Authentication is the act of verifying a user's identity based on credentials that the user provides. IBM® Content Navigator supports several different authentication configurations.
Before you configure and deploy IBM Content Navigator, you should determine whether you want:
- All users to be able to access the deployed IBM Content Navigator application
- Only users who have authenticated to the web application server where IBM Content Navigator is deployed to access the web application
The choice that you make determines the initial method by which users are authenticated. IBM Content Navigator supports two primary types of authentication:
- Application-managed authentication
If you want all users to be able to access the deployed IBM Content Navigator application, you can use application-managed authentication. With application-managed authentication, the web application server allows the IBM Content Navigator desktop to load without authenticating the user. The IBM Content Navigator desktop is responsible for the initial user authentication.
If you want to use application-managed authentication, select IBM Content Navigator desktop authentication when you configure and deploy IBM Content Navigator. When you select this option, the initial user authentication is performed by the repository that you specify as the authenticating repository.
Important: Users who access the desktop must be defined in the authenticating repository.
However, IBM Content Navigator attempts to authenticate with the application server before the authenticating repository in the following situations:
- When an administrator logs in to IBM Content Navigator
- When the authenticating repository is an IBM FileNet® P8 repository
- When the authenticating repository is an IBM Content Manager or IBM Content Manager OnDemand repository that is enabled for single sign-on
When a user selects a different repository from the desktop, IBM Content Navigator prompts the user for the user's credentials.
Tip: This is the default authentication method for IBM Content Navigator. (In IBM Content Navigator Version 2.0 and Version 2.0.1, application-managed authentication was the only alternative to SSO authentication.)
- Container-managed authentication
If you want only users who have authenticated to the web application server where IBM Content Navigator is deployed to access the web application, you can use container-managed authentication. With container-managed authentication, the web application server is responsible for the initial user authentication. Users' credentials are authenticated by the Java Platform, Enterprise Edition application server where IBM Content Navigator is deployed. The application server uses the Java Authentication and Authorization Service (JAAS) to authenticate users.
Application server authentication provides an extra layer of security for IBM Content Navigator because it prevents users who are not authenticated on the web application server from accessing the web client.
Container-managed authentication works best when users use the same credentials to log on to all of the repositories that they have access to in the web client. If users do not use the same credentials, IBM Content Navigator prompts the user for their credentials when they try to access other repositories in the desktop configuration.
If you want to use container-managed authentication, select one of the following options when you configure and deploy IBM Content Navigator:
- Application server authentication
When you select this option, the initial user authentication is performed by the web application server where IBM Content Navigator is deployed. You should configure application server authentication if one of the following situations applies to your environment:
- You want to use an LDAP server to authenticate users. The users must be defined in the LDAP server that is specified when you configure and deploy IBM Content Navigator. When an LDAP server is configured on the web application server, JAAS uses the LDAP server to authenticate users.
- You want to use a single sign-on (SSO) solution to authenticate users. You can configure your web application server to use SSO to authenticate web clients by using SPNEGO/Kerberos, CA SiteMinder, or IBM Tivoli® Access Manager for e-business. You can configure your web application server to use LTPA keys to authenticate trusted users if your IBM Content Manager library server is configured for trusted logon. You can configure your IBM Content Manager OnDemand server to accept LTPA keys from your web application server.
- Application server form-based authentication
WebSphere Application Server users only. When you select this option, the initial user authentication is performed by the web application server where IBM Content Navigator is deployed.
Form-based authentication enables you to create a single login point for multiple applications and web sites in your environment. For example, you can use form-based login to enable users to access the applications within your company intranet after they provide their credentials through the login form. This reduces the number of times that users must provide their credentials when accessing applications that are hosted within your intranet.
You should configure application server form-based authentication if you use a form to gather and send user credentials to your web application server. To use a form-based login, you must have the following JSP pages deployed in your environment:
- A login page
- A login error page
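As an added illustration of the Java EE contract behind container-managed, form-based authentication (this is a generic example written for this page, not IBM Content Navigator's own deployment descriptor or JSP pages), the following web.xml fragment declares FORM authentication with the two required pages and a security constraint, so that the container authenticates every request before the application sees it. The page paths /login.jsp and /loginError.jsp and the role name icn_users are assumed names; the login page's form must POST to j_security_check with the fields j_username and j_password, which is the servlet specification's fixed contract.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Generic Java EE deployment descriptor written as an example for this page; it is not
     IBM Content Navigator's own web.xml. Assumed names: role icn_users, pages /login.jsp
     and /loginError.jsp. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

  <!-- Protect every resource in the application: the container must authenticate the
       user before any application code runs. The container serves the configured login
       and error pages itself, so they remain reachable for unauthenticated users. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Entire application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- Map this role to the application server's authenticated users (or to an LDAP
           group) when you deploy the application. -->
      <role-name>icn_users</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- Credentials travel in the login form body; require TLS for the whole application. -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- FORM authentication: the container shows form-login-page for an unauthenticated
       request and form-error-page when a login attempt fails. The login page must POST
       to j_security_check with fields j_username and j_password. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/loginError.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>icn_users</role-name>
  </security-role>
</web-app>
```

With this descriptor, an unauthenticated request for any path is answered with the login page, a failed POST to j_security_check is answered with the error page, and a successful login establishes the application server session that the rest of this topic relies on. The contrast with application-managed authentication is the auth-constraint: without one, the container lets the desktop load for any caller and the application itself must perform the first authentication against the authenticating repository.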
Restriction: Regardless of the type of authentication that you specify when you deploy IBM Content Navigator, the web application server always authenticates IBM Content Navigator administrators. Administrators must be application server administrative users or directory service (LDAP) users.
Limiting access to desktops
As an additional measure of security, you can limit access to a desktop to a specific set of users and groups. The users and groups must be defined in the authenticating repository for the desktop.
There are several restrictions that apply if you limit access to the desktop:
- If you authenticate users against an IBM Content Manager OnDemand repository, the user and group names that you enter are not validated on the server. You must ensure that you enter the names correctly.
- If you authenticate users against an OASIS Content Management Interoperability Services repository, this option is not available.
If a user tries to access a desktop that they are not authorized to access, the desktop does not load and IBM Content Navigator displays a message that the user is not authorized to access the desktop.
Authorization
What an authenticated user can and cannot do is called authorization. After a user is authenticated, the user is authorized to carry out the actions that are described by the access rights that are associated with the objects the user is accessing. For example, a user might have access rights to check out a class of documents and edit them; however, the user is not authorized to delete those documents.
Security and user permissions must be set on and controlled by the repository. IBM Content Navigator can be used to provide a limited degree of restrictive control in the web client, but it is not a substitute for well-planned security on the repository. You can adjust users' authorization from IBM Content Navigator:
Restricting actions by using desktops and teamspaces
You can customize IBM Content Navigator desktops to hide certain actions from users. For example, you can create a desktop in which users have only view rights by removing actions such as Edit or Add from the menus in the desktop.
You can also use teamspaces to restrict the content that users see when they are in the teamspace.
When an item is added from within the teamspace, the item inherits the security settings from the teamspace. If an item is added to the repository, and then added to the teamspace, the item does not inherit the security settings from the teamspace. In addition, if a user adds a document or folder to a teamspace and selects an item type that has item-type level security, the item uses the security that is specified by the item type rather than the security settings of the teamspace.
Restricting actions by using desktops and teamspaces does not prevent users from taking actions or accessing content from another application or API. Desktops and teamspaces are not a replacement for file-level or folder-level security. To secure an object, the security administrator for the repository should use the security features of IBM Content Navigator to grant or deny specific access rights in accordance with the security model that is defined for the repository.