SHYAM RAO
Develop WSTrust Application Using NetBeans
The WS-Trust specification addresses the issue of brokering trust in scenarios where the security token possessed by the Web Service consumer is not trusted by the service provider, or where the type of security token possessed by the client is not understood by the service provider; for example, when the Web Service client and the Web Service provider sit in different security domains (with different trust roots) and have no direct trust relationship. The protocols defined in WS-Trust allow a Security Token Service to be established as a trust authority for brokering trust between Web Service consumers and Web Service providers. WS-Trust provides methods for issuing, renewing, and validating the security tokens used by WS-Security. It also provides a way to establish and broker trust relationships.
NetBeans makes it easier to develop WS-Trust applications that achieve interoperability across different security domains.
Download NetBeans and the WSIT plugin from:
NetBeans v5.5.1 : http://netbeans.info/downloads/dev.php
WSIT Module : http://websvc.netbeans.org/servlets/ProjectDocumentList?folderID=123
In this blog I would like to show how you can develop a Security Token Service using WSIT. This Security Token Service can act as the STS for any of the security mechanisms defined in NetBeans that require an STS. When a security mechanism requires the use of an STS, the security configuration of the consumer must be set up so that it can securely communicate with both the STS and the service provider. This blog will also explain how the security configuration of the consumer can be set up for doing this.
The first step is to create a service which requires an STS, so here are the steps to create the service:
Refer to Security Chapters of WSIT Tutorial on how to create/secure a service.
- When you select "Edit Web Services Attributes" to configure security options and check the "Secure All Services Operations" check box, you will see three profiles under Security Mechanism(s) that require the use of an STS:
- STS Issued Token
- STS Issued Token with Service Certificate
- STS Issued Endorsing Token
Selecting any of the mechanisms listed above requires you to develop or configure an STS. All three mechanisms use the default settings.
Run the service project; it will open the deployed service WSDL in the browser.
Create an STS:
Refer to the Tutorial's section on how to create/secure an STS to create a new service and configure it as an STS. Besides this, we need to fill in the provider implementation class as given below; the STS wizard itself creates only an empty implementation of the provider class.
import com.sun.xml.ws.security.trust.sts.BaseSTSImpl;
import javax.annotation.Resource;
import javax.xml.ws.Provider;
import javax.xml.ws.Service;
import javax.xml.ws.Service.Mode;
import javax.xml.ws.ServiceMode;
import javax.xml.ws.WebServiceContext;
import javax.xml.ws.WebServiceProvider;
import javax.xml.transform.Source;
import javax.xml.ws.handler.MessageContext;

// The STS is a Provider-based endpoint: it receives the RequestSecurityToken
// payload as a Source and delegates all WS-Trust processing to BaseSTSImpl.
@ServiceMode(value = Mode.PAYLOAD)
@WebServiceProvider(wsdlLocation = "WEB-INF/wsdl/<Class_Name>/sts.wsdl",
                    serviceName = "SecurityTokenService",
                    targetNamespace = "http://tempuri.org/",
                    portName = "ISecurityTokenService_Port")
public class <Class_Name> extends BaseSTSImpl implements Provider<Source> {

    // Injected by the container; gives access to the per-request MessageContext.
    @Resource
    protected WebServiceContext context;

    /** Creates a new instance of <Class_Name> */
    public <Class_Name>() {
    }

    // Issue/Renew/Validate/Cancel requests are handled by BaseSTSImpl.
    public Source invoke(Source rstElement) {
        return super.invoke(rstElement);
    }

    // BaseSTSImpl calls this to reach the current request's MessageContext.
    protected MessageContext getMessageContext() {
        return context.getMessageContext();
    }
}
Select any of the security mechanisms.
Keep the default values of the "Act As Secure Token Service" check box, or change the values in the STSConfiguration assertion of the STS WSDL using the Configure button.
Run the STS project. Here the service name is "SecurityTokenService", so to access the WSDL, just append "SecurityTokenService" to the deployed application URL and open it in the browser; the STS WSDL appears.
For step by step screenshots for creating STS project, See below.
Prior to creating the Trust client, create an account (username/password) on GlassFish for Username Authentication. Refer to the Tutorial's section on adding users to GlassFish.
Create a Client:
Refer to the Security chapter of the WSIT Tutorial on how to create/secure a client. Besides this, follow the additional steps given below to create a separate client configuration for the STS and import it in wsit-client.xml (Note: wsit-client.xml is a client-side configuration).
A) The service requires a token issued by the STS at "http://<url>/SecurityTokenService", whose WSDL is "http://<url>/SecurityTokenService?wsdl". So, in the same project, run the Web Service Client wizard again for "http://<url>/SecurityTokenService?wsdl". As a result you see a SecurityTokenService client node under Web Service References. Now configure this client with the STS-related keystore and truststore. Once you are done, the layout of wsit-client.xml will be:
wsit-client.xml
  |
  | imports
  |-----------> <client_config_for_STS>.wsdl      [STS-related keystore/truststore assertions in client]
  |
  | imports
  |-----------> <client_config_for_service>.wsdl  [Service-related keystore/truststore assertions in client]
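As an added illustration (not from the original post or the WSIT project), here is what a wsit-client.xml with those two imports looks like. The file names SecurityTokenService.xml and MyServiceService.xml, the service namespace urn:example:myservice, and the location of the files beside wsit-client.xml are assumptions; the namespace attribute of each import must equal the targetNamespace of the imported service's WSDL. The STS namespace http://tempuri.org/ and service name come from the STS class above.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: wsit-client.xml that imports both client-side configurations.
     File names and the service namespace are assumptions; the namespace attribute
     of each import must equal the targetNamespace of that service's WSDL. -->
<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
             xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
             xmlns:xsd="http://www.w3.org/2001/XMLSchema"
             xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
             name="mainclientconfig">

    <!-- Client configuration for the STS: keystore/truststore assertions, and
         Username Authentication details if the STS WSDL uses a UsernameToken.
         Namespace and service name match the @WebServiceProvider annotation
         of the STS class shown above. -->
    <import location="SecurityTokenService.xml"
            namespace="http://tempuri.org/"/>

    <!-- Client configuration for the service provider: keystore/truststore
         assertions plus the PreconfiguredSTS details pointing at the STS.
         "MyServiceService.xml" and the namespace are placeholders. -->
    <import location="MyServiceService.xml"
            namespace="urn:example:myservice"/>

</definitions>
```

Each imported file carries its own keystore/truststore assertions, so trust in the STS and trust in the service provider are configured independently: a client that trusts the STS certificate but not the service certificate obtains a token and then fails at the service call, and the reverse misconfiguration fails already at the token request.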
Run the client project.
For step by step screenshots for creating STS project & Client Project, See below.
Complete snapshots for creating STS in Netbeans:
Create a web Project for STS :
Right-click on the STS project, select New -> File/Folder... and choose Secure Token Service (STS) from the file types under the Web Services category:

Create the STS class name and package:
The created STS class looks like:
Replace the implementation of the STS class with the one specified above. Now the STS class looks like:
Right-click the SecurityTokenService node under the Web Services folder and select Edit Web Service Attributes:
Select the security mechanism (Mutual Certificates Security):
Click the Keystore button and configure the keystore for the STS, then click OK:
Click the Truststore button and configure the truststore for the STS, then click OK:
Click the Configure... button, which is in front of the Act As Security Token Service (STS) check box. Change the STSConfiguration if you want, then click OK:
The generated sts.wsdl looks like:
Right-click on the STS project and select Properties:
In the project properties, enter /SecurityTokenService?wsdl in Relative URL:
Right-click on the STS project and select Run Project:
Now the STS gets deployed on GlassFish and a browser opens up to show the deployed sts.wsdl:
Complete snapshots for creating Client project in Netbeans:
Create a Web Application for the client project. Right-click on the client node and select New -> Web Services Client...:

Enter the deployed server WSDL URL under the WSDL URL radio button (this URL can be found in the server project) and create a package name:

Right-click on the generated server node under Web Service References and select Edit Web Services Attributes. Provide the client-side keystore/truststore for the server. Also provide the details of the Security Token Service, which adds a PreconfiguredSTS entry to the client configuration as shown below. Then click OK:
The generated client configuration for the server looks like:

Create another Web Service Client for the client-side configuration of the STS:

Enter the deployed STS WSDL URL under the WSDL URL radio button (this URL can be found in the STS project) and create a package name:

Right-click on the generated SecurityTokenService node under Web Service References and select Edit Web Services Attributes:

Provide the client-side keystore/truststore for the STS. Also provide the details for Username Authentication if you are using a UsernameToken in the STS WSDL. Then click OK:
The generated client-side configuration (wsit-client.xml) will import both client-side configurations (server & STS):

Open the index.jsp file and move your cursor just below the statement <%-- start web service invocation --%>. Right-click there and select Web Service Client Resources -> Call Web Service Operation. Now expand the client node for the server, select the operation name (which was implemented while creating the server project), then click OK.

The default template for web service invocation shows:

Give the values for the parameters that will be passed to the operation, and print the exception:

Right-click on the client project and select Run Project:

Once the execution completes, a browser window with the JSP page opens up to display the result:

Give it a try! And let Jiandong and me know what you think!
Technorati: wsit
Posted at 12:49PM Mar 13, 2007 by Shyam Rao in WebServicesSecurity | Comments[7]