You can configure a generic security token login module
for an authentication token on the token consumer side of the Web
Services Security provider.
About this task
When a web service message is received, the Web Services
Security runtime calls the generic security token login module for
the token consumer as part of the authentication process. The login
module delegates the token validation process to the WS-Trust service
using WS-Trust Validate. The WS-Trust service
processes the request and returns a RequestSecurityTokenResponse message
to the login module; the response might contain a new security token or
only a validation status code. If a caller token is required, the token
returned by the WS-Trust service, or the original received token when no
token is returned, becomes the caller token.
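The exchange described above, as an added example that is not part of the product documentation or the product's code: the first function wraps the received token in a WS-Trust 1.3 Validate request as the login module would send to the stsURI, and the second applies the caller-token rule to the RequestSecurityTokenResponse (new token returned, status-only valid, or rejected). The STS replies are constructed samples, not captured from a real Security Token Service.

```python
import xml.etree.ElementTree as ET

# WS-Trust 1.3 namespace and the URIs used by a Validate request/response.
WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
VALIDATE = WST + "/Validate"
STATUS_TOKENTYPE = WST + "/RSTR/Status"
STATUS_VALID = WST + "/status/valid"
NS = {"wst": WST}

# Constructed samples (hypothetical STS replies, not captured from a real STS).
SAMPLE_TOKEN = ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" '
                'AssertionID="_orig"/>')
RSTR_STATUS_ONLY = (f'<wst:RequestSecurityTokenResponse xmlns:wst="{WST}">'
                    f'<wst:TokenType>{STATUS_TOKENTYPE}</wst:TokenType>'
                    f'<wst:Status><wst:Code>{STATUS_VALID}</wst:Code></wst:Status>'
                    '</wst:RequestSecurityTokenResponse>')
RSTR_NEW_TOKEN = (f'<wst:RequestSecurityTokenResponse xmlns:wst="{WST}">'
                  '<wst:RequestedSecurityToken><saml:Assertion '
                  'xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="_new"/>'
                  '</wst:RequestedSecurityToken></wst:RequestSecurityTokenResponse>')
RSTR_INVALID = (f'<wst:RequestSecurityTokenResponse xmlns:wst="{WST}">'
                f'<wst:Status><wst:Code>{WST}/status/invalid</wst:Code>'
                '<wst:Reason>signature check failed</wst:Reason></wst:Status>'
                '</wst:RequestSecurityTokenResponse>')


def build_validate_rst(token_xml: str) -> str:
    """Wrap the token received in the inbound message in a Validate request."""
    rst = ET.Element(f"{{{WST}}}RequestSecurityToken")
    ET.SubElement(rst, f"{{{WST}}}RequestType").text = VALIDATE
    # Asking for the Status token type tells the STS a status-only answer is fine.
    ET.SubElement(rst, f"{{{WST}}}TokenType").text = STATUS_TOKENTYPE
    ET.SubElement(rst, f"{{{WST}}}ValidateTarget").append(ET.fromstring(token_xml))
    return ET.tostring(rst, encoding="unicode")


def resolve_caller_token(rstr_xml: str, original_token_xml: str) -> str:
    """Pick the caller token from the STS reply: a returned token wins, a valid
    status falls back to the original token, anything else is rejected."""
    root = ET.fromstring(rstr_xml)
    rstr = (root if root.tag == f"{{{WST}}}RequestSecurityTokenResponse"
            else root.find("wst:RequestSecurityTokenResponse", NS))  # RSTRCollection wrapper
    if rstr is None:
        raise ValueError("not a RequestSecurityTokenResponse")
    requested = rstr.find("wst:RequestedSecurityToken", NS)
    if requested is not None and len(requested):
        return ET.tostring(requested[0], encoding="unicode")
    code = rstr.findtext("wst:Status/wst:Code", default="", namespaces=NS)
    if code == STATUS_VALID:
        return original_token_xml
    reason = rstr.findtext("wst:Status/wst:Reason", default="no reason", namespaces=NS)
    raise PermissionError(f"STS rejected the token: {code or 'no status'} ({reason})")
```

A response with neither a returned token nor a valid status code is treated as a failed validation, so a missing or unknown status never yields a caller token.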
For illustration purposes, it is assumed that policy
sets and bindings are configured and attached to an application. For
example, you can use the SAML11 Bearer WSSecurity default policy set
and SAML Bearer Provider sample binding. For more information, see
the topic about configuring client and provider bindings for the SAML
bearer token.
Complete the following steps to configure the
generic login module on the token consumer side using the administrative
console:
Procedure
- Configure the wss.consume.issuedToken Java™ Authentication and Authorization
Service (JAAS) login module for your application.
- Expand and click WebSphere
enterprise applications.
- Click the application that contains the policy sets
and bindings that you want to modify.
- Under Web Services Properties,
click Service provider policy sets and bindings.
- In the Binding column on the
Service client policy sets and bindings panel, click the name of the
binding.
- In the Policy column on the Bindings
configuration panel, click WS-Security.
- Under the Main Message Security Policy Bindings heading,
click Authentication and protection.
- In the Authentication tokens section of the Authentication
and protection panel, select the token that you want to configure.
For example, select request:SAMLToken11Bearer.
- On the Token consumer panel,
select the wss.consume.issuedToken option for the
JAAS login.
- Click Apply.
- Configure the callback handler.
- Under the Additional Bindings heading,
click Callback handler.
- Under the Class Name heading
on the Callback handler panel, select Use
custom and specify com.ibm.websphere.wssecurity.callbackhandler.GenericIssuedTokenConsumeCallbackHandler for
the class name.
- Click Apply.
After
you click Apply, a list of existing custom properties displays in
the Custom Properties section of the panel.
You can add, edit, or delete entries in the custom properties list.
For more information about the custom properties for the callback
handler, see the information about the com.ibm.wsspi.wssecurity.core.config.IssuedTokenConfigConstants application
programming interface (API). This information is accessible within
the section of the product documentation.
- Click Add to add both the stsURI custom
property and its associated value.
This custom property
value is the target Security Token Service URL address. This property
is required.
- Click Add to add both the wstrustClientPolicy custom
property and its associated value.
This custom property
value is the trust client policy set name that applies to the WS-Trust client call.
- Click Add to add both the wstrustClientBinding custom
property and its associated value.
The custom property
value is the trust client binding that applies to the WS-Trust client
call. For more information about creating trust client bindings, see
steps 3, 4, and 5 in the documentation on configuring client and provider
bindings for the SAML bearer token.
- Optional: Specify other custom properties.
- Click OK and click Save to
save the bindings.
- Stop and restart the applications.
Results
When you complete this task, you have configured a generic
login module for the token consumer.
What to do next
Configure a generic security token login module for the token
generator.