AquaLogic .NET Portlet Toolkit WSRP Development Guide


Using UNT Authentication with WebLogic Portal

To implement single-sign on (SSO) with WebLogic Portal using UNT (User Name Token) authentication, you must configure the WSRP Producer.

UNT authentication can be used with IIS (Windows) authentication or ASP.NET Forms Authentication. The steps below cover both options.

Caution: Using UNT in the manner described below results in passwords being sent between the WSRP Consumer and the WSRP Producer in plain text. Ensure that the Consumer-Producer channel is secured by https before using this approach for transmitting a security token.

  1. Enable authentication for your remote ASP.NET portlet. For more information on configuring ASP.NET authentication, consult MSDN and the following resources: http://msdn2.microsoft.com/en-us/library/eeyk640h%28VS.80%29.aspx, http://msdn2.microsoft.com/en-us/library/ms978378.aspx, http://support.microsoft.com/kb/324274.
  2. Add the UNT security policy declaration to the WSRPService.wsdl and wsrp_v1_bindings.wsdl files.
    1. Open the wsdl file for the WSRP Producer: \wsrpproducer\1.1\webapp\wsrpproducer\1.0\WSRPService.wsdl.
    2. If it is not already present, add the following policy declaration to the WSRPService.wsdl file as a child of the root element (<wsdl:definitions>) and before the <wsdl:service> element. (The WSRPService.wsdl file installed with the WSRP Producer includes the UNT policy by default.)
      <wsp:Policy s1:Id="UNTAuth.xml" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:s1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        <wssp:Identity xmlns:wssp="http://www.bea.com/wls90/security/policy">
          <wssp:SupportedTokens>
            <wssp:SecurityToken TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken">
              <wssp:UsePassword Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"/>
            </wssp:SecurityToken>
          </wssp:SupportedTokens>
        </wssp:Identity>
      </wsp:Policy>

    3. Open the wsdl bindings file for the WSRP Producer: \wsrpproducer\1.1\webapp\wsrpproducer\1.0\wsrp_v1_bindings.wsdl.
    4. Find the <wsdl:input> elements named “getMarkup” and “performBlockingInteraction”. If it is not already present, add the <wsp:Policy> element shown below to each of them. (The bindings file installed with the WSRP Producer includes this code within comments; to enable it, remove the comment tags.) The complete XML should look as follows:
      <wsdl:input name="getMarkup">
        <soap:body use="literal"/>
        <wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
          <wsp:PolicyReference URI="#UNTAuth.xml"/>
        </wsp:Policy>
      </wsdl:input>

      <wsdl:input name="performBlockingInteraction">
        <soap:body use="literal"/>
        <wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
          <wsp:PolicyReference URI="#UNTAuth.xml"/>
        </wsp:Policy>
      </wsdl:input>

  3. Map each WLP user to a user that can access the ASP.NET portlet application. For instructions, see Configuring User Name Token Security: Configuring the Consumer in the WLP Federated Portals guide.
  4. If you are using ASP.NET Forms Authentication, you must provide information about the login form to the WSRP Producer. In wsrp-producer.xml, add a <forms-authentication> entry as the last child element of the <portlet> element for each portlet that uses ASP.NET Forms Authentication. Each entry should include the following elements, as shown in the example that follows. For a full list of portlet configuration elements, see WSRP Producer Configuration Elements (wsrp-producer.xml).
    Note: If you omit the <forms-authentication> element, the WSRP Producer will still try to authenticate to one of the IIS forms of authentication (Basic, Windows Integrated, or even Digest) if the ASP.NET application is using one of those and the UNT is provided, but it will be unable to authenticate to ASP.NET Forms.

    Element                        Description
    <IsSSOConfigured>              Whether SSO through ASP.NET Forms Authentication is enabled (true or false).
    <loginpage>                    The name of the login page configured for ASP.NET Forms Authentication in the remote portlet application.
    <username-field-name>          The name of the login form field that holds the user name.
    <password-field-name>          The name of the login form field that holds the password.
    <login-button-name>            The name of the submit button in the login form.
    <login-button-value>           The value of the submit button in the login form.
    <always-use-anonymous-login>   Whether to use anonymous login (true or false). If true, you must also provide <anonymous-username> and <anonymous-password> elements.

    <portlet>
      ...
      <forms-authentication>
        <IsSSOConfigured>true</IsSSOConfigured>
        <loginpage>login.aspx</loginpage>
        <username-field-name>txtUserName</username-field-name>
        <password-field-name>txtPassword</password-field-name>
        <login-button-name>cmdSubmit</login-button-name>
        <login-button-value>Submit</login-button-value>
        <always-use-anonymous-login>true</always-use-anonymous-login>
        <anonymous-username>userid</anonymous-username>
        <anonymous-password>pwd</anonymous-password>
      </forms-authentication>
    </portlet>

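The two configuration edits above (the PolicyReference on both wsdl:input elements in step 2, and the <forms-authentication> rules in step 4) are easy to get half-done, for example by leaving the bindings policy inside its comment tags. The following script, added here as an illustration and not part of the toolkit, checks both against constructed sample files; it assumes wsrp-producer.xml uses un-namespaced elements as in the snippet above, and the <config> root and <other-setting> element are invented for the sample.

```python
import xml.etree.ElementTree as ET

WSP = "{http://schemas.xmlsoap.org/ws/2004/09/policy}"
WSDL = "{http://schemas.xmlsoap.org/wsdl/}"
SECURED_INPUTS = ("getMarkup", "performBlockingInteraction")
REQUIRED = ("IsSSOConfigured", "loginpage", "username-field-name",
            "password-field-name", "login-button-name", "login-button-value")

def inputs_missing_policy(bindings_wsdl, policy_uri="#UNTAuth.xml"):
    """Names from SECURED_INPUTS whose wsdl:input has no PolicyReference to policy_uri."""
    referenced = set()
    for inp in ET.fromstring(bindings_wsdl).iter(WSDL + "input"):
        if any(r.get("URI") == policy_uri for r in inp.iter(WSP + "PolicyReference")):
            referenced.add(inp.get("name"))
    return [n for n in SECURED_INPUTS if n not in referenced]

def forms_auth_problems(producer_xml):
    """Problems in each <forms-authentication> entry (assumes un-namespaced elements)."""
    problems = []
    for i, portlet in enumerate(ET.fromstring(producer_xml).iter("portlet")):
        fa = portlet.find("forms-authentication")
        if fa is None:
            continue  # portlet relies on IIS authentication; nothing to check
        if list(portlet)[-1] is not fa:
            problems.append(f"portlet[{i}]: forms-authentication must be the last child")
        wanted = list(REQUIRED)
        if (fa.findtext("always-use-anonymous-login") or "").strip() == "true":
            wanted += ["anonymous-username", "anonymous-password"]
        problems += [f"portlet[{i}]: missing <{t}>" for t in wanted
                     if not (fa.findtext(t) or "").strip()]
    return problems

# Constructed samples: performBlockingInteraction still has its policy commented out
# (ElementTree drops comments), and portlet[1] wants anonymous login without credentials.
BINDINGS = """<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
  xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"><wsdl:binding name="Markup">
 <wsdl:operation name="getMarkup"><wsdl:input name="getMarkup">
   <wsp:Policy><wsp:PolicyReference URI="#UNTAuth.xml"/></wsp:Policy></wsdl:input></wsdl:operation>
 <wsdl:operation name="performBlockingInteraction"><wsdl:input name="performBlockingInteraction">
   <!-- <wsp:Policy><wsp:PolicyReference URI="#UNTAuth.xml"/></wsp:Policy> --></wsdl:input>
 </wsdl:operation></wsdl:binding></wsdl:definitions>"""
PRODUCER = """<config><portlet><forms-authentication><IsSSOConfigured>true</IsSSOConfigured>
  <loginpage>login.aspx</loginpage><username-field-name>txtUserName</username-field-name>
  <password-field-name>txtPassword</password-field-name><login-button-name>cmdSubmit</login-button-name>
  <login-button-value>Submit</login-button-value></forms-authentication></portlet>
 <portlet><forms-authentication><IsSSOConfigured>true</IsSSOConfigured><loginpage>login.aspx</loginpage>
  <username-field-name>u</username-field-name><password-field-name>p</password-field-name>
  <login-button-name>go</login-button-name><login-button-value>Go</login-button-value>
  <always-use-anonymous-login>true</always-use-anonymous-login></forms-authentication>
  <other-setting/></portlet></config>"""
```

Run it against the real WSRPService.wsdl, wsrp_v1_bindings.wsdl and wsrp-producer.xml by reading those files into the two functions instead of the constructed strings.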
Note: The WSRP specification treats external resources used by a portlet application differently from the portlet markup. An external resource is anything that is referenced by the portlet markup but not contained in it, such as externally referenced JavaScript files, images, or CSS style sheets. Portlet markup is retrieved from and proxied by the WSRP Producer; in the process the Producer can negotiate the authentication requirements of portlet applications. However, WSRP resources are retrieved directly by the WSRP Consumer without assistance from the WSRP Producer. As a result, external resources generally should not require authentication when using the WSRP Producer unless you can configure your WSRP Consumer to authenticate directly. If you are using Windows (IIS) authentication, you must move all external resources to a virtual directory or separate server that is configured in IIS to not require authentication. Note that many ASP.NET controls and components use the WebResources feature to dynamically emit external JavaScript and image references in your markup. To make sure that WebResources references do not require authentication, ensure that any virtual paths from which these references originate do not require authentication.
