Developing a custom TAI for Liberty

You can develop a custom trust association interceptor (TAI) class by implementing the com.ibm.wsspi.security.tai.TrustAssociationInterceptor interface provided in the Liberty server.

About this task

The trust association interface is a service provider API that enables the integration of third-party security services with a Liberty server. When processing the web request, the Liberty server calls out and passes the HttpServletRequest and HttpServletResponse to the trust association interceptors. The HttpServletRequest calls the isTargetInterceptor method of the interceptor to see whether the interceptor can process the request. After an appropriate trust association interceptor is selected, the HttpServletRequest is processed by the negotiateValidateandEstablishTrust method of the interceptor, and the result is returned in a TAIResult object. You can add your own logic code to each method of the custom TAI class.

See also the Java™ API document for the TAI interface. The Java API documentation for each Liberty API is detailed in the Programming interfaces (Javadoc) section of the online IBM® documentation, and is also available as a separate .zip file in one of the javadoc subdirectories of the ${wlp.install.dir}/dev directory.

Distributed: [AIX MacOS Linux Windows]Avoid trouble: There are several security configuration examples on the Open Liberty website for reference when configuring security for your applications on Liberty. See Configuring TAI on Liberty by using developer tools.

Example

Here is a sample TAI class called SimpleTAI, which also lists all available methods from the TrustAssociationInterceptor interface.

package com.ibm.websphere.security.sample;

import java.util.Properties;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.ibm.websphere.security.WebTrustAssociationException;
import com.ibm.websphere.security.WebTrustAssociationFailedException;
import com.ibm.wsspi.security.tai.TAIResult;
import com.ibm.wsspi.security.tai.TrustAssociationInterceptor;

public class SimpleTAI implements TrustAssociationInterceptor {
   public SimpleTAI() {
      super();
   }

/*
 * @see com.ibm.wsspi.security.tai.TrustAssociationInterceptor#isTargetInterceptor
 * (javax.servlet.http.HttpServletRequest)
 */
   public boolean isTargetInterceptor(HttpServletRequest req)
                  throws WebTrustAssociationException {
      //Add logic to determine whether to intercept this request
      return true;
   }

/*
 * @see com.ibm.wsspi.security.tai.TrustAssociationInterceptor#negotiateValidateandEstablishTrust
 * (javax.servlet.http.HttpServletRequest,javax.servlet.http.HttpServletResponse)
 */
   public TAIResult negotiateValidateandEstablishTrust(HttpServletRequest req,
                    HttpServletResponse resp) throws WebTrustAssociationFailedException {
        // Add logic to authenticate a request and return a TAI result.
        String tai_user = "taiUser";
        return TAIResult.create(HttpServletResponse.SC_OK, tai_user);
    }

/*
 * @see com.ibm.wsspi.security.tai.TrustAssociationInterceptor#initialize(java.util.Properties)
 */
    public int initialize(Properties arg0)
                    throws WebTrustAssociationFailedException {
        return 0;
    }

/*
 * @see com.ibm.wsspi.security.tai.TrustAssociationInterceptor#getVersion()
 */
    public String getVersion() {
        return "1.0";
    }

/*
 * @see com.ibm.wsspi.security.tai.TrustAssociationInterceptor#getType()
 */
    public String getType() {
        return this.getClass().getName();
    }

/*
 * @see com.ibm.wsspi.security.tai.TrustAssociationInterceptor#cleanup()
 */
    public void cleanup()

    {}
}

What to do next

Add the TAI class to the Liberty server.

Use one of the following methods to add the TAI class to the Liberty server: