This information
describes the default implementations
of the service provider interfaces (SPI) for Web Services Security
within WebSphere® Application Server. The default
implementation classes and their functionality for both the JAX-RPC
run time and the JAX-WS run time are discussed. You can use this information
to create or modify the Web Services Security binding configuration.
Best practice: IBM® WebSphere Application Server supports the Java API for XML-Based Web Services (JAX-WS)
programming model and the Java API for XML-based RPC (JAX-RPC) programming model. JAX-WS is the
next generation web services programming model extending the foundation
provided by the JAX-RPC programming model. Using the strategic JAX-WS
programming model, development of web services and clients is simplified
through support of a standards-based annotations model. Although
the JAX-RPC programming model and applications are still supported,
take advantage of the easy-to-implement JAX-WS programming model to
develop new web services applications and clients.
Default implementations for the JAX-RPC run time
- com.ibm.wsspi.wssecurity.token.X509TokenGenerator
- The Java Authentication and Authorization
Service (JAAS) Login Module implementation is used to create the security
token on the generator side. It is responsible for creating the X.509
token object from the X.509 certificate, which is returned by the
com.ibm.wsspi.wssecurity.auth.callback.{X509,PKCS7,PkiPath}CallbackHandler
interface. It also encodes the token using the Base64 format and inserts its
XML representation into the SOAP message, if necessary.
- com.ibm.wsspi.wssecurity.auth.callback.X509CallbackHandler
- This class implements the javax.security.auth.callback.CallbackHandler
interface and it retrieves the X.509 certificate from the keystore
file.
- com.ibm.wsspi.wssecurity.token.UsernameTokenGenerator
- The Java Authentication and Authorization
Service (JAAS) Login Module implementation is used to create the security
token on the generator side. It is responsible for creating the username
token object from the user name and password that are returned by a javax.security.auth.callback.CallbackHandler
implementation such as the following callback handler:
com.ibm.wsspi.wssecurity.auth.callback.{GUIPrompt,NonPrompt,StdinPrompt}CallbackHandler.
It also inserts the XML representation of the token into the SOAP message,
if necessary.
- com.ibm.wsspi.wssecurity.keyinfo.KeyStoreKeyLocator
- The Java Authentication and Authorization
Service (JAAS) Login Module implementation is used to create the security
token on the generator side and to validate (authenticate) the security
token on the consumer side. This class retrieves the keys from the
keystore files for digital signature and encryption.
- com.ibm.wsspi.wssecurity.token.X509TokenConsumer
- The Java Authentication and Authorization
Service (JAAS) Login Module implementation is used to validate (authenticate)
the security token on the consumer side. This class processes the
X.509 token from the binary security token. This class decodes the
Base64 encoding within the X.509 token and then invokes the system.wssecurity.X509BST Java Authentication and Authorization Service
(JAAS) Login Configuration with the com.ibm.wsspi.wssecurity.auth.module.X509LoginModule
login module to validate the X.509 token. An object of the com.ibm.wsspi.wssecurity.auth.token.X509Token
is created for the validated X.509 token and stored in JAAS Subject.
- com.ibm.wsspi.wssecurity.token.IDAssertionUsernameTokenConsumer
- The Java Authentication and Authorization
Service (JAAS) Login Module implementation is used to validate (authenticate)
the security token on the consumer side. This class processes the
username token for identity assertion (IDAssertion), which does not
have a password element. This interface invokes the system.wssecurity.IDAssertionUsernameToken
JAAS login configuration with the com.ibm.wsspi.wssecurity.auth.module.IDAssertionUsernameLoginModule
login module to validate the IDAssertion user name token. An object
of the com.ibm.wsspi.wssecurity.auth.token.UsernameToken class is
created for the validated username token and stored in the JAAS Subject.
- com.ibm.wsspi.wssecurity.auth.module.IDAssertionUsernameLoginModule
- This class implements the javax.security.auth.spi.LoginModule
interface and checks whether the username value is not empty. The
login module assumes that the UsernameToken is valid if the username
value is not empty.
- com.ibm.wsspi.wssecurity.token.LTPATokenGenerator
- The Java Authentication and Authorization
Service (JAAS) Login Module implementation is used to create the security
token on the generator side. This class is responsible for Base 64
encoding the LTPA token object obtained from the com.ibm.wsspi.wssecurity.auth.callback.LTPATokenCallbackHandler
callback handler. The object is inserted into the Web Services Security
header within the SOAP message, if necessary.
- com.ibm.wsspi.wssecurity.token.LTPATokenConsumer
- The Java Authentication and Authorization
Service (JAAS) Login Module implementation is used to validate (authenticate)
the security token on the consumer side. This class processes the
LTPA token from the binary security token, and decodes the Base64
encoding within the LTPA token. An object of the com.ibm.wsspi.wssecurity.auth.token.LTPAToken
class is created for the validated LTPA token and stored in the JAAS
Subject.
- com.ibm.wsspi.wssecurity.auth.module.X509LoginModule
- This class implements the javax.security.auth.spi.LoginModule
interface and validates the X.509 Certificate based on the trust anchor
and the collection certification store configuration.
- com.ibm.wsspi.wssecurity.token.UsernameTokenConsumer
- The Java Authentication and Authorization
Service (JAAS) Login Module implementation is used to validate (authenticate)
the security token on the consumer side. This class processes the
username token, extracts the user name and password, and then invokes
the system.wssecurity.UsernameToken JAAS login configuration using
the com.ibm.wsspi.wssecurity.auth.module.UsernameLoginModule login
module to validate the user name and password. An object of the com.ibm.wsspi.wssecurity.auth.token.UsernameToken
class is created for the validated username token and stored in the
JAAS Subject.
- com.ibm.wsspi.wssecurity.keyinfo.X509TokenKeyLocator
- The Java Authentication and Authorization
Service (JAAS) Login Module implementation is used to create the security
token on the generator side and to validate (authenticate) the security
token on the consumer side. This class is used to retrieve a public
key from an X.509 certificate. The X.509 certificate is stored in the
X.509 token (com.ibm.wsspi.wssecurity.auth.token.X509Token) in the
JAAS Subject. The X.509 token is created by the X.509 Token Consumer
(com.ibm.wsspi.wssecurity.token.X509TokenConsumer).
- com.ibm.wsspi.wssecurity.keyinfo.SignerCertKeyLocator
- The Java Authentication and Authorization
Service (JAAS) Login Module implementation is used to create the security
token on the generator side and to validate (authenticate) the security
token on the consumer side. This class is used to retrieve a public
key from the X.509 certificate of the request signer and encrypt the
response. You can use this key locator in the response generator binding
configuration only.
Important: This implementation assumes
that only one signer certificate is used in the request.
- com.ibm.wsspi.wssecurity.auth.token.UsernameToken
- This implementation extends the com.ibm.wsspi.wssecurity.auth.token.WSSToken
abstract class to represent the username token.
- com.ibm.wsspi.wssecurity.auth.token.X509Token
- This implementation
extends the com.ibm.wsspi.wssecurity.auth.token.WSSToken
abstract class to represent the X.509 binary security token (X.509
certificate).
- com.ibm.wsspi.wssecurity.auth.token.LTPAToken
- This implementation extends the com.ibm.wsspi.wssecurity.auth.token.WSSToken
abstract class as a wrapper to the LTPA token that is extracted from
the binary security token.
- com.ibm.wsspi.wssecurity.auth.callback.PKCS7CallbackHandler
- This class implements the javax.security.auth.callback.CallbackHandler
interface and is responsible for creating a certificate and binary
data with or without a certificate revocation list (CRL) using the
PKCS#7 encoding. The certificate and the binary data are passed back
to the com.ibm.wsspi.wssecurity.token.X509TokenGenerator implementation
through the com.ibm.wsspi.wssecurity.auth.callback.X509BSCallback
callback handler.
- com.ibm.wsspi.wssecurity.auth.callback.PkiPathCallbackHandler
- This class implements the javax.security.auth.callback.CallbackHandler
interface and it is responsible for creating a certificate and binary
data without a CRL using the PkiPath encoding. The certificate and
binary data are passed back to the com.ibm.wsspi.wssecurity.token.X509TokenGenerator
implementation through the com.ibm.wsspi.wssecurity.auth.callback.X509BSCallback
callback handler.
- com.ibm.wsspi.wssecurity.auth.callback.X509CallbackHandler
- This class implements the javax.security.auth.callback.CallbackHandler
interface and it is responsible for creating a certificate from the
keystore file. The X.509 token certificate is passed back to the com.ibm.wsspi.wssecurity.token.X509TokenGenerator
implementation through the com.ibm.wsspi.wssecurity.auth.callback.X509BSCallback
callback handler.
- com.ibm.wsspi.wssecurity.auth.callback.LTPATokenCallbackHandler
- This implementation generates a Lightweight Third Party Authentication
(LTPA) token in the Web Services Security header as a binary security
token. If basic authentication data is defined in the application
binding file, it is used to perform a login, to extract the LTPA token
from the WebSphere Application Server credentials,
and to insert the token in the Web Services Security header. Otherwise,
it extracts the LTPA security token from the invocation credentials
(run as identity) and inserts the token in the Web Services Security
header.
- com.ibm.wsspi.wssecurity.auth.callback.NonPromptCallbackHandler
- This implementation reads the basic authentication data from the
application binding file. You might use this implementation on the
server side to generate a username token.
- com.ibm.wsspi.wssecurity.auth.callback.GUIPromptCallbackHandler
- This implementation presents you with a login prompt to gather
the basic authentication data. Use this implementation on the client
side only.
- com.ibm.wsspi.wssecurity.auth.callback.StdinPromptCallbackHandler
- This implementation collects the basic authentication data using
a standard in (stdin) prompt. Use this implementation on the client
side only.
Restriction: If you have a multi-threaded client
and multiple threads attempt to read from standard in at the same
time, not all of the threads will successfully obtain the user name and
password information. Therefore, you cannot use the com.ibm.wsspi.wssecurity.auth.callback.StdinPromptCallbackHandler
implementation with a multi-threaded client where multiple threads
might attempt to obtain data from standard in concurrently.
- com.ibm.wsspi.wssecurity.id.TrustedIDEvaluator
- This interface is used to evaluate the level of trust for identity
assertion. The default implementation is com.ibm.wsspi.wssecurity.id.TrustedIDEvaluatorImpl,
which enables you to define a list of trusted identities.
- com.ibm.wsspi.wssecurity.id.TrustedIDEvaluatorImpl
- This default implementation enables you to define a list of trusted
identities for identity assertion.
- com.ibm.wsspi.wssecurity.id.TrustedIDEvaluatorException
- This exception class is used by an implementation of the com.ibm.wsspi.wssecurity.id.TrustedIDEvaluator
to communicate the exception and errors to the Web Services Security
run time.
Default implementations for the JAX-WS run time
- com.ibm.ws.wssecurity.wssapi.token.impl.CommonTokenGenerator
- This implementation invokes the JAAS CallbackHandler and JAAS
login configuration that are specified in the binding to create the
SecurityToken at run time on the outbound SOAP message.
- com.ibm.websphere.wssecurity.callbackhandler.X509GenerateCallbackHandler
- This class implements the javax.security.auth.callback.CallbackHandler
interface on the outbound SOAP message, and retrieves the X.509 certificate.
The following properties may be specified:
- com.ibm.wsspi.wssecurity.token.IDAssertion.isUsed. This property
takes a boolean value, and the default value is false.
- com.ibm.wsspi.wssecurity.token.cert.useRequestorCert. This property
takes a boolean value, and the default value is false.
- com.ibm.ws.wssecurity.wssapi.token.impl.X509GenerateLoginModule
- The wss.generate.x509 JAAS system login configuration contains
the class com.ibm.ws.wssecurity.wssapi.token.impl.X509GenerateLoginModule.
X509GenerateLoginModule implements the javax.security.auth.spi.LoginModule
interface and is responsible for generating an XML Username token
structure, and also a com.ibm.websphere.wssecurity.wssapi.token.SecurityToken
that represents the X.509 token at run time.
- com.ibm.ws.wssecurity.wssapi.token.impl.PKCS7GenerateLoginModule
- The wss.generate.pkcs7 JAAS system login configuration contains
the class com.ibm.ws.wssecurity.wssapi.token.impl.PKCS7GenerateLoginModule.
PKCS7GenerateLoginModule implements the javax.security.auth.spi.LoginModule
interface and is responsible for generating an XML token structure
and a com.ibm.websphere.wssecurity.wssapi.token.SecurityToken that
represents the token at run time.
- com.ibm.ws.wssecurity.wssapi.token.impl.PkiPathGenerateLoginModule
- The wss.generate.pkiPath JAAS system login configuration contains
the class com.ibm.ws.wssecurity.wssapi.token.impl.PkiPathGenerateLoginModule.
PkiPathGenerateLoginModule implements the javax.security.auth.spi.LoginModule
interface and is responsible for generating an XML token structure
and a com.ibm.websphere.wssecurity.wssapi.token.SecurityToken that
represents the token at run time.
- com.ibm.websphere.wssecurity.callbackhandler.UNTGenerateCallbackHandler
- This class implements the javax.security.auth.callback.CallbackHandler
interface on the outbound SOAP message, and it retrieves the binding
configuration and user name and password authentication data. The
following properties may be specified. These properties take a boolean
value, and the default value is false.
- com.ibm.wsspi.wssecurity.token.username.addNonce
- com.ibm.wsspi.wssecurity.token.username.addTimestamp
- com.ibm.wsspi.wssecurity.token.IDAssertion.isUsed
- com.ibm.wsspi.wssecurity.token.IDAssertion.useRunAsIdentity
- com.ibm.wsspi.wssecurity.token.IDAssertion.sendRealm
- com.ibm.wsspi.wssecurity.token.IDAssertion.trustedRealm
- com.ibm.ws.wssecurity.wssapi.token.impl.UNTGenerateLoginModule
- The wss.generate.unt JAAS system login configuration contains
the class com.ibm.ws.wssecurity.wssapi.token.impl.UNTGenerateLoginModule. UNTGenerateLoginModule
implements the javax.security.auth.spi.LoginModule interface and is
responsible for generating an XML Username token structure and also
a com.ibm.websphere.wssecurity.wssapi.token.SecurityToken that represents
the token at run time. When com.ibm.wsspi.wssecurity.token.IDAssertion.isUsed
has the value of true, the generated username token
does not contain a password. When com.ibm.wsspi.wssecurity.token.IDAssertion.sendRealm
has the value of true, the user name is qualified
by the local realm name. When com.ibm.wsspi.wssecurity.token.IDAssertion.trustedRealm
has the value of true, the user name field contains
both the user name and a registry-dependent unique identifier for
the user. Both the user name and the unique identifier are qualified
by the local realm name.
- com.ibm.websphere.wssecurity.callbackhandler.KRBTokenGenerateCallbackHandler
- This class implements the javax.security.auth.callback.CallbackHandler
interface on the outbound SOAP message, and it retrieves the Kerberos
user name and password, along with other binding configuration properties.
The following properties may be specified. The properties take a string
that specifies the target service name as part of a service principal
name (SPN), in the form of service_name/host_name@Kerberos_realm_name.
- com.ibm.wsspi.wssecurity.krbtoken.targetServiceName
- com.ibm.wsspi.wssecurity.krbtoken.targetServiceHost
- com.ibm.wsspi.wssecurity.krbtoken.targetServiceRealm
- com.ibm.ws.wssecurity.wssapi.token.impl.KRBGenerateLoginModule
- The wss.generate.KRB5BST JAAS system login configuration contains
the classes com.ibm.ws.wssecurity.wssapi.token.impl.KRBGenerateLoginModule,
and com.ibm.ws.wssecurity.wssapi.token.impl.DKTGenerateLoginModule.
KRBGenerateLoginModule implements the javax.security.auth.spi.LoginModule
interface and is responsible for generating an XML token structure
and a com.ibm.websphere.wssecurity.wssapi.token.SecurityToken that
represents the token at run time.
- com.ibm.ws.wssecurity.wssapi.token.impl.DKTGenerateLoginModule
- The wss.generate.KRB5BST JAAS system login configuration contains
the classes com.ibm.ws.wssecurity.wssapi.token.impl.KRBGenerateLoginModule,
and com.ibm.ws.wssecurity.wssapi.token.impl.DKTGenerateLoginModule.
DKTGenerateLoginModule implements the javax.security.auth.spi.LoginModule
interface and is responsible for generating an XML token structure
and a com.ibm.websphere.wssecurity.wssapi.token.SecurityToken that
represents the token at run time when the Requires derived
keys option is enabled.
- com.ibm.websphere.wssecurity.callbackhandler.LTPAGenerateCallbackHandler
- This class implements the javax.security.auth.callback.CallbackHandler
interface on the outbound SOAP message, and it retrieves the user
name and password binding data if they are specified.
- com.ibm.ws.wssecurity.wssapi.token.impl.LTPAGenerateLoginModule
- The wss.generate.ltpa JAAS system login configuration contains
the class com.ibm.ws.wssecurity.wssapi.token.impl.LTPAGenerateLoginModule.
LTPAGenerateLoginModule implements the javax.security.auth.spi.LoginModule
interface and is responsible for generating an XML token structure
and a com.ibm.websphere.wssecurity.wssapi.token.SecurityToken that
represents the token at run time. The security token contains an
LTPA token that is generated from the user name and password if they
are defined in the binding data, or the LTPA authentication token
from the RunAs Subject, in that order.
- com.ibm.ws.wssecurity.wssapi.token.impl.LTPAPropagationGenerateLoginModule
- The wss.generate.ltpaProp JAAS system login configuration contains
com.ibm.ws.wssecurity.wssapi.token.impl.LTPAPropagationGenerateLoginModule.
LTPAPropagationGenerateLoginModule implements the javax.security.auth.spi.LoginModule
interface and is responsible for generating an XML token structure
and a com.ibm.websphere.wssecurity.wssapi.token.SecurityToken that
represents the token at run time. The security token contains the
serialized RunAs Subject.
- com.ibm.ws.wssecurity.impl.auth.callback.WSTrustCallbackHandler
- This class implements the javax.security.auth.callback.CallbackHandler
interface on the outbound SOAP message, and it retrieves security
context token configuration data.
- com.ibm.ws.wssecurity.wssapi.token.impl.SCTGenerateLoginModule
- The wss.generate.sct JAAS system login configuration contains
the classes com.ibm.ws.wssecurity.wssapi.token.impl.SCTGenerateLoginModule,
and com.ibm.ws.wssecurity.wssapi.token.impl.DKTGenerateLoginModule.
SCTGenerateLoginModule implements the javax.security.auth.spi.LoginModule
interface and is responsible for generating an XML token structure
and a com.ibm.websphere.wssecurity.wssapi.token.SecurityToken that
represents the security context token at run time.
- com.ibm.ws.wssecurity.wssapi.token.impl.DKTGenerateLoginModule
- The wss.generate.sct JAAS system login configuration contains
the classes com.ibm.ws.wssecurity.wssapi.token.impl.SCTGenerateLoginModule,
and com.ibm.ws.wssecurity.wssapi.token.impl.DKTGenerateLoginModule.
DKTGenerateLoginModule implements the javax.security.auth.spi.LoginModule
interface and is responsible for generating an XML token structure
and a com.ibm.websphere.wssecurity.wssapi.token.SecurityToken that
represents the token at run time when the Requires derived
keys option is enabled.
- com.ibm.ws.wssecurity.wssapi.token.impl.CommonTokenConsumer
- This implementation invokes the JAAS CallbackHandler and JAAS
login configuration that are specified in the binding to extract the
security token from the inbound SOAP message and to create the SecurityToken
object at run time.
- com.ibm.websphere.wssecurity.callbackhandler.X509ConsumeCallbackHandler
- This class implements the javax.security.auth.callback.CallbackHandler
interface on the inbound SOAP message to retrieve the trust store and
certificate file information that are required to validate the X.509
certificate.
- com.ibm.ws.wssecurity.wssapi.token.impl.X509ConsumeLoginModule
- The wss.consume.x509 JAAS system login configuration contains
the class com.ibm.ws.wssecurity.wssapi.token.impl.X509ConsumeLoginModule.
X509ConsumeLoginModule implements the javax.security.auth.spi.LoginModule
interface and is responsible for retrieving and validating the X.509
certificate. It creates a com.ibm.websphere.wssecurity.wssapi.token.SecurityToken
that represents the X.509 token at run time.
- com.ibm.ws.wssecurity.wssapi.token.impl.PKCS7ConsumeLoginModule
- The wss.consume.pkcs7 JAAS system login configuration contains
the class com.ibm.ws.wssecurity.wssapi.token.impl.PKCS7ConsumeLoginModule.
PKCS7ConsumeLoginModule implements the javax.security.auth.spi.LoginModule
interface and is responsible for retrieving and validating the X.509
certificate. It creates a com.ibm.websphere.wssecurity.wssapi.token.SecurityToken
that represents the X.509 token at run time.
- com.ibm.ws.wssecurity.wssapi.token.impl.PkiPathConsumeLoginModule
- The wss.consume.pkiPath JAAS system login configuration contains
the class com.ibm.ws.wssecurity.wssapi.token.impl.PkiPathConsumeLoginModule.
PkiPathConsumeLoginModule implements the javax.security.auth.spi.LoginModule
interface and is responsible for retrieving and validating the X.509
certificate. It creates a com.ibm.websphere.wssecurity.wssapi.token.SecurityToken
that represents the X.509 token at run time.
- com.ibm.websphere.wssecurity.callbackhandler.UNTConsumeCallbackHandler
- This class implements the javax.security.auth.callback.CallbackHandler
interface on the inbound SOAP message to retrieve binding configuration
data. The following properties may be specified. These properties
take a boolean value and the default value is false.
- com.ibm.wsspi.wssecurity.token.username.verifyTimestamp
- com.ibm.wsspi.wssecurity.token.username.verifyNonce
- com.ibm.wsspi.wssecurity.token.IDAssertion.isUsed
- com.ibm.wsspi.wssecurity.token.IDAssertion.trustedRealm
- com.ibm.ws.wssecurity.wssapi.token.impl.UNTConsumeLoginModule
- The wss.consume.unt JAAS system login configuration contains the
class com.ibm.ws.wssecurity.wssapi.token.impl.UNTConsumeLoginModule.
UNTConsumeLoginModule implements the javax.security.auth.spi.LoginModule
interface and is responsible for retrieving and validating the username
token. It creates a com.ibm.websphere.wssecurity.wssapi.token.SecurityToken
that represents the username token at run time. When com.ibm.wsspi.wssecurity.token.IDAssertion.isUsed
has the value of false, UNTConsumeLoginModule validates
the username and password against the local user registry. An incorrect
user name or incorrect or missing password will cause the token validation
to fail. When com.ibm.wsspi.wssecurity.token.IDAssertion.isUsed has
a value of true, and com.ibm.wsspi.wssecurity.token.IDAssertion.trustedRealm
has a value of false, the user name is validated
against the local user registry. There should be no password in the
username token. When both com.ibm.wsspi.wssecurity.token.IDAssertion.isUsed
and com.ibm.wsspi.wssecurity.token.IDAssertion.trustedRealm have a
value of true, the user name field must contain a
realm-qualified user name and unique user identifier data, and the
realm must be one of the trusted realms in the multiple security domain
inbound trust configuration.
- com.ibm.websphere.wssecurity.callbackhandler.KRBTokenConsumeCallbackHandler
- This class implements the javax.security.auth.callback.CallbackHandler
interface on the inbound SOAP message, and it retrieves the binding
configuration data.
- com.ibm.ws.wssecurity.wssapi.token.impl.KRBConsumeLoginModule
- The wss.consume.KRB5BST JAAS system login configuration contains
the classes com.ibm.ws.wssecurity.wssapi.token.impl.KRBConsumeLoginModule,
and com.ibm.ws.wssecurity.wssapi.token.impl.DKTConsumeLoginModule.
KRBConsumeLoginModule implements the javax.security.auth.spi.LoginModule
interface and is responsible for retrieving and validating the Kerberos
AP_REQ token. It creates a com.ibm.websphere.wssecurity.wssapi.token.SecurityToken
that represents the AP_REQ token at run time.
- com.ibm.ws.wssecurity.wssapi.token.impl.DKTConsumeLoginModule
- The wss.consume.KRB5BST JAAS system login configuration contains
the classes com.ibm.ws.wssecurity.wssapi.token.impl.KRBConsumeLoginModule,
and com.ibm.ws.wssecurity.wssapi.token.impl.DKTConsumeLoginModule.
DKTConsumeLoginModule implements the javax.security.auth.spi.LoginModule
interface and is responsible for retrieving the derived key when a
derived key is required.
- com.ibm.websphere.wssecurity.callbackhandler.LTPAConsumeCallbackHandler
- This class implements the javax.security.auth.callback.CallbackHandler
interface on the inbound SOAP message, and it retrieves the binding
configuration data.
- com.ibm.ws.wssecurity.wssapi.token.impl.LTPAConsumeLoginModule
- The wss.consume.ltpa JAAS system login configuration contains
the class com.ibm.ws.wssecurity.wssapi.token.impl.LTPAConsumeLoginModule.
LTPAConsumeLoginModule implements the javax.security.auth.spi.LoginModule
interface and is responsible for retrieving and validating the LTPA
v2 or LTPA token. It creates a com.ibm.websphere.wssecurity.wssapi.token.SecurityToken
that represents the LTPA v2 or LTPA token at run time.
- com.ibm.ws.wssecurity.wssapi.token.impl.LTPAPropagationConsumeLoginModule
- The wss.consume.ltpaProp JAAS system login configuration contains
the class com.ibm.ws.wssecurity.wssapi.token.impl.LTPAPropagationConsumeLoginModule.
LTPAPropagationConsumeLoginModule implements the javax.security.auth.spi.LoginModule
interface and is responsible for retrieving, deserializing, and validating
the propagation token and reconstructing the security context.
- com.ibm.ws.wssecurity.impl.auth.callback.SCTConsumeCallbackHandler
- This class implements the javax.security.auth.callback.CallbackHandler
interface on the outbound SOAP message, and it retrieves the binding
configuration data.
- com.ibm.ws.wssecurity.wssapi.token.impl.SCTConsumeLoginModule
- The wss.consume.sct JAAS system login configuration contains the
classes com.ibm.ws.wssecurity.wssapi.token.impl.SCTConsumeLoginModule,
and com.ibm.ws.wssecurity.wssapi.token.impl.DKTConsumeLoginModule.
SCTConsumeLoginModule implements the javax.security.auth.spi.LoginModule
interface and is responsible for retrieving and validating the security
context token.
- com.ibm.ws.wssecurity.wssapi.token.impl.DKTConsumeLoginModule
- The wss.consume.sct JAAS system login configuration contains the
classes com.ibm.ws.wssecurity.wssapi.token.impl.SCTConsumeLoginModule,
and com.ibm.ws.wssecurity.wssapi.token.impl.DKTConsumeLoginModule.
DKTConsumeLoginModule implements the javax.security.auth.spi.LoginModule
interface and is responsible for retrieving the derived key when a
derived key is required.
- com.ibm.ws.wssecurity.impl.auth.module.PreCallerLoginModule
- The wss.caller JAAS system login configuration contains the class
com.ibm.ws.wssecurity.impl.auth.module.PreCallerLoginModule. PreCallerLoginModule
implements the javax.security.auth.spi.LoginModule interface and is
responsible for validating whether it has received any security token
that may be used to establish caller identity or trusted identity.
- com.ibm.ws.wssecurity.impl.auth.module.UNTCallerLoginModule
- The wss.caller JAAS system login configuration contains the class
com.ibm.ws.wssecurity.impl.auth.module.UNTCallerLoginModule. UNTCallerLoginModule
implements the javax.security.auth.spi.LoginModule interface. UNTCallerLoginModule
also determines if the user identity is authorized to make an identity
assertion if the username is configured to be a trusted identity,
or if there is exactly one caller identity if the username token is
configured to be a caller identity. It sets the validated caller and
trusted identity into the shared state.
- com.ibm.ws.wssecurity.impl.auth.module.X509CallerLoginModule
- The wss.caller JAAS system login configuration contains com.ibm.ws.wssecurity.impl.auth.module.X509CallerLoginModule.
X509CallerLoginModule implements the javax.security.auth.spi.LoginModule
interface. X509CallerLoginModule checks to see if the user identity
is authorized to make an identity assertion if the X509 token is configured
to be a trusted identity, or if there is exactly one caller identity
if the X509 token is configured to be a caller identity. It sets the
validated caller and trusted identity into the shared state.
- com.ibm.ws.wssecurity.impl.auth.module.LTPACallerLoginModule
- The wss.caller JAAS system login configuration contains the class
com.ibm.ws.wssecurity.impl.auth.module.LTPACallerLoginModule. LTPACallerLoginModule
implements the javax.security.auth.spi.LoginModule interface. LTPACallerLoginModule
also checks to see if the user identity is authorized to make an
identity assertion if the LTPA token is configured to be a trusted
identity, or if there is exactly one caller identity if the LTPA token
is configured to be a caller identity. It sets the validated caller
and trusted identity into the shared state.
- com.ibm.ws.wssecurity.impl.auth.module.LTPAPropagationCallerLoginModule
- The wss.caller JAAS system login configuration contains the class
com.ibm.ws.wssecurity.impl.auth.module.LTPAPropagationCallerLoginModule.
LTPAPropagationCallerLoginModule implements the javax.security.auth.spi.LoginModule
interface. LTPAPropagationCallerLoginModule also checks to see if
the user identity is authorized to make an identity assertion if
the propagation token is configured to be a trusted identity, or if
there is exactly one caller identity if the propagation token is configured
to be a caller identity. It sets the validated caller and trusted
identity into the shared state.
- com.ibm.ws.wssecurity.impl.auth.module.KRBCallerLoginModule
- The wss.caller JAAS system login configuration contains com.ibm.ws.wssecurity.impl.auth.module.KRBCallerLoginModule.
KRBCallerLoginModule implements the javax.security.auth.spi.LoginModule
interface. KRBCallerLoginModule also checks to see if the user identity
is authorized to make an identity assertion if the Kerberos token
is configured to be a trusted identity, or if there is exactly one
caller identity if the Kerberos token is configured to be a caller
identity. It sets the validated caller and trusted identity into the
shared state.
- com.ibm.ws.wssecurity.impl.auth.module.WSWSSLoginModule
- The wss.caller JAAS system login configuration contains the class
com.ibm.ws.wssecurity.impl.auth.module.WSWSSLoginModule. WSWSSLoginModule
implements the javax.security.auth.spi.LoginModule interface and is
responsible for asserting the caller identity to the ltpaLoginModule
and the wsMapDefaultInboundLoginModule to establish the caller security
context.
- com.ibm.ws.security.server.lm.ltpaLoginModule
- The wss.caller JAAS system login configuration contains the class
com.ibm.ws.security.server.lm.ltpaLoginModule.
- com.ibm.ws.security.server.lm.wsMapDefaultInboundLoginModule
- The wss.caller JAAS system login configuration contains the class
com.ibm.ws.security.server.lm.wsMapDefaultInboundLoginModule.
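
The three username-token validation modes described for UNTConsumeLoginModule above, modelled as an added example that is not IBM's implementation. The class name, the Result values, the in-memory registry and the trusted-realm list are constructed for illustration, and the token fields are taken as already parsed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import java.util.Set;

/** Added illustration (not IBM code): validation modes described for UNTConsumeLoginModule. */
public class UntConsumeRules {

    /** Hypothetical outcome names used only by this model. */
    enum Result {
        ACCEPT, REJECT_EMPTY_USER, REJECT_BAD_CREDENTIALS, REJECT_UNEXPECTED_PASSWORD,
        REJECT_UNKNOWN_USER, REJECT_MISSING_REALM_DATA, REJECT_UNTRUSTED_REALM
    }

    /** Already-parsed token fields; the wire encoding of realm, name and unique ID is not modelled. */
    static final class Token {
        final String realm, userName, uniqueId, password;

        Token(String realm, String userName, String uniqueId, String password) {
            this.realm = realm;
            this.userName = userName;
            this.uniqueId = uniqueId;
            this.password = password;
        }
    }

    // Constructed sample data: a stand-in local user registry and inbound trusted-realm list.
    static final Map<String, String> LOCAL_REGISTRY = Map.of("alice", "example-password-1");
    static final Set<String> TRUSTED_REALMS = Set.of("partnerRealm");

    static Result validate(Token t, boolean idAssertionIsUsed, boolean trustedRealm) {
        if (isBlank(t.userName)) {
            return Result.REJECT_EMPTY_USER;
        }

        if (!idAssertionIsUsed) {
            // IDAssertion.isUsed=false: user name and password are checked against the local
            // registry; a wrong user name, wrong password or missing password fails validation.
            String expected = LOCAL_REGISTRY.get(t.userName);
            if (expected == null || t.password == null) {
                return Result.REJECT_BAD_CREDENTIALS;
            }
            boolean match = MessageDigest.isEqual(
                    expected.getBytes(StandardCharsets.UTF_8),
                    t.password.getBytes(StandardCharsets.UTF_8));
            return match ? Result.ACCEPT : Result.REJECT_BAD_CREDENTIALS;
        }

        // Identity assertion: the token carries no password. The page says there "should be
        // no password"; rejecting a token that has one is this model's strict reading.
        if (t.password != null) {
            return Result.REJECT_UNEXPECTED_PASSWORD;
        }

        if (!trustedRealm) {
            // isUsed=true, trustedRealm=false: only the user name is validated, locally.
            return LOCAL_REGISTRY.containsKey(t.userName)
                    ? Result.ACCEPT : Result.REJECT_UNKNOWN_USER;
        }

        // isUsed=true, trustedRealm=true: realm-qualified name plus unique ID are required,
        // and the realm must be one of the configured trusted realms.
        if (isBlank(t.realm) || isBlank(t.uniqueId)) {
            return Result.REJECT_MISSING_REALM_DATA;
        }
        return TRUSTED_REALMS.contains(t.realm) ? Result.ACCEPT : Result.REJECT_UNTRUSTED_REALM;
    }

    static boolean isBlank(String s) {
        return s == null || s.trim().isEmpty();
    }

    public static void main(String[] args) {
        // Constructed tokens covering each mode and its main failure case.
        Token withPassword = new Token(null, "alice", null, "example-password-1");
        Token noPassword = new Token(null, "alice", null, null);
        Token partner = new Token("partnerRealm", "carol", "uid-123", null);
        Token foreign = new Token("otherRealm", "carol", "uid-123", null);

        System.out.println("password mode, password sent:    " + validate(withPassword, false, false));
        System.out.println("password mode, password missing: " + validate(noPassword, false, false));
        System.out.println("assertion, password sent:        " + validate(withPassword, true, false));
        System.out.println("assertion, local user:           " + validate(noPassword, true, false));
        System.out.println("trusted realm, realm listed:     " + validate(partner, true, true));
        System.out.println("trusted realm, realm not listed: " + validate(foreign, true, true));
        System.out.println("trusted realm, no realm data:    " + validate(noPassword, true, true));
    }
}
```

In both identity-assertion modes nothing in the username token proves who the user is, so acceptance rests on the check, made by the wss.caller login modules, that the asserting identity is authorized to make an identity assertion.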