Generating and consuming a dynamic X.509 token using a stacked JAAS login module
You can use the GenericSecurityTokenFactory SPIs to create X.509 tokens for use by the WS-Security runtime environment. These security tokens can be used by, but are not limited to, the WSS APIs and JAAS login modules.
About this task
When a GenericSecurityTokenFactory SPI is used to create an X.509 token that does not contain XML, the token can only be emitted by the X.509 generator and consumed by the X.509 consumer. Therefore, an X.509 token is considered a simple token, which is only intended for use by its respective token-specific generator or consumer. An X.509 token cannot be emitted by the GenericSecurityTokenLoginModule.
The GenericSecurityTokenFactory provides several SPIs that you can use to create X.509 tokens that can be emitted with the X509GenerateLoginModule or consumed by the X509ConsumeLoginModule. X.509 tokens that are created using a GenericSecurityTokenFactory SPI contain public and/or private keys that can be used to sign or encrypt an outbound message or decrypt or verify the signature of an inbound message.
- When you need to dynamically change the signing key for a message. The X509GenerateCallbackHandler requires that the signing key be hardcoded at configuration time. To override this hardcoded value, you can code a JAAS login module that is stacked over X509GenerateLoginModule and puts a simple X.509 token in the shared state. The X509GenerateLoginModule then uses the private key specified in the simple X.509 token instead of the one configured in the callback handler.
- When you need to allow multiple signature-verifying certificates that do not appear in the SOAP message, such as certificates that are referenced only by attributes like KEYID or X509IssuerSerial. The WS-Security engine does not dynamically resolve certificates that do not appear in the SOAP message: the certificate must be hardcoded in the X509ConsumeCallbackHandler, and you can configure only one certificate in the callback handler. If you choose to implement the certificate resolution yourself, you can put this code in a JAAS login module that is stacked over X509ConsumeLoginModule and puts a simple X.509 token containing the desired public certificate in the shared state. The X509ConsumeLoginModule then uses the public certificate specified in the simple X.509 token instead of the one configured in the callback handler.
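As an added illustration (not code from this documentation or from IBM), the following JAAS login module implements the first scenario: at login time it selects a signing key pair from a keystore and places the resulting simple X.509 token in the shared state for the X509GenerateLoginModule stacked beneath it. The login-module option names, the PKCS12 keystore format and the exact GenericSecurityTokenFactory method signatures are assumptions; check them against the SPI Javadoc for your release.

```java
import java.io.File;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import com.ibm.websphere.wssecurity.wssapi.token.GenericSecurityTokenFactory;
import com.ibm.websphere.wssecurity.wssapi.token.X509Token;

// Stacked above X509GenerateLoginModule: builds a simple X.509 token from the
// key pair named by the "signingAlias" option and puts it in the shared state,
// so the generator signs with this key instead of the callback-handler key.
// The option names, the PKCS12 keystore and the two factory SPI signatures
// (getX509Token(cert, key), putGeneratorTokenToSharedState) are assumptions.
public class DynamicSigningKeyLoginModule implements LoginModule {
    private Map<String, Object> sharedState;
    private Map<String, ?> options;
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.sharedState = (Map<String, Object>) sharedState; // unchecked cast
        this.options = options;
    }

    public boolean login() throws LoginException {
        String path = (String) options.get("keyStorePath");
        String alias = (String) options.get("signingAlias");
        char[] pw = ((String) options.get("keyStorePassword")).toCharArray();
        try {
            KeyStore ks = KeyStore.getInstance(new File(path), pw); // Java 9+
            PrivateKey key = (PrivateKey) ks.getKey(alias, pw);
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            if (key == null || cert == null) throw new LoginException("no key pair: " + alias);
            GenericSecurityTokenFactory factory = GenericSecurityTokenFactory.getInstance();
            X509Token token = factory.getX509Token(cert, key); // simple token, no XML
            factory.putGeneratorTokenToSharedState(sharedState, token);
            return true;
        } catch (LoginException e) {
            throw e;
        } catch (Exception e) {
            throw (LoginException) new LoginException("cannot build X.509 token").initCause(e);
        }
    }
    public boolean commit() { return true; }
    public boolean abort() { return true; }
    public boolean logout() { return true; }
}
```

Configure this class in the JAAS login configuration ahead of X509GenerateLoginModule so that its login() runs first and the shared-state token is present when the generator executes.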
After an X.509 token is created, the public and private key in the token cannot be modified. Therefore, you must determine the type of token you want to create, and then issue commands similar to the ones specified in the following steps to create your token and JAAS login module.