axis-java-user mailing list archives

From "Ruchith Fernando" <>
Subject Re: SCT
Date Sat, 23 Feb 2008 05:50:47 GMT
Hi Hardev,

Your message exchange sounds fine up to the point where the callback
handler accesses the STS to obtain the symm key. IMHO WS-Trust doesn't
provide a specific way to obtain a key at this point of a standard
WS-Trust exchange.

We have your use case implemented in a slightly different approach:

- Client contacts the STS and obtains a SAML token to talk to a service
- The STS includes a symm key encrypted for the service within the SAML token
- The RSTR (response from the STS to the client) will have that *same*
symm key for the client to extract
- (When using Rampart/Rahas the client uses
org.apache.rahas.client.STSClient which will extract this information
and bundle all of it into a org.apache.rahas.Token instance)
- Now this SAML token (assertion) will be added to the Security header
of the message from client to service and the symm key that is
associated with the SAML token will be used to encrypt/sign the
message as specified by the service policy.
- At the service the SAML assertion in the Security header will be
processed and the symm key will be extracted.
- Processing at the service will use this extracted symm key to
decrypt/verify signature where necessary.

A sample client that does this sort of a message exchange is available
here : [1]

Now ... the SCT usage scenario is usually a WS-SecureConversation scenario
where rampart/rahas supports the application service itself acting as
an STS. In this case, since the service and the STS are the same,
the symm key created is known at the service, and it is not included
in the SecurityContextToken (SCT) itself. Are you sure you want to use
this SCT scenario in the context of WS-SecureConversation, or are you
looking for a pure WS-Trust scenario as I explained above?



On Sat, Feb 23, 2008 at 3:06 AM, Hardev Sian <> wrote:
> Hi Dimuthu,
> I have had a look at that sample but it doesn't provide what I am looking
> for. My use case is that I have acquired a SCT from an STS service. I want
> to now embed that token in the outgoing request which can then be accessed
> by a callback handler. The callback handler can access the STS to get the
> symmetric key for that token and encrypt the outbound data with that.
> Similarly, the callback at the handler can access the same to decrypt; the
> response can be handled in the same manner. I am just not familiar enough
> with how to set the policies to achieve this.
> Any help in doing this is greatly appreciated.
> Thank you,
> Hardev
> Dimuthu Leelarathne <> wrote:
> Hi,
> You can find a SCT sample inside the rampart 1.3 distribution.
> samples/policy/sample04
> Thank you,
> Dimuthu
> On Fri, 2008-02-22 at 16:52 +1100, Hardev Sian wrote:
> >
> >
> > I know that rahas has been integrated into rampart but I was
> > interested in looking at this example :
> >
> >
> > which talks about using an acquired SCT token to secure the web
> > service requests/responses.
> >
> > Can anybody help in locating this or something similar.
> >
> > Thanks,
> >
> > Hardev
> >


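The pure WS-Trust flow Ruchith lays out above (STS issues a SAML token carrying a symm key wrapped for the service, the RSTR carries that same key for the client, the service unwraps it to verify the message) is modelled below as an added, self-contained example; it is not Rampart/Rahas code. The JSON "assertion", HMAC signatures, toy XOR key wrap and the two constructed secrets are stand-ins for SAML, XML Signature, XML Encryption and the real STS/service certificates.

```python
import os, hmac, hashlib, json

# Constructed secrets for this model only (assumptions, not Rampart config): the STS
# signing key stands in for the STS cert, SERVICE_KEK for the service's public key.
STS_SIGNING_KEY = b"sts-signing-key-demo"
SERVICE_KEK = b"service-key-encryption-key-demo"

def _mac(key, data): return hmac.new(key, data, hashlib.sha256).hexdigest()
def _canon(obj): return json.dumps(obj, sort_keys=True).encode()

def _wrap(kek, key):
    # Toy key wrap: XOR with a nonce-derived keystream plus an HMAC integrity tag.
    nonce = os.urandom(16)
    stream = hashlib.sha256(kek + nonce).digest()
    ct = bytes(a ^ b for a, b in zip(key, stream))
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": _mac(kek, nonce + ct)}

def _unwrap(kek, wrapped):
    nonce, ct = bytes.fromhex(wrapped["nonce"]), bytes.fromhex(wrapped["ct"])
    if not hmac.compare_digest(_mac(kek, nonce + ct), wrapped["tag"]):
        raise ValueError("wrapped key tampered")
    stream = hashlib.sha256(kek + nonce).digest()
    return bytes(a ^ b for a, b in zip(ct, stream))

def sts_issue(applies_to):
    # STS: fresh symm key, wrapped for the service inside the signed assertion and
    # returned in clear to the client as the RSTR proof token (same key both places).
    key = os.urandom(32)
    assertion = {"id": "_" + os.urandom(8).hex(), "audience": applies_to,
                 "proof_key": _wrap(SERVICE_KEK, key)}
    assertion["sts_sig"] = _mac(STS_SIGNING_KEY, _canon(assertion))
    return {"RequestedSecurityToken": assertion, "RequestedProofToken": key.hex()}

def client_send(rstr, body):
    # Client (what STSClient + org.apache.rahas.Token do): put the assertion in the
    # Security header and sign the body with the proof key extracted from the RSTR.
    key = bytes.fromhex(rstr["RequestedProofToken"])
    return {"Security": {"Assertion": rstr["RequestedSecurityToken"]},
            "Body": body, "Signature": _mac(key, body.encode())}

def service_receive(msg, applies_to="urn:demo:service"):
    # Service: verify the STS signature and audience, extract the symm key from the
    # assertion, then verify the body signature. Returns the body, or None on failure.
    a = dict(msg["Security"]["Assertion"]); sig = a.pop("sts_sig")
    if not hmac.compare_digest(_mac(STS_SIGNING_KEY, _canon(a)), sig): return None
    if a["audience"] != applies_to: return None
    key = _unwrap(SERVICE_KEK, a["proof_key"])
    if not hmac.compare_digest(_mac(key, msg["Body"].encode()), msg["Signature"]): return None
    return msg["Body"]
```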
