Discussion:
Configure SamlCallbackHandler for Dispatch client
Burkard Stephan
2018-09-17 15:19:05 UTC
Hi

I am trying to "decorate" an outgoing web service call with a SAML token for authentication. Therefore I have written a SamlCallbackHandler. It is for sure not yet complete, but I am already failing to configure it onto my CXF client which is a Dispatch client.

I have found that I need to configure the key SecurityConstants.SAML_CALLBACK_HANDLER with my SamlCallbackHandler instance.

I also found JAX-B based examples that configure the handler on the web service port type:

    ((BindingProvider)saml2Port).getRequestContext().put(
        "ws-security.saml-callback-handler", new SamlCallbackHandler()
    );

But my dispatch client has no port type class. It looks like this (simplified names):

    @Bean
    public Dispatch<Source> myClient(final SamlCallbackHandler samlCallbackHandler) {
        QName serviceName = new QName("namespace", "service");
        QName portName = new QName("namespace ", "port");
        Service service = Service.create(serviceName);
        service.addPort(portName, SOAPBinding.SOAP11HTTP_BINDING, "address");
        Dispatch<Source> dispatch = service.createDispatch(portName, Source.class, Service.Mode.PAYLOAD);
        Client client = ((org.apache.cxf.jaxws.DispatchImpl)dispatch).getClient();
        client.getInInterceptors().add(new LoggingInInterceptor());
        client.getOutInterceptors().add(new LoggingOutInterceptor());
        return dispatch;
    }

On this client I tried to configure my SamlCallbackHandler like this:

1. client.getRequestContext().put(SecurityConstants.SAML_CALLBACK_HANDLER, samlCallbackHandler);
2. client.getEndpoint().put(SecurityConstants.SAML_CALLBACK_HANDLER, samlCallbackHandler);

Unfortunately none of them works, the handle method of the handler is never called and therefore the outgoing request has no token.

How can I configure the SamlCallbackHandler on a Dispatch client? I did not find an example in the CXF project.

Thanks
Stephan
Colm O hEigeartaigh
2018-09-18 09:20:54 UTC
Putting it on the client request context should work. The question is
though, how are you configuring that a SAML token is required? Setting the
SAML CallbackHandler is not enough - either you need to have a SamlToken
policy assertion in the WSDL (or in a local policy file) or else you need
to set up the WSS4JOutInterceptor to configure it to include a SAML token.

Colm.
--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
Burkard Stephan
2018-09-18 09:38:40 UTC
Thanks Colm

I just found an example with a WSS4JOutInterceptor and my SamlCallbackHandler gets called now.

What I noticed: On the WSS4JOutInterceptor I have to use ConfigurationConstants.SAML_CALLBACK_REF. When I use SecurityConstants.SAML_CALLBACK_HANDLER instead, I get an error saying that no SAML callback handler is defined.

    @Bean
    public WSS4JOutInterceptor wss4JOutInterceptor(final SamlCallbackHandler samlCallbackHandler) {
        Map<String, Object> properties = new HashMap<>();
        properties.put(ConfigurationConstants.ACTION, ConfigurationConstants.SAML_TOKEN_SIGNED);
        properties.put(ConfigurationConstants.SAML_CALLBACK_REF, samlCallbackHandler);
        return new WSS4JOutInterceptor(properties);
    }

    @Bean
    public Dispatch<Source> myClient(final WSS4JOutInterceptor wss4JOutInterceptor) {
        QName serviceName = new QName("namespace", "service");
        QName portName = new QName("namespace ", "port");
        Service service = Service.create(serviceName);
        service.addPort(portName, SOAPBinding.SOAP11HTTP_BINDING, "address");
        Dispatch<Source> dispatch = service.createDispatch(portName, Source.class, Service.Mode.PAYLOAD);
        Client client = ((org.apache.cxf.jaxws.DispatchImpl)dispatch).getClient();
        client.getInInterceptors().add(new LoggingInInterceptor());
        client.getOutInterceptors().add(new LoggingOutInterceptor());
        client.getOutInterceptors().add(wss4JOutInterceptor);
        return dispatch;
    }

Stephan


Colm O hEigeartaigh
2018-09-18 10:31:15 UTC
The SecurityConstants configuration tags only apply to WS-SecurityPolicy
configuration, and not when you are using the WSS4JOutInterceptor. Instead
you can use "ConfigurationConstants.SAML_CALLBACK_CLASS".

Colm.
--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
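
The two WSS4JOutInterceptor settings named in this thread, side by side, as an added example that is not code from the thread or from the CXF project. It assumes WSS4J 2.1 or later; the class names, issuer and subject values are placeholders, and it uses SAML_TOKEN_UNSIGNED rather than the thread's SAML_TOKEN_SIGNED so that it stays free of keystore configuration.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor;
import org.apache.wss4j.common.ConfigurationConstants;
import org.apache.wss4j.common.saml.SAMLCallback;
import org.apache.wss4j.common.saml.bean.SubjectBean;
import org.apache.wss4j.common.saml.bean.Version;
import org.apache.wss4j.common.saml.builder.SAML2Constants;

public class SamlOutboundConfig {
    // Hypothetical handler: WSS4J passes in a SAMLCallback and builds the assertion from it.
    public static class ExampleSamlCallbackHandler implements CallbackHandler {
        @Override
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (!(cb instanceof SAMLCallback)) {
                    throw new UnsupportedCallbackException(cb, "Only SAMLCallback is supported");
                }
                SAMLCallback saml = (SAMLCallback) cb;
                saml.setSamlVersion(Version.SAML_20);
                saml.setIssuer("example-issuer"); // placeholder value
                saml.setSubject(new SubjectBean("example-user", null, SAML2Constants.CONF_BEARER));
            }
        }
    }

    // Option 1: pass a handler instance (e.g. a Spring bean) with SAML_CALLBACK_REF.
    public static WSS4JOutInterceptor withHandlerInstance(CallbackHandler handler) {
        Map<String, Object> props = baseProperties();
        props.put(ConfigurationConstants.SAML_CALLBACK_REF, handler);
        return new WSS4JOutInterceptor(props);
    }

    // Option 2: pass a class name with SAML_CALLBACK_CLASS; the class needs a public no-arg constructor.
    public static WSS4JOutInterceptor withHandlerClassName() {
        Map<String, Object> props = baseProperties();
        props.put(ConfigurationConstants.SAML_CALLBACK_CLASS, ExampleSamlCallbackHandler.class.getName());
        return new WSS4JOutInterceptor(props);
    }

    // The ACTION entry is what makes the interceptor add a token; the handler alone does not.
    private static Map<String, Object> baseProperties() {
        Map<String, Object> props = new HashMap<>();
        props.put(ConfigurationConstants.ACTION, ConfigurationConstants.SAML_TOKEN_UNSIGNED);
        return props;
    }
}
```

Either interceptor is attached with client.getOutInterceptors().add(...) as in the Dispatch bean above. An unsigned bearer assertion gives the receiver no way to verify the issuer, so it is suitable only for checking that the handler is invoked.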