Authentication for external data services

If your external data service needs to authenticate users, it must participate in the same single sign-on authentication configuration as the other IBM® Case Manager components, such as Case Manager Client or the IBM Case Manager REST protocol.

If Content Platform Engine and the external data service do not use the same WebSphere® Application Server profile, you must set up Lightweight Third Party Authentication (LTPA) security between the applications in WebSphere Application Server. Begin by exporting the LTPA key from the Content Platform Engine server.

The IBM Case Manager REST protocol passes one of the following headers to the external data service:
Basic: If basic authentication is used, the protocol passes an authorization header that contains the keyword Basic that is followed by the encoded user name and password pair.
LtpaToken2: If LTPA authentication is used, the protocol passes an LTPA token with the cookie LtpaToken2.

If the request contains either of these authentication values, WebSphere Application Server first authenticates the user against the LDAP server, if one is configured. WebSphere Application Server then sets up a JAAS subject in the calling context of the external data service. To retrieve this JAAS subject, you can use one of the WebSphere Application Server Java™ APIs. Alternatively, you can use the helper method javax.security.auth.Subject getAmbientSubject() that is defined for the UserContext class in the Content Engine Java API.
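One way for an external data service to consume the JAAS subject described above, as an added example that is not IBM's own code: a servlet filter that reads the caller subject through the WebSphere WSSubject API and rejects the request when the container established none, instead of parsing the Basic header or LtpaToken2 cookie itself. The class name and the eds.caller request attribute are hypothetical, and the filter assumes Servlet 3.0 or later with WebSphere application security enabled.

```java
import java.io.IOException;
import java.security.Principal;
import javax.security.auth.Subject;
import javax.servlet.*;
import javax.servlet.http.*;
import com.ibm.websphere.security.WSSecurityException;
import com.ibm.websphere.security.auth.WSSubject;

// Added example (hypothetical class name): fail-closed guard for an external data service.
public class CallerSubjectFilter implements Filter {
    public void init(FilterConfig cfg) {}
    public void destroy() {}

    // Report which credential transport the request carried, never its value,
    // so that passwords and LTPA tokens stay out of the logs.
    static String transport(HttpServletRequest req) {
        String authz = req.getHeader("Authorization");
        if (authz != null && authz.regionMatches(true, 0, "Basic ", 0, 6)) return "Basic";
        Cookie[] cookies = req.getCookies();
        if (cookies != null)
            for (Cookie c : cookies)
                if ("LtpaToken2".equals(c.getName())) return "LtpaToken2";
        return "none";
    }

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        Subject caller;
        try {
            caller = WSSubject.getCallerSubject(); // may be null if nobody was authenticated
        } catch (WSSecurityException e) {
            caller = null; // treat a lookup failure as unauthenticated
        }
        if (caller == null || caller.getPrincipals().isEmpty()) {
            req.getServletContext().log(
                "external data service: rejected request, transport=" + transport(req));
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Identity comes from the container-built subject, not from the raw header.
        Principal user = caller.getPrincipals().iterator().next();
        req.setAttribute("eds.caller", user.getName()); // hypothetical attribute name
        chain.doFilter(req, res);
    }
}
```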