Overview of token types
Web Services Security defines the types of security tokens. The deployment descriptor extension file defines the types of tokens that the message can accept.
Important: There is an important distinction between Version 5.x and Version 6.0.x and later applications. The information in this topic applies only to Version 5.x applications that are used with WebSphere Application Server Version 6.0.x and later. It does not apply to Version 6.1.x and later applications.
The types of security tokens defined by Web Services Security are:
- User name token
- Binary security token
A user name token consists of a user name and, optionally, password information. We can include a user name token directly in the <Security> header within the message. Binary tokens, such as X.509 certificates, Kerberos tickets, LTPA tokens, or other non-XML formats, require a special encoding for inclusion. The Web Services Security specification describes how to encode binary security tokens such as X.509 certificates and Kerberos tickets, and it also describes how to include opaque encrypted keys. The specification also includes extensibility mechanisms that we can use to further describe the characteristics of the credentials that are included with a message.
WebSphere Application Server Version 5.0.2 supports user name tokens that carry both a user name and a password (basic authentication) and user name tokens that carry only a user name (identity assertion). The Version 5.0.2 binary security token implementation supports both X.509 certificate and LTPA binary security tokens. You can extend the implementation to generate other types of tokens; Kerberos tickets, however, are not supported in Version 5.0.2. Each type of token is processed by a corresponding token generation and validation module. The binary token generation and validation modules are pluggable, based on the JAAS framework; for example, an arbitrary XML-based token format can be supported through the JAAS pluggable framework. Version 5.0.2 does not support an XML-based token that is referenced from a SecurityTokenReference.
We can define the types of tokens that the message can accept in the deployment descriptor extension file, ibm-webservices-ext.xmi. A message receiver might support one or more types of security tokens. The following example shows a receiver that supports four authentication methods, one for each token type it accepts:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<com.ibm.etools.webservice.wsext:WsExtension xmi:version="2.0"
    xmlns:xmi="http://www.omg.org/XMI"
    xmlns:com.ibm.etools.webservice.wsext="http://www.ibm.com/websphere/appserver/schemas/5.0.2/wsext.xmi"
    xmi:id="WsExtension_1052760331306" routerModuleName="StockQuote.war">
  <wsDescExt xmi:id="WsDescExt_1052760331306" wsDescNameLink="StockQuoteFetcher">
    <pcBinding xmi:id="PcBinding_1052760331326" pcNameLink="urn:xmltoday-delayed-quotes" scope="Session">
      <serverServiceConfig xmi:id="ServerServiceConfig_1052760331326" actorURI="myActorURI">
        <securityRequestReceiverServiceConfig xmi:id="SecurityRequestReceiverServiceConfig_1052760331326">
          <loginConfig xmi:id="LoginConfig_1052760331326">
            <authMethods xmi:id="AuthMethod_1052760331326" text="BasicAuth"/>
            <authMethods xmi:id="AuthMethod_1052760331327" text="IDAssertion"/>
            <authMethods xmi:id="AuthMethod_1052760331336" text="Signature"/>
            <authMethods xmi:id="AuthMethod_1052760331337" text="LTPA"/>
          </loginConfig>
          <idAssertion xmi:id="IDAssertion_1052760331336" idType="Username" trustMode="Signature"/>
        </securityRequestReceiverServiceConfig>
      </serverServiceConfig>
    </pcBinding>
  </wsDescExt>
</com.ibm.etools.webservice.wsext:WsExtension>
```

The message sender chooses one of the token types that the receiver supports when it sends a message. We can define the type of token that the sending side uses in the client descriptor extension file, ibm-webservicesclient-ext.xmi. The following example shows a sender that chooses to send a UsernameToken to the receiver:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<com.ibm.etools.webservice.wscext:WsClientExtension xmi:version="2.0"
    xmlns:xmi="http://www.omg.org/XMI"
    xmlns:com.ibm.etools.webservice.wscext="http://www.ibm.com/websphere/appserver/schemas/5.0.2/wscext.xmi"
    xmi:id="WsClientExtension_1052760331496">
  <ServiceRefs xmi:id="ServiceRef_1052760331506" serviceRefLink="service/StockQuoteService">
    <portQnameBindings xmi:id="PortQnameBinding_1052760331506" portQnameLocalNameLink="StockQuote">
      <clientServiceConfig xmi:id="ClientServiceConfig_1052760331506" actorURI="myActorURI">
        <securityRequestSenderServiceConfig xmi:id="SecurityRequestSenderServiceConfig_1052760331506" actor="myActorURI">
          <loginConfig xmi:id="LoginConfig_1052760331506" authMethod="BasicAuth"/>
        </securityRequestSenderServiceConfig>
      </clientServiceConfig>
    </portQnameBindings>
  </ServiceRefs>
</com.ibm.etools.webservice.wscext:WsClientExtension>
```
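The receiver-side check that these two descriptors imply, as an added example that is not WebSphere code and not from this page: the script below reads the authMethods from a receiver descriptor with the same element structure as the example above, classifies each token in the <Security> header of a constructed SOAP request (UsernameToken with or without a password, BinarySecurityToken by ValueType), and accepts the message only if every token maps to a listed method and the header is addressed to the receiver's actorURI. It assumes the 2003 draft and OASIS 2004 wsse namespaces, the wsst namespace for the LTPA ValueType, and a placeholder ds:Signature element; it does not verify signatures, decode LTPA tokens or check passwords, which the real token validation modules do.

```python
"""Added example, not WebSphere code: check whether the tokens in an incoming SOAP
message map to authMethods the receiver lists in ibm-webservices-ext.xmi.
All descriptor and message inputs below are constructed for the example."""
import base64
import binascii
import xml.etree.ElementTree as ET

# Assumed: WAS 5.0.2 used the 2003 draft wsse namespace; the OASIS 2004 URI is accepted too.
WSSE_NSS = {"http://schemas.xmlsoap.org/ws/2003/06/secext",
            "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"}
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"

# Constructed receiver descriptor with the same element structure as the page's example.
RECEIVER_EXT = """<wsext:WsExtension xmlns:wsext="http://www.ibm.com/websphere/appserver/schemas/5.0.2/wsext.xmi">
  <wsDescExt wsDescNameLink="StockQuoteFetcher"><pcBinding pcNameLink="urn:xmltoday-delayed-quotes">
    <serverServiceConfig actorURI="myActorURI"><securityRequestReceiverServiceConfig><loginConfig>
      <authMethods text="BasicAuth"/><authMethods text="IDAssertion"/>
      <authMethods text="Signature"/><authMethods text="LTPA"/>
    </loginConfig></securityRequestReceiverServiceConfig></serverServiceConfig>
  </pcBinding></wsDescExt></wsext:WsExtension>"""

def _split(tag):  # '{ns}name' -> (ns, name); unqualified names get an empty namespace
    ns, _, name = tag[1:].partition("}") if tag.startswith("{") else ("", "", tag)
    return ns, name

def receiver_policy(ext_xml):
    """Return (actorURI, set of accepted authMethods) from a wsext descriptor."""
    cfg = ET.fromstring(ext_xml)
    actor = cfg.find(".//serverServiceConfig").get("actorURI")
    return actor, {a.get("text") for a in cfg.iter("authMethods") if a.get("text")}

def _signed_by(security, token_id):  # does a ds:Signature in this header reference the token via an STR?
    for sig in (s for s in security if _split(s.tag) == (DS_NS, "Signature")):
        for el in sig.iter():
            ns, name = _split(el.tag)
            if ns in WSSE_NSS and name == "Reference" and el.get("URI") == "#" + token_id:
                return True
    return False

def _binary_method(security, tok):
    """Map a BinarySecurityToken to an authMethod, or 'Unsupported'."""
    try:
        data = base64.b64decode((tok.text or "").strip(), validate=True)
    except (binascii.Error, ValueError):
        data = b""
    if not data or not tok.get("EncodingType", "").endswith("Base64Binary"):
        return "Unsupported"
    vt = tok.get("ValueType", "")
    if vt.endswith("X509v3"):
        # A bare certificate proves nothing; only one the message signature references counts.
        tid = next((v for k, v in tok.attrib.items() if _split(k)[1] == "Id"), None)
        return "Signature" if tid and _signed_by(security, tid) else "Unsupported"
    return "LTPA" if vt.endswith("LTPA") else "Unsupported"  # Kerberos etc. unsupported in 5.0.2

def message_methods(soap_xml, actor):
    """authMethod implied by each token in the wsse:Security header addressed to `actor`."""
    methods = []
    for sec in ET.fromstring(soap_xml).iter():
        ns, name = _split(sec.tag)
        if name != "Security" or ns not in WSSE_NSS or sec.get("{%s}actor" % SOAP_NS) != actor:
            continue  # not a Security header, or one addressed to a different actor
        for tok in sec:
            tns, tname = _split(tok.tag)
            if tns not in WSSE_NSS:
                continue  # ds:Signature etc. are consulted via the token they reference
            if tname == "UsernameToken":
                has_pw = any(_split(c.tag)[1] == "Password" for c in tok)
                methods.append("BasicAuth" if has_pw else "IDAssertion")
            elif tname == "BinarySecurityToken":
                methods.append(_binary_method(sec, tok))
    return methods

def accept(ext_xml, soap_xml):  # conservative: at least one token, every token on the accepted list
    actor, allowed = receiver_policy(ext_xml)
    found = message_methods(soap_xml, actor)
    return bool(found) and all(m in allowed for m in found), found

def _envelope(tokens):  # constructed SOAP 1.1 message addressed to myActorURI
    return ('<soapenv:Envelope xmlns:soapenv="%s" xmlns:ds="%s" '
            'xmlns:wsse="http://schemas.xmlsoap.org/ws/2003/06/secext" '
            'xmlns:wsu="http://schemas.xmlsoap.org/ws/2003/06/utility" '
            'xmlns:wsst="http://www.ibm.com/websphere/appserver/tokentype/5.0.2">'
            '<soapenv:Header><wsse:Security soapenv:actor="myActorURI">%s</wsse:Security>'
            '</soapenv:Header><soapenv:Body><getQuote/></soapenv:Body></soapenv:Envelope>'
            ) % (SOAP_NS, DS_NS, tokens)

BLOB = base64.b64encode(b"constructed placeholder, not a real certificate or LTPA token").decode()
BST = ('<wsse:BinarySecurityToken %s ValueType="%s" EncodingType="wsse:Base64Binary">'
       + BLOB + "</wsse:BinarySecurityToken>")
STR_SIG = ('<ds:Signature><ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#cert1"/>'
           "</wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature>")  # structural stand-in only
SAMPLES = {
    "basic": _envelope("<wsse:UsernameToken><wsse:Username>alice</wsse:Username>"
                       "<wsse:Password>s3cret</wsse:Password></wsse:UsernameToken>"),
    "idassert": _envelope("<wsse:UsernameToken><wsse:Username>alice</wsse:Username></wsse:UsernameToken>"),
    "x509_signed": _envelope(BST % ('wsu:Id="cert1"', "wsse:X509v3") + STR_SIG),
    "x509_unsigned": _envelope(BST % ('wsu:Id="cert1"', "wsse:X509v3")),
    "ltpa": _envelope(BST % ("", "wsst:LTPA")),
    "kerberos": _envelope(BST % ("", "wsse:Kerberosv5TGT")),
}
```

With the four-method descriptor, `accept(RECEIVER_EXT, SAMPLES[name])` accepts the basic-authentication, identity-assertion, signed X.509 and LTPA messages and rejects the Kerberos ticket and an X.509 certificate that no signature references; removing the LTPA authMethods entry from the descriptor is enough to reject the LTPA message, which is the decision the deployment descriptor exists to make. The identity-assertion branch deliberately stops at classification: the trustMode="Signature" setting in the page's example means the real receiver must additionally verify that a trusted intermediary signed the asserted user name.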
Subtopics
- Username token
The <UsernameToken> element propagates a user name and optionally propagates the password information. Use this token type to carry basic authentication information.
- Binary security token
The <BinarySecurityToken> element defines a security token that is binary encoded. The EncodingType attribute specifies how the token is encoded, for example, Base64Binary. The ValueType attribute identifies the type and namespace of the security token, for example, an LTPA token. The Web Services Security implementation for WebSphere Application Server, Version 5.0.2 supports both LTPA and X.509 certificate binary security tokens.
- XML token
XML tokens are offered in two formats: Security Assertion Markup Language (SAML) and eXtensible rights Markup Language (XrML).
Related concepts
Security token