Authenticating the Calling User - Java Service Connector
Every API call that the client application makes to the Java Service Connector must include an appropriate WS-Security token in the SOAP header.
The token must be either:
- a UsernameToken, which specifies the username and password of the user on whose behalf the call is being made. (This is termed direct authentication.)
- a signed SAML 2.0 token, if SSO authentication is being used. (This is termed Single Sign-on (SSO) authentication.)
BPM LDAP authentication uses this token to authenticate the calling user. If the token does not identify a known TIBCO ActiveMatrix BPM user, the call is rejected.
SampleApp uses UsernameToken to authenticate the calling user. The sample application allows a user to provide the username and password through the USERNAME and PASSWORD fields in login.jsp.
private String getUserName(HttpServletRequest req) throws ServletException {
    // return the user name passed in the request
    String username = req.getParameter("userName");
    if (null == username)
        throw new ServletException("User Name cannot be null");
    return username;
}

private String getPassword(HttpServletRequest req) throws ServletException {
    // return the password passed in the request
    String password = req.getParameter("pass");
    if (null == password)
        throw new ServletException("Password cannot be null");
    return password;
}
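The UsernameToken header described above, built from the username and password that login.jsp supplies. This is an added example, not SampleApp or TIBCO code: the class UsernameTokenHeader, the OASIS WSS 1.0 wsse namespace and the PasswordText type are assumptions to confirm against the connector's WSDL, and only JDK DOM APIs are used.

```java
// Added example (not SampleApp or TIBCO code): builds a WS-Security UsernameToken header with JDK DOM
// APIs. Namespace and password-type URIs are the standard OASIS WSS 1.0 values, assumed to match the connector.
import java.io.StringWriter;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.*;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.*;

public class UsernameTokenHeader {
    static final String XMLNS = "http://www.w3.org/2000/xmlns/";
    static final String SOAP = "http://schemas.xmlsoap.org/soap/envelope/";
    static final String WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String PASSWORD_TEXT = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText";
    /** Builds a SOAP 1.1 envelope whose Header carries a wsse:UsernameToken; the Body is left for the caller. */
    public static Document buildEnvelope(String username, String password) throws Exception {
        if (username == null || username.isEmpty() || password == null || password.isEmpty()) {
            throw new IllegalArgumentException("username and password are required"); // same rule as getUserName/getPassword
        }
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        Document doc = f.newDocumentBuilder().newDocument();
        Element env = doc.createElementNS(SOAP, "soapenv:Envelope");
        env.setAttributeNS(XMLNS, "xmlns:soapenv", SOAP);
        env.setAttributeNS(XMLNS, "xmlns:wsse", WSSE);
        doc.appendChild(env);
        Element security = child(child(env, SOAP, "soapenv:Header"), WSSE, "wsse:Security");
        security.setAttributeNS(SOAP, "soapenv:mustUnderstand", "1"); // receiver must process the token or fault
        Element token = child(security, WSSE, "wsse:UsernameToken");
        child(token, WSSE, "wsse:Username").setTextContent(username); // DOM escapes any markup in the value
        Element pass = child(token, WSSE, "wsse:Password");
        pass.setAttribute("Type", PASSWORD_TEXT); // clear-text password: the SOAP call must travel over TLS
        pass.setTextContent(password);
        child(env, SOAP, "soapenv:Body");
        return doc;
    }
    private static Element child(Element parent, String ns, String qname) {
        Element e = parent.getOwnerDocument().createElementNS(ns, qname);
        parent.appendChild(e);
        return e;
    }
    public static String serialize(Document doc) throws Exception { // serialize for inspection or sending
        Transformer t = TransformerFactory.newInstance().newTransformer();
        t.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
        StringWriter out = new StringWriter();
        t.transform(new DOMSource(doc), new StreamResult(out));
        return out.toString();
    }
}
```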
Every BPM runtime user is identified by a Global Unique IDentifier (GUID). This GUID is needed to identify the user when calling various API methods, for example to display a work list. The authenticate method in SampleApp resolves the specified username through the BPM service API lookupUser, which looks up the username and returns the corresponding GUID. The GUID is then stored in the HTTP session for that user.
/*
 * =====================================================
 * METHOD : authenticate
 * =====================================================
 */
/**
 * Authenticates the user login and retrieves the user guid.
 *
 * @param req
 * @param resp
 * @throws ServletException
 */
private void authenticate(HttpServletRequest req, HttpServletResponse resp)
        throws ServletException {
    try {
        String username = getUserName(req);
        String guid = null;
        // resolve the username to its GUID through the EntityResolverService
        LookupUserResponse lookupUserResponse = getServiceConnector(req)
                .getEntityResolverService().lookupUser(username, null, null, true);
        if (lookupUserResponse.getDetailArray().length > 0) {
            guid = lookupUserResponse.getDetailArray(0).getGuid();
        } else {
            throw new ServletException("Unable to lookup user guid.");
        }
        LoginInfo loginInfo = new LoginInfo(username, guid);
        // store the user info in the session
        req.getSession().setAttribute(USER_INFO, loginInfo);
        displayWorklist(req, resp);
    } catch (InternalServiceFault e) {
        throw new ServletException(e);
    } catch (InvalidServiceRequestFault e) {
        throw new ServletException(e);
    } catch (com.tibco.n2.de.services.SecurityFault e) {
        throw new ServletException(e);
    }
}