• Entries (RSS)
  • Comments (RSS)

Develop a custom Trust Association Interceptor

Posted by | Posted in WebSphere | Posted on 02-07-2008

Tagged Under : , , , ,

If we are implementing an SSO solution using an external authentication provider, we need a Trust Association Interceptor (TAI) to assert the identity to WebSphere Application Server. If our authentication provider is an external tool like WebSEAL or Tivoli Accesses Manager, we need some mechanism to tell WAS that the user is authenticated. So the actual authentication happens in some external tools and by using TAI we would inform WebSphere about the user’s identity.

Today I will explain how to write a custom Trust Association Interceptor (TAI) for WebSphere. Since TAI is used for informing WebSphere Application Server about a user’s identity, first TAI needs to know which user is authenticated. Typically this is done by passing some parameter (like username) to WebSphere Application Server from authentication provider. The TAI which is present in the Application Server reads the parameters from request and returns the username to WAS. WAS then queries the user registry for the existence of the user. However WAS will not validate the password while it queries the user registry.

The first step in developing a custom TAI is to write a class that implements the TrustAssociationInterceptor interface. The TrustAssociationInterceptor interface contains a couple of methods that we need to implement.

The first method that will be executed when calling the TAI is initialize. Any initialization operations can be performed in this method if required. Then TAI would call the isTargetInterceptor method which evaluates the request and returns true if the request is the one that TAI needs to work with.

If the current request is for target interceptor, TAI would call negotiateValidateandEstablishTrust method which actually returns a TAIResult to the WebSphere Application Server. Finally the cleanUp method will be called. The complete code listing for a simple custom Trust Association Interceptor is given below.

The below code which is residing in the WAS expects a parameter named username from authentication provider. If the request contains the username it returns true and creates a trust with WAS.

import java.util.Properties;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.ibm.websphere.security.WebTrustAssociationException;
import com.ibm.websphere.security.WebTrustAssociationFailedException;
import com.ibm.wsspi.security.tai.TAIResult;
import com.ibm.wsspi.security.tai.TrustAssociationInterceptor;
 * A simple custom Trust Association Interceptor.
public class TestInterceptor implements TrustAssociationInterceptor  {
    /* Validates the incoming request.
     * (non-Javadoc)
     * @see com.ibm.wsspi.security.tai.TrustAssociationInterceptor#isTargetInterceptor(javax.servlet.http.HttpServletRequest)
    public boolean isTargetInterceptor(HttpServletRequest req) throws WebTrustAssociationException {
        // Lets do some validation on the incoming request
        String username = req.getParameter("username");
        // If we got a username the request for TAI only.
        if (username != null)
            return true;
        return false;
    /* (non-Javadoc)
     * @see com.ibm.wsspi.security.tai.TrustAssociationInterceptor#negotiateValidateandEstablishTrust(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)
    public TAIResult negotiateValidateandEstablishTrust(HttpServletRequest req, HttpServletResponse resp) throws WebTrustAssociationFailedException {
       // Validate and establish trust with WebSphere Application Server.
       TAIResult result = null;
       String username = req.getParameter("username");
       // Create the TAIResult with username we got.
       result = TAIResult.create(HttpServletResponse.SC_OK, username);
       // return the TAIResult.
       return result;
    /* (non-Javadoc)
     * @see com.ibm.wsspi.security.tai.TrustAssociationInterceptor#initialize(java.util.Properties)
    public int initialize(Properties arg0) throws WebTrustAssociationFailedException {
        // The TAI initialization code goes here.
        return 0;
    /* (non-Javadoc)
     * @see com.ibm.wsspi.security.tai.TrustAssociationInterceptor#getVersion()
    public String getVersion() {
        // The version of TAI we are using.
        return "1.0";
    /* (non-Javadoc)
     * @see com.ibm.wsspi.security.tai.TrustAssociationInterceptor#getType()
    public String getType() {
        // The type of TAI.
        return "Custom TAI 1.0";
    /* (non-Javadoc)
     * @see com.ibm.wsspi.security.tai.TrustAssociationInterceptor#cleanup()
    public void cleanup() {
        // The TAI clean up code goes here.

Configuring a TAI in WAS will be covered in the next post.


Read More


2 comments posted onDevelop a custom Trust Association Interceptor

  1. :shock:

    Thanks for the post. I was just recently delegated the task of implementing the security of our system which is being deployed on websphere. Its taken me a while to figure out a solution. Now I know i need a TAI hopefully this will help me out.

  2. Can above method be used to intercept incoming webservice/soap requests at all? Would be nice to have some pointers on that. Thanks

Post a Comment