Passing HTTP session on WAS
Hi,
I need to pass a secure HTTP session from one application server and domain (the company's web gateway, where authentication occurs) onto another application server in a different domain (our application). Both servers are running Websphere 5.1. Is this
possible? How?
Thanks,
Deon
dvaarde@momentum.co.za
I've been asked this kind of question several times, and it appears people
don't want to pass the HTTP session, but to pass some information that
happens to sit in the HTTP session.
You'd need to think the design again. Passing the HTTP session object is a
weird design. Notice it can contain non-serializable objects, so you could
be stuck at some point.
Session usually also contains stuff that's irrelevant for the functional /
business problem you need to solve. Be it technical data or business
information that's not necessary to the other server.
Depending on what you need, you could just pass a security token, a unique
id that the second application could use to query a back-end and get details
it needs, etc.
By making the two applications communicate, you definitely need to detail
the "protocol" and know what you are passing as information.
Just pushing a bulk of data to the next hop is not a good design. :-)
I don't want to pass data from the one Session to another but rather the security context to make sure the request comes from a reputable source. How do you suggest this security token can be passed?
Thanks, Deon
Paul Ilechko 2006-01-29, 9:47 pm
dvaarde@momentum.co.za wrote:
> I don't want to pass data from the one Session to another but rather
> the security context to make sure the request comes from a reputable
> source. How do you suggest this security token can be passed? Thanks,
> Deon
WebSphere already has a complete security infrastructure that includes
security tokens, and the ability to extend and customize them. Why are
you reinventing this?
As Paul said, there may already be what you need in WebSphere.
Do you trust the authentication made by the gateway?
If so, use the credentials it asserts.
If not, it's not an "authentication" gateway and you need to authenticate
the user.
It's not clear to me who / what you want to authenticate. Also, are the two
servers under your control?
The authentication is done on a Websphere server outside of our control and domain. This server is trusted and creates a secure session for the user. When the user accesses functionality on our part, this session / security context needs to be passed on to
our server so that we can trust & identify the user. This could be a trivial question, but I'm not aware of Websphere's abilities regarding this. Thanks.
Will Single Sign-On help you out here?
Paul Ilechko 2006-01-29, 9:47 pm
dvaarde@momentum.co.za wrote:
> The authentication is done on a Websphere server outside of our
> control and domain. This server is trusted and creates a secure
> session for the user. When the user accesses functionality on our part,
> this session / security context needs to be passed on to our server
> so that we can trust & identify the user. This could be a trivial
> question, but I'm not aware of Websphere's abilities regarding this.
> Thanks.
If the other WebSphere uses the same registry and LTPA keys you can
share the LTPA tokens across WAS instances, even across cells.
Otherwise, you can use a trust association interceptor (TAI) to
implement this model. Please see my paper at:
http://www-128.ibm.com/developerwor...8_benantar.html
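To make the trust-association model concrete, here is an added example (not code from the thread, WebSphere or IBM) of what the receiving side must check before it trusts an identity asserted by an upstream gateway: the assertion is signed with a key only the gateway and the application share, it has not been altered, and it has not expired. The shared HMAC key, token layout and 5-minute lifetime are constructed stand-ins for what WebSphere does with LTPA keys and tokens; a TAI plugs exactly this kind of validation into the WAS security runtime.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed shared secret: the analogue of an LTPA key set exported from the
# gateway cell and imported into the application cell. Never hard-code a real one.
SHARED_KEY = b"constructed-shared-secret-for-illustration"
TOKEN_TTL_SECONDS = 300  # assumed assertion lifetime


def gateway_issue_token(username: str, key: bytes = SHARED_KEY,
                        now: Optional[int] = None) -> str:
    """Gateway side: after authenticating the user, assert the identity
    to the downstream application as  user|expiry|hmac."""
    if "|" in username:
        raise ValueError("username must not contain the field separator")
    issued = int(time.time()) if now is None else now
    payload = f"{username}|{issued + TOKEN_TTL_SECONDS}"
    mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def app_validate_token(token: str, key: bytes = SHARED_KEY,
                       now: Optional[int] = None) -> Optional[str]:
    """Application side (the job of a trust association interceptor):
    return the asserted username only if the token is intact, was signed
    with the shared key, and is still within its lifetime; otherwise None,
    which means the request must be authenticated locally instead."""
    parts = token.split("|")
    if len(parts) != 3:
        return None
    username, expiry_str, mac = parts
    payload = f"{username}|{expiry_str}"
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison: a tampered field or a token signed by a
    # gateway whose key we do not share fails here.
    if not hmac.compare_digest(expected, mac):
        return None
    try:
        expiry = int(expiry_str)
    except ValueError:
        return None
    current = int(time.time()) if now is None else now
    if current >= expiry:
        return None  # stale assertion; do not establish trust
    return username
```

The application never accepts a bare username from the request: trust is established only by the signature plus freshness check, which is the difference between an "authentication gateway" and an untrusted upstream.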