Web services security supports both LTPA (Version 1) and
LTPA Version 2 (LTPA2) tokens. The LTPA2 token,
which is more secure than Version 1, is supported in WebSphere® Application Server Version 7.0 by the JAX-WS runtime
only.
The Lightweight Third Party Authentication (LTPA) token is a specific
type of binary security token. The web services
security implementation for WebSphere Application Server, Version 5 and
later supports the LTPA Version 1 token. WebSphere Application Server Version 7 added
JAX-WS runtime support for the LTPA Version 2 token.
LTPA token version | Valuetype value |
---|---|
LTPA (Version 1) | http://www.ibm.com/websphere/appserver/tokentype/5.0.2/LTPA |
LTPA2 | http://www.ibm.com/websphere/appserver/tokentype/LTPAv2 |
To allow for interoperability between servers that
are running different versions of WebSphere Application Server, by default, the
JAX-WS web services security runtime in Version 7.0 can successfully
consume an LTPA Version 1 token when the binding is configured to
expect an LTPA2 token. However, you can configure the binding for
the JAX-WS runtime to accept only LTPA2 tokens. For more information,
see the documentation about Authentication generator or consumer token
settings.
If the web services security run time receives a
token with an unrecognized valuetype value and the SOAP security header
contains a mustUnderstand attribute value that is equal to '1',
the web services security run time issues a SOAPFaultException error.
If the mustUnderstand attribute value is equal to '0',
the token is ignored.
Run time | LTPA Version 1 token status | MustUnderstand attribute value | SOAPFaultException error |
---|---|---|---|
JAX-RPC | Required | 1 | com.ibm.wsspi.wssecurity.SoapSecurityException: WSEC5509E: A security token whose type is [{http://www.ibm.com/websphere/appserver/tokentype/5.0.2}LTPA] is required. |
JAX-RPC | Required | 0 | com.ibm.wsspi.wssecurity.SoapSecurityException: WSEC5509E: A security token whose type is [{http://www.ibm.com/websphere/appserver/tokentype/5.0.2}LTPA] is required. |
JAX-RPC | Optional | 1 | com.ibm.wsspi.wssecurity.SoapSecurityException: WSEC5502E: Unexpected element as the target element: s:BinarySecurityToken. |
JAX-RPC | Optional | 0 | None |
JAX-RPC | Not Configured | 1 | com.ibm.wsspi.wssecurity.SoapSecurityException: WSEC5502E: Unexpected element as the target element: s:BinarySecurityToken. |
JAX-RPC | Not Configured | 0 | None |
JAX-WS (Version 6.1 Feature Pack for Web Services) | Not Configured | 1 | CWWSS5502E: The target element: s:BinarySecurityToken was not expected. |
JAX-WS (Version 6.1 Feature Pack for Web Services) | Not Configured | 0 | None |
JAX-WS (Version 6.1 Feature Pack for Web Services) | Configured | 1 | CWWSS5509E: A security token whose type is [{http://www.ibm.com/websphere/appserver/tokentype/5.0.2}LTPA] is required. |
JAX-WS (Version 6.1 Feature Pack for Web Services) | Configured | 0 | CWWSS5509E: A security token whose type is [{http://www.ibm.com/websphere/appserver/tokentype/5.0.2}LTPA] is required. |
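
The following added example is not WebSphere code and is not part of the original documentation. It audits captured SOAP messages by classifying each BinarySecurityToken against the two valuetype values listed above, and it applies the stated mustUnderstand rule to unrecognized valuetypes. The function names, the SOAP 1.1 namespace, the ValueType attribute carrying the full URI, and the `urn:example:unknown` value are assumptions made for the constructed samples.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1, assumed
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
# Valuetype values copied from the table on this page.
LTPA1 = "http://www.ibm.com/websphere/appserver/tokentype/5.0.2/LTPA"
LTPA2 = "http://www.ibm.com/websphere/appserver/tokentype/LTPAv2"


def audit_envelope(xml_text):
    """Return one (token_kind, note) tuple per BinarySecurityToken found."""
    # For untrusted captures, parse with a hardened parser such as defusedxml.
    root = ET.fromstring(xml_text)
    findings = []
    for sec in root.iter(f"{{{WSSE}}}Security"):
        # An absent mustUnderstand attribute is treated as '0'.
        must = sec.get(f"{{{SOAP}}}mustUnderstand", "0") == "1"
        for tok in sec.iter(f"{{{WSSE}}}BinarySecurityToken"):
            valuetype = (tok.get("ValueType") or "").strip()
            if valuetype == LTPA2:
                findings.append(("LTPA2", "ok"))
            elif valuetype == LTPA1:
                # Accepted by default; relevant before enforcing LTPA2-only.
                findings.append(("LTPA1", "review"))
            elif must:
                findings.append(("unrecognized", "fault"))
            else:
                findings.append(("unrecognized", "ignored"))
    return findings


def sample(valuetype, must_understand):
    """Build a constructed SOAP 1.1 envelope with a placeholder token body."""
    return (
        f'<s:Envelope xmlns:s="{SOAP}" xmlns:wsse="{WSSE}"><s:Header>'
        f'<wsse:Security s:mustUnderstand="{must_understand}">'
        f'<wsse:BinarySecurityToken ValueType="{valuetype}">'
        "CONSTRUCTED-PLACEHOLDER</wsse:BinarySecurityToken>"
        "</wsse:Security></s:Header><s:Body/></s:Envelope>"
    )


if __name__ == "__main__":
    for vt, mu in [(LTPA2, "1"), (LTPA1, "1"),
                   ("urn:example:unknown", "1"), ("urn:example:unknown", "0")]:
        print(vt, mu, audit_envelope(sample(vt, mu)))
```

Messages reported as LTPA1 identify the senders that depend on the default interoperability behavior and would be affected if the binding is changed to accept only LTPA2 tokens.
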
You can configure the JAX-WS run time in Version
7 to generate either LTPA (Version 1) or LTPA2 tokens. If you generate
an LTPA (Version 1) token in the token generator within a policy binding,
you must enable the single sign-on interoperability mode, which is
available on the Single sign-on (SSO) panel within the administrative
console. For more information on this option, see the documentation
about single sign-on settings. If you do not enable the interoperability
mode, an error occurs when the application, which is attached to these
bindings, is started. To generate an LTPA (Version 1) token regardless
of the state of the interoperability mode, set the com.ibm.wsspi.wssecurity.tokenGenerator.ltpav1.pre.v7 custom
property to true for the LTPA token generator. For more information,
see the documentation about enabling or disabling single sign-on interoperability
mode for the LTPA token.