ActAs and Credential Delegation II: Secure Conversation with STS

In the scenario where a requester asks an STS for delegation tokens while acting as various users,
the security header of the request message to the STS carries the credentials of the requester
and the STS, while the payload carries the credentials of the actual user being acted as. This is
a perfect case for enabling secure conversation with the STS, so that the communication between
the requester and the STS is protected by one negotiated session rather than per-message credential processing.

To achieve this with Metro:

1. On the STS side, enable secure conversation with a SecureConversationToken in the wsdl.
A sample wsdl is provided here. To use it with the delegate sample,
you just need to rename it from sts-sc.wsdl to sts.wsdl.

2. On the client side, one needs to use the same STSIssuedTokenConfiguration instance for the different
calls to the STS, as illustrated by the following server-side code:

    import java.util.Set;
    import javax.annotation.Resource;
    import javax.security.auth.Subject;
    import javax.xml.stream.XMLStreamException;
    import javax.xml.stream.XMLStreamReader;
    import javax.xml.ws.Holder;
    import javax.xml.ws.WebServiceContext;
    import javax.xml.ws.WebServiceFeature;
    import org.w3c.dom.Element;
    // Metro (WSIT) trust and XWSS classes
    import com.sun.xml.ws.api.security.trust.client.STSIssuedTokenConfiguration;
    import com.sun.xml.ws.security.Token;
    import com.sun.xml.ws.security.trust.GenericToken;
    import com.sun.xml.ws.security.trust.STSIssuedTokenFeature;
    import com.sun.xml.ws.security.trust.impl.client.DefaultSTSIssuedTokenConfiguration;
    import com.sun.xml.wss.SubjectAccessor;
    import com.sun.xml.wss.XWSSecurityException;
    import com.sun.xml.wss.impl.XWSSecurityRuntimeException;
    import com.sun.xml.wss.saml.util.SAMLUtil;

    public class FSImpl implements IFinancialService {
        @Resource
        private WebServiceContext context;

        // One configuration instance shared by every call to the STS, so the secure
        // conversation established on the first call is reused by the later ones
        // instead of a new session being negotiated for each acted-as user.
        private DefaultSTSIssuedTokenConfiguration config = new DefaultSTSIssuedTokenConfiguration();

        public String getAccountBalance(Department dept){
            ...
        }

        private void ping(){
            PingService service = new PingService();
            // The token of the user being acted as goes into the RST payload (ACT_AS);
            // the requester's own credentials protect the message to the STS.
            Token actAsToken = getActAsToken();
            config.getOtherOptions().put(STSIssuedTokenConfiguration.ACT_AS, actAsToken);
            STSIssuedTokenFeature feature = new STSIssuedTokenFeature(config);

            IPingService stub = service.getCustomBindingIPingService(new WebServiceFeature[]{feature});
            stub.ping(new Holder<String>("1"), new Holder<String>("sun"), new Holder<String>("Passed!"));
        }

        private Token getActAsToken(){
            return new GenericToken(getSAMLAssertion());
        }

        // Pull the SAML assertion of the authenticated caller out of the requester Subject
        private Element getSAMLAssertion() {
            Element samlAssertion = null;
            try {
                Subject subj = SubjectAccessor.getRequesterSubject(context);
                Set<Object> set = subj.getPublicCredentials();
                for (Object obj : set) {
                    if (obj instanceof XMLStreamReader) {
                        XMLStreamReader reader = (XMLStreamReader) obj;
                        // Create a DOM Element representing the Assertion
                        samlAssertion = SAMLUtil.createSAMLAssertion(reader);
                        break;
                    } else if (obj instanceof Element) {
                        samlAssertion = (Element) obj;
                        break;
                    }
                }
            } catch (XMLStreamException ex) {
                throw new XWSSecurityRuntimeException(ex);
            } catch (XWSSecurityException ex) {
                throw new XWSSecurityRuntimeException(ex);
            }
            return samlAssertion;
        }
    }

Another important scenario for using secure conversation with an STS is the OnBehalf mechanism, where
the STS client is used as a proxy to obtain tokens from the STS for different users. I will get back
to that in a different blog.

About

Jiandong Guo
