Trust Association Interceptor (10.1 release)

Release 10.1 (Beta)


Create a Java Rest Application

This involves the following steps.

  1. Define the REST resource.
       import jakarta.annotation.security.RolesAllowed;
       import jakarta.ws.rs.GET;
       import jakarta.ws.rs.Path;
       import jakarta.ws.rs.Produces;
       import jakarta.ws.rs.core.MediaType;
    
       @RolesAllowed("TAIUserRole")
       @Path("/hello")
       public class HelloResource {
    
          @GET
          @Produces(MediaType.TEXT_PLAIN)
          public String sayHello() {
             return "Hello from Jakarta REST with Jersey!";
          }
       }
    
  2. Add the security role as a class-level annotation in your Java servlet, as shown on the resource class above.

      @RolesAllowed("TAIUserRole")
    

web.xml setup

Add a security constraint and a security role to the web.xml file of the application deployed on IBM WebSphere® Application Server Liberty Core.

<security-constraint>
   <web-resource-collection>
      <web-resource-name>TrustAssociationInterceptor</web-resource-name>
      <url-pattern>/rest/hello</url-pattern>
   </web-resource-collection>
   <auth-constraint>
      <role-name>TAIUserRole</role-name>
   </auth-constraint>
</security-constraint>
<security-role id="SecurityRole_TAIUserRole">
   <description>This is the role that PMF OAuthTAI uses to protect the resource, and it is mandatory to map it to 'All Authenticated in Application' in 'ALL_AUTHENTICATED_USERS' in WebSphere Application Server Liberty.</description>
   <role-name>TAIUserRole</role-name>
</security-role>

server.xml

Modify the IBM WebSphere Application Server Liberty Core server.xml file so that it protects your external resource.

The following changes are required.

  1. Configure the feature manager to include the following features.
       <featureManager>
          <feature>restfulWSClient-3.1</feature>
          <feature>servlet-6.0</feature>
          <feature>xmlBinding-4.0</feature>
          <feature>usr:OAuthTai-10.0</feature>
       </featureManager>
    
  2. Add an application element inside the server element with the security role bound to ALL_AUTHENTICATED_USERS, and define a basic registry that holds the users.
       <application contextRoot="TAI" id="rest-application" location="tai.war" name="rest-application">
          <application-bnd>
          <security-role name="TAIUserRole">
             <special-subject type="ALL_AUTHENTICATED_USERS"/>
          </security-role>
          </application-bnd>
       </application>
          
       <basicRegistry id="basic" realm="defaultRealm">
          <user name="admin" password="adminpwd" />
          <user name="demoUser" password="demoPwd" />
          <group name="TAIUserRole">
             <member name="demoUser" />
          </group>
       </basicRegistry>
    
  3. Configure OAuthTAI to protect resources/tai/.

     <usr_OAuthTAI id="myOAuthTAI" authorizationURL="http://localhost:9080/mfp/api" clientId="jtv" clientSecret="jtv" cacheSize="500">
         <securityConstraint httpMethods="GET POST" scope="accessRestricted" securedURLs="/rest-application/rest/hello"></securityConstraint>
     </usr_OAuthTAI>
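The three pieces above (web.xml, the application binding and the OAuthTAI constraint) must agree before the interceptor protects anything. The following consistency check is an added example, not IBM's code: it embeds constructed fragments mirroring this page's configuration (the web-app namespace is omitted for brevity) and reports where the feature, role mapping or secured URL is missing.

```python
"""Consistency check for the Liberty TAI setup described above (added example, not IBM's code)."""
import xml.etree.ElementTree as ET

# Constructed server.xml fragment mirroring the snippets on this page.
SERVER_XML = """<server>
<featureManager>
  <feature>restfulWSClient-3.1</feature>
  <feature>servlet-6.0</feature>
  <feature>xmlBinding-4.0</feature>
  <feature>usr:OAuthTai-10.0</feature>
</featureManager>
<application contextRoot="TAI" id="rest-application" location="tai.war" name="rest-application">
  <application-bnd>
    <security-role name="TAIUserRole">
      <special-subject type="ALL_AUTHENTICATED_USERS"/>
    </security-role>
  </application-bnd>
</application>
<usr_OAuthTAI id="myOAuthTAI" authorizationURL="http://localhost:9080/mfp/api" clientId="jtv" clientSecret="jtv" cacheSize="500">
  <securityConstraint httpMethods="GET POST" scope="accessRestricted" securedURLs="/rest-application/rest/hello"/>
</usr_OAuthTAI>
</server>"""

# Constructed web.xml fragment (namespace omitted so ElementTree tag names stay plain).
WEB_XML = """<web-app>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>TrustAssociationInterceptor</web-resource-name>
    <url-pattern>/rest/hello</url-pattern>
  </web-resource-collection>
  <auth-constraint><role-name>TAIUserRole</role-name></auth-constraint>
</security-constraint>
<security-role><role-name>TAIUserRole</role-name></security-role>
</web-app>"""

def check_tai_config(server_xml: str, web_xml: str) -> list:
    """Return a list of problems found; an empty list means the pieces agree."""
    server, web = ET.fromstring(server_xml), ET.fromstring(web_xml)
    problems = []
    # 1. The user feature that provides the interceptor must be enabled.
    features = {f.text.strip() for f in server.iter("feature")}
    if not any(f.startswith("usr:OAuthTai-") for f in features):
        problems.append("usr:OAuthTai feature is not enabled in featureManager")
    # 2. Every role required by an auth-constraint must be bound to ALL_AUTHENTICATED_USERS.
    required = {r.text.strip() for c in web.iter("auth-constraint") for r in c.iter("role-name")}
    bound = {r.get("name") for r in server.iter("security-role")
             if any(s.get("type") == "ALL_AUTHENTICATED_USERS" for s in r.iter("special-subject"))}
    for role in sorted(required - bound):
        problems.append(f"role {role} is not mapped to ALL_AUTHENTICATED_USERS in application-bnd")
    # 3. Every protected url-pattern needs a matching securedURLs entry in a securityConstraint.
    secured = {u for sc in server.iter("securityConstraint") for u in sc.get("securedURLs", "").split()}
    for pattern in (p.text.strip() for p in web.iter("url-pattern")):
        if not any(u.endswith(pattern) for u in secured):
            problems.append(f"url-pattern {pattern} has no matching securedURLs entry")
    return problems
```

Run it against your real files by reading them into the two string arguments; a non-empty result pinpoints which of the three settings is out of step.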
    