IBM Security Access Manager for Web, Version 7.0

Submitting login form data directly to WebSEAL

About this task

It is possible to perform forms (or token) authentication to WebSEAL without being prompted by WebSEAL.

The following sequence describes the events that occur during a typical WebSEAL login where the user is prompted by WebSEAL with a login form:

Procedure

  1. The user requests a protected resource.
  2. WebSEAL caches the user's request.
  3. WebSEAL returns a login form to the user.
  4. The user fills in the login form fields (providing the user name and password) and clicks a submit button.
  5. The submit button triggers a POST request to /pkmslogin.form. The request body contains the form field data.
    Note: The pkmslogin.form management page is a management command to the WebSEAL server. It is not represented in the object space and you cannot attach policies to it.
  6. WebSEAL authenticates the user and, upon successful authentication, follows an order of precedence for redirecting the user to one of the following three locations:
    1. The location specified by the login-redirect-page entry in the [acnt-mgt] stanza, if configured. See Automatic redirection after authentication.
    2. The user's originally requested resource (if known).
    3. The generic login_success.html page. See Static HTML server response pages.

Results

Some application integration implementations might require logging in directly, without making an initial request for a protected resource or being prompted by WebSEAL to log in. Such a direct login can be accomplished with a POST request sent directly to /pkmslogin.form.

The following sequence describes the events that occur during a direct login:

  1. The client sends a POST request to /pkmslogin.form with the proper form field data in the body of the request.
  2. WebSEAL authenticates the user and, upon successful authentication, follows an order of precedence for redirecting the user to one of the following two locations (there is no cached original request to return to):
    1. The location specified by the login-redirect-page entry in the [acnt-mgt] stanza, if configured. See Automatic redirection after authentication.
    2. The generic login_success.html page. See Static HTML server response pages.

The format of the POST data must follow these conventions: the request is a POST to /pkmslogin.form; the body is form-encoded (application/x-www-form-urlencoded) and carries the username, password and login-form-type fields; login-form-type=pwd selects forms (password) authentication, as in the example below. Any '&', '=' or '%' characters in a field value must be percent-encoded, and the content-length header must equal the length of the encoded body in bytes (56 in the example).

Example (using telnet; note that a connection to port 80 sends the password in cleartext, so in production send the request to the TLS-protected WebSEAL port):

prompt> telnet webseal.example.com 80
Connected to webseal.example.com.
Escape character is '^]'.
POST /pkmslogin.form HTTP/1.1
host: webseal.example.com
content-length: 56

username=testuser&password=my0passwd&login-form-type=pwd
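As an added worked example (not IBM's code and not taken from this page), the following Python script builds the same POST as the telnet transcript, computes content-length from the encoded body, percent-encodes passwords that contain '&', '=' or '%', sends the request over TLS rather than port 80, and classifies WebSEAL's first response against the two success outcomes listed above. The host name, the Content-Type header (standard practice for a form POST, not stated on this page), the session-cookie handling and the treatment of non-success responses are assumptions; WebSEAL's exact response to a failed direct login is not described on this page.

```python
"""Direct login to WebSEAL by POSTing to /pkmslogin.form.

Added example, not IBM code. It relies only on what the page states:
a POST to /pkmslogin.form whose form-encoded body carries the
username, password and login-form-type fields, answered on success by
a redirect to login-redirect-page or by the generic login_success.html page.
"""
import http.client
import ssl
from urllib.parse import urlencode

LOGIN_PATH = "/pkmslogin.form"
FORM_CONTENT_TYPE = "application/x-www-form-urlencoded"  # assumption: standard form POST


def build_login_body(username, password, login_form_type="pwd"):
    """Return the form-encoded body for a forms (pwd) login.

    urlencode percent-escapes '&', '=', '%', spaces and non-ASCII bytes, so a
    password such as 'p&ss=w%rd' cannot be read as extra form fields, and the
    encoded length is the correct Content-Length.
    """
    return urlencode([("username", username),
                      ("password", password),
                      ("login-form-type", login_form_type)])


def build_raw_request(host, username, password):
    """Return the exact bytes a raw client (telnet, openssl s_client) would send.

    Content-Length is computed from the encoded body; for testuser/my0passwd
    it comes out as the content-length: 56 of the telnet transcript.
    """
    body = build_login_body(username, password).encode("utf-8")
    head = ("POST %s HTTP/1.1\r\n"
            "Host: %s\r\n"
            "Content-Type: %s\r\n"
            "Content-Length: %d\r\n"
            "Connection: close\r\n"
            "\r\n" % (LOGIN_PATH, host, FORM_CONTENT_TYPE, len(body)))
    return head.encode("ascii") + body


def interpret_login_response(status, headers):
    """Classify WebSEAL's first response without following redirects.

    headers is a list of (name, value) pairs as returned by
    HTTPResponse.getheaders(). Outcomes:
      redirected  - 3xx with Location: the login-redirect-page redirect.
      page_served - 200: the generic login_success.html page is the success
                    case; assumption: a failed login may also come back as
                    200 (e.g. the login form again), so the caller must check
                    the body before treating this as success (ok=None).
      error       - anything else.
    Set-Cookie values are collected so the caller can replay the session
    cookie(s) on later requests; the cookie name is configuration-dependent.
    """
    location = next((v for k, v in headers if k.lower() == "location"), None)
    cookies = [v for k, v in headers if k.lower() == "set-cookie"]
    if status in (301, 302, 303, 307, 308) and location:
        return {"ok": True, "outcome": "redirected", "location": location, "cookies": cookies}
    if status == 200:
        return {"ok": None, "outcome": "page_served", "location": None, "cookies": cookies}
    return {"ok": False, "outcome": "error", "location": None, "cookies": cookies}


def direct_login(host, username, password, port=443, context=None):
    """Send the direct-login POST over TLS and return the classified response.

    Always use the TLS listener: the telnet transcript on port 80 sends the
    password in cleartext. The default context verifies the server certificate.
    """
    body = build_login_body(username, password).encode("utf-8")
    ctx = context or ssl.create_default_context()
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    try:
        # http.client adds Content-Length from the bytes body automatically.
        conn.request("POST", LOGIN_PATH, body=body,
                     headers={"Content-Type": FORM_CONTENT_TYPE})
        resp = conn.getresponse()
        resp.read()  # drain the body so the connection closes cleanly
        return interpret_login_response(resp.status, resp.getheaders())
    finally:
        conn.close()


if __name__ == "__main__":
    # Print the raw request for a hypothetical host; no network access needed.
    print(build_raw_request("webseal.example.com", "testuser", "my0passwd").decode())
```

Running the script prints the raw request, which can be compared byte for byte with the telnet transcript; calling direct_login("webseal.example.com", "testuser", "my0passwd") performs the login against a real (hypothetical here) WebSEAL over TLS and returns the redirect target and any Set-Cookie values to replay on the next request.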
