Scenario: We are trying to architect a web application suite such that multiple EARs can support single sign-on on WebSphere 6. We are trying to piece together security technologies WebSphere provides in a sensible manner.
* Custom JAAS Module for authentication.
* LTPA tokens dropped into cookies for single sign-on.
* Custom User Repository that resides in a database.
* Custom callback mechanism because we require more than username/password for authentication.
* When using LTPA tokens and SSO, WebSphere seems to require a _single_ user repository. We want to have a private repository for the suite, but do not wish to store users that can access the admin console, etc. Is there a way to do this? Can two groups of applications perform SSO, each with their own user repository?
* If we try to "hide" the user repository in the JAAS module, we end up not being able to generate the LTPA tokens. According to the documentation LTPA tokens can only be generated and be translated back when attached to a user repository.
* If we use a custom JAAS module, there seems to be no easy way to generate SSO tokens without implementing a bunch of token interfaces. Are there WebSphere JAAS modules that can be configured to work in tandem with our custom module?
* LTPA tokens seem to be closely associated with SOAP requests. Given that we have a simple web application suite, are we on the wrong track with the LTPA approach?
Any comments, opinions, examples and pointers to documentation/articles are much appreciated. We have already looked at the vast IBM library. (Unfortunately, they explain each technology in great detail, but leave you in the dark as to which pieces go together.)
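Added example, not from the original question and not IBM's code: a custom JAAS login module for a WebSphere 6 system login configuration (e.g. WEB_INBOUND) that collects a third factor through a custom callback and then hands the validated identity to the IBM-supplied modules stacked behind it (wsMapDefaultInboundLoginModule builds the WebSphere credential, ltpaLoginModule mints the LTPA token), so the custom module never has to implement the token interfaces itself. The OneTimeCodeCallback, the SuiteRepository stand-in with its constructed sample row, the realm name and the "user:realm/uid" / "group:realm/gid" unique-ID format are assumptions; the WSCREDENTIAL_* shared-state keys are the ones WebSphere 6's inbound identity mapping documentation describes on com.ibm.wsspi.security.token.AttributeNameConstants, and the unique IDs must match what the registry WebSphere is configured with returns.

```java
import java.io.IOException;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import com.ibm.wsspi.security.token.AttributeNameConstants;

/** Assumed extra factor beyond name/password; the front end's CallbackHandler must fill it in. */
class OneTimeCodeCallback implements Callback {
    private String code;
    public String getCode() { return code; }
    public void setCode(String code) { this.code = code; }
}

/** Custom module; configure it FIRST in the WEB_INBOUND stack, flag REQUIRED, ahead of the IBM modules. */
public class SuiteLoginModule implements LoginModule {
    /** Assumption: must equal the realm of the user registry WebSphere is configured with. */
    private static final String REALM = "suiteRealm";

    private CallbackHandler handler;
    private Map sharedState;
    private boolean succeeded;

    public void initialize(Subject subject, CallbackHandler handler, Map sharedState, Map options) {
        this.handler = handler;
        this.sharedState = sharedState;
    }

    public boolean login() throws LoginException {
        if (handler == null) throw new LoginException("no CallbackHandler supplied");
        NameCallback nameCb = new NameCallback("user: ");
        PasswordCallback pwCb = new PasswordCallback("password: ", false);
        OneTimeCodeCallback codeCb = new OneTimeCodeCallback();
        try {
            handler.handle(new Callback[] { nameCb, pwCb, codeCb });
        } catch (IOException e) {
            throw new LoginException("callback failed: " + e.getMessage());
        } catch (UnsupportedCallbackException e) {
            throw new LoginException("handler cannot supply " + e.getCallback().getClass().getName());
        }
        String user = nameCb.getName();
        char[] password = pwCb.getPassword();
        pwCb.clearPassword();
        try {
            if (!SuiteRepository.verify(user, password, codeCb.getCode())) {
                throw new FailedLoginException("bad credentials"); // same message for any failed factor
            }
        } finally {
            if (password != null) Arrays.fill(password, '\0'); // do not keep the secret in memory
        }
        // Hand the mapped identity to the IBM modules stacked after this one.
        // WSCREDENTIAL_GROUPS is an ArrayList of "group:realm/gid" strings (format assumed).
        ArrayList groups = new ArrayList();
        String[] names = SuiteRepository.groupsOf(user);
        for (int i = 0; i < names.length; i++) groups.add("group:" + REALM + "/" + names[i]);
        sharedState.put(AttributeNameConstants.WSCREDENTIAL_UNIQUEID, "user:" + REALM + "/" + user);
        sharedState.put(AttributeNameConstants.WSCREDENTIAL_SECURITYNAME, user);
        sharedState.put(AttributeNameConstants.WSCREDENTIAL_GROUPS, groups);
        // Cache key must be unique per distinct subject so cached credentials are not shared.
        sharedState.put(AttributeNameConstants.WSCREDENTIAL_CACHE_KEY, REALM + "/" + user);
        succeeded = true;
        return true;
    }

    public boolean commit() { return succeeded; }
    public boolean abort()  { succeeded = false; return true; }
    public boolean logout() { succeeded = false; return true; }
}

/** Stand-in for the database-backed repository (assumption); replace with JDBC lookups. */
class SuiteRepository {
    // Constructed sample row: user -> { SHA-256(password), one-time code, groups }.
    // Production data should hold a salted, iterated hash, not a bare digest.
    private static final Map USERS = new HashMap();
    static {
        USERS.put("alice", new Object[] { sha256("s3cret"), "482913", new String[] { "suiteUsers" } });
    }

    static boolean verify(String user, char[] password, String code) {
        Object[] row = (Object[]) USERS.get(user);
        if (row == null || password == null || code == null) return false;
        boolean pwOk = MessageDigest.isEqual((byte[]) row[0], sha256(new String(password)));
        boolean codeOk = MessageDigest.isEqual(((String) row[1]).getBytes(), code.getBytes());
        return pwOk && codeOk; // both evaluated so a failure does not reveal which factor was wrong
    }

    static String[] groupsOf(String user) {
        Object[] row = (Object[]) USERS.get(user);
        return row == null ? new String[0] : (String[]) row[2];
    }

    private static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes("UTF-8"));
        } catch (Exception e) {
            throw new IllegalStateException(e.toString());
        }
    }
}
```

The module only validates and fills the shared state; whether WebSphere can then issue and later decode the LTPA cookie depends on the configured registry being able to resolve the unique IDs written here, which is the single-registry constraint the question describes. Keep the IBM modules' order and flags as the server ships them and insert this one ahead of them in the WEB_INBOUND configuration; wire the OneTimeCodeCallback into the CallbackHandler your login form's servlet uses.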