The token processing and pluggable token architecture in the Web Services Security runtime for IBM WebSphere Application Server Version 6.1 Feature Pack for Web Services has been redesigned to reuse the same security token interface and JAAS login module as the Web Services Security APIs (WSS API). The same token creation and validation implementation can therefore be used both through the WSS API and through the WSS SPI in the Web Services Security runtime.
In IBM WebSphere Application Server Version 6.1 Feature Pack for Web Services, the new design removes the need for the following interfaces from WebSphere Application Server Version 6.1:
However, if your applications continue to use JAX-RPC and deployment descriptors for configuration instead of using the Feature Pack for Web Services, these Version 6.1 interfaces are still valid.
Note that the key name (KeyName) element is not supported in the Feature Pack for Web Services because no KeyName policy assertion is defined in the current OASIS Web Services Security draft specification. For similar reasons, a SAML token is not supported out of the box in the Feature Pack for Web Services.
Using the new design in the Feature Pack for Web Services, the Java Authentication and Authorization Service (JAAS) callback handler (CallbackHandler) and the JAAS login module (LoginModule) implementations are responsible for creating the security token on the generator side and validating (authenticating) the security token on the consumer side.
For example, on the generator side, the Username token is created by the JAAS LoginModule, which uses the JAAS CallbackHandler to obtain the authentication data. The LoginModule creates the Username SecurityToken object and passes it to the Web Services Security runtime.
On the consumer side, the Username token, in its XML form, is passed to the JAAS LoginModule for validation (authentication). The token consumer configured for the request consumer must correspond to the token generator configured for the request generator. For example, if your application requires a Username token, you can specify the com.ibm.wsspi.wssecurity.token.UsernameTokenGenerator class name for the token generator and the com.ibm.wsspi.wssecurity.token.UsernameTokenConsumer class name for the token consumer.
The JAAS CallbackHandler passes the authentication data from the Web Services Security runtime to the LoginModule. If the token is authenticated successfully, a Username SecurityToken object is created and passed to the Web Services Security runtime.
The SPI implementation throws a com.ibm.wsspi.wssecurity.SoapSecurityException if an error condition occurs. This class is the same implementation as the one used in WebSphere Application Server Version 6.1.
The token generator class must implement the com.ibm.websphere.wssecurity.wssapi.token.Generatable interface. The token generator class name for the request generator must correspond to the token consumer class name for the request consumer. For example, if your application requires a security token generator, you can specify the com.ibm.websphere.wssecurity.wssapi.token.SecurityTokenImpl class name.
The JAAS login module implementation handles the following arguments passed from the default token generator to the JAAS LoginModule (direction: default token generator > LoginModule). The types of key information are EMB, KEYID, STRREF, THUMBPRINT, and X509ISSUER; the types of key are SigningKey and EncryptingKey. The login module in turn passes arguments back to the default token generator; those are listed in the last table of the generator-side section.
Custom properties are name-value pairs of data that are passed to and from the JAAS Login Module during configuration on the generator side. The Property name column shows the name of the custom property, followed in parentheses by its string value; the name must match the name of a configuration property or setting that the JAAS Login Module understands and expects. The Property value column shows the configuration setting that is passed to the JAAS Login Module during configuration.
Message context:

Property name | Property value |
---|---|
com.ibm.wsspi.wssecurity.core.Constants.WSSECURITY_MESSAGE_CONTEXT (com.ibm.wsspi.wssecurity.core.messageContext) | The MessageContext instance. |

Key type and algorithm when the generator needs a signing key:

Property name | Property value |
---|---|
com.ibm.wsspi.wssecurity.core.Constants.WSSECURITY_KEY_TYPE (com.ibm.wsspi.wssecurity.keyinfo.keytype) | The type of key: SigningKey. |
com.ibm.wsspi.wssecurity.core.Constants.WSSECURITY_KEY_ALGORITHM (com.ibm.wsspi.wssecurity.keyinfo.keyAlgorithm) | The algorithm used for the signing operation. |

Key type and algorithm when the generator needs an encrypting key:

Property name | Property value |
---|---|
com.ibm.wsspi.wssecurity.core.Constants.WSSECURITY_KEY_TYPE (com.ibm.wsspi.wssecurity.keyinfo.keytype) | The type of key: EncryptingKey. |
com.ibm.wsspi.wssecurity.core.Constants.WSSECURITY_KEY_ALGORITHM (com.ibm.wsspi.wssecurity.keyinfo.keyAlgorithm) | The algorithm used for the encryption operation. |

Key information:

Property name | Property value |
---|---|
com.ibm.wsspi.wssecurity.core.Constants.WSSECURITY_KEYINFO_TYPE (com.ibm.wsspi.wssecurity.keyinfo.type) | The type of key information: EMB, KEYID, STRREF, THUMBPRINT, or X509ISSUER. |
com.ibm.wsspi.wssecurity.core.Constants.WSSECURITY_KEY_ENCODING (com.ibm.wsspi.wssecurity.keyinfo.Encoding) | The encoding type of the key identifier, if the CommonContentGenerator invokes the CommonTokenGenerator with the KEYID or THUMBPRINT type of key information. |
com.ibm.wsspi.wssecurity.core.Constants.WSSECURITY_KEY_IDTYPE (com.ibm.wsspi.wssecurity.keyinfo.idType) | The calculation method of the key identifier, if the CommonContentGenerator invokes the CommonTokenGenerator with the KEYID type of key information. |

Token login information:

Property name | Property value |
---|---|
com.ibm.wsspi.wssecurity.core.Constants.WSSECURITY_TOKEN_LOGININFO (com.ibm.wsspi.wssecurity.token.loginInfo) | The security token that the JAAS Login Module creates. |

Token generator configuration and processing element:

Property name | Property value |
---|---|
com.ibm.wsspi.wssecurity.core.config.TokenGeneratorConfig.CONFIG_KEY (com.ibm.wsspi.wssecurity.config.tokenGenerator.configKey) | The configuration of the token generator. |
com.ibm.wsspi.wssecurity.core.Constants.AXIOM_PROCESSING_ELEMENT (com.ibm.ws.wssecurity.common.Constants.PROCESSING_ELEMENT) | The parent element of the security token, as an OMElement. |
com.ibm.wsspi.wssecurity.core.Constants.DOM_PROCESSING_ELEMENT (com.ibm.wsspi.wssecurity.domProcessingElement) | The parent element of the security token, as a DOM Element. This property has a value only when the custom property com.ibm.wsspi.wssecurity.domElementEnabled is set to true in the token generator and token consumer bindings. |
The JAAS login module implementation returns the following arguments to the default token generator (direction: LoginModule > default token generator):

Property name | Property value |
---|---|
com.ibm.wsspi.wssecurity.core.Constants.WSSECURITY_TOKEN_LOGININFO (com.ibm.wsspi.wssecurity.token.loginInfo) | A list of security tokens, or one security token, that the JAAS Login Module creates. |
com.ibm.wsspi.wssecurity.core.Constants.WSSECURITY_ELEM_INSERT_TO_MESSAGE | True if the security tokens received from the JAAS Login Module are to be inserted into the message. |
com.ibm.wsspi.wssecurity.core.Constants.WSSECURITY_REFERENCED_TOKEN | The security token that the other tokens in the list reference. This token is inserted first in the <wsse:Security> header. |
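As an added illustration of the generator-side flow described above (example code written for this page, not the Feature Pack's own UsernameTokenGenerator or its login module), the following standard-JAAS login module obtains the user name and password through the CallbackHandler, fails closed when the runtime asks it for a SigningKey or EncryptingKey (a Username token carries no key material), and hands the created token back under the loginInfo property. It assumes that the runtime delivers the name-value pairs from the tables above in the sharedState map given to LoginModule.initialize; the UsernameToken class, the generate driver and the credentials are stand-ins constructed for the example, not the IBM SecurityToken classes.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** Generator-side JAAS login module: builds a Username token from data obtained through the CallbackHandler. */
public final class UsernameTokenGenerateLoginModule implements LoginModule {
    // Property keys (string values of the Constants fields) exactly as listed in the generator-side tables.
    static final String KEY_TYPE   = "com.ibm.wsspi.wssecurity.keyinfo.keytype";
    static final String LOGIN_INFO = "com.ibm.wsspi.wssecurity.token.loginInfo";

    /** Hypothetical stand-in for the runtime's SecurityToken object; not an IBM class. */
    static final class UsernameToken {
        final String username; final char[] password;
        UsernameToken(String u, char[] p) { username = u; password = p; }
    }

    private Subject subject;
    private CallbackHandler handler;
    private Map<String, Object> sharedState;
    private UsernameToken token;

    @Override @SuppressWarnings("unchecked")
    public void initialize(Subject subject, CallbackHandler handler, Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
        this.sharedState = (Map<String, Object>) sharedState; // assumption: the runtime delivers the properties here
    }

    @Override
    public boolean login() throws LoginException {
        // A Username token carries no key material, so a SigningKey/EncryptingKey request is a misconfiguration:
        // fail closed rather than emit a token the runtime cannot use for the requested operation.
        Object keyType = sharedState.get(KEY_TYPE);
        if (keyType != null) throw new LoginException("Username token cannot supply a " + keyType);
        if (handler == null) throw new LoginException("no CallbackHandler: cannot obtain credentials");
        NameCallback nameCb = new NameCallback("username");
        PasswordCallback pwCb = new PasswordCallback("password", false);
        try {
            handler.handle(new Callback[] { nameCb, pwCb }); // the runtime's handler supplies the authentication data
        } catch (IOException | UnsupportedCallbackException e) {
            throw (LoginException) new LoginException("credential callback failed").initCause(e);
        }
        String user = nameCb.getName();
        char[] pw = pwCb.getPassword(); // returns a copy; clear the callback's own copy right away
        pwCb.clearPassword();
        if (user == null || user.isEmpty() || pw == null || pw.length == 0) {
            throw new FailedLoginException("username and password are both required for a Username token");
        }
        token = new UsernameToken(user, pw);
        return true;
    }

    @Override
    public boolean commit() {
        if (token == null) return false;
        subject.getPrivateCredentials().add(token);
        sharedState.put(LOGIN_INFO, token); // hand the created token back under the loginInfo property
        return true;
    }

    @Override public boolean abort() { token = null; return true; }
    @Override public boolean logout() { subject.getPrivateCredentials().remove(token); token = null; return true; }

    /** Drives the JAAS lifecycle the way a token generator would, with an in-memory CallbackHandler (constructed). */
    static UsernameToken generate(Map<String, Object> props, String user, String password) throws LoginException {
        CallbackHandler h = callbacks -> {
            for (Callback c : callbacks) {
                if (c instanceof NameCallback) ((NameCallback) c).setName(user);
                else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword(password == null ? null : password.toCharArray());
                else throw new UnsupportedCallbackException(c);
            }
        };
        UsernameTokenGenerateLoginModule lm = new UsernameTokenGenerateLoginModule();
        lm.initialize(new Subject(), h, props, new HashMap<>());
        try { lm.login(); lm.commit(); } catch (LoginException e) { lm.abort(); throw e; }
        return (UsernameToken) props.get(LOGIN_INFO);
    }

    public static void main(String[] args) throws Exception {
        Map<String, Object> props = new HashMap<>(); // constructed: what the default token generator would pass
        System.out.println("created token for " + generate(props, "alice", "s3cret").username);
        try { generate(new HashMap<>(), "alice", ""); } catch (LoginException e) { System.out.println("rejected: " + e.getMessage()); }
        Map<String, Object> signing = new HashMap<>(); signing.put(KEY_TYPE, "SigningKey");
        try { generate(signing, "alice", "s3cret"); } catch (LoginException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

The two rejected cases in main are the ones worth keeping in a real module: an empty password must never produce a token, and a key-type request that the token type cannot satisfy should fail at login() rather than be silently ignored, because the runtime will otherwise try to sign or encrypt with a token that has no key.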
The JAAS login module implementation handles the following arguments passed from the default token consumer to the JAAS LoginModule (direction: default token consumer > JAAS LoginModule). The types of key information are EMB, KEYID, STRREF, THUMBPRINT, and X509ISSUER; the types of key are VerifyingKey and DecryptingKey. The tables that follow describe the default implementations of the service provider interfaces (SPI) for Web services security used with the Feature Pack for Web Services on the consumer side; the argument that the login module passes back to the default token consumer is listed in the last table.
Custom properties are name-value pairs of data that are passed to and from the JAAS Login Module during configuration on the consumer side. The Property name column shows the name of the custom property, followed in parentheses by its string value; the name must match the name of a configuration property or setting that the JAAS Login Module understands and expects. The Property value column shows the configuration setting that is passed to the JAAS Login Module during configuration.
Message context:

Property name | Property value |
---|---|
com.ibm.wsspi.wssecurity.core.Constants.WSSECURITY_MESSAGE_CONTEXT (com.ibm.wsspi.wssecurity.core.messageContext) | The MessageContext instance. |

Key type and algorithm when the consumer needs a verifying key:

Property name | Property value |
---|---|
com.ibm.wsspi.wssecurity.core.Constants.WSSECURITY_KEY_TYPE (com.ibm.wsspi.wssecurity.keyinfo.keytype) | The type of key: VerifyingKey. |
com.ibm.wsspi.wssecurity.core.Constants.WSSECURITY_KEY_ALGORITHM (com.ibm.wsspi.wssecurity.keyinfo.keyAlgorithm) | The algorithm used for the signature verification operation. |

Key type and algorithm when the consumer needs a decrypting key:

Property name | Property value |
---|---|
com.ibm.wsspi.wssecurity.core.Constants.WSSECURITY_KEY_TYPE (com.ibm.wsspi.wssecurity.keyinfo.keytype) | The type of key: DecryptingKey. |
com.ibm.wsspi.wssecurity.core.Constants.WSSECURITY_KEY_ALGORITHM (com.ibm.wsspi.wssecurity.keyinfo.keyAlgorithm) | The algorithm used for the decryption operation. |

Key information:

Property name | Property value |
---|---|
com.ibm.wsspi.wssecurity.core.Constants.WSSECURITY_KEYINFO_TYPE (com.ibm.wsspi.wssecurity.keyinfo.type) | The type of key information: EMB, KEYID, STRREF, THUMBPRINT, or X509ISSUER. |
com.ibm.wsspi.wssecurity.core.Constants.WSSECURITY_KEY_EMBID (com.ibm.wsspi.wssecurity.keyinfo.embeddedId) | The identifier of the <wsse:Embedded> element, if the CommonContentConsumer invokes the CommonTokenConsumer with the EMB type of key information. |
com.ibm.wsspi.wssecurity.core.Constants.WSSECURITY_KEY_ID (com.ibm.wsspi.wssecurity.keyinfo.id) | The key identifier of the token, if the CommonContentConsumer invokes the CommonTokenConsumer with the KEYID type of key information. |
com.ibm.wsspi.wssecurity.core.Constants.WSSECURITY_KEY_THUMBPRINT_REFERENCE (com.ibm.wsspi.wssecurity.keyinfo.thumbprintReference) | The thumbprint reference of the token, if the CommonContentConsumer invokes the CommonTokenConsumer with the THUMBPRINT type of key information. |
com.ibm.wsspi.wssecurity.core.Constants.WSSECURITY_KEY_REFERENCE (com.ibm.wsspi.wssecurity.keyinfo.reference) | The reference URI of the token, if the CommonContentConsumer invokes the CommonTokenConsumer with the STRREF type of key information. |
com.ibm.wsspi.wssecurity.core.Constants.WSSECURITY_KEY_ISSUERNAME (com.ibm.wsspi.wssecurity.keyinfo.issuerName) | The issuer name of the token, if the CommonContentConsumer invokes the CommonTokenConsumer with the X509ISSUER type of key information. |
com.ibm.wsspi.wssecurity.core.Constants.WSSECURITY_KEY_ISSUERSERIAL (com.ibm.wsspi.wssecurity.keyinfo.issuerSerial) | The issuer serial number of the token, if the CommonContentConsumer invokes the CommonTokenConsumer with the X509ISSUER type of key information. |
com.ibm.wsspi.wssecurity.core.Constants.WSSECURITY_KEY_VALUETYPE (com.ibm.wsspi.wssecurity.keyinfo.ValueType) | The value type of the key identifier, if the CommonContentConsumer invokes the CommonTokenConsumer with the KEYID or THUMBPRINT type of key information. |
com.ibm.wsspi.wssecurity.core.Constants.WSSECURITY_KEY_ENCODING (com.ibm.wsspi.wssecurity.keyinfo.Encoding) | The encoding type of the key identifier, if the CommonContentConsumer invokes the CommonTokenConsumer with the KEYID or THUMBPRINT type of key information. |
com.ibm.wsspi.wssecurity.core.Constants.WSSECURITY_KEY_IDTYPE (com.ibm.wsspi.wssecurity.keyinfo.idType) | The calculation method of the key identifier, if the CommonContentConsumer invokes the CommonTokenConsumer with the KEYID type of key information. |

Token login information:

Property name | Property value |
---|---|
com.ibm.wsspi.wssecurity.core.Constants.WSSECURITY_TOKEN_LOGININFO (com.ibm.wsspi.wssecurity.token.loginInfo) | The security token that the JAAS Login Module creates. |

Token consumer configuration and processing element:

Property name | Property value |
---|---|
com.ibm.wsspi.wssecurity.core.config.TokenConsumerConfig.CONFIG_KEY (com.ibm.wsspi.wssecurity.config.tokenConsumer.configKey) | The configuration of the token consumer. |
com.ibm.wsspi.wssecurity.core.Constants.AXIOM_PROCESSING_ELEMENT (com.ibm.ws.wssecurity.common.Constants.PROCESSING_ELEMENT) | The parent element of the security token, as an OMElement. |
com.ibm.wsspi.wssecurity.core.Constants.DOM_PROCESSING_ELEMENT (com.ibm.wsspi.wssecurity.domProcessingElement) | The parent element of the security token, as a DOM Element. This property has a value only when the custom property com.ibm.wsspi.wssecurity.domElementEnabled is set to true in the token generator and token consumer bindings. |
The JAAS login module implementation returns the following argument to the default token consumer (direction: JAAS LoginModule > default token consumer):

Property name | Property value |
---|---|
com.ibm.wsspi.wssecurity.core.Constants.WSSECURITY_TOKEN_LOGININFO (com.ibm.wsspi.wssecurity.token.loginInfo) | The security token that the JAAS Login Module creates. |
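As an added example of the consumer-side validation step (written for this page; it is not the Feature Pack's UsernameTokenConsumer or its login module), the following method does what a consumer-side login() would do with the Username token XML that the runtime passes in: parse it with DTD processing disabled, require that the STRREF reference URI from the key-information table matches the token's wsu:Id, refuse a VerifyingKey or DecryptingKey request (a Username token carries no key), and check a PasswordText password against a credential store with a constant-time comparison. The property keys are the string values from the tables above; the credential store, the sample token XML and the ValidatedToken class are constructed stand-ins, and a real SPI implementation would report failures with com.ibm.wsspi.wssecurity.SoapSecurityException rather than the plain javax.security.auth.login.LoginException used here.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Consumer-side validation of a Username token, as a login module's login() step would run it. */
public final class UsernameTokenValidator {
    static final String WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String WSU  = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    static final String PASSWORD_TEXT = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText";
    // Property keys (string values of the Constants fields) from the consumer-side tables.
    static final String KEY_TYPE      = "com.ibm.wsspi.wssecurity.keyinfo.keytype";
    static final String KEYINFO_TYPE  = "com.ibm.wsspi.wssecurity.keyinfo.type";
    static final String KEY_REFERENCE = "com.ibm.wsspi.wssecurity.keyinfo.reference";

    /** Hypothetical stand-in for the SecurityToken object handed back to the runtime; not an IBM class. */
    static final class ValidatedToken {
        final String username; final String id;
        ValidatedToken(String username, String id) { this.username = username; this.id = id; }
    }

    static ValidatedToken validate(Map<String, Object> props, String tokenXml, Map<String, char[]> users)
            throws LoginException {
        // A Username token carries no key; refuse to serve a VerifyingKey/DecryptingKey request with it.
        if (props.get(KEY_TYPE) != null) {
            throw new LoginException("Username token cannot serve as " + props.get(KEY_TYPE));
        }
        Element tok;
        try {
            DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
            f.setNamespaceAware(true);
            f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD: blocks XXE and entity expansion
            f.setXIncludeAware(false);
            f.setExpandEntityReferences(false);
            DocumentBuilder b = f.newDocumentBuilder();
            tok = b.parse(new ByteArrayInputStream(tokenXml.getBytes(StandardCharsets.UTF_8))).getDocumentElement();
        } catch (Exception e) {
            throw (LoginException) new LoginException("malformed token XML").initCause(e);
        }
        if (!WSSE.equals(tok.getNamespaceURI()) || !"UsernameToken".equals(tok.getLocalName())) {
            throw new LoginException("expected wsse:UsernameToken, got " + tok.getTagName());
        }
        // If the header referenced the token by STRREF, the reference URI must point at exactly this element.
        String id = tok.getAttributeNS(WSU, "Id");
        Object kiType = props.get(KEYINFO_TYPE);
        if ("STRREF".equals(kiType)) {
            String ref = String.valueOf(props.get(KEY_REFERENCE));
            if (id.isEmpty() || !ref.equals("#" + id)) {
                throw new LoginException("reference " + ref + " does not match token wsu:Id '" + id + "'");
            }
        } else if (kiType != null) {
            throw new LoginException("unsupported key information type for a Username token: " + kiType);
        }
        String user = text(tok, "Username");
        Element pwEl = child(tok, "Password");
        if (user == null || user.isEmpty() || pwEl == null) throw new FailedLoginException("Username and Password are required");
        String type = pwEl.getAttribute("Type"); // absent means PasswordText per the Username Token Profile
        if (!type.isEmpty() && !PASSWORD_TEXT.equals(type)) {
            throw new LoginException("only PasswordText is handled here; got " + type);
        }
        char[] expected = users.get(user);
        byte[] given = pwEl.getTextContent().getBytes(StandardCharsets.UTF_8);
        byte[] stored = expected == null ? new byte[0] : new String(expected).getBytes(StandardCharsets.UTF_8);
        if (expected == null || !MessageDigest.isEqual(given, stored)) { // constant-time comparison
            throw new FailedLoginException("authentication failed");
        }
        return new ValidatedToken(user, id);
    }

    /** Returns the single wsse child with the given local name, or null if absent or duplicated (ambiguous token). */
    private static Element child(Element parent, String local) {
        NodeList nl = parent.getElementsByTagNameNS(WSSE, local);
        return nl.getLength() == 1 ? (Element) nl.item(0) : null;
    }

    private static String text(Element parent, String local) {
        Element e = child(parent, local);
        return e == null ? null : e.getTextContent().trim();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample token and credential store, not captured from a real exchange.
        String xml = "<wsse:UsernameToken xmlns:wsse=\"" + WSSE + "\" xmlns:wsu=\"" + WSU + "\" wsu:Id=\"UsernameToken-1\">"
            + "<wsse:Username>alice</wsse:Username>"
            + "<wsse:Password Type=\"" + PASSWORD_TEXT + "\">s3cret</wsse:Password></wsse:UsernameToken>";
        Map<String, char[]> users = new HashMap<>();
        users.put("alice", "s3cret".toCharArray());
        Map<String, Object> props = new HashMap<>(); // what the default token consumer would pass to the login module
        props.put(KEYINFO_TYPE, "STRREF");
        props.put(KEY_REFERENCE, "#UsernameToken-1");
        System.out.println("accepted: " + validate(props, xml, users).username);
        props.put(KEY_REFERENCE, "#UsernameToken-2");
        try { validate(props, xml, users); } catch (LoginException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

The reference check is the part that is easy to omit and costly to get wrong: the keyinfo.reference property tells the login module which token the security header claims to be using, and a consumer that authenticates whatever wsse:UsernameToken it is handed without matching it to that reference lets an attacker substitute a different token element than the one the signature or policy refers to.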