Versions Compared


...

CXF supports some of the new functionality defined in the WS-Trust 1.4 specification. The currently supported features are listed below.

ActAs

...

The ActAs capability allows an initiator to request a security token that allows it to act as if it were somebody else. This capability becomes important in composite services where intermediate services make additional requests on-behalf of the true initiator. In this scenario, the relying party (the final destination of an indirect service request) may require information about the true origin of the request. The ActAs capability allows an intermediary to request a token that can convey this information.

The content of the ActAs element to be sent in the STS RequestSecurityToken call is added to the RST verbatim, and can be set in one of two ways:

  1. By specifying a value for the JAX-WS property SecurityConstants.STS_TOKEN_ACT_AS ("ws-security.sts.token.act-as")
  2. By specifying a value for the STSClient.actAs property.

For either case, the value can be one of the following:

  • A String
  • A DOM Element
  • A CallbackHandler object to use to obtain the token

For example, the following code fragment demonstrates how to use an interceptor to dynamically set the content of the ActAs element in the STS RST, by specifying a value for SecurityConstants.STS_TOKEN_ACT_AS. Note that this interceptor is applied to the secured client, the initiator, and not to the STSClient's interceptor chain.

Code Block (java)

import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.ws.security.SecurityConstants;

public class ActAsOutInterceptor extends AbstractPhaseInterceptor<Message> {

    public ActAsOutInterceptor() {
        // This can be in any stage before the WS-SP interceptors
        // setup the STS client and issued token interceptor.
        super(Phase.SETUP);
    }

    @Override
    public void handleMessage(Message message) throws Fault {
        // The value may be a String of well-formed XML, a DOM Element,
        // or a CallbackHandler that supplies the token.
        message.put(SecurityConstants.STS_TOKEN_ACT_AS, ...);
    }
}

Alternatively, the ActAs content may be set directly on the STS as shown below.

Code Block (xml)

<bean name="{http://cxf.apache.org/}TestEndpoint.sts-client"
    class="org.apache.cxf.ws.security.trust.STSClient" abstract="true">
    <property name="wsdlLocation" value="WSDL/wsdl/trust.wsdl"/>
    <property name="serviceName"
        value="{http://cxf.apache.org/securitytokenservice}SecurityTokenService"/>
    <property name="endpointName"
        value="{http://cxf.apache.org/securitytokenservice}SecurityTokenEndpoint"/>
    <property name="actAs" value="..."/>
    <property name="properties">
        <map>
            <entry key="ws-security.sts.token.properties"
                value="etc/bob.properties"/>
            <entry key="ws-security.callback-handler"
                value="interop.client.KeystorePasswordCallback"/>
            <entry key="ws-security.signature.properties"
                value="etc/alice.properties"/>
            <entry key="ws-security.encryption.properties"
                value="etc/bob.properties"/>
        </map>
    </property>
</bean>

OnBehalfOf

The OnBehalfOf capability allows an initiator to request a security token on behalf of somebody else. The content of the OnBehalfOf element to be sent in the STS RequestSecurityToken call can be set in one of two ways:

  1. By specifying a value for the JAX-WS property SecurityConstants.STS_TOKEN_ON_BEHALF_OF ("ws-security.sts.token.on-behalf-of")
  2. By specifying a value for the STSClient.onBehalfOf property.

For either case, the value can be one of the following:

  • A String
  • A DOM Element
  • A CallbackHandler object to use to obtain the token
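The ActAs and OnBehalfOf sections above list the same three value types (String, DOM Element, CallbackHandler) but the page only shows the String case with an elided value. The following is an added example, not code from the CXF project or its documentation, showing one interceptor that populates either element with any of the three forms. The class `DelegationOutInterceptor`, the `Mode` enum, the `TokenCallbackHandler` class and the sample UsernameToken XML are constructed for this example; the use of `org.apache.cxf.ws.security.trust.delegation.DelegationCallback` and its `setToken(Element)` method as the callback the STSClient hands to a CallbackHandler is an assumption about the CXF API, not something stated on this page. The DOM parser is configured with DTD and entity expansion disabled because the token text is copied into the RST verbatim and may originate from an upstream caller.

```java
import java.io.IOException;
import java.io.StringReader;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;

import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.cxf.ws.security.trust.delegation.DelegationCallback; // assumed CXF API
import org.w3c.dom.Element;
import org.xml.sax.InputSource;

/**
 * Sets the ActAs or OnBehalfOf content on the outgoing client message so the
 * STSClient copies it into the RequestSecurityToken. Applied to the secured
 * client (the initiator), not to the STSClient's own interceptor chain.
 */
public class DelegationOutInterceptor extends AbstractPhaseInterceptor<Message> {

    /** Which WS-Trust 1.4 element to populate. */
    public enum Mode { ACT_AS, ON_BEHALF_OF }

    // Constructed sample token: a WS-Security UsernameToken carrying only a username.
    public static final String SAMPLE_TOKEN_XML =
        "<wsse:UsernameToken xmlns:wsse=\"http://docs.oasis-open.org/wss/2004/01/"
        + "oasis-200401-wss-wssecurity-secext-1.0.xsd\">"
        + "<wsse:Username>alice</wsse:Username></wsse:UsernameToken>";

    private final Mode mode;
    private final Object value; // String, DOM Element or CallbackHandler

    public DelegationOutInterceptor(Mode mode, Object value) {
        super(Phase.SETUP); // before the WS-SP interceptors set up the STSClient
        this.mode = mode;
        this.value = value;
    }

    @Override
    public void handleMessage(Message message) throws Fault {
        String key = (mode == Mode.ACT_AS)
            ? SecurityConstants.STS_TOKEN_ACT_AS        // "ws-security.sts.token.act-as"
            : SecurityConstants.STS_TOKEN_ON_BEHALF_OF; // "ws-security.sts.token.on-behalf-of"
        message.put(key, value);
    }

    /** Parse well-formed token XML into a DOM Element with DTDs and entity expansion disabled. */
    public static Element parseToken(String xml) {
        try {
            DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
            dbf.setNamespaceAware(true);
            dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            dbf.setExpandEntityReferences(false);
            return dbf.newDocumentBuilder()
                      .parse(new InputSource(new StringReader(xml)))
                      .getDocumentElement();
        } catch (Exception e) {
            throw new IllegalArgumentException("token is not well-formed XML", e);
        }
    }

    /** Assumed: the STSClient invokes this handler with a DelegationCallback to obtain the token. */
    public static class TokenCallbackHandler implements CallbackHandler {
        @Override
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof DelegationCallback) {
                    ((DelegationCallback) cb).setToken(parseToken(SAMPLE_TOKEN_XML));
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        }
    }

    // Wiring the three forms onto a JAX-WS client proxy (assumed variable `port`):
    // Client client = org.apache.cxf.frontend.ClientProxy.getClient(port);
    // client.getOutInterceptors().add(new DelegationOutInterceptor(Mode.ACT_AS, SAMPLE_TOKEN_XML));
    // client.getOutInterceptors().add(new DelegationOutInterceptor(Mode.ON_BEHALF_OF, parseToken(SAMPLE_TOKEN_XML)));
    // client.getOutInterceptors().add(new DelegationOutInterceptor(Mode.ACT_AS, new TokenCallbackHandler()));
}
```

Only one of the two elements would normally be set per request; register a single interceptor instance per client with the mode that matches the delegation semantics the STS expects.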

WS-Trust using SPNego

As of CXF 2.4.7 and 2.5.3, CXF contains (client) support for WS-Trust using SPNego. See the following blog for an explanation of what this entails, and how to run some system tests in CXF for this feature.

...