ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzamy_5.4.0.1/50/webserv/wssecsignauth.htm

35 lines
3.2 KiB
HTML
Raw Normal View History

2024-04-02 14:02:31 +00:00
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<META http-equiv="Content-Type" content="text/html; charset=utf-8">
<LINK rel="stylesheet" type="text/css" href="../../../rzahg/ic.css">
<title>Digital signature authentication method for Web services</title>
</head>
<BODY>
<!-- Java sync-link -->
<SCRIPT LANGUAGE="Javascript" SRC="../../../rzahg/synch.js" TYPE="text/javascript"></SCRIPT>
<h6><a name="wssecsignauth"></a>Digital signature authentication method for Web services</h6>
<p>When using the signature authentication method, the security token is generated with a &lt;ds:Signature&gt; and a &lt;wsse:BinarySecurityToken&gt; element. On the request sender side, a callback handler is invoked to generate the security token. On the request receiver side, a Java Authentication and Authorization Service (JAAS) login module is used to validate the security token. These two operations, token generation and token validation, are described in the following topics.</p>
<p><strong>Signature token generation</strong></p>
<p>The request sender generates a Signature security token using a callback handler. The security token returned by the callback handler is inserted in the SOAP message. The callback handler is specified in the &lt;LoginBinding&gt; element of the bindings file, ibm-webservicesclient-bnd.xmi. WebSphere Application Server - Express provides the following callback handler implementation that can be used with the Signature authentication method: com.ibm.wsspi.wssecurity.auth.callback.NonPromptCallbackHandler.</p>
<p>You can add your own callback handlers that implement javax.security.auth.callback.CallbackHandler.</p>
<p><strong>Signature token validation</strong></p>
<p>The request receiver retrieves the Signature security token from the SOAP message and validates it using a JAAS login module. The &lt;ds:Signature&gt; and &lt;wsse:BinarySecurityToken&gt; elements in the security token are used to perform the validation. If the validation is successful, the login module returns a JAAS Subject. This Subject then is set as the identity of the thread of execution. If the validation fails, the request is rejected with a SOAP fault exception.</p>
<p>The JAAS login configuration is specified in the &lt;LoginMapping&gt; element of the bindings file. There are default bindings specified in the ws-security.xml file. However, you can override these bindings using the application-specific ibm-webservices-bnd.xmi file.</p>
<p>The configuration information consists of a CallbackHandlerFactory and a ConfigName. The CallbackHandlerFactory specifies the name of a class that is used for creating the JAAS CallbackHandler object. WebSphere Application Server - Express provides the com.ibm.wsspi.wssecurity.auth.callback.WSCallbackHandlerFactoryImp CallbackHandlerFactory implementation. The ConfigName specifies a JAAS configuration name entry. WebSphere Application Server - Express searches in the security.xml file for a matching configuration name entry. If a match is not found, it searches the wsjaas.conf file. WebSphere Application Server - Express provides the system.wssecurity.Signature default configuration entry, which is suitable for the signature authentication method.</p>
</body>
</html>