Lightweight Third Party Authentication

When the Lightweight Third Party Authentication (LTPA) authentication method is used, a <wsse:BinarySecurityToken> security token is generated. On the request sender side, the security token is generated by invoking a callback handler. On the request receiver side, the security token is validated by a JAAS login module.


LTPA token generation

The request sender uses a callback handler to generate an LTPA security token. The callback handler returns a security token that is inserted in the SOAP message. Specify the appropriate callback handler in the <LoginBinding> element of the bindings file...

ibm-webservicesclient-bnd.xmi

The following callback handler implementation can be used with the LTPA authentication method:

  • com.ibm.wsspi.wssecurity.auth.callback.LTPATokenCallbackHandler

We can add our own callback handlers that implement the javax.security.auth.callback.CallbackHandler interface.

When using the LTPA authentication method (or any authentication method other than BasicAuth, Signature or IDAssertion), the TokenValueType attribute of the <LoginBinding> element in the bindings file...

ibm-webservicesclient-bnd.xmi

...must be specified. The values to use for the LTPA TokenValueType attribute are:

  • uri="http://www.ibm.com/websphere/appserver/tokentype/5.0.2"
  • localName="LTPA"
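
The following fragment is an added illustration of how these pieces fit together in the client bindings file; it is not taken from the page or from an IBM sample. The callback handler class name and the two TokenValueType values are the ones the page gives; the lowercase XMI element names (securityRequestSenderBindingConfig, loginBinding, tokenValueType), the xmi:id values and the authMethod attribute are assumed to match the WebSphere XMI layout and should be checked against the generated bindings file.

```xml
<!-- Added example, not part of the original page: an LTPA LoginBinding in
     ibm-webservicesclient-bnd.xmi. Element names, xmi:id values and the
     authMethod attribute are assumptions about the XMI format. -->
<securityRequestSenderBindingConfig xmi:id="SecurityRequestSenderBindingConfig_1">
  <!-- The callback handler named here generates the <wsse:BinarySecurityToken>
       that is inserted into the outgoing SOAP message. -->
  <loginBinding xmi:id="LoginBinding_1"
                authMethod="LTPA"
                callbackHandler="com.ibm.wsspi.wssecurity.auth.callback.LTPATokenCallbackHandler">
    <!-- TokenValueType is mandatory for LTPA (and for any authentication method
         other than BasicAuth, Signature or IDAssertion). -->
    <tokenValueType xmi:id="TokenValueType_1"
                    uri="http://www.ibm.com/websphere/appserver/tokentype/5.0.2"
                    localName="LTPA"/>
  </loginBinding>
</securityRequestSenderBindingConfig>
```

A custom handler can replace the callbackHandler value, provided the class implements javax.security.auth.callback.CallbackHandler; the tokenValueType stays the same, since it identifies the kind of token the receiver will be asked to validate rather than the class that produced it.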


LTPA token validation

The request receiver retrieves the LTPA security token from the SOAP message and validates it using a JAAS login module. The <wsse:BinarySecurityToken> security token is used to perform the validation. If the validation is successful, the login module returns a JAAS Subject. Subsequently, this Subject is set as the identity of the running thread. If the validation fails, the request is rejected with a SOAP fault.

The appropriate JAAS login configuration to use is specified in the <LoginMapping> element of the bindings file. Default bindings are specified in the ws-security.xml file, but these can be overridden using the application-specific file...

ibm-webservices-bnd.xmi

The configuration information consists of a CallbackHandlerFactory, a ConfigName and a TokenValueType attribute. The CallbackHandlerFactory specifies the name of a class to use to create the JAAS CallbackHandler object. A CallbackHandlerFactory implementation is provided...

com.ibm.wsspi.wssecurity.auth.callback.WSCallbackHandlerFactoryImpl

The ConfigName attribute specifies a JAAS configuration name entry. The Web services security run time first searches the security.xml file for a matching entry and if a matching entry is not found, the run time searches the wsjaas.conf file. A default configuration entry suitable for the LTPA authentication method is provided (WSLogin). An appropriate TokenValueType element is located in the LTPA LoginMapping section of the default ws-security.xml file.
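
As an added counterpart to the sender side, the fragment below shows the three receiver-side settings the page names (CallbackHandlerFactory, ConfigName and TokenValueType) in one LoginMapping. It is illustrative and not copied from the page or from IBM's default ws-security.xml; the factory class name, the WSLogin configuration name and the TokenValueType values are from the page, while the lowercase XMI element names (securityRequestReceiverBindingConfig, loginMappings, callbackHandlerFactory, tokenValueType), the xmi:id values and the authMethod and classname attributes are assumptions about the XMI layout.

```xml
<!-- Added example, not part of the original page: an LTPA LoginMapping in
     ibm-webservices-bnd.xmi (application-specific override of the default
     ws-security.xml mapping). Element names, xmi:id values and the authMethod
     and classname attributes are assumptions about the XMI format. -->
<securityRequestReceiverBindingConfig xmi:id="SecurityRequestReceiverBindingConfig_1">
  <loginMappings xmi:id="LoginMapping_1"
                 authMethod="LTPA"
                 configName="WSLogin">
    <!-- Factory that builds the JAAS CallbackHandler handed to the login module;
         the login module named by configName (looked up in security.xml first,
         then wsjaas.conf) validates the token and returns a Subject. -->
    <callbackHandlerFactory xmi:id="CallbackHandlerFactory_1"
        classname="com.ibm.wsspi.wssecurity.auth.callback.WSCallbackHandlerFactoryImpl"/>
    <!-- Must identify the same token type the sender's LoginBinding declares. -->
    <tokenValueType xmi:id="TokenValueType_1"
        uri="http://www.ibm.com/websphere/appserver/tokentype/5.0.2"
        localName="LTPA"/>
  </loginMappings>
</securityRequestReceiverBindingConfig>
```

Keep the uri and localName identical to the values in the sender's TokenValueType: the receiver selects the login mapping by token type, and a token that does not validate under the selected mapping is rejected with a SOAP fault rather than reaching the service. When the application-specific file is present it takes precedence over the default mapping in ws-security.xml, so a misconfigured override silently replaces a working default.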

Related Tasks

Configuring the server to handle LTPA token authentication information