Do not use the default authentication token in service
provider code. This default token is used by the WebSphere® Application
Server run-time code only, and its format is specific to the configured
authentication mechanism, so code that depends on it breaks when that
mechanism or its token factory changes.
Changing the token factory that is associated with
the default authentication token
When WebSphere Application
Server generates a default authentication token, the application server
utilizes the TokenFactory class that is specified using the com.ibm.wsspi.security.token.authenticationTokenFactory
property. To modify this property using the administrative console,
complete the following steps:
- Click .
- Under Additional properties, click Custom properties.
The com.ibm.ws.security.ltpa.LTPATokenFactory
token factory is the default for this property. It creates an interoperable
Lightweight Third Party Authentication (LTPA) token and protects it with
the DESede/ECB/PKCS5Padding cipher. That is a legacy construction: triple
DES has a 64-bit block, and ECB mode encrypts identical plaintext blocks
to identical ciphertext blocks.
If you associate the com.ibm.ws.security.ltpa.LTPAToken2Factory
token factory with the com.ibm.wsspi.security.token.authenticationTokenFactory
property instead, the token is Advanced Encryption Standard (AES) encrypted.
Weigh the performance cost against your security needs, and confirm that
every other cell or product that must accept your tokens supports the
token format you choose.
During a login you can also add attributes to the authentication token in
the Subject; those attributes travel with the token and are available
downstream.
If
you need to perform your own signing and encryption of the default
authentication token, you must implement the following classes:
- com.ibm.wsspi.security.ltpa.Token
- com.ibm.wsspi.security.ltpa.TokenFactory
Your token factory implementation instantiates (createToken)
and validates (validateTokenBytes) your token implementation. You
can use the LTPA keys that are passed into the initialize method of
the token factory or you can use your own keys. If you use your own
keys, they must be the same everywhere to validate the tokens that
are generated using those keys. See the API documentation, available
through a link on the front page of the information center, for more
information on implementing your own custom token factory. To associate
your token factory with the default authentication token using the
administrative console, complete the following steps:
- Click .
- Under Additional properties, click Custom properties.
- Locate the com.ibm.wsspi.security.token.authenticationTokenFactory
property and verify that the value of this property matches your custom
token factory implementation.
- Verify that your implementation classes are put into the install_dir/classes directory
so that the WebSphere Application Server class loader
can load the classes.
- Verify that the QEJBSVR user profile has read,
write, and execute (*RWX) authority to the classes directory. You
can use the Work with Authority (WRKAUT) command to view the authority
permissions for that directory.
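The following is an added example, not IBM code and not an implementation of the real com.ibm.wsspi.security.ltpa.Token and TokenFactory interfaces (it compiles with a plain JDK, without the WebSphere jars). It shows the shape of the contract described above: an initialize method that receives key material, a createToken method that serialises the principal and expiration and then encrypts-and-authenticates them with AES-GCM, and a validateTokenBytes method that rejects any token sealed under a different key or past its expiration. The class name DemoTokenFactory, the map key "demo.aesKey" and the two-argument validateTokenBytes are illustrative assumptions; when you wrap this in the WebSphere interfaces, use the signatures in the API documentation.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Map;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/*
 * Added example (not IBM code). Mirrors the createToken / validateTokenBytes /
 * initialize contract without implementing the WebSphere interfaces, so it
 * compiles standalone. Class name, map key and method shapes are assumed.
 */
public class DemoTokenFactory {

    private static final int IV_BYTES = 12;   // 96-bit nonce, the recommended GCM size
    private static final int TAG_BITS = 128;  // full-length authentication tag
    private final SecureRandom random = new SecureRandom();
    private SecretKey key;

    /** Mirrors initialize(Map): take the key material the server hands over. */
    public void initialize(Map<String, byte[]> tokenFactoryMap) {
        byte[] raw = tokenFactoryMap.get("demo.aesKey");   // assumed map key, not a WAS property
        if (raw == null || (raw.length != 16 && raw.length != 32)) {
            throw new IllegalArgumentException("need a 128- or 256-bit AES key");
        }
        this.key = new SecretKeySpec(raw, "AES");
    }

    /** Mirrors createToken: serialise expiry + principal, then encrypt and authenticate. */
    public byte[] createToken(String principal, long expirationMillis) throws GeneralSecurityException {
        byte[] body = principal.getBytes(StandardCharsets.UTF_8);
        ByteBuffer plain = ByteBuffer.allocate(8 + body.length).putLong(expirationMillis).put(body);
        byte[] iv = new byte[IV_BYTES];
        random.nextBytes(iv);                             // fresh nonce per token; never reuse under one key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] sealed = c.doFinal(plain.array());         // ciphertext followed by the GCM tag
        return ByteBuffer.allocate(iv.length + sealed.length).put(iv).put(sealed).array();
    }

    /** Mirrors validateTokenBytes: decrypt (which verifies the tag) and check expiry. */
    public String validateTokenBytes(byte[] tokenBytes, long nowMillis) throws GeneralSecurityException {
        if (tokenBytes.length < IV_BYTES + TAG_BITS / 8 + 8) {
            throw new GeneralSecurityException("token too short");
        }
        byte[] iv = Arrays.copyOfRange(tokenBytes, 0, IV_BYTES);
        byte[] sealed = Arrays.copyOfRange(tokenBytes, IV_BYTES, tokenBytes.length);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] plain = c.doFinal(sealed);                 // AEADBadTagException if key or bytes differ
        ByteBuffer buf = ByteBuffer.wrap(plain);
        long expiration = buf.getLong();
        if (nowMillis >= expiration) {
            throw new GeneralSecurityException("token expired");
        }
        byte[] body = new byte[buf.remaining()];
        buf.get(body);
        return new String(body, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        byte[] sharedKey = new byte[32];
        new SecureRandom().nextBytes(sharedKey);          // in a cell: the same key on every node

        DemoTokenFactory nodeA = new DemoTokenFactory();
        nodeA.initialize(Map.of("demo.aesKey", sharedKey));
        long now = System.currentTimeMillis();
        byte[] token = nodeA.createToken("user:alice", now + 2 * 60 * 60 * 1000L);

        // Node B holds the same key, so it validates a token that node A created.
        DemoTokenFactory nodeB = new DemoTokenFactory();
        nodeB.initialize(Map.of("demo.aesKey", sharedKey));
        System.out.println("same key      -> " + nodeB.validateTokenBytes(token, now));

        // Node C was configured with a different key: the token must be rejected, not decoded.
        byte[] otherKey = new byte[32];
        new SecureRandom().nextBytes(otherKey);
        DemoTokenFactory nodeC = new DemoTokenFactory();
        nodeC.initialize(Map.of("demo.aesKey", otherKey));
        try {
            nodeC.validateTokenBytes(token, now);
            System.out.println("different key -> unexpectedly accepted");
        } catch (GeneralSecurityException e) {
            System.out.println("different key -> rejected (" + e.getClass().getSimpleName() + ")");
        }

        // An expired token is rejected even by a node with the right key.
        try {
            nodeB.validateTokenBytes(token, now + 3 * 60 * 60 * 1000L);
        } catch (GeneralSecurityException e) {
            System.out.println("expired       -> rejected");
        }
    }
}
```

Compile and run with `javac DemoTokenFactory.java && java DemoTokenFactory` (Java 9 or later for Map.of). The three runs in main make the page's point concrete: a node that shares the key accepts the token, a node with a different key gets an authentication-tag failure rather than garbage, and expiration is enforced after the tag check so an attacker cannot learn anything from a forged token's contents. AES-GCM is used here because it signs and encrypts in one pass; if you keep the LTPA keys passed into initialize instead of your own, the same "identical keys everywhere" rule still applies.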