I'm currently tasked with adding the above to our web service, but I'm not entirely sure how I should go about doing it...
Essentially, the client will be using Websphere, and I believe they're asking us to implement the ID Type/User Name and Managing Trust/Signature stuff described here (http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp?topic=/com.ibm.websphere.express.doc/info/exp/ae/cwbs_idassert.html), but I barely even know where to start - I've got about 0 experience in implementing this.
What I've found suggests that I should add something like the following to my wsdl:
<wsp:Policy wsu:Id="usernameBindingPolicy">
  <wsp:ExactlyOne>
    <wsp:All>
      <wsaws:UsingAddressing xmlns:wsaws="http://www.w3.org/2006/05/addressing/wsdl"/>
      <sp:SymmetricBinding>
        <wsp:Policy>
          <sp:ProtectionToken>
            <wsp:Policy>
              <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
                <wsp:Policy>
                  <sp:WssX509V3Token10/>
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:ProtectionToken>
          <sp:Layout>
            <wsp:Policy>
              <sp:Strict/>
            </wsp:Policy>
          </sp:Layout>
          <sp:IncludeTimestamp/>
          <sp:OnlySignEntireHeadersAndBody/>
          <sp:AlgorithmSuite>
            <wsp:Policy>
              <sp:Basic128/>
            </wsp:Policy>
          </sp:AlgorithmSuite>
        </wsp:Policy>
      </sp:SymmetricBinding>
      <sp:Wss11>
        <wsp:Policy>
          <sp:MustSupportRefKeyIdentifier/>
          <sp:MustSupportRefIssuerSerial/>
          <sp:MustSupportRefThumbprint/>
          <sp:MustSupportRefEncryptedKey/>
        </wsp:Policy>
      </sp:Wss11>
      <sp:SignedSupportingTokens>
        <wsp:Policy>
          <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
            <wsp:Policy>
              <sp:WssUsernameToken10/>
            </wsp:Policy>
          </sp:UsernameToken>
        </wsp:Policy>
      </sp:SignedSupportingTokens>
      <sc:KeyStore wspp:visibility="private" type="JKS" storepass="changeit" alias="xws-security-server" location="C:\openesb\glassfish-v2\domains\domain1\config\keystore.jks"/>
      <sc:TrustStore wspp:visibility="private" storepass="changeit" type="JKS" location="C:\openesb\glassfish-v2\domains\domain1\config\cacerts.jks"/>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
That seems to make sense - it's creating a new policy that uses a username token for authentication. I understand I would also have to create another policy for the input/output operations, like so:
<wsp:Policy wsu:Id="usernameBinding_input1_Policy">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:EncryptedParts>
        <sp:Body/>
      </sp:EncryptedParts>
      <sp:SignedParts>
        <sp:Body/>
        <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>
        <sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing"/>
        <sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing"/>
        <sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing"/>
        <sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing"/>
        <sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing"/>
        <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing"/>
        <sp:Header Name="AckRequested" Namespace="http://schemas.xmlsoap.org/ws/2005/02/rm"/>
        <sp:Header Name="SequenceAcknowledgement" Namespace="http://schemas.xmlsoap.org/ws/2005/02/rm"/>
        <sp:Header Name="Sequence" Namespace="http://schemas.xmlsoap.org/ws/2005/02/rm"/>
      </sp:SignedParts>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
I forget where I grabbed these from, but they're examples I found on the internet.
But what do I have to do to actually ensure this works as expected? Can I rely on Glassfish to do all of the work for me provided I've got the WSDL definitions correct? Or do I have to go a step further and write code as in the following link:
http://www.jroller.com/gmazza/entry/using_the_opensaml_library_in
If I do, that seems like a fair amount of work for something that I would have expected to be done by the application server, but if I have to code it myself, so be it.
[Message sent by forum member 'ipsi' (ipsi)]
http://forums.java.net/jive/thread.jspa?messageID=337339
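As an added illustration of what the <sp:WssUsernameToken10/> assertion in the posted policy actually puts on the wire, and of the checks a receiver has to make before trusting it, here is a small stand-alone Python model of a WS-Security UsernameToken (Username Token Profile 1.0, PasswordDigest variant). This is example code written for this page, not code from the original post, from Metro/WSIT or from GlassFish; the user store, credentials, nonces, timestamps and the 5-minute freshness window are constructed assumptions. The digest formula, element names and namespace URIs are those of the OASIS profile.

```python
"""WS-Security UsernameToken (Username Token Profile 1.0, PasswordDigest).

Added example for this page; not Metro/WSIT or GlassFish code. It builds the
wsse:UsernameToken a client would send and validates it the way a receiving
WS-Security runtime must: digest check, freshness window, nonce replay cache.
All credentials and nonces below are constructed for the demonstration.
"""
import base64
import datetime
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
               "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
NONCE_ENC = ("http://docs.oasis-open.org/wss/2004/01/"
             "oasis-200401-wss-soap-message-security-1.0#Base64Binary")


def _digest(nonce: bytes, created: str, password: str) -> str:
    # Profile 1.0: Password_Digest = Base64(SHA-1(nonce + created + password))
    raw = hashlib.sha1(nonce + created.encode("utf-8") + password.encode("utf-8")).digest()
    return base64.b64encode(raw).decode("ascii")


def parse_created(text: str) -> datetime.datetime:
    """Parse a wsu:Created value (with or without fractional seconds) as aware UTC."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.datetime.strptime(text, fmt).replace(tzinfo=datetime.timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"bad wsu:Created: {text!r}")


def build_username_token(username: str, password: str,
                         nonce: bytes = None, created: str = None) -> str:
    """Client side: the wsse:UsernameToken element carried in the Security header."""
    nonce = os.urandom(16) if nonce is None else nonce
    if created is None:
        created = datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        f'<wsse:UsernameToken xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" wsu:Id="UsernameToken-1">'
        f'<wsse:Username>{escape(username)}</wsse:Username>'
        f'<wsse:Password Type="{DIGEST_TYPE}">{_digest(nonce, created, password)}</wsse:Password>'
        f'<wsse:Nonce EncodingType="{NONCE_ENC}">{base64.b64encode(nonce).decode("ascii")}</wsse:Nonce>'
        f'<wsu:Created>{created}</wsu:Created>'
        '</wsse:UsernameToken>'
    )


class UsernameTokenValidator:
    """Server side: what the runtime must verify before the username is trusted."""

    def __init__(self, passwords: dict, max_skew=datetime.timedelta(minutes=5)):
        self._passwords = passwords   # username -> password (constructed store)
        self._seen = {}               # nonce -> Created, the replay cache
        self._max_skew = max_skew     # assumed freshness window

    def validate(self, token_xml: str, now: datetime.datetime = None):
        now = now or datetime.datetime.now(datetime.timezone.utc)
        # Drop cached nonces that are too old to be accepted anyway.
        self._seen = {n: c for n, c in self._seen.items() if now - c <= self._max_skew}
        root = ET.fromstring(token_xml)
        ns = {"wsse": WSSE, "wsu": WSU}
        user = root.findtext("wsse:Username", namespaces=ns)
        pw_el = root.find("wsse:Password", ns)
        nonce_text = root.findtext("wsse:Nonce", namespaces=ns)
        created = root.findtext("wsu:Created", namespaces=ns)
        if user is None or pw_el is None or nonce_text is None or created is None:
            return False, "missing element"
        if pw_el.get("Type") != DIGEST_TYPE:
            return False, "only PasswordDigest accepted"   # refuse PasswordText here
        try:
            created_dt = parse_created(created)
        except ValueError:
            return False, "bad Created"
        if abs(now - created_dt) > self._max_skew:
            return False, "stale token"
        nonce = base64.b64decode(nonce_text)
        if nonce in self._seen:
            return False, "nonce replay"
        password = self._passwords.get(user)
        if password is None:
            return False, "unknown user"
        if not hmac.compare_digest(_digest(nonce, created, password), pw_el.text or ""):
            return False, "bad digest"
        self._seen[nonce] = created_dt    # only remember nonces that authenticated
        return True, user


if __name__ == "__main__":
    validator = UsernameTokenValidator({"alice": "s3cret"})
    token = build_username_token("alice", "s3cret")
    print(token)
    print(validator.validate(token))   # accepted on first use
    print(validator.validate(token))   # same nonce again: rejected as a replay
```

In the posted policy the UsernameToken is a signed supporting token under an encrypting SymmetricBinding, so on the wire this element would additionally be signed and the body encrypted by the X509-based binding; the digest, freshness and nonce checks shown here are still what the receiving side has to do with the token itself, and they are the part a WS-Security runtime performs on your behalf once it knows where to look up the password for a given username.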