Web services security supports both LTPA (Version 1) and
LTPA Version 2 (LTPA2) tokens. The LTPA2 token, which is more secure
than Version 1, is supported by the JAX-WS runtime only.
Avoid trouble: The support statements in this topic apply
to the web services security implementation for WebSphere® Application
Server and not the security implementation for non-web services functionality.
The Lightweight Third Party Authentication (LTPA) token is a specific
type of binary security token. The web services security implementation
for WebSphere Application Server, Version 5
and later supports the LTPA Version 1 token. WebSphere Application
Server Version 7 and later supports the LTPA Version 2 token using
the JAX-WS runtime environment.
Although the same LTPAToken assertion is used in the policy for
both LTPA Version 1 and LTPA Version 2, the valuetype value for the
Version 2 token is different than Version 1. The valuetype value is
composed of the URI and the local name. The following table shows
the valuetype values for the LTPA token versions when they are selected
as the token type for the policy set bindings. These values are not
editable.
Table 1. LTPA token versions and their valuetype values. This table lists the valuetype values for both LTPA (Version 1) and LTPA2 tokens.

LTPA Version token | Valuetype value
LTPA (Version 1) | http://www.ibm.com/websphere/appserver/tokentype/5.0.2/LTPA
LTPA2 | http://www.ibm.com/websphere/appserver/tokentype/LTPAv2
To allow for interoperability between servers that are running
different versions of WebSphere Application Server, by default, the
JAX-WS web services security runtime in Version 7.0 and later can
successfully consume an LTPA Version 1 token when the binding is configured
to expect an LTPA2 token. However, you can configure the binding for
the JAX-WS runtime to accept only LTPA2 tokens. For more information,
see the documentation about Authentication generator or consumer token
settings.
If the web services security run time receives a token with an unrecognized
valuetype value and the SOAP security header contains a mustUnderstand
attribute value that is equal to '1', the web services security run time
issues a SOAPFaultException error. If the mustUnderstand attribute value
is equal to '0', the token is ignored.
If an LTPA2 token is sent with a mustUnderstand attribute value that is
equal to '1' to a web services security run time in which the LTPA2 token
is not supported, the run time does not recognize the LTPAv2 valuetype
value. Thus, the receiving run time issues a SOAPFaultException error.
The following table illustrates these different configurations and their
potential error messages.
Table 2. LTPA token configurations. This table lists whether the LTPA Version 1 token is optional or required, lists the associated mustUnderstand attribute value, lists its run time, and provides the resulting SOAPFaultException error, if applicable.

Run time | LTPA Version 1 token status | MustUnderstand attribute value | SOAPFaultException error
JAX-RPC | Required | 1 | com.ibm.wsspi.wssecurity.SoapSecurityException: WSEC5509E: A security token whose type is [{http://www.ibm.com/websphere/appserver/tokentype/5.0.2}LTPA] is required.
JAX-RPC | Required | 0 | com.ibm.wsspi.wssecurity.SoapSecurityException: WSEC5509E: A security token whose type is [{http://www.ibm.com/websphere/appserver/tokentype/5.0.2}LTPA] is required.
JAX-RPC | Optional | 1 | com.ibm.wsspi.wssecurity.SoapSecurityException: WSEC5502E: Unexpected element as the target element: s:BinarySecurityToken.
JAX-RPC | Optional | 0 | None
JAX-RPC | Not Configured | 1 | com.ibm.wsspi.wssecurity.SoapSecurityException: WSEC5502E: Unexpected element as the target element: s:BinarySecurityToken.
JAX-RPC | Not Configured | 0 | None
JAX-WS (Version 6.1 Feature Pack for Web Services) | Not Configured | 1 | CWWSS5502E: The target element: s:BinarySecurityToken was not expected.
JAX-WS (Version 6.1 Feature Pack for Web Services) | Not Configured | 0 | None
JAX-WS (Version 6.1 Feature Pack for Web Services) | Configured | 1 | CWWSS5509E: A security token whose type is [{http://www.ibm.com/websphere/appserver/tokentype/5.0.2}LTPA] is required.
JAX-WS (Version 6.1 Feature Pack for Web Services) | Configured | 0 | CWWSS5509E: A security token whose type is [{http://www.ibm.com/websphere/appserver/tokentype/5.0.2}LTPA] is required.
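The following is an added example, not WebSphere code, that models the consumer decision rules described above and in Table 2: a BinarySecurityToken is matched against the two LTPA valuetype URIs, LTPA Version 1 is accepted in place of LTPA2 unless the binding is made strict, a required token that is absent faults regardless of mustUnderstand, and an unrecognized valuetype faults only when mustUnderstand is '1'. The envelope builder, the `known` set and the return strings are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# SOAP 1.1 and WS-Security namespaces, plus the two valuetype URIs from Table 1.
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
LTPA_V1 = "http://www.ibm.com/websphere/appserver/tokentype/5.0.2/LTPA"
LTPA_V2 = "http://www.ibm.com/websphere/appserver/tokentype/LTPAv2"


def build_envelope(value_type, must_understand):
    """Constructed sample: a minimal SOAP envelope carrying one
    BinarySecurityToken. The token bytes are a placeholder, not a real LTPA token."""
    return (
        f'<soapenv:Envelope xmlns:soapenv="{SOAP}"><soapenv:Header>'
        f'<wsse:Security xmlns:wsse="{WSSE}" soapenv:mustUnderstand="{must_understand}">'
        f'<wsse:BinarySecurityToken ValueType="{value_type}">'
        'UExBQ0VIT0xERVI=</wsse:BinarySecurityToken>'
        '</wsse:Security></soapenv:Header><soapenv:Body/></soapenv:Envelope>'
    )


def consume_token(envelope_xml, known, expected=None, required=False,
                  accept_v1_for_v2=True):
    """Model (assumed, not the product's code) of the consumer rules in the text.

    known             valuetypes this run time recognizes
    expected          valuetype the binding is configured to consume (None = not configured)
    required          whether the binding requires that token
    accept_v1_for_v2  default interoperability mode: LTPA v1 consumed when LTPA2 is expected
    Returns 'accepted', 'ignored' or 'fault:<reason>'.
    """
    root = ET.fromstring(envelope_xml)
    security = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security")
    must_understand = security.get(f"{{{SOAP}}}mustUnderstand", "0")
    value_type = security.find(f"{{{WSSE}}}BinarySecurityToken").get("ValueType")

    matches = value_type == expected or (
        expected == LTPA_V2 and value_type == LTPA_V1 and accept_v1_for_v2)
    if expected is not None and matches and value_type in known:
        return "accepted"
    if required:
        # Required token not supplied: fault whatever mustUnderstand says (WSEC/CWWSS5509E rows).
        return "fault:required token missing"
    if value_type not in known and must_understand == "1":
        # Unrecognized valuetype that must be understood (WSEC/CWWSS5502E rows).
        return "fault:unrecognized valuetype"
    return "ignored"
```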
You can configure the JAX-WS run time to generate either LTPA (Version
1) or LTPA2 tokens. If you configure the LTPA token generator in a
policy binding to generate an LTPA (Version 1) token, you must do
one of the following:
- Enable the single sign-on interoperability mode, which is available
on the Single sign-on (SSO) panel within the administrative console.
For more information on this option, see the documentation about single
sign-on settings.
- Set the com.ibm.wsspi.wssecurity.tokenGenerator.ltpav1.pre.v7 custom
property to true for the LTPA token generator.
If you do not perform at least one of the steps previously indicated,
an error occurs when the application, which is attached to these bindings,
is started.