Sun Java System Access Manager 7.1 Developer's Guide


The Access Manager Authentication Service has the capability to process requests from multiple browser type clients. Thus, the service can be used to authenticate users attempting to access applications based in HTML, WML or other protocols.

Caution – Caution –

The Access Manager console though cannot be accessed from any client type except HTML.

The client detection API can be used to determine the protocol of the requesting client browser and retrieve the correctly formatted pages for the particular client type.

Client Detection Process

Since any user requesting access to Access Manager must first be successfully authenticated, browser type client detection is accomplished within the Authentication Service. When a client’s request is passed to Access Manager, it is directed to the Authentication Service. Within this service, the first step in user validation is to identify the browser type using the User-Agent field stored in the HTTP request.

Note –

The User-Agent field contains product tokens which contains information about the browser type client originating the HTTP request. The tokens are a standard used to allow communicating applications to identify themselves. The format is software/version library/version.

The User-Agent information is then matched to browser type data defined and stored in the amClientData.xml file.

Caution – Caution –

User-Agent information is defined in amClientData.xml but this information is stored in Directory Server under Client Detection Service.

Based on this client data, correctly formatted browser pages are sent back to the client for authentication (for example, HTML or WML pages). Once the user is validated, the client type is added to the session token (as the key clientType) where it can be retrieved and used by other Access Manager services. (If there is no matching client data, the default type is returned.)

Note –

The userAgent must be a part of the client data configured for all browser type clients. It can be a partial string or the exact product token.

ProcedureEnabling Client Detection

By default, the client detection capability is disabled; this then assumes the client to be of the genericHTML type (For example Access Manager will be accessed from a HTML browser). The preferred way to enable the Client Detection Service is to use the Access Manager console and select the option in the Client Detection Service itself. For more information, see the Administration Guide. To enable client detection using the amClientDetection.xml, the iplanet-am-client-detection-enabled attribute must be set to true. amClientDetection.xml must then be deleted from Directory Server and reloaded using amAdmin. The following procedure illustrates the complete enabling process.

  1. Import client data XML file using the amadmin command /AccessManager-base amadmin_DN -w amadmin_password -t name_of_XML_file

    This step is only necessary if the client data is not already defined in amClientData.xml.

  2. Restart Access Manager.

  3. Login to Access Manager console.

  4. Go to Service Configuration and click ClientDetectionproperties.

  5. Enable Client Detection.

  6. Make sure the imported data can be viewed with Access Manager console.

    Click on the Edit button next to the Client Data attribute.

  7. Create a directory for new client type and add customized JSPs.

    Create a new directory in /AccessManager-base/SUNWam/web-src/services/config/auth/default/ and add JSPs for the new client type. Client Detection Process is a login page written for a WML browser.

    <?xml version="1.0"?>
    <!-- Copyright Sun Microsystems, Inc.  All Rights Reserved -->
    <meta http-equiv="Cache-Control" content="max-age=0"/>
     <card id="authmenu" title="Username">
    <do type="accept" label="Enter">
    <go method="get" href="/wireless">
    <postfield name="TOKEN0" value="$username"/>
    <postfield name="TOKEN1" value="$password"/>
    Enter username:
    <input type="text" name="password"/>
    Enter password:
    <input type="text" name="username"/>