Web Services Trust (WS-Trust) and Web Services Secure Conversation (WS-SecureConversation) support in the application server provides the ability to issue a security context token (SCT). Requests for a security context token are processed by the security token service.
The security token service for WebSphere® Application Server is called the trust service. However, the application server does not provide a full security token service that implements all the contents of the WS-Trust specification.
The secure session is referred to as secure conversation because the message protocols that are used are defined by WS-SecureConversation and WS-Trust. WebSphere Application Server supports secure conversation.
To request a security context token, a RequestSecurityToken (RST), which is defined by the WS-Trust and WS-SecureConversation protocols, is sent to the service endpoint with which you are setting up a secure conversation. These requests are transparently rerouted to the trust service. The trust service processes the RST and responds with a RequestSecurityTokenResponse (RSTR). This response is returned to the requestor as if it were generated by the endpoint service.
The WebSphere Application Server token provider support is limited to the Security Context Token provider. WS-SecureConversation in the application server focuses on establishing the security context token between the initiating party and the recipient party for secure conversation.
WebSphere Application Server includes caching support for the Security Context Token in both cluster and non-cluster environments as well as on both the client and server. WebSphere Application Server also provides trust policy set management for each of the trust service operations: issue, cancel, validate, and renew. Trust system policy sets can be managed for each of these trust operations relative to an explicit service endpoint or the trust service default. The default trust service policy set for a trust operation is enforced when there is not an explicit attachment.
See the information about Web Services Trust for the WS-Trust functions that are supported.
To better understand security tokens, the following terms are defined:
WebSphere Application Server does not support a security context token that is created by one of the communicating parties and propagated with a message.
WebSphere Application Server does not support creating a security context token through negotiation and exchanges.
To communicate trust, a service requires proof, such as a signature, to prove knowledge of a security token or set of security tokens. A service can generate tokens itself, or it can rely on a separate security token service to issue a security token with its own trust statement. Note that, for some security token formats, communicating trust can simply be a re-issuance or a co-signature, which forms the basis of trust brokering.
A security context is shared among the communicating parties for the lifetime of a communications session; a security context token is the wire representation of this abstract security context.
The token type URI of a security context token is: http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct
The syntax for <wsc:SecurityContextToken> element is as follows:
<wsc:SecurityContextToken wsu:Id="..." ...>
<wsc:Identifier>...</wsc:Identifier>
<wsc:Instance>...</wsc:Instance>
...
</wsc:SecurityContextToken>
The security context token does not support references to it by using key identifiers or key names. All references must use an ID (to a wsu:Id attribute) or use a URI reference, <wsse:Reference>, to the <wsc:Identifier> element in the security context token.
This example shows an RST request to issue a security token. The URI http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct, which is used in this example, represents the token type:
<soapenv:Envelope
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<wsa:To xmlns:wsa="http://www.w3.org/2005/08/addressing"
soapenv:mustUnderstand="0">
http://localhost:80/WSSampleSei/EchoService
</wsa:To>
<wsa:MessageID xmlns:wsa="http://www.w3.org/2005/08/addressing"
soapenv:mustUnderstand="0">
fc0632828e1252b4:487cee53:11cbfa7916e:-7fb6
</wsa:MessageID>
<wsa:Action xmlns:wsa="http://www.w3.org/2005/08/addressing"
soapenv:mustUnderstand="0">
http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/SCT
</wsa:Action>
</soapenv:Header>
<soapenv:Body>
<wst:RequestSecurityToken
xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
Context="http://www.ibm.com/login/">
<wst:TokenType>
http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct
</wst:TokenType>
<wst:RequestType>
http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue
</wst:RequestType>
<wsp:AppliesTo
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
<wsa:EndpointReference
xmlns:wsa="http://www.w3.org/2005/08/addressing">
<wsa:Address>
http://localhost:80/WSSampleSei/EchoService
</wsa:Address>
</wsa:EndpointReference>
</wsp:AppliesTo>
<wst:Entropy>
<wst:BinarySecret
Type="http://docs.oasis-open.org/ws-sx/ws-trust/200512/Nonce">
zb//KsawV6DmfC8kB6vNOQ==
</wst:BinarySecret>
</wst:Entropy>
<wst:KeySize>128</wst:KeySize>
</wst:RequestSecurityToken>
</soapenv:Body>
</soapenv:Envelope>
This example shows the RSTR that is returned for the request to issue a security token:
<soapenv:Envelope
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header xmlns:wsa="http://www.w3.org/2005/08/addressing">
<wsa:Action>
http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/SCT
</wsa:Action>
<wsa:RelatesTo>
fc0632828e1252b4:487cee53:11cbfa7916e:-7fb6
</wsa:RelatesTo>
</soapenv:Header>
<soapenv:Body>
<wst:RequestSecurityTokenResponseCollection
xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
<wst:RequestSecurityTokenResponse
Context="http://www.ibm.com/login/">
<wst:RequestedSecurityToken>
<wsc:SecurityContextToken
xmlns:wsc="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="uuid:FFA51A32EB818FB6EA1222986227363">
<wsc:Identifier>
uuid:FFA51A32EB818FB6EA1222986227346
</wsc:Identifier>
<wsc:Instance>
uuid:FFA51A32EB818FB6EA1222986227345
</wsc:Instance>
</wsc:SecurityContextToken>
</wst:RequestedSecurityToken>
<wsp:AppliesTo
xmlns:wsp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsa:EndpointReference
xmlns:wsa="http://www.w3.org/2005/08/addressing">
<wsa:Address>
http://localhost:80/WSSampleSei/EchoService
</wsa:Address>
</wsa:EndpointReference>
</wsp:AppliesTo>
<wst:RequestedProofToken>
<wst:ComputedKey>
http://docs.oasis-open.org/ws-sx/ws-trust/200512/CK/PSHA1
</wst:ComputedKey>
</wst:RequestedProofToken>
<wst:Entropy>
<wst:BinarySecret
Type="http://docs.oasis-open.org/ws-sx/ws-trust/200512/Nonce">
rF1Yp5zhRhamLQNPAOm4TA==
</wst:BinarySecret>
</wst:Entropy>
<wst:Lifetime>
<wsu:Created
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
2008-10-02T22:23:44.765Z
</wsu:Created>
<wsu:Expires
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
2008-10-02T22:35:44.765Z
</wsu:Expires>
</wst:Lifetime>
<wst:RequestedAttachedReference>
<wsse:SecurityTokenReference
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:Reference
URI="#uuid:FFA51A32EB818FB6EA1222986227363"
ValueType="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct" />
</wsse:SecurityTokenReference>
</wst:RequestedAttachedReference>
<wst:RequestedUnattachedReference>
<wsse:SecurityTokenReference
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:Reference
URI="uuid:FFA51A32EB818FB6EA1222986227346"
ValueType="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct" />
</wsse:SecurityTokenReference>
</wst:RequestedUnattachedReference>
<wst:Renewing Allow="true" OK="false" />
<wst:KeySize>128</wst:KeySize>
</wst:RequestSecurityTokenResponse>
</wst:RequestSecurityTokenResponseCollection>
</soapenv:Body>
</soapenv:Envelope>
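The issue response above names PSHA1 in wst:ComputedKey, which means that neither the RST nor the RSTR carries the session key itself: each side derives it from the two Nonce entropies and the agreed wst:KeySize. The following Python is an added illustration written for this page, not WebSphere code. It implements the P_SHA1 expansion from the TLS specification with the requestor entropy as the HMAC secret and the responder entropy as the seed, which is the ordering WS-Trust 1.3 gives for the computed key (the assumption here is that the trust service in use follows that ordering), truncates the output to KeySize/8 bytes, and runs it over the two Base64 values from the example messages.

```python
import base64
import hashlib
import hmac

# Entropy values as they appear in the sample issue exchange on this page.
REQUESTOR_ENTROPY_B64 = "zb//KsawV6DmfC8kB6vNOQ=="   # wst:Entropy in the RST
RESPONDER_ENTROPY_B64 = "rF1Yp5zhRhamLQNPAOm4TA=="   # wst:Entropy in the RSTR
KEY_SIZE_BITS = 128                                   # wst:KeySize in both messages

PSHA1_URI = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/CK/PSHA1"


def p_sha1(secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS-style P_SHA1 expansion (RFC 2246 section 5) built on HMAC-SHA1.

    A(0) = seed, A(i) = HMAC(secret, A(i-1));
    output = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ...
    The stream is truncated to the requested number of bytes.
    """
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()
    return out[:length]


def derive_sct_key(computed_key_uri: str, requestor_entropy_b64: str,
                   responder_entropy_b64: str, key_size_bits: int) -> bytes:
    """Derive the secure-conversation key both parties share after the issue exchange.

    Refuses any ComputedKey algorithm other than PSHA1, because a relying party
    must not silently fall back to an algorithm it did not verify.
    """
    if computed_key_uri != PSHA1_URI:
        raise ValueError("unsupported ComputedKey algorithm: %s" % computed_key_uri)
    if key_size_bits <= 0 or key_size_bits % 8:
        raise ValueError("KeySize must be a positive multiple of 8 bits")
    # validate=True rejects entropy that is not well-formed Base64 instead of
    # quietly decoding a shorter value.
    ent_req = base64.b64decode(requestor_entropy_b64, validate=True)
    ent_res = base64.b64decode(responder_entropy_b64, validate=True)
    # WS-Trust 1.3: key = P_SHA1(EntREQ, EntRES), i.e. requestor entropy is the
    # secret and responder entropy is the seed (assumption: the trust service
    # follows the specification's ordering).
    return p_sha1(ent_req, ent_res, key_size_bits // 8)


if __name__ == "__main__":
    key = derive_sct_key(PSHA1_URI, REQUESTOR_ENTROPY_B64, RESPONDER_ENTROPY_B64, KEY_SIZE_BITS)
    print("derived %d-bit key: %s" % (len(key) * 8, key.hex()))
```

Both the requestor and the trust service run the same computation independently; the derived bytes never cross the wire, which is why the wst:Entropy values in the sample messages are random nonces rather than the key, and why a fresh nonce is sent again in the renew exchange later on this page.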
This example shows an RST request to cancel a security token:
<soapenv:Envelope
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<wsa:To xmlns:wsa="http://www.w3.org/2005/08/addressing"
soapenv:mustUnderstand="0">
http://localhost:80/WSSampleSei/EchoService
</wsa:To>
<wsa:MessageID xmlns:wsa="http://www.w3.org/2005/08/addressing"
soapenv:mustUnderstand="0">
fc0632828e1252b4:-270287b7:11cc22c16ed:-7fa8
</wsa:MessageID>
<wsa:Action xmlns:wsa="http://www.w3.org/2005/08/addressing"
soapenv:mustUnderstand="0">
http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Cancel
</wsa:Action>
</soapenv:Header>
<soapenv:Body>
<wst:RequestSecurityToken
xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
Context="http://www.ibm.com/login/">
<wst:TokenType>
http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct
</wst:TokenType>
<wst:RequestType>
http://docs.oasis-open.org/ws-sx/ws-trust/200512/Cancel
</wst:RequestType>
<wsp:AppliesTo
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
<wsa:EndpointReference
xmlns:wsa="http://www.w3.org/2005/08/addressing">
<wsa:Address>
http://localhost:80/WSSampleSei/EchoService
</wsa:Address>
</wsa:EndpointReference>
</wsp:AppliesTo>
<wst:CancelTarget>
<wsc:SecurityContextToken
xmlns:wsc="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="uuid:AC4764EB4BE91011501223028453769">
<wsc:Identifier>
uuid:AC4764EB4BE91011501223028453768
</wsc:Identifier>
<wsc:Instance>
uuid:AC4764EB4BE91011501223028453751
</wsc:Instance>
</wsc:SecurityContextToken>
</wst:CancelTarget>
</wst:RequestSecurityToken>
</soapenv:Body>
</soapenv:Envelope>
This example shows the RSTR that is returned for the request to cancel a security token:
<soapenv:Envelope
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:wsa="http://www.w3.org/2005/08/addressing">
<soapenv:Header>
<wsa:Action>
http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/Cancel
</wsa:Action>
<wsa:RelatesTo>
fc0632828e1252b4:-270287b7:11cc22c16ed:-7fa8
</wsa:RelatesTo>
</soapenv:Header>
<soapenv:Body>
<wst:RequestSecurityTokenResponse
Context="http://www.ibm.com/login/"
xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
<wst:RequestedTokenCancelled/>
</wst:RequestSecurityTokenResponse>
</soapenv:Body>
</soapenv:Envelope>
This example shows an RST request to renew a security token:
<soapenv:Envelope
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<wsa:To xmlns:wsa="http://www.w3.org/2005/08/addressing"
soapenv:mustUnderstand="0">
http://localhost:80/WSSampleSei/EchoService
</wsa:To>
<wsa:MessageID xmlns:wsa="http://www.w3.org/2005/08/addressing"
soapenv:mustUnderstand="0">
fc0632828e1252b4:487cee53:11cbfa7916e:-7f8e
</wsa:MessageID>
<wsa:Action xmlns:wsa="http://www.w3.org/2005/08/addressing"
soapenv:mustUnderstand="0">
http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Renew
</wsa:Action>
</soapenv:Header>
<soapenv:Body>
<wst:RequestSecurityToken
xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
Context="http://www.ibm.com/login/">
<wst:TokenType>
http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct
</wst:TokenType>
<wst:RequestType>
http://docs.oasis-open.org/ws-sx/ws-trust/200512/Renew
</wst:RequestType>
<wst:RenewTarget>
<wsc:SecurityContextToken
xmlns:wsc="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="uuid:FFA51A32EB818FB6EA1223026418869">
<wsc:Identifier>
uuid:FFA51A32EB818FB6EA1223026418868
</wsc:Identifier>
<wsc:Instance>
uuid:FFA51A32EB818FB6EA1223026418867
</wsc:Instance>
</wsc:SecurityContextToken>
</wst:RenewTarget>
<wsp:AppliesTo
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
<wsa:EndpointReference
xmlns:wsa="http://www.w3.org/2005/08/addressing">
<wsa:Address>
http://localhost:80/WSSampleSei/EchoService
</wsa:Address>
</wsa:EndpointReference>
</wsp:AppliesTo>
<wst:Entropy>
<wst:BinarySecret
Type="http://docs.oasis-open.org/ws-sx/ws-trust/200512/Nonce">
U8rH9l/wLV1gpsBf/yCooA==
</wst:BinarySecret>
</wst:Entropy>
<wst:KeySize>128</wst:KeySize>
</wst:RequestSecurityToken>
</soapenv:Body>
</soapenv:Envelope>
This example shows the RSTR that is returned for the request to renew a security token:
<soapenv:Envelope
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header xmlns:wsa="http://www.w3.org/2005/08/addressing">
<wsa:Action>
http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/RenewFinal
</wsa:Action>
<wsa:RelatesTo>
fc0632828e1252b4:487cee53:11cbfa7916e:-7f8e
</wsa:RelatesTo>
</soapenv:Header>
<soapenv:Body>
<wst:RequestSecurityTokenResponse
xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
Context="http://www.ibm.com/login/">
<wst:RequestedSecurityToken>
<wsc:SecurityContextToken
xmlns:wsc="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="uuid:FFA51A32EB818FB6EA1223026990448">
<wsc:Identifier>
uuid:FFA51A32EB818FB6EA1223026418868
</wsc:Identifier>
<wsc:Instance>
uuid:FFA51A32EB818FB6EA1223026990447
</wsc:Instance>
</wsc:SecurityContextToken>
</wst:RequestedSecurityToken>
<wst:Entropy>
<wst:BinarySecret
Type="http://docs.oasis-open.org/ws-sx/ws-trust/200512/Nonce">
lFkKSI/pajtTZzRpQalNMA==
</wst:BinarySecret>
</wst:Entropy>
<wst:Lifetime>
<wsu:Created
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
2008-10-03T09:43:07.421Z
</wsu:Created>
<wsu:Expires
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
2008-10-03T09:55:07.421Z
</wsu:Expires>
</wst:Lifetime>
<wst:RequestedAttachedReference>
<wsse:SecurityTokenReference
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:Reference
URI="#uuid:FFA51A32EB818FB6EA1223026990448"
ValueType="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct">
</wsse:Reference>
</wsse:SecurityTokenReference>
</wst:RequestedAttachedReference>
<wst:Renewing Allow="true" OK="false"></wst:Renewing>
</wst:RequestSecurityTokenResponse>
</soapenv:Body>
</soapenv:Envelope>
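Before a relying party starts using a token from an issue or renew response, it should check the response against the reference rule stated earlier on this page (an attached reference is a URI fragment naming the token's wsu:Id, an unattached reference carries the wsc:Identifier, and both use the sct ValueType) and against the wst:Lifetime. The renew exchange above also shows what a renewal changes: the wsc:Identifier of the renewed token is the one from the RenewTarget, while the wsc:Instance and the wsu:Id are new. The Python below is an added example for this page, not WebSphere code. It rebuilds compact RSTR bodies from the page's issue values (the renewal and the tampered copy are constructed and labelled as such), parses them with the standard library, and reports every inconsistency it finds.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "wst": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
    "wsc": "http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
}
SCT_TYPE = "http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct"


def build_rstr(wsu_id, identifier, instance, created, expires, attached_uri, unattached_uri=None):
    """Constructed RSTR body with the same shape as the page's issue and renew responses."""
    ref = '<wsse:SecurityTokenReference><wsse:Reference URI="%s" ValueType="%s"/></wsse:SecurityTokenReference>'
    unattached = "" if unattached_uri is None else (
        "<wst:RequestedUnattachedReference>%s</wst:RequestedUnattachedReference>" % (ref % (unattached_uri, SCT_TYPE)))
    return (
        '<wst:RequestSecurityTokenResponse xmlns:wst="%(wst)s" xmlns:wsc="%(wsc)s" xmlns:wsu="%(wsu)s" xmlns:wsse="%(wsse)s">' % NS
        + '<wst:RequestedSecurityToken><wsc:SecurityContextToken wsu:Id="%s">' % wsu_id
        + "<wsc:Identifier>%s</wsc:Identifier><wsc:Instance>%s</wsc:Instance>" % (identifier, instance)
        + "</wsc:SecurityContextToken></wst:RequestedSecurityToken>"
        + "<wst:Lifetime><wsu:Created>%s</wsu:Created><wsu:Expires>%s</wsu:Expires></wst:Lifetime>" % (created, expires)
        + "<wst:RequestedAttachedReference>%s</wst:RequestedAttachedReference>" % (ref % (attached_uri, SCT_TYPE))
        + unattached + "</wst:RequestSecurityTokenResponse>")


# Values of ISSUE_RSTR are copied from the page's issue response; RENEW_RSTR is a
# constructed renewal of that same token, and TAMPERED_RSTR is a constructed copy
# whose attached reference points at an Id the token does not carry.
ISSUE_RSTR = build_rstr(
    "uuid:FFA51A32EB818FB6EA1222986227363", "uuid:FFA51A32EB818FB6EA1222986227346",
    "uuid:FFA51A32EB818FB6EA1222986227345", "2008-10-02T22:23:44.765Z", "2008-10-02T22:35:44.765Z",
    "#uuid:FFA51A32EB818FB6EA1222986227363", "uuid:FFA51A32EB818FB6EA1222986227346")
RENEW_RSTR = build_rstr(
    "uuid:CONSTRUCTED-ID-2", "uuid:FFA51A32EB818FB6EA1222986227346", "uuid:CONSTRUCTED-INSTANCE-2",
    "2008-10-02T22:34:00.000Z", "2008-10-02T22:46:00.000Z", "#uuid:CONSTRUCTED-ID-2")
TAMPERED_RSTR = build_rstr(
    "uuid:FFA51A32EB818FB6EA1222986227363", "uuid:FFA51A32EB818FB6EA1222986227346",
    "uuid:FFA51A32EB818FB6EA1222986227345", "2008-10-02T22:23:44.765Z", "2008-10-02T22:35:44.765Z",
    "#uuid:CONSTRUCTED-OTHER-ID", "uuid:FFA51A32EB818FB6EA1222986227346")


def _text(elem, path):
    node = elem.find(path, NS)
    return node.text.strip() if node is not None and node.text else None


def _ts(value):
    # wsu timestamps in the samples are UTC with millisecond precision.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def parse_rstr(xml_text):
    """Pull out the SCT fields a relying party needs from an issue or renew RSTR."""
    root = ET.fromstring(xml_text)
    sct = root.find(".//wst:RequestedSecurityToken/wsc:SecurityContextToken", NS)
    if sct is None:
        raise ValueError("RSTR carries no wsc:SecurityContextToken")
    attached = root.find(".//wst:RequestedAttachedReference//wsse:Reference", NS)
    unattached = root.find(".//wst:RequestedUnattachedReference//wsse:Reference", NS)
    return {
        "id": sct.get("{%s}Id" % NS["wsu"]),
        "identifier": _text(sct, "wsc:Identifier"),
        "instance": _text(sct, "wsc:Instance"),
        "created": _ts(_text(root, ".//wst:Lifetime/wsu:Created")),
        "expires": _ts(_text(root, ".//wst:Lifetime/wsu:Expires")),
        "attached": None if attached is None else (attached.get("URI"), attached.get("ValueType")),
        "unattached": None if unattached is None else (unattached.get("URI"), unattached.get("ValueType")),
    }


def check_rstr(token, now_iso):
    """Return the list of consistency problems; an empty list means the token is usable at now_iso."""
    now, problems = _ts(now_iso), []
    if token["attached"] is None:
        problems.append("no RequestedAttachedReference")
    else:
        uri, vtype = token["attached"]
        if uri != "#" + (token["id"] or ""):
            problems.append("attached reference %r does not name wsu:Id %r" % (uri, token["id"]))
        if vtype != SCT_TYPE:
            problems.append("attached reference has ValueType %r" % vtype)
    if token["unattached"] is not None:
        uri, vtype = token["unattached"]
        if uri != token["identifier"]:
            problems.append("unattached reference %r is not the wsc:Identifier" % uri)
        if vtype != SCT_TYPE:
            problems.append("unattached reference has ValueType %r" % vtype)
    if token["expires"] <= token["created"]:
        problems.append("Expires is not after Created")
    if not token["created"] <= now < token["expires"]:
        problems.append("token is not within its Lifetime at %s" % now_iso)
    return problems


def check_renewal(old, new):
    """A renewal keeps the wsc:Identifier but must carry a new Instance and a later expiry."""
    problems = []
    if new["identifier"] != old["identifier"]:
        problems.append("renewed token changed the wsc:Identifier")
    if new["instance"] == old["instance"]:
        problems.append("renewed token reused the wsc:Instance")
    if new["expires"] <= old["expires"]:
        problems.append("renewed token does not extend the Lifetime")
    return problems
```

A practical pattern is to call check_rstr with the receiver's own clock immediately after parsing and again before each use of the cached token, since the sample Lifetime is only twelve minutes; check_renewal is what a client-side cache runs when it replaces an entry after the renew exchange.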
This example shows an RST request to validate a security token:
<soapenv:Envelope
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<wsa:To xmlns:wsa="http://www.w3.org/2005/08/addressing"
soapenv:mustUnderstand="0">
http://localhost:80/WSSampleSei/EchoService
</wsa:To>
<wsa:MessageID xmlns:wsa="http://www.w3.org/2005/08/addressing"
soapenv:mustUnderstand="0">
fc0632828e1252b4:-673f2c18:11cc328886a:-7fa7
</wsa:MessageID>
<wsa:Action xmlns:wsa="http://www.w3.org/2005/08/addressing"
soapenv:mustUnderstand="0">
http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Validate
</wsa:Action>
</soapenv:Header>
<soapenv:Body>
<wst:RequestSecurityToken
xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
Context="http://www.ibm.com/login/">
<wst:TokenType>
http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct
</wst:TokenType>
<wst:RequestType>
http://docs.oasis-open.org/ws-sx/ws-trust/200512/Validate
</wst:RequestType>
<wst:ValidateTarget>
<wsc:SecurityContextToken
xmlns:wsc="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="uuid:6B77A2DA28C1E523BD1223045150688">
<wsc:Identifier>
uuid:6B77A2DA28C1E523BD1223045150687
</wsc:Identifier>
<wsc:Instance>
uuid:6B77A2DA28C1E523BD1223045150670
</wsc:Instance>
</wsc:SecurityContextToken>
</wst:ValidateTarget>
<wsp:AppliesTo
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
<wsa:EndpointReference
xmlns:wsa="http://www.w3.org/2005/08/addressing">
<wsa:Address>
http://localhost:80/WSSampleSei/EchoService
</wsa:Address>
</wsa:EndpointReference>
</wsp:AppliesTo>
</wst:RequestSecurityToken>
</soapenv:Body>
</soapenv:Envelope>
This example shows the RSTR that is returned for the request to validate a security token:
<soapenv:Envelope
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header xmlns:wsa="http://www.w3.org/2005/08/addressing">
<wsa:Action>
http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/ValidateFinal
</wsa:Action>
<wsa:RelatesTo>
fc0632828e1252b4:-673f2c18:11cc328886a:-7fa7
</wsa:RelatesTo>
</soapenv:Header>
<soapenv:Body>
<wst:RequestSecurityTokenResponse
xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
Context="http://www.ibm.com/login/">
<wst:Status>
<wst:Code>
http://docs.oasis-open.org/ws-sx/ws-trust/200512/status/valid
</wst:Code>
</wst:Status>
</wst:RequestSecurityTokenResponse>
</soapenv:Body>
</soapenv:Envelope>
For additional information, review the two example scenario topics that discuss establishing the security context token.