
Configure pluggable tokens using an assembly tool

The following information describes how to configure a pluggable token using an assembly tool.

There is an important distinction between v5.x and v6 and later applications. The information in this article supports only v5.x applications that are used with WebSphere Application Server v6.0.x and later. It does not apply to v6.0.x and later applications.

This document describes how to configure a pluggable token in the request sender (the ibm-webservicesclient-ext.xmi and ibm-webservicesclient-bnd.xmi files) and the request receiver (the ibm-webservices-ext.xmi and ibm-webservices-bnd.xmi files).

The pluggable token is required for the request sender and request receiver because they are a pair. The request sender and the request receiver must match for the receiver to accept a request.

Before completing these steps, you must already have created a web service based on the Java EE specification. See either of the following topics for an introduction to managing Web Services Security binding information for the server:

Specify the security constraints in the ibm-webservicesclient-ext.xmi and the ibm-webservices-ext.xmi files for the required tokens using an IBM assembly tool.

To configure the request sender using the ibm-webservicesclient-ext.xmi and ibm-webservicesclient-bnd.xmi files:

  1. Launch an assembly tool. For more information, read about assembly tools.
  2. Switch to the Java EE perspective. Click Window > Open Perspective > J2EE.

  3. Click Application Client Projects > application_name > appClientModule > META-INF.
  4. Right-click the application-client.xml file, select Open with > Deployment descriptor editor.

  5. Click the WS Extension tab. The web service client security extensions editor is displayed.

    1. Under Service References, select an existing service reference or click Add to create a new reference.

    2. Under Port Qname Bindings, select an existing port qualified name for the selected service reference or click Add to create a new port name binding.

    3. Under Request Sender Configuration: Login Configuration, select an existing authentication method or type a new one in the editable list box. (Lightweight Third Party Authorization (LTPA) token generation is supported when web services act as a client.)

    4. Click File > Save to save the changes.

  6. Click the Web services client binding tab. The web services client binding editor is displayed.

    1. Under Port qualified name binding, select an existing entry or click Add to add a new port name binding. The web services client binding editor displays for the selected port.

    2. Under Login binding, click Edit or Enable. The Login Binding dialog box is displayed.

      1. In the Authentication Method field, enter the authentication method. The authentication method that you enter in this field must match the authentication method defined on the Security Extension tab for the same web service port. This field is mandatory.

      2. Optional. Enter the token value type information in the URI and Local name fields. These fields are ignored for the BasicAuth, Signature, and IDAssertion authentication methods, but are required for other authentication methods. The token value type information is inserted into the ValueType attribute of the <wsse:BinarySecurityToken> element for a binary security token and is used as the namespace for an XML-based token.

      3. Enter an implementation of the JAAS javax.security.auth.callback.CallbackHandler interface. This field is mandatory.

      4. Enter the basic authentication information in the User ID and Password fields. The basic authentication information is passed to the constructor of the CallbackHandler implementation. How it is used depends on the CallbackHandler implementation.

      5. In the Property field, add name and value pairs. These pairs are passed to the constructor of the CallbackHandler implementation as java.util.Map values.

      6. Click OK.

      Click Disable under Login binding on the Web services client port binding tab to remove the authentication method login binding.

    3. Click File > Save to save the changes.

  7. In the Package Explorer window, right-click the webservices.xml file and click Open with > Web services editor. The Web Services window displays.

    1. Click the Security extensions tab. The Web Service Security extensions editor is displayed.

      1. Under Web Services Description Extension, select an existing service reference or click Add to create a new extension.

      2. Under Port Component Binding, select an existing port qualified name for the selected service reference or click Add to create a new one.

      3. Under Request Receiver Service Configuration Details: Login Configuration, select an existing authentication method or click Add and enter a new method in the Add AuthMethod field that displays. You can select multiple authentication methods for the request receiver. The security token of the incoming message is authenticated against the authentication methods in the order in which they are specified in the list. Click Remove to remove the selected authentication method or methods.

    2. Click File > Save to save the changes.

    3. Click the Bindings tab. The web services bindings editor is displayed.

      1. Under web service description bindings, select an existing entry or click Add to add a new web services descriptor.

      2. Click the Binding configurations tab. The web services binding configurations editor is displayed for the selected web services descriptor.

      3. Under Request receiver binding configuration details: login mapping, click Add to create a new login mapping or click Edit to edit the selected login mapping. The Login mapping dialog is displayed.

        1. In the Authentication method field, enter the authentication method. The information entered in this field must match the authentication method defined on the Security Extensions tab for the same web service port. This field is mandatory.
        2. In the Configuration name field, enter a JAAS login configuration name. This field is mandatory. You must define the JAAS login configuration name in the WAS dmgr console under Security > Global security. Under Authentication, click Java Authentication and Authorization Service > Application logins. For more information, read about configuring programmatic logins for Java Authentication and Authorization Service.

        3. Optional. Select Use Token value type and enter the token value type information in the URI and Local name fields. This information is optional for the BasicAuth, Signature, and IDAssertion authentication methods, but is required for any other authentication method. The token value type is used to validate the ValueType attribute of the <wsse:BinarySecurityToken> element for binary security tokens and to validate the namespace of an XML-based token.

        4. Under Callback Handler Factory, enter an implementation of the com.ibm.wsspi.wssecurity.auth.callback.CallbackHandlerFactory interface in the Class name field. This field is mandatory.

        5. Under Callback Handler Factory property, click Add and enter the name and value pairs for the Callback Handler Factory Property. These name and value pairs are passed as java.util.Map to the com.ibm.wsspi.wssecurity.auth.callback.CallbackHandlerFactory.init() method. The use of these name and value pairs is determined by the CallbackHandlerFactory implementation.

        6. Under Login Mapping Property, click Add and enter the name and value pairs for the Login mapping property. These name and value pairs are available to the JAAS Login Modules through the com.ibm.wsspi.wssecurity.auth.callback.PropertyCallback JAAS Callback interface. Click Remove to delete the selected login mapping.

        7. Click OK.

    4. Click File > Save to save the changes.


Results

The previous steps define how to configure the request sender to create security tokens in the SOAP message and to configure the request receiver to validate the security tokens found in the incoming SOAP message. WAS supports pluggable security tokens.

You can use the authentication method defined in the login bindings and login mappings to generate security tokens in the request sender and to validate security tokens in the request receiver.

After you configure pluggable tokens, configure both the client and the server to support pluggable tokens. See the following topics to configure the client and the server:


Related concepts:

Pluggable token support
Overview of authentication methods
Binary security token
XML token
Username token
Security token
Overview of token types
Development and assembly tools


Related


Configure pluggable tokens
Configure the client security bindings using an assembly tool
Configure the security bindings on a server acting as a client
Configure the server security bindings using an assembly tool
Configure the server security bindings
Configure programmatic logins for Java Authentication and Authorization Service
Configure the client for LTPA token authentication: specifying LTPA token authentication
Configure the client for LTPA token authentication: collecting the authentication method information
Configure the server to handle LTPA token authentication information
Configure the server to validate LTPA token authentication information

