
STS use cases in more detail

A Security Token Service (STS) is defined formally in the OASIS WS-Trust specification. It helps immensely in decoupling the maintenance of authentication and authorization data from the web service clients and providers that need that information. Using an STS eliminates the need for the Web Service Provider (WSP) and the Web Service Client (WSC) to have a direct trust relationship, freeing the WSP from having to maintain UsernameToken passwords or X.509 certificates for every acceptable WSC. Instead, the WSP only needs to trust the STS, and the STS must be able to validate the credentials the WSC presents when it calls the STS.

A client communicates with the STS using the protocol defined in the WS-Trust specification. The SOAP Body of the request contains a RequestSecurityToken element, as follows:

<wst:RequestSecurityToken Context="..." xmlns:wst="...">
   <wst:TokenType>...</wst:TokenType>
   <wst:RequestType>...</wst:RequestType>
   <wst:SecondaryParameters>...</wst:SecondaryParameters>
   ...
</wst:RequestSecurityToken>

The Apache CXF STS implementation supports a wide range of parameters passed in the RequestSecurityToken element. The SOAP Body of the response from the STS contains either a single RequestSecurityTokenResponse element or a RequestSecurityTokenResponseCollection wrapping one or more of them, e.g.:

<wst:RequestSecurityTokenResponseCollection xmlns:wst="...">
   <wst:RequestSecurityTokenResponse>
   ...
   </wst:RequestSecurityTokenResponse>
</wst:RequestSecurityTokenResponseCollection>
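The exchange above, worked through as an added example that is not part of the CXF project: a client builds the Issue RequestSecurityToken, then checks that the RequestSecurityTokenResponse(Collection) it gets back correlates with what it asked for (same Context, the requested TokenType, a token actually present) before trusting it. The wsp.example endpoint and SAMPLE_RSTRC are constructed; the namespace URIs are the real WS-Trust 1.3, SOAP 1.2, WS-Addressing and WS-Policy ones.

```python
import xml.etree.ElementTree as ET

# Namespace URIs from the WS-Trust 1.3, SOAP 1.2, WS-Addressing and WS-Policy specs
WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
SOAP = "http://www.w3.org/2003/05/soap-envelope"
WSA = "http://www.w3.org/2005/08/addressing"
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
SAML2 = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
for prefix, uri in (("s", SOAP), ("wst", WST), ("wsa", WSA), ("wsp", WSP)):
    ET.register_namespace(prefix, uri)

def build_rst(applies_to, token_type=SAML2, context="ctx-1"):
    """SOAP 1.2 envelope whose Body carries a WS-Trust Issue RequestSecurityToken."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    rst = ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Body"),
                        f"{{{WST}}}RequestSecurityToken", Context=context)
    ET.SubElement(rst, f"{{{WST}}}TokenType").text = token_type
    ET.SubElement(rst, f"{{{WST}}}RequestType").text = WST + "/Issue"
    # AppliesTo names the WSP the token is for, so the STS can scope the token to it
    epr = ET.SubElement(ET.SubElement(rst, f"{{{WSP}}}AppliesTo"), f"{{{WSA}}}EndpointReference")
    ET.SubElement(epr, f"{{{WSA}}}Address").text = applies_to
    return ET.tostring(env)

def parse_rstrc(soap_bytes):
    """Collect each RequestSecurityTokenResponse (bare or inside a Collection) in the Body."""
    # Responses from an untrusted network peer should be parsed with defusedxml instead
    body = ET.fromstring(soap_bytes).find(f"{{{SOAP}}}Body")
    return [{"context": r.get("Context"),
             "token_type": r.findtext(f"{{{WST}}}TokenType"),
             "token": r.find(f"{{{WST}}}RequestedSecurityToken/*")}   # issued token element or None
            for r in body.iter(f"{{{WST}}}RequestSecurityTokenResponse")]

def verify_issue_response(rst_bytes, rstrc_bytes):
    """Match the response to the request: same Context, requested TokenType, token present."""
    rst = ET.fromstring(rst_bytes).find(f"{{{SOAP}}}Body/{{{WST}}}RequestSecurityToken")
    want = (rst.get("Context"), rst.findtext(f"{{{WST}}}TokenType"))
    for resp in parse_rstrc(rstrc_bytes):
        if (resp["context"], resp["token_type"]) == want and resp["token"] is not None:
            return resp
    raise ValueError("no RequestSecurityTokenResponse matches the request")

# Constructed sample of what the STS returns for the Issue request above
SAMPLE_RSTRC = f"""<s:Envelope xmlns:s="{SOAP}"><s:Body>
<wst:RequestSecurityTokenResponseCollection xmlns:wst="{WST}">
<wst:RequestSecurityTokenResponse Context="ctx-1"><wst:TokenType>{SAML2}</wst:TokenType>
<wst:RequestedSecurityToken><saml2:Assertion ID="_constructed-1"
 xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"/></wst:RequestedSecurityToken>
</wst:RequestSecurityTokenResponse></wst:RequestSecurityTokenResponseCollection>
</s:Body></s:Envelope>""".encode()
```

The returned "token" element is what the WSC then places in the WS-Security header of its call to the WSP; a response whose Context or TokenType does not match the request is rejected rather than used.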
