RequestSecurityToken - Security

Several other important standards are derived from and are complementary to WS-Security; they relate to such fundamental security topics as trust, access control, and rights. In this chapter, we review the family of WS-Security–related technologies. This is part 1 of chapter 9 from Securing Web Services with WS-Security, by Rosenberg and Remy (ISBN 0672326515, Sams, 2004).

TABLE OF CONTENTS:

By: Rosenberg, Remy

Poor Best

Rating:

/ 8

July 26, 2004

print this article

SEARCH DEV SHED

TOOLS YOU CAN USE

Now that you know how the model is supposed to work and you understand the key relationships between Web service provider, requestor, and Security Token Service, it's time to look at the two key WS-Trust elements needed to perform its prescribed functions: <RequestSecurityToken> and <RequestSecurityTokenResponse>.

<RequestSecurityToken>

Listing 9.1 shows a request to have a security token issued.

Listing 9.1 The <RequestSecurityToken> Element

<RequestSecurityToken>
<TokenType>...</TokenType>
<RequestType>...</RequestType>
<Base>...</Base>
<Supporting>...</Supporting>
</RequestSecurityToken>

Now let's explore each element that makes up a <RequestSecurityToken> element.

<TokenType> The optional <TokenType> element describes the type of security token requested, specified as a QName (see the following section). That is, it describes the type of token that will be returned in the <RequestSecurityTokenResponse> message.

<RequestType> The <RequestType> element is used to indicate, using a QName, the action that is being requested. The following QNames are predefined:

QName	Description
wsse:ReqIssue	Issue security token
wsse:ReqValidate	Validate security token
wsse:ReqExchange	Exchange security token

<Base> The optional <Base> element has the same type as the <SecurityTokenReference> element and references the base (primary) tokens that are used to validate the authenticity of a request. In general, this element isn't used because signatures provided on the request prove the right to make the request.

<Supporting> The optional <Supporting> element has the same type as the <SecurityTokenReference> element and references the supporting tokens that are used to authorize this request. Typically, this element is used to identify tokens in a certificate authority. It is not required to specify any or all supporting tokens; it is simply a hint or aid to the recipient service.

The example in Listing 9.2 shows an X.509 security token being requested based on the security token located in the <Security> header with the ID "myToken". This token specifies a username, and a signature is placed over the request using a key derived from the password (or password equivalent), nonce, and time stamp.

Listing 9.2 - Requesting an X.509 Security Token Based on a Key Derived from a Password

<S:Envelope xmlns:S="..." xmlns=".../secext" xmlns:wsu=".../utility>
<S:Header>
    ...
    <Security>
      <UsernameToken wsu:Id="myToken">
        <Username>NNK</Username>
        <Nonce>FKJh...</Nonce>
        <wsu:Created>2001-10-13T09:00:00Z </wsu:Created>
      </UsernameToken>
      <ds:Signature xmlns:ds="...">
        ...
      </ds:Signature>
    </Security>
    ...
</S:Header>
<S:Body wsu:Id="req">
    <RequestSecurityToken>
      <TokenType>wsse:X509v3</TokenType>
      <RequestType>wsse:ReqIssue</RequestType>
      <Base>
        <Reference URI="#myToken"/>
      </Base>
    </RequestSecurityToken>
</S:Body>
</S:Envelope>

This chapter is from Securing Web Services Security with WS-Security, by Jothy Rosenberg and David Remy (Sams, 2004, ISBN: 0672326515). Check it out at your favorite bookstore today.