9.6 Configuring Web Service Clients

Access Manager WS-Trust STS can be accessed from various Web service clients. The following sections provide example configurations and sample code snippets for CXF-based and Metro-based Web service clients:

9.6.1 Configuring Apache CXF-based Web Service Clients

You can configure CXF-based Web service clients either programmatically or through XML configuration files. Below is a sample XML configuration. Add the following features to cxf.xml under the top-level beans section:

<cxf:bus>
  <cxf:features>
    <cxf:logging />
    <wsa:addressing />
  </cxf:features>
</cxf:bus>

Define the STS client with its properties as follows:

<!-- Replace the angle-bracket placeholders with values for your deployment. -->
<jaxws:client name="{<your webservice target namespace>}WebServicePort"
    createdFromAPI="true">
  <jaxws:properties>
    <entry key="ws-security.sts.client">
      <bean class="org.apache.cxf.ws.security.trust.STSClient">
        <constructor-arg ref="cxf" />
        <property name="wsdlLocation"
            value="https://<your idp base url>nidp/wstrust/sts?wsdl" />
        <property name="serviceName" value="{http://www.netiq.com/nam-4-0/wstrust}SecurityTokenService" />
        <property name="endpointName" value="{http://www.netiq.com/nam-4-0/wstrust}STS_Port" />
        <property name="wspNamespace" value="http://schemas.xmlsoap.org/ws/2004/09/policy" />
        <property name="properties">
          <map>
            <!-- Credentials the STS client presents to the Identity Provider -->
            <entry key="ws-security.username" value="<username to connect to idp>" />
            <entry key="ws-security.password" value="<password>" />
            <entry key="ws-security.encryption.properties" value="clientKeystore.properties" />
            <entry key="ws-security.encryption.username" value="mystskey" />
            <entry key="soap.force.doclit.bare" value="true" />
            <entry key="soap.no.validate.parts" value="true" />
          </map>
        </property>
      </bean>
    </entry>
  </jaxws:properties>
</jaxws:client>

You can configure ws-security.callback-handler to provide the username and password programmatically. You can also configure a global sts-client in cxf.xml that can be used across multiple Web services.
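The following callback handler is an added example, not NetIQ or Apache CXF sample code. It shows one way to supply the STS password through ws-security.callback-handler so that it does not sit in clear text in cxf.xml: register the class name under that key in the STS client's properties map in place of the ws-security.password entry. The class name and the two environment variable names are hypothetical, and the import assumes CXF 3.x with WSS4J 2.x.

```java
// Added example. On CXF 2.x (WSS4J 1.6) import
// org.apache.ws.security.WSPasswordCallback instead.
import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.wss4j.common.ext.WSPasswordCallback;

public class StsPasswordCallback implements CallbackHandler {

    // Hypothetical variable names; substitute a lookup in your secret store.
    private static final String USER_ENV = "STS_CLIENT_USERNAME";
    private static final String PASS_ENV = "STS_CLIENT_PASSWORD";

    @Override
    public void handle(Callback[] callbacks)
            throws IOException, UnsupportedCallbackException {
        String expectedUser = System.getenv(USER_ENV);
        String password = System.getenv(PASS_ENV);
        // Fail closed when the credentials have not been provisioned.
        if (expectedUser == null || password == null || password.isEmpty()) {
            throw new IOException("STS client credentials are not provisioned");
        }
        for (Callback callback : callbacks) {
            if (!(callback instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(callback,
                        "Unsupported callback type");
            }
            WSPasswordCallback pc = (WSPasswordCallback) callback;
            // Answer only UsernameToken requests for the configured account;
            // any other identifier or usage is refused, not given a password.
            if (pc.getUsage() != WSPasswordCallback.USERNAME_TOKEN
                    || !expectedUser.equals(pc.getIdentifier())) {
                throw new UnsupportedCallbackException(callback,
                        "Unexpected password request");
            }
            pc.setPassword(password);
        }
    }
}
```

The value of ws-security.username must match the account name the handler expects, and the exception messages leave out both the identifier and the password so that neither reaches the CXF logging feature enabled above.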

For more information about configuring Apache CXF-based Web service clients, see http://cxf.apache.org/docs/ws-trust.html.

9.6.2 Configuring Metro-based Web Service Clients

You can configure Metro-based clients through NetBeans (an integrated development environment).

  1. Create a Web service client project in NetBeans.

  2. Right-click the project and click Create Web Service Client to create an STS client. Point the WSDL to http://<name of the identity provider server>:<port>/nidp/wstrust/sts?wsdl.

  3. Configure the username and password to access WS-Trust STS.

    The configured user must be able to authenticate against the Access Manager password-based authentication classes. You can also use the callback-based configuration in NetBeans to provide the username and password dynamically.

  4. When you create a Web service client for a Web service that is configured for STS-issued tokens, you need to specify the endpoint URL of WS-Trust STS in the Web service client properties. You can specify this in NetBeans by right-clicking Web Service References > Web Service and selecting Secure Token Service.

For more information about configuring Metro-based Web service clients, see To Specify an STS on the Service Side and To Specify an STS on the Client Side in Configuring A Secure Token Service (STS).