如何使用 LTPA 令牌中的信息
考虑以下设置:
- 部署在 Websphere Application Server 上的 Web 应用程序(6.1,如果重要的话)
- 该应用程序将通过 Webseal 反向代理进行访问
- Webseal 负责身份验证并传递 LTPA 令牌作为有效身份验证的标志
如果我得到没错,LTPA 令牌包含用户名、角色等信息。
问题:如何从 Java Web 应用程序中的 LTPA 令牌访问此信息?
Consider the following setup:
- A webapplication deployed on a Websphere Application Server (6.1 if it matters)
- the app will get accessed through a webseal reverse proxy
- the webseal takes care of the authentication and passes on an LTPA token as sign of valid authentication
If I got it right, the LTPA token contains information like username, roles and so on.
Question: how do I access this information from the LTPA token in my java web application?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
查看 LTPA 令牌的内部对于调试来说非常有用,我们经常使用它。您需要 ltpa 密钥和密码才能正常工作
/* Copyright notice # Copyright (C) 2007, Cosmin Stejerean (http://www.offbytwo.com) # # You are free to use this code under the terms of the Creative Commons Attribution license # available at http://creativecommons.org/licenses/by/3.0/ # so long as you include the following notice 'includes code from Cosmin Stejerean (http://www.offbytwo.com)' */ import java.security.Key; import java.security.MessageDigest; import java.security.spec.KeySpec; import java.sql.Date; import java.text.SimpleDateFormat; import java.util.Arrays; import java.util.StringTokenizer; import javax.crypto.Cipher; import javax.crypto.SecretKeyFactory; import javax.crypto.spec.DESedeKeySpec; import sun.misc.BASE64Decoder; //The shared 3DES key is itself encrypted using the SHA hash value of the LTPA password (padded with 0x0 upto 24 bytes). public class LtpaDecoder { private String ltpa3DESKey = "JvJRzwdhKk6o40FuATa9acKD2uaXswVHlUsn2c2+MKQ="; private String ltpaPassword = "secretpassword"; private String sUserInfo = ""; private Date dExpiry; private String sFullToken = ""; private String sSignature = ""; public static void main(String[] args) { String tokenCipher = "vsof5exb990sb2r5hRJ+bneCnmBTuLQ3XF+......"; try { LtpaDecoder t = new LtpaDecoder(tokenCipher); System.out.println("UserInfo: " + t.getUserInfo()); System.out.println("Expiry: " + t.getExpiryDate()); System.out.println("Full token: " + t.getFullToken()); } catch(Exception e) { e.printStackTrace(); } } public LtpaDecoder(String fulltoken) throws Exception { byte[] secretKey = getSecretKey(this.ltpa3DESKey, this.ltpaPassword); String ltpaPlaintext = new String(decryptLtpaToken(fulltoken, secretKey)); extractTokenData(ltpaPlaintext); } private void extractTokenData(String token) { System.out.println("\n"); StringTokenizer st = new StringTokenizer(token, "%"); sUserInfo = st.nextToken(); String sExpires = st.nextToken(); sSignature = st.nextToken(); dExpiry = new Date(Long.parseLong(sExpires)); sFullToken = token; } public String getSignature() { return sSignature; } public String getFullToken() { return sFullToken; } public String getUserInfo() { return sUserInfo; } public String getExpiryDate() { SimpleDateFormat sdf = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss z"); return sdf.format(dExpiry); } private byte[] getSecretKey(String shared3DES, String password) throws Exception { MessageDigest md = MessageDigest.getInstance("SHA"); md.update(password.getBytes()); byte[] hash3DES = new byte[24]; System.arraycopy(md.digest(), 0, hash3DES, 0, 20); Arrays.fill(hash3DES, 20, 24, (byte) 0); // decrypt the real key and return it BASE64Decoder base64decoder = new BASE64Decoder(); return decrypt(base64decoder.decodeBuffer(shared3DES), hash3DES); } public byte[] decryptLtpaToken(String encryptedLtpaToken, byte[] key) throws Exception { BASE64Decoder base64decoder = new BASE64Decoder(); final byte[] ltpaByteArray = base64decoder.decodeBuffer(encryptedLtpaToken); return decrypt(ltpaByteArray, key); } public byte[] decrypt(byte[] ciphertext, byte[] key) throws Exception { final Cipher cipher = Cipher.getInstance("DESede/ECB/PKCS5Padding"); final KeySpec keySpec = new DESedeKeySpec(key); final Key secretKey = SecretKeyFactory.getInstance("TripleDES").generateSecret(keySpec); cipher.init(Cipher.DECRYPT_MODE, secretKey); return cipher.doFinal(ciphertext); } }Looking inside LTPA tokens is great for debugging, we use this alot. You'll need the ltpa-key and password for this to work
