IBM WFSS Ideas Portal



Our team welcomes any feedback and suggestions you have for improving our offerings. This forum allows us to connect your product improvement ideas with IBM product and engineering teams.


For product documentation, see Knowledge Center.
Create and View Support Cases and Use the Discussion Forum here


Reminder: This is not the place to submit defects or support needs, please use normal support channel for these cases


The shorter URL for this site is:

IBMers, please visit the WFSS Internal Ideas portal

OAC login and authorization by means of TAI that populates WSSubject with user and groups

My customer is using a Trust Association Interceptor (TAI) which provides the end user authentication and authorization. The TAI is setting up the Principal (username) and his Groups in the WSSubject. Their federated repository that is configured with WebSphere is only used for admin users and doesn´t contain the users that login to the OAC. The OAC users are authenticated and authorized by the TAI.

However currently the OAC expects its users to be existing in the user repository because the OAC is doing a getGroupsForUser call on the WAS UserRegistry api. This api call will not return any groups for my customer´s configuration and therefore the OAC user login fails. This request is about having the OAC login take the Principal and Groups from the WSSubject (J2EE api) instead of the WAS UserRegistry api.

I have attached sample code (see SampleCode.pdf) that shows how the groups of a user can be retrieved from the WSSubject.
  • Avatar32.5fb70cce7410889e661286fd7f1897de Guest
  • Apr 9 2019
  • Planning to Implement
Component Security
Priority Urgent - Blocker
  • Attach files