During runtime, the agent components interact directly or indirectly via the IBM WebSphere Application Server 6.0 infrastructure to accomplish their functional requirements. In a typical scenario, a client request for a protected application resource will in some way invoke each of these three components and the outcome of this invocation will largely govern the overall success of request processing. The following sequence illustrates how each of these components come into play during various stages of request processing:
The client makes a web request to access a hosted application resource protected by Agent for IBM WebSphere Application Server 6.0.
If the protected resource is protected by a role-based constraint and the user's identity is not yet established, the security infrastructure of IBM WebSphere Application Server 6.0 invokes the Agent's Trust Association Interceptor implementation.
The Trust Association Interceptor implementation ensures that the user is authenticated and populates the corresponding subject with appropriate credentials that are validated by the agent's Custom User Registry implementation. This results in the establishment of the user's security principal in the web tier and allows the security infrastructure to evaluate any membership information for that user as required.
If all the necessary requirements are satisfied, the security infrastructure allows the request to proceed to the application resource being protected. At this stage, the agent's Custom Servlet Filter implementation intercepts the request and enforces the applicable URL Policies. If the request bypassed the last two stages, the Custom Servlet Filter implementation assumes the task of authenticating the user and then performing the required processing. Note that the Custom Servlet Filter implementation does not establish or alter the Subject information associated with the user.