/* Copyright notice # Copyright (C) 2007, Cosmin Stejerean (http://www.offbytwo.com) # # You are free to use this code under the terms of the Creative Commons Attribution license # available at http://creativecommons.org/licenses/by/3.0/ # so long as you include the following notice 'includes code from Cosmin Stejerean (http://www.offbytwo.com)' */ import java.security.Key; import java.security.MessageDigest; import java.security.spec.KeySpec; import java.sql.Date; import java.text.SimpleDateFormat; import java.util.Arrays; import java.util.StringTokenizer; import javax.crypto.Cipher; import javax.crypto.SecretKeyFactory; import javax.crypto.spec.DESedeKeySpec; import sun.misc.BASE64Decoder; //The shared 3DES key is itself encrypted using the SHA hash value of the LTPA password (padded with 0x0 upto 24 bytes). public class LtpaDecoder { private String ltpa3DESKey = "JvJRzwdhKk6o40FuATa9acKD2uaXswVHlUsn2c2+MKQ="; private String ltpaPassword = "secretpassword"; private String sUserInfo = ""; private Date dExpiry; private String sFullToken = ""; private String sSignature = ""; public static void main(String[] args) { String tokenCipher = "vsof5exb990sb2r5hRJ+bneCnmBTuLQ3XF+......"; try { LtpaDecoder t = new LtpaDecoder(tokenCipher); System.out.println("UserInfo: " + t.getUserInfo()); System.out.println("Expiry: " + t.getExpiryDate()); System.out.println("Full token: " + t.getFullToken()); } catch(Exception e) { e.printStackTrace(); } } public LtpaDecoder(String fulltoken) throws Exception { byte[] secretKey = getSecretKey(this.ltpa3DESKey, this.ltpaPassword); String ltpaPlaintext = new String(decryptLtpaToken(fulltoken, secretKey)); extractTokenData(ltpaPlaintext); } private void extractTokenData(String token) { System.out.println("\n"); StringTokenizer st = new StringTokenizer(token, "%"); sUserInfo = st.nextToken(); String sExpires = st.nextToken(); sSignature = st.nextToken(); dExpiry = new Date(Long.parseLong(sExpires)); sFullToken = token; } public String getSignature() { return sSignature; } public String getFullToken() { return sFullToken; } public String getUserInfo() { return sUserInfo; } public String getExpiryDate() { SimpleDateFormat sdf = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss z"); return sdf.format(dExpiry); } private byte[] getSecretKey(String shared3DES, String password) throws Exception { MessageDigest md = MessageDigest.getInstance("SHA"); md.update(password.getBytes()); byte[] hash3DES = new byte[24]; System.arraycopy(md.digest(), 0, hash3DES, 0, 20); Arrays.fill(hash3DES, 20, 24, (byte) 0); // decrypt the real key and return it BASE64Decoder base64decoder = new BASE64Decoder(); return decrypt(base64decoder.decodeBuffer(shared3DES), hash3DES); } public byte[] decryptLtpaToken(String encryptedLtpaToken, byte[] key) throws Exception { BASE64Decoder base64decoder = new BASE64Decoder(); final byte[] ltpaByteArray = base64decoder.decodeBuffer(encryptedLtpaToken); return decrypt(ltpaByteArray, key); } public byte[] decrypt(byte[] ciphertext, byte[] key) throws Exception { final Cipher cipher = Cipher.getInstance("DESede/ECB/PKCS5Padding"); final KeySpec keySpec = new DESedeKeySpec(key); final Key secretKey = SecretKeyFactory.getInstance("TripleDES").generateSecret(keySpec); cipher.init(Cipher.DECRYPT_MODE, secretKey); return cipher.doFinal(ciphertext); } }您不直接访问 LTPA 令牌,而是假设 WebSphere 已根据其认证过程为您建立了安全上下文。
然后,您可以使用
HttpServletRequest 对象来访问用户的身份。
角色特定于当前资源(servet、ejb ...),因此您可以使用 HttpServletRequest 方法
来确定用户是否处于角色中。
您还可以使用该方法
获取进一步的安全信息,包括组成员身份。
You don't directly access the LTPA token, rather you assume that WebSphere has established a security context for you on the basis of its authentication procedures.
You can then use
on your HttpServletRequest object to access the user's identity.
Roles are particular to the current resource (serlvet, ejb ...) and hence you use the HttpServletRequest method
to determine whether a user is in a role.
You can also use the method
to obtain further security information including group membership.