Red Hat SummitFuse 6 is no longer supported
As of February 2025, Red Hat Fuse 6 is no longer supported. If you are using Fuse 6, please upgrade to Red Hat build of Apache Camel.Ce contenu n'est pas disponible dans la langue sélectionnée.
9.2. STS Demonstration
9.2.1. Overview of the Demonstration
Copier lienLien copié sur presse-papiers!
Overview
Copier lienLien copié sur presse-papiers!
The standalone Apache CXF distribution includes an STS demonstration in the following location:
CXFInstallDir/samples/sts
CXFInstallDir/samples/sts
This demonstration illustrates a complete Holder-of-Key scenario, including all of the code for the client, server, and standalone STS.
The demonstration scenario
Copier lienLien copié sur presse-papiers!
Figure 9.5, “STS Demonstration Scenario” shows an overview of the STS demonstration scenario and the steps required to implement single-sign on in the context of WS-Trust and the STS.
Figure 9.5. STS Demonstration Scenario
In this Holder-of-Key scenario, there are two main stages involved in invoking an operation on the server: first the client obtains a single-sign on token (SAML token) from the STS; then the client invokes the WSDL operation on the server, embedding the SAML token in the SOAP security header.
The client-STS connection
Copier lienLien copié sur presse-papiers!
The client-STS connection is used to obtain the single-sign on token (SAML token) from the STS. This connection is secured by a symmetric binding (for message protection) and messages must include a UsernameToken (for client authentication).
The symmetric binding is characterized by the fact that only one key pair is required (the STS X.509 certificate and private key) and the symmetric session key is derived from this key pair. To support the symmetric binding, the client must be configured with the STS X.509 certificate (public key) and the STS must be configured with the corresponding STS private key.
The UsernameToken credentials, which must accompany the Issue request sent to the STS, are used to authenticate the client.
The client-server connection
Copier lienLien copié sur presse-papiers!
The client-server connection is established after the client has obtained the single-sign on token from the STS and is used to invoke the
greetMe WSDL operation. This connection is secured by an asymmetric binding (for message protection and authentication).
The asymmetric binding is characterized by the fact that two key pairs are required: the Initiator token (a SAML token containing the client X.509 certificate); and the Recipient token (server X.509 certificate and private key). Both the client key pair and the server key pair are used for message protection.
The SAML token sent by the client contains a copy of the client's X.509 certificate and is used to authenticate the client (in a Holder-of-Key scenario).
Invocation steps
Copier lienLien copié sur presse-papiers!
In the STS demonstration scenario shown in Figure 9.5, “STS Demonstration Scenario”, the client makes a secure invocation on the server as follows:
- The secure invocation is initiated when the client calls the
greetMe()method. - Before sending a request message to the server, the client must ask the STS to issue the token that will be used for single sign-on. The client delegates this task to the
STSClientbean, which is itself a fully-fledged WS client that can communicate with the STS.To establish the connection to the STS, theSTSClientbean must initialize a symmetric binding, as follows:- The
STSClientgenerates an ephemeral key (the symmetric session key). - The
STSClientencrypts the ephemeral key using the STS public key (X.509 certificate). - The ephemeral key is then used for signing and encrypting the SOAP message parts sent between the
STSClientbean and the STS.
- The
STSClientbean now constructs the RequestSecurityToken (RST) message, which it sends to the STS. TheSTSClientembeds the client's X.509 certificate (to be used as the client's identity in the Holder-of-Key scenario) and the client's UsernameToken credentials (UT) into the RST message.TheSTSClientbean now uses the RST message to invoke the STS Issue operation. - When the RST message arrives in the STS, the STS endpoint immediately tries to authenticate the embedded UsernameToken credentials. If the UsernameToken credentials could not be authenticated, the message would be rejected.
- The STS now processes the issue token request. The RST asks the STS to generate a SAML token, using the client's X.509 certificate as the Holder-of-Key identity. The STS constructs a RequestSecurityTokenResponse (RSTR) message containing a SAML token, taking care to sign the generated SAML token using the STS signing key.
- The STS returns the RSTR message containing the signed SAML token.
