Hi all,
I have come to the conclusion that the declarative/reactive security model of the J2EE web container is insufficient for my needs. I plan on writing my own classes for enforcing authentication/authorization to web resources, and of course log into JAAS to allow credential information to be propagated to downstream servers (EJBs, etc.).
I hate to reinvent the wheel, but I'm using WebSphere, which uses LTPA tokens to persist the client's logged-in state and for SSO. LTPA is a proprietary technology, and from what I can tell IBM has no publicly accessible APIs for creating & validating these tokens.
My question is: are there any patterns that relate to signon tokens that I can follow? I modeled mine after LTPA and used JCE to encrypt the user id and password and then placed it into a cookie. This works fine, but I am concerned with replay attacks and the fact that if someone were to decrypt the token, they would find a valid user id / password combination.
Presumably WebSphere's LTPA has the exact same problems, but this isn't good enough for me.
I was thinking that it is a mistake to put the password into the token, and maybe only place the user id and a timeout value.
Any thoughts?
Thanks!
--Dave.
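The token design the post is circling around (user id plus a timeout, no password) is usually built as a signed rather than an encrypted value: the server keeps a secret key, issues `payload.MAC(payload)`, and on every request recomputes the MAC before trusting any field. The class below is an added example written for this thread, not WebSphere or LTPA code and not part of the original post; the class name, the `|`-separated payload layout and the sample key and user id are all assumptions chosen for illustration. It uses only JCE (`javax.crypto.Mac`) and `java.util.Base64`, and shows the three checks a validator needs: authenticity (constant-time MAC comparison), expiry, and rejection of anything malformed.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Optional;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Added example (hypothetical class, not from WebSphere/LTPA): a sign-on token that
 * carries only user id, expiry and a random nonce, authenticated with HMAC-SHA256.
 * Nothing in the token is secret, so nothing is gained by decrypting it; forging or
 * altering it requires the server-side key.
 */
public final class SignonToken {
    private static final String MAC_ALG = "HmacSHA256";
    private static final SecureRandom RNG = new SecureRandom();
    private final SecretKeySpec key;
    private final long ttlSeconds;

    public SignonToken(byte[] serverSecret, long ttlSeconds) {
        this.key = new SecretKeySpec(serverSecret, MAC_ALG);
        this.ttlSeconds = ttlSeconds;
    }

    /** Token = base64url(userId|expiryEpochSeconds|nonce) + "." + base64url(HMAC(encoded payload)). */
    public String issue(String userId, long nowSeconds) {
        if (userId.indexOf('|') >= 0) throw new IllegalArgumentException("user id must not contain '|'");
        byte[] nonce = new byte[16];               // makes every issued token distinct
        RNG.nextBytes(nonce);
        String payload = userId + "|" + (nowSeconds + ttlSeconds) + "|" + b64(nonce);
        String encoded = b64(payload.getBytes(StandardCharsets.UTF_8));
        return encoded + "." + b64(mac(encoded));
    }

    /** Returns the user id if the token is authentic and unexpired, otherwise empty. */
    public Optional<String> validate(String token, long nowSeconds) {
        int dot = token.lastIndexOf('.');
        if (dot < 0) return Optional.empty();
        String encoded = token.substring(0, dot);
        byte[] presented;
        try {
            presented = Base64.getUrlDecoder().decode(token.substring(dot + 1));
        } catch (IllegalArgumentException e) {
            return Optional.empty();
        }
        // Verify the MAC first, in constant time, before parsing anything inside the payload.
        if (!MessageDigest.isEqual(mac(encoded), presented)) return Optional.empty();
        String payload = new String(Base64.getUrlDecoder().decode(encoded), StandardCharsets.UTF_8);
        String[] parts = payload.split("\\|", -1);
        if (parts.length != 3) return Optional.empty();
        long expiry;
        try {
            expiry = Long.parseLong(parts[1]);
        } catch (NumberFormatException e) {
            return Optional.empty();
        }
        if (nowSeconds >= expiry) return Optional.empty();   // expired: bounded replay window
        return Optional.of(parts[0]);
    }

    private byte[] mac(String data) {
        try {
            Mac m = Mac.getInstance(MAC_ALG);
            m.init(key);
            return m.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    private static String b64(byte[] b) {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    public static void main(String[] args) {
        byte[] secret = new byte[32];
        RNG.nextBytes(secret);                       // constructed sample key; a real server loads it from its keystore
        SignonToken issuer = new SignonToken(secret, 1800);   // 30-minute lifetime (assumed value)
        long now = System.currentTimeMillis() / 1000;
        String cookieValue = issuer.issue("dave", now);      // constructed sample user id
        System.out.println("valid now:    " + issuer.validate(cookieValue, now));
        System.out.println("after expiry: " + issuer.validate(cookieValue, now + 1801));
        // Alter one character of the MAC: a tampered or forged token is rejected.
        String tampered = cookieValue.substring(0, cookieValue.length() - 1)
                + (cookieValue.endsWith("A") ? "B" : "A");
        System.out.println("tampered:     " + issuer.validate(tampered, now));
    }
}
```

Two design notes on the replay concern raised above. The expiry bounds how long a captured cookie stays usable, but within that window the token is still a bearer credential; the usual mitigations are transport protection for the cookie and, where single use is genuinely required, recording the nonce server-side so a presented token can be recognised as already consumed. Keeping the MAC check ahead of any parsing also matters: a validator that parses first hands attacker-controlled bytes to the parser before establishing that the server produced them.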