SAML2 authentication in Axis2 using external STS - Part 1

Page content

In enterprise service infrastructures security and secure token handling is a major requirement. WS-Security implements a standard way for SOAP based webservice security.

Token based authorization for web services provides the ability to securely pass information about an end user between the Identity Provider (Authority) and the Service Provider. The Identity Provider manages identity information that Service Provider use to authorize their services. In most infrastructures the Token based authentication using an Identity Provider is used to implement a single sign on

The following article starts with the setup of Axis2 on top of Tomcat9 and then describes the way of validating SAML2 Tokens in WS-Security infrastructure.

The download page provides md5, sha1 and pgp checksums and signatures to verify the downloaded files.

  • Set enviroment variables for Axis2
    • $ export AXIS2_HOME=/path/to/extracted-binary-distribution
    • and/or add the export command to .bashrc or similar

The binary distribution of Axis2 is used for development environment and compiling the service.


Setting up Axis2 in Tomcat 9

Running Apache Axis2 in Tomcat 9 is straight forward and simply requires deploying the Apache Axis2 WAR-File distribution in Tomcats ‘webapps’ folder.

To test the deployment, point the browser to http://localhost:8080/axis2. Navigating to ‘Services’ shows a single service that returns the Axis2 version.


Start with building a service

This article does not cover all steps to create a new webservice nor creating a client. Apache Axis2 has a nice quickstart guide that describes the most important steps necessary to build a new service. A client that should use our secured webservice has to send a SOAP request containing a SAML2 token in its header.

Here I assume you created the StockQuoteService example service as described in “Deploying POJOs” section of the the quickstart guide. The source code comes with the binary distribution in $AXIS2_HOME/samples/quickstart. If so, there should be the following directory tree:

Source directoy tree

  quickstart
  |- README.txt
  |- build.xml
  |- resources
  | |- META-INF
  |   |- services.xml
  |- src
    |- samples
      |- quickstart
        |- service
          |- pojo
            |- StockQuoteService.java

After building the service

  quickstart/build/classes
  |- META-INF
  | |- services.xml
  |- samples
    |- quickstart
      |- service
        |- pojo
          |- StockQuoteService.class

The next part shows how to extract the SOAP header and describes the basic structure of the token.