Creating a Sign-In Policy
NOTE Most of the information provided in this section applies only when Workplace is configured for application-managed authentication. Developers should take note of where the material presented in this section applies.
The Toolkit provides a default sign-in policy implementation. It uses the
Content Engine to validate credentials, and persists credentials required
for Content Engine and Process Engine access.
The Toolkit includes a sign-in policy interface definition for
creating your own sign-in implementation. You may want to create your own
implementation to:
- require additional credentials to access third-party servers.
- customize how credentials are persisted in the session.
- customize the credentials collection process (application-managed authentication only).
- customize the secure sign-in scheme (application-managed authentication only).
This topic describes the default sign-in policy implementation provided in the Toolkit. It also outlines the requirements for creating a new sign-in policy implementation.
Default Implementation
The steps and diagram below summarize the default sign-in policy
implementation when Workplace is configured for application-managed authentication.
When the user submits a sign-in form:
- WcmController's handleEvent( ) method is called.
- WcmController dispatches the SignIn event to WcmSignInModule.
- WcmSignInModule calls WcmSignInProcess.signIn(...).
- WcmSignInProcess.signIn(...) calls the signInViaToken(...) method,
  which passes credentials with a token. This method executes the 3.x
  Toolkit sign-in behavior (the Toolkit's default configuration).
  If you configure your application to use the 2.x Toolkit behavior,
  WcmSignInProcess.signIn(...) calls either the signInLocal(...) method
  to set credentials for a local session, or the
  signInRemote(...) method to set credentials for an SSL-enabled session.
  Use of 2.x or 3.x sign-in behavior is specified in the
  internalTokensEnabled setting.
- WcmSignInProcess.signIn(...) returns the destination page to
  WcmSignInModule.
- WcmSignInModule passes the destination page to the WcmController's
  sendRedirect method.
- WcmController.sendRedirect( ) sends a client-side redirect to the HTML
  browser.

signInViaToken Method
The steps and diagram below summarize how credentials are passed with an internal
token (not to be confused with a user token), either for a local session or for a remote session in a
Toolkit-based application. This method is used when your application is
configured to use the 3.x Toolkit sign-in behavior.
- WcmSignInProcess.signInViaToken(...) is called.
- If the session is local, the method calls the
  InternalTokenPolicy.SignInViaToken(...) method to get and return the
  token.
  OR
  If the session is remote, the method calls
  WcmCredentialsServlet.getInternalTokenRequestURL(...), a static
  utility method that constructs and returns a URL to access the
  credentials servlet.
- If the session is remote, the returned URL is passed to
WcmHTTPUtil.sendHTTPCredentialsRequest(...), which performs a post
request based on the URL string, then returns the status of the
operation.

signInLocal Method
The steps and diagram below summarize how credentials are set for a local
session in an application configured to use the 2.x Toolkit sign-in
behavior.
- WcmSignInProcess.signInLocal(...) is called.
- The signInLocal(...) method calls the controller's
getSignInPolicy(...) method, which returns the WcmSignInPolicy object
-- the singleton instance of WcmSignInPolicyInterface.
- The signInLocal(...) method calls WcmSignInPolicy.setCredentials(...).
- The WcmSignInPolicy.setCredentials( ) method does the following:
  - Constructs and returns a WcmServerCredentials object
    (createServerCredentials). WcmServerCredentials maintains
    credentials required for access to the Content Java™ API and the
    Process Java API. In the construction of this object, a session is
    created.
  - Configures WcmServerCredentials object with Process Engine and
    guest user information (configureServerCredentials) -- if any were
    previously set by the administrator in the bootstrap and site
    preferences pages.
  - Calculates the destination JavaServer Pages (JSP) page (getDestinationPage). If the
    Application Engine has not been previously configured and the user
    is a member of the Content Engine's Application Engine
    Administrators group, then the bootstrap page is returned (if the
    user is not an administrator, FileNet P8 Workplace access is
    denied). Otherwise, the requested JSP page is returned; if no JSP
    page was requested, then the configured home page in the site
    preferences is returned.
- WcmSignInPolicy returns the destination page to
WcmSignInProcessor.signInLocal(...).

signInRemote Method
The steps and diagram below summarize how credentials are set for an
SSL-enabled session in an application configured to use the 2.x Toolkit
sign-in behavior.
- WcmSignInProcess.signInRemote(...) is called.
- The signInRemote(...) method calls
WcmCredentialsServlet.getCredentialsRequestURL(...), a static utility
method that constructs a URL to access the credentials servlet.
The method sets the credentials remotely or locally, depending on
whether the SSL-enabled server is local or remote. If the server is
local, the method calls into WcmServerCredentials.getSessionToken, a
static method that returns a user token, which is included in the URL.
- WcmCredentialsServlet.getCredentialsRequestURL(...) returns the URL.
- The returned URL is passed to
WcmHTTPUtil.sendHTTPCredentialsRequest(...), which performs a post
request based on the URL string.
- The sendHTTPCredentialsRequest method returns the status of the
operation.

Creating a New Implementation
The following steps show you how to implement a sign-in policy and a
user-token policy in one class, as the Toolkit's default sign-in policy is
implemented. However, note that implementing the two interfaces in one
class is not a requirement.
This implementation may be used when Workplace employs either application-managed or container-managed authentication.
- Implement the following methods in WcmSignInPolicyInterface:
  - doSignIn(request, response) (application-managed authentication only)
    - Initiates the process of collecting credentials.
    - Calls to doSignIn should eventually result in
      setCredentials(...) being called.
    - Can involve UI entry of credentials, or retrieve credentials
      from some persistence mechanism.
    - Redirects to a sign-in web page (such as an SSL server).
    - Queries a single sign-in service.
    - Uses Challenge/Response protocol.
  - isSignedIn()
    - Returns true if required credentials are present in the user
      JSP session.
    - Default implementation behavior is to store a credentials
      object, WcmServerCredentials, in the data store
      (controller.getDataStore()).
  - setCredentials(user, password, extraParameters)
    - Sets credentials in the user JSP session.
    - Validates collected credentials against server(s).
    - Successful call should result in isSignedIn() returning
      "true".
- If you're using ConfigurableController, set the signInPolicy
  option in Workplace/WEB-INF/p8controller.xml.
  OR
  If you're implementing your own application controller based on the
  abstract WcmController class, override the getSignInPolicy( ) method.
  This is a singleton factory method, implemented in WcmController. For example:
    public WcmSignInPolicyInterface getSignInPolicy() throws Exception
    {
        // Singleton factory: construct the policy once, on first use.
        if ( signInPolicy == null )
        {
            String guestUser = null;
            WcmSSLInfo ssl = new WcmSSLInfo(bootstrap.getSSLInfo(), dataStore);
            // Pass a guest user only when the bootstrap settings allow guest access.
            if ( bootstrap.getAllowGuest() )
                guestUser = bootstrap.getGuestUser();
            signInPolicy = new WcmSignInPolicy(
                this, ssl.getProtocol(), ssl.getSslHostDecoded(), guestUser, null,
                (isBootstrapRequired() ? getBootstrapPage() : null) );
        }
        return( signInPolicy );
    }
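
The setCredentials(...) / isSignedIn() contract from step 1, as an added sketch that is not Toolkit code. SignInPolicy is a hypothetical stand-in for WcmSignInPolicyInterface with simplified signatures, a Map stands in for controller.getDataStore(), CredentialValidator stands in for the Content Engine check, and doSignIn is omitted because it needs the servlet request and response.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;

public class SignInPolicySketch {
    // Hypothetical stand-in for WcmSignInPolicyInterface; the real signatures may differ.
    interface SignInPolicy {
        boolean isSignedIn();
        void setCredentials(String user, char[] password, Map<String, String> extra) throws Exception;
    }

    // Hypothetical stand-in for the credential check against the Content Engine.
    interface CredentialValidator { boolean validate(String user, char[] password); }

    static class SessionSignInPolicy implements SignInPolicy {
        private static final String KEY = "credentials";  // assumed data-store key
        private final Map<String, Object> dataStore;       // stands in for controller.getDataStore()
        private final CredentialValidator validator;

        SessionSignInPolicy(Map<String, Object> dataStore, CredentialValidator validator) {
            this.dataStore = dataStore;
            this.validator = validator;
        }

        public boolean isSignedIn() { return dataStore.get(KEY) != null; }

        public void setCredentials(String user, char[] password, Map<String, String> extra) throws Exception {
            // Drop earlier credentials before validating, so a failed attempt
            // never leaves the session signed in as the previous user.
            dataStore.remove(KEY);
            if (user == null || user.isEmpty() || password == null || !validator.validate(user, password)) {
                throw new Exception("Sign-in failed");  // same message for every failure cause
            }
            dataStore.put(KEY, user);  // the default policy stores a WcmServerCredentials object instead
        }
    }

    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<>();
        // Constructed validator that accepts a single made-up account.
        CredentialValidator v = (u, p) -> u.equals("alice") && Arrays.equals(p, "correct-horse".toCharArray());
        SessionSignInPolicy policy = new SessionSignInPolicy(session, v);
        try { policy.setCredentials("alice", "correct-horse".toCharArray(), null); } catch (Exception e) { /* not expected */ }
        System.out.println("after valid sign-in:  isSignedIn=" + policy.isSignedIn());
        try { policy.setCredentials("alice", "wrong".toCharArray(), null); } catch (Exception e) { /* expected */ }
        System.out.println("after failed sign-in: isSignedIn=" + policy.isSignedIn());
    }
}
```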
See Also
ConfigurableController Preferences
Implementing a Controller
User Tokens in the Workplace Customization Guide