Author: asoldano
Date: 2014-03-17 06:40:11 -0400 (Mon, 17 Mar 2014)
New Revision: 18530
Modified:
stack/cxf/trunk/modules/dist/src/main/doc/Author_Group.xml
stack/cxf/trunk/modules/dist/src/main/doc/Book_Info.xml
stack/cxf/trunk/modules/dist/src/main/doc/Preface.xml
stack/cxf/trunk/modules/dist/src/main/doc/Revision_History.xml
stack/cxf/trunk/modules/dist/src/main/doc/chapter-5-Advanced_User_Guide.xml
Log:
Updating doc
Modified: stack/cxf/trunk/modules/dist/src/main/doc/Author_Group.xml
===================================================================
--- stack/cxf/trunk/modules/dist/src/main/doc/Author_Group.xml 2014-03-17 10:37:51 UTC
(rev 18529)
+++ stack/cxf/trunk/modules/dist/src/main/doc/Author_Group.xml 2014-03-17 10:40:11 UTC
(rev 18530)
@@ -15,4 +15,8 @@
<firstname>Jim</firstname>
<surname>Ma</surname>
</author>
+ <author>
+ <firstname>Rebecca</firstname>
+ <surname>Searls</surname>
+ </author>
</authorgroup>
Modified: stack/cxf/trunk/modules/dist/src/main/doc/Book_Info.xml
===================================================================
--- stack/cxf/trunk/modules/dist/src/main/doc/Book_Info.xml 2014-03-17 10:37:51 UTC (rev
18529)
+++ stack/cxf/trunk/modules/dist/src/main/doc/Book_Info.xml 2014-03-17 10:40:11 UTC (rev
18530)
@@ -4,7 +4,7 @@
<title>JBoss Web Services Documentation</title>
<!--<subtitle></subtitle>-->
<productname>JBossWS - CXF</productname>
- <productnumber>4.1.1.Final</productnumber>
+ <productnumber>4.3.0.Final</productnumber>
<!-- <edition>ToDo</edition>
<pubsnumber>ToDo</pubsnumber> -->
<abstract>
Modified: stack/cxf/trunk/modules/dist/src/main/doc/Preface.xml
===================================================================
--- stack/cxf/trunk/modules/dist/src/main/doc/Preface.xml 2014-03-17 10:37:51 UTC (rev
18529)
+++ stack/cxf/trunk/modules/dist/src/main/doc/Preface.xml 2014-03-17 10:40:11 UTC (rev
18530)
@@ -2,5 +2,5 @@
<!DOCTYPE preface PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
<preface id="preface-JBoss_Web_Services_Documentation">
<title>Preface</title>
- <para>This book covers the documentation of the current JBossWS release. The
documentation for JBossWS 4 series, with a special focus on the JBoss Application Server
7.x integration, is also available <ulink
url="https://docs.jboss.org/author/display/JBWS">online</...
+ <para>This book covers the documentation of the current JBossWS release. The
documentation for JBossWS 4 series, with a special focus on the JBoss Application Server
7.x / WildFly 8.x integration, is also available <ulink
url="https://docs.jboss.org/author/display/JBWS">online</...
</preface>
Modified: stack/cxf/trunk/modules/dist/src/main/doc/Revision_History.xml
===================================================================
--- stack/cxf/trunk/modules/dist/src/main/doc/Revision_History.xml 2014-03-17 10:37:51 UTC
(rev 18529)
+++ stack/cxf/trunk/modules/dist/src/main/doc/Revision_History.xml 2014-03-17 10:40:11 UTC
(rev 18530)
@@ -102,6 +102,20 @@
</simplelist>
</revdescription>
</revision>
+ <revision>
+ <revnumber>4.3.0</revnumber>
+ <date>Mon Mar 17 2014</date>
+ <author>
+ <firstname>Alessio</firstname>
+ <surname>Soldano</surname>
+ <email>alessio.soldano(a)jboss.com</email>
+ </author>
+ <revdescription>
+ <simplelist>
+ <member>JBossWS-CXF 4.3.0 documentation</member>
+ </simplelist>
+ </revdescription>
+ </revision>
</revhistory>
</simpara>
</appendix>
Modified: stack/cxf/trunk/modules/dist/src/main/doc/chapter-5-Advanced_User_Guide.xml
===================================================================
--- stack/cxf/trunk/modules/dist/src/main/doc/chapter-5-Advanced_User_Guide.xml 2014-03-17
10:37:51 UTC (rev 18529)
+++ stack/cxf/trunk/modules/dist/src/main/doc/chapter-5-Advanced_User_Guide.xml 2014-03-17
10:40:11 UTC (rev 18530)
@@ -365,15 +365,16 @@
<section
id="sid-41713670_Predefinedclientandendpointconfigurations-Overview">
<title>Overview</title>
+ <para>JBossWS enables extra setup configuration data to be predefined and
associated with an endpoint. Endpoint configurations can include JAX-WS handlers and
key/value properties declarations that control JBossWS and Apache CXF internals.
Predefined endpoint configurations can be used for JAX-WS client and JAX-WS endpoint
setup.</para>
<para>
- JBossWS comes with a concept of
- <emphasis role="italics">predefined
configurations</emphasis>
- , which are kind of basic templates that can be used for both JAX-WS client and
JAX-WS endpoint setup. Configurations can include JAX-WS handlers as well as basic
key/value properties declarations.
+ Endpoint configurations can be defined in the webservice subsystem and in a
deployment descriptor file within the application. There can be many endpoint
configuration definitions in the webservice subsystem and in an application. Each
endpoint configuration must have a name that is unique within the server. Configurations
defined in an application are local to the application. Endpoint implementations declare
the use of a specific configuration through the use of the
+ <code>org.jboss.ws.api.annotation.EndpointConfig</code>
+ annotation. An endpoint configuration defined in the webservices subsystem is
available to all deployed applications on the server container and can be referenced by
name in the annotation. An endpoint configuration defined in an application must be
referenced by deployment descriptor file name and the configuration name in the
annotation.
</para>
<section
id="sid-41713670_Predefinedclientandendpointconfigurations-Handlers">
<title>Handlers</title>
- <para>For each endpoint configuration, both PRE and POST handler chains
can be specified. Each handler chain may include JAXWS handlers. For outbound messages,
PRE handler chain handlers are meant to be executed before any handler attached to the
endpoints using standard JAXWS means (e.g. using @HandlerChain), while POST handler chain
handlers are executed after usual endpoint handlers. For inbound messages, the opposite
applies.</para>
+ <para>Each endpoint configuration may be associated with zero or more PRE
and POST handler chains. Each handler chain may include JAXWS handlers. For outbound
messages the PRE handler chains are executed before any handler that is attached to the
endpoint using the standard means, such as with annotation @HandlerChain, and POST
handler chains are executed after those objects have executed. For inbound messages the
POST handler chains are executed before any handler that is attached to the endpoint
using the standard means and the PRE handler chains are executed after those objects
have executed.</para>
<informalexample>
<programlisting>* Server inbound messages
Client --> ... --> POST HANDLER --> ENDPOINT HANDLERS --> PRE
HANDLERS --> Endpoint
@@ -396,9 +397,9 @@
<title>Endpoint configuration assignment</title>
<para>
- JAX-WS endpoints can be assigned to a given configuration by annotating them
with the
+ Annotation
<code>org.jboss.ws.api.annotation.EndpointConfig</code>
- annotation:
+ is used to assign an endpoint configuration to a JAX-WS endpoint
implementation. When assigning a configuration that is defined in the webservices
subsystem only the configuration name is specified. When assigning a configuration that
is defined in the application, the relative path to the deployment descriptor and the
configuration name must be specified.
</para>
<informalexample>
<programlisting>@EndpointConfig(configFile =
"WEB-INF/jaxws-endpoint-config.xml", configName = "Custom WS-Security
Endpoint")
@@ -410,30 +411,16 @@
}
}</programlisting>
</informalexample>
+ </section>
+ <section
id="sid-41713670_Predefinedclientandendpointconfigurations-EndpointConfigurationDeploymentDescriptor">
+
+ <title>Endpoint Configuration Deployment Descriptor</title>
<para>
- The
- <code>configFile</code>
- attribute is used to specify which config file, if any, is to be used to load
the configuration; if
- <code>configFile</code>
- is not set, the application server configurations are used.
+ Java EE archives that can contain JAX-WS endpoint implementations can also
contain predefined endpoint configurations. All endpoint configuration definitions for a
given archive must be provided in a single deployment descriptor file. The file must
reside in directory WEB-INF for a web application and directory META-INF for a client and
EJB application. The file name must end with extension .xml and be an implementation of
schema
+ <ulink
url="http://anonsvn.jboss.org/repos/jbossws/spi/tags/jbossws-spi-2.1...
+ . Common practice is to use the file name jaxws-endpoint-config.xml but this
is not required.
</para>
- <para>
- The
- <code>configName</code>
- attributed is used to specify the name of the configuration to be used.
- </para>
- <para>
- Alternatively, configurations can be assigned to endpoints through the
- <link linkend="sid-3866738">jboss-webservices.xml deployment
descriptor</link>
- .
- </para>
- <para>
- The configuration file, if any, needs to be included in the endpoint
deployment; the
- <ulink
url="http://anonsvn.jboss.org/repos/jbossws/spi/tags/jbossws-spi-2.1...
schema</ulink>
- defines its contents and is included in the
- <emphasis role="italics">jbossws-spi</emphasis>
- artifact.
- </para>
+ <para>Many endpoint configurations can be defined within the deployment
descriptor file. Each configuration must have a name that is unique within the server on
which the application is deployed. The configuration name is not referencable by endpoint
implementations outside the application.</para>
</section>
<section
id="sid-41713670_Predefinedclientandendpointconfigurations-Clientconfigurationassignment">
@@ -469,7 +456,7 @@
</programlisting>
</informalexample>
<para>
- JBossWS internally parses the specified configuration file, if any, after
having resolved it as a resources using the current thread context classloader. The
+ JBossWS parses the specified configuration file. The configuration file
must be found as a resource by the classloader of the current thread. The
<ulink
url="http://anonsvn.jboss.org/repos/jbossws/spi/tags/jbossws-spi-2.1...
schema</ulink>
defines the descriptor contents and is included in the
<emphasis role="italics">jbossws-spi</emphasis>
@@ -479,7 +466,7 @@
<section
id="sid-41713670_Predefinedclientandendpointconfigurations-Explicitsetup">
<title>Explicit setup</title>
- <para>Alternatively, JBossWS API facility classes can be used for
assigning configurations when building up a client; JAXWS handlers can be read from client
configurations as follows:</para>
+ <para>Alternatively, JBossWS API comes with facility classes that can
be used for assigning configurations when building a client. JAXWS handlers read from
client configurations as follows:</para>
<informalexample>
<programlisting>import
org.jboss.ws.api.configuration.ClientConfigUtil;
import org.jboss.ws.api.configuration.ClientConfigurer;
@@ -661,19 +648,22 @@
<section id="sid-3866749">
<title>Authentication</title>
- <para>This page explains the simplest way to authenticate a web service user
with JBossWS.</para>
- <para>First we secure the access to the SLSB as we would do for normal (non
web service) invocations: this can be easily done through the @RolesAllowed, @PermitAll,
@DenyAll annotation. The allowed user roles can be set with these annotations both on the
bean class and on any of its business methods.</para>
- <informalexample>
- <programlisting>@Stateless
+ <section id="sid-3866749_Authentication-Authentication">
+
+ <title>Authentication</title>
+ <para>Here the simplest way to authenticate a web service user with JBossWS
is explained.</para>
+ <para>First we secure the access to the SLSB as we would do for normal
(non web service) invocations: this can be easily done through the @RolesAllowed,
@PermitAll, @DenyAll annotation. The allowed user roles can be set with these annotations
both on the bean class and on any of its business methods.</para>
+ <informalexample>
+ <programlisting>@Stateless
@RolesAllowed("friend")
public class EndpointEJB implements EndpointInterface
{
...
}</programlisting>
- </informalexample>
- <para>Similarly POJO endpoints are secured the same way as we do for normal
web applications in web.xml:</para>
- <informalexample>
- <programlisting><security-constraint>
+ </informalexample>
+ <para>Similarly POJO endpoints are secured the same way as we do for normal
web applications in web.xml:</para>
+ <informalexample>
+ <programlisting><security-constraint>
<web-resource-collection>
<web-resource-name>All resources</web-resource-name>
<url-pattern>/*</url-pattern>
@@ -686,44 +676,44 @@
<security-role>
<role-name>friend</role-name>
</security-role></programlisting>
- </informalexample>
- <section id="sid-3866749_Authentication-Specifythesecuritydomain">
-
- <title>Specify the security domain</title>
- <para>
- Next, specify the security domain for this deployment. This is performed using
the
- <code>@SecurityDomain</code>
- annotation for EJB3 endpoints
- </para>
- <informalexample>
- <programlisting>@Stateless
+ </informalexample>
+ <section
id="sid-3866749_Authentication-Specifythesecuritydomain">
+
+ <title>Specify the security domain</title>
+ <para>
+ Next, specify the security domain for this deployment. This is performed
using the
+ <code>@SecurityDomain</code>
+ annotation for EJB3 endpoints
+ </para>
+ <informalexample>
+ <programlisting>@Stateless
@SecurityDomain("JBossWS")
@RolesAllowed("friend")
public class EndpointEJB implements EndpointInterface
{
...
}</programlisting>
- </informalexample>
- <para>or modifying the jboss-web.xml for POJO endpoints</para>
- <informalexample>
- <programlisting>
+ </informalexample>
+ <para>or modifying the jboss-web.xml for POJO endpoints</para>
+ <informalexample>
+ <programlisting>
<jboss-web>
<security-domain>JBossWS</security-domain>
</jboss-web>
</programlisting>
- </informalexample>
- <para>The security domain as well as its the authentication and
authorization mechanisms are defined differently depending on the JBoss Application Server
in use.</para>
- </section>
- <section
id="sid-3866749_Authentication-UseBindingProvidertosetprincipal%2Fcredential">
-
- <title>Use BindingProvider to set principal/credential</title>
- <para>
- A web service client may use the
- <code>javax.xml.ws.BindingProvider</code>
- interface to set the username/password combination
- </para>
- <informalexample>
- <programlisting>URL wsdlURL = new
File("resources/jaxws/samples/context/WEB-INF/wsdl/TestEndpoint.wsdl").toURL();
+ </informalexample>
+ <para>The security domain as well as its the authentication and
authorization mechanisms are defined differently depending on the JBoss Application Server
in use.</para>
+ </section>
+ <section
id="sid-3866749_Authentication-UseBindingProvidertosetprincipal%2Fcredential">
+
+ <title>Use BindingProvider to set principal/credential</title>
+ <para>
+ A web service client may use the
+ <code>javax.xml.ws.BindingProvider</code>
+ interface to set the username/password combination
+ </para>
+ <informalexample>
+ <programlisting>URL wsdlURL = new
File("resources/jaxws/samples/context/WEB-INF/wsdl/TestEndpoint.wsdl").toURL();
QName qname = new QName("http://org.jboss.ws/jaxws/context",
"TestEndpointService");
Service service = Service.create(wsdlURL, qname);
port = (TestEndpoint)service.getPort(TestEndpoint.class);
@@ -731,18 +721,18 @@
BindingProvider bp = (BindingProvider)port;
bp.getRequestContext().put(BindingProvider.USERNAME_PROPERTY, "kermit");
bp.getRequestContext().put(BindingProvider.PASSWORD_PROPERTY,
"thefrog");</programlisting>
- </informalexample>
- </section>
- <section
id="sid-3866749_Authentication-UsingHTTPBasicAuthforsecurity">
-
- <title>Using HTTP Basic Auth for security</title>
- <para>
- To enable HTTP Basic authentication you use the
- <code>@WebContext</code>
- annotation on the bean class
- </para>
- <informalexample>
- <programlisting>@Stateless
+ </informalexample>
+ </section>
+ <section
id="sid-3866749_Authentication-UsingHTTPBasicAuthforsecurity">
+
+ <title>Using HTTP Basic Auth for security</title>
+ <para>
+ To enable HTTP Basic authentication you use the
+ <code>@WebContext</code>
+ annotation on the bean class
+ </para>
+ <informalexample>
+ <programlisting>@Stateless
@SecurityDomain("JBossWS")
@RolesAllowed("friend")
@WebContext(contextRoot="/my-cxt", urlPattern="/*",
authMethod="BASIC", transportGuarantee="NONE",
secureWSDLAccess=false)
@@ -750,18 +740,133 @@
{
...
}</programlisting>
+ </informalexample>
+ <para>
+ For POJO endpoints, we modify the
+ <emphasis role="italics">web.xml</emphasis>
+ adding the auth-method element:
+ </para>
+ <informalexample>
+ <programlisting><login-config>
+ <auth-method>BASIC</auth-method>
+ <realm-name>Test Realm</realm-name>
+</login-config></programlisting>
+ </informalexample>
+ </section>
+ </section>
+ <section id="sid-3866749_Authentication-JASPIAuthentication">
+
+ <title>JASPI Authentication</title>
+ <para>A Java Authentication SPI (JASPI) provider can be configured in
WildFly security subsystem to authenticate SOAP messages:</para>
+ <informalexample>
+ <programlisting>
+<security-domain name="jaspi">
+ <authentication-jaspi>
+ <login-module-stack name="jaas-lm-stack">
+ <login-module code="UsersRoles"
flag="required">
+ <module-option name="usersProperties"
value="jbossws-users.properties"/>
+ <module-option name="rolesProperties"
value="jbossws-roles.properties"/>
+ </login-module>
+ </login-module-stack>
+ <auth-module
code="org.jboss.wsf.stack.cxf.jaspi.module.UsernameTokenServerAuthModule"
login-module-stack-ref="jaas-lm-stack"/>
+ </authentication-jaspi>
+ </security-domain>
+</programlisting>
</informalexample>
+ <important>
+ <para>
+ For further information on configuring security domains in WildFly, please
refer to
+ <ulink
url="https://docs.jboss.org/author/display/WFLY8/Security+subsystem+...
+ .
+ </para>
+ </important>
<para>
- For POJO endpoints, we modify the
- <emphasis role="italics">web.xml</emphasis>
- adding the auth-method element:
+ Here
+
<code>org.jboss.wsf.stack.cxf.jaspi.module.UsernameTokenServerAuthModule</code>
+ is the class implementing
+ <code>javax.security.auth.message.module.ServerAuthModule</code>
+ , which delegates to the proper login module to perform authentication using
the credentials from WS-Security UsernameToken in the incoming SOAP message. Alternative
implementations of
+ <code>ServerAuthModule</code>
+ can be implemented and configured.
</para>
+ <para>To enable JASPI authentication, the endpoint deployment needs to
specify the security domain to use; that can be done in two different ways:</para>
+ <itemizedlist>
+ <listitem>
+ <para>
+ Setting the
+ <code>jaspi.security.domain</code>
+ property in the
+ <code>jboss-webservices.xml</code>
+ descriptor
+ </para>
+ </listitem>
+ </itemizedlist>
<informalexample>
- <programlisting><login-config>
- <auth-method>BASIC</auth-method>
- <realm-name>Test Realm</realm-name>
-</login-config></programlisting>
+ <programlisting>
+<?xml version="1.1" encoding="UTF-8"?>
+<webservices
+
xmlns="http://www.jboss.com/xml/ns/javaee"
+
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ version="1.2"
+
xsi:schemaLocation="http://www.jboss.com/xml/ns/javaee">
+
+ <property>
+ <name>jaspi.security.domain</name>
+ <value>jaspi</value>
+ </property>
+
+</webservices>
+</programlisting>
</informalexample>
+ <itemizedlist>
+ <listitem>
+ <para>
+ Referencing (through
+ <code>@EndpointConfig</code>
+ annotation) an endpoint config that sets the
+ <code>jaspi.security.domain</code>
+ property
+ </para>
+ </listitem>
+ </itemizedlist>
+ <informalexample>
+ <programlisting>
+@EndpointConfig(configFile = "WEB-INF/jaxws-endpoint-config.xml", configName =
"jaspiSecurityDomain")
+public class ServiceEndpointImpl implements ServiceIface {
+</programlisting>
+ </informalexample>
+ <para>
+ The
+ <code>jaspi.security.domain</code>
+ property is specified as follows in the referenced descriptor:
+ </para>
+ <informalexample>
+ <programlisting>
+<?xml version="1.0" encoding="UTF-8"?>
+<jaxws-config xmlns="urn:jboss:jbossws-jaxws-config:4.0"
+
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:javaee="http://java.sun.com/xml/ns/javaee"
+ xsi:schemaLocation="urn:jboss:jbossws-jaxws-config:4.0
schema/jbossws-jaxws-config_4_0.xsd">
+ <endpoint-config>
+ <config-name>jaspiSecurityDomain</config-name>
+ <property>
+ <property-name>jaspi.security.domain</property-name>
+ <property-value>jaspi</property-value>
+ </property>
+ </endpoint-config>
+</jaxws-config>
+</programlisting>
+ </informalexample>
+ <note>
+ <para>
+ If the JASPI security domain is specified in both
+ <code>jboss-webservices.xml</code>
+ and config file referenced by
+ <code>@EndpointConfig</code>
+ annotation, the JASPI security domain specified in
+ <code>jboss-webservices.xml</code>
+ will take precedence.
+ </para>
+ </note>
</section>
</section>
<section id="sid-3866786">
@@ -1041,7 +1146,7 @@
<code>BusFactory</code>
to be used leverages the Service API, basically looking for optional
configurations in
<emphasis
role="italics">META-INF/services/...</emphasis>
- location using the current thread context classloader. JBossWS-CXF
integration comes with his own implementation of
+ location using the current thread context classloader. JBossWS-CXF
integration comes with its own implementation of
<code>BusFactory</code>
,
<code>org.jboss.wsf.stack.cxf.client.configuration.JBossWSBusFactory</code>
@@ -1109,9 +1214,9 @@
<emphasis
role="italics">getThreadDefaultBus()</emphasis>
and
<emphasis
role="italics">getThreadDefaultBus(true)</emphasis>
- first fallback to retrieving the configured global default bus before
actually trying creating a new instance (and the created new instance is set as global
default bus if that was not there set yet).
+ first fallback to retrieving the configured global default bus before
actually trying creating a new instance (and the created new instance is set as global
default bus if that was not set there yet).
</para>
- <para>The drawback of this mechanism (which is basically fine in JSE
environment) is that when running in a JBoss AS container you need to be careful in
order not to (mis)use a bus over multiple applications (assuming the Apache CXF classes
are loaded by the same classloader, which is currently the case with AS6 and
7).</para>
+ <para>The drawback of this mechanism (which is basically fine in JSE
environment) is that when running in a JBoss AS container you need to be careful in
order not to (mis)use a bus over multiple applications (assuming the Apache CXF classes
are loaded by the same classloader, which is currently the case with JBoss AS6, JBoss AS7
and WildFly).</para>
<para>Here is a list of general suggestions to avoid problems when
running in-container:</para>
<itemizedlist>
<listitem>
@@ -1138,8 +1243,9 @@
<para>keep in mind thread pooling whenever you customize a thread
default bus instance (for instance adding bus scope interceptors, ...), as that thread
and bus might be later reused; so either shutdown the bus when you're done or
explicitly remove it from the BusFactory thread association.</para>
</listitem>
</itemizedlist>
+ <para>Finally, remember that each time you explictly create a new Bus
instance (factory.createBus()) that is set as thread default bus and global default bus
if those are not set yet.</para>
<para>
- Finally, remember that each time you explictly create a new Bus instance
(factory.createBus()) that is set as thread default bus and global default bus if those
are not set yet. The JAXWS
+ The JAXWS
<code>Provider</code>
implementation also creates
<code>Bus</code>
@@ -1147,9 +1253,156 @@
<code>Provider</code>
makes sure the default bus is never internally used and instead a new
<code>Bus</code>
- is created if required.
+ is created if required (more details on this in the next paragraph).
</para>
</section>
+ <section
id="sid-3866786_ApacheCXFintegration-BusselectionstrategiesforJAXWSclients">
+
+ <title>Bus selection strategies for JAXWS clients</title>
+ <para>
+ JAXWS clients require an Apache CXF Bus to be available; the client is
registered within the Bus and the Bus affects the client behavior (e.g. through the
configured CXF interceptors). The way a bus is internally selected for serving a given
JAXWS client is very important, especially for in-container clients; for this reason,
JBossWS users can choose the preferred Bus selection strategy. The strategy is enforced in
the
+ <code>javax.xml.ws.spi.Provider</code>
+ implementation from the JBossWS integration, being that called whenever a
JAXWS
+ <code>Service</code>
+ (client) is requested.
