Security Token Services are defined formally within the OASIS WS-Trust specification. They help immensely in decoupling authentication and authorization maintenance from the web service clients and providers that need that information. Using the STS eliminates the need for the Web Service Provider (WSP) and Web Service Clients (WSC) to have a direct trust relationship, freeing WSPs from having to maintain the UsernameToken passwords or X.509 certificates of every acceptable WSC. Instead, the WSP only needs to trust the STS, and the STS only needs to be able to validate the credentials the WSC presents when it calls the STS.
A client can communicate with the STS via a protocol defined in the WS-Trust specification. The SOAP Body of the request contains a "RequestSecurityToken" element as follows:
    <wst:RequestSecurityToken Context="..." xmlns:wst="...">
        <wst:TokenType>...</wst:TokenType>
        <wst:RequestType>...</wst:RequestType>
        <wst:SecondaryParameters>...</wst:SecondaryParameters>
        ...
    </wst:RequestSecurityToken>
The Apache CXF STS implementation supports a wide range of parameters that are passed in the RequestSecurityToken element. The SOAP Body of the response from the STS will contain a "RequestSecurityTokenResponse(Collection)" element, e.g.:
    <wst:RequestSecurityTokenResponseCollection xmlns:wst="...">
        <wst:RequestSecurityTokenResponse>
            ...
        </wst:RequestSecurityTokenResponse>
    </wst:RequestSecurityTokenResponseCollection>
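As an added example (not Apache CXF's own code), the following Python shows the client side of the exchange described above: it builds a WS-Trust 1.3 RequestSecurityToken for an Issue request and then parses a RequestSecurityTokenResponseCollection, refusing the result unless the echoed Context and TokenType match what was requested and the Lifetime covers the current time. The Context value, the AppliesTo address and the entire STS response (including its unsigned placeholder SAML assertion) are constructed for the example, so the signature validation a real WSP performs on the issued token is not part of it.

```python
"""Added example: build a WS-Trust 1.3 RST and validate the RSTRC an STS returns.
The STS response below is constructed; it is not real Apache CXF output."""
from datetime import datetime
import xml.etree.ElementTree as ET

# Namespace URIs from the WS-Trust 1.3, WS-Policy, WS-Addressing, WSS-Utility and SOAP 1.2 specs.
WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
WSA = "http://www.w3.org/2005/08/addressing"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
SOAP = "http://www.w3.org/2003/05/soap-envelope"
SAML2_ASSERTION = "urn:oasis:names:tc:SAML:2.0:assertion"

# Identifier values defined by the specs: the Issue request type and the SAML 2.0 token type.
ISSUE = WST + "/Issue"
SAML2_TOKEN = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"

for prefix, uri in (("wst", WST), ("wsp", WSP), ("wsa", WSA), ("wsu", WSU), ("soap", SOAP)):
    ET.register_namespace(prefix, uri)


def build_issue_request(context, applies_to, token_type=SAML2_TOKEN):
    """Build the SOAP envelope a WSC sends to the STS to have a token issued."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    ET.SubElement(env, f"{{{SOAP}}}Header")
    body = ET.SubElement(env, f"{{{SOAP}}}Body")
    rst = ET.SubElement(body, f"{{{WST}}}RequestSecurityToken", Context=context)
    ET.SubElement(rst, f"{{{WST}}}TokenType").text = token_type
    ET.SubElement(rst, f"{{{WST}}}RequestType").text = ISSUE
    # AppliesTo names the WSP the token is for, so the STS can scope the token to that service.
    applies = ET.SubElement(rst, f"{{{WSP}}}AppliesTo")
    epr = ET.SubElement(applies, f"{{{WSA}}}EndpointReference")
    ET.SubElement(epr, f"{{{WSA}}}Address").text = applies_to
    return ET.tostring(env, encoding="utf-8")


def _ts(text):
    """Parse a wsu timestamp such as 2024-01-01T00:30:00Z into an aware datetime."""
    return datetime.fromisoformat(text.strip().replace("Z", "+00:00"))


def parse_rstr_collection(soap_bytes, expected_context, expected_type, now_iso):
    """Validate an RSTRC against the request it answers; raise ValueError on any mismatch."""
    now = _ts(now_iso)
    root = ET.fromstring(soap_bytes)
    body = root.find(f"{{{SOAP}}}Body")
    coll = body.find(f"{{{WST}}}RequestSecurityTokenResponseCollection") if body is not None else None
    if coll is None:
        raise ValueError("no RequestSecurityTokenResponseCollection in SOAP Body")
    results = []
    for rstr in coll.findall(f"{{{WST}}}RequestSecurityTokenResponse"):
        # The STS echoes the request Context; a mismatch means this is not the answer we asked for.
        if rstr.get("Context") != expected_context:
            raise ValueError("RSTR Context does not match the request")
        token_type = rstr.findtext(f"{{{WST}}}TokenType")
        if token_type != expected_type:
            raise ValueError(f"unexpected TokenType {token_type!r}")
        requested = rstr.find(f"{{{WST}}}RequestedSecurityToken")
        if requested is None or len(requested) == 0:
            raise ValueError("RSTR carries no RequestedSecurityToken")
        lifetime = rstr.find(f"{{{WST}}}Lifetime")
        if lifetime is None:
            raise ValueError("RSTR carries no Lifetime")
        created = _ts(lifetime.findtext(f"{{{WSU}}}Created"))
        expires = _ts(lifetime.findtext(f"{{{WSU}}}Expires"))
        if not created <= now < expires:  # no clock-skew allowance in this example
            raise ValueError("token is not valid at the current time")
        results.append({"context": expected_context, "token_type": token_type,
                        "token_tag": requested[0].tag, "expires": expires.isoformat()})
    return results


# Constructed STS response: one RSTR carrying a placeholder, unsigned SAML 2.0 assertion.
SAMPLE_RSTRC = b"""<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
  <soap:Body>
    <wst:RequestSecurityTokenResponseCollection
        xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <wst:RequestSecurityTokenResponse Context="req-0001">
        <wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</wst:TokenType>
        <wst:RequestedSecurityToken>
          <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
              ID="_placeholder-assertion-id" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
            <saml2:Issuer>STS-PLACEHOLDER</saml2:Issuer>
          </saml2:Assertion>
        </wst:RequestedSecurityToken>
        <wst:Lifetime>
          <wsu:Created>2024-01-01T00:00:00Z</wsu:Created>
          <wsu:Expires>2024-01-01T00:30:00Z</wsu:Expires>
        </wst:Lifetime>
      </wst:RequestSecurityTokenResponse>
    </wst:RequestSecurityTokenResponseCollection>
  </soap:Body>
</soap:Envelope>"""


def demo_exchange(now_iso):
    """Run the WSC side: build the RST, then validate the constructed RSTRC as if it were the reply."""
    context = "req-0001"  # constructed request identifier; the STS must echo it back
    build_issue_request(context, "https://wsp.example/service")  # constructed WSP address
    return parse_rstr_collection(SAMPLE_RSTRC, context, SAML2_TOKEN, now_iso)


if __name__ == "__main__":
    print(build_issue_request("req-0001", "https://wsp.example/service").decode())
    print(demo_exchange("2024-01-01T00:10:00Z"))
```

The Context and TokenType checks are cheap but matter: they tie the response to the request that produced it and stop a client from forwarding a token of a type its WSP does not expect. Accepting the token itself still requires the WSP to verify the STS signature on the assertion, which this example leaves out.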