Open Source and SOA, ESB and Security-HeidCloud
Talend has donated an STS implementation to the Apache CXF community as posted already on this hereThis is the first part of a series of blogs on using WS-Federation Passive Requestor Profile to implement a Web and Web Services SSO solution from a web application to a target Web Service. The used technologies are CXF 2.5 (to be>
[*] Part I
Configure and deploy CXF STS using Claims
[*] Part II
Configure and deploy>
[*] Part III
Configure and deploy Tomcat>
[*] Part IV
Enhance Tomcat RP to call a target web services which delegates the>
[*] Part V
Interoperability testing with Microsoft Windows>
The STS in this part is configured to support the following functionality:
[*] STS WSDL is enriched with the WS-SecurityPolicy information
[*] STS issues a signed SAML 2.0 token
[*] STS is secured using HTTPS
[*] STS validates an incoming UsernameToken against a local file store
[*] STS adds claims information to the SAML token in an attribute statement
You can find a running maven project called services/sts here. 1. Username and password management
The users and passwords are configured in a spring configuration file in WEB-INF/passwords.xml. The XML file has the following structure:
The intention of this STS example is to illustrate how to set up an STS. If you have an LDAP directory in place or any other JAAS based LoginModule you can also plug in the WSS4J JAASUsernameTokenValidator.
2. Claims management
The claims for each user are configured in a spring configuration file also in WEB-INF/userClaims.xml. The XML file has the following structure:
The claim>
There is no standard URI for role. Therefore, I reuse Microsoft's role URI which is used by ADFS (Active Directory Federation Service) and Windows> The intention of this STS example is to illustrate how to set up an STS. If you have an LDAP directory in place you can configure the LdapClaimsHandler where you configure the mapping of the claim>
3. Project dependencies
The STS has the following dependencies in the Maven project.
2.5.2
org.apache.cxf
cxf-rt-transports-http
${cxf.version}
org.apache.cxf
cxf-rt-frontend-jaxws
${cxf.version}
org.apache.cxf
cxf-rt-ws-policy
${cxf.version}
org.apache.cxf.services.sts
cxf-services-sts-core
${cxf.version}
4. STS endpoint configuration
Setting up the STS involves several steps. The STS is configured using the spring framework. First step is to download Tomcat 7.
4.1 Configure HTTP/S connector in Tomcat
The HTTP connector should be configured with port 9080.
The HTTPS connector in Tomcat is configured in conf/server.xml. Deploy the tomcatkeystore.jks of the example projectto the Tomcat root directory if the Connector is configured as illustrated:
Update: Have a read through the following blog here which describes how to generate a keystore.
4.2 Configure the WS-SecurityPolicies of the STS endpoint
The following policies must be added to the WSDL. CXF provides other ways to correlate policies with a wsdl subject (port type, service, port, ...). I've chosen the simplest one where the policies are embedded into the wsdl for illustration purposes. The WSDL can be found in WEB-INF/wsdl/ws-trust-1.4-service.wsdl
The following policy defines a transport binding (https) and expects a UsernameToken be present in the WS-Security header. The UsernameToken must be signed which is implicitly supported by HTTPS:
4.3 Configure TokenProvider
This STS endpoint configuration only supports to issue SAML tokens (2.0 or 1.1). For a full list of the supported features by the STS check this blog.
The configuration>
The last bean claimsAttributeProvider is described in section 4.5
4.4 Configure Username/password authentication
As described in section 1. the user and passwords are managed in the file WEB-INF/passwords.xml.
To configure username/password authentication in CXF/WSS4J you must provide a CallbackHandler. The CallbackHandler is part of this example project.
The configuration is located in the following spring configuration file (cxf-transport.xml):
The bean upCallBackHandler implements the CallbackHandler which is configured as a jaxws property ws-security.callback-handler in jaxws:properties of the jaxws:endpoint configuration.
4.5 Configure ClaimsManager
Claims data can be stored in different kind of>
The claims>
The bean userClaims is defined in the imported spring configuration file userClaims.xml.
5. Deploy the STS to Tomcat
To deploy the STS using Maven you have to follow these steps:
[*] Configuring the following maven plugin
org.codehaus.mojo
tomcat-maven-plugin
1.1
myTomcat
http://localhost:9080/manager/text
/${project.build.finalName}
Add the server with username and password to your settings.xml
Ensure the user has the role "manager-script" as described here
Run mvn tomcat:redeploy
(I recommend to use redeploy as deploy works the first time only)
If you use Tomcat 6, you must change the url of the tomcat maven plugin: http://localhost:9080/manager
6. Test the STS with SoapUI
This is a sample request (called RST) to the STS:
alice
ecila
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer
http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue
https://localhost:8081/doubleit/services/doubleittransportsaml1claims
and this the expected response (called RSTR):
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
DoubleItSTSIssuer
YIHAnHYol0pOs1Mc4MWhgwTP540=
Mb3WfLefs0KziHe7NjhLUBsgfD2spr8M3HpqqhpO+yzIqMrw9eY1r7nFIh3nWeDOHY4odPBa0w06XDpzPGSzdmm9k/Ay+S6trtkgS/Hoi3sL8CGAmAHEPWSO4+td6MNrucdVhG9P+do6JflXDOppDroGh/YjvxpdosM55G2TbL0=
REMOVED
alice
https://localhost:8081/doubleit/services/doubleittransportsaml1claims
Alice
Smith
alice@mycompany.org
#_ACF774CE2C8F387D9413183197088603
_ACF774CE2C8F387D9413183197088603
https://localhost:8081/doubleit/services/doubleittransportsaml1claims
2011-10-11T07:55:08.872Z
2011-10-11T08:00:08.872Z
页:
[1]