10.1 Overview


When integrating different back-end systems, portlets often need to provide some type of authentication to access those systems. WebSphere Portal provides a Credential Vault to store and retrieve user credentials. By using the Credential Vault, portlets can provide a single sign-on experience to the user.

After reading this chapter, you will be able to:

  • Understand the value of Credential Vault for portlet development

  • Identify the different components of Credential Vault

  • Build portlet applications using Credential Vault technology and active and passive objects

Portlets running on WebSphere Portal may need to access remote applications that require some form of authentication by using appropriate credentials. In this section, we provide an overview of the Credential Vault components.

Credentials

Examples of credentials are user IDs and passwords, SSL client certificates and private keys. In order to provide a single sign-on user experience, portlets should not ask the user for the credentials of individual applications each time the user starts a new portal session. Instead, they must be able to store and retrieve the user's credentials for their particular associated application and use those credentials to log in on behalf of the user. Secure access from the portal to the back end is illustrated in Figure 10-2 on page 321.

Figure 10-2. Credential Vault in action


The Credential Vault provides this functionality and portlets can use it through the Credential Vault Portlet Service.

Components of the Credential Vault organization

The organization of Credential Vault in WebSphere Portal consists of vault segments and credential slots. Figure 10-3 on page 322 shows an overview of these components.

Figure 10-3. Credential Vault organization


Vault segments

The Credential Vault is partitioned into segments and a vault segment contains one or more credential slots.

There are two different types of vault segments:

  • Administrator-managed segments: in this type of vault segment, the creation of new slots is restricted to the portlet administrator.

  • User-managed segments: in this type of vault segment, portlets can also create new slots on behalf of the user.

Note: Setting and retrieving credentials can be performed by portlets for both types of vault segments.

Vault implementations are the actual locations where the credentials are stored. This can be for example the default database of WebSphere Portal or the Tivoli Access Manager lock box.

Credential slots

As mentioned previously, every vault segment contains one or more credential slots. Slots are "drawers" where portlets store and retrieve a user's credentials. Each slot holds one credential and links to a resource in a vault implementation. There are four different types of slots:

  • A system slot stores system credentials where the actual secret is shared among all users and portlets.

  • An administrative slot allows each user to store a secret for an administrator-defined resource (for example, Lotus Notes).

  • A shared slot stores user credentials that are shared among the user's portlets.

  • A portlet private slot stores user credentials that are not shared among portlets.

Note: In the sample scenario included in this chapter, only private slots will be used.

Credentials objects

WebSphere Portal differentiates between passive and active credential objects:

  • Passive credential objects are containers for the credential's secret. Portlets that use passive credentials need to extract the secret out of the credential and do all the authentication communication with the back-end resource. The following passive credential support is provided with WebSphere Portal:

    - UserPasswordPassive, which stores secrets in the form of user ID/password pairs

    - SimplePassive, which stores secrets in the form of serializable Java objects

    - JaasSubjectPassive (Java Authentication and Authorization Service), which stores secrets in the form of javax.security.auth.Subject objects

    Currently, the vault service in WebSphere Portal only supports UserPasswordPassive.

  • Active credential objects hide the credential's secret from the portlet; there is no way of extracting it out of the credential. In return, active credential objects offer business methods that take care of all the authentication. The following active credential support is provided with WebSphere Portal:

    - HttpBasicAuth

    - HttpFormBasedAuth

    - JavaMail

    - LtpaToken

    - SiteMinderToken

    - WebSealToken

Note: When using active credentials, portlets never touch the credential secret, so there is no risk that a portlet violates a security rule such as storing the secret in the portlet session. An appropriate active credential class may not always be available, but active credentials are the preferred type of credential object to use.

Sample scenario

In this sample scenario, you will create a sample portlet based on a Basic portlet type using the Portlet Wizard. You will also use this wizard to enable Credential Vault to interact with back-end resources.

In this scenario, the protected back-end resource is a servlet that requires user ID and password credentials to log in to the Web application (servlet). The servlet application has been secured with HTTP Basic Authentication.

The sample scenario illustrates the following:

  • How the Credential Vault with active credentials is used

  • How the Credential Vault with passive credentials is used

  • How to store credentials

  • How to retrieve credentials

  • How to log in to the Web application

  • How to retrieve the Web application content in the portlet's View mode

In the first part of this scenario, active credentials are used to access a secure Web application using HTTP Basic Authentication, as shown in Figure 10-4.

Figure 10-4. Credential Vault sample scenario


The sequence flow for this scenario is as follows:

  1. The initConcrete method is used to initialize the Credential Vault Service.

  2. Portal invokes the portlet doView method. Since no credentials have been stored yet, a message is written indicating that a user ID and password must be entered in Edit mode.

  3. In the portlet View mode, a message is shown directing the user to use the Edit mode to enter credentials.

  4. The user clicks Edit to go into Edit mode.

  5. The Edit mode screen is displayed, that is, the doEdit method is executed and a JSP displays a form to enter credentials and submit the action.

  6. The user enters a user ID and password and selects Submit.

  7. The actionPerformed method is executed to process the action. It creates a slot and stores the user ID/password information.

  8. The doView method is executed to complete the cycle. The following tasks are executed in this mode:

    1. An HttpBasicAuth active credential object is retrieved from the credential service. Because authentication is done in this object, we never get in touch with the real credentials.

    2. The authorization header is set in the request HTTP header.

    3. The connection to the back-end resource (protected servlet in this scenario) is invoked.

    4. The user is authenticated and the servlet executes.

    5. The received content is rendered in View mode.
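The following portlet skeleton is an added example, not code from the redbook or from the IBM sample, that puts the sequence above and the active/passive distinction from the previous section into code: the portlet creates a portlet-private slot in the user-managed segment, stores the user ID/password, and in View mode lets the HttpBasicAuth active credential authenticate so the portlet itself never handles the password. The service and credential method names are written from memory of the WebSphere Portal 5 Credential Vault API and should be checked against the product Javadoc; the back-end URL, the resource name, the PortletData key and the form parameter names are assumptions.

```java
import java.io.*;
import java.net.*;
import java.util.HashMap;
import org.apache.jetspeed.portlet.*;
import org.apache.jetspeed.portlet.event.*;
import com.ibm.wps.portletservice.credentialvault.*;
import com.ibm.wps.portletservice.credentialvault.credentials.HttpBasicAuthCredential;

public class VaultSamplePortlet extends PortletAdapter implements ActionListener {
    private static final String SLOT_KEY = "vault.slotId";                    // slot id kept in PortletData
    private static final String BACKEND = "http://backend.example/protected"; // assumed servlet URL
    private CredentialVaultService vault;
    // Step 1: look up the Credential Vault portlet service once.
    public void initConcrete(PortletSettings settings) throws UnavailableException {
        try { vault = (CredentialVaultService) getPortletConfig().getContext().getService(CredentialVaultService.class); }
        catch (Exception e) { throw new UnavailableException("Credential Vault service not available"); }
    }
    // Step 7: create a portlet-private slot in the user-managed segment, then store the secret in it.
    public void actionPerformed(ActionEvent event) throws PortletException {
        PortletRequest req = event.getRequest();
        try {
            PortletData data = req.getData();
            String slotId = (String) data.getAttribute(SLOT_KEY);
            if (slotId == null) {
                CredentialSlotConfig slot = vault.createSlot("ProtectedServlet", // assumed resource name
                        vault.getDefaultUserCredentialVaultSegmentId(), new HashMap(), new HashMap(),
                        CredentialVaultService.SECRET_TYPE_USERID_STRING_PASSWORD_STRING,
                        true /* active */, true /* portlet private */, req);
                slotId = slot.getSlotId(); data.setAttribute(SLOT_KEY, slotId); data.store();
            }
            vault.setCredentialSecretUserPassword(slotId, req.getParameter("userid"),
                    req.getParameter("password").toCharArray(), req); // secret goes straight to the vault
        } catch (Exception e) { throw new PortletException(e); }
    }
    // Step 8: the active credential sets the Authorization header and opens the connection itself;
    // the portlet never handles the password, so it cannot leak it into the session or logs.
    public void doView(PortletRequest req, PortletResponse resp) throws PortletException, IOException {
        PrintWriter out = resp.getWriter();
        String slotId = (String) req.getData().getAttribute(SLOT_KEY);
        if (slotId == null) { out.println("Enter your user ID and password in Edit mode."); return; }
        try {
            HttpBasicAuthCredential cred = (HttpBasicAuthCredential) vault.getCredential(slotId, "HttpBasicAuth", new HashMap(), req);
            HttpURLConnection conn = cred.getAuthenticatedConnection(new URL(BACKEND));
            BufferedReader in = new BufferedReader(new InputStreamReader(conn.getInputStream()));
            for (String line; (line = in.readLine()) != null; ) out.println(line);
            in.close();
        } catch (CredentialSecretNotSetException e) {
            out.println("No credentials stored yet; use Edit mode.");
        } catch (Exception e) { throw new PortletException(e); }
    }
}
```

With a passive credential the portlet would instead call getCredential with the "UserPasswordPassive" type and read the user ID and password itself, which is exactly the exposure the active credential avoids.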



IBM WebSphere Portal V5: A Guide for Portlet Application Development
ISBN: 0738498513
Year: 2004
Pages: 148