Monday Nov 24, 2008

OpenSSO provides a comprehensive solution for securing web services developed using various technologies and platforms. WS-Security and WS-Trust are the core security specifications among the WS-* specifications published via the OASIS Security Committee. WS-Trust defines a Trust Authority, popularly known as an STS (Security Token Service), that issues security tokens (e.g. SAML tokens) for consumption by web service clients and web service providers that want to support WS-Security in their communication model.

Here, I would like to give a high-level overview of Web Services Security support in OpenSSO as it stands today.

Fig. 1 Web services security support in OpenSSO

OpenSSO as an STS is supported on eight different platforms, including GlassFish (Sun Application Server 9.x), Sun Web Server 7.x, WebLogic, WebSphere, Tomcat, Oracle Application Server, JBoss and Geronimo. This means that any WSC (Web Service Client) or WSP (Web Service Provider) can talk to OpenSSO remotely, in an interoperable way (using the WS-Trust protocol), to obtain a WS-Security token.
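The WS-Trust exchange described above, as an added example (not code from OpenSSO or from the original post): a WSC builds an Issue request for a SAML token scoped to one WSP, then checks the STS reply before using the token. The WS-Trust 1.3 namespace, the SAML 2.0 token type and the example.com endpoint are assumptions; verifying the assertion's XML signature is left to the WS-Security stack.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Namespace URIs from the OASIS/W3C specs; WS-Trust 1.3 is an assumption (the page names no version).
NS = {
    "wst": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
    "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
    "wsa": "http://www.w3.org/2005/08/addressing",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SAML20 = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"

def q(prefix, tag):
    return "{%s}%s" % (NS[prefix], tag)

def build_rst(wsp_url, token_type=SAML20):
    """WSC -> STS: ask the STS to issue a token scoped to one WSP endpoint."""
    rst = ET.Element(q("wst", "RequestSecurityToken"))
    ET.SubElement(rst, q("wst", "RequestType")).text = NS["wst"] + "/Issue"
    ET.SubElement(rst, q("wst", "TokenType")).text = token_type
    epr = ET.SubElement(ET.SubElement(rst, q("wsp", "AppliesTo")), q("wsa", "EndpointReference"))
    ET.SubElement(epr, q("wsa", "Address")).text = wsp_url
    return rst

def check_rstr(rstr_xml, wsp_url, now, token_type=SAML20):
    """STS -> WSC: return the issued assertion only if the reply matches the request."""
    rstr = next(ET.fromstring(rstr_xml).iter(q("wst", "RequestSecurityTokenResponse")), None)
    if rstr is None or rstr.findtext("wst:TokenType", namespaces=NS) != token_type:
        raise ValueError("no RSTR, or token type differs from the one requested")
    if rstr.findtext("wsp:AppliesTo/wsa:EndpointReference/wsa:Address", namespaces=NS) != wsp_url:
        raise ValueError("token is scoped to a different endpoint")
    expires = rstr.findtext("wst:Lifetime/wsu:Expires", default="", namespaces=NS)
    # strptime itself raises ValueError when wsu:Expires is missing or malformed
    deadline = datetime.strptime(expires, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if now >= deadline:
        raise ValueError("token lifetime has expired")
    assertion = rstr.find("wst:RequestedSecurityToken/saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no SAML assertion in RequestedSecurityToken")
    return assertion

# Constructed sample reply (not captured from a real STS); the assertion body is left empty.
SAMPLE_RSTR = """<wst:RequestSecurityTokenResponse xmlns:wst="{wst}" xmlns:wsp="{wsp}"
 xmlns:wsa="{wsa}" xmlns:wsu="{wsu}" xmlns:saml="{saml}"><wst:TokenType>{tt}</wst:TokenType>
 <wsp:AppliesTo><wsa:EndpointReference><wsa:Address>https://wsp.example.com/stock</wsa:Address>
 </wsa:EndpointReference></wsp:AppliesTo><wst:Lifetime><wsu:Expires>2008-11-24T23:00:00Z</wsu:Expires>
 </wst:Lifetime><wst:RequestedSecurityToken><saml:Assertion/></wst:RequestedSecurityToken>
</wst:RequestSecurityTokenResponse>""".format(tt=SAML20, **NS)
```

Calling `check_rstr(SAMPLE_RSTR, "https://wsp.example.com/stock", now)` with a `now` before 23:00 UTC on 2008-11-24 returns the assertion element; a later time or a different endpoint raises `ValueError`.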

Now for WS-Security support for WSPs. GlassFish supports the JSR 196 specification, and OpenSSO provides agents based on JSR 196 for web services authentication/authorization. For other containers such as WebLogic and WebSphere, however, you have to use OpenSSO Policy Agents to achieve web services authentication.

Web service clients can be of various types, including thick clients (standalone mode or Java Swing based) and thin clients (bundled web applications invoked through a browser). As it stands today, the OpenSSO JSR 196 agents are fully supported on GlassFish and for standalone clients. However, for the other major containers such as WebSphere and WebLogic, or for any other third-party container, you need a custom filter and a custom handler. I have put examples for WebLogic and AXIS2 in my other entries.

OpenSSO also has a web services proxy solution (Gateway) through OpenSSO extensions. The advantage of the proxy is that it can be deployed independently of your web application. As it stands today, there is no official support for this yet.


Comments:

Could you please address which of Sun's Agents do/don't support WS-Security? Apache 2.2 Agent in particular and J2EE Agents in general.

Posted by Brad Cox on November 24, 2008 at 02:01 PM PST #

OpenSSO J2EE Policy Agents 3.0 onwards only support WS-Security. Currently the nightly builds for the OpenSSO 3.0 Agents for WebLogic and WebSphere are supported, but gradually this will be supported on the majority of the platforms.

We will not have any support on 2.2 J2EE Agents (Previous versions).

Posted by Malla Simhachalam on November 24, 2008 at 02:41 PM PST #
