I am using a distributed ObjectGrid topology in a WebSphere environment.
I am using RUN_AS_SUBJECT defined on a Servlet on the client application to authenticate with the ObjectGrid server. It uses the LTPA single sign-on token internally to authenticate. However, the LTPA token carries an expiration of 120 minutes by default. Every time I make a call to the ObjectGrid server my application logic needs to check if the token has already expired. If expired, it makes a new connection to the Catalog Server again.
I would like to know whether what I am doing is right by having to check the LTPA token expiration time for every call. If not, is there any better way to implement security?
Attached is the Java source file that handles the security and connects to the catalog server. Please start in the getMyGrid() method.
While we're on this subject - is it OK to hang onto the GridManager, ClientClusterContext or Grid objects (say in a Servlet Context) or is it better to get each of these for each incoming request? What would happen if you held onto the ClientClusterContext and somehow after you connect the connection is severed? Do you have to account for reconnection? Any thoughts?
We integrate natively with WebSphere LTPA. See this link http://publib.boulder.ibm.com/infocenter/wxsinfo/v7r0/index.jsp?topic=/com.ibm.websphere.extremescale.admin.doc/cxswassec.html for more details.
We'd recommend caching the ObjectGrid reference so that all you need to do on each servlet request is a grid.getSession().
Since you provide credentials when obtaining the ClientClusterContext upon gridManager.connect(.,credentials,.) - (which the original author says they do via extracting the runAs user's credentials)...BEFORE obtaining the Grid object... if those credentials are LTPA... won't that LTPA token time out?? (default is 120 minutes) ... and if so what happens then?
Just wondering if anyone else experienced this issue. (you get a grid reference securely using LTPA)... and hang onto it via app context... only to have the LTPA token expire and along with it... all access to a secured grid :(
Ideally, when the LTPA token expires, the server will throw an exception indicating the credential has expired. Upon receiving the exception, the client will re-generate the credential and pass it to the server.
However, currently there is a bug in this path. At this moment, we are actively working with our dependency to resolve this issue. When this issue is resolved, we will provide the fix via an iFix or the next version of WXS.
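
The pattern discussed in this thread (cache the grid reference, reconnect when the LTPA credential expires) can be sketched as follows. This is an added example, not code from any poster or from WXS: `Connector` and `CredentialExpiredException` are hypothetical stand-ins for the real credential-generation and connect calls and for whatever exception the server raises, and the 5-minute safety margin is an assumption.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.function.Function;

/** Caches one secured grid handle; reconnects when the credential is near expiry or rejected. */
public class CachedGridClient<G> {
    /** Hypothetical: regenerates the credential, connects to the catalog server, returns the grid. */
    public interface Connector<G> { G connect() throws Exception; }
    /** Hypothetical stand-in for the server's "credential expired" exception. */
    public static class CredentialExpiredException extends RuntimeException {}

    private final Connector<G> connector;
    private final Duration lifetime; // token lifetime, e.g. the 120-minute LTPA default
    private final Duration margin;   // reconnect this long before the token expires
    private G grid;
    private Instant connectedAt;

    public CachedGridClient(Connector<G> connector, Duration lifetime, Duration margin) {
        this.connector = connector; this.lifetime = lifetime; this.margin = margin;
    }

    // Proactive path: one timestamp comparison per request instead of a reconnect per request.
    private synchronized G current(Instant now) throws Exception {
        if (grid == null || !now.isBefore(connectedAt.plus(lifetime).minus(margin))) {
            grid = connector.connect();
            connectedAt = now;
        }
        return grid;
    }

    // Drop the handle only if another thread has not already replaced it.
    private synchronized void invalidate(G stale) { if (grid == stale) grid = null; }

    // Reactive path: if the server rejects the credential, reconnect once and retry.
    public <R> R call(Function<G, R> work) throws Exception {
        G g = current(Instant.now());
        try {
            return work.apply(g);
        } catch (CredentialExpiredException e) {
            invalidate(g);
            return work.apply(current(Instant.now())); // a second failure propagates
        }
    }

    public static void main(String[] args) throws Exception {
        int[] connects = {0};         // constructed demo: count reconnects
        boolean[] failOnce = {true};  // simulate one server-side expiry
        CachedGridClient<String> client = new CachedGridClient<>(
            () -> "grid#" + (++connects[0]), Duration.ofMinutes(120), Duration.ofMinutes(5));
        String result = client.call(g -> {
            if (failOnce[0]) { failOnce[0] = false; throw new CredentialExpiredException(); }
            return g;
        });
        System.out.println(result + " after " + connects[0] + " connects");
    }
}
```

Because the exception path is reported as unreliable in this thread, the proactive expiry check keeps the client working even when no expiry exception is thrown.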