« November 2009
SunMonTueWedThuFriSat
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
     
       
Today

Blog::Navigation

Blog::Editing

Bookmarks::Blogroll

Blog::Referrers

Today's Page Hits: 9

Site notes

This page validates as XHTML 1.0, and will look much better in a browser that supports web standards, but it is accessible to any browser or Internet device. It was created using techniques detailed at glish.com/css/.

Powered by Roller Weblogger.
« Handling Claims with... | Main | Dynamic Key Stores... »
Tuesday Feb 24, 2009

Managing multiple services with Metro based STS

Metro based STS can be used to secure multiple services. One need to register
a service provider to an STS before the issued tokens of the STS can be used for that service.

Each resgisted service comes up as a ServiceProvide in the STSConfiguration:



    <tc:STSConfiguration xmlns:tc="http://schemas.sun.com/ws/2006/05/trust/server" 

          encryptIssuedKey="true" encryptIssuedToken="false">

        <tc:LifeTime>36000</tc:LifeTime>                                

        <tc:Contract>com.sun.xml.ws.security.trust.impl.WSTrustContractImpl</tc:Contract>

        <tc:Issuer>SunSTS</tc:Issuer>

        <tc:ServiceProviders>

            <tc:ServiceProvider endPoint="http://localhost:8080/jaxws-s5/simple" >

               <tc:CertAlias>bob</tc:CertAlias>

               <tc:TokenType>

                   http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1

               </tc:TokenType>

            </tc:ServiceProvider>

            <!-- more service providers -->

        </tc:ServiceProviders>

    </tc:STSConfiguration>

At the minimum, you need to specify the endpoint as well as the cert alias for each service provider. At run time, the actual service is identified for each request RST from a client to the STS. The RST contains an AppliesTo element pointing to the endpoint of the targeted service. On the STS side, the certificate of the service is used to encrypt the issued tokens and proof keys for the service.

With Netbeans, one can add Service Providers to an STS through the configuration panel for STS:

1. Click Configure button besides Act as Secure Token Service (STS).
2. In the STS Configuration panel, click Add.
3. In the Select Service Provider panel, add information of the service provider. Note that you must
import the certificate of the service provider to the TrustStore of the STS.

We provide a default Service Provider with endpoint="default". This default setting, working with any service providers, is for testing purpose only. In a product, you must remove it and add all the service providers to be secured by the STS.

You may also implement STSConfigurationProvider with your own STSConfiguration and TrustSPMetada to configure STS and register service providers to a deployed STS at run time.

Posted at 11:55AM Feb 24, 2009 by jiandongg in Sun  |  Comments[0]

Comments:

Post a Comment:
  • HTML Syntax: NOT allowed
Locations of visitors to this page
Copyright (C) 2003, jiandongg