<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<META http-equiv="Content-Type" content="text/html; charset=utf-8">
<LINK rel="stylesheet" type="text/css" href="../../../rzahg/ic.css">
<title>Lightweight Third-party Authentication (LTPA) method for Web services</title>
</head>
<BODY>
<!-- Java sync-link -->
<SCRIPT LANGUAGE="Javascript" SRC="../../../rzahg/synch.js" TYPE="text/javascript"></SCRIPT>
<h6><a name="wssecltpa"></a>Lightweight Third-party Authentication (LTPA) method for Web services</h6>
<p>When you use the Lightweight Third-party Authentication (LTPA) method, the security token that is generated is &lt;wsse:BinarySecurityToken&gt;. On the request sender side, the security token is generated by invoking a callback handler. On the request receiver side, the security token is validated by a Java Authentication and Authorization Service (JAAS) login module. The token generation and token validation operations are described in the following topics.</p>
<p><strong>LTPA token generation</strong></p>
<p>The request sender uses a callback handler to generate an LTPA security token. The callback handler returns a security token that is inserted in the SOAP message. Specify the appropriate callback handler in the &lt;LoginBinding&gt; element of the bindings file (ibm-webservicesclient-bnd.xmi). The com.ibm.wsspi.wssecurity.auth.callback.LTPATokenCallbackHandler can be used with the LTPA authentication method. You can add your own callback handlers that implement the javax.security.auth.callback.CallbackHandler interface. For more information, see <a href="wssecplugtokgen.htm">Generating a pluggable token</a>.</p>
<p>When you use the LTPA authentication method (or any authentication method other than BasicAuth, Signature or IDAssertion), the TokenValueType attribute of the &lt;LoginBinding&gt; element in the bindings file (ibm-webservicesclient-bnd.xmi) must be specified.</p>
<p>The following values are used for the LTPA TokenValueType:</p>
<ul>
<li><tt>uri="http://www.ibm.com/websphere/appserver/tokentype/5.0.2"</tt></li>
<li><tt>localName="LTPA"</tt></li>
</ul>
<p><strong>LTPA token validation</strong></p>
<p>The request receiver retrieves the LTPA security token from the SOAP message and validates it using a JAAS login module. The security token, &lt;wsse:BinarySecurityToken&gt;, is used to perform the validation. If the validation is successful, the login module returns a JAAS Subject. Subsequently, this Subject is set as the identity of the thread of execution. If the validation fails, the request is rejected with a SOAP fault.</p>
<p>The appropriate JAAS login configuration to use is specified in the bindings file &lt;LoginMapping&gt; element. There are default bindings specified in the ws-security.xml file, but these can be overridden using the application-specific ibm-webservices-bnd.xmi file. The configuration information consists of the following properties:</p>
<ul>
<li><p><strong>CallbackHandlerFactory</strong>
<br>The CallbackHandlerFactory specifies the name of a class to use to create the JAAS CallbackHandler object. A CallbackHandlerFactory implementation is provided: com.ibm.wsspi.wssecurity.auth.callback.WSCallbackHandlerFactoryImpl.</p></li>
<li><p><strong>ConfigName</strong>
<br>The ConfigName specifies a JAAS configuration name entry. The Web services security run time first searches the security.xml file for a matching entry and if a matching entry is not found, the run time searches the wsjaas.conf file. A default configuration entry suitable for the LTPA authentication method is provided (WSLogin).</p></li>
<li><p><strong>TokenValueType</strong>
<br>There is an appropriate TokenValueType element in the LTPA LoginMapping section of the default ws-security.xml file.</p></li>
</ul>
<p>For more information, see <a href="wssecplugtokval.htm">Validating a pluggable token</a>.</p>
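<p>As an added example (not part of the original documentation or of the product's code), the Python sketch below inspects a SOAP message, resolves the QName prefix in the ValueType attribute of each BinarySecurityToken, and returns only tokens whose type matches the LTPA uri and localName values listed above. It assumes the token type is carried as a prefixed QName in a ValueType attribute and that the token body is Base64; the function name, the sample message and the <tt>urn:example:</tt> namespaces are constructed for illustration.</p>

```python
import base64
import io
import xml.etree.ElementTree as ET

# TokenValueType values listed on this page for the LTPA method.
LTPA_URI = "http://www.ibm.com/websphere/appserver/tokentype/5.0.2"
LTPA_LOCAL_NAME = "LTPA"


def ltpa_tokens(soap_xml):
    """Return the decoded bytes of every BinarySecurityToken typed uri:LTPA."""
    if b"<!DOCTYPE" in soap_xml:
        # SOAP forbids a DTD; refusing it also avoids entity-expansion input.
        raise ValueError("DTD not allowed in a SOAP message")
    ns_stack = []  # (prefix, uri) declarations currently in scope
    found = []
    events = ("start-ns", "end-ns", "end")
    for event, item in ET.iterparse(io.BytesIO(soap_xml), events=events):
        if event == "start-ns":
            ns_stack.append(item)
        elif event == "end-ns":
            ns_stack.pop()
        elif item.tag.rpartition("}")[2] == "BinarySecurityToken":
            # Resolve the QName prefix; comparing the raw string "x:LTPA"
            # would accept any namespace that reuses the local name.
            prefix, _, local = item.get("ValueType", "").rpartition(":")
            uri = next((u for p, u in reversed(ns_stack) if p == prefix), None)
            if (uri, local) == (LTPA_URI, LTPA_LOCAL_NAME):
                text = (item.text or "").strip()
                found.append(base64.b64decode(text, validate=True))
    return found


# Constructed sample: the wsse namespace URI is a placeholder (the page does
# not state it) and the token bytes are made up.
_B64 = base64.b64encode(b"constructed-token-bytes").decode()
SAMPLE = f"""<soapenv:Envelope
    xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
 <soapenv:Header><wsse:Security xmlns:wsse="urn:example:wsse">
  <wsse:BinarySecurityToken xmlns:t="{LTPA_URI}"
      ValueType="t:LTPA">{_B64}</wsse:BinarySecurityToken>
  <wsse:BinarySecurityToken xmlns:t="urn:example:other"
      ValueType="t:LTPA">{_B64}</wsse:BinarySecurityToken>
 </wsse:Security></soapenv:Header>
 <soapenv:Body/>
</soapenv:Envelope>""".encode()

if __name__ == "__main__":
    print(ltpa_tokens(SAMPLE))  # only the first token matches
```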
</body>
</html>