
RequestSecurityToken - Security

Several other important standards are derived from and are complementary to WS-Security; they relate to such fundamental security topics as trust, access control, and rights. In this chapter, we review the family of WS-Security–related technologies. This is part 1 of chapter 9 from Securing Web Services with WS-Security, by Rosenberg and Remy (ISBN 0672326515, Sams, 2004).

By: Rosenberg, Remy
July 26, 2004


Now that you know how the model is supposed to work and you understand the key relationships between Web service provider, requestor, and Security Token Service, it's time to look at the two key WS-Trust elements needed to perform its prescribed functions: <RequestSecurityToken> and <RequestSecurityTokenResponse>.

<RequestSecurityToken>

Listing 9.1 shows a request to have a security token issued.

Listing 9.1 The <RequestSecurityToken> Element

<RequestSecurityToken>
  <TokenType>...</TokenType>
  <RequestType>...</RequestType>
  <Base>...</Base>
  <Supporting>...</Supporting>
</RequestSecurityToken>

Now let's explore each element that makes up a <RequestSecurityToken> element.

<TokenType> The optional <TokenType> element describes the type of security token requested, specified as a QName (see the following section). That is, it describes the type of token that will be returned in the <RequestSecurityTokenResponse> message.

<RequestType> The <RequestType> element is used to indicate, using a QName, the action that is being requested. The following QNames are predefined:

QName               Description
wsse:ReqIssue       Issue security token
wsse:ReqValidate    Validate security token
wsse:ReqExchange    Exchange security token


<Base> The optional <Base> element has the same type as the <SecurityTokenReference> element and references the base (primary) tokens that are used to validate the authenticity of a request. In general, this element isn't used because signatures provided on the request prove the right to make the request.

<Supporting> The optional <Supporting> element has the same type as the <SecurityTokenReference> element and references the supporting tokens that are used to authorize this request. Typically, this element is used to identify tokens in a certificate authority. It is not required to specify any or all supporting tokens; it is simply a hint or aid to the recipient service.

The example in Listing 9.2 shows an X.509 security token being requested based on the security token located in the <Security> header with the ID "myToken". This token specifies a username, and a signature is placed over the request using a key derived from the password (or password equivalent), nonce, and time stamp.

Listing 9.2 - Requesting an X.509 Security Token Based on a Key Derived from a Password

<S:Envelope xmlns:S="..." xmlns=".../secext" xmlns:wsu=".../utility">
  <S:Header>
    ...
    <Security>
      <UsernameToken wsu:Id="myToken">
        <Username>NNK</Username>
        <Nonce>FKJh...</Nonce>
        <wsu:Created>2001-10-13T09:00:00Z</wsu:Created>
      </UsernameToken>
      <ds:Signature xmlns:ds="...">
        ...
      </ds:Signature>
    </Security>
    ...
  </S:Header>
  <S:Body wsu:Id="req">
    <RequestSecurityToken>
      <TokenType>wsse:X509v3</TokenType>
      <RequestType>wsse:ReqIssue</RequestType>
      <Base>
        <Reference URI="#myToken"/>
      </Base>
    </RequestSecurityToken>
  </S:Body>
</S:Envelope>
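
An added example, not from the book: a Python check a Security Token Service could run on an incoming <RequestSecurityToken> before acting on it, confirming that <RequestType> is one of the predefined QNames and that the <Base> reference resolves to exactly one token in the <Security> header. The namespace URIs, `check_rst`, `RSTError` and the sample envelope are constructed for illustration, and signature verification is assumed to happen separately.

```python
import xml.etree.ElementTree as ET

# Placeholder namespace URIs (assumption): the page elides the real ones as "...".
S, WSSE, WSU = "urn:example:soap", "urn:example:secext", "urn:example:utility"
REQUEST_TYPES = {"wsse:ReqIssue", "wsse:ReqValidate", "wsse:ReqExchange"}

class RSTError(ValueError):
    """The request fails a structural check and must not reach token issuance."""

def check_rst(envelope_xml):
    """Parse an RST envelope; return its fields or raise RSTError."""
    if "<!DOCTYPE" in envelope_xml:          # SOAP messages must not carry a DTD
        raise RSTError("DTD not allowed")
    try:
        root = ET.fromstring(envelope_xml)
    except ET.ParseError as exc:
        raise RSTError(f"not well-formed: {exc}") from exc
    rsts = root.findall(f"{{{S}}}Body/{{{WSSE}}}RequestSecurityToken")
    if len(rsts) != 1:
        raise RSTError("expected exactly one RequestSecurityToken in the Body")
    rst = rsts[0]
    # Compared as literal text: ElementTree does not keep prefix bindings.
    request_type = (rst.findtext(f"{{{WSSE}}}RequestType") or "").strip()
    if request_type not in REQUEST_TYPES:
        raise RSTError(f"unknown RequestType {request_type!r}")
    # Index header tokens by wsu:Id; a duplicate Id makes "#id" ambiguous.
    tokens = {}
    for el in root.iterfind(f"{{{S}}}Header/{{{WSSE}}}Security/*"):
        token_id = el.get(f"{{{WSU}}}Id")
        if token_id in tokens:
            raise RSTError(f"duplicate wsu:Id {token_id!r}")
        if token_id is not None:
            tokens[token_id] = el.tag.split("}")[-1]
    base = None
    ref = rst.find(f"{{{WSSE}}}Base/{{{WSSE}}}Reference")
    if ref is not None:                      # <Base> is optional
        uri = ref.get("URI", "")
        if not uri.startswith("#") or uri[1:] not in tokens:
            raise RSTError(f"Base reference {uri!r} does not resolve")
        base = tokens[uri[1:]]
    return {"request_type": request_type, "base_token": base,
            "token_type": rst.findtext(f"{{{WSSE}}}TokenType")}  # optional

# Constructed sample modelled on Listing 9.2 (signature omitted).
SAMPLE = f"""<S:Envelope xmlns:S="{S}" xmlns="{WSSE}" xmlns:wsu="{WSU}"><S:Header>
<Security><UsernameToken wsu:Id="myToken"><Username>NNK</Username></UsernameToken>
</Security></S:Header><S:Body wsu:Id="req"><RequestSecurityToken>
<TokenType>wsse:X509v3</TokenType><RequestType>wsse:ReqIssue</RequestType>
<Base><Reference URI="#myToken"/></Base></RequestSecurityToken></S:Body></S:Envelope>"""
```

Calling `check_rst(SAMPLE)` returns the request type, token type and the local name of the token that <Base> points at; any failed check raises `RSTError` instead.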

This chapter is from Securing Web Services with WS-Security, by Jothy Rosenberg and David Remy (Sams, 2004, ISBN: 0672326515). Check it out at your favorite bookstore today.
