My customer is using a Trust Association Interceptor (TAI) which provides the end user authentication and authorization. The TAI is setting up the Principal (username) and his Groups in the WSSubject. Their federated repository that is configured with WebSphere is only used for admin users and doesn't contain the users that log in to the OAC. The OAC users are authenticated and authorized by the TAI.
However, currently the OAC expects its users to exist in the user repository because the OAC is doing a getGroupsForUser call on the WAS UserRegistry API. This API call will not return any groups for my customer's configuration and therefore the OAC user login fails. This request is about having the OAC login take the Principal and Groups from the WSSubject (J2EE API) instead of the WAS UserRegistry API.
I have attached sample code (see SampleCode.pdf) that shows how the groups of a user can be retrieved from the WSSubject.
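
The lookup this request describes, as an added sketch; it is not the attached SampleCode.pdf and not OAC code. The class and method names (`SubjectGroups`, `callerName`, `callerGroups`) are hypothetical, and the code assumes it runs inside WebSphere with application security enabled and the WebSphere security API on the classpath.

```java
import java.util.ArrayList;
import java.util.List;
import javax.security.auth.Subject;
import com.ibm.websphere.security.WSSecurityException;
import com.ibm.websphere.security.auth.WSSubject;
import com.ibm.websphere.security.cred.WSCredential;

/** Hypothetical helper: reads identity from the caller's Subject, not from the user registry. */
public final class SubjectGroups {

    private SubjectGroups() { }

    /** Security name asserted at login (here: by the TAI), or null if unauthenticated. */
    public static String callerName() throws Exception {
        WSCredential cred = callerCredential();
        return cred == null ? null : cred.getSecurityName();
    }

    /**
     * Group IDs carried in the caller's credential. The values are returned exactly
     * as the login set them (often in "group:realm/id" form), so any comparison with
     * application group names has to account for that format.
     */
    public static List<String> callerGroups() throws Exception {
        List<String> groups = new ArrayList<>();
        WSCredential cred = callerCredential();
        if (cred == null) {
            return groups; // unauthenticated caller: no groups, never a default set
        }
        // An expired or destroyed credential makes getGroupIds() throw; the exception
        // is left to propagate so the login fails closed instead of continuing.
        for (Object id : cred.getGroupIds()) {
            groups.add(String.valueOf(id));
        }
        return groups;
    }

    /** First WSCredential among the caller Subject's public credentials, or null. */
    private static WSCredential callerCredential() throws WSSecurityException {
        Subject subject = WSSubject.getCallerSubject();
        if (subject == null) {
            return null; // no authenticated caller on this thread
        }
        for (WSCredential c : subject.getPublicCredentials(WSCredential.class)) {
            return c;
        }
        return null;
    }
}
```

With this approach the groups are only as trustworthy as the TAI that populated the Subject, so the interceptor's own validation of the upstream identity remains the control that matters.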