You can configure Liberty to integrate with a third-party security service by using a Trust
Association Interceptor (TAI). The TAI can be invoked before or after single sign-on
(SSO).
Before you begin
Make sure that you have already installed a third-party security server as a reverse proxy
server. The third-party security server can act as a front-end authentication server when the
Liberty server applies its own authorization policy onto the resulting credentials, which are passed
by the proxy server. You must also have a JAR file that contains the custom TAI class, which
implements the
com.ibm.wsspi.security.tai.TrustAssociationInterceptor interface.
Note: Liberty does not monitor this JAR file for changes.
About this task
A TAI validates HTTP requests that pass between a third-party security server and a Liberty
server. The TAI inspects the HTTP requests from the third-party security server to see whether they
contain any security attributes. If the TAI validates a request successfully, the Liberty server
authorizes the request by checking whether the client user has the required permission to access
the resources. Because Liberty trusts the identity that the TAI asserts, the TAI itself must verify
that a request really originated from the trusted proxy before it accepts any identity carried in
the request.
For more information about custom TAIs and SSO configuration with LTPA, see Developing a custom TAI for Liberty and Customizing SSO configuration using LTPA cookies in Liberty.
You can also use the developer tools to configure a TAI service.
For more information about the tools support, see Configuring TAI on Liberty by using developer tools.
Procedure
- Enable the appSecurity-2.0 Liberty
feature in the server.xml file.
<featureManager>
<feature>appSecurity-2.0</feature>
</featureManager>
- Deploy your applications to the Liberty server and enable the Liberty features that they require,
such as jsp-2.2 and jdbc-4.0.
- Place the TAI implementation library simpleTAI.jar in
your server directory.
- Update the server.xml file with the
TAI configuration options and location of the TAI implementation library.
In the following
server.xml file, the
custom TAI is enabled, is not invoked for unprotected URIs, and does not allow fallback
to the application's authentication method if the
TAI authentication fails. As shown in the
example, the following configuration elements are available for TAI
support:
- trustAssociation
- interceptors
- properties
<trustAssociation id="myTrustAssociation" invokeForUnprotectedURI="false"
failOverToAppAuthType="false">
<interceptors id="simpleTAI" enabled="true"
className="com.sample.SimpleTAI"
invokeBeforeSSO="true" invokeAfterSSO="false" libraryRef="simpleTAI">
<properties prop1="value1" prop2="value2"/>
</interceptors>
</trustAssociation>
<library id="simpleTAI">
<fileset dir="${server.config.dir}" includes="simpleTAI.jar"/>
</library>
...
Note: A property name cannot start with
a period (.), config., or service.
The property names id and ID are
not allowed.
Note: By default, the invokeBeforeSSO property
is set to true. With this setting, the TAI
is invoked even when a valid SSO token is
present. If the expected behavior is to invoke the TAI
only when the SSO token is invalid or not
present, set invokeBeforeSSO to false and
set invokeAfterSSO to true. With this setting, the TAI is invoked
only when the SSO token is not present or
is invalid, so requests that carry a valid token skip the TAI entirely. In some cases, this setup improves the
performance of your system.
For more information
about the <trustAssociation>, <interceptors> and <properties> elements,
see also **** MISSING FILE ****.
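The procedure above configures the TAI but leaves its behavior to the class named in className. The following class is an added example, not code from the page or from the Liberty product, of what a com.sample.SimpleTAI packaged in simpleTAI.jar could look like. It assumes that the reverse proxy adds two headers to every request it forwards, one carrying the authenticated user name and one carrying a shared secret, and that the &lt;properties&gt; element in server.xml supplies a proxySharedSecret property (and optionally userHeader and secretHeader) in place of prop1 and prop2; those header and property names are assumptions for this example, not part of the Liberty API. The security-relevant point is that the TAI checks the shared secret before it trusts the user header: a TAI that accepts a bare user header lets anyone who can reach the Liberty server directly, bypassing the proxy, impersonate any user.

```java
package com.sample;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Properties;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.ibm.websphere.security.WebTrustAssociationException;
import com.ibm.websphere.security.WebTrustAssociationFailedException;
import com.ibm.wsspi.security.tai.TAIResult;
import com.ibm.wsspi.security.tai.TrustAssociationInterceptor;

/**
 * Example TAI: accepts the user identity asserted by the reverse proxy only
 * after verifying the proxy's shared secret. The property and header names
 * below are assumptions made for this example, not Liberty-defined names.
 */
public class SimpleTAI implements TrustAssociationInterceptor {

    // Assumed property names, supplied through <properties .../> in server.xml.
    private static final String PROP_SECRET = "proxySharedSecret";
    private static final String PROP_USER_HEADER = "userHeader";
    private static final String PROP_SECRET_HEADER = "secretHeader";

    private byte[] sharedSecret;
    private String userHeader;
    private String secretHeader;

    @Override
    public int initialize(Properties props) throws WebTrustAssociationFailedException {
        String secret = props.getProperty(PROP_SECRET);
        if (secret == null || secret.isEmpty()) {
            // Refuse to start without a secret rather than silently trusting
            // the user header from any caller that reaches Liberty directly.
            throw new WebTrustAssociationFailedException(PROP_SECRET + " property is required");
        }
        sharedSecret = secret.getBytes(StandardCharsets.UTF_8);
        userHeader = props.getProperty(PROP_USER_HEADER, "X-Proxy-User");      // assumed default
        secretHeader = props.getProperty(PROP_SECRET_HEADER, "X-Proxy-Secret"); // assumed default
        return 0;
    }

    @Override
    public boolean isTargetInterceptor(HttpServletRequest req) throws WebTrustAssociationException {
        // Claim only requests that carry the proxy's secret header; all other
        // requests fall through to Liberty's own authentication mechanisms.
        return req.getHeader(secretHeader) != null;
    }

    @Override
    public TAIResult negotiateValidateandEstablishTrust(HttpServletRequest req, HttpServletResponse resp)
            throws WebTrustAssociationFailedException {
        String presented = req.getHeader(secretHeader);
        String user = req.getHeader(userHeader);
        if (presented == null || user == null || user.isEmpty()) {
            throw new WebTrustAssociationFailedException("missing proxy secret or user header");
        }
        // Constant-time comparison: a caller must not be able to recover the
        // secret byte by byte from differences in response timing.
        if (!MessageDigest.isEqual(sharedSecret, presented.getBytes(StandardCharsets.UTF_8))) {
            throw new WebTrustAssociationFailedException("proxy secret mismatch");
        }
        // Only the identity is asserted here. Liberty resolves it against its
        // configured user registry and then applies its own authorization policy.
        return TAIResult.create(HttpServletResponse.SC_OK, user);
    }

    @Override
    public String getVersion() { return "1.0"; }

    @Override
    public String getType() { return getClass().getName(); }

    @Override
    public void cleanup() { sharedSecret = null; }
}
```

With failOverToAppAuthType="false" as in the server.xml example, a WebTrustAssociationFailedException thrown from negotiateValidateandEstablishTrust ends the request as an authentication failure instead of falling back to the application's own login method. A shared-secret header is the simplest trust check; where the proxy can present a client certificate, verifying it with TLS client authentication on the Liberty endpoint is the stronger alternative.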