The main dependencies and interactions of the Security Token Service and security agents in a web services security scenario are with the interfaces of the OpenSSO Enterprise Client SDK. This includes the following:
Security agents bootstrap the Security Token Service or the Liberty Alliance Project Discovery Service using the Client SDK.
The OpenSSO Enterprise Discovery Service can be leveraged with the Client SDK so consumers can continue to use its end point for web services security token utilities, resource offerings and WSP end points. A configuration on the client side chooses either the WS-Trust or the Liberty Alliance Project protocol for web services security token management.
The Client SDK implements XML signing and XML encryption for SOAP requests and responses.
The Client SDK generates the proprietary SSOToken based on security token credentials provided to the WSP. It also sets the SSOToken into the container Subject for further authorization processing.
The Client SDK implements caching for the security tokens generated by the Security Token Service or the Liberty Alliance Project Discovery Service. This improves performance when requesting security tokens.
The Client SDK implements complete processing (including token insertion, extraction and validation) of SOAP requests and responses.
The Web Services Security framework and the Security Token Service include the following Java packages as part of the Client SDK:
com.sun.identity.wss.provider provides administrative interfaces for configuration of the WSC and WSP with their respective security mechanisms and Security Token Service configuration. They are called by the security agent during run time, and also by applications that would like to secure messages. On the WSC side, they are called to secure the web service request and to validate any response from the WSP. Similarly, there are interfaces for this functionality on the WSP side. When a WSC is configured to communicate with the Security Token Service, security mechanisms and security tokens would be obtained from it. When a WSP is configured to communicate with the Security Token Service, its resource offering would be published at the Security Token Service.
A WSC and a WSP can be associated with more than one Security Token Service.
com.sun.identity.wss.security provides classes that create, manage and represent security tokens and handle their processing. Its SPI allows new security token implementations to be plugged into the Security Token Service.
com.sun.identity.wss.sts contains classes for obtaining security tokens from the Security Token Service end point and for converting an end user token from one format to another (for instance, converting to the OpenSSO Enterprise proprietary SSOToken in order to validate it against the Authentication Service and Policy Service). It also contains SPIs for issuing different security tokens, and for plugging in an attribute provider and an authorization provider.