When you use the lightweight third party authentication (LTPA) method, the security token that is generated is <wsse:BinarySecurityToken>. On the request sender side, the security token is generated by invoking a callback handler. On the request receiver side, the security token is validated by a Java Authentication and Authorization Service (JAAS) login module. The token generation and token validation operations are described in the following topics.
LTPA token generation
The request sender uses a callback handler to generate an LTPA security token. The callback handler returns a security token that is inserted in the SOAP message. Specify the appropriate callback handler in the <LoginBinding> element of the bindings file (ibm-webservicesclient-bnd.xmi). The com.ibm.wsspi.wssecurity.auth.callback.LTPATokenCallbackHandler can be used with the LTPA authentication method. You can add your own callback handlers that implement the javax.security.auth.callback.CallbackHandler interface. For more information, see Generating a pluggable token.
When you use the LTPA authentication method (or any authentication method other than BasicAuth, Signature or IDAssertion), the TokenValueType attribute of the <LoginBinding> element in the bindings file (ibm-webservicesclient-bnd.xmi) must be specified.
The following values are used for the LTPA TokenValueType:
LTPA token validation
The request receiver retrieves the LTPA security token from the SOAP message and validates it using a JAAS login module. The security token, <wsse:BinarySecurityToken>, is used to perform the validation. If the validation is successful, the login module returns a JAAS Subject. Subsequently, this Subject is set as the identity of the thread of execution. If the validation fails, the request is rejected with a SOAP fault.
The appropriate JAAS login configuration to use is specified in the bindings file <LoginMapping> element. There are default bindings specified in the ws-security.xml file, but these can be overridden using the application-specific ibm-webservices-bnd.xmi file. The configuration information consists of the following properties:
CallbackHandlerFactory
The CallbackHandlerFactory specifies the name of a class to use to create the JAAS CallbackHandler object. A CallbackHandlerFactory implementation is provided: com.ibm.wsspi.wssecurity.auth.callback.WSCallbackHandlerFactoryImpl.
ConfigName
The ConfigName specifies a JAAS configuration name entry. The Web services security run time first searches the security.xml file for a matching entry and if a matching entry is not found, the run time searches the wsjaas.conf file. A default configuration entry suitable for the LTPA authentication method is provided (WSLogin).
TokenValueType
There is an appropriate TokenValueType element in the LTPA LoginMapping section of the default ws-security.xml file.
For more information, see Validating a pluggable token.