Authentication through forms

Edit online

Use this flow as an example to reduce 302 operations for forms authentication.

Assume that the following configuration entries have been set in the WebSEAL configuration file.


[eai]
eai-auth = https

[eai-trigger-urls]
trigger = /jct/cgi-bin/eai-post

[acnt-mgt]
enable-local-response-redirect = yes

[local-response-redirect]
local-response-redirect-uri = [login] /jct/cgi-bin/eai

The traditional flow is as follows:

The traditional flow.
Note: The /index.html file is just an example. It can be any document from WebSEAL or its junctions that require an authenticated session for access.

To configure WebSEAL to internally process 302 operations, first specify the maximum number of 302 operations it can sequentially follow. A value of 2 is suitable for typical scenarios:


[server]
maximum-followed-redirects = 2

Secondly, configure WebSEAL to process 302 redirects internally for any request that results in a Local Response Redirect with the following entry:


[server]
follow-redirects-for = !LRR!

This configuration avoids the initial Local Response Redirect 302 (shown at point 1).

Note: Ensure that the browser does not cache the form that is returned from the EAI against the resource that is being accessed (/index.html). Also, as the browser believes that the request for /index.html returned the form, all page-relative URLs in the form are relative to /index.html, not /jct/cgi-bin/eai.

Thirdly, set WebSEAL to process redirects internally for any request that would result in a 302 redirect back to the same URL that was originally requested (shown at point 2). To achieve this, add the following configuration entry:


[server]
follow-redirects-for = POST /jct/cgi-bin/eai-post*
Note: WebSEAL returns the content of /index.html for what the browser believes to be the resource /jct/cgi-bin/eai-post. All page-relative URLs in index.html or any other URLs that were intercepted by the authentication are relative to /jct/cgi-bin/eai-post from the browser's point of view. Thus do not use any page-relative URLs if you use this technique. To solve this issue, it might be necessary to not remove the second 302 (shown at point 2).

The final flow is shown as follows:

The final flow to reduce 302 operations.