For each Web application that you want to use with the J2EE Agent, you need to configure the Web application to use the J2EE Agent for login and for logout. You do this by configuring the application’s web.xml file:
The web.xml file of the sample application (PayrollApp.ear) has these modifications. The location of this sample payroll application is platform-specific:
On a Linux J2EE server, this application is copied to the /opt/novell/nids_agents/examples directory.
On a Windows J2EE server, this application is copied to the <Install_Directory>\sampleapp directory.
For more information on the sample payroll application, see Section 1.2, Overview of the Sample Payroll Application and Section 7.0, Deploying the Sample Payroll Application.
The Web application needs to be able to log in to the Identity Server that you have configured the J2EE Agent to trust. You accomplish this by specifying that the Web application uses FORM authentication. This is specified in the <login-config> section of the application's descriptor in the WEB-INF/web.xml file. For example:
<login-config> <auth-method>FORM</auth-method> <form-login-config> <form-login-page>/login</form-login-page> <form-error-page>/login</form-error-page> </form-login-config> </login-config>
The <form-login-page> and <form-error-page> elements need to be set to a URL that is mapped to the following servlet class:
com.novell.nids.agent.auth.LoginServlet
The above <login-config> element specifies /login as the login page and the error page. The /login URL needs a servlet mapping within the application's web.xml file:
<servlet> <servlet-name>LoginServlet</servlet-name> <servlet-class> com.novell.nids.agent.auth.LoginServlet </servlet-class> </servlet> <servlet-mapping> <servlet-name>LoginServlet</servlet-name> <url-pattern>/login</url-pattern> </servlet-mapping>
As part of single sign-on and single logout, the J2EE Agent supports the following:
Notifying the Identity Server about application-level logout events.
Informing the J2EE applications when the Identity Server logs a user out.
For global logout to function, you need to add a logout servlet and its servlet mapping to the web.xml file:
<servlet> <servlet-name>LogoutServlet</servlet-name> <servlet-class> com.novell.nids.agent.auth.LogoutServlet </servlet-class> <init-param> <param-name>postLogoutURL</param-name> <param-value>/loggedOut</param-value> </init-param> <init-param> <param-name>websphereLTPAMechanism</param-name> <param-value>false</param-value> <description> This should be set to true in order to clear LTAP cookies and tokens in case of websphere with LTPA as authentication mechanism </description> </init-param> </servlet> <servlet-mapping> <servlet-name>LogoutServlet</servlet-name> <url-pattern>/logout</url-pattern> </servlet-mapping>
Two parameters are defined in this servlet: the postLogoutURL parameter and the WebsphereLTPAMechanism parameter.
The URL pattern of the LogoutServlet can be customized for the application's requirements. To cause the LogoutServlet to notify the Identity Server about a user logging out, the user is redirected to the URL in the Web module as specified by the postLogoutURL servlet initialization parameter. If it is not specified, the LogoutServlet defaults the postLogoutURL to /.
The <param-value> for the WebsphereLTPAMechanism parameter is set to false by default. When the WebSphere server is configured to use the LTPA authentication mechanism, the <param-value> must be set to true so that when the global logout is performed, the Novell J2EE Agent clears the LTPA cookie.
If the <param-value> is not set to true and the LTPA cookie is not cleared during the logout, the users have problems connecting from a browser that was not closed after a previous logout.
This<param-value> is also available in the web.xml file of the sample PayrollApps.
More than one <url-pattern> value can be specified for the LogoutServlet. The function of the LogoutServlet is to notify the Identity Server about the application logout. The Identity Server is responsible for notifying all other components about the logout.