Form-based authentication is one of the standard authentication mechanisms in the J2EE architecture. It is an authentication mechanism that uses a custom login form supplied by the application to collect a user name and password.
The following forms-based login modules support the forms-based authentication method:
- J2EE-FORM – used when connecting to a server enabled to support the J2EE-FORM login method standard.
  - This method can be used to connect to a WebSphere® Portal Server; however, because session tokens are not returned upon submission of the form, sessions may expire without notice. The recommended authentication type for connecting to a WebSphere Portal Server is PORTAL-FORM.
- TAM-FORM – used when connecting to a TAM-protected resource such as a WebSphere Portal Server.
  - The backend resource is assumed to be configured to accept a TAM session cookie as authorization.
- SM-FORM – used when connecting to a SiteMinder-protected resource such as a WebSphere Portal Server.
  - The backend resource is assumed to be configured to accept a SiteMinder session cookie as authorization.
- PORTAL-FORM – used when connecting directly to a WebSphere Portal Server.
  - If Global security is enabled on the WebSphere Application Server, and Lightweight Third-Party Authentication (LTPA) is specified as the authentication mechanism, then when user authentication succeeds, the form-based authentication login module returns an LTPA token and a JSESSIONID token.
The form-based authentication login modules also support single sign-on, which means that users only have to log into the remote server once and can then access any services available from that server for which they have permissions.
When you use a form-based authentication login module, the PBEKeyReaderModule reads the password from the key store. If the credentials are not found in the inputs supplied by the caller, the login module invokes the callback handlers supplied by the caller to get the user name and password. The login module persists the password retrieved from the callback handlers in a shared list maintained by the calling account and updates the user name in the AuthProperties object in the Subject. The appropriate forms-based login module validates the password, and then the PBEKeyWriterModule writes the validated password to the key store. Additionally, this login module adds an object of type com.ibm.rcp.security.auth.SingleSignonToken, which contains the LTPA token, to the list of private credentials in the Subject.
To use form-based authentication, perform the following steps:
- Create an account or retrieve an existing account.
- Call account.setProperty() to set the values of each of the following properties:
  - SERVER – Complete URL for the server, containing the protocol (HTTP or HTTPS), domain, path, and optionally, the port.
  - USER_NAME – The HTTP user name.
  - CREDENTIAL_ID – An alias that references a password in the key store. If the password does not already exist, it is created and this value is set as its alias. Accounts sharing the same password must have the same credential id property value.
  - AUTH_SERVER – The URL used for authentication only. This can be a complete URL like the SERVER value, or it can be a path, which is appended to the base domain of the SERVER value. Callers can use this property alone, as long as it contains both the host name and the context URL.
  - AUTH_TYPE – Tells JAAS which login configuration to use. This property must be set to J2EE-FORM, TAM-FORM, SM-FORM, or PORTAL-FORM. The default value is HTTP.
  - MASTER_PROPS (Optional) – The UID of another Account. Master properties are useful when two or more accounts access services that use the same user directory and share more than just passwords. When account.getLoginContext() is called, the “master” account is used to authenticate instead of the account making the method call. The “slave” account can then access the “master” account's authenticated credentials through the Subject and use them to communicate with the service. If this value is set, only the SERVER property needs to have a value; the login module retrieves values for the other properties from the master account.
- Log in using the specified account.
Use the following method to extract the LTPA token from the Subject:
SingleSignonToken token =
method returns the authenticated Subject, which contains a session cookie, such as an LTPA token or other session token.
Using any of the forms-based login modules causes the initial authentication request to contain the user name and password in plaintext unless HTTPS is used.
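The property setup, the login, the extraction of the SingleSignonToken from the Subject, and the HTTPS caveat above, carried out in one added Java example (not code from this page or from the platform's own documentation). It assumes that the platform's Account type exposes setProperty(String, String) and that account.getLoginContext() returns a standard JAAS javax.security.auth.login.LoginContext; the property keys are passed as the string names listed above, which is also an assumption, and the Account class's package is not shown on this page, so its import is omitted.

```java
import java.net.URI;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import com.ibm.rcp.security.auth.SingleSignonToken;
// Account: the platform's account type; its package is not shown on this page, so the import is omitted (assumption).

public class PortalFormLogin {

    // The first form POST carries the user name and password in clear text unless the
    // URL is HTTPS, so refuse any SERVER or AUTH_SERVER value with another scheme.
    static String requireHttps(String url) {
        URI u = URI.create(url);
        if (!"https".equalsIgnoreCase(u.getScheme())) {
            throw new IllegalArgumentException("refusing non-HTTPS login URL: " + url);
        }
        return url;
    }

    // AUTH_SERVER may be a complete URL or a path that the login module appends to the
    // base domain of SERVER; resolve it here so the HTTPS check sees the value actually used.
    static String resolveAuthServer(String server, String authServer) {
        if (URI.create(authServer).isAbsolute()) {
            return authServer;
        }
        URI base = URI.create(server);
        String path = authServer.startsWith("/") ? authServer : "/" + authServer;
        return base.getScheme() + "://" + base.getAuthority() + path;
    }

    // Steps from the topic: set the properties, log in, then take the SingleSignonToken
    // (which carries the LTPA token) from the Subject's private credentials.
    static SingleSignonToken login(Account account, String server, String authServer,
                                   String userName, String credentialId) throws LoginException {
        account.setProperty("SERVER", requireHttps(server));                         // key names assumed
        account.setProperty("AUTH_SERVER", requireHttps(resolveAuthServer(server, authServer)));
        account.setProperty("USER_NAME", userName);
        account.setProperty("CREDENTIAL_ID", credentialId);  // alias of the password in the key store
        account.setProperty("AUTH_TYPE", "PORTAL-FORM");     // direct connection to WebSphere Portal

        LoginContext lc = account.getLoginContext();          // assumed to be a JAAS LoginContext
        lc.login();                                           // PBEKeyReaderModule, form module, PBEKeyWriterModule
        Subject subject = lc.getSubject();
        Set<SingleSignonToken> tokens = subject.getPrivateCredentials(SingleSignonToken.class);
        if (tokens.isEmpty()) {
            throw new LoginException("authentication succeeded but the Subject holds no SingleSignonToken");
        }
        return tokens.iterator().next();
    }
}
```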