Developing web services applications to use a UsernameToken with no registry interaction
To authenticate a UsernameToken with a caller part without accessing the WebSphere Application Server registry, you can replace the authentication method of the UsernameToken consumer and configure the caller to use an alternative Java™ Authentication and Authorization Service (JAAS) login configuration.
About this task
This information applies only to Java API for XML-based RPC (JAX-RPC) web services.
By default, the JAAS login module that is used with the Web Services Security UsernameToken consumer, UsernameLoginModule, always validates the user name and password that are contained within the token against the WebSphere registry. You can configure a custom property to circumvent this registry check. When a caller part is added to the WS-Security constraints for a service provider, the user name and password that are contained in the UsernameToken are also validated against the WebSphere registry. This validation occurs in the com.ibm.ws.security.server.lm.ltpaLoginModule module that is part of the system.DEFAULT Java Authentication and Authorization Service (JAAS) configuration stack, as shown in the following example.
com.ibm.ws.security.server.lm.ltpaLoginModule
com.ibm.ws.security.server.lm.wsMapDefaultInboundLoginModule
The WebSphere Application Server WS-Security run time does not support the use of a JAAS configuration for the caller part that does not include these two login modules. However, you can add your own custom login modules to this JAAS configuration stack.
Refer to the Configuring the caller in consumer security constraints topic in the IBM Rational Application Developer documentation.