Superpatterns

Pat Patterson on Identity Management, Federation and Single Malt Scotch

accessmanager adfs authentication authorization bloggers blogwatch burtongroup cardspace catalyst donbowen extensions fam federation federationmanager fisl identity idwsf infocard java javapolis libertyalliance lightbulb links microsoft opends openid opensource opensso php planetidentity podcast roller saml sdn sso sun tokyo ubuntu video webservices wsfederation

« At Last - Penelope... | Main | links for 2006-05-24 »

23 May · Tue 2006

If you've been following Eric Leach's blog, you'll know that, just before JavaOne, we released a beta version of Sun Java System Access Manager 7.1 via a couple of bundles:

The former download is 132 MB, the latter 89 MB. The main difference between them seems to be that the Java EE 5 Tools Bundle includes NetBeans; NB EP 5.5 assumes you already have it.

Access Manager's role in this bundle is to secure web services. If you're thinking "Uh oh - this is that Liberty stuff they keep pushing at me; I've barely got my head around basic SAML assertions, let alone ID-WSF.", well - relax. We did show Access Manager working with Java Studio Enterprise and JSR 196 (Java Authentication Service Provider Interface for Containers) to secure web services via Liberty ID-WSF at last year's JavaOne (there's also a technical article on the topic); since then we have implemented WS-I BSP to secure 'plain vanilla' web services.

Here are my notes from installing the Java EE 5 Tools Bundle Beta and working through the Securing Web Services tutorial. I'm running Ubuntu 6.06 'Dapper Drake' Beta. Not an officially supported platform, but I like to surf the bleeding edge

Let's get started. I downloaded the Java EE 5 Tools Bundle Beta, chmod +x netbeans-5_5-ide-entpack-sdk-jbi-am-linux.sh; ./netbeans-5_5-ide-entpack-sdk-jbi-am-linux.sh and I'm into the installer. I need to tell the installer where I've put Java - it doesn't seem to know. Fair enough - this is not a standard system - I have at least three versions of Java floating around.
The installer prompts me for ports, passwords and trundles away for a while. On completion it reports that there were some warnings. I check /tmp/netbeans-5_5-installation-20060523143837.41310.log and it looks like the installer was not able to get to Access Manager (AM) at http://myhostname:8080/amserver/configurator.jsp. Ah - that's probably because it likes your system to have a fully qualified domain name (FQDN), e.g. myhostname.mydomain.com and I don't have a domain set. This is documented in the release notes - it doesn't seem to be a big deal, and I can get to that URL in Firefox, so we'll just carry on.
OK - surf to http://myhostname:8080/amserver/configurator.jsp and I get a nice configuration page:

Those are the 5 parameters you need to set to configure AM. I left everything as default and (as expected from the release notes) got a server error. Putting a dummy domain on the end of the hostname did the trick and I'm at an Access Manager login screen.

Cool! The simplest ever AM install/config
Login with the default amadmin/admin123 (we'll have to change that - I hate default passwords. We should add 'amadmin password' to the 5 configuration parameters) and I'm in the now familiar AM 7.x admin UI:
Ok - install and config done. On to the Securing Web Services tutorial. The tutorial notes are a little sketchy - I'll fill in the gaps here as I go along.
Grab the stockapp.zip sample source and put it somewhere sensible, as suggested in the tutorial. I get two directories, stockclient and stockservice. Cool.
Tutorial step 2 is missing an initial steplet - you need to go to the App Server admin console at http://myhostname:4848/ and login as admin with whatever AS password you selected at install. Hmm - I don't see a 'Runtime' tab, but I can see a running App Server (in fact, I already checked that it was running by browsing http://myhostname:8080/ and, of course, I wouldn't have been able to configure AM if it wasn't running. So, according to step 2c, I can safely skip forward to step 5 in the tutorial. Except that it seems like the next thing I have to do is in step 3.
Tutorial step 3 - yes - done this already.
Step 4 - ah - you will definitely want to do this - set AM to full message debug logging. On my system, the config file was at /home/pat/SUNWappserver/addons/amserver/AMConfig.properties. Beware - there is another AMConfig.properties file for the AM server - on my machine it's at /home/pat/AMConfig.properties. If you set message debug logging at the AM server but not in the AS addons, you won't get any of the diagnostic output described below. I know - I did exactly this first time round and spent several hours trying to figure out what was wrong. Change com.iplanet.services.debug.level to message and restart the App Server. Just go to wherever_you_installed_it/SUNWappserver/bin and do ./asadmin stop-domain; ./asadmin start-domain.
Step 5 - Run NetBeans and disable proxies as directed in the tutorial, since we'll be interacting with local services.
OK - now for some secure web service action... Start NetBeans and... Oh. NetBeans just shows me a blank window. That's not good. Google Google Google... Ah. I have XGL and Compiz eye candy installed. This forum post gives the answer - run the Xnest nested X server, the icewm window manager and then run NetBeans in the nested X session. Fair enough. Ubuntu recommends Xephyr rather than Xnest, so I grab that, icewm and.. great - we have NetBeans! [UPDATE: See this comment for a handy little script I wrote to run NetBeans in a nested X session.] Back to the tutorial...
Open the two projects. Cool - Web Service Provider (WSP) Security Configuration property page. Enable security, select SAML-HolderOfKey, sign reponses. Don't forget to change the password if you overrode the default AS 'adminadmin' password. Ooh - we'll have to fix that password entry field. This is beta, don't forget.

