When you use the BasicAuth authentication method, the security
token that is generated is a <wsse:UsernameToken> element with <wsse:Username>
and <wsse:Password> elements.
WebSphere Application Server supports text passwords (PasswordText) but not password
digest (PasswordDigest), because the server does not store passwords in a retrievable
form and therefore cannot recompute a digest to compare against the one in the token.
Because the password travels in the SOAP message in clear text, protect the transport
(HTTPS) or encrypt the token with WS-Security; otherwise the credential is exposed on the wire.
On the request sender side, a callback handler is invoked to generate the
security token. On the request receiver side, a Java Authentication and Authorization
Service (JAAS) login module is used to validate the security token. These
two operations, token generation and token validation, are described in the
following sections.
- BasicAuth token generation
- The request sender generates a BasicAuth security token using a callback
handler. The security token returned by the callback handler is inserted in
the SOAP message. The callback handler that is used is specified in the <LoginBinding>
element of the bindings file, ibm-webservicesclient-bnd.xmi . The
following callback handler implementations are provided with WebSphere Application
Server and can be used with the BasicAuth authentication method:
- com.ibm.wsspi.wssecurity.auth.callback.GUIPromptCallbackHandler
- com.ibm.wsspi.wssecurity.auth.callback.StdinPromptCallbackHandler
- com.ibm.wsspi.wssecurity.auth.callback.NonPromptCallbackHandler
You can add your own callback handlers that implement the javax.security.auth.callback.CallbackHandler interface.
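The following is an added example of a custom non-prompting callback handler for the request sender; it is not code shipped with WebSphere Application Server. It assumes (not stated on this page) that the WS-Security runtime instantiates the class named in <LoginBinding> with a no-argument constructor and passes it a standard NameCallback and PasswordCallback; the wss.basicauth.* property names, the class name and the demo credentials are illustrative. Its main method drives the handler the way the runtime would and prints the UsernameToken the values end up in, with the namespace declaration left out because it depends on the WS-Security draft level of your runtime.

```java
import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;

/*
 * Added example, not WebSphere code. Assumptions: the runtime creates this
 * class with a no-argument constructor and hands it a NameCallback and a
 * PasswordCallback. Credentials come from JVM system properties
 * (hypothetical names) so no password is written into
 * ibm-webservicesclient-bnd.xmi.
 */
public class SystemPropertyCallbackHandler implements CallbackHandler {

    private final String userName;
    private final char[] password;

    public SystemPropertyCallbackHandler() {
        this(System.getProperty("wss.basicauth.user"),
             System.getProperty("wss.basicauth.password"));
    }

    SystemPropertyCallbackHandler(String userName, String password) {
        if (userName == null || password == null) {
            throw new IllegalStateException(
                "wss.basicauth.user and wss.basicauth.password must be set");
        }
        this.userName = userName;
        this.password = password.toCharArray();
    }

    @Override
    public void handle(Callback[] callbacks)
            throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) {
                ((NameCallback) cb).setName(userName);
            } else if (cb instanceof PasswordCallback) {
                // setPassword clones the array; the callback owns its own copy.
                ((PasswordCallback) cb).setPassword(password);
            } else {
                // Refuse unknown callbacks instead of silently producing an empty token.
                throw new UnsupportedCallbackException(cb,
                    "unsupported callback: " + cb.getClass().getName());
            }
        }
    }

    /* Minimal XML escaping so a password containing '<' or '&' cannot break the token. */
    static String escape(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;")
                .replace(">", "&gt;").replace("\"", "&quot;");
    }

    /*
     * Stand-alone demo with constructed credentials. The Type value is shown in
     * the pre-OASIS draft form; take the exact value and the wsse namespace
     * from your runtime.
     */
    public static void main(String[] args) throws Exception {
        CallbackHandler h = new SystemPropertyCallbackHandler("alice", "s3cret<!>");
        NameCallback nc = new NameCallback("user: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        h.handle(new Callback[] { nc, pc });

        String token = "<wsse:UsernameToken>\n"
            + "  <wsse:Username>" + escape(nc.getName()) + "</wsse:Username>\n"
            + "  <wsse:Password Type=\"wsse:PasswordText\">"
            + escape(new String(pc.getPassword())) + "</wsse:Password>\n"
            + "</wsse:UsernameToken>";
        pc.clearPassword();
        System.out.println(token);
    }
}
```

Reading the credentials from system properties rather than from the bindings file keeps the clear-text password out of the deployed archive; the handler still relies on the transport being protected, since the token itself carries the password in clear text.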
- BasicAuth token validation
- The request receiver retrieves the BasicAuth security token from the SOAP
message and validates it using a JAAS login module. The <wsse:Username>
and <wsse:Password> elements in the security token are used to perform
the validation. If the validation is successful, the login module returns
a JAAS Subject. This Subject is set as the identity of the running thread.
If the validation fails, the request is rejected with a SOAP fault exception.
The JAAS login configuration is specified in the <LoginMapping> element of
the bindings file. Default bindings are specified in the ws-security.xml file.
However, you can override these bindings using the application-specific ibm-webservices-bnd.xmi file.
The configuration information consists of a CallbackHandlerFactory and a ConfigName
value. The CallbackHandlerFactory option specifies the name of a class that
is used for creating the JAAS CallbackHandler object. WebSphere Application
Server provides the com.ibm.wsspi.wssecurity.auth.callback.WSCallbackHandlerFactoryImpl
CallbackHandlerFactory implementation. The ConfigName value specifies a JAAS
configuration name entry. WebSphere Application Server searches the security.xml file
for a matching configuration name entry. If a match is not found, it searches
the wsjaas.conf file for a match. WebSphere Application Server provides
the WSLogin default configuration entry, which is suitable for the BasicAuth
authentication method.
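The following is an added example of a JAAS login module for the request receiver, written for this page rather than taken from WebSphere Application Server. It assumes (not stated on this page) that the CallbackHandler created by the configured CallbackHandlerFactory answers a standard NameCallback and PasswordCallback with the token's <wsse:Username> and <wsse:Password> values; the ConfigName entry, class name and credential store are hypothetical, and the store is an in-memory map of salted hashes constructed for the demo where a real module would consult the user registry.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/*
 * Added example, not WebSphere code. Assumption: the factory-built handler
 * answers NameCallback/PasswordCallback with the UsernameToken values.
 * A wsjaas.conf entry (hypothetical name) to reference as ConfigName:
 *   WSSUsernameTokenLogin {
 *       com.example.UsernameTokenLoginModule required;
 *   };
 */
public class UsernameTokenLoginModule implements LoginModule {

    // Constructed demo store: user -> salted SHA-256 of the password. Only a
    // hash is kept, which is why the receiver needs the clear-text password
    // from the token and cannot verify a PasswordDigest.
    private static final byte[] SALT = "demo-salt".getBytes(StandardCharsets.UTF_8);
    private static final Map<String, byte[]> STORE = new HashMap<>();
    static { STORE.put("alice", hash("s3cret!".toCharArray())); }  // demo credential

    private Subject subject;
    private CallbackHandler handler;
    private String user;
    private boolean succeeded;

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }

    @Override
    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { nc, pc });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("cannot obtain UsernameToken: " + e);
        }
        char[] pw = pc.getPassword();   // returns a copy
        pc.clearPassword();
        try {
            if (nc.getName() == null || pw == null) {
                throw new FailedLoginException("UsernameToken lacks user name or password");
            }
            byte[] expected = STORE.get(nc.getName());
            // Constant-time compare; an unknown user fails exactly like a bad password.
            if (expected == null || !MessageDigest.isEqual(expected, hash(pw))) {
                throw new FailedLoginException("invalid credentials");
            }
        } finally {
            if (pw != null) Arrays.fill(pw, '\0');   // do not keep the clear text around
        }
        user = nc.getName();
        succeeded = true;
        return true;
    }

    @Override
    public boolean commit() {
        if (!succeeded) return false;
        subject.getPrincipals().add(new UserPrincipal(user));  // becomes the thread identity
        return true;
    }

    @Override public boolean abort() { succeeded = false; user = null; return true; }
    @Override public boolean logout() { subject.getPrincipals().clear(); return true; }

    static byte[] hash(char[] pw) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            md.update(SALT);
            md.update(new String(pw).getBytes(StandardCharsets.UTF_8));
            return md.digest();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    static final class UserPrincipal implements Principal {
        private final String name;
        UserPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        public String toString() { return "UserPrincipal[" + name + "]"; }
    }

    // Stand-alone demo: this lambda stands in for the handler the factory would build.
    public static void main(String[] args) throws Exception {
        CallbackHandler fromToken = cbs -> {
            for (Callback cb : cbs) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName("alice");
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword("s3cret!".toCharArray());
            }
        };
        UsernameTokenLoginModule lm = new UsernameTokenLoginModule();
        Subject s = new Subject();
        lm.initialize(s, fromToken, new HashMap<>(), new HashMap<>());
        try {
            if (lm.login() && lm.commit()) System.out.println("accepted: " + s.getPrincipals());
        } catch (LoginException e) {
            lm.abort();   // the runtime turns this into a SOAP fault
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The module throws FailedLoginException for both an unknown user and a wrong password so that the SOAP fault returned to the sender does not reveal which of the two was at fault, and it wipes the password array as soon as the comparison is done.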
Important: There is an important distinction between Version 5.x
and Version 6 and later applications. The information in this article supports
Version 5.x applications only that are used with WebSphere Application
Server Version 6.0.x and later. The information does not apply to Version
6 and later applications.