Skip to main content

TokenIssueOperation Example

Finally, it's time to look at an example of how to spring-load the STS so that it can issue tokens. This particular example uses a security policy that requires a UsernameToken over the symmetric binding. As the STS is a web service, we first define an endpoint:

<jaxws:endpoint id="UTSTS"
   implementor="#utSTSProviderBean"
   address="http://.../SecurityTokenService/UT"
   wsdlLocation=".../ws-trust-1.4-service.wsdl"
   xmlns:ns1="http://docs.oasis-open.org/ws-sx/ws-trust/200512/"
   serviceName="ns1:SecurityTokenService"
   endpointName="ns1:UT_Port">
   <jaxws:properties>
      <entry key="security.callback-handler" value="..."/>
      <entry key="security.signature.properties" 
         value="stsKeystore.properties"/>
   </jaxws:properties>
</jaxws:endpoint>

The jaxws:properties are required to parse the incoming message. The CallbackHandler is used to validate the UsernameToken and provide the password required to access the private key defined in the signature properties parameter. The "implementor" of the jaxws:endpoint is the SecurityTokenServiceProvider class defined in the STS provider framework: 

<bean id="utSTSProviderBean"
class="org.apache.cxf.ws.security.sts.provider.SecurityTokenServiceProvider">
   <property name="issueOperation" ref="utIssueDelegate"/>
   ...
</bean>

This bean supports the Issue Operation via a TokenIssueOperation instance: 

<bean id="utIssueDelegate"
   class="org.apache.cxf.sts.operation.TokenIssueOperation">
   <property name="tokenProviders" ref="utSamlTokenProvider"/>
   <property name="services" ref="utService"/>
   <property name="stsProperties" ref="utSTSProperties"/>
</bean>

This TokenIssueOperation instance has a single TokenProvider configured to issue SAML Tokens (with a default Subject and Attribute statement): 

<bean id="utSamlTokenProvider"
   class="org.apache.cxf.sts.token.provider.SAMLTokenProvider">
</bean>

The TokenIssueOperation also refers to a single StaticService implementation, which in turn defines a single URL expression to use to compare any received AppliesTo addresses: 

<bean id="utService"
   class="org.apache.cxf.sts.service.StaticService">
   <property name="endpoints" ref="utEndpoints"/>
</bean>

<util:list id="utEndpoints">
   <value>http://localhost:(\d)*/(doubleit|metrowsp)/services/doubleit   //
      (UT|.*symmetric.*|.*)</value>
</util:list>

Finally, the TokenIssueOperation is configured with a StaticSTSProperties object. This class contains properties that define what private key to use to sign issued SAML tokens, as well as the Issuer name to use in the generated token. 

<bean id="utSTSProperties"
   class="org.apache.cxf.sts.StaticSTSProperties">
   <property name="signaturePropertiesFile" value="stsKeystore.properties"/>
   <property name="signatureUsername" value="mystskey"/>
   <property name="callbackHandlerClass" value="..."/>
   <property name="issuer" value="DoubleItSTSIssuer"/>
   ...
</bean>

Did this page help you?

If you find any issues with this page or its content – a typo, a missing step, or a technical error – let us know how we can improve!

Leave your feedback here