此内容没有您所选择的语言版本。
9.4. Enabling AppliesTo in the STS
Overview
When you specify an
IssuedToken policy, you can replace both of the TokenType and KeyType elements by a single AppliesTo element, which specifies the identity of the server that the client wants to communicate with. The idea behind this approach is that the STS already knows what type of token the server wants and what kind of single sign-on scenario the server supports. In other words, this information is centralized in the STS (and the STS must be configured with this information).
Figure 9.10, “Processing the AppliesTo Policy” shows an overview of the steps that the STS follows to process the
AppliesTo policy.
Figure 9.10. Processing the AppliesTo Policy
Steps to process the AppliesTo policy
When the
IssuedToken policy includes the AppliesTo policy, the STS processes the client's issue token request as follows:
- The trigger that enables the
AppliesTopolicy is when the client encounters anIssuedTokenpolicy with aRequestSecurityTokenTemplatethat contains theAppliesTopolicy element. In this case, theSTSClientconstructs aRequestSecurityTokenrequest message containing the specifiedAppliesToelement and uses this message to invoke the Issue operation on the STS.In the example shown in Figure 9.10, “Processing the AppliesTo Policy”, theAppliesToelement references theFooAddressendpoint URL, which is the URL of the WS endpoint in the server that the client wants to invoke. - After detecting the presence of the
AppliesToelement in the incoming request, theTokenIssueOperationinstance iterates over the list of registeredStaticServiceobjects, trying to find a regular expression that matches the target address,FooAddress, that was specified by theAppliesToelement.If a match is found, theTokenIssueOperationchecks whether thetokenTypeandkeyTypeproperties are set on theStaticServiceobject. If these properties are set, they override the values (if any) that were specified in the incoming request.If a match is not found, theTokenIssueOperationraises an error.NoteIf a list of services is registered with theTokenIssueOperationinstance, one of the registered services must match the address specified byAppliesTo. - Now that the requested token type and key type have been determined, the
TokenIssueOperationobject proceeds as usual to issue the requested token (for example, see Section 9.1.3, “Customizing the Issue Operation”). - The STS returns the issued token to the client.
- The client can now send a secure invocation to the
FooAddressendpoint on the server, including the issued token in the SOAP security header.
IssuedToken policy without AppliesTo enabled
Before looking at how to enable the
AppliesTo policy, it is worth reminding ourselves what a typical IssuedToken policy looks like without the AppliesTo policy enabled. For example, the following IssuedToken policy requests a SAML 2.0 token that embeds a key of type public key (an X.509 certificate) for the purpose of identifying the client (Holder-of-Key scenario):
<sp:IssuedToken
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
<sp:RequestSecurityTokenTemplate>
<t:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</t:TokenType>
<t:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey</t:KeyType>
</sp:RequestSecurityTokenTemplate>
<wsp:Policy>
<sp:RequireInternalReference />
</wsp:Policy>
<sp:Issuer>
<wsaw:Address>http://localhost:8080/SecurityTokenService/</wsaw:Address>
</sp:Issuer>
</sp:IssuedToken>
In the ordinary case, without
AppliesTo enabled, the IssuedToken policy specifies the required token type and key type explicitly.
IssuedToken policy with AppliesTo enabled
When the
AppliesTo policy is enabled, it is no longer necessary to specify the required token type and key type in the message that is sent to the STS. You use the AppliesTo policy to specify which target endpoint the issued token is needed for and the STS looks up the target endpoint to discover the policies that apply to the issued token.
Therefore, in the
RequestSecurityTokenTemplate element in the IssuedToken policy, you need only specify the AppliesTo element, as shown in the following example:
<sp:IssuedToken
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
<sp:RequestSecurityTokenTemplate>
<wsp:AppliesTo>
<wsa:EndpointReference>
<wsa:Address>http://localhost:9001/SoapContext/SoapPort</wsa:Address>
</wsa:EndpointReference>
</wsp:AppliesTo>
</sp:RequestSecurityTokenTemplate>
<wsp:Policy>
<sp:RequireInternalReference />
</wsp:Policy>
<sp:Issuer>
<wsaw:Address>http://localhost:8080/SecurityTokenService/</wsaw:Address>
</sp:Issuer>
</sp:IssuedToken>
In this example, the
AppliesTo policy specifies that the token is issued for the server endpoint, http://localhost:9001/SoapContext/SoapPort.
Configuring the list of services
When using the
AppliesTo policy, you must configure the STS to recognize the relevant target endpoint and provide the appropriate policies for issuing tokens (in particular, the TokenType and KeyType policies).
The following sample STS configuration shows how to configure the
TokenIssueOperation with a list of services (in this example, the list is just a singleton).
<beans ... >
<bean id="utIssueDelegate" class="org.apache.cxf.sts.operation.TokenIssueOperation">
<property name="tokenProviders" ref="utTokenProviders" />
<property name="services" ref="utService" />
<property name="stsProperties" ref="utSTSProperties" />
</bean>
...
<bean id="utService"
class="org.apache.cxf.sts.service.StaticService">
<property name="endpoints" ref="utEndpoints"/>
<property name="tokenType"
value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"/>
<property name="keyType"
value="http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey"/>
</bean>
<util:list id="utEndpoints">
<value>http://localhost:(\d)*/SoapContext/SoapPort</value>
</util:list>
...
</beans>
Services are represented by one or more
StaticService instances. Each StaticService instance holds a list of regular expressions, which are matched against the AppliesTo address URL. If a match is found, the specified properties of the StaticService instance are then used for issuing the token.
