Colm and Oliver,
Thanks for your responses and tips. I would definitely use a callback handler
in a production environment.
Since I am going to use Symmetric bindings, I need to add certificates for
both the Service Provider and the STS to the client keystore for encrypting
requests to the WSP and the STS. Following is part of my client configuration
file. I don't think that I configured 'myservicekey' and 'mystskey' right.
Could you correct me?
<map>
  <entry key="ws-security.username" value="GLOBAL\\Certificateuser"/>
  <entry key="ws-security.password" value="Welcome2"/>
  <entry key="ws-security.signature.properties" value="clientKeystore.properties"/>
  <entry key="ws-security.signature.username" value="clientkey"/>
  <entry key="ws-security.encryption.properties" value="clientKeystore.properties"/>
  <entry key="ws-security.encryption.username" value="mystskey"/>
  <entry key="ws-security.encryption.username" value="myservicekey"/>
  <entry key="ws-security.is-bsp-compliant" value="false"/>
</map>
And following is the content of my clientKeystore.properties file.
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=cspass
org.apache.ws.security.crypto.merlin.keystore.alias=myclientkey
org.apache.ws.security.crypto.merlin.file=wsclientstore.jks
Thanks.
Gina
On Wed, May 23, 2012 at 6:56 AM, Oliver Wulff <[email protected]> wrote:
> You can also configure the password like this if you don't want to use a
> callback handler:
>
> <entry key="ws-security.password" value="password"/>
>
> You must add the properties here:
> <entry key="ws-security.sts.client">
> <bean
> class="org.apache.cxf.ws.security.trust.STSClient">
> <constructor-arg ref="cxf" />
> <property name="wsdlLocation" value="https://localhost:9443/fedizidpsts/STSServiceTransport?wsdl" />
> <property name="serviceName" value="{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService" />
> <property name="endpointName" value="{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Transport_Port" />
> <property name="onBehalfOf"
> ref="delegationCallbackHandler" />
> <property name="enableAppliesTo"
> value="true" />
> <property name="properties">
> <map>
>
> </map>
> </property>
> </bean>
> </entry>
>
> Finally, it depends on your requirements. Not everybody likes to have
> passwords in configuration files whereas a callback handler could read the
> password from an encrypted file.
>
> ------
>
> Oliver Wulff
>
> Blog: http://owulff.blogspot.com
> Solution Architect
> http://coders.talend.com
>
> Talend Application Integration Division http://www.talend.com
>
> ________________________________________
> From: Colm O hEigeartaigh [[email protected]]
> Sent: 23 May 2012 09:54
> To: [email protected]
> Subject: Re: Redirecting Fediz GreeterService to ADFS2.0
>
> Hi Gina,
>
> > 2. I used the following TokenType; hopefully Apache CXF understands it.
> > <t:TokenType>urn:oasis:names:tc:SAML:2.0:assertion</t:TokenType>
>
> It can.
>
> > 5. When the client requests a new token from ADFS2.0 using an ActAs token, it
> > needs to be authenticated using a username token since my ADFS endpoint is
> > /adfs/services/trust/13/usernamemixed. I still don't see a place to set the
> > username and password in bean.xml.
>
> You need to set a username as well as the class name of a
> CallbackHandler instance that returns the password for said username.
> See here for an example:
>
>
> http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/transport/cxf-client.xml?view=markup
>
> i.e.:
>
> <entry key="ws-security.username" value="alice"/>
> <entry key="ws-security.callback-handler"
> value="org.apache.cxf.systest.sts.common.CommonCallbackHandler"/>
>
> The CallbackHandler in question is here:
>
>
> http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/common/CommonCallbackHandler.java?view=markup
>
> Colm.
>
>
> On Tue, May 22, 2012 at 10:58 PM, Gina Choi <[email protected]> wrote:
> > Hi Oliver,
> >
> > I have converted the hello_world.wsdl file to Symmetric bindings and the zip
> > file is attached.
> >
> > 1. Since all configuration related to the STS can be done through beans.xml
> > under examples\wsclientWebapp\webapp\src\main\webapp\WEB-INF, I commented
> > out the STS-related reference from hello_world.wsdl (lines 135-137).
> >
> > </wsp:Policy>
> > <!--sp:Issuer>
> > <wsaw:Address>https://strts01.ams.dev/adfs/services/trust/mex</wsaw:Address>
> > </sp:Issuer-->
> > </sp:IssuedToken>
> >
> > 2. I used the following TokenType; hopefully Apache CXF understands it.
> > <t:TokenType>urn:oasis:names:tc:SAML:2.0:assertion</t:TokenType>
> >
> > 3. In line 54, you have this. I don't know if the type should be xsd:string.
> > I left it as it is for now.
> > <element name="responseType" type="string"/>
> >
> > 4. In the bean.xml file under
> > examples\wsclientWebapp\webapp\src\main\webapp\WEB-INF, I have updated the
> > conduit name with the hostname of ADFS.
> >
> > 5. When the client requests a new token from ADFS2.0 using an ActAs token, it
> > needs to be authenticated using a username token since my ADFS endpoint is
> > /adfs/services/trust/13/usernamemixed. I still don't see a place to set the
> > username and password in bean.xml.
> >
> > Thanks.
> > Gina
> >
> > On Tue, May 22, 2012 at 4:34 PM, Oliver Wulff <[email protected]> wrote:
> >>
> >> Hi Gina
> >>
> >> The configuration file is here:
> >>
> >>
> >> http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/wsclientWebapp/webapp/src/main/webapp/WEB-INF/beans.xml?view=markup
> >>
> >> The bean jaxws:client contains all the configuration to call the
> >> helloworld service. The property "ws-security.sts.client" contains all
> >> STS-related configuration.
> >>
> >> You also have to configure the truststore for the https communication,
> >> which is here:
> >> <!-- STS WSDL download -->
> >> <http:conduit name="https://localhost:9443/.*">
> >> <http:tlsClientParameters disableCNCheck="true">
> >> <sec:trustManagers>
> >> <sec:keyStore type="jks" password="tompass" resource="tomcatKeystore.jks" />
> >> </sec:trustManagers>
> >> </http:tlsClientParameters>
> >> </http:conduit>
> >>
> >> where you can update the conduit name with the hostname of ADFS.
> >>
> >>
> >>
> >> ------
> >>
> >> Oliver Wulff
> >>
> >> Blog: http://owulff.blogspot.com
> >> Solution Architect
> >> http://coders.talend.com
> >>
> >> Talend Application Integration Division http://www.talend.com
> >>
> >> ________________________________
> >> From: Gina Choi [[email protected]]
> >> Sent: 22 May 2012 21:59
> >> To: Oliver Wulff
> >> Cc: [email protected]
> >> Subject: Redirecting Fediz GreeterService to ADFS2.0
> >>
> >> Hi Oliver,
> >>
> >> With your help, I have previously successfully connected the Fediz Helloworld
> >> web app
> >> (http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/wsclientWebapp/webapp/)
> >> to ADFS2.0 using WS-Federation. My next goal is to change the Fediz
> >> GreeterService
> >> (http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/wsclientWebapp/webservice/service/)
> >> to point to ADFS2.0 using the Assertion token previously obtained from
> >> WS-Federation. This Assertion token will be used as the ActAs token. I am
> >> planning to use Symmetric bindings for Web service-client-ADFS2.0 and the
> >> ADFS2.0 endpoint will be adfs/services/trust/13/usernamemixed. Everything is
> >> pretty much the same as your blog (SSO across Web Applications and Web
> >> Services - Part IV b:
> >> http://owulff.blogspot.com/2012/04/sso-across-web-applications-and-web_16.html)
> >> except that my STS is ADFS2.0. I have attached the zipped mex file for my
> >> ADFS and the wsdl file for my final .NET web service. I will send you the
> >> wsdl file for GreeterService using Symmetric bindings later.
> >>
> >> You previously mentioned configuring the password with the property
> >> "ws-security.password". Do you have a configuration file on the client
> >> side to add ws-security.password?
> >>
> >> Thanks.
> >> Gina
> >
> >
>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>
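As an added example (not from the thread or from the Fediz project), one way to lay out the two encryption aliases Gina asks about: a Spring <map> keeps only one value per key, so two ws-security.encryption.username entries in the same map cannot both take effect; the service certificate alias stays in the jaxws:client properties, while the STS certificate alias goes into the properties map of the STSClient that Oliver shows, with the callback handler from Colm's reply supplying the password instead of ws-security.password. The port name, the host sts.example.invalid, the hypothetical class com.example.ClientPasswordCallbackHandler, the actAs wiring and the keystore aliases are assumptions.

```xml
<!-- Added example, not from the thread or the Fediz project. The port name,
     the host, the class com.example.ClientPasswordCallbackHandler and the
     keystore aliases are assumptions. -->
<jaxws:client name="{http://apache.org/hello_world_soap_http}SoapPort" createdFromAPI="true">
  <jaxws:properties>
    <!-- Username is configured; the password is not. The callback handler
         (Colm's pattern) supplies it at runtime. -->
    <entry key="ws-security.username" value="GLOBAL\\Certificateuser"/>
    <entry key="ws-security.callback-handler"
           value="com.example.ClientPasswordCallbackHandler"/>
    <!-- Service (WSP) leg: sign with the client key, encrypt to the service
         certificate. A map keeps one value per key, so only one alias here. -->
    <entry key="ws-security.signature.properties" value="clientKeystore.properties"/>
    <entry key="ws-security.signature.username" value="myclientkey"/>
    <entry key="ws-security.encryption.properties" value="clientKeystore.properties"/>
    <entry key="ws-security.encryption.username" value="myservicekey"/>
    <entry key="ws-security.is-bsp-compliant" value="false"/>

    <!-- STS leg: the STSClient has its own properties map, so the STS
         certificate alias does not collide with the service alias above. -->
    <entry key="ws-security.sts.client">
      <bean class="org.apache.cxf.ws.security.trust.STSClient">
        <constructor-arg ref="cxf"/>
        <property name="wsdlLocation"
                  value="https://sts.example.invalid/adfs/services/trust/mex"/>
        <!-- Service and endpoint names must match the STS WSDL; these are
             the ones from Oliver's Fediz example, kept here as placeholders. -->
        <property name="serviceName"
                  value="{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService"/>
        <property name="endpointName"
                  value="{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Transport_Port"/>
        <!-- Gina's flow passes the WS-Federation assertion as ActAs. -->
        <property name="actAs" ref="delegationCallbackHandler"/>
        <property name="enableAppliesTo" value="true"/>
        <property name="properties">
          <map>
            <entry key="ws-security.username" value="GLOBAL\\Certificateuser"/>
            <entry key="ws-security.callback-handler"
                   value="com.example.ClientPasswordCallbackHandler"/>
            <entry key="ws-security.signature.properties" value="clientKeystore.properties"/>
            <entry key="ws-security.signature.username" value="myclientkey"/>
            <entry key="ws-security.encryption.properties" value="clientKeystore.properties"/>
            <entry key="ws-security.encryption.username" value="mystskey"/>
          </map>
        </property>
      </bean>
    </entry>
  </jaxws:properties>
</jaxws:client>
```

With the symmetric binding, the same callback handler also has to answer for the private-key password of myclientkey when CXF decrypts the response, so it should resolve passwords by identifier rather than return a single value.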