
Saml:AuthenticateClient

From Adapt

Revision as of 23:43, 11 September 2008 by Scsong (talk | contribs)

Connect to a SAML-authenticated service

SAML-authenticated calls are made using wss4j together with some helper classes in the pawn-ws-sec project. These handle signing messages and embedding assertions in the SOAP message.

Configure WSS4j

You'll need to create a client deployment descriptor that tells wss4j to sign messages and to use different classes to do the signing. The descriptor below connects to the Receiver service.

<deployment xmlns="http://xml.apache.org/axis/wsdd/" xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
    <transport name="http" pivot="java:org.apache.axis.transport.http.HTTPSender"/>
    <globalConfiguration>
    </globalConfiguration>

    <service name="Receiver">
        <requestFlow>
            <handler type="java:edu.umiacs.wssec.CachedDoAllSender">
                <parameter name="action" value="Timestamp SAMLTokenSigned"/>
            </handler>
        </requestFlow>
    </service>

</deployment>

Prime wss4j

Next, you need to prime CachedDoAllSender with the assertion and the keystore to use.

    CachedDoAllSender.setSignatureKeyStore(keystore);
    CachedDoAllSender.setSamlAssertion(samlAssertion);

Create call

Now, when you want to call a SAML-authenticated service, you must first create a service locator and a call based on the deployment descriptor above:

        import org.apache.axis.EngineConfiguration;
        import org.apache.axis.configuration.FileProvider;

        ReceiverServiceLocator recvSl;
        Receiver               recv;

        // endpoint of the Receiver service and the client-side WSDD shown above
        String                 url = "http://localhost:8080/pawn-archive/services/Receiver";
        EngineConfiguration    config = new FileProvider("client.deploy.wsdd");

        recvSl = new ReceiverServiceLocator(config);
        recvSl.setReceiverEndpointAddress(url);
        recv = recvSl.getReceiver();

The next step is to configure the call:

        import org.apache.axis.client.Stub;
        import org.apache.ws.security.handler.WSHandlerConstants;

        Stub stub = (Stub) recv;

        // reference the signing certificate directly and sign with the private key under KEYSTORE_ALIAS
        stub._setProperty(WSHandlerConstants.SIG_KEY_ID, "DirectReference");
        stub._setProperty(WSHandlerConstants.USER, KEYSTORE_ALIAS); // alias w/ priv/pub keypair
        stub._setProperty(WSHandlerConstants.PW_CALLBACK_REF, new PasswordCallBack(KEYSTORE_PASS));

wss4j pulls the password that unlocks your private key from a callback class. This is the same mechanism used to retrieve the password for WS-Security UsernameToken authentication. A sample callback class follows:

import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

public class PasswordCallBack implements CallbackHandler {

    private String pass;

    public PasswordCallBack(String pass) {
        this.pass = pass;
    }

    public void handle(Callback[] callbacks)
            throws IOException, UnsupportedCallbackException {

        for (int i = 0; i < callbacks.length; i++) {
            if (callbacks[i] instanceof WSPasswordCallback) {
                WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];

                // for a SAML token wss4j asks for the password with usage UNKNOWN
                // (instead of SIGNATURE) because of a bug in wss4j, so answer that usage
                if (pc.getUsage() == WSPasswordCallback.UNKNOWN) {
                    pc.setPassword(pass);
                }

            } else {
                throw new UnsupportedCallbackException(callbacks[i], "Unrecognized Callback");
            }
        }
    }
}
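The sample above hands out the key password to any WSPasswordCallback with usage UNKNOWN. As an added example (not code from this page or from the pawn-ws-sec project), the variant below releases the password only for the expected keystore alias and a signing usage, refuses anything else, and reads the password from the environment instead of a literal; it assumes the wss4j 1.5.x API (where the alias accessor is spelled getIdentifer()), and the environment variable name PAWN_KEYSTORE_PASS is a constructed placeholder.

```java
import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.axis.client.Stub;
import org.apache.ws.security.WSPasswordCallback;
import org.apache.ws.security.handler.WSHandlerConstants;

// Releases the private-key password only for the expected alias and a signing usage;
// every other request is refused rather than answered.
public class ScopedPasswordCallback implements CallbackHandler {
    private final String expectedAlias;
    private final String pass;

    public ScopedPasswordCallback(String expectedAlias, String pass) {
        this.expectedAlias = expectedAlias;
        this.pass = pass;
    }

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
            if (!(callbacks[i] instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(callbacks[i], "Unrecognized Callback");
            }
            WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];
            // wss4j 1.5.x spells this accessor getIdentifer(); it carries the WSHandlerConstants.USER alias
            String alias = pc.getIdentifer();
            int usage = pc.getUsage();
            // a signed SAML token is requested as UNKNOWN (the wss4j bug noted above), a plain signature as SIGNATURE
            boolean signing = usage == WSPasswordCallback.SIGNATURE || usage == WSPasswordCallback.UNKNOWN;
            if (!signing || !expectedAlias.equals(alias)) {
                throw new UnsupportedCallbackException(pc, "Refusing password for alias '" + alias
                        + "' with usage " + usage);
            }
            pc.setPassword(pass);
        }
    }

    // Wires signing onto an Axis stub; the password comes from the environment instead of a literal.
    // PAWN_KEYSTORE_PASS is a constructed variable name, not one used by the project.
    public static void configureSigning(Stub stub, String alias) {
        String pass = System.getenv("PAWN_KEYSTORE_PASS");
        if (pass == null) throw new IllegalStateException("PAWN_KEYSTORE_PASS is not set");
        stub._setProperty(WSHandlerConstants.SIG_KEY_ID, "DirectReference");
        stub._setProperty(WSHandlerConstants.USER, alias);
        stub._setProperty(WSHandlerConstants.PW_CALLBACK_REF, new ScopedPasswordCallback(alias, pass));
    }
}
```

Calling ScopedPasswordCallback.configureSigning((Stub) recv, KEYSTORE_ALIAS) replaces the three _setProperty calls shown earlier.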

You can now make web service calls.

    recv.testAuthorization();

-- Main.MikeSmorul - 12 Sep 2005