SAML2.0 Weblogic Sender-Vouches Configuration & POC
This blog post highlights the SAML 2.0 configuration for web services in WebLogic. It is a step-by-step guide to configuring the WebLogic domains, with a sample stand-alone client to test the web service. We will look at the SAML 2.0 Sender-Vouches web service configuration.
What is Sender Vouches?
Sender-Vouches – the asserting party (an entity different from the subject) vouches for the verification of the subject. The receiver must have a trust relationship with the asserting party.
Sender Vouches
1. Rather than authenticating with the STS directly, the client authenticates with an intermediate service.
2. The intermediary obtains the security token from the STS.
3. It then signs the request and sends it to the RP (relying party).
4. The RP trusts both the intermediary and the STS, so it validates both of them: the STS signature on the token and the intermediary's signature on the request.
Here are the steps:
- Configure the STS (a WebLogic domain; the certificate used is wssipsts)
- Configure a WebLogic domain for the WebLogic web service with the SAML 2.0 Sender-Vouches policy; Bob is used for this
- Create a stand-alone client that retrieves a token from the STS and sends a request to the web service with the SAML1.1 token retrieved from the STS; Alice is used for this
Configure STS:
- Create a WebLogic domain (I am using WebLogic 10.3.5 here)
- SSL needs to be configured for this domain
- While creating the domain, configure WebLogic to use port 6001 for non-SSL and 6002 for SSL. Let the domain name be STSDomain.
- Now go to http://localhost:6001/console
- Go to STSDomain –> Environment –> Admin Server –> Keystores
- Select Custom Identity and Custom Trust
- Custom Identity Keystore: F:\Oracle\Middleware\user_projects\domains\STSDomain\certs\oasis.jks
- Type: JKS
- password: password
- Custom Trust Keystore: F:\Oracle\Middleware\user_projects\domains\STSDomain\certs\cacerts
- Type: JKS
- password: changeit
- Save and restart server if it asks to do so
- Go to STSDomain –> Environment –> Admin Server –> SSL
- Private Key Alias: WssIPSTS
- Private Key passphrase: password
- Save and restart if asked to do so
- Now build the web service StsUnt.java and deploy it in the domain. After a successful deployment, check whether you can open the WSDL URL.
- STSDomain –> Security Realms –> myrealm
- We only need to configure a Credential Mapper here. The Credential Mapper is responsible for issuing SAML tokens, whereas the Identity Asserter is responsible for validating SAML tokens. So we configure a Credential Mapper for the STS and an Identity Asserter for the web service.
- Go to Providers –> Credential Mapping
- Add PKI Credential Mapper
- In Provider Specific tab, Keystore Provider: SUN
- Keystore Type: JKS
- Keystore file name: F:\Oracle\Middleware\user_projects\domains\STSDomain\certs\oasis.jks
- Keystore pass phrase: password
- The ‘Use resource hierarchy’ and ‘Initiator group names’ check boxes should be selected.
- Click on save and restart if asked to do so
- Add SAML2CredentialMapper
- In Configuration –> Provider specific tab, Issuer URI: www.oracle.com
- Name Qualifier: www.oracle.com
- Default time to live: 120
- offset: 0
- Webservice Assertion Signing key alias: WssIPSTS
- Key pass phrase: password
- Select check box ‘Generate Attributes’
- Save and go to Management tab in the same section
- New–>New Webservice Service Provider Partner
- Add a sender-vouches relying party: Sendervouches:/echoservicesaml2/EchoServiceSAML2
- Make sure to select the ‘Enabled’ check box
- Give a description
- Audience URIs: target:*:http://HYD-69ZRV01-L:7001/echoservicesaml2
- Select the ‘Generate Attributes’ check box
- Select the confirmation method ‘Sender-Vouches’
- Save and restart the server if asked to do so
- That’s all the configuration on the STS side.
Configure Weblogic Webservice:
- Create a WebLogic domain (I am using WebLogic 10.3.5 here)
- We do not need to configure SSL for this domain
- While creating the domain, configure WebLogic to use port 7001; no SSL port is required. Let the domain name be ‘WebserviceDomain’
- Login to weblogic console.
- WebserviceDomain –> Servers –> AdminServer –> Keystores
- Select Custom Identity and Custom Trust
- Custom Identity Keystore: F:\Oracle\Middleware\user_projects\domains\WebserviceDomain\certs\oasis.jks
- Key type: JKS
- password: password
- Trust Keystore: F:\Oracle\Middleware\user_projects\domains\WebserviceDomain\certs\cacerts
- Type: JKS
- password: changeit
- Save and restart the server if asked to do so.
- SSL
- Private key alias: Bob
- password: password
- Save
- Build and deploy the WebLogic web service. The scripts and the web service code are given below.
- Go to security realm–>myrealm–>Providers–>Authentication
- Add SAMLAuthenticator
- Set its Control Flag to ‘SUFFICIENT’
- Set the Control Flag of the Default Authenticator to ‘SUFFICIENT’ too
- (optional step) Also, in the Default Authenticator’s ‘Provider Specific’ tab, enable password digest, set the minimum password length to 1 and save.
- (optional step) In Default Identity Asserter –> Common, choose the Active Types ‘wsse:passworddigest’ and ‘x.509’, move them to the right and click Save.
- (optional step) In Default Identity Asserter –> Provider Specific, set Default Username to @ and Mapper attribute type to ‘CN’, select ‘use default user name mapper’ and click Save. Restart if asked to do so
- Go to security realm –> myrealm –> Providers –> Authentication
- Add SAML2IdentityAsserterV
- Go to Management –> New –> New Webservice Identity Provider Partner
- Name: Sendervouches:/echoservicesaml2/EchoServiceSAML2
- Choose Enabled
- Audience URIs: target:*:/echoservicesaml2
- Issuer URI: www.oracle.com
- Virtual User selected
- Confirmation Method: Sender-Vouches
- Process Attributes selected
- Save and restart if asked to do so.
- That’s all the configuration of the web service.
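The two partner configurations above define what actually gets checked at runtime: the credential-mapper partner on the STS issues an assertion carrying the configured Issuer URI and audience with a 120-second time to live, and the identity-asserter partner on the web service accepts it only when it comes from the trusted issuer, names this service as its audience, uses the Sender-Vouches confirmation method and arrives signed by a trusted vouching sender (the two trust relationships from the four-step flow at the top). The following Python is an added example that models those checks; it is not WebLogic code and not part of the blog. HMAC keys stand in for the XML-Signature key pairs (WssIPSTS for the STS, Alice for the vouching client), the audience is reduced to a plain path rather than WebLogic's target:*: form, and the JSON structures are constructed stand-ins for the SAML assertion and the SOAP message.

```python
import hashlib
import hmac
import json

# Constructed keys (not WebLogic keystores): HMAC stands in for the XML-Signature key pairs.
STS_KEY = b"constructed-key-for-WssIPSTS"      # STS signing key (credential-mapper alias WssIPSTS)
ALICE_KEY = b"constructed-key-for-Alice"       # vouching sender's request-signing key
UNKNOWN_KEY = b"constructed-key-nobody-trusts"  # a key the relying party has never been told to trust

SENDER_VOUCHES = "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"

# Relying-party partner configuration, mirroring the identity-asserter partner
# (Issuer URI, Audience URI, Confirmation Method) plus the two trust relationships.
PARTNER = {
    "issuer_uri": "www.oracle.com",
    "audience": "/echoservicesaml2",
    "confirmation_method": SENDER_VOUCHES,
    "issuer_key": STS_KEY,                      # trust in the STS
    "intermediaries": {"Alice": ALICE_KEY},     # trust in the vouching sender(s)
}


def sign(key, data):
    """Deterministic signature over a canonical (sorted-key JSON) serialisation."""
    canonical = json.dumps(data, sort_keys=True).encode("utf-8")
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def issue_assertion(subject, issued_at, ttl=120, offset=0, audience="/echoservicesaml2"):
    """STS side: ttl and offset mirror 'Default time to live' (120) and 'offset' (0)."""
    claims = {
        "issuer": "www.oracle.com",
        "subject": subject,
        "audience": audience,
        "confirmation": SENDER_VOUCHES,
        "not_before": issued_at + offset,
        "not_on_or_after": issued_at + offset + ttl,
    }
    return {"body": claims, "sig": sign(STS_KEY, claims)}


def build_message(assertion, payload, sender, sender_key):
    """Intermediary side: attach the assertion and sign assertion and payload together,
    which is what binds the vouching sender to this particular request."""
    signed = {"assertion": assertion, "payload": payload}
    return {"sender": sender, "signed": signed, "sig": sign(sender_key, signed)}


def validate(message, partner, now):
    """Relying-party side. Returns (True, subject) or (False, reason).
    Both trust relationships are checked: the sender's signature over the whole
    message, then the STS signature over the assertion, then the assertion's claims."""
    sender_key = partner["intermediaries"].get(message["sender"])
    if sender_key is None:
        return False, "sender not a trusted intermediary"
    if not hmac.compare_digest(message["sig"], sign(sender_key, message["signed"])):
        return False, "message signature invalid (assertion or payload altered)"

    assertion = message["signed"]["assertion"]
    claims = assertion["body"]
    if not hmac.compare_digest(assertion["sig"], sign(partner["issuer_key"], claims)):
        return False, "assertion not signed by trusted STS"
    if claims["issuer"] != partner["issuer_uri"]:
        return False, "unexpected issuer"
    if claims["confirmation"] != partner["confirmation_method"]:
        return False, "confirmation method mismatch"
    if claims["audience"] != partner["audience"]:
        return False, "assertion not intended for this service"
    if not claims["not_before"] <= now < claims["not_on_or_after"]:
        return False, "assertion outside validity window"
    return True, claims["subject"]


if __name__ == "__main__":
    assertion = issue_assertion("Alice", issued_at=1000)
    request = build_message(assertion, {"echo": "Hello SAML2"}, "Alice", ALICE_KEY)
    print("fresh request:", validate(request, PARTNER, now=1050))
    print("replayed after expiry:", validate(request, PARTNER, now=1200))
    forwarded = build_message(assertion, {"echo": "Hello SAML2"}, "Unknown", UNKNOWN_KEY)
    print("same assertion, untrusted sender:", validate(forwarded, PARTNER, now=1050))
```

The order of the checks is the point: a valid STS assertion on its own is not enough, because in sender-vouches the relying party has nothing but the sender's signature to tie the assertion to the request, so an assertion presented by a sender outside the partner's trust list, or a request whose body was changed after signing, is rejected before the assertion is even looked at.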
Client Testing:
- Open a command prompt window
- Run setWLSEnv.cmd from that command window to set the paths
- ant runsaml2
- That’s all for now…
StsUnt.java
package com.saml.example;

import javax.jws.WebMethod;
import javax.jws.WebService;

import weblogic.jws.Policy;
import weblogic.wsee.security.saml.SAMLTrustTokenProvider;
import weblogic.wsee.security.wst.framework.TrustTokenProviderRegistry;

// Minimal STS. The bootstrap policy requires HTTPS plus a UsernameToken, so the
// client authenticates to the STS with username/password over SSL.
@WebService
@Policy(uri = "policy:Wssp1.2-2007-Wssc1.3-Bootstrap-Https-UNT.xml")
public class StsUnt {

    static {
        init();
    }

    @WebMethod
    @Policy(uri = "policy:Wssp1.2-2007-SignBody.xml")
    public String dummyMethod(String s) {
        return s;
    }

    // Register the SAML trust-token provider for every SAML token type the STS may be asked to issue.
    static void init() {
        TrustTokenProviderRegistry reg = TrustTokenProviderRegistry.getInstance();
        SAMLTrustTokenProvider provider = new MySAMLTrustTokenProvider();
        reg.registerProvider("http://docs.oasis-open.org/wss/2004/01/oasis-2004-01-saml-token-profile-1.0#SAMLAssertionID", provider);
        reg.registerProvider("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID", provider);
        reg.registerProvider("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0", provider);
        reg.registerProvider("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.0", provider);
        reg.registerProvider("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1", provider);
    }

    // No customisation is needed for this sample; the default provider behaviour is used.
    static class MySAMLTrustTokenProvider extends SAMLTrustTokenProvider {
    }
}

build.xml for StsUnt.java
<?xml version="1.0"?>
<project name="SenderVouches11" default="all" basedir=".">
    <property name="root.dir" value="${basedir}" />
    <taskdef name="jwsc" classname="weblogic.wsee.tools.anttasks.JwscTask" />
    <taskdef name="clientgen" classname="weblogic.wsee.tools.anttasks.ClientGenTask" />
    <taskdef name="wldeploy" classname="weblogic.ant.taskdefs.management.WLDeploy" />
    <taskdef name="wsdlc" classname="weblogic.wsee.tools.anttasks.WsdlcTask" />
    <property file="${basedir}/properties.txt" />
    <property name="source.dir" value="${basedir}" />
    <property name="output.dir" value="${basedir}/build" />
    <path id="class.path">
        <pathelement path="${java.class.path}" />
    </path>

    <target name="all" depends="clean,jwsc,deploy" />
    <target name="build" depends="clean,jwsc" />

    <target name="clean">
        <delete dir="${output.dir}" />
    </target>

    <target name="jwsc">
        <antcall target="jwsc-sts" />
    </target>

    <target name="jwsc-sts">
        <jwsc srcdir="${source.dir}" destdir="${output.dir}" debug="on" classpath="${class.path}">
            <module contextpath="standalonests" name="standalonests" explode="true">
                <jws file="StsUnt.java" type="JAXWS">
                    <WLHttpTransport serviceUri="SamlSTS" />
                </jws>
            </module>
        </jwsc>
    </target>

    <target name="deploy">
        <antcall target="deploy-sts" />
    </target>

    <target name="deploy-sts">
        <wldeploy action="deploy" source="${output.dir}/standalonests" user="${sts-wls-username}" password="${sts-wls-passwd}" verbose="false" adminurl="t3://${sts-wls-server}" debug="false" targets="${sts-wls-target}" />
    </target>

    <target name="undeploy">
        <property name="wls-admin-server" value="${wls-server}" />
        <wldeploy action="undeploy" name="standalonests" user="${sts-wls-username}" password="${sts-wls-passwd}" verbose="false" adminurl="t3://${sts-wls-server}" debug="false" targets="${sts-wls-target}" />
    </target>

    <property name="extra-server-verbose" value=" -Dweblogic.xml.crypto.encrypt.verbose=true -Dweblogic.xml.crypto.dsig.debug=true -Dweblogic.xml.crypto.dsig.verbose=true -Dweblogic.wsee.security.debug=true -Dweblogic.wsee.security.verbose=true -Dweblogic.xml.crypto.wss.debug=true -Dweblogic.xml.crypto.wss.verbose=true -Dweblogic.xml.crypto.keyinfo.debug=true -Dweblogic.xml.crypto.keyinfo.verbose=true -Dweblogic.xml.crypto.dsig.debug=true -Dweblogic.xml.crypto.dsig.verbose=true -Dweblogic.xml.crypto.encrypt.debug=true -Dweblogic.xml.crypto.encrypt.verbose=true -Dweblogic.debug.DebugSecuritySAMLService=true -Dweblogic.debug.DebugSecuritySAMLCredMap=true -Dweblogic.debug.DebugSecuritySAMLAtn=true -Dweblogic.debug.DebugSecuritySAMLLib=true -Dweblogic.debug.DebugSecuritySAML2Service=true -Dweblogic.debug.DebugSecuritySAML2CredMap=true -Dweblogic.debug.DebugSecuritySAML2Atn=true -Dweblogic.debug.DebugSecuritySAML2Lib=true -Dweblogic.debug.DebugSecurityCredMap=true -Dweblogic.log.StdoutSeverity=Debug" />
</project>

properties.txt for StsUnt.java
certs.dir=${root.dir}/../certs/
config.dir=${root.dir}/../config/
build.dir=${root.dir}/../build
sts.stage.dir=${build.dir}/sts_stage

sts-wls-host=localhost
sts-wls-port=6001
sts-wls-server=${sts-wls-host}:${sts-wls-port}
sts-wls-username=weblogic
sts-wls-passwd=Welcome1
sts-wls-target=AdminServer

# common properties
sts-sport=6002

sts-server-keystore-name=${root.dir}/../certs/oasis.jks

sts-server-keystore-pass=password
sts-serverKey=${sts.stage.dir}/WssIPPrv.pem
sts-server-cert=${sts.stage.dir}/WssIPCert.pem
sts-server-alias=WssIPSTS
sts-server-cert-alias=WssIPSTS
sts-server-certs-pass=password
sts-server-key-pass=password
sts-server-truststore-name=${sts.stage.dir}/cacerts
sts-server-truststore-pwd=changeit

samlStsURL=https://${sts-wls-host}:${sts-sport}/standalonests/SamlSTS

EchoServiceSAML2.java
package com.saml.example;

import javax.jws.WebService;

import weblogic.jws.Policies;
import weblogic.jws.Policy;

// The service policy requires a SAML 2.0 Sender-Vouches token (WSS 1.1, asymmetric binding),
// a signed body and an encrypted body on every request.
@Policies({
    @Policy(uri = "policy:Wssp1.2-2007-Saml2.0-SenderVouches-Wss1.1-Asymmetric.xml"),
    @Policy(uri = "policy:Wssp1.2-2007-SignBody.xml"),
    @Policy(uri = "policy:Wssp1.2-2007-EncryptBody.xml")
})
@WebService
public class EchoServiceSAML2 {

    public String echo(String hello) {
        System.out.println("Inside EchoServiceSAML2!!!");
        return hello;
    }
}

build.xml for webservice
<?xml version="1.0"?>
<project name="SenderVouches11" default="all" basedir=".">
    <property name="root.dir" value="${basedir}" />
    <taskdef name="jwsc" classname="weblogic.wsee.tools.anttasks.JwscTask" />
    <taskdef name="clientgen" classname="weblogic.wsee.tools.anttasks.ClientGenTask" />
    <taskdef name="wldeploy" classname="weblogic.ant.taskdefs.management.WLDeploy" />
    <taskdef name="wsdlc" classname="weblogic.wsee.tools.anttasks.WsdlcTask" />

    <property file="${basedir}/properties.txt" />

    <property name="source.dir" value="${basedir}" />
    <property name="output.dir" value="${basedir}/build" />
    <property name="clientclasses.dir" value="${basedir}/build/client" />
    <property name="clientclassessaml2.dir" value="${basedir}/build/clientsaml2" />
    <path id="class.path">
        <pathelement path="${java.class.path}" />
        <pathelement path="${basedir}/build/client" />
        <pathelement path="${basedir}/build/clientsaml2" />
    </path>

    <target name="all" depends="clean,jwsc,deploy,client" />
    <target name="build" depends="clean,jwsc,client" />

    <target name="clean">
        <delete dir="${output.dir}" />
    </target>

    <target name="jwsc">
        <antcall target="jwsc-ws" />
    </target>

    <target name="jwsc-ws">
        <jwsc srcdir="${source.dir}" destdir="${output.dir}" debug="on" classpath="${class.path}">
            <module contextpath="echoservice" name="echoservice" explode="true">
                <jws file="EchoService.java" type="JAXWS">
                    <WLHttpTransport serviceUri="EchoService" />
                </jws>
            </module>
        </jwsc>
        <jwsc srcdir="${source.dir}" destdir="${output.dir}" debug="on" classpath="${class.path}">
            <module contextpath="echoservicesaml2" name="echoservicesaml2" explode="true">
                <jws file="EchoServiceSAML2.java" type="JAXWS">
                    <WLHttpTransport serviceUri="EchoServiceSAML2" />
                </jws>
            </module>
        </jwsc>
    </target>

    <target name="clientgen">
        <mkdir dir="${clientclasses.dir}" />
        <clientgen destdir="${clientclasses.dir}" wsdl="${basedir}/EchoService.wsdl" type="JAXWS" packageName="com.saml.example" />
        <clientgen destdir="${clientclassessaml2.dir}" wsdl="${basedir}/EchoServiceSAML2.wsdl" type="JAXWS" packageName="com.saml.example" />
    </target>

    <target name="client">
        <mkdir dir="${clientclasses.dir}" />
        <copy todir="${clientclasses.dir}" overwrite="true">
            <fileset dir="${certs.dir}" includes="*" />
        </copy>
        <antcall target="clientgen" />
        <javac debug="true" srcdir="${source.dir}" destdir="${clientclasses.dir}">
            <classpath refid="class.path" />
            <include name="EchoServicePortClient.java" />
        </javac>
        <javac debug="true" srcdir="${source.dir}" destdir="${clientclassessaml2.dir}">
            <classpath refid="class.path" />
            <include name="EchoServiceSAML2PortClient.java" />
        </javac>
    </target>

    <target name="deploy">
        <antcall target="deploy-ws" />
    </target>

    <target name="deploy-ws">
        <wldeploy action="deploy" source="${output.dir}/echoservice" user="${wls-username}" password="${wls-passwd}" verbose="false" adminurl="t3://${wls-server}" debug="false" targets="${wls-target}" />
        <wldeploy action="deploy" source="${output.dir}/echoservicesaml2" user="${wls-username}" password="${wls-passwd}" verbose="false" adminurl="t3://${wls-server}" debug="false" targets="${wls-target}" />
    </target>

    <target name="undeploy">
        <property name="wls-admin-server" value="${wls-server}" />
        <wldeploy action="undeploy" name="echoservice" user="${wls-username}" password="${wls-passwd}" verbose="false" adminurl="t3://${wls-server}" debug="false" targets="${wls-target}" />
        <wldeploy action="undeploy" name="echoservicesaml2" user="${wls-username}" password="${wls-passwd}" verbose="false" adminurl="t3://${wls-server}" debug="false" targets="${wls-target}" />
    </target>

    <target name="run">
        <java classname="com.saml.example.client.EchoServicePortClient" fork="true">
            <classpath refid="class.path" />
            <jvmarg line="-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=8453 ${extra-server-verbose} -Dweblogic.wsee.verbose=*,!weblogic.wsee.connection.soap.SoapConnectionMessage" />
        </java>
    </target>

    <target name="runsaml2">
        <java classname="com.saml.example.client.EchoServiceSAML2PortClient" fork="true">
            <classpath refid="class.path" />
            <jvmarg line="-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=8453 ${extra-server-verbose} -Dweblogic.wsee.verbose=*,!weblogic.wsee.connection.soap.SoapConnectionMessage" />
        </java>
    </target>

    <property name="extra-server-verbose" value=" -Dweblogic.xml.crypto.encrypt.verbose=true -Dweblogic.xml.crypto.dsig.debug=true -Dweblogic.xml.crypto.dsig.verbose=true -Dweblogic.wsee.security.debug=true -Dweblogic.wsee.security.verbose=true -Dweblogic.xml.crypto.wss.debug=true -Dweblogic.xml.crypto.wss.verbose=true -Dweblogic.xml.crypto.keyinfo.debug=true -Dweblogic.xml.crypto.keyinfo.verbose=true -Dweblogic.xml.crypto.dsig.debug=true -Dweblogic.xml.crypto.dsig.verbose=true -Dweblogic.xml.crypto.encrypt.debug=true -Dweblogic.xml.crypto.encrypt.verbose=true -Dweblogic.debug.DebugSecuritySAMLService=true -Dweblogic.debug.DebugSecuritySAMLCredMap=true -Dweblogic.debug.DebugSecuritySAMLAtn=true -Dweblogic.debug.DebugSecuritySAMLLib=true -Dweblogic.debug.DebugSecuritySAML2Service=true -Dweblogic.debug.DebugSecuritySAML2CredMap=true -Dweblogic.debug.DebugSecuritySAML2Atn=true -Dweblogic.debug.DebugSecuritySAML2Lib=true -Dweblogic.debug.DebugSecurityCredMap=true -Dweblogic.log.StdoutSeverity=Debug" />
</project>

properties.txt for webservice
certs.dir=${root.dir}/../certs/
config.dir=${root.dir}/../config/
build.dir=${root.dir}/../build

wls-host=localhost
wls-port=7001
wls-server=${wls-host}:${wls-port}
wls-username=weblogic
wls-passwd=Welcome1
wls-target=AdminServer

EchoServiceSAML2PortClient.java
package com.saml.example.client;

import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Set;

import javax.security.auth.Subject;
import javax.xml.namespace.QName;
import javax.xml.ws.BindingProvider;
import javax.xml.ws.WebServiceRef;

import weblogic.security.SSL.TrustManager;
import weblogic.wsee.jaxrpc.WLStub;
import weblogic.wsee.message.WlMessageContext;
import weblogic.wsee.security.bst.ClientBSTCredentialProvider;
import weblogic.wsee.security.saml.*;
import weblogic.wsee.security.unt.ClientUNTCredentialProvider;
import weblogic.xml.crypto.wss.WSSecurityContext;
import weblogic.xml.crypto.wss.provider.CredentialProvider;

import com.saml.example.*;

public class EchoServiceSAML2PortClient {

    @WebServiceRef
    private static EchoServiceSAML2Service echoServiceService;

    // WS-SecurityPolicy bootstrap policy for the call to the STS: HTTPS transport plus a UsernameToken.
    private static String stsUntPolicy = "<?xml version=\"1.0\"?>\n"
        + "<wsp:Policy\n"
        + "  xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\"\n"
        + "  xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\"\n"
        + "  >\n"
        + "  <sp:TransportBinding>\n"
        + "    <wsp:Policy>\n"
        + "      <sp:TransportToken>\n"
        + "        <wsp:Policy>\n"
        + "          <sp:HttpsToken/>\n"
        + "        </wsp:Policy>\n"
        + "      </sp:TransportToken>\n"
        + "      <sp:AlgorithmSuite>\n"
        + "        <wsp:Policy>\n"
        + "          <sp:Basic256/>\n"
        + "        </wsp:Policy>\n"
        + "      </sp:AlgorithmSuite>\n"
        + "      <sp:Layout>\n"
        + "        <wsp:Policy>\n"
        + "          <sp:Lax/>\n"
        + "        </wsp:Policy>\n"
        + "      </sp:Layout>\n"
        + "      <sp:IncludeTimestamp/>\n"
        + "    </wsp:Policy>\n"
        + "  </sp:TransportBinding>\n"
        + "  <sp:SupportingTokens>\n"
        + "    <wsp:Policy>\n"
        + "      <sp:UsernameToken\n"
        + "        sp:IncludeToken=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient\">\n"
        + "        <wsp:Policy>\n"
        + "          <sp:WssUsernameToken10/>\n"
        + "        </wsp:Policy>\n"
        + "      </sp:UsernameToken>\n"
        + "    </wsp:Policy>\n"
        + "  </sp:SupportingTokens>\n"
        + "</wsp:Policy>";

    public static void main(String[] args) {
        // Dump the HTTP traffic so the WS-Security headers can be inspected while testing.
        System.setProperty("com.sun.xml.ws.transport.http.client.HttpTransportPipe.dump", "true");
        try {
            String wsURL = "http://HYD-69ZRV01-L:7001/echoservicesaml2/EchoServiceSAML2?WSDL";
            echoServiceService = new EchoServiceSAML2Service(new URL(wsURL),
                    new QName("http://example.saml.com/", "EchoServiceSAML2Service"));
            EchoServiceSAML2 echoService = echoServiceService.getEchoServiceSAML2Port();

            // Trust store holding the STS and service certificates.
            System.setProperty("javax.net.ssl.trustStore",
                    "F:/Oracle/Middleware/user_projects/domains/WebserviceDomain/certs/cacerts");

            Map<String, Object> requestContext = ((BindingProvider) echoService).getRequestContext();
            List<CredentialProvider> credList = new ArrayList<CredentialProvider>();

            // Bootstrap policy and endpoint for the WS-Trust request to the STS.
            InputStream policy = new ByteArrayInputStream(stsUntPolicy.getBytes("UTF-8"));
            requestContext.put(WlMessageContext.WST_BOOT_STRAP_POLICY, policy);
            String stsURL = "https://HYD-69ZRV01-L:6002/standalonests/SamlSTS";
            requestContext.put(WlMessageContext.STS_ENDPOINT_ADDRESS_PROPERTY, stsURL);

            // POC shortcut: this callback accepts any server certificate, so the SSL connection
            // to the STS is not authenticated by the client. A real client must validate the
            // chain (or fail closed) here instead of returning true.
            requestContext.put(WSSecurityContext.TRUST_MANAGER, new TrustManager() {
                public boolean certificateCallback(X509Certificate[] chain, int validateErr) {
                    // need to validate if the server cert can be trusted
                    return true;
                }
            });

            requestContext.put(WLStub.SAML_ATTRIBUTE_ONLY, "False");
            credList.add(new SAMLTrustCredentialProvider());
            credList.add(new MySAMLCredentialProvider1());

            // Alice authenticates to the STS with a UsernameToken.
            String username = "Alice";
            String password = "Interop1";
            credList.add(new ClientUNTCredentialProvider(username.getBytes(), password.getBytes()));

            // ClientBSTCredentialProvider: Alice's certificate and private key sign the request
            // (the sender vouching for the token); Bob's certificate is the service certificate
            // needed for the encryption the service policy requires.
            String defaultClientcert = "F:/Oracle/Middleware/user_projects/domains/WebserviceDomain/certs/Alice.cer";
            String clientcert = System.getProperty("target.clientcert", defaultClientcert);
            String defaultClientkey = "F:/Oracle/Middleware/user_projects/domains/WebserviceDomain/certs/Alice.prv";
            String clientkey = System.getProperty("target.clientkey", defaultClientkey);
            String defaultServerCert = "F:/Oracle/Middleware/user_projects/domains/WebserviceDomain/certs/Bob.cer";
            String serverCert = System.getProperty("target.serverCert", defaultServerCert);
            credList.add(new ClientBSTCredentialProvider(clientcert, clientkey, serverCert));

            requestContext.put(WSSecurityContext.CREDENTIAL_PROVIDER_LIST, credList);

            // Call the service.
            System.out.println(echoService.echo("Hello SAML2"));
        } catch (Exception ex) {
            ex.printStackTrace();
        }
    }

    /**
     * This credential provider is for SAML 2.0 Sender-Vouches.
     */
    private static class MySAMLCredentialProvider1 extends SAML2CredentialProvider {

        public SAMLAttributeStatementData getSAMLAttributeData(Subject subject) {
            System.out.println(" Providing SAML Attributes from MySAMLCredentialProvider1 for Subject =" + subject);
            // There are four types of attributes in this test
            SAMLAttributeStatementData attributes = new SAMLAttributeStatementDataImpl();
            String xmlns = "www.oracle.com/webservices/saml/test";

            // 1. The attribute without a value
            SAMLAttributeData attribute1 = new SAMLAttributeDataImpl();
            attribute1.setAttributeName("test.no.value.attribute");
            // Friendly name is optional. It is set in this example.
            attribute1.setAttributeFriendlyName("Type 1 - No Value");
            attribute1.setAttributeNameSpace(xmlns);
            attributes.addAttributeInfo(attribute1);

            // 2. Static attribute that has a static value
            SAMLAttributeData attribute2 = new SAMLAttributeDataImpl();
            attribute2.setAttributeName("test.static.attribute");
            attribute2.setAttributeFriendlyName("Type 2 - Static Attribute");
            attribute2.setAttributeNameSpace(xmlns);
            attribute2.addAttributeValue("static.attribute.value");
            attributes.addAttributeInfo(attribute2);

            // 3. Subject-dependent attribute
            SAMLAttributeData attribute3 = new SAMLAttributeDataImpl();
            attribute3.setAttributeName("test.subject.dependent.attribute");
            attribute3.setAttributeFriendlyName("Type 3 - Subject Dependent Attribute");
            attribute3.setAttributeNameSpace(xmlns);
            if (hasUser("Alice", subject)) {
                attribute3.addAttributeValue("Alice A");
            } else if (hasUser("Bob", subject)) {
                attribute3.addAttributeValue("Bob B");
            } else {
                attribute3.addAttributeValue("Hacker X");
            }
            attributes.addAttributeInfo(attribute3);

            // 4. Multi-value attribute
            SAMLAttributeData attribute4 = new SAMLAttributeDataImpl();
            attribute4.setAttributeName("test.multi.value.attribute");
            attribute4.setAttributeFriendlyName("Type 4 - Multi-Value Attribute");
            attribute4.setAttributeNameSpace(xmlns);
            if (hasUser("Alice", subject)) {
                attribute4.addAttributeValue("Team Lead");
                attribute4.addAttributeValue("Programmer");
            } else if (hasUser("Bob", subject)) {
                attribute4.addAttributeValue("System Admin");
                attribute4.addAttributeValue("QA");
            } else {
                attribute4.addAttributeValue("Hacker");
                attribute4.addAttributeValue("member of unknown");
            }
            attributes.addAttributeInfo(attribute4);

            return attributes;
        }

        // True if one of the subject's principals carries the given user name.
        private static boolean hasUser(String user, Subject subject) {
            if (null == user || null == subject) {
                return false;
            }
            Set<Principal> principals = subject.getPrincipals();
            if (null == principals || principals.isEmpty()) {
                return false;
            }
            for (Principal p : principals) {
                if (user.equals(p.getName())) {
                    return true;
                }
            }
            return false;
        }
    }
}
Hi Karun,
I am trying to follow your blog above but am getting stuck at Configure STS, Step 12.
When I add the details and try to save it, it gives me an error stating:
Errors must be corrected before proceeding.
Passwords must match in value.
I am using the same keystores, keys and aliases as mentioned in this blog.
Could you advise what the issue is?
Regards,
Sanket
What’s the exception you see in the logs? I wish I had the setup to replicate, but I don’t… anyway, still happy to help. Let me know if you see any obvious exceptions in the WebLogic console. Also use the JDK keytool to verify whether you are able to open the key pair with the same password you are feeding in, without issues…
Let me know
Hi Karun,
The issue is resolved. It was related to the wrong password I was providing. Thanks for your help. If I face any other issues I will get back to you.
Thanks & Regards,
Sanket
Good to know. Glad my blog helped.
Hi Karun,
Could you explain what you are doing in the client part, EchoServiceSAML2PortClient.java?
I am unable to understand it. Also, the Client Testing part…
Regards,
Sanket
I thought it’s a standard SAML client for the sender-vouches request type. Spend some time on the client and you should make it out. For testing you can run the ant command that’s included in the blog, “ant runsaml2”.
Hi Karun,
I have followed all the steps properly as you mentioned in this post. However, I am not getting the client part. Could you help me out with how and where you have configured the files below?
properties.txt for webservice
build.xml for webservice
build.xml for StsUnt.java
properties.txt for StsUnt.java
Also, when I run ant runsaml2 in cmd it gives me the error below:
Buildfile: build.xml does not exist!
Build failed
Maybe I need to configure those properties and build files, but I am unaware of where I should create them and what changes to make to them…
Also, FYI, I am using JDeveloper for creating the STS, the web service and the web service proxy client.
Thanks & Regards,
Sanket
Hi Karun,
Also, how do I obtain the .prv file referenced in the statement below?
String defaultClientkey = “F:/Oracle/Middleware/user_projects/domains/WebserviceDomain/certs/Alice.prv”;
I have the ServerCACert.der, ServerCACert.pem, ServerCAKey.der and ServerCAKey.pem files with me, of which I have extracted a .cer file from ServerCACert.pem.
But I don’t know how to obtain the .prv file.
Regards,
Sanket