When you use the lightweight third party authentication (LTPA) method, the <wsse:BinarySecurityToken> security token is generated. On the request sender side, the security token is generated by invoking a callback handler. On the request receiver side, the security token is validated by a Java™ Authentication and Authorization Service (JAAS) login module.
The following information describes token generation and token validation operations.
You can add your own callback handlers that implement the javax.security.auth.callback.CallbackHandler property.
The appropriate JAAS login configuration to use is specified in the bindings file <LoginMapping> element. Default bindings specified in the ws-security.xml file, but these can be overridden using the application-specific ibm-webservices-bnd.xmi file. The configuration information consists of a CallbackHandlerFactory, a ConfigName and a TokenValueType attribute. The CallbackHandlerFactory specifies the name of a class to use to create the JAAS CallbackHandler object. A CallbackHandlerFactory implementation is provided (com.ibm.wsspi.wssecurity.auth.callback.WSCallbackHandlerFactoryImpl). The ConfigName attribute specifies a JAAS configuration name entry. The Web services security run time first searches the security.xml file for a matching entry and if a matching entry is not found, the run time searches the wsjaas.conf file. A default configuration entry suitable for the LTPA authentication method is provided (WSLogin). An appropriate TokenValueType element is located in the LTPA LoginMapping section of the default ws-security.xml file.