TokenValidateOperation example - 7.1

Talend ESB STS User Guide

author: Talend Documentation Team
EnrichVersion: 7.1
EnrichProdName: Talend Data Fabric, Talend Data Services Platform, Talend ESB, Talend MDM Platform, Talend Open Studio for ESB, Talend Real-Time Big Data Platform
task: Design and Development, Installation and Upgrade
EnrichPlatform: Talend ESB, Talend Runtime

Finally, it's time to look at an example of how to configure the STS in Spring so that it can validate tokens. This particular example uses a security policy that requires a UsernameToken over the transport binding (TLS client authentication is disabled). As the STS is a web service, we first define an endpoint:

<jaxws:endpoint id="transportSTS"
   implementor="#transportSTSProviderBean"
   address="http://.../SecurityTokenService/Transport"
   wsdlLocation=".../ws-trust-1.4-service.wsdl"
   xmlns:ns1="http://docs.oasis-open.org/ws-sx/ws-trust/200512/"
   serviceName="ns1:SecurityTokenService"
   endpointName="ns1:Transport_Port">
   <jaxws:properties>
      <entry key="security.callback-handler" value="..."/>
   </jaxws:properties>
</jaxws:endpoint>

The CallbackHandler referenced by the "security.callback-handler" JAX-WS property is used to validate the UsernameToken (it supplies the stored password for the received username). The "implementor" of the jaxws:endpoint is the SecurityTokenServiceProvider class defined in the STS provider framework:

<bean id="transportSTSProviderBean"
   class="org.apache.cxf.ws.security.sts.provider.SecurityTokenServiceProvider">
   ...
   <property name="validateOperation" ref="transportValidateDelegate"/>
</bean>

This bean supports the Validate Operation via a TokenValidateOperation instance:

<bean id="transportValidateDelegate"
   class="org.apache.cxf.sts.operation.TokenValidateOperation">
   <property name="tokenValidators" ref="transportTokenValidators"/>
   <property name="stsProperties" ref="transportSTSProperties"/>
</bean>

This TokenValidateOperation instance is configured with a list of TokenValidator instances, one per token type the STS can validate (SAML, X.509 and UsernameToken); each validator is asked in turn whether it can handle the received token:

<util:list id="transportTokenValidators">
   <ref bean="transportSamlTokenValidator"/>
   <ref bean="transportX509TokenValidator"/>
   <ref bean="transportUsernameTokenValidator"/>
</util:list>

<bean id="transportX509TokenValidator"
   class="org.apache.cxf.sts.token.validator.X509TokenValidator"/>

<bean id="transportUsernameTokenValidator"
   class="org.apache.cxf.sts.token.validator.UsernameTokenValidator"/>

<bean id="transportSamlTokenValidator"
   class="org.apache.cxf.sts.token.validator.SAMLTokenValidator"/>

Finally, the STSPropertiesMBean implementation used here is a StaticSTSProperties bean, which holds the signing and encryption keys the STS uses, the issuer name it writes into tokens, and the CallbackHandler that supplies keystore passwords:

<bean id="transportSTSProperties"
   class="org.apache.cxf.sts.StaticSTSProperties">
   <property name="signaturePropertiesFile" value="..."/>
   <property name="signatureUsername" value="mystskey"/>
   <property name="callbackHandlerClass" value="..."/>
   <property name="encryptionPropertiesFile" value="..."/>
   <property name="issuer" value="DoubleItSTSIssuer"/>
   <property name="encryptionUsername" value="myservicekey"/>
</bean>
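As an added example (not code from the Talend documentation or from CXF), here is a hypothetical Java CallbackHandler that could be referenced by both the "security.callback-handler" endpoint property and the "callbackHandlerClass" property above; the class name, user account and all passwords are constructed sample values.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.wss4j.common.ext.WSPasswordCallback;

// Hypothetical handler for both "security.callback-handler" and
// "callbackHandlerClass". For USERNAME_TOKEN, WSS4J passes the username and
// expects the *stored* password to be set; it then compares plain-text or
// digest passwords itself. SIGNATURE/DECRYPT ask for private-key passwords.
public class StsCallbackHandler implements CallbackHandler {
    // Constructed sample data; a real deployment reads a user/secret store.
    private static final Map<String, String> USER_PASSWORDS = new HashMap<>();
    private static final Map<String, String> KEY_PASSWORDS = new HashMap<>();
    static {
        USER_PASSWORDS.put("alice", "ecilA-s3cret");
        KEY_PASSWORDS.put("mystskey", "stskeypass");         // signatureUsername
        KEY_PASSWORDS.put("myservicekey", "servicekeypass"); // encryptionUsername
    }

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(cb, "unsupported callback");
            }
            WSPasswordCallback pc = (WSPasswordCallback) cb;
            String id = pc.getIdentifier();
            switch (pc.getUsage()) {
                case WSPasswordCallback.USERNAME_TOKEN:
                    // Unknown user: leave the password null so WSS4J rejects
                    // the UsernameToken (fail closed).
                    String stored = USER_PASSWORDS.get(id);
                    if (stored != null) {
                        pc.setPassword(stored);
                    }
                    break;
                case WSPasswordCallback.SIGNATURE:
                case WSPasswordCallback.DECRYPT:
                    pc.setPassword(KEY_PASSWORDS.get(id));
                    break;
                default:
                    break; // other usages are not served: nothing is set
            }
        }
    }
}
```

Reference the class by its fully qualified name in "callbackHandlerClass" and in the "security.callback-handler" entry; because WSS4J performs the comparison, digest-mode UsernameTokens work without the handler ever seeing the submitted password.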