+ </para>
+ <section
id="sid-3866786_ApacheCXFintegration-Threadbusstrategy%28THREADBUS%29">
+
+ <title>Thread bus strategy (THREAD_BUS)</title>
+ <para>Each time the vanilla JAXWS api is used to create a Bus, the
JBossWS-CXF integration will automatically make sure a Bus is currently associated to the
current thread in the BusFactory. If that's not the case, a new Bus is created and
linked to the current thread (to prevent the user from relying on the default Bus). The
Apache CXF engine will then create the client using the current thread Bus.</para>
+ <para>This is the default strategy, and the most straightforward one in
Java SE environments; it lets users automatically reuse a previously created Bus instance
and allows using customized Bus that can possibly be created and associated to the thread
before building up a JAXWS client.</para>
+ <para>The drawback of the strategy is that the link between the Bus
instance and the thread needs to be eventually cleaned up (when not needed anymore). This
is really evident in a Java EE environment (hence when running in-container), as threads
from pools (e.g. serving web requests) are re-used.</para>
+ <para>
+ When relying on this strategy, the safest approach to be sure of cleaning
up the link is to surround the JAXWS client with a
+ <code>try/finally</code>
+ block as below:
+ </para>
+ <informalexample>
+ <programlisting>try {
+ Service service = Service.create(wsdlURL, serviceQName);
+ MyEndpoint port = service.getPort(MyEndpoint.class);
+ //...
+} finally {
+ BusFactory.setThreadDefaultBus(null);
+ // OR (if you don't need the bus and the client anymore)
+ Bus bus = BusFactory.getThreadDefaultBus(false);
+ bus.shutdown(true);
+}</programlisting>
+ </informalexample>
+ </section>
+ <section
id="sid-3866786_ApacheCXFintegration-Newbusstrategy%28NEWBUS%29">
+
+ <title>New bus strategy (NEW_BUS)</title>
+ <para>Another strategy is to have the JAXWS Provider from the JBossWS
integration create a new Bus each time a JAXWS client is built. The main benefit of this
approach is that a fresh bus won't rely on any formerly cached information (e.g.
cached WSDL / schemas) which might have changed after the previous client creation. The
main drawback is of course worse performance as the Bus creation takes time.</para>
+ <para>If there's a bus already associated to the current thread
before the JAXWS client creation, that is automatically restored when returning control to
the user; in other words, the newly created bus will be used only for the created JAXWS
client but won't stay associated to the current thread at the end of the process.
Similarly, if the thread was not associated to any bus before the client creation, no bus
will be associated to the thread at the end of the client creation.</para>
+ </section>
+ <section
id="sid-3866786_ApacheCXFintegration-Threadcontextclassloaderbusstrategy%28TCCLBUS%29">
+
+ <title>Thread context classloader bus strategy
(TCCL_BUS)</title>
+ <para>The last strategy is to have the bus created for serving the
client be associated to the current thread context classloader (TCCL). That basically
means the same Bus instance is shared by JAXWS clients running when the same TCCL is set.
This is particularly interesting as each web application deployment usually has its own
context classloader, so this strategy is possibly a way to keep the number of created Bus
instances bound to the application number in a JBoss AS container.</para>
+ <para>If there's a bus already associated to the current thread
before the JAXWS client creation, that is automatically restored when returning control
to the user; in other words, the bus corresponding to the current thread context
classloader will be used only for the created JAXWS client but won't stay associated
to the current thread at the end of the process. If the thread was not associated to any
bus before the client creation, a new bus will be created (and later user for any other
client built with this strategy and the same TCCL in place); no bus will be associated to
the thread at the end of the client creation.</para>
+ </section>
+ <section
id="sid-3866786_ApacheCXFintegration-Strategyconfiguration">
+
+ <title>Strategy configuration</title>
+ <para>
+ Users can request a given Bus selection strategy to be used for the client
being built by specifying one of the following JBossWS features (which extend
+ <code>javax</code>
+ <code>.</code>
+ <code>xml</code>
+ <code>.</code>
+ <code>ws</code>
+ <code>.</code>
+ <code>WebServiceFeature</code>
+ ):
+ </para>
+ <informaltable>
+ <tgroup cols="2">
+ <thead>
+ <row>
+ <entry>
+ <para>Feature</para>
+ </entry>
+ <entry>
+ <para>Strategy</para>
+ </entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry>
+ <para>
+
<code>org.jboss.wsf.stack.cxf.client.UseThreadBusFeature</code>
+ </para>
+ </entry>
+ <entry>
+ <para>THREAD_BUS</para>
+ </entry>
+ </row>
+ <row>
+ <entry>
+ <para>
+ <code>org</code>
+ <code>.</code>
+ <code>jboss</code>
+ <code>.</code>
+ <code>wsf</code>
+ <code>.</code>
+ <code>stack</code>
+ <code>.</code>
+ <code>cxf</code>
+ <code>.</code>
+ <code>client.</code>
+ <code>UseNewBusFeature</code>
+ </para>
+ </entry>
+ <entry>
+ <para>NEW_BUS</para>
+ </entry>
+ </row>
+ <row>
+ <entry>
+ <para>
+ <code>org</code>
+ <code>.</code>
+ <code>jboss</code>
+ <code>.</code>
+ <code>wsf</code>
+ <code>.</code>
+ <code>stack</code>
+ <code>.</code>
+ <code>cxf</code>
+ <code>.</code>
+ <code>client.</code>
+ <code>UseTCCLBusFeature</code>
+ </para>
+ </entry>
+ <entry>
+ <para>TCCL_BUS</para>
+ </entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </informaltable>
+ <para>The feature is specified as follows:</para>
+ <informalexample>
+ <programlisting>Service service = Service.create(wsdlURL,
serviceQName, new UseThreadBusFeature());</programlisting>
+ </informalexample>
+ <para>
+ If no feature is explicitly specified, the system default strategy is used,
which can be modified through the
+ <code>org.jboss.ws.cxf.jaxws-client.bus.strategy</code>
+ system property when starting the JVM. The valid values for the property
are
+ <code>THREAD_BUS</code>
+ ,
+ <code>NEW_BUS</code>
+ and
+ <code>TCCL_BUS</code>
+ . The default is
+ <code>THREAD_BUS</code>
+ .
+ </para>
+ </section>
+ </section>
</section>
<section
id="sid-3866786_ApacheCXFintegration-ServerSideIntegrationCustomization">
@@ -2711,244 +2964,387 @@
<title>WS-Trust overview</title>
<para>
- The
<ulink
url="https://www.oasis-open.org/standards#wstrustv1.4">WS-Tr...
- specification defines extensions to WS-Security to deal with the issuing,
renewing, and validating of security tokens; it also defines how to establish, assess the
presence of, and broker trust relationships between participants in a secure message
exchange.
+ is a Web service specification that defines extensions to WS-Security. It is
a general framework for implementing security in a distributed system. The standard is
based on a centralized Security Token Service, STS, which is capable of authenticating
clients and issuing tokens containing various kinds of authentication and authorization
data. The specification describes a protocol used for issuance, exchange, and validation
of security tokens, however the following specifications play an important role in the
WS-Trust architecture:
+ <ulink
url="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-se...
1.2</ulink>
+ ,
+ <ulink
url="http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os....
2.0</ulink>
+ ,
+ <ulink
url="http://docs.oasis-open.org/wss/v1.1/wss-v1.1-spec-os-UsernameTo...
Token Profile</ulink>
+ ,
+ <ulink
url="http://docs.oasis-open.org/wss-m/wss/v1.1.1/wss-x509TokenProfil...
Token Profile</ulink>
+ ,
+ <ulink
url="https://www.oasis-open.org/committees/download.php/16768/wss-v1...
Token Profile</ulink>
+ , and
+ <ulink
url="http://docs.oasis-open.org/wss/v1.1/wss-v1.1-spec-os-KerberosTo...
Token Profile</ulink>
+ .
+
</para>
<para>
- Complex applications spanning multiple domains typically suffer from the need
for generating and sharing multiple keys; moreover dealing with services updates when
credentials change is usually painful. With WS-Trust, a trusted
- <emphasis role="italics">Security Token Service
(STS)</emphasis>
- can be used to obtain security tokens which are then used as authentication /
authorization. A client authenticates itself with the STS based on policies and
requirements defined by the STS; the STS then provides a security token (e.g. a SAML
token) that the client then uses to talk to the target service; the service can validate
that token to make sure it really came from the trusted STS.
+ The WS-Trust extensions address the needs of applications that span multiple
domains and requires the sharing of security keys by providing a standards based trusted
third party web service (STS) to broker trust relationships between a Web service
requester and a Web service provider. This architecture also alleviates the pain of
service updates that require credential changes by providing a common location for this
information. The STS is the common access point from which both the requester and
provider retrieves and verifies security tokens.
+
</para>
- </section>
- <section id="sid-47972359_WS-TrustandSTS-SecurityTokenService">
-
- <title>Security Token Service</title>
- <para>The security token service is the core of the WS-Trust extension to
WS-Security; it is a service that offers some or all of the following
functionalities:</para>
+ <para>There are three main components of the WS-Trust
specification.</para>
<itemizedlist>
<listitem>
- <para>issuing security tokens of different types depending on the
received credentials</para>
+ <para>The Security Token Service (STS), a web service that issues,
renews, and validates security tokens.</para>
</listitem>
<listitem>
- <para>validation of security tokens</para>
+ <para>The message formats for security token requests and
responses.</para>
</listitem>
<listitem>
- <para>renewal of security tokens</para>
+ <para>The mechanisms for key exchange</para>
</listitem>
- <listitem>
- <para>cancellation of security tokens</para>
- </listitem>
- <listitem>
- <para>transformation of security tokens into different type
ones</para>
- </listitem>
</itemizedlist>
- <para>In the basic scenario, the WSDL contract for an endpoint service will
usually include a WS-Security policy stating that a particular security token type is
required to access the service. Clients reading that contract will ask the STS for a
security token of the required type and attach it to the message invocation to the
service. The endpoint service will locally validate the received token or dispatch it to
the STS for validation.</para>
</section>
+ <section id="sid-47972359_WS-TrustandSTS-SecurityTokenService">
+
+ <title>Security Token Service</title>
+ <para>
+ The Security Token Service, STS, is the core of the WS-Trust specification.
It is a standards based mechanism for authentication and authorization. The STS is an
implementation of the WS-Trust specification's protocol for issuing, exchanging, and
validating security tokens, based on token format, namespace, or trust boundaries. The
STS is a web service that acts as a trusted third party to broker trust relationships
between a Web service requester and a Web service provider. It is a common access point
trusted by both requester and provider to provide interoperable security tokens. It
removes the need for a direct relationship between the two. Because the STS is a
standards based mechanism for authentication, it helps ensure interoperability across
realms and between different platforms.
+
+ </para>
+ <para>The STS's WSDL contract defines how other applications and
processes interact with it. In particular the WSDL defines the WS-Trust and WS-Security
policies that a requester must fulfill in order to successfully communicate with the
STS's endpoints. A web service requester consumes the STS's WSDL and with the
aid of an STSClient utility, generates a message request compliant with the stated
security policies and submits it to the STS endpoint. The STS validates the request and
returns an appropriate response.</para>
+ </section>
<section id="sid-47972359_WS-TrustandSTS-ApacheCXFsupport">
<title>Apache CXF support</title>
+ <para>Apache CXF is an open-source, fully featured Web services framework.
The JBossWS open source project integrates the JBoss Web Services (JBossWS) stack with
the Apache CXF project modules thus providing WS-Trust and other JAX-WS functionality in
the JBoss Application Server. This integration makes it easy to deploy CXF STS
implementations, however JBoss Application Server can run any WS-Trust compliant STS. In
addition the Apache CXF API provides a STSClient utility to facilitate web service
requester communication with its STS.</para>
<para>
- JBossWS inherits Apache CXF support for WS-Trust, which is fully integration
with WS-Security Policy support. On client side, a
- <code>STSClient</code>
- is used to contact the STS and e.g get the security token; the
- <code>STSClient</code>
- can either be programmatically provided or automatically created by CXF runtime
(through policy support) and configured through properties as done with plain WS-Security
(keystore locations, aliases, etc.).
- </para>
- <para>
- Any specification compliant STS can be used; however Apache CXF comes with its
own STS implementation, which can be deployed on JBoss Application Server using JBossWS
integration too. Detailed information on the Apache CXF STS implementation in a multiple
blog post series
+ Detailed information about the Apache CXF's WS-Trust implementation can be
found
<ulink
url="http://coheigea.blogspot.it/2011/10/apache-cxf-sts-documentation-part-i.html">here</ulink>
.
</para>
</section>
- <section id="sid-47972359_WS-TrustandSTS-Example">
+ <section id="sid-47972359_WS-TrustandSTS-ABasicWSTrustScenario">
- <title>Example</title>
+ <title>A Basic WS-Trust Scenario</title>
<para>
- Here is an example of a basic WS-Trust scenario. A service provider published a
WSDL with policy assertions establishing who the communication must happen. A SAML 2.0
token issued by an STS is required to access the service endpoint. The client will
authenticate itself to the STS using a UsernameToken over the symmetric binding and the
STS will issue it the desired SAML 2.0 token, which the client will then forwards to the
service provider endpoint. As the
- <code>IssuedToken</code>
- is defined as the
- <code>InitiatorToken</code>
- of the Asymmetric binding in the policy of the service provider, the client
will use the associated secret key for message signing.
+ Here is an example of a basic WS-Trust scenario. It is comprised of a Web
service requester (ws-requester), a Web service provider (ws-provider), and a Security
Token Service (STS). The ws-provider requires a SAML 2.0 token issued from a designed
STS to be presented by the ws-requester using asymmetric binding. These communication
requirements are declared in the ws-provider's WSDL. The STS requires ws-requester
credentials be provided in a WSS UsernameToken format request using symmetric binding.
The STS's response is provided containing a SAML 2.0 token. These communication
requirements are declared in the STS's WSDL.
+
</para>
- <section id="sid-47972359_WS-TrustandSTS-Endpoint">
+ <orderedlist>
+ <listitem>
+ <para>A ws-requester contacts the ws-provider and consumes its WSDL.
Upon finding the security token issuer requirement, it creates and configures a
STSClient with the information it requires to generate a proper request.</para>
+ </listitem>
+ <listitem>
+ <para>The STSClient contacts the STS and consumes its WSDL. The
security policies are discovered. The STSClient creates and sends an authentication
request, with appropriate credentials.</para>
+ </listitem>
+ <listitem>
+ <para>The STS verifies the credentials.</para>
+ </listitem>
+ <listitem>
+ <para>In response, the STS issues a security token that provides proof
that the ws-requester has authenticated with the STS.</para>
+ </listitem>
+ <listitem>
+ <para>The STClient presents a message with the security token to the
ws-provider.</para>
+ </listitem>
+ <listitem>
+ <para>The ws-provider verifies the token was issued by the STS, thus
proving the ws-requester has successfully authenticated with the STS.</para>
+ </listitem>
+ <listitem>
+ <para>The ws-provider executes the requested service and returns the
results to the the ws-requester.</para>
+ </listitem>
+ </orderedlist>
+ <section id="sid-47972359_WS-TrustandSTS-Webserviceprovider">
- <title>Endpoint</title>
- <para>The service provider is a contract-first endpoint and the need for
WS-Trust communication is completely driven by the wsdl. It comes with policies requiring
signature and encryption of messages and setting the WS-Trust requirements (SAML 2.0
security token and STS location). WS-AddressingMetadata is used to specify the wsdl
location of the STS and the servive/port name in it to be used:</para>
- <informalexample>
- <programlisting><?xml version="1.0"
encoding="UTF-8" standalone="yes"?>
+ <title>Web service provider</title>
+ <para>This section examines the crucial elements in providing endpoint
security in the web service provider described in the basic WS-Trust scenario. The
components that will be discussed are.</para>
+ <itemizedlist>
+ <listitem>
+ <para>web service provider's WSDL</para>
+ </listitem>
+ <listitem>
+ <para>web service provider's Interface and Implementation
classes.</para>
+ </listitem>
+ <listitem>
+ <para>ServerCallbackHandler class</para>
+ </listitem>
+ <listitem>
+ <para>Crypto properties and keystore files</para>
+ </listitem>
+ <listitem>
+ <para>MANIFEST.MF</para>
+ </listitem>
+ </itemizedlist>
+ <section
id="sid-47972359_WS-TrustandSTS-WebserviceproviderWSDL">
+
+ <title>Web service provider WSDL</title>
+ <para>The web service provider is a contract-first endpoint. All the
WS-trust and security policies for it are declared in the WSDL, SecurityService.wsdl.
For this scenario a ws-requester is required to present a SAML 2.0 token issued from a
designed STS. The address of the STS is provided in the WSDL. An asymmetric binding
policy is used to encrypt and sign the SOAP body of messages that pass back and forth
between ws-requester and ws-provider. X.509 certificates are use for the asymmetric
binding. The rules for sharing the public and private keys in the SOAP request and
response messages are declared. A detailed explanation of the security settings are
provided in the comments in the listing below.</para>
+ <informalexample>
+ <programlisting>
+ <?xml version="1.0" encoding="UTF-8"
standalone="yes"?>
<definitions
targetNamespace="http://www.jboss.org/jbossws/ws-extensions/wssecuri...
name="SecurityService"
-
xmlns:tns="http://www.jboss.org/jbossws/ws-extensions/wssecuritypoli...
-
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
-
xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
-
xmlns="http://schemas.xmlsoap.org/wsdl/"
-
xmlns:wsp="http://www.w3.org/ns/ws-policy"
-
xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata"
-
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-w...
-
xmlns:wsaws="http://www.w3.org/2005/08/addressing"
-
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702&...
-
xmlns:t="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
- <types>
- <xsd:schema>
- <xsd:import
namespace="http://www.jboss.org/jbossws/ws-extensions/wssecuritypoli...
schemaLocation="SecurityService_schema1.xsd"/>
- </xsd:schema>
- </types>
- <message name="sayHello">
- <part name="parameters" element="tns:sayHello"/>
- </message>
- <message name="sayHelloResponse">
- <part name="parameters"
element="tns:sayHelloResponse"/>
- </message>
- <portType name="ServiceIface">
- <operation name="sayHello">
- <input message="tns:sayHello"/>
- <output message="tns:sayHelloResponse"/>
- </operation>
- </portType>
- <binding name="SecurityServicePortBinding"
type="tns:ServiceIface">
- <wsp:PolicyReference URI="#AsymmetricSAML2Policy" />
- <soap:binding
transport="http://schemas.xmlsoap.org/soap/http"
style="document"/>
- <operation name="sayHello">
- <soap:operation soapAction=""/>
- <input>
- <soap:body use="literal"/>
- <wsp:PolicyReference URI="#Input_Policy" />
- </input>
- <output>
- <soap:body use="literal"/>
- <wsp:PolicyReference URI="#Output_Policy" />
- </output>
- </operation>
- </binding>
- <service name="SecurityService">
- <port name="SecurityServicePort"
binding="tns:SecurityServicePortBinding">
- <soap:address
location="http://localhost:8080/jaxws-samples-wsse-policy-trust/SecurityService"/>
- </port>
- </service>
+
xmlns:tns="http://www.jboss.org/jbossws/ws-extensions/wssecuritypolicy"
+ xmlns:xsd="http://www.w3.org/2001/XMLSchema"
+ xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
+ xmlns="http://schemas.xmlsoap.org/wsdl/"
+ xmlns:wsp="http://www.w3.org/ns/ws-policy"
+ xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata"
+
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-w...
+
xmlns:wsaws="http://www.w3.org/2005/08/addressing"
+
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702&...
+
xmlns:t="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
+ <types>
+ <xsd:schema>
+ <xsd:import
namespace="http://www.jboss.org/jbossws/ws-extensions/wssecuritypoli...
schemaLocation="SecurityService_schema1.xsd"/>
+ </xsd:schema>
+ </types>
+ <message name="sayHello">
+ <part name="parameters" element="tns:sayHello"/>
+ </message>
+ <message name="sayHelloResponse">
+ <part name="parameters"
element="tns:sayHelloResponse"/>
+ </message>
+ <portType name="ServiceIface">
+ <operation name="sayHello">
+ <input message="tns:sayHello"/>
+ <output message="tns:sayHelloResponse"/>
+ </operation>
+ </portType>
+ <!--
+ The wsp:PolicyReference binds the security requirments on all the STS endpoints.
+ The wsp:Policy wsu:Id="#AsymmetricSAML2Policy" element is defined later
in this file.
+ -->
+ <binding name="SecurityServicePortBinding"
type="tns:ServiceIface">
+ <wsp:PolicyReference URI="#AsymmetricSAML2Policy" />
+ <soap:binding
transport="http://schemas.xmlsoap.org/soap/http"
style="document"/>
+ <operation name="sayHello">
+ <soap:operation soapAction=""/>
+ <input>
+ <soap:body use="literal"/>
+ <wsp:PolicyReference URI="#Input_Policy" />
+ </input>
+ <output>
+ <soap:body use="literal"/>
+ <wsp:PolicyReference URI="#Output_Policy" />
+ </output>
+ </operation>
+ </binding>
+ <service name="SecurityService">
+ <port name="SecurityServicePort"
binding="tns:SecurityServicePortBinding">
+ <soap:address
location="http://@jboss.bind.address@:8080/jaxws-samples-wsse-policy-trust/SecurityService"/>
+ </port>
+ </service>
+
+ <wsp:Policy wsu:Id="AsymmetricSAML2Policy">
+ <wsp:ExactlyOne>
+ <wsp:All>
+ <!--
+ The wsam:Addressing element, indicates that the endpoints of this
+ web service MUST conform to the WS-Addressing specification. The
+ attribute wsp:Optional="false" enforces this assertion.
+ -->
+ <wsam:Addressing wsp:Optional="false">
+ <wsp:Policy />
+ </wsam:Addressing>
+ <!--
+ The sp:AsymmetricBinding element indicates that security is provided
+ at the SOAP layer. A public/private key combinations is required to
+ protect the message. The initiator will use it’s private key to sign
+ the message and the recipient’s public key is used to encrypt the message.
+ The recipient of the message will use it’s private key to decrypt it and
+ initiator’s public key to verify the signature.
+ -->
+ <sp:AsymmetricBinding>
+ <wsp:Policy>
+ <!--
+ The sp:InitiatorToken element specifies the elements required in
+ generating the initiator request to the ws-provider's service.
+ -->
+ <sp:InitiatorToken>
+ <wsp:Policy>
+ <!--
+ The sp:IssuedToken element asserts that a SAML 2.0 security token is
+ expected from the STS using a public key type. The
+
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/...
+ attribute instructs the runtime to include the initiator's public key
+ with every message sent to the recipient.
+
+ The sp:RequestSecurityTokenTemplate element directs that all of the
+ children of this element will be copied directly into the body of the
+ RequestSecurityToken (RST) message that is sent to the STS when the
+ initiator asks the STS to issue a token.
+ -->
+ <sp:IssuedToken
+
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
+ <sp:RequestSecurityTokenTemplate>
+
<t:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</t:TokenType>
+
<t:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey</t:KeyType>
+ </sp:RequestSecurityTokenTemplate>
+ <wsp:Policy>
+ <sp:RequireInternalReference />
+ </wsp:Policy>
+ <!--
+ The sp:Issuer element defines the STS's address and endpoint information
+ This information is used by the STSClient.
+ -->
+ <sp:Issuer>
+
<wsaws:Address>http://@jboss.bind.address@:8080/jaxws-samples-wsse-policy-trust-sts/SecurityTokenService</wsaws:Address>
+ <wsaws:Metadata
xmlns:wsdli="http://www.w3.org/2006/01/wsdl-instance"
+
wsdli:wsdlLocation="http://@jboss.bind.address@:8080/jaxws-samples-wsse-policy-trust-sts/SecurityTokenService?wsdl">
+ <wsaw:ServiceName
xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl"
+
xmlns:stsns="http://docs.oasis-open.org/ws-sx/ws-trust/200512/"
+
EndpointName="UT_Port">stsns:SecurityTokenService</wsaw:ServiceName>
+ </wsaws:Metadata>
+ </sp:Issuer>
+ </sp:IssuedToken>
+ </wsp:Policy>
+ </sp:InitiatorToken>
+ <!--
+ The sp:RecipientToken element asserts the type of public/private key-pair
+ expected from the recipient. The
+
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/...
+ attribute indicates that the initiator's public key will never be included
+ in the reply messages.
