09-17-05 07:48 AM
sunch_2002@hotmail.com wrote:
> Hi, all:
>
> How could I validate the current user identity? My application is
> deployed in WAS5.x and I want to implement SSO via LTPA. I know it's
> a token stored in the HTTP header, but how could I validate this token and
> get the current User ID from it? What's more, if the token has timed out,
> how could my application reply to the user's request? Log out this
> session or something else?

You don't validate the token; the container does. You don't get the
current userid from the token; you should use the standard J2EE methods
of asking the container for the user. See the J2EE spec for info on
getUserPrincipal() and getCallerPrincipal().

If the LTPA token expires there will automatically be a challenge issued
of whatever type you have configured - basic, form-based or
certificate. WebSphere takes care of this automatically.

Expiration of a security token has nothing to do with expiration of the
HTTP Session; they have completely independent lifecycles.
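
An added example, not part of the original reply: a servlet that asks the container for the caller via getUserPrincipal() and, because the HTTP session and the security token expire independently, discards session state left over from a different identity. The class name WhoAmIServlet and the session attribute "session.owner" are hypothetical, and the servlet is assumed to be mapped to a URL protected by a security-constraint in web.xml.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet; assumed to be mapped to a URL covered by a
// <security-constraint> in web.xml so the container authenticates first.
public class WhoAmIServlet extends HttpServlet {
    // Hypothetical session attribute recording who owns the session data.
    private static final String OWNER = "session.owner";

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // The container has already validated the token; just ask it.
        Principal caller = req.getUserPrincipal();
        if (caller == null) {
            // Only reachable if the URL is not protected by a constraint.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        String user = caller.getName();

        // The HTTP session can outlive the security token. If the user
        // re-authenticated under a different identity, discard the old state.
        HttpSession session = req.getSession(true);
        String owner = (String) session.getAttribute(OWNER);
        if (owner != null && !owner.equals(user)) {
            session.invalidate();
            session = req.getSession(true);
        }
        session.setAttribute(OWNER, user);

        resp.setContentType("text/plain");
        resp.getWriter().println("Authenticated as: " + user);
    }
}
```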