angapi

Token is for: u:user\:wpsldap\:389/uid=vagarwal,cn=people,dc=organizationName,dc=com
Token expires at: 2008-08-21-18:26:19 CDT

Full token string : u:user\:wpsldap\:389/uid=vagarwal,cn=people,dc=organizationName,dc=com%1219361179281%dI8CxUr7Xc4O2bPp57g0KMbRgQQs00IcJf+EoQUcaZuz8i7SOp08Uq4tikwcJ5xIgwhSeWLFIuW9VAjZe2Ux5FIU+znrQxkXZKrD3IdwLyMcJ/K1chog7YqqExQm4M0n3j6p+SYysBIKCmx545p4Q5TLI+VMbBXtvFLnO+DY2qg=

So, once you get the username/expiration time, you can use that on the JBoss end to verify user identity/authentication.

Hope this helps!

Thanks for your really interesting article.

With this class I can decode the LTPA cookie. However what can we found inside it ? The idea is to use WebSphere portal with deployed portlets + LTPA (or other) as SSO + JBoss with deployed application which the portlets call.

However, I cannot figure how to integrate this LTPA stuffs with existing application based on JAAS. Have you got idea on that ?

Regards,
Denis.

Iam writing to you my deployment/design issue. please suggest me how i will be able to overcome the same.

The set up or the high level architecture is as follows

Websphere Portal Extend Suite is being used.

1. IBM HTTP Server
2. WPS 6.1 /WAS 6.1
3. WPS 5.0 /WAS 5.0
4. Tomcat 5.0
5. LDAP server
6. ADS for authentication and authorization for WAS

We have a IBM HTTP Server, which accepts requests from a user.
It is then redirected thru Iframes to WPS for authentication done thru ADS and LDAP.

Some applications are deployed in WAS 6.1.
There is an application BOSS 2 which was developed long back and it is simple jsp/java pages.
This was to be deployed to WAS as portlet and since they were not aware of
interportlet communication and use of session variables between these two applications.

They deployed it in Tomcat as simple jsp portlets. This application is called Boss2

Now the menus and sub menus for this application is loaded from WAS.

The issue is if I know the url for the pages this application can be accessed by anyone because its assumed authentication is done and if i know the username and the values to pass i can acess any page.

Problems

1. Sharing of session variables between portlets – how to do this?
2. How to prevent session variables being hijacked during penetration testing? Securing the Session variables
3. How to do authentication for Tomcat server?
4. How to do authorization for Boss2 application in Tomcat server so that only those menus/ submenus get loaded based on the user logged in and also based on the role available?

So now we need to do the same authentication and authorization for this Boss2 application as done for WAS.

Regards,
Vani

Iam writing to you my deployment/design issue. please suggest me how i will be able to overcome the same.

The set up or the high level architecture is as follows

Websphere Portal Extend Suite is being used.

1. IBM HTTP Server
2. WPS 6.1 /WAS 6.1
3. WPS 5.0 /WAS 5.0
4. Tomcat 5.0
5. LDAP server
6. ADS for authentication and authorization for WAS

We have a IBM HTTP Server, which accepts requests from a user.
It is then redirected thru Iframes to WPS for authentication done thru ADS and LDAP.

Some applications are deployed in WAS 6.1.
There is an application BOSS 2 which was developed long back and it is simple jsp/java pages.
This was to be deployed to WAS as portlet and since they were not aware of
interportlet communication and use of session variables between these two applications.

They deployed it in Tomcat as simple jsp portlets. This application is called Boss2

Now the menus and sub menus for this application is loaded from WAS.

The issue is if I know the url for the pages this application can be accessed by anyone.

Problems

1. Sharing of session variables between portlets – how to do this?
2. How to prevent session variables being hijacked during penetration testing? Securing the Session variables
3. How to do authentication for Tomcat server?
4. How to do authorization for Boss2 application in Tomcat server so that only those menus/ submenus get loaded based on the user logged in and also based on the role available?

So now we need to do the same authentication and authorization for this Boss2 application as done for WAS.

Regards,
Vani

agcuong

I want to implement SSO for websphere and Tomcat application servers. can you please tell me if this requires a domino server ? Also how i can implement the same in steps. would be grateful for the same..

After reading your article i thought i would be able to get more details from you.

Vani