Enabling JSON Web Token single sign-on authentication
Modify the server.xml configuration file found in your DBB server installation folder at wlp/usr/servers/dbb/server.xml to add the JSON Web Token (JWT) single sign-on authentication feature under the <featureManager> tag:
<feature>jwtSso-1.0</feature>
By default, single sign-on is disabled. Find the following line in your configuration file:
<webAppSecurity ssoRequiresSSL="true" singleSignonEnabled="false"/>
And change it to the following:
<webAppSecurity ssoRequiresSSL="true" singleSignonEnabled="true"/>
To tighten security by mitigating cross-site request forgery (CSRF), it is highly recommended that you also include the following line:
<webAppSecurity sameSiteCookie="Strict"/>
These changes are sufficient to enable JWT single sign-on authentication on the DBB server. To configure settings such as the token expiration time, see the explanations below.
Note: Enabling JWT single sign-on does not disable basic authentication for commands on the server; the toolkit can still interface with the server without using JWTs.
Configuring JWT single sign-on authentication
Some JWT single sign-on options are customizable on the server side. See Configuring a JSON Web Token as a Single-Sign-On cookie in the IBM WebSphere® Liberty documentation for the full set of options.
For example, you can change the expiration time on your tokens with the following additions to your server.xml:
<!-- JWT single sign-on configuration. -->
<jwtSso cookieName="JWT" jwtBuilderRef="defaultJwtSso"/>
<jwtBuilder id="defaultJwtSso" expiresInSeconds="1800"/>
You can change the expiresInSeconds value to whatever you need.
Important: The cookie key name must stay "JWT" for the tokens to be recognized by the toolkit.
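As an added check that is not part of the DBB documentation, the following Python script inspects the Set-Cookie header the server returns after a login and reports anything that diverges from the configuration above: a cookie named JWT, the Secure flag (ssoRequiresSSL), SameSite=Strict (sameSiteCookie), and a token lifetime equal to expiresInSeconds. The sample header and token are constructed for illustration; the script reads the claims only and does not verify the token signature.

```python
import base64
import json
from http.cookies import SimpleCookie

# Values taken from the server.xml settings above.
EXPECTED_LIFETIME = 1800   # <jwtBuilder expiresInSeconds="1800"/>
EXPECTED_COOKIE = "JWT"    # <jwtSso cookieName="JWT"/>, required by the toolkit


def _b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment as used in compact JWTs."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT. Signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_sso_cookie(set_cookie_header: str) -> list:
    """Return findings for one Set-Cookie header; an empty list means all checks passed."""
    cookie = SimpleCookie()
    cookie.load(set_cookie_header)
    if EXPECTED_COOKIE not in cookie:
        return [f"no cookie named {EXPECTED_COOKIE!r} in Set-Cookie"]
    morsel = cookie[EXPECTED_COOKIE]
    findings = []
    if not morsel["secure"]:
        findings.append("missing Secure attribute (ssoRequiresSSL)")
    if not morsel["httponly"]:
        findings.append("missing HttpOnly attribute")
    if morsel["samesite"].lower() != "strict":
        findings.append("SameSite is not Strict (sameSiteCookie)")
    claims = jwt_claims(morsel.value)
    lifetime = claims.get("exp", 0) - claims.get("iat", 0)
    if lifetime != EXPECTED_LIFETIME:
        findings.append(f"token lifetime {lifetime}s != expiresInSeconds {EXPECTED_LIFETIME}")
    return findings


def make_sample_cookie(iat: int, lifetime: int, samesite: str = "Strict") -> str:
    """Constructed sample header with an unsigned token (not a real Liberty token)."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({"iat": iat, "exp": iat + lifetime}).encode())
    return f"JWT={header}.{payload}.dummysig; Path=/; Secure; HttpOnly; SameSite={samesite}"
```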