Spring Security LTPA2
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.


Spring Security LTPA2

Build Status Quality Gate License

Add Spring Security support for user pre-authentication using IBM Lightweight Third Party Authentication (LTPA) v2. LTPA2 tokens can be created as well.

Tokens are either taken from an HTTP header (default Authorization with prefix LtpaToken2) or a cookie (default LtpaToken2). Both names can be configured as needed, as well as the value prefix.


# default header and value prefix
curl -i -H "Authorization: LtpaToken2 <token-value>" http://localhost:8080/hello
# custom header name without value prefix
curl -i -H "My-Auth-Header: <token-value>" http://localhost:8080/hello
# default cookie
curl -i -b "LtpaToken2=<token-value>" http://localhost:8080/hello
# custom cookie name
curl -i -b "My-Auth-Cookie=<token-value>" http://localhost:8080/hello

An absolute minimum requirement for configuration are the shared secret key needed for decrypting the token and, in order to verify its signature, the public key from the identity provider that created the token.


Checkout my sample project for a complete example.


Add the library as an dependency together with your Spring Security dependencies.



Web Security Configuration

Add the Ltpa2Filter using Ltpa2Configurer. It needs a SecretKey instance of the shared key that is used for the symmetric encryption of the LTPA2 token. In order to verify the provided token, it also needs the PublicKey from the identity provider (for example IBM Secure Gateway / DataPower) that sends the LTPA2 token.

As the user is pre-authenticated, an instance of UserDetailsService is required to setup the security context and populate it with the granted roles for the authenticated user. In this example we will simply use InMemoryAuthentication with a hard-coded list of users and their roles.

public class WebSecurityConfig extends WebSecurityConfigurerAdapter

	protected void configure(HttpSecurity http) throws Exception
				.antMatchers("/", "/home").permitAll()
			// configure LTPA2 Support
			.apply(new Ltpa2Configurer())

	public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception

Project info and Javadoc

Maven Site