

BasicAuth authentication method

When you use the BasicAuth authentication method, the security token that is generated is a <wsse:UsernameToken> element with <wsse:Username> and <wsse:Password> elements.

There is an important distinction between Version 5.x applications and v6 and later applications. The information in this article applies only to v5.x applications that are used with WAS v6.0.x and later. It does not apply to v6 and later applications.

WAS supports text passwords but not password digest because passwords are not stored and cannot be retrieved from the server. On the request sender side, a callback handler is invoked to generate the security token. On the request receiver side, a JAAS login module is used to validate the security token. These two operations, token generation and token validation, are described in the following sections.

BasicAuth token generation

The request sender generates a BasicAuth security token using a callback handler. The security token returned by the callback handler is inserted in the SOAP message. The callback handler used is specified in the <LoginBinding> element of the bindings file, ibm-webservicesclient-bnd.xmi. The following callback handler implementations are provided with WAS and can be used with the BasicAuth authentication method:

  • com.ibm.wsspi.wssecurity.auth.callback.GUIPromptCallbackHandler
  • com.ibm.wsspi.wssecurity.auth.callback.StdinPromptCallbackHandler
  • com.ibm.wsspi.wssecurity.auth.callback.NonPromptCallbackHandler

You can add your own callback handlers that implement the javax.security.auth.callback.CallbackHandler interface.
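
A custom handler of this kind, as an added example rather than IBM sample code: it answers the standard JAAS NameCallback and PasswordCallback from values supplied at construction and rejects any other callback. The class name and the WSS_USER / WSS_PASSWORD environment variables are hypothetical, and any constructor signature or additional product-specific callbacks that the WAS runtime expects are not shown.

```java
import java.io.IOException;
import java.util.Arrays;
import javax.security.auth.callback.*;

// Hypothetical handler (not an IBM class): supplies BasicAuth credentials
// without prompting and without hardcoding them in source or bindings.
public class EnvCredentialCallbackHandler implements CallbackHandler {
    private final String username;
    private final char[] password;

    public EnvCredentialCallbackHandler(String username, char[] password) {
        if (username == null || username.isEmpty() || password == null || password.length == 0) {
            throw new IllegalArgumentException("username and password are required");
        }
        this.username = username;
        this.password = password.clone();   // keep a private copy
    }

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) {
                ((NameCallback) cb).setName(username);
            } else if (cb instanceof PasswordCallback) {
                ((PasswordCallback) cb).setPassword(password); // PasswordCallback stores its own clone
            } else {
                // Fail closed on anything this handler does not understand.
                throw new UnsupportedCallbackException(cb, "unsupported callback type");
            }
        }
    }

    // Wipe the stored copy once the token has been generated.
    public void clear() { Arrays.fill(password, '\0'); }

    public static void main(String[] args) throws Exception {
        // WSS_USER / WSS_PASSWORD are assumed names; the fallbacks are constructed sample values.
        String user = System.getenv().getOrDefault("WSS_USER", "demo-user");
        char[] pw = System.getenv().getOrDefault("WSS_PASSWORD", "constructed-sample").toCharArray();
        EnvCredentialCallbackHandler h = new EnvCredentialCallbackHandler(user, pw);
        NameCallback nc = new NameCallback("Username: ");
        PasswordCallback pc = new PasswordCallback("Password: ", false);
        h.handle(new Callback[] { nc, pc });
        System.out.println("name=" + nc.getName() + " passwordLength=" + pc.getPassword().length);
        pc.clearPassword();   // wipe the callback's copy
        h.clear();            // wipe the handler's copy
        Arrays.fill(pw, '\0');
    }
}
```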

BasicAuth token validation

The request receiver retrieves the BasicAuth security token from the SOAP message and validates it using a JAAS login module. The <wsse:Username> and <wsse:Password> elements in the security token are used to perform the validation. If the validation is successful, the login module returns a JAAS Subject. This Subject is set as the identity of the running thread. If the validation fails, the request is rejected with a SOAP fault exception.

The JAAS login configuration is specified in the <LoginMapping> element of the bindings file. Default bindings are specified in the ws-security.xml file. However, you can override these bindings using the application-specific ibm-webservices-bnd.xmi file. The configuration information consists of a CallbackHandlerFactory and a ConfigName value. The CallbackHandlerFactory option specifies the name of a class used for creating the JAAS CallbackHandler object. WAS provides the com.ibm.wsspi.wssecurity.auth.callback.WSCallbackHandlerFactoryImpl CallbackHandlerFactory implementation. The ConfigName value specifies a JAAS configuration name entry. WAS searches the security.xml file for a matching configuration name entry. If a match is not found, it searches the wsjaas.conf file for a match. WAS provides the WSLogin default configuration entry, which is suitable for the BasicAuth authentication method.

