Tuesday, May 27, 2014

Invoke STS Service in WSO2 IS using CXF STS Client


Following guide describes how to invoke the STS Service in WSO2 Identity Server using a CXF STS client. The STS Client is configured via Spring.

As I have noticed, CXF STS client fails to invoke the STS service if you use the wso2carbon-sts wsdl to generate the client. So, I have followed a different approach.

Pre-requisites:


WSO2 Identity Server 4.6.0 or latter
Apache CXF 2.7.x

Instructions:


What I'm going to show you is using the CXF client via a simple stand-alone java class with Spring.

Configurations


1. First, you need to define the spring bean. Let's say the file is named wssec-sts-bean.xml.

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:cxf="http://cxf.apache.org/core"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:http="http://cxf.apache.org/transports/http/configuration"
       xsi:schemaLocation="
       http://cxf.apache.org/core   http://cxf.apache.org/schemas/core.xsd
       http://cxf.apache.org/transports/http/configuration            http://cxf.apache.org/schemas/configuration/http-conf.xsd
       http://www.springframework.org/schema/beans            http://www.springframework.org/schema/beans/spring-beans.xsd">
    <cxf:bus>
        <cxf:features>
            <cxf:logging/>
        </cxf:features>
    </cxf:bus>

<bean id="{http://ws.apache.org/axis2}wso2carbon-stsHttpsSoap12Endpoint.sts-client"
      class="org.apache.cxf.ws.security.trust.STSClient">
    <constructor-arg ref="cxf"/>
    <!--<property name="wsdlLocation" value="https://localhost:9443/services/wso2carbon-sts?wsdl"/>-->
    <property name="Location"
              value="https://localhost:9443/services/wso2carbon-sts.wso2carbon-stsHttpsSoap12Endpoint"/>
    <property name="serviceName" value="{http://ws.apache.org/axis2}wso2carbon-sts"/>
    <property name="endpointName" value="{http://ws.apache.org/axis2}wso2carbon-stsHttpsSoap12Endpoint"/>

    <property name="properties">
        <map>
            <entry key="ws-security.username" value="admin"/>
            <!--<entry key="ws-security.password" value="admin"/>-->
            <entry key="ws-security.callback-handler" value="com.cxf.sts.ClientCallbackHandler"/>
            <entry key="ws-security.encryption.properties"
                   value="bearer-client.properties"/>
            <entry key="ws-security.encryption.username" value="wso2carbon"/>
            <entry key="ws-security.sts.applies-to"
                   value="https://localhost:9453/services/echo"/>
        </map>
    </property>
</bean>
</beans>


NOTES: Please note that the wsdlLocation has NOT been set. Instead, we set the Location attribute which is the SOAP 1.2 STS https endpoint. Other attributes are the usual attributes that we normally set.

2. For the ws-security.encryption.properties property in the spring bean config, you have to  point to a properties file that has the encryption properties. The contents of bearer-client.properties would look like follows.

org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=wso2carbon
org.apache.ws.security.crypto.merlin.keystore.alias=wso2carbon
org.apache.ws.security.crypto.merlin.keystore.file=/opt/wso2/wso2is-4.6.0/repository/resources/security/client-truststore.jks

3. We need one more configuration file to store the ws-policy of the STS service. First, you need to secure the STS service in IS as described in this documentation - https://docs.wso2.org/display/IS460/Securing+the+Security+Token+Service
Now, if you browse to the wso2carbon-sts WSDL, you will see the policy that is applied to your service. Extract the policy element from the WSDL. It starts with <wsp:Policy ...>. If you secure the service with UsernameToken, then the policy would like below. Place it in a file called sts.policy.xml.

<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="UTOverTransport">
    <wsp:ExactlyOne  xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" >
        <wsp:All>
            <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                <wsp:Policy>
                <sp:TransportToken>
                    <wsp:Policy>
                        <sp:HttpsToken RequireClientCertificate="false"></sp:HttpsToken>
                    </wsp:Policy>
                </sp:TransportToken>
                <sp:AlgorithmSuite>
                    <wsp:Policy>
                        <sp:Basic256></sp:Basic256>
                    </wsp:Policy>
                </sp:AlgorithmSuite>
                <sp:Layout>
                    <wsp:Policy>
                        <sp:Lax></sp:Lax>
                    </wsp:Policy>
                </sp:Layout>
                <sp:IncludeTimestamp></sp:IncludeTimestamp>
                </wsp:Policy>
            </sp:TransportBinding>
            <sp:SignedSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                <wsp:Policy>
                    <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient"></sp:UsernameToken>
                </wsp:Policy>
            </sp:SignedSupportingTokens>
        </wsp:All>
    </wsp:ExactlyOne>
</wsp:Policy>

Now all the configuration files are in place. Now, we can go ahead, and write java code to retrieve the sts tokens.


STS Service Invocation


1. First, we need to set the trust-store of wso2 is as a system property since we are invoking a https endpoint. And, then, we will read the spring beans file.

