Lightweight Third Party Authentication

When you use the lightweight third party authentication (LTPA) method, the <wsse:BinarySecurityToken> security token is generated. On the request sender side, the security token is generated by invoking a callback handler. On the request receiver side, the security token is validated by a Java™ Authentication and Authorization Service (JAAS) login module.

Important: This information supports only Version 5.x applications that are used with WebSphere® Application Server Version 6.0.x and later. It does not apply to Version 6 and later applications.

The following information describes token generation and token validation operations.

LTPA token generation
The request sender uses a callback handler to generate an LTPA security token. The callback handler returns a security token that is inserted in the SOAP message. Specify the appropriate callback handler in the <LoginBinding> element of the bindings file (ibm-webservicesclient-bnd.xmi). The following callback handler implementation can be used with the LTPA authentication method:
  • com.ibm.wsspi.wssecurity.auth.callback.LTPATokenCallbackHandler

You can add your own callback handlers that implement the javax.security.auth.callback.CallbackHandler interface.

When using the LTPA authentication method (or any authentication method other than BasicAuth, Signature or IDAssertion), the TokenValueType attribute of the <LoginBinding> element in the bindings file (ibm-webservicesclient-bnd.xmi) must be specified. The values to use for the LTPA TokenValueType attribute are:
  • uri="http://www.ibm.com/websphere/appserver/tokentype/5.0.2"
  • localName="LTPA"

LTPA token validation
The request receiver retrieves the LTPA security token from the SOAP message and validates the message using a JAAS login module. The <wsse:BinarySecurityToken> security token is used to perform the validation. If the validation is successful, the login module returns a JAAS Subject. Subsequently, this Subject is set as the identity of the running thread. If the validation fails, the request is rejected with a SOAP fault.

The appropriate JAAS login configuration to use is specified in the <LoginMapping> element of the bindings file. Default bindings are specified in the ws-security.xml file, but these can be overridden using the application-specific ibm-webservices-bnd.xmi file. The configuration information consists of a CallbackHandlerFactory, a ConfigName and a TokenValueType attribute. The CallbackHandlerFactory specifies the name of a class to use to create the JAAS CallbackHandler object. A CallbackHandlerFactory implementation is provided (com.ibm.wsspi.wssecurity.auth.callback.WSCallbackHandlerFactoryImpl). The ConfigName attribute specifies a JAAS configuration name entry. The Web Services Security run time first searches the security.xml file for a matching entry and, if a matching entry is not found, the run time searches the wsjaas.conf file. A default configuration entry suitable for the LTPA authentication method is provided (WSLogin). An appropriate TokenValueType element is located in the LTPA LoginMapping section of the default ws-security.xml file.
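
The following stand-alone Java class is an added example, not IBM code and not part of the original documentation. It shows how the TokenValueType uri and localName can be used to confirm that a captured SOAP message carries exactly one LTPA-typed <wsse:BinarySecurityToken> before anything else is done with it; it checks only the token type and encoding and does not perform the LTPA validation that the JAAS login module does. It assumes that the ValueType attribute is a prefixed QName resolving to the TokenValueType uri, it matches the element by local name because the page does not give the wsse namespace URI, and the class and method names are hypothetical.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class LtpaTokenTypeCheck {
    // Values of the LTPA TokenValueType attribute given in the documentation.
    static final String LTPA_URI = "http://www.ibm.com/websphere/appserver/tokentype/5.0.2";
    static final String LTPA_LOCAL_NAME = "LTPA";

    /** Returns the decoded token bytes if the message carries exactly one LTPA-typed token. */
    static byte[] extractLtpaToken(String soap) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Refuse DOCTYPE declarations so an untrusted message cannot use external entities.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(soap.getBytes(StandardCharsets.UTF_8)));
        NodeList tokens = doc.getElementsByTagNameNS("*", "BinarySecurityToken");
        if (tokens.getLength() != 1)
            throw new SecurityException("expected one BinarySecurityToken, found " + tokens.getLength());
        Element token = (Element) tokens.item(0);
        // Assumption: ValueType is a QName (prefix:localName) whose prefix is declared in scope.
        String[] qname = token.getAttribute("ValueType").split(":", 2);
        if (qname.length != 2)
            throw new SecurityException("ValueType is not a prefixed QName");
        String uri = token.lookupNamespaceURI(qname[0]);
        if (!LTPA_URI.equals(uri) || !LTPA_LOCAL_NAME.equals(qname[1]))
            throw new SecurityException("token type is not LTPA: {" + uri + "}" + qname[1]);
        // Strict Base64 decode; throws IllegalArgumentException on malformed content.
        byte[] raw = Base64.getDecoder().decode(token.getTextContent().trim());
        if (raw.length == 0) throw new SecurityException("empty token");
        return raw;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the wsse namespace URI and the token bytes are placeholders.
        String msg = "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">"
            + "<soapenv:Header><wsse:Security xmlns:wsse=\"urn:example:wsse\">"
            + "<wsse:BinarySecurityToken xmlns:t=\"" + LTPA_URI + "\" ValueType=\"t:LTPA\">"
            + "Y29uc3RydWN0ZWQtc2FtcGxl</wsse:BinarySecurityToken>"
            + "</wsse:Security></soapenv:Header><soapenv:Body/></soapenv:Envelope>";
        System.out.println("LTPA token bytes: " + extractLtpaToken(msg).length);
    }
}
```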