Tags: java, websphere, single-sign-on, webseal, ltpa

How to use the information in an LTPA token


Consider the following setup:

  • A web application deployed on a WebSphere Application Server (6.1 if it matters)
  • the app will get accessed through a WebSEAL reverse proxy
  • the WebSEAL takes care of the authentication and passes on an LTPA token as a sign of valid authentication

If I got it right, the LTPA token contains information like username, roles and so on.

Question: how do I access this information from the LTPA token in my Java web application?


Solution

  • You don't directly access the LTPA token; rather, you assume that WebSphere has established a security context for you on the basis of its authentication procedures.

    You can then use

    getUserPrincipal()
    

    on your HttpServletRequest object to access the user's identity.

    Roles are particular to the current resource (servlet, EJB, ...) and hence you use the HttpServletRequest method

    isUserInRole()
    

    to determine whether a user is in a role.

    You can also use the method

     // static method on com.ibm.websphere.security.auth.WSSubject
     public static javax.security.auth.Subject getCallerSubject()
    

    to obtain further security information including group membership.
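
The three calls from the answer put together in one servlet, as an added example that is not part of the original answer and not IBM's own sample code. It assumes a role named `manager` has been declared in `web.xml` and mapped to a user or group at deployment (the role name is a placeholder); the WebSphere-specific classes `WSSubject` and `WSCredential` are real WAS runtime APIs, and the servlet is written against the Servlet 2.5 API that WAS 6.1 ships.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;

import javax.security.auth.Subject;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// WebSphere runtime classes (com.ibm.ws.runtime.jar / was_public.jar on the compile classpath)
import com.ibm.websphere.security.auth.WSSubject;
import com.ibm.websphere.security.cred.WSCredential;

/**
 * Reports the identity WebSphere established from the LTPA token WebSEAL sent.
 * Nothing here parses the token itself: the container has already validated it
 * (LTPA keys are shared between WebSEAL and WAS) and built the security context.
 */
public class WhoAmIServlet extends HttpServlet {

    // Placeholder role name: must exist as <security-role> in web.xml and be
    // mapped to users/groups in the WAS console or ibm-application-bnd.xml.
    private static final String ROLE = "manager";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {

        Principal user = req.getUserPrincipal();
        if (user == null) {
            // No security context. Typical causes: the URL is not covered by a
            // <security-constraint>, or the request did not come through WebSEAL
            // (or the LTPA cookie was missing/expired). Do not fall back to
            // trusting raw headers such as iv-user here; that is the proxy's job.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();

        // 1. Identity, via the standard Servlet API
        out.println("user: " + user.getName());

        // 2. Role check, resolved by the container against the deployment mapping
        out.println("in role '" + ROLE + "': " + req.isUserInRole(ROLE));

        // 3. WebSphere-specific details: realm name, unique name, group membership
        try {
            Subject caller = WSSubject.getCallerSubject();
            if (caller != null) {
                for (WSCredential cred : caller.getPublicCredentials(WSCredential.class)) {
                    out.println("security name: " + cred.getSecurityName());
                    out.println("unique name:   " + cred.getUniqueSecurityName());
                    for (Object group : cred.getGroupIds()) {
                        out.println("group: " + group);
                    }
                }
            }
        } catch (Exception e) {
            // WSSubject/WSCredential declare WSSecurityException and the
            // credential-expired/destroyed exceptions; treat all of them as
            // "no usable credential" rather than leaking details to the client.
            out.println("WebSphere credential not available: " + e.getClass().getSimpleName());
        }
    }
}
```

Note that `isUserInRole()` only answers for roles the deployment descriptor declares; a role that was never mapped simply returns `false`, so a `false` here is not proof that the user lacks the group. `getGroupIds()` returns the group identities as WebSphere carries them (typically in the form `group:<realm>/<name>`), which is the closest you get to "what the LTPA token said" without decoding the token yourself.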