Red Hat Summit Red Hat Summit지원콘솔개발자평가판 시작연락처

이 콘텐츠는 선택한 언어로 제공되지 않습니다.

9.4. Enabling AppliesTo in the STS

Overview
링크 복사

When you specify an IssuedToken policy, you can replace both of the TokenType and KeyType elements by a single AppliesTo element, which specifies the identity of the server that the client wants to communicate with. The idea behind this approach is that the STS already knows what type of token the server wants and what kind of single sign-on scenario the server supports. In other words, this information is centralized in the STS (and the STS must be configured with this information).
Figure 9.10, “Processing the AppliesTo Policy” shows an overview of the steps that the STS follows to process the AppliesTo policy.

Figure 9.10. Processing the AppliesTo Policy

Steps to process the AppliesTo policy
링크 복사

When the IssuedToken policy includes the AppliesTo policy, the STS processes the client's issue token request as follows:
  1. The trigger that enables the AppliesTo policy is when the client encounters an IssuedToken policy with a RequestSecurityTokenTemplate that contains the AppliesTo policy element. In this case, the STSClient constructs a RequestSecurityToken request message containing the specified AppliesTo element and uses this message to invoke the Issue operation on the STS.
    In the example shown in Figure 9.10, “Processing the AppliesTo Policy”, the AppliesTo element references the FooAddress endpoint URL, which is the URL of the WS endpoint in the server that the client wants to invoke.
  2. After detecting the presence of the AppliesTo element in the incoming request, the TokenIssueOperation instance iterates over the list of registered StaticService objects, trying to find a regular expression that matches the target address, FooAddress, that was specified by the AppliesTo element.
    If a match is found, the TokenIssueOperation checks whether the tokenType and keyType properties are set on the StaticService object. If these properties are set, they override the values (if any) that were specified in the incoming request.
    If a match is not found, the TokenIssueOperation raises an error.
    Note
    If a list of services is registered with the TokenIssueOperation instance, one of the registered services must match the address specified by AppliesTo.
  3. Now that the requested token type and key type have been determined, the TokenIssueOperation object proceeds as usual to issue the requested token (for example, see Section 9.1.3, “Customizing the Issue Operation”).
  4. The STS returns the issued token to the client.
  5. The client can now send a secure invocation to the FooAddress endpoint on the server, including the issued token in the SOAP security header.

IssuedToken policy without AppliesTo enabled
링크 복사

Before looking at how to enable the AppliesTo policy, it is worth reminding ourselves what a typical IssuedToken policy looks like without the AppliesTo policy enabled. For example, the following IssuedToken policy requests a SAML 2.0 token that embeds a key of type public key (an X.509 certificate) for the purpose of identifying the client (Holder-of-Key scenario): 
<sp:IssuedToken
      sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
    <sp:RequestSecurityTokenTemplate>
        <t:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</t:TokenType>
        <t:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey</t:KeyType>
    </sp:RequestSecurityTokenTemplate>
    <wsp:Policy>
        <sp:RequireInternalReference />
    </wsp:Policy>
    <sp:Issuer>
        <wsaw:Address>http://localhost:8080/SecurityTokenService/</wsaw:Address>
    </sp:Issuer>
</sp:IssuedToken>
Copy to Clipboard Toggle word wrap
In the ordinary case, without AppliesTo enabled, the IssuedToken policy specifies the required token type and key type explicitly.

IssuedToken policy with AppliesTo enabled
링크 복사

When the AppliesTo policy is enabled, it is no longer necessary to specify the required token type and key type in the message that is sent to the STS. You use the AppliesTo policy to specify which target endpoint the issued token is needed for and the STS looks up the target endpoint to discover the policies that apply to the issued token.
Therefore, in the RequestSecurityTokenTemplate element in the IssuedToken policy, you need only specify the AppliesTo element, as shown in the following example: 
<sp:IssuedToken
      sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
    <sp:RequestSecurityTokenTemplate>
        <wsp:AppliesTo>
            <wsa:EndpointReference>
                <wsa:Address>http://localhost:9001/SoapContext/SoapPort</wsa:Address>
            </wsa:EndpointReference>
        </wsp:AppliesTo>
    </sp:RequestSecurityTokenTemplate>
    <wsp:Policy>
        <sp:RequireInternalReference />
    </wsp:Policy>
    <sp:Issuer>
        <wsaw:Address>http://localhost:8080/SecurityTokenService/</wsaw:Address>
    </sp:Issuer>
</sp:IssuedToken>
Copy to Clipboard Toggle word wrap
In this example, the AppliesTo policy specifies that the token is issued for the server endpoint, http://localhost:9001/SoapContext/SoapPort.

Configuring the list of services
링크 복사

When using the AppliesTo policy, you must configure the STS to recognize the relevant target endpoint and provide the appropriate policies for issuing tokens (in particular, the TokenType and KeyType policies).
The following sample STS configuration shows how to configure the TokenIssueOperation with a list of services (in this example, the list is just a singleton). 
<beans ... >
    <bean id="utIssueDelegate" class="org.apache.cxf.sts.operation.TokenIssueOperation">
        <property name="tokenProviders" ref="utTokenProviders" />
        <property name="services" ref="utService" />
        <property name="stsProperties" ref="utSTSProperties" />
    </bean>
    ...
    <bean id="utService"
        class="org.apache.cxf.sts.service.StaticService">
        <property name="endpoints" ref="utEndpoints"/>
        <property name="tokenType"
            value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"/>
        <property name="keyType"
            value="http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey"/>
    </bean>
    
    <util:list id="utEndpoints">
        <value>http://localhost:(\d)*/SoapContext/SoapPort</value>
    </util:list>
    ...
</beans>
Copy to Clipboard Toggle word wrap
Services are represented by one or more StaticService instances. Each StaticService instance holds a list of regular expressions, which are matched against the AppliesTo address URL. If a match is found, the specified properties of the StaticService instance are then used for issuing the token.
맨 위로 이동
Red Hat logoGithubredditYoutubeTwitter

자세한 정보

평가판, 구매 및 판매

커뮤니티

Red Hat 문서 정보

Red Hat을 사용하는 고객은 신뢰할 수 있는 콘텐츠가 포함된 제품과 서비스를 통해 혁신하고 목표를 달성할 수 있습니다. 최신 업데이트를 확인하세요.

보다 포괄적 수용을 위한 오픈 소스 용어 교체

Red Hat은 코드, 문서, 웹 속성에서 문제가 있는 언어를 교체하기 위해 최선을 다하고 있습니다. 자세한 내용은 다음을 참조하세요.Red Hat 블로그.

Red Hat 소개

Red Hat은 기업이 핵심 데이터 센터에서 네트워크 에지에 이르기까지 플랫폼과 환경 전반에서 더 쉽게 작업할 수 있도록 강화된 솔루션을 제공합니다.

Theme

© 2025 Red Hat