Submit login form data directly to WebSEAL
It is possible to perform token (or forms) authentication to WebSEAL without being prompted by WebSEAL.
The following sequence describes the events that occur during a typical WebSEAL login where the user is prompted by WebSEAL with a login form.
Steps
- The user requests a protected resource.
- WebSEAL caches the user's request.
- WebSEAL returns a login form to the user.
- The user fills in the login form fields (providing the user name and passcode) and clicks a submit button.
- The submit button triggers a POST request to /pkmslogin.form. The request body contains the form field data. The pkmslogin.form management page is a management command to the WebSEAL server. It is not represented in the object space and we cannot attach policies to it.
- WebSEAL authenticates the user and, upon successful authentication, follows an order of precedence for redirecting the user to one of the following three locations:
  - The location specified by the login-redirect-page entry in the [acnt-mgt] stanza, if configured.
  - The user's originally requested resource (if known).
  - The generic login_success.html page.
Some application integration implementations might require logging in directly, without making an initial request for a protected resource or being prompted by WebSEAL to log in. Such a direct login can be accomplished with a POST request sent directly to /pkmslogin.form.
The following sequence describes the events that occur during a direct login:
- The client sends a POST request to /pkmslogin.form with the proper form field data in the body of the request.
- WebSEAL authenticates the user and, upon successful authentication, follows an order of precedence for redirecting the user to one of the following two locations:
  - The location specified by the login-redirect-page entry in the [acnt-mgt] stanza, if configured.
  - The generic login_success.html page.
The format of the POST data must follow these conventions:
- The POST must be made to /pkmslogin.form.
- The POST request body must contain the field data for three fields:
  - username
  - password
  - login-form-type
- The value of login-form-type must be "token" for token logins.
- The content-length header must indicate the length of the resulting request body.
Example (using telnet):

prompt> telnet webseal.example.com 80
Connected to webseal.example.com.
Escape character is '^]'.
POST /pkmslogin.form HTTP/1.1
host: webseal.example.com
content-length: 58

username=testuser&password=123456789&login-form-type=token
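The same direct login as a small Python client, added here as an example that is not part of the WebSEAL documentation. It builds the three-field body, derives content-length from the encoded body rather than counting by hand, and goes slightly beyond the telnet session by URL-encoding the field values (so a passcode containing "&" or "=" cannot break the body) and by sending the request over TLS. The host name, port and the use of Python's http.client are assumptions.

```python
import http.client
import ssl
from urllib.parse import urlencode

# WebSEAL management command that accepts the login form fields.
LOGIN_FORM_PATH = "/pkmslogin.form"


def build_login_body(username: str, password: str, form_type: str = "token") -> bytes:
    """Encode exactly the three fields WebSEAL expects for a direct login.

    urlencode() percent-encodes '&', '=' and '%' inside the values, so a
    passcode such as "a&b" arrives as one field instead of being split.
    """
    fields = [("username", username), ("password", password),
              ("login-form-type", form_type)]
    return urlencode(fields).encode("ascii")


def build_raw_request(host: str, username: str, password: str) -> bytes:
    """Return the raw HTTP/1.1 request bytes, equivalent to typing the
    telnet session above; content-length is computed from the body."""
    body = build_login_body(username, password)
    headers = (
        f"POST {LOGIN_FORM_PATH} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n"
        "\r\n"
    )
    return headers.encode("ascii") + body


def direct_login(host: str, username: str, password: str, port: int = 443):
    """Send the POST over TLS (assumed: WebSEAL listening for HTTPS on port 443).

    Returns (status, Location header, Set-Cookie header). On success WebSEAL
    answers with a redirect to login-redirect-page or login_success.html and
    issues its session cookie in Set-Cookie.
    """
    body = build_login_body(username, password)
    conn = http.client.HTTPSConnection(host, port, context=ssl.create_default_context())
    conn.request("POST", LOGIN_FORM_PATH, body=body,
                 headers={"Content-Type": "application/x-www-form-urlencoded",
                          "Content-Length": str(len(body))})
    resp = conn.getresponse()
    return resp.status, resp.getheader("Location"), resp.getheader("Set-Cookie")
```

Calling direct_login("webseal.example.com", "testuser", "123456789") performs the exchange shown in the telnet example, but over HTTPS; build_raw_request() lets you inspect the exact bytes first.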