Network Deployment (Distributed operating systems), v8.0 > Secure applications and their environment > Secure web services > Secure web services > Administer Web Services Security > Administer message-level security for JAX-WS web services > Secure requests to the trust service using system policy sets > Trust service


Security context token

WS-Trust and WS-SecureConversation support allows WAS to issue security context tokens. Requests are processed by the security token service.

The security token service for WAS is called the trust service. However, WAS v8 does not implement all of the WS-Trust specification.

A RequestSecurityToken (RST), defined by the WS-Trust and WS-SecureConversation protocols, is sent to the service endpoint, which routes it to the trust service. The trust service processes the RST and responds with a RequestSecurityTokenResponse (RSTR), which is returned to the requestor.

WAS token provider support is limited to the security context token provider.

WAS includes caching support for the security context token in both cluster and non-cluster environments as well as on both the client and server.

WAS also provides trust policy set management for each of the trust service operations:

Trust system policy sets can be managed for each of these trust operations relative to an explicit service endpoint or the trust service default. The default trust service policy set for a trust operation is enforced when there is not an explicit attachment.

For the security context token, you can:

The security context token provider does not support the following operations:


Definitions

To better understand security tokens, the following terms are defined:

security token: A collection of claims.

security context: An abstract concept that refers to an established authentication state and negotiated key or keys, which can have additional security-related properties. A security context must be created and shared by the communicating parties before it is used. A security context is shared among the communicating parties for the lifetime of a communications session, and a security context token is the wire representation of this abstract security context.

WAS does not support a security context token created by one of the communicating parties and propagated with a message. WAS also does not support creating a security context token through negotiation and exchanges.

security context token: The wire representation of the abstract security context, which allows a context to be named by a URI and to be used with Web Services Security. Secured communication with a security context token between two parties is realized with WS-Trust and WS-SecureConversation.

security token service: A web service that issues security tokens, making assertions based on evidence that it trusts, to whoever trusts it (or to specific recipients).

trust service: The security token service and supporting code provided by WebSphere Application Server.

RequestSecurityToken (RST): A message sent to a security token service to request a security token.

RequestSecurityTokenResponse (RSTR): The response from a security token service to a requestor after it receives an RST message.

To communicate trust, a service requires proof, such as a signature, to prove knowledge of a security token or set of security tokens. A service itself can generate tokens or it can rely on a separate security token service to issue a security token with its own trust statement. Note that, for some security token formats, communicating trust can just be a re-issuance or a co-signature that forms the basis of trust brokering.


Syntax for the <wsc:SecurityContextToken> element

A security context is shared among the communicating parties for the lifetime of a communications session and a security context token is the wire representation of this abstract security context.

In the WS-SecureConversation specification, a security context is represented by the <wsc:SecurityContextToken> security token. The following URI represents the security context token type that is required to establish a secure conversation.

http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct

The syntax for the <wsc:SecurityContextToken> element is as follows:

<wsc:SecurityContextToken wsu:Id="..." ...>
  <wsc:Identifier>...</wsc:Identifier>
  <wsc:Instance>...</wsc:Instance>
  ...
</wsc:SecurityContextToken>

The security context token does not support references to it by using key identifiers or key names. All references must use an ID (to a wsu:Id attribute) or use a URI reference, <wsse:Reference>, to the <wsc:Identifier> element in the security context token.


Example

This example shows an RST that requests the issue of a security token. The URI http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct, which is used in this example, represents the token type:

<soapenv:Envelope
    xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <wsa:To xmlns:wsa="http://www.w3.org/2005/08/addressing"
        soapenv:mustUnderstand="0">http://localhost:80/WSSampleSei/EchoService</wsa:To>
    <wsa:MessageID xmlns:wsa="http://www.w3.org/2005/08/addressing"
        soapenv:mustUnderstand="0">fc0632828e1252b4:487cee53:11cbfa7916e:-7fb6</wsa:MessageID>
    <wsa:Action xmlns:wsa="http://www.w3.org/2005/08/addressing"
        soapenv:mustUnderstand="0">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/SCT</wsa:Action>
  </soapenv:Header>
  <soapenv:Body>
    <wst:RequestSecurityToken
        xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
        Context="http://www.ibm.com/login/">
      <wst:TokenType>http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct</wst:TokenType>
      <wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType>
      <wsp:AppliesTo
          xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
        <wsa:EndpointReference
            xmlns:wsa="http://www.w3.org/2005/08/addressing">
          <wsa:Address>http://localhost:80/WSSampleSei/EchoService</wsa:Address>
        </wsa:EndpointReference>
      </wsp:AppliesTo>
      <wst:Entropy>
        <wst:BinarySecret
            Type="http://docs.oasis-open.org/ws-sx/ws-trust/200512/Nonce">zb//KsawV6DmfC8kB6vNOQ==</wst:BinarySecret>
      </wst:Entropy>
      <wst:KeySize>128</wst:KeySize>
    </wst:RequestSecurityToken>
  </soapenv:Body>
</soapenv:Envelope>

This example shows the RSTR returned for the request to issue a security token:

<soapenv:Envelope
    xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header xmlns:wsa="http://www.w3.org/2005/08/addressing">
    <wsa:Action>http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/SCT</wsa:Action>
    <wsa:RelatesTo>fc0632828e1252b4:487cee53:11cbfa7916e:-7fb6</wsa:RelatesTo>
  </soapenv:Header>
  <soapenv:Body>
    <wst:RequestSecurityTokenResponseCollection
        xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
      <wst:RequestSecurityTokenResponse
          Context="http://www.ibm.com/login/">
        <wst:RequestedSecurityToken>
          <wsc:SecurityContextToken
              xmlns:wsc="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
              xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
              wsu:Id="uuid:FFA51A32EB818FB6EA1222986227363">
            <wsc:Identifier>uuid:FFA51A32EB818FB6EA1222986227346</wsc:Identifier>
            <wsc:Instance>uuid:FFA51A32EB818FB6EA1222986227345</wsc:Instance>
          </wsc:SecurityContextToken>
        </wst:RequestedSecurityToken>
        <wsp:AppliesTo
            xmlns:wsp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
          <wsa:EndpointReference
              xmlns:wsa="http://www.w3.org/2005/08/addressing">
            <wsa:Address>http://localhost:80/WSSampleSei/EchoService</wsa:Address>
          </wsa:EndpointReference>
        </wsp:AppliesTo>
        <wst:RequestedProofToken>
          <wst:ComputedKey>http://docs.oasis-open.org/ws-sx/ws-trust/200512/CK/PSHA1</wst:ComputedKey>
        </wst:RequestedProofToken>
        <wst:Entropy>
          <wst:BinarySecret
              Type="http://docs.oasis-open.org/ws-sx/ws-trust/200512/Nonce">rF1Yp5zhRhamLQNPAOm4TA==</wst:BinarySecret>
        </wst:Entropy>
        <wst:Lifetime>
          <wsu:Created
              xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2008-10-02T22:23:44.765Z</wsu:Created>
          <wsu:Expires
              xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2008-10-02T22:35:44.765Z</wsu:Expires>
        </wst:Lifetime>
        <wst:RequestedAttachedReference>
          <wsse:SecurityTokenReference
              xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
            <wsse:Reference
                URI="#uuid:FFA51A32EB818FB6EA1222986227363"
                ValueType="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct" />
          </wsse:SecurityTokenReference>
        </wst:RequestedAttachedReference>
        <wst:RequestedUnattachedReference>
          <wsse:SecurityTokenReference
              xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
            <wsse:Reference
                URI="uuid:FFA51A32EB818FB6EA1222986227346"
                ValueType="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct" />
          </wsse:SecurityTokenReference>
        </wst:RequestedUnattachedReference>
        <wst:Renewing Allow="true" OK="false" />
        <wst:KeySize>128</wst:KeySize>
      </wst:RequestSecurityTokenResponse>
    </wst:RequestSecurityTokenResponseCollection>
  </soapenv:Body>
</soapenv:Envelope>
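
The issue exchange above is the part of the protocol a requestor has to get right: its own nonce goes out in the RST, the trust service's nonce and the CK/PSHA1 algorithm identifier come back in the RSTR, and the session key is computed independently by both sides rather than sent. The following Python is an added example, not WebSphere code: it derives that key with P_SHA1 from the two nonces shown above and checks the RSTR's token references against the ID rule given in the syntax section. The sample RSTR is a constructed, trimmed copy of the page's response, and the function names are the example's own.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
WSC = "http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"

# Constructed sample: the page's issue RSTR, reduced to the elements this check reads.
ISSUE_RSTR = f"""<wst:RequestSecurityTokenResponse xmlns:wst="{WST}" xmlns:wsc="{WSC}"
    xmlns:wsu="{WSU}" xmlns:wsse="{WSSE}" Context="http://www.ibm.com/login/">
  <wst:RequestedSecurityToken><wsc:SecurityContextToken wsu:Id="uuid:FFA51A32EB818FB6EA1222986227363">
    <wsc:Identifier>uuid:FFA51A32EB818FB6EA1222986227346</wsc:Identifier>
  </wsc:SecurityContextToken></wst:RequestedSecurityToken>
  <wst:RequestedProofToken><wst:ComputedKey>{WST}/CK/PSHA1</wst:ComputedKey></wst:RequestedProofToken>
  <wst:Entropy><wst:BinarySecret Type="{WST}/Nonce">rF1Yp5zhRhamLQNPAOm4TA==</wst:BinarySecret></wst:Entropy>
  <wst:RequestedAttachedReference><wsse:SecurityTokenReference>
    <wsse:Reference URI="#uuid:FFA51A32EB818FB6EA1222986227363"/></wsse:SecurityTokenReference></wst:RequestedAttachedReference>
  <wst:RequestedUnattachedReference><wsse:SecurityTokenReference>
    <wsse:Reference URI="uuid:FFA51A32EB818FB6EA1222986227346"/></wsse:SecurityTokenReference></wst:RequestedUnattachedReference>
  <wst:KeySize>128</wst:KeySize>
</wst:RequestSecurityTokenResponse>"""
CLIENT_NONCE = "zb//KsawV6DmfC8kB6vNOQ=="  # the requestor's wst:Entropy from the page's issue RST

def p_sha1(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA1 from TLS 1.0 (RFC 2246 section 5), which the WS-Trust CK/PSHA1 algorithm reuses."""
    out, a = b"", seed                                    # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()    # A(i) = HMAC_SHA1(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()
    return out[:length]

def computed_key(req_b64: str, res_b64: str, key_size_bits: int) -> bytes:
    """CK/PSHA1: key = P_SHA1(EntREQ, EntRES, KeySize/8). Both sides derive it; it never crosses the wire."""
    return p_sha1(base64.b64decode(req_b64), base64.b64decode(res_b64), key_size_bits // 8)

def parse_issue_rstr(xml_text: str) -> dict:
    """Extract the fields a requestor must check before trusting the issued SCT."""
    r = ET.fromstring(xml_text)
    sct = r.find(f".//{{{WSC}}}SecurityContextToken")
    ref = lambda kind: r.find(f".//{{{WST}}}Requested{kind}Reference").find(f".//{{{WSSE}}}Reference").get("URI")
    return {"id": sct.get(f"{{{WSU}}}Id"),
            "identifier": sct.findtext(f"{{{WSC}}}Identifier").strip(),
            "computed_key": r.findtext(f".//{{{WST}}}ComputedKey").strip(),
            "issuer_nonce": r.findtext(f".//{{{WST}}}BinarySecret").strip(),
            "key_size": int(r.findtext(f"{{{WST}}}KeySize")),
            "attached_uri": ref("Attached"), "unattached_uri": ref("Unattached")}

def references_consistent(info: dict) -> bool:
    """The page's rule: an SCT is referenced only by ID (#wsu:Id) or by URI to its wsc:Identifier."""
    return info["attached_uri"] == "#" + info["id"] and info["unattached_uri"] == info["identifier"]

def derive_session_key(rstr_xml: str, requestor_nonce_b64: str) -> bytes:
    """Requestor side: validate the RSTR, then derive the key shared for the rest of the conversation."""
    info = parse_issue_rstr(rstr_xml)
    if info["computed_key"] != WST + "/CK/PSHA1" or not references_consistent(info):
        raise ValueError("RSTR rejected: unknown ComputedKey algorithm or inconsistent token references")
    return computed_key(requestor_nonce_b64, info["issuer_nonce"], info["key_size"])
```

The derived 16-byte key is what the derived key token topic linked below builds on; a response whose references do not line up with the token's own wsu:Id and wsc:Identifier is rejected before any key is computed.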


Example

This example shows an RST that requests the cancellation of a security token:

<soapenv:Envelope
    xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <wsa:To xmlns:wsa="http://www.w3.org/2005/08/addressing"
        soapenv:mustUnderstand="0">http://localhost:80/WSSampleSei/EchoService</wsa:To>
    <wsa:MessageID xmlns:wsa="http://www.w3.org/2005/08/addressing"
        soapenv:mustUnderstand="0">fc0632828e1252b4:-270287b7:11cc22c16ed:-7fa8</wsa:MessageID>
    <wsa:Action xmlns:wsa="http://www.w3.org/2005/08/addressing"
        soapenv:mustUnderstand="0">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Cancel</wsa:Action>
  </soapenv:Header>
  <soapenv:Body>
    <wst:RequestSecurityToken
        xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
        Context="http://www.ibm.com/login/">
      <wst:TokenType>http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct</wst:TokenType>
      <wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Cancel</wst:RequestType>
      <wsp:AppliesTo
          xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
        <wsa:EndpointReference
            xmlns:wsa="http://www.w3.org/2005/08/addressing">
          <wsa:Address>http://localhost:80/WSSampleSei/EchoService</wsa:Address>
        </wsa:EndpointReference>
      </wsp:AppliesTo>
      <wst:CancelTarget>
        <wsc:SecurityContextToken
            xmlns:wsc="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
            wsu:Id="uuid:AC4764EB4BE91011501223028453769">
          <wsc:Identifier>uuid:AC4764EB4BE91011501223028453768</wsc:Identifier>
          <wsc:Instance>uuid:AC4764EB4BE91011501223028453751</wsc:Instance>
        </wsc:SecurityContextToken>
      </wst:CancelTarget>
    </wst:RequestSecurityToken>
  </soapenv:Body>
</soapenv:Envelope>

This example shows the RSTR returned for the request to cancel a security token:

<soapenv:Envelope
    xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:wsa="http://www.w3.org/2005/08/addressing">
  <soapenv:Header>
    <wsa:Action>http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/Cancel</wsa:Action>
    <wsa:RelatesTo>fc0632828e1252b4:-270287b7:11cc22c16ed:-7fa8</wsa:RelatesTo>
  </soapenv:Header>
  <soapenv:Body>
    <wst:RequestSecurityTokenResponse
        Context="http://www.ibm.com/login/"
        xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
      <wst:RequestedTokenCancelled />
    </wst:RequestSecurityTokenResponse>
  </soapenv:Body>
</soapenv:Envelope>


Example

This example shows an RST that requests the renewal of a security token:

<soapenv:Envelope
    xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <wsa:To xmlns:wsa="http://www.w3.org/2005/08/addressing"
        soapenv:mustUnderstand="0">http://localhost:80/WSSampleSei/EchoService</wsa:To>
    <wsa:MessageID xmlns:wsa="http://www.w3.org/2005/08/addressing"
        soapenv:mustUnderstand="0">fc0632828e1252b4:487cee53:11cbfa7916e:-7f8e</wsa:MessageID>
    <wsa:Action xmlns:wsa="http://www.w3.org/2005/08/addressing"
        soapenv:mustUnderstand="0">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Renew</wsa:Action>
  </soapenv:Header>
  <soapenv:Body>
    <wst:RequestSecurityToken
        xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
        Context="http://www.ibm.com/login/">
      <wst:TokenType>http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct</wst:TokenType>
      <wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Renew</wst:RequestType>
      <wst:RenewTarget>
        <wsc:SecurityContextToken
            xmlns:wsc="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
            wsu:Id="uuid:FFA51A32EB818FB6EA1223026418869">
          <wsc:Identifier>uuid:FFA51A32EB818FB6EA1223026418868</wsc:Identifier>
          <wsc:Instance>uuid:FFA51A32EB818FB6EA1223026418867</wsc:Instance>
        </wsc:SecurityContextToken>
      </wst:RenewTarget>
      <wsp:AppliesTo
          xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
        <wsa:EndpointReference
            xmlns:wsa="http://www.w3.org/2005/08/addressing">
          <wsa:Address>http://localhost:80/WSSampleSei/EchoService</wsa:Address>
        </wsa:EndpointReference>
      </wsp:AppliesTo>
      <wst:Entropy>
        <wst:BinarySecret
            Type="http://docs.oasis-open.org/ws-sx/ws-trust/200512/Nonce">U8rH9l/wLV1gpsBf/yCooA==</wst:BinarySecret>
      </wst:Entropy>
      <wst:KeySize>128</wst:KeySize>
    </wst:RequestSecurityToken>
  </soapenv:Body>
</soapenv:Envelope>

This example shows the RSTR returned for the request to renew a security token. The renewed token keeps the same wsc:Identifier but carries a new wsc:Instance and a new lifetime:

<soapenv:Envelope
    xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header xmlns:wsa="http://www.w3.org/2005/08/addressing">
    <wsa:Action>http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/RenewFinal</wsa:Action>
    <wsa:RelatesTo>fc0632828e1252b4:487cee53:11cbfa7916e:-7f8e</wsa:RelatesTo>
  </soapenv:Header>
  <soapenv:Body>
    <wst:RequestSecurityTokenResponse
        xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
        Context="http://www.ibm.com/login/">
      <wst:RequestedSecurityToken>
        <wsc:SecurityContextToken
            xmlns:wsc="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
            wsu:Id="uuid:FFA51A32EB818FB6EA1223026990448">
          <wsc:Identifier>uuid:FFA51A32EB818FB6EA1223026418868</wsc:Identifier>
          <wsc:Instance>uuid:FFA51A32EB818FB6EA1223026990447</wsc:Instance>
        </wsc:SecurityContextToken>
      </wst:RequestedSecurityToken>
      <wst:Entropy>
        <wst:BinarySecret
            Type="http://docs.oasis-open.org/ws-sx/ws-trust/200512/Nonce">lFkKSI/pajtTZzRpQalNMA==</wst:BinarySecret>
      </wst:Entropy>
      <wst:Lifetime>
        <wsu:Created
            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2008-10-03T09:43:07.421Z</wsu:Created>
        <wsu:Expires
            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2008-10-03T09:55:07.421Z</wsu:Expires>
      </wst:Lifetime>
      <wst:RequestedAttachedReference>
        <wsse:SecurityTokenReference
            xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
          <wsse:Reference
              URI="#uuid:FFA51A32EB818FB6EA1223026990448"
              ValueType="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct" />
        </wsse:SecurityTokenReference>
      </wst:RequestedAttachedReference>
      <wst:Renewing Allow="true" OK="false" />
    </wst:RequestSecurityTokenResponse>
  </soapenv:Body>
</soapenv:Envelope>


Example

This example shows an RST that requests the validation of a security token:

<soapenv:Envelope
    xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <wsa:To xmlns:wsa="http://www.w3.org/2005/08/addressing"
        soapenv:mustUnderstand="0">http://localhost:80/WSSampleSei/EchoService</wsa:To>
    <wsa:MessageID xmlns:wsa="http://www.w3.org/2005/08/addressing"
        soapenv:mustUnderstand="0">fc0632828e1252b4:-673f2c18:11cc328886a:-7fa7</wsa:MessageID>
    <wsa:Action xmlns:wsa="http://www.w3.org/2005/08/addressing"
        soapenv:mustUnderstand="0">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Validate</wsa:Action>
  </soapenv:Header>
  <soapenv:Body>
    <wst:RequestSecurityToken
        xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
        Context="http://www.ibm.com/login/">
      <wst:TokenType>http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct</wst:TokenType>
      <wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Validate</wst:RequestType>
      <wst:ValidateTarget>
        <wsc:SecurityContextToken
            xmlns:wsc="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
            wsu:Id="uuid:6B77A2DA28C1E523BD1223045150688">
          <wsc:Identifier>uuid:6B77A2DA28C1E523BD1223045150687</wsc:Identifier>
          <wsc:Instance>uuid:6B77A2DA28C1E523BD1223045150670</wsc:Instance>
        </wsc:SecurityContextToken>
      </wst:ValidateTarget>
      <wsp:AppliesTo
          xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
        <wsa:EndpointReference
            xmlns:wsa="http://www.w3.org/2005/08/addressing">
          <wsa:Address>http://localhost:80/WSSampleSei/EchoService</wsa:Address>
        </wsa:EndpointReference>
      </wsp:AppliesTo>
    </wst:RequestSecurityToken>
  </soapenv:Body>
</soapenv:Envelope>

This example shows the RSTR returned for the request to validate a security token. The result is carried in wst:Status/wst:Code:

<soapenv:Envelope
    xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header xmlns:wsa="http://www.w3.org/2005/08/addressing">
    <wsa:Action>http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/ValidateFinal</wsa:Action>
    <wsa:RelatesTo>fc0632828e1252b4:-673f2c18:11cc328886a:-7fa7</wsa:RelatesTo>
  </soapenv:Header>
  <soapenv:Body>
    <wst:RequestSecurityTokenResponse
        xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
        Context="http://www.ibm.com/login/">
      <wst:Status>
        <wst:Code>http://docs.oasis-open.org/ws-sx/ws-trust/200512/status/valid</wst:Code>
      </wst:Status>
    </wst:RequestSecurityTokenResponse>
  </soapenv:Body>
</soapenv:Envelope>
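
In all four exchanges above the trust service answers with a wsa:RelatesTo equal to the RST's wsa:MessageID, echoes the Context attribute, and uses a response action fixed by the request type (RSTR/SCT, RSTR/Cancel, RSTR/RenewFinal, RSTR/ValidateFinal). The following Python is an added example, not WebSphere code: it applies those correlation checks to a constructed, trimmed copy of the validate pair above, reads the status code, and tests a token's wsu:Created/wsu:Expires window taken from the renew response. The helper names are the example's own.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSA = "http://www.w3.org/2005/08/addressing"
WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

# RequestType URI -> wsa:Action the trust service answers with, as in the page's four exchanges.
RESPONSE_ACTION = {WST + "/Issue": WST + "/RSTR/SCT", WST + "/Cancel": WST + "/RSTR/Cancel",
                   WST + "/Renew": WST + "/RSTR/RenewFinal", WST + "/Validate": WST + "/RSTR/ValidateFinal"}

# Constructed samples, trimmed from the page's validate RST/RSTR pair and the renew RSTR's lifetime.
VALIDATE_RST = f"""<soapenv:Envelope xmlns:soapenv="{SOAP}" xmlns:wsa="{WSA}" xmlns:wst="{WST}">
  <soapenv:Header><wsa:MessageID>fc0632828e1252b4:-673f2c18:11cc328886a:-7fa7</wsa:MessageID>
    <wsa:Action>{WST}/RST/Validate</wsa:Action></soapenv:Header>
  <soapenv:Body><wst:RequestSecurityToken Context="http://www.ibm.com/login/">
    <wst:RequestType>{WST}/Validate</wst:RequestType></wst:RequestSecurityToken></soapenv:Body>
</soapenv:Envelope>"""
VALIDATE_RSTR = f"""<soapenv:Envelope xmlns:soapenv="{SOAP}" xmlns:wsa="{WSA}" xmlns:wst="{WST}">
  <soapenv:Header><wsa:Action>{WST}/RSTR/ValidateFinal</wsa:Action>
    <wsa:RelatesTo>fc0632828e1252b4:-673f2c18:11cc328886a:-7fa7</wsa:RelatesTo></soapenv:Header>
  <soapenv:Body><wst:RequestSecurityTokenResponse Context="http://www.ibm.com/login/">
    <wst:Status><wst:Code>{WST}/status/valid</wst:Code></wst:Status>
  </wst:RequestSecurityTokenResponse></soapenv:Body>
</soapenv:Envelope>"""
RENEW_LIFETIME = f"""<wst:Lifetime xmlns:wst="{WST}" xmlns:wsu="{WSU}"><wsu:Created>2008-10-03T09:43:07.421Z</wsu:Created>
  <wsu:Expires>2008-10-03T09:55:07.421Z</wsu:Expires></wst:Lifetime>"""

def _text(root, path):
    t = root.findtext(path)
    return t.strip() if t else None

def correlate(rst_xml: str, rstr_xml: str) -> dict:
    """Check that an RSTR really answers this RST before acting on it; raise on any mismatch."""
    rst, rstr = ET.fromstring(rst_xml), ET.fromstring(rstr_xml)
    request_type = _text(rst, f".//{{{WST}}}RequestType")
    if _text(rstr, f".//{{{WSA}}}RelatesTo") != _text(rst, f".//{{{WSA}}}MessageID"):
        raise ValueError("RSTR wsa:RelatesTo does not match the RST wsa:MessageID")
    if request_type not in RESPONSE_ACTION or _text(rstr, f".//{{{WSA}}}Action") != RESPONSE_ACTION[request_type]:
        raise ValueError("RSTR wsa:Action does not match the RequestType that was sent")
    # Context is echoed back unchanged; a different value means the response belongs to another request.
    if rstr.find(f".//{{{WST}}}RequestSecurityTokenResponse").get("Context") != \
            rst.find(f".//{{{WST}}}RequestSecurityToken").get("Context"):
        raise ValueError("RSTR Context does not match the RST Context")
    return {"request_type": request_type.rsplit("/", 1)[1],
            "status": _text(rstr, f".//{{{WST}}}Status/{{{WST}}}Code"),
            "cancelled": rstr.find(f".//{{{WST}}}RequestedTokenCancelled") is not None}

def token_is_valid(result: dict) -> bool:
    """Only a Validate RSTR whose wst:Status/wst:Code is .../status/valid vouches for the token."""
    return result["request_type"] == "Validate" and result["status"] == WST + "/status/valid"

def _utc(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def within_lifetime(lifetime_xml: str, now_utc: str) -> bool:
    """An issued or renewed SCT is usable only from wsu:Created up to (not including) wsu:Expires."""
    r = ET.fromstring(lifetime_xml)
    return _utc(_text(r, f".//{{{WSU}}}Created")) <= _utc(now_utc) < _utc(_text(r, f".//{{{WSU}}}Expires"))
```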

For additional information, review the two example scenario topics that discuss establishing the security context token.
Web Services Secure Conversation
Trust service
Flow for establishing a security context token to secure conversations
Flow for establishing a security context token to secure reliable messaging
Derived key token
Secure requests to the trust service using system policy sets
Enable secure conversation
