How to pass WebSEAL security context from JSP/Servlet to EJB

3.2k views Asked by At

I have JSP with calling to my Session Bean, I've implemented this via JNDI InitialContext(). Session Bean class is having a @RolesAllowed annotation with one defined user. I want to restrict users who can call methods of this bean.

Application Sever connected to TAM/WebSEAL via junction. So I can see that authenticated users have defined "iv-user", "iv-groups", "iv-creds" http request header values, unauthenticated - don't. But then I trying to call any of bean methods I've got a Security Exception like trying to access as unauthenticated user. Moreover, I don't see userPrincipal when at the response of request.getUserPrincipal()

How to pass security context from WebSEAL / Tivoli Access Manager into EJB and use it for JAAS annotations?

1

There are 1 answers

0
coms On BEST ANSWER

I've found one solution:
1. Switch WebSphere to use a Standalone LDAP registry, set link as Trusted (actually it not necessary)
2. Setup LTPA authentication between WAS and WebSEAL
after these JSP should get security context and pass to the called methods.
3. Define security constraints inside target web application.