You can configure the client-side request sender (ibm-webservicesclient-bnd.xmi file)
or server-side request receiver (ibm-webservices-bnd.xmi file)
by using the WebSphere Application Server administrative console.
Before you begin
Important: There is an important distinction between
Version 5.x and Version 6 and later applications. The information
in this article supports only Version 5.x applications that
are used with WebSphere Application Server Version 6.0.x and
later. The information does not apply to Version 6.0.x and
later applications.
Prior to completing these steps, it is
assumed that you have already created a Web service that is based
on the Java 2 Platform, Enterprise Edition (J2EE) specification. See
either of the following topics for an introduction of how to manage
Web services security binding information for the server:
About this task
This document describes how to configure a pluggable token
in the request sender (ibm-webservicesclient-ext.xmi and
ibm-webservicesclient-bnd.xmi files) and the request receiver
(ibm-webservices-ext.xmi and ibm-webservices-bnd.xmi files).
Important: The pluggable token is required for
the request sender and request receiver as they are a pair. The request
sender and the request receiver must match for a request to be accepted
by the receiver.
Prior to completing these steps, it
is assumed that you deployed a Web services-enabled enterprise application
to the WebSphere Application Server.
Use the following steps to configure the client-side request sender
(ibm-webservicesclient-bnd.xmi file) or server-side request receiver
(ibm-webservices-bnd.xmi file) using the WebSphere Application Server
administrative console.
- Click .
- Under Manage modules, click URI_name.
The URI is the Web services-enabled module.
- Under Web Services Security Properties, click Web services:
client security bindings to edit the response sender binding
information, if Web services is acting as client.
- Under Response sender binding, click Edit.
- Under Additional Properties, click Login binding.
- Select Dedicated login binding to define
a new login binding.
- Enter the authentication method. This must match the authentication
method defined in the IBM extension deployment descriptor. The authentication
method must be unique in the binding file.
- Enter an implementation of the JAAS javax.security.auth.callback.CallbackHandler interface.
- Enter the basic authentication information (User ID and Password).
The basic authentication information is passed to the constructor
of the CallbackHandler implementation. How the basic authentication
information is used is up to the implementation of the CallbackHandler.
- Enter the token value type. It is optional for the BasicAuth, Signature
and IDAssertion authentication methods but required for any other
authentication method. The token value type is inserted into the <wsse:BinarySecurityToken>@ValueType for
a binary security token and used as the namespace of an XML-based token.
- Click Properties. Define the property with
name and value pairs. These pairs are passed to the constructor of the
CallbackHandler implementation as a java.util.Map.
Select None to deselect the login binding.
- Under Web Services Security Properties, click Web services:
server security bindings to edit the request receiver
binding information.
- Under Request Receiver Binding, click Edit.
- Under Additional Properties, click Login mappings.
- Click New to create new login mapping.
- Enter the authentication method. This must match the authentication
method defined in the IBM extension deployment descriptor. The authentication
method must be unique in the login mapping collection of the binding
file.
- Enter a JAAS Login Configuration name. The JAAS Login Configuration
must be defined under . Under Authentication, click . For more information, see Configuring programmatic logins for Java Authentication and Authorization Service.
- Enter an implementation of the com.ibm.wsspi.wssecurity.auth.callback.CallbackHandlerFactory interface.
This is a mandatory field.
- Enter the token value type. It is optional for the BasicAuth, Signature
and IDAssertion authentication methods but required for any other
authentication method. The token value type is used to validate against
the <wsse:BinarySecurityToken>@ValueType for a binary
security token and against the namespace of an XML-based token.
- Enter the name and value pairs for the "Login Mapping Property"
by clicking Properties. These name and value
pairs are available to the JAAS Login Module or Modules through the
com.ibm.wsspi.wssecurity.auth.callback.PropertyCallback JAAS
Callback. Note: This is true when editing existing login mappings
but not when creating new login mappings.
- Enter the name and value pairs for the "Callback Handler Factory
Property". These name and value pairs are passed as a java.util.Map to
the com.ibm.wsspi.wssecurity.auth.callback.CallbackHandlerFactory.init() method.
How these name and value pairs are used is up to the CallbackHandlerFactory
implementation.
- Click the authentication method link to edit the selected login mapping.
- Click Remove to remove the selected login
mapping or mappings.
- Click Save.
Results
The previous steps define how to configure the
request sender to create security tokens in the SOAP message and the
request receiver to validate the security tokens found in the incoming
SOAP message. WebSphere Application Server supports pluggable security
tokens.
You can use the authentication method defined
in the login bindings and login mappings to generate security tokens
in the request sender and validate security tokens in the request
receiver.
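The constraints stated in the steps above (unique authentication method per binding file, token value type required outside BasicAuth, Signature and IDAssertion, mandatory CallbackHandlerFactory, and a matching sender and receiver pair) can be checked before the values are entered in the console. The following is an added example, not IBM code: the dictionary keys are hypothetical labels for the console fields, not names from the binding file schema, and all sample values are constructed.

```python
# Added example. Dictionary keys are hypothetical labels for the console
# fields in the steps above, not names from the WebSphere binding schema.
TOKEN_TYPE_OPTIONAL = {"BasicAuth", "Signature", "IDAssertion"}

def _check_side(side, entries, problems):
    seen = set()
    for e in entries:
        method = e.get("auth_method") or "<unset>"
        if method in seen:  # must be unique within the binding file
            problems.append(f"{side}: duplicate authentication method {method}")
        seen.add(method)
        if method not in TOKEN_TYPE_OPTIONAL and not e.get("token_value_type"):
            problems.append(f"{side}/{method}: token value type is required")
        if side == "receiver" and not e.get("callback_handler_factory"):
            problems.append(f"receiver/{method}: CallbackHandlerFactory is mandatory")

def check_bindings(login_bindings, login_mappings):
    """Return the problems found in sender login bindings and receiver login mappings."""
    problems = []
    _check_side("sender", login_bindings, problems)
    _check_side("receiver", login_mappings, problems)
    receivers = {e.get("auth_method"): e for e in login_mappings}
    for e in login_bindings:  # sender and receiver are a pair and must match
        method = e.get("auth_method")
        peer = receivers.get(method)
        if peer is None:
            problems.append(f"{method}: no login mapping on the receiver")
            continue
        mine, theirs = e.get("token_value_type"), peer.get("token_value_type")
        if mine and theirs and mine != theirs:  # compared only when both are set
            problems.append(f"{method}: token value type differs between sender and receiver")
    return problems

# Constructed sample values; class names and URIs are placeholders.
SENDER = [{"auth_method": "CustomToken",
           "callback_handler": "com.example.TokenCallbackHandler",
           "token_value_type": "http://example.com/tokens#v1"}]
RECEIVER = [
    {"auth_method": "BasicAuth", "jaas_config": "example.login.basic",
     "callback_handler_factory": "com.example.FactoryImpl"},
    {"auth_method": "CustomToken", "jaas_config": "example.login.custom",
     "token_value_type": "http://example.com/tokens#v2"},  # wrong type, no factory
]

if __name__ == "__main__":
    for line in check_bindings(SENDER, RECEIVER):
        print(line)
```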
What to do next
Once you have configured pluggable tokens,
you must configure both the client and the server to support pluggable
tokens. See the following topics to configure the client and the server: