Default AuthenticationToken

 

Default authentication token

Do not use the default authentication token in service provider code. This default token is used by the WebSphere Application Server run-time code only and is authentication mechanism specific.

Any modifications to this token by service provider code can potentially cause interoperability problems. If you need to create an authentication token for custom usage, see Implementing a custom authentication token for more information.

Changing the token factory associated with the default authentication token

When WebSphere Application Server generates a default authentication token, the application server utilizes the token factory class that is specified using the com.ibm.wsspi.security.token.authenticationTokenFactory property. To modify this property using the administrative console, complete the following steps:

  1. Click Security > Global Security .

  2. Under Additional properties, click Custom properties .

The com.ibm.ws.security.ltpa.LTPATokenFactory token factory is the default for this property. The LTPATokenFactory token factory uses the DESede/ECB/PKCS5Padding cipher. This token factory creates an interoperable Lightweight Third Party Authentication (LTPA) token. If you change this token factory, you lose the interoperability with any servers running a version of WebSphere Application Server prior to Version 5.1.1 and any other servers that do not support the new token factory implementation. However, if all of your application servers use WebSphere Application Server Version 5.1.1 or later and all of your servers use your new token factory, this interoperability is not a problem.

If you associate the com.ibm.ws.security.ltpa.LTPAToken2Factory token factory with the com.ibm.wsspi.security.token.authenticationTokenFactory property, the token is Advanced Encryption Standard (AES) encrypted. However, you need to weigh the performance against your security needs. You might add additional attributes to the authentication token in the Subject during a login that are available downstream. If you need to perform your own signing and encryption of the default authentication token, implement the following classes:

Your token factory implementation instantiates (createToken) and validates (validateTokenBytes) your token implementation. You can use the LTPA keys that are passed into the initialize method of the token factory or you can use your own keys. If you use your own keys, they must be the same everywhere to validate the tokens that are generated using those keys. See the API documentation, available through a link on the front page of the information center, for more information on implementing your own custom token factory. To associate your token factory with the default authentication token using the administrative console, complete the following steps:

  1. Click Security --> Global security.

  2. Under Additional properties, click Custom properties.

  3. Locate the com.ibm.wsspi.security.token.authenticationTokenFactory property and verify that the value of this property matches your custom token factory implementation

  4. Verify that your implementation classes are put into the install_dir/classes directory so that the WebSphere class loader can load the classes.


Related concepts

Security attribute propagation

Related tasks

Implementing a custom authentication token

Propagating security attributes among application servers


Searchable topic ID: rsec_defauthenttoken