Web Services Security token propagation

Web Services Security can send security tokens in the security header of a SOAP message. These security tokens can be used to sign, verify, encrypt or decrypt message parts. Security tokens can also be sent as stand-alone security tokens and set as the caller on the request consumer. Web Services Security token propagation sends these stand-alone security tokens in a wsse:BinarySecurityToken element within the security header of the SOAP message.
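The following added example (not part of the original documentation or the product's code) audits a SOAP security header and separates wsse:BinarySecurityToken elements that back a signature or encryption key from those sent stand-alone. It assumes a token is stand-alone when no wsse:SecurityTokenReference/wsse:Reference in the header points at its wsu:Id; the function name, token IDs and ValueType URIs are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
}
WSU_ID = "{%s}Id" % NS["wsu"]

# Constructed sample message. The ValueType URIs and token bodies are
# placeholders, not the product's real token type URI or a real token.
SAMPLE = f"""<soap:Envelope xmlns:soap="{NS['soap']}"
    xmlns:wsse="{NS['wsse']}" xmlns:wsu="{NS['wsu']}">
 <soap:Header><wsse:Security>
  <wsse:BinarySecurityToken wsu:Id="x509-1" ValueType="urn:example:x509">AAAA</wsse:BinarySecurityToken>
  <wsse:BinarySecurityToken wsu:Id="prop-1" ValueType="urn:example:propagation">BBBB</wsse:BinarySecurityToken>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><KeyInfo>
   <wsse:SecurityTokenReference><wsse:Reference URI="#x509-1"/></wsse:SecurityTokenReference>
  </KeyInfo></Signature>
 </wsse:Security></soap:Header>
 <soap:Body/>
</soap:Envelope>"""


def classify_tokens(envelope_xml):
    """Return (wsu:Id, ValueType, role) for each BinarySecurityToken.

    role is "referenced" when a SecurityTokenReference in the same header
    points at the token, otherwise "stand-alone" (assumption of this example).
    Use a hardened XML parser when the message comes from an untrusted peer.
    """
    root = ET.fromstring(envelope_xml)
    result = []
    for sec in root.findall("soap:Header/wsse:Security", NS):
        # Collect the fragment IDs that token references in this header use.
        referenced = {
            ref.get("URI", "")[1:]
            for ref in sec.iterfind(".//wsse:SecurityTokenReference/wsse:Reference", NS)
            if ref.get("URI", "").startswith("#")
        }
        for tok in sec.findall("wsse:BinarySecurityToken", NS):
            tok_id = tok.get(WSU_ID)
            role = "referenced" if tok_id in referenced else "stand-alone"
            result.append((tok_id, tok.get("ValueType"), role))
    return result
```

A stand-alone token that the receiver accepts as the caller is only as trustworthy as the message protection around it, so output like this is useful when reviewing which tokens a policy actually signs or encrypts.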

Web Services Security has the following built-in token types:

We can configure Web Services Security to use custom security tokens. Web Services Security uses the same propagation token format as the Security attribute propagation feature. Web Services Security can propagate all of the built-in security token types and can propagate custom token types as long as they are serializable by the security attribute propagation feature.

When we configure a propagation token in a token generator or token consumer, use the following values for the token type Uniform Resource Identifier (URI) and local name:

When a propagation token is generated, Web Services Security gathers all of the serializable security tokens in the RunAs subject for the current thread and serializes them within a wsse:BinarySecurityToken token. To have a RunAs subject and the necessary credentials on the current thread, a JAAS login must occur on the current thread before a propagation token can be created.

Under ordinary circumstances, for a service provider, the JAAS login is achieved by including a defined caller part for the inbound token in the WS-Security configuration. For a web services client, the JAAS login is achieved by configuring HTTP basic authentication.

There are two common uses for a propagation token:

Important: For the receiver of the LTPA propagation token to make proper use of the credentials that were sent to it in the propagation token, configure and define a caller part for the token in the WS-Security configuration on the receiver side.


Related:

  • Security attribute propagation
  • Configure token generators using JAX-RPC to protect message authenticity at the server or cell level
  • Configure token consumers using JAX-RPC to protect message authenticity at the application level
  • Token generator configuration settings
  • Token consumer configuration settings