Thursday, April 16, 2009

Building a Custom Trust Association Interceptor for WebSphere Portal, Part II

In Part I, we looked at the code for building a simple SSO Trust Association Interceptor for WebSphere Portal. This part explains the general steps for installing the TAI on the application server.

The following steps describe how to install a custom Trust Association Interceptor for WebSphere.

1.) Develop a class that implements TrustAssociationInterceptor
  • The fully qualified name of the interface for WebSphere is com.ibm.wsspi.security.tai.TrustAssociationInterceptor
  • The interface also declares getVersion, getType and cleanup, but the three methods that carry the logic are:
    • initialize: called once at startup with the interceptor's custom properties; initializes the TAI
    • isTargetInterceptor: determines whether this TAI should be the one to check Trust Association for the requested resource (return false to let other authentication handle the request)
    • negotiateValidateandEstablishTrust: does the actual checking to decide whether we can create the custom TAI Subject that is passed to the underlying protected resource. Whatever credential this method trusts (a header, a cookie, a token) must be something only your front-end can supply, otherwise any client can forge an identity.
2.) Add the following libraries (from the server's lib directory) to the build path - for development purposes only; the project will have compilation errors without them, but do not package them into your TAI jar, the server already provides them
  • sas.jar
  • wssec.jar
3.) Export the jar
  • It needs to be installed in the lib/ext directory under the WebSphere install root (e.g. <WAS_HOME>/lib/ext) on every node of the cell
  • Any other jar files the TAI depends on should be placed in <WAS_HOME>/lib on the same nodes
4.) Configure the TAI in the administrative console (on the Deployment Manager in a Network Deployment cell)
  • Security > Authentication Mechanisms > LTPA > Trust Association > Interceptors (in WebSphere 6.1 the page moved under Secure administration, applications, and infrastructure > Web security > Trust association)
  • Make sure "Enable trust association" is checked on the Trust Association page, or no interceptor is ever consulted
  • Choose to create a new Interceptor
  • Enter the fully qualified class name of the Interceptor class (package + class name)
  • Add any custom properties the initialize method expects
  • Apply, then OK, and save the configuration to the master repository
5.) Enable security on both WebSphere Application Server and WebSphere Portal (if this hasn't been done yet). Application security in particular must be on: a TAI only runs as part of web authentication, which is skipped when application security is disabled.

6.) Restart all nodes

On startup you should see a message in the server log (SystemOut.log) indicating that the new TAI class was loaded; if instead it reports that the class could not be loaded, check that the jar is on every node and that no duplicate copy sits elsewhere on the classpath.
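As an added example that is not the Part I code and not part of WebSphere itself, here is a complete interceptor implementing all six methods of the interface. It assumes a front-end proxy that has already authenticated the user and forwards the user id in one header and a shared secret in another; the secret is what makes the user header trustworthy. The class name, package and the custom property names (sso.userHeader, sso.secretHeader, sso.secret) are this example's own convention, set on the interceptor under step 4.

```java
package com.example.sso; // assumed package; use your own

import java.util.Properties;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.ibm.websphere.security.WebTrustAssociationException;
import com.ibm.websphere.security.WebTrustAssociationFailedException;
import com.ibm.wsspi.security.tai.TAIResult;
import com.ibm.wsspi.security.tai.TrustAssociationInterceptor;

/**
 * Header-based SSO interceptor (example, not IBM code).
 *
 * Custom properties (names are this example's convention):
 *   sso.userHeader    header carrying the authenticated user id (default X-SSO-User)
 *   sso.secretHeader  header carrying the shared secret          (default X-SSO-Secret)
 *   sso.secret        the secret value the proxy must present   (required)
 */
public class HeaderSsoInterceptor implements TrustAssociationInterceptor {

    private String userHeader;
    private String secretHeader;
    private char[] secret;

    /** Called once at startup with the interceptor's custom properties; 0 means success. */
    public int initialize(Properties props) throws WebTrustAssociationFailedException {
        userHeader = props.getProperty("sso.userHeader", "X-SSO-User");
        secretHeader = props.getProperty("sso.secretHeader", "X-SSO-Secret");
        String s = props.getProperty("sso.secret");
        if (s == null || s.length() == 0) {
            // Fail closed: without a secret the user header could be forged by any client.
            throw new WebTrustAssociationFailedException("sso.secret custom property is not set");
        }
        secret = s.toCharArray();
        return 0;
    }

    /** Claim the request only when both headers are present; otherwise other authentication runs. */
    public boolean isTargetInterceptor(HttpServletRequest req) throws WebTrustAssociationException {
        return req.getHeader(userHeader) != null && req.getHeader(secretHeader) != null;
    }

    /** Validate the shared secret and, if it matches, assert the user id from the header. */
    public TAIResult negotiateValidateandEstablishTrust(HttpServletRequest req, HttpServletResponse resp)
            throws WebTrustAssociationFailedException {
        String presented = req.getHeader(secretHeader);
        String user = req.getHeader(userHeader);
        if (presented == null || user == null || !constantTimeEquals(presented.toCharArray(), secret)) {
            return TAIResult.create(HttpServletResponse.SC_FORBIDDEN);
        }
        // Only accept a plain user id: no whitespace, separators or control characters,
        // so a crafted header cannot smuggle a different principal or registry syntax.
        if (!user.matches("[A-Za-z0-9._@-]{1,128}")) {
            return TAIResult.create(HttpServletResponse.SC_FORBIDDEN);
        }
        // WebSphere looks this principal up in the configured user registry and builds the Subject.
        return TAIResult.create(HttpServletResponse.SC_OK, user);
    }

    /** Compare in constant time so response timing does not leak the secret character by character. */
    static boolean constantTimeEquals(char[] a, char[] b) {
        if (a.length != b.length) {
            return false;
        }
        int diff = 0;
        for (int i = 0; i < a.length; i++) {
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }

    public String getVersion() {
        return "1.0";
    }

    public String getType() {
        return getClass().getName();
    }

    public void cleanup() {
        secret = null;
    }
}
```

Two deployment caveats go with this design: the proxy must strip X-SSO-User and X-SSO-Secret from incoming client requests before adding its own, and the application server should only be reachable through that proxy (or should additionally check the remote address), otherwise the secret is the only thing standing between a client and any identity it chooses. Rejecting with SC_FORBIDDEN rather than returning false from isTargetInterceptor means a request that presents the SSO headers but fails validation is refused outright instead of falling through to other login mechanisms.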

7 comments:

  1. you have no idea how much this helped me.

    Thanks x100000

  2. Hi,

    Thank you very much for your guide. I developed an interceptor reading it, but I have a serious problem because we can't install it in WebSphere. We copy the jar with the interceptor in the node in which the interceptor is necessary (in the path /lib/ext). In the log this error appears: " Trust Association Init Unable to load Trust Association class es.ceca.mir.CECAInterceptor." And in another log this is the error: java.lang.NoClassDefFoundError: com.ibm.wsspi.security.tai.TrustAssociationInterceptor. We don't understand. Do you think that we have to copy the jar to all nodes? Any idea about this error?

    Thank you

  3. I believe (and it's been a while) that you need the jar on all nodes. When I did this it was for WebSphere 5.1.x, and the interface was in the wssec.jar. I believe WebSphere comes with a couple of TAIs configured in the security, so that's my guess on the jar needing to be on all nodes.

  4. Hi,

    Thank you for your help. We copied the jar file to /usr/IBM/WebSphere/AppServer/lib/ext/, and we added the interceptor to the interceptor list in the WebSphere Administration Console, and the error is always the same. We tried to copy the jar to the path /usr/IBM/WebSphere/AppServer/java/jre/lib/ext/, and the error is the same. The version of WebSphere is 6.1.

    We don't understand the problem, because we are following all the steps and it doesn't work.

    Thank you

  5. Off the top of my head, I would try looking at 2 things:

    1. User permissions on the jars in that directory
    2. Whether there is a duplicate jar in the directory/on the classpath that's causing a conflict.

    Let me know if that works.

  6. Thank you for your help. Finally, WebSphere loads the Interceptor; the problem has changed and now the Interceptor doesn't work. The WebSphere administrators have restored the initial security configuration, and for this the Interceptor is loaded. But "Application security" is not checked in the security configuration of WebSphere, and probably this is the problem. What do you think?

    Thanks again

  7. I would also check to make sure you've declared the page you're trying to hit as protected.