The configuration is located in the following spring configuration file (cxf-transport.xml): The CallbackHandler is part of this example project. To configure username/password authentication in CXF/WSS4J you must provide a CallbackHandler. the user and passwords are managed in the file WEB-INF/passwords.xml. The last bean claimsAttributeProvider is described in section 4.5Ĥ.4 Configure Username/password authenticationĪs described in section 1. The configuration related to issuing a token is located in the following spring configuration file (cxf-transport.xml):
For a full list of the supported features by the STS check this blog. This STS endpoint configuration only supports to issue SAML tokens (2.0 or 1.1).
The UsernameToken must be signed which is implicitly supported by HTTPS: The following policy defines a transport binding (https) and expects a UsernameToken be present in the WS-Security header.
I've chosen the simplest one where the policies are embedded into the wsdl for illustration purposes. CXF provides other ways to correlate policies with a wsdl subject (port type, service, port. The following policies must be added to the WSDL.
Update: Have a read through the following blog here which describes how to generate a keystore.Ĥ.2 Configure the WS-SecurityPolicies of the STS endpoint Deploy the tomcatkeystore.jks of the example project to the Tomcat root directory if the Connector is configured as illustrated: The HTTPS connector in Tomcat is configured in conf/server.xml. The HTTP connector should be configured with port 9080. The STS is configured using the spring framework. Setting up the STS involves several steps. The STS has the following dependencies in the Maven project. If you have an LDAP directory in place you can configure the LdapClaimsHandler where you configure the mapping of the claim id (URI) to an LDAP user attribute. The intention of this STS example is to illustrate how to set up an STS. If the STS issues claims using the same role URI, you get role-based access control (or claims based authorization support for WIF based applications out-of-the-box).
Therefore, I reuse Microsoft's role URI which is used by ADFS (Active Directory Federation Service) and Windows Identity Foundation (WIF). The mapping of claims to a SAML attribute statement are described in chapter 7.2. The claim id's are configured according to chapter 7.5 in the specification Identity Metasystem Interoperability. The XML file has the following structure: The claims for each user are configured in a spring configuration file also in WEB-INF/userClaims.xml. If you have an LDAP directory in place or any other JAAS based LoginModule you can also plug in the WSS4J JAASUsernameTokenValidator. The users and passwords are configured in a spring configuration file in WEB-INF/passwords.xml. You can find a running maven project called services/sts here. STS adds claims information to the SAML token in an attribute statement.STS validates an incoming UsernameToken against a local file store.STS WSDL is enriched with the WS-SecurityPolicy information.The STS in this part is configured to support the following functionality: Interoperability testing with Microsoft Windows Identity Foundation The used technologies are CXF 2.5 (to be released soon) and Tomcat 7.Ĭonfigure and deploy CXF STS using ClaimsĬonfigure and deploy Identity Provider (IdP)Ĭonfigure and deploy Tomcat Relying Party (RP)Įnhance Tomcat RP to call a target web services which delegates the identity
This is the first part of a series of blogs on using WS-Federation Passive Requestor Profile to implement a Web and Web Services SSO solution from a web application to a target Web Service. Talend has donated an STS implementation to the Apache CXF community as posted already on this here