Token framework
WebSphere Application Server provides a token framework to enable populating the JAAS Subject with Java objects and to provide the serialization functionality for those objects. The token framework can identify the uniqueness of each token contained in the authenticated Subject. That uniqueness determines how the Subject is cached and what the token is for, and it also determines how the token is recreated when the Subject is lost.
The Token framework is used for propagating custom security attributes downstream. The WAS Token framework defines four token interfaces that let the WAS runtime determine how to propagate each token. All of the token types defined by the propagation framework have similar interfaces.
The token types are marker interfaces. A marker interface is a Java interface that defines no methods or fields and is used only to "mark" the Java classes that implement it. Each of the four token interfaces extends the base interface com.ibm.wsspi.security.token.Token, which carries the common token methods. There are four tokens provided by the WAS Token framework:
- Authorization Token
User specific. Contains authorization-related security attributes for the authenticated Subject. Used by WAS to make J2EE authorization decisions.
- Single Sign-On Token
User specific. Part of the JAAS Subject. Enables WAS to do single sign-on to other WAS instances.
Added to the response as an HTTP cookie that is sent to the browser, and represents a unique authentication. The default value of this token is the LTPA token version 2.
- Propagation Token
Not user specific. Not stored in the JAAS Subject; stored on the thread context instead.
The default propagation token records all user switches and host switches.
- Authentication Token
Contains the identity of the user. Equivalent to the LTPA token in previous versions. Typically reserved for internal WAS purposes. Added to the HTTP response as an LTPAToken cookie to maintain backward compatibility with previous versions.
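The following is an added example (not code from the original page or from IBM) showing how an application running under WAS security would find the three user-specific tokens in the current RunAs Subject and read their common Token methods, and how it would read the caller and host switch history that lives on the thread rather than in the Subject. It assumes the WAS public API classes com.ibm.websphere.security.auth.WSSubject, com.ibm.websphere.security.WSSecurityHelper (whose getFirstCaller/getCallerList/getHostList accessors are assumed to exist on the WAS version in use; check the javadoc for your release) and the com.ibm.wsspi.security.token interfaces named on this page; the class name TokenInspector is a hypothetical name chosen for the example.

```java
import java.util.Enumeration;
import java.util.Iterator;
import javax.security.auth.Subject;

import com.ibm.websphere.security.WSSecurityException;
import com.ibm.websphere.security.WSSecurityHelper;
import com.ibm.websphere.security.auth.WSSubject;
import com.ibm.wsspi.security.token.AuthenticationToken;
import com.ibm.wsspi.security.token.AuthorizationToken;
import com.ibm.wsspi.security.token.SingleSignonToken;
import com.ibm.wsspi.security.token.Token;

/**
 * Hypothetical helper (example only): walks the private credentials of the
 * current RunAs Subject and classifies each WAS token by the marker interface
 * it implements. Call inspectCurrentCaller() from a servlet or EJB method that
 * executes under WAS security.
 */
public class TokenInspector {

    /** Names the marker interface a token implements; "Token" if it is none of the three. */
    static String classify(Token t) {
        if (t instanceof AuthorizationToken) return "AuthorizationToken";
        if (t instanceof SingleSignonToken)  return "SingleSignonToken";
        if (t instanceof AuthenticationToken) return "AuthenticationToken";
        return "Token";
    }

    /** Dumps the user-specific tokens carried in the Subject's private credentials. */
    public static void dumpSubjectTokens(Subject subject) {
        Iterator<Object> it = subject.getPrivateCredentials().iterator();
        while (it.hasNext()) {
            Object cred = it.next();
            if (!(cred instanceof Token)) {
                continue; // WSCredential and other non-token credentials are skipped
            }
            Token t = (Token) cred;
            // The methods below come from the base Token interface shared by all four types.
            System.out.println(classify(t)
                + " name=" + t.getName()
                + " principal=" + t.getPrincipal()
                + " uniqueID=" + t.getUniqueID()
                + " valid=" + t.isValid()            // false once the token has expired
                + " forwardable=" + t.isForwardable()  // whether WAS will propagate it downstream
                + " expires=" + t.getExpiration()
                + " readOnly=" + t.isReadOnly());
            // Custom attributes added by login modules are key -> String[] pairs.
            Enumeration<?> names = t.getAttributeNames();
            while (names.hasMoreElements()) {
                String key = (String) names.nextElement();
                String[] values = t.getAttributes(key);
                System.out.println("  attr " + key + " = " + String.join(",", values));
            }
        }
    }

    /**
     * The PropagationToken is not in the Subject; it is thread-scoped, so it is read
     * through WSSecurityHelper. These accessors are assumed to exist on this WAS release.
     */
    public static void dumpPropagationHistory() {
        System.out.println("first caller = " + WSSecurityHelper.getFirstCaller());
        System.out.println("caller switches = " + WSSecurityHelper.getCallerList());
        System.out.println("host switches = " + WSSecurityHelper.getHostList());
    }

    /** Entry point to call from application code running on a secured WAS thread. */
    public static void inspectCurrentCaller() throws WSSecurityException {
        Subject runAs = WSSubject.getRunAsSubject();
        if (runAs == null) {
            System.out.println("no RunAs Subject on this thread (security disabled or unauthenticated)");
            return;
        }
        dumpSubjectTokens(runAs);
        dumpPropagationHistory();
    }
}
```

From a defender's point of view the useful checks are the ones printed above: a token that reports isValid() == false or isForwardable() == false will not carry its attributes to the next hop, and the caller and host lists show every identity and server switch the request went through, which is what you compare against the expected call path when reviewing downstream authorization decisions.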
| Token Name | com.ibm.wsspi.websphere.security.token.* | Based on | Notes |
|---|---|---|---|
| Authorization | com.ibm.wsspi.security.token.AuthorizationToken | authenticated Subject | Propagated downstream |
| Single Signon | com.ibm.wsspi.security.token.SingleSignonToken | authenticated Subject | Sent to the browser as a cookie named LtpaToken2 by default. Propagated downstream |
| Authentication | com.ibm.wsspi.security.token.AuthenticationToken | authenticated Subject | Exists for backward compatibility. Has the old LtpaToken for backward compatibility. Propagated downstream |
| Propagation | com.ibm.wsspi.security.token.PropagationToken | Thread | Propagated downstream |