Do not use the default SingleSignonToken in service provider code.
This default token is used only by the WebSphere Application Server run-time
code, and there are size limitations on this token when it is added as an
HTTP cookie. If you need to create an HTTP cookie using this token framework,
implement a custom SingleSignonToken instead; see Implementing a custom
SingleSignonToken for details.
Changing the TokenFactory associated with the default SingleSignonToken
When the default SingleSignonToken is generated, the application server uses
the TokenFactory class that is specified by the
com.ibm.wsspi.security.token.singleSignonTokenFactory custom property. To view
or modify this property using the administrative console, complete the
following steps:
- Click Security > Global Security.
- Under Additional properties, click Custom properties.
- Locate the com.ibm.wsspi.security.token.singleSignonTokenFactory property
and edit its value.
The default TokenFactory specified for this property is
com.ibm.ws.security.ltpa.LTPAToken2Factory. This token factory creates an SSO
token called LtpaToken2, which WebSphere Application Server uses for security
attribute propagation, and it uses the AES/CBC/PKCS5Padding cipher. If you
change this TokenFactory, you lose interoperability with any servers running
a version of WebSphere Application Server prior to Version 5.1.1 that use the
default TokenFactory: only servers running Version 5.1.1 or later with
propagation enabled recognize the LtpaToken2 cookie. This is not a problem if
all of your application servers run Version 5.1.1 or later and all of them
use your new TokenFactory.
If you need to perform your own signing and encryption of the default
SingleSignonToken, you must implement the following SPI interfaces:
- com.ibm.wsspi.security.ltpa.Token
- com.ibm.wsspi.security.ltpa.TokenFactory
Your TokenFactory implementation instantiates (createToken) and validates
(validateTokenBytes) your Token implementation. You can use the LTPA keys
that are passed into the initialize method of the TokenFactory, or you can
use your own keys. If you use your own keys, the same keys must be present on
every server in the single sign-on domain; a token arrives at a server as
opaque bytes, so a server holding different keys cannot validate tokens that
were generated elsewhere. See the Javadoc, available through a link on the
front page of the information center, for the exact method signatures of
these interfaces. To associate your TokenFactory with the default
SingleSignonToken using the administrative console, complete the following
steps:
- Click Security > Global Security.
- Under Additional properties, click Custom properties.
- Locate the com.ibm.wsspi.security.token.singleSignonTokenFactory property
and verify that its value is the fully qualified class name of your custom
TokenFactory implementation.
- Verify that your implementation classes are placed in the classes directory
under the WebSphere Application Server installation directory so that the
WebSphere class loader can load them.
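The page names the two SPI interfaces and the three methods but shows no implementation. The following is an added example, written for this page; it is not IBM code and not the shipping LTPAToken2Factory. It is a TokenFactory that does its own AES/CBC/PKCS5Padding encryption plus HMAC-SHA256 signing (encrypt-then-MAC, MAC checked before decryption so a tampered cookie never reaches the cipher), deriving both keys from an assumed custom property named example.sso.secret rather than from the LTPA keys passed into initialize. The property name, the "user" entry expected in tokenData, the two-hour lifetime, and the exact interface method signatures (written from the TokenFactory and Token Javadoc as remembered; verify them against the Javadoc as the page directs) are assumptions. The class name, ExampleSsoTokenFactory, is what you would set as the value of com.ibm.wsspi.security.token.singleSignonTokenFactory, and the compiled class must be on the server class path as described in the steps above.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Properties;
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import com.ibm.wsspi.security.ltpa.Token;
import com.ibm.wsspi.security.ltpa.TokenFactory;

// Example custom TokenFactory (not IBM code). Token bytes = IV || AES-CBC ciphertext || HMAC-SHA256.
public class ExampleSsoTokenFactory implements TokenFactory {
    private static final String SECRET_PROP = "example.sso.secret"; // assumed custom property name
    private static final long LIFETIME_MS = 2L * 60 * 60 * 1000;    // assumed two-hour token lifetime
    private static final int IV_LEN = 16, MAC_LEN = 32;

    private final SecureRandom rng = new SecureRandom();
    private SecretKeySpec encKey, macKey;

    // The server calls this once with the LTPA key properties. This example ignores those
    // and derives separate encryption and MAC keys from its own shared secret, which
    // therefore must be identical on every server that validates these tokens.
    public void initialize(Properties props) {
        String secret = props.getProperty(SECRET_PROP);
        if (secret == null) throw new IllegalStateException(SECRET_PROP + " is not configured");
        encKey = new SecretKeySpec(Arrays.copyOf(sha256("enc:" + secret), 16), "AES");
        macKey = new SecretKeySpec(sha256("mac:" + secret), "HmacSHA256");
    }

    // tokenData is assumed to carry the authenticated user under the key "user".
    public Token createToken(Properties tokenData) {
        String user = tokenData.getProperty("user");
        if (user == null || user.indexOf('\n') >= 0) throw new IllegalArgumentException("invalid user");
        long exp = System.currentTimeMillis() + LIFETIME_MS;
        byte[] plain = (user + "\n" + exp).getBytes(StandardCharsets.UTF_8); // keep payload small: it becomes a cookie
        try {
            byte[] iv = new byte[IV_LEN];
            rng.nextBytes(iv);
            Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
            c.init(Cipher.ENCRYPT_MODE, encKey, new IvParameterSpec(iv));
            byte[] ct = c.doFinal(plain);
            byte[] out = ByteBuffer.allocate(IV_LEN + ct.length + MAC_LEN).put(iv).put(ct).put(hmac(iv, ct)).array();
            return new ExampleSsoToken(user, exp, out);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("token creation failed", e);
        }
    }

    // Verify the MAC over IV || ciphertext first, then decrypt, then check expiry.
    public Token validateTokenBytes(byte[] bytes) {
        if (bytes == null || bytes.length < IV_LEN + 16 + MAC_LEN) throw new SecurityException("malformed token");
        byte[] iv = Arrays.copyOfRange(bytes, 0, IV_LEN);
        byte[] ct = Arrays.copyOfRange(bytes, IV_LEN, bytes.length - MAC_LEN);
        byte[] mac = Arrays.copyOfRange(bytes, bytes.length - MAC_LEN, bytes.length);
        if (!MessageDigest.isEqual(mac, hmac(iv, ct))) throw new SecurityException("token MAC mismatch"); // constant-time compare
        try {
            Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
            c.init(Cipher.DECRYPT_MODE, encKey, new IvParameterSpec(iv));
            String[] fields = new String(c.doFinal(ct), StandardCharsets.UTF_8).split("\n", 2);
            long exp = Long.parseLong(fields[1]);
            if (System.currentTimeMillis() >= exp) throw new SecurityException("token expired");
            return new ExampleSsoToken(fields[0], exp, bytes);
        } catch (GeneralSecurityException e) {
            throw new SecurityException("token decryption failed", e);
        }
    }

    private byte[] hmac(byte[] iv, byte[] ct) {
        try {
            Mac m = Mac.getInstance("HmacSHA256");
            m.init(macKey);
            m.update(iv);
            return m.doFinal(ct);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    private static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    // Minimal immutable Token; the method set is assumed from the Token Javadoc.
    static final class ExampleSsoToken implements Token {
        private final String user;
        private final long exp;
        private final byte[] bytes;
        ExampleSsoToken(String user, long exp, byte[] bytes) { this.user = user; this.exp = exp; this.bytes = bytes; }
        public byte[] getBytes() { return bytes.clone(); }
        public long getExpiration() { return exp; }
        public boolean isValid() { return System.currentTimeMillis() < exp; }
        public String[] getAttributeNames() { return new String[] { "user" }; }
        public String[] getAttributes(String key) { return "user".equals(key) ? new String[] { user } : null; }
        public String[] addAttribute(String key, String value) { throw new UnsupportedOperationException("token is immutable"); }
        public Object clone() { return new ExampleSsoToken(user, exp, bytes); }
    }
}
```

Two design points worth noting: the MAC is verified before any decryption so a modified cookie is rejected without giving the caller a padding oracle, and the "user\nexpiry" payload is deliberately short, since WebSphere places the resulting bytes into an HTTP cookie and the page warns that cookie size is limited. A server whose example.sso.secret differs from the issuing server's will reject the token at the MAC check, which is the concrete form of the page's rule that your own keys must be the same everywhere.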