The following information describes how to configure a pluggable
token using an assembly tool.
Before you begin
Important: There is a distinction between Version 5.x and Version 6 and later applications. The information in this article supports only Version 5.x applications that are used with WebSphere Application Server Version 6.0.x and later. The information does not apply to Version 6.0.x and later applications.
This document describes how to configure a pluggable token in the request sender (ibm-webservicesclient-ext.xmi and ibm-webservicesclient-bnd.xmi files) and request receiver (ibm-webservices-ext.xmi and ibm-webservices-bnd.xmi files). The pluggable token must be configured on both the request sender and the request receiver because they form a pair: the request sender and the request receiver configurations must match for the receiver to accept a request.
Prior to completing
these steps, it is assumed that you have already created a Web service that
is based on the Java 2 Platform, Enterprise Edition (J2EE) specification.
See either of the following topics for an introduction of how to manage Web
services security binding information for the server:
About this task
You must specify the security constraints in the ibm-webservicesclient-ext.xmi and
the ibm-webservices-ext.xmi files for the required tokens using an
IBM assembly tool.
Complete the following steps to configure the request
sender using the ibm-webservicesclient-ext.xmi and ibm-webservicesclient-bnd.xmi files:
Procedure
- Launch an assembly tool. For more information on the
assembly tools, see Assembly tools.
- Switch to the J2EE perspective. Click Window > Open Perspective
> J2EE.
- Click Application Client Projects > application_name >
appClientModule > META-INF.
- Right-click the application-client.xml file, select Open
with > Deployment descriptor editor.
- Click the WS Extension tab. The Web service client security
extensions editor is displayed.
- Under Service References, select an existing service reference
or click Add to create a new reference.
- Under Port Qname Bindings, select an existing port qualified
name for the selected service reference or click Add to create a new
port name binding.
- Under Request Sender Configuration: Login Configuration, select an existing authentication method or type a new one in the editable list box (Lightweight Third Party Authorization (LTPA) is a supported token generation method when the Web service is acting as a client).
- Click File > Save to save the changes.
- Click the Web services client binding tab. The Web services
client binding editor is displayed.
- Under Port qualified name binding, select an existing entry
or click Add to add a new port name binding. The Web services
client binding editor displays for the selected port.
- Under Login binding, click Edit or Enable.
The Login Binding dialog box is displayed.
- In the Authentication Method field, enter the authentication method. The
authentication method that you enter in this field must match the authentication
method defined on the Security Extension tab for the same Web service port.
This field is mandatory.
- (Optional) Enter the token value type information in the URI and Local
name fields. These fields are ignored for the BasicAuth, Signature, and IDAssertion
authentication methods, but required for other authentication methods. The
token value type information is inserted into the <wsse:BinarySecurityToken>@ValueType
element for binary security token and is used as the namespace for the XML-based
token.
- Enter an implementation of the Java Authentication and Authorization Service
(JAAS) javax.security.auth.callback.CallbackHandler interface. This field
is mandatory.
- Enter the basic authentication information in the User ID and Password fields. The basic authentication information is passed to the constructor of the CallbackHandler implementation. How the basic authentication information is used depends on the implementation of CallbackHandler.
- In the Property field, add name and value pairs. These pairs are passed to the constructor of the CallbackHandler implementation as java.util.Map values.
- Click OK.
Click Disable under Login binding on the Web services client
port binding tab to remove the authentication method login binding.
- Click File > Save to save the changes.
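As an added illustration of the login binding described in the preceding steps (this is example code, not IBM's own, and not part of the original page), the following class shows the shape a client-side JAAS CallbackHandler implementation can take. It assumes, based on the text above, that the container passes the User ID, the Password and the Property name/value pairs to a three-argument constructor; that constructor signature, the class name, and the sample property values are assumptions for this example. The handler fills only the standard NameCallback and PasswordCallback, and rejects any callback it does not understand rather than silently ignoring it, so a mismatch between the handler and the token generator surfaces as an error instead of an empty credential.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;

// Hypothetical client-side CallbackHandler referenced from the Login Binding
// dialog. The class name is an assumption for this example.
public class ExampleTokenCallbackHandler implements CallbackHandler {

    private final String userId;
    private final char[] password;
    private final Map<?, ?> properties;

    // Constructor shape assumed from the page: the User ID and Password fields
    // plus the Property name/value pairs (as a java.util.Map) are passed here.
    public ExampleTokenCallbackHandler(String userId, String password, Map<?, ?> properties) {
        if (userId == null || userId.length() == 0) {
            throw new IllegalArgumentException("User ID is required for this handler");
        }
        this.userId = userId;
        // Keep the secret as a char[] so it can be cleared later; never expose a getter.
        this.password = password == null ? new char[0] : password.toCharArray();
        this.properties = properties == null
                ? Collections.emptyMap()
                : Collections.unmodifiableMap(new HashMap<Object, Object>(properties));
    }

    // Called by the token generator with the callbacks it needs populated.
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) {
                ((NameCallback) cb).setName(userId);
            } else if (cb instanceof PasswordCallback) {
                // PasswordCallback copies the array, so the handler keeps its own copy.
                ((PasswordCallback) cb).setPassword(password);
            } else {
                // Fail closed: an unknown callback means this handler does not match
                // the configured token type, which is a configuration error.
                throw new UnsupportedCallbackException(cb,
                        "Unsupported callback " + cb.getClass().getName()
                        + " (properties: " + properties.keySet() + ")");
            }
        }
    }

    // Lets the caller wipe the password once the token has been generated.
    public void clearPassword() {
        java.util.Arrays.fill(password, '\0');
    }

    // Stand-alone demonstration with constructed sample values.
    public static void main(String[] args) throws Exception {
        Map<String, String> props = new HashMap<String, String>();
        props.put("example.tokenType", "demo"); // constructed sample property, not a real key
        ExampleTokenCallbackHandler handler =
                new ExampleTokenCallbackHandler("alice", "s3cret", props);

        NameCallback name = new NameCallback("user: ");
        PasswordCallback pw = new PasswordCallback("password: ", false);
        handler.handle(new Callback[] { name, pw });
        System.out.println("name=" + name.getName() + " passwordLength=" + pw.getPassword().length);

        pw.clearPassword();
        handler.clearPassword();
    }
}
```

The fully qualified class name of such a handler is what goes into the CallbackHandler field of the Login Binding dialog; the properties map is available to the handler for any token-specific configuration, but the standard callbacks above are all a BasicAuth-style token needs.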
- In the Package Explorer window, right-click the webservices.xml file
and click Open with > Web services editor. The Web Services
window displays.
- Click the Security extensions tab. The Web service
security extensions editor is displayed.
- Under Web Service Description Extension, select an existing service reference
or click Add to create a new extension.
- Under Port Component Binding, select an existing port qualified name for
the selected service reference or click Add to create a new one.
- Under Request Receiver Service Configuration Details: Login Configuration, select an existing authentication method or click Add and enter a new method in the Add AuthMethod field that is displayed. You can select multiple authentication methods for the request receiver. The security token of the incoming message is authenticated against the authentication methods in the order in which they are specified in the list. Click Remove to remove the selected authentication method or methods.
- Click File > Save to save the changes.
- Click the Bindings tab. The Web services bindings
editor is displayed.
- Under Web service description bindings, select an existing entry or click Add to
add a new Web services descriptor.
- Click the Binding configurations tab. The Web services binding configurations
editor is displayed for the selected Web services descriptor.
- Under Request receiver binding configuration details: login mapping, click Add to
create a new login mapping or click Edit to edit the selected login
mapping. The Login mapping dialog is displayed.
- In the Authentication method field, enter the authentication method. The
information entered in this field must match the authentication method defined
on the Security Extensions tab for the same Web service port. This field is
mandatory.
- In the Configuration name field, enter a JAAS login
configuration name. This is a mandatory field. You must define the JAAS login
configuration name in the WebSphere Application Server administrative console
under Security > Global security. Under Authentication, click JAAS
configuration > Application Logins. For more information, see Configuring programmatic logins for Java Authentication and Authorization Service.
- (Optional) Select Use Token value type and enter the token value
type information in the URI and Local name fields. This information is optional
for BasicAuth, Signature and IDAssertion authentication methods, but required
for any other authentication method. The token value type is used to validate
the <wsse:BinarySecurityToken>@ValueType element for binary security tokens
and to validate the namespace of the XML-based token.
- Under Callback Handler Factory, enter an implementation of the com.ibm.wsspi.wssecurity.auth.callback.CallbackHandlerFactory
interface in the Class name field. This field is mandatory.
- Under Callback Handler Factory property, click Add and enter the
name and value pairs for the Callback Handler Factory Property. These name
and value pairs are passed as java.util.Map to the com.ibm.wsspi.wssecurity.auth.callback.CallbackHandlerFactory.init()
method. The use of these name and value pairs is determined by the CallbackHandlerFactory
implementation.
- Under Login Mapping Property, click Add and enter the name and value pairs for the Login mapping property. These name and value pairs are available to the JAAS Login Modules through the com.ibm.wsspi.wssecurity.auth.callback.PropertyCallback JAAS Callback interface. Click Remove to delete the selected login mapping.
- Click OK.
- Click File > Save to save the changes.
Results
The previous steps define how to configure the request
sender to create security tokens in the Simple Object Access Protocol (SOAP)
message and to configure the request receiver to validate the security tokens
found in the incoming SOAP message. WebSphere Application Server supports
pluggable security tokens.
You can use the authentication
method defined in the login bindings and login mappings to generate security
tokens in the request sender and validate security tokens in the request receiver.
What to do next
After you configure pluggable tokens, you must configure
both the client and the server to support pluggable tokens. See the following
topics to configure the client and the server: