Webservice Security


WS-Trust [WS-SecurityPolicy 1.2, SAML 2.0, UT, X.509, SAML, Kerberos profiles]
WS-Trust is the OASIS standard extension to WS-Security that deals with issuing, renewing, validating and cancelling security tokens.
CXF provides an implementation.

WS-Trust Architecture:

  • Requestor
  • Relying Party
  • Security Token
  • Claims (ex: privileges)
  • Policy
  • STS (Issue, Validate, Renew, Cancel)

SAML Architecture:

  • Assertions (format of a SAML Token):
    • AuthN data like tokens
    • AuthZ data like roles/privileges
    • Security attributes like issuer identity, name & address of subject
  • Protocols: describe the request and response messages for operations such as Issue, Renew, etc.
  • Bindings: mapping of the SAML protocols onto network protocols (e.g. SOAP, HTTP)
  • Profiles: particular use case of building a security system based on SAML

WS-Trust is independent of SAML but very similar.


  • Bearer Scenario: the server trusts the token if its signature verifies under the public key of the STS (whoever presents the token is accepted).
  • Holder-of-Key Scenario: in addition to the bearer checks, the server authenticates the client, using X.509 or UT (UsernameToken) credentials, as the holder of the key bound into the token.
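The two scenarios above, as an added example that is not part of the original notes or of CXF: a tiny assertion model in plain Java where the STS signs with its private key, the relying party checks issuer, STS signature and validity window, and for holder-of-key additionally demands a signature over the message under the key named in the assertion. The issuer id `urn:example:sts`, the claims string and the SOAP body bytes are constructed values; a real deployment uses XML-DSig over a SAML assertion rather than this pipe-joined canonical form.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.time.Instant;
import java.util.Base64;

/** Added example: bearer vs. holder-of-key token confirmation (not CXF code). */
public class TokenTrustDemo {

    /** Stand-in for a SAML assertion: the fields a relying party actually checks. */
    record Assertion(String issuer, String subject, String claims,
                     Instant notBefore, Instant notOnOrAfter,
                     String confirmation, PublicKey subjectKey) {
        /** Canonical bytes the STS signs (real SAML uses XML-DSig canonicalisation). */
        byte[] canonical() {
            String keyPart = subjectKey == null ? ""
                    : Base64.getEncoder().encodeToString(subjectKey.getEncoded());
            return String.join("|", issuer, subject, claims, notBefore.toString(),
                    notOnOrAfter.toString(), confirmation, keyPart)
                    .getBytes(StandardCharsets.UTF_8);
        }
    }

    record Token(Assertion assertion, byte[] signature) {}

    static KeyPair newKeyPair() throws GeneralSecurityException {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        return g.generateKeyPair();
    }

    static byte[] sign(PrivateKey key, byte[] data) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(data);
        return s.sign();
    }

    static boolean verify(PublicKey key, byte[] data, byte[] sig) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(key);
        s.update(data);
        return s.verify(sig);
    }

    /** STS "Issue": a null holderKey yields a bearer token, otherwise a holder-of-key token. */
    static Token issue(KeyPair sts, String issuer, String subject, String claims,
                       PublicKey holderKey, long lifetimeSeconds) throws GeneralSecurityException {
        Instant now = Instant.now();
        String confirmation = holderKey == null ? "bearer" : "holder-of-key";
        Assertion a = new Assertion(issuer, subject, claims, now,
                now.plusSeconds(lifetimeSeconds), confirmation, holderKey);
        return new Token(a, sign(sts.getPrivate(), a.canonical()));
    }

    /** Relying-party validation. For holder-of-key, message and proofSignature are required. */
    static String validate(Token t, String trustedIssuer, PublicKey stsPublicKey,
                           byte[] message, byte[] proofSignature) throws GeneralSecurityException {
        Assertion a = t.assertion();
        if (!trustedIssuer.equals(a.issuer()))
            throw new SecurityException("unknown issuer");
        if (!verify(stsPublicKey, a.canonical(), t.signature()))
            throw new SecurityException("STS signature invalid");
        Instant now = Instant.now();
        if (now.isBefore(a.notBefore()) || !now.isBefore(a.notOnOrAfter()))
            throw new SecurityException("token outside its validity window");
        if ("holder-of-key".equals(a.confirmation())) {
            // Proof of possession: the caller must have signed the message with the bound key.
            if (message == null || proofSignature == null)
                throw new SecurityException("proof of possession missing");
            if (!verify(a.subjectKey(), message, proofSignature))
                throw new SecurityException("proof of possession invalid");
        }
        return a.claims();
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPair sts = newKeyPair();
        KeyPair client = newKeyPair();
        String issuer = "urn:example:sts"; // assumed issuer id

        Token bearer = issue(sts, issuer, "alice", "role=admin", null, 300);
        System.out.println("bearer accepted: " + validate(bearer, issuer, sts.getPublic(), null, null));

        byte[] msg = "<soap:Body>constructed</soap:Body>".getBytes(StandardCharsets.UTF_8);
        Token hok = issue(sts, issuer, "alice", "role=admin", client.getPublic(), 300);
        byte[] proof = sign(client.getPrivate(), msg);
        System.out.println("holder-of-key accepted: " + validate(hok, issuer, sts.getPublic(), msg, proof));

        // A captured holder-of-key token is useless to a party without the client's private key.
        KeyPair other = newKeyPair();
        try {
            validate(hok, issuer, sts.getPublic(), msg, sign(other.getPrivate(), msg));
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The last step in `main` is the point of the holder-of-key profile: with a bearer token the signature and validity checks are all the server can do, so possession of the token is sufficient; with holder-of-key the same token is only accepted from a caller who can also prove possession of the bound key.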


STS Architecture:


  • Logical (Type definitions & Port types)
  • Physical (policies, binding)


  • Issue
  • Renew
  • Validate
  • Cancel

Policies: boil down to the following three types of policies

  • Transport Layer Security (TLS):
    • X.509 (during the SSL/TLS handshake)
    • UT token in SOAP header
  • Symmetric Binding:
    • Security is in the SOAP layer (initiator must use a UT token)
  • Asymmetric Binding:
    • Security is in the SOAP layer (initiator must use an X.509 certificate)

3 levels of policies:

  1. Binding Policy -> applies to all operations.
  2. Input Policy -> applies to the request.
  3. Output Policy -> applies to the response.

Example binding policy: symmetric key binding, and clients must include UT credentials to authenticate themselves to the STS.
<wsp:Policy wsu:Id="####">
  <sp:IncludeTimestamp />
  <sp:EncryptSignature />
  <sp:OnlySignEntireHeadersAndBody />
</wsp:Policy>

The TokenIssueOperation is customizable with StaticSTSProperties, pluggable token providers (CXF provides SAML & SCT providers) & a list of services for which tokens may be issued.

STSProperties specifies the following:

  • Issuer: Uniquely identifies the STS (used in validating & recognizing issued tokens)
  • Callback Handler: (implement javax.security.auth.callback.CallbackHandler) to provide passwords
  • Signature Key: Key to sign SAML tokens
  • Encryption Key: Key to Encrypt tokens
  • Realm Settings: ???
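Wiring the TokenIssueOperation described above together with the STSProperties just listed, as an added example that is not taken from the CXF project or from these notes. The class names (`StaticSTSProperties`, `TokenIssueOperation`, `SAMLTokenProvider`, `StaticService`, WSS4J's `WSPasswordCallback`) are CXF's own; the issuer id, the crypto properties file name, the keystore aliases, the password and the endpoint pattern are assumptions, and the password is hard-coded only so the example is self-contained.

```java
import java.io.IOException;
import java.util.List;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.cxf.sts.StaticSTSProperties;
import org.apache.cxf.sts.operation.TokenIssueOperation;
import org.apache.cxf.sts.service.StaticService;
import org.apache.cxf.sts.token.provider.SAMLTokenProvider;
import org.apache.wss4j.common.ext.WSPasswordCallback;

/** Added example: programmatic STS Issue wiring (assumed values, not CXF's own code). */
public class StsIssueWiring {

    /** Supplies the password that unlocks the STS signing key; in production read it from a secret store. */
    public static class SigningKeyCallback implements CallbackHandler {
        private final String alias;
        private final char[] password;

        public SigningKeyCallback(String alias, char[] password) {
            this.alias = alias;
            this.password = password.clone();
        }

        @Override
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (!(cb instanceof WSPasswordCallback)) {
                    throw new UnsupportedCallbackException(cb, "only WSPasswordCallback is handled");
                }
                WSPasswordCallback pc = (WSPasswordCallback) cb;
                // Only answer for the one alias we own; anything else is left unanswered.
                if (alias.equals(pc.getIdentifier())) {
                    pc.setPassword(new String(password));
                }
            }
        }
    }

    public static TokenIssueOperation buildIssueOperation() {
        StaticSTSProperties props = new StaticSTSProperties();
        props.setIssuer("urn:example:sts");                            // assumed: uniquely identifies this STS
        props.setSignatureCryptoProperties("stsKeystore.properties");  // assumed: WSS4J crypto properties file
        props.setSignatureUsername("stssign");                         // assumed: alias of the SAML signing key
        props.setEncryptionCryptoProperties("stsKeystore.properties");
        props.setEncryptionUsername("rp-encrypt");                     // assumed: alias of the relying party cert
        props.setCallbackHandler(new SigningKeyCallback("stssign", "changeit".toCharArray())); // constructed
        props.configureProperties();

        // Tokens are only issued for AppliesTo addresses matching this pattern (assumed value).
        StaticService service = new StaticService();
        service.setEndpoints(List.of("https://rp\\.example\\.test/.*"));

        TokenIssueOperation issue = new TokenIssueOperation();
        issue.setStsProperties(props);
        issue.setTokenProviders(List.of(new SAMLTokenProvider()));
        issue.setServices(List.of(service));
        return issue;
    }
}
```

The signature key and encryption key from the list map onto `setSignatureUsername` / `setEncryptionUsername` (keystore aliases resolved through the crypto properties file), and the callback handler is what hands WSS4J the password for the signature alias at signing time; restricting `StaticService` to a known endpoint pattern is what stops the STS from issuing tokens for arbitrary `AppliesTo` addresses.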