- <wsp:Policy wsu:Id="AsymmetricSAML2Policy">
- <wsp:ExactlyOne>
- <wsp:All>
- <wsam:Addressing wsp:Optional="false">
- <wsp:Policy />
- </wsam:Addressing>
- <sp:AsymmetricBinding>
- <wsp:Policy>
- <sp:InitiatorToken>
- <wsp:Policy>
- <sp:IssuedToken
-
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/...
- <sp:RequestSecurityTokenTemplate>
- <t:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</t:TokenType>
- <t:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey</t:KeyType>
- </sp:RequestSecurityTokenTemplate>
- <wsp:Policy>
- <sp:RequireInternalReference />
- </wsp:Policy>
- <sp:Issuer>
- <wsaws:Address>http://localhost:8080/jaxws-samples-wsse-policy-trust-sts/SecurityTokenService</wsaws:Address>
- <wsaws:Metadata
xmlns:wsdli="http://www.w3.org/2006/01/wsdl-instance"
-
wsdli:wsdlLocation="http://localhost:8080/jaxws-samples-wsse-policy-trust-sts/SecurityTokenService?wsdl">
- <wsaw:ServiceName
xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl"
-
xmlns:stsns="http://docs.oasis-open.org/ws-sx/ws-trust/200512/"
-
EndpointName="UT_Port">stsns:SecurityTokenService</wsaw:ServiceName>
- </wsaws:Metadata>
- </sp:Issuer>
- </sp:IssuedToken>
- </wsp:Policy>
- </sp:InitiatorToken>
- <sp:RecipientToken>
- <wsp:Policy>
- <sp:X509Token
-
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/...
- <wsp:Policy>
- <sp:WssX509V3Token10 />
- <sp:RequireIssuerSerialReference />
- </wsp:Policy>
- </sp:X509Token>
- </wsp:Policy>
- </sp:RecipientToken>
- <sp:Layout>
- <wsp:Policy>
- <sp:Lax />
- </wsp:Policy>
- </sp:Layout>
- <sp:IncludeTimestamp />
- <sp:OnlySignEntireHeadersAndBody />
- <sp:AlgorithmSuite>
- <wsp:Policy>
- <sp:Basic256 />
- </wsp:Policy>
- </sp:AlgorithmSuite>
- </wsp:Policy>
- </sp:AsymmetricBinding>
- <sp:Wss11>
- <wsp:Policy>
- <sp:MustSupportRefIssuerSerial />
- <sp:MustSupportRefThumbprint />
- <sp:MustSupportRefEncryptedKey />
- </wsp:Policy>
- </sp:Wss11>
- <sp:Trust13>
- <wsp:Policy>
- <sp:MustSupportIssuedTokens />
- <sp:RequireClientEntropy />
- <sp:RequireServerEntropy />
- </wsp:Policy>
- </sp:Trust13>
- </wsp:All>
- </wsp:ExactlyOne>
- </wsp:Policy>
+ The sp:WssX509V3Token10 element indicates that an X509 Version 3 token
+ should be used in the message.
+ -->
+ <sp:RecipientToken>
+ <wsp:Policy>
+ <sp:X509Token
+
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/...
+ <wsp:Policy>
+ <sp:WssX509V3Token10 />
+ <sp:RequireIssuerSerialReference
/>
+ </wsp:Policy>
+ </sp:X509Token>
+ </wsp:Policy>
+ </sp:RecipientToken>
+<!--
+ The sp:Layout element, indicates the layout rules to apply when adding
+ items to the security header. The sp:Lax sub-element indicates items
+ are added to the security header in any order that conforms to
+ WSS: SOAP Message Security.
+-->
+ <sp:Layout>
+ <wsp:Policy>
+ <sp:Lax />
+ </wsp:Policy>
+ </sp:Layout>
+ <sp:IncludeTimestamp />
+ <sp:OnlySignEntireHeadersAndBody />
+ <!--
+ The sp:AlgorithmSuite element, requires the Basic256 algorithm suite
+ be used in performing cryptographic operations.
+-->
+ <sp:AlgorithmSuite>
+ <wsp:Policy>
+ <sp:Basic256 />
+ </wsp:Policy>
+ </sp:AlgorithmSuite>
+ </wsp:Policy>
+ </sp:AsymmetricBinding>
+<!--
+ The sp:Wss11 element declares WSS: SOAP Message Security 1.1 options
+ to be supported by the STS. These particular elements generally refer
+ to how keys are referenced within the SOAP envelope. These are normally
+ handled by CXF.
+-->
+ <sp:Wss11>
+ <wsp:Policy>
+ <sp:MustSupportRefIssuerSerial />
+ <sp:MustSupportRefThumbprint />
+ <sp:MustSupportRefEncryptedKey />
+ </wsp:Policy>
+ </sp:Wss11>
+<!--
+ The sp:Trust13 element declares controls for WS-Trust 1.3 options.
+ They are policy assertions related to exchanges specifically with
+ client and server challenges and entropy behaviors. Again these are
+ normally handled by CXF.
+-->
+ <sp:Trust13>
+ <wsp:Policy>
+ <sp:MustSupportIssuedTokens />
+ <sp:RequireClientEntropy />
+ <sp:RequireServerEntropy />
+ </wsp:Policy>
+ </sp:Trust13>
+ </wsp:All>
+ </wsp:ExactlyOne>
+ </wsp:Policy>
+
+ <wsp:Policy wsu:Id="Input_Policy">
+ <wsp:ExactlyOne>
+ <wsp:All>
+ <sp:EncryptedParts>
+ <sp:Body />
+ </sp:EncryptedParts>
+ <sp:SignedParts>
+ <sp:Body />
+ <sp:Header Name="To"
Namespace="http://www.w3.org/2005/08/addressing" />
+ <sp:Header Name="From"
Namespace="http://www.w3.org/2005/08/addressing" />
+ <sp:Header Name="FaultTo"
Namespace="http://www.w3.org/2005/08/addressing" />
+ <sp:Header Name="ReplyTo"
Namespace="http://www.w3.org/2005/08/addressing" />
+ <sp:Header Name="MessageID"
Namespace="http://www.w3.org/2005/08/addressing" />
+ <sp:Header Name="RelatesTo"
Namespace="http://www.w3.org/2005/08/addressing" />
+ <sp:Header Name="Action"
Namespace="http://www.w3.org/2005/08/addressing" />
+ </sp:SignedParts>
+ </wsp:All>
+ </wsp:ExactlyOne>
+ </wsp:Policy>
+
+ <wsp:Policy wsu:Id="Output_Policy">
+ <wsp:ExactlyOne>
+ <wsp:All>
+ <sp:EncryptedParts>
+ <sp:Body />
+ </sp:EncryptedParts>
+ <sp:SignedParts>
+ <sp:Body />
+ <sp:Header Name="To"
Namespace="http://www.w3.org/2005/08/addressing" />
+ <sp:Header Name="From"
Namespace="http://www.w3.org/2005/08/addressing" />
+ <sp:Header Name="FaultTo"
Namespace="http://www.w3.org/2005/08/addressing" />
+ <sp:Header Name="ReplyTo"
Namespace="http://www.w3.org/2005/08/addressing" />
+ <sp:Header Name="MessageID"
Namespace="http://www.w3.org/2005/08/addressing" />
+ <sp:Header Name="RelatesTo"
Namespace="http://www.w3.org/2005/08/addressing" />
+ <sp:Header Name="Action"
Namespace="http://www.w3.org/2005/08/addressing" />
+ </sp:SignedParts>
+ </wsp:All>
+ </wsp:ExactlyOne>
+ </wsp:Policy>
+</definitions>
+</programlisting>
+ </informalexample>
+ </section>
+ <section
id="sid-47972359_WS-TrustandSTS-WebserviceproviderInterface">
+
+ <title>Web service provider Interface</title>
+ <para>The web service provider interface class, ServiceIface, is a
simple straight forward web service definition.</para>
+ <informalexample>
+ <programlisting>
+package org.jboss.test.ws.jaxws.samples.wsse.policy.trust.service;
- <wsp:Policy wsu:Id="Input_Policy">
- <wsp:ExactlyOne>
- <wsp:All>
- <sp:EncryptedParts>
- <sp:Body />
- </sp:EncryptedParts>
- <sp:SignedParts>
- <sp:Body />
- <sp:Header Name="To"
Namespace="http://www.w3.org/2005/08/addressing" />
- <sp:Header Name="From"
Namespace="http://www.w3.org/2005/08/addressing" />
- <sp:Header Name="FaultTo"
Namespace="http://www.w3.org/2005/08/addressing" />
- <sp:Header Name="ReplyTo"
Namespace="http://www.w3.org/2005/08/addressing" />
- <sp:Header Name="MessageID"
Namespace="http://www.w3.org/2005/08/addressing" />
- <sp:Header Name="RelatesTo"
Namespace="http://www.w3.org/2005/08/addressing" />
- <sp:Header Name="Action"
Namespace="http://www.w3.org/2005/08/addressing" />
- </sp:SignedParts>
- </wsp:All>
- </wsp:ExactlyOne>
- </wsp:Policy>
+import javax.jws.WebMethod;
+import javax.jws.WebService;
- <wsp:Policy wsu:Id="Output_Policy">
- <wsp:ExactlyOne>
- <wsp:All>
- <sp:EncryptedParts>
- <sp:Body />
- </sp:EncryptedParts>
- <sp:SignedParts>
- <sp:Body />
- <sp:Header Name="To"
Namespace="http://www.w3.org/2005/08/addressing" />
- <sp:Header Name="From"
Namespace="http://www.w3.org/2005/08/addressing" />
- <sp:Header Name="FaultTo"
Namespace="http://www.w3.org/2005/08/addressing" />
- <sp:Header Name="ReplyTo"
Namespace="http://www.w3.org/2005/08/addressing" />
- <sp:Header Name="MessageID"
Namespace="http://www.w3.org/2005/08/addressing" />
- <sp:Header Name="RelatesTo"
Namespace="http://www.w3.org/2005/08/addressing" />
- <sp:Header Name="Action"
Namespace="http://www.w3.org/2005/08/addressing" />
- </sp:SignedParts>
- </wsp:All>
- </wsp:ExactlyOne>
- </wsp:Policy>
-</definitions></programlisting>
- </informalexample>
- <para>
- The endpoint implementation class is a POJO featuring Apache CXF
- <code>@EndpointProperty</code>
- annotations to provide
- <emphasis role="italics">WSS4J</emphasis>
- security properties:
- </para>
- <informalexample>
- <programlisting>package
org.jboss.test.ws.jaxws.samples.wsse.policy.trust;
+@WebService
+(
+ targetNamespace =
"http://www.jboss.org/jbossws/ws-extensions/wssecuritypolicy"
+)
+public interface ServiceIface
+{
+ @WebMethod
+ String sayHello();
+}
+</programlisting>
+ </informalexample>
+ </section>
+ <section
id="sid-47972359_WS-TrustandSTS-WebserviceproviderImplementation">
+
+ <title>Web service provider Implementation</title>
+ <para>
+ The web service provider implementation class, ServiceImpl, is a simple
POJO. It uses the standard WebService annotation to define the service endpoint. In
addition there are two Apache CXF annotations, EndpointProperties and EndpointProperty
used for configuring the endpoint for the CXF runtime. These annotations come from the
+ <ulink
url="https://ws.apache.org/wss4j/">Apache WSS4J
project</ulink>
+ , which provides a Java implementation of the primary WS-Security
standards for Web Services. These annotations are programmatically adding properties to
the endpoint. Traditionally, these properties would be set via the
<jaxws:properties> element on the <jaxws:endpoint> element in
the spring config, but these annotations allow the properties to be configured in the
code.
+ </para>
+ <para>WSS4J uses the Crypto interface to get keys and certificates for
encryption/decryption and for signature creation/verification. As is asserted by the
WSDL, X509 keys and certificates are required for this service. The WSS4J configuration
information being provided by ServiceImpl is for Crypto's Merlin implementation.
More information will be provided about this in the keystore section.</para>
+ <para>The first EndpointProperty statement in the listing is declaring
the user's name to use for the message signature. It is used as the alias name in
the keystore to get the user's cert and private key for signature. The next two
EndpointProperty statements declares the Java properties file that contains the (Merlin)
crypto configuration information. In this case both for signing and encrypting the
messages. WSS4J reads this file and extra required information for message handling.
The last EndpointProperty statement declares the ServerCallbackHandler implementation
class. It is used to obtain the user's password for the certificates in the keystore
file.</para>
+ <informalexample>
+ <programlisting>
+package org.jboss.test.ws.jaxws.samples.wsse.policy.trust.service;
import javax.jws.WebService;
@@ -2957,211 +3353,538 @@
@WebService
(
- portName = "SecurityServicePort",
- serviceName = "SecurityService",
- wsdlLocation = "WEB-INF/wsdl/SecurityService.wsdl",
- targetNamespace =
"http://www.jboss.org/jbossws/ws-extensions/wssecuritypolicy",
- endpointInterface =
"org.jboss.test.ws.jaxws.samples.wsse.policy.trust.ServiceIface"
+ portName = "SecurityServicePort",
+ serviceName = "SecurityService",
+ wsdlLocation = "WEB-INF/wsdl/SecurityService.wsdl",
+ targetNamespace =
"http://www.jboss.org/jbossws/ws-extensions/wssecuritypolicy",
+ endpointInterface =
"org.jboss.test.ws.jaxws.samples.wsse.policy.trust.service.ServiceIface"
)
@EndpointProperties(value = {
- @EndpointProperty(key = "ws-security.signature.username", value =
"myservicekey"),
- @EndpointProperty(key = "ws-security.signature.properties", value =
"serviceKeystore.properties"),
- @EndpointProperty(key = "ws-security.encryption.properties", value =
"serviceKeystore.properties"),
- @EndpointProperty(key = "ws-security.callback-handler", value =
"org.jboss.test.ws.jaxws.samples.wsse.policy.trust.ServerCallbackHandler")
+ @EndpointProperty(key = "ws-security.signature.username", value =
"myservicekey"),
+ @EndpointProperty(key = "ws-security.signature.properties", value =
"serviceKeystore.properties"),
+ @EndpointProperty(key = "ws-security.encryption.properties", value =
"serviceKeystore.properties"),
+ @EndpointProperty(key = "ws-security.callback-handler", value =
"org.jboss.test.ws.jaxws.samples.wsse.policy.trust.service.ServerCallbackHandler")
})
public class ServiceImpl implements ServiceIface
{
- public String sayHello()
- {
- return "WS-Trust Hello World!";
- }
-}</programlisting>
- </informalexample>
- <para>
- ... the
- <emphasis
role="italics">serviceKeystore.properties</emphasis>
- file references the keystore, aliases, etc.
- </para>
- <informalexample>
-
<programlisting>org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
-org.apache.ws.security.crypto.merlin.keystore.type=jks
-org.apache.ws.security.crypto.merlin.keystore.password=sspass
-org.apache.ws.security.crypto.merlin.keystore.alias=myservicekey
-org.apache.ws.security.crypto.merlin.keystore.file=servicestore.jks</programlisting>
- </informalexample>
- <para>
- ... while
- <code>ServerCallbackHandler</code>
- is an usual implementation of
- <code>CallbackHandler</code>
- to allow Apache CXF access to the keystore:
- </para>
- <informalexample>
- <programlisting>package
org.jboss.test.ws.jaxws.samples.wsse.policy.trust;
+ public String sayHello()
+ {
+ return "WS-Trust Hello World!";
+ }
+}
+</programlisting>
+ </informalexample>
+ </section>
+ <section
id="sid-47972359_WS-TrustandSTS-ServerCallbackHandler">
+
+ <title>ServerCallbackHandler</title>
+ <para>ServerCallbackHandler is a callback handler for the WSS4J Crypto
API. It is used to obtain the password for the private key in the keystore. This class
enables CXF to retrieve the password of the user name to use for the message signature.
A certificates' password is not discoverable. The creator of the certificate must
record the password he assigns and provide it when requested through the CallbackHandler.
In this scenario skpass is the password for user myservicekey.</para>
+ <informalexample>
+ <programlisting>
+ package org.jboss.test.ws.jaxws.samples.wsse.policy.trust.service;
-import java.io.IOException;
-import javax.security.auth.callback.Callback;
-import javax.security.auth.callback.CallbackHandler;
-import javax.security.auth.callback.UnsupportedCallbackException;
-import org.apache.ws.security.WSPasswordCallback;
+import java.util.HashMap;
+import java.util.Map;
-public class ServerCallbackHandler implements CallbackHandler {
+import org.jboss.wsf.stack.cxf.extensions.security.PasswordCallbackHandler;
- public void handle(Callback[] callbacks) throws IOException,
- UnsupportedCallbackException {
- for (int i = 0; i < callbacks.length; i++) {
- if (callbacks[i] instanceof WSPasswordCallback) {
- WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];
- if ("myservicekey".equals(pc.getIdentifier())) {
- pc.setPassword("skpass");
- break;
- }
- }
- }
- }
-}</programlisting>
- </informalexample>
- <para>
- Assuming the
- <emphasis role="italics">servicestore.jks</emphasis>
- keystore has been properly generated and contains service provider (server)
full key (private/certificate + public key) as well as the STS public key, we can proceed
to packaging the endpoint. Here is the expected content (the endpoint is a
- <emphasis role="italics">POJO</emphasis>
- one in a
- <emphasis role="italics">war</emphasis>
- archive, but
- <emphasis role="italics">EJB3</emphasis>
- endpoints in
- <emphasis role="italics">jar</emphasis>
- archives are of course also supported):
- </para>
- <informalexample>
- <programlisting>alessio@inuyasha /dati/jbossws/stack/cxf/trunk $ jar
-tvf ./modules/testsuite/cxf-tests/target/test-libs/jaxws-samples-wsse-policy-trust.war
- 0 Thu Jun 21 14:03:24 CEST 2012 META-INF/
- 159 Thu Jun 21 14:03:22 CEST 2012 META-INF/MANIFEST.MF
- 0 Thu Jun 21 14:03:24 CEST 2012 WEB-INF/
- 0 Thu Jun 21 14:03:24 CEST 2012 WEB-INF/classes/
- 0 Thu Jun 21 14:03:20 CEST 2012 WEB-INF/classes/org/
- 0 Thu Jun 21 14:03:20 CEST 2012 WEB-INF/classes/org/jboss/
- 0 Thu Jun 21 14:03:20 CEST 2012 WEB-INF/classes/org/jboss/test/
- 0 Thu Jun 21 14:03:22 CEST 2012 WEB-INF/classes/org/jboss/test/ws/
- 0 Thu Jun 21 14:03:20 CEST 2012 WEB-INF/classes/org/jboss/test/ws/jaxws/
- 0 Thu Jun 21 14:03:20 CEST 2012 WEB-INF/classes/org/jboss/test/ws/jaxws/samples/
- 0 Thu Jun 21 14:03:20 CEST 2012
WEB-INF/classes/org/jboss/test/ws/jaxws/samples/wsse/
- 0 Thu Jun 21 14:03:20 CEST 2012
WEB-INF/classes/org/jboss/test/ws/jaxws/samples/wsse/policy/
- 0 Thu Jun 21 14:03:22 CEST 2012
WEB-INF/classes/org/jboss/test/ws/jaxws/samples/wsse/policy/jaxws/
- 705 Thu Jun 21 14:03:22 CEST 2012
WEB-INF/classes/org/jboss/test/ws/jaxws/samples/wsse/policy/jaxws/SayHello.class
- 1069 Thu Jun 21 14:03:22 CEST 2012
WEB-INF/classes/org/jboss/test/ws/jaxws/samples/wsse/policy/jaxws/SayHelloResponse.class
- 0 Thu Jun 21 14:03:22 CEST 2012
WEB-INF/classes/org/jboss/test/ws/jaxws/samples/wsse/policy/trust/
- 1159 Thu Jun 21 14:03:22 CEST 2012
WEB-INF/classes/org/jboss/test/ws/jaxws/samples/wsse/policy/trust/ServerCallbackHandler.class
- 383 Thu Jun 21 14:03:20 CEST 2012
WEB-INF/classes/org/jboss/test/ws/jaxws/samples/wsse/policy/trust/ServiceIface.class
- 1365 Thu Jun 21 14:03:20 CEST 2012
WEB-INF/classes/org/jboss/test/ws/jaxws/samples/wsse/policy/trust/ServiceImpl.class
- 0 Thu Jun 21 14:03:18 CEST 2012 WEB-INF/wsdl/
- 6478 Thu Jun 21 14:03:18 CEST 2012 WEB-INF/wsdl/SecurityService.wsdl
- 653 Thu Jun 21 14:03:18 CEST 2012 WEB-INF/wsdl/SecurityService_schema1.xsd
- 1121 Thu Jun 21 14:03:18 CEST 2012 WEB-INF/classes/serviceKeystore.properties
- 3350 Thu Jun 21 14:03:18 CEST 2012
WEB-INF/classes/servicestore.jks</programlisting>
- </informalexample>
- <para>As you can see, the jaxws classes generated by the tools are of
course also included. The manifest declares the JBoss Modules dependencies for allowing
Apache CXF annotations and WSS4J usage:</para>
- <informalexample>
- <programlisting>Manifest-Version: 1.0
-Ant-Version: Apache Ant 1.8.2
-Created-By: 1.6.0_26-b03 (Sun Microsystems Inc.)
-Dependencies: org.apache.ws.security,org.apache.cxf</programlisting>
- </informalexample>
- </section>
- <section id="sid-47972359_WS-TrustandSTS-Client">
-
- <title>Client</title>
- <para>
- You start by consuming the published WSDL contract using the
- <emphasis role="italics">wsconsume</emphasis>
- tool on client side too. Then you simply invoke the the endpoint as a
standard JAX-WS one:
- </para>
- <informalexample>
- <programlisting>QName serviceName = new
QName("http://www.jboss.org/jbossws/ws-extensions/wssecuritypolicy",
"SecurityService");
-URL wsdlURL = new URL(serviceURL + "?wsdl");
-Service service = Service.create(wsdlURL, serviceName);
-ServiceIface proxy = (ServiceIface) service.getPort(ServiceIface.class);
+public class ServerCallbackHandler extends PasswordCallbackHandler
+{
-//setup WS-Security
-Map<String, Object> ctx = ((BindingProvider) proxy).getRequestContext();
-ctx.put(SecurityConstants.CALLBACK_HANDLER, new ClientCallbackHandler());
-ctx.put(SecurityConstants.SIGNATURE_PROPERTIES,
Thread.currentThread().getContextClassLoader().getResource("META-INF/clientKeystore.properties"));
-ctx.put(SecurityConstants.ENCRYPT_PROPERTIES,
Thread.currentThread().getContextClassLoader().getResource("META-INF/clientKeystore.properties"));
-ctx.put(SecurityConstants.SIGNATURE_USERNAME, "myclientkey");
-ctx.put(SecurityConstants.ENCRYPT_USERNAME, "myservicekey");
-ctx.put(SecurityConstants.USERNAME + ".it", "alice");
-ctx.put(SecurityConstants.CALLBACK_HANDLER + ".it", new
ClientCallbackHandler());
-ctx.put(SecurityConstants.ENCRYPT_PROPERTIES + ".it",
Thread.currentThread().getContextClassLoader().getResource("META-INF/clientKeystore.properties"));
-ctx.put(SecurityConstants.ENCRYPT_USERNAME + ".it", "mystskey");
-ctx.put(SecurityConstants.STS_TOKEN_USERNAME + ".it",
"myclientkey");
-ctx.put(SecurityConstants.STS_TOKEN_PROPERTIES + ".it",
Thread.currentThread().getContextClassLoader().getResource("META-INF/clientKeystore.properties"));
-ctx.put(SecurityConstants.STS_TOKEN_USE_CERT_FOR_KEYINFO + ".it",
"true");
-ctx.put("ws-security.sts.disable-wsmex-call-using-epr-address",
"true");
+ public ServerCallbackHandler()
+ {
+ super(getInitMap());
+ }
-proxy.sayHello();</programlisting>
- </informalexample>
- <para>
- As you can see, as usual the WS-Security properties are set in the request
context. The
- <code>".it"</code>
- suffix is used for properties related to communication with the Security
Token Service (which is described below and also includes policies enforcing signed and
encrypted messages). The
- <code>
- <ulink
url="http://anonsvn.jboss.org/repos/jbossws/stack/cxf/tags/jbossws-c...
- </code>
- is basically similar to the endpoint server one. The
- <emphasis
role="italics">clientKeystore.properties</emphasis>
- file is the client side equivalent of the
- <emphasis
role="italics">serviceKeystore.properties</emphasis>
- and references the
- <emphasis role="italics">clientstore.jks</emphasis>
- keystore file, which has been populated with the client full key
(private/certificate + public key) as well as the server endpoint and STS public keys.
