WebSphere Application Server Version 6.1 Feature Pack for Web Services
             Operating Systems: AIX, HP-UX, i5/OS, Linux, Solaris, Windows, z/OS


Custom security token propagation

Web services security can send security tokens in the security header of a SOAP message. These security tokens can be used to sign, verify, encrypt or decrypt message parts. They can also be sent as standalone security tokens and set as the caller on the request consumer. Custom security token propagation uses Web services security to propagate these custom security tokens.

Web services security supports the Username, X.509 and Lightweight Third-Party Authentication (LTPA) security token types.

A client can use the propagation token from within a secured service, where it locates the runAs subject and propagates the credentials to a downstream server. A server-based client can use the propagation token if it is secured in the Web container with HTTP basic authentication. In many situations, for a server-based client, the overhead of propagation tokens is not necessary because only the identity is required and not the full set of credentials. However, if the client application modifies the subject after it is invoked by the Web container, you might use a propagation token.

When you use security token propagation, the propagation token is sent in the wsse:BinarySecurityToken element in the security header of the SOAP message. Web services security uses the same propagation token format as used by the Security attribute propagation feature.

Configuring this option is similar to the configuration for sending and receiving LTPA tokens. The same token generator and token consumer implementations are used, for example: But, the token type Uniform Resource Identifier (URI) and local name for the token generator and token consumer are different. For custom token properties, use the following values: By default, the custom token propagation uses the following JAAS login configuration entries:

You can use the com.ibm.ws.webservices.wssecurity.constants.jaasConfig custom property to specify a different JAAS login configuration for the generator. You can do this configuration on the CallbackHandler configuration panel. To specify a different JAAS login configuration on the consumer side, use the JAAS configuration name field in the Token consumer panel.
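As an added illustration (not IBM's code), the Python below walks a captured SOAP message, pulls each wsse:BinarySecurityToken out of the security header, and resolves its ValueType to the (token type URI, local name) pair that a token consumer is configured with, so unexpected token types can be flagged. The sample message, the `urn:example:tokentype` URI, the `EXAMPLE_PROPAGATION` local name, the QName-style ValueType and both function names are constructed assumptions, not WebSphere's actual values.

```python
import base64
import io
import xml.etree.ElementTree as ET

SOAP = "{http://schemas.xmlsoap.org/soap/envelope/}"
WSSE = "{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}"
HEADER_PATH = [SOAP + "Envelope", SOAP + "Header",
               WSSE + "Security", WSSE + "BinarySecurityToken"]

# Constructed sample: token bytes, token type URI and local name are placeholders.
TOKEN_BYTES = b"constructed propagation token"
SAMPLE = (
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Header>'
    '<wsse:Security xmlns:wsse="' + WSSE[1:-1] + '">'
    '<wsse:BinarySecurityToken xmlns:tt="urn:example:tokentype" '
    'ValueType="tt:EXAMPLE_PROPAGATION">'
    + base64.b64encode(TOKEN_BYTES).decode() +
    '</wsse:BinarySecurityToken></wsse:Security></s:Header><s:Body/></s:Envelope>'
).encode()

def binary_security_tokens(soap_xml):
    """Return (token type URI, local name, decoded length) per header token."""
    scopes, path, tokens = [], [], []
    events = ("start-ns", "end-ns", "start", "end")
    for event, item in ET.iterparse(io.BytesIO(soap_xml), events=events):
        if event == "start-ns":
            scopes.append(item)          # (prefix, uri) comes into scope
        elif event == "end-ns":
            scopes.pop()                 # innermost declaration leaves scope
        elif event == "start":
            path.append(item.tag)
        else:                            # "end": this element's prefixes still apply
            if path == HEADER_PATH:      # only tokens inside the security header
                value = item.get("ValueType", "")
                prefix, _, local = value.rpartition(":")
                uri = next((u for p, u in reversed(scopes) if p == prefix), None)
                if uri is None:          # not a resolvable QName: keep raw value
                    local = value
                text = "".join((item.text or "").split())
                raw = base64.b64decode(text, validate=True)
                tokens.append((uri, local, len(raw)))
            path.pop()
    return tokens

def unexpected_tokens(soap_xml, allowed):
    """Tokens whose (URI, local name) is not in the consumer's expected set."""
    return [t for t in binary_security_tokens(soap_xml) if t[:2] not in allowed]
```

Run it over trusted captures only, or substitute a hardened XML parser such as defusedxml before feeding it untrusted input.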




Related concepts
Security attribute propagation
Web services security provides message integrity, confidentiality, and authentication
Related tasks
Configuring token generators using JAX-RPC to protect message authenticity at the server or cell level
Configuring token consumers using JAX-RPC to protect message authenticity at the server or cell level
Configuring token generators using JAX-RPC to protect message authenticity at the application level
Configuring token consumers using JAX-RPC to protect message authenticity at the application level
Related reference
Token generator configuration settings
Token consumer configuration settings

Last updated: Nov 25, 2008 2:35:59 AM CST
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp?topic=/com.ibm.websphere.wsfep.multiplatform.doc/info/ae/ae/cwbs_securitytokenpropagationwbs.html