UI spec for WSIT NB modules Netbeans 5.5 / 5.5.1 / Gavotte integration

Current screen:
http://wiki.netbeans.org/wiki/attach/WSITGavotteEngPlan/RedesignedScreen.png

Main changes from pre-redesigned version

  • Attributes are grouped by scope (service/operation), not by technology
  • Messaging and Security panels merged into one WSIT panel
  • Transactions support added
  • Some advanced settings are hidden behind the Advanced... button
  • Security profiles introduced
  • TCP button added

Main use cases

  • Ability to switch on and configure different advanced WSIT attributes on top of an existing web service
  • Ability to implement a web service client for such services
  • Ability to develop Secure Token Service (STS)
Based on Documents:

WSIT panel - Service

The configuration is accessible through the 'Edit WS Attributes' action on the Web Service node. The action opens a dialog with several panels, each representing a different set of attributes of the service: one is the WSDL customization view, another is the WSIT configuration or the AM Security configuration.

Screen 1a - Basic overview

+---Edit WS Attributes------------------------------------------------------+
| ___________________________                                               |
| | Customizations |//WSIT//|                                               |
| +-----------------------------------------------------------------------+ |
| |                                                                       | |
| | MyService1 WSIT Attributes                                            | |
| |                                                                       | |
| |  [ ] Optimize Transfer of Binary Data (MTOM)                          | |
| |  -------------------------------------------------------------------  | |
| |  [ ] Reliable Message Delivery                                        | |
| |       [ ] Deliver Messages in Exact Order                             | |
| |       [Advanced...]                                                   | |
| |  -------------------------------------------------------------------  | |
| |  [ ] Secure All Service Operations                                    | |
| |       Security Mechanism: |_Transport Security (SSL)v| [Configure...] | |
| |       +-------------------------------------------------------------+ | |
| |       | This is a description text for the profile. Each of the     | | |
| |       | security mechanisms (profiles) has a short associated       | | |
| |       | description (no more than 4 lines).                         | | |
| |       +-------------------------------------------------------------+ | |
| |       [Keystore...] [Truststore...] [Validator (optional)... ]        | |
| |                                                                       | |
| |  [ ] Act As Secure Token Service (STS) [ Configure... ]               | |
| |  -------------------------------------------------------------------  | |
| |  [ ] Allow TCP Transport                                              | |
| |  [ ] Allow Binary Encoding (Fast Infoset)                             | |
| |                                                                       | |
| | + operation1                                                          | |
| | + operation2                                                          | |
| | + operation3                                                          | |
| |                                                                       | |
| |                                                                       | |
| |                                                                       | |
| |                                                                       | |
| |                                                                       | |
| +-----------------------------------------------------------------------+ |
|                                                                           |
+---------------------------------------------------------------------------+

Combo box items:

 Security Profile:   1 |_Transport Security (SSL)___________________v|
                     2 |_Message Authentication over SSL_____________|
                     3 |_SAML Authorization Token over SSL___________|
                     4 |_Username Authentication - Symmetric Keys____|  (default)
                     5 |_Mutual Certificates - Sign & Encrypt________|
                     6 |_Endorsing Certificate_______________________|
                     7 |_SAML Sender Vouches With Certificates_______|
                     8 |_SAML Holder of Key With Mutual Certificates_|
                     9 |_Kerberos ___________________________________|  (not included in 1.0)
                    10 |_STS Issued Token____________________________|
                    11 |_STS_Issued_Token_for_Service_Certificate____|
                    12 |_STS Issued Endorsing Token__________________|
                    13 |_Generic_____________________________________|  (not included in 1.0)

Optimize Transfer of Binary Data corresponds to the MTOM policy assertion
Reliable Message Delivery corresponds to the RMAssertion policy assertion
Deliver Messages in Exact Order corresponds to the Ordered assertion
Secure All Service Operations corresponds to attaching a security policy to the service scope
Allow TCP Transport corresponds to attaching the TCP proprietary elements to the service scope and adding elements to web.xml
Allow Binary Encoding (Fast Infoset) corresponds to attaching the FI proprietary elements to the service scope
Act As Secure Token Service means that the service is to be treated as a secure token service; available only on a WebServiceProvider implementation
[Configure...] next to STS leads to screen 5

[Keystore...], [Truststore...] - both buttons are available only when Tomcat is specified as the target server; Keystore leads to screen 4a, Truststore to screen 4b
If none of the top-level checkboxes is checked, no policy is attached to the service scope. Checking any top-level checkbox attaches a policy to the service scope.
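The following Python, added here as an illustration rather than code from the WSIT modules or the NetBeans project, builds the service-scope policy that the top-level checkboxes map to and returns nothing when none of them is checked. The wsp, wsu, wsoma and wsrm namespaces are those of WS-Policy, WSS Utility, MTOM and WS-ReliableMessaging 1.0 policy; the 'net' namespace for the Ordered and flow-control assertions (the Screen 2 settings) is the Microsoft one seen in WSIT-generated files and, like the parameter names, is an assumption of this example.

```python
import xml.etree.ElementTree as ET

# Namespaces of the assertions WSIT 1.0 attaches at the service scope.
# wsp/wsu/wsoma/wsrm are the WS-Policy, WS-Security Utility, MTOM and
# WS-ReliableMessaging 1.0 policy namespaces; 'net' (Ordered, RmFlowControl)
# is the Microsoft namespace seen in WSIT-generated files (assumption here).
NS = {
    "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "wsoma": "http://schemas.xmlsoap.org/ws/2004/09/policy/optimizedmimeserialization",
    "wsrm": "http://schemas.xmlsoap.org/ws/2005/02/rm/policy",
    "net": "http://schemas.microsoft.com/net/2005/02/rm/policy",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)


def q(prefix, local):
    """Clark-notation tag for prefix:local."""
    return "{%s}%s" % (NS[prefix], local)


def service_scope_policy(service_name, mtom=False, reliable=False, ordered=False,
                         inactivity_timeout_ms=None, flow_control=False,
                         max_buffer_size=None):
    """Build the wsp:Policy for the checked Screen 1a / Screen 2 attributes.

    Returns None when neither top-level checkbox is checked: in that case no
    policy is attached to the service scope at all. 'ordered', the flow-control
    settings and the inactivity timeout are sub-options of Reliable Message
    Delivery and are ignored unless 'reliable' is set.
    """
    if not (mtom or reliable):
        return None
    policy = ET.Element(q("wsp", "Policy"), {q("wsu", "Id"): service_name + "Policy"})
    alt = ET.SubElement(ET.SubElement(policy, q("wsp", "ExactlyOne")), q("wsp", "All"))
    if mtom:
        ET.SubElement(alt, q("wsoma", "OptimizedMimeSerialization"))
    if reliable:
        rm = ET.SubElement(alt, q("wsrm", "RMAssertion"))
        if inactivity_timeout_ms is not None:
            ET.SubElement(rm, q("wsrm", "InactivityTimeout"),
                          {"Milliseconds": str(int(inactivity_timeout_ms))})
        if ordered:
            ET.SubElement(alt, q("net", "Ordered"))
        if flow_control:
            fc = ET.SubElement(alt, q("net", "RmFlowControl"))
            if max_buffer_size is not None:
                ET.SubElement(fc, q("net", "MaxReceiveBufferSize")).text = str(int(max_buffer_size))
    return policy


def assertion_names(policy):
    """Local names of the assertions inside wsp:All, in document order."""
    return [child.tag.split("}")[1] for child in policy.find("wsp:ExactlyOne/wsp:All", NS)]


def to_xml(policy):
    return ET.tostring(policy, encoding="unicode")


if __name__ == "__main__":
    p = service_scope_policy("MyService1", mtom=True, reliable=True, ordered=True,
                             inactivity_timeout_ms=600000, flow_control=True,
                             max_buffer_size=32)
    print(to_xml(p))
```

Running the block prints the policy for a service with MTOM, reliable ordered delivery, a 600000 ms inactivity timeout and a 32-message receive buffer; calling `service_scope_policy("MyService1")` with nothing checked returns None, which is the "no policy attached" case.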


Screen 1b - Operation Level attributes expanded

+---------------------------------------------------------------------------+  
|  _________________________                                                |
| | Customizations |//WSIT//|                                               |
| +-----------------------------------------------------------------------+ |
| |                                                                       | |
| | MyService1 WSIT Attributes                                            | |
| |                                                                       | |
| |  [ ] Optimize Transfer of Binary Data (MTOM)                          | |
| |  -------------------------------------------------------------------  | |
| |  [ ] Reliable Message Delivery                                        | |
| |       [ ] Deliver Messages in Exact Order                             | |
| |       [Advanced...]                                                   | |
| |  -------------------------------------------------------------------  | |
| |  [ ] Secure All Service Operations                                    | |
| |       Security Mechanism: |_Transport Security (SSL)v| [Configure...] | |
| |       +-------------------------------------------------------------+ | |
| |       | This is a description text for the profile. Each of the     | | |
| |       | security mechanisms (profiles) has a short associated       | | |
| |       | description (no more than 4 lines).                         | | |
| |       +-------------------------------------------------------------+ | |
| |       [Keystore...] [Truststore...] [Validator (optional)... ]        | |
| |                                                                       | |
| |  [ ] Act As Secure Token Service (STS) [ Configure... ]               | |
| |  -------------------------------------------------------------------  | |
| |  [ ] Allow TCP Transport                                              | |
| |  [ ] Allow Binary Encoding (Fast Infoset)                             | |
| |                                                                       | |
| | - operation1                                                          | |
| |                                                                       | |
| |  [ ] Transaction:  |_Mandatory_v|                                     | |
| |                                                                       | |
| |  [ ] Override Service Security Configuration                          | |
| |       Security Profile:  |_Transport Security (SSL)_v| [Configure...] | |
| |       [Keystore...]  [Truststore...]                                  | |
| |                                                                       | |
| |   - Input Message                                                     | |
| |                                                                       | |
| |      Authentication token: |_X509____________v| [Configure...]        | |
| |         [ ] Signed                                                    | |
| |         [ ] Endorsing                                                 | |
| |      [Message Parts...]                                               | |
| |                                                                       | | 
| |   - Output Message                                                    | |
| |                                                                       | |
| |      Authentication token: |_X509____________v| [Configure...]        | |
| |         [ ] Signed                                                    | |
| |         [ ] Endorsing                                                 | | 
| |      [Message Parts...]                                               | |
| |                                                                       | |
| | + operation2                                                          | |
| | + operation3                                                          | |
| |                                                                       | |
| |                                                                       | |
| +-----------------------------------------------------------------------+ |
|                                                                           |
+---------------------------------------------------------------------------+
Combo box items:
 Transaction:  |__None_________v|
               |__Mandatory_____|
               |__Required______|
               |__Requires New__|
               |__Supported_____|
               |__Not Supported_|
- the default value is 'Required' for an EJB service; in the WSDL->Java case the default is 'Not Supported'

[Keystore...], [Truststore...] - both buttons are available only when Tomcat is specified as the target server; Keystore leads to screen 4a, Truststore to screen 4b
[Message Parts] - leads to screen 4c, enabled when security on binding is enabled


Screen 2 - Advanced Reliable Messaging Attributes

+-Advanced Reliable Messaging Attributes------------+
|                                                   |
|   [ ] Deliver Messages in Exact Order             |
|   [ ] Flow Control                                |
|   Maximum Flow Control Buffer size:  [__]         |
|   Inactivity Timeout: [____]                      |
|                                                   |
+---------------------------------------------------+


Screen 3a - Profile #1

+-Security Profile Configuration------------------------+
|                                                       |
|  [ ] Require Client Certificate                       |
|                                                       |
|                               [  OK  ]  [ Cancel ]    |
+-------------------------------------------------------+


Screen 3b - Profile #2

+-Security Profile Configuration------------------------+
|                                                       |
|  Supporting Token: |_X509_v|  [Configure...]          |
|  WSS Version:      |_1.0_v|                           |
|  Security Header Layout: |_Strict________v|           |
|  [ ] Establish Secure Session (Secure Conversation)   |
|  [ ] Require Derived Keys for Secure Session          |
|  [ ] Require Signature Confirmation                   |
|  [ ] Encrypt Signature                                |
|                                                       |
|                               [  OK  ]  [ Cancel ]    |
+-------------------------------------------------------+


Combo Box items:

 WSS Version: 1.0 (default), 1.1                    
 Supporting Token: Username, X509     

Require Derived Keys for Secure Session: - enabled only if secure conversation is enabled
Require Signature Confirmation: - enabled only if WSS 1.1 is selected


Screen 3c - Profile #3

+-Security Profile Configuration------------------------+
|                                                       |
|  SAML Version:       |_1.0_v|                         |
|  SAML Token Profile: |_1.0_v|                         |
|  WSS Version:        |_1.0_v|                         |
|  Security Header Layout: |_Strict________v|           |
|  [ ] Require Client Certificate                       |
|  [ ] Require Signature Confirmation                   |
|  [ ] Encrypt Signature                                |
|                                                       |
|                               [  OK  ]  [ Cancel ]    |
+-------------------------------------------------------+


Combo box items:
 SAML Version: 1.0, 1.1, 2.0                    
 SAML Token Profile: 1.0, 1.1

Require Signature Confirmation: - enabled only if WSS 1.1 is selected


Screen 3d - Profile #4

+-Security Profile Configuration------------------------+
|                                                       |
|  Algorithm Suite:  |_Basic 128___________v|           |
|  Security Header Layout: |_Strict________v|           |
|  [ ] Require Derived Keys                             |
|  [ ] Establish Secure Session (Secure Conversation)   |
|  [ ] Require Derived Keys for Secure Session          |
|  [ ] Require Signature Confirmation                   |
|  [ ] Encrypt Before Signing                           |
|  [ ] Encrypt Signature                                |
|                                                       |
|                               [  OK  ]  [ Cancel ]    |
+-------------------------------------------------------+

Require Derived Keys for Secure Session: - enabled only if secure conversation is enabled


Screen 3e - Profile #5

+-Security Profile Configuration------------------------+
|                                                       |
|  Algorithm Suite:  |_Basic 128___________v|           |
|  Security Header Layout: |_Strict________v|           |
|  [ ] Require Derived Keys                             |
|  [ ] Establish Secure Session (Secure Conversation)   |
|  [ ] Require Derived Keys for Secure Session          |
|  [ ] Encrypt Before Signing                           |
|  [ ] Encrypt Signature                                |
|                                                       |
|                               [  OK  ]  [ Cancel ]    |
+-------------------------------------------------------+

Require Derived Keys for Secure Session: - enabled only if secure conversation is enabled


Screen 3f - Profile #6

+-Security Profile Configuration------------------------+
|                                                       |
|  Algorithm Suite:  |_Basic 128___________v|           |
|  Security Header Layout: |_Strict________v|           |
|  [ ] Establish Secure Session (Secure Conversation)   |
|  [ ] Require Derived Keys for Secure Session          |
|  [ ] Require Signature Confirmation                   |
|  [ ] Encrypt Before Signing                           |
|  [ ] Encrypt Signature                                |
|                                                       |
|                               [  OK  ]  [ Cancel ]    |
+-------------------------------------------------------+

Require Derived Keys for Secure Session: - enabled only if secure conversation is enabled


Screen 3g - Profile #7

+-Security Profile Configuration------------------------+
|                                                       |
|  SAML Version:       |_1.0_v|                         |
|  SAML Token Profile: |_1.0_v|                         |
|  Algorithm Suite:    |_Basic 128___________v|         |
|  Security Header Layout: |_Strict________v|           |
|  [ ] Require Derived Keys                             |
|  [ ] Establish Secure Session (Secure Conversation)   |
|  [ ] Require Derived Keys for Secure Session          |
|  [ ] Encrypt Before Signing                           |
|  [ ] Encrypt Signature                                |
|                                                       |
|                               [  OK  ]  [ Cancel ]    |
+-------------------------------------------------------+
Combo box items:

 SAML Version: 1.0, 1.1, 2.0                    
 SAML Token Profile: 1.0, 1.1

Require Derived Keys for Secure Session: - enabled only if secure conversation is enabled


Screen 3h - Profile #8

+-Security Profile Configuration------------------------+
|                                                       |
|  SAML Version:       |_1.0_v|                         |
|  SAML Token Profile: |_1.0_v|                         |
|  Algorithm Suite:    |_Basic 128___________v|         |
|  Security Header Layout: |_Strict________v|           |
|  [ ] Require Derived Keys                             |
|  [ ] Establish Secure Session (Secure Conversation)   |
|  [ ] Require Derived Keys for Secure Session          |
|  [ ] Encrypt Before Signing                           |
|  [ ] Encrypt Signature                                |
|                                                       |
|                               [  OK  ]  [ Cancel ]    |
+-------------------------------------------------------+
Combo box items:

 SAML Version: 1.0, 1.1, 2.0                    
 SAML Token Profile: 1.0, 1.1

Require Derived Keys for Secure Session: - enabled only if secure conversation is enabled


Screen 3i - Profile #9

+-Security Profile Configuration------------------------+
|                                                       |
|  Algorithm Suite:  |_Basic 128___________v|           |
|  Security Header Layout: |_Strict________v|           |
|  [ ] Require Derived Keys                             |
|  [ ] Establish Secure Session (Secure Conversation)   |
|  [ ] Require Derived Keys for Secure Session          |
|  [ ] Require Signature Confirmation                   |
|  [ ] Encrypt Before Signing                           |
|  [ ] Encrypt Signature                                |
|                                                       |
|                               [  OK  ]  [ Cancel ]    |
+-------------------------------------------------------+

Require Derived Keys for Secure Session: - enabled only if secure conversation is enabled


Screen 3j - Profile #10

+-Security Profile Configuration------------------------+
|                                                       |
|  Issued Token Type: |SAML_1.1_v|  [Configure...]      |
|  Algorithm Suite:   |_Basic 128___________v|          |
|  Security Header Layout: |_Strict________v|           |
|  [ ] Require Derived Keys for Issued Token            |
|  [ ] Establish Secure Session (Secure Conversation)   |
|  [ ] Require Derived Keys for Secure Session          |
|  [ ] Require Signature Confirmation                   |
|  [ ] Encrypt Before Signing                           |
|  [ ] Encrypt Signature                                |
|                                                       |
|                               [  OK  ]  [ Cancel ]    |
+-------------------------------------------------------+
Combo box items:

 Token Type: SAML 1.1 (default), 2.0                    

Require Derived Keys for Secure Session: - enabled only if secure conversation is enabled


Screen 3k - Profile #11

+-Security Profile Configuration------------------------+
|                                                       |
|  Issued Token Type:      |SAML_1.1_v|  [Configure...] |
|  Algorithm Suite:        |_Basic 128___________v|     |
|  Security Header Layout: |_Strict________v|           |
|  [ ] Require Derived Keys                             |
|  [ ] Establish Secure Session (Secure Conversation)   |
|  [ ] Require Derived Keys for Secure Session          |
|  [ ] Require Signature Confirmation                   |
|  [ ] Encrypt Before Signing                           |
|  [ ] Encrypt Signature                                |
|                                                       |
|                               [  OK  ]  [ Cancel ]    |
+-------------------------------------------------------+
Combo box items:

 Token Type: SAML 1.1 (default), 2.0                    

Require Derived Keys for Secure Session: - enabled only if secure conversation is enabled


Screen 3l - Profile #12

+-Security Profile Configuration------------------------+
|                                                       |
|  Token Type:     |SAML_1.1_v|  [Configure...]         |
|  Algorithm Suite:        |_Basic 128___________v|     |
|  Security Header Layout: |_Strict________v|           |
|  [ ] Require Derived Keys for X509 Token              |
|  [ ] Require Derived Keys for Issued Token            |
|  [ ] Establish Secure Session (Secure Conversation)   |
|  [ ] Require Derived Keys for Secure Session          |
|  [ ] Require Signature Confirmation                   |
|  [ ] Encrypt Before Signing                           |
|  [ ] Encrypt Signature                                |
|                                                       |
|                               [  OK  ]  [ Cancel ]    |
+-------------------------------------------------------+
Combo box items:

 Token Type: SAML 1.1 (default), 2.0                    

Require Derived Keys for Secure Session: - enabled only if secure conversation is enabled


Screen 3m - Profile #13 - Generic profile (used when the policy is not recognized as any of the other profiles)

+-Security Profile Configuration-------------------------------------+
|                                                                    |
|  Authentication token: |_X509____________v| [Configure...]         |
|  Integrity Protection: |_Asymmetric keys_v|                        |
|  Confidentiality Protection: |_Random Symmetric Keys_v|            |
|  Algorithm Suite:  |_Basic 128___________v|                        |
|  Security Header Layout: |_Strict________v|                        |
|  WSS Version: |_1.0__v|  [Configure...]                            |
|  [ ] Establish Secure Session (Secure Conversation) [Configure...] |
|  [ ] Require Derived Keys                                          |
|  [ ] Include Timestamp                                             |
|  [ ] Protect Token (Sign Signature Token)                          |
|  [ ] Only Sign Entire Headers And Body                             |
|  [ ] Encrypt Before Signing                                        |
|  [ ] Encrypt Signature                                             |
|                                                                    |
|                                            [  OK  ]  [ Cancel ]    |
+--------------------------------------------------------------------+
Combo box items:

 Authentication Token: None (default), Username, X509, Saml, Issued, Https, Kerberos
 Integrity Protection: None (default), Random Symmetric Keys, Issued Symmetric Keys, Asymmetric Keys
 Confidentiality Protection: None (default), Random Symmetric Keys, Issued Symmetric Keys, Transport (SSL)
 Algorithm Suite:
 Security Header Layout: Strict (default), Lax, LaxTimestampFirst, LaxTimestampLast
 WSS Version: 1.0, 1.1

[Configure...] for the Authentication Token - leads to the configuration of the token type (supporting/endorsing/...) and potentially other token attributes
[Configure...] for Secure Conversation - leads to the configuration of the bootstrap policy

Screen 4a - Keystore configuration

+------Keystore configuration-------------------------------------------------+
| Location: |C:\blabla\keystore.jks______________________________| [Browse...]|
| Store Password: |________________________________________|  [Load Aliases]  |
| Alias:    |_____________________________________________v|                  |
| Key Password: |__________________________________________|                  |
|                                                                             |
|                                                    [  OK  ] [  Cancel  ]    |
+-----------------------------------------------------------------------------+
Combo box items:

 Alias: lists the aliases if the keystore location and the correct password are filled in, otherwise empty

Screen 4b - Truststore configuration

+------Truststore configuration-----------------------------------------------+
| Location: |C:\blabla\truststore.jks____________________________| [Browse...]|
| Store Password: |________________________________________|  [Load Aliases]  |
| Alias:    |_____________________________________________v|                  |
|                                                                             |
|                                                    [  OK  ] [  Cancel  ]    |
+-----------------------------------------------------------------------------+
Combo box items:

 Alias: lists the aliases if the truststore location and the correct password are filled in, otherwise empty

Screen 4c - Message Parts

+------Message Parts-----------------------------------------------------------+
| [ ] default                                                                  |
| +---------------------------------------------------------+  [Add Body]      |
| | Message Part         | Sign   | Encrypt  | Require      |  [Add Header...] | 
| | --------------------------------------------------------|  [Add XPath]     |
| | Body                 |  x     |          |              |  [Remove]        |
| | ReplyTo (addressing) |  x     |    x     |              |                  |
| | Body                 |  x     |          |              |                  |
| |                      |        |          |              |                  |
| +---------------------------------------------------------+                  |
|                                                                              |
|                                                    [  OK  ] [  Cancel  ]     |
+------------------------------------------------------------------------------+


default - if checked, all other fields are disabled and the defaults for the current security setup are used
[Add Body] - adds Body to the table with Sign checked by default
[Add Header...] - opens a dialog to choose a header from a list (all possible headers are pre-filled)
[Add XPath] - adds the text 'xpath' to the table with Require checked by default; the user should edit the text
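As an added example (not the module's own code), the Python below turns a Message Parts table like the one in Screen 4c into WS-SecurityPolicy 1.1 assertions and flags any part that would be encrypted without also being signed, which is the check a reviewer wants before such a table is saved. The row layout, the sample rows and the MessageID XPath are constructed for the example; the rule that Require is only expressible for XPath rows (sp:RequiredElements) is this example's assumption about WS-SecurityPolicy 1.1.

```python
import xml.etree.ElementTree as ET

SP = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"   # WS-SecurityPolicy 1.1
WSA = "http://www.w3.org/2005/08/addressing"                  # WS-Addressing 1.0 (ReplyTo)
ET.register_namespace("sp", SP)


def sp(local):
    return "{%s}%s" % (SP, local)


# Constructed sample table: the rows of Screen 4c (including the repeated Body
# row) plus one XPath row. 'name'/'namespace' apply to Header rows and 'xpath'
# to XPath rows; 'sign', 'encrypt' and 'require' are the three checkbox columns.
SAMPLE_ROWS = [
    {"kind": "Body", "sign": True},
    {"kind": "Header", "name": "ReplyTo", "namespace": WSA, "sign": True, "encrypt": True},
    {"kind": "Body", "sign": True},                                  # duplicate of row 1
    {"kind": "XPath", "xpath": "/S:Envelope/S:Header/wsa:MessageID", "require": True},
]


def _key(row):
    return (row["kind"], row.get("name"), row.get("namespace"), row.get("xpath"))


def message_parts_policy(rows, default=False):
    """Return the sp:* protection assertions for a Message Parts table.

    With 'default' checked the table is ignored and an empty list is returned
    (the defaults of the selected security profile apply). Body and Header rows
    become sp:SignedParts / sp:EncryptedParts; XPath rows become
    sp:SignedElements / sp:EncryptedElements / sp:RequiredElements. A part
    listed twice is emitted once.
    """
    if default:
        return []
    parts = {"SignedParts": [], "EncryptedParts": []}
    elements = {"SignedElements": [], "EncryptedElements": [], "RequiredElements": []}
    seen = set()
    for row in rows:
        if _key(row) in seen:
            continue
        seen.add(_key(row))
        if row["kind"] == "XPath":
            for col, name in (("sign", "SignedElements"), ("encrypt", "EncryptedElements"),
                              ("require", "RequiredElements")):
                if row.get(col):
                    elements[name].append(row["xpath"])
        else:
            if row.get("require"):
                # Assumption: WS-SecurityPolicy 1.1 has no RequiredParts assertion,
                # so Require can only be expressed for XPath rows.
                raise ValueError("Require is only supported on XPath rows")
            for col, name in (("sign", "SignedParts"), ("encrypt", "EncryptedParts")):
                if row.get(col):
                    parts[name].append(row)
    out = []
    for name, part_rows in parts.items():
        if part_rows:
            el = ET.Element(sp(name))
            for r in part_rows:
                if r["kind"] == "Body":
                    ET.SubElement(el, sp("Body"))
                else:
                    ET.SubElement(el, sp("Header"), {"Name": r["name"], "Namespace": r["namespace"]})
            out.append(el)
    for name, xpaths in elements.items():
        if xpaths:
            el = ET.Element(sp(name))
            for xp in xpaths:
                ET.SubElement(el, sp("XPath")).text = xp
            out.append(el)
    return out


def unsigned_encrypted(rows):
    """Rows that are encrypted but not signed. Encryption alone gives the
    recipient no integrity or origin guarantee for that part, so such rows
    deserve a second look before the policy is saved."""
    return [r.get("name") or r.get("xpath") or r["kind"]
            for r in rows if r.get("encrypt") and not r.get("sign")]


def assertion_names(assertions):
    return [a.tag.split("}")[1] for a in assertions]


def to_xml(assertions):
    return "".join(ET.tostring(a, encoding="unicode") for a in assertions)
```

For the sample table this yields one sp:SignedParts (Body and the ReplyTo header), one sp:EncryptedParts (the ReplyTo header only) and one sp:RequiredElements with the MessageID XPath; `unsigned_encrypted` is empty because the only encrypted part is also signed.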

Screen 5 - STS configuration

+------Secure Token Service --------------------------------------------------+
| Contract Implementation Class: |_______________________________| [Browse...]|
| Issuer: |______________________________________________________|            |
| Lifetime Of Issued Tokens: |___________________________________|            |
| [ ] Encrypt Issued Key                                                      |
| [ ] Encrypt Issued Token                                                    |
|                                                                             |
| Service Providers:                                                          |
| +---------------------------------------------------------+  [Add...]       |
| |                                                         |  [Edit...]      |
| |                                                         |  [Remove...]    |    
| +---------------------------------------------------------+                 |
|                                                                             |
|                                                                             |
|                                                    [  OK  ] [  Cancel  ]    |
+-----------------------------------------------------------------------------+

Contract Implementation Class - class should extend com.sun.xml.ws.trust.impl.IssueSamlTokenContractImpl
[Add...], [Edit...] - lead to screen 6 for specifying the service providers communicating with this STS
Lifetime of issued tokens - default value is 36000

Screen 6 - Specifying STS Service Provider

+------Service Provider-------------------------------------------------------+
| Provider Endpoint URL: |__________________________________________________| |
| Token Type: |_____________________________________________________________| |
| Certificate Alias: |______________________________________________________| |
|                                                                             |
|                                                    [  OK  ] [  Cancel  ]    |
+-----------------------------------------------------------------------------+

Token Type - default value: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1

WSIT panel - Client

The configuration is accessible through the 'Edit WS Attributes' action on the Web Service References node. The action opens a dialog with several panels, each representing a different set of attributes of the service: one is the WSDL customization view, another is the WSIT configuration or the AM Security configuration.

+-----Edit WS Attributes---------------------------------------------+
| ___________________________                                        |
| | Customizations |//WSIT//|                                        |
| +----------------------------------------------------------------+ |
| |                                                                | |
| | Transport:                                                     | |
| |                                                                | |
| |    [ ] Automatically Select Optimal Encoding (XML/Fast Infoset)| |
| |    [ ] Automatically Select Optimal Transport (HTTP/TCP)       | |
| |                                                                | |
| | Certificates:                                                  | |
| |                                                                | |
| |  Keystore Location: |____________________________| [Browse...] | |
| |  Keystore Password: |____________________________|             | |
| |  Key Password:      |____________________________|             | |
| |  Keystore Alias:    |___________________________v|             | |
| |                                                                | |
| |  Truststore Location: |__________________________| [Browse...] | |
| |  Truststore Password: |__________________________|             | |
| |  Truststore Alias:    |_________________________v|             | |
| |                                                                | |
| | Callback:                                                      | |
| |                                                                | |
| |  Default Username: |_____________________________|             | |
| |  Default Password: |_____________________________|             | |
| |                                                                | |
| |  CallbackHandler:  |_____________________________| [Browse...] | |
| |                                                                | |
| | Secure Token Service (STS):                                    | |
| |                                                                | |
| |  Endpoint: |_____________________________________|             | |
| |  WSDL Location: |________________________________|             | |
| |  Service Name:  |________________________________|             | |
| |  Port Name:     |________________________________|             | |
| |  Namespace:     |________________________________|             | |
| |                                                                | |
| |                                                                | |
| |                                                                | |
| |                                                                | |
| +----------------------------------------------------------------+ |
|                                                                    |
| [Error message...................................................] |
|                                                                    |
+--------------------------------------------------------------------+

All fields are shown or hidden based on the service policy configuration, as described in the policy profiles document.
The STS configuration section is present only if the service policy contains an Issued token.
If no fields are required, only the text "No configuration required." is shown in the WSIT panel.
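To make the visibility rule concrete, here is an added Python example (not part of the NetBeans module or WSIT) that reads a service policy and decides which groups of the client panel above are needed. The two sample policies and the STS address in them are constructed for the example; only the "Issued token requires STS configuration" rule comes from this page, while the Certificates and Callback mappings are the example's own assumptions, as is using the sp:Issuer address as the default for the STS Endpoint field.

```python
import xml.etree.ElementTree as ET

SP = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"   # WS-SecurityPolicy 1.1
WSA = "http://www.w3.org/2005/08/addressing"                  # WS-Addressing 1.0

# Constructed sample service policies (not taken from any real service).
# 1) Symmetric binding keyed by an STS-issued token plus a signed Username
#    supporting token; the sp:Issuer address is a made-up STS endpoint.
ISSUED_TOKEN_POLICY = """<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
  xmlns:sp="%s" xmlns:wsa="%s">
  <wsp:ExactlyOne><wsp:All>
    <sp:SymmetricBinding><wsp:Policy>
      <sp:ProtectionToken><wsp:Policy>
        <sp:IssuedToken>
          <sp:Issuer><wsa:Address>http://sts.example.test/sts</wsa:Address></sp:Issuer>
          <sp:RequestSecurityTokenTemplate/>
        </sp:IssuedToken>
      </wsp:Policy></sp:ProtectionToken>
      <sp:AlgorithmSuite><wsp:Policy><sp:Basic128/></wsp:Policy></sp:AlgorithmSuite>
      <sp:Layout><wsp:Policy><sp:Strict/></wsp:Policy></sp:Layout>
      <sp:IncludeTimestamp/>
    </wsp:Policy></sp:SymmetricBinding>
    <sp:SignedSupportingTokens><wsp:Policy><sp:UsernameToken/></wsp:Policy></sp:SignedSupportingTokens>
  </wsp:All></wsp:ExactlyOne>
</wsp:Policy>""" % (SP, WSA)

# 2) Plain transport security: server-side SSL only, no client certificate.
TRANSPORT_POLICY = """<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:sp="%s">
  <wsp:ExactlyOne><wsp:All>
    <sp:TransportBinding><wsp:Policy>
      <sp:TransportToken><wsp:Policy><sp:HttpsToken RequireClientCertificate="false"/></wsp:Policy></sp:TransportToken>
      <sp:AlgorithmSuite><wsp:Policy><sp:Basic128/></wsp:Policy></sp:AlgorithmSuite>
      <sp:Layout><wsp:Policy><sp:Strict/></wsp:Policy></sp:Layout>
    </wsp:Policy></sp:TransportBinding>
  </wsp:All></wsp:ExactlyOne>
</wsp:Policy>""" % SP


def _has(root, local):
    return root.find(".//{%s}%s" % (SP, local)) is not None


def required_client_groups(policy_xml):
    """Groups of the client WSIT panel that the service policy requires.

    Only the IssuedToken -> STS rule is stated in the spec; the other mappings
    are this example's assumptions about which tokens need client-side keys,
    trusted certificates or a username callback.
    """
    root = ET.fromstring(policy_xml)
    groups = []
    needs_client_cert = any(h.get("RequireClientCertificate") == "true"
                            for h in root.iter("{%s}HttpsToken" % SP))
    # X509/SAML/issued tokens all involve the service's certificate (truststore)
    # and, for X509 and client-side SSL certificates, a client key (keystore).
    if needs_client_cert or any(_has(root, t) for t in ("X509Token", "SamlToken", "IssuedToken")):
        groups.append("Certificates")
    if _has(root, "UsernameToken"):
        groups.append("Callback")
    if _has(root, "IssuedToken"):
        groups.append("Secure Token Service (STS)")
    return groups


def sts_issuer_address(policy_xml):
    """wsa:Address of the sp:Issuer, a natural default for the STS 'Endpoint'
    field; None when the policy carries no issuer address."""
    root = ET.fromstring(policy_xml)
    addr = root.find(".//{%s}Issuer/{%s}Address" % (SP, WSA))
    return addr.text.strip() if addr is not None and addr.text else None


def panel_text(groups):
    """What the client panel shows: the group names, or the 'nothing to do' text."""
    return ", ".join(groups) if groups else "No configuration required."
```

The issued-token policy needs all three groups (certificates, the username callback and the STS section), while the SSL-only policy needs none and the panel would show "No configuration required."; flipping RequireClientCertificate to "true" brings the Certificates group back, since the client then has to present its own key.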

STS Wizard

The STS Wizard creates an STS which can then be configured in the same manner as a general service. However, its implementation is completely different and not straightforward, so a wizard is required. The input of the wizard is the name of the implementation class, and the output is an STS (Provider implementation class, STS WSDL, WSIT configuration file) with a predefined set of policies.

http://wiki.netbeans.org/wiki/attach/WSIT10UISpec/NewSTSWizards.png