
2-28 Securing WebLogic Web Services for Oracle WebLogic Server

2.8.2 Configuring WS-Trust Client Properties

You set some of the configuration properties specifically for the WS-Trust client; others are determined through configuration information generally present for a Web service client. For example, the type of token retrieved is determined by the security policy of the Web service that the Web service client is invoking.

The properties that you can explicitly set and the token type they apply to are as follows.

■ STS URI (WS-SecureConversation and SAML)
■ STS security policy (SAML)
■ STS SOAP version (SAML)
■ STS WS-Trust version (SAML)
■ STS Server Certificate (SAML)

This section describes the following topics:

■ Obtaining the URI of the Secure Token Service
■ Configuring STS URI for WS-SecureConversation: Standalone Client
■ Configuring STS URI for SAML: Standalone Client
■ Configuring STS URI Using WLST: Client On Server Side
■ Configuring STS URI Using Console: Client On Server Side
■ Configuring STS Security Policy: Standalone Client
■ Configuring STS Security Policy Using WLST: Client On Server Side
■ Configuring STS Security Policy: Using the Console
■ Configuring the STS SOAP and WS-Trust Version: Standalone Client
■ Configuring the SAML STS Server Certificate: Standalone Client

2.8.2.1 Obtaining the URI of the Secure Token Service

There are three sources from which the WS-Trust client can obtain the URI of the secure token service (STS). The order of precedence is as follows:

■ The URI for the STS, as contained in the sp:Issuer/wsa:Address element of the token assertion in the Web services security policy.
■ A configured STS URI.
■ The co-located STS URI. This is the default if there is no other source (WS-SecureConversation only).
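The precedence order above, modeled as an added Java example; it is not Oracle code and does not call any WebLogic API. Assumptions: the class and method names are hypothetical, the policy fragments are constructed, the co-located STS is taken to be the service URL, and a SAML client with no STS source is treated as an error.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

public class StsUriResolver {  // hypothetical helper, not a WebLogic class

    /** Returns the sp:Issuer/wsa:Address value from a policy document, or null if absent. */
    static String issuerAddress(String policyXml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        // Policy files are untrusted input: refuse DOCTYPEs so no external entities resolve.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = dbf.newDocumentBuilder().parse(new InputSource(new StringReader(policyXml)));
        String addr = XPathFactory.newInstance().newXPath()
            .evaluate("//*[local-name()='Issuer']/*[local-name()='Address']", doc).trim();
        return addr.isEmpty() ? null : addr;
    }

    /** Applies the precedence: policy issuer, then configured URI, then co-located STS (WSSC only). */
    static String resolve(String policyXml, String configuredSts, String serviceUrl, boolean wssc)
            throws Exception {
        String fromPolicy = issuerAddress(policyXml);
        if (fromPolicy != null) return fromPolicy;
        if (configuredSts != null && !configuredSts.isEmpty()) return configuredSts;
        if (wssc) return serviceUrl;  // assumption: co-located STS shares the service URL
        throw new IllegalStateException("No STS URI: SAML has no co-located default");
    }

    public static void main(String[] args) throws Exception {
        // Constructed policy fragments; host names are placeholders.
        String policy =
            "<wsp:Policy xmlns:wsp='http://schemas.xmlsoap.org/ws/2004/09/policy'"
          + " xmlns:sp='http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702'"
          + " xmlns:wsa='http://www.w3.org/2005/08/addressing'>"
          + "<sp:IssuedToken><sp:Issuer><wsa:Address>https://sts.example.com/sts</wsa:Address>"
          + "</sp:Issuer></sp:IssuedToken></wsp:Policy>";
        String noIssuer = "<wsp:Policy xmlns:wsp='http://schemas.xmlsoap.org/ws/2004/09/policy'/>";
        String svc = "http://myserver/wsscsecuredservice";
        String cfg = "https://myserver/wsscsecuredservice";
        System.out.println(resolve(policy, cfg, svc, true));     // policy issuer wins
        System.out.println(resolve(noIssuer, cfg, svc, true));   // configured URI is used
        System.out.println(resolve(noIssuer, null, svc, true));  // co-located default
        try { resolve(noIssuer, null, svc, false); }             // SAML, nothing configured
        catch (IllegalStateException e) { System.out.println(e.getMessage()); }
    }
}
```

Because the policy's issuer address outranks a configured STS URI, a client can send token requests to an endpoint other than the one set in code; checking the effective policy first avoids that surprise.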

2.8.2.2 Configuring STS URI for WS-SecureConversation: Standalone Client

For WS-SecureConversation, if the STS is co-located with the service, there is no need to configure the STS URI. However, when the STS and the service do not share the same port, for example the service uses an HTTP port and the STS uses an HTTPS port, you need to configure the STS URI.

The following code example demonstrates setting the STS URI on a client stub under JAX-RPC. The example assumes that the location of the STS URI is already known to the client.

    import javax.xml.rpc.Stub;

    String wsdl = "http://myserver/wsscsecuredservice?wsdl";
    WsscSecuredService service = new WsscSecuredService_Impl(wsdl);
    WsscSecured port = service.getWsscSecuredSoapPort();
    Stub stub = (Stub) port;
    // The STS listens on the HTTPS port, so its URI differs from the service URI
    String sts = "https://myserver/wsscsecuredservice";
    stub._setProperty(weblogic.wsee.jaxrpc.WLStub.WST_STS_ENDPOINT_ON_WSSC, sts);

The following code example demonstrates setting the STS URI on a client stub under JAX-WS.

    import java.util.Map;
    import javax.xml.ws.BindingProvider;

    String wsdl = "http://myserver/wsscsecuredservice?wsdl";
    WsscSecuredService service = new WsscSecuredService_Impl(wsdl);
    String sts = "https://myserver/wsscsecuredservice";
    WsscSecured port = service.getWsscSecuredSoapPort();
    BindingProvider provider = (BindingProvider) port;
    // The STS URI is passed through the JAX-WS request context
    Map<String, Object> context = provider.getRequestContext();
    context.put(weblogic.wsee.jaxrpc.WLStub.WST_STS_ENDPOINT_ON_WSSC, sts);

2.8.2.3 Configuring STS URI for SAML: Standalone Client