String delegateId = null;
Element onBehalfOfToken = null;
Set<Object> publicCred = ctx.getRequestorSubject().getPublicCredentials();
for (Iterator<Object> it = publicCred.iterator(); it.hasNext();) {
    Object publicCredentialsObject = it.next();
    if (publicCredentialsObject instanceof X509Certificate) {
        X509Certificate subjectX509Certificate = (X509Certificate) publicCredentialsObject;
        // Delegate ID is determined from the Entity Certificate number.
        delegateId = tf.getEntityId(subjectX509Certificate);
    } else if (publicCredentialsObject instanceof Element) {
        // The OnBehalfOf token is the original user assertion, carried as a DOM Element.
        onBehalfOfToken = (Element) publicCredentialsObject;
    }
}



A SAML Token Assertion included within an OnBehalfOf element has to be validated according to the normative conformance requirements outlined in section 8.8.2 of the S2S. Sample code validating the included SAML Token Assertion can be located in the GWSS2SPSI in the “gov.niem.ws.sample.cvc.sts.GFIPMSTSTokenProvider” class.

The sample code in “gov.niem.ws.sample.cvc.sts.GFIPMSTSTokenProvider” also shows how to generate a SAML 2.0 Assertion and how to sign it according to the S2S specification.
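The signing step the paragraph above refers to, as an added example that is not the GWSS2SPSI code: it builds a minimal SAML 2.0 assertion, signs it with an enveloped XML Signature using only the JDK's javax.xml.crypto API, and then verifies it. The RSA key pair, the constructed assertion and the class name SamlAssertionSigner are assumptions standing in for the IDP STS keystore entry and the token the GFIPMSTSTokenProvider class produces. The verifier deliberately supplies the issuer key it already trusts instead of reading a key out of the token's KeyInfo, and checks that the single reference covers the assertion element itself; both are points a relying party has to get right.

```java
import java.io.StringReader;
import java.io.StringWriter;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.util.Collections;
import javax.xml.XMLConstants;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class SamlAssertionSigner {
    static final String SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    // Constructed, unsigned assertion standing in for what the STS token provider builds.
    static final String ASSERTION =
        "<saml:Assertion xmlns:saml=\"" + SAML_NS + "\" ID=\"_a1\" Version=\"2.0\""
        + " IssueInstant=\"2012-01-01T00:00:00Z\">"
        + "<saml:Issuer>cureidpm2</saml:Issuer>"
        + "<saml:Subject><saml:NameID>bob</saml:NameID>"
        + "<saml:SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\"/></saml:Subject>"
        + "</saml:Assertion>";

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD, no XXE
        Document doc = f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
        doc.getDocumentElement().setIdAttribute("ID", true); // lets "#_a1" resolve during sign/verify
        return doc;
    }

    /** Enveloped signature over the whole assertion, placed right after saml:Issuer as SAML 2.0 requires. */
    static void sign(Document doc, KeyPair issuerKey) throws Exception {
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Element assertion = doc.getDocumentElement();
        Reference ref = fac.newReference("#" + assertion.getAttribute("ID"),
            fac.newDigestMethod(DigestMethod.SHA256, null),
            Collections.singletonList(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
            null, null);
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            fac.newSignatureMethod(RSA_SHA256, null),
            Collections.singletonList(ref));
        // No KeyInfo on purpose: the relying party uses the issuer key it already trusts (from the CTF),
        // never a key carried inside the token it is about to trust.
        XMLSignature sig = fac.newXMLSignature(si, null);
        Element issuer = (Element) assertion.getElementsByTagNameNS(SAML_NS, "Issuer").item(0);
        sig.sign(new DOMSignContext(issuerKey.getPrivate(), assertion, issuer.getNextSibling()));
    }

    /** Verifies with the trusted issuer key and insists the one reference covers the assertion itself. */
    static boolean verify(Document doc, PublicKey trustedIssuerKey) throws Exception {
        NodeList nl = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (nl.getLength() != 1) return false;
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        DOMValidateContext vc = new DOMValidateContext(trustedIssuerKey, nl.item(0));
        XMLSignature sig = fac.unmarshalXMLSignature(vc);
        if (!sig.validate(vc)) return false;
        if (sig.getSignedInfo().getReferences().size() != 1) return false;
        Reference r = (Reference) sig.getSignedInfo().getReferences().get(0);
        return r.getURI().equals("#" + doc.getDocumentElement().getAttribute("ID"));
    }

    static String serialize(Document doc) throws Exception {
        StringWriter w = new StringWriter();
        TransformerFactory.newInstance().newTransformer().transform(new DOMSource(doc), new StreamResult(w));
        return w.toString();
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair issuerKey = kpg.generateKeyPair(); // stands in for the IDP STS keystore entry

        Document doc = parse(ASSERTION);
        sign(doc, issuerKey);
        String signed = serialize(doc);
        System.out.println("signed assertion verifies: " + verify(parse(signed), issuerKey.getPublic()));

        // Changing signed content (the subject) must break verification.
        String tampered = signed.replace("<saml:NameID>bob", "<saml:NameID>alice");
        System.out.println("tampered assertion verifies: " + verify(parse(tampered), issuerKey.getPublic()));
    }
}
```

Metro performs the equivalent signing inside the token provider; the example only makes the trust decision visible: which key signs, where the verifier gets the key it checks against, and what the signature actually covers.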

3.1.5.1.2 Attribute Generation

The SAML Attribute generation is performed by the “GFIPMSTSAttributeProvider” class located in the src/main/java/gov/niem/ws/sample/cvc/sts directory. This class implements the “com.sun.xml.ws.api.security.trust.STSAttributeProvider” interface. A custom STS Attribute Provider is configured through the “com.sun.xml.ws.api.security.trust.STSAttributeProvider” file located in the “src/main/resources/META-INF/services” directory.

For a request sent to the IDP STS, the attribute provider creates new GFIPM User Assertion attributes as shown on the following code snippet:

For the request to the ADS using OnBehalfOf, the attribute provider copies attributes from the original SAML Assertion token. There are several ways to obtain the SAML Assertion from the OnBehalfOf element. Obtaining the original SAML Assertion through the subject’s public credentials is shown on the code snippet below:



Map<QName, List<String>> attrs = new HashMap<QName, List<String>>();
addAttribute(attrs, "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
        "gfipm:2.0:user:EmployerName", "Dundler Mifflin");

private void addAttribute(Map<QName, List<String>> attrs, String nameFormat, String name,
        String value) {
    QName testQName = new QName(nameFormat, name);
    List<String> testAttrs = new ArrayList<String>();
    testAttrs.add(value);
    attrs.put(testQName, testAttrs);
}


Set<Object> publicCredential = subject.getPublicCredentials();
Element onBehalfOfElement = null;
for (Object obj : publicCredential) {
    if (obj instanceof XMLStreamReader) {
        XMLStreamReader reader = (XMLStreamReader) obj;
        onBehalfOfElement = SAMLUtil.createSAMLAssertion(reader);
    } else if (obj instanceof Element) {
        onBehalfOfElement = (Element) obj;
    }
}
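The credential walk and the attribute copy described above, as an added example that is not the GFIPMSTSAttributeProvider code: a constructed IDP-issued assertion is parsed with a DTD-disabled DOM parser, located among the javax.security.auth.Subject public credentials the way the snippet does, checked for the bearer confirmation method an IDP-issued token carries, and its saml:Attribute elements are copied into the Map<QName, List<String>> shape an STSAttributeProvider returns. The class name OnBehalfOfAttributeCopier, the sample assertion and the placeholder attribute added at the end are assumptions.

```java
import java.io.StringReader;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.security.auth.Subject;
import javax.xml.XMLConstants;
import javax.xml.namespace.QName;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class OnBehalfOfAttributeCopier {
    static final String SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    static final String BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer";
    static final String URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri";

    // Constructed IDP-issued assertion; in the sample it arrives as the OnBehalfOf token.
    static final String IDP_ASSERTION =
        "<saml:Assertion xmlns:saml=\"" + SAML_NS + "\" ID=\"_u1\" Version=\"2.0\">"
        + "<saml:Issuer>cureidpm2</saml:Issuer>"
        + "<saml:Subject><saml:NameID>bob</saml:NameID>"
        + "<saml:SubjectConfirmation Method=\"" + BEARER + "\"/></saml:Subject>"
        + "<saml:AttributeStatement>"
        + "<saml:Attribute Name=\"gfipm:2.0:user:EmployerName\" NameFormat=\"" + URI_FORMAT + "\">"
        + "<saml:AttributeValue>Dundler Mifflin</saml:AttributeValue></saml:Attribute>"
        + "<saml:Attribute Name=\"gfipm:2.0:user:CitizenshipCode\" NameFormat=\"" + URI_FORMAT + "\">"
        + "<saml:AttributeValue>US</saml:AttributeValue></saml:Attribute>"
        + "</saml:AttributeStatement></saml:Assertion>";

    static Element parseAssertion(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD, no XXE
        return f.newDocumentBuilder().parse(new InputSource(new StringReader(xml))).getDocumentElement();
    }

    /** Picks the OnBehalfOf assertion out of the requestor Subject, as the STS sample does. */
    static Element findOnBehalfOfToken(Subject subject) {
        Element token = null;
        for (Object cred : subject.getPublicCredentials()) {
            if (!(cred instanceof Element)) continue;
            Element e = (Element) cred;
            if (SAML_NS.equals(e.getNamespaceURI()) && "Assertion".equals(e.getLocalName())) {
                if (token != null) throw new IllegalStateException("more than one OnBehalfOf assertion");
                token = e;
            }
        }
        if (token == null) throw new IllegalStateException("no OnBehalfOf assertion in subject credentials");
        return token;
    }

    /** Copies saml:Attribute elements into the map shape the attribute provider returns. */
    static Map<QName, List<String>> copyAttributes(Element assertion) {
        String method = null;
        NodeList sc = assertion.getElementsByTagNameNS(SAML_NS, "SubjectConfirmation");
        if (sc.getLength() > 0) method = ((Element) sc.item(0)).getAttribute("Method");
        if (!BEARER.equals(method)) { // a user-presented IDP token is bearer; anything else is suspect
            throw new IllegalArgumentException("unexpected confirmation method: " + method);
        }
        Map<QName, List<String>> attrs = new HashMap<QName, List<String>>();
        NodeList attributes = assertion.getElementsByTagNameNS(SAML_NS, "Attribute");
        for (int i = 0; i < attributes.getLength(); i++) {
            Element a = (Element) attributes.item(i);
            NodeList values = a.getElementsByTagNameNS(SAML_NS, "AttributeValue");
            for (int j = 0; j < values.getLength(); j++) {
                addAttribute(attrs, a.getAttribute("NameFormat"), a.getAttribute("Name"),
                        values.item(j).getTextContent());
            }
        }
        return attrs;
    }

    // Same helper as the sample, except that multi-valued attributes append instead of overwriting.
    static void addAttribute(Map<QName, List<String>> attrs, String nameFormat, String name, String value) {
        QName key = new QName(nameFormat, name);
        List<String> list = attrs.get(key);
        if (list == null) { list = new ArrayList<String>(); attrs.put(key, list); }
        list.add(value);
    }

    public static void main(String[] args) throws Exception {
        Subject subject = new Subject();
        subject.getPublicCredentials().add(parseAssertion(IDP_ASSERTION));
        Map<QName, List<String>> attrs = copyAttributes(findOnBehalfOfToken(subject));
        // The ADS may add attributes of its own on top of the copied ones (placeholder name).
        addAttribute(attrs, URI_FORMAT, "example:ads:AddedAttribute", "constructed-value");
        for (Map.Entry<QName, List<String>> e : attrs.entrySet()) {
            System.out.println(e.getKey().getLocalPart() + " = " + e.getValue());
        }
    }
}
```

Rejecting a second assertion in the credential set, and refusing a token whose confirmation method is not the one expected at this hop, are the two checks that keep an attribute copy from silently promoting attributes out of a token the STS never meant to honour.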



Obtaining the original SAML Assertion through Claims is shown in the code snippet below:


3.1.5.1.3 IDP SLA Implementation

The IDP STS is deployed under the following URL: https://cureidpm2:8181/m2sts/services/idp?wsdl

The IDP STS is implemented by the gov.niem.ws.sample.cvc.sts.IDPImpl class located in the src/main/java/gov/niem/ws/sample/cvc/sts directory.

The IDP STS uses the SLA security policy stipulated in the “src/wsdl/idp.wsdl” file.

The SLA for the IDP STS is not subject to S2S specification requirements. Attachment D: Sample SLA Security Policy for IDP STS includes two sample alternatives available for user authentication to the IDP: (1) Using Username Token and Secure Transport, and (2) Using Username Token and Server Certificate.

User authentication for a user name / password combination is provided through the sample “gov.niem.ws.sample.cvc.service.GFIPMUsernamePasswordValidator” class. The Username validator for Metro is configured through the “src/wsdl/idp.wsdl” file as follows:


The sample includes hardcoded sample user names and passwords: “bob:bob” and “alice:alice”.

The IDP STS configuration in “src/wsdl/idp.wsdl” allows the service to issue tokens only for the WSC Service EndPoints (SEP) of “curewscm2” and “ha50wscm2” as shown on the code snippet below:

public Map<QName, List<String>> getClaimedAttributes(Subject subject, String appliesTo, String tokenType, Claims claims) {
    Map<QName, List<String>> attrs = new HashMap<QName, List<String>>();
    if ("true".equals(claims.getOtherAttributes().get(new QName("OnBehalfOf")))) {
        // Get the OnBehalfOf token
        Element token = null;
        for (Object obj : claims.getSupportingProperties()) {
            if (obj instanceof Subject) {
                token = (Element) ((Subject) obj).getPublicCredentials().iterator().next();
                break;
            }
        }
        // retrieve attributes from the original token and add them to the new assertion
        addAttributes(token, attrs, true);
    }
    return attrs;
}


<sc:ValidatorConfiguration wspp:visibility="private" revocationEnabled="false">
    <sc:Validator name="usernameValidator"
        classname="gov.niem.ws.sample.cvc.service.GFIPMUsernamePasswordValidator"/>
</sc:ValidatorConfiguration>
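The hardcoded “bob:bob” and “alice:alice” pairs are fine for a sample, but a username validator that ships is better off never holding passwords at all. The following added example (not the GFIPMUsernamePasswordValidator class) keeps only a per-user salt and a PBKDF2-SHA256 hash, compares in constant time, and runs the same key derivation for unknown user names so that response time does not reveal which accounts exist. The class name and the in-memory store are assumptions; wiring it into Metro's PasswordValidationCallback is the validator class's job and is not shown.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/** Hashed-credential stand-in for the sample's plaintext user name / password table. */
public class HashedUsernamePasswordValidator {
    static final int ITERATIONS = 210000;
    static final int SALT_BYTES = 16;
    static final int KEY_BITS = 256;

    static final class Record {
        final byte[] salt;
        final byte[] hash;
        Record(byte[] salt, byte[] hash) { this.salt = salt; this.hash = hash; }
    }

    private final Map<String, Record> store = new HashMap<String, Record>();
    private final SecureRandom random = new SecureRandom();

    static byte[] pbkdf2(char[] password, byte[] salt) throws Exception {
        KeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }

    /** Enrols a user; only salt and hash are retained, the password itself is never stored. */
    void enrol(String username, char[] password) throws Exception {
        byte[] salt = new byte[SALT_BYTES];
        random.nextBytes(salt);
        store.put(username, new Record(salt, pbkdf2(password, salt)));
    }

    /** True only for a known user with the right password; the timing is the same either way. */
    boolean validate(String username, char[] password) throws Exception {
        Record r = store.get(username);
        // Unknown user: still run the KDF against a dummy record so the response takes as long
        // as a wrong password would (no user enumeration through timing).
        byte[] salt = (r != null) ? r.salt : new byte[SALT_BYTES];
        byte[] expected = (r != null) ? r.hash : new byte[KEY_BITS / 8];
        byte[] actual = pbkdf2(password, salt);
        boolean match = MessageDigest.isEqual(expected, actual); // constant-time comparison
        return r != null && match;
    }

    public static void main(String[] args) throws Exception {
        HashedUsernamePasswordValidator v = new HashedUsernamePasswordValidator();
        v.enrol("bob", "bob".toCharArray());     // the guide's sample users
        v.enrol("alice", "alice".toCharArray());
        System.out.println("bob/bob     -> " + v.validate("bob", "bob".toCharArray()));
        System.out.println("bob/alice   -> " + v.validate("bob", "alice".toCharArray()));
        System.out.println("mallory/x   -> " + v.validate("mallory", "x".toCharArray()));
    }
}
```

The STS still needs to bind this to the transport the SLA alternatives above require (secure transport or server certificate); hashing only protects the stored credentials, not the credential in flight.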




3.1.5.1.4 ADS SLA Implementation

The ADS STS is deployed under the following URL: https://cureidpm2:8181/m2sts/services/sts?wsdl


The ADS STS is implemented by the gov.niem.ws.sample.cvc.sts.STSImpl class located in the src/main/java/gov/niem/ws/sample/cvc/sts directory.

The ADS STS uses the SLA security policy stipulated in the “src/wsdl/sts.wsdl” file.


The SLA for an ADS STS is subject to the GFIPM WS S2S Consumer-Provider Model 1 specification requirements and is included in the Attachment E: Sample SLA Security Policy for ADS STS. The ADS STS SLA uses mutual certificates authentication described in the WSP Implementation.

In accordance with the S2S Consumer-Provider Model 1 specification requirements, the ADS STS SLA requires use of Transport Level Security (TLS). TLS is implemented through the Glassfish domain container.

3.1.5.1.5 ADS Certificate Validation

To provide the WSC certificate validation against the GFIPM CTF, it is necessary to include a custom certificate validator. A custom certificate validator is implemented in the gov.niem.ws.sample.cvc.service.GFIPMCertificateValidator class, and is configured in the src/wsdl/sts.wsdl file as follows:



<tc:STSConfiguration wspp:visibility="private" encryptIssuedKey="false" encryptIssuedToken="false">
    <tc:Contract>com.sun.xml.ws.security.trust.impl.WSTrustContractImpl</tc:Contract>
    <tc:LifeTime>300000</tc:LifeTime>
    <tc:Issuer>cureidpm2</tc:Issuer>
    <tc:ServiceProviders>
        <!-- Metro WSC -->
        <tc:ServiceProvider endpoint="https://curewscm2:8181/m2wsc/services/cvc">
            <tc:CertAlias>curewscm2</tc:CertAlias>
            <tc:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</tc:TokenType>
        </tc:ServiceProvider>
        <!-- .NET WSC -->
        <tc:ServiceProvider endpoint="https://ha50wscm2:8643/Model2/Service.svc">
            <tc:CertAlias>ha50wscm2</tc:CertAlias>
            <tc:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</tc:TokenType>
        </tc:ServiceProvider>
    </tc:ServiceProviders>
</tc:STSConfiguration>

<sc:ValidatorConfiguration wspp:visibility="private" revocationEnabled="false">
    <sc:Validator name="certificateValidator"
        classname="gov.niem.ws.sample.cvc.service.GFIPMCertificateValidator"/>
</sc:ValidatorConfiguration>



The custom certificate validator class, gov.niem.ws.sample.cvc.service.GFIPMCertificateValidator, provides full X.509 certificate validation and shows an example of accessing the GFIPM CTF. The certificate validator also shows how to initialize and access the keystore shipped with the application using the “src/main/resources/gfipm-security-env.properties” properties file. The listing below shows the location of the keystores within the IDP STS.

Certificate validation can also be delegated to an abstracted access control policy framework such as the XACML framework.

The GFIPMCertificateValidator class provides certificate validation against the GFIPM CTF as shown on the code snippet below:


If validation against CTF Entity attributes is not necessary, and no end-user client certificates are installed in the STS keystore, it is possible to rely on the default Metro/Glassfish X.509 built-in certificate validation by uncommenting the “certificateValidator” configuration in the sts.wsdl file.


3.1.5.2 WSC Implementation (Model 2)

The Web Service Consumer (WSC) for the User-Consumer-Provider (Model 2) SIP plays a double role and structurally consists of two modules: WSC Service and WSC Client. The WSC works as a proxy service by receiving the request from the Client, performing the necessary business operations and applicable security tasks, propagating the request to the WSP, processing the response and finally propagating it back to the Client.

The WSC includes a preconfigured trust keystore and private keystore that are used for both the WSC Service and WSC Client components.


3.1.5.2.1 WSC Service Implementation

The WSC Service is responsible for accepting a request from the Client and handling the initial SAML Assertion token from the Client. This token is a prerequisite for the subsequent exchanges described in S2S for Model 2.

The WSC Service is deployed under the following URL: https://curewscm2:8181/m2wsc/services/cvc


src/main/resources/META-INF/cureidpm2-cacerts.jks
src/main/resources/META-INF/cureidpm2-keystore.jks


String entityId = null;
entityId = tf.getEntityId(certificate);
// Reject a peer whose certificate is not in the CTF at all, or is listed there but not as a WSC.
if ((entityId == null) || (!tf.isWebServiceConsumer(entityId))) {
    log.log(Level.WARNING, "Unauthorized attempt to access ADS");
    throw new CertificateValidationException("Unauthorized attempt to access ADS");
}


src/main/resources/META-INF/curewscm2-cacerts.jks
src/main/resources/META-INF/curewscm2-keystore.jks



For simplicity, the WSC Service exposes the Service Contract that is described earlier, and uses the Information Exchange Service Contract Implementation Library. However, the WSC Service is not subject to GFIPM WS S2S requirements. The WSC Service Contract is stated in the following files:



The WSC Service uses the SLA security policy stipulated in the CommercialVehicleCollisionWebserviceIntf.wsdl file. The WSC Service relies on the default Glassfish / Metro certificate validation of incoming requests against certificates in the trust keystores and is configured as follows:


The WSC Service SLA policy requires the Client to present a SAML 2.0 Assertion Token obtained from an IDP STS. No Issuer is specified, leaving it up to the client to determine the IDP STS to connect to in order to obtain the SAML Assertion Token. An obtained token will use “urn:oasis:names:tc:SAML:2.0:cm:bearer” as the value for the Method in the SubjectConfirmation element, according to the WSC Service SLA shown below:


A client authenticates to an IDP STS of its choice (see IDP SLA Implementation) and obtains a SAML 2.0 Assertion token containing GFIPM Assertion Attributes, then submits a request to the WSC Service.


src/wsdl/CommercialVehicleCollisionExchangeSchema.xsd
src/wsdl/CommercialVehicleCollisionMessageSchema.xsd
src/wsdl/CommercialVehicleCollisionWebserviceImpl.wsdl
src/wsdl/CommercialVehicleCollisionWebserviceIntf.wsdl


<sc:KeyStore wspp:visibility="private" location="curewscm2-keystore.jks" type="JKS"
    storepass="changeit" alias="curewscm2"/>
<sc:TrustStore wspp:visibility="private" location="curewscm2-cacerts.jks" type="JKS"
    storepass="changeit"/>


<sp:SignedSupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
    <wsp:Policy>
        <sp:IssuedToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
            <sp:RequestSecurityTokenTemplate>
                <t:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</t:TokenType>
                <t:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</t:KeyType>
            </sp:RequestSecurityTokenTemplate>
            <wsp:Policy>
                <sp:RequireInternalReference/>
            </wsp:Policy>
        </sp:IssuedToken>
    </wsp:Policy>
</sp:SignedSupportingTokens>



The WSC Service provides a SAML Assertion validator that is configured through the service WSDL (CommercialVehicleCollisionWebserviceIntf.wsdl) as follows:


The SAML Assertion validator does not need to conform to the GFIPM WS S2S specification; however, it provides sample code that shows how to process incoming SAML Assertion tokens and prepare them for future reuse in the application:


The WSC Service is implemented by the CommercialVehicleCollisionWebServiceImpl class located in the src/main/java/gov/niem/ws/sample/cvc/service directory.

The WSC Service obtains a reference to the current javax.xml.ws.WebServiceContext and invokes the WSC Client to submit a request to a WSP as follows:


3.1.5.2.2 WSC Client Implementation

The WSC Client is responsible for obtaining a new SAML Assertion token from the ADS based on the initial SAML token used by the command line Client. The WSC Client is also responsible for the exchanges with the WSP.

The WSC Client uses the Information Exchange Service Contract Implementation Library to create a connection to the WSP service, retrieves the SAML Assertion from the context where it was placed previously by the SAMLAssertionValidator, sets the proper Service Endpoint for the WSP, and then invokes the WSP service call.


<sc:ValidatorConfiguration wspp:visibility="private" revocationEnabled="false">
    <sc:Validator name="samlAssertionValidator"
        classname="gov.niem.ws.sample.cvc.service.GFIPMSAMLAssertionValidatorWSC"/>
</sc:ValidatorConfiguration>


public void validate(XMLStreamReader xmlStreamerReader, Map map, Subject sbjct) throws SAMLValidationException {
    Element domSamlAssertion = SAMLUtil.createSAMLAssertion(xmlStreamerReader);
    // To be able to access the SAML assertion later through
    // SubjectAccessor.getRequesterSubject(context), add it to the subject's public credentials here.
    sbjct.getPublicCredentials().add(domSamlAssertion);
}

public class CommercialVehicleCollisionWebServiceImpl implements CommercialVehicleCollisionPortType {

    @Resource
    WebServiceContext wsContext;

    @Override
    public GetDocumentResponseType getDocument(GetDocumentRequestType parameters) {
        // The WSC Client receives the WebServiceContext so it can pick up the user's SAML assertion.
        String wspIncidentText = (new CommercialVehicleCollisionWSCClient()).getIncidentText(wsContext);




During the invocation of the WSP service, based on the retrieved WSP SLA policy, the WSC Client invokes the local “gov.niem.ws.sample.cvc.client.GFIPMWSCSamlCallbackHandler” class to obtain the required WSP SAML Assertion token that is to be provided to the WSP.

When invoked, the SAML callback handler retrieves the original SAML Assertion token of the user from the callback runtime properties and then requests a new SAML Assertion. The new SAML Assertion is set for the call to the WSP.

The code snippet below shows the steps that are described above:


The code snippet below shows how to retrieve a new SAML Assertion from an ADS STS. In conformance with the S2S ADS SIP section 8.8, the request sent to an ADS uses the OnBehalfOf element to include the original SAML Assertion that the user received from an IDP STS.

The code also shows how to dynamically obtain the ADS service endpoint and WSDL location from the GFIPM CTF. The Metro ADS implementation keeps the service name, port name, and namespace consistent in the ADS WSDL, while .NET implementations might have different values and will require a code update to accommodate the WSDL change.


CommercialVehicleCollisionPortType cvcPort;
CommercialVehicleCollisionWebService cvsWebService;

cvsWebService = new CommercialVehicleCollisionWebService(new URL(wsdlUrl),
        new QName("urn:examples.com:techniques:iepd:commercialVehicleCollision:ws:2.0",
                "CommercialVehicleCollisionWebService"));
Token samlToken = new GenericToken(GFIPMUtil.getSAMLAssertion(context));
MTOMFeature mtomFeature = new MTOMFeature(true);
cvcPort = cvsWebService.getCommercialVehicleCollisionPort(new WebServiceFeature[]{mtomFeature});
// put the initial SAML assertion obtained from the STS back into the request for the SamlCallbackHandler
((BindingProvider) cvcPort).getRequestContext().put("userSAMLAssertion", samlToken.getTokenValue());
// set the Service Endpoint
((BindingProvider) cvcPort).getRequestContext().put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, sepUrl);
GetDocumentResponseType getDocumentResponseType;
getDocumentResponseType = cvcPort.getDocument(getDocumentRequestType);

for (int i = 0; i < callbacks.length; i++) {
    if (callbacks[i] instanceof SAMLCallback) {
        SAMLCallback samlCallback = (SAMLCallback) callbacks[i];
        Map<String, Object> runtimeProps = samlCallback.getRuntimeProperties();
        // the user's original assertion, placed in the request context by the WSC Client
        Element samlAssertion = (Element) runtimeProps.get("userSAMLAssertion");
        samlAssertion = getNewSAMLAssertionFromSTS(samlAssertion);
        samlCallback.setAssertionElement(samlAssertion);
    }
}




The WSC Client is configured through the Client-Side WSIT configuration file “wsit-client.xml” located in the “src/main/resources/META-INF” directory. The Client-Side WSIT configuration file includes a separate configuration file for the WSP and the ADS as shown on the code snippet below:

The WSC Client configuration for the connection to the WSP (“src/main/resources/META-INF/CommercialVehicleCollisionWebserviceIntf.xml”) includes settings for the public and private certificates that should be used for the connection. The WSC Client configuration also includes a SAML Callback handler described in detail previously:

private Element getSAMLAssertionFromSTS(Element samlAssertion) throws WSTrustException {
    TrustFabric tf = TrustFabricFactory.getInstance();
    // ADS endpoint and WSDL location are looked up in the GFIPM CTF, not hard-coded
    String stsEndpoint = tf.getDelegatedTokenServiceEndpointAddress(issuerEntityId);
    String stsWSDLLocation = tf.getWsdlUrlAddress(issuerEntityId);
    String stsServiceName = "SecurityTokenService";
    String stsPortName = "ISecurityTokenService_Port";
    String stsNamespace = "http://tempuri.org/";
    DefaultSTSIssuedTokenConfiguration config = new DefaultSTSIssuedTokenConfiguration(
            STSIssuedTokenConfiguration.PROTOCOL_13, stsEndpoint, stsWSDLLocation,
            stsServiceName, stsPortName, stsNamespace);
    config.setTokenType(WSTrustConstants.SAML20_WSS_TOKEN_TYPE);
    // the user's original assertion goes into the OnBehalfOf element of the request
    config.setOBOToken(new GenericToken(samlAssertion));
    IssuedTokenManager manager = IssuedTokenManager.getInstance();
    IssuedTokenContext ctx = manager.createIssuedTokenContext(config, appliesTo);
    manager.getIssuedToken(ctx);
    Token issuedToken = ctx.getSecurityToken();
    return (Element) issuedToken.getTokenValue();
}

<definitions xmlns="http://schemas.xmlsoap.org/wsdl/" name="mainclientconfig">
    <import location="CommercialVehicleCollisionWebserviceImpl.xml"
        namespace="urn:examples.com:techniques:iepd:commercialVehicleCollision:ws:2.0"/>
    <import location="sts-client.xml" namespace="http://tempuri.org/"/>
</definitions>




The WSC Client configuration for the connection to the ADS (“src/main/resources/META-INF/sts-client.xml”) also includes settings for the public and private certificates that should be used for the connection:


Caching of the WSDL files to prevent WSDL queries is possible through the use of the “src/main/resources/META-INF/jax-ws-catalog.xml” configuration file.

3.1.5.3 WSP Implementation (Model 2)

The WSP is responsible for accepting a request from a WSC which is listed in the GFIPM CTF. The WSP must conform to the GFIPM WS S2S User-Consumer-Provider (Model 2) SIP requirements.

The WSP is deployed at the following URL: https://curewspm2:8181/m2wsp/services/cvc

The WSP exposes the Service Contract described earlier, and uses the Information Exchange Service Contract Implementation Library. The WSP Service Contract is stated in the following files:


<wsp:Policy wsu:Id="CalculatorServicePortBindingPolicy">
    <wsp:ExactlyOne>
        <wsp:All>
            <!-- WSP identity -->
            <scl:TrustStore wspp:visibility="private" peeralias="curewspm2" storepass="changeit"
                type="JKS" location="curewscm2-cacerts.jks"/>
            <!-- WSC Client identity -->
            <scl:KeyStore wspp:visibility="private" alias="curewscm2" storepass="changeit"
                type="JKS" location="curewscm2-keystore.jks"/>
            <scl:CallbackHandlerConfiguration wspp:visibility="private">
                <scl:CallbackHandler name="samlHandler"
                    classname="gov.niem.ws.sample.cvc.client.GFIPMWSCSamlCallbackHandler"/>
            </scl:CallbackHandlerConfiguration>
        </wsp:All>
    </wsp:ExactlyOne>
</wsp:Policy>


<wsp:Policy wsu:Id="STSClientKeystorePolicy"
    xmlns:sc="http://schemas.sun.com/2006/03/wss/client"
    xmlns:wspp="http://java.sun.com/xml/ns/wsit/policy">
    <wsp:ExactlyOne>
        <wsp:All>
            <sc:KeyStore wspp:visibility="private" location="curewscm2-keystore.jks" type="JKS"
                storepass="changeit" alias="curewscm2"/>
            <sc:TrustStore wspp:visibility="private" location="curewscm2-cacerts.jks" type="JKS"
                storepass="changeit" peeralias="cureidpm2"/>
        </wsp:All>
    </wsp:ExactlyOne>
</wsp:Policy>




The WSP includes a preconfigured trust keystore and private keystore:


3.1.5.3.1 WSP SLA Implementation

The WSP uses the SLA security policy stipulated in the “CommercialVehicleCollisionWebserviceIntf.wsdl” file.

The SLA for a WSP is subject to the GFIPM WS S2S User-Consumer-Provider SIP specification requirements and is included in the Attachment G: Sample SLA Security Policy for WSP Model 2. The WSP SLA requires attaching a user’s SAML token with the message and uses mutual certificates for authentication, message integrity and confidentiality protection.

The WSP SLA policy requires the WSC to present a SAML 2.0 Assertion Token that has been obtained from an ADS STS. An obtained token must use “urn:oasis:names:tc:SAML:2.0:cm:sender-vouches” as the value for the Method attribute in the SubjectConfirmation element.

An SLA policy snippet for the WSP is shown below:

The WSP provides a SAML Assertion validator and a Certificate validator configured through the service WSDL (CommercialVehicleCollisionWebserviceIntf.wsdl) as follows:



src/wsdl/CommercialVehicleCollisionExchangeSchema.xsd
src/wsdl/CommercialVehicleCollisionMessageSchema.xsd
src/wsdl/CommercialVehicleCollisionWebserviceImpl.wsdl
src/wsdl/CommercialVehicleCollisionWebserviceIntf.wsdl

src/main/resources/META-INF/curewspm2-cacerts.jks
src/main/resources/META-INF/curewspm2-keystore.jks


<sp:SignedEncryptedSupportingTokens>
    <wsp:Policy>
        <sp:SamlToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
            <wsp:Policy>
                <sp:WssSamlV20Token11/>
            </wsp:Policy>
        </sp:SamlToken>
    </wsp:Policy>
</sp:SignedEncryptedSupportingTokens>


<sc:ValidatorConfiguration wspp:visibility="private" revocationEnabled="false">
    <sc:Validator name="certificateValidator"
        classname="gov.niem.ws.sample.cvc.service.GFIPMCertificateValidatorWSP"/>
    <sc:Validator name="samlAssertionValidator"
        classname="gov.niem.ws.sample.cvc.service.GFIPMSAMLAssertionValidatorWSP"/>
</sc:ValidatorConfiguration>



3.1.5.3.2 Certificate Validation

The WSP provides a certificate validator configured through the service WSDL (CommercialVehicleCollisionWebserviceIntf.wsdl) as follows:


The custom certificate validator class, gov.niem.ws.sample.cvc.service.GFIPMCertificateValidatorWSP, provides X.509 certificate validation of the ADS certificate (that was used to sign the SAML Assertion) and of the WSC certificate (that was used to connect to the WSP service). The certificate validator uses the “src/main/resources/gfipm-security-env.properties” properties file to initialize and use the keystore that is shipped with the application. Furthermore, the GFIPMCertificateValidatorWSP class provides certificate validation according to the GFIPM WS S2S User-Consumer-Provider SIP normative conformance requirements in section 8.2.2.

The code snippet below shows how to validate the certificate against the GFIPM CTF and how to obtain an access control decision based on the WSC Entity attributes listed in the GFIPM CTF.

Note that the code in this snippet is hard-coding an access control policy. In a production environment, it is recommended that the access control decision making be abstracted out into a separate Policy Decision Point (PDP) component using an access control framework such as the XACML framework. See the Global Privacy Policy Technical Framework [GPPTF] for more information about integrating with an access control framework.

The access control decision could also be obtained in the actual WSP service implementation as shown in chapter 3.1.5.3.4 on WSP Service Implementation.



<sc:ValidatorConfiguration wspp:visibility="private" revocationEnabled="false">
    <sc:Validator name="certificateValidator"
        classname="gov.niem.ws.sample.cvc.service.GFIPMCertificateValidatorWSP"/>
</sc:ValidatorConfiguration>




3.1.5.3.3 SAML Assertion Validation

The custom SAML Assertion validator provides checks according to the GFIPM WS S2S User-Consumer-Provider SIP normative conformance requirements in section 8.2.2 and follows the GFIPM-Specific SAML Assertion Format Rules requirements as outlined in Appendix A of the S2S document. For the full validation code sample see the GFIPMSAMLAssertionValidatorWSP class.

After validation is complete it is necessary to add the obtained object to the subject’s public credentials for future reuse.


private static TrustFabric tf = TrustFabricFactory.getInstance();

private boolean isAuthorized(X509Certificate certificate) {
    String entityId = tf.getEntityId(certificate);
    if (entityId == null) {
        log.log(Level.WARNING, "Certificate used by the peer is not in the GFIPM Trust Fabric: "
                + certificate.getSubjectDN());
        return false;
    }
    /* The GFIPM Entity (entityId) should belong to a WSC or an IDP. The IDP case is possible because this
       validator also checks the certificate used to sign the SAML Assertion, therefore this code
       will be executed to validate a certificate for both: WSC and IDP */
    if (tf.isWebServiceProvider(entityId)) {
        log.log(Level.WARNING, "Entity connecting to this WSP should be listed as WSC or IDP in the "
                + "GFIPM Trust Fabric, entity id :" + entityId);
        return false;
    }
    // add any access control decisions based on the GFIPM CTF entityAttributes
    if (tf.isWebServiceConsumer(entityId)) {
        String ownerAgencyCountryCode = tf.getGfipmEntityAttribute(entityId,
                "gfipm:2.0:entity:OwnerAgencyCountryCode");
        // As an example, the current WSP SLA allows only country codes US and VQ.
        // equalsIgnoreCase is null-safe, so a missing attribute is rejected rather than throwing;
        // the original compareToIgnoreCase expression never rejected any value.
        if (!("VQ".equalsIgnoreCase(ownerAgencyCountryCode) || "US".equalsIgnoreCase(ownerAgencyCountryCode))) {
            log.log(Level.WARNING, "WSP: WSC Entity connecting to this WSP should have "
                    + "OwnerAgencyCountryCode as VQ or US. Retrieved agency ID from TF is: "
                    + ownerAgencyCountryCode);
            return false;
        }
    }
    return true;
} // isAuthorized

public void validate(XMLStreamReader xmlStreamerReader, Map map, Subject sbjct) throws SAMLValidationException {
    Element domSamlAssertion = SAMLUtil.createSAMLAssertion(xmlStreamerReader);
    // ... validation code ...
    // If we want to be able to access the SAML assertion later on, we have to add it here
    sbjct.getPublicCredentials().add(domSamlAssertion);
}
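The validator interface the snippet above implements receives the assertion as an XMLStreamReader, so the checks can run in a single streaming pass before anything is converted to DOM. The following added example (not the GFIPMSAMLAssertionValidatorWSP class) does that for the requirements stated on this page plus the standard SAML 2.0 conditions: the assertion must carry a signature (the signature itself is verified by the runtime before the validator is called; only its presence is checked here), name the trusted ADS as Issuer, use the sender-vouches confirmation method, fall inside NotBefore/NotOnOrAfter with a small clock-skew allowance, and name this WSP in its AudienceRestriction. The class StaxSamlAssertionChecks, the constructed assertion and the five-minute skew are assumptions.

```java
import java.io.StringReader;
import java.time.Duration;
import java.time.Instant;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

/** Streaming checks a WSP runs on a SAML 2.0 assertion before trusting its attributes. */
public class StaxSamlAssertionChecks {
    static final String SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    static final String DSIG_NS = "http://www.w3.org/2000/09/xmldsig#";
    static final String SENDER_VOUCHES = "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches";
    static final Duration CLOCK_SKEW = Duration.ofMinutes(5); // assumed tolerance between clocks

    static final class Result {
        String issuer, method, audience;
        Instant notBefore, notOnOrAfter;
        boolean hasSignature;
    }

    static XMLStreamReader secureReader(String xml) throws XMLStreamException {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);                     // no DTD, no entity expansion
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false); // no XXE
        return f.createXMLStreamReader(new StringReader(xml));
    }

    /** Single pass over the assertion, collecting only what the decision needs. */
    static Result scan(XMLStreamReader r) throws XMLStreamException {
        Result res = new Result();
        while (r.hasNext()) {
            if (r.next() != XMLStreamConstants.START_ELEMENT) continue;
            String ns = r.getNamespaceURI();
            String name = r.getLocalName();
            if (DSIG_NS.equals(ns) && "Signature".equals(name)) {
                res.hasSignature = true;
            } else if (SAML_NS.equals(ns)) {
                if ("Issuer".equals(name)) res.issuer = r.getElementText().trim();
                else if ("SubjectConfirmation".equals(name)) res.method = r.getAttributeValue(null, "Method");
                else if ("Audience".equals(name)) res.audience = r.getElementText().trim();
                else if ("Conditions".equals(name)) {
                    String nb = r.getAttributeValue(null, "NotBefore");
                    String na = r.getAttributeValue(null, "NotOnOrAfter");
                    if (nb != null) res.notBefore = Instant.parse(nb);
                    if (na != null) res.notOnOrAfter = Instant.parse(na);
                }
            }
        }
        return res;
    }

    /** Returns null when the assertion is acceptable, otherwise the reason for rejecting it. */
    static String check(Result a, String trustedAdsIssuer, String ourAudience, Instant now) {
        if (!a.hasSignature) return "assertion is not signed";
        if (!trustedAdsIssuer.equals(a.issuer)) return "issuer is not the trusted ADS: " + a.issuer;
        if (!SENDER_VOUCHES.equals(a.method)) return "confirmation method must be sender-vouches, got " + a.method;
        if (a.notBefore == null || a.notOnOrAfter == null) return "Conditions must bound the validity period";
        if (now.plus(CLOCK_SKEW).isBefore(a.notBefore)) return "assertion not yet valid";
        if (!now.minus(CLOCK_SKEW).isBefore(a.notOnOrAfter)) return "assertion expired";
        if (!ourAudience.equals(a.audience)) return "audience restriction does not name this WSP: " + a.audience;
        return null;
    }

    // Constructed ADS-issued assertion; the Signature element is only a placeholder for the real one.
    static final String ASSERTION =
        "<saml:Assertion xmlns:saml=\"" + SAML_NS + "\" ID=\"_x1\" Version=\"2.0\">"
        + "<saml:Issuer>cureidpm2</saml:Issuer>"
        + "<ds:Signature xmlns:ds=\"" + DSIG_NS + "\"/>"
        + "<saml:Subject><saml:NameID>bob</saml:NameID>"
        + "<saml:SubjectConfirmation Method=\"" + SENDER_VOUCHES + "\"/></saml:Subject>"
        + "<saml:Conditions NotBefore=\"2012-06-01T12:00:00Z\" NotOnOrAfter=\"2012-06-01T12:05:00Z\">"
        + "<saml:AudienceRestriction><saml:Audience>https://curewspm2:8181/m2wsp/services/cvc</saml:Audience>"
        + "</saml:AudienceRestriction></saml:Conditions></saml:Assertion>";

    public static void main(String[] args) throws Exception {
        Result a = scan(secureReader(ASSERTION));
        String wsp = "https://curewspm2:8181/m2wsp/services/cvc";
        System.out.println("in window : " + check(a, "cureidpm2", wsp, Instant.parse("2012-06-01T12:02:00Z")));
        System.out.println("expired   : " + check(a, "cureidpm2", wsp, Instant.parse("2012-06-01T13:00:00Z")));
        System.out.println("other WSP : " + check(a, "cureidpm2", "https://other/wsp", Instant.parse("2012-06-01T12:02:00Z")));
        System.out.println("wrong ADS : " + check(a, "some-other-sts", wsp, Instant.parse("2012-06-01T12:02:00Z")));
    }
}
```

Returning the reason rather than a bare boolean is deliberate: the rejection message is what ends up in the WSP's log, and a rejected token with no recorded cause is very hard to investigate later.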



3.1.5.3.4 WSP Service Implementation

The WSP service is implemented by the CommercialVehicleCollisionWebServiceImpl class located in the src/main/java/gov/niem/ws/sample/cvc/service directory.

If, for any business logic reasons, access to the SAML Assertion is needed, it is possible to obtain a reference to the assertion with the following code:

The WSP service implementation class obtains the access control decision based on the invoked method, the WSC credentials, and the GFIPM SAML Assertion of the user.

The “GFIPMAuthorizationProvider” class provides the implementation of the access control decision logic based on the WSC CTF GFIPM attributes and the GFIPM SAML Assertion of the user. The following code snippet from the “GFIPMAuthorizationProvider” class shows how to obtain the authorization access control decision for the user based on the presented GFIPM SAML Assertion:

Where the GFIPM attribute validation is performed in the following function:


@Resource
WebServiceContext wsContext;

static { DelegateUtil.initDelegateJAXBContext(); }

@Override
public GetDocumentResponseType getDocument(GetDocumentRequestType parameters) {
    // if for any reason we need access to the assertion that the user came in with,
    // here is how to get the Assertion from the Context
    Element samlAssertion = GFIPMUtil.getSAMLAssertion(wsContext);
    Assertion assertion = AssertionUtil.fromElement(samlAssertion);
    String currentMethodName = GFIPMAuthorizationProvider.getCurrentMethodName();
    boolean serviceAuthorized = GFIPMAuthorizationProvider.isServiceAuthorized(currentMethodName, wsContext);
    boolean userAuthorized = GFIPMAuthorizationProvider.isUserAuthorized(currentMethodName, samlAssertion);
    // Both decisions have to be acted on; the call is refused if either one is negative.
    if (!(serviceAuthorized && userAuthorized)) {
        throw new SecurityException("Not authorized to invoke " + currentMethodName);
    }



public static boolean isUserAuthorized(String methodName, Element userSAMLAssertion) {
    Assertion assertion = AssertionUtil.fromElement(userSAMLAssertion);
    HashMap<String, String> attributesHashMap = new HashMap<String, String>();
    List<Object> statements = assertion.getStatements();
    for (Object s : statements) {
        if (s instanceof AttributeStatement) {
            for (Attribute samlAttr : ((AttributeStatement) s).getAttributes()) {
                // first value of each attribute is kept, keyed by the attribute name
                attributesHashMap.put(samlAttr.getName(), (String) samlAttr.getAttributes().iterator().next());
            }
        }
    } // for statements
    return isAuthorized(attributesHashMap);
}




The following code snippet from the “GFIPMAuthorizationProvider” class shows how to obtain the access control decision based on the WSC CTF GFIPM attributes:

Note that the code is hard-coding an access control policy. In a production environment, it is recommended that the access control decision making be abstracted out into a separate Policy Decision Point (PDP) component using an access control framework such as the XACML framework. See the Global Privacy Policy Technical Framework [GPPTF] for more information about integrating with an access control framework.

The WSP service implementation class includes business logic operations that are not subject to GFIPM WS S2S requirements.


private static Boolean isAuthorized(HashMap<String, String> attributesHashMap) {
    // Check gfipm:2.0:user:SwornLawEnforcementOfficerIndicator and gfipm:2.0:user:CitizenshipCode.
    // equalsIgnoreCase is null-safe: a missing attribute yields false instead of a NullPointerException.
    if ("true".equalsIgnoreCase(attributesHashMap.get("gfipm:2.0:user:SwornLawEnforcementOfficerIndicator"))
            && "US".equalsIgnoreCase(attributesHashMap.get("gfipm:2.0:user:CitizenshipCode"))) {
        return true;
    }
    return false;
}


public static boolean isAuthorized(String methodName,WebServiceContext wsContext
)

{


boolean isAuthorized = false;


try {


if (SubjectAccessor.getRequesterSubject(wsContext) != null) {


for (Iterator<Object> it =
SubjectAccessor.getRequesterSubject(wsContext).getPublicCredentials().iterator(); it.hasNext();) {


Object publicCredent
ialsObject = it.next();


if (publicCredentialsObject instanceof X509Certificate) {


X509Certificate subjectX509Certificate = (X509Certificate) publicCredentialsObject;


//Delegate ID is deter
mined from Entity Certificate.


String wscId = tf.getEntityId(subjectX509Certificate);


//Provide authorization decision for the WSC to execute methodName


if (tf.isWebServiceConsumer(wsc
Id) &&
"gov.niem.ws.sample.cvc.service.CommercialVehicleCollisionWebServiceImpl.getDocument".equal
s(methodName)) {


//In this example any WSC from the CTF is authorized to execute this method


isAuthori
zed = true;


}}}}


} catch (XWSSecurityException ex) {


logger.log(Level.SEVERE, "Unable to get UserPrincipal", ex);


}


return isAuthorized;


}
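As an added example, not code from the GWSS2SPSI or from this document, the following Java class shows the first step towards the separate PDP recommended above: the same two-attribute rule for getDocument, but held as data keyed by the fully qualified operation name, evaluated deny-by-default (an operation without a rule entry is never permitted), and treating a missing attribute as a denial instead of an exception. The class, method and rule names and the attribute maps built in main() are constructed for the example; a deployment would replace the in-memory map with a query to a XACML PDP of the kind [GPPTF] describes.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.function.Predicate;

/**
 * Added example (not GWSS2SPSI code): a minimal in-process Policy Decision Point that keeps
 * the access control policy as data instead of hard-coding it in isAuthorized().
 */
public class AttributePolicyDecisionPoint {

    /** One rule: the GFIPM attribute that must be present and the predicate its value must satisfy. */
    static final class Rule {
        final String attribute;
        final Predicate<String> test;

        Rule(String attribute, Predicate<String> test) {
            this.attribute = attribute;
            this.test = test;
        }
    }

    /** Operation name -> rules that must ALL hold; an operation without an entry is never permitted. */
    private final Map<String, List<Rule>> policy = new HashMap<>();

    void permit(String operation, List<Rule> rules) {
        policy.put(operation, rules);
    }

    /**
     * Evaluates the policy for one operation against the attributes copied out of the SAML
     * Assertion. A missing attribute is a denial, not a NullPointerException, so the calling
     * service never has to interpret an exception as a decision.
     */
    boolean decide(String operation, Map<String, String> attributes) {
        List<Rule> rules = policy.get(operation);
        if (rules == null) {
            return false; // deny by default
        }
        for (Rule rule : rules) {
            String value = attributes.get(rule.attribute);
            if (value == null || !rule.test.test(value.trim())) {
                return false;
            }
        }
        return true;
    }

    /** Rule that compares the attribute value case-insensitively against an expected literal. */
    static Rule valueIs(String attribute, String expected) {
        return new Rule(attribute, v -> v.equalsIgnoreCase(expected));
    }

    public static void main(String[] args) {
        String getDocument =
                "gov.niem.ws.sample.cvc.service.CommercialVehicleCollisionWebServiceImpl.getDocument";
        AttributePolicyDecisionPoint pdp = new AttributePolicyDecisionPoint();
        // The same policy the page hard-codes: sworn law enforcement officer AND US citizen.
        pdp.permit(getDocument, Arrays.asList(
                valueIs("gfipm:2.0:user:SwornLawEnforcementOfficerIndicator", "true"),
                valueIs("gfipm:2.0:user:CitizenshipCode", "US")));

        // Constructed attribute maps standing in for attributesHashMap from the page.
        Map<String, String> officer = new HashMap<>();
        officer.put("gfipm:2.0:user:SwornLawEnforcementOfficerIndicator", "true");
        officer.put("gfipm:2.0:user:CitizenshipCode", "US");
        Map<String, String> noIndicator = new HashMap<>();
        noIndicator.put("gfipm:2.0:user:CitizenshipCode", "US");

        System.out.println("officer, getDocument:      " + pdp.decide(getDocument, officer));
        System.out.println("no indicator, getDocument: " + pdp.decide(getDocument, noIndicator));
        System.out.println("officer, unknown op:       " + pdp.decide("someOtherOperation", officer));
    }
}
```

The service implementation calls decide() at the same point where the page calls isAuthorized(attributesHashMap); because the policy is keyed by operation name, the per-operation rules can later be loaded from configuration or replaced by a remote PDP call without touching the service class.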



3.1.5.4 GFIPM Client (Model 2)

The Client is responsible for communication with the WSC. The Client uses the Information Exchange Service Contract Implementation Library to create a connection to the WSC service, retrieves the WSDL, sets the proper Service Endpoint, connects to the IDP STS, obtains a SAML Assertion from the IDP, and then invokes the WSC service.

The Client is configured through the Client-Side WSIT [WSIT] configuration file "wsit-client.xml" located in the "src/main/resources/META-INF" directory. The Client-Side WSIT configuration file imports a separate configuration file for the WSC and for the IDP, as shown in the code snippet below:

The Client configuration for the connection to the WSC ("src/main/resources/META-INF/CommercialVehicleCollisionWebserviceIntf.xml") includes settings for the WSC public certificate that should be used for the connection.


<definitions xmlns="http://schemas.xmlsoap.org/wsdl/" name="mainclientconfig">
    <import location="CommercialVehicleCollisionWebserviceImpl.xml"
            namespace="urn:examples.com:techniques:iepd:commercialVehicleCollision:ws:2.0"/>
    <import location="net-sts-client.xml"
            namespace="http://schemas.microsoft.com/ws/2008/06/identity/securitytokenservice"/>
    <import location="sts-client.xml" namespace="http://tempuri.org/"/>
</definitions>

<wsp:Policy wsu:Id="CalculatorServicePortBindingPolicy">
    <wsp:ExactlyOne>
        <wsp:All>
            <!-- WSC identity -->
            <scl:TrustStore wspp:visibility="private" peeralias="curewscm2" storepass="changeit"
                            type="JKS" location="cure-client-cacerts.jks"/>
            <!-- Username / Password based IDP Metro https,
                 works with sp:TransportBinding in idp.wsdl -->
            <tc:PreconfiguredSTS wspp:visibility="private"
                                 shareToken="false"
                                 xmlns:tc="http://schemas.sun.com/ws/2006/05/trust/client"
                                 wstVersion="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
                                 endpoint="https://cureidpm2:8181/m2sts/services/idp"
                                 wsdlLocation="http://cureidpm2:8080/m2sts/services/idp?wsdl"
                                 serviceName="IdentityProviderService"
                                 portName="IIdentityProviderService_Port"
                                 namespace="http://tempuri.org/">
            </tc:PreconfiguredSTS>
        </wsp:All>
    </wsp:ExactlyOne>
</wsp:Policy>



The Client configuration does not include a SAML Callback handler, since the IDP configuration is specified through PreconfiguredSTS and Metro automatically sends the token request to the specified IDP.

It is also possible to configure the Client in code, as shown in the code snippet below. Note that the in-code configuration uses https for both the STS endpoint and the WSDL location, whereas the PreconfiguredSTS element above fetches the IDP WSDL over plain http (port 8080); a WSDL retrieved over an unauthenticated channel can be altered in transit, including the security policy it carries, so the https WSDL location (or a locally cached WSDL) should be used.

    // Metro ws-trust client API: STSIssuedTokenConfiguration and DefaultSTSIssuedTokenConfiguration.
    private static DefaultSTSIssuedTokenConfiguration getDefaultSTSIssuedTokenConfiguration() {
        // Metro Username Token
        String stsEndpoint = "https://cureidpm2:8181/m2sts/services/idp";
        String stsWSDLLocation = "https://cureidpm2:8181/m2sts/services/idp?wsdl";
        String stsServiceName = "IdentityProviderService";
        String stsPortName = "IIdentityProviderService_Port";
        String stsNamespace = "http://tempuri.org/";

        // WS-Trust 1.3 (PROTOCOL_13) request to the IDP STS identified by endpoint, WSDL,
        // service name, port name and namespace.
        DefaultSTSIssuedTokenConfiguration stsIssuedTokenConfiguration =
                new DefaultSTSIssuedTokenConfiguration(STSIssuedTokenConfiguration.PROTOCOL_13,
                        stsEndpoint, stsWSDLLocation, stsServiceName, stsPortName, stsNamespace);
        return stsIssuedTokenConfiguration;
    }

The Client includes a separate configuration for the connection to the IDP through the "src/main/resources/META-INF/sts-client.xml" configuration file. This configuration includes the keystore and truststore settings for the private and public certificates that should be used for the connection:

<wsp:Policy wsu:Id="STSClientKeystorePolicy"
            xmlns:sc="http://schemas.sun.com/2006/03/wss/client"
            xmlns:wspp="http://java.sun.com/xml/ns/wsit/policy"
            xmlns:scc="http://schemas.sun.com/ws/2006/05/sc/client">
    <wsp:ExactlyOne>
        <wsp:All>
            <sc:KeyStore wspp:visibility="private" location="cure-client-keystore.jks" type="JKS"
                         alias="alice" storepass="changeit"/>
            <sc:TrustStore wspp:visibility="private" location="cure-client-cacerts.jks" type="JKS"
                           peeralias="cureidpm2" storepass="changeit"/>
            <sc:CallbackHandlerConfiguration>
                <sc:CallbackHandler name="usernameHandler"
                    classname="gov.niem.ws.sample.cvc.client.GFIPMUsernamePasswordCallbackHandler"/>
                <sc:CallbackHandler name="passwordHandler"
                    classname="gov.niem.ws.sample.cvc.client.GFIPMUsernamePasswordCallbackHandler"/>
            </sc:CallbackHandlerConfiguration>
        </wsp:All>
    </wsp:ExactlyOne>
</wsp:Policy>

If the IDP SLA policy requires the client to authenticate using Username and Password, then the "GFIPMUsernamePasswordCallbackHandler" class is called. If the IDP SLA policy requests a client certificate, then the Client retrieves the certificate for "alice" from the "cure-client-keystore.jks" keystore. The Client can be authenticated to the IDP STS using the hardcoded Username and Password (alice:alice; bob:bob) or to the ADS STS as user "alice". The ADS STS contains the public key for user "alice" in its trust store and can act as an IDP as well. The hardcoded credentials and the "changeit" keystore passwords are sample values only and must be replaced in a deployment.

Caching of the WSDL files, which prevents WSDL queries at run time, is possible through the "src/main/resources/META-INF/jax-ws-catalog.xml" configuration file.

The Client initializes the service connection to the WSC (cvcPort), sets the proper Service Endpoint, and invokes a service call as shown in the code snippet below:

    // JAX-WS imports: java.net.URL, java.util.Map, javax.xml.namespace.QName,
    // javax.xml.ws.BindingProvider, javax.xml.ws.WebServiceFeature, javax.xml.ws.soap.MTOMFeature,
    // plus the Metro DefaultSTSIssuedTokenConfiguration and STSIssuedTokenFeature classes and the
    // JAXB/JAX-WS types generated from the Commercial Vehicle Collision WSDL.
    CommercialVehicleCollisionPortType cvcPort;
    CommercialVehicleCollisionWebService cvsWebService;

    // Tell Metro which IDP STS to obtain the SAML Assertion from before each call.
    DefaultSTSIssuedTokenConfiguration stsIssuedTokenConfiguration =
            getDefaultSTSIssuedTokenConfiguration(); // see above
    STSIssuedTokenFeature stsIssuedTokenFeature = new STSIssuedTokenFeature(stsIssuedTokenConfiguration);
    MTOMFeature mtomFeature = new MTOMFeature(true);

    // Service proxy built from the (possibly cached) WSDL.
    cvsWebService = new CommercialVehicleCollisionWebService(new URL(wsdlUrl),
            new QName("urn:examples.com:techniques:iepd:commercialVehicleCollision:ws:2.0",
                    "CommercialVehicleCollisionWebService"));
    cvcPort = cvsWebService.getCommercialVehicleCollisionPort(
            new WebServiceFeature[]{stsIssuedTokenFeature, mtomFeature});

    // Override the endpoint from the WSDL with the WSC Service Endpoint (sepUrl) taken from the CTF.
    Map<String, Object> requestContext = ((BindingProvider) cvcPort).getRequestContext();
    requestContext.put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, sepUrl);

    GetDocumentResponseType getDocumentResponseType = cvcPort.getDocument(getDocumentRequestType);

For details on the client execution and running tests, see the Readme.txt installation instructions file in the GWSS2SPSI distribution package.

3.2 Debugging

3.2.1 Message Logging

Message logging can be enabled on Glassfish either through the Web-based Administration GUI or through the domain configuration file "$AS_HOME/domains/domain1/config/domain.xml", where $AS_HOME is the Glassfish home directory, for example "/var/opt/glassfish/glassfish".

To enable logging of the server-side messages, modify the Java options under the server configuration (<config name="server-config">):

    <jvm-options>-Dcom.sun.xml.ws.transport.http.HttpAdapter.dump=true</jvm-options>

To enable logging of the client messages, modify the Java options under the server configuration (<config name="server-config">):

    <jvm-options>-Dcom.sun.xml.ws.transport.http.client.HttpTransportPipe.dump=true</jvm-options>

Restarting the Glassfish server is required if these configuration files are edited. Logs can be viewed in the "server.log" file in the "$AS_HOME/domains/domain1/logs" directory. The dumps contain the complete SOAP envelopes, including the WS-Security headers with the SAML Assertions and any UsernameToken credentials, so these options should be enabled only on test systems.

3.2.2 Application Logging

Application logging can be enabled on Glassfish either through the Web-based Administration GUI or through the domain logging properties configuration file "$AS_HOME/domains/domain1/config/logging.properties", where $AS_HOME is the Glassfish home directory, for example "/var/opt/glassfish/glassfish".

The following packages should be set to the highest log level ("FINEST") for the debug information from the sample implementation components (WSC, WSP, IDP/ADS STS) to be logged to the "$AS_HOME/domains/domain1/logs/server.log" log file:

    gov.niem.ws.util.level = FINEST
    gov.niem.ws.util.jaxb.level = FINEST
    gov.niem.ws.util.jaxb.delegate.level = FINEST
    gov.niem.ws.sample.cvc.client.level = FINEST
    gov.niem.ws.sample.cvc.handlers.level = FINEST
    gov.niem.ws.sample.cvc.sts.level = FINEST
    gov.niem.ws.sample.cvc.service.level = FINEST





4 References

[GFIPMCTF] GFIPM Cryptographic Trust Fabric, http://it.ojp.gov/docdownloader.aspx?ddid=1338

[GFIPMMETA] GFIPM Metadata 2, http://gfipm.net/standards/metadata/2.0/

[GFIPMS2SP] Global Federated Identity and Privilege Management (GFIPM) Web Services System-to-System Profile Version 1.0, (URL TBD)

[GFIPMTERMS] Global Federated Identity and Privilege Management (GFIPM) Terminology Matrix Version 1.0, September 2010, http://www.it.ojp.gov/docdownloader.aspx?ddid=1333

[GLASSFISH] Oracle, Open Source Application Server v3.1.2, http://glassfish.java.net/

[GO4] Design Patterns: Elements of Reusable Object-Oriented Software, Erich Gamma, Richard Helm, Ralph Johnson, and John Vlissides, Addison-Wesley Professional, November 10, 1994

[GPPTF] Implementing Privacy Policy in Justice Information Sharing: A Technical Framework, Global Security Working Group Technical Privacy Task Team, October 31, 2007, http://it.ojp.gov/docdownloader.aspx?ddid=1195

[GRA] Global Reference Architecture (GRA), BJA, http://www.it.ojp.gov/global

[GRAGIDES] Global Reference Architecture (GRA) Guidelines for Identifying and Designing Services Version 1.1, May 2011, http://www.it.ojp.gov/global

[JAVA] Oracle, http://www.oracle.com/us/technologies/java/overview/index.html

[JAXB] Oracle, Java Architecture for XML Binding (JAXB), http://jaxb.dev.java.net

[JAXWS] Oracle, Java API for XML Web Services (JAX-WS), http://jax-ws.dev.java.net, http://jax-ws.java.net/2.2.6/docs/

[KEYTOOL] Oracle, keytool - Key and Certificate Management Tool, http://docs.oracle.com/javase/6/docs/technotes/tools/windows/keytool.html, http://docs.oracle.com/javase/6/docs/technotes/tools/solaris/keytool.html

[KSEXPL] LAZGO Software, http://www.lazgosoftware.com/kse/index.html

[KTIUI] KeyTool IUI, http://www.lazgosoftware.com/kse/index.html

[MAVEN] Apache build manager for Java projects, http://maven.apache.org

[METRO] Oracle, Metro Web Services Framework, https://metro.dev.java.net

[MTOM] MTOM Serialization Policy Assertion (WS-MTOMPolicy), Version 1.0, Nov 01, 2006, http://www.w3.org/Submission/WS-MTOMPolicy/

[MUG] Metro User Guide, Java.net, http://metro.java.net/guide/user-guide.html

[OPENSSL] OpenSSL, OpenSSL: The Open Source toolkit for SSL/TLS, http://www.openssl.org

[SAML20-CORE] OASIS Standard, "Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0", March 2005, http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

[SAMLCore] Maler, E., Mishra, P., Philpott, R., et al., "Assertions and Protocol for the OASIS Security Assertion Markup Language (SAML) V1.1", September 2003, http://www.oasis-open.org/committees/download.php/3406/oasis-sstc-saml-core-1.1.pdf

[SAMLDelegation2009] "SAML V2.0 Condition for Delegation Restriction Version 1.0", 15 November 2009, http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-delegation.pdf

[SAMLToken1.1] Lawrence, K., Kaler, C., Monzillo, R., et al., "Web Services Security: SAML Token Profile 1.1", February 2006, http://www.oasis-open.org/committees/download.php/16768/wss-v1.1-spec-os-SAMLTokenProfile.pdf

[SPEOAIS] WS-SecurityPolicy Examples Version 1.0, OASIS Committee Specification, 4 November 2010, http://docs.oasis-open.org/ws-sx/security-policy/examples/ws-sp-usecases-examples.html

[WSAM2007] W3C, Web Services Addressing 1.0 - Metadata, W3C Recommendation, 4 September 2007, http://www.w3.org/TR/2007/REC-ws-addr-metadata-20070904

[WSAWSDL] Web Services Addressing 1.0 - WSDL Binding, W3C CR 29 May 2006, http://www.w3.org/TR/ws-addr-wsdl/

[WSIBP12] WS-I Basic Profile Version 1.2, 2010-11-09, http://ws-i.org/profiles/basicprofile-1.2-2010-11-09.html

[WSIMPORT] Oracle, Java API for XML Web Services (JAX-WS) wsimport, version 2.2, revision 2.2.1, http://jax-ws.java.net/nonav/2.2.1/docs/wsimport.html

[WSIT] Oracle, Web Services Interoperability Technologies (WSIT), https://wsit.dev.java.net/

[WSPL2004] W3C, Web Services Policy 1.2 - Framework, W3C Recommendation, 4 September 2007, http://schemas.xmlsoap.org/ws/2004/09/policy/

[WSS11-SAML1120-PROFILE] OASIS Standard, "Web Services Security: SAML Token Profile 1.1", OASIS Standard Incorporating Approved Errata, 1 November 2006, http://docs.oasis-open.org/wss/v1.1/wss-v1.1-spec-errata-os-SAMLTokenProfile.pdf

[WSS11-SOAPMSG] OASIS Standard, "Web Services Security: SOAP Message Security 1.1", OASIS Standard incorporating Approved Errata, 01 November 2006, http://docs.oasis-open.org/wss/v1.1/wss-v1.1-spec-errata-os-SOAPMessageSecurity.pdf

[WSS2006] OASIS, Web Services Security: SOAP Message Security 1.1, OASIS Standard, 1 February 2006, http://www.oasis-open.org/committees/download.php/16790/wss-v1.1-spec-os-SOAPMessageSecurity.pdf

[WS-SECURITYPOLICY] OASIS Standard, "WS-SecurityPolicy 1.2", July 2007, http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2-spec-os.doc

[WSSPL2007] OASIS, WS-SecurityPolicy 1.2, OASIS Standard, 1 July 2007, http://docs.oasis-open.org/ws-sx/ws-securitypolicy/v1.2/wssecuritypolicy.pdf

[WS-TRUST] OASIS Standard, "WS-Trust 1.3", March 2007, http://docs.oasis-open.org/ws-sx/ws-trust/200512/ws-trust-1.3-os.doc

[XSD2004] W3C, XML Schema Part 1: Structures, W3C Recommendation, 28 October 2004, http://www.w3.org/TR/2004/REC-xmlschema-1-20041028/





5 Appendixes

5.1 Attachment A: GFIPM SAML User Assertion Sample

<saml2:Assertion xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                 xmlns:exc14n="http://www.w3.org/2001/10/xml-exc-c14n#"
                 xmlns:ns5="urn:oasis:names:tc:SAML:2.0:conditions:delegation"
                 xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                 xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
                 xmlns:xs="http://www.w3.org/2001/XMLSchema"
                 ID="uuid-9dd21656-f992-40c3-a815-ff515af24747"
                 IssueInstant="2012-04-25T22:49:11.834Z"
                 Version="2.0">
    <saml2:Issuer>cureidpm2</saml2:Issuer>
    <ds:Signature>
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha256"/>
            <ds:Reference URI="#uuid-9dd21656-f992-40c3-a815-ff515af24747">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha256"/>
                <ds:DigestValue>Q0vEPdzmHR42eQ9GoqLOs9hxpAo=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>H78yQg==</ds:SignatureValue>
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIID</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </ds:Signature>
    <saml2:Subject>
        <saml2:NameID NameQualifier="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">bob</saml2:NameID>
        <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2012-04-25T22:49:11.834Z" NotOnOrAfter="2012-04-25T22:54:11.834Z">
        <saml2:AudienceRestriction>
            <saml2:Audience>https://curewscm2:8181/m2wsc/services/cvc</saml2:Audience>
        </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AuthnStatement AuthnInstant="2012-04-25T22:49:11.834Z">
        <saml2:AuthnContext>
            <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
        </saml2:AuthnContext>
    </saml2:AuthnStatement>
    <saml2:AttributeStatement>
        <saml2:Attribute Name="gfipm:2.0:user:CitizenshipCode"
                         NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
            <saml2:AttributeValue xmlns:ns7="http://www.w3.org/2001/XMLSchema-instance"
                                  xmlns:ns8="http://www.w3.org/2001/XMLSchema"
                                  ns7:type="ns8:string">US</saml2:AttributeValue>
        </saml2:Attribute>
        <saml2:Attribute Name="gfipm:2.0:user:EmployerName"
                         NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
            <saml2:AttributeValue xmlns:ns7="http://www.w3.org/2001/XMLSchema-instance"
                                  xmlns:ns8="http://www.w3.org/2001/XMLSchema"
                                  ns7:type="ns8:string">Dundler Mifflin</saml2:AttributeValue>
        </saml2:Attribute>
        <saml2:Attribute Name="gfipm:2.0:user:SwornLawEnforcementOfficerIndicator"
                         NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
            <saml2:AttributeValue xmlns:ns7="http://www.w3.org/2001/XMLSchema-instance"
                                  xmlns:ns8="http://www.w3.org/2001/XMLSchema"
                                  ns7:type="ns8:string">true</saml2:AttributeValue>
        </saml2:Attribute>
        <saml2:Attribute Name="gfipm:2.0:user:GivenName"
                         NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
            <saml2:AttributeValue xmlns:ns7="http://www.w3.org/2001/XMLSchema-instance"
                                  xmlns:ns8="http://www.w3.org/2001/XMLSchema"
                                  ns7:type="ns8:string">Michael</saml2:AttributeValue>
        </saml2:Attribute>
        <saml2:Attribute Name="gfipm:2.0:user:SecurityClearanceLevelCode"
                         NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
            <saml2:AttributeValue xmlns:ns7="http://www.w3.org/2001/XMLSchema-instance"
                                  xmlns:ns8="http://www.w3.org/2001/XMLSchema"
                                  ns7:type="ns8:string">Secret</saml2:AttributeValue>
        </saml2:Attribute>
        <saml2:Attribute Name="gfipm:2.0:user:SurName"
                         NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
            <saml2:AttributeValue xmlns:ns7="http://www.w3.org/2001/XMLSchema-instance"
                                  xmlns:ns8="http://www.w3.org/2001/XMLSchema"
                                  ns7:type="ns8:string">Scott</saml2:AttributeValue>
        </saml2:Attribute>
    </saml2:AttributeStatement>
</saml2:Assertion>

5.2 Attachment B: GFIPM SAML Metadata Entity Assertion Sample

<EntitiesDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                    validUntil="2022-04-18T00:00:00-04:00"
                    ID="2a2bce2d-dec3-4be1-8e0b-e4f2bd29ff2f"
                    Name="sample-implementation:gfipm:ref"
                    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
    <EntityDescriptor entityID="curewspm1">
        <RoleDescriptor xmlns:q7="http://gfipm.net/standards/metadata/2.0/webservices"
                        xsi:type="q7:GFIPMWebServiceProviderType"
                        protocolSupportEnumeration="http://gfipm.net/standards/webservices/1.0/consumer-provider-sip.html"
                        ServiceDisplayName="WebServiceProvider M1"
                        ServiceDescription="The GFIPM CURE M1 Web Service Provider">
            <KeyDescriptor use="signing">
                <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                    <X509Data><X509Certificate>XcxDw5w=</X509Certificate></X509Data>
                </KeyInfo>
            </KeyDescriptor>
            <KeyDescriptor use="encryption">
                <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                    <X509Data><X509Certificate>XcxDw5w=</X509Certificate></X509Data>
                </KeyInfo>
            </KeyDescriptor>
            <q7:WebServiceEndpoint>
                <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
                    <Address>https://curewspm1:8181/m1wsp/services/cvc</Address>
                </EndpointReference>
            </q7:WebServiceEndpoint>
            <q7:MetadataExchangeEndpoint>
                <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
                    <Address>https://curewspm1:8181/m1wsp/services/cvc/mex</Address>
                </EndpointReference>
            </q7:MetadataExchangeEndpoint>
            <q7:WSDLURL>
                <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
                    <Address>https://curewspm1:8181/m1wsp/services/cvc?wsdl</Address>
                </EndpointReference>
            </q7:WSDLURL>
        </RoleDescriptor>
        <ContactPerson contactType="technical">
            <Company>CURE Research Institute</Company>
            <GivenName>Roger</GivenName>
            <SurName>Waters</SurName>
            <EmailAddress>roger.waters@wspm1.net</EmailAddress>
            <TelephoneNumber>4145555555</TelephoneNumber>
        </ContactPerson>
    </EntityDescriptor>
    <EntityDescriptor entityID="cureidpm2">
        <RoleDescriptor xmlns:q9="http://gfipm.net/standards/metadata/2.0/webservices"
                        xsi:type="q9:GFIPMAssertionDelegateServiceType"
                        protocolSupportEnumeration="http://gfipm.net/standards/webservices/1.0/saml-assertion-delegate-service-sip.html"
                        Servi
                        ServiceDisplayName="ADS for CUREIDPM2"
                        ServiceDescription="The Assertion Delegate Service for the CURE IDP M2">
            <KeyDescriptor use="signing">
                <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                    <X509Data><X509Certificate>MIIDE=</X509Certificate></X509Data>
                </KeyInfo>
            </KeyDescriptor>
            <KeyDescriptor use="encryption">
                <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                    <X509Data><X509Certificate>MIIDE=</X509Certificate></X509Data>
                </KeyInfo>
            </KeyDescriptor>
            <q9:DelegatedTokenServiceEndpoint>
                <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
                    <Address>http://cureidpm2:8080/m2sts/services/sts</Address>
                </EndpointReference>
            </q9:DelegatedTokenServiceEndpoint>
            <q9:WSDLURL>
                <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
                    <Address>http://cureidpm2:8080/m2sts/services/sts?wsdl</Address>
                </EndpointReference>
            </q9:WSDLURL>
            <q9:MetadataExchangeEndpoint>
                <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
                    <Address>http://cureidpm2:8080/m2sts/services/sts/mex</Address>
                </EndpointReference>
            </q9:MetadataExchangeEndpoint>
        </RoleDescriptor>
        <ContactPerson contactType="technical">
            <Company>CURE Research Institute</Company>
            <GivenName>Jack</GivenName>
            <SurName>Shephard</SurName>
            <EmailAddress>jack.shephard@idpm2.net</EmailAddress>
            <TelephoneNumber>4145555555</TelephoneNumber>
        </ContactPerson>
    </EntityDescriptor>
</EntitiesDescriptor>
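As an added example, not code from the GWSS2SPSI or from this document, the following Java class works against constructed, abbreviated copies of the Attachment A assertion and the Attachment B metadata and shows two things together: the TrustFabricIntf lookup from Attachment C that a WSP relies on most, getEntityId by certificate (matched on the complete DER encoding, with the metadata validUntil enforced), and the checks a WSP must make on a received assertion once its XML signature has verified: the Issuer has a signing certificate in the CTF, the Conditions window holds (with clock skew), every AudienceRestriction names the WSP's own endpoint, and attributes are taken only from the AttributeStatement that is a direct child of the signed Assertion. Assumptions: the 60-second skew, the "ABCD" stand-in certificate bytes, and that signature verification (javax.xml.crypto.dsig, with the verification key taken from the Issuer's CTF entry rather than from the assertion's own ds:KeyInfo) has already succeeded. All class, method and field names are mine, not the CTF library's.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.time.*;
import java.util.*;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

/** Added example (not GWSS2SPSI code): CTF lookup by certificate bytes plus the SAML checks a WSP makes. */
public class CtfAndAssertionChecks {
    static final String SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion";
    static final String MD = "urn:oasis:names:tc:SAML:2.0:metadata";
    static final String DSIG = "http://www.w3.org/2000/09/xmldsig#";
    // Constructed, abbreviated stand-ins for Attachments B and A. "QUJDRA==" (base64 of the bytes "ABCD")
    // is a placeholder for a DER certificate, not a real one, and the ds:Signature element is omitted.
    static final String CTF_XML = "<EntitiesDescriptor xmlns=\"" + MD + "\" validUntil=\"2022-04-18T00:00:00-04:00\">"
            + "<EntityDescriptor entityID=\"cureidpm2\"><RoleDescriptor><KeyDescriptor use=\"signing\"><KeyInfo xmlns=\"" + DSIG
            + "\"><X509Data><X509Certificate>\n QUJD\n RA==\n</X509Certificate></X509Data></KeyInfo></KeyDescriptor></RoleDescriptor></EntityDescriptor></EntitiesDescriptor>";
    static final String ASSERTION_XML = "<saml2:Assertion xmlns:saml2=\"" + SAML2 + "\" Version=\"2.0\" ID=\"_a1\">"
            + "<saml2:Issuer>cureidpm2</saml2:Issuer>"
            + "<saml2:Conditions NotBefore=\"2012-04-25T22:49:11.834Z\" NotOnOrAfter=\"2012-04-25T22:54:11.834Z\">"
            + "<saml2:AudienceRestriction><saml2:Audience>https://curewscm2:8181/m2wsc/services/cvc</saml2:Audience>"
            + "</saml2:AudienceRestriction></saml2:Conditions><saml2:AttributeStatement><saml2:Attribute Name=\"gfipm:2.0:user:CitizenshipCode\">"
            + "<saml2:AttributeValue>US</saml2:AttributeValue></saml2:Attribute></saml2:AttributeStatement></saml2:Assertion>";

    /** Namespace-aware parser with DOCTYPE and entity expansion disabled: assertions arrive from the network. */
    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    /** Direct children only, so an element smuggled in at a deeper level cannot stand in for the real one. */
    static List<Element> children(Element parent, String ns, String local) {
        List<Element> out = new ArrayList<>();
        for (Node n = parent.getFirstChild(); n != null; n = n.getNextSibling())
            if (n instanceof Element && ns.equals(n.getNamespaceURI()) && local.equals(n.getLocalName())) out.add((Element) n);
        return out;
    }

    /** The TrustFabricIntf lookups a WSP needs: certificate -> entityID, known entity IDs, document expiry. */
    static final class TrustFabric {
        final Map<String, String> entityByCert = new HashMap<>(); // base64(DER) -> entityID
        final Instant validUntil;

        TrustFabric(Document metadata) {
            Element root = metadata.getDocumentElement();
            validUntil = OffsetDateTime.parse(root.getAttribute("validUntil")).toInstant();
            for (Element ed : children(root, MD, "EntityDescriptor")) {
                NodeList certs = ed.getElementsByTagNameNS(DSIG, "X509Certificate"); // trusted local document
                for (int i = 0; i < certs.getLength(); i++) {
                    byte[] der = Base64.getMimeDecoder().decode(certs.item(i).getTextContent());
                    entityByCert.put(Base64.getEncoder().encodeToString(der), ed.getAttribute("entityID"));
                }
            }
        }

        /** Match the complete DER encoding (what X509Certificate.getEncoded() returns), never the subject DN. */
        String getEntityId(byte[] derEncodedCertificate) {
            return entityByCert.get(Base64.getEncoder().encodeToString(derEncodedCertificate));
        }
    }

    /** Checks to make after the XML signature has verified; returns the GFIPM attributes or throws. */
    static Map<String, String> checkAssertion(Document doc, TrustFabric tf, String myEndpoint, Instant now) {
        Element a = doc.getDocumentElement();
        if (!SAML2.equals(a.getNamespaceURI()) || !"Assertion".equals(a.getLocalName())) throw new SecurityException("not a SAML 2.0 Assertion");
        if (now.isAfter(tf.validUntil)) throw new SecurityException("trust fabric document has expired");
        List<Element> issuer = children(a, SAML2, "Issuer");
        if (issuer.size() != 1 || !tf.entityByCert.containsValue(issuer.get(0).getTextContent().trim()))
            throw new SecurityException("Issuer has no signing certificate in the CTF");
        List<Element> cond = children(a, SAML2, "Conditions");
        if (cond.size() != 1) throw new SecurityException("exactly one Conditions element expected");
        Duration skew = Duration.ofSeconds(60); // assumption: tolerate 60 s of clock drift between IDP and WSP
        Instant notBefore = Instant.parse(cond.get(0).getAttribute("NotBefore"));
        Instant notOnOrAfter = Instant.parse(cond.get(0).getAttribute("NotOnOrAfter"));
        if (now.plus(skew).isBefore(notBefore) || !now.minus(skew).isBefore(notOnOrAfter)) throw new SecurityException("outside validity window");
        List<Element> restrictions = children(cond.get(0), SAML2, "AudienceRestriction");
        if (restrictions.isEmpty()) throw new SecurityException("no AudienceRestriction");
        for (Element ar : restrictions) { // every restriction present must list this endpoint
            boolean match = false;
            for (Element aud : children(ar, SAML2, "Audience")) match |= myEndpoint.equals(aud.getTextContent().trim());
            if (!match) throw new SecurityException("assertion was not issued for this endpoint");
        }
        Map<String, String> attrs = new HashMap<>();
        for (Element st : children(a, SAML2, "AttributeStatement"))
            for (Element at : children(st, SAML2, "Attribute")) {
                List<Element> v = children(at, SAML2, "AttributeValue");
                if (!v.isEmpty()) attrs.put(at.getAttribute("Name"), v.get(0).getTextContent().trim());
            }
        return attrs;
    }

    public static void main(String[] args) throws Exception {
        TrustFabric tf = new TrustFabric(parse(CTF_XML));
        // WSP side: map the WSC's client certificate (here the constructed DER bytes) to its CTF entity ID.
        System.out.println("entity: " + tf.getEntityId("ABCD".getBytes(StandardCharsets.US_ASCII)));
        Instant now = Instant.parse("2012-04-25T22:50:00Z"); // inside the sample assertion's five-minute window
        System.out.println("attributes: " + checkAssertion(parse(ASSERTION_XML), tf, "https://curewscm2:8181/m2wsc/services/cvc", now));
    }
}
```

Calling checkAssertion() with another WSP's endpoint, for instance the curewspm1 address from Attachment B, throws, which is the behaviour that stops an assertion issued for one WSP from being replayed at another; the attributes it returns are what the page's isAuthorized(attributesHashMap) consumes.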

5.3 Attachment C: GFIPM CTF Library API

import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.List;

public interface TrustFabricIntf {

    /**
     * Get a list of all the GFIPM entities in the trust document and return a
     * list of GFIPMCertificate instances (id, types, key use, certificate).
     *
     * @param collectDuplicates Flag to determine if duplicate certificate
     * strings should be added, even if the certificate is duplicated in the
     * trust fabric document.
     *
     * @return List<GFIPMCertificate>
     */
    List<GFIPMCertificate> getAllEntityCertificates(boolean collectDuplicates);

    /**
     * Get entity Id from GFIPM CTF using a Public Key of that entity.
     *
     * @param publicKey public key of the certificate.
     * @return entityId The entity ID of an EntityDescriptor in a GFIPM trust
     * fabric document.
     */
    String getEntityId(PublicKey publicKey);

    /**
     * Get entity Id from GFIPM CTF using X509Certificate of that entity.
     *
     * @param cert X509 Certificate of the entity
     * @return entityId The entity ID of an EntityDescriptor in a GFIPM trust
     * fabric document.
     */
    String getEntityId(X509Certificate cert);

    /**
     * Get entity id from GFIPM CTF using Service Endpoint of that entity.
     *
     * @param sepString Service Endpoint URL String of the entity
     * @return entityId The entity ID of an EntityDescriptor in a GFIPM trust
     * fabric document.
     */
    String getEntityIdBySEP(String sepString);

    /**
     * Get the value of a GFIPM trust fabric document Organization Extensions
     * attribute in a specific entity.
     *
     * @param entityId The entity ID of an EntityDescriptor in a GFIPM trust