FileNet P8 Application Engine, Version 5.0.+    Application server: WebSphere Application Server

Editing web.xml for SSO

You can use SSO with a proxy server in your Application Engine environment. To enable this optional approach, edit the web.xml file on the WebSphere® Application Server.

  1. Make a backup copy of web.xml.

    AE_install_path/Workplace/WEB-INF/web.xml

  2. Open web.xml for editing, search for the parameter challengeProxyEnabled, and set it to false.
    <param-name>challengeProxyEnabled</param-name>
    <param-value>false</param-value>
  3. Search for the first instance of <web-resource-collection>, and uncomment the <url-pattern> as noted in the file comments.
    <web-resource-collection>
    <web-resource-name>action</web-resource-name>
    <description>Define the container secured resource</description>
    <url-pattern>/containerSecured/*</url-pattern>
    
    <!--
    Uncomment this section if all resources that require credentials must be 
    secured in order to obtain a secured Thread. If using WebSphere, this section 
    must be uncommented.
    -->   Move this commenting tag here from just before the
          </web-resource-collection> closing tag below.
    
    <url-pattern>/containerSecured/*</url-pattern>
    <url-pattern>/</url-pattern>
    <url-pattern>/author/*</url-pattern>
    <url-pattern>/Browse.jsp</url-pattern>
    <url-pattern>/eprocess/*</url-pattern>
    <url-pattern>/Favorites.jsp</url-pattern>
    <url-pattern>/GetPortalSitePreferences.jsp</url-pattern>
    <url-pattern>/GetTokenSignIn.jsp</url-pattern>
    <url-pattern>/GetUserInformation.jsp</url-pattern>
    <url-pattern>/GetUserToken.jsp</url-pattern>
    <url-pattern>/HomePage.jsp</url-pattern>
    <url-pattern>/IntegrationWebBasedHelp.jsp</url-pattern>
    <url-pattern>/is/*</url-pattern>
    <url-pattern>/operations/*</url-pattern>
    <url-pattern>/properties/*</url-pattern>
    <url-pattern>/redirect/*</url-pattern>
    <url-pattern>/regions/*</url-pattern>
    <url-pattern>/Search.jsp</url-pattern>
    <url-pattern>/select/*</url-pattern>
    <url-pattern>/SelectReturn.jsp</url-pattern>
    <url-pattern>/Tasks.jsp</url-pattern>
    <url-pattern>/UI-INF/*</url-pattern>
    <url-pattern>/utils/*</url-pattern>
    <url-pattern>/WcmAdmin.jsp</url-pattern>
    <url-pattern>/WcmAuthor.jsp</url-pattern>
    <url-pattern>/WcmBootstrap.jsp</url-pattern>
    <url-pattern>/WcmCloseWindow.jsp</url-pattern>
    <url-pattern>/WcmDefault.jsp</url-pattern>
    <url-pattern>/WcmError.jsp</url-pattern>
    <url-pattern>/WcmJavaViewer.jsp</url-pattern>
    <url-pattern>/WcmObjectBookmark.jsp</url-pattern>
    <url-pattern>/WcmQueueBookmark.jsp</url-pattern>
    <url-pattern>/WcmSignIn.jsp</url-pattern>
    <url-pattern>/WcmSitePreferences.jsp</url-pattern>
    <url-pattern>/WcmUserPreferences.jsp</url-pattern>
    <url-pattern>/WcmWorkflowsBookmark.jsp</url-pattern>
    <url-pattern>/wizards/*</url-pattern>
    <url-pattern>/Author/*</url-pattern>
    <url-pattern>/axis/*.jws</url-pattern>
    <url-pattern>/Browse/*</url-pattern>
    <url-pattern>/ceTunnel</url-pattern>
    <url-pattern>/CheckoutList/*</url-pattern>
    <url-pattern>/downloadMultiTransferElement/*</url-pattern>
    <url-pattern>/ExternalUrl/*</url-pattern>
    <url-pattern>/findRecordTarget</url-pattern>
    <url-pattern>/formCallback/*</url-pattern>
    <url-pattern>/getAnnotSecurity/*</url-pattern>
    <url-pattern>/getCEAnnotations/*</url-pattern>
    <url-pattern>/getContent/*</url-pattern>
    <url-pattern>/getForm/*</url-pattern>
    <url-pattern>/getISAnnotations/*</url-pattern>
    <url-pattern>/getISAnnotSecurity/*</url-pattern>
    <url-pattern>/getISContent/*</url-pattern>
    <url-pattern>/getMultiContent/*</url-pattern>
    <url-pattern>/getPreview</url-pattern>
    <url-pattern>/getProcessor/*</url-pattern>
    <url-pattern>/getRealms/*</url-pattern>
    <url-pattern>/getUsersGroups/*</url-pattern>
    <url-pattern>/Inbox/*</url-pattern>
    <url-pattern>/integrationCommandProxy</url-pattern>
    <url-pattern>/integrationResponse</url-pattern>
    <url-pattern>/integrationResponseProxy</url-pattern>
    <url-pattern>/integrationWebBasedCommand</url-pattern>
    <url-pattern>/keepAlive</url-pattern>
    <url-pattern>/launch/*</url-pattern>
    <url-pattern>/PublicQueue/*</url-pattern>
    <url-pattern>/putContent/*</url-pattern>
    <url-pattern>/QuickSearch/*</url-pattern>
    <url-pattern>/signingServlet/*</url-pattern>
    <url-pattern>/transport/*</url-pattern>
    <url-pattern>/upload/*</url-pattern>
    <url-pattern>/vwsimsoapservlet</url-pattern>
    <url-pattern>/vwsoaprouter</url-pattern>
    <url-pattern>/Workflows/*</url-pattern>
    Move the closing comment tag from here to the location indicated at the beginning of this example.
    </web-resource-collection>
  4. Locate the <auth-constraint> section, and comment out the wildcard (*) <role-name> as noted in the file comments.
    <auth-constraint>
    <!-- <role-name>*</role-name> -->
    <!-- For WebSphere 6, use
    the role-name line below instead of the wildcard role above.
    -->
    
    <role-name>All Authenticated</role-name>
    
    <!-- For WebSphere 6, add this
    security-role element below the login-config element (below).
     <security-role>
    <description>All Authenticated</description>
    <role-name>All Authenticated</role-name>
     </security-role>
    -->
    </auth-constraint>
  5. Locate the end of the </login-config> element, and add the All Authenticated <security-role> element after the closing tag.
    <security-role>
    <description>All Authenticated</description>
    <role-name>All Authenticated</role-name>
    </security-role>
  6. Search for the first instance of a <security-constraint> tag, and add the following <security-constraint> tag before that tag.
    Important: Enter the information below as single lines without line breaks.
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>action</web-resource-name>
    <description>Define the non-secured resource</description>
    <url-pattern>/P8BPMWSBroker/*</url-pattern>
    </web-resource-collection>
    </security-constraint>
  7. At the end of web.xml, comment out the <login-config> element.
    <!--
    <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>AE Workplace</realm-name>
    <form-login-config>
    <form-login-page>/ContainerLogin.jsp</form-login-page>
    <form-error-page>/ContainerError.jsp</form-error-page>
    </form-login-config>
    </login-config>
    -->
  8. As needed, set the ssoProxyContextPath, ssoProxyHost, ssoProxyPort, and ssoProxySSLPort.

    These parameter values are used to modify one or more elements of the native URL that Workplace sees on a request. Wherever the value of an SSO proxy host element in the URL request is different from the equivalent information for the host where Workplace is deployed, you must set the corresponding SSO <proxy host element> parameter for that element in the URL to the value for the SSO proxy host.

    <init-param>
    <param-name>ssoProxyContextPath</param-name>
    <param-value></param-value>
    </init-param>
    <init-param>
    <param-name>ssoProxyHost</param-name>
    <param-value></param-value>
    </init-param>
    <init-param>
    <param-name>ssoProxyPort</param-name>
    <param-value></param-value>
    </init-param>
    <init-param>
    <param-name>ssoProxySSLPort</param-name>
    <param-value></param-value>
    </init-param>
    In general, the <init-param> parameters must be configured as follows:

    ssoProxyContextPath
        Set the value to the context path of the SSO proxy host URL. This is the path portion of the URL that appears after the server name, and which represents top-level access to the Workplace application.
        For example, if the Workplace deployment host URL is http://deploy_server:2809/Workplace and the SSO proxy host URL is http://sso_proxy_server.domain.com/fn/Workplace, then use the following setting:
        <param-name>ssoProxyContextPath</param-name>
        <param-value>/Workplace</param-value>

    ssoProxyHost
        Set the value to the SSO proxy host server name. Typically, this is a full domain-qualified host name.
        For example, if the host URL where Workplace is deployed is http://deploy_server/Workplace and the corresponding SSO proxy host URL is http://sso_proxy_server/Workplace, then use the following setting:
        <param-name>ssoProxyHost</param-name>
        <param-value>sso_proxy_server</param-value>

    ssoProxyPort
        Set the value to the http port on the SSO proxy host.
        For example:
        <param-name>ssoProxyPort</param-name>
        <param-value>80</param-value>

    ssoProxySSLPort
        Set the value to the https port on the SSO proxy host, if defined or used to access Workplace pages.
        For example:
        <param-name>ssoProxySSLPort</param-name>
        <param-value>443</param-value>
  9. Save your changes to web.xml and close the file.
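
An added example, not part of the IBM procedure: a Python check that parses an edited web.xml and reports which of steps 2 through 7 are not reflected in the effective configuration, that is, in what remains once XML comments are ignored. The function name check_sso_web_xml and the shortened sample document are constructed for illustration.

```python
import xml.etree.ElementTree as ET

def _local(e):
    return e.tag.rsplit("}", 1)[-1]  # ignore an XML namespace, if any

def _texts(elem, name):
    return [(e.text or "").strip() for e in elem.iter() if _local(e) == name]

def check_sso_web_xml(xml_text):
    """Return findings for steps 2-7; an empty list means they look applied."""
    root = ET.fromstring(xml_text)  # comments are dropped: commented-out XML counts as absent
    findings, params = [], {}
    for e in root.iter():
        kv = {_local(c): (c.text or "").strip() for c in e}
        if "param-name" in kv:
            params[kv["param-name"]] = kv.get("param-value", "")
    if params.get("challengeProxyEnabled", "").lower() != "false":
        findings.append("step 2: challengeProxyEnabled is not false")
    constraints = [c for c in root if _local(c) == "security-constraint"]
    secured = [c for c in constraints if "/containerSecured/*" in _texts(c, "url-pattern")]
    # /WcmSignIn.jsp is one sentinel from the page's list; extend to the full list as needed.
    if not secured or "/WcmSignIn.jsp" not in _texts(secured[0], "url-pattern"):
        findings.append("step 3: url-pattern list is still commented out")
    roles = _texts(secured[0], "role-name") if secured else []
    if "*" in roles or "All Authenticated" not in roles:
        findings.append("step 4: auth-constraint does not use All Authenticated only")
    declared = [r for r in root if _local(r) == "security-role"]
    if not any("All Authenticated" in _texts(r, "role-name") for r in declared):
        findings.append("step 5: security-role All Authenticated is missing")
    if not any("/P8BPMWSBroker/*" in _texts(c, "url-pattern")
               and not _texts(c, "auth-constraint") for c in constraints[:1]):
        findings.append("step 6: unsecured /P8BPMWSBroker/* constraint is not first")
    if _texts(root, "login-config"):
        findings.append("step 7: login-config is still active")
    return findings

# Constructed, shortened stand-in for an edited web.xml; the <filter> placement is an assumption.
SAMPLE = """<web-app>
 <filter><init-param><param-name>challengeProxyEnabled</param-name><param-value>false</param-value></init-param></filter>
 <security-constraint><web-resource-collection><web-resource-name>action</web-resource-name>
  <url-pattern>/P8BPMWSBroker/*</url-pattern></web-resource-collection></security-constraint>
 <security-constraint><web-resource-collection><web-resource-name>action</web-resource-name>
  <url-pattern>/containerSecured/*</url-pattern><url-pattern>/WcmSignIn.jsp</url-pattern></web-resource-collection>
  <auth-constraint><role-name>All Authenticated</role-name></auth-constraint></security-constraint>
 <!-- <login-config><auth-method>FORM</auth-method></login-config> -->
 <security-role><role-name>All Authenticated</role-name></security-role>
</web-app>"""

if __name__ == "__main__":
    print(check_sso_web_xml(SAMPLE) or "steps 2-7 look applied")
```

Run it against the saved file by passing the file's contents to check_sso_web_xml; a parse error at this point usually means a comment tag was moved to the wrong place in step 3 or step 7.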



Last updated: November 2010


© Copyright IBM Corporation 2010.