IBM® WebSphere® Portal provides an HTTP Basic Authentication Trust Association Interceptor that can be enabled to allow specific clients to log into the portal by using HTTP Basic Authentication instead of HTTP Form Based Authentication.
HTTP Basic Authentication has two main disadvantages compared to HTTP form based authentication:
- With HTTP Basic Authentication, the Web client sends the user ID and password used for authentication with each individual request to the IBM® WebSphere® Application Server. This typically requires transport layer security (SSL) for all portal related network traffic; otherwise the user password is exposed on the network. With HTTP form based authentication, by contrast, it can be sufficient to use transport layer security only for the user login flow.
- With HTTP Basic Authentication the Web client sends the user credentials with each request, so users cannot log out from the portal except by completely closing the Web client. For example, if a user logs out of the portal and leaves the browser open, another user might be able to access pages that the first user visited previously.
The HTTP Basic Authentication Trust Association Interceptor
The HTTP Basic Authentication Trust Association Interceptor (TAI) can be used to authenticate incoming requests using the HTTP Basic Authentication protocol.
If the HTTP Basic Authentication TAI is enabled, it decides on every incoming request whether it is responsible for the authentication of that request. This decision is based on black lists and white lists for the requested URL and for the client's User-Agent header. The TAI is responsible only if none of the patterns in the black lists match and at least one of the patterns in one of the white lists matches. Therefore, if the TAI is configured with empty white lists, it never authenticates a request.
If the TAI decides to authenticate the request and the request contains an Authorization header with a user ID and password, the TAI tries to log on with that credential. If no user ID and password are provided, the TAI challenges the client according to RFC 2617.
| Property Name | Description |
|---|---|
| enabled | If you set this property to true, the TAI authenticates requests. If you set this property to false, the TAI does not authenticate requests. |
| loginTarget | Use this property to specify the alias of the JAAS login configuration that is used by the TAI. The default value is Portal_LTPA. With this default, the TAI uses the same JAAS login configuration as the one used by portal HTTP form based login. |
| authenticationRealm | The TAI challenges the client to authenticate against this realm. The default is WPS. With this default, the TAI uses the same authentication realm name as the one used by portal HTTP form based login. |
| userAgentBlackList | Use this property to specify a list of patterns for which you do not want the TAI to handle the requests. Separate the patterns by whitespace. Every product name in the HTTP header field User-Agent of an incoming request is compared with each of the patterns specified for this property. If the TAI is enabled and at least one product name matches one of the patterns specified for the userAgentBlackList property, the TAI does not handle the request. |
| urlBlackList | Default: /wps/myportal*. Use this property to specify a list of patterns for which you do not want the TAI to handle the requests. Separate the patterns by whitespace. The full path information of the URL of the incoming request is compared with each of the patterns specified for this property. Before the URL is compared to the patterns, the protocol, server, port, and query information is removed from it. If the TAI is enabled and the URL matches at least one of the patterns specified for the urlBlackList property, the TAI does not handle the request. |
| userAgentWhiteList | Use this property to specify a list of patterns for which you want the TAI to handle the requests. Separate the patterns by whitespace. Every product name in the HTTP header field User-Agent of the incoming request is compared with each of the patterns specified for this property. If the TAI is enabled, at least one pattern specified for this property matches, and neither the userAgentBlackList nor the urlBlackList has a match, then the TAI handles the request. |
| urlWhiteList | Default: /wps/mycontenthandler*. Use this property to specify a list of patterns for which you want the TAI to handle the requests. Separate the patterns by whitespace. The full path information of the URL of the incoming request is compared with each of the patterns specified for this property. Before the URL is compared to the patterns, the protocol, server, port, and query information is removed from it. If the TAI is enabled, at least one pattern specified for this property matches, and neither the userAgentBlackList nor the urlBlackList has a match, then the TAI handles the request. |
| useRegExp | Use this property to determine whether the patterns that you specified for the black list and white list properties above are interpreted as Java regular expressions. Possible values are true or false. The default value is false. |
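The decision logic described above (black lists win, an empty white list never selects a request, URL reduced to its path, RFC 2617 challenge when no credential is sent), reimplemented as an added example in Python; this is not IBM's TAI code. It assumes that with useRegExp=false a "*" in a pattern is a shell-style wildcard, that User-Agent product names are the whitespace-separated tokens outside parenthesised comments, and that the configuration is a plain dictionary keyed by the property names from the table.

```python
import base64
import re
from fnmatch import fnmatchcase
from urllib.parse import urlsplit


def matches_any(value, patterns, use_regexp):
    # Patterns are whitespace separated. Assumption: with useRegExp=false a
    # "*" is a shell-style wildcard; with useRegExp=true each pattern is a
    # regular expression that must match the whole value.
    return any(re.fullmatch(p, value) if use_regexp else fnmatchcase(value, p)
               for p in patterns.split())


def user_agent_products(user_agent):
    # Product tokens are the whitespace-separated items outside "(...)" comments,
    # e.g. "Mozilla/5.0 (X11; Linux) Gecko/20100101" -> ["Mozilla/5.0", "Gecko/20100101"]
    return re.sub(r"\([^)]*\)", " ", user_agent or "").split()


def tai_handles_request(cfg, url, user_agent):
    """True only if no black-list pattern matches and at least one white-list
    pattern matches; empty white lists therefore never select a request."""
    if cfg.get("enabled", "false").lower() != "true":
        return False
    use_re = cfg.get("useRegExp", "false").lower() == "true"
    path = urlsplit(url).path          # protocol, server, port, query removed
    products = user_agent_products(user_agent)

    def ua_match(key):
        return any(matches_any(p, cfg.get(key, ""), use_re) for p in products)

    if matches_any(path, cfg.get("urlBlackList", ""), use_re) or ua_match("userAgentBlackList"):
        return False
    return matches_any(path, cfg.get("urlWhiteList", ""), use_re) or ua_match("userAgentWhiteList")


def credentials_or_challenge(cfg, headers):
    """Return ("login", user, password) from a Basic Authorization header, or the
    RFC 2617 challenge ("challenge", 'Basic realm="<authenticationRealm>"')."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() == "basic" and token:
        try:
            user, _, password = base64.b64decode(token, validate=True).decode().partition(":")
            return ("login", user, password)
        except (ValueError, UnicodeDecodeError):
            pass                        # malformed header: fall through to the challenge
    return ("challenge", 'Basic realm="%s"' % cfg.get("authenticationRealm", "WPS"))
```

The second function only extracts the credential or builds the WWW-Authenticate value; the actual logon against the loginTarget JAAS configuration is outside this example.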