cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From conflue...@apache.org
Subject [CONF] Apache CXF Documentation > WS-Trust
Date Fri, 23 Jul 2010 03:30:00 GMT
<html>
<head>
    <base href="https://cwiki.apache.org/confluence">
            <link rel="stylesheet" href="/confluence/s/1810/9/1/_/styles/combined.css?spaceKey=CXF20DOC&amp;forWysiwyg=true"
type="text/css">
    </head>
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
    <h2><a href="https://cwiki.apache.org/confluence/display/CXF20DOC/WS-Trust">WS-Trust</a></h2>
    <h4>Page <b>edited</b> by             <a href="https://cwiki.apache.org/confluence/display/~mazzag">Glen
Mazza</a>
    </h4>
        <div id="versionComment">
        <b>Comment:</b>
        Updated documentation to provide more config info.<br />
    </div>
        <br/>
                         <h4>Changes (12)</h4>
                                 
    
<div id="page-diffs">
            <table class="diff" cellpadding="0" cellspacing="0">
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" > <br>*Direct configuration of
an STS bean in the properties:* <br></td></tr>
            <tr><td class="diff-unchanged" >In this scenario, a STSClient object
is created directly as a property of the client object.   The wsdlLocation, service/endpoint
names, etc... are all configured in line for that client.   <br></td></tr>
            <tr><td class="diff-unchanged" > <br>{code:xml} <br></td></tr>
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" >                &lt;property name=&quot;properties&quot;&gt;
<br>                    &lt;map&gt; <br></td></tr>
            <tr><td class="diff-changed-lines" >&lt;entry key=&quot;ws-security.username&quot;
<span class="diff-deleted-words"style="color:#999;background-color:#fdd;text-decoration:line-through;">value=&quot;joe&quot;/&gt;</span>
<span class="diff-added-words"style="background-color: #dfd;">value=&quot;alice&quot;/&gt;</span>
<br></td></tr>
            <tr><td class="diff-changed-lines" >&lt;entry key=&quot;ws-security.callback-handler&quot;
<span class="diff-deleted-words"style="color:#999;background-color:#fdd;text-decoration:line-through;">value=&quot;interop.client.KeystorePasswordCallback&quot;/&gt;</span>
<span class="diff-added-words"style="background-color: #dfd;">value=&quot;client.MyCallbackHandler&quot;/&gt;</span>
<br></td></tr>
            <tr><td class="diff-changed-lines" >&lt;entry key=&quot;ws-security.signature.properties&quot;
<span class="diff-deleted-words"style="color:#999;background-color:#fdd;text-decoration:line-through;">value=&quot;etc/alice.properties&quot;/&gt;</span>
<span class="diff-added-words"style="background-color: #dfd;">value=&quot;clientKeystore.properties&quot;/&gt;</span>
<br></td></tr>
            <tr><td class="diff-changed-lines" >&lt;entry key=&quot;ws-security.encryption.properties&quot;
<span class="diff-deleted-words"style="color:#999;background-color:#fdd;text-decoration:line-through;">value=&quot;etc/bob.properties&quot;/&gt;</span>
<span class="diff-added-words"style="background-color: #dfd;">value=&quot;clientKeystore.properties&quot;/&gt;</span>
<br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">
                      &lt;entry key=&quot;ws-security.encryption.username&quot;
value=&quot;mystskey&quot;/&gt;  <br></td></tr>
            <tr><td class="diff-unchanged" >                    &lt;/map&gt;
<br>                &lt;/property&gt; <br></td></tr>
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" >{code} <br> <br></td></tr>
            <tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;">Remember
the jaxws:client createdFromAPI attribute is set to true if you created the client programmatically
via the CXF API&#39;s--i.e., Endpoint.publish() or Service.getPort(). <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">The
above example shows a configuration where the STS uses the UsernameToken profile to validate
the client.  It is assumed the keystore identified within clientKeystore.properties contains
both the private key of the client and the public key (identified above as mystskey) of the