We can go look in the keystore, just to check that we are supplying the right password here, and that the s1as cert is there:

pat@patlinux:~/SUNWappserver/domains/domain1/config$ keytool -list 
-keystore ./keystore.jks -storepass password

Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

s1as, May 23, 2006, keyEntry,

Now to the client... Web Service Client (WSC) Security Configuration, enable security, SAML-HolderOfKey, verify response. Check that password again. And we're ready to run. Build and deploy stockservice as described in the tutorial. Build and run stockclient and we have a JSP ready for input. I had to copy the URL into the browser in my main X session, since Firefox wasn't happy running a second instance in the nested X session. I also had to change 'localhost' in the URL to my real hostname.
Now I just press enter to get a quote for SUNW and... I get a page of canned price data. It works!!! On my machine, ClientModule and ServerModule are in /tmp/amserver/, I can see real, honest to goodness WS-I BSP SOAP messages with SAML assertions in the headers. I've indented for clarity and elided most of the base 64 encoded signature and key info.
Here's the raw SOAP message as it leaves the client code (don't forget, the whole point of this is to abstract the security stuff out of the client/server code):

<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:enc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:ns0="http://sun.com/stockquote.xsd" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <env:Body>
    <ns0:QuoteRequest>
      <Symbol>SUNW</Symbol>
    </ns0:QuoteRequest>
  </env:Body>
</env:Envelope>

And here is the secured SOAP message as it goes onto the wire:

<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:enc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:ns0="http://sun.com/stockquote.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <env:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-01.xsd">
      <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="s69f7e258e30da2b9b9f5799d4eb0c548782432bf" IssueInstant="2006-05-24T05:52:32Z" Issuer="patlinux" MajorVersion="1" MinorVersion="1">
        <saml:AuthenticationStatement AuthenticationInstant="2006-05-24T05:52:30Z" AuthenticationMethod="urn:com:sun:identity:Application">
          <saml:Subject>
            <saml:NameIdentifier>wsc</saml:NameIdentifier>
            <saml:SubjectConfirmation>
              <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod>
              <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                <KeyName>CN=patlinux, OU=Sun Java System Application Server, O=Sun Microsystems, L=Santa Clara, ST=California, C=US</KeyName>
                <KeyValue>
                  <RSAKeyValue>
                   <Modulus>AIE1oq...</Modulus>
                   <Exponent>AQAB</Exponent>
                  </RSAKeyValue>
                </KeyValue>
              </KeyInfo>
            </saml:SubjectConfirmation>
          </saml:Subject>
        </saml:AuthenticationStatement>
        <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
          <SignedInfo>
            <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
            <Reference URI="#s69f7e258e30da2b9b9f5799d4eb0c548782432bf">
              <Transforms>
                <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
              </Transforms>
              <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
              <DigestValue>zdCY/1iqOMUJq/RvxsaDPWM4+7c=</DigestValue>
            </Reference>
          </SignedInfo>
          <SignatureValue>ApcX/D...</SignatureValue>
          <KeyInfo>
            <X509Data>
              <X509Certificate>MIICmj...</X509Certificate>
            </X509Data>
          </KeyInfo>
        </Signature>
      </saml:Assertion>
      <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
          <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <Reference URI="#se0ffabd98ecfdf194adc0c8ac8fb4edabf65cd3a">
            <Transforms>
              <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <DigestValue>Sccy9a3A7Ps27f3pf9adkRWuGvU=</DigestValue>
          </Reference>
        </SignedInfo>
        <SignatureValue>aE9vKM...</SignatureValue>
        <KeyInfo>
          <SecurityTokenReference xmlns="http://schemas.xmlsoap.org/ws/2003/06/secext" wsu:Id="STR1">
            <KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID" wsu:Id="sbee70b80d8b330875655b8956d13ff5a4199ca1d">s69f7e258e30da2b9b9f5799d4eb0c548782432bf</KeyIdentifier>
          </SecurityTokenReference>
        </KeyInfo>
      </Signature>
    </wsse:Security>
  </env:Header>
  <env:Body wsu:Id="se0ffabd98ecfdf194adc0c8ac8fb4edabf65cd3a">
    <ns0:QuoteRequest>
      <Symbol>SUNW</Symbol>
    </ns0:QuoteRequest>
  </env:Body>
</env:Envelope>

So - in the next thrilling installment, we'll walk through that secure SOAP message and see what each bit actually does.

UPDATE - here is that next installment.

