Security Token Persistence in WSO2 Identity Server 5.1.0

When we apply a security policy to the Security Token Service, a token store is also specified in the policy. If we navigate to the registry path /_system/config/repository/axis2/service-groups/org.wso2.carbon.sts-5.0.7/services/wso2carbon-sts/policies/ and view the content of the applied policy, the token store details are included as follows:

<rampart:tokenStoreClass>org.wso2.carbon.identity.sts.store.DBTokenStore</rampart:tokenStoreClass>

The token store class is picked from the following property in the carbon.xml file:

<TokenStoreClassName>org.wso2.carbon.identity.sts.store.DBTokenStore</TokenStoreClassName>

However, the default DBTokenStore is an in-memory token store (regardless of what the name implies). Therefore, if a large number of users obtain security tokens, the token store will retain a significant amount of JVM heap over time. Also, the issued tokens become invalid after a server restart, since the in-memory store is lost.

If required, we can change the token store to a DB-based one. To do so, change the TokenStoreClassName in carbon.xml as follows:

<TokenStoreClassName>org.wso2.carbon.identity.sts.store.JDBCTokenStore</TokenStoreClassName>

After making the change, restart the server and re-apply the security policy to the Security Token Service. The tokens will then be persisted in the IDN_STS_STORE table.
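As an added example (not part of the original post or of WSO2's own code), the script below audits a carbon.xml document for the TokenStoreClassName setting and classifies it using the two class names given above, so that a deployment still running the in-memory DBTokenStore can be flagged before it causes heap growth or token loss on restart. The sample carbon.xml fragments are constructed here; the carbon.xml namespace and the placement of the element under <Security> are assumptions, which is why the lookup matches on local element name anywhere in the tree rather than on a fixed path.

```python
import xml.etree.ElementTree as ET

# Class names as given in the post.
IN_MEMORY_STORE = "org.wso2.carbon.identity.sts.store.DBTokenStore"
JDBC_STORE = "org.wso2.carbon.identity.sts.store.JDBCTokenStore"

# Constructed sample carbon.xml fragments (not copied from a real deployment).
# The namespace and the <Security> parent element are assumptions.
SAMPLE_DEFAULT = """<Server xmlns="http://wso2.org/projects/carbon/carbon.xml">
  <Security>
    <TokenStoreClassName>org.wso2.carbon.identity.sts.store.DBTokenStore</TokenStoreClassName>
  </Security>
</Server>"""

SAMPLE_PERSISTENT = """<Server xmlns="http://wso2.org/projects/carbon/carbon.xml">
  <Security>
    <TokenStoreClassName>org.wso2.carbon.identity.sts.store.JDBCTokenStore</TokenStoreClassName>
  </Security>
</Server>"""

SAMPLE_MISSING = """<Server xmlns="http://wso2.org/projects/carbon/carbon.xml">
  <Security/>
</Server>"""


def local_name(tag: str) -> str:
    """Strip an ElementTree '{namespace}' prefix so matching ignores the namespace."""
    return tag.rsplit("}", 1)[-1]


def find_token_store_class(carbon_xml: str):
    """Return the configured TokenStoreClassName, or None if absent or empty."""
    root = ET.fromstring(carbon_xml)
    for element in root.iter():
        if local_name(element.tag) == "TokenStoreClassName":
            value = (element.text or "").strip()
            return value or None
    return None


def audit_token_store(carbon_xml: str) -> dict:
    """Classify the token store setting and explain the operational consequence."""
    cls = find_token_store_class(carbon_xml)
    if cls is None:
        return {"class": None, "persistent": None,
                "finding": "TokenStoreClassName not set; verify the effective default"}
    if cls == IN_MEMORY_STORE:
        return {"class": cls, "persistent": False,
                "finding": "in-memory store: heap grows with issued tokens and "
                           "all tokens are invalidated by a restart"}
    if cls == JDBC_STORE:
        return {"class": cls, "persistent": True,
                "finding": "JDBC store: tokens persisted in IDN_STS_STORE"}
    return {"class": cls, "persistent": None,
            "finding": "custom token store class; review its implementation"}


def audit_file(path: str) -> dict:
    """Convenience wrapper for a real carbon.xml on disk (path is caller-supplied)."""
    with open(path, encoding="utf-8") as handle:
        return audit_token_store(handle.read())


if __name__ == "__main__":
    for label, sample in (("default", SAMPLE_DEFAULT),
                          ("persistent", SAMPLE_PERSISTENT),
                          ("missing", SAMPLE_MISSING)):
        print(label, audit_token_store(sample))
```

Run it against a live instance with audit_file("<IS_HOME>/repository/conf/carbon.xml"); a result with persistent set to False is the case described above, where the in-memory store should be switched to JDBCTokenStore and the security policy re-applied.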