System.setProperty("javax.net.ssl.trustStore",
        "/opt/wso2/wso2is-4.6.0/repository/resources/security/client-truststore.jks");
System.setProperty("javax.net.ssl.trustStorePassword", "wso2carbon");

2. Next, we should read the spring bean file, wssec-sts-bean.xml, and get the bean we created.

ApplicationContext ctx = new FileSystemXmlApplicationContext(
        "classpath:wssec-sts-bean.xml");
STSClient sts = (STSClient) ctx.
        getBean("{http://ws.apache.org/axis2}wso2carbon-stsHttpsSoap12Endpoint.sts-client");



3. Now, we have the STSClient instance. We need to set some attributes to the client before we can request security tokens. One is the policy we just extracted from the WSDL.

//parse the ut policy xml, and get a DOM element
File f = new File("src/main/resources/sts.policy.xml");
Element stsPolicy = loadPolicy(f.getAbsolutePath());
sts.setPolicy(stsPolicy);

sts.setTokenType("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0");
sts.setKeyType("http://schemas.xmlsoap.org/ws/2005/02/trust/Bearer");
sts.setSoap11(false);


4. Then, we can go ahead and request sts tokens.

SecurityToken samlToken = 
        sts.requestSecurityToken("http://localhost:9453/services/echo",
        "http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT",
        "/Issue", null);

//convert the token dom element to string
String token = ((DOMImplementationLS) samlToken.getToken().getOwnerDocument().getImplementation()).
        createLSSerializer().writeToString(samlToken.getToken().getOwnerDocument());
System.out.println(token);

With these steps, you should be able to invoke STS service in WSO2 Identity Server using a CXF client. You can download the full source of this from here - http://goo.gl/Dpmjee

Testing 

 

1. Start WSO2 Identity Server 4.6.0.
2. Secure STS Service with UsernameToken as described in this documentation - https://docs.wso2.org/display/IS460/Securing+the+Security+Token+Service
3. Extract the client, cxf-sts-w-wso2-is.zip
4. Run the client as follows.

mvn clean install -Pclient



Friday, May 2, 2014

Different ways to Revert GIT commits


In GIT, there are different requirements to revert changes. This includes reverting local changes in your working copy, revert a commit already made, rewrite already pushed GIT history etc. I'll show you how to do these in this blog. The `git log` I have used can be found at the end of this article.

  • To temporarily go back to a old revision, fool around, then come back to where you are, then you should checkout the desired commit.
git checkout 1f5d1eb7e

If you want to make some commits while you are in this older revision:
git checkout -b old_revision_branch 1f5d1eb7e


But, if you want to completely remove the commits you have made since a given revision, then there are two routes to go:

1. If you have pushed any commits:
#This will destroy all your local modifications:
git reset --hard 1f5d1eb7e

#But, if you have local work to keep:
git stash
git reset --hard 1f5d1eb7e
git stash pop
#This saves the modifications (git stash), and re-applies (git stash pop) it on top of the reset copy. You might get merge conflicts.

2. If you have already pushed the work:
Then you might not want to actually remove all the commits which will effectively rewrite the history. But what you can do is you can revert the commits. With git, revert has a very specific meaning: create a commit with a reverse patch to cancel it out. This way, you don't rewrite any history.

# This will create three separate commits
git revert 2ce3f91c4 0cc5599c5 3e5f8805a

# It also takes ranges. This will revert the last two commits:
git revert HEAD~2..HEAD

#Finally, commit
git commit


`git log`

commit 3e5f8805aa06d80d50f130107d48e4ec67289719
Author: Kasun Gajasinghe <kasung@wso2.com>
Date:   Wed Apr 30 02:14:20 2014 +0530

    cleaning up cxf ws-discovery

commit 0cc5599c57f443a937affcd2045617d8660a58e4
Author: Kasun Gajasinghe <kasung@wso2.com>
Date:   Wed Apr 30 01:51:51 2014 +0530

    moving APIScanner class to correct package

commit 2ce3f91c4262749ca262ddc0bf75924f13bbb485
Author: Kasun Gajasinghe <kasung@wso2.com>
Date:   Wed Apr 30 01:45:12 2014 +0530

    Adding support to read the WSDL 1.1 wsdl:portType from the JAX-WS annotations.

commit 1f5d1eb7ef6152de32f5c8282e765f3e8aaa6468
Author: chanikag <chanika@wso2.com>
Date:   Mon Apr 28 08:37:07 2014 +0530

    upgrade data-bridge conmponent to revision 201003

commit 64958bc9df641b3628d6d88ed39acb5e37eae688
Author: Chamath Gunawardana <chamathg@gmail.com>
Date:   Fri Apr 25 12:56:20 2014 +0530

    Updating pom

This was generously inspired from a Stackoverflow answer at http://stackoverflow.com/questions/4114095/revert-to-previous-git-commit