Friday, 9 January 2015

Enabling HTTP Basic Authentication In IBM WebSphere Portal Server


IBM® WebSphere® Portal provides an HTTP Basic Authentication Trust Association Interceptor that can be enabled to allow specific clients to log into the portal by using HTTP Basic Authentication instead of HTTP Form Based Authentication.

HTTP Basic Authentication has the following two main disadvantages compared to HTTP Form based authentication:

  • With HTTP Basic Authentication, the Web client sends the user ID and password information used for authentication with each individual request to the IBM® WebSphere® Application Server. This typically requires using transport layer security (SSL) for the complete portal related network traffic. Otherwise the user password is exposed on the network. Compared to this, when you use HTTP form based authentication, it can be sufficient that you use the transport layer security to cover only the user login flow.

  • With HTTP Basic authentication the Web client sends the user credentials with each request, therefore, users cannot log out from the portal except by completely closing the Web client. For example, if a user logs out of the portal and leave the browser open, another user might be able to access pages that the first user visited previously.

The HTTP Basic Authentication Trust Association Interceptor

The HTTP Basic Authentication Trust Association Interceptor (TAI) can be used to authenticate incoming requests using the HTTP Basic Authentication Protocol.

If the HTTP Basic Authentication TAI is enabled, it decides on every incoming request whether it is responsible for the authentication of that request or not. This decision is based on black and white lists for the requested URL and the client's user agent. The TAI is responsible only if none of the patterns in the black lists match and at least one of the patterns in one of the white lists match. Therefore, if the TAI is configured with empty white lists, it will never authenticate a request.


If the TAI decides to authenticate the request and that request contains an authorization header that contains a user ID and password, the TAI tries to log on with that credential. If no user ID and password is provided, the TAI will challenge the client according to RFC 2617.



Property Name
Description
enabled
If you set this property to true, the TAI authenticates requests. If you set this property to false, the TAI does not authenticate requests.
loginTarget
Use this property to specify the alias of the JAAS login configuration that is used by the TAI. The default value is Portal_LTPA. By this default, the TAI uses the same JAAS login configuration as the one that is used by portal HTTP form based login.
authenticationRealm
The TAI challenges the client to authenticate against this realm. The default is WPS. By this default, the TAI uses the same authentication realm name as the one that is used by portal HTTP form based login.
userAgentBlackList
Use this property to specify a list of patterns for which you do not want the TAI to handle the requests. Separate the patterns by whitespaces. Every product name in the HTTP header field User-Agent of incoming requests is compared with each of the patterns specified for this parameter. If the TAI is enabled and the URL matches at least one of the patterns specified for the userAgentBlackList property, the TAI will not handle the request.
urlBlackList
( /wps/myportal* ). Use this property to specify a list of patterns for which you do not want the TAI to handle the requests. Separate the patterns by whitespaces.
The full path information of the URL of the incoming request is compared with each of the patterns specified for this parameter. Before comparing the URL to the patterns, the protocol, server, port, and query information is removed from the URL. If the TAI is enabled and the URL matches at least one of the patterns specified for the urlBlackList property, the TAI will not handle the request.

userAgentWhiteList
Use this property to specify a list of patterns for which you want the TAI to handle the requests. Separate the patterns by whitespaces. Every product name in the HTTP header field User-Agent of the incoming request is compared with each of the patterns specified for this parameter.

If the TAI is enabled and the pattern specified for this property has at least one match and neither of the userAgentBlackList or the urlBlackList have a match, then the TAI handles the request.

urlWhiteList
( /wps/mycontenthander* ). Use this property to specify a list of patterns for which you want the TAI to handle the requests. Separate the patterns by whitespaces. The full path information of the URL of the incoming request is compared with each of the patterns specified for this parameter. Before comparing the URL to the patterns, the protocol, server, port, and query information is removed from the URL.

If the TAI is enabled and the pattern specified for this property has at least one match and neither of the userAgentBlackList or the urlBlackList have a match, then the TAI handles the request.
useRegExp
Use this property to determine whether or not the patterns that you specified for the black list and white list the previous properties are to be interpreted as Java regular expressions. Possible values are true or false. The default value is false.


1 comment:

  1. Free Blacklists Suck!


    We specialize in serving intelligent network administrators high quality blacklists for effective, targeted inline web filtering leveraging Squid proxy. We are the worlds leading and ONLY publisher of blacklists tailored specifically for use with Squid Proxy Native ACL. We also publish the worlds LARGEST adult domain blacklist, as well, as the worlds first blasphemy blacklist. Our works are available in several alternative formats for compatibility with multiple other web filter platforms. There is a demand for a better blacklist. And with few alternatives available, we intend to fill that gap.

    Squidblacklist.org Est. 2012. Owned and maintained by Benjamin E. Nichols & Co. It is an extension of the work I have been doing for years applying filters to my own networks with squid proxy and firewalls. Squidblacklist.org is platform whereby I hope to share the amalgamation of these works with the community, in the hopes that it will serve the greater good, helping to secure networks while providing a useful resource for individuals looking for a reasonable level of control of http traffic on their respective networks using a range of filtering solutions.


    It would be our pleasure to serve you,

    Signed,

    Benjamin E. Nichols
    http://www.squidblacklist.org

    ReplyDelete