+

Search Tips   |   Advanced Search

Web Services Trust standard

Web Services Trust (WS-Trust) is a proposed Organization for the Advancement of Structured Information Standards (OASIS) standard that enables security token interoperability by defining a request/response protocol. This protocol allows SOAP actors, such as a web services client, to request of some trusted authority that a particular security token be exchanged for another. The trust service, which is provided with WebSphere Application Service, uses the secure messaging mechanisms of WS-Trust to define additional extensions for the issuance, exchange, and validation of security tokens.

WS-Trust defines a request and response protocol for security token exchange. A client sends a RequestSecurityToken (RST) to a security token service. The request includes the security token that the client is asking to be exchanged. The security token service responds back with a RequestSecurityTokenResponse (RSTR) containing the new token.

In addition to the token exchange, the WS-Trust request/response protocol is general enough to support token issuance, where the client presents a claim to the trust service for the service to authorize through the issuance of a corresponding security token. Token validation is where the client presents a token to the trust service and asks that its validity be determined.

Also, WS-Trust enables the issuance and dissemination of credentials within different trust domains. To secure a communication between two parties, the two parties must exchange security credentials (either directly or indirectly). Each party must first determine if they can trust the asserted credentials of the other party.

The OASIS WS-Trust specification defines extensions to Web Services Security (WS-Security) for issuing and exchanging security tokens and for providing ways to establish and access the presence of trust relationships. Using these extensions, applications can engage in secure communication, and these extensions are designed to work with the general web services framework. The general web services framework includes the WSDL service descriptions, UDDI businessServices and bindingTemplates, and SOAP messages.

The WebSphere Application Server support of WS-Trust focuses on establishing a security context token for Web Services Secure Conversation (WS-SecureConversation). The WS-Trust support focuses on the four actions for the security context token: issue, renew, validate, and cancel. Also supported for WS-Trust Version 1.3 are collection requests for the same actions: issue, renew, validate and cancel. The major component for WS-Trust that WebSphere Application Server supports is the security token service, which is referred to as the trust service.


Support for submission draft and approved levels of the WS-Trust standard

Version 6.1 and later of WAS supports the WS-Trust 2005 Submission Draft specification (Version 1.1). However, WAS does not provide a full security token service that implements all the contents of the WS-Trust draft specification.

Support for the approved version 1.3 specification, which is dated March 2007, is provided for WebSphere Application Server version 7.0 and later. The Security Context Token (SCT) provider supports the OASIS version 1.3 specifications for WS-Trust and WS-SecureConversation. There is a configuration option that allows support for the two different levels of the WS-Trust standard to co-exist on the same server. This provides interoperability between systems and products that support different specification levels. See the topic Configuring the security context token provider for the trust service using the console for details.

A setting is also provided to specifically disable support for the WS-Trust 2005 Submission Draft specification (Version 1.1) for the Security Context Token provider. For more information about this property, refer to the topic Disabling the draft standard level for the Security Context Token.

Processing a trust service request depends on the specifications referenced in the request. Also, the trust service response is determined by the level of the specification used in the request.

For more information about WS-Trust:


Related concepts

  • Web Services Secure Conversation


    Related information:

    Web Services Trust Language