Where z/OS Connect EE is configured for basic authentication, but selected requests do not present the required credential, a Trust Authentication Interceptor (TAI) can be developed, configured and deployed with a z/OS Connect EE server to allow selected unauthenticated requests to be processed.
For example, where an API gateway component has already authenticated requests that presented a credential, such as a client certificate, and no associated credential is available for the onward request to z/OS Connect EE, a TAI can be developed to identify such requests and allow them to be processed under a fixed application or task identity. Requests that do not match the criteria of the TAI must still present the required credential to proceed. The criteria by which a TAI decides to block or allow a request is entirely due to the design of the TAI implementation.
In the event that the TAI allows an unauthenticated request to be processed, it is possible, depending upon overall configuration, that one or more warning messages are written to the log for each unauthenticated request. For example:
CWWKS1100A: Authentication did not succeed for user ID cn=unknown,o=ibm,c=us. An invalid user ID or password was specified.
ACF2 users might see one instance of the ACF1097
message per associated request:
ACF01097 NO USERID SPECIFIED ON SYSTEM ENTRY VALIDATION REQUEST
To avoid these warning messages, you can use the Liberty configuration element, webAppSecurity
, to set the useAuthenticationDataForUnprotectedResource
attribute to false
. For example: