1 Reply Latest reply on Apr 19, 2016 9:36 PM by Tomohisa igarashi

    STS Token validation over JMS Binding

    ravi narayanan Expert

      Hi All,

       

      Can you please tell me if I can validate the STS token with JMS binding in SwitchYard 1.1?

       

      I have a scenario where the consumer puts the SOAP message with an STS SAML token into an MQ (HornetQ).

       

      <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
        <soapenv:Header>
          <wsse:Security
            xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
            <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="ID_d2c3b84d-516f-4c9b-9368-c3fb65c5328e" IssueInstant="2016-04-19T15:31:51.308Z" Version="2.0">
              <saml:Issuer>PicketLinkSTS</saml:Issuer>
              <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
                <dsig:SignedInfo>
                  <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"/>
                  <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                  <dsig:Reference URI="#ID_d2c3b84d-516f-4c9b-9368-c3fb65c5328e">
                    <dsig:Transforms>
                      <dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                      <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                    </dsig:Transforms>
                    <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                    <dsig:DigestValue>Bjd6ccb2d7cvzjGuLyFQSh9dKf8=</dsig:DigestValue>
                  </dsig:Reference>
                </dsig:SignedInfo>
                <dsig:SignatureValue>QALMswaYtJjKJrGdwxCzOuQW02sGN3c6snQPRJhUfCOIfmp5fSmgBGmzDgO43aO7jaHv4zpPeb/RV25x7WQn4J/puORj8WxJLqaPGGobxxY87REpdv3DPRJIKK5fB7Hk2m1ugFrx+iJYXKivSYiAZPVZ31RghCKRga0HN+NjUKI=</dsig:SignatureValue>
                <dsig:KeyInfo>
                  <dsig:KeyValue>
                    <dsig:RSAKeyValue>
                      <dsig:Modulus>suGIyhVTbFvDwZdx8Av62zmP+aGOlsBN8WUE3eEEcDtOIZgO78SImMQGwB2C0eIVMhiLRzVPqoW1dCPAveTm653zHOmubaps1fY0lLJDSZbTbhjeYhoQmmaBro/tDpVw5lKJns2qVnMuRK19ju2dxpKwlYGGtrP5VQv00dfNPbs=</dsig:Modulus>
                      <dsig:Exponent>AQAB</dsig:Exponent>
                    </dsig:RSAKeyValue>
                  </dsig:KeyValue>
                </dsig:KeyInfo>
              </dsig:Signature>
              <saml:Subject>
                <saml:NameID NameQualifier="urn:picketlink:identity-federation">UserB</saml:NameID>
                <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
              </saml:Subject>
              <saml:Conditions NotBefore="2016-04-19T15:31:51.308Z" NotOnOrAfter="2016-04-19T17:31:51.308Z"/>
              <saml:AuthnStatement AuthnInstant="2016-04-19T15:31:51.308Z">
                <saml:AuthnContext>
                  <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:cm:bearer</saml:AuthnContextClassRef>
                </saml:AuthnContext>
              </saml:AuthnStatement>
            </saml:Assertion>
          </wsse:Security>
        </soapenv:Header>
        <soapenv:Body>
          <urn:Input xmlns:urn="urn:InsurInqIMP">
            <urn:policy>
              <urn:POLTYP>POTT</urn:POLTYP>
              <urn:POLBRP>MN</urn:POLBRP>
              <urn:POLNOP>123456</urn:POLNOP>
            </urn:policy>
            <urn:insurer>
              <urn:INSNOP>123456</urn:INSNOP>
            </urn:insurer>
          </urn:Input>
        </soapenv:Body>
      </soapenv:Envelope>

       

      I need to validate the STS token and process the message only if it is valid.

      I had a look into the sample quickstart policy-security-saml, and the quickstart is working fine.

      I tried in a similar way by adding the security callbackHandler and adding the security policy for clientAuthentication:

       

      <sy:securities>

            <sy:security callbackHandler="org.switchyard.security.jboss.callback.handler.STSTokenCallbackHandler" securityDomain="saml-validate-token"/>

      </sy:securities>

      ______________________________________________________________________________________________________________________________

      <sca:service name="AsyncConRQ" requires="clientAuthentication">

              <sy:interface.esb inputType="java.lang.String" outputType="java.lang.String"/>

      </sca:service>

       

      It is not validating, and when I tried debugging the application in STSTokenCallbackHandler, the security credentials are returned blank.

       

      Set<Credential> credentials = getCredentials();

       

       

      Can you please help me?
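Whatever the SwitchYard binding ends up doing with the callback handler, the checks a receiver has to perform on the token in the message above are the same, and they are worth spelling out because the message itself invites a mistake: the dsig:KeyInfo carries an RSAKeyValue, and verifying the signature with a key taken from the message proves nothing, since a forger can sign with any key and embed it. The following is an added, stand-alone example (not SwitchYard, PicketLink or the quickstart's code) of validating the SAML 2.0 assertion from a SOAP envelope read off the queue with only the JDK: the signature is verified against a pinned STS public key, the envelope must contain exactly one assertion whose enveloped signature references the assertion's own ID (so a wrapped second assertion is rejected), the Issuer must be the expected one, and the Conditions window is checked with a bounded clock skew. The class name, the 2-minute skew, the DER public-key file and the expected issuer value "PicketLinkSTS" (taken from the posted message) are assumptions for the example.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyFactory;
import java.security.PublicKey;
import java.security.spec.X509EncodedKeySpec;
import java.time.Duration;
import java.time.Instant;
import javax.xml.XMLConstants;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

/** Added example, not SwitchYard/PicketLink code: validates the SAML assertion in a WS-Security header. */
public final class SamlTokenValidator {

    private static final String SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    private static final String DSIG_NS = XMLSignature.XMLNS; // http://www.w3.org/2000/09/xmldsig#

    private final PublicKey trustedStsKey; // pinned out of band; never taken from the message's KeyInfo
    private final String expectedIssuer;   // assumption: "PicketLinkSTS", as in the posted token
    private final Duration clockSkew;      // assumption: a couple of minutes

    public SamlTokenValidator(PublicKey trustedStsKey, String expectedIssuer, Duration clockSkew) {
        this.trustedStsKey = trustedStsKey;
        this.expectedIssuer = expectedIssuer;
        this.clockSkew = clockSkew;
    }

    /** Returns the authenticated subject NameID, or throws SecurityException if any check fails. */
    public String validate(String soapXml, Instant now) throws Exception {
        Document doc = parseHardened(soapXml);

        // Exactly one assertion in the whole envelope: a second, unsigned one is how wrapping attacks start.
        NodeList assertions = doc.getElementsByTagNameNS(SAML_NS, "Assertion");
        if (assertions.getLength() != 1) {
            throw new SecurityException("expected exactly one saml:Assertion, found " + assertions.getLength());
        }
        Element assertion = (Element) assertions.item(0);
        // DOM does not know ID attributes without a schema; register it so Reference URI="#ID_..." resolves.
        assertion.setIdAttribute("ID", true);

        // 1. Signature: one ds:Signature, a direct child of the assertion, verified against the pinned key only.
        NodeList sigs = assertion.getElementsByTagNameNS(DSIG_NS, "Signature");
        if (sigs.getLength() != 1 || !sigs.item(0).getParentNode().isSameNode(assertion)) {
            throw new SecurityException("assertion must carry exactly one enveloped signature");
        }
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        DOMValidateContext ctx = new DOMValidateContext(KeySelector.singletonKeySelector(trustedStsKey), sigs.item(0));
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE); // reject weak/unsafe transforms and algorithms
        XMLSignature signature = fac.unmarshalXMLSignature(ctx);
        if (!signature.validate(ctx)) {
            throw new SecurityException("SAML assertion signature is invalid");
        }
        // The signed Reference must cover this assertion, not some other element in the document.
        String refUri = ((Reference) signature.getSignedInfo().getReferences().get(0)).getURI();
        if (!refUri.equals("#" + assertion.getAttribute("ID"))) {
            throw new SecurityException("signature does not cover the assertion: " + refUri);
        }

        // 2. Issuer must be the STS we trust.
        String issuer = textOf(assertion, "Issuer");
        if (!expectedIssuer.equals(issuer)) throw new SecurityException("unexpected issuer " + issuer);

        // 3. Validity window, allowing bounded clock skew between STS and consumer.
        Element cond = firstDescendant(assertion, "Conditions");
        Instant notBefore = Instant.parse(cond.getAttribute("NotBefore"));
        Instant notOnOrAfter = Instant.parse(cond.getAttribute("NotOnOrAfter"));
        if (now.plus(clockSkew).isBefore(notBefore)) throw new SecurityException("assertion not yet valid");
        if (!now.minus(clockSkew).isBefore(notOnOrAfter)) throw new SecurityException("assertion expired");

        return textOf(firstDescendant(assertion, "Subject"), "NameID");
    }

    /** Namespace-aware parser with DTDs and external entities disabled (no XXE / entity expansion). */
    private static Document parseHardened(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    private static Element firstDescendant(Element parent, String localName) {
        NodeList nl = parent.getElementsByTagNameNS(SAML_NS, localName);
        if (nl.getLength() == 0) throw new SecurityException("missing saml:" + localName);
        return (Element) nl.item(0);
    }

    private static String textOf(Element parent, String localName) {
        return firstDescendant(parent, localName).getTextContent().trim();
    }

    /** Usage (paths are assumptions): java SamlTokenValidator sts-public.der message.xml */
    public static void main(String[] args) throws Exception {
        PublicKey key = KeyFactory.getInstance("RSA")
                .generatePublic(new X509EncodedKeySpec(Files.readAllBytes(Paths.get(args[0]))));
        String xml = new String(Files.readAllBytes(Paths.get(args[1])), StandardCharsets.UTF_8);
        SamlTokenValidator v = new SamlTokenValidator(key, "PicketLinkSTS", Duration.ofMinutes(2));
        System.out.println("authenticated subject: " + v.validate(xml, Instant.now()));
    }
}
```

Two caveats when running this against the token in the post. The assertion is signed with rsa-sha1 and a sha1 digest; with secure validation enabled, JDK 17 and later reject SHA-1 XML signatures, and the right fix is to configure the STS to sign with SHA-256 rather than to turn secure validation off. Also, the SubjectConfirmation is the bearer method, so anyone who can read the message from the queue can replay the token for as long as the Conditions window lasts (two hours here); the signature only covers the assertion, not the SOAP Body, so the message content is not bound to the token at all. Restricting who can read and write the queue and keeping token lifetimes short are part of the design, not something the validator alone can supply.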