Do not use the default authentication token in service provider code. This default token is used by the WebSphere® Application Server run-time code only and is authentication mechanism specific.
Changing the token factory that is associated with the default authentication token
When WebSphere Application Server generates a default authentication token, the application server uses the TokenFactory class that is specified by the com.ibm.wsspi.security.token.authenticationTokenFactory property. To modify this property using the administrative console, complete the following steps:
- Click Security > Global security.
- Under Additional properties, click Custom properties.
The com.ibm.ws.security.ltpa.LTPATokenFactory token factory is the default for this property. The LTPATokenFactory token factory uses the DESede/ECB/PKCS5Padding cipher. This token factory creates an interoperable Lightweight Third Party Authentication (LTPA) token. If you change this token factory, you lose interoperability with any servers running a version of WebSphere Application Server prior to Version 5.1.1 and with any other servers that do not support the new token factory implementation. However, if all of your application servers use WebSphere Application Server Version 5.1.1 or later and all of your servers use your new token factory, this interoperability is not a problem.
If you associate the com.ibm.ws.security.ltpa.LTPAToken2Factory token factory with the com.ibm.wsspi.security.token.authenticationTokenFactory property, the token is Advanced Encryption Standard (AES) encrypted. However, you need to weigh the performance against your security needs. You might add additional attributes to the authentication token in the Subject during a login that are available downstream.
If you need to perform your own signing and encryption of the default authentication token, you must implement the following classes:
- com.ibm.wsspi.security.ltpa.Token
- com.ibm.wsspi.security.ltpa.TokenFactory
Your token factory implementation instantiates (createToken) and validates (validateTokenBytes) your token implementation. You can use the LTPA keys that are passed into the initialize method of the token factory or you can use your own keys. If you use your own keys, they must be the same everywhere to validate the tokens that are generated using those keys. See the API documentation, available through a link on the front page of the information center, for more information on implementing your own custom token factory. To associate your token factory with the default authentication token using the administrative console, complete the following steps:
- Click Security > Global security.
- Under Additional properties, click Custom properties.
- Locate the com.ibm.wsspi.security.token.authenticationTokenFactory property and verify that the value of this property matches your custom token factory implementation.
- Verify that your implementation classes are put into the install_dir/classes directory so that the WebSphere Application Server class loader can load the classes.
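The create/validate contract described above, as an added stand-alone illustration rather than WebSphere code: this class does not implement the com.ibm.wsspi.security.ltpa interfaces, it only mirrors what a custom factory's initialize, createToken and validateTokenBytes must achieve. The AES/GCM cipher, the token layout (IV, then encrypted expiry and principal) and the class and method names are this example's own assumptions; it shows that a second factory built from the same key accepts the token while one built from a different key rejects it.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/** Hypothetical factory: encrypts and authenticates a token with AES-GCM (assumed mode). */
public final class DemoTokenFactory {
    private static final int IV_LEN = 12, TAG_BITS = 128;
    private final SecretKeySpec key;   // must be identical on every server that validates tokens
    private final SecureRandom rng = new SecureRandom();

    /** Mirrors initialize(): the factory receives its key material once, up front. */
    public DemoTokenFactory(byte[] keyBytes) { key = new SecretKeySpec(keyBytes, "AES"); }

    /** Mirrors createToken(): expiry and principal are bound together inside one ciphertext. */
    public byte[] createToken(String principal, long expiresMillis) throws GeneralSecurityException {
        byte[] p = principal.getBytes(StandardCharsets.UTF_8);
        ByteBuffer plain = ByteBuffer.allocate(8 + p.length).putLong(expiresMillis).put(p);
        byte[] iv = new byte[IV_LEN];
        rng.nextBytes(iv);                                    // fresh IV per token
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(plain.array());
        return ByteBuffer.allocate(IV_LEN + ct.length).put(iv).put(ct).array();
    }

    /** Mirrors validateTokenBytes(): returns the principal, or null if tampered, expired or wrong key. */
    public String validateTokenBytes(byte[] token, long nowMillis) {
        if (token == null || token.length <= IV_LEN + TAG_BITS / 8) return null;
        try {
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, token, 0, IV_LEN));
            ByteBuffer plain = ByteBuffer.wrap(c.doFinal(token, IV_LEN, token.length - IV_LEN));
            if (nowMillis >= plain.getLong()) return null;    // expired token is rejected
            byte[] p = new byte[plain.remaining()];
            plain.get(p);
            return new String(p, StandardCharsets.UTF_8);
        } catch (GeneralSecurityException e) {                // bad tag: tampered or wrong key
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] shared = new byte[16], other = new byte[16];   // constructed demo keys
        new SecureRandom().nextBytes(shared);
        new SecureRandom().nextBytes(other);
        byte[] t = new DemoTokenFactory(shared).createToken("user1", System.currentTimeMillis() + 60_000);
        System.out.println(new DemoTokenFactory(shared).validateTokenBytes(t, System.currentTimeMillis()));
        System.out.println(new DemoTokenFactory(other).validateTokenBytes(t, System.currentTimeMillis()));
    }
}
```

The first line printed is user1 and the second is null, which is the "keys must be the same everywhere" requirement made visible.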
Verify that the QEJBSVR user profile has read, write, and execute (*RWX) authority to the classes directory. You can use the Work with Authority (WRKAUT) command to view the authority permissions for that directory.