Pluggable token support

You can extend the WebSphere Application Server - Express login mapping mechanism to handle new types of authentication tokens. WebSphere Application Server - Express provides a pluggable framework to generate security tokens on the sender-side of the message and to validate the security token on the receiver-side of the message. The framework is based on the Java Authentication and Authorization Service (JAAS) Application Programming Interfaces (APIs). For more information, see Generating a pluggable token and Validating a pluggable token.

Users can use the javax.security.auth.callback.CallbackHandler implementation to create a new type of security token following these guidelines:

• Use a constructor that takes a user name (of type String or null, if not defined), password (of type char[] or null, if not defined) and java.util.Map (empty, if properties are not defined).

• Use handle() methods that can process the following implementations:

  • javax.security.auth.callback.NameCallback
  • javax.security.auth.callback.PasswordCallback
  • com.ibm.websphere.security.auth.callback.WSCredTokenCallbackImpl
  • com.ibm.wsspi.wssecurity.auth.callback.XMLTokenCallback

• Encode the token byte by using the security handler and not by using the javax.security.auth.callback.CallbackHandler implementation if the following items are true:

  • Either the javax.security.auth.callback.NameCallback or the javax.security.auth.callback.PasswordCallback implementation is populated with data, then a <wsse:UsernameToken> element is created.
  • com.ibm.websphere.security.auth.callback.WSCredTokenCallbackImpl is populated, the <wsse:BinarySecurityToken> element is created from the com.ibm.websphere.security.auth.callback.WSCredTokenCallbackImpl implementation.
  • com.ibm.wsspi.wssecurity.auth.callback.XMLTokenCallback is populated, a XML-based token is created based on the Document Object Model (DOM) element that is returned from the XMLTokenCallback.

You can implement the com.ibm.wsspi.wssecurity.auth.callback.CallbackHandlerFactory interface, which is a factory for instantiating the javax.security.auth.callback.CallbackHandler. For your own implementation, you must provide the javax.security.auth.callback.CallbackHandler interface. The Web service security run time instantiates the factory implementation class and passes the authentication information from the Web services message header to the factory class through the setter methods. The Web services security run time then invokes the newCallbackHandler() method of the factory implementation class to obtain an instance of the javax.security.auth.CallbackHandler object. The object is passed to the JAAS login configuration.

The following example is the definition of the CallbackHandlerFactory interface:

public interface com.ibm.wsspi.wssecurity.auth.callback.CallbackHandlerFactory {
  public void setUsername(String username);
  public void setRealm(String realm);
  public void setPassword(String password);
  public void setHashMap(Map properties);
  public void setTokenByte(byte[] token);
  public void setXMLToken(Element xmlToken);
  public CallbackHandler newCallbackHandler();
}