awpl

BusinessSpace and Custom J2EE Application - how to share container LTPA's?

2010-12-09T10:30:21Z
Hi All,

I'm currently using a custom JSP / J2EE application to launch a FileNet workflow. So far, no authentication module is used in my J2EE application, so anyone can directly call my JSP, fill in the details and click the launch button, and it launches the workflow in FileNet. (This custom application reads the user ID and password from a property file.)

Consider: the user directly calls the URL http://fnserver:9080/clientservices/launchWorkflow.jsp

The question is:

How can I share the LTPA token between BusinessSpace / ECM Widget and my custom J2EE application, so that my application launches the workflow and sets the owner as the logged-in user from Business Space?

Any other idea, code snippet or reference URL would be much appreciated.

Thanking you
Prakash
  • drdamour

    Re: BusinessSpace and Custom J2EE Application - how to share container LTPA's?

    2010-12-10T22:30:32Z
    This is a complicated issue, but what you're looking for can be done.

    First you need to authenticate to the JEE container, and not the application. BusinessSpace & WorkplaceXT do this by default, Workplace does not. This will set up your LTPA identity token in the form of a cookie. You can see this cookie if you sniff the HTTP traffic with a tool like Fiddler.

    The next thing is you have to make sure WebSphere provides the identity to your application. I bet this is where your problem is, as by default WebSphere won't provide LTPA identity to a web module unless the resource is secured, as in your web.xml config file. If your resource is not secure, the request is treated as if it is from an anonymous user and you'll get the "no guest access" error when trying to connect to a P8 engine. You can make WebSphere provide the identity always by changing its configuration at Security->Global Security->Web and SIP security->General settings in WAS 7. If you check the "Use available authentication data when an unprotected URI is accessed" option, your LTPA identity will be available even if the URI is not secured. (FYI: certain FileNet applications instruct you to disable this checkbox, so it might not be compatible with all environments. Mashup Center requires it to be enabled, I believe, so there's some confusion here.)

    Finally, in your server code just don't supply the username/pw. The CE and PE API code has special checks to look for LTPA identity if you don't supply it, so your code is simply:

        Factory.Connection.getConnection(endpointURL)

    to get a connection with your LTPA identity.

    I am Just a new Boy,
    A Stranger in this Town,
    Where are All the Good Times,
    Who's Gonna Show this Stranger Around?
  • awpl

    Re: BusinessSpace and Custom J2EE Application - how to share container LTPA's?

    2010-12-14T07:20:38Z
    Many thanks, Chris.

    I've made it work.

    BusinessSpace sends a set of cookies when you call any custom application from it.

    In my custom app, I wrote the following code to extract the LtpaToken2:


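        // JSP scriptlet; needs <%@ page import="filenet.vw.api.VWSession" %>
        // Identity established by the container (null if the request is unauthenticated)
        out.println("User: " + request.getRemoteUser());

        // getCookies() returns null when the request carries no cookies
        final Cookie[] myCookies = request.getCookies();

        String ltpa = null;

        if (myCookies != null)
        {
            for (int i = 0; i < myCookies.length; i++)
            {
                if (myCookies[i].getName().equalsIgnoreCase("LtpaToken2"))
                {
                    ltpa = myCookies[i].getValue();
                    break;
                }
            }
        }

        // Log on to the Process Engine with the caller's LTPA token
        VWSession peSession = new VWSession();

        peSession.logonWithToken(ltpa, "PEConnectionPoint");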

    In web.xml:

        <security-role>
            <description>ALL_AUTHENTICATED</description>
            <role-name>ALL_AUTHENTICATED</role-name>
        </security-role>
        <security-constraint>
            <web-resource-collection>
                <web-resource-name>Resources</web-resource-name>
                <description></description>
                <url-pattern>/*</url-pattern>
                <http-method>GET</http-method>
                <http-method>POST</http-method>
            </web-resource-collection>
            <auth-constraint>
                <role-name>ALL_AUTHENTICATED</role-name>
            </auth-constraint>
        </security-constraint>

    Basically, you have to modify your custom application to do container authentication.
    Thanks a lot.

    Cheers!
    Prakash
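
Added example, not part of the thread: a small Python check of the web.xml posted above. Under the servlet specification, a `security-constraint` that lists `<http-method>` elements applies only to those methods, so the script reports which methods each constraint names and whether its roles are declared. The sample is the thread's fragment wrapped in a constructed `<web-app>` root, and the names `THREAD_WEB_XML`, `ALL_METHODS_WEB_XML`, `texts` and `audit_constraints` are this example's own.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the web.xml fragment from the thread inside a <web-app> root.
THREAD_WEB_XML = """<web-app>
  <security-role><role-name>ALL_AUTHENTICATED</role-name></security-role>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Resources</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>ALL_AUTHENTICATED</role-name></auth-constraint>
  </security-constraint>
</web-app>"""
# Same descriptor with the method list removed, so the constraint covers every method.
ALL_METHODS_WEB_XML = re.sub(r"\s*<http-method>\w+</http-method>", "", THREAD_WEB_XML)

def texts(parent, tag):
    """Stripped text of each direct child <tag> of parent (empty list if parent is None)."""
    if parent is None:
        return []
    return [c.text.strip() for c in parent.findall(tag) if c.text and c.text.strip()]

def audit_constraints(web_xml):
    """Return one finding per <web-resource-collection> in a web.xml string."""
    root = ET.fromstring(web_xml)
    for el in root.iter():                      # drop XML namespaces, if any
        el.tag = el.tag.rsplit("}", 1)[-1]
    declared = {n for sr in root.findall("security-role") for n in texts(sr, "role-name")}
    findings = []
    for sc in root.findall("security-constraint"):
        auth = sc.find("auth-constraint")
        roles = texts(auth, "role-name")
        for wrc in sc.findall("web-resource-collection"):
            methods = sorted(m.upper() for m in texts(wrc, "http-method"))
            issues = []
            if auth is None:
                issues.append("no auth-constraint: no login is required")
            if methods:
                issues.append("constraint applies only to " + ", ".join(methods))
            issues += ["role %s is not declared" % r for r in roles if r not in declared and r != "*"]
            findings.append({"patterns": texts(wrc, "url-pattern"), "methods": methods,
                             "roles": roles, "issues": issues})
    return findings

if __name__ == "__main__":
    for name, doc in (("thread", THREAD_WEB_XML), ("all methods", ALL_METHODS_WEB_XML)):
        print(name, audit_constraints(doc))
```
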
  • drdamour

    Re: BusinessSpace and Custom J2EE Application - how to share container LTPA's?

    2010-12-14T21:04:06Z
    That'll work for your limited use case, but as I mentioned, if your code is running in the already authenticated container, then you don't need to supply a token; the PE API handles it for you. This is the better approach because it hides you from some weird scenarios where the cookie name could change, or if the token was passed in the URL.
