SHYAM RAO

Tuesday May 06, 2008

How to Renew a SecureConversationToken Using Metro 1.2

Metro 1.2 supports renewal of the SecureConversation token for both the submitted and the standard (WS-SX) versions of the SecureConversation specification. In this blog, I will show you how to enable automatic renewal of a SecureConversation token once it has expired.

Metro 1.2 defines the following client-side SecureConversation configuration policy:
    1) The lifetime of the SecureConversation token.
    2) Whether to renew expired secure session tokens.

Here is the client-side SecureConversation policy, which has to be put in the client-side configuration (i.e. in the wsit-client.xml file):

<scc:SCClientConfiguration xmlns:scc="http://schemas.sun.com/ws/2006/05/sc/client" renewExpiredSCT="true">
     <scc:LifeTime>36000</scc:LifeTime>
</scc:SCClientConfiguration>

Tooling support for this configuration is available from NetBeans 6.0 onwards. Here are the NetBeans screenshots for configuring a web services client with the SecureConversation policy.

Figure 1 : Right click on Web Services Reference node and select Web Services Editor to configure Quality of service on the client side


Figure 2 : In Client's Web Services Editor, configure client with SecureConversation policy (i.e Token Lifetime, Enable/disable of token renewal)

 

Here is the format of the Renew request from the client:

 <S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/" >
    <S:Header>
         ...........
        <Action xmlns="http://www.w3.org/2005/08/addressing" wsu:Id="_5004">
                    http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew</Action>
         .........

Here is the format of the Renew response from the service:

<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
    <S:Header>
         ...........
        <Action xmlns="http://www.w3.org/2005/08/addressing" wsu:Id="_5005"> 
                        http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew</Action>
         .........

 

The WS-SX version of the SecurityPolicy specification introduces the MustNotSendRenew policy assertion under SecureConversationToken. The optional MustNotSendRenew element indicates that the issuer of the secure conversation token does not support SCT/Renew RST messages. If this assertion is not present, SCT/Renew RST messages are supported by the STS.

Here is the format of the optional MustNotSendRenew element under the SecureConversationToken policy:

<sp:SecureConversationToken sp:IncludeToken="xs:anyURI"? xmlns:sp="..." ... >
    ........
    <wsp:Policy xmlns:wsp="...">
        .......
        <sp:MustNotSendRenew ... /> ?
        <sp:BootstrapPolicy ... >
            <wsp:Policy> ... </wsp:Policy>
        </sp:BootstrapPolicy>
    </wsp:Policy>
</sp:SecureConversationToken>

 

If the client-side SecureConversation configuration policy has renewExpiredSCT=true and the optional MustNotSendRenew element is not present in the service's SecureConversationToken policy, then renewal of the SCT will be successful.
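The condition above, written as a configuration check. This is an added example, not code from the original post or from Metro; the two sample documents are constructed, and treating a missing renewExpiredSCT attribute as "off" is an assumption, since the post does not state the default.

```python
import xml.etree.ElementTree as ET

SCC_NS = "http://schemas.sun.com/ws/2006/05/sc/client"  # namespace from the post

# Constructed sample inputs, modelled on the fragments in the post.
CLIENT_CONFIG = """<scc:SCClientConfiguration
    xmlns:scc="http://schemas.sun.com/ws/2006/05/sc/client" renewExpiredSCT="true">
  <scc:LifeTime>36000</scc:LifeTime>
</scc:SCClientConfiguration>"""

SERVICE_POLICY = """<sp:SecureConversationToken
    xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
  <wsp:Policy>
    <sp:MustNotSendRenew/>
    <sp:BootstrapPolicy><wsp:Policy/></sp:BootstrapPolicy>
  </wsp:Policy>
</sp:SecureConversationToken>"""

def local(tag):
    """Strip the '{namespace}' prefix so both spec versions match."""
    return tag.rsplit("}", 1)[-1]

def client_settings(xml_text):
    """Return (renew_enabled, lifetime_text) from a wsit-client.xml fragment."""
    cfg = next(ET.fromstring(xml_text).iter(f"{{{SCC_NS}}}SCClientConfiguration"), None)
    if cfg is None:
        return False, None
    # Assumption: only an explicit "true" counts as enabled.
    renew = (cfg.get("renewExpiredSCT") or "").strip().lower() == "true"
    return renew, cfg.findtext(f"{{{SCC_NS}}}LifeTime")

def has_assertion(node, name):
    """Search policy operators only, so BootstrapPolicy content is skipped."""
    for child in node:
        tag = local(child.tag)
        if tag == name:
            return True
        if tag in ("Policy", "ExactlyOne", "All") and has_assertion(child, name):
            return True
    return False

def renewal_expected(client_xml, service_xml):
    """True when the client asks for renewal and no SCT policy forbids it."""
    renew, _ = client_settings(client_xml)
    tokens = [e for e in ET.fromstring(service_xml).iter()
              if local(e.tag) == "SecureConversationToken"]
    return renew and not any(has_assertion(t, "MustNotSendRenew") for t in tokens)
```

With the sample policy as written, `renewal_expected(CLIENT_CONFIG, SERVICE_POLICY)` is false because the service advertises MustNotSendRenew; removing that element makes it true.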

Comments:

Hi Shyam,

I would like to ask you for help.
I have a problem with web services security and I described my problem in a post on the SUN forum:
http://forums.sun.com/thread.jspa?threadID=5324556

Nobody answered me till today :(
I know that you wrote a few articles about web services security on your Weblog, therefore I decided to ask you.
I would be grateful if you can take a look at my post and help me to solve my problem.

I don't know your email address, therefore I decided to put this message here.

Looking forward to your reply.
Best regards.

Posted by zajjar on September 15, 2008 at 10:37 PM IST #

Hi Zajjar,

You haven't posted your question in the correct forum.
Please post your issue in the Metro forum : http://forums.java.net/jive/forum.jspa?forumID=46

Sun's WebServices stack is known as Metro (https://metro.dev.java.net/).

Thanks
-- Shyam

Posted by Shyam Rao on September 15, 2008 at 11:38 PM IST #

Thanks Shyam,

I will post it there.

Posted by zajjar on September 16, 2008 at 12:00 AM IST #

My thread on this forum is here:
http://forums.java.net/jive/thread.jspa?messageID=299681

Maybe it will be helpful for other people.

Posted by zajjar on September 18, 2008 at 11:53 AM IST #

Hi Shyam,

I've tried everything the way you described here, but SCT Renewal doesn't happen.

My colleague made a post for it: http://www.nabble.com/SCT-Renewal-in-federated-scenario-(WCF)-td22181672.html

but nobody responds.

Maybe you can help?

Thanks,

Peter

Posted by Peter on March 06, 2009 at 07:32 PM IST #

hi,
my .net WCF wsdl contains
<sp:SecureConversationToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">

In this case, should I do some configuration in NetBeans?

Can you tell me how I can proceed with METRO?
Thanks,
Thej

Posted by Thej on August 06, 2009 at 09:26 PM IST #
