Document reference: D.03.07.00001
The following describes how to configure the Java-based samples to request a token from the STS, call a protected service using this token, and how to protect a Java service so that it requires a token.
This is a SOAP service that authenticates the caller with a token issued by an STS compliant with the KOMBIT Støttesystemer specification for STS. The service has a simple ping method that requires no input and returns a statically configured text message.
In the following, this service is also referred to as Service.
In the following, a consumer refers to the caller of the service.
After completing this guide, the java-based sampleservice will be configured.
It is assumed that the reader is a Java developer knowledgeable in the following technologies used to develop this Java-based sample. This includes:
- Java
- NetBeans Development Environment (IDE)
- Glassfish application server with the Java Metro framework
- OIOSamlJava library
- X509v3 Certificates
- Java keystore
The following prerequisites must be in place to be able to complete this guide.
- JDK 7 installed
- NetBeans 8, installed with Glassfish (metro framework included)
- Unlimited Strength Cryptography policy files downloaded from Oracle and installed.
This sample is comprised of two main web projects:
- Service
- Consumer
and three supporting open-source library projects from OIOSAML.Java:
- OIOSAML.java (revision 21290)
- OpenSaml v2.5.1
- XmlTooling v1.4.4
Service is a SOAP service that authenticates the caller with a token issued by an STS compliant with the KOMBIT Støttesystemer specification for STS. The service has a simple ping method that requires no input and returns a statically configured text message.
Consumer is a caller of the SOAP service exposed by Service. This project contains servlets for the test cases below:
- ServiceConsumer: call Service.
- IssueToken: issue a token directly from the STS (not through Service).
- IssueTokenByRstWithWrongFormat: send an empty SOAP message to the STS and handle the error it returns.
- IssueTokenThrowError: request a token from the STS in a way that makes it return a specific error, and handle it.
- ServiceConsumerWithNormalOBO: call the Service web service with a token issued by the STS as an OnBehalfOf token.
- ServiceConsumerWithProxyOBO: call the Service web service with a certificate token as an OnBehalfOf token.
The first step is to import the relevant certificates with private keys into the relevant Java keystore.
The default password for the Java keystore in Glassfish is changeit, and the keystore path of Glassfish (on Microsoft Windows) is:
c:\Program Files\glassfish-4.1\glassfish\domains\domain1\config\keystore.jks
This is done as follows:
- Import “CertificateAnvendersystem.p12” into the Glassfish keystore with the following command:
keytool -v -importkeystore -srckeystore {certpath}\CertificateAnvendersystem.p12 -srcstoretype PKCS12 -destkeystore keystore.jks -deststoretype JKS
- Change the password of the imported private key to be the same as the keystore password:
keytool -keypasswd -alias {46bf4ba8-c898-45b1-b79f-0d7fb690adcf} -new changeit -storepass changeit -keystore keystore.jks
The alias is printed by the first command when the certificate is imported.
The next step is to import the public certificates into the cacerts trust store of Glassfish.
The default password for the trust store in Glassfish is changeit, and the trust store of Glassfish (on Microsoft Windows) is located at:
c:\Program Files\glassfish-4.1\glassfish\domains\domain1\config\cacerts.jks
This is done as follows:
- Import the public part of CertificateIdp.p12 into the trust store, along with all root and intermediate certificates in the certificate chain.
- Import the SSL certificate of the STS into the trust store, along with all root and intermediate certificates in the certificate chain.
The following command is a sample command for importing a certificate to the cacerts.jks keystore file:
keytool -import -alias kombit -file {certpath}\kombit.cer -keystore cacerts.jks
Alternatively, the supplied keystore files in the “certifcatestore” folder of the project can be used; they may be copied to your Glassfish config folder:
c:\Program Files\glassfish-4.1\glassfish\domains\domain1\config
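Before deploying, it is worth verifying that the two keystores actually hold what Metro will look for: a private-key entry under the imported alias whose key password equals the store password, and trusted certificates in cacerts.jks that chain to an imported root. The following check is an added example, not part of the sample project; the config path, store password, alias and the trusted alias list are assumptions taken from the steps above and must be adjusted to your installation.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.Arrays;

/** Sanity checks on the Glassfish keystores after the keytool steps (added example, not part of the sample). */
public class KeystoreCheck {
    // Assumed installation values; adjust to your own setup.
    static final String CONFIG = "C:\\Program Files\\glassfish-4.1\\glassfish\\domains\\domain1\\config\\";
    static final char[] STORE_PASS = "changeit".toCharArray();
    static final String ALIAS = "{46bf4ba8-c898-45b1-b79f-0d7fb690adcf}"; // alias printed by keytool on import
    static final String[] TRUSTED = {"kombit"};                             // aliases you imported into cacerts.jks

    static KeyStore load(String path, char[] pass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) { ks.load(in, pass); }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        KeyStore keystore = load(CONFIG + "keystore.jks", STORE_PASS);
        if (!keystore.isKeyEntry(ALIAS)) throw new IllegalStateException("no private key entry under alias " + ALIAS);
        // Metro reads the key with the store password; if keytool -keypasswd was skipped this throws UnrecoverableKeyException.
        keystore.getKey(ALIAS, STORE_PASS);
        X509Certificate svc = (X509Certificate) keystore.getCertificate(ALIAS);
        svc.checkValidity(); // throws if the service certificate is expired or not yet valid
        System.out.println("service certificate OK: " + svc.getSubjectX500Principal());

        KeyStore trust = load(CONFIG + "cacerts.jks", STORE_PASS);
        PKIXParameters params = new PKIXParameters(trust); // every trusted-certificate entry becomes a trust anchor
        params.setRevocationEnabled(false);                // offline check; leave revocation checking to the runtime
        for (String alias : TRUSTED) {
            X509Certificate cert = (X509Certificate) trust.getCertificate(alias);
            if (cert == null) throw new IllegalStateException("missing trusted certificate: " + alias);
            cert.checkValidity();
            if (cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
                System.out.println("self-signed root OK: " + cert.getSubjectX500Principal());
                continue; // a root has no chain to build; presence and validity are enough
            }
            // An intermediate or leaf must chain to a root in the same store, i.e. the whole chain was imported.
            CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(Arrays.asList(cert));
            CertPathValidator.getInstance("PKIX").validate(path, params); // throws CertPathValidatorException on a gap
            System.out.println("chain OK: " + cert.getSubjectX500Principal());
        }
    }
}
```

Run it with the Glassfish JDK from the domain config folder; a missing intermediate shows up as a CertPathValidatorException rather than as an opaque WS-Trust fault at runtime.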
This section describes how to set up Consumer and build it for deployment:
- Right click the Consumer project, then click Properties > Build > Packaging > Compress WAR file to force the project to build the war file in the dist folder.
- Open Constant.java in package consumer.util, and change the following configurations if you are not using the STS in the project environment:
  - StsEndpointAddress: the address where the STS service is deployed.
  - StsMexEndpointAddress: the MEX endpoint address of the STS.
  - UserContextEndpointAddress: the address where Service is deployed.
  - AppliesToEndpointAddress: the AppliesTo endpoint address.
- Change the log message path (optional): open Constant.java in package consumer.util and change the value of the LogFilePath property (default value is C:\temp\).
- Right click the project and click Clean and Build.
- Deploy the war file in the dist folder to Glassfish; then you can run the test servlets (see section Test).
This section describes how to set up Service and build it for deployment:
- Right click the project, then click Properties > Build > Packaging > Compress WAR file to force the project to build the war file in the dist folder.
- Right click a web service, and select “Edit Web Service Attributes”.
- Select Secure Service with the option STS Issued Token with Service Certificate.
- Click Configure to edit key type and key size. Public key must be used.
- Do not input a value for issuer address or metadata, since we set it in the code to easily change the URL for deployment purposes. All the URL values are stored in the Constant.java file.
- Select the keystore and configure it with the Glassfish keystore and the alias we imported for CertificateAnvendersystem.p12 in the step above.
- It is not recommended to edit the settings under “security mechanism”. Otherwise, the generated file Web pages\WEB-INF\wsit-service.service.Service.xml will be re-generated and must be updated manually as follows:
  - On element AsymmetricBinding\Policy\InitiatorToken\Policy\IssueToken, replace the value of IncludeToken with http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never
  - On element AsymmetricBinding\Policy\InitiatorToken\Policy\IssueToken\RequestSecurityTokenTemplate\TokenType, replace the value of TokenType with http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
  - Add element <sp:ProtectTokens/> below element AsymmetricBinding\Policy\IncludeTimestamp
  - Remove element <sp:EncryptedParts>
  - Replace policy wss11 by wss10, i.e. remove the wss11 element and use the following wss10 element instead:
```xml
<sp:Wss10 xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
  <wsp:Policy>
    <sp:MustSupportRefKeyIdentifier />
    <sp:MustSupportRefIssuerSerial />
  </wsp:Policy>
</sp:Wss10>
```
- Save the XML file, click Clean and Build, then deploy to Glassfish.
- The service WSDL can then be accessed at: https://adgangsstyringeksempler.projekt-stoettesystemerne.dk:8181/Service/Service
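Because NetBeans silently re-generates wsit-service.service.Service.xml whenever the security mechanism is touched, the manual edits above are easy to lose between builds. The following checker is an added example, not part of the sample project: it parses the generated file and reports every one of the required edits that is missing. The default file location (web/WEB-INF) is an assumption about the NetBeans project layout; the policy element is named IssuedToken in WS-SecurityPolicy 1.2, which the step list above writes as IssueToken.

```java
import java.io.File;
import java.util.ArrayList;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;

/** Verifies that the manual edits to wsit-service.service.Service.xml are in place (added example, not part of the sample). */
public class WsitPolicyCheck {
    static final String INCLUDE_NEVER = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never";
    static final String SAML2 = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0";
    /** Returns the violated requirements; an empty list means the policy matches the steps above. */
    static List<String> check(File wsit) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); // no external entities while parsing config
        Document doc = dbf.newDocumentBuilder().parse(wsit);
        XPath xp = XPathFactory.newInstance().newXPath();
        List<String> problems = new ArrayList<String>();
        // local-name() keeps the checks independent of whichever sp/wsp prefixes Metro generated.
        // The WS-SecurityPolicy element is IssuedToken (written IssueToken in the step list above).
        String issued = "//*[local-name()='AsymmetricBinding']//*[local-name()='InitiatorToken']//*[local-name()='IssuedToken']";
        String include = xp.evaluate(issued + "/@*[local-name()='IncludeToken']", doc);
        if (!INCLUDE_NEVER.equals(include)) problems.add("IncludeToken is '" + include + "', expected .../IncludeToken/Never");
        String tokenType = xp.evaluate(issued + "//*[local-name()='RequestSecurityTokenTemplate']/*[local-name()='TokenType']", doc).trim();
        if (!SAML2.equals(tokenType)) problems.add("TokenType is '" + tokenType + "', expected SAMLV2.0");
        if (count(xp, doc, "//*[local-name()='AsymmetricBinding']//*[local-name()='ProtectTokens']") < 1) problems.add("<sp:ProtectTokens/> missing");
        if (count(xp, doc, "//*[local-name()='EncryptedParts']") > 0) problems.add("<sp:EncryptedParts> still present");
        if (count(xp, doc, "//*[local-name()='Wss11']") > 0) problems.add("<sp:Wss11> still present, expected <sp:Wss10>");
        if (count(xp, doc, "//*[local-name()='Wss10']/*/*[local-name()='MustSupportRefKeyIdentifier']") < 1
                || count(xp, doc, "//*[local-name()='Wss10']/*/*[local-name()='MustSupportRefIssuerSerial']") < 1)
            problems.add("<sp:Wss10> lacks MustSupportRefKeyIdentifier / MustSupportRefIssuerSerial");
        return problems;
    }
    static double count(XPath xp, Document doc, String expr) throws Exception {
        return (Double) xp.evaluate("count(" + expr + ")", doc, XPathConstants.NUMBER);
    }
    public static void main(String[] args) throws Exception {
        // Assumed location of the generated file inside the NetBeans project (shown as "Web pages" in the IDE).
        File f = new File(args.length > 0 ? args[0] : "web/WEB-INF/wsit-service.service.Service.xml");
        List<String> problems = check(f);
        for (String p : problems) System.out.println("FAIL: " + p);
        System.out.println(problems.isEmpty() ? "OK: policy matches the STS requirements" : problems.size() + " problem(s)");
        System.exit(problems.isEmpty() ? 0 : 1);
    }
}
```

Running it as a pre-deploy step (or as a unit test in the Service project) turns a lost edit into a build failure instead of a rejected token at the first call.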
The deployed Service can be tested with the deployed Anvendersystem (consumer) by visiting these URLs:
https://adgangsstyringeksempler.projekt-stoettesystemerne.dk:8181/Consumer/IssueToken
https://adgangsstyringeksempler.projekt-stoettesystemerne.dk:8181/Consumer/IssueTokenThrowsError
https://adgangsstyringeksempler.projekt-stoettesystemerne.dk:8181/Consumer/ServiceConsumer
In addition, the service WSDL can be downloaded here:
https://adgangsstyringeksempler.projekt-stoettesystemerne.dk:8181/Service/Service