LTPA and JAAS


Ann Kanu
Ranch Hand

Joined: Feb 01, 2004
Posts: 30
Could someone please explain what the difference between LTPA authentication mechanism and JAAS custom login is?
Kyle Brown
Ranch Hand

Joined: Aug 10, 2001
Posts: 3892
First of all, read the WebSphere 5.0 Security handbook. This explains everything.

Now, the short answer is that you (as a programmer) don't do anything with LTPA -- LTPA is the mechanism that WebSphere uses to validate a user's credentials AFTER they have been authenticated. Authentication in WebSphere happens in a number of ways -- most commonly through one of the mechanisms declared in the web.xml deployment descriptor (form based login, or HTTP basic authentication, for instance).

However, if you need (for some reason) to be able to log in from somewhere OTHER than a web application, such as a Java Swing application, then you would use the JAAS LoginModule API in WebSphere to do so.


Kyle Brown, Author of Persistence in the Enterprise and Enterprise Java Programming with IBM Websphere, 2nd Edition
See my homepage at for other WebSphere information.
Ann Kanu
Ranch Hand

Joined: Feb 01, 2004
Posts: 30
Thanks Kyle. I will start with the security handbook.
Shaun Ashdowne

Joined: Jan 20, 2009
Posts: 1
I have been searching for what should be a simple answer.
We are about to have an environment with WebSEAL, IBM HTTP Server and WebSphere Application Server.

This will be configured where WebSEAL will:
* determine if a URI requires authentication
* provide the user/password page
* authenticate the user
* create an LTPA token
* pass the token to WAS
* pass protected page back to WebSEAL

This is described in 13.3.3 of the "WebSphere Application Server v6.1 Security Handbook" Redbook.

My question is:
Once WebSphere has a session with credentials (userID), how does an application access the userID?