- The client is now ready to send the
greetMerequest to the server. The signed SAML token that was issued by the STS is embedded in the SOAP security header of the request message. - The first thing that the server does is to check that the SAML token is signed by the STS public key. To be more precise, what the server actually does is to check whether the SAML token is signed by any trusted key—that is, any of the public keys that can be found in the
servicestore.jkskeystore file.If the SAML token is not signed by a trusted key, the message is rejected, because it is then impossible to establish trust in the SAML token. - The server now performs the Holder-of-Key check, to establish the client's identity (effectively, authenticating the client).The X.509 certificate embedded in the SAML token is meant to be the client identity, but the client must also prove that it possesses the corresponding private key for the certificate, in order to be authentic. It turns out that, as part of the natural configuration of the asymmetric binding policy, the client is configured to sign various parts of the SOAP message using the
myclientkeyprivate key. The server therefore checks all of the message's signing keys and if it finds one that matches the X.509 certificate in the SAML token, it knows that the client is in possession of the private key. - If all of the security checks have been successful, the server now invokes the implementation of the
greetMeWSDL operation.
Single-sign on and scalability
Copier lienLien copié sur presse-papiers!
Notice that the client in this scenario is required to hold a copy of the server's X.509 certificate (
myservicekey certificate). The server's certificate must be distributed to the clients using some out-of-band approach, which creates some extra work when scaling up to a large system.
On the other hand, the server requires absolutely no knowledge whatsoever about the client. It relies entirely on the STS to establish trust with a client. This is a great advantage for scalability of the system.
9.2.2. STS WSDL Contract
Copier lienLien copié sur presse-papiers!
Overview
Copier lienLien copié sur presse-papiers!
The STS WSDL contract specifies the address used to contact the STS and the STS WSDL also specifies the kind of security that applies to incoming connections. In the current demonstration, the STS requires clients to support the symmetric binding and to authenticate by providing UsernameToken credentials.
Location of the STS WSDL contract
Copier lienLien copié sur presse-papiers!
The STS WSDL contract can be found in the following location:
CXFInstallDir/samples/sts/wsdl/ws-trust-1.4-service.wsdl
CXFInstallDir/samples/sts/wsdl/ws-trust-1.4-service.wsdlParts of the contract
Copier lienLien copié sur presse-papiers!
The most important parts of the STS WSDL contract are, as follows:
- STS port type—the standard WSDL port type for the STS, as defined the WS-Trust specification.NoteThere are some other standard WSDL port types defined in the WSDL file, but these port types are not used in this demonstration.
- WSDL binding—the SOAP binding for the STS port type. Policies are enabled by applying them to various parts of the WSDL binding.
- WSDL service and port—the WSDL port element specifies the address of the STS Web service endpoint.
- Binding policy—a WS-Policy element that specifies how connections to the STS must be secured.
- Signed/encrypted parts policies—a WS-Policy element for input messages and a WS-Policy element for output messages, specifying which parts of the incoming SOAP messages and the outgoing SOAP messages must be signed and encrypted.
STS port type
Copier lienLien copié sur presse-papiers!
The STS port type provides an abstract description of all the WSDL operations supported by the STS. The STS port type appearing the STS WSDL file is taken directly from the WS-Trust specification. Only the Issue operation is actually implemented in this demonstration, however.
WSDL binding
Copier lienLien copié sur presse-papiers!
The WSDL binding for the STS is a regular SOAP binding (as could be generated using the Apache CXF
wsdl2soap utility), except for the wsp:PolicyReference elements, which are used to apply the relevant security policies to the binding. Hence, the policy identified by UT_policy is applied to the whole binding and the Input_policy and the Output_policy are applied respectively to the input messages and the output messages of each operation.
For full details of how policy references work, see Policies and policy references.
WSDL service and port
Copier lienLien copié sur presse-papiers!
The WSDL service and WSDL port elements are used to define the address of the STS endpoint (specified by the
location attribute of soap:address).
Binding policy
Copier lienLien copié sur presse-papiers!
The binding policy,
UT_policy, defines what kind of security is applied to incoming STS connections.
