Tags: jakarta-ee, servlets, websphere-8, ltpa

Get authorisation token after HttpServletRequest.login()


In our web application we need to store the authentication token (LtpaToken2 (WebSphere), JSESSIONID (Tomcat)) in an external datastore after a successful login. I was hoping to retrieve the token after a login on the HttpServletRequest object.

        LOG.debug("nr of cookies in request " + request.getCookies().length + " response header " + response.getHeaderNames().size());
        request.login(employee.getUsername(), employee.getPassword());
        URI uri = info.getBaseUri().resolve("/login2");
        LOG.debug("new uri is: '"+ uri + "' nr of cookies in request " + request.getCookies().length + " response header " + response.getHeaderNames().size());
        // Add the Higgs Cookie

The log output indicates an unchanged number of cookies and headers. Is there another way to retrieve the authentication token in the same request as the login is done, preferably platform independent? I probably can do a redirect and read the token out of the next request, but I'm afraid this will impose some extra security threats.


Solution

  • Any reason why you want to store that cookie? As it changes after a certain timeout, storing it doesn't provide much value. Below is code that you can use to access it from the request.

    The authentication token is a cookie, not a header. You have to access it using the following code (this code works in any page AFTER successful authentication):

    // getCookies() returns null (not an empty array) when the request carries no cookies
    Cookie[] cookies = request.getCookies();
    if (cookies != null) {
        for (Cookie c : cookies) {
            if ("LtpaToken2".equals(c.getName())) {
                // do something with the LTPA cookie
                out.println(c.getName() + " : " + c.getValue());
            }
        }
    }
    

    UPDATE
    To get the token in the servlet that performs the login, use the following code:

    import java.util.Base64;
    import java.util.Set;
    import com.ibm.websphere.security.auth.WSSubject;
    import com.ibm.wsspi.security.token.SingleSignonToken;

    // getRunAsSubject() throws the checked WSSecurityException; the caller has to handle it
    Set<Object> credentials = WSSubject.getRunAsSubject().getPrivateCredentials();
    for (Object credential : credentials) {
        if (credential instanceof SingleSignonToken) {
            SingleSignonToken token = (SingleSignonToken) credential;
            System.out.println(token.getName());
            System.out.println(token.getUniqueID());
            System.out.println(token.getPrincipal());
            // java.util.Base64 (Java 8+) is used here for the encoding
            System.out.println("LTPA Token encoded: " + Base64.getEncoder().encodeToString(token.getBytes()));
        }
    }
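Putting the answer's two snippets together, as an added example that is not code from the question or the answer: a hypothetical login servlet that calls request.login() and, in that same request, reads the LTPA token from the run-as subject (the cookie only exists on later requests). The servlet name, the request parameter names and the storeToken() hook for the external datastore are assumptions; the WebSphere classes are the ones named in the answer.

```java
import java.io.IOException;
import java.util.Base64;
import javax.security.auth.Subject;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.ibm.websphere.security.WSSecurityException;
import com.ibm.websphere.security.auth.WSSubject;
import com.ibm.wsspi.security.token.SingleSignonToken;

/** Hypothetical login servlet: authenticates, then reads the LTPA token in the same request. */
public abstract class LoginServlet extends HttpServlet {

    /** Hypothetical hook for the external datastore the question mentions. */
    protected abstract void storeToken(String user, String encodedToken);

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Servlet 3.0 programmatic login; throws ServletException on bad credentials
        req.login(req.getParameter("username"), req.getParameter("password"));

        // The LtpaToken2 cookie is only sent by the browser on later requests, so in
        // the login request itself the token has to come from the run-as subject.
        String token = tokenFromSubject();
        if (token == null) {
            resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "no SSO token found");
            return;
        }
        storeToken(req.getUserPrincipal().getName(), token);
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }

    /** WebSphere-specific path: the SingleSignonToken held in the run-as subject's private credentials. */
    static String tokenFromSubject() {
        try {
            Subject subject = WSSubject.getRunAsSubject();
            if (subject == null) return null;   // no authenticated subject on this thread
            for (Object cred : subject.getPrivateCredentials()) {
                if (cred instanceof SingleSignonToken) {
                    // java.util.Base64 (Java 8+) for the encoding, as in the answer's updated snippet
                    return Base64.getEncoder().encodeToString(((SingleSignonToken) cred).getBytes());
                }
            }
        } catch (WSSecurityException e) {
            return null;   // security context unavailable; treated as "no token"
        }
        return null;
    }
}
```

On pages served after the login, the cookie loop from the first snippet is the container-independent way to get the same value.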