Hi, I have been working on authentication using JAAS for WSAD 5.1 and have managed to get the users to be authenticated, but I'm a wee bit lost as to the kind of cookie that needs to be generated for the WAS container to recognise it. I intend on creating the kind of cookie that other systems might have created, like the FormLoginServlet (j_security_check), so that once they're logged in the container can check their role and continue like normal. I presume that there's a standard format the cookie should be in, so that WAS and WSAD know exactly what it is, but as yet sifting through the infocenter and the like hasn't produced the goods for me. Any pointers would be smashin. Stee
You can't manually create the LTPA token (cookie). This is yet another reason why you should NOT use JAAS. This API is not exposed. Only the container can create that cookie once you have successfully authenticated a user (using JAAS or one of the more standard approaches in WAS like form login with j_security_check). My question to you (as it has been to Louise in her similar questions...) is what do you REALLY want to do? Why do you want to do authentication with JAAS? What do you intend to get out of this exercise? And have you read the WAS 5.0 security redbook? Kyle
Hi, Thanks for your speedy reply. I can appreciate your frustration with people trying to do these things when there seems to be a much simpler way to do it. In essence j_security_check is not up to scratch when developing in JSF (Java Server Faces), which is an extension of JSP. The root of the problem is that JSF pages all have a faces/ prefix in their path; when was/wasd redirects an unauthorised request to the login page, context is lost. This happens with most of the other redirects (including "you're authenticated, let's redirect you to the page you previously requested"), a workaround which I can't use, as it's too messy for other users. I have read up on Authentication and Authorisation both on infocenter and any other resources I could find, including your book (which was quite helpful, bar the fact that it was not intended for JSF; understandably, it's very new). All documentation seems to eventually lead to the same thing: JAAS is the way forward (I think this is because the other ways were too easy, we weren't sweating enough). ServerSideAuthentication, I read somewhere, is deprecated, and another site (infocenter I think) recommended using JAAS instead of SSOAuthenticator, so that's what I did. If you have any links to documentation on creating LTPA tokens, it would be great. Thanks, Stee
Sigh. Yeah, j_security_check doesn't work for JSF, you're right. However, remember that JSF isn't even *supported* right now since the spec isn't finalized, either. This is a technology preview, and we don't guarantee that *anything* will work... OK, if you log in using the JAAS API (as described on pages 694-695 of my book) then the LTPA cookie should be automatically created for you. If it's not being created, then something else is wrong. Have you configured your server for LTPA properly? Kyle
Kyle, You mentioned that if we use the JAAS login API, the LTPA cookie will be created automatically. By cookie I assume you mean a cookie is stored into the HttpServletResponse, but how can this be, since the request object is not passed into the JAAS API (nor should it be, imho)? Here is the code I found from boulder:
Is there another API I should be using, or did you mean to say an LTPA token would be generated and sent to downstream servers? Thanks for clarifying. --Dave.
Did you ever manage to resolve the issue of getting the LTPA token? I am in exactly the same situation and have looked everywhere for the answer, this thread being the most informative that I have seen so far, but as with all the other resources that I have looked at, it terminates just short of the winning post.