com.ibm.portal.portlet.service.credentialvault.credentials
Interface LtpaTokenCredential

All Superinterfaces:
ActiveCredential, Credential, JaasSubjectCredential
All Known Implementing Classes:
LtpaTokenCredential

Deprecated. Since 8.5.

public interface LtpaTokenCredential
extends JaasSubjectCredential

Credential for authenticating at a back-end system that is within the same WebSphere SSO domain as the portal. This credential can be used to establish an authenticated outbound URL connection by associating the user's existing Ltpa cookie with that connection.

The Ltpa token credential can be retrieved via the vault service through

  CredentialVaultService.getLTPATokenCredential(String slotId, Map config, javax.portlet.PortletRequest request)

  where slotId = com.ibm.portal.portlet.service.credentialvault.CredentialVaultService.PREDEFINED_SLOT_USER_JAAS_SUBJECT;
  

Alternatively, the Ltpa token credential can be created by:
  1. CredentialFactory.createCredential(CredentialTypes.LTPA_TOKEN);
    See CredentialFactory

  2. Initialize the credential via the init(Map config) method

After retrieving the Ltpa token credential, establish the connection:
  1. Pass the URL to the method getAuthenticatedConnection() in order to get a URLConnection with the current Ltpa token(s) associated
  2. If necessary, set additional HTTP headers on the resulting URLConnection
  3. Send the request to a trusted server
Warning 1: Do not send the Ltpa cookie to servers outside the SSO domain! If those servers are hostile, they can use the Ltpa token data to impersonate the user represented by the Ltpa token and compromise the system.

Warning 2: This code does not respect the Secure attribute (as defined by RFC 2109) of the Ltpa cookie(s). Therefore, the code that uses the Ltpa token credential is responsible for deciding whether it is okay to send the token over unencrypted HTTP connections.
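
Both warnings can be enforced in calling code before the credential is asked for a connection. The class below is an added example, not part of the IBM API or of this documentation: LtpaTargetGuard, ConnectionSource and the example.com / evil.test host names are hypothetical, and ConnectionSource stands in for getAuthenticatedConnection(URL) so that the class compiles without the portal libraries.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.util.*;

/** Added example: decides whether a URL may receive the user's Ltpa cookie. */
public final class LtpaTargetGuard {
    // Assumption: placeholder SSO domain and back-end hosts; use your own values.
    private static final String SSO_DOMAIN = ".sso.example.com";
    private static final Set<String> TRUSTED_HOSTS = new HashSet<>(Arrays.asList(
            "backend1.sso.example.com", "backend2.sso.example.com"));

    /** Hypothetical stand-in for LtpaTokenCredential.getAuthenticatedConnection(URL). */
    public interface ConnectionSource {
        HttpURLConnection open(URL url) throws IOException;
    }

    /** Returns null when the URL may receive the token, otherwise the reason it may not. */
    public static String rejectReason(URL url) {
        // Warning 2: the credential ignores the cookie's Secure attribute, so the caller decides.
        if (!"https".equalsIgnoreCase(url.getProtocol()))
            return "not HTTPS";
        String host = url.getHost().toLowerCase(Locale.ROOT);
        if (host.endsWith(".")) host = host.substring(0, host.length() - 1);
        // Warning 1: compare with a leading dot so "evilsso.example.com" does not match.
        if (!host.endsWith(SSO_DOMAIN))
            return "host outside the SSO domain";
        if (!TRUSTED_HOSTS.contains(host))
            return "host not on the trusted list";
        return null;
    }

    public static HttpURLConnection open(ConnectionSource cred, String spec) throws IOException {
        URL url = new URL(spec);
        String reason = rejectReason(url);
        if (reason != null) throw new SecurityException(reason + ": " + url.getHost());
        HttpURLConnection con = cred.open(url);  // the token is attached only after the check
        con.setInstanceFollowRedirects(false);   // added precaution: a redirect must not pick the next host
        return con;
    }

    public static void main(String[] args) throws IOException {
        String[] samples = { // constructed inputs
            "https://backend1.sso.example.com/api", "http://backend1.sso.example.com/api",
            "https://backend1.sso.example.com.evil.test/", "https://evilsso.example.com/",
            "https://backend1.sso.example.com@evil.test/" };
        for (String s : samples) {
            String r = rejectReason(new URL(s));
            System.out.println(r == null ? "ALLOW " + s : "DENY  " + s + " (" + r + ")");
        }
    }
}
```

With the real credential, pass a ConnectionSource whose open(URL) delegates to getAuthenticatedConnection(URL). Only the first sample URL is allowed; the others fail on scheme or host.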

Preconditions:
See init(Map config)

NOTE: This API may only be used in the scope of an HTTP request in WebSphere Portal, i.e. within a theme. The API cannot be invoked directly by a custom servlet.

Since:
5.1.0.1

Field Summary
static java.lang.String HTTP_SERVLET_REQUEST
          Deprecated. The incoming HTTP request.
static java.lang.String LTPA_TOKEN_TYPE
          Deprecated. The name of the parameter in the VaultService.properties file to get the Ltpa Token configuration.
static java.lang.String LTPA_TOKEN_TYPE_VALUE_BOTH
          Deprecated. Constant indicating that both the old style Ltpa token and the Ltpa2 token are available.
static java.lang.String LTPA_TOKEN_TYPE_VALUE_DEFAULT
          Deprecated. Constant indicating that the default configuration is used, which means that exactly those Ltpa tokens available on the incoming request are forwarded.
static java.lang.String LTPA_TOKEN_TYPE_VALUE_LTPA_ONLY
          Deprecated. Constant indicating that only the old style Ltpa token is configured.
static java.lang.String LTPA_TOKEN_TYPE_VALUE_LTPA2_ONLY
          Deprecated. Constant indicating that only the Ltpa2 token is configured.
 
Fields inherited from interface com.ibm.portal.portlet.service.credentialvault.credentials.Credential
KEY_CREDENTIAL_SECRET
 
Method Summary
 java.net.HttpURLConnection getAuthenticatedConnection(java.lang.String url)
          Deprecated. Returns a new HttpURLConnection with added authentication data.
 java.net.HttpURLConnection getAuthenticatedConnection(java.net.URL url)
          Deprecated. Returns a new Http Url connection with added authentication data.
 void init(java.util.Map<java.lang.String,java.lang.Object> config)
          Deprecated. Initializes a new LtpaToken credential.
 
Methods inherited from interface com.ibm.portal.portlet.service.credentialvault.credentials.JaasSubjectCredential
getSecretType
 
Methods inherited from interface com.ibm.portal.portlet.service.credentialvault.credentials.ActiveCredential
isActive
 

Field Detail

LTPA_TOKEN_TYPE

static final java.lang.String LTPA_TOKEN_TYPE
Deprecated. 
The name of the parameter in the VaultService.properties file to get the Ltpa Token configuration.

Since:
6.0.1
See Also:
Constant Field Values

LTPA_TOKEN_TYPE_VALUE_LTPA_ONLY

static final java.lang.String LTPA_TOKEN_TYPE_VALUE_LTPA_ONLY
Deprecated. 
Constant indicating that only the old style Ltpa token is configured.

Since:
6.0.1
See Also:
Constant Field Values

LTPA_TOKEN_TYPE_VALUE_LTPA2_ONLY

static final java.lang.String LTPA_TOKEN_TYPE_VALUE_LTPA2_ONLY
Deprecated. 
Constant indicating that only the Ltpa2 token is configured.

Since:
6.0.1
See Also:
Constant Field Values

LTPA_TOKEN_TYPE_VALUE_DEFAULT

static final java.lang.String LTPA_TOKEN_TYPE_VALUE_DEFAULT
Deprecated. 
Constant indicating that the default configuration is used, which means that exactly those Ltpa tokens available on the incoming request are forwarded.

Since:
6.0.1
See Also:
Constant Field Values

LTPA_TOKEN_TYPE_VALUE_BOTH

static final java.lang.String LTPA_TOKEN_TYPE_VALUE_BOTH
Deprecated. 
Constant indicating that both the old style Ltpa token and the Ltpa2 token are available.

Since:
6.0.1
See Also:
Constant Field Values

HTTP_SERVLET_REQUEST

static final java.lang.String HTTP_SERVLET_REQUEST
Deprecated. 
The incoming HTTP request.

See Also:
Constant Field Values
Method Detail

init

void init(java.util.Map<java.lang.String,java.lang.Object> config)
          throws CredentialVaultException
Deprecated. 
Initializes a new LtpaToken credential. If you pass null for the JaasSubjectCredentialSecret when initializing this credential, the credential will get the current token(s) from the current WAS security context.

Specified by:
init in interface Credential
Specified by:
init in interface JaasSubjectCredential
Parameters:
config - The configuration needed to initialize this credential:
  • Key: KEY_CREDENTIAL_SECRET, value: JaasSubjectCredentialSecret.
    The credential's secret.
    This parameter is optional. If null, the current user's caller subject will be used.
    The JaasSubjectCredentialSecret can be obtained from the CredentialSecretFactory
    See Also: CredentialSecretFactory
  • Key: LTPA_TOKEN_TYPE, value: String.
    You should use LTPA_TOKEN_TYPE_VALUE_DEFAULT here, which means forward exactly those Ltpa tokens available on the incoming request. It is also possible to propagate only the Ltpa token, only the Ltpa2 token, or both tokens. The corresponding values are represented by the constants LTPA_TOKEN_TYPE_VALUE_LTPA_ONLY, LTPA_TOKEN_TYPE_VALUE_LTPA2_ONLY, and LTPA_TOKEN_TYPE_VALUE_BOTH (mandatory)
  • Key: HTTP_SERVLET_REQUEST, value: HttpServletRequest
    The incoming HTTP request (mandatory)
Throws:
CredentialVaultException - If any mandatory parameter is missing or has a wrong object type as value.
Since:
6.0.1 The key LTPA_TOKEN_TYPE is available.

getAuthenticatedConnection

java.net.HttpURLConnection getAuthenticatedConnection(java.net.URL url)
                                                      throws java.io.IOException
Deprecated. 
Returns a new Http Url connection with added authentication data.

Specified by:
getAuthenticatedConnection in interface JaasSubjectCredential
Parameters:
url - The target URL for the connection. Note that it need not be opened yet.
Returns:
HttpURLConnection A new authenticated (and yet uncommitted) connection
Throws:
java.io.IOException - thrown if anything unexpected happened

getAuthenticatedConnection

java.net.HttpURLConnection getAuthenticatedConnection(java.lang.String url)
                                                      throws java.io.IOException
Deprecated. 
Returns a new HttpURLConnection with added authentication data.

Specified by:
getAuthenticatedConnection in interface JaasSubjectCredential
Parameters:
url - The target URL for the connection
Returns:
HttpURLConnection A new authenticated (and yet uncommitted) connection.
Throws:
java.io.IOException - thrown if anything unexpected happened.