The only authentication methods currently supported are name and password credentials, and digital certificates.
A user can be authenticated by explicitly logging in to the system via a login page, or the user can browse a Web site without logging in, as long as they access only unprotected URLs.
When the plug-in intercepts an HTTP request and determines that the URL is protected, it follows this procedure to authenticate the user:

1. The plug-in tries to find a cookie (generated by the plug-in during authentication) in the HTTP request.

2. If there is no cookie, the plug-in looks for the client's certificate in the HTTP request.
   - If the certificate is found, the plug-in attempts to authenticate the user.
   - If the certificate is not found, the plug-in redirects the user to the login page to enter his or her user name and password.

3. The plug-in attempts to authenticate the user via the PortalSession EJB.

4. If authentication is successful, the security plug-in sets the session password in a PSPK_TEMPORARY cookie that is sent back to the Web browser. Any back-end application that manages security objects on behalf of the authenticated user must obtain this session password from the cookie. The security plug-in sets the PSPK_TEMPORARY cookie as follows:
   - For HTTP requests, the cookie is set as a regular (insecure) cookie, which is passed freely between the client and the Web server.
   - For HTTPS requests, the cookie is set as a secure cookie. As long as the client continues to use HTTPS, the cookie is transmitted between the client and the Web server. If the client requests a URL using HTTP, the cookie is not sent to the Web server.

5. If the user cannot be authenticated, the plug-in ends the HTTP request processing and redirects the user to an error page indicating the failure.
Once authenticated, the user does not need to be reauthenticated to access protected URLs, as long as the session is valid; that is, the session has not timed out, and the user has not explicitly logged out of the system.
If the user session terminates or becomes invalid, the plug-in removes the session from the internal cache and the user must log in to the system again to access protected URLs.
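The procedure above, together with the session-validity rules, modelled as an added Python example (not the product's own plug-in code): the PortalSession EJB is replaced by an `authenticate` callback, the session cache is a dictionary, and the timeout value and the cookie `Path` attribute are assumptions.

```python
import secrets
import time

COOKIE_NAME = "PSPK_TEMPORARY"
SESSION_TIMEOUT = 1800  # seconds; assumed, the text states no value


class SecurityPlugin:
    def __init__(self, authenticate, now=time.time):
        # authenticate(credential) stands in for the PortalSession EJB call and
        # returns a user name or None; cache maps session password -> session.
        self.authenticate, self.now, self.cache = authenticate, now, {}

    def _session_valid(self, password):
        session = self.cache.get(password)
        if session is None or self.now() - session["last_seen"] > SESSION_TIMEOUT:
            self.cache.pop(password, None)  # timed-out session leaves the cache
            return False
        session["last_seen"] = self.now()
        return True

    def _issue_cookie(self, user, scheme):
        password = secrets.token_hex(16)  # the session password
        self.cache[password] = {"user": user, "last_seen": self.now()}
        cookie = f"{COOKIE_NAME}={password}; Path=/"
        if scheme == "https":
            cookie += "; Secure"  # browser withholds it on plain-HTTP requests
        return {"Set-Cookie": cookie}

    def handle(self, scheme, cookies, client_cert=None):
        """Return (action, response headers) for a request to a protected URL."""
        password = cookies.get(COOKIE_NAME)
        if password and self._session_valid(password):
            return "allow", {}  # valid session: no reauthentication needed
        if client_cert is None:
            return "redirect:login", {}  # no certificate: ask for name and password
        user = self.authenticate(("cert", client_cert))
        if user is None:
            return "redirect:error", {}
        return "allow", self._issue_cookie(user, scheme)

    def login(self, scheme, username, password):
        # Login-page form submission with name and password credentials.
        user = self.authenticate(("password", username, password))
        if user is None:
            return "redirect:error", {}
        return "allow", self._issue_cookie(user, scheme)

    def logout(self, cookies):
        self.cache.pop(cookies.get(COOKIE_NAME), None)  # explicit logout drops the session
```

Note that a cookie issued on an HTTP request carries no `Secure` attribute, so the session password it holds travels in clear text on every later request to the same host.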