(WS 6.1) fat client wants to use authentication obtained with EJB also for web communication

Hi all,

I have given a standalone fat client F, a WebSphere server W (6.1) with servlet container W_Web and EJB2 container W_EJB, and an LDAP server L. F opens an SSL connection to W, authenticates towards W_EJB by username and password and then uses services provided by my SLSB over there. W contacts L for the authentication.

My key question is:

What do I have to do so that F, when it has authenticated successfully with W_EJB, can call W_Web such that W does not consult L a second time? (And of course, so that F cannot connect to W_Web when the authentication with W_EJB failed.)

This is somehow a reversed identity propagation.

I have three ideas to solve this problem.

1) When F logs into W_EJB, it uses a LoginContext. After successful authentication, the LoginContext has a Subject s which contains username and password. I could take username and password from s to make a Basic authentication with W_Web; however, I do not know whether W does contact L a second time.

2) Actually, I have tried (1), but I am not able to find out whether W contacts L a second time or not *). However, I have observed that the communication of F with W_Web contains an LTPA token (as a cookie), and that this token seems to contain information that F is authenticated. Therefore, if I could extract the LTPA token somehow from the communication with W_EJB, I could just send it to W_Web. However, I have read that an LTPA token is of no use in a non-container environment, and F is not running inside a container. Anyway (I dare say anyway, as F does receive an LTPA token when communicating with W_Web, so it is in a way useful on the fat side, F), I see no way to get hold of the LTPA token in the W_EJB communication - I do not even know whether an LTPA token is contained in the stream.

3) If I cannot see the LTPA token on the W_EJB communication, I could send a user-defined token and configure both W_EJB and W_Web login to produce and accept this token.

What is the correct, recommended approach? One of the three? Something else??

Best greetings,

*) This is because my development setup cannot use L. It falls back to the file-based authentication DB.
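
For idea (3), an added example (not part of the original post and not WebSphere code) of a user-defined token that the EJB side issues after a successful login and the web side verifies locally with a shared secret. It assumes Java 8 or later; the class, method names and demo key are hypothetical, and wiring it into the W_EJB and W_Web login configuration is not shown.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

// Hypothetical helper for idea (3); none of these names come from WebSphere.
public class SharedLoginToken {
    private static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder DEC = Base64.getUrlDecoder();
    private final byte[] key; // secret shared by the EJB-side issuer and the web-side verifier

    public SharedLoginToken(byte[] key) { this.key = key.clone(); }

    private byte[] hmac(String data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
    }

    // EJB side: call only after the username/password login has succeeded.
    public String issue(String user, long nowMillis, long ttlMillis) throws Exception {
        String payload = ENC.encodeToString(user.getBytes(StandardCharsets.UTF_8))
                + "." + (nowMillis + ttlMillis);
        return payload + "." + ENC.encodeToString(hmac(payload));
    }

    // Web side: returns the user name, or null if the token is malformed, forged or expired.
    public String verify(String token, long nowMillis) throws Exception {
        String[] p = token.split("\\.");
        if (p.length != 3) return null;
        byte[] given;
        try { given = DEC.decode(p[2]); } catch (IllegalArgumentException e) { return null; }
        // Check the MAC in constant time before trusting any field of the payload.
        if (!MessageDigest.isEqual(hmac(p[0] + "." + p[1]), given)) return null;
        if (Long.parseLong(p[1]) < nowMillis) return null; // past its expiry time
        return new String(DEC.decode(p[0]), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo key and user; a real key would be random and kept on the server only.
        SharedLoginToken t = new SharedLoginToken("constructed-demo-key".getBytes(StandardCharsets.UTF_8));
        long now = System.currentTimeMillis();
        String tok = t.issue("alice", now, 60_000);
        System.out.println(t.verify(tok, now));            // untouched token inside its lifetime
        System.out.println(t.verify(tok + "x", now));      // MAC altered in transit
        System.out.println(t.verify(tok, now + 120_000));  // presented after expiry
    }
}
```

The token carries no password, so a captured token is only usable until its expiry; it still has to travel over the SSL connection, because anyone who holds it can present it.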