When integrating different back-end systems, portlets often need to provide some type of authentication to access those systems. WebSphere Portal provides a Credential Vault to store and retrieve user credentials. By using the Credential Vault, portlets can give the user a single sign-on experience. After reading this chapter, you will be able to:
Portlets running on WebSphere Portal may need to access remote applications that require some form of authentication using appropriate credentials. In this section, we provide an overview of the Credential Vault components.

Credentials
Examples of credentials are user IDs and passwords, SSL client certificates and private keys. In order to provide a single sign-on user experience, portlets should not ask the user for the credentials of individual applications each time the user starts a new portal session. Instead, they must be able to store and retrieve user credentials for their particular associated application and use those credentials to log in on behalf of the user. Secure access from the portal to the back end is illustrated in Figure 10-2 on page 321.

Figure 10-2. Credential Vault in action
The Credential Vault provides this functionality, and portlets can use it through the Credential Vault Portlet Service.

Components of the Credential Vault organization
The organization of the Credential Vault in WebSphere Portal consists of vault segments and credential slots. Figure 10-3 on page 322 shows an overview of these components.

Figure 10-3. Credential Vault organization
Vault segments
The Credential Vault is partitioned into segments, and a vault segment contains one or more credential slots. There are two different types of vault segments:
Note: Setting and retrieving credentials can be performed by portlets for both types of vault segments.

Vault implementations are the actual locations where the credentials are stored. This can be, for example, the default database of WebSphere Portal or the Tivoli Access Manager lock box.

Credential slots
As mentioned previously, every vault segment contains one or more credential slots. Slots are "drawers" where portlets store and retrieve a user's credentials. Each slot holds one credential and links to a resource in a vault implementation. There are four different types of slots:
Note: In the sample scenario included in this chapter, only private slots will be used.

Credential objects
WebSphere Portal differentiates between passive and active credential objects:
Note: When using active credentials, portlets never get in touch with the credential secrets, so there is no risk that a portlet could violate a security rule such as, for example, storing the secret in the portlet session. Although an appropriate active credential class might not always be available, active credentials are the preferred type of credential object to use.

Sample scenario
In this sample scenario, you will create a sample portlet based on the Basic portlet type using the Portlet Wizard. You will also use this wizard to enable the Credential Vault to interact with back-end resources. In this scenario, the protected back-end resource is a servlet that requires user ID and password credentials to log in to the Web application (servlet). The servlet application has been secured with HTTP Basic Authentication. The sample scenario illustrates the following:
In the first part of this scenario, active credentials are used to access a secure Web application using HTTP Basic Authentication, as shown in Figure 10-4. Figure 10-4. Credential Vault sample scenario
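The following portlet sketch is an added illustration of the pattern described above; it is not the Redbook's wizard-generated sample. It assumes the WebSphere Portal 5.x Credential Vault Portlet Service API as recalled by the editor (CredentialVaultService, HttpBasicAuthCredential, CredentialSecretNotSetException in com.ibm.wps.portletservice.credentialvault, and the IBM portlet API in org.apache.jetspeed.portlet); the package name, the slot-id attribute key and the back-end URL are constructed placeholders, and the class and method names should be checked against the Javadoc of the portal version in use. The point it demonstrates is the one made in the note on active credentials: the portlet obtains an authenticated connection from the vault and never handles the user's password itself, and the two failure modes a practitioner must handle (no secret stored yet, back end rejecting the stored secret) are treated explicitly instead of leaking an exception or the secret into the page.

```java
// Added example, not the Redbook's sample portlet. API names below are
// assumptions based on the WebSphere Portal 5.x Credential Vault Portlet
// Service; verify against your portal's Javadoc.
package com.example.vault; // hypothetical package

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.PrintWriter;
import java.net.HttpURLConnection;
import java.net.URL;

import org.apache.jetspeed.portlet.PortletAdapter;
import org.apache.jetspeed.portlet.PortletConfig;
import org.apache.jetspeed.portlet.PortletContext;
import org.apache.jetspeed.portlet.PortletException;
import org.apache.jetspeed.portlet.PortletRequest;
import org.apache.jetspeed.portlet.PortletResponse;
import org.apache.jetspeed.portlet.UnavailableException;
import org.apache.jetspeed.portlet.service.PortletServiceException;

import com.ibm.wps.portletservice.credentialvault.CredentialSecretNotSetException;
import com.ibm.wps.portletservice.credentialvault.CredentialVaultService;
import com.ibm.wps.portletservice.credentialvault.credentials.HttpBasicAuthCredential;

public class BackendViewerPortlet extends PortletAdapter {

    // Constructed placeholders. The slot id of a portlet-private slot is created
    // once per user (typically from edit mode) and kept in PortletData; it is
    // never hard-coded, and the secret itself is never stored by the portlet.
    private static final String SLOT_ID_KEY = "vault.slotId";
    private static final String BACKEND_URL = "http://backend.example.com/secured/servlet";

    private CredentialVaultService vaultService;

    public void init(PortletConfig config) throws UnavailableException {
        super.init(config);
        PortletContext ctx = config.getContext();
        try {
            // Look up the Credential Vault Portlet Service once at init time.
            vaultService = (CredentialVaultService) ctx.getService(CredentialVaultService.class);
        } catch (PortletServiceException e) {
            throw new UnavailableException("Credential Vault Portlet Service not available");
        }
    }

    public void doView(PortletRequest request, PortletResponse response)
            throws PortletException, IOException {
        PrintWriter out = response.getWriter();

        // The slot id was saved in PortletData when the user configured the portlet.
        String slotId = (String) request.getData().getAttribute(SLOT_ID_KEY);
        if (slotId == null) {
            out.println("No credential slot configured yet. Please enter your credentials in edit mode.");
            return;
        }

        try {
            // Active credential: the vault returns an object that can open an
            // HTTP connection carrying the Basic Authentication header itself.
            // The portlet code never sees the user id or password.
            HttpBasicAuthCredential cred = (HttpBasicAuthCredential)
                vaultService.getCredential(slotId, "HttpBasicAuth", null, request);

            HttpURLConnection conn = cred.getAuthenticatedConnection(new URL(BACKEND_URL));
            int status = conn.getResponseCode();
            if (status == HttpURLConnection.HTTP_UNAUTHORIZED) {
                // Stored secret is stale or wrong: tell the user, do not echo anything else.
                out.println("The back end rejected the stored credentials. Please re-enter them in edit mode.");
                return;
            }
            if (status != HttpURLConnection.HTTP_OK) {
                out.println("Back end returned HTTP status " + status + ".");
                return;
            }

            // Render the protected content returned by the servlet.
            BufferedReader in = new BufferedReader(new InputStreamReader(conn.getInputStream()));
            String line;
            while ((line = in.readLine()) != null) {
                out.println(line);
            }
            in.close();
        } catch (CredentialSecretNotSetException e) {
            // Slot exists but the user has not stored a secret in it yet.
            out.println("No credentials stored yet. Please enter them in edit mode.");
        } catch (PortletServiceException e) {
            // Do not print the exception into the page; log it and fail the render.
            throw new PortletException("Credential Vault access failed", e);
        }
    }
}
```

The edit-mode counterpart (creating a portlet-private slot in the user's default segment and storing the user id and password through the vault service) is what the Portlet Wizard generates for you in the scenario; the essential property to preserve there is the same one shown above: the password goes straight from the request into the vault service call and is not kept in PortletData, the session, or a log.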
The sequence flow for this scenario is as follows: