WS-Security unveiled


One of the more complex examples that ship with WLS is a WS-Trust based authentication of a web service using SAML assertions. This example is quite easy to set up and run, and the example's documentation gives a basic understanding of what is going on. But we want to look deeper and shed light on the complexity that is hidden behind SSL, WS-Trust and SAML authentication. As a first step we separate the scenario from the example server and integrate it into Eclipse, to create an isolated laboratory environment for further investigation. We then use Wireshark to analyze the actual flow of messages on the wire. We even look inside the SSL streams to identify the WS-Trust tokens and SAML assertions as they are passed between the participants.

The WS-Trust specification, which is part of the WS-* stack of specifications for web services, was approved as an OASIS standard in March 2007. It has since become generally accepted as an industry standard for implementing secure, trusted, and federated message exchange between service providers and consumers, so now is a good time to have a closer look at this technology. Despite the complexity of the topic, it is fairly easy to set up running examples of WS-Trust based Java implementations using the examples that ship with WebLogic Server. We want to have a closer look at one of these examples: "Using SAML 1.1 Bearer Assertion for Authentication Case".

Read the full article as PDF: WS-Security_unveiled.pdf (1.6 MB)

Links to files used in the project: