Fix Pack 8550

Web services security caller configuration

You can run a web service in authenticated or unauthenticated mode. When you want to restrict access to resources based on the identity of a user, the web service must run in authenticated mode. When a web service is run in authenticated mode, the identity of the user is placed on the same thread on which the web service runs.

There are two ways that a web service can run in authenticated mode:

HTTP basic authentication
    The identity from the HTTP header is placed on the thread by the web container.
WS-Security caller configuration
    The identity of one of the tokens in the SOAP security header is placed on the thread by the WS-Security runtime.

The WS-Security specification allows more than one token to be passed in the security header of a SOAP message. When a web service is required to run in authenticated mode by using WS-Security, some mechanism is required to tell the WS-Security runtime environment which token to use for the identity. This mechanism is called a caller configuration.

The WS-Security caller configuration is specified in the server.xml file with the <callerToken> element.

The following example shows a sample WS-Security provider configuration that includes a caller configuration for a UsernameToken:

<wsSecurityProvider ...>
  ...
  <callerToken name="UsernameToken" />
  ...
</wsSecurityProvider>

The following values can be specified for the <callerToken> element:

If you configure an X509Token as a caller token, make sure that only one client X509Certificate can be resolved from the security header. For example, ensure that only one client certificate is resolved from the initiator token in an AsymmetricBinding, or that only one client certificate is resolved from an endorsing token.

If you configure a UsernameToken as a caller token, the security header must contain only one UsernameToken.
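
The one-UsernameToken rule can be checked on a captured or test message before it reaches the service. The following is an added example, not IBM or Liberty code: the function names and the sample envelopes are constructed for illustration, and counting tokens across every Security header block is an assumption that is stricter than what this page states.

```python
import xml.etree.ElementTree as ET

WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
SOAP_NS = ("http://schemas.xmlsoap.org/soap/envelope/",  # SOAP 1.1
           "http://www.w3.org/2003/05/soap-envelope")    # SOAP 1.2


class CallerTokenError(ValueError):
    """Message does not carry exactly one usable UsernameToken."""


def username_caller(soap_bytes):
    """Return the identity of the single UsernameToken, else raise."""
    if b"<!DOCTYPE" in soap_bytes:  # SOAP forbids DTDs; refuse before parsing
        raise CallerTokenError("DTD not allowed in a SOAP message")
    try:
        root = ET.fromstring(soap_bytes)
    except ET.ParseError as exc:
        raise CallerTokenError("not well-formed XML") from exc
    header = None
    for ns in SOAP_NS:
        header = root.find(f"{{{ns}}}Header")
        if header is not None:
            break
    if header is None:
        raise CallerTokenError("no SOAP Header")
    # Assumption: count across every wsse:Security block and at any depth,
    # which is deliberately stricter than a per-actor check.
    tokens = [t for sec in header.findall(f"{{{WSSE}}}Security")
              for t in sec.iter(f"{{{WSSE}}}UsernameToken")]
    if len(tokens) != 1:
        raise CallerTokenError(f"expected 1 UsernameToken, found {len(tokens)}")
    name = (tokens[0].findtext(f"{{{WSSE}}}Username") or "").strip()
    if not name:
        raise CallerTokenError("UsernameToken has no Username")
    return name


def envelope(*users):
    """Build a constructed SOAP 1.1 message with one token per user name."""
    toks = "".join(f"<w:UsernameToken><w:Username>{u}</w:Username>"
                   "</w:UsernameToken>" for u in users)
    return (f'<s:Envelope xmlns:s="{SOAP_NS[0]}" xmlns:w="{WSSE}"><s:Header>'
            f"<w:Security>{toks}</w:Security></s:Header><s:Body/>"
            "</s:Envelope>").encode()


ONE_TOKEN = envelope("alice")          # constructed sample: accepted
TWO_TOKENS = envelope("alice", "bob")  # constructed sample: ambiguous caller
```
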



Last updated: Monday, 21 April 2014
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=phil&product=was-nd-mp&topic=cwlp_wssec_caller_config
File name: cwlp_wssec_caller_config.html