@ 11:35 PM PDT Comments [9]

Trackback URL: http://blogs.sun.com/superpat/entry/access_manager_7_1_beta

Comments:

My handy shell script for running netbeans in a nested X session:

#! /bin/bash
# You could use Xnest instead of Xephyr here
Xephyr :2 -ac -screen 1024x768 &
icewm --display :2 &
export DISPLAY=:2
~/netbeans-5.5beta/bin/netbeans &

Posted by Superpat on May 23, 2006 at 11:57 PM PDT #

Using the tutorial, I thought I would develop a Web Service using netbeans and the j2ee bundle to ... I had no problem editing the web service attributes to set the security settings, but when i created a client with a web service reference to this service I could not edit and set the web service setting to enable the WSC to send the corresponding security headers to the WSP. Instead I got "Project not supported" in both netbeans on OS X and Linux. So, I can't apparently use netbeans enterprise pack to set the client settings, but must edit the sub-web.xml directly? It appears the reason why the tutorial worked is because all the stubs were already there and not generated? Also, if you leverage the "blueprints: Identity_BP1" and start reading into the section about "Configuring WebService Client Security Mechanisms Using the Access Manager Console" you find the tutorial completely off the rails from how the amswer is configured. So, I don't know what to make of that, because the some 4 individual Access Manager 7.1 PDF docs don't cover securing web services in the manner these tutorials do. Thoughts?

Posted by Michael on December 13, 2006 at 03:25 PM PST #

Seems like you are creating a Java EE 5 webservice using NB, correct? In the case of Java EE 5 based service, after creating the web service client node you have to also "use the client" node in one of your sevlets/jsp etc.. which will generate a @WebServiceRef annotation which signals the tool that it can enable security. The key is to have the annotation on the client which invokes this service. If you used the bundled stock sample from the IDE (or use the zip file that Pat has included) you would be able to invoke the client wizard without this additional step because the samples are j2ee 1.4 based and hence the workflow for client creation is different. HTH, - Vidhya

Posted by Vidhya on December 13, 2006 at 05:02 PM PST #

Yes, you're corrrect. I have created a Java EE 5 webservice using NB, and then followed up creating the web service client in another project using NB tool features, and created a reference to the the service under "Web Service References" folder in NB. So, I have to apply @WebServiceRef annotation on the servlet making use of the Web Service Reference? I gotta read up more on Java EE 5 web service development... As I've written namely j2ee 1.4; specifically, axis based services.

Posted by Michael on December 14, 2006 at 08:03 AM PST #

You dont need to manually create a @WebServiceRef annotation. If you have a servlet where you want to use this service reference, just drag and drop the client reference node into the servlet where you want to invoke he service.. this would automatically create the annotation for you and then the security dialog will be enabled. - Vidhya

Posted by Vidhya on December 14, 2006 at 11:04 AM PST #

Ahh, it seems Vidhya has been around this block before as I haven't been alone to experience this issue. http://www.nabble.com/Re:-secure-web-service-is-not-supported-t2390532.html Okay as per your directions, I added @WebServiceRef(wsd="http://localhost:80080/MagicEightBall/MagicEightBallService?wsdl") soa.example.client.MagicEightBallService service; to my servlet class, then later on in the appropriate servlet method soa.example.client.MagicEightBall port = service.getMagicEightBallPort(); This builds and deploys but won't run, even if you choose to edit the services attributes to disable message level security under the WSP security configuration and then redeploy. You get security related exceptions as soon as the client tries to connect to the service. It appears that you need to strip out all the security related xml additions to the sun-web.xml file, and remove the amconfig.xml file, then redeploy inorder to get the service and client to work again minus message level security. Now, that I verified my service and client work, I attempt to re-enable message level security on the service... That goes off without a hitch, but I still can't get nb to allow me to edit the security via the web service attributes panel of the client's web service reference. It still return "unsupported project." Is the Q-build of the enterprise bundle available, because I don't see it at http://www.netbeans.info/downloads/dev.php Your forum post mentioned it back in October... -Michael

Posted by Michael on December 14, 2006 at 11:15 AM PST #

okay, just saw the drag dropp response... yeah, that works... you have to drag the method from the web service reference... and it drops in a bunch of canned code to access the method... sweet. Yet, "project not supported" still is their under the edit web service attributes... So, i gotta keep dropping and dragging 'til it pops up cause of the bug?

Posted by Michael on December 14, 2006 at 11:20 AM PST #

Ah, ha! Stopping an starting NB does it. Grr. Hey, it's like Windows!

Posted by Michael on December 14, 2006 at 11:28 AM PST #

There is a bug filed and tracked about this random "project not supported" showing up in java EE 5 projects. Looks like you are seeing this. Just few tries would make this message go away.. atleast for the workaround I didnt have to restart. - Vidhya

Posted by Vidhya on December 14, 2006 at 12:08 PM PST #

Name:
E-Mail:
URL:
	Notify me by email of new comments
	Remember Information?