WAS 7.0 and UsernameToken with no password - Websphere



Thread: WAS 7.0 and UsernameToken with no password

  1. WAS 7.0 and UsernameToken with no password

    How to configure WebSphere 7.0.0.5 to accept UsernameToken without password? I want to make a web services call with a WS-Security UsernameToken which doesn't contain the password (I assume that the authorization is done before by TAM PolicyServer). I've configured the Authentication and protection for an inbound UsernameToken v1.0, JAAS login "wss.consume.unt" and callback handler "com.ibm.wsspi.wssecurity.token.IDAssertion.isUsed= true" property. Besides that I have specified a Caller Identity Local Part for "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken" and used a "wss.caller" for caller JAAS login.

    My configuration gives me this stacktrace:

    {code}
    javax.xml.ws.soap.SOAPFaultException: security.wssecurity.WSSContextImpl.s02: com.ibm.websphere.security.WSSecurityException: Exception org.apache.axis2.AxisFault: CWWSS6521E: The Login failed because of an exception: javax.security.auth.login.LoginException: CWWSS6500E: There is no caller identity candidate that can be used to login. ocurred while running action: com.ibm.ws.wssecurity.handler.WSSecurityConsumerHandler$1@1f6f1f6f
    at org.apache.axis2.jaxws.marshaller.impl.alt.MethodMarshallerUtils.createSystemException(MethodMarshallerUtils.java:1249)
    at org.apache.axis2.jaxws.marshaller.impl.alt.MethodMarshallerUtils.demarshalFaultResponse(MethodMarshallerUtils.java:975)
    at org.apache.axis2.jaxws.marshaller.impl.alt.DocLitWrappedMethodMarshaller.demarshalFaultResponse(DocLitWrappedMethodMarshaller.java:550)
    at org.apache.axis2.jaxws.client.proxy.JAXWSProxyHandler.getFaultResponse(JAXWSProxyHandler.java:421)
    at org.apache.axis2.jaxws.client.proxy.JAXWSProxyHandler.createResponse(JAXWSProxyHandler.java:384)
    at org.apache.axis2.jaxws.client.proxy.JAXWSProxyHandler.invokeSEIMethod(JAXWSProxyHandler.java:308)
    at org.apache.axis2.jaxws.client.proxy.JAXWSProxyHandler.invoke(JAXWSProxyHandler.java:158)
    at $Proxy37.sayHello(Unknown Source)
    at pl.ibm.com.client.Client.main(Client.java:18)
    {code}

    I tried all the options; when I push the UsernameToken with password and without the property defined in the callback handler I can see the proper Principal of the user, but unfortunately I cannot use the WAS to do the authorization and I need to process only the username without the password.

    I would be very grateful for any of your help.

    Best Regards,
    Sebastian Kapciak
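    To make the token shape in this question concrete, here is an added example (not code from the thread or from IBM) that builds the two variants of a WS-Security UsernameToken header, with and without a wsse:Password child, and a consumer-side check that classifies which one arrived. The namespaces are the standard SOAP 1.1 and WSS 1.0 ones; the "sayHello" operation name is taken from the stack trace above; the "from_trusted_intermediary" flag is an assumption standing in for whatever upstream authentication (TAM in the thread) makes a password-less token acceptable as an identity assertion.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")
# Username Token Profile 1.0 URI; "#UsernameToken" is the caller identity
# local part mentioned in the question, "#PasswordText" the plain password type.
UT_PROFILE = ("http://docs.oasis-open.org/wss/2004/01/"
              "oasis-200401-wss-username-token-profile-1.0")
NS = {"soapenv": SOAP_NS, "wsse": WSSE_NS}

ET.register_namespace("soapenv", SOAP_NS)
ET.register_namespace("wsse", WSSE_NS)


def build_envelope(username, password=None):
    """Build a SOAP 1.1 envelope carrying a wsse:UsernameToken.

    With password=None the token has only a wsse:Username child, which is the
    identity-assertion form the question asks WebSphere to consume.
    """
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    sec = ET.SubElement(header, f"{{{WSSE_NS}}}Security")
    sec.set(f"{{{SOAP_NS}}}mustUnderstand", "1")
    ut = ET.SubElement(sec, f"{{{WSSE_NS}}}UsernameToken")
    ET.SubElement(ut, f"{{{WSSE_NS}}}Username").text = username
    if password is not None:
        pw = ET.SubElement(ut, f"{{{WSSE_NS}}}Password")
        pw.set("Type", UT_PROFILE + "#PasswordText")
        pw.text = password
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    ET.SubElement(body, "sayHello")  # operation name seen in the thread's trace
    return ET.tostring(env, encoding="unicode")


def inspect_username_token(envelope_xml):
    """Return (username, has_password) for the first UsernameToken in the header.

    Raises ValueError when no usable token is present, i.e. when the consumer
    has nothing it could turn into a caller identity.
    """
    root = ET.fromstring(envelope_xml)
    ut = root.find("soapenv:Header/wsse:Security/wsse:UsernameToken", NS)
    if ut is None:
        raise ValueError("no wsse:UsernameToken in the wsse:Security header")
    user = ut.findtext("wsse:Username", namespaces=NS)
    if not user:
        raise ValueError("UsernameToken carries no wsse:Username")
    has_password = ut.find("wsse:Password", NS) is not None
    return user, has_password


def accept_caller(envelope_xml, from_trusted_intermediary):
    """Decide how a consumer should treat the token (assumed policy, not WAS's).

    A token with a password is a normal UsernameToken to be authenticated.
    A token without one is only a valid caller identity when an upstream
    trusted party already authenticated the user; otherwise it is rejected,
    because anyone can write a bare username into a SOAP header.
    """
    user, has_password = inspect_username_token(envelope_xml)
    if has_password:
        return ("authenticate", user)
    if from_trusted_intermediary:
        return ("assert", user)
    return ("reject", user)


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    print(build_envelope("alice"))
    print(accept_caller(build_envelope("alice"), from_trusted_intermediary=True))
    print(accept_caller(build_envelope("alice"), from_trusted_intermediary=False))
    print(accept_caller(build_envelope("alice", "s3cret"), False))
```

The point of the last function is the one the question glosses over with "I assume that the authorization is done before": a password-less UsernameToken is only meaningful when the consumer can establish that the sender is a trusted intermediary (transport-level trust, signature, or a gateway hop), which is exactly what the caller configuration on the WebSphere side has to encode.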

  2. Re: WAS 7.0 and UsernameToken with no password

    I think there are the following solutions:
    *GSO junctions*
    Mapping between TAM identity and another id/password
    *Trust Association Interceptors (TAI)*
    Intercepts HTTP requests from reverse proxy and delegates trust from WebSphere to TAM
    *LTPA cookies*
    Encrypted cookie shared by WAS and TAM
    *Remove authentication from back-end resource and pass this responsibility to TAM*

  3. Re: WAS 7.0 and UsernameToken with no password

    Simon,

    Thank you very much for your answer. Our motivation for using the IDAssertion (UsernameToken without password) was that the communication on the backend will be done not only through a couple of WAS servers but also by WebSphere Message Broker. As far as I know WMB doesn't understand LTPA but does understand the UsernameToken.
    Because we are considering web services communication only (so SOAP instead of plain HTTP), we wanted to dispatch the calls within the WebSphere Gateway, so the TAM junction option doesn't satisfy us. Can you tell us how to consume the IDAssertion (UT with no password) on WebSphere? The following use cases would be possible:

    1. Client WAS WSGW TFIM (Auth via TAM and token exchange) WAS (Business Service)
    2. The same as above but with WMB instead of WAS at the end (also webservice protocol)

  4. Re: WAS 7.0 and UsernameToken with no password

    It turned out to be a WebSphere 7 bug. With fixpack 5 everything works fine (I was previously working with version 7.0.0.3).

    Thanks again for the interest!
    Sebastian