- </para>
- <informalexample>
-
<programlisting>org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
+ private static Map<String, String> getInitMap()
+ {
+ Map<String, String> passwords = new HashMap<String,
String>();
+ passwords.put("myservicekey", "skpass");
+ return passwords;
+ }
+}
+</programlisting>
+ </informalexample>
+ </section>
+ <section
id="sid-47972359_WS-TrustandSTS-Cryptopropertiesandkeystorefiles">
+
+ <title>Crypto properties and keystore files</title>
+ <para>WSS4J's Crypto implementation is loaded and configured via a
Java properties file that contains Crypto configuration data. The file contains
implementation-specific properties such as a keystore location, password, default alias
and the like. This application is using the Merlin implementation. File
serviceKeystore.properties contains this information.</para>
+ <para>
+ File servicestore.jks, is a Java KeyStore (JKS) repository. It contains
self signed certificates for myservicekey and mystskey.
+ <emphasis role="italics">Self signed certificates are not
appropriate for production use.</emphasis>
+ </para>
+ <informalexample>
+ <programlisting>
+org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
-org.apache.ws.security.crypto.merlin.keystore.password=cspass
-org.apache.ws.security.crypto.merlin.keystore.alias=myclientkey
-org.apache.ws.security.crypto.merlin.keystore.file=META-INF/clientstore.jks</programlisting>
- </informalexample>
- <para>The Apache CXF WS-Policy engine will digest the security
requirements in the endpoint contract and ensure a valid secure communication is in place
for interacting with the server endpoint. More in details, here is what will be
happening:</para>
- <orderedlist>
+org.apache.ws.security.crypto.merlin.keystore.password=sspass
+org.apache.ws.security.crypto.merlin.keystore.alias=myservicekey
+org.apache.ws.security.crypto.merlin.keystore.file=servicestore.jks
+</programlisting>
+ </informalexample>
+ </section>
+ <section id="sid-47972359_WS-TrustandSTS-MANIFEST.MF">
+
+ <title>MANIFEST.MF</title>
+ <para>When deployed on JBoss Application Server this application
requires access to the JBossWs and CXF APIs provided in module
org.jboss.ws.cxf.jbossws-cxf-client. The dependency statement directs the server to
provide them at deployment.</para>
+ <informalexample>
+ <programlisting>
+Manifest-Version: 1.0
+Ant-Version: Apache Ant 1.8.2
+Created-By: 1.7.0_25-b15 (Oracle Corporation)
+Dependencies: org.jboss.ws.cxf.jbossws-cxf-client
+</programlisting>
+ </informalexample>
+ </section>
+ </section>
+ <section
id="sid-47972359_WS-TrustandSTS-SecurityTokenService%28STS%29">
+
+ <title>Security Token Service (STS)</title>
+ <para>This section examines the crucial elements in providing the
Security Token Service functionality described in the basic WS-Trust scenario. The
components that will be discussed are.</para>
+ <itemizedlist>
<listitem>
- <para>the client get the service endpoint WSDL; the Apache CXF engine
parses it, processes the included policy and decides to contact the STS</para>
+ <para>STS's WSDL</para>
</listitem>
<listitem>
- <para>the STS client is automatically injected into the application
client and gets the STS wsdl; the Apache CXF engine processes the policy in
it</para>
+ <para>STS's implementation class.</para>
</listitem>
<listitem>
- <para>a WS-Security enabled communication (as per STS advertised
policy) is established and the client issues a request for getting a SAML assertion token
from the STS</para>
+ <para>STSCallbackHandler class</para>
</listitem>
<listitem>
- <para>the STS endpoint receives the request, extracts the client
identify from it and authenticates the client</para>
+ <para>Crypto properties and keystore files</para>
</listitem>
<listitem>
- <para>the SAML token is returned to the client, which uses it for
establishing a new connection with the service endpoint; the Apache CXF engine again
setups signature/encryption as per endpoint advertised policy</para>
+ <para>MANIFEST.MF</para>
</listitem>
<listitem>
- <para>the service endpoint receives the token provided through the
STS and performs the required operation</para>
+ <para>Server configuration files</para>
</listitem>
- </orderedlist>
- </section>
- <section id="sid-47972359_WS-TrustandSTS-ApacheCXFSTS">
-
- <title>Apache CXF STS</title>
- <para>
- As mentioned above, Apache CXF comes with its own Security Token Service
implementation. That is completely configurable and can be used as a JAX-WS
- <code>WebServiceProvider</code>
- endpoint running in payload service mode. An extension to the
org.apache.cxf.ws.security.sts.provider.SecurityTokenServiceProvider is created, properly
annotated and included in an usual webservice endpoint deployment.
- </para>
- <informalexample>
- <programlisting>package
org.jboss.test.ws.jaxws.samples.wsse.policy.trust;
+ </itemizedlist>
+ <section id="sid-47972359_WS-TrustandSTS-STSWSDL">
+
+ <title>STS WSDL</title>
+ <para>The STS is a contract-first endpoint. All the WS-trust and
security policies for it are declared in the WSDL, ws-trust-1.4-service.wsdl. A
symmetric binding policy is used to encrypt and sign the SOAP body of messages that pass
back and forth between ws-requester and the STS. The ws-requester is required to
authenticate itself by providing WSS UsernameToken credentials. The rules for sharing
the public and private keys in the SOAP request and response messages are declared. A
detailed explanation of the security settings are provided in the comments in the listing
below.</para>
+ <informalexample>
+ <programlisting>
+ <?xml version="1.0" encoding="UTF-8"?>
+<wsdl:definitions
+
targetNamespace="http://docs.oasis-open.org/ws-sx/ws-trust/200512/&q...
+
xmlns:tns="http://docs.oasis-open.org/ws-sx/ws-trust/200512/"
+
xmlns:wstrust="http://docs.oasis-open.org/ws-sx/ws-trust/200512/"
+
xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
+
xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
+
xmlns:wsap10="http://www.w3.org/2006/05/addressing/wsdl"
+
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-w...
+
xmlns:wsp="http://www.w3.org/ns/ws-policy"
+
xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
+
xmlns:xs="http://www.w3.org/2001/XMLSchema"
+
xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata">
+ <wsdl:types>
+ <xs:schema elementFormDefault="qualified"
targetNamespace='http://docs.oasis-open.org/ws-sx/ws-trust/200512'...
+
+ <xs:element name='RequestSecurityToken'
type='wst:AbstractRequestSecurityTokenType' />
+ <xs:element name='RequestSecurityTokenResponse'
type='wst:AbstractRequestSecurityTokenType' />
+
+ <xs:complexType name='AbstractRequestSecurityTokenType' >
+ <xs:sequence>
+ <xs:any namespace='##any' processContents='lax'
minOccurs='0' maxOccurs='unbounded' />
+ </xs:sequence>
+ <xs:attribute name='Context' type='xs:anyURI'
use='optional' />
+ <xs:anyAttribute namespace='##other' processContents='lax'
/>
+ </xs:complexType>
+ <xs:element name='RequestSecurityTokenCollection'
type='wst:RequestSecurityTokenCollectionType' />
+ <xs:complexType name='RequestSecurityTokenCollectionType' >
+ <xs:sequence>
+ <xs:element name='RequestSecurityToken'
type='wst:AbstractRequestSecurityTokenType' minOccurs='2'
maxOccurs='unbounded'/>
+ </xs:sequence>
+ </xs:complexType>
+
+ <xs:element name='RequestSecurityTokenResponseCollection'
type='wst:RequestSecurityTokenResponseCollectionType' />
+ <xs:complexType name='RequestSecurityTokenResponseCollectionType'
>
+ <xs:sequence>
+ <xs:element ref='wst:RequestSecurityTokenResponse'
minOccurs='1' maxOccurs='unbounded' />
+ </xs:sequence>
+ <xs:anyAttribute namespace='##other' processContents='lax'
/>
+ </xs:complexType>
+
+ </xs:schema>
+ </wsdl:types>
+
+ <!-- WS-Trust defines the following GEDs -->
+ <wsdl:message name="RequestSecurityTokenMsg">
+ <wsdl:part name="request"
element="wst:RequestSecurityToken" />
+ </wsdl:message>
+ <wsdl:message name="RequestSecurityTokenResponseMsg">
+ <wsdl:part name="response"
+ element="wst:RequestSecurityTokenResponse" />
+ </wsdl:message>
+ <wsdl:message name="RequestSecurityTokenCollectionMsg">
+ <wsdl:part name="requestCollection"
+ element="wst:RequestSecurityTokenCollection"/>
+ </wsdl:message>
+ <wsdl:message
name="RequestSecurityTokenResponseCollectionMsg">
+ <wsdl:part name="responseCollection"
+ element="wst:RequestSecurityTokenResponseCollection"/>
+ </wsdl:message>
+
+ <!-- This portType an example of a Requestor (or other) endpoint that
+ Accepts SOAP-based challenges from a Security Token Service -->
+ <wsdl:portType name="WSSecurityRequestor">
+ <wsdl:operation name="Challenge">
+ <wsdl:input
message="tns:RequestSecurityTokenResponseMsg"/>
+ <wsdl:output
message="tns:RequestSecurityTokenResponseMsg"/>
+ </wsdl:operation>
+ </wsdl:portType>
+
+
+ <!-- This portType is an example of an STS supporting full protocol -->
+<!--
+ The wsdl:portType and data types are XML elements defined by the
+ WS_Trust specification. The wsdl:portType defines the endpoints
+ supported in the STS implementation. This WSDL defines all operations
+ that an STS implementation can support.
+-->
+ <wsdl:portType name="STS">
+ <wsdl:operation name="Cancel">
+ <wsdl:input
wsam:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Ca...
message="tns:RequestSecurityTokenMsg"/>
+ <wsdl:output
wsam:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/C...
message="tns:RequestSecurityTokenResponseMsg"/>
+ </wsdl:operation>
+ <wsdl:operation name="Issue">
+ <wsdl:input
wsam:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Is...
message="tns:RequestSecurityTokenMsg"/>
+ <wsdl:output
wsam:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTRC/...
message="tns:RequestSecurityTokenResponseCollectionMsg"/>
+ </wsdl:operation>
+ <wsdl:operation name="Renew">
+ <wsdl:input
wsam:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Re...
message="tns:RequestSecurityTokenMsg"/>
+ <wsdl:output
wsam:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/R...
message="tns:RequestSecurityTokenResponseMsg"/>
+ </wsdl:operation>
+ <wsdl:operation name="Validate">
+ <wsdl:input
wsam:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Va...
message="tns:RequestSecurityTokenMsg"/>
+ <wsdl:output
wsam:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/V...
message="tns:RequestSecurityTokenResponseMsg"/>
+ </wsdl:operation>
+ <wsdl:operation name="KeyExchangeToken">
+ <wsdl:input
wsam:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/KE...
message="tns:RequestSecurityTokenMsg"/>
+ <wsdl:output
wsam:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/K...
message="tns:RequestSecurityTokenResponseMsg"/>
+ </wsdl:operation>
+ <wsdl:operation name="RequestCollection">
+ <wsdl:input
message="tns:RequestSecurityTokenCollectionMsg"/>
+ <wsdl:output
message="tns:RequestSecurityTokenResponseCollectionMsg"/>
+ </wsdl:operation>
+ </wsdl:portType>
+
+ <!-- This portType is an example of an endpoint that accepts
+ Unsolicited RequestSecurityTokenResponse messages -->
+ <wsdl:portType name="SecurityTokenResponseService">
+ <wsdl:operation name="RequestSecurityTokenResponse">
+ <wsdl:input
message="tns:RequestSecurityTokenResponseMsg"/>
+ </wsdl:operation>
+ </wsdl:portType>
+
+<!--
+ The wsp:PolicyReference binds the security requirments on all the STS endpoints.
+ The wsp:Policy wsu:Id="UT_policy" element is later in this file.
+-->
+ <wsdl:binding name="UT_Binding" type="wstrust:STS">
+ <wsp:PolicyReference URI="#UT_policy" />
+ <soap:binding style="document"
+ transport="http://schemas.xmlsoap.org/soap/http" />
+ <wsdl:operation name="Issue">
+ <soap:operation
+
soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue"
/>
+ <wsdl:input>
+ <wsp:PolicyReference
+ URI="#Input_policy" />
+ <soap:body use="literal" />
+ </wsdl:input>
+ <wsdl:output>
+ <wsp:PolicyReference
+ URI="#Output_policy" />
+ <soap:body use="literal" />
+ </wsdl:output>
+ </wsdl:operation>
+ <wsdl:operation name="Validate">
+ <soap:operation
+
soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Validate"
/>
+ <wsdl:input>
+ <wsp:PolicyReference
+ URI="#Input_policy" />
+ <soap:body use="literal" />
+ </wsdl:input>
+ <wsdl:output>
+ <wsp:PolicyReference
+ URI="#Output_policy" />
+ <soap:body use="literal" />
+ </wsdl:output>
+ </wsdl:operation>
+ <wsdl:operation name="Cancel">
+ <soap:operation
+
soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Cancel"
/>
+ <wsdl:input>
+ <soap:body use="literal" />
+ </wsdl:input>
+ <wsdl:output>
+ <soap:body use="literal" />
+ </wsdl:output>
+ </wsdl:operation>
+ <wsdl:operation name="Renew">
+ <soap:operation
+
soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Renew"
/>
+ <wsdl:input>
+ <soap:body use="literal" />
+ </wsdl:input>
+ <wsdl:output>
+ <soap:body use="literal" />
+ </wsdl:output>
+ </wsdl:operation>
+ <wsdl:operation name="KeyExchangeToken">
+ <soap:operation
+
soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/KeyExchangeToken"
/>
+ <wsdl:input>
+ <soap:body use="literal" />
+ </wsdl:input>
+ <wsdl:output>
+ <soap:body use="literal" />
+ </wsdl:output>
+ </wsdl:operation>
+ <wsdl:operation name="RequestCollection">
+ <soap:operation
+
soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/RequestCollection"
/>
+ <wsdl:input>
+ <soap:body use="literal" />
+ </wsdl:input>
+ <wsdl:output>
+ <soap:body use="literal" />
+ </wsdl:output>
+ </wsdl:operation>
+ </wsdl:binding>
+
+ <wsdl:service name="SecurityTokenService">
+ <wsdl:port name="UT_Port"
binding="tns:UT_Binding">
+ <soap:address
location="http://localhost:8080/SecurityTokenService/UT" />
+ </wsdl:port>
+ </wsdl:service>
+
+ <wsp:Policy wsu:Id="UT_policy">
+ <wsp:ExactlyOne>
+ <wsp:All>
+<!--
+ The sp:UsingAddressing element, indicates that the endpoints of this
+ web service conforms to the WS-Addressing specification. More detail
+ can be found here: [
http://www.w3.org/TR/2006/CR-ws-addr-wsdl-20060529]
+-->
+ <wsap10:UsingAddressing/>
+<!--
+ The sp:SymmetricBinding element indicates that security is provided
+ at the SOAP layer and any initiator must authenticate itself by providing
+ WSS UsernameToken credentials.
+-->
+ <sp:SymmetricBinding
+
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702&...
+ <wsp:Policy>
+<!--
+ In a symmetric binding, the keys used for encrypting and signing in both
+ directions are derived from a single key, the one specified by the
+ sp:ProtectionToken element. The sp:X509Token sub-element declares this
+ key to be a X.509 certificate and the
+
IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200...
+ attribute adds the requirement that the token MUST NOT be included in
+ any messages sent between the initiator and the recipient; rather, an
+ external reference to the token should be used. Lastly the WssX509V3Token10
+ sub-element declares that the Username token presented by the initiator
+ should be compliant with Web Services Security UsernameToken Profile
+ 1.0 specification. [
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-pr... ]
+-->
+ <sp:ProtectionToken>
+ <wsp:Policy>
+ <sp:X509Token
+
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/...
+ <wsp:Policy>
+ <sp:RequireDerivedKeys />
+ <sp:RequireThumbprintReference />
+ <sp:WssX509V3Token10 />
+ </wsp:Policy>
+ </sp:X509Token>
+ </wsp:Policy>
+ </sp:ProtectionToken>
+<!--
+ The sp:AlgorithmSuite element, requires the Basic256 algorithm suite
+ be used in performing cryptographic operations.
+-->
+ <sp:AlgorithmSuite>
+ <wsp:Policy>
+ <sp:Basic256 />
+ </wsp:Policy>
+ </sp:AlgorithmSuite>
+<!--
+ The sp:Layout element, indicates the layout rules to apply when adding
+ items to the security header. The sp:Lax sub-element indicates items
+ are added to the security header in any order that conforms to
+ WSS: SOAP Message Security.
+-->
+ <sp:Layout>
+ <wsp:Policy>
+ <sp:Lax />
+ </wsp:Policy>
+ </sp:Layout>
+ <sp:IncludeTimestamp />
+ <sp:EncryptSignature />
+ <sp:OnlySignEntireHeadersAndBody />
+ </wsp:Policy>
+ </sp:SymmetricBinding>
+<!--
+ The sp:SignedSupportingTokens element declares that the security header
+ of messages must contain a sp:UsernameToken and the token must be signed.
+ The attribute
IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200...
+ on sp:UsernameToken indicates that the token MUST be included in all
+ messages sent from initiator to the recipient and that the token MUST
+ NOT be included in messages sent from the recipient to the initiator.
+ And finally the element sp:WssUsernameToken10 is a policy assertion
+ indicating the Username token should be as defined in Web Services
+ Security UsernameToken Profile 1.0
+-->
+ <sp:SignedSupportingTokens
+
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702&...
+ <wsp:Policy>
+ <sp:UsernameToken
+
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/...
+ <wsp:Policy>
+ <sp:WssUsernameToken10 />
+ </wsp:Policy>
+ </sp:UsernameToken>
+ </wsp:Policy>
+ </sp:SignedSupportingTokens>
+<!--
+ The sp:Wss11 element declares WSS: SOAP Message Security 1.1 options
+ to be supported by the STS. These particular elements generally refer
+ to how keys are referenced within the SOAP envelope. These are normally
+ handled by CXF.
+-->
+ <sp:Wss11
+
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702&...
+ <wsp:Policy>
+ <sp:MustSupportRefKeyIdentifier />
+ <sp:MustSupportRefIssuerSerial />
+ <sp:MustSupportRefThumbprint />
+ <sp:MustSupportRefEncryptedKey />
+ </wsp:Policy>
+ </sp:Wss11>
+<!--
+ The sp:Trust13 element declares controls for WS-Trust 1.3 options.
+ They are policy assertions related to exchanges specifically with
+ client and server challenges and entropy behaviors. Again these are
+ normally handled by CXF.
+-->
+ <sp:Trust13
+
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702&...
+ <wsp:Policy>
+ <sp:MustSupportIssuedTokens />
+ <sp:RequireClientEntropy />
+ <sp:RequireServerEntropy />
+ </wsp:Policy>
+ </sp:Trust13>
+ </wsp:All>
+ </wsp:ExactlyOne>
+ </wsp:Policy>
+
+ <wsp:Policy wsu:Id="Input_policy">
+ <wsp:ExactlyOne>
+ <wsp:All>
+ <sp:SignedParts
+
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702&...
+ <sp:Body />
+ <sp:Header Name="To"
+
Namespace="http://www.w3.org/2005/08/addressing" />
+ <sp:Header Name="From"
+
Namespace="http://www.w3.org/2005/08/addressing" />
+ <sp:Header Name="FaultTo"
+
Namespace="http://www.w3.org/2005/08/addressing" />
+ <sp:Header Name="ReplyTo"
+
Namespace="http://www.w3.org/2005/08/addressing" />
+ <sp:Header Name="MessageID"
+
Namespace="http://www.w3.org/2005/08/addressing" />
+ <sp:Header Name="RelatesTo"
+
Namespace="http://www.w3.org/2005/08/addressing" />
+ <sp:Header Name="Action"
+
Namespace="http://www.w3.org/2005/08/addressing" />
+ </sp:SignedParts>
+ <sp:EncryptedParts
+
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702&...
+ <sp:Body />
+ </sp:EncryptedParts>
+ </wsp:All>
+ </wsp:ExactlyOne>
+ </wsp:Policy>
+
+ <wsp:Policy wsu:Id="Output_policy">
+ <wsp:ExactlyOne>
+ <wsp:All>
+ <sp:SignedParts
+
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702&...
+ <sp:Body />
+ <sp:Header Name="To"
+
Namespace="http://www.w3.org/2005/08/addressing" />
+ <sp:Header Name="From"
+
Namespace="http://www.w3.org/2005/08/addressing" />
+ <sp:Header Name="FaultTo"
+
Namespace="http://www.w3.org/2005/08/addressing" />
+ <sp:Header Name="ReplyTo"
+
Namespace="http://www.w3.org/2005/08/addressing" />
+ <sp:Header Name="MessageID"
+
Namespace="http://www.w3.org/2005/08/addressing" />
+ <sp:Header Name="RelatesTo"
+
Namespace="http://www.w3.org/2005/08/addressing" />
+ <sp:Header Name="Action"
+
Namespace="http://www.w3.org/2005/08/addressing" />
+ </sp:SignedParts>
+ <sp:EncryptedParts
+
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702&...
+ <sp:Body />
+ </sp:EncryptedParts>
+ </wsp:All>
+ </wsp:ExactlyOne>
+ </wsp:Policy>
+
+</wsdl:definitions>
+</programlisting>
+ </informalexample>
+ </section>
+ <section id="sid-47972359_WS-TrustandSTS-STSImplementation">
+
+ <title>STS Implementation</title>
+ <para>
+ The Apache CXF's STS, SecurityTokenServiceProvider, is a web service
provider that is compliant with the protocols and functionality defined by the WS-Trust
specification. It has a modular architecture. Many of its components are configurable or
replaceable and there are many optional features that are enabled by implementing and
configuring plug-ins. Users can customize their own STS by extending from
SecurityTokenServiceProvider and overriding the default settings. Extensive information
about the CXF's STS configurable and pluggable components can be found
+ <ulink
url="http://coheigea.blogspot.com/2011/11/apache-cxf-sts-documentati...
+ .
+ </para>
+ <para>This STS implementation class, SimpleSTS, is a POJO that extends
from SecurityTokenServiceProvider. Note that the class is defined with a
WebServiceProvider annotation and not a WebService annotation. This annotation defines
the service as a Provider-based endpoint, meaning it supports a more messaging-oriented
approach to Web services. In particular, it signals that the exchanged messages will be
XML documents of some type. SecurityTokenServiceProvider is an implementation of the
javax.xml.ws.Provider interface. In comparison the WebService annotation defines a
(service endpoint interface) SEI-based endpoint which supports message exchange via SOAP
envelopes.</para>
+ <para>
+ As was done in the ServiceImpl class, the WSS4J annotations
EndpointProperties and EndpointProperty are providing endpoint configuration for the CXF
runtime. This was previous described
+ <link
linkend="sid-47972359_WS-TrustandSTS-WebserviceproviderImplementation">here</link>
+ .
+ </para>
+ <para>The InInterceptors annotation is used to specify a JBossWS
integration interceptor to be used for authenticating incoming requests; JAAS integration
is used here for authentication, the username/passoword coming from the UsernameToken in
the ws-requester message are used for authenticating the requester against a security
domain on the application server hosting the STS deployment.</para>
+ <para>In this implementation we are customizing the operations of token
issuance, token validation and their static properties.</para>
+ <para>StaticSTSProperties is used to set select properties for
configuring resources in the STS. You may think this is a duplication of the settings
made with the WSS4J annotations. The values are the same but the underlaying structures
being set are different, thus this information must be declared in both
places.</para>
+ <para>The setIssuer setting is important because it uniquely
identifies the issuing STS. The issuer string is embedded in issued tokens and, when
validating tokens, the STS checks the issuer string value. Consequently, it is important
to use the issuer string in a consistent way, so that the STS can recognize the tokens
that it has issued.</para>
+ <para>The setEndpoints call allows the declaration of a set of allowed
token recipients by address. The addresses are specified as reg-ex
patterns.</para>
+ <para>TokenIssueOperation and TokenValidateOperation have a modular
structure. This allows custom behaviors to be injected into the processing of messages.
In this case we are overriding the SecurityTokenServiceProvider's default behavior
and performing SAML token processing and validation. CXF provides an implementation of a
SAMLTokenProvider and SAMLTokenValidator which we are using rather than writing our
own.</para>
+ <para>
+ Learn more about the SAMLTokenProvider
+ <ulink
url="http://coheigea.blogspot.it/2011/10/apache-cxf-sts-documentation-part-iv.html">here</ulink>
+ .
