2.6.4 Authentication and User Provisioning
Before users can access an OHI Components application, the following prerequisites must be met:
- Users need to authenticate themselves by entering a valid combination of username and password credentials. All pages (other than the login page) are only available to authenticated (and properly authorized) users.
- A user must be provisioned to access an OHI Components application. The main purpose of OHI Components user accounts is authorization: the administration of (role-based) access rights for users is handled in OHI Components applications.
The following paragraphs provide details on authentication and provisioning.
2.6.4.1 Authentication
Although user accounts are stored in the application, user passwords are not. OHI Components delegates authentication to configurable WebLogic Authentication Providers. WebLogic comes with various predefined Authentication Providers, for example to support LDAP-based authentication. The Authentication Providers can be configured via the WebLogic Console.
Users in the LDAP server are expected to be defined using the industry standard inetOrgPerson object class (which is derived from the organizationalPerson object class). Typically the uid and userPassword attributes of that class hold the credentials used for logging in.
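The inetOrgPerson requirement above can be verified before an account is provisioned. The following is an added example (not OHI Components or WebLogic code) that audits an LDIF export for the object class and the uid/userPassword attributes an LDAP Authentication Provider would need; the DNs, the {SSHA} value and the svc-batch account are constructed sample data.

```python
"""Check LDIF entries for what an LDAP Authentication Provider needs to
authenticate an OHI Components user: inetOrgPerson class plus uid and
userPassword. The LDIF is a constructed sample, not a real directory."""
from typing import Dict, List

SAMPLE_LDIF = """\
dn: uid=jdoe,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
uid: jdoe
cn: Jane Doe
sn: Doe
userPassword: {SSHA}constructedHashValue==

dn: cn=svc-batch,ou=people,dc=example,dc=com
objectClass: organizationalPerson
cn: svc-batch
sn: batch
userPassword: {SSHA}constructedHashValue==
"""

def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Split LDIF into entries; multi-valued attributes become lists."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():              # a blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries

def check_login_entry(entry: Dict[str, List[str]]) -> List[str]:
    """Return the problems that would keep this entry from authenticating."""
    problems = []
    classes = {c.lower() for c in entry.get("objectClass", [])}
    if "inetorgperson" not in classes:
        problems.append("missing objectClass inetOrgPerson")
    if not entry.get("uid"):
        problems.append("missing uid (login name)")
    if not entry.get("userPassword"):
        problems.append("missing userPassword")
    return problems

def audit(text: str) -> Dict[str, List[str]]:
    # Map each DN to its problems; an empty list means the entry can log in.
    return {e["dn"][0]: check_login_entry(e) for e in parse_ldif(text)}
```

Running audit on a real export before provisioning the matching OHI Components account shows which directory entries will never pass the Authentication Provider.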
The following picture shows the flow of the authentication process:
Credentials are passed by the user via the application's Login page.
In the authentication process, the user account data stored in OHI Components is accessed, for example to record the last time the user successfully logged in to the system. Before someone can authenticate and subsequently access OHI Components, an account has to be set up. For that purpose, OHI Components offers a user provisioning service.