Trust associations

Trust association enables the integration of WebSphere® Application Server security and third-party security servers. Demand for an integrated configuration is compelling, especially when a single product cannot meet all of the needs of a specific web environment or when migration is not a viable solution.

When you use trust association, the third-party security server authenticates the user, then WebSphere Application Server can authorize the user and take advantage of its fine-grained access control.

Example uses of trust association are web single sign-on (SSO) and reverse proxy. Examples of web SSO are SAML web SSO and OpenID Connect (OIDC). For reverse proxy, a reverse proxy server acts as a front-end authentication server and forwards credentials to WebSphere Application Server in the form of a header that a trust association interceptor (TAI) can consume. In the web SSO scenario, the TAI is directly involved in the authentication process. In either case, after the TAI authentication is complete, WebSphere Application Server then applies its authorization policy onto the resulting credentials.

Authentication and authorization with Trust Association Interceptors

When trust association is enabled, WebSphere Application Server invokes the initialize method for each configured TAI during server startup. Whenever the initialized server receives a web request for a URL that has a security-constraint with a role-requirement, the server invokes the isTargetInterceptor method for each TAI. This method determines which TAI can service the request. If all of the isTargetInterceptor methods return false, web authentication proceeds through the standard Java EE flow. When an isTargetInterceptor method returns true, the server invokes the negotiateValidateandEstablishTrust method for the TAI so that the TAI can attempt to authenticate the request.

After a successful authentication, the WebSphere Application Server authorization proceeds in the same manner as a Java EE web login. The username and any group names are evaluated against the security role to user or group mappings within the application configuration. If a match is found, the Subject is mapped to the matched role. The server can then determine whether the Subject has the required role for the requested URL.

Trust association interceptor interface

The intent of the trust association interceptor interface is to allow interceptors to perform authentication, while WebSphere Application Server enforces authorization and further fine-grained access control. The interceptor can be a web SSO or reverse proxy client. The trust association interface is com.ibm.wsspi.security.tai.TrustAssociationInterceptor.
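As an added example that is not IBM's code or any interceptor shipped with WebSphere Application Server, the following hypothetical reverse-proxy TAI implements the com.ibm.wsspi.security.tai.TrustAssociationInterceptor interface named above and walks through the lifecycle described under "Authentication and authorization with Trust Association Interceptors": initialize at startup, isTargetInterceptor on each protected request, and negotiateValidateandEstablishTrust when the interceptor claims the request. The class name, the header names (X-Proxy-User, X-Proxy-Secret) and the custom property names (userHeader, secretHeader, sharedSecret) are assumptions chosen for the example.

```java
package com.example.tai; // hypothetical package for this example

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Properties;
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.ibm.websphere.security.WebTrustAssociationException;
import com.ibm.websphere.security.WebTrustAssociationFailedException;
import com.ibm.wsspi.security.tai.TAIResult;
import com.ibm.wsspi.security.tai.TrustAssociationInterceptor;

/**
 * Reverse-proxy TAI: trusts a user name supplied in a request header only when the
 * request also carries a shared secret that the reverse proxy adds and clients never see.
 * Header and property names below are assumptions for this example.
 */
public class ProxyHeaderTAI implements TrustAssociationInterceptor {

    // Only accept user names that look like registry identifiers, not free-form text.
    private static final Pattern USER_NAME = Pattern.compile("^[A-Za-z0-9._@-]{1,128}$");

    private String userHeader;
    private String secretHeader;
    private byte[] expectedSecret;

    /** Called once at server startup with the interceptor's custom properties. */
    @Override
    public int initialize(Properties props) throws WebTrustAssociationFailedException {
        userHeader = props.getProperty("userHeader", "X-Proxy-User");
        secretHeader = props.getProperty("secretHeader", "X-Proxy-Secret");
        String secret = props.getProperty("sharedSecret");
        if (secret == null || secret.isEmpty()) {
            // Refuse to start without a secret: an unauthenticated header would otherwise be trusted.
            throw new WebTrustAssociationFailedException("sharedSecret custom property is required");
        }
        expectedSecret = secret.getBytes(StandardCharsets.UTF_8);
        return 0; // 0 signals successful initialization
    }

    /** Claim the request only if the proxy's user header is present. */
    @Override
    public boolean isTargetInterceptor(HttpServletRequest req) throws WebTrustAssociationException {
        return req.getHeader(userHeader) != null;
    }

    /** Validate the proxy's secret, then hand the user name to WebSphere for Subject creation. */
    @Override
    public TAIResult negotiateValidateandEstablishTrust(HttpServletRequest req, HttpServletResponse resp)
            throws WebTrustAssociationFailedException {
        String presented = req.getHeader(secretHeader);
        if (presented == null
                || !MessageDigest.isEqual(presented.getBytes(StandardCharsets.UTF_8), expectedSecret)) {
            // Header present but no valid proxy secret: the request did not come through the proxy.
            return TAIResult.create(HttpServletResponse.SC_FORBIDDEN);
        }
        String user = req.getHeader(userHeader);
        if (!USER_NAME.matcher(user).matches()) {
            return TAIResult.create(HttpServletResponse.SC_FORBIDDEN);
        }
        // SC_OK plus a principal name: WebSphere resolves it against the configured user registry,
        // which supplies the group memberships used for role mapping.
        return TAIResult.create(HttpServletResponse.SC_OK, user);
    }

    @Override
    public String getVersion() {
        return "1.0";
    }

    @Override
    public String getType() {
        return getClass().getName();
    }

    @Override
    public void cleanup() {
        // nothing to release in this example
    }
}
```

The custom properties read in initialize are the ones an administrator sets on the interceptor entry in the server's trust association configuration. The shared-secret check is what keeps a client that reaches the application server directly from asserting an identity by setting X-Proxy-User itself; it only holds if the proxy strips any client-supplied copy of both headers and the application server accepts traffic from the proxy alone, neither of which the TAI can verify on its own, so both belong in the deployment review.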