Hello!
I'm no expert, but I've made a simple implementation of exactly what you are
asking for. I can send the policy (services.xml) for the STS and code for
the password callback handler, hope it helps.
//password callback handler (class sts_service.PWCBHandler, as referenced from services.xml)
package sts_service;
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;
public class PWCBHandler implements CallbackHandler {
    // username -> password table; filled in by the application (not part of the original snippet)
    private final Map<String, String> userDB = new HashMap<String, String>();
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
            WSPasswordCallback pwcb = (WSPasswordCallback) callbacks[i];
            // USERNAME_TOKEN_UNKNOWN: Rampart passes the plaintext password in for the handler to verify
            if (pwcb.getUsage() == WSPasswordCallback.USERNAME_TOKEN_UNKNOWN) {
                String expected = userDB.get(pwcb.getIdentifier());
                // null-safe: an unknown user fails the check instead of throwing NullPointerException
                if (expected != null && expected.equals(pwcb.getPassword())) {
                    return;
                } else {
                    throw new UnsupportedCallbackException(callbacks[i], "check failed");
                }
            }
        }
    }
}
/Petter
2009/1/26 Tom Schrötter <[email protected]>
> Hello everyone!
>
> Being fairly new to the web service world in general and Rampart
> specifically, I'm currently stuck at what should be a simple problem (and
> probably is).
> I'm trying to set up a Security Token Service which will issue a SAML Token
> to a client based on a plain username/password authentication.
> I've tried to adapt the samples/policy/sample05 that comes with Rampart but
> could not make it work.
>
> Basically I'm a little lost in how to configure the STS to only require a
> username token and no X509 token.
>
> I'd appreciate it if someone could point me in the right direction here.
>
>
> Thank you very much in advance,
> have a nice day
>
> Tom Schroetter
>
<?xml version="1.0" encoding="UTF-8"?>
<service name="STS">
    <module ref="rampart" />
    <module ref="addressing" />
    <module ref="rahas" />
    <parameter name="saml-issuer-config">
        <saml-issuer-config>
            <issuerName>STS</issuerName>
            <issuerKeyAlias>service</issuerKeyAlias>
            <issuerKeyPassword>petter</issuerKeyPassword>
            <cryptoProperties>
                <crypto provider="org.apache.ws.security.components.crypto.Merlin">
                    <property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</property>
                    <property name="org.apache.ws.security.crypto.merlin.file">sts.jks</property>
                    <property name="org.apache.ws.security.crypto.merlin.keystore.password">petter</property>
                </crypto>
            </cryptoProperties>
            <timeToLive>300000</timeToLive>
            <keySize>256</keySize>
            <addRequestedAttachedRef />
            <addRequestedUnattachedRef />
            <!--
                Key computation mechanism
                1 - Use Request Entropy
                2 - Provide Entropy
                3 - Use Own Key
            -->
            <keyComputation>2</keyComputation>
            <!--
                proofKeyType element is valid only if the keyComputation is set to 3
                i.e. Use Own Key
                Valid values are: EncryptedKey & BinarySecret
            -->
            <proofKeyType>BinarySecret</proofKeyType>
            <trusted-services>
                <service alias="service">*</service>
            </trusted-services>
        </saml-issuer-config>
    </parameter>
    <wsp:Policy wsu:Id="UTOverTransport"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
        xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
        <wsp:ExactlyOne>
            <wsp:All>
                <!-- Transport binding: security handled by transport layer e.g. SSL/TLS -->
                <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                    <wsp:Policy>
                        <sp:TransportToken>
                            <wsp:Policy>
                                <!-- Uncomment to use SSL/TLS -->
                                <!-- <sp:HttpsToken RequireClientCertificate="false"/> -->
                            </wsp:Policy>
                        </sp:TransportToken>
                        <sp:AlgorithmSuite>
                            <wsp:Policy>
                                <sp:Basic256/>
                            </wsp:Policy>
                        </sp:AlgorithmSuite>
                        <sp:Layout>
                            <wsp:Policy>
                                <sp:Lax/>
                            </wsp:Policy>
                        </sp:Layout>
                        <sp:IncludeTimestamp/>
                    </wsp:Policy>
                </sp:TransportBinding>
                <sp:SignedSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                    <wsp:Policy>
                        <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient" />
                    </wsp:Policy>
                </sp:SignedSupportingTokens>
                <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
                    <ramp:passwordCallbackClass>sts_service.PWCBHandler</ramp:passwordCallbackClass>
                </ramp:RampartConfig>
            </wsp:All>
        </wsp:ExactlyOne>
    </wsp:Policy>
</service>
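The handler posted in the reply verifies only PasswordText tokens (usage USERNAME_TOKEN_UNKNOWN), compares with a plain String.equals, and gives no treatment to PasswordDigest tokens. The following is an added example, not code from the thread or from Rampart, of a callback handler that covers both usages WSS4J 1.5.x (the version Rampart used at the time) raises for a UsernameToken, returns one generic error for unknown user and wrong password, and compares passwords without a position-dependent early exit. The class name HardenedPWCBHandler, the helper names passwordMatches and sha256, the DUMMY stand-in value and the sample user "alice" are constructed for the example; the WSPasswordCallback constants and accessors are the WSS4J 1.5 API. Note that in the policy above the <sp:HttpsToken> element is commented out, so a PasswordText password would cross the wire unprotected: the plaintext branch only makes sense behind TLS, and clients that cannot use TLS should send a PasswordDigest, which the USERNAME_TOKEN branch handles.

```java
package sts_service;

import java.io.IOException;
import java.nio.charset.Charset;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

/**
 * Hypothetical hardened password callback handler for the STS above (not the
 * code from the reply). It covers both usages WSS4J 1.5.x raises for a
 * UsernameToken:
 *   USERNAME_TOKEN_UNKNOWN - PasswordText token: the plaintext password is in
 *                            the callback and the handler must verify it;
 *   USERNAME_TOKEN         - PasswordDigest token: the handler only supplies the
 *                            stored password and WSS4J verifies the digest.
 */
public class HardenedPWCBHandler implements CallbackHandler {
    private static final Charset UTF8 = Charset.forName("UTF-8");
    // Stand-in secret used when the user does not exist, so the unknown-user
    // path does the same work as the wrong-password path (constructed value).
    private static final String DUMMY = "no-such-user";

    // Constructed sample credential store; a deployment would back this with a
    // directory or database lookup instead of an in-memory map.
    private final Map<String, String> userDB = new HashMap<String, String>();

    public HardenedPWCBHandler() {
        userDB.put("alice", "correct horse battery staple");
    }

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(cb, "unexpected callback type");
            }
            WSPasswordCallback pwcb = (WSPasswordCallback) cb;
            String stored = userDB.get(pwcb.getIdentifier());
            switch (pwcb.getUsage()) {
                case WSPasswordCallback.USERNAME_TOKEN:
                    // Digest mode: WSS4J recomputes Base64(SHA-1(nonce + created + password))
                    // and compares it with the token. Use the same error text as the
                    // plaintext branch so a caller cannot tell "unknown user" from
                    // "wrong password".
                    if (stored == null) {
                        throw new UnsupportedCallbackException(cb, "authentication failed");
                    }
                    pwcb.setPassword(stored);
                    break;
                case WSPasswordCallback.USERNAME_TOKEN_UNKNOWN:
                    // Plaintext mode: the handler itself decides. Unknown user and
                    // wrong password take the same path and produce the same error.
                    if (!passwordMatches(stored, pwcb.getPassword())) {
                        throw new UnsupportedCallbackException(cb, "authentication failed");
                    }
                    break;
                default:
                    throw new UnsupportedCallbackException(cb, "unsupported usage " + pwcb.getUsage());
            }
        }
    }

    /**
     * Compares supplied against expected without an early exit that depends on
     * where the strings first differ: both sides are hashed to a fixed length
     * and compared with MessageDigest.isEqual. A missing user (expected == null)
     * is still run through the comparison, against DUMMY, and then rejected.
     */
    static boolean passwordMatches(String expected, String supplied) {
        if (supplied == null) {
            return false;
        }
        byte[] a = sha256(expected != null ? expected : DUMMY);
        byte[] b = sha256(supplied);
        boolean equal = MessageDigest.isEqual(a, b);
        return expected != null && equal;
    }

    private static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(UTF8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 not available", e);
        }
    }
}
```

To use it in place of the reply's handler, point ramp:passwordCallbackClass in services.xml at sts_service.HardenedPWCBHandler. The store still holds plaintext passwords because digest mode needs the original value to recompute the digest; if only PasswordText over TLS is required, the plaintext branch can instead verify against a salted hash and the USERNAME_TOKEN branch can be removed.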