Chapter 5. Programming 187
5.1.1 External authentication C API
In previous releases, custom authentication modules were built using the Tivoli
cross-domain authentication services or CDAS. This term is no
longer used because its scope is not wide enough to cover all the functions
performed by Web security resource manager authentication modules. The
replacement term is external authentication C API. The new term reflects only a
change in terminology.
The external authentication C API performs the following tasks:
– Receives authentication data from the runtime.
– Organizes the data into a standard format.
– Passes the data to the authentication modules.
– Receives statuses, identity structures, or both back from the authentication
– Passes the statuses, identity structures, or both back to the runtime.
As shown in Figure 5-4 on page 188, the external authentication C API enables
you to substitute the default built-in WebSEAL authentication mechanism with a
highly flexible shared library mechanism that allows custom handling and
processing of client authentication information.
Every authentication module implements one or more of four functions defined
by the external authentication module interface. This is true for the built-in
authentication modules as well as for custom modules that you can develop
Note: EAI is configured for the Plug-in for Web Servers in the [ext-auth-int]
stanza. This stanza can be qualified by virtual host if necessary.
The configuration options are similar to those used for WebSEAL. However,
there are some differences:
– auth-url is the “start” page of the EAI application. When the EAI
authentication module is selected for authentication it will return this
page to the client to start EAI authentication.
– When the trigger-url is matched by the EAI authentication post-authn
module it will request access to the response from this page. Multiple
trigger URLs can be specified.
– When the EAI Authentication response module is called it will look for
the configured headers. If appropriate headers are found, it will trigger
the building of a credential and an authentication event. If the headers
are not found, the response will be sent back to the client. The EAI
headers are configured in the same way as for WebSEAL.
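The trigger-url and header checks described in the note above, modelled as a small C program. This is an added example, not code from the product or the original text: the type and function names, the sample trigger patterns, the am-eai-user-id header name and the fnmatch-style wildcard matching are all assumptions.

```c
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Model of the EAI response check; every name here is hypothetical. */
typedef struct { const char *name; const char *value; } header_t;
typedef enum { EAI_PASS_THROUGH, EAI_BUILD_CREDENTIAL } eai_action_t;

/* Constructed sample configuration (assumed values, not from the product). */
static const char *trigger_urls[] = { "/eaiapp/login/*", "/eaiapp/stepup" };
static const char *user_id_header = "am-eai-user-id";

/* Header names are case-insensitive; an empty value does not count. */
static const char *find_header(const header_t *h, size_t n, const char *name)
{
    for (size_t i = 0; i < n; i++)
        if (strcasecmp(h[i].name, name) == 0 && h[i].value[0] != '\0')
            return h[i].value;
    return NULL;
}

/* Decide what happens to one back-end response. Identity headers are
 * examined only when the request URL matched a trigger URL. */
eai_action_t eai_inspect_response(const char *url, const header_t *h,
                                  size_t n, const char **user_out)
{
    size_t count = sizeof trigger_urls / sizeof trigger_urls[0];
    int triggered = 0;
    *user_out = NULL;
    for (size_t i = 0; i < count && !triggered; i++)
        triggered = (fnmatch(trigger_urls[i], url, 0) == 0);
    if (!triggered)
        return EAI_PASS_THROUGH;             /* not an EAI response at all */
    *user_out = find_header(h, n, user_id_header);
    return *user_out ? EAI_BUILD_CREDENTIAL  /* authentication event */
                     : EAI_PASS_THROUGH;     /* e.g. the login form itself */
}

int main(void)
{
    /* Constructed responses: same headers, different URLs. */
    header_t hdrs[] = { {"Content-Type", "text/html"}, {"AM-EAI-USER-ID", "alice"} };
    const char *urls[] = { "/eaiapp/login/done", "/app/profile" }, *user;
    for (size_t i = 0; i < 2; i++) {
        eai_action_t a = eai_inspect_response(urls[i], hdrs, 2, &user);
        printf("%-20s -> %s\n", urls[i], a == EAI_BUILD_CREDENTIAL ? user : "pass through");
    }
    return 0;
}
```

Because any response under a trigger URL that carries the identity header results in an authentication event, trigger patterns should cover only the EAI application's own pages.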