Forcing users to log in before they can access an application 

Change the access levels of members or groups to require them to provide credentials before they can access an IBM Connections application.

Before you begin

Do not perform this task if you plan to use the IBM Connections Multi-Service Portlet plug-in. This extension does not function as expected when IBM Connections is configured to force authentication.

The reader role of the Communities application is set to Everyone by default. If you perform this procedure to change the reader role access level for any of the applications that have widgets that are displayed within the Communities application, also make the same change to the Communities reader role or the widget will no longer work in Communities.

About this task

To invite people to join the social networking community, many of the IBM Connections applications allow users to read public information, such as public blogs or user profiles, without requiring them to log in to the application first. In many cases, credentials are not required until you want to edit your own profile or blog. If you do not want people or a subset of people to be able to freely browse through public information, you can force them to log in to each application before they can view any content. If you force authentication for an application, you should consider enabling it for all applications.

To force users to log in before they can access an application:


  1. Open the Integrated Solutions Console of the WebSphere Application Server (WAS) hosting the application for which you want to restrict access.

  2. Expand Applications -> Application Types, and then select WebSphere enterprise applications.

  3. Select the application.

      Note: If you select the Profiles application and the Profiles directory service extension is enabled, also enable single sign-on for LDAP. See Enable single sign-on for standalone LDAP for more details.

  4. Click Security role to user/group mapping.

  5. Select the check box in the Select column next to the reader role.

  6. Click Map Special Subjects -> All Authenticated in Application's Realm.

  7. Repeat the previous steps for each application that you want to force users to authenticate with before using.


      • Activities, Home page, and Search require users to authenticate by default; the other applications do not. As a result, you do not need to perform this procedure on the Activities, Home page, or Search applications. However, if you do decide to change the reader role in Search to be mapped to "All Authenticated in Application's Realm," then map the reader role for all other applications to at least the same level of security as the Search reader role. The reason is that the public Atom feeds in Search are secured by the reader role, which is mapped to "Everyone" in Search by default, and all of the other applications use these Atom feeds. Their reader roles must have at least the same level of security as the Search reader role.

      • As long as you have configured single sign-on between the applications, requiring authentication for each application does not prompt the same users for credentials as they move from one application to another within a single session. It only prompts for credentials when users log in to the first application. See Enable single sign-on between all applications for more information.

      • If you have kept the default configuration in which the IBM Connections directory service extensions for Profiles are enabled and you want to force Profiles users to log in, perform Step 9.

  8. Click OK. Click Apply, and then click OK.

  9. Blogs only: Create rewrite rules in the configuration file for the IBM HTTP Server to redirect Atom API and feed requests so that they are authenticated properly. Open the httpd.conf file which is stored in the ibm_http_server_root/conf directory, and then add the following rules to the file:

      RewriteCond %{REQUEST_URI} !^/blogs/roller-ui/rendering/(.*)
      RewriteCond %{REQUEST_URI} !^/blogs/roller-ui/feed/(.*)
      RewriteRule ^/blogs/(.*)/api/(.*) /blogs/roller-ui/rendering/api/$1/api/$2 [R,L]
      RewriteCond %{REQUEST_URI} !^/blogs/roller-ui/rendering/(.*)
      RewriteRule ^/blogs/(.*)/feed/tags/atom(.*) /blogs/roller-ui/rendering/feed/$1/tags/atom/ [R,L]
      RewriteCond %{REQUEST_URI} !^/blogs/roller-ui/rendering/(.*)
      RewriteRule ^/blogs/(.*)/feed/entries/atom(.*) /blogs/roller-ui/rendering/feed/$1/entries/atom/ [R,L]
      RewriteCond %{REQUEST_URI} !^/blogs/roller-ui/rendering/(.*)
      RewriteRule ^/blogs/(.*)/feed/comments/atom(.*) /blogs/roller-ui/rendering/feed/$1/comments/atom/ [R,L]
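The Step 9 rules can be checked offline before httpd.conf is reloaded. The following is an added example, not part of the IBM documentation: a Python approximation of how mod_rewrite evaluates these rules (URL path only, query string ignored), run over constructed sample paths. The blog handle `myblog` and the function names are assumptions.

```python
import re

# The four rule groups from Step 9:
# (negated RewriteCond patterns, RewriteRule pattern, substitution).
RENDERING = r"^/blogs/roller-ui/rendering/(.*)"
RULES = [
    ([RENDERING, r"^/blogs/roller-ui/feed/(.*)"],
     r"^/blogs/(.*)/api/(.*)", "/blogs/roller-ui/rendering/api/$1/api/$2"),
    ([RENDERING], r"^/blogs/(.*)/feed/tags/atom(.*)",
     "/blogs/roller-ui/rendering/feed/$1/tags/atom/"),
    ([RENDERING], r"^/blogs/(.*)/feed/entries/atom(.*)",
     "/blogs/roller-ui/rendering/feed/$1/entries/atom/"),
    ([RENDERING], r"^/blogs/(.*)/feed/comments/atom(.*)",
     "/blogs/roller-ui/rendering/feed/$1/comments/atom/"),
]

def redirect_target(path):
    """Return the path the [R,L] rules redirect to, or None if no rule fires."""
    for negated_conds, pattern, substitution in RULES:
        m = re.search(pattern, path)
        if not m:
            continue
        # Every RewriteCond is negated with "!": the rule fires only if none match.
        if any(re.search(cond, path) for cond in negated_conds):
            continue
        # Expand the $1/$2 backreferences captured by the RewriteRule pattern.
        return re.sub(r"\$(\d)", lambda b: m.group(int(b.group(1))), substitution)
    return None

def follow(path, limit=5):
    """Follow redirects until no rule fires; raise if the rules loop."""
    hops = [path]
    for _ in range(limit):
        nxt = redirect_target(hops[-1])
        if nxt is None:
            return hops
        hops.append(nxt)
    raise RuntimeError("redirect loop: %r" % hops)

# Constructed sample request paths (not taken from a real deployment).
SAMPLES = [
    "/blogs/myblog/api/entries",
    "/blogs/myblog/feed/entries/atom",
    "/blogs/myblog/entry/hello",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(" -> ".join(follow(sample)))
```

The second hop of the API sample still matches the first RewriteRule pattern; the negated RewriteCond on `/blogs/roller-ui/rendering/` is what stops it from redirecting again.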

Related tasks

Use the Profiles database as the user directory
Enable single sign-on between all applications
Enable single sign-on for standalone LDAP
Customize login attributes
Authenticating requests

August 17, 2011 12:44:40 PM

