8.6 Sample Code Analysis

8.6.1 Single Sign-on Component

In this demo, the ContentsServlet reads in the URL header that contains the unique identifier for the identity (also called the company identifier, a short name that denotes the company identity used in demonstrating Single Sign-on). The unique identifier consists of _URL, _Name, _Description, and _SiteID. These are configurable in "mmc.properties" (the contents.property.forwardservletlocation section). In real life, you may use a different schema to implement the user identity. It can also be linked to your credentials stored in the Directory Server.

Two major SAML assertion Java classes provide methods to create SAML requests and support the data transport (see Figure 8-19):

Figure 8-19 Two Major Java Classes Used to Support SAML
    import com.netegrity.jsaml.assertion.*;
    import com.netegrity.jsaml.protocol.*;

The ForwardServlet manages the process of creating a SAML Assertion request. It requires the user name, category, and the given access level and looks up whether the requester has sufficient access rights for the target partner Web site. Then the generateAssertion method of the ForwardServlet will create the conditions (such as AbstractCondition), subject (such as Security Domain, user name), authentication statement (such as authentication locality with IP address and DNS address), and the associated attributes (for example, attribute name="Partner Block").

8.6.2 FX Spot Rate Quote

The FX Spot Rate Quote requester that invokes the remote FX Spot Rate Quote engine needs to set the service end-point (URL) and the operation name. These are usually found in the WSDL published by the remote Service Provider. In this demo, the remote FX Spot Rate Quote Service is provided by xmethods.org, and the WSDL can be downloaded from http://www.xmethods.net/sd/2001/CurrencyExchangeService.wsdl.

By reading the WSDL, we can identify the service end-point as http://services.xmethods.net:80/soap (<soap:address location />), the namespace as "urn:xmethods-CurrencyExchange", and the operation name as "getRate" (<operation />). We also need to examine the input and output data types defined in the WSDL. Complex data types may need special handling or data type conversion.
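Added example (not part of the book's demo code): the same three values read programmatically with the JDK's DOM parser, configured to reject DTDs because the WSDL is supplied by a third party. The embedded WSDL is a constructed, trimmed sample; its binding, service and port names and the class name WsdlInspector are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class WsdlInspector {
    static final String WSDL_NS = "http://schemas.xmlsoap.org/wsdl/";
    static final String SOAP_NS = "http://schemas.xmlsoap.org/wsdl/soap/";

    // Constructed, trimmed WSDL carrying only the values quoted in the text.
    static final String SAMPLE =
        "<definitions xmlns='http://schemas.xmlsoap.org/wsdl/'"
        + " xmlns:soap='http://schemas.xmlsoap.org/wsdl/soap/'>"
        + "<binding name='FxBinding'><operation name='getRate'><input>"
        + "<soap:body use='encoded' namespace='urn:xmethods-CurrencyExchange'/>"
        + "</input></operation></binding>"
        + "<service name='FxService'><port name='FxPort'>"
        + "<soap:address location='http://services.xmethods.net:80/soap'/>"
        + "</port></service></definitions>";

    static Document parseUntrusted(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // The WSDL is published by a third party: reject DTDs so it cannot
        // declare external entities, and turn on the parser's resource limits.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    // First element with the given namespace and tag; fails loudly if absent.
    static String attr(Document d, String ns, String tag, String name) {
        NodeList n = d.getElementsByTagNameNS(ns, tag);
        if (n.getLength() == 0) throw new IllegalStateException("missing <" + tag + ">");
        return ((Element) n.item(0)).getAttribute(name);
    }

    public static void main(String[] args) throws Exception {
        Document wsdl = parseUntrusted(SAMPLE);
        String endpoint = attr(wsdl, SOAP_NS, "address", "location");
        System.out.println("end-point: " + endpoint);
        System.out.println("namespace: " + attr(wsdl, SOAP_NS, "body", "namespace"));
        System.out.println("operation: " + attr(wsdl, WSDL_NS, "operation", "name"));
        if (!endpoint.startsWith("https://"))
            System.out.println("note: plain-HTTP end-point, quotes are not protected in transit");
    }
}
```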

The program in Figure 8-20 is extracted to highlight how a SOAP client is used to invoke a remote FX Spot Rate Quote Service. Apache Axis (the next generation of the Apache SOAP engine; refer to http://xml.apache.org/axis) is used to illustrate that the demo is ready for the next-generation SOAP engine. The same FX Spot Rate Quote Web Service can also be invoked by an Apache SOAP client or a Perl client (using SOAP-Lite; refer to http://www.soaplite.com).

Figure 8-20 Sample Client Invoking FX Spot Rate Quote Service
    package com.sun.webservicedemo;

    import java.math.BigDecimal;
    import java.util.*;
    import org.apache.axis.client.Call;
    import org.apache.axis.client.Service;
    import org.apache.axis.AxisFault;
    import org.apache.axis.encoding.XMLType;
    import org.apache.axis.utils.Options;
    import javax.xml.namespace.QName;

    public class FXProviderImpl implements FXProviderIF {

        // FX conversion rate
        public String getPrice(String sellCurrency, String buyCurrency) {
            String sell = "";
            String buy = "";
            String myQuote = "";

            // Mapping input parameter for the remote FX quote engine
            if (sellCurrency.equalsIgnoreCase("HKD"))
                sell = "hong kong";
            if (sellCurrency.equalsIgnoreCase("USD"))
                sell = "us";
            if (sellCurrency.equalsIgnoreCase("EUR"))
                sell = "euro";
            if (sellCurrency.equalsIgnoreCase("RMB"))
                sell = "china";
            if (sellCurrency.equalsIgnoreCase("SGD"))
                sell = "singapore";
            if (sellCurrency.equalsIgnoreCase("MYR"))
                sell = "malaysia";

            if (buyCurrency.equalsIgnoreCase("HKD"))
                buy = "hong kong";
            if (buyCurrency.equalsIgnoreCase("USD"))
                buy = "us";
            if (buyCurrency.equalsIgnoreCase("EUR"))
                buy = "euro";
            if (buyCurrency.equalsIgnoreCase("RMB"))
                buy = "china";
            if (buyCurrency.equalsIgnoreCase("SGD"))
                buy = "singapore";
            if (buyCurrency.equalsIgnoreCase("MYR"))
                buy = "malaysia";

            try {
                String endpoint = "http://services.xmethods.net:80/soap";
                Service service = new Service();
                Call call = (Call) service.createCall();
                call.setTargetEndpointAddress(new java.net.URL(endpoint));
                call.setOperationName(new QName("urn:xmethods-CurrencyExchange", "getRate"));
                Object resp = call.invoke(new Object[] { sell, buy });
                Float ret = (Float) resp;
                myQuote = (String) ret.toString();
                // System.out.println("We offer you a spot rate of " + ret + " for "
                //     + sellCurrency + "-" + buyCurrency
                //     + " if you confirm acceptance in 3 seconds today.");
            } catch (Exception e) {
                System.err.println(e.toString());
            }
            return myQuote;
        } // getPrice
    } // class

8.6.3 Secure Message Service

We choose a WS-Security implementation to provide the secure message service. VeriSign's Trust Service Integration Kit (TSIK) is one of the early WS-Security implementations (another is XML Key Management Service). WS-Security can work with multiple security token implementations, ranging from Kerberos tickets to digital certificates, and provides XML encryption and XML digital signature. Refer to Chapter 7, Web Services Security, for details. The advantage is that developers can rely on the secure message service provided by WS-Security for data transport and message security and focus on the application business logic in the server code. This decouples the security-related logic from the application business logic, instead of tightly coupling security processing logic into the application code. WS-Security also integrates with SSL over HTTPS to ensure the client-server connection is secure.

To create a TSIK Client, you need to create a message (Document), get the client's private key and certificate, get the service's certificate, create a "trust verifier" using the X.509v3 certificate (see method below), and generate the data encryption key (for example, Triple DES key with SHA-1). Then you need to create the transport with the client's private key and certificate, send the message over the transport, and retrieve the contents from a response message. Finally, you can create and retrieve a SOAP fault element (see Figure 8-21).

Figure 8-21 Sample XKMS Trust Verifiers
    import org.xmltrustcenter.verifier.SimpleTrustVerifier;
    ...
    trustVerifier = new SimpleTrustVerifier(
        Collections.singleton(clientCert.getPublicKey()));

In this demo, the ProfileServlet (which retrieves the currency name with a given currency code) reads in a predefined key store, which is an X.509v3 certificate, and creates a "trust verifier" as follows: It receives a message and converts it to a SOAPMessage. It verifies the requester's signature, decrypts the SOAP request body, creates a response message, and then encrypts the response body. The ProfileServlet will not proceed to retrieve the currency description if the certificate cannot be verified.
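Added example (not TSIK code and not from the book's demo): the fail-closed order described above, reduced to the JDK's own java.security classes. Trust is a pinned set of public keys, as in the Collections.singleton(...) call of Figure 8-21, and the lookup runs only after both the trust check and the signature check pass. The class name, the handle method, the message bodies and the SHA256withRSA algorithm are assumptions made for this sketch.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Signature;
import java.util.Collections;
import java.util.Set;

public class PinnedKeyCheck {
    static final String ALG = "SHA256withRSA"; // assumption: a current algorithm, not the demo's

    static byte[] sign(KeyPair kp, byte[] msg) throws Exception {
        Signature s = Signature.getInstance(ALG);
        s.initSign(kp.getPrivate());
        s.update(msg);
        return s.sign();
    }

    // Hypothetical handler: returns the reply, or null when the request is refused.
    static String handle(Set<PublicKey> trusted, PublicKey signer,
                         byte[] body, byte[] sig) throws Exception {
        // 1. Trust decision: the signer's key must be one of the pinned keys.
        if (!trusted.contains(signer)) return null;
        // 2. Integrity: the signature must verify over exactly this body.
        Signature v = Signature.getInstance(ALG);
        v.initVerify(signer);
        v.update(body);
        if (!v.verify(sig)) return null;
        // 3. Only now run the business logic (constructed lookup result).
        return "Hong Kong Dollar";
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        KeyPair client = g.generateKeyPair();    // key the service has pinned
        KeyPair stranger = g.generateKeyPair();  // well-formed key, but not pinned
        Set<PublicKey> trusted = Collections.singleton(client.getPublic());

        // Constructed request bodies.
        byte[] body = "<getName>HKD</getName>".getBytes(StandardCharsets.UTF_8);
        byte[] altered = "<getName>USD</getName>".getBytes(StandardCharsets.UTF_8);

        System.out.println("pinned key:   " + handle(trusted, client.getPublic(), body, sign(client, body)));
        System.out.println("unpinned key: " + handle(trusted, stranger.getPublic(), body, sign(stranger, body)));
        System.out.println("altered body: " + handle(trusted, client.getPublic(), altered, sign(client, body)));
    }
}
```

The second case is the one to note: the stranger's signature is mathematically valid, and it is the trust check, not the signature check, that refuses it.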

8.6.4 Integration of Different Components

There are two files that need to be replaced in order to integrate the FX Spot Rate Quote Service with the jSAML Single Sign-on demo program. First, we simply modify the file "defaultContent.htm" (the page that originally shows local contents) under %JWSDP_HOME%\webapps\ContentProvider\docs. This is the HTML page that the ArticleServlet redirects to upon successful SAML Assertion processing and access approval. Next, you also need to modify the entry in entries.xml under the directory %JWSDP_HOME%\webapps\MMC\conf to display the FX Spot Rate Quote Service (see Figure 8-22):

Figure 8-22 Sample Configuration File for jSAML Demo
    <Entry>
        <Name>FX Spot Rate Quote</Name>
        <URL>http://localhost:8080/ContentProvider/docs/defaultContent.htm</URL>
        <Description>Online indicative Foreign Exchange Spot Rate quote service to meet your traveling and online shopping needs</Description>
        <SiteID>0001</SiteID>
    </Entry>


J2EE Platform Web Services
ISBN: 0131014021
EAN: 2147483647
Year: 2002
Pages: 127
Authors: Ray Lai
