Change the login and logout pages for TAI

 


 

 

Change Login page

By default, when unauthenticated users attempt to access the myportal page, they get redirected to the login screen located at...

wps/portal/.scr/Login

...to provide a user name and password.

When using a WebSEAL or eTrust SiteMinder TAI for authentication, you no longer need to use the WebSphere Portal login screen. Instead, the login icon should point to the myportal page.

  1. Use one of these addresses to test the TAI from a Web browser:

    • https://WebSEAL_hostname:WebSEAL_port/junction/wps/myportal

      http://SM_agent_hostname:SM_agent_port/wps/myportal

    WebSEAL or eTrust SiteMinder should challenge you to authenticate. After you log in, you should be directed to the secure and personalized myportal page. If you are directed to the portal login screen at...

    wps/portal/.scr/Login

    ...or the public page, there is a problem with the TAI configuration.

  2. Make backup copies of...

    WAS_HOME/installedApps/node/wps.ear/wps.war/themes/html/theme/ToolBarInclude.jsp

  3. In each of the themes directory and subdirectories, there is a ToolBarInclude.jsp file.

    Edit the appropriate ToolBarInclude.jsp file and find the login button section. By default, WebSphere Portal ships the ToolBarInclude.jsp with the Login screen section commented out, and the second section (Login Portlet) is uncommented. Replace the uncommented anchor href's, depending on whether you use the Login Screen or the Login Portlet, with the following anchor tag:

    <a class=wpsToolBarLink href='<%= wpsBaseURL %>/myportal'><wps:text key="link.login" 
        bundle="nls.engine"/></a>
    

    The following example shows what the ToolBarInclude.jsp will look like after adding the above anchor tag:

    <%-- login button --%>
    
    <%--   
        Currently, this section is commented out. Uncomment this section to allow log 
        in via Login screen 
    --%>
    
    <%--
       <wps:if loggedIn="no" notScreen="Login">
           <td class="wpsToolBar" valign="middle" nowrap>
    
           <a class="wpsToolBarLink" 
              href='<%= wpsBaseURL %>/myportal'> 
    
           <wps:text key="link.login" 
                     bundle="nls.engine"/></a>
    
           </td>
       </wps:if>
    --%>
    
    <%--This section is not commented out and therefore will allow login via Login portlet --%>
    
    <wps:if loggedIn="no" notSelection="wps.p.Login" >
        <wps:urlGeneration 
               contentNode="wps.p.Login" portletWindowState="Normal">
    
    <td class="wpsToolBar" valign="middle" nowrap>
    
         <!--commented out the next href for Changing the Login Page      <a href="<% wpsURL.write(out); %>" class="wpsToolBarLink">
            <wps:text key="link.login" 
            bundle="nls.engine"/></a>  
    -->
    
    <!-- added next href line to reference /myportal directly -->
    
    <a class=wpsToolBarLink href='<%= wpsBaseURL %>/myportal'><wps:text 
       key="link.login" 
       bundle="nls.engine"/></a>
    
    </td>
    
    
           </wps:urlGeneration>
         </wps:if>
    

    The previous example uses the 'wps:' prefix to designate JSP tags from the portal tag library in portal.tld. Your custom JSPs might use a different tag prefix.

  4. For TAM, test the TAI by adding a new user. From the pdadmin command line...

        pdadmin> user create user_name user_dn cn sn pwd
        pdadmin> user modify user_name account-valid yes

  5. Open and save the versions of Default.jsp that include each of the files that you edited in a previous step.

  6. Make a backup copy...

    was_profile_root/installedApps/node/wps.ear/wps.war/WEB-INF/web.xml

  7. Make the following edits...

    <login-config id="LoginConfig_1">
        <auth-method>FORM</auth-method>
        <realm-name>WPS</realm-name>
        <form-login-config id="FormLoginConfig_1">
        <form-login-page>/myportal</form-login-page>
        <form-error-page>/error.html</form-error-page>
        </form-login-config>
    </login-config>
    

 

Change Logoff page

Redirect the browser to the external security manager's (ESM's) logoff page after the WebSphere Portal logoff command executes.

When a WebSphere Portal session is ended by clicking the Logoff button on the portal navigation screen, the ESM session is not invalidated. Subsequent requests to protected portal pages may still be allowed without providing a user name or password until both the ESM's and WebSphere Portal's login sessions are properly terminated.

Tivoli Access Manager's WebSEAL by default provides...

http://webseal/pkmslogout

...as a special URL to terminate the WebSEAL single sign-on session.

In eTrust, the Web Agent configuration object contains a property named LogoffUri where you can supply a URL to terminate the eTrust SiteMinder login session.

In addition to configuring the ESM to provide this logoff capability, enable WebSphere Portal to execute the ESM logoff URL after completing its logoff command:

  1. Make a backup copy of...

    portal_server_root/shared/app/config/services/ConfigService.properties

  2. Edit the file as specified here...

    redirect.logout=true
    redirect.logout.ssl=false or true, depending on the environment
    redirect.logout.url=protocol://host_name/logout_page

    ...where...

    protocol Protocol of the ESM machine: http or https.
    host_name Fully qualified host name of the ESM machine.
    logout_page ESM page that users will be directed to when they log out.

    The value for redirect.logout.url must appear on a single line.

Note: These parameters can also be set using the WAS console and Portal configuration services.
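The following check is an added example, not part of the original documentation or the product: it reads the three logout-redirect properties described above and reports settings that would leave the ESM session alive after a portal logoff. The function names and the host webseal.example.com are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed samples (webseal.example.com is a placeholder host).
SAMPLE_GOOD = """\
redirect.logout= true
redirect.logout.ssl=true
redirect.logout.url=https://webseal.example.com/pkmslogout
"""
SAMPLE_BAD = """\
# logout redirect left disabled, URL wrapped onto a second line
redirect.logout=false
redirect.logout.ssl=maybe
redirect.logout.url=https://webseal.example.com/\\
    pkmslogout
"""

def parse_properties(text):
    """Return {key: (value, continued)}; continued marks a backslash-wrapped value."""
    props, lines = {}, iter(text.splitlines())
    for line in lines:
        entry, continued = line.strip(), False
        if not entry or entry[0] in "#!":
            continue
        while entry.endswith("\\"):  # trailing backslash joins the next line
            entry, continued = entry[:-1] + next(lines, "").strip(), True
        match = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", entry)
        if match:
            props[match.group(1)] = (match.group(2).strip(), continued)
    return props

def check_logout_redirect(text):
    """List the problems that would leave the ESM session alive after portal logoff."""
    props, findings = parse_properties(text), []
    if props.get("redirect.logout", ("", False))[0].lower() != "true":
        findings.append("redirect.logout is not true: portal logoff never reaches the ESM")
    if props.get("redirect.logout.ssl", ("", False))[0].lower() not in ("true", "false"):
        findings.append("redirect.logout.ssl must be true or false")
    url, continued = props.get("redirect.logout.url", ("", False))
    if continued:
        findings.append("redirect.logout.url must appear on a single line")
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname or parts.path in ("", "/"):
        findings.append("redirect.logout.url is not protocol://host_name/logout_page")
    return findings

if __name__ == "__main__":
    for name, sample in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(name, check_logout_redirect(sample))
```
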

 

Change the web.xml form-login-page attribute

  1. Access the WebSphere Application Server administrative console and export wps.ear. When using a cluster environment use the DMGR console.

  2. From the exported ear file, edit the attribute form-login-page in the file...

    app_server_root/installedApps/node/wps.ear/wps.war/WEB-INF/web.xml

    ...and replace /redirect or /myportal with a JSP to be called if the TAI login is not invoked. The following example uses the sample file...

    /html/en/taiError.jsp

    ...but the file can have any name...

  3. Copy the file wps.jsp to taiError.jsp and modify it to show a message if the TAI login fails.

    <%@ page session="false" buffer="none" %>
    <TABLE border="0">                              
     <TBODY>
       <TR>
        <TD>
        <IMG border="0" src="../../images/welcome_5.gif"  height="46"> 
        <H2>You've reached this page in error. </H2></TD>
        <TD></TD>
       </TR>
       <TR>                      
        <TD>The TAI failed to authenticate you</TD>
        <TD><IMG border="0" src="../../images/microphone.gif" width="84" height="94"></TD>                                          
       </TR>
     </TBODY>
    </TABLE>
    

  4. Repackage wps.ear.

  5. Re-import wps.ear in the WAS administrative console.

  6. Complete the following tasks:

    When using a cluster environment use the primary node to invoke the commands.

    1. cd portal_server_root/config/

    2. Type the following config task appropriate for the operating system:

          WPSconfig.{sh | bat} action-modify-attributes-ear-wps 

    3. Synchronize all the nodes

    4. Restart WebSphere Portal on the standalone server or on each portal cluster member if using a cluster environment

  7. Restart WebSphere Portal.
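Before re-importing the repackaged wps.ear, the edited descriptor can be checked offline. The sketch below is an added example, not IBM-supplied code: it assumes the exported EAR carries wps.war as a nested archive, and the helper names and the in-memory sample archives are constructed for illustration. It confirms that web.xml still parses, that the login configuration uses FORM, and that the JSP named in form-login-page is actually packaged in the WAR.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

def _zip(files):
    """Build an in-memory archive from {name: bytes} (for the constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, data in files.items():
            archive.writestr(name, data)
    return buf.getvalue()

# Constructed descriptor; only the login-config part matters here.
WEB_XML = b"""<web-app><login-config id="LoginConfig_1">
  <auth-method>FORM</auth-method><realm-name>WPS</realm-name>
  <form-login-config id="FormLoginConfig_1">
    <form-login-page>/html/en/taiError.jsp</form-login-page>
    <form-error-page>/error.html</form-error-page>
  </form-login-config></login-config></web-app>"""

def check_ear(ear_bytes, war_name="wps.war"):
    """Return findings for the login-config of the WAR nested in the EAR."""
    with zipfile.ZipFile(io.BytesIO(ear_bytes)) as ear:
        war = zipfile.ZipFile(io.BytesIO(ear.read(war_name)))
    names = set(war.namelist())
    try:
        root = ET.fromstring(war.read("WEB-INF/web.xml"))
    except ET.ParseError as exc:
        return [f"web.xml is not well-formed: {exc}"]
    # Compare local names so a namespaced descriptor is handled too.
    text = {e.tag.rsplit("}", 1)[-1]: (e.text or "").strip() for e in root.iter()}
    findings = []
    if text.get("auth-method") != "FORM":
        findings.append("auth-method is not FORM")
    for tag in ("form-login-page", "form-error-page"):
        page = text.get(tag, "")
        if not page.startswith("/"):
            findings.append(f"{tag} missing or not context-relative")
        elif page.endswith((".jsp", ".html")) and page.lstrip("/") not in names:
            findings.append(f"{tag} {page} is not packaged in {war_name}")
    return findings

GOOD_EAR = _zip({"wps.war": _zip({"WEB-INF/web.xml": WEB_XML,
                                   "html/en/taiError.jsp": b"", "error.html": b""})})
STALE_EAR = _zip({"wps.war": _zip({"WEB-INF/web.xml": WEB_XML, "error.html": b""})})
BROKEN_EAR = _zip({"wps.war": _zip({"WEB-INF/web.xml": WEB_XML.replace(
    b"<form-error-page>/error.html</form-error-page>",
    b"<form-error-page/error.html/form-error-page>")})})

if __name__ == "__main__":
    for label, ear in (("good", GOOD_EAR), ("stale", STALE_EAR), ("broken", BROKEN_EAR)):
        print(label, check_ear(ear))
```
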

 
