WS-Trust and WS-secure conversation auto-combined when both are enabled?
In my app, client will have to obtain some authorization from a third party before it can consume the service provided by the server.
Client - server interaction may span over several messages.
As in WSIT, how is that implemented? with WS-Trust and WS-secure conversation, can I say that: client only need to be authorized once by third party (WS-Trust) in order to establish multiple transactions with server(secure conversation)?
[451 byte] By [
caesara] at [2007-11-27 10:21:11]
# 1
Yes. If you configure the service for using secure conversation while using
and issued token from an STS for authentication, then secure conversation and trust work together.
# 2
More precisely, the STS is the third party authority per ws-trust.
The user first auththenticates to STS with its credentials (username/password, x509 certificate, etc). Then the STS issue an token (usually an SAML toekn)
to the user for accessing the service. The the client present the issued token
to the service to establish a security context (session) with the service per ws-secure conversation. This security context is used for securing the application messages.
This process is transparent to the application with WSIT. You just need to do configurations with Netbeans to enable it.
See WSIT tutorial for details:
https://wsit-docs.dev.java.net/releases/m5/SecurityProfiles.html#wp113333
