The WSIT Tutorial

ProcedureTo Create a Third-Party STS

Use the STS wizard to create an STS from a WSDL file. When using the STS wizard, provide the name of the STS implementation class. This class must extend After completing the steps of the wizard, your application will contain a new service that is an STS and includes a provider implementation class, STS WSDL, and a WSIT configuration file with a predefined set of policies.

To use the STS wizard to create an STS, follow these steps.

  1. Create a new project for the STS by selecting File->New Project.

  2. Select Web, then Web Application, then Next.

  3. Type a Project Name. Click Finish.

  4. Right-click the STS Project node, select New, then click File/Folder at the top.

  5. Select Web Service from the Categories list.

  6. Select Secure Token Service (STS) from the File Type(s) list.

  7. Click Next.

  8. Type a name for the Web Service Class Name.

  9. Type or select a name for the Package list.

  10. Click Finish.

    The IDE takes a while to create the STS. When created, it appears under the project’s Web Services node as your_STSService, and the Java file appears in the right pane.

  11. The STS wizard creates an empty implementation of the provider class. Implement the provider implementation class.

    An example of this can be found in To Create and Secure the STS (STS).

  12. Back in the Projects window, right-click the STS project folder, and select Edit Web Service Attributes to configure the STS.

  13. Select Secure Service.

  14. Select a Security Mechanism (but not one of the STS mechanisms). The example application uses Username Authentication with Symmetric Keys.

  15. Select the Configure button. For the Algorithm Suite option, specify a value that matches the value of the web service. Set the Key Size to 128 if you have not configured Unlimited Strength Encryption. Select OK to close the configuration dialog.

    Note –

    Some of the algorithm suite settings require that Unlimited Strength Encryption be configured in the Java Runtime Environment (JRE), particularly the algorithm suites that use 256 bit encryption. Instructions for downloading and configuring unlimited strength encryption can be found at the following URLS:

  16. Select Act as Secure Token Service (STS).

    The default values will create a valid STS.

    Optionally, you can change the following configuration options:

    • Issuer: Specify an identifier for the issuer for the issued token. This value can be any string that uniquely identifies the STS, for example, MySTS.

    • Contract Implementation Class: Specify the actual implementation class for the WSTrustContract interface that will handle token issuance, validation, and the like. Default value is for issuing SAML assertions, or click Browse to browse to another contract implementation class.

    • Life Time of Issued Tokens: The life span of the token issued by the STS. Default value is 300,000 ms.

    • Encrypt Issued Key: Select this option if the issued key should be encrypted using the service certificate. Default is true.

    • Encrypt Issued Token: Select this option if the issued token should be encrypted using the service certificate. Default is false.

  17. Optionally, to add one or more Service Providers that have a trust relationship with the STS, click the Add button and specify the following configuration options:

    • Provider Endpoint URI: The endpoint URI of the service provider.

    • Certificate Alias: The alias of the certificate of the service provider in the keystore.

    • Token Type: The type of token the service provider requires, for example, urn:oasis:names:tc:SAML1.0:assertion.

    • Key Type: The type of key the service provider requires. The choices are public key or symmetric key. Symmetric key cryptography relies on a shared secret and is usually faster than public key cryptography. Public key cryptography relies on a key that is made public to all and is primarily used for encryption but can be used for verifying signatures.

  18. Click OK to close the Select STS Service Provider dialog.

  19. Click OK to close the STS Configuration dialog.

  20. Click the Keystore button to configure the keystore.

    If you are using the updated GlassFish stores, these are the settings:

    • Location: Defaults to the location and name of the keystore,as-install/domains/domain1/config/keystore.jks.

    • Store Password: Type or accept changeit.

    • Load Aliases: Click the Load Aliases button.

    • Alias: Select wssip.

    Click OK to close the dialog.

  21. Right-click the STS Project and select Properties. Select the Run category, and type the following in the Relative URL field: /your_STSService?wsdl.

  22. Run the Project (right-click the Project and select Run Project).

  23. To view the STS WSDL, append your_STSService to the URL of the deployed application in the browser.

    For the example application (Example: STS Issued Token (STS)), you would view the STS WSDL by browsing to http://localhost:8080//MySTSProject/MySTSService?wsdl.