STS; if not, create separate property files for the signature properties and the encryption
properties, pointing to the keystore and truststore respectively. <br></td></tr>
            <tr><td class="diff-unchanged" > <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">Remember
the jaxws:client createdFromAPI attribute needs to be set to true (as shown above) if you
created the client programmatically via the CXF API&#39;s--i.e., Endpoint.publish() or
Service.getPort(). <br> <br></td></tr>
            <tr><td class="diff-unchanged" >This also works for &quot;code
first&quot; cases as you can do: <br>{code:java} <br></td></tr>
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" >{code} <br> <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">Sample
clientKeystore.properties format: <br> <br>{code:xml} <br>org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
<br>org.apache.ws.security.crypto.merlin.keystore.type=jks <br>org.apache.ws.security.crypto.merlin.keystore.password=KeystorePasswordHere
<br>org.apache.ws.security.crypto.merlin.keystore.alias=ClientKeyAlias <br>org.apache.ws.security.crypto.merlin.file=NameOfKeystore.jks
 <br>{code} <br> <br></td></tr>
            <tr><td class="diff-unchanged" >*Indirect configuration based on endpoint
name:* <br>If the runtime does not find a STSClient bean configured directly on the
client, it checks the configuration for a STSClient bean with the name of the endpoint appended
with &quot;.sts-client&quot;.   For example, if the endpoint name for your client
is &quot;\{http://cxf.apache.org/}TestEndpoint&quot;, then it can be configured as:
<br></td></tr>
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" >    &lt;property name=&quot;properties&quot;&gt;
<br>        &lt;map&gt; <br></td></tr>
            <tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;">
           &lt;entry key=&quot;ws-security.signature.properties&quot; value=&quot;etc/alice.properties&quot;/&gt;
 <br>            &lt;entry key=&quot;ws-security.encryption.properties&quot;
value=&quot;etc/bob.properties&quot;/&gt;	 <br></td></tr>
            <tr><td class="diff-unchanged" >            &lt;entry key=&quot;ws-security.sts.token.properties&quot;
value=&quot;etc/bob.properties&quot;/&gt;   <br>            &lt;entry
key=&quot;ws-security.callback-handler&quot; value=&quot;interop.client.KeystorePasswordCallback&quot;/&gt;
<br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">
           &lt;entry key=&quot;ws-security.signature.properties&quot; value=&quot;etc/alice.properties&quot;/&gt;
 <br>            &lt;entry key=&quot;ws-security.encryption.properties&quot;
value=&quot;etc/bob.properties&quot;/&gt;	 <br></td></tr>
            <tr><td class="diff-unchanged" >        &lt;/map&gt; <br>
   &lt;/property&gt; <br></td></tr>
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" >{code} <br> <br></td></tr>
            <tr><td class="diff-changed-lines" ><span class="diff-added-words"style="background-color:
#dfd;">This properties configured in this example demonstrate STS validation of the client
using the X.509 token profile. </span> The abstract=&quot;true&quot; setting
for the bean <span class="diff-deleted-words"style="color:#999;background-color:#fdd;text-decoration:line-through;">above</span>
defers creation of the STSClient object until it is actually needed.  When that occurs, the
CXF runtime will instantiate a new STSClient using the values configured for this bean. <br></td></tr>
            <tr><td class="diff-unchanged" > <br>*Default configuration:*
<br></td></tr>
            <tr><td class="diff-snipped" >...<br></td></tr>
        </table>
</div>                            <h4>Full Content</h4>
                    <div class="notificationGreySide">
        <p>WS-Trust support in CXF builds upon the <a href="/confluence/display/CXF20DOC/WS-SecurityPolicy"
title="WS-SecurityPolicy">WS&#45;SecurityPolicy</a> implementation to handle
the IssuedToken policy assertions that could be found in the WS-SecurityPolicy fragment. 
</p>

