FileNet P8 Application Engine, Version 5.2.1            

Workplace application

Workplace is a user web application that provides access to the document management and business process management capabilities of FileNet® P8. Workplace also supports extended FileNet P8 capabilities such as forms management, records management, and portals.

Workplace is one example of a Java-based thin client solution, as described in the section Browser-based clients of Java EE™ application servers. Most of the considerations that are discussed in that section apply to the Workplace application.

Workplace is built using the Web Application Toolkit, and runs within a web container on a Java EE application server, positioning it well to participate in the JAAS-based authentication framework of FileNet P8. The Web Application Toolkit is an extensible framework for building web applications. Programmers can use the toolkit to customize Workplace functionality or to build customized web applications.

The following topics discuss how each of the high-level authentication options discussed in Browser-based clients of Java EE application servers applies to the Workplace application.

Application-managed authentication

Application-managed authentication (the mode supported by earlier versions of Workplace) is essentially forms-based authentication, except that the Workplace application itself redirects unauthenticated user requests to a login page and encodes the credentials supplied to that page in the user's Java™Server Pages (JSP) session. This mode supports only user name and password credentials. The credentials that are collected from the Application Engine custom login page are used to programmatically perform a JAAS login. This mode is still the current default behavior of Workplace.

Container-managed authentication

In this mode, the application does not control the authentication process. The deployment descriptor for the application specifies the security constraints required to access application pages.

The deployment descriptor specifies the authentication method that should be used. The following standard methods that are defined by the Servlet specification are supported:

  • Forms-Based Authentication: The container redirects the user to an HTML page, where the user's credentials are collected.
  • Basic Authentication: The container uses standard HTTP options to direct the user's browser to prompt for user name and password credentials.
  • HTTPS Client Authentication: This mechanism requires each user to have its own Public Key Certificate (PKC), and requires the use of an HTTPS (SSL) connection between the client and the server.

Perimeter authentication

This option is how most SSO products integrate with a Java EE application server. Client browsers running Workplace are redirected to a proxy server that authenticates the caller and places a token in an HTTP header for them. When the request reaches the server, the container extracts the credentials and invokes SSO provider software that performs a JAAS login using them. This is known as perimeter authentication because the actual authentication occurs outside of the container: clients are already authenticated before their servlet requests arrive at the server. See JAVA-based client authentication and the examples in Single sign-on integrations via JAAS for more information.

Perimeter authentication lets Workplace leverage standard integrations between the application server vendors and the SSO technology vendors.

Restriction: Support for SSO in Workplace is limited to two specific combinations that FileNet P8 has qualified, as discussed in Single sign-on integrations via JAAS. If you are implementing SSO in an IBM Tivoli Access Manager WebSEAL 6.0 environment, you must configure WebSEAL for transparent junctions. For more information, see your IBM product documentation.


Last updated: October 2015

© Copyright IBM Corporation 2015.