Some details about J2EE Agent property com.sun.identity.agents.config.login.form

The J2EE Agent property com.sun.identity.agents.config.login.form is used when an application is protected by form-based J2EE policies defined in its web.xml.

The following is a snippet of the web.xml for an application "agentsample" using form based login:
    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>/authentication/login.html</form-login-page>
            <form-error-page>/authentication/accessdenied.html</form-error-page>
        </form-login-config>
    </login-config>

When a user request comes in for this application, the container first checks whether the user has been authenticated.
If not, the container sends the user the application login page /agentsample/authentication/login.html. The user enters credentials, and upon successful authentication (and/or authorization), the user is granted access.

Now suppose a J2EE agent is installed to protect the application, and we want to achieve Single Sign-On, meaning a user needs to authenticate only once, and only to the OpenSSO server. However, since the above form-based login is defined in web.xml, the user would have to log in at the application login page as well.

To avoid a user having to log in twice, the agent needs to prevent the user from being sent the application login page, i.e. in the above example /agentsample/authentication/login.html. For this, the agent needs to know the URIs for the form-based login of the applications.

The J2EE Agent property com.sun.identity.agents.config.login.form is used for this purpose. This is a list property, so you can specify more than one URI by using a numeric index:
com.sun.identity.agents.config.login.form[0]=/agentsample/authentication/login.html
com.sun.identity.agents.config.login.form[1]=/agentsample2/authentication/login.html

If the J2EE agent receives a request whose URI matches one of the URIs listed in the property com.sun.identity.agents.config.login.form, it knows that the request is for a form-based login page. It will suppress the page so the end user will not see it.
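
A deployed application whose login page is missing from this list still shows its own form, so the gap is worth checking for. The following added example (not code from this post or from the agent) compares each application's web.xml against the property list and reports login URIs the agent would not recognise. The function names, the context paths and the reading of -*- as exactly one path segment are assumptions.

```python
import re
import xml.etree.ElementTree as ET

PROP = "com.sun.identity.agents.config.login.form"

def parse_login_forms(properties_text):
    """Return the URIs of the indexed list property, ordered by index."""
    entry = re.compile(r"^\s*" + re.escape(PROP) + r"\[(\d+)\]\s*=\s*(\S+)\s*$")
    found = {}
    for line in properties_text.splitlines():
        m = entry.match(line)
        if m:
            found[int(m.group(1))] = m.group(2)
    return [found[i] for i in sorted(found)]

def form_login_page(web_xml_text):
    """Return the <form-login-page> value of a web.xml, or None if absent."""
    root = ET.fromstring(web_xml_text)
    for el in root.iter():
        # Compare local names so namespaced descriptors also work.
        if el.tag.rsplit("}", 1)[-1] == "form-login-page":
            return (el.text or "").strip()
    return None

def matches(pattern, uri):
    """Exact match; -*- is ASSUMED to stand for one path segment (no '/')."""
    parts = [re.escape(p) for p in pattern.split("-*-")]
    return re.fullmatch("[^/]*".join(parts), uri) is not None

def uncovered_login_pages(apps, properties_text):
    """apps: context path -> web.xml text. Return login URIs with no entry."""
    patterns = parse_login_forms(properties_text)
    missing = []
    for context, web_xml in sorted(apps.items()):
        page = form_login_page(web_xml)
        uri = context.rstrip("/") + (page or "")
        if page and not any(matches(p, uri) for p in patterns):
            missing.append(uri)
    return missing

# Constructed sample input, modelled on the snippets in this post.
WEB_XML = """<web-app><login-config><auth-method>FORM</auth-method>
<form-login-config><form-login-page>/authentication/login.html</form-login-page>
<form-error-page>/authentication/accessdenied.html</form-error-page>
</form-login-config></login-config></web-app>"""
AGENT_PROPS = PROP + "[0]=/agentsample/authentication/login.html\n"
APPS = {"/agentsample": WEB_XML, "/agentsample3": WEB_XML}

if __name__ == "__main__":
    print(uncovered_login_pages(APPS, AGENT_PROPS))
```

Here /agentsample3 is a constructed application that was deployed without a matching property entry, so its login URI is the one reported.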


Comments:

In issue 3609 you added support for wildcards in com.sun.identity.agents.config.login.form so it would be easier for many users to specify it as something like

<form-login-page>/authentication/AMlogin.html</form-login-page>

com.sun.identity.agents.config.login.form[0]=/-*-/authentication/AMlogin.html

That way they don't have to update the com.sun.identity.agents.config.login.form for every new app they deploy. I'm going to add an RFE that there be a default wildcarded login URL in com.sun.identity.agents.config.login.form, that way people never have to update this property if they use the same standard for their web.xml settings for the login URL.

Posted by Christopher Nebergall on November 11, 2008 at 01:30 AM PST #

About

Hua Cui
