Ce contenu n'est pas disponible dans la langue sélectionnée.
9.4. Enabling AppliesTo in the STS
Overview
When you specify an
IssuedToken
policy, you can replace both of the TokenType
and KeyType
elements by a single AppliesTo
element, which specifies the identity of the server that the client wants to communicate with. The idea behind this approach is that the STS already knows what type of token the server wants and what kind of single sign-on scenario the server supports. In other words, this information is centralized in the STS (and the STS must be configured with this information).
Figure 9.10, “Processing the AppliesTo Policy” shows an overview of the steps that the STS follows to process the
AppliesTo
policy.
Figure 9.10. Processing the AppliesTo Policy
Steps to process the AppliesTo policy
When the
IssuedToken
policy includes the AppliesTo
policy, the STS processes the client's issue token request as follows:
- The trigger that enables the
AppliesTo
policy is when the client encounters anIssuedToken
policy with aRequestSecurityTokenTemplate
that contains theAppliesTo
policy element. In this case, theSTSClient
constructs aRequestSecurityToken
request message containing the specifiedAppliesTo
element and uses this message to invoke the Issue operation on the STS.In the example shown in Figure 9.10, “Processing the AppliesTo Policy”, theAppliesTo
element references theFooAddress
endpoint URL, which is the URL of the WS endpoint in the server that the client wants to invoke. - After detecting the presence of the
AppliesTo
element in the incoming request, theTokenIssueOperation
instance iterates over the list of registeredStaticService
objects, trying to find a regular expression that matches the target address,FooAddress
, that was specified by theAppliesTo
element.If a match is found, theTokenIssueOperation
checks whether thetokenType
andkeyType
properties are set on theStaticService
object. If these properties are set, they override the values (if any) that were specified in the incoming request.If a match is not found, theTokenIssueOperation
raises an error.NoteIf a list of services is registered with theTokenIssueOperation
instance, one of the registered services must match the address specified byAppliesTo
. - Now that the requested token type and key type have been determined, the
TokenIssueOperation
object proceeds as usual to issue the requested token (for example, see Section 9.1.3, “Customizing the Issue Operation”). - The STS returns the issued token to the client.
- The client can now send a secure invocation to the
FooAddress
endpoint on the server, including the issued token in the SOAP security header.
IssuedToken policy without AppliesTo enabled
Before looking at how to enable the
AppliesTo
policy, it is worth reminding ourselves what a typical IssuedToken
policy looks like without the AppliesTo
policy enabled. For example, the following IssuedToken
policy requests a SAML 2.0 token that embeds a key of type public key (an X.509 certificate) for the purpose of identifying the client (Holder-of-Key scenario):
<sp:IssuedToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient"> <sp:RequestSecurityTokenTemplate> <t:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</t:TokenType> <t:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey</t:KeyType> </sp:RequestSecurityTokenTemplate> <wsp:Policy> <sp:RequireInternalReference /> </wsp:Policy> <sp:Issuer> <wsaw:Address>http://localhost:8080/SecurityTokenService/</wsaw:Address> </sp:Issuer> </sp:IssuedToken>
In the ordinary case, without
AppliesTo
enabled, the IssuedToken
policy specifies the required token type and key type explicitly.
IssuedToken policy with AppliesTo enabled
When the
AppliesTo
policy is enabled, it is no longer necessary to specify the required token type and key type in the message that is sent to the STS. You use the AppliesTo
policy to specify which target endpoint the issued token is needed for and the STS looks up the target endpoint to discover the policies that apply to the issued token.
Therefore, in the
RequestSecurityTokenTemplate
element in the IssuedToken
policy, you need only specify the AppliesTo
element, as shown in the following example:
<sp:IssuedToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient"> <sp:RequestSecurityTokenTemplate> <wsp:AppliesTo> <wsa:EndpointReference> <wsa:Address>http://localhost:9001/SoapContext/SoapPort</wsa:Address> </wsa:EndpointReference> </wsp:AppliesTo> </sp:RequestSecurityTokenTemplate> <wsp:Policy> <sp:RequireInternalReference /> </wsp:Policy> <sp:Issuer> <wsaw:Address>http://localhost:8080/SecurityTokenService/</wsaw:Address> </sp:Issuer> </sp:IssuedToken>
In this example, the
AppliesTo
policy specifies that the token is issued for the server endpoint, http://localhost:9001/SoapContext/SoapPort
.
Configuring the list of services
When using the
AppliesTo
policy, you must configure the STS to recognize the relevant target endpoint and provide the appropriate policies for issuing tokens (in particular, the TokenType
and KeyType
policies).
The following sample STS configuration shows how to configure the
TokenIssueOperation
with a list of services (in this example, the list is just a singleton).
<beans ... > <bean id="utIssueDelegate" class="org.apache.cxf.sts.operation.TokenIssueOperation"> <property name="tokenProviders" ref="utTokenProviders" /> <property name="services" ref="utService" /> <property name="stsProperties" ref="utSTSProperties" /> </bean> ... <bean id="utService" class="org.apache.cxf.sts.service.StaticService"> <property name="endpoints" ref="utEndpoints"/> <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"/> <property name="keyType" value="http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey"/> </bean> <util:list id="utEndpoints"> <value>http://localhost:(\d)*/SoapContext/SoapPort</value> </util:list> ... </beans>
Services are represented by one or more
StaticService
instances. Each StaticService
instance holds a list of regular expressions, which are matched against the AppliesTo
address URL. If a match is found, the specified properties of the StaticService
instance are then used for issuing the token.