
Portlet authentication


For resources protected by the portal, IBM WebSphere Portal uses CORBA credentials and an encrypted LTPA cookie to authenticate users. However, for backend systems that require their own authentication, portlets need to provide some form of authentication to access these remote applications. To provide a single sign-on user experience, portlets must be able to store and retrieve user credentials for their particular associated application and use those credentials to log in on behalf of the user. WebSphere Portal supports the use of a credential vault where users and administrators can safely store credentials for authentication. Portlets written to extract the user's credentials from the vault can hide the login challenge from the user.

The credential vault provides exactly this functionality. Portlets can use it through the credential vault portlet service (CredentialVaultService). See Portlet services for an overview of portlet services and how to access them. The following sections provide more information about the credential vault.


Credential vault organization

The portal administrator can partition the vault into several vault segments.

A vault segment contains vault slots, which are "drawers" where portlets store and retrieve a user's credentials. Each slot holds one credential.

A vault implementation is the place where users' credentials are actually stored. Examples of vault implementations include the default database vault or the Tivoli Access Manager lock box.

The resource within the vault implementation corresponds to an application or backend system that requires its own authentication. Examples of resources include Lotus Notes, personnel records, or a bank account.


Vault segments

A vault segment is flagged to be either administrator-managed or user-managed. While portlets (on behalf of a portal user) can set and retrieve credentials in both types of segments, they are permitted to create vault slots only in user-managed vault segments. The following figure shows how administrator-managed vault segments can be distributed among different vault implementations. There is only one user-managed vault segment, and it resides in the default-customization vault provided by WebSphere Portal.


Vault slots

The credential vault provided by WebSphere Portal distinguishes between four different types of vault slots:

The following table shows the constraints applicable for the available vault slot types:

System Slot
  Segment type: administrator-managed
  Shared: true
  Creation through: Credential Vault administrative portlet
  Secret sharing: one secret per system, shared among all users and portlets

Administrative Slot
  Segment type: administrator-managed
  Shared: false
  Creation through: Credential Vault administrative portlet
  Secret sharing: one secret per user, shared among all of the user's portlets

Shared User Slot
  Segment type: user-managed
  Shared: true
  Creation through: Credential Vault portlet service
  Secret sharing: one secret per user, shared among all of the user's portlets

Portlet Private Slot
  Segment type: user-managed
  Shared: false
  Creation through: Credential Vault portlet service
  Secret sharing: one secret per user and portlet entity, not shared among portlets


Credential objects

The credential vault portlet service returns credentials in the form of credential objects. The following are the base interfaces for all credential objects:
Standard portlet API

com.ibm.portal.portlet.service.credentialvault.credentials.Credential

IBM Portlet API

com.ibm.wps.portletservice.credentialvault.credentials.Credential

WebSphere Portal differentiates between passive and active credential objects.

Active credential objects allow portlets to trigger authentication to remote servers using standard mechanisms such as basic authentication, HTTP form-based authentication, or POP3 authentication, without obtaining the credential secrets. They can ask the portal to authenticate on their behalf and then use the already authenticated connections. From a security point of view, the portlets never access the credential secrets, so there is no risk that a portlet violates a security rule such as storing the secret in the portlet session. While an appropriate active credential class might not always be available, it is the preferred type of credential object to use.

All credential types available within the portal are registered in a credential type registry. WebSphere Portal provides a small set of credential types, but additional credential objects can be registered in this registry.

The ActiveCredential and PassiveCredential interfaces inherit from the Credential base interface. The following topics describe the different types of active and passive credential objects provided by WebSphere Portal:


Credential vault usage scenarios

Portlets that need a credential to complete their service have two options:

  1. Use an existing slot that has been defined by the portal administrator in an administrator-managed vault segment.

  2. Create a new slot in the user-managed vault segment.

The option you choose depends on how the portlet will be used. Generally, the best solution hides the technical details of the credential vault from users. Additionally, Active Credentials of the type JaasSubjectCredential provide the portlet with the ability to access resources within the same single sign-on domain as the portal. The following are some example scenarios for the use of slots.


Credential vault samples

This section contains sample code for using the credential vault service.

See the Portlet API Javadoc documentation for further information about the methods of the CredentialVaultService.
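The following helper class is an added example, not sample code from the IBM documentation, and it illustrates option 2 above (creating a Portlet Private Slot in the user-managed segment) together with storing and reading back a passive user ID/password credential. Class, method and constant names follow the IBM Portlet API as listed in the Portlet API Javadoc the text refers to, so check the signatures against the Javadoc for your portal version; the JNDI name, the preference key, the resource name and the BackendCredentialHelper class itself are assumptions made for this example.

```java
// Added example (not IBM sample code): a portlet keeps a portlet-private slot
// in the user-managed vault segment, stores the user's backend credentials once,
// and reads them back as a passive credential when it needs to log in.
// Assumptions: the JNDI name, SLOT_PREF_KEY and RESOURCE_NAME are chosen for
// this example; API names are from the IBM Portlet API and should be verified
// against the Portlet API Javadoc for your portal version.
import java.util.Arrays;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.Locale;
import java.util.Map;

import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.portlet.PortletPreferences;
import javax.portlet.PortletRequest;

import com.ibm.portal.ObjectID;
import com.ibm.portal.portlet.service.PortletServiceHome;
import com.ibm.portal.portlet.service.credentialvault.CredentialSlotConfig;
import com.ibm.portal.portlet.service.credentialvault.CredentialVaultService;
import com.ibm.portal.portlet.service.credentialvault.credentials.UserPasswordPassiveCredential;

public class BackendCredentialHelper {

    // Assumed preference key under which this portlet remembers its slot id.
    private static final String SLOT_PREF_KEY = "backendSlotId";
    // Assumed name of the backend system whose credentials the slot holds.
    private static final String RESOURCE_NAME = "example-backend";

    private final CredentialVaultService vault;

    public BackendCredentialHelper() throws NamingException {
        // Look up the credential vault portlet service through JNDI.
        Context ctx = new InitialContext();
        PortletServiceHome home = (PortletServiceHome) ctx.lookup(
            "portletservice/com.ibm.portal.portlet.service.credentialvault.CredentialVaultService");
        vault = (CredentialVaultService) home.getPortletService(CredentialVaultService.class);
    }

    /** Returns the portlet's slot id, creating a Portlet Private Slot in the
     *  user-managed segment on first use and remembering its id in the
     *  portlet preferences so every later request finds the same slot. */
    public String getOrCreateSlot(PortletRequest request) throws Exception {
        PortletPreferences prefs = request.getPreferences();
        String slotId = prefs.getValue(SLOT_PREF_KEY, null);
        if (slotId != null) {
            return slotId;
        }
        // Portlets may only create slots in the user-managed segment.
        ObjectID segment = vault.getDefaultUserCredentialVaultSegmentId();
        Map<Locale, String> descriptions = new Hashtable<>();
        descriptions.put(Locale.ENGLISH, "Credentials for " + RESOURCE_NAME);
        Map<Locale, String> keywords = new Hashtable<>();
        keywords.put(Locale.ENGLISH, RESOURCE_NAME);
        CredentialSlotConfig slot = vault.createSlot(
            RESOURCE_NAME, segment, descriptions, keywords,
            CredentialVaultService.SECRET_TYPE_USERID_STRING_PASSWORD_STRING,
            false,   // active: false, a passive credential is returned on retrieval
            true,    // portletPrivate: true, not shared with the user's other portlets
            request);
        slotId = slot.getSlotId();
        prefs.setValue(SLOT_PREF_KEY, slotId);
        prefs.store();
        return slotId;
    }

    /** Stores the user ID and password the user entered (for example in edit
     *  mode); the vault becomes the only holder of the secret. */
    public void storeCredentials(PortletRequest request, String userId, char[] password)
            throws Exception {
        String slotId = getOrCreateSlot(request);
        vault.setCredentialSecretUserPassword(slotId, userId, password, request);
        // Wipe the caller's copy: the secret must not linger in memory or in the session.
        Arrays.fill(password, '\0');
    }

    /** Reads the passive credential back for a login attempt. The caller uses the
     *  secret immediately and clears the char[]; it must never be copied into the
     *  portlet session, preferences or log output. */
    public UserPasswordPassiveCredential readCredentials(PortletRequest request) throws Exception {
        String slotId = getOrCreateSlot(request);
        return (UserPasswordPassiveCredential) vault.getCredential(
            slotId, "UserPasswordPassive", new HashMap<String, Object>(), request);
    }
}
```

Storing the slot id in the portlet preferences rather than in the session is what makes the slot survive across sessions for the same user and portlet entity. When a suitable active credential type exists for the backend (HTTP basic authentication, for instance), request it instead of the passive type so that the portlet never sees the secret at all, as the section on credential objects recommends.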


Change the credential vault encryption

WebSphere Portal supports plugging in different vault adapters for the storage and retrieval of credentials. The default vault adapter that ships with WebSphere Portal stores user credentials in the portal configuration database. By default, the passwords are only obfuscated, but not encrypted.

See the How to change the encryption of the credential vault in WebSphere Portal technote for information on how to extend the default vault adapter to use your own encryption code for encrypting and decrypting the passwords.
