5.6.2: Frequently asked questions about trust association between WebSphere Application Server and WebSeal

Can I still submit requests directly to WebSphere Application Server, without passing through WebSeal?
Yes. WebSphere Application Server will behave in the usual manner when requests are not received from the WebSeal server. However, please review the above section about the WebSeal36 interceptor.

What happens if security is not enabled in WebSphere Application Server, and the HTTP request is given to the WebSeal server?
The WebSeal server will still try to authenticate the user. If authentication is successful, WebSphere Application Server serves the request whether or not the user has permission to access the resource, because it performs no authorization check of its own while its security is disabled.

Can I have trust associations with several WebSeal servers, possibly from different locations, at the same time?
Yes, to the extent that different WebSeal servers are allowed to create junctions to the same Web server.

Will WebSphere Application Server single sign-on (SSO) work with WebSeal 3.6 as a front-end?
Yes. If your setup has only one WebSeal server with several junctions to Web servers, SSO itself is taken care of by WebSeal, and in this case the SSO domain name of the WebSphere Application Server installation might not even matter. WebSphere Application Server SSO will also work the usual way for a setup consisting of several WebSeal servers, each one having a junction to a Web server being used by WebSphere Application Server.

Can I use the same LDAP directory for my WebSeal server and WebSphere Application Server?
Yes. However, users and groups that were created by the Policy Director itself may not be shared with WebSphere Application Server, because a schema specific to the Policy Director might be in use.

What if I want to demand that all requests pass through my WebSeal server?
To have all requests pass through the WebSeal server, simply do none of the optional configuration of the interceptor. In that case, every HTTP request is processed by the interceptor.

Can I use custom login with trust association?
No. There is no point in doing so. Remember that WebSeal does the authentication. Therefore, when the request reaches WebSphere Application Server, it ignores any challenge type declared for your application.

What happens if I disable trust association and access a WebSphere Application Server resource through the WebSeal server?
The WebSeal server will still try to authenticate the user. However, because there is no interceptor involved, WebSphere Application Server will apply whatever challenge type is appropriate for the resource requested. If the challenge type is basic, the WebSeal ID and password will always be used. Thus, the end user ID and password will be ignored. Certificate challenge type will not work. Custom login will not work either.
