When a Web service message is received, the application server calls the generic security token login module for the token consumer as part of the Web services security authentication process.
The login module delegates the token validation process to the WS-Trust service using WS-Trust Validate. The WS-Trust Security Token Service processes the request and returns a RequestSecurityTokenResponse message to the login module; the response might contain a new security token, or only a validation status code. If a caller token is required, the caller token is the token returned by the WS-Trust Security Token Service or, when no new token is returned, the originally received token.
If the trust service call returns an invalid status code or an error, the token validation process fails and the login module produces a LoginException exception.
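The decision the login module makes on the returned RequestSecurityTokenResponse, as an added Python illustration that is not WebSphere product code: the namespace and status URIs are those of the WS-Trust 1.3 specification, the sample responses are constructed inline, and the LoginException class name is assumed.

```python
"""Caller-token resolution for a WS-Trust 1.3 RequestSecurityTokenResponse (RSTR).
Added illustration; not WebSphere code. Sample messages are constructed."""
import xml.etree.ElementTree as ET

WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"   # WS-Trust 1.3 namespace
STATUS_VALID = WST + "/status/valid"
STATUS_INVALID = WST + "/status/invalid"
NS = {"wst": WST}


class LoginException(Exception):
    """Raised when validation fails (assumed name, mirroring the JAAS exception)."""


def resolve_caller_token(rstr_xml: str, received_token: str) -> str:
    """Return the token to use as the caller token.

    Valid status with a RequestedSecurityToken -> the new token.
    Valid status without one                 -> the originally received token.
    Invalid, unknown, missing status or bad XML -> LoginException.
    """
    try:
        root = ET.fromstring(rstr_xml)
    except ET.ParseError as exc:
        raise LoginException(f"malformed RSTR: {exc}") from exc
    code = root.findtext("wst:Status/wst:Code", default="", namespaces=NS).strip()
    if code != STATUS_VALID:
        raise LoginException(f"trust service reported status {code or '<none>'}")
    issued = root.find("wst:RequestedSecurityToken/*", NS)
    if issued is not None:
        return ET.tostring(issued, encoding="unicode")
    return received_token


def validation_fails(rstr_xml: str, received_token: str) -> bool:
    """True when the login module would reject the message."""
    try:
        resolve_caller_token(rstr_xml, received_token)
    except LoginException:
        return True
    return False


# Constructed sample responses (not captured from a real trust service).
RSTR_VALID_NEW_TOKEN = f"""<wst:RequestSecurityTokenResponse xmlns:wst="{WST}">
  <wst:Status><wst:Code>{STATUS_VALID}</wst:Code></wst:Status>
  <wst:RequestedSecurityToken><Sample>new-token</Sample></wst:RequestedSecurityToken>
</wst:RequestSecurityTokenResponse>"""
RSTR_VALID_STATUS_ONLY = f"""<wst:RequestSecurityTokenResponse xmlns:wst="{WST}">
  <wst:Status><wst:Code>{STATUS_VALID}</wst:Code></wst:Status>
</wst:RequestSecurityTokenResponse>"""
RSTR_INVALID = f"""<wst:RequestSecurityTokenResponse xmlns:wst="{WST}">
  <wst:Status><wst:Code>{STATUS_INVALID}</wst:Code></wst:Status>
</wst:RequestSecurityTokenResponse>"""
```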
The Java™ Authentication and Authorization Service (JAAS) login configuration name is wss.consume.issuedToken, and the callback handler class name is com.ibm.websphere.wssecurity.callbackhandler.GenericIssuedTokenConsumeCallbackHandler.
The implementation of the generic security token login module in a policy set does not involve a new token type. For example, if you plan to use a generic security token login module to generate a user name token, you can create a policy set that specifies a user name token as an authentication token. Some custom token types are not supported by the existing default system login modules. However, you can implement these token types using custom login modules. These custom token types are supported by generic security token login modules if they are supported by the designated trust services.
For example, if you configure a user name token, you can use the wss.consume.unt JAAS login configuration and maintain the existing behavior. Alternatively, you can configure the wss.consume.issuedToken JAAS login configuration to use the generic login module.