Migrating trust association interceptors
The following topics are addressed in this document:
- Changes to the product-provided trust association interceptors
- Migrating product-provided trust association interceptors
- Changes to the custom trust association interceptors
- Migrating custom trust association interceptors
Changes to the product-provided trust association interceptors
For the product provided implementation for the WebSeal server a new optional property com.ibm.websphere.security.webseal.ignoreProxy has been added. If this property is set to true or yes , the implementation does not check for the proxy host names and the proxy ports to match any of the host names and ports listed in the com.ibm.websphere.security.webseal.hostnames and the com.ibm.websphere.security.webseal.ports property respectively. For example, if the VIA header contains the following information:
and the com.ibm.websphere.security.webseal.ignoreProxy is set to true or yes , the host name Fred is not be used when matching the host names. By default, this property is not set, which implies that any proxy host names and ports expected in the VIA header should be listed in the host names and the ports properties to satisfy the isTargetInterceptor method.HTTP/1.1 Fred (Proxy), 1.1 Sam (Apache/1.1), HTTP/1.1 webseal1:7002, 1.1 webseal2:7001Migrating product-provided trust association interceptorsThe properties located in the webseal.properties and trustedserver.properties files are not migrated from previous versions of the WebSphere Application Server. You must migrate the appropriate properties to WebSphere Application Server, Version 5 using the trust association panels in the GUI. For more information, see Configure trust association interceptors.
Changes to the custom trust association interceptors
If the custom interceptor extends, com.ibm.websphere.security.WebSphereBaseTrustAssociationInterceptor , then implement the following new method to initialize the interceptor:
public int init java.util.Properties(props);
WebSphere Application Server checks the return status before using the Trust Association implementation. Zero (0) is the default value for indicating the the interceptor was successfully initialized.
However, if a previous implementation of the trust association interceptor returns a different error status you can either change your implementation to match the expectations or make one of the following changes:
Method 1:
- Add the com.ibm.websphere.security.trustassociation.initStatus property in the trust association interceptor custom properties. Set the property to the value that indicates that the interceptor is successfully initialized. All of the other possible values imply failure. In case of failure, the corresponding trust association interceptor is not used.
Method 2:
- Add the com.ibm.websphere.security.trustassociation.ignoreInitStatus property in the trust association interceptor custom properties. Set the value of this property to true, which tells WebSphere Application Server to ignore the status of this method. If you add this property to the custom properties, WebSphere Application Server does not check the return status, which is similar to previous versions of WebSphere Application Server.
The public int init java.util.Properties(props); method replaces the public int init (String propsFile) method.
The init(Properties) method accepts a java.util.Properties object which contains the set of properties required to initialize the interceptor. All the properties set for an interceptor (by using the Custom Properties link for that interceptor or using scripting) will be sent to this method. The interceptor can then use these properties to initialize itself. For example, in the product provided implementation for the WebSEAL server, this method reads the hosts and ports so that a request coming in can be verified to come from trusted hosts and ports. A return value of 0 implies that the interceptor initialization is successful. Any other value implies that the initialization was not successful and the interceptor will not be used.
All the properties set for an interceptor (by using the Custom Properties link in the administrative console for that interceptor or using scripting) is sent to this method. The interceptor can then use these properties to initialize itself. For example, in the product-provided implementation for the WebSEAL server, this method reads the hosts and ports so that an incoming request can be verified to come from trusted hosts and ports. A return value of 0 implies that the interceptor initialization is successful. Any other value implies that the initialization was not successful and the interceptor is ignored.
Note: The init(String) method still works if you want to use it instead of implementing the init(Properties) method. The only requirement is that the file name containing the custom trust association properties should now be entered using the Custom Properties link of the interceptor in the administrative console or by using scripts. You can enter the property using either of the following methods. The first method is used for backward compatibility with previous versions of WebSphere Application Server.
In Network Deployment, where the location of the file name can vary for different nodes, use the variable ${USER_INSTALL_ROOT} to refer to the WebSphere Application Server installation directory.
Method 1:
- The same property names used in the previous release are used to obtain the file name. The file name is obtained by concatenating the .config to the com.ibm.websphere.security.trustassociation.types property value. If the file name is called myTAI.properties and is located in the C:/WebSphere/AppServer/properties directory, set the following properties:
- com.ibm.websphere.security.trustassociation.types = myTAItype
- com.ibm.websphere.security.trustassociation.myTAItype.config = C:/WebSphere/AppServer/properties/myTAI.properties
Method 2:
- One can set the com.ibm.websphere.security.trustassociation.initPropsFile property in the trust association custom properties to the location of the file. For example, set the following property:
com.ibm.websphere.security.trustassociation.initPropsFile= C:/WebSphere/AppServer/properties/myTAI.properties
The previous line of code was split into two lines due to the width of the screen. Type as one continuous line.
However, it is highly recommened that your implementation be changed to implement the init(Properties) method instead of relying on init (String propsfile) method.
Migrating custom trust association interceptors
The trust associations from previous versions of WebSphere Application Server are not migrated to version 5. Users can manually migrate these trust asociations using the following steps:
- Recompile the implementation file, if necessary.
For more information, refer to the "Changes to the custom trust association interceptors" section previously discussed in this document.
To recompile the implementation file, type the following:
%WAS_HOME%/java/bin/javac -classpath %WAS_HOME%/lib/wssec.jar; %WAS_HOME%/lib/j2ee.jar <your implementation file>.java
Note: The previous line of code was broken into two lines due to the width of the page. Type the code as one continuous line.
- Copy the custom trust association interceptor class files to a location in your product class path. It is suggested that you copy these class files into the %WAS_HOME%/lib/ext directory.
In Network Deployment, copy this class file into the class path of each node and cell.
- Start the WebSphere Application Server
- Enable security to use the trust association interceptor. The properties located in your custom trust association properties file and in the trustedserver.properties file are not migrated from previous versions of WebSphere Application Server to version 5. You must migrate the appropriate properties to WebSphere Application Server, version 5 using the trust association panels in the GUI. For more information, see Configure trust association interceptors.
Configure trust association interceptors
WebSphere is a trademark of the IBM Corporation in the United States, other countries, or both.
IBM is a trademark of the IBM Corporation in the United States, other countries, or both.