creating Authentication Cookie

Stee Renwick
Greenhorn

Joined: Jan 27, 2004
Posts: 8
Hi,
I have been working on authentication using JAAS for wsad5.1 and have managed to get the users to be authenticated, but I'm a wee bit lost as to the kind of cookie that needs to be generated for the was container to recognise it. I intend on creating the kind of cookie that other systems might have created like the FormLoginServlet (j_security_check), so that once they're logged in the container can check their role and continue like normal.
I presume that there's a standard format the cookie should be in, so that was and wsad know exactly what it is, but as yet sifting through the infocenter and the like hasn't produced the goods for me.
Any pointers would be smashin
Stee
Kyle Brown
author
Ranch Hand

Joined: Aug 10, 2001
Posts: 3892
You can't manually create the LTPA token (cookie). This is yet another reason why you should NOT use JAAS. This API is not exposed. Only the container can create that cookie once you have successfully authenticated a user (using JAAS or one of the more standard approaches in WAS like form login with j_security_check).
My question to you (as it has been to Louise in her similar questions...) is what do you REALLY want to do? Why do you want to do authentication with JAAS? What do you intend to get out of this exercise?
And have you read the WAS 5.0 security redbook?
Kyle


Kyle Brown, Author of Persistence in the Enterprise and Enterprise Java Programming with IBM Websphere, 2nd Edition
See my homepage at http://www.kyle-brown.com/ for other WebSphere information.
Stee Renwick
Greenhorn

Joined: Jan 27, 2004
Posts: 8
Hi,
Thanks for your speedy reply. I can appreciate your frustration with people trying to do these things when there seems to be a much simpler way to do it.
In essence j_security_check is not up to scratch when developing in JSF (JavaServer Faces), which is an extension of JSP. The root of the problem is JSF pages all have a faces/ prefix in their path; when was/wasd redirects an unauthorised request to the login page, context is lost. This happens with most of the other redirects (including "you're authenticated, let's redirect you to the page you previously requested"), a workaround which I can't use, as it's too messy for other users.
I have read up on Authentication and Authorisation both on infocenter, and any other resources I could find including your book (which was quite helpful, bar the fact that it was not intended for JSF; understandably, it's very new).
All documentation seems to eventually lead to the same thing: JAAS is the way forward (I think this is because the other ways were too easy, we weren't sweating enough).
ServerSideAuthentication I read somewhere is deprecated, and another site (infocenter I think) recommended using JAAS instead of SSOAuthenticator, so that's what I did.
If you have any links to documentation on creating LTPA tokens, it would be great.
Thanks
Stee
Kyle Brown
author
Ranch Hand

Joined: Aug 10, 2001
Posts: 3892
Sigh. Yeah, j_security_check doesn't work for JSF, you're right. However, remember that JSF isn't even *supported* right now since the spec isn't finalized, either. This is a technology preview, and we don't guarantee that *anything* will work...
OK, if you log in using the JAAS API (as described on pages 694-695 of my book) then the LTPA cookie should be automatically created for you. If it's not being created, then something else is wrong. Have you configured your server for LTPA properly?
Kyle
Dave Teare
Ranch Hand

Joined: Oct 09, 2002
Posts: 80
Kyle,
You mentioned that if we use the JAAS login API, the LTPA cookie will be created automatically. By cookie I assume you mean a cookie is stored into the HttpServletResponse, but how can this be since the request object is not passed into the JAAS api (nor should it, imho)? Here is the code I found from boulder:

Is there another api I should be using, or did you mean to say an LTPA token would be generated and sent to downstream servers?
Thanks for clarifying.
--Dave.
Wilbur Smith
Greenhorn

Joined: Jan 13, 2005
Posts: 1
Dave / Kyle

Did you ever manage to resolve the issue of getting the LTPA token? I am in exactly the same situation and have looked everywhere for the answer, this thread being the most informative that I have seen so far, but as with all the other resources that I have looked at, it terminates just short of the winning post.

Wilbur