
Configuring an XACML Client for a Custom Identity Asserter

This document describes how to configure an XACML client to invoke a custom identity asserter for authentication.

  1. Create and build a custom identity asserter. You can start from the sample UsernameIdentityAsserter located under \ales32-admin\examples\SampleProviders\UsernameAsserter.

  2. Copy the custom identity asserter (for example, UsernameIdentityAsserter.jar) to the following directories:
    1. On the Administration Console machine: <ALES_ADMIN_HOME>\lib\providers\css
    2. On the Security Module machine: <ALES_SSM_HOME>\webservice-ssm\lib\providers\css
    3. If this directory is not present, restart the Admin Server so that it loads the provider.

  3. Log in to the Administration Console.
  4. Under Service Control Managers, click the webservice SSM instance. The SSM configuration page is displayed.
  5. On the General tab, choose Java SSM 3.0 -> WS SSM 3.0 for Configuration Version and apply the change.
  6. In the Authentication Providers section of the Webservice SSM, choose "Configure a new UsernameIdentityAsserter ...".
  7. Choose "USERID_TOKEN" as the active type for this "UsernameIdentityAsserter".
  8. Leave the "Base64Decoding required" checkbox unchecked.
  9. Create and apply the previous two changes. The token type must be identical to the one you have configured in the asserter.

  10. Click the "Reorder the Configured Authentication Providers" link on the authentication page and ensure that "UsernameIdentityAsserter" is at the top.
  11. If any other authentication provider has been configured for this Webservice SSM, set its control flag to optional.
  12. Distribute the SSM configuration change.
  13. Shut down the WS-SSM and add the following line to the <ALES_SSM_HOME>\webservice-ssm\instance\instance-name\config\WLESws.wrapper.conf configuration file (adjust the path to your installation):

    wrapper.java.classpath.70=D:/bea1001/ales32-ssm/webservice-ssm/lib/smwsCustomAssertion.jar

  14. Add the following entry to the <ALES_SSM_HOME>\webservice-ssm\lib\com\bea\security\ssmws\soap\.castor.xml file:

    <class name="com.bea.security.ssmws.credentials.TestCredHolderImpl">
      <map-to cst:xml="USERID_TOKEN" />
      <field name="cookie" type="java.lang.String">
        <bind-xml node="text"/>
      </field>
    </class>

  15. Add the following entry to the <ALES_SSM_HOME>\webservice-ssm\lib\com\bea\security\ssmws\credentials\.castor.xml file:

    <class name="com.bea.security.ssmws.credentials.TestCredHolderImpl">
      <map-to cst:xml="USERID_TOKEN" cst:ns-uri="http://security.bea.com/ssmws/ssm-soap-types-1.0.xsd" />
      <field name="cookie" type="java.lang.String">
        <bind-xml node="text"/>
      </field>
    </class>

  16. Add the following entry to the <ALES_SSM_HOME>\webservice-ssm\lib\com\bea\security\ssmws\authorization\xacml\context\.castor.xml file:

    <class name="com.bea.security.ssmws.credentials.TestCredHolderImpl">
      <map-to cst:xml="USERID_TOKEN" cst:ns-uri="http://security.bea.com/ssmws/ssm-soap-types-1.0.xsd" />
      <field name="cookie" type="java.lang.String">
        <bind-xml node="text"/>
      </field>
    </class>

  17. Add log4j.logger.com.bea.security.ssmws.server=DEBUG to the <ALES_SSM_HOME>\webservice-ssm\instance\instance-name\config\log4j.properties file.
  18. Copy the attached ssmwsCustomAssertion.jar to <ALES_SSM_HOME>\webservice-ssm\lib.
  19. Restart the WS SSM so that it picks up the new configuration and deploys the provider.

After you have configured the UsernameIdentityAsserter for your webservice-ssm, you can send a XACML authorization (Atz) request to the WS-SSM using the request shown below. Modify and use the sample XACML client located under ales32-ssm\webservice-ssm\examples\XACMLClient to test this configuration. The sample has to be changed to use the custom token, in this case "USERID_TOKEN", instead of the built-in ALESIdentityAsserter. Also ensure that you pass the value of the custom token in an AttributeType entity when you construct the SubjectType.

In the Subject element of this request, the subject-id attribute's DataType selects USERID_TOKEN as the asserter, and the value of the token is passed in the <USERID_TOKEN> element. Change the token value, resource, and action according to your policy and send the request. You should get a XACML response back.

<?xml version="1.0" encoding="utf-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <soapenv:Body>
    <Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os">
      <Subject xsi:type="ns1:SubjectType" xmlns:ns1="urn:oasis:names:tc:xacml:2.0:context:schema:os">
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://security.bea.com/ssmws/ssm-ws-1.0.wsdl#USERID_TOKEN" xsi:type="ns1:AttributeType">
          <AttributeValue xsi:type="ns1:AttributeValueType">
            <USERID_TOKEN xmlns="http://security.bea.com/ssmws/ssm-soap-types-1.0.xsd">weblogic</USERID_TOKEN>
          </AttributeValue>
        </Attribute>
        <Attribute AttributeId="http://security.bea.com/ssmws/ssm-ws-1.0.wsdl#level" DataType="http://www.w3.org/2001/XMLSchema#string" xsi:type="ns1:AttributeType">
          <AttributeValue xsi:type="ns1:AttributeValueType">3</AttributeValue>
        </Attribute>
      </Subject>
      <Resource xsi:type="ns3:ResourceType" xmlns:ns3="urn:oasis:names:tc:xacml:2.0:context:schema:os">
        <Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string" xsi:type="ns3:AttributeType">
          <AttributeValue xsi:type="ns3:AttributeValueType">MyApp/stock/app</AttributeValue>
        </Attribute>
      </Resource>
      <Action>
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string" xsi:type="ns4:AttributeType" xmlns:ns4="urn:oasis:names:tc:xacml:2.0:context:schema:os">
          <AttributeValue xsi:type="ns4:AttributeValueType">any</AttributeValue>
        </Attribute>
      </Action>
      <Environment/>
    </Request>
  </soapenv:Body>
</soapenv:Envelope>
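The following Python is an added example, not code from the ALES documentation or from the sample XACMLClient. It builds the request above programmatically (token wrapped in a USERID_TOKEN element, subject-id DataType naming the custom token type, resource-id and action-id as string attributes) and evaluates a XACML 2.0 response fail-closed, so that only an explicit Permit grants access. The response documents it checks against are constructed here, and the `xacml`/`ssm` namespace prefixes are an implementation choice; the same namespaces as on the page are used.

```python
# Added example (not from the ALES documentation): build the SOAP/XACML request shown
# above and evaluate the WS-SSM's answer fail-closed. Sample responses are constructed.
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
XACML_CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
SSM_TYPES = "http://security.bea.com/ssmws/ssm-soap-types-1.0.xsd"
SSM_WSDL = "http://security.bea.com/ssmws/ssm-ws-1.0.wsdl"
XSD_STRING = "http://www.w3.org/2001/XMLSchema#string"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:2.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"

# Fixed prefixes so the xsi:type values below resolve in the serialized document
# (ElementTree reserves "nsN" prefixes, so the page's ns1 is called xacml here).
ET.register_namespace("soapenv", SOAP_NS)
ET.register_namespace("xsi", XSI_NS)
ET.register_namespace("xacml", XACML_CTX)
ET.register_namespace("ssm", SSM_TYPES)


def _q(ns, local):
    """Clark-notation tag name used by ElementTree."""
    return "{%s}%s" % (ns, local)


def _attribute(parent, attr_id, data_type):
    """Append an Attribute with an empty AttributeValue; return the value element."""
    attr = ET.SubElement(parent, _q(XACML_CTX, "Attribute"), {
        "AttributeId": attr_id, "DataType": data_type,
        _q(XSI_NS, "type"): "xacml:AttributeType"})
    return ET.SubElement(attr, _q(XACML_CTX, "AttributeValue"),
                         {_q(XSI_NS, "type"): "xacml:AttributeValueType"})


def build_request(token, resource, action, level="3"):
    """Return the SOAP envelope (bytes) of a XACML 2.0 Request whose subject-id
    carries the custom USERID_TOKEN instead of a built-in ALES identity token."""
    envelope = ET.Element(_q(SOAP_NS, "Envelope"))
    body = ET.SubElement(envelope, _q(SOAP_NS, "Body"))
    request = ET.SubElement(body, _q(XACML_CTX, "Request"))

    subject = ET.SubElement(request, _q(XACML_CTX, "Subject"),
                            {_q(XSI_NS, "type"): "xacml:SubjectType"})
    # DataType names the asserter's token type; the value is wrapped in a
    # USERID_TOKEN element from the SSM SOAP-types namespace, as on the page.
    value = _attribute(subject, SUBJECT_ID, SSM_WSDL + "#USERID_TOKEN")
    ET.SubElement(value, _q(SSM_TYPES, "USERID_TOKEN")).text = token
    _attribute(subject, SSM_WSDL + "#level", XSD_STRING).text = level

    resource_el = ET.SubElement(request, _q(XACML_CTX, "Resource"),
                                {_q(XSI_NS, "type"): "xacml:ResourceType"})
    _attribute(resource_el, RESOURCE_ID, XSD_STRING).text = resource

    action_el = ET.SubElement(request, _q(XACML_CTX, "Action"))
    _attribute(action_el, ACTION_ID, XSD_STRING).text = action

    ET.SubElement(request, _q(XACML_CTX, "Environment"))
    return ET.tostring(envelope, encoding="utf-8", xml_declaration=True)


def extract_subject_token(request_bytes):
    """Read the USERID_TOKEN value back out of a built request (None if absent)."""
    root = ET.fromstring(request_bytes)
    for attr in root.iter(_q(XACML_CTX, "Attribute")):
        if attr.get("AttributeId") == SUBJECT_ID:
            tok = attr.find("./%s/%s" % (_q(XACML_CTX, "AttributeValue"),
                                         _q(SSM_TYPES, "USERID_TOKEN")))
            return None if tok is None else tok.text
    return None


def parse_decision(soap_response):
    """Return the text of the XACML Decision element; ValueError when it is missing."""
    root = ET.fromstring(soap_response)
    decision = root.find(".//" + _q(XACML_CTX, "Decision"))
    if decision is None or not (decision.text or "").strip():
        raise ValueError("response carries no XACML Decision")
    return decision.text.strip()


def is_permitted(soap_response):
    """Fail closed: only an explicit Permit grants access. Deny, NotApplicable,
    Indeterminate, a missing Decision and unparsable XML all evaluate to False."""
    try:
        return parse_decision(soap_response) == "Permit"
    except (ET.ParseError, ValueError):
        return False


# Constructed sample responses in the shape of a XACML 2.0 context Response.
SAMPLE_PERMIT = b"""<?xml version="1.0" encoding="utf-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Body>
<Response xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"><Result ResourceId="MyApp/stock/app">
<Decision>Permit</Decision><Status><StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></Status>
</Result></Response></soapenv:Body></soapenv:Envelope>"""
SAMPLE_INDETERMINATE = SAMPLE_PERMIT.replace(b"Permit", b"Indeterminate")

if __name__ == "__main__":
    payload = build_request("weblogic", "MyApp/stock/app", "any")
    print(payload.decode("utf-8"))  # POST this as text/xml to your WS-SSM endpoint
    print("permit:", is_permitted(SAMPLE_PERMIT), "indeterminate:", is_permitted(SAMPLE_INDETERMINATE))
```

Two points worth keeping in mind when adapting the sample client this way. First, the value inside USERID_TOKEN is a bare user name that the asserter accepts without Base64 decoding or any cryptographic binding, so the WS-SSM trusts whatever identity the calling client asserts; the client and the channel between it and the WS-SSM therefore need to be protected and restricted to callers you trust. Second, treat any Decision other than Permit as a denial in the client, including Indeterminate (which the WS-SSM returns when evaluation fails) and a missing or malformed response, rather than only rejecting an explicit Deny.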
