Network Deployment (Distributed operating systems), v8.0 > Secure applications and their environment > Authenticate users > Single sign-on for authentication


Use a WAS API to achieve downstream web single sign-on with an LtpaToken2 cookie

We can programmatically perform downstream Single Sign On (SSO) web propagation of a Lightweight Third Party Authentication (LTPA) cookie without the need for an application to store and send user credentials.

WAS provides API support to propagate an LtpaToken2 cookie to downstream web single sign-on applications.

New feature:

Web applications running in mid-tier WebSphere servers might need to propagate LtpaToken2 cookies on downstream web invocations. In this release of WAS, a new API lets application developers perform downstream SSO programmatically, without the application having to store and send user credentials.

Figure 1. Use of the LTPA Cookie API for downstream authentication

This function is a public API of the com.ibm.websphere.security.WSSecurityHelper class, and is defined as follows:

/**
 * Extracts an LTPA sso token from the subject of current
 * thread and builds a ltpa cookie out of it for use on
 * downstream web invocations.
 * When the returned value is not null use Cookie methods
 * getName() and getValue() to set the Cookie header
 * on an http request with header value of
 * Cookie.getName()=Cookie.getValue()
 *
 * @return an object of type javax.servlet.http.Cookie.
 *
 */
public static Cookie getLTPACookieFromSSOToken()
throws Exception

The following is an example of how you can use the new WSSecurityHelper API:

import javax.servlet.http.Cookie;
import com.ibm.websphere.security.WSSecurityHelper;

// Returns null when there is no SSO token on the current thread
Cookie ltpaCookie = WSSecurityHelper.getLTPACookieFromSSOToken();

Subsequently, the LTPA cookie can be set on an HTTP request header. In this case, the value of the cookie header is the string:

ltpaCookie.getName()=ltpaCookie.getValue()

For example, if you use org.apache.commons.httpclient.HttpMethod to build your HTTP request, the LTPA cookie can be set as follows:

HttpMethod method = ...;  // construct your HttpMethod for the
                          // target URL of the web application
if (ltpaCookie != null)
    method.setRequestHeader("Cookie", ltpaCookie.getName() + "=" + ltpaCookie.getValue());

You should only send LTPA cookies over SSL connections.

Check that the LTPA cookie returned by WSSecurityHelper.getLTPACookieFromSSOToken() in the example above is not null before calling any of its getter methods. Also, the call only returns a cookie object when an SSO token is present on the thread of execution, so make sure that the user has already authenticated successfully with the mid-tier server.

WAS does not ship supporting jars for HTTP programming, such as the Apache httpclient. You must provide your own supporting functions for HTTP programming.
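The following is an added example, not code from the infocenter page, showing the whole procedure in one mid-tier servlet: it fetches the cookie with the WSSecurityHelper API described above, handles the null case, and forwards the cookie to a downstream application using only java.net (since WAS ships no HTTP client library), refusing anything but an https: URL. The servlet class name and the downstream URL are assumptions.

```java
import java.io.IOException;
import java.net.URL;
import javax.net.ssl.HttpsURLConnection;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.ibm.websphere.security.WSSecurityHelper;

// Mid-tier servlet that forwards the caller's LtpaToken2 cookie to a
// downstream WebSphere web application over HTTPS, using java.net only
// because WAS does not ship an HTTP client library.
public class DownstreamSsoServlet extends HttpServlet {
    // Hypothetical downstream URL; replace with the real target.
    private static final String DOWNSTREAM_URL =
        "https://downstream.example.com/app/protected";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        Cookie ltpaCookie;
        try {
            // Null unless the caller already authenticated to this mid-tier
            // server, which is what puts an SSO token on the thread.
            ltpaCookie = WSSecurityHelper.getLTPACookieFromSSOToken();
        } catch (Exception e) {
            throw new ServletException("Unable to obtain LTPA cookie", e);
        }
        if (ltpaCookie == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED,
                "No SSO token on the current thread");
            return;
        }
        URL target = new URL(DOWNSTREAM_URL);
        // The cookie carries the caller's authenticated identity: never
        // send it over a plain HTTP connection.
        if (!"https".equalsIgnoreCase(target.getProtocol())) {
            throw new ServletException("LTPA cookies must only be sent over SSL");
        }
        HttpsURLConnection conn = (HttpsURLConnection) target.openConnection();
        conn.setRequestMethod("GET");
        // Header value is Cookie.getName()=Cookie.getValue(), as the API doc says
        conn.setRequestProperty("Cookie",
            ltpaCookie.getName() + "=" + ltpaCookie.getValue());
        int status = conn.getResponseCode();
        resp.setStatus(status);
        resp.getWriter().println("Downstream status: " + status);
        conn.disconnect();
    }
}
```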