Wednesday 22 August 2012

The Security Token Service

With the release of Fuse ESB Enterprise 7.0.1, the Web Services Security Guide (for Apache CXF) has been expanded to cover the Security Token Service (STS).

A full implementation of the STS was recently added to the Apache CXF codebase. This implementation has a highly modular and customisable architecture, as you can see from the following architecture overview:



For example, the token Issue operation can be customised by plugging in a SAMLTokenProvider or an SCTProvider (secure conversation token provider); and the token Validate operation can be customised by plugging in one of the token validators, SAMLTokenValidator, UsernameTokenValidator, X509TokenValidator, or SCTTokenValidator.

The STS implementation has a number of special features, including:

  • Support for embedding Claims data in issued tokens.
  • Support for the AppliesTo policy (which enables you to centralise token issuing requirements).
  • Support for security realms.

These are all described in the new doc, in The Security Token Services chapter.

Tuesday 17 July 2012

New FAB Videos

Recently, I have worked on producing a couple of videos that explain Fuse Application Bundles (FABs). A FAB is basically a new way of deploying applications into an OSGi container that can make your life a whole lot easier. This technology has been developed by my engineering colleagues at FuseSource and is open sourced at GitHub.

If you have ever built and deployed OSGi bundles using Maven, you might have experienced the frustration of adding a whole lot of package dependencies into the Maven bundle plugin. You have already specified all of your dependencies as Maven dependencies, and here you are doing it all over again! Is it really necessary? Well, if you are using FABs, it's not. The key idea of FABs is to leverage the existing Maven dependency metadata and use that metadata to figure out the requisite OSGi package dependencies.

The first video explains this basic concept and also explains the difference between shared and non-shared dependencies in a FAB project:



As we started to use FABs in practical applications, it soon became clear how important it is to distinguish between dependencies already provided by the container and other artifacts. Recently, our engineering team has done a lot of work to make FABs smarter, so that they can recognise provided dependencies automatically.

The second video shows a practical example of how to prepare a Maven project for FAB deployment and explains the importance of setting the dependency's <scope> tag correctly: