My previous post, Security Token Configuration in Metro, has exceeded the maximum limits of a post (even after having used the extended entry), and hence when I added some more details yesterday, I saw that the tail end of my post was truncated.
The earliest version of WS-SecurityPolicy, implemented during the early days of Metro/WSIT, did not allow Binding Assertions to be attached to any scope other than the EndPoint scope. The latest versions of the WS-SecurityPolicy specification allow Binding Assertions to be attached to operation scope.
In this post, I would like to describe how to configure the various types of security tokens that Metro supports. There are various aspects to token configuration depending on the type of the token, and the article I wrote long ago is outdated; things have changed for good and I will talk about it here.
One of the design goals of Metro is to be able to run on any Application Server as a WebServices Stack. One project that I know leverages this ability is OpenSSO. The OpenSSO product is supported on several application servers.
With the latest Metro 2.0 bits you can now try signing and encrypting SOAP Messages using the WSS 1.1 Password Derived Keys feature. This is useful in case one does not want to use Certificates, Kerberos tokens, etc.
My colleague Nithya has written about an interesting recent feature addition to GlassFish V3 where you can dynamically add a new Custom Realm (built as an OSGI module) to a running GlassFish server (No Restart Required!!).
If you are using the latest GlassFish V3 builds: Latest V3 Promoted Builds
Although not considered very secure, many users in the past have asked
If you have a WebService configured to use the Mutual Certificates Security mechanism (https://wsit-docs.dev.java.net/releases/m6/WSIT_Security4.html#wp129317) as supported by NetBeans, then when developing a client for the service you would generally be required to configure the client-side keystore alias or provide a callback handler.
Starting with Promoted Build 36 (https://sailfin.dev.java.net/downloads/v1-b36.html) of SailFin, Metro 1.3 users can perform Programmatic Authorization decisions inside their SEI Implementations.
1. What is the API to be used for Programmatic Authorization?
A question that is often asked is: "I am using a WSIT Secure Scenario containing a SAML Assertion. How do I access the SAML Assertion?"
Here is how you can access the SAML Assertion inside your WebService Endpoint Implementation Class. Note the method getSAMLAssertion() in