You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@cxf.apache.org by "bogdan.csoregi" <bo...@gmail.com> on 2009/02/03 19:35:22 UTC

Can I call two different web services with the same security token?

On the server I have three web services:
1. the STS
2. WebService A - needs a security token for accessing
3. WebService B - needs a security token for accessing


On the client I want to do the following:

1. Call A.serviceMethod()
2. Call B.serviceMethod()

I want that both calls to use the same security token so that:

When the first call is done there will be a request to the STS after that I
will have a token then the service A is called with the token then the
service B is called using the same token.

What I managed to do until now is that when the first call is done the STS
is called and I have a token then the service A is called using that token
but when the second call is done the STS is called again and it issues
another token used for the call to service B.

Is it possible to make the second call use the token issued first?

Even if this is not possible only by small configuration, is it possible to
do it by making an programmatic call to the STS then getting the
SAMLassertion and using it to make the calls to service A and B?
-- 
View this message in context: http://www.nabble.com/Can-I-call-two-different-web-services-with-the-same-security-token--tp21816064p21816064.html
Sent from the cxf-user mailing list archive at Nabble.com.

Re: Can I call two different web services with the same security token?

Posted by Daniel Kulp <dk...@apache.org>.

With the latest WS-SecurityPolicy stuff on 2.2, the answer is yes.   I 
originally had the WS-Trust13 test endpoints setup to do something similar.   

Basically, you can use the STSClient we have to obtain a token from the STS, 
and then set that token into the request context of multple service clients.   
When the clients see the "IssuedToken" assertion in the policy, it will use 
the token from the context.

Dan


On Tue February 3 2009 1:35:22 pm bogdan.csoregi wrote:
> On the server I have three web services:
> 1. the STS
> 2. WebService A - needs a security token for accessing
> 3. WebService B - needs a security token for accessing
>
>
> On the client I want to do the following:
>
> 1. Call A.serviceMethod()
> 2. Call B.serviceMethod()
>
> I want that both calls to use the same security token so that:
>
> When the first call is done there will be a request to the STS after that I
> will have a token then the service A is called with the token then the
> service B is called using the same token.
>
> What I managed to do until now is that when the first call is done the STS
> is called and I have a token then the service A is called using that token
> but when the second call is done the STS is called again and it issues
> another token used for the call to service B.
>
> Is it possible to make the second call use the token issued first?
>
> Even if this is not possible only by small configuration, is it possible to
> do it by making an programmatic call to the STS then getting the
> SAMLassertion and using it to make the calls to service A and B?

-- 
Daniel Kulp
dkulp@apache.org
http://www.dankulp.com/blog