From jbossws-commits at lists.jboss.org Mon Mar 17 06:40:12 2014
From: jbossws-commits at lists.jboss.org
To: jbossws-commits at lists.jboss.org
Subject: [jbossws-commits] JBossWS SVN: r18530 - stack/cxf/trunk/modules/dist/src/main/doc
Date: Mon, 17 Mar 2014 06:40:12 -0400
Message-ID: <201403171040.s2HAeC2J016632@svn01.web.mwc.hst.phx2.redhat.com>
Author: asoldano
Date: 2014-03-17 06:40:11 -0400 (Mon, 17 Mar 2014)
New Revision: 18530
Modified:
stack/cxf/trunk/modules/dist/src/main/doc/Author_Group.xml
stack/cxf/trunk/modules/dist/src/main/doc/Book_Info.xml
stack/cxf/trunk/modules/dist/src/main/doc/Preface.xml
stack/cxf/trunk/modules/dist/src/main/doc/Revision_History.xml
stack/cxf/trunk/modules/dist/src/main/doc/chapter-5-Advanced_User_Guide.xml
Log:
Updating doc
Modified: stack/cxf/trunk/modules/dist/src/main/doc/Author_Group.xml
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
--- stack/cxf/trunk/modules/dist/src/main/doc/Author_Group.xml 2014-03-17 1=
0:37:51 UTC (rev 18529)
+++ stack/cxf/trunk/modules/dist/src/main/doc/Author_Group.xml 2014-03-17 1=
0:40:11 UTC (rev 18530)
@@ -15,4 +15,8 @@
JimMa
+
+ Rebecca
+ Searls
+
Modified: stack/cxf/trunk/modules/dist/src/main/doc/Book_Info.xml
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
--- stack/cxf/trunk/modules/dist/src/main/doc/Book_Info.xml 2014-03-17 10:3=
7:51 UTC (rev 18529)
+++ stack/cxf/trunk/modules/dist/src/main/doc/Book_Info.xml 2014-03-17 10:4=
0:11 UTC (rev 18530)
@@ -4,7 +4,7 @@
JBoss Web Services DocumentationJBossWS - CXF
- 4.1.1.Final
+ 4.3.0.Final
Modified: stack/cxf/trunk/modules/dist/src/main/doc/Preface.xml
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
--- stack/cxf/trunk/modules/dist/src/main/doc/Preface.xml 2014-03-17 10:37:=
51 UTC (rev 18529)
+++ stack/cxf/trunk/modules/dist/src/main/doc/Preface.xml 2014-03-17 10:40:=
11 UTC (rev 18530)
@@ -2,5 +2,5 @@
Preface
- This book covers the documentation of the current JBossWS release.=
The documentation for JBossWS 4 series, with a special focus on the JBoss =
Application Server 7.x integration, is also available online.
+ This book covers the documentation of the current JBossWS release.=
The documentation for JBossWS 4 series, with a special focus on the JBoss =
Application Server 7.x / WildFly 8.x integration, is also available online.
Modified: stack/cxf/trunk/modules/dist/src/main/doc/Revision_History.xml
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
--- stack/cxf/trunk/modules/dist/src/main/doc/Revision_History.xml 2014-03-=
17 10:37:51 UTC (rev 18529)
+++ stack/cxf/trunk/modules/dist/src/main/doc/Revision_History.xml 2014-03-=
17 10:40:11 UTC (rev 18530)
@@ -102,6 +102,20 @@
+
+ 4.3.0
+ Mon Mar 17 2014
+
+ Alessio
+ Soldano
+ alessio.soldano(a)jboss.com
+
+
+
+ JBossWS-CXF 4.3.0 documentation
+
+
+
Modified: stack/cxf/trunk/modules/dist/src/main/doc/chapter-5-Advanced_User=
_Guide.xml
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
--- stack/cxf/trunk/modules/dist/src/main/doc/chapter-5-Advanced_User_Guide=
.xml 2014-03-17 10:37:51 UTC (rev 18529)
+++ stack/cxf/trunk/modules/dist/src/main/doc/chapter-5-Advanced_User_Guide=
.xml 2014-03-17 10:40:11 UTC (rev 18530)
@@ -365,15 +365,16 @@
=
Overview
+ JBossWS enables extra setup configuration data to be predefi=
ned and associated with an endpoint. Endpoint configurations can include J=
AX-WS handlers and key/value properties declarations that control JBossWS =
and Apache CXF internals. Predefined endpoint configurations can be used =
for JAX-WS client and JAX-WS endpoint setup.
- JBossWS comes with a concept of
- predefined configurations
- , which are kind of basic templates that can be used for both JA=
X-WS client and JAX-WS endpoint setup. Configurations can include JAX-WS ha=
ndlers as well as basic key/value properties declarations.
+ Endpoint configurations can be defined in the webservice subsyst=
em and in a deployment descriptor file within the application. There can =
be many endpoint configuration definitions in the webservice subsystem and=
in an application. Each endpoint configuration must have a name that is u=
nique within the server. Configurations defined in an application are loc=
al to the application. Endpoint implementations declare the use of a speci=
fic configuration through the use of the
+ org.jboss.ws.api.annotation.EndpointConfig
+ annotation. An endpoint configuration defined in the webservice=
s subsystem is available to all deployed applications on the server contai=
ner and can be referenced by name in the annotation. An endpoint configura=
tion defined in an application must be referenced by deployment descriptor=
file name and the configuration name in the annotation.
=
Handlers
- For each endpoint configuration, both PRE and POST handler=
chains can be specified. Each handler chain may include JAXWS handlers. Fo=
r outbound messages, PRE handler chain handlers are meant to be executed be=
fore any handler attached to the endpoints using standard JAXWS means (e.g.=
using @HandlerChain), while POST handler chain handlers are executed after=
usual endpoint handlers. For inbound messages, the opposite applies.
+ Each endpoint configuration may be associated with zero or=
more PRE and POST handler chains. Each handler chain may include JAXWS h=
andlers. For outbound messages the PRE handler chains are executed before=
any handler that is attached to the endpoint using the standard means, s=
uch as with annotation @HandlerChain, and POST handler chains are execute=
d after those objects have executed. For inbound messages the POST hand=
ler chains are executed before any handler that is attached to the endpoi=
nt using the standard means and the PRE handler chains are executed after=
those objects have executed.* Server inbound messages
Client --> ... --> POST HANDLER --> ENDPOINT HANDLERS --> PRE =
HANDLERS --> Endpoint
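Review bot: The new Overview paragraph says both that "Each endpoint configuration must have a name that is unique within the server" and that "Configurations defined in an application are local to the application"; as written these contradict each other, so state which scope the uniqueness rule applies to (server-wide for subsystem configurations, per-archive for descriptor configurations, or both). A smaller point in the Handlers paragraph: the inbound ordering sentence ("the POST handler chains are executed before any handler ... and the PRE handler chains are executed after") agrees with the diagram below it, but it is worth saying outright that a PRE-chain handler inspecting incoming messages runs after the endpoint's own @HandlerChain handlers, since readers tend to assume PRE means first in both directions.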
@@ -396,9 +397,9 @@
=
Endpoint configuration assignment
- JAX-WS endpoints can be assigned to a given configuration by a=
nnotating them with the
+ Annotation
org.jboss.ws.api.annotation.EndpointConfig
- annotation:
+ is used to assign an endpoint configuration to a JAX-WS endpo=
int implementation. When assigning a configuration that is defined in the =
webservices subsystem only the configuration name is specified. When assi=
gning a configuration that is defined in the application, the relative pat=
h to the deployment descriptor and the configuration name must be specifie=
d.
@EndpointConfig(configFile =3D "WEB-INF/jaxws-=
endpoint-config.xml", configName =3D "Custom WS-Security Endpoint")
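Review bot: "the relative path to the deployment descriptor" in the rewritten assignment paragraph does not say relative to what; the example configFile = "WEB-INF/jaxws-endpoint-config.xml" implies a path relative to the archive root, so say that explicitly.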
@@ -410,30 +411,16 @@
}
}
+
+
+ =
+ Endpoint Configuration Deployment Descriptor
- The
- configFile
- attribute is used to specify which config file, if any, is to =
be used to load the configuration; if
- configFile
- is not set, the application server configurations are used.
+ Java EE archives that can contain JAX-WS endpoint implementati=
ons can also contain predefined endpoint configurations. All endpoint confi=
guration definitions for a given archive must be provided in a single deplo=
yment descriptor file. The file must reside in directory WEB-INF for a web =
application and directory META-INF for a client and EJB application. The fi=
le name must end with extension .xml and be an implementation of schema
+ jbossws-jaxws-config
+ . Common practice is to use the file name jaxws-endpoint-confi=
g.xml but this is not required.
-
- The
- configName
- attributed is used to specify the name of the configuration to=
be used.
-
-
- Alternatively, configurations can be assigned to endpoints thr=
ough the
- jboss-webservices.xml deployment=
descriptor
- .
-
-
- The configuration file, if any, needs to be included in the en=
dpoint deployment; the
- jbossws-jaxws-config schema
- defines its contents and is included in the
- jbossws-spi
- artifact.
-
+ Many endpoint configurations can be defined within the de=
ployment descriptor file. Each configuration must have a name that is uniq=
ue within the server on which the application is deployed. The configurati=
on name is not referencable by endpoint implementations outside the applic=
ation.
=
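Review bot: The removed sentence "Alternatively, configurations can be assigned to endpoints through the jboss-webservices.xml deployment descriptor" has no counterpart in the new text; if that assignment route is still supported it should be kept (the JASPI section added later in this same change still documents jboss-webservices.xml for the jaspi.security.domain property). Also, "unique within the server on which the application is deployed" sits next to "not referencable by endpoint implementations outside the application"; clarify whether two archives on the same server may each define a configuration with the same name.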
@@ -469,7 +456,7 @@
- JBossWS internally parses the specified configuration file,=
if any, after having resolved it as a resources using the current thread =
context classloader. The
+ JBossWS parses the specified configuration file. The config=
uration file must be found as a resource by the classloader of the current=
thread. The
jbossws-jaxws-config schema
defines the descriptor contents and is included in the
jbossws-spi
@@ -479,7 +466,7 @@
=
Explicit setup
- Alternatively, JBossWS API facility classes can be used =
for assigning configurations when building up a client; JAXWS handlers can =
be read from client configurations as follows:
+ Alternatively, JBossWS API comes with facility classes t=
hat can be used for assigning configurations when building a client. JAXWS=
handlers read from client configurations as follows:import org.jboss.ws.api.configuration.Client=
ConfigUtil;
import org.jboss.ws.api.configuration.ClientConfigurer;
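Review bot: The rewritten sentence "JAXWS handlers read from client configurations as follows:" lost its verb phrase; the removed version read "JAXWS handlers can be read from client configurations as follows", which should be restored. Also "JBossWS API comes with" reads better as "the JBossWS API comes with".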
@@ -661,19 +648,22 @@
=
Authentication
- This page explains the simplest way to authenticate a web serv=
ice user with JBossWS.
- First we secure the access to the SLSB as we would do for nor=
mal (non web service) invocations: this can be easily done through the @Ro=
lesAllowed, @PermitAll, @DenyAll annotation. The allowed user roles can be=
set with these annotations both on the bean class and on any of its busin=
ess methods.
-
- @Stateless
+
+ =
+ Authentication
+ Here the simplest way to authenticate a web service user wit=
h JBossWS is explained.
+ First we secure the access to the SLSB as we would do for n=
ormal (non web service) invocations: this can be easily done through the @=
RolesAllowed, @PermitAll, @DenyAll annotation. The allowed user roles can =
be set with these annotations both on the bean class and on any of its bus=
iness methods.
+
+ @Stateless
@RolesAllowed("friend")
public class EndpointEJB implements EndpointInterface
{
...
}
-
- Similarly POJO endpoints are secured the same way as we do for=
normal web applications in web.xml:
-
- <security-constraint>
+
+ Similarly POJO endpoints are secured the same way as we do f=
or normal web applications in web.xml:
+
+ <security-constraint>
<web-resource-collection>
<web-resource-name>All resources</web-resource-name>
<url-pattern>/*</url-pattern>
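Review bot: The added subsection title "Authentication" (the line inserted in place of the removed "This page explains..." paragraph) duplicates the enclosing section title "Authentication" kept as context above it; give the nested section a distinct title (for example "Securing the endpoint") or merge the two. The re-flowed paragraph and the @RolesAllowed("friend") example are otherwise unchanged.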
@@ -686,44 +676,44 @@
<security-role>
<role-name>friend</role-name>
</security-role>
-
-
- =
- Specify the security domain
-
- Next, specify the security domain for this deployment. This is p=
erformed using the
- @SecurityDomain
- annotation for EJB3 endpoints
-
-
- @Stateless
+
+
+ =
+ Specify the security domain
+
+ Next, specify the security domain for this deployment. This is=
performed using the
+ @SecurityDomain
+ annotation for EJB3 endpoints
+
+
+ @Stateless
@SecurityDomain("JBossWS")
@RolesAllowed("friend")
public class EndpointEJB implements EndpointInterface
{
...
}
-
- or modifying the jboss-web.xml for POJO endpoints
-
-
+
+ or modifying the jboss-web.xml for POJO endpoints
+
+
<jboss-web>
<security-domain>JBossWS</security-domain>
</jboss-web>
-
- The security domain as well as its the authentication and au=
thorization mechanisms are defined differently depending on the JBoss Appli=
cation Server in use.
-
-
- =
- Use BindingProvider to set principal/credential
-
- A web service client may use the
- javax.xml.ws.BindingProvider
- interface to set the username/password combination
-
-
- URL wsdlURL =3D new File("resources/jaxws/sample=
s/context/WEB-INF/wsdl/TestEndpoint.wsdl").toURL();
+
+ The security domain as well as its the authentication and =
authorization mechanisms are defined differently depending on the JBoss App=
lication Server in use.
+
+
+ =
+ Use BindingProvider to set principal/credential
+
+ A web service client may use the
+ javax.xml.ws.BindingProvider
+ interface to set the username/password combination
+
+
+ URL wsdlURL =3D new File("resources/jaxws/samp=
les/context/WEB-INF/wsdl/TestEndpoint.wsdl").toURL();
QName qname =3D new QName("http://org.jboss.ws/jaxws/context", "TestEndpoi=
ntService");
Service service =3D Service.create(wsdlURL, qname);
port =3D (TestEndpoint)service.getPort(TestEndpoint.class);
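Review bot: This hunk is almost entirely re-indentation (lines removed and re-added with identical text), yet the typo "its the authentication and authorization mechanisms" is carried over into the re-added line; drop the stray "the" while these lines are being touched. The re-added client sample also still calls File.toURL(), which is deprecated in favour of toURI().toURL(); consider updating it since readers copy these listings verbatim.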
@@ -731,18 +721,18 @@
BindingProvider bp =3D (BindingProvider)port;
bp.getRequestContext().put(BindingProvider.USERNAME_PROPERTY, "kermit");
bp.getRequestContext().put(BindingProvider.PASSWORD_PROPERTY, "thefrog");<=
/programlisting>
-
-
-
- =
- Using HTTP Basic Auth for security
-
- To enable HTTP Basic authentication you use the
- @WebContext
- annotation on the bean class
-
-
- @Stateless
+
+
+
+ =
+ Using HTTP Basic Auth for security
+
+ To enable HTTP Basic authentication you use the
+ @WebContext
+ annotation on the bean class
+
+
+ @Stateless
@SecurityDomain("JBossWS")
@RolesAllowed("friend")
@WebContext(contextRoot=3D"/my-cxt", urlPattern=3D"/*", authMethod=3D"BASI=
C", transportGuarantee=3D"NONE", secureWSDLAccess=3Dfalse)
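Review bot: The re-added @WebContext example enables BASIC authentication with transportGuarantee="NONE" and secureWSDLAccess=false; since HTTP Basic sends the username/password pair merely base64-encoded, the text should say that a real deployment sets transportGuarantee to CONFIDENTIAL (HTTPS) so the credentials are not exposed on the wire, and should note that secureWSDLAccess=false leaves the WSDL readable without the authentication applied to the service. Otherwise the hunk only re-indents existing lines.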
@@ -750,18 +740,133 @@
{
...
}
+
+
+ For POJO endpoints, we modify the
+ web.xml
+ adding the auth-method element:
+
+
+ <login-config>
+ <auth-method>BASIC</auth-method>
+ <realm-name>Test Realm</realm-name>
+</login-config>
+
+
+
+
+ =
+ JASPI Authentication
+ A Java Authentication SPI (JASPI) provider can be configured=
in WildFly security subsystem to authenticate SOAP messages:
+
+
+<security-domain name=3D"jaspi">
+ <authentication-jaspi>
+ <login-module-stack name=3D"jaas-lm-stack">
+ <login-module code=3D"UsersRoles" flag=3D"required">
+ <module-option name=3D"usersProperties" value=3D"jbos=
sws-users.properties"/>
+ <module-option name=3D"rolesProperties" value=3D"jbos=
sws-roles.properties"/>
+ </login-module>
+ </login-module-stack>
+ <auth-module code=3D"org.jboss.wsf.stack.cxf.jaspi.module.Use=
rnameTokenServerAuthModule" login-module-stack-ref=3D"jaas-lm-stack"/>
+ </authentication-jaspi>
+ </security-domain>
+
+
+
+ For further information on configuring security domains in Wil=
dFly, please refer to
+ here
+ .
+
+
- For POJO endpoints, we modify the
- web.xml
- adding the auth-method element:
+ Here
+ org.jboss.wsf.stack.cxf.jaspi.module.UsernameTokenServerAu=
thModule
+ is the class implementing
+ javax.security.auth.message.module.ServerAuthModule
+ , which delegates to the proper login module to perform authent=
ication using the credentials from WS-Security UsernameToken in the incomin=
g SOAP message. Alternative implementations of
+ ServerAuthModule
+ can be implemented and configured.
+ To enable JASPI authentication, the endpoint deployment need=
s to specify the security domain to use; that can be done in two different =
ways:
+
+
+
+ Setting the
+ jaspi.security.domain
+ property in the
+ jboss-webservices.xml
+ descriptor
+
+
+
- <login-config>
- <auth-method>BASIC</auth-method>
- <realm-name>Test Realm</realm-name>
-</login-config>
+
+<?xml version=3D"1.1" encoding=3D"UTF-8"?>
+<webservices
+ xmlns=3D"http://www.jboss.com/xml/ns/javaee"
+ xmlns:xsi=3D"http://www.w3.org/2001/XMLSchema-instance"
+ version=3D"1.2"
+ xsi:schemaLocation=3D"http://www.jboss.com/xml/ns/javaee">
+
+ <property>
+ <name>jaspi.security.domain</name>
+ <value>jaspi</value>
+ </property>
+
+</webservices>
+
+
+
+
+ Referencing (through
+ @EndpointConfig
+ annotation) an endpoint config that sets the
+ jaspi.security.domain
+ property
+
+
+
+
+
+(a)EndpointConfig(configFile =3D "WEB-INF/jaxws-endpoint-config.xml", conf=
igName =3D "jaspiSecurityDomain")
+public class ServiceEndpointImpl implements ServiceIface {
+
+
+
+ The
+ jaspi.security.domain
+ property is specified as follows in the referenced descriptor:
+
+
+
+<?xml version=3D"1.0" encoding=3D"UTF-8"?>
+<jaxws-config xmlns=3D"urn:jboss:jbossws-jaxws-config:4.0"
+ xmlns:xsi=3D"http://www.w3.org/2001/XMLSchema-instance" xmlns:javaee=3D"h=
ttp://java.sun.com/xml/ns/javaee"
+ xsi:schemaLocation=3D"urn:jboss:jbossws-jaxws-config:4.0 schema/jbossws-j=
axws-config_4_0.xsd">
+ <endpoint-config>
+ <config-name>jaspiSecurityDomain</config-name>
+ <property>
+ <property-name>jaspi.security.domain</property-name>
+ <property-value>jaspi</property-value>
+ </property>
+ </endpoint-config>
+</jaxws-config>
+
+
+
+
+ If the JASPI security domain is specified in both
+ jboss-webservices.xml
+ and config file referenced by
+ @EndpointConfig
+ annotation, the JASPI security domain specified in
+ jboss-webservices.xml
+ will take precedence.
+
+
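Review bot: The annotation in the second @EndpointConfig listing appears as "(a)EndpointConfig(configFile = ...)" rather than "@EndpointConfig(...)"; if that is the literal source text and not list-archive munging of "@", it will not compile and must be corrected, and the same listing shows "public class ServiceEndpointImpl implements ServiceIface {" with no closing brace. Two smaller points: the jboss-webservices.xml sample declares <?xml version="1.1" while the jaxws-config sample declares 1.0; use 1.0 in both unless XML 1.1 is deliberate. The closing precedence paragraph (jboss-webservices.xml wins over the descriptor referenced by @EndpointConfig) is useful; consider also stating what happens when the jaspi.security.domain value names a domain that is not defined in the security subsystem, since a silent fallback there would be a security-relevant surprise.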
@@ -1041,7 +1146,7 @@
BusFactory
to be used leverages the Service API, basically looking for o=
ptional configurations in
META-INF/services/...
- location using the current thread context classloader. JBossW=
S-CXF integration comes with his own implementation of
+ location using the current thread context classloader. JBossW=
S-CXF integration comes with its own implementation of
BusFactory
,
org.jboss.wsf.stack.cxf.client.configuration.JBossWSBusF=
actory
@@ -1109,9 +1214,9 @@
getThreadDefaultBus()
and
getThreadDefaultBus(true)
- first fallback to retrieving the configured global default bus=
before actually trying creating a new instance (and the created new insta=
nce is set as global default bus if that was not there set yet).
+ first fallback to retrieving the configured global default bus=
before actually trying creating a new instance (and the created new insta=
nce is set as global default bus if that was not set there yet).
- The drawback of this mechanism (which is basically fine i=
n JSE environment) is that when running in a JBoss AS container you need t=
o be careful in order not to (mis)use a bus over multiple applications (as=
suming the Apache CXF classes are loaded by the same classloader, which is=
currently the case with AS6 and 7).
+ The drawback of this mechanism (which is basically fine i=
n JSE environment) is that when running in a JBoss AS container you need t=
o be careful in order not to (mis)use a bus over multiple applications (as=
suming the Apache CXF classes are loaded by the same classloader, which is=
currently the case with JBoss AS6, JBoss AS7 and WildFly).Here is a list of general suggestions to avoid problems wh=
en running in-container:
@@ -1138,8 +1243,9 @@
keep in mind thread pooling whenever you customize a =
thread default bus instance (for instance adding bus scope interceptors, .=
..), as that thread and bus might be later reused; so either shutdown the =
bus when you're done or explicitly remove it from the BusFactory thread a=
ssociation.
+ Finally, remember that each time you explictly create a n=
ew Bus instance (factory.createBus()) that is set as thread default bus an=
d global default bus if those are not set yet.
- Finally, remember that each time you explictly create a new B=
us instance (factory.createBus()) that is set as thread default bus and gl=
obal default bus if those are not set yet. The JAXWS
+ The JAXWS
Provider
implementation also creates
Bus
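Review bot: The re-added sentence "each time you explictly create a new Bus instance" carries over the misspelling "explictly"; fix it to "explicitly" since the line is being moved anyway.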
@@ -1147,9 +1253,156 @@
Provider
makes sure the default bus is never internally used and inste=
ad a new
Bus
- is created if required.
+ is created if required (more details on this in the next para=
graph).
+
+ =
+ Bus selection strategies for JAXWS clients
+
+ JAXWS clients require an Apache CXF Bus to be available; the c=
lient is registered within the Bus and the Bus affects the client behavior =
(e.g. through the configured CXF interceptors). The way a bus is internally=
selected for serving a given JAXWS client is very important, especially fo=
r in-container clients; for this reason, JBossWS users can choose the prefe=
rred Bus selection strategy. The strategy is enforced in the
+ javax.xml.ws.spi.Provider
+ implementation from the JBossWS integration, being that called=
whenever a JAXWS
+ Service
+ (client) is requested.
+
+
+ =
+ Thread bus strategy (THREAD_BUS)
+ Each time the vanilla JAXWS api is used to create a Bus,=
the JBossWS-CXF integration will automatically make sure a Bus is currentl=
y associated to the current thread in the BusFactory. If that's not the cas=
e, a new Bus is created and linked to the current thread (to prevent the us=
er from relying on the default Bus). The Apache CXF engine will then create=
the client using the current thread Bus.
+ This is the default strategy, and the most straightforwa=
rd one in Java SE environments; it lets users automatically reuse a previou=
sly created Bus instance and allows using customized Bus that can possibly =
be created and associated to the thread before building up a JAXWS client.<=
/para>
+ The drawback of the strategy is that the link between th=
e Bus instance and the thread needs to be eventually cleaned up (when not n=
eeded anymore). This is really evident in a Java EE environment (hence when=
running in-container), as threads from pools (e.g. serving web requests) a=
re re-used.
+
+ When relying on this strategy, the safest approach to be sur=
e of cleaning up the link is to surround the JAXWS client with a
+ try/finally
+ block as below:
+
+
+ try {
+ Service service =3D Service.create(wsdlURL, serviceQName);
+ MyEndpoint port =3D service.getPort(MyEndpoint.class);
+ //...
+} finally {
+ BusFactory.setThreadDefaultBus(null);
+ // OR (if you don't need the bus and the client anymore)
+ =C2=A0Bus bus =3D BusFactory.getThreadDefaultBus(false);
+ bus.shutdown(true);
+}
+
+
+
+ =
+ New bus strategy (NEW_BUS)
+ Another strategy is to have the JAXWS Provider from the =
JBossWS integration create a new Bus each time a JAXWS client is built. The=
main benefit of this approach is that a fresh bus won't rely on any former=
ly cached information (e.g. cached WSDL / schemas) which might have changed=
after the previous client creation. The main drawback is of course worse p=
erformance as the Bus creation takes time.
+ If there's a bus already associated to the current threa=
d before the JAXWS client creation, that is automatically restored when ret=
urning control to the user; in other words, the newly created bus will be u=
sed only for the created JAXWS client but won't stay associated to the curr=
ent thread at the end of the process. Similarly, if the thread was not asso=
ciated to any bus before the client creation, no bus will be associated to =
the thread at the end of the client creation.
+
+
+ =
+ Thread context classloader bus strategy (TCCL_BUS)
+ The last strategy is to have the bus created for serving=
the client be associated to the current thread context classloader (TCCL).=
That basically means the same Bus instance is shared by JAXWS clients runn=
ing when the same TCCL is set. This is particularly interesting as each web=
application deployment usually has its own context classloader, so this st=
rategy is possibly a way to keep the number of created Bus instances bound =
to the application number in a JBoss AS container.
+ If there's a bus already associated to the current threa=
d before the JAXWS client creation, that is automatically restored when re=
turning control to the user; in other words, the bus corresponding to the =
current thread context classloader will be used only for the created JAXWS=
client but won't stay associated to the current thread at the end of the p=
rocess. If the thread was not associated to any bus before the client crea=
tion, a new bus will be created (and later user for any other client built =
with this strategy and the same TCCL in place); no bus will be associated t=
o the thread at the end of the client creation.
+
+
+ =
+ Strategy configuration
+
+ Users can request a given Bus selection strategy to be used =
for the client being built by specifying one of the following JBossWS featu=
res (which extend
+ javax
+ .
+ xml
+ .
+ ws
+ .
+ WebServiceFeature
+ ):
+
+
+
+
+
+
+ Feature
+
+
+ Strategy
+
+
+
+
+
+
+
+ org.jboss.wsf.stack.cxf.client.UseThreadBusF=
eature
+
+
+
+ THREAD_BUS
+
+
+
+
+
+ org
+ .
+ jboss
+ .
+ wsf
+ .
+ stack
+ .
+ cxf
+ .
+ client.
+ UseNewBusFeature
+
+
+
+ NEW_BUS
+
+
+
+
+
+ org
+ .
+ jboss
+ .
+ wsf
+ .
+ stack
+ .
+ cxf
+ .
+ client.
+ UseTCCLBusFeature
+
+
+
+ TCCL_BUS
+
+
+
+
+
+ The feature is specified as follows:
+
+ Service service =3D Service.create(wsdlURL, =
serviceQName, new UseThreadBusFeature());
+
+
+ If no feature is explicitly specified, the system default st=
rategy is used, which can be modified through the
+ org.jboss.ws.cxf.jaxws-client.bus.strategy
+ system property when starting the JVM. The valid values for =
the property are
+ THREAD_BUS
+ ,
+ NEW_BUS
+ and
+ TCCL_BUS
+ . The default is
+ THREAD_BUS
+ .
+
+
+
=
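Review bot: In the try/finally listing under "Thread bus strategy", the line "Bus bus = BusFactory.getThreadDefaultBus(false);" is preceded by a non-breaking space (the =C2=A0 sequence), which breaks compilation when the listing is pasted; replace it with a normal space. The same finally block shows "BusFactory.setThreadDefaultBus(null);" and the shutdown alternative together with only an "// OR" comment between them; if a reader runs both, getThreadDefaultBus(false) can return null once the thread association has been cleared and bus.shutdown(true) would throw a NullPointerException, so split them into two listings. Also, in the TCCL_BUS paragraph, "later user for any other client" should read "later used".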
@@ -2711,244 +2964,387 @@
=
WS-Trust overview
- The
=
WS-Trust
- specification defines extensions to WS-Security to deal with the=
issuing, renewing, and validating of security tokens; it also defines how =
to establish, assess the presence of, and broker trust relationships betwee=
n participants in a secure message exchange.
+ is a Web service specification that defines extensions to WS-Se=
curity. It is a general framework for implementing security in a distribu=
ted system. The standard is based on a centralized Security Token Service=
, STS, which is capable of authenticating clients and issuing tokens conta=
ining various kinds of authentication and authorization data. The specifi=
cation describes a protocol used for issuance, exchange, and validation of=
security tokens, however the following specifications play an important r=
ole in the WS-Trust architecture:
+ WS-SecurityPolicy 1.2
+ ,
+ SAML 2.0
+ ,
+ Username Token Profile
+ ,
+ X.509 Token Profile
+ ,
+ SAML Token Profile
+ , and
+ Kerberos Token Profile
+ .
+ =
- Complex applications spanning multiple domains typically suffer =
from the need for generating and sharing multiple keys; moreover dealing wi=
th services updates when credentials change is usually painful. With WS-Tru=
st, a trusted
- Security Token Service (STS)
- can be used to obtain security tokens which are then used as aut=
hentication / authorization. A client authenticates itself with the STS bas=
ed on policies and requirements defined by the STS; the STS then provides a=
security token (e.g. a SAML token) that the client then uses to talk to th=
e target service; the service can validate that token to make sure it reall=
y came from the trusted STS.
+ The WS-Trust extensions address the needs of applications that =
span multiple domains and requires the sharing of security keys by providi=
ng a standards based trusted third party web service (STS) to broker trust=
relationships between a Web service requester and a Web service provider=
. This architecture also alleviates the pain of service updates that requ=
ire credential changes by providing a common location for this information=
. The STS is the common access point from which both the requester and pro=
vider retrieves and verifies security tokens.
+ =
-
-
- =
- Security Token Service
- The security token service is the core of the WS-Trust exten=
sion to WS-Security; it is a service that offers some or all of the followi=
ng functionalities:
+ There are three main components of the WS-Trust specificatio=
n.
- issuing security tokens of different types depending on =
the received credentials
+ The Security Token Service (STS), a web service that iss=
ues, renews, and validates security tokens.
- validation of security tokens
+ The message formats for security token requests and resp=
onses.
- renewal of security tokens
+ The mechanisms for key exchange
-
- cancellation of security tokens
-
-
- transformation of security tokens into different type on=
es
-
- In the basic scenario, the WSDL contract for an endpoint ser=
vice will usually include a WS-Security policy stating that a particular se=
curity token type is required to access the service. Clients reading that c=
ontract will ask the STS for a security token of the required type and atta=
ch it to the message invocation to the service. The endpoint service will l=
ocally validate the received token or dispatch it to the STS for validation=
.
+
+ =
+ Security Token Service
+
+ The Security Token Service, STS, is the core of the WS-Trust sp=
ecification. It is a standards based mechanism for authentication and aut=
horization. The STS is an implementation of the WS-Trust specification's =
protocol for issuing, exchanging, and validating security tokens, based on=
token format, namespace, or trust boundaries. The STS is a web service t=
hat acts as a trusted third party to broker trust relationships between a =
Web service requester and a Web service provider. It is a common access p=
oint trusted by both requester and provider to provide interoperable secur=
ity tokens. It removes the need for a direct relationship between the two=
. Because the STS is a standards based mechanism for authentication, it h=
elps ensure interoperability across realms and between different platforms.
+ =
+
+ The STS's WSDL contract defines how other applications and =
processes interact with it. In particular the WSDL defines the WS-Trust a=
nd WS-Security policies that a requester must fulfill in order to success=
fully communicate with the STS's endpoints. A web service requester consu=
mes the STS's WSDL and with the aid of an STSClient utility, generates a m=
essage request compliant with the stated security policies and submits it =
to the STS endpoint. The STS validates the request and returns an appropr=
iate response.
+
=
Apache CXF support
+ Apache CXF is an open-source, fully featured Web services fr=
amework. The JBossWS open source project integrates the JBoss Web Service=
s (JBossWS) stack with the Apache CXF project modules thus providing WS-T=
rust and other JAX-WS functionality in the JBoss Application Server. This=
integration makes it easy to deploy CXF STS implementations, however JBos=
s Application Server can run any WS-Trust compliant STS. In addition the =
Apache CXF API provides a STSClient utility to facilitate web service requ=
ester communication with its STS.
- JBossWS inherits Apache CXF support for WS-Trust, which is fully=
integration with WS-Security Policy support. On client side, a
- STSClient
- is used to contact the STS and e.g get the security token; the
- STSClient
- can either be programmatically provided or automatically created=
by CXF runtime (through policy support) and configured through properties =
as done with plain WS-Security (keystore locations, aliases, etc.).
-
-
- Any specification compliant STS can be used; however Apache CXF =
comes with its own STS implementation, which can be deployed on JBoss Appli=
cation Server using JBossWS integration too. Detailed information on the Ap=
ache CXF STS implementation in a multiple blog post series
+ Detailed information about the Apache CXF's WS-Trust implementat=
ion can be found
here
.
-
+
=
- Example
+ A Basic WS-Trust Scenario
- Here is an example of a basic WS-Trust scenario. A service provi=
der published a WSDL with policy assertions establishing who the communicat=
ion must happen. A SAML 2.0 token issued by an STS is required to access th=
e service endpoint. The client will authenticate itself to the STS using a =
UsernameToken over the symmetric binding and the STS will issue it the desi=
red SAML 2.0 token, which the client will then forwards to the service prov=
ider endpoint. As the
- IssuedToken
- is defined as the
- InitiatorToken
- of the Asymmetric binding in the policy of the service provider,=
the client will use the associated secret key for message signing.
+ Here is an example of a basic WS-Trust scenario. It is comprise=
d of a Web service requester (ws-requester), a Web service provider (ws-=
provider), and a Security Token Service (STS). The ws-provider requires a=
SAML 2.0 token issued from a designed STS to be presented by the ws-reque=
ster using asymmetric binding. These communication requirements are decla=
red in the ws-provider's WSDL. The STS requires ws-requester credentials =
be provided in a WSS UsernameToken format request using symmetric binding.=
The STS's response is provided containing a SAML 2.0 token. These commu=
nication requirements are declared in the STS's WSDL.
+ =
-
+
+
+ A ws-requester contacts the ws-provider and consumes it=
s WSDL. Upon finding the security token issuer requirement, it creates an=
d configures a STSClient with the information it requires to generate a pr=
oper request.
+
+
+ The STSClient contacts the STS and consumes its WSDL. =
The security policies are discovered. The STSClient creates and sends an =
authentication request, with appropriate credentials.
+
+
+ The STS verifies the credentials.
+
+
+ In response, the STS issues a security token that provid=
es proof that the ws-requester has authenticated with the STS.
+
+
+ The STClient presents a message with the security token =
to the ws-provider.
+
+
+ The ws-provider verifies the token was issued by the ST=
S, thus proving the ws-requester has successfully authenticated with the S=
TS.
+
+
+ The ws-provider executes the requested service and retur=
ns the results to the the ws-requester.
+
+
+
=
- Endpoint
- The service provider is a contract-first endpoint and the =
need for WS-Trust communication is completely driven by the wsdl. It comes =
with policies requiring signature and encryption of messages and setting th=
e WS-Trust requirements (SAML 2.0 security token and STS location). WS-Addr=
essingMetadata is used to specify the wsdl location of the STS and the serv=
ive/port name in it to be used:
-
- <?xml version=3D"1.0" encoding=3D"UTF-8" st=
andalone=3D"yes"?>
+ Web service provider
+ This section examines the crucial elements in providing en=
dpoint security in the web service provider described in the basic WS-Trus=
t scenario. The components that will be discussed are.
+
+
+ web service provider's WSDL
+
+
+ web service provider's Interface and Implementation cl=
asses.
+
+
+ ServerCallbackHandler class
+
+
+ Crypto properties and keystore files
+
+
+ MANIFEST.MF
+
+
+
+ =
+ Web service provider WSDL
+ The web service provider is a contract-first endpoint. =
All the WS-trust and security policies for it are declared in the WSDL, S=
ecurityService.wsdl. For this scenario a ws-requester is required to pres=
ent a SAML 2.0 token issued from a designed STS. The address of the STS is=
provided in the WSDL. An asymmetric binding policy is used to encrypt an=
d sign the SOAP body of messages that pass back and forth between ws-reque=
ster and ws-provider. X.509 certificates are use for the asymmetric bindi=
ng. The rules for sharing the public and private keys in the SOAP request=
and response messages are declared. A detailed explanation of the securit=
y settings are provided in the comments in the listing below.
+
+
+ <?xml version=3D"1.0" encoding=3D"UTF-8" standalone=3D"yes"?>
<definitions targetNamespace=3D"http://www.jboss.org/jbossws/ws-extensi=
ons/wssecuritypolicy" name=3D"SecurityService"
- xmlns:tns=3D"http://www.jboss.org/jbossws/ws-extensions/wssecuritypolicy"
- xmlns:xsd=3D"http://www.w3.org/2001/XMLSchema"
- xmlns:soap=3D"http://schemas.xmlsoap.org/wsdl/soap/"
- xmlns=3D"http://schemas.xmlsoap.org/wsdl/"
- xmlns:wsp=3D"http://www.w3.org/ns/ws-policy"
- xmlns:wsam=3D"http://www.w3.org/2007/05/addressing/metadata"
- xmlns:wsu=3D"http://docs.oasis-open.org/wss/2004/01/oasis-200401-w=
ss-wssecurity-utility-1.0.xsd"
- xmlns:wsaws=3D"http://www.w3.org/2005/08/addressing"
- xmlns:sp=3D"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200=
702"
- xmlns:t=3D"http://docs.oasis-open.org/ws-sx/ws-trust/200512">
- <types>
- <xsd:schema>
- <xsd:import namespace=3D"http://www.jboss.org/jbossws/ws-extensio=
ns/wssecuritypolicy" schemaLocation=3D"SecurityService_schema1.xsd"/>
- </xsd:schema>
- </types>
- <message name=3D"sayHello">
- <part name=3D"parameters" element=3D"tns:sayHello"/>
- </message>
- <message name=3D"sayHelloResponse">
- <part name=3D"parameters" element=3D"tns:sayHelloResponse"/>
- </message>
- <portType name=3D"ServiceIface">
- <operation name=3D"sayHello">
- <input message=3D"tns:sayHello"/>
- <output message=3D"tns:sayHelloResponse"/>
- </operation>
- </portType>
- <binding name=3D"SecurityServicePortBinding" type=3D"tns:ServiceIface=
">
- <wsp:PolicyReference URI=3D"#AsymmetricSAML2Policy" />
- <soap:binding transport=3D"http://schemas.xmlsoap.org/soap/http" st=
yle=3D"document"/>
- <operation name=3D"sayHello">
- <soap:operation soapAction=3D""/>
- <input>
- <soap:body use=3D"literal"/>
- <wsp:PolicyReference URI=3D"#Input_Policy" />
- </input>
- <output>
- <soap:body use=3D"literal"/>
- <wsp:PolicyReference URI=3D"#Output_Policy" />
- </output>
- </operation>
- </binding>
- <service name=3D"SecurityService">
- <port name=3D"SecurityServicePort" binding=3D"tns:SecurityServicePo=
rtBinding">
- <soap:address location=3D"http://localhost:8080/jaxws-samples-wss=
e-policy-trust/SecurityService"/>
- </port>
- </service>
+=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0xmlns:tns=3D"http://www.jboss.org/jb=
ossws/ws-extensions/wssecuritypolicy"
+=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0xmlns:xsd=3D"http://www.w3.org/2001/=
XMLSchema"
+=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0xmlns:soap=3D"http://schemas.xmlsoap=
.org/wsdl/soap/"
+=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0xmlns=3D"http://schemas.xmlsoap.org/=
wsdl/"
+=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0xmlns:wsp=3D"http://www.w3.org/ns/ws=
-policy"
+=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0xmlns:wsam=3D"http://www.w3.org/2007=
/05/addressing/metadata"
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 xmlns:wsu=3D"http://docs.oasis-=
open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 xmlns:wsaws=3D"http://www.w3.or=
g/2005/08/addressing"
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 xmlns:sp=3D"http://docs.oasis-o=
pen.org/ws-sx/ws-securitypolicy/200702"
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 xmlns:t=3D"http://docs.oasis-op=
en.org/ws-sx/ws-trust/200512">
+=C2=A0 <types>
+=C2=A0=C2=A0=C2=A0 <xsd:schema>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <xsd:import namespace=3D"http://www.jbos=
s.org/jbossws/ws-extensions/wssecuritypolicy" schemaLocation=3D"SecuritySer=
vice_schema1.xsd"/>
+=C2=A0=C2=A0=C2=A0 </xsd:schema>
+=C2=A0 </types>
+=C2=A0 <message name=3D"sayHello">
+=C2=A0=C2=A0=C2=A0 <part name=3D"parameters" element=3D"tns:sayHello"/&=
gt;
+=C2=A0 </message>
+=C2=A0 <message name=3D"sayHelloResponse">
+=C2=A0=C2=A0=C2=A0 <part name=3D"parameters" element=3D"tns:sayHelloRes=
ponse"/>
+=C2=A0 </message>
+=C2=A0 <portType name=3D"ServiceIface">
+=C2=A0=C2=A0=C2=A0 <operation name=3D"sayHello">
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <input message=3D"tns:sayHello"/>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <output message=3D"tns:sayHelloResponse"=
/>
+=C2=A0=C2=A0=C2=A0 </operation>
+=C2=A0 </portType>
+=C2=A0 <!--
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 The wsp:PolicyReference binds t=
he security requirments on all the STS endpoints.
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 The wsp:Policy wsu:Id=3D"#Asymm=
etricSAML2Policy" element is defined later in this file.
+=C2=A0 -->
+=C2=A0 <binding name=3D"SecurityServicePortBinding" type=3D"tns:Service=
Iface">
+=C2=A0=C2=A0=C2=A0 <wsp:PolicyReference URI=3D"#AsymmetricSAML2Policy" =
/>
+=C2=A0=C2=A0=C2=A0 <soap:binding transport=3D"http://schemas.xmlsoap.or=
g/soap/http" style=3D"document"/>
+=C2=A0=C2=A0=C2=A0 <operation name=3D"sayHello">
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <soap:operation soapAction=3D""/>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <input>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <soap:body use=3D"literal"/&=
gt;
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <wsp:PolicyReference URI=3D"=
#Input_Policy" />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </input>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <output>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <soap:body use=3D"literal"/&=
gt;
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <wsp:PolicyReference URI=3D"=
#Output_Policy" />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </output>
+=C2=A0=C2=A0=C2=A0 </operation>
+=C2=A0 </binding>
+=C2=A0 <service name=3D"SecurityService">
+=C2=A0=C2=A0=C2=A0 <port name=3D"SecurityServicePort" binding=3D"tns:Se=
curityServicePortBinding">
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <soap:address location=3D"http://@jboss.=
bind.address@:8080/jaxws-samples-wsse-policy-trust/SecurityService"/>
+=C2=A0=C2=A0=C2=A0 </port>
+=C2=A0 </service>
+=C2=A0
+=C2=A0 <wsp:Policy wsu:Id=3D"AsymmetricSAML2Policy">
+=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0<wsp:ExactlyOne>
+=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0<wsp:All>
+=C2=A0 <!--
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 The wsam:Addressing element, in=
dicates that the endpoints of this
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 web service MUST conform to the=
WS-Addressing specification.=C2=A0 The
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 attribute wsp:Optional=3D"false=
" enforces this assertion.
+=C2=A0 -->=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0 =C2=A0
+=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=
=A0<wsam:Addressing wsp:Optional=3D"false">
+=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=
=A0=C2=A0=C2=A0 =C2=A0<wsp:Policy />
+=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=
=A0</wsam:Addressing>
+=C2=A0 <!--
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 The sp:AsymmetricBinding elemen=
t indicates that security is provided
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 at the SOAP layer. A public/pri=
vate key combinations is required to
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 protect the message.=C2=A0 The =
initiator will use it=E2=80=99s private key to sign
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 the message and the recipient=
=E2=80=99s public key is used to encrypt the message.
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 The recipient of the message wi=
ll use it=E2=80=99s private key to decrypt it and
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 initiator=E2=80=99s public key =
to verify the signature.
+=C2=A0 -->=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0 =C2=A0
+=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=
=A0<sp:AsymmetricBinding>
+=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=
=A0=C2=A0=C2=A0 =C2=A0<wsp:Policy>
+=C2=A0 <!--
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 The sp:InitiatorToken element s=
pecifies the elements required in
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 generating the initiator reques=
t to the ws-provider's service.
+=C2=A0 -->=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 =C2=A0
+=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=
=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0<sp:InitiatorToken>
+=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=
=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0<wsp:Policy&=
gt;
+=C2=A0 <!--
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 The sp:IssuedToken element asse=
rts that a SAML 2.0 security token is
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 expected from the STS using a p=
ublic key type.=C2=A0 The
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 sp:IncludeToken=3D"http://docs.=
oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipien=
t">
+=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0attribute instructs the runtime to i=
nclude the initiator's public key
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 with every message sent to the =
recipient.
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 The sp:RequestSecurityTokenTemp=
late element directs that all of the
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 children of this element will b=
e copied directly into the body of the
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 RequestSecurityToken (RST) mess=
age that is sent to the STS when the
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 initiator asks the STS to issue=
a token.
+=C2=A0 -->
+=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=
=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =
=C2=A0<sp:IssuedToken
+=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=
=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =
=C2=A0=C2=A0=C2=A0 =C2=A0sp:IncludeToken=3D"http://docs.oasis-open.org/ws-s=
x/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
+=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=
=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =
=C2=A0=C2=A0=C2=A0 =C2=A0<sp:RequestSecurityTokenTemplate>
+=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=
=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =
=C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0<t:TokenType>http://docs.=
oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</t:TokenTyp=
e>
+=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=
=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =
=C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0<t:KeyType>http://docs.oa=
sis-open.org/ws-sx/ws-trust/200512/PublicKey</t:KeyType>
+=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=
=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =
=C2=A0=C2=A0=C2=A0 =C2=A0</sp:RequestSecurityTokenTemplate>
+=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=
=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =
=C2=A0=C2=A0=C2=A0 =C2=A0<wsp:Policy>
+=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=
=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =
=C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0<sp:RequireInternalReference=
/>
+=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=
=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =
=C2=A0=C2=A0=C2=A0 =C2=A0</wsp:Policy>
+=C2=A0 <!--
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 The sp:Issuer element defines t=
he STS's address and endpoint information
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 This information is used by the=
STSClient.
+=C2=A0 -->=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 =C2=A0
+=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=
=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =
=C2=A0=C2=A0=C2=A0 =C2=A0<sp:Issuer>
+=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=
=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =
=C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0<wsaws:Address>http://@jb=
oss.bind.address@:8080/jaxws-samples-wsse-policy-trust-sts/SecurityTokenSer=
vice</wsaws:Address>
+=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=
=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =
=C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0<wsaws:Metadata xmlns:wsdli=
=3D"http://www.w3.org/2006/01/wsdl-instance"
+=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=
=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =
=C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 wsdli:wsdlLoca=
tion=3D"http://@jboss.bind.address@:8080/jaxws-samples-wsse-policy-trust-st=
s/SecurityTokenService?wsdl">
+=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=
=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =
=C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0=C2=A0 <wsaw:Ser=
viceName xmlns:wsaw=3D"http://www.w3.org/2006/05/addressing/wsdl"
+=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=
=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =
=C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0 xmlns:stsns=3D"http://docs.oasis-open.org/ws-sx/ws-trust/200512/"
+=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=
=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =
=C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0 EndpointName=3D"UT_Port">stsns:SecurityTokenService</wsaw:S=
erviceName>
+=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=
=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =
=C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0</wsaws:Metadata>
+=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=
=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =
=C2=A0=C2=A0=C2=A0 =C2=A0</sp:Issuer>
+=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=
=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =
=C2=A0</sp:IssuedToken>
+=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=
=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0</wsp:Policy=
>
+=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=
=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0</sp:InitiatorToken>
+=C2=A0 <!--
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 The sp:RecipientToken element a=
sserts the type of public/private key-pair
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 expected from the recipient.=C2=
=A0 The
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 sp:IncludeToken=3D"http://docs.=
oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
+=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0attribute indicates that the initiat=
or's public key will never be included
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 in the reply messages. =C2=A0
=
- <wsp:Policy wsu:Id=3D"AsymmetricSAML2Policy">
- <wsp:ExactlyOne>
- <wsp:All>
- <wsam:Addressing wsp:Optional=3D"false">
- <wsp:Policy />
- </wsam:Addressing>
- <sp:AsymmetricBinding>
- <wsp:Policy>
- <sp:InitiatorToken>
- <wsp:Policy>
- <sp:IssuedToken
- sp:IncludeToken=3D"http://docs.oasis-open.org/ws-sx/ws-securitypo=
licy/200702/IncludeToken/AlwaysToRecipient">
- <sp:RequestSecurityTokenTemplate>
- <t:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml=
-token-profile-1.1#SAMLV2.0</t:TokenType>
- <t:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/20051=
2/PublicKey</t:KeyType>
- </sp:RequestSecurityTokenTemplate>
- <wsp:Policy>
- <sp:RequireInternalReference />
- </wsp:Policy>
- <sp:Issuer>
- <wsaws:Address>http://localhost:8080/jaxws-samples-wsse-po=
licy-trust-sts/SecurityTokenService</wsaws:Address>
- <wsaws:Metadata xmlns:wsdli=3D"http://www.w3.org/2006/01/wsdl=
-instance"
- wsdli:wsdlLocation=3D"http://localhost:8080/jaxw=
s-samples-wsse-policy-trust-sts/SecurityTokenService?wsdl">
- <wsaw:ServiceName xmlns:wsaw=3D"http://www.w3.org/2006/05=
/addressing/wsdl"
- xmlns:stsns=3D"http://docs.oasis-open.org/ws=
-sx/ws-trust/200512/"
- EndpointName=3D"UT_Port">stsns:SecurityTo=
kenService</wsaw:ServiceName>
- </wsaws:Metadata>
- </sp:Issuer>
- </sp:IssuedToken>
- </wsp:Policy>
- </sp:InitiatorToken>
- <sp:RecipientToken>
- <wsp:Policy>
- <sp:X509Token
- sp:IncludeToken=3D"http://docs.oasis-open.org/ws-sx/ws-securitypo=
licy/200702/IncludeToken/Never">
- <wsp:Policy>
- <sp:WssX509V3Token10 />
- <sp:RequireIssuerSerialReference />
- </wsp:Policy>
- </sp:X509Token>
- </wsp:Policy>
- </sp:RecipientToken>
- <sp:Layout>
- <wsp:Policy>
- <sp:Lax />
- </wsp:Policy>
- </sp:Layout>
- <sp:IncludeTimestamp />
- <sp:OnlySignEntireHeadersAndBody />
- <sp:AlgorithmSuite>
- <wsp:Policy>
- <sp:Basic256 />
- </wsp:Policy>
- </sp:AlgorithmSuite>
- </wsp:Policy>
- </sp:AsymmetricBinding>
- <sp:Wss11>
- <wsp:Policy>
- <sp:MustSupportRefIssuerSerial />
- <sp:MustSupportRefThumbprint />
- <sp:MustSupportRefEncryptedKey />
- </wsp:Policy>
- </sp:Wss11>
- <sp:Trust13>
- <wsp:Policy>
- <sp:MustSupportIssuedTokens />
- <sp:RequireClientEntropy />
- <sp:RequireServerEntropy />
- </wsp:Policy>
- </sp:Trust13>
- </wsp:All>
- </wsp:ExactlyOne>
- </wsp:Policy>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 The sp:WssX509V3Token10 element=
indicates that an X509 Version 3 token
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 should be used in the message.
+=C2=A0 -->=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <sp:R=
ecipientToken>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0 <wsp:Policy>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <sp:X509Token
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 sp:IncludeT=
oken=3D"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeTo=
ken/Never">
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <wsp:Pol=
icy>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0 <sp:WssX509V3Token10 />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0 <sp:RequireIssuerSerialReference />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </wsp:Po=
licy>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </sp:X509Token>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0 </wsp:Policy>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </sp:=
RecipientToken>
+<!--
+=C2=A0=C2=A0=C2=A0=C2=A0 The sp:Layout element,=C2=A0 indicates the layout=
rules to apply when adding
+=C2=A0=C2=A0=C2=A0=C2=A0 items to the security header.=C2=A0 The sp:Lax su=
b-element indicates items
+=C2=A0=C2=A0=C2=A0=C2=A0 are added to the security header in any order tha=
t conforms to
+=C2=A0=C2=A0=C2=A0=C2=A0 WSS: SOAP Message Security.
+-->=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <sp:L=
ayout>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0 <wsp:Policy>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <sp:Lax />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0 </wsp:Policy>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </sp:=
Layout>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <sp:I=
ncludeTimestamp />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <sp:O=
nlySignEntireHeadersAndBody />
+=C2=A0<!--
+=C2=A0=C2=A0=C2=A0=C2=A0 The sp:AlgorithmSuite element, requires the Basic=
256 algorithm suite
+=C2=A0=C2=A0=C2=A0=C2=A0 be used in performing cryptographic operations.
+-->=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <sp:A=
lgorithmSuite>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0 <wsp:Policy>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <sp:Basic256 />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0 </wsp:Policy>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </sp:=
AlgorithmSuite>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </wsp:Policy>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0 </sp:AsymmetricBinding>
+<!--
+=C2=A0=C2=A0=C2=A0 The sp:Wss11 element declares WSS: SOAP Message Securit=
y 1.1 options
+=C2=A0=C2=A0=C2=A0 to be supported by the STS.=C2=A0 These particular elem=
ents generally refer
+=C2=A0=C2=A0=C2=A0 to how keys are referenced within the SOAP envelope.=C2=
=A0 These are normally
+=C2=A0=C2=A0=C2=A0 handled by CXF.
+-->=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0 =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0 <sp:Wss11>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <wsp:Policy>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <sp:M=
ustSupportRefIssuerSerial />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <sp:M=
ustSupportRefThumbprint />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <sp:M=
ustSupportRefEncryptedKey />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </wsp:Policy>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0 </sp:Wss11>
+<!--
+=C2=A0=C2=A0=C2=A0 The sp:Trust13 element declares controls for WS-Trust 1=
.3 options. =C2=A0
+=C2=A0=C2=A0=C2=A0 They are policy assertions related to exchanges specifi=
cally with
+=C2=A0=C2=A0=C2=A0 client and server challenges and entropy behaviors.=C2=
=A0 Again these are
+=C2=A0=C2=A0=C2=A0 normally handled by CXF.
+-->=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0 =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0 <sp:Trust13>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <wsp:Policy>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <sp:M=
ustSupportIssuedTokens />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <sp:R=
equireClientEntropy />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <sp:R=
equireServerEntropy />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </wsp:Policy>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0 </sp:Trust13>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </ws=
p:All>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </wsp:ExactlyOne>
+=C2=A0=C2=A0=C2=A0 </wsp:Policy>
+=C2=A0=C2=A0 =C2=A0
+=C2=A0=C2=A0=C2=A0 <wsp:Policy wsu:Id=3D"Input_Policy">
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <wsp:ExactlyOne>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <wsp=
:All>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0 <sp:EncryptedParts>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <sp:Body />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0 </sp:EncryptedParts>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0 <sp:SignedParts>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <sp:Body />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <sp:Header Name=3D"To" Namesp=
ace=3D"http://www.w3.org/2005/08/addressing" />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <sp:Header Name=3D"From" Name=
space=3D"http://www.w3.org/2005/08/addressing" />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <sp:Header Name=3D"FaultTo" N=
amespace=3D"http://www.w3.org/2005/08/addressing" />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <sp:Header Name=3D"ReplyTo" N=
amespace=3D"http://www.w3.org/2005/08/addressing" />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <sp:Header Name=3D"MessageID"=
Namespace=3D"http://www.w3.org/2005/08/addressing" />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <sp:Header Name=3D"RelatesTo"=
Namespace=3D"http://www.w3.org/2005/08/addressing" />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <sp:Header Name=3D"Action" Na=
mespace=3D"http://www.w3.org/2005/08/addressing" />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0 </sp:SignedParts>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </ws=
p:All>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </wsp:ExactlyOne>
+=C2=A0=C2=A0=C2=A0 </wsp:Policy>
+=C2=A0=C2=A0 =C2=A0
+=C2=A0=C2=A0=C2=A0 <wsp:Policy wsu:Id=3D"Output_Policy">
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <wsp:ExactlyOne>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <wsp=
:All>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0 <sp:EncryptedParts>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <sp:Body />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0 </sp:EncryptedParts>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0 <sp:SignedParts>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <sp:Body />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <sp:Header Name=3D"To" Namesp=
ace=3D"http://www.w3.org/2005/08/addressing" />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <sp:Header Name=3D"From" Name=
space=3D"http://www.w3.org/2005/08/addressing" />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <sp:Header Name=3D"FaultTo" N=
amespace=3D"http://www.w3.org/2005/08/addressing" />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <sp:Header Name=3D"ReplyTo" N=
amespace=3D"http://www.w3.org/2005/08/addressing" />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <sp:Header Name=3D"MessageID"=
Namespace=3D"http://www.w3.org/2005/08/addressing" />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <sp:Header Name=3D"RelatesTo"=
Namespace=3D"http://www.w3.org/2005/08/addressing" />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <sp:Header Name=3D"Action" Na=
mespace=3D"http://www.w3.org/2005/08/addressing" />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0 </sp:SignedParts>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </ws=
p:All>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </wsp:ExactlyOne>
+=C2=A0=C2=A0=C2=A0 </wsp:Policy>
+</definitions>
+
+
+
+
+ =
+ Web service provider Interface
+ The web service provider interface class, ServiceIface, =
is a simple straight forward web service definition.
+
+
+package org.jboss.test.ws.jaxws.samples.wsse.policy.trust.service;
=
- <wsp:Policy wsu:Id=3D"Input_Policy">
- <wsp:ExactlyOne>
- <wsp:All>
- <sp:EncryptedParts>
- <sp:Body />
- </sp:EncryptedParts>
- <sp:SignedParts>
- <sp:Body />
- <sp:Header Name=3D"To" Namespace=3D"http://www.w3.org/2005/08/addr=
essing" />
- <sp:Header Name=3D"From" Namespace=3D"http://www.w3.org/2005/08/ad=
dressing" />
- <sp:Header Name=3D"FaultTo" Namespace=3D"http://www.w3.org/2005/08=
/addressing" />
- <sp:Header Name=3D"ReplyTo" Namespace=3D"http://www.w3.org/2005/08=
/addressing" />
- <sp:Header Name=3D"MessageID" Namespace=3D"http://www.w3.org/2005/=
08/addressing" />
- <sp:Header Name=3D"RelatesTo" Namespace=3D"http://www.w3.org/2005/=
08/addressing" />
- <sp:Header Name=3D"Action" Namespace=3D"http://www.w3.org/2005/08/=
addressing" />
- </sp:SignedParts>
- </wsp:All>
- </wsp:ExactlyOne>
- </wsp:Policy>
+import javax.jws.WebMethod;
+import javax.jws.WebService;
=
- <wsp:Policy wsu:Id=3D"Output_Policy">
- <wsp:ExactlyOne>
- <wsp:All>
- <sp:EncryptedParts>
- <sp:Body />
- </sp:EncryptedParts>
- <sp:SignedParts>
- <sp:Body />
- <sp:Header Name=3D"To" Namespace=3D"http://www.w3.org/2005/08/addr=
essing" />
- <sp:Header Name=3D"From" Namespace=3D"http://www.w3.org/2005/08/ad=
dressing" />
- <sp:Header Name=3D"FaultTo" Namespace=3D"http://www.w3.org/2005/08=
/addressing" />
- <sp:Header Name=3D"ReplyTo" Namespace=3D"http://www.w3.org/2005/08=
/addressing" />
- <sp:Header Name=3D"MessageID" Namespace=3D"http://www.w3.org/2005/=
08/addressing" />
- <sp:Header Name=3D"RelatesTo" Namespace=3D"http://www.w3.org/2005/=
08/addressing" />
- <sp:Header Name=3D"Action" Namespace=3D"http://www.w3.org/2005/08/=
addressing" />
- </sp:SignedParts>
- </wsp:All>
- </wsp:ExactlyOne>
- </wsp:Policy>
-</definitions>
-
-
- The endpoint implementation class is a POJO featuring Apache C=
XF
- @EndpointProperty
- annotations to provide
- WSS4J
- security properties:
-
-
- package org.jboss.test.ws.jaxws.samples.wsse.p=
olicy.trust;
+(a)WebService
+(
+=C2=A0=C2=A0 targetNamespace =3D "http://www.jboss.org/jbossws/ws-extensio=
ns/wssecuritypolicy"
+)
+public interface ServiceIface
+{
+=C2=A0=C2=A0 @WebMethod
+=C2=A0=C2=A0 String sayHello();
+}
+
+
+
+
+ =
+ Web service provider Implementation
+
+ The web service provider implementation class, ServiceImpl, =
is a simple POJO. It uses the standard WebService annotation to define th=
e service endpoint. In addition there are two Apache CXF annotations, En=
dpointProperties and EndpointProperty used for configuring the endpoint fo=
r the CXF runtime. These annotations come from the
+ Apache WSS4J pro=
ject
+ , which provides a Java implementation of the primary WS-Se=
curity standards for Web Services. These annotations are programmatically=
adding properties to the endpoint. Traditionally, these properties woul=
d be set via the <jaxws:properties> element on the <jaxws:endpoin=
t> element in the spring config, but these annotations allow the proper=
ties to be configured in the code.
+
+ WSS4J uses the Crypto interface to get keys and certifi=
cates for encryption/decryption and for signature creation/verification. =
As is asserted by the WSDL, X509 keys and certificates are required for th=
is service. The WSS4J configuration information being provided by Servic=
eImpl is for Crypto's Merlin implementation. More information will be pro=
vided about this in the keystore section.
+ The first EndpointProperty statement in the listing is d=
eclaring the user's name to use for the message signature. It is used as =
the alias name in the keystore to get the user's cert and private key for =
signature. The next two EndpointProperty statements declares the Java prop=
erties file that contains the (Merlin) crypto configuration information. =
In this case both for signing and encrypting the messages. WSS4J reads th=
is file and extra required information for message handling. The last End=
pointProperty statement declares the ServerCallbackHandler implementation c=
lass. It is used to obtain the user's password for the certificates in th=
e keystore file.
+
+
+package org.jboss.test.ws.jaxws.samples.wsse.policy.trust.service;
=
import javax.jws.WebService;
=
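Review bot: the new "Web service provider Implementation" paragraph contradicts itself about where EndpointProperties/EndpointProperty come from: it first calls them "two Apache CXF annotations" and two sentences later says "These annotations come from the Apache WSS4J project". They are CXF annotations (org.apache.cxf.annotations); WSS4J supplies the Crypto/Merlin implementation that the ws-security.* property values configure, so the second sentence should say the property keys configure WSS4J rather than that the annotations come from it. Also "WSS4J reads this file and extra required information for message handling" should read "extracts the required information", and "the spring config" would be clearer as "the Spring configuration".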
@@ -2957,211 +3353,538 @@
=
@WebService
(
- portName =3D "SecurityServicePort",
- serviceName =3D "SecurityService",
- wsdlLocation =3D "WEB-INF/wsdl/SecurityService.wsdl",
- targetNamespace =3D "http://www.jboss.org/jbossws/ws-extensions/wssecur=
itypolicy",
- endpointInterface =3D "org.jboss.test.ws.jaxws.samples.wsse.policy.trus=
t.ServiceIface"
+=C2=A0=C2=A0 portName =3D "SecurityServicePort",
+=C2=A0=C2=A0 serviceName =3D "SecurityService",
+=C2=A0=C2=A0 wsdlLocation =3D "WEB-INF/wsdl/SecurityService.wsdl",
+=C2=A0=C2=A0 targetNamespace =3D "http://www.jboss.org/jbossws/ws-extensio=
ns/wssecuritypolicy",
+=C2=A0=C2=A0 endpointInterface =3D "org.jboss.test.ws.jaxws.samples.wsse.p=
olicy.trust.service.ServiceIface"
)
@EndpointProperties(value =3D {
- @EndpointProperty(key =3D "ws-security.signature.username", value =
=3D "myservicekey"),
- @EndpointProperty(key =3D "ws-security.signature.properties", value =
=3D "serviceKeystore.properties"),
- @EndpointProperty(key =3D "ws-security.encryption.properties", value=
=3D "serviceKeystore.properties"),
- @EndpointProperty(key =3D "ws-security.callback-handler", value =3D =
"org.jboss.test.ws.jaxws.samples.wsse.policy.trust.ServerCallbackHandler")
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 @EndpointProperty(key =3D "ws-security.sign=
ature.username", value =3D "myservicekey"),
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 @EndpointProperty(key =3D "ws-security.sign=
ature.properties", value =3D "serviceKeystore.properties"),
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 @EndpointProperty(key =3D "ws-security.encr=
yption.properties", value =3D "serviceKeystore.properties"),
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 @EndpointProperty(key =3D "ws-security.call=
back-handler", value =3D "org.jboss.test.ws.jaxws.samples.wsse.policy.trust=
.service.ServerCallbackHandler")
})
public class ServiceImpl implements ServiceIface
{
- public String sayHello()
- {
- return "WS-Trust Hello World!";
- }
-}
-
-
- ... the
- serviceKeystore.properties
- file references the keystore, aliases, etc.
-
-
- org.apache.ws.security.crypto.provider=3Dorg.a=
pache.ws.security.components.crypto.Merlin
-org.apache.ws.security.crypto.merlin.keystore.type=3Djks
-org.apache.ws.security.crypto.merlin.keystore.password=3Dsspass
-org.apache.ws.security.crypto.merlin.keystore.alias=3Dmyservicekey
-org.apache.ws.security.crypto.merlin.keystore.file=3Dservicestore.jks
-
-
- ... while
- ServerCallbackHandler
- is an usual implementation of
- CallbackHandler
- to allow Apache CXF access to the keystore:
-
-
- package org.jboss.test.ws.jaxws.samples.wsse.p=
olicy.trust;
+=C2=A0=C2=A0 public String sayHello()
+=C2=A0=C2=A0 {
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 return "WS-Trust Hello World!";
+=C2=A0=C2=A0 }
+}
+
+
+
+
+ =
+ ServerCallbackHandler
+ ServerCallbackHandler is a callback handler for the WSS4=
J Crypto API. It is used to obtain the password for the private key in th=
e keystore. This class enables CXF to retrieve the password of the user n=
ame to use for the message signature. A certificates' password is not di=
scoverable. The creator of the certificate must record the password he as=
signs and provide it when requested through the CallbackHandler. In this =
scenario skpass is the password for user myservicekey.
+
+
+ package org.jboss.test.ws.jaxws.samples.wsse.policy.trust.service;
=
-import java.io.IOException;
-import javax.security.auth.callback.Callback;
-import javax.security.auth.callback.CallbackHandler;
-import javax.security.auth.callback.UnsupportedCallbackException;
-import org.apache.ws.security.WSPasswordCallback;
+import java.util.HashMap;
+import java.util.Map;
=
-public class ServerCallbackHandler implements CallbackHandler {
+import org.jboss.wsf.stack.cxf.extensions.security.PasswordCallbackHandler;
=
- public void handle(Callback[] callbacks) throws IOException,
- UnsupportedCallbackException {
- for (int i =3D 0; i < callbacks.length; i++) {
- if (callbacks[i] instanceof WSPasswordCallback) {
- WSPasswordCallback pc =3D (WSPasswordCallback) callbacks[i=
];
- if ("myservicekey".equals(pc.getIdentifier())) {
- pc.setPassword("skpass");
- break;
- }
- }
- }
- }
-}
-
-
- Assuming the
- servicestore.jks
- keystore has been properly generated and contains service prov=
ider (server) full key (private/certificate + public key) as well as the ST=
S public key, we can proceed to packaging the endpoint. Here is the expecte=
d content (the endpoint is a
- POJO
- one in a
- war
- archive, but
- EJB3
- endpoints in
- jar
- archives are of course also supported):
-
-
- alessio(a)inuyasha /dati/jbossws/stack/cxf/tru=
nk $ jar -tvf ./modules/testsuite/cxf-tests/target/test-libs/jaxws-samples-=
wsse-policy-trust.war
- 0 Thu Jun 21 14:03:24 CEST 2012 META-INF/
- 159 Thu Jun 21 14:03:22 CEST 2012 META-INF/MANIFEST.MF
- 0 Thu Jun 21 14:03:24 CEST 2012 WEB-INF/
- 0 Thu Jun 21 14:03:24 CEST 2012 WEB-INF/classes/
- 0 Thu Jun 21 14:03:20 CEST 2012 WEB-INF/classes/org/
- 0 Thu Jun 21 14:03:20 CEST 2012 WEB-INF/classes/org/jboss/
- 0 Thu Jun 21 14:03:20 CEST 2012 WEB-INF/classes/org/jboss/test/
- 0 Thu Jun 21 14:03:22 CEST 2012 WEB-INF/classes/org/jboss/test/ws/
- 0 Thu Jun 21 14:03:20 CEST 2012 WEB-INF/classes/org/jboss/test/ws/jax=
ws/
- 0 Thu Jun 21 14:03:20 CEST 2012 WEB-INF/classes/org/jboss/test/ws/jax=
ws/samples/
- 0 Thu Jun 21 14:03:20 CEST 2012 WEB-INF/classes/org/jboss/test/ws/jax=
ws/samples/wsse/
- 0 Thu Jun 21 14:03:20 CEST 2012 WEB-INF/classes/org/jboss/test/ws/jax=
ws/samples/wsse/policy/
- 0 Thu Jun 21 14:03:22 CEST 2012 WEB-INF/classes/org/jboss/test/ws/jax=
ws/samples/wsse/policy/jaxws/
- 705 Thu Jun 21 14:03:22 CEST 2012 WEB-INF/classes/org/jboss/test/ws/jax=
ws/samples/wsse/policy/jaxws/SayHello.class
- 1069 Thu Jun 21 14:03:22 CEST 2012 WEB-INF/classes/org/jboss/test/ws/jax=
ws/samples/wsse/policy/jaxws/SayHelloResponse.class
- 0 Thu Jun 21 14:03:22 CEST 2012 WEB-INF/classes/org/jboss/test/ws/jax=
ws/samples/wsse/policy/trust/
- 1159 Thu Jun 21 14:03:22 CEST 2012 WEB-INF/classes/org/jboss/test/ws/jax=
ws/samples/wsse/policy/trust/ServerCallbackHandler.class
- 383 Thu Jun 21 14:03:20 CEST 2012 WEB-INF/classes/org/jboss/test/ws/jax=
ws/samples/wsse/policy/trust/ServiceIface.class
- 1365 Thu Jun 21 14:03:20 CEST 2012 WEB-INF/classes/org/jboss/test/ws/jax=
ws/samples/wsse/policy/trust/ServiceImpl.class
- 0 Thu Jun 21 14:03:18 CEST 2012 WEB-INF/wsdl/
- 6478 Thu Jun 21 14:03:18 CEST 2012 WEB-INF/wsdl/SecurityService.wsdl
- 653 Thu Jun 21 14:03:18 CEST 2012 WEB-INF/wsdl/SecurityService_schema1.=
xsd
- 1121 Thu Jun 21 14:03:18 CEST 2012 WEB-INF/classes/serviceKeystore.prope=
rties
- 3350 Thu Jun 21 14:03:18 CEST 2012 WEB-INF/classes/servicestore.jks
-
- As you can see, the jaxws classes generated by the tools a=
re of course also included. The manifest declares the JBoss Modules depende=
ncies for allowing Apache CXF annotations and WSS4J usage:
-
- Manifest-Version: 1.0
-Ant-Version: Apache Ant 1.8.2
-Created-By: 1.6.0_26-b03 (Sun Microsystems Inc.)
-Dependencies: org.apache.ws.security,org.apache.cxf
-
-
-
- =
- Client
-
- You start by consuming the published WSDL contract using the
- wsconsume
- tool on client side too. Then you simply invoke the the endpoi=
nt as a standard JAX-WS one:
-
-
- QName serviceName =3D new QName("http://www.jb=
oss.org/jbossws/ws-extensions/wssecuritypolicy", "SecurityService");
-URL wsdlURL =3D new URL(serviceURL + "?wsdl");
-Service service =3D Service.create(wsdlURL, serviceName);
-ServiceIface proxy =3D (ServiceIface) service.getPort(ServiceIface.class);
+public class ServerCallbackHandler extends PasswordCallbackHandler
+{
=
-//setup WS-Security
-Map<String, Object> ctx =3D ((BindingProvider) proxy).getRequestCont=
ext();
-ctx.put(SecurityConstants.CALLBACK_HANDLER, new ClientCallbackHandler());
-ctx.put(SecurityConstants.SIGNATURE_PROPERTIES, Thread.currentThread().get=
ContextClassLoader().getResource("META-INF/clientKeystore.properties"));
-ctx.put(SecurityConstants.ENCRYPT_PROPERTIES, Thread.currentThread().getCo=
ntextClassLoader().getResource("META-INF/clientKeystore.properties"));
-ctx.put(SecurityConstants.SIGNATURE_USERNAME, "myclientkey");
-ctx.put(SecurityConstants.ENCRYPT_USERNAME, "myservicekey");
-ctx.put(SecurityConstants.USERNAME + ".it", "alice");
-ctx.put(SecurityConstants.CALLBACK_HANDLER + ".it", new ClientCallbackHand=
ler());
-ctx.put(SecurityConstants.ENCRYPT_PROPERTIES + ".it", Thread.currentThread=
().getContextClassLoader().getResource("META-INF/clientKeystore.properties"=
));
-ctx.put(SecurityConstants.ENCRYPT_USERNAME + ".it", "mystskey");
-ctx.put(SecurityConstants.STS_TOKEN_USERNAME + ".it", "myclientkey");
-ctx.put(SecurityConstants.STS_TOKEN_PROPERTIES + ".it", Thread.currentThre=
ad().getContextClassLoader().getResource("META-INF/clientKeystore.propertie=
s"));
-ctx.put(SecurityConstants.STS_TOKEN_USE_CERT_FOR_KEYINFO + ".it", "true");
-ctx.put("ws-security.sts.disable-wsmex-call-using-epr-address", "true");
+=C2=A0=C2=A0 public ServerCallbackHandler()
+=C2=A0=C2=A0 {
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 super(getInitMap());
+=C2=A0=C2=A0 }
=
-proxy.sayHello();
-
-
- As you can see, as usual the WS-Security properties are set in=
the request context. The
- ".it"
- suffix is used for properties related to communication with th=
e Security Token Service (which is described below and also includes polici=
es enforcing signed and encrypted messages). The
-
- ClientCallbackHandler
-
- is basically similar to the endpoint server one. The
- clientKeystore.properties
- file is the client side equivalent of the
- serviceKeystore.properties
- and references the
- clientstore.jks
- keystore file, which has been populated with the client full k=
ey (private/certificate + public key) as well as the server endpoint and ST=
S public keys.
-
-
- org.apache.ws.security.crypto.provider=3Dorg.a=
pache.ws.security.components.crypto.Merlin
+=C2=A0=C2=A0 private static Map<String, String> getInitMap()
+=C2=A0=C2=A0 {
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Map<String, String> passwords =3D new=
HashMap<String, String>();
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 passwords.put("myservicekey", "skpass");
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 return passwords;
+=C2=A0=C2=A0 }
+}
+
+
+
+
+ =
+ Crypto properties and keystore files
+ WSS4J's Crypto implementation is loaded and configured v=
ia a Java properties file that contains Crypto configuration data. The fi=
le contains implementation-specific properties such as a keystore location=
, password, default alias and the like. This application is using the Me=
rlin implementation. File serviceKeystore.properties contains this informa=
tion.
+
+ File servicestore.jks, is a Java KeyStore (JKS) repository.=
It contains self signed certificates for myservicekey and mystskey.
+ Self signed certificates are not =
appropriate for production use.
+
+
+
+org.apache.ws.security.crypto.provider=3Dorg.apache.ws.security.components=
.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=3Djks
-org.apache.ws.security.crypto.merlin.keystore.password=3Dcspass
-org.apache.ws.security.crypto.merlin.keystore.alias=3Dmyclientkey
-org.apache.ws.security.crypto.merlin.keystore.file=3DMETA-INF/clientstore.=
jks
-
- The Apache CXF WS-Policy engine will digest the security r=
equirements in the endpoint contract and ensure a valid secure communicatio=
n is in place for interacting with the server endpoint. More in details, he=
re is what will be happening:
-
+org.apache.ws.security.crypto.merlin.keystore.password=3Dsspass
+org.apache.ws.security.crypto.merlin.keystore.alias=3Dmyservicekey
+org.apache.ws.security.crypto.merlin.keystore.file=3Dservicestore.jks
+
+
+
+
+ =
+ MANIFEST.MF
+ When deployed on JBoss Application Server this applicati=
on requires access to the JBossWs and CXF APIs provided in module org.jbo=
ss.ws.cxf.jbossws-cxf-client. The dependency statement directs the server =
to provide them at deployment.
+
+
+Manifest-Version: 1.0 =C2=A0
+Ant-Version: Apache Ant 1.8.2 =C2=A0
+Created-By: 1.7.0_25-b15 (Oracle Corporation) =C2=A0
+Dependencies: org.jboss.ws.cxf.jbossws-cxf-client
+
+
+
+
+
+ =
+ Security Token Service (STS)
+ This section examines the crucial elements in providing th=
e Security Token Service functionality described in the basic WS-Trust sce=
nario. The components that will be discussed are.
+
- the client get the service endpoint WSDL; the Apache C=
XF engine parses it, processes the included policy and decides to contact t=
he STS
+ STS's WSDL
- the STS client is automatically injected into the appl=
ication client and gets the STS wsdl; the Apache CXF engine processes the p=
olicy in it
+ STS's implementation class.
- a WS-Security enabled communication (as per STS advert=
ised policy) is established and the client issues a request for getting a S=
AML assertion token from the STS
+ STSCallbackHandler class
- the STS endpoint receives the request, extracts the cl=
ient identify from it and authenticates the client
+ Crypto properties and keystore files
- the SAML token is returned to the client, which uses i=
t for establishing a new connection with the service endpoint; the Apache C=
XF engine again setups signature/encryption as per endpoint advertised poli=
cy
+ MANIFEST.MF
- the service endpoint receives the token provided throu=
gh the STS and performs the required operation
+ Server configuration files
-
-
-
- =
- Apache CXF STS
-
- As mentioned above, Apache CXF comes with its own Security Tok=
en Service implementation. That is completely configurable and can be used =
as a JAX-WS
- WebServiceProvider
- endpoint running in payload service mode. An extension to the =
org.apache.cxf.ws.security.sts.provider.SecurityTokenServiceProvider is cre=
ated, properly annotated and included in an usual webservice endpoint deplo=
yment.
-
-
- package org.jboss.test.ws.jaxws.samples.wsse.p=
olicy.trust;
+
+
+ =
+ STS WSDL
+ The STS is a contract-first endpoint. All the WS-trust =
and security policies for it are declared in the WSDL, ws-trust-1.4-servic=
e.wsdl. A symmetric binding policy is used to encrypt and sign the SOAP b=
ody of messages that pass back and forth between ws-requester and the STS.=
The ws-requester is required to authenticate itself by providing WSS Us=
ernameToken credentials. The rules for sharing the public and private key=
s in the SOAP request and response messages are declared. A detailed expla=
nation of the security settings are provided in the comments in the listin=
g below.
+
+
+ <?xml version=3D"1.0" encoding=3D"UTF-8"?>
+<wsdl:definitions
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 targetNamespace=3D"http://docs.=
oasis-open.org/ws-sx/ws-trust/200512/"
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 xmlns:tns=3D"http://docs.oasis-=
open.org/ws-sx/ws-trust/200512/"
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 xmlns:wstrust=3D"http://docs.oa=
sis-open.org/ws-sx/ws-trust/200512/"
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 xmlns:wsdl=3D"http://schemas.xm=
lsoap.org/wsdl/"
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 xmlns:soap=3D"http://schemas.xm=
lsoap.org/wsdl/soap/"
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 xmlns:wsap10=3D"http://www.w3.o=
rg/2006/05/addressing/wsdl"
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 xmlns:wsu=3D"http://docs.oasis-=
open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 xmlns:wsp=3D"http://www.w3.org/=
ns/ws-policy"
+=C2=A0=C2=A0=C2=A0 xmlns:wst=3D"http://docs.oasis-open.org/ws-sx/ws-trust/=
200512"
+=C2=A0=C2=A0=C2=A0 xmlns:xs=3D"http://www.w3.org/2001/XMLSchema"
+=C2=A0=C2=A0=C2=A0 xmlns:wsam=3D"http://www.w3.org/2007/05/addressing/meta=
data">
=
+=C2=A0 <wsdl:types>
+=C2=A0=C2=A0=C2=A0 <xs:schema elementFormDefault=3D"qualified" targetNa=
mespace=3D'http://docs.oasis-open.org/ws-sx/ws-trust/200512'>
+
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <xs:element name=3D'RequestSecurityToken=
' type=3D'wst:AbstractRequestSecurityTokenType' />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <xs:element name=3D'RequestSecurityToken=
Response' type=3D'wst:AbstractRequestSecurityTokenType' />
+
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <xs:complexType name=3D'AbstractRequestS=
ecurityTokenType' >
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <xs:sequence>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <xs:any namespac=
e=3D'##any' processContents=3D'lax' minOccurs=3D'0' maxOccurs=3D'unbounded'=
/>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </xs:sequence>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <xs:attribute name=3D'Contex=
t' type=3D'xs:anyURI' use=3D'optional' />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <xs:anyAttribute namespace=
=3D'##other' processContents=3D'lax' />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </xs:complexType>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <xs:element name=3D'RequestSecurityToken=
Collection' type=3D'wst:RequestSecurityTokenCollectionType' />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <xs:complexType name=3D'RequestSecurityT=
okenCollectionType' >
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <xs:sequence>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <xs:element name=
=3D'RequestSecurityToken' type=3D'wst:AbstractRequestSecurityTokenType' min=
Occurs=3D'2' maxOccurs=3D'unbounded'/>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </xs:sequence>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </xs:complexType>
+
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <xs:element name=3D'RequestSecurityToken=
ResponseCollection' type=3D'wst:RequestSecurityTokenResponseCollectionType'=
/>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <xs:complexType name=3D'RequestSecurityT=
okenResponseCollectionType' >
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <xs:sequence>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <xs:element ref=
=3D'wst:RequestSecurityTokenResponse' minOccurs=3D'1' maxOccurs=3D'unbounde=
d' />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </xs:sequence>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <xs:anyAttribute namespace=
=3D'##other' processContents=3D'lax' />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </xs:complexType>
+
+=C2=A0=C2=A0=C2=A0 </xs:schema>
+=C2=A0 </wsdl:types>
+
+=C2=A0 <!-- WS-Trust defines the following GEDs -->
+=C2=A0 <wsdl:message name=3D"RequestSecurityTokenMsg">
+=C2=A0=C2=A0=C2=A0 <wsdl:part name=3D"request" element=3D"wst:RequestSe=
curityToken" />
+=C2=A0 </wsdl:message>
+=C2=A0 <wsdl:message name=3D"RequestSecurityTokenResponseMsg">
+=C2=A0=C2=A0=C2=A0 <wsdl:part name=3D"response"
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 element=
=3D"wst:RequestSecurityTokenResponse" />
+=C2=A0 </wsdl:message>
+=C2=A0 <wsdl:message name=3D"RequestSecurityTokenCollectionMsg">
+=C2=A0=C2=A0=C2=A0 <wsdl:part name=3D"requestCollection"
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 element=
=3D"wst:RequestSecurityTokenCollection"/>
+=C2=A0 </wsdl:message>
+=C2=A0 <wsdl:message name=3D"RequestSecurityTokenResponseCollectionMsg"=
>
+=C2=A0=C2=A0=C2=A0 <wsdl:part name=3D"responseCollection"
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 element=
=3D"wst:RequestSecurityTokenResponseCollection"/>
+=C2=A0 </wsdl:message>
+
+=C2=A0 <!-- This portType an example of a Requestor (or other) endpoint=
that
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Accepts SOAP-based challe=
nges from a Security Token Service -->
+=C2=A0 <wsdl:portType name=3D"WSSecurityRequestor">
+=C2=A0=C2=A0=C2=A0 <wsdl:operation name=3D"Challenge">
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <wsdl:input message=3D"tns:RequestSecuri=
tyTokenResponseMsg"/>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <wsdl:output message=3D"tns:RequestSecur=
ityTokenResponseMsg"/>
+=C2=A0=C2=A0=C2=A0 </wsdl:operation>
+=C2=A0 </wsdl:portType>
+
+
+=C2=A0 <!-- This portType is an example of an STS supporting full proto=
col -->
+<!--
+=C2=A0=C2=A0=C2=A0 The wsdl:portType and data types are XML elements defin=
ed by the
+=C2=A0=C2=A0=C2=A0 WS_Trust specification.=C2=A0 The wsdl:portType defines=
the endpoints
+=C2=A0=C2=A0=C2=A0 supported in the STS implementation.=C2=A0 This WSDL de=
fines all operations
+=C2=A0=C2=A0=C2=A0 that an STS implementation can support.
+-->=C2=A0=C2=A0=C2=A0=C2=A0 =C2=A0
+=C2=A0 <wsdl:portType name=3D"STS">
+=C2=A0=C2=A0=C2=A0 <wsdl:operation name=3D"Cancel">
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <wsdl:input wsam:Action=3D"http://docs.o=
asis-open.org/ws-sx/ws-trust/200512/RST/Cancel" message=3D"tns:RequestSecur=
ityTokenMsg"/>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <wsdl:output wsam:Action=3D"http://docs.=
oasis-open.org/ws-sx/ws-trust/200512/RSTR/CancelFinal" message=3D"tns:Reque=
stSecurityTokenResponseMsg"/>
+=C2=A0=C2=A0=C2=A0 </wsdl:operation>
+=C2=A0=C2=A0=C2=A0 <wsdl:operation name=3D"Issue">
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <wsdl:input wsam:Action=3D"http://docs.o=
asis-open.org/ws-sx/ws-trust/200512/RST/Issue" message=3D"tns:RequestSecuri=
tyTokenMsg"/>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <wsdl:output wsam:Action=3D"http://docs.=
oasis-open.org/ws-sx/ws-trust/200512/RSTRC/IssueFinal" message=3D"tns:Reque=
stSecurityTokenResponseCollectionMsg"/>
+=C2=A0=C2=A0=C2=A0 </wsdl:operation>
+=C2=A0=C2=A0=C2=A0 <wsdl:operation name=3D"Renew">
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <wsdl:input wsam:Action=3D"http://docs.o=
asis-open.org/ws-sx/ws-trust/200512/RST/Renew" message=3D"tns:RequestSecuri=
tyTokenMsg"/>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <wsdl:output wsam:Action=3D"http://docs.=
oasis-open.org/ws-sx/ws-trust/200512/RSTR/RenewFinal" message=3D"tns:Reques=
tSecurityTokenResponseMsg"/>
+=C2=A0=C2=A0=C2=A0 </wsdl:operation>
+=C2=A0=C2=A0=C2=A0 <wsdl:operation name=3D"Validate">
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <wsdl:input wsam:Action=3D"http://docs.o=
asis-open.org/ws-sx/ws-trust/200512/RST/Validate" message=3D"tns:RequestSec=
urityTokenMsg"/>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <wsdl:output wsam:Action=3D"http://docs.=
oasis-open.org/ws-sx/ws-trust/200512/RSTR/ValidateFinal" message=3D"tns:Req=
uestSecurityTokenResponseMsg"/>
+=C2=A0=C2=A0=C2=A0 </wsdl:operation>
+=C2=A0=C2=A0=C2=A0 <wsdl:operation name=3D"KeyExchangeToken">
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <wsdl:input wsam:Action=3D"http://docs.o=
asis-open.org/ws-sx/ws-trust/200512/RST/KET" message=3D"tns:RequestSecurity=
TokenMsg"/>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <wsdl:output wsam:Action=3D"http://docs.=
oasis-open.org/ws-sx/ws-trust/200512/RSTR/KETFinal" message=3D"tns:RequestS=
ecurityTokenResponseMsg"/>
+=C2=A0=C2=A0=C2=A0 </wsdl:operation>
+=C2=A0=C2=A0=C2=A0 <wsdl:operation name=3D"RequestCollection">
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <wsdl:input message=3D"tns:RequestSecuri=
tyTokenCollectionMsg"/>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <wsdl:output message=3D"tns:RequestSecur=
ityTokenResponseCollectionMsg"/>
+=C2=A0=C2=A0=C2=A0 </wsdl:operation>
+=C2=A0 </wsdl:portType>
+
+=C2=A0 <!-- This portType is an example of an endpoint that accepts
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Unsolicited RequestSecuri=
tyTokenResponse messages -->
+=C2=A0 <wsdl:portType name=3D"SecurityTokenResponseService">
+=C2=A0=C2=A0=C2=A0 <wsdl:operation name=3D"RequestSecurityTokenResponse=
">
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <wsdl:input message=3D"tns:RequestSecuri=
tyTokenResponseMsg"/>
+=C2=A0=C2=A0=C2=A0 </wsdl:operation>
+=C2=A0 </wsdl:portType>
+
+<!--
+=C2=A0=C2=A0=C2=A0 The wsp:PolicyReference binds the security requirments =
on all the STS endpoints.
+=C2=A0=C2=A0=C2=A0 The wsp:Policy wsu:Id=3D"UT_policy" element is later in=
this file.
+-->
+=C2=A0 <wsdl:binding name=3D"UT_Binding" type=3D"wstrust:STS">
+=C2=A0=C2=A0=C2=A0 <wsp:PolicyReference URI=3D"#UT_policy" />
+=C2=A0 =C2=A0=C2=A0 =C2=A0<soap:binding style=3D"document"
+=C2=A0 =C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0transport=3D"http://schemas.x=
mlsoap.org/soap/http" />
+=C2=A0 =C2=A0=C2=A0 =C2=A0<wsdl:operation name=3D"Issue">
+=C2=A0 =C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0<soap:operation
+=C2=A0 =C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0soapAction=
=3D"http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue" />
+=C2=A0 =C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0<wsdl:input>
+=C2=A0 =C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0=C2=A0 <wsp:Po=
licyReference
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0 URI=3D"#Input_policy" />
+=C2=A0 =C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0<soap:b=
ody use=3D"literal" />
+=C2=A0 =C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0</wsdl:input>
+=C2=A0 =C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0<wsdl:output>
+=C2=A0 =C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0=C2=A0 <wsp:Po=
licyReference
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0 URI=3D"#Output_policy" />
+=C2=A0 =C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0<soap:b=
ody use=3D"literal" />
+=C2=A0 =C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0</wsdl:output>
+=C2=A0 =C2=A0=C2=A0 =C2=A0</wsdl:operation>
+=C2=A0 =C2=A0=C2=A0 =C2=A0<wsdl:operation name=3D"Validate">
+=C2=A0 =C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0<soap:operation
+=C2=A0 =C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0soapAction=
=3D"http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Validate" />
+=C2=A0 =C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0<wsdl:input>
+=C2=A0 =C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0=C2=A0 <wsp:Po=
licyReference
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0 URI=3D"#Input_policy" />
+=C2=A0 =C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0<soap:b=
ody use=3D"literal" />
+=C2=A0 =C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0</wsdl:input>
+=C2=A0 =C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0<wsdl:output>
+=C2=A0 =C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0=C2=A0 <wsp:Po=
licyReference
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0 URI=3D"#Output_policy" />
+=C2=A0 =C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0<soap:b=
ody use=3D"literal" />
+=C2=A0 =C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0</wsdl:output>
+=C2=A0 =C2=A0=C2=A0 =C2=A0</wsdl:operation>
+=C2=A0 =C2=A0=C2=A0 =C2=A0<wsdl:operation name=3D"Cancel">
+=C2=A0 =C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0<soap:operation
+=C2=A0 =C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0soapAction=
=3D"http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Cancel" />
+=C2=A0 =C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0<wsdl:input>
+=C2=A0 =C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0<soap:b=
ody use=3D"literal" />
+=C2=A0 =C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0</wsdl:input>
+=C2=A0 =C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0<wsdl:output>
+=C2=A0 =C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0<soap:b=
ody use=3D"literal" />
+=C2=A0 =C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0</wsdl:output>
+=C2=A0 =C2=A0=C2=A0 =C2=A0</wsdl:operation>
+=C2=A0 =C2=A0=C2=A0 =C2=A0<wsdl:operation name=3D"Renew">
+=C2=A0 =C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0<soap:operation
+=C2=A0 =C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0soapAction=
=3D"http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Renew" />
+=C2=A0 =C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0<wsdl:input>
+=C2=A0 =C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0<soap:b=
ody use=3D"literal" />
+=C2=A0 =C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0</wsdl:input>
+=C2=A0 =C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0<wsdl:output>
+=C2=A0 =C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0<soap:b=
ody use=3D"literal" />
+=C2=A0 =C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0</wsdl:output>
+=C2=A0 =C2=A0=C2=A0 =C2=A0</wsdl:operation>
+=C2=A0 =C2=A0=C2=A0 =C2=A0<wsdl:operation name=3D"KeyExchangeToken">
+=C2=A0 =C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0<soap:operation
+=C2=A0 =C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0soapAction=
=3D"http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/KeyExchangeToken" =
/>
+=C2=A0 =C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0<wsdl:input>
+=C2=A0 =C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0<soap:b=
ody use=3D"literal" />
+=C2=A0 =C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0</wsdl:input>
+=C2=A0 =C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0<wsdl:output>
+=C2=A0 =C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0<soap:b=
ody use=3D"literal" />
+=C2=A0 =C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0</wsdl:output>
+=C2=A0 =C2=A0=C2=A0 =C2=A0</wsdl:operation>
+=C2=A0 =C2=A0=C2=A0 =C2=A0<wsdl:operation name=3D"RequestCollection">
+=C2=A0 =C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0<soap:operation
+=C2=A0 =C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0soapAction=
=3D"http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/RequestCollection"=
/>
+=C2=A0 =C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0<wsdl:input>
+=C2=A0 =C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0<soap:b=
ody use=3D"literal" />
+=C2=A0 =C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0</wsdl:input>
+=C2=A0 =C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0<wsdl:output>
+=C2=A0 =C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0<soap:b=
ody use=3D"literal" />
+=C2=A0 =C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0</wsdl:output>
+=C2=A0 =C2=A0=C2=A0 =C2=A0</wsdl:operation>
+=C2=A0 </wsdl:binding>
+=C2=A0
+=C2=A0 <wsdl:service name=3D"SecurityTokenService">
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <wsdl:port name=3D"UT_Port" binding=3D"t=
ns:UT_Binding">
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <soap:address location=
=3D"http://localhost:8080/SecurityTokenService/UT" />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </wsdl:port>
+=C2=A0 </wsdl:service>
+=C2=A0
+=C2=A0 <wsp:Policy wsu:Id=3D"UT_policy">
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <wsp:ExactlyOne>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <wsp:All>
+<!--
+=C2=A0=C2=A0=C2=A0 The sp:UsingAddressing element, indicates that the endp=
oints of this
+=C2=A0=C2=A0=C2=A0 web service conforms to the WS-Addressing specification=
.=C2=A0 More detail
+=C2=A0=C2=A0=C2=A0 can be found here: [http://www.w3.org/TR/2006/CR-ws-add=
r-wsdl-20060529]
+--> =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <wsa=
p10:UsingAddressing/>
+<!--
+=C2=A0=C2=A0=C2=A0 The sp:SymmetricBinding element indicates that security=
is provided
+=C2=A0=C2=A0=C2=A0 at the SOAP layer and any initiator must authenticate i=
tself by providing
+=C2=A0=C2=A0=C2=A0 WSS UsernameToken credentials.
+-->=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <sp:=
SymmetricBinding
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0 xmlns:sp=3D"http://docs.oasis-open.org/ws-sx/ws-securitypolicy=
/200702">
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0 <wsp:Policy>
+<!--
+=C2=A0=C2=A0=C2=A0 In a symmetric binding, the keys used for encrypting an=
d signing in both
+=C2=A0=C2=A0=C2=A0 directions are derived from a single key, the one speci=
fied by the
+=C2=A0=C2=A0=C2=A0 sp:ProtectionToken element.=C2=A0 The sp:X509Token sub-=
element declares this
+=C2=A0=C2=A0=C2=A0 key to be a X.509 certificate and the
+=C2=A0=C2=A0=C2=A0 IncludeToken=3D"http://docs.oasis-open.org/ws-sx/ws-sec=
uritypolicy/200702/IncludeToken/Never"
+=C2=A0=C2=A0=C2=A0 attribute adds the requirement that the token MUST NOT =
be included in
+=C2=A0=C2=A0=C2=A0 any messages sent between the initiator and the recipie=
nt; rather, an
+=C2=A0=C2=A0=C2=A0 external reference to the token should be used.=C2=A0 L=
astly the WssX509V3Token10
+=C2=A0=C2=A0=C2=A0 sub-element declares that the Username token presented =
by the initiator
+=C2=A0=C2=A0=C2=A0 should be compliant with Web Services Security Username=
Token Profile
+=C2=A0=C2=A0=C2=A0 1.0 specification. [ http://docs.oasis-open.org/wss/200=
4/01/oasis-200401-wss-username-token-profile-1.0.pdf ]
+-->=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <sp:ProtectionToken>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <wsp:Policy>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <sp:X=
509Token
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0 sp:IncludeToken=3D"http://docs.oasis-open.org/ws-sx/ws-securitypo=
licy/200702/IncludeToken/Never">
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0 <wsp:Policy>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0 <sp:RequireDerivedKeys />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0 <sp:RequireThumbprintReference />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0 <sp:WssX509V3Token10 />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0 </wsp:Policy>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </sp:=
X509Token>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </wsp:Policy>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </sp:ProtectionToken>
+<!--
+=C2=A0=C2=A0=C2=A0 The sp:AlgorithmSuite element, requires the Basic256 al=
gorithm suite
+=C2=A0=C2=A0=C2=A0 be used in performing cryptographic operations.
+-->=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <sp:AlgorithmSuite>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <wsp:Policy>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <sp:B=
asic256 />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </wsp:Policy>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </sp:AlgorithmSuite>
+<!--
+=C2=A0=C2=A0=C2=A0 The sp:Layout element,=C2=A0 indicates the layout rules=
to apply when adding
+=C2=A0=C2=A0=C2=A0 items to the security header.=C2=A0 The sp:Lax sub-elem=
ent indicates items
+=C2=A0=C2=A0=C2=A0 are added to the security header in any order that conf=
orms to
+=C2=A0=C2=A0=C2=A0 WSS: SOAP Message Security.
+-->=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0 =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <sp:Layout>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <wsp:Policy>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <sp:L=
ax />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </wsp:Policy>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </sp:Layout>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <sp:IncludeTimestamp />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <sp:EncryptSignature />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <sp:OnlySignEntireHeadersAndBody />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0 </wsp:Policy>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </sp=
:SymmetricBinding>
+<!--
+=C2=A0=C2=A0=C2=A0 The sp:SignedSupportingTokens element declares that the=
security header
+=C2=A0=C2=A0=C2=A0 of messages must contain a sp:UsernameToken and the tok=
en must be signed. =C2=A0
+=C2=A0=C2=A0=C2=A0 The attribute IncludeToken=3D"http://docs.oasis-open.or=
g/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient"
+=C2=A0=C2=A0=C2=A0 on sp:UsernameToken indicates that the token MUST be in=
cluded in all
+=C2=A0=C2=A0=C2=A0 messages sent from initiator to the recipient and that =
the token MUST
+=C2=A0=C2=A0=C2=A0 NOT be included in messages sent from the recipient to =
the initiator. =C2=A0
+=C2=A0=C2=A0=C2=A0 And finally the element sp:WssUsernameToken10 is a poli=
cy assertion
+=C2=A0=C2=A0=C2=A0 indicating the Username token should be as defined in=
=C2=A0 Web Services
+=C2=A0=C2=A0=C2=A0 Security UsernameToken Profile 1.0
+-->=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <sp:=
SignedSupportingTokens
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0 xmlns:sp=3D"http://docs.oasis-open.org/ws-sx/ws-securitypolicy=
/200702">
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0 <wsp:Policy>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <sp:UsernameToken
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 sp:IncludeToken=3D"http://=
docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRec=
ipient">
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <wsp:Policy>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <sp:W=
ssUsernameToken10 />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </wsp:Policy>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </sp:UsernameToken>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0 </wsp:Policy>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </sp=
:SignedSupportingTokens>
+<!--
+=C2=A0=C2=A0=C2=A0 The sp:Wss11 element declares WSS: SOAP Message Securit=
y 1.1 options
+=C2=A0=C2=A0=C2=A0 to be supported by the STS.=C2=A0 These particular elem=
ents generally refer
+=C2=A0=C2=A0=C2=A0 to how keys are referenced within the SOAP envelope.=C2=
=A0 These are normally
+=C2=A0=C2=A0=C2=A0 handled by CXF.
+-->=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <sp:=
Wss11
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0 xmlns:sp=3D"http://docs.oasis-open.org/ws-sx/ws-securitypolicy=
/200702">
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0 <wsp:Policy>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <sp:MustSupportRefKeyIdentifier />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <sp:MustSupportRefIssuerSerial />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <sp:MustSupportRefThumbprint />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <sp:MustSupportRefEncryptedKey />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0 </wsp:Policy>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </sp=
:Wss11>
+<!--
+=C2=A0=C2=A0=C2=A0 The sp:Trust13 element declares controls for WS-Trust 1=
.3 options. =C2=A0
+=C2=A0=C2=A0=C2=A0 They are policy assertions related to exchanges specifi=
cally with
+=C2=A0=C2=A0=C2=A0 client and server challenges and entropy behaviors.=C2=
=A0 Again these are
+=C2=A0=C2=A0=C2=A0 normally handled by CXF.
+-->=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <sp:=
Trust13
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0 xmlns:sp=3D"http://docs.oasis-open.org/ws-sx/ws-securitypolicy=
/200702">
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0 <wsp:Policy>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <sp:MustSupportIssuedTokens />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <sp:RequireClientEntropy />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <sp:RequireServerEntropy />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0 </wsp:Policy>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </sp=
:Trust13>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </wsp:All>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </wsp:ExactlyOne>
+=C2=A0=C2=A0 </wsp:Policy>
+=C2=A0 =C2=A0
+=C2=A0=C2=A0 <wsp:Policy wsu:Id=3D"Input_policy">
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <wsp:ExactlyOne>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <wsp:All>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <sp:=
SignedParts
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0 xmlns:sp=3D"http://docs.oasis-open.org/ws-sx/ws-securitypolicy=
/200702">
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0 <sp:Body />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0 <sp:Header Name=3D"To"
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Namespace=3D"http://www.w3.org/2005/08/addre=
ssing" />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0 <sp:Header Name=3D"From"
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Namespace=3D"http://www.w3.org/2005/08/addre=
ssing" />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0 <sp:Header Name=3D"FaultTo"
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Namespace=3D"http://www.w3.org/2005/08/addre=
ssing" />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0 <sp:Header Name=3D"ReplyTo"
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Namespace=3D"http://www.w3.org/2005/08/addre=
ssing" />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0 <sp:Header Name=3D"MessageID"
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Namespace=3D"http://www.w3.org/2005/08/addre=
ssing" />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0 <sp:Header Name=3D"RelatesTo"
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Namespace=3D"http://www.w3.org/2005/08/addre=
ssing" />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0 <sp:Header Name=3D"Action"
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Namespace=3D"http://www.w3.org/2005/08/addre=
ssing" />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </sp=
:SignedParts>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <sp:=
EncryptedParts
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0 xmlns:sp=3D"http://docs.oasis-open.org/ws-sx/ws-securitypolicy=
/200702">
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0 <sp:Body />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </sp=
:EncryptedParts>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </wsp:All>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </wsp:ExactlyOne>
+=C2=A0=C2=A0 </wsp:Policy>
+=C2=A0 =C2=A0
+=C2=A0=C2=A0 <wsp:Policy wsu:Id=3D"Output_policy">
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <wsp:ExactlyOne>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <wsp:All>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <sp:=
SignedParts
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0 xmlns:sp=3D"http://docs.oasis-open.org/ws-sx/ws-securitypolicy=
/200702">
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0 <sp:Body />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0 <sp:Header Name=3D"To"
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Namespace=3D"http://www.w3.org/2005/08/addre=
ssing" />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0 <sp:Header Name=3D"From"
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Namespace=3D"http://www.w3.org/2005/08/addre=
ssing" />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0 <sp:Header Name=3D"FaultTo"
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Namespace=3D"http://www.w3.org/2005/08/addre=
ssing" />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0 <sp:Header Name=3D"ReplyTo"
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Namespace=3D"http://www.w3.org/2005/08/addre=
ssing" />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0 <sp:Header Name=3D"MessageID"
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Namespace=3D"http://www.w3.org/2005/08/addre=
ssing" />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0 <sp:Header Name=3D"RelatesTo"
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Namespace=3D"http://www.w3.org/2005/08/addre=
ssing" />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0 <sp:Header Name=3D"Action"
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Namespace=3D"http://www.w3.org/2005/08/addre=
ssing" />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </sp=
:SignedParts>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <sp:=
EncryptedParts
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0 xmlns:sp=3D"http://docs.oasis-open.org/ws-sx/ws-securitypolicy=
/200702">
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0 <sp:Body />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </sp=
:EncryptedParts>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </wsp:All>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </wsp:ExactlyOne>
+=C2=A0=C2=A0 </wsp:Policy>
+
+</wsdl:definitions>
+
+
+
+
+ =
+ STS Implementation
+
+ The Apache CXF's STS, SecurityTokenServiceProvider, is a web=
service provider that is compliant with the protocols and functionality d=
efined by the WS-Trust specification. It has a modular architecture. Many=
of its components are configurable or replaceable and there are many opt=
ional features that are enabled by implementing and configuring plug-ins. =
Users can customize their own STS by extending from SecurityTokenServiceP=
rovider and overriding the default settings. Extensive information about =
the CXF's STS configurable and pluggable components can be found
+ here
+ .
+
+ This STS implementation class, SimpleSTS, is a POJO that=
extends from SecurityTokenServiceProvider. Note that the class is define=
d with a WebServiceProvider annotation and not a WebService annotation. =
This annotation defines the service as a Provider-based endpoint, meaning =
it supports a more messaging-oriented approach to Web services. In partic=
ular, it signals that the exchanged messages will be XML documents of some=
type. SecurityTokenServiceProvider is an implementation of the javax.xml=
.ws.Provider interface. In comparison the WebService annotation defines a=
(service endpoint interface) SEI-based endpoint which supports message ex=
change via SOAP envelopes.
+
+ As was done in the ServiceImpl class, the WSS4J annotations=
EndpointProperties and EndpointProperty are providing endpoint configurat=
ion for the CXF runtime. This was previous described
+ here
+ .
+
+ The InInterceptors annotation is used to specify a JBos=
sWS integration interceptor to be used for authenticating incoming request=
s; JAAS integration is used here for authentication, the username/passowo=
rd coming from the UsernameToken in the ws-requester message are used for =
authenticating the requester against a security domain on the application =
server hosting the STS deployment.
+ In this implementation we are customizing the operations=
of token issuance, token validation and their static properties.
+ StaticSTSProperties is used to set select properties for=
configuring resources in the STS. You may think this is a duplication of=
the settings made with the WSS4J annotations. The values are the same bu=
t the underlaying structures being set are different, thus this informatio=
n must be declared in both places.
+ The setIssuer setting is important because it uniquely =
identifies the issuing STS. The issuer string is embedded in issued token=
s and, when validating tokens, the STS checks the issuer string value. Co=
nsequently, it is important to use the issuer string in a consistent way, =
so that the STS can recognize the tokens that it has issued.
+ The setEndpoints call allows the declaration of a set o=
f allowed token recipients by address. The addresses are specified as reg=
-ex patterns.
+ TokenIssueOperation and TokenValidateOperation have a =
modular structure. This allows custom behaviors to be injected into the p=
rocessing of messages. In this case we are overriding the SecurityTokenS=
erviceProvider's default behavior and performing SAML token processing and=
validation. CXF provides an implementation of a SAMLTokenProvider and SA=
MLTokenValidator which we are using rather than writing our own.
+
+ Learn more about the SAMLTokenProvider
+ here
+ .
+
+
+
+package org.jboss.test.ws.jaxws.samples.wsse.policy.trust;
+=C2=A0
import java.util.Arrays;
import java.util.LinkedList;
import java.util.List;
-
+=C2=A0
import javax.xml.ws.WebServiceProvider;
-
+=C2=A0
import org.apache.cxf.annotations.EndpointProperties;
import org.apache.cxf.annotations.EndpointProperty;
import org.apache.cxf.interceptor.InInterceptors;
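Review bot: the comment above the sp:ProtectionToken block misdescribes sp:WssX509V3Token10. It says the sub-element "declares that the Username token presented by the initiator should be compliant with Web Services Security Username Token Profile 1.0", but WssX509V3Token10 is an assertion about the X.509 protection token (an X.509 Version 3 certificate as defined by the WSS X.509 Token Profile 1.0); the UsernameToken Profile 1.0 statement belongs to sp:WssUsernameToken10, which the later sp:SignedSupportingTokens comment already covers. Suggest rewording that sentence to something like "Lastly the WssX509V3Token10 sub-element declares that the X.509 token must be a V3 certificate as defined by the WSS X.509 Token Profile 1.0." Two smaller points in the same added comments: the first policy comment refers to "sp:UsingAddressing" while the element actually emitted is wsap10:UsingAddressing, and "security requirments" in the wsp:PolicyReference comment should read "security requirements" ("a X.509 certificate" should also be "an X.509 certificate").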
@@ -3173,190 +3896,339 @@
import org.apache.cxf.sts.token.provider.SAMLTokenProvider;
import org.apache.cxf.sts.token.validator.SAMLTokenValidator;
import org.apache.cxf.ws.security.sts.provider.SecurityTokenServiceProvide=
r;
-
+=C2=A0
@WebServiceProvider(serviceName =3D "SecurityTokenService",
- portName =3D "UT_Port",
- targetNamespace =3D "http://docs.oasis-open.org/ws-sx/ws-trust/20051=
2/",
- wsdlLocation =3D "WEB-INF/wsdl/ws-trust-1.4-service.wsdl")
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 portName =3D "UT_Port",
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 targetNamespace =3D "http://docs.oasis-open=
.org/ws-sx/ws-trust/200512/",
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 wsdlLocation =3D "WEB-INF/wsdl/ws-trust-1.4=
-service.wsdl")
@EndpointProperties(value =3D {
- @EndpointProperty(key =3D "ws-security.signature.username", value =
=3D "mystskey"),
- @EndpointProperty(key =3D "ws-security.signature.properties", value =
=3D "stsKeystore.properties"),
- @EndpointProperty(key =3D "ws-security.callback-handler", value =3D =
"org.jboss.test.ws.jaxws.samples.wsse.policy.trust.STSCallbackHandler"),
- @EndpointProperty(key =3D "ws-security.validate.token", value =3D "f=
alse") //to let the JAAS integration deal with validation through the inter=
ceptor below
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 @EndpointProperty(key =3D "ws-security.sign=
ature.username", value =3D "mystskey"),
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 @EndpointProperty(key =3D "ws-security.sign=
ature.properties", value =3D "stsKeystore.properties"),
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 @EndpointProperty(key =3D "ws-security.call=
back-handler", value =3D "org.jboss.test.ws.jaxws.samples.wsse.policy.trust=
.STSCallbackHandler"),
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 //to let the JAAS integration deal with val=
idation through the interceptor below
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 @EndpointProperty(key =3D "ws-security.vali=
date.token", value =3D "false")
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 =C2=A0
})
@InInterceptors(interceptors =3D {"org.jboss.wsf.stack.cxf.security.authen=
tication.SubjectCreatingPolicyInterceptor"})
public class SampleSTS extends SecurityTokenServiceProvider
{
- public SampleSTS() throws Exception
- {
- super();
+=C2=A0=C2=A0 public SampleSTS() throws Exception
+=C2=A0=C2=A0 {
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 super();
+=C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 StaticSTSProperties props =3D new StaticSTS=
Properties();
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 props.setSignaturePropertiesFile("stsKeysto=
re.properties");
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 props.setSignatureUsername("mystskey");
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 props.setCallbackHandlerClass(STSCallbackHa=
ndler.class.getName());
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 props.setIssuer("DoubleItSTSIssuer");
+=C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 List<ServiceMBean> services =3D new L=
inkedList<ServiceMBean>();
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 StaticService service =3D new StaticService=
();
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 service.setEndpoints(Arrays.asList(
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0 "http://localhost:(\\d)*/jaxws-samples-wsse-policy-trust/SecuritySer=
vice",
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0 "http://\\[::1\\]:(\\d)*/jaxws-samples-wsse-policy-trust/SecuritySer=
vice",
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0 "http://\\[0:0:0:0:0:0:0:1\\]:(\\d)*/jaxws-samples-wsse-policy-trust=
/SecurityService"
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0 ));
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 services.add(service);
+=C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 TokenIssueOperation issueOperation =3D new =
TokenIssueOperation();
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 issueOperation.setServices(services);
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 issueOperation.getTokenProviders().add(new =
SAMLTokenProvider());
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 issueOperation.setStsProperties(props);
+=C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 TokenValidateOperation validateOperation =
=3D new TokenValidateOperation();
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 validateOperation.getTokenValidators().add(=
new SAMLTokenValidator());
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 validateOperation.setStsProperties(props);
+=C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 this.setIssueOperation(issueOperation);
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 this.setValidateOperation(validateOperation=
);
+=C2=A0=C2=A0 }
+}
+
+
+
+
+ =
+ STSCallbackHandler
+ STSCallbackHandler is a callback handler for the WSS4J C=
rypto API. It is used to obtain the password for the private key in the k=
eystore. This class enables CXF to retrieve the password of the user name=
to use for the message signature.
+
+
+package org.jboss.test.ws.jaxws.samples.wsse.policy.trust.sts;
=
- StaticSTSProperties props =3D new StaticSTSProperties();
- props.setSignaturePropertiesFile("stsKeystore.properties");
- props.setSignatureUsername("mystskey");
- props.setCallbackHandlerClass(STSCallbackHandler.class.getName());
- props.setIssuer("DoubleItSTSIssuer");
+import java.util.HashMap;
+import java.util.Map;
=
- List<ServiceMBean> services =3D new LinkedList<ServiceMBean=
>();
- StaticService service =3D new StaticService();
- service.setEndpoints(Arrays.asList("http://localhost:(\\d)*/jaxws-sa=
mples-wsse-policy-trust/SecurityService", "http://\\[::1\\]:(\\d)*/jaxws-sa=
mples-wsse-policy-trust/SecurityService"));
- services.add(service);
+import org.jboss.wsf.stack.cxf.extensions.security.PasswordCallbackHandler;
=
- TokenIssueOperation issueOperation =3D new TokenIssueOperation();
- issueOperation.setServices(services);
- issueOperation.getTokenProviders().add(new SAMLTokenProvider());
- issueOperation.setStsProperties(props);
+public class STSCallbackHandler extends PasswordCallbackHandler
+{
+=C2=A0=C2=A0 public STSCallbackHandler()
+=C2=A0=C2=A0 {
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 super(getInitMap());
+=C2=A0=C2=A0 }
=
- TokenValidateOperation validateOperation =3D new TokenValidateOperat=
ion();
- validateOperation.getTokenValidators().add(new SAMLTokenValidator());
- validateOperation.setStsProperties(props);
-
- this.setIssueOperation(issueOperation);
- this.setValidateOperation(validateOperation);
- }
-}
-
-
- The
- @WebServiceProvider
- annotation references a WS-SecurityPolicy enriched
- v=
ersion
- of the WS-Trust 1.4 wsdl.
-
-
- The
- @EndpointProperty
- annotations provides the usual WSS4J configuration elements.
-
-
- The
- @InInterceptor
- annotation is used to specify a JBossWS integration intercepto=
r to be used for authenticating incoming requests; JAAS integration is used=
here for authentication, so basically the username/passoword coming from t=
he UsernameToken in the client message are used for authenticating the clie=
nt against a security domain on the application server hosting the STS depl=
oyment.
-
- The stsKeystore.properties file is as follows:
-
- org.apache.ws.security.crypto.provider=3Dorg.a=
pache.ws.security.components.crypto.Merlin
+=C2=A0=C2=A0 private static Map<String, String> getInitMap()
+=C2=A0=C2=A0 {
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Map<String, String> passwords =3D new=
HashMap<String, String>();
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 passwords.put("mystskey", "stskpass");
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 return passwords;
+=C2=A0=C2=A0 }
+}
+
+
+
+
+ =
+ Crypto properties and keystore files
+
+ WSS4J's Crypto implementation is loaded and configured via a=
Java properties file that contains Crypto configuration data. The file =
contains implementation-specific properties such as a keystore location, p=
assword, default alias and the like. This application is using the Merlin=
implementation. File stsKeystore.properties contains this information.
+ =
+
+
+ File servicestore.jks, is a Java KeyStore (JKS) repository.=
It contains self signed certificates for myservicekey and mystskey.
+ Self signed certificates are not =
appropriate for production use.
+
+
+
+org.apache.ws.security.crypto.provider=3Dorg.apache.ws.security.components=
.crypto.Merlin =C2=A0
org.apache.ws.security.crypto.merlin.keystore.type=3Djks
org.apache.ws.security.crypto.merlin.keystore.password=3Dstsspass
-org.apache.ws.security.crypto.merlin.keystore.file=3Dstsstore.jks
-
- ... while STSCallbackHandler grants access to the stsstore=
.jks, which has been populated with the STS full key (private/certificate +=
public key) as well as the server endpoint and client public keys.
-
- package org.jboss.test.ws.jaxws.samples.wsse.p=
olicy.trust;
-
-import java.io.IOException;
-import javax.security.auth.callback.Callback;
-import javax.security.auth.callback.CallbackHandler;
-import javax.security.auth.callback.UnsupportedCallbackException;
-import org.apache.ws.security.WSPasswordCallback;
-
-public class STSCallbackHandler implements CallbackHandler {
-
- public void handle(Callback[] callbacks) throws IOException,
- UnsupportedCallbackException {
- for (int i =3D 0; i < callbacks.length; i++) {
- if (callbacks[i] instanceof WSPasswordCallback) {
- WSPasswordCallback pc =3D (WSPasswordCallback) callbacks[i=
];
- if ("mystskey".equals(pc.getIdentifier())) {
- pc.setPassword("stskpass");
- break;
- }
- }
- }
- }
-}
-
- Here is how the STS webservice provider is packaged:
-
- alessio(a)inuyasha /dati/jbossws/stack/cxf/tru=
nk $ jar -tvf ./modules/testsuite/cxf-tests/target/test-libs/jaxws-samples-=
wsse-policy-trust-sts.war
- 0 Mon Jun 25 13:39:06 CEST 2012 META-INF/
- 164 Mon Jun 25 13:39:04 CEST 2012 META-INF/MANIFEST.MF
- 0 Mon Jun 25 13:39:06 CEST 2012 WEB-INF/
- 0 Mon Jun 25 13:39:06 CEST 2012 WEB-INF/classes/
- 0 Mon Jun 25 13:39:04 CEST 2012 WEB-INF/classes/org/
- 0 Mon Jun 25 13:39:04 CEST 2012 WEB-INF/classes/org/jboss/
- 0 Mon Jun 25 13:39:04 CEST 2012 WEB-INF/classes/org/jboss/test/
- 0 Mon Jun 25 13:39:04 CEST 2012 WEB-INF/classes/org/jboss/test/ws/
- 0 Mon Jun 25 13:39:04 CEST 2012 WEB-INF/classes/org/jboss/test/ws/jax=
ws/
- 0 Mon Jun 25 13:39:04 CEST 2012 WEB-INF/classes/org/jboss/test/ws/jax=
ws/samples/
- 0 Mon Jun 25 13:39:04 CEST 2012 WEB-INF/classes/org/jboss/test/ws/jax=
ws/samples/wsse/
- 0 Mon Jun 25 13:39:04 CEST 2012 WEB-INF/classes/org/jboss/test/ws/jax=
ws/samples/wsse/policy/
- 0 Mon Jun 25 13:39:04 CEST 2012 WEB-INF/classes/org/jboss/test/ws/jax=
ws/samples/wsse/policy/trust/
- 1148 Mon Jun 25 13:39:04 CEST 2012 WEB-INF/classes/org/jboss/test/ws/jax=
ws/samples/wsse/policy/trust/STSCallbackHandler.class
- 3456 Mon Jun 25 13:39:04 CEST 2012 WEB-INF/classes/org/jboss/test/ws/jax=
ws/samples/wsse/policy/trust/SampleSTS.class
- 251 Mon Jun 25 13:39:02 CEST 2012 WEB-INF/jboss-web.xml
- 0 Mon Jun 25 13:39:02 CEST 2012 WEB-INF/wsdl/
- 13635 Mon Jun 25 13:39:02 CEST 2012 WEB-INF/wsdl/ws-trust-1.4-service.wsdl
- 1054 Mon Jun 25 13:39:02 CEST 2012 WEB-INF/classes/stsKeystore.properties
- 3978 Mon Jun 25 13:39:02 CEST 2012 WEB-INF/classes/stsstore.jks
-
-
- The
- jboss-web.xml
- descriptor is used to set the security domain to be used for a=
uthentication (in this case the domain will need to be configured to allow
- alice
- /
- clarinet
- username/password couple):
-
-
- <?xml version=3D"1.0" encoding=3D"UTF-8"?&g=
t;
-<!DOCTYPE jboss-web PUBLIC "-//JBoss//DTD Web Application 2.4//EN" "htt=
p://www.jboss.org/j2ee/dtd/jboss-web_4_0.dtd">
-<jboss-web>
- <security-domain>java:/jaas/JBossWS-trust-sts</security-domain=
>
-</jboss-web>
-
-
- ... and the manifest contains the usual declaration of JBoss A=
pplication Server 7 module dependencies (Apache CXF internals are needed he=
re to build up the STS configuration in
- SampleSTS
- constructor as shown above):
-
-
- Manifest-Version: 1.0
-Ant-Version: Apache Ant 1.8.2
-Created-By: 1.6.0_26-b03 (Sun Microsystems Inc.)
-Dependencies: org.apache.ws.security,org.apache.cxf.impl
-
-
- WS-MetadataExchange and interoperability
+org.apache.ws.security.crypto.merlin.keystore.file=3Dstsstore.jks
+
+
+
+
+ =
+ MANIFEST.MF
- To achieve better interoperability, you might consider allow=
ing the STS endpoint to reply to WS-MetadataExchange messages directed to t=
he
- /mex
- URL sub-path (e.g.
-
+ When deployed on JBoss Application Server, this application =
requires access to the JBossWs and CXF APIs provided in modules org.jboss=
.ws.cxf.jbossws-cxf-client and org.apache.cxf. The Apache CXF internals, =
org.apache.cxf.impl, are needed to build the STS configuration in the
+ SampleSTS
+ constructor. The dependency statement directs the server to=
provide them at deployment.
+
+
+
+Manifest-Version: 1.0 =C2=A0
+Ant-Version: Apache Ant 1.8.2 =C2=A0
+Created-By: 1.7.0_25-b15 (Oracle Corporation) =C2=A0
+Dependencies: org.jboss.ws.cxf.jbossws-cxf-client,org.apache.cxf.impl
+
+
+
+
+ =
+ Security Domain
+
+ The
+ jboss-web.xml
+ descriptor is used to set the security domain to be used fo=
r authentication. For this scenario the domain will need to contain user
+ alice,
+ password
+ clarinet,
+ and role
+ friend
+ . See the listings for jbossws-users.properties and jbossws=
-roles.properties. In addition the JBoss Application Server needs to be c=
onfigured with the domain name, "JBossWS-trust-sts", and with the users and=
roles properties files. See the directions in this
+ ar=
ticle
+ about configuring the security domain using the CLI.
+
+ jboss-web.xml
+
+
+<?xml version=3D"1.0" encoding=3D"UTF-8"?> =C2=A0
+<!DOCTYPE jboss-web PUBLIC "-//JBoss//DTD Web Application 2.4//EN" ">=
; =C2=A0
+<jboss-web> =C2=A0
+=C2=A0 <security-domain>java:/jaas/JBossWS-trust-sts</security-do=
main> =C2=A0
+</jboss-web>
+
+
+ jbossws-users.properties
+
+
+# A sample users.properties file for use with the UsersRolesLoginModule =
=C2=A0
+alice=3Dclarinet
+
+
+ jbossws-roles.properties
+
+
+# A sample roles.properties file for use with the UsersRolesLoginModule =
=C2=A0
+alice=3Dfriend
+
+
+
+ WS-MetadataExchange and interoperability
+
+ To achieve better interoperability, you might consider al=
lowing the STS endpoint to reply to WS-MetadataExchange messages directed =
to the
+ /mex
+ URL sub-path (e.g.
-
- ). This can be done by tweaking the
- url-pattern
- for the underlying endpoint servlet, for instance by adding a
- web.xml
- descriptor as follows to the deployment:
+ ). This can be done by tweaking the
+ url-pattern
+ for the underlying endpoint servlet, for instance by addin=
g a
+ web.xml
+ descriptor as follows to the deployment:<?xml version=
=3D"1.0" encoding=3D"UTF-8"?>
+ =
+ <web-app
+ =
+ version=3D"2.5" xmlns=3D"http://java.sun.com/xml/ns/javaee"
+ =
+ xmlns:xsi=3D"http://www.w3.org/2001/XMLSchema-instance"
+ =
+ xsi:schemaLocation=3D"http://java.sun.com/xml/ns/javaee
+
+ ">
+ =
+ <servlet>
+ =
+ <servlet-name>TestSecurityTokenService</servlet-n=
ame>
+ =
+ <servlet-class>org.jboss.test.ws.jaxws.samples.wsse.=
policy.trust.SampleSTS</servlet-class>
+ =
+ </servlet>
+ =
+ <servlet-mapping>
+ =
+ <servlet-name>TestSecurityTokenService</servlet-n=
ame>
+ =
+ <url-pattern>/SecurityTokenService/*</url-pattern=
>
+ =
+ </servlet-mapping>
+ =
+ </web-app>
+ =
+ As a matter of fact, at the time of writing some webservic=
es implementations (including
+ Metro
+ ) assume the
+ /mex
+ URL as the default choice for directing WS-MetadataExchang=
e requests to and use that to retrieve STS wsdl contracts.
+
+
+
+
+
+ =
+ Web service requester
+ This section examines the crucial elements in calling a we=
b service that implements endpoint security as described in the basic WS-T=
rust scenario. The components that will be discussed are.
+
+
+ web service requester's implementation
+
+
+ ClientCallbackHandler
+
+
+ Crypto properties and keystore files
+
+
+
+ =
+ Web service requester Implementation
+
+ The ws-requester, the client, uses standard procedures for c=
reating a reference to the web service in the first four line. To address=
the endpoint security requirements, the web service's "Request Context" i=
s configured with the information needed in message generation. In additi=
on, the STSClient that communicates with the STS is configured with simila=
r values. Note the key strings ending with a ".it" suffix. This suffix f=
lags these settings as belonging to the STSClient. The internal CXF code =
assigns this information to the STSClient that is auto-generated for this =
service call.
=
+ There is an alternate method of setting up the STSCLien=
t. The user may provide their own instance of the STSClient. The CXF cod=
e will use this object and not auto-generate one. This is used in the Act=
As and OnBehalfOf examples. When providing the STSClient in this way, the=
user must provide a org.apache.cxf.Bus for it and the configuration keys =
must not have the ".it" suffix.
- <?xml version=3D"1.0" encoding=3D"UTF-8"?=
>
-<web-app
- version=3D"2.5" xmlns=3D"http://java.sun.com/xml/ns/javaee"
- xmlns:xsi=3D"http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation=3D"http://java.sun.com/xml/ns/javaee http://java.sun=
.com/xml/ns/javaee/web-app_2_5.xsd">
- <servlet>
- <servlet-name>TestSecurityTokenService</servlet-name>
- <servlet-class>org.jboss.test.ws.jaxws.samples.wsse.policy.tru=
st.SampleSTS</servlet-class>
- </servlet>
- <servlet-mapping>
- <servlet-name>TestSecurityTokenService</servlet-name>
- <url-pattern>/SecurityTokenService/*</url-pattern>
- </servlet-mapping>
-</web-app>
+
+QName serviceName =3D new QName("http://www.jboss.org/jbossws/ws-extension=
s/wssecuritypolicy", "SecurityService"); =C2=A0
+URL wsdlURL =3D new URL(serviceURL + "?wsdl"); =C2=A0
+Service service =3D Service.create(wsdlURL, serviceName); =C2=A0
+ServiceIface proxy =3D (ServiceIface) service.getPort(ServiceIface.class);=
=C2=A0
+=C2=A0
+// set the security related configuration information for the service "req=
uest" =C2=A0
+Map<String, Object> ctx =3D ((BindingProvider) proxy).getRequestCont=
ext(); =C2=A0
+ctx.put(SecurityConstants.CALLBACK_HANDLER, new ClientCallbackHandler()); =
=C2=A0
+ctx.put(SecurityConstants.SIGNATURE_PROPERTIES,
+ Thread.currentThread().getContextClassLoader().getResource(
+ "META-INF/clientKeystore.properties")); =C2=A0
+ctx.put(SecurityConstants.ENCRYPT_PROPERTIES,
+ Thread.currentThread().getContextClassLoader().getResource(
+ "META-INF/clientKeystore.properties")); =C2=A0
+ctx.put(SecurityConstants.SIGNATURE_USERNAME, "myclientkey"); =C2=A0
+ctx.put(SecurityConstants.ENCRYPT_USERNAME, "myservicekey"); =C2=A0
+=C2=A0
+=C2=A0
+//-- Configuration settings that will be transfered to the STSClient =C2=
=A0
+// "alice" is the name provided for the WSS Username. Her password will =
=C2=A0
+// be retreived from the ClientCallbackHander by the STSClient. =C2=A0
+ctx.put(SecurityConstants.USERNAME + ".it", "alice"); =C2=A0
+ctx.put(SecurityConstants.CALLBACK_HANDLER + ".it", new ClientCallbackHand=
ler()); =C2=A0
+ctx.put(SecurityConstants.ENCRYPT_PROPERTIES + ".it",
+ Thread.currentThread().getContextClassLoader().getResource(
+ "META-INF/clientKeystore.properties")); =C2=A0
+ctx.put(SecurityConstants.ENCRYPT_USERNAME + ".it", "mystskey"); =C2=A0
+// alias name in the keystore to get the user's public key to send to the =
STS =C2=A0
+ctx.put(SecurityConstants.STS_TOKEN_USERNAME + ".it", "myclientkey"); =C2=
=A0
+// Crypto property configuration to use for the STS =C2=A0
+ctx.put(SecurityConstants.STS_TOKEN_PROPERTIES + ".it",
+ Thread.currentThread().getContextClassLoader().getResource(
+ "META-INF/clientKeystore.properties")); =C2=A0
+// write out an X509Certificate structure in UseKey/KeyInfo =C2=A0
+ctx.put(SecurityConstants.STS_TOKEN_USE_CERT_FOR_KEYINFO + ".it", "true");=
=C2=A0
+// Setting indicates the=C2=A0 STSclient should not try using the WS-Metad=
ataExchange =C2=A0
+// call using STS EPR WSA address when the endpoint contract does not cont=
ain =C2=A0
+// WS-MetadataExchange info. =C2=A0
+ctx.put("ws-security.sts.disable-wsmex-call-using-epr-address", "true"); =
=C2=A0
+=C2=A0 =C2=A0
+proxy.sayHello();
+
+
+
+ =
+ ClientCallbackHandler
+ ClientCallbackHandler is a callback handler for the WSS4=
J Crypto API. It is used to obtain the password for the private key in th=
e keystore. This class enables CXF to retrieve the password of the user n=
ame to use for the message signature. Note that "alice" and her password =
have been provided here. This information is not in the (JKS) keystore b=
ut provided in the JBoss Application Server security domain. It was decl=
ared in file jbossws-users.properties.
+
+
+package org.jboss.test.ws.jaxws.samples.wsse.policy.trust.shared; =C2=A0
+=C2=A0
+import java.io.IOException; =C2=A0
+import javax.security.auth.callback.Callback; =C2=A0
+import javax.security.auth.callback.CallbackHandler; =C2=A0
+import javax.security.auth.callback.UnsupportedCallbackException; =C2=A0
+import org.apache.ws.security.WSPasswordCallback; =C2=A0
+=C2=A0
+public class ClientCallbackHandler implements CallbackHandler { =C2=A0
+=C2=A0
+=C2=A0=C2=A0=C2=A0 public void handle(Callback[] callbacks) throws IOExcep=
tion, =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Unsuppo=
rtedCallbackException { =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 for (int i =3D 0; i < callba=
cks.length; i++) { =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 if (cal=
lbacks[i] instanceof WSPasswordCallback) { =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0 WSPasswordCallback pc =3D (WSPasswordCallback) callbacks=
[i]; =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0 if ("myclientkey".equals(pc.getIdentifier())) { =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 pc.setPassword("ckpass"); =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 break; =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0 } else if ("alice".equals(pc.getIdentifier())) { =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 pc.setPassword("clarinet"); =C2=
=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 break; =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0 } =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 } =C2=
=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 } =C2=A0
+=C2=A0=C2=A0=C2=A0 } =C2=A0
+}
+
+
+
+
+ =
+ Crypto properties and keystore files
- As a matter of fact, at the time of writing some webservices=
implementations (including
- Metro
- ) assume the
- /mex
- URL as the default choice for directing WS-MetadataExchange =
requests to and use that to retrieve STS wsdl contracts.
+ WSS4J's Crypto implementation is loaded and configured via a=
Java properties file that contains Crypto configuration data. The file =
contains implementation-specific properties such as a keystore location, p=
assword, default alias and the like. This application is using the Merlin=
implementation. File clientKeystore.properties contains this information.
+ =
-
+
+ File clientstore.jks, is a Java KeyStore (JKS) repository. =
It contains self signed certificates for myservicekey and mystskey.
+ Self signed certificates are not =
appropriate for production use.
+
+
+
+org.apache.ws.security.crypto.provider=3Dorg.apache.ws.security.components=
.crypto.Merlin
+org.apache.ws.security.crypto.merlin.keystore.type=3Djks
+org.apache.ws.security.crypto.merlin.keystore.password=3Dcspass
+org.apache.ws.security.crypto.merlin.keystore.alias=3Dmyclientkey
+org.apache.ws.security.crypto.merlin.keystore.file=3DMETA-INF/clientstore.=
jks
+
+
+
=
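Review bot: the listings added in this hunk (the SampleSTS constructor, STSCallbackHandler, ClientCallbackHandler, the requester snippet, the properties files and the XML descriptors) are indented with non-breaking spaces (the =C2=A0 sequences, U+00A0) instead of ordinary spaces, and several properties and manifest lines end in a space plus a non-breaking space. A reader who pastes the Java code gets an "illegal character" error from javac, and Properties.load keeps trailing non-ASCII whitespace as part of the value, so the trailing characters on the crypto.provider line of stsKeystore.properties would be carried into the Merlin class name; please replace them with plain spaces and strip the trailing whitespace. Two descriptors also lost content relative to the removed listings: the jboss-web.xml DOCTYPE now has an empty system literal where the removed version had http://www.jboss.org/j2ee/dtd/jboss-web_4_0.dtd, and the web.xml xsi:schemaLocation keeps only the namespace URI followed by a blank line, dropping http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd; the same web.xml listing is fused onto the sentence ("descriptor as follows to the deployment:<?xml version ...") and needs its own programlisting. The clientstore.jks paragraph says the store holds certificates for myservicekey and mystskey, but the client signs as myclientkey (keystore.alias in clientKeystore.properties and the "myclientkey" branch of ClientCallbackHandler), so that key pair should be listed too; it reads as copied from the stsKeystore paragraph. Minor text fixes: "STSCLient", "transfered", "retreived", "ClientCallbackHander", "in the first four line", "The components that will be discussed are." (colon, not period), and both "(e.g." before the /mex paragraph and "See the directions in this article" have no visible link target.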
@@ -3365,13 +4237,10 @@
PicketLink
provides facilities for building up an alternative to the Apac=
he CXF Security Token Service implementation.
-
- Similarly to the previous implementation, the STS is served th=
rough a
- WebServiceProvider
- annotated POJO:
-
+ Similarly to the previous implementation, the STS is serve=
d through a WebServiceProvider annotated POJO:
- package org.jboss.test.ws.jaxws.samples.wsse.p=
olicy.trust;
+
+ package org.jboss.test.ws.jaxws.samples.wsse.policy.trust;
=
import javax.annotation.Resource;
import javax.xml.ws.Service;
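Review bot: the rewritten sentence "the STS is served through a WebServiceProvider annotated POJO" drops the @ and the inline markup that the removed form gave the annotation name; the earlier section writes it as @WebServiceProvider, so please restore that spelling and mark it up as code for consistency.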
@@ -3388,18 +4257,21 @@
@ServiceMode(value =3D Service.Mode.MESSAGE)
//be sure to have dependency on org.apache.cxf module when on AS7, otherwi=
se Apache CXF annotations are ignored
@EndpointProperties(value =3D {
- @EndpointProperty(key =3D "ws-security.signature.username", value =
=3D "mystskey"),
- @EndpointProperty(key =3D "ws-security.signature.properties", value =
=3D "stsKeystore.properties"),
- @EndpointProperty(key =3D "ws-security.callback-handler", value =3D =
"org.jboss.test.ws.jaxws.samples.wsse.policy.trust.STSCallbackHandler"),
- @EndpointProperty(key =3D "ws-security.validate.token", value =3D "f=
alse") //to let the JAAS integration deal with validation through the inter=
ceptor below
+(a)EndpointProperty(key =3D "ws-security.signature.username", value =3D "m=
ystskey"),
+(a)EndpointProperty(key =3D "ws-security.signature.properties", value =3D =
"stsKeystore.properties"),
+(a)EndpointProperty(key =3D "ws-security.callback-handler", value =3D "org=
.jboss.test.ws.jaxws.samples.wsse.policy.trust.STSCallbackHandler"),
+(a)EndpointProperty(key =3D "ws-security.validate.token", value =3D "false=
") //to let the JAAS integration deal with validation through the intercept=
or below
})
-(a)InInterceptors(interceptors =3D {"org.jboss.wsf.stack.cxf.security.auth=
entication.SubjectCreatingPolicyInterceptor"})
+(a)InInterceptors(interceptors =3D
+
+)
public class PicketLinkSTService extends PicketLinkSTS {
- @Resource
- public void setWSC(WebServiceContext wctx) {
- this.context =3D wctx;
- }
-}
+(a)Resource
+public void setWSC(WebServiceContext wctx)
+Unknown macro: { this.context =3D wctx; }
+
+}
+
The
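Review bot: the @InInterceptors annotation in the added listing has lost its value. The removed line carried the class name string org.jboss.wsf.stack.cxf.security.authentication.SubjectCreatingPolicyInterceptor, while the added lines are "+(a)InInterceptors(interceptors", an empty line and "+)", which is not valid Java and, more importantly, silently drops the interceptor that the earlier text says performs JAAS authentication of the incoming UsernameToken, so the sample as printed would deploy an STS that does not authenticate requesters. The setWSC method has the same problem: its body is replaced by the wiki-export artifact "Unknown macro:" and the method's indentation is gone. Please restore both from the removed lines. The "(a)" in place of "@" on the annotation lines may be the list archive's address mangling (compare alessio(a)inuyasha in the removed jar listing), but it is worth confirming the committed file has "@".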
@@ -3409,237 +4281,244 @@
implementation:
- <?xml version=3D"1.0"?>
+
+<?xml version=3D"1.0"?>
<wsdl:definitions name=3D"PicketLinkSTS" targetNamespace=3D"urn:picketl=
ink:identity-federation:sts"
- xmlns:tns=3D"urn:picketlink:identity-federation:sts"
- xmlns:xsd=3D"http://www.w3.org/2001/XMLSchema"
- xmlns:wsdl=3D"http://schemas.xmlsoap.org/wsdl/"
- xmlns:wsap10=3D"http://www.w3.org/2006/05/addressing/wsdl"
- xmlns:wsp=3D"http://www.w3.org/ns/ws-policy"
- xmlns:wsu=3D"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wsse=
curity-utility-1.0.xsd"
- xmlns:wst=3D"http://docs.oasis-open.org/ws-sx/ws-trust/200512"
- xmlns:soap12=3D"http://schemas.xmlsoap.org/wsdl/soap12/">
- <wsdl:types>
- <xs:schema elementFormDefault=3D"qualified" targetNamespace=3D'http=
://docs.oasis-open.org/ws-sx/ws-trust/200512' xmlns:xs=3D"http://www.w3.org=
/2001/XMLSchema">
- <xs:element name=3D'RequestSecurityToken' type=3D'wst:AbstractReq=
uestSecurityTokenType' />
- <xs:element name=3D'RequestSecurityTokenResponse' type=3D'wst:Abs=
tractRequestSecurityTokenType' />
- <xs:complexType name=3D'AbstractRequestSecurityTokenType' >
- <xs:sequence>
- <xs:any namespace=3D'##any' processContents=3D'lax' minOccurs=
=3D'0' maxOccurs=3D'unbounded' />
- </xs:sequence>
- <xs:attribute name=3D'Context' type=3D'xs:anyURI' use=3D'option=
al' />
- <xs:anyAttribute namespace=3D'##other' processContents=3D'lax' =
/>
- </xs:complexType>
- <xs:element name=3D'RequestSecurityTokenCollection' type=3D'wst:R=
equestSecurityTokenCollectionType' />
- <xs:complexType name=3D'RequestSecurityTokenCollectionType' >
- <xs:sequence>
- <xs:element name=3D'RequestSecurityToken' type=3D'wst:Abstrac=
tRequestSecurityTokenType' minOccurs=3D'2' maxOccurs=3D'unbounded'/>
- </xs:sequence>
- </xs:complexType>
- <xs:element name=3D'RequestSecurityTokenResponseCollection' type=
=3D'wst:RequestSecurityTokenResponseCollectionType' />
- <xs:complexType name=3D'RequestSecurityTokenResponseCollectionTyp=
e' >
- <xs:sequence>
- <xs:element ref=3D'wst:RequestSecurityTokenResponse' minOccur=
s=3D'1' maxOccurs=3D'unbounded' />
- </xs:sequence>
- <xs:anyAttribute namespace=3D'##other' processContents=3D'lax' =
/>
- </xs:complexType>
- </xs:schema>
- </wsdl:types>
-
- <wsdl:message name=3D"RequestSecurityTokenMsg">
- <wsdl:part name=3D"request" element=3D"wst:RequestSecurityToken" /&=
gt;
- </wsdl:message>
- <wsdl:message name=3D"RequestSecurityTokenResponseCollectionMsg">
- <wsdl:part name=3D"responseCollection"
- element=3D"wst:RequestSecurityTokenResponseCollection"/>
- </wsdl:message>
-
- <wsdl:portType name=3D"SecureTokenService">
- <wsdl:operation name=3D"IssueToken">
- <wsdl:input wsap10:Action=3D"http://docs.oasis-open.org/ws-sx/ws-=
trust/200512/RST/Issue" message=3D"tns:RequestSecurityTokenMsg"/>
- <wsdl:output wsap10:Action=3D"http://docs.oasis-open.org/ws-sx/ws=
-trust/200512/RSTRC/IssueFinal" message=3D"tns:RequestSecurityTokenResponse=
CollectionMsg"/>
- </wsdl:operation>
- </wsdl:portType>
- <wsdl:binding name=3D"STSBinding" type=3D"tns:SecureTokenService">
- <wsp:PolicyReference URI=3D"#UT_policy" />
- <soap12:binding transport=3D"http://schemas.xmlsoap.org/soap/http"/=
>
- <wsdl:operation name=3D"IssueToken">
- <soap12:operation soapAction=3D"http://docs.oasis-open.org/ws-sx/=
ws-trust/200512/RST/Issue" style=3D"document"/>
- <wsdl:input>
- <wsp:PolicyReference URI=3D"#Input_policy" />
- <soap12:body use=3D"literal"/>
- </wsdl:input>
- <wsdl:output>
- <wsp:PolicyReference URI=3D"#Output_policy" />
- <soap12:body use=3D"literal"/>
- </wsdl:output>
- </wsdl:operation>
- </wsdl:binding>
- <wsdl:service name=3D"PicketLinkSTS">
- <wsdl:port name=3D"PicketLinkSTSPort" binding=3D"tns:STSBinding">
- <soap12:address location=3D"http://localhost:8080/picketlink-sts/=
PicketLinkSTS"/>
- </wsdl:port>
- </wsdl:service>
-
- <wsp:Policy wsu:Id=3D"UT_policy">
- <wsp:ExactlyOne>
- <wsp:All>
- <wsap10:UsingAddressing/>
- <sp:SymmetricBinding
- xmlns:sp=3D"http://docs.oasis-open.org/ws-sx/ws-securitypol=
icy/200702">
- <wsp:Policy>
- <sp:ProtectionToken>
- <wsp:Policy>
- <sp:X509Token
- sp:IncludeToken=3D"http://docs.oasis-open.org/w=
s-sx/ws-securitypolicy/200702/IncludeToken/Never">
- <wsp:Policy>
- <sp:RequireDerivedKeys />
- <sp:RequireThumbprintReference />
- <sp:WssX509V3Token10 />
- </wsp:Policy>
- </sp:X509Token>
- </wsp:Policy>
- </sp:ProtectionToken>
- <sp:AlgorithmSuite>
- <wsp:Policy>
- <sp:Basic256 />
- </wsp:Policy>
- </sp:AlgorithmSuite>
- <sp:Layout>
- <wsp:Policy>
- <sp:Lax />
- </wsp:Policy>
- </sp:Layout>
- <sp:IncludeTimestamp />
- <sp:EncryptSignature />
- <sp:OnlySignEntireHeadersAndBody />
- </wsp:Policy>
- </sp:SymmetricBinding>
- <sp:SignedSupportingTokens
- xmlns:sp=3D"http://docs.oasis-open.org/ws-sx/ws-securitypol=
icy/200702">
- <wsp:Policy>
- <sp:UsernameToken
- sp:IncludeToken=3D"http://docs.oasis-open.org/ws-sx/w=
s-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
- <wsp:Policy>
- <sp:WssUsernameToken10 />
- </wsp:Policy>
- </sp:UsernameToken>
- </wsp:Policy>
- </sp:SignedSupportingTokens>
- <sp:Wss11
- xmlns:sp=3D"http://docs.oasis-open.org/ws-sx/ws-securitypol=
icy/200702">
- <wsp:Policy>
- <sp:MustSupportRefKeyIdentifier />
- <sp:MustSupportRefIssuerSerial />
- <sp:MustSupportRefThumbprint />
- <sp:MustSupportRefEncryptedKey />
- </wsp:Policy>
- </sp:Wss11>
- <sp:Trust13
- xmlns:sp=3D"http://docs.oasis-open.org/ws-sx/ws-securitypol=
icy/200702">
- <wsp:Policy>
- <sp:MustSupportIssuedTokens />
- <sp:RequireClientEntropy />
- <sp:RequireServerEntropy />
- </wsp:Policy>
- </sp:Trust13>
- </wsp:All>
- </wsp:ExactlyOne>
- </wsp:Policy>
-
- <wsp:Policy wsu:Id=3D"Input_policy">
- <wsp:ExactlyOne>
- <wsp:All>
- <sp:SignedParts
- xmlns:sp=3D"http://docs.oasis-open.org/ws-sx/ws-securitypol=
icy/200702">
- <sp:Body />
- <sp:Header Name=3D"To"
- Namespace=3D"http://www.w3.org/2005/08/addressing" />
- <sp:Header Name=3D"From"
- Namespace=3D"http://www.w3.org/2005/08/addressing" />
- <sp:Header Name=3D"FaultTo"
- Namespace=3D"http://www.w3.org/2005/08/addressing" />
- <sp:Header Name=3D"ReplyTo"
- Namespace=3D"http://www.w3.org/2005/08/addressing" />
- <sp:Header Name=3D"MessageID"
- Namespace=3D"http://www.w3.org/2005/08/addressing" />
- <sp:Header Name=3D"RelatesTo"
- Namespace=3D"http://www.w3.org/2005/08/addressing" />
- <sp:Header Name=3D"Action"
- Namespace=3D"http://www.w3.org/2005/08/addressing" />
- </sp:SignedParts>
- <sp:EncryptedParts
- xmlns:sp=3D"http://docs.oasis-open.org/ws-sx/ws-securitypol=
icy/200702">
- <sp:Body />
- </sp:EncryptedParts>
- </wsp:All>
- </wsp:ExactlyOne>
- </wsp:Policy>
-
- <wsp:Policy wsu:Id=3D"Output_policy">
- <wsp:ExactlyOne>
- <wsp:All>
- <sp:SignedParts
- xmlns:sp=3D"http://docs.oasis-open.org/ws-sx/ws-securitypol=
icy/200702">
- <sp:Body />
- <sp:Header Name=3D"To"
- Namespace=3D"http://www.w3.org/2005/08/addressing" />
- <sp:Header Name=3D"From"
- Namespace=3D"http://www.w3.org/2005/08/addressing" />
- <sp:Header Name=3D"FaultTo"
- Namespace=3D"http://www.w3.org/2005/08/addressing" />
- <sp:Header Name=3D"ReplyTo"
- Namespace=3D"http://www.w3.org/2005/08/addressing" />
- <sp:Header Name=3D"MessageID"
- Namespace=3D"http://www.w3.org/2005/08/addressing" />
- <sp:Header Name=3D"RelatesTo"
- Namespace=3D"http://www.w3.org/2005/08/addressing" />
- <sp:Header Name=3D"Action"
- Namespace=3D"http://www.w3.org/2005/08/addressing" />
- </sp:SignedParts>
- <sp:EncryptedParts
- xmlns:sp=3D"http://docs.oasis-open.org/ws-sx/ws-securitypol=
icy/200702">
- <sp:Body />
- </sp:EncryptedParts>
- </wsp:All>
- </wsp:ExactlyOne>
- </wsp:Policy>
-
-</wsdl:definitions>
+=C2=A0=C2=A0=C2=A0 xmlns:tns=3D"urn:picketlink:identity-federation:sts"
+=C2=A0=C2=A0=C2=A0 xmlns:xsd=3D"http://www.w3.org/2001/XMLSchema"
+=C2=A0=C2=A0=C2=A0 xmlns:wsdl=3D"http://schemas.xmlsoap.org/wsdl/"
+=C2=A0=C2=A0=C2=A0 xmlns:wsap10=3D"http://www.w3.org/2006/05/addressing/ws=
dl"
+=C2=A0=C2=A0=C2=A0 xmlns:wsp=3D"http://www.w3.org/ns/ws-policy"
+=C2=A0=C2=A0=C2=A0 xmlns:wsu=3D"http://docs.oasis-open.org/wss/2004/01/oas=
is-200401-wss-wssecurity-utility-1.0.xsd"
+=C2=A0=C2=A0=C2=A0 xmlns:wst=3D"http://docs.oasis-open.org/ws-sx/ws-trust/=
200512"
+=C2=A0=C2=A0=C2=A0 xmlns:soap12=3D"http://schemas.xmlsoap.org/wsdl/soap12/=
">
+=C2=A0 <wsdl:types>
+=C2=A0=C2=A0=C2=A0 <xs:schema elementFormDefault=3D"qualified" targetNa=
mespace=3D'http://docs.oasis-open.org/ws-sx/ws-trust/200512' xmlns:xs=3D"ht=
tp://www.w3.org/2001/XMLSchema">
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <xs:element name=3D'RequestSecurityToken=
' type=3D'wst:AbstractRequestSecurityTokenType' />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <xs:element name=3D'RequestSecurityToken=
Response' type=3D'wst:AbstractRequestSecurityTokenType' />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <xs:complexType name=3D'AbstractRequestS=
ecurityTokenType' >
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <xs:sequence>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <xs:any namespac=
e=3D'##any' processContents=3D'lax' minOccurs=3D'0' maxOccurs=3D'unbounded'=
/>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </xs:sequence>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <xs:attribute name=3D'Contex=
t' type=3D'xs:anyURI' use=3D'optional' />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <xs:anyAttribute namespace=
=3D'##other' processContents=3D'lax' />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </xs:complexType>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <xs:element name=3D'RequestSecurityToken=
Collection' type=3D'wst:RequestSecurityTokenCollectionType' />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <xs:complexType name=3D'RequestSecurityT=
okenCollectionType' >
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <xs:sequence>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <xs:element name=
=3D'RequestSecurityToken' type=3D'wst:AbstractRequestSecurityTokenType' min=
Occurs=3D'2' maxOccurs=3D'unbounded'/>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </xs:sequence>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </xs:complexType>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <xs:element name=3D'RequestSecurityToken=
ResponseCollection' type=3D'wst:RequestSecurityTokenResponseCollectionType'=
/>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <xs:complexType name=3D'RequestSecurityT=
okenResponseCollectionType' >
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <xs:sequence>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <xs:element ref=
=3D'wst:RequestSecurityTokenResponse' minOccurs=3D'1' maxOccurs=3D'unbounde=
d' />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </xs:sequence>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <xs:anyAttribute namespace=
=3D'##other' processContents=3D'lax' />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </xs:complexType>
+=C2=A0=C2=A0=C2=A0 </xs:schema>
+=C2=A0 </wsdl:types>
+=C2=A0
+=C2=A0 <wsdl:message name=3D"RequestSecurityTokenMsg">
+=C2=A0=C2=A0=C2=A0 <wsdl:part name=3D"request" element=3D"wst:RequestSe=
curityToken" />
+=C2=A0 </wsdl:message>
+=C2=A0 <wsdl:message name=3D"RequestSecurityTokenResponseCollectionMsg"=
>
+=C2=A0=C2=A0=C2=A0 <wsdl:part name=3D"responseCollection"
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 element=
=3D"wst:RequestSecurityTokenResponseCollection"/>
+=C2=A0 </wsdl:message>
+=C2=A0
+=C2=A0 <wsdl:portType name=3D"SecureTokenService">
+=C2=A0=C2=A0=C2=A0 <wsdl:operation name=3D"IssueToken">
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <wsdl:input wsap10:Action=3D"http://docs=
.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue" message=3D"tns:RequestSecu=
rityTokenMsg"/>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <wsdl:output wsap10:Action=3D"http://doc=
s.oasis-open.org/ws-sx/ws-trust/200512/RSTRC/IssueFinal" message=3D"tns:Req=
uestSecurityTokenResponseCollectionMsg"/>
+=C2=A0=C2=A0=C2=A0 </wsdl:operation>
+=C2=A0 </wsdl:portType>
+=C2=A0 <wsdl:binding name=3D"STSBinding" type=3D"tns:SecureTokenService=
">
+=C2=A0=C2=A0=C2=A0 <wsp:PolicyReference URI=3D"#UT_policy" />
+=C2=A0=C2=A0=C2=A0 <soap12:binding transport=3D"http://schemas.xmlsoap.=
org/soap/http"/>
+=C2=A0=C2=A0=C2=A0 <wsdl:operation name=3D"IssueToken">
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <soap12:operation soapAction=3D"http://d=
ocs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue" style=3D"document"/>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <wsdl:input>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <wsp:PolicyReference URI=3D"=
#Input_policy" />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <soap12:body use=3D"literal"=
/>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </wsdl:input>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <wsdl:output>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <wsp:PolicyReference URI=3D"=
#Output_policy" />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <soap12:body use=3D"literal"=
/>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </wsdl:output>
+=C2=A0=C2=A0=C2=A0 </wsdl:operation>
+=C2=A0 </wsdl:binding>
+=C2=A0 <wsdl:service name=3D"PicketLinkSTS">
+=C2=A0=C2=A0=C2=A0 <wsdl:port name=3D"PicketLinkSTSPort" binding=3D"tns=
:STSBinding">
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <soap12:address location=3D"http://local=
host:8080/picketlink-sts/PicketLinkSTS"/>
+=C2=A0=C2=A0=C2=A0 </wsdl:port>
+=C2=A0 </wsdl:service>
+=C2=A0
+=C2=A0 <wsp:Policy wsu:Id=3D"UT_policy">
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <wsp:ExactlyOne>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <wsp:All>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <wsa=
p10:UsingAddressing/>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <sp:=
SymmetricBinding
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0 xmlns:sp=3D"http://docs.oasis-open.org/ws-sx/ws-securitypolicy=
/200702">
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0 <wsp:Policy>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <sp:ProtectionToken>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <wsp:Policy>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <sp:X=
509Token
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0 sp:IncludeToken=3D"http://docs.oasis-open.org/ws-sx/ws-securitypo=
licy/200702/IncludeToken/Never">
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0 <wsp:Policy>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0 <sp:RequireDerivedKeys />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0 <sp:RequireThumbprintReference />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0 <sp:WssX509V3Token10 />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0 </wsp:Policy>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </sp:=
X509Token>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </wsp:Policy>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </sp:ProtectionToken>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <sp:AlgorithmSuite>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <wsp:Policy>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <sp:B=
asic256 />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </wsp:Policy>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </sp:AlgorithmSuite>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <sp:Layout>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <wsp:Policy>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <sp:L=
ax />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </wsp:Policy>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </sp:Layout>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <sp:IncludeTimestamp />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <sp:EncryptSignature />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <sp:OnlySignEntireHeadersAndBody />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0 </wsp:Policy>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </sp=
:SymmetricBinding>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <sp:=
SignedSupportingTokens
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0 xmlns:sp=3D"http://docs.oasis-open.org/ws-sx/ws-securitypolicy=
/200702">
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0 <wsp:Policy>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <sp:UsernameToken
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 sp:IncludeToken=3D"http://=
docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRec=
ipient">
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <wsp:Policy>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <sp:W=
ssUsernameToken10 />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </wsp:Policy>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </sp:UsernameToken>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0 </wsp:Policy>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </sp=
:SignedSupportingTokens>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <sp:=
Wss11
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0 xmlns:sp=3D"http://docs.oasis-open.org/ws-sx/ws-securitypolicy=
/200702">
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0 <wsp:Policy>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <sp:MustSupportRefKeyIdentifier />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <sp:MustSupportRefIssuerSerial />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <sp:MustSupportRefThumbprint />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <sp:MustSupportRefEncryptedKey />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0 </wsp:Policy>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </sp=
:Wss11>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <sp:=
Trust13
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0 xmlns:sp=3D"http://docs.oasis-open.org/ws-sx/ws-securitypolicy=
/200702">
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0 <wsp:Policy>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <sp:MustSupportIssuedTokens />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <sp:RequireClientEntropy />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <sp:RequireServerEntropy />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0 </wsp:Policy>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </sp=
:Trust13>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </wsp:All>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </wsp:ExactlyOne>
+=C2=A0=C2=A0 </wsp:Policy>
+=C2=A0
+=C2=A0=C2=A0 <wsp:Policy wsu:Id=3D"Input_policy">
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <wsp:ExactlyOne>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <wsp:All>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <sp:=
SignedParts
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0 xmlns:sp=3D"http://docs.oasis-open.org/ws-sx/ws-securitypolicy=
/200702">
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0 <sp:Body />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0 <sp:Header Name=3D"To"
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Namespace=3D"http://www.w3.org/2005/08/addre=
ssing" />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0 <sp:Header Name=3D"From"
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Namespace=3D"http://www.w3.org/2005/08/addre=
ssing" />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0 <sp:Header Name=3D"FaultTo"
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Namespace=3D"http://www.w3.org/2005/08/addre=
ssing" />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0 <sp:Header Name=3D"ReplyTo"
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Namespace=3D"http://www.w3.org/2005/08/addre=
ssing" />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0 <sp:Header Name=3D"MessageID"
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Namespace=3D"http://www.w3.org/2005/08/addre=
ssing" />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0 <sp:Header Name=3D"RelatesTo"
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Namespace=3D"http://www.w3.org/2005/08/addre=
ssing" />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0 <sp:Header Name=3D"Action"
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Namespace=3D"http://www.w3.org/2005/08/addre=
ssing" />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </sp=
:SignedParts>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <sp:=
EncryptedParts
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0 xmlns:sp=3D"http://docs.oasis-open.org/ws-sx/ws-securitypolicy=
/200702">
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0 <sp:Body />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </sp=
:EncryptedParts>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </wsp:All>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </wsp:ExactlyOne>
+=C2=A0=C2=A0 </wsp:Policy>
+=C2=A0
+=C2=A0=C2=A0 <wsp:Policy wsu:Id=3D"Output_policy">
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <wsp:ExactlyOne>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <wsp:All>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <sp:=
SignedParts
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0 xmlns:sp=3D"http://docs.oasis-open.org/ws-sx/ws-securitypolicy=
/200702">
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0 <sp:Body />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0 <sp:Header Name=3D"To"
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Namespace=3D"http://www.w3.org/2005/08/addre=
ssing" />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0 <sp:Header Name=3D"From"
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Namespace=3D"http://www.w3.org/2005/08/addre=
ssing" />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0 <sp:Header Name=3D"FaultTo"
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Namespace=3D"http://www.w3.org/2005/08/addre=
ssing" />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0 <sp:Header Name=3D"ReplyTo"
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Namespace=3D"http://www.w3.org/2005/08/addre=
ssing" />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0 <sp:Header Name=3D"MessageID"
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Namespace=3D"http://www.w3.org/2005/08/addre=
ssing" />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0 <sp:Header Name=3D"RelatesTo"
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Namespace=3D"http://www.w3.org/2005/08/addre=
ssing" />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0 <sp:Header Name=3D"Action"
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Namespace=3D"http://www.w3.org/2005/08/addre=
ssing" />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </sp=
:SignedParts>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <sp:=
EncryptedParts
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0 xmlns:sp=3D"http://docs.oasis-open.org/ws-sx/ws-securitypolicy=
/200702">
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0 <sp:Body />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </sp=
:EncryptedParts>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </wsp:All>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </wsp:ExactlyOne>
+=C2=A0=C2=A0 </wsp:Policy>
+=C2=A0
+</wsdl:definitions>
+
- Differently from the Apache CXF STS example described abov=
e, the PicketLink based STS gets its configuration from a picketlink-sts.xm=
l descriptor which must be added in WEB-INF into the deployment; please ref=
er to the PicketLink documentation for further information:
+ Differently from the Apache CXF STS example described abov=
e, the PicketLink based STS gets its configuration from a picketlink-sts.x=
ml descriptor which must be added in WEB-INF into the deployment; please =
refer to the PicketLink documentation for further information:
- <PicketLinkSTS xmlns=3D"urn:picketlink:iden=
tity-federation:config:1.0"
- STSName=3D"PicketLinkSTS" TokenTimeout=3D"7200" EncryptToken=3D"false">
- <KeyProvider ClassName=3D"org.picketlink.identity.federation.core.impl=
.KeyStoreKeyManager">
- <Auth Key=3D"KeyStoreURL" Value=3D"stsstore.jks"/>
- <Auth Key=3D"KeyStorePass" Value=3D"stsspass"/>
- <Auth Key=3D"SigningKeyAlias" Value=3D"mystskey"/>
- <Auth Key=3D"SigningKeyPass" Value=3D"stskpass"/>
- <ValidatingAlias Key=3D"http://localhost:8080/jaxws-samples-wsse-po=
licy-trust/SecurityService" Value=3D"myservicekey"/>
- </KeyProvider>
- <TokenProviders>
- <TokenProvider ProviderClass=3D"org.picketlink.identity.fed=
eration.core.wstrust.plugins.saml.SAML11TokenProvider"
- TokenType=3D"http://docs.oasis-open.org/wss/oasis-wss-saml=
-token-profile-1.1#SAMLV1.1"
- TokenElement=3D"Assertion"
- TokenElementNS=3D"urn:oasis:names:tc:SAML:1.0:assertion"/>
- <TokenProvider ProviderClass=3D"org.picketlink.identity.fed=
eration.core.wstrust.plugins.saml.SAML20TokenProvider"
- TokenType=3D"http://docs.oasis-open.org/wss/oasis-wss-saml=
-token-profile-1.1#SAMLV2.0"
- TokenElement=3D"Assertion"
- TokenElementNS=3D"urn:oasis:names:tc:SAML:2.0:assertion"/>
- </TokenProviders>
-</PicketLinkSTS>
+
+<PicketLinkSTS xmlns=3D"urn:picketlink:identity-federation:config:1.0"
+=C2=A0=C2=A0=C2=A0 STSName=3D"PicketLinkSTS" TokenTimeout=3D"7200" Encrypt=
Token=3D"false">
+=C2=A0=C2=A0=C2=A0 <KeyProvider ClassName=3D"org.picketlink.identity.fe=
deration.core.impl.KeyStoreKeyManager">
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <Auth Key=3D"KeyStoreURL" Va=
lue=3D"stsstore.jks"/>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <Auth Key=3D"KeyStorePass" V=
alue=3D"stsspass"/>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <Auth Key=3D"SigningKeyAlias=
" Value=3D"mystskey"/>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <Auth Key=3D"SigningKeyPass"=
Value=3D"stskpass"/>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <ValidatingAlias Key=3D"http=
://localhost:8080/jaxws-samples-wsse-policy-trust/SecurityService" Value=3D=
"myservicekey"/>
+=C2=A0=C2=A0=C2=A0 </KeyProvider>
+=C2=A0=C2=A0=C2=A0 <TokenProviders>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <Tok=
enProvider ProviderClass=3D"org.picketlink.identity.federation.core.wstrust=
.plugins.saml.SAML11TokenProvider"
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0 TokenType=3D"http://docs.oasis-open.org/wss/oasis-wss-sa=
ml-token-profile-1.1#SAMLV1.1"
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 TokenEl=
ement=3D"Assertion"
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 TokenEl=
ementNS=3D"urn:oasis:names:tc:SAML:1.0:assertion"/>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <Tok=
enProvider ProviderClass=3D"org.picketlink.identity.federation.core.wstrust=
.plugins.saml.SAML20TokenProvider"
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0 TokenType=3D"http://docs.oasis-open.org/wss/oasis-wss-sa=
ml-token-profile-1.1#SAMLV2.0"
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 TokenEl=
ement=3D"Assertion"
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 TokenEl=
ementNS=3D"urn:oasis:names:tc:SAML:2.0:assertion"/>
+=C2=A0=C2=A0=C2=A0 </TokenProviders>
+</PicketLinkSTS>
+
- Finally, the PicketLink alternative approach of course req=
uires different JBoss AS module dependencies to be declared in the MANIFEST=
.MF:
+ Finally, the PicketLink alternative approach of course req=
uires different JBoss AS module dependencies to be declared in the MANIFE=
ST.MF:
- Manifest-Version: 1.0
+
+Manifest-Version: 1.0
Ant-Version: Apache Ant 1.8.2
Created-By: 1.6.0_26-b03 (Sun Microsystems Inc.)
-Dependencies: org.apache.ws.security,org.apache.cxf,org.picketlink
+Dependencies: org.apache.ws.security,org.apache.cxf,org.picketlink
+Here is how the PicketLink STS endpoint is packaged:
- alessio(a)inuyasha /dati/jbossws/stack/cxf/tru=
nk $ jar -tvf ./modules/testsuite/cxf-tests/target/test-libs/jaxws-samples-=
wsse-policy-trustPicketLink-sts.war
+
+alessio(a)inuyasha /dati/jbossws/stack/cxf/trunk $ jar -tvf ./modules/test=
suite/cxf-tests/target/test-libs/jaxws-samples-wsse-policy-trustPicketLink-=
sts.war
0 Mon Sep 03 17:38:38 CEST 2012 META-INF/
174 Mon Sep 03 17:38:36 CEST 2012 META-INF/MANIFEST.MF
0 Mon Sep 03 17:38:38 CEST 2012 WEB-INF/
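Review bot: The picketlink-sts.xml sample carries the keystore and signing-key passwords in cleartext (`<Auth Key="KeyStorePass" Value="stsspass"/>` and `<Auth Key="SigningKeyPass" Value="stskpass"/>`) with no sentence saying they are test-suite values; the paragraph introducing the descriptor should state that the keystore, aliases, passwords and the hardcoded `http://localhost:8080/...` addresses (both in the `ValidatingAlias` Key and in the WSDL's `soap12:address`) are sample values to be replaced for a real deployment, and that the descriptor lives in `WEB-INF/classes`, so anyone with read access to the archive can read them. The same paragraph leaves `EncryptToken="false"` and `TokenTimeout="7200"` unexplained; a reader who copies this configuration should be told what each controls, since the WSDL policy above requires the SOAP body to be signed and encrypted while these attributes govern the issued token itself. Minor: "Differently from the Apache CXF STS example" reads better as "Unlike the Apache CXF STS example", and the `jar -tvf` listing keeps the author's shell prompt (`alessio(a)inuyasha /dati/jbossws/stack/cxf/trunk $`), which could be trimmed to the bare command.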
@@ -3660,9 +4539,1011 @@
9070 Mon Sep 03 17:38:34 CEST 2012 WEB-INF/wsdl/PicketLinkSTS.wsdl
1267 Mon Sep 03 17:38:34 CEST 2012 WEB-INF/classes/picketlink-sts.xml
1054 Mon Sep 03 16:35:50 CEST 2012 WEB-INF/classes/stsKeystore.properties
- 3978 Mon Sep 03 16:35:50 CEST 2012 WEB-INF/classes/stsstore.jks
+ 3978 Mon Sep 03 16:35:50 CEST 2012 WEB-INF/classes/stsstore.jks
+
+
+ =
+ ActAs WS-Trust Scenario
+
+ The ActAs feature is used in scenarios that require composite =
delegation. It is commonly used in multi-tiered systems where an applica=
tion calls a service on behalf of a logged in user or a service calls anot=
her service on behalf of the original caller.
+ =
+
+
+ ActAs is nothing more than a new sub-element in the RequestSe=
curityToken (RST). It provides additional information about the original =
caller when a token is negotiated with the STS. The ActAs element usually=
takes the form of a token with identity claims such as name, role, and a=
uthorization code, for the client to access the service.
+ =
+
+
+ The ActAs scenario is an extension of
+ the basic WS-Trust scenario
+ . In this example the ActAs service calls the ws-service on =
behalf of a user. There are only a couple of additions to the basic scena=
rio's code. An ActAs web service provider and callback handler have been =
added. The ActAs web services' WSDL imposes the same security policies =
as the ws-provider. UsernameTokenCallbackHandler is new. It is a utility =
that generates the content for the ActAs element. And lastly there are a =
couple of code additions in the STS to support the ActAs request.
+
+
+ =
+ ActAs Web service provider
+ This section examines the web service elements from the =
basic WS-Trust scenario that have been changed to address the needs of the=
ActAs example. The components are
+
+
+ ActAs web service provider's WSDL
+
+
+ ActAs web service provider's Interface and Implement=
ation classes.
+
+
+ ActAsCallbackHandler class
+
+
+ UsernameTokenCallbackHandler
+
+
+ Crypto properties and keystore files
+
+
+ MANIFEST.MF
+
+
+
+
+ =
+ ActAs Web service provider WSDL
+ The ActAs web service provider's WSDL is a clone of the =
ws-provider's WSDL. The wsp:Policy section is the same. There are change=
s to the service endpoint, targetNamespace, portType, binding name, and s=
ervice.
+
+
+<?xml version=3D"1.0" encoding=3D"UTF-8" standalone=3D"yes"?>
+<definitions targetNamespace=3D"http://www.jboss.org/jbossws/ws-extensi=
ons/actaswssecuritypolicy" name=3D"ActAsService"
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 x=
mlns:tns=3D"http://www.jboss.org/jbossws/ws-extensions/actaswssecuritypolic=
y"
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 x=
mlns:xsd=3D"http://www.w3.org/2001/XMLSchema"
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 x=
mlns:soap=3D"http://schemas.xmlsoap.org/wsdl/soap/"
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 x=
mlns=3D"http://schemas.xmlsoap.org/wsdl/"
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 x=
mlns:wsp=3D"http://www.w3.org/ns/ws-policy"
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 x=
mlns:wsam=3D"http://www.w3.org/2007/05/addressing/metadata"
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 x=
mlns:wsu=3D"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecur=
ity-utility-1.0.xsd"
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 x=
mlns:wsaws=3D"http://www.w3.org/2005/08/addressing"
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 x=
mlns:sp=3D"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 x=
mlns:t=3D"http://docs.oasis-open.org/ws-sx/ws-trust/200512">
+=C2=A0=C2=A0=C2=A0 <types>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <xsd:schema>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <xsd=
:import namespace=3D"http://www.jboss.org/jbossws/ws-extensions/actaswssecu=
ritypolicy"
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 schemaLocation=3D"ActAsService_s=
chema1.xsd"/>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </xsd:schema>
+=C2=A0=C2=A0=C2=A0 </types>
+=C2=A0=C2=A0=C2=A0 <message name=3D"sayHello">
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <part name=3D"parameters" el=
ement=3D"tns:sayHello"/>
+=C2=A0=C2=A0=C2=A0 </message>
+=C2=A0=C2=A0=C2=A0 <message name=3D"sayHelloResponse">
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <part name=3D"parameters" el=
ement=3D"tns:sayHelloResponse"/>
+=C2=A0=C2=A0=C2=A0 </message>
+=C2=A0=C2=A0=C2=A0 <portType name=3D"ActAsServiceIface">
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <operation name=3D"sayHello"=
>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <inp=
ut message=3D"tns:sayHello"/>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <out=
put message=3D"tns:sayHelloResponse"/>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </operation>
+=C2=A0=C2=A0=C2=A0 </portType>
+=C2=A0=C2=A0=C2=A0 <binding name=3D"ActAsServicePortBinding" type=3D"tn=
s:ActAsServiceIface">
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <wsp:PolicyReference URI=3D"=
#AsymmetricSAML2Policy" />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <soap:binding transport=3D"h=
ttp://schemas.xmlsoap.org/soap/http" style=3D"document"/>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <operation name=3D"sayHello"=
>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <soa=
p:operation soapAction=3D""/>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <inp=
ut>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0 <soap:body use=3D"literal"/>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0 <wsp:PolicyReference URI=3D"#Input_Policy" />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </in=
put>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <out=
put>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0 <soap:body use=3D"literal"/>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0 <wsp:PolicyReference URI=3D"#Output_Policy" />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </ou=
tput>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </operation>
+=C2=A0=C2=A0=C2=A0 </binding>
+=C2=A0=C2=A0=C2=A0 <service name=3D"ActAsService">
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <port name=3D"ActAsServicePo=
rt" binding=3D"tns:ActAsServicePortBinding">
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <soa=
p:address location=3D"http://@jboss.bind.address@:8080/jaxws-samples-wsse-p=
olicy-trust-actas/ActAsService"/>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </port>
+=C2=A0=C2=A0=C2=A0 </service>
+
+</definitions>
+
+
+
+
+ =
+ ActAs Web Service Interface
+ The web service provider interface class, ActAsServiceIf=
ace, is a simple web service definition.
+
+
+package org.jboss.test.ws.jaxws.samples.wsse.policy.trust.actas; =C2=A0
+=C2=A0
+import javax.jws.WebMethod; =C2=A0
+import javax.jws.WebService; =C2=A0
+=C2=A0
+(a)WebService =C2=A0
+( =C2=A0
+=C2=A0=C2=A0 targetNamespace =3D "http://www.jboss.org/jbossws/ws-extensio=
ns/actaswssecuritypolicy" =C2=A0
+) =C2=A0
+public interface ActAsServiceIface =C2=A0
+{ =C2=A0
+=C2=A0=C2=A0 @WebMethod =C2=A0
+=C2=A0=C2=A0 String sayHello(); =C2=A0
+}
+
+
+
+
+ =
+ ActAs Web Service Implementation
+
+ The web service provider implementation class, ActAsServiceI=
mpl, is a simple POJO. It uses the standard WebService annotation to defi=
ne the service endpoint and two Apache WSS4J annotations, EndpointPropert=
ies and EndpointProperty used for configuring the endpoint for the CXF ru=
ntime. The WSS4J configuration information provided is for WSS4J's Crypto=
Merlin implementation.
+ =
+
+ ActAsServiceImpl is calling ServiceImpl acting on behal=
f of the user. Method setupService performs the requisite configuration s=
etup.
+
+
+package org.jboss.test.ws.jaxws.samples.wsse.policy.trust.actas; =C2=A0
+=C2=A0
+import org.apache.cxf.Bus; =C2=A0
+import org.apache.cxf.BusFactory; =C2=A0
+import org.apache.cxf.annotations.EndpointProperties; =C2=A0
+import org.apache.cxf.annotations.EndpointProperty; =C2=A0
+import org.apache.cxf.ws.security.SecurityConstants; =C2=A0
+import org.apache.cxf.ws.security.trust.STSClient; =C2=A0
+import org.jboss.test.ws.jaxws.samples.wsse.policy.trust.service.ServiceIf=
ace; =C2=A0
+import org.jboss.test.ws.jaxws.samples.wsse.policy.trust.shared.WSTrustApp=
Utils; =C2=A0
+=C2=A0
+import javax.jws.WebService; =C2=A0
+import javax.xml.namespace.QName; =C2=A0
+import javax.xml.ws.BindingProvider; =C2=A0
+import javax.xml.ws.Service; =C2=A0
+import java.net.MalformedURLException; =C2=A0
+import java.net.URL; =C2=A0
+import java.util.Map; =C2=A0
+=C2=A0
+(a)WebService =C2=A0
+( =C2=A0
+=C2=A0=C2=A0 portName =3D "ActAsServicePort", =C2=A0
+=C2=A0=C2=A0 serviceName =3D "ActAsService", =C2=A0
+=C2=A0=C2=A0 wsdlLocation =3D "WEB-INF/wsdl/ActAsService.wsdl", =C2=A0
+=C2=A0=C2=A0 targetNamespace =3D "http://www.jboss.org/jbossws/ws-extensio=
ns/actaswssecuritypolicy", =C2=A0
+=C2=A0=C2=A0 endpointInterface =3D "org.jboss.test.ws.jaxws.samples.wsse.p=
olicy.trust.actas.ActAsServiceIface" =C2=A0
+) =C2=A0
+=C2=A0
+(a)EndpointProperties(value =3D { =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 @EndpointProperty(key =3D "ws-security.sign=
ature.username", value =3D "myactaskey"), =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 @EndpointProperty(key =3D "ws-security.sign=
ature.properties", value =3D=C2=A0 "actasKeystore.properties"), =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 @EndpointProperty(key =3D "ws-security.encr=
yption.properties", value =3D "actasKeystore.properties"), =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 @EndpointProperty(key =3D "ws-security.call=
back-handler", value =3D "org.jboss.test.ws.jaxws.samples.wsse.policy.trust=
.actas.ActAsCallbackHandler") =C2=A0
+}) =C2=A0
+=C2=A0
+public class ActAsServiceImpl implements ActAsServiceIface =C2=A0
+{ =C2=A0
+=C2=A0=C2=A0 public String sayHello() { =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 try { =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 ServiceIface proxy =3D se=
tupService(); =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 return "ActAs " + proxy.s=
ayHello(); =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 } catch (MalformedURLException e) { =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 e.printStackTrace(); =C2=
=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 } =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 return null; =C2=A0
+=C2=A0=C2=A0 } =C2=A0
+=C2=A0
+=C2=A0=C2=A0 private=C2=A0 ServiceIface setupService()throws MalformedURLE=
xception { =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 ServiceIface proxy =3D null; =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Bus bus =3D BusFactory.newInstance().create=
Bus(); =C2=A0
+=C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 try { =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 BusFactory.setThreadDefau=
ltBus(bus); =C2=A0
+=C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 final String serviceURL =
=3D "http://" + WSTrustAppUtils.getServerHost() + ":8080/jaxws-samples-wsse=
-policy-trust/SecurityService"; =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 final QName serviceName =
=3D new QName("http://www.jboss.org/jbossws/ws-extensions/wssecuritypolicy"=
, "SecurityService"); =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 final URL wsdlURL =3D new=
URL(serviceURL + "?wsdl"); =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Service service =3D Servi=
ce.create(wsdlURL, serviceName); =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 proxy =3D (ServiceIface) =
service.getPort(ServiceIface.class); =C2=A0
+=C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Map<String, Object>=
ctx =3D ((BindingProvider) proxy).getRequestContext(); =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 ctx.put(SecurityConstants=
.CALLBACK_HANDLER, new ActAsCallbackHandler()); =C2=A0
+=C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 ctx.put(SecurityConstants=
.SIGNATURE_PROPERTIES, =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Thread.=
currentThread().getContextClassLoader().getResource("actasKeystore.properti=
es" )); =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 ctx.put(SecurityConstants=
.SIGNATURE_USERNAME, "myactaskey" ); =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 ctx.put(SecurityConstants=
.ENCRYPT_PROPERTIES, =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Thread.=
currentThread().getContextClassLoader().getResource("../../META-INF/clientK=
eystore.properties" )); =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 ctx.put(SecurityConstants=
.ENCRYPT_USERNAME, "myservicekey"); =C2=A0
+=C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 STSClient stsClient =3D n=
ew STSClient(bus); =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Map<String, Object>=
props =3D stsClient.getProperties(); =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 props.put(SecurityConstan=
ts.USERNAME, "alice"); =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 props.put(SecurityConstan=
ts.ENCRYPT_USERNAME, "mystskey"); =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 props.put(SecurityConstan=
ts.STS_TOKEN_USERNAME, "myactaskey" ); =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 props.put(SecurityConstan=
ts.STS_TOKEN_PROPERTIES, =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Thread.=
currentThread().getContextClassLoader().getResource("actasKeystore.properti=
es" )); =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 props.put(SecurityConstan=
ts.STS_TOKEN_USE_CERT_FOR_KEYINFO, "true"); =C2=A0
+=C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 ctx.put(SecurityConstants=
.STS_CLIENT, stsClient); =C2=A0
+=C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 } finally { =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 bus.shutdown(true); =C2=
=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 } =C2=A0
+=C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 return proxy; =C2=A0
+=C2=A0=C2=A0 } =C2=A0
+=C2=A0
+}
+
+
+
+
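Review bot: in setupService the proxy and the STSClient are both created on `bus`, yet the finally block calls `bus.shutdown(true)` before the proxy is returned and invoked from sayHello; either move the invocation inside the try or explain in the text why calling the proxy after its bus has been shut down is safe. Two smaller points in the same listing: `ENCRYPT_PROPERTIES` is loaded with `getResource("../../META-INF/clientKeystore.properties")`, a parent-relative classpath lookup that many class loaders cannot resolve and that points the ActAs service at a file named clientKeystore.properties even though the "Crypto properties and keystore files" section says the service must provide its own credentials; and the STSClient properties set `USERNAME` to "alice" without a `CALLBACK_HANDLER` (the requester snippet later in the chapter does set one on the STSClient), so state where the STS UsernameToken password for alice is expected to come from. Finally, `catch (MalformedURLException e) { e.printStackTrace(); }` followed by `return null` turns a configuration error into a NullPointerException at `proxy.sayHello()`; rethrowing as a WebServiceException would be clearer for a sample.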
+ =
+ ActAsCallbackHandler
+ ActAsCallbackHandler is a callback handler for the WSS4J=
Crypto API. It is used to obtain the password for the private key in the=
keystore. This class enables CXF to retrieve the password of the user na=
me to use for the message signature. This class has been revised to retur=
n the passwords for this service, myactaskey and the "actas" user, alice.=
+
+
+package org.jboss.test.ws.jaxws.samples.wsse.policy.trust.actas; =C2=A0
+=C2=A0
+import org.jboss.wsf.stack.cxf.extensions.security.PasswordCallbackHandler=
; =C2=A0
+import java.util.HashMap; =C2=A0
+import java.util.Map; =C2=A0
+=C2=A0
+public class ActAsCallbackHandler extends PasswordCallbackHandler { =C2=A0
+=C2=A0
+=C2=A0=C2=A0 public ActAsCallbackHandler() =C2=A0
+=C2=A0=C2=A0 { =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 super(getInitMap()); =C2=A0
+=C2=A0=C2=A0 } =C2=A0
+=C2=A0
+=C2=A0=C2=A0 private static Map<String, String> getInitMap() =C2=A0
+=C2=A0=C2=A0 { =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Map<String, String> passwords =3D new=
HashMap<String, String>(); =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 passwords.put("myactaskey", "aspass"); =C2=
=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 passwords.put("alice", "clarinet"); =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 return passwords; =C2=A0
+=C2=A0=C2=A0 } =C2=A0
+}
+
+
+
+
+ =
+ UsernameTokenCallbackHandler
+
+ The ActAs and OnBeholdOf su=
b-elements of the RequestSecurityToken are required to be defined as WSSE =
Username Tokens. This utility generates the properly formated element.
+
+
+
+package org.jboss.test.ws.jaxws.samples.wsse.policy.trust.shared; =C2=A0
+=C2=A0
+import org.apache.cxf.helpers.DOMUtils; =C2=A0
+import org.apache.cxf.message.Message; =C2=A0
+import org.apache.cxf.ws.security.SecurityConstants; =C2=A0
+import org.apache.cxf.ws.security.trust.delegation.DelegationCallback; =C2=
=A0
+import org.apache.ws.security.WSConstants; =C2=A0
+import org.apache.ws.security.message.token.UsernameToken; =C2=A0
+import org.w3c.dom.Document; =C2=A0
+import org.w3c.dom.Node; =C2=A0
+import org.w3c.dom.Element; =C2=A0
+import org.w3c.dom.ls.DOMImplementationLS; =C2=A0
+import org.w3c.dom.ls.LSSerializer; =C2=A0
+=C2=A0
+import javax.security.auth.callback.Callback; =C2=A0
+import javax.security.auth.callback.CallbackHandler; =C2=A0
+import javax.security.auth.callback.UnsupportedCallbackException; =C2=A0
+import java.io.IOException; =C2=A0
+import java.util.Map; =C2=A0
+=C2=A0
+/**
+* A utility to provide the 3 different input parameter types for jaxws pro=
perty
+* "ws-security.sts.token.act-as" and "ws-security.sts.token.on-behalf-of".
+* This implementation obtains a username and password via the jaxws proper=
ty
+* "ws-security.username" and "ws-security.password" respectively, as defin=
ed
+* in SecurityConstants.=C2=A0 It creates a wss UsernameToken to be used as=
the
+* delegation token.
+*/ =C2=A0
+=C2=A0
+public class UsernameTokenCallbackHandler implements CallbackHandler { =C2=
=A0
+=C2=A0
+=C2=A0=C2=A0 public void handle(Callback[] callbacks) =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 throws IOException, UnsupportedCallbackExce=
ption { =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 for (int i =3D 0; i < callbacks.length; =
i++) { =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 if (callbacks[i] instance=
of DelegationCallback) { =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Delegat=
ionCallback callback =3D (DelegationCallback) callbacks[i]; =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Message=
message =3D callback.getCurrentMessage(); =C2=A0
+=C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 String =
username =3D =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0 (String)message.getContextualProperty(SecurityConstants.USERNA=
ME); =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 String =
password =3D =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0 (String)message.getContextualProperty(SecurityConstants.PASSWO=
RD); =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 if (use=
rname !=3D null) { =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0 Node contentNode =3D message.getContent(Node.class); =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0 Document doc =3D null; =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0 if (contentNode !=3D null) { =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 doc =3D contentNode.getOwnerDocument(); =C2=
=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0 } else { =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 doc =3D DOMUtils.createDocument(); =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0 } =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0 UsernameToken usernameToken =3D createWSSEUsernameToken(userna=
me,password, doc); =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0 callback.setToken(usernameToken.getElement()); =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 } =C2=
=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 } else { =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 throw n=
ew UnsupportedCallbackException(callbacks[i], "Unrecognized Callback"); =C2=
=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 } =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 } =C2=A0
+=C2=A0=C2=A0 } =C2=A0
+=C2=A0
+=C2=A0=C2=A0 /**
+=C2=A0=C2=A0=C2=A0 * Provide UsernameToken as a string.
+=C2=A0=C2=A0=C2=A0 * @param ctx
+=C2=A0=C2=A0=C2=A0 * @return
+=C2=A0=C2=A0=C2=A0 */ =C2=A0
+=C2=A0=C2=A0 public String getUsernameTokenString(Map<String, Object>=
; ctx){ =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Document doc =3D DOMUtils.createDocument();=
=C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 String result =3D null; =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 String username =3D (String)ctx.get(Securit=
yConstants.USERNAME); =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 String password =3D (String)ctx.get(Securit=
yConstants.PASSWORD); =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 if (username !=3D null) { =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 UsernameToken usernameTok=
en =3D createWSSEUsernameToken(username,password, doc); =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 result =3D toString(usern=
ameToken.getElement().getFirstChild().getParentNode()); =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 } =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 return result; =C2=A0
+=C2=A0=C2=A0 } =C2=A0
+=C2=A0
+=C2=A0=C2=A0 /**
+=C2=A0=C2=A0=C2=A0 *
+=C2=A0=C2=A0=C2=A0 * @param username
+=C2=A0=C2=A0=C2=A0 * @param password
+=C2=A0=C2=A0=C2=A0 * @return
+=C2=A0=C2=A0=C2=A0 */ =C2=A0
+=C2=A0=C2=A0 public String getUsernameTokenString(String username, String =
password){ =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Document doc =3D DOMUtils.createDocument();=
=C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 String result =3D null; =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 if (username !=3D null) { =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 UsernameToken usernameTok=
en =3D createWSSEUsernameToken(username,password, doc); =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 result =3D toString(usern=
ameToken.getElement().getFirstChild().getParentNode()); =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 } =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 return result; =C2=A0
+=C2=A0=C2=A0 } =C2=A0
+=C2=A0
+=C2=A0=C2=A0 /**
+=C2=A0=C2=A0=C2=A0 * Provide UsernameToken as a DOM Element.
+=C2=A0=C2=A0=C2=A0 * @param ctx
+=C2=A0=C2=A0=C2=A0 * @return
+=C2=A0=C2=A0=C2=A0 */ =C2=A0
+=C2=A0=C2=A0 public Element getUsernameTokenElement(Map<String, Object&=
gt; ctx){ =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Document doc =3D DOMUtils.createDocument();=
=C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Element result =3D null; =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 UsernameToken usernameToken =3D null; =C2=
=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 String username =3D (Stri=
ng)ctx.get(SecurityConstants.USERNAME); =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 String password =3D (String)ctx.get(Securit=
yConstants.PASSWORD); =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 if (username !=3D null) { =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 usernameToken =3D createW=
SSEUsernameToken(username,password, doc); =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 result =3D usernameToken.=
getElement(); =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 } =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 return result; =C2=A0
+=C2=A0=C2=A0 } =C2=A0
+=C2=A0
+=C2=A0=C2=A0 /**
+=C2=A0=C2=A0=C2=A0 *
+=C2=A0=C2=A0=C2=A0 * @param username
+=C2=A0=C2=A0=C2=A0 * @param password
+=C2=A0=C2=A0=C2=A0 * @return
+=C2=A0=C2=A0=C2=A0 */ =C2=A0
+=C2=A0=C2=A0 public Element getUsernameTokenElement(String username, Strin=
g password){ =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Document doc =3D DOMUtils.createDocument();=
=C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Element result =3D null; =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 UsernameToken usernameToken =3D null; =C2=
=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 if (username !=3D null) { =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 usernameToken =3D createW=
SSEUsernameToken(username,password, doc); =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 result =3D usernameToken.=
getElement(); =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 } =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 return result; =C2=A0
+=C2=A0=C2=A0 } =C2=A0
+=C2=A0
+=C2=A0=C2=A0 private UsernameToken createWSSEUsernameToken(String username=
, String password, Document doc) { =C2=A0
+=C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 UsernameToken usernameToken =3D new Usernam=
eToken(true, doc, =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 (password =3D=3D null)? n=
ull: WSConstants.PASSWORD_TEXT); =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 usernameToken.setName(username); =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 usernameToken.addWSUNamespace(); =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 usernameToken.addWSSENamespace(); =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 usernameToken.setID("id-" + username); =C2=
=A0
+=C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 if (password !=3D null){ =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 usernameToken.setPassword=
(password); =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 } =C2=A0
+=C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 return usernameToken; =C2=A0
+=C2=A0=C2=A0 } =C2=A0
+=C2=A0
+=C2=A0
+=C2=A0=C2=A0 private String toString(Node node) { =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 String str =3D null; =C2=A0
+=C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 if (node !=3D null) { =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 DOMImplementationLS lsImp=
l =3D (DOMImplementationLS) =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 node.ge=
tOwnerDocument().getImplementation().getFeature("LS", "3.0"); =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 LSSerializer serializer =
=3D lsImpl.createLSSerializer(); =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 serializer.getDomConfig()=
.setParameter("xml-declaration", false); //by default its true, so set it t=
o false to get String without xml-declaration =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 str =3D serializer.writeT=
oString(node); =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 } =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 return str; =C2=A0
+=C2=A0=C2=A0 } =C2=A0
+=C2=A0
+}
+
+
+
+
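Review bot: the paragraph introducing this class says "ActAs and OnBeholdOf sub-elements"; the element is OnBehalfOf, as spelled elsewhere in this chapter, and "formated" should be "formatted". In the code, `usernameToken.getElement().getFirstChild().getParentNode()` in both getUsernameTokenString methods is simply `usernameToken.getElement()` written the long way round, and the four getUsernameToken* methods are pairwise duplicates that differ only in whether username and password come from the ctx map; have the Map variants delegate to the (String, String) ones. `setID("id-" + username)` also makes the wsu:Id depend on a caller-supplied string that need not be a valid NCName; a generated id avoids that.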
+ =
+ Crypto properties and keystore files
+
+ The ActAs service must prov=
ide its own credentials. The requisite properties file, actasKeystore.pro=
perties, and keystore, actasstore.jks, were created.
+
+
+
+org.apache.ws.security.crypto.provider=3Dorg.apache.ws.security.components=
.crypto.Merlin =C2=A0
+org.apache.ws.security.crypto.merlin.keystore.type=3Djks =C2=A0
+org.apache.ws.security.crypto.merlin.keystore.password=3Daapass =C2=A0
+org.apache.ws.security.crypto.merlin.keystore.alias=3Dmyactaskey =C2=A0
+org.apache.ws.security.crypto.merlin.keystore.file=3Dactasstore.jks
+
+
+
+
+ =
+ MANIFEST.MF
+
+ When deployed on JBoss Appl=
ication Server this application requires access to the JBossWs and CXF API=
s provided in modules org.jboss.ws.cxf.jbossws-cxf-client and org.apache.c=
xf. The Apache CXF internals, org.apache.cxf.impl, are needed in handlin=
g the ActAs and OnBehalfOf extensions. The dependency statement directs t=
he server to provide them at deployment.
+
+
+
+Manifest-Version: 1.0 =C2=A0
+Ant-Version: Apache Ant 1.8.2 =C2=A0
+Created-By: 1.7.0_25-b15 (Oracle Corporation) =C2=A0
+Dependencies: org.jboss.ws.cxf.jbossws-cxf-client, org.apache.cxf.impl
+
+
+
+
+
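Review bot: the MANIFEST.MF text says the application needs the org.jboss.ws.cxf.jbossws-cxf-client and org.apache.cxf modules plus org.apache.cxf.impl, but the Dependencies line that follows lists only `org.jboss.ws.cxf.jbossws-cxf-client, org.apache.cxf.impl`; either add org.apache.cxf to the manifest or say that jbossws-cxf-client makes it available, since the SampleSTS listing below carries a comment that CXF annotations are ignored without that module. The `Ant-Version` and `Created-By` lines are build-tool output and can be dropped from a documentation sample. In the Crypto properties section, "were created" gives the reader no way to reproduce actasstore.jks (alias, key type, keytool invocation), and the clear-text `keystore.password=aapass` should be marked as sample material.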
+ =
+ ActAs Security Token Service
+ This section examines the STS elements from the basic WS-T=
rust scenario that have been changed to address the needs of the ActAs ex=
ample. The components are.
+
+
+ STS's implementation class.
+
+
+ STSCallbackHandler class
+
+
+
+ =
+ STS Implementation class
+
+ The initial description of SampleSTS can be found
+ here
+ .
+ =
+
+
+ The declaration of the set of allowed token recipients by a=
ddress has been extended to accept ActAs addresses and OnBehalfOf address=
es. The addresses are specified as reg-ex patterns.
+ =
+
+ The TokenIssueOperation requires class, UsernameTokenVa=
lidator be provided in order to validate the contents of the OnBehalfOf cl=
aims and class, UsernameTokenDelegationHandler to be provided in order to =
process the token delegation request of the ActAs on OnBehalfOf user.
+
+
+=C2=A0package org.jboss.test.ws.jaxws.samples.wsse.policy.trust.sts;
+
+import java.util.Arrays;
+import java.util.LinkedList;
+import java.util.List;
+
+import javax.xml.ws.WebServiceProvider;
+
+import org.apache.cxf.annotations.EndpointProperties;
+import org.apache.cxf.annotations.EndpointProperty;
+import org.apache.cxf.interceptor.InInterceptors;
+import org.apache.cxf.sts.StaticSTSProperties;
+import org.apache.cxf.sts.operation.TokenIssueOperation;
+import org.apache.cxf.sts.operation.TokenValidateOperation;
+import org.apache.cxf.sts.service.ServiceMBean;
+import org.apache.cxf.sts.service.StaticService;
+import org.apache.cxf.sts.token.delegation.UsernameTokenDelegationHandler;
+import org.apache.cxf.sts.token.provider.SAMLTokenProvider;
+import org.apache.cxf.sts.token.validator.SAMLTokenValidator;
+import org.apache.cxf.sts.token.validator.UsernameTokenValidator;
+import org.apache.cxf.ws.security.sts.provider.SecurityTokenServiceProvide=
r;
+
+(a)WebServiceProvider(serviceName =3D "SecurityTokenService",
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 portName =3D "UT_Port",
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 targetNamespace =3D "http://docs.oasis-open=
.org/ws-sx/ws-trust/200512/",
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 wsdlLocation =3D "WEB-INF/wsdl/ws-trust-1.4=
-service.wsdl")
+//be sure to have dependency on org.apache.cxf module when on AS7, otherwi=
se Apache CXF annotations are ignored
+(a)EndpointProperties(value =3D {
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 @EndpointProperty(key =3D "ws-security.sign=
ature.username", value =3D "mystskey"),
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 @EndpointProperty(key =3D "ws-security.sign=
ature.properties", value =3D "stsKeystore.properties"),
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 @EndpointProperty(key =3D "ws-security.call=
back-handler", value =3D "org.jboss.test.ws.jaxws.samples.wsse.policy.trust=
.sts.STSCallbackHandler"),
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 @EndpointProperty(key =3D "ws-security.vali=
date.token", value =3D "false") //to let the JAAS integration deal with val=
idation through the interceptor below
+})
+(a)InInterceptors(interceptors =3D {"org.jboss.wsf.stack.cxf.security.auth=
entication.SubjectCreatingPolicyInterceptor"})
+public class SampleSTS extends SecurityTokenServiceProvider
+{
+=C2=A0=C2=A0 public SampleSTS() throws Exception
+=C2=A0=C2=A0 {
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 super();
+=C2=A0=C2=A0=C2=A0=C2=A0 =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 StaticSTSProperties props =3D new StaticSTS=
Properties();
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 props.setSignatureCryptoProperties("stsKeys=
tore.properties");
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 props.setSignatureUsername("mystskey");
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 props.setCallbackHandlerClass(STSCallbackHa=
ndler.class.getName());
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 props.setIssuer("DoubleItSTSIssuer");
+=C2=A0=C2=A0=C2=A0=C2=A0 =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 List<ServiceMBean> services =3D new L=
inkedList<ServiceMBean>();
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 StaticService service =3D new StaticService=
();
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 service.setEndpoints(Arrays.asList(
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 "http://localhost:(\\d)*/=
jaxws-samples-wsse-policy-trust/SecurityService",
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 "http://\\[::1\\]:(\\d)*/=
jaxws-samples-wsse-policy-trust/SecurityService",
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 "http://\\[0:0:0:0:0:0:0:=
1\\]:(\\d)*/jaxws-samples-wsse-policy-trust/SecurityService",
+
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 "http://localhost:(\\d)*/=
jaxws-samples-wsse-policy-trust-actas/ActAsService",
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 "http://\\[::1\\]:(\\d)*/=
jaxws-samples-wsse-policy-trust-actas/ActAsService",
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 "http://\\[0:0:0:0:0:0:0:=
1\\]:(\\d)*/jaxws-samples-wsse-policy-trust-actas/ActAsService",
+
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 "http://localhost:(\\d)*/=
jaxws-samples-wsse-policy-trust-onbehalfof/OnBehalfOfService",
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 "http://\\[::1\\]:(\\d)*/=
jaxws-samples-wsse-policy-trust-onbehalfof/OnBehalfOfService",
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 "http://\\[0:0:0:0:0:0:0:=
1\\]:(\\d)*/jaxws-samples-wsse-policy-trust-onbehalfof/OnBehalfOfService"
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 ));
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 services.add(service);
+=C2=A0=C2=A0=C2=A0=C2=A0 =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 TokenIssueOperation issueOperation =3D new =
TokenIssueOperation();
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 issueOperation.setServices(services);
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 issueOperation.getTokenProviders().add(new =
SAMLTokenProvider());
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 // required for OnBehalfOf
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 issueOperation.getTokenValidators().add(new=
UsernameTokenValidator());
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 // added for OnBehalfOf and ActAs
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 issueOperation.getDelegationHandlers().add(=
new UsernameTokenDelegationHandler());
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 issueOperation.setStsProperties(props);
+=C2=A0=C2=A0=C2=A0=C2=A0 =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 TokenValidateOperation validateOperation =
=3D new TokenValidateOperation();
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 validateOperation.getTokenValidators().add(=
new SAMLTokenValidator());
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 validateOperation.setStsProperties(props);
+=C2=A0=C2=A0=C2=A0=C2=A0 =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 this.setIssueOperation(issueOperation);
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 this.setValidateOperation(validateOperation=
);
+=C2=A0=C2=A0 }
+}
+
+
+
+
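Review bot: the prose above the listing says the delegation handler processes "the token delegation request of the ActAs on OnBehalfOf user"; that should read "ActAs or OnBehalfOf". The endpoint patterns use `(\\d)*`, which also matches an address with an empty port such as `http://localhost:/...`; `\\d+` expresses the intent. More importantly, the text should state what the STS actually verifies for the delegated identity: the requester section builds the ActAs UsernameToken with `ch.getUsernameTokenString("myactaskey", null)`, that is without a password, so `UsernameTokenDelegationHandler` cannot authenticate the ActAs identity from the token itself; document what the handler checks so readers do not assume the ActAs name is verified beyond the requester's own authentication.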
+ =
+ STSCallbackHandler
+ The user, alice, and corresponding password was required=
to be added for the ActAs example.
+
+
+package org.jboss.test.ws.jaxws.samples.wsse.policy.trust.sts; =C2=A0
+=C2=A0
+import java.util.HashMap; =C2=A0
+import java.util.Map; =C2=A0
+=C2=A0
+import org.jboss.wsf.stack.cxf.extensions.security.PasswordCallbackHandler=
; =C2=A0
+=C2=A0
+public class STSCallbackHandler extends PasswordCallbackHandler =C2=A0
+{ =C2=A0
+=C2=A0=C2=A0 public STSCallbackHandler() =C2=A0
+=C2=A0=C2=A0 { =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 super(getInitMap()); =C2=A0
+=C2=A0=C2=A0 } =C2=A0
+=C2=A0
+=C2=A0=C2=A0 private static Map<String, String> getInitMap() =C2=A0
+=C2=A0=C2=A0 { =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Map<String, String> passwords =3D new=
HashMap<String, String>(); =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 passwords.put("mystskey", "stskpass"); =C2=
=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 passwords.put("alice", "clarinet"); =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 return passwords; =C2=A0
+=C2=A0=C2=A0 } =C2=A0
+}
+
+
+
+
+
+ =
+ ActAs Web service requester
+ This section examines the ws-requester elements from the b=
asic WS-Trust scenario that have been changed to address the needs of the=
ActAs example. The component is
+
+
+ ActAs web service requester implementation class
+
+
+
+ =
+ ActAs Web service requester Implementation
+ The ActAs ws-requester, the client, uses standard proced=
ures for creating a reference to the web service in the first four lines. =
To address the endpoint security requirements, the web service's "Request=
Context" is configured via the BindingProvider. Information needed in th=
e message generation is provided through it. The ActAs user, myactaskey, i=
s declared in this section and UsernameTokenCallbackHandler is used to pro=
vide the contents of the ActAs element to the STSClient. In this example a=
STSClient object is created and provided to the proxy's request context. =
The alternative is to provide keys tagged with the ".it" suffix as was do=
ne in [the Basic Scenario client|../../../../../../../../../../../#WS-Trust=
andSTS-WebservicerequesterImplementation||||\||]. The use of ActAs is conf=
igured through the props map using the SecurityConstants.STS_TOKEN_ACT_AS k=
ey. The alternative is to use the STSClient.setActAs method.
+
+
+ final QName serviceName =3D new QName("http://www.jboss.org/jbossws/ws-ex=
tensions/actaswssecuritypolicy", "ActAsService"); =C2=A0
+final URL wsdlURL =3D new URL(serviceURL + "?wsdl"); =C2=A0
+Service service =3D Service.create(wsdlURL, serviceName); =C2=A0
+ActAsServiceIface proxy =3D (ActAsServiceIface) service.getPort(ActAsServi=
ceIface.class); =C2=A0
+=C2=A0
+Bus bus =3D BusFactory.newInstance().createBus(); =C2=A0
+try { =C2=A0
+=C2=A0=C2=A0=C2=A0 BusFactory.setThreadDefaultBus(bus); =C2=A0
+=C2=A0
+=C2=A0=C2=A0=C2=A0 Map<String, Object> ctx =3D proxy.getRequestConte=
xt(); =C2=A0
+=C2=A0
+=C2=A0=C2=A0=C2=A0 ctx.put(SecurityConstants.CALLBACK_HANDLER, new ClientC=
allbackHandler()); =C2=A0
+=C2=A0=C2=A0=C2=A0 ctx.put(SecurityConstants.ENCRYPT_PROPERTIES, =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Thread.currentThread().getConte=
xtClassLoader().getResource(
+ "META-INF/clientKeystore.properties")); =C2=A0
+=C2=A0=C2=A0=C2=A0 ctx.put(SecurityConstants.ENCRYPT_USERNAME, "myactaskey=
"); =C2=A0
+=C2=A0=C2=A0=C2=A0 ctx.put(SecurityConstants.SIGNATURE_PROPERTIES, =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Thread.currentThread().getConte=
xtClassLoader().getResource(
+ "META-INF/clientKeystore.properties")); =C2=A0
+=C2=A0=C2=A0=C2=A0 ctx.put(SecurityConstants.SIGNATURE_USERNAME, "myclient=
key"); =C2=A0
+=C2=A0
+ // Generate the ActAs element contents and pass to the STSClient as a =
string
+=C2=A0=C2=A0=C2=A0 UsernameTokenCallbackHandler ch =3D new UsernameTokenCa=
llbackHandler(); =C2=A0
+=C2=A0=C2=A0=C2=A0 String str =3D ch.getUsernameTokenString("myactaskey", =
null); =C2=A0
+=C2=A0=C2=A0=C2=A0 ctx.put(SecurityConstants.STS_TOKEN_ACT_AS, str); =C2=
=A0
+=C2=A0
+=C2=A0=C2=A0=C2=A0 STSClient stsClient =3D new STSClient(bus); =C2=A0
+=C2=A0=C2=A0=C2=A0 Map<String, Object> props =3D stsClient.getProper=
ties(); =C2=A0
+=C2=A0=C2=A0=C2=A0 props.put(SecurityConstants.USERNAME, "bob"); =C2=A0
+=C2=A0=C2=A0=C2=A0 props.put(SecurityConstants.CALLBACK_HANDLER, new Clien=
tCallbackHandler()); =C2=A0
+=C2=A0=C2=A0=C2=A0 props.put(SecurityConstants.ENCRYPT_PROPERTIES, =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Thread.currentThread().getConte=
xtClassLoader().getResource(
+ "META-INF/clientKeystore.properties")); =C2=A0
+=C2=A0=C2=A0=C2=A0 props.put(SecurityConstants.ENCRYPT_USERNAME, "mystskey=
"); =C2=A0
+=C2=A0=C2=A0=C2=A0 props.put(SecurityConstants.STS_TOKEN_USERNAME, "myclie=
ntkey"); =C2=A0
+=C2=A0=C2=A0=C2=A0 props.put(SecurityConstants.STS_TOKEN_PROPERTIES, =C2=
=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Thread.currentThread().getConte=
xtClassLoader().getResource(
+ "META-INF/clientKeystore.properties")); =C2=A0
+=C2=A0=C2=A0=C2=A0 props.put(SecurityConstants.STS_TOKEN_USE_CERT_FOR_KEYI=
NFO, "true"); =C2=A0
+=C2=A0
+=C2=A0=C2=A0=C2=A0 ctx.put(SecurityConstants.STS_CLIENT, stsClient); =C2=
=A0
+} finally { =C2=A0
+=C2=A0=C2=A0=C2=A0 bus.shutdown(true); =C2=A0
+} =C2=A0
+proxy.sayHello();
+
+
+
+
+
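Review bot: `Map<String, Object> ctx = proxy.getRequestContext();` does not compile, because `proxy` is typed as ActAsServiceIface; it needs the `((BindingProvider) proxy)` cast used in the ActAsServiceImpl listing. The text also says the ActAs element "is configured through the props map using the SecurityConstants.STS_TOKEN_ACT_AS key", but the code puts it in `ctx`, the proxy's request context, not in the STSClient `props`; align one with the other. `proxy.sayHello()` is invoked after the finally block has already called `bus.shutdown(true)` on the bus the STSClient was created with; move the call inside the try. The fragment "as was done in [the Basic Scenario client|../../../../../../../../../../../#WS-TrustandSTS-WebservicerequesterImplementation||||\||]" is leaked Confluence link markup and should become a DocBook link to the basic scenario's requester section, and `serviceURL` is used without being declared, so either show its definition or say it comes from the surrounding test.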
+ =
+ OnBehalfOf WS-Trust Scenario
+
+ The OnBehalfOf feature is used in scenarios that use the proxy=
pattern. In such scenarios, the client cannot access the STS directly, =
instead it communicates through a proxy gateway. The proxy gateway authent=
icates the caller and puts information about the caller into the OnBehalfO=
f element of the RequestSecurityToken (RST) sent to the real STS for proce=
ssing. The resulting token contains only claims related to the client of t=
he proxy, making the proxy completely transparent to the receiver of the i=
ssued token.
+ =
+
+
+ OnBehalfOf is nothing more than a new sub-element in the RST.=
It provides additional information about the original caller when a toke=
n is negotiated with the STS. The OnBehalfOf element usually takes the fo=
rm of a token with identity claims such as name, role, and authorization =
code, for the client to access the service.
+ =
+
+
+ The OnBehalfOf scenario is an extension of
+ the basic WS-Trust scenario
+ . In this example the OnBehalfOf service calls the ws-servic=
e on behalf of a user. There are only a couple of additions to the basic =
scenario's code. An OnBehalfOf web service provider and callback handler =
have been added. The OnBehalfOf web services' WSDL imposes the same sec=
urity policies as the ws-provider. UsernameTokenCallbackHandler is a utili=
ty shared with ActAs. It generates the content for the OnBehalfOf element=
. And lastly there are code additions in the STS that both OnBehalfOf and=
ActAs share in common.
+ =
+
+
+ Infor here [
+ Open Source Security: Apache CXF 2.5.1 STS updates
+ ]
+
+
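Review bot: "Infor here [ Open Source Security: Apache CXF 2.5.1 STS updates ]" is an unfinished editorial placeholder ("Infor" for "Info", and the bracketed title carries no URL or link element); either turn it into a proper citation of that post or remove it before release. In the preceding paragraph "The OnBehalfOf web services' WSDL" should be "web service's WSDL".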
+ =
+ OnBehalfOf Web service provider
+ This section examines the web service elements from the =
basic WS-Trust scenario that have been changed to address the needs of the=
OnBehalfOf example. The components are.
+
+
+ OnBehalfOf web service provider's WSDL
+
+
+ OnBehalfOf web service provider's Interface and Impl=
ementation classes.
+
+
+ OnBehalfOfCallbackHandler class
+
+
+
+
+ =
+ OnBehalfOf Web service provider WSDL
+ The OnBehalfOf web service provider's WSDL is a clone of=
the ws-provider's WSDL. The wsp:Policy section is the same. There are =
changes to the service endpoint, targetNamespace, portType, binding name,=
and service.
+
+
+<?xml version=3D"1.0" encoding=3D"UTF-8" standalone=3D"yes"?>
+<definitions targetNamespace=3D"http://www.jboss.org/jbossws/ws-extensi=
ons/onbehalfofwssecuritypolicy" name=3D"OnBehalfOfService"
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 x=
mlns:tns=3D"http://www.jboss.org/jbossws/ws-extensions/onbehalfofwssecurity=
policy"
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 x=
mlns:xsd=3D"http://www.w3.org/2001/XMLSchema"
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 x=
mlns:soap=3D"http://schemas.xmlsoap.org/wsdl/soap/"
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 x=
mlns=3D"http://schemas.xmlsoap.org/wsdl/"
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 x=
mlns:wsp=3D"http://www.w3.org/ns/ws-policy"
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 x=
mlns:wsam=3D"http://www.w3.org/2007/05/addressing/metadata"
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 x=
mlns:wsu=3D"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecur=
ity-utility-1.0.xsd"
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 x=
mlns:wsaws=3D"http://www.w3.org/2005/08/addressing"
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 x=
mlns:sp=3D"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 x=
mlns:t=3D"http://docs.oasis-open.org/ws-sx/ws-trust/200512">
+=C2=A0=C2=A0=C2=A0 <types>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <xsd:schema>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <xsd=
:import namespace=3D"http://www.jboss.org/jbossws/ws-extensions/onbehalfofw=
ssecuritypolicy"
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 schemaLocation=3D"OnBehalfOfService_schema1.=
xsd"/>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </xsd:schema>
+=C2=A0=C2=A0=C2=A0 </types>
+=C2=A0=C2=A0=C2=A0 <message name=3D"sayHello">
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <part name=3D"parameters" el=
ement=3D"tns:sayHello"/>
+=C2=A0=C2=A0=C2=A0 </message>
+=C2=A0=C2=A0=C2=A0 <message name=3D"sayHelloResponse">
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <part name=3D"parameters" el=
ement=3D"tns:sayHelloResponse"/>
+=C2=A0=C2=A0=C2=A0 </message>
+=C2=A0=C2=A0=C2=A0 <portType name=3D"OnBehalfOfServiceIface">
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <operation name=3D"sayHello"=
>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <inp=
ut message=3D"tns:sayHello"/>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <out=
put message=3D"tns:sayHelloResponse"/>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </operation>
+=C2=A0=C2=A0=C2=A0 </portType>
+=C2=A0=C2=A0=C2=A0 <binding name=3D"OnBehalfOfServicePortBinding" type=
=3D"tns:OnBehalfOfServiceIface">
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <wsp:PolicyReference URI=3D"=
#AsymmetricSAML2Policy" />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <soap:binding transport=3D"h=
ttp://schemas.xmlsoap.org/soap/http" style=3D"document"/>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <operation name=3D"sayHello"=
>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <soa=
p:operation soapAction=3D""/>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <inp=
ut>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0 <soap:body use=3D"literal"/>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0 <wsp:PolicyReference URI=3D"#Input_Policy" />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </in=
put>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <out=
put>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0 <soap:body use=3D"literal"/>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0 <wsp:PolicyReference URI=3D"#Output_Policy" />
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </ou=
tput>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </operation>
+=C2=A0=C2=A0=C2=A0 </binding>
+=C2=A0=C2=A0=C2=A0 <service name=3D"OnBehalfOfService">
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <port name=3D"OnBehalfOfServ=
icePort" binding=3D"tns:OnBehalfOfServicePortBinding">
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <soa=
p:address location=3D"http://@jboss.bind.address@:8080/jaxws-samples-wsse-p=
olicy-trust-onbehalfof/OnBehalfOfService"/>
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </port>
+=C2=A0=C2=A0=C2=A0 </service>
+</definitions>=C2=A0
+
+
+
+
+ =
+ OnBehalfOf Web Service Interface
+ The web service provider interface class, OnBehalfOfServ=
iceIface, is a simple web service definition.
+
+
+package org.jboss.test.ws.jaxws.samples.wsse.policy.trust.onbehalfof; =C2=
=A0
+=C2=A0
+import javax.jws.WebMethod; =C2=A0
+import javax.jws.WebService; =C2=A0
+=C2=A0
+(a)WebService =C2=A0
+( =C2=A0
+=C2=A0=C2=A0 targetNamespace =3D "http://www.jboss.org/jbossws/ws-extensio=
ns/onbehalfofwssecuritypolicy" =C2=A0
+) =C2=A0
+public interface OnBehalfOfServiceIface =C2=A0
+{ =C2=A0
+=C2=A0=C2=A0 @WebMethod =C2=A0
+=C2=A0=C2=A0 String sayHello(); =C2=A0
+}
+
+
+
+
+ =
+ OnBehalfOf Web Service Implementation
+ The web service provider implementation class, OnBehalfO=
fServiceImpl, is a simple POJO. It uses the standard WebService annotatio=
n to define the service endpoint and two Apache WSS4J annotations, Endpoi=
ntProperties and EndpointProperty used for configuring the endpoint for th=
e CXF runtime. The WSS4J configuration information provided is for WSS4J=
's Crypto Merlin implementation.
+ OnBehalfOfServiceImpl is calling the ServiceImpl acting=
on behalf of the user. Method setupService performs the requisite config=
uration setup.
+
+
+package org.jboss.test.ws.jaxws.samples.wsse.policy.trust.onbehalfof; =C2=
=A0
+=C2=A0
+import org.apache.cxf.Bus; =C2=A0
+import org.apache.cxf.BusFactory; =C2=A0
+import org.apache.cxf.annotations.EndpointProperties; =C2=A0
+import org.apache.cxf.annotations.EndpointProperty; =C2=A0
+import org.apache.cxf.ws.security.SecurityConstants; =C2=A0
+import org.apache.cxf.ws.security.trust.STSClient; =C2=A0
+import org.jboss.test.ws.jaxws.samples.wsse.policy.trust.service.ServiceIf=
ace; =C2=A0
+import org.jboss.test.ws.jaxws.samples.wsse.policy.trust.shared.WSTrustApp=
Utils; =C2=A0
+=C2=A0
+import javax.jws.WebService; =C2=A0
+import javax.xml.namespace.QName; =C2=A0
+import javax.xml.ws.BindingProvider; =C2=A0
+import javax.xml.ws.Service; =C2=A0
+import java.net.*; =C2=A0
+import java.util.Map; =C2=A0
+=C2=A0
+(a)WebService =C2=A0
+( =C2=A0
+=C2=A0=C2=A0 portName =3D "OnBehalfOfServicePort", =C2=A0
+=C2=A0=C2=A0 serviceName =3D "OnBehalfOfService", =C2=A0
+=C2=A0=C2=A0 wsdlLocation =3D "WEB-INF/wsdl/OnBehalfOfService.wsdl", =C2=
=A0
+=C2=A0=C2=A0 targetNamespace =3D "http://www.jboss.org/jbossws/ws-extensio=
ns/onbehalfofwssecuritypolicy", =C2=A0
+=C2=A0=C2=A0 endpointInterface =3D "org.jboss.test.ws.jaxws.samples.wsse.p=
olicy.trust.onbehalfof.OnBehalfOfServiceIface" =C2=A0
+) =C2=A0
+=C2=A0
+(a)EndpointProperties(value =3D { =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 @EndpointProperty(key =3D "ws-security.sign=
ature.username", value =3D "myactaskey"), =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 @EndpointProperty(key =3D "ws-security.sign=
ature.properties", value =3D=C2=A0 "actasKeystore.properties"), =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 @EndpointProperty(key =3D "ws-security.encr=
yption.properties", value =3D "actasKeystore.properties"), =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 @EndpointProperty(key =3D "ws-security.call=
back-handler", value =3D "org.jboss.test.ws.jaxws.samples.wsse.policy.trust=
.onbehalfof.OnBehalfOfCallbackHandler") =C2=A0
+}) =C2=A0
+=C2=A0
+public class OnBehalfOfServiceImpl implements OnBehalfOfServiceIface =C2=
=A0
+{ =C2=A0
+=C2=A0=C2=A0 public String sayHello() { =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 try { =C2=A0
+=C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 ServiceIface proxy =3D se=
tupService(); =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 return "OnBehalfOf " + pr=
oxy.sayHello(); =C2=A0
+=C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 } catch (MalformedURLException e) { =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 e.printStackTrace(); =C2=
=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 } =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 return null; =C2=A0
+=C2=A0=C2=A0 } =C2=A0
+=C2=A0
+=C2=A0=C2=A0 /**
+=C2=A0=C2=A0=C2=A0 *
+=C2=A0=C2=A0=C2=A0 * @return
+=C2=A0=C2=A0=C2=A0 * @throws MalformedURLException
+=C2=A0=C2=A0=C2=A0 */ =C2=A0
+=C2=A0=C2=A0 private=C2=A0 ServiceIface setupService()throws MalformedURLE=
xception { =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 ServiceIface proxy =3D null; =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Bus bus =3D BusFactory.newInstance().create=
Bus(); =C2=A0
+=C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 try { =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 BusFactory.setThreadDefau=
ltBus(bus); =C2=A0
+=C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 final String serviceURL =
=3D "http://" + WSTrustAppUtils.getServerHost() + ":8080/jaxws-samples-wsse=
-policy-trust/SecurityService"; =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 final QName serviceName =
=3D new QName("http://www.jboss.org/jbossws/ws-extensions/wssecuritypolicy"=
, "SecurityService"); =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 final URL wsdlURL =3D new=
URL(serviceURL + "?wsdl"); =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Service service =3D Servi=
ce.create(wsdlURL, serviceName); =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 proxy =3D (ServiceIface) =
service.getPort(ServiceIface.class); =C2=A0
+=C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Map<String, Object>=
ctx =3D ((BindingProvider) proxy).getRequestContext(); =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 ctx.put(SecurityConstants=
.CALLBACK_HANDLER, new OnBehalfOfCallbackHandler()); =C2=A0
+=C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 ctx.put(SecurityConstants=
.SIGNATURE_PROPERTIES, =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Thread.=
currentThread().getContextClassLoader().getResource(
+ "actasKeystore.properties" )); =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 ctx.put(SecurityConstants=
.SIGNATURE_USERNAME, "myactaskey" ); =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 ctx.put(SecurityConstants=
.ENCRYPT_PROPERTIES, =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Thread.=
currentThread().getContextClassLoader().getResource(
+ "../../META-INF/clientKeystore.properties" )); =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 ctx.put(SecurityConstants=
.ENCRYPT_USERNAME, "myservicekey"); =C2=A0
+=C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 STSClient stsClient =3D n=
ew STSClient(bus); =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Map<String, Object>=
props =3D stsClient.getProperties(); =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 props.put(SecurityConstan=
ts.USERNAME, "bob"); =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 props.put(SecurityConstan=
ts.ENCRYPT_USERNAME, "mystskey"); =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 props.put(SecurityConstan=
ts.STS_TOKEN_USERNAME, "myactaskey" ); =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 props.put(SecurityConstan=
ts.STS_TOKEN_PROPERTIES, =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Thread.=
currentThread().getContextClassLoader().getResource(
+ "actasKeystore.properties" )); =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 props.put(SecurityConstan=
ts.STS_TOKEN_USE_CERT_FOR_KEYINFO, "true"); =C2=A0
+=C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 ctx.put(SecurityConstants=
.STS_CLIENT, stsClient); =C2=A0
+=C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 } finally { =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 bus.shutdown(true); =C2=
=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 } =C2=A0
+=C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 return proxy; =C2=A0
+=C2=A0=C2=A0 } =C2=A0
+=C2=A0
+}
+
+
+
+
+ =
+ OnBehalfOfCallbackHandler
+ OnBehalfOfCallbackHandler is a callback handler for the =
WSS4J Crypto API. It is used to obtain the password for the private key i=
n the keystore. This class enables CXF to retrieve the password of the us=
er name to use for the message signature. This class has been revised to =
return the passwords for this service, myactaskey and the "OnBehalfOf" user=
, alice.
+
+
+=C2=A0package org.jboss.test.ws.jaxws.samples.wsse.policy.trust.onbehalfof=
; =C2=A0
+=C2=A0
+import org.jboss.wsf.stack.cxf.extensions.security.PasswordCallbackHandler=
; =C2=A0
+import java.util.HashMap; =C2=A0
+import java.util.Map; =C2=A0
+=C2=A0
+public class OnBehalfOfCallbackHandler extends PasswordCallbackHandler { =
=C2=A0
+=C2=A0
+=C2=A0=C2=A0 public OnBehalfOfCallbackHandler() =C2=A0
+=C2=A0=C2=A0 { =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 super(getInitMap()); =C2=A0
+=C2=A0=C2=A0 } =C2=A0
+=C2=A0
+=C2=A0=C2=A0 private static Map<String, String> getInitMap() =C2=A0
+=C2=A0=C2=A0 { =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Map<String, String> passwords =3D new=
HashMap<String, String>(); =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 passwords.put("myactaskey", "aspass"); =C2=
=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 passwords.put("alice", "clarinet"); =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 passwords.put("bob", "trombone"); =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 return passwords; =C2=A0
+=C2=A0=C2=A0 } =C2=A0
+=C2=A0
+}
+
+
+
+
+
+ =
+ OnBehalfOf Web service requester
+ This section examines the ws-requester elements from the b=
asic WS-Trust scenario that have been changed to address the needs of the =
OnBehalfOf example. The component is
+
+
+ OnBehalfOf web service requester implementation class<=
/para>
+
+
+
+ =
+ OnBehalfOf Web service requester Implementation
+
+ The OnBehalfOf ws-requester, the client, uses standard proce=
dures for creating a reference to the web service in the first four lines. =
To address the endpoint security requirements, the web service's "Request =
Context" is configured via the BindingProvider. Information needed in the m=
essage generation is provided through it. The OnBehalfOf user, alice, is d=
eclared in this section and the callbackHandler, UsernameTokenCallbackHandl=
er is provided to the STSClient for generation of the contents for the OnBe=
halfOf message element. In this example a STSClient object is created and =
provided to the proxy's request context. The alternative is to provide keys=
tagged with the ".it" suffix as was done in
+ the Basic Scenario client
+ . The use of OnBehalfOf is configured by the method call st=
sClient.setOnBehalfOf. The alternative is to use the key SecurityConstants=
.STS_TOKEN_ON_BEHALF_OF and a value in the props map.
+
+
+
+final QName serviceName =3D new QName("http://www.jboss.org/jbossws/ws-ext=
ensions/onbehalfofwssecuritypolicy", "OnBehalfOfService"); =C2=A0
+final URL wsdlURL =3D new URL(serviceURL + "?wsdl"); =C2=A0
+Service service =3D Service.create(wsdlURL, serviceName); =C2=A0
+OnBehalfOfServiceIface proxy =3D (OnBehalfOfServiceIface) service.getPort(=
OnBehalfOfServiceIface.class); =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 =C2=A0
+=C2=A0
+Bus bus =3D BusFactory.newInstance().createBus(); =C2=A0
+try { =C2=A0
+=C2=A0=C2=A0 =C2=A0
+=C2=A0=C2=A0=C2=A0 BusFactory.setThreadDefaultBus(bus); =C2=A0
+=C2=A0
+=C2=A0=C2=A0=C2=A0 Map<String, Object> ctx =3D proxy.getRequestConte=
xt(); =C2=A0
+=C2=A0
+=C2=A0=C2=A0=C2=A0 ctx.put(SecurityConstants.CALLBACK_HANDLER, new ClientC=
allbackHandler()); =C2=A0
+=C2=A0=C2=A0=C2=A0 ctx.put(SecurityConstants.ENCRYPT_PROPERTIES, =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Thread.currentThread().getConte=
xtClassLoader().getResource(
+ "META-INF/clientKeystore.properties")); =C2=A0
+=C2=A0=C2=A0=C2=A0 ctx.put(SecurityConstants.ENCRYPT_USERNAME, "myactaskey=
"); =C2=A0
+=C2=A0=C2=A0=C2=A0 ctx.put(SecurityConstants.SIGNATURE_PROPERTIES, =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Thread.currentThread().getConte=
xtClassLoader().getResource(
+ "META-INF/clientKeystore.properties")); =C2=A0
+=C2=A0=C2=A0=C2=A0 ctx.put(SecurityConstants.SIGNATURE_USERNAME, "myclient=
key");
+
+ // user and password OnBehalfOf user
+ // UsernameTokenCallbackHandler will extract this information when cal=
led
+=C2=A0=C2=A0=C2=A0 ctx.put(SecurityConstants.USERNAME,"alice"); =C2=A0
+=C2=A0=C2=A0=C2=A0 ctx.put(SecurityConstants.PASSWORD, "clarinet"); =C2=A0
+=C2=A0
+=C2=A0=C2=A0=C2=A0 STSClient stsClient =3D new STSClient(bus);
+
+ // Providing the STSClient the mechanism to create the claims contents=
for OnBehalfOf=C2=A0
+=C2=A0=C2=A0=C2=A0 stsClient.setOnBehalfOf(new UsernameTokenCallbackHandle=
r()); =C2=A0
+=C2=A0
+=C2=A0=C2=A0=C2=A0 Map<String, Object> props =3D stsClient.getProper=
ties(); =C2=A0
+=C2=A0=C2=A0=C2=A0 props.put(SecurityConstants.CALLBACK_HANDLER, new Clien=
tCallbackHandler()); =C2=A0
+=C2=A0=C2=A0=C2=A0 props.put(SecurityConstants.ENCRYPT_PROPERTIES, =C2=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Thread.currentThread().getConte=
xtClassLoader().getResource(
+ "META-INF/clientKeystore.properties")); =C2=A0
+=C2=A0=C2=A0=C2=A0 props.put(SecurityConstants.ENCRYPT_USERNAME, "mystskey=
"); =C2=A0
+=C2=A0=C2=A0=C2=A0 props.put(SecurityConstants.STS_TOKEN_USERNAME, "myclie=
ntkey"); =C2=A0
+=C2=A0=C2=A0=C2=A0 props.put(SecurityConstants.STS_TOKEN_PROPERTIES, =C2=
=A0
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Thread.currentThread().getConte=
xtClassLoader().getResource(
+ "META-INF/clientKeystore.properties")); =C2=A0
+=C2=A0=C2=A0=C2=A0 props.put(SecurityConstants.STS_TOKEN_USE_CERT_FOR_KEYI=
NFO, "true"); =C2=A0
+=C2=A0
+=C2=A0=C2=A0=C2=A0 ctx.put(SecurityConstants.STS_CLIENT, stsClient); =C2=
=A0
+=C2=A0=C2=A0 =C2=A0
+} finally { =C2=A0
+=C2=A0=C2=A0=C2=A0 bus.shutdown(true); =C2=A0
+} =C2=A0
+proxy.sayHello();
+
+
+
+
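Review bot: the "OnBehalfOf Web Service Implementation" paragraph misattributes the annotations: it says the class uses "two Apache WSS4J annotations, EndpointProperties and EndpointProperty", but the listing imports them from `org.apache.cxf.annotations.EndpointProperties` and `org.apache.cxf.annotations.EndpointProperty`, so they are Apache CXF annotations (the values they carry are WSS4J/CXF ws-security properties); reword to "two Apache CXF annotations" to avoid misleading readers about where they come from. In the same listing, `setupService()` resolves `ENCRYPT_PROPERTIES` with `getContextClassLoader().getResource("../../META-INF/clientKeystore.properties")`; `ClassLoader.getResource` does not normalise `../` segments and will typically return `null` here, which CXF would only surface as a failure at encryption time, so please confirm this path is what the deployed sample actually ships with (the requester listing uses the plain `META-INF/clientKeystore.properties` form). Also in that listing, `sayHello()` catches `MalformedURLException`, prints the stack trace and falls through to `return null`, and the Javadoc on `setupService()` is an empty `@return`/`@throws` stub; either fill in the Javadoc or drop it, and consider noting in the text that the sample swallows the error. Finally, the `OnBehalfOfCallbackHandler` prose says the class returns the passwords for "myactaskey and the OnBehalfOf user, alice", while the map also contains `bob`; mention the STS user there too (or remove the entry), and fix the typo "Infor here [" to "Info here [" and end "The components are." with a colon since a list follows.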
--===============4387143128788065075==--