...
```xml
<jaxws:client name="{http://cxf.apache.org/}MyService" createdFromAPI="true">
    <jaxws:properties>
        <entry key="ws-security.sts.client">
            <!-- direct STSClient config and creation -->
            <bean class="org.apache.cxf.ws.security.trust.STSClient">
                <constructor-arg ref="cxf"/>
                <property name="wsdlLocation" value="target/wsdl/trust.wsdl"/>
                <property name="serviceName" value="{http://cxf.apache.org/securitytokenservice}SecurityTokenService"/>
                <property name="endpointName" value="{http://cxf.apache.org/securitytokenservice}SecurityTokenEndpoint"/>
                <property name="properties">
                    <map>
                        <entry key="ws-security.username" value="alice"/>
                        <entry key="ws-security.callback-handler" value="interop.client.MyCallbackHandler"/>
                        <entry key="ws-security.signature.properties" value="etc/clientKeystore.properties"/>
                        <entry key="ws-security.encryption.properties" value="etc/clientKeystore.properties"/>
                        <entry key="ws-security.encryption.username" value="mystskey"/>
                    </map>
                </property>
            </bean>
        </entry>
    </jaxws:properties>
</jaxws:client>
```
The above example shows a configuration where the STS uses the UsernameToken profile to validate the client. It is assumed that the keystore identified in clientKeystore.properties contains both the private key of the client and the public key of the STS (identified above by the alias mystskey); if not, create separate property files for the signature properties and the encryption properties, pointing to the keystore and the truststore respectively.
Remember that the jaxws:client createdFromAPI attribute needs to be set to true (as shown above) if you created the client programmatically via the CXF APIs, i.e., Endpoint.publish() or Service.getPort().
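An added check (not part of the CXF documentation) for the keystore/truststore split recommended above: it reads the two Merlin property files the way Merlin does, confirms the signature keystore really holds a private key under its configured alias, and confirms the truststore holds the STS certificate under the alias used for ws-security.encryption.username and no private keys at all. The file name etc/stsTruststore.properties and the class name are assumptions; the alias mystskey comes from the configuration above.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Collections;
import java.util.Properties;

/** Verifies that signature and encryption Merlin property files point at the stores they should. */
public class StsCryptoCheck {
    // Key prefix used by the Merlin properties shown on this page.
    private static final String PFX = "org.apache.ws.security.crypto.merlin.";

    /** Reads a Merlin properties file from disk. */
    static Properties read(String path) throws Exception {
        Properties p = new Properties();
        try (InputStream in = new FileInputStream(path)) { p.load(in); }
        return p;
    }

    /** Loads the JKS named in a Merlin properties file, using the same keys Merlin reads. */
    static KeyStore load(Properties p) throws Exception {
        KeyStore ks = KeyStore.getInstance(p.getProperty(PFX + "keystore.type", "jks"));
        try (InputStream in = new FileInputStream(p.getProperty(PFX + "file"))) {
            ks.load(in, p.getProperty(PFX + "keystore.password").toCharArray());
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        // Paths are constructed placeholders matching the jaxws:client entries above.
        Properties sig = read("etc/clientKeystore.properties");   // ws-security.signature.properties
        Properties enc = read("etc/stsTruststore.properties");    // ws-security.encryption.properties (assumed file)
        String stsAlias = "mystskey";                              // ws-security.encryption.username

        // The signature store must contain the client's own private key under the configured alias.
        KeyStore sigKs = load(sig);
        String clientAlias = sig.getProperty(PFX + "keystore.alias");
        if (!sigKs.isKeyEntry(clientAlias)) {
            throw new IllegalStateException("no private key under alias " + clientAlias + " in signature keystore");
        }

        // The truststore must contain the STS certificate and nothing but trusted certificates.
        KeyStore encKs = load(enc);
        if (!encKs.isCertificateEntry(stsAlias)) {
            throw new IllegalStateException("no trusted STS certificate under alias " + stsAlias + " in truststore");
        }
        for (String alias : Collections.list(encKs.aliases())) {
            if (encKs.isKeyEntry(alias)) {
                throw new IllegalStateException("truststore must not hold private keys, found " + alias);
            }
        }
        System.out.println("OK: client key under " + clientAlias + ", STS certificate under " + stsAlias);
    }
}
```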
...
```java
// Programmatic equivalent of the Spring configuration above
STSClient sts = new STSClient(BusFactory.getDefaultBus());
sts.setWsdlLocation("target/wsdl/trust.wsdl");
sts.setServiceName("{http://cxf.apache.org/securitytokenservice}SecurityTokenService");
sts.setEndpointName("{http://cxf.apache.org/securitytokenservice}SecurityTokenEndpoint");
sts.setProperties(properties); // Map<String, Object> with the same ws-security.* entries as above
// Register the STSClient directly on the proxy's request context
((BindingProvider) port).getRequestContext().put("ws-security.sts.client", sts);
```
Sample clientKeystore.properties format:
```properties
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=KeystorePasswordHere
org.apache.ws.security.crypto.merlin.keystore.alias=ClientKeyAlias
org.apache.ws.security.crypto.merlin.file=NameOfKeystore.jks
```
Indirect configuration based on endpoint name:
If the runtime does not find an STSClient bean configured directly on the client, it checks the configuration for an STSClient bean whose name is the endpoint name with ".sts-client" appended. For example, if the endpoint name for your client is "{http://cxf.apache.org/}TestEndpoint", then it can be configured as:
```xml
<bean name="{http://cxf.apache.org/}TestEndpoint.sts-client"
      class="org.apache.cxf.ws.security.trust.STSClient" abstract="true">
    <property name="wsdlLocation" value="WSDL/wsdl/trust.wsdl"/>
    <property name="serviceName" value="{http://cxf.apache.org/securitytokenservice}SecurityTokenService"/>
    <property name="endpointName" value="{http://cxf.apache.org/securitytokenservice}SecurityTokenEndpoint"/>
    <property name="properties">
        <map>
            <entry key="ws-security.sts.token.properties" value="etc/bob.properties"/>
            <entry key="ws-security.callback-handler" value="interop.client.KeystorePasswordCallback"/>
            <entry key="ws-security.signature.properties" value="etc/alice.properties"/>
            <entry key="ws-security.encryption.properties" value="etc/bob.properties"/>
        </map>
    </property>
</bean>
```
The properties configured in this example demonstrate STS validation of the client using the X.509 token profile. The abstract="true" setting on the bean above defers creation of the STSClient object until it is actually needed. When that occurs, the CXF runtime instantiates a new STSClient using the values configured for this bean.
...