Security Token Service and Identity Delegation With Metro
Metro is a high-performance, extensible, easy-to-use web services stack. This paper discusses the basics of WS-Trust and its Security Token Service (STS) framework and shows how to take advantage of Metro's support for WS-Trust and STS to secure a web service. It also shows how identity delegation in STS is used to access a back-end resource in a secure way. WS-Security provides the basic framework for message-level security in web services. The STS is an authority trusted by both the client and the service. A request for a security token is made by sending a Request Security Token (RST) message to the STS. The STS approach works well if a client needs to securely access a service in another domain. The paper also includes various illustrations and examples. The WebServiceFeature class is a JAX-WS class implemented in Metro. The NetBeans IDE provides a set of security profiles that specify the mechanism to be used in securing a conversation. It offers an easy way to enable secure conversations in Metro for a web service. The WS-SecureConversation standard enhances overall security through key derivation and improves performance by avoiding repeated key exchanges in multi-message exchange scenarios. A sample application package includes an application that demonstrates identity delegation using ActAs.