Network Deployment (Distributed operating systems), v8.0 > Develop and deploying applications > Develop web services - Security (WS-Security) > Configure Web Services Security during application assembly > Configure identity assertion for v5.x web services with an assembly tool


Configure the server to validate identity assertion authentication information

The purpose of identity assertion is to assert the authenticated identity of the originating client from a web service to a downstream Web service.

There is an important distinction between v5.x and v6 and later applications. The information in this article supports v5.x applications only that are used with WAS Version 6.0.x and later. The information does not apply to Version 6 and later applications.
Use this task to configure identity assertion authentication. Do not attempt to configure identity assertion from a pure client.
For the downstream web service to accept the identity of the originating client (user name only), supply a special trusted BasicAuth credential that the downstream web service trusts and can authenticate successfully. We must specify the user ID of the special BasicAuth credential in a trusted ID evaluator on the downstream web service configuration. For more information on trusted ID evaluators, see the topic about the trusted ID evaluator. The server side passes the special BasicAuth credential into the trusted ID evaluator, which returns a true or false response that this ID is trusted. After it is trusted, the user name of the client is mapped to the credential, which is used for authorization.

Complete the following steps to validate the identity assertion authentication information:


Procedure

  1. Launch an assembly tool. For more information, see the related information on assembly tools.
  2. Switch to the Java EE perspective. Click Window > Open Perspective > J2EE.

  3. Click EJB Projects > application_name > ejbModule > META-INF.
  4. Right-click the webservices.xml file, and click Open with > Web services editor.

  5. Click the Binding Configurations tab, which is located at the bottom of the web services editor within the assembly tool.
  6. Expand the Request receiver binding configuration details > Login mapping section.

  7. Click Edit to view the login mapping information. Click Add to add new login mapping information. The login mapping dialog is displayed. Select or enter the following information:

    Authentication method

    Type of authentication that occurs. Select IDAssertion to use basic authentication.

    Configuration name

    Java Authentication and Authorization Service (JAAS) login configuration name. For the IDAssertion authentication method, enter system.wssecurity.IDAssertion for the JAAS (JAAS) login configuration name.

    Use token value type

    Determines to specify a custom token type. For the default authentication method selections, you do not need to specify this option.

    Token value type URI and Token value type local name

    When you select ID assertion, you cannot edit the token value type URI and local names. Specifies custom authentication types. For the ID assertion authentication method, leave these values blank.

    Callback handler factory class name

    Ccreates a JAAS CallbackHandler implementation that understands the following callbacks:

    • javax.security.auth.callback.NameCallback
    • javax.security.auth.callback.PasswordCallback
    • com.ibm.wsspi.wssecurity.auth.callback.BinaryTokenCallback
    • com.ibm.wsspi.wssecurity.auth.callback.XMLTokenReceiverCallback
    • com.ibm.wsspi.wssecurity.auth.callback.PropertyCallback

    For any of the default authentication methods (BasicAuth, IDAssertion, and Signature), use the callback handler factory default implementation. Enter the following class name for any of the default Authentication methods including IDAssertion:

    com.ibm.wsspi.wssecurity.auth.callback.WSCallbackHandlerFactoryImpl
    

    This implementation creates the correct callback handler for the default implementations.

    Callback handler factory property name and Callback handler factory property value

    Specifies callback handler properties for custom callback handler factory implementations. The default callback handler factory implementation does not need any specified properties. For ID assertion, leave these values blank.

    Login mapping property name and Login mapping property value

    Specifies properties for a custom login mapping. For the default implementations including IDAssertion, leave these values blank.
  8. Expand the Trusted ID evaluator section.

  9. Click Edit to see a dialog that displays all the trusted ID evaluator information. The following table describes the purpose of this information.

    Class name

    Refers to the implementation of the trusted ID evaluator that to use. Enter the default implementation as
    com.ibm.wsspi.wssecurity.id.TrustedIDEvaluatorImpl
    
    If to implement your own trusted ID evaluator, implement the com.ibm.wsspi.wssecurity.id.TrustedIDEvaluator interface.

    Property name

    Represents the name of this configuration. Enter BasicIDEvaluator.

    Property value

    Defines the name and value pairs that can be used by the trusted ID evaluator implementation. For the default implementation, the trusted list is defined here. When a request comes in and the trusted ID is verified, the user ID, as it appears in the user registry, must be listed in this property.  Specify the property as a name and value pair where the name is trustedId_n. n is an integer starting from 0 and the value is the user ID associated with that name. An example list with the trusted names include two properties.

    For example: trustedId_0 = user1, trustedId_1 = user2. The previous example means that both user1 and user2 are trusted. user1 and user2 must be listed in the configured user registry

  10. Expand the Trusted ID evaluator reference section.

  11. Click Enable to add a new entry. The text you enter for the Trusted ID evaluator reference must be the same as the name entered previously in the Trusted ID evaluator. Make sure that the name matches exactly because the information is case sensitive. If an entry is already specified, you can change it by clicking Edit.


What to do next

We must specify how the server handles the identity assertion authentication method. See Configure the server to handle identity assertion authentication if we have not previously specified this information.
Trusted ID evaluator
Assembly tools
Configure the server to handle identity assertion authentication
Configure the server security bindings using an assembly tool
Secure web services for v5.x applications using identity assertion authentication

+

Search Tips   |   Advanced Search