Configuring A Secure Token Service (STS)
A Secure Token Service (STS) is a Web service that issues security tokens. That is, it makes assertions based on evidence that it trusts, to whoever trusts it (or to specific recipients). To communicate trust, a service requires proof, such as a signature, to prove knowledge of a security token or set of security tokens. A service itself can generate tokens or it can rely on a separate STS to issue a security token with its own trust statement (note that for some security token formats this can just be a re-issuance or co-signature). This forms the basis of trust brokering.
You can specify the STS in one of these ways.
- On the service side, specify the endpoint of the Issuer element and/or specify the Metadata Exchange (Mex) address of the STS. The steps for doing this are discussed below.
- On the client side, specify the information for a preconfigured STS. This is mainly used for a local STS that is in the same domain as the client. Configuring the STS for the client is described in Configuring Secure Token Service Options. Creating a third-party STS is described in Creating an STS.
Creating an STS
Use the STS wizard to create an STS from WSIT. The STS wizard creates an empty implementation provider class from a WSDL file. Web services are reusable software components that semantically encapsulate discrete functionality. Web services are accessible over standard protocols such as SOAP. The web services created by this template are deployed and run according to the JSR-109 and J2EE 1.4 standards.
When using the STS wizard, provide the name of the STS implementation class. This class must extend com.sun.xml.ws.security.trust.sts.BaseSTSImpl. After completing the steps of the wizard, your application will contain a new service that is an STS and includes a provider implementation class, the STS WSDL, and a WSIT configuration file with a predefined set of policies. To use the STS wizard to create an STS, follow these steps:
- Create a new project for the STS by selecting File > New Project.
- Select Web, then Web Application, then Next.
- Enter a Project Name. Click Finish.
- Right-click the STS Project node, select New, then click File/Folder at the top.
- Select Web Service from the Categories list.
- Select Secure Token Service (STS) from the File Type(s) list.
- Click Next.
- Enter a name for the Web Service Class Name.
- Enter or select a name for the Package list.
- Click Finish.
The IDE takes a while to create the STS. When created, it displays under the project's Web Services node as SecurityTokenService, and the Java file displays in the right pane.
- The STS wizard creates an empty implementation of the provider class. Implement the provider implementation class. An example of this can be found in Creating and Securing the STS (STS).
- Back in the Projects window, right-click the STS project folder, and select Edit Web Service Attributes to configure the STS.
- Select Secure Service.
- Select a Security Mechanism (but not one of the STS mechanisms). The example application uses Username Authentication with Symmetric Keys.
- Select the Configure button. For the Algorithm Suite option, specify a value that matches the value of the web service. Select OK to close the configuration dialog. Note: If you use 256-bit encryption, you may need to download and configure unlimited strength encryption as described at http://java.sun.com/products/jce/javase.html.
- Select Act as Secure Token Service (STS). The default values will create a valid STS. Optionally, you can change the following configuration options:
- Issuer--Specify an identifier for the issuer of the issued token. This value can be any string that uniquely identifies the STS, for example, MySTS.
- Contract Implementation Class--Specify the actual implementation class for the WSTrustContract interface that will handle token issuance, validation, etc. The default value is com.sun.xml.ws.trust.impl.IssueSamlTokenContractImpl for issuing SAML assertions, or click Browse to browse to another contract implementation class.
- Life Time of Issued Tokens--The life span of the token issued by the STS. The default value is 300,000 ms.
- Encrypt Issued Key--Select this option if the issued key should be encrypted using the service certificate. Default is true.
- Encrypt Issued Token--Select this option if the issued token should be encrypted using the service certificate. Default is false.
- Optionally, to add one or more Service Providers that have a trust relationship with the STS, click the Add button and specify the following configuration options:
- Provider Endpoint URI--The endpoint URI of the service provider.
- Certificate Alias--The alias of the certificate of the service provider in the keystore.
- Token Type--The type of token the service provider requires, for example, urn:oasis:names:tc:SAML1.0:assertion.
- Key Type--The type of key the service provider requires. The choices are public key or symmetric key. Symmetric key cryptography relies on a shared secret and is usually faster than public key cryptography. Public key cryptography relies on a key that is made public to all and is primarily used for encryption but can be used for verifying signatures.
- Click OK to close the Select STS Service Provider dialog.
- Click OK to close the STS Configuration dialog.
- Click the Keystore button to configure the keystore. If you are using the updated GlassFish stores, these are the settings:
- Location--Defaults to the location and name of the keystore, <GLASSFISH_HOME>/domains/domain1/config/keystore.jks.
- Store Password--Enter changeit, or the password that you have configured for your truststore.
- Load Aliases--Click the Load Aliases button.
- Alias--Select wssip.
- Click OK to close the dialog.
- Right-click the STS Project, select Properties. Select the Run category, and enter the following in the Relative URL field: /SecurityTokenService?wsdl.
- Run the Project (right-click the Project and select Run Project).
- To view the STS WSDL, append SecurityTokenService to the URL of the deployed application in the browser. For the example application (Example: STS Issued Token (STS)), you would view the STS WSDL by browsing to http://localhost:8080//MySTSProject/SecurityTokenService?wsdl.
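As an added example, not code from the original page or from the WSIT project, the following shows the shape of the provider implementation class that the wizard generates and that the step "Implement the provider implementation class" asks you to complete. The class name MySTS, the package, and the portName, targetNamespace and wsdlLocation values are assumed and must match the WSDL the wizard created for your project.

```java
package com.example.sts; // assumed package name

import com.sun.xml.ws.security.trust.sts.BaseSTSImpl;
import javax.annotation.Resource;
import javax.xml.transform.Source;
import javax.xml.ws.Provider;
import javax.xml.ws.Service;
import javax.xml.ws.ServiceMode;
import javax.xml.ws.WebServiceContext;
import javax.xml.ws.WebServiceProvider;
import javax.xml.ws.handler.MessageContext;

// The STS is a JAX-WS Provider<Source> running in PAYLOAD mode: it receives
// the WS-Trust RequestSecurityToken (RST) body and returns the
// RequestSecurityTokenResponse (RSTR) carrying the issued token.
@ServiceMode(value = Service.Mode.PAYLOAD)
@WebServiceProvider(
        serviceName = "SecurityTokenService",        // service name shown under Web Services
        portName = "ISecurityTokenService_Port",     // assumed; must match the generated WSDL
        targetNamespace = "http://tempuri.org/",     // assumed; must match the generated WSDL
        wsdlLocation = "WEB-INF/wsdl/MySTS.wsdl")    // assumed; the WSDL the wizard wrote
public class MySTS extends BaseSTSImpl implements Provider<Source> {

    // Injected by the container. BaseSTSImpl uses the request's MessageContext
    // to locate the STS configuration attached to this endpoint (issuer,
    // contract implementation class, token lifetime, trusted service providers).
    @Resource
    private WebServiceContext context;

    // BaseSTSImpl.invoke hands the RST to the configured WSTrustContract
    // (IssueSamlTokenContractImpl by default) and builds the RSTR, encrypting
    // the issued key and/or token according to the STS configuration.
    @Override
    public Source invoke(Source rstElement) {
        return super.invoke(rstElement);
    }

    // BaseSTSImpl requires the subclass to supply the current MessageContext.
    @Override
    protected MessageContext getMessageContext() {
        return context.getMessageContext();
    }
}
```

Deploy the class with the wizard's WSDL and WSIT configuration file in place; the wsdlLocation must point at the WSDL inside the WAR or the endpoint will fail to publish.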