Web services security has the ability to send security
tokens in the security header of a SOAP message. These security tokens
can be used to sign, verify, encrypt or decrypt message parts. Security
tokens can also be sent as stand-alone security tokens and set as
the caller on the request consumer. Web services security token
propagation is used to send these stand-alone security tokens
in a wsse:BinarySecurityToken element within the security header of
the SOAP message.
Web services security has the following built-in token types:
- Username token
- X.509 token
- Lightweight Third-Party Authentication (LTPA) token
You can configure Web services security to use custom security
tokens. Web services security uses the same propagation token format
as the Security attribute propagation feature. Web services security
can propagate all of the built-in security token types and can propagate
custom token types as long as they are serializable by the security
attribute propagation feature.
When you configure a propagation token in a token generator or
token consumer, use the following values for the token type Uniform
Resource Identifier (URI) and local name:
- Token type URI: http://www.ibm.com/websphere/appserver/tokentype
- Token type local name: LTPA_PROPAGATION
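The following is an added inspection example, not code from the page or from WebSphere Application Server. It parses a SOAP envelope, locates the wsse:Security header and reports every wsse:BinarySecurityToken it carries, flagging the ones whose ValueType matches the propagation token type above and checking that the content is valid base64. The WS-Security namespace and EncodingType URIs are the real OASIS values; the assumption is that the ValueType attribute carries the token type as "URI#localname" (the usual WS-Security convention for value types), and the sample envelope and its token bytes are constructed placeholders, not a captured message.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

# Namespace URIs from the OASIS WS-Security 1.0 specification (real values).
NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
}
BASE64_ENCODING = (
    "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
)

# Token type URI and local name exactly as the page gives them.
PROPAGATION_TYPE_URI = "http://www.ibm.com/websphere/appserver/tokentype"
PROPAGATION_LOCAL_NAME = "LTPA_PROPAGATION"
# Assumption: ValueType is written as "URI#localname", the common
# WS-Security convention for BinarySecurityToken value types.
PROPAGATION_VALUE_TYPE = f"{PROPAGATION_TYPE_URI}#{PROPAGATION_LOCAL_NAME}"


def inspect_security_header(envelope_xml: str) -> dict:
    """Summarize the BinarySecurityToken elements in the wsse:Security header.

    For every token the summary records its wsu:Id, ValueType, whether it is
    the LTPA propagation token, whether EncodingType is Base64Binary, and
    whether its text decodes as base64. No Security header yields no tokens.
    """
    root = ET.fromstring(envelope_xml)
    result = {"has_security_header": False, "tokens": []}
    header = root.find("soapenv:Header", NS)
    if header is None:
        return result
    security = header.find("wsse:Security", NS)
    if security is None:
        return result
    result["has_security_header"] = True
    for bst in security.findall("wsse:BinarySecurityToken", NS):
        value_type = bst.get("ValueType", "")
        encoding = bst.get("EncodingType", "")
        raw = (bst.text or "").strip()
        try:
            decoded_len = len(base64.b64decode(raw, validate=True))
            decodes = True
        except (binascii.Error, ValueError):
            decoded_len = 0
            decodes = False
        result["tokens"].append({
            "id": bst.get(f"{{{NS['wsu']}}}Id"),
            "value_type": value_type,
            "is_propagation_token": value_type == PROPAGATION_VALUE_TYPE,
            "base64_encoding": encoding == BASE64_ENCODING,
            "decodes": decodes,
            "decoded_bytes": decoded_len,
        })
    return result


def propagation_tokens(envelope_xml: str) -> list:
    """Only the propagation tokens that are base64-encoded and decode cleanly."""
    summary = inspect_security_header(envelope_xml)
    return [t for t in summary["tokens"]
            if t["is_propagation_token"] and t["base64_encoding"] and t["decodes"]]


# Constructed sample (not captured from a server). The first token carries a
# placeholder payload instead of a real serialized subject; the second is
# deliberately malformed so the base64 check has something to reject.
SAMPLE_TOKEN = base64.b64encode(b"placeholder-serialized-subject").decode()
SAMPLE_ENVELOPE = f"""<soapenv:Envelope xmlns:soapenv="{NS['soapenv']}">
  <soapenv:Header>
    <wsse:Security xmlns:wsse="{NS['wsse']}" xmlns:wsu="{NS['wsu']}" soapenv:mustUnderstand="1">
      <wsse:BinarySecurityToken wsu:Id="propagation-1"
          ValueType="{PROPAGATION_VALUE_TYPE}"
          EncodingType="{BASE64_ENCODING}">{SAMPLE_TOKEN}</wsse:BinarySecurityToken>
      <wsse:BinarySecurityToken wsu:Id="bad-1"
          ValueType="{PROPAGATION_VALUE_TYPE}"
          EncodingType="{BASE64_ENCODING}">not*base64*</wsse:BinarySecurityToken>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body><ping/></soapenv:Body>
</soapenv:Envelope>"""

if __name__ == "__main__":
    for token in inspect_security_header(SAMPLE_ENVELOPE)["tokens"]:
        print(token)
```

Run against a message logged from the token generator to confirm that the ValueType it emits matches the URI and local name configured above; a token with the right ValueType but an EncodingType other than Base64Binary, or content that does not decode, is not one the consumer will accept.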
By default, token propagation uses the following Java Authentication
and Authorization Service (JAAS) login configuration entries:
- Inbound: WSS_INBOUND
- Outbound: WSS_OUTBOUND
The propagation token is intended to be used by a client from within
a secured service, where it picks up all the serializable security
tokens in a RunAs subject and propagates the credentials to a downstream
server. A server-based client that is secured in the Web container
with HTTP basic authentication can also use a propagation token. In that
case the overhead of a propagation token is ordinarily unnecessary,
because only the identity is required and not the full set of credentials.
However, if the client application modifies the subject after the Web
container has invoked it, a propagation token might be appropriate.
Important: To emit the LTPA propagation
token, the service must include a defined caller part for the inbound
token. The caller part indicates that the WebSphere Application Server
credentials must be obtained for the inbound token. The receiver must
have a defined caller part from which to make WebSphere Application
Server credentials.