The following information describes how to configure a
pluggable token using an assembly tool.
Before you begin
Important: There is a distinction
between Version 5.x and Version 6 and later applications.
This information applies only to Version 5.x applications that
are used with WebSphere® Application Server Version 6.0.x and
later. It does not apply to Version 6.0.x and
later applications.
This document describes
how to configure a pluggable token in the request sender (ibm-webservicesclient-ext.xmi and ibm-webservicesclient-bnd.xmi files)
and request receiver (ibm-webservices-ext.xmi and ibm-webservices-bnd.xmi files).
The pluggable token is required for the request sender
and request receiver because they are a pair. The request sender and
the request receiver must match for the receiver to accept a request.
Prior to completing these steps, it is assumed that you have already created
a web service that is based on the Java™ Platform, Enterprise Edition (Java EE)
specification. See either of the following topics for an introduction
to how to manage Web Services Security binding information for the
server:
About this task
You must specify the security constraints in the ibm-webservicesclient-ext.xmi and
the ibm-webservices-ext.xmi files for the required
tokens using an IBM® assembly tool.
Complete the following
steps to configure the request sender using the ibm-webservicesclient-ext.xmi and ibm-webservicesclient-bnd.xmi files:
Procedure
- Launch an assembly tool.
For more information,
read about assembly tools.
- Switch to the Java EE
perspective. Click .
- Click .
- Right-click the application-client.xml file,
select .
- Click the WS Extension tab.
The web service client security extensions editor is displayed.
- Under Service References, select an existing service
reference or click Add to create a new reference.
- Under Port Qname Bindings, select an existing port qualified
name for the selected service reference or click Add to
create a new port name binding.
- Under Request Sender Configuration: Login Configuration,
select an existing authentication method or type a new one in the
editable list box (Lightweight Third Party Authorization (LTPA) is
a supported token generation method when the web service acts as the client).
- Click to save the changes.
- Click the Web services client binding tab.
The web services client binding editor is displayed.
- Under Port qualified name binding, select an existing
entry or click Add to add a new port name binding.
The web services client binding editor displays for the selected
port.
- Under Login binding, click Edit or Enable.
The Login Binding dialog box is displayed.
- In the Authentication Method field, enter the authentication method.
The authentication method that you enter in this field must match
the authentication method defined on the Security Extension tab
for the same web service port. This field is mandatory.
- (Optional) Enter the token value type information in the URI and
Local name fields. These fields are ignored for the BasicAuth, Signature,
and IDAssertion authentication methods, but required for other authentication
methods. The token value type information is inserted into the <wsse:BinarySecurityToken>@ValueType
element for binary security token and is used as the namespace for
the XML-based token.
- Enter an implementation of the Java Authentication and Authorization Service (JAAS)
javax.security.auth.callback.CallbackHandler interface.
This field is mandatory.
- Enter the basic authentication information in the User
ID and Password fields. The basic
authentication information is passed to the constructor of the
CallbackHandler implementation.
How the basic authentication information is used depends on the implementation
of CallbackHandler.
- In the Property field, add name and value pairs. These pairs are
passed to the constructor of the CallbackHandler implementation
as java.util.Map values.
- Click OK.
Click Disable under Login binding on
the Web services client port binding tab to
remove the authentication method login binding.
- Click to save the changes.
- In the Package Explorer window, right-click the webservices.xml file
and click .
The Web Services
window displays.
- Click the Security extensions tab.
The Web Service Security extensions editor is displayed.
- Under Web Services Description Extension, select an existing service
reference or click Add to create a new extension.
- Under Port Component Binding, select an existing port qualified
name for the selected service reference or click Add to
create a new one.
- Under Request Receiver Service Configuration Details: Login Configuration,
select an existing authentication method or click Add and
enter a new method in the Add AuthMethod field
that displays. You can select multiple authentication methods for
the request receiver. The security token of the incoming message is
authenticated against the authentication methods in the order in which
they are specified in the list. Click Remove to
remove the selected authentication method or methods.
- Click to save the changes.
- Click the Bindings tab.
The web services bindings editor is displayed.
- Under web service description bindings, select an existing entry
or click Add to add a new web services descriptor.
- Click the Binding configurations tab. The
web services binding configurations editor is displayed for the selected
web services descriptor.
- Under Request receiver binding configuration details: login mapping,
click Add to create a new login mapping or
click Edit to edit the selected login mapping.
The Login mapping dialog is displayed.
- In the Authentication method field, enter the authentication method.
The information entered in this field must match the authentication
method defined on the Security Extensions tab
for the same web service port. This field is mandatory.
- In the Configuration name field, enter
a JAAS login configuration name. This field is mandatory. You
must define the JAAS login configuration name in the WebSphere Application
Server administrative console under . Under Authentication,
click . For more information, read about configuring programmatic
logins for Java Authentication and Authorization Service.
- (Optional) Select Use Token value type and
enter the token value type information in the URI and Local name fields.
This information is optional for BasicAuth, Signature and IDAssertion
authentication methods, but required for any other authentication
method. The token value type is used to validate the <wsse:BinarySecurityToken>@ValueType
element for binary security tokens and to validate the namespace of
the XML-based token.
- Under Callback Handler Factory, enter an implementation of the
com.ibm.wsspi.wssecurity.auth.callback.CallbackHandlerFactory interface
in the Class name field. This field is mandatory.
- Under Callback Handler Factory property, click Add and
enter the name and value pairs for the Callback Handler Factory Property.
These name and value pairs are passed as a java.util.Map to
the com.ibm.wsspi.wssecurity.auth.callback.CallbackHandlerFactory.init()
method. How these name and value pairs are used is determined by the CallbackHandlerFactory
implementation.
- Under Login Mapping Property, click Add and
enter the name and value pairs for the Login mapping property. These
name and value pairs are available to the JAAS Login Modules through
the com.ibm.wsspi.wssecurity.auth.callback.PropertyCallback
JAAS Callback interface. Click Remove to delete
the selected login mapping.
- Click OK.
- Click to save the changes.
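The request sender steps above require a javax.security.auth.callback.CallbackHandler implementation whose constructor receives the User ID, Password and Property values from the Login Binding dialog. The following class is an added example, not IBM's code; it assumes the constructor shape (String, char[], java.util.Map) and that the runtime drives it with NameCallback and PasswordCallback. It uses Java 1.4 syntax to match Version 5.x applications.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;

// Class named in the Login Binding dialog (hypothetical name).
public class PluggableTokenCallbackHandler implements CallbackHandler {
    private final String userId;
    private final char[] password;
    private final Map properties;

    // Assumed constructor shape: the binding's User ID, Password and
    // Property name/value pairs (as a java.util.Map) arrive here.
    public PluggableTokenCallbackHandler(String userId, char[] password, Map properties) {
        this.userId = userId;
        // Defensive copy so a caller cannot change the secret after construction.
        this.password = (password == null) ? new char[0] : (char[]) password.clone();
        this.properties = (properties == null)
                ? Collections.EMPTY_MAP : Collections.unmodifiableMap(new HashMap(properties));
    }

    // Called by the token generator; only the two expected callback types
    // are answered, anything else is rejected rather than left blank.
    public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
            if (callbacks[i] instanceof NameCallback) {
                ((NameCallback) callbacks[i]).setName(userId);
            } else if (callbacks[i] instanceof PasswordCallback) {
                ((PasswordCallback) callbacks[i]).setPassword(password);
            } else {
                throw new UnsupportedCallbackException(callbacks[i],
                        "Unsupported callback: " + callbacks[i].getClass().getName());
            }
        }
    }

    // Example of consuming a binding Property; "token.realm" is a constructed key.
    public String getRealm() {
        String realm = (String) properties.get("token.realm");
        return (realm == null) ? "" : realm;
    }
}
```

Because the User ID and Password are stored in ibm-webservicesclient-bnd.xmi, restrict read access to the deployed module's configuration as you would any credential file.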
Results
The previous steps describe how to configure the
request sender to create security tokens in the SOAP message and how to
configure the request receiver to validate the security tokens found
in the incoming SOAP message. WebSphere Application Server
supports pluggable security tokens. You can use the
authentication method defined in the login bindings and login mappings
to generate security tokens in the request sender and validate security
tokens in the request receiver.
What to do next
After you configure pluggable tokens, you must
configure both the client and the server to support pluggable tokens.
See the following topics to configure the client and the server: