Overview
The Web Services Security token generation and consuming processes invoke these login modules. The Web Services Security component provides default login modules for common tokens such as the following:
- Username tokens
- X.509 tokens
- Kerberos tokens
- Lightweight Third Party Authentication (LTPA) tokens
- Security Assertion Markup Language (SAML) tokens
- Security context tokens
For more information on the token implementations, see the default implementations of the Web Services Security service provider programming interfaces documentation.
Note: For JAX-WS web services that use Web Services Security, the generic security token login modules generate and consume tokens using WS-Trust Issue and WS-Trust Validate requests. As a result of these requests, the login module issues, validates, or exchanges tokens with a WS-Trust Security Token Service, such as the service that is provided with the IBM® Tivoli® Federated Identity Manager.
Avoid trouble: If you are using the IBM Tivoli Federated Identity Manager as an external Security Token Service, you should use Versions 6.2.0.9, 6.2.1.2, 6.2.2 or later to prevent LTPA token exchange failures. (Updated in August 2011.)
The following illustration shows the flow of information through the generic security token login module process.
- The caller's identity is inherited by the runtime environment of the web services client.
- The generic security token login module for the token generator sends a token request to a WS-Trust service using a WS-Trust client, using either an issue or a validate request.
- The returned or validated token is set in the security header of the SOAP message as an authentication token. For more information, see the documentation about the generic security token login modules for the token generator.
- The PassTicket is sent as part of the SOAP message to the service provider.
- The generic security token login module for the token consumer sends the received token in the security header of the SOAP message within a WS-Trust Validate request to a designated WS-Trust service.
- The request might result in a new token or in a notification that the sent token has been validated successfully.
- As required, the new or originally validated token is used as the caller token for authorization purposes. For more information, see the documentation about the generic security token login modules for the token consumer.
A PassTicket is a dynamically generated, one-time-use substitute password. You can use the PassTicket to authenticate to a service rather than sending the actual password.
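The token-consumer steps above (take the received token out of the SOAP security header, send it to the Security Token Service in a WS-Trust Validate request, then act on the returned status or exchanged token), as an added Python example that is not part of this documentation or of the WebSphere login modules. It uses the WS-Trust 1.3 and WSS 1.0 namespaces; the SOAP message, the STS reply and the ExchangedToken element are constructed placeholders.

```python
import xml.etree.ElementTree as ET

WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"        # WS-Trust 1.3
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
VALIDATE = WST + "/Validate"
STATUS_VALID = WST + "/status/valid"

def extract_security_token(soap_xml: str) -> ET.Element:
    """Pull the token out of the wsse:Security header of a received SOAP message."""
    env = ET.fromstring(soap_xml)
    sec = env.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security")
    if sec is None or len(sec) == 0:
        raise ValueError("no security token in the SOAP header")
    return sec[0]

def build_validate_request(token: ET.Element) -> str:
    """Wrap the received token in a WS-Trust RST with RequestType=Validate."""
    rst = ET.Element(f"{{{WST}}}RequestSecurityToken")
    ET.SubElement(rst, f"{{{WST}}}RequestType").text = VALIDATE
    ET.SubElement(rst, f"{{{WST}}}ValidateTarget").append(token)
    return ET.tostring(rst, encoding="unicode")

def parse_validate_response(rstr_xml: str):
    """Return (valid, exchanged_token). Only the 'valid' status code counts as
    success; a missing Status element or any other code is a failed validation."""
    root = ET.fromstring(rstr_xml)
    rstr = root if root.tag == f"{{{WST}}}RequestSecurityTokenResponse" \
        else root.find(f"{{{WST}}}RequestSecurityTokenResponse")
    if rstr is None:
        return False, None
    if rstr.findtext(f"{{{WST}}}Status/{{{WST}}}Code") != STATUS_VALID:
        return False, None
    requested = rstr.find(f"{{{WST}}}RequestedSecurityToken")
    # The STS may answer a Validate with an exchanged token (e.g. SAML for LTPA)
    return True, (requested[0] if requested is not None and len(requested) else None)

# Constructed sample: inbound SOAP request carrying a UsernameToken.
SAMPLE_SOAP = f"""<S:Envelope xmlns:S="{SOAP}"><S:Header>
<wsse:Security xmlns:wsse="{WSSE}"><wsse:UsernameToken>
<wsse:Username>alice</wsse:Username></wsse:UsernameToken>
</wsse:Security></S:Header><S:Body/></S:Envelope>"""

# Constructed sample: STS reply saying the token is valid and handing back a
# placeholder exchanged token (a real STS would return e.g. a SAML assertion).
SAMPLE_RSTR = f"""<wst:RequestSecurityTokenResponseCollection xmlns:wst="{WST}">
<wst:RequestSecurityTokenResponse><wst:Status><wst:Code>{STATUS_VALID}</wst:Code>
</wst:Status><wst:RequestedSecurityToken><ExchangedToken/></wst:RequestedSecurityToken>
</wst:RequestSecurityTokenResponse></wst:RequestSecurityTokenResponseCollection>"""
```

A consumer that accepts any response carrying a RequestedSecurityToken without checking the status code would treat an STS rejection as success, so the status check comes first.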