Tags: java, websphere, jaas, tivoli, webseal

How to pass WebSEAL security context from JSP/Servlet to EJB


I have a JSP that calls my Session Bean; I've implemented this via a JNDI InitialContext(). The Session Bean class has a @RolesAllowed annotation with one defined user. I want to restrict which users can call the methods of this bean.

The Application Server is connected to TAM/WebSEAL via a junction. So I can see that authenticated users have the "iv-user", "iv-groups" and "iv-creds" HTTP request header values defined, and unauthenticated users don't. But when I try to call any of the bean methods I get a Security Exception, as if trying to access as an unauthenticated user. Moreover, I don't see a userPrincipal in the response of request.getUserPrincipal().

How do I pass the security context from WebSEAL / Tivoli Access Manager into the EJB and use it for the JAAS annotations?


Solution

  • I've found one solution:
    1. Switch WebSphere to use a Standalone LDAP registry, set the link as Trusted (actually it is not necessary).
    2. Set up LTPA authentication between WAS and WebSEAL.
    3. Define security constraints inside the target web application.
    After these steps the JSP should get the security context and pass it to the called methods.
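As an added illustration of what steps 2 and 3 give you (example code, not from the original post): once WAS accepts the LTPA token from WebSEAL and the web module has a security constraint, the servlet sees a caller principal and the container propagates it to the EJB, where @RolesAllowed can be enforced. The role name `employee`, the bean name and the JNDI lookup path are assumptions; the role must be mapped to an LDAP group in the WAS admin console and declared in web.xml via security-constraint / security-role.

```java
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.naming.InitialContext;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

// Local business interface for the session bean (assumed name).
interface PayrollService {
    String reportForCaller();
}

// Session bean restricted to the assumed role "employee". Authorization is
// checked by the container against the caller principal propagated from the
// web tier; no extra code in the bean is needed for the check itself.
@Stateless
@DeclareRoles({"employee"})
@RolesAllowed({"employee"})
class PayrollBean implements PayrollService {
    @Resource
    private SessionContext ctx;

    public String reportForCaller() {
        // getCallerPrincipal() is the identity WAS derived from the LTPA token;
        // it is never read from iv-user / iv-creds headers directly.
        return "report for " + ctx.getCallerPrincipal().getName();
    }
}

// Servlet behind the web.xml security constraint. It verifies the container
// actually has an authenticated caller before delegating to the EJB.
public class PayrollServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        if (req.getUserPrincipal() == null) {
            // Step 3 missing or LTPA not accepted: the EJB call would also fail.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "no container principal");
            return;
        }
        try {
            PayrollService svc = (PayrollService) new InitialContext()
                    .lookup("java:comp/env/ejb/PayrollBean"); // assumed ejb-ref name
            resp.getWriter().println(svc.reportForCaller());
        } catch (EJBAccessException denied) {
            // Authenticated but not in the "employee" role: container rejected the call.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "role check failed");
        } catch (javax.naming.NamingException e) {
            throw new IOException(e);
        }
    }
}
```

A null principal in the servlet means the WebSEAL-to-WAS trust (LTPA) or the web.xml constraint is not in place, while EJBAccessException with a non-null principal means the identity arrived but the role mapping is wrong.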