If the HTTP Basic Authentication TAI is enabled, it decides on every incoming request whether it is responsible for authenticating that request. This decision is based on black and white lists for the requested URL and the client's user agent. The TAI is responsible only if none of the patterns in the black lists match and at least one of the patterns in one of the white lists matches. Therefore, if the TAI is configured with empty white lists, it will never authenticate a request. If the TAI decides to authenticate the request and the request contains an authorization header with a user ID and password, the TAI tries to log on with that credential. If no user ID and password is provided, the TAI will challenge the client according to RFC 261
You can enable the Basic Authentication TAI by following these steps. By default it is enabled for /wps/mycontenthandler.
- Log in to the WAS Admin Console for WebSphere Portal Server
- Go to the Security -> Global Security page
- On the Global Security page, go to Web and SIP Security -> Trust Association
- On the Trust Association page, make sure that the Enable Trust Association check box is checked; if it is, click Interceptors
- On the Interceptors page you should see a com.ibm.portal.auth.tai.HTTPBasicAuthTAI link; click it to open the details page
As you can see, by default /wps/myportal/* is blocked and /wps/mycontenthandler is open. I will keep it as it is and test basic authentication with /wps/mycontenthandler.
In my case I did not change the default TAI settings, so I tested Basic Authentication by going to the http://localhost:10039/wps/mycontenthandler URL in the browser, and I got prompted for a user ID and password in the native browser window. This is the response that the browser got; you can see it is 401 Authentication required.
Once I entered the authentication information and clicked submit, the browser took the user ID and password that I entered and submitted them; thereafter, every time I navigate to any page, it submits the same login information.
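The responsibility rule from the start of this post, together with the 401 challenge and credential handling seen in the test, can be modeled to check which requests a given list configuration would hand to the TAI. This is an added example, not IBM's code: the configuration keys, function names, sample header and glob-style pattern matching are all assumptions made for illustration.

```python
import base64
import binascii
from fnmatch import fnmatchcase

# Constructed configuration modeled on the defaults described above.
# Key names and glob matching (with a trailing * added) are assumptions.
CONFIG = {
    "url_black": ["/wps/myportal/*"],
    "url_white": ["/wps/mycontenthandler*"],
    "agent_black": [],
    "agent_white": [],
}
# Constructed header: base64 of "alice:pa:ss" (the password contains a colon).
SAMPLE_HEADER = "Basic YWxpY2U6cGE6c3M="

def matches_any(patterns, value):
    return any(fnmatchcase(value, p) for p in patterns)

def is_responsible(cfg, url, user_agent):
    """No black list pattern matches AND at least one white list pattern matches."""
    if matches_any(cfg["url_black"], url) or matches_any(cfg["agent_black"], user_agent):
        return False
    return matches_any(cfg["url_white"], url) or matches_any(cfg["agent_white"], user_agent)

def parse_basic(header):
    """Return (user, password) from a Basic Authorization header, else None."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # malformed token: treat as "no credentials supplied"
    user, sep, password = decoded.partition(":")  # split on the FIRST colon only
    return (user, password) if sep and user else None

def decide(cfg, url, user_agent, authorization=None):
    """Model the per-request outcome as (action, detail)."""
    if not is_responsible(cfg, url, user_agent):
        return ("skip", None)        # request is left to other login mechanisms
    creds = parse_basic(authorization)
    if creds is None:
        return ("challenge", 401)    # browser shows its native login prompt
    return ("login", creds[0])       # TAI would attempt a logon as this user
```

The header is only base64-encoded and, as seen in the test above, the browser resends it on every request, so any URL this rule hands to the TAI should be served over HTTPS only.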
Hi Sunil, how do we register a custom TAI on WebSphere? I'm on WAS7.
Just go to Global Security. Under Web and SIB security go to Trust associates. Click Interceptors. Add new. Specify the fully qualified class name of your TAI.
Put the jar file of your custom TAI in your /lib/ext folder.
Hi Sunil,
I have implemented a custom TAI.
    public TAIResult negotiateValidateandEstablishTrust(
            HttpServletRequest request, HttpServletResponse response)
            throws WebTrustAssociationFailedException {
        String samlResponse = request.getParameter("SAMLResponse");
        Subject subject = createSubject(samlResponse, samlResponse,
                samlResponse);
        TAIResult taiResult = TAIResult.create(HttpServletResponse.SC_OK, "notused",
                subject);
        if (samlResponse.equals("Y")) {
            System.out.println("YYYYYYYYYYYYYY");
            taiResult = TAIResult.create(HttpServletResponse.SC_OK, "test1234");
        }
        System.out.println("authenticated taiResult " + taiResult.getAuthenticatedPrincipal());
        System.out.println("subject taiResult " + taiResult.getSubject());
        return taiResult;
    }

    private Subject createSubject(String userid, String uniqueid,
            String key) {
        Subject subject = new Subject();
        Hashtable hashtable = new Hashtable();
        hashtable.put(AttributeNameConstants.WSCREDENTIAL_UNIQUEID, uniqueid);
        hashtable.put(AttributeNameConstants.WSCREDENTIAL_SECURITYNAME, userid);
        System.out.println("Subject cache key is " + key);
        hashtable.put(AttributeNameConstants.WSCREDENTIAL_CACHE_KEY, key);
        subject.getPublicCredentials().add(hashtable);
        //AttributeNameConstants.
        String word1 = userid.toUpperCase();
        System.out.println("TAI using word " + word1);
        return subject;
    }
But when I access the authenticated resource, I am getting an empty page without the theme.