(WAS v8.5.0.1)
Use Web Services Security SPIs
We can use the GenericSecurityTokenFactory SPIs to create security tokens for use by the WS-Security runtime. These security tokens can be used for, but are not limited to, WSSAPIs, JAAS login modules, and custom security tokens.
Through various method signatures, we can use the GenericSecurityTokenFactory SPI to:
- Generate a dynamic UsernameToken using a stacked JAAS login module
- Create custom security tokens for Web services security
- Generate and consume custom tokens with the Generic Issue Login Modules.
- (V8502) Generate and consume dynamic X.509 tokens using a stacked JAAS login module
- (V8502) Generate a dynamic LTPA token using a stacked JAAS login module
- (V8502) Generate a dynamic Kerberos token using a stacked JAAS login module
- (V8502) Replace the authentication method of the UsernameToken consumer using a stacked JAAS login module
Subtopics
- (WAS v8.5.0.1) Generating a dynamic UsernameToken using a stacked JAAS login module
We can use the GenericSecurityTokenFactory APIs to create fully-populated or simple UsernameToken security tokens for use by the WS-Security runtime. These security tokens can be used for, but are not limited to, WSSAPIs, JAAS login modules, or UNTGenerateLoginModule.
- (WAS v8.5.0.1) Create custom security tokens for Web services security using the GenericSecurityTokenFactory SPIs
Use the GenericSecurityTokenFactory SPIs to create custom security tokens for use by the WS-Security runtime. These security tokens can be used for, but are not limited to, WSSAPIs, JAAS login modules, and custom security tokens.
- (WAS v8.5.0.1) Generating and consuming custom tokens with the Generic Issue Login Modules
The Generic Issued token generator and consumer, GenericIssuedTokenGenerateLoginModule and GenericIssuedTokenConsumeLoginModule, can be used in conjunction with the GenericSecurityTokenFactory and GenericSecurityToken SPIs to implement an end-to-end solution for a custom token. Generating and consuming custom tokens with the Generic Issue Login Modules can be done with either policy and bindings, or WSSAPIs.
- (V8502) Generating and consuming a dynamic X.509 token using a stacked JAAS login module
We can use the GenericSecurityTokenFactory SPIs to create X.509 tokens for use by the WS-Security runtime environment. These security tokens can be used for, but are not limited to, WSSAPIs and JAAS login modules.
- (V8502) Generating a dynamic LTPA token using a stacked JAAS login module
We can dynamically pass a username and password to the LTPA token generator, LTPAGenerateLoginModule, when using WSS SPIs. However, if we use policy sets and bindings, we cannot do this in a standard configuration because both the callback handler and the username and password in the callback handler are fixed values. We can use policy sets and bindings to create dynamic Kerberos tokens if a custom JAAS login module is used.
- (V8502) Generating and consuming SAML tokens using stacked JAAS login modules
We can use the GenericSecurityTokenFactory APIs to pass a SAML token that we have created to the SAMLGenerateLoginModule or GenericIssuedTokenGenerateLoginModule modules. We can also use these APIs to obtain SAML tokens that are consumed by SAMLConsumeLoginModule or GenericIssuedTokenConsumeLoginModule modules.
- (V8502) Generating a dynamic Kerberos token using a stacked JAAS login module
We can dynamically pass a username and password to the Kerberos token generator, KRBGenerateLoginModule, when using WSSAPIs. However, if we use policy sets and bindings, we cannot dynamically pass a username and password to the Kerberos token generator in a standard configuration because both the callback handler and the username and password in the callback handler are fixed values. Dynamic Kerberos tokens can be created using policy sets and bindings if a custom JAAS login module is used.
- (V8502) Replace the authentication method of the UsernameToken consumer using a stacked JAAS login module
By default, the Web services security UsernameToken consumer, UNTConsumeLoginModule, always validates the username and password contained within the token against the WebSphere registry. We can use the SPIs that GenericSecurityTokenFactory provides to bypass this authentication method.
- (V8502) Configure a UsernameToken caller configuration with no registry interaction
To authenticate a UsernameToken with a caller configuration without accessing the WebSphere registry, we can replace the authentication method of the UsernameToken consumer and configure the caller to use an alternative JAAS login configuration.
Related tasks
Create custom security tokens for Web services security using the GenericSecurityTokenFactory SPIs