Monday, September 21, 2009

Asserting an Identity from JAX-RPC Web Services to WebSphere

I've received similar questions from multiple customers all about asserting identity on Web Services requests within JAX-RPC. Therefore, let me talk a bit about how this can be done with the support in WebSphere today.

The JAX-RPC web services security implementation has two phases of processing a security token embedded in the WS-Security header.
  1. Verify the validity of the security token.
    This is handled by the Token Consumer and/or JAAS Login Module configured in the deployment descriptor and binding.
  2. Verify the identity of the security token exist in the configured user registry and then create the WebSphere credentials.
    This is enabled via the Caller and it is optional.
In some business use cases, you may want to assert the identity based on trust and do not necessary want to add the identity to the configured user registry. Here is how you can do this (since 6.1.0.19).

Phase 1

The user must provide a custom implementation of a Token Consumer. Here is a developerWorks article with step by step instructions.

Phase 2

The user must override the default JAAS Login Configuration.

The default JAAS Login Configuration used by the Caller to create WebSphere Principal and Credential is “system.DEFAULT”. This JAAS Login Configuration is used by many other parts of the system. It is best to create a new JAAS Login Configuration with the same content of “system.DEFAULT” and ensure your custom JAAS Login Module is the first in the list, and then specify the Caller to use the new JAAS Login Configuration. The property to specify a different JAAS Login Configuration for the Caller (see figure below):


Name: com.ibm.wsspi.wssecurity.Caller.assertionLoginConfig

Value: name of the JAAS Login Configuration



Please follow the WebSphere Attribute Assertion framework in your custom JAAS Login Module implementations to assert the identity. The information is available here and here.

I hope you find this information useful.

1 comment:

  1. Any idea how can we intercept SOAP requests and apply identity assertion within WAS, before it is passed on to the hosted web service to be processed, without having to change the source and/or the target applications?

    ReplyDelete