Default AuthenticationToken

Do not use the default AuthenticationToken in service provider code. This default token is used by the WAS run-time code only and is specific to the configured authentication mechanism. Any modification of this token by service provider code can cause interoperability problems between servers. If you need to create an authentication token for custom usage, see Implementing a custom AuthenticationToken for more information.


Changing the TokenFactory associated with the default AuthenticationToken

When WebSphere Application Server generates a default AuthenticationToken, the application server uses the TokenFactory class that is specified by the com.ibm.wsspi.security.token.authenticationTokenFactory property. To modify this property using the administrative console, complete the following steps:

  1. Click Security > Global Security.

  2. Under Additional properties, click Custom properties.

  3. Locate the com.ibm.wsspi.security.token.authenticationTokenFactory property and set its value to the fully qualified class name of the TokenFactory to use.

The default TokenFactory specified for this property is com.ibm.ws.security.ltpa.LTPATokenFactory. The LTPATokenFactory uses the DESede/ECB/PKCS5Padding cipher (Triple DES in Electronic Codebook mode) and creates an interoperable Lightweight Third Party Authentication (LTPA) token. Note that ECB mode encrypts each block independently, so identical plaintext blocks produce identical ciphertext blocks; this cipher is retained for interoperability with earlier releases, not because it is the stronger option. If you change this TokenFactory, you lose interoperability with any servers running a version of WebSphere Application Server prior to Version 5.1.1 and with any other servers that do not support the new TokenFactory implementation. This is not a problem if all of your application servers run WebSphere Application Server Version 5.1.1 or later and all of them use your new TokenFactory.

If you associate com.ibm.ws.security.ltpa.LTPAToken2Factory with the com.ibm.wsspi.security.token.authenticationTokenFactory property, the token is AES encrypted. Weigh the additional processing cost against your security needs. Using LTPAToken2Factory also lets you add attributes to the AuthenticationToken in the Subject during a login; those attributes are then available downstream.

If you need to perform your own signing and encryption of the default AuthenticationToken, implement the following classes:

  • com.ibm.wsspi.security.ltpa.Token

  • com.ibm.wsspi.security.ltpa.TokenFactory

Your TokenFactory implementation instantiates (createToken) and validates (validateTokenBytes) your token implementation. Use the LTPA keys passed into the initialize method of the TokenFactory, or use your own keys. If you use your own keys, they must be identical on every server that validates tokens generated with those keys; a server holding a different key cannot validate the token. See the Javadoc, available through a link on the front page of the information center, for more information on implementing your own custom TokenFactory. To associate your TokenFactory with the default AuthenticationToken using the administrative console, complete the following steps:

  1. Click Security > Global Security.

  2. Under Additional properties, click Custom properties.

  3. Locate the com.ibm.wsspi.security.token.authenticationTokenFactory property and verify that the value of this property matches your custom TokenFactory implementation.

  4. Verify that your implementation classes are placed in the classes directory under the application server installation directory (install directory/classes) so that the WebSphere class loader can load them.
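The following is an added example, not IBM's code and not an implementation of the com.ibm.wsspi.security.ltpa.TokenFactory or Token interfaces, whose exact signatures you must take from the Javadoc. It shows the create/validate pair such a factory has to provide: createToken signs and encrypts a principal plus expiration, and validateTokenBytes checks the signature in constant time before decrypting and then rejects expired, tampered or foreign-key tokens. The class name ExampleTokenFactory, the method parameters, the choice of AES/GCM with an HMAC-SHA256 signature, and the randomly generated keys in main are all assumptions made for the example; in a real factory the keys would arrive through initialize and must be the same on every server.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/**
 * Illustrative token factory (hypothetical; does NOT implement the WAS
 * com.ibm.wsspi.security.ltpa.TokenFactory interface). Token layout:
 *   iv(12) || AES-GCM ciphertext+tag || HMAC-SHA256(iv || ciphertext)(32)
 */
public final class ExampleTokenFactory {
    private static final int GCM_IV_BYTES = 12;
    private static final int GCM_TAG_BITS = 128;
    private static final int MAC_BYTES = 32;

    private final SecretKeySpec encKey;   // AES key, 16 bytes for AES-128
    private final SecretKeySpec macKey;   // HMAC-SHA256 key
    private final SecureRandom rng = new SecureRandom();

    // Plays the role of TokenFactory.initialize(): keys are supplied, never generated
    // here, because every server that validates tokens must hold the same keys.
    public ExampleTokenFactory(byte[] aesKey, byte[] hmacKey) {
        this.encKey = new SecretKeySpec(aesKey, "AES");
        this.macKey = new SecretKeySpec(hmacKey, "HmacSHA256");
    }

    /** Encrypts "principal%expiration" under a fresh IV and appends the signature. */
    public byte[] createToken(String principal, long expirationMillis) throws GeneralSecurityException {
        byte[] plain = (principal + "%" + expirationMillis).getBytes(StandardCharsets.UTF_8);
        byte[] iv = new byte[GCM_IV_BYTES];
        rng.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, encKey, new GCMParameterSpec(GCM_TAG_BITS, iv));
        byte[] ct = c.doFinal(plain);
        byte[] body = ByteBuffer.allocate(iv.length + ct.length).put(iv).put(ct).array();
        byte[] mac = hmac(body);
        return ByteBuffer.allocate(body.length + mac.length).put(body).put(mac).array();
    }

    /** Returns the principal, or null if the signature, ciphertext or expiration is bad. */
    public String validateTokenBytes(byte[] token, long nowMillis) {
        if (token == null || token.length < GCM_IV_BYTES + MAC_BYTES + 1) return null;
        byte[] body = Arrays.copyOfRange(token, 0, token.length - MAC_BYTES);
        byte[] mac = Arrays.copyOfRange(token, token.length - MAC_BYTES, token.length);
        try {
            // Verify the signature first, in constant time, before touching the ciphertext.
            if (!MessageDigest.isEqual(hmac(body), mac)) return null;
            byte[] iv = Arrays.copyOfRange(body, 0, GCM_IV_BYTES);
            byte[] ct = Arrays.copyOfRange(body, GCM_IV_BYTES, body.length);
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, encKey, new GCMParameterSpec(GCM_TAG_BITS, iv));
            String plain = new String(c.doFinal(ct), StandardCharsets.UTF_8);
            int sep = plain.lastIndexOf('%');
            if (sep < 0) return null;
            long exp = Long.parseLong(plain.substring(sep + 1));
            if (nowMillis >= exp) return null;          // expired
            return plain.substring(0, sep);
        } catch (GeneralSecurityException | NumberFormatException e) {
            return null;  // wrong key, tampered bytes, or malformed payload
        }
    }

    private byte[] hmac(byte[] data) throws GeneralSecurityException {
        Mac m = Mac.getInstance("HmacSHA256");
        m.init(macKey);
        return m.doFinal(data);
    }

    public static void main(String[] args) throws Exception {
        // Constructed keys for the demonstration only; a real factory receives them via initialize.
        byte[] aesKey = new byte[16], hmacKey = new byte[32], otherHmacKey = new byte[32];
        SecureRandom r = new SecureRandom();
        r.nextBytes(aesKey); r.nextBytes(hmacKey); r.nextBytes(otherHmacKey);

        ExampleTokenFactory server1 = new ExampleTokenFactory(aesKey, hmacKey);
        ExampleTokenFactory server2 = new ExampleTokenFactory(aesKey, hmacKey);       // same keys
        ExampleTokenFactory server3 = new ExampleTokenFactory(aesKey, otherHmacKey);  // different signing key
        long now = System.currentTimeMillis();
        byte[] tok = server1.createToken("user1", now + 2L * 60 * 60 * 1000);

        System.out.println("same keys : " + server2.validateTokenBytes(tok, now));
        System.out.println("other key : " + server3.validateTokenBytes(tok, now));
        System.out.println("expired   : " + server2.validateTokenBytes(tok, now + 3L * 60 * 60 * 1000));
        tok[tok.length - 1] ^= 0x01;                                                  // flip one signature bit
        System.out.println("tampered  : " + server2.validateTokenBytes(tok, now));
    }
}
```

The second server, holding the same keys, accepts the token; the server with a different signing key, the expired check and the bit-flipped token all return null, which is the behaviour the shared-key requirement above is describing. A real implementation returns a Token object from validateTokenBytes rather than a principal string, and takes its keys and failure semantics from the TokenFactory Javadoc.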



Related Tasks


Implementing a custom AuthenticationToken