<p><b>Note:</b> Because the WS-IssuedToken support builds on the WS-SecurityPolicy
support, this is currently only available to "wsdl first" projects.</p>


<p>WS-Trust extends the WS-Security specification to allow issuing, renewing, and validation
of security tokens.  A lot of what WS-Trust does centers around the use of a "Security Token
Service", or STS.   The STS is contacted to obtain security tokens that are used to create
messages to talk to the services.    The primary use of the STS is to acquire SAML tokens
used to talk to the service.   Why is this interesting?</p>

<p>When using "straight" WS-Security, the client and server need to have keys exchanged
in advance.   If the client and server are both in the same security domain, that isn't usually
a problem, but for larger, complex applications spanning multiple domains, that can be a burden.
 Also, if multiple services require the same security credentials, updating all the services
when those credentials change can by a major operation.   </p>

<p>WS-Trust solves this by using security tokens that are obtained from a trusted Security
Token Service.   A client authenticates itself with the STS based on policies and requirements
defined by the STS.   The STS then provides a security token (example: a SAML token) that
the client then uses to talk to the target service.  The service can validate that token to
make sure it really came from the trusted STS.  </p>


<p>When the WS-SecurityPolicy runtime in CXF encounters an IssuedToken assertion in
the policy, the runtime requries an instance of  org.apache.cxf.ws.security.trust.STSClient
to talk to the STS to obtain the required token.    Since the STSClient is a WS-SecurityPolicy
client, it will need configuration items to be able to create it's secure SOAP messages to
talk to the STS.  </p>

<p>There are several ways to configure the STSClient:</p>

<p><b>Direct configuration of an STS bean in the properties:</b><br/>
In this scenario, a STSClient object is created directly as a property of the client object.
  The wsdlLocation, service/endpoint names, etc... are all configured in line for that client.
 </p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-xml">
<span class="code-tag">&lt;jaxws:client name=<span class="code-quote">"{http://cxf.apache.org/}MyService"</span>
createdFromAPI=<span class="code-quote">"true"</span>&gt;</span>
    <span class="code-tag">&lt;jaxws:properties&gt;</span>
        <span class="code-tag">&lt;entry key=<span class="code-quote">"ws-security.sts.client"</span>&gt;</span>
            <span class="code-tag"><span class="code-comment">&lt;!-- direct
STSClient config and creation --&gt;</span></span>
            <span class="code-tag">&lt;bean class=<span class="code-quote">"org.apache.cxf.ws.security.trust.STSClient"</span>&gt;</span>
                <span class="code-tag">&lt;constructor-arg ref=<span class="code-quote">"cxf"</span>/&gt;</span>
                <span class="code-tag">&lt;property name=<span class="code-quote">"wsdlLocation"</span>
value=<span class="code-quote">"target/wsdl/trust.wsdl"</span>/&gt;</span>
                <span class="code-tag">&lt;property name=<span class="code-quote">"serviceName"</span>
value=<span class="code-quote">"{http://cxf.apache.org/securitytokenservice}SecurityTokenService"</span>/&gt;</span>
                <span class="code-tag">&lt;property name=<span class="code-quote">"endpointName"</span>
value=<span class="code-quote">"{http://cxf.apache.org/securitytokenservice}SecurityTokenEndpoint"</span>/&gt;</span>
                <span class="code-tag">&lt;property name=<span class="code-quote">"properties"</span>&gt;</span>
                    <span class="code-tag">&lt;map&gt;</span>
                       <span class="code-tag">&lt;entry key=<span class="code-quote">"ws-security.username"</span>
value=<span class="code-quote">"alice"</span>/&gt;</span>
                       <span class="code-tag">&lt;entry key=<span class="code-quote">"ws-security.callback-handler"</span>
value=<span class="code-quote">"client.MyCallbackHandler"</span>/&gt;</span>
                       <span class="code-tag">&lt;entry key=<span class="code-quote">"ws-security.signature.properties"</span>
value=<span class="code-quote">"clientKeystore.properties"</span>/&gt;</span>
                       <span class="code-tag">&lt;entry key=<span class="code-quote">"ws-security.encryption.properties"</span>
value=<span class="code-quote">"clientKeystore.properties"</span>/&gt;</span>
                       <span class="code-tag">&lt;entry key=<span class="code-quote">"ws-security.encryption.username"</span>
value=<span class="code-quote">"mystskey"</span>/&gt;</span> 
                    <span class="code-tag">&lt;/map&gt;</span>
                <span class="code-tag">&lt;/property&gt;</span>
            <span class="code-tag">&lt;/bean&gt;</span>            
        <span class="code-tag">&lt;/entry&gt;</span> 
    <span class="code-tag">&lt;/jaxws:properties&gt;</span>
<span class="code-tag">&lt;/jaxws:client&gt;</span>
</pre>
</div></div>

<p>The above example shows a configuration where the STS uses the UsernameToken profile
to validate the client.  It is assumed the keystore identified within clientKeystore.properties
contains both the private key of the client and the public key (identified above as mystskey)
of the STS; if not, create separate property files for the signature properties and the encryption
properties, pointing to the keystore and truststore respectively.</p>

<p>Remember the jaxws:client createdFromAPI attribute needs to be set to true (as shown
above) if you created the client programmatically via the CXF API's--i.e., Endpoint.publish()
or Service.getPort().</p>

