Message layer authentication defines the credential information and sends that information across the network so that a receiving server can interpret it.
When you send authentication information across the network using a token (whether the token is a user ID and password token, that is, Generic Security Services Username Password (GSSUP), or a mechanism-specific format token), the transmission is considered message layer authentication because the data is sent along with the message inside a service context.
A pure Java client uses basic authentication (GSSUP) as the authentication mechanism to establish client identity.
The security token contained in a token-based credential is authentication mechanism-specific. That is, the way the token is interpreted is only known by the authentication mechanism. Therefore, each authentication mechanism has an object ID (OID) representing it. The OID and the client token are sent to the server, so that the server knows which mechanism to use when reading and validating the token. The following list contains the OIDs for each mechanism:
BasicAuth (GSSUP): oid:2.23.130.1.1.1
LTPA: oid:1.3.18.0.2.30.2
SWAM: No OID because it is not forwardable

BasicAuth (GSSUP): oid:2.23.130.1.1.1
SWAM: No OID because it is not forwardable
On the server, the authentication mechanisms can interpret the token and create a credential, or they can authenticate basic authentication data from the client, and create a credential. Either way, the created credential is the received credential that the authorization check uses to determine if the user has access to invoke the method. You can specify the authentication mechanism by using the following property on the client side:
com.ibm.CSI.performClientAuthenticationtype=SAFUSERIDPASSWORD
Basic authentication is currently the only valid value. You can configure the server through the administrative console.
Note: When perform basic authentication is enabled, if the client is not similarly configured (and does not pass a credential such as a user ID and password), the server object request broker (ORB) does not.
While this property tells you which authentication mechanism to use, you also need to specify whether you want to perform authentication over the message layer (that is, get a BasicAuth or token-based credential). To complete this task, specify the com.ibm.CSI.performClientAuthenticationRequired (True or False) and com.ibm.CSI.performClientAuthenticationSupported (True or False) properties. Indicating that client authentication is required implies that it must be done for every request. Indicating that the authentication mechanism is supported implies that it might be done but is not required. For some servers, this option is appropriate if no resources are protected. In most cases it is a best practice to indicate that this mechanism is supported so that client authentication is performed if both the client and server support it. Client authentication is not performed when communicating with certain servers that do not want security, yet the method requests still succeed.
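The Required and Supported semantics above, together with the OID lookup described earlier, can be checked with a small audit script. This is an added example, not WebSphere code. Its assumptions are that an absent property counts as false, that an unmet Required setting rejects the request, and that the server settings are passed in the same key=value form. The sample client settings are constructed.

```python
"""Added example: simplified model of the settings described above (not WebSphere code)."""
from enum import Enum

REQUIRED = "com.ibm.CSI.performClientAuthenticationRequired"
SUPPORTED = "com.ibm.CSI.performClientAuthenticationSupported"
# OIDs as listed on this page; SWAM has no OID because it is not forwardable.
MECHANISM_BY_OID = {"oid:2.23.130.1.1.1": "BasicAuth (GSSUP)",
                    "oid:1.3.18.0.2.30.2": "LTPA"}
CLIENT_PROPS = """\
# constructed sample client settings
com.ibm.CSI.performClientAuthenticationRequired=false
com.ibm.CSI.performClientAuthenticationSupported=true
"""

class Outcome(Enum):
    PERFORMED = "performed"  # credential sent at the message layer
    SKIPPED = "skipped"      # request proceeds without client authentication
    REJECTED = "rejected"    # one side requires what the other does not support

def parse_props(text):
    """Parse key=value lines, ignoring blank lines and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def flags(props):
    """Return (required, supported). Assumption: absent means false; required implies supported."""
    required = props.get(REQUIRED, "false").lower() == "true"
    supported = required or props.get(SUPPORTED, "false").lower() == "true"
    return required, supported

def negotiate(client_props, server_props):
    """Decide whether message layer authentication happens for this client/server pair."""
    c_req, c_sup = flags(client_props)
    s_req, s_sup = flags(server_props)
    if (c_req and not s_sup) or (s_req and not c_sup):
        return Outcome.REJECTED  # assumption: an unmet "required" fails the request
    if c_sup and s_sup:
        return Outcome.PERFORMED
    return Outcome.SKIPPED

def mechanism_for(oid):
    """Server-side lookup: which mechanism reads this token? None means unknown OID."""
    return MECHANISM_BY_OID.get(oid)
```

SKIPPED is the outcome to review for any server that protects resources, because the request succeeds with no message layer credential.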