WebSphere Application Server Network Deployment, Version 6.1
Operating Systems: AIX, HP-UX, i5/OS, Linux, Solaris, Windows, z/OS

Web services security token propagation

Web services security has the ability to send security tokens in the security header of a SOAP message. These security tokens can be used to sign, verify, encrypt or decrypt message parts. Security tokens can also be sent as stand-alone security tokens and set as the caller on the request consumer. Web services security token propagation is used to send these stand-alone security tokens in a wsse:BinarySecurityToken element within the security header of the SOAP message.
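The header layout described above can be inspected on a captured message. The following Python code is an added example, not IBM's code: it lists each wsse:BinarySecurityToken in the security header and flags the ones that no wsse:SecurityTokenReference points at, which is a heuristic for stand-alone tokens. The sample envelope is constructed, and the propagation token ValueType in it is a placeholder, because this page does not list the real value.

```python
import base64
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
# Placeholder (assumption): NOT the product's real propagation token type.
PLACEHOLDER_TYPE = "urn:example:placeholder#PropagationToken"

def list_binary_tokens(envelope: bytes):
    """Describe each wsse:BinarySecurityToken in the SOAP security header."""
    if b"<!DOCTYPE" in envelope:  # a SOAP message must not carry a DTD
        raise ValueError("DTD not allowed in a SOAP message")
    security = ET.fromstring(envelope).find(f"{{{SOAP}}}Header/{{{WSSE}}}Security")
    if security is None:
        return []
    # Ids that a wsse:Reference points at: those tokens back a signature or encryption.
    referenced = {r.get("URI", "").lstrip("#") for r in security.iter(f"{{{WSSE}}}Reference")}
    tokens = []
    for tok in security.findall(f"{{{WSSE}}}BinarySecurityToken"):
        raw = base64.b64decode((tok.text or "").strip(), validate=True)
        tok_id = tok.get(f"{{{WSU}}}Id")
        tokens.append({
            "id": tok_id,
            "value_type": tok.get("ValueType"),
            "size": len(raw),  # decoded token size in bytes
            "stand_alone": tok_id not in referenced,  # heuristic, see lead-in
        })
    return tokens

# Constructed sample: one token referenced by a signature, one stand-alone.
CERT_B64 = base64.b64encode(b"constructed certificate bytes").decode()
PROP_B64 = base64.b64encode(b"constructed serialized subject").decode()
SAMPLE = f"""<soapenv:Envelope xmlns:soapenv="{SOAP}" xmlns:wsse="{WSSE}"
    xmlns:wsu="{WSU}" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <soapenv:Header><wsse:Security>
  <wsse:BinarySecurityToken wsu:Id="x509-1" ValueType="{X509V3}">{CERT_B64}</wsse:BinarySecurityToken>
  <wsse:BinarySecurityToken wsu:Id="prop-1" ValueType="{PLACEHOLDER_TYPE}">{PROP_B64}</wsse:BinarySecurityToken>
  <ds:Signature><ds:KeyInfo><wsse:SecurityTokenReference>
   <wsse:Reference URI="#x509-1"/></wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature>
 </wsse:Security></soapenv:Header><soapenv:Body/>
</soapenv:Envelope>""".encode()

if __name__ == "__main__":
    for token in list_binary_tokens(SAMPLE):
        print(token)
```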

Web services security has the following built-in token types:

You can configure Web services security to use custom security tokens. Web services security uses the same propagation token format as the Security attribute propagation feature. Web services security can propagate all of the built-in security token types and can propagate custom token types as long as they are serializable by the security attribute propagation feature.

When you configure a propagation token in a token generator or token consumer, use the following values for the token type Uniform Resource Identifier (URI) and local name:

By default, token propagation uses the following Java Authentication and Authorization Service (JAAS) login configuration entries:

The propagation token is intended to be used by a client from within a secured service, where it will pick up all the serializable security tokens in a RunAs subject and propagate the credentials to a downstream server. Also, a server-based client that is secured in the Web container with HTTP basic authentication can use a propagation token. Ordinarily for the latter case, the overhead of propagation tokens is not necessary as only the identity is required and not the full set of credentials. However, if modifications to the subject are made by the client application after invocation by the Web container, it might be appropriate to use a propagation token.

Important: To emit the LTPA propagation token, the service must include a defined caller part for the inbound token. The caller part indicates that the WebSphere Application Server credentials must be obtained for the inbound token. The receiver must have a defined caller part from which to make WebSphere Application Server credentials.



Related concepts
Security attribute propagation
Web services security provides message integrity, confidentiality, and authentication
Related tasks
Configuring token generators using JAX-RPC to protect message authenticity at the server or cell level
Configuring token consumers using JAX-RPC to protect message authenticity at the server or cell level
Configuring token generators using JAX-RPC to protect message authenticity at the application level
Configuring token consumers using JAX-RPC to protect message authenticity at the application level
Related reference
Token generator configuration settings
Token consumer configuration settings

Last updated: Feb 25, 2009 9:32:38 AM CST
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp?topic=/com.ibm.websphere.nd.multiplatform.doc/info/ae/ae/cwbs_securitytokenpropagationwbs.html