In this example, security tokens are propagated using Web services
security, the security infrastructure of the WebSphere Application Server,
and Java 2 Platform, Enterprise Edition (J2EE) security.
Important: There is an important distinction between Version 5.x and Version 6 and later applications. The information in this article applies only to Version 5.x applications that are used with WebSphere Application Server Version 6.0.x and later. It does not apply to Version 6.0.x and later applications.
An example scenario
In this example, Client 1 invokes Web services 1. Web services 1 then calls the Enterprise JavaBeans (EJB) file 2. EJB file 2 calls Web services 3, and Web services 3 calls Web services 4.
Figure 1. Propagating security tokens
The previous figure shows security tokens propagated
using Web services security, the security infrastructure of the WebSphere
Application Server, and Java 2 Platform, Enterprise Edition (J2EE) security.
Web services 1 is configured to accept <wsse:UsernameToken> only and to use the BasicAuth authentication method. However, Web services 4 is configured to accept either <wsse:UsernameToken> using the BasicAuth authentication method or Lightweight Third Party Authentication (LTPA) as <wsse:BinarySecurityToken>.
The following steps describe the scenario shown in the previous figure:
- Client 1 sends a SOAP message to Web services 1 with user1 and password in the <wsse:UsernameToken> element.
- The user1 and password values are authenticated by the Web services security run time and set in the current security context as the Java Authentication and Authorization Service (JAAS) Subject.
- Web services 1 invokes EJB file 2 using the Remote Method Invocation over the Internet Inter-ORB Protocol (RMI/IIOP) protocol.
- The user1 identity is propagated to the downstream call.
- The EJB container of EJB file 2 performs an authorization check against user1.
- EJB file 2 calls Web services 3, and Web services 3 is configured to accept LTPA tokens.
- The RunAs role of EJB file 2 is set to user2.
- The LTPA CallbackHandler implementation extracts the LTPA token from the current JAAS Subject in the security context, and the Web services security run time inserts the token as <wsse:BinarySecurityToken> in the SOAP header.
- The Web services security run time in Web services 3 calls the JAAS login configuration to validate the LTPA token and set it in the current security context as the JAAS Subject.
- Web services 3 is configured to send an LTPA token to Web services 4. In this case, assume that the RunAs role is not configured for Web services 3. The LTPA token of user2 is propagated to Web services 4.
- Client 2 uses the <wsse:UsernameToken> element to propagate the basic authentication data to Web services 4.
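The following Python script is an added illustration of the token-acceptance rules and the hop-by-hop propagation described above; it is not code from the WebSphere product or from this article. It builds minimal SOAP envelopes carrying either a <wsse:UsernameToken> or a <wsse:BinarySecurityToken>, classifies the tokens in the wsse:Security header, and checks them against a per-endpoint policy that mirrors the scenario (Web services 1 accepts UsernameToken only, Web services 3 accepts LTPA only, Web services 4 accepts either). The endpoint names, the ValueType URI used to mark an LTPA token, the password store, and the base64 "LTPA" blob are all constructed placeholders; a real LTPA token is an opaque, signed value issued by the server, and real validation is done by the JAAS login configuration, not by string matching.

```python
import base64
import hmac
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Real WS-Security 1.0 and SOAP 1.1 namespace URIs.
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
B64_ENCODING = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
NS = {"soap": SOAP_NS, "wsse": WSSE_NS}

# Placeholder ValueType used here to mark an LTPA BinarySecurityToken
# (constructed for the example, not the product's real URI).
LTPA_VALUETYPE = "urn:example:tokentype:LTPA"

# Per-endpoint acceptance policy mirroring the scenario in the article.
ENDPOINT_POLICY = {
    "WebServices1": {"UsernameToken"},
    "WebServices3": {"LTPA"},
    "WebServices4": {"UsernameToken", "LTPA"},
}

# Constructed credential store for the example only.
PASSWORDS = {"user1": "secret1"}


def build_envelope(token_xml):
    """Wrap a wsse token in a minimal SOAP envelope with a wsse:Security header."""
    return (
        f'<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:wsse="{WSSE_NS}">'
        f"<soap:Header><wsse:Security>{token_xml}</wsse:Security></soap:Header>"
        f"<soap:Body/></soap:Envelope>"
    )


def username_token(user, password):
    """BasicAuth-style UsernameToken; values are XML-escaped before insertion."""
    return (
        f"<wsse:UsernameToken><wsse:Username>{escape(user)}</wsse:Username>"
        f"<wsse:Password>{escape(password)}</wsse:Password></wsse:UsernameToken>"
    )


def ltpa_token(subject_user):
    """Constructed stand-in for the LTPA token the CallbackHandler pulls from the JAAS Subject."""
    raw = base64.b64encode(f"LTPA-for:{subject_user}".encode()).decode()
    return (
        f'<wsse:BinarySecurityToken ValueType="{LTPA_VALUETYPE}" '
        f'EncodingType="{B64_ENCODING}">{raw}</wsse:BinarySecurityToken>'
    )


def classify_tokens(envelope_xml):
    """Return (kind, value, secret) tuples for each token in the wsse:Security header."""
    root = ET.fromstring(envelope_xml)
    sec = root.find("soap:Header/wsse:Security", NS)
    found = []
    if sec is None:
        return found
    for el in sec:
        local = el.tag.split("}")[1]
        if local == "UsernameToken":
            found.append(("UsernameToken",
                          el.findtext("wsse:Username", namespaces=NS),
                          el.findtext("wsse:Password", namespaces=NS)))
        elif local == "BinarySecurityToken" and el.get("ValueType") == LTPA_VALUETYPE:
            found.append(("LTPA", el.text, None))
    return found


def authenticate(endpoint, envelope_xml):
    """Simulate the WS-Security run time at an endpoint: accept the first token its
    policy allows and return the principal that becomes the JAAS Subject.
    Tokens the policy does not list are ignored even if they would validate."""
    allowed = ENDPOINT_POLICY[endpoint]
    for kind, value, secret in classify_tokens(envelope_xml):
        if kind not in allowed:
            continue
        if kind == "UsernameToken":
            stored = PASSWORDS.get(value)
            if stored is not None and hmac.compare_digest(stored, secret or ""):
                return value
        elif kind == "LTPA":
            decoded = base64.b64decode(value).decode()
            if decoded.startswith("LTPA-for:"):
                return decoded.split(":", 1)[1]
    raise PermissionError(f"{endpoint}: no acceptable security token")


def is_rejected(endpoint, envelope_xml):
    """True when the endpoint's policy accepts none of the tokens in the message."""
    try:
        authenticate(endpoint, envelope_xml)
        return False
    except PermissionError:
        return True


def propagate_chain():
    """Walk the hops of the scenario and return the principal seen at each endpoint."""
    seen = {}
    # Client 1 -> Web services 1: UsernameToken with BasicAuth.
    seen["WebServices1"] = authenticate("WebServices1", build_envelope(username_token("user1", "secret1")))
    # EJB file 2 runs as user2; its Subject's LTPA token goes to Web services 3.
    seen["WebServices3"] = authenticate("WebServices3", build_envelope(ltpa_token("user2")))
    # No RunAs on Web services 3: the same user2 LTPA token travels on to Web services 4.
    seen["WebServices4"] = authenticate("WebServices4", build_envelope(ltpa_token(seen["WebServices3"])))
    return seen
```

Running propagate_chain() shows user1 at Web services 1 and user2 at Web services 3 and 4, which is the identity switch the RunAs role on EJB file 2 introduces. The policy check in authenticate is the point to watch in a real deployment: an endpoint configured for UsernameToken only must reject an otherwise valid LTPA token rather than fall through to it, and the same holds in reverse.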
Web services security complements the WebSphere Application Server
security run time and the J2EE role-based security. This example demonstrates
how to propagate security tokens across multiple resources such as Web services
and EJB files.