Customizing the Authorization Filter for SSO in PTC Arbortext Content Delivery
PTC