Personal tools

Saml:AuthenticateClient: Difference between revisions

From Adapt

Jump to: navigation, search
No edit summary
 
No edit summary
 
Line 26: Line 26:
===Prime wss4j===
===Prime wss4j===


Next, you need to prime <nop>CachedDoAllSender with information regarding the assertion and keystore to use.
Next, you need to prime CachedDoAllSender with information regarding the assertion and keystore to use.


<pre>
<pre>
Line 61: Line 61:
</pre>
</pre>


wss4j wants to pull the password to unlock your private key from a callback class. This is the same as retrieving the password for doing ws-security <nop>UsernameToken authentication. A sample callback class follows:
wss4j wants to pull the password to unlock your private key from a callback class. This is the same as retrieving the password for doing ws-security UsernameToken authentication. A sample callback class follows:


<pre>
<pre>

Latest revision as of 23:44, 11 September 2008

Connect to SAML Authenticated service

SAML Authenticated calls are done using wss4j along with some helper classes in the pawn-ws-sec project. These handle signing messages, and embedding assertions in the soap message.

Configure WSS4j

You'll need to create a client deployment descriptor to tell wss4j to handle signing messages and to tell it to use different classes to do the signing. This connects to the Receiver service.

<deployment xmlns="http://xml.apache.org/axis/wsdd/" xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
 <transport name="http" pivot="java:org.apache.axis.transport.http.HTTPSender"/>
  <globalConfiguration >
  </globalConfiguration >

    <service name="Receiver">
        <requestFlow>
            <handler type="java:edu.umiacs.wssec.CachedDoAllSender">
                 <parameter name="action" value="Timestamp SAMLTokenSigned"/>
            </handler> 
        </requestFlow>
    </service>

</deployment>

Prime wss4j

Next, you need to prime CachedDoAllSender with information regarding the assertion and keystore to use.

    CachedDoAllSender.setSignatureKeyStore(keystore);
    CachedDoAllSender.setSamlAssertion(samlAssertion);

Create call

Now when you want to call a saml authenticated service, you must first create a service locator and call based on the deployment descriptor above:

        
        ReceiverServiceLocator recvSl;
        Receiver               recv;

        String                 url = "http://localhost:8080/pawn-archive/services/Receiver"
        EngineConfiguration    config = new FileProvider("client.deploy.wsdd");

        
        recvSl = new ReceiverServiceLocator(config);
        recvSl.setReceiverEndpointAddress(url);
        recv = schedSl.getReceiver();
        

The next step is to configure the call

        Stub stub = (stub)recv;

        stub._setProperty(WSHandlerConstants.SIG_KEY_ID, "DirectReference");
        stub._setProperty(WSHandlerConstants.USER, KEYSTORE_ALIAS); // alias w/ priv/pub keypair
        stub._setProperty(WSHandlerConstants.PW_CALLBACK_REF, new PasswordCallBack(KEYSTORE_PASS));

wss4j wants to pull the password to unlock your private key from a callback class. This is the same as retrieving the password for doing ws-security UsernameToken authentication. A sample callback class follows:

public class PasswordCallBack implements CallbackHandler {

    private String pass;

    public PasswordCallBack(String pass) {
        this.pass = pass;
    }

    public void handle(javax.security.auth.callback.Callback[] callbacks) 
            throws java.io.IOException, 
            javax.security.auth.callback.UnsupportedCallbackException {
        
        for (int i = 0; i < callbacks.length; i++) {
            if (callbacks[i] instanceof WSPasswordCallback) {
                WSPasswordCallback pc = (WSPasswordCallback)callbacks[i];
                
                // for saml token , uses type unknown due to bug in wss4j
                if (pc.getUsage() == WSPasswordCallback.UNKNOWN) {
                    pc.setPassword(pass);
                }
                
            } else {
                throw new UnsupportedCallbackException(callbacks[i], "Unrecognized Callback");
            }
        }
    }
}

You can now make web service calls.

    recv.testAuthorization();

-- Main.MikeSmorul - 12 Sep 2005