Form-based Authentication
Most alternative authentication schemes are capable of populating the REMOTE_USER variable with the authenticating user ID. If not, then you must ensure that the servlet APIs return the appropriate value, using a custom servlet filter to wrap the HttpServletRequest. See Configure Custom Authentication Filter for more information.
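The following is an added example, not PTC code, of the custom servlet filter the paragraph above refers to: it wraps the HttpServletRequest so that getRemoteUser() and getUserPrincipal() return the user ID established by an external form-based SSO solution. The header name (X-Authenticated-User), the init-parameter names, and the trusted-proxy address check are assumptions for illustration; the real header and the gateway addresses come from the solution you deploy.

```java
// Added example (not PTC's code): servlet filter that exposes the user ID
// asserted by an external form-based SSO gateway through the standard servlet
// API, so getRemoteUser() behaves like REMOTE_USER does with other schemes.
// Header name and trusted proxy addresses are assumed and set via init-params.
import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

public class RemoteUserFilter implements Filter {

    private String userHeader;          // assumed init-param, e.g. "X-Authenticated-User"
    private Set<String> trustedProxies; // assumed init-param: addresses allowed to assert it

    @Override
    public void init(FilterConfig config) throws ServletException {
        userHeader = config.getInitParameter("userHeader");
        String proxies = config.getInitParameter("trustedProxies");
        if (userHeader == null || proxies == null) {
            throw new ServletException("userHeader and trustedProxies init-params are required");
        }
        trustedProxies = new HashSet<>(Arrays.asList(proxies.trim().split("\\s*,\\s*")));
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        String user = http.getHeader(userHeader);
        // Honour the header only when the request arrived from the SSO gateway.
        // A header that a client can set directly must never become REMOTE_USER.
        if (user != null && !user.isEmpty() && trustedProxies.contains(http.getRemoteAddr())) {
            chain.doFilter(new AuthenticatedRequest(http, user), res);
        } else {
            chain.doFilter(req, res);
        }
    }

    @Override
    public void destroy() { }

    /** Wrapper that reports the asserted user through the standard servlet API. */
    static final class AuthenticatedRequest extends HttpServletRequestWrapper {
        private final String user;
        private final Principal principal;

        AuthenticatedRequest(HttpServletRequest request, String user) {
            super(request);
            this.user = user;
            this.principal = () -> user; // Principal has a single abstract method, getName()
        }

        @Override public String getRemoteUser() { return user; }
        @Override public Principal getUserPrincipal() { return principal; }
        @Override public String getAuthType() { return HttpServletRequest.FORM_AUTH; }
    }
}
```

Map the filter in web.xml ahead of the application's own filters so downstream code sees the wrapped request. The remote-address check is the minimum trust boundary: the SSO gateway must also strip any client-supplied copy of the header before forwarding, and if there are additional load balancers between the gateway and JBoss, the address seen by getRemoteAddr() is theirs, so the trusted set must reflect the actual network path.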
Before you can configure PTC Arbortext Content Delivery for form-based authentication, you must select a form-based authentication solution and make any required modifications for its use with PTC Arbortext Content Delivery. There are a variety of form-based authentication solutions ranging from SiteMinder to the form-based authentication support built into JBoss. Although the individual configuration details are specific to the solution and are not documented here, the following sections include PTC Arbortext Content Delivery details that are important to understand. For details on setting up a form-based authentication solution, see the documentation provided by the solution.
* Any changes you make to files that are delivered with your PTC Arbortext Content Delivery application should be treated as customized files that can be overwritten by PTC during any maintenance installation process. Ensure that customized files are backed up.
Since the log out capability that is available with form-based authentication is not available with the default basic authentication and, therefore, is not described in detail in end user documentation, users may not be aware of the ability to log out. When rolling out a PTC Arbortext Content Delivery environment in which form-based authentication is enabled, alert users as to how they can log out. If you change the default log out behavior for the Log Out menu option (described later in this section), be sure to also communicate the new behavior to users.
Required Login Page Representation
As part of setting up a form-based authentication solution, you must establish a login page that produces a simple XHTML representation of your login form that can be used by clients (for example, Java command line utilities and browsers) to collect login data and post it to the URL specified by the wt.auth.form.submitUrl property. This page is necessary since non-browser clients need assistance in handling form-based authentication (which is, after all, an application convention intended for browser clients). The login form also allows browsers to detect when re-authentication is needed (for example, after the user session expires) and to display the login form within the web application.
PTC provides the login.jsp file as the required login page representation. The file is located in <WT_HOME>/codebase.war/login. Since the login.jsp file is used to represent the credential data fields required by the login form, you can edit the file to include appropriate display labels and form field names.
* PTC recommends that you do not use the login.jsp file as the actual login form configured for your form-based authentication solution.
HTTP Support for Form-Based Authentication
To support HTTP for servlet-based form authentication, remove the <secure> tag under the <cookie-config> section in the $HOME/codebase.war/WEB-INF/web-orig.xml file. By default, the servlet-based form authentication is supported for HTTPS.
<session-config>
    <session-timeout>30</session-timeout>
    <cookie-config>
        <http-only>true</http-only>
        <!--<secure>true</secure>-->
    </cookie-config>
</session-config>
* PTC recommends using only HTTPS and not HTTP, as configuring the server over HTTP puts the data at risk over the network. For more information about setting up your web server for HTTPS, see Configuring PTC Arbortext Content Delivery for HTTP Protocol in the PTC Arbortext Content Delivery Deployment Guide.
General Notes
The following notes can be helpful when considering which form-based authentication solution to use and when implementing the required changes:
When implementing form-based authentication, you should be aware of how timeouts are handled. A default servlet session timeout of 30 minutes is set in <WT_HOME>/codebase.war/WEB-INF/web-orig.xml. Additionally, you can provide an authentication timeout that is set within the form-based authentication solution. The authentication timeout is used whenever the form-based authentication solution is used and does not rely on the timeout of a servlet session.
When using the JBoss built-in form-based authentication, the session timeout and the authentication timeout are the same and are set in <WT_HOME>/codebase.war/WEB-INF/web-orig.xml according to the J2EE standard. When using another form-based authentication solution, there are settings that can include an idle timeout as well as a hard timeout for limiting the maximum session duration.