When you use the BasicAuth authentication
method, the security token that is generated is a <wsse:UsernameToken>
element with <wsse:Username> and <wsse:Password> elements.
Important: There is an important distinction between Version
5.x and Version 6 and later applications. This information applies
only to Version 5.x applications that are used with WebSphere® Application
Server Version 6.0.x and later. It does not apply
to Version 6 and later applications.
WebSphere Application Server supports text
passwords but not password digests, because the server does not store
passwords and therefore cannot retrieve them to verify a digest. On the request sender side,
a callback handler is invoked to generate the security token. On the
request receiver side, a Java Authentication
and Authorization Service (JAAS) login module is used to validate
the security token. These two operations, token generation and token
validation, are described in the following sections.
- BasicAuth token generation
  The request sender generates a BasicAuth security token using
  a callback handler. The security token returned by the callback handler
  is inserted in the SOAP message. The callback handler that is used
  is specified in the <LoginBinding> element of the bindings file, ibm-webservicesclient-bnd.xmi.
  The following callback handler implementations are provided with WebSphere Application Server and can be
  used with the BasicAuth authentication method:
  - com.ibm.wsspi.wssecurity.auth.callback.GUIPromptCallbackHandler
  - com.ibm.wsspi.wssecurity.auth.callback.StdinPromptCallbackHandler
  - com.ibm.wsspi.wssecurity.auth.callback.NonPromptCallbackHandler
  You can add your own callback handlers that implement the javax.security.auth.callback.CallbackHandler interface.
- BasicAuth token validation
  The request receiver retrieves the BasicAuth security token from
  the SOAP message and validates it using a JAAS login module. The <wsse:Username>
  and <wsse:Password> elements in the security token are used
  to perform the validation. If the validation is successful, the login
  module returns a JAAS Subject. This Subject is set as the identity
  of the running thread. If the validation fails, the request is rejected
  with a SOAP fault exception.
The JAAS login configuration is specified
in the <LoginMapping> element of the bindings file. Default
bindings are specified in the ws-security.xml file.
However, you can override these bindings using the application-specific ibm-webservices-bnd.xmi file.
The configuration information consists of a CallbackHandlerFactory
and a ConfigName value. The CallbackHandlerFactory option specifies
the name of a class that is used for creating the JAAS CallbackHandler
object. WebSphere Application Server provides the
com.ibm.wsspi.wssecurity.auth.callback.WSCallbackHandlerFactoryImpl
CallbackHandlerFactory implementation. The ConfigName value specifies
a JAAS configuration name entry. WebSphere Application
Server searches the security.xml file for a matching
configuration name entry. If a match is not found, it searches the wsjaas.conf file
for a match. WebSphere Application Server provides the
WSLogin default configuration entry, which is suitable for the BasicAuth
authentication method.
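The two sides described above, token generation and token validation, as an added example that is not WebSphere code: the sender builds the <wsse:UsernameToken> with a text password, and the receiver extracts <wsse:Username> and <wsse:Password>, rejects a digest-typed password (which cannot be checked when the server holds no retrievable password), and either returns the authenticated identity or raises the exception the receiver would map to a SOAP fault. The credential store and the SoapFault class are constructed stand-ins for the JAAS login module and its registry.

```python
"""Text-password UsernameToken: sender-side generation and receiver-side validation."""
import hmac
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")
ET.register_namespace("soapenv", SOAP_NS)
ET.register_namespace("wsse", WSSE_NS)

# Constructed credential store standing in for the registry behind the JAAS login module.
CREDENTIALS = {"alice": "s3cret"}


class SoapFault(Exception):
    """Raised when validation fails; the receiver reports this as a SOAP fault."""


def build_request(username, password):
    """Sender side: the SOAP envelope after the callback handler's
    <wsse:UsernameToken> has been inserted into the Security header."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    sec = ET.SubElement(header, f"{{{WSSE_NS}}}Security")
    tok = ET.SubElement(sec, f"{{{WSSE_NS}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE_NS}}}Username").text = username
    ET.SubElement(tok, f"{{{WSSE_NS}}}Password", Type=PASSWORD_TEXT).text = password
    ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    return ET.tostring(env, encoding="unicode")


def validate_request(xml_text):
    """Receiver side: pull <wsse:Username>/<wsse:Password> out of the token and
    validate them. Returns the authenticated identity (the 'Subject') or raises."""
    root = ET.fromstring(xml_text)
    tok = root.find(f"{{{SOAP_NS}}}Header/{{{WSSE_NS}}}Security/{{{WSSE_NS}}}UsernameToken")
    if tok is None:
        raise SoapFault("no UsernameToken in the Security header")
    user = tok.findtext(f"{{{WSSE_NS}}}Username")
    pwd = tok.find(f"{{{WSSE_NS}}}Password")
    if user is None or pwd is None or pwd.text is None:
        raise SoapFault("UsernameToken lacks Username or Password")
    # Only text passwords can be validated: the server stores no retrievable
    # password from which it could recompute a digest, so digest tokens are rejected.
    if pwd.get("Type", PASSWORD_TEXT) != PASSWORD_TEXT:
        raise SoapFault("password digest is not supported")
    expected = CREDENTIALS.get(user)
    if expected is None or not hmac.compare_digest(expected.encode(), pwd.text.encode()):
        raise SoapFault("authentication failed")
    return {"principal": user}
```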