Question

I have an EJB which makes a call to another server in the cell using HTTP (REST api).

In the EJB context the user is already authenticated and authorized; how can I propagate the security tokens to the other server, avoiding the need to provide credentials in the request?


Solution

It is possible to obtain WebSphere's Ltpa token from the security subject and pass it as a cookie for the HTTP call:

import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.Set;
import javax.security.auth.Subject;
import com.ibm.wsspi.security.token.SingleSignonToken;

// Find the LTPA single-sign-on token among the private credentials of the given
// Subject (for example the caller Subject of the current EJB invocation).
public static SingleSignonToken getSSOTokenFromSubject(final Subject subject) {
    if (subject == null) {
        return null;
    }
    // Reading private credentials needs a privileged block when Java 2 security is enabled.
    return AccessController.doPrivileged(new PrivilegedAction<SingleSignonToken>() {
        public SingleSignonToken run() {
            Set<SingleSignonToken> ssoTokens = subject.getPrivateCredentials(SingleSignonToken.class);
            for (SingleSignonToken ssoToken : ssoTokens) {
                if (ssoToken.getName().equals("LtpaToken")) {
                    return ssoToken;
                }
            }
            return null;
        }
    });
}

// Get cookie to add to outgoing HTTP requests ('subject' is the caller Subject)
SingleSignonToken ssoToken = getSSOTokenFromSubject(subject);

String ssoTokenStr = null;
if (ssoToken != null) {
    byte[] ssoTokenBytes = ssoToken.getBytes();
    ssoTokenStr = com.ibm.ws.util.Base64.encode(ssoTokenBytes);
}
// Only build the cookie when a token was found, otherwise the value would be "null"
String ssoTokenCookie = (ssoTokenStr != null) ? "LtpaToken2=" + ssoTokenStr : null;

By adding the ssoTokenCookie to the request cookies there is no need to provide user credentials.

OTHER TIPS

import javax.servlet.http.Cookie;
import com.ibm.websphere.security.WebSecurityHelper;

// Builds the LTPA SSO cookie from the SSO token of the current thread's subject
Cookie ltpaCookie = WebSecurityHelper.getSSOCookieFromSSOToken();

Extracts the SSO token from the subject of current thread and builds an SSO cookie out of it for use on downstream web invocations. Basically what the whole code in the post below does. This method is accessible from WAS 8.x I believe.

The following JAR is needed as a compile reference: com.ibm.ws.admin.client-8.5.0.jar
(I'm using WAS 8.5.5.11 for this example)
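Both answers stop at the point where the cookie string exists. The following is an added example, not code from either answer or from IBM, showing the step they leave implicit: attaching the cookie to an outgoing HttpURLConnection, and the two checks worth applying before doing so, since an LTPA token is a bearer credential that grants the caller's identity to whoever receives it. It assumes the raw token bytes obtained via SingleSignonToken.getBytes() (here replaced by constructed sample bytes), uses java.util.Base64 in place of com.ibm.ws.util.Base64 (same standard encoding), and takes a hypothetical trusted host suffix for the cell's SSO domain as a parameter. With the WebSecurityHelper variant, cookie.getName() + "=" + cookie.getValue() yields the same header value.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

/**
 * Added example: forwards an LTPA SSO cookie on an outbound HTTP call, but only
 * over TLS and only to a host inside the cell's single-sign-on domain.
 */
public class LtpaCookieForwarder {

    /** Cookie name WebSphere expects for an LTPA v2 token. */
    static final String COOKIE_NAME = "LtpaToken2";

    /** Builds the Cookie header value from the raw token bytes
     *  (the answer obtains these via SingleSignonToken.getBytes()). */
    static String cookieHeader(byte[] tokenBytes) {
        if (tokenBytes == null || tokenBytes.length == 0) {
            throw new IllegalArgumentException("no SSO token on the current subject");
        }
        // java.util.Base64 standard alphabet, same as the answer's com.ibm.ws.util.Base64
        return COOKIE_NAME + "=" + Base64.getEncoder().encodeToString(tokenBytes);
    }

    /** The token must travel only over HTTPS and only to a host that shares the
     *  cell's LTPA keys; the domain suffix is an assumed deployment value. */
    static boolean mayForwardTo(URL target, String trustedDomainSuffix) {
        return "https".equalsIgnoreCase(target.getProtocol())
            && target.getHost().toLowerCase().endsWith(trustedDomainSuffix.toLowerCase());
    }

    /** Opens the connection with the SSO cookie attached, refusing untrusted targets. */
    static HttpURLConnection openWithSso(URL target, byte[] tokenBytes, String trustedDomainSuffix)
            throws IOException {
        if (!mayForwardTo(target, trustedDomainSuffix)) {
            throw new IOException("refusing to forward LTPA token to " + target);
        }
        HttpURLConnection conn = (HttpURLConnection) target.openConnection();
        conn.setRequestMethod("GET");
        conn.setRequestProperty("Cookie", cookieHeader(tokenBytes));
        conn.setRequestProperty("Accept", "application/json");
        return conn;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample bytes standing in for SingleSignonToken.getBytes(); not a real token.
        byte[] sampleToken = "constructed-sample-token".getBytes(StandardCharsets.UTF_8);
        System.out.println(cookieHeader(sampleToken));
        System.out.println(mayForwardTo(new URL("https://app2.cell.example.com/api"), ".cell.example.com"));
        System.out.println(mayForwardTo(new URL("http://app2.cell.example.com/api"), ".cell.example.com"));
    }
}
```

The suffix check is deliberately strict: a token minted by the cell is only meaningful to servers that share its LTPA keys, so sending it anywhere else exposes the caller's identity for no benefit.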

Licensed under: CC-BY-SA with attribution