The request receiver defines the security requirement of the SOAP
message. The security handler on the request receiver side of the SOAP message
enforces the security specifications that are defined in the IBM® extension
deployment descriptor (ibm-webservices-ext.xmi) and bindings (ibm-webservices-bnd.xmi).
Important: There is an important distinction between Version 5.x and
Version 6 and later applications. The information in this article supports
Version 5.x applications only that are used with WebSphere® Application
Server Version 6.0.x and later. The information does not apply to Version
6 and later applications.
The security constraint for request sender must match the security requirement
of the request receiver for the server to accept the request. If the incoming
SOAP message does not meet all the security requirements defined, then the
request is rejected with the appropriate fault code returned to the sender.
For security tokens, the token is validated using Java™ Authentication and Authorization Service
(JAAS) login configuration and authenticated identity is set as the identity
for the downstream invocation.
For example, if there is a security requirement to have the SOAP body digitally
signed by Joe Smith and if the SOAP body of the incoming SOAP message is not
signed by Joe Smith, then the request is rejected.
You can define the following security requirements for the request receiver:
- Required integrity (digital signature)
- You can select multiple parts of a message to sign digitally. The following
list contains the integrity options:
- Body
- Time stamp
- Security token
- Required confidentiality (encryption)
- You can select multiple parts of a message to encrypt. The following list
contains the confidentiality options:
You can have multiple security tokens. The following list contains
the security token options:
- Basic authentication, which requires both a user name and a password
- Identity assertion, which requires a user name only
- X.509 binary security token
- Lightweight Third Party Authentication (LTPA) binary security token
- Custom token, which is pluggable and supports custom-defined tokens validated
by the JAAS login configuration
- Received time stamp
- You can have a time stamp for checking the timeliness of the message.