Securing Web Services with SAML Sender Vouches

After securing you web applications with SAML is the next step to secure your web services with SAML Sender Vouches ws-security policy, this can be complex because you need to know a lot over the weblogic server configuration and its java security frameworks. For example you need to configure two Weblogic servers, the first is the Web Service server and the second server is the Secure Token Service ( STS ). After that you need to add some client credential providers to the generated web service proxy client. Thanks to Vishal Jain of Oracle who provided me a working example.
This is how SAML Sender Vouches works and what we need to do in weblogic / java.
The short version is, the web service proxy client call the STS server to get an SAML assertion on behalf of the User to call the Web Service.

The long version, the user provides its credentials to the ws proxy client and the ws proxy client calls the STS server and provides the username / password of the user and the client key.
The STS validates the user and the ws proxy client certificate and the STS returns the STS identity assertion to the ws proxy client. The ws proxy client uses this STS assertion together with the ws client and ws server certificate to call the web service.

First we need to have 3 certificates, the first is alice, this will be used in the ws proxy client and the second certificate is bob, this will be used in the Weblogic web service server and the last we use wssipsts certificate for the Weblogic STS server. Add these keys into a java keystore.

Setting up the Secure Token Service (STS)
Create a new Weblogic 10.3.1 domain and start the admin server. First we need to enable SSL in the general tab of the server and then add our keystores in the keystore tab.
Provide the STS certificate alias, in my case wssipprv

Go the myrealm security where we add the Alice user and provide a password, Very important the username must match with the CN of the Alice certificate. The user provides the credentials and must match with user in WLS and the ws proxy client provides the Alice certificate and this must match with the PKI Credential mapping.

Go to the Credential mapping tab of the Provider tab and add a PKI Credential Mapping where we import the keystore and Add a SAML Credential Mapping version 2 where we add the Web Service URL.

Open the just created PKI credential mapping and add the keystore.

Next we open the SAML Credential Mapping version 2 and provide the Issuer URL and Name Qualifier.

Add the public key of the wssipsts

Add a WSS/Sender-Vouches Relying Party

Enable this and provide the target url of the Web Service Url and assign assertions and include key info


That is all for the STS server and now we can deploy the STS web service.

package nl.whitehorses.sts;

import weblogic.jws.Policy;
import weblogic.wsee.security.saml.SAMLTrustTokenProvider;
import weblogic.wsee.security.wst.framework.TrustTokenProviderRegistry;

import javax.jws.WebMethod;
import javax.jws.WebService;

@WebService
@Policy(uri="policy:Wssp1.2-2007-Wssc1.3-Bootstrap-Https-UNT.xml")
public class StsUnt {

static {
init();
}

@WebMethod
@Policy(uri="policy:Wssp1.2-2007-SignBody.xml")
public String dummyMethod(String s) {
return s;
}

static void init() {
TrustTokenProviderRegistry reg = TrustTokenProviderRegistry.getInstance();
SAMLTrustTokenProvider provider = new MySAMLTrustTokenProvider();
reg.registerProvider("http://docs.oasis-open.org/wss/2004/01/oasis-2004-01-saml-token-profile-1.0#SAMLAssertionID", provider);
reg.registerProvider("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID", provider);
reg.registerProvider("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0",  provider);
reg.registerProvider("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.0",  provider);
reg.registerProvider("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1",  provider);
}

static class MySAMLTrustTokenProvider extends SAMLTrustTokenProvider {

}
}

Configure the Weblogic server for the Web Services
Create a new Weblogic domain and use the same keystore, we don't need to setup SSL on this server.

Go the myrealm security and go to providers tab where we add a new PKI Credential Mapping in the credentials tab. ( Use the same setting as the STS server )
We need to add 2 authentication providers and change the 2 default providers.
Create a SAML Authentication and SAML Identity Assertion provider.

Every authentication provider need to have the SUFFICIENT control flag.

Change the SAML Identity Assertion by adding an asserting party and the STS public certificate

Import the STS certificate

Change the just create Sender-Vouches asserting party. Enable this and provide the target url of the web service and add the issuer url, signature required and expect the STS certificate and allow virtual user.


Change the defaultIdentityAsserter and add wsse:PasswordDigest and X.509 as active types.
In the provider specific tab we need to set CN in the Default User Name Mapper Attribute Type and enable Use Default User Name Mapper.


