com.ibm.wps.portletservice.credentialvault.credentials
Class LtpaTokenCredential
java.lang.Object
com.ibm.wps.portletservice.credentialvault.credentials.Credential
com.ibm.wps.portletservice.credentialvault.credentials.ActiveCredential
com.ibm.wps.portletservice.credentialvault.credentials.JaasSubjectCredential
com.ibm.wps.portletservice.credentialvault.credentials.LtpaTokenCredential
- All Implemented Interfaces:
- ActiveCredential, Credential, JaasSubjectCredential, LtpaTokenCredential, java.io.Serializable
public abstract class LtpaTokenCredential
extends JaasSubjectCredential
implements LtpaTokenCredential
Credential for authenticating at a back-end system that is within the same WebSphere SSO domain as the portal.
This Credential can be used to establish an authenticated outbound URL connection by associating the user's
existing Ltpa cookie with that connection.
The Ltpa token credential can be retrieved via the vault service through
com.ibm.portal.portlet.service.credentialvault.CredentialVaultService#getLTPATokenCredential(String slotId, Map config, javax.portlet.PortletRequest request)
where slotId = com.ibm.portal.portlet.service.credentialvault.CredentialVaultService.PREDEFINED_SLOT_USER_JAAS_SUBJECT;
Alternatively, the Ltpa token credential can be created by:
CredentialFactory.createCredential(CredentialTypes.LTPA_TOKEN);
See CredentialFactory
- Initialize the credential via the init(Map config) method
After retrieving the Ltpa token credential, establish the connection:
- Pass the URL to the method getAuthenticatedConnection() in order to get a URLConnection with the current Ltpa token(s) associated
- If necessary, set additional HTTP headers on the resulting URLConnection
- Send the request to a trusted server
Warning 1: Do not send the Ltpa cookie to servers outside the SSO domain! If those servers are hostile, they can use the Ltpa token
data to impersonate the user represented by the Ltpa token and compromise the system.
Warning 2: This code does not respect the Secure attribute (as defined by RFC 2109) of the Ltpa cookie(s). Therefore, the code
that uses the Ltpa token credential is responsible for deciding whether it is okay to send the token over unencrypted HTTP connections.
Preconditions:
See init(Map config)
- Since:
- 5.1.0.1
- See Also:
- Serialized Form
Fields inherited from class com.ibm.wps.portletservice.credentialvault.credentials.Credential
LOGGER_NAME
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
ltpaToken
protected LTPATokenCredential ltpaToken
ltpaToken2
protected LTPATokenCredential ltpaToken2
LtpaTokenCredential
public LtpaTokenCredential()
init
public void init(java.util.Map config)
throws CredentialVaultException
- Initializes a new LtpaToken credential.
If you pass in a null pointer to the initialization of this credential for the JaasSubjectCredentialSecret,
this credential will get the current token(s) from the current WAS Security context.
- Specified by:
- init in interface Credential
- Specified by:
- init in interface JaasSubjectCredential
- Specified by:
- init in interface LtpaTokenCredential
- Overrides:
- init in class JaasSubjectCredential
- Parameters:
- config - The configuration needed to initialize this credential:
- Key: KEY_CREDENTIAL_SECRET, value: JaasSubjectCredentialSecret.
The credential's secret. This parameter is optional; if null, the current user's caller subject will be used.
The JaasSubjectCredentialSecret can be obtained from the CredentialSecretFactory.
See Also: CredentialSecretFactory
- Key: LTPA_TOKEN_TYPE, value: String.
You should use LTPA_TOKEN_TYPE_VALUE_DEFAULT here, which means forward exactly those Ltpa tokens available
on the incoming request. It is also possible to propagate only the Ltpa token, only the Ltpa2 token, or both tokens. The corresponding values
are represented by the constants LTPA_TOKEN_TYPE_VALUE_LTPA_ONLY, LTPA_TOKEN_TYPE_VALUE_LTPA2_ONLY, and LTPA_TOKEN_TYPE_VALUE_BOTH.
(mandatory)
- Key: HTTP_SERVLET_REQUEST, value: HttpServletRequest
The incoming HTTP request (mandatory)
- Throws:
- CredentialVaultException - If any mandatory parameter is missing or has a wrong object type as value.
- Since:
- 6.0.1 The key LTPA_TOKEN_TYPE is available.
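The following is an added example, not code from IBM or from this class's documentation. It ties together the init(Map config) parameters listed above and the create/initialize/connect procedure from the class description, and it turns Warning 1 and Warning 2 into an explicit check: the LTPA cookie is only attached to a connection whose host is on the operator's own list of SSO-domain hosts and, unless plain HTTP is deliberately allowed, whose scheme is HTTPS. Assumed and not shown on this page: the packages of CredentialFactory and CredentialTypes, the package of the checked CredentialVaultException (the method below simply declares `throws Exception` for that reason), and that the KEY_CREDENTIAL_SECRET, LTPA_TOKEN_TYPE, LTPA_TOKEN_TYPE_VALUE_DEFAULT and HTTP_SERVLET_REQUEST constants are reachable through the LtpaTokenCredential type.

```java
// Added example (not IBM code): guarded use of LtpaTokenCredential.
// Assumed: the packages of CredentialFactory/CredentialTypes below, and that the
// init(Map) key constants are reachable via the LtpaTokenCredential type.
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;

import com.ibm.wps.portletservice.credentialvault.credentials.LtpaTokenCredential;
import com.ibm.wps.portletservice.credentialvault.CredentialFactory;   // assumed package
import com.ibm.wps.portletservice.credentialvault.CredentialTypes;     // assumed package

public final class SsoBackendClient {

    /** Hostnames or parent domains that the operator knows to be inside the WebSphere SSO domain. */
    private final Set<String> ssoDomains;
    /** Whether Warning 2 is consciously waived, i.e. the LTPA cookie may travel over plain HTTP. */
    private final boolean allowPlainHttp;

    public SsoBackendClient(Set<String> ssoDomains, boolean allowPlainHttp) {
        this.ssoDomains = ssoDomains;
        this.allowPlainHttp = allowPlainHttp;
    }

    /**
     * Warning 1 and Warning 2 as a check: the token may only go to a host inside the
     * SSO domain, and (unless explicitly allowed) only over HTTPS.
     */
    public boolean isTrustedTarget(URL url) {
        String scheme = url.getProtocol().toLowerCase(Locale.ROOT);
        if (!"https".equals(scheme) && !(allowPlainHttp && "http".equals(scheme))) {
            return false;
        }
        // "user@host" forms are a classic way to make a host check read the wrong part
        if (url.getUserInfo() != null) {
            return false;
        }
        String host = url.getHost();
        if (host == null || host.isEmpty()) {
            return false;
        }
        host = host.toLowerCase(Locale.ROOT);
        if (host.endsWith(".")) {
            host = host.substring(0, host.length() - 1);   // normalise a trailing dot
        }
        for (String d : ssoDomains) {
            String dom = d.toLowerCase(Locale.ROOT);
            // exact host match, or a subdomain of a listed parent domain
            if (host.equals(dom) || host.endsWith("." + dom)) {
                return true;
            }
        }
        return false;
    }

    /** Create and initialise the credential from the current request (the init(Map config) keys above). */
    public LtpaTokenCredential newCredential(HttpServletRequest request) throws Exception {
        Map<Object, Object> config = new HashMap<Object, Object>();   // init(Map) is declared raw
        // null secret: init() falls back to the caller subject of the current WAS security context
        config.put(LtpaTokenCredential.KEY_CREDENTIAL_SECRET, null);
        // forward exactly the LTPA token(s) present on the incoming request
        config.put(LtpaTokenCredential.LTPA_TOKEN_TYPE, LtpaTokenCredential.LTPA_TOKEN_TYPE_VALUE_DEFAULT);
        config.put(LtpaTokenCredential.HTTP_SERVLET_REQUEST, request);
        LtpaTokenCredential cred =
            (LtpaTokenCredential) CredentialFactory.createCredential(CredentialTypes.LTPA_TOKEN);
        cred.init(config);   // CredentialVaultException if a mandatory key is missing or mistyped
        return cred;
    }

    /** Only a target that passes isTrustedTarget() gets the LTPA cookie attached. */
    public HttpURLConnection open(LtpaTokenCredential cred, String target) throws IOException {
        URL url = new URL(target);
        if (!isTrustedTarget(url)) {
            throw new IOException("refusing to forward the LTPA token to " + url.getHost());
        }
        HttpURLConnection conn = cred.getAuthenticatedConnection(url);   // token(s) associated here
        conn.setRequestMethod("GET");
        conn.setRequestProperty("Accept", "application/json");          // optional extra headers
        return conn;   // still uncommitted; the caller sends it
    }
}
```

The allowlist in `ssoDomains` is the operator's own statement of which hosts share the SSO domain; the class cannot derive it from the token. `isTrustedTarget` is plain Java and can be unit-tested without a WebSphere runtime, which is where a guard like this is most easily verified (for example, that `https://evil.example` and `https://portal.example@evil.example/` are both rejected when only `portal.example` is listed).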
getLtpaTokenCredential
protected void getLtpaTokenCredential()
throws CredentialVaultException
- Throws:
- CredentialVaultException
getLtpaToken2Credential
protected void getLtpaToken2Credential()
throws CredentialVaultException
- Throws:
- CredentialVaultException
getAuthenticatedConnection
public java.net.HttpURLConnection getAuthenticatedConnection(java.net.URL url)
throws java.io.IOException
- Returns a new HttpURLConnection with added authentication data.
- Specified by:
- getAuthenticatedConnection in interface JaasSubjectCredential
- Specified by:
- getAuthenticatedConnection in interface LtpaTokenCredential
- Specified by:
- getAuthenticatedConnection in class JaasSubjectCredential
- Parameters:
- url - The target URL for the connection. Note that it need not be
opened yet.
- Returns:
- HttpURLConnection A new authenticated (and yet uncommitted)
connection
- Throws:
- java.io.IOException - thrown if anything unexpected happened
getAuthenticatedConnection
public java.net.HttpURLConnection getAuthenticatedConnection(java.lang.String url)
throws java.io.IOException
- Returns a new HttpURLConnection with added authentication data.
- Specified by:
- getAuthenticatedConnection in interface JaasSubjectCredential
- Specified by:
- getAuthenticatedConnection in interface LtpaTokenCredential
- Specified by:
- getAuthenticatedConnection in class JaasSubjectCredential
- Parameters:
- url - The target URL for the connection
- Returns:
- HttpURLConnection A new authenticated (and yet uncommitted)
connection.
- Throws:
- java.io.IOException - thrown if anything unexpected happened.