<p>This also works for "code first" cases as you can do:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">
STSClient sts = <span class="code-keyword">new</span> STSClient(...);
sts.setXXXX(....)
.....
((BindingProvider)port).getRequestContext().put(<span class="code-quote">"ws-security.sts.client"</span>,
sts);
</pre>
</div></div>

<p>Sample clientKeystore.properties format:</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-xml">
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=KeystorePasswordHere
org.apache.ws.security.crypto.merlin.keystore.alias=ClientKeyAlias
org.apache.ws.security.crypto.merlin.file=NameOfKeystore.jks 
</pre>
</div></div>

<p><b>Indirect configuration based on endpoint name:</b><br/>
If the runtime does not find a STSClient bean configured directly on the client, it checks
the configuration for a STSClient bean with the name of the endpoint appended with ".sts-client".
  For example, if the endpoint name for your client is "{<a href="http://cxf.apache.org/"
class="external-link" rel="nofollow">http://cxf.apache.org/</a>}TestEndpoint", then
it can be configured as:</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-xml">
&lt;bean name=<span class="code-quote">"{http://cxf.apache.org/}TestEndpoint.sts-client"</span>

    class=<span class="code-quote">"org.apache.cxf.ws.security.trust.STSClient"</span>
abstract=<span class="code-quote">"true"</span>&gt;
    <span class="code-tag">&lt;property name=<span class="code-quote">"wsdlLocation"</span>
value=<span class="code-quote">"WSDL/wsdl/trust.wsdl"</span>/&gt;</span>
    <span class="code-tag">&lt;property name=<span class="code-quote">"serviceName"</span>
value=<span class="code-quote">"{http://cxf.apache.org/securitytokenservice}SecurityTokenService"</span>/&gt;</span>
    <span class="code-tag">&lt;property name=<span class="code-quote">"endpointName"</span>
value=<span class="code-quote">"{http://cxf.apache.org/securitytokenservice}SecurityTokenEndpoint"</span>/&gt;</span>
    <span class="code-tag">&lt;property name=<span class="code-quote">"properties"</span>&gt;</span>
        <span class="code-tag">&lt;map&gt;</span>
            <span class="code-tag">&lt;entry key=<span class="code-quote">"ws-security.sts.token.properties"</span>
value=<span class="code-quote">"etc/bob.properties"</span>/&gt;</span>
 
            <span class="code-tag">&lt;entry key=<span class="code-quote">"ws-security.callback-handler"</span>
value=<span class="code-quote">"interop.client.KeystorePasswordCallback"</span>/&gt;</span>
            <span class="code-tag">&lt;entry key=<span class="code-quote">"ws-security.signature.properties"</span>
value=<span class="code-quote">"etc/alice.properties"</span>/&gt;</span>

            <span class="code-tag">&lt;entry key=<span class="code-quote">"ws-security.encryption.properties"</span>
value=<span class="code-quote">"etc/bob.properties"</span>/&gt;</span>

        <span class="code-tag">&lt;/map&gt;</span>
    <span class="code-tag">&lt;/property&gt;</span>
<span class="code-tag">&lt;/bean&gt;</span>
</pre>
</div></div>

<p>This properties configured in this example demonstrate STS validation of the client
using the X.509 token profile.  The abstract="true" setting for the bean defers creation of
the STSClient object until it is actually needed.  When that occurs, the CXF runtime will
instantiate a new STSClient using the values configured for this bean.</p>

<p><b>Default configuration:</b><br/>
If an STSClient is not found from the above methods, it then tries to find one configured
like the indirect, but with the name "default.sts-client".   This can be used to configure
sts-clients for multiple services.</p>
    </div>
        <div id="commentsSection" class="wiki-content pageSection">
        <div style="float: right;">
            <a href="https://cwiki.apache.org/confluence/users/viewnotifications.action"
class="grey">Change Notification Preferences</a>
        </div>
        <a href="https://cwiki.apache.org/confluence/display/CXF20DOC/WS-Trust">View
Online</a>
        |
        <a href="https://cwiki.apache.org/confluence/pages/diffpagesbyversion.action?pageId=112641&revisedVersion=9&originalVersion=8">View
Changes</a>
                |
        <a href="https://cwiki.apache.org/confluence/display/CXF20DOC/WS-Trust?showComments=true&amp;showCommentArea=true#addcomment">Add
Comment</a>
            </div>
</div>
</div>
</div>
</div>
</body>
</html>

Mime
View raw message