In the DefaultAuthenticator we need to set control flag to SUFFICIENT
And in the provider specific tab. Enable Password Digests and Minimum Password Length to 1.

That's all for the Web Service server. Now we can deploy the webservice.

package nl.whitehorses.sts.ws;

import weblogic.jws.Policies;
import weblogic.jws.Policy;
import javax.jws.WebService;

@Policies(
  {
    @Policy(uri = "policy:Wssp1.2-2007-Saml1.1-SenderVouches-Wss1.0.xml"),
    @Policy(uri = "policy:Wssp1.2-2007-SignBody.xml"),
    @Policy(uri = "policy:Wssp1.2-2007-EncryptBody.xml")
  }
)

@WebService
public class EchoService {
  public String echo( String hello){
    return hello;
  }
}

Generating the Web Service Proxy Client
The last step we need to generate a web service proxy client and add the username and the client credentials mappings.

package nl.whitehorses.sts.ws.client;

import java.io.InputStream;
import java.io.ByteArrayInputStream;

import java.security.cert.X509Certificate;

import java.util.ArrayList;
import java.util.List;
import java.util.Map;

import java.net.URL;
import javax.xml.namespace.QName;


import javax.xml.ws.BindingProvider;
import javax.xml.ws.WebServiceRef;

import weblogic.security.SSL.TrustManager;

import weblogic.wsee.message.WlMessageContext;
import weblogic.wsee.security.bst.ClientBSTCredentialProvider;
import weblogic.wsee.security.saml.SAMLTrustCredentialProvider;
import weblogic.wsee.security.unt.ClientUNTCredentialProvider;

import weblogic.xml.crypto.wss.WSSecurityContext;
import weblogic.xml.crypto.wss.provider.CredentialProvider;

public class EchoServicePortClient
{
 @WebServiceRef
 private static EchoServiceService echoServiceService;

   private static String stsUntPolicy =
   "<?xml version=\"1.0\"?>\n" +
   "<wsp:Policy\n" +
   "  xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\"\n" +
   "  xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\"\n" +
   "  >\n" +
   "  <sp:TransportBinding>\n" +
   "    <wsp:Policy>\n" +
   "      <sp:TransportToken>\n" +
   "        <wsp:Policy>\n" +
   "          <sp:HttpsToken/>\n" +
   "        </wsp:Policy>\n" +
   "      </sp:TransportToken>\n" +
   "      <sp:AlgorithmSuite>\n" +
   "        <wsp:Policy>\n" +
   "          <sp:Basic256/>\n" +
   "        </wsp:Policy>\n" +
   "      </sp:AlgorithmSuite>\n" +
   "      <sp:Layout>\n" +
   "        <wsp:Policy>\n" +
   "          <sp:Lax/>\n" +
   "        </wsp:Policy>\n" +
   "      </sp:Layout>\n" +
   "      <sp:IncludeTimestamp/>\n" +
   "    </wsp:Policy>\n" +
   "  </sp:TransportBinding>\n" +
   "  <sp:SupportingTokens>\n" +
   "    <wsp:Policy>\n" +
   "      <sp:UsernameToken\n" +
   "        sp:IncludeToken=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient\">\n" +
   "        <wsp:Policy>\n" +
   "          <sp:WssUsernameToken10/>\n" +
   "        </wsp:Policy>\n" +
   "      </sp:UsernameToken>\n" +
   "    </wsp:Policy>\n" +
   "  </sp:SupportingTokens>\n" +
   "</wsp:Policy>";

   public static void main(String[] args) {
       System.setProperty("com.sun.xml.ws.transport.http.client.HttpTransportPipe.dump", "true");
       try {

           String wsURL = "http://10.10.10.10:7011/saml-ws-context-root/EchoServicePort?WSDL";

           echoServiceService = new EchoServiceService(    new URL(wsURL) 
                                                        ,  new QName("http://ws.sts.whitehorses.nl/", "EchoServiceService"));
           EchoService echoService = echoServiceService.getEchoServicePort();

           System.setProperty("javax.net.ssl.trustStore", "C:/projecten/workspace/11g_prod/saml1.1_ws/wsttest1/certs/cacerts");

