
Client Authentication for EJB Using LTPA


David Page

Oct 15, 2003, 5:50:34 PM
Hello... I'm having a difficult time finding reference material regarding
JAAS based client authentication using a LTPA token. I've set authorization
levels in a session EJB that will be invoked by SSO participating external
clients in a secure manner. I'm able to access the EJB by creating a
LoginContext and then using the standard WSLogin module with the user name
and credentials passed into the CallbackHandler object, but I can't get the
damn LtpaToken cookie to be accepted by the byte[] constructor of the
CallbackHandler. Do I have to decrypt it beforehand using the LTPA key? I
found some classes in the com.ibm.ws.security.ltpa package (which I think
are used by the ltpaLogin module) but I can't find a shred of documentation
on using any of these classes. One of them is named LTPAToken and accepts a
String as a parameter to its constructor. I tried passing both the
LTPAToken and (Cookie.getValue().getBytes()) into the CallbackHandler but I
get a message stating that it's missing the authentication information.
What a headache. Am I going about this entirely the wrong way? I've seen
some messages about authentication taking place when the InitialContext is
first created by setting properties in the context environment, but the
limited number of examples that I have found all use JAAS for remote
authentication. Any help would be greatly appreciated.

Thanks in advance.

David Page


David...@dps.state.la.us

Oct 31, 2003, 1:48:30 PM
For anyone interested (which if based on the number of replies thus far,
I'm going to guess is a whopping grand total of 0), I found a working
solution to this problem. Because of the overwhelming lack of
documentation for this procedure, I had to decompile IBM's source code and
dig around in their security API until I found a class that handles the
creation of the LTPACookie that is stored in the browser when the user is
authenticated. Without getting into too much detail, you can use the
'LtpaToken' cookie with the WSCallbackHandlerImpl class by passing the
cookie.getValue().getBytes() into the decode(byte[]) method of a class
called Base64Coder found in the com.ibm.ws.security.util package. The
decode method returns a byte array which is then fed into the byte[]
constructor of the WSCallbackHandlerImpl class.

//relevant imports
import java.security.PrivilegedAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.http.Cookie;
import com.ibm.websphere.security.auth.WSSubject;
import com.ibm.websphere.security.auth.callback.WSCallbackHandlerImpl;
import com.ibm.ws.security.util.Base64Coder;

//This was an inner class that I defined to handle the execution of the
//secured EJB call. run() executes under the Subject handed to WSSubject.doAs().
class RMIAction implements PrivilegedAction {
    public Object run() {
        try {
            //create an instance of the EJB and call the protected method
            return whatever; //placeholder for the value the EJB method returns
        } catch (Exception e) {
            e.printStackTrace();
            return null;
        }
    }
}

//This is the code within the servlet that handles the JAAS mumbo jumbo
//(creation of the LoginContext and CallbackHandler, etc...)
//'req' is the servlet's HttpServletRequest.
Cookie[] cookies = req.getCookies();
Cookie ltpaCookie = null;

//look for the LtpaToken cookie that the SSO login placed in the browser
if (cookies != null) {
    for (int i = 0; i < cookies.length; i++) {
        if (cookies[i].getName().equals("LtpaToken")) {
            ltpaCookie = cookies[i];
            break;
        }
    }
}

if (ltpaCookie != null) {
    try {
        //the cookie value is base64 text; decode it to the raw token bytes
        //that the byte[] constructor of the callback handler expects
        WSCallbackHandlerImpl cbHandler = new WSCallbackHandlerImpl(
            Base64Coder.base64Decode(ltpaCookie.getValue().getBytes()));
        LoginContext lc = new LoginContext("WSLogin", cbHandler);
        lc.login();

        //run the EJB call as the authenticated Subject
        Subject sub = lc.getSubject();
        ejbReturnData = (EJBReturnDataType) WSSubject.doAs(sub, new RMIAction());
    } catch (LoginException e) {
        //the token was rejected (expired, tampered, or signed with another
        //cell's LTPA key); treat the caller as unauthenticated
        e.printStackTrace();
    }
}

A severe limitation of this is that the client application (the one which
the servlet above is running on) must be on the same domain as the server
that issued the LTPA cookie. If the client application is on a different
domain, then I don't think the cookie will be passed in the request to the
servlet. You could probably take care of this by storing the cookie
value as a session attribute when it is returned in the initial login
response header. Anyway, I'm still kind of new to all this, so if anyone
has an easier method of implementation, finds any problems with this, or
has any questions, then please feel free to post your comments. Uh, sorry
about digging around in your security module IBM, but the clock was
ticking and I was running out of options.

David Page
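As an added example (not code from the thread and not IBM's own), here is the flow above written as a complete servlet. It looks for the LtpaToken cookie, falls back to a copy kept in the HTTP session (the cross-domain workaround suggested in the post), performs the WSLogin JAAS login, and runs the EJB call as the resulting Subject. A missing or rejected token produces a 401 instead of a stack trace in the response, and nothing about the token is echoed back to the client. The session attribute name and the callProtectedEjb() method are assumptions for illustration; WSCallbackHandlerImpl(byte[]), Base64Coder.base64Decode(byte[]) and WSSubject.doAs(Subject, PrivilegedAction) are the calls named in the post.

```java
import java.io.IOException;
import java.security.PrivilegedAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import com.ibm.websphere.security.auth.WSSubject;
import com.ibm.websphere.security.auth.callback.WSCallbackHandlerImpl;
import com.ibm.ws.security.util.Base64Coder;

// Added example servlet: LTPA cookie -> JAAS login -> EJB call under the Subject.
public class LtpaEjbServlet extends HttpServlet {

    // Hypothetical session attribute holding a copy of the token value, so a
    // client app on another domain (where the cookie is not sent) still works.
    private static final String TOKEN_ATTR = "ltpaTokenValue";

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String token = findLtpaToken(req);
        if (token == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "not authenticated");
            return;
        }

        Subject subject;
        try {
            subject = loginWithLtpa(token);
        } catch (LoginException e) {
            // Expired, tampered or foreign-key token: log the reason server-side,
            // drop the cached copy so it is not retried, and answer with a bare 401.
            log("LTPA login rejected: " + e.getMessage());
            HttpSession session = req.getSession(false);
            if (session != null) {
                session.removeAttribute(TOKEN_ATTR);
            }
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "not authenticated");
            return;
        }

        // Everything inside run() executes as the authenticated user, so the
        // EJB's method-level authorization sees that identity, not the servlet's.
        Object result = WSSubject.doAs(subject, new PrivilegedAction() {
            public Object run() {
                return callProtectedEjb();
            }
        });
        resp.setContentType("text/plain");
        resp.getWriter().println(result);
    }

    // Prefer the live cookie; when present, refresh the session copy. Fall back
    // to the session copy when the cookie was not sent (different domain).
    private String findLtpaToken(HttpServletRequest req) {
        Cookie[] cookies = req.getCookies();
        if (cookies != null) {
            for (int i = 0; i < cookies.length; i++) {
                if ("LtpaToken".equals(cookies[i].getName())) {
                    String value = cookies[i].getValue();
                    req.getSession(true).setAttribute(TOKEN_ATTR, value);
                    return value;
                }
            }
        }
        HttpSession session = req.getSession(false);
        return session == null ? null : (String) session.getAttribute(TOKEN_ATTR);
    }

    // The cookie value is base64 text; the callback handler wants the raw bytes.
    // Validation (signature check against the cell's LTPA key, expiry) is done by
    // the WSLogin module itself, which is why a bad token surfaces as LoginException.
    private Subject loginWithLtpa(String base64Token) throws LoginException {
        byte[] raw = Base64Coder.base64Decode(base64Token.getBytes());
        LoginContext lc = new LoginContext("WSLogin", new WSCallbackHandlerImpl(raw));
        lc.login();
        return lc.getSubject();
    }

    // Hypothetical placeholder: look up the session bean and invoke the protected
    // method here; the real return type depends on the application.
    private Object callProtectedEjb() {
        return "ejb call placeholder";
    }
}
```

The session copy lives exactly as long as the servlet container's session, so invalidating the session on logout also discards the token; keeping the copy only in the server-side session (never in a second cookie or a URL) avoids creating a new place for the token to leak.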

David Page

Nov 4, 2003, 2:10:41 PM
Corrections:

1) Omit the following line from the RMIAction class:
InvoiceForPmtRespDto[] invoices = null;

2) The decode(byte[]) method described in the paragraph below should be
base64Decode(byte[]).
The example code is correct and does not need to be changed.

<David...@dps.state.la.us> wrote in message
news:bnuapu$9que$1...@news.boulder.ibm.com...
