Early Adopting Java WSIT-Experiences with Windows CardSpace
1. Early Adopting Java WSIT Experiences With Windows CardSpace Markus Franke, Oliver Pfaff
2.
3.
4.
5.
6.
7.
8.
9. Windows CardSpace High-Level Architecture Resource provider (consumes identity data) Authz Resources Identity provider (produces identity data Authn User data User agent Identity metadata sharing 1. Security policy 2. Information card selection 3. Security token WS-Trust STS 0. Information card and identity metadata) Identity selector (consumes identity metadata)
10. Windows CardSpace Sequence Diagram (for Web Browsers) Identity selector RP User agent IdP User Access any resource 1a GET any RP resource 7b Response any resource Authz Authz : HTTP/HTML-defined : WS-*-defined : SAML-defined Return security token 3b 2a 2b GET to RP login page RP login page (with HTML tag representing the RP security token policy) POST to RP FEP (with security token) 6a 6b Redirect to any resource (with RP session cookie) GetBrowserToken (RP policy) Click 3a 1b Redirect to RP login page Select identity 4a 4b WS-MEX GetMetadata Response WS-MEX GetMetadata Request GET any RP resource (with RP session cookie) 7a WS-Trust RST Request (user credentials) WS-Trust RSTR Response (security token) 5a 5b Enter credentials Authn Provide information card (out-of-band) 0
11.
12.
13. Java WSIT Sketching a HelloWorld STS HTTP SOAP WS-Trust Protocol stack Tomcat Web application instantiation ( web.xml ) Servlet container configuration ( server.xml ) Servlet container Web service endpoint Web service contract ( stshelloworld.wsdl ) @ServiceMode(value=Service.Mode. PAYLOAD ) @WebServiceProvider(wsdlLocation="WEB-INF/wsdl/stshelloworld.wsdl") public class STSHelloWorld extends BaseSTSImpl { … } … public class HelloWorldWSTrustContract implements WSTrustContract { public RequestSecurityTokenResponse issue(RequestSecurityToken rst, IssuedTokenContext ctx…) { GenericToken stringToken = new GenericToken(getStringElement(“HelloWorld”), GenericToken.OPAQUE_TYPE); ctx.setSecurityToken(stringToken); RequestSecurityTokenResponse rstr = eleFac.createRSTRForIssue(rst, ctx …); … } JAX-WS 2.x Web service endpoint instantiation ( sun-jaxws.xml ) Web services infrastructure com.sun.xml.ws.transport.http.servlet.WSServlet com.sun.xml.ws.security.trust.sts.BaseSTSImpl WSIT
14.
15.
16.
17.
Editor's Notes
Remark on “Basic truth”: A central question is: how does authz employ authn? The traditional approach was (is) to closely couple authz and authn and embody these security functions within the context of a specific IT-system. This traditional approach does not meet the business requirements of open and agile environments.
CardSpace information cards: Issued by identity providers Consumed by identity selectors i.e. on user-side Support users in selecting and interacting with identity providers CardSpace security tokens: Issued by identity providers - based on user authentication Consumed by resource providers Support resource providers in authorizing access requests
Apache Axis 2 was the runner-up No (equivalent) commitment to WCF interoperability Stack has similar technical features (cf. http://wiki.apache.org/ws/StackComparison)
WSTrustElementFactory issues: CardSpace uses elements outside the WS-Trust namespace in WS-Trust RST/RSTR exchanges. Such elements are defined in InfoCard_rc1.xsd (despite that name of this schema, it also defines elements that are not specific to information card objects but used in WS-Trust exchanges between CardSpace and IdPs). Examples are DisplayClaim, DisplayToken. These elements are not supported in the WSIT WSTrustElementFactory. Running WSIT natively with CardSpace results in a <java.lang.RuntimeException: Invalid KeyType> exception in the RequestSecurityTokenImpl constructor from JAXB RequestSecurityTokenType (note that CardSpace provides the key type identifier: http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey) BaseSTSImpl extending provides no benefits since almost all methods need to be overridden: invoke would have to be overridden (or modified) to employ an extended WS-Trust element factory issue would have to be overridden (or modified) to employ an extended WS-Trust element factory renew would have to be overridden (or modified) to employ an extended WS-Trust element factory validate would have to be overridden (or modified) to employ an extended WS-Trust element factory
![Contents ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]](data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7)