Trust association interceptor support for Subject creation
The trust association interceptor (TAI) com.ibm.wsspi.security.tai.TrustAssociationInterceptor interface supports several features that are different from the existing com.ibm.websphere.security.TrustAssociationInterceptor interface. The TAI interface supports a multiphase, negotiated authentication process. For example, some systems require a challenge response protocol back to the client. The two key methods in this interface are:
- Key method name
- public boolean isTargetInterceptor (HttpServletRequest req)
The isTargetInterceptor method determines whether the request originated with the proxy server that is associated with the interceptor. The implementation code must examine the incoming request object and determine if the proxy server that forwards the request is a valid proxy server for this interceptor. The result of this method determines whether the interceptor processes the request.
- Method result
A true value tells WAS to have the TAI handle the request.
A false value, tells WebSphere Application Server to ignore the TAI.
The TAIResult class has three static methods for creating a TAIResult result. The TAIResult create methods take an int type as the first parameter. WAS expects the result to be a valid HTTP request return code and is interpreted in one of the following ways:
- Key method name
- public TAIResult negotiateValidateandEstablishTrust (HttpServletRequest req, HttpServletResponse res)
The negotiateValidateandEstablishTrust method determines whether to trust the proxy server from which the request originated. The implementation code must authenticate the proxy server. The authentication mechanism is proxy-server specific. For example, in the product implementation for the WebSEAL server, this method retrieves the basic authentication information from the HTTP header and validates the information against the user registry that WebSphere Application Serve uses. If the credentials are not valid, the code creates the WebTrustAssociationException exception, which indicates that the proxy server is not trusted and the request is denied. If the credentials are valid, the code returns a TAIResult result, which indicates the status of the request processing with the client identity (Subject and principal name) to use for authorizing the Web resource.
- Method result
- Returns a TAIResult result, which indicates the status of the request processing. You can query the Request object and modify the Response object can be modified.
- If the value is HttpServletResponse.SC_OK, this response tells WAS that the TAI completed its negotiation. The response also tells WAS to use the information in the TAIResult result to create a user identity.
- Other values tell WAS to return the TAI output, which is placed into the HttpServletResponse response, to the Web client. Typically, the Web client provides additional information and then places another call to the TAI.
The created TAIResults results have the following meanings:
TAIResult Explanation public static TAIResult create(int status); Indicates a status to WAS. The status cannot be SC_OK because the identity information is provided. public static TAIResult create(int status, String principal); Indicates a status to WAS and provides the user ID or the unique ID for this user. WebSphere Application Server creates credentials by querying the user registry. public static TAIResult create(int status, String principal, Subject subject); Indicates a status to WAS, the user ID or the unique ID for the user, and a custom Subject. If the Subject contains a hashtable, the principal is ignored. The contents of the Subject become part of the eventual user Subject.
Example
All of the following examples are within the negotiateValidateandEstablishTrust method of a TAI.The following code sample indicates that additional negotiation is required:// Modify the HttpServletResponse object
// The response code is meaningful only on the client
return TAIResult.create(HttpServletResponse.SC_CONTINUE);
The following code sample indicates that the TAI determined the user identity. WAS receives the user ID only and queries the user registry for additional information:// modify the HttpServletResponse object
return TAIResult.create(HttpServletResponse.SC_OK, userid);
The following code sample indicates that the TAI determined the user identity. WAS receives the complete user information that is contained in the hashtable. For more information on the hashtable, see Configure inbound identity mapping. In this code sample, the hashtable is placed in the public credential portion of the Subject:// create Subject and place Hashtable in it
Subject subject = new Subject;
subject.getPublicCredentials().add(hashtable);
//the response code is meaningful only the client
return TAIResult.create(HttpServletResponse.SC_OK, "ignored", subject);
The following code sample indicates that an authentication failure occured. WAS fails the authentication request://log error message
// ....
throw new WebTrustAssociationFailedException("TAI failed for this reason");
The following methods are additional methods on the TrustAssociationInterceptor interface. These methods are used for initialization, for shutdown, and for identifying the TAI to WAS. For more information, see the Java documentation.
- Method name
- public int initialize(Properties props)
- Method result
- This method is called during TAI initialization and is called only if custom properties are configured for the interceptor.
- Method name
- public String getVersion()
- Method result
- This method returns the version of the TAI.
- Method name
- public String getType()
- Method result
- This method returns the type of the TAI.
- Method name
- public void cleanup()
- Method result
- This method is called when stopping the WAS process. Stopping the WAS process provides an opportunity for the TAI to perform any necessary cleanup. This method is not necessary if cleanup is not required.
Related tasks
Configure inbound identity mapping
Reference topic