Digital signature authentication method for Web services

When you use the signature authentication method, the security token consists of a <wsse:BinarySecurityToken> element, which carries the sender's X.509 certificate, and a <ds:Signature> element, which is a digital signature over the SOAP message (or over selected parts of it) computed with the private key that matches that certificate. On the request sender side, a callback handler is invoked to generate the security token. On the request receiver side, a Java Authentication and Authorization Service (JAAS) login module validates the security token. These two operations, token generation and token validation, are described in the following sections.

Signature token generation

The request sender generates a signature security token using a callback handler; the token that the callback handler returns is inserted into the SOAP message. The callback handler is specified in the <LoginBinding> element of the client bindings file, ibm-webservicesclient-bnd.xmi. WebSphere Application Server - Express provides the following callback handler implementation for use with the signature authentication method: com.ibm.wsspi.wssecurity.auth.callback.NonPromptCallbackHandler. As its name indicates, this handler does not prompt the user for credentials, which is appropriate because the signature method needs no interactive input.

You can also supply your own callback handler; it must implement javax.security.auth.callback.CallbackHandler.

Signature token validation

The request receiver retrieves the signature security token from the SOAP message and validates it using a JAAS login module. Validation uses both parts of the token: the certificate carried in <wsse:BinarySecurityToken> and the <ds:Signature> that is checked against it. Two conditions must hold. First, the signature must verify under the public key of that certificate. Second, the certificate itself must be acceptable to the receiver, that is, it must chain to a trust anchor that the receiver is configured to trust; a signature that verifies under an untrusted certificate proves nothing about the sender's identity and must be rejected. If validation succeeds, the login module returns a JAAS Subject, which is then set as the identity of the thread of execution. If validation fails, the request is rejected with a SOAP fault.
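The two halves described above (token generation on the sender side, token validation on the receiver side), as an added example that is not WebSphere code and does not show the product's callback handler or login module: a stand-alone Java program using the JDK's XML Signature API (javax.xml.crypto.dsig) that builds a request carrying the signer's certificate in a <wsse:BinarySecurityToken> with a <ds:Signature> over the Body, then validates it the way a receiver must, checking that the certificate chains to a trust anchor before accepting the signature and returning a JAAS Subject, and finally shows a tampered message being rejected. The class name SignatureTokenDemo, the keystore files signer.jks and trust.jks with alias "soapsigner" and password "changeit", the sample message, and the OASIS WSS 1.0 namespace URIs are assumptions of this example, not values from the page.

```java
import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.security.*;
import java.security.cert.*;
import java.util.*;
import javax.security.auth.Subject;
import javax.xml.crypto.dom.DOMStructure;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.*;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class SignatureTokenDemo {
    // Assumption: OASIS WSS 1.0 namespaces (older WebSphere releases may use the 2003 draft namespaces).
    static final String SOAP = "http://schemas.xmlsoap.org/soap/envelope/";
    static final String WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    static final String X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3";
    static final String BASE64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary";
    static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    /** Sender side: put the certificate in a BinarySecurityToken and sign the Body with the matching private key. */
    static Document generateSignedRequest(PrivateKey key, X509Certificate cert) throws Exception {
        Document doc = parse("<soapenv:Envelope xmlns:soapenv=\"" + SOAP + "\" xmlns:wsu=\"" + WSU + "\">"
            + "<soapenv:Header/><soapenv:Body wsu:Id=\"body\"><ns:transfer xmlns:ns=\"urn:example\">"
            + "<amount>100</amount></ns:transfer></soapenv:Body></soapenv:Envelope>"); // constructed sample
        Element body = (Element) doc.getElementsByTagNameNS(SOAP, "Body").item(0);
        body.setIdAttributeNS(WSU, "Id", true);                  // lets the "#body" reference resolve
        Element security = doc.createElementNS(WSSE, "wsse:Security");
        ((Element) doc.getElementsByTagNameNS(SOAP, "Header").item(0)).appendChild(security);
        Element bst = doc.createElementNS(WSSE, "wsse:BinarySecurityToken");
        bst.setAttribute("ValueType", X509V3);
        bst.setAttribute("EncodingType", BASE64);
        bst.setAttributeNS(WSU, "wsu:Id", "x509token");
        bst.setIdAttributeNS(WSU, "Id", true);
        bst.setTextContent(Base64.getEncoder().encodeToString(cert.getEncoded()));
        security.appendChild(bst);
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Reference ref = fac.newReference("#body", fac.newDigestMethod(DigestMethod.SHA256, null),
            Collections.singletonList(fac.newTransform(CanonicalizationMethod.EXCLUSIVE, (TransformParameterSpec) null)),
            null, null);
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            fac.newSignatureMethod(RSA_SHA256, null), Collections.singletonList(ref));
        // KeyInfo is a wsse:SecurityTokenReference pointing at the token, as WS-Security does, not ds:X509Data.
        Element str = doc.createElementNS(WSSE, "wsse:SecurityTokenReference");
        Element strRef = doc.createElementNS(WSSE, "wsse:Reference");
        strRef.setAttribute("URI", "#x509token");
        str.appendChild(strRef);
        KeyInfoFactory kif = fac.getKeyInfoFactory();
        XMLSignature sig = fac.newXMLSignature(si, kif.newKeyInfo(Collections.singletonList(new DOMStructure(str))));
        sig.sign(new DOMSignContext(key, security));             // ds:Signature becomes a child of wsse:Security
        return doc;
    }

    /** Receiver side: validate the token and return a Subject, or throw (a server would answer with a SOAP fault). */
    static Subject validateSignedRequest(Document doc, KeyStore trustStore) throws Exception {
        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        NodeList bsts = doc.getElementsByTagNameNS(WSSE, "BinarySecurityToken");
        if (sigs.getLength() != 1 || bsts.getLength() != 1) {
            throw new SecurityException("expected exactly one ds:Signature and one wsse:BinarySecurityToken");
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate cert = (X509Certificate) cf.generateCertificate(
            new ByteArrayInputStream(Base64.getDecoder().decode(bsts.item(0).getTextContent().trim())));
        // Check 1: the certificate must chain to a trust anchor in the receiver's trust store. Anyone can sign
        // a message with a key they hold; only this step makes the signature say something about identity.
        PKIXParameters pkix = new PKIXParameters(trustStore);
        pkix.setRevocationEnabled(false);                        // demo assumption; enable CRL/OCSP in production
        CertPathValidator.getInstance("PKIX").validate(cf.generateCertPath(Collections.singletonList(cert)), pkix);
        // Check 2: the signature must verify under that certificate's key and must actually cover the Body.
        Element body = (Element) doc.getElementsByTagNameNS(SOAP, "Body").item(0);
        DOMValidateContext vc = new DOMValidateContext(cert.getPublicKey(), sigs.item(0));
        vc.setIdAttributeNS(body, WSU, "Id");
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(vc);
        if (!sig.validate(vc)) throw new SecurityException("signature validation failed");
        boolean coversBody = false;
        for (Object r : sig.getSignedInfo().getReferences()) {
            if ("#body".equals(((Reference) r).getURI())) coversBody = true;
        }
        if (!coversBody) throw new SecurityException("signature does not cover the SOAP Body");
        Subject subject = new Subject();                         // becomes the identity of the thread of execution
        subject.getPrincipals().add(cert.getSubjectX500Principal());
        subject.getPublicCredentials().add(cert);
        return subject;
    }

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTDs in SOAP input
        return dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes("UTF-8")));
    }

    public static void main(String[] args) throws Exception {
        // Assumed keystores: signer.jks holds the sender's key under alias "soapsigner"; trust.jks holds the
        // CA certificate that issued it (or the signer certificate itself); both use the password "changeit".
        char[] pw = "changeit".toCharArray();
        KeyStore signer = KeyStore.getInstance("JKS");
        signer.load(new FileInputStream("signer.jks"), pw);
        KeyStore trust = KeyStore.getInstance("JKS");
        trust.load(new FileInputStream("trust.jks"), pw);
        Document request = generateSignedRequest((PrivateKey) signer.getKey("soapsigner", pw),
            (X509Certificate) signer.getCertificate("soapsigner"));
        System.out.println("authenticated as " + validateSignedRequest(request, trust).getPrincipals());
        request.getElementsByTagName("amount").item(0).setTextContent("1000000"); // tamper after signing
        try {
            validateSignedRequest(request, trust);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Two design points matter for the receiver. The trust-store check is performed on the certificate taken from the message before the signature result is relied on, so a message signed with any other key, even a perfectly valid one, never yields an identity. The receiver also confirms that the signature's reference list covers the Body, since a signature that verifies but only covers some other element would authenticate the sender without protecting the request content.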

The JAAS login configuration is specified in the <LoginMapping> element of the bindings file. Default bindings are specified in the ws-security.xml file; you can override them in the application-specific ibm-webservices-bnd.xmi file.

The configuration consists of a CallbackHandlerFactory and a ConfigName. The CallbackHandlerFactory names the class that creates the JAAS CallbackHandler object; WebSphere Application Server - Express provides the com.ibm.wsspi.wssecurity.auth.callback.WSCallbackHandlerFactoryImp implementation. The ConfigName names a JAAS login configuration entry. WebSphere Application Server - Express looks for a matching entry first in the security.xml file and, if none is found there, in the wsjaas.conf file. The product provides the default entry system.wssecurity.Signature, which is suitable for the signature authentication method.