Tech Life of Recht » Building an STS with Metro

 Building an STS with Metro

  • January 4th, 2010
  • 10:25 pm

One of my recent tasks has been to see if it was possible to implement an OIO-Trust-compliant STS using the Metro stack from Sun. Metro contains WSIT, which has a number of classes for building an STS, so it's not that hard. However, large portions of the code are quite undocumented, so I decided to write some of my findings down, hence this post (which is probably only interesting to a very few people).

First of all, OIO-Trust is a Danish WS-Trust profile, which basically says how Issue requests should look. The basic premise is that in order to invoke a SOAP service, you need a token. The STS issues the token based on some criteria using the WS-Trust protocol on top of SOAP.
In OIO-Trust, the Issue request must be signed, and it must contain a so-called bootstrap token. The bootstrap token is a SAML 2.0 assertion. Furthermore, the request must contain the X509 certificate which is used to sign the message. The token requested in the Issue request is a PublicKey (that is, asymmetric) token of type SAML 2.0. So, the input is a SAML 2.0 assertion, and the output is also a SAML 2.0 token. More specifically, the output is a holder-of-key token, which has the requestor's X509 certificate in the SubjectConfirmationData. The assertion is signed by the STS, and by default contains all the attributes from the input assertion.

In order to create an STS using Metro, you need to

  • Configure the Metro servlet in web.xml
  • Implement a simple STS endpoint class
  • Create a WSDL and a security policy
  • Create a number of services for handling attributes, configuration, etc.

Configuring web.xml
This assumes that you're using a simple servlet container. If the container supports JAX-WS, it shouldn't be necessary.
When using Metro, all requests go through the same servlet, the WSServlet. The exact endpoint implementation used is then configured in another file, WEB-INF/sun-jaxws.xml. Therefore, simply add the following to web.xml:

CODE:
  <listener>
    <listener-class>com.sun.xml.ws.transport.http.servlet.WSServletContextListener</listener-class>
  </listener>
  <servlet>
    <servlet-name>sts</servlet-name>
    <servlet-class>com.sun.xml.ws.transport.http.servlet.WSServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>sts</servlet-name>
    <url-pattern>/services/*</url-pattern>
  </servlet-mapping>

This maps all requests under /services to Metro.

Implement the STS endpoint
Implementing the endpoint is quite simple, as it's simply a question of extending a Metro class and injecting a resource. Here is a basic implementation:

CODE:
  import javax.annotation.Resource;
  import javax.xml.transform.Source;
  import javax.xml.ws.Provider;
  import javax.xml.ws.Service;
  import javax.xml.ws.ServiceMode;
  import javax.xml.ws.WebServiceContext;
  import javax.xml.ws.WebServiceProvider;
  import javax.xml.ws.handler.MessageContext;

  import com.sun.xml.ws.security.trust.sts.BaseSTSImpl;

  @ServiceMode(value=Service.Mode.PAYLOAD)
  @WebServiceProvider(wsdlLocation="WEB-INF/wsdl/sts.wsdl")
  public class TokenService extends BaseSTSImpl implements Provider<Source> {
      @Resource
      protected WebServiceContext context;

      // BaseSTSImpl needs the message context to read the WS-Trust request.
      protected MessageContext getMessageContext() {
          MessageContext msgCtx = context.getMessageContext();
          return msgCtx;
      }
  }

No changes should be necessary, as the BaseSTSImpl class will handle all WS-Trust communication. What you need to do is to configure the base class according to the local requirements. More on that a little later.

In order to wire the STS endpoint into Metro, you need to create a WEB-INF/sun-jaxws.xml file. The file should contain something like this:

CODE:
  <endpoints
      xmlns="http://java.sun.com/xml/ns/jax-ws/ri/runtime"
      version="2.0">

      <endpoint
          name="sts"
          implementation="dk.itst.oiosaml.sts.TokenService"
          wsdl="WEB-INF/wsdl/sts.wsdl"
          service="{http://tempuri.org/}SecurityTokenService"
          port="{http://tempuri.org/}ISecurityTokenService_Port"
          binding="http://schemas.xmlsoap.org/wsdl/soap/http"
          url-pattern="/sts" />
  </endpoints>

This binds the TokenService implementation to the URL /services/sts using SOAP 1.1 (specified by the binding attribute).

Creating the WSDL and policy file
This is by far the hardest part of creating an STS for Metro. The WSDL should be pretty standard, and the same file can be used for all implementations. However, the WSDL file must also contain a security policy, as defined by WS-SecurityPolicy, and writing the policy can be pretty complicated. NetBeans has some support for writing policies, but I prefer to do it by hand because then you're sure what you'll get (once you understand WS-SecurityPolicy, that is).

The WSDL file tends to get somewhat large, so I won't include it here - instead, you can download it if you want to see it. Basically, the WSDL is split into two parts: the regular WSDL stuff with types, messages, port types, bindings, and services, and the WS-SecurityPolicy stuff. Normally, the policy consists of three parts: the service policy, which defines which tokens should be used and how the security header should be laid out; a policy which defines signature and encryption requirements for the request; and a policy for the response. These parts are then wired into the normal WSDL using PolicyReference elements.
In the example file, the service policy defines that we're using an asymmetric binding (that is, the tokens are different in the request and response - for example when using public/private keys). The policy also says something about the layout, and that the security header must contain a timestamp. Finally, it also enables WS-Addressing.

Because this is an STS, the WSDL also contains a third part, namely static configuration of the STS. This includes configuring which certificates to use, how to validate incoming requests, and how tokens should be created.

Basically, this finishes the configuration of a very basic STS. However, there are some aspects which probably require some adjustments.

Checking if the requesting entity is allowed to access the requested service
When a client requests a new token, it includes a reference to the service in the AppliesTo element. Sometimes, there might be restrictions on who can access what. The Metro STS can check if the client is allowed to access a service by implementing the com.sun.xml.ws.api.security.trust.STSAuthorizationProvider interface. The interface has one method, isAuthorized(subject, appliesTo, tokenType, keyType), which returns true or false:

CODE:
  package dk.itst.oiosaml.sts;

  import javax.security.auth.Subject;
  import com.sun.xml.ws.api.security.trust.STSAuthorizationProvider;

  public class AuthorizationProvider implements STSAuthorizationProvider {

    // Returns true unconditionally, so every requestor may obtain a token for
    // any service. Replace this with a real check before going to production.
    public boolean isAuthorized(Subject subject, String appliesTo, String tokenType, String keyType) {
      return true;
    }
  }

Metro uses the standard JDK service mechanism to discover implementations of this interface. That means that you should create a file under /META-INF/services/ in your source directory, named after the interface, and populate the file with the fully qualified class name of the implementation - in this example, create /META-INF/services/com.sun.xml.ws.api.security.trust.STSAuthorizationProvider with the contents dk.itst.oiosaml.sts.AuthorizationProvider.
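As an added example (not code from the original post or from Metro), here is an authorization provider that denies by default: it only issues SAML 2.0 PublicKey tokens, and only to requestors on an allow-list keyed by the subject DN of the certificate that signed the request, for the endpoints they are registered for. The allow-list contents and class name are mine, and so is the assumption that Metro exposes the requestor's X509Certificate among the Subject's public credentials; the token type URI is the one used in the STSConfiguration later in the post, and the key type URI is the WS-Trust 1.3 PublicKey value.

```java
package dk.itst.oiosaml.sts;

import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import com.sun.xml.ws.api.security.trust.STSAuthorizationProvider;

// Added example, not from the original post: an STSAuthorizationProvider that
// only allows SAML 2.0 / PublicKey tokens for (requestor, service) pairs on an
// allow-list keyed by the requestor certificate's subject DN.
public class AllowListAuthorizationProvider implements STSAuthorizationProvider {
    private static final String SAML20_TOKEN_TYPE =
        "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0";
    private static final String PUBLIC_KEY_TYPE =
        "http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey";

    // Constructed sample allow-list: certificate subject DN (RFC 2253 form, as
    // returned by X500Principal.getName()) -> AppliesTo endpoints it may request.
    private static final Map<String, Set<String>> ALLOWED = new HashMap<String, Set<String>>();
    static {
        ALLOWED.put("CN=poc-client,O=Example", new HashSet<String>(Collections.singleton(
            "http://localhost:8880/poc-provider/ProviderService")));
    }

    public boolean isAuthorized(Subject subject, String appliesTo, String tokenType, String keyType) {
        // OIO-Trust: the request must ask for a SAML 2.0 holder-of-key (PublicKey) token.
        if (!SAML20_TOKEN_TYPE.equals(tokenType) || !PUBLIC_KEY_TYPE.equals(keyType)) {
            return false;
        }
        if (subject == null || appliesTo == null) {
            return false;
        }
        // Assumption: Metro places the signing X509 certificate among the
        // subject's public credentials after verifying the request signature.
        for (X509Certificate cert : subject.getPublicCredentials(X509Certificate.class)) {
            String dn = cert.getSubjectX500Principal().getName();
            Set<String> endpoints = ALLOWED.get(dn);
            if (endpoints != null && endpoints.contains(appliesTo)) {
                return true;
            }
        }
        // Deny by default: unknown requestor, or known requestor asking for a service it is not registered for.
        return false;
    }
}
```

Register it exactly like the provider above, via /META-INF/services/com.sun.xml.ws.api.security.trust.STSAuthorizationProvider.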

Specifying attributes
Normally, you probably want to be able to configure the contents of the generated assertion, at the very least the attributes used, as well as the NameID of the subject. This is also done using a service implementation, this time using the com.sun.xml.ws.api.security.trust.STSAttributeProvider interface.

The STSAttributeProvider interface has one method, getClaimedAttributes(subject, appliesTo, tokenType, claims), which returns a map of all the attributes and their values.

The subject contains information about the requesting client, in our example identified by an X509 certificate. The claims object contains any claims included in the request. It also holds any tokens included in OnBehalfOf or ActAs. These tokens are placed in claims.getSupportingProperties(), where they can be read as Subject objects. Here's an example of reading an assertion which has been included in ActAs:

CODE:
  // Pulls the SAML 2.0 assertion out of the ActAs (or OnBehalfOf) Subject that
  // Metro adds to the claims' supporting properties. Assertion and
  // SAMLAssertionFactory are Metro's com.sun.xml.wss.saml classes.
  // Returns null when the request carried no such assertion.
  private Assertion getSubject(Claims claims) {
    Subject subject = null;
    for (Object prop : claims.getSupportingProperties()) {
      if (prop instanceof Subject) {
        subject = (Subject) prop;
      }
    }
    if (subject != null) {
      // The raw assertion is stored as a DOM Element among the public credentials.
      Set<Element> creds = subject.getPublicCredentials(Element.class);
      if (!creds.isEmpty()) {
        Element assertion = creds.iterator().next();
        try {
          Assertion saml = SAMLAssertionFactory.newInstance(SAMLAssertionFactory.SAML2_0).createAssertion(assertion);
          return saml;
        } catch (Exception e) {
          e.printStackTrace();
        }
      }
    }
    return null;
  }

The attribute provider can then be implemented - here's an example where the attributes from the ActAs assertion are simply copied to the resulting assertion:

CODE:
  public Map<QName, List<String>> getClaimedAttributes(Subject subject, String appliesTo, String tokenType, Claims claims) {
    Map<QName, List<String>> res = new HashMap<QName, List<String>>();
    Assertion assertion = getSubject(claims);
    if (assertion == null) {
      // No ActAs/OnBehalfOf assertion: nothing to copy and no NameID to set.
      // (The original fell through to assertion.getSubject() here and would throw a NullPointerException.)
      return res;
    }
    // getAttributes(assertion) is a small helper (not shown) that picks the
    // AttributeStatement out of the assertion's statements; null if there is none.
    AttributeStatement attrs = getAttributes(assertion);
    if (attrs != null) {
      for (Attribute attr : attrs.getAttributes()) {
        List<String> values = new ArrayList<String>();
        for (Object val : attr.getAttributes()) {
          values.add(val.toString());
        }
        res.put(new QName(attr.getName()), values);
      }
    }

    // Carry the NameID of the input assertion over to the issued assertion.
    res.put(new QName(assertion.getSubject().getNameId().getNameQualifier(),
        STSAttributeProvider.NAME_IDENTIFIER),
        Collections.singletonList(assertion.getSubject().getNameId().getValue()));
    return res;
  }

Notice the last statement, where the NameID is added. The Metro STS will check if an attribute with the name STSAttributeProvider.NAME_IDENTIFIER is present, and in that case use that as the NameID of the subject in the generated assertion.

Handling configuration
The Metro STS must know all services for which it can issue tokens. These services can either be configured statically in the WSDL file, or they can be provided programmatically. The static configuration is probably only interesting when developing; in a production environment, you probably want to build a nice admin console where services can be added and removed at runtime.

Static configuration takes place in the STSConfiguration element in the WSDL file. It can contain a ServiceProviders tag, which can then contain a number of ServiceProvider tags. Each ServiceProvider must be configured with an endpoint (the AppliesTo value), a certificate, and a token type:

CODE:
  <tc:STSConfiguration xmlns:tc="http://schemas.sun.com/ws/2006/05/trust/server" encryptIssuedKey="false" encryptIssuedToken="false">
    <tc:LifeTime>36000</tc:LifeTime>
    <tc:Contract>com.sun.xml.ws.security.trust.impl.WSTrustContractImpl</tc:Contract>
    <tc:Issuer>urn:localtokenservice</tc:Issuer>
    <tc:ServiceProviders>
      <tc:ServiceProvider endPoint="http://localhost:8880/poc-provider/ProviderService">
        <tc:CertAlias>poc-provider</tc:CertAlias>
        <tc:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</tc:TokenType>
      </tc:ServiceProvider>
    </tc:ServiceProviders>
  </tc:STSConfiguration>

The static configuration also contains the STS's own ID (the Issuer element), as well as the lifetime of issued tokens. The CertAlias value of a ServiceProvider must point to an alias in the trust store.

Programmatic configuration
Controlling configuration programmatically is a question of providing a service implementation of com.sun.xml.ws.api.security.trust.config.STSConfigurationProvider. This interface has a single method, getSTSConfiguration(), which returns a configuration object - either your own implementation or an instance of DefaultSTSConfiguration.
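As an added example, not from the original post, here is an STSConfigurationProvider that builds the same configuration as the static STSConfiguration element above, but takes its service providers from an in-memory registry that an admin console could update at runtime. The registry and class names are mine; the DefaultSTSConfiguration and DefaultTrustSPMetadata constructor and setter names are the ones I recall from Metro's com.sun.xml.ws.security.trust.impl package and are an assumption to check against your Metro version.

```java
package dk.itst.oiosaml.sts;

import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import com.sun.xml.ws.api.security.trust.config.STSConfiguration;
import com.sun.xml.ws.api.security.trust.config.STSConfigurationProvider;
import com.sun.xml.ws.security.trust.impl.DefaultSTSConfiguration;
import com.sun.xml.ws.security.trust.impl.DefaultTrustSPMetadata;

// Added example (not from the original post): programmatic STS configuration
// backed by a registry of service providers that can change at runtime.
// Setter names on the Default* classes are assumed; verify against your Metro version.
public class RuntimeSTSConfigurationProvider implements STSConfigurationProvider {
    private static final String SAML20_TOKEN_TYPE =
        "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0";

    // Constructed registry: AppliesTo endpoint -> trust store alias of the service's certificate.
    // Seeded with the same entry as the static configuration; an admin console
    // would call registerService/unregisterService.
    private static final Map<String, String> SERVICES = new ConcurrentHashMap<String, String>();
    static {
        SERVICES.put("http://localhost:8880/poc-provider/ProviderService", "poc-provider");
    }

    public static void registerService(String endpoint, String certAlias) {
        SERVICES.put(endpoint, certAlias);
    }

    public static void unregisterService(String endpoint) {
        SERVICES.remove(endpoint);
    }

    public STSConfiguration getSTSConfiguration() {
        DefaultSTSConfiguration config = new DefaultSTSConfiguration();
        // Same values as the static configuration: issuer id, token lifetime, no encryption.
        config.setIssuer("urn:localtokenservice");
        config.setIssuedTokenTimeout(36000);
        config.setEncryptIssuedKey(false);
        config.setEncryptIssuedToken(false);
        // One TrustSPMetadata per registered service. The alias must exist in the
        // trust store, otherwise token issuance for that endpoint fails.
        for (Map.Entry<String, String> entry : SERVICES.entrySet()) {
            DefaultTrustSPMetadata sp = new DefaultTrustSPMetadata(entry.getKey());
            sp.setCertAlias(entry.getValue());
            sp.setTokenType(SAML20_TOKEN_TYPE);
            config.addTrustSPMetadata(sp, entry.getKey());
        }
        return config;
    }
}
```

It is discovered through the same /META-INF/services/ mechanism as the other providers, here in a file named com.sun.xml.ws.api.security.trust.config.STSConfigurationProvider.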

That more or less concludes my findings for now. There are a number of details I haven't covered here, but I'll wait with that until another time.

25 People had this to say...

[...] This post was mentioned on Twitter by sorenp, Joakim Recht. Joakim Recht said: Building an STS with #metro: http://bit.ly/5RiVOq #wstrust #wsdeathstar #toomuchxml [...]

[...] pm Yesterday, I wrote about how to implement an STS with Metro. The reason for implementing an STS in the first place is that it enables identity delegation, [...]

  • Wahid Bashirazad
  • April 7th, 2010
  • 10:57 am

Thanks a lot for the interesting article.
Where could I download the complete WSDL file?

is there one file to download for the complete WSDL with my great thanks

  • Andy
  • May 6th, 2011
  • 2:20 pm

I’ve configured the Metro servlet in web.xml, and created a number of services for handling attributes.
What’s next?

  • milind
  • June 21st, 2011
  • 1:56 pm

Do you have a working sample of this? If so can you please share with me?

Thanks
