When using the signature authentication method, the security token
is generated with a <ds:Signature> and a <wsse:BinarySecurityToken>
element.
On the request sender side, a callback handler is invoked to generate the
security token. On the request receiver side, a Java Authentication and Authorization
Service (JAAS) login module is used to validate the security token. These
two operations, token generation and token validation, are described in the
following sections.
- Signature token generation
- The request sender generates a Signature security token using a callback
handler. The security token returned by the callback handler is inserted in
the SOAP message. The callback handler is specified in the <LoginBinding>
element of the bindings file, ibm-webservicesclient-bnd.xmi. WebSphere
Application Server provides the following callback handler implementation
that can be used with the Signature authentication method: com.ibm.wsspi.wssecurity.auth.callback.NonPromptCallbackHandler
You can also add your own callback handlers that implement the javax.security.auth.callback.CallbackHandler
interface.
- Security token validation
- The request receiver retrieves the Signature security token from the Simple
Object Access Protocol (SOAP) message and validates it using a JAAS login
module. The <ds:Signature> and <wsse:BinarySecurityToken> elements in
the security token are used to perform the validation. If the validation is
successful, the login module returns a Java Authentication and Authorization
Service (JAAS) Subject. This Subject is then set as the identity of the running
thread. If the validation fails, the request is rejected with a SOAP fault
exception.
The JAAS login configuration is specified in the <LoginMapping> element
of the bindings file. Default bindings are specified in the ws-security.xml file.
However, you can override these bindings using the application-specific ibm-webservices-bnd.xmi file.
The configuration information consists of a CallbackHandlerFactory and a ConfigName.
The CallbackHandlerFactory specifies the name of a class that is used for
creating the JAAS CallbackHandler object. WebSphere Application Server provides
the com.ibm.wsspi.wssecurity.auth.callback.WSCallbackHandlerFactoryImp CallbackHandlerFactory
implementation. The ConfigName specifies a JAAS configuration name entry.
WebSphere Application Server searches in the security.xml file for
a matching configuration name entry. If a match is not found, it searches
the wsjaas.conf file. WebSphere Application Server provides the system.wssecurity.Signature
default configuration entry, which is suitable for the signature authentication
method.
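As an added example (not WebSphere's login module, whose code the page does not show), the following standalone Java method performs the receiver-side checks described above using the JDK's javax.xml.crypto.dsig API: it takes the certificate out of <wsse:BinarySecurityToken>, checks it against a truststore, verifies <ds:Signature>, and then confirms that the SOAP Body is among the signed references. The namespace URIs are the WSS 1.0 ones; the class name, the method, the truststore argument and the X509v3 token type are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Base64;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
public class SignatureTokenValidator { // hypothetical class, not part of WebSphere
    static final String WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    static final String SOAP = "http://schemas.xmlsoap.org/soap/envelope/";
    public static X509Certificate validate(byte[] envelope, KeyStore trustStore) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // ds:/wsse:/wsu: lookups below are by namespace
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD, no XXE
        Document doc = dbf.newDocumentBuilder().parse(new ByteArrayInputStream(envelope));
        Element hdr = (Element) doc.getElementsByTagNameNS(WSSE, "Security").item(0); // look only in the Security header
        if (hdr == null) throw new SecurityException("no wsse:Security header");
        // 1. <wsse:BinarySecurityToken> carries the signer's X.509 certificate as base64 DER (X509v3 token assumed).
        NodeList bst = hdr.getElementsByTagNameNS(WSSE, "BinarySecurityToken");
        if (bst.getLength() != 1) throw new SecurityException("expected one BinarySecurityToken");
        byte[] der = Base64.getMimeDecoder().decode(bst.item(0).getTextContent().trim());
        X509Certificate cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(new ByteArrayInputStream(der));
        // 2. A verifying signature only proves possession of the matching private key; trusting that certificate is a separate decision.
        cert.checkValidity();
        if (trustStore.getCertificateAlias(cert) == null) throw new SecurityException("signer certificate not in truststore");
        // 3. Verify <ds:Signature> with the token's public key (JSR-105 javax.xml.crypto.dsig, JDK 6+).
        NodeList sig = hdr.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sig.getLength() != 1) throw new SecurityException("expected one ds:Signature");
        DOMValidateContext ctx = new DOMValidateContext(KeySelector.singletonKeySelector(cert.getPublicKey()), sig.item(0));
        NodeList all = doc.getElementsByTagName("*"); // register wsu:Id attributes so "#id" References resolve
        for (int i = 0; i < all.getLength(); i++)
            if (((Element) all.item(i)).hasAttributeNS(WSU, "Id")) ctx.setIdAttributeNS((Element) all.item(i), WSU, "Id");
        XMLSignature signature = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        if (!signature.validate(ctx)) throw new SecurityException("signature verification failed");
        // 4. Confirm what was signed: the SOAP Body must be a Reference, or the signature says nothing about the payload.
        Element body = (Element) doc.getElementsByTagNameNS(SOAP, "Body").item(0);
        String bodyRef = "#" + body.getAttributeNS(WSU, "Id"); boolean bodySigned = false; // no wsu:Id gives "#", matching nothing
        for (Object r : signature.getSignedInfo().getReferences())
            if (bodyRef.equals(((javax.xml.crypto.dsig.Reference) r).getURI())) bodySigned = true;
        if (!bodySigned) throw new SecurityException("SOAP Body is not covered by the signature");
        return cert;
    }
}
```

The returned certificate is what a login module would map to a JAAS Subject; every failure path throws, which corresponds to the SOAP fault the page describes for rejected requests.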
Remember: The information in this article supports only
version 5.x applications that are used with WebSphere Application Server
Version 6.0.x. The information does not apply to version 6.0.x applications.