Configure TAI for the Liberty profile

We can configure the Liberty profile to integrate with a third-party security service using Trust Association Interceptors (TAI). The TAI can be called before or after single sign-on (SSO).

Before you start, install a third-party security server as a reverse proxy. The third-party security server acts as a front-end authentication server; the Liberty profile server then applies its own authorization policy to the credentials that the proxy server passes on. You also need a JAR file containing the custom TAI class, which implements interface...

There is no support for monitoring changes of this JAR file.

A TAI is used to validate HTTP requests between a third-party security server and a Liberty profile server. The TAI inspects the HTTP requests from the third-party security server to see whether they contain any security attributes. If the process of validating a request by the TAI is successful, the Liberty profile server authorizes the request by checking whether the client user has the required permission to access the resources.

We can also use the developer tools to configure a TAI service.


Procedure

  1. Enable the appSecurity-2.0 Liberty feature in server.xml.

      <featureManager> 
          <feature>appSecurity-2.0</feature> 
      </featureManager> 

  2. Deploy the applications to the Liberty profile server, and enable all the Liberty features that the applications require, such as jsp-2.2 and jdbc-4.0.

  3. Place the TAI implementation library simpleTAI.jar in the server directory.

  4. Update server.xml with the TAI configuration options and location of the TAI implementation library.

    In the following server.xml file, the custom TAI is enabled, but it does not perform authentication for unprotected URIs and does not fall back to the application's authentication method if TAI authentication fails.

    A property name cannot start with a period (.), config., or service. The property names id and ID are not allowed.

    By default, the invokeBeforeSSO property is set to true. With this setting, the TAI is invoked even when an SSO token is present and valid. If the expected behavior is to invoke the TAI only when the SSO token is invalid or not present, set invokeBeforeSSO to false and enable the invokeAfterSSO property instead. With that setting, the TAI is invoked only when the SSO token is not present or is invalid, which in some cases improves the performance of the system.
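    The page does not carry the server.xml it refers to, so the following is an added example of the configuration that steps 1 to 4 describe, not a file from the original page or from the product documentation. The feature name, the simpleTAI.jar file name and the invokeBeforeSSO and invokeAfterSSO settings come from the text above; the trustAssociation and library elements and the attributes invokeForUnprotectedURI, failOverToAppAuthType, enabled, className and libraryRef are the Liberty configuration elements for a TAI. The class name com.example.SimpleTAI and the custom property values are assumptions chosen for illustration.

```xml
<server description="Liberty profile with a custom TAI (added example)">

    <!-- Step 1: application security is required for TAI support -->
    <featureManager>
        <feature>appSecurity-2.0</feature>
    </featureManager>

    <!-- Step 4: TAI configuration.
         invokeForUnprotectedURI="false": the TAI is not called for unprotected URIs.
         failOverToAppAuthType="false":   if TAI authentication fails, the request is
                                          rejected instead of falling back to the
                                          application's own authentication method. -->
    <trustAssociation id="myTrustAssociation"
                      invokeForUnprotectedURI="false"
                      failOverToAppAuthType="false">

        <!-- className is an assumed placeholder for the custom TAI class in simpleTAI.jar.
             invokeBeforeSSO="true" (the default) calls the TAI even when a valid SSO
             token is present; to call it only when the SSO token is missing or invalid,
             use invokeBeforeSSO="false" invokeAfterSSO="true" instead. -->
        <interceptors id="simpleTAI"
                      enabled="true"
                      className="com.example.SimpleTAI"
                      invokeBeforeSSO="true"
                      invokeAfterSSO="false"
                      libraryRef="simpleTAI">
            <!-- Custom properties handed to the TAI class. Names must not start with
                 a period, config. or service., and must not be id or ID.
                 The values below are constructed for this example. -->
            <properties trustedProxyHost="proxy.example.internal"
                        requiredHeader="iv-user"/>
        </interceptors>
    </trustAssociation>

    <!-- Step 3: the TAI implementation library, placed in the server directory -->
    <library id="simpleTAI">
        <fileset dir="${server.config.dir}" includes="simpleTAI.jar"/>
    </library>

</server>
```

    Because failOverToAppAuthType is false, a TAI failure is a hard denial: requests that the proxy did not authenticate are not given a second chance through the application's login mechanism, which is the safer default when the proxy is the only trusted entry point. Also note that changes to simpleTAI.jar are not monitored, so the server must be restarted after the library is updated.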
