1. Re: JBossSTS SOAP protocol handler
anil.saldhana Sep 21, 2009 1:04 PM (in response to beve)

I am unsure we can get this done in the WS layer in a generic way. I foresee a need to have multiple handlers - one for the JBossWS WS-S impl, one for CXF and another for Metro.
All these handlers can do the same thing, but they need to handle the appropriate server impl.
2. Re: JBossSTS SOAP protocol handler
beve Sep 21, 2009 2:05 PM (in response to anil.saldhana)

> I am unsure we can get this done in the WS layer in a generic way. I foresee a need to have multiple handlers - one for JBossWS WS-S impl, one for CXF and other for Metro.

I'm sure you are right, and I'd like to know what issues you see here.
The example given only uses standard JAX-WS code, nothing specific to JBossWS. Is this handled completely differently for CXF and Metro perhaps? As you can probably tell, I've never used them :)

Thanks,
/Daniel
3. Re: JBossSTS SOAP protocol handler
asoldano Sep 22, 2009 4:56 AM (in response to beve)

Yes, providing JAX-WS handlers for calling the STS is probably the easiest way here.
I think the issue Anil's referring to is that "basic" security configuration (enc/dec and sign) is different from stack to stack, because of the different WS-Security implementations, hence the need for having 3 different handlers. Don't know if this can be covered in the existing WSTrustClient; in that case we might probably have a single JAX-WS handler (and that might even be part of the jbossws-framework project).
4. Re: JBossSTS SOAP protocol handler
beve Sep 22, 2009 5:34 AM (in response to asoldano)

Hi Alessio,
thanks for your comments!

> Don't know if this can be covered in the existing WSTrustClient, in that case we might probably have a single jaxws handler (and that might even be part of the jbossws-framework project).

I'll take a look at what's supported in the WSTrustClient. Currently we only extract the SAML Assertion and pass it along to WSTrustClient, which in turn calls JBossSTS. JBossSTS can be configured to sign the SAML tokens that it has issued and check this when it is validating the token.
At the moment we thought of adding this to the identity project, but I'll let Anil and Jeff comment on this. At least at this stage this makes sense, I think, as this is specific to the WSTrustClient.

Regards,
/Daniel
5. Re: JBossSTS SOAP protocol handler
anil.saldhana Sep 22, 2009 10:28 AM (in response to beve)

Dan, the question was whether the SAML assertion can be used as the authentication construct rather than username/pwd or an X509 certificate (as supported by the WS-Security implementation in JBossWS). This was what Stefan and I were referring to.
At this time, I think you should forget about the authentication aspect and just focus on passing the SAML assertion to the WST client and let the STS handle the token.
Maybe you can have a single username/pwd for the ESB layer with the STS to pass in the WS-S headers. Or better, some type of X509 certificate that is mutually agreed on.

There are two different things:
1) There needs to be a security context for the client and the STS to interact. This is what is passed in the WS-S headers. It can be username/pwd or an X509 cert.
2) And then there is the payload (in this case, the SAML assertion) that the STS will use to validate.

From what I see, item 1 is a trust association between the STS and the ESB client. We can set it up once.
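The two layers Anil separates above, as an added example (not code from this thread, from JBossSTS or from WSTrustClient): a standard JAX-WS SOAPHandler that first checks the WS-Security header for the client/STS trust association (item 1) and only then hands the SAML assertion payload (item 2) to a validator. The TokenValidator callback is a hypothetical stand-in for the WSTrustClient call; the namespaces are the WS-Security 1.0 secext and SAML 2.0 assertion namespaces.

```java
import java.util.Collections;
import java.util.Iterator;
import java.util.Set;
import javax.xml.namespace.QName;
import javax.xml.soap.SOAPElement;
import javax.xml.soap.SOAPException;
import javax.xml.soap.SOAPHeader;
import javax.xml.ws.ProtocolException;
import javax.xml.ws.handler.MessageContext;
import javax.xml.ws.handler.soap.SOAPHandler;
import javax.xml.ws.handler.soap.SOAPMessageContext;

/** Inbound JAX-WS handler keeping item 1 (WS-S security context) apart from item 2 (SAML payload). */
public class SamlExtractingHandler implements SOAPHandler<SOAPMessageContext> {
    static final String WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion";
    static final QName SECURITY = new QName(WSSE, "Security");
    static final QName USERNAME_TOKEN = new QName(WSSE, "UsernameToken");
    static final QName BINARY_TOKEN = new QName(WSSE, "BinarySecurityToken"); // X509 certificate carrier
    static final QName ASSERTION = new QName(SAML2, "Assertion");
    /** Hypothetical stand-in for the WSTrustClient validate call the thread describes (assumption). */
    public interface TokenValidator { boolean validate(SOAPElement assertion); }
    private final TokenValidator validator;
    public SamlExtractingHandler(TokenValidator validator) { this.validator = validator; }
    public Set<QName> getHeaders() { return Collections.singleton(SECURITY); }

    public boolean handleMessage(SOAPMessageContext ctx) {
        if (Boolean.TRUE.equals(ctx.get(MessageContext.MESSAGE_OUTBOUND_PROPERTY))) return true; // inbound only
        try {
            SOAPHeader header = ctx.getMessage().getSOAPHeader();
            SOAPElement security = header == null ? null : firstChild(header, SECURITY);
            if (security == null) throw new ProtocolException("missing wsse:Security header");
            // Item 1: the client/STS trust association, a UsernameToken or an X509 BinarySecurityToken.
            if (firstChild(security, USERNAME_TOKEN) == null && firstChild(security, BINARY_TOKEN) == null)
                throw new ProtocolException("no UsernameToken or BinarySecurityToken in wsse:Security");
            // Item 2: the SAML assertion is the payload handed to the STS for validation.
            SOAPElement assertion = firstChild(security, ASSERTION);
            if (assertion == null || !validator.validate(assertion))
                throw new ProtocolException("SAML assertion missing or rejected by the STS");
            return true;
        } catch (SOAPException e) {
            throw new ProtocolException("malformed SOAP header", e);
        }
    }

    /** First direct child of parent with the given qualified name, or null. */
    static SOAPElement firstChild(SOAPElement parent, QName name) {
        Iterator<?> it = parent.getChildElements(name);
        return it.hasNext() ? (SOAPElement) it.next() : null;
    }
    public boolean handleFault(SOAPMessageContext ctx) { return true; }
    public void close(MessageContext ctx) { }
}
```

Throwing ProtocolException from an inbound server-side handler makes the JAX-WS runtime return a SOAP fault, so a request that lacks the trust association never reaches the SAML validation step.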
6. Re: JBossSTS SOAP protocol handler
beve Sep 23, 2009 1:52 AM (in response to anil.saldhana)

> Dan, the question was whether the SAML assertion can be used as the authentication construct rather than username/pwd or a X509 certificate (as supported by the WS-Security implementation in JBossWS).

So we are talking about the STS's own requirements for authenticating and authorizing requests for security tokens. (This would be item 1 in Anil's post, right?)

> Maybe you can have a single username/pwd for the ESB layer with the STS to pass in the WS-S headers. Or better some type of X509 certificate that is mutually agreed on.

This is how we have currently set this up. We are currently using a username/pwd for this in the ESB, but I'll look into using an X509 certificate instead.

Thanks,
/Daniel
7. Re: JBossSTS SOAP protocol handler
asoldano Sep 23, 2009 3:06 AM (in response to anil.saldhana)

"anil.saldhana@jboss.com" wrote:
> Dan, the question was whether the SAML assertion can be used as the authentication construct rather than username/pwd or a X509 certificate (as supported by the WS-Security implementation in JBossWS). This was what Stefan and I were referring to.

Generally speaking I'd love to support authentication based on SAML assertions, but that's not supported in jbossws right now (and yes, doing that in the same way for all stacks is probably a tough issue). We can create a JIRA for this.