PRNG:
Certain versions of application containers, such as IBM WebSphere, do not include the SUN SecureRandom provider that the application uses by default. The solution could try to fall back intelligently to the default providers or algorithms. Listing the configurations available in the current environment would also be helpful.
Accepted HTTP methods:
The protected and unprotected HTTP methods should be validated so that they contain no invalid values.
Token length:
A minimum token length should be enforced.
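
One way to implement the three checks above at startup, as an added example that is not the project's own code. The class and method names, the 32-character minimum, the list of known methods, and the sample `SHA1PRNG`/`SUN` setting are assumptions chosen for illustration.

```java
import java.security.*;
import java.util.*;

public class ConfigChecks {
    // Assumed values for this example; the page does not specify them.
    static final int MIN_TOKEN_LENGTH = 32;
    static final Set<String> KNOWN_METHODS = Set.of(
        "GET", "HEAD", "POST", "PUT", "DELETE", "PATCH", "OPTIONS", "TRACE", "CONNECT");

    // Lists every SecureRandom implementation registered in this JVM as "algorithm/provider".
    static List<String> availableSecureRandoms() {
        List<String> found = new ArrayList<>();
        for (Provider p : Security.getProviders())
            for (Provider.Service s : p.getServices())
                if ("SecureRandom".equals(s.getType()))
                    found.add(s.getAlgorithm() + "/" + p.getName());
        return found;
    }

    // Uses the configured algorithm and provider if present, otherwise the platform default.
    static SecureRandom resolvePrng(String algorithm, String provider) {
        try {
            return SecureRandom.getInstance(algorithm, provider);
        } catch (NoSuchAlgorithmException | NoSuchProviderException e) {
            System.err.println("PRNG " + algorithm + "/" + provider
                + " unavailable, using default. Available: " + availableSecureRandoms());
            return new SecureRandom();
        }
    }

    // Rejects any configured method name that is not a known HTTP method.
    static void validateMethods(String listName, Collection<String> methods) {
        for (String m : methods)
            if (!KNOWN_METHODS.contains(m.trim().toUpperCase(Locale.ROOT)))
                throw new IllegalArgumentException(listName + " has invalid HTTP method: " + m);
    }

    // Enforces the minimum token length.
    static void validateTokenLength(int length) {
        if (length < MIN_TOKEN_LENGTH)
            throw new IllegalArgumentException("Token length " + length + " < " + MIN_TOKEN_LENGTH);
    }

    public static void main(String[] args) {
        SecureRandom prng = resolvePrng("SHA1PRNG", "SUN"); // sample configured values
        System.out.println("Using " + prng.getAlgorithm() + " from " + prng.getProvider().getName());
        validateMethods("protected", List.of("POST", "PUT", "DELETE"));
        validateTokenLength(32);
        try { validateMethods("unprotected", List.of("GET", "FETCH")); } // "FETCH" is invalid
        catch (IllegalArgumentException e) { System.out.println("Rejected: " + e.getMessage()); }
    }
}
```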