Using Handler Methods for SOAP Headers
The VMware vCenter Single Sign On SDK provides sample code that is an extension of the JAX-WS XML Web services message handler (javax.xml.ws.handler). The sample code consists of a set of SOAP header handler methods and a header handler resolver, to which you add the handler methods. The handler methods insert timestamp, user credential, and message signature data into the SOAP security header for the request. A handler method extracts the SAML token from the vCenter Single Sign On Server response.
The VMware vCenter Single Sign On client SOAP header handler files are located in the soaphandlers directory:
SDK/sso/java/JAXWS/samples/com/vmware/sso/client/soaphandlers
To access the SOAP handler implementation, the example code contains the following import statements:
import com.vmware.sso.client.soaphandlers.HeaderHandlerResolver;
import com.vmware.sso.client.soaphandlers.SSOHeaderHandler;
import com.vmware.sso.client.soaphandlers.SamlTokenExtractionHandler;
import com.vmware.sso.client.soaphandlers.TimeStampHandler;
import com.vmware.sso.client.soaphandlers.UserCredentialHandler;
import com.vmware.sso.client.soaphandlers.WsSecurityUserCertificateSignatureHandler;
This example uses the following handler elements:
The following sequence shows the operations and corresponding Java elements for message security.
1. Create an STS service object (STSService_Service). This object will bind the handlers to the request and provide access to the issue method.
2. Create a handler resolver object (HeaderHandlerResolver). This object acts as a receptacle for the handlers.
Timestamp – The handler will use system time to set the timestamp values.
User credential – The handler requires a username and a password; it will create a username token for the supplied values.
User certificate signature – The handler requires a private key and an X.509 certificate. The handler will use the private key to sign the body of the SOAP message (the token request), and it will embed the certificate in the SOAP security header.
SAML token extraction – The handler extracts the SAML token directly from the vCenter Single Sign On Server response to avoid token modification by the JAX-WS bindings.
The following code fragment creates a handler resolver and adds the handler methods to the handler resolver. After the handlers have been established, the client creates a token request and calls the Issue method. See Sending a Request for a Security Token.
Example: Acquiring a vCenter Single Sign On Token – Soap Handlers
/*
* Instantiate the STS Service
*/
STSService_Service stsService = new STSService_Service();
 
/*
* Instantiate the HeaderHandlerResolver.
*/
HeaderHandlerResolver headerResolver = new HeaderHandlerResolver();
 
/*
* Add handlers to insert a timestamp and username token into the SOAP security header
* and sign the message.
*
* -- Timestamp contains the creation and expiration time for the request
* -- UsernameToken contains the username/password
* -- Sign the SOAP message using the combination of private key and user certificate.
*
* Add the TimeStampHandler
*/
headerResolver.addHandler(new TimeStampHandler());
 
/*
* Add the UserCredentialHandler. args[1] is the username; args[2] is the password.
*/
UserCredentialHandler ucHandler = new UserCredentialHandler(args[1], args[2]);
headerResolver.addHandler(ucHandler);
 
/*
* Add the message signature handler (WsSecurityUserCertificateSignatureHandler);
* The client is responsible for supplying the private key and certificate.
*/
SSOHeaderHandler ssoHandler =
    new WsSecurityUserCertificateSignatureHandler(privateKey, userCert);
headerResolver.addHandler(ssoHandler);
 
/*
* Add the token extraction handler (SamlTokenExtractionHandler).
*/
SamlTokenExtractionHandler sbHandler = new SamlTokenExtractionHandler();
headerResolver.addHandler(sbHandler);
 
/*
* Set the handlerResolver for the STSService to the HeaderHandlerResolver created above.
*/
stsService.setHandlerResolver(headerResolver);
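
The SAML token extraction handler described above reads the token from the response before the JAX-WS bindings can alter it. The following added illustration (not the SDK's SamlTokenExtractionHandler source) shows how a JAX-WS SOAP handler can capture the assertion element from the inbound message; the class name RawAssertionCaptureHandler and the SAML 2.0 namespace are assumptions.

```java
import java.util.Collections;
import java.util.Set;
import javax.xml.namespace.QName;
import javax.xml.soap.SOAPException;
import javax.xml.ws.WebServiceException;
import javax.xml.ws.handler.MessageContext;
import javax.xml.ws.handler.soap.SOAPHandler;
import javax.xml.ws.handler.soap.SOAPMessageContext;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

// Added illustration; the class name is hypothetical and this is not the SDK's handler source.
public class RawAssertionCaptureHandler implements SOAPHandler<SOAPMessageContext> {
    // Assumption: the server issues SAML 2.0 assertions.
    private static final String SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    private Element assertion; // DOM node exactly as it arrived on the wire

    @Override
    public boolean handleMessage(SOAPMessageContext ctx) {
        if (Boolean.TRUE.equals(ctx.get(MessageContext.MESSAGE_OUTBOUND_PROPERTY))) {
            return true; // requests carry no token; only inspect responses
        }
        try {
            NodeList hits = ctx.getMessage().getSOAPBody()
                    .getElementsByTagNameNS(SAML2_NS, "Assertion");
            // Refuse ambiguous responses instead of guessing which element is the token.
            if (hits.getLength() != 1) {
                throw new WebServiceException(
                        "Expected exactly one SAML assertion, found " + hits.getLength());
            }
            // Keep the node itself: unmarshalling to JAXB objects and marshalling back
            // can change namespace prefixes or whitespace and invalidate the signature.
            assertion = (Element) hits.item(0);
        } catch (SOAPException e) {
            throw new WebServiceException("Cannot read SOAP body", e);
        }
        return true;
    }

    /** Returns the captured assertion, or null if no response has been processed. */
    public Element getToken() { return assertion; }

    @Override public boolean handleFault(SOAPMessageContext ctx) { return true; }
    @Override public void close(MessageContext ctx) { }
    @Override public Set<QName> getHeaders() { return Collections.emptySet(); }
}
```

A handler of this shape is registered through the handler resolver like the others, and the captured element is read after the Issue call returns.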