Web Services Security pluggable token framework SPIs

The token processing and pluggable token architecture in the Web Services Security runtime for the IBM WebSphere Application Server Version 6.1 Feature Pack for Web Services has been redesigned to reuse the same security token interface and JAAS Login Module as the Web Services Security APIs (WSS API). The same implementation of token creation and validation can therefore be used in both the WSS API and the WSS SPI in the Web Services Security runtime.

In IBM WebSphere Application Server Version 6.1 Feature Pack for Web Services, the new design removes the need for the following interfaces from WebSphere Application Server Version 6.1:

However, if your applications continue to use JAX-RPC and deployment descriptors for configuration instead of using the Feature Pack for Web Services, these Version 6.1 interfaces are still valid.

Note that the key name (KeyName) element is not supported in the Feature Pack for Web Services because there is no KeyName policy assertion defined in the current OASIS Web Services Security draft specification. For similar reasons, a SAML token is not supported in the Feature Pack for Web Services out of the box.

JAAS callback handler and the JAAS login module

Using the new design in the Feature Pack for Web Services, the Java Authentication and Authorization Service (JAAS) callback handler (CallbackHandler) and the JAAS login module (LoginModule) implementations are responsible for creating the security token on the generator side and validating (authenticating) the security token on the consumer side.

For example, on the generator side, the Username token is created by the JAAS LoginModule, which uses the JAAS CallbackHandler to obtain the authentication data. The JAAS LoginModule creates the Username SecurityToken object and passes it to the Web services security runtime.

Then, on the consumer side, the Username Token XML format is passed to the JAAS LoginModule for validation or authentication. The token consumer class name for the response consumer must be similar to the token generator class name for the request generator. For example, if your application requires a Username token consumer, you can specify the com.ibm.wsspi.wssecurity.token.UsernameTokenGenerator class name for the token generator and the com.ibm.wsspi.wssecurity.token.UsernameTokenConsumer class name for the token consumer.

The JAAS CallbackHandler is used to pass authentication data from the Web services security runtime to the LoginModule. If the token is authenticated successfully, a Username SecurityToken object is created and passed to the Web Services Security runtime.

The SPI implementation provides a com.ibm.wsspi.wssecurity.SoapSecurityException exception if an error condition occurs. This class is the same implementation as the class used in WebSphere Application Server Version 6.1.
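The consumer-side flow described above (the CallbackHandler delivering the Username token data, the LoginModule authenticating it and handing a SecurityToken object back to the runtime), written here as an added example that is not IBM's code and uses only standard JAAS classes. The sharedState key, the placeholder token record and the in-memory credential store are assumptions: the page gives neither the string value of Constants.WSSECURITY_TOKEN_LOGININFO nor the IBM token classes.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
// Consumer-side Username token LoginModule written against standard JAAS only: the runtime
// hands the token data over through the CallbackHandler, the module authenticates it and,
// only on success, publishes a security token object for the runtime to pick up.
public class UsernameTokenLoginModule implements LoginModule {
    // Assumption: the token goes back through the JAAS sharedState map under the key the page
    // calls Constants.WSSECURITY_TOKEN_LOGININFO; its string value is not on the page.
    public static final String TOKEN_LOGININFO_KEY = "PLACEHOLDER_WSSECURITY_TOKEN_LOGININFO";
    public record UsernameSecurityToken(String principalName) {}  // stand-in for the IBM token class
    // Constructed credential store (SHA-256 of the password) for the example only; a real
    // module consults the configured user registry.
    private static final Map<String, byte[]> USERS =
        Map.of("alice", sha256("correct horse battery staple".toCharArray()));
    private CallbackHandler handler;
    private Map<String, Object> sharedState;
    private UsernameSecurityToken pending;

    @Override @SuppressWarnings("unchecked")
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.handler = handler;
        this.sharedState = (Map<String, Object>) sharedState;
    }

    @Override public boolean login() throws LoginException {
        if (handler == null) throw new LoginException("runtime supplied no CallbackHandler");
        NameCallback name = new NameCallback("username");
        PasswordCallback pw = new PasswordCallback("password", false);
        try {
            handler.handle(new Callback[] { name, pw });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("cannot read Username token data: " + e.getMessage());
        }
        char[] secret = Optional.ofNullable(pw.getPassword()).orElse(new char[0]);  // getPassword() returns a copy
        pw.clearPassword();
        try {
            if (name.getName() == null || !verify(name.getName(), secret)) {
                throw new FailedLoginException("Username token authentication failed");
            }
        } finally {
            Arrays.fill(secret, '\0');   // scrub our copy of the credential
        }
        pending = new UsernameSecurityToken(name.getName());
        return true;
    }

    // Constant-time digest comparison; unknown user and wrong password share one failure path.
    private static boolean verify(String user, char[] secret) {
        byte[] expected = USERS.getOrDefault(user, new byte[32]);   // dummy digest for unknown users
        return USERS.containsKey(user) & MessageDigest.isEqual(expected, sha256(secret));
    }
    private static byte[] sha256(char[] chars) {
        try { return MessageDigest.getInstance("SHA-256").digest(new String(chars).getBytes(StandardCharsets.UTF_8)); }
        catch (java.security.NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }
    @Override public boolean commit() {   // only an authenticated token is handed back to the runtime
        if (pending != null) sharedState.put(TOKEN_LOGININFO_KEY, pending);
        return pending != null;
    }
    @Override public boolean abort() { pending = null; return true; }
    @Override public boolean logout() { sharedState.remove(TOKEN_LOGININFO_KEY); pending = null; return true; }
}
```

A failed login() leaves `pending` unset, so commit() publishes nothing and the runtime never sees a token for an unauthenticated request.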

Generator side

The token generator class must implement the com.ibm.websphere.wssecurity.wssapi.token.Generatable interface. The token generator class name for the request generator must be similar to the token consumer class name for the request consumer. For example, if your application requires a security token generator, you can specify the com.ibm.websphere.wssecurity.wssapi.token.SecurityTokenImpl class name.

The JAAS Login Module implementation handles the following arguments from the default token generator to the JAAS LoginModule:

Default token generator > LoginModule

The JAAS Login Module implementation handles the following arguments from the JAAS login module to the default token generator:

Generator - Service Provider Interfaces

This information describes the default implementations of the service provider interfaces (SPI) for Web services security used with the Feature Pack for Web Services on the generator side:
com.ibm.wsspi.wssecurity.SoapSecurityException
This exception class is used by an implementation of com.ibm.wsspi.wssecurity.SoapSecurity to communicate the exception and errors to the Web services security runtime. This class is the same implementation that is used for WebSphere Application Server Version 6.1.
com.ibm.wsspi.wssecurity.core.messageContext
This interface is used to define the MessageContext instance on the generator side. The default implementation is com.ibm.ws.wssecurity.impl.core.messageContext, which enables you to define the MessageContext instance for Web Services Security.
com.ibm.wsspi.wssecurity.keyinfo.keytype
This interface is used to define the type of SigningKey or EncryptingKey to be used for the signature or encryption, respectively, on the generator side. The default implementation is com.ibm.ws.wssecurity.impl.keyinfo.keytype, which enables you to define the signing or encryption key.
com.ibm.wsspi.wssecurity.keyinfo.keyAlgorithm
This interface is used to define the algorithm to be used for the signing or encryption operation on the generator side. There is no default implementation to define for SignatureGenerator or EncryptionGenerator.
com.ibm.wsspi.wssecurity.keyinfo.type
This interface is used to define the type of key information to be used on the generator side. There is no default implementation to define for the EncryptionGenerator. The default implementation is com.ibm.ws.wssecurity.impl.keyinfo.type, which enables you to define the type of key information for CommonContentGenerator. The following types of key information can be defined: EMB, KEYID, STRREF, THUMBPRINT, X509ISSUER.
com.ibm.wsspi.wssecurity.keyinfo.Encoding
This interface is used to define the encoding type of key identifier if the CommonContentGenerator invokes the CommonTokenGenerator with the KEYID or THUMBPRINT type of key information on the generator side. The default implementation is com.ibm.ws.wssecurity.impl.keyinfo.Encoding, which enables you to define the encoding type of key information for CommonContentGenerator.
com.ibm.wsspi.wssecurity.keyinfo.idType
This interface is used to define the calculation method of key identifier if the CommonContentGenerator invokes the CommonTokenGenerator with the KEYID type of key information on the generator side. The default implementation is com.ibm.ws.wssecurity.impl.token.loginInfo, which enables you to define the calculation method of key identifier for CommonContentGenerator.
com.ibm.wsspi.wssecurity.token.loginInfo
This interface is used to define the security token that the JAAS Login Module creates on the generator side. The default implementation is com.ibm.ws.wssecurity.impl.token.loginInfo, which enables you to define the security token for CommonContentGenerator.
com.ibm.wsspi.wssecurity.config.tokenGenerator.configKey
This interface is used to define the configuration of the token generator that the JAAS Login Module creates on the generator side. The default implementation is com.ibm.ws.wssecurity.impl.config.tokenGenerator.configKey, which enables you to define the configuration of the token generator token for CommonTokenGenerator.
com.ibm.wsspi.wssecurity.core.processingElement
This interface is used to define the configuration of the token generator that the JAAS Login Module creates on the generator side. There is no default implementation to define for CommonTokenGenerator.

Generator - property names and values

Custom properties are name-value pairs of data that are passed to and from the JAAS Login Module during configuration on the generator side.

The Property name column displays the name of the custom property. The name must match the name of a configuration property or setting that the JAAS Login Module understands and expects. The Property value column displays the configuration setting that is passed to the JAAS Login Module during configuration.

Table 1. WSSGenerator > JAAS Login Module

Property name:  com.ibm.wsspi.wssecurity.core.Constants.WSSECURITY_MESSAGE_CONTEXT
Property value: com.ibm.wsspi.wssecurity.core.messageContext (the MessageContext instance)

Table 2. SignatureGenerator > JAAS Login Module

Property name:  com.ibm.wsspi.wssecurity.core.Constants.WSSECURITY_KEY_TYPE
Property value: com.ibm.wsspi.wssecurity.keyinfo.keytype (the type of key: SigningKey)

Property name:  com.ibm.wsspi.wssecurity.core.Constants.WSSECURITY_KEY_ALGORITHM
Property value: com.ibm.wsspi.wssecurity.keyinfo.keyAlgorithm (the algorithm used for the signing operation)

Table 3. EncryptionGenerator > JAAS Login Module

Property name:  com.ibm.wsspi.wssecurity.core.Constants.WSSECURITY_KEY_TYPE
Property value: com.ibm.wsspi.wssecurity.keyinfo.keytype (the type of key: EncryptingKey)

Property name:  com.ibm.wsspi.wssecurity.core.Constants.WSSECURITY_KEY_ALGORITHM
Property value: com.ibm.wsspi.wssecurity.keyinfo.keyAlgorithm (the algorithm used for the encryption operation)

Table 4. CommonContentGenerator > JAAS Login Module

Property name:  com.ibm.wsspi.wssecurity.core.Constants.WSSECURITY_KEYINFO_TYPE
Property value: com.ibm.wsspi.wssecurity.keyinfo.type (the type of key information: EMB, KEYID, STRREF, THUMBPRINT, X509ISSUER)

Property name:  com.ibm.wsspi.wssecurity.core.Constants.WSSECURITY_KEY_ENCODING
Property value: com.ibm.wsspi.wssecurity.keyinfo.Encoding (the encoding type of the key identifier if the CommonContentGenerator invokes the CommonTokenGenerator with the KEYID or THUMBPRINT type of key information)

Property name:  com.ibm.wsspi.wssecurity.core.Constants.WSSECURITY_KEY_IDTYPE
Property value: com.ibm.wsspi.wssecurity.keyinfo.idType (the calculation method of the key identifier if the CommonContentGenerator invokes the CommonTokenGenerator with the KEYID type of key information)

Table 5. CommonContentGenerator < JAAS Login Module

Property name:  com.ibm.wsspi.wssecurity.core.Constants.WSSECURITY_TOKEN_LOGININFO
Property value: com.ibm.wsspi.wssecurity.token.loginInfo (the security token that the JAAS Login Module creates)

Table 6. CommonTokenGenerator > JAAS Login Module

Property name:  com.ibm.wsspi.wssecurity.core.config.TokenGeneratorConfig.CONFIG_KEY
Property value: com.ibm.wsspi.wssecurity.config.tokenGenerator.configKey (the configuration of the token generator)

Property name:  com.ibm.wsspi.wssecurity.core.Constants.AXIOM_PROCESSING_ELEMENT
Property value: com.ibm.ws.wssecurity.common.Constants.PROCESSING_ELEMENT (the parent element of the security token as an OMElement)

Property name:  com.ibm.wsspi.wssecurity.core.Constants.DOM_PROCESSING_ELEMENT
Property value: com.ibm.wsspi.wssecurity.domProcessingElement (the parent element of the security token as a DOM Element; this property has a value only when a custom property named com.ibm.wsspi.wssecurity.domElementEnabled is set to true in the token generator and consumer bindings)

Table 7. CommonTokenGenerator < JAAS Login Module

Property name:  com.ibm.wsspi.wssecurity.core.Constants.WSSECURITY_TOKEN_LOGININFO
Property value: A list of security tokens or one security token that the JAAS Login Module creates.

Property name:  com.ibm.wsspi.wssecurity.core.Constants.WSSECURITY_ELEM_INSERT_TO_MESSAGE
Property value: True if the security tokens received from the JAAS Login Module are inserted into the message.

Property name:  com.ibm.wsspi.wssecurity.core.Constants.WSSECURITY_REFERENCED_TOKEN
Property value: The security token referenced by other tokens in the list. The token is inserted first in the <wsse:Security> header.

Consumer side

The JAAS Login Module implementation handles the following arguments from the default token consumer to the JAAS LoginModule:

Default token consumer > JAAS LoginModule

The JAAS Login Module implementation handles the following arguments from the JAAS LoginModule to the default token consumer:
  • The security token that is constructed in the login module: com.ibm.wsspi.wssecurity.core.Constants.WSSECURITY_TOKEN_LOGININFO

Consumer - Service Provider Interfaces

The following information describes the default implementations of the service provider interfaces (SPI) for Web services security used with the Feature Pack for Web Services on the consumer side:

com.ibm.wsspi.wssecurity.core.messageContext
This interface is used to define the MessageContext instance for Web services security on the consumer side. The default implementation is com.ibm.wsspi.wssecurity.core.Constants.WSSECURITY_MESSAGE_CONTEXT.
com.ibm.wsspi.wssecurity.keyinfo.keytype
This interface is used to define the type of the verifying key to be used for the signature verification on the consumer side. The default implementation is com.ibm.wsspi.wssecurity.core.Constants.WSSECURITY_KEY_TYPE.
com.ibm.wsspi.wssecurity.keyinfo.keyAlgorithm
This interface is used to define the verifying key algorithm to be used for the verifying operation on the consumer side. The default implementation is com.ibm.wsspi.wssecurity.core.Constants.WSSECURITY_KEY_ALGORITHM.
com.ibm.wsspi.wssecurity.keyinfo.keytype
This interface is used to define the type of decryption key information to be used for CommonContentConsumer on the consumer side. The default implementation is com.ibm.wsspi.wssecurity.core.Constants.WSSECURITY_KEY_TYPE.
com.ibm.wsspi.wssecurity.keyinfo.keyAlgorithm
This interface is used to define the algorithm to be used for the decryption key on the consumer side. The default implementation is com.ibm.wsspi.wssecurity.core.Constants.WSSECURITY_KEY_TYPE.
com.ibm.wsspi.wssecurity.keyinfo.type
This interface is used to define the type of key to be used on the consumer side. The default implementation is com.ibm.wsspi.wssecurity.core.Constants.WSSECURITY_KEYINFO_TYPE. The possible types of key information are EMB, KEYID, STRREF, THUMBPRINT, and X509ISSUER.
com.ibm.wsspi.wssecurity.keyinfo.embeddedId
This interface is used to define the identifier of the <wsse:Embedded> element if the CommonContentConsumer invokes the CommonTokenConsumer with the EMB type of key information. The default implementation is com.ibm.wsspi.wssecurity.core.Constants.WSSECURITY_KEY_EMBID.
com.ibm.wsspi.wssecurity.keyinfo.id
This interface is used to define the key identifier of the token if the CommonContentConsumer invokes the CommonTokenConsumer with the KEYID type of key information. The default implementation is com.ibm.wsspi.wssecurity.core.Constants.WSSECURITY_KEY_ID.
com.ibm.wsspi.wssecurity.keyinfo.thumbprintReference
This interface is used to define the thumbprint reference of the token if the CommonContentConsumer invokes the CommonTokenConsumer with the THUMBPRINT type of key information. The default implementation is com.ibm.wsspi.wssecurity.core.Constants.WSSECURITY_KEY_THUMBPRINT_REFERENCE.
com.ibm.wsspi.wssecurity.keyinfo.reference
This interface is used to define the reference URI of the token if the CommonContentConsumer invokes the CommonTokenConsumer with the STRREF type of key information. The default implementation is com.ibm.wsspi.wssecurity.core.Constants.WSSECURITY_KEY_REFERENCE.
com.ibm.wsspi.wssecurity.keyinfo.issuerName
This interface is used to define the issuer name of the token if the CommonContentConsumer invokes the CommonTokenConsumer with the X509ISSUER type of key information. The default implementation is com.ibm.wsspi.wssecurity.core.Constants.WSSECURITY_KEY_ISSUERNAME.
com.ibm.wsspi.wssecurity.keyinfo.issuerSerial
This interface is used to define the issuer serial number of the token if the CommonContentConsumer invokes the CommonTokenConsumer with the X509ISSUER type of key information. The default implementation is com.ibm.wsspi.wssecurity.core.Constants.WSSECURITY_KEY_ISSUERSERIAL.
com.ibm.wsspi.wssecurity.keyinfo.ValueType
This interface is used to define the value type of key identifier if the CommonContentConsumer invokes the CommonTokenConsumer with the KEYID or THUMBPRINT type of key information. The default implementation is com.ibm.wsspi.wssecurity.core.Constants.WSSECURITY_KEY_VALUETYPE.
com.ibm.wsspi.wssecurity.keyinfo.Encoding
This interface is used to define the encoding type of key identifier if the CommonContentConsumer invokes the CommonTokenConsumer with the KEYID or THUMBPRINT type of key information. The default implementation is com.ibm.wsspi.wssecurity.core.Constants.WSSECURITY_KEY_ENCODING.
com.ibm.wsspi.wssecurity.keyinfo.idType
This interface is used to define the calculation method of key identifier if the CommonContentConsumer invokes the CommonTokenConsumer with the KEYID type of key information. The default implementation is com.ibm.wsspi.wssecurity.core.Constants.WSSECURITY_KEY_IDTYPE.
com.ibm.wsspi.wssecurity.token.loginInfo
This interface is used to define the security token that the JAAS Login Module creates. The default implementation is com.ibm.wsspi.wssecurity.core.Constants.WSSECURITY_TOKEN_LOGININFO.
com.ibm.wsspi.wssecurity.config.tokenConsumer.configKey
This interface is used to define the configuration of the token consumer. The default implementation is com.ibm.wsspi.wssecurity.core.config.TokenConsumerConfig.CONFIG_KEY.
com.ibm.wsspi.wssecurity.core.processingElement
This interface is used to define the target security token element if the WSSConsumer directly invokes the CommonTokenConsumer, or if the CommonContentConsumer invokes the CommonTokenConsumer with the EMB type of key information; it defines the KeyInfo element if the CommonContentConsumer invokes the CommonTokenConsumer with the KEYID, STRREF, THUMBPRINT, or X509ISSUER type of key information. The default implementation is com.ibm.wsspi.wssecurity.core.Constants.WSSECURITY_PROCESSING_ELEMENT.

Consumer - property names and values

Custom properties are name-value pairs of data that are passed to and from the JAAS Login Module during configuration on the consumer side.

The Property name column displays the name of the custom property. The name must match the name of a configuration property or setting that the JAAS Login Module understands and expects. The Property value column displays the configuration setting that is passed to the JAAS Login Module during configuration.

Table 8. WSSConsumer > JAAS Login Module

Property name:  com.ibm.wsspi.wssecurity.core.Constants.WSSECURITY_MESSAGE_CONTEXT
Property value: The MessageContext instance.

Table 9. SignatureConsumer > JAAS Login Module

Property name:  com.ibm.wsspi.wssecurity.core.Constants.WSSECURITY_KEY_TYPE
Property value: com.ibm.wsspi.wssecurity.keyinfo.keytype (the type of key: VerifyingKey)

Property name:  com.ibm.wsspi.wssecurity.core.Constants.WSSECURITY_KEY_ALGORITHM
Property value: com.ibm.wsspi.wssecurity.keyinfo.keyAlgorithm (the algorithm used for the verifying operation)

Table 10. EncryptionConsumer > JAAS Login Module

Property name:  com.ibm.wsspi.wssecurity.core.Constants.WSSECURITY_KEY_TYPE
Property value: com.ibm.wsspi.wssecurity.keyinfo.keytype (the type of key: DecryptingKey)

Property name:  com.ibm.wsspi.wssecurity.core.Constants.WSSECURITY_KEY_ALGORITHM
Property value: com.ibm.wsspi.wssecurity.keyinfo.keyAlgorithm (the algorithm used for the decryption operation)

Table 11. CommonContentConsumer > JAAS Login Module

Property name:  com.ibm.wsspi.wssecurity.core.Constants.WSSECURITY_KEYINFO_TYPE
Property value: com.ibm.wsspi.wssecurity.keyinfo.type (the type of key information: EMB, KEYID, STRREF, THUMBPRINT, X509ISSUER)

Property name:  com.ibm.wsspi.wssecurity.core.Constants.WSSECURITY_KEY_EMBID
Property value: com.ibm.wsspi.wssecurity.keyinfo.embeddedId (the identifier of the <wsse:Embedded> element if the CommonContentConsumer invokes the CommonTokenConsumer with the EMB type of key information)

Property name:  com.ibm.wsspi.wssecurity.core.Constants.WSSECURITY_KEY_ID
Property value: com.ibm.wsspi.wssecurity.keyinfo.id (the key identifier of the token if the CommonContentConsumer invokes the CommonTokenConsumer with the KEYID type of key information)

Property name:  com.ibm.wsspi.wssecurity.core.Constants.WSSECURITY_KEY_THUMBPRINT_REFERENCE
Property value: com.ibm.wsspi.wssecurity.keyinfo.thumbprintReference (the thumbprint reference of the token if the CommonContentConsumer invokes the CommonTokenConsumer with the THUMBPRINT type of key information)

Property name:  com.ibm.wsspi.wssecurity.core.Constants.WSSECURITY_KEY_REFERENCE
Property value: com.ibm.wsspi.wssecurity.keyinfo.reference (the reference URI of the token if the CommonContentConsumer invokes the CommonTokenConsumer with the STRREF type of key information)

Property name:  com.ibm.wsspi.wssecurity.core.Constants.WSSECURITY_KEY_ISSUERNAME
Property value: com.ibm.wsspi.wssecurity.keyinfo.issuerName (the issuer name of the token if the CommonContentConsumer invokes the CommonTokenConsumer with the X509ISSUER type of key information)

Property name:  com.ibm.wsspi.wssecurity.core.Constants.WSSECURITY_KEY_ISSUERSERIAL
Property value: com.ibm.wsspi.wssecurity.keyinfo.issuerSerial (the issuer serial number of the token if the CommonContentConsumer invokes the CommonTokenConsumer with the X509ISSUER type of key information)

Property name:  com.ibm.wsspi.wssecurity.core.Constants.WSSECURITY_KEY_VALUETYPE
Property value: com.ibm.wsspi.wssecurity.keyinfo.ValueType (the value type of the key identifier if the CommonContentConsumer invokes the CommonTokenConsumer with the KEYID or THUMBPRINT type of key information)

Property name:  com.ibm.wsspi.wssecurity.core.Constants.WSSECURITY_KEY_ENCODING
Property value: com.ibm.wsspi.wssecurity.keyinfo.Encoding (the encoding type of the key identifier if the CommonContentConsumer invokes the CommonTokenConsumer with the KEYID or THUMBPRINT type of key information)

Property name:  com.ibm.wsspi.wssecurity.core.Constants.WSSECURITY_KEY_IDTYPE
Property value: com.ibm.wsspi.wssecurity.keyinfo.idType (the calculation method of the key identifier if the CommonContentConsumer invokes the CommonTokenConsumer with the KEYID type of key information)

Table 12. CommonContentConsumer < JAAS Login Module

Property name:  com.ibm.wsspi.wssecurity.core.Constants.WSSECURITY_TOKEN_LOGININFO
Property value: com.ibm.wsspi.wssecurity.token.loginInfo (the security token that the JAAS Login Module creates)

Table 13. CommonTokenConsumer > JAAS Login Module

Property name:  com.ibm.wsspi.wssecurity.core.Constants.WSSECURITY_TOKEN_LOGININFO
Property value: com.ibm.wsspi.wssecurity.token.loginInfo (the configuration of the token consumer)

Property name:  com.ibm.wsspi.wssecurity.core.Constants.AXIOM_PROCESSING_ELEMENT
Property value: com.ibm.ws.wssecurity.common.Constants.PROCESSING_ELEMENT (the parent element of the security token as an OMElement)

Property name:  com.ibm.wsspi.wssecurity.core.Constants.DOM_PROCESSING_ELEMENT
Property value: com.ibm.wsspi.wssecurity.domProcessingElement (the parent element of the security token as a DOM Element; this property has a value only when a custom property named com.ibm.wsspi.wssecurity.domElementEnabled is set to true in the token generator and consumer bindings)

Table 14. CommonTokenConsumer < JAAS Login Module

Property name:  com.ibm.wsspi.wssecurity.core.Constants.WSSECURITY_TOKEN_LOGININFO
Property value: com.ibm.wsspi.wssecurity.token.loginInfo (the security token that the JAAS Login Module creates)



Related tasks
Configuring Web services security using the WSS APIs
Related reference
Web services security APIs


Last updated: Aug 31, 2013 1:23:07 AM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=pix&product=was-nd-dist&topic=rwbs_wss_spi
File name: rwbs_wss_spi.html