ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzamy_5.4.0.1/50/webserv/wssecbasic.htm

44 lines
3.5 KiB
HTML
Raw Permalink Normal View History

2024-04-02 14:02:31 +00:00
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<META http-equiv="Content-Type" content="text/html; charset=utf-8">
<LINK rel="stylesheet" type="text/css" href="../../../rzahg/ic.css">
<title>Basic authentication for Web services</title>
</head>
<BODY>
<!-- Java sync-link -->
<SCRIPT LANGUAGE="Javascript" SRC="../../../rzahg/synch.js" TYPE="text/javascript"></SCRIPT>
<h6><a name="wssecbasic"></a>Basic authentication for Web services</h6>
<p>When you use the BasicAuth authentication method, the security token that is generated is a &lt;wsse:UsernameToken&gt; element with &lt;wsse:Username&gt; and &lt;wsse:Password&gt;elements. WebSphere Application Server - Express supports text passwords but not password digest because passwords are not stored and cannot be retrieved from the server.</p>
<p>On the request sender side, a callback handler is invoked to generate the security token. On the request receiver side, a Java Authentication and Authorization Service (JAAS) login module is used to validate the security token. These two operations, token generation and token validation, are described in the following topics.</p>
<p><strong>BasicAuth token generation</strong></p>
<p>The request sender generates a BasicAuth security token using a callback handler. The security token returned by the callback handler is inserted in the SOAP message. The callback handler that is used is specified in the &lt;LoginBinding&gt; element of the bindings file, ibm-webservicesclient-bnd.xmi. The following callback handler implementations are provided with WebSphere Application Server - Express and can be used with the BasicAuth authentication method:</p>
<ul>
<li>com.ibm.wsspi.wssecurity.auth.callback.GUIPromptCallbackHandler</li>
<li>com.ibm.wsspi.wssecurity.auth.callback.StdinPromptCallbackHandler</li>
<li>com.ibm.wsspi.wssecurity.auth.callback.NonPromptCallbackHandler</li>
</ul>
<p>You can add your own callback handlers that implement javax.security.auth.callback.CallbackHandler.</p>
<p><strong>BasicAuth token validation</strong></p>
<p>The request receiver retrieves the BasicAuth security token from the SOAP message and validates it using a JAAS login module. The &lt;wsse:Username&gt; and &lt;wsse:Password&gt; elements in the security token are used to perform the validation. If the validation is successful, the login module returns a
JAAS Subject. This Subject then is set as the identity of the thread of execution. If the validation fails, the request is rejected with a SOAP fault exception.</p>
<p>The JAAS login configuration is specified in the &lt;LoginMapping&gt; element of the bindings file. There are default bindings specified in the ws-security.xml file. However, you can override these bindings using the application-specific ibm-webservices-bnd.xmi file.</p>
<p>The configuration information consists of a CallbackHandlerFactory and a ConfigName. The CallbackHandlerFactory specifies the name of a class that is used for creating the JAAS CallbackHandler object. WebSphere Application Server - Express provides the com.ibm.wsspi.wssecurity.auth.callback.WSCallbackHandlerFactoryImpl CallbackHandlerFactory implementation. The ConfigName specifies a JAAS configuration name entry. WebSphere Application Server - Express searches the security.xml file for a matching configuration name entry. If a match is not found, it searches the wsjaas.conf file for a match. WebSphere Application Server - Express provides the WSLogin default configuration entry, which is suitable for the BasicAuth authentication method.</p>
</body>
</html>