Component Authentication Example

Requirements

The requirements for Java™ Authentication and Authorization Service (JAAS) authentication of components are:

1. An implementation of the JAAS LoginModule class.
2. A JAR file containing your custom Java class (component) and your LoginModule class implementation.
3. A JAAS login configuration file. This file contains a section (a LoginContext section) for your component that specifies your LoginModule class implementation and the associated login configuration context. The following entries must appear in this section:
   • Because Component Manager uses the Web services transport by default, the following FileNetP8 stanza is required for authentication on the Content Platform Engine:

         FileNetP8
             {
                 com.filenet.api.util.WSILoginModule required debug=false;
             };

     Refer to the sample JAAS configuration files located on the Content Platform Engine server host in the filenet_installation_directory\CE_API\config\samples directory.

   • The following entry is required in the JAAS stanza (not the FileNetP8 stanza) for the server to get a VWSession:

         filenet.vw.server.VWLoginModule required;

4. When you create a component queue, enter the LoginContext section identifier as the configuration context for the JAAS credentials. For information about creating component queues, see Creating component queues.

Example: The Content-Extended Operations Component

The Content-Extended Operations component (CE_Operations) is installed with the workflow system for Content Platform Engine and Content Manager operations. This component uses the following:

• An implementation of the JAAS LoginModule class named CELoginModule.
• A JAAS login configuration file named taskman.login.config (described in the following section). This file is installed in fileNet_installation_directory/Router directory on your Application Engine server.

See CELoginModule for an HTML version of the source for this class. For links to Sun's related JAAS documentation, see the instructions for creating JAAS authentication modules.

A JAAS login configuration file must have a LoginContext section for the login configuration contexts that the LoginModule uses. For the CE_Operations component, the LoginContext section in the taskman.login.config file is named CELogin. This section identifies and locates the program module or modules that are used for logins by the CE_Operations component.

The CELogin section looks like this:

CELogin
{
    filenet.vw.server.VWLoginModule required routerurl="localhost:32771/vwrouter";      
    com.filenet.wcm.toolkit.server.operations.util.CELoginModule required credTag=Clear;
};

• The LoginModules referenced are VWLoginModule for a Process Java API session and CELoginModule for a Content Engine Java API session.
• The "required" argument on each line is a flag specifying that VWLoginModule and CELoginModule will succeed only if the name and password that is specified by the user (in the JAAS Credentials section of the Add Component Queue Wizard) are authenticated by each LoginModule.
• The "routerurl" is no longer used, and is ignored if present.
• The "credTag=Clear" key value is a session credential option that is defined in the CELoginModule class.

When you create a component queue, enter "CELogin" as the configuration context value for the JAAS credentials.