Академический Документы
Профессиональный Документы
Культура Документы
Management
Junaid Asifali
Date 6/19/2007
Copyright © 2006-2007 EMC Corporation. All rights reserved.
EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without
notice.
THE INFORMATION IN THIS PUBLICATION IS PROVIDED “AS IS.” EMC CORPORATION MAKES NO
REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION,
AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR
PURPOSE.
Use, copying, and distribution of any EMC software described in this publication requires an applicable software license.
EMC2, EMC, and EMC Documentum product names are trademarks of EMC Corporation. All other trademarks used herein are the
property of their respective owners. All other brand names are trademarks or registered trademarks of their respective owners.
Introduction:
EMC Documentum web applications are based on the WDK framework. These act as web clients to the
Content Server and provide a way of leveraging content server functionality through the web. The web
clients are J2EE based and run on an application server. The following is a very simple diagram of this
setup :
Web Clients –
Webtop/WebPublisher/DCM/DAM
WDK Framework
DMCL
Content Server
As it is clear from the stack above, we need to have an understanding of how authentication and sessions
are managed and related in the above layers – WDK/Application Server, DFC, DMCL and the Content
Server. In the course of debugging/troubleshooting, we deal with both Http Sessions and Documentum
Sessions.
Http Session Management capabilities are provided by the application server. WDK and DFC provide
Documentum Session Management capabilities. WDK is also responsible for binding a user’s Http session
to Documentum sessions. By default, application server authentication is not used (except for principal
authentication). WDK and DFC are responsible for generating the appropriate authentication call to the
content server.
WDK framework gathers user information via different schemes and sends it over to the content server
through DFC for the actual authentication. The end result of any type of authentication is the generation
of a connect api call to the content server having the user name, password, docbase and any additional
parameters.
The following authentication schemes can be used with WDK. The next section will have details on how
these schemes can be setup.
In this scheme, a content server ticket is used instead of the user password for authentication. Typically,
this is used when a user has logged into a different non-documentum application and now needs to access a
Documentum app (say Webtop) without having to login in again. The first app generates a ticket and passes
it as part of URL arguments including an option ‘startupAction’ parameter that specified the action to be
run after login. The following is an example of the ticketed login URL:
http://localhost:8080/webtop/component/main?ticket=DM_TICKET%3d0000001a3dd7626e.viper
@denga0008&username=testuser&docbase=viper
Please note the ticket parameter above. Content server generated tickets usually start with a DM_TICKET
qualifier. One way to test ticketed authentication is to use IAPI to get the ticket from the content server and
manually construct the url above and invoke it.
Single sign-on lets a user log on once and access multiple applications in a corporate intranet without
having to go through a login process for each application. For example, if a single sign on is implemented
in EMC/Documentum intranet, we would be able to access the support website, dm_notes webtop,
powerlink etc. after logging in only once through the web agent. A login token and a user name is added to
the http request by the Web Agent. Each application (say Webtop) examines the request and extracts the
token and user name. The token is then used as a password for the user. Http requests to all applications are
routed through the SSO Web Agent.
Step 1 – SSO
cookie/user
name
The following are the detailed steps for logging into webtop using SSO. Please refer to the diagram above.
Please note that the user_source attribute of the dm_user object can be modified to indicate plugin
authentication. This eliminates the need to append the string in step 2 to the password.
Principal Authentication enables a single login to the application server as well as the content server.
J2EE Principal Authentication leverages the authentication support provided by the application server.
Each application server has its own way of authenticating users. Once the user is authenticated, the
application server adds a principal object
1. User accesses a WDK application URL and a standard windows login dialog is shown.
2. Authentication succeeds and the user is redirected to the WDK application. The application server
adds a principal object to the http request that contains the user/principal name that has been
successfully authenticated.
3. WDK grabs the principal/user name and uses super user credentials to create a ticket for this user.
4. Finally, a super user session is created and the session is ‘assumed’ to the principal user using the
ticket created in step 3.
Please note that principal authentication requires super user credentials to be setup in one of the property
files on the application server machine.
