General J2EE: Rationalizing JAAS, SSO, LTPA, User Repositories on WebSphere 6

  1. Scenario: We are trying to architect a web application suite such that multiple EARs can support single sign-on on WebSphere 6. We are trying to piece together security technologies WebSphere provides in a sensible manner.

    Under consideration:
    * Custom JAAS Module for authentication.
    * LTPA tokens dropped into cookies for single sign-on.
    * Custom User Repository that resides in a database.
    * Custom callback mechanism because we require more than username/password for authentication.

    * When using LTPA tokens and SSO, WebSphere seems to require a _single_ user repository. We want to have a private repository for the suite, but do not wish to store users that can access the admin console, etc. Is there a way to do this? Can two groups of applications perform SSO, each with their own user repository?

    * If we try to "hide" the user repository in the JAAS module, we end up not being able to generate the LTPA tokens. According to the documentation LTPA tokens can only be generated and be translated back when attached to a user repository.

    * If we use a custom JAAS module, there seems to be no easy way to generate SSO tokens without implementing a bunch of token interfaces. Are there WebSphere JAAS modules that can be configured to work in tandem with our custom module?

    * LTPA tokens seem to be closely associated with SOAP requests. Given that we have a simple web application suite, are we on the wrong track with the LTPA approach?

    Any comments, opinions, examples and pointers to documentation/articles are much appreciated. We have already looked at the vast IBM library. (Unfortunately, they explain each technology in great detail, but leave you in the dark as to which pieces go together.)

    Thank you,

    Ferit Albukrek
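As an added illustration, not code from the post or from IBM, the following is what the "custom JAAS module with a custom callback" piece looks like in plain JAAS: a LoginModule that asks the CallbackHandler for a username, a password and a third factor via a custom Callback, verifies them through a pluggable store (the custom database repository the post mentions), and publishes the verified identity in sharedState for whatever module is stacked after it. The names SuiteLoginModule, OneTimeCodeCallback, CredentialStore, SuitePrincipal, the options key "suite.credentialStore" and the sharedState key "suite.verifiedUser" are assumptions for this example; the sharedState keys WebSphere's own modules read are documented in the WAS Information Center and are not reproduced here.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.Iterator;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

// Added example, not from the post. Written against the Java 1.4/5 APIs WAS 6 ships with
// (raw Map, no annotations). All class and key names below are assumptions.
public class SuiteLoginModule implements LoginModule {

    /** Custom Callback: carries the extra factor the handler must prompt for. */
    public static class OneTimeCodeCallback implements Callback {
        private char[] code;
        public void setCode(char[] c) { code = c; }
        public char[] getCode() { return code; }
    }

    /** Contract for the DB-backed repository; the store, not the module, owns password hashing. */
    public interface CredentialStore {
        boolean verify(String user, char[] password, char[] oneTimeCode);
    }

    /** Principal added to the Subject on commit. equals/hashCode make Set.contains() meaningful. */
    public static class SuitePrincipal implements Principal {
        private final String name;
        public SuitePrincipal(String n) { name = n; }
        public String getName() { return name; }
        public boolean equals(Object o) { return o instanceof SuitePrincipal && name.equals(((SuitePrincipal) o).name); }
        public int hashCode() { return name.hashCode(); }
        public String toString() { return "SuitePrincipal[" + name + "]"; }
    }

    private Subject subject;
    private CallbackHandler handler;
    private Map sharedState;
    private CredentialStore store;
    private String user;
    private boolean succeeded;   // login() passed
    private boolean committed;   // commit() added our principal

    public void initialize(Subject subject, CallbackHandler handler, Map sharedState, Map options) {
        this.subject = subject;
        this.handler = handler;
        this.sharedState = sharedState;
        // How the store reaches the module is deployment-specific; here it arrives via the options map.
        this.store = (CredentialStore) options.get("suite.credentialStore");
    }

    public boolean login() throws LoginException {
        if (handler == null) throw new LoginException("no CallbackHandler supplied");
        if (store == null) throw new LoginException("no credential store configured");
        NameCallback nameCb = new NameCallback("user: ");
        PasswordCallback passCb = new PasswordCallback("password: ", false);
        OneTimeCodeCallback codeCb = new OneTimeCodeCallback();
        try {
            handler.handle(new Callback[] { nameCb, passCb, codeCb });
        } catch (IOException e) {
            throw new LoginException("callback failed: " + e.getMessage());
        } catch (UnsupportedCallbackException e) {
            // The configured handler cannot prompt for the code: fail closed instead of skipping the factor.
            throw new LoginException("handler does not support " + e.getCallback().getClass().getName());
        }
        char[] pw = passCb.getPassword();   // returns a copy; both copies are wiped below
        char[] code = codeCb.getCode();
        try {
            if (nameCb.getName() == null || pw == null || code == null
                    || !store.verify(nameCb.getName(), pw, code)) {
                throw new FailedLoginException("authentication failed");   // one message for every cause
            }
        } finally {
            if (pw != null) Arrays.fill(pw, '\0');
            if (code != null) Arrays.fill(code, '\0');
            passCb.clearPassword();
        }
        user = nameCb.getName();
        succeeded = true;
        // Hand the verified identity to the modules stacked after this one (key name is constructed).
        sharedState.put("suite.verifiedUser", user);
        return true;
    }

    public boolean commit() {
        if (!succeeded) return false;
        SuitePrincipal p = new SuitePrincipal(user);
        if (!subject.getPrincipals().contains(p)) subject.getPrincipals().add(p);
        committed = true;
        return true;
    }

    public boolean abort() {
        if (!succeeded) return false;
        if (committed) logout(); else { user = null; succeeded = false; }
        return true;
    }

    public boolean logout() {
        for (Iterator it = subject.getPrincipals().iterator(); it.hasNext();) {
            if (it.next() instanceof SuitePrincipal) it.remove();
        }
        user = null; succeeded = false; committed = false;
        return true;
    }
}
```

The module deliberately fails if the handler cannot service the OneTimeCodeCallback, so a misconfigured login configuration degrades to "no login" rather than "password only", and it returns a single failure message regardless of which factor was wrong.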


  2. TAI

    We had similar problems when we tried integrating WebSphere Portal w/ our homebuilt authentication system (at least for web apps).

    If it's for web apps, take a look at the Trust Association Interceptor. It basically intercepts the authentication process and returns a subject. At least in our implementation, if the user did not exist in the current repository, we added said user (much easier to do when the repository is LDAP-based). The generated LTPA token (done by WAS later down the auth pipeline) works with all WAS servers, and SSO is achieved (IBM-specific products).
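To make the TAI route concrete, here is an added example (not the poster's code and not an IBM sample) of a Trust Association Interceptor that trusts a session cookie issued by a homebuilt login service, verifies its HMAC and expiry, and hands WAS only the user name; WAS then looks that name up in the configured registry and mints the LTPA token itself. The interface and TAIResult are the WebSphere SPI in com.ibm.wsspi.security.tai as I recall it for WAS 6 (check the signatures against the javadoc of your fix pack); the class name SuiteSessionTAI, the cookie name SUITE_SESSION, the property keys suite.hmacKey and suite.clockSkewSeconds, and the token layout are assumptions constructed for this example.

```java
import java.util.Properties;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.ibm.websphere.security.WebTrustAssociationException;
import com.ibm.websphere.security.WebTrustAssociationFailedException;
import com.ibm.wsspi.security.tai.TAIResult;
import com.ibm.wsspi.security.tai.TrustAssociationInterceptor;

// Added example, not from the post. Cookie name, property keys and the token
// format are constructed for illustration; the TAI interface is WebSphere's.
public class SuiteSessionTAI implements TrustAssociationInterceptor {

    private static final String COOKIE_NAME = "SUITE_SESSION";   // assumed cookie name
    private byte[] hmacKey;           // shared secret with the suite's login service
    private long clockSkewSeconds;    // tolerance applied to the expiry check

    // Called once by WAS with the custom properties configured on the interceptor.
    public int initialize(Properties props) throws WebTrustAssociationFailedException {
        String key = props.getProperty("suite.hmacKey");                          // assumed key
        if (key == null || key.length() < 32) {
            throw new WebTrustAssociationFailedException("suite.hmacKey missing or too short");
        }
        try {
            hmacKey = key.getBytes("UTF-8");
        } catch (java.io.UnsupportedEncodingException e) {
            throw new WebTrustAssociationFailedException("UTF-8 unavailable");
        }
        clockSkewSeconds = Long.parseLong(props.getProperty("suite.clockSkewSeconds", "60"));
        return 0;
    }

    // Only requests carrying the suite cookie are ours; everything else (the admin
    // console included) falls through to WAS's normal login challenge.
    public boolean isTargetInterceptor(HttpServletRequest req) throws WebTrustAssociationException {
        return findCookie(req) != null;
    }

    public TAIResult negotiateValidateandEstablishTrust(HttpServletRequest req, HttpServletResponse resp)
            throws WebTrustAssociationFailedException {
        String user = verify(findCookie(req), System.currentTimeMillis() / 1000);
        if (user == null) {
            // Missing, forged or expired: do not assert an identity; let WAS challenge the user.
            return TAIResult.create(HttpServletResponse.SC_UNAUTHORIZED);
        }
        // WAS resolves this name in the configured user registry and builds the LTPA token.
        return TAIResult.create(HttpServletResponse.SC_OK, user);
    }

    // Token layout (constructed): user|expiryEpochSeconds|hex(HMAC-SHA256(user|expiryEpochSeconds))
    String verify(String token, long nowSeconds) {
        if (token == null) return null;
        int lastBar = token.lastIndexOf('|');
        if (lastBar < 0) return null;
        String payload = token.substring(0, lastBar);
        String mac = token.substring(lastBar + 1);
        int bar = payload.indexOf('|');
        if (bar <= 0 || payload.indexOf('|', bar + 1) >= 0) return null;   // exactly "user|expiry"
        long expiry;
        try {
            expiry = Long.parseLong(payload.substring(bar + 1));
        } catch (NumberFormatException e) {
            return null;
        }
        if (nowSeconds > expiry + clockSkewSeconds) return null;           // expired
        if (!constantTimeEquals(hex(hmac(payload)), mac)) return null;     // forged or tampered
        return payload.substring(0, bar);
    }

    private byte[] hmac(String data) {
        try {
            Mac m = Mac.getInstance("HmacSHA256");
            m.init(new SecretKeySpec(hmacKey, "HmacSHA256"));
            return m.doFinal(data.getBytes("UTF-8"));
        } catch (Exception e) {
            throw new IllegalStateException("HMAC unavailable: " + e);
        }
    }

    private static String hex(byte[] b) {
        StringBuffer sb = new StringBuffer(b.length * 2);
        for (int i = 0; i < b.length; i++) {
            String h = Integer.toHexString(b[i] & 0xff);
            if (h.length() == 1) sb.append('0');
            sb.append(h);
        }
        return sb.toString();
    }

    // Compares the whole string regardless of where the first mismatch is.
    private static boolean constantTimeEquals(String a, String b) {
        if (a.length() != b.length()) return false;
        int diff = 0;
        for (int i = 0; i < a.length(); i++) diff |= a.charAt(i) ^ b.charAt(i);
        return diff == 0;
    }

    private static String findCookie(HttpServletRequest req) {
        Cookie[] cookies = req.getCookies();
        if (cookies == null) return null;
        for (int i = 0; i < cookies.length; i++) {
            if (COOKIE_NAME.equals(cookies[i].getName())) return cookies[i].getValue();
        }
        return null;
    }

    public String getVersion() { return "1.0"; }
    public String getType() { return getClass().getName(); }
    public void cleanup() { hmacKey = null; }
}
```

The interceptor never creates users itself (the reply's "add the user if missing" step is a separate repository operation); it only vouches for a name, which keeps the trust decision in one place and leaves token minting, registry lookup and the admin console's own login untouched.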