The binding policy defines the STS security policy to be a symmetric binding. This implies that security is applied at the SOAP message level, where parts of the SOAP payload are liable to be encrypted and/or signed. Because this is a symmetric binding, the keys used for encrypting and signing in both directions are derived from a single key, specified by the
sp:ProtectionToken element (which is ultimately configured to be the mystskey private key and X.509 certificate on the STS server). The client is required to include a WSS UsernameToken in the SOAP security header, which is used by the STS to authenticate the client.
For a more detailed discussion of the symmetric binding policy, see
.
Signed parts and encrypted parts policies
Copier lienLien copié sur presse-papiers!
The
Input_policy policy is used to specify exactly which parts of an input message should be encrypted and/or signed by the symmetric session keys. In addition to signing and encrypting the SOAP body, the standard WS-Addressing SOAP headers are also signed (which protects them from tampering by third-parties).
The
Output_policy policy is used to specify exactly which parts of an output message should be encrypted and/or signed by the symmetric session keys.
9.2.3. Security Token Service Configuration
Copier lienLien copié sur presse-papiers!
Overview
Copier lienLien copié sur presse-papiers!
Figure 9.6, “Demonstration STS Configuration” shows an overview of how the STS is configured for the current demonstration.
Figure 9.6. Demonstration STS Configuration
Aspects of configuration
Copier lienLien copié sur presse-papiers!
The current demonstration configures the following aspects of the STS:
- WSDL contract and security policies—as already discussed in Section 9.2.2, “STS WSDL Contract”, the policies in the WSDL contract are used to define the type of security that protects incoming connections to the STS. In particular, it is important that some form of client authentication is required by these security policies.
- STS plug-in configuration—as described in Section 9.1.1, “Overview of the STS”, the STS has a plug-in architecture. In order to instantiate an STS server, you must assemble and configure the STS plug-ins that you want to use.
- STS signing key—you must configure the STS with its own signing key, which effectively provides the stamp of authenticity for any tokens issued by the STS.
- List of known Web service endpoints—you can optionally install a service plug-in into the STS, which is used to define a list of known Web service endpoints that can use the STS (see Section 9.4, “Enabling AppliesTo in the STS”).
- JAX-WS endpoint configuration—you must define a Web service endpoint for the STS, which clients use to connect to the STS. In the JAX-WS endpoint you specify the X.509 certificate and private key that are used as the protection token in the symmetric binding and you also specify a callback handler, that accesses the database of UsernameToken credentials for authenticating clients.
Location of the STS Spring configuration
Copier lienLien copié sur presse-papiers!
The STS Spring configuration file can be found in the following location:
CXFInstallDir/samples/sts/src/main/resources/wssec-sts.xml
CXFInstallDir/samples/sts/src/main/resources/wssec-sts.xmlSTS plug-in configuration
Copier lienLien copié sur presse-papiers!
The first part of the
wssec-sts.xml Spring configuration file is concerned with instantiating the STS implementation and specifying the relevant STS plug-ins to use:
In the demonstration STS instance, only two STS operations are supported: Issue, implemented by the
utIssueDelegate bean, and Validate, implemented by the utValidateDelegate bean. The Validate operation is not used in the current demonstration.
The
utIssueDelegate bean is configured with the following properties:
tokenProviders- A list of plug-ins that can generate various kinds of token. In this demonstration, this list is initialized with a single provider,
SAMLTokenProvider, which is capable of generating SAML tokens. services- (Optional) The
servicesproperty enables you to specify the Web services that are secured by the STS, by specifying a list of regular expressions that must match the Web service URLs. stsProperties- The
stsPropertiesspecifies some generic configuration settings that are common to many of the plug-ins in the STS.
STS signing key
Copier lienLien copié sur presse-papiers!
The STS signing key—which is used to sign all of the tokens issued by the STS—is specified by setting the following properties on the
StaticSTSProperties class:
signaturePropertiesFile- A WSS4J properties file that defines the properties for accessing the
keys/stsstore.jksJava keystore file. signatureUsername- The alias of the STS signing key in the Java keystore file.
callbackHandlerClass- A callback handler class that returns the password for accessing the STS signing key.
