1

Actual situation:

I have a Liberty Server where my JEE - Application is running. If you enter the application liberty runs a Login Form where you can enter your userid and password, which will be checked by Ldap-Registry and eventually you´ll be authenticated and liberty create a Session with your credentials. Now you can see the App and the app can use the SessionContext and knows - who you are...

As my company now has changed its security philosophy, we gotta use a F5 APM. So far: on entering the Application you´ll be redirected to the F5 APM which will redirect to a IDP where you can login. Afterwards its redirecting back to the App with an IV-User in Http-Header. Good news is, i can still use the Lioberty Formlogin from here - but this is kinda stupid, cause you gotta login twice...

Now my Question is, how can i use this IV-User to create the UserSession with liberty or maybe to check against the LdapRegistry?

CR92
  • 97
  • 1
  • 8
  • 2
    If you are changing to philosophy to company wide auth, it would be more logical to use some proven standard like OIDC, SamlWebSSO, OAuth, for which Liberty has already available features, rather than something proprietary. If you need to use proprietary way, then probably the easiest would be to create your custom TAI (https://www.ibm.com/support/knowledgecenter/SSEQTP_liberty/com.ibm.websphere.wlp.doc/ae/twlp_dev_custom_tai.html) that would read IV-User from header and logged in the user without form login. – Gas Jul 15 '20 at 13:29
  • @Gas thanks, this is kinda helpful. I did build a custom TAI which returns a principal with the iv-user from header. Somehow this still needs the Ldap-registry to work. If i remove the registry, the form-login pops up again. Also this TAI Interceptor is called like everytime theres a Request , which needs to be fixed too. – CR92 Jul 16 '20 at 08:11

1 Answers1

4

If you dont want to query registry you need to create full subject. So instead of this:

return TAIResult.create(HttpServletResponse.SC_OK, userid);

you need to do this in your TAI:

// stash in hashtable
Hashtable hashtable = new Hashtable();
hashtable.put(AttributeNameConstants.WSCREDENTIAL_UNIQUEID,uniqueid);
hashtable.put(AttributeNameConstants.WSCREDENTIAL_SECURITYNAME,userid);
hashtable.put(AttributeNameConstants.WSCREDENTIAL_GROUPS, groupList); 
hashtable.put(AttributeNameConstants.WSCREDENTIAL_CACHE_KEY, "myCustomAttribute" + uniqueid);    
Subject subject = new Subject();
subject. getPublicCredentials().add(hashtable);
return TAIResult.create(HTTPServletResponse.SC_OK, "userid", subject);

For more information check these pages:

Successful authentication should create LTPA cookie and not require additional authentications, so if you dont see such behavior something is still misconfigured.

I did a very quick look at the F5 APM and it looks like it supports OIDC so you should at least also consider that option.

Gas
  • 17,601
  • 4
  • 46
  • 93
  • Using OIDC auth with Liberty - can we still expect an LTPA cookie? https://stackoverflow.com/questions/68610805/why-is-ltpa-cookie-missing-in-my-was-liberty-environment – Jatin Aug 03 '21 at 23:39