Token Caching and Sharing, Single Sign On Among Services
By Jiandong Guo on Apr 29, 2009
It is a common requirement from many users and customers of Metro to
let the client have more control of the use of issued token from an STS.
One particular requirement is that to share issued tokens among
multiples services. With today's Metro 2.0 nightly build, we provide the
support for this capability, as described here.
Here is a description of how this is supported in Metro:
- The services to be accessed with the same token must share
the same certificate.
- Only issued tokens from the same STS are shared.
- Caching and sharing issued tokens can be enabled for each service
instance by configuration
To enable this capability for a service proxy, you need to add attribute
shareToken="true" in the wsit-client.xml or the file referenced by it
for the proxy:
To illustate the usage, you may find a sample here. This sample contains 5
Netbeans projects for client, STS, PingService, HelloService and CalculatorService.
Each service is configured to use the STS issued token to access. On the
client side, the client instances for the PingService and CalculatorServcie
are configured to be in the circle to share the issued tokens from the STS,
while the client instance for HelloService not (check various client configuration
files in the directory Client\\src\\java). The client calls PingService first,
then HelloService and CalculatorService. You will see that the client goes
to the STS to get the token to access PingService, then again to the STS
to get token to access HelloService, and then to call CalcutorService without
goes to the STS but use the token obtained in calling PingService.
We also have a stand alone sample available here.
We still need to provide support for renewing the token once it is expired,
as specified here.