Web services security can send security tokens in the security header of a SOAP message. These security tokens can be used to sign, verify, encrypt or decrypt message parts. They can also be sent as standalone security tokens and set as the caller on the request consumer. Custom security token propagation uses Web services security to propagate these custom security tokens.
Web services security supports the Username, X.509 and Lightweight Third-Party Authentication (LTPA) security token types.
A client can use the propagation token from within a secured service, where it locates the runAs subject and propagates the credentials to a downstream server. A server-based client can use the propagation token if it is secured in the Web container with HTTP basic authentication. In many situations, for a server-based client, the overhead of propagation tokens is not necessary, because only the identity is required and not the full set of credentials. However, if the client application modifies the subject after it is invoked by the Web container, you might use a propagation token.
When you use security token propagation, the propagation token is sent in the wsse:BinarySecurityToken element in the security header of the SOAP message. Web services security uses the same propagation token format as used by the Security attribute propagation feature.
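The following added example (not part of the product documentation) inventories the security tokens in a SOAP security header so that you can confirm which messages carry a propagation token and which carry only an identity token. The sample message is constructed, and PROPAGATION_VALUE_TYPE is a placeholder rather than the product's actual ValueType; substitute the value that your token generator is configured with.

```python
import base64
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
X509_V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
# Placeholder (assumption): replace with the ValueType configured on your token generator.
PROPAGATION_VALUE_TYPE = "urn:example:placeholder#PropagationToken"


def b64(data):
    return base64.b64encode(data).decode("ascii")


# Constructed sample message; the token bodies are dummy bytes, not real tokens.
SAMPLE = f"""<soapenv:Envelope xmlns:soapenv="{SOAP_NS}" xmlns:wsse="{WSSE_NS}">
  <soapenv:Header>
    <wsse:Security soapenv:mustUnderstand="1">
      <wsse:UsernameToken><wsse:Username>alice</wsse:Username></wsse:UsernameToken>
      <wsse:BinarySecurityToken ValueType="{X509_V3}">{b64(b'dummy-cert')}</wsse:BinarySecurityToken>
      <wsse:BinarySecurityToken ValueType="{PROPAGATION_VALUE_TYPE}">
        {b64(b'dummy-propagation-token')}
      </wsse:BinarySecurityToken>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>"""


def inventory_tokens(envelope_xml):
    """Return (element, ValueType, decoded byte length) per token in wsse:Security."""
    # ElementTree is adequate for this constructed input; parse captured
    # traffic with a hardened XML parser.
    root = ET.fromstring(envelope_xml)
    found = []
    for security in root.findall(f"{{{SOAP_NS}}}Header/{{{WSSE_NS}}}Security"):
        for child in security:
            if child.tag == f"{{{WSSE_NS}}}UsernameToken":
                found.append(("UsernameToken", None, None))
            elif child.tag == f"{{{WSSE_NS}}}BinarySecurityToken":
                # Base64Binary is the default EncodingType for this element.
                raw = base64.b64decode((child.text or "").strip(), validate=True)
                found.append(("BinarySecurityToken", child.get("ValueType"), len(raw)))
    return found


def carries_propagation_token(envelope_xml):
    """True when any BinarySecurityToken has the propagation ValueType."""
    return any(vt == PROPAGATION_VALUE_TYPE for _, vt, _ in inventory_tokens(envelope_xml))
```
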
You can use the com.ibm.ws.webservices.wssecurity.constants.jaasConfig custom property to specify a different JAAS login configuration for the generator. You can do this configuration on the CallbackHandler configuration panel. To specify a different JAAS login configuration on the consumer side, use the JAAS configuration name field in the Token consumer panel.