Configuring a UsernameToken caller configuration with no registry interaction
To authenticate a UsernameToken with a caller configuration without accessing the WebSphere® registry, you can replace the authentication method of the UsernameToken consumer and configure the caller to use an alternative JAAS login configuration.
About this task
This information applies only to Java API for XML Web Services (JAX-WS).
By default, the JAX-WS Web Services Security UsernameToken consumer, UNTConsumeLoginModule, always validates the user name and password that are contained within the token against the WebSphere registry. You can use the SPIs that GenericSecurityTokenFactory provides to replace this authentication method with one of your own. For more information, see Replacing the authentication method of the UsernameToken consumer using a stacked JAAS login module.
When a caller configuration is added to the WS-Security constraints for a service provider, the user name and password that are contained in the UsernameToken are also validated against the WebSphere registry. If a user name and password are provided, both the user name and password are validated against the WebSphere registry. If only a user name is provided, the user name must exist in the WebSphere registry. These validations occur in the com.ibm.ws.security.server.lm.ltpaLoginModule module that is part of the wss.caller Java™ Authentication and Authorization Service (JAAS) configuration stack, as shown in the following example:
com.ibm.ws.wssecurity.impl.auth.module.PreCallerLoginModule
com.ibm.ws.wssecurity.impl.auth.module.UNTCallerLoginModule
...
com.ibm.ws.wssecurity.impl.auth.module.WSWSSLoginModule
com.ibm.ws.security.server.lm.ltpaLoginModule
com.ibm.ws.security.server.lm.wsMapDefaultInboundLoginModule
The WebSphere WS-Security run time does not support a caller JAAS configuration that does not include the ltpaLoginModule and wsMapDefaultInboundLoginModule login modules.
To use a UsernameToken with a caller configuration without accessing the WebSphere registry, you must prevent the UNTConsumeLoginModule and ltpaLoginModule modules from accessing the registry and provide alternative modules.