Several Service Provider Interfaces (SPIs) are provided
to extend the capability of the Web Services Security runtime.
About this task
Important: There is an important distinction
between Version 5.x and Version 6 and later applications. The
information supports Version 5.x applications only that are
used with WebSphere® Application Server Version 6.0.x and
later. The information does not apply to Version 6.0.x and
later applications.
The following list contains the SPIs
that are available for WebSphere Application Server:
What to do next
The JAAS LoginModule API is used for token validation
on the request receiver side of the message. You can implement a custom
LoginModule API to perform validation of the custom token on the request
receiver of the message. After the token is verified and validated,
the token is set as the caller and then run as the identity in the WebSphere Application Server runtime. The
identity is used for authorization checks by the containers before
a Java Platform, Enterprise Edition (Java EE) resource is invoked. The following
list presents the default
AuthMethod configurations
provided by WebSphere Application Server:
- BasicAuth
- Validates a user name token.
- Signature
- Maps the distinguished name (DN) of a verified certificate to
a Java Authentication and Authorization Service
(JAAS) subject.
- IDAssertion
- Maps a trusted identity to a JAAS subject.
- LTPA
- Validates an LTPA token that is received in the message and creates
a JAAS subject.