Generic security token login modules

The generic security token login modules are JAAS login modules. These login modules issue, validate, and exchange security tokens using an external security token service (STS).


Overview

The Web Services Security token generation and consuming processes invoke these login modules. The Web Services Security component provides default login modules for common tokens such as the following examples:

For more information on the token implementations, see the default implementations of the Web Services Security service provider programming interfaces documentation.

If you are using IBM Tivoli Federated Identity Manager as the external security token service, use Version 6.2.0.9, 6.2.1.2, 6.2.2 or later to prevent LTPA token exchange failures.

The following illustration shows the flow of information through the generic security token login module process.

  1. The caller's identity is inherited by the runtime environment of the web services client.
  2. The generic security token login module for the token generator sends a token request to a WS-Trust service using a WS-Trust client using either an issue or validate request.
  3. The returned or validated token is set in the security header of the SOAP message as an authentication token. For more information, see the documentation about the generic security token login modules for the token generator.
  4. The PassTicket is sent as part of the SOAP message to the service provider.
  5. The generic security token login module for the token consumer sends the received token in the security header of the SOAP message within a WS-Trust Validate request to a designated WS-Trust service.
  6. The request might result in a new token or in a notification that the sent token has been validated successfully.
  7. As required, the new or originally validated token is used as the caller token for authorization purposes. For more information, see the documentation about the generic security token login modules for the token consumer.

A PassTicket is a dynamically generated, one-time use, substitute password. We can use the PassTicket to authenticate to a service rather than sending the actual password.
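As an added illustration of steps 5 and 6 above (this is example code, not WebSphere product code), the following Python sketch shows what the token consumer's WS-Trust client exchanges: it builds a WS-Trust 1.3 Validate request carrying the received token and the target endpoint, then interprets the STS reply as either a plain validation or a token exchange. The sample token, endpoint and reply messages are constructed for the example; the namespace and status URIs are those defined by the WS-Trust 1.3 specification.

```python
import xml.etree.ElementTree as ET

WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
WSA = "http://www.w3.org/2005/08/addressing"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
VALIDATE = WST + "/Validate"           # wst:RequestType for a Validate request
STATUS_VALID = WST + "/status/valid"   # wst:Code the STS returns on success

def build_validate_rst(token_elem, target_endpoint):
    """Step 5: the Validate request the token consumer sends to the STS.
    token_elem is the token copied out of the inbound SOAP security header;
    target_endpoint goes into AppliesTo so the STS can authorize the call."""
    rst = ET.Element(f"{{{WST}}}RequestSecurityToken")
    ET.SubElement(rst, f"{{{WST}}}RequestType").text = VALIDATE
    applies = ET.SubElement(rst, f"{{{WSP}}}AppliesTo")
    epr = ET.SubElement(applies, f"{{{WSA}}}EndpointReference")
    ET.SubElement(epr, f"{{{WSA}}}Address").text = target_endpoint
    ET.SubElement(rst, f"{{{WST}}}ValidateTarget").append(token_elem)
    return rst

def parse_validate_rstr(rstr_xml):
    """Step 6: interpret the STS reply. Returns (is_valid, new_token_or_None).
    Only an explicit 'valid' status code counts; anything else is a failure."""
    root = ET.fromstring(rstr_xml)
    if root.tag == f"{{{WST}}}RequestSecurityTokenResponseCollection":
        root = root.find(f"{{{WST}}}RequestSecurityTokenResponse")
        if root is None:
            return False, None
    code = root.findtext(f"{{{WST}}}Status/{{{WST}}}Code")
    if code != STATUS_VALID:
        return False, None
    # A token exchange shows up as a RequestedSecurityToken; absent means "validated as-is".
    new_token = root.find(f"{{{WST}}}RequestedSecurityToken/*")
    return True, new_token

# Constructed sample messages (not real STS traffic): a token lifted from the
# inbound header, a success reply that also exchanges the token, and a rejection.
INBOUND_TOKEN = ET.fromstring(
    f'<wsse:BinarySecurityToken xmlns:wsse="{WSSE}">QUJDLg==</wsse:BinarySecurityToken>')
RSTR_OK = f"""<wst:RequestSecurityTokenResponse xmlns:wst="{WST}">
  <wst:Status><wst:Code>{STATUS_VALID}</wst:Code></wst:Status>
  <wst:RequestedSecurityToken><Exchanged>mapped-caller</Exchanged></wst:RequestedSecurityToken>
</wst:RequestSecurityTokenResponse>"""
RSTR_REJECT = f"""<wst:RequestSecurityTokenResponse xmlns:wst="{WST}">
  <wst:Status><wst:Code>{WST}/status/invalid</wst:Code>
  <wst:Reason>constructed sample: token expired</wst:Reason></wst:Status>
</wst:RequestSecurityTokenResponse>"""
```

In a real deployment the RST is wrapped in a SOAP envelope and sent to the STS over a channel whose transport security and policy are configured on the WS-Trust client; the parsing side above is the part that decides whether the caller token is usable for authorization.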


Usage scenarios

The generic security token login module might be useful if token exchange, identity mapping, or authorization to invoke a target web service are required. The following list explains some useful usage scenarios for a generic security token login module:

Token exchange with an intermediate server

The required outgoing security token and the incoming security token are different types.

Token exchange on the requesting side

An identity mapping for the requestor is required before invoking a downstream service.

Token exchange on the receiving side

The invoking identity mapping is required after the token is validated.

Authorization to invoke target service

The login module sends the incoming security token and its target service endpoint address to the WS-Trust service. The WS-Trust service completes the web service-level authorization. The WS-Trust service verifies whether the target web service invocation is authorized for the principal contained within the authentication token.


Limitations

The following limitations exist for the generic login modules:


Related concepts:

Generic security token login module for the token consumer
Generic security token login module for the token generator
Auditing the Web Services Security runtime


Related:

Default implementations of the Web Services Security service provider programming interfaces
Configure a generic security token login module for an authentication token: Token generator
Configure a generic security token login module for an authentication token: Token consumer