The
StaticSTSProperties class is instantiated as the utSTSProperties bean in the wssec-sts.xml configuration file:
List of known Web service endpoints
Copier lienLien copié sur presse-papiers!
The
utService bean enables you to specify the Web service endpoints that are known to the STS, as follows:
The
utEndpoints bean instantiates a java.util.List object containing a list of regular expressions that must match the server's endpoint URL. When a client requests a new token from the STS, it includes the server's endpoint URL in the request, so that the STS can check whether or not the target endpoint is a known endpoint.
For more details about how to configure this, see Section 9.4, “Enabling AppliesTo in the STS”.
JAX-WS endpoint configuration
Copier lienLien copié sur presse-papiers!
To create a HTTP/SOAP endpoint that listens for incoming connections to the STS, define a
jaxws:element, as follows:
In addition to the usual attributes required for a JAX-WS endpoint, the
jaxws:endpoint element defines properties for accessing the protection token and a reference to a callback handler instance.
Protection token for the symmetric binding
Copier lienLien copié sur presse-papiers!
The protection token provides the fundamental basis for the symmetric binding. It is used to generate all of the sessions keys for the connection. Although you might expect the corresponding properties to be called something like protection.token, the following properties of
jaxws:endpoint are, in fact, used to specify the protection token:
ws-security.signature.properties- A WSS4J properties file that defines the properties for accessing the
keys/stsstore.jksJava keystore file. ws-security.signature.username- The alias of the protection token (X.509 certificate and private key pair) in the Java keystore file.
ws-security.callback-handler- A callback handler class that returns the password for accessing the protection token.
It so happens that in this demonstration, the protection token uses the same X.509 certificate and private key as the STS signing key.
STS callback handler
Copier lienLien copié sur presse-papiers!
The
jaxws:endpoint element is also configured with a callback handler (through the ws-security.callback-handler property), as follows:
The security callback handler can be used for multiple purposes (for example, see Providing Client Credentials). In particular, in this demonstration the callback handler on the
jaxws:element is used for the following purposes:
- Retrieving the password for the protection tokenthe protection token consists of a private key/public key pair and a password is needed to access the private key (which is stored in a Java keystore file).
- Retrieving the password for a client's UsernameToken credentialsthe symmetric binding policy in this demonstration requires the client to send UsernameToken credentials to the STS, for the purpose of authenticating the client. The callback handler must therefore have access to a database of UsernameToken credentials, in order to authenticate the incoming UsernameToken credentials. In this example, just a single UsernameToken credential is supported, with username,
alice, and password,clarinet.NoteIn an enterprise security system, it is more likely that you would use an LDAP server to store the client UsernameToken credentials.
9.2.4. Server WSDL Contract
Copier lienLien copié sur presse-papiers!
Overview
Copier lienLien copié sur presse-papiers!
The server WSDL contract determines the kind of security policies that are applied to the client-server connection. In the current demonstration, this connection is secured by an asymmetric binding policy.
A particularly important aspect of this policy is that the
InitiatorToken is specified by an IssuedToken policy element. It is the presence of the IssuedToken element in the policy which triggers the client to call out to the STS, requesting the STS to issue a SAML token for single sign-on.
Location of the server WSDL contract
Copier lienLien copié sur presse-papiers!
The server WSDL contract can be found in the following location:
CXFInstallDir/samples/sts/wsdl/hello_world.wsdl
CXFInstallDir/samples/sts/wsdl/hello_world.wsdlParts of the contract
Copier lienLien copié sur presse-papiers!
The most important parts of the server WSDL contract are, as follows:
- Greeter port type—a simple hello world interface consisting of a single WSDL operation,
greetMe. - WSDL binding—the SOAP binding for the
Greeterport type. Policies are enabled by applying them to various parts of the WSDL binding. - WSDL service and port—the WSDL port element specifies the address of the
GreeterWeb service endpoint. - Binding policy—a WS-Policy element that specifies how connections to the server must be secured.
- Signed/encrypted parts policies—a WS-Policy element for input messages and a WS-Policy element for output messages, specifying which parts of the incoming SOAP messages and the outgoing SOAP messages must be signed and encrypted.
