ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzatz_5.4.0.1/51/webserv/wssecovtoken.htm


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<META http-equiv="Content-Type" content="text/html; charset=utf-8">
<LINK rel="stylesheet" type="text/css" href="../../../rzahg/ic.css">
<title>Web services security token type overview</title>
</head>
<BODY>
<h5><a name="wssecovtoken"></a>Token type overview</h5>
<p>A security token represents a set of claims made by a client that may include a name, password, identity, key, certificate, group, or privilege. Web services security provides a general-purpose mechanism to associate security tokens with messages for single-message authentication. A specific type of security token is not required by Web services security. Web services security is designed to be extensible and support multiple security token formats to accommodate a variety of authentication mechanisms. For example, a client may provide proof of identity and proof that they have a particular business certification.</p>
<p>A security token is embedded in the Simple Object Access Protocol (SOAP) message within the SOAP header. The security token within the SOAP header is propagated from the message sender to the intended message receiver. On the receiving side, the WebSphere Application Server - Express security handler authenticates the security token and sets up the caller identity on the thread.</p>
<p>The proposed Web services security draft defines these types of security tokens:</p>
<ul>
<li><p><a href="wssecovtokuser.htm">User name tokens</a>
<br>A username token consists of a user name and, optionally, password information. You can include a username token directly in the &lt;Security&gt; header within the message.</p></li>
<li><p><a href="wssecovtokbin.htm">Binary security tokens</a>
<br>Binary tokens require a special encoding for inclusion. The Web services security specification describes how to encode binary security tokens such as X.509 certificates and Kerberos tickets; and how to include opaque encrypted keys. The specification also includes extensibility mechanisms that you can use to further describe the characteristics of the credentials that are included with a message. For more information, see <a href="http://schemas.xmlsoap.org/specs/ws-security/ws-security.htm" target="_">Web Services Security (WS-Security)</a> <img src="www.gif" width="19" height="15" alt="Link outside Information Center"> (http://schemas.xmlsoap.org/specs/ws-security/ws-security.htm).</p></li>
</ul>
<p>WebSphere Application Server - Express supports user name tokens. Basic authentication and identity assertion authentication both require user name tokens. The binary security token implementation supports both X.509 certificates and LTPA binary security. You can extend the implementation to generate other types of tokens. However, Kerberos tickets are not supported in WebSphere Application Server - Express.</p>
<p>Each type of token is processed by a corresponding token-generation and validation module. The binary token generation and validation modules are pluggable and are based on the Java Authentication and Authorization Service (JAAS) framework. For more information, see <a href="wssecplugtoken.htm">Pluggable token support</a>. For example, an arbitrary XML-based token format is supported using the JAAS pluggable framework. WebSphere Application Server - Express does not support an XML-based token that is used in a SecurityTokenReference. For more information, see <a href="wssecovtokxml.htm">XML tokens</a>.</p>
<p>You can define the types of tokens that the message can accept in the deployment descriptor extension file, ibm-webservices-ext.xmi. A message receiver may support one or more types of security tokens.</p>
<p>The following example shows that the receiver supports four types of security tokens:</p>
<pre>&lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?&gt;
&lt;com.ibm.etools.webservice.wsext:WsExtension xmi:version=&quot;2.0&quot; xmlns:xmi=&quot;http://www.omg.org/XMI&quot;
    xmlns:com.ibm.etools.webservice.wsext=&quot;http://www.ibm.com/websphere/appserver/schemas/5.0.2/wsext.xmi&quot;
    xmi:id=&quot;WsExtension_1052760331306&quot; routerModuleName=&quot;StockQuote.war&quot;&gt;
  &lt;wsDescExt xmi:id=&quot;WsDescExt_1052760331306&quot; wsDescNameLink=&quot;StockQuoteFetcher&quot;&gt;
    &lt;pcBinding xmi:id=&quot;PcBinding_1052760331326&quot; pcNameLink=&quot;urn:xmltoday-delayed-quotes&quot; scope=&quot;Session&quot;&gt;
      &lt;serverServiceConfig xmi:id=&quot;ServerServiceConfig_1052760331326&quot; actorURI=&quot;myActorURI&quot;&gt;
        &lt;securityRequestReceiverServiceConfig xmi:id=&quot;SecurityRequestReceiverServiceConfig_1052760331326&quot;&gt;
          &lt;loginConfig xmi:id=&quot;LoginConfig_1052760331326&quot;&gt;
            &lt;authMethods xmi:id=&quot;AuthMethod_1052760331326&quot; text=&quot;BasicAuth&quot;/&gt;
            &lt;authMethods xmi:id=&quot;AuthMethod_1052760331327&quot; text=&quot;IDAssertion&quot;/&gt;
            &lt;authMethods xmi:id=&quot;AuthMethod_1052760331336&quot; text=&quot;Signature&quot;/&gt;
            &lt;authMethods xmi:id=&quot;AuthMethod_1052760331337&quot; text=&quot;LTPA&quot;/&gt;
          &lt;/loginConfig&gt;
          &lt;idAssertion xmi:id=&quot;IDAssertion_1052760331336&quot; idType=&quot;Username&quot; trustMode=&quot;Signature&quot;/&gt;
...</pre>
<p>The message sender may choose one of the token types that are supported by the receiver when sending a message. You can define the type of token to be used by the sending side in the client descriptor extension file, ibm-webservicesclient-ext.xmi.</p>
<p>The following example shows that the sender chooses to send a UsernameToken to the receiver:</p>
<pre>&lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?&gt;
&lt;com.ibm.etools.webservice.wscext:WsClientExtension xmi:version=&quot;2.0&quot;
    xmlns:xmi=&quot;http://www.omg.org/XMI&quot;
    xmlns:com.ibm.etools.webservice.wscext=&quot;http://www.ibm.com/websphere/appserver/schemas/5.0.2/wscext.xmi&quot;
    xmi:id=&quot;WsClientExtension_1052760331496&quot;&gt;
  &lt;serviceRefs xmi:id=&quot;ServiceRef_1052760331506&quot; serviceRefLink=&quot;service/StockQuoteService&quot;&gt;
    &lt;portQnameBindings xmi:id=&quot;PortQnameBinding_1052760331506&quot; portQnameLocalNameLink=&quot;StockQuote&quot;&gt;
      &lt;clientServiceConfig xmi:id=&quot;ClientServiceConfig_1052760331506&quot; actorURI=&quot;myActorURI&quot;&gt;
        &lt;securityRequestSenderServiceConfig xmi:id=&quot;SecurityRequestSenderServiceConfig_1052760331506&quot;
            actor=&quot;myActorURI&quot;&gt;
          &lt;loginConfig xmi:id=&quot;LoginConfig_1052760331506&quot; authMethod=&quot;BasicAuth&quot;/&gt;
...</pre>
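<p>The two descriptors above fit together as a negotiation: the sender picks one token type, and the receiver accepts it only if its loginConfig lists an authMethod that token can satisfy. The following Python example is an added illustration, not IBM's code; it assumes the OASIS WSS 1.0 secext namespace and X.509v3 ValueType, and the mapping from token kind to authMethod names (UsernameToken to BasicAuth/IDAssertion, X.509 to Signature) is an assumption drawn from the statements on this page.</p>

```python
# Added illustration (not IBM's code): receiver-side check that the token in a SOAP
# message's wsse:Security header matches an authMethod in ibm-webservices-ext.xmi.
import xml.etree.ElementTree as ET
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
# Assumed mapping from token kind to the descriptor authMethods it can satisfy.
SATISFIES = {"UsernameToken": {"BasicAuth", "IDAssertion"}, "X509": {"Signature"}}

# Constructed descriptor fragment, trimmed from the page's receiver example.
RECEIVER_EXT = """<com.ibm.etools.webservice.wsext:WsExtension xmlns:xmi="http://www.omg.org/XMI"
 xmlns:com.ibm.etools.webservice.wsext="http://www.ibm.com/websphere/appserver/schemas/5.0.2/wsext.xmi">
 <wsDescExt wsDescNameLink="StockQuoteFetcher"><pcBinding pcNameLink="urn:xmltoday-delayed-quotes">
  <serverServiceConfig actorURI="myActorURI"><securityRequestReceiverServiceConfig><loginConfig>
   <authMethods xmi:id="AuthMethod_1" text="BasicAuth"/>
   <authMethods xmi:id="AuthMethod_2" text="Signature"/>
  </loginConfig></securityRequestReceiverServiceConfig></serverServiceConfig></pcBinding></wsDescExt>
</com.ibm.etools.webservice.wsext:WsExtension>"""

def envelope(token_xml: str) -> str:
    """Wrap a constructed token element in a SOAP envelope with a wsse:Security header."""
    return (f'<soap:Envelope xmlns:soap="{SOAP}"><soap:Header><wsse:Security xmlns:wsse="{WSSE}">'
            f'{token_xml}</wsse:Security></soap:Header><soap:Body/></soap:Envelope>')

USERNAME_MSG = envelope('<wsse:UsernameToken><wsse:Username>alice</wsse:Username>'
                        '<wsse:Password>CONSTRUCTED</wsse:Password></wsse:UsernameToken>')
X509_MSG = envelope(f'<wsse:BinarySecurityToken ValueType="{X509V3}">'
                    'CONSTRUCTED-BASE64-PLACEHOLDER</wsse:BinarySecurityToken>')

def accepted_auth_methods(ext_xmi: str) -> set:
    """The authMethods text values listed under loginConfig in the receiver descriptor."""
    return {m.get("text") for m in ET.fromstring(ext_xmi).findall(".//loginConfig/authMethods")}

def token_kind(soap_msg: str):
    """Kind of token found in the wsse:Security header, or None when there is none."""
    sec = ET.fromstring(soap_msg).find(f"{{{SOAP}}}Header/{{{WSSE}}}Security")
    if sec is None:
        return None
    if sec.find(f"{{{WSSE}}}UsernameToken") is not None:
        return "UsernameToken"
    bst = sec.find(f"{{{WSSE}}}BinarySecurityToken")
    if bst is None:
        return None
    return "X509" if bst.get("ValueType") == X509V3 else "OtherBinary"

def receiver_accepts(soap_msg: str, ext_xmi: str) -> bool:
    """True when the presented token kind satisfies at least one configured authMethod."""
    wanted = SATISFIES.get(token_kind(soap_msg), set())
    return bool(wanted & accepted_auth_methods(ext_xmi))
```

A message whose header carries no recognised token, or a token kind that maps to no listed authMethod, is rejected before any credential is examined.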
</body>
</html>