

Websphere 9, how to check incoming ltpatoken2

Good day. I have an incoming request to my application based on websphere 9 with ltpatoken2 cookie. Previously, the ltpa key was exported from my websphere and added to another server. The option Application security was enabled. How I can check, at websphere or at my application, that the token exists and is correct? And my application should not be available for requests without token.

There's no API to inspect that token, but you can test it implicitly. You can capture browser traffic with Firefox or Chrome developer tools, then after successful login, using either the browser tools or curl, send a modified request without the cookie, or with a bad cookie value, and you should get an authentication challenge since the cookie's not there.

In WebSphere 9, if the request contains an LTPA cookie, the LTPA cookie will be processed automatically. Inside your application code, if you call the API `com.ibm.websphere.security.auth.WSSubject.getRunAsSubject()`, you will see a subject created from the LTPA token if the LTPA token is present and is also valid.

And you will see an unauthenticated subject if LTPA is missing or invalid. Or inside your application, if you call `HttpServletRequest.getUserPrincipal().getName()`, you will see the user name represented by the LTPA cookie if it is present and valid, and you will see the principal name or the unauthenticated user name if LTPA is missing or invalid.

The easiest would be to just add security constraints to your web.xml protecting the whole application (you will find many examples), and map the security role to All authenticated. Then your application will be available only if the user is already logged in (so the LTPA token exists and is correct); otherwise it will redirect you to a login page that you can include in your application, and redirect the user somewhere, informing him that he is not logged in, or whatever you want to do in case there is no valid LTPA token.
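The web.xml approach from the last answer, written out as an added example that is not part of the original post: a security constraint over the whole application, a form login for requests that carry no valid LTPA token, and the WebSphere binding that maps the role to all authenticated users. The role name `AuthenticatedUsers`, the login page paths and the use of `ibm-application-bnd.xml` are assumptions; the same role mapping can also be done in the admin console.

```xml
<!-- web.xml (inside <web-app>): every URL requires an authenticated caller -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Whole application</web-resource-name>
    <url-pattern>/*</url-pattern>
    <!-- no http-method listed, so the constraint covers all methods -->
  </web-resource-collection>
  <auth-constraint>
    <!-- assumed role name; only callers mapped to it are let through -->
    <role-name>AuthenticatedUsers</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- require TLS so the LtpaToken2 cookie is never sent in the clear -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<security-role>
  <role-name>AuthenticatedUsers</role-name>
</security-role>

<!-- where a request without a valid LTPA token is sent (assumed page paths) -->
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.html</form-login-page>
    <form-error-page>/login-failed.html</form-error-page>
  </form-login-config>
</login-config>

<!-- ibm-application-bnd.xml (EAR META-INF): map the role to All Authenticated -->
<application-bnd xmlns="http://websphere.ibm.com/xml/ns/javaee" version="1.0">
  <security-role name="AuthenticatedUsers">
    <!-- any subject WebSphere built from a valid LTPA token satisfies this -->
    <special-subject type="ALL_AUTHENTICATED_USERS"/>
  </security-role>
</application-bnd>
```

With this in place the check the first answer describes (replaying a request with the cookie removed or altered) should land on the login page instead of the application.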