Greeter port type
Copier lienLien copié sur presse-papiers!
The
Greeter port type defines the logical interface to the Web service provided by the server, as follows:
Binding
Copier lienLien copié sur presse-papiers!
The WSDL binding for the
Greeter port type is a regular SOAP binding, except for the wsp:PolicyReference elements, which are used to apply the relevant security policies to the binding. Hence, the policy identified by AsymmetricSAML2Policy is applied to the whole binding and the Input_policy and the Output_policy are applied respectively to the input messages and the output messages of each operation.
For full details of how policy references work, see Policies and policy references.
Service and port
Copier lienLien copié sur presse-papiers!
The WSDL service and WSDL port elements are used to define the address of the
Greeter WS endpoint (specified by the location attribute of soap:address).
Binding policy
Copier lienLien copié sur presse-papiers!
The binding policy,
AsymmetricSAML2Policy, defines what kind of security is applied to incoming server connections.
The binding policy defines the
Greeter server security policy to be an asymmetric binding. This implies that security is applied at the SOAP message level, where parts of the SOAP payload are liable to be encrypted and/or signed. Because this is an asymmetric binding, two keys must be provided:
- Initiator token—a SAML token, which has the client's X.509 certificate embedded inside it. Because the initiator token is defined to be an
IssuedTokentoken, it is actually obtained by the querying the STS (using anSTSClientobject). - Recipient token—an X.509 certificate (public key) and private key pair, which is provided by the server side.
For a more detailed discussion of the asymmetric binding policy, see
.
IssuedToken policy
Copier lienLien copié sur presse-papiers!
Take a closer look at the
IssuedToken policy, which is the IntiatorToken in the server's asymmetric binding. It is defined as follows:
The
IssuedToken policy is the key component of WS-Trust. It triggers the client to request an issued token from the STS. The sp:RequestSecurityTokenTemplate element specifies some elements that are to be included in the request that is sent to the STS. It includes the following elements:
<t:TokenType>...#SAMLV2.0</t:TokenType>- Indicates that the client wishes the STS to issue a SAML 2.0 token.
<t:KeyType>.../PublicKey</t:KeyType>- Indicates that the client wants the STS to support the Holder-of-Key scenario, where an X.509 certificate (public key) is used to verify the client identity. This implies that the client's X.509 certificate will be included in the request sent to the STS.
Signed parts and encrypted parts policies
Copier lienLien copié sur presse-papiers!
The
Input_policy policy is used to specify exactly which parts of an input message should be encrypted and/or signed by the asymmetric session keys (initiator token and recipient token). In addition to signing and encrypting the SOAP body, the standard WS-Addressing SOAP headers are also signed (which protects them from tampering by third-parties).
The
Output_policy policy is used to specify exactly which parts of an output message should be encrypted and/or signed by the asymmetric session keys (initiator token and recipient token).
9.2.5. Server Configuration
Copier lienLien copié sur presse-papiers!
Overview
Copier lienLien copié sur presse-papiers!
Figure 9.7, “Demonstration Server Configuration” shows an overview of the configuration for the demonstration server.
Figure 9.7. Demonstration Server Configuration
Aspects of configuration
Copier lienLien copié sur presse-papiers!
The most important aspects of the server configuration are, as follows:
- WSDL contract and security policies—as already discussed in Section 9.2.4, “Server WSDL Contract”, the policies in the WSDL contract are used to define the type of security that protects incoming connections to the
Greeterserver. - JAX-WS endpoint configuration—in the JAX-WS endpoint you specify the X.509 certificate and private key that are used as the recipient token in the asymmetric binding and you also specify the certificate (or certificates) for checking the signature of a SAML token.
- Recipient token—is specified by setting the relevant properties in the JAX-WS endpoint configuration.
- Server-side SAML token interceptor—the SAML token interceptor checks the signature of the SAML token, using the X.509 certificates (public keys) stored in the keystore file referenced by the
ws-security.encryption.propertiesproperty. - Server callback handler—is used to provide the passwords for private keys.
- Related STS configuration—when setting up a new server, you must remember to add an appropriate regular expression to the list of known Web service endpoints in the STS, or the STS will refuse to perform any operations for this server.
