus); + Map<String, Object> props =3D stsClient.getProperties(); + props.put(SecurityConstants.USERNAME, "bob"); + props.put(SecurityConstants.CALLBACK_HANDLER, new ClientCallbackHandle= r()); + props.put(SecurityConstants.ENCRYPT_PROPERTIES, + Thread.currentThread().getContextClassLoader().getResource( + "META-INF/clientKeystore.properties")); + props.put(SecurityConstants.ENCRYPT_USERNAME, "mystskey"); + props.put(SecurityConstants.STS_TOKEN_USERNAME, "myclientkey"); + props.put(SecurityConstants.STS_TOKEN_PROPERTIES, + Thread.currentThread().getContextClassLoader().getResource( + "META-INF/clientKeystore.properties")); + props.put(SecurityConstants.STS_TOKEN_USE_CERT_FOR_KEYINFO, "true"); + + ctx.put(SecurityConstants.STS_CLIENT, stsClient); +} finally { + bus.shutdown(true); +} proxy.sayHello();
-
+
+
+ = + OnBehalfOf WS-Trust Scenario + + The OnBehalfOf feature is used in scenarios that use the proxy = pattern. In such scenarios, the client cannot access the STS directly, in= stead it communicates through a proxy gateway. The proxy gateway authentic= ates the caller and puts information about the caller into the OnBehalfOf = element of the RequestSecurityToken (RST) sent to the real STS for process= ing. The resulting token contains only claims related to the client of the= proxy, making the proxy completely transparent to the receiver of the iss= ued token. = - OnBehalfOf WS-Trust Scenario - - The OnBehalfOf feature is used in scenarios that use the proxy= pattern. In such scenarios, the client cannot access the STS directly, = instead it communicates through a proxy gateway. The proxy gateway authent= icates the caller and puts information about the caller into the OnBehalfO= f element of the RequestSecurityToken (RST) sent to the real STS for proce= ssing. The resulting token contains only claims related to the client of t= he proxy, making the proxy completely transparent to the receiver of the i= ssued token. + + + OnBehalfOf is nothing more than a new sub-element in the RST. = It provides additional information about the original caller when a token = is negotiated with the STS. The OnBehalfOf element usually takes the form= of a token with identity claims such as name, role, and authorization co= de, for the client to access the service. + = + + + The OnBehalfOf scenario is an extension of + the basic WS-Trust scenario + . In this example the OnBehalfOf service calls the ws-service = on behalf of a user. There are only a couple of additions to the basic sc= enario's code. An OnBehalfOf web service provider and callback handler ha= ve been added. The OnBehalfOf web services' WSDL imposes the same secur= ity policies as the ws-provider. UsernameTokenCallbackHandler is a utility= shared with ActAs. It generates the content for the OnBehalfOf element. 
= And lastly there are code additions in the STS that both OnBehalfOf and A= ctAs share in common. + = + + + Infor here [ + Open Source Security: Apache CXF 2.5.1 STS updates + ] + +
+ = + Web service provider + This section examines the web service elements from the ba= sic WS-Trust scenario that have been changed to address the needs of the = OnBehalfOf example. The components are. + + + web service provider's WSDL + + + web service provider's Interface and Implementation cl= asses. + + + OnBehalfOfCallbackHandler class + + +
= - - - OnBehalfOf is nothing more than a new sub-element in the RST.= It provides additional information about the original caller when a toke= n is negotiated with the STS. The OnBehalfOf element usually takes the fo= rm of a token with identity claims such as name, role, and authorization = code, for the client to access the service. - = - - - The OnBehalfOf scenario is an extension of - the basic WS-Trust scenario - . In this example the OnBehalfOf service calls the ws-servic= e on behalf of a user. There are only a couple of additions to the basic = scenario's code. An OnBehalfOf web service provider and callback handler = have been added. The OnBehalfOf web services' WSDL imposes the same sec= urity policies as the ws-provider. UsernameTokenCallbackHandler is a utili= ty shared with ActAs. It generates the content for the OnBehalfOf element= . And lastly there are code additions in the STS that both OnBehalfOf and= ActAs share in common. - = - - - Infor here [ - Open Source Security: Apache CXF 2.5.1 STS updates - ] - -
- = - OnBehalfOf Web service provider - This section examines the web service elements from the = basic WS-Trust scenario that have been changed to address the needs of the= OnBehalfOf example. The components are. - - - OnBehalfOf web service provider's WSDL - - - OnBehalfOf web service provider's Interface and Impl= ementation classes. - - - OnBehalfOfCallbackHandler class - - -
-
- = - OnBehalfOf Web service provider WSDL + Web service provider WSDL The OnBehalfOf web service provider's WSDL is a clone of= the ws-provider's WSDL. The wsp:Policy section is the same. There are = changes to the service endpoint, targetNamespace, portType, binding name,= and service. <?xml version=3D"1.0" encoding=3D"UTF-8" standalone=3D"yes"?> <definitions targetNamespace=3D"http://www.jboss.org/jbossws/ws-extensi= ons/onbehalfofwssecuritypolicy" name=3D"OnBehalfOfService" -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 x= mlns:tns=3D"http://www.jboss.org/jbossws/ws-extensions/onbehalfofwssecurity= policy" -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 x= mlns:xsd=3D"http://www.w3.org/2001/XMLSchema" -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 x= mlns:soap=3D"http://schemas.xmlsoap.org/wsdl/soap/" -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 x= mlns=3D"http://schemas.xmlsoap.org/wsdl/" -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 x= mlns:wsp=3D"http://www.w3.org/ns/ws-policy" -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 x= mlns:wsam=3D"http://www.w3.org/2007/05/addressing/metadata" -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 x= mlns:wsu=3D"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecur= ity-utility-1.0.xsd" -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 x= mlns:wsaws=3D"http://www.w3.org/2005/08/addressing" -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 x= mlns:sp=3D"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702" -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 x= mlns:t=3D"http://docs.oasis-open.org/ws-sx/ws-trust/200512"> -=C2=A0=C2=A0=C2=A0 <types> -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <xsd:schema> 
-=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <xsd= :import namespace=3D"http://www.jboss.org/jbossws/ws-extensions/onbehalfofw= ssecuritypolicy" -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 schemaLocation=3D"OnBehalfOfService_schema1.= xsd"/> -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </xsd:schema> -=C2=A0=C2=A0=C2=A0 </types> -=C2=A0=C2=A0=C2=A0 <message name=3D"sayHello"> -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <part name=3D"parameters" el= ement=3D"tns:sayHello"/> -=C2=A0=C2=A0=C2=A0 </message> -=C2=A0=C2=A0=C2=A0 <message name=3D"sayHelloResponse"> -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <part name=3D"parameters" el= ement=3D"tns:sayHelloResponse"/> -=C2=A0=C2=A0=C2=A0 </message> -=C2=A0=C2=A0=C2=A0 <portType name=3D"OnBehalfOfServiceIface"> -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <operation name=3D"sayHello"= > -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <inp= ut message=3D"tns:sayHello"/> -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <out= put message=3D"tns:sayHelloResponse"/> -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </operation> -=C2=A0=C2=A0=C2=A0 </portType> -=C2=A0=C2=A0=C2=A0 <binding name=3D"OnBehalfOfServicePortBinding" type= =3D"tns:OnBehalfOfServiceIface"> -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <wsp:PolicyReference URI=3D"= #AsymmetricSAML2Policy" /> -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <soap:binding transport=3D"h= ttp://schemas.xmlsoap.org/soap/http" style=3D"document"/> -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <operation name=3D"sayHello"= > -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <soa= p:operation soapAction=3D""/> -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <inp= ut> -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0 <soap:body use=3D"literal"/> 
-=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0 <wsp:PolicyReference URI=3D"#Input_Policy" /> -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </in= put> -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <out= put> -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0 <soap:body use=3D"literal"/> -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0 <wsp:PolicyReference URI=3D"#Output_Policy" /> -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </ou= tput> -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </operation> -=C2=A0=C2=A0=C2=A0 </binding> -=C2=A0=C2=A0=C2=A0 <service name=3D"OnBehalfOfService"> -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <port name=3D"OnBehalfOfServ= icePort" binding=3D"tns:OnBehalfOfServicePortBinding"> -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <soa= p:address location=3D"http://@jboss.bind.address@:8080/jaxws-samples-wsse-p= olicy-trust-onbehalfof/OnBehalfOfService"/> -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </port> -=C2=A0=C2=A0=C2=A0 </service> -</definitions>=C2=A0 + xmlns:tns=3D"http://www.jboss.org/jbossws/ws-extensions/onbeh= alfofwssecuritypolicy" + xmlns:xsd=3D"http://www.w3.org/2001/XMLSchema" + xmlns:soap=3D"http://schemas.xmlsoap.org/wsdl/soap/" + xmlns=3D"http://schemas.xmlsoap.org/wsdl/" + xmlns:wsp=3D"http://www.w3.org/ns/ws-policy" + xmlns:wsam=3D"http://www.w3.org/2007/05/addressing/metadata" + xmlns:wsu=3D"http://docs.oasis-open.org/wss/2004/01/oasis-200= 401-wss-wssecurity-utility-1.0.xsd" + xmlns:wsaws=3D"http://www.w3.org/2005/08/addressing" + xmlns:sp=3D"http://docs.oasis-open.org/ws-sx/ws-securitypolic= y/200702" + xmlns:t=3D"http://docs.oasis-open.org/ws-sx/ws-trust/200512"&= gt; + <types> + <xsd:schema> + <xsd:import namespace=3D"http://www.jboss.org/jbossws/ws-ex= tensions/onbehalfofwssecuritypolicy" + 
schemaLocation=3D"OnBehalfOfService_schema1.xsd"/> + </xsd:schema> + </types> + <message name=3D"sayHello"> + <part name=3D"parameters" element=3D"tns:sayHello"/> + </message> + <message name=3D"sayHelloResponse"> + <part name=3D"parameters" element=3D"tns:sayHelloResponse"/> + </message> + <portType name=3D"OnBehalfOfServiceIface"> + <operation name=3D"sayHello"> + <input message=3D"tns:sayHello"/> + <output message=3D"tns:sayHelloResponse"/> + </operation> + </portType> + <binding name=3D"OnBehalfOfServicePortBinding" type=3D"tns:OnBehalf= OfServiceIface"> + <wsp:PolicyReference URI=3D"#AsymmetricSAML2Policy" /> + <soap:binding transport=3D"http://schemas.xmlsoap.org/soap/http= " style=3D"document"/> + <operation name=3D"sayHello"> + <soap:operation soapAction=3D""/> + <input> + <soap:body use=3D"literal"/> + <wsp:PolicyReference URI=3D"#Input_Policy" /> + </input> + <output> + <soap:body use=3D"literal"/> + <wsp:PolicyReference URI=3D"#Output_Policy" /> + </output> + </operation> + </binding> + <service name=3D"OnBehalfOfService"> + <port name=3D"OnBehalfOfServicePort" binding=3D"tns:OnBehalfOfS= ervicePortBinding"> + <soap:address location=3D"http://@jboss.bind.address@:8080/= jaxws-samples-wsse-policy-trust-onbehalfof/OnBehalfOfService"/> + </port> + </service> +</definitions>
-
+
= - OnBehalfOf Web Service Interface + Web Service Interface The web service provider interface class, OnBehalfOfServ= iceIface, is a simple web service definition. -package org.jboss.test.ws.jaxws.samples.wsse.policy.trust.onbehalfof; =C2= =A0 -=C2=A0 -import javax.jws.WebMethod; =C2=A0 -import javax.jws.WebService; =C2=A0 -=C2=A0 -(a)WebService =C2=A0 -( =C2=A0 -=C2=A0=C2=A0 targetNamespace =3D "http://www.jboss.org/jbossws/ws-extensio= ns/onbehalfofwssecuritypolicy" =C2=A0 -) =C2=A0 -public interface OnBehalfOfServiceIface =C2=A0 -{ =C2=A0 -=C2=A0=C2=A0 @WebMethod =C2=A0 -=C2=A0=C2=A0 String sayHello(); =C2=A0 +package org.jboss.test.ws.jaxws.samples.wsse.policy.trust.onbehalfof; + +import javax.jws.WebMethod; +import javax.jws.WebService; + +(a)WebService +( + targetNamespace =3D "http://www.jboss.org/jbossws/ws-extensions/onbehal= fofwssecuritypolicy" +) +public interface OnBehalfOfServiceIface +{ + @WebMethod + String sayHello(); }
-
+
= - OnBehalfOf Web Service Implementation + Web Service Implementation The web service provider implementation class, OnBehalfO= fServiceImpl, is a simple POJO. It uses the standard WebService annotatio= n to define the service endpoint and two Apache WSS4J annotations, Endpoi= ntProperties and EndpointProperty used for configuring the endpoint for th= e CXF runtime. The WSS4J configuration information provided is for WSS4J= 's Crypto Merlin implementation. OnBehalfOfServiceImpl is calling the ServiceImpl acting= on behalf of the user. Method setupService performs the requisite config= uration setup. -package org.jboss.test.ws.jaxws.samples.wsse.policy.trust.onbehalfof; =C2= =A0 -=C2=A0 -import org.apache.cxf.Bus; =C2=A0 -import org.apache.cxf.BusFactory; =C2=A0 -import org.apache.cxf.annotations.EndpointProperties; =C2=A0 -import org.apache.cxf.annotations.EndpointProperty; =C2=A0 -import org.apache.cxf.ws.security.SecurityConstants; =C2=A0 -import org.apache.cxf.ws.security.trust.STSClient; =C2=A0 -import org.jboss.test.ws.jaxws.samples.wsse.policy.trust.service.ServiceIf= ace; =C2=A0 -import org.jboss.test.ws.jaxws.samples.wsse.policy.trust.shared.WSTrustApp= Utils; =C2=A0 -=C2=A0 -import javax.jws.WebService; =C2=A0 -import javax.xml.namespace.QName; =C2=A0 -import javax.xml.ws.BindingProvider; =C2=A0 -import javax.xml.ws.Service; =C2=A0 -import java.net.*; =C2=A0 -import java.util.Map; =C2=A0 -=C2=A0 -(a)WebService =C2=A0 -( =C2=A0 -=C2=A0=C2=A0 portName =3D "OnBehalfOfServicePort", =C2=A0 -=C2=A0=C2=A0 serviceName =3D "OnBehalfOfService", =C2=A0 -=C2=A0=C2=A0 wsdlLocation =3D "WEB-INF/wsdl/OnBehalfOfService.wsdl", =C2= =A0 -=C2=A0=C2=A0 targetNamespace =3D "http://www.jboss.org/jbossws/ws-extensio= ns/onbehalfofwssecuritypolicy", =C2=A0 -=C2=A0=C2=A0 endpointInterface =3D "org.jboss.test.ws.jaxws.samples.wsse.p= olicy.trust.onbehalfof.OnBehalfOfServiceIface" =C2=A0 -) =C2=A0 -=C2=A0 -(a)EndpointProperties(value =3D { =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 
@EndpointProperty(key =3D "ws-security.sign= ature.username", value =3D "myactaskey"), =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 @EndpointProperty(key =3D "ws-security.sign= ature.properties", value =3D=C2=A0 "actasKeystore.properties"), =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 @EndpointProperty(key =3D "ws-security.encr= yption.properties", value =3D "actasKeystore.properties"), =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 @EndpointProperty(key =3D "ws-security.call= back-handler", value =3D "org.jboss.test.ws.jaxws.samples.wsse.policy.trust= .onbehalfof.OnBehalfOfCallbackHandler") =C2=A0 -}) =C2=A0 -=C2=A0 -public class OnBehalfOfServiceImpl implements OnBehalfOfServiceIface =C2= =A0 -{ =C2=A0 -=C2=A0=C2=A0 public String sayHello() { =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 try { =C2=A0 -=C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 ServiceIface proxy =3D se= tupService(); =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 return "OnBehalfOf " + pr= oxy.sayHello(); =C2=A0 -=C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 } catch (MalformedURLException e) { =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 e.printStackTrace(); =C2= =A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 } =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 return null; =C2=A0 -=C2=A0=C2=A0 } =C2=A0 -=C2=A0 -=C2=A0=C2=A0 /** -=C2=A0=C2=A0=C2=A0 * -=C2=A0=C2=A0=C2=A0 * @return -=C2=A0=C2=A0=C2=A0 * @throws MalformedURLException -=C2=A0=C2=A0=C2=A0 */ =C2=A0 -=C2=A0=C2=A0 private=C2=A0 ServiceIface setupService()throws MalformedURLE= xception { =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 ServiceIface proxy =3D null; =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Bus bus =3D BusFactory.newInstance().create= Bus(); =C2=A0 -=C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 try { =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 BusFactory.setThreadDefau= ltBus(bus); =C2=A0 -=C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 final String serviceURL = =3D "http://" + WSTrustAppUtils.getServerHost() + ":8080/jaxws-samples-wsse= 
-policy-trust/SecurityService"; =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 final QName serviceName = =3D new QName("http://www.jboss.org/jbossws/ws-extensions/wssecuritypolicy"= , "SecurityService"); =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 final URL wsdlURL =3D new= URL(serviceURL + "?wsdl"); =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Service service =3D Servi= ce.create(wsdlURL, serviceName); =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 proxy =3D (ServiceIface) = service.getPort(ServiceIface.class); =C2=A0 -=C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Map<String, Object>= ctx =3D ((BindingProvider) proxy).getRequestContext(); =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 ctx.put(SecurityConstants= .CALLBACK_HANDLER, new OnBehalfOfCallbackHandler()); =C2=A0 -=C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 ctx.put(SecurityConstants= .SIGNATURE_PROPERTIES, =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Thread.= currentThread().getContextClassLoader().getResource( - "actasKeystore.properties" )); =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 ctx.put(SecurityConstants= .SIGNATURE_USERNAME, "myactaskey" ); =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 ctx.put(SecurityConstants= .ENCRYPT_PROPERTIES, =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Thread.= currentThread().getContextClassLoader().getResource( - "../../META-INF/clientKeystore.properties" )); =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 ctx.put(SecurityConstants= .ENCRYPT_USERNAME, "myservicekey"); =C2=A0 -=C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 STSClient stsClient =3D n= ew STSClient(bus); =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Map<String, Object>= props =3D stsClient.getProperties(); =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 props.put(SecurityConstan= ts.USERNAME, "bob"); =C2=A0 
-=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 props.put(SecurityConstan= ts.ENCRYPT_USERNAME, "mystskey"); =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 props.put(SecurityConstan= ts.STS_TOKEN_USERNAME, "myactaskey" ); =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 props.put(SecurityConstan= ts.STS_TOKEN_PROPERTIES, =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Thread.= currentThread().getContextClassLoader().getResource( - "actasKeystore.properties" )); =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 props.put(SecurityConstan= ts.STS_TOKEN_USE_CERT_FOR_KEYINFO, "true"); =C2=A0 -=C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 ctx.put(SecurityConstants= .STS_CLIENT, stsClient); =C2=A0 -=C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 } finally { =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 bus.shutdown(true); =C2= =A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 } =C2=A0 -=C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 return proxy; =C2=A0 -=C2=A0=C2=A0 } =C2=A0 -=C2=A0 +package org.jboss.test.ws.jaxws.samples.wsse.policy.trust.onbehalfof; + +import org.apache.cxf.Bus; +import org.apache.cxf.BusFactory; +import org.apache.cxf.annotations.EndpointProperties; +import org.apache.cxf.annotations.EndpointProperty; +import org.apache.cxf.ws.security.SecurityConstants; +import org.apache.cxf.ws.security.trust.STSClient; +import org.jboss.test.ws.jaxws.samples.wsse.policy.trust.service.ServiceIf= ace; +import org.jboss.test.ws.jaxws.samples.wsse.policy.trust.shared.WSTrustApp= Utils; + +import javax.jws.WebService; +import javax.xml.namespace.QName; +import javax.xml.ws.BindingProvider; +import javax.xml.ws.Service; +import java.net.*; +import java.util.Map; + +(a)WebService +( + portName =3D "OnBehalfOfServicePort", + serviceName =3D "OnBehalfOfService", + wsdlLocation =3D "WEB-INF/wsdl/OnBehalfOfService.wsdl", + targetNamespace =3D "http://www.jboss.org/jbossws/ws-extensions/onbehal= fofwssecuritypolicy", + 
endpointInterface =3D "org.jboss.test.ws.jaxws.samples.wsse.policy.trus= t.onbehalfof.OnBehalfOfServiceIface" +) + +(a)EndpointProperties(value =3D { + @EndpointProperty(key =3D "ws-security.signature.username", value = =3D "myactaskey"), + @EndpointProperty(key =3D "ws-security.signature.properties", value = =3D "actasKeystore.properties"), + @EndpointProperty(key =3D "ws-security.encryption.properties", value= =3D "actasKeystore.properties"), + @EndpointProperty(key =3D "ws-security.callback-handler", value =3D = "org.jboss.test.ws.jaxws.samples.wsse.policy.trust.onbehalfof.OnBehalfOfCal= lbackHandler") +}) + +public class OnBehalfOfServiceImpl implements OnBehalfOfServiceIface +{ + public String sayHello() { + try { + + ServiceIface proxy =3D setupService(); + return "OnBehalfOf " + proxy.sayHello(); + + } catch (MalformedURLException e) { + e.printStackTrace(); + } + return null; + } + + /** + * + * @return + * @throws MalformedURLException + */ + private ServiceIface setupService()throws MalformedURLException { + ServiceIface proxy =3D null; + Bus bus =3D BusFactory.newInstance().createBus(); + + try { + BusFactory.setThreadDefaultBus(bus); + + final String serviceURL =3D "http://" + WSTrustAppUtils.getServer= Host() + ":8080/jaxws-samples-wsse-policy-trust/SecurityService"; + final QName serviceName =3D new QName("http://www.jboss.org/jboss= ws/ws-extensions/wssecuritypolicy", "SecurityService"); + final URL wsdlURL =3D new URL(serviceURL + "?wsdl"); + Service service =3D Service.create(wsdlURL, serviceName); + proxy =3D (ServiceIface) service.getPort(ServiceIface.class); + + Map<String, Object> ctx =3D ((BindingProvider) proxy).getRe= questContext(); + ctx.put(SecurityConstants.CALLBACK_HANDLER, new OnBehalfOfCallbac= kHandler()); + + ctx.put(SecurityConstants.SIGNATURE_PROPERTIES, + Thread.currentThread().getContextClassLoader().getResource( + "actasKeystore.properties" )); + ctx.put(SecurityConstants.SIGNATURE_USERNAME, "myactaskey" ); + 
ctx.put(SecurityConstants.ENCRYPT_PROPERTIES, + Thread.currentThread().getContextClassLoader().getResource( + "../../META-INF/clientKeystore.properties" )); + ctx.put(SecurityConstants.ENCRYPT_USERNAME, "myservicekey"); + + STSClient stsClient =3D new STSClient(bus); + Map<String, Object> props =3D stsClient.getProperties(); + props.put(SecurityConstants.USERNAME, "bob"); + props.put(SecurityConstants.ENCRYPT_USERNAME, "mystskey"); + props.put(SecurityConstants.STS_TOKEN_USERNAME, "myactaskey" ); + props.put(SecurityConstants.STS_TOKEN_PROPERTIES, + Thread.currentThread().getContextClassLoader().getResource( + "actasKeystore.properties" )); + props.put(SecurityConstants.STS_TOKEN_USE_CERT_FOR_KEYINFO, "true= "); + + ctx.put(SecurityConstants.STS_CLIENT, stsClient); + + } finally { + bus.shutdown(true); + } + + return proxy; + } + }
-
+
= OnBehalfOfCallbackHandler OnBehalfOfCallbackHandler is a callback handler for the = WSS4J Crypto API. It is used to obtain the password for the private key i= n the keystore. This class enables CXF to retrieve the password of the us= er name to use for the message signature. This class has been revised to = return the passwords for this service, myactaskey and the "OnBehalfOf" user= , alice. -=C2=A0package org.jboss.test.ws.jaxws.samples.wsse.policy.trust.onbehalfof= ; =C2=A0 -=C2=A0 -import org.jboss.wsf.stack.cxf.extensions.security.PasswordCallbackHandler= ; =C2=A0 -import java.util.HashMap; =C2=A0 -import java.util.Map; =C2=A0 -=C2=A0 -public class OnBehalfOfCallbackHandler extends PasswordCallbackHandler { = =C2=A0 -=C2=A0 -=C2=A0=C2=A0 public OnBehalfOfCallbackHandler() =C2=A0 -=C2=A0=C2=A0 { =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 super(getInitMap()); =C2=A0 -=C2=A0=C2=A0 } =C2=A0 -=C2=A0 -=C2=A0=C2=A0 private static Map<String, String> getInitMap() =C2=A0 -=C2=A0=C2=A0 { =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Map<String, String> passwords =3D new= HashMap<String, String>(); =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 passwords.put("myactaskey", "aspass"); =C2= =A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 passwords.put("alice", "clarinet"); =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 passwords.put("bob", "trombone"); =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 return passwords; =C2=A0 -=C2=A0=C2=A0 } =C2=A0 -=C2=A0 + package org.jboss.test.ws.jaxws.samples.wsse.policy.trust.onbehalfof; + +import org.jboss.wsf.stack.cxf.extensions.security.PasswordCallbackHandler; +import java.util.HashMap; +import java.util.Map; + +public class OnBehalfOfCallbackHandler extends PasswordCallbackHandler { + + public OnBehalfOfCallbackHandler() + { + super(getInitMap()); + } + + private static Map<String, String> getInitMap() + { + Map<String, String> passwords =3D new HashMap<String, Strin= g>(); + passwords.put("myactaskey", "aspass"); + passwords.put("alice", "clarinet"); + passwords.put("bob", 
"trombone"); + return passwords; + } + }
-
+
= - OnBehalfOf Web service requester + Web service requester This section examines the ws-requester elements from the b= asic WS-Trust scenario that have been changed to address the needs of the = OnBehalfOf example. The component is OnBehalfOf web service requester implementation class<= /para> -
+
= - OnBehalfOf Web service requester Implementation + Web service requester Implementation The OnBehalfOf ws-requester, the client, uses standard proce= dures for creating a reference to the web service in the first four lines. = To address the endpoint security requirements, the web service's "Request = Context" is configured via the BindingProvider. Information needed in the m= essage generation is provided through it. The OnBehalfOf user, alice, is d= eclared in this section and the callbackHandler, UsernameTokenCallbackHandl= er is provided to the STSClient for generation of the contents for the OnBe= halfOf message element. In this example a STSClient object is created and = provided to the proxy's request context. The alternative is to provide keys= tagged with the ".it" suffix as was done in - the Basic Scenario client + the Basic Scenario client . The use of OnBehalfOf is configured by the method call st= sClient.setOnBehalfOf. The alternative is to use the key SecurityConstants= .STS_TOKEN_ON_BEHALF_OF and a value in the props map. 
-final QName serviceName =3D new QName("http://www.jboss.org/jbossws/ws-ext= ensions/onbehalfofwssecuritypolicy", "OnBehalfOfService"); =C2=A0 -final URL wsdlURL =3D new URL(serviceURL + "?wsdl"); =C2=A0 -Service service =3D Service.create(wsdlURL, serviceName); =C2=A0 -OnBehalfOfServiceIface proxy =3D (OnBehalfOfServiceIface) service.getPort(= OnBehalfOfServiceIface.class); =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 =C2=A0 -=C2=A0 -Bus bus =3D BusFactory.newInstance().createBus(); =C2=A0 -try { =C2=A0 -=C2=A0=C2=A0 =C2=A0 -=C2=A0=C2=A0=C2=A0 BusFactory.setThreadDefaultBus(bus); =C2=A0 -=C2=A0 -=C2=A0=C2=A0=C2=A0 Map<String, Object> ctx =3D proxy.getRequestConte= xt(); =C2=A0 -=C2=A0 -=C2=A0=C2=A0=C2=A0 ctx.put(SecurityConstants.CALLBACK_HANDLER, new ClientC= allbackHandler()); =C2=A0 -=C2=A0=C2=A0=C2=A0 ctx.put(SecurityConstants.ENCRYPT_PROPERTIES, =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Thread.currentThread().getConte= xtClassLoader().getResource( - "META-INF/clientKeystore.properties")); =C2=A0 -=C2=A0=C2=A0=C2=A0 ctx.put(SecurityConstants.ENCRYPT_USERNAME, "myactaskey= "); =C2=A0 -=C2=A0=C2=A0=C2=A0 ctx.put(SecurityConstants.SIGNATURE_PROPERTIES, =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Thread.currentThread().getConte= xtClassLoader().getResource( - "META-INF/clientKeystore.properties")); =C2=A0 -=C2=A0=C2=A0=C2=A0 ctx.put(SecurityConstants.SIGNATURE_USERNAME, "myclient= key"); +final QName serviceName =3D new QName("http://www.jboss.org/jbossws/ws-ext= ensions/onbehalfofwssecuritypolicy", "OnBehalfOfService"); +final URL wsdlURL =3D new URL(serviceURL + "?wsdl"); +Service service =3D Service.create(wsdlURL, serviceName); +OnBehalfOfServiceIface proxy =3D (OnBehalfOfServiceIface) service.getPort(= OnBehalfOfServiceIface.class); = + +Bus bus =3D BusFactory.newInstance().createBus(); +try { + + BusFactory.setThreadDefaultBus(bus); + + Map<String, Object> ctx =3D proxy.getRequestContext(); + + ctx.put(SecurityConstants.CALLBACK_HANDLER, new 
ClientCallbackHandler(= )); + ctx.put(SecurityConstants.ENCRYPT_PROPERTIES, + Thread.currentThread().getContextClassLoader().getResource( + "META-INF/clientKeystore.properties")); + ctx.put(SecurityConstants.ENCRYPT_USERNAME, "myactaskey"); + ctx.put(SecurityConstants.SIGNATURE_PROPERTIES, + Thread.currentThread().getContextClassLoader().getResource( + "META-INF/clientKeystore.properties")); + ctx.put(SecurityConstants.SIGNATURE_USERNAME, "myclientkey"); + // user and password OnBehalfOf user // UsernameTokenCallbackHandler will extract this information when cal= led -=C2=A0=C2=A0=C2=A0 ctx.put(SecurityConstants.USERNAME,"alice"); =C2=A0 -=C2=A0=C2=A0=C2=A0 ctx.put(SecurityConstants.PASSWORD, "clarinet"); =C2=A0 -=C2=A0 -=C2=A0=C2=A0=C2=A0 STSClient stsClient =3D new STSClient(bus); + ctx.put(SecurityConstants.USERNAME,"alice"); + ctx.put(SecurityConstants.PASSWORD, "clarinet"); = - // Providing the STSClient the mechanism to create the claims contents= for OnBehalfOf=C2=A0 -=C2=A0=C2=A0=C2=A0 stsClient.setOnBehalfOf(new UsernameTokenCallbackHandle= r()); =C2=A0 -=C2=A0 -=C2=A0=C2=A0=C2=A0 Map<String, Object> props =3D stsClient.getProper= ties(); =C2=A0 -=C2=A0=C2=A0=C2=A0 props.put(SecurityConstants.CALLBACK_HANDLER, new Clien= tCallbackHandler()); =C2=A0 -=C2=A0=C2=A0=C2=A0 props.put(SecurityConstants.ENCRYPT_PROPERTIES, =C2=A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Thread.currentThread().getConte= xtClassLoader().getResource( - "META-INF/clientKeystore.properties")); =C2=A0 -=C2=A0=C2=A0=C2=A0 props.put(SecurityConstants.ENCRYPT_USERNAME, "mystskey= "); =C2=A0 -=C2=A0=C2=A0=C2=A0 props.put(SecurityConstants.STS_TOKEN_USERNAME, "myclie= ntkey"); =C2=A0 -=C2=A0=C2=A0=C2=A0 props.put(SecurityConstants.STS_TOKEN_PROPERTIES, =C2= =A0 -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Thread.currentThread().getConte= xtClassLoader().getResource( - "META-INF/clientKeystore.properties")); =C2=A0 -=C2=A0=C2=A0=C2=A0 props.put(SecurityConstants.STS_TOKEN_USE_CERT_FOR_KEYI= 
NFO, "true"); =C2=A0 -=C2=A0 -=C2=A0=C2=A0=C2=A0 ctx.put(SecurityConstants.STS_CLIENT, stsClient); =C2= =A0 -=C2=A0=C2=A0 =C2=A0 -} finally { =C2=A0 -=C2=A0=C2=A0=C2=A0 bus.shutdown(true); =C2=A0 -} =C2=A0 + STSClient stsClient =3D new STSClient(bus); + + // Providing the STSClient the mechanism to create the claims contents= for OnBehalfOf + stsClient.setOnBehalfOf(new UsernameTokenCallbackHandler()); + + Map<String, Object> props =3D stsClient.getProperties(); + props.put(SecurityConstants.CALLBACK_HANDLER, new ClientCallbackHandle= r()); + props.put(SecurityConstants.ENCRYPT_PROPERTIES, + Thread.currentThread().getContextClassLoader().getResource( + "META-INF/clientKeystore.properties")); + props.put(SecurityConstants.ENCRYPT_USERNAME, "mystskey"); + props.put(SecurityConstants.STS_TOKEN_USERNAME, "myclientkey"); + props.put(SecurityConstants.STS_TOKEN_PROPERTIES, + Thread.currentThread().getContextClassLoader().getResource( + "META-INF/clientKeystore.properties")); + props.put(SecurityConstants.STS_TOKEN_USE_CERT_FOR_KEYINFO, "true"); + + ctx.put(SecurityConstants.STS_CLIENT, stsClient); + +} finally { + bus.shutdown(true); +} proxy.sayHello();
+
+ = + SAML Bearer Assertion Scenario + + WS-Trust deals with managing software security tokens. A SAML = assertion is a type of security token. In the SAML Bearer scenario, the s= ervice provider automatically trusts that the incoming SOAP request came f= rom the subject defined in the SAML token after the service verifies the t= okens signature. + = + + Implementation of this scenario has the following requiremen= ts. + + + SAML tokens with a Bearer subject confirmation method m= ust be protected so the token can not be snooped. In most cases, a bearer= token combined with HTTPS is sufficient to prevent "a man in the middle" = getting possession of the token. This means a security policy that uses a= sp:TransportBinding and sp:HttpsToken. + + + + A bearer token has no encryption or signing keys associated= with it, therefore a sp:IssuedToken of bearer keyType should be used with= a sp:SupportingToken or a sp:SignedSupportingTokens. + = + + + +
+ = + Web service Provider + This section examines the web service elements for the SAM= L Bearer scenario. The components are + + + Bearer web service provider's WSDL + + + SSL configuration + + + Bearer web service provider's Interface and Implementa= tion classes. + + + Crypto properties and keystore files + + + MANIFEST.MF + + +
+ = + Web service provider WSDL + The web service provider is a contract-first endpoint. = All the WS-trust and security policies for it are declared in WSDL, Bearer= Service.wsdl. For this scenario a ws-requester is required to present a S= AML 2.0 Bearer token issued from a designed STS. The address of the STS is= provided in the WSDL. HTTPS, a TransportBinding and HttpsToken policy a= re used to protect the SOAP body of messages that pass back and forth betw= een ws-requester and ws-provider. A detailed explanation of the security = settings are provided in the comments in the listing below. + + +<?xml version=3D"1.0" encoding=3D"UTF-8" standalone=3D"yes"?> +<definitions targetNamespace=3D"http://www.jboss.org/jbossws/ws-extensi= ons/bearerwssecuritypolicy" + name=3D"BearerService" + xmlns:tns=3D"http://www.jboss.org/jbossws/ws-extensions/beare= rwssecuritypolicy" + xmlns:xsd=3D"http://www.w3.org/2001/XMLSchema" + xmlns:soap=3D"http://schemas.xmlsoap.org/wsdl/soap/" + xmlns=3D"http://schemas.xmlsoap.org/wsdl/" + xmlns:wsp=3D"http://www.w3.org/ns/ws-policy" + xmlns:wsam=3D"http://www.w3.org/2007/05/addressing/metadata" + xmlns:wsu=3D"http://docs.oasis-open.org/wss/2004/01/oasis-200= 401-wss-wssecurity-utility-1.0.xsd" + xmlns:wsaws=3D"http://www.w3.org/2005/08/addressing" + xmlns:wsx=3D"http://schemas.xmlsoap.org/ws/2004/09/mex" + xmlns:sp=3D"http://docs.oasis-open.org/ws-sx/ws-securitypolic= y/200702" + xmlns:t=3D"http://docs.oasis-open.org/ws-sx/ws-trust/200512"&= gt; + + <types> + <xsd:schema> + <xsd:import namespace=3D"http://www.jboss.org/jbossws/ws-extensio= ns/bearerwssecuritypolicy" + schemaLocation=3D"BearerService_schema1.xsd"/> + </xsd:schema> + </types> + <message name=3D"sayHello"> + <part name=3D"parameters" element=3D"tns:sayHello"/> + </message> + <message name=3D"sayHelloResponse"> + <part name=3D"parameters" element=3D"tns:sayHelloResponse"/> + </message> + <portType name=3D"BearerIface"> + <operation name=3D"sayHello"> + <input 
message=3D"tns:sayHello"/> + <output message=3D"tns:sayHelloResponse"/> + </operation> + </portType> + +<!-- + The wsp:PolicyReference binds the security requirments on all the = endpoints. + The wsp:Policy wsu:Id=3D"#TransportSAML2BearerPolicy" element is d= efined later in this file. +--> + <binding name=3D"BearerServicePortBinding" type=3D"tns:BearerIface"&g= t; + <wsp:PolicyReference URI=3D"#TransportSAML2BearerPolicy" /> + <soap:binding transport=3D"http://schemas.xmlsoap.org/soap/http" st= yle=3D"document"/> + <operation name=3D"sayHello"> + <soap:operation soapAction=3D""/> + <input> + <soap:body use=3D"literal"/> + </input> + <output> + <soap:body use=3D"literal"/> + </output> + </operation> + </binding> + +<!-- + The soap:address has been defined to use JBoss's https port, 8443. This= is + set in conjunction with the sp:TransportBinding policy for https. +--> + <service name=3D"BearerService"> + <port name=3D"BearerServicePort" binding=3D"tns:BearerServicePortBi= nding"> + <soap:address location=3D"https://@jboss.bind.address@:8443/jaxws= -samples-wsse-policy-trust-bearer/BearerService"/> + </port> + </service> + + + <wsp:Policy wsu:Id=3D"TransportSAML2BearerPolicy"> + <wsp:ExactlyOne> + <wsp:All> + <!-- + The wsam:Addressing element, indicates that the endpoints of this + web service MUST conform to the WS-Addressing specification. The + attribute wsp:Optional=3D"false" enforces this assertion. + --> + <wsam:Addressing wsp:Optional=3D"false"> + <wsp:Policy /> + </wsam:Addressing> + +<!-- + The sp:TransportBinding element indicates that security is provided by t= he + message exchange transport medium, https. WS-Security policy specificat= ion + defines the sp:HttpsToken for use in exchanging messages transmitted ove= r HTTPS. 
+--> + <sp:TransportBinding + xmlns:sp=3D"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/2= 00702"> + <wsp:Policy> + <sp:TransportToken> + <wsp:Policy> + <sp:HttpsToken> + <wsp:Policy/> + </sp:HttpsToken> + </wsp:Policy> + </sp:TransportToken> +<!-- + The sp:AlgorithmSuite element, requires the TripleDes algorithm suite + be used in performing cryptographic operations. +--> + <sp:AlgorithmSuite> + <wsp:Policy> + <sp:TripleDes /> + </wsp:Policy> + </sp:AlgorithmSuite> +<!-- + The sp:Layout element, indicates the layout rules to apply when addi= ng + items to the security header. The sp:Lax sub-element indicates items + are added to the security header in any order that conforms to + WSS: SOAP Message Security. +--> + <sp:Layout> + <wsp:Policy> + <sp:Lax /> + </wsp:Policy> + </sp:Layout> + <sp:IncludeTimestamp /> + </wsp:Policy> + </sp:TransportBinding> + +<!-- + The sp:SignedSupportingTokens element causes the supporting tokens + to be signed using the primary token that is used to sign the message. +--> + <sp:SignedSupportingTokens + xmlns:sp=3D"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/2= 00702"> + <wsp:Policy> +<!-- + The sp:IssuedToken element asserts that a SAML 2.0 security token of type + Bearer is expected from the STS. The + sp:IncludeToken=3D"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/20= 0702/IncludeToken/AlwaysToRecipient"> + attribute instructs the runtime to include the initiator's public key + with every message sent to the recipient. + + The sp:RequestSecurityTokenTemplate element directs that all of the + children of this element will be copied directly into the body of the + RequestSecurityToken (RST) message that is sent to the STS when the + initiator asks the STS to issue a token. 
+--> + <sp:IssuedToken + sp:IncludeToken=3D"http://docs.oasis-open.org/ws-sx/ws-secur= itypolicy/200702/IncludeToken/AlwaysToRecipient"> + <sp:RequestSecurityTokenTemplate> + <t:TokenType>http://docs.oasis-open.org/wss/oasis-ws= s-saml-token-profile-1.1#SAMLV2.0</t:TokenType> + <t:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust= /200512/Bearer</t:KeyType> + </sp:RequestSecurityTokenTemplate> + <wsp:Policy> + <sp:RequireInternalReference /> + </wsp:Policy> +<!-- + The sp:Issuer element defines the STS's address and endpoint information + This information is used by the STSClient. +--> + <sp:Issuer> + <wsaws:Address>http://@jboss.bind.address@:8080/jaxw= s-samples-wsse-policy-trust-sts-bearer/SecurityTokenService</wsaws:Addre= ss> + <wsaws:Metadata + xmlns:wsdli=3D"http://www.w3.org/2006/01/wsdl-instance" + wsdli:wsdlLocation=3D"http://@jboss.bind.address@:8080/j= axws-samples-wsse-policy-trust-sts-bearer/SecurityTokenService?wsdl"> + <wsaw:ServiceName + xmlns:wsaw=3D"http://www.w3.org/2006/05/addressing/wsd= l" + xmlns:stsns=3D"http://docs.oasis-open.org/ws-sx/ws-tru= st/200512/" + EndpointName=3D"UT_Port">stsns:SecurityTokenService= </wsaw:ServiceName> + </wsaws:Metadata> + </sp:Issuer> + + </sp:IssuedToken> + </wsp:Policy> + </sp:SignedSupportingTokens> +<!-- + The sp:Wss11 element declares WSS: SOAP Message Security 1.1 options + to be supported by the STS. These particular elements generally refer + to how keys are referenced within the SOAP envelope. These are normal= ly + handled by CXF. +--> + <sp:Wss11> + <wsp:Policy> + <sp:MustSupportRefIssuerSerial /> + <sp:MustSupportRefThumbprint /> + <sp:MustSupportRefEncryptedKey /> + </wsp:Policy> + </sp:Wss11> +<!-- + The sp:Trust13 element declares controls for WS-Trust 1.3 options. + They are policy assertions related to exchanges specifically with + client and server challenges and entropy behaviors. Again these are + normally handled by CXF. 
+--> + <sp:Trust13> + <wsp:Policy> + <sp:MustSupportIssuedTokens /> + <sp:RequireClientEntropy /> + <sp:RequireServerEntropy /> + </wsp:Policy> + </sp:Trust13> + </wsp:All> + </wsp:ExactlyOne> + </wsp:Policy> + +</definitions> + + +
+
+ = + SSL configuration + This web service is using https, therefore the JBoss ser= ver must be configured to provide SSL support in the Web subsystem. There = are 2 components to SSL configuration. + + + create a certificate keystore + + + declare an SSL connector in the Web subsystem of the= JBoss server configuration file. + + + + Follow the directions in the, " + Using the pure Java implementatio= n supplied by JSSE + " section in the + SSL Setup Guide + . + + Here is an example of an SSL connector declaration. + + +<subsystem xmlns=3D"urn:jboss:domain:web:1.4" default-virtual-server=3D= "default-host" native=3D"false"> + ..... + <connector name=3D"jbws-https-connector" protocol=3D"HTTP/1.1" scheme= =3D"https" socket-binding=3D"https" secure=3D"true" enabled=3D"true"> + <ssl key-alias=3D"tomcat" password=3D"changeit" certificate-key-fil= e=3D"/myJbossHome/security/test.keystore" verify-client=3D"false"/> + </connector> + ... + + +
+
+ = + Web service Interface + The web service provider interface class, BearerIface, i= s a simple straight forward web service definition. + + +package org.jboss.test.ws.jaxws.samples.wsse.policy.trust.bearer; + +import javax.jws.WebMethod; +import javax.jws.WebService; + +(a)WebService +( + targetNamespace =3D "http://www.jboss.org/jbossws/ws-extensions/bearerw= ssecuritypolicy" +) +public interface BearerIface +{ + @WebMethod + String sayHello(); +} + + +
+
+ = + Web service Implementation + + The web service provider implementation class, BearerImpl, i= s a simple POJO. It uses the standard WebService annotation to define the= service endpoint. In addition there are two Apache CXF annotations, Endp= ointProperties and EndpointProperty used for configuring the endpoint for = the CXF runtime. These annotations come from the + Apache WSS4J pro= ject + , which provides a Java implementation of the primary WS-Se= curity standards for Web Services. These annotations are programmatically = adding properties to the endpoint. With plain Apache CXF, these properties= are often set via the <jaxws:properties> element on the <jaxws= :endpoint> element in the Spring config; these annotations allow the = properties to be configured in the code. + + WSS4J uses the Crypto interface to get keys and certifi= cates for signature creation/verification, as is asserted by the WSDL for = this service. The WSS4J configuration information being provided by Beare= rImpl is for Crypto's Merlin implementation. More information will be pro= vided about this in the keystore section. + Because the web service provider automatically trusts t= hat the incoming SOAP request came from the subject defined in the SAML to= ken there is no need for a Crypto callbackHandler class or a signature use= rname, unlike in prior examples, however in order to verify the message si= gnature, the Java properties file that contains the (Merlin) crypto config= uration information is still required. 
+ + +package org.jboss.test.ws.jaxws.samples.wsse.policy.trust.bearer; + +import org.apache.cxf.annotations.EndpointProperties; +import org.apache.cxf.annotations.EndpointProperty; + +import javax.jws.WebService; + +(a)WebService +( + portName =3D "BearerServicePort", + serviceName =3D "BearerService", + wsdlLocation =3D "WEB-INF/wsdl/BearerService.wsdl", + targetNamespace =3D "http://www.jboss.org/jbossws/ws-extensions/bearerw= ssecuritypolicy", + endpointInterface =3D "org.jboss.test.ws.jaxws.samples.wsse.policy.trus= t.bearer.BearerIface" +) +(a)EndpointProperties(value =3D { + @EndpointProperty(key =3D "ws-security.signature.properties", value =3D= "serviceKeystore.properties") +}) +public class BearerImpl implements BearerIface +{ + public String sayHello() + { + return "Bearer WS-Trust Hello World!"; + } +} + + +
+
+ = + Crypto properties and keystore files + WSS4J's Crypto implementation is loaded and configured v= ia a Java properties file that contains Crypto configuration data. The f= ile contains implementation-specific properties such as a keystore locati= on, password, default alias and the like. This application is using the = Merlin implementation. File serviceKeystore.properties contains this in= formation. + + File servicestore.jks, is a Java KeyStore (JKS) repository.= It contains self signed certificates for myservicekey and mystskey. + Self signed certificates are not = appropriate for production use. + + + +org.apache.ws.security.crypto.provider=3Dorg.apache.ws.security.components= .crypto.Merlin +org.apache.ws.security.crypto.merlin.keystore.type=3Djks +org.apache.ws.security.crypto.merlin.keystore.password=3Dsspass +org.apache.ws.security.crypto.merlin.keystore.alias=3Dmyservicekey +org.apache.ws.security.crypto.merlin.keystore.file=3Dservicestore.jks + + +
+
+ = + MANIFEST.MF + When deployed on WildFly this application requires acc= ess to the JBossWs and CXF APIs provided in module org.jboss.ws.cxf.jboss= ws-cxf-client. The dependency statement directs the server to provide the= m at deployment. + + +Manifest-Version: 1.0 =C2=A0 +Ant-Version: Apache Ant 1.8.2 =C2=A0 +Created-By: 1.7.0_25-b15 (Oracle Corporation) =C2=A0 +Dependencies: org.jboss.ws.cxf.jbossws-cxf-client + + +
+
+
+ = + Bearer Security Token Service + This section examines the crucial elements in providing th= e Security Token Service functionality for providing a SAML Bearer token. = The components that will be discussed are. + + + Security Domain + + + STS's WSDL + + + STS's implementation class + + + STSBearerCallbackHandler + + + Crypto properties and keystore files + + + + MANIFEST.MF + = + + + +
+ = + Security Domain + The STS requires a JBoss security domain be configured. = The jboss-web.xml descriptor declares a named security domain,"JBossWS-t= rust-sts" to be used by this service for authentication. This security do= main requires two properties files and the addition of a security-domain d= eclaration in the JBoss server configuration file. + + For this scenario the domain needs to contain user + alice + , password + clarinet + , and role + friend + . See the listings below for jbossws-users.properties and = jbossws-roles.properties. In addition the following XML must be added to = the JBoss security subsystem in the server configuration file. Replace " + SOME_PATH + " with appropriate information. + + + +<security-domain name=3D"JBossWS-trust-sts"> +=C2=A0 <authentication> +=C2=A0=C2=A0=C2=A0 <login-module code=3D"UsersRoles" flag=3D"required"&= gt; +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <module-option name=3D"usersProperties" = value=3D"/SOME_PATH/jbossws-users.properties"/> +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <module-option name=3D"unauthenticatedId= entity" value=3D"anonymous"/> +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <module-option name=3D"rolesProperties" = value=3D"/SOME_PATH/jbossws-roles.properties"/> +=C2=A0=C2=A0=C2=A0 </login-module> +=C2=A0 </authentication> +</security-domain> + + + jboss-web.xml + + +<?xml version=3D"1.0" encoding=3D"UTF-8"?> =C2=A0 +<!DOCTYPE jboss-web PUBLIC "-//JBoss//DTD Web Application 2.4//EN" ">= ; =C2=A0 +<jboss-web> =C2=A0 +=C2=A0 <security-domain>java:/jaas/JBossWS-trust-sts</security-do= main> =C2=A0 +</jboss-web> + + + jbossws-users.properties + + +# A sample users.properties file for use with the UsersRolesLoginModule = =C2=A0 +alice=3Dclarinet + + + jbossws-roles.properties + + +# A sample roles.properties file for use with the UsersRolesLoginModule = =C2=A0 +alice=3Dfriend + + +
+
+ = + STS's WSDL + + +<?xml version=3D"1.0" encoding=3D"UTF-8"?> +<wsdl:definitions + targetNamespace=3D"http://docs.oasis-open.org/ws-sx/ws-trust/200512/" + xmlns:tns=3D"http://docs.oasis-open.org/ws-sx/ws-trust/200512/" + xmlns:wstrust=3D"http://docs.oasis-open.org/ws-sx/ws-trust/200512/" + xmlns:wsdl=3D"http://schemas.xmlsoap.org/wsdl/" + xmlns:soap=3D"http://schemas.xmlsoap.org/wsdl/soap/" + xmlns:wsap10=3D"http://www.w3.org/2006/05/addressing/wsdl" + xmlns:wsu=3D"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wss= ecurity-utility-1.0.xsd" + xmlns:wsp=3D"http://www.w3.org/ns/ws-policy" + xmlns:wst=3D"http://docs.oasis-open.org/ws-sx/ws-trust/200512" + xmlns:xs=3D"http://www.w3.org/2001/XMLSchema" + xmlns:wsam=3D"http://www.w3.org/2007/05/addressing/metadata"> + + <wsdl:types> + <xs:schema elementFormDefault=3D"qualified" + targetNamespace=3D'http://docs.oasis-open.org/ws-sx/ws-trus= t/200512'> + + <xs:element name=3D'RequestSecurityToken' + type=3D'wst:AbstractRequestSecurityTokenType'/> + <xs:element name=3D'RequestSecurityTokenResponse' + type=3D'wst:AbstractRequestSecurityTokenType'/> + + <xs:complexType name=3D'AbstractRequestSecurityTokenType'> + <xs:sequence> + <xs:any namespace=3D'##any' processContents=3D'lax' minOccurs= =3D'0' + maxOccurs=3D'unbounded'/> + </xs:sequence> + <xs:attribute name=3D'Context' type=3D'xs:anyURI' use=3D'option= al'/> + <xs:anyAttribute namespace=3D'##other' processContents=3D'lax'/= > + </xs:complexType> + <xs:element name=3D'RequestSecurityTokenCollection' + type=3D'wst:RequestSecurityTokenCollectionType'/> + <xs:complexType name=3D'RequestSecurityTokenCollectionType'> + <xs:sequence> + <xs:element name=3D'RequestSecurityToken' + type=3D'wst:AbstractRequestSecurityTokenType' minOcc= urs=3D'2' + maxOccurs=3D'unbounded'/> + </xs:sequence> + </xs:complexType> + + <xs:element name=3D'RequestSecurityTokenResponseCollection' + type=3D'wst:RequestSecurityTokenResponseCollectionType'/= > + <xs:complexType 
name=3D'RequestSecurityTokenResponseCollectionTyp= e'> + <xs:sequence> + <xs:element ref=3D'wst:RequestSecurityTokenResponse' minOccur= s=3D'1' + maxOccurs=3D'unbounded'/> + </xs:sequence> + <xs:anyAttribute namespace=3D'##other' processContents=3D'lax'/= > + </xs:complexType> + + </xs:schema> + </wsdl:types> + + <!-- WS-Trust defines the following GEDs --> + <wsdl:message name=3D"RequestSecurityTokenMsg"> + <wsdl:part name=3D"request" element=3D"wst:RequestSecurityToken"/&g= t; + </wsdl:message> + <wsdl:message name=3D"RequestSecurityTokenResponseMsg"> + <wsdl:part name=3D"response" + element=3D"wst:RequestSecurityTokenResponse"/> + </wsdl:message> + <wsdl:message name=3D"RequestSecurityTokenCollectionMsg"> + <wsdl:part name=3D"requestCollection" + element=3D"wst:RequestSecurityTokenCollection"/> + </wsdl:message> + <wsdl:message name=3D"RequestSecurityTokenResponseCollectionMsg"> + <wsdl:part name=3D"responseCollection" + element=3D"wst:RequestSecurityTokenResponseCollection"/> + </wsdl:message> + + <!-- This portType an example of a Requestor (or other) endpoint that + Accepts SOAP-based challenges from a Security Token Service --> + <wsdl:portType name=3D"WSSecurityRequestor"> + <wsdl:operation name=3D"Challenge"> + <wsdl:input message=3D"tns:RequestSecurityTokenResponseMsg"/> + <wsdl:output message=3D"tns:RequestSecurityTokenResponseMsg"/> + </wsdl:operation> + </wsdl:portType> + + <!-- This portType is an example of an STS supporting full protocol -= -> + <!-- + The wsdl:portType and data types are XML elements defined by the + WS_Trust specification. The wsdl:portType defines the endpoints + supported in the STS implementation. This WSDL defines all operatio= ns + that an STS implementation can support. 
+ --> + <wsdl:portType name=3D"STS"> + <wsdl:operation name=3D"Cancel"> + <wsdl:input + wsam:Action=3D"http://docs.oasis-open.org/ws-sx/ws-trust/200512/RS= T/Cancel" + message=3D"tns:RequestSecurityTokenMsg"/> + <wsdl:output + wsam:Action=3D"http://docs.oasis-open.org/ws-sx/ws-trust/200512/RS= TR/CancelFinal" + message=3D"tns:RequestSecurityTokenResponseMsg"/> + </wsdl:operation> + <wsdl:operation name=3D"Issue"> + <wsdl:input + wsam:Action=3D"http://docs.oasis-open.org/ws-sx/ws-trust/200512/RS= T/Issue" + message=3D"tns:RequestSecurityTokenMsg"/> + <wsdl:output + wsam:Action=3D"http://docs.oasis-open.org/ws-sx/ws-trust/200512/RS= TRC/IssueFinal" + message=3D"tns:RequestSecurityTokenResponseCollectionMsg"/> + </wsdl:operation> + <wsdl:operation name=3D"Renew"> + <wsdl:input + wsam:Action=3D"http://docs.oasis-open.org/ws-sx/ws-trust/200512/RS= T/Renew" + message=3D"tns:RequestSecurityTokenMsg"/> + <wsdl:output + wsam:Action=3D"http://docs.oasis-open.org/ws-sx/ws-trust/200512/RS= TR/RenewFinal" + message=3D"tns:RequestSecurityTokenResponseMsg"/> + </wsdl:operation> + <wsdl:operation name=3D"Validate"> + <wsdl:input + wsam:Action=3D"http://docs.oasis-open.org/ws-sx/ws-trust/200512/RS= T/Validate" + message=3D"tns:RequestSecurityTokenMsg"/> + <wsdl:output + wsam:Action=3D"http://docs.oasis-open.org/ws-sx/ws-trust/200512/RS= TR/ValidateFinal" + message=3D"tns:RequestSecurityTokenResponseMsg"/> + </wsdl:operation> + <wsdl:operation name=3D"KeyExchangeToken"> + <wsdl:input + wsam:Action=3D"http://docs.oasis-open.org/ws-sx/ws-trust/200512/RS= T/KET" + message=3D"tns:RequestSecurityTokenMsg"/> + <wsdl:output + wsam:Action=3D"http://docs.oasis-open.org/ws-sx/ws-trust/200512/RS= TR/KETFinal" + message=3D"tns:RequestSecurityTokenResponseMsg"/> + </wsdl:operation> + <wsdl:operation name=3D"RequestCollection"> + <wsdl:input message=3D"tns:RequestSecurityTokenCollectionMsg"/> + <wsdl:output message=3D"tns:RequestSecurityTokenResponseCollectio= nMsg"/> + </wsdl:operation> + 
</wsdl:portType> + + <!-- This portType is an example of an endpoint that accepts + Unsolicited RequestSecurityTokenResponse messages --> + <wsdl:portType name=3D"SecurityTokenResponseService"> + <wsdl:operation name=3D"RequestSecurityTokenResponse"> + <wsdl:input message=3D"tns:RequestSecurityTokenResponseMsg"/> + </wsdl:operation> + </wsdl:portType> + + <!-- + The wsp:PolicyReference binds the security requirments on all the ST= S endpoints. + The wsp:Policy wsu:Id=3D"UT_policy" element is later in this file. + --> + <wsdl:binding name=3D"UT_Binding" type=3D"wstrust:STS"> + <wsp:PolicyReference URI=3D"#UT_policy"/> + <soap:binding style=3D"document" + transport=3D"http://schemas.xmlsoap.org/soap/http"/> + <wsdl:operation name=3D"Issue"> + <soap:operation + soapAction=3D"http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST= /Issue"/> + <wsdl:input> + <wsp:PolicyReference + URI=3D"#Input_policy"/> + <soap:body use=3D"literal"/> + </wsdl:input> + <wsdl:output> + <wsp:PolicyReference + URI=3D"#Output_policy"/> + <soap:body use=3D"literal"/> + </wsdl:output> + </wsdl:operation> + <wsdl:operation name=3D"Validate"> + <soap:operation + soapAction=3D"http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST= /Validate"/> + <wsdl:input> + <wsp:PolicyReference + URI=3D"#Input_policy"/> + <soap:body use=3D"literal"/> + </wsdl:input> + <wsdl:output> + <wsp:PolicyReference + URI=3D"#Output_policy"/> + <soap:body use=3D"literal"/> + </wsdl:output> + </wsdl:operation> + <wsdl:operation name=3D"Cancel"> + <soap:operation + soapAction=3D"http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST= /Cancel"/> + <wsdl:input> + <soap:body use=3D"literal"/> + </wsdl:input> + <wsdl:output> + <soap:body use=3D"literal"/> + </wsdl:output> + </wsdl:operation> + <wsdl:operation name=3D"Renew"> + <soap:operation + soapAction=3D"http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST= /Renew"/> + <wsdl:input> + <soap:body use=3D"literal"/> + </wsdl:input> + <wsdl:output> + <soap:body use=3D"literal"/> + 
</wsdl:output> + </wsdl:operation> + <wsdl:operation name=3D"KeyExchangeToken"> + <soap:operation + soapAction=3D"http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST= /KeyExchangeToken"/> + <wsdl:input> + <soap:body use=3D"literal"/> + </wsdl:input> + <wsdl:output> + <soap:body use=3D"literal"/> + </wsdl:output> + </wsdl:operation> + <wsdl:operation name=3D"RequestCollection"> + <soap:operation + soapAction=3D"http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST= /RequestCollection"/> + <wsdl:input> + <soap:body use=3D"literal"/> + </wsdl:input> + <wsdl:output> + <soap:body use=3D"literal"/> + </wsdl:output> + </wsdl:operation> + </wsdl:binding> + + <wsdl:service name=3D"SecurityTokenService"> + <wsdl:port name=3D"UT_Port" binding=3D"tns:UT_Binding"> + <soap:address location=3D"http://localhost:8080/SecurityTokenServ= ice/UT"/> + </wsdl:port> + </wsdl:service> + + + <wsp:Policy wsu:Id=3D"UT_policy"> + <wsp:ExactlyOne> + <wsp:All> + <!-- + The sp:UsingAddressing element, indicates that the endpoints o= f this + web service conforms to the WS-Addressing specification. More= detail + can be found here: [http://www.w3.org/TR/2006/CR-ws-addr-wsdl-= 20060529] + --> + <wsap10:UsingAddressing/> + <!-- + The sp:SymmetricBinding element indicates that security is pro= vided + at the SOAP layer and any initiator must authenticate itself b= y providing + WSS UsernameToken credentials. + --> + <sp:SymmetricBinding + xmlns:sp=3D"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/2= 00702"> + <wsp:Policy> + <!-- + In a symmetric binding, the keys used for encrypting and s= igning in both + directions are derived from a single key, the one specifie= d by the + sp:ProtectionToken element. 
The sp:X509Token sub-element = declares this + key to be a X.509 certificate and the + IncludeToken=3D"http://docs.oasis-open.org/ws-sx/ws-securi= typolicy/200702/IncludeToken/Never" + attribute adds the requirement that the token MUST NOT be = included in + any messages sent between the initiator and the recipient;= rather, an + external reference to the token should be used. Lastly th= e WssX509V3Token10 + sub-element declares that the Username token presented by = the initiator + should be compliant with Web Services Security UsernameTok= en Profile + 1.0 specification. [ http://docs.oasis-open.org/wss/2004/0= 1/oasis-200401-wss-username-token-profile-1.0.pdf ] + --> + <sp:ProtectionToken> + <wsp:Policy> + <sp:X509Token + sp:IncludeToken=3D"http://docs.oasis-open.org/ws-sx/ws-s= ecuritypolicy/200702/IncludeToken/Never"> + <wsp:Policy> + <sp:RequireDerivedKeys/> + <sp:RequireThumbprintReference/> + <sp:WssX509V3Token10/> + </wsp:Policy> + </sp:X509Token> + </wsp:Policy> + </sp:ProtectionToken> + <!-- + The sp:AlgorithmSuite element, requires the Basic256 algor= ithm suite + be used in performing cryptographic operations. + --> + <sp:AlgorithmSuite> + <wsp:Policy> + <sp:Basic256/> + </wsp:Policy> + </sp:AlgorithmSuite> + <!-- + The sp:Layout element, indicates the layout rules to appl= y when adding + items to the security header. The sp:Lax sub-element indi= cates items + are added to the security header in any order that conform= s to + WSS: SOAP Message Security. + --> + <sp:Layout> + <wsp:Policy> + <sp:Lax/> + </wsp:Policy> + </sp:Layout> + <sp:IncludeTimestamp/> + <sp:EncryptSignature/> + <sp:OnlySignEntireHeadersAndBody/> + </wsp:Policy> + </sp:SymmetricBinding> + + <!-- + The sp:SignedSupportingTokens element declares that the securi= ty header + of messages must contain a sp:UsernameToken and the token must= be signed. 
+ The attribute IncludeToken=3D"http://docs.oasis-open.org/ws-sx= /ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient" + on sp:UsernameToken indicates that the token MUST be included = in all + messages sent from initiator to the recipient and that the tok= en MUST + NOT be included in messages sent from the recipient to the ini= tiator. + And finally the element sp:WssUsernameToken10 is a policy asse= rtion + indicating the Username token should be as defined in Web Ser= vices + Security UsernameToken Profile 1.0 + --> + <sp:SignedSupportingTokens + xmlns:sp=3D"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/2= 00702"> + <wsp:Policy> + <sp:UsernameToken + sp:IncludeToken=3D"http://docs.oasis-open.org/ws-sx/ws-secur= itypolicy/200702/IncludeToken/AlwaysToRecipient"> + <wsp:Policy> + <sp:WssUsernameToken10/> + </wsp:Policy> + </sp:UsernameToken> + </wsp:Policy> + </sp:SignedSupportingTokens> + <!-- + The sp:Wss11 element declares WSS: SOAP Message Security 1.1 o= ptions + to be supported by the STS. These particular elements general= ly refer + to how keys are referenced within the SOAP envelope. These ar= e normally + handled by CXF. + --> + <sp:Wss11 + xmlns:sp=3D"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/2= 00702"> + <wsp:Policy> + <sp:MustSupportRefKeyIdentifier/> + <sp:MustSupportRefIssuerSerial/> + <sp:MustSupportRefThumbprint/> + <sp:MustSupportRefEncryptedKey/> + </wsp:Policy> + </sp:Wss11> + <!-- + The sp:Trust13 element declares controls for WS-Trust 1.3 opti= ons. + They are policy assertions related to exchanges specifically w= ith + client and server challenges and entropy behaviors. Again the= se are + normally handled by CXF. 
+ --> + <sp:Trust13 + xmlns:sp=3D"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/2= 00702"> + <wsp:Policy> + <sp:MustSupportIssuedTokens/> + <sp:RequireClientEntropy/> + <sp:RequireServerEntropy/> + </wsp:Policy> + </sp:Trust13> + </wsp:All> + </wsp:ExactlyOne> + </wsp:Policy> + + <wsp:Policy wsu:Id=3D"Input_policy"> + <wsp:ExactlyOne> + <wsp:All> + <sp:SignedParts + xmlns:sp=3D"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/2= 00702"> + <sp:Body/> + <sp:Header Name=3D"To" + Namespace=3D"http://www.w3.org/2005/08/addressing"/&g= t; + <sp:Header Name=3D"From" + Namespace=3D"http://www.w3.org/2005/08/addressing"/&g= t; + <sp:Header Name=3D"FaultTo" + Namespace=3D"http://www.w3.org/2005/08/addressing"/&g= t; + <sp:Header Name=3D"ReplyTo" + Namespace=3D"http://www.w3.org/2005/08/addressing"/&g= t; + <sp:Header Name=3D"MessageID" + Namespace=3D"http://www.w3.org/2005/08/addressing"/&g= t; + <sp:Header Name=3D"RelatesTo" + Namespace=3D"http://www.w3.org/2005/08/addressing"/&g= t; + <sp:Header Name=3D"Action" + Namespace=3D"http://www.w3.org/2005/08/addressing"/&g= t; + </sp:SignedParts> + </wsp:All> + </wsp:ExactlyOne> + </wsp:Policy> + + <wsp:Policy wsu:Id=3D"Output_policy"> + <wsp:ExactlyOne> + <wsp:All> + <sp:SignedParts + xmlns:sp=3D"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/2= 00702"> + <sp:Body/> + <sp:Header Name=3D"To" + Namespace=3D"http://www.w3.org/2005/08/addressing"/&g= t; + <sp:Header Name=3D"From" + Namespace=3D"http://www.w3.org/2005/08/addressing"/&g= t; + <sp:Header Name=3D"FaultTo" + Namespace=3D"http://www.w3.org/2005/08/addressing"/&g= t; + <sp:Header Name=3D"ReplyTo" + Namespace=3D"http://www.w3.org/2005/08/addressing"/&g= t; + <sp:Header Name=3D"MessageID" + Namespace=3D"http://www.w3.org/2005/08/addressing"/&g= t; + <sp:Header Name=3D"RelatesTo" + Namespace=3D"http://www.w3.org/2005/08/addressing"/&g= t; + <sp:Header Name=3D"Action" + Namespace=3D"http://www.w3.org/2005/08/addressing"/&g= t; + </sp:SignedParts> + </wsp:All> + 
</wsp:ExactlyOne> + </wsp:Policy> + +</wsdl:definitions> + + +
+
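Review bot: the comment above the sp:ProtectionToken block misattributes sp:WssX509V3Token10: it says the sub-element "declares that the Username token presented by the initiator should be compliant with Web Services Security UsernameToken Profile 1.0", but WssX509V3Token10 is the X.509 Token Profile assertion for the sp:X509Token protection token; the UsernameToken Profile assertion is the sp:WssUsernameToken10 that appears later under sp:SignedSupportingTokens. The same comment names the element "sp:UsingAddressing" while the listing uses `<wsap10:UsingAddressing/>`, and "requirments" in the binding comment should be "requirements". One more point worth a sentence in the text: Input_policy and Output_policy contain only sp:SignedParts (no sp:EncryptedParts), the UsernameToken is placed under sp:SignedSupportingTokens rather than sp:SignedEncryptedSupportingTokens, and the UT_Port address is plain http://localhost:8080, so the sample gives the username token integrity protection but nothing in the policy asserts its confidentiality on the wire; the "not appropriate for production use" admonition used for the self-signed certificates later in this patch would fit here as well.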
+ = + STS's implementation class + + The Apache CXF's STS, SecurityTokenServiceProvider, is a web= service provider that is compliant with the protocols and functionality = defined by the WS-Trust specification. It has a modular architecture. Ma= ny of its components are configurable or replaceable and there are many = optional features that are enabled by implementing and configuring plug-= ins. Users can customize their own STS by extending from SecurityTokenSe= rviceProvider and overriding the default settings. Extensive information= about the CXF's STS configurable and pluggable components can be found + here + . + + This STS implementation class, SampleSTSBearer, is a POJ= O that extends from SecurityTokenServiceProvider. Note that the class is= defined with a WebServiceProvider annotation and not a WebService annot= ation. This annotation defines the service as a Provider-based endpoint,= meaning it supports a more messaging-oriented approach to Web services. = In particular, it signals that the exchanged messages will be XML docum= ents of some type. SecurityTokenServiceProvider is an implementation of = the javax.xml.ws.Provider interface. In comparison the WebService annota= tion defines a (service endpoint interface) SEI-based endpoint which supp= orts message exchange via SOAP envelopes. + As was done in the BearerImpl class, the WSS4J annotati= ons EndpointProperties and EndpointProperty are providing endpoint confi= guration for the CXF runtime. The first EndpointProperty statement in the= listing is declaring the user's name to use for the message signature. = It is used as the alias name in the keystore to get the user's cert and p= rivate key for signature. The next two EndpointProperty statements declar= es the Java properties file that contains the (Merlin) crypto configurati= on information. In this case both for signing and encrypting the messag= es. WSS4J reads this file and extra required information for message han= dling. 
The last EndpointProperty statement declares the STSBearerCallbackH= andler implementation class. It is used to obtain the user's password fo= r the certificates in the keystore file. + In this implementation we are customizing the operations= of token issuance, token validation and their static properties. + StaticSTSProperties is used to set select properties for= configuring resources in the STS. You may think this is a duplication o= f the settings made with the WSS4J annotations. The values are the same = but the underlaying structures being set are different, thus this inform= ation must be declared in both places. + The setIssuer setting is important because it uniquely = identifies the issuing STS. The issuer string is embedded in issued toke= ns and, when validating tokens, the STS checks the issuer string value. = Consequently, it is important to use the issuer string in a consistent w= ay, so that the STS can recognize the tokens that it has issued. + The setEndpoints call allows the declaration of a set o= f allowed token recipients by address. The addresses are specified as re= g-ex patterns. + TokenIssueOperation has a modular structure. This all= ows custom behaviors to be injected into the processing of messages. In = this case we are overriding the SecurityTokenServiceProvider's default be= havior and performing SAML token processing. CXF provides an implementat= ion of a SAMLTokenProvider which we are using rather than writing our o= wn. + + Learn more about the SAMLTokenProvider + here + . 
+ + + +package org.jboss.test.ws.jaxws.samples.wsse.policy.trust.stsbearer; + +import org.apache.cxf.annotations.EndpointProperties; +import org.apache.cxf.annotations.EndpointProperty; +import org.apache.cxf.sts.StaticSTSProperties; +import org.apache.cxf.sts.operation.TokenIssueOperation; +import org.apache.cxf.sts.service.ServiceMBean; +import org.apache.cxf.sts.service.StaticService; +import org.apache.cxf.sts.token.provider.SAMLTokenProvider; +import org.apache.cxf.ws.security.sts.provider.SecurityTokenServiceProvide= r; + +import javax.xml.ws.WebServiceProvider; +import java.util.Arrays; +import java.util.LinkedList; +import java.util.List; + +(a)WebServiceProvider(serviceName =3D "SecurityTokenService", + portName =3D "UT_Port", + targetNamespace =3D "http://docs.oasis-open.org/ws-sx/ws-trust/20051= 2/", + wsdlLocation =3D "WEB-INF/wsdl/bearer-ws-trust-1.4-service.wsdl") +//be sure to have dependency on org.apache.cxf module when on AS7, otherwi= se Apache CXF annotations are ignored +(a)EndpointProperties(value =3D { + @EndpointProperty(key =3D "ws-security.signature.username", value = =3D "mystskey"), + @EndpointProperty(key =3D "ws-security.signature.properties", value = =3D "stsKeystore.properties"), + @EndpointProperty(key =3D "ws-security.callback-handler", value =3D = "org.jboss.test.ws.jaxws.samples.wsse.policy.trust.stsbearer.STSBearerCallb= ackHandler") +}) +public class SampleSTSBearer extends SecurityTokenServiceProvider +{ + + public SampleSTSBearer() throws Exception + { + super(); + + StaticSTSProperties props =3D new StaticSTSProperties(); + props.setSignatureCryptoProperties("stsKeystore.properties"); + props.setSignatureUsername("mystskey"); + props.setCallbackHandlerClass(STSBearerCallbackHandler.class.getName= ()); + props.setEncryptionCryptoProperties("stsKeystore.properties"); + props.setEncryptionUsername("myservicekey"); + props.setIssuer("DoubleItSTSIssuer"); + + List<ServiceMBean> services =3D new LinkedList<ServiceMBean= >(); + 
StaticService service =3D new StaticService(); + service.setEndpoints(Arrays.asList( + "https://localhost:(\\d)*/jaxws-samples-wsse-policy-trust-bearer/= BearerService", + "https://\\[::1\\]:(\\d)*/jaxws-samples-wsse-policy-trust-bearer/= BearerService", + "https://\\[0:0:0:0:0:0:0:1\\]:(\\d)*/jaxws-samples-wsse-policy-t= rust-bearer/BearerService" + )); + services.add(service); + + TokenIssueOperation issueOperation =3D new TokenIssueOperation(); + issueOperation.getTokenProviders().add(new SAMLTokenProvider()); + issueOperation.setServices(services); + issueOperation.setStsProperties(props); + this.setIssueOperation(issueOperation); + } +} + + +
+
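Review bot: the prose in the "STS's implementation class" section does not match the SampleSTSBearer listing: it says "The next two EndpointProperty statements declares the Java properties file ... both for signing and encrypting the messages", but the @EndpointProperties block carries only three entries, ws-security.signature.username, ws-security.signature.properties and ws-security.callback-handler; the encryption side (setEncryptionCryptoProperties, setEncryptionUsername("myservicekey")) is configured only through StaticSTSProperties in the constructor. Suggest rewording to "The next EndpointProperty statement declares ..." and stating that encryption is set up via StaticSTSProperties. Minor: "WSS4J reads this file and extra required information" reads as if "extracts" was intended, and "underlaying" should be "underlying".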
+ = + STSBearerCallbackHandler + STSBearerCallbackHandler is a callback handler for the W= SS4J Crypto API. It is used to obtain the password for the private key i= n the keystore. This class enables CXF to retrieve the password of the u= ser name to use for the message signature. + + +package org.jboss.test.ws.jaxws.samples.wsse.policy.trust.stsbearer; + +import org.jboss.wsf.stack.cxf.extensions.security.PasswordCallbackHandler; + +import java.util.HashMap; +import java.util.Map; + +public class STSBearerCallbackHandler extends PasswordCallbackHandler +{ + public STSBearerCallbackHandler() + { + super(getInitMap()); + } + + private static Map<String, String> getInitMap() + { + Map<String, String> passwords =3D new HashMap<String, Strin= g>(); + passwords.put("mystskey", "stskpass"); + passwords.put("alice", "clarinet"); + return passwords; + } +} + + +
+
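Review bot: the STSBearerCallbackHandler listing hard-codes both the STS private-key password ("mystskey", "stskpass") and the WSS username password ("alice", "clarinet") as string literals, and the surrounding text does not say this is sample-only. Since the patch already adds a "Self signed certificates are not appropriate for production use." admonition for the keystores, a matching sentence here (passwords should be obtained from a protected source rather than embedded in source code) would stop readers from copying the pattern. The text also says the handler returns "the password for the private key"; it would be clearer to add that the "alice" entry is the WSS UsernameToken password, a different credential from the key password.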
+ = + Crypto properties and keystore files + WSS4J's Crypto implementation is loaded and configured v= ia a Java properties file that contains Crypto configuration data. The f= ile contains implementation-specific properties such as a keystore locati= on, password, default alias and the like. This application is using the = Merlin implementation. File stsKeystore.properties contains this inform= ation. + + File servicestore.jks, is a Java KeyStore (JKS) repository.= It contains self signed certificates for myservicekey and mystskey. + Self signed certificates are not = appropriate for production use. + + + +org.apache.ws.security.crypto.provider=3Dorg.apache.ws.security.components= .crypto.Merlin =C2=A0 +org.apache.ws.security.crypto.merlin.keystore.type=3Djks +org.apache.ws.security.crypto.merlin.keystore.password=3Dstsspass +org.apache.ws.security.crypto.merlin.keystore.file=3Dstsstore.jks + + +
+
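Review bot: the file name in the prose and in the properties listing disagree: the text says "File servicestore.jks, is a Java KeyStore", but the listing points at `org.apache.ws.security.crypto.merlin.keystore.file=stsstore.jks`. One of them should be corrected (the mystskey/myservicekey aliases suggest stsstore.jks is the STS keystore). Also the first property line ends with a non-breaking space (`=C2=A0` in the encoded mail); java.util.Properties keeps trailing characters in the value, so copying the line as-is appends U+00A0 to the Merlin provider class name and the Crypto load fails. Drop the trailing character.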
+ = + MANIFEST.MF + + When deployed on WildFly, this application requires access= to the JBossWs and CXF APIs provided in modules org.jboss.ws.cxf.jbossws= -cxf-client and org.apache.cxf. The Apache CXF internals, org.apache.cxf= .impl, are needed to build the STS configuration in the + SampleSTS + constructor. The dependency statement directs the server to= provide them at deployment. + + + +Manifest-Version: 1.0 =C2=A0 +Ant-Version: Apache Ant 1.8.2 =C2=A0 +Created-By: 1.7.0_25-b15 (Oracle Corporation) =C2=A0 +Dependencies: org.jboss.ws.cxf.jbossws-cxf-client,org.apache.cxf.impl + + +
+
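Review bot: the MANIFEST.MF section refers to "the SampleSTS constructor", but the class added in this patch is SampleSTSBearer; please align the name. The three header lines before Dependencies also carry a trailing non-breaking space (`=C2=A0`), which should be stripped so the listing can be copied verbatim.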
+
+ = + Web service requester + This section examines the crucial elements in calling a we= b service that implements endpoint security as described in the SAML Bear= er scenario. The components that will be discussed are. + + + Web service requester's implementation + + + ClientCallbackHandler + + + Crypto properties and keystore files + + +
+ = + Web service requester Implementation + The ws-requester, the client, uses standard procedures f= or creating a reference to the web service. To address the endpoint se= curity requirements, the web service's "Request Context" is configured wit= h the information needed in message generation. In addition, the STSClie= nt that communicates with the STS is configured with similar values. Not= e the key strings ending with a ".it" suffix. This suffix flags these se= ttings as belonging to the STSClient. The internal CXF code assigns this= information to the STSClient that is auto-generated for this service cal= l. + There is an alternate method of setting up the STSCLien= t. The user may provide their own instance of the STSClient. The CXF co= de will use this object and not auto-generate one. When providing the S= TSClient in this way, the user must provide a org.apache.cxf.Bus for it a= nd the configuration keys must not have the ".it" suffix. This is used in= the ActAs and OnBehalfOf examples. 
+ + + String serviceURL =3D "https://" + getServerHost() + ":8443/jaxws-sample= s-wsse-policy-trust-bearer/BearerService"; + + final QName serviceName =3D new QName("http://www.jboss.org/jbossws/ws-e= xtensions/bearerwssecuritypolicy", "BearerService"); + Service service =3D Service.create(new URL(serviceURL + "?wsdl"), servic= eName); + BearerIface proxy =3D (BearerIface) service.getPort(BearerIface.class); + + Map<String, Object> ctx =3D ((BindingProvider)proxy).getRequestCon= text(); + + // set the security related configuration information for the service "r= equest" + ctx.put(SecurityConstants.CALLBACK_HANDLER, new ClientCallbackHandler()); + ctx.put(SecurityConstants.SIGNATURE_PROPERTIES, + Thread.currentThread().getContextClassLoader().getResource( + "META-INF/clientKeystore.properties")); + ctx.put(SecurityConstants.ENCRYPT_PROPERTIES, + Thread.currentThread().getContextClassLoader().getResource( + "META-INF/clientKeystore.properties")); + ctx.put(SecurityConstants.SIGNATURE_USERNAME, "myclientkey"); + ctx.put(SecurityConstants.ENCRYPT_USERNAME, "myservicekey"); + + //-- Configuration settings that will be transfered to the STSClient + // "alice" is the name provided for the WSS Username. Her password will + // be retreived from the ClientCallbackHander by the STSClient. 
+ ctx.put(SecurityConstants.USERNAME + ".it", "alice"); + ctx.put(SecurityConstants.CALLBACK_HANDLER + ".it", new ClientCallbackHa= ndler()); + ctx.put(SecurityConstants.ENCRYPT_PROPERTIES + ".it", + Thread.currentThread().getContextClassLoader().getResource( + "META-INF/clientKeystore.properties")); + ctx.put(SecurityConstants.ENCRYPT_USERNAME + ".it", "mystskey"); + ctx.put(SecurityConstants.STS_TOKEN_USERNAME + ".it", "myclientkey"); + ctx.put(SecurityConstants.STS_TOKEN_PROPERTIES + ".it", + Thread.currentThread().getContextClassLoader().getResource( + "META-INF/clientKeystore.properties")); + ctx.put(SecurityConstants.STS_TOKEN_USE_CERT_FOR_KEYINFO + ".it", "true"= ); + + proxy.sayHello(); + + + +
+
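Review bot: typos in the requester section: "STSCLient" (STSClient), "transfered" (transferred) and "retreived" (retrieved) in the code comment. The snippet uses SecurityConstants, BindingProvider and getServerHost() without saying where they come from; naming the CXF class (org.apache.cxf.ws.security.SecurityConstants) once in the text would help, since the ".it" suffix convention the paragraph explains applies to that class's keys.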
+ = + ClientCallbackHandler + + + + ClientCallbackHandler is a callback handler for the WSS4= J Crypto API. It is used to obtain the password for the private key in t= he keystore. This class enables CXF to retrieve the password of the user= name to use for the message signature. Note that "alice" and her passwo= rd have been provided here. This information is not in the (JKS) keysto= re but provided in the WildFly security domain. It was declared in fil= e jbossws-users.properties. + + +package org.jboss.test.ws.jaxws.samples.wsse.policy.trust.shared; + +import java.io.IOException; +import javax.security.auth.callback.Callback; +import javax.security.auth.callback.CallbackHandler; +import javax.security.auth.callback.UnsupportedCallbackException; +import org.apache.ws.security.WSPasswordCallback; + +public class ClientCallbackHandler implements CallbackHandler { + +=C2=A0=C2=A0=C2=A0 public void handle(Callback[] callbacks) throws IOExcep= tion, +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Unsuppo= rtedCallbackException { +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 for (int i =3D 0; i < callba= cks.length; i++) { +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 if (cal= lbacks[i] instanceof WSPasswordCallback) { +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0 WSPasswordCallback pc =3D (WSPasswordCallback) callbacks= [i]; +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0 if ("myclientkey".equals(pc.getIdentifier())) { +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 pc.setPassword("ckpass"); +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 break; +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0 } else if ("alice".equals(pc.getIdentifier())) { 
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 pc.setPassword("clarinet"); +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 break; +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0 } else if ("bob".equals(pc.getIdentifier())) { +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 pc.setPassword("trombone"); +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 break; +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0 } else if ("myservicekey".equals(pc.getIdentifier())) {= =C2=A0 // rls test=C2=A0 added for bearer test +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 pc.setPassword("skpass"); +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 break; +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0 } +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 } +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 } +=C2=A0=C2=A0=C2=A0 } +} + + +
+
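Review bot: the ClientCallbackHandler listing is indented with non-breaking spaces (the runs of `=C2=A0` in the encoded mail) rather than regular spaces; javac rejects U+00A0 outside string literals with "illegal character", so the listing does not compile when pasted. Please re-indent with ASCII spaces. Two smaller points: the leftover developer comment "// rls test added for bearer test" on the myservicekey branch should be removed from release documentation, and, as with STSBearerCallbackHandler, the passwords ("ckpass", "clarinet", "trombone", "skpass") are literals in source and deserve the same sample-only caveat.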
+ = + Crypto properties and keystore files + + + + WSS4J's Crypto implementation is loaded and configured v= ia a Java properties file that contains Crypto configuration data. The f= ile contains implementation-specific properties such as a keystore locati= on, password, default alias and the like. This application is using the = Merlin implementation. File clientKeystore.properties contains this inf= ormation. + + File clientstore.jks, is a Java KeyStore (JKS) repository. = It contains self signed certificates for myservicekey and mystskey. + Self signed certificates are not = appropriate for production use. + + + +org.apache.ws.security.crypto.provider=3Dorg.apache.ws.security.components= .crypto.Merlin +org.apache.ws.security.crypto.merlin.keystore.type=3Djks +org.apache.ws.security.crypto.merlin.keystore.password=3Dcspass +org.apache.ws.security.crypto.merlin.keystore.alias=3Dmyclientkey +org.apache.ws.security.crypto.merlin.keystore.file=3DMETA-INF/clientstore.= jks + + +
+
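Review bot: the client "Crypto properties and keystore files" paragraph repeats the STS section verbatim and says clientstore.jks "contains self signed certificates for myservicekey and mystskey", yet the listing sets `org.apache.ws.security.crypto.merlin.keystore.alias=myclientkey` and the requester code signs as "myclientkey". The description should at least mention the client's own myclientkey entry (the key it signs with) alongside the service and STS certificates it trusts, and the alias list should be checked against the actual keystore.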
+
+
+ = + SAML Holder-Of-Key Assertion Scenario + + WS-Trust deals with managing software security tokens. A SAML = assertion is a type of security token. In the Holder-Of-Key method, the S= TS creates a SAML token containing the client's public key and signs the S= AML token with its private key. The client includes the SAML token and si= gns the outgoing soap envelope to the web service with its private key. T= he web service validates the SOAP message and the SAML token. + = + + Implementation of this scenario has the following requiremen= ts. + + + SAML tokens with a Holder-Of-Key subject confirmation m= ethod must be protected so the token can not be snooped. In most cases, = a Holder-Of-Key token combined with HTTPS is sufficient to prevent "a man = in the middle" getting possession of the token. This means a security pol= icy that uses a sp:TransportBinding and sp:HttpsToken. + + + A Holder-Of-Key token has no encryption or signing keys= associated with it, therefore a sp:IssuedToken of SymmetricKey or PublicK= ey keyType should be used with a sp:SignedEndorsingSupportingTokens. + + +
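Review bot: the two requirement bullets in the "SAML Holder-Of-Key Assertion Scenario" introduction read as if carried over from the Bearer scenario and contradict the paragraph above them. The text first says the STS "creates a SAML token containing the client's public key", then the second bullet says "A Holder-Of-Key token has no encryption or signing keys associated with it"; and the first bullet's rationale (HTTPS so the token "can not be snooped" by a man in the middle) is the Bearer argument, whereas a holder-of-key token is only usable by a party that can prove possession of the bound key. Suggest rewording the bullets to say that the token is bound to a key the requester must demonstrate possession of, which is why a SymmetricKey or PublicKey keyType with sp:SignedEndorsingSupportingTokens is used, and that the transport binding protects the exchange in transit.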
+ = + Web service Provider + This section examines the web service elements for the SAM= L Holder-Of-Key scenario. The components are + + + Web service provider's WSDL + + + SSL configuration + + + Web service provider's Interface and Implementation cl= asses. + + + Crypto properties and keystore files + + + MANIFEST.MF + + +
+ = + Web service provider WSDL + The web service provider is a contract-first endpoint. = All the WS-trust and security policies for it are declared in the WSDL, H= olderOfKeyService.wsdl. For this scenario a ws-requester is required to = present a SAML 2.0 token of SymmetricKey keyType, issued from a designed ST= S. The address of the STS is provided in the WSDL. A transport binding p= olicy is used. The token is declared to be signed and endorsed, sp:SignedE= ndorsingSupportingTokens. A detailed explanation of the security setting= s are provided in the comments in the listing below. + + +<?xml version=3D"1.0" encoding=3D"UTF-8" standalone=3D"yes"?> +<definitions targetNamespace=3D"http://www.jboss.org/jbossws/ws-extensi= ons/holderofkeywssecuritypolicy" + name=3D"HolderOfKeyService" + xmlns:tns=3D"http://www.jboss.org/jbossws/ws-extensions/holderofke= ywssecuritypolicy" + xmlns:xsd=3D"http://www.w3.org/2001/XMLSchema" + xmlns:soap=3D"http://schemas.xmlsoap.org/wsdl/soap/" + xmlns=3D"http://schemas.xmlsoap.org/wsdl/" + xmlns:wsp=3D"http://www.w3.org/ns/ws-policy" + xmlns:wsam=3D"http://www.w3.org/2007/05/addressing/metadata" + xmlns:wsu=3D"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-w= ssecurity-utility-1.0.xsd" + xmlns:wsaws=3D"http://www.w3.org/2005/08/addressing" + xmlns:wsx=3D"http://schemas.xmlsoap.org/ws/2004/09/mex" + xmlns:sp=3D"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702" + xmlns:t=3D"http://docs.oasis-open.org/ws-sx/ws-trust/200512"> + + <types> + <xsd:schema> + <xsd:import namespace=3D"http://www.jboss.org/jbossws/ws-extensio= ns/holderofkeywssecuritypolicy" + schemaLocation=3D"HolderOfKeyService_schema1.xsd"/> + </xsd:schema> + </types> + <message name=3D"sayHello"> + <part name=3D"parameters" element=3D"tns:sayHello"/> + </message> + <message name=3D"sayHelloResponse"> + <part name=3D"parameters" element=3D"tns:sayHelloResponse"/> + </message> + <portType name=3D"HolderOfKeyIface"> + <operation name=3D"sayHello"> + <input 
message=3D"tns:sayHello"/> + <output message=3D"tns:sayHelloResponse"/> + </operation> + </portType> +<!-- + The wsp:PolicyReference binds the security requirments on all the = endpoints. + The wsp:Policy wsu:Id=3D"#TransportSAML2HolderOfKeyPolicy" element= is defined later in this file. +--> + <binding name=3D"HolderOfKeyServicePortBinding" type=3D"tns:HolderOfK= eyIface"> + <wsp:PolicyReference URI=3D"#TransportSAML2HolderOfKeyPolicy" /> + <soap:binding transport=3D"http://schemas.xmlsoap.org/soap/http" st= yle=3D"document"/> + <operation name=3D"sayHello"> + <soap:operation soapAction=3D""/> + <input> + <soap:body use=3D"literal"/> + </input> + <output> + <soap:body use=3D"literal"/> + </output> + </operation> + </binding> +<!-- + The soap:address has been defined to use JBoss's https port, 8443. This= is + set in conjunction with the sp:TransportBinding policy for https. +--> + <service name=3D"HolderOfKeyService"> + <port name=3D"HolderOfKeyServicePort" binding=3D"tns:HolderOfKeySer= vicePortBinding"> + <soap:address location=3D"https://@jboss.bind.address@:8443/jaxws= -samples-wsse-policy-trust-holderofkey/HolderOfKeyService"/> + </port> + </service> + + + <wsp:Policy wsu:Id=3D"TransportSAML2HolderOfKeyPolicy"> + <wsp:ExactlyOne> + <wsp:All> + <!-- + The wsam:Addressing element, indicates that the endpoints of this + web service MUST conform to the WS-Addressing specification. The + attribute wsp:Optional=3D"false" enforces this assertion. + --> + <wsam:Addressing wsp:Optional=3D"false"> + <wsp:Policy /> + </wsam:Addressing> +<!-- + The sp:TransportBinding element indicates that security is provided by t= he + message exchange transport medium, https. WS-Security policy specificat= ion + defines the sp:HttpsToken for use in exchanging messages transmitted ove= r HTTPS. 
+--> + <sp:TransportBinding + xmlns:sp=3D"http://docs.oasis-open.org/ws-sx/ws-securitypolicy= /200702"> + <wsp:Policy> + <sp:TransportToken> + <wsp:Policy> + <sp:HttpsToken> + <wsp:Policy/> + </sp:HttpsToken> + </wsp:Policy> + </sp:TransportToken> +<!-- + The sp:AlgorithmSuite element, requires the TripleDes algorithm suite + be used in performing cryptographic operations. +--> + <sp:AlgorithmSuite> + <wsp:Policy> + <sp:TripleDes /> + </wsp:Policy> + </sp:AlgorithmSuite> +<!-- + The sp:Layout element, indicates the layout rules to apply when addi= ng + items to the security header. The sp:Lax sub-element indicates items + are added to the security header in any order that conforms to + WSS: SOAP Message Security. +--> + <sp:Layout> + <wsp:Policy> + <sp:Lax /> + </wsp:Policy> + </sp:Layout> + <sp:IncludeTimestamp /> + </wsp:Policy> + </sp:TransportBinding> + +<!-- + The sp:SignedEndorsingSupportingTokens, when transport level security le= vel is + used there will be no message signature and the signature generated by t= he + supporting token will sign the Timestamp. +--> + <sp:SignedEndorsingSupportingTokens + xmlns:sp=3D"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/2= 00702"> + <wsp:Policy> +<!-- + The sp:IssuedToken element asserts that a SAML 2.0 security token of type + Bearer is expected from the STS. The + sp:IncludeToken=3D"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/20= 0702/IncludeToken/AlwaysToRecipient"> + attribute instructs the runtime to include the initiator's public key + with every message sent to the recipient. + + The sp:RequestSecurityTokenTemplate element directs that all of the + children of this element will be copied directly into the body of the + RequestSecurityToken (RST) message that is sent to the STS when the + initiator asks the STS to issue a token. 
+--> + <sp:IssuedToken + sp:IncludeToken=3D"http://docs.oasis-open.org/ws-sx/ws-secur= itypolicy/200702/IncludeToken/AlwaysToRecipient"> + <sp:RequestSecurityTokenTemplate> + <t:TokenType>http://docs.oasis-open.org/wss/oasis-ws= s-saml-token-profile-1.1#SAMLV2.0</t:TokenType> + <!-- + KeyType of "SymmetricKey", the client must prove to the WS service that= it + possesses a particular symmetric session key. + --> + <t:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust= /200512/SymmetricKey</t:KeyType> + </sp:RequestSecurityTokenTemplate> + <wsp:Policy> + <sp:RequireInternalReference /> + </wsp:Policy> +<!-- + The sp:Issuer element defines the STS's address and endpoint information + This information is used by the STSClient. +--> + <sp:Issuer> + <wsaws:Address>http://@jboss.bind.address@:8080/jaxw= s-samples-wsse-policy-trust-sts-holderofkey/SecurityTokenService</wsaws:= Address> + <wsaws:Metadata + xmlns:wsdli=3D"http://www.w3.org/2006/01/wsdl-instance" + wsdli:wsdlLocation=3D"http://@jboss.bind.address@:8080/j= axws-samples-wsse-policy-trust-sts-holderofkey/SecurityTokenService?wsdl"&g= t; + <wsaw:ServiceName + xmlns:wsaw=3D"http://www.w3.org/2006/05/addressing/wsd= l" + xmlns:stsns=3D"http://docs.oasis-open.org/ws-sx/ws-tru= st/200512/" + EndpointName=3D"UT_Port">stsns:SecurityTokenService= </wsaw:ServiceName> + </wsaws:Metadata> + </sp:Issuer> + + </sp:IssuedToken> + </wsp:Policy> + </sp:SignedEndorsingSupportingTokens> +<!-- + The sp:Wss11 element declares WSS: SOAP Message Security 1.1 options + to be supported by the STS. These particular elements generally refer + to how keys are referenced within the SOAP envelope. These are normal= ly + handled by CXF. +--> + <sp:Wss11> + <wsp:Policy> + <sp:MustSupportRefIssuerSerial /> + <sp:MustSupportRefThumbprint /> + <sp:MustSupportRefEncryptedKey /> + </wsp:Policy> + </sp:Wss11> +<!-- + The sp:Trust13 element declares controls for WS-Trust 1.3 options. 
+ They are policy assertions related to exchanges specifically with + client and server challenges and entropy behaviors. Again these are + normally handled by CXF. +--> + <sp:Trust13> + <wsp:Policy> + <sp:MustSupportIssuedTokens /> + <sp:RequireClientEntropy /> + <sp:RequireServerEntropy /> + </wsp:Policy> + </sp:Trust13> + </wsp:All> + </wsp:ExactlyOne> + </wsp:Policy> + +</definitions> + + +
+
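Review bot: the comment above sp:IssuedToken in HolderOfKeyService.wsdl says "a SAML 2.0 security token of type Bearer is expected from the STS", but the template below it requests `<t:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</t:KeyType>` and this is the holder-of-key chapter; the same comment says IncludeToken AlwaysToRecipient makes the runtime "include the initiator's public key with every message", whereas the assertion means the issued token itself is included in every message to the recipient. Also `<sp:TripleDes />` is selected here while the STS policy earlier in this patch selects Basic256; if the weaker suite is deliberate for the transport-binding endorsing signature, a comment saying so would help, otherwise Basic256 would be the consistent choice. Typo: "requirments" in the binding comment.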
+ = + SSL configuration + + + + This web service is using https, therefore the JBoss ser= ver must be configured to provide SSL support in the Web subsystem. There= are 2 components to SSL configuration. + + + create a certificate keystore + + + declare an SSL connector in the Web subsystem of the= JBoss server configuration file. + + + + Follow the directions in the, " + Using the pure Java implementatio= n supplied by JSSE + " section in the [SSL Setup Guide|../../../../../../../../..= /../display/WFLY8/SSL+setup+guide||\||]. + + Here is an example of an SSL connector declaration. + + +<subsystem xmlns=3D"urn:jboss:domain:web:1.4" default-virtual-server=3D= "default-host" native=3D"false"> +..... + <connector name=3D"jbws-https-connector" protocol=3D"HTTP/1.1" scheme= =3D"https" socket-binding=3D"https" secure=3D"true" enabled=3D"true"> + <ssl key-alias=3D"tomcat" password=3D"changeit" certificate-key-fil= e=3D"/myJbossHome/security/test.keystore" verify-client=3D"false"/> + </connector> +... + + +
+
+ = + Web service Interface + The web service provider interface class, HolderOfKeyIfa= ce, is a simple straight forward web service definition. + + +package org.jboss.test.ws.jaxws.samples.wsse.policy.trust.holderofkey; + +import javax.jws.WebMethod; +import javax.jws.WebService; + +(a)WebService +( + targetNamespace =3D "http://www.jboss.org/jbossws/ws-extensions/holdero= fkeywssecuritypolicy" +) +public interface HolderOfKeyIface { + @WebMethod + String sayHello(); +} + + +
+
+ = + Web service Implementation + + The web service provider implementation class, HolderOfKeyIm= pl, is a simple POJO. It uses the standard WebService annotation to defin= e the service endpoint. In addition there are two Apache CXF annotations,= EndpointProperties and EndpointProperty used for configuring the endpo= int for the CXF runtime. These annotations come from the + Apache WSS4J pro= ject + , which provides a Java implementation of the primary WS-S= ecurity standards for Web Services. These annotations are programmaticall= y adding properties to the endpoint. With plain Apache CXF, these propert= ies are often set via the <jaxws:properties> element on the <jax= ws:endpoint> element in the Spring config; these annotations allow the= properties to be configured in the code. + + WSS4J uses the Crypto interface to get keys and certifi= cates for signature creation/verification, as is asserted by the WSDL for= this service. The WSS4J configuration information being provided by Hold= erOfKeyImpl is for Crypto's Merlin implementation. More information will = be provided about this in the keystore section. + The first EndpointProperty statement in the listing disa= bles ensurance of compliance with the Basic Security Profile 1.1. The next = EndpointProperty statements declares the Java properties file that contain= s the (Merlin) crypto configuration information. The last EndpointPropert= y statement declares the STSHolderOfKeyCallbackHandler implementation class= . It is used to obtain the user's password for the certificates in the ke= ystore file. 
+ + +package org.jboss.test.ws.jaxws.samples.wsse.policy.trust.holderofkey; + +import org.apache.cxf.annotations.EndpointProperties; +import org.apache.cxf.annotations.EndpointProperty; + +import javax.jws.WebService; + +(a)WebService + ( + portName =3D "HolderOfKeyServicePort", + serviceName =3D "HolderOfKeyService", + wsdlLocation =3D "WEB-INF/wsdl/HolderOfKeyService.wsdl", + targetNamespace =3D "http://www.jboss.org/jbossws/ws-extensions/hold= erofkeywssecuritypolicy", + endpointInterface =3D "org.jboss.test.ws.jaxws.samples.wsse.policy.t= rust.holderofkey.HolderOfKeyIface" + ) +(a)EndpointProperties(value =3D { + @EndpointProperty(key =3D "ws-security.is-bsp-compliant", value =3D "fa= lse"), + @EndpointProperty(key =3D "ws-security.signature.properties", value =3D= "serviceKeystore.properties"), + @EndpointProperty(key =3D "ws-security.callback-handler", value =3D "or= g.jboss.test.ws.jaxws.samples.wsse.policy.trust.holderofkey.HolderOfKeyCall= backHandler") +}) +public class HolderOfKeyImpl implements HolderOfKeyIface +{ + public String sayHello() + { + return "Holder-Of-Key WS-Trust Hello World!"; + } +} + + +
+
+ = + Crypto properties and keystore files + WSS4J's Crypto implementation is loaded and configured v= ia a Java properties file that contains Crypto configuration data. The f= ile contains implementation-specific properties such as a keystore locati= on, password, default alias and the like. This application is using the = Merlin implementation. File serviceKeystore.properties contains this in= formation. + + File servicestore.jks, is a Java KeyStore (JKS) repository.= It contains self signed certificates for myservicekey and mystskey. + Self signed certificates are not = appropriate for production use. + + + +org.apache.ws.security.crypto.provider=3Dorg.apache.ws.security.components= .crypto.Merlin +org.apache.ws.security.crypto.merlin.keystore.type=3Djks +org.apache.ws.security.crypto.merlin.keystore.password=3Dsspass +org.apache.ws.security.crypto.merlin.keystore.alias=3Dmyservicekey +org.apache.ws.security.crypto.merlin.keystore.file=3Dservicestore.jks + + +
+
+ = + MANIFEST.MF + + + + When deployed on WildFly this application requires acc= ess to the JBossWs and CXF APIs provided in module org.jboss.ws.cxf.jboss= ws-cxf-client. The dependency statement directs the server to provide the= m at deployment. + + +Manifest-Version:1.0 +Ant-Version: Apache Ant1.8.2 +Created-By:1.7.0_25-b15 (Oracle Corporation) +Dependencies: org.jboss.ws.cxf.jbossws-cxf-client + + +
+
+
+ = + Security Token Service + This section examines the crucial elements in providing th= e Security Token Service functionality for providing a SAML Holder-Of-Key= token. The components that will be discussed are. + + + Security Domain + + + STS's WSDL + + + STS's implementation class + + + STSBearerCallbackHandler + + + Crypto properties and keystore files + + + MANIFEST.MF + + +
+ = + Security Domain + The STS requires a JBoss security domain be configured. = The jboss-web.xml descriptor declares a named security domain,"JBossWS-t= rust-sts" to be used by this service for authentication. This security do= main requires two properties files and the addition of a security-domain d= eclaration in the JBoss server configuration file. + + For this scenario the domain needs to contain user + alice + , password + clarinet + , and role + friend + . See the listings below for jbossws-users.properties and = jbossws-roles.properties. In addition the following XML must be added to = the JBoss security subsystem in the server configuration file. Replace " + SOME_PATH + " with appropriate information. + + + +<security-domain name=3D"JBossWS-trust-sts"> + <authentication> + =C2=A0<login-module code=3D"UsersRoles" flag=3D"required"> + =C2=A0<module-option name=3D"usersProperties" value=3D"/SOME_PATH/j= bossws-users.properties"/> + =C2=A0<module-option name=3D"unauthenticatedIdentity" value=3D"anon= ymous"/> + =C2=A0<module-option name=3D"rolesProperties" value=3D"/SOME_PATH/j= bossws-roles.properties"/> + =C2=A0</login-module> + =C2=A0</authentication> +</security-domain> + + + jboss-web.xml + + +<?xml version=3D"1.0" encoding=3D"UTF-8"?> +<!DOCTYPE jboss-web PUBLIC"-//JBoss//DTD Web Application 2.4//EN" "> +<jboss-web> + <security-domain>java:/jaas/JBossWS-trust-sts</security-domain&= gt; +</jboss-web> + + + + + + + + + = + + + + + + + jbossws-users.properties + + +# A sample users.properties filefor use with the UsersRolesLoginModule +alice=3Dclarinet + + + + + + + + =C2=A0 + + + + + + jbossws-roles.properties + + +# A sample roles.properties filefor use with the UsersRolesLoginModule +alice=3Dfriend + + +
+
+ = + STS's WSDL + + +<?xml version=3D"1.0" encoding=3D"UTF-8"?> +<wsdl:definitions + targetNamespace=3D"http://docs.oasis-open.org/ws-sx/ws-trust/200512/" + xmlns:tns=3D"http://docs.oasis-open.org/ws-sx/ws-trust/200512/" + xmlns:wstrust=3D"http://docs.oasis-open.org/ws-sx/ws-trust/200512/" + xmlns:wsdl=3D"http://schemas.xmlsoap.org/wsdl/" + xmlns:soap=3D"http://schemas.xmlsoap.org/wsdl/soap/" + xmlns:wsap10=3D"http://www.w3.org/2006/05/addressing/wsdl" + xmlns:wsu=3D"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wss= ecurity-utility-1.0.xsd" + xmlns:wsp=3D"http://www.w3.org/ns/ws-policy" + xmlns:wst=3D"http://docs.oasis-open.org/ws-sx/ws-trust/200512" + xmlns:xs=3D"http://www.w3.org/2001/XMLSchema" + xmlns:wsam=3D"http://www.w3.org/2007/05/addressing/metadata"> + + <wsdl:types> + <xs:schema elementFormDefault=3D"qualified" + targetNamespace=3D'http://docs.oasis-open.org/ws-sx/ws-trus= t/200512'> + + <xs:element name=3D'RequestSecurityToken' + type=3D'wst:AbstractRequestSecurityTokenType'/> + <xs:element name=3D'RequestSecurityTokenResponse' + type=3D'wst:AbstractRequestSecurityTokenType'/> + + <xs:complexType name=3D'AbstractRequestSecurityTokenType'> + <xs:sequence> + <xs:any namespace=3D'##any' processContents=3D'lax' minOccurs= =3D'0' + maxOccurs=3D'unbounded'/> + </xs:sequence> + <xs:attribute name=3D'Context' type=3D'xs:anyURI' use=3D'option= al'/> + <xs:anyAttribute namespace=3D'##other' processContents=3D'lax'/= > + </xs:complexType> + <xs:element name=3D'RequestSecurityTokenCollection' + type=3D'wst:RequestSecurityTokenCollectionType'/> + <xs:complexType name=3D'RequestSecurityTokenCollectionType'> + <xs:sequence> + <xs:element name=3D'RequestSecurityToken' + type=3D'wst:AbstractRequestSecurityTokenType' minOcc= urs=3D'2' + maxOccurs=3D'unbounded'/> + </xs:sequence> + </xs:complexType> + + <xs:element name=3D'RequestSecurityTokenResponseCollection' + type=3D'wst:RequestSecurityTokenResponseCollectionType'/= > + <xs:complexType 
name=3D'RequestSecurityTokenResponseCollectionTyp= e'> + <xs:sequence> + <xs:element ref=3D'wst:RequestSecurityTokenResponse' minOccur= s=3D'1' + maxOccurs=3D'unbounded'/> + </xs:sequence> + <xs:anyAttribute namespace=3D'##other' processContents=3D'lax'/= > + </xs:complexType> + + </xs:schema> + </wsdl:types> + + <!-- WS-Trust defines the following GEDs --> + <wsdl:message name=3D"RequestSecurityTokenMsg"> + <wsdl:part name=3D"request" element=3D"wst:RequestSecurityToken"/&g= t; + </wsdl:message> + <wsdl:message name=3D"RequestSecurityTokenResponseMsg"> + <wsdl:part name=3D"response" + element=3D"wst:RequestSecurityTokenResponse"/> + </wsdl:message> + <wsdl:message name=3D"RequestSecurityTokenCollectionMsg"> + <wsdl:part name=3D"requestCollection" + element=3D"wst:RequestSecurityTokenCollection"/> + </wsdl:message> + <wsdl:message name=3D"RequestSecurityTokenResponseCollectionMsg"> + <wsdl:part name=3D"responseCollection" + element=3D"wst:RequestSecurityTokenResponseCollection"/> + </wsdl:message> + + <!-- This portType an example of a Requestor (or other) endpoint that + Accepts SOAP-based challenges from a Security Token Service --> + <wsdl:portType name=3D"WSSecurityRequestor"> + <wsdl:operation name=3D"Challenge"> + <wsdl:input message=3D"tns:RequestSecurityTokenResponseMsg"/> + <wsdl:output message=3D"tns:RequestSecurityTokenResponseMsg"/> + </wsdl:operation> + </wsdl:portType> + + <!-- This portType is an example of an STS supporting full protocol -= -> + <wsdl:portType name=3D"STS"> + <wsdl:operation name=3D"Cancel"> + <wsdl:input + wsam:Action=3D"http://docs.oasis-open.org/ws-sx/ws-trust/200512/RS= T/Cancel" + message=3D"tns:RequestSecurityTokenMsg"/> + <wsdl:output + wsam:Action=3D"http://docs.oasis-open.org/ws-sx/ws-trust/200512/RS= TR/CancelFinal" + message=3D"tns:RequestSecurityTokenResponseMsg"/> + </wsdl:operation> + <wsdl:operation name=3D"Issue"> + <wsdl:input + wsam:Action=3D"http://docs.oasis-open.org/ws-sx/ws-trust/200512/RS= T/Issue" + 
message=3D"tns:RequestSecurityTokenMsg"/> + <wsdl:output + wsam:Action=3D"http://docs.oasis-open.org/ws-sx/ws-trust/200512/RS= TRC/IssueFinal" + message=3D"tns:RequestSecurityTokenResponseCollectionMsg"/> + </wsdl:operation> + <wsdl:operation name=3D"Renew"> + <wsdl:input + wsam:Action=3D"http://docs.oasis-open.org/ws-sx/ws-trust/200512/RS= T/Renew" + message=3D"tns:RequestSecurityTokenMsg"/> + <wsdl:output + wsam:Action=3D"http://docs.oasis-open.org/ws-sx/ws-trust/200512/RS= TR/RenewFinal" + message=3D"tns:RequestSecurityTokenResponseMsg"/> + </wsdl:operation> + <wsdl:operation name=3D"Validate"> + <wsdl:input + wsam:Action=3D"http://docs.oasis-open.org/ws-sx/ws-trust/200512/RS= T/Validate" + message=3D"tns:RequestSecurityTokenMsg"/> + <wsdl:output + wsam:Action=3D"http://docs.oasis-open.org/ws-sx/ws-trust/200512/RS= TR/ValidateFinal" + message=3D"tns:RequestSecurityTokenResponseMsg"/> + </wsdl:operation> + <wsdl:operation name=3D"KeyExchangeToken"> + <wsdl:input + wsam:Action=3D"http://docs.oasis-open.org/ws-sx/ws-trust/200512/RS= T/KET" + message=3D"tns:RequestSecurityTokenMsg"/> + <wsdl:output + wsam:Action=3D"http://docs.oasis-open.org/ws-sx/ws-trust/200512/RS= TR/KETFinal" + message=3D"tns:RequestSecurityTokenResponseMsg"/> + </wsdl:operation> + <wsdl:operation name=3D"RequestCollection"> + <wsdl:input message=3D"tns:RequestSecurityTokenCollectionMsg"/> + <wsdl:output message=3D"tns:RequestSecurityTokenResponseCollectio= nMsg"/> + </wsdl:operation> + </wsdl:portType> + + <!-- This portType is an example of an endpoint that accepts + Unsolicited RequestSecurityTokenResponse messages --> + <wsdl:portType name=3D"SecurityTokenResponseService"> + <wsdl:operation name=3D"RequestSecurityTokenResponse"> + <wsdl:input message=3D"tns:RequestSecurityTokenResponseMsg"/> + </wsdl:operation> + </wsdl:portType> + + <wsdl:binding name=3D"UT_Binding" type=3D"wstrust:STS"> + <wsp:PolicyReference URI=3D"#UT_policy"/> + <soap:binding style=3D"document" + 
transport=3D"http://schemas.xmlsoap.org/soap/http"/> + <wsdl:operation name=3D"Issue"> + <soap:operation + soapAction=3D"http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST= /Issue"/> + <wsdl:input> + <wsp:PolicyReference + URI=3D"#Input_policy"/> + <soap:body use=3D"literal"/> + </wsdl:input> + <wsdl:output> + <wsp:PolicyReference + URI=3D"#Output_policy"/> + <soap:body use=3D"literal"/> + </wsdl:output> + </wsdl:operation> + <wsdl:operation name=3D"Validate"> + <soap:operation + soapAction=3D"http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST= /Validate"/> + <wsdl:input> + <wsp:PolicyReference + URI=3D"#Input_policy"/> + <soap:body use=3D"literal"/> + </wsdl:input> + <wsdl:output> + <wsp:PolicyReference + URI=3D"#Output_policy"/> + <soap:body use=3D"literal"/> + </wsdl:output> + </wsdl:operation> + <wsdl:operation name=3D"Cancel"> + <soap:operation + soapAction=3D"http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST= /Cancel"/> + <wsdl:input> + <soap:body use=3D"literal"/> + </wsdl:input> + <wsdl:output> + <soap:body use=3D"literal"/> + </wsdl:output> + </wsdl:operation> + <wsdl:operation name=3D"Renew"> + <soap:operation + soapAction=3D"http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST= /Renew"/> + <wsdl:input> + <soap:body use=3D"literal"/> + </wsdl:input> + <wsdl:output> + <soap:body use=3D"literal"/> + </wsdl:output> + </wsdl:operation> + <wsdl:operation name=3D"KeyExchangeToken"> + <soap:operation + soapAction=3D"http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST= /KeyExchangeToken"/> + <wsdl:input> + <soap:body use=3D"literal"/> + </wsdl:input> + <wsdl:output> + <soap:body use=3D"literal"/> + </wsdl:output> + </wsdl:operation> + <wsdl:operation name=3D"RequestCollection"> + <soap:operation + soapAction=3D"http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST= /RequestCollection"/> + <wsdl:input> + <soap:body use=3D"literal"/> + </wsdl:input> + <wsdl:output> + <soap:body use=3D"literal"/> + </wsdl:output> + </wsdl:operation> + </wsdl:binding> + + 
<wsdl:service name=3D"SecurityTokenService"> + <wsdl:port name=3D"UT_Port" binding=3D"tns:UT_Binding"> + <soap:address location=3D"http://localhost:8080/SecurityTokenServ= ice/UT"/> + </wsdl:port> + </wsdl:service> + + <wsp:Policy wsu:Id=3D"UT_policy"> + <wsp:ExactlyOne> + <wsp:All> + <wsap10:UsingAddressing/> + <sp:SymmetricBinding + xmlns:sp=3D"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/2= 00702"> + <wsp:Policy> + <sp:ProtectionToken> + <wsp:Policy> + <sp:X509Token + sp:IncludeToken=3D"http://docs.oasis-open.org/ws-sx/ws-s= ecuritypolicy/200702/IncludeToken/Never"> + <wsp:Policy> + <sp:RequireDerivedKeys/> + <sp:RequireThumbprintReference/> + <sp:WssX509V3Token10/> + </wsp:Policy> + </sp:X509Token> + </wsp:Policy> + </sp:ProtectionToken> + <sp:AlgorithmSuite> + <wsp:Policy> + <sp:Basic256/> + </wsp:Policy> + </sp:AlgorithmSuite> + <sp:Layout> + <wsp:Policy> + <sp:Lax/> + </wsp:Policy> + </sp:Layout> + <sp:IncludeTimestamp/> + <sp:EncryptSignature/> + <sp:OnlySignEntireHeadersAndBody/> + </wsp:Policy> + </sp:SymmetricBinding> + <sp:SignedSupportingTokens + xmlns:sp=3D"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/2= 00702"> + <wsp:Policy> + <sp:UsernameToken + sp:IncludeToken=3D"http://docs.oasis-open.org/ws-sx/ws-secur= itypolicy/200702/IncludeToken/AlwaysToRecipient"> + <wsp:Policy> + <sp:WssUsernameToken10/> + </wsp:Policy> + </sp:UsernameToken> + </wsp:Policy> + </sp:SignedSupportingTokens> + <sp:Wss11 + xmlns:sp=3D"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/2= 00702"> + <wsp:Policy> + <sp:MustSupportRefKeyIdentifier/> + <sp:MustSupportRefIssuerSerial/> + <sp:MustSupportRefThumbprint/> + <sp:MustSupportRefEncryptedKey/> + </wsp:Policy> + </sp:Wss11> + <sp:Trust13 + xmlns:sp=3D"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/2= 00702"> + <wsp:Policy> + <sp:MustSupportIssuedTokens/> + <sp:RequireClientEntropy/> + <sp:RequireServerEntropy/> + </wsp:Policy> + </sp:Trust13> + </wsp:All> + </wsp:ExactlyOne> + </wsp:Policy> + + <wsp:Policy 
wsu:Id=3D"Input_policy"> + <wsp:ExactlyOne> + <wsp:All> + <sp:SignedParts + xmlns:sp=3D"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/2= 00702"> + <sp:Body/> + <sp:Header Name=3D"To" + Namespace=3D"http://www.w3.org/2005/08/addressing"/&g= t; + <sp:Header Name=3D"From" + Namespace=3D"http://www.w3.org/2005/08/addressing"/&g= t; + <sp:Header Name=3D"FaultTo" + Namespace=3D"http://www.w3.org/2005/08/addressing"/&g= t; + <sp:Header Name=3D"ReplyTo" + Namespace=3D"http://www.w3.org/2005/08/addressing"/&g= t; + <sp:Header Name=3D"MessageID" + Namespace=3D"http://www.w3.org/2005/08/addressing"/&g= t; + <sp:Header Name=3D"RelatesTo" + Namespace=3D"http://www.w3.org/2005/08/addressing"/&g= t; + <sp:Header Name=3D"Action" + Namespace=3D"http://www.w3.org/2005/08/addressing"/&g= t; + </sp:SignedParts> + </wsp:All> + </wsp:ExactlyOne> + </wsp:Policy> + + <wsp:Policy wsu:Id=3D"Output_policy"> + <wsp:ExactlyOne> + <wsp:All> + <sp:SignedParts + xmlns:sp=3D"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/2= 00702"> + <sp:Body/> + <sp:Header Name=3D"To" + Namespace=3D"http://www.w3.org/2005/08/addressing"/&g= t; + <sp:Header Name=3D"From" + Namespace=3D"http://www.w3.org/2005/08/addressing"/&g= t; + <sp:Header Name=3D"FaultTo" + Namespace=3D"http://www.w3.org/2005/08/addressing"/&g= t; + <sp:Header Name=3D"ReplyTo" + Namespace=3D"http://www.w3.org/2005/08/addressing"/&g= t; + <sp:Header Name=3D"MessageID" + Namespace=3D"http://www.w3.org/2005/08/addressing"/&g= t; + <sp:Header Name=3D"RelatesTo" + Namespace=3D"http://www.w3.org/2005/08/addressing"/&g= t; + <sp:Header Name=3D"Action" + Namespace=3D"http://www.w3.org/2005/08/addressing"/&g= t; + </sp:SignedParts> + </wsp:All> + </wsp:ExactlyOne> + </wsp:Policy> + +</wsdl:definitions> + + +
+
+ = + STS's implementation class + + The Apache CXF's STS, SecurityTokenServiceProvider, is a web= service provider that is compliant with the protocols and functionality= defined by the WS-Trust specification. It has a modular architecture. = Many of its components are configurable or replaceable and there are ma= ny optional features that are enabled by implementing and configuring = plug-ins. Users can customize their own STS by extending from SecurityT= okenServiceProvider and overriding the default settings. Extensive info= rmation about the CXF's STS configurable and pluggable components can be= found + here + . + + This STS implementation class, SampleSTSHolderOfKey, is = a POJO that extends from SecurityTokenServiceProvider. Note that the cl= ass is defined with a WebServiceProvider annotation and not a WebService= annotation. This annotation defines the service as a Provider-based = endpoint, meaning it supports a more messaging-oriented approach to Web = services. In particular, it signals that the exchanged messages will be = XML documents of some type. SecurityTokenServiceProvider is an implem= entation of the javax.xml.ws.Provider interface. In comparison the WebS= ervice annotation defines a (service endpoint interface) SEI-based endpo= int which supports message exchange via SOAP envelopes. + As was done in the HolderOfKeyImpl class, the WSS4J ann= otations EndpointProperties and EndpointProperty are providing endpoint = configuration for the CXF runtime. The first EndpointProperty statemen= ts declares the Java properties file that contains the (Merlin) crypto c= onfiguration information. WSS4J reads this file and extra required info= rmation for message handling. The last EndpointProperty statement declar= es the STSHolderOfKeyCallbackHandler implementation class. It is used to= obtain the user's password for the certificates in the keystore file. 
+ In this implementation we are customizing the operations= of token issuance and their static properties. + StaticSTSProperties is used to set select properties for= configuring resources in the STS. You may think this is a duplication = of the settings made with the WSS4J annotations. The values are the sam= e but the underlaying structures being set are different, thus this in= formation must be declared in both places. + The setIssuer setting is important because it uniquely = identifies the issuing STS. The issuer string is embedded in issued tok= ens and, when validating tokens, the STS checks the issuer string value.= Consequently, it is important to use the issuer string in a consistent = way, so that the STS can recognize the tokens that it has issued. + The setEndpoints call allows the declaration of a set o= f allowed token recipients by address. The addresses are specified as r= eg-ex patterns. + TokenIssueOperation has a modular structure. This all= ows custom behaviors to be injected into the processing of messages. In= this case we are overriding the SecurityTokenServiceProvider's default = behavior and performing SAML token processing. CXF provides an impleme= ntation of a SAMLTokenProvider which we are using rather than writing = our own. + + Learn more about the SAMLTokenProvider + here + . 
+ + + +package org.jboss.test.ws.jaxws.samples.wsse.policy.trust.stsholderofkey; + +import org.apache.cxf.annotations.EndpointProperties; +import org.apache.cxf.annotations.EndpointProperty; +import org.apache.cxf.sts.StaticSTSProperties; +import org.apache.cxf.sts.operation.TokenIssueOperation; +import org.apache.cxf.sts.service.ServiceMBean; +import org.apache.cxf.sts.service.StaticService; +import org.apache.cxf.sts.token.provider.SAMLTokenProvider; +import org.apache.cxf.ws.security.sts.provider.SecurityTokenServiceProvide= r; + +import javax.xml.ws.WebServiceProvider; +import java.util.Arrays; +import java.util.LinkedList; +import java.util.List; + +/** + * User: rsearls + * Date: 3/14/14 + */ +(a)WebServiceProvider(serviceName =3D "SecurityTokenService", + portName =3D "UT_Port", + targetNamespace =3D "http://docs.oasis-open.org/ws-sx/ws-trust/200512/", + wsdlLocation =3D "WEB-INF/wsdl/holderofkey-ws-trust-1.4-service.wsdl") +//be sure to have dependency on org.apache.cxf module when on AS7, otherwi= se Apache CXF annotations are ignored +(a)EndpointProperties(value =3D { + @EndpointProperty(key =3D "ws-security.signature.properties", value =3D= "stsKeystore.properties"), + @EndpointProperty(key =3D "ws-security.callback-handler", value =3D "or= g.jboss.test.ws.jaxws.samples.wsse.policy.trust.stsholderofkey.STSHolderOfK= eyCallbackHandler") +}) +public class SampleSTSHolderOfKey extends SecurityTokenServiceProvider +{ + + public SampleSTSHolderOfKey() throws Exception + { + super(); + + StaticSTSProperties props =3D new StaticSTSProperties(); + props.setSignatureCryptoProperties("stsKeystore.properties"); + props.setSignatureUsername("mystskey"); + props.setCallbackHandlerClass(STSHolderOfKeyCallbackHandler.class.ge= tName()); + props.setEncryptionCryptoProperties("stsKeystore.properties"); + props.setEncryptionUsername("myservicekey"); + props.setIssuer("DoubleItSTSIssuer"); + + List<ServiceMBean> services =3D new LinkedList<ServiceMBean= >(); + 
StaticService service =3D new StaticService(); + service.setEndpoints(Arrays.asList( + "https://localhost:(\\d)*/jaxws-samples-wsse-policy-trust-holdero= fkey/HolderOfKeyService", + "https://\\[::1\\]:(\\d)*/jaxws-samples-wsse-policy-trust-holdero= fkey/HolderOfKeyService", + "https://\\[0:0:0:0:0:0:0:1\\]:(\\d)*/jaxws-samples-wsse-policy-t= rust-holderofkey/HolderOfKeyService" + )); + + services.add(service); + + TokenIssueOperation issueOperation =3D new TokenIssueOperation(); + issueOperation.getTokenProviders().add(new SAMLTokenProvider()); + issueOperation.setServices(services); + issueOperation.setStsProperties(props); + this.setIssueOperation(issueOperation); + + } +} + + +
+
+ = + HolderOfKeyCallbackHandler + STSHolderOfKeyCallbackHandler is a callback handler for = the WSS4J Crypto API. It is used to obtain the password for the private= key in the keystore. This class enables CXF to retrieve the password o= f the user name to use for the message signature. + + +package org.jboss.test.ws.jaxws.samples.wsse.policy.trust.stsholderofkey; + +import org.jboss.wsf.stack.cxf.extensions.security.PasswordCallbackHandler; + +import java.util.HashMap; +import java.util.Map; + +/** + * User: rsearls + * Date: 3/19/14 + */ +public class STSHolderOfKeyCallbackHandler extends PasswordCallbackHandler +{ + public STSHolderOfKeyCallbackHandler() + { + super(getInitMap()); + } + + private static Map<String, String> getInitMap() + { + Map<String, String> passwords =3D new HashMap<String, Strin= g>(); + passwords.put("mystskey", "stskpass"); + passwords.put("alice", "clarinet"); + return passwords; + } +} + + +
+
+ = + Crypto properties and keystore files + WSS4J's Crypto implementation is loaded and configured v= ia a Java properties file that contains Crypto configuration data. The f= ile contains implementation-specific properties such as a keystore locati= on, password, default alias and the like. This application is using the = Merlin implementation. File stsKeystore.properties contains this inform= ation. + + File servicestore.jks, is a Java KeyStore (JKS) repository.= It contains self signed certificates for myservicekey and mystskey. + Self signed certificates are not = appropriate for production use. + + + +org.apache.ws.security.crypto.provider=3Dorg.apache.ws.security.components= .crypto.Merlin +org.apache.ws.security.crypto.merlin.keystore.type=3Djks +org.apache.ws.security.crypto.merlin.keystore.password=3Dstsspass +org.apache.ws.security.crypto.merlin.keystore.file=3Dstsstore.jks + + +
+
+ = + MANIFEST.MF + When deployed on WildFly, this application requires ac= cess to the JBossWs and CXF APIs provided in modules org.jboss.ws.cxf.jbo= ssws-cxf-client and org.apache.cxf. The Apache CXF internals, org.apache= .cxf.impl, are needed to build the STS configuration in the SampleSTSHol= derOfKey constructor. The dependency statement directs the server to provi= de them at deployment. + + +Manifest-Version:1.0 +Ant-Version: Apache Ant1.8.2 +Created-By:1.7.0_25-b15 (Oracle Corporation) +Dependencies: org.jboss.ws.cxf.jbossws-cxf-client,org.apache.cxf.impl + + +
+
+
+ = + Web service requester + This section examines the crucial elements in calling a we= b service that implements endpoint security as described in the SAML Hol= der-Of-Key scenario. The components that will be discussed are. + + + web service requester's implementation + + + ClientCallbackHandler + + + Crypto properties and keystore files + + +
+ = + Web service requester Implementation + The ws-requester, the client, uses standard procedures f= or creating a reference to the web service. To address the endpoint s= ecurity requirements, the web service's "Request Context" is configured w= ith the information needed in message generation. In addition, the STS= Client that communicates with the STS is configured with similar values.= Note the key strings ending with a ".it" suffix. This suffix flags th= ese settings as belonging to the STSClient. The internal CXF code assig= ns this information to the STSClient that is auto-generated for this ser= vice call. + There is an alternate method of setting up the STSCLien= t. The user may provide their own instance of the STSClient. The CXF c= ode will use this object and not auto-generate one. When providing the = STSClient in this way, the user must provide a org.apache.cxf.Bus for i= t and the configuration keys must not have the ".it" suffix. This is us= ed in the ActAs and OnBehalfOf examples. 
+ + +String serviceURL =3D "https://" + getServerHost() + ":8443/jaxws-samples-= wsse-policy-trust-holderofkey/HolderOfKeyService"; + +final QName serviceName =3D new QName("http://www.jboss.org/jbossws/ws-ext= ensions/holderofkeywssecuritypolicy", "HolderOfKeyService"); +final URL wsdlURL =3D new URL(serviceURL + "?wsdl"); +Service service =3D Service.create(wsdlURL, serviceName); +HolderOfKeyIface proxy =3D (HolderOfKeyIface) service.getPort(HolderOfKeyI= face.class); + +Map<String, Object> ctx =3D ((BindingProvider)proxy).getRequestConte= xt(); + +// set the security related configuration information for the service "req= uest" +ctx.put(SecurityConstants.CALLBACK_HANDLER, new ClientCallbackHandler()); +ctx.put(SecurityConstants.SIGNATURE_PROPERTIES, + Thread.currentThread().getContextClassLoader().getResource( + "META-INF/clientKeystore.properties")); +ctx.put(SecurityConstants.ENCRYPT_PROPERTIES, + Thread.currentThread().getContextClassLoader().getResource( + "META-INF/clientKeystore.properties")); +ctx.put(SecurityConstants.SIGNATURE_USERNAME, "myclientkey"); +ctx.put(SecurityConstants.ENCRYPT_USERNAME, "myservicekey"); + +//-- Configuration settings that will be transfered to the STSClient +// "alice" is the name provided for the WSS Username. Her password will +// be retreived from the ClientCallbackHander by the STSClient. 
+ctx.put(SecurityConstants.USERNAME + ".it", "alice"); +ctx.put(SecurityConstants.CALLBACK_HANDLER + ".it", new ClientCallbackHand= ler()); +ctx.put(SecurityConstants.ENCRYPT_PROPERTIES + ".it", + Thread.currentThread().getContextClassLoader().getResource( + "META-INF/clientKeystore.properties")); +ctx.put(SecurityConstants.ENCRYPT_USERNAME + ".it", "mystskey"); +ctx.put(SecurityConstants.STS_TOKEN_USERNAME + ".it", "myclientkey"); +ctx.put(SecurityConstants.STS_TOKEN_PROPERTIES + ".it", + Thread.currentThread().getContextClassLoader().getResource( + "META-INF/clientKeystore.properties")); +ctx.put(SecurityConstants.STS_TOKEN_USE_CERT_FOR_KEYINFO + ".it", "true"); + +proxy.sayHello(); + + +
+
+ = + ClientCallbackHandler + ClientCallbackHandler is a callback handler for the WSS4= J Crypto API. It is used to obtain the password for the private key in t= he keystore. This class enables CXF to retrieve the password of the user= name to use for the message signature. Note that "alice" and her passwo= rd have been provided here. This information is not in the (JKS) keysto= re but provided in the WildFly security domain. It was declared in fil= e jbossws-users.properties. + + +package org.jboss.test.ws.jaxws.samples.wsse.policy.trust.shared; + +import java.io.IOException; +import javax.security.auth.callback.Callback; +import javax.security.auth.callback.CallbackHandler; +import javax.security.auth.callback.UnsupportedCallbackException; +import org.apache.ws.security.WSPasswordCallback; + +public class ClientCallbackHandler implements CallbackHandler { + +=C2=A0=C2=A0=C2=A0 public void handle(Callback[] callbacks) throws IOExcep= tion, +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Unsuppo= rtedCallbackException { +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 for (int i =3D 0; i < callba= cks.length; i++) { +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 if (cal= lbacks[i] instanceof WSPasswordCallback) { +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0 WSPasswordCallback pc =3D (WSPasswordCallback) callbacks= [i]; +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0 if ("myclientkey".equals(pc.getIdentifier())) { +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 pc.setPassword("ckpass"); +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 break; +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0 } else if ("alice".equals(pc.getIdentifier())) { 
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 pc.setPassword("clarinet"); +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 break; +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0 } else if ("bob".equals(pc.getIdentifier())) { +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 pc.setPassword("trombone"); +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 break; +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0 } else if ("myservicekey".equals(pc.getIdentifier())) {= =C2=A0 // rls test=C2=A0 added for bearer test +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 pc.setPassword("skpass"); +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 break; +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0 } +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 } +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 } +=C2=A0=C2=A0=C2=A0 } +} + + +
+
+ = + Crypto properties and keystore files + WSS4J's Crypto implementation is loaded and configured v= ia a Java properties file that contains Crypto configuration data. The f= ile contains implementation-specific properties such as a keystore locati= on, password, default alias and the like. This application is using the = Merlin implementation. File clientKeystore.properties contains this inf= ormation. + + File clientstore.jks, is a Java KeyStore (JKS) repository. = It contains self signed certificates for myservicekey and mystskey. + Self signed certificates are not = appropriate for production use. + + + +org.apache.ws.security.crypto.provider=3Dorg.apache.ws.security.components= .crypto.Merlin +org.apache.ws.security.crypto.merlin.keystore.type=3Djks +org.apache.ws.security.crypto.merlin.keystore.password=3Dcspass +org.apache.ws.security.crypto.merlin.keystore.alias=3Dmyclientkey +org.apache.ws.security.crypto.merlin.keystore.file=3DMETA-INF/clientstore.= jks + + +
+
+
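Review bot: the ClientCallbackHandler listing and the prose above it disagree on where credentials live: the text says "alice" and her password are "not in the (JKS) keystore but provided in the WildFly security domain" and declared in jbossws-users.properties, yet the handler hard-codes pc.setPassword("clarinet") (and "ckpass", "trombone", "skpass") next to the key aliases. Either say explicitly that the handler embeds test credentials for the sample only and that a real client must obtain them from a protected source, or drop the passwords from the listing. In the same hunk, the leftover "// rls test added for bearer test" comment on the "myservicekey" branch should go before this ships in release documentation, and the clientKeystore.properties listing keeps the keystore password (keystore.password=cspass) in clear text in a classpath resource, which deserves the same "sample only" caveat that the existing "Self signed certificates are not appropriate for production use" note gives the certificates. Also worth confirming that the org.apache.ws.security.WSPasswordCallback import and the org.apache.ws.security.crypto.* property keys still match the WSS4J version bundled with this stack.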
= @@ -5725,95 +8348,116 @@
= Additional configuration - - Fine-grained tuning of WS-Reliable Messaging engine requires s= etting up proper RM features in the - Bus - using a Spring XML descriptor; here is an example: - + Fine-grained tuning of WS-Reliable Messaging engine requir= es setting up proper RM features and attach them for instance to the client= proxy. Here is an example: -<beans - xmlns=3D"http://www.springframework.org/schema/beans" - xmlns:xsi=3D"http://www.w3.org/2001/XMLSchema-instance" - xmlns:cxf=3D"http://cxf.apache.org/core" - xmlns:wsa=3D"http://cxf.apache.org/ws/addressing" - xmlns:http=3D"http://cxf.apache.org/transports/http/configuration" - xmlns:wsrm-policy=3D"http://schemas.xmlsoap.org/ws/2005/02/rm/policy" - xmlns:wsrm-mgr=3D"http://cxf.apache.org/ws/rm/manager" - xsi:schemaLocation=3D" - http://cxf.apache.org/core - http://cxf.apache.org/schemas/core.xsd - http://cxf.apache.org/transports/http/configuration - http://cxf.apache.org/schemas/configuration/http-conf.xsd - http://schemas.xmlsoap.org/ws/2005/02/rm/policy - http://schemas.xmlsoap.org/ws/2005/02/rm/wsrm-policy.xsd - http://cxf.apache.org/ws/rm/manager - http://cxf.apache.org/schemas/configuration/wsrm-manager.xsd - http://www.springframework.org/schema/beans - http://www.springframework.org/schema/beans/spring-beans.xsd"> +package org.jboss.test.ws.jaxws.samples.wsrm.client; = - <cxf:bus> - <cxf:features> - <cxf:logging/> - <wsa:addressing/> - <wsrm-mgr:reliableMessaging> - <wsrm-policy:RMAssertion> - <wsrm-policy:BaseRetransmissionInterval Milliseconds=3D"4000"= /> - <wsrm-policy:AcknowledgementInterval Milliseconds=3D"2000"/&g= t; - </wsrm-policy:RMAssertion> - <wsrm-mgr:destinationPolicy> - <wsrm-mgr:acksPolicy intraMessageThreshold=3D"0" /> - </wsrm-mgr:destinationPolicy> - </wsrm-mgr:reliableMessaging> - </cxf:features> - </cxf:bus> -</beans +//... 
+import javax.xml.ws.Service; +import org.apache.cxf.ws.rm.feature.RMFeature; +import org.apache.cxf.ws.rm.manager.AcksPolicyType; +import org.apache.cxf.ws.rm.manager.DestinationPolicyType; +import org.apache.cxf.ws.rmp.v200502.RMAssertion; +import org.apache.cxf.ws.rmp.v200502.RMAssertion.AcknowledgementInterval; +import org.jboss.test.ws.jaxws.samples.wsrm.generated.SimpleService; + +//... +Service service =3D Service.create(wsdlURL, serviceName); + +RMFeature feature =3D new RMFeature(); +RMAssertion rma =3D new RMAssertion(); +RMAssertion.BaseRetransmissionInterval bri =3D new RMAssertion.BaseRetrans= missionInterval(); +bri.setMilliseconds(4000L); +rma.setBaseRetransmissionInterval(bri); +AcknowledgementInterval ai =3D new AcknowledgementInterval(); +ai.setMilliseconds(2000L); +rma.setAcknowledgementInterval(ai); +feature.setRMAssertion(rma); +DestinationPolicyType dp =3D new DestinationPolicyType(); +AcksPolicyType ap =3D new AcksPolicyType(); +ap.setIntraMessageThreshold(0); +dp.setAcksPolicy(ap); +feature.setDestinationPolicy(dp); + +SimpleService proxy =3D (SimpleService)service.getPort(SimpleService.class= , feature); +proxy.echo("Hello World"); - The client needs to pick up the bus configuration such as = below: + + The same can of course be achieved by factoring the feature in= to a custom pojo extending + org.apache.cxf.ws.rm.feature.RMFeature + and setting the obtained property in a client configuration: + package org.jboss.test.ws.jaxws.samples.wsrm.client; = -import java.net.URL; -import java.io.File; -import javax.xml.namespace.QName; -import javax.xml.ws.Service; -import org.apache.cxf.Bus; -import org.apache.cxf.BusFactory; -import org.jboss.wsf.stack.cxf.client.configuration.JBossWSBusFactory; -import org.jboss.test.ws.jaxws.samples.wsrm.generated.SimpleService; +import org.apache.cxf.ws.rm.feature.RMFeature; +import org.apache.cxf.ws.rm.manager.AcksPolicyType; +import org.apache.cxf.ws.rm.manager.DestinationPolicyType; +import 
org.apache.cxf.ws.rmp.v200502.RMAssertion; +import org.apache.cxf.ws.rmp.v200502.RMAssertion.AcknowledgementInterval; = -public final class SimpleServiceTestCase +public class CustomRMFeature extends RMFeature { - private static final String serviceURL =3D "http://localhost:8080/jaxws= -samples-wsrm/SimpleService"; + public CustomRMFeature() { + super(); + RMAssertion rma =3D new RMAssertion(); + RMAssertion.BaseRetransmissionInterval bri =3D new RMAssertion.BaseR= etransmissionInterval(); + bri.setMilliseconds(4000L); + rma.setBaseRetransmissionInterval(bri); + AcknowledgementInterval ai =3D new AcknowledgementInterval(); + ai.setMilliseconds(2000L); + rma.setAcknowledgementInterval(ai); + super.setRMAssertion(rma); + DestinationPolicyType dp =3D new DestinationPolicyType(); + AcksPolicyType ap =3D new AcksPolicyType(); + ap.setIntraMessageThreshold(0); + dp.setAcksPolicy(ap); + super.setDestinationPolicy(dp); + } +} + + + + ... this is how the + jaxws-client-config.xml + descriptor would look: + + + +<?xml version=3D"1.0" encoding=3D"UTF-8"?> = - public static void main(String[] args) throws Exception - { - URL cxfConfig =3D new File("resources/jaxws/samples/wsrm/cxf.xml").t= oURL(); - Bus bus =3D new JBossWSBusFactory().createBus(cxfConfig); - try - { - BusFactory.setThreadDefaultBus(bus); +<jaxws-config xmlns=3D"urn:jboss:jbossws-jaxws-config:4.0" xmlns:xsi=3D= "http://www.w3.org/2001/XMLSchema-instance" xmlns:javaee=3D"http://java.sun= .com/xml/ns/javaee" + xsi:schemaLocation=3D"urn:jboss:jbossws-jaxws-config:4.0 schema/jbossws-= jaxws-config_4_0.xsd"> = - // create service - QName serviceName =3D new QName("http://www.jboss.org/jbossws/ws= -extensions/wsrm", "SimpleService"); - URL wsdlURL =3D new URL(serviceURL + "?wsdl"); - Service service =3D Service.create(wsdlURL, serviceName); - SimpleService proxy =3D (SimpleService)service.getPort(SimpleSer= vice.class); + <client-config> + <config-name>Custom Client Config</config-name> + <property> + 
<property-name>cxf.features</property-name> + <property-value>org.jboss.test.ws.jaxws.samples.wsrm.client.Cu= stomRMFeature</property-value> + </property> + </client-config> = - // invoke methods - proxy.echo("Hello World!"); - } - finally - { - // shutdown bus - bus.shutdown(true); - } - } -} +</jaxws-config> + ... and this is how the client would set the configuration= : + + +import org.jboss.ws.api.configuration.ClientConfigUtil; +import org.jboss.ws.api.configuration.ClientConfigurer; + +//... +Service service =3D Service.create(wsdlURL, serviceName); +SimpleService proxy =3D (SimpleService)service.getPort(SimpleService.class= ); + +ClientConfigurer configurer =3D ClientConfigUtil.resolveClientConfigurer(); +configurer.setConfigProperties(proxy, "META-INF/jaxws-client-config.xml", = "Custom Client Config"); +proxy.echo("Hello World!"); + +
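Review bot: grammar in the rewritten intro sentence of this hunk: "requires setting up proper RM features and attach them for instance to the client proxy" should read "and attaching them, for instance, to the client proxy". Two smaller points in the same hunk: the cxf.features property in jaxws-client-config.xml names org.jboss.test.ws.jaxws.samples.wsrm.client.CustomRMFeature by fully qualified class name, so one sentence stating that this class must be visible on the client's classpath would save readers a ClassNotFoundException hunt; and the first snippet calls proxy.echo("Hello World") while the last calls proxy.echo("Hello World!"), which looks accidental rather than intended.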
@@ -5840,7 +8484,7 @@ HTTP WS endpoints (in war - archives). The webservices layer of JBoss Application Server takes= care of looking for + archives). The webservices layer of WildFly takes care of looking = for JMS enpdoints in the deployed archive and starts them delegating to th= e Apache CXF core similarly as with HTTP @@ -5932,18 +8576,6 @@ archives doesn't need any entry for JMS endpoints. - - - At the time of writing, the Apache CXF support for JMS transpo= rt requires - Spring - libraries to be available at runtime. - - - Please make sure - Spring - is properly installed on the application server, perhaps using= the JBossWS installation option for it. - -
= @@ -6032,13 +8664,13 @@ HelloWorldImplPort here is meant for using the testQueue - that's available by default on JBoss Application Server 7 + that has to be created before deploying the endpoint. At the time of writing, java:/ConnectionFactory - is the default connection factory JNDI location on JBoss Appli= cation Server 7 + is the default connection factory JNDI location. For allowing remote JNDI lookup of the connection factory, a s= pecific service ( @@ -6053,7 +8685,6 @@ Have a look at the application server domain for finding= out the configured connection factory JNDI locations. - Remote JNDI support is available starting from JBoss App= lication Server 7.1. The endpoint implementation is a basic JAX-WS POJO using @= WebService annotation to refer to the consumed contract: @@ -6090,7 +8721,7 @@ archive and deploy it: - alessio(a)inuyasha /dati/jbossws/stack/cxf/tru= nk $ jar -tvf ./modules/testsuite/cxf-spring-tests/target/test-libs/jaxws-c= xf-jms-only-deployment.jar + alessio(a)inuyasha /dati/jbossws/stack/cxf/tru= nk $ jar -tvf ./modules/testsuite/cxf-tests/target/test-libs/jaxws-cxf-jms-= only-deployment.jar 0 Thu Jun 23 15:18:44 CEST 2011 META-INF/ 129 Thu Jun 23 15:18:42 CEST 2011 META-INF/MANIFEST.MF 0 Thu Jun 23 15:18:42 CEST 2011 org/ @@ -6109,7 +8740,7 @@ A dependency on org.hornetq - module needs to be added in MANIFEST.MF when deploying to JB= oss Application Server 7. + module needs to be added in MANIFEST.MF when deploying to Wi= ldFly. Manifest-Version: 1.0 @@ -6160,7 +8791,7 @@ - Have a look at the JBoss Application Server 7 domain and mes= saging configuration for finding out the actual security requirements. At t= he time of writing, a user with + Have a look at the WildFly domain and messaging configuratio= n for finding out the actual security requirements. At the time of writing,= a user with guest role is required and that's internally checked using the other 
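Review bot: the "@@ -5840" hunk rewrites "The webservices layer of WildFly takes care of looking for" but leaves the typo "JMS enpdoints" on the unchanged context line right after it; since the paragraph is being touched, fix it to "endpoints" in the same commit. In the "@@ -6032" hunk, "that has to be created before deploying the endpoint" replaces "that's available by default", but the documentation now gives no hint of how the testQueue destination is created on WildFly; a pointer to the messaging subsystem configuration would close that gap. The "@@ -6090" hunk only changes the archive path from cxf-spring-tests to cxf-tests while keeping the 2011 "jar -tvf" listing, which is fine as long as the listed contents are still accurate for the renamed module.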
@@ -6355,7 +8986,7 @@ archive: - alessio(a)inuyasha /dati/jbossws/stack/cxf/tru= nk $ jar -tvf ./modules/testsuite/cxf-spring-tests/target/test-libs/jaxws-c= xf-jms-http-deployment.war + alessio(a)inuyasha /dati/jbossws/stack/cxf/tru= nk $ jar -tvf ./modules/testsuite/cxf-tests/target/test-libs/jaxws-cxf-jms-= http-deployment.war 0 Thu Jun 23 15:18:44 CEST 2011 META-INF/ 129 Thu Jun 23 15:18:42 CEST 2011 META-INF/MANIFEST.MF 0 Thu Jun 23 15:18:44 CEST 2011 WEB-INF/ @@ -6395,7 +9026,7 @@ Here too the MANIFEST.MF needs to declare a dependency on org.hornetq - module when deploying to JBoss Application Server 7. + module when deploying to WildFly. Finally, the JAX-WS client can ineract with both JMS and H= TTP endpoints as usual: @@ -6977,4 +9608,312 @@
+
+ = + Published WSDL customization +
+ = + Endpoint address rewrite + + JBossWS supports the rewrite of the + <soap:address> + element of endpoints published in WSDL contracts. This feature = is useful for controlling the server address that is advertised to clients = for each endpoint. The rewrite mechanism is configured at server level thro= ugh a set of elements in the webservices subsystem of the WildFly managemen= t model. Please refer to the container documentation for details on the opt= ions supported in the selected container version. Below is a list of the el= ements available in the latest WildFly sources: + + + + + + + Name + + + Type + + + Description + + + + + + + + modify-wsdl-address + = + + + + boolean + + + + This boolean enables and disables the address rewrite = functionality. + = + When modify-wsdl-address is set to true and the conten= t of <soap:address> is a valid URL, JBossWS will rewrite the URL usin= g the values of wsdl-host and wsdl-port or wsdl-secure-port. + = + When modify-wsdl-address is set to false and the conte= nt of <soap:address> is a valid URL, JBossWS will not rewrite the URL= . The <soap:address> URL will be used. + = + When the content of <soap:address> is not a vali= d URL, JBossWS will rewrite it no matter what the setting of modify-wsdl-ad= dress. + = + If modify-wsdl-address is set to true and wsdl-host is= not defined or explicitly set to + ' + jbossws.undefined.host + _' _ the content of <soap:address> URL is use. = JBossWS uses the requester's host when rewriting the <soap:address> + = + When modify-wsdl-address is not defined JBossWS uses a= default value of true. + = + + + + + + + wsdl-host + = + + + + string + + + + The hostname / IP address to be used for rewriting + <soap:address> + . + = + If + wsdl-host + is set to + jbossws.undefined.host + , JBossWS uses the requester's host when rewriting the + <soap:address> + = + When wsdl-host is not defined JBossWS uses a default v= alue of ' + jbossws.undefined.host + '. 
+ + + + + + + wsdl-port + = + + + + int + + + + Set this property to explicitly define the HTTP port t= hat will be used for rewriting the SOAP address. + = + Otherwise the HTTP port will be identified by querying= the list of installed HTTP connectors. + + + + + + + wsdl-secure-port + = + + + + int + + + + Set this property to explicitly define the HTTPS port = that will be used for rewriting the SOAP address. + = + Otherwise the HTTPS port will be identified by queryin= g the list of installed HTTPS connectors. + + + + + + wsdl-uri-scheme + + + + string + = + + + + + This property explicitly sets the URI scheme to use fo= r rewriting + <soap:address> + . Valid values are + http + and + https + . This configuration overrides scheme computed by proc= essing the endpoint (even if a transport guarantee + = + is specified). The provided values for + wsdl-port + and + wsdl-secure-port + (or their default values) are used depending on specif= ied scheme. + = + + + + + + wsdl-path-rewrite-rule + + + + string + = + + + + + This string defines a SED substitution command (e.g., = 's/regexp/replacement/g') that JBossWS executes against the path component = of each <soap:address> URL published from the server. + = + When wsdl-path-rewrite-rule is not defined, JBossWS re= tains the original path component of each <soap:address> URL. + = + When 'modify-wsdl-address' is set to "false" this elem= ent is ignored. + + + + + + + + Additionally, users can override the server level configuration = by requesting a specific rewrite behavior for a given endpoint deployment. 
= That is achieved by setting one of the following properties within a + jboss-webservices.xml + descriptor: + + + + + + + Property + + + Corresponding server option + + + + + + + wsdl.soapAddress.rewrite.modify-wsdl-address + + + modify-wsdl-address + + + + + wsdl.soapAddress.rewrite.wsdl-host + + + wsdl-host + + + + + wsdl.soapAddress.rewrite.wsdl-port + + + wsdl-port + + + + + wsdl.soapAddress.rewrite.wsdl-secure-port + + + wsdl-secure-port + + + + + wsdl.soapAddress.rewrite.wsdl-path-rewrite-rule + + + wsdl-path-rewrite-rule + + + + + wsdl.soapAddress.rewrite.wsdl-uri-scheme + + + wsdl-uri-scheme + + + + + + Here is an example of partial overriding of the default conf= iguration for a specific deployment: + + <?xml version=3D"1.1" encoding=3D"UTF-8"?> +<webservices version=3D"1.2" + xmlns=3D"http://www.jboss.com/xml/ns/javaee" + xmlns:xsi=3D"http://www.w3.org/2001/XMLSchema-instance" + xsi:schemaLocation=3D"http://www.jboss.com/xml/ns/javaee"> + <property> + <name>wsdl.soapAddress.rewrite.wsdl-uri-scheme</name> + <value>https</value> + </property> + <property> + <name>wsdl.soapAddress.rewrite.wsdl-host</name> + <value>foo</value> + </property> +</webservices> + +
+
+ = + System property references + System property references wrapped within "@" characters are= expanded when found in WSDL attribute and element values. This allows for = instance including multiple WS-Policy declarations in the contract and sele= cting the policy to use depending on a server wide system property; here is= an example: + + <wsdl:definitions ...> + ... + <wsdl:binding name=3D"ServiceOneSoapBinding" type=3D"tns:EndpointOne"= > + ... + <wsp:PolicyReference URI=3D"#@org.jboss.wsf.test.JBWS3628TestCase.p= olicy@"/> + <wsdl:operation name=3D"echo"> + ... + </wsdl:operation> + </wsdl:binding> + <wsdl:service name=3D"ServiceOne"> + <wsdl:port binding=3D"tns:ServiceOneSoapBinding" name=3D"EndpointOn= ePort"> + <soap:address location=3D"http://localhost:8080/jaxws-cxf-jbws362= 8/ServiceOne"/> + </wsdl:port> + </wsdl:service> + + <wsp:Policy xmlns:wsu=3D"http://docs.oasis-open.org/wss/2004/01/oasis= -200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsp=3D"http://www.w3.org/ns/w= s-policy" wsu:Id=3D"WS-RM_Policy"> + <wsrmp:RMAssertion xmlns:wsrmp=3D"http://schemas.xmlsoap.org/ws/2005/0= 2/rm/policy"> + ... + </wsrmp:RMAssertion> + </wsp:Policy> + + <wsp:Policy xmlns:wsu=3D"http://docs.oasis-open.org/wss/2004/01/oasis= -200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsp=3D"http://www.w3.org/ns/w= s-policy" + xmlns:wsam=3D"http://www.w3.org/2007/05/addressing/metadata" wsu:Id= =3D"WS-Addressing_policy"> + <wsam:Addressing> + <wsp:Policy/> + </wsam:Addressing> + </wsp:Policy> +</wsdl:definitions> + + + If the + + org.jboss.wsf.test.JBWS3628TestCase= .policy + + system property is defined and set to " + + WS-Addressing_policy + + ", WS-Addressing will be enabled for the endpoint defined by the= contract above. + +
+
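Review bot: the modify-wsdl-address description in this hunk is garbled where it explains the jbossws.undefined.host case: the fragment "' jbossws.undefined.host _' _ the content of <soap:address> URL is use. JBossWS uses the requester's host" runs two sentences together, has stray underscores and reads "is use" for "is used". Since that case means the advertised address is built from the host named in the incoming request rather than from server configuration, the corrected text should say so plainly and recommend setting wsdl-host explicitly for endpoints whose WSDL is reachable by untrusted clients, so that the published address does not depend on whatever host name a requester sends. Two documentation gaps in the same hunk: wsdl-path-rewrite-rule is described as a "SED substitution command" without saying which regular expression syntax and delimiter rules are honoured, and the System property references section does not say what happens when an "@...@" reference names a property that is not defined (left as-is, empty string, or deployment error).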
Modified: stack/cxf/trunk/modules/dist/src/main/doc/chapter-6-JBoss_Modules= .xml =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D --- stack/cxf/trunk/modules/dist/src/main/doc/chapter-6-JBoss_Modules.xml 2= 015-04-22 18:30:24 UTC (rev 19683) +++ stack/cxf/trunk/modules/dist/src/main/doc/chapter-6-JBoss_Modules.xml 2= 015-04-23 12:38:25 UTC (rev 19684) @@ -3,20 +3,20 @@ = JBoss Modules - The JBoss Web Services functionalities are provided by a given s= et of modules / libraries installed on the JBoss Application Server. + The JBoss Web Services functionalities are provided by a given s= et of modules / libraries installed on the server. - On JBoss Application Server 7, those are organized into JBoss Module= s modules. In particular the + On WildFly, those are organized into JBoss Modules modules. In parti= cular the org.jboss.as.webservices.* and org.jboss.ws.* - modules belong to the JBossWS - AS7 integration. Users should not n= eed to change anything in them. + modules belong to the JBossWS - WildFly integration. Users should n= ot need to change anything in them. - While users are of course allowed to provide their own modules f= or their custom needs, below is a brief collection of suggestions and hints= around modules and webservices development on JBoss Application Server 7.<= /para> + While users are of course allowed to provide their own modules f= or their custom needs, below is a brief collection of suggestions and hints= around modules and webservices development on WildFly.
= Setting module dependencies - On JBoss Aplication Server 7 the user deployment classloader does = not have any visibility over JBoss internals; so for instance you can't + On WildFly the user deployment classloader does not have any visi= bility over JBoss internals; so for instance you can't directly use JBossWS implementation @@ -47,7 +47,7 @@ exports the classes from the module to any other module that mig= ht be depending on the module implicitly created for your deployment. - When using annotations on your endpoints / handlers such a= s the Apache CXF ones (@InInterceptor, @GZIP, ...) remember to add the prop= er module dependency in your manifest. Otherwise your annotations are not p= icked up and added to the annotation index by JBoss Application Server 7, r= esulting in them being completely and silently ignored. + When using annotations on your endpoints / handlers such a= s the Apache CXF ones (@InInterceptor, @GZIP, ...) remember to add the prop= er module dependency in your manifest. Otherwise your annotations are not p= icked up and added to the annotation index by WildFly, resulting in them be= ing completely and silently ignored.
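Review bot: style point on the "@@ -3,20" hunk: the rewritten sentence "On WildFly, those are organized into JBoss Modules modules" keeps the doubled word; consider "organized into modules managed by JBoss Modules". In the same hunk "The JBoss Web Services functionalities are provided" would read better as "functionality is provided".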
= @@ -108,15 +108,6 @@
-
- = - Using Spring - - The JBossWS-CXF modules have optional dependencies to the - org.springframework.spring - module. So either create that manually in the application serv= er or use the JBossWS-CXF installation scripts for doing that. - -
= Annotation scanning @@ -136,47 +127,6 @@ = Using jboss-deployment-descriptor.xml In some circumstances, the convenient approach of setting mo= dule dependencies in MANIFEST.MF might not work. An example is the need for= importing/exporting specific resources from a given module dependency. Use= rs should hence add a jboss-deployment-structure.xml descriptor to their de= ployment and set module dependencies in it. -
- = - Spring based in-container Bus creation - - A noteworthy scenario requiring explicit module dependencies d= eclaration is whenever a Spring beans descriptor based Bus is created by us= ers in a in-container client. Spring basically resolves any beans declared = in the descriptor (e.g. - cxf.xml - ), as well as any transitively referenced internal CXF descrip= tor, using the thread context classloader. That is the classloader associat= ed to the deployment, which is different from the classloader used by JBoss= WS internally. As a consequence, in this scenario a - jboss-deployment-structure.xml - as follows is required: - = - - - <jboss-deployment-structure xmlns=3D"urn:jb= oss:deployment-structure:1.2"> - <deployment> - <dependencies> - <module name=3D"org.jboss.ws.cxf.jbossws-cxf-client" servic= es=3D"import" /> - <module name=3D"org.apache.cxf.impl"> - <imports> - <include path=3D"META-INF"/> - <include path=3D"META-INF/cxf"/> - </imports> - </module> - <module name=3D"org.springframework.spring"> - <imports> - <include path=3D"META-INF"/> - </imports> - </module> - </dependencies> - </deployment> -</jboss-deployment-structure> - - - The first dependency ( - org.jboss.ws.cxf.jbossws-cxf-client= - ) loads JBossWS customizations as well as Apache CXF APIs firs= t. The second dependency ( - org.apache.cxf.impl - ) loads the Apache CXF internals (in particular the CXF Spring= Bus class), required by Spring to load the Bus using the deployment classlo= ader. Finally, the third dependency ( - org.springframework.spring - ) is needed to allow resolution of Spring schemas when running= offline. - -
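Review bot: removing the "Using Spring" section ("@@ -108,15") and the "Spring based in-container Bus creation" section with its jboss-deployment-structure.xml example ("@@ -136,47") leaves the chapter without any statement of what happened to Spring support, while the new chapter-8 in this same commit still documents a "spring" Maven profile that "causes Spring libraries to be installed on the target container" and a cxf-spring-tests module. Either add one sentence saying that Spring-based Bus configuration is no longer covered (and where users should look instead), or keep a shortened version of the module dependency list. Also, the unchanged context line at the top of the "@@ -136,47" hunk titles the section "Using jboss-deployment-descriptor.xml" while its body talks about jboss-deployment-structure.xml; the title is the wrong file name and is worth fixing while the section is being edited.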
Added: stack/cxf/trunk/modules/dist/src/main/doc/chapter-8-Build_and_testsu= ite_framework.xml =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D --- stack/cxf/trunk/modules/dist/src/main/doc/chapter-8-Build_and_testsuite= _framework.xml (rev 0) +++ stack/cxf/trunk/modules/dist/src/main/doc/chapter-8-Build_and_testsuite= _framework.xml 2015-04-23 12:38:25 UTC (rev 19684) @@ -0,0 +1,372 @@ + + + + = + Build and testsuite framework +
+ = + Introduction + + The JBossWS project build and testsuites have been completely revi= sited in version 5.0.0.Beta3. As a result, JBossWS uses the + Arquillian + framework to run its integration tests against WildFly containers. + + + There are three test modules in JBossWS' testsuite, + cxf-tests + , + shared-tests + and + cxf-spring-tests + . Each test module requires at least one + WildFly + container to run; multiple containers are used for modules whose t= ests can't run at the same time on the same container. By default, containe= rs are managed (started / stopped) by Arquillian.The JBossWS build system f= etches a copy of the required container from the Maven repository, unpacks = it, patches it installing the current webservices stack on it and finally h= ands it over to Arquillian for the testsuite runs. The test framework also = allows letting Arquillian manage an already available container instance on= the local filesystem. Finally, it's also possible to execute single tests = against a locally running container (non-Arquillian managed) and run the te= sts concurrently. + +
+ = + Prerequisites and requirements + + + Maven version 3.2.2 or higher is required to build and r= un the testsuite. + + + A unique class name for each test across the testsuite's= three child modules; classes may have the same package name across the chi= ld modules but the overall full-qualified name has to be unique to avoid br= eaking concurrent tests runs. + + +
+
+
+ = + Architecture overview + When the build fetches the a container from the Maven reposito= ry, a patched copy of it is put within the target/test-server sub-directory= of each testsuite module. For instance, you could have: + + + ./modules/testsuite/cxf-tests/target/test-server/jbossws-cxf-dis= t-5.0.0-SNAPSHOT/wildfly-8.1.0.Final + = + ./modules/testsuite/shared-tests/target/test-server/jbossws-cxf-= dist-5.0.0-SNAPSHOT/wildfly-8.1.0.Final + = + ./modules/testsuite/cxf-spring-tests/target/test-server/jbossws-= cxf-dist-5.0.0-SNAPSHOT/wildfly-8.1.0.Final + + + + Each container copy is also provided with specific standalone mode= configuration files ( + jbws-testsuite-SOME_IDENTIFIER.xml + ) in the + standalone/configuration + server directory. The actual contents of such descriptors depends = on the tests that are to be run against such container configurations (the = most common difference when compared to the vanilla standalone.xml is the s= etup op additional security domains, system properties, web connectors etc.= ) Each configuration also includes logging setup to ensure logs are written= to unique files ( + jbws-testsuite-SOME_IDENFIFIER.log + ) in + standalone/log + directory. + +
+ = + Target Container Identification + + JBossWS supports the current WildFly release and several back ve= rsions for testing. See the + supported target containers + page for details. + = + Maven profiles are used to identify the target container to be u= sed for testing. The naming convention is + wildflyXYZ + , for example + wildfly820 + to mean WIldFly 8.2.0.Final. + + + To run tests against an existing local copy of a WildFly contain= er, the user must specify the absolute path to the server implementation's = home directory using the command line option, + -Dserver.home=3D/foo/bar + . The server is not expected to be running, as the build will cr= eate various standalone server configurations and start multiple instances = on different port numbers. However, if a single test of few tests are execu= ted only, the user can have those executed against live WildFly instances p= reviously started on the same port numbers expected by the tests. Arquillia= n is configured to detect such scenario and use the available server. + +
+
+ = + Port Mapping + + To facilitate concurrent testing a port offset has been defined = for each of the server configurations. The offsets are defined in the + <properties> + element of the + modules/testsuite/pom.xml + file. + +
+
+
+ = + Command Line Options + As any other Maven-based project, JBossWS is built as follows:= + + mvn -P[profile] -D[options] [phase] + +
+ = + Profile + JBossWS uses Maven profiles to declare the target container = and other types of environment setup. Multiple profiles are provided as a c= omma separated list of profile names. Only a single target container profil= e is allowed at the same time though. + + + + + + Profile + + + + Description + = + + + + + + + + + wildflyXYZ + = + + + + Designates the target container to use, where XYZ = is WildFly's three digit version number + + + + + + spring + = + + + + + Enables Spring support; this causes Spring libraries t= o be installed on the target container and the cxf-spring-tests testsuite m= odule to be also run + = + + + + + + + fast + = + + + + + Declares the tests are to be run concurrently + = + + + + + + + dist + = + + + + + Explicitly includes + dist + module in the build; by default this is automatically = triggered (only) when a + wildflyXYZ + profile is set. + = + + + + + + + testsuite + = + + + + + Explicitly includes the testsuite modules in the build= ; by default this is automatically triggered (only) when a + wildflyXYZ + profile is set. + + + + + + +
+
+ = + Options + Below is a list of the available build / test options: + + + + + + Option + + + + Description + = + + + + + + + + + server.home + = + + + + + Declares the absolute path to a given local server ins= tance. + = + + + + + + exclude-udp-tests + + + Force skipping the UDP tests. This option might be= needed when running on a network that does not allow UDP broadcast. + + + + + + nodeploy + = + + + + + Do not upgrade the WS stack on the target server conta= iner. + = + + + + + + + noprepare + = + + + + Skip integration tests preparation phase, which in= cludes tuning of the server configurations, wsconsume/wsprovide invocations= , etc. + + + + + + debug + = + + + + Turns on Surefire debugging of integration tests o= nly. Debugging address is 5005. + + + + + jboss.bind.address + + + Starts the containers bound to the specified netwo= rk interface address. + + + + + arquillian.deploymentExportPath + + + + Instructs Arquillian to write the actual test deployme= nts to disk in the specified module sub-directory. + = + + + + + + + test + = + + + + + Runs the testcases in the specified comma-separated li= st of JUnit classes + = + + + + + + + maven.surefire.debug + = + + + + + Turns on Surefire debugging in any module including te= sts. + = + + + + + + +
+
+ = + Examples + Build the project, deploy the WS stack to a local copy of Wi= ldFly 8.2.0.Final and run the testsuite: + + mvn -Pwildfly820 -Dserver.home=3D/foo/wildfly-8.= 2.0.Final integration-test + + + Use + WildFly 8.1.0.Final + as the target container (letting the build fetch it), patch it w= ith current WS stack (including Spring libraries) and run only test + BasicDocTestCase + that is located in the + cxf-spring-test + module: + + + mvn -Pwildfly810,spring integration-test -Dtest= =3D"org/jboss/test/ws/jaxws/cxf/wsrm/BasicDocTestCase" + + Build, deploy, then run the tests concurrently. Run till Mav= en post-integration-test phase to trigger test servers shutdown and save me= mory at the end of each testsuite module: + + mvn -Pfast,wildfly810 post-integration-test + + Completely clean the project: + + mvn -Pdist,testsuite,spring clean + + Build the WS stack and install it on a specified server inst= ance without running the integration testsuite: + + mvn -Pwildfly900 -Dserver.home=3D/foo/wildfly-9.= 0.0.Alpha2-SNAPSHOT package + + + When a server.home option is not provided, the build creates a z= ip archive with a vanilla WildFly server patched with the current WS stack:= the zip file path is modules/dist/target/jbossws-cxf-dist-${ + project.version} + -wildflyXYZ.zip + + + mvn -Pwildfly810 package + +
+
+
+ = + Container remote debugging + While debugging the a testcase is simply a matter of providing= the -Ddebug option, remote debugging the container code that runs the WS s= tack requires few additional setup steps. The suggested approach is to iden= tify a single test to run; before actually running the test, manually start= a target container in debug mode and specifying the proper port offset and= server configuration (have a look at the arquillian.xml decriptors in the = testsuite). Then run the tests with -Dserver.home=3D... option pointing to = the home dir for the server currently running. +
+
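Review bot: the server.home option in this new chapter should state up front that the build modifies the installation it points to: the Introduction says the fetched container is patched "installing the current webservices stack on it", the Examples section uses -Dserver.home=... to "install it on a specified server instance", and only the nodeploy row says how to avoid that. A reader pointing server.home at a shared or production WildFly installation will get the current WS stack installed over it; recommend a disposable copy and mention -Dnodeploy next to the option. Related: the debug row documents a debugging address of 5005, Container remote debugging asks the user to "manually start a target container in debug mode", and jboss.bind.address can bind containers to a non-loopback interface; a sentence recommending that debug-enabled test containers stay bound to localhost would fit here. Text fixes in the same hunk: "Arquillian.The JBossWS build" (missing space), "fetches the a container", "setup op additional security domains", "jbws-testsuite-SOME_IDENFIFIER.log" (IDENTIFIER), "WIldFly 8.2.0.Final", "if a single test of few tests are executed only" (a single test or a few tests), "debugging the a testcase", "arquillian.xml decriptors", and the Examples paragraph places BasicDocTestCase in the "cxf-spring-test" module whereas the module is named cxf-spring-tests everywhere else. Finally, the Port Mapping section says the offsets are defined in modules/testsuite/pom.xml but lists none; a short table or the property names would make it actionable.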
Property changes on: stack/cxf/trunk/modules/dist/src/main/doc/chapter-8-Bu= ild_and_testsuite_framework.xml ___________________________________________________________________ Added: svn:mime-type + text/xml Added: svn:keywords + Rev Date Added: svn:eol-style + native