The new Trust Association Interceptor (TAI) interface, com.ibm.wsspi.security.tai.TrustAssociationInterceptor, supports several new features and differs from the existing com.ibm.websphere.security.TrustAssociationInterceptor interface. Although the existing interface is still supported, it will be deprecated in a future release.
The isTargetInterceptor method determines whether the request originated with the proxy server associated with the interceptor. The implementation code must examine the incoming request object and determine if the proxy server forwarding the request is a valid proxy server for this interceptor. The result of this method determines whether the interceptor processes the request.
A true value tells WebSphere Application Server to have the TAI handle the request.
A false value tells WebSphere Application Server to ignore the TAI.
The negotiateValidateandEstablishTrust method determines whether to trust the proxy server from which the request originated. The implementation code must authenticate the proxy server; the authentication mechanism is proxy-server-specific. For example, in the product implementation for the WebSEAL server, this method retrieves the basic authentication information from the HTTP header and validates it against the user registry used by WebSphere Application Server. If the credentials are invalid, the code throws the WebTrustAssociationException, which indicates that the proxy server is not trusted and the request is denied. If the credentials are valid, the code returns a TAIResult, which indicates the status of the request processing along with the client identity (Subject and principal name) to be used for authorizing the Web resource.
| TAIResult | Explanation |
|---|---|
| public static TAIResult create(int status); | Indicates a status to WebSphere Application Server. The status should not be SC_OK because this form supplies no identity information. |
| public static TAIResult create(int status, String principal); | Indicates a status to WebSphere Application Server and provides the user ID or the unique ID for this user. WebSphere Application Server creates credentials by querying the user registry. |
| public static TAIResult create(int status, String principal, Subject subject); | Indicates a status to WebSphere Application Server, the user ID or the unique ID for the user, and a custom Subject. If the Subject contains a Hashtable, the principal is ignored. The contents of the Subject become part of the eventual user Subject. |
Example
```java
import javax.security.auth.Subject;
import javax.servlet.http.HttpServletResponse;
import com.ibm.websphere.security.WebTrustAssociationFailedException;
import com.ibm.wsspi.security.tai.TAIResult;

// 1. Negotiation must continue; no identity is supplied yet.
// Modify the HttpServletResponse object as needed.
// The response code is meaningful only on the client.
return TAIResult.create(HttpServletResponse.SC_CONTINUE);

// 2. Proxy trusted; supply the user ID or unique ID (credentials come from the registry).
// Modify the HttpServletResponse object as needed.
return TAIResult.create(HttpServletResponse.SC_OK, userid);

// 3. Proxy trusted; supply a custom Subject carrying a Hashtable (the principal is then ignored).
Subject subject = new Subject();
subject.getPublicCredentials().add(hashtable);
// The response code is meaningful only on the client.
return TAIResult.create(HttpServletResponse.SC_OK, "ignored", subject);

// 4. Proxy not trusted; log the error message and deny the request.
// ....
throw new WebTrustAssociationFailedException("TAI failed for this reason");
```
There are a few additional methods on the TrustAssociationInterceptor interface that are discussed in the Java documentation. These methods are used for initialization, shut down, and for identifying the TAI to WebSphere Application Server.
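As an added illustration (not IBM's code and not the WebSEAL implementation mentioned above), the skeleton below implements the new interface end to end: isTargetInterceptor claims only requests that arrive from the configured proxy address and carry the proxy's marker header, and negotiateValidateandEstablishTrust authenticates the proxy with a shared secret before returning a TAIResult for the asserted user. The header names, the custom property names and the shared-secret scheme are assumptions; the method signatures follow the WebSphere Javadoc for com.ibm.wsspi.security.tai.TrustAssociationInterceptor and should be checked against your release.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Properties;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.ibm.websphere.security.WebTrustAssociationException;
import com.ibm.websphere.security.WebTrustAssociationFailedException;
import com.ibm.wsspi.security.tai.TAIResult;
import com.ibm.wsspi.security.tai.TrustAssociationInterceptor;

// Hypothetical TAI: the proxy asserts the user in X-Proxy-User and proves its own
// identity with a shared secret in X-Proxy-Secret (header and property names are assumptions).
public class ExampleProxyTAI implements TrustAssociationInterceptor {
    private String trustedProxyAddress;   // address the proxy connects from
    private byte[] proxySecret;           // secret the proxy must present

    public int initialize(Properties props) throws WebTrustAssociationFailedException {
        trustedProxyAddress = props.getProperty("trustedProxyAddress");
        String secret = props.getProperty("proxySecret");
        if (trustedProxyAddress == null || secret == null) {
            throw new WebTrustAssociationFailedException("ExampleProxyTAI: missing configuration");
        }
        proxySecret = secret.getBytes(StandardCharsets.UTF_8);
        return 0; // 0 means the interceptor initialized successfully
    }

    // Claim only requests that arrive from the configured proxy address AND carry its
    // marker header; the header alone proves nothing, since any client can send one.
    public boolean isTargetInterceptor(HttpServletRequest req) throws WebTrustAssociationException {
        return trustedProxyAddress.equals(req.getRemoteAddr()) && req.getHeader("X-Proxy-User") != null;
    }

    // Authenticate the proxy before believing the identity it asserts.
    public TAIResult negotiateValidateandEstablishTrust(HttpServletRequest req, HttpServletResponse resp)
            throws WebTrustAssociationFailedException {
        String presented = req.getHeader("X-Proxy-Secret");
        byte[] presentedBytes = presented == null ? new byte[0] : presented.getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(presentedBytes, proxySecret)) {   // constant-time comparison
            // Proxy is not trusted, so the request is denied
            throw new WebTrustAssociationFailedException("ExampleProxyTAI: proxy authentication failed");
        }
        // WebSphere Application Server creates the credentials by querying the user registry for this ID
        return TAIResult.create(HttpServletResponse.SC_OK, req.getHeader("X-Proxy-User"));
    }

    public String getVersion() { return "1.0"; }
    public String getType() { return getClass().getName(); }
    public void cleanup() { }
}
```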
Related tasks
Configuring inbound identity mapping