The Aggregation Proxy and the IBM® XDMS application provide mechanisms for authentication and authorization. (The Trust Association Interceptor (TAI) provides additional security mechanisms as well.)
The Aggregation Proxy performs HTTP digest authentication using a TAI, which requires the provisioning and configuration of a Lightweight Directory Access Protocol (LDAP) repository containing the subscriber identity and passwords of all users needing access to the system. (In digest authentication, encryption is used so that a user's credentials can be established without the need to transmit a password in plaintext over the network.)
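The digest check described above, as an added example that is not IBM's TAI code: the verifier recomputes the RFC 2617 response from the password held in the directory and compares it with the value the client sent, so the password itself never crosses the network. The `DIRECTORY` dict, the `LIVE_NONCES` set and all function names are assumptions standing in for the LDAP lookup and the nonce store; the sample header is the one from the RFC 2617 example.

```python
import hashlib
import hmac
import re

REALM = "testrealm@host.com"                # constructed: RFC 2617 sample realm
DIRECTORY = {"Mufasa": "Circle Of Life"}    # assumption: stand-in for the LDAP lookup
LIVE_NONCES = {"dcd98b7102dd2f0e8b11d0f600bfb0c093"}  # nonces this server issued
REQUIRED = ("username", "realm", "nonce", "uri", "qop", "nc", "cnonce", "response")

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def expected_response(user, realm, password, method, uri, nonce, nc, cnonce):
    """RFC 2617 section 3.2.2.1 request-digest for qop=auth."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")   # needs the stored secret
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

def parse_digest_header(header):
    """Return the Digest parameters as a dict, or None for another scheme."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        return None
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', params)
    return {key: quoted or bare for key, quoted, bare in pairs}

def verify(header, method):
    """True only if the client proved knowledge of the directory password."""
    f = parse_digest_header(header)
    if f is None or any(k not in f for k in REQUIRED):
        return False
    password = DIRECTORY.get(f["username"])
    if password is None or f["realm"] != REALM or f["qop"] != "auth":
        return False
    if f["nonce"] not in LIVE_NONCES:       # reject nonces we never issued
        return False
    want = expected_response(f["username"], REALM, password, method,
                             f["uri"], f["nonce"], f["nc"], f["cnonce"])
    # Constant-time comparison of the two hex digests.
    return hmac.compare_digest(want.encode(), f["response"].lower().encode())

# Constructed request: the Authorization header from the RFC 2617 example.
SAMPLE = ('Digest username="Mufasa", realm="testrealm@host.com", '
          'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html", '
          'qop=auth, nc=00000001, cnonce="0a4f113b", '
          'response="6629fae49393a05397450978507c4ef1"')

if __name__ == "__main__":
    print(verify(SAMPLE, "GET"))
```

A production verifier would also expire nonces and track the `nc` counter per nonce so that a captured header cannot be replayed.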
The Aggregation Proxy can also reject authentication attempts after a pre-configured number of failed attempts. This function requires maintaining user session affinity with the initial Aggregation Proxy instance using techniques such as source IP address affinity.
IBM XDMS uses a TAI, which is included with the IBM WebSphere® IP Multimedia Subsystem Connector and which enables consumption of the private extension security headers for both HTTP and Session Initiation Protocol (SIP) traffic. This TAI consumes the headers created by the HTTP Digest TAI that runs with the Aggregation Proxy.
If the Aggregation Proxy is not used in the environment and authentication security is still required, then authentication mechanisms can be configured directly on the WebSphere Application Server that is running IBM XDMS. These mechanisms can include Digest authentication (using a custom TAI) or the built-in WebSphere Application Server global security.
Any IBM-supplied TAI can be replaced with a custom version if the function does not suit your environment.
For authorizing access to user documents, IBM XDMS provides a default behavior that gives each user automatic universal access to all documents that the user creates and read access to all global documents. This behavior can be changed through comprehensive or selective provisioning of document authorization documents for affected users.