JAX-WS endpoint configuration
Copier lienLien copié sur presse-papiers!
To create a HTTP/SOAP endpoint that listens for incoming connections to the server, define a
jaxws:element, as follows:
In addition to the usual attributes required for a JAX-WS endpoint, the
jaxws:endpoint element defines properties for accessing the recipient token, properties for accessing SAML signature-checking tokens, and a reference to a callback handler instance.
Recipient token
Copier lienLien copié sur presse-papiers!
The recipient token for the asymmetric binding has both a public key part (used for encrypting outgoing messages) and a private key part (used for signing outgoing messages). These parts of the recipient token are specified by the following properties on the server's
jaxws:endpoint element:
ws-security.signature.properties- A WSS4J properties file that defines the properties for accessing the private key part of the recipient token.
ws-security.signature.username- The alias of the recipient token (X.509 certificate and private key pair) in the Java keystore file.
ws-security.callback-handler- A callback handler class that returns the password for accessing the private key part of the recipient token.
ws-security.encryption.properties- A WSS4J properties file that defines the properties for accessing the public key part of the recipient token.
Server-side SAML token interceptor
Copier lienLien copié sur presse-papiers!
The SAML token interceptor is automatically installed in the server, whenever the corresponding security policy is configured to use the
IssuedToken policy. The SAML token interceptor is responsible for verifying the signature of the SAML token received from the client (initiator token).
Hence, it is necessary to configure one or more trusted certificates that can be used to check the signature of the SAML token. The SAML token will be rejected unless it is signed by one of the specified trusted certificates.
As it happens, there is not a dedicated property for specifying these trusted certificates. Instead, the SAML token interceptor re-uses the
ws-security.encryption.properties property. Any trusted certificates found in the Java keystore file specified by ws-security.encryption.properties will be used for checking the signature of the SAML token. The configuration of the SAML token interceptor is thus the very same configuration that was used to specify the public key part of the recipient token:
In practice, configuring the SAML token interceptor consists of using a Java keystore utility to add the trusted STS X.509 certificate to the Java keystore file that is referenced by
ws-security.encryption.properties.
Server callback handler
Copier lienLien copié sur presse-papiers!
The
jaxws:endpoint element is also configured with a callback handler (through the ws-security.callback-handler property), as follows:
In this case, the security callback handler is used solely for the purpose of retrieving the password for accessing the private key part of the recipient token (which has the alias,
myservicekey).
Related STS configuration
Copier lienLien copié sur presse-papiers!
When setting up a server, you must remember to add an appropriate regular expression to the list of known Web service endpoints in the STS. For example, as discussed in the context of configuring the STS, you need to include a regular expression that matches the server's endpoint URL, which is set in the
wssec-sts.xml file as follows:
9.2.6. Client Configuration
Copier lienLien copié sur presse-papiers!
Overview
Copier lienLien copié sur presse-papiers!
Figure 9.8, “Demonstration Client Configuration” shows an overview of the configuration for the demonstration client.
Figure 9.8. Demonstration Client Configuration
Aspects of configuration
Copier lienLien copié sur presse-papiers!
The most important aspects of the client configuration are, as follows:
- Configure the connection to the STS (STSClient)—the client uses an
STSClientinstance to connect to the STS. TheSTSClientinstance is a complete client in itself, requiring you to specify the STS Web service address and to specify the relevant security properties for the connection. - Configure the connection to the server—the client must also be configured to connect to the server, including the relevant security properties for the connection and a reference to the
STSClientinstance. - Client callback handler—is used to provide the passwords for private keys and to provide the passwords for UsernameToken credentials.
- Related STS configuration—you must ensure that the client's UsernameToken credentials are made available to the STS, so that the client can be authenticated.
Configure the connection to the STS
Copier lienLien copié sur presse-papiers!
