Has anyone ever got WS-Trust to work in JBoss 7?


I've literally tried everything under the sun to get token-based WS-Trust Web Services to work, to no avail. I can obtain a token from an STS, but for the life of me, I cannot figure out how to make the WS server secure and accessible from the outside using a token.

So what I would love to know, is if anyone has ever got this to work on JBoss 7. I'm not interested in "this and that on jboss should give you some information". Been there done that - doesn't work. Have YOU been able to get it to work?

There is 1 answer

abhishekhp

I looked at PicketLink to secure web services using SAML, but it appears to be exposing the SAML authentication using a JAAS security context. So instead I just wrote a custom handler using the PicketLink API to secure the WS. The handler essentially does the same thing (i.e. SAML assertion expiration and digital signature validation checks) as the SAMLTokenCertValidatingCommonLoginModule available in the PicketLink jars, but passes the SAML attributes into the WS message context instead of passing them along as a JAAS security context.

Find below the code snippet.

See the org.picketlink.identity.federation.bindings.jboss.auth.SAMLTokenCertValidatingCommonLoginModule class of the picketlink-jbas-common source for the implementation of the methods getX509Certificate and validateCertPath used in the custom handler.

public class CustomSAML2Handler<C extends LogicalMessageContext> implements SOAPHandler {

protected boolean handleInbound(MessageContext msgContext) {
    logger.info("Handling Inbound Message");

    String assertionNS = JBossSAMLURIConstants.ASSERTION_NSURI.get();
    SOAPMessageContext ctx = (SOAPMessageContext) msgContext;


    SOAPMessage soapMessage = ctx.getMessage();

    if (soapMessage == null)
        throw logger.nullValueError("SOAP Message");

    // retrieve the assertion
    Document document = soapMessage.getSOAPPart();
    Element soapHeader = Util.findOrCreateSoapHeader(document.getDocumentElement());
    Element assertion = Util.findElement(soapHeader, new QName(assertionNS, "Assertion"));
    if (assertion != null) {
        AssertionType assertionType = null;
        try {
            assertionType = SAMLUtil.fromElement(assertion);
            if (AssertionUtil.hasExpired(assertionType))
                throw new RuntimeException(logger.samlAssertionExpiredError());
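        } catch (Exception e) {
            // Parsing and expiry errors are only logged here; expiry is checked again
            // in validateSAMLCredential, which throws on an expired assertion.
            logger.samlAssertionPasingFailed(e);
        }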
        SamlCredential credential = new SamlCredential(assertion);
        if (logger.isTraceEnabled()) {
            logger.trace("Assertion included in SOAP payload: " + credential.getAssertionAsString());
        }

        try {
            validateSAMLCredential(credential, assertionType);
            ctx.put("roles",AssertionUtil.getRoles(assertionType, null));
            ctx.setScope("roles", MessageContext.Scope.APPLICATION);

        } catch (Exception e) {
            logger.error("Error: " + e);
            throw new RuntimeException(e);
        }
    } else {
        // No assertion in the header: "roles" is not set and the message still continues.
        logger.trace("We did not find any assertion");
    }


    return true;
}

private void validateSAMLCredential(SamlCredential credential, AssertionType assertion) throws LoginException, ConfigurationException, CertificateExpiredException, CertificateNotYetValidException {


    // initialize xmlsec
    org.apache.xml.security.Init.init();

    X509Certificate cert = getX509Certificate(credential);

    // public certificate validation
    validateCertPath(cert);

    // check time validity of the certificate
    cert.checkValidity();

    boolean sigValid = false;
    try {
        sigValid = AssertionUtil.isSignatureValid(credential.getAssertionAsElement(), cert.getPublicKey());
    } catch (ProcessingException e) {
        logger.processingError(e);
    }
    if (!sigValid) {
        throw logger.authSAMLInvalidSignatureError();
    }
    if (AssertionUtil.hasExpired(assertion)) {
        throw logger.authSAMLAssertionExpiredError();
    }

}

}
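An added example, not part of the answer above and not PicketLink code: the handler stores the validated roles under the key "roles" with APPLICATION scope and returns true even when no assertion is present, so the endpoint has to fail closed when that key is missing. The class name `AccountService`, the file `saml-handler-chain.xml` and the role `account-reader` are assumptions made for illustration.

```java
import java.util.List;

import javax.annotation.Resource;
import javax.jws.HandlerChain;
import javax.jws.WebMethod;
import javax.jws.WebService;
import javax.xml.ws.WebServiceContext;
import javax.xml.ws.WebServiceException;
import javax.xml.ws.handler.MessageContext;

@WebService
// Assumed handler-chain file that registers CustomSAML2Handler for this endpoint.
@HandlerChain(file = "saml-handler-chain.xml")
public class AccountService {

    // Key the handler uses in ctx.put("roles", ...).
    private static final String ROLES_KEY = "roles";
    // Constructed role name; use a role your STS actually issues.
    private static final String REQUIRED_ROLE = "account-reader";

    @Resource
    private WebServiceContext wsContext;

    @WebMethod
    public String ping() {
        requireRole(REQUIRED_ROLE);
        return "pong";
    }

    // Rejects the call unless the handler validated an assertion carrying the role.
    private void requireRole(String role) {
        MessageContext mc = wsContext.getMessageContext();
        Object value = mc.get(ROLES_KEY);

        // Missing key means the handler found no assertion: deny instead of continuing.
        if (!(value instanceof List)) {
            throw new WebServiceException("Access denied: no validated SAML assertion");
        }
        if (!((List<?>) value).contains(role)) {
            throw new WebServiceException("Access denied: missing required role");
        }
    }
}
```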