SAML Enabled JBoss Web Services

Version 5

    This is a rough draft for the SAML Enabled JBoss Web Services using PicketLink.

    In the ideal case, you would create a JAX-WS handler-chain XML file and then reference it via the @HandlerChain annotation on the WS endpoint.

    But if you are insistent on using the JBossWS-specific @EndpointConfig annotation, then follow the instructions below:

    JBossWS JAXWS Configuration Blocks

    File: server/default/deployers/jbossws.deployer/META-INF/standard-jaxws-endpoint-config.xml

    <endpoint-config>
      <config-name>SAML WSSecurity Endpoint</config-name>
      <post-handler-chains>
        <javaee:handler-chain>
          <javaee:protocol-bindings>##SOAP11_HTTP ##SOAP11_HTTP_MTOM</javaee:protocol-bindings>
          <javaee:handler>
            <javaee:handler-name>SAML2 Handler</javaee:handler-name>
            <javaee:handler-class>org.picketlink.trust.jbossws.handler.SAML2Handler</javaee:handler-class>
          </javaee:handler>
          <javaee:handler>
            <javaee:handler-name>Recording Handler</javaee:handler-name>
            <javaee:handler-class>org.jboss.wsf.framework.invocation.RecordingServerHandler</javaee:handler-class>
          </javaee:handler>
        </javaee:handler-chain>
      </post-handler-chains>
    </endpoint-config>

    <endpoint-config>
      <config-name>SAML WSSecurity POJO Endpoint</config-name>
      <pre-handler-chains>
        <javaee:handler-chain>
          <javaee:protocol-bindings>##SOAP11_HTTP ##SOAP11_HTTP_MTOM</javaee:protocol-bindings>
          <javaee:handler>
            <javaee:handler-name>WSAuthorization Handler</javaee:handler-name>
            <javaee:handler-class>org.picketlink.trust.jbossws.handler.WSAuthorizationHandler</javaee:handler-class>
          </javaee:handler>
          <javaee:handler>
            <javaee:handler-name>WSAuthentication Handler</javaee:handler-name>
            <javaee:handler-class>org.picketlink.trust.jbossws.handler.WSAuthenticationHandler</javaee:handler-class>
          </javaee:handler>
          <javaee:handler>
            <javaee:handler-name>SAML2 Handler</javaee:handler-name>
            <javaee:handler-class>org.picketlink.trust.jbossws.handler.SAML2Handler</javaee:handler-class>
          </javaee:handler>
          <javaee:handler>
            <javaee:handler-name>Recording Handler</javaee:handler-name>
            <javaee:handler-class>org.jboss.wsf.framework.invocation.RecordingServerHandler</javaee:handler-class>
          </javaee:handler>
        </javaee:handler-chain>
      </pre-handler-chains>
    </endpoint-config>

    Note: for the POJO endpoint, the handlers are installed as "pre-handler-chains".
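    As an added example (not part of this draft, nor code from PicketLink or JBossWS), here is an endpoint class that binds to the "SAML WSSecurity Endpoint" configuration above through the JBossWS-specific @EndpointConfig annotation, with the portable @HandlerChain form from the opening paragraph shown in a comment. The package, class, service and operation names and the handler-file name are assumptions. One ordering point to keep in mind when reading the POJO block: JAX-WS invokes a handler chain in listed order for outbound messages and in reverse order for inbound ones, so for an incoming request the POJO chain runs SAML2Handler, then WSAuthenticationHandler, then WSAuthorizationHandler, i.e. assertion extraction before authentication before authorization.

```java
// Added example, not part of the original draft: a JAX-WS endpoint that picks up
// the "SAML WSSecurity Endpoint" configuration from
// standard-jaxws-endpoint-config.xml. Package, class, service and operation
// names are assumed for illustration.
package org.example.saml;

import javax.annotation.Resource;
import javax.jws.WebMethod;
import javax.jws.WebService;
import javax.xml.ws.WebServiceContext;

import org.jboss.ws.annotation.EndpointConfig;

/*
 * Portable alternative (the "ideal case" from the text): drop @EndpointConfig
 * and annotate the class with
 *
 *     @javax.jws.HandlerChain(file = "saml-handlers.xml")
 *
 * where saml-handlers.xml (assumed file name) sits next to the class on the
 * classpath and carries the same chain in standard JAX-WS form:
 *
 *     <handler-chains xmlns="http://java.sun.com/xml/ns/javaee">
 *       <handler-chain>
 *         <handler>
 *           <handler-name>SAML2 Handler</handler-name>
 *           <handler-class>org.picketlink.trust.jbossws.handler.SAML2Handler</handler-class>
 *         </handler>
 *       </handler-chain>
 *     </handler-chains>
 */
@WebService(serviceName = "EchoService")
// JBossWS-specific: configName must match the <config-name> in
// standard-jaxws-endpoint-config.xml exactly, including the spaces.
@EndpointConfig(configName = "SAML WSSecurity Endpoint")
public class EchoEndpoint {

    @Resource
    private WebServiceContext ctx;

    @WebMethod
    public String echo(String msg) {
        // By the time this method runs the handler chain has already processed
        // the inbound SOAP message: SAML2Handler has pulled the assertion out of
        // the WS-Security header, and with the POJO configuration
        // WSAuthenticationHandler and WSAuthorizationHandler have run as well.
        // Whether a principal is visible here depends on the container's
        // security integration, so treat null as "not authenticated" and fail
        // closed instead of echoing to an unknown caller.
        if (ctx.getUserPrincipal() == null) {
            throw new SecurityException("no authenticated principal on this request");
        }
        return ctx.getUserPrincipal().getName() + ": " + msg;
    }
}
```

    Deploy the class in a WAR (POJO endpoint) with the "SAML WSSecurity POJO Endpoint" name if you want the authentication and authorization handlers in front of it; the plain "SAML WSSecurity Endpoint" configuration only installs the SAML2 and recording handlers.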

    File: server/default/deployers/jbossws.deployer/META-INF/standard-jaxws-client-config.xml

      <client-config>
        <config-name>SAML WSSecurity Client</config-name>
        <post-handler-chains>
          <javaee:handler-chain>
            <javaee:protocol-bindings>##SOAP11_HTTP ##SOAP11_HTTP_MTOM</javaee:protocol-bindings>
            <javaee:handler>
              <javaee:handler-name>SAML2Handler</javaee:handler-name>
              <javaee:handler-class>org.picketlink.trust.jbossws.handler.SAML2Handler</javaee:handler-class>
            </javaee:handler>
          </javaee:handler-chain>
        </post-handler-chains>
      </client-config>
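    And the client side, again an added example rather than code from the draft or from PicketLink: a JBossWS native client that selects the "SAML WSSecurity Client" configuration so that the client-side SAML2Handler is installed, then hands it a SAML assertion obtained beforehand from the STS (for instance with PicketLink's WSTrustClient). The endpoint URL, service QName and Echo interface are assumptions, and the request-context property name is assumed to be PicketLink's SAML2_ASSERTION_PROPERTY value; confirm it against the PicketLink release you deploy.

```java
// Added example, not part of the original draft: a JBossWS native client that
// binds a port to the "SAML WSSecurity Client" configuration from
// standard-jaxws-client-config.xml and supplies the assertion that the
// client-side SAML2Handler places in the WS-Security header.
package org.example.saml.client;

import java.net.URL;

import javax.xml.namespace.QName;
import javax.xml.ws.BindingProvider;
import javax.xml.ws.Service;

import org.jboss.ws.core.StubExt;
import org.w3c.dom.Element;

public class SamlEchoClient {

    // Key under which PicketLink's outbound SAML2Handler looks for the assertion
    // (assumed; verify against SAML2Constants in your PicketLink version).
    private static final String SAML_ASSERTION_KEY = "org.picketlink.trust.saml.assertion";

    // Assumed deployment location and service QName (targetNamespace derived
    // from the org.example.saml package of the endpoint example).
    private static final String WSDL_URL = "http://localhost:8080/saml-ws/EchoService?wsdl";
    private static final QName SERVICE_NAME = new QName("http://saml.example.org/", "EchoService");

    // Echo is the assumed JAX-WS service endpoint interface: String echo(String).
    public static String echo(Element samlAssertion, String message) throws Exception {
        if (samlAssertion == null) {
            throw new IllegalArgumentException("an issued SAML assertion is required");
        }

        Service service = Service.create(new URL(WSDL_URL), SERVICE_NAME);
        Echo port = service.getPort(Echo.class);

        // JBossWS-specific: bind this proxy to the <client-config> named above.
        // Without it the default client configuration applies, which has no
        // SAML2Handler, so the request would leave without a Security header.
        ((StubExt) port).setConfigName("SAML WSSecurity Client");

        // The outbound SAML2Handler reads the assertion from the request context
        // and inserts it into the SOAP Security header.
        ((BindingProvider) port).getRequestContext().put(SAML_ASSERTION_KEY, samlAssertion);

        return port.echo(message);
    }
}
```

    The StubExt cast is specific to the JBossWS native stack that the jbossws.deployer paths above belong to; on other JAX-WS stacks the client configuration is selected differently.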

    If your web application uses "SECURITY_DOMAIN" as its login-config auth-method so that the PicketLinkAuthenticator can be configured, then register that authenticator in the following file:

    File: server/default/deployers/jbossweb.deployer/META-INF/war-deployers-jboss-beans.xml

    <entry>
      <key>NONE</key>
      <value>org.apache.catalina.authenticator.NonLoginAuthenticator</value>
    </entry>
    <entry>
      <key>SECURITY_DOMAIN</key>
      <value>org.picketlink.identity.federation.bindings.tomcat.PicketLinkAuthenticator</value>
    </entry>

    Note that we have added the SECURITY_DOMAIN entry; the NONE entry is the existing default, shown here for context.