Usage scenario for propagating security tokens

[Version 5 only]

 

Usage scenario for propagating security tokens

Important distinction between Version 5.x and Version 6 applications

Note: The information in this article supports version 5.x applications only that are used with WebSphere Application Server Version 6. The information does not apply to version 6 applications.

A sample scenario

This document describes a usage scenario for Web services security.

In scenario 1, Client 1 invokes
Web services 1. Then Web services 1 calls EJB file 2. EJB file 2 calls Web services 3 and Web services 3 calls Web services 4.

Figure 1. Propagating security tokens The previous scenario shows how to propagate security tokens using Web services security, the security infrastructure of the WebSphere Application Server, and Java 2 Platform, Enterprise Edition (J2EE) security.
Web services 1 is configured to accept <wsse:UsernameToken> only and use the BasicAuth authentication method. However, Web services 4 is configured to accept either <wsse:UsernameToken> using the BasicAuth authentication method or Lightweight Third Party Authentication (LTPA) as <wsse:BinarySecurityToken>. The following steps describe the scenario shown in the previous figure:

  1. Client 1 sends a SOAP message to Web services 1 with user1 and password in the <wsse:UsernameToken> element.

  2. The user1 and password values are authenticated by the Web services security run time and set in the current security context as the Java Authentication and Authorization Service (JAAS) Subject.

  3. Web services 1 invokes EJB file 2 using the Remote Method Invocation over the Internet Inter-ORB Protocol (RMI/IIOP) protocol.

  4. The user1 identity is propagated to the downstream call.

  5. The EJB container of EJB file 2 performs an authorization check against user1.

  6. EJB file 2 calls Web services 3 and Web services 3 is configured to accept LTPA tokens.

  7. The RunAs role of EJB file 2 is set to user2.

  8. The LTPA CallbackHandler implementation extracts the LTPA token from the current JAAS Subject in the security context and Web services security run time inserts the token as <wsse: BinarySecurityToken> in the SOAP header.

  9. The Web services security run time in Web services 3 calls the JAAS login configuration to validate the LTPA token and set it in the current security context as the JAAS Subject.

  10. Web services 3 is configured to send LTPA security to Web services 4. In this case, assume that the RunAs role is not configured for Web services 3. The LTPA token of user2 is propagated to Web services 4.

  11. Client 2 uses the <wsse:UsernameToken> element to propagate the basic authentication data to Web services 4.

Web services security complements the WebSphere Application Server security run time and the J2EE role-based security. This scenario demonstrates how to propagate security tokens across multiple resources such as Web services and EJB files.

Related concepts
Web services security specification-a chronology
Web services security and Java 2 Platform, Enterprise Edition security relationship
Web services security model in WebSphere Application Server
Security token
Configurations

Related tasks
Configuring the client for LTPA token authentication: specifying LTPA token authentication
Configuring the client for LTPA token authentication: collecting the authentication method information
Configuring the server to handle LTPA token authentication information
Configuring the server to validate LTPA token authentication information
Configuring the client security bindings using an assembly tool
Configuring the security bindings on a server acting as a client using the administrative console
Configuring pluggable tokens using an assembly tool
Configuring pluggable tokens using the administrative console

Related reference
Web services security support


Searchable topic ID: xwbs_usagescen