TokenValidateOperation example - 7.3

Finally, it's time to look at an example of how to spring-load the STS so that it can validate tokens. This particular example uses a security policy that requires a UsernameToken over the transport binding (client auth is disabled). As the STS is a web service, we first define an endpoint:

<jaxws:endpoint id="transportSTS"
   implementor="#transportSTSProviderBean"
   address="http://.../SecurityTokenService/Transport"
   wsdlLocation=".../ws-trust-1.4-service.wsdl"
   xmlns:ns1="http://docs.oasis-open.org/ws-sx/ws-trust/200512/"
   serviceName="ns1:SecurityTokenService"
   endpointName="ns1:Transport_Port">
   <jaxws:properties>
      <entry key="security.callback-handler" value="..."/>
   </jaxws:properties>

</jaxws:endpoint>

The CallbackHandler JAX-WS property is used to validate the UsernameToken. The "implementor" of the jaxws:endpoint is the SecurityTokenServiceProvider class defined in the STS provider framework:

<bean id="transportSTSProviderBean"
   class="org.apache.cxf.ws.security.sts.provider.  //
      SecurityTokenServiceProvider">
   ...
   <property name="validateOperation" ref="transportValidateDelegate"/>
</bean>

This bean supports the Validate Operation via a TokenValidateOperation instance:

<bean id="transportValidateDelegate"
   class="org.apache.cxf.sts.operation.TokenValidateOperation">
   <property name="tokenValidators" ref="transportTokenValidators"/>
   <property name="stsProperties" ref="transportSTSProperties"/>
</bean>

This TokenValidateOperation instance has a number of different TokenValidator instances configured:

<util:list id="transportTokenValidators">
   <ref bean="transportSamlTokenValidator"/>
   <ref bean="transportX509TokenValidator"/>
   <ref bean="transportUsernameTokenValidator"/>
</util:list>

<bean id="transportX509TokenValidator"
   class="org.apache.cxf.sts.token.validator.X509TokenValidator"/>

<bean id="transportUsernameTokenValidator"
   class="org.apache.cxf.sts.token.validator.UsernameTokenValidator"/>

<bean id="transportSamlTokenValidator"
   class="org.apache.cxf.sts.token.validator.SAMLTokenValidator"/>
</bean>

Finally the STSPropertiesMBean object that is used is given as follows:

<bean id="transportSTSProperties"
   class="org.apache.cxf.sts.StaticSTSProperties">
   <property name="signaturePropertiesFile" value="..."/>
   <property name="signatureUsername" value="mystskey"/>

   <property name="callbackHandlerClass" value="..."/>
   <property name="encryptionPropertiesFile" value="..."/>
   <property name="issuer" value="DoubleItSTSIssuer"/>
   <property name="encryptionUsername" value="myservicekey"/>
</bean>