Trust, Access Control, and Rights for Web Services, Part 1
RequestSecurityToken
Several other important standards are derived from and are complementary to WS-Security; they relate to such fundamental security topics as trust, access control, and rights. In this chapter, we review the family of WS-Security–related technologies. This is part 1 of chapter 9 from Securing Web Services with WS-Security, by Rosenberg and Remy (ISBN 0672326515, Sams, 2004).
Now that you know how the model is supposed to work and you understand the key relationships between Web service provider, requestor, and Security Token Service, it's time to look at the two key WS-Trust elements needed to perform its prescribed functions: <RequestSecurityToken> and <RequestSecurityTokenResponse>.
Listing 9.1 shows a request to have a security token issued.
Now let's explore each element that makes up a <RequestSecurityToken> element.
<TokenType> The optional <TokenType> element describes the type of security token requested, specified as a QName (see the following section). That is, it describes the type of token that will be returned in the <RequestSecurityTokenResponse> message.
<RequestType> The <RequestType> element is used to indicate, using a QName, the action that is being requested. The following QNames are predefined:
Issue security token
Validate security token
Exchange security token
<Base> The optional <Base> element has the same type as the <SecurityTokenReference> element and references the base (primary) tokens that are used to validate the authenticity of a request. In general, this element isn't used because signatures provided on the request prove the right to make the request.
<Supporting> The optional <Supporting> element has the same type as the <SecurityTokenReference> element and references the supporting tokens that are used to authorize this request. Typically, this element is used to identify tokens in a certificate authority. It is not required to specify any or all supporting tokens; it is simply a hint or aid to the recipient service.
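To make the element structure above concrete, here is an added example (not the book's Listing 9.1 or 9.2, and not code from the book) that builds a SOAP message of the shape described for Listing 9.2, a UsernameToken with wsu:Id "myToken" in the <Security> header and a <RequestSecurityToken> asking for an X.509 token with <Base> pointing back at that token, and then checks the request the way a Security Token Service should before it does anything else: the <RequestType> must be one of the predefined QNames, and every <Base> reference must resolve to a token actually present in the header. The namespace URIs, the QName strings ("wst:ReqIssue", "wsse:X509v3"), and the sample username are assumptions chosen for the example.

```python
"""Added example: build and check a WS-Trust <RequestSecurityToken> message.

Not the book's listing. Namespace URIs, the QName strings for RequestType and
TokenType, and the sample username are assumptions chosen for illustration.
"""
import xml.etree.ElementTree as ET

# Assumed namespace URIs (SOAP 1.1, WSS 1.0 secext/utility, WS-Trust 2004/04).
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
WST = "http://schemas.xmlsoap.org/ws/2004/04/trust"

for prefix, uri in (("S", SOAP), ("wsse", WSSE), ("wsu", WSU), ("wst", WST)):
    ET.register_namespace(prefix, uri)

# Assumed QName spellings for the three predefined request types (issue,
# validate, exchange). Prefixes are compared as literal strings here; a real
# STS must resolve them against the in-scope namespace declarations.
REQUEST_TYPES = {"wst:ReqIssue", "wst:ReqValidate", "wst:ReqExchange"}


def q(ns, local):
    """Clark-notation tag name for ElementTree."""
    return "{%s}%s" % (ns, local)


def build_rst(username, base_id="myToken", token_type="wsse:X509v3"):
    """Return a SOAP envelope: UsernameToken in <Security>, RST in <Body>."""
    env = ET.Element(q(SOAP, "Envelope"))
    header = ET.SubElement(env, q(SOAP, "Header"))
    sec = ET.SubElement(header, q(WSSE, "Security"))
    # The base token the requestor authenticates with, labelled by wsu:Id.
    unt = ET.SubElement(sec, q(WSSE, "UsernameToken"), {q(WSU, "Id"): base_id})
    ET.SubElement(unt, q(WSSE, "Username")).text = username

    body = ET.SubElement(env, q(SOAP, "Body"))
    rst = ET.SubElement(body, q(WST, "RequestSecurityToken"))
    ET.SubElement(rst, q(WST, "TokenType")).text = token_type     # optional
    ET.SubElement(rst, q(WST, "RequestType")).text = "wst:ReqIssue"
    # <Base> has the SecurityTokenReference type: a local #Id reference.
    base = ET.SubElement(rst, q(WST, "Base"))
    strf = ET.SubElement(base, q(WSSE, "SecurityTokenReference"))
    ET.SubElement(strf, q(WSSE, "Reference"), {"URI": "#" + base_id})
    return ET.tostring(env, encoding="unicode")


def resolve_token(env, wsu_id):
    """Find the element in <Security> carrying wsu:Id == wsu_id, else None."""
    sec = env.find("./{%s}Header/{%s}Security" % (SOAP, WSSE))
    if sec is None:
        return None
    for el in sec.iter():
        if el.get(q(WSU, "Id")) == wsu_id:
            return el
    return None


def parse_rst(xml_text):
    """Return (token_type, request_type, base_token_element).

    Raises ValueError when the RST is missing, the RequestType is not one of
    the predefined QNames, or a <Base> reference does not resolve to a token
    in the <Security> header. Signature verification is out of scope here.
    """
    env = ET.fromstring(xml_text)
    rst = env.find("./{%s}Body/{%s}RequestSecurityToken" % (SOAP, WST))
    if rst is None:
        raise ValueError("no RequestSecurityToken in Body")
    request_type = rst.findtext(q(WST, "RequestType"))
    if request_type not in REQUEST_TYPES:
        raise ValueError("unknown RequestType %r" % request_type)
    token_type = rst.findtext(q(WST, "TokenType"))  # may be None (optional)

    base_el = None
    base = rst.find(q(WST, "Base"))
    if base is not None:
        ref = base.find("./{%s}SecurityTokenReference/{%s}Reference" % (WSSE, WSSE))
        uri = ref.get("URI") if ref is not None else None
        if not uri or not uri.startswith("#"):
            raise ValueError("Base must carry a local #Id reference")
        base_el = resolve_token(env, uri[1:])
        if base_el is None:
            raise ValueError("Base references unknown token %r" % uri)
    return token_type, request_type, base_el


def is_acceptable_request(xml_text):
    """Boolean wrapper: True if parse_rst accepts the message."""
    try:
        parse_rst(xml_text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    msg = build_rst("alice")
    print(msg)
    print(parse_rst(msg)[:2])
```

The check that <Base> resolves to a real header token is the one worth keeping: a request whose reference points nowhere (or into the body rather than the <Security> header) should be refused before any signature over it is evaluated, since the signature's key is supposed to come from that token.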
The example in Listing 9.2 shows an X.509 security token being requested based on the security token located in the <Security> header with the ID "myToken". This token specifies a username, and a signature is placed over the request using a key derived from the password (or password equivalent), nonce, and time stamp.
Listing 9.2 - Requesting an X.509 Security Token Based on a Key Derived from a Password