TokenIssueOperation Example - 7.1

Talend ESB STS User Guide

Author: Talend Documentation Team
Version: 7.1
Products: Talend Data Fabric, Talend Data Services Platform, Talend ESB, Talend MDM Platform, Talend Open Studio for ESB, Talend Real-Time Big Data Platform
Task: Design and Development, Installation and Upgrade
Platform: Talend ESB, Talend Runtime

Finally, it's time to look at an example of how to spring-load the STS so that it can issue tokens. This particular example uses a security policy that requires a UsernameToken over the symmetric binding. As the STS is a web service, we first define an endpoint:

<jaxws:endpoint id="UTSTS"
   implementor="#utSTSProviderBean"
   address="http://.../SecurityTokenService/UT"
   wsdlLocation=".../ws-trust-1.4-service.wsdl"
   xmlns:ns1="http://docs.oasis-open.org/ws-sx/ws-trust/200512/"
   serviceName="ns1:SecurityTokenService"
   endpointName="ns1:UT_Port">
   <jaxws:properties>
      <entry key="security.callback-handler" value="..."/>
      <entry key="security.signature.properties"
         value="stsKeystore.properties"/>
   </jaxws:properties>
</jaxws:endpoint>

The jaxws:properties are required to parse the incoming message. The CallbackHandler is used to validate the received UsernameToken and to provide the password that unlocks the private key defined in the signature properties file. The "implementor" of the jaxws:endpoint is the SecurityTokenServiceProvider class defined in the STS provider framework:

<bean id="utSTSProviderBean"
   class="org.apache.cxf.ws.security.sts.provider.SecurityTokenServiceProvider">
   <property name="issueOperation" ref="utIssueDelegate"/>
   ...
</bean>

This bean supports the Issue Operation via a TokenIssueOperation instance:

<bean id="utIssueDelegate"
   class="org.apache.cxf.sts.operation.TokenIssueOperation">
   <property name="tokenProviders" ref="utSamlTokenProvider"/>
   <property name="services" ref="utService"/>
   <property name="stsProperties" ref="utSTSProperties"/>
</bean>

This TokenIssueOperation instance has a single TokenProvider configured to issue SAML Tokens (with a default Subject and Attribute statement):

<bean id="utSamlTokenProvider"
   class="org.apache.cxf.sts.token.provider.SAMLTokenProvider">
</bean>

The TokenIssueOperation also refers to a single StaticService implementation, which in turn defines a single URL regular expression against which any received AppliesTo address is compared. The STS only issues a token when the address matches:

<bean id="utService"
   class="org.apache.cxf.sts.service.StaticService">
   <property name="endpoints" ref="utEndpoints"/>
</bean>
<util:list id="utEndpoints">
   <value>http://localhost:(\d)*/(doubleit|metrowsp)/services/doubleit(UT|.*symmetric.*|.*)</value>
</util:list>
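The following Java program is an added illustration (not code from the guide or from Apache CXF) of what the utEndpoints expression above accepts and rejects. It assumes, as CXF's StaticService does, that each configured expression is compiled as a java.util.regex.Pattern and tested against the whole AppliesTo address with Matcher.matches(). The TIGHT_PATTERN, the port 9001 and the sample addresses are constructed for the demonstration; the point worth checking in your own configuration is that the trailing ".*" alternative makes every address under .../services/doubleit acceptable, and that ".*symmetric.*" also matches "Asymmetric".

```java
import java.util.List;
import java.util.regex.Pattern;

public class AppliesToCheck {

    // Expression from the utEndpoints list above, written as a Java string literal.
    static final String PAGE_PATTERN =
        "http://localhost:(\\d)*/(doubleit|metrowsp)/services/doubleit(UT|.*symmetric.*|.*)";

    // Tighter alternative (an assumption for this example, not from the guide):
    // a fixed port and an explicit list of endpoint suffixes instead of a catch-all.
    static final String TIGHT_PATTERN =
        "http://localhost:9001/doubleit/services/doubleit(UT|Symmetric)";

    // Mirrors the StaticService address check as assumed above: a full-string
    // match against any one of the configured patterns is enough.
    static boolean isAddressInEndpoints(String address, List<Pattern> endpointPatterns) {
        String toMatch = address == null ? "" : address;
        for (Pattern p : endpointPatterns) {
            if (p.matcher(toMatch).matches()) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        List<Pattern> page = List.of(Pattern.compile(PAGE_PATTERN));
        List<Pattern> tight = List.of(Pattern.compile(TIGHT_PATTERN));

        // Constructed sample AppliesTo addresses.
        String[] samples = {
            "http://localhost:9001/doubleit/services/doubleitUT",            // intended: page true, tight true
            "http://localhost:9001/doubleit/services/doubleitSymmetric",     // intended: page true, tight true
            "http://localhost:9001/doubleit/services/doubleitAsymmetric",    // ".*symmetric.*" matches: page true, tight false
            "http://localhost:9001/doubleit/services/doubleitAnythingAtAll", // trailing ".*" matches: page true, tight false
            "http://localhost:/metrowsp/services/doubleit",                  // "(\\d)*" allows an empty port: page true, tight false
            "https://localhost:9001/doubleit/services/doubleitUT",           // different scheme: page false, tight false
        };

        System.out.printf("%-70s %-5s %-5s%n", "AppliesTo address", "page", "tight");
        for (String s : samples) {
            System.out.printf("%-70s %-5b %-5b%n",
                s, isAddressInEndpoints(s, page), isAddressInEndpoints(s, tight));
        }
    }
}
```

Compile and run with `javac AppliesToCheck.java && java AppliesToCheck`. The table it prints shows the page's expression accepting every sample except the https one, so the "UT" and "symmetric" alternatives add nothing while the final ".*" is present; listing the endpoint names you actually deploy keeps the STS from issuing tokens scoped to services you did not intend to cover.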

Finally, the TokenIssueOperation is configured with a StaticSTSProperties object. This class contains properties that define which private key is used to sign issued SAML tokens, the CallbackHandler that supplies the password for that key, and the Issuer name placed in the generated token.

<bean id="utSTSProperties"
   class="org.apache.cxf.sts.StaticSTSProperties">
   <property name="signaturePropertiesFile" value="stsKeystore.properties"/>
   <property name="signatureUsername" value="mystskey"/>
   <property name="callbackHandlerClass" value="..."/>
   <property name="issuer" value="DoubleItSTSIssuer"/>
   ...
</bean>
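The "..." values for security.callback-handler and callbackHandlerClass above are the class name of a javax.security.auth.callback.CallbackHandler. The class below is an added example (not from the guide or from CXF/WSS4J) of a handler that covers both roles described on this page: it hands WSS4J the known password for the user named in the received UsernameToken, and it hands the signature layer the password of the "mystskey" private key. It assumes the WSS4J 2.x WSPasswordCallback API shipped with Talend ESB 7.1; the class name STSCallbackHandler, the user "alice" and both passwords are constructed for the example.

```java
import java.io.IOException;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.wss4j.common.ext.WSPasswordCallback;

/**
 * Example CallbackHandler for the UT STS endpoint (illustration only).
 * Configure its fully qualified name as the value of
 * security.callback-handler on the endpoint and of callbackHandlerClass
 * in StaticSTSProperties.
 */
public class STSCallbackHandler implements CallbackHandler {

    // Constructed sample credentials for the example; a deployment would read
    // these from a credential store rather than keep them in source.
    private static final Map<String, String> USER_PASSWORDS = Map.of("alice", "security");
    private static final Map<String, String> KEY_PASSWORDS = Map.of("mystskey", "stskpass");

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback callback : callbacks) {
            if (!(callback instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(callback, "Only WSPasswordCallback is supported");
            }
            WSPasswordCallback pc = (WSPasswordCallback) callback;
            String id = pc.getIdentifier();   // username or key alias, depending on usage
            switch (pc.getUsage()) {
                case WSPasswordCallback.USERNAME_TOKEN:
                    // Supply the password we know for this user; WSS4J compares it
                    // with the received UsernameToken (plaintext or digest). Leaving
                    // it null for an unknown user makes the validation fail closed.
                    pc.setPassword(USER_PASSWORDS.get(id));
                    break;
                case WSPasswordCallback.SIGNATURE:
                    // Password protecting the private key selected by
                    // signatureUsername ("mystskey" in the stsProperties above).
                    pc.setPassword(KEY_PASSWORDS.get(id));
                    break;
                default:
                    // Other usages (decryption, etc.) are not needed by this STS
                    // configuration; the password stays unset.
                    break;
            }
        }
    }
}
```

Because the same class serves both the endpoint and the StaticSTSProperties bean, keep the two lookups separate as above: a user password must never be returned for a SIGNATURE callback, and the key password must never be returned for a USERNAME_TOKEN callback, even when a username happens to equal a key alias.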