Get Security Token


patch_78
Hi,

I am a newbie. I follow the example at http://www.jroller.com/gmazza/entry/cxf_sts_tutorial.

I have a web service that uses the policy sp:IssuedToken from an STS.
In the web app calling the web service, I define the STS class in cxf.xml as
<jaxws:properties>
  <entry key="ws-security.sts.client">
    <bean class="org.apache.cxf.ws.security.trust.STSClient">
      ....
    </bean>
  </entry>
</jaxws:properties>

This is the code in my web app:
DataStorageService service = new DataStorageService();
DataStoragePortType port = service.getDataStoragePort();

How can I get the security token obtained from the STS?

patch


Re: Get Security Token

ivan
Hi,

I am also new, but I think I have already managed to get running what you
need. However, it has been quite a long procedure.

You need Apache CXF Fediz for this. You can check it out from here:
https://github.com/apache/cxf-fediz

Then the best way is to go through almost all the blog entries by Oliver,
starting from the beginning:
http://owulff.blogspot.de/2011/10/configure-and-deploy-cxf-25-sts-part-i.html
You need to get everything running one by one: first the STS, then the
IDP, then a relying party (RP), and finally a web service / web service
client. If you follow the blogs, you can finally get the
examples\wsclientWebapp\ example running, which does what you need:
- there is an IDP/STS running on a Tomcat
- another Tomcat is running a web service that needs a SAML IssuedToken
- another Tomcat is running a web application that calls the previous web
service (it first acquires a SAML token), and finally visualizes the token and
the web service result in the browser.

Please tell, if I can help you further.

Cheers,
Ivan
2013/6/6 patch_78 <[hidden email]>

> Hi,
>
> I am a newbie. I follow the example at
> http://www.jroller.com/gmazza/entry/cxf_sts_tutorial.
>
> I have a web service that uses the policy sp:IssuedToken from an STS.
> In the web app calling the web service, I define the STS class in
> cxf.xml
> as
> <jaxws:properties>
> <entry key="ws-security.sts.client">
> <bean class="org.apache.cxf.ws.security.trust.STSClient">
> ....
> </bean></entry></jaxws:properties>
>
> This is the code in my web app:
> DataStorageService service = new DataStorageService();
> DataStoragePortType port = service.getDataStoragePort();
>
> How can I get the security token obtained from the STS?
>
> patch
Re: Get Security Token

patch_78
Hi Ivan,

I have already tried Apache CXF Fediz. It does not exactly fit my requirements.
Thanks anyway!

My requirement is as follows:
1) the user will be authenticated by an external identity provider and get a SAML2 token. This is done when the client logs in using a web interface.
2) the SAML2 token from 1) (or a part of it) is used by the web interface to get another SAML2 token from a web service.
3) the SAML2 token from 2) will be used by the web interface when it calls other web services for other services.

I followed the example at http://www.jroller.com/gmazza/entry/cxf_sts_tutorial and tried some customization to implement steps 2 and 3.

patch
Re: Get Security Token

ivan
I think examples\wsclientWebapp\ does exactly what you need. When you log
into it, it acquires a SAML token from the IDP. Then when you press a
button on the web GUI, it acquires a new token OnBehalfOf the previous one,
and uses this second token to call the web service. And finally it
displays the SAML token information. You can use container-specific
(Tomcat, Jetty) plugins to access the SAML token internals, or use Spring
Security.


2013/6/6 patch_78 <[hidden email]>

> Hi Ivan,
>
> I have already tried Apache CXF Fediz. It does not exactly fit my requirements.
> Thanks anyway!
>
> My requirement is as follows:
> 1) the user will be authenticated by an external identity provider and get
> a SAML2
> token. This is done when the client logs in using a web interface.
> 2) the SAML2 token from 1) (or a part of it) is used by the web interface
> to
> get another SAML2 token from a web service.
> 3) the SAML2 token from 2) will be used by the web interface when it calls
> other web services for other services.
>
> I followed the example at
> http://www.jroller.com/gmazza/entry/cxf_sts_tutorial and tried some
> customization to implement steps 2 and 3.
>
> patch
Re: Get Security Token

patch_78
Hi Ivan,

I am still confused about how examples\wsclientWebapp\ fits my requirement. It would be very helpful if you could point it out based on the requirement I described previously.

FYI,
in step 1) the user is authenticated by an external identity provider based on an SSO protocol. I implemented this with the Spring Security SAML extension and managed to get a SAML2 token.
After step 1) no IDP is needed, only an STS/web service that issues another SAML token based on the one obtained in step 1).

Thanks!
patch
Re: Get Security Token

ivan
Hi patch,

Maybe I am not the best one to answer your question, but let me explain in
more detail what happens in wsclientWebapp.

You have three Tomcat instances: a) runs the CXF STS and Fediz IDP, b) runs the
web service that requires a SAML token, c) runs the web application that is
a client to the web service in (b).

1) When you log in to the web application (c), a SAML token is acquired from
the IDP/STS.
(When you use Fediz with the Tomcat plugin, for instance, you get a
FederationPrincipal by calling HttpServletRequest.getUserPrincipal(). By
using the FederationPrincipal, you access the claims in the SAML token. You
can also access the whole token if you put it into a ThreadLocal from a
servlet filter - also in the example).

2) After logging in, when you call the web service (b) from the web
application (c), a new token request is sent to the STS (a) directly (so no
IDP is needed). The request contains the current SAML token as OnBehalfOf.

3) The STS prepares a new token and sends it back.

4) The web application (c) calls the web service (b) by sending the second
SAML token.

----

I have the feeling this is your scenario. But as I said, I am also kind of
new in this topic. If you need, I can send you my three Tomcat instances,
and with them you can try the above mentioned steps.

Cheers,
Ivan
2013/6/6 patch_78 <[hidden email]>

> Hi Ivan,
>
> I am still confused about how examples\wsclientWebapp\ fits my requirement.
> It
> would be very helpful if you could point it out based on the requirement I
> described
> previously.
>
> FYI,
> in step 1) the user is authenticated by an external identity provider based
> on an SSO protocol. I implemented this with the Spring Security SAML extension
> and managed to get a SAML2 token.
> After step 1) no IDP is needed, only an STS/web service that issues
> another
> SAML token based on the one obtained in step 1).
>
> Thanks!
> patch
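Ivan's steps 2 to 4, written out as an added example in plain CXF (this is not code from the thread, from Glen Mazza's tutorial, from CXF or from Fediz): the SAML2 assertion obtained at SSO login in step 1 is sent to the STS as wst:OnBehalfOf, the returned token is checked before it is trusted, and it is then handed to the JAX-WS port so the sp:IssuedToken policy uses it instead of the port calling the STS itself. The STS WSDL URL, the service and port QNames, the UsernameToken credentials, the callback handler class, the keystore properties file and the alias, and the assumption that the STS is configured to accept OnBehalfOf and to issue bearer SAML2 tokens are all assumptions that must be adjusted to your deployment; the class name OnBehalfOfTokenExchange is hypothetical.

```java
// Added example, not code from the thread, CXF or Fediz. Everything marked
// "assumption" must be adjusted to the STS you actually run.
import java.util.HashMap;
import java.util.Map;

import org.w3c.dom.Element;

import org.apache.cxf.Bus;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.cxf.ws.security.trust.STSClient;

public final class OnBehalfOfTokenExchange {

    // Standard WS-Trust 1.3 / SAML URIs (not assumptions)
    private static final String WST_NS = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/";
    private static final String BEARER_KEYTYPE = WST_NS + "Bearer";
    private static final String SAML2_TOKEN_TYPE =
        "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0";
    private static final String SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion";

    // Assumptions: where the STS lives and how its WSDL names the service/port
    private static final String STS_WSDL = "https://localhost:8443/SecurityTokenService/UT?wsdl";
    private static final String STS_SERVICE = "{" + WST_NS + "}SecurityTokenService";
    private static final String STS_PORT = "{" + WST_NS + "}UT_Port";

    private OnBehalfOfTokenExchange() { }

    private static boolean isSaml2Assertion(Element el) {
        return el != null && SAML2_NS.equals(el.getNamespaceURI())
            && "Assertion".equals(el.getLocalName());
    }

    /** Steps 2 and 3: exchange the step-1 SSO assertion for a new SAML2 token scoped to serviceAddress. */
    public static SecurityToken exchange(Bus bus, Element ssoAssertion, String serviceAddress)
            throws Exception {
        if (!isSaml2Assertion(ssoAssertion)) {
            throw new IllegalArgumentException("step 1 did not yield a saml2:Assertion element");
        }

        STSClient sts = new STSClient(bus);
        sts.setWsdlLocation(STS_WSDL);
        sts.setServiceName(STS_SERVICE);
        sts.setEndpointName(STS_PORT);
        sts.setTokenType(SAML2_TOKEN_TYPE);
        sts.setKeyType(BEARER_KEYTYPE);     // bearer token: no proof key, the web app acts as delegate
        sts.setOnBehalfOf(ssoAssertion);    // becomes <wst:OnBehalfOf> in the RST

        // The web app authenticates itself to the STS (UsernameToken, plus the STS certificate
        // for encryption). All four values are assumptions.
        Map<String, Object> props = new HashMap<String, Object>();
        props.put(SecurityConstants.USERNAME, "webapp");
        props.put(SecurityConstants.CALLBACK_HANDLER, "demo.ClientCallbackHandler");
        props.put(SecurityConstants.ENCRYPT_PROPERTIES, "clientKeystore.properties");
        props.put(SecurityConstants.ENCRYPT_USERNAME, "mystskey");
        sts.setProperties(props);

        // AppliesTo = the target web service, so the STS scopes the new token's audience to it
        SecurityToken issued = sts.requestSecurityToken(serviceAddress);

        // Do not trust the RSTR blindly: it must contain an unexpired SAML2 assertion.
        if (!isSaml2Assertion(issued.getToken())) {
            throw new SecurityException("STS did not return a saml2:Assertion");
        }
        if (issued.isExpired()) {
            throw new SecurityException("STS returned an already-expired token");
        }
        return issued;
    }

    /** Step 4: make the port send the issued token instead of fetching one itself. */
    public static void attach(Object port, SecurityToken issued) {
        Client client = ClientProxy.getClient(port);
        // A JAX-WS proxy shares one request context across threads unless this flag is set;
        // in a multi-user web app that would let one user's token be sent for another user.
        client.getRequestContext().put("thread.local.request.context", "true");
        // ws-security.token is consulted by the IssuedToken interceptor before it calls the STS
        client.getRequestContext().put(SecurityConstants.TOKEN, issued);
    }
}
```

Usage: call exchange(bus, assertionFromStep1, serviceAddress) once per login, attach(port, issued) on the thread that will invoke the port, then call the port as usual. Two caveats a practitioner should check: the STS must be configured to validate the OnBehalfOf assertion (signature and issuer), otherwise nothing stops a caller from handing it a self-made assertion; and the thread-local request context line is what keeps per-user tokens from leaking between users of a shared proxy.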
Re: Get Security Token

patch_78
Hi Ivan,

Thanks a lot for your explanation and offer! I also have three Tomcat instances and managed to get it working the same way as you.
But in my requirement, step 1) is not the same as in examples\wsclientWebapp\

+++++++++++++++++++++++++
1) When you log in to the web application (c), a SAML token is acquired from
the IDP/STS.
(When you use Fediz with the Tomcat plugin, for instance, you get a
FederationPrincipal by calling HttpServletRequest.getUserPrincipal(). By
using the FederationPrincipal, you access the claims in the SAML token. You
can also access the whole token if you put it into a ThreadLocal from a
servlet filter - also in the example).
+++++++++++++++++++++++++

In my requirement the user is authenticated by an external identity provider based on an SSO protocol.

patch
Re: Get Security Token

patch_78
Hi everyone,

Back to my original question, I found out how to get the security token. Here it is (for anyone who has the same question as me)

import org.w3c.dom.Element;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.endpoint.Endpoint;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.cxf.ws.security.tokenstore.TokenStore;
import org.apache.ws.security.util.DOM2Writer; // WSS4J 1.6; in WSS4J 2.x it is org.apache.wss4j.common.util.DOM2Writer

Client client = ClientProxy.getClient(port);
Endpoint ep = client.getEndpoint();
// ws-security.token.id is put on the endpoint by the IssuedToken interceptor when it
// obtains the token from the STS, so it is only set after the port has made a call
String id = (String) ep.get(SecurityConstants.TOKEN_ID);
// the endpoint-level token cache, keyed by token id
TokenStore store = (TokenStore) ep.getEndpointInfo().getProperty(TokenStore.class.getName());
SecurityToken tok = store.getToken(id);
Element e = tok.getToken(); // the issued SAML assertion as a DOM element

System.out.println("******************** TOKEN ********************");
System.out.println(DOM2Writer.nodeToString(e));
System.out.println("******************** TOKEN ********************");

patch
Re: Get Security Token

Glen Mazza
Thanks for letting us know -- I updated my STS blog article with a link
to this email.

Glen

On 06/06/2013 10:07 AM, patch_78 wrote:

> Hi everyone,
>
> Back to my original question, I found how to get the security token. Here it
> is (for someone who has the same question as me)
>
> Client client = ClientProxy.getClient(port);
> Endpoint ep = client.getEndpoint();
> String id = (String)ep.get(SecurityConstants.TOKEN_ID);
> TokenStore store =
> (TokenStore)ep.getEndpointInfo().getProperty(TokenStore.class.getName());
> SecurityToken tok = store.getToken(id);
> Element e = tok.getToken();
>
> System.out.println("******************** TOKEN ********************");
> System.out.println(DOM2Writer.nodeToString(e));
> System.out.println("******************** TOKEN ********************");
>
> patch