Using curl to send requests to WSO2 Identity Server

I've been experimenting with WSO2 Identity Server, an open-source security token service (STS). Prabath Siriwardena, at his blog FacileLogin, has a great series of articles on setting up the STS (such as this one); however, I'm not a fan of setting up a Java client for simple test cases.

To that end, I've figured out the correct incantations required to use curl to send a RequestSecurityToken to the STS. I use this script to send a particular file:

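#!/bin/sh
# -k skips TLS certificate verification; use it only against a local test instance with a self-signed certificate.
echo "Sending RST..."
curl -k --header "soapaction:" --header "Content-Type: text/xml; charset=UTF-8" --data-binary "@$1" https://localhost:9443/services/wso2carbon-sts | xmllint --format -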

Note the Content-Type and soapaction headers -- these are required for Axis2 to route the incoming request properly.

As for the request itself, I use a variation of the following:

<?xml version="1.0"?>
<soapenv:Envelope xmlns:soapenv="" xmlns:soapenc="" xmlns:xsd="" xmlns:xsi="" xmlns:wsse="" xmlns:wsu="">
    <wsse:Security mustUnderstand="1">
      <wsu:Timestamp xmlns:wsu="" wsu:Id="Timestamp-1">
      <wsse:UsernameToken xmlns:wsu="" wsu:Id="UsernameToken-2">
        <wsse:Password Type="">admin</wsse:Password>
    <t:RequestSecurityToken xmlns:t="">
      <wst:RequestType xmlns:wst=""></wst:RequestType>
      <wst:Issuer xmlns:wst="">
        <wsa:Address xmlns:wsa="">http://issuer/test</wsa:Address>
      <wsp:AppliesTo xmlns:wsp="">
        <wsa:EndpointReference xmlns:wsa="">
      <t:Claims xmlns:ic="" Dialect="">
        <ic:ClaimType Uri=""/>

Note that the address in the AppliesTo element must be defined as a "trusted service" in the STS; otherwise, a NullPointerException will be thrown (at least in version 2.0.0 of WSO2 Identity Server).

Assuming you put the curl script in a file called "" and the RequestSecurityToken in a file called "rst.xml", you can send the file using:

./ rst.xml

The result will be a nicely formatted SAML assertion if everything has gone to plan!
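The pipeline above prints whatever comes back, so an error response and an issued token look the same to the calling shell. The following is an added example, not the post's own script: it keeps the same headers, reports the HTTP status, and exits non-zero unless the response contains an Assertion element. `STS_URL`, `STS_CACERT` and the function names are assumptions introduced for illustration.

```sh
#!/bin/sh
# Added example, not the post's script. STS_CACERT is a hypothetical variable
# naming a CA bundle; the URL default is the endpoint used in the post.
STS_URL="${STS_URL:-https://localhost:9443/services/wso2carbon-sts}"

# classify_response FILE: print "fault", "assertion" or "unknown".
# Matches element local names so any namespace prefix is accepted.
classify_response() {
    if grep -Eq '<([A-Za-z0-9_.-]+:)?Fault([ >/]|$)' "$1"; then
        echo fault
    elif grep -Eq '<([A-Za-z0-9_.-]+:)?Assertion([ >/]|$)' "$1"; then
        echo assertion
    else
        echo unknown
    fi
}

# send_rst FILE: POST the RST, report status on stderr, print the response,
# and return 0 only when the response carries an assertion.
send_rst() {
    rst_file=$1
    out=$(mktemp) || return 2
    # Verify the server certificate when a CA bundle is given; otherwise
    # fall back to -k as the post does (local test instances only).
    if [ -n "${STS_CACERT:-}" ]; then
        set -- --cacert "$STS_CACERT"
    else
        set -- -k
    fi
    status=$(curl -sS "$@" -o "$out" -w '%{http_code}' \
        --header "soapaction:" \
        --header "Content-Type: text/xml; charset=UTF-8" \
        --data-binary "@$rst_file" "$STS_URL") || { rm -f "$out"; return 2; }
    result=$(classify_response "$out")
    echo "HTTP $status, response: $result" >&2
    xmllint --format "$out" 2>/dev/null || cat "$out"
    rm -f "$out"
    [ "$result" = assertion ]
}

if [ "$#" -gt 0 ]; then
    send_rst "$1"
fi
```

The exit status makes the script usable in a test loop: a fault or an unexpected body fails the run instead of scrolling past as formatted XML.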
