If you use a third-party authentication solution with IBM® BPM Advanced, you can specify a list of headers and cookies that the federated REST API must propagate.
Procedure
If you use IBM BPM Advanced, configure the header and cookie propagation settings for the federated REST API. If you want all headers and cookies to be forwarded, you can skip this step because that is the default behavior.
Important: The deny and allow rules are defined by Java™ regular expressions. The strings "" and ".*" match all headers and cookies. For both headers and cookies, the deny rule is evaluated before the allow rule, so a header or cookie that matches both the deny rule and the allow rule is forwarded.
- Connect to the wsadmin client:
wsadmin.bat -conntype NONE -lang jython
wsadmin.sh -conntype NONE -lang jython
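- Get and display the BPMDispatchConfiguration object. The cellName variable must contain the name of your cell, and the path must be entered as a single line:
wsadmin>path='/Cell:%s/BPMFederationConfiguration:/BPMApiFederation:/BPMApiDomain:default/BPMDispatchConfiguration:/' % cellName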
wsadmin>dc=AdminConfig.getid(path)
wsadmin>dc
- Set the values of the denyForwardHttpHeader and denyForwardHttpCookie attributes to deny the forwarding of all headers and cookies:
wsadmin>AdminConfig.modify(dc,[['denyForwardHttpHeader','.*']])
wsadmin>AdminConfig.modify(dc,[['denyForwardHttpCookie','.*']])
wsadmin>AdminConfig.save()
- Set the values of the allowForwardHttpHeader and allowForwardHttpCookie attributes to forward only the specified headers and cookies. For example, if you use CA SiteMinder, enter the following commands, keeping each regular expression on a single line:
wsadmin>AdminConfig.modify(dc,[['allowForwardHttpHeader','SM_TRANSACTIONID|SM_SDOMAIN|SM_AUTHTYPE|SM_USER|SM_USERDN|SM_SERVERSESSIONID|SM_SERVERSESSIONSPEC|SM_TIMETOEXPIRE|SM_SERVERIDENTITYSPEC']])
wsadmin>AdminConfig.modify(dc,[['allowForwardHttpCookie','SMSESSION']])
wsadmin>AdminConfig.save()
For information about the header and cookie names that are used by other third-party authentication products, see the documentation for those products.
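The deny-then-allow evaluation described in the Important note, as an added example in stand-alone Python (not IBM code and not run inside wsadmin): it previews which names a deny/allow pair would forward. It assumes that a rule must match the whole name and that Python's `re` behaves like Java regular expressions for these simple patterns; the sample request names and the helper functions are constructed for illustration.

```python
import re

# Allow rule for headers, copied from the SiteMinder example on this page.
SM_HEADER_ALLOW = ("SM_TRANSACTIONID|SM_SDOMAIN|SM_AUTHTYPE|SM_USER|SM_USERDN|"
                   "SM_SERVERSESSIONID|SM_SERVERSESSIONSPEC|SM_TIMETOEXPIRE|"
                   "SM_SERVERIDENTITYSPEC")

# Constructed sample names, as they might arrive on one request.
SAMPLE_HEADERS = ["SM_USER", "SM_USERDN", "SM_SERVERSESSIONID",
                  "Authorization", "X-Internal-Debug"]
SAMPLE_COOKIES = ["SMSESSION", "JSESSIONID", "LtpaToken2"]


def rule_matches(rule, name):
    """True if `name` matches `rule`. "" matches everything, as the page
    states; otherwise the whole name must match (assumption)."""
    if rule == "":
        return True
    return re.fullmatch(rule, name) is not None


def is_forwarded(name, deny, allow):
    """Deny is evaluated first; a denied name is still forwarded when the
    allow rule also matches it."""
    if not rule_matches(deny, name):
        return True
    return rule_matches(allow, name)


def preview(names, deny, allow):
    """Split `names` into (forwarded, dropped) for one deny/allow pair."""
    forwarded = [n for n in names if is_forwarded(n, deny, allow)]
    dropped = [n for n in names if n not in forwarded]
    return forwarded, dropped


if __name__ == "__main__":
    for label, names, deny, allow in [
        ("headers", SAMPLE_HEADERS, ".*", SM_HEADER_ALLOW),
        ("cookies", SAMPLE_COOKIES, ".*", "SMSESSION"),
        ("empty", SAMPLE_HEADERS, "", ""),
    ]:
        forwarded, dropped = preview(names, deny, allow)
        print("%-8s forwarded=%s dropped=%s" % (label, forwarded, dropped))
```

A name such as Authorization appearing in the forwarded list is the cue to tighten the rules before running AdminConfig.save().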