To enable single sign-on for the client-server connection, you need to add a suitable security policy to the hello_world WSDL contract. The policy used in this example follows the general pattern of an authentication policy and has two major parts:
A TransportBinding policy—this policy specifies that the basic protective features (such as message encryption) are provided by the transport layer, that is SSL/TLS. For more details, see Transport Layer Message Protection.
An IssuedToken policy—this policy enables the single sign-on scenario, involving the security token service (STS).
The IssuedToken policy is a special case of an authentication token policy. Instead of supplying an authentication token directly, the client is required to call out to the STS, to obtain an authentication token (usually a SAML token). The presence of the IssuedToken policy in the WSDL contract automatically triggers the client to implement single sign-on semantics, where the client requests a remote STS to issue a token, which then gets embedded in the outgoing request to the server.
For details of how to specify an IssuedToken policy, see Defining an IssuedToken Policy.
Example 8.1 shows the security policy for single sign-on, which is applied to the client-server connection.
Example 8.1. Sample Security Policy for Single Sign-On
<wsdl:definitions ... >
  ...
  <wsp:Policy wsu:Id="STS_SAML_Token_policy"
      xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <sp:TransportBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
      <wsp:Policy>
        <sp:TransportToken>
          <wsp:Policy>
            <sp:HttpsToken/>
          </wsp:Policy>
        </sp:TransportToken>
        <sp:Layout>
          <wsp:Policy>
            <sp:Strict/>
          </wsp:Policy>
        </sp:Layout>
        <sp:AlgorithmSuite>
          <wsp:Policy>
            <sp:Basic128/>
          </wsp:Policy>
        </sp:AlgorithmSuite>
      </wsp:Policy>
    </sp:TransportBinding>
    <sp:SignedSupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
      <wsp:Policy>
        <!-- Put IssuedToken element in here -->
        <sp:IssuedToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
          <sp:RequestSecurityTokenTemplate>
            <trust:TokenType xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">urn:oasis:names:tc:SAML:2.0:assertion</trust:TokenType>
            <!-- The demo STS signs the SAML token by default -->
          </sp:RequestSecurityTokenTemplate>
          <wsp:Policy>
            <!-- No extra policies needed in this demo. -->
          </wsp:Policy>
        </sp:IssuedToken>
      </wsp:Policy>
    </sp:SignedSupportingTokens>
  </wsp:Policy>
</wsdl:definitions>
Perform the following steps to add the single sign-on security policy to the hello_world WSDL contract:

1. Edit the hello_world.wsdl file from the wsdl_first_https/wsdl/ directory. Add the single sign-on policy shown in Example 8.1 as a child of the wsdl:definitions element.

2. Continue editing the hello_world.wsdl file, in order to add a policy reference to the WSDL port. Search for the SOAPService wsdl:service element and then add the wsp:PolicyReference element as a child of the wsdl:port element, as shown in the following WSDL fragment:

   <wsdl:definitions ... >
     ...
     <wsdl:service name="SOAPService">
       <wsdl:port binding="tns:Greeter_SOAPBinding" name="SoapPort">
         <wsp:PolicyReference xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
             URI="#STS_SAML_Token_policy"/>
         <soap:address location="https://localhost:9001/SoapContext/SoapPort"/>
       </wsdl:port>
     </wsdl:service>
     ...
   </wsdl:definitions>

   By inserting the wsp:PolicyReference element at this point, you are associating the WSDL port with the security policy referenced by the URI attribute value, #STS_SAML_Token_policy (which matches the wsu:Id attribute of the single sign-on security policy).

3. The server requires a separate copy of the WSDL file, which omits the IssuedToken policy. Copy hello_world.wsdl to hello_world_server.wsdl (in the same directory). Edit the new hello_world_server.wsdl file and delete the sp:SignedSupportingTokens element from the policy, so that the content of the hello_world_server.wsdl file now has the following outline:

   <wsdl:definitions ... >
     ...
     <wsp:Policy wsu:Id="STS_SAML_Token_policy"
         xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
         xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
       <sp:TransportBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
         ...
       </sp:TransportBinding>
       <!-- sp:SignedSupportingTokens element is omitted in server copy of the WSDL -->
     </wsp:Policy>
   </wsdl:definitions>
Note: If you completely omit the wsp:Policy element from the server's copy of the WSDL file, this implicitly disables the auto-installation of the WSS4J interceptors. When you run the demonstration, the server would then be unable to parse the security header and would return a mustUnderstand fault.
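As an added check (not part of the demo or of the original example), the following Python script lints the client and server copies of the WSDL for the structure this procedure produces: a wsu:Id-bearing wsp:Policy under wsdl:definitions, a wsp:PolicyReference on the port whose URI resolves to it, an HttpsToken transport token, and an sp:IssuedToken that is present in the client copy but removed from the server copy. The helper names check_sso_policy and sample_wsdl are hypothetical, and the contracts they operate on are constructed inline rather than read from the real hello_world.wsdl.

```python
import xml.etree.ElementTree as ET

NS = {
    "wsdl": "http://schemas.xmlsoap.org/wsdl/",
    "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "sp": "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702",
}
WSU_ID = "{%s}Id" % NS["wsu"]
HTTPS_PATH = "sp:TransportBinding/wsp:Policy/sp:TransportToken/wsp:Policy/sp:HttpsToken"
ISSUED_PATH = "sp:SignedSupportingTokens/wsp:Policy/sp:IssuedToken"


def check_sso_policy(wsdl_text, client_copy):
    """Lint one WSDL contract; returns a list of findings (empty = looks right).
    client_copy=True expects the IssuedToken policy; False expects it removed."""
    root = ET.fromstring(wsdl_text)
    findings = []
    # Policies that a wsp:PolicyReference can target, keyed by their wsu:Id.
    policies = {p.get(WSU_ID): p for p in root.findall("wsp:Policy", NS) if p.get(WSU_ID)}
    if not policies:
        findings.append("no wsp:Policy under wsdl:definitions (WSS4J interceptors not installed)")
    for port in root.findall("wsdl:service/wsdl:port", NS):
        ref = port.find("wsp:PolicyReference", NS)
        uri = ref.get("URI", "") if ref is not None else ""
        policy = policies.get(uri[1:]) if uri.startswith("#") else None
        if policy is None:
            findings.append("port %s: PolicyReference %r matches no wsu:Id" % (port.get("name"), uri))
            continue
        if policy.find(HTTPS_PATH, NS) is None:
            findings.append("policy %s: TransportBinding does not require HttpsToken" % uri)
        has_issued = policy.find(ISSUED_PATH, NS) is not None
        if client_copy and not has_issued:
            findings.append("policy %s: client copy lacks sp:IssuedToken" % uri)
        if not client_copy and has_issued:
            findings.append("policy %s: server copy still carries sp:IssuedToken" % uri)
    return findings


def sample_wsdl(with_issued_token=True, with_policy=True):
    """Constructed minimal contract shaped like Example 8.1 (not the demo's real file)."""
    issued = ("<sp:SignedSupportingTokens><wsp:Policy><sp:IssuedToken/></wsp:Policy>"
              "</sp:SignedSupportingTokens>") if with_issued_token else ""
    policy = ('<wsp:Policy wsu:Id="STS_SAML_Token_policy"><sp:TransportBinding><wsp:Policy>'
              "<sp:TransportToken><wsp:Policy><sp:HttpsToken/></wsp:Policy></sp:TransportToken>"
              "</wsp:Policy></sp:TransportBinding>" + issued + "</wsp:Policy>") if with_policy else ""
    head = '<wsdl:definitions xmlns:wsdl="%(wsdl)s" xmlns:wsp="%(wsp)s" xmlns:wsu="%(wsu)s" xmlns:sp="%(sp)s">' % NS
    port = ('<wsdl:service name="SOAPService"><wsdl:port name="SoapPort">'
            '<wsp:PolicyReference URI="#STS_SAML_Token_policy"/></wsdl:port></wsdl:service>')
    return head + policy + port + "</wsdl:definitions>"
```

Running check_sso_policy over the real hello_world.wsdl and hello_world_server.wsdl (read from disk) catches both a forgotten sp:SignedSupportingTokens in the server copy and the fully removed wsp:Policy that the note above warns about.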