[Version 5 only] WebSphere Application Server Network Deployment, Version 6.0.x     Operating Systems: AIX, HP-UX, Linux, Solaris, Windows

Request receiver

Important distinction between Version 5.x and Version 6.0.x applications
Note: The information in this article applies only to Version 5.x applications that are used with WebSphere Application Server Version 6. It does not apply to Version 6.0.x applications.

The security handler on the request receiver side of the Simple Object Access Protocol (SOAP) message enforces the security specifications that are defined in the IBM extension deployment descriptor (ibm-webservices-ext.xmi) and bindings (ibm-webservices-bnd.xmi). The request receiver defines the security requirement of the SOAP message. The security constraint for the request sender must match the security requirement of the request receiver for the server to accept the request. If the incoming SOAP message does not meet all of the defined security requirements, the request is rejected and the appropriate fault code is returned to the sender. A security token is validated using the Java Authentication and Authorization Service (JAAS) login configuration, and the authenticated identity is set as the identity for the downstream invocation.

For example, if there is a security requirement to have the SOAP body digitally signed by Joe Smith and if the SOAP body of the incoming SOAP message is not signed by Joe Smith, then the request is rejected.

You can define the following security requirements for the request receiver:

Required integrity (digital signature)
You can select multiple parts of a message to sign digitally. The following list contains the integrity options:
  • Body
  • Time stamp
  • Security token
Required confidentiality (encryption)
You can select multiple parts of a message to encrypt. The following list contains the confidentiality options:
  • Body content
  • Token
You can have multiple security tokens. The following list contains the security token options:
  • Basic authentication, which requires both a user name and a password
  • Identity assertion, which requires a user name only
  • X.509 binary security token
  • Lightweight Third Party Authentication (LTPA) binary security token
  • Custom token, which is pluggable and supports custom-defined tokens validated by the JAAS login configuration
Received time stamp
You can have a time stamp for checking the timeliness of the message.
  • Time stamp
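
The receiver-side check described above, reduced to message structure, as an added example (not IBM code and not the WebSphere handler): given a set of requirement names, it reports which ones an incoming SOAP message fails to meet. The requirement names, the function name and the five-minute freshness window are hypothetical, the namespaces are assumed to be the OASIS WSS 1.0 ones, and no signature verification, decryption or JAAS login is performed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Assumed namespaces: SOAP 1.1, XML-DSig, XML-Enc and the OASIS WSS 1.0 schemas.
WSS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-"
NS = {"s": "http://schemas.xmlsoap.org/soap/envelope/",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "xenc": "http://www.w3.org/2001/04/xmlenc#",
      "wsse": WSS + "secext-1.0.xsd", "wsu": WSS + "utility-1.0.xsd"}
WSU_ID = "{%s}Id" % NS["wsu"]

# Constructed sample: signed body, basic-auth token, time stamp; body not encrypted.
SAMPLE = """<s:Envelope xmlns:s="{s}" xmlns:ds="{ds}" xmlns:wsse="{wsse}" xmlns:wsu="{wsu}">
<s:Header><wsse:Security>
<wsu:Timestamp wsu:Id="ts"><wsu:Created>2005-03-17T10:00:00Z</wsu:Created></wsu:Timestamp>
<wsse:UsernameToken><wsse:Username>joe</wsse:Username><wsse:Password>x</wsse:Password></wsse:UsernameToken>
<ds:Signature><ds:SignedInfo><ds:Reference URI="#body"/></ds:SignedInfo></ds:Signature>
</wsse:Security></s:Header>
<s:Body wsu:Id="body"><getQuote/></s:Body></s:Envelope>""".format(**NS)

def unmet_requirements(envelope_xml, required, now, max_age=timedelta(minutes=5)):
    """Return the hypothetical requirement names in `required` that the message fails."""
    root = ET.fromstring(envelope_xml)
    sec, body = root.find("s:Header/wsse:Security", NS), root.find("s:Body", NS)
    if sec is None or body is None:
        return sorted(required)
    # wsu:Id values that the header signature's ds:Reference elements point at
    refs = sec.findall("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    signed = {r.get("URI", "")[1:] for r in refs if r.get("URI", "").startswith("#")}
    def is_signed(el):
        return el is not None and el.get(WSU_ID) in signed
    ts, user = sec.find("wsu:Timestamp", NS), sec.find("wsse:UsernameToken", NS)
    met = set()
    if is_signed(body): met.add("integrity:body")
    if is_signed(ts): met.add("integrity:timestamp")
    # Body content counts as encrypted only if every child is xenc:EncryptedData
    kids = list(body)
    if kids and all(k.tag == "{%s}EncryptedData" % NS["xenc"] for k in kids):
        met.add("confidentiality:bodycontent")
    if user is not None and user.findtext("wsse:Username", None, NS):
        met.add("token:idassertion")          # user name only
        if user.findtext("wsse:Password", None, NS):
            met.add("token:basicauth")        # user name and password
    created = ts.findtext("wsu:Created", None, NS) if ts is not None else None
    try:
        t = datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if abs(now - t) <= max_age: met.add("timestamp")
    except (TypeError, ValueError):
        pass  # missing or malformed wsu:Created: the requirement stays unmet
    return sorted(set(required) - met)
```

An empty result means that every listed requirement is structurally present; any other result corresponds to the case in which the receiver rejects the request.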



Sub-topics
Request receiver binding collection

Related concepts
Response sender
Response receiver
Request sender

Related tasks
Configuring the server for request decryption: choosing the decryption method


Last updated: Mar 17, 2005 4:28:29 AM CST
http://publib.boulder.ibm.com/infocenter/ws60help/index.jsp?topic=/com.ibm.websphere.nd.doc/info/ae/ae/cwbs_reqrecvr.html

© Copyright IBM Corporation 2003, 2005. All Rights Reserved.