TokenValidateOperation example - 8.0

Talend ESB STS User Guide

Version 8.0

Finally, it's time to look at an example of how to spring-load the STS so that it can validate tokens. This particular example uses a security policy that requires a UsernameToken over the transport binding (client auth is disabled). As the STS is a web service, we first define an endpoint:

<jaxws:endpoint id="transportSTS"
   implementor="#transportSTSProviderBean"
   address="http://.../SecurityTokenService/Transport"
   wsdlLocation=".../ws-trust-1.4-service.wsdl"
   xmlns:ns1="http://docs.oasis-open.org/ws-sx/ws-trust/200512/"
   serviceName="ns1:SecurityTokenService"
   endpointName="ns1:Transport_Port">
   <jaxws:properties>
      <entry key="security.callback-handler" value="..."/>
   </jaxws:properties>
</jaxws:endpoint>

The CallbackHandler JAX-WS property is used to validate the UsernameToken. The "implementor" of the jaxws:endpoint is the SecurityTokenServiceProvider class defined in the STS provider framework:

<bean id="transportSTSProviderBean"
   class="org.apache.cxf.ws.security.sts.provider.SecurityTokenServiceProvider">
   ...
   <property name="validateOperation" ref="transportValidateDelegate"/>
</bean>

This bean supports the Validate Operation via a TokenValidateOperation instance:

<bean id="transportValidateDelegate"
   class="org.apache.cxf.sts.operation.TokenValidateOperation">
   <property name="tokenValidators" ref="transportTokenValidators"/>
   <property name="stsProperties" ref="transportSTSProperties"/>
</bean>

This TokenValidateOperation instance has a number of different TokenValidator instances configured:

<util:list id="transportTokenValidators">
   <ref bean="transportSamlTokenValidator"/>
   <ref bean="transportX509TokenValidator"/>
   <ref bean="transportUsernameTokenValidator"/>
</util:list>

<bean id="transportX509TokenValidator"
   class="org.apache.cxf.sts.token.validator.X509TokenValidator"/>

<bean id="transportUsernameTokenValidator"
   class="org.apache.cxf.sts.token.validator.UsernameTokenValidator"/>

<bean id="transportSamlTokenValidator"
   class="org.apache.cxf.sts.token.validator.SAMLTokenValidator"/>

Finally, the STSPropertiesMBean object that is used is configured as follows:

<bean id="transportSTSProperties"
   class="org.apache.cxf.sts.StaticSTSProperties">
   <property name="signaturePropertiesFile" value="..."/>
   <property name="signatureUsername" value="mystskey"/>
   <property name="callbackHandlerClass" value="..."/>
   <property name="encryptionPropertiesFile" value="..."/>
   <property name="issuer" value="DoubleItSTSIssuer"/>
   <property name="encryptionUsername" value="myservicekey"/>
</bean>
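As an added example that is not part of the Talend or CXF documentation, the beans above built in plain Java and exercised with a WS-Trust Validate request carrying a UsernameToken, so the validator chain can be checked outside a running container. It assumes the CXF 3.x STS and WSS4J 2.x APIs; the DEMO_PASSWORDS handler and the alice/clarinet credential are constructed stand-ins for the callbackHandlerClass the page leaves as "...", and signature/encryption crypto is omitted because a status-only validation needs neither.

```java
import java.util.*;
import javax.security.auth.callback.*;
import javax.xml.bind.JAXBElement;
import org.apache.cxf.helpers.DOMUtils;
import org.apache.cxf.sts.*;
import org.apache.cxf.sts.operation.TokenValidateOperation;
import org.apache.cxf.sts.token.validator.*;
import org.apache.cxf.ws.security.sts.provider.model.*;
import org.apache.wss4j.common.ext.WSPasswordCallback;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.message.token.UsernameToken;
import org.w3c.dom.Document;
public class ValidateUsernameTokenExample {
    // Stand-in for callbackHandlerClass: supplies the stored password for a user (constructed demo credential).
    static final CallbackHandler DEMO_PASSWORDS = callbacks -> {
        for (Callback cb : callbacks) {
            WSPasswordCallback pc = (WSPasswordCallback) cb;
            if ("alice".equals(pc.getIdentifier())) pc.setPassword("clarinet");
        }
    };
    // Same wiring as transportValidateDelegate, transportTokenValidators and transportSTSProperties.
    static TokenValidateOperation buildOperation() {
        StaticSTSProperties props = new StaticSTSProperties();
        props.setIssuer("DoubleItSTSIssuer");
        props.setCallbackHandler(DEMO_PASSWORDS); // no signature/encryption crypto: status-only validation
        TokenValidateOperation op = new TokenValidateOperation();
        // The first validator whose canHandleToken() accepts the token is used; SAML and X509 skip a UsernameToken.
        op.setTokenValidators(Arrays.asList(new SAMLTokenValidator(), new X509TokenValidator(), new UsernameTokenValidator()));
        op.setStsProperties(props);
        return op;
    }
    // Builds an RST (RequestType=Validate, TokenType=Status) with a UsernameToken in wst:ValidateTarget
    // and returns the wst:Status/Code URI: STSConstants.VALID_CODE or STSConstants.INVALID_CODE.
    static String validateStatus(TokenValidateOperation op, String user, String password) {
        Document doc = DOMUtils.createDocument();
        UsernameToken ut = new UsernameToken(true, doc, WSConstants.PASSWORD_TEXT);
        ut.setName(user); ut.setPassword(password);
        ut.addWSSENamespace(); ut.addWSUNamespace();
        ValidateTargetType target = new ValidateTargetType(); target.setAny(ut.getElement());
        RequestSecurityTokenType rst = new RequestSecurityTokenType();
        rst.getAny().add(new JAXBElement<>(QNameConstants.TOKEN_TYPE, String.class, STSConstants.STATUS));
        rst.getAny().add(new JAXBElement<>(QNameConstants.REQUEST_TYPE, String.class, STSConstants.VALIDATE_REQUEST));
        rst.getAny().add(new JAXBElement<>(QNameConstants.VALIDATE_TARGET, ValidateTargetType.class, target));
        RequestSecurityTokenResponseType rstr = op.validate(rst, null, new HashMap<>());
        for (Object o : rstr.getAny()) {
            Object v = o instanceof JAXBElement ? ((JAXBElement<?>) o).getValue() : o;
            if (v instanceof StatusType) return ((StatusType) v).getCode();
        }
        throw new IllegalStateException("response carries no wst:Status");
    }
}
```

Calling validateStatus(buildOperation(), "alice", "clarinet") should yield the valid status URI, while a wrong password yields the invalid one rather than an exception, which is the behaviour a monitoring check on the Validate endpoint should expect.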