Clojure wrapper for web-service security libraries.
This can be used in two ways:
- as an HTTP proxy that runs as a standalone process
- as clj-http (client-side) middleware in your HTTP client
The HTTP proxy listens for plain HTTP requests (not HTTPS!) on whatever port you specify. When your client code sends an HTTP request to it, the proxy wraps that request in a secured (WS-Security) request and forwards it to the remote server. Because the listener is unencrypted and the proxy trusts the identity headers it receives (see below), bind it to localhost or another trusted network: anyone who can reach the port can assert any end-user identity.
clawss adds a sender-vouches SAML assertion to the WS-Security header of each outbound request. This identifies the end user on whose behalf the request is being made; with the sender-vouches confirmation method the remote service relies on the caller (authenticated by its signature and client certificate) to vouch for that identity rather than verifying it itself.
To identify the end user, you need to supply two values. They end up in the SAML assertion as the text of the NameID element and its Format attribute (`<saml:NameID Format="...">...</saml:NameID>`).
In middleware mode, put these two keys in the clj-http request map:
- :subject-name
- :subject-name-type
In proxy mode, send them as these two headers on the inbound HTTP request (the request your client sends to the proxy):
- x-subject-name
- x-subject-name-type
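The following is an added illustration, not code from clawss itself: it shows the identity arriving either way (request-map keys in middleware mode, headers in proxy mode) and the `saml:Subject` the two values become. The function names, the short-alias table for `:subject-name-type` and the strict rejection of unknown formats are this example's own assumptions; clawss may simply expect the full Format URI.

```clojure
(ns clawss-example.subject
  (:require [clojure.string :as str]))

;; Well-known SAML NameID Format URIs (SAML 2.0 Core, section 8.3). The short
;; aliases on the left are a convenience of this example, not a clawss feature.
(def name-id-formats
  {"unspecified"     "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
   "emailAddress"    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
   "X509SubjectName" "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
   "persistent"      "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
   "transient"       "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"})

;; SubjectConfirmation method meaning "the sender vouches for this subject".
(def sender-vouches "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches")

(defn- lower-headers
  "HTTP header names are case-insensitive; normalise them so that
  x-subject-name and X-Subject-Name are treated alike."
  [headers]
  (into {} (map (fn [[k v]] [(str/lower-case (name k)) v]) headers)))

(defn resolve-format
  "Accept either a full NameID Format URI or one of the aliases above.
  Anything else is rejected instead of being written into the assertion."
  [s]
  (cond
    (str/blank? s)                     (name-id-formats "unspecified")
    (contains? name-id-formats s)      (name-id-formats s)
    (some #{s} (vals name-id-formats)) s
    :else (throw (ex-info "unknown NameID format" {:subject-name-type s}))))

(defn subject-from-request
  "Extract the end-user identity however it was supplied:
   - middleware mode: :subject-name / :subject-name-type keys in the request map
   - proxy mode:      x-subject-name / x-subject-name-type inbound headers
  Returns {:name-id ... :format ...}; throws when no subject name is present."
  [req]
  (let [h       (lower-headers (:headers req))
        name-id (or (:subject-name req)      (get h "x-subject-name"))
        fmt     (or (:subject-name-type req) (get h "x-subject-name-type"))]
    (when (str/blank? name-id)
      (throw (ex-info "no end-user identity on request" {:request-keys (keys req)})))
    {:name-id (str/trim name-id)
     :format  (resolve-format fmt)}))

(defn subject-element
  "Render the <saml:Subject> the two values become, in clojure.data.xml's
  sexp shape ([tag attrs & children]); hand it to xml/sexp-as-element to emit."
  [{:keys [name-id format]}]
  [:saml:Subject
   [:saml:NameID {:Format format} name-id]
   [:saml:SubjectConfirmation {:Method sender-vouches}]])

(comment
  ;; middleware mode: keys on the clj-http request map
  (subject-element
   (subject-from-request {:method            :post
                          :url               "https://target.example.com/svc"
                          :subject-name      "alice@example.com"
                          :subject-name-type "emailAddress"}))

  ;; proxy mode: the same identity carried as headers on the inbound request
  (subject-element
   (subject-from-request
    {:headers {"X-Subject-Name"      "alice@example.com"
               "X-Subject-Name-Type" "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"}})))
```

Both calls in the `comment` block produce the same `saml:Subject` vector, which is the point: whichever transport the identity uses, the assertion is built from the same two values, so the party that sets them (your code in middleware mode, whoever can reach the proxy port in proxy mode) is the party the remote service is trusting.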
You need to specify the keystores that will be used for:
- signing requests and verifying the signature on responses
- two-way (mutual) SSL connections
The same keystore and trust store are used for both purposes.
In ~/.lein/profiles.clj do something like this:

```clojure
{:user
 {:env
  {:trust-store      "~/.ssh/truststore.jks"
   :trust-store-pass "secure"
   :insecure?        true
   :keystore         "~/.ssh/my-identity.p12"
   :keystore-pass    "secure"
   :keystore-type    "pkcs12"
   :remote-uri-base  "https://target.example.com"}}}
```

The values shown are placeholders: use real passwords, and keep `:insecure? true` out of anything but local development. If it maps to clj-http's option of the same name, it disables TLS certificate verification, which makes the trust store pointless and leaves the signed request open to interception.
This package currently generates its own SAML assertion. XWSS can also generate SAML assertions when the security policy asks for it; a possible future change is to let XWSS do so instead.