
Default implementations of the WS-Security SPI


This information describes the default implementations of the service provider interfaces (SPI) for the WS-Security binding.

Default implementations for the JAX-RPC run time

 

Default implementations for the JAX-WS run time

com.ibm.ws.wssecurity.wssapi.token.impl.CommonTokenGenerator

This implementation invokes the JAAS CallbackHandler and JAAS login configuration specified in the binding to create the SecurityToken at run time on the outbound SOAP message.

com.ibm.websphere.wssecurity.callbackhandler.X509GenerateCallbackHandler

This class implements the javax.security.auth.callback.CallbackHandler interface on the outbound SOAP message, and retrieves the X.509 certificate.

The following properties may be specified:

  • com.ibm.wsspi.wssecurity.token.IDAssertion.isUsed. This property takes a boolean value, and the default value is false.

  • com.ibm.wsspi.wssecurity.token.cert.useRequestorCert. This property takes a boolean value, and the default value is false.

com.ibm.ws.wssecurity.wssapi.token.impl.X509GenerateLoginModule

The wss.generate.x509 JAAS system login configuration contains the class com.ibm.ws.wssecurity.wssapi.token.impl.X509GenerateLoginModule. X509GenerateLoginModule implements the javax.security.auth.spi.LoginModule interface and is responsible for generating an XML Username token structure, and also a com.ibm.websphere.wssecurity.wssapi.token.SecurityToken that represents the X.509 token at run time.

com.ibm.ws.wssecurity.wssapi.token.impl.PKCS7GenerateLoginModule

The wss.generate.pkcs7 JAAS system login configuration contains the class com.ibm.ws.wssecurity.wssapi.token.impl.PKCS7GenerateLoginModule. PKCS7GenerateLoginModule implements the javax.security.auth.spi.LoginModule interface and is responsible for generating an XML token structure and a com.ibm.websphere.wssecurity.wssapi.token.SecurityToken that represents the token at run time.

com.ibm.ws.wssecurity.wssapi.token.impl.PkiPathGenerateLoginModule

The wss.generate.pkiPath JAAS system login configuration contains the class com.ibm.ws.wssecurity.wssapi.token.impl.PkiPathGenerateLoginModule. PkiPathGenerateLoginModule implements the javax.security.auth.spi.LoginModule interface and is responsible for generating an XML token structure and a com.ibm.websphere.wssecurity.wssapi.token.SecurityToken that represents the token at run time.

com.ibm.websphere.wssecurity.callbackhandler.UNTGenerateCallbackHandler

This class implements the javax.security.auth.callback.CallbackHandler interface on the outbound SOAP message, and it retrieves the binding configuration and user name and password authentication data.

The following properties may be specified. These properties take a boolean value, and the default value is false.

com.ibm.ws.wssecurity.wssapi.token.impl.UNTGenerateLoginModule

The wss.generate.unt JAAS system login configuration contains the class com.ibm.ws.wssecurity.wssapi.token.impl.UNTGenerateLoginModule. UNTGenerateLoginModule implements the javax.security.auth.spi.LoginModule interface and is responsible for generating an XML Username token structure and also a com.ibm.websphere.wssecurity.wssapi.token.SecurityToken that represents the token at run time. When com.ibm.wsspi.wssecurity.token.IDAssertion.isUsed has the value of true, the generated username token does not contain a password. When com.ibm.wsspi.wssecurity.token.IDAssertion.sendRealm has the value of true, the user name is qualified by the local realm name. When com.ibm.wsspi.wssecurity.token.IDAssertion.trustedRealm has the value of true, the user name field contains both the user name and a registry-dependent unique identifier for the user. Both the user name and the unique identifier are qualified by the local realm name.

com.ibm.websphere.wssecurity.callbackhandler.KRBTokenGenerateCallbackHandler

This class implements the javax.security.auth.callback.CallbackHandler interface on the outbound SOAP message, and it retrieves the Kerberos user name and password, along with other binding configuration properties.

The following properties may be specified. The properties take a string that specifies the target service name as part of a service principal name (SPN), in the form of service_name/host_name@Kerberos_realm_name.

com.ibm.ws.wssecurity.wssapi.token.impl.KRBGenerateLoginModule

The wss.generate.KRB5BST JAAS system login configuration contains the classes com.ibm.ws.wssecurity.wssapi.token.impl.KRBGenerateLoginModule, and com.ibm.ws.wssecurity.wssapi.token.impl.DKTGenerateLoginModule. KRBGenerateLoginModule implements the javax.security.auth.spi.LoginModule interface and is responsible for generating an XML token structure and a com.ibm.websphere.wssecurity.wssapi.token.SecurityToken that represents the token at run time.

com.ibm.ws.wssecurity.wssapi.token.impl.DKTGenerateLoginModule

The wss.generate.KRB5BST JAAS system login configuration contains the classes com.ibm.ws.wssecurity.wssapi.token.impl.KRBGenerateLoginModule, and com.ibm.ws.wssecurity.wssapi.token.impl.DKTGenerateLoginModule. DKTGenerateLoginModule implements the javax.security.auth.spi.LoginModule interface and is responsible for generating an XML token structure and a com.ibm.websphere.wssecurity.wssapi.token.SecurityToken that represents the token at run time when the Requires derived keys option is enabled.

com.ibm.websphere.wssecurity.callbackhandler.LTPAGenerateCallbackHandler

This class implements the javax.security.auth.callback.CallbackHandler interface on the outbound SOAP message, and it retrieves the user name and password binding data if they are specified.

com.ibm.ws.wssecurity.wssapi.token.impl.LTPAGenerateLoginModule

The wss.generate.ltpa JAAS system login configuration contains the class com.ibm.ws.wssecurity.wssapi.token.impl.LTPAGenerateLoginModule. LTPAGenerateLoginModule implements the javax.security.auth.spi.LoginModule interface and is responsible for generating an XML token structure and a com.ibm.websphere.wssecurity.wssapi.token.SecurityToken that represents the token at run time. The security token contains an LTPA token that is generated from the user name and password if they are defined in the binding data, or the LTPA authentication token from the RunAs Subject, in that order.

com.ibm.ws.wssecurity.wssapi.token.impl.LTPAPropagationGenerateLoginModule

The wss.generate.ltpaProp JAAS system login configuration contains com.ibm.ws.wssecurity.wssapi.token.impl.LTPAPropagationGenerateLoginModule. LTPAPropagationGenerateLoginModule implements the javax.security.auth.spi.LoginModule interface and is responsible for generating an XML token structure and a com.ibm.websphere.wssecurity.wssapi.token.SecurityToken that represents the token at run time. The security token contains the serialized RunAs Subject.

com.ibm.ws.wssecurity.impl.auth.callback.WSTrustCallbackHandler

This class implements the javax.security.auth.callback.CallbackHandler interface on the outbound SOAP message, and it retrieves security context token configuration data.

com.ibm.ws.wssecurity.wssapi.token.impl.SCTGenerateLoginModule

The wss.generate.sct JAAS system login configuration contains the classes com.ibm.ws.wssecurity.wssapi.token.impl.SCTGenerateLoginModule, and com.ibm.ws.wssecurity.wssapi.token.impl.DKTGenerateLoginModule. SCTGenerateLoginModule implements the javax.security.auth.spi.LoginModule interface and is responsible for generating an XML token structure and a com.ibm.websphere.wssecurity.wssapi.token.SecurityToken that represents the security context token at run time.

com.ibm.ws.wssecurity.wssapi.token.impl.DKTGenerateLoginModule

The wss.generate.sct JAAS system login configuration contains the classes com.ibm.ws.wssecurity.wssapi.token.impl.SCTGenerateLoginModule, and com.ibm.ws.wssecurity.wssapi.token.impl.DKTGenerateLoginModule. DKTGenerateLoginModule implements the javax.security.auth.spi.LoginModule interface and is responsible for generating an XML token structure and a com.ibm.websphere.wssecurity.wssapi.token.SecurityToken that represents the token at run time when the Requires derived keys option is enabled.

com.ibm.ws.wssecurity.wssapi.token.impl.CommonTokenConsumer

This implementation invokes the JAAS CallbackHandler and JAAS login configuration specified in the binding to extract the security token from the inbound SOAP message and to create the SecurityToken object at run time.

com.ibm.websphere.wssecurity.callbackhandler.X509ConsumeCallbackHandler

This class implements the javax.security.auth.callback.CallbackHandler interface on the inbound SOAP message, and it retrieves the trust store and certificate file information that are required to validate the X.509 certificate.

com.ibm.ws.wssecurity.wssapi.token.impl.X509ConsumeLoginModule

The wss.consume.x509 JAAS system login configuration contains the class com.ibm.ws.wssecurity.wssapi.token.impl.X509ConsumeLoginModule. X509ConsumeLoginModule implements the javax.security.auth.spi.LoginModule interface and is responsible for retrieving and validating the X.509 certificate. It creates a com.ibm.websphere.wssecurity.wssapi.token.SecurityToken that represents the X.509 token at run time.

com.ibm.ws.wssecurity.wssapi.token.impl.PKCS7ConsumeLoginModule

The wss.consume.pkcs7 JAAS system login configuration contains the class com.ibm.ws.wssecurity.wssapi.token.impl.PKCS7ConsumeLoginModule. PKCS7ConsumeLoginModule implements the javax.security.auth.spi.LoginModule interface and is responsible for retrieving and validating the X.509 certificate. It creates a com.ibm.websphere.wssecurity.wssapi.token.SecurityToken that represents the X.509 token at run time.

com.ibm.ws.wssecurity.wssapi.token.impl.PkiPathConsumeLoginModule

The wss.consume.pkiPath JAAS system login configuration contains the class com.ibm.ws.wssecurity.wssapi.token.impl.PkiPathConsumeLoginModule. PkiPathConsumeLoginModule implements the javax.security.auth.spi.LoginModule interface and is responsible for retrieving and validating the X.509 certificate. It creates a com.ibm.websphere.wssecurity.wssapi.token.SecurityToken that represents the X.509 token at run time.

com.ibm.websphere.wssecurity.callbackhandler.UNTConsumeCallbackHandler

This class implements the javax.security.auth.callback.CallbackHandler interface on the inbound SOAP message, and it retrieves the binding configuration data.

The following properties may be specified. These properties take a boolean value and the default value is false.

com.ibm.ws.wssecurity.wssapi.token.impl.UNTConsumeLoginModule

The wss.consume.unt JAAS system login configuration contains the class com.ibm.ws.wssecurity.wssapi.token.impl.UNTConsumeLoginModule. UNTConsumeLoginModule implements the javax.security.auth.spi.LoginModule interface and is responsible for retrieving and validating the username token. It creates a com.ibm.websphere.wssecurity.wssapi.token.SecurityToken that represents the username token at run time. When com.ibm.wsspi.wssecurity.token.IDAssertion.isUsed has the value of false, UNTConsumeLoginModule validates the username and password against the local user registry. An incorrect user name or incorrect or missing password will cause the token validation to fail. When com.ibm.wsspi.wssecurity.token.IDAssertion.isUsed has a value of true, and com.ibm.wsspi.wssecurity.token.IDAssertion.trustedRealm has a value of false, the user name is validated against the local user registry. There should be no password in the username token. When both com.ibm.wsspi.wssecurity.token.IDAssertion.isUsed and com.ibm.wsspi.wssecurity.token.IDAssertion.trustedRealm have a value of true, the user name field must contain a realm-qualified user name and unique user identifier data, and the realm must be one of the trusted realms in the multiple security domain inbound trust configuration.
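The three IDAssertion cases described above, written out as an added Java example; this is not WebSphere code and not the real UNTConsumeLoginModule, only a JAAS LoginModule that applies the same decision table. The UserRegistry interface, the UsernameToken class, the shared-state keys, the "realm/user/uid" delimiter for the realm-qualified name, and the way the registry and trusted-realm set reach the module through the options map are all assumptions. The two property names are taken from the page. In the second case the page says there should be no password in the token; this example goes one step further and rejects a token that carries one, which is this example's choice rather than documented behaviour.

```java
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/**
 * Added example (not WebSphere code): a JAAS LoginModule that applies the
 * three IDAssertion cases for a consumed username token. UserRegistry,
 * UsernameToken and the shared-state keys are assumptions for this example.
 */
public class ExampleUntConsumeLoginModule implements LoginModule {

    /** Hypothetical stand-in for the local user registry. */
    public interface UserRegistry {
        boolean userExists(String user);
        boolean checkPassword(String user, char[] password);
    }

    /** Constructed representation of the parsed wsse:UsernameToken. */
    public static final class UsernameToken {
        public final String username;   // "realm/user/uid" when trustedRealm is in use (assumed delimiter)
        public final char[] password;   // null when the token carries no password
        public UsernameToken(String username, char[] password) {
            this.username = username;
            this.password = password;
        }
    }

    // Property names from the page; the shared-state and option keys are assumptions.
    static final String IS_USED = "com.ibm.wsspi.wssecurity.token.IDAssertion.isUsed";
    static final String TRUSTED_REALM = "com.ibm.wsspi.wssecurity.token.IDAssertion.trustedRealm";
    static final String SS_TOKEN = "example.unt.token";
    static final String SS_CALLER = "example.validated.caller";

    private Map<String, Object> sharedState;
    private boolean isUsed;
    private boolean trustedRealm;
    private UserRegistry registry;        // assumption: supplied through options
    private Set<String> trustedRealms;    // assumption: supplied through options
    private String validatedCaller;

    @Override
    @SuppressWarnings("unchecked")
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.sharedState = (Map<String, Object>) sharedState;
        // Both flags default to false when absent, matching the documented defaults.
        this.isUsed = Boolean.parseBoolean(String.valueOf(options.get(IS_USED)));
        this.trustedRealm = Boolean.parseBoolean(String.valueOf(options.get(TRUSTED_REALM)));
        this.registry = (UserRegistry) options.get("example.registry");
        this.trustedRealms = (Set<String>) options.get("example.trustedRealms");
    }

    @Override
    public boolean login() throws LoginException {
        UsernameToken token = (UsernameToken) sharedState.get(SS_TOKEN);
        if (token == null) {
            throw new FailedLoginException("no username token to consume");
        }
        validatedCaller = validate(token, isUsed, trustedRealm, registry, trustedRealms);
        return true;
    }

    /** The decision table from the page, factored out so it can be exercised on its own. */
    public static String validate(UsernameToken t, boolean isUsed, boolean trustedRealm,
                                  UserRegistry reg, Set<String> trustedRealms) throws LoginException {
        if (!isUsed) {
            // Case 1: ordinary authentication; a missing or wrong password fails the token.
            if (t.password == null || !reg.checkPassword(t.username, t.password)) {
                throw new FailedLoginException("user name or password rejected by local registry");
            }
            return t.username;
        }
        if (!trustedRealm) {
            // Case 2: identity assertion within the local realm; only the name is checked.
            // Rejecting a token that carries a password is this example's stricter choice.
            if (t.password != null) {
                throw new FailedLoginException("identity assertion must not carry a password");
            }
            if (!reg.userExists(t.username)) {
                throw new FailedLoginException("asserted user not found in local registry");
            }
            return t.username;
        }
        // Case 3: cross-realm assertion; expect realm-qualified name plus unique id.
        String[] parts = t.username.split("/", 3);
        if (parts.length != 3) {
            throw new FailedLoginException("expected realm-qualified user name and unique identifier");
        }
        if (!trustedRealms.contains(parts[0])) {
            throw new FailedLoginException("realm " + parts[0] + " is not in the inbound trust configuration");
        }
        return parts[0] + "/" + parts[1];
    }

    @Override
    public boolean commit() {
        sharedState.put(SS_CALLER, validatedCaller);   // hand the caller to the next module in the stack
        return true;
    }

    @Override
    public boolean abort() {
        validatedCaller = null;
        return true;
    }

    @Override
    public boolean logout() {
        sharedState.remove(SS_CALLER);
        return true;
    }
}
```

The point of factoring the policy into a static validate method is that the three branches can be exercised with a fake registry outside a JAAS stack; a LoginModule itself only gets its inputs through initialize, login and the shared state, and the commit step is where the validated caller is placed for the caller login modules described later on this page.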

com.ibm.websphere.wssecurity.callbackhandler.KRBTokenConsumeCallbackHandler

This class implements the javax.security.auth.callback.CallbackHandler interface on the inbound SOAP message, and it retrieves the binding configuration data.

com.ibm.ws.wssecurity.wssapi.token.impl.KRBConsumeLoginModule

The wss.consume.KRB5BST JAAS system login configuration contains the classes com.ibm.ws.wssecurity.wssapi.token.impl.KRBConsumeLoginModule, and com.ibm.ws.wssecurity.wssapi.token.impl.DKTConsumeLoginModule. KRBConsumeLoginModule implements the javax.security.auth.spi.LoginModule interface and is responsible for retrieving and validating the Kerberos AP_REQ token. It creates a com.ibm.websphere.wssecurity.wssapi.token.SecurityToken that represents the AP_REQ token at run time.

com.ibm.ws.wssecurity.wssapi.token.impl.DKTConsumeLoginModule

The wss.consume.KRB5BST JAAS system login configuration contains the classes com.ibm.ws.wssecurity.wssapi.token.impl.KRBConsumeLoginModule, and com.ibm.ws.wssecurity.wssapi.token.impl.DKTConsumeLoginModule. DKTConsumeLoginModule implements the javax.security.auth.spi.LoginModule interface and is responsible for retrieving the derived key when a derived key is required.

com.ibm.websphere.wssecurity.callbackhandler.LTPAConsumeCallbackHandler

This class implements the javax.security.auth.callback.CallbackHandler interface on the inbound SOAP message, and it retrieves the binding configuration data.

com.ibm.ws.wssecurity.wssapi.token.impl.LTPAConsumeLoginModule

The wss.consume.ltpa JAAS system login configuration contains the class com.ibm.ws.wssecurity.wssapi.token.impl.LTPAConsumeLoginModule. LTPAConsumeLoginModule implements the javax.security.auth.spi.LoginModule interface and is responsible for retrieving and validating the LTPA v2 or LTPA token. It creates a com.ibm.websphere.wssecurity.wssapi.token.SecurityToken that represents the LTPA v2 or LTPA token at run time.

com.ibm.ws.wssecurity.wssapi.token.impl.LTPAPropagationConsumeLoginModule

The wss.consume.ltpaProp JAAS system login configuration contains the class com.ibm.ws.wssecurity.wssapi.token.impl.LTPAPropagationConsumeLoginModule. LTPAPropagationConsumeLoginModule implements the javax.security.auth.spi.LoginModule interface and is responsible for retrieving, deserializing, and validating the propagation token and reconstructing the security context.

com.ibm.ws.wssecurity.impl.auth.callback.SCTConsumeCallbackHandler

This class implements the javax.security.auth.callback.CallbackHandler interface on the outbound SOAP message, and it retrieves the binding configuration data.

com.ibm.ws.wssecurity.wssapi.token.impl.SCTConsumeLoginModule

The wss.consume.sct JAAS system login configuration contains the classes com.ibm.ws.wssecurity.wssapi.token.impl.SCTConsumeLoginModule, and com.ibm.ws.wssecurity.wssapi.token.impl.DKTConsumeLoginModule. SCTConsumeLoginModule implements the javax.security.auth.spi.LoginModule interface and is responsible for retrieving and validating the security context token.

com.ibm.ws.wssecurity.wssapi.token.impl.DKTConsumeLoginModule

The wss.consume.sct JAAS system login configuration contains the classes com.ibm.ws.wssecurity.wssapi.token.impl.SCTConsumeLoginModule, and com.ibm.ws.wssecurity.wssapi.token.impl.DKTConsumeLoginModule. DKTConsumeLoginModule implements the javax.security.auth.spi.LoginModule interface and is responsible for retrieving the derived key when a derived key is required.

com.ibm.ws.wssecurity.impl.auth.module.PreCallerLoginModule

The wss.caller JAAS system login configuration contains the class com.ibm.ws.wssecurity.impl.auth.module.PreCallerLoginModule. PreCallerLoginModule implements the javax.security.auth.spi.LoginModule interface and is responsible for validating whether it has received any security token that may be used to establish caller identity or trusted identity.

com.ibm.ws.wssecurity.impl.auth.module.UNTCallerLoginModule

The wss.caller JAAS system login configuration contains the class com.ibm.ws.wssecurity.impl.auth.module.UNTCallerLoginModule. UNTCallerLoginModule implements the javax.security.auth.spi.LoginModule interface. UNTCallerLoginModule also determines if the user identity is authorized to make an identity assertion if the username is configured to be a trusted identity, or if there is exactly one caller identity if the username token is configured to be a caller identity. It sets the validated caller and trusted identity into the shared state.

com.ibm.ws.wssecurity.impl.auth.module.X509CallerLoginModule

The wss.caller JAAS system login configuration contains com.ibm.ws.wssecurity.impl.auth.module.X509CallerLoginModule. X509CallerLoginModule implements the javax.security.auth.spi.LoginModule interface. X509CallerLoginModule checks to see if the user identity is authorized to make an identity assertion if the X509 token is configured to be a trusted identity, or if there is exactly one caller identity if the X509 token is configured to be a caller identity. It sets the validated caller and trusted identity into the shared state.

com.ibm.ws.wssecurity.impl.auth.module.LTPACallerLoginModule

The wss.caller JAAS system login configuration contains the class com.ibm.ws.wssecurity.impl.auth.module.LTPACallerLoginModule. LTPACallerLoginModule implements the javax.security.auth.spi.LoginModule interface. LTPACallerLoginModule also checks to see if the user identity is authorized to make an identity assertion if the LTPA token is configured to be a trusted identity, or if there is exactly one caller identity if the LTPA token is configured to be a caller identity. It sets the validated caller and trusted identity into the shared state.

com.ibm.ws.wssecurity.impl.auth.module.LTPAPropagationCallerLoginModule

The wss.caller JAAS system login configuration contains the class com.ibm.ws.wssecurity.impl.auth.module.LTPAPropagationCallerLoginModule. LTPAPropagationCallerLoginModule implements the javax.security.auth.spi.LoginModule interface. LTPAPropagationCallerLoginModule also checks to see if the user identity is authorized to make an identity assertion if the propagation token is configured to be a trusted identity, or if there is exactly one caller identity if the propagation token is configured to be a caller identity. It sets the validated caller and trusted identity into the shared state.

com.ibm.ws.wssecurity.impl.auth.module.KRBCallerLoginModule

The wss.caller JAAS system login configuration contains com.ibm.ws.wssecurity.impl.auth.module.KRBCallerLoginModule. KRBCallerLoginModule implements the javax.security.auth.spi.LoginModule interface. KRBCallerLoginModule also checks to see if the user identity is authorized to make an identity assertion if the Kerberos token is configured to be a trusted identity, or if there is exactly one caller identity if the Kerberos token is configured to be a caller identity. It sets the validated caller and trusted identity into the shared state.

com.ibm.ws.wssecurity.impl.auth.module.WSWSSLoginModule

The wss.caller JAAS system login configuration contains the class com.ibm.ws.wssecurity.impl.auth.module.WSWSSLoginModule. WSWSSLoginModule implements the javax.security.auth.spi.LoginModule interface and is responsible for asserting the caller identity to the ltpaLoginModule and the wsMapDefaultInboundLoginModule to establish the caller security context.

com.ibm.ws.security.server.lm.ltpaLoginModule

The wss.caller JAAS system login configuration contains the class com.ibm.ws.security.server.lm.ltpaLoginModule.

com.ibm.ws.security.server.lm.wsMapDefaultInboundLoginModule

The wss.caller JAAS system login configuration contains the class com.ibm.ws.security.server.lm.wsMapDefaultInboundLoginModule.

Related concepts

High-level architecture for WS-Security

Related tasks

Secure Web services for V5.x applications based on WS-Security
Secure Web services applications using message level security