Project Zero Developer’s Guide
Security tokens

Project Zero authentication provides pluggable token support for various types of tokens. By default, Project Zero provides simple session based authentication. In addition to session based tracking of user login, Project Zero provides LTPAToken2 support that is compatible with what is included in WebSphere Application Server 6.1. The following sections of this article describe the tokens that are supported and how that support is provided.

For additional details regarding LTPA tokens, see the LTPA (Lightweight Third Party Authentication) article in the IBM Information Center.

Simple token support

By default, Project Zero uses a token based on a session and cookie combination for storing user credentials with the limitation of the token being scoped to a single application.

LTPAToken2 support

Advanced topic: use of LTPA (Lightweight Third Party Authentication) tokens is considered an advanced topic and should not be required for most applications.

Another type of token support is LTPAToken2 support. To enable single sign on token sharing across applications or across servers, LTPAToken2 is required. The following configuration example demonstrates how to configure LTPAToken2 support:

# LTPAToken2 support
@include "security/token/ltpa2.config" {
    "keyImportFile": "ltpakeys.txt",
    "keyPassword": "<xor>keypass",
    "ssoDomains": ["projectzero.org"]
}

The settings should contain the following information:

keyImportFile (required)
The relative path of the LTPA key import file from the configuration folder of the application. The file is exported by WebSphere Application Server. To learn how to export the LTPA keys, see the Exporting Lightweight Third Party Authentication keys article in the IBM Information Center.
keyPassword (required) (xor supported)
The password to extract the LTPA keys from the LTPA key import file.
tokenExpiration (optional)
The expiration limit of the LTPAToken2 in minutes. The default value is 120 minutes.
ssoDomains (optional)
A list of candidate values for the LTPA token cookie domain. Each element in the list is matched against the server name obtained from the request (GlobalContext.zget(Request.serverName)). If the server name obtained from the GlobalContext ends with a value from the list of ssoDomains, the cookie is created with that domain (first match wins). The default value for the domain is null.

Default configuration for token support

The cookie that is generated for tokens is scheme specific for SSL based authentication. If the authenticating request is SSL based, the cookie is created with the secure option enabled. If authentication is not SSL based, the cookie is created with the secure option set to false. If authentication was performed for a resource that is not SSL protected, the resulting cookie can therefore be used for both SSL and non-SSL requests.

The following example shows the default configuration (enabled by default and requiring no additional configuration) used for simple token support:

/config/security/token/tokenType="Simple"
/config/security/token/securedCookie=false

If Project Zero cannot determine that the client request was actually SSL based (for example, a proxy rewrote the request from secured to unsecured after it passed through the firewall), you can override the default value for whether the cookie should be secure. To do this, add the following entry to the application zero.config:

/config/security/token/securedCookie=true

This creates a secured cookie that would only be sent for SSL based requests.
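The following is an added example, not Project Zero's own code: a small Python model of the cookie rules described above (the Secure flag derived from the request scheme or the securedCookie override, and the first-match ssoDomains suffix rule for LTPAToken2). The configuration field names mirror the zero.config keys; the server name argument stands in for GlobalContext.zget(Request.serverName).

```python
# Added example modelling the documented token-cookie rules; the runtime's
# real implementation is not shown on the page, so this is an assumption.
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class TokenConfig:
    tokenType: str = "Simple"        # /config/security/token/tokenType
    securedCookie: bool = False      # /config/security/token/securedCookie
    tokenExpiration: int = 120       # LTPAToken2 lifetime in minutes (default 120)
    ssoDomains: List[str] = field(default_factory=list)  # LTPAToken2 cookie-domain candidates


def select_sso_domain(server_name: str, sso_domains: List[str]) -> Optional[str]:
    """Return the first ssoDomains entry that server_name ends with; None if no entry matches."""
    for domain in sso_domains:
        if server_name.endswith(domain):
            return domain          # first match wins
    return None


def cookie_attributes(cfg: TokenConfig, request_is_ssl: bool, server_name: str) -> dict:
    """Attributes the token cookie would be issued with for one authenticating request."""
    # Secure when the request arrived over SSL, or when securedCookie=true forces it
    # because a proxy may have rewritten the scheme before the request reached the app.
    secure = request_is_ssl or cfg.securedCookie
    attrs = {"secure": secure, "domain": None, "maxAgeMinutes": None}
    if cfg.tokenType == "LTPAToken2":
        attrs["domain"] = select_sso_domain(server_name, cfg.ssoDomains)
        attrs["maxAgeMinutes"] = cfg.tokenExpiration
    return attrs


if __name__ == "__main__":
    # Default simple-token configuration, authenticated over plain HTTP.
    print(cookie_attributes(TokenConfig(), False, "app.projectzero.org"))
    # LTPAToken2 behind a TLS-terminating proxy: the app sees a non-SSL request,
    # but securedCookie=true keeps the cookie Secure, and the ssoDomains entry
    # gives it the shared domain.
    forced = TokenConfig(tokenType="LTPAToken2", securedCookie=True,
                         ssoDomains=["projectzero.org"])
    print(cookie_attributes(forced, False, "app.projectzero.org"))
```

Note that the match is a literal string suffix, so the entry "projectzero.org" also matches a server name such as "app.projectzero.org" through its subdomain, exactly as the ssoDomains description states.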

Best practices for token support

The recommended configuration for secured applications is to enable SSL for all secured resources, including the login page. This provides the most secured environment for sending information related to authentication (credentials and tokens) between the client and server. See the Requiring SSL information in the Security considerations article for more information about requiring SSL for accessing resources.

r13 - 06 Feb 2008 - 16:58:27 - paynel