WS Trust
WS-S-5 Using Secure SOAP Services
Exposing WS Trust SOAP Endpoints
Preliminaries
The WS Trust protocol is a SOAP-based secure service and client used to retrieve a security token (an X.509 certificate or similar), which the client then uses for secure operations against an ultimate target service.
In the common scenario the client asks the Token Issuer for a security token. The client then uses the token from the WS Trust response to perform a second remote call, signed and/or encrypted, to another service, which is the ultimate target service. Usually the Token Issuer, the client and the ultimate service are located at different physical locations.
Example
Before running this demo, make sure that the WS-S-1 tutorial is set up and that a valid X.509 certificate and its corresponding private key have been imported (for server and client usage) via the WS-S-1 example's certificate upload utility.
This example uses a WS Trust client to obtain an X.509 security token from a Token Issuer service and then uses it to make a signed request to a dummy Weblog service. In a real situation the Weblog service, instead of echoing a random URL, would create an entry in the user's blog. Note that in this demo all operations are performed in the context of the same server (i.e. the Token Issuer, the Weblog service and the client are running on one Virtuoso server instance).
The demo's main points are as follows.
- The client uses a username and password to digitally sign the request to the Token Issuer.
- The Token Issuer checks the signature and the user credentials and then issues a security token to the client.
- The Token Issuer service uses a PL hook to return the appropriate X.509 token.
- The client uses the returned token (from the Token Issuer service) to match it against the local key storage and to digitally sign the second request (to the Weblog service).
- The Weblog service just verifies the signature and returns an echo of the client's request plus a random URL string and post id. (In the real world such a service would add the data to a database holding the blog posts.)
- The Weblog service digitally signs the response before sending it to the client.
- To see the request/response messages from/to the Token Issuer or the Web service, use the radio group buttons.
Note: In this example the Token Issuer, the Weblog service and the client use the same X.509 certificate.
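The token-issuing leg of the flow above (client sends a RequestSecurityToken carrying a UsernameToken, the issuer checks the credentials and answers with a RequestSecurityTokenResponse carrying an X.509 BinarySecurityToken, the client matches the returned certificate against its local key store) is shown here as an added Python example. It is not code from the Virtuoso demo or the ws_s_5.sql / trust_client.vsp sources; it builds and parses the SOAP messages with the standard library only. The namespace URIs are the published WS-Trust (Feb 2005) and WS-Security 1.0 ones; the certificate bytes, the user/password store, the user-to-certificate map standing in for the page's PL hook, and the SHA-1 thumbprint key store are all constructed for the example. The XML-Signature step that the demo applies to the requests is outside this block.

```python
"""WS-Trust Issue exchange: RST with UsernameToken -> RSTR with X509v3 BinarySecurityToken."""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Published namespaces for SOAP 1.1, WS-Trust (Feb 2005) and WS-Security 1.0.
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wst": "http://schemas.xmlsoap.org/ws/2005/02/trust",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
BASE64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
PWTEXT = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"
ISSUE = "http://schemas.xmlsoap.org/ws/2005/02/trust/Issue"


def q(prefix, local):
    """Clark-notation element name for ElementTree."""
    return "{%s}%s" % (NS[prefix], local)


# --- constructed sample state (stands in for the WS-S-1 upload and the demo's PL hook) ---
LOCAL_CERT_DER = b"\x30\x82\x01\x00constructed-sample-certificate-bytes"  # not a real cert
_SALT = b"constructed-salt"


def _pw_hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _SALT, 100_000)


ISSUER_USERS = {"demo": _pw_hash("secret")}   # issuer-side credential store (hashed)
ISSUER_CERTS = {"demo": LOCAL_CERT_DER}       # user -> certificate, the "PL hook" of the demo


def thumbprint(cert_der):
    """Conventional X.509 thumbprint: SHA-1 over the DER bytes."""
    return hashlib.sha1(cert_der).hexdigest()


CLIENT_KEY_STORE = {thumbprint(LOCAL_CERT_DER): LOCAL_CERT_DER}  # client's local key storage


def _envelope():
    env = ET.Element(q("soap", "Envelope"))
    hdr = ET.SubElement(env, q("soap", "Header"))
    body = ET.SubElement(env, q("soap", "Body"))
    return env, hdr, body


def build_rst(username, password):
    """Client side: RequestSecurityToken asking for an X509v3 token, authenticated by UsernameToken."""
    env, hdr, body = _envelope()
    sec = ET.SubElement(hdr, q("wsse", "Security"))
    ut = ET.SubElement(sec, q("wsse", "UsernameToken"))
    ET.SubElement(ut, q("wsse", "Username")).text = username
    pw = ET.SubElement(ut, q("wsse", "Password"))
    pw.set("Type", PWTEXT)
    pw.text = password
    rst = ET.SubElement(body, q("wst", "RequestSecurityToken"))
    ET.SubElement(rst, q("wst", "TokenType")).text = X509V3
    ET.SubElement(rst, q("wst", "RequestType")).text = ISSUE
    return ET.tostring(env)


def build_rstr(cert_der):
    """Issuer side: RequestSecurityTokenResponse carrying the certificate as a BinarySecurityToken."""
    env, _, body = _envelope()
    rstr = ET.SubElement(body, q("wst", "RequestSecurityTokenResponse"))
    ET.SubElement(rstr, q("wst", "TokenType")).text = X509V3
    req = ET.SubElement(rstr, q("wst", "RequestedSecurityToken"))
    bst = ET.SubElement(req, q("wsse", "BinarySecurityToken"))
    bst.set("ValueType", X509V3)
    bst.set("EncodingType", BASE64)
    bst.text = base64.b64encode(cert_der).decode("ascii")
    return ET.tostring(env)


def build_fault(reason):
    env, _, body = _envelope()
    fault = ET.SubElement(body, q("soap", "Fault"))
    ET.SubElement(fault, "faultcode").text = "soap:Client"
    ET.SubElement(fault, "faultstring").text = reason
    return ET.tostring(env)


def issuer_issue(rst_xml):
    """Token Issuer: verify the UsernameToken, then return the user's certificate or a SOAP Fault."""
    root = ET.fromstring(rst_xml)
    ut = root.find("soap:Header/wsse:Security/wsse:UsernameToken", NS)
    if ut is None:
        return build_fault("UsernameToken required")
    user = ut.findtext("wsse:Username", default="", namespaces=NS)
    password = ut.findtext("wsse:Password", default="", namespaces=NS)
    expected = ISSUER_USERS.get(user)
    # One message for unknown user and wrong password, so the fault does not reveal which it was.
    if expected is None or not hmac.compare_digest(expected, _pw_hash(password)):
        return build_fault("authentication failed")
    if root.findtext("soap:Body/wst:RequestSecurityToken/wst:TokenType", namespaces=NS) != X509V3:
        return build_fault("unsupported TokenType")
    return build_rstr(ISSUER_CERTS[user])


def client_accept_token(rstr_xml):
    """Client: reject faults and foreign tokens; return the DER bytes of a cert held in the local store."""
    root = ET.fromstring(rstr_xml)
    fault = root.find("soap:Body/soap:Fault", NS)
    if fault is not None:
        raise PermissionError(fault.findtext("faultstring"))
    bst = root.find(".//wst:RequestedSecurityToken/wsse:BinarySecurityToken", NS)
    if bst is None or bst.get("ValueType") != X509V3 or bst.get("EncodingType") != BASE64:
        raise ValueError("response does not carry an X509v3 BinarySecurityToken")
    cert_der = base64.b64decode(bst.text or "", validate=True)
    local = CLIENT_KEY_STORE.get(thumbprint(cert_der))
    if local is None or not hmac.compare_digest(local, cert_der):
        raise LookupError("issued certificate is not in the local key store")
    return cert_der


if __name__ == "__main__":
    cert = client_accept_token(issuer_issue(build_rst("demo", "secret")))
    print("token accepted, thumbprint", thumbprint(cert))
```

The client-side check matters because the demo relies on the returned token matching a key already in local storage: a token the client cannot pair with its own private key is useless for signing the second request, and a token that merely looks well-formed should not be trusted on that basis. The issuer returns a SOAP Fault rather than a bare error so the client handles the failure path through the same parser as the success path.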
| View the source | Action |
|---|---|
| 1. ws_s_5.sql | Set the initial state |
| 2. trust_client.vsp | Run |