Component Authentication Example

Requirements

The requirements for Java™ Authentication and Authorization Service (JAAS) authentication of components are:

1. An implementation of the JAAS LoginModule class.
2. A JAR file containing your custom Java class (component) and your LoginModule class implementation.
3. A JAAS login configuration file. This file contains a section (a LoginContext section) for your component that specifies your LoginModule class implementation and the associated login configuration context. The following entries must appear in this section:
   • Because Component Manager uses the Web services transport by default, the following FileNetP8 stanza is required for authentication on the Content Engine:

         FileNetP8
             {
                 com.filenet.api.util.WSILoginModule required debug=false;
             };

     Refer to the sample Content Engine JAAS configuration files located on the Content Engine host in the filenet_installation_directory\CE_API\config\samples directory.

   • The following entry is required in the JAAS stanza (not the FileNetP8 stanza) for the Content Engine to get a VWSession:

         filenet.vw.server.VWLoginModule required;

4. When creating a component queue, the LoginContext section identifier you use must be entered as the Configuration Context value in the JAAS Credentials section of the Add Component Queue Wizard in the Process Configuration Console.

Example: The Content-Extended Operations Component

The Content-Extended Operations component (CE_Operations) is installed with the Process Engine for Content Engine and Content Manager operations. This component uses the following:

• An implementation of the JAAS LoginModule class named CELoginModule.
• A JAAS login configuration file named taskman.login.config (described below). This file is installed in fileNet_installation_directory/Router on your Application Engine server.

See CELoginModule for an HTML version of the source for this class. For links to Sun's related JAAS documentation, see the instructions for creating JAAS authentication modules.

A JAAS login configuration file must have a LoginContext section for the login configuration contexts that the LoginModule will use. For the CE_Operations component, the LoginContext section in the taskman.login.config file is named CELogin. This section identifies and locates the program module or modules that are used for logins by the CE_Operations component.

The CELogin section looks like this:

CELogin
{
    filenet.vw.server.VWLoginModule required routerurl="localhost:32771/vwrouter";      
    com.filenet.wcm.toolkit.server.operations.util.CELoginModule required credTag=Clear;
};

• The LoginModules referenced are the VWLoginModule for the Process Engine and the CELoginModule for the Content Engine.
• The "required" argument on each line is a flag specifying that VWLoginModule and CELoginModule will succeed only if the name and password specified by the user (in the JAAS Credentials section of the Add Component Queue Wizard) are authenticated by each LoginModule.
• The "routerurl" is no longer used, and will be ignored if present.
• The "credTag=Clear" key value is a session credential option defined in the CELoginModule class.

When creating a component queue, "CELogin" is entered as the Configuration Context value in the JAAS Credentials section of the Add A Component Queue Wizard in the Process Configuration Console. See Create a Component Queue for instructions.