
Configure a generic security token login module for an authentication token: Token consumer

We can configure a generic security token login module for an authentication token on the token consumer side of the Web Services Security provider. When a web service message is received, the Web Services Security runtime calls the generic security token login module for the token consumer as part of the authentication process. The login module delegates token validation to the WS-Trust service using WS-Trust Validate. The WS-Trust service processes the request and returns a RequestSecurityTokenResponse message to the login module; the response might contain a new security token, or only a validation status code. If a caller token is required, the caller token is either the token returned by the WS-Trust service or the original received token.
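The Validate exchange described above, as an added example (not IBM's code and not the login module's implementation): it builds a WS-Trust Validate request and selects the caller token from the response, rejecting anything the service did not mark valid. The WS-Trust 1.3 namespace, the function names and the sample messages are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Assumption: WS-Trust 1.3 namespace and URIs; the page names no version.
WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
NS = {"wst": WST}
VALID = WST + "/status/valid"

# Constructed sample messages, not captured from a real STS.
SAMPLE_TOKEN = ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"'
                ' AssertionID="_constructed-1" />')
SAMPLE_RSTR_VALID = (
    f'<wst:RequestSecurityTokenResponse xmlns:wst="{WST}"><wst:Status>'
    f'<wst:Code>{VALID}</wst:Code></wst:Status></wst:RequestSecurityTokenResponse>')


def build_validate_request(token_xml):
    """Build the RequestSecurityToken body for a WS-Trust Validate call."""
    rst = ET.Element(f"{{{WST}}}RequestSecurityToken")
    ET.SubElement(rst, f"{{{WST}}}RequestType").text = WST + "/Validate"
    target = ET.SubElement(rst, f"{{{WST}}}ValidateTarget")
    # Re-serialising rewrites prefixes; a signed token must be embedded as received.
    target.append(ET.fromstring(token_xml))
    return ET.tostring(rst, encoding="unicode")


def caller_token(rstr_xml, received_token_xml):
    """Return the caller token, or raise PermissionError if validation failed."""
    rstr = ET.fromstring(rstr_xml)
    status = rstr.find("wst:Status", NS)
    requested = rstr.find("wst:RequestedSecurityToken", NS)
    new_token = requested[0] if requested is not None and len(requested) else None
    if status is not None:
        code = status.findtext("wst:Code", default="", namespaces=NS).strip()
        if code != VALID:  # invalid, empty or unknown code: fail closed
            raise PermissionError(f"token rejected by STS: {code or 'no code'}")
    elif new_token is None:
        raise PermissionError("response carries neither a status nor a token")
    if new_token is not None:
        return ET.tostring(new_token, encoding="unicode")  # token issued by the STS
    return received_token_xml  # status only: the received token is the caller token


if __name__ == "__main__":
    print(build_validate_request(SAMPLE_TOKEN))
    print(caller_token(SAMPLE_RSTR_VALID, SAMPLE_TOKEN))
```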

For illustration purposes, it is assumed that policy sets and bindings are configured and attached to an application. For example, we can use the SAML11 Bearer WSSecurity default policy set and SAML Bearer Provider sample binding. For more information, see the topic about configuring client and provider bindings for the SAML bearer token.

To configure the generic login module on the token consumer side using the dmgr console:

  1. Configure the wss.consume.issuedToken JAAS login module for the application.

    1. Expand Applications > Application Types and click WebSphere enterprise applications.

    2. Click the application containing the policy sets and bindings to modify.

    3. Under Web Services Properties, click Service provider policy sets and bindings.
    4. In the Binding column on the Service client policy sets and bindings panel, click the name of the binding.
    5. In the Policy column on the Bindings configuration panel, click WS-Security.

    6. Under the Main Message Security Policy Bindings heading, click Authentication and protection.
    7. In the Authentication tokens section of the Authentication and protection panel, select the token to configure. For example, select request:SAMLToken11Bearer.

    8. On the Token consumer panel, select the wss.consume.issuedToken option for the JAAS login.

    9. Click Apply.

  2. Configure the callback handler.

    1. Under the Additional Bindings heading, click Callback handler.

    2. Under the Class Name heading on the Callback handler panel, select Use custom and specify com.ibm.websphere.wssecurity.callbackhandler.GenericIssuedTokenConsumeCallbackHandler for the class name.

    3. Click Apply. After you click Apply, a list of existing custom properties is displayed in the Custom Properties section of the panel. We can add, edit, or delete entries in the custom properties list. For more information about the custom properties for the callback handler, see the information about the com.ibm.wsspi.wssecurity.core.config.IssuedTokenConfigConstants API. This information is accessible within the Reference > Programming interfaces > APIs - Application Programming Interfaces section of the product documentation.

    4. Click Add to add both the stsURI custom property and its associated value. This custom property value is the URL of the target security token service. This property is required.

    5. Click Add to add both the wstrustClientPolicy custom property and its associated value. This custom property value is the trust client policy set name that applies to the WS-Trust client call.

    6. Click Add to add both the wstrustClientBinding custom property and its associated value. This custom property value is the trust client binding that applies to the WS-Trust client call. For more information about creating trust client bindings, see steps 3, 4, and 5 in the documentation on configuring client and provider bindings for the SAML bearer token.

    7. Optional: Specify other custom properties. We can add the custom properties listed in the following tables. To add these custom properties, click New in the Custom properties section.

  3. Click OK and click Save to save the bindings.
  4. Stop and restart the applications.


Results

When you complete this task, you have configured a generic login module for the token consumer.

Configure a generic security token login module for the token generator.


Related


Configure a generic security token login module for an authentication token: Token generator


Reference:

Web services security custom properties

