3 Replies Latest reply on Nov 9, 2011 10:27 AM by marc.van.andel

    How implementing webservices with JBoss and the L7 XML Gateway

    bloemg

      Does anyone have experience with implementing web services in a JBoss environment with an XML Gateway? The XML Gateway is also responsible for security.

      The goal is implementing web services without WS-Security and WS-Trust implementations. This will be done in the XML gateway. Propagating identity information will be done with SAML2.

      The STS function will be done in the XML Gateway. We see PL as a product which can also act as an STS. If implementing PL, do we have to use the STS function?

      The only thing we want to do is the ability to consume the SAML assertions.

        • 1. Re: How implementing webservices with JBoss and the L7 XML Gateway
          anil.saldhana
          • 2. Re: How implementing webservices with JBoss and the L7 XML Gateway
            bloemg

            Do we need all handlers?

            We only want to use the SAML2Handler. We do not want to use authentication or authorization again because this was already done at the Gateway.

            Is this possible?

            • 3. Re: How implementing webservices with JBoss and the L7 XML Gateway
              marc.van.andel

              Working with bloemg, I'll provide some more info about this. It seems that the SAML2Handler should be enough, 'cause 'The SAML20TokenProvider is capable of validating the SAML assertions it issues', following http://community.jboss.org/wiki/PicketLinkSTS-SAMLProfile#SAML_Token_Validation. There's also an example of using just the SAML2Handler: https://docs.jboss.org/author/display/PLINK/SAML2Handler (Inbound part).

              But when calling the JAX-WS endpoint running on JBoss EAP 5.1 with Apache CXF as WS stack provider and enhancing the SOAP request with a SAML token in Layer7:


              <soapenv:Envelope
                  xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:v20="http://www.company.com/schemas/example-app/v20111101">
                  <soapenv:Header>
                      <wsse:Security soapenv:mustUnderstand="1"
                          xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
                          <saml2:Assertion
                              ID="SamlAssertion-144fa48dc370c7a921414f3c53ed111b"
                              IssueInstant="2011-11-09T15:04:07.000Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
                              <saml2:Issuer>layer7.company.com</saml2:Issuer>
                              <saml2:Subject>
                                  <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:sender-vouches">
                                      <saml2:NameID>CN=layer7.company.com</saml2:NameID>
                                  </saml2:SubjectConfirmation>
                              </saml2:Subject>
                              <saml2:Conditions NotBefore="2011-11-09T15:02:07.000Z" NotOnOrAfter="2011-11-09T15:09:07.000Z"/>
                              <saml2:AuthnStatement AuthnInstant="2011-11-09T15:04:07.000Z">
                                  <saml2:SubjectLocality Address="10.103.121.235"/>
                                  <saml2:AuthnContext>
                                      <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
                                  </saml2:AuthnContext>
                              </saml2:AuthnStatement>
                          </saml2:Assertion>
                          <wsu:Timestamp>
                              <wsu:Created>2011-11-09T15:04:07.006451559Z</wsu:Created>
                              <wsu:Expires>2011-11-09T15:09:07.006Z</wsu:Expires>
                          </wsu:Timestamp>
                      </wsse:Security>
                  </soapenv:Header>
                  <soapenv:Body>
                      <v20:getUserPrincipal/>
                  </soapenv:Body>
              </soapenv:Envelope>


              We get the following exception:

              16:03:18,949 ERROR [SAML2Handler] Exception in parsing the assertion:
              java.lang.ClassCastException: com.ctc.wstx.evt.CompactStartElement cannot be cast to javax.xml.stream.events.EndElement
                      at org.picketlink.identity.federation.core.parsers.saml.SAMLSubjectParser.parse(SAMLSubjectParser.java:123)
                      at org.picketlink.identity.federation.core.parsers.saml.SAMLAssertionParser.parse(SAMLAssertionParser.java:148)
                      at org.picketlink.identity.federation.core.parsers.saml.SAMLParser.parse(SAMLParser.java:76)
                      at org.picketlink.identity.federation.core.parsers.AbstractParser.parse(AbstractParser.java:92)
                      at org.picketlink.identity.federation.core.wstrust.plugins.saml.SAMLUtil.fromElement(SAMLUtil.java:145)
                      at org.picketlink.trust.jbossws.handler.SAML2Handler.handleInbound(SAML2Handler.java:86)
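The thread's question is what a JBoss-side consumer has to check when the gateway has already authenticated the caller and only a sender-vouches SAML assertion arrives. The following is an added example, not code from the thread and not PicketLink's own parser: it walks the exact request posted above (embedded as a constructed string), reads the NameID from wherever SAML 2.0 allows it (directly under Subject or inside SubjectConfirmation, as in this request), and rejects the token on an untrusted Issuer, a confirmation method other than the one expected, a Conditions window that has not opened or has closed, or an expired WS-Security Timestamp. The sets of trusted issuers and allowed confirmation methods, and the 30-second clock skew, are assumptions a deployer would supply. It makes no claim about why SAMLSubjectParser throws the ClassCastException shown in the post.

```python
"""Consumer-side checks on the sender-vouches SAML 2.0 assertion carried in the
WS-Security header of the request quoted in the thread (example code, not
PicketLink's parser)."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# The request as posted in the thread, whitespace condensed (constructed input).
SOAP_REQUEST = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:v20="http://www.company.com/schemas/example-app/v20111101">
  <soapenv:Header>
    <wsse:Security soapenv:mustUnderstand="1"
        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <saml2:Assertion ID="SamlAssertion-144fa48dc370c7a921414f3c53ed111b"
          IssueInstant="2011-11-09T15:04:07.000Z" Version="2.0"
          xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
        <saml2:Issuer>layer7.company.com</saml2:Issuer>
        <saml2:Subject>
          <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:sender-vouches">
            <saml2:NameID>CN=layer7.company.com</saml2:NameID>
          </saml2:SubjectConfirmation>
        </saml2:Subject>
        <saml2:Conditions NotBefore="2011-11-09T15:02:07.000Z" NotOnOrAfter="2011-11-09T15:09:07.000Z"/>
        <saml2:AuthnStatement AuthnInstant="2011-11-09T15:04:07.000Z">
          <saml2:SubjectLocality Address="10.103.121.235"/>
          <saml2:AuthnContext>
            <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
          </saml2:AuthnContext>
        </saml2:AuthnStatement>
      </saml2:Assertion>
      <wsu:Timestamp>
        <wsu:Created>2011-11-09T15:04:07.006451559Z</wsu:Created>
        <wsu:Expires>2011-11-09T15:09:07.006Z</wsu:Expires>
      </wsu:Timestamp>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body>
    <v20:getUserPrincipal/>
  </soapenv:Body>
</soapenv:Envelope>"""


def parse_xsd_time(value):
    """Parse a UTC xsd:dateTime; fractional digits past microseconds (the
    Timestamp carries nine) are truncated."""
    text = value.rstrip("Z")
    if "." in text:
        head, frac = text.split(".", 1)
        text = f"{head}.{frac[:6]:0<6}"
        fmt = "%Y-%m-%dT%H:%M:%S.%f"
    else:
        fmt = "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)


def request_assertion(soap_xml):
    """Return the single saml2:Assertion in the wsse:Security header, or raise."""
    root = ET.fromstring(soap_xml)
    found = root.findall("soapenv:Header/wsse:Security/saml2:Assertion", NS)
    if len(found) != 1:
        raise ValueError(f"expected exactly one assertion, found {len(found)}")
    return found[0]


def subject_name_id(assertion):
    """Return (NameID text, element it sat under). SAML 2.0 permits NameID
    directly under Subject or inside SubjectConfirmation, as in this request."""
    subject = assertion.find("saml2:Subject", NS)
    if subject is None:
        raise ValueError("assertion has no Subject")
    direct = subject.find("saml2:NameID", NS)
    if direct is not None:
        return direct.text.strip(), "Subject"
    nested = subject.find("saml2:SubjectConfirmation/saml2:NameID", NS)
    if nested is not None:
        return nested.text.strip(), "SubjectConfirmation"
    raise ValueError("no NameID under Subject or SubjectConfirmation")


def validate_request(soap_xml, now, trusted_issuers, allowed_methods,
                     skew=timedelta(seconds=30)):
    """Return the list of reasons to reject the token; empty means acceptable.
    trusted_issuers, allowed_methods and skew are deployer-supplied assumptions."""
    root = ET.fromstring(soap_xml)
    assertions = root.findall("soapenv:Header/wsse:Security/saml2:Assertion", NS)
    if len(assertions) != 1:
        return [f"expected exactly one assertion, found {len(assertions)}"]
    assertion = assertions[0]
    problems = []
    if assertion.get("Version") != "2.0":
        problems.append("unsupported SAML version")
    issuer = (assertion.findtext("saml2:Issuer", default="", namespaces=NS) or "").strip()
    if issuer not in trusted_issuers:
        problems.append(f"untrusted issuer {issuer!r}")
    conf = assertion.find("saml2:Subject/saml2:SubjectConfirmation", NS)
    method = conf.get("Method") if conf is not None else None
    if method not in allowed_methods:
        problems.append(f"confirmation method {method!r} not allowed")
    conds = assertion.find("saml2:Conditions", NS)
    if conds is None:
        problems.append("assertion has no Conditions")
    else:
        if conds.get("NotBefore") and now + skew < parse_xsd_time(conds.get("NotBefore")):
            problems.append("assertion not yet valid")
        if conds.get("NotOnOrAfter") and now - skew >= parse_xsd_time(conds.get("NotOnOrAfter")):
            problems.append("assertion expired")
    expires = root.findtext("soapenv:Header/wsse:Security/wsu:Timestamp/wsu:Expires",
                            default=None, namespaces=NS)
    if expires and now - skew >= parse_xsd_time(expires):
        problems.append("WS-Security timestamp expired")
    return problems
```

Because the confirmation method is sender-vouches, nothing inside the assertion proves who presented it; the checks above are only meaningful if the channel from the gateway to the JBoss endpoint is itself authenticated (for example mutually authenticated TLS restricted to the gateway), which is the trust the Issuer check relies on.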