Tags: websphere-liberty, open-liberty, ltpa

Ignore LtpaToken in WebSphere Liberty


My organization already has some web applications deployed on a liberty server, using its SSO, which sets an LtpaToken cookie for the entire intranet domain.

Now we are switching to OpenID Connect-authenticated, sessionless (JWT-secured) web applications.

Authentication is working fine - only the browser is involved - and authorization is also working fine (with feature mpJwt-1.1).

But when the user comes from another web application (within the same session), the browser sends the LtpaToken2 cookie and Liberty rejects the request with 401 (unauthorized).

I'd like to:

  1. completely ignore whichever LtpaToken cookie happens to come in the request (yes, completely ignore, as if it was never there, either valid or invalid, or expired or whatever, our new applications could never care less for the older SSO scheme);
  2. never ever generate an LtpaToken once the first request with a valid JWT token comes in.

EDIT

The 2nd point above is not really happening (to be clear, this new liberty server is not generating an LtpaToken).

I've managed to create an MWE, comprising (in fact so minimal that you only need the server.xml and any index.html):

(server.xml)

<server>

  <featureManager>
    <feature>servlet-3.1</feature>
    <feature>mpJwt-1.1</feature>
  </featureManager>

  <applicationManager autoExpand="true" />

  <webApplication location="mysample.war" contextRoot="/" />

  <httpEndpoint host="*" httpPort="9080" id="defaultHttpEndpoint"/>

  <mpJwt id="server.xml-&lt;mpJwt/&gt;"
    issuer="sso-issuer"
    keyName="sso-jwk"
  />
</server>

(index.html)

any content will do

I could positively reproduce the 1st point (rejecting with 401) with a simple 'Cookie: LtpaToken2' header (yes, you don't even need a value):

$ curl -v http://localhost:9080/index.html -H 'Cookie: LtpaToken2'

This returns the index.html file indeed, but with HTTP status 401. For HTML this is fine. For the JavaScript files this is not (the browser refuses to run the scripts).

Response headers are:

HTTP/1.1 401 Unauthorized
X-Powered-By: Servlet/3.1
WWW-Authenticate: Bearer realm="MP-JWT", error="invalid_token"
Date: Wed, 01 Jul 2020 22:18:52 GMT
Content-Type: text/html
Last-Modified: Wed, 01 Jul 2020 21:51:32 GMT
Content-Length: 11
Content-Language: en-US

At startup the server reports:

...
[AUDIT   ] CWWKS4104A: LTPA keys created in 1.716 seconds. LTPA key file: .../target/liberty/wlp/usr/servers/mysample/resources/security/ltpa.keys
...
[AUDIT   ] CWWKF0012I: The server installed the following features: [appSecurity-2.0, cdi-1.2, distributedMap-1.0, jndi-1.0, jsonp-1.0, jwt-1.0, mpConfig-1.3, mpJwt-1.1, servlet-3.1, ssl-1.0].
...

Change the request header "Cookie" to anything other than "LtpaToken2", and the result is the very same index.html, but with status 200 instead.


Solution

  • Found a workaround:

    <server>
      ...
      <webAppSecurity ssoCookieName="" useOnlyCustomCookieName="true"/>
      ...
    </server>
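A way to confirm that the workaround actually makes the server ignore stray LTPA cookies, as an added example that is not part of the question or answer: it repeats the differential test from the question (same URL with and without a bare LtpaToken/LtpaToken2 Cookie header) and reports whether the status changes. The URL is assumed to be a Liberty endpoint such as http://localhost:9080/index.html; the bundled mock server is constructed only so the check can be exercised offline and reproduces the 401 plus Bearer challenge seen above.

```python
import http.server
import threading
import urllib.error
import urllib.request

# Cookie names the old SSO scheme uses; the question shows LtpaToken2 triggering the 401.
LTPA_COOKIE_NAMES = ("LtpaToken", "LtpaToken2")


def fetch_status(url, cookie_header=None):
    """GET url and return (status, WWW-Authenticate); 4xx/5xx are results, not exceptions."""
    req = urllib.request.Request(url)
    if cookie_header is not None:
        req.add_header("Cookie", cookie_header)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.headers.get("WWW-Authenticate")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("WWW-Authenticate")


def ltpa_cookie_is_ignored(url):
    """Differential check: a bare LTPA cookie must not change the baseline status.
    Returns (ignored, baseline_status, {cookie_name: (status, challenge)})."""
    baseline, _ = fetch_status(url)
    # Send the cookie name alone, exactly like the curl reproduction in the question.
    results = {name: fetch_status(url, name) for name in LTPA_COOKIE_NAMES}
    ignored = all(status == baseline for status, _ in results.values())
    return ignored, baseline, results


class _LtpaRejectingHandler(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for the unpatched server: any LTPA cookie yields the 401."""

    def do_GET(self):
        body = b"any content\n"
        if any(name in self.headers.get("Cookie", "") for name in LTPA_COOKIE_NAMES):
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Bearer realm="MP-JWT", error="invalid_token"')
        else:
            self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the mock quiet
        pass


def start_mock_server():
    """Start the constructed mock on a free local port; returns (server, index URL)."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), _LtpaRejectingHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}/index.html"
```

Against a real server, call `ltpa_cookie_is_ignored("http://localhost:9080/index.html")` before and after adding the `webAppSecurity` element; the check should move from a 401 mismatch to an all-200 result.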