Generic security token login module for the token consumer
When a web service message is received, the application server calls the generic security token login module for the token consumer as part of the Web Services Security authentication process.
The login module delegates the token validation process to the WS-Trust service using WS-Trust Validate. The WS-Trust Security Token Service processes the request and returns a RequestSecurityTokenResponse message to login module, which might contain a new security token or validation status code only. The returned token from the WS-Trust Security Token Service or the original received token is the caller token if the caller token is required.
If the trust service call returns an invalid status code or an error, the token validation process fails and the login module produces a LoginException exception.
The login module, and its use of the WS-Trust Service, permits the following actions:
- The exchange of security tokens when the incoming or outgoing security tokens are different types
- The exchange of security tokens when you map one identity to another identity
- The evaluation of authorization checks to ensure that authenticated users are permitted to invoke the target web service
The JAAS login configuration name is wss.consume.issuedToken, and the callback handler class name is com.ibm.websphere.wssecurity.callbackhandler.GenericIssuedTokenConsumeCallbackHandler.
Supported token types
The receiving token must have a ValueType value that the designated trust service can handle and exchange. The valid token ValidType value might be a known token type supported by system default login modules. The valid incoming tokens can be a user name token, an XML token, or a binary security token, including the following token types:
- SAML 2.0
- SAML 1.1
- Username
- PassTicket
- Kerberos
- Lightweight Third Party Authentication (LTPA)
- Security Access Manager credential
However, if WS-Trust Validate does not complete the token exchange and returns a validation status code only, the incoming token type must be one of following token types:
- SAML 2.0
- SAML 1.1
- Username
- Kerberos
- LTPA v2
- LTPA
Also, the return token value type from WS-Trust call must be one of the previous token types.
- The received token sent by the requesting party is the token specified in the policy.
- Use this token for authentication only. We cannot use this token as a protection token.
Policy sets
The implementation of the generic security token login module can support any authentication tokens supported by system default login modules or by a custom login module. The generic security token login module implementation does not add a new security token type in the policy set. For example, if we plan to use a generic security token login module to generate a user name token, we can create a policy set that specifies a user name token as an authentication token. Any token types supported by designated security token services can be used with the generic security token login modules. We can implement custom login modules to process any new token types that are not supported by the existing default system login modules.
Bindings
When we configure bindings for an authentication token, we have the following options:
- Use a generic login module.
- Use an existing system default login module.
- Create our own custom login module.
For example, if we configure a user name token, we can use the wss.consume.unt JAAS login configuration and maintain the existing behavior. However, we can configure the wss.consume.issuedToken JAAS login to use the generic login module.
Related:
Generic security token login modules Generic security token login module for the token generator Configure a generic security token login module for an authentication token: Token consumer