+ </para>
+ <informalexample>
+ <programlisting>
+package org.jboss.test.ws.jaxws.samples.wsse.policy.trust;
+
import java.util.Arrays;
import java.util.LinkedList;
import java.util.List;
-
+
import javax.xml.ws.WebServiceProvider;
-
+
import org.apache.cxf.annotations.EndpointProperties;
import org.apache.cxf.annotations.EndpointProperty;
import org.apache.cxf.interceptor.InInterceptors;
@@ -3173,190 +3896,339 @@
import org.apache.cxf.sts.token.provider.SAMLTokenProvider;
import org.apache.cxf.sts.token.validator.SAMLTokenValidator;
import org.apache.cxf.ws.security.sts.provider.SecurityTokenServiceProvider;
-
+
@WebServiceProvider(serviceName = "SecurityTokenService",
- portName = "UT_Port",
- targetNamespace = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/",
- wsdlLocation = "WEB-INF/wsdl/ws-trust-1.4-service.wsdl")
+ portName = "UT_Port",
+ targetNamespace = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/",
+ wsdlLocation = "WEB-INF/wsdl/ws-trust-1.4-service.wsdl")
@EndpointProperties(value = {
- @EndpointProperty(key = "ws-security.signature.username", value =
"mystskey"),
- @EndpointProperty(key = "ws-security.signature.properties", value =
"stsKeystore.properties"),
- @EndpointProperty(key = "ws-security.callback-handler", value =
"org.jboss.test.ws.jaxws.samples.wsse.policy.trust.STSCallbackHandler"),
- @EndpointProperty(key = "ws-security.validate.token", value =
"false") //to let the JAAS integration deal with validation through the
interceptor below
+ @EndpointProperty(key = "ws-security.signature.username", value =
"mystskey"),
+ @EndpointProperty(key = "ws-security.signature.properties", value =
"stsKeystore.properties"),
+ @EndpointProperty(key = "ws-security.callback-handler", value =
"org.jboss.test.ws.jaxws.samples.wsse.policy.trust.STSCallbackHandler"),
+ //to let the JAAS integration deal with validation through the interceptor below
+ @EndpointProperty(key = "ws-security.validate.token", value =
"false")
+
})
@InInterceptors(interceptors =
{"org.jboss.wsf.stack.cxf.security.authentication.SubjectCreatingPolicyInterceptor"})
public class SampleSTS extends SecurityTokenServiceProvider
{
- public SampleSTS() throws Exception
- {
- super();
+ public SampleSTS() throws Exception
+ {
+ super();
+
+ StaticSTSProperties props = new StaticSTSProperties();
+ props.setSignaturePropertiesFile("stsKeystore.properties");
+ props.setSignatureUsername("mystskey");
+ props.setCallbackHandlerClass(STSCallbackHandler.class.getName());
+ props.setIssuer("DoubleItSTSIssuer");
+
+ List<ServiceMBean> services = new
LinkedList<ServiceMBean>();
+ StaticService service = new StaticService();
+ service.setEndpoints(Arrays.asList(
+
"http://localhost:(\\d)*/jaxws-samples-wsse-policy-trust/SecurityService",
+
"http://\\[::1\\]:(\\d)*/jaxws-samples-wsse-policy-trust/SecurityService",
+
"http://\\[0:0:0:0:0:0:0:1\\]:(\\d)*/jaxws-samples-wsse-policy-trust/SecurityService"
+ ));
+ services.add(service);
+
+ TokenIssueOperation issueOperation = new TokenIssueOperation();
+ issueOperation.setServices(services);
+ issueOperation.getTokenProviders().add(new SAMLTokenProvider());
+ issueOperation.setStsProperties(props);
+
+ TokenValidateOperation validateOperation = new TokenValidateOperation();
+ validateOperation.getTokenValidators().add(new SAMLTokenValidator());
+ validateOperation.setStsProperties(props);
+
+ this.setIssueOperation(issueOperation);
+ this.setValidateOperation(validateOperation);
+ }
+}
+</programlisting>
+ </informalexample>
+ </section>
+ <section id="sid-47972359_WS-TrustandSTS-STSCallbackHandler">
+
+ <title>STSCallbackHandler</title>
+ <para>STSCallbackHandler is a callback handler for the WSS4J Crypto
API. It is used to obtain the password for the private key in the keystore. This class
enables CXF to retrieve the password of the user name to use for the message
signature.</para>
+ <informalexample>
+ <programlisting>
+package org.jboss.test.ws.jaxws.samples.wsse.policy.trust.sts;
- StaticSTSProperties props = new StaticSTSProperties();
- props.setSignaturePropertiesFile("stsKeystore.properties");
- props.setSignatureUsername("mystskey");
- props.setCallbackHandlerClass(STSCallbackHandler.class.getName());
- props.setIssuer("DoubleItSTSIssuer");
+import java.util.HashMap;
+import java.util.Map;
- List<ServiceMBean> services = new
LinkedList<ServiceMBean>();
- StaticService service = new StaticService();
-
service.setEndpoints(Arrays.asList("http://localhost:(\\d)*/jaxws-samples-wsse-policy-trust/SecurityService",
"http://\\[::1\\]:(\\d)*/jaxws-samples-wsse-policy-trust/SecurityService"));
- services.add(service);
+import org.jboss.wsf.stack.cxf.extensions.security.PasswordCallbackHandler;
- TokenIssueOperation issueOperation = new TokenIssueOperation();
- issueOperation.setServices(services);
- issueOperation.getTokenProviders().add(new SAMLTokenProvider());
- issueOperation.setStsProperties(props);
+public class STSCallbackHandler extends PasswordCallbackHandler
+{
+ public STSCallbackHandler()
+ {
+ super(getInitMap());
+ }
- TokenValidateOperation validateOperation = new TokenValidateOperation();
- validateOperation.getTokenValidators().add(new SAMLTokenValidator());
- validateOperation.setStsProperties(props);
-
- this.setIssueOperation(issueOperation);
- this.setValidateOperation(validateOperation);
- }
-}</programlisting>
- </informalexample>
- <para>
- The
- <code>@WebServiceProvider</code>
- annotation references a WS-SecurityPolicy enriched
- <ulink
url="http://anonsvn.jboss.org/repos/jbossws/stack/cxf/tags/jbossws-c...
- of the WS-Trust 1.4 wsdl.
- </para>
- <para>
- The
- <code>@EndpointProperty</code>
- annotations provides the usual WSS4J configuration elements.
- </para>
- <para>
- The
- <code>@InInterceptor</code>
- annotation is used to specify a JBossWS integration interceptor to be used
for authenticating incoming requests; JAAS integration is used here for authentication, so
basically the username/passoword coming from the UsernameToken in the client message are
used for authenticating the client against a security domain on the application server
hosting the STS deployment.
- </para>
- <para>The stsKeystore.properties file is as follows:</para>
- <informalexample>
-
<programlisting>org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
+ private static Map<String, String> getInitMap()
+ {
+ Map<String, String> passwords = new HashMap<String,
String>();
+ passwords.put("mystskey", "stskpass");
+ return passwords;
+ }
+}
+</programlisting>
+ </informalexample>
+ </section>
+ <section
id="sid-47972359_WS-TrustandSTS-Cryptopropertiesandkeystorefilesx">
+
+ <title>Crypto properties and keystore files</title>
+ <para>
+ WSS4J's Crypto implementation is loaded and configured via a Java
properties file that contains Crypto configuration data. The file contains
implementation-specific properties such as a keystore location, password, default alias
and the like. This application is using the Merlin implementation. File
stsKeystore.properties contains this information.
+
+ </para>
+ <para>
+ File servicestore.jks, is a Java KeyStore (JKS) repository. It contains
self signed certificates for myservicekey and mystskey.
+ <emphasis role="italics">Self signed certificates are not
appropriate for production use.</emphasis>
+ </para>
+ <informalexample>
+ <programlisting>
+org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=stsspass
-org.apache.ws.security.crypto.merlin.keystore.file=stsstore.jks</programlisting>
- </informalexample>
- <para>... while STSCallbackHandler grants access to the stsstore.jks,
which has been populated with the STS full key (private/certificate + public key) as well
as the server endpoint and client public keys.</para>
- <informalexample>
- <programlisting>package
org.jboss.test.ws.jaxws.samples.wsse.policy.trust;
-
-import java.io.IOException;
-import javax.security.auth.callback.Callback;
-import javax.security.auth.callback.CallbackHandler;
-import javax.security.auth.callback.UnsupportedCallbackException;
-import org.apache.ws.security.WSPasswordCallback;
-
-public class STSCallbackHandler implements CallbackHandler {
-
- public void handle(Callback[] callbacks) throws IOException,
- UnsupportedCallbackException {
- for (int i = 0; i < callbacks.length; i++) {
- if (callbacks[i] instanceof WSPasswordCallback) {
- WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];
- if ("mystskey".equals(pc.getIdentifier())) {
- pc.setPassword("stskpass");
- break;
- }
- }
- }
- }
-}</programlisting>
- </informalexample>
- <para>Here is how the STS webservice provider is packaged:</para>
- <informalexample>
- <programlisting>alessio@inuyasha /dati/jbossws/stack/cxf/trunk $ jar
-tvf
./modules/testsuite/cxf-tests/target/test-libs/jaxws-samples-wsse-policy-trust-sts.war
- 0 Mon Jun 25 13:39:06 CEST 2012 META-INF/
- 164 Mon Jun 25 13:39:04 CEST 2012 META-INF/MANIFEST.MF
- 0 Mon Jun 25 13:39:06 CEST 2012 WEB-INF/
- 0 Mon Jun 25 13:39:06 CEST 2012 WEB-INF/classes/
- 0 Mon Jun 25 13:39:04 CEST 2012 WEB-INF/classes/org/
- 0 Mon Jun 25 13:39:04 CEST 2012 WEB-INF/classes/org/jboss/
- 0 Mon Jun 25 13:39:04 CEST 2012 WEB-INF/classes/org/jboss/test/
- 0 Mon Jun 25 13:39:04 CEST 2012 WEB-INF/classes/org/jboss/test/ws/
- 0 Mon Jun 25 13:39:04 CEST 2012 WEB-INF/classes/org/jboss/test/ws/jaxws/
- 0 Mon Jun 25 13:39:04 CEST 2012 WEB-INF/classes/org/jboss/test/ws/jaxws/samples/
- 0 Mon Jun 25 13:39:04 CEST 2012
WEB-INF/classes/org/jboss/test/ws/jaxws/samples/wsse/
- 0 Mon Jun 25 13:39:04 CEST 2012
WEB-INF/classes/org/jboss/test/ws/jaxws/samples/wsse/policy/
- 0 Mon Jun 25 13:39:04 CEST 2012
WEB-INF/classes/org/jboss/test/ws/jaxws/samples/wsse/policy/trust/
- 1148 Mon Jun 25 13:39:04 CEST 2012
WEB-INF/classes/org/jboss/test/ws/jaxws/samples/wsse/policy/trust/STSCallbackHandler.class
- 3456 Mon Jun 25 13:39:04 CEST 2012
WEB-INF/classes/org/jboss/test/ws/jaxws/samples/wsse/policy/trust/SampleSTS.class
- 251 Mon Jun 25 13:39:02 CEST 2012 WEB-INF/jboss-web.xml
- 0 Mon Jun 25 13:39:02 CEST 2012 WEB-INF/wsdl/
- 13635 Mon Jun 25 13:39:02 CEST 2012 WEB-INF/wsdl/ws-trust-1.4-service.wsdl
- 1054 Mon Jun 25 13:39:02 CEST 2012 WEB-INF/classes/stsKeystore.properties
- 3978 Mon Jun 25 13:39:02 CEST 2012 WEB-INF/classes/stsstore.jks</programlisting>
- </informalexample>
- <para>
- The
- <emphasis role="italics">jboss-web.xml</emphasis>
- descriptor is used to set the security domain to be used for authentication
(in this case the domain will need to be configured to allow
- <emphasis role="italics">alice</emphasis>
- /
- <emphasis role="italics">clarinet</emphasis>
- username/password couple):
- </para>
- <informalexample>
- <programlisting><?xml version="1.0"
encoding="UTF-8"?>
-<!DOCTYPE jboss-web PUBLIC "-//JBoss//DTD Web Application 2.4//EN"
"http://www.jboss.org/j2ee/dtd/jboss-web_4_0.dtd">
-<jboss-web>
-
<security-domain>java:/jaas/JBossWS-trust-sts</security-domain>
-</jboss-web></programlisting>
- </informalexample>
- <para>
- ... and the manifest contains the usual declaration of JBoss Application
Server 7 module dependencies (Apache CXF internals are needed here to build up the STS
configuration in
- <code>SampleSTS</code>
- constructor as shown above):
- </para>
- <informalexample>
- <programlisting>Manifest-Version: 1.0
-Ant-Version: Apache Ant 1.8.2
-Created-By: 1.6.0_26-b03 (Sun Microsystems Inc.)
-Dependencies: org.apache.ws.security,org.apache.cxf.impl</programlisting>
- </informalexample>
- <tip>
- <title>WS-MetadataExchange and interoperability</title>
+org.apache.ws.security.crypto.merlin.keystore.file=stsstore.jks
+</programlisting>
+ </informalexample>
+ </section>
+ <section id="sid-47972359_WS-TrustandSTS-MANIFEST.MFx">
+
+ <title>MANIFEST.MF</title>
<para>
- To achieve better interoperability, you might consider allowing the STS
endpoint to reply to WS-MetadataExchange messages directed to the
- <code>/mex</code>
- URL sub-path (e.g.
- <code>
+ When deployed on JBoss Application Server, this application requires
access to the JBossWs and CXF APIs provided in modules
org.jboss.ws.cxf.jbossws-cxf-client and org.apache.cxf. The Apache CXF internals,
org.apache.cxf.impl, are needed to build the STS configuration in the
+ <code>SampleSTS</code>
+ constructor. The dependency statement directs the server to provide them
at deployment.
+ </para>
+ <informalexample>
+ <programlisting>
+Manifest-Version: 1.0
+Ant-Version: Apache Ant 1.8.2
+Created-By: 1.7.0_25-b15 (Oracle Corporation)
+Dependencies: org.jboss.ws.cxf.jbossws-cxf-client,org.apache.cxf.impl
+</programlisting>
+ </informalexample>
+ </section>
+ <section id="sid-47972359_WS-TrustandSTS-SecurityDomain">
+
+ <title>Security Domain</title>
+ <para>
+ The
+ <emphasis role="italics">jboss-web.xml</emphasis>
+ descriptor is used to set the security domain to be used for
authentication. For this scenario the domain will need to contain user
+ <emphasis role="italics">alice,</emphasis>
+ password
+ <emphasis role="italics">clarinet,</emphasis>
+ and role
+ <emphasis role="italics">friend</emphasis>
+ . See the listings for jbossws-users.properties and
jbossws-roles.properties. In addition the JBoss Application Server needs to be
configured with the domain name, "JBossWS-trust-sts", and with the users and
roles properties files. See the directions in this
+ <ulink
url="http://middlewaremagic.com/jboss/?p=2049">article</u...
+ about configuring the security domain using the CLI.
+ </para>
+ <para>jboss-web.xml</para>
+ <informalexample>
+ <programlisting>
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE jboss-web PUBLIC "-//JBoss//DTD Web Application 2.4//EN"
">
+<jboss-web>
+
<security-domain>java:/jaas/JBossWS-trust-sts</security-domain>
+</jboss-web>
+</programlisting>
+ </informalexample>
+ <para>jbossws-users.properties</para>
+ <informalexample>
+ <programlisting>
+# A sample users.properties file for use with the UsersRolesLoginModule
+alice=clarinet
+</programlisting>
+ </informalexample>
+ <para>jbossws-roles.properties</para>
+ <informalexample>
+ <programlisting>
+# A sample roles.properties file for use with the UsersRolesLoginModule
+alice=friend
+</programlisting>
+ </informalexample>
+ <tip>
+ <title>WS-MetadataExchange and interoperability</title>
+ <para>
+ To achieve better interoperability, you might consider allowing the STS
endpoint to reply to WS-MetadataExchange messages directed to the
+ <code>/mex</code>
+ URL sub-path (e.g.
<ulink
url="http://localhost:8080/jaxws-samples-wsse-policy-trust-sts/SecurityTokenService/mex"/>
- </code>
- ). This can be done by tweaking the
- <emphasis role="italics">url-pattern</emphasis>
- for the underlying endpoint servlet, for instance by adding a
- <emphasis role="italics">web.xml</emphasis>
- descriptor as follows to the deployment:
+ ). This can be done by tweaking the
+ <emphasis role="italics">url-pattern</emphasis>
+ for the underlying endpoint servlet, for instance by adding a
+ <emphasis role="italics">web.xml</emphasis>
+ descriptor as follows to the deployment:<?xml
version="1.0" encoding="UTF-8"?>
+
+ <web-app
+
+ version="2.5"
xmlns="http://java.sun.com/xml/ns/javaee"
+
+
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+
+
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
+ <ulink
url="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"/>
+ ">
+
+ <servlet>
+
+
<servlet-name>TestSecurityTokenService</servlet-name>
+
+
<servlet-class>org.jboss.test.ws.jaxws.samples.wsse.policy.trust.SampleSTS</servlet-class>
+
+ </servlet>
+
+ <servlet-mapping>
+
+
<servlet-name>TestSecurityTokenService</servlet-name>
+
+
<url-pattern>/SecurityTokenService/*</url-pattern>
+
+ </servlet-mapping>
+
+ </web-app>
+
+ As a matter of fact, at the time of writing some webservices
implementations (including
+ <emphasis role="italics">Metro</emphasis>
+ ) assume the
+ <code>/mex</code>
+ URL as the default choice for directing WS-MetadataExchange requests to
and use that to retrieve STS wsdl contracts.
+ </para>
+ </tip>
+ </section>
+ </section>
+ <section id="sid-47972359_WS-TrustandSTS-Webservicerequester">
+
+ <title>Web service requester</title>
+ <para>This section examines the crucial elements in calling a web service
that implements endpoint security as described in the basic WS-Trust scenario. The
components that will be discussed are.</para>
+ <itemizedlist>
+ <listitem>
+ <para>web service requester's implementation</para>
+ </listitem>
+ <listitem>
+ <para>ClientCallbackHandler</para>
+ </listitem>
+ <listitem>
+ <para>Crypto properties and keystore files</para>
+ </listitem>
+ </itemizedlist>
+ <section
id="sid-47972359_WS-TrustandSTS-WebservicerequesterImplementation">
+
+ <title>Web service requester Implementation</title>
+ <para>
+ The ws-requester, the client, uses standard procedures for creating a
reference to the web service in the first four line. To address the endpoint security
requirements, the web service's "Request Context" is configured with the
information needed in message generation. In addition, the STSClient that communicates
with the STS is configured with similar values. Note the key strings ending with a
".it" suffix. This suffix flags these settings as belonging to the STSClient.
The internal CXF code assigns this information to the STSClient that is auto-generated
for this service call.
</para>
+ <para>There is an alternate method of setting up the STSCLient. The
user may provide their own instance of the STSClient. The CXF code will use this object
and not auto-generate one. This is used in the ActAs and OnBehalfOf examples. When
providing the STSClient in this way, the user must provide a org.apache.cxf.Bus for it
and the configuration keys must not have the ".it" suffix.</para>
<informalexample>
- <programlisting><?xml version="1.0"
encoding="UTF-8"?>
-<web-app
- version="2.5"
xmlns="http://java.sun.com/xml/ns/javaee"
-
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
- <servlet>
- <servlet-name>TestSecurityTokenService</servlet-name>
-
<servlet-class>org.jboss.test.ws.jaxws.samples.wsse.policy.trust.SampleSTS</servlet-class>
- </servlet>
- <servlet-mapping>
- <servlet-name>TestSecurityTokenService</servlet-name>
- <url-pattern>/SecurityTokenService/*</url-pattern>
- </servlet-mapping>
-</web-app></programlisting>
+ <programlisting>
+QName serviceName = new
QName("http://www.jboss.org/jbossws/ws-extensions/wssecuritypolicy",
"SecurityService");
+URL wsdlURL = new URL(serviceURL + "?wsdl");
+Service service = Service.create(wsdlURL, serviceName);
+ServiceIface proxy = (ServiceIface) service.getPort(ServiceIface.class);
+
+// set the security related configuration information for the service "request"
+Map<String, Object> ctx = ((BindingProvider) proxy).getRequestContext();
+ctx.put(SecurityConstants.CALLBACK_HANDLER, new ClientCallbackHandler());
+ctx.put(SecurityConstants.SIGNATURE_PROPERTIES,
+ Thread.currentThread().getContextClassLoader().getResource(
+ "META-INF/clientKeystore.properties"));
+ctx.put(SecurityConstants.ENCRYPT_PROPERTIES,
+ Thread.currentThread().getContextClassLoader().getResource(
+ "META-INF/clientKeystore.properties"));
+ctx.put(SecurityConstants.SIGNATURE_USERNAME, "myclientkey");
+ctx.put(SecurityConstants.ENCRYPT_USERNAME, "myservicekey");
+
+
+//-- Configuration settings that will be transfered to the STSClient
+// "alice" is the name provided for the WSS Username. Her password will
+// be retreived from the ClientCallbackHander by the STSClient.
+ctx.put(SecurityConstants.USERNAME + ".it", "alice");
+ctx.put(SecurityConstants.CALLBACK_HANDLER + ".it", new
ClientCallbackHandler());
+ctx.put(SecurityConstants.ENCRYPT_PROPERTIES + ".it",
+ Thread.currentThread().getContextClassLoader().getResource(
+ "META-INF/clientKeystore.properties"));
+ctx.put(SecurityConstants.ENCRYPT_USERNAME + ".it", "mystskey");
+// alias name in the keystore to get the user's public key to send to the STS
+ctx.put(SecurityConstants.STS_TOKEN_USERNAME + ".it", "myclientkey");
+// Crypto property configuration to use for the STS
+ctx.put(SecurityConstants.STS_TOKEN_PROPERTIES + ".it",
+ Thread.currentThread().getContextClassLoader().getResource(
+ "META-INF/clientKeystore.properties"));
+// write out an X509Certificate structure in UseKey/KeyInfo
+ctx.put(SecurityConstants.STS_TOKEN_USE_CERT_FOR_KEYINFO + ".it",
"true");
+// Setting indicates the STSclient should not try using the WS-MetadataExchange
+// call using STS EPR WSA address when the endpoint contract does not contain
+// WS-MetadataExchange info.
+ctx.put("ws-security.sts.disable-wsmex-call-using-epr-address",
"true");
+
+proxy.sayHello();
+</programlisting>
</informalexample>
+ </section>
+ <section
id="sid-47972359_WS-TrustandSTS-ClientCallbackHandler">
+
+ <title>ClientCallbackHandler</title>
+ <para>ClientCallbackHandler is a callback handler for the WSS4J Crypto
API. It is used to obtain the password for the private key in the keystore. This class
enables CXF to retrieve the password of the user name to use for the message signature.
Note that "alice" and her password have been provided here. This information
is not in the (JKS) keystore but provided in the JBoss Application Server security
domain. It was declared in file jbossws-users.properties.</para>
+ <informalexample>
+ <programlisting>
+package org.jboss.test.ws.jaxws.samples.wsse.policy.trust.shared;
+
+import java.io.IOException;
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.UnsupportedCallbackException;
+import org.apache.ws.security.WSPasswordCallback;
+
+public class ClientCallbackHandler implements CallbackHandler {
+
+ public void handle(Callback[] callbacks) throws IOException,
+ UnsupportedCallbackException {
+ for (int i = 0; i < callbacks.length; i++) {
+ if (callbacks[i] instanceof WSPasswordCallback) {
+ WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];
+ if ("myclientkey".equals(pc.getIdentifier())) {
+ pc.setPassword("ckpass");
+ break;
+ } else if ("alice".equals(pc.getIdentifier())) {
+ pc.setPassword("clarinet");
+ break;
+ }
+ }
+ }
+ }
+}
+</programlisting>
+ </informalexample>
+ </section>
+ <section
id="sid-47972359_WS-TrustandSTS-Cryptopropertiesandkeystorefilesxx">
+
+ <title>Crypto properties and keystore files</title>
<para>
- As a matter of fact, at the time of writing some webservices
implementations (including
- <emphasis role="italics">Metro</emphasis>
- ) assume the
- <code>/mex</code>
- URL as the default choice for directing WS-MetadataExchange requests to and
use that to retrieve STS wsdl contracts.
