Tech Life of Recht » Using ActAs with Metro

 Using ActAs with Metro

  • January 5th, 2010
  • 12:18 pm

Yesterday, I wrote about how to implement an STS with Metro. The reason for implementing an STS in the first place is that it enables identity delegation, something you probably want if you need to access a service on behalf of a specific user. The general flow is that the user authenticates, probably using SSO of some kind, and accesses a website. The site invokes a service on behalf of the user, and the service needs to be pretty sure that the user is actually sitting at the other end, even though there is no direct communication between the user and the service. The job of the STS is to be the one party everybody trusts, so that when the STS issues a token which says that the user is valid, the service can trust that this is actually the case.

All of this can be done more or less automatically with Metro (at least when using a nightly build) by using this service policy:

CODE:
<sp:AsymmetricBinding>
  <wsp:Policy>
    <sp:InitiatorToken>
      <wsp:Policy>
        <sp:IssuedToken>
          <sp:IssuerName>urn:localsts</sp:IssuerName>
          <sp:RequestSecurityTokenTemplate>
            <t:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</t:TokenType>
            <t:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey</t:KeyType>
          </sp:RequestSecurityTokenTemplate>
          <wsp:Policy>
            <sp:RequireInternalReference />
          </wsp:Policy>
        </sp:IssuedToken>
      </wsp:Policy>
    </sp:InitiatorToken>
    <sp:RecipientToken>
      <wsp:Policy>
        <sp:X509Token>
          <wsp:Policy>
            <sp:RequireKeyIdentifierReference />
            <sp:WssX509V3Token11 />
          </wsp:Policy>
        </sp:X509Token>
      </wsp:Policy>
    </sp:RecipientToken>
    <sp:ProtectTokens/>
    <sp:IncludeTimestamp/>
    <sp:OnlySignEntireHeadersAndBody />
  </wsp:Policy>
</sp:AsymmetricBinding>

Here, we express that the service requires an issued token of type SAML 2.0. Issued token means that the token has been created by an STS. In this case, we specify that the STS identified by urn:localsts must issue a token of type SAML 2.0. The exact location of the STS needs to be configured in the client.

Unfortunately, WS-SecurityPolicy does not make it possible to express the requirements for the WS-Trust Issue request. When using identity delegation, two sets of credentials should be passed to the STS: The client credentials, for example an X509Token or a UsernameToken, and the user credentials. The client credentials are provided using standard WS-Security mechanisms, and the user credentials are included in the Issue request using the ActAs element.

As shown in the STS example, the STS policy file takes care of the client credentials by specifying the appropriate tokens. The user credentials token cannot, however, be expressed in the policy, so it needs to be agreed upon out of band. This also means that you have to provide it manually to the client.

Luckily, it's pretty easy to add an ActAs token to the client. Normally, the client is generated using wsimport. In this example, the service is called ProviderService:

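CODE:
import com.sun.xml.ws.api.security.trust.client.STSIssuedTokenConfiguration;
import com.sun.xml.ws.security.trust.STSIssuedTokenFeature;
import com.sun.xml.ws.security.trust.impl.client.DefaultSTSIssuedTokenConfiguration;

// Tell the client where the STS is: WS-Trust version, endpoint, WSDL, service, port, namespace
DefaultSTSIssuedTokenConfiguration config = new DefaultSTSIssuedTokenConfiguration();
config.setSTSInfo("http://docs.oasis-open.org/ws-sx/ws-trust/200512",
    "http://localhost:8080/sts/sts",
    "http://localhost:8080/sts/sts?wsdl",
    "SecurityTokenService",
    "ISecurityTokenService_Port",
    "http://tempuri.org/");
// The user's token, sent to the STS in the ActAs element of the Issue request
config.getOtherOptions().put(STSIssuedTokenConfiguration.ACT_AS, createToken());

// Hand the configuration to the wsimport-generated client as a web service feature
STSIssuedTokenFeature feature = new STSIssuedTokenFeature(config);
ProviderService service = new ProviderService();
Provider port = service.getProviderPort(feature);
EchoResponse result = port.echo(new Echo());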

Here, we create a new configuration object, set the endpoint information for the STS, and add an ActAs token. The contents of the ACT_AS attribute should be an instance of com.sun.xml.ws.security.Token, for example a com.sun.xml.wss.saml.Assertion. Normally, you don't generate the token yourself. Instead, you get it as part of the initial authentication response - for example, if you're using SAML 2.0 web SSO, one of the attributes received might be the ActAs token that should be passed to the STS when invoking services.
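The createToken() call above is left undefined in the post. One way to fill it in, as an added example that is not part of the original post or of Metro itself: the class name ActAsTokenFactory and the String parameter are assumptions, as is the premise that the SSO layer hands the assertion over as an XML string. Because that XML originates outside the application, it is parsed with DTDs and entity expansion disabled and checked to be a SAML 2.0 assertion before it is passed on to the STS.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.xml.sax.InputSource;
import com.sun.xml.wss.saml.Assertion;
import com.sun.xml.wss.saml.AssertionUtil;

// Hypothetical helper class (name is an assumption, not from the post).
public final class ActAsTokenFactory {
    private static final String SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion";

    private ActAsTokenFactory() { }

    /**
     * Stands in for the post's createToken(): turns the assertion XML received
     * at SSO login into the object stored under ACT_AS.
     */
    public static Assertion createToken(String assertionXml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Needed for the namespace check below.
        dbf.setNamespaceAware(true);
        // Untrusted input: refuse DOCTYPE declarations and entity expansion (XXE).
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);

        DocumentBuilder builder = dbf.newDocumentBuilder();
        Element root = builder
                .parse(new InputSource(new StringReader(assertionXml)))
                .getDocumentElement();

        // Only forward something that really is a SAML 2.0 <Assertion>.
        if (!SAML2_NS.equals(root.getNamespaceURI())
                || !"Assertion".equals(root.getLocalName())) {
            throw new IllegalArgumentException(
                    "ActAs token is not a SAML 2.0 Assertion: " + root.getNodeName());
        }

        // Let Metro's SAML API wrap the parsed element.
        return AssertionUtil.fromElement(root);
    }
}
```

With this helper, the client line becomes config.getOtherOptions().put(STSIssuedTokenConfiguration.ACT_AS, ActAsTokenFactory.createToken(xml)), where xml is the assertion string taken from the SSO response.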
