Red Hat Summit이 콘텐츠는 선택한 언어로 제공되지 않습니다.
15.2. Configure Security Token Service (STS)
The EAP Security Token Service (STS) defines several interfaces that provide extension points. Implementations can be plugged in via configuration, and the default values can be specified for some properties via configuration. All STS configurations are specified in the
picketlink.xml file, which belongs in the WEB-INF directory of the deployed application. The following are the elements that can be configured in the picketlink.xml file.
Note
In the following text, a service provider refers to the Web service that requires a security token to be presented by its clients.
PicketLinkSTS: This is the root element. It defines some properties that allows the STS administrator to set a the following default values:STSName: A string representing the name of the security token service. If not specified, the defaultPicketLinkSTSvalue is used.TokenTimeout: The token lifetime value in seconds. If not specified, the default value of 3600 (one hour) is used.EncryptToken: A boolean specifying whether issued tokens are to be encrypted or not. The default value is false.
KeyProvider: This element and all its sub elements are used to configure the keystore that are used by PicketLink STS to sign and encrypt tokens. Properties like the keystore location, its password, and the signing (private key) alias and password are all configured in this section.RequestHandler: This element specifies the fully qualified name of theWSTrustRequestHandlerimplementation to be used. If not specified, the defaultorg.picketlink.identity.federation.core.wstrust.StandardRequestHandleris used.TokenProvider: This section specifies theTokenProviderimplementations that must be used to handle each type of security token. In the example we have two providers - one that handles tokens of typeSpecialTokenand one that handles tokens of typeSAMLV2.0. TheWSTrustRequestHandlercalls thegetProviderForTokenType(String type) method ofSTSConfigurationto obtain a reference to the appropriateTokenProvider.TokenTimeout: This is used by theWSTrustRequestHandlerwhen no Lifetime has been specified in the WS-Trust request. It creates a Lifetime instance that has the current time as the creation time and expires after the specified number of seconds.ServiceProviders: This section specifies the token types that must be used for each service provider (the Web service that requires a security token). When a WS-Trust request does not contain the token type, theWSTrustRequestHandlermust use the service provider endpoint to find out the type of the token that must be issued.EncryptToken: This is used by theWSTrustRequestHandlerto decide if the issued token must be encrypted or not. If true, the public key certificate (PKC) of the service provider is used to encrypt the token.
The following is an example of STS configuration.
Example 15.3. STS Configuration
<PicketLinkSTS xmlns="urn:picketlink:identity-federation:config:1.0"
STSName="Test STS" TokenTimeout="7200" EncryptToken="true">
<KeyProvider ClassName="org.picketlink.identity.federation.bindings.tomcat.KeyStoreKeyManager">
<Auth Key="KeyStoreURL" Value="keystore/sts_keystore.jks"/>
<Auth Key="KeyStorePass" Value="testpass"/>
<Auth Key="SigningKeyAlias" Value="sts"/>
<Auth Key="SigningKeyPass" Value="keypass"/>
<ValidatingAlias Key="http://services.testcorp.org/provider1" Value="service1"/>
<ValidatingAlias Key="http://services.testcorp.org/provider2" Value="service2"/>
</KeyProvider>
<RequestHandler>org.picketlink.identity.federation.core.wstrust.StandardRequestHandler</RequestHandler>
<TokenProviders>
<TokenProvider ProviderClass="org.picketlink.test.identity.federation.bindings.wstrust.SpecialTokenProvider"
TokenType="http://www.tokens.org/SpecialToken"/>
<TokenProvider ProviderClass="org.picketlink.identity.federation.api.wstrust.plugins.saml.SAML20TokenProvider"
TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"/>
</TokenProviders>
<ServiceProviders>
<ServiceProvider Endpoint="http://services.testcorp.org/provider1" TokenType="http://www.tokens.org/SpecialToken"
TruststoreAlias="service1"/>
<ServiceProvider Endpoint="http://services.testcorp.org/provider2" TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
TruststoreAlias="service2"/>
</ServiceProviders>
</PicketLinkSTS>
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}