+ WSS4J's Crypto implementation is loaded and configured via a Java
properties file that contains Crypto configuration data. The file contains
implementation-specific properties such as a keystore location, password, default alias
and the like. This application is using the Merlin implementation. File
clientKeystore.properties contains this information.
+
</para>
- </tip>
+ <para>
+ File clientstore.jks, is a Java KeyStore (JKS) repository. It contains
self signed certificates for myservicekey and mystskey.
+ <emphasis role="italics">Self signed certificates are not
appropriate for production use.</emphasis>
+ </para>
+ <informalexample>
+ <programlisting>
+org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
+org.apache.ws.security.crypto.merlin.keystore.type=jks
+org.apache.ws.security.crypto.merlin.keystore.password=cspass
+org.apache.ws.security.crypto.merlin.keystore.alias=myclientkey
+org.apache.ws.security.crypto.merlin.keystore.file=META-INF/clientstore.jks
+</programlisting>
+ </informalexample>
+ </section>
</section>
<section id="sid-47972359_WS-TrustandSTS-PicketLinkSTS">
@@ -3365,13 +4237,10 @@
<ulink
url="http://www.jboss.org/picketlink">PicketLink</ulink>
provides facilities for building up an alternative to the Apache CXF Security
Token Service implementation.
</para>
- <para>
- Similarly to the previous implementation, the STS is served through a
- <code>WebServiceProvider</code>
- annotated POJO:
- </para>
+ <para>Similarly to the previous implementation, the STS is served through
a WebServiceProvider annotated POJO:</para>
<informalexample>
- <programlisting>package
org.jboss.test.ws.jaxws.samples.wsse.policy.trust;
+ <programlisting>
+ package org.jboss.test.ws.jaxws.samples.wsse.policy.trust;
import javax.annotation.Resource;
import javax.xml.ws.Service;
@@ -3388,18 +4257,21 @@
@ServiceMode(value = Service.Mode.MESSAGE)
//be sure to have dependency on org.apache.cxf module when on AS7, otherwise Apache CXF
annotations are ignored
@EndpointProperties(value = {
- @EndpointProperty(key = "ws-security.signature.username", value =
"mystskey"),
- @EndpointProperty(key = "ws-security.signature.properties", value =
"stsKeystore.properties"),
- @EndpointProperty(key = "ws-security.callback-handler", value =
"org.jboss.test.ws.jaxws.samples.wsse.policy.trust.STSCallbackHandler"),
- @EndpointProperty(key = "ws-security.validate.token", value =
"false") //to let the JAAS integration deal with validation through the
interceptor below
+@EndpointProperty(key = "ws-security.signature.username", value =
"mystskey"),
+@EndpointProperty(key = "ws-security.signature.properties", value =
"stsKeystore.properties"),
+@EndpointProperty(key = "ws-security.callback-handler", value =
"org.jboss.test.ws.jaxws.samples.wsse.policy.trust.STSCallbackHandler"),
+@EndpointProperty(key = "ws-security.validate.token", value =
"false") //to let the JAAS integration deal with validation through the
interceptor below
})
-@InInterceptors(interceptors =
{"org.jboss.wsf.stack.cxf.security.authentication.SubjectCreatingPolicyInterceptor"})
+@InInterceptors(interceptors =
+
+)
public class PicketLinkSTService extends PicketLinkSTS {
- @Resource
- public void setWSC(WebServiceContext wctx) {
- this.context = wctx;
- }
-}</programlisting>
+@Resource
+public void setWSC(WebServiceContext wctx)
+Unknown macro: { this.context = wctx; }
+
+}
+</programlisting>
</informalexample>
<para>
The
@@ -3409,237 +4281,244 @@
implementation:
</para>
<informalexample>
- <programlisting><?xml version="1.0"?>
+ <programlisting>
+<?xml version="1.0"?>
<wsdl:definitions name="PicketLinkSTS"
targetNamespace="urn:picketlink:identity-federation:sts"
- xmlns:tns="urn:picketlink:identity-federation:sts"
-
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
-
xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
-
xmlns:wsap10="http://www.w3.org/2006/05/addressing/wsdl"
-
xmlns:wsp="http://www.w3.org/ns/ws-policy"
-
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-w...
-
xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
-
xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/">
- <wsdl:types>
- <xs:schema elementFormDefault="qualified"
targetNamespace='http://docs.oasis-open.org/ws-sx/ws-trust/200512'
xmlns:xs="http://www.w3.org/2001/XMLSchema">
- <xs:element name='RequestSecurityToken'
type='wst:AbstractRequestSecurityTokenType' />
- <xs:element name='RequestSecurityTokenResponse'
type='wst:AbstractRequestSecurityTokenType' />
- <xs:complexType name='AbstractRequestSecurityTokenType' >
- <xs:sequence>
- <xs:any namespace='##any' processContents='lax'
minOccurs='0' maxOccurs='unbounded' />
- </xs:sequence>
- <xs:attribute name='Context' type='xs:anyURI'
use='optional' />
- <xs:anyAttribute namespace='##other' processContents='lax'
/>
- </xs:complexType>
- <xs:element name='RequestSecurityTokenCollection'
type='wst:RequestSecurityTokenCollectionType' />
- <xs:complexType name='RequestSecurityTokenCollectionType' >
- <xs:sequence>
- <xs:element name='RequestSecurityToken'
type='wst:AbstractRequestSecurityTokenType' minOccurs='2'
maxOccurs='unbounded'/>
- </xs:sequence>
- </xs:complexType>
- <xs:element name='RequestSecurityTokenResponseCollection'
type='wst:RequestSecurityTokenResponseCollectionType' />
- <xs:complexType name='RequestSecurityTokenResponseCollectionType'
>
- <xs:sequence>
- <xs:element ref='wst:RequestSecurityTokenResponse'
minOccurs='1' maxOccurs='unbounded' />
- </xs:sequence>
- <xs:anyAttribute namespace='##other' processContents='lax'
/>
- </xs:complexType>
- </xs:schema>
- </wsdl:types>
-
- <wsdl:message name="RequestSecurityTokenMsg">
- <wsdl:part name="request"
element="wst:RequestSecurityToken" />
- </wsdl:message>
- <wsdl:message
name="RequestSecurityTokenResponseCollectionMsg">
- <wsdl:part name="responseCollection"
- element="wst:RequestSecurityTokenResponseCollection"/>
- </wsdl:message>
-
- <wsdl:portType name="SecureTokenService">
- <wsdl:operation name="IssueToken">
- <wsdl:input
wsap10:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/...
message="tns:RequestSecurityTokenMsg"/>
- <wsdl:output
wsap10:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR...
message="tns:RequestSecurityTokenResponseCollectionMsg"/>
- </wsdl:operation>
- </wsdl:portType>
- <wsdl:binding name="STSBinding"
type="tns:SecureTokenService">
- <wsp:PolicyReference URI="#UT_policy" />
- <soap12:binding
transport="http://schemas.xmlsoap.org/soap/http"/>
- <wsdl:operation name="IssueToken">
- <soap12:operation
soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Iss...
style="document"/>
- <wsdl:input>
- <wsp:PolicyReference URI="#Input_policy" />
- <soap12:body use="literal"/>
- </wsdl:input>
- <wsdl:output>
- <wsp:PolicyReference URI="#Output_policy" />
- <soap12:body use="literal"/>
- </wsdl:output>
- </wsdl:operation>
- </wsdl:binding>
- <wsdl:service name="PicketLinkSTS">
- <wsdl:port name="PicketLinkSTSPort"
binding="tns:STSBinding">
- <soap12:address
location="http://localhost:8080/picketlink-sts/PicketLinkSTS"/>
- </wsdl:port>
- </wsdl:service>
-
- <wsp:Policy wsu:Id="UT_policy">
- <wsp:ExactlyOne>
- <wsp:All>
- <wsap10:UsingAddressing/>
- <sp:SymmetricBinding
-
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702&...
- <wsp:Policy>
- <sp:ProtectionToken>
- <wsp:Policy>
- <sp:X509Token
-
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/...
- <wsp:Policy>
- <sp:RequireDerivedKeys />
- <sp:RequireThumbprintReference />
- <sp:WssX509V3Token10 />
- </wsp:Policy>
- </sp:X509Token>
- </wsp:Policy>
- </sp:ProtectionToken>
- <sp:AlgorithmSuite>
- <wsp:Policy>
- <sp:Basic256 />
- </wsp:Policy>
- </sp:AlgorithmSuite>
- <sp:Layout>
- <wsp:Policy>
- <sp:Lax />
- </wsp:Policy>
- </sp:Layout>
- <sp:IncludeTimestamp />
- <sp:EncryptSignature />
- <sp:OnlySignEntireHeadersAndBody />
- </wsp:Policy>
- </sp:SymmetricBinding>
- <sp:SignedSupportingTokens
-
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702&...
- <wsp:Policy>
- <sp:UsernameToken
-
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/...
- <wsp:Policy>
- <sp:WssUsernameToken10 />
- </wsp:Policy>
- </sp:UsernameToken>
- </wsp:Policy>
- </sp:SignedSupportingTokens>
- <sp:Wss11
-
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702&...
- <wsp:Policy>
- <sp:MustSupportRefKeyIdentifier />
- <sp:MustSupportRefIssuerSerial />
- <sp:MustSupportRefThumbprint />
- <sp:MustSupportRefEncryptedKey />
- </wsp:Policy>
- </sp:Wss11>
- <sp:Trust13
-
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702&...
- <wsp:Policy>
- <sp:MustSupportIssuedTokens />
- <sp:RequireClientEntropy />
- <sp:RequireServerEntropy />
- </wsp:Policy>
- </sp:Trust13>
- </wsp:All>
- </wsp:ExactlyOne>
- </wsp:Policy>
-
- <wsp:Policy wsu:Id="Input_policy">
- <wsp:ExactlyOne>
- <wsp:All>
- <sp:SignedParts
-
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702&...
- <sp:Body />
- <sp:Header Name="To"
-
Namespace="http://www.w3.org/2005/08/addressing" />
- <sp:Header Name="From"
-
Namespace="http://www.w3.org/2005/08/addressing" />
- <sp:Header Name="FaultTo"
-
Namespace="http://www.w3.org/2005/08/addressing" />
- <sp:Header Name="ReplyTo"
-
Namespace="http://www.w3.org/2005/08/addressing" />
- <sp:Header Name="MessageID"
-
Namespace="http://www.w3.org/2005/08/addressing" />
- <sp:Header Name="RelatesTo"
-
Namespace="http://www.w3.org/2005/08/addressing" />
- <sp:Header Name="Action"
-
Namespace="http://www.w3.org/2005/08/addressing" />
- </sp:SignedParts>
- <sp:EncryptedParts
-
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702&...
- <sp:Body />
- </sp:EncryptedParts>
- </wsp:All>
- </wsp:ExactlyOne>
- </wsp:Policy>
-
- <wsp:Policy wsu:Id="Output_policy">
- <wsp:ExactlyOne>
- <wsp:All>
- <sp:SignedParts
-
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702&...
- <sp:Body />
- <sp:Header Name="To"
-
Namespace="http://www.w3.org/2005/08/addressing" />
- <sp:Header Name="From"
-
Namespace="http://www.w3.org/2005/08/addressing" />
- <sp:Header Name="FaultTo"
-
Namespace="http://www.w3.org/2005/08/addressing" />
- <sp:Header Name="ReplyTo"
-
Namespace="http://www.w3.org/2005/08/addressing" />
- <sp:Header Name="MessageID"
-
Namespace="http://www.w3.org/2005/08/addressing" />
- <sp:Header Name="RelatesTo"
-
Namespace="http://www.w3.org/2005/08/addressing" />
- <sp:Header Name="Action"
-
Namespace="http://www.w3.org/2005/08/addressing" />
- </sp:SignedParts>
- <sp:EncryptedParts
-
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702&...
- <sp:Body />
- </sp:EncryptedParts>
- </wsp:All>
- </wsp:ExactlyOne>
- </wsp:Policy>
-
-</wsdl:definitions></programlisting>
+ xmlns:tns="urn:picketlink:identity-federation:sts"
+
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
+
xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
+
xmlns:wsap10="http://www.w3.org/2006/05/addressing/wsdl"
+
xmlns:wsp="http://www.w3.org/ns/ws-policy"
+
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-w...
+
xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
+
xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/">
+ <wsdl:types>
+ <xs:schema elementFormDefault="qualified"
targetNamespace='http://docs.oasis-open.org/ws-sx/ws-trust/200512'
xmlns:xs="http://www.w3.org/2001/XMLSchema">
+ <xs:element name='RequestSecurityToken'
type='wst:AbstractRequestSecurityTokenType' />
+ <xs:element name='RequestSecurityTokenResponse'
type='wst:AbstractRequestSecurityTokenType' />
+ <xs:complexType name='AbstractRequestSecurityTokenType' >
+ <xs:sequence>
+ <xs:any namespace='##any' processContents='lax'
minOccurs='0' maxOccurs='unbounded' />
+ </xs:sequence>
+ <xs:attribute name='Context' type='xs:anyURI'
use='optional' />
+ <xs:anyAttribute namespace='##other' processContents='lax'
/>
+ </xs:complexType>
+ <xs:element name='RequestSecurityTokenCollection'
type='wst:RequestSecurityTokenCollectionType' />
+ <xs:complexType name='RequestSecurityTokenCollectionType' >
+ <xs:sequence>
+ <xs:element name='RequestSecurityToken'
type='wst:AbstractRequestSecurityTokenType' minOccurs='2'
maxOccurs='unbounded'/>
+ </xs:sequence>
+ </xs:complexType>
+ <xs:element name='RequestSecurityTokenResponseCollection'
type='wst:RequestSecurityTokenResponseCollectionType' />
+ <xs:complexType name='RequestSecurityTokenResponseCollectionType'
>
+ <xs:sequence>
+ <xs:element ref='wst:RequestSecurityTokenResponse'
minOccurs='1' maxOccurs='unbounded' />
+ </xs:sequence>
+ <xs:anyAttribute namespace='##other' processContents='lax'
/>
+ </xs:complexType>
+ </xs:schema>
+ </wsdl:types>
+
+ <wsdl:message name="RequestSecurityTokenMsg">
+ <wsdl:part name="request"
element="wst:RequestSecurityToken" />
+ </wsdl:message>
+ <wsdl:message
name="RequestSecurityTokenResponseCollectionMsg">
+ <wsdl:part name="responseCollection"
+ element="wst:RequestSecurityTokenResponseCollection"/>
+ </wsdl:message>
+
+ <wsdl:portType name="SecureTokenService">
+ <wsdl:operation name="IssueToken">
+ <wsdl:input
wsap10:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/...
message="tns:RequestSecurityTokenMsg"/>
+ <wsdl:output
wsap10:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR...
message="tns:RequestSecurityTokenResponseCollectionMsg"/>
+ </wsdl:operation>
+ </wsdl:portType>
+ <wsdl:binding name="STSBinding"
type="tns:SecureTokenService">
+ <wsp:PolicyReference URI="#UT_policy" />
+ <soap12:binding
transport="http://schemas.xmlsoap.org/soap/http"/>
+ <wsdl:operation name="IssueToken">
+ <soap12:operation
soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Iss...
style="document"/>
+ <wsdl:input>
+ <wsp:PolicyReference URI="#Input_policy" />
+ <soap12:body use="literal"/>
+ </wsdl:input>
+ <wsdl:output>
+ <wsp:PolicyReference URI="#Output_policy" />
+ <soap12:body use="literal"/>
+ </wsdl:output>
+ </wsdl:operation>
+ </wsdl:binding>
+ <wsdl:service name="PicketLinkSTS">
+ <wsdl:port name="PicketLinkSTSPort"
binding="tns:STSBinding">
+ <soap12:address
location="http://localhost:8080/picketlink-sts/PicketLinkSTS"/>
+ </wsdl:port>
+ </wsdl:service>
+
+ <wsp:Policy wsu:Id="UT_policy">
+ <wsp:ExactlyOne>
+ <wsp:All>
+ <wsap10:UsingAddressing/>
+ <sp:SymmetricBinding
+
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702&...
+ <wsp:Policy>
+ <sp:ProtectionToken>
+ <wsp:Policy>
+ <sp:X509Token
+
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/...
+ <wsp:Policy>
+ <sp:RequireDerivedKeys />
+ <sp:RequireThumbprintReference />
+ <sp:WssX509V3Token10 />
+ </wsp:Policy>
+ </sp:X509Token>
+ </wsp:Policy>
+ </sp:ProtectionToken>
+ <sp:AlgorithmSuite>
+ <wsp:Policy>
+ <sp:Basic256 />
+ </wsp:Policy>
+ </sp:AlgorithmSuite>
+ <sp:Layout>
+ <wsp:Policy>
+ <sp:Lax />
+ </wsp:Policy>
+ </sp:Layout>
+ <sp:IncludeTimestamp />
+ <sp:EncryptSignature />
+ <sp:OnlySignEntireHeadersAndBody />
+ </wsp:Policy>
+ </sp:SymmetricBinding>
+ <sp:SignedSupportingTokens
+
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702&...
+ <wsp:Policy>
+ <sp:UsernameToken
+
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/...
+ <wsp:Policy>
+ <sp:WssUsernameToken10 />
+ </wsp:Policy>
+ </sp:UsernameToken>
+ </wsp:Policy>
+ </sp:SignedSupportingTokens>
+ <sp:Wss11
+
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702&...
+ <wsp:Policy>
+ <sp:MustSupportRefKeyIdentifier />
+ <sp:MustSupportRefIssuerSerial />
+ <sp:MustSupportRefThumbprint />
+ <sp:MustSupportRefEncryptedKey />
+ </wsp:Policy>
+ </sp:Wss11>
+ <sp:Trust13
+
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702&...
+ <wsp:Policy>
+ <sp:MustSupportIssuedTokens />
+ <sp:RequireClientEntropy />
+ <sp:RequireServerEntropy />
+ </wsp:Policy>
+ </sp:Trust13>
+ </wsp:All>
+ </wsp:ExactlyOne>
+ </wsp:Policy>
+
+ <wsp:Policy wsu:Id="Input_policy">
+ <wsp:ExactlyOne>
+ <wsp:All>
+ <sp:SignedParts
+
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702&...
+ <sp:Body />
+ <sp:Header Name="To"
+
Namespace="http://www.w3.org/2005/08/addressing" />
+ <sp:Header Name="From"
+
Namespace="http://www.w3.org/2005/08/addressing" />
+ <sp:Header Name="FaultTo"
+
Namespace="http://www.w3.org/2005/08/addressing" />
+ <sp:Header Name="ReplyTo"
+
Namespace="http://www.w3.org/2005/08/addressing" />
+ <sp:Header Name="MessageID"
+
Namespace="http://www.w3.org/2005/08/addressing" />
+ <sp:Header Name="RelatesTo"
+
Namespace="http://www.w3.org/2005/08/addressing" />
+ <sp:Header Name="Action"
+
Namespace="http://www.w3.org/2005/08/addressing" />
+ </sp:SignedParts>
+ <sp:EncryptedParts
+
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702&...
+ <sp:Body />
+ </sp:EncryptedParts>
+ </wsp:All>
+ </wsp:ExactlyOne>
+ </wsp:Policy>
+
+ <wsp:Policy wsu:Id="Output_policy">
+ <wsp:ExactlyOne>
+ <wsp:All>
+ <sp:SignedParts
+
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702&...
+ <sp:Body />
+ <sp:Header Name="To"
+
Namespace="http://www.w3.org/2005/08/addressing" />
+ <sp:Header Name="From"
+
Namespace="http://www.w3.org/2005/08/addressing" />
+ <sp:Header Name="FaultTo"
+
Namespace="http://www.w3.org/2005/08/addressing" />
+ <sp:Header Name="ReplyTo"
+
Namespace="http://www.w3.org/2005/08/addressing" />
+ <sp:Header Name="MessageID"
+
Namespace="http://www.w3.org/2005/08/addressing" />
+ <sp:Header Name="RelatesTo"
+
Namespace="http://www.w3.org/2005/08/addressing" />
+ <sp:Header Name="Action"
+
Namespace="http://www.w3.org/2005/08/addressing" />
+ </sp:SignedParts>
+ <sp:EncryptedParts
+
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702&...
+ <sp:Body />
+ </sp:EncryptedParts>
+ </wsp:All>
+ </wsp:ExactlyOne>
+ </wsp:Policy>
+
+</wsdl:definitions>
+</programlisting>
</informalexample>
- <para>Differently from the Apache CXF STS example described above, the
PicketLink based STS gets its configuration from a picketlink-sts.xml descriptor which
must be added in WEB-INF into the deployment; please refer to the PicketLink documentation
for further information:</para>
+ <para>Differently from the Apache CXF STS example described above, the
PicketLink based STS gets its configuration from a picketlink-sts.xml descriptor which
must be added in WEB-INF into the deployment; please refer to the PicketLink
documentation for further information:</para>
<informalexample>
- <programlisting><PicketLinkSTS
xmlns="urn:picketlink:identity-federation:config:1.0"
- STSName="PicketLinkSTS" TokenTimeout="7200"
EncryptToken="false">
- <KeyProvider
ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager">
- <Auth Key="KeyStoreURL" Value="stsstore.jks"/>
- <Auth Key="KeyStorePass" Value="stsspass"/>
- <Auth Key="SigningKeyAlias" Value="mystskey"/>
- <Auth Key="SigningKeyPass" Value="stskpass"/>
- <ValidatingAlias
Key="http://localhost:8080/jaxws-samples-wsse-policy-trust/SecurityService"
Value="myservicekey"/>
- </KeyProvider>
- <TokenProviders>
- <TokenProvider
ProviderClass="org.picketlink.identity.federation.core.wstrust.plugins.saml.SAML11TokenProvider"
-
TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profi...
- TokenElement="Assertion"
- TokenElementNS="urn:oasis:names:tc:SAML:1.0:assertion"/>
- <TokenProvider
ProviderClass="org.picketlink.identity.federation.core.wstrust.plugins.saml.SAML20TokenProvider"
-
TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profi...
- TokenElement="Assertion"
- TokenElementNS="urn:oasis:names:tc:SAML:2.0:assertion"/>
- </TokenProviders>
-</PicketLinkSTS></programlisting>
+ <programlisting>
+<PicketLinkSTS xmlns="urn:picketlink:identity-federation:config:1.0"
+ STSName="PicketLinkSTS" TokenTimeout="7200"
EncryptToken="false">
+ <KeyProvider
ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager">
+ <Auth Key="KeyStoreURL" Value="stsstore.jks"/>
+ <Auth Key="KeyStorePass" Value="stsspass"/>
+ <Auth Key="SigningKeyAlias" Value="mystskey"/>
+ <Auth Key="SigningKeyPass" Value="stskpass"/>
+ <ValidatingAlias
Key="http://localhost:8080/jaxws-samples-wsse-policy-trust/SecurityService"
Value="myservicekey"/>
+ </KeyProvider>
+ <TokenProviders>
+ <TokenProvider
ProviderClass="org.picketlink.identity.federation.core.wstrust.plugins.saml.SAML11TokenProvider"
+
TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profi...
+ TokenElement="Assertion"
+ TokenElementNS="urn:oasis:names:tc:SAML:1.0:assertion"/>
+ <TokenProvider
ProviderClass="org.picketlink.identity.federation.core.wstrust.plugins.saml.SAML20TokenProvider"
+
TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profi...
+ TokenElement="Assertion"
+ TokenElementNS="urn:oasis:names:tc:SAML:2.0:assertion"/>
+ </TokenProviders>
+</PicketLinkSTS>
+</programlisting>
</informalexample>
- <para>Finally, the PicketLink alternative approach of course requires
different JBoss AS module dependencies to be declared in the MANIFEST.MF:</para>
+ <para>Finally, the PicketLink alternative approach of course requires
different JBoss AS module dependencies to be declared in the MANIFEST.MF:</para>
<informalexample>
- <programlisting>Manifest-Version: 1.0
+ <programlisting>
+Manifest-Version: 1.0
Ant-Version: Apache Ant 1.8.2
Created-By: 1.6.0_26-b03 (Sun Microsystems Inc.)
