BasicAuth authentication method
When you use the BasicAuth authentication method, the security
token that is generated is a <wsse:UsernameToken> element with <wsse:Username>
and <wsse:Password> elements.
WebSphere Application Server supports text passwords but not password digests,
because passwords are not stored on the server and cannot be retrieved from it.
On the request sender side, a callback handler is invoked to generate the
security token. On the request receiver side, a Java Authentication and Authorization
Service (JAAS) login module is used to validate the security token. These
two operations, token generation and token validation, are described in the
following sections.
- BasicAuth token generation
- The request sender generates a BasicAuth security token using a callback
handler. The security token returned by the callback handler is inserted in
the Simple Object Access Protocol (SOAP) message. The callback handler that
is used is specified in the <LoginBinding> element of the bindings file, ibm-webservicesclient-bnd.xmi.
The following callback handler implementations are provided with WebSphere
Application Server and can be used with the BasicAuth authentication method:
- com.ibm.wsspi.wssecurity.auth.callback.GUIPromptCallbackHandler
- com.ibm.wsspi.wssecurity.auth.callback.StdinPromptCallbackHandler
- com.ibm.wsspi.wssecurity.auth.callback.NonPromptCallbackHandler
You can add your own callback handlers that implement the javax.security.auth.callback.CallbackHandler interface.
- BasicAuth token validation
- The request receiver retrieves the BasicAuth security token from the SOAP
message and validates it using a JAAS login module. The <wsse:Username>
and <wsse:Password> elements in the security token are used to perform
the validation. If the validation is successful, the login module returns
a JAAS Subject. This Subject is set as the identity of the running thread.
If the validation fails, the request is rejected with a SOAP fault exception.
The JAAS login configuration is specified in the <LoginMapping> element of
the bindings file. Default bindings are specified in the ws-security.xml file.
However, you can override these bindings using the application-specific ibm-webservices-bnd.xmi file.
The configuration information consists of a CallbackHandlerFactory and a ConfigName
value. The CallbackHandlerFactory option specifies the name of a class that
is used for creating the JAAS CallbackHandler object. WebSphere Application
Server provides the com.ibm.wsspi.wssecurity.auth.callback.WSCallbackHandlerFactoryImpl
CallbackHandlerFactory implementation. The ConfigName value specifies a JAAS
configuration name entry. WebSphere Application Server searches the security.xml file
for a matching configuration name entry. If a match is not found, it searches
the wsjaas.conf file for a match. WebSphere Application Server provides
the WSLogin default configuration entry, which is suitable for
the BasicAuth authentication method.
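
The custom callback handlers mentioned under BasicAuth token generation can look like the following added example, which is not code from WebSphere Application Server or from the original page. It assumes the handler is passed a NameCallback and a PasswordCallback; the class name, the ws.client.credentials system property and the username/password property keys are hypothetical.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.Arrays;
import java.util.Properties;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;

// Hypothetical handler (not shipped with WebSphere): reads the BasicAuth
// credentials from a properties file named by -Dws.client.credentials=<path>
// (an assumed property name), so they are not hard-coded in source.
public class FileCredentialCallbackHandler implements CallbackHandler {

    public void handle(Callback[] callbacks)
            throws IOException, UnsupportedCallbackException {
        Properties creds = load();
        for (int i = 0; i < callbacks.length; i++) {
            Callback cb = callbacks[i];
            if (cb instanceof NameCallback) {
                ((NameCallback) cb).setName(require(creds, "username"));
            } else if (cb instanceof PasswordCallback) {
                char[] pw = require(creds, "password").toCharArray();
                ((PasswordCallback) cb).setPassword(pw); // stores its own copy
                Arrays.fill(pw, '\0');                    // wipe the local copy
            } else {
                // Fail closed on anything other than name/password.
                throw new UnsupportedCallbackException(cb, "Unsupported callback");
            }
        }
    }

    private static Properties load() throws IOException {
        String path = System.getProperty("ws.client.credentials");
        if (path == null) throw new IOException("ws.client.credentials is not set");
        Properties p = new Properties();
        InputStream in = new FileInputStream(path);
        try { p.load(in); } finally { in.close(); }
        return p;
    }

    private static String require(Properties p, String key) throws IOException {
        String v = p.getProperty(key);
        if (v == null || v.length() == 0) throw new IOException("Missing " + key);
        return v;
    }
}
```

Restrict read access on the credentials file to the account that runs the client, because it holds the same text password that is placed in the <wsse:Password> element.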

Last updated: Jun 21, 2007 8:07:48 PM CDT
WebSphere Business Integration Server Foundation, Version 5.0.2
http://publib.boulder.ibm.com/infocenter/wasinfo/index.jsp?topic=/com.ibm.wasee.doc/info/ee/ae/cwbs_authbasicauth.html