I’ve been at a couple of different client sites where there was a heavy IBM product presence, the use of IBM’s proprietary token format (LTPA2), and the need for a non-IBM technology such as JBoss EAP. Because LTPA2 is an IBM proprietary protocol, there is no direct support that the JBoss community can provide for LTPA2 tokens.
But do not give up! Last week, at JBoss World 2012, I presented a solution to this problem. The exact problem was framed as: “How can you build a JAAS Subject inside a JBoss container from an LTPAToken2 cookie that WebSEAL passed to it?” We were exploring how to integrate TAMeb (WebSEAL) with JBoss EAP 6.0, and we showed how this can be done by using Tivoli Federated Identity Manager’s (TFIM) Security Token Service (STS) to perform an LTPAv2-to-SAML2 token transformation via a WS-Trust ISSUE call.
Support for the WS-Trust and SAML2 specifications is provided to JBoss by the PicketLink project, the Identity Management project for JBoss. PicketLink adds support for a variety of security use cases (including Federated Identity Management) to PicketBox (JBossSX), the JBoss security subsystem.
PicketLink provides a JAAS login module, SAML2STSIssuingLoginModule, that uses PicketLink’s WS-Trust client API to make WS-Trust ISSUE calls to validate tokens. The login module can be configured to take various inputs (HTTP header values, cookie values, etc.) as the input token, so the same module handles an LTPAToken2 cookie or an iv-creds header as long as the STS accepts that token type.
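To make the wiring concrete, here is an added example (not from the presentation or the PicketLink project) of a JBoss EAP 6 security-domain stanza that puts SAML2STSIssuingLoginModule on a JAAS login stack and points it at the STS through a PicketLink `sts-client.properties`-style file. The options `configFile`, `roleKey` and `password-stacking`, and the property keys in the comment, are the ones documented for PicketLink’s SAML2STSLoginModule family; the domain name, file path, STS URL, service/port names and account are assumed placeholders, and the login-module package is assumed to match SAML2STSLoginModule’s. The option that selects which cookie or header is fed in as the input token is not named on the page, so it is left as a comment rather than guessed.

```xml
<!-- Added example: fragment of the security subsystem in standalone.xml (assumed domain name) -->
<security-domain name="webseal-sts-bridge" cache-type="default">
  <authentication>
    <!-- PicketLink login module that sends the incoming token to the STS in a WS-Trust ISSUE
         request and builds the JAAS Subject from the SAML2 assertion the STS returns.
         Package assumed to be the same as SAML2STSLoginModule's. -->
    <login-module code="org.picketlink.identity.federation.bindings.jboss.auth.SAML2STSIssuingLoginModule"
                  flag="required">
      <!-- STS endpoint, service/port names and the STS account are read from this file (assumed path) -->
      <module-option name="configFile" value="${jboss.server.config.dir}/sts-client.properties"/>
      <!-- Name of the attribute in the returned assertion that carries role names (assumed value);
           mapping roles from the assertion rather than from a local store keeps WebSEAL/TFIM the
           single authority for authorization data. -->
      <module-option name="roleKey" value="Role"/>
      <!-- Lets later modules on the stack reuse the identity this module established -->
      <module-option name="password-stacking" value="useFirstPass"/>
      <!-- The option that names the cookie (LTPAToken2) or header (iv-creds) to use as the input
           token is not given on the page; take its exact name from the PicketLink documentation. -->
    </login-module>
  </authentication>
</security-domain>

<!--
  sts-client.properties referenced above (assumed values; keys are PicketLink's STSClientConfig keys).
  The endpoint must be the TFIM STS over HTTPS, and the account is the one TFIM authorizes to
  request token exchanges:
    serviceName=ASSUMED-TFIM-STS-SERVICE-NAME
    portName=ASSUMED-TFIM-STS-PORT-NAME
    endpointAddress=https://tfim.example.invalid/TrustServer/SecurityTokenService
    username=ASSUMED-STS-CLIENT-USER
    password=ASSUMED-STS-CLIENT-PASSWORD
-->
```

Check the setup by putting the domain name in the web application’s `jboss-web.xml` `<security-domain>` element and confirming that a request carrying a WebSEAL-issued token produces a Subject with the expected roles, while a request without one is rejected by the container rather than falling through to another module on the stack.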
We have successfully integrated WebSEAL with JBoss using both LTPA2 tokens and ivcred tokens.
Check out the full presentation from JBoss World if you would like to know more.