After sharing a strategy for a poor-man’s SSO solution last month (Logging-in from another application (poor man’s SSO)) I got into contact with one of my readers asking for similar functionality. As I helped them pro bono, I figured I could share the proof of concept, additionally giving insight into how to create a TAI.
We want a certain Content Navigator Desktop to be accessible to everyone. If a person is not already authenticated, they should be authenticated as ‘guest’.
A Trusted Association Interceptor (TAI) that intercepts URLs with a specific format (containing desktop=guest) and authenticates any unauthenticated users as guest.
1. Make sure the TAI.jar is loaded in WAS.
This can be done by placing it in the AppServer\lib\ext folder, or even better, by attaching the jar via a shared library.
2. Configure the TAI
In the wasadmin (ibm/console) go to Security -> Global Security -> Trust association.
Check “Enable trust association” and configure the following interceptor:
Interceptor class-name: nl.ivojonker.icn.samples.GuestDesktopSSOLogin
urlRegexPattern: <a pattern that will match the TAI to a URL>, e.g. http.*9080.*desktop=guest
guestDN: <the guest account>, e.g. CN=GuestUser,CN=Users,DC=DEVELOPMENT,DC=LOCAL
3. Reboot WebSphere
These kinds of changes require a WebSphere reboot.
Next: access your guest desktop without logging in, and observe that you enter as guest 🙂
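To show the shape of such an interceptor, here is an added sketch built on WebSphere's `TrustAssociationInterceptor` interface; it is not the author's `GuestDesktopSSOLogin` class. The package and class names are hypothetical, the two property names come from the configuration above, and whole-URL matching is an assumption about how the pattern is applied.

```java
package example.tai; // hypothetical package name

import java.util.Properties;
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.ibm.websphere.security.WebTrustAssociationException;
import com.ibm.websphere.security.WebTrustAssociationFailedException;
import com.ibm.wsspi.security.tai.TAIResult;
import com.ibm.wsspi.security.tai.TrustAssociationInterceptor;

public class GuestDesktopTaiSketch implements TrustAssociationInterceptor {
    private Pattern urlPattern;
    private String guestDN;

    // Called once with the custom properties entered in the admin console.
    public int initialize(Properties props) throws WebTrustAssociationFailedException {
        String regex = props.getProperty("urlRegexPattern");
        guestDN = props.getProperty("guestDN");
        if (regex == null || guestDN == null || guestDN.trim().isEmpty()) {
            // Refuse to start half-configured rather than guess a principal.
            throw new WebTrustAssociationFailedException("urlRegexPattern and guestDN are required");
        }
        urlPattern = Pattern.compile(regex);
        return 0; // 0 signals successful initialisation
    }

    // Decides whether this interceptor handles the request at all.
    public boolean isTargetInterceptor(HttpServletRequest req) throws WebTrustAssociationException {
        StringBuffer url = req.getRequestURL();
        if (req.getQueryString() != null) {
            url.append('?').append(req.getQueryString());
        }
        // matches() requires the whole URL to fit the pattern (assumed semantics);
        // everything else falls through to the normal login.
        return urlPattern.matcher(url).matches();
    }

    // Asserts the configured guest identity for requests selected above.
    public TAIResult negotiateValidateandEstablishTrust(HttpServletRequest req, HttpServletResponse resp)
            throws WebTrustAssociationFailedException {
        return TAIResult.create(HttpServletResponse.SC_OK, guestDN);
    }

    public String getVersion() { return "1.0"; }
    public String getType() { return getClass().getName(); }
    public void cleanup() { }
}
```

Since the interceptor asserts an identity without checking any credential, the URL pattern and the rights granted to the guest account are the only controls on what an anonymous visitor can reach.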