10-8 Oracle Fusion Middleware Reference for Oracle Security Developer Tools
// Now extract the session key.
// KerberosUtils.getSessionKey is an overloaded method, and this
// particular one is meant to be used by the server. Internally it
// decrypts the ap_req packet using the server's key or the
// tgtSession key and extracts the key from the decrypted ap_req packet.
Subject srvrSubject = ...
SecretKey sessionKey = KerberosUtils.getSessionKey(srvrSubject, ap_req);

// Now you can decrypt or verify using this key.
10.2.3.4 Creating a SAML Assertion Token
Refer to Chapter 8, "Oracle XML Security", for information on how to create Assertion objects. From the Assertion object you can create a SAML assertion token by invoking the SAMLAssertionToken(Assertion assertion) constructor.
10.2.4 Security Token References (STR)
The WS-Security specification also defines the concept of a Security Token Reference, sometimes abbreviated to STR, which is a mechanism to refer to a security token. A Signature or Encryption uses this STR mechanism to identify the key that was used to sign or encrypt.
STR typically supports the following mechanisms:
■ Direct Reference: The STR uses a URI to refer to the security token (ST).
■ Key Identifier: The STR does not use a URI, but instead uses some other mechanism to identify the token, such as the Issuer serial for X509 tokens and the assertion ID for SAML tokens. The token may not be in the message at all.
■ Embedded: The token is directly embedded in the KeyInfo.
10.2.4.1 Creating a direct reference STR
Before creating the STR, first create the token as described earlier, then call its setWsuId method to set an ID on that token. Next create the STR with that ID, and finally pass that STR in the WSSSignatureParams or WSEncryptionParams as described below.
10.2.4.2 Creating a Reference STR for a username token
WSSecurity ws = ...
WSSecurityTokenReference str = ws.createSTR_Username_ref("MyUser");
10.2.4.3 Creating a Reference STR for an X509 Token
WSSecurity ws = ...
WSSecurityTokenReference str = ws.createSTR_X509_Ref("MyCert");
10.2.4.4 Creating a Reference STR for a Kerberos Token
WSSecurity ws = ...
// use the appropriate value type
String valueType = WSSURI.vt_GSSKerberosv5;
WSSecurityTokenReference str = ws.createSTR_KerberosKeyRef("MyToken");
10.2.4.5 Creating a Reference STR for a SAML Assertion token
WSSecurity ws = ...
WSSecurityTokenReference str = ws.createSTR_SAML_Assertion_Ref20("MySAMLAssertion");
10.2.4.6 Creating a Reference STR for an EncryptedKey
WSSecurity ws = ...
WSSecurityTokenReference str = ws.createSTR_EncKeyRef("MyEncKey");
10.2.4.7 Creating a Reference STR for a generic token
Instead of using the createSTR methods, you can also create the reference directly with the appropriate valueType and tokenType:
WSSecurity ws = ...
String uri = "MyToken";
WSSReference ref = new WSSReference(doc, uri);
ref.setValueType(valueType);          // set an optional valueType
WSSecurityTokenReference str = new WSSecurityTokenReference(doc);
str.setTokenType(tokenType);          // set an optional tokenType
str.appendChild(ref);
10.2.4.8 Creating a Key Identifier STR
A KeyIdentifier is another way to refer to a security token that uses some intrinsic property of the token; for example, an assertionID for a SAML token or a Subject Key Identifier for an X509 token.
KeyIdentifiers are often used when the token itself is not present in the document. For example, an incoming message can be encrypted with an X509Cert, but instead of carrying that X509Cert in the message, it can carry only a hint to it, in the form of a SubjectKeyIdentifier.
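The following is an added example, not code from the Oracle documentation or from the OSDT API: it shows what a receiver has to do with the three STR mechanisms listed in 10.2.4 (direct reference, key identifier, embedded) and with the "token not in the message" case described just above. It uses only the Python standard library; the namespace and ValueType URIs are the standard OASIS WS-Security 1.0 values, the embedded case is modelled as a wsse:Embedded child of the STR, and the sample header, the trust store and the function names (resolve_str, resolve_all, STRError) are constructed for this illustration.

```python
import xml.etree.ElementTree as ET

# Standard OASIS WS-Security 1.0 namespaces and token-profile URIs.
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
ENC_B64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
VT_X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
VT_X509_SKI = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier"


def q(ns, local):
    """Clark-notation qualified name for ElementTree lookups."""
    return "{%s}%s" % (ns, local)


class STRError(ValueError):
    """Raised when a SecurityTokenReference cannot be resolved to a token."""


def resolve_str(security, str_el, trust_store):
    """Resolve one wsse:SecurityTokenReference found in the wsse:Security header.

    Returns (mechanism, token). For 'direct' and 'embedded' the token is the XML
    element; for 'keyidentifier' it is whatever the trust store maps the
    (ValueType, identifier) pair to, because the token is not in the message.
    """
    ref = str_el.find(q(WSSE, "Reference"))
    if ref is not None:
        uri = ref.get("URI", "")
        # Accept only same-document fragment URIs: an STR must never make the
        # receiver fetch a token from an external location.
        if not uri.startswith("#") or len(uri) < 2:
            raise STRError("direct reference must be a same-document fragment URI")
        wanted = uri[1:]
        # Search the wsu:Id only inside the Security header, so an element with
        # the same Id planted in the Body cannot be picked up as the token.
        for el in security.iter():
            if el is not str_el and el.get(q(WSU, "Id")) == wanted:
                return "direct", el
        raise STRError("no token with wsu:Id=%r in the Security header" % wanted)

    kid = str_el.find(q(WSSE, "KeyIdentifier"))
    if kid is not None:
        key = (kid.get("ValueType"), (kid.text or "").strip())
        if key not in trust_store:
            raise STRError("key identifier %r is not known to the trust store" % (key,))
        return "keyidentifier", trust_store[key]

    emb = str_el.find(q(WSSE, "Embedded"))
    if emb is not None and len(emb) == 1:
        return "embedded", emb[0]

    raise STRError("unsupported or malformed SecurityTokenReference")


def resolve_all(header_xml, trust_store):
    """Resolve every STR in a wsse:Security header.

    Returns {STR wsu:Id: (mechanism, token wsu:Id or trust-store value)}, or
    ('error', message) for an STR that cannot be resolved.
    """
    security = ET.fromstring(header_xml.strip())
    result = {}
    for str_el in security.findall(q(WSSE, "SecurityTokenReference")):
        sid = str_el.get(q(WSU, "Id"))
        try:
            mech, tok = resolve_str(security, str_el, trust_store)
            ident = tok if isinstance(tok, str) else tok.get(q(WSU, "Id"))
            result[sid] = (mech, ident)
        except STRError as exc:
            result[sid] = ("error", str(exc))
    return result


# Constructed sample header: one X509 token carried in the message, one STR of
# each kind, and one dangling direct reference.
SAMPLE_HEADER = f"""
<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">
  <wsse:BinarySecurityToken wsu:Id="MyCert" ValueType="{VT_X509V3}"
      EncodingType="{ENC_B64}">Y29uc3RydWN0ZWQtY2VydA==</wsse:BinarySecurityToken>
  <wsse:SecurityTokenReference wsu:Id="str-direct">
    <wsse:Reference URI="#MyCert" ValueType="{VT_X509V3}"/>
  </wsse:SecurityTokenReference>
  <wsse:SecurityTokenReference wsu:Id="str-ski">
    <wsse:KeyIdentifier ValueType="{VT_X509_SKI}"
        EncodingType="{ENC_B64}">c2tpLWNvbnN0cnVjdGVk</wsse:KeyIdentifier>
  </wsse:SecurityTokenReference>
  <wsse:SecurityTokenReference wsu:Id="str-embedded">
    <wsse:Embedded>
      <wsse:UsernameToken wsu:Id="MyUser"><wsse:Username>alice</wsse:Username></wsse:UsernameToken>
    </wsse:Embedded>
  </wsse:SecurityTokenReference>
  <wsse:SecurityTokenReference wsu:Id="str-dangling">
    <wsse:Reference URI="#NotInHeader"/>
  </wsse:SecurityTokenReference>
</wsse:Security>
"""

# Constructed trust store: maps a SubjectKeyIdentifier hint to the certificate
# the receiver already holds (a label stands in for the real certificate).
TRUST_STORE = {(VT_X509_SKI, "c2tpLWNvbnN0cnVjdGVk"): "cert-for-ski-constructed"}

if __name__ == "__main__":
    for str_id, outcome in resolve_all(SAMPLE_HEADER, TRUST_STORE).items():
        print(str_id, outcome)
```

The two checks in the direct-reference branch are the ones worth keeping in mind when you build STRs with the API above: the URI you pass must be a fragment pointing at the wsu:Id you set with setWsuId, and the receiver should resolve it only within the Security header. A KeyIdentifier STR resolves only if the receiver already holds the token; with an empty trust store the str-ski entry comes back as an error rather than silently matching.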
10.2.4.9 Creating a KeyIdentifier STR for an X509 Token