Signature authentication refers to an X.509 certificate
that is sent by the client to the server. The certificate is used
to authenticate to the user registry that is configured at the server.
When using the signature authentication method, the security token
is generated with a ds:Signature and a wsse:BinarySecurityToken element.
Important: There is an important distinction between Version
5.x and Version 6.0.x and later applications. This information
applies only to Version 5.x applications that are used with WebSphere® Application Server Version 6.0.x and
later. It does not apply to Version 6.0.x and
later applications.
On the request sender side, a callback handler is invoked to generate
the security token. On the request receiver side, a Java Authentication
and Authorization Service (JAAS) login module is used to validate
the security token. These two operations, token generation and token
validation, are described in the following sections.
- Signature token generation
- The request sender generates a Signature security token using
a callback handler. The security token that the callback handler returns
is inserted in the SOAP message. The callback handler is specified
in the <LoginBinding> element of the bindings file, ibm-webservicesclient-bnd.xmi. WebSphere Application Server provides the
following callback handler implementation that can be used with the
Signature authentication method: com.ibm.wsspi.wssecurity.auth.callback.NonPromptCallbackHandler.
You can also add your own callback handlers that implement the javax.security.auth.callback.CallbackHandler
interface.
- Security token validation
- The request receiver retrieves the Signature security token from
the SOAP message and validates it using a JAAS login module. The <ds:Signature>
and <wsse:BinarySecurityToken> elements in the security token
are used to perform the validation. If the validation is successful,
the login module returns a JAAS Subject. This Subject is then set
as the identity of the running thread. If the validation fails, the
request is rejected with a SOAP fault exception.
The JAAS login
configuration is specified in the <LoginMapping> element
of the bindings file. Default bindings are specified in the ws-security.xml file.
However, you can override these bindings using the application-specific ibm-webservices-bnd.xmi file.
The configuration information consists of a CallbackHandlerFactory
and a ConfigName. The CallbackHandlerFactory specifies the name of
a class that is used for creating the JAAS CallbackHandler object. WebSphere Application Server provides the
com.ibm.wsspi.wssecurity.auth.callback.WSCallbackHandlerFactoryImp
CallbackHandlerFactory implementation. The ConfigName specifies a
JAAS configuration name entry. WebSphere Application
Server searches in the security.xml file for
a matching configuration name entry. If a match is not found, it searches
the wsjaas.conf file. WebSphere Application
Server provides the system.wssecurity.Signature default configuration
entry, which is suitable for the signature authentication method.