LTPA token propagation from App to Adapter to final service

Question

I'm trying to use and understand the use of LTPA security in worklight and the propagation of the LTPA cookie.

I'm able to authenticate agains the WAS and using a sniffer I can see that worklight returns me the LtpaToken2 cookie but when I invoke the HTTP Adapter, that invokes a service in other WAS in the same machine as the Worklight server, that adapter does not propagate the cookies.

I think I have set the right configuration. (At the end)

Is it possible to configure worklight server for automatically propagate the LTPA token from the app to the adapters and from the adapters to the final service?

If it is not possible to do it automatically how can I retrieve the Ltpa cookie inside the adapter code for add it to the headers parameter of the WL.Server.invokeHTTP() method.

This is my security configuration:

For it work I have had to add the login.html by hand in the customized war generated in worklight studio.

Application-descriptor:

<ipad bundleId="xxxx" securityTest="BPMApp-strong-mobile-securityTest" version="1.0">

Adapter-descriptor:

<procedure connectAs="endUser" name="getRest" securityTest="BPMAdapter-securityTest"/>

Security configuration:

<realm loginModule="WASLTPAModule" name="BPMAuthRealm"> 
    <className>com.worklight.core.auth.ext.WebSphereFormBasedAuthenticator</className>
    <parameter name="login-page" value="/login.html"/>
    <parameter name="error-page" value="/login.html"/>
    <parameter name="cookie-name" value="LtpaToken2"/>
</realm>

<loginModule name="WASLTPAModule" canBeResourceLogin="true" isIdentityAssociationKey="false">
    <className>com.worklight.core.auth.ext.WebSphereLoginModule</className>
</loginModule>

<mobileSecurityTest name="BPMApp-strong-mobile-securityTest">
    <testUser realm="BPMAuthRealm"/>
    <testDeviceId provisioningType="none"/>
</mobileSecurityTest>

<customSecurityTest name="BPMAdapter-securityTest">
    <test isInternalUserID="true" realm="BPMAuthRealm" isInternalDeviceID="true"/>
</customSecurityTest>

Thank you.

Answer 1

I believe this is what you're looking for:

function getCurrentUser() {
path = '/snoop';
var attributes = WL.Server.getActiveUser().attributes;
var token = "LtpaToken=" + attributes.get('LtpaToken');

var input = {
    method : 'get',
    returnedContentType : 'html',
    headers: {"Cookie": token},
    path : path
};

return WL.Server.invokeHttp(input);

}

This code snipped is from 5.0.3, so I think the syntax may have changed for getting the token from the attributes object in newer versions.

You may need to change:

var token = "LtpaToken=" + attributes.get('LtpaToken');

to:

var token = "LtpaToken=" + attributes['LtpaToken'];

But this is the idea. The adapter is not sending the cookie upon subsequent requests, however the cookie is available to the adapter through the user's 'attributes' object. It's only a matter of getting the cookie and adding it to the header upon each adapter invocation.