You can configure name-value pairs of data, where the name is a property key and the value is a string value that you can use to set internal system configuration properties. Defining a new property enables you to configure a setting beyond what is available through options in the administrative console. The following is a list of some of the available custom properties for Web services security.
Custom properties for Web services security can be set at various levels of the application server and for JAX-RPC versus JAX-WS applications. The following list of custom properties provides information on where the custom property is set and how it is used.
The com.ibm.wsspi.wssecurity.Caller.assertionLoginConfig property, which is configured on the caller part, specifies the name of the JAAS login configuration that is used by Web services security to obtain WebSphere Application Server authorization credentials. You must configure this property using an assembly tool such as Rational Application Developer. For more information, see the "Configuring the caller in consumer security constraints" topic for Rational Application Developer. Within this topic, this custom property is set when you configure identity assertion.
Use this property with WS-Security V1.0 JAX-RPC applications only.
Data type | String |
Default | system.DEFAULT |
In WebSphere Application Server prior to Version 6.1x, the mustUnderstand=1 attribute in the <wsse:Security> tag in the SOAP header on the request from the Web Services client was hardcoded. It was not possible to configure the mustUnderstand attribute in the SOAP Web services security header. In an update to the product, an administrator can configure the attribute using outbound generator custom properties.
com.ibm.wsspi.wssecurity.config.request.setMustUnderstand custom property
The com.ibm.wsspi.wssecurity.config.request.setMustUnderstand custom property specifies the mustUnderstand setting in outbound consumer requests. If the value of the property is set to zero (0), no, or false, then the mustUnderstand attribute is not set in the WS-Security header within outbound consumer requests.
Data type | String |
Value | Zero (0), no, false |
Default | true |
In SOAP messages, the default value for the mustUnderstand attribute is zero (0). According to the SOAP specification, if the intended value for the attribute is zero, then the attribute must not be present in the message.
com.ibm.wsspi.wssecurity.config.response.forceMustUnderstandEqualsOne custom property
The com.ibm.wsspi.wssecurity.config.response.forceMustUnderstandEqualsOne custom property specifies that the provider should always respond with a mustUnderstand="1" attribute in the SOAP security header. If the value is set to one (1), yes, or true, the provider responds with the mustUnderstand="1" attribute in the WS-Security header. The default value of the property is false.
Data type | String |
Value | One (1), yes, or true |
Default | false |
By default, the response contains the same mustUnderstand attribute as the request. For example, if the inbound request has mustUnderstand="1", the response also includes mustUnderstand="1". If the request does not have a mustUnderstand attribute, the response does not include a mustUnderstand attribute.
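The following Python check is an added example, not IBM product code. It reads the mustUnderstand attribute from the <wsse:Security> header of a captured SOAP message and compares it with what the two custom properties described above should produce. The function names and sample envelopes are constructed for illustration, and it assumes that the default setMustUnderstand value of true means mustUnderstand="1" is sent.

```python
import xml.etree.ElementTree as ET  # for untrusted captures, parse with defusedxml instead

SOAP11 = "http://schemas.xmlsoap.org/soap/envelope/"
SOAP12 = "http://www.w3.org/2003/05/soap-envelope"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")

def security_must_understand(envelope_xml):
    """Return the mustUnderstand value on <wsse:Security>, or None if absent."""
    root = ET.fromstring(envelope_xml)
    for soap_ns in (SOAP11, SOAP12):
        sec = root.find("{%s}Header/{%s}Security" % (soap_ns, WSSE))
        if sec is not None:
            return sec.get("{%s}mustUnderstand" % soap_ns)
    raise ValueError("no wsse:Security header found")

def request_header_ok(envelope_xml, set_must_understand="true"):
    """Check an outbound request against ...config.request.setMustUnderstand."""
    disabled = set_must_understand.strip().lower() in ("0", "no", "false")
    value = security_must_understand(envelope_xml)
    if disabled:
        # The attribute must be absent; an explicit "0" is also a finding.
        return value is None
    # Assumption: the default (true) emits mustUnderstand="1".
    return value is not None and value.strip().lower() in ("1", "true")

def expected_response_value(request_xml, force_equals_one="false"):
    """Attribute value the provider response should carry for this request."""
    if force_equals_one.strip().lower() in ("1", "yes", "true"):
        return "1"
    # Default behaviour: the response mirrors the request.
    return security_must_understand(request_xml)

def envelope(mu_attr=""):
    """Build a constructed sample SOAP 1.1 envelope (not a real capture)."""
    return ('<soapenv:Envelope xmlns:soapenv="%s" xmlns:wsse="%s">'
            '<soapenv:Header><wsse:Security%s/></soapenv:Header>'
            '<soapenv:Body/></soapenv:Envelope>' % (SOAP11, WSSE, mu_attr))

REQ_WITH = envelope(' soapenv:mustUnderstand="1"')
REQ_WITHOUT = envelope()
REQ_ZERO = envelope(' soapenv:mustUnderstand="0"')

if __name__ == "__main__":
    for name, msg in (("with", REQ_WITH), ("without", REQ_WITHOUT)):
        print(name, security_must_understand(msg),
              request_header_ok(msg, "false"), expected_response_value(msg))
```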
If you are using an assembly tool with a JAX-RPC WS-Security version 1.0 application, you can set the com.ibm.wsspi.wssecurity.config.request.setMustUnderstand custom property on the security request generator extension or binding. You can set the com.ibm.wsspi.wssecurity.config.response.forceMustUnderstandEqualsOne custom property on the response generator extension or binding. A setting in the binding takes precedence over a setting in the extension.
If you are using an assembly tool with a JAX-RPC WS-Security specification draft 13–level application, you can set the com.ibm.wsspi.wssecurity.config.request.setMustUnderstand custom property as a parameter on the port qualified name binding. You can set the com.ibm.wsspi.wssecurity.config.response.forceMustUnderstandEqualsOne custom property as a parameter on the port component binding.
AdminTask.getPolicySetAttachments('[-applicationName HelloSvcClientEAR -attachmentType client]')
AdminTask.setBinding('[-policyType WSSecurity -bindingLocation "[ [application HelloSvcClientEAR] [attachmentId 1490] ]" -attributes "[[application.securityoutboundbindingconfig.properties_999.name com.ibm.wsspi.wssecurity.config.request.setMustUnderstand] [application.securityoutboundbindingconfig.properties_999.value false]]" -attachmentType client]')