
Signature authentication method


Signature authentication refers to an X.509 certificate that is sent by the client to the server together with a signature made with the certificate's private key. The server uses the certificate to authenticate the client against the user registry configured at the server. When the signature authentication method is used, the security token is generated as a ds:Signature element and a wsse:BinarySecurityToken element, the latter carrying the certificate.

There is an important distinction between V5.x applications and Version 6.0.x and later applications. The information in this article applies only to V5.x applications that run on WAS V6.0.x and later. It does not apply to V6.0.x and later applications.

On the request sender side, a callback handler is invoked to generate the security token. On the request receiver side, a JAAS login module is used to validate the security token. These two operations, token generation and token validation, are described in the following sections.

Signature token generation

The request sender generates a Signature security token using a callback handler. The security token returned by the callback handler is inserted in the SOAP message. The callback handler is specified in the <LoginBinding> element of the bindings file, ibm-webservicesclient-bnd.xmi. WAS provides the following callback handler implementation that can be used with the Signature authentication method: com.ibm.wsspi.wssecurity.auth.callback.NonPromptCallbackHandler

You can add your own callback handlers; they must implement the javax.security.auth.callback.CallbackHandler interface.

Security token validation

The request receiver retrieves the Signature security token from the SOAP message and validates it using a JAAS login module. The <ds:Signature> and <wsse:BinarySecurityToken> elements of the security token are used to perform the validation. If the validation is successful, the login module returns a JAAS Subject, and this Subject is then set as the identity of the running thread. If the validation fails, the request is rejected with a SOAP fault exception.

The JAAS login configuration is specified in the <LoginMapping> element of the bindings file. Default bindings are specified in the ws-security.xml file; you can override them with the application-specific ibm-webservices-bnd.xmi file. The configuration information consists of a CallbackHandlerFactory and a ConfigName.

The CallbackHandlerFactory specifies the name of the class used to create the JAAS CallbackHandler object. WAS provides the com.ibm.wsspi.wssecurity.auth.callback.WSCallbackHandlerFactoryImp CallbackHandlerFactory implementation. The ConfigName specifies a JAAS configuration name entry. WAS first searches security.xml for a matching configuration name entry; if no match is found, it searches the wsjaas.conf file. WAS provides the system.wssecurity.Signature default configuration entry, which is suitable for the signature authentication method.
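The receiver-side validation described in the two paragraphs above (retrieve the wsse:BinarySecurityToken and ds:Signature from the header, validate them, and either return a Subject or reject with a SOAP fault), as an added example in Python. This is not code from this page or from WAS; it models the structural checks a login module must make before it trusts the signature: the token is a Base64-encoded X.509v3 certificate, the signature's SecurityTokenReference points at that token, the signature algorithm is on an allow-list, the signature covers the soap:Body, the Body's wsu:Id is unique in the envelope (a duplicate Id is the signature-wrapping pattern), and the certificate maps to a registry user. Cryptographic verification of ds:SignatureValue and the digests is delegated to an XML-DSig library in a real deployment and is not performed here. The OASIS WSS 1.0 namespace URIs, the SoapFault class, the login wrapper, the thumbprint-keyed registry and the certificate bytes are all constructed assumptions.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# WS-Security 1.0 namespaces (assumed; a V5.x runtime may emit earlier draft URIs).
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
BASE64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ALLOWED_SIG_ALGS = {"http://www.w3.org/2000/09/xmldsig#rsa-sha1"}
WSU_ID = "{%s}Id" % NS["wsu"]

# Constructed stand-in for DER certificate bytes (begins with the ASN.1 SEQUENCE tag).
FAKE_DER = b"\x30\x82\x01\x0a" + b"constructed-not-a-real-certificate"
# Constructed user registry keyed by certificate SHA-1 thumbprint (a real one maps the subject DN).
REGISTRY = {hashlib.sha1(FAKE_DER).hexdigest(): "alice"}


class SoapFault(Exception):
    """Raised when validation fails; the runtime turns this into a SOAP fault."""


def build_envelope(cover_body=True, token_b64=None, wrapped=False):
    """Constructed request as a V5.x client would send it (digest and signature values are placeholders)."""
    token_b64 = token_b64 or base64.b64encode(FAKE_DER).decode()
    signed_uri = "#Body-1" if cover_body else "#Timestamp-1"
    # A wrapped message carries a second element with the Body's wsu:Id (signature-wrapping attempt).
    wrapper = '<Wrapper xmlns="urn:attacker" wsu:Id="Body-1"/>' if wrapped else ""
    return f"""<soapenv:Envelope xmlns:soapenv="{NS['soap']}" xmlns:wsse="{NS['wsse']}"
    xmlns:wsu="{NS['wsu']}" xmlns:ds="{NS['ds']}">
  <soapenv:Header>
    <wsse:Security>{wrapper}
      <wsu:Timestamp wsu:Id="Timestamp-1"><wsu:Created>2004-01-01T00:00:00Z</wsu:Created></wsu:Timestamp>
      <wsse:BinarySecurityToken wsu:Id="X509-1" ValueType="{X509V3}"
          EncodingType="{BASE64}">{token_b64}</wsse:BinarySecurityToken>
      <ds:Signature>
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <ds:Reference URI="{signed_uri}"><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>cGxhY2Vob2xkZXI=</ds:DigestValue></ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue>
        <ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#X509-1" ValueType="{X509V3}"/>
        </wsse:SecurityTokenReference></ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body wsu:Id="Body-1"><getQuote xmlns="urn:example">IBM</getQuote></soapenv:Body>
</soapenv:Envelope>"""


def validate_signature_token(envelope_xml, registry):
    """Receiver-side checks; returns a Subject-like dict or raises SoapFault."""
    root = ET.fromstring(envelope_xml)
    security = root.find("soap:Header/wsse:Security", NS)
    if security is None:
        raise SoapFault("no wsse:Security header")
    bst = security.find("wsse:BinarySecurityToken", NS)
    sig = security.find("ds:Signature", NS)
    if bst is None or sig is None:
        raise SoapFault("signature authentication needs BinarySecurityToken and Signature")
    # 1. The token must be a Base64-encoded X.509v3 certificate.
    if bst.get("ValueType") != X509V3 or bst.get("EncodingType") != BASE64:
        raise SoapFault("unsupported token type")
    try:
        der = base64.b64decode((bst.text or "").strip(), validate=True)
    except ValueError as exc:
        raise SoapFault("token is not valid Base64") from exc
    if not der.startswith(b"\x30"):
        raise SoapFault("token is not a DER SEQUENCE")
    # 2. The signature must name its key by referencing that token, not some other element.
    ref = sig.find("ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference", NS)
    if ref is None or ref.get("URI") != "#" + (bst.get(WSU_ID) or ""):
        raise SoapFault("signature does not reference the security token")
    # 3. Only allow-listed signature algorithms.
    method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
    if method is None or method.get("Algorithm") not in ALLOWED_SIG_ALGS:
        raise SoapFault("signature algorithm not allowed")
    # 4. The signature must cover the Body, and the Body's wsu:Id must be unique in the envelope.
    body = root.find("soap:Body", NS)
    body_id = body.get(WSU_ID) if body is not None else None
    covered = {r.get("URI") for r in sig.findall("ds:SignedInfo/ds:Reference", NS)}
    if not body_id or "#" + body_id not in covered:
        raise SoapFault("Body is not covered by the signature")
    if sum(1 for e in root.iter() if e.get(WSU_ID) == body_id) != 1:
        raise SoapFault("ambiguous wsu:Id on signed Body")
    # 5. Cryptographic verification of SignatureValue and DigestValue goes here (XML-DSig library).
    # 6. Map the certificate to a registry user; that user becomes the JAAS Subject.
    thumbprint = hashlib.sha1(der).hexdigest()
    user = registry.get(thumbprint)
    if user is None:
        raise SoapFault("certificate is not mapped to any registry user")
    return {"principal": user, "thumbprint": thumbprint}


def login(envelope_xml, registry):
    """Outcome as the runtime sees it: a Subject to set on the thread, or a fault to return."""
    try:
        return ("subject", validate_signature_token(envelope_xml, registry))
    except SoapFault as fault:
        return ("fault", str(fault))
```

Running `login(build_envelope(), REGISTRY)` yields a Subject for alice; a message whose signature covers only the Timestamp, a message with a second element carrying the Body's wsu:Id, a token that is not Base64, or a certificate absent from the registry all come back as faults. Check 4 is the one most often missing in hand-written receivers: a signature that is cryptographically valid but does not cover the Body authenticates nothing about the request.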


Related tasks


Set the client for signature authentication: specifying the method
Secure Web services for version 5.x applications using signature authentication
Set the client for signature authentication: collecting the authentication information