           Map<String, Object> requestContext = ((BindingProvider)echoService).getRequestContext();

           List<CredentialProvider> credList = new ArrayList<CredentialProvider>();

           // Add the necessary credential providers to the list
           InputStream policy = new ByteArrayInputStream(stsUntPolicy.getBytes("UTF-8"));
           requestContext.put(WlMessageContext.WST_BOOT_STRAP_POLICY, policy );

           String stsURL = "https://localhost:7022/sts/StsUntPort";
          
          
           requestContext.put(WlMessageContext.STS_ENDPOINT_ADDRESS_PROPERTY, stsURL);
           requestContext.put(WSSecurityContext.TRUST_MANAGER,
                              new TrustManager() {
                                   public boolean certificateCallback(X509Certificate[] chain, int validateErr) {
                                   // need to validate if the server cert can be trusted
                                       return true;
                                   }
                               });

           credList.add(new SAMLTrustCredentialProvider());

           String username = "Alice";
           String password = "weblogic1";
           credList.add(new ClientUNTCredentialProvider(username.getBytes(), password.getBytes()));

           // ClientBSTCredentialProvider
           String defaultClientcert = "C:/projecten/workspace/11g_prod/saml1.1_ws/wsttest1/certs/Alice.cer";
           String clientcert = System.getProperty("target.clientcert", defaultClientcert);
           String defaultClientkey =  "C:/projecten/workspace/11g_prod/saml1.1_ws/wsttest1/certs/Alice.prv";
           String clientkey = System.getProperty("target.clientkey", defaultClientkey);
              
           String defaultServerCert = "C:/projecten/workspace/11g_prod/saml1.1_ws/wsttest1/certs/Bob.cer";
           String serverCert = System.getProperty("target.serverCert", defaultServerCert);

           credList.add(new ClientBSTCredentialProvider(clientcert, clientkey, serverCert));

           requestContext.put(WSSecurityContext.CREDENTIAL_PROVIDER_LIST, credList);

           // Add your code to call the desired methods.
           System.out.println(echoService.echo("Hello"));

       } catch (Exception ex) {
           ex.printStackTrace();
       }
   }

   }

JMS Request Reply Interaction Pattern in Soa Suite 11g

In Soa Suite 11g the JMS adapter has support for request reply operations. You can use this operation in synchronous or asynchronous mode. In this blog I will show you both modes. I start with a Asynchronous example and at the end I describe the synchronous mode.

Asynchronous Request / Reply
First we start with a simple Asychronous request and reply JMS adapter. Add a JMS adapter to the references site of the composite.

Choose Request/ Reply and off course asynchronous

Select a request queue ( need to create this in the wls console ) and provide the jndi name of jms resource adapter ( define this in the jms resource adapter ) . Very important use a xa transacted jms connection factory in the jms resource adapter and leave the rest as default.

In the Reply we provide the response queue and use the same jms resource adapter jndi name of the request

Provide the request and response element.

With this as result.

Now we can use this jms adapter in a asynchronous Mediator or in a synchronous BPEL process.
First we start with the mediator. Add a Mediator with the same input and output as the jms adapter
Wire the JMS adapter to this Mediator so we can define the routing rules.

With this as result.

Because this asynchronous service is hard to test, so I will also make a synchronous BPEL process which calls this asynchronous jms adapter with a invoke and receive activity.
Add a BPEL process with the same input and output as the jms adapter

Here an overview of the BPEL process with the invoke and receive activity

Picture of my test composite


For testing we need to transfer the jms message from the request queue to the reply queue. So I add a mediator with a consume and produce jms adapter.

Very important, we need to assign the message id of the jms message to the correlation id of the reply jms message. Do this in the assign of the routing rule.

Last thing is to test the BPEL process in the enterprise manager

With this as result.

Synchronous Request / Reply
The synchronous request reply jms adapter works a bit different then asynchronous.
In step 6 we now select synchronous


In step 7 we can provide the request and reply queue. But very important we to provide the jndi name of a jms resource adapter which has transacted on true and use a jms connection factory which is not xa transacted.
With synchronous jms adapter I had to switch the request and response element. Very strange ( is it a bug ).

This synchronous jms message is a bit different, this message has the JCA_JMSReplyTo field which contains the reply queue name.

