Tech Life of Recht » Building an STS with Metro

 Building an STS with Metro

  • January 4th, 2010
  • 10:25 pm

One of my recent tasks has been to see if it is possible to implement an OIO-Trust-compliant STS using the Metro stack from Sun. Metro contains WSIT, which has a number of classes for building an STS, so it's not that hard. However, large portions of the code are quite undocumented, so I decided to write some of my findings down, hence this post (which is probably only interesting to very few people).

First of all, OIO-Trust is a Danish WS-Trust profile, which basically says how Issue requests should look. The basic premise is that in order to invoke a SOAP service, you need a token. The STS issues the token based on some criteria using the WS-Trust protocol on top of SOAP.
In OIO-Trust, the Issue request must be signed, and it must contain a so-called bootstrap token. The bootstrap token is a SAML 2.0 assertion. Furthermore, the request must contain the X509 certificate which is used to sign the message. The token requested in the Issue request is a PublicKey (that is, asymmetric) token of type SAML 2.0. So, the input is a SAML 2.0 assertion, and the output is also a SAML 2.0 token. More specifically, the output is a holder-of-key token, which has the requestor's X509 certificate in the SubjectConfirmationData. The assertion is signed by the STS and by default contains all the attributes from the input assertion.

In order to create an STS using Metro, you need to

  • Configure the Metro servlet in web.xml
  • Implement a simple STS endpoint class
  • Create a WSDL and a security policy
  • Create a number of services for handling attributes, configuration, etc

Configuring web.xml
This assumes that you’re using a simple servlet container. If the container supports JAX-WS, it shouldn’t be necessary.
When using Metro, all requests go through the same servlet, the WSServlet. The exact endpoint implementation used is then configured in another file, WEB-INF/sun-jaxws.xml. Therefore, simply add the following to web.xml:
[code]
<listener>
  <listener-class>com.sun.xml.ws.transport.http.servlet.WSServletContextListener</listener-class>
</listener>

<servlet>
  <servlet-name>sts</servlet-name>
  <servlet-class>com.sun.xml.ws.transport.http.servlet.WSServlet</servlet-class>
  <load-on-startup>1</load-on-startup>
</servlet>

<servlet-mapping>
  <servlet-name>sts</servlet-name>
  <url-pattern>/services/*</url-pattern>
</servlet-mapping>
[/code]

This maps all requests to /services to Metro.

Implement the STS endpoint
Implementing the endpoint is quite simple, as it’s simply a question of extending a Metro class and injecting a resource. Here is a basic implementation:
[code]
import javax.annotation.Resource;
import javax.xml.transform.Source;
import javax.xml.ws.Provider;
import javax.xml.ws.Service;
import javax.xml.ws.ServiceMode;
import javax.xml.ws.WebServiceContext;
import javax.xml.ws.WebServiceProvider;
import javax.xml.ws.handler.MessageContext;

import com.sun.xml.ws.security.trust.sts.BaseSTSImpl;

// PAYLOAD mode: the provider receives the SOAP body (the RequestSecurityToken) as a Source
@ServiceMode(value = Service.Mode.PAYLOAD)
@WebServiceProvider(wsdlLocation = "WEB-INF/wsdl/sts.wsdl")
public class TokenService extends BaseSTSImpl implements Provider<Source> {

    // Injected by the container; BaseSTSImpl uses it to reach the current request's context
    @Resource
    protected WebServiceContext context;

    protected MessageContext getMessageContext() {
        return context.getMessageContext();
    }
}
[/code]

No changes should be necessary, as the BaseSTSImpl class will handle all WS-Trust communication. What you need to do is to configure the base class according to the local requirements. More on that a little later.

In order to wire the STS endpoint into Metro, you need to create a WEB-INF/sun-jaxws.xml file. The file should contain something like this:

[code]
<endpoints xmlns="http://java.sun.com/xml/ns/jax-ws/ris/runtime" version="2.0">
  <!-- implementation: the TokenService class above (the package is assumed here);
       binding: the SOAP 1.1/HTTP binding id -->
  <endpoint name="sts"
            implementation="dk.itst.oiosaml.sts.TokenService"
            url-pattern="/services/sts"
            binding="http://schemas.xmlsoap.org/wsdl/soap/http"/>
</endpoints>
[/code]

This binds the TokenService implementation to the url /services/sts using SOAP 1.1 (specified by the binding attribute).

Creating the WSDL and policy file
This is by far the hardest part of creating an STS for Metro. The WSDL should be pretty standard, and the same file can be used for all implementations. However, the WSDL file must also contain a security policy, as defined by WS-SecurityPolicy, and writing the policy can be pretty complicated. Netbeans has some support for writing policies, but I prefer to do it by hand because then you’re sure what you’ll get (once you understand WS-SecurityPolicy, that is).

The WSDL file tends to get somewhat large, so I won't include it here. Instead, you can download it if you want to see it. Basically, the WSDL is split into two parts: the regular WSDL stuff with types, messages, porttypes, bindings, and services, and the WS-SecurityPolicy stuff. Normally, the policy consists of 3 parts: the service policy, which defines which tokens should be used and what the security header layout should be; a policy which defines signature and encryption requirements for the request; and a policy for the response. These parts are then wired into the normal WSDL using PolicyReference elements.
In the example file, the service policy defines that we're using an asymmetric binding (that is, the tokens are different in the request and response, for example when using public/private keys). The policy also says something about the layout, and that the security header must contain a timestamp. Finally, it also enables WS-Addressing.

Because this is an STS, the WSDL also contains a third part, namely static configuration of the STS. This includes configuring which certificates to use, how to validate incoming requests, and how tokens should be created.

Basically, this finishes the configuration of a very basic STS. However, there are some aspects which probably require some adjustments.

Checking if the requesting entity is allowed to access the requested service
When a client requests a new token, it includes a reference to the service in the AppliesTo element. Sometimes, there might be restrictions on who can access what. The Metro STS can check if the client is allowed to access a service by implementing the com.sun.xml.ws.api.security.trust.STSAuthorizationProvider interface. The interface has one method, isAuthorized(subject, appliesTo, tokenType, keyType), which returns true or false:
[code]
package dk.itst.oiosaml.sts;

import javax.security.auth.Subject;
import com.sun.xml.ws.api.security.trust.STSAuthorizationProvider;

public class AuthorizationProvider implements STSAuthorizationProvider {

    // Minimal implementation: every requester may obtain a token for every service.
    // A real deployment decides based on the subject's certificate and appliesTo.
    public boolean isAuthorized(Subject subject, String appliesTo, String tokenType, String keyType) {
        return true;
    }
}
[/code]

Metro uses the standard JDK service mechanism to discover implementations of this interface. That means that you should create a file under /META-INF/services/ in your source directory, named after the interface, and populate it with the fully qualified class name of the implementation. In this example, create /META-INF/services/com.sun.xml.ws.api.security.trust.STSAuthorizationProvider with the contents dk.itst.oiosaml.sts.AuthorizationProvider.
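As an added example (not code from the original post), here is an STSAuthorizationProvider that actually enforces something instead of returning true: it denies the Issue request unless the requester's X509 certificate, which Metro places on the Subject as a public credential, is on an allow-list for the requested AppliesTo service, and unless the request asks for the SAML 2.0 PublicKey token that OIO-Trust prescribes. The class name, the endpoint and the DN are constructed; the class is registered through META-INF/services exactly like the one above.

```java
package dk.itst.oiosaml.sts;

import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import javax.security.auth.Subject;

import com.sun.xml.ws.api.security.trust.STSAuthorizationProvider;

/**
 * Allow-list based authorization: a token for a service is issued only to
 * requesters whose signing certificate subject is listed for that service.
 * Anything unknown (service, certificate, token or key type) is denied.
 */
public class AllowListAuthorizationProvider implements STSAuthorizationProvider {

    // Token type the STS is configured to issue (same URI as in the STSConfiguration)
    private static final String SAML2_TOKEN_TYPE =
        "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0";

    // Constructed sample policy: AppliesTo endpoint -> certificate subject DNs
    // (RFC 2253 form, as returned by X500Principal.getName()) allowed to use it.
    // A production STS would load this from the same store an admin console writes to.
    private final Map<String, Set<String>> allowedSubjects = new HashMap<String, Set<String>>();

    public AllowListAuthorizationProvider() {
        Set<String> pocClients = new HashSet<String>();
        pocClients.add("CN=poc-client,O=Example,C=DK");                 // constructed DN
        allowedSubjects.put("http://localhost:8080/poc/services/provider", // constructed endpoint
                            pocClients);
    }

    public boolean isAuthorized(Subject subject, String appliesTo, String tokenType, String keyType) {
        // OIO-Trust requests a SAML 2.0 PublicKey (holder-of-key) token; refuse other
        // explicit requests. A null value means "use the configured default", which is allowed.
        if (tokenType != null && !SAML2_TOKEN_TYPE.equals(tokenType)) {
            return false;
        }
        if (keyType != null && !keyType.endsWith("/PublicKey")) {
            return false;
        }
        Set<String> allowed = allowedSubjects.get(appliesTo);
        if (allowed == null) {
            return false; // unknown service: the STS has nothing to issue a token for
        }
        // The signing certificate from the request ends up as a public credential on the Subject
        for (X509Certificate cert : subject.getPublicCredentials(X509Certificate.class)) {
            if (allowed.contains(cert.getSubjectX500Principal().getName())) {
                return true;
            }
        }
        return false; // no certificate on the subject, or none on the allow-list
    }
}
```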

Specifying attributes
Normally, you probably want to be able to configure the contents of the generated assertion, at the very least the attributes used, as well as the NameID of the subject. This is also done using a service implementation, this time using the com.sun.xml.ws.api.security.trust.STSAttributeProvider interface.

The STSAttributeProvider interface has one method, getClaimedAttributes(subject, appliesTo, tokenType, claims), which returns a map of all the attributes and their values.

The subject contains information about the requesting client, in our example identified by an X509 certificate. The claims object contains any claims included in the request. It also holds any tokens included in OnBehalfOf or ActAs. These tokens are placed in claims.getSupportingProperties(), where they can be read as Subject objects. Here's an example of reading an assertion which has been included in ActAs:
[code]
import java.util.Set;

import javax.security.auth.Subject;

import org.w3c.dom.Element;

import com.sun.xml.ws.api.security.trust.Claims;
import com.sun.xml.wss.saml.Assertion;
import com.sun.xml.wss.saml.SAMLAssertionFactory;

// Returns the SAML 2.0 assertion carried in ActAs (or OnBehalfOf), or null if there is none
private Assertion getSubject(Claims claims) {
    Subject subject = null;
    for (Object prop : claims.getSupportingProperties()) {
        if (prop instanceof Subject) {
            subject = (Subject) prop;
        }
    }
    if (subject != null) {
        // The assertion is stored as a DOM Element among the Subject's public credentials
        Set<Element> creds = subject.getPublicCredentials(Element.class);
        if (!creds.isEmpty()) {
            Element assertion = creds.iterator().next();
            try {
                return SAMLAssertionFactory.newInstance(SAMLAssertionFactory.SAML2_0).createAssertion(assertion);
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
    }
    return null;
}
[/code]

The attribute provider can then be implemented – here’s an example where the attributes from the ActAs assertion are simply copied to the resulting assertion:
[code]
public Map<QName, List<String>> getClaimedAttributes(Subject subject, String appliesTo, String tokenType, Claims claims) {
    Map<QName, List<String>> res = new HashMap<QName, List<String>>();
    Assertion assertion = getSubject(claims);
    if (assertion != null) {
        // getAttributes(assertion) is a helper (not shown) returning the assertion's AttributeStatement
        AttributeStatement attrs = getAttributes(assertion);
        for (Attribute attr : attrs.getAttributes()) {
            List<String> values = new ArrayList<String>();
            for (Object val : attr.getAttributes()) {
                values.add(val.toString());
            }
            res.put(new QName(attr.getName()), values);
        }
        // Copy the NameID as well. Kept inside the null check so that a request
        // without an ActAs assertion does not throw a NullPointerException.
        res.put(new QName(assertion.getSubject().getNameId().getNameQualifier(),
                          STSAttributeProvider.NAME_IDENTIFIER),
                Collections.singletonList(assertion.getSubject().getNameId().getValue()));
    }
    return res;
}
[/code]

Notice the statement where the NameID is added. The Metro STS checks whether an attribute with the name STSAttributeProvider.NAME_IDENTIFIER is present, and if so uses it as the NameID of the subject in the generated assertion.

Handling configuration
The Metro STS must know all services for which it can issue tokens. These services can either be configured statically in the WSDL file, or they can be provided programmatically. The static configuration is probably only interesting while developing; in a production environment, you probably want to build a nice admin console where services can be added and removed at runtime.

Static configuration takes place in the STSConfiguration element in the WSDL file. It can contain a ServiceProviders tag, which can then contain a number of ServiceProvider tags. Each ServiceProvider must be configured with an endpoint (the AppliesTo value), a certificate, and a token type:

[code]
<tc:STSConfiguration xmlns:tc="http://schemas.sun.com/ws/2006/05/trust/server">
  <tc:LifeTime>36000</tc:LifeTime>
  <tc:Contract>com.sun.xml.ws.security.trust.impl.WSTrustContractImpl</tc:Contract>
  <tc:Issuer>urn:localtokenservice</tc:Issuer>
  <tc:ServiceProviders>
    <!-- endpoint is the AppliesTo value; the original value is not on the page, placeholder used -->
    <tc:ServiceProvider endpoint="SERVICE_ENDPOINT_URL">
      <tc:CertAlias>poc-provider</tc:CertAlias>
      <tc:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</tc:TokenType>
    </tc:ServiceProvider>
  </tc:ServiceProviders>
</tc:STSConfiguration>
[/code]

The static configuration also contains information about the STS’ own id (the Issuer element), as well as the lifetime of issued tokens. The CertAlias value of a ServiceProvider must point to an alias in the trust store.

Programmatic configuration
Controlling configuration programmatically is a question of providing a service implementation of com.sun.xml.ws.api.security.trust.config.STSConfigurationProvider. This interface has a single method, getSTSConfiguration(), which returns a configuration object, either your own implementation or an instance of DefaultSTSConfiguration.

That more or less concludes my findings for now. There are a number of details I haven’t covered here, but I’ll wait with that until another time.
