How to read the LTPA Token using API

Recently i had a requirement to read the LTPA Token from API and pass it to the third party application that i am using

We have two options to do this

  • Cookie: You can use the LtpaToken from the cookie. This approach works in all cases but one, which is that as soon as you login the first request wont have this cookie.

  • Programmatic API: You can always read the LtpaToken from the cookie

private String doesLTPATokenCookieExists(PortletRequest servletRequest){
HttpServletRequest servletRequest =(PortletRequest)request;

Cookie[] cookie =servletRequest.getCookies();
for(int i = 0 ; i < cookie.length ;i++){
System.out.println("Cookie Name " + cookie[i].getName() );
if( cookie[i].getName().equals("LtpaToken"))
return cookie[i].getValue();
return false;

In cases where the portlet is rendering on a first page that gets invoked after login the LtpaToken wont be there in the cookie. The basic idea is portal server will generate LtpaToken and send it in first response and thereafter the request will always have the LtpaToken cookie but that first request wont have the LtpaToken cookie, in those cases we can use this programmatic method for reading cookie

private String getSecurityToken(){
byte[] token = null;
// Get current security subject
Subject security_subject = WSSubject.getRunAsSubject();
if (security_subject != null){
// Get all security credentials from the security subject
Set security_credentials =

// Get the first credential
WSCredential security_credential =
String user = (String) security_credential.getSecurityName();
return null;
token = security_credential.getCredentialToken();
if(token == null){
return null;
String ltpaToken =;
return ltpaToken;
catch (Exception e){
return null;


Mihir Shah said...

Thanks sunil for a useful post. I guess this is more relevant when your third party application understands LTPA token. That means it is only valid for LTAP complient applications and not all applications for Ex MS Exchange. Correct me if I am wrong.

Sunil Patil said...

The LTPA token works only in IBM WebSphere and Lotus products.

If you want to use something like MS Exchange then you should think Tivoli Access Manager or Siteminder. THe basic remains same in those cases you will have to pass the token specific to the Access Manager that your using instead of LTPA Token

Vijay said...

Hi Sunil,
Thanks for your post, I am working with LTPA token will you kindly give some input for my problem.

I am working with IBM's content Manager(EDMS), to login to EDMS system it requires userid and password or the LTPA token. Users are in active directory. The challenge i face is, i need to login to active directory using LDAP and get the LTPA token programmatically and pass on to EDMS system. I may pass the userid and password to logon to EDMS system, but i need the LTPA token for feature use. Is it possible to get a LTPA token programmatically from LDAP? pls clarify.

Anonymous said...

this is also useful when you are migrating from a tai (generating ltpa) to tai++ with websphere generating LTPA.
In the fiorst case the token is always in the header, in the second case it isn't for the first hit (and to state the not quite obvious also if the page isn't protected in a jaas sense)

Amit(Nana) said...


I am implementing LTPA based SSO between java applications running on websphere app Server. I am able to generate LTPA token using admin console however i am not able to understand how the token will be generated using the application login page. Because i will not redirect everytime user to admin console to login. Please help.


Leslie Lim said...

First time I commented in a blog! I really enjoy it. You have an awesome post. Please do more articles like this. I'm gonna come back surely. God bless.


info2scs said...

Hi Sunil,
Thanks for the post. Was wondering if there is a way to check if the LTPAToken2 is expired or not (programmatically)?