FileNet P8 Platform, Version 5.2.1

Web Service extensible authentication framework

Username and Kerberos token profiles can be used to authenticate against FileNet® P8 Web services. These are the only two credential types built into FileNet P8 for use over the Web services transport.

For clients that must use the Web service transport but cannot make use of either of these two token types, FileNet P8 provides the Web Services Extensible Authentication Framework (WS-EAF). This framework consists of a set of conventions for writing a JAAS Login Module that interacts with the Content Platform Engine Web service listener to obtain the credentials present in the WS-Security header of an incoming request. The next figure illustrates this interaction:

Figure: Web Services Extensible Authentication Framework.

The numbered steps in the figure are as follows:

  1. A Content Platform Engine Web service client sends a request containing a custom set of credentials packaged in a WS-Security header.
  2. The request arrives at the Content Platform Engine Web service listener. The listener extracts the WS-Security headers and examines them. Because they do not contain one of the built-in FileNet P8 credential types, it invokes the FileNet P8 WS-EAF authentication mechanism: a JAAS CallbackHandler is created and seeded with the contents of the WS-Security header.
  3. A JAAS login is performed, specifying the FileNetP8Engine JAAS configuration and the CallbackHandler created in the previous step.
  4. The standard JAAS runtime looks up the login modules that are listed in the JAAS configuration file for the FileNetP8Engine stanza and invokes each of the listed Login Modules, passing in the CallbackHandler as a parameter.
  5. The custom WS-EAF JAAS Login Module instantiates one or more standard JAAS callbacks and passes these callbacks to the CallbackHandler's handle() method.
  6. For each callback that the Login Module has requested, the Content Platform Engine Web service CallbackHandler supplies the callback with the requested XML fragments from the incoming WS-Security header, so that the custom WS-EAF JAAS Login Module can retrieve them.
  7. The Login Module is now in possession of the WS-Security header information and uses it to perform its proprietary authentication process. If authentication succeeds, a JAAS Subject is populated and returned.
  8. The Content Platform Engine Web service listener now holds a valid JAAS Subject and can call the Content Platform Engine Web service, via the Content Platform Engine EJB, to handle the request.
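The shape of a custom WS-EAF Login Module for steps 5 through 7, as an added illustration that is not IBM's code: it asks the engine's CallbackHandler for a header fragment, verifies it, and commits a Principal to the Subject. Assumptions, all constructed for the example: the handler answers a standard TextInputCallback whose prompt names the WS-Security child element, the element is `<acme:CustomToken user="..." mac="..."/>`, and the "proprietary" check is an HMAC-SHA256 over the user name with a shared key.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import java.util.regex.*;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class CustomWsEafLoginModule implements LoginModule {
    // Constructed demo key; a real module would load it from protected configuration.
    private static final byte[] SHARED_KEY = "demo-shared-secret".getBytes(StandardCharsets.UTF_8);
    // Constructed token shape: <acme:CustomToken user="alice" mac="base64(HMAC-SHA256(user))"/>
    private static final Pattern TOKEN = Pattern.compile("<acme:CustomToken\\s+user=\"([^\"]+)\"\\s+mac=\"([^\"]+)\"");
    private Subject subject;
    private CallbackHandler handler;
    private Principal principal;  // set by login(), added to the Subject by commit()

    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        subject = s; handler = h;
    }

    public boolean login() throws LoginException {
        // Assumption: the engine's CallbackHandler answers a TextInputCallback whose prompt
        // names the WS-Security child element, returning that element's XML text (step 6).
        TextInputCallback cb = new TextInputCallback("acme:CustomToken");
        try { handler.handle(new Callback[] { cb }); }
        catch (Exception e) { throw new LoginException("cannot read WS-Security header: " + e); }
        String user = verifyToken(cb.getText());
        if (user == null) throw new LoginException("custom token missing or rejected");
        principal = () -> user;  // Principal has one abstract method, so a lambda suffices
        return true;
    }
    public boolean commit() { if (principal == null) return false; subject.getPrincipals().add(principal); return true; }
    public boolean abort() { principal = null; return true; }
    public boolean logout() { subject.getPrincipals().remove(principal); principal = null; return true; }

    /** Stand-in for the proprietary check: HMAC-SHA256 over the user name must match "mac". */
    static String verifyToken(String xml) {
        Matcher m = xml == null ? null : TOKEN.matcher(xml);
        if (m == null || !m.find()) return null;
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(SHARED_KEY, "HmacSHA256"));
            byte[] expected = mac.doFinal(m.group(1).getBytes(StandardCharsets.UTF_8));
            boolean ok = MessageDigest.isEqual(expected, Base64.getDecoder().decode(m.group(2)));
            return ok ? m.group(1) : null;  // constant-time comparison, reject on any parse error
        } catch (Exception e) { return null; }
    }
}
```

The module is wired in by listing its class name under the FileNetP8Engine stanza of the JAAS configuration (step 4); a module that throws from login() causes the listener to reject the request rather than proceed with an unpopulated Subject.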
Last updated: March 2016
p8psn045.htm

© Copyright IBM Corporation 2016.