WAS v8.5 > Secure applications > Secure the Liberty profile and its applications > Authenticate users in the Liberty profileConfiguring TAI for the Liberty profile
We can configure the Liberty profile to integrate with a third-party security service using Trust Association Interceptors (TAI). The TAI can be called before or after single sign-on (SSO).
Before beginning
This topic assumes that we have already installed a third-party security server as a reverse proxy server. The third-party security server can act as a front-end authentication server when the Liberty profile server applies its own authorization policy onto the resulting credentials, which are passed by the proxy server. Meanwhile, we have a JAR file containing the custom TAI class, which implements the com.ibm.wsspi.security.tai.TrustAssociationInterceptor interface.
There is no support for monitoring changes of this JAR file. A TAI is used to validate HTTP requests between a third-party security server and a Liberty profile server. It inspects the HTTP requests from the third-party security server to see if there are any security attributes. If the validation for a request is successful in the interceptor, the Liberty profile server authorizes the request by checking whether the client user has the required permission to access the resources.
See also Develop a custom TAI for the Liberty profile and Customizing SSO configuration using LTPA cookies for the Liberty profile.
We can also use the developer tools to configure a TAI service. See Configuring TAI on the Liberty profile using WebSphere Studio
- Enable the appSecurity-1.0 Liberty feature in server.xml.
- Deploy the applications to the Liberty profile server and enable all required Liberty features, such asjsp-2.2, jdbc-4.0, and so on.
- Place the TAI implementation library simpleTAI.jar in your server directory.
- Update server.xml with the TAI configuration options and location of the TAI implementation library.
See the following server.xml file as an example:
< featureManager> <feature>appSecurity-1.0</feature> </featureManager> < trustAssociation id="myTrustAssociation" invokeForUnprotectedURI="false" failOverToAppAuthType="false"> <interceptors enabled="true" className="com.ibm.websphere.security.sample.SimpleTAI" invokeBeforeSSO="true" invokeAfterSSO="false" libraryRef="simpleTAI"> < properties hostName="machine1" application="test1"/> </interceptors> </trustAssociation> < library > < fileset dir="${server.config.dir}" includes="simpleTAI.jar"/> </library> ...The custom TAI is enabled in the example, but it does not perform authentication for unprotected URIs and does not allow to fallback to application authentication method if the TAI authentication fails. As shown in the example, the following configuration elements are available for TAI support:
- trustAssociation
- interceptors
- properties
The property name cannot start with a period (.), config., or service. Also, the property name id or ID is not allowed.
For more information about the trustAssociation, interceptors and properties elements, see also Liberty profile: Configuration elements in server.xml.
See also
- Configuring TAI on the Liberty profile using WebSphere Studio
We can configure a TAI service for the Liberty profile using developer tools.
Parent topic: Authenticate users in the Liberty profile
Related concepts:
Liberty profile: Authentication
Trust associations
Related
Develop a custom TAI for the Liberty profile
Reference:
Liberty profile: Configuration elements in server.xml
|