ActAs
The ActAs capability allows an initiator to request a security token that allows it to act as if it were somebody else. This capability becomes important in composite services where intermediate services make additional requests on behalf of the true initiator. In this scenario, the relying party (the final destination of an indirect service request) may require information about the true origin of the request. The ActAs capability allows an intermediary to request a token that can convey this information.
The content of the ActAs element to be sent in the STS RequestSecurityToken call can be set in one of two ways:
- By specifying a value for the JAX-WS property SecurityConstants.STS_TOKEN_ACT_AS ("ws-security.sts.token.act-as")
- By specifying a value for the STSClient.actAs property.
For either case, the value can be one of the following:
- A String
- A DOM Element
- A CallbackHandler object to use to obtain the token
For example, the following code fragment demonstrates how to use an interceptor to dynamically set the content of the ActAs element in the STS RST. Note that this interceptor is applied to the secured client, the initiator, and not to the STSClient's interceptor chain.
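    import org.apache.cxf.interceptor.Fault;
    import org.apache.cxf.message.Message;
    import org.apache.cxf.phase.AbstractPhaseInterceptor;
    import org.apache.cxf.phase.Phase;
    import org.apache.cxf.ws.security.SecurityConstants;

    public class ActAsOutInterceptor extends AbstractPhaseInterceptor<Message> {

        ActAsOutInterceptor() {
            // This can be in any phase before the WS-SP interceptors
            // set up the STS client and issued token interceptor.
            super(Phase.SETUP);
        }

        @Override
        public void handleMessage(Message message) throws Fault {
            // The value may be a String, a DOM Element or a CallbackHandler.
            message.put(SecurityConstants.STS_TOKEN_ACT_AS, ...);
        }
    }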
Alternatively, the ActAs content may be set directly on the STSClient bean through its actAs property, as shown below.
    <bean name="{http://cxf.apache.org/}TestEndpoint.sts-client"
          class="org.apache.cxf.ws.security.trust.STSClient" abstract="true">
        <property name="wsdlLocation" value="WSDL/wsdl/trust.wsdl"/>
        <property name="serviceName" value=
            "{http://cxf.apache.org/securitytokenservice}SecurityTokenService"/>
        <property name="endpointName" value=
            "{http://cxf.apache.org/securitytokenservice}SecurityTokenEndpoint"/>
        <property name="actAs" value="..."/>
        <property name="properties">
            <map>
                ...
            </map>
        </property>
    </bean>
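The third value type listed above, a CallbackHandler, can supply the ActAs token at request time. The following is an added example, not code from the original page or from the CXF project: it builds a password-less wsse:UsernameToken for the principal the intermediary has already authenticated. It assumes CXF hands the handler a DelegationCallback (org.apache.cxf.ws.security.trust.delegation); the class name PrincipalActAsCallbackHandler and the choice of a UsernameToken as the ActAs content are illustrative assumptions.

```java
import java.io.IOException;
import java.security.Principal;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.apache.cxf.ws.security.trust.delegation.DelegationCallback;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

// Hypothetical handler (added example): supplies the ActAs token for one caller.
public class PrincipalActAsCallbackHandler implements CallbackHandler {
    private static final String WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/"
        + "oasis-200401-wss-wssecurity-secext-1.0.xsd";
    private final String callerName;

    // Pass the principal the intermediary itself authenticated, never a name
    // copied from a request parameter or header.
    public PrincipalActAsCallbackHandler(Principal authenticatedCaller) {
        if (authenticatedCaller == null || authenticatedCaller.getName() == null
                || authenticatedCaller.getName().isEmpty()) {
            throw new IllegalArgumentException("ActAs requires an authenticated caller");
        }
        this.callerName = authenticatedCaller.getName();
    }

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback callback : callbacks) {
            if (!(callback instanceof DelegationCallback)) {
                throw new UnsupportedCallbackException(callback);
            }
            ((DelegationCallback) callback).setToken(buildUsernameToken());
        }
    }

    // Build the element with the DOM API so the name is escaped as text, not spliced into markup.
    private Element buildUsernameToken() throws IOException {
        try {
            DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
            factory.setNamespaceAware(true);
            Document doc = factory.newDocumentBuilder().newDocument();
            Element token = doc.createElementNS(WSSE_NS, "wsse:UsernameToken");
            Element username = doc.createElementNS(WSSE_NS, "wsse:Username");
            username.setTextContent(callerName);
            token.appendChild(username);
            return token;
        } catch (ParserConfigurationException e) {
            throw new IOException("Cannot build ActAs token", e);
        }
    }
}
```

An instance of this handler is the value stored under SecurityConstants.STS_TOKEN_ACT_AS or assigned to the STSClient.actAs property.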