Impersonation Prevention Using the checkImpersonation Property

Administrators can set the checkImpersonation property associated with the security configuration to "false" to allow authentication to succeed when, in token-based authentication, the user name presented cannot be matched against any of the user names validated by the login modules.

The checkImpersonation property applies when no custom login module is available that maps the token to a user name and adds a principal with that user name. In token-based authentication, even though a valid token may be presented to Unwired Platform, the token may not be associated with the user indicated by the presented user name. To prevent such an authentication from succeeding, the checkImpersonation property is set to true by default.

When an unauthenticated request is received by Unwired Platform (from a device or a DCN request), it may contain a token (in an HTTP header or cookie) that should be validated to authenticate the user. In some cases a user name can be extracted from the token. Unwired Platform then matches the specified user name against the names of the public Principals added by the login modules; it must match at least one of them. If the user name cannot be extracted from the token as part of the validation, the specified user name is not added as a principal.

In certain situations, it may not be possible for the token validation server to return the user name embedded in the token. In these situations, a custom login module that maps the token to a user name and adds a principal with that user name may be used. If no such custom login module is available, the administrator can instead allow authentication to succeed even when the user name presented cannot be matched against any of the user names validated by the configured login modules. To allow this authentication, set the checkImpersonation property associated with the security configuration to false.
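The decision described above, as an added example that is not Unwired Platform's own code: login modules are modelled as functions that validate a token and return the public principal names they add, the token validation server is a constructed dictionary, and every name, token and function here (`token_login_module`, `custom_mapping_login_module`, `authenticate`, the `tok-*` values) is an assumption made for illustration. It shows why the default of true blocks a request that pairs a valid token with a different user name, how a custom mapping module restores authentication for opaque tokens, and what is given up by setting the property to false.

```python
# Added example, not Unwired Platform code: a model of the checkImpersonation
# decision. All names, tokens and modules below are constructed assumptions.
from typing import Callable, Dict, List, Optional, Set, Tuple

# Constructed token store: token -> user name the token is bound to.
# None models a validation server that accepts the token but cannot
# return the user name embedded in it.
TOKEN_STORE: Dict[str, Optional[str]] = {
    "tok-alice": "alice",
    "tok-opaque": None,
}

# Constructed side table that a custom login module might consult to map
# an opaque token to its user.
CUSTOM_TOKEN_MAP: Dict[str, str] = {"tok-opaque": "alice"}


class InvalidToken(Exception):
    """Raised when the (modelled) validation server rejects a token."""


def token_login_module(token: str) -> Set[str]:
    """Standard module: validate the token and add the embedded user name as a
    public principal when the server returns one; otherwise add nothing."""
    if token not in TOKEN_STORE:
        raise InvalidToken(token)
    name = TOKEN_STORE[token]
    return {name} if name else set()


def custom_mapping_login_module(token: str) -> Set[str]:
    """Hypothetical custom module: map the token to a user name and add a
    principal with that name, the approach the text recommends when the
    validation server cannot return the name itself."""
    if token not in TOKEN_STORE:
        raise InvalidToken(token)
    name = CUSTOM_TOKEN_MAP.get(token)
    return {name} if name else set()


def authenticate(login_modules: List[Callable[[str], Set[str]]],
                 presented_user: str, token: str,
                 check_impersonation: bool = True) -> Tuple[bool, str]:
    """Decide whether the request authenticates. check_impersonation=True is
    the platform default: the presented user name must match a public
    principal added by at least one login module."""
    principals: Set[str] = set()
    for module in login_modules:
        try:
            principals |= module(token)
        except InvalidToken:
            return False, "token validation failed"
    if presented_user in principals:
        return True, "user name matches a validated principal"
    if check_impersonation:
        return False, "user name matches no validated principal (impersonation check)"
    # checkImpersonation=false: a valid token alone suffices, so the request
    # is authenticated as whatever user name it presented.
    return True, "accepted without principal match (checkImpersonation=false)"


if __name__ == "__main__":
    default = [token_login_module]
    with_custom = [token_login_module, custom_mapping_login_module]
    print(authenticate(default, "alice", "tok-alice"))
    print(authenticate(default, "bob", "tok-alice"))         # blocked by the default
    print(authenticate(default, "alice", "tok-opaque"))      # blocked: no name recovered
    print(authenticate(with_custom, "alice", "tok-opaque"))  # custom module restores it
    print(authenticate(default, "bob", "tok-opaque", check_impersonation=False))
```

The last call is the trade-off the property controls: with checkImpersonation set to false the valid opaque token authenticates the request as "bob" even though nothing ties that token to bob, so prefer the custom mapping module where one can be written and treat false as a relaxation to be audited.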