Signature authentication refers to an X.509 certificate
sent by the client to the server. The certificate is used to authenticate
to the user registry configured at the server. After a request is
received by the server that contains the certificate, the server needs
to log in to form a credential. The credential is used for authorization.
You can validate signature authentication at the server.
About this task
Important: There is an important distinction
between Version 5.x and Version 6.0.x and later applications.
This information applies only to Version 5.x applications that
are used with WebSphere® Application Server Version 6.0.x and
later. It does not apply to Version 6.0.x and
later applications.
If the certificate supplied cannot be mapped to an entry in the
user registry, an exception is thrown and the request ends without
invoking the resource.
Complete the following steps to configure the server to validate
signature authentication:
Procedure
- Launch an assembly tool. For more information,
see the related information on Assembly Tools.
- Switch to the Java™ Platform,
Enterprise Edition (Java EE)
perspective by clicking .
- Click .
- Right-click the webservices.xml file,
and click .
- Click the Binding Configurations tab, which is located at the end of the
web services editor within the assembly tool.
- Expand the section.
- Click Edit to view the login mapping
information or click Add to add new login mapping
information. The login mapping dialog is displayed and
you select (or enter) the following information:
- Authentication method
- Specifies the type of authentication. Select Signature to
use signature authentication.
- Configuration name
- Specifies the Java Authentication and Authorization
Service (JAAS) login configuration name. For the signature authentication
method, enter system.wssecurity.Signature for
the JAAS login configuration name. This specification logs in with
the com.ibm.wsspi.wssecurity.auth.module.SignatureLoginModule JAAS
login module.
- Use token value type
- Determines if you want to specify a custom token type. For the
default authentication method selections, you can leave this field
blank.
- URI and local name
- Specifies custom authentication types. When you select the Signature
method, you cannot edit the token value type URI and local name values.
For signature authentication, you can leave this field blank.
- Callback handler factory class name
- Creates a JAAS CallbackHandler implementation that understands
the following callbacks:
- javax.security.auth.callback.NameCallback
- javax.security.auth.callback.PasswordCallback
- com.ibm.wsspi.wssecurity.auth.callback.BinaryTokenCallback
- com.ibm.wsspi.wssecurity.auth.callback.XMLTokenReceiverCallback
- com.ibm.wsspi.wssecurity.auth.callback.PropertyCallback
For any of the default authentication methods (BasicAuth, IDAssertion,
and Signature), use the callback handler factory default implementation.
Enter the following class name for any of the default authentication
methods including signature:
com.ibm.wsspi.wssecurity.auth.callback.WSCallbackHandlerFactoryImpl
This implementation creates the correct callback handler for the
default implementations.
- Callback handler factory property name and callback handler factory
property value
- Specifies callback handler properties for custom callback handler
factory implementations. You do not need to specify any properties
for the default callback handler factory implementation. For signature,
you can leave this field blank.
- Login mapping property name and login mapping property value
- Specifies properties for a custom login mapping to use. For the
default implementations including signature, you can leave this field
blank.
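The following added example (not IBM code, and not the SignatureLoginModule implementation) sketches the behavior described above with standard JAAS types only: a login module obtains the signer identity through a callback, maps it to a user registry entry, and throws when no entry matches, so no credential is formed and the resource is not invoked. SignerDnCallback, RegistryUser, REGISTRY and the sample DNs are hypothetical; it assumes the message signature and certificate path were already verified, and it needs Java 16 or later.

```java
import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import javax.security.auth.x500.X500Principal;

public class SignatureLoginDemo {
    // Hypothetical callback that carries the signer certificate's subject DN.
    static class SignerDnCallback implements Callback { X500Principal dn; }
    record RegistryUser(String name) implements Principal { public String getName() { return name; } }
    // Constructed sample registry: canonical subject DN -> registry user name.
    static final Map<String, String> REGISTRY = Map.of("cn=alice,o=example,c=us", "alice");

    static class MappingLoginModule implements LoginModule {
        private Subject subject; private CallbackHandler handler; private String user;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) { subject = s; handler = h; }
        public boolean login() throws LoginException {
            SignerDnCallback cb = new SignerDnCallback();
            try { handler.handle(new Callback[] { cb }); }
            catch (Exception e) { throw new LoginException("callback failed: " + e); }
            if (cb.dn == null) throw new FailedLoginException("no signer certificate");
            // Compare canonical DN forms so case and spacing cannot cause a mismatch.
            user = REGISTRY.get(cb.dn.getName(X500Principal.CANONICAL));
            if (user == null) throw new FailedLoginException("no registry entry for " + cb.dn.getName());
            return true;
        }
        public boolean commit() { return subject.getPrincipals().add(new RegistryUser(user)); }
        public boolean abort() { user = null; return true; }
        public boolean logout() { return subject.getPrincipals().removeIf(p -> p instanceof RegistryUser); }
    }

    // Returns the credential (Subject), or throws so that the caller never reaches the resource.
    static Subject authenticate(String signerDn) throws LoginException {
        MappingLoginModule m = new MappingLoginModule();
        Subject s = new Subject();
        CallbackHandler h = cbs -> ((SignerDnCallback) cbs[0]).dn = new X500Principal(signerDn);
        m.initialize(s, h, Map.of(), Map.of());
        m.login(); m.commit();
        return s;
    }
    public static void main(String[] args) throws Exception {
        System.out.println(authenticate("CN=Alice, O=Example, C=US").getPrincipals());
        try { authenticate("CN=Mallory, O=Example, C=US"); }
        catch (FailedLoginException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```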
What to do next
Specify how the server handles the signature authentication
method. See
Configuring the server to support signature authentication if
you have not previously specified this information.