How to enable Basic Authentication for WPS 7

IBM WebSphere Portal V7.0 provides an HTTP Basic Authentication Trust Association Interceptor that can be enabled to allow specific clients to log into the portal by using HTTP Basic Authentication instead of HTTP Form Based Authentication. The HTTP Basic Authentication Trust Association Interceptor (TAI) can be used to authenticate incoming requests using the HTTP Basic Authentication Protocol described in RFC 2617. This can be useful for clients that are not capable of doing HTTP FORM based authentication.

If the HTTP Basic Authentication TAI is enabled, it decides on every incoming request whether it is responsible for the authentication of that request or not. This decision is based on black and white lists for the requested URL and the client's user agent. The TAI is responsible only if none of the patterns in the black lists match and at least one of the patterns in one of the white lists match. Therefore, if the TAI is configured with empty white lists, it will never authenticate a request. If the TAI decides to authenticate the request and that request contains an authorization header that contains a user ID and password, the TAI tries to log on with that credential. If no user ID and password is provided, the TAI will challenge the client according to RFC 261
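The decision described above can be modelled in a few lines. This is an added example, not IBM's HTTPBasicAuthTAI code: the class and method names, the `*` wildcard semantics, the list contents, the user agent string and the sample credential are all assumptions constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.List;
import java.util.regex.Pattern;

// Added illustration; not the code of com.ibm.portal.auth.tai.HTTPBasicAuthTAI.
public class BasicAuthTaiDecision {
    // Assumption: '*' is the only wildcard a list pattern may contain.
    static boolean any(List<String> patterns, String value) {
        return value != null && patterns.stream().anyMatch(
            p -> Pattern.matches(Pattern.quote(p).replace("*", "\\E.*\\Q"), value));
    }
    // Responsible only if no black list matches and at least one white list matches.
    static boolean isResponsible(List<String> urlBlack, List<String> urlWhite,
            List<String> agentBlack, List<String> agentWhite, String url, String agent) {
        if (any(urlBlack, url) || any(agentBlack, agent)) return false;
        return any(urlWhite, url) || any(agentWhite, agent);
    }
    // {userId, password} from "Basic <base64(user:password)>", or null if absent or malformed.
    static String[] parseBasic(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        try {
            String pair = new String(
                Base64.getDecoder().decode(header.substring(6).trim()), StandardCharsets.UTF_8);
            int colon = pair.indexOf(':'); // first colon: the password may contain ':'
            return colon < 1 ? null
                : new String[] { pair.substring(0, colon), pair.substring(colon + 1) };
        } catch (IllegalArgumentException e) { return null; } // invalid base64
    }
    // No usable credential on a request the TAI is responsible for means a 401 challenge.
    static String decide(boolean responsible, String header) {
        if (!responsible) return "not handled by the TAI";
        String[] cred = parseBasic(header);
        return cred == null ? "401 + WWW-Authenticate: Basic" : "log on as " + cred[0];
    }
    public static void main(String[] args) {
        // Constructed lists modelled on the defaults the page describes.
        List<String> black = List.of("/wps/myportal/*"), none = List.of();
        List<String> white = List.of("/wps/mycontenthandler*");
        String header = "Basic " + Base64.getEncoder()
            .encodeToString("alice:pass:word".getBytes(StandardCharsets.UTF_8));
        for (String url : List.of("/wps/mycontenthandler", "/wps/myportal/Home", "/wps/portal")) {
            boolean mine = isResponsible(black, white, none, none, url, "constructed-agent/1.0");
            System.out.println(url + ": no header -> " + decide(mine, null)
                + "; with header -> " + decide(mine, header));
        }
        // Empty white lists: the TAI never takes responsibility for a request.
        System.out.println(isResponsible(black, none, none, none, "/wps/mycontenthandler", "x"));
    }
}
```

Because the Basic credential is only base64-encoded, not encrypted, anything the white lists open up should be reachable over TLS only.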

You can enable the Basic Authentication TAI by following these steps. By default it is enabled for /wps/mycontenthandler.

  • Log in to the WAS Admin Console for WebSphere Portal Server.

  • Go to the Security -> Global Security page.

  • On the Global Security page, go to Web and SIP Security -> Trust Association.

  • On the Trust Association page, make sure that the Enable Trust Association check box is checked. If it is, click on Interceptors.

  • On the Interceptors page you should see the com.ibm.portal.auth.tai.HTTPBasicAuthTAI link. Click on that link to get the details page.

    As you can see, by default /wps/myportal/* is blocked and /wps/mycontenthandler is open. I will keep it as it is and test basic authentication with /wps/mycontenthandler.



In my case I did not change the default TAI settings, so I tested Basic Authentication by going to the http://localhost:10039/wps/mycontenthandler URL in the browser, and I got prompted for a user ID and password in the native browser window. This is the response that the browser got; you can see it is 401 Authentication required.



Once I entered the authentication information and clicked submit, this is what the browser does: it takes the user ID and password that I entered and submits them. Thereafter, every time I navigate to any page, it submits the same login information.

4 comments:

  1. Hi Sunil, how do we register a custom TAI on WebSphere? I'm on WAS7.

  2. Just go to Global Security. Under Web and SIB security go to Trust associates. Click Interceptors. Add new. Specify the fully qualified class name of your TAI.

    Put the jar file of your Custom TAI in your /lib/ext folder

  3. Hi Sunil,

    I have implemented a custom TAI.
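    // Imports needed by the two methods below (both belong inside the custom TAI class)
    import java.util.Hashtable;
    import javax.security.auth.Subject;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import com.ibm.websphere.security.WebTrustAssociationFailedException;
    import com.ibm.wsspi.security.tai.TAIResult;
    import com.ibm.wsspi.security.token.AttributeNameConstants;

    public TAIResult negotiateValidateandEstablishTrust(
            HttpServletRequest request, HttpServletResponse response)
            throws WebTrustAssociationFailedException {

        // The raw request parameter is used directly as the identity; nothing here validates it
        String samlResponse = request.getParameter("SAMLResponse");
        if (samlResponse == null) {
            // Hashtable rejects null values, so reject the request instead of failing with an NPE
            return TAIResult.create(HttpServletResponse.SC_UNAUTHORIZED);
        }

        Subject subject = createSubject(samlResponse, samlResponse, samlResponse);
        TAIResult taiResult = TAIResult.create(HttpServletResponse.SC_OK, "notused", subject);
        if ("Y".equals(samlResponse)) {
            System.out.println("YYYYYYYYYYYYYY");
            // This result carries only a principal name and no Subject
            taiResult = TAIResult.create(HttpServletResponse.SC_OK, "test1234");
        }

        System.out.println("authenticated taiResult " + taiResult.getAuthenticatedPrincipal());
        System.out.println("subject taiResult " + taiResult.getSubject());
        return taiResult;
    }

    // Builds a Subject whose public credentials carry the WebSphere identity attributes
    private Subject createSubject(String userid, String uniqueid, String key) {
        Subject subject = new Subject();
        Hashtable<String, Object> hashtable = new Hashtable<String, Object>();
        hashtable.put(AttributeNameConstants.WSCREDENTIAL_UNIQUEID, uniqueid);
        hashtable.put(AttributeNameConstants.WSCREDENTIAL_SECURITYNAME, userid);
        System.out.println("Subject cache key is " + key);
        hashtable.put(AttributeNameConstants.WSCREDENTIAL_CACHE_KEY, key);
        subject.getPublicCredentials().add(hashtable);

        // Debug output only; word1 is not used for anything else
        String word1 = userid.toUpperCase();
        System.out.println("TAI using word " + word1);

        return subject;
    }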
    But when I access the authenticated resource, I am getting an empty page without theme.
