java websphere ltpa

Websphere 9, how to check incoming ltpatoken2


Good day. I have an incoming request to my application, based on WebSphere 9, with an ltpatoken2 cookie. Previously, the LTPA key was exported from my WebSphere and added to another server. The Application security option was enabled. How can I check, in WebSphere or in my application, that the token exists and is correct? And my application should not be available for requests without a token.


Solution

  • In WebSphere 9, if a request contains an LTPA cookie, the LTPA cookie will be processed automatically. Inside your application code, if you call the API com.ibm.websphere.security.auth.WSSubject.getRunAsSubject(), you will see a subject created from the LTPA token if the LTPA token is present and is also valid.

    And you will see an unauthenticated subject if the LTPA token is missing or invalid. Or inside your application, if you call HttpServletRequest.getPrincipal().getName(), you will see the user name represented by the LTPA cookie if it is present and valid, and you will see the principal name or the unauthenticated user name if the LTPA token is missing or invalid.
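An added example, not part of the original answer: a servlet filter that rejects any request for which WebSphere did not establish an identity. It never parses the cookie itself and relies on the container's own LTPA validation. Assumptions: the class name is hypothetical, the standard servlet call `getUserPrincipal()` is used for the principal lookup, the unauthenticated user is reported as `UNAUTHENTICATED`, and an authenticated run-as subject carries at least one principal.

```java
import java.io.IOException;
import java.security.Principal;
import javax.security.auth.Subject;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.ibm.websphere.security.WSSecurityException;
import com.ibm.websphere.security.auth.WSSubject;

// Hypothetical filter (added example); mapped to every URL of the application.
@WebFilter("/*")
public class RequireLtpaIdentityFilter implements Filter {

    // Assumption: the name WebSphere reports for a caller without a valid identity.
    private static final String UNAUTHENTICATED = "UNAUTHENTICATED";

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (!isAuthenticated((HttpServletRequest) req)) {
            // Fail closed: missing, expired or forged tokens all end up here.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        chain.doFilter(req, res);
    }

    // True only when the container validated the token and built an identity from it.
    static boolean isAuthenticated(HttpServletRequest request) {
        Principal user = request.getUserPrincipal();
        if (user == null || user.getName() == null
                || UNAUTHENTICATED.equalsIgnoreCase(user.getName())) {
            return false;
        }
        try {
            // Assumption: an authenticated subject has at least one principal.
            Subject subject = WSSubject.getRunAsSubject();
            return subject != null && !subject.getPrincipals().isEmpty();
        } catch (WSSecurityException e) {
            return false; // treat a lookup failure as unauthenticated
        }
    }

    @Override
    public void destroy() { }
}
```

Checking only that an LtpaToken2 cookie is present would accept forged or expired values, which is why the filter asks the container for the resulting identity instead.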