cancel
Showing results for 
Search instead for 
Did you mean: 

JAAS Loginmodule for Websphere

Former Member
0 Kudos
135

Hello,

i would write a JAAS Loginmodule for Websphere. Websphere should authenticate against the SAP Enterprise Portal. The module should use the SSO2 Cookie verifing libary.

Does anybody write a JAAS Module for Websphere or have a example for this?

Best Regards,

Patrick

http://www.unternehmensportale.biz

Message was edited by: Patrick Höfer

Accepted Solutions (0)

Answers (1)

Answers (1)

Former Member
0 Kudos

I haven't got a JAAS login module, but I was just working on a project were we needed SSO to domino and websphere.

The way it was solved was to use the SAP Logon ticket verifier for domino to convert the SAP logon ticket to an LTPA token, and this LTPA token was then setup to be accepted on websphere.

This was done on an "empty" iview which was included on the default framework page (so that it was done everytime the user logged on)

But you probably want to have it the other way around ?

Former Member
0 Kudos

> The way it was solved was to use the SAP Logon ticket

> verifier for domino to convert the SAP logon ticket

> to an LTPA token, and this LTPA token was then setup

> to be accepted on websphere.

> This was done on an "empty" iview which was included

> on the default framework page (so that it was done

> everytime the user logged on)

Hello Dagfinn,

thanks for your fast answer. The first paragraph i understand. You have a Domino verifyer that can check the SAPLogon Tickets.

But what did you done in the "empty" iView? An iView runs in the SAP Portal. But what is the job of the SAP Portal in your scenario? The Cookie validation was done by the Domino Server. For what you need the empty iView?

Best regards,

Patrick

Former Member
0 Kudos

Sorry, the empty iview was a bit mysterious

What the iview is doing is to fetch an 1x1 gif image which is on the domino server. This forces the generation of the LTPA token which is therefore given to the user directly after logon.

The reason why we need it, is that the user might access a page which references to websphere, before he has accessed any page on domino (which automatically creates the LTPA token). Without the "empty" iview the user would then not have the LTPA token (and there is no plugin for websphere to validate SAP logon tickets).

The reason why this solution was chosen was due to the fact the the LTPA SSO between domino and websphere allready existed.

A possible solution is to use the apache specific filter on the IBM http server in front of websphere (which is just a minor modified apache server) to convert the sap logon tickets. But I haven't heard of anyone doing this

Former Member
0 Kudos

Hello Dagfinn,

The reason why we need it, is that the user might

access a page which references to websphere, before

he has accessed any page on domino (which

automatically creates the LTPA token). Without the

"empty" iview the user would then not have the LTPA

token (and there is no plugin for websphere to

validate SAP logon tickets).

Ah, now i understand the strange "Empty iView" :-).

A possible solution is to use the apache specific

filter on the IBM http server in front of websphere

(which is just a minor modified apache server) to

convert the sap logon tickets. But I haven't heard of

anyone doing this

I see the Apache SSO-Cookie Filter in some presentations. But i didnt Found it here.

I think the Jaas login module for Websphere is the best solution. I do it this way.

Best regards,

Patrick

Message was edited by: Patrick Höfer

Former Member
0 Kudos

Hi Dagfinn,

how does the Websphere know for which User it has to issue the LTPA token ?

Do you have some more information about that ?

best regards,

Matthias Hlubek