To complete my series of posts on writing Trust Association Interceptors (TAIs) for WebSphere Application Server I wanted to show a real-life example. Not a good example necessarily, but an example nevertheless… 🙂
The example below is a very simple TAI that does the following:
- The initialize() method reads a cookie name from the configuration done in the WebSphere Application Server ISC. It illustrates how you can configure a TAI externally without having to hard-code it.
- The isTargetInterceptor() method looks at the request and checks whether a cookie with the configured name is present. If it is, the TAI continues to process the request; if not, it aborts processing (from the TAI point of view).
- The negotiateValidateandEstablishTrust() method does the actual work by simply telling WAS that the username of the user is the value from the cookie.
As you can see, writing a TAI is very simple but extremely powerful. Imagine what could be done if you did SSO between WebSphere Application Server and Lotus Domino.
```java
import java.util.Properties;

import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.ibm.websphere.security.WebTrustAssociationException;
import com.ibm.websphere.security.WebTrustAssociationFailedException;
import com.ibm.wsspi.security.tai.TAIResult;
import com.ibm.wsspi.security.tai.TrustAssociationInterceptor;

public class ExampleTAI implements TrustAssociationInterceptor {
    // declarations
    private String cookie = null;

    @Override
    public void cleanup() {
    }

    @Override
    public String getType() {
        return String.format("Example TAI %s", this.getVersion());
    }

    @Override
    public String getVersion() {
        return "1.0";
    }

    @Override
    public int initialize(Properties props) throws WebTrustAssociationFailedException {
        System.out.println("ExampleTAI.initialize()");

        // read properties from configuration in WAS
        this.cookie = props.getProperty("cookieName");

        // return 0 to indicate success
        return 0;
    }

    // Find the configured cookie on the request. getCookies() returns null
    // (not an empty array) when the request carries no cookies at all.
    private Cookie findCookie(HttpServletRequest req) {
        Cookie[] cookies = req.getCookies();
        if (cookies == null) {
            return null;
        }
        for (Cookie c : cookies) {
            if (c.getName().equals(this.cookie)) {
                return c;
            }
        }
        return null;
    }

    @Override
    public boolean isTargetInterceptor(HttpServletRequest req) throws WebTrustAssociationException {
        System.out.println("ExampleTAI.isTargetInterceptor()");
        // only handle requests that carry the configured cookie
        return findCookie(req) != null;
    }

    @Override
    public TAIResult negotiateValidateandEstablishTrust(HttpServletRequest req, HttpServletResponse res)
            throws WebTrustAssociationFailedException {
        System.out.println("ExampleTAI.negotiate...()");
        Cookie c = findCookie(req);
        if (c != null) {
            // send 200 to signal we're okay; the cookie value is used
            // as the user name exactly as received
            return TAIResult.create(HttpServletResponse.SC_OK, c.getValue());
        }

        // not authenticated
        return TAIResult.create(HttpServletResponse.SC_UNAUTHORIZED);
    }
}
```
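The TAI above hands the cookie value to WAS as the user name exactly as it arrives. As an added example (not the author's code and not a WebSphere API), here is one way the validation step could check a signed, expiring cookie before trust is established; the class name `SignedCookieVerifier`, the cookie format `user|expiry|mac` and the demo key are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical helper, not part of WebSphere or of the TAI in this post.
// Assumed cookie format: <user>|<expiryEpochSeconds>|<base64url HMAC-SHA256 of "user|expiry">
public class SignedCookieVerifier {
    private final SecretKeySpec key;
    public SignedCookieVerifier(byte[] secret) {
        this.key = new SecretKeySpec(secret, "HmacSHA256");
    }
    private byte[] mac(String payload) throws Exception {
        Mac m = Mac.getInstance("HmacSHA256");
        m.init(key);
        return m.doFinal(payload.getBytes(StandardCharsets.UTF_8));
    }

    // Issuer side (the system that sets the cookie after a real login).
    public String issue(String user, long expiryEpochSeconds) throws Exception {
        String payload = user + "|" + expiryEpochSeconds;
        return payload + "|" + Base64.getUrlEncoder().withoutPadding().encodeToString(mac(payload));
    }

    // Returns the user name if the cookie is authentic and unexpired, otherwise null.
    public String verify(String cookieValue, long nowEpochSeconds) {
        try {
            String[] p = cookieValue.split("\\|", -1);
            if (p.length != 3 || p[0].isEmpty()) return null;
            byte[] expected = mac(p[0] + "|" + p[1]);
            byte[] supplied = Base64.getUrlDecoder().decode(p[2]);
            if (!MessageDigest.isEqual(expected, supplied)) return null; // constant-time compare
            if (Long.parseLong(p[1]) < nowEpochSeconds) return null;    // expired
            return p[0];
        } catch (Exception e) {
            return null; // null or malformed input is treated as unauthenticated
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo key and timestamps, for illustration only.
        SignedCookieVerifier v = new SignedCookieVerifier("constructed-demo-key".getBytes(StandardCharsets.UTF_8));
        long now = 1_700_000_000L;
        String good = v.issue("jdoe", now + 300);
        System.out.println(v.verify(good, now));                                       // valid cookie
        System.out.println(v.verify(good.replaceFirst("jdoe", "someoneelse"), now));   // altered user
        System.out.println(v.verify(good, now + 600));                                 // past expiry
    }
}
```

In the TAI, negotiateValidateandEstablishTrust() would pass c.getValue() to verify() and call TAIResult.create(HttpServletResponse.SC_OK, user) only when a non-null user comes back. The key could be supplied the same way as cookieName, as a custom property read in initialize() (an assumption, not shown in the post).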
Suppose I am accessing a web resource which caused the TAI to be invoked.
If the TAI returns SC_UNAUTHORIZED then a blank page is shown.
Is that the correct behaviour? Or should it be automatically redirected to some page, say, the welcome page of the web application?
Or is the page where it should redirect configurable?
Or do I need to write response.redirect("somepage.jsp"); in my TAI implementation?
I’m pretty sure that sending an unauthorized back should cause the webapp to show a login page if the protected web page is set up to require authentication.
Hi,
can you explain what configuration you have done in the WebSphere Application Server ISC for the initialize() method to read a cookie name?
When you configure the TAI you can add so-called custom properties, which can be read as I do.
Pretty cool!!!
I have created the TAI configuration. During the start of the server I can see the initialize method is getting called, but from my web application I am not able to invoke any of the methods like isTargetInterceptor, negotiateValidateandEstablishTrust, etc.
May I know what kind of setup I need to do in web.xml?
We already have a TAI on the Portal Server which is a Siteminder TAI.
I would like to add another TAI.
Once added, I would like both TAIs to function but would like the new TAI to be first in order. Is this possible to do, and if yes, can you please help with the instructions to achieve ordering of TAIs?