This is the standard authentication where the user has to manually enter the user/password and select a
docbase to login.
scheme_class.1=com.documentum.web.formext.session.TicketedAuthenticationScheme
scheme_class.2=com.documentum.web.formext.session.SSOAuthenticationScheme
scheme_class.3=com.documentum.web.formext.session.UserPrincipalAuthenticationScheme
scheme_class.4=com.documentum.web.formext.session.SavedCredentialsAuthenticationScheme
scheme_class.5=com.documentum.web.formext.session.DocbaseLoginAuthenticationScheme
The WDK framework invokes all the schemes in the order they are specified. If one of the schemes
succeeds, the user is redirected to the WDK component requested. Custom schemes can also be configured
in this file. Please note that the last scheme is the Docbase Authentication. If all the other schemes fail, the
default login component that is part of this scheme is displayed.
Authentication Service:
Authentication service is responsible for managing the authentication process in WDK. The component
dispatcher (which serves requests for components) calls the authentication service when a component
requires authentication. Please refer to the sequence diagram below for the authentication flow:
Session Management:
WDK framework does not maintain a docbase session once the user logs on to a docbase. Docbase sessions
are requested and released by components and actions as needed. Thus, there can be multiple docbase
sessions requested/released in a single http session depending on the number of components that a user
navigates.
Each http session has a singleton instance of a DFC session manager (not a DFC session). Once the
authentication is complete, the authentication service creates an IDfLoginInfo object containing the user
name and password and sets it as an identity in the session manager. Any component or action requiring a
docbase session can request a session from this session manager by simply passing in the docbase name.
More than one identity can be set on the session manager. Thus, through the same http session we can
access multiple docbases.
The SessionManagerHttpBinding class provides an interface for getting access to a session manager
associated with the http session. It has static methods for getting the session manager, current user, current
docbase etc. Custom components can also use the SessionManagerHttpBinding class to get access to the
session manager.
Session Pooling:
Components usually get a docbase session from the session manager associated with the http session. Once
the docbase work is done, the session is released using the IDfSessionManager.release call. The released
docbase session may be internally pooled by DFC and DMCL.
In a default configuration, once a session is released, DFC keeps it in its pool for 5 seconds before releasing
it to dmcl. If another getSession call is made during this 5 second interval, DFC returns the same session
instead of requesting it from DMCL. This improves performance as session are rapidly requested and
released in a WDK application.
Please refer to the white paper on ‘DMCL and Session Management’ for understanding session pooling in
dmcl.
Timeouts:
Http Session Control Timeout is specific to WDK applications. This is triggered if the main frame of the
WDK application unloads. The main frame could unload if the user closes the browser window or
navigates to a different website (without logging off from WDK first). Once this event happens, the http
session for the user is invalidated after the time specified in the app.xml file which is set to 3 minutes by
default.
How do I:
//If the user name and passsword is not set return null. This means that the login
//component has not been invoked as yet.
if(user == null || password== null)
return null;
2. Create a new login component. This is not always required and depends on the need. Please refer
to the authentication steps to understand when the login component is invoked.
<config version='1.0'>
<scope>
</pages>
</component>
</scope>
</config>
JSP Page:
Java File
}
}
/*
* This event handler updates the label on the UI with a number
* stamp
*/
public void onButtonClick(Control ctrl,ArgumentList args)
{
//Get the label control to update
DropDownList docbaseList = (DropDownList) getControl("drDocbase", DropDownList.class);
String docbase = docbaseList.getValue();
SessionManagerHttpBinding.setCurrentDocbase(docbase);
3. Change the Authentication Schemes property file to add the new authentication scheme. This file
is located in WEB-INF/classes/com/documentum/web/formext/session.
Questionnaire:
1. How can you use the WDK Http Session Binding interface to create a docbase session? Write a
few lines of code.
2. List the steps necessary to create, deploy and test a new Authentication Scheme in WDK Apps?
3. If Netegrity SSO authentication is not working for a customer, what debugging steps would you
follow based on the authentication flow diagram for SSO given earlier in this white paper?