Use the default propagation token

A default propagation token is located on the running thread for applications and the security infrastructure to use. WebSphere Application Server v7 propagates this token downstream, and the token stays on the thread where the invocation lands at each hop. The data is available from within the container of any resource where the propagation token lands.

Enable the propagation feature at each server where a request is sent for propagation to work. Enable security attribute propagation for all of the cells in the environment where you want propagation

There is a WSSecurityHelper class that has APIs for accessing the Propagation Token attributes. This page documents the usage scenarios and includes examples. A close relationship exists between the propagation token and the work area feature. The main difference between these features is that after you add attributes to the propagation token, we cannot change the attributes. We cannot change these attributes so that the security runtime can add auditable information and have that information remain there for the life of the invocation. Any time that you add an attribute to a specific key, an ArrayList object is stored to hold that attribute. Any new attribute that is added with the same key is added to the ArrayList object. When you call getAttributes, the ArrayList object is converted to a String array and the order is preserved. The first element in the String array is the first attribute added for that specific key.

In the default propagation token, a change flag is kept that logs any data changes to the token. These changes are tracked to enable WAS to know when to send the authentication information downstream again so that the downstream server has those changes. Normally, CSIv2 maintains a session between servers for an authenticated client. If the propagation token changes, a new session is generated and subsequently a new authentication occurs. Frequent changes to the propagation token during a method cause frequent downstream calls. If we change the token prior to making many downstream calls or you change the token between each downstream call, we might impact security performance.





Related tasks

Authenticate users
Propagating security attributes among appservers