Default implementations of the Web Services Security service provider programming interfaces
This information describes the default implementations of the service provider interfaces (SPI) for Web Services Security within WebSphere Application Server. The default implementation classes and their functionality for both the JAX-RPC run time and the JAX-WS run time are discussed. We can use this information to create or modify the Web Services Security binding configuration.
Best practice: IBM WAS supports the JAX-WS programming model and the JAX-RPC programming model. JAX-WS is the next-generation web services programming model, extending the foundation provided by the JAX-RPC programming model. Using the strategic JAX-WS programming model, development of web services and clients is simplified through support of a standards-based annotations model. Although the JAX-RPC programming model and applications are still supported, take advantage of the easy-to-implement JAX-WS programming model to develop new web services applications and clients.
Default implementations for the JAX-RPC run time
- com.ibm.wsspi.wssecurity.token.X509TokenGenerator
- The JAAS Login Module implementation is used to create the security token on the generator side. It is responsible for creating the X.509 token object from the X.509 certificate, which is returned by the com.ibm.wsspi.wssecurity.auth.callback.{X509,PKCS7,PkiPath}CallbackHandler interface. It encodes the token using the Base64 format and inserts its XML representation into the SOAP message, if necessary.
- com.ibm.wsspi.wssecurity.auth.callback.X509CallbackHandler
- This class implements the javax.security.auth.callback.CallbackHandler interface and it retrieves the X.509 certificate from the keystore file.
- com.ibm.wsspi.wssecurity.token.UsernameTokenGenerator
- The JAAS Login Module implementation is used to create the security token on the generator side. It is responsible for creating the username token object from user name and password that is returned by a javax.security.auth.callback.CallbackHandler implementation such as the following callback handler:
com.ibm.wsspi.wssecurity.auth.callback.{GUIPrompt,NonPrompt,StdinPrompt}CallbackHandler.
It also inserts the XML representation of the token into the SOAP message, if necessary.
- com.ibm.wsspi.wssecurity.keyinfo.KeyStoreKeyLocator
- The JAAS Login Module implementation is used to create the security token on the generator side and to validate (authenticate) the security token on the consumer side. This class retrieves the keys from the keystore files for digital signature and encryption.
- com.ibm.wsspi.wssecurity.token.X509TokenConsumer
- The JAAS Login Module implementation is used to validate (authenticate) the security token on the consumer side. This class processes the X.509 token from the binary security token. This class decodes the Base64 encoding within the X.509 token and then invokes the system.wssecurity.X509BST Java Authentication and Authorization Service (JAAS) Login Configuration with the com.ibm.wsspi.wssecurity.auth.module.X509LoginModule login module to validate the X.509 token. An object of the com.ibm.wsspi.wssecurity.auth.token.X509Token class is created for the validated X.509 token and stored in the JAAS Subject.
- com.ibm.wsspi.wssecurity.token.IDAssertionUsernameTokenConsumer
- The JAAS Login Module implementation is used to validate (authenticate) the security token on the consumer side. This class processes the username token for identity assertion (IDAssertion), which does not have a password element. This interface invokes the system.wssecurity.IDAssertionUsernameToken JAAS login configuration with the com.ibm.wsspi.wssecurity.auth.module.IDAssertionUsernameLoginModule login module to validate the IDAssertion user name token. An object of the com.ibm.wsspi.wssecurity.auth.token.UsernameToken class is created for the validated username token and stored in the JAAS Subject.
- com.ibm.wsspi.wssecurity.auth.module.IDAssertionUsernameLoginModule
- This class implements the javax.security.auth.spi.LoginModule interface and checks whether the username value is not empty. The login module assumes the UsernameToken is valid if the username value is not empty.
- com.ibm.wsspi.wssecurity.token.LTPATokenGenerator
- The JAAS Login Module implementation is used to create the security token on the generator side. This class is responsible for Base 64 encoding the LTPA token object obtained from the com.ibm.wsspi.wssecurity.auth.callback.LTPATokenCallbackHandler callback handler. The object is inserted into the Web Services Security header within the SOAP message, if necessary.
- com.ibm.wsspi.wssecurity.token.LTPATokenConsumer
- The JAAS Login Module implementation is used to validate (authenticate) the security token on the consumer side. This class processes the LTPA token from the binary security token, and decodes the Base64 encoding within the LTPA token. An object of the com.ibm.wsspi.wssecurity.auth.token.LTPAToken class is created for the validated LTPA token and stored in the JAAS Subject.
- com.ibm.wsspi.wssecurity.auth.module.X509LoginModule
- This class implements the javax.security.auth.spi.LoginModule interface and validates the X.509 Certificate based on the trust anchor and the collection certification store configuration.
- com.ibm.wsspi.wssecurity.token.UsernameTokenConsumer
- The JAAS Login Module implementation is used to validate (authenticate) the security token on the consumer side. This class processes the username token, extracts the user name and password, and then invokes the system.wssecurity.UsernameToken JAAS login configuration using the com.ibm.wsspi.wssecurity.auth.module.UsernameLoginModule login module to validate the user name and password. An object of the com.ibm.wsspi.wssecurity.auth.token.UsernameToken class is created for the validated username token and stored in the JAAS Subject.
- com.ibm.wsspi.wssecurity.keyinfo.X509TokenKeyLocator
- The JAAS Login Module implementation is used to create the security token on the generator side and to validate (authenticate) the security token on the consumer side. This class is used to retrieve a public key from an X.509 certificate. The X.509 certificate is stored in the X.509 token (com.ibm.wsspi.wssecurity.auth.token.X509Token) in the JAAS Subject. The X.509 token is created by the X.509 Token Consumer (com.ibm.wsspi.wssecurity.token.X509TokenConsumer).
- com.ibm.wsspi.wssecurity.keyinfo.SignerCertKeyLocator
- The JAAS Login Module implementation is used to create the security token on the generator side and to validate (authenticate) the security token on the consumer side. This class is used to retrieve a public key from the X.509 certificate of the request signer and encrypt the response. We can use this key locator in the response generator binding configuration only.
This implementation assumes that only one signer certificate is used in the request.
- com.ibm.wsspi.wssecurity.auth.token.UsernameToken
- This implementation extends the com.ibm.wsspi.wssecurity.auth.token.WSSToken abstract class to represent the username token.
- com.ibm.wsspi.wssecurity.auth.token.X509Token
- This implementation extends the com.ibm.wsspi.wssecurity.auth.token.WSSToken abstract class to represent the X.509 binary security token (X.509 certificate).
- com.ibm.wsspi.wssecurity.auth.token.LTPAToken
- This implementation extends the com.ibm.wsspi.wssecurity.auth.token.WSSToken abstract class as a wrapper to the LTPA token that is extracted from the binary security token.
- com.ibm.wsspi.wssecurity.auth.callback.PKCS7CallbackHandler
- This class implements the javax.security.auth.callback.CallbackHandler interface and is responsible for creating a certificate and binary data with or without a certificate revocation list (CRL) using the PKCS#7 encoding. The certificate and the binary data are passed back to the com.ibm.wsspi.wssecurity.token.X509TokenGenerator implementation through the com.ibm.wsspi.wssecurity.auth.callback.X509BSCallback callback handler.
- com.ibm.wsspi.wssecurity.auth.callback.PkiPathCallbackHandler
- This class implements the javax.security.auth.callback.CallbackHandler interface and is responsible for creating a certificate and binary data without a CRL using the PkiPath encoding. The certificate and binary data are passed back to the com.ibm.wsspi.wssecurity.token.X509TokenGenerator implementation through the com.ibm.wsspi.wssecurity.auth.callback.X509BSCallback callback handler.
- com.ibm.wsspi.wssecurity.auth.callback.X509CallbackHandler
- This class implements the javax.security.auth.callback.CallbackHandler interface and it is responsible for creating a certificate from the keystore file. The X.509 token certificate is passed back to the com.ibm.wsspi.wssecurity.token.X509TokenGenerator implementation through the com.ibm.wsspi.wssecurity.auth.callback.X509BSCallback callback handler.
- com.ibm.wsspi.wssecurity.auth.callback.LTPATokenCallbackHandler
- This implementation generates a Lightweight Third-Party Authentication (LTPA) token in the Web Services Security header as a binary security token. If basic authentication data is defined in the application binding file, it is used to perform a login, to extract the LTPA token from the WAS credentials, and to insert the token in the Web Services Security header. Otherwise, it extracts the LTPA security token from the invocation credentials (run as identity) and inserts the token in the Web Services Security header.
- com.ibm.wsspi.wssecurity.auth.callback.NonPromptCallbackHandler
- This implementation reads the basic authentication data from the application binding file. You might use this implementation on the server side to generate a username token.
- com.ibm.wsspi.wssecurity.auth.callback.GUIPromptCallbackHandler
- This implementation presents you with a login prompt to gather the basic authentication data. Use this implementation on the client side only.
- com.ibm.wsspi.wssecurity.auth.callback.StdinPromptCallbackHandler
- This implementation collects the basic authentication data using a standard in (stdin) prompt. Use this implementation on the client side only.
Restriction: If we have a multi-threaded client and multiple threads attempt to read from standard in at the same time, all the threads will not successfully obtain the user name and password information. Therefore, we cannot use the com.ibm.wsspi.wssecurity.auth.callback.StdinPromptCallbackHandler implementation with a multi-threaded client where multiple threads might attempt to obtain data from standard in concurrently.
- com.ibm.wsspi.wssecurity.id.TrustedIDEvaluator
- This interface is used to evaluate the level of trust for identity assertion. The default implementation is com.ibm.wsspi.wssecurity.id.TrustedIDEvaluatorImpl, which enables you to define a list of trusted identities.
- com.ibm.wsspi.wssecurity.id.TrustedIDEvaluatorImpl
- This default implementation enables you to define a list of trusted identities for identity assertion.
- com.ibm.wsspi.wssecurity.id.TrustedIDEvaluatorException
- This exception class is used by an implementation of the com.ibm.wsspi.wssecurity.id.TrustedIDEvaluator to communicate the exception and errors to the Web Services Security run time.
Default implementations for the JAX-WS run time
- com.ibm.ws.wssecurity.wssapi.token.impl.CommonTokenGenerator
- This implementation invokes the JAAS CallbackHandler and JAAS login configuration specified in the binding to create the SecurityToken at run time on the outbound SOAP message.
- com.ibm.websphere.wssecurity.callbackhandler.X509GenerateCallbackHandler
- This class implements the javax.security.auth.callback.CallbackHandler interface on the outbound SOAP message, and retrieves the X.509 certificate. The following properties may be specified:
- com.ibm.wsspi.wssecurity.token.IDAssertion.isUsed. This property takes a boolean value, and the default value is false.
- com.ibm.wsspi.wssecurity.token.cert.useRequestorCert. This property takes a boolean value, and the default value is false.
- com.ibm.ws.wssecurity.wssapi.token.impl.X509GenerateLoginModule
- The wss.generate.x509 JAAS system login configuration contains the class com.ibm.ws.wssecurity.wssapi.token.impl.X509GenerateLoginModule. X509GenerateLoginModule implements the javax.security.auth.spi.LoginModule interface and is responsible for generating an XML Username token structure, and also a com.ibm.websphere.wssecurity.wssapi.token.SecurityToken that represents the X.509 token at run time.
- com.ibm.ws.wssecurity.wssapi.token.impl.PKCS7GenerateLoginModule
- The wss.generate.pkcs7 JAAS system login configuration contains the class com.ibm.ws.wssecurity.wssapi.token.impl.PKCS7GenerateLoginModule. PKCS7GenerateLoginModule implements the javax.security.auth.spi.LoginModule interface and is responsible for generating an XML token structure and a com.ibm.websphere.wssecurity.wssapi.token.SecurityToken that represents the token at run time.
- com.ibm.ws.wssecurity.wssapi.token.impl.PkiPathGenerateLoginModule
- The wss.generate.pkiPath JAAS system login configuration contains the class com.ibm.ws.wssecurity.wssapi.token.impl.PkiPathGenerateLoginModule. PkiPathGenerateLoginModule implements the javax.security.auth.spi.LoginModule interface and is responsible for generating an XML token structure and a com.ibm.websphere.wssecurity.wssapi.token.SecurityToken that represents the token at run time.
- com.ibm.websphere.wssecurity.callbackhandler.UNTGenerateCallbackHandler
- This class implements the javax.security.auth.callback.CallbackHandler interface on the outbound SOAP message, and it retrieves the binding configuration and user name and password authentication data. The following properties may be specified. These properties take a boolean value, and the default value is false.
- com.ibm.wsspi.wssecurity.token.username.addNonce
- com.ibm.wsspi.wssecurity.token.username.addTimestamp
- com.ibm.wsspi.wssecurity.token.IDAssertion.isUsed
- com.ibm.wsspi.wssecurity.token.IDAssertion.useRunAsIdentity
- com.ibm.wsspi.wssecurity.token.IDAssertion.sendRealm
- com.ibm.wsspi.wssecurity.token.IDAssertion.trustedRealm
- com.ibm.ws.wssecurity.wssapi.token.impl.UNTGenerateLoginModule
- The wss.generate.unt JAAS system login configuration contains the class com.ibm.ws.wssecurity.wssapi.token.impl.UNTGenerateLoginModule. UNTGenerateLoginModule implements the javax.security.auth.spi.LoginModule interface and is responsible for generating an XML Username token structure and also a com.ibm.websphere.wssecurity.wssapi.token.SecurityToken that represents the token at run time. When com.ibm.wsspi.wssecurity.token.IDAssertion.isUsed has the value of true, the generated username token does not contain a password. When com.ibm.wsspi.wssecurity.token.IDAssertion.sendRealm has the value of true, the user name is qualified by the local realm name. When com.ibm.wsspi.wssecurity.token.IDAssertion.trustedRealm has the value of true, the user name field contains both the user name and a registry-dependent unique identifier for the user. Both the user name and the unique identifier are qualified by the local realm name.
- com.ibm.websphere.wssecurity.callbackhandler.KRBTokenGenerateCallbackHandler
- This class implements the javax.security.auth.callback.CallbackHandler interface on the outbound SOAP message, and it retrieves the Kerberos user name and password, along with other binding configuration properties. The following properties may be specified. The properties take a string that specifies the target service name as part of a service principal name (SPN), in the form of service_name/host_name@Kerberos_realm_name.
- com.ibm.wsspi.wssecurity.krbtoken.targetServiceName
- com.ibm.wsspi.wssecurity.krbtoken.targetServiceHost
- com.ibm.wsspi.wssecurity.krbtoken.targetServiceRealm
- com.ibm.ws.wssecurity.wssapi.token.impl.KRBGenerateLoginModule
- The wss.generate.KRB5BST JAAS system login configuration contains the classes com.ibm.ws.wssecurity.wssapi.token.impl.KRBGenerateLoginModule, and com.ibm.ws.wssecurity.wssapi.token.impl.DKTGenerateLoginModule. KRBGenerateLoginModule implements the javax.security.auth.spi.LoginModule interface and is responsible for generating an XML token structure and a com.ibm.websphere.wssecurity.wssapi.token.SecurityToken that represents the token at run time.
- com.ibm.ws.wssecurity.wssapi.token.impl.DKTGenerateLoginModule
- The wss.generate.KRB5BST JAAS system login configuration contains the classes com.ibm.ws.wssecurity.wssapi.token.impl.KRBGenerateLoginModule, and com.ibm.ws.wssecurity.wssapi.token.impl.DKTGenerateLoginModule. DKTGenerateLoginModule implements the javax.security.auth.spi.LoginModule interface and is responsible for generating an XML token structure and a com.ibm.websphere.wssecurity.wssapi.token.SecurityToken that represents the token at run time when the Requires derived keys option is enabled.
- com.ibm.websphere.wssecurity.callbackhandler.LTPAGenerateCallbackHandler
- This class implements the javax.security.auth.callback.CallbackHandler interface on the outbound SOAP message, and it retrieves the user name and password binding data if they are specified.
- com.ibm.ws.wssecurity.wssapi.token.impl.LTPAGenerateLoginModule
- The wss.generate.ltpa JAAS system login configuration contains the class com.ibm.ws.wssecurity.wssapi.token.impl.LTPAGenerateLoginModule. LTPAGenerateLoginModule implements the javax.security.auth.spi.LoginModule interface and is responsible for generating an XML token structure and a com.ibm.websphere.wssecurity.wssapi.token.SecurityToken that represents the token at run time. The security token contains an LTPA token generated from the user name and password if they are defined in the binding data, or the LTPA authentication token from the RunAs Subject, in that order.
- com.ibm.ws.wssecurity.wssapi.token.impl.LTPAPropagationGenerateLoginModule
- The wss.generate.ltpaProp JAAS system login configuration contains com.ibm.ws.wssecurity.wssapi.token.impl.LTPAPropagationGenerateLoginModule. LTPAPropagationGenerateLoginModule implements the javax.security.auth.spi.LoginModule interface and is responsible for generating an XML token structure and a com.ibm.websphere.wssecurity.wssapi.token.SecurityToken that represents the token at run time. The security token contains the serialized RunAs Subject.
- com.ibm.ws.wssecurity.impl.auth.callback.WSTrustCallbackHandler
- This class implements the javax.security.auth.callback.CallbackHandler interface on the outbound SOAP message, and it retrieves security context token configuration data.
- com.ibm.ws.wssecurity.wssapi.token.impl.SCTGenerateLoginModule
- The wss.generate.sct JAAS system login configuration contains the classes com.ibm.ws.wssecurity.wssapi.token.impl.SCTGenerateLoginModule, and com.ibm.ws.wssecurity.wssapi.token.impl.DKTGenerateLoginModule. SCTGenerateLoginModule implements the javax.security.auth.spi.LoginModule interface and is responsible for generating an XML token structure and a com.ibm.websphere.wssecurity.wssapi.token.SecurityToken that represents the security context token at run time.
- com.ibm.ws.wssecurity.wssapi.token.impl.DKTGenerateLoginModule
- The wss.generate.sct JAAS system login configuration contains the classes com.ibm.ws.wssecurity.wssapi.token.impl.SCTGenerateLoginModule, and com.ibm.ws.wssecurity.wssapi.token.impl.DKTGenerateLoginModule. DKTGenerateLoginModule implements the javax.security.auth.spi.LoginModule interface and is responsible for generating an XML token structure and a com.ibm.websphere.wssecurity.wssapi.token.SecurityToken that represents the token at run time when the Requires derived keys option is enabled.
- com.ibm.ws.wssecurity.wssapi.token.impl.CommonTokenConsumer
- This implementation invokes the JAAS CallbackHandler and JAAS login configuration specified in the binding to extract the security token from the inbound SOAP message and to create the SecurityToken object at run time.
- com.ibm.websphere.wssecurity.callbackhandler.X509ConsumeCallbackHandler
- This class implements the javax.security.auth.callback.CallbackHandler interface on the inbound SOAP message, and it retrieves the trust store and certificate file information required to validate the X.509 certificate.
- com.ibm.ws.wssecurity.wssapi.token.impl.X509ConsumeLoginModule
- The wss.consume.x509 JAAS system login configuration contains the class com.ibm.ws.wssecurity.wssapi.token.impl.X509ConsumeLoginModule. X509ConsumeLoginModule implements the javax.security.auth.spi.LoginModule interface and is responsible for retrieving and validating the X.509 certificate. It creates a com.ibm.websphere.wssecurity.wssapi.token.SecurityToken that represents the X.509 token at run time.
- com.ibm.ws.wssecurity.wssapi.token.impl.PKCS7ConsumeLoginModule
- The wss.consume.pkcs7 JAAS system login configuration contains the class com.ibm.ws.wssecurity.wssapi.token.impl.PKCS7ConsumeLoginModule. PKCS7ConsumeLoginModule implements the javax.security.auth.spi.LoginModule interface and is responsible for retrieving and validating the X.509 certificate. It creates a com.ibm.websphere.wssecurity.wssapi.token.SecurityToken that represents the X.509 token at run time.
- com.ibm.ws.wssecurity.wssapi.token.impl.PkiPathConsumeLoginModule
- The wss.consume.pkiPath JAAS system login configuration contains the class com.ibm.ws.wssecurity.wssapi.token.impl.PkiPathConsumeLoginModule. PkiPathConsumeLoginModule implements the javax.security.auth.spi.LoginModule interface and is responsible for retrieving and validating the X.509 certificate. It creates a com.ibm.websphere.wssecurity.wssapi.token.SecurityToken that represents the X.509 token at run time.
- com.ibm.websphere.wssecurity.callbackhandler.UNTConsumeCallbackHandler
- This class implements the javax.security.auth.callback.CallbackHandler interface on the inbound SOAP message, and it retrieves binding configuration data. The following properties may be specified. These properties take a boolean value, and the default value is false.
- com.ibm.wsspi.wssecurity.token.username.verifyTimestamp
- com.ibm.wsspi.wssecurity.token.username.verifyNonce
- com.ibm.wsspi.wssecurity.token.IDAssertion.isUsed
- com.ibm.wsspi.wssecurity.token.IDAssertion.trustedRealm
- com.ibm.wsspi.wssecurity.token.UsernameToken.disableUserRegistryCheck
- com.ibm.ws.wssecurity.wssapi.token.impl.UNTConsumeLoginModule
- The wss.consume.unt JAAS system login configuration contains the class com.ibm.ws.wssecurity.wssapi.token.impl.UNTConsumeLoginModule. UNTConsumeLoginModule implements the javax.security.auth.spi.LoginModule interface and is responsible for retrieving and validating the username token. It creates a com.ibm.websphere.wssecurity.wssapi.token.SecurityToken that represents the username token at run time. When com.ibm.wsspi.wssecurity.token.IDAssertion.isUsed has the value of false, UNTConsumeLoginModule validates the username and password against the local user registry. An incorrect user name or incorrect or missing password will cause the token validation to fail. When com.ibm.wsspi.wssecurity.token.IDAssertion.isUsed has a value of true, and com.ibm.wsspi.wssecurity.token.IDAssertion.trustedRealm has a value of false, the user name is validated against the local user registry. There should be no password in the username token. When both com.ibm.wsspi.wssecurity.token.IDAssertion.isUsed and com.ibm.wsspi.wssecurity.token.IDAssertion.trustedRealm have a value of true, the user name field must contain a realm-qualified user name and unique user identifier data, and the realm must be one of the trusted realms in the multiple security domain inbound trust configuration.
- com.ibm.websphere.wssecurity.callbackhandler.KRBTokenConsumeCallbackHandler
- This class implements the javax.security.auth.callback.CallbackHandler interface on the inbound SOAP message, and it retrieves the binding configuration data.
- com.ibm.ws.wssecurity.wssapi.token.impl.KRBConsumeLoginModule
- The wss.consume.KRB5BST JAAS system login configuration contains the classes com.ibm.ws.wssecurity.wssapi.token.impl.KRBConsumeLoginModule, and com.ibm.ws.wssecurity.wssapi.token.impl.DKTConsumeLoginModule. KRBConsumeLoginModule implements the javax.security.auth.spi.LoginModule interface and is responsible for retrieving and validating the Kerberos AP_REQ token. It creates a com.ibm.websphere.wssecurity.wssapi.token.SecurityToken that represents the AP_REQ token at run time.
- com.ibm.ws.wssecurity.wssapi.token.impl.DKTConsumeLoginModule
- The wss.consume.KRB5BST JAAS system login configuration contains the classes com.ibm.ws.wssecurity.wssapi.token.impl.KRBConsumeLoginModule, and com.ibm.ws.wssecurity.wssapi.token.impl.DKTConsumeLoginModule. DKTConsumeLoginModule implements the javax.security.auth.spi.LoginModule interface and is responsible for retrieving the derived key when a derived key is required.
- com.ibm.websphere.wssecurity.callbackhandler.LTPAConsumeCallbackHandler
- This class implements the javax.security.auth.callback.CallbackHandler interface on the inbound SOAP message, and it retrieves the binding configuration data.
- com.ibm.ws.wssecurity.wssapi.token.impl.LTPAConsumeLoginModule
- The wss.consume.ltpa JAAS system login configuration contains the class com.ibm.ws.wssecurity.wssapi.token.impl.LTPAConsumeLoginModule. LTPAConsumeLoginModule implements the javax.security.auth.spi.LoginModule interface and is responsible for retrieving and validating the LTPA v2 or LTPA token. It creates a com.ibm.websphere.wssecurity.wssapi.token.SecurityToken that represents the LTPA v2 or LTPA token at run time.
- com.ibm.ws.wssecurity.wssapi.token.impl.LTPAPropagationConsumeLoginModule
- The wss.consume.ltpaProp JAAS system login configuration contains the class com.ibm.ws.wssecurity.wssapi.token.impl.LTPAPropagationConsumeLoginModule. LTPAPropagationConsumeLoginModule implements the javax.security.auth.spi.LoginModule interface and is responsible for retrieving, deserializing, and validating the propagation token and reconstructing the security context.
- com.ibm.ws.wssecurity.impl.auth.callback.SCTConsumeCallbackHandler
- This class implements the javax.security.auth.callback.CallbackHandler interface on the outbound SOAP message, and it retrieves the binding configuration data.
- com.ibm.ws.wssecurity.wssapi.token.impl.SCTConsumeLoginModule
- The wss.consume.sct JAAS system login configuration contains the classes com.ibm.ws.wssecurity.wssapi.token.impl.SCTConsumeLoginModule, and com.ibm.ws.wssecurity.wssapi.token.impl.DKTConsumeLoginModule. SCTConsumeLoginModule implements the javax.security.auth.spi.LoginModule interface and is responsible for retrieving and validating the security context token.
- com.ibm.ws.wssecurity.wssapi.token.impl.DKTConsumeLoginModule
- The wss.consume.sct JAAS system login configuration contains the classes com.ibm.ws.wssecurity.wssapi.token.impl.SCTConsumeLoginModule, and com.ibm.ws.wssecurity.wssapi.token.impl.DKTConsumeLoginModule. DKTConsumeLoginModule implements the javax.security.auth.spi.LoginModule interface and is responsible for retrieving the derived key when a derived key is required.
- com.ibm.ws.wssecurity.impl.auth.module.PreCallerLoginModule
- The wss.caller JAAS system login configuration contains the class com.ibm.ws.wssecurity.impl.auth.module.PreCallerLoginModule. PreCallerLoginModule implements the javax.security.auth.spi.LoginModule interface and is responsible for validating whether it has received any security token that may be used to establish caller identity or trusted identity.
- com.ibm.ws.wssecurity.impl.auth.module.UNTCallerLoginModule
- The wss.caller JAAS system login configuration contains the class com.ibm.ws.wssecurity.impl.auth.module.UNTCallerLoginModule. UNTCallerLoginModule implements the javax.security.auth.spi.LoginModule interface. UNTCallerLoginModule also determines if the user identity is authorized to make an identity assertion if the username is configured to be a trusted identity, or if there is exactly one caller identity if the username token is configured to be a caller identity. It sets the validated caller and trusted identity into the shared state.
- com.ibm.ws.wssecurity.impl.auth.module.X509CallerLoginModule
- The wss.caller JAAS system login configuration contains com.ibm.ws.wssecurity.impl.auth.module.X509CallerLoginModule. X509CallerLoginModule implements the javax.security.auth.spi.LoginModule interface. X509CallerLoginModule checks to see if the user identity is authorized to make an identity assertion if the X509 token is configured to be a trusted identity, or if there is exactly one caller identity if the X509 token is configured to be a caller identity. It sets the validated caller and trusted identity into the shared state.
- com.ibm.ws.wssecurity.impl.auth.module.LTPACallerLoginModule
- The wss.caller JAAS system login configuration contains the class com.ibm.ws.wssecurity.impl.auth.module.LTPACallerLoginModule. LTPACallerLoginModule implements the javax.security.auth.spi.LoginModule interface. LTPACallerLoginModule also checks to see if the user identity is authorized to make an identity assertion if the LTPA token is configured to be a trusted identity, or if there is exactly one caller identity if the LTPA token is configured to be a caller identity. It sets the validated caller and trusted identity into the shared state.
- com.ibm.ws.wssecurity.impl.auth.module.LTPAPropagationCallerLoginModule
- The wss.caller JAAS system login configuration contains the class com.ibm.ws.wssecurity.impl.auth.module.LTPAPropagationCallerLoginModule. LTPAPropagationCallerLoginModule implements the javax.security.auth.spi.LoginModule interface. LTPAPropagationCallerLoginModule also checks to see if the user identity is authorized to make an identity assertion if the propagation token is configured to be a trusted identity, or if there is exactly one caller identity if the propagation token is configured to be a caller identity. It sets the validated caller and trusted identity into the shared state.
- com.ibm.ws.wssecurity.impl.auth.module.KRBCallerLoginModule
- The wss.caller JAAS system login configuration contains com.ibm.ws.wssecurity.impl.auth.module.KRBCallerLoginModule. KRBCallerLoginModule implements the javax.security.auth.spi.LoginModule interface. KRBCallerLoginModule also checks to see if the user identity is authorized to make an identity assertion if the Kerberos token is configured to be a trusted identity, or if there is exactly one caller identity if the Kerberos token is configured to be a caller identity. It sets the validated caller and trusted identity into the shared state.
- com.ibm.ws.wssecurity.impl.auth.module.WSWSSLoginModule
- The wss.caller JAAS system login configuration contains the class com.ibm.ws.wssecurity.impl.auth.module.WSWSSLoginModule. WSWSSLoginModule implements the javax.security.auth.spi.LoginModule interface and is responsible for asserting the caller identity to the ltpaLoginModule and the wsMapDefaultInboundLoginModule to establish the caller security context.
- com.ibm.ws.security.server.lm.ltpaLoginModule
- The wss.caller JAAS system login configuration contains the class com.ibm.ws.security.server.lm.ltpaLoginModule.
- com.ibm.ws.security.server.lm.wsMapDefaultInboundLoginModule
- The wss.caller JAAS system login configuration contains the class com.ibm.ws.security.server.lm.wsMapDefaultInboundLoginModule.
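The three validation modes described above for com.ibm.ws.wssecurity.wssapi.token.impl.UNTConsumeLoginModule, modelled as an added example; this is not IBM's code and not part of the original page. The Token and Registry types, the sample data, and the strict rejection of an identity-assertion token that carries a password are assumptions made for illustration (Java 16 or later, for records).

```java
import java.util.Arrays;
import java.util.Map;
import java.util.Set;

// Illustrative model of the documented UNTConsumeLoginModule behaviour; not IBM code.
public class UntConsumeModel {
    static final String ID_ASSERTION  = "com.ibm.wsspi.wssecurity.token.IDAssertion.isUsed";
    static final String TRUSTED_REALM = "com.ibm.wsspi.wssecurity.token.IDAssertion.trustedRealm";

    // Hypothetical, already-parsed username token; a null field means the element was absent.
    record Token(String realm, String user, String uniqueId, char[] password) {}

    // Hypothetical stand-in for the local user registry.
    interface Registry {
        boolean userExists(String user);
        boolean checkPassword(String user, char[] password);
    }

    enum Result { ACCEPTED, REJECTED }

    // A property that is not set reads as false, the default the page documents.
    static boolean flag(Map<String, String> props, String key) {
        return Boolean.parseBoolean(props.get(key));
    }

    static Result validate(Map<String, String> props, Token t, Registry reg,
                           Set<String> trustedRealms) {
        if (t.user() == null || t.user().isEmpty()) {
            return Result.REJECTED;
        }
        if (!flag(props, ID_ASSERTION)) {
            // isUsed=false: user name and password are checked against the registry;
            // a wrong user name, or a wrong or missing password, fails validation.
            boolean ok = t.password() != null && reg.checkPassword(t.user(), t.password());
            return ok ? Result.ACCEPTED : Result.REJECTED;
        }
        // Identity assertion: the token itself carries no proof of who sent it, so the
        // asserting party has to be authorised separately (the wss.caller login modules).
        if (t.password() != null) {
            return Result.REJECTED; // assumption: "should be no password" treated strictly
        }
        if (!flag(props, TRUSTED_REALM)) {
            // isUsed=true, trustedRealm=false: the name is validated against the local registry.
            return reg.userExists(t.user()) ? Result.ACCEPTED : Result.REJECTED;
        }
        // isUsed=true, trustedRealm=true: realm-qualified name plus unique identifier,
        // and the realm must be one of the trusted realms.
        boolean qualified = t.realm() != null && t.uniqueId() != null;
        return (qualified && trustedRealms.contains(t.realm()))
                ? Result.ACCEPTED : Result.REJECTED;
    }

    public static void main(String[] args) {
        // Constructed sample data: one registry user and one trusted realm.
        Map<String, String> users = Map.of("alice", "s3cret");
        Registry reg = new Registry() {
            public boolean userExists(String u) { return users.containsKey(u); }
            public boolean checkPassword(String u, char[] p) {
                String stored = users.get(u);
                return stored != null && Arrays.equals(stored.toCharArray(), p);
            }
        };
        Set<String> trusted = Set.of("realmA");

        Map<String, String> defaults = Map.of();
        Map<String, String> ida = Map.of(ID_ASSERTION, "true");
        Map<String, String> idaRealm = Map.of(ID_ASSERTION, "true", TRUSTED_REALM, "true");

        Token withPw    = new Token(null, "alice", null, "s3cret".toCharArray());
        Token noPw      = new Token(null, "alice", null, null);
        Token qualified = new Token("realmA", "alice", "uid-0001", null);
        Token foreign   = new Token("realmZ", "alice", "uid-0001", null);

        System.out.println("defaults, password token:      " + validate(defaults, withPw, reg, trusted));
        System.out.println("defaults, no password:         " + validate(defaults, noPw, reg, trusted));
        System.out.println("isUsed, no password:           " + validate(ida, noPw, reg, trusted));
        System.out.println("isUsed, password present:      " + validate(ida, withPw, reg, trusted));
        System.out.println("trustedRealm, trusted realm:   " + validate(idaRealm, qualified, reg, trusted));
        System.out.println("trustedRealm, untrusted realm: " + validate(idaRealm, foreign, reg, trusted));
        System.out.println("trustedRealm, unqualified:     " + validate(idaRealm, noPw, reg, trusted));
    }
}
```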