Oracle Web Services Security 10-9
10.2.4.4 Creating a Reference STR for Kerberos Token
WSSecurity ws = ...
// use the appropriate value type
String valueType = WSSURI.vt_GSSKerberosv5;
WSSecurityTokenReference str = ws.createSTR_KerberosKeyRef("MyToken");
10.2.4.5 Creating a Reference STR for a SAML Assertion token
WSSecurity ws = ...
WSSecurityTokenReference str = ws.createSTR_SAML_Assertion_Ref20("MySAMLAssertion");
10.2.4.6 Creating a Reference STR for an EncryptedKey
WSSecurity ws = ...
WSSecurityTokenReference str = ws.createSTR_EncKeyRef("MyEncKey");
10.2.4.7 Creating a Reference STR for a generic token
Instead of using the createSTR methods you can also create the reference directly with the appropriate valueType and tokenType:
WSSecurity ws = ...
String uri = "MyToken";
WSSReference ref = new WSSReference(doc, uri);
ref.setValueType(valueType);   // set an optional valueType
WSSecurityTokenReference str = new WSSecurityTokenReference(doc);
str.setTokenType(tokenType);   // set an optional tokenType
str.appendChild(ref);
10.2.4.8 Creating a Key Identifier STR
A KeyIdentifier is another way to refer to a security token; it uses some intrinsic property of the token, for example the AssertionID of a SAML token or the
Subject Key Identifier of an X509 token.
KeyIdentifiers are often used when the token itself is not present in the document. For example, an incoming message can be encrypted with an X509 certificate, but instead of
carrying that certificate in the message, it can carry only a hint to it, in the form of a SubjectKeyIdentifier.
10.2.4.9 Creating a KeyIdentifier STR for an X509 Token
There are three different ways to identify an X509 Token:
1. Issuer Serial: A combination of the Issuer DN and the serial number of the certificate
2. Subject Key Identifier: The Subject Key Identifier of the certificate
3. Thumbprint SHA1: SHA1 of the certificate
10-10 Oracle Fusion Middleware Reference for Oracle Security Developer Tools
X509Certificate cert = ...
WSSecurity ws = ...
WSSecurityTokenReference str = ws.createSTR_X509_IssuerSerial(cert);
// alternatively use ws.createSTR_X509_SKI(cert)
// or ws.createSTR_X509_ThumbprintSHA1(cert)
10.2.4.10 Creating a KeyIdentifier STR for a Kerberos Token
Kerberos tokens can be identified by the SHA1 of the AP_REQ packet or of the GSS wrapped AP_REQ packet.
byte ap_req[] = ...
WSSecurity ws = ...
String valueType = WSSURI.vt_GSSKerberosv5;
WSSecurityTokenReference str = ws.createSTR_KerberosKeyIdSHA1(ap_req, valueType);
10.2.4.11 Creating a KeyIdentifier STR for a SAML Assertion Token
SAML assertions can be identified by the Assertion ID. For local SAML 1.1 assertions use:
WSSecurity.createSTR_SAML_AssertionIdv11(byte assertionId[])
For remote SAML 1.1 assertions use:
createSTR_SAML_AssertionIdv11(byte assertionId[], AuthorityBinding authorityBinding)
For local SAML 2.0 assertions use:
createSTR_SAML_AssertionIdv20(byte assertionId[])
For remote SAML 2.0 assertions use a reference URI:
createSTR_SAML_Assertion_Ref20("MySAMLAssertion")
10.2.4.12 Creating a KeyIdentifier STR for an EncryptedKey
Remote encrypted keys can be identified by their SHA1 hash. Use this function to create the KeyIdentifier:
createSTR_EncKeySHA1(byte sha1[])
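The KeyIdentifier sections above (10.2.4.8 through 10.2.4.12) describe the sender's side: the STR carries a hash or ID instead of the token. The added example below, which is not code from the Oracle Security Developer Tools and does not use its API, models the same WS-Security constructs generically in Python: it builds KeyIdentifier STRs with the OASIS ValueType URIs for ThumbprintSHA1, EncryptedKeySHA1, Kerberos AP_REQ SHA1 and SAML assertion IDs, and shows how a receiver dereferences such an STR against tokens it holds locally when the token is absent from the message. The certificate, encrypted-key and AP_REQ bytes are constructed stand-ins, not real DER or Kerberos data; the SKI form is left out because matching it needs the certificate's SubjectKeyIdentifier extension parsed out.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Namespaces and ValueType URIs from the OASIS WS-Security 1.0/1.1 token profiles
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSS10 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0"
WSS11 = "http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1"
ENC_BASE64 = WSS10 + "#Base64Binary"
VT_THUMBPRINT_SHA1 = WSS11 + "#ThumbprintSHA1"
VT_ENCKEY_SHA1 = WSS11 + "#EncryptedKeySHA1"
VT_KERB_APREQ_SHA1 = "http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1"
VT_SAML11_ID = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID"
VT_SAML20_ID = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID"
ET.register_namespace("wsse", WSSE)


def key_identifier_str(value_type, identifier, base64_encode=True):
    """Build <wsse:SecurityTokenReference><wsse:KeyIdentifier ValueType=...>.
    Hash identifiers are base64 encoded; SAML assertion IDs travel as plain text."""
    str_el = ET.Element(f"{{{WSSE}}}SecurityTokenReference")
    attrs = {"ValueType": value_type}
    if base64_encode:
        attrs["EncodingType"] = ENC_BASE64
    kid = ET.SubElement(str_el, f"{{{WSSE}}}KeyIdentifier", attrs)
    kid.text = base64.b64encode(identifier).decode("ascii") if base64_encode else identifier.decode("utf-8")
    return str_el


def x509_thumbprint_sha1_str(cert_der):
    return key_identifier_str(VT_THUMBPRINT_SHA1, hashlib.sha1(cert_der).digest())


def encrypted_key_sha1_str(encrypted_key):
    # WSS 1.1 EncryptedKeySHA1: SHA1 over the raw encrypted key (CipherValue) bytes
    return key_identifier_str(VT_ENCKEY_SHA1, hashlib.sha1(encrypted_key).digest())


def kerberos_apreq_sha1_str(ap_req):
    return key_identifier_str(VT_KERB_APREQ_SHA1, hashlib.sha1(ap_req).digest())


def saml_assertion_id_str(assertion_id, saml20=False):
    return key_identifier_str(VT_SAML20_ID if saml20 else VT_SAML11_ID,
                              assertion_id.encode("utf-8"), base64_encode=False)


def index_local_tokens(certs=(), encrypted_keys=(), ap_reqs=(), assertions=()):
    """Receiver-side index: ValueType -> {identifier bytes: token}. `assertions`
    is an iterable of (assertion_id, assertion) pairs. Built once from the tokens
    the receiver already holds, so an incoming KeyIdentifier is a lookup, never a
    reason to trust token material that arrived in the same message."""
    index = {vt: {} for vt in (VT_THUMBPRINT_SHA1, VT_ENCKEY_SHA1, VT_KERB_APREQ_SHA1,
                                VT_SAML11_ID, VT_SAML20_ID)}
    for cert in certs:
        index[VT_THUMBPRINT_SHA1][hashlib.sha1(cert).digest()] = cert
    for key in encrypted_keys:
        index[VT_ENCKEY_SHA1][hashlib.sha1(key).digest()] = key
    for ap_req in ap_reqs:
        index[VT_KERB_APREQ_SHA1][hashlib.sha1(ap_req).digest()] = ap_req
    for assertion_id, assertion in assertions:
        index[VT_SAML11_ID][assertion_id.encode("utf-8")] = assertion
        index[VT_SAML20_ID][assertion_id.encode("utf-8")] = assertion
    return index


def resolve_key_identifier(str_xml, index):
    """Dereference a KeyIdentifier STR whose token is not in the message.
    An unknown ValueType is rejected rather than guessed, and an identifier that
    matches nothing held locally is an error, not a pass."""
    kid = ET.fromstring(str_xml).find(f"{{{WSSE}}}KeyIdentifier")
    if kid is None:
        raise ValueError("SecurityTokenReference carries no KeyIdentifier")
    value_type = kid.get("ValueType")
    if value_type not in index:
        raise ValueError(f"unsupported KeyIdentifier ValueType: {value_type}")
    raw = kid.text or ""
    wanted = base64.b64decode(raw, validate=True) if kid.get("EncodingType") == ENC_BASE64 else raw.encode("utf-8")
    try:
        return index[value_type][wanted]
    except KeyError:
        raise LookupError("KeyIdentifier matches no locally held token") from None


def resolves(str_el, index):
    """True if the STR dereferences to a locally held token, False otherwise."""
    try:
        resolve_key_identifier(ET.tostring(str_el), index)
        return True
    except (ValueError, LookupError):
        return False


if __name__ == "__main__":
    # Constructed sample material, not real certificates, keys or AP_REQ packets
    cert = b"constructed: stands in for a DER-encoded X.509 certificate"
    idx = index_local_tokens(certs=[cert], ap_reqs=[b"constructed AP_REQ"])
    print(ET.tostring(x509_thumbprint_sha1_str(cert)).decode())
    print(resolves(x509_thumbprint_sha1_str(cert), idx), resolves(x509_thumbprint_sha1_str(b"other"), idx))
```

The receiver index is the important half: a KeyIdentifier only names a token, so the verifier must look it up in material it already trusts, and both an unrecognised ValueType and a miss in the index are treated as failures.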
10.2.4.13 Adding an STRTransform
An STRTransform is a very useful transform that you add to your signatures. This transform causes a temporary replacement of the STRs with the corresponding STs
while calculating the signature.
For example, you might include an X509 SKI based STR in your reference. Without the STRTransform this results in only the STR reference being included in the
signature, that is, only the SKI value. But if you add an STRTransform, during the signing and verifying process the STR is replaced by the actual X509 certificate,
that is, the entire X509 certificate is included in the signature.
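To make the difference concrete, the added example below (Python, not code from the Oracle Security Developer Tools, and not a complete XML-Signature implementation) builds a constructed wsse:Security header with a BinarySecurityToken and an STR pointing at it, then computes the digest a ds:Reference over the STR would carry with and without the STR dereference step. ET.tostring stands in for canonicalization, which is an assumption; a ThumbprintSHA1 KeyIdentifier stands in for the SKI case in the text, since matching an SKI needs the certificate extension parsed out. The certificate bytes are constructed placeholders, not real DER.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
WSS10 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0"
ENC_BASE64 = WSS10 + "#Base64Binary"
VT_X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
VT_THUMBPRINT_SHA1 = "http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1"
STR_TRANSFORM = WSS10 + "#STR-Transform"   # ds:Transform Algorithm URI of the STR dereference transform
WSU_ID = f"{{{WSU}}}Id"
ET.register_namespace("wsse", WSSE)
ET.register_namespace("wsu", WSU)


def build_security_header(cert_der, by_key_identifier=False):
    """Constructed wsse:Security header (not a full SOAP message): one
    BinarySecurityToken carrying cert_der under wsu:Id="MyToken" and one
    SecurityTokenReference (wsu:Id="MyStr") pointing at it, either by a direct
    #MyToken Reference or by a ThumbprintSHA1 KeyIdentifier."""
    sec = ET.Element(f"{{{WSSE}}}Security")
    bst = ET.SubElement(sec, f"{{{WSSE}}}BinarySecurityToken",
                        {WSU_ID: "MyToken", "ValueType": VT_X509V3, "EncodingType": ENC_BASE64})
    bst.text = base64.b64encode(cert_der).decode("ascii")
    str_el = ET.SubElement(sec, f"{{{WSSE}}}SecurityTokenReference", {WSU_ID: "MyStr"})
    if by_key_identifier:
        kid = ET.SubElement(str_el, f"{{{WSSE}}}KeyIdentifier",
                            {"ValueType": VT_THUMBPRINT_SHA1, "EncodingType": ENC_BASE64})
        kid.text = base64.b64encode(hashlib.sha1(cert_der).digest()).decode("ascii")
    else:
        ET.SubElement(str_el, f"{{{WSSE}}}Reference", {"URI": "#MyToken", "ValueType": VT_X509V3})
    return sec


def find_by_wsu_id(root, wsu_id):
    for el in root.iter():
        if el.get(WSU_ID) == wsu_id:
            return el
    raise LookupError(f"no element with wsu:Id={wsu_id}")


def dereference_str(root, str_el):
    """What the STR-Transform does before digesting: replace the STR by the
    security token it refers to. Handles a same-document Reference URI and a
    ThumbprintSHA1 KeyIdentifier; anything else is refused rather than guessed."""
    ref = str_el.find(f"{{{WSSE}}}Reference")
    if ref is not None:
        uri = ref.get("URI", "")
        if not uri.startswith("#"):
            raise ValueError("only same-document references are resolved here")
        return find_by_wsu_id(root, uri[1:])
    kid = str_el.find(f"{{{WSSE}}}KeyIdentifier")
    if kid is not None and kid.get("ValueType") == VT_THUMBPRINT_SHA1:
        wanted = base64.b64decode(kid.text or "", validate=True)
        for bst in root.iter(f"{{{WSSE}}}BinarySecurityToken"):
            if hashlib.sha1(base64.b64decode(bst.text or "")).digest() == wanted:
                return bst
        raise LookupError("no BinarySecurityToken matches the ThumbprintSHA1")
    raise ValueError("unsupported SecurityTokenReference form")


def reference_digest(root, str_id, with_str_transform):
    """Digest a ds:Reference over the STR would carry. ET.tostring stands in
    for the canonicalization step (assumption: a real signer applies C14N)."""
    str_el = find_by_wsu_id(root, str_id)
    target = dereference_str(root, str_el) if with_str_transform else str_el
    return hashlib.sha256(ET.tostring(target)).hexdigest()


def digest_or_none(root, str_id, with_str_transform):
    """Verifier-side wrapper: an STR that cannot be dereferenced yields no digest."""
    try:
        return reference_digest(root, str_id, with_str_transform)
    except LookupError:
        return None


def swap_token(root, new_cert_der):
    """Model the token bytes being replaced in transit while the STR stays untouched."""
    find_by_wsu_id(root, "MyToken").text = base64.b64encode(new_cert_der).decode("ascii")


if __name__ == "__main__":
    root = build_security_header(b"constructed: certificate A (stands in for DER)")
    before = (reference_digest(root, "MyStr", False), reference_digest(root, "MyStr", True))
    swap_token(root, b"constructed: certificate B (stands in for DER)")
    after = (reference_digest(root, "MyStr", False), reference_digest(root, "MyStr", True))
    print("without STR-Transform, digest unchanged by token swap:", before[0] == after[0])
    print("with STR-Transform, digest changed by token swap:", before[1] != after[1])
```

The point the section makes shows up directly: without the transform the reference digest is computed over the STR alone, so replacing the token leaves the digest (and therefore the signature) valid; with the transform the digest covers the dereferenced certificate, and in the KeyIdentifier case a swapped token can no longer even be dereferenced, which the verifier must treat as a failure.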
10.2.5 Signing and Verifying