-Dependencies:
org.apache.ws.security,org.apache.cxf,org.picketlink</programlisting>
+Dependencies: org.apache.ws.security,org.apache.cxf,org.picketlink
+</programlisting>
</informalexample>
<para>Here is how the PicketLink STS endpoint is packaged:</para>
<informalexample>
- <programlisting>alessio@inuyasha /dati/jbossws/stack/cxf/trunk $ jar
-tvf
./modules/testsuite/cxf-tests/target/test-libs/jaxws-samples-wsse-policy-trustPicketLink-sts.war
+ <programlisting>
+alessio@inuyasha /dati/jbossws/stack/cxf/trunk $ jar -tvf
./modules/testsuite/cxf-tests/target/test-libs/jaxws-samples-wsse-policy-trustPicketLink-sts.war
0 Mon Sep 03 17:38:38 CEST 2012 META-INF/
174 Mon Sep 03 17:38:36 CEST 2012 META-INF/MANIFEST.MF
0 Mon Sep 03 17:38:38 CEST 2012 WEB-INF/
@@ -3660,9 +4539,1011 @@
9070 Mon Sep 03 17:38:34 CEST 2012 WEB-INF/wsdl/PicketLinkSTS.wsdl
1267 Mon Sep 03 17:38:34 CEST 2012 WEB-INF/classes/picketlink-sts.xml
1054 Mon Sep 03 16:35:50 CEST 2012 WEB-INF/classes/stsKeystore.properties
- 3978 Mon Sep 03 16:35:50 CEST 2012 WEB-INF/classes/stsstore.jks</programlisting>
+ 3978 Mon Sep 03 16:35:50 CEST 2012 WEB-INF/classes/stsstore.jks
+</programlisting>
</informalexample>
</section>
+ <section id="sid-47972359_WS-TrustandSTS-ActAsWSTrustScenario">
+
+ <title>ActAs WS-Trust Scenario</title>
+ <para>
+ The ActAs feature is used in scenarios that require composite delegation.
It is commonly used in multi-tiered systems where an application calls a service on
behalf of a logged in user or a service calls another service on behalf of the original
caller.
+
+ </para>
+ <para>
+ ActAs is nothing more than a new sub-element in the RequestSecurityToken
(RST). It provides additional information about the original caller when a token is
negotiated with the STS. The ActAs element usually takes the form of a token with
identity claims such as name, role, and authorization code, for the client to access the
service.
+
+ </para>
+ <para>
+ The ActAs scenario is an extension of
+ <link
linkend="sid-47972359_WS-TrustandSTS-ABasicWSTrustScenario">the basic
WS-Trust scenario</link>
+ . In this example the ActAs service calls the ws-service on behalf of a
user. There are only a couple of additions to the basic scenario's code. An ActAs
web service provider and callback handler have been added. The ActAs web services'
WSDL imposes the same security policies as the ws-provider. UsernameTokenCallbackHandler
is new. It is a utility that generates the content for the ActAs element. And lastly
there are a couple of code additions in the STS to support the ActAs request.
+ </para>
+ <section
id="sid-47972359_WS-TrustandSTS-ActAsWebserviceprovider">
+
+ <title>ActAs Web service provider</title>
+ <para>This section examines the web service elements from the basic
WS-Trust scenario that have been changed to address the needs of the ActAs example. The
components are</para>
+ <itemizedlist>
+ <listitem>
+ <para>ActAs web service provider's WSDL</para>
+ </listitem>
+ <listitem>
+ <para>ActAs web service provider's Interface and Implementation
classes.</para>
+ </listitem>
+ <listitem>
+ <para>ActAsCallbackHandler class</para>
+ </listitem>
+ <listitem>
+ <para>UsernameTokenCallbackHandler</para>
+ </listitem>
+ <listitem>
+ <para>Crypto properties and keystore files</para>
+ </listitem>
+ <listitem>
+ <para>MANIFEST.MF</para>
+ </listitem>
+ </itemizedlist>
+ </section>
+ <section
id="sid-47972359_WS-TrustandSTS-ActAsWebserviceproviderWSDL">
+
+ <title>ActAs Web service provider WSDL</title>
+ <para>The ActAs web service provider's WSDL is a clone of the
ws-provider's WSDL. The wsp:Policy section is the same. There are changes to the
service endpoint, targetNamespace, portType, binding name, and service.</para>
+ <informalexample>
+ <programlisting>
+<?xml version="1.0" encoding="UTF-8"
standalone="yes"?>
+<definitions
targetNamespace="http://www.jboss.org/jbossws/ws-extensions/actaswss...
name="ActAsService"
+
xmlns:tns="http://www.jboss.org/jbossws/ws-extensions/actaswssecurit...
+
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
+
xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
+
xmlns="http://schemas.xmlsoap.org/wsdl/"
+
xmlns:wsp="http://www.w3.org/ns/ws-policy"
+
xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata"
+
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-w...
+
xmlns:wsaws="http://www.w3.org/2005/08/addressing"
+
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702&...
+
xmlns:t="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
+ <types>
+ <xsd:schema>
+ <xsd:import
namespace="http://www.jboss.org/jbossws/ws-extensions/actaswssecurit...
+ schemaLocation="ActAsService_schema1.xsd"/>
+ </xsd:schema>
+ </types>
+ <message name="sayHello">
+ <part name="parameters"
element="tns:sayHello"/>
+ </message>
+ <message name="sayHelloResponse">
+ <part name="parameters"
element="tns:sayHelloResponse"/>
+ </message>
+ <portType name="ActAsServiceIface">
+ <operation name="sayHello">
+ <input message="tns:sayHello"/>
+ <output message="tns:sayHelloResponse"/>
+ </operation>
+ </portType>
+ <binding name="ActAsServicePortBinding"
type="tns:ActAsServiceIface">
+ <wsp:PolicyReference URI="#AsymmetricSAML2Policy" />
+ <soap:binding
transport="http://schemas.xmlsoap.org/soap/http"
style="document"/>
+ <operation name="sayHello">
+ <soap:operation soapAction=""/>
+ <input>
+ <soap:body use="literal"/>
+ <wsp:PolicyReference URI="#Input_Policy" />
+ </input>
+ <output>
+ <soap:body use="literal"/>
+ <wsp:PolicyReference URI="#Output_Policy" />
+ </output>
+ </operation>
+ </binding>
+ <service name="ActAsService">
+ <port name="ActAsServicePort"
binding="tns:ActAsServicePortBinding">
+ <soap:address
location="http://@jboss.bind.address@:8080/jaxws-samples-wsse-policy-trust-actas/ActAsService"/>
+ </port>
+ </service>
+
+</definitions>
+</programlisting>
+ </informalexample>
+ </section>
+ <section
id="sid-47972359_WS-TrustandSTS-ActAsWebServiceInterface">
+
+ <title>ActAs Web Service Interface</title>
+ <para>The web service provider interface class, ActAsServiceIface, is a
simple web service definition.</para>
+ <informalexample>
+ <programlisting>
+package org.jboss.test.ws.jaxws.samples.wsse.policy.trust.actas;
+
+import javax.jws.WebMethod;
+import javax.jws.WebService;
+
+@WebService
+(
+ targetNamespace =
"http://www.jboss.org/jbossws/ws-extensions/actaswssecuritypolicy"
+)
+public interface ActAsServiceIface
+{
+ @WebMethod
+ String sayHello();
+}
+</programlisting>
+ </informalexample>
+ </section>
+ <section
id="sid-47972359_WS-TrustandSTS-ActAsWebServiceImplementation">
+
+ <title>ActAs Web Service Implementation</title>
+ <para>
+ The web service provider implementation class, ActAsServiceImpl, is a
simple POJO. It uses the standard WebService annotation to define the service endpoint
and two Apache WSS4J annotations, EndpointProperties and EndpointProperty used for
configuring the endpoint for the CXF runtime. The WSS4J configuration information
provided is for WSS4J's Crypto Merlin implementation.
+
+ </para>
+ <para>ActAsServiceImpl is calling ServiceImpl acting on behalf of the
user. Method setupService performs the requisite configuration setup.</para>
+ <informalexample>
+ <programlisting>
+package org.jboss.test.ws.jaxws.samples.wsse.policy.trust.actas;
+
+import org.apache.cxf.Bus;
+import org.apache.cxf.BusFactory;
+import org.apache.cxf.annotations.EndpointProperties;
+import org.apache.cxf.annotations.EndpointProperty;
+import org.apache.cxf.ws.security.SecurityConstants;
+import org.apache.cxf.ws.security.trust.STSClient;
+import org.jboss.test.ws.jaxws.samples.wsse.policy.trust.service.ServiceIface;
+import org.jboss.test.ws.jaxws.samples.wsse.policy.trust.shared.WSTrustAppUtils;
+
+import javax.jws.WebService;
+import javax.xml.namespace.QName;
+import javax.xml.ws.BindingProvider;
+import javax.xml.ws.Service;
+import java.net.MalformedURLException;
+import java.net.URL;
+import java.util.Map;
+
+@WebService
+(
+ portName = "ActAsServicePort",
+ serviceName = "ActAsService",
+ wsdlLocation = "WEB-INF/wsdl/ActAsService.wsdl",
+ targetNamespace =
"http://www.jboss.org/jbossws/ws-extensions/actaswssecuritypolicy",
+ endpointInterface =
"org.jboss.test.ws.jaxws.samples.wsse.policy.trust.actas.ActAsServiceIface"
+)
+
+@EndpointProperties(value = {
+ @EndpointProperty(key = "ws-security.signature.username", value =
"myactaskey"),
+ @EndpointProperty(key = "ws-security.signature.properties", value =
"actasKeystore.properties"),
+ @EndpointProperty(key = "ws-security.encryption.properties", value =
"actasKeystore.properties"),
+ @EndpointProperty(key = "ws-security.callback-handler", value =
"org.jboss.test.ws.jaxws.samples.wsse.policy.trust.actas.ActAsCallbackHandler")
+})
+
+public class ActAsServiceImpl implements ActAsServiceIface
+{
+ public String sayHello() {
+ try {
+ ServiceIface proxy = setupService();
+ return "ActAs " + proxy.sayHello();
+ } catch (MalformedURLException e) {
+ e.printStackTrace();
+ }
+ return null;
+ }
+
+ private ServiceIface setupService()throws MalformedURLException {
+ ServiceIface proxy = null;
+ Bus bus = BusFactory.newInstance().createBus();
+
+ try {
+ BusFactory.setThreadDefaultBus(bus);
+
+ final String serviceURL = "http://" + WSTrustAppUtils.getServerHost()
+ ":8080/jaxws-samples-wsse-policy-trust/SecurityService";
+ final QName serviceName = new
QName("http://www.jboss.org/jbossws/ws-extensions/wssecuritypolicy",
"SecurityService");
+ final URL wsdlURL = new URL(serviceURL + "?wsdl");
+ Service service = Service.create(wsdlURL, serviceName);
+ proxy = (ServiceIface) service.getPort(ServiceIface.class);
+
+ Map<String, Object> ctx = ((BindingProvider)
proxy).getRequestContext();
+ ctx.put(SecurityConstants.CALLBACK_HANDLER, new ActAsCallbackHandler());
+
+ ctx.put(SecurityConstants.SIGNATURE_PROPERTIES,
+
Thread.currentThread().getContextClassLoader().getResource("actasKeystore.properties"
));
+ ctx.put(SecurityConstants.SIGNATURE_USERNAME, "myactaskey" );
+ ctx.put(SecurityConstants.ENCRYPT_PROPERTIES,
+
Thread.currentThread().getContextClassLoader().getResource("../../META-INF/clientKeystore.properties"
));
+ ctx.put(SecurityConstants.ENCRYPT_USERNAME, "myservicekey");
+
+ STSClient stsClient = new STSClient(bus);
+ Map<String, Object> props = stsClient.getProperties();
+ props.put(SecurityConstants.USERNAME, "alice");
+ props.put(SecurityConstants.ENCRYPT_USERNAME, "mystskey");
+ props.put(SecurityConstants.STS_TOKEN_USERNAME, "myactaskey" );
+ props.put(SecurityConstants.STS_TOKEN_PROPERTIES,
+
Thread.currentThread().getContextClassLoader().getResource("actasKeystore.properties"
));
+ props.put(SecurityConstants.STS_TOKEN_USE_CERT_FOR_KEYINFO, "true");
+
+ ctx.put(SecurityConstants.STS_CLIENT, stsClient);
+
+ } finally {
+ bus.shutdown(true);
+ }
+
+ return proxy;
+ }
+
+}
+</programlisting>
+ </informalexample>
+ </section>
+ <section
id="sid-47972359_WS-TrustandSTS-ActAsCallbackHandler">
+
+ <title>ActAsCallbackHandler</title>
+ <para>ActAsCallbackHandler is a callback handler for the WSS4J Crypto
API. It is used to obtain the password for the private key in the keystore. This class
enables CXF to retrieve the password of the user name to use for the message signature.
This class has been revised to return the passwords for this service, myactaskey and the
"actas" user, alice.</para>
+ <informalexample>
+ <programlisting>
+package org.jboss.test.ws.jaxws.samples.wsse.policy.trust.actas;
+
+import org.jboss.wsf.stack.cxf.extensions.security.PasswordCallbackHandler;
+import java.util.HashMap;
+import java.util.Map;
+
+public class ActAsCallbackHandler extends PasswordCallbackHandler {
+
+ public ActAsCallbackHandler()
+ {
+ super(getInitMap());
+ }
+
+ private static Map<String, String> getInitMap()
+ {
+ Map<String, String> passwords = new HashMap<String,
String>();
+ passwords.put("myactaskey", "aspass");
+ passwords.put("alice", "clarinet");
+ return passwords;
+ }
+}
+</programlisting>
+ </informalexample>
+ </section>
+ <section
id="sid-47972359_WS-TrustandSTS-UsernameTokenCallbackHandler">
+
+ <title>UsernameTokenCallbackHandler</title>
+ <para>
+ <emphasis role="color:#000000">The ActAs and OnBeholdOf
sub-elements of the RequestSecurityToken are required to be defined as WSSE Username
Tokens. This utility generates the properly formated element.</emphasis>
+ </para>
+ <informalexample>
+ <programlisting>
+package org.jboss.test.ws.jaxws.samples.wsse.policy.trust.shared;
+
+import org.apache.cxf.helpers.DOMUtils;
+import org.apache.cxf.message.Message;
+import org.apache.cxf.ws.security.SecurityConstants;
+import org.apache.cxf.ws.security.trust.delegation.DelegationCallback;
+import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.message.token.UsernameToken;
+import org.w3c.dom.Document;
+import org.w3c.dom.Node;
+import org.w3c.dom.Element;
+import org.w3c.dom.ls.DOMImplementationLS;
+import org.w3c.dom.ls.LSSerializer;
+
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.UnsupportedCallbackException;
+import java.io.IOException;
+import java.util.Map;
+
+/**
+* A utility to provide the 3 different input parameter types for jaxws property
+* "ws-security.sts.token.act-as" and
"ws-security.sts.token.on-behalf-of".
+* This implementation obtains a username and password via the jaxws property
+* "ws-security.username" and "ws-security.password" respectively, as
defined
+* in SecurityConstants. It creates a wss UsernameToken to be used as the
+* delegation token.
+*/
+
+public class UsernameTokenCallbackHandler implements CallbackHandler {
+
+ public void handle(Callback[] callbacks)
+ throws IOException, UnsupportedCallbackException {
+ for (int i = 0; i < callbacks.length; i++) {
+ if (callbacks[i] instanceof DelegationCallback) {
+ DelegationCallback callback = (DelegationCallback) callbacks[i];
+ Message message = callback.getCurrentMessage();
+
+ String username =
+ (String)message.getContextualProperty(SecurityConstants.USERNAME);
+ String password =
+ (String)message.getContextualProperty(SecurityConstants.PASSWORD);
+ if (username != null) {
+ Node contentNode = message.getContent(Node.class);
+ Document doc = null;
+ if (contentNode != null) {
+ doc = contentNode.getOwnerDocument();
+ } else {
+ doc = DOMUtils.createDocument();
+ }
+ UsernameToken usernameToken = createWSSEUsernameToken(username,password,
doc);
+ callback.setToken(usernameToken.getElement());
+ }
+ } else {
+ throw new UnsupportedCallbackException(callbacks[i], "Unrecognized
Callback");
+ }
+ }
+ }
+
+ /**
+ * Provide UsernameToken as a string.
+ * @param ctx
+ * @return
+ */
+ public String getUsernameTokenString(Map<String, Object> ctx){
+ Document doc = DOMUtils.createDocument();
+ String result = null;
+ String username = (String)ctx.get(SecurityConstants.USERNAME);
+ String password = (String)ctx.get(SecurityConstants.PASSWORD);
+ if (username != null) {
+ UsernameToken usernameToken = createWSSEUsernameToken(username,password, doc);
+ result = toString(usernameToken.getElement().getFirstChild().getParentNode());
+ }
+ return result;
+ }
+
+ /**
+ *
+ * @param username
+ * @param password
+ * @return
+ */
+ public String getUsernameTokenString(String username, String password){
+ Document doc = DOMUtils.createDocument();
+ String result = null;
+ if (username != null) {
+ UsernameToken usernameToken = createWSSEUsernameToken(username,password, doc);
+ result = toString(usernameToken.getElement().getFirstChild().getParentNode());
+ }
+ return result;
+ }
+
+ /**
+ * Provide UsernameToken as a DOM Element.
+ * @param ctx
+ * @return
+ */
+ public Element getUsernameTokenElement(Map<String, Object> ctx){
+ Document doc = DOMUtils.createDocument();
+ Element result = null;
+ UsernameToken usernameToken = null;
+ String username = (String)ctx.get(SecurityConstants.USERNAME);
+ String password = (String)ctx.get(SecurityConstants.PASSWORD);
+ if (username != null) {
+ usernameToken = createWSSEUsernameToken(username,password, doc);
+ result = usernameToken.getElement();
+ }
+ return result;
+ }
+
+ /**
+ *
+ * @param username
+ * @param password
+ * @return
+ */
+ public Element getUsernameTokenElement(String username, String password){
+ Document doc = DOMUtils.createDocument();
+ Element result = null;
+ UsernameToken usernameToken = null;
+ if (username != null) {
+ usernameToken = createWSSEUsernameToken(username,password, doc);
+ result = usernameToken.getElement();
+ }
+ return result;
+ }
+
+ private UsernameToken createWSSEUsernameToken(String username, String password,
Document doc) {
+
+ UsernameToken usernameToken = new UsernameToken(true, doc,
+ (password == null)? null: WSConstants.PASSWORD_TEXT);
+ usernameToken.setName(username);
+ usernameToken.addWSUNamespace();
+ usernameToken.addWSSENamespace();
+ usernameToken.setID("id-" + username);
+
+ if (password != null){
+ usernameToken.setPassword(password);
+ }
+
+ return usernameToken;
+ }
+
+
+ private String toString(Node node) {
+ String str = null;
+
+ if (node != null) {
+ DOMImplementationLS lsImpl = (DOMImplementationLS)
+ node.getOwnerDocument().getImplementation().getFeature("LS",
"3.0");
+ LSSerializer serializer = lsImpl.createLSSerializer();
+ serializer.getDomConfig().setParameter("xml-declaration", false); //by
default its true, so set it to false to get String without xml-declaration
+ str = serializer.writeToString(node);
+ }
+ return str;
+ }
+
+}
+</programlisting>
+ </informalexample>
+ </section>
+ <section
id="sid-47972359_WS-TrustandSTS-Cryptopropertiesandkeystorefilesxxx">
+
+ <title>Crypto properties and keystore files</title>
+ <para>
+ <emphasis role="color:#000000">The ActAs service must
provide its own credentials. The requisite properties file, actasKeystore.properties,
and keystore, actasstore.jks, were created.</emphasis>
+ </para>
+ <informalexample>
+ <programlisting>
+org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
+org.apache.ws.security.crypto.merlin.keystore.type=jks
+org.apache.ws.security.crypto.merlin.keystore.password=aapass
+org.apache.ws.security.crypto.merlin.keystore.alias=myactaskey
+org.apache.ws.security.crypto.merlin.keystore.file=actasstore.jks
+</programlisting>
+ </informalexample>
+ </section>
+ <section id="sid-47972359_WS-TrustandSTS-MANIFEST.MFxx">
+
+ <title>MANIFEST.MF</title>
+ <para>
+ <emphasis role="color:#000000">When deployed on JBoss
Application Server this application requires access to the JBossWs and CXF APIs provided
in modules org.jboss.ws.cxf.jbossws-cxf-client and org.apache.cxf. The Apache CXF
internals, org.apache.cxf.impl, are needed in handling the ActAs and OnBehalfOf
extensions. The dependency statement directs the server to provide them at
deployment.</emphasis>
+ </para>
+ <informalexample>
+ <programlisting>
+Manifest-Version: 1.0
+Ant-Version: Apache Ant 1.8.2
+Created-By: 1.7.0_25-b15 (Oracle Corporation)
+Dependencies: org.jboss.ws.cxf.jbossws-cxf-client, org.apache.cxf.impl
+</programlisting>
+ </informalexample>
+ </section>
+ </section>
+ <section
id="sid-47972359_WS-TrustandSTS-ActAsSecurityTokenService">
+
+ <title>ActAs Security Token Service</title>
+ <para>This section examines the STS elements from the basic WS-Trust
scenario that have been changed to address the needs of the ActAs example. The
components are.</para>
+ <itemizedlist>
+ <listitem>
+ <para>STS's implementation class.</para>
+ </listitem>
+ <listitem>
+ <para>STSCallbackHandler class</para>
+ </listitem>
+ </itemizedlist>
+ <section
id="sid-47972359_WS-TrustandSTS-STSImplementationclass">
+
+ <title>STS Implementation class</title>
+ <para>
+ The initial description of SampleSTS can be found
+ <link
linkend="sid-47972359_WS-TrustandSTS-STSImplementation">here</link>
+ .
+
+ </para>
+ <para>
+ The declaration of the set of allowed token recipients by address has
been extended to accept ActAs addresses and OnBehalfOf addresses. The addresses are
specified as reg-ex patterns.
