Posted by Albin Joseph | Posted in WebSphere | Posted on 03-07-2008
Configuring TAI in WebSphere Application Server.
Yesterday I posted about how to create a custom Trust Association Interceptor for WAS. Today I will be explaining how to configure the TAI in WAS. In order to configure the TAI in WebSphere Application Server, export the TAI project as a jar file. (Creating and exporting a jar is very easy in RAD. Right click on the project and select Export. From the export wizard window select ‘JAR file’. It will show all the projects available with the one we right clicked as selected. Enter the destination where we want to save our generated jar file and enter a name for the jar file say tai.jar and click on Finish. Our jar file is ready).
Once we completed generation of jar file for TAI, we need to copy the same jar file to WAS_INSTALL_DIR\lib\ext folder. Now we need to make an entry for our TAI inside the admin console. The steps for configuring a TAI in WebSphere are given below.
1. Login to WebSphere admin console.
2. Click on Global Security under Security menu.
3. From the page opened up expand Authentication Mechanisms and click on LTPA
4. The LTPA configuration page opens up. Click on Trust Association links.
5. Select the “Enable trust association” check box. And save the changes.
6. Come back to the same page if you are not there already.
7. Click on Interceptors
8. Click on New
9. Enter the fully qualified name of your TAI inside “Interceptor class name” text box.
10. Save the changes
We are done. Restart the server and our new custom TAI will be ready for use.
Posted by Albin Joseph | Posted in WebSphere | Posted on 02-07-2008
If we are implementing an SSO solution using an external authentication provider, we need a Trust Association Interceptor (TAI) to assert the identity to WebSphere Application Server. If our authentication provider is an external tool like WebSEAL or Tivoli Accesses Manager, we need some mechanism to tell WAS that the user is authenticated. So the actual authentication happens in some external tools and by using TAI we would inform WebSphere about the user’s identity.
Today I will explain how to write a custom Trust Association Interceptor (TAI) for WebSphere. Since TAI is used for informing WebSphere Application Server about a user’s identity, first TAI needs to know which user is authenticated. Typically this is done by passing some parameter (like username) to WebSphere Application Server from authentication provider. The TAI which is present in the Application Server reads the parameters from request and returns the username to WAS. WAS then queries the user registry for the existence of the user. However WAS will not validate the password while it queries the user registry.
The first step in developing a custom TAI is to write a class that implements the TrustAssociationInterceptor interface. The TrustAssociationInterceptor interface contains a couple of methods that we need to implement.
The first method that will be executed when calling the TAI is initialize. Any initialization operations can be performed in this method if required. Then TAI would call the isTargetInterceptor method which evaluates the request and returns true if the request is the one that TAI needs to work with.
If the current request is for target interceptor, TAI would call negotiateValidateandEstablishTrust method which actually returns a TAIResult to the WebSphere Application Server. Finally the cleanUp method will be called. The complete code listing for a simple custom Trust Association Interceptor is given below.
The below code which is residing in the WAS expects a parameter named username from authentication provider. If the request contains the username it returns true and creates a trust with WAS.
import java.util.Properties;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.ibm.websphere.security.WebTrustAssociationException;
import com.ibm.websphere.security.WebTrustAssociationFailedException;
import com.ibm.wsspi.security.tai.TAIResult;
import com.ibm.wsspi.security.tai.TrustAssociationInterceptor;
/**
* A simple custom Trust Association Interceptor.
*/
public class TestInterceptor implements TrustAssociationInterceptor {
/* Validates the incoming request.
*
* (non-Javadoc)
* @see com.ibm.wsspi.security.tai.TrustAssociationInterceptor#isTargetInterceptor(javax.servlet.http.HttpServletRequest)
*/
public boolean isTargetInterceptor(HttpServletRequest req) throws WebTrustAssociationException {
// Lets do some validation on the incoming request
String username = req.getParameter("username");
// If we got a username the request for TAI only.
if (username != null)
return true;
return false;
}
/* (non-Javadoc)
* @see com.ibm.wsspi.security.tai.TrustAssociationInterceptor#negotiateValidateandEstablishTrust(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)
*/
public TAIResult negotiateValidateandEstablishTrust(HttpServletRequest req, HttpServletResponse resp) throws WebTrustAssociationFailedException {
// Validate and establish trust with WebSphere Application Server.
TAIResult result = null;
String username = req.getParameter("username");
// Create the TAIResult with username we got.
result = TAIResult.create(HttpServletResponse.SC_OK, username);
// return the TAIResult.
return result;
}
/* (non-Javadoc)
* @see com.ibm.wsspi.security.tai.TrustAssociationInterceptor#initialize(java.util.Properties)
*/
public int initialize(Properties arg0) throws WebTrustAssociationFailedException {
// The TAI initialization code goes here.
return 0;
}
/* (non-Javadoc)
* @see com.ibm.wsspi.security.tai.TrustAssociationInterceptor#getVersion()
*/
public String getVersion() {
// The version of TAI we are using.
return "1.0";
}
/* (non-Javadoc)
* @see com.ibm.wsspi.security.tai.TrustAssociationInterceptor#getType()
*/
public String getType() {
// The type of TAI.
return "Custom TAI 1.0";
}
/* (non-Javadoc)
* @see com.ibm.wsspi.security.tai.TrustAssociationInterceptor#cleanup()
*/
public void cleanup() {
// The TAI clean up code goes here.
}
} |
Configuring a TAI in WAS will be covered in the next post.
