A TAI code example

To complete my series posts on writing Trust Association Interceptors (TAI’s) for Websphere Application Server I wanted to show a real-life example. Not a good example necessarily but an example never the less… 🙂

The below example is a very simple TAI that simply does the following:

  1. The initialize() method reads a cookie name from the configuration done in the Websphere Application Server ISC. It illustrates how you can configure a TAI externally without having to hard code it.
  2. The isTargetInterceptor() method looks at the request and sees if a cookie with the configured name is available. If yes it continues to process the request and if not it aborts processing (from the TAI point of view).
  3. The negotiateValidateandEstablishTrust() method does the actual work by simply telling WAS that the username of user is the value from the cookie.

As you see writing a TAI is very simple but extremely powerful. Imagine what could be done if you did SSO between Websphere Application Server and Lotus Domino.

import java.util.Properties;

import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.ibm.websphere.security.WebTrustAssociationException;
import com.ibm.websphere.security.WebTrustAssociationFailedException;
import com.ibm.wsspi.security.tai.TAIResult;
import com.ibm.wsspi.security.tai.TrustAssociationInterceptor;

public class ExampleTAI implements TrustAssociationInterceptor {
   // declarations
   private String cookie = null;

   public void cleanup() {

   public String getType() {
      return String.format("Example TAI %s", this.getVersion());

   public String getVersion() {
      return "1.0";

   public int initialize(Properties props)
      throws WebTrustAssociationFailedException {

      // read properties from configuration in WAS
      this.cookie = props.getProperty("cookieName");

      // return 0 to indicate success
      return 0;

   public boolean isTargetInterceptor(
      HttpServletRequest req)
      throws WebTrustAssociationException {
      for (Cookie c : req.getCookies()) {
         if (c.getName().equals(this.cookie)) return true;
      return false;

   public TAIResult negotiateValidateandEstablishTrust(
      HttpServletRequest req,
      HttpServletResponse res)
      throws WebTrustAssociationFailedException {
      for (Cookie c : req.getCookies()) {
         if (c.getName().equals(this.cookie)) {
            // send 200 to signal we're okay
            return TAIResult.create(HttpServletResponse.SC_OK,

      // not authenticated
      return TAIResult.create(HttpServletResponse.SC_UNAUTHORIZED);


7 thoughts on “A TAI code example”

  1. Supose I am accessing a web resource which caused TAI to be invoked.

    If TAI returns  SC_UNAUTHORIZED  then blank page is shown.

    Is it correct behaviour ? Ot it should be automatically redirected to some page say, welcome page of web application ?

    Or is page where it should redirect is configurable ?

    Or I need to write in my TAI impletementation to responce.redirect("somepage.jsp");



  2. hi

    can you explian what configuration you have done in the Websphere Application Server ISC for initialize() method to read a cookie name ?


  3.  I have created the TAi configuration, During the start of the server i can see the initialize method is getting called, But from my webapplication i am not able to invoke any one of the methods like isTargetInterceptor, negotiateValidateandEstablishTrust..etc..

    May i know what kind of setup i need to do in web.xml ??



  4. We already have a TAI on the Portal Server which is a Siteminder TAI.

    I would like to add another TAI.

    Once added I would like both the TAIs to function but would like the new TAI to be first in order. Is this possible to do and if yes can you please help with the intructions to achieve ordering of TAIs.


Comments are closed.