Access Manager WS-Trust STS can be accessed from various Web service clients. The following sections provide example configurations and sample code snippets for CXF-based and Metro-based Web service clients:
You can configure CXF-based Web service clients either programmatically or through XML configuration files. Below is a sample XML configuration. Add the following features to cxf.xml under the top-level beans section:
<cxf:bus>
    <cxf:features>
        <cxf:logging />
        <wsa:addressing />
    </cxf:features>
</cxf:bus>
Define the STS client with its properties as follows:
<jaxws:client name="{<your webservice target namespace>}WebServicePort" createdFromAPI="true">
    <jaxws:properties>
        <entry key="ws-security.sts.client">
            <bean class="org.apache.cxf.ws.security.trust.STSClient">
                <constructor-arg ref="cxf" />
                <property name="wsdlLocation" value="https://<your idp base url>/nidp/wstrust/sts?wsdl" />
                <property name="serviceName" value="{http://www.netiq.com/nam-4-0/wstrust}SecurityTokenService" />
                <property name="endpointName" value="{http://www.netiq.com/nam-4-0/wstrust}STS_Port" />
                <property name="wspNamespace" value="http://schemas.xmlsoap.org/ws/2004/09/policy" />
                <property name="properties">
                    <map>
                        <entry key="ws-security.username" value="<username to connect to idp>" />
                        <entry key="ws-security.password" value="<password>" />
                        <entry key="ws-security.encryption.properties" value="clientKeystore.properties" />
                        <entry key="ws-security.encryption.username" value="mystskey" />
                        <entry key="soap.force.doclit.bare" value="true" />
                        <entry key="soap.no.validate.parts" value="true" />
                    </map>
                </property>
            </bean>
        </entry>
    </jaxws:properties>
</jaxws:client>
Instead of storing the password in cxf.xml, you can configure ws-security.callback-handler to supply the username and password programmatically at request time. You can also define a global STS client in cxf.xml that is shared across multiple Web services.
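The following Java class is an added example (not code from the Access Manager documentation or from Apache CXF) that builds the same STSClient as the cxf.xml fragment above programmatically, and replaces the cleartext ws-security.password entry with a ws-security.callback-handler that reads the IDP password from an environment variable. The variable name NAM_STS_PASSWORD, the host idp.example.com and the user stsuser are assumptions; the WSPasswordCallback import is the WSS4J 2.x package (on CXF 2.x with WSS4J 1.x it is org.apache.ws.security.WSPasswordCallback).

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.xml.namespace.QName;
import javax.xml.ws.BindingProvider;

import org.apache.cxf.Bus;
import org.apache.cxf.BusFactory;
import org.apache.cxf.ws.security.trust.STSClient;
import org.apache.wss4j.common.ext.WSPasswordCallback;

/**
 * Programmatic equivalent of the cxf.xml STS client above, with the password
 * supplied by a CallbackHandler instead of a cleartext entry in cxf.xml.
 * Example code written for this page, not part of Access Manager or CXF.
 */
public class StsClientConfig {

    private static final String WSTRUST_NS = "http://www.netiq.com/nam-4-0/wstrust";

    /** Answers UsernameToken password requests for one configured user only. */
    public static class IdpPasswordCallbackHandler implements CallbackHandler {
        private final String expectedUser;

        public IdpPasswordCallbackHandler(String expectedUser) {
            this.expectedUser = expectedUser;
        }

        @Override
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (!(cb instanceof WSPasswordCallback)) {
                    throw new UnsupportedCallbackException(cb, "Only WSPasswordCallback is supported");
                }
                WSPasswordCallback pc = (WSPasswordCallback) cb;
                // Refuse anything other than a UsernameToken request for the expected user,
                // so a misconfiguration cannot leak the password under another identifier.
                if (pc.getUsage() != WSPasswordCallback.USERNAME_TOKEN
                        || !expectedUser.equals(pc.getIdentifier())) {
                    throw new UnsupportedCallbackException(cb,
                            "Unexpected password request for " + pc.getIdentifier());
                }
                // NAM_STS_PASSWORD is an assumed variable name; any secret store works here.
                String password = System.getenv("NAM_STS_PASSWORD");
                if (password == null || password.isEmpty()) {
                    throw new IOException("NAM_STS_PASSWORD is not set");
                }
                pc.setPassword(password);
            }
        }
    }

    /** Builds the STS client; the same property keys as in the cxf.xml fragment, minus ws-security.password. */
    public static STSClient buildStsClient(Bus bus, String idpBaseUrl, String username) {
        // The UsernameToken carries the password, so only talk to the STS over TLS.
        if (!idpBaseUrl.startsWith("https://")) {
            throw new IllegalArgumentException("STS endpoint must use HTTPS: " + idpBaseUrl);
        }
        STSClient sts = new STSClient(bus);
        sts.setWsdlLocation(idpBaseUrl + "/nidp/wstrust/sts?wsdl");
        sts.setServiceName(new QName(WSTRUST_NS, "SecurityTokenService").toString());
        sts.setEndpointName(new QName(WSTRUST_NS, "STS_Port").toString());
        sts.setWspNamespace("http://schemas.xmlsoap.org/ws/2004/09/policy");

        Map<String, Object> props = new HashMap<>();
        props.put("ws-security.username", username);
        props.put("ws-security.callback-handler", new IdpPasswordCallbackHandler(username));
        props.put("ws-security.encryption.properties", "clientKeystore.properties");
        props.put("ws-security.encryption.username", "mystskey");
        props.put("soap.force.doclit.bare", "true");
        props.put("soap.no.validate.parts", "true");
        sts.setProperties(props);
        return sts;
    }

    /** Attaches the STS client to a generated JAX-WS port proxy (the XML did this per jaxws:client). */
    public static void attachToPort(Object port, STSClient sts) {
        ((BindingProvider) port).getRequestContext().put("ws-security.sts.client", sts);
    }

    public static void main(String[] args) {
        Bus bus = BusFactory.getDefaultBus();
        // Host and user are assumed values for the example.
        STSClient sts = buildStsClient(bus, "https://idp.example.com:8443", "stsuser");
        // Object port = new YourService().getWebServicePort();  // your generated proxy
        // attachToPort(port, sts);
        System.out.println("STS client configured: " + sts);
    }
}
```

With this in place, the only credential-bearing item left on disk is clientKeystore.properties for the encryption key; the IDP password is resolved at request time and never appears in cxf.xml.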
For more information about configuring Apache CXF-based Web service clients, see http://cxf.apache.org/docs/ws-trust.html.
You can configure Metro-based clients through NetBeans (an integrated development environment).
Create a Web service client project in NetBeans.
Right-click the project and click Create Web Service Client to create an STS client. Point the WSDL to http://<name of the identity provider server>:<port>/nidp/wstrust/sts?wsdl. Use an HTTPS URL for any deployment where the password sent in the UsernameToken must not cross the network in clear.
Configure the username and password to access WS-Trust STS.
The configured user must be able to authenticate to Access Manager through one of its password-based authentication classes. You can also use the callback-based configuration in NetBeans to supply the username and password dynamically instead of storing them in the client configuration.
When you create a Web service client for a Web service that is configured for STS-issued tokens, you must specify the endpoint URL of WS-Trust STS in the Web service client properties. In NetBeans, right-click Web Service References > Web Service and select Secure Token Service.
For more information about configuring Metro-based Web service clients, see To Specify an STS on the Service Side and To Specify an STS on the Client Side in Configuring A Secure Token Service (STS).