Posted to java-user@axis.apache.org by FILIPPO AGAZZI <fi...@studenti.unipr.it> on 2012/07/18 13:59:42 UTC

[Axis2] STS Custom Token and service

Hi,

I have a Web Service with an STS and a Custom Token issuer that I have
developed, which issues to the client, after a negotiation, a custom security
token. My problem is: how can I make the service accept and check the
token? I haven't used Rampart, because I don't want to have any security
header in the message from client to service, but just a security token
(that the client obtains previously from the STS) sent in the message to the
service as a credential to have access to the service.

So I need a way to send the security token in the message from the client (for
example using an OperationClient) and a way to check the token at the
service side. Perhaps I need to implement a handler in the service that
checks the security token? I haven't found anything about how a service
checks or validates a security token (for example a SAML Token) and now I'm
having trouble making my web service accept and validate a custom security
token. I can construct a custom SOAP message, for example, containing in
the body the custom security token (for example a simple
signature... I haven't decided yet) and at the service side extract the token
from the message and check if it is valid... but how can I do this at the
service side?
I can't understand, for example, in a scenario like sample05 of Rampart,
where the token sent from the client is checked at the service side. Is there
a default handler in the Rampart module? In sample 05, in the client,
instructions like *options.setProperty(RampartMessageData.KEY_RAMPART_POLICY,
loadPolicy(servicePolicy));* or
*options.setProperty(RampartMessageData.KEY_CUSTOM_ISSUED_TOKEN,
responseToken.getId());* are used: is it in this way that the message is
created so that, at the service side, it is then handled by a default
handler? In sample05, in services.xml, security policies are specified for the
STS and for the Service. In my case there is a unique and simple policy for the
service, requiring an issued token, that the client obtains from the STS after a
negotiation. So I don't think I can use something similar to sample 05, but I
have to custom code the mechanism at the service side. I don't know if I have
explained my problem and what I need in a clear way.
Any idea or suggestion is very appreciated! Thanks!

Regards,

Filippo Agazzi
Student of University of Parma - Italy
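
Added example, not part of the original post and not Rampart's or the poster's code: a service-side Axis2 handler of the kind the message asks about, which rejects a request unless it carries a valid STS-issued token. The header element name, the token format (base64url claims `subject|expiryMillis`, a dot, then a base64url HMAC-SHA256 over the claims) and the shared key are all assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.xml.namespace.QName;
import org.apache.axiom.om.OMElement;
import org.apache.axiom.soap.SOAPHeader;
import org.apache.axis2.AxisFault;
import org.apache.axis2.context.MessageContext;
import org.apache.axis2.handlers.AbstractHandler;

public class CustomTokenHandler extends AbstractHandler {
    // Hypothetical custom header block carrying the token (not a wsse:Security header).
    private static final QName TOKEN =
            new QName("http://example.org/sts", "CustomToken");
    // Placeholder key shared by the STS and the service; load it from a keystore.
    private static final byte[] KEY =
            "replace-with-real-key".getBytes(StandardCharsets.UTF_8);

    @Override
    public InvocationResponse invoke(MessageContext msgContext) throws AxisFault {
        SOAPHeader header = msgContext.getEnvelope().getHeader();
        OMElement token = (header == null) ? null : header.getFirstChildWithName(TOKEN);
        // Fail closed: no token or a bad token stops the message before the service.
        if (token == null || !isValid(token.getText().trim())) {
            throw new AxisFault("Missing or invalid security token");
        }
        return InvocationResponse.CONTINUE;
    }

    // Assumed format: base64url(claims) "." base64url(HMAC-SHA256(claims)).
    static boolean isValid(String token) {
        try {
            String[] parts = token.split("\\.");
            if (parts.length != 2) return false;
            byte[] claims = Base64.getUrlDecoder().decode(parts[0]);
            byte[] sig = Base64.getUrlDecoder().decode(parts[1]);
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(KEY, "HmacSHA256"));
            // Constant-time comparison of the expected and presented MAC.
            if (!MessageDigest.isEqual(mac.doFinal(claims), sig)) return false;
            String[] fields = new String(claims, StandardCharsets.UTF_8).split("\\|");
            return fields.length == 2
                    && Long.parseLong(fields[1]) > System.currentTimeMillis();
        } catch (Exception e) { // malformed base64, bad expiry, crypto setup failure
            return false;
        }
    }
}
```

Axis2 only calls the handler once it is registered in an inbound phase, either in axis2.xml or through a module engaged on the service.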