Skip to main content
Redhat Developers  Logo
  • Products

    Featured

    • Red Hat Enterprise Linux
      Red Hat Enterprise Linux Icon
    • Red Hat OpenShift AI
      Red Hat OpenShift AI
    • Red Hat Enterprise Linux AI
      Linux icon inside of a brain
    • Image mode for Red Hat Enterprise Linux
      RHEL image mode
    • Red Hat OpenShift
      Openshift icon
    • Red Hat Ansible Automation Platform
      Ansible icon
    • Red Hat Developer Hub
      Developer Hub
    • View All Red Hat Products
    • Linux

      • Red Hat Enterprise Linux
      • Image mode for Red Hat Enterprise Linux
      • Red Hat Universal Base Images (UBI)
    • Java runtimes & frameworks

      • JBoss Enterprise Application Platform
      • Red Hat build of OpenJDK
    • Kubernetes

      • Red Hat OpenShift
      • Microsoft Azure Red Hat OpenShift
      • Red Hat OpenShift Virtualization
      • Red Hat OpenShift Lightspeed
    • Integration & App Connectivity

      • Red Hat Build of Apache Camel
      • Red Hat Service Interconnect
      • Red Hat Connectivity Link
    • AI/ML

      • Red Hat OpenShift AI
      • Red Hat Enterprise Linux AI
    • Automation

      • Red Hat Ansible Automation Platform
      • Red Hat Ansible Lightspeed
    • Developer tools

      • Red Hat Trusted Software Supply Chain
      • Podman Desktop
      • Red Hat OpenShift Dev Spaces
    • Developer Sandbox

      Developer Sandbox
      Try Red Hat products and technologies without setup or configuration fees for 30 days with this shared Openshift and Kubernetes cluster.
    • Try at no cost
  • Technologies

    Featured

    • AI/ML
      AI/ML Icon
    • Linux
      Linux Icon
    • Kubernetes
      Cloud icon
    • Automation
      Automation Icon showing arrows moving in a circle around a gear
    • View All Technologies
    • Programming Languages & Frameworks

      • Java
      • Python
      • JavaScript
    • System Design & Architecture

      • Red Hat architecture and design patterns
      • Microservices
      • Event-Driven Architecture
      • Databases
    • Developer Productivity

      • Developer productivity
      • Developer Tools
      • GitOps
    • Secure Development & Architectures

      • Security
      • Secure coding
    • Platform Engineering

      • DevOps
      • DevSecOps
      • Ansible automation for applications and services
    • Automated Data Processing

      • AI/ML
      • Data Science
      • Apache Kafka on Kubernetes
      • View All Technologies
    • Start exploring in the Developer Sandbox for free

      sandbox graphic
      Try Red Hat's products and technologies without setup or configuration.
    • Try at no cost
  • Learn

    Featured

    • Kubernetes & Cloud Native
      Openshift icon
    • Linux
      Rhel icon
    • Automation
      Ansible cloud icon
    • Java
      Java icon
    • AI/ML
      AI/ML Icon
    • View All Learning Resources

    E-Books

    • GitOps Cookbook
    • Podman in Action
    • Kubernetes Operators
    • The Path to GitOps
    • View All E-books

    Cheat Sheets

    • Linux Commands
    • Bash Commands
    • Git
    • systemd Commands
    • View All Cheat Sheets

    Documentation

    • API Catalog
    • Product Documentation
    • Legacy Documentation
    • Red Hat Learning

      Learning image
      Boost your technical skills to expert-level with the help of interactive lessons offered by various Red Hat Learning programs.
    • Explore Red Hat Learning
  • Developer Sandbox

    Developer Sandbox

    • Access Red Hat’s products and technologies without setup or configuration, and start developing quicker than ever before with our new, no-cost sandbox environments.
    • Explore Developer Sandbox

    Featured Developer Sandbox activities

    • Get started with your Developer Sandbox
    • OpenShift virtualization and application modernization using the Developer Sandbox
    • Explore all Developer Sandbox activities

    Ready to start developing apps?

    • Try at no cost
  • Blog
  • Events
  • Videos

Flexible single sign-on authentication and more in Open Liberty 20.0.0.7

July 17, 2020
Tom Jennings
Related topics:
SecurityJavaMicroservicesKubernetes

Share:

    Open Liberty 20.0.0.7 lets you disable the default of returning Lightweight Third-Party Authentication (LTPA) cookies for authentication when using Trust Association Interceptor (TAI) or Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) authentication. You can also disable JSON Web Token (JWT)  cookies when using JWT's single sign-on (SSO) feature. In this article, we introduce these improvements and more in the new Open Liberty 20.0.0.7 release:

    • How to run your apps using Open Liberty 20.0.0.7
    • How to disable LTPA cookies for TAI or SPNEGO
    • How to disable JWT SSO cookies
    • Significant bugs fixed in Open Liberty 20.0.0.7

    How to run your apps using Open Liberty 20.0.0.7

    Here are the coordinates if you're using Maven:

    <dependency>
        <groupId>io.openliberty</groupId>
        <artifactId>openliberty-runtime</artifactId>
        <version>20.0.0.7</version>
        <type>zip</type>
    </dependency>
    

    For Gradle, you would use:

    dependencies {
        libertyRuntime group: 'io.openliberty', name: 'openliberty-runtime', version: '[20.0.0.7,)'
    }
    

    If you're using a docker container, it's:

    FROM open-liberty
    

    Another option is to download the Kernel package as a ZIP file from the Open Liberty downloads page. You can then use the featureUtility command to add the features that you need to the kernel.

