OAuth trust association interceptor (TAI) custom properties

The following tables list the custom properties for the OAuth TAI. You can define these properties in the custom properties panel for the OAuth TAI by using the administrative console.

To assign unique property names that identify each possible OAuth provider, a provider_<id> is embedded in the property name and used to group the properties that are associated with each provider. The provider_<id>s are numbered sequentially for each service provider.

The following table describes the OAuth TAI custom properties:

Table 1. OAuth TAI custom properties

Property name: provider_<id>.name
  Values: You can specify any string value.
  Description: This property specifies the name of the OAuth provider. This value must be the same as the name of the provider configuration file, without the .xml file extension. This property is required.

Property name: provider_<id>.filter
  Values: This property does not have a default value.
  Description: This property specifies a condition that is checked against the HTTP request to determine whether the HTTP request is selected for processing by the OAuth service provider. This property is required. For more information about this property, see the OAuth TAI filter property section.

Property name: provider_<id>.oauthOnly
  Values: You can specify one of the following values:
    • true (Default)
    • false
  Description: If a client request does not contain the OAuth credentials, such as an access token, this property specifies whether a resource that is protected by the OAuth TAI can be accessed through other authentication mechanisms, such as basic authentication. This property is optional. If this property is set to false, OAuth protected resources can be accessed through other authentication methods when OAuth authentication fails.

OAuth TAI filter property

The provider_<id>.filter OAuth TAI filter property is a required property that is used to specify resources that are protected by the OAuth provider.

The filter property specifies a set of conditions that are compared against the HTTP request of the client to select an OAuth provider for processing the HTTP request. Each condition is specified by three elements:
  • input required - the input element usually specifies an HTTP header name, but request-url and remote-address can also be used as special elements
  • operator - the operator element specifies one of the following values: ==, !=, %=, ^=, <, and >
  • comparison value - this element usually specifies a string, but IP address ranges are also allowed

The conditions are evaluated from left to right, as specified by the comparison value. If all the filter conditions specified by an OAuth provider are met in an HTTP request, the OAuth provider is selected for the HTTP request.

The input element identifies an HTTP request header field to extract from the request and its value is compared with the value that is specified in the filter property. If the header field that is identified by the input element is not present in the HTTP request, the condition is treated as not being met. Any of the standard HTTP request header fields can be used as the input element in the filter condition. See the HTTP specification for the list of valid headers.

In addition to the standard HTTP header fields, the following special input elements can be used in the filter property:
  • request-url - the comparison value of this input is compared against the URL address that is used by the client application to make the request
  • request-uri - this element is similar to request-url, but the query string contained in the request URL address is not used in the comparison
  • remote-address - the comparison value of this input is compared against the TCP/IP address of the client application that sent the HTTP request

Examples

In the following example, the filter property specifies an HTTP header field From as the input with oauthuser@xyz.com as the comparison value and == as the operator:

    provider_1.filter=From==oauthuser@xyz.com

In this case, if a client request contains an HTTP header field From with a value of oauthuser@xyz.com, the OAuth TAI selects the provider of this provider_1 filter for processing the client request.

In the following example, the filter property specifies a URL with ivtlanding.jsp as the comparison value and %= as the operator:

    provider_2.filter=request-url%=ivtlanding.jsp

In this case, if the URL of the protected application started by the client contains the string ivtlanding.jsp, the OAuth TAI selects the provider of this provider_2 filter for processing the client request.

In the following example, the filter property specifies an application name with DefaultApplication as the comparison value and == as the operator:

    provider_3.filter=applicationNames==DefaultApplication

In this case, if the name of the target application started by the client application is DefaultApplication, the OAuth TAI selects the provider of this provider_3 filter for processing the client request.

The following table lists the different operators used in the filter property:

Table 2. Filter property operators

Operator: ==
  Condition: This operator specifies an exact match. The input element must be equal to the comparison value.
  Example: From==jones@my.company.com

Operator: %=
  Condition: This operator specifies a partial match. The input element contains the comparison value.
  Example: user-agent%=IE 6

Operator: ^=
  Condition: The input element contains one of the comparison values.
  Example: request-url^=urlApp1|urlApp2|urlApp3

Operator: !=
  Condition: The input element does not contain the comparison value.
  Example: request-url!=SPNEGO

Operator: >
  Condition: The input element is greater than the comparison value.
  Example: remote-address>192.168.255.130

Operator: <
  Condition: The input element is less than the comparison value.
  Example: remote-address<192.168.255.135
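
The following sketch models the filter semantics described above so that a filter value can be checked against sample requests before it is deployed. It is an added example, not IBM code or the TAI implementation. The function names, the request dictionary shape, the ";" separator between conditions, and the comparison of < and > as IP addresses are assumptions of this sketch.

```python
import ipaddress

OPERATORS = ("==", "!=", "%=", "^=", "<", ">")  # operators listed in Table 2

def parse_condition(cond):
    """Split 'input<operator>value' at the earliest operator occurrence."""
    hits = [(cond.find(op), op) for op in OPERATORS if cond.find(op) > 0]
    if not hits:
        raise ValueError(f"no operator in condition: {cond!r}")
    pos, op = min(hits)
    return cond[:pos].strip(), op, cond[pos + len(op):].strip()

def lookup(name, request):
    """Resolve an input element against a request dict (hypothetical shape)."""
    key = name.lower()
    special = {"request-url": request["url"],
               "request-uri": request["url"].split("?", 1)[0],  # query string dropped
               "remote-address": request["remote_addr"]}
    if key in special:
        return special[key]
    headers = {k.lower(): v for k, v in request["headers"].items()}
    return headers.get(key)  # None when the header is absent

def condition_met(cond, request):
    name, op, expected = parse_condition(cond)
    actual = lookup(name, request)
    if actual is None:  # a header that is not present means "not met"
        return False
    if op == "==":
        return actual == expected
    if op == "%=":
        return expected in actual
    if op == "!=":
        return expected not in actual
    if op == "^=":
        return any(v.strip() in actual for v in expected.split("|") if v.strip())
    # "<" and ">": compared as IP addresses here (assumption of this sketch)
    a, e = ipaddress.ip_address(actual), ipaddress.ip_address(expected)
    return a < e if op == "<" else a > e

def provider_selected(filter_value, request, sep=";"):
    """All conditions must be met; the ';' separator is an assumption."""
    return all(condition_met(c, request) for c in filter_value.split(sep) if c.strip())

# Constructed sample request: the page name appears only in the query string.
SAMPLE = {"url": "https://app.example.test/other/page?next=ivtlanding.jsp",
          "remote_addr": "192.168.255.132",
          "headers": {"From": "oauthuser@xyz.com"}}
```

With the constructed request, request-url%=ivtlanding.jsp selects the provider because the string occurs in the query string, while request-uri%=ivtlanding.jsp does not, which shows how a partial match on request-url can cover more requests than intended.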

Reference topic

Last updated: July 9, 2016 7:52
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=cord&product=was-nd-mp&topic=rwbs_oauthtaiproperties
File name: rwbs_oauthtaiproperties.html