Using a Trust Association Interceptor (TAI) to obtain an LTPA2 token

Submitted by 旧巷老猫 on 2019-12-06 09:13:51

This might work, but both servers should be on the same SSO domain, e.g. tomcat.company.com and websphere.company.com. In the WebSphere admin console, under Security > Global security > Single sign-on (SSO), specify the Domain name, for example .company.com. You could define several domains there, but it will be easier to debug if there is only one.

The easiest approach would be to create a dummy web app with one JSP that sends a redirect to your Tomcat app. Protect that application with JEE security and create a TAI that intercepts the call to this app and creates a TAIResult, based on the passed token, with the user id, using:

public static TAIResult create(int status, String principal);

This will find the principal user in the WAS registry, authenticate it and create an LTPA token. Control then passes to your page, which in turn redirects to Tomcat, setting the cookie in the browser.

Maybe it would be possible to just do it in the TAI, but I've never tried that solution (and the solution with the custom app will work).

However, you have to create a good custom token; otherwise someone else might be able to use your TAI to authenticate as someone else.

PS.
Why can't your Tomcat app be deployed on WAS? Maybe it will be easier to solve that than to create this TAI solution?
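As an added illustration of the answer above (example code, not the answerer's), here is what such a TAI could look like when it validates the passed token before calling TAIResult.create, so the token cannot simply be forged by anyone who can reach the dummy app. Assumed for the example: the token travels in a header named X-App-Token, has the form user:expiryEpochSeconds:base64(HMAC-SHA256(user:expiry)), and the HMAC key is a TAI custom property named sharedSecret.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Properties;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.ibm.wsspi.security.tai.TAIResult;
import com.ibm.wsspi.security.tai.TrustAssociationInterceptor;

// Hypothetical TAI (added example). It trusts a request only if the header
// "X-App-Token" (assumed name) holds user:expiryEpochSeconds:base64(HMAC-SHA256(user:expiry)),
// signed with a key shared with the Tomcat side and supplied as the TAI custom
// property "sharedSecret" (assumed name) in the admin console.
public class HmacTokenTAI implements TrustAssociationInterceptor {
    private byte[] secret;
    public int initialize(Properties props) {
        String s = props.getProperty("sharedSecret");
        if (s == null || s.length() < 32) throw new IllegalStateException("sharedSecret missing or too short");
        secret = s.getBytes(StandardCharsets.UTF_8);
        return 0; // 0 tells WebSphere the interceptor initialised successfully
    }
    // Only requests carrying the token are handled here; all others fall through to normal WebSphere authentication.
    public boolean isTargetInterceptor(HttpServletRequest req) {
        return req.getHeader("X-App-Token") != null;
    }
    public TAIResult negotiateValidateandEstablishTrust(HttpServletRequest req, HttpServletResponse resp) {
        String[] p = req.getHeader("X-App-Token").split(":");
        try {
            // the expiry limits replay; the MAC binds user and expiry to the shared key
            if (p.length == 3 && Long.parseLong(p[1]) > System.currentTimeMillis() / 1000
                    && verify(p[0] + ":" + p[1], p[2])) {
                // the principal must exist in the WAS registry; WAS then issues the LTPA token
                return TAIResult.create(HttpServletResponse.SC_OK, p[0]);
            }
        } catch (Exception e) { /* malformed token or bad base64: reject below */ }
        return TAIResult.create(HttpServletResponse.SC_UNAUTHORIZED);
    }
    private boolean verify(String data, String sigB64) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(secret, "HmacSHA256"));
        byte[] expected = mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        return MessageDigest.isEqual(expected, Base64.getDecoder().decode(sigB64)); // constant-time compare
    }
    public String getVersion() { return "1.0"; }
    public String getType() { return "HmacTokenTAI"; }
    public void cleanup() { }
}
```

The Tomcat side must mint the token with the same key and a short expiry, and the shared secret should be rotated like any other credential.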

You certainly don't want or need to pass credentials (e.g. password) to WebSphere; the TAI process has no need of an actual password - the very nature of the framework is to allow trust relationships via alternate means.

Additionally, there's also no pressing need to roll your own TAI class and associated proprietary SSO protocol (token, encryption, etc.).

WebSphere 7+ ships with both OAuth and SAML TAIs out of the box (though configuration is required to set them up). This gives you two open standard specifications to choose from, both of which have wide Java library support for your Tomcat app. You end up writing no code on the WebSphere side, and as an added bonus you can use the IBM PMR support process if anything goes wrong or doesn't appear to work, which is not the case with the home-brew TAI solution, as it is purely custom code. Your Tomcat half of the solution would also work with other service provider applications on other platforms in the future. These SSO protocols are widely adopted and mature, vetted by an entire industry of web developers, with few or no attack vectors if implemented properly. DNS or domain alignment is also not necessary with these approaches; they are designed to work across domains.
