The WSIT Tutorial

Example: STS Issued Token (STS)

This section describes the following tasks:

  1. To Secure the Example Service Application (STS)

  2. To Create and Secure the STS (STS)

  3. To Secure the Example Web Service Client Application (STS)

Another STS example application can be found at the following URL: https://wsit.dev.java.net/source/browse/wsit/wsit/samples/ws-trust/.

To Secure the Example Service Application (STS)

The following example application starts with the example provided in Chapter 3, WSIT Example Using a Web Container and NetBeans IDE, and demonstrates adding security to both the web service and the web service client.

For this example, the STS Issued Token security mechanism is used to secure the application. Instead of authenticating directly to the service, the client first authenticates to a Security Token Service (STS), which here is itself protected with Username Authentication with Symmetric Keys, and presents the token the STS issues to the CalculatorWS service; the service accepts the token because it trusts the STS. The steps are similar to the ones described in Example: Username Authentication with Symmetric Keys (UA), with the addition of creating and securing an STS.

To add security to the service part of the example, follow these steps.

  1. Create a user on GlassFish if you haven't already done so (see Adding Users to GlassFish).

  2. Create the CalculatorApplication example by following the steps described in the following sections of Chapter 3, WSIT Example Using a Web Container and NetBeans IDE.

    1. Creating a Web Service

    2. Skip the section on adding Reliable Messaging.

    3. Deploying and Testing a Web Service (first two steps only, do not run the project yet).

  3. Expand CalculatorApplication->Web Services, then right-click the node for the web service, CalculatorWS, and select Edit Web Service Attributes.

  4. Deselect the Reliable Messaging option if it is selected.

  5. Select Secure Service.

  6. From the drop-down list for Security Mechanism, select STS Issued Token.

  7. Select the Configure button. For Algorithm Suite, select Basic128 bit. For Key Size, select 128. Select OK to close the configuration dialog. (The algorithm suite and key size of the service must match the values configured on the STS.)


    Note –

    If you have configured Unlimited Strength Encryption as described in To Create a Third-Party STS, you can leave the key size at 256. Otherwise, you must set it to 128.


  8. Click OK to exit the WSIT Configuration editor.

    A new file is added to the project. To view the WSIT configuration file, expand Web Pages->WEB-INF, then double-click the file wsit-org.me.calculator.CalculatorWS.xml.

  9. Right-click the CalculatorApplication node and select Run Project. This step compiles the application and deploys it onto GlassFish. A browser will open and display the WSDL file for the application.

Next Steps

Follow the steps for creating and securing the Security Token Service as described in To Create and Secure the STS (STS).

To Create and Secure the STS (STS)

To create and secure a Security Token Service for this example, follow these steps.

  1. Create a new project for the STS by selecting File->New Project.

  2. Select Web, then Web Application, then Next.

  3. Type MySTSProject for the Project Name, then click Finish.

  4. Right-click the MySTSProject node, select New, then click File/Folder at the top.

  5. Select Web Services from the Categories list.

  6. Select Secure Token Service (STS) from the File Type(s) list, then click Next.

  7. Type the name MySTS for the Web Service Class Name.

  8. Select org.me.my.sts from the Package list, then click Finish.

    The IDE takes a while to create the STS. When created, it appears under the project’s Web Services node as MySTSService, and MySTS.java appears in the right pane.

  9. The STS wizard creates an empty implementation of the provider class. The token issuance itself is handled by the WSIT class BaseSTSImpl; MySTS only needs to extend it and hand it the request context. Complete the class by making the following changes to MySTS.java.

    1. Add these import statements to the list of imports:

          import com.sun.xml.ws.security.trust.sts.BaseSTSImpl;
          import javax.annotation.Resource;
          import javax.xml.ws.Provider;
          import javax.xml.ws.Service;
          import javax.xml.ws.ServiceMode;
          import javax.xml.ws.WebServiceContext;
          import javax.xml.ws.WebServiceProvider;
          import javax.xml.transform.Source;
          import javax.xml.ws.handler.MessageContext;
    2. Add the following Resource annotation after the line public class MySTS implements javax.xml.ws.Provider<Source> {:

          @Resource protected WebServiceContext context;
    3. Change the following line of code:

          public class MySTS implements
              javax.xml.ws.Provider<Source>

      to:

          public class MySTS extends BaseSTSImpl implements
              javax.xml.ws.Provider<Source>
    4. For the invoke method, replace the return null line with the following return statement:

          return super.invoke(source);
    5. Add the following method after the invoke method:

          protected MessageContext getMessageContext() {
               MessageContext msgCtx = context.getMessageContext();
               return msgCtx;
          }
  10. Back in the Projects window, expand the MySTSProject node, then expand the Web Services node. Right-click the MySTSService[IMySTSService_Port] node and select Edit Web Service Attributes to configure the STS.

  11. Select Secure Service if it’s not already selected.

  12. Verify that the Security Mechanism of Username Authentication with Symmetric Keys is selected.

  13. Select the Configure button. For Algorithm Suite, verify that Basic128 bit is selected (so that it matches the value selected for the service). For the Key Size, verify that 128 is selected. Select OK to close the configuration dialog.

  14. Select Act as Secure Token Service (STS), then click OK to close the Select STS Service Provider dialog.

  15. Click the Keystore button to select, from your keystore, the alias that identifies the STS's certificate and private key. To do this, click the Load Aliases button, select wssip, then click OK to close the dialog.

  16. Click OK to close the WSIT Configuration dialog.

    A new file is added to the project. To view the WSIT configuration file, expand Web Pages->WEB-INF->wsdl->MySTS, then double-click the file MySTSService.wsdl. This file contains the sc:KeyStore element.

  17. Right-click the MySTSProject node and select Properties. Select the Run category, and type the following in the Relative URL field: /MySTSService?wsdl.

  18. Run the Project (right-click the project and select Run Project).

    The STS WSDL appears in the browser.
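Putting the five edits in step 9 together, the finished MySTS.java looks like the following. This is an assembled example, not code copied from the page or from the WSIT samples: the @ServiceMode and @WebServiceProvider annotations stand in for the class skeleton the STS wizard generates, with serviceName, portName and wsdlLocation taken from the names this procedure uses; the targetNamespace value http://tempuri.org/ and Service.Mode.PAYLOAD are assumptions about the wizard's defaults and should be left as whatever the wizard wrote.

```java
package org.me.my.sts;

import com.sun.xml.ws.security.trust.sts.BaseSTSImpl;
import javax.annotation.Resource;
import javax.xml.transform.Source;
import javax.xml.ws.Provider;
import javax.xml.ws.Service;
import javax.xml.ws.ServiceMode;
import javax.xml.ws.WebServiceContext;
import javax.xml.ws.WebServiceProvider;
import javax.xml.ws.handler.MessageContext;

/**
 * STS endpoint for the tutorial. The class skeleton and annotations are what
 * the STS wizard generates (targetNamespace and Service.Mode.PAYLOAD assumed
 * here); the WS-Trust processing lives in BaseSTSImpl, which this class
 * extends and delegates to.
 */
@ServiceMode(value = Service.Mode.PAYLOAD)
@WebServiceProvider(serviceName = "MySTSService",
        portName = "IMySTSService_Port",
        targetNamespace = "http://tempuri.org/",
        wsdlLocation = "WEB-INF/wsdl/MySTS/MySTSService.wsdl")
public class MySTS extends BaseSTSImpl implements Provider<Source> {

    // Injected by the container; BaseSTSImpl reads the incoming request
    // (and the caller authenticated by the STS's own security policy) from it.
    @Resource
    protected WebServiceContext context;

    // Every RequestSecurityToken that reaches the endpoint is passed to
    // BaseSTSImpl.invoke, which validates the request and builds the
    // RequestSecurityTokenResponse carrying the issued token.
    @Override
    public Source invoke(Source source) {
        return super.invoke(source);
    }

    // BaseSTSImpl declares this method abstract: it is how the base class
    // obtains the per-request MessageContext.
    @Override
    protected MessageContext getMessageContext() {
        return context.getMessageContext();
    }
}
```

Nothing in the class decides who may obtain a token; that decision is made by the Username Authentication with Symmetric Keys policy and the wssip keystore alias configured on MySTSService in steps 11 through 16, so the WSIT configuration file, not this Java code, is what to review when a token request is accepted or rejected unexpectedly.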

Next Steps

Follow the steps to secure the client application as described in To Secure the Example Web Service Client Application (STS).

To Secure the Example Web Service Client Application (STS)

This section demonstrates adding security to the CalculatorApplication's web service client so that it can call the CalculatorWS service, which was secured with the STS Issued Token mechanism described above. The client needs two things: credentials for the STS (so it can obtain a token) and the identities of both the STS and the service (so it can verify them).

To add security to the client, complete the following steps.

  1. Create the client application by following the steps described in Creating a Client to Consume a WSIT-Enabled Web Service.


    Note –

    Whenever you make changes on the service, refresh the client so that the client will pick up the change. To refresh the client, right-click the node for the Web Service Reference for the client, and select Refresh Client.


  2. Drill down from CalculatorWSServletClient->Web Service References.

  3. Right-click CalculatorWSService and select Edit Web Service Attributes, then select the WSIT Configuration tab.

  4. Provide the client’s private key by pointing to an alias in the keystore. To do this, expand the Certificates node, click the Load Aliases button for the keystore, and select xws-security-client from the Alias list.

  5. Provide the service’s certificate by pointing to an alias in the client truststore. To do this, from the Certificates node, click the Load Aliases button for the truststore and select xws-security-server from the Alias list.

  6. Expand the Security Token Service node to provide details for the STS to be used. When the Endpoint and the Metadata values are the same, you only need to enter the Endpoint value. For the Endpoint field, type the following value:


    http://localhost:8080/MySTSProject/MySTSService
  7. Click OK to close this dialog.

  8. The service requires a token issued by the STS at http://localhost:8080/MySTSProject/MySTSService, whose WSDL is at http://localhost:8080/MySTSProject/MySTSService?wsdl. Add a web service client for the STS to the client project so that the STS can be called and configured:

    1. Right-click the CalculatorWSServletClient node and select New->Web Service Client.

      The New Web Service Client window appears.

    2. Select the WSDL URL option.

    3. Paste the WSDL URL of the STS into the WSDL URL field. For this example, it is the URL for the MySTS web service:


      http://localhost:8080/MySTSProject/MySTSService?wsdl
    4. Type org.me.calculator.client.sts in the Package field, then click Finish.

      The Projects window displays the new web service client.

  9. Drill down from CalculatorWSServletClient->Web Service References.

  10. Right-click MySTSService and select Edit Web Service Attributes.

  11. Select the WSIT Configuration tab of the MySTSService dialog.

  12. Provide the client’s private key by pointing to an alias in the keystore. To do this, expand the Certificates node, click the Load Aliases button for the keystore, and select xws-security-client from the Alias list.

  13. Provide the STS's certificate by pointing to an alias in the client truststore. To do this, from the Certificates node, click the Load Aliases button for the truststore and select wssip from the Alias list.

  14. Expand the Username Authentication node and verify that the default user name and password match the user you created in GlassFish.

    If you followed the steps in Adding Users to GlassFish, these are User Name wsitUser and Password changeit. This user, like the xws-security-client, xws-security-server and wssip aliases, is a sample credential from the tutorial setup; replace all of them before using this configuration for anything other than the example.

  15. Click OK to close this dialog.

  16. Compile and run this application by right-clicking the CalculatorWSServletClient project and selecting Run Project.
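Before running the client, it is worth checking that the two assumptions the three procedures rely on actually hold on this machine: the key-size note in step 7 of To Secure the Example Service Application (STS), and the keystore aliases selected through Load Aliases for the STS and the client. The following is an added example, not part of the tutorial or of WSIT. It reports whether the JRE permits 256-bit AES (and therefore whether 128 or 256 is the right Key Size to select), then verifies that the keystore holds private-key entries for xws-security-client and wssip and that the truststore holds certificates for xws-security-server and wssip, rejecting any certificate that is expired or not yet valid. The store paths are passed on the command line; JKS format and the password changeit for both the stores and the keys are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.crypto.Cipher;

/**
 * Pre-flight check for the STS example (added example, not part of WSIT).
 * Assumptions: JKS stores; store and key password "changeit" unless a third
 * argument is given; the aliases named in the procedures above.
 */
public class StsPreflight {

    // Aliases selected through Load Aliases, grouped by the store each lives in.
    static final String[] PRIVATE_KEY_ALIASES  = {"xws-security-client", "wssip"};
    static final String[] TRUSTED_CERT_ALIASES = {"xws-security-server", "wssip"};

    /** Key Size to pick in the Configure dialog on this JRE. */
    static int recommendedKeySize() throws NoSuchAlgorithmException {
        // A JRE without the unlimited-strength policy files caps AES at 128 bits;
        // choosing 256 for service and STS then fails at run time, not at configuration time.
        return Cipher.getMaxAllowedKeyLength("AES") >= 256 ? 256 : 128;
    }

    static KeyStore load(String path, char[] storePassword) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, storePassword);
        }
        return ks;
    }

    /** True if the alias is a private-key entry whose certificate is currently valid. */
    static boolean checkPrivateKey(KeyStore ks, String alias, char[] keyPassword) throws Exception {
        if (!ks.isKeyEntry(alias)) {
            System.out.println("MISSING private key entry: " + alias);
            return false;
        }
        Key key = ks.getKey(alias, keyPassword);               // throws if the key password is wrong
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        return report(alias, key.getAlgorithm() + " key", cert);
    }

    /** True if the alias is present in the truststore with a currently valid certificate. */
    static boolean checkTrustedCert(KeyStore ts, String alias) throws Exception {
        X509Certificate cert = (X509Certificate) ts.getCertificate(alias);
        if (cert == null) {
            System.out.println("MISSING trusted certificate: " + alias);
            return false;
        }
        return report(alias, "trusted cert", cert);
    }

    static boolean report(String alias, String kind, X509Certificate cert) {
        try {
            cert.checkValidity();   // an expired certificate surfaces later as a much less obvious token failure
        } catch (CertificateException e) {
            System.out.println("INVALID " + alias + ": " + e.getMessage());
            return false;
        }
        System.out.println("OK " + alias + " (" + kind + ", " + cert.getSubjectX500Principal() + ")");
        return true;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: java StsPreflight <keystore.jks> <truststore.jks> [password]");
            System.exit(2);
        }
        char[] password = (args.length > 2 ? args[2] : "changeit").toCharArray();   // assumed default
        System.out.println("Key Size to select in the Configure dialog: " + recommendedKeySize());
        KeyStore ks = load(args[0], password);
        KeyStore ts = load(args[1], password);
        boolean ok = true;
        for (String alias : PRIVATE_KEY_ALIASES)  ok &= checkPrivateKey(ks, alias, password);
        for (String alias : TRUSTED_CERT_ALIASES) ok &= checkTrustedCert(ts, alias);
        System.exit(ok ? 0 : 1);
    }
}
```

Run it with the same keystore and truststore files the IDE's Load Aliases buttons read (for a GlassFish domain these are normally keystore.jks and cacerts.jks under the domain's config directory; the exact location is whatever your installation uses). A non-zero exit means the IDE steps would have offered an alias that will not work, or the Key Size chosen in step 7 does not match what the JRE allows; fix that before running the client rather than debugging a failed token request.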