Configure Web services authentication

WebSphere Application Server - Express provides the following authentication mechanisms for Web services:

For more information, see Authentication method overview.

You must configure a Web service and its clients to use the same authentication mechanism. The client creates a security token in the SOAP message, which is then extracted and validated by the server. For more information, see Security token type overview.

You can configure a Web services server to support multiple authentication mechanisms. Additionally, a server can act as a client to another Web service, so in some cases you may need to configure both server-side and client-side authentication for a Web service application.

The authentication mechanism is configured in the Web service and Web services client deployment descriptors. You can use WebSphere Development Studio Client for iSeries (Version 5.1 or later) or the WebSphere Application Server Toolkit (Version 5.0.2 or later) to configure your deployment descriptors. These topics describe how to configure authentication mechanisms with the Development Studio Client. For more information, see Configure your Web services application.

See the following topics for information about configuring the various Web services authentication mechanisms:

Configure basic authentication
The basic authentication mechanism validates a security token with a user ID and text password. See this topic for more information.

Configure identity assertion authentication
The identity assertion mechanism validates a security token with an identity name only. The identity name can be a user name, a distinguished name (DN), or an X.509 certificate. See this topic for more information.

Configure digital signature authentication
The digital signature mechanism uses a digital signature for authentication. See this topic for more information.

Configure LTPA authentication
The LTPA mechanism uses a binary security token for authentication. See this topic for more information.

As an alternative to the other, more complex Web services authentication mechanisms, you can use HTTP basic authentication to secure your Web services. For more information, see Configure HTTP basic authentication.