This information describes the default implementations of the service provider interfaces (SPI) for Web services security within WebSphere Application Server Version 6 and later.

The default implementations of the service provider interfaces for WebSphere Application Server Version 5.x are not described in this document. Instead, see Securing Web services for Version 5.x applications based on WS-Security for the Version 5.x implementations that are deprecated in Version 6.0.x and later.
Default implementations for the JAX-RPC run time
- com.ibm.wsspi.wssecurity.token.X509TokenGenerator
- This class implements the com.ibm.wsspi.wssecurity.token.TokenGeneratorComponent
interface. It is responsible for creating the X.509 token object from
the X.509 certificate, which is returned by the
com.ibm.wsspi.wssecurity.auth.callback.{X509,PKCS7,PkiPath}CallbackHandler
interface. It encodes the token in Base64 and inserts its XML
representation into the Simple Object Access Protocol (SOAP) message,
if necessary.
- com.ibm.wsspi.wssecurity.auth.callback.X509CallbackHandler
- This class implements the javax.security.auth.callback.CallbackHandler
interface and it retrieves the X.509 certificate from the keystore
file.
- com.ibm.wsspi.wssecurity.token.UsernameTokenGenerator
- This class
implements the com.ibm.wsspi.wssecurity.token.TokenGeneratorComponent
interface. It is responsible for creating the
username token object from user name and password that is returned
by a javax.security.auth.callback.CallbackHandler implementation such
as the following callback handlers:
com.ibm.wsspi.wssecurity.auth.callback.{GUIPrompt,NonPrompt,StdinPrompt}CallbackHandler
It
also inserts the XML representation of the token into the SOAP message,
if necessary.
- com.ibm.wsspi.wssecurity.keyinfo.KeyStoreKeyLocator
- This class
implements the com.ibm.wsspi.wssecurity.keyinfo.KeyLocator interface. This
class retrieves the keys from the keystore files for digital signature
and encryption.
- com.ibm.wsspi.wssecurity.token.X509TokenConsumer
- This class implements the com.ibm.wsspi.wssecurity.token.TokenConsumerComponent
interface. This class processes the X.509 token from the binary security
token. It decodes the Base64 encoding of the X.509 token and then invokes the
system.wssecurity.X509BST Java Authentication and Authorization Service
(JAAS) login configuration with the com.ibm.wsspi.wssecurity.auth.module.X509LoginModule
login module to validate the X.509 token. An object of the com.ibm.wsspi.wssecurity.auth.token.X509Token
class is created for the validated X.509 token and stored in the JAAS Subject.
- com.ibm.wsspi.wssecurity.token.IDAssertionUsernameTokenConsumer
- This class implements the com.ibm.wsspi.wssecurity.token.TokenConsumerComponent
interface. This class processes the username token for identity assertion
(IDAssertion), which does not have a password element. It invokes the
system.wssecurity.IDAssertionUsernameToken JAAS login configuration with the
com.ibm.wsspi.wssecurity.auth.module.IDAssertionUsernameLoginModule
login module to validate the IDAssertion username token. An object
of the com.ibm.wsspi.wssecurity.auth.token.UsernameToken class is
created for the validated username token and stored in the JAAS Subject.
- com.ibm.wsspi.wssecurity.auth.module.IDAssertionUsernameLoginModule
- This class implements the javax.security.auth.spi.LoginModule
interface and checks only that the username value is not empty. The
login module assumes that the UsernameToken is valid if the username
value is not empty; no password is checked, because an IDAssertion token
carries none. The trust decision for identity assertion is made separately
by the com.ibm.wsspi.wssecurity.id.TrustedIDEvaluator.
- com.ibm.wsspi.wssecurity.token.LTPATokenGenerator
- This class implements the com.ibm.wsspi.wssecurity.token.TokenGeneratorComponent
interface. This class is responsible for Base64-encoding the LTPA token
object obtained from the com.ibm.wsspi.wssecurity.auth.callback.LTPATokenCallbackHandler
callback handler. The object is inserted into the Web services security
header within the SOAP message, if necessary.
- com.ibm.wsspi.wssecurity.token.LTPATokenConsumer
- This class
implements the com.ibm.wsspi.wssecurity.token.TokenConsumerComponent
interface. This class processes
the LTPA token from the binary security token, and decodes the Base64
encoding within the LTPA token. An object of the com.ibm.wsspi.wssecurity.auth.token.LTPAToken
class is created for the validated LTPA token and stored in the JAAS
Subject.
- com.ibm.wsspi.wssecurity.auth.module.X509LoginModule
- This class implements the javax.security.auth.spi.LoginModule
interface and validates the X.509 Certificate based on the trust anchor
and the collection certification store configuration.
- com.ibm.wsspi.wssecurity.token.UsernameTokenConsumer
- This class
implements the com.ibm.wsspi.wssecurity.token.TokenConsumerComponent
interface. This class processes
the username token, extracts the user name and password, and then
invokes the system.wssecurity.UsernameToken JAAS login configuration
using the com.ibm.wsspi.wssecurity.auth.module.UsernameLoginModule
login module to validate the user name and password. An object of
the com.ibm.wsspi.wssecurity.auth.token.UsernameToken class is created
for the validated username token and stored in the JAAS Subject.
- com.ibm.wsspi.wssecurity.keyinfo.X509TokenKeyLocator
- This class implements the com.ibm.wsspi.wssecurity.keyinfo.KeyLocator interface. This
class is used to retrieve a public key from an X.509 certificate. The
X.509 certificate is stored in the X.509 token (com.ibm.wsspi.wssecurity.auth.token.X509Token)
in the JAAS Subject. The X.509 token is created by the X.509 Token
Consumer (com.ibm.wsspi.wssecurity.token.X509TokenConsumer).
- com.ibm.wsspi.wssecurity.keyinfo.SignerCertKeyLocator
- This class implements the com.ibm.wsspi.wssecurity.keyinfo.KeyLocator interface. This
class is used to retrieve the public key from the X.509 certificate
of the request signer in order to encrypt the response. You can use this key
locator in the response generator binding configuration only.
Important: This implementation assumes that only one signer
certificate is used in the request.
- com.ibm.wsspi.wssecurity.auth.token.UsernameToken
- This implementation extends the com.ibm.wsspi.wssecurity.auth.token.WSSToken
abstract class to represent the username token.
- com.ibm.wsspi.wssecurity.auth.token.X509Token
- This implementation extends the com.ibm.wsspi.wssecurity.auth.token.WSSToken
abstract class to represent the X.509 binary security token (X.509
certificate).
- com.ibm.wsspi.wssecurity.auth.token.LTPAToken
- This implementation extends the com.ibm.wsspi.wssecurity.auth.token.WSSToken
abstract class as a wrapper to the LTPA token that is extracted from
the binary security token.
- com.ibm.wsspi.wssecurity.auth.callback.PKCS7CallbackHandler
- This class implements the javax.security.auth.callback.CallbackHandler
interface and is responsible for creating a certificate and binary
data, with or without a certificate revocation list (CRL), using the
PKCS#7 encoding. The certificate and the binary data are passed back
to the com.ibm.wsspi.wssecurity.token.X509TokenGenerator implementation
through the com.ibm.wsspi.wssecurity.auth.callback.X509BSCallback
callback handler.
- com.ibm.wsspi.wssecurity.auth.callback.PkiPathCallbackHandler
- This class implements the javax.security.auth.callback.CallbackHandler
interface and is responsible for creating a certificate and binary
data, without a CRL, using the PkiPath encoding. The certificate and
binary data are passed back to the com.ibm.wsspi.wssecurity.token.X509TokenGenerator
implementation through the com.ibm.wsspi.wssecurity.auth.callback.X509BSCallback
callback handler.
- com.ibm.wsspi.wssecurity.auth.callback.X509CallbackHandler
- This class implements the javax.security.auth.callback.CallbackHandler
interface and it is responsible for creating a certificate from the
keystore file. The X.509 token certificate is passed back to the com.ibm.wsspi.wssecurity.token.X509TokenGenerator
implementation through the com.ibm.wsspi.wssecurity.auth.callback.X509BSCallback
callback handler.
- com.ibm.wsspi.wssecurity.auth.callback.LTPATokenCallbackHandler
- This implementation generates a Lightweight Third Party Authentication
(LTPA) token in the Web services security header as a binary security
token. If basic authentication data is defined in the application
binding file, it is used to perform a login, to extract the LTPA token
from the WebSphere Application Server credentials, and to insert the
token in the Web services security header. Otherwise, it extracts
the LTPA security token from the invocation credentials (run as identity)
and inserts the token in the Web services security header.
- com.ibm.wsspi.wssecurity.auth.callback.NonPromptCallbackHandler
- This implementation reads the basic authentication data from the
application binding file. You might use this implementation on the
server side to generate a username token.
- com.ibm.wsspi.wssecurity.auth.callback.GUIPromptCallbackHandler
- This implementation presents you with a login prompt to gather
the basic authentication data. Use this implementation on the client
side only.
- com.ibm.wsspi.wssecurity.auth.callback.StdinPromptCallbackHandler
- This implementation collects the basic authentication data using
a standard in (stdin) prompt. Use this implementation on the client
side only.
- com.ibm.wsspi.wssecurity.id.TrustedIDEvaluator
- This interface is used to evaluate the level of trust for identity
assertion. The default implementation is com.ibm.wsspi.wssecurity.id.TrustedIDEvaluatorImpl,
which enables you to define a list of trusted identities.
- com.ibm.wsspi.wssecurity.id.TrustedIDEvaluatorImpl
- This default implementation enables you to define a list of trusted
identities for identity assertion.
- com.ibm.wsspi.wssecurity.id.TrustedIDEvaluatorException
- This exception class is used by an implementation of the com.ibm.wsspi.wssecurity.id.TrustedIDEvaluator
to communicate the exception and errors to the Web services security
run time.
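As an added illustration (not WebSphere code), the following Python models the consumer-side split described above for UsernameTokenConsumer, IDAssertionUsernameTokenConsumer and TrustedIDEvaluatorImpl: a token that carries a Password element is authenticated by password, while a password-less identity-assertion token is accepted only when the asserting party is on the trusted-identity list. The sample envelopes, the `asserting_id` parameter and the `verify_password` callback are constructed assumptions; WebSphere establishes the intermediary's identity through its own token processing.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"


def _envelope(token_body: str) -> str:
    """Constructed sample SOAP message with one wsse:UsernameToken in the security header."""
    return (
        f'<soapenv:Envelope xmlns:soapenv="{SOAP}"><soapenv:Header>'
        f'<wsse:Security xmlns:wsse="{WSSE}"><wsse:UsernameToken>{token_body}'
        '</wsse:UsernameToken></wsse:Security></soapenv:Header>'
        '<soapenv:Body/></soapenv:Envelope>'
    )


# Identity assertion: Username only, no Password element (handled by IDAssertionUsernameTokenConsumer).
IDASSERTION_MSG = _envelope('<wsse:Username>alice</wsse:Username>')
# Ordinary username token: Username plus Password (handled by UsernameTokenConsumer).
PASSWORD_MSG = _envelope('<wsse:Username>alice</wsse:Username><wsse:Password>s3cret</wsse:Password>')


def consume_username_token(envelope_xml, asserting_id, trusted_ids, verify_password):
    """Simplified model of the consumer dispatch. `asserting_id` (assumption) is the identity of
    the intermediary that sent the message, taken as already established by another token in the
    same header; `trusted_ids` plays the role of TrustedIDEvaluatorImpl's trusted-identity list."""
    root = ET.fromstring(envelope_xml)
    token = root.find(f".//{{{WSSE}}}UsernameToken")
    if token is None:
        raise ValueError("no wsse:UsernameToken in the security header")
    name_el = token.find(f"{{{WSSE}}}Username")
    pwd_el = token.find(f"{{{WSSE}}}Password")
    username = (name_el.text or "").strip() if name_el is not None else ""

    if pwd_el is not None:
        # UsernameTokenConsumer path: the credentials themselves are verified (UsernameLoginModule).
        if not username or not verify_password(username, pwd_el.text or ""):
            raise PermissionError("username/password authentication failed")
        return {"path": "UsernameToken", "principal": username}

    # IDAssertionUsernameTokenConsumer path: the login module only requires a non-empty name...
    if not username:
        raise PermissionError("IDAssertion token has an empty Username")
    # ...so the real trust decision is the TrustedIDEvaluator check on the asserting party.
    if asserting_id not in trusted_ids:
        raise PermissionError(f"asserting identity {asserting_id!r} is not trusted")
    return {"path": "IDAssertion", "principal": username, "asserted_by": asserting_id}
```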