
The underlying implementation of WS-Security and WS-Trust is provided by a set of WSS4J interceptors, based on the open source Apache WSS4J security toolkit. These interceptors are automatically installed into a server endpoint, if the endpoint is associated with a WS-SecurityPolicy policy in the server's WSDL file. In the absence of WSDL policies, it is also possible to install the WSS4J interceptors explicitly—see the WS-Security page.

In this example, the SAML token issued by the STS is signed by the STS certificate. The issued SAML token also declares its subject confirmation method to be bearer, which means that the server should trust whoever presents the SAML token, but only if the token's signature is confirmed.

Hence, the server must be configured so that it can confirm incoming signatures. The details of this type of configuration are given in Providing Encryption Keys and Signing Keys; essentially, it consists of setting the ws-security.encryption.properties property in the relevant jaxws:endpoint element. Confusingly, although this property is named encryption, it is also used for confirming signatures. The ws-security.encryption.properties property points at the WSS4J properties file through which the STS certificate is accessed, and that certificate is used to confirm the token's signature.

Perform the following steps to configure the server-side interceptor:

  1. Comment out the Java code for instantiating the Web service endpoint (in this example, it is more convenient to instantiate the endpoint in XML, because it enables you to specify all of the endpoint's properties in one place).

    Edit the Server.java file from the wsdl_first_https/src/demo/hw_https/server directory. Look for the lines of Java code that instantiate the Web service endpoint (highlighted below) and enclose them between /* and */, so that the lines are commented out as shown.

    package demo.hw_https.server;
    ...
    public class Server {
    
        protected Server() throws Exception {
            System.out.println("Starting Server");
    
            SpringBusFactory bf = new SpringBusFactory();
            URL busFile = Server.class.getResource("CherryServer.xml");
            Bus bus = bf.createBus(busFile.toString());
            bf.setDefaultBus(bus);
    
            /*
            Object implementor = new GreeterImpl();
            String address = "https://localhost:9001/SoapContext/SoapPort";
            Endpoint.publish(address, implementor);
            */
        }
        ...
  2. Create the Web service endpoint in XML. Edit the CherryServer.xml file from the wsdl_first_https/src/demo/hw_https/server directory. Add the following jaxws:endpoint element as a child of the beans element to instantiate the Web service endpoint.

    <beans ...>
      ...
      <jaxws:endpoint id="server"
        endpointName="s:SoapPort"
        serviceName="s:SOAPService"
        implementor="demo.hw_https.server.GreeterImpl"
        address="https://localhost:9001/SoapContext/SoapPort"
        wsdlLocation="wsdl/hello_world_server.wsdl"
        xmlns:s="http://apache.org/hello_world_soap_http" >
        <jaxws:properties>
            <entry key="ws-security.encryption.properties" value="sts/sts.properties" />
        </jaxws:properties>
      </jaxws:endpoint>
      ...
    </beans>

    Notice how the wsdlLocation attribute points at the hello_world_server.wsdl file, which is the copy of the WSDL contract that excludes the IssuedToken policy. The ws-security.encryption.properties property points at the file, sts/sts.properties, which will be defined in a later step.

  3. Enable policy support and logging as follows. Continue editing the CherryServer.xml file. Add the following cxf:bus element as a child of the beans element:

    <beans ...>
      ...
      <cxf:bus xmlns:cxf="http://cxf.apache.org/core">
         <cxf:features>
            <p:policies xmlns:p="http://cxf.apache.org/policy"/>
            <cxf:logging/>
         </cxf:features>
      </cxf:bus>
      ...
    </beans>
  4. Add the requisite XML schema locations. Continue editing the CherryServer.xml file. To support the jaxws and cxf namespace prefixes, add the highlighted schema locations and define the jaxws namespace prefix, as follows:

  5. Now define the sts.properties file, which specifies the WSS4J properties for accessing the STS certificate. In the wsdl_first_https/sts directory, use your favorite text editor to create the file, sts.properties, containing the following property settings:

    For more details on these WSS4J properties, see Providing Encryption Keys and Signing Keys.

  6. Add Maven instructions to copy the sts.properties file into the target/classes/sts directory (so that the sts.properties file gets included in the WAR package). Edit the pom.xml file from the wsdl_first_https/ directory and search for the copyxmlfiles target of the Maven antrun plug-in. Under configuration tasks, add the highlighted lines as shown in the following fragment:

    <project ...>
        ...
        <build>
            ...
            <plugins>
                <plugin>
                    <artifactId>maven-antrun-plugin</artifactId>
                    <executions>
                        <execution>
                            <id>copyxmlfiles</id>
                            ...
                            <configuration>
                                <tasks>
                                    <copy file="${basedir}/src/demo/hw_https/server/CherryServer.xml" todir="${basedir}/target/classes/demo/hw_https/server" />
                                    <copy file="${basedir}/src/demo/hw_https/client/WibbleClient.xml" todir="${basedir}/target/classes/demo/hw_https/client" />
                                    <copy file="${basedir}/src/demo/hw_https/client/InsecureClient.xml" todir="${basedir}/target/classes/demo/hw_https/client" />
                                    <copy todir="${basedir}/target/classes/certs">
                                        <fileset dir="${basedir}/certs" />
                                    </copy>
                                    <copy todir="${basedir}/target/classes/sts">
                                        <fileset dir="${basedir}/sts" />
                                    </copy>
                                </tasks>
                            </configuration>
                        </execution>
                    </executions>
                </plugin>
            </plugins>
        </build>
        ...
    </project>
    Note

    This step is only necessary because this wsdl_first_https Maven project is set up in a slightly unconventional way. Normally, in a Maven project, you put all of your resource files under src/main/resources/, which Maven copies into the target package automatically.
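As an added consistency check that is not part of the original tutorial, the following Python lints a CherryServer.xml-style endpoint against the contents of the classes directory, so that a missing ws-security.encryption.properties entry, an sts.properties file the antrun copy step did not deliver, or an incomplete keystore configuration is caught before deployment. The WSS4J 1.6 Merlin property names, the mystskey alias and the stsstore.jks file name are assumptions, and the sample inputs are constructed.

```python
import xml.etree.ElementTree as ET
ENC_KEY = "ws-security.encryption.properties"
JAXWS_ENDPOINT = "{http://cxf.apache.org/jaxws}endpoint"
# Keystore settings the properties file must carry (assumption: WSS4J 1.6 Merlin key names).
MERLIN_KEYS = ("org.apache.ws.security.crypto.merlin.keystore.file",
               "org.apache.ws.security.crypto.merlin.keystore.password",
               "org.apache.ws.security.crypto.merlin.keystore.alias")
# Constructed inputs: a CherryServer.xml-style endpoint and a view of target/classes
# in which sts.properties is missing its keystore password line.
ENDPOINT_XML = """<beans xmlns="http://www.springframework.org/schema/beans" xmlns:jaxws="http://cxf.apache.org/jaxws">
  <jaxws:endpoint id="server" address="https://localhost:9001/SoapContext/SoapPort">
    <jaxws:properties><entry key="ws-security.encryption.properties" value="sts/sts.properties"/></jaxws:properties>
  </jaxws:endpoint></beans>"""
CLASSPATH = {
    "sts/sts.properties": ("org.apache.ws.security.crypto.merlin.keystore.file=sts/stsstore.jks\n"
                           "org.apache.ws.security.crypto.merlin.keystore.alias=mystskey\n"),
    "sts/stsstore.jks": "<keystore bytes placeholder>",
}

def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#' or '!' comment lines."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def check_endpoint(xml_text, classpath):
    """Return findings per jaxws:endpoint; classpath maps a target/classes path to its content."""
    findings = []
    for ep in ET.fromstring(xml_text).iter(JAXWS_ENDPOINT):
        ep_id = ep.get("id")
        # <entry> is in the Spring beans namespace, so match on the local name only.
        entries = {e.get("key"): e.get("value") for e in ep.iter() if e.tag.rsplit("}", 1)[-1] == "entry"}
        ref = entries.get(ENC_KEY)
        if ref is None:
            findings.append(f"{ep_id}: {ENC_KEY} not set, so the STS signature on the token is never verified")
            continue
        if ref not in classpath:
            findings.append(f"{ep_id}: {ref} not on the classpath (check the antrun copy step)")
            continue
        props = parse_properties(classpath[ref])
        findings += [f"{ep_id}: {ref} lacks {key}" for key in MERLIN_KEYS if key not in props]
        keystore = props.get(MERLIN_KEYS[0])
        if keystore and keystore not in classpath:
            findings.append(f"{ep_id}: keystore {keystore} not on the classpath")
    return findings
```

Run check_endpoint against the real CherryServer.xml and a dict built from target/classes after the Maven build to confirm that every referenced file actually made it into the package.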
