New, enhanced TAI Interface
The new TAI interface was introduced in WebSphere Application Server V5.1.1. This TAI interface, com.ibm.wsspi.security.tai.TrustAssociationInterceptor, has been enhanced with the following new features:
- Support for a multi-phase negotiation during the authentication process.
- The TAI returns a TAIResult, which indicates whether more negotiation is required or the negotiation process is complete.
- The Trust Association Interceptor can assert the user ID and group information to WebSphere Application Server.
- Custom information may be added to the subject during TAI processing; it is returned as a JAAS Subject and can be used in application code.
There are two key methods in the new interface:
- public boolean isTargetInterceptor(HttpServletRequest req) throws WebTrustAssociationException
This method determines whether the request originated from one of the proxy servers associated with the Trust Association Interceptor. The code in this method must examine the request object and decide whether the incoming request came from one of the configured proxy servers. The method returns true or false: true tells WebSphere Application Server to continue processing the TAI; if it returns false, the TAI is ignored for this request.
- public TAIResult negotiateValidateandEstablishTrust(HttpServletRequest req, HttpServletResponse res) throws WebTrustAssociationFailedException
The code in this method must determine whether to trust the proxy server the request originated from. This code is proxy server specific and should authenticate the proxy server in some meaningful way. This method also enables the TAI to use trust negotiation protocols such as SPNEGO to send challenges to, and receive responses from, the client.
The return value of negotiateValidateandEstablishTrust is a TAIResult. This object indicates the status of negotiation or the final result of negotiation. The TAIResult class has three static methods for creating a TAIResult.
- create(int status)
Setting the status to a value other than HttpServletResponse.SC_OK causes the HttpServletResponse to be sent back to the client, which then makes another request that is again handled by the TAI.
- create(int status, String principal)
We set the status to HttpServletResponse.SC_OK and provide the user ID or the unique ID for this user. WebSphere Application Server then queries the registry with this ID to obtain the additional information needed to create the credentials.
- create(int status, String principal, Subject subject)
We can set the status to HttpServletResponse.SC_OK thus indicating that no further negotiation is needed. WebSphere Application Server will create the Subject using the information provided in principal and subject.
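The following is an added example, not code from the Information Center or from WebSphere itself, of how the two key methods and the TAIResult factory methods fit together in a TAI that authenticates a reverse proxy with a shared secret before accepting the user ID it asserts. The custom property names (proxy.addresses, proxy.secret), the header names (X-Proxy-Secret, X-Asserted-User) and the exception packages (com.ibm.websphere.security) are assumptions; the remaining interface methods (initialize, getVersion, getType, cleanup) are the initialization, identification and shutdown methods the text refers to.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.ibm.websphere.security.WebTrustAssociationException;
import com.ibm.websphere.security.WebTrustAssociationFailedException;
import com.ibm.wsspi.security.tai.TAIResult;
import com.ibm.wsspi.security.tai.TrustAssociationInterceptor;

public class SharedSecretProxyTAI implements TrustAssociationInterceptor {
    // Hypothetical custom properties (proxy.addresses, proxy.secret) and header names.
    private final Set<String> proxyAddresses = new HashSet<String>();
    private byte[] sharedSecret;

    public int initialize(Properties props) throws WebTrustAssociationFailedException {
        proxyAddresses.addAll(Arrays.asList(props.getProperty("proxy.addresses", "").split(",")));
        String secret = props.getProperty("proxy.secret");
        if (secret == null) throw new WebTrustAssociationFailedException("proxy.secret not set");
        sharedSecret = secret.getBytes(StandardCharsets.UTF_8);
        return 0;
    }

    // Only requests arriving from a configured proxy address are handled by this TAI.
    public boolean isTargetInterceptor(HttpServletRequest req) throws WebTrustAssociationException {
        return proxyAddresses.contains(req.getRemoteAddr());
    }
    // Authenticate the proxy first; its user assertion is believed only after that succeeds.
    public TAIResult negotiateValidateandEstablishTrust(HttpServletRequest req, HttpServletResponse res)
            throws WebTrustAssociationFailedException {
        String presented = req.getHeader("X-Proxy-Secret");
        if (presented == null) {
            // A non-SC_OK status is sent back to the caller, which retries with the secret.
            res.setHeader("WWW-Authenticate", "X-Proxy-Secret");
            return TAIResult.create(HttpServletResponse.SC_UNAUTHORIZED);
        }
        // Constant-time comparison so timing does not leak how much of the secret matched.
        if (!MessageDigest.isEqual(presented.getBytes(StandardCharsets.UTF_8), sharedSecret)) {
            throw new WebTrustAssociationFailedException("proxy secret mismatch");
        }
        String user = req.getHeader("X-Asserted-User");
        if (user == null || user.isEmpty()) throw new WebTrustAssociationFailedException("no user asserted");
        // SC_OK plus a principal: WebSphere looks this ID up in the registry to build credentials.
        return TAIResult.create(HttpServletResponse.SC_OK, user);
    }
    public String getVersion() { return "1.0"; }
    public String getType() { return getClass().getName(); }
    public void cleanup() { }
}
```

Note that the user header is read only after the remote address and shared secret checks pass; a TAI that trusts an identity header on its own lets any client that can reach the server choose its own user ID.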
There are a few additional methods on the TrustAssociationInterceptor interface. These methods are used for TrustAssociationInterceptor initialization, shutdown, and identification. For more information about them, refer to the WebSphere Application Server V6 Information Center or the WebSphere Application Server Java API documentation.