THIS IS A TEST INSTANCE. ALL YOUR CHANGES WILL BE LOST!!!!
...
Policy set and sample available
Decide what format the security token is going to take
JMS
Assume authentication.message is required here
It's likely the security token will travel in a JMS message property so the JMS binding needs to be extended to be able to call out to policy providers in order to authenticate the token and retrieve the Subject. The Token/Subject should then be placed in the Tuscany message context.
WS
How is a security token to be flowed to a web service
If authentication.message is in force then this is going to rely on sessions at the SOAP level and could take a similar approach to the existing ws-security based policies to extract the token from a suitable session header. We should make sure the token is available to external (to axis) authentication code Then we need to push the token and the subject into the Tuscany message context
If authentication.transport is in force then the token needs to be extracted from the transport. We expect the container/Axis stack to do this for us initially and put it in the service context. Again we need to get it from there and push this out to the external (to axis) authentication code. Again we need to push the token and the subject into the Tuscany message context
Both JMS and WS approaches have the same pattern...
1. Perform some binding & policy specific processing to extract the token
2. Perform some deployment specific processing to authenticate the token, i.e. call the identity provider
3. Place the results of these two stages in the message context.
These steps require a closer integration between the bindings and the policy providers than we have currently.