Now for testing we also need to add an extra mediator with reads the request queue , set the correlation id and put the message in the reply queue.

Add a synchronous mediator and wire to the synchronous jms adapter, complete the routing rule and finally test this in the enterprise manager.

Oracle OpenWorld 2009 Fusion middleware highlights

The most important news is that Oracle plans to release JDeveloper 11g R1 PS1 in November. This so called patch set is more a new release ( more then 550+ new features ) then a patch
Here is my quick overview of the features and products I noticed at OOW.

ADF
- Oracle improved the ADF Event mechanism, so the Task Flow fragment regions can communicate much better, You can define the event on a JSF item and not manually in the pagedef, define your own payload. For example in an ADF tree with employees and departments you can send an event when the user select an item in the tree and this number will be passed on to the right task flow. And you even can fire events with drag and drop. For more info buy the coming book of Frank Nimphius, he wrote a whole chapter about this subject.
- ADS active data services pushing the data to the page, Frank N. and Matthias W. made a great demo
- Maybe Maven support.
- Better EJB support in ADF

ADF Mobile
Build your web application just like a normal ADF web application on deploy this on weblogic server. These mobile jsf pages which work on every phone in the native look of the phone, the so called the browser version. With mobile you can also build native applications for blackberry and windows mobile ( just make the right deployment profile ) and this will work with the black berry and windows mobile services and these services will sync with the oracle lite server. So this technology makes it possible to make an offline ADF application, when there are enough customers who wants this feature then Oracle will build this. ADF mobile is now only supported with ADF BC and the next versions will have also have web services support.
For more info see the Amis blog

Soa Suite 11G
-The soa suite is becoming more and more complete, the next version will have a spring context component, this component is in this version only available as technical preview. But this is a good start and there are talks about supporting C code in the composite.
- EDN Event Delivery Network now only works with AQ but there will be also a JMS implementation.
For more info see the blog of Torsten and Hajo

BPM 11G
In one of the hands-on sessions we could play with BPM 11g and it is really great. You can now use JDeveloper to configure it and BPM is an composite component in the Soa Suite. So you can take a look or change it at the BPM level or go to the composite level. BPM uses the human task flows components of the soa suite for the human interaction, Next we can import this human task in jdeveloper to create an task flow which can be deployed in the worklist application. And BPM introduces the BPM composer which is a web application ( don't need jdeveloper ) where you can change your process. Oracle thinks to release it early 2010.

Continuous build with Soa Suite 11g and Hudson

With Soa Suite 11g we can add unit tests (test suites) to our composite applications and start these tests with the ant scripts provided by Oracle. The soa test ant script can start and generate an junit xml which can be read for the result of the test. For more info see my previous blogpost about the ant scripts and the testsuite option in Soa Suite 11g.

So the last step is to combine the test suite feature and the ant scripts of mine and Oracle so we can use it in a continuous build system. I will use Hudson for this.

We start by downloading the lastest hudson war.

Start hudson by setting the java home and path
set JAVA_HOME=c:\java\jdk160_05
set PATH=%JAVA_HOME%\bin;%PATH
java -jar hudson.war

this will start Hudson and open a browser and go to http://localhost:8080.


First we install Hudson as a windows service. Just provide the location. I will use c:\java\hudson

This will restart hudson. Now we can configure Hudson

Provide the ant and java location of the jdeveloper 11g R1 home.

Put the soa projects and ant scripts in subversion, so Hudson can check this out

This is how it looks. Very important my ant scripts need this folder paths.

Now we can create a new job.

Configure this new job. We start by adding the svn url.

Then add the ant script ( build.xml ) and fill the target ( deployAll) and for the oracle ant scripts we need to set the basedir java parameter to the jdeveloper bin folder.

And provide the location where Hudson can find the junit xml files.


Now we have to add ant-contrib-1.0XXXX.jar the to the jdeveloper\ant\lib folder and add a environment variable to the ant.bat

set CURRENT_FOLDER=%CD%

I need this for the ant scripts so I can use relative paths.

Let's press build now and look at the result. My example composite application contains two tests, in my case they are both succesfull.


Look at the test.
And the performance.

That's all. This will save you a lot of testing time and off course Hudson can blame the person who checked in as last.
Here is my test project and ant scripts