Configuring pluggable tokens using the Administrative Console
You can configure a pluggable token in the request sender (ibm-webservicesclient-ext.xmi and ibm-webservicesclient-bnd.xmi file) and request receiver (ibm-webservices-ext.xmi and ibm-webservices-bnd.xmi file).
Before you begin
Prior to completing these steps, it is assumed that you have already
created a Web services-enabled Java 2 Platform, Enterprise Edition (J2EE)
with a Web Services for J2EE (JSR 109) enterprise application. If not, see
Developing Web services to create
Web services-enabled J2EE with a JSR 109 enterprise application. See either
of the following topics for an introduction of how to manage Web services
security binding information for the server:
Also prior to completing these steps, it is assumed that you deployed
a Web services-enabled enterprise application to the WebSphere Application
Server.
Why and when to perform this task
Note: The pluggable token is required
for the request sender and request receiver as they are a pair. The request
sender and the request receiver must match for a request to be accepted by
the receiver.
Complete the following steps to configure the client-side
request sender (ibm-webservicesclient-bnd.xmi file) or server-side
request receiver (ibm-webservices-bnd.xmi file) using the WebSphere
Application Server Administrative Console.
Steps for this task
- Click Applications > Enterprise Applications > enterprise_application.
- Under Related Items, click either EJB Modules > Uri or Web
Modules > Uri. The Uri is the Web services-enabled module
- Under Additional Properties, click Web Services: Client Security
Bindings to edit the response sender binding information, if Web services
is acting as client.
- Under Response Sender Binding, click Edit.
- Under Additional Properties, click Login Binding.
- Select Dedicated Login Binding to define a new login
binding.
- Enter the authentication method, this must match the authentication method
defined in IBM extension deployment descriptor. The authentication method
must be unique in the binding file.
- Enter an implementation of the JAAS javax.security.auth.callback.CallbackHandler interface.
- Enter the basic authentication information (User ID and Password) and
the basic authentication information is passed to the construct of the CallbackHandler
implementation. The usage of the basic authentication information is up to
the implementation of the CallbackHandler.
- Enter the token value type, it is optional for BasicAuth, Signature and
IDAssertion authentication methods but required for any other authentication
method. The token value type is inserted into the <wsse:BinarySecurityToken>@ValueType for
binary security token and used as the namespace of the XML based token.
- Click Properties. Define the property with name and value pairs.
These pairs are passed to the construct of the CallbackHandler implementation
as java.util.Map.
- Select None to deselect the login binding.
- Under Additional Properties, click Web Services: Server Security
Bindings to edit the request receiver binding information.
- Under Request Receiver Binding, click Edit.
- Under Additional Properties, click Login Mappings.
- Click New to create new login mapping.
- Enter the authentication method, this must match the authentication method
defined in the IBM extension deployment descriptor. The authentication method
must be unique in the login mapping collection of the binding file.
- Enter a JAAS Login Configuration name. The JAAS Login Configuration must
be defined in Security > JAAS Configuration > Application Logins.
- Enter an implementation of the com.ibm.wsspi.wssecurity.auth.callback.CallbackHandlerFactory interface.
This is a mandatory field.
- Enter the token value type, it is optional for BasicAuth, Signature and
IDAssertion authentication methods but required for any other authentication
method. The token value type is used to validate against the <wsse:BinarySecurityToken>@ValueType for
binary security token and against the namespace of the XML based token.
- Enter the name and value pairs for the "Login Mapping Property" by clicking Properties .
These name and value pairs are available to the JAAS Login Module or Modules
by com.ibm.wsspi.wssecurity.auth.callback.PropertyCallback JAAS Callback. Note:
This is true when editing existing login mappings but not when creating new
login mappings.
- Enter the name and value pairs for the "Callback Handler Factory Property",
these name and value pairs is passed as java.util.Map to the com.ibm.wsspi.wssecurity.auth.callback.CallbackHandlerFactory.init() method. The usage of these name and value pairs is up to the CallbackHandlerFactory
implementation.
- Click authentication method link to edit the selected login
mapping.
- Click Remove to remove the selected login mapping or
mappings.
- Click Save in the upper-left section of the Administrative
Console.
Results
The previous steps define how to configure the request
sender to create security tokens in the SOAP message and the request receiver
to validate the security tokens found in the incoming SOAP message. WebSphere
Application Server supports pluggable security tokens.
You
can use the authentication method defined in the login bindings and login
mappings to generate security tokens in the request sender and validate security
tokens in the request receiver.

Pluggable token support
Authentication method overview
Binary security token
XML token
Username token element
Security token
Token type overview

Securing Web services using a pluggable token
Configuring pluggable tokens using the Assembly Toolkit
Developing Web services based on Web Services for J2EE
Configuring application logins for Java Authentication and Authorization Service
Searchable topic ID:
twbs_confplugac
Last updated: Jun 21, 2007 9:56:50 PM CDT
WebSphere Application Server for z/OS, Version 5.0.2
http://publib.boulder.ibm.com/infocenter/wasinfo/index.jsp?topic=/com.ibm.websphere.zseries.doc/info/zseries/ae/twbs_confplugac.html