You can request SAML tokens with the bearer subject confirmation method from an external Security Token Service (STS). After obtaining the SAML bearer token, you can then send these tokens with web services request messages using the Java API for XML-Based Web Services (JAX-WS) programming model and Web Services Security APIs (WSS API).
This task assumes that you are familiar with the JAX-WS programming model, the WSS API interfaces, SAML concepts, and the use of policy sets to configure and administer web services settings.
You can request a SAML token with the bearer subject confirmation method from an external STS and then send the SAML token in web services request messages from a web services client using WSS APIs.
The web services application client used in this task is a modified version of the client code that is contained in the JaxWSServicesSamples sample application that is available for download. Code snippets from the sample are described in the procedure section, and a complete, ready-to-use web services client sample is provided in the Example section.
You have requested a SAML token with the bearer subject confirmation method, protected at the transport level, from an external STS. After obtaining the token, you sent the token with web services request messages using the JAX-WS programming model and WSS APIs.
//Request the SAML Token from external STS
WSSFactory factory = WSSFactory.getInstance();
String STS_URI = "https://externalstsserverurl:port/TrustServerWST13/services/RequestSecurityToken";
String ENDPOINT_URL = "http://localhost:9080/WSSampleSei/EchoService";
WSSGenerationContext gencont1 = factory.newWSSGenerationContext();
WSSConsumingContext concont1 = factory.newWSSConsumingContext();
HashMap<Object, Object> cbackMap1 = new HashMap<Object, Object>();
cbackMap1.put(SamlConstants.STS_ADDRESS, STS_URI);
cbackMap1.put(SamlConstants.SAML_APPLIES_TO, ENDPOINT_URL);
cbackMap1.put(SamlConstants.TRUST_CLIENT_WSTRUST_NAMESPACE, "http://docs.oasis-open.org/ws-sx/ws-trust/200512");
cbackMap1.put(SamlConstants.TRUST_CLIENT_COLLECTION_REQUEST, "false");
cbackMap1.put(SamlConstants.TOKEN_TYPE, WSSConstants.SAML.SAML11_VALUE_TYPE);
cbackMap1.put(SamlConstants.CONFIRMATION_METHOD, "Bearer");
SAMLGenerateCallbackHandler cbHandler1 = new SAMLGenerateCallbackHandler(cbackMap1);
// Add UNT to trust request
UNTGenerateCallbackHandler utCallbackHandler = new UNTGenerateCallbackHandler("testuser", "testuserpwd");
SecurityToken ut = factory.newSecurityToken(UsernameToken.class, utCallbackHandler);
gencont1.add(ut);
cbHandler1.setWSSConsumingContextForTrustClient(concont1);
cbHandler1.setWSSGenerationContextForTrustClient(gencont1);
SecurityToken samlToken = factory.newSecurityToken(SAMLToken.class, cbHandler1, "system.wss.generate.saml");
System.out.println("SAMLToken id = " + samlToken.getId());

Additionally, the step to configure the verification of the digital signature in the response message is optional in the case of the bearer token.
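The WS-Trust exchange that the callback-handler settings above (and the complete sample in the Example section) drive, shown as an added stand-alone example that is not part of the IBM sample and does not use the WebSphere WSS API: it builds the wst:RequestSecurityToken Issue message for a bearer SAML 1.1 token and checks the returned assertion before it would be attached to a request. The RSTR is a constructed sample; the namespace, token-type and confirmation-method URIs are the standard WS-Trust 1.3, WSS SAML Token Profile 1.1 and SAML 1.1 values.

```python
import xml.etree.ElementTree as ET

WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"  # TRUST_CLIENT_WSTRUST_NAMESPACE
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
WSA = "http://www.w3.org/2005/08/addressing"
SAML11 = "urn:oasis:names:tc:SAML:1.0:assertion"
# URI behind WSSConstants.SAML.SAML11_VALUE_TYPE (WSS SAML Token Profile 1.1)
SAML11_VALUE_TYPE = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"
BEARER_CM = "urn:oasis:names:tc:SAML:1.0:cm:bearer"

def build_rst(applies_to, token_type=SAML11_VALUE_TYPE):
    """Issue request for a bearer SAML token: what SAML_APPLIES_TO/TOKEN_TYPE/CONFIRMATION_METHOD describe."""
    rst = ET.Element(f"{{{WST}}}RequestSecurityToken")
    ET.SubElement(rst, f"{{{WST}}}RequestType").text = f"{WST}/Issue"
    ET.SubElement(rst, f"{{{WST}}}TokenType").text = token_type
    # Bearer: no proof key is requested, so possession alone is proof; the token must travel over TLS
    ET.SubElement(rst, f"{{{WST}}}KeyType").text = f"{WST}/Bearer"
    epr = ET.SubElement(ET.SubElement(rst, f"{{{WSP}}}AppliesTo"), f"{{{WSA}}}EndpointReference")
    ET.SubElement(epr, f"{{{WSA}}}Address").text = applies_to
    return ET.tostring(rst, encoding="unicode")

def extract_bearer_assertion(rstr_xml, expected_audience):
    """Accept the issued SAML 1.1 assertion only if bearer-confirmed and scoped to our endpoint."""
    rstr = ET.fromstring(rstr_xml)
    assertion = rstr.find(f".//{{{WST}}}RequestedSecurityToken/{{{SAML11}}}Assertion")
    if assertion is None:
        raise ValueError("RSTR carries no SAML 1.1 assertion")
    methods = {m.text for m in assertion.iter(f"{{{SAML11}}}ConfirmationMethod")}
    if methods != {BEARER_CM}:
        raise ValueError(f"expected bearer confirmation, got {sorted(methods)}")
    audiences = {a.text for a in assertion.iter(f"{{{SAML11}}}Audience")}
    if expected_audience not in audiences:
        raise ValueError(f"assertion not scoped to {expected_audience}: {sorted(audiences)}")
    return assertion.get("AssertionID"), ET.tostring(assertion, encoding="unicode")

# Constructed sample RSTR for offline use (not real STS output; the STS signature is omitted).
SAMPLE_RSTR = f"""<wst:RequestSecurityTokenResponse xmlns:wst="{WST}" xmlns:saml="{SAML11}">
 <wst:TokenType>{SAML11_VALUE_TYPE}</wst:TokenType>
 <wst:RequestedSecurityToken>
  <saml:Assertion AssertionID="_191EBC44865015D9AB1270745072344" MajorVersion="1" MinorVersion="1"
      Issuer="constructed-sample-sts">
   <saml:Conditions><saml:AudienceRestrictionCondition>
    <saml:Audience>http://localhost:9080/WSSampleSei/EchoService</saml:Audience>
   </saml:AudienceRestrictionCondition></saml:Conditions>
   <saml:AuthenticationStatement><saml:Subject><saml:NameIdentifier>testuser</saml:NameIdentifier>
    <saml:SubjectConfirmation><saml:ConfirmationMethod>{BEARER_CM}</saml:ConfirmationMethod>
   </saml:SubjectConfirmation></saml:Subject></saml:AuthenticationStatement>
  </saml:Assertion>
 </wst:RequestedSecurityToken>
</wst:RequestSecurityTokenResponse>"""
```

Because a bearer assertion is honoured by whoever presents it, the audience check is what keeps a token issued for this endpoint from being usable elsewhere, which is also why the page pairs the bearer method with transport-level protection.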
The following code sample is a web services client application that demonstrates how to request a SAML token from an external STS and send that SAML token in web services request messages. If your usage scenario requires SAML tokens, but does not require your application to pass the SAML tokens using web services messages, you only need to use the first part of the following sample code, up through the // Initialize web services client section.
/**
 * The following source code is sample code created by IBM Corporation.
 * This sample code is provided to you solely for the purpose of assisting you in the
 * use of the technology. The code is provided 'AS IS', without warranty or condition of
 * any kind. IBM shall not be liable for any damages arising out of your use of the
 * sample code, even if IBM has been advised of the possibility of such damages.
 */
package com.ibm.was.wssample.sei.cli;

import com.ibm.was.wssample.sei.echo.EchoService12PortProxy;
import com.ibm.was.wssample.sei.echo.EchoStringInput;
import com.ibm.websphere.wssecurity.wssapi.WSSFactory;
import com.ibm.websphere.wssecurity.wssapi.WSSGenerationContext;
import com.ibm.websphere.wssecurity.wssapi.WSSConsumingContext;
import com.ibm.websphere.wssecurity.wssapi.WSSTimestamp;
import com.ibm.websphere.wssecurity.callbackhandler.SAMLGenerateCallbackHandler;
import com.ibm.websphere.wssecurity.callbackhandler.UNTGenerateCallbackHandler;
import com.ibm.websphere.wssecurity.wssapi.token.UsernameToken;
import com.ibm.websphere.wssecurity.wssapi.token.SAMLToken;
import com.ibm.websphere.wssecurity.wssapi.token.SecurityToken;
import com.ibm.wsspi.wssecurity.core.token.config.WSSConstants;
import com.ibm.wsspi.wssecurity.saml.config.SamlConstants;

import java.util.Map;
import java.util.HashMap;
import javax.xml.ws.BindingProvider;

/**
 * SampleClient
 * main entry point for thin client JAR sample
 * and worker class to communicate with the services
 */
public class SampleClient {
    private String urlHost = "localhost";
    private String urlPort = "9443";
    private static final String CONTEXT_BASE = "/WSSampleSei/";
    private static final String ECHO_CONTEXT12 = CONTEXT_BASE + "EchoService12";
    private String message = "HELLO";
    private String uriString = "https://" + urlHost + ":" + urlPort;
    private String endpointURL = uriString + ECHO_CONTEXT12;
    private String input = message;

    /**
     * main()
     *
     * see printusage() for command-line arguments
     *
     * @param args
     */
    public static void main(String[] args) {
        SampleClient sample = new SampleClient();
        sample.CallService();
    }

    /**
     * CallService Parms were already read. Now call the service proxy classes
     *
     */
    void CallService() {
        String response = "ERROR!:";
        try {
            System.setProperty("java.security.auth.login.config", "profile_root/properties/wsjaas_client.conf");
            System.setProperty("com.ibm.SSL.ConfigURL", "file:profile_root/properties/ssl.client.props");

            //Request the SAML Token from external STS
            WSSFactory factory = WSSFactory.getInstance();
            String STS_URI = "https://externalstsserverurl:port/TrustServerWST13/services/RequestSecurityToken";
            String ENDPOINT_URL = "http://localhost:9080/WSSampleSei/EchoService";
            WSSGenerationContext gencont1 = factory.newWSSGenerationContext();
            WSSConsumingContext concont1 = factory.newWSSConsumingContext();
            HashMap<Object, Object> cbackMap1 = new HashMap<Object, Object>();
            cbackMap1.put(SamlConstants.STS_ADDRESS, STS_URI);
            cbackMap1.put(SamlConstants.SAML_APPLIES_TO, ENDPOINT_URL);
            cbackMap1.put(SamlConstants.TRUST_CLIENT_WSTRUST_NAMESPACE, "http://docs.oasis-open.org/ws-sx/ws-trust/200512");
            cbackMap1.put(SamlConstants.TRUST_CLIENT_COLLECTION_REQUEST, "false");
            cbackMap1.put(SamlConstants.TOKEN_TYPE, WSSConstants.SAML.SAML20_VALUE_TYPE);
            cbackMap1.put(SamlConstants.CONFIRMATION_METHOD, "Bearer");
            SAMLGenerateCallbackHandler cbHandler1 = new SAMLGenerateCallbackHandler(cbackMap1);

            // Add UNT to trust request
            UNTGenerateCallbackHandler utCallbackHandler = new UNTGenerateCallbackHandler("testuser", "testuserpwd");
            SecurityToken ut = factory.newSecurityToken(UsernameToken.class, utCallbackHandler);
            gencont1.add(ut);
            cbHandler1.setWSSConsumingContextForTrustClient(concont1);
            cbHandler1.setWSSGenerationContextForTrustClient(gencont1);
            SecurityToken samlToken = factory.newSecurityToken(SAMLToken.class, cbHandler1, "system.wss.generate.saml");
            System.out.println("SAMLToken id = " + samlToken.getId());

            // Initialize web services client
            EchoService12PortProxy echo = new EchoService12PortProxy();
            echo._getDescriptor().setEndpoint(endpointURL);

            // Configure SOAPAction properties
            BindingProvider bp = (BindingProvider) (echo._getDescriptor().getProxy());
            Map<String, Object> requestContext = bp.getRequestContext();
            requestContext.put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, endpointURL);
            requestContext.put(BindingProvider.SOAPACTION_USE_PROPERTY, Boolean.TRUE);
            requestContext.put(BindingProvider.SOAPACTION_URI_PROPERTY, "echoOperation");

            // Initialize WSSGenerationContext
            WSSGenerationContext gencont = factory.newWSSGenerationContext();
            gencont.add(samlToken);

            // Add timestamp
            WSSTimestamp timestamp = factory.newWSSTimestamp();
            gencont.add(timestamp);
            gencont.process(requestContext);

            // Build the input object
            EchoStringInput echoParm = new com.ibm.was.wssample.sei.echo.ObjectFactory().createEchoStringInput();
            echoParm.setEchoInput(input);
            System.out.println(">> CLIENT: SEI Echo to " + endpointURL);

            // Prepare to consume timestamp in response message.
            WSSConsumingContext concont = factory.newWSSConsumingContext();
            concont.add(WSSConsumingContext.TIMESTAMP);
            concont.process(requestContext);

            // Call the service
            response = echo.echoOperation(echoParm).getEchoResponse();
            System.out.println(">> CLIENT: SEI Echo invocation complete.");
            System.out.println(">> CLIENT: SEI Echo response is: " + response);
        } catch (Exception e) {
            System.out.println(">> CLIENT: ERROR: SEI Echo EXCEPTION.");
            e.printStackTrace();
        }
    }
}
SAMLToken id = _191EBC44865015D9AB1270745072344
Retrieving document at 'file:profile_root/.../wsdl/'.
>> CLIENT: SEI Echo to https://localhost:9443/WSSampleSei/EchoService12
>> CLIENT: SEI Echo invocation complete.
>> CLIENT: SEI Echo response is: SOAP12==>>HELLO