    How to disable LTPA cookies for TAI or SPNEGO

    LTPA cookies contain an encrypted authentication token with user identity and expiration information, which you can use for single sign-on (SSO) authentication. In Open Liberty 20.0.0.7, you can decide whether you want to receive the LTPA cookie when using TAI or SPNEGO for authentication.

    When a client (like a browser) is authenticated with an Open Liberty server, the default response is to receive an SSO LTPA cookie in the HTTP servlet. When that client accesses another protected resource in the Open Liberty server sharing the same LTPA configuration, authentication with the SSO LTPA cookie takes priority over any other authentication mechanism. Prioritizing authentication with the SSO LTPA cookie can cause unintended results if you are using another authentication mechanism. You can now work around this by disabling the creation of LTPA cookies when using TAI and SPNEGO authentication.

    Here's how to disable LTPA cookies for TAI in the server.xml:

    <server>
      <featureManager>
        <feature>appSecurity-2.0</feature>
      </featureManager>
      <trustAssociation id="sample" disableLtpaCookie="true" />
    </server>
    

    Here's how to disable LTPA cookies for SPNEGO (also in server.xml):

    <server>
      <featureManager>
        <feature>spnego-1.0</feature>
      </featureManager>
      <spnego id="sample" disableLtpaCookie="true" />
    </server>
    

    How to disable JWT SSO cookies

    When a client (like a browser) is authenticated with an Open Liberty server through the JSON Web Tokens SSO feature (jwtSso-1.0), the default response is a JWT SSO cookie in the HTTP servlet. When that client accesses another protected resource in the same Open Liberty server or a different one, authentication with the JWT cookie is prioritized over any other authentication mechanism. Prioritizing authentication with the JWT cookie can cause unintended results if you are using another authentication mechanism. You can now work around this issue by disabling JWT cookies when using the JWT SSO feature.

    Here's how to disable JWT cookies for JWT SSO in the server.xml:

    <server>
      <featureManager>
        <feature>jwtSso-1.0</feature>
      </featureManager>
      <jwtSso id="sample" disableJwtCookie="true" />
    </server>
    

    Bug fixes in Open Liberty 20.0.0.7

    In this section, we describe just a few of the issues that we've resolved with the 20.0.0.7 release. See fixed bugs in Open Liberty 20.0.0.7 for a complete review.

    Two bugs fixed in JAX-RS 2.1

    Issue 8048: NullPointerException: If you've seen a NullPointerException when writing multipart form data in your JAX-RS response, the good news is that we fixed it. See issue 8048 for details.

    Issue 12715: ContextResolver: A user needed a way to restrict JSON field serialization by a user's security role. They were able to make it work by using ContextResolver to specify the JSON-B visibility strategy and injecting the SecurityContext. Unfortunately, the injection into the ContextResolver wasn't working. We fixed that with issue 12715, which makes a pretty cool use case.

    Improvements to HTTP/2

    Issue 12599: HTTP/2 connection: A user reported a scenario involving excess CPU consumption when a client did not gracefully terminate an HTTP/2 connection. We've resolved the CPU consumption with issue 12599.

    Issue 12399: HTTP/2 flow control: In specific cases, Open Liberty was not updating its HTTP/2 read window quickly enough, causing the flow-control window to stall. We have improved the flow-control behavior with issue 12399.

    Resolving a missing dependency in MicroProfile Fault Tolerance 2.1

    Before this release, adding a dependency to the MicroProfile Fault Tolerance 2.1 feature in a maven or gradle build did not automatically add a corresponding dependency to the MicroProfile Fault Tolerance 2.1 API. In some cases, when writing or compiling an application that used the API, users received the error message:

    The import org.eclipse.microprofile.faulttolerance cannot be resolved

    We've resolved the missing dependency with issue 12567.

    Try Open Liberty 20.0.0.7 in Red Hat Runtimes

    Open Liberty is part of Red Hat Runtimes. If you're a Red Hat Runtimes subscriber, you can try this new Open Liberty release now.

    To learn more about deploying Open Liberty applications to Red Hat OpenShift, see our Open Liberty guide: Deploying microservices to OpenShift.

    Last updated: July 15, 2020

    Recent Posts

    • Ollama or vLLM? How to choose the right LLM serving tool for your use case

    • How to build a Model-as-a-Service platform

    • How Quarkus works with OpenTelemetry on OpenShift

    • Our top 10 articles of 2025 (so far)

    • The benefits of auto-merging GitHub and GitLab repositories

    Red Hat Developers logo LinkedIn YouTube Twitter Facebook

    Products

    • Red Hat Enterprise Linux
    • Red Hat OpenShift
    • Red Hat Ansible Automation Platform

    Build

    • Developer Sandbox
    • Developer Tools
    • Interactive Tutorials
    • API Catalog

    Quicklinks

    • Learning Resources
    • E-books
    • Cheat Sheets
    • Blog
    • Events
    • Newsletter

    Communicate

    • About us
    • Contact sales
    • Find a partner
    • Report a website issue
    • Site Status Dashboard
    • Report a security problem

    RED HAT DEVELOPER

    Build here. Go anywhere.

    We serve the builders. The problem solvers who create careers with code.

    Join us if you’re a developer, software engineer, web designer, front-end designer, UX designer, computer scientist, architect, tester, product manager, project manager or team lead.

    Sign me up

    Red Hat legal and privacy links

    • About Red Hat
    • Jobs
    • Events
    • Locations
    • Contact Red Hat
    • Red Hat Blog
    • Inclusion at Red Hat
    • Cool Stuff Store
    • Red Hat Summit
    © 2025 Red Hat

    Red Hat legal and privacy links

    • Privacy statement
    • Terms of use
    • All policies and guidelines
    • Digital accessibility

    Report a website issue