Default authentication token


Do not use the default authentication token in service provider code. This default token is used by the WAS run-time code only and is authentication mechanism specific.

Any modifications to this token by service provider code can potentially cause interoperability problems. to create an authentication token for custom usage, see Implement a custom authentication token for security attribute propagation for more information.

 

Change the token factory that is associated with the default authentication token

When WAS generates a default authentication token, the appserver utilizes the TokenFactory class specified using the com.ibm.wsspi.security.token.authenticationTokenFactory property. To modify this property using the admin console...

  1. Click...

      Security | Global security

  2. Under Additional properties, click Custom properties.

The com.ibm.ws.security.ltpa.LTPATokenFactory token factory is the default for this property. The LTPATokenFactory token factory uses the DESede/ECB/PKCS5Padding cipher. This token factory creates an interoperable LTPA token. If we change this token factory, you lose the interoperability with any servers running a version of WAS prior to V5.1.1 and any other servers that do not support the new token factory implementation. However, if all of the appservers use WAS V 5.1.1 or later and all of the servers use the new token factory, this interoperability is not a problem.

If we associate the com.ibm.ws.security.ltpa.LTPAToken2Factory token factory with the com.ibm.wsspi.security.token.authenticationTokenFactory property, the token is Advanced Encryption Standard (AES) encrypted. However, we need to weigh the performance against the security needs. We might add additional attributes to the authentication token in the Subject during a login that are available downstream. to perform the own signing and encryption of the default authentication token, implement the following classes:

Your token factory implementation instantiates (createToken) and validates (validateTokenBytes) the token implementation. Use the LTPA keys that are passed into the initialize method of the token factory or we can use our own keys. If we use our own keys, they must be the same everywhere to validate the tokens that are generated using those keys. See the API documentation, available through a link on the front page of the information center, for more information on implementing our own custom token factory. To associate your token factory with the default authentication token using the admin console...

  1. Click...

      Security | Global security

  2. Under Additional properties, click Custom properties.

  3. Locate the com.ibm.wsspi.security.token.authenticationTokenFactory property and verify that the value of this property matches the custom token factory implementation.

  4. Verify that the implementation classes are put into the install_dir/classes directory so that the WAS class loader can load the classes.




 

Related concepts


Security attribute propagation

 

Related tasks


Propagating security attributes among appservers
Implement a custom authentication token for security attribute propagation