[Experience sharing] Open Source and SOA, ESB and Security-HeidCloud

Posted on 2019-1-27 08:59:47
Talend has donated an STS implementation to the Apache CXF community, as already posted here.
  This is the first part of a series of blogs on using the WS-Federation Passive Requestor Profile to implement a Web and Web Services SSO solution from a web application to a target Web Service. The technologies used are CXF 2.5 (to be>

  •   Part I: Configure and deploy CXF STS using Claims
  •   Part II: Configure and deploy>
  •   Part III: Configure and deploy Tomcat>
  •   Part IV: Enhance Tomcat RP to call a target web service which delegates the>
  •   Part V: Interoperability testing with Microsoft Windows>
  The STS in this part is configured to support the following functionality:

  •   STS WSDL is enriched with the WS-SecurityPolicy information
  •   STS issues a signed SAML 2.0 token
  •   STS is secured using HTTPS
  •   STS validates an incoming UsernameToken against a local file store
  •   STS adds claims information to the SAML token in an attribute statement
You can find a running maven project called services/sts here.
  1. Username and password management
  The users and passwords are configured in a spring configuration file in WEB-INF/passwords.xml. The XML file has the following structure:
  The intention of this STS example is to illustrate how to set up an STS. If you have an LDAP directory or any other JAAS-based LoginModule in place, you can plug in the WSS4J JAASUsernameTokenValidator instead.
  2. Claims management
  The claims for each user are configured in a spring configuration file also in WEB-INF/userClaims.xml. The XML file has the following structure:

  The claim>
  There is no standard URI for role. Therefore, I reuse Microsoft's role URI, which is used by ADFS (Active Directory Federation Services) and Windows>
  The intention of this STS example is to illustrate how to set up an STS. If you have an LDAP directory in place, you can configure the LdapClaimsHandler, where you configure the mapping of the claim>
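As an added example of what the two files in sections 1 and 2 have to provide (my code, not the post's and not part of the CXF STS), here is a minimal file-backed UsernameToken validator and claims lookup in Python. The `<util:map>` layout assumed for passwords.xml and userClaims.xml is a guess, since the post's own XML did not survive; alice's name and e-mail values are taken from the RSTR in section 6, while the role value and the user bob are invented for the example.

```python
import hmac
import xml.etree.ElementTree as ET

BEANS = "http://www.springframework.org/schema/beans"
UTIL = "http://www.springframework.org/schema/util"

# Claim URIs: the WS-Identity claims dialect the STS example uses, plus the
# ADFS role URI the post reuses because there is no standard role URI.
IC = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
GIVENNAME, SURNAME, EMAIL = IC + "givenname", IC + "surname", IC + "emailaddress"
ROLE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

# Constructed stand-in for WEB-INF/passwords.xml (assumed <util:map> layout).
PASSWORDS_XML = f"""<beans xmlns="{BEANS}" xmlns:util="{UTIL}">
  <util:map id="passwords">
    <entry key="alice" value="ecila"/>
    <entry key="bob" value="bob"/>
  </util:map>
</beans>"""

# Constructed stand-in for WEB-INF/userClaims.xml (same assumption). Alice's
# name and e-mail match the RSTR in section 6; the role value is invented.
USER_CLAIMS_XML = f"""<beans xmlns="{BEANS}" xmlns:util="{UTIL}">
  <util:map id="userClaims">
    <entry key="alice">
      <map>
        <entry key="{GIVENNAME}" value="Alice"/>
        <entry key="{SURNAME}" value="Smith"/>
        <entry key="{EMAIL}" value="alice@mycompany.org"/>
        <entry key="{ROLE}" value="User"/>
      </map>
    </entry>
  </util:map>
</beans>"""


def _entries(map_elem):
    """Flatten a Spring <map>: <entry key value/> or <entry key><map>..</map></entry>."""
    out = {}
    for entry in map_elem.findall(f"{{{BEANS}}}entry"):
        nested = entry.find(f"{{{BEANS}}}map")
        out[entry.get("key")] = _entries(nested) if nested is not None else entry.get("value")
    return out


def load_spring_map(xml_text, map_id):
    """Return the <util:map id=...> of a Spring XML file as a plain dict."""
    root = ET.fromstring(xml_text)
    for m in root.iter(f"{{{UTIL}}}map"):
        if m.get("id") == map_id:
            return _entries(m)
    raise KeyError(f"no util:map with id {map_id!r}")


PASSWORDS = load_spring_map(PASSWORDS_XML, "passwords")
USER_CLAIMS = load_spring_map(USER_CLAIMS_XML, "userClaims")


def validate_username_token(username, password, passwords=PASSWORDS):
    """The decision a UsernameToken validator backed by passwords.xml makes for
    a PasswordText token. Constant-time compare; unknown users get a dummy
    comparison so response time does not reveal which usernames exist."""
    expected = passwords.get(username)
    if expected is None:
        hmac.compare_digest(b"\0" * 32, password.encode("utf-8"))
        return False
    return hmac.compare_digest(expected.encode("utf-8"), password.encode("utf-8"))


def claims_for(username, requested, user_claims=USER_CLAIMS):
    """Resolve requested claims the way a ClaimsHandler backed by userClaims.xml
    would. `requested` holds (claim_uri, optional) pairs, mirroring
    ic:ClaimType Uri="..." Optional="true|false" in the RST. A missing required
    claim fails the request; a missing optional claim is simply left out."""
    available = user_claims.get(username, {})
    issued = {}
    for uri, optional in requested:
        if uri in available:
            issued[uri] = available[uri]
        elif not optional:
            raise LookupError(f"required claim {uri} not available for {username}")
    return issued


def issue(username, password, requested):
    """Authenticate, then gather the claims for the attribute statement.
    Returns None when the UsernameToken is rejected."""
    if not validate_username_token(username, password):
        return None
    return {"subject": username, "claims": claims_for(username, requested)}
```

The store holds cleartext passwords, exactly as the demo's passwords.xml does; that is acceptable for illustrating the STS but nothing else, which is why the post points at the JAAS and LDAP routes for a real deployment.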
  3. Project dependencies
  The STS has the following dependencies in the Maven project.
  <cxf.version>2.5.2</cxf.version>

  <dependency>
    <groupId>org.apache.cxf</groupId>
    <artifactId>cxf-rt-transports-http</artifactId>
    <version>${cxf.version}</version>
  </dependency>
  <dependency>
    <groupId>org.apache.cxf</groupId>
    <artifactId>cxf-rt-frontend-jaxws</artifactId>
    <version>${cxf.version}</version>
  </dependency>
  <dependency>
    <groupId>org.apache.cxf</groupId>
    <artifactId>cxf-rt-ws-policy</artifactId>
    <version>${cxf.version}</version>
  </dependency>
  <dependency>
    <groupId>org.apache.cxf.services.sts</groupId>
    <artifactId>cxf-services-sts-core</artifactId>
    <version>${cxf.version}</version>
  </dependency>
  4. STS endpoint configuration
  Setting up the STS involves several steps. The STS is configured using the Spring framework. The first step is to download Tomcat 7.
  4.1 Configure HTTP/S connector in Tomcat
  The HTTP connector should be configured with port 9080.
  The HTTPS connector in Tomcat is configured in conf/server.xml. Copy the tomcatkeystore.jks of the example project to the Tomcat root directory if the Connector is configured as illustrated:

  Update: Have a read through the following blog here, which describes how to generate a keystore. Do that for anything beyond a local demo: the example keystore and its private key are published with the project, so anyone holding it can impersonate the STS endpoint over TLS.
  4.2 Configure the WS-SecurityPolicies of the STS endpoint
  The following policies must be added to the WSDL. CXF provides other ways to attach policies to a WSDL subject (port type, service, port, ...). I've chosen the simplest one, embedding the policies in the WSDL, for illustration purposes. The WSDL can be found in WEB-INF/wsdl/ws-trust-1.4-service.wsdl.
  The following policy defines a transport binding (HTTPS) and expects a UsernameToken to be present in the WS-Security header. The UsernameToken must be signed, a requirement that HTTPS satisfies implicitly:
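An added check, in Python and not taken from the post or from CXF, that the policy embedded in the STS WSDL really demands what section 4.2 describes. Both policy fragments are constructed for the example: the first follows the description above (HTTPS transport binding, UsernameToken as a signed supporting token), the second is the edit the check is meant to catch, a UsernameToken with no TransportBinding at all, which would let the password cross the plain HTTP connector on port 9080.

```python
import xml.etree.ElementTree as ET

SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
NS = {"sp": SP, "wsp": WSP}
ALWAYS_TO_RECIPIENT = SP + "/IncludeToken/AlwaysToRecipient"

# Constructed policy following the description in 4.2 (not the post's WSDL):
# HTTPS transport binding plus a UsernameToken as signed supporting token, the
# signing requirement being met by the transport.
TRANSPORT_UT_POLICY = f"""<wsp:Policy xmlns:wsp="{WSP}" xmlns:sp="{SP}">
  <wsp:ExactlyOne><wsp:All>
    <sp:TransportBinding><wsp:Policy>
      <sp:TransportToken><wsp:Policy>
        <sp:HttpsToken><wsp:Policy/></sp:HttpsToken>
      </wsp:Policy></sp:TransportToken>
      <sp:AlgorithmSuite><wsp:Policy><sp:Basic256/></wsp:Policy></sp:AlgorithmSuite>
      <sp:Layout><wsp:Policy><sp:Lax/></wsp:Policy></sp:Layout>
      <sp:IncludeTimestamp/>
    </wsp:Policy></sp:TransportBinding>
    <sp:SignedSupportingTokens><wsp:Policy>
      <sp:UsernameToken sp:IncludeToken="{ALWAYS_TO_RECIPIENT}">
        <wsp:Policy><sp:WssUsernameToken10/></wsp:Policy>
      </sp:UsernameToken>
    </wsp:Policy></sp:SignedSupportingTokens>
  </wsp:All></wsp:ExactlyOne>
</wsp:Policy>"""

# Constructed weak variant: the TransportBinding was dropped, so CXF would accept
# the UsernameToken (with its PasswordText) over the plain HTTP connector too.
NO_TRANSPORT_POLICY = f"""<wsp:Policy xmlns:wsp="{WSP}" xmlns:sp="{SP}">
  <wsp:ExactlyOne><wsp:All>
    <sp:SupportingTokens><wsp:Policy>
      <sp:UsernameToken sp:IncludeToken="{ALWAYS_TO_RECIPIENT}">
        <wsp:Policy><sp:WssUsernameToken10/></wsp:Policy>
      </sp:UsernameToken>
    </wsp:Policy></sp:SupportingTokens>
  </wsp:All></wsp:ExactlyOne>
</wsp:Policy>"""


def audit_sts_policy(policy_xml):
    """List deviations from 'HTTPS transport binding + signed UsernameToken'.
    An empty list means the policy demands what section 4.2 describes."""
    root = ET.fromstring(policy_xml)
    findings = []
    binding = root.find(".//sp:TransportBinding", NS)
    if binding is None:
        findings.append("no TransportBinding: the endpoint is not bound to HTTPS")
    elif binding.find(".//sp:TransportToken//sp:HttpsToken", NS) is None:
        findings.append("TransportBinding without HttpsToken")
    ut = root.find(".//sp:SignedSupportingTokens//sp:UsernameToken", NS)
    if ut is None:
        ut = root.find(".//sp:SupportingTokens//sp:UsernameToken", NS)
        if ut is not None:
            findings.append("UsernameToken is a plain SupportingToken, not a SignedSupportingToken")
    if ut is None:
        findings.append("no UsernameToken required: callers would not be authenticated")
    elif ut.get(f"{{{SP}}}IncludeToken") != ALWAYS_TO_RECIPIENT:
        findings.append("UsernameToken is not required in the request (IncludeToken)")
    return findings
```

Run audit_sts_policy over every wsp:Policy the STS binding references after each edit of the WSDL: CXF enforces exactly what the policy says, so a dropped TransportBinding relaxes the endpoint without any deployment error.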
  4.3 Configure TokenProvider
  This STS endpoint configuration only supports issuing SAML tokens (2.0 or 1.1). For a full list of the features supported by the STS, check this blog.

  The configuration>
  The last bean, claimsAttributeProvider, is described in section 4.5.
  4.4 Configure Username/password authentication
  As described in section 1, the users and passwords are managed in the file WEB-INF/passwords.xml.
  To configure username/password authentication in CXF/WSS4J you must provide a CallbackHandler. The CallbackHandler is part of this example project.
  The configuration is located in the following spring configuration file (cxf-transport.xml):
  The bean upCallBackHandler implements the CallbackHandler which is configured as a jaxws property ws-security.callback-handler in jaxws:properties of the jaxws:endpoint configuration.
  4.5 Configure ClaimsManager

  Claims data can be stored in different kinds of>
  The claims>      
  The bean userClaims is defined in the imported spring configuration file userClaims.xml.
  5. Deploy the STS to Tomcat
  To deploy the STS using Maven you have to follow these steps:

  •   Configure the following maven plugin in the pom.xml:
      <plugin>
        <groupId>org.codehaus.mojo</groupId>
        <artifactId>tomcat-maven-plugin</artifactId>
        <version>1.1</version>
        <configuration>
          <server>myTomcat</server>
          <url>http://localhost:9080/manager/text</url>
          <path>/${project.build.finalName}</path>
        </configuration>
      </plugin>
  •   Add the server myTomcat with username and password to your settings.xml
  •   Ensure the user has the role "manager-script" as described here
  •   Run mvn tomcat:redeploy (I recommend redeploy, as deploy works the first time only)
  If you use Tomcat 6, you must change the url of the tomcat maven plugin to http://localhost:9080/manager
  Note that this manager url is plain HTTP, so the manager credentials from settings.xml cross the wire in the clear (the manager application uses HTTP Basic authentication); keep the 9080 connector reachable from localhost only, or point the url at the HTTPS connector.
  6. Test the STS with SoapUI
  This is a sample request (called RST) to the STS (markup not preserved; the values it carries are):
  •   WS-Security header: UsernameToken with Username alice and Password ecila
  •   TokenType: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
  •   KeyType: http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer
  •   RequestType: http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue
  •   AppliesTo: https://localhost:8081/doubleit/services/doubleittransportsaml1claims
  and this is the expected response (called RSTR), again with only its values preserved:
  •   TokenType: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
  •   Issuer: DoubleItSTSIssuer
  •   Signature: DigestValue YIHAnHYol0pOs1Mc4MWhgwTP540=, SignatureValue Mb3WfLefs0KziHe7NjhLUBsgfD2spr8M3HpqqhpO+yzIqMrw9eY1r7nFIh3nWeDOHY4odPBa0w06XDpzPGSzdmm9k/Ay+S6trtkgS/Hoi3sL8CGAmAHEPWSO4+td6MNrucdVhG9P+do6JflXDOppDroGh/YjvxpdosM55G2TbL0=, X509 certificate: REMOVED
  •   Subject NameID: alice
  •   Audience: https://localhost:8081/doubleit/services/doubleittransportsaml1claims
  •   Attribute statement values: Alice, Smith, alice@mycompany.org
  •   Token references to the assertion: #_ACF774CE2C8F387D9413183197088603 and _ACF774CE2C8F387D9413183197088603
  •   AppliesTo: https://localhost:8081/doubleit/services/doubleittransportsaml1claims
  •   Lifetime: Created 2011-10-11T07:55:08.872Z, Expires 2011-10-11T08:00:08.872Z
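An added example, in Python and not part of the post, of what the relying party at the AppliesTo endpoint should check in the RSTR before using any attribute from it. The RSTR below is constructed to match the values of the response above (issuer, subject, audience, attribute values, lifetime); its signature is a placeholder. XML-DSig verification needs an XML signature library and is deliberately not reimplemented here, so the function only refuses assertions that carry no Signature at all and leaves the cryptographic check to that library.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "wst": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
}
SAML2_TOKEN_TYPE = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
BEARER_METHOD = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
IC = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
APPLIES_TO = "https://localhost:8081/doubleit/services/doubleittransportsaml1claims"

# Constructed RSTR modelled on the response above: same issuer, subject, audience,
# attribute values and lifetime. The signature is a placeholder, not a real one.
RSTR_SAMPLE = f"""<wst:RequestSecurityTokenResponseCollection xmlns:wst="{NS['wst']}" xmlns:wsu="{NS['wsu']}">
 <wst:RequestSecurityTokenResponse>
  <wst:TokenType>{SAML2_TOKEN_TYPE}</wst:TokenType>
  <wst:RequestedSecurityToken>
   <saml2:Assertion xmlns:saml2="{NS['saml2']}" xmlns:ds="{NS['ds']}" Version="2.0"
       ID="_ACF774CE2C8F387D9413183197088603" IssueInstant="2011-10-11T07:55:08.872Z">
    <saml2:Issuer>DoubleItSTSIssuer</saml2:Issuer>
    <ds:Signature><ds:SignatureValue>REMOVED</ds:SignatureValue></ds:Signature>
    <saml2:Subject>
     <saml2:NameID>alice</saml2:NameID>
     <saml2:SubjectConfirmation Method="{BEARER_METHOD}"/>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2011-10-11T07:55:08.872Z" NotOnOrAfter="2011-10-11T08:00:08.872Z">
     <saml2:AudienceRestriction><saml2:Audience>{APPLIES_TO}</saml2:Audience></saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AttributeStatement>
     <saml2:Attribute Name="{IC}givenname"><saml2:AttributeValue>Alice</saml2:AttributeValue></saml2:Attribute>
     <saml2:Attribute Name="{IC}surname"><saml2:AttributeValue>Smith</saml2:AttributeValue></saml2:Attribute>
     <saml2:Attribute Name="{IC}emailaddress"><saml2:AttributeValue>alice@mycompany.org</saml2:AttributeValue></saml2:Attribute>
    </saml2:AttributeStatement>
   </saml2:Assertion>
  </wst:RequestedSecurityToken>
  <wst:Lifetime>
   <wsu:Created>2011-10-11T07:55:08.872Z</wsu:Created>
   <wsu:Expires>2011-10-11T08:00:08.872Z</wsu:Expires>
  </wst:Lifetime>
 </wst:RequestSecurityTokenResponse>
</wst:RequestSecurityTokenResponseCollection>"""


def parse_timestamp(value):
    """Parse an xs:dateTime in UTC, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError(f"unsupported timestamp {value!r}")


def check_rstr(rstr_xml, expected_audience, expected_issuer, now, skew=timedelta(seconds=60)):
    """Relying-party checks on an RSTR before any claim in it is trusted.
    Returns (problems, attributes); an empty problems list means accept.
    Signature verification is left to an XML-DSig library run against the STS
    certificate; here an assertion without any Signature is merely refused."""
    root = ET.fromstring(rstr_xml)  # parse untrusted responses with defusedxml instead
    problems = []
    if root.findtext(".//wst:TokenType", namespaces=NS) != SAML2_TOKEN_TYPE:
        problems.append("unexpected token type")
    assertion = root.find(".//wst:RequestedSecurityToken/saml2:Assertion", NS)
    if assertion is None:
        return ["no SAML 2.0 assertion in RequestedSecurityToken"], {}
    if assertion.findtext("saml2:Issuer", namespaces=NS) != expected_issuer:
        problems.append("issuer mismatch")
    if assertion.find("ds:Signature", NS) is None:
        problems.append("assertion is not signed")
    methods = [c.get("Method") for c in assertion.findall("saml2:Subject/saml2:SubjectConfirmation", NS)]
    if BEARER_METHOD not in methods:
        problems.append("no bearer subject confirmation")
    cond = assertion.find("saml2:Conditions", NS)
    if cond is None:
        problems.append("no Conditions: unbounded validity and no audience")
    else:
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now + skew < parse_timestamp(not_before):
            problems.append("not yet valid")
        if not_on_or_after is None:
            problems.append("no expiry")
        elif now - skew >= parse_timestamp(not_on_or_after):
            problems.append("expired")
        audiences = [a.text for a in cond.findall("saml2:AudienceRestriction/saml2:Audience", NS)]
        if expected_audience not in audiences:
            problems.append("audience mismatch")
    attrs = {a.get("Name"): a.findtext("saml2:AttributeValue", namespaces=NS)
             for a in assertion.findall("saml2:AttributeStatement/saml2:Attribute", NS)}
    return problems, attrs
```

The token in this series is a bearer token, so the audience check is what stops an assertion issued for one service from being replayed at another; the skew allowance is small on purpose, given the five-minute lifetime the STS issues here.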


Source: https://www.yunweiku.com/thread-668076-1-1.html