[Version 5 only] WebSphere Application Server Network Deployment, Version 6.0.x. Operating Systems: AIX, HP-UX, Linux, Solaris, Windows

Web services security service provider programming interfaces

Important distinction between Version 5.x and Version 6.0.x applications
Note: The information in this article supports version 5.x applications only that are used with WebSphere Application Server Version 6. The information does not apply to version 6.0.x applications.
Several Service Provider Interfaces (SPIs) are provided to extend the capability of the Web services security run time. The following list contains the SPIs that are available for WebSphere Application Server:
  • com.ibm.wsspi.wssecurity.config.KeyLocator is an abstraction for obtaining the keys that are used for digital signature and encryption. The following list contains the default implementations:
    • com.ibm.wsspi.wssecurity.config.KeyStoreKeyLocator

      Implements the Java key store.

    • com.ibm.wsspi.wssecurity.config.WSIdKeyStoreMapKeyLocator

      Maps the authenticated identity to a key for encryption, or falls back to the default key that is specified. This implementation is typically used in the response sender configuration.

    • com.ibm.wsspi.wssecurity.config.CertInRequestKeyLocator

      Provides the capability of using the signer key for encryption in the response message. This implementation is typically used in the response sender configuration.

  • com.ibm.wsspi.wssecurity.id.TrustedIDEvaluator is an interface that is used to evaluate the trust for identity assertion. The default implementation is com.ibm.wsspi.wssecurity.id.TrustedIDEvaluatorImpl, which enables you to define a list of trusted identities.
  • The Java Authentication and Authorization Service (JAAS) CallbackHandler application programming interfaces (APIs) are used for token generation by the request sender. This interface can be extended to generate a custom token that can be inserted in the Web services security header. The following list contains the default implementations that are provided by WebSphere Application Server:
    • com.ibm.wsspi.wssecurity.auth.callback.GUIPromptCallbackHandler

      Presents a login prompt to gather the basic authentication data. Use this implementation in the client environment only.

    • com.ibm.wsspi.wssecurity.auth.callback.StdinPromptCallbackHandler

      Collects the basic authentication data from a standard input (stdin) prompt. Use this implementation in the client environment only.

    • com.ibm.wsspi.wssecurity.auth.callback.NonPromptCallbackHandler

      Reads the basic authentication data from the application binding file. This implementation might be used on the server side to generate a user name token.

    • com.ibm.wsspi.wssecurity.auth.callback.LTPATokenCallbackHandler

      Generates a Lightweight Third Party Authentication (LTPA) token in the Web services security header as a binary security token. If basic authentication data is defined in the application binding file, it is used to perform a login, to extract the LTPA token from the WebSphere credentials, and to insert the token in the Web services security header. Otherwise, the handler extracts the LTPA token from the invocation credentials (the run-as identity) and inserts that token in the Web services security header.

The JAAS LoginModule API is used for token validation on the request receiver side of the message. You can implement a custom LoginModule to validate a custom token on the request receiver. After the token is verified and validated, its identity is set as the caller and run-as identity in the WebSphere Application Server run time; the containers use that identity for authorization checks before a Java 2 Platform, Enterprise Edition (J2EE) resource is invoked. The following list contains the default AuthMethod configurations that are provided by WebSphere Application Server:
  • BasicAuth

    Validates a user name token.

  • Signature

    Maps the distinguished name (DN) of a verified certificate to a Java Authentication and Authorization Service (JAAS) subject.

  • IDAssertion

    Maps a trusted identity to a JAAS subject.

  • LTPA

    Validates an LTPA token that is received in the message and creates a JAAS subject.
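The two SPIs described above, a CallbackHandler that generates a token on the request sender and a LoginModule that validates it on the request receiver, as one added example written against the standard JAAS interfaces of Java SE. This is illustrative code, not IBM's implementation and not code from this page: the class names, the shared secret and the token layout (user:expiryMillis:HMAC) are constructed for the example, and the step in which WebSphere inserts the token into the Web services security header is not shown. It assumes Java 8 or later.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

/** Hypothetical custom-token flow: a CallbackHandler on the request sender, a LoginModule on the receiver. */
public class CustomTokenJaasExample {
    // Constructed shared secret for this example only; a deployment would take the key
    // from a KeyLocator or keystore, never from a literal in code.
    static final byte[] SECRET = "example-shared-secret".getBytes(StandardCharsets.UTF_8);

    /** Custom Callback carrying the token between the handler and the login module. */
    public static class TokenCallback implements Callback {
        private String token;
        public String getToken() { return token; }
        public void setToken(String t) { token = t; }
    }

    /** HMAC-SHA256 over the token body, base64url encoded. Constructed token layout: user:expiryMillis:mac */
    static String mac(String body) throws Exception {
        Mac m = Mac.getInstance("HmacSHA256");
        m.init(new SecretKeySpec(SECRET, "HmacSHA256"));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(m.doFinal(body.getBytes(StandardCharsets.UTF_8)));
    }

    /** Request sender: generates the token (insertion into the WS-Security header is outside this example). */
    public static class TokenGeneratingHandler implements CallbackHandler {
        private final String user; private final long expiryMillis;
        public TokenGeneratingHandler(String user, long expiryMillis) { this.user = user; this.expiryMillis = expiryMillis; }
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (!(cb instanceof TokenCallback)) throw new UnsupportedCallbackException(cb);
                String body = user + ":" + expiryMillis;
                try { ((TokenCallback) cb).setToken(body + ":" + mac(body)); }
                catch (Exception e) { throw new IOException("cannot sign token", e); }
            }
        }
    }

    /** Request receiver: proves integrity and freshness before any identity is trusted. */
    public static class TokenLoginModule implements LoginModule {
        private Subject subject; private CallbackHandler handler;
        private String user; private boolean succeeded;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) { subject = s; handler = h; }
        public boolean login() throws LoginException {
            TokenCallback cb = new TokenCallback();
            try { handler.handle(new Callback[] { cb }); }
            catch (IOException | UnsupportedCallbackException e) { throw new LoginException("no token: " + e); }
            String token = cb.getToken();
            String[] parts = token == null ? new String[0] : token.split(":", -1);
            if (parts.length != 3) throw new FailedLoginException("malformed token");
            byte[] expected;
            try { expected = mac(parts[0] + ":" + parts[1]).getBytes(StandardCharsets.UTF_8); }
            catch (Exception e) { throw new LoginException("cannot verify token"); }
            // MAC first, compared in constant time: nothing in the token is trusted before integrity is proven.
            if (!MessageDigest.isEqual(expected, parts[2].getBytes(StandardCharsets.UTF_8)))
                throw new FailedLoginException("token integrity check failed");
            long expiry;
            try { expiry = Long.parseLong(parts[1]); } catch (NumberFormatException e) { throw new FailedLoginException("bad expiry"); }
            if (System.currentTimeMillis() > expiry) throw new FailedLoginException("token expired");
            user = parts[0]; succeeded = true;
            return true;
        }
        // Only a committed login adds the caller identity to the Subject; abort discards it.
        public boolean commit() { if (!succeeded) return false; subject.getPrincipals().add(new UserPrincipal(user)); return true; }
        public boolean abort() { succeeded = false; user = null; return true; }
        public boolean logout() { subject.getPrincipals().removeIf(p -> p instanceof UserPrincipal); return true; }
    }
    public static final class UserPrincipal implements Principal {
        private final String name;
        public UserPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }
    /** Programmatic JAAS Configuration so the example runs without a login.config file. */
    static Configuration config() {
        return new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(TokenLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, new HashMap<String, Object>()) };
            }
        };
    }

    public static void main(String[] args) throws Exception {
        long now = System.currentTimeMillis();
        LoginContext fresh = new LoginContext("CustomToken", new Subject(), new TokenGeneratingHandler("alice", now + 60_000), config());
        fresh.login();
        System.out.println("accepted: " + fresh.getSubject().getPrincipals(UserPrincipal.class).iterator().next().getName());
        LoginContext stale = new LoginContext("CustomToken", new Subject(), new TokenGeneratingHandler("alice", now - 1), config());
        try { stale.login(); } catch (LoginException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

Compile and run with javac CustomTokenJaasExample.java and java CustomTokenJaasExample; the first login is accepted and the second rejected as expired. The order of checks in login() is the point: the MAC is verified in constant time before the expiry field is even parsed, so a forged token never influences control flow, and the Principal is added to the Subject only in commit(), which in the WebSphere flow described above is the identity that becomes the caller and run-as identity used for J2EE authorization checks.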



Related concepts
Lightweight Third Party Authentication
Web services security model in WebSphere Application Server
Login mappings

Related reference
Web services security support



Last updated: Mar 17, 2005 4:28:29 AM CST
http://publib.boulder.ibm.com/infocenter/ws60help/index.jsp?topic=/com.ibm.websphere.nd.doc/info/ae/ae/rwbs_wssecapi.html

© Copyright IBM Corporation 2003, 2005. All Rights Reserved.