'Disabling' LTPA things in a Liberty server - am I missing something? - websphere-liberty

I am investigating the notion of 'disabling' LTPA things in Liberty and would like some guidance. There are 2 ideas I am pursuing - first, is it possible to prevent a Liberty server from generating LTPA keys? and second, is it possible to prevent a Liberty server from sending an LTPA token/cookie to a client browser?
Before making this post, I went through the Liberty documentation. This topic in the Liberty KC https://www.ibm.com/support/knowledgecenter/en/SSEQTP_liberty/com.ibm.websphere.wlp.doc/ae/twlp_sec_ltpa.html states the following - "The LTPA is configured by default when security is enabled for a Liberty server for the first time." This is pretty clear that as long as I have security enabled for a Liberty server, it is going to generate LTPA keys; and disabling security in the Liberty server is not an option for me. So I do not believe that I can prevent the Liberty server from generating LTPA keys in my particular environment.
As for preventing a Liberty server from sending an LTPA token/cookie to a client browser, there appears to be an attribute called disableLtpaCookie that exists for a Liberty server. However, according to the Liberty documentation, I can use the disableLtpaCookie attribute in only 2 cases - when I am using the OpenID Connect Client https://www.ibm.com/support/knowledgecenter/en/SSEQTP_liberty/com.ibm.websphere.liberty.autogen.base.doc/ae/rwlp_config_openidConnectClient.html OR when I am using SAML Web SSO 2.0 Authentication https://www.ibm.com/support/knowledgecenter/en/SSEQTP_liberty/com.ibm.websphere.liberty.autogen.base.doc/ae/rwlp_config_samlWebSso20.html . If I am not implementing either of these authentication mechanisms, then I cannot use the disableLtpaCookie attribute, and thus I cannot prevent a Liberty server from sending an LTPA token/cookie to a client browser.
Am I missing something? Is there a way to prevent a Liberty server from generating LTPA keys or a way to prevent a Liberty server from sending an LTPA token/cookie to a client browser that I have not yet discovered through the Liberty documentation?
Any and all guidance is deeply appreciated and thank you in advance!

The LTPA cookie is required for Form login and Single-Sign-On to work out of the box. If you are completely relying on other authentication mechanisms/tokens to achieve these (SAML, custom, OIDC etc), and have no reason to use the LTPA cookie, you can set the singleSignonEnabled attribute to false in the webAppSecurity element.
<webAppSecurity singleSignonEnabled="false"/>
This should prevent the LTPACookie from being sent to the browser. The LTPA keys are still generated.
We can update the description of this property to make it more clear: https://www.ibm.com/support/knowledgecenter/SSAW57_liberty/com.ibm.websphere.liberty.autogen.nd.doc/ae/rwlp_config_webAppSecurity.html
You can open an issue to have an option to disable the creation of the LTPA keys.
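A server.xml fragment, added here as an example and not taken from the answer above or from IBM's documentation, that shows the default setting beside the corrected one. The feature versions, the registry, the user and the endpoint ports are placeholders I assumed; only singleSignonEnabled="false" comes from the answer.

```xml
<server description="Liberty server that does not issue the LTPA SSO cookie">

  <featureManager>
    <!-- Enabling application security switches LTPA on; the keys are still generated -->
    <feature>appSecurity-2.0</feature>
    <feature>servlet-3.1</feature>
  </featureManager>

  <!-- Constructed placeholder registry; replace with your LDAP or other registry -->
  <basicRegistry id="basic" realm="ExampleRealm">
    <user name="alice" password="CHANGE_ME"/>
  </basicRegistry>

  <!-- Default: singleSignonEnabled is true, so every authenticated response sets the
       LTPA cookie (LtpaToken2 unless ssoCookieName is changed). -->
  <!-- <webAppSecurity singleSignonEnabled="true"/> -->

  <!-- Corrected for this requirement: no LTPA cookie is sent to the browser. Form login
       and cross-application SSO that depend on the cookie stop working, so only do this
       when another mechanism (SAML, OIDC, custom) carries the authenticated session. -->
  <webAppSecurity singleSignonEnabled="false"/>

  <!-- The ltpa element still applies: keys are generated and tokens can still be
       created internally even though the cookie is no longer issued. Value in minutes. -->
  <ltpa expiration="120"/>

  <httpEndpoint id="defaultHttpEndpoint" host="localhost" httpPort="9080" httpsPort="9443"/>
</server>
```

To confirm the change took effect, authenticate against a protected resource and check that the response carries no Set-Cookie header for the LTPA cookie (LtpaToken2 by default); the key file under the server's resources/security directory will still be created on first start.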

In this question/thread - "OpenID SSO in Websphere Liberty requires authentication every time I reopen a browser" - the following statement was made:
Liberty openid connect client can be configured to use ltpa expiration time as session time, or use id_token life time as session time. The default behavior is ltpa expiration time.
I have not been able to find clear Liberty documentation explaining how to configure the Liberty openid connect client to use the id_token lifetime as the session time. Any guidance is greatly appreciated :-)

Related

How jmeter works on HTTPS without using certificates

I am working on HTTPS calls in JMeter. When I started to do the configuration I took help from Stack Overflow. Surprisingly, I found that all I had to do was change the protocol from HTTP to HTTPS, and it actually worked. This makes me wonder how JMeter bypasses the certificate without any configuration?
Some sites use the simple mode of HTTPS, which doesn't require a client installation.
SSL and TLS encryption can be configured in two modes: simple and mutual. In simple mode, authentication is only performed by the server. The mutual version requires the user to install a personal client certificate in the web browser for user authentication.
As per the 1.2.4 SSL Encryption chapter:
The JMeter HTTP samplers are configured to accept all certificates, whether trusted or not, regardless of validity periods, etc. This is to allow the maximum flexibility in testing servers.
If the server requires a client certificate, this can be provided.

Spring security Oauth and SSO

Can anyone tell me if it is possible to combine SSO from SPNEGO and Spring Security with OAuth?
This is my problem:
The Client I now represent has chosen Spnego as their SSO solution.
This requires us to use a full blown appServer (Liberty) in all scenarios.
At the same time, the knowledge and skills about SPNEGO in the development team are very limited.
Due to issues with creating the keytab files, SPNEGO is only available in the formal test environment and not in our local test environment.
This makes it very difficult/time consuming to test and develop due to the long deployment time to the formal test environment.
Now over to my question:
If possible I would like to be able to "log in" to a service in the formal test environment (OAuth2 authentication server?) using SPNEGO SSO and get a token back that I can use in further requests towards my services located locally and/or in any other test environment.
Is this even possible? I have not seen any examples where the authentication server is using another SSO provider to actually authenticate the user.
A different possibility might be to do some sort of redirect from the login service in the test environment, but I fear the SPNEGO token created will only be valid on a server in the same domain..
I'm sorry if this question is confusing or not clear.
My knowledge of this domain (security) is limited and I struggle to get a grasp of how I can test my code locally with security enabled.
Links to any resources on the net that address some of these issues will be greatly appreciated.

session management in server application

I am developing a server application that builds REST web services in Java using Spring and Hibernate, where this service will be used by other clients. I have followed this link http://www.beingjavaguys.com/2014/08/spring-restful-web-services.html.
My question here is:
1> Should I maintain a session in the server application? If yes, how?
2> Should I do any validation on the server side?
3> To validate the user at login, should I use Spring Security for that, or is just comparing the username and password against the database enough?
4> When the user does not interact with the server for a particular time there should be a session timeout; should this be implemented in the server application or on the client side?
I am very new to Java and web services; any suggestions, links and guidance are appreciated.
1> Should I maintain a session in the server application? If yes, how?
REST web services do not depend on a client session since they are stateless, so there is no need to think about session management.
2> Should I do any validation on the server side?
What kind of validation?
3> To validate the user at login, should I use Spring Security for that, or is just comparing the username and password against the database enough?
You can use both, but I think a token-based authentication (based on Spring Security) will be the best way.
4> When the user does not interact with the server for a particular time there should be a session timeout; should this be implemented in the server application or on the client side?
Since the server does not keep track of the user session, the timeout should be implemented on the client side.
You can check the following project if you want; it's an excellent starting point.
https://github.com/dhavaln/spring-rest-boilerplate
1> Should I maintain a session in the server application? If yes, how?
Web services are stateless, meaning the server does not store any state about the client session on the server side. You should manage the session on the client side, otherwise you will end up handling a heavy load of sessions on the server side, and I am sure you don't want to do that.
2> Should I do any validation on the server side?
If by validation you mean data integrity, I think you will have to do it for the sake of data integrity and your application's well-being.
3> To validate the user at login, should I use Spring Security for that, or is just comparing the username and password against the database enough?
You can do both; using Spring Security is a good choice, and you will have to configure or build your own AuthenticationManager which will compare credentials with those stored in the database.
4> When the user does not interact with the server for a particular time there should be a session timeout; should this be implemented in the server application or on the client side?
You can set a session timeout, and this should be implemented on the client side.

Sessions with(no) cookies

For a web application I could not find any session cookies stored. There was a string such as
SSLJSESSION=0000SESSIONMANAGEMENTAFFINI:-1
From my understanding, this cannot be used to handle sessions. Still, the application is handling the sessions properly.
Can anyone please tell me how session handling is done with the above technique?
After a bit of browsing through WebSphere’s documentation, I found out that WebSphere (actually IBM HTTP Server as well as SUN One Web Server) support a feature called SSL ID Session Tracking. Basically, what this does is bind web application sessions to SSL sessions. This further does not require the web application to do almost any session handling since the server performs this on behalf of the application.

SSO Between Websphere Portal and Moodle

We have a vendor portal that is public and a Moodle site that is also public. They are both set up to use the same Active Directory.
Is there a way to configure SSO between them?
I've looked into this issue before, and all that I've found is about keeping the user credential in the global Portal session and posting them to the server Moodle login form.
It seems that Moodle does not support LTPA, since this is a proprietary IBM protocol designed for WebSphere and Domino. Also, the LTPA token does not include the actual password, so Moodle would have to trust WebSphere when it says that a particular user has been authenticated at a certain time (timestamp).
Maybe someone else has more input on the subject...
