WS-Trust support in CXF builds upon the WS-SecurityPolicy implementation to handle the IssuedToken policy assertions that could be found in the WS-SecurityPolicy fragment.

Note: Because the WS-IssuedToken support builds on the WS-SecurityPolicy support, this is currently only available to "wsdl first" projects.

WS-Trust extends the WS-Security specification to allow issuing, renewing, and validating security tokens. A lot of what WS-Trust does centers around the use of a "Security Token Service", or STS. The STS is contacted to obtain security tokens that are used to create messages to talk to the services. The primary use of the STS is to acquire SAML tokens used to talk to the service.

Why is this interesting? When using "straight" WS-Security, the client and server need to have keys exchanged in advance. If the client and server are both in the same security domain, that isn't usually a problem, but for larger, complex applications spanning multiple domains, that can be a burden. Also, if multiple services require the same security credentials, updating all the services when those credentials change can be a major operation.

WS-Trust solves this by using security tokens that are obtained from a trusted Security Token Service. A client authenticates itself with the STS based on policies and requirements defined by the STS. The STS then provides a security token (for example, a SAML token) that the client then uses to talk to the target service. The service can validate that token to make sure it really came from the trusted STS.
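The trust relationship described above, reduced to an added example that is not CXF or STS code: a toy STS signs tokens with its private key, and a service that has only the STS's public key pinned accepts a token when the signature verifies under that key, the audience matches and the token has not expired. A token from a second, untrusted STS with equally valid keys is rejected, as is a genuine token whose subject was rewritten after issue. The token layout (subject|audience|expiry|signature), the names Sts, Service, TrustFlowDemo and the urn:example:* audiences are assumptions for illustration; a real STS issues a signed SAML assertion and CXF's WS-Security layer performs the verification.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Signature;
import java.util.Base64;

// Added example, not CXF or STS code: a minimal model of the WS-Trust trust
// relationship. The token layout "subject|audience|expiry|base64(signature)" is
// an assumption for illustration only; a real STS issues a signed SAML assertion.
public class TrustFlowDemo {

    // The STS: holds the signing key whose public half the services trust.
    static final class Sts {
        private final KeyPair signingKey;

        Sts(KeyPair signingKey) { this.signingKey = signingKey; }

        // What gets distributed to the services out of band (in CXF, via the
        // trust store referenced from the service's signature properties).
        PublicKey certificate() { return signingKey.getPublic(); }

        // Issue a token for a client that has already authenticated to the STS
        // (the client's own authentication step is elided here).
        String issue(String subject, String audience, long expiryEpochSec)
                throws GeneralSecurityException {
            String body = subject + "|" + audience + "|" + expiryEpochSec;
            Signature sig = Signature.getInstance("SHA256withRSA");
            sig.initSign(signingKey.getPrivate());
            sig.update(body.getBytes(StandardCharsets.UTF_8));
            return body + "|" + Base64.getEncoder().encodeToString(sig.sign());
        }
    }

    // The target service: never sees the client's own credentials, only the
    // token, and trusts exactly one STS public key configured in advance.
    static final class Service {
        private final String name;
        private final PublicKey trustedSts;

        Service(String name, PublicKey trustedSts) {
            this.name = name;
            this.trustedSts = trustedSts;
        }

        boolean accept(String token, long nowEpochSec) {
            String[] parts = token.split("\\|");
            if (parts.length != 4) {
                return false;
            }
            try {
                // 1. Did the trusted STS really issue this token, and is it unmodified?
                Signature sig = Signature.getInstance("SHA256withRSA");
                sig.initVerify(trustedSts);
                sig.update((parts[0] + "|" + parts[1] + "|" + parts[2]).getBytes(StandardCharsets.UTF_8));
                if (!sig.verify(Base64.getDecoder().decode(parts[3]))) {
                    return false;
                }
                // 2. A genuine token is still only good for its audience and lifetime.
                return name.equals(parts[1]) && Long.parseLong(parts[2]) > nowEpochSec;
            } catch (GeneralSecurityException | IllegalArgumentException e) {
                return false;  // malformed base64/number or signature failure: reject
            }
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        Sts trustedSts = new Sts(gen.generateKeyPair());
        Sts rogueSts = new Sts(gen.generateKeyPair());  // valid keys, but not the one the service trusts
        Service service = new Service("urn:example:MyService", trustedSts.certificate());

        long now = 1_700_000_000L;  // constructed clock value for the demo
        String token = trustedSts.issue("joe", "urn:example:MyService", now + 300);

        System.out.println("trusted STS, right audience, unexpired: " + service.accept(token, now));
        System.out.println("rogue STS, otherwise identical:         "
                + service.accept(rogueSts.issue("joe", "urn:example:MyService", now + 300), now));
        System.out.println("trusted STS, different audience:        "
                + service.accept(trustedSts.issue("joe", "urn:example:Other", now + 300), now));
        System.out.println("trusted STS, expired:                   "
                + service.accept(trustedSts.issue("joe", "urn:example:MyService", now - 1), now));
        System.out.println("subject rewritten after issue:          "
                + service.accept("admin" + token.substring("joe".length()), now));
    }
}
```

Compile and run with `javac TrustFlowDemo.java && java TrustFlowDemo`. The rogue-STS case is the one to keep in mind when configuring a real deployment: a token is only as trustworthy as the service's knowledge of which STS key may sign it, so the STS signing key and the trust store each service verifies against are the assets to protect, and a service that accepted any well-formed SAML token without checking the issuer signature would get none of the benefit described above.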
When the WS-SecurityPolicy runtime in CXF encounters an IssuedToken assertion in the policy, the runtime requires an instance of org.apache.cxf.ws.security.trust.STSClient to talk to the STS to obtain the required token. Since the STSClient is itself a WS-SecurityPolicy client, it needs its own configuration items to be able to create its secure SOAP messages to talk to the STS. There are several ways to configure the STSClient:

Direct configuration of an STS bean in the properties:
In this scenario, an STSClient object is created directly as a property of the client object. The wsdlLocation, service/endpoint names, etc. are all configured in line for that client.
{code:xml}
<jaxws:client name="{http://cxf.apache.org/}MyService">
    <jaxws:properties>
        <entry key="ws-security.sts.client">
            <!-- direct STSClient config and creation -->
            <bean class="org.apache.cxf.ws.security.trust.STSClient">
                <constructor-arg ref="cxf"/>
                <property name="wsdlLocation" value="target/wsdl/trust.wsdl"/>
                <property name="serviceName" value="{http://cxf.apache.org/securitytokenservice}SecurityTokenService"/>
                <property name="endpointName" value="{http://cxf.apache.org/securitytokenservice}SecurityTokenEndpoint"/>
                <property name="properties">
                    <map>
                        <entry key="ws-security.username" value="joe"/>
                        <entry key="ws-security.callback-handler" value="interop.client.KeystorePasswordCallback"/>
                        <entry key="ws-security.signature.properties" value="etc/alice.properties"/>
                        <entry key="ws-security.encryption.properties" value="etc/bob.properties"/>
                    </map>
                </property>
            </bean>
        </entry>
    </jaxws:properties>
</jaxws:client>
{code}
This also works for "code first" cases, as you can do:
{code:java}
// Code-first equivalent of the XML configuration: the constructor takes the Bus
// (the "cxf" constructor-arg above) and the setters mirror the bean properties.
STSClient sts = new STSClient(BusFactory.getDefaultBus());
sts.setWsdlLocation("target/wsdl/trust.wsdl");
sts.setServiceName("{http://cxf.apache.org/securitytokenservice}SecurityTokenService");
sts.setEndpointName("{http://cxf.apache.org/securitytokenservice}SecurityTokenEndpoint");

Map<String, Object> props = new HashMap<>();
props.put("ws-security.callback-handler", "interop.client.KeystorePasswordCallback");
props.put("ws-security.signature.properties", "etc/alice.properties");
sts.setProperties(props);

// Hand the configured STSClient to the port through its request context.
((BindingProvider) port).getRequestContext().put("ws-security.sts.client", sts);
{code}
Indirect configuration based on endpoint name:
If the runtime does not find an STSClient bean configured directly on the client, it checks the configuration for an STSClient bean with the name of the endpoint appended with ".sts-client".

For example, if the endpoint name for your client is "{http://cxf.apache.org/}TestEndpoint", then it can be configured as:
{code:xml}
<bean name="{http://cxf.apache.org/}TestEndpoint.sts-client"
      class="org.apache.cxf.ws.security.trust.STSClient" abstract="true">
    <property name="wsdlLocation" value="WSDL/wsdl/trust.wsdl"/>
    <property name="serviceName" value="{http://cxf.apache.org/securitytokenservice}SecurityTokenService"/>
    <property name="endpointName" value="{http://cxf.apache.org/securitytokenservice}SecurityTokenEndpoint"/>
    <property name="properties">
        <map>
            <entry key="ws-security.signature.properties" value="etc/alice.properties"/>
            <entry key="ws-security.encryption.properties" value="etc/bob.properties"/>
            <entry key="ws-security.sts.token.properties" value="etc/bob.properties"/>
            <entry key="ws-security.callback-handler" value="interop.client.KeystorePasswordCallback"/>
        </map>
    </property>
</bean>
{code}
Default configuration:
If an STSClient is not found by either of the above methods, the runtime then looks for one configured like the indirect case but with the name "default.sts-client". This can be used to configure a single STSClient that is shared by the clients of multiple services.