Username and Kerberos token profiles can be used to authenticate
against FileNet® P8 Web services.
These are the only two credential types built into FileNet P8 for use over the Web services
transport.
For clients that must use the Web service transport but
cannot use either of these two token types, FileNet P8 provides a Web Services
Extensible Authentication Framework (WS-EAF). This framework is
a set of conventions for writing a JAAS Login Module that
can interact with the Content Platform Engine Web
service listener to obtain the credentials that are present in the
WS-Security header of an incoming request packet. The next figure
illustrates this interaction:

The following steps occur in this graphic:
- A Content Platform Engine Web
service client sends a request containing a custom set of credentials
packaged in a WS-Security header.
- The request arrives at the Content Platform Engine Web service listener.
The Web service listener extracts the WS-Security headers and examines
them. It sees that they do not contain one of the built-in FileNet P8 credential types, so it
invokes the FileNet P8 WS-EAF
authentication mechanism. A JAAS CallbackHandler is created and seeded
with the contents of the WS-Security header.
- A JAAS login is performed, specifying the FileNetP8Engine JAAS
configuration and the CallbackHandler created in the previous step.
- The standard JAAS runtime looks up the login modules that are
listed in the JAAS configuration file for the FileNetP8Engine stanza
and invokes each of the listed Login Modules, passing in the CallbackHandler
as a parameter.
- The custom WS-EAF JAAS Login Module instantiates one or more standard
JAAS callbacks and passes these callbacks to the CallbackHandler's
handle() method.
- For each callback that the client has requested, the Content Platform Engine Web service CallbackHandler
supplies the callback with the requested XML fragments from the incoming
WS-Security header, so that they can be retrieved by the custom
WS-EAF JAAS Login Module.
- The Login Module is now in possession of the WS-Security header
information, and is able to use this information to perform its proprietary
authentication process. If the authentication is successful, then
a JAAS Subject is populated and returned.
- The Content Platform Engine Web
service listener now has a valid JAAS Subject, and can call the Content Platform Engine Web service to handle
the request, via the Content Platform Engine EJB.
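
The Login Module side of the steps above, as an added Java example (not IBM or FileNet P8 code). The page does not say which callback type or prompt the listener's CallbackHandler honors, so the `TextInputCallback`, its prompt, the `<ExampleToken>` fragment format and the `hmacKey` module option are all assumptions made for illustration.

```java
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.xml.sax.InputSource;
// Added example, not FileNet P8 code. Assumed: TextInputCallback and its prompt,
// the <ExampleToken user=".." mac=".."/> fragment, and the "hmacKey" module option.
public class ExampleWsEafLoginModule implements LoginModule {
    private Subject subject; private CallbackHandler handler;
    private byte[] key; private java.security.Principal principal;
    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        subject = s; handler = h; Object k = opts.get("hmacKey");
        key = k == null ? null : k.toString().getBytes(StandardCharsets.UTF_8); // null key fails login
    }
    public boolean login() throws LoginException {
        try {
            // Hand a callback to the listener's CallbackHandler and read the fragment back.
            TextInputCallback cb = new TextInputCallback("ExampleToken");
            handler.handle(new Callback[] { cb });
            // The fragment is attacker-controlled: refuse DOCTYPE so XXE cannot be used.
            DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
            f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            Element t = f.newDocumentBuilder()
                .parse(new InputSource(new StringReader(cb.getText()))).getDocumentElement();
            String user = t.getAttribute("user");
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(key, "HmacSHA256"));
            byte[] want = mac.doFinal(user.getBytes(StandardCharsets.UTF_8));
            byte[] got = Base64.getDecoder().decode(t.getAttribute("mac"));
            // Constant-time compare; only a verified name may become a principal.
            if (user.isEmpty() || !MessageDigest.isEqual(want, got))
                throw new FailedLoginException("custom token rejected");
            principal = () -> user;
            return true;
        } catch (LoginException e) { throw e;
        } catch (Exception e) { throw new FailedLoginException("custom token unreadable"); } // fail closed
    }
    public boolean commit() { return principal != null && subject.getPrincipals().add(principal); }
    public boolean abort() { principal = null; return true; }
    public boolean logout() { if (principal != null) subject.getPrincipals().remove(principal); principal = null; return true; }
}
```

The constructed token format carries no expiry or nonce; a production token needs one so that a captured header cannot be replayed.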