Passing HTTP session on WAS

    Passing HTTP session on WAS  


01-25-06 08:07 AM

Hi,
I need to pass a secure HTTP session from one application server and domain
(the company's web gateway - where authentication occurs) onto another
application server in a different domain (our application). Both servers are
running WebSphere 5.1. Is this possible? How?
Thanks,
Deon
dvaarde@momentum.co.za









    Re: Passing HTTP session on WAS  
Ben_


01-30-06 02:47 AM

I've been asked this kind of question several times, and it appears people
don't want to pass the HTTP session, but to pass some information that
happens to sit in the HTTP session.

You'd need to think the design again. Passing the HTTP session object is a
weird design. Notice it can contain non-serializable objects, so you could
be stuck at some point.

Session usually also contains stuff that's irrelevant for the functional /
business problem you need to solve. Be it technical data or business
information that's not necessary to the other server.

Depending on what you need, you could just pass a security token, a unique
id that the second application could use to query a back-end and get details
it needs, etc.

By making the two applications communicate, you definitely need to detail
the "protocol" and know what you are passing as information.

Just pushing a bulk of data to the next hop is not a good design. :-)










    Re: Passing HTTP session on WAS  


01-30-06 02:47 AM

I don't want to pass data from the one Session to another but rather the
security context to make sure the request comes from a reputable source. How
do you suggest can this security token be passed?
Thanks, Deon










    Re: Passing HTTP session on WAS  
Paul Ilechko


01-30-06 02:47 AM

dvaarde@momentum.co.za wrote:
> I don't want to pass data from the one Session to another but rather
> the security context to make sure the request comes from a reputable
> source.  How do you suggest can this security token be passed? Thanks,
> Deon
>
>


WebSphere already has a complete security infrastructure that includes
security tokens, and the ability to extend and customize them. Why are
you reinventing this?








    Re: Passing HTTP session on WAS  
Ben_


01-30-06 02:47 AM

As Paul said, there may already be what you need in WebSphere.

Do you trust the authentication made by the gateway?

If so, use the credentials it asserts.

If not, it's not an "authentication" gateway and you need to authenticate
the user.

It's not clear to me who / what you want to authenticate. Also, are the two
servers under your control?










    Re: Passing HTTP session on WAS  


01-30-06 02:47 AM

The authentication is done on a WebSphere server outside of our control and
domain. This server is trusted and creates a secure session for the user.
When the user accesses functionality on our part, this session / security
context needs to be passed on to our server so that we can trust & identify
the user. This could be a trivial question, but I'm not aware of WebSphere's
abilities regarding this. Thanks.








    Re: Passing HTTP session on WAS  


01-30-06 02:47 AM

Will Single Sign-On help you out here?








    Re: Passing HTTP session on WAS  
Paul Ilechko


01-30-06 02:47 AM

dvaarde@momentum.co.za wrote:
> The authentication is done on a WebSphere server outside of our
> control and domain. This server is trusted and creates a secure
> session for the user. When the user accesses functionality on our part,
> this session / security context needs to be passed on to our server
> so that we can trust & identify the user. This could be a trivial
> question, but I'm not aware of WebSphere's abilities regarding this.
> Thanks.

If the other WebSphere uses the same registry and LTPA keys you can
share the LTPA tokens across WAS instances, even across cells.

Otherwise, you can use a trust association interceptor (TAI) to
implement this model. Please see my paper at:

http://www-128.ibm.com/developerwor... />
antar.html
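
The trust model this thread converges on (a gateway the application trusts asserts who the user is, and the application validates that assertion before accepting it), sketched as an added example that is not part of any post and is not WebSphere's LTPA token format or TAI API. The class name, token layout and shared key are hypothetical, and it assumes Java 8 or later for `java.util.Base64`.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

// Added illustration: hypothetical class, not a WebSphere API and not the LTPA token format.
public class GatewayAssertion {
    private final byte[] key; // assumption: shared out of band by gateway and application
    public GatewayAssertion(byte[] sharedKey) { this.key = sharedKey.clone(); }
    private byte[] hmac(String data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
    }
    private static String b64(byte[] b) {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    // Gateway side: sign the user id and the expiry time together.
    public String issue(String userId, long expiresAtMillis) throws Exception {
        String payload = b64(userId.getBytes(StandardCharsets.UTF_8)) + "." + expiresAtMillis;
        return payload + "." + b64(hmac(payload));
    }

    // Application side: returns the asserted user id, or null when the token is rejected.
    public String verify(String token, long nowMillis) throws Exception {
        String[] parts = token == null ? new String[0] : token.split("\\.");
        if (parts.length != 3) return null;
        try {
            byte[] sent = Base64.getUrlDecoder().decode(parts[2]);
            // Signature first, in constant time, before any field is trusted.
            if (!MessageDigest.isEqual(hmac(parts[0] + "." + parts[1]), sent)) return null;
            if (Long.parseLong(parts[1]) <= nowMillis) return null; // past its expiry
            return new String(Base64.getUrlDecoder().decode(parts[0]), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) { // malformed base64 or expiry field
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        GatewayAssertion g = new GatewayAssertion("constructed-demo-key".getBytes(StandardCharsets.UTF_8));
        long now = System.currentTimeMillis();
        String token = g.issue("alice", now + 60_000);
        // Constructed tamper case: another user id spliced onto alice's expiry and signature.
        String spliced = b64("bob".getBytes(StandardCharsets.UTF_8)) + token.substring(token.indexOf('.'));
        System.out.println(g.verify(token, now) + " " + g.verify(token, now + 120_000) + " " + g.verify(spliced, now));
    }
}
```

A token like this only proves that a holder of the shared key issued it; it is still a bearer value, so it has to travel over TLS and carry a short expiry.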







