We are trying to use a TAI interceptor. The same application works fine with a single-node cluster, but in the case of a multi-node cluster the TAI is not getting invoked; instead it is prompting for Default realm credentials.

Here is the isTargetInterceptor method:

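    import java.util.Enumeration;
    import javax.servlet.http.HttpServletRequest;
    import com.ibm.websphere.security.WebTrustAssociationException;

    public boolean isTargetInterceptor(HttpServletRequest arg0) throws WebTrustAssociationException {
        // Dump the request attributes for troubleshooting. Attribute values are
        // arbitrary Objects, so convert them instead of casting to String.
        Enumeration enum1 = arg0.getAttributeNames();
        while (enum1.hasMoreElements()) {
            String str = (String) enum1.nextElement();
            logger.log("Request Attributes :" + str);
            logger.log("Attribute value for " + str + " is :" + String.valueOf(arg0.getAttribute(str)));
        }

        logger.log("Authentication Custom TAI [URI]:" + arg0.getRequestURI());

        // This TAI claims only requests that carry the samlartifact parameter.
        String strArtifact = arg0.getParameter("samlartifact");

        // Troubleshooting only: the artifact is a reference to the user's SAML assertion.
        logger.log(" isTargetInterceptor Receive user saml is: " + strArtifact);
        return strArtifact != null;
    }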

and the requested URL format is

https://hostname:443/NASTAIClient/loginServlet?samlartifact=artifactstring

Even if I give it without the port number, it also works in WAS (single node), and this is the actual format we are using in the non-working WAS (multi node):

https://hostname/NASTAIClient/loginServlet?samlartifact=artifactstring

If we give the proper credentials for the default realm, it creates LTPA cookies in the browser.

And so on, it creates the WS Subject. But the TAI interceptor is not getting invoked. We compared the different levels of security settings of the working (single cluster) WAS and the non-working (multi cluster) WAS. We didn't find any particular reason why the TAI is not getting invoked and why the Default realm is prompting instead.

  • Did you check if the TAI is successfully starting on the other nodes? (Maybe you didn't distribute the TAI classes to the other nodes.) Did you check if the nodes are synchronized and were restarted after configuring the TAI? Otherwise add some tracing to your isTargetInterceptor method, as it looks like it returns false and that's the reason for the default auth. – Gas Aug 26 '15 at 09:42
  • Thanks for the reply Gas. TAI distribution and a restart of all nodes were done already. Of course we have trace in the isTargetInterceptor method, where we are able to see the log for other applications' requests, but for our application's request we are not even able to see that log, and moreover it is asking for the default realm. We return false for all other requests, whereas it is true for our URL request; we are filtering like that based on one parameter. So our overall observation is that for our URL request it is not even calling the isTargetInterceptor method; instead it is asking for the default realm. Help us with this. – srinivas-sri Aug 26 '15 at 11:46
  • Thanks for your reply @Gas – srinivas-sri Aug 26 '15 at 12:43
  • Can you post your isTargetInterceptor method and the URL you are trying to access? As I don't understand: the TAI is invoked for other apps, but not your app? This is rather impossible. And the realm has nothing to do with it, it's just a name in the basic auth popup. Also single node or multi node shouldn't change anything. I assume you are accessing in multi via IHS, so the hostname/port might be different. Check that your interceptor is not relying on that. – Gas Aug 26 '15 at 12:53
  • Thanks Gas, I updated the question with the isTargetInterceptor method and the URL formats that we are using in both cases. Yes Gas, we are changing the hostname accordingly, but I don't think the port number needs to be mentioned, because it's the default port we are using in both WAS. The problem in multi WAS is that whenever we hit the above URL it immediately asks for the default realm, whereas in single node it's not asking for that. Is there any possibility of it asking for the default realm if the nodes are not in sync? We are able to see this log 'logger.log("Authentication Custom TAI [URI]:"+arg0.getRequestURI())' for other requests. – srinivas-sri Aug 27 '15 at 06:22
  • The TAI should be called, assuming that loginServlet is a protected resource. Are you sure that the logs for other apps are from the same JVM? Maybe you share a log between various JVMs? The only reason that comes to my mind is that the TAI is not configured/enabled on that JVM, and that is the reason why it is not invoked and you have the default prompt. Try to do a full resynchronize, restart the node and servers, and try to access the app from a new browser. – Gas Aug 27 '15 at 09:23
  • Thanks Gas, I will check your points and let you know. I hope with these checks we will overcome this problem, thanks once again. – srinivas-sri Aug 27 '15 at 10:12
  • Thanks Gas, the problem got solved with a restart of all nodes and a full resync. – srinivas-sri Aug 31 '15 at 09:10

1 Answer

We found the problem to be node synchronization, so we rechecked all the nodes by restarting them and doing a full resynchronize, as Gas suggested in the comments above.

  • Hi Gas, can you comment on this problem http://stackoverflow.com/questions/32864175/not-able-to-see-special-subject-allauthenticatedintrustedrealms-while-mapping @Gas – srinivas-sri Sep 30 '15 at 10:54
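
The fix this thread arrived at (a full resynchronize of every node) as a wsadmin Jython script; this is an added example, not code from the posters. It assumes wsadmin is connected to the deployment manager, and the function names and script file name are made up for illustration.

```python
# Added example: wsadmin Jython, run against the deployment manager with
#   wsadmin -lang jython -f check_sync.py   (file name is a placeholder)
# AdminControl / AdminConfig are passed in so the functions can be tested.

def node_names(admin_config):
    """Names of all nodes defined in the cell."""
    ids = admin_config.list('Node').splitlines()
    return [admin_config.showAttribute(i, 'name') for i in ids if i.strip()]

def agent_mbean(admin_control, mbean_type, node):
    """Object name of a node agent MBean, or '' if the agent is not running."""
    return admin_control.completeObjectName(
        'type=' + mbean_type + ',process=nodeagent,node=' + node + ',*')

def sync_status(admin_control, admin_config):
    """Map node name -> 'in-sync', 'out-of-sync' or 'no-nodeagent'."""
    status = {}
    for node in node_names(admin_config):
        sync = agent_mbean(admin_control, 'NodeSync', node)
        if not sync:
            status[node] = 'no-nodeagent'   # dmgr node or stopped agent
        elif admin_control.invoke(sync, 'isNodeSynchronized') == 'true':
            status[node] = 'in-sync'
        else:
            status[node] = 'out-of-sync'
    return status

def full_resync(admin_control, node):
    """Full resynchronize of one node; returns the result of 'sync'."""
    repo = agent_mbean(admin_control, 'ConfigRepository', node)
    sync = agent_mbean(admin_control, 'NodeSync', node)
    # Resetting the epoch makes the next sync re-check every document
    # instead of only those the node believes have changed.
    admin_control.invoke(repo, 'refreshRepositoryEpoch')
    return admin_control.invoke(sync, 'sync')

def resync_all(admin_control, admin_config):
    """Full resync of every node with a running agent: node -> result."""
    results = {}
    for node, state in sync_status(admin_control, admin_config).items():
        if state != 'no-nodeagent':
            results[node] = full_resync(admin_control, node)
    return results

try:                       # the wsadmin globals exist only inside wsadmin
    _admin = (AdminControl, AdminConfig)
except NameError:
    _admin = None
if _admin:
    print(sync_status(_admin[0], _admin[1]))
    print(resync_all(_admin[0], _admin[1]))
```

The script only pushes configuration; the node agents and application servers still have to be restarted afterwards, as was done in the thread.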