Hi,

I have a Web Service with an STS and a custom token issuer that I have developed, which issues a custom security token to the client after a negotiation. My problem is: how can I make the service accept and check the token? I haven't used Rampart, because I don't want to have any security header in the message from client to service, but just a security token (which the client obtains previously from the STS) sent in the message to the service as a credential to have access to the service.
So I need a way to send the security token in the message from the client (for example using an OperationClient) and a way to check the token at the service side. Perhaps I need to implement a handler in the service that checks the security token? I haven't found anything about how a service checks or validates a security token (for example a SAML token), and now I'm having trouble making my web service accept and validate a custom security token.

I can construct a custom SOAP message, for example, containing the custom security token in the body (for example a simple signature; I haven't decided yet) and at the service side extract the token from the message and check whether it is valid... but how can I do this at the service side?

I can't understand, for example, in a scenario like sample05 of Rampart, where the token sent from the client is checked at the service side. Is there a default handler in the Rampart module? In sample 05, in the client, instructions like *options.setProperty(RampartMessageData.KEY_RAMPART_POLICY, loadPolicy(servicePolicy));* or *options.setProperty(RampartMessageData.KEY_CUSTOM_ISSUED_TOKEN, responseToken.getId());* are used: is it in this way that the message is created so that it is then manipulated at the service side by a default handler?

In sample05, security policies are specified in services.xml for the STS and for the Service. In my case there is a single, simple policy for the service, requiring an issued token, which the client obtains from the STS after a negotiation. So I don't think I can use something similar to sample 05, but I have to custom-code the mechanism at the service side.

I don't know if I have explained my problem and what I need in a clear way. Any idea or suggestion is very appreciated!

Thanks!

Regards,
Filippo Agazzi
Student of University of Parma - Italy