You must configure the client so that it is capable of contacting the STS to retrieve an issued SAML token. To enable the STS connection, initialize the client's
ws-security.sts.client property with an STSClient instance, as follows:
Besides the usual properties required for connecting to a Web service endpoint (specified by the
wsdlLocation, serviceName, and endpointName properties), you must set the following security-related properties:
ws-security.username- In this demonstration, the STS is configured to authenticate the client using UsernameToken credentials. This property specifies the username part of the UsernameToken credentials.
ws-security.callback-handler- The callback handler class provides both private key passwords and UsernameToken passwords.
ws-security.encryption.properties- A WSS4J properties file that defines the properties for accessing the STS X.509 certificate. This certificate is needed by the symmetric binding protocol, which uses it to generate a symmetric session key.
ws-security.encryption.username- The alias of the X.509 certificate referenced by
ws-security.encryption.properties. ws-security.sts.token.properties- A WSS4J properties file that defines the properties for accessing the client's X.509 certificate. This is the certificate that is used to identify the client to the server in the Holder-of-Key scenario. This token gets embedded in the request that is sent to the STS (and is also embedded in the SAML token returned from the STS).
ws-security.sts.token.username- The alias of the STS X.509 certificate referenced by
ws-security.sts.token.properties. ws-security.sts.token.usecert- Setting this boolean property to
trueindicates that the specified token should be included in the request sent to the STS (theRequestSecurityTokenmessage).
Configure the connection to the server
Copier lienLien copié sur presse-papiers!
To configure the connection to the server, set the relevant properties directly on the JAX-WS client bean, as follows:
Because the client-server connection uses an asymmetric binding (with an issued token), the following aspects of security need to be configured.
Configure the client's signing key (also used for decrypting message parts received from the server), using the following properties:
ws-security.signature.properties- A WSS4J properties file that defines the properties for accessing the client's signing key.
ws-security.signature.username- The alias of the client's signing key in the corresponding Java keystore file.
ws-security.callback-handler- The callback handler instance that can return the password for accessing the client's signing key.
Configure the client's encryption key (also used for verifying signatures on message parts received from the server), using the following properties:
ws-security.encryption.properties- A WSS4J properties file that defines the properties for accessing the client's encryption key (X.509 certificate).
ws-security.encryption.username- The alias of the client's encryption key in the corresponding Java keystore file.
Configure the client to support the IssuedToken policy by setting the
ws-security.sts.client property, as already described in the section called “Configure the connection to the STS”.
Client callback handler
Copier lienLien copié sur presse-papiers!
The client callback handler class is multi-purpose. It is capable of returning both passwords for private keys and the password part of UsernameToken credentials. In this demonstration, the client callback handler class is defined as follows:
Related STS configuration
Copier lienLien copié sur presse-papiers!
In this demonstration, the STS authenticates the client by checking the client's UsernameToken credentials. Hence, you must ensure that the client's UsernameToken credentials are known to the STS. In this demonstration, the known UsernameToken credentials are embedded in the code of the STS callback handler class, the section called “STS callback handler ”.
9.2.7. Build and Run the Demonstration
Copier lienLien copié sur presse-papiers!
Steps to run the demonstration
Copier lienLien copié sur presse-papiers!
To build and run the STS demonstration, perform the following steps:
- Open a command prompt and change directory to the
CXFInstallDir/samples/stsdirectory. Enter the following command to build the demonstration:mvn clean install
mvn clean installCopy to Clipboard Copied! Toggle word wrap Toggle overflow - To start the STS process, enter the following command:
mvn -Psts
mvn -PstsCopy to Clipboard Copied! Toggle word wrap Toggle overflow - To start the WS server process, open a new command prompt, change directory to the
CXFInstallDir/samples/stsdirectory, and enter the following command:mvn -Pserver
mvn -PserverCopy to Clipboard Copied! Toggle word wrap Toggle overflow - To run the WS client, open a new command prompt, change directory to the
CXFInstallDir/samples/stsdirectory, and enter the following command:mvn -Pclient
mvn -PclientCopy to Clipboard Copied! Toggle word wrap Toggle overflow Because CXF logging has been enabled, you should see the SOAP messages being logged to each of the command windows. If the client runs successfully, you should see the following message in the client command window:... -------------------------------------- Server responded with: Hello YourName
... -------------------------------------- Server responded with: Hello YourNameCopy to Clipboard Copied! Toggle word wrap Toggle overflow
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}