How to validate LTPA token in a WAS java application?
Hi, all:
How could I validate the current user identity? My application is deployed in WAS5.x and I want to implement SSO via LTPA. I know it's a token stored in the HTTP header, but how could I validate this token and get the current User ID from it? What's more, if the token has timed out, how could my application reply to the user's request? Log out this session or something else?
Blue Juice
Paul Ilechko 2005-09-17, 2:48 am
sunch_2002@hotmail.com wrote:
> Hi, all:
>
> How could I validate the current user identity? My application is
> deployed in WAS5.x and I want to implement SSO via LTPA. I know it's
> a token stored in the HTTP header, but how could I validate this token and
> get the current User ID from it? What's more, if the token has timed out,
> how could my application reply to the user's request? Log out this
> session or something else?
You don't validate the token, the container does. You don't get the
current userid from the token, you should use the standard J2EE methods
of asking the container for the user. See the J2EE spec for info on
getUserPrincipal() and getCallerPrincipal().

If the LTPA token expires there will automatically be a challenge issued
of whatever type you have configured - basic, form based or
certificate. WebSphere takes care of this automatically.

Expiration of a security token has nothing to do with expiration of the
HTTP Session, they have completely independent lifecycles.
Can you give me some examples about how to handle LTPA timeout? Can I redirect the login form to a special page?
Paul Ilechko 2005-09-19, 6:04 pm
sunch_2002@hotmail.com wrote:
> Can you give me some examples about how to handle LTPA timeout? Can I redirect the login form to a special page?
The only way I know that you might be able to tell that you're in a
timeout rather than an initial login, is that in an initial login
situation there will be no jsessionid cookie. You could write a servlet
filter to check for this.
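
The servlet filter suggested in the reply above, as an added example that is not part of the original thread and is not WebSphere's own code. It assumes the filter is mapped in web.xml to the form-login page and that the container invokes filters for that page; the class name `LoginReasonFilter`, the page `/reloginAfterTimeout.jsp` and the cookie name `JSESSIONID` are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;

/** Servlet 2.3 style filter (no generics or annotations), mapped to the login page. */
public class LoginReasonFilter implements Filter {
    // Assumed names, not taken from the thread.
    private static final String SESSION_COOKIE = "JSESSIONID";
    private static final String TIMEOUT_PAGE = "/reloginAfterTimeout.jsp";

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        // Identity comes from the container; the application never parses the LTPA token.
        boolean authenticated = http.getUserPrincipal() != null;
        if (!authenticated && hasSessionCookie(http)) {
            // A session cookie without a principal suggests a re-challenge after
            // token expiry rather than a first visit. The cookie is client-supplied,
            // so this only selects which page to show; it grants no access.
            http.getRequestDispatcher(TIMEOUT_PAGE).forward(req, res);
            return;
        }
        chain.doFilter(req, res); // first login, or already authenticated
    }

    static boolean hasSessionCookie(HttpServletRequest http) {
        Cookie[] cookies = http.getCookies(); // null when the request carries no cookies
        if (cookies == null) {
            return false;
        }
        for (int i = 0; i < cookies.length; i++) {
            if (SESSION_COOKIE.equalsIgnoreCase(cookies[i].getName())) {
                return true;
            }
        }
        return false;
    }
}
```

The timeout page should carry the same login form, so the container's configured challenge still performs the authentication.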