5.6.2: Frequently asked questions about trust association between WebSphere Application Server and WebSeal
Can I still submit requests directly to WebSphere Application Server,
without passing through WebSeal?
Yes. WebSphere Application Server will behave in the usual manner when
requests are not received from the WebSeal server. However, please review the
above section about the WebSeal36 interceptor.
What happens if security is not enabled in WebSphere Application Server,
and the HTTP request is given to the WebSeal server?
The WebSeal server will still try to authenticate the user. If authentication
is successful, WebSphere Application Server is going to serve the request
whether or not the user has permissions to access the resource.
Can I have trust associations with several WebSeal servers, possibly
from different locations, at the same time?
Yes, to the extent that different WebSeal servers are allowed to create
junctions to the same Web server.
Will WebSphere Application Server single sign-on (SSO) work with WebSeal
3.6 as a front-end?
Yes. If your setup is such that there is only one WebSeal server and
several junctions to Web servers, SSO itself is taken care of by WebSeal,
and in this case, the SSO domain name of WebSphere Application
Server installation might not even matter. WebSphere Application Server
SSO will work the usual way even for a setup consisting of several WebSeal
servers, each one having a junction to a Web server being used by
WebSphere Application Server.
Can I use the same LDAP directory for my WebSeal server and WebSphere
Application Server?
Yes. However, users and groups that were created by the Policy Director
itself might not be shareable with WebSphere Application Server, because
a schema specific to the Policy Director might be in use.
What if I want to demand that all requests pass through my WebSeal server?
To have all requests pass through the WebSeal server, simply leave all of
the optional configuration of the interceptor undone.
In that case, every HTTP request is processed by the interceptor.
Can I use custom login with trust association?
No. There is no point in doing so. Remember that WebSeal does the
authentication. Therefore, when the request reaches WebSphere Application
Server, it ignores any challenge type declared for your application.
What happens if I disable trust association and access a WebSphere
Application Server resource through the WebSeal server?
The WebSeal server will still try to authenticate the user. However, because
there is no interceptor involved, WebSphere Application Server will apply
whatever challenge type is appropriate for the resource requested. If the
challenge type is basic, the WebSeal ID and password will always
be used. Thus, the end user ID and password will be ignored.
Certificate challenge type will not work. Custom login will not
work either.