3 Replies Latest reply on Nov 9, 2011 10:27 AM by Marc van Andel

    How implementing webservices with JBoss and the L7 XML Gateway

    bloemg Newbie

      Has anyone experience with implementing webservices in a JBoss environment with an XML Gateway? The XML Gateway is also responsible for security.

      The goal is implementing webservices without WS-Security and WS-Trust implementations. This will be done in the XML gateway. Propagating identity information will be done with SAML2.

      The STS function will be done in the XML Gateway. We see PL as a product which also can act as an STS. If implementing PL, do we have to use the STS function?

      The only thing we want to do is have the ability to consume the SAML assertions.

        • 2. Re: How implementing webservices with JBoss and the L7 XML Gateway
          bloemg Newbie

          Do we need all handlers?

          We only want to use the SAML2Handler. We do not want to use authentication or authorization again because this was already done at the Gateway.

          Is this possible?

          • 3. Re: How implementing webservices with JBoss and the L7 XML Gateway
            Marc van Andel Newbie

            Working with bloemg I'll provide some more info about this. It seems that the SAML2Handler should be enough 'cause 'The SAML20TokenProvider is capable of validating the SAML assertions it issues', following http://community.jboss.org/wiki/PicketLinkSTS-SAMLProfile#SAML_Token_Validation. There's also an example of just using the SAML2Handler: https://docs.jboss.org/author/display/PLINK/SAML2Handler (Inbound part).


            But when calling the JAX-WS endpoint running on JBoss EAP 5.1 with Apache CXF as the WS stack provider, after enhancing the SOAP request with a SAML token in Layer7:


            <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                              xmlns:v20="http://www.company.com/schemas/example-app/v20111101">
                <soapenv:Header>
                    <wsse:Security soapenv:mustUnderstand="1"
                                   xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                                   xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
                        <saml2:Assertion ID="SamlAssertion-144fa48dc370c7a921414f3c53ed111b"
                                         IssueInstant="2011-11-09T15:04:07.000Z" Version="2.0"
                                         xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
                            <saml2:Issuer>layer7.company.com</saml2:Issuer>
                            <saml2:Subject>
                                <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:sender-vouches">
                                    <saml2:NameID>CN=layer7.company.com</saml2:NameID>
                                </saml2:SubjectConfirmation>
                            </saml2:Subject>
                            <saml2:Conditions NotBefore="2011-11-09T15:02:07.000Z" NotOnOrAfter="2011-11-09T15:09:07.000Z"/>
                            <saml2:AuthnStatement AuthnInstant="2011-11-09T15:04:07.000Z">
                                <saml2:SubjectLocality Address="10.103.121.235"/>
                                <saml2:AuthnContext>
                                    <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
                                </saml2:AuthnContext>
                            </saml2:AuthnStatement>
                        </saml2:Assertion>
                        <wsu:Timestamp>
                            <wsu:Created>2011-11-09T15:04:07.006451559Z</wsu:Created>
                            <wsu:Expires>2011-11-09T15:09:07.006Z</wsu:Expires>
                        </wsu:Timestamp>
                    </wsse:Security>
                </soapenv:Header>
                <soapenv:Body>
                    <v20:getUserPrincipal/>
                </soapenv:Body>
            </soapenv:Envelope>


            We get the following exception:


            16:03:18,949 ERROR [SAML2Handler] Exception in parsing the assertion:
            java.lang.ClassCastException: com.ctc.wstx.evt.CompactStartElement cannot be cast to javax.xml.stream.events.EndElement
                    at org.picketlink.identity.federation.core.parsers.saml.SAMLSubjectParser.parse(SAMLSubjectParser.java:123)
                    at org.picketlink.identity.federation.core.parsers.saml.SAMLAssertionParser.parse(SAMLAssertionParser.java:148)
                    at org.picketlink.identity.federation.core.parsers.saml.SAMLParser.parse(SAMLParser.java:76)
                    at org.picketlink.identity.federation.core.parsers.AbstractParser.parse(AbstractParser.java:92)
                    at org.picketlink.identity.federation.core.wstrust.plugins.saml.SAMLUtil.fromElement(SAMLUtil.java:145)
                    at org.picketlink.trust.jbossws.handler.SAML2Handler.handleInbound(SAML2Handler.java:86)
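Whatever the parser ends up accepting, the endpoint still has to decide whether to trust a gateway-issued sender-vouches assertion like the one above. As an added example (not from the thread and not PicketLink code), the checks a relying party should apply, run against a constructed envelope shaped like the posted one; the trusted issuer name, the 60-second clock skew and the unsigned-assertion rule are assumptions.

```python
"""Checks a relying party should apply to a sender-vouches SAML2 assertion carried in a
WS-Security header. Added example, not PicketLink code; issuer, skew and SAMPLE are constructed."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET
NS = {"soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
      "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"
# Constructed sample, shaped like the gateway-issued envelope in the thread (body omitted).
SAMPLE = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<saml2:Assertion ID="_example" Version="2.0" IssueInstant="2011-11-09T15:04:07.000Z" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:Issuer>layer7.company.com</saml2:Issuer><saml2:Subject>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"><saml2:NameID>CN=layer7.company.com</saml2:NameID></saml2:SubjectConfirmation></saml2:Subject>
<saml2:Conditions NotBefore="2011-11-09T15:02:07.000Z" NotOnOrAfter="2011-11-09T15:09:07.000Z"/>
</saml2:Assertion></wsse:Security></soapenv:Header><soapenv:Body/></soapenv:Envelope>"""

def _ts(value):
    # SAML timestamps are UTC ISO-8601 ending in 'Z'; fractional seconds are dropped.
    return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def check_assertion(envelope_xml, trusted_issuer, now, skew=timedelta(seconds=60)):
    """Return the list of rejection reasons; an empty list means the assertion is acceptable."""
    root = ET.fromstring(envelope_xml)  # production: use a hardened parser (no DTD/entities)
    sec = root.find("soapenv:Header/wsse:Security", NS)
    if sec is None:
        return ["no wsse:Security header"]
    assertions = sec.findall("saml2:Assertion", NS)
    if len(assertions) != 1:
        return ["expected exactly one saml2:Assertion, found %d" % len(assertions)]
    a, problems = assertions[0], []
    if a.findtext("saml2:Issuer", "", NS).strip() != trusted_issuer:
        problems.append("issuer is not the trusted gateway")
    methods = {sc.get("Method") for sc in a.iterfind("saml2:Subject/saml2:SubjectConfirmation", NS)}
    if SENDER_VOUCHES not in methods:
        problems.append("no sender-vouches SubjectConfirmation")
    # sender-vouches only means something if the voucher is authenticated: a signature, or mutual TLS.
    if a.find("ds:Signature", NS) is None and sec.find("ds:Signature", NS) is None:
        problems.append("unsigned assertion: accept only over mutual TLS from the gateway")
    cond = a.find("saml2:Conditions", NS)
    if cond is None or None in (cond.get("NotBefore"), cond.get("NotOnOrAfter")):
        return problems + ["missing validity window"]
    if now + skew < _ts(cond.get("NotBefore")):
        problems.append("assertion not yet valid")
    if now - skew >= _ts(cond.get("NotOnOrAfter")):
        problems.append("assertion expired")
    return problems
```

With the posted assertion, the only finding is the missing signature; the NameID sitting under SubjectConfirmation is left to the parser, since the stack trace is where that question is decided.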