Red Hat Training

A Red Hat training course is available for Red Hat Fuse

9.4. Enabling AppliesTo in the STS

Overview

When you specify an IssuedToken policy, you can replace both of the TokenType and KeyType elements by a single AppliesTo element, which specifies the identity of the server that the client wants to communicate with. The idea behind this approach is that the STS already knows what type of token the server wants and what kind of single sign-on scenario the server supports. In other words, this information is centralized in the STS (and the STS must be configured with this information).
Figure 9.10, “Processing the AppliesTo Policy” shows an overview of the steps that the STS follows to process the AppliesTo policy.

Figure 9.10. Processing the AppliesTo Policy

Steps to process the AppliesTo policy

When the IssuedToken policy includes the AppliesTo policy, the STS processes the client's issue token request as follows:
  1. The trigger that enables the AppliesTo policy is when the client encounters an IssuedToken policy with a RequestSecurityTokenTemplate that contains the AppliesTo policy element. In this case, the STSClient constructs a RequestSecurityToken request message containing the specified AppliesTo element and uses this message to invoke the Issue operation on the STS.
    In the example shown in Figure 9.10, “Processing the AppliesTo Policy”, the AppliesTo element references the FooAddress endpoint URL, which is the URL of the WS endpoint in the server that the client wants to invoke.
  2. After detecting the presence of the AppliesTo element in the incoming request, the TokenIssueOperation instance iterates over the list of registered StaticService objects, trying to find a regular expression that matches the target address, FooAddress, that was specified by the AppliesTo element.
    If a match is found, the TokenIssueOperation checks whether the tokenType and keyType properties are set on the StaticService object. If these properties are set, they override the values (if any) that were specified in the incoming request.
    If a match is not found, the TokenIssueOperation raises an error.
    Note
    If a list of services is registered with the TokenIssueOperation instance, one of the registered services must match the address specified by AppliesTo.
  3. Now that the requested token type and key type have been determined, the TokenIssueOperation object proceeds as usual to issue the requested token (for example, see Section 9.1.3, “Customizing the Issue Operation”).
  4. The STS returns the issued token to the client.
  5. The client can now send a secure invocation to the FooAddress endpoint on the server, including the issued token in the SOAP security header.

IssuedToken policy without AppliesTo enabled

Before looking at how to enable the AppliesTo policy, it is worth reminding ourselves what a typical IssuedToken policy looks like without the AppliesTo policy enabled. For example, the following IssuedToken policy requests a SAML 2.0 token that embeds a key of type public key (an X.509 certificate) for the purpose of identifying the client (Holder-of-Key scenario): 
<sp:IssuedToken
      sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
    <sp:RequestSecurityTokenTemplate>
        <t:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</t:TokenType>
        <t:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey</t:KeyType>
    </sp:RequestSecurityTokenTemplate>
    <wsp:Policy>
        <sp:RequireInternalReference />
    </wsp:Policy>
    <sp:Issuer>
        <wsaw:Address>http://localhost:8080/SecurityTokenService/</wsaw:Address>
    </sp:Issuer>
</sp:IssuedToken>
In the ordinary case, without AppliesTo enabled, the IssuedToken policy specifies the required token type and key type explicitly.

IssuedToken policy with AppliesTo enabled

When the AppliesTo policy is enabled, it is no longer necessary to specify the required token type and key type in the message that is sent to the STS. You use the AppliesTo policy to specify which target endpoint the issued token is needed for and the STS looks up the target endpoint to discover the policies that apply to the issued token.
Therefore, in the RequestSecurityTokenTemplate element in the IssuedToken policy, you need only specify the AppliesTo element, as shown in the following example: 
<sp:IssuedToken
      sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
    <sp:RequestSecurityTokenTemplate>
        <wsp:AppliesTo>
            <wsa:EndpointReference>
                <wsa:Address>http://localhost:9001/SoapContext/SoapPort</wsa:Address>
            </wsa:EndpointReference>
        </wsp:AppliesTo>
    </sp:RequestSecurityTokenTemplate>
    <wsp:Policy>
        <sp:RequireInternalReference />
    </wsp:Policy>
    <sp:Issuer>
        <wsaw:Address>http://localhost:8080/SecurityTokenService/</wsaw:Address>
    </sp:Issuer>
</sp:IssuedToken>
In this example, the AppliesTo policy specifies that the token is issued for the server endpoint, http://localhost:9001/SoapContext/SoapPort.

Configuring the list of services

When using the AppliesTo policy, you must configure the STS to recognize the relevant target endpoint and provide the appropriate policies for issuing tokens (in particular, the TokenType and KeyType policies).
The following sample STS configuration shows how to configure the TokenIssueOperation with a list of services (in this example, the list is just a singleton). 
<beans ... >
    <bean id="utIssueDelegate" class="org.apache.cxf.sts.operation.TokenIssueOperation">
        <property name="tokenProviders" ref="utTokenProviders" />
        <property name="services" ref="utService" />
        <property name="stsProperties" ref="utSTSProperties" />
    </bean>
    ...
    <bean id="utService"
        class="org.apache.cxf.sts.service.StaticService">
        <property name="endpoints" ref="utEndpoints"/>
        <property name="tokenType"
            value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"/>
        <property name="keyType"
            value="http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey"/>
    </bean>
    
    <util:list id="utEndpoints">
        <value>http://localhost:(\d)*/SoapContext/SoapPort</value>
    </util:list>
    ...
</beans>
Services are represented by one or more StaticService instances. Each StaticService instance holds a list of regular expressions, which are matched against the AppliesTo address URL. If a match is found, the specified properties of the StaticService instance are then used for issuing the token.