axis-java-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Håkon Sagehaug <Hakon.Sageh...@bccs.uib.no>
Subject Question about rampart samples05, verification of the token issued
Date Tue, 17 Mar 2009 15:40:10 GMT
Hi all,

I've got some question about rampart sample 05, using the sts service.

In the client the sts service is first called then the token is inserted in
the header and sent to the target service, my question is how does the
target service know that this token was issued by the sts service, is this
inside the SAML assertion?

I'm sorry but I can't get my head around this. I would guess that the
digital signature from the request to the target service from the client is
based on the soap body for that request  so this one

<ns1:echo xmlns:ns1="http://sample05.policy.samples.rampart.apache.org">
            <param0>Hello world1</param0>
         </ns1:echo>

And if the target service is validating the SAML assertion and seeing that
the signature info in this is signed by the sts, how would one approach it,
if the target service does not accept a SAML token, or maybe a SMAL 2 token.


Sorry if I did not phrase the question good enough, but hopefully someone
can debug it and answer.

My naive idea is something like this: get token form sts signed, copy it to
the head of the next request to the target service, the target service uses
the public key to verify the signature and extract the token and on the
basis of this performs authrization operation.
Is this correct way of thinking about it?

cheers, Håkon


-- 
Håkon Sagehaug, Scientific Programmer
Parallab, Bergen Center for Computational Science (BCCS)
UNIFOB AS (University of Bergen Research Company)

Mime
View raw message