After sharing a strategy for a poor-man’s SSO solution last month (Logging-in from another application (poor man’s SSO)) I got into contact with one of my readers asking for similar functionality. As i helped t hem pro bono, i figured i could share the proof of concept, additionally giving insight in how to create a TAI.
The problem:
We want a certain Content Navigator Desktop to be accesible by everyone. If a person is not already authenticated, he should be authenticated as ‘guest’.
The solution:
A Trusted Association Interceptor, that intercepts url’s with a specific format (containing desktop=guest) and authenticates any un-authenticated users’s as guest.
The source can be found here, a compiled jar here.
Instructions:
1. Make sure the TAI.jar is loaded in WAS.
This can be done by placing it in the AppServer\lib\ext folder, or even better, by attaching the jar via a shared-library.
2. Configure the TAI
In the wasadmin (ibm/console) go to Security -> Global Security -> Trust association.
Check ” Enable trust association” and configure the following interceptor:
Interceptor class-name: nl.ivojonker.icn.samples.GuestDesktopSSOLogin
Properties:
urlRegexPattern: <a pattern that will match the TAI to an url> – e.g.; http.*9080.*desktop=guest
guestDN = <The guest account> e.g.: CN=GuestUser,CN=Users,DC=DEVELOPMENT,DC=LOCAL
3. Reboot websphere
These kind of changes require a websphere reboot.
Next: Access your guest desktop, without logging in and observe you’ll be entering as guest 🙂
Cheers!
Hi Ivo Jonker. I tried the procedure given bt you, but SSO is not working for me.
This is procedure I followed. Please let me know any additional steps are needed for this or not
1) Created a new desktop called SSO in ICN
2) Copied the GuestDesktopSSOLogin.jar into the AppServer\lib\ext folder
3) In the wasadmin (ibm/console) go to Security -> Global Security -> Trust association.
Check ” Enable trust association” and configure the following interceptor:
Interceptor class-name: nl.ivojonker.icn.samples.GuestDesktopSSOLogin
Properties:
urlRegexPattern: http.*9081.*desktop=SSO
guestDN : CN=p8admin,OU=FileNet,DC=internal,DC=com
Accessed the SSO desktop but it is still asking or User name and password and not logging with use p8admin.
Please advice what might be wrong.
Thanks in advance
Hi Amit,
Thanks a lot for your reply! It sounds like everything was done right, so i’m guessing that Content Navigator isn’t running with container-managed security.
In order for websphere to manage the authentication for an application, the application needs to allow itself to have security managed by the ‘container’ (Websphere).
Could you try to redeploy the navigator.war, but with “Application server form-based authentication” ? (This can be done via the Configuration Manager and is part of the step ‘ Configure the IBM Content Navigator Web Application’). Note that after configuring you’d need to deploy as well.