Tags: java, websphere, single-sign-on, jnlp, portal

How to enable single sign-on between web portal and java rich client?


I saw some of the related questions but my situation is slightly different.

We have this web portal that provides a user access to many applications, among them a rich client(desktop) hosted on the web portal. Here is what happens.

  1. User logs into a web portal (WebSphere portal I believe).
  2. Launches the java rich client hosted on the web server, using JNLP.
  3. The rich client then asks the user to login (again).
  4. The user provides the same userid/password they used to log into the web portal.
  5. The userid/password is verified by the rich client against the same source that was used to verify the login to the web portal.

That's how the system is currently set up. I would like to get rid of the second login. However, the rich client needs to know the userid and needs to ensure that the user is actually logged on to the web portal at the time of the launch of the application.

The web portal and the rich client are completely different applications. However, it is my understanding that the JNLP file can contain arguments that can be passed to the java application. Based on that, I was wondering if the following would be an option.

  1. The JNLP is actually coming from a JSP file. So the web portal can pass the user id to the JSP file, which can generate the JNLP with the user id as an argument.
  2. JNLP would start the rich client passing the user id as an argument.
  3. The rich client application can query (a web service call or something similar) the portal to see if the user is logged on. If the user is logged on to the web portal then the rich client allows the user access.

I am trying to see what my options are, or whether I could use any other technology/solution.


Solution

  • If the hosting server is WebSphere Portal, then you have an additional benefit that the login process automatically creates an LTPA token cookie for the client. Your page can then pass this token to the JNLP rich client as a parameter.

    The rich client can then query an authenticated resource on your portal server with this LTPA cookie set in the header, and test the response code to check whether the authentication succeeded.

    The LTPA token is an enterprise-grade secure SSO solution that is standard across WebSphere products, and works well across WebSphere server clusters or farms as well.

    Note that LTPA tokens may have an expiry time that is different to the session expiry time. This can be set in the WebSphere Application Server Administration Console.
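One way to implement the start-up check the answer describes, as an added example that is not part of the original answer nor of any IBM/WebSphere code; the portal host and the `whoami` path are assumptions about the reader's deployment, and `LtpaToken2` is the cookie name WebSphere uses for the current LTPA token format:

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;

/** Rich-client start-up check: is the LTPA token handed over via JNLP still valid on the portal? */
public class PortalSsoCheck {

    // Hypothetical protected resource on the portal (assumption, not from the page). Any URL
    // that requires an authenticated user and returns 200 to a logged-in caller will do.
    private static final String PROTECTED_URL = "https://portal.example.com/wps/myportal/whoami";

    /**
     * Sends the LTPA token as the LtpaToken2 cookie and reports whether the portal accepts it.
     * Redirect following is disabled on purpose: an expired or forged token typically yields a
     * 302 to the login page rather than a 401, and following it would produce a misleading 200.
     */
    public static boolean isPortalSessionValid(String ltpaToken) throws IOException {
        HttpURLConnection conn = (HttpURLConnection) new URL(PROTECTED_URL).openConnection();
        try {
            conn.setRequestMethod("GET");
            conn.setInstanceFollowRedirects(false);
            conn.setConnectTimeout(5000);
            conn.setReadTimeout(5000);
            conn.setRequestProperty("Cookie", "LtpaToken2=" + ltpaToken);
            int status = conn.getResponseCode();
            // Only a direct 200 counts; 302, 401 and 403 all mean the portal did not authenticate us.
            return status == HttpURLConnection.HTTP_OK;
        } finally {
            conn.disconnect();
        }
    }

    public static void main(String[] args) throws IOException {
        // JNLP <argument> elements arrive as ordinary main() arguments: userid, then LTPA token.
        if (args.length < 2) {
            System.err.println("usage: PortalSsoCheck <userid> <ltpa-token>");
            System.exit(2);
        }
        String userId = args[0];
        String ltpaToken = args[1];
        if (!isPortalSessionValid(ltpaToken)) {
            System.err.println("Portal session for " + userId + " is not valid; refusing to start.");
            System.exit(1);
        }
        System.out.println("Portal session confirmed for " + userId + "; launching rich client.");
    }
}
```

The JSP that emits the JNLP should serve it over HTTPS with caching disabled, since the token in the `<argument>` element is a credential; the same expiry the answer mentions applies to it, so the check belongs at every launch rather than once.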