WSO2 Identity Server and Claim Aware Proxy Services with ESB - Identity Server 4.1.0 - WSO2 Documentation

Tip

You can learn more about the WSO2 ESB from the Enterprise Service Bus documentation.

The use case.

1. A Proxy Service created in WSO2 ESB requires a security token issued by the WSO2 Identity Server for authentication.

2. At the same time, the security policy in the Proxy Service specifies that it requires a given set of claim values with the security token.

<!-- Token template from the proxy service's security policy: a 256-bit symmetric-key
     SAML 1.0 token that must carry the givenname claim. The client's getRSTTemplate()
     builds the equivalent request programmatically. -->
<sp:RequestSecurityTokenTemplate xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
    <t:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</t:TokenType>
    <t:KeyType>http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey</t:KeyType>
    <t:KeySize>256</t:KeySize>
    <t:Claims Dialect="http://wso2.org/claims" xmlns:ic="http://schemas.xmlsoap.org/ws/2005/05/identity">
        <ic:ClaimType Uri="http://wso2.org/claims/givenname" />
    </t:Claims>
</sp:RequestSecurityTokenTemplate>

3. Identity Server is connected to an LDAP user store, and all user attributes reside there.

4. The user needs to authenticate to Identity Server first and obtain the Security Token with claims.

5. Then the user needs to send it to the ESB Proxy Service.

Follow the instructions below to achieve this.

1. Set up the LDAP server. Find instructions here: http://blog.facilelogin.com/2009/04/setting-apache-directory-studio-as-ldap.html.

2. Configure WSO2 Identity Server to talk to the LDAP Server and do the claim mapping.

3. Configure WSO2 Identity Server STS. This resource explains the steps you need to take.

3.1. Get the public certificate (wso2carbon.cert.cer) of the ESB.

3.2. Log in to the Identity Server as an admin, and import the above certificate to wso2carbon.jks from the Configure/Key Stores.

Tip

WSO2 ESB and Identity Server use two different key stores.

3.3. Make sure to select wso2carbon.cert as the "Certificate Alias" when adding the trusted "Endpoint Address."

3.4. When applying the security policy to the STS, make sure you select the group that LDAP users ("ldapuserole") belong to.

4. Create and apply security for the Proxy Service. You need to follow the exact steps defined here. However, you should use another security policy (service.policy.xml) when you are overriding.

The client code.

You may also need to download Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 5.0 from here, and copy the two .jar files from the extracted jce directory (local_policy.jar and US_export_policy.jar) to $JAVA_HOME/jre/lib/security. For JDK 6, it is found here.

Note

Perform the above actions on both the client side as well as on the server side, if you are running it on two machines.

Note

While running the client code, make sure the bouncycastle .jar file is in the classpath.

package org.apache.ws.axis2;

    import java.util.Properties;

    import javax.xml.namespace.QName;

    import org.apache.axiom.om.OMAbstractFactory;
    import org.apache.axiom.om.OMElement;
    import org.apache.axiom.om.OMFactory;
    import org.apache.axiom.om.OMNamespace;
    import org.apache.axiom.om.impl.builder.StAXOMBuilder;
    import org.apache.axis2.addressing.EndpointReference;
    import org.apache.axis2.client.Options;
    import org.apache.axis2.client.ServiceClient;
    import org.apache.axis2.context.ConfigurationContext;
    import org.apache.axis2.context.ConfigurationContextFactory;
    import org.apache.neethi.Policy;
    import org.apache.neethi.PolicyEngine;
    import org.apache.rahas.RahasConstants;
    import org.apache.rahas.Token;
    import org.apache.rahas.TokenStorage;
    import org.apache.rahas.TrustUtil;
    import org.apache.rahas.client.STSClient;
    import org.apache.rampart.RampartMessageData;
    import org.apache.rampart.policy.model.RampartConfig;
    import org.apache.rampart.policy.model.CryptoConfig;
    import org.apache.ws.secpolicy.Constants;
    import org.opensaml.XML;

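    /**
     * Sample STS client: obtains a claim-bearing SAML token from the WSO2 Identity
     * Server STS and then invokes the ESB "echo" proxy service with that token.
     *
     * <p>Endpoint addresses, user names, key store name and passwords are the
     * walkthrough defaults and are hard-coded here; change them for any deployment
     * other than the sample setup described on this page.
     */
    public class IdentitySTSClient {

        /** Address the issued token is scoped to (the relying party / AppliesTo). */
        static final String RELYING_PARTY_SERVICE_EPR = "http://localhost:8280/services/echo";
        /** Transport URL the request is physically sent to (the ESB proxy). */
        static final String ESB_TRANS_EPR = "http://localhost:8280/services/test";
        /** Identity Server STS endpoint, reached over HTTPS. */
        static final String STS_EPR = "https://localhost:9443/services/wso2carbon-sts";

        /** Key store used both as TLS trust store and as the Merlin signing/encryption store. */
        private static final String KEYSTORE_FILE = "wso2carbon.jks";
        /** Password of {@link #KEYSTORE_FILE} (sample default). */
        private static final String KEYSTORE_PASSWORD = "wso2carbon";
        /** WSS4J Merlin crypto provider class name. */
        private static final String MERLIN_PROVIDER = "org.apache.ws.security.components.crypto.Merlin";
        /** LDAP user that authenticates to the STS; PWCBHandler supplies its password. */
        private static final String STS_USER = "prabath";
        /** Dialect passed in the Claims element of the RST template. */
        private static final String CLAIM_DIALECT = "http://wso2.org";
        /** Claim requested from the STS. */
        private static final String GIVENNAME_CLAIM = "http://wso2.org/claims/givenname";
        /** Namespace of the ClaimType element. */
        private static final String IDENTITY_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity";

        /**
         * Runs the sample end to end: configure TLS trust, load both policies, obtain a
         * token from the STS, store it, and call the echo proxy with it.
         *
         * @param args ignored
         * @throws Exception on any failure in policy loading, token issuance or the service call
         */
        public static void main(String[] args) throws Exception {
            // The STS is reached over HTTPS, so the JVM must trust the Identity Server's
            // certificate. It is already in wso2carbon.jks when that file is taken from
            // [ESB_HOME]\resources\security; otherwise import it into the key store first.
            System.setProperty("javax.net.ssl.trustStore", KEYSTORE_FILE);
            System.setProperty("javax.net.ssl.trustStorePassword", KEYSTORE_PASSWORD);

            // repo/conf/client.axis2.xml must have the Rampart module engaged.
            ConfigurationContext confContext =
                ConfigurationContextFactory.createConfigurationContextFromFileSystem("repo",
                    "repo/conf/client.axis2.xml");

            // Policy applied to the Identity Server STS; visible at
            // https://[IDENTITY_SERVER]/services/wso2carbon-sts?wsdl
            Policy stsPolicy = loadSTSPolicy("sts.policy.xml");
            // Policy of the relying party service; it accepts tokens issued by the STS.
            Policy servicePolicy = loadServicePolicy("service.policy.xml");

            Token responseToken = requestToken(confContext, stsPolicy, servicePolicy);
            // Dumps the issued assertion so the walkthrough can be inspected; the token
            // is a credential, so this print is for the sample only.
            System.out.println(responseToken.getToken());

            // Rampart resolves KEY_CUSTOM_ISSUED_TOKEN by id from the context's token store.
            TokenStorage store = TrustUtil.getTokenStore(confContext);
            store.add(responseToken);

            OMElement response = invokeEcho(confContext, servicePolicy, responseToken);
            System.out.println("Response  : " + response);
        }

        /**
         * Asks the STS for a token matching {@link #getRSTTemplate()}, scoped to the
         * relying party service.
         *
         * @param confContext Axis2 context with Rampart engaged
         * @param stsPolicy security policy of the STS itself
         * @param servicePolicy security policy of the relying party
         * @return the issued token
         * @throws Exception if the STS call fails
         */
        private static Token requestToken(ConfigurationContext confContext, Policy stsPolicy,
                                          Policy servicePolicy) throws Exception {
            STSClient stsClient = new STSClient(confContext);
            stsClient.setRstTemplate(getRSTTemplate());
            stsClient.setAction(RahasConstants.WST_NS_05_02 + RahasConstants.RST_ACTION_SCT);
            return stsClient.requestSecurityToken(servicePolicy, STS_EPR, stsPolicy,
                RELYING_PARTY_SERVICE_EPR);
        }

        /**
         * Sends "Hello world1" to the echo proxy, letting Rampart secure the request with
         * the issued token (looked up by id from the token store).
         *
         * @param confContext Axis2 context holding the token store
         * @param servicePolicy policy Rampart applies to the outgoing message
         * @param issuedToken token previously added to the token store
         * @return the service response element
         * @throws Exception if the invocation fails
         */
        private static OMElement invokeEcho(ConfigurationContext confContext, Policy servicePolicy,
                                            Token issuedToken) throws Exception {
            ServiceClient client = new ServiceClient(confContext, null);
            Options options = new Options();
            options.setAction("urn:echoString");
            // WS-Addressing "To" names the echo service; the message itself travels to the ESB proxy.
            options.setTo(new EndpointReference(RELYING_PARTY_SERVICE_EPR));
            options.setProperty(org.apache.axis2.Constants.Configuration.TRANSPORT_URL, ESB_TRANS_EPR);
            options.setProperty(RampartMessageData.KEY_RAMPART_POLICY, servicePolicy);
            options.setProperty(RampartMessageData.KEY_CUSTOM_ISSUED_TOKEN, issuedToken.getId());
            client.setOptions(options);

            client.engageModule("addressing");
            client.engageModule("rampart");

            return client.sendReceive(getPayload("Hello world1"));
        }

        /**
         * Parses a WS-SecurityPolicy document into a Neethi policy.
         *
         * @param xmlPath path of the policy XML file
         * @return the parsed policy
         * @throws Exception if the file cannot be read or parsed
         */
        private static Policy loadPolicy(String xmlPath) throws Exception {
            StAXOMBuilder builder = new StAXOMBuilder(xmlPath);
            return PolicyEngine.getPolicy(builder.getDocumentElement());
        }

        /**
         * Loads the STS policy and attaches the Rampart configuration that authenticates
         * to the STS as the LDAP user.
         *
         * @param xmlPath path of the STS policy file
         * @return the policy with a {@link RampartConfig} assertion added
         * @throws Exception if the policy cannot be loaded
         */
        private static Policy loadSTSPolicy(String xmlPath) throws Exception {
            Policy policy = loadPolicy(xmlPath);
            RampartConfig rc = new RampartConfig();
            // User from the LDAP user store; the password callback class supplies its password.
            rc.setUser(STS_USER);
            rc.setPwCbClass(PWCBHandler.class.getName());
            policy.addAssertion(rc);
            return policy;
        }

        /**
         * Loads the relying party policy and attaches the Rampart configuration with the
         * Merlin key store used for signing and encryption.
         *
         * @param xmlPath path of the service policy file
         * @return the policy with a {@link RampartConfig} assertion added
         * @throws Exception if the policy cannot be loaded
         */
        private static Policy loadServicePolicy(String xmlPath) throws Exception {
            Policy policy = loadPolicy(xmlPath);
            RampartConfig rc = new RampartConfig();
            // "wso2carbon" is the alias used in the sample key store for both roles.
            rc.setUser("wso2carbon");
            rc.setEncryptionUser("wso2carbon");
            rc.setPwCbClass(PWCBHandler.class.getName());

            // Signing and encryption share one Merlin key store, hence one Properties object.
            Properties merlinProp = merlinProperties(KEYSTORE_FILE, KEYSTORE_PASSWORD);
            rc.setSigCryptoConfig(newMerlinCryptoConfig(merlinProp));
            rc.setEncrCryptoConfig(newMerlinCryptoConfig(merlinProp));

            policy.addAssertion(rc);
            return policy;
        }

        /**
         * Builds the WSS4J Merlin properties for a JKS key store.
         *
         * @param keystore key store file name
         * @param password key store password
         * @return properties understood by the Merlin provider
         */
        private static Properties merlinProperties(String keystore, String password) {
            Properties props = new Properties();
            props.put("org.apache.ws.security.crypto.merlin.keystore.type", "JKS");
            props.put("org.apache.ws.security.crypto.merlin.file", keystore);
            props.put("org.apache.ws.security.crypto.merlin.keystore.password", password);
            return props;
        }

        /**
         * Creates a Rampart crypto configuration backed by Merlin.
         *
         * @param props Merlin properties (see {@link #merlinProperties})
         * @return the crypto configuration
         */
        private static CryptoConfig newMerlinCryptoConfig(Properties props) {
            CryptoConfig config = new CryptoConfig();
            config.setProvider(MERLIN_PROVIDER);
            config.setProp(props);
            return config;
        }

        /**
         * Builds the RequestSecurityTokenTemplate sent to the STS: a 256-bit symmetric-key
         * SAML token carrying the givenname claim, mirroring the template in the proxy policy.
         *
         * @return the RST template element
         * @throws Exception if Rahas cannot build the element
         */
        private static OMElement getRSTTemplate() throws Exception {
            OMFactory fac = OMAbstractFactory.getOMFactory();
            OMElement elem = fac.createOMElement(Constants.RST_TEMPLATE);
            TrustUtil.createTokenTypeElement(RahasConstants.VERSION_05_02, elem).setText(XML.SAML_NS);
            TrustUtil.createKeyTypeElement(RahasConstants.VERSION_05_02, elem,
                RahasConstants.KEY_TYPE_SYMM_KEY);
            TrustUtil.createKeySizeElement(RahasConstants.VERSION_05_02, elem, 256);
            // NOTE(review): the proxy policy on this page declares Dialect="http://wso2.org/claims"
            // while the sample sends "http://wso2.org"; kept as-is — confirm which the STS expects.
            OMElement claims = TrustUtil.createClaims(RahasConstants.VERSION_05_02, elem, CLAIM_DIALECT);
            addClaimType(claims, GIVENNAME_CLAIM);
            return elem;
        }

        /**
         * Appends a {@code wsid:ClaimType} child with the given URI to {@code parent}.
         *
         * @param parent the Claims element to add to
         * @param uri claim URI placed in the {@code Uri} attribute
         */
        private static void addClaimType(OMElement parent, String uri) {
            OMFactory factory = parent.getOMFactory();
            OMElement claimType = factory.createOMElement(
                new QName(IDENTITY_NS, "ClaimType", "wsid"), parent);
            claimType.addAttribute(factory.createOMAttribute("Uri", null, uri));
        }

        /**
         * Builds the {@code ns1:echoString/in} payload for the echo service.
         *
         * @param value text placed in the {@code in} element
         * @return the payload element
         */
        private static OMElement getPayload(String value) {
            OMFactory factory = OMAbstractFactory.getOMFactory();
            OMNamespace ns = factory.createOMNamespace("http://echo.services.core.carbon.wso2.org", "ns1");
            OMElement elem = factory.createOMElement("echoString", ns);
            OMElement in = factory.createOMElement("in", null);
            in.setText(value);
            elem.addChild(in);
            return elem;
        }
    }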
package org.apache.ws.axis2;

    import org.apache.ws.security.WSPasswordCallback;

    import javax.security.auth.callback.Callback;
    import javax.security.auth.callback.CallbackHandler;
    import javax.security.auth.callback.UnsupportedCallbackException;

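    /**
     * Password callback used by Rampart for both the STS call and the service call.
     * Every {@link WSPasswordCallback} in the batch is answered: the LDAP user
     * {@code prabath} gets its own password, any other identifier (the {@code wso2carbon}
     * key alias in this sample) gets the default password.
     *
     * <p>Passwords are the hard-coded sample values from the walkthrough; a handler used
     * outside the sample would read them from protected configuration.
     */
    public class PWCBHandler implements CallbackHandler {

        /** LDAP user that authenticates to the STS. */
        private static final String LDAP_USER = "prabath";
        /** Password of {@link #LDAP_USER}. */
        private static final String LDAP_USER_PASSWORD = "prabath";
        /** Password returned for every other identifier (the key alias in this sample). */
        private static final String DEFAULT_PASSWORD = "wso2carbon";

        /**
         * Supplies a password for each callback.
         *
         * @param callbacks callbacks to satisfy; {@code null} or empty is a no-op
         * @throws UnsupportedCallbackException if a callback is not a {@link WSPasswordCallback}
         */
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            if (callbacks == null) {
                return;
            }
            for (Callback callback : callbacks) {
                // Reject unknown callback types explicitly instead of failing on a blind cast.
                if (!(callback instanceof WSPasswordCallback)) {
                    throw new UnsupportedCallbackException(callback,
                        "Only WSPasswordCallback is supported");
                }
                WSPasswordCallback cb = (WSPasswordCallback) callback;
                cb.setPassword(passwordFor(cb.getIdentifier()));
            }
        }

        /**
         * Maps an identifier to its sample password.
         *
         * @param identifier user name or key alias Rampart is asking for; may be {@code null}
         * @return the matching password
         */
        private static String passwordFor(String identifier) {
            return LDAP_USER.equals(identifier) ? LDAP_USER_PASSWORD : DEFAULT_PASSWORD;
        }
    }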