Signature authentication uses an X.509 certificate that the client sends to
the server. The certificate is used to authenticate to the user registry that
is configured at the server. When the signature authentication method is used,
the security token is generated with a ds:Signature element and a
wsse:BinarySecurityToken element.
Important: There is an important distinction between Version 5.x and
Version 6.0.x and later applications. The information in this article
applies only to Version 5.x applications that are used with WebSphere
Application Server Version 6.0.x and later. It does not apply to
Version 6.0.x and later applications.
On the request sender side, a callback handler is invoked to generate the
security token. On the request receiver side, a Java Authentication and Authorization
Service (JAAS) login module is used to validate the security token. These
two operations, token generation and token validation, are described in the
following sections.
- Signature token generation
- The request sender generates a Signature security token using a callback
handler. The security token returned by the callback handler is inserted in
the SOAP message. The callback handler is specified in the <LoginBinding>
element of the bindings file, ibm-webservicesclient-bnd.xmi. WebSphere
Application Server provides the following callback handler implementation
that can be used with the Signature authentication method:
com.ibm.wsspi.wssecurity.auth.callback.NonPromptCallbackHandler. You can also
add your own callback handlers that implement the
javax.security.auth.callback.CallbackHandler interface.
- Security token validation
- The request receiver retrieves the Signature security token from the SOAP
message and validates it using a JAAS login module. The <ds:Signature>
and <wsse:BinarySecurityToken> elements in the security token are used
to perform the validation. If the validation is successful, the login module
returns a Java Authentication and Authorization Service (JAAS) Subject, which
is then set as the identity of the running thread. If the validation fails,
the request is rejected with a SOAP fault exception.
The JAAS login configuration is specified in the <LoginMapping> element of
the bindings file. Default bindings are specified in the ws-security.xml file;
however, you can override these bindings using the application-specific
ibm-webservices-bnd.xmi file.
The configuration information consists of a CallbackHandlerFactory and a ConfigName.
The CallbackHandlerFactory specifies the name of the class that is used to
create the JAAS CallbackHandler object. WebSphere Application Server provides
the com.ibm.wsspi.wssecurity.auth.callback.WSCallbackHandlerFactoryImp
implementation of the CallbackHandlerFactory. The ConfigName specifies a JAAS
configuration name entry. WebSphere Application Server first searches the
security.xml file for a matching configuration name entry; if no match is
found, it searches the wsjaas.conf file. WebSphere Application Server provides
the system.wssecurity.Signature default configuration entry, which is suitable
for the signature authentication method.
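The receiver-side validation described above, as an added stand-alone Python illustration that is not WebSphere's own code: it parses a constructed SOAP request, resolves the ds:Signature KeyInfo reference to the wsse:BinarySecurityToken, checks that every signed reference resolves to a wsu:Id, and returns the decoded certificate for the login module to authenticate. The SignatureValue is not verified here, and the sample token body is a labelled placeholder rather than a real certificate.

```python
import base64
from xml.etree import ElementTree as ET

# Namespaces of the WS-Security 1.0 elements this page describes.
NS = {"soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
      "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
WSU_ID = "{%s}Id" % NS["wsu"]

class TokenRejected(Exception):
    """Raised where the request receiver would answer with a SOAP fault."""

def extract_signature_token(envelope_xml):
    """Return (DER certificate bytes, signed wsu:Ids) or raise TokenRejected.
    Structural checks only: ds:KeyInfo must point at an X509v3 BinarySecurityToken
    in the same header, and each ds:Reference must resolve to a wsu:Id. Verifying
    the SignatureValue and authenticating the certificate against the user
    registry is the JAAS login module's job afterwards."""
    root = ET.fromstring(envelope_xml)
    sec = root.find("soapenv:Header/wsse:Security", NS)
    sig = sec.find("ds:Signature", NS) if sec is not None else None
    if sig is None:
        raise TokenRejected("missing wsse:Security header or ds:Signature")
    ref = sig.find("ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference", NS)
    key_uri = ref.get("URI", "") if ref is not None else ""
    if not key_uri.startswith("#"):
        raise TokenRejected("ds:KeyInfo does not reference a security token")
    bst = [b for b in sec.findall("wsse:BinarySecurityToken", NS)
           if b.get(WSU_ID) == key_uri[1:] and b.get("ValueType") == X509V3]
    if len(bst) != 1:
        raise TokenRejected("no unique X509v3 BinarySecurityToken with Id %r" % key_uri[1:])
    ids = {e.get(WSU_ID) for e in root.iter() if e.get(WSU_ID)}
    uris = [r.get("URI", "") for r in sig.findall("ds:SignedInfo/ds:Reference", NS)]
    if not uris or any(not u.startswith("#") or u[1:] not in ids for u in uris):
        raise TokenRejected("a ds:Reference does not resolve to a wsu:Id in the message")
    return base64.b64decode(bst[0].text.strip()), [u[1:] for u in uris]

# Constructed sample request; the token body is a placeholder, not a real DER certificate.
PLACEHOLDER_DER = b"constructed-placeholder"
SAMPLE = """<soapenv:Envelope xmlns:soapenv="%s" xmlns:wsse="%s" xmlns:wsu="%s" xmlns:ds="%s">
<soapenv:Header><wsse:Security>
<wsse:BinarySecurityToken wsu:Id="x509cert00" ValueType="%s">%s</wsse:BinarySecurityToken>
<ds:Signature><ds:SignedInfo><ds:Reference URI="#body"/></ds:SignedInfo><ds:SignatureValue/>
<ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#x509cert00"/>
</wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature></wsse:Security></soapenv:Header>
<soapenv:Body wsu:Id="body"/></soapenv:Envelope>""" % (
    NS["soapenv"], NS["wsse"], NS["wsu"], NS["ds"], X509V3,
    base64.b64encode(PLACEHOLDER_DER).decode())
```

Calling `extract_signature_token(SAMPLE)` returns the placeholder bytes and `["body"]`; a request whose KeyInfo points at a token that is not in the header raises TokenRejected, which is the point at which the server would return a SOAP fault.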