Hi all, I have come to the conclusion that the declarative/reactive security model of the J2EE web container is insufficient for my needs. I plan on writing my own classes for enforcing authentication/authorization to web resources, and of course log into JAAS to allow credential information to be propagated to downstream servers (EJBs, etc.). I hate to reinvent the wheel, but I'm using WebSphere which uses LTPA tokens to persist the client's logged-in state and for SSO. LTPA is a proprietary technology and from what I can tell IBM has no publicly accessible APIs for creating & validating these tokens. My question is: are there any patterns that relate to signon tokens that I can follow? I modeled mine after LTPA and used JCE to encrypt the user id and password and then placed it into a cookie. This works fine, but I am concerned with replay attacks and the fact that if someone were to decrypt the token, they would find a valid user id / password combination. Presumably WebSphere's LTPA has the exact same problems, but this isn't good enough for me. I was thinking that it is a mistake to put the password into the token, and maybe only place the user id and a timeout value. Any thoughts? Thanks! --Dave.
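One way to build the token Dave describes in his last sentence (user id plus timeout, no password), as an added example that is not code from the thread or from WebSphere/LTPA: the cookie value is the payload followed by an HMAC computed with a secret that never leaves the server, so a client can read the user id but cannot forge or alter it, and the expiry bounds how long a captured cookie stays usable. The class name, the `|`-separated format and HmacSHA256 are my assumptions.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

// Hypothetical signon token: "<userId>|<expiryMillis>|<base64url HMAC>".
public class SignonToken {
    private static final String ALG = "HmacSHA256";
    private final byte[] key; // server-side secret; never placed in the cookie

    public SignonToken(byte[] key) { this.key = key; }

    // Issue a token for userId that is valid until expiresAtMillis (epoch millis).
    public String issue(String userId, long expiresAtMillis) throws Exception {
        String payload = userId + "|" + expiresAtMillis;
        String mac = Base64.getUrlEncoder().withoutPadding().encodeToString(sign(payload));
        return payload + "|" + mac;
    }

    // Return the user id if the token is authentic and not yet expired, else null.
    public String verify(String token, long nowMillis) throws Exception {
        int macSep = token.lastIndexOf('|');
        if (macSep < 0) return null;
        String payload = token.substring(0, macSep);
        byte[] presented;
        try { presented = Base64.getUrlDecoder().decode(token.substring(macSep + 1)); }
        catch (IllegalArgumentException e) { return null; }
        // Constant-time compare so a forger cannot learn the MAC byte by byte.
        if (!MessageDigest.isEqual(sign(payload), presented)) return null;
        int expSep = payload.lastIndexOf('|'); // expiry is digits only, so user ids may contain '|'
        if (expSep < 0) return null;
        long exp;
        try { exp = Long.parseLong(payload.substring(expSep + 1)); }
        catch (NumberFormatException e) { return null; }
        if (nowMillis >= exp) return null; // timeout limits the replay window
        return payload.substring(0, expSep);
    }

    private byte[] sign(String payload) throws Exception {
        Mac mac = Mac.getInstance(ALG);
        mac.init(new SecretKeySpec(key, ALG));
        return mac.doFinal(payload.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        byte[] key = new byte[32];
        new SecureRandom().nextBytes(key); // constructed demo key
        SignonToken st = new SignonToken(key);
        long now = System.currentTimeMillis();
        String t = st.issue("dave", now + 30 * 60 * 1000L);
        System.out.println("valid:   " + st.verify(t, now));                 // dave
        System.out.println("expired: " + st.verify(t, now + 31 * 60 * 1000L)); // null
        System.out.println("forged:  " + st.verify("admin" + t.substring(4), now)); // null
    }
}
```

A signed, time-limited token still replays freely until it expires, so it belongs on a TLS-only, HttpOnly cookie and, where one logout must invalidate it, needs a server-side revocation list or session id in addition.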
Hi Dave, I'm coming to the same conclusion & also working in WebSphere... but haven't made as much progress on the research front. Sorry I can't help you with your problems; could you help with mine? :roll: Have you come across any useful resources that you could point me to? Also, in the same way as you are modelling your signon token after LTPA, are you modelling some of your other security classes along the lines of the java.security / javax.security classes (e.g. implementing the Principal interface)? Whilst I've been convinced by Kyle that one shouldn't use JAAS in WebSphere except for application client security, I'm thinking it may be worth reusing some of their concepts since they should have been thoroughly designed. What do you think? Louise
Hi Louise, I'm still working through this so I don't have much to add to my original post. My current solution (well, iteration) is to programmatically call IBM's WSLogin to create a LoginContext, and then call lc.runAs(); see JAAS Login. I call my Struts action within the runAs(), allowing my actions to have access to the logged-in user via WSSubject (can't use the JAAS Subject), as well as auto-propagation of credentials to downstream servers. I set this up and it works quite well - but I need a user id and password to log into the LoginContext. WS stores these in LTPA, which is preferable to use because if I create my own tokens, I will circumvent the web container's security model completely; I'm trying to find a way to co-exist. If you want links on this, google for "Session Management"; adding SSO also narrows the results well. Once I have my head wrapped around this, I will post the better links. I am concerned that Kyle says only use JAAS from Java clients; I wonder if it is bad to use JAAS within a container or if he thinks the built-in reactive security model of J2EE is sufficient. Please elaborate on your experiences in this regard. Thanks! --Dave
Hi Dave, Apologies for not replying sooner - in my case the security model just became lower priority for a while rather than that I took a holiday - lucky you. I haven't got any experience to elaborate on really. We're still at the stage of confirming what our approach to security will be. The impression I get is that many folks are in our position of thinking that the declarative security model isn't configurable enough for what we need in real applications. However, there isn't much out there giving advice on more complex solutions. The approach we've come up with is to try declarative security in the short term. This will give us an opportunity to investigate exactly what the limitations are, what our needs are & how we could solve them. I can envisage refactoring to a bespoke solution within, say, 6 months. BTW, we're using the Spring framework & there seem to be moves afoot there to add in a security component in the next version. I think we'll probably pick this up if it looks reasonable. If you're interested, they're at the stage of figuring out requirements, so if you drop them a note on the forum there's a fair chance their solution could work for you. (Spring discussion) Cheers, Louise
Hi folks, I have the need to implement LTPA in our project (a brand new one) with WAS 5.0 or later with an LDAP server and DB authorization. We are overriding the Struts RequestProcessor at the front end and using a custom form for login. If you guys could give any info/pointers on how you did it / how to do it, that would be fantastic!!
Using LTPA keys for communication between WAS domains is an IBM WAS recommended approach... and I think you should be able to store the LTPA keys in LDAP (I am not sure how this is done; it should be similar to storing a cert).
In general J2EE scenarios, we choose to use Principal delegation - particularly when you find an issue of overriding authentication of the callee domain (your Web or EJB container) components, then you must configure Principal delegation to make sure the security context remains constant from the caller to the callee. Using JAAS shared state (in case of JAAS-based authentication) or making use of <use-caller-identity> declarative security should help.