+
+ </para>
+ <para>The TokenIssueOperation requires class, UsernameTokenValidator
be provided in order to validate the contents of the OnBehalfOf claims and class,
UsernameTokenDelegationHandler to be provided in order to process the token delegation
request of the ActAs on OnBehalfOf user.</para>
+ <informalexample>
+ <programlisting>
+ package org.jboss.test.ws.jaxws.samples.wsse.policy.trust.sts;
+
+import java.util.Arrays;
+import java.util.LinkedList;
+import java.util.List;
+
+import javax.xml.ws.WebServiceProvider;
+
+import org.apache.cxf.annotations.EndpointProperties;
+import org.apache.cxf.annotations.EndpointProperty;
+import org.apache.cxf.interceptor.InInterceptors;
+import org.apache.cxf.sts.StaticSTSProperties;
+import org.apache.cxf.sts.operation.TokenIssueOperation;
+import org.apache.cxf.sts.operation.TokenValidateOperation;
+import org.apache.cxf.sts.service.ServiceMBean;
+import org.apache.cxf.sts.service.StaticService;
+import org.apache.cxf.sts.token.delegation.UsernameTokenDelegationHandler;
+import org.apache.cxf.sts.token.provider.SAMLTokenProvider;
+import org.apache.cxf.sts.token.validator.SAMLTokenValidator;
+import org.apache.cxf.sts.token.validator.UsernameTokenValidator;
+import org.apache.cxf.ws.security.sts.provider.SecurityTokenServiceProvider;
+
+@WebServiceProvider(serviceName = "SecurityTokenService",
+ portName = "UT_Port",
+ targetNamespace = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/",
+ wsdlLocation = "WEB-INF/wsdl/ws-trust-1.4-service.wsdl")
+//be sure to have dependency on org.apache.cxf module when on AS7, otherwise Apache CXF
annotations are ignored
+@EndpointProperties(value = {
+ @EndpointProperty(key = "ws-security.signature.username", value =
"mystskey"),
+ @EndpointProperty(key = "ws-security.signature.properties", value =
"stsKeystore.properties"),
+ @EndpointProperty(key = "ws-security.callback-handler", value =
"org.jboss.test.ws.jaxws.samples.wsse.policy.trust.sts.STSCallbackHandler"),
+ @EndpointProperty(key = "ws-security.validate.token", value =
"false") //to let the JAAS integration deal with validation through the
interceptor below
+})
+@InInterceptors(interceptors =
{"org.jboss.wsf.stack.cxf.security.authentication.SubjectCreatingPolicyInterceptor"})
+public class SampleSTS extends SecurityTokenServiceProvider
+{
+ public SampleSTS() throws Exception
+ {
+ super();
+
+ StaticSTSProperties props = new StaticSTSProperties();
+ props.setSignatureCryptoProperties("stsKeystore.properties");
+ props.setSignatureUsername("mystskey");
+ props.setCallbackHandlerClass(STSCallbackHandler.class.getName());
+ props.setIssuer("DoubleItSTSIssuer");
+
+ List<ServiceMBean> services = new
LinkedList<ServiceMBean>();
+ StaticService service = new StaticService();
+ service.setEndpoints(Arrays.asList(
+
"http://localhost:(\\d)*/jaxws-samples-wsse-policy-trust/SecurityService",
+
"http://\\[::1\\]:(\\d)*/jaxws-samples-wsse-policy-trust/SecurityService",
+
"http://\\[0:0:0:0:0:0:0:1\\]:(\\d)*/jaxws-samples-wsse-policy-trust/SecurityService",
+
+
"http://localhost:(\\d)*/jaxws-samples-wsse-policy-trust-actas/ActAsService",
+
"http://\\[::1\\]:(\\d)*/jaxws-samples-wsse-policy-trust-actas/ActAsService",
+
"http://\\[0:0:0:0:0:0:0:1\\]:(\\d)*/jaxws-samples-wsse-policy-trust-actas/ActAsService",
+
+
"http://localhost:(\\d)*/jaxws-samples-wsse-policy-trust-onbehalfof/OnBehalfOfService",
+
"http://\\[::1\\]:(\\d)*/jaxws-samples-wsse-policy-trust-onbehalfof/OnBehalfOfService",
+
"http://\\[0:0:0:0:0:0:0:1\\]:(\\d)*/jaxws-samples-wsse-policy-trust-onbehalfof/OnBehalfOfService"
+ ));
+ services.add(service);
+
+ TokenIssueOperation issueOperation = new TokenIssueOperation();
+ issueOperation.setServices(services);
+ issueOperation.getTokenProviders().add(new SAMLTokenProvider());
+ // required for OnBehalfOf
+ issueOperation.getTokenValidators().add(new UsernameTokenValidator());
+ // added for OnBehalfOf and ActAs
+ issueOperation.getDelegationHandlers().add(new UsernameTokenDelegationHandler());
+ issueOperation.setStsProperties(props);
+
+ TokenValidateOperation validateOperation = new TokenValidateOperation();
+ validateOperation.getTokenValidators().add(new SAMLTokenValidator());
+ validateOperation.setStsProperties(props);
+
+ this.setIssueOperation(issueOperation);
+ this.setValidateOperation(validateOperation);
+ }
+}
+</programlisting>
+ </informalexample>
+ </section>
+ <section id="sid-47972359_WS-TrustandSTS-STSCallbackHandlerx">
+
+ <title>STSCallbackHandler</title>
+ <para>The user, alice, and corresponding password was required to be
added for the ActAs example.</para>
+ <informalexample>
+ <programlisting>
+package org.jboss.test.ws.jaxws.samples.wsse.policy.trust.sts;
+
+import java.util.HashMap;
+import java.util.Map;
+
+import org.jboss.wsf.stack.cxf.extensions.security.PasswordCallbackHandler;
+
+public class STSCallbackHandler extends PasswordCallbackHandler
+{
+ public STSCallbackHandler()
+ {
+ super(getInitMap());
+ }
+
+ private static Map<String, String> getInitMap()
+ {
+ Map<String, String> passwords = new HashMap<String,
String>();
+ passwords.put("mystskey", "stskpass");
+ passwords.put("alice", "clarinet");
+ return passwords;
+ }
+}
+</programlisting>
+ </informalexample>
+ </section>
+ </section>
+ <section
id="sid-47972359_WS-TrustandSTS-ActAsWebservicerequester">
+
+ <title>ActAs Web service requester</title>
+ <para>This section examines the ws-requester elements from the basic
WS-Trust scenario that have been changed to address the needs of the ActAs example. The
component is</para>
+ <itemizedlist>
+ <listitem>
+ <para>ActAs web service requester implementation class</para>
+ </listitem>
+ </itemizedlist>
+ <section
id="sid-47972359_WS-TrustandSTS-ActAsWebservicerequesterImplementation">
+
+ <title>ActAs Web service requester Implementation</title>
+ <para>The ActAs ws-requester, the client, uses standard procedures for
creating a reference to the web service in the first four lines. To address the endpoint
security requirements, the web service's "Request Context" is configured
via the BindingProvider. Information needed in the message generation is provided through
it. The ActAs user, myactaskey, is declared in this section and
UsernameTokenCallbackHandler is used to provide the contents of the ActAs element to the
STSClient. In this example a STSClient object is created and provided to the proxy's
request context. The alternative is to provide keys tagged with the ".it"
suffix as was done in [the Basic Scenario
client|../../../../../../../../../../../#WS-TrustandSTS-WebservicerequesterImplementation||||\||].
The use of ActAs is configured through the props map using the
SecurityConstants.STS_TOKEN_ACT_AS key. The alternative is to use the STSClient.setActAs
method.</para>
+ <informalexample>
+ <programlisting>
+ final QName serviceName = new
QName("http://www.jboss.org/jbossws/ws-extensions/actaswssecuritypol...;,
"ActAsService");
+final URL wsdlURL = new URL(serviceURL + "?wsdl");
+Service service = Service.create(wsdlURL, serviceName);
+ActAsServiceIface proxy = (ActAsServiceIface) service.getPort(ActAsServiceIface.class);
+
+Bus bus = BusFactory.newInstance().createBus();
+try {
+ BusFactory.setThreadDefaultBus(bus);
+
+ Map<String, Object> ctx = proxy.getRequestContext();
+
+ ctx.put(SecurityConstants.CALLBACK_HANDLER, new ClientCallbackHandler());
+ ctx.put(SecurityConstants.ENCRYPT_PROPERTIES,
+ Thread.currentThread().getContextClassLoader().getResource(
+ "META-INF/clientKeystore.properties"));
+ ctx.put(SecurityConstants.ENCRYPT_USERNAME, "myactaskey");
+ ctx.put(SecurityConstants.SIGNATURE_PROPERTIES,
+ Thread.currentThread().getContextClassLoader().getResource(
+ "META-INF/clientKeystore.properties"));
+ ctx.put(SecurityConstants.SIGNATURE_USERNAME, "myclientkey");
+
+ // Generate the ActAs element contents and pass to the STSClient as a string
+ UsernameTokenCallbackHandler ch = new UsernameTokenCallbackHandler();
+ String str = ch.getUsernameTokenString("myactaskey", null);
+ ctx.put(SecurityConstants.STS_TOKEN_ACT_AS, str);
+
+ STSClient stsClient = new STSClient(bus);
+ Map<String, Object> props = stsClient.getProperties();
+ props.put(SecurityConstants.USERNAME, "bob");
+ props.put(SecurityConstants.CALLBACK_HANDLER, new ClientCallbackHandler());
+ props.put(SecurityConstants.ENCRYPT_PROPERTIES,
+ Thread.currentThread().getContextClassLoader().getResource(
+ "META-INF/clientKeystore.properties"));
+ props.put(SecurityConstants.ENCRYPT_USERNAME, "mystskey");
+ props.put(SecurityConstants.STS_TOKEN_USERNAME, "myclientkey");
+ props.put(SecurityConstants.STS_TOKEN_PROPERTIES,
+ Thread.currentThread().getContextClassLoader().getResource(
+ "META-INF/clientKeystore.properties"));
+ props.put(SecurityConstants.STS_TOKEN_USE_CERT_FOR_KEYINFO, "true");
+
+ ctx.put(SecurityConstants.STS_CLIENT, stsClient);
+} finally {
+ bus.shutdown(true);
+}
+proxy.sayHello();
+</programlisting>
+ </informalexample>
+ </section>
+ </section>
+ <section
id="sid-47972359_WS-TrustandSTS-OnBehalfOfWSTrustScenario">
+
+ <title>OnBehalfOf WS-Trust Scenario</title>
+ <para>
+ The OnBehalfOf feature is used in scenarios that use the proxy pattern. In
such scenarios, the client cannot access the STS directly, instead it communicates
through a proxy gateway. The proxy gateway authenticates the caller and puts information
about the caller into the OnBehalfOf element of the RequestSecurityToken (RST) sent to
the real STS for processing. The resulting token contains only claims related to the
client of the proxy, making the proxy completely transparent to the receiver of the
issued token.
+
+ </para>
+ <para>
+ OnBehalfOf is nothing more than a new sub-element in the RST. It provides
additional information about the original caller when a token is negotiated with the STS.
The OnBehalfOf element usually takes the form of a token with identity claims such as
name, role, and authorization code, for the client to access the service.
+
+ </para>
+ <para>
+ The OnBehalfOf scenario is an extension of
+ <link
linkend="sid-47972359_WS-TrustandSTS-ABasicWSTrustScenario">the basic
WS-Trust scenario</link>
+ . In this example the OnBehalfOf service calls the ws-service on behalf of
a user. There are only a couple of additions to the basic scenario's code. An
OnBehalfOf web service provider and callback handler have been added. The OnBehalfOf web
services' WSDL imposes the same security policies as the ws-provider.
UsernameTokenCallbackHandler is a utility shared with ActAs. It generates the content
for the OnBehalfOf element. And lastly there are code additions in the STS that both
OnBehalfOf and ActAs share in common.
+
+ </para>
+ <para>
+ Infor here [
+ <ulink
url="http://coheigea.blogspot.it/2012/01/apache-cxf-251-sts-updates.html">Open
Source Security: Apache CXF 2.5.1 STS updates</ulink>
+ ]
+ </para>
+ <section
id="sid-47972359_WS-TrustandSTS-OnBehalfOfWebserviceprovider">
+
+ <title>OnBehalfOf Web service provider</title>
+ <para>This section examines the web service elements from the basic
WS-Trust scenario that have been changed to address the needs of the OnBehalfOf example.
The components are.</para>
+ <itemizedlist>
+ <listitem>
+ <para>OnBehalfOf web service provider's WSDL</para>
+ </listitem>
+ <listitem>
+ <para>OnBehalfOf web service provider's Interface and
Implementation classes.</para>
+ </listitem>
+ <listitem>
+ <para>OnBehalfOfCallbackHandler class</para>
+ </listitem>
+ </itemizedlist>
+ </section>
+ <section
id="sid-47972359_WS-TrustandSTS-OnBehalfOfWebserviceproviderWSDL">
+
+ <title>OnBehalfOf Web service provider WSDL</title>
+ <para>The OnBehalfOf web service provider's WSDL is a clone of the
ws-provider's WSDL. The wsp:Policy section is the same. There are changes to the
service endpoint, targetNamespace, portType, binding name, and service.</para>
+ <informalexample>
+ <programlisting>
+<?xml version="1.0" encoding="UTF-8"
standalone="yes"?>
+<definitions
targetNamespace="http://www.jboss.org/jbossws/ws-extensions/onbehalf...
name="OnBehalfOfService"
+
xmlns:tns="http://www.jboss.org/jbossws/ws-extensions/onbehalfofwsse...
+
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
+
xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
+
xmlns="http://schemas.xmlsoap.org/wsdl/"
+
xmlns:wsp="http://www.w3.org/ns/ws-policy"
+
xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata"
+
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-w...
+
xmlns:wsaws="http://www.w3.org/2005/08/addressing"
+
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702&...
+
xmlns:t="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
+ <types>
+ <xsd:schema>
+ <xsd:import
namespace="http://www.jboss.org/jbossws/ws-extensions/onbehalfofwsse...
+ schemaLocation="OnBehalfOfService_schema1.xsd"/>
+ </xsd:schema>
+ </types>
+ <message name="sayHello">
+ <part name="parameters"
element="tns:sayHello"/>
+ </message>
+ <message name="sayHelloResponse">
+ <part name="parameters"
element="tns:sayHelloResponse"/>
+ </message>
+ <portType name="OnBehalfOfServiceIface">
+ <operation name="sayHello">
+ <input message="tns:sayHello"/>
+ <output message="tns:sayHelloResponse"/>
+ </operation>
+ </portType>
+ <binding name="OnBehalfOfServicePortBinding"
type="tns:OnBehalfOfServiceIface">
+ <wsp:PolicyReference URI="#AsymmetricSAML2Policy" />
+ <soap:binding
transport="http://schemas.xmlsoap.org/soap/http"
style="document"/>
+ <operation name="sayHello">
+ <soap:operation soapAction=""/>
+ <input>
+ <soap:body use="literal"/>
+ <wsp:PolicyReference URI="#Input_Policy" />
+ </input>
+ <output>
+ <soap:body use="literal"/>
+ <wsp:PolicyReference URI="#Output_Policy" />
+ </output>
+ </operation>
+ </binding>
+ <service name="OnBehalfOfService">
+ <port name="OnBehalfOfServicePort"
binding="tns:OnBehalfOfServicePortBinding">
+ <soap:address
location="http://@jboss.bind.address@:8080/jaxws-samples-wsse-policy-trust-onbehalfof/OnBehalfOfService"/>
+ </port>
+ </service>
+</definitions>
+</programlisting>
+ </informalexample>
+ </section>
+ <section
id="sid-47972359_WS-TrustandSTS-OnBehalfOfWebServiceInterface">
+
+ <title>OnBehalfOf Web Service Interface</title>
+ <para>The web service provider interface class, OnBehalfOfServiceIface,
is a simple web service definition.</para>
+ <informalexample>
+ <programlisting>
+package org.jboss.test.ws.jaxws.samples.wsse.policy.trust.onbehalfof;
+
+import javax.jws.WebMethod;
+import javax.jws.WebService;
+
+@WebService
+(
+ targetNamespace =
"http://www.jboss.org/jbossws/ws-extensions/onbehalfofwssecuritypolicy"
+)
+public interface OnBehalfOfServiceIface
+{
+ @WebMethod
+ String sayHello();
+}
+</programlisting>
+ </informalexample>
+ </section>
+ <section
id="sid-47972359_WS-TrustandSTS-OnBehalfOfWebServiceImplementation">
+
+ <title>OnBehalfOf Web Service Implementation</title>
+ <para>The web service provider implementation class,
OnBehalfOfServiceImpl, is a simple POJO. It uses the standard WebService annotation to
define the service endpoint and two Apache WSS4J annotations, EndpointProperties and
EndpointProperty used for configuring the endpoint for the CXF runtime. The WSS4J
configuration information provided is for WSS4J's Crypto Merlin
implementation.</para>
+ <para>OnBehalfOfServiceImpl is calling the ServiceImpl acting on
behalf of the user. Method setupService performs the requisite configuration
setup.</para>
+ <informalexample>
+ <programlisting>
+package org.jboss.test.ws.jaxws.samples.wsse.policy.trust.onbehalfof;
+
+import org.apache.cxf.Bus;
+import org.apache.cxf.BusFactory;
+import org.apache.cxf.annotations.EndpointProperties;
+import org.apache.cxf.annotations.EndpointProperty;
+import org.apache.cxf.ws.security.SecurityConstants;
+import org.apache.cxf.ws.security.trust.STSClient;
+import org.jboss.test.ws.jaxws.samples.wsse.policy.trust.service.ServiceIface;
+import org.jboss.test.ws.jaxws.samples.wsse.policy.trust.shared.WSTrustAppUtils;
+
+import javax.jws.WebService;
+import javax.xml.namespace.QName;
+import javax.xml.ws.BindingProvider;
+import javax.xml.ws.Service;
+import java.net.*;
+import java.util.Map;
+
+@WebService
+(
+ portName = "OnBehalfOfServicePort",
+ serviceName = "OnBehalfOfService",
+ wsdlLocation = "WEB-INF/wsdl/OnBehalfOfService.wsdl",
+ targetNamespace =
"http://www.jboss.org/jbossws/ws-extensions/onbehalfofwssecuritypolicy",
+ endpointInterface =
"org.jboss.test.ws.jaxws.samples.wsse.policy.trust.onbehalfof.OnBehalfOfServiceIface"
+)
+
+@EndpointProperties(value = {
+ @EndpointProperty(key = "ws-security.signature.username", value =
"myactaskey"),
+ @EndpointProperty(key = "ws-security.signature.properties", value =
"actasKeystore.properties"),
+ @EndpointProperty(key = "ws-security.encryption.properties", value =
"actasKeystore.properties"),
+ @EndpointProperty(key = "ws-security.callback-handler", value =
"org.jboss.test.ws.jaxws.samples.wsse.policy.trust.onbehalfof.OnBehalfOfCallbackHandler")
+})
+
+public class OnBehalfOfServiceImpl implements OnBehalfOfServiceIface
+{
+ public String sayHello() {
+ try {
+
+ ServiceIface proxy = setupService();
+ return "OnBehalfOf " + proxy.sayHello();
+
+ } catch (MalformedURLException e) {
+ e.printStackTrace();
+ }
+ return null;
+ }
+
+ /**
+ *
+ * @return
+ * @throws MalformedURLException
+ */
+ private ServiceIface setupService()throws MalformedURLException {
+ ServiceIface proxy = null;
+ Bus bus = BusFactory.newInstance().createBus();
+
+ try {
+ BusFactory.setThreadDefaultBus(bus);
+
+ final String serviceURL = "http://" + WSTrustAppUtils.getServerHost()
+ ":8080/jaxws-samples-wsse-policy-trust/SecurityService";
+ final QName serviceName = new
QName("http://www.jboss.org/jbossws/ws-extensions/wssecuritypolicy",
"SecurityService");
+ final URL wsdlURL = new URL(serviceURL + "?wsdl");
+ Service service = Service.create(wsdlURL, serviceName);
+ proxy = (ServiceIface) service.getPort(ServiceIface.class);
+
+ Map<String, Object> ctx = ((BindingProvider)
proxy).getRequestContext();
+ ctx.put(SecurityConstants.CALLBACK_HANDLER, new OnBehalfOfCallbackHandler());
+
+ ctx.put(SecurityConstants.SIGNATURE_PROPERTIES,
+ Thread.currentThread().getContextClassLoader().getResource(
+ "actasKeystore.properties" ));
+ ctx.put(SecurityConstants.SIGNATURE_USERNAME, "myactaskey" );
+ ctx.put(SecurityConstants.ENCRYPT_PROPERTIES,
+ Thread.currentThread().getContextClassLoader().getResource(
+ "../../META-INF/clientKeystore.properties" ));
+ ctx.put(SecurityConstants.ENCRYPT_USERNAME, "myservicekey");
+
+ STSClient stsClient = new STSClient(bus);
+ Map<String, Object> props = stsClient.getProperties();
+ props.put(SecurityConstants.USERNAME, "bob");
+ props.put(SecurityConstants.ENCRYPT_USERNAME, "mystskey");
+ props.put(SecurityConstants.STS_TOKEN_USERNAME, "myactaskey" );
+ props.put(SecurityConstants.STS_TOKEN_PROPERTIES,
+ Thread.currentThread().getContextClassLoader().getResource(
+ "actasKeystore.properties" ));
+ props.put(SecurityConstants.STS_TOKEN_USE_CERT_FOR_KEYINFO, "true");
+
+ ctx.put(SecurityConstants.STS_CLIENT, stsClient);
+
+ } finally {
+ bus.shutdown(true);
+ }
+
+ return proxy;
+ }
+
+}
+</programlisting>
+ </informalexample>
+ </section>
+ <section
id="sid-47972359_WS-TrustandSTS-OnBehalfOfCallbackHandler">
+
+ <title>OnBehalfOfCallbackHandler</title>
+ <para>OnBehalfOfCallbackHandler is a callback handler for the WSS4J
Crypto API. It is used to obtain the password for the private key in the keystore.
This class enables CXF to retrieve the password of the user name to use for the message
signature. This class has been revised to return the passwords for this service,
myactaskey and the "OnBehalfOf" user, alice.</para>
+ <informalexample>
+ <programlisting>
+ package org.jboss.test.ws.jaxws.samples.wsse.policy.trust.onbehalfof;
+
+import org.jboss.wsf.stack.cxf.extensions.security.PasswordCallbackHandler;
+import java.util.HashMap;
+import java.util.Map;
+
+public class OnBehalfOfCallbackHandler extends PasswordCallbackHandler {
+
+ public OnBehalfOfCallbackHandler()
+ {
+ super(getInitMap());
+ }
+
+ private static Map<String, String> getInitMap()
+ {
+ Map<String, String> passwords = new HashMap<String,
String>();
+ passwords.put("myactaskey", "aspass");
+ passwords.put("alice", "clarinet");
+ passwords.put("bob", "trombone");
+ return passwords;
+ }
+
+}
+</programlisting>
+ </informalexample>
+ </section>
+ </section>
+ <section
id="sid-47972359_WS-TrustandSTS-OnBehalfOfWebservicerequester">
+
+ <title>OnBehalfOf Web service requester</title>
+ <para>This section examines the ws-requester elements from the basic
WS-Trust scenario that have been changed to address the needs of the OnBehalfOf example.
The component is</para>
+ <itemizedlist>
+ <listitem>
+ <para>OnBehalfOf web service requester implementation
class</para>
+ </listitem>
+ </itemizedlist>
+ <section
id="sid-47972359_WS-TrustandSTS-OnBehalfOfWebservicerequesterImplementation">
+
+ <title>OnBehalfOf Web service requester Implementation</title>
+ <para>
+ The OnBehalfOf ws-requester, the client, uses standard procedures for
creating a reference to the web service in the first four lines. To address the endpoint
security requirements, the web service's "Request Context" is configured via
the BindingProvider. Information needed in the message generation is provided through it.
The OnBehalfOf user, alice, is declared in this section and the callbackHandler,
UsernameTokenCallbackHandler is provided to the STSClient for generation of the contents
for the OnBehalfOf message element. In this example a STSClient object is created and
provided to the proxy's request context. The alternative is to provide keys tagged
with the ".it" suffix as was done in
+ <link
linkend="sid-47972359_WS-TrustandSTS-WebservicerequesterImplementation">the
Basic Scenario client</link>
+ . The use of OnBehalfOf is configured by the method call
stsClient.setOnBehalfOf. The alternative is to use the key
SecurityConstants.STS_TOKEN_ON_BEHALF_OF and a value in the props map.
+ </para>
+ <informalexample>
+ <programlisting>
+final QName serviceName = new
QName("http://www.jboss.org/jbossws/ws-extensions/onbehalfofwssecuri...;,
"OnBehalfOfService");
+final URL wsdlURL = new URL(serviceURL + "?wsdl");
+Service service = Service.create(wsdlURL, serviceName);
+OnBehalfOfServiceIface proxy = (OnBehalfOfServiceIface)
service.getPort(OnBehalfOfServiceIface.class);
+
+
+Bus bus = BusFactory.newInstance().createBus();
+try {
+
+ BusFactory.setThreadDefaultBus(bus);
+
+ Map<String, Object> ctx = proxy.getRequestContext();
+
+ ctx.put(SecurityConstants.CALLBACK_HANDLER, new ClientCallbackHandler());
+ ctx.put(SecurityConstants.ENCRYPT_PROPERTIES,
+ Thread.currentThread().getContextClassLoader().getResource(
+ "META-INF/clientKeystore.properties"));
+ ctx.put(SecurityConstants.ENCRYPT_USERNAME, "myactaskey");
+ ctx.put(SecurityConstants.SIGNATURE_PROPERTIES,
+ Thread.currentThread().getContextClassLoader().getResource(
+ "META-INF/clientKeystore.properties"));
+ ctx.put(SecurityConstants.SIGNATURE_USERNAME, "myclientkey");
+
+ // user and password OnBehalfOf user
+ // UsernameTokenCallbackHandler will extract this information when called
+ ctx.put(SecurityConstants.USERNAME,"alice");
+ ctx.put(SecurityConstants.PASSWORD, "clarinet");
+
+ STSClient stsClient = new STSClient(bus);
+
+ // Providing the STSClient the mechanism to create the claims contents for
OnBehalfOf
+ stsClient.setOnBehalfOf(new UsernameTokenCallbackHandler());
+
+ Map<String, Object> props = stsClient.getProperties();
+ props.put(SecurityConstants.CALLBACK_HANDLER, new ClientCallbackHandler());
+ props.put(SecurityConstants.ENCRYPT_PROPERTIES,
+ Thread.currentThread().getContextClassLoader().getResource(
+ "META-INF/clientKeystore.properties"));
+ props.put(SecurityConstants.ENCRYPT_USERNAME, "mystskey");
+ props.put(SecurityConstants.STS_TOKEN_USERNAME, "myclientkey");
+ props.put(SecurityConstants.STS_TOKEN_PROPERTIES,
+ Thread.currentThread().getContextClassLoader().getResource(
+ "META-INF/clientKeystore.properties"));
+ props.put(SecurityConstants.STS_TOKEN_USE_CERT_FOR_KEYINFO, "true");
+
+ ctx.put(SecurityConstants.STS_CLIENT, stsClient);
+
+} finally {
+ bus.shutdown(true);
+}
+proxy.sayHello();
+</programlisting>
+ </informalexample>
+ </section>
+ </section>
</section>
</section>
<section id="sid-3866797">