I've received similar questions from multiple customers, all about asserting identity on Web Services requests within JAX-RPC. So let me talk a bit about how this can be done with the support in WebSphere today.
The JAX-RPC web services security implementation has two phases of processing a security token embedded in the WS-Security header.
- Verify the validity of the security token. This is handled by the Token Consumer and/or JAASLogin Module configured in the deployment descriptor and binding.
- Verify that the identity in the security token exists in the configured user registry, and then create the WebSphere credentials. This is enabled via the Caller and is optional.
Phase 1
The user must provide a custom implementation of a Token Consumer. Here is a developerWorks article with step-by-step instructions.
Phase 2
The user must override the default JAASLogin Configuration.
The default JAASLogin Configuration used by the Caller to create the WebSphere Principal and Credential is “system.DEFAULT”. This JAASLogin Configuration is used by many other parts of the system, so it is best to leave it alone: create a new JAASLogin Configuration with the same content as “system.DEFAULT”, ensure your custom JAASLogin Module is the first in the list, and then tell the Caller to use the new JAASLogin Configuration. The property to specify a different JAASLogin Configuration for the Caller (see figure below):
Name: com.ibm.wsspi.wssecurity.Caller.assertionLoginConfig
Value: name of the JAASLogin Configuration
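
The ordering requirement in Phase 2, shown as an added example that is not from the original post or from WebSphere: a plain-JAAS program in which a custom module listed first publishes the asserted identity in shared state for the modules after it, and the reversed order is rejected. The class and module names, the configuration name `custom.assertion`, and the use of a `NameCallback` to deliver the identity are assumptions; both modules are stand-ins, not WebSphere's own login modules.

```java
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
public class AssertionLoginOrder {
    static final String KEY = "javax.security.auth.login.name"; // conventional JAAS shared-state key
    public abstract static class Base implements LoginModule { // plumbing shared by both demo modules
        Subject subject; CallbackHandler handler; Map<String, Object> shared;
        @SuppressWarnings("unchecked")
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> st, Map<String, ?> opts) {
            subject = s; handler = h; shared = (Map<String, Object>) st;
        }
        public boolean commit() { return true; }
        public boolean abort() { return true; } public boolean logout() { return true; }
    }
    public static class AssertedIdModule extends Base { // hypothetical custom module, meant to run first
        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("asserted identity");
            try { handler.handle(new Callback[] { nc }); }
            catch (Exception e) { throw new LoginException(e.toString()); }
            if (nc.getName() == null || nc.getName().isEmpty()) throw new FailedLoginException("no identity");
            shared.put(KEY, nc.getName()); // publish for the modules that follow
            return true;
        }
    }
    public static class CredentialModule extends Base { // stand-in for the copied default modules
        public boolean login() throws LoginException {
            if (shared.get(KEY) == null) throw new FailedLoginException("no identity in shared state");
            return true;
        }
        public boolean commit() { subject.getPrincipals().add(() -> (String) shared.get(KEY)); return true; }
    }
    static String login(String id, Class<?>... order) throws LoginException {
        AppConfigurationEntry[] e = new AppConfigurationEntry[order.length];
        for (int i = 0; i < e.length; i++) e[i] = new AppConfigurationEntry(order[i].getName(),
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, new HashMap<String, Object>());
        Configuration cfg = new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String n) { return e; } };
        LoginContext lc = new LoginContext("custom.assertion", new Subject(), cbs -> {
            for (Callback c : cbs) if (c instanceof NameCallback) ((NameCallback) c).setName(id); }, cfg);
        lc.login();
        return lc.getSubject().getPrincipals().iterator().next().getName();
    }
    public static void main(String[] args) throws Exception {
        System.out.println(login("alice", AssertedIdModule.class, CredentialModule.class)); // constructed identity
        try { login("alice", CredentialModule.class, AssertedIdModule.class); }
        catch (LoginException ex) { System.out.println("wrong order rejected: " + ex.getMessage()); }
    }
}
```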