TAI subject creation by using TAIResult
The com.ibm.wsspi.security.tai.TrustAssociationInterceptor trust association interceptor (TAI) interface supports a multiphase, negotiated authentication process. For example, some systems require a challenge-response protocol back to the client. The TrustAssociationInterceptor interface includes a method that is called negotiateValidateandEstablishTrust, which returns a TAIResult object. The TAIResult object indicates the status of the request processing.
The TAIResult class has three static methods for creating a TAIResult result. The TAIResult create methods take an int type as the first parameter. WebSphere® Application Server expects the result to be a valid HTTP request return code, which is interpreted in one of the following ways:
- If the value is HttpServletResponse.SC_OK, this response tells WebSphere Application Server that the TAI completed its negotiation. The response also tells WebSphere Application Server to use the information in the TAIResult result to create a user identity.
- Other values tell WebSphere Application Server to return the TAI output, which is placed into the HttpServletResponse response, to the web client. Typically, the web client provides additional information and then calls the TAI again.
The following table explains the meaning of the different TAIResult create methods.

| TAIResult create method | Explanation |
|---|---|
| public static TAIResult create(int status); | Indicates a status to WebSphere Application Server. The status cannot be SC_OK because no identity information is provided. |
| public static TAIResult create(int status, String principal); | Indicates a status to WebSphere Application Server and provides the user ID or the unique ID for this user. WebSphere Application Server creates credentials by querying the user registry. |
| public static TAIResult create(int status, String principal, Subject subject); | Indicates a status to WebSphere Application Server, the user ID or the unique ID for the user, and a custom Subject. If the Subject contains a hashtable, the principal is ignored. The contents of the Subject become part of the eventual user Subject. |
The following examples show ways that you can create a TAIResult object to return from the negotiateValidateandEstablishTrust method in your TAI. The following code sample indicates that additional negotiation is required.

```java
// Modify the HttpServletResponse object
// The response code is meaningful only on the client
return TAIResult.create(HttpServletResponse.SC_CONTINUE);
```
The following code sample indicates that the TAI determined the user identity. WebSphere Application Server receives the user ID only and queries the user registry for additional information.

```java
// Modify the HttpServletResponse object
return TAIResult.create(HttpServletResponse.SC_OK, userid);
```
The following code sample indicates that the TAI determined the user identity. WebSphere Application Server receives the complete user information that is contained in the hashtable. For more information about the hashtable, see Configuring inbound identity mapping. In this code sample, the hashtable is placed in the public credential portion of the Subject.

```java
// hashtable holds the user attributes described in Configuring inbound identity mapping
Hashtable<String, Object> hashtable = new Hashtable<>();
// Create the Subject and place the Hashtable in it
Subject subject = new Subject();
subject.getPublicCredentials().add(hashtable);
// The response code is meaningful only on the client
// The principal argument is ignored because the Subject contains a hashtable
return TAIResult.create(HttpServletResponse.SC_OK, "ignored", subject);
```
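As an added example that is not part of the original topic, the following skeleton TAI, written for this article, shows all three kinds of TAIResult return from one negotiateValidateandEstablishTrust method: a challenge when no token is present, a rejection with no identity, and an SC_OK result that carries a Subject with a hashtable. The header name X-Example-Token, the custom property expectedToken, the constant user identity and the AttributeNameConstants hashtable keys are assumptions (the keys follow the inbound identity mapping topic, not this page); the constant-time comparison stands in for real token validation.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Hashtable;
import java.util.Properties;
import javax.security.auth.Subject;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.ibm.websphere.security.WebTrustAssociationException;
import com.ibm.websphere.security.WebTrustAssociationFailedException;
import com.ibm.wsspi.security.tai.TAIResult;
import com.ibm.wsspi.security.tai.TrustAssociationInterceptor;
import com.ibm.wsspi.security.token.AttributeNameConstants;
// Hypothetical two-phase TAI: the client must present a token in the X-Example-Token header.
public class ExampleTokenTAI implements TrustAssociationInterceptor {
    private static final String HEADER = "X-Example-Token";   // hypothetical header name
    private byte[] expectedToken;                             // loaded from TAI custom properties

    public int initialize(Properties props) throws WebTrustAssociationFailedException {
        String t = props.getProperty("expectedToken");        // hypothetical custom property
        if (t == null) throw new WebTrustAssociationFailedException("expectedToken not configured");
        expectedToken = t.getBytes(StandardCharsets.UTF_8);
        return 0;                                             // 0 means initialization succeeded
    }
    public boolean isTargetInterceptor(HttpServletRequest req) throws WebTrustAssociationException { return true; }
    public TAIResult negotiateValidateandEstablishTrust(HttpServletRequest req, HttpServletResponse resp)
            throws WebTrustAssociationFailedException {
        String token = req.getHeader(HEADER);
        if (token == null) {
            // Phase 1: no token yet. A status other than SC_OK sends this response back to the client.
            resp.setHeader("WWW-Authenticate", "ExampleToken");
            return TAIResult.create(HttpServletResponse.SC_UNAUTHORIZED);
        }
        // Constant-time comparison; a real TAI would verify a signature, expiry and audience instead.
        if (!MessageDigest.isEqual(token.getBytes(StandardCharsets.UTF_8), expectedToken)) {
            return TAIResult.create(HttpServletResponse.SC_FORBIDDEN);   // status only, no identity
        }
        // Phase 2: build the hashtable that inbound identity mapping consumes (constructed identity).
        Hashtable<String, Object> h = new Hashtable<>();
        h.put(AttributeNameConstants.WSCREDENTIAL_UNIQUEID, "user:exampleRealm/uid=alice");
        h.put(AttributeNameConstants.WSCREDENTIAL_SECURITYNAME, "alice");
        h.put(AttributeNameConstants.WSCREDENTIAL_GROUPS, new ArrayList<>(Arrays.asList("group:exampleRealm/cn=staff")));
        Subject subject = new Subject();
        subject.getPublicCredentials().add(h);
        return TAIResult.create(HttpServletResponse.SC_OK, "ignored", subject);  // principal is ignored
    }
    public String getVersion() { return "1.0"; }
    public String getType() { return getClass().getName(); }
    public void cleanup() {}
}
```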