
24.10.2006 The SOSI library ver 1.1: Client, Server, STS/IdP. SOSI – ver 1.1.


1 The SOSI library ver 1.1: Client, Server, STS/IdP (SOSI – ver 1.1)

2 Agenda
● DGWS – development by contract (WSDL)
● WS-I Basic Profile 1.1
● Code examples
  Client: CredentialVault, SOSIFactory, ID Card, WS-Trust RequestSecurityToken Request
  STS/IdP: Validate ID Card
  Service: Request-Reply
● HTTPS handling
● OCES certificates

3 SOSI – ver 1.1: Den Gode Webservice (DGWS, "the good web service")

4 SOSI – ver 1.1: Den Gode Webservice - security levels
SOSI currently supports levels 3 and 4.
Level 3: A company certificate (VOCES) vouches that an employee or a system is a trusted party.
Level 4: An employee certificate (MOCES) vouches personally for the employee's authenticity. Note that this involves a client signature!
The above is validated by the STS/IdP in SOSI.

5 SOSI – ver 1.1: Den Gode Webservice - status codes

6 SOSI – ver 1.1: Den Gode Webservice

7 SOSI – ver 1.1: Den Gode Webservice. WS-I Basic Profile 1.1; WS-I Interoperability Testing Tools 1.1

8 SOSI – ver 1.1 Example: Client, initialise the CredentialVault

    // Load the keystore file from the classpath
    CredentialVault credentialVault = new ClassPathCredentialVault("mypasswd");
    // ... or load it from the file system
    credentialVault = new FileBasedCredentialVault(new File("mykeystore.jks"), "passwd");
    // ... or provide your own implementation (DatabaseCredentialVault stands in for one here)
    credentialVault = new DatabaseCredentialVault("mypassword");

9 SOSI – ver 1.1 Example: Client, create the SOSI factory

Setting up properties. The library can be customized with a few properties that are passed to the constructor of the SOSIFactory. Currently the only supported properties are:

sosi:validate = {"true", "false"}
    Indicates whether or not the DOM parser should validate SOSI envelopes against the XML schemas. The default value is "true" (i.e. if the property is not specified, the library validates).

sosi:issuer = "some String"
    The name of the system that is using the library. The value is inserted into ID cards when new ID card model objects are issued. The default value is "TheSOSILibrary".

    SOSIFactory factory = new SOSIFactory(credentialVault, System.getProperties());
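As an added example (not code from the slides or from the SOSI library), the set-up below builds the property set in code instead of handing the factory System.getProperties(), so that nothing outside the application, such as a -Dsosi:validate=false on the JVM command line, can switch schema validation of incoming envelopes off. SOSIFactory, CredentialVault and FileBasedCredentialVault are the library names used on the slides (their package imports are left out); SosiFactoryConfig is a name chosen here.

```java
import java.io.File;
import java.util.Properties;

// Added example: explicit, in-code SOSIFactory configuration.
// SOSIFactory, CredentialVault and FileBasedCredentialVault are the library
// classes from the slides; package imports are omitted.
public final class SosiFactoryConfig {

    private SosiFactoryConfig() {}

    /** The two properties the slide documents, with validation forced on. */
    public static Properties hardenedProperties(String issuerName) {
        if (issuerName == null || issuerName.trim().isEmpty()) {
            throw new IllegalArgumentException("sosi:issuer must name the calling system");
        }
        Properties props = new Properties();
        props.setProperty("sosi:validate", "true");   // never inherited from the environment
        props.setProperty("sosi:issuer", issuerName); // replaces the default "TheSOSILibrary"
        return props;
    }

    /** Guard for property sets that do come from outside: refuse to start without validation. */
    public static void requireValidation(Properties props) {
        String validate = props.getProperty("sosi:validate", "true"); // "true" is the library default
        if (!"true".equalsIgnoreCase(validate.trim())) {
            throw new IllegalStateException(
                "sosi:validate=" + validate + " would skip schema validation of SOSI envelopes");
        }
    }

    /** Builds the factory the way the slide does, but from the hardened property set. */
    public static SOSIFactory createFactory(File keystore, String password, String issuerName) {
        CredentialVault vault = new FileBasedCredentialVault(keystore, password);
        Properties props = hardenedProperties(issuerName);
        requireValidation(props);
        return new SOSIFactory(vault, props);
    }
}
```

requireValidation is the check to keep even if the property set must come from a deployment file: the parser's schema validation is the first line of defence against malformed envelopes, and a silently inherited "false" is easy to miss.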

10 SOSI – ver 1.1 Example: Client, create the ID card

    IDCard idCard = null;
    if (level == AuthenticationLevel.VOCES_TRUSTED_SYSTEM.getLevel()) {
        // Level 3: a system ID card, vouched for by the system's VOCES certificate
        idCard = factory.createNewSystemIDCard(
            systemName,
            new CareProvider(SubjectIdentifierTypeValues.CVR_NUMBER, orgCVR, orgName),
            factory.getCredentialVault().getSystemCredentialPair().getCertificate());
    } else if (level == AuthenticationLevel.MOCES_TRUSTED_USER.getLevel()) {
        // Level 4: a user ID card, which the user must later sign with a MOCES certificate
        idCard = factory.createNewUserIDCard(
            systemName,
            cpr,
            givenName,
            surName,
            null, // argument missing on the original slide
            "Doctor".equals(occupation) ? UserRole.DOCTOR : UserRole.NURSE,
            new CareProvider(SubjectIdentifierTypeValues.CVR_NUMBER, orgCVR, orgName),
            "2101", // authorizationCode
            AuthenticationLevel.MOCES_TRUSTED_USER,
            factory.getCredentialVault().getSystemCredentialPair().getCertificate());
    }

11 SOSI – ver 1.1 Example: Client, Request Security Token

    import java.security.PrivateKey;
    import java.security.Signature;

    SecurityTokenRequest securityTokenRequest = factory.createNewSecurityTokenRequest();
    securityTokenRequest.setIDCard(idCard);
    Document doc = securityTokenRequest.serialize2DOMDocument();
    if (level == AuthenticationLevel.MOCES_TRUSTED_USER.getLevel()) {
        // Sign the document - should be done externally with the user's MOCES signature
        byte[] siBytes = securityTokenRequest.getIDCard().getBytesForSigning(
            doc, factory.getCredentialVault().getSystemCredentialPair().getCertificate());
        // Should be done externally with the user's MOCES signature; the system key stands in here
        Signature jceSign = Signature.getInstance("SHA1withRSA");
        PrivateKey key = factory.getCredentialVault().getSystemCredentialPair().getPrivateKey();
        jceSign.initSign(key);
        jceSign.update(siBytes);
        String signature = XmlUtil.toBase64(jceSign.sign());
        securityTokenRequest.getIDCard().injectSignature(signature);
    }
    // Call the STS/IdP (callIdpService is the application's own transport code)
    String xml = XmlUtil.node2String(doc, false, true);
    SecurityTokenResponse response = callIdpService(xml);
    if (!response.isFault()) {
        idCard = response.getIDCard(); // the returned ID card carries the IdP's signature
    } else {
        // Error
    }

12 SOSI – ver 1.1 Example: Client, create the service Request

    Request request = factory.createRequest(
        false, // don't require a non-repudiation receipt
        null   // optional flow ID (not used here)
    );
    request.setIDCard(idCard);
    Element body = null; // the service-specific payload element; omitted on the original slide
    request.setBody(body);
    Document doc = XmlUtil.createEmptyDocument();
    request.serialize2DOMDocument(doc);
    String xml = XmlUtil.node2String(doc, false, true);
    Reply reply = callService(xml); // callService is the application's own transport code
    if (!reply.isFault()) {
        // Success: process the reply
    } else {
        // Error
    }
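Slides 10 to 12 are fragments of one client flow, and slide 11 twice notes that the MOCES signature "should be done externally" while demonstrating with the system key. The class below is an added example (not code from the slides or from the SOSI library) that joins the three steps and puts the signing step behind an interface, so the user's private key never has to be present in the calling application. SOSIFactory, IDCard, SecurityTokenRequest, SecurityTokenResponse, Request, Reply, AuthenticationLevel and XmlUtil are the library classes used on the slides (package imports omitted, and the certificate passed to getBytesForSigning is assumed to be the signer's own certificate). MocesSigner, SosiTransport, SoftwareKeySigner and SosiFlowException are hypothetical types defined here; the ID card itself is built as on slide 10 and passed in.

```java
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.X509Certificate;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

// Added example: slides 10-12 as one flow, with MOCES signing delegated.
// SOSI library classes are those from the slides; package imports omitted.
public final class SosiClientFlow {

    /** Produces the user's signature over bytes the library prepared. In production this is
     *  implemented by smart-card or browser-side code, not by a key held in the server. */
    public interface MocesSigner {
        X509Certificate certificate();
        byte[] sign(byte[] bytesForSigning) throws Exception;
    }

    /** The application's own HTTPS transport for the two calls on the slides (hypothetical). */
    public interface SosiTransport {
        SecurityTokenResponse callIdpService(String xml);
        Reply callService(String xml);
    }

    /** For test environments only: the slide's SHA1withRSA code behind the interface. */
    public static final class SoftwareKeySigner implements MocesSigner {
        private final PrivateKey key;
        private final X509Certificate cert;
        public SoftwareKeySigner(PrivateKey key, X509Certificate cert) { this.key = key; this.cert = cert; }
        public X509Certificate certificate() { return cert; }
        public byte[] sign(byte[] bytesForSigning) throws Exception {
            Signature jce = Signature.getInstance("SHA1withRSA");
            jce.initSign(key);
            jce.update(bytesForSigning);
            return jce.sign();
        }
    }

    public static final class SosiFlowException extends Exception {
        public SosiFlowException(String message) { super(message); }
        public SosiFlowException(String message, Throwable cause) { super(message, cause); }
    }

    private final SOSIFactory factory;
    private final SosiTransport transport;

    public SosiClientFlow(SOSIFactory factory, SosiTransport transport) {
        this.factory = factory;
        this.transport = transport;
    }

    /** Exchanges a locally built ID card (slide 10) for one signed by the IdP (slide 11).
     *  Level 4 cards need a MocesSigner; for level 3 cards pass null. */
    public IDCard exchangeForIdpSignedCard(IDCard idCard, int level, MocesSigner signer) throws SosiFlowException {
        SecurityTokenRequest req = factory.createNewSecurityTokenRequest();
        req.setIDCard(idCard);
        Document doc = req.serialize2DOMDocument();

        if (level == AuthenticationLevel.MOCES_TRUSTED_USER.getLevel()) {
            if (signer == null) {
                throw new SosiFlowException("level 4 requires the user's own MOCES signature");
            }
            try {
                // The library decides what is signed; only the signing itself happens outside it.
                byte[] toSign = req.getIDCard().getBytesForSigning(doc, signer.certificate());
                req.getIDCard().injectSignature(XmlUtil.toBase64(signer.sign(toSign)));
            } catch (Exception e) {
                throw new SosiFlowException("MOCES signing failed", e);
            }
        } else if (level != AuthenticationLevel.VOCES_TRUSTED_SYSTEM.getLevel()) {
            throw new SosiFlowException("unsupported authentication level " + level);
        }

        SecurityTokenResponse response = transport.callIdpService(XmlUtil.node2String(doc, false, true));
        if (response.isFault()) {
            // Never fall back to the locally built card: without the IdP signature no service accepts it.
            throw new SosiFlowException("STS/IdP rejected the ID card");
        }
        return response.getIDCard();
    }

    /** Builds and sends a service request carrying the IdP-signed card (slide 12). */
    public Reply callService(IDCard idpSignedCard, Element payload) throws SosiFlowException {
        Request request = factory.createRequest(false, null); // no receipt, no flow ID
        request.setIDCard(idpSignedCard);
        request.setBody(payload);
        Document doc = XmlUtil.createEmptyDocument();
        request.serialize2DOMDocument(doc);
        Reply reply = transport.callService(XmlUtil.node2String(doc, false, true));
        if (reply.isFault()) {
            throw new SosiFlowException("service answered with a SOAP fault");
        }
        return reply;
    }
}
```

The design point is the MocesSigner boundary: the library computes the exact bytes to sign, the signing happens wherever the employee's MOCES key lives, and only the signature comes back. SoftwareKeySigner exists so the flow can be exercised with a test keystore; it is not a substitute for the user's own signature at level 4.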

13 SOSI – ver 1.1 Example: STS/IdP, validate the ID card

    securityTokenRequest = factory.deserializeSecurityTokenRequest(requestXML);
    // Verification of the information in the ID card should be placed here
    // (verifyAndDecorate is the STS's own policy code, not part of the library)
    if (!verifyAndDecorate(securityTokenRequest.getIDCard())) {
        securityTokenResponse = factory.createNewSecurityTokenErrorResponse(
            securityTokenRequest.getMessageID(),
            "wst:InvalidRequest",
            "The request was invalid or malformed");
    } else {
        // Create the WS-Trust response body
        securityTokenResponse = factory.createNewSecurityTokenResponse(securityTokenRequest.getMessageID());
        // Attach a new ID card based on the data from the requestor's ID card.
        // The new ID card is signed with the IdP's VOCES key.
        securityTokenResponse.setIDCard(factory.copyToVOCESSignedIDCard(securityTokenRequest.getIDCard()));
    }
    Document responseDoc = XmlUtil.createEmptyDocument();
    securityTokenResponse.serialize2DOMDocument(responseDoc);
    String responseXML = XmlUtil.node2String(responseDoc, false, true);

14 SOSI – ver 1.1 Example: Service, Request and Reply

    Request request = factory.deserializeRequest(xml);
    // This implicitly verifies the IdP signature on the ID card.
    IDCard idCard = request.getIDCard();
    Element body = request.getBody();
    Reply reply = factory.createNewReply(
        request.getMessageID(),
        request.getFlowID(),
        FlowStatusValues.FLOW_FINALIZED_SUCCESFULLY);
    reply.setIDCard(systemIDCard); // the service's own (level 3) system ID card
    Element replyBody = null; // the reply payload element; omitted on the original slide
    reply.setBody(replyBody);
    Document domDocument = reply.serialize2DOMDocument();
    String replyXML = XmlUtil.node2String(domDocument, false, true);
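Slide 13 leaves verification of the ID card to a verifyAndDecorate hook, and slide 14 relies on deserialization to check the IdP signature but applies no policy of its own. The class below is an added example (not code from the slides or from the SOSI library) of one policy object that serves both places: it applies the two levels slide 4 says SOSI supports, a minimum level per endpoint, the card's validity period, and the sosi:issuer name from slide 9. IDCard, AuthenticationLevel, SOSIFactory, SecurityTokenRequest, SecurityTokenResponse and Request are the library classes from the slides (package imports omitted); the accessors idCard.getAuthenticationLevel(), idCard.isValidInTime() and idCard.getIssuer() are assumed to exist on the library's IDCard interface, and IdCardPolicy is a name chosen here.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

// Added example: ID-card policy shared by the STS (slide 13) and a service (slide 14).
// Library classes are those from the slides; package imports omitted. The IDCard
// accessors getAuthenticationLevel(), isValidInTime() and getIssuer() are assumed.
public final class IdCardPolicy {

    /** Levels the slides say SOSI supports: 3 (VOCES system) and 4 (MOCES user). */
    private static final Set<Integer> SUPPORTED_LEVELS = new HashSet<Integer>(Arrays.asList(
            AuthenticationLevel.VOCES_TRUSTED_SYSTEM.getLevel(),
            AuthenticationLevel.MOCES_TRUSTED_USER.getLevel()));

    private final Set<String> knownIssuers; // sosi:issuer values of registered calling systems
    private final int minimumLevel;         // what this endpoint requires (3 or 4)

    public IdCardPolicy(Set<String> knownIssuers, int minimumLevel) {
        if (!SUPPORTED_LEVELS.contains(minimumLevel)) {
            throw new IllegalArgumentException("minimum level must be 3 or 4");
        }
        this.knownIssuers = new HashSet<String>(knownIssuers);
        this.minimumLevel = minimumLevel;
    }

    /** Returns null when the card is acceptable, otherwise a reason usable as a fault string. */
    public String check(IDCard idCard) {
        if (idCard == null) return "no ID card in request";
        int level = idCard.getAuthenticationLevel().getLevel();
        if (!SUPPORTED_LEVELS.contains(level)) return "unsupported authentication level " + level;
        if (level < minimumLevel) return "authentication level " + level + " below required " + minimumLevel;
        if (!idCard.isValidInTime()) return "ID card outside its validity period";
        if (!knownIssuers.contains(idCard.getIssuer())) return "ID card issued by an unregistered system";
        return null;
    }

    /** STS side (slide 13): the body of the verifyAndDecorate branch, with the reason in the fault. */
    public SecurityTokenResponse respond(SOSIFactory factory, SecurityTokenRequest request) {
        String problem = check(request.getIDCard());
        if (problem != null) {
            // Reject before re-signing: an STS that copies unchecked cards turns itself into a signing oracle.
            return factory.createNewSecurityTokenErrorResponse(
                request.getMessageID(), "wst:InvalidRequest", problem);
        }
        SecurityTokenResponse ok = factory.createNewSecurityTokenResponse(request.getMessageID());
        ok.setIDCard(factory.copyToVOCESSignedIDCard(request.getIDCard()));
        return ok;
    }

    /** Service side (slide 14): the IdP signature is already verified by deserializeRequest,
     *  but the service still decides whether this card's level and issuer are enough for it. */
    public boolean accepts(Request request) {
        return check(request.getIDCard()) == null;
    }
}
```

An STS would be configured with minimumLevel 3 and the registry of calling systems; a service that exposes patient data to people rather than systems would use the same class with minimumLevel 4, so that a level 3 system card signed by the IdP is still refused there.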

