The WSIT Tutorial

Example: SAML Sender Vouches with Certificates (SV)

This section describes the following tasks:

ProcedureTo Secure the Example Service Application (SV)

The following example application starts with the example provided in Chapter 3, WSIT Example Using a Web Container and NetBeans IDE and demonstrates adding security to both the web service and to the web service client.

For this example, the security mechanism of SAML Sender Vouches with Certificates is used to secure the application. The steps are similar to the ones described in Example: Username Authentication with Symmetric Keys (UA), with the addition of the writing of a client-side SAML callback handler to populate the client’s request with a SAML assertion.

To add security to the service part of the example, follow these steps.

  1. If you haven’t already completed these steps, complete them now:

    1. Update the GlassFish keystore and truststore files as described in To Update GlassFish Certificates.

    2. Create a user on GlassFish as described in Adding Users to GlassFish.

  2. Create the CalculatorApplication example by following the steps described in the following sections of Chapter 3, WSIT Example Using a Web Container and NetBeans IDE:

    1. Creating a Web Service

    2. Skip the section on adding Reliable Messaging.

    3. Deploying and Testing a Web Service (first two steps only, do not run the project yet)

  3. Expand CalculatorApplication->Web Services, then right-click the node for the web service, CalculatorWS, and select Edit Web Service Attributes.

  4. Deselect the Reliable Messaging option if it is selected.

  5. Select Secure Service.

  6. From the drop-down list for Security Mechanism, select SAML Sender Vouches with Certificates.

  7. Click the Keystore button to provide your keystore with the alias identifying the service certificate and private key. To do this, click the Load Aliases button and select xws-security-server, then click OK to close the dialog.

  8. For this example, the Truststore information that you need is specified by default, so there is no need to change these settings.

  9. Click OK to exit the WSIT Configuration editor.

    A new file is added to the project. To view the WSIT configuration file, expand Web Pages->WEB-INF, then double-click the file This file contains the sc:KeyStore and sc:Truststore elements.

  10. Right-click the CalculatorApplication node and select Run Project. Accept the s1as certificate if you are prompted to.

    A browser will open and display the WSDL file for the application.

  11. Verify that the WSDL file contains the TransportBinding and SignedSupportingTokens element, which in turn contains a SamlToken element.

  12. Follow the steps to secure the client application as described in To Secure the Example Web Service Client Application (SV).

ProcedureTo Secure the Example Web Service Client Application (SV)

This section demonstrates adding security to the web service client that references the web service created in the previous section. This web service is secured using the security mechanism described in SAML Sender Vouches with Certificates.

To add security to the client that references this web service, complete the following steps.

  1. This example uses a non-JSR-109-compliant client. To do this, create the client application up to the step where you create the Servlet (step 7 as of this writing) by following the steps described in Creating a Client to Consume a WSIT-Enabled Web Service, with one exception: name the application CalculatorClient (since it’s not a servlet.).

  2. Instead of creating a client servlet as is described in Creating a Client to Consume a WSIT-Enabled Web Service, just add the web service operation to the generated index.jsp file to create a non-JSR-109 client. To do this, follow these steps:

    1. If the index.jsp file is not open in the right pane, double-click it to open it.

    2. Drill down through the Web Service References node until you get to the add operation.

    3. Drag the add operation to the line immediately following the following line:

          <h1>JSP Page</h1>
    4. Edit the values for i and j if you’d like.

  3. Write a SAMLCallback handler for the client side to populate a SAML assertion into the client’s request to the service.

    To create the SAMLCallbackHandler, follow these steps:

    1. Right-click the CalculatorClient node and select New->Java Package.

    2. For Package Name, type xwss.saml, then click Finish.

    3. Drill down from CalculatorClient->Source Packages->xwss.saml.

    4. Right-click xwss.saml and select New->File/Folder.

    5. From the Categories list, select Java Classes.

    6. From the File Types list, select Empty Java File and click Next.

    7. For Class Name, type SamlCallbackHandler, then click Finish.

      The empty file appears in the IDE.

    8. Download the example file from the following URL:[amp ]expandFolder=6645[amp ]folderID=6645

    9. Open the file in a text editor.

    10. Modify the home variable to provide the hard-coded path to your GlassFish installation. For example, modify the line:

              String home = System.getProperty("WSIT_HOME");


              String home = "/home/glassfish";
    11. Set the subject confirmation method to SV (Sender Vouches). For more information on this topic, read Example SAML Callback Handlers.

    12. Copy the contents of this file into the window that is displaying in the IDE.

  4. Drill down from CalculatorClient->Web Service References.

  5. Right-click on CalculatorWSService and select Edit Web Service Attributes.

  6. Select the WSIT Configuration tab of the CalculatorWSService dialog.

  7. Provide the client’s private key by pointing to an alias in the keystore. To do this, expand the Certificates node, click the Load Aliases button for the keystore, then select xws-security-client from the Alias list.

  8. Provide the server’s certificate by pointing to an alias in the client truststore. To do this, from the Certificates node, click the Load Aliases button for the Truststore and select xws-security-server.

  9. Expand the Username Authentication node. In the SAML Callback Handler field, type the name of the class written in step 3 above, xwss.saml.SamlCallbackHandler.

  10. Click OK to close this dialog.

  11. In the tree, drill down from the project to Source Packages->META-INF. Double-click CalculatorWSService.xml, and verify that lines similar to the following are present, where xwss.saml.SamlCallbackHandler is the SAML Callback Handler class for the client:

      <wsaws:UsingAddressing xmlns:wsaws=""/>
      <sc:CallbackHandlerConfiguration wspp:visibility="private">
        <sc:CallbackHandler name="samlHandler" classname="xwss.saml.SamlCallbackHandler"/>
      <sc:KeyStore wspp:visibility="private" 
        storepass="changeit" alias="xws-security-client" keypass="changeit"/>
      <sc:TrustStore wspp:visibility="private" 
        storepass="changeit" peeralias="xws-security-server"/>
  12. Compile and run this application by right-clicking the CalculatorClient node and selecting Run Project.