7 Replies Latest reply on Sep 23, 2009 3:06 AM by asoldano

    JBossSTS SOAP protocol handler

    beve

      Hi,

      we are currently working on adding SAML Token support to JBossESB:
      (http://www.jboss.org/index.html?module=bb&op=viewtopic&t=161206).

      After posting to the JBoss Identity forum:
      (http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4255969#4255969)
      I was advised to post here and get some input from the ws team.

      What we are trying to do is this:
We have an existing SAML Token in a SOAP Security Header and this is sent to our target web service. We have written a SOAP Protocol Handler that extracts the SAML Token and calls JBossSTS to have it validated.
      (http://anonsvn.jboss.org/repos/labs/labs/jbossesb/workspace/dbevenius/saml_support/product/rosetta/src/org/jboss/soa/esb/services/security/auth/ws/JBossSTSSecurityHandler.java)

      Would be great to hear your thoughts on this and if you think this is the correct way to proceed.

      Thanks,

      /Daniel
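As an added illustration of the handler Daniel describes (example code written for this page, not the JBossESB JBossSTSSecurityHandler linked above): a plain JAX-WS SOAPHandler that takes the SAML assertion out of the wsse:Security header on inbound messages, hands it to a validator, and rejects the request with a SOAP fault if validation fails. The TokenValidator interface, the ASSERTION_PROPERTY key and the class name are assumptions made here; in the thread's setup the validator would wrap WSTrustClient, and the exact validation method on that class (validateToken(Element) is assumed) should be checked against the JBoss Identity version in use.

```java
import java.util.Collections;
import java.util.Set;

import javax.xml.namespace.QName;
import javax.xml.soap.SOAPConstants;
import javax.xml.soap.SOAPException;
import javax.xml.soap.SOAPFactory;
import javax.xml.soap.SOAPHeader;
import javax.xml.ws.handler.MessageContext;
import javax.xml.ws.handler.soap.SOAPHandler;
import javax.xml.ws.handler.soap.SOAPMessageContext;
import javax.xml.ws.soap.SOAPFaultException;

import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

/**
 * Inbound JAX-WS handler: finds the SAML assertion in the WS-Security header and
 * hands it to a validator (in the thread's setup, a WSTrustClient talking to
 * JBossSTS). Requests without a valid assertion never reach the endpoint.
 */
public class SamlTokenHandler implements SOAPHandler<SOAPMessageContext> {

    static final String WSSE_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    static final String SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion";
    static final QName SECURITY = new QName(WSSE_NS, "Security");
    /** Assumed context key under which the validated assertion is exposed to the endpoint. */
    public static final String ASSERTION_PROPERTY = "org.example.saml.assertion";

    /** Assumed abstraction: hides the STS call (e.g. WSTrustClient.validateToken) from the handler. */
    public interface TokenValidator {
        boolean isValid(Element assertion) throws Exception;
    }

    private final TokenValidator validator;

    public SamlTokenHandler(TokenValidator validator) {
        this.validator = validator;
    }

    /** Declaring wsse:Security lets JAX-WS treat a mustUnderstand="1" Security header as understood. */
    public Set<QName> getHeaders() {
        return Collections.singleton(SECURITY);
    }

    public boolean handleMessage(SOAPMessageContext ctx) {
        Boolean outbound = (Boolean) ctx.get(MessageContext.MESSAGE_OUTBOUND_PROPERTY);
        if (outbound) {
            return true; // responses pass through untouched
        }
        try {
            SOAPHeader header = ctx.getMessage().getSOAPHeader();
            Element assertion = header == null ? null : findAssertion(header);
            if (assertion == null) {
                throw fault("No SAML assertion in wsse:Security header");
            }
            if (!validator.isValid(assertion)) {
                throw fault("SAML assertion rejected by STS");
            }
            // Expose the validated assertion so the endpoint can authorize on its contents.
            ctx.put(ASSERTION_PROPERTY, assertion);
            ctx.setScope(ASSERTION_PROPERTY, MessageContext.Scope.APPLICATION);
            return true;
        } catch (SOAPFaultException e) {
            throw e;
        } catch (Exception e) {
            // Do not leak STS connectivity or parsing details to the caller.
            throw fault("SAML token validation failed");
        }
    }

    /**
     * Only an Assertion that is a direct child of wsse:Security counts. Searching the whole
     * header for any saml:Assertion would also match assertions nested inside other,
     * caller-controlled elements.
     */
    static Element findAssertion(SOAPHeader header) {
        NodeList securityHeaders = header.getElementsByTagNameNS(WSSE_NS, "Security");
        for (int i = 0; i < securityHeaders.getLength(); i++) {
            for (Node n = securityHeaders.item(i).getFirstChild(); n != null; n = n.getNextSibling()) {
                if (n.getNodeType() != Node.ELEMENT_NODE || !"Assertion".equals(n.getLocalName())) {
                    continue;
                }
                String ns = n.getNamespaceURI();
                if (SAML2_NS.equals(ns) || SAML1_NS.equals(ns)) {
                    return (Element) n;
                }
            }
        }
        return null;
    }

    private static SOAPFaultException fault(String reason) {
        try {
            QName client = new QName(SOAPConstants.URI_NS_SOAP_ENVELOPE, "Client");
            return new SOAPFaultException(SOAPFactory.newInstance().createFault(reason, client));
        } catch (SOAPException e) {
            throw new RuntimeException(e);
        }
    }

    public boolean handleFault(SOAPMessageContext ctx) { return true; }

    public void close(MessageContext ctx) { }
}
```

The handler is registered on the endpoint through the usual @HandlerChain descriptor. It only reads the header, so any decryption or signature verification of the Security header has to happen before it in the chain, in the stack's WS-Security layer; that is the stack-specific part and the reason the handler itself stays limited to standard JAX-WS and DOM calls.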

        • 1. Re: JBossSTS SOAP protocol handler
          anil.saldhana

          I am unsure we can get this done in the WS layer in a generic way. I foresee a need to have multiple handlers - one for JBossWS WS-S impl, one for CXF and other for Metro.

All these handlers can do the same thing. But they need to handle the appropriate server impl.

          • 2. Re: JBossSTS SOAP protocol handler
            beve


            I am unsure we can get this done in the WS layer in a generic way. I foresee a need to have multiple handlers - one for JBossWS WS-S impl, one for CXF and other for Metro.

            I'm sure you are right and I'd like to know what issues you see here?
The example given only uses standard JAX-WS code, nothing specific to JBossWS. Is this handled completely differently for CXF and Metro perhaps? As you can probably tell I've never used them:)

            Thanks,

            /Daniel

            • 3. Re: JBossSTS SOAP protocol handler
              asoldano

              Yes, providing jaxws handlers for calling the STS is probably the easiest way here.
I think the issue Anil's referring to is that "basic" security configuration (enc/dec and sign) is different from stack to stack, because of the different ws-security implementations, hence the need for having 3 different handlers. Don't know if this can be covered in the existing WSTrustClient, in that case we might probably have a single jaxws handler (and that might even be part of the jbossws-framework project).

              • 4. Re: JBossSTS SOAP protocol handler
                beve

                Hi Alessio,

                thanks for your comments!

                Don't know if this can be covered in the existing WSTrustClient, in that case we might probably have a single jaxws handler (and that might even be part of the jbossws-framework project).

I'll take a look at what's supported in the WSTrustClient. Currently we only extract the SAML Assertion and pass it along to WSTrustClient which in turn calls JBossSTS. JBossSTS can be configured to sign the SAML tokens that it has issued and check this when it is validating the token.

                At the moment we thought of adding this to the identity project but I'll let Anil and Jeff comment on this. At least at this stage this makes sense I think as this is specific to the WSTrustClient.

                Regards,

                /Daniel

                • 5. Re: JBossSTS SOAP protocol handler
                  anil.saldhana

Dan, the question was whether the SAML assertion can be used as the authentication construct rather than username/pwd or an X509 certificate (as supported by the WS-Security implementation in JBossWS). This was what Stefan and I were referring to.

                  At this time, I think you should forget about the authentication aspect and just focus on passing the saml assertion to the wst client and let the STS handle the token.

Maybe you can have a single username/pwd for the ESB layer with the STS to pass in the WS-S headers. Or better, some type of X509 certificate that is mutually agreed on.

                  There are two different things:
                  1) There needs to be a security context for the client and the STS to interact. This is what is passed in the ws-s headers. Can be username/pwd or x509 cert.
                  2) And then there is the payload (in this case, the SAML assertion) that the STS will use to validate.

                  From what I see, the item 1 is a trust association between the STS and ESB client. We can set it up once.
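The two things Anil separates, shown as an added example (code written for this page, not code from JBossESB, JBossSTS or WSTrustClient): building the WS-Trust 1.3 Validate request the ESB would send to the STS, with the ESB's own UsernameToken in the WS-Security header (item 1) and the caller's assertion in wst:ValidateTarget (item 2), plus the check of the RSTR status the STS answers with. The class and method names are made up for this page, the assertion produced in sampleAssertion() is constructed and unsigned, and the actual transport call to the STS is not shown.

```java
import javax.xml.namespace.QName;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.soap.MessageFactory;
import javax.xml.soap.SOAPElement;
import javax.xml.soap.SOAPEnvelope;
import javax.xml.soap.SOAPException;
import javax.xml.soap.SOAPHeaderElement;
import javax.xml.soap.SOAPMessage;

import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Builds a WS-Trust Validate request and reads the STS's status reply (example, not project code). */
public final class ValidateRequestBuilder {

    static final String WSSE_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String WST_NS = "http://docs.oasis-open.org/ws-sx/ws-trust/200512";
    static final String PASSWORD_TEXT =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText";
    static final String SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion";

    /** Item 1 goes in the header, item 2 in the body; they are independent of each other. */
    public static SOAPMessage buildValidateRequest(String stsUser, String stsPassword, Element assertion)
            throws SOAPException {
        SOAPMessage msg = MessageFactory.newInstance().createMessage();
        SOAPEnvelope env = msg.getSOAPPart().getEnvelope();
        env.addNamespaceDeclaration("wsse", WSSE_NS);
        env.addNamespaceDeclaration("wst", WST_NS);

        // (1) Trust association ESB <-> STS: the ESB's credential, the same for every call.
        SOAPHeaderElement security =
            env.getHeader().addHeaderElement(new QName(WSSE_NS, "Security", "wsse"));
        security.setMustUnderstand(true);
        SOAPElement usernameToken = security.addChildElement("UsernameToken", "wsse");
        usernameToken.addChildElement("Username", "wsse").addTextNode(stsUser);
        SOAPElement password = usernameToken.addChildElement("Password", "wsse");
        password.addAttribute(new QName("Type"), PASSWORD_TEXT); // clear-text password: TLS to the STS is a must
        password.addTextNode(stsPassword);

        // (2) Payload the STS is asked to judge: the assertion the original caller presented.
        SOAPElement rst = env.getBody().addBodyElement(new QName(WST_NS, "RequestSecurityToken", "wst"));
        rst.addChildElement("RequestType", "wst").addTextNode(WST_NS + "/Validate");
        rst.addChildElement("TokenType", "wst").addTextNode(WST_NS + "/RSTR/Status");
        SOAPElement target = rst.addChildElement("ValidateTarget", "wst");
        target.appendChild(msg.getSOAPPart().importNode(assertion, true));

        msg.saveChanges();
        return msg;
    }

    /** The STS replies with an RSTR carrying wst:Status/wst:Code; anything but exactly one "valid" code is a reject. */
    public static boolean isValidStatus(SOAPMessage response) throws SOAPException {
        NodeList codes = response.getSOAPBody().getElementsByTagNameNS(WST_NS, "Code");
        return codes.getLength() == 1
            && (WST_NS + "/status/valid").equals(codes.item(0).getTextContent().trim());
    }

    /** Constructed, unsigned stand-in for a real assertion, only so the example runs offline. */
    static Element sampleAssertion() throws Exception {
        Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder().newDocument();
        Element assertion = doc.createElementNS(SAML2_NS, "saml:Assertion");
        assertion.setAttribute("Version", "2.0");
        assertion.setAttribute("ID", "ID_example-assertion");
        Element issuer = doc.createElementNS(SAML2_NS, "saml:Issuer");
        issuer.setTextContent("JBossSTS");
        assertion.appendChild(issuer);
        return assertion;
    }

    public static void main(String[] args) throws Exception {
        SOAPMessage request = buildValidateRequest("esb-user", "esb-password", sampleAssertion());
        request.writeTo(System.out); // the request that would go to the STS endpoint
    }
}
```

PasswordText puts the ESB's password on the wire, so this shape only makes sense over TLS to the STS. The X.509 option Anil prefers keeps the same body and replaces the UsernameToken with a BinarySecurityToken plus a signature over the body, which is exactly the piece each stack's WS-Security layer does differently.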

                  • 6. Re: JBossSTS SOAP protocol handler
                    beve


Dan, the question was whether the SAML assertion can be used as the authentication construct rather than username/pwd or an X509 certificate (as supported by the WS-Security implementation in JBossWS).

So we are talking about the STS's own requirements for authenticating and authorizing requests for security tokens. (This would be item 1 in Anil's post, right?)


                    Maybe you can have a single username/pwd for the ESB layer with the STS to pass in the WS-S headers. Or better some type of X509 certificate that is mutually agreed on.

                    This is how we have currently set this up. We are currently using a username/pwd for this in the ESB but I'll look into using X509 certificate instead.

                    Thanks,

                    /Daniel



                    • 7. Re: JBossSTS SOAP protocol handler
                      asoldano


                      "anil.saldhana@jboss.com" wrote:
Dan, the question was whether the SAML assertion can be used as the authentication construct rather than username/pwd or an X509 certificate (as supported by the WS-Security implementation in JBossWS). This was what Stefan and I were referring to.

Generally speaking I'd love to support authentication based on SAML assertion, but that's not supported in jbossws right now (and yes, doing that in the same way for all stacks is probably a tough issue). We can create a jira for this.