
We want to realize an SSO infrastructure with some IBM Domino / WebSphere products and one custom web application. All IBM products are configured for SSO. Therefore, the WebSphere Application Server 8 generates an LTPAToken2 after successful login in one of the IBM products. We want to achieve the same behaviour for our own custom web application. After login into this web app, an LTPAToken2 should be generated. Therefore my question: Is it possible to generate a valid LTPAToken2 in our custom web application? Or maybe, is it possible to use the WebSphere Application Server APIs for this generation? Which steps would be necessary to achieve this? At the moment, our custom web application is not hosted in a WAS, but on a Tomcat.

Thanks and best regards Ben

Ben

2 Answers


As long as you have your application hosted on a tomcat server that is not possible. There is no open API from IBM for creating LTPA tokens.

If you had the same user directory and used standard Java Security mechanisms, you could move your application to WAS, where SSO is configured. Not only would it be possible, your LTPA tokens would be created on login to your web application without any further configuration.

As it seems you have a solution with two different user directories, sharing the same user id but not the password, you need to take other measures to achieve SSO.

  • One is to have an Access manager software which handles login for all your applications,
  • A second solution is to write some custom code. Login into the tomcat server could generate a custom cookie. You need to write code to generate this cookie. Then you can write a TAI to intercept it on the WebSphere server thus accepting the login. The TAI would be configured in the container rather than in a separate application itself. (example)
  • I also assume you could solve this by writing servlet filters to handle the login, rather than a TAI.
DanielBarbarian
  • So when I understand you correctly, I do not have to develop a custom JAAS Login module using special WAS-APIs for that? Porting the Application to WAS would be enough? – Ben May 26 '14 at 09:44
  • Correct. As long as you are using the login as defined in Java Security in your Web Application, the WAS container will create the token for you (with the correct SSO configuration). – DanielBarbarian May 26 '14 at 10:18
  • Depending on your UI requirement for the login user experience, you can just use `FORM` or `BASIC` auth in your web app and the user will get an `LtpaToken2` token cookie on successful authn. Note that if you put the app on a different WAS instance than the target WAS server you want to SSO to, you'll have to sync the two servers' LTPA keys. Example tutorial: http://www-10.lotus.com/ldd/portalwiki.nsf/m_Home.xsp?documentId=AC0295A8B2C8665A852577A40049E0F9 – Scott Heaberlin May 26 '14 at 14:36
  • So you mean that when you want to get an LtpaToken2 after successful login, the login procedures must be implemented with JAAS? Otherwise, it will not work? – Ben May 26 '14 at 14:46
  • Let's put it this way: How have you implemented login in your web application? – DanielBarbarian May 27 '14 at 08:02
  • We use an Open Source product named Activiti (Open Source Business Process Engine). This Engine uses its own user management and login implementation. We want to achieve that a LTPA2Token is generated when logging into this application. – Ben May 27 '14 at 10:21
  • But if these two installations have their own user directories, how would you achieve SSO between them? Same user ID? – DanielBarbarian May 27 '14 at 11:04
  • Exactly: using LDAP and the same user ID – Ben May 27 '14 at 19:13
  • Changed my answer to include the scenario you have. – DanielBarbarian May 31 '14 at 08:11
  • Thanks very much for this. Solving it with a servlet filter on the WAS would assume having a WAS API to retrieve the current LTPAToken2. Because normally, the WAS sets the LTPAToken2 in the user's browser. Does the WAS offer such an API? – Ben Jun 05 '14 at 11:08
  • API for setting LTPA tokens? No! – DanielBarbarian Jun 18 '14 at 08:46
  • You wrote: "I also assume you could solve this by writing servlet filters to handle the login". So the procedure would be: I have a servlet on the WAS accepting credentials from my tomcat webapp. The WAS servlet will perform a login on the WAS, a LTPA Token will be generated. Now, I must hand off this token to my tomcat app so that it can be set in the browser (the WAS servlet cannot set the cookie in the browser, because I login with the browser in the tomcat app). The question is how my WAS Servlet can get the generated LTPA Token to hand it off to my tomcat application. Thank you very much – Ben Jun 24 '14 at 13:17
  • The LTPAToken cookie is set per domain so you must have the two servers on the same domain. You also need to decrypt the LTPA token. I have seen some blogs about people that have done it, but if you are at this level, why not create your own custom cookie for this. Then you will have full control over the entire process. – DanielBarbarian Jun 24 '14 at 14:18
  • You wrote " As long as you are using the login as defined in Java Security in your Web Application, the WAS container will create the token for you". What do you mean with "using the login as defined in Java Security"? – Ben Aug 13 '14 at 14:03
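A minimal shape for the "custom cookie" in the second bullet of the answer, as an added example that is not from the thread: the value carries the user id and an expiry and is HMAC-signed with a secret shared between Tomcat and WAS, so the TAI on WAS can check it before asserting the identity rather than trusting a bare user id. The class name, the way the secret is provisioned and the five-minute lifetime are assumptions.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;

public final class SsoCookie {
    private static final String ALG = "HmacSHA256";
    private static final long TTL_MS = 5 * 60 * 1000; // short lifetime bounds replay of a captured cookie
    private final byte[] key; // hypothetical shared secret, provisioned out of band on both Tomcat and WAS

    public SsoCookie(byte[] key) { this.key = key.clone(); }

    /** Issued by the Tomcat login: "user|expiryMillis|base64url(HMAC(user|expiryMillis))". */
    public String issue(String userId, long nowMillis) {
        if (userId.indexOf('|') >= 0) throw new IllegalArgumentException("user id must not contain '|'");
        String payload = userId + "|" + (nowMillis + TTL_MS);
        return payload + "|" + Base64.getUrlEncoder().withoutPadding().encodeToString(mac(payload));
    }

    /** Checked by the TAI on WAS; returns the user id to assert, or null to reject the request. */
    public String verify(String cookieValue, long nowMillis) {
        if (cookieValue == null) return null;
        String[] parts = cookieValue.split("\\|", -1);
        if (parts.length != 3 || parts[0].isEmpty()) return null;
        long expiry;
        try { expiry = Long.parseLong(parts[1]); } catch (NumberFormatException e) { return null; }
        if (nowMillis > expiry) return null; // expired: the user must log in on Tomcat again
        byte[] given;
        try { given = Base64.getUrlDecoder().decode(parts[2]); } catch (IllegalArgumentException e) { return null; }
        byte[] expected = mac(parts[0] + "|" + parts[1]);
        // constant-time comparison so a forger cannot learn how many bytes of the MAC matched
        return MessageDigest.isEqual(expected, given) ? parts[0] : null;
    }

    private byte[] mac(String data) {
        try {
            Mac m = Mac.getInstance(ALG);
            m.init(new SecretKeySpec(key, ALG));
            return m.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

The TAI's negotiateValidateandEstablishTrust would call verify on the cookie value and, on a non-null result, return TAIResult.create(HttpServletResponse.SC_OK, userId); the asserted user id still has to exist in the WAS user registry (the shared LDAP), so only the password check moves to Tomcat, not the identity lookup.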

If your Tomcat app is on the same domain as (one of) the WebSphere servers, and the Tomcat server has network access to the WebSphere instance, you could have a servlet in your Tomcat app accept credentials on its request and pass them in an outbound http request to something like /<secured app>/j_security_check on the WAS instance, record the LtpaToken2 if successful and then add a cookie with its value in the servlet response on Tomcat.

As long as the two servers are on the same domain the browser will send the cookie back if the Tomcat app links/redirects the user to a secured URI on the WAS app, and you have SSO.

Scott Heaberlin
  • The question is how an LTPA Token can be recorded? I want to create a login page on the tomcat application as you said. The user enters username and password. Those two values will be sent to a servlet on the WAS. The servlet extracts those values. What happens then? How can I record an LTPA token in a way that I can put it in the servlet response on tomcat? Thanks for your answers – Ben Aug 13 '14 at 12:54
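The "record the LtpaToken2" step that the comment asks about, as an added example that is not from the answer: a servlet on Tomcat forwards the posted credentials to the WAS form login (j_security_check) and copies the LtpaToken2 cookie from the WAS response into its own response. The host names, the secured app path, the cookie domain and the servlet name are assumptions; the WAS URL has to be HTTPS because the user's password travels in that request.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.List;
import javax.servlet.http.*;

public class WasLoginProxyServlet extends HttpServlet {
    // Hypothetical: form-login URL of a secured app on the WAS instance; must be HTTPS, the password travels in it
    private static final String WAS_LOGIN = "https://was.example.com/securedapp/j_security_check";

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String token = obtainLtpaToken2(req.getParameter("j_username"), req.getParameter("j_password"));
        if (token == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        Cookie c = new Cookie("LtpaToken2", token);
        c.setDomain(".example.com"); // hypothetical parent domain shared by the Tomcat and WAS hosts
        c.setPath("/");
        c.setSecure(true);   // the token is a bearer credential; never let it travel over plain HTTP
        c.setHttpOnly(true); // keep it out of reach of page scripts
        resp.addCookie(c);
        resp.sendRedirect(req.getContextPath() + "/");
    }

    /** POSTs the credentials to the WAS form login and returns the LtpaToken2 value, or null on failure. */
    static String obtainLtpaToken2(String user, String pass) throws IOException {
        if (user == null || pass == null) return null;
        HttpURLConnection con = (HttpURLConnection) new URL(WAS_LOGIN).openConnection();
        con.setRequestMethod("POST");
        con.setInstanceFollowRedirects(false); // WAS redirects after login; only the response headers are needed
        con.setDoOutput(true);
        con.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        String body = "j_username=" + URLEncoder.encode(user, "UTF-8") + "&j_password=" + URLEncoder.encode(pass, "UTF-8");
        try (OutputStream out = con.getOutputStream()) { out.write(body.getBytes(StandardCharsets.UTF_8)); }
        con.getResponseCode(); // forces the exchange so the headers are available
        List<String> setCookies = con.getHeaderFields().get("Set-Cookie");
        if (setCookies == null) return null;
        for (String sc : setCookies) {
            if (sc.startsWith("LtpaToken2=")) {
                String value = sc.substring("LtpaToken2=".length()).split(";", 2)[0];
                return value.isEmpty() ? null : value; // treat an empty (cleared) cookie as no token
            }
        }
        return null;
    }
}
```

Because the token WAS issues is bound to the cookie domain and the WAS LTPA keys, this only works when both hosts sit under the same parent domain, as the answer states, and the Tomcat app must protect this endpoint like any login form (rate limiting, HTTPS only).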