Tags: jakarta-ee, websphere, single-sign-on, websphere-8, ltpa

Using a Trust Association Interceptor (TAI) to obtain a LTPA2-Token


We have a custom web application hosted on a Tomcat server and want to obtain an LTPA2 token when logging into this application on Tomcat. All applications on both application servers use the same LDAP. The application on the Tomcat server cannot be hosted on a WebSphere Application Server (WAS).

The idea is the following:

1. Type in username and password on the Tomcat web application via web browser.
2. Generate a custom token with the credentials.
3. Send those credentials to a custom TAI on a WebSphere Application Server.

The question is whether we can obtain an LTPA2 token from the TAI after the successful login and send it back to the Tomcat application, so that the LTPA2 token can be set in the browser.

Thanks and best regards Benjamin


Solution

  • This might work, but both servers should be in the same SSO domain, e.g. tomcat.company.com and websphere.company.com. In the WebSphere admin console, under Security > Global security > Single sign-on (SSO), specify the Domain name, for example .company.com. You could define several domains there, but it will be easier to debug if there is only one.

    The easiest approach would be to create a dummy web app with one JSP that sends a redirect to your Tomcat app. Protect that application with JEE security and create a TAI that intercepts calls to this app and creates a TAIResult, based on the passed token with the user id, using:

    public static TAIResult create(int status, String principal);
    

    This will find the principal user in the WAS registry, authenticate it and create an LTPA token. Then it will pass control to your page, which in turn will redirect to Tomcat, setting the cookie in the browser.

    Maybe it would be possible to do it all in the TAI, but I've never tried that solution (and the solution with a custom app will work).

    However, you have to create a good custom token; otherwise someone else might be able to use your TAI to authenticate as someone else.

    PS.
    Why can't your Tomcat app be deployed on WAS? Maybe it would be easier to solve that than to create this TAI solution?
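The following is an added example of the TAI the answer describes, not code from the answer or from IBM. It implements the `TrustAssociationInterceptor` interface, validates a custom token and returns `TAIResult.create(SC_OK, principal)` so that WebSphere looks the user up in the shared registry and issues the LTPA2 token. The token layout (base64url user id, expiry, HMAC-SHA256 over both), the `X-Custom-Token` header name, the `sharedSecret` TAI property and the 60-second lifetime are assumptions made for this example; the same `mintToken` helper would be run on the Tomcat side with the same secret. It addresses the "good custom token" warning above: the signature is checked in constant time and an expired token is rejected.

```java
// Added example (not from the original answer): a WebSphere TAI that accepts
// an HMAC-signed, time-limited custom token and hands the user id to WebSphere.
// Header name, property name, token layout and lifetime are assumptions.
import com.ibm.websphere.security.WebTrustAssociationException;
import com.ibm.websphere.security.WebTrustAssociationFailedException;
import com.ibm.wsspi.security.tai.TAIResult;
import com.ibm.wsspi.security.tai.TrustAssociationInterceptor;

import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Properties;

public class HmacTokenTAI implements TrustAssociationInterceptor {

    static final String TOKEN_HEADER = "X-Custom-Token"; // assumed header name
    static final long MAX_AGE_SECONDS = 60;               // assumed token lifetime

    private byte[] secret;

    // Called once by WebSphere. The shared secret is read from the TAI's custom
    // properties configured in the admin console ("sharedSecret" is an assumption).
    public int initialize(Properties props) throws WebTrustAssociationFailedException {
        String s = props.getProperty("sharedSecret");
        if (s == null || s.length() < 32) {
            throw new WebTrustAssociationFailedException("sharedSecret missing or too short");
        }
        secret = s.getBytes(StandardCharsets.UTF_8);
        return 0;
    }

    // Only intercept requests that actually carry the custom token.
    public boolean isTargetInterceptor(HttpServletRequest req) throws WebTrustAssociationException {
        return req.getHeader(TOKEN_HEADER) != null;
    }

    public TAIResult negotiateValidateandEstablishTrust(HttpServletRequest req, HttpServletResponse resp)
            throws WebTrustAssociationFailedException {
        String user = validateToken(req.getHeader(TOKEN_HEADER), secret, System.currentTimeMillis() / 1000);
        if (user == null) {
            // Bad or expired token: WebSphere establishes no identity for this request.
            return TAIResult.create(HttpServletResponse.SC_UNAUTHORIZED);
        }
        // WebSphere resolves this principal in the configured registry (the shared
        // LDAP) and creates the LTPA2 token for the response.
        return TAIResult.create(HttpServletResponse.SC_OK, user);
    }

    public String getVersion() { return "1.0"; }
    public String getType() { return "HmacTokenTAI"; }
    public void cleanup() { }

    // Token layout: base64url(user) "." expiry-epoch-seconds "." base64url(HMAC-SHA256 of the first two)
    // The Tomcat side calls this after its own login succeeds, using the same secret.
    static String mintToken(String user, byte[] secret, long nowSeconds) {
        String payload = b64(user.getBytes(StandardCharsets.UTF_8)) + "." + (nowSeconds + MAX_AGE_SECONDS);
        return payload + "." + b64(hmac(payload, secret));
    }

    // Returns the user id if the MAC verifies (constant-time compare) and the
    // token has not expired; otherwise null.
    static String validateToken(String token, byte[] secret, long nowSeconds) {
        if (token == null) return null;
        String[] parts = token.split("\\.", -1);
        if (parts.length != 3) return null;
        byte[] given;
        String user;
        long expiry;
        try {
            given = Base64.getUrlDecoder().decode(parts[2]);
            user = new String(Base64.getUrlDecoder().decode(parts[0]), StandardCharsets.UTF_8);
            expiry = Long.parseLong(parts[1]);
        } catch (IllegalArgumentException e) {   // covers NumberFormatException too
            return null;
        }
        byte[] expected = hmac(parts[0] + "." + parts[1], secret);
        if (!MessageDigest.isEqual(expected, given)) return null;
        if (nowSeconds > expiry) return null;
        return user;
    }

    private static byte[] hmac(String data, byte[] secret) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(secret, "HmacSHA256"));
            return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    private static String b64(byte[] b) {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }
}
```

Two caveats a practitioner would add: the token is only bound to a user and an expiry, so within its lifetime it can be replayed; if that matters, include a nonce and have the TAI remember nonces it has seen until they expire. And the token must travel only over TLS, since anyone who captures it can present it to the TAI before it expires.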