Signature authentication refers to an X.509 certificate sent by the client to the server. The certificate is used to authenticate to the user registry configured at the server. After the server receives a request that contains the certificate, the server needs to log in to form a credential. The credential is used for authorization. You can validate signature authentication at the server.
About this task
Important: There is an important distinction between Version 5.x and Version 6.0.x and later applications. The information in this article applies only to Version 5.x applications that are used with WebSphere® Application Server Version 6.0.x and later. The information does not apply to Version 6.0.x and later applications.
If the certificate supplied cannot be mapped to an entry in the user registry, an exception is thrown and the request ends without invoking the resource.
Complete the following steps to configure the server to validate signature authentication:
Procedure
- Launch an assembly tool. For more information, see the related information on Assembly Tools.
- Switch to the Java Platform, Enterprise Edition (Java EE) perspective by clicking .
- Click .
- Right-click the webservices.xml file, and click .
- Click the Binding Configurations tab, which is located at the bottom of the web services editor within the assembly tool.
- Expand the section.
- Click Edit to view the login mapping information or click Add to add new login mapping information. The login mapping dialog is displayed and you select (or enter) the following information:
- Authentication method
- Specifies the type of authentication. Select Signature to use signature authentication.
- Configuration name
- Specifies the Java Authentication and Authorization Service (JAAS) login configuration name. For the signature authentication method, enter system.wssecurity.Signature for the JAAS login configuration name. This specification logs in with the com.ibm.wsspi.wssecurity.auth.module.SignatureLoginModule JAAS login module.
- Use token value type
- Determines if you want to specify a custom token type. For the default authentication method selections, you can leave this field blank.
- URI and local name
- When you select Signature method, you cannot edit the token value type URI and local name values. Specifies custom authentication types. For signature authentication, you can leave this field blank.
- Callback handler factory class name
- Creates a JAAS CallbackHandler implementation that understands the following callback handlers:
- javax.security.auth.callback.NameCallback
- javax.security.auth.callback.PasswordCallback
- com.ibm.wsspi.wssecurity.auth.callback.BinaryTokenCallback
- com.ibm.wsspi.wssecurity.auth.callback.XMLTokenReceiverCallback
- com.ibm.wsspi.wssecurity.auth.callback.PropertyCallback
For any of the default authentication methods (BasicAuth, IDAssertion, and Signature), use the callback handler factory default implementation. Enter the following class name for any of the default authentication methods including signature: com.ibm.wsspi.wssecurity.auth.callback.WSCallbackHandlerFactoryImpl
This implementation creates the correct callback handler for the default implementations.
- Callback handler factory property name and callback handler factory property value
- Specifies callback handler properties for custom callback handler factory implementations. You do not need to specify any properties for the default callback handler factory implementation. For signature, you can leave this field blank.
- Login mapping property name and login mapping property value
- Specifies properties for a custom login mapping to use. For the default implementations including signature, you can leave this field blank.
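The login flow implied by the configuration name and by the mapping failure described above, modeled with standard JAAS classes as an added example (not IBM's code or the product's implementation). `CertMappingModule`, the in-memory `REGISTRY`, the canonical-DN lookup, and passing the subject DN through a `NameCallback` are assumptions standing in for SignatureLoginModule, the server's user registry, and the certificate token.

```java
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
import javax.security.auth.x500.X500Principal;

public class SignatureLoginSketch {
    // Constructed stand-in for the user registry: canonical certificate subject DN -> user.
    static final Map<String, String> REGISTRY = Map.of("cn=alice,o=example", "alice");
    // Hypothetical stand-in for SignatureLoginModule (the real module ships with the server).
    public static class CertMappingModule implements LoginModule {
        private Subject subject; private CallbackHandler handler; private String user;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
            subject = s; handler = h;
        }
        public boolean login() throws LoginException {
            NameCallback dn = new NameCallback("certificate subject DN");
            try { handler.handle(new Callback[] { dn }); }
            catch (Exception e) { throw new LoginException(e.toString()); }
            // Assumed mapping rule: look the DN up in canonical form (lower case, no padding).
            user = REGISTRY.get(new X500Principal(dn.getName()).getName(X500Principal.CANONICAL));
            if (user == null) throw new FailedLoginException("no registry entry for " + dn.getName());
            return true;
        }
        public boolean commit() { subject.getPrincipals().add(new X500Principal("CN=" + user)); return true; }
        public boolean abort() { user = null; return true; }
        public boolean logout() { subject.getPrincipals().clear(); return true; }
    }
    // The configuration name from the login mapping selects the login module to run.
    static final Configuration CONFIG = new Configuration() {
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            if (!"system.wssecurity.Signature".equals(name)) return null;
            return new AppConfigurationEntry[] { new AppConfigurationEntry(CertMappingModule.class.getName(),
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, new HashMap<String, Object>()) };
        }
    };
    // Forms the credential, or throws so the caller never reaches the resource.
    static Subject authenticate(String certSubjectDn) throws LoginException {
        CallbackHandler h = cbs -> { for (Callback c : cbs) ((NameCallback) c).setName(certSubjectDn); };
        LoginContext lc = new LoginContext("system.wssecurity.Signature", new Subject(), h, CONFIG);
        lc.login();
        return lc.getSubject();
    }
    public static void main(String[] args) throws Exception {
        System.out.println("credential: " + authenticate("CN=Alice, O=Example").getPrincipals());
        try { authenticate("CN=Mallory, O=Example"); }
        catch (LoginException e) { System.out.println("request ends: " + e.getMessage()); }
    }
}
```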