Tech Life of Recht » Building an STS with Metro

 Building an STS with Metro

  • January 4th, 2010
  • 10:25 pm

One of my recent tasks has been to see if it was possible to implement an OIO-Trust-compliant STS using the Metro stack from Sun. Metro contains WSIT, which has a number of classes for building an STS, so it’s not that hard. However, large portions of the code are quite undocumented, so I decided to write some of my findings down, hence this post (which is probably only interesting to a very few people).

First of all, OIO-Trust is a Danish WS-Trust profile, which basically says how Issue requests should look. The basic premise is that in order to invoke a SOAP service, you need a token. The STS issues the token based on some criteria using the WS-Trust protocol on top of SOAP.
In OIO-Trust, the Issue request must be signed, and it must contain a so-called bootstrap token. The bootstrap token is a SAML 2.0 assertion. Furthermore, the request must contain the X509 certificate which is used to sign the message. The token requested in the Issue request is a PublicKey (that is, asymmetric) token of type SAML 2.0. So, the input is a SAML 2.0 assertion, and the output is also a SAML 2.0 token. More specifically, the output is a holder-of-key token, which has the requestor’s X509 certificate in the SubjectConfirmationData. The assertion is signed by the STS, and by default contains all the attributes from the input assertion.

In order to create an STS using Metro, you need to

  • Configure the Metro servlet in web.xml
  • Implement a simple STS endpoint class
  • Create a WSDL and a security policy
  • Create a number of services for handling attributes, configuration, etc.

Configuring web.xml
This assumes that you’re using a simple servlet container. If the container supports JAX-WS, it shouldn’t be necessary.
When using Metro, all requests go through the same servlet, the WSServlet. The exact endpoint implementation used is then configured in another file, WEB-INF/sun-jaxws.xml. Therefore, simply add the following to web.xml:
[code]
<listener>
  <listener-class>com.sun.xml.ws.transport.http.servlet.WSServletContextListener</listener-class>
</listener>

<servlet>
  <servlet-name>sts</servlet-name>
  <servlet-class>com.sun.xml.ws.transport.http.servlet.WSServlet</servlet-class>
  <load-on-startup>1</load-on-startup>
</servlet>

<servlet-mapping>
  <servlet-name>sts</servlet-name>
  <url-pattern>/services/*</url-pattern>
</servlet-mapping>
[/code]

This maps all requests to /services to Metro.

Implement the STS endpoint
Implementing the endpoint is quite simple, as it’s simply a question of extending a Metro class and injecting a resource. Here is a basic implementation:
[code]
import javax.annotation.Resource;
import javax.xml.transform.Source;
import javax.xml.ws.Provider;
import javax.xml.ws.Service;
import javax.xml.ws.ServiceMode;
import javax.xml.ws.WebServiceContext;
import javax.xml.ws.WebServiceProvider;
import javax.xml.ws.handler.MessageContext;

import com.sun.xml.ws.security.trust.sts.BaseSTSImpl;

// A generic Provider working on the SOAP payload; BaseSTSImpl does all the WS-Trust handling.
@ServiceMode(value = Service.Mode.PAYLOAD)
@WebServiceProvider(wsdlLocation = "WEB-INF/wsdl/sts.wsdl")
public class TokenService extends BaseSTSImpl implements Provider<Source> {

    // Injected by the container; gives BaseSTSImpl access to the current request.
    @Resource
    protected WebServiceContext context;

    protected MessageContext getMessageContext() {
        return context.getMessageContext();
    }
}
[/code]

No changes should be necessary, as the BaseSTSImpl class will handle all WS-Trust communication. What you need to do is to configure the base class according to the local requirements. More on that a little later.

In order to wire the STS endpoint into Metro, you need to create a WEB-INF/sun-jaxws.xml file. The file should contain something like this:

[code]
<?xml version="1.0" encoding="UTF-8"?>
<endpoints xmlns="http://java.sun.com/xml/ns/jax-ws/ri/runtime" version="2.0">
  <!-- implementation is the fully qualified endpoint class; the package is assumed here -->
  <endpoint name="sts"
            implementation="dk.itst.oiosaml.sts.TokenService"
            url-pattern="/services/sts"
            binding="http://schemas.xmlsoap.org/wsdl/soap/http"/>
</endpoints>
[/code]

This binds the TokenService implementation to the url /services/sts using SOAP 1.1 (specified by the binding attribute).

Creating the WSDL and policy file
This is by far the hardest part of creating an STS for Metro. The WSDL should be pretty standard, and the same file can be used for all implementations. However, the WSDL file must also contain a security policy, as defined by WS-SecurityPolicy, and writing the policy can be pretty complicated. Netbeans has some support for writing policies, but I prefer to do it by hand because then you’re sure what you’ll get (once you understand WS-SecurityPolicy, that is).

The WSDL file tends to get somewhat large, so I won’t include it here – instead, you can download it if you want to see it. Basically, the WSDL is split into two parts: the regular WSDL stuff with types, messages, porttypes, bindings, and services, and the WS-SecurityPolicy stuff. Normally, the policy consists of 3 parts: the service policy, which defines which tokens should be used and how the security header should be laid out; a policy which defines signature and encryption requirements for the request; and a policy for the response. These parts are then wired into the normal WSDL using PolicyReference elements.
In the example file, the service policy defines that we’re using an asymmetric binding (that is, the tokens should be different in the request and response – for example when using public/private keys). The policy also says something about the layout, and that the security header must contain a timestamp. Finally, it also enables WS-Addressing.

Because this is an STS, the WSDL also contains a third part, namely static configuration of the STS. This includes configuring which certificates to use, how to validate incoming requests, and how tokens should be created.

Basically, this finishes the configuration of a very basic STS. However, there are some aspects which probably require some adjustments.

Checking if the requesting entity is allowed to access the requested service
When a client requests a new token, it includes a reference to the service in the AppliesTo element. Sometimes, there might be restrictions on who can access what. The Metro STS can check if the client is allowed to access a service by implementing the com.sun.xml.ws.api.security.trust.STSAuthorizationProvider interface. The interface has one method, isAuthorized(subject, appliesTo, tokenType, keyType), which returns true or false:
[code]
package dk.itst.oiosaml.sts;

import javax.security.auth.Subject;
import com.sun.xml.ws.api.security.trust.STSAuthorizationProvider;

public class AuthorizationProvider implements STSAuthorizationProvider {

    // Placeholder: allows every requestor to obtain a token for every service.
    public boolean isAuthorized(Subject subject, String appliesTo, String tokenType, String keyType) {
        return true;
    }
}
[/code]

Metro uses the standard JDK service mechanism to discover implementations of this interface. That means that you should create the file /META-INF/services/ under your source directory and populate the file with the fully qualified classname of the implementation – in this example, create /META-INF/services/com.sun.xml.ws.api.security.trust.STSAuthorizationProvider with the contents dk.itst.oiosaml.sts.AuthorizationProvider.
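As an added example that is not from the post, here is an STSAuthorizationProvider that replaces the permissive stub: it reads the requestor’s X509 certificate from the Subject, looks the certificate’s subject DN up in a constructed allow-list of AppliesTo URIs, and additionally requires the SAML 2.0 PublicKey token and key type that OIO-Trust mandates. That Metro exposes the signing certificate as an X509Certificate public credential of the Subject, and that WS-Trust 1.3 URIs are in use, are assumptions; the DN and the service URI are constructed.

```java
package dk.itst.oiosaml.sts;

import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;

import com.sun.xml.ws.api.security.trust.STSAuthorizationProvider;

/**
 * Allow-list based authorization for Issue requests (added example, not part of the post).
 * Registered through META-INF/services/com.sun.xml.ws.api.security.trust.STSAuthorizationProvider
 * exactly like the stub above.
 */
public class AllowListAuthorizationProvider implements STSAuthorizationProvider {

    // Token type and key type OIO-Trust requires: SAML 2.0, asymmetric (PublicKey).
    // The key type URI assumes WS-Trust 1.3.
    private static final String SAML20_TOKEN_TYPE =
        "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0";
    private static final String PUBLIC_KEY_TYPE =
        "http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey";

    // Constructed allow-list: requestor certificate subject DN (RFC 2253) -> permitted AppliesTo URIs.
    // In a real deployment this comes from the same store the admin console manages.
    private static final Map<String, Set<String>> ALLOWED = new HashMap<String, Set<String>>();
    static {
        Set<String> poc = new HashSet<String>();
        poc.add("http://example.org/services/poc-provider");   // constructed service URI
        ALLOWED.put("CN=poc-client,O=Example,C=DK", poc);      // constructed client DN
    }

    public boolean isAuthorized(Subject subject, String appliesTo, String tokenType, String keyType) {
        // Anything that is not an asymmetric SAML 2.0 request is outside the profile: deny.
        if (!SAML20_TOKEN_TYPE.equals(tokenType) || !PUBLIC_KEY_TYPE.equals(keyType)) {
            return false;
        }
        if (subject == null || appliesTo == null) {
            return false;
        }
        // Assumption: the certificate that signed the request is a public credential of the Subject.
        for (X509Certificate cert : subject.getPublicCredentials(X509Certificate.class)) {
            String dn = cert.getSubjectX500Principal().getName();
            Set<String> permitted = ALLOWED.get(dn);
            if (permitted != null && permitted.contains(appliesTo)) {
                return true;
            }
        }
        // Default deny: no certificate/service pair matched.
        return false;
    }
}
```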

Specifying attributes
Normally, you probably want to be able to configure the contents of the generated assertion, at the very least the attributes used, as well as the NameID of the subject. This is also done using a service implementation, this time using the com.sun.xml.ws.api.security.trust.STSAttributeProvider interface.

The STSAttributeProvider interface has one method, getClaimedAttributes(subject, appliesTo, tokenType, claims), which returns a map of all the attributes and their values.

The subject contains information about the requesting client, in our example identified by an X509 certificate. The claims object contains any claims included in the request. It also holds any tokens included in OnBehalfOf or ActAs. These tokens are placed in claims.getSupportingProperties(), where they can be read as Subject objects. Here’s an example of reading an assertion which has been included in ActAs:
[code]
import java.util.Set;
import javax.security.auth.Subject;
import org.w3c.dom.Element;

import com.sun.xml.ws.api.security.trust.Claims;
import com.sun.xml.wss.saml.Assertion;
import com.sun.xml.wss.saml.SAMLAssertionFactory;

// Returns the SAML 2.0 assertion carried in ActAs (or OnBehalfOf), or null if there is none.
private Assertion getSubject(Claims claims) {
    // Metro exposes the ActAs/OnBehalfOf tokens as Subject objects among the supporting properties.
    Subject subject = null;
    for (Object prop : claims.getSupportingProperties()) {
        if (prop instanceof Subject) {
            subject = (Subject) prop;
        }
    }
    if (subject != null) {
        // The raw assertion is stored as a DOM Element in the Subject's public credentials.
        Set<Element> creds = subject.getPublicCredentials(Element.class);
        if (!creds.isEmpty()) {
            Element assertion = creds.iterator().next();
            try {
                return SAMLAssertionFactory.newInstance(SAMLAssertionFactory.SAML2_0).createAssertion(assertion);
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
    }
    return null;
}
[/code]

The attribute provider can then be implemented – here’s an example where the attributes from the ActAs assertion are simply copied to the resulting assertion:
[code]
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.security.auth.Subject;
import javax.xml.namespace.QName;

import com.sun.xml.ws.api.security.trust.Claims;
import com.sun.xml.ws.api.security.trust.STSAttributeProvider;
import com.sun.xml.wss.saml.Assertion;
import com.sun.xml.wss.saml.Attribute;
import com.sun.xml.wss.saml.AttributeStatement;

public Map<QName, List<String>> getClaimedAttributes(Subject subject, String appliesTo, String tokenType, Claims claims) {
    Map<QName, List<String>> res = new HashMap<QName, List<String>>();
    Assertion assertion = getSubject(claims);
    if (assertion != null) {
        // getAttributes(assertion) is a helper (not shown here) returning the assertion's AttributeStatement.
        AttributeStatement attrs = getAttributes(assertion);
        if (attrs != null) {
            for (Attribute attr : attrs.getAttributes()) {
                List<String> values = new ArrayList<String>();
                for (Object val : attr.getAttributes()) {
                    values.add(val.toString());
                }
                res.put(new QName(attr.getName()), values);
            }
        }
        // Copy the NameID as well; Metro picks it up under STSAttributeProvider.NAME_IDENTIFIER.
        // Kept inside the null check so a request without an ActAs assertion does not fail with an NPE.
        res.put(new QName(assertion.getSubject().getNameId().getNameQualifier(),
                          STSAttributeProvider.NAME_IDENTIFIER),
                Collections.singletonList(assertion.getSubject().getNameId().getValue()));
    }
    return res;
}
[/code]

Notice the last statement, where the NameID is added. The Metro STS will check if an attribute with the name STSAttributeProvider.NAME_IDENTIFIER is present, and in that case use that as the NameID of the subject in the generated assertion.

Handling configuration
The Metro STS must know all services for which it can issue tokens. These services can either be configured statically in the WSDL file, or they can be provided programmatically. The static configuration is probably only interesting when developing; in a production environment, you probably want to build a nice admin console where services can be added and removed at runtime.

Static configuration takes place in the STSConfiguration element in the WSDL file. It can contain a ServiceProviders tag, which can then contain a number of ServiceProvider tags. Each ServiceProvider must be configured with an endpoint (the AppliesTo value), a certificate, and a token type:

[code]
<tc:STSConfiguration xmlns:tc="http://schemas.sun.com/ws/2006/05/trust/server">
  <tc:LifeTime>36000</tc:LifeTime>
  <tc:Contract>com.sun.xml.ws.security.trust.impl.WSTrustContractImpl</tc:Contract>
  <tc:Issuer>urn:localtokenservice</tc:Issuer>
  <tc:ServiceProviders>
    <!-- endpointUri is the AppliesTo value of the service; the original value is not shown -->
    <tc:ServiceProvider endpointUri="PLACEHOLDER-AppliesTo-URI">
      <tc:CertAlias>poc-provider</tc:CertAlias>
      <tc:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</tc:TokenType>
    </tc:ServiceProvider>
  </tc:ServiceProviders>
</tc:STSConfiguration>
[/code]

The static configuration also contains information about the STS’ own id (the Issuer element), as well as the lifetime of issued tokens. The CertAlias value of a ServiceProvider must point to an alias in the trust store.

Programmatic configuration
Controlling configuration programmatically is a question of providing a service implementation of com.sun.xml.ws.api.security.trust.config.STSConfigurationProvider. This interface has a single method, getSTSConfiguration(), which returns a configuration object – either your own implementation or an instance of DefaultSTSConfiguration.
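As an added example that is not from the post, here is an STSConfigurationProvider that builds a DefaultSTSConfiguration from a runtime registry of services (the kind of thing an admin console would maintain), reusing the issuer, lifetime, contract and token type from the static configuration above. The setter names on DefaultSTSConfiguration and DefaultTrustSPMetadata are taken from Metro’s impl package and assumed to match the Metro version in use; the registry and its URI are constructed.

```java
package dk.itst.oiosaml.sts;

import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import com.sun.xml.ws.api.security.trust.config.STSConfiguration;
import com.sun.xml.ws.api.security.trust.config.STSConfigurationProvider;
import com.sun.xml.ws.security.trust.impl.DefaultSTSConfiguration;
import com.sun.xml.ws.security.trust.impl.DefaultTrustSPMetadata;

/**
 * Builds the STS configuration from a runtime registry instead of the static
 * STSConfiguration element in the WSDL (added example, not part of the post).
 * Registered through META-INF/services/com.sun.xml.ws.api.security.trust.config.STSConfigurationProvider.
 */
public class RegistryConfigurationProvider implements STSConfigurationProvider {

    // Same values as the static configuration shown above.
    private static final String ISSUER = "urn:localtokenservice";
    private static final long LIFETIME = 36000L;
    private static final String CONTRACT = "com.sun.xml.ws.security.trust.impl.WSTrustContractImpl";
    private static final String SAML20_TOKEN_TYPE =
        "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0";

    // Constructed stand-in for the admin console's registry: AppliesTo URI -> trust store alias.
    private static final Map<String, String> REGISTRY = new ConcurrentHashMap<String, String>();
    static {
        REGISTRY.put("http://example.org/services/poc-provider", "poc-provider"); // constructed URI
    }

    // Called by the (hypothetical) admin console; takes effect the next time the configuration is built.
    public static void registerService(String appliesTo, String certAlias) {
        REGISTRY.put(appliesTo, certAlias);
    }

    public static void unregisterService(String appliesTo) {
        REGISTRY.remove(appliesTo);
    }

    public STSConfiguration getSTSConfiguration() {
        DefaultSTSConfiguration config = new DefaultSTSConfiguration();
        config.setIssuer(ISSUER);
        config.setType(CONTRACT);              // the WS-Trust contract implementation class
        config.setIssuedTokenTimeout(LIFETIME);
        // One ServiceProvider entry per registered service; the alias must exist in the trust store,
        // since the STS uses that certificate to identify (and encrypt for) the relying party.
        for (Map.Entry<String, String> e : REGISTRY.entrySet()) {
            DefaultTrustSPMetadata sp = new DefaultTrustSPMetadata(e.getKey());
            sp.setCertAlias(e.getValue());
            sp.setTokenType(SAML20_TOKEN_TYPE);
            config.addTrustSPMetadata(sp, e.getKey());
        }
        return config;
    }
}
```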

That more or less concludes my findings for now. There are a number of details I haven’t covered here, but I’ll wait with that until another time.
