Hi Gina
>>>
So, what I need is after user log on using Web SSO, the SAML token should be
cached in web context and being used as actas token when making a call to .NET
web service.
>>>
This is supported by CXF without writing any single line of code. I do have a
sample web application here:
http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/wsclientWebapp/webapp/
This example illustrates:
- fediz is configured for web sso
- SAML token is cached in the session and used to request a new token from the
STS
The code to call the web service is in FederationServlet.doPost():
...
Greeter service =
(Greeter)ApplicationContextProvider.getContext().getBean("HelloServiceClient");
String reply = service.greetMe();
...
The magic is in the configuration I used here:
http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/wsclientWebapp/webapp/src/main/webapp/WEB-INF/beans.xml?view=markup
The following property registers a callback handler to provide the STSClient
the token of the Web Login:
<property name="onBehalfOf" ref="delegationCallbackHandler" />
(There is also a property for actAs)
The above example should exactly do what you need. You just have to change the
above property to use ActAs instead of OnBehalfOf. The details for this example
are described here:
http://owulff.blogspot.com/2012/04/sso-across-web-applications-and-web_16.html
To test this easily, you can use the Mock IDP as part of Fediz for the
authentication. You could also attach Active Directory in the Mock if you like.
See here:
http://owulff.blogspot.com/2011/10/configure-ldap-directory-for-cxf-sts.html
I use that within a customer set up to connect the CXF STS to Active Directory.
>>>
What is Spring role in CXF?
>>>
You can use Spring to configure your services. The above example is based on
spring. As you see, all security related stuff is enabled by configuration
(Convention of Configuration). You can also write an application without spring
but I wouldn't write an application without spring nowadays but this is up to
you.
>>>
I don't know much LDAP, but it should be used as an attribute store. I consider
it as an alternative of Active Directory. Please correct me if I am wrong.
>>>
Active Directory provides different interfaces. One of them is LDAP. You can
use the LDAPLoginModule of the JDK for authentication. But you don't have to
care that much as ADFS (and maybe the Fediz Mock for testing) will access
ActiveDirectory to read the claims to add them to the SAML token.
Could you zip the wsdl before attaching?
Thanks
------
Oliver Wulff
Blog: http://owulff.blogspot.com<http://owulff.blogspot.com/>
Solution Architect
http://coders.talend.com
<http://coders.talend.com>Talend Application Integration Division
http://www.talend.com
________________________________
Von: Gina Choi [[email protected]]
Gesendet: Freitag, 4. Mai 2012 20:54
Bis: [email protected]
Betreff: Re: CXF supporting scope
Hi Oliver,
Thanks for your response.
>You mean that WIF is deployed in the ASP.NET<http://asp.net/> web service
>using the Active Requestor Profile?
>The SAML token should contain the claims as an AttributeStatement?
>Can you share with us the WS-SecurityPolicy of this Web Service?
I have attached two wsdl file. BookingService.wsdl and
BookingService_imported.wsdl. BookingService.wsdl is importing
BookingService_imported.wsdl and if you open BookingService.wsdl, in line 10
there is a importing statement like bellow. This .NET4.0 service is not owned
by me and I don't know if separating wsdl file is common practice. Is there
anyway to combin them into one when generate artifact using wsimport? I will be
calling CheckIn operation.
<wsdl:import
location="http://mecdevapp02.global.sdl.corp/BookingService/BookingService.svc?wsdl=wsdl0";
namespace="http://tempuri.org/"/>
>I haven't used ADFS using WS-Trust so far. Usually, it uses a Symmetric and
>Asymmetric binding.
>What roles does ADFS 2.0 play?
>Once as the IDP for the Web application SSO and once to let issue a token
>onbehalfof/actas the original token >from the Web SSO? (this is supported by
>CXF-Fediz)
>http://owulff.blogspot.com/2012/04/sso-across-web-applications-and-web_16.html
I am using Active Directory as an attribute store. So, I could say ADFS role
should be IDP. So, what I need is after user log on using Web SSO, the SAML
token should be cached in web context and being used as actas token when making
a call to .NET web service.
> Yes, the passive profile is supported by Fediz. Is ADFS the IDP? In which
> application server is your web >application deployed?
ADFS is IDP and my Java web application is Service Provider.
>What do you mean exactly? Is LDAP used for authentication by the STS? Or
>should the service provider retrieve >the claims/roles from LDAP?
I don't know much LDAP, but it should be used as an attribute store. I consider
it as an alternative of Active Directory. Please correct me if I am wrong. I
have been reading many specifications, but I am still having hard time to
straiten up correct terms.
>No, Spring is not a requirement.
What is Spring role in CXF?
Thanks.
Gina
On Thu, May 3, 2012 at 2:24 PM, Oliver Wulff
<[email protected]<mailto:[email protected]>> wrote:
>>>
1. I have to create a client for .NET4.0 web service which claim aware. So,
how is CXF interoperability with .NET?
>>>
You mean that WIF is deployed in the ASP.NET<http://ASP.NET> web service using
the Active Requestor Profile?
The SAML token should contain the claims as an AttributeStatement?
Can you share with us the WS-SecurityPolicy of this Web Service?
>>>
2. If CXF support ADFS2.0 as STS.
>>>
I haven't used ADFS using WS-Trust so far. Usually, it uses a Symmetric and
Asymmetric binding.
What roles does ADFS 2.0 play?
Once as the IDP for the Web application SSO and once to let issue a token
onbehalfof/actas the original token from the Web SSO? (this is supported by
CXF-Fediz)
http://owulff.blogspot.com/2012/04/sso-across-web-applications-and-web_16.html
>>>
3. If CXF support passive profile. Especially SP initiated Redirect -> POST
binding.
>>>
Yes, the passive profile is supported by Fediz. Is ADFS the IDP? In which
application server is your web application deployed?
>>>
4. If CXF can work with LDAP.
>>>
What do you mean exactly? Is LDAP used for authentication by the STS? Or should
the service provider retrieve the claims/roles from LDAP?
>>>>
5. My application doesn't use Spring frame work. Do I have to use Spring
Frame work to use CXF.
>>>
No, Spring is not a requirement.
------
Oliver Wulff
Blog: http://owulff.blogspot.com
Solution Architect
http://coders.talend.com
Talend Application Integration Division http://www.talend.com
________________________________________
Von: gchoi [[email protected]<mailto:[email protected]>]
Gesendet: Mittwoch, 2. Mai 2012 17:29
Bis: [email protected]<mailto:[email protected]>
Betreff: CXF supporting scope
Hi All,
So far, I evaluated several frame works, but they seem don't do what I
expect. Several people suggested me that I should consider CXF. Before I dig
into CXF, I would like know if CXF support following things. By the way, I
just joined this user group.
1. I have to create a client for .NET4.0 web service which claim aware. So,
how is CXF interoperability with .NET?
2. If CXF support ADFS2.0 as STS.
3. If CXF support passive profile. Especially SP initiated Redirect -> POST
binding.
4. If CXF can work with LDAP.
5. My application doesn't use Spring frame work. Do I have to use Spring
Frame work to use CXF.
Thank in advance.
--
View this message in context:
http://cxf.547215.n5.nabble.com/CXF-supporting-scope-tp5680855.html
Sent from the cxf-user mailing list archive at Nabble.com.
