Token Caching and Sharing, Single Sign On Among Services

Many users and customers of Metro have asked for the client to have
more control over how a token issued by an STS is used. One particular
requirement is to share issued tokens among multiple services. Today's
Metro 2.0 nightly build supports this capability, as described here.

Here is a description of how this is supported in Metro:


  1. The services to be accessed with the same token must share
    the same certificate.

  2. Only issued tokens from the same STS are shared.

  3. Caching and sharing of issued tokens can be enabled for each service
    instance by configuration.

To enable this capability for a service proxy, add the attribute
shareToken="true" to the PreConfiguredSTS element in wsit-client.xml, or
in the file it references, for the proxy:


<t:PreConfiguredSTS
xmlns:t="http://schemas.sun.com/ws/2006/05/trust/client"
shareToken="true">
</t:PreConfiguredSTS>

To illustrate the usage, you may find a sample here. This sample contains 5
NetBeans projects: the client, the STS, PingService, HelloService and CalculatorService.
Each service is configured to require a token issued by the STS for access. On the
client side, the client instances for PingService and CalculatorService
are configured to be in the circle that shares the issued tokens from the STS,
while the client instance for HelloService is not (check the various client configuration
files in the directory Client\src\java). The client calls PingService first,
then HelloService and CalculatorService. You will see that the client goes
to the STS to get the token to access PingService, then again to the STS
to get a token to access HelloService, and then calls CalculatorService without
going to the STS, using the token obtained when calling PingService.
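
The call sequence above can be replayed against a small model of the three sharing rules. This is an added example, not Metro code and not part of the sample; the Proxy and IssuedToken types, the STS URL, the certificate names and the fourth service (OtherService) are constructed for illustration, and it assumes Java 16 or later.

```java
import java.util.HashMap;
import java.util.Map;

/** Model of the sharing rules described in this post; not Metro's implementation. */
public class TokenSharingModel {
    // Hypothetical stand-in for an issued token (a real one is a signed security token).
    record IssuedToken(String sts, String serviceCert, int serial) {}

    // Hypothetical view of one client proxy: the STS it is configured for, the
    // certificate of the target service, and its shareToken setting.
    record Proxy(String service, String sts, String serviceCert, boolean shareToken) {}

    private final Map<String, IssuedToken> shared = new HashMap<>();
    private int stsRequests = 0;

    IssuedToken tokenFor(Proxy p) {
        // Rules 1 and 2: reuse is scoped to the same STS and the same service certificate.
        String key = p.sts() + "|" + p.serviceCert();
        // Rule 3: only proxies with shareToken="true" read the shared cache.
        if (p.shareToken()) {
            IssuedToken cached = shared.get(key);
            if (cached != null) {
                return cached;
            }
        }
        // Otherwise the client goes to the STS (modelled as a counter).
        IssuedToken fresh = new IssuedToken(p.sts(), p.serviceCert(), ++stsRequests);
        // Assumption of this model: a proxy outside the circle does not publish its token.
        if (p.shareToken()) {
            shared.put(key, fresh);
        }
        return fresh;
    }

    public static void main(String[] args) {
        TokenSharingModel client = new TokenSharingModel();
        String sts = "https://sts.example/sts";            // constructed value
        Proxy[] calls = {
            new Proxy("PingService", sts, "CN=services", true),
            new Proxy("HelloService", sts, "CN=services", false),
            new Proxy("CalculatorService", sts, "CN=services", true),
            new Proxy("OtherService", sts, "CN=other", true), // different certificate
        };
        for (Proxy p : calls) {
            int before = client.stsRequests;
            IssuedToken t = client.tokenFor(p);
            System.out.printf("%-18s token #%d %s%n", p.service(), t.serial(),
                    client.stsRequests > before ? "(requested from STS)" : "(reused)");
        }
    }
}
```

Only CalculatorService reuses a token in this run; OtherService has sharing enabled but presents a different certificate, so its key does not match and it gets its own token.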

We also have a standalone sample available here.

We still need to provide support for renewing the token once it is expired,
as specified here.

Comments:

I get a "javax.xml.ws.WebServiceException: com.sun.xml.ws.api.security.trust.WSTrustException: com.sun.xml.ws.security.trust.impl.bindings.ClaimsType cannot be cast to com.sun.xml.ws.security.trust.impl.wssx.bindings.ClaimsType" when I try it with my own services.

Posted by Lindemann Ralf on June 15, 2009 at 08:23 PM PDT #

So your service and STS use different versions of security policy and trust? Have you set the wstVersion attribute in PreConfiguredSTS to indicate the actual version of STS to use?

We do support the case that the STS and service have different versions, but there may be an issue for Claims.

Posted by Jiandong Guo on June 16, 2009 at 04:01 AM PDT #

Hi Lindemann,

The actual issue for Claims in the case of mixed trust versions is fixed with Metro 2.0. Please try with next Metro 2.0 nightly build:

https://metro.dev.java.net/servlets/ProjectDocumentList?folderID=10314&expandFolder=10314&folderID=10314

Regards,

Jiandong

Posted by Jiandong Guo on June 16, 2009 at 07:25 AM PDT #

About

Jiandong Guo