OpenSSO provides a comprehensive solution for securing web services developed using various technologies and platforms. WS-Security and WS-Trust are the core security specifications among the WS-* specifications published via the OASIS Security Committee. WS-Trust defines a trust authority, popularly known as an STS (Security Token Service), that issues security tokens (e.g. SAML tokens) for consumption by web service clients and web service providers that want to use WS-Security for their communication.
Here I would like to give a high-level overview of web services security support in OpenSSO as it stands today.
Fig. 1 Web services security support in OpenSSO
OpenSSO as an STS is supported on eight different platforms: Glassfish (Sun Application Server 9.x), Sun Web Server 7.x, WebLogic, WebSphere, Tomcat, Oracle Application Server, JBoss and Geronimo. This means that any WSC (Web Service Client) or WSP (Web Service Provider) can talk to OpenSSO remotely in an interoperable way (using the WS-Trust protocol) to obtain a WS-Security token.
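To make the WS-Trust round trip concrete, here is an added example (not OpenSSO's or any project's code) of the three messages a WSC handles: the RequestSecurityToken it sends to the STS, the RequestSecurityTokenResponse it gets back, and the WS-Security header in which it forwards the issued SAML token to the WSP. The namespaces are the standard WS-Trust 1.3, WSS 1.0 and SAML 2.0 ones; the STS response and the endpoint address are constructed sample values, and the token is attached unsigned, so binding it to the caller (signatures, holder-of-key) is out of scope here.

```python
import xml.etree.ElementTree as ET

# Standard namespaces from the WS-Trust 1.3, WS-Security 1.0, WS-Policy, WS-Addressing and SAML 2.0 specs.
NS = {
    "s": "http://schemas.xmlsoap.org/soap/envelope/",
    "wst": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
    "wsa": "http://www.w3.org/2005/08/addressing",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)
# Token type URI for a SAML 2.0 assertion, as defined by the WSS SAML Token Profile 1.1.
SAML2_TOKEN = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"

def tag(prefix, local):
    return "{%s}%s" % (NS[prefix], local)

def build_rst(applies_to, token_type=SAML2_TOKEN):
    """Step 1: the WSC asks the STS to issue a token scoped to the WSP's endpoint (AppliesTo)."""
    env = ET.Element(tag("s", "Envelope"))
    rst = ET.SubElement(ET.SubElement(env, tag("s", "Body")), tag("wst", "RequestSecurityToken"))
    ET.SubElement(rst, tag("wst", "RequestType")).text = NS["wst"] + "/Issue"
    ET.SubElement(rst, tag("wst", "TokenType")).text = token_type
    epr = ET.SubElement(ET.SubElement(rst, tag("wsp", "AppliesTo")), tag("wsa", "EndpointReference"))
    ET.SubElement(epr, tag("wsa", "Address")).text = applies_to
    return ET.tostring(env, encoding="unicode")

def extract_issued_token(rstr_xml):
    """Step 2: pull the SAML assertion out of the STS's RequestSecurityTokenResponse; fail loudly if absent."""
    assertion = ET.fromstring(rstr_xml).find(".//wst:RequestedSecurityToken/saml:Assertion", NS)
    if assertion is None:
        raise ValueError("STS response carries no SAML assertion")
    return assertion

def build_secured_request(assertion, body_xml):
    """Step 3: the WSC presents the issued token to the WSP inside a mustUnderstand WS-Security header."""
    env = ET.Element(tag("s", "Envelope"))
    sec = ET.SubElement(ET.SubElement(env, tag("s", "Header")), tag("wsse", "Security"))
    sec.set(tag("s", "mustUnderstand"), "1")
    sec.append(assertion)
    ET.SubElement(env, tag("s", "Body")).append(ET.fromstring(body_xml))
    return ET.tostring(env, encoding="unicode")

# Constructed sample STS response (a real STS would sign the assertion and add lifetime/proof elements).
SAMPLE_RSTR = (
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
    '<wst:RequestSecurityTokenResponse xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">'
    '<wst:RequestedSecurityToken><saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"'
    ' ID="_a1" Version="2.0"><saml:Issuer>sts.example</saml:Issuer></saml:Assertion>'
    '</wst:RequestedSecurityToken></wst:RequestSecurityTokenResponse></s:Body></s:Envelope>'
)
```

Running `build_secured_request(extract_issued_token(SAMPLE_RSTR), "<ping/>")` yields the envelope the WSP-side agent or handler would then validate.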
Now for WS-Security support in WSPs. Glassfish supports the JSR 196 specification, and OpenSSO provides agents based on JSR 196 for web services authentication and authorization. For other containers such as WebLogic and WebSphere, however, you have to use OpenSSO Policy Agents to achieve web services authentication.
Web service clients can be of various types, including thick clients (standalone or Java Swing based) and thin clients (bundled web applications invoked through a browser). As it stands today, the OpenSSO JSR 196 agents are fully supported on Glassfish and for standalone clients. For other major containers such as WebSphere and WebLogic, or for any other third-party container, you need a custom filter and a custom handler. I have put examples for WebLogic and Axis2 in my other entries.
OpenSSO also has a web services proxy solution (Gateway) available through OpenSSO Extensions. The advantage of the proxy is that it can be deployed independently of your web application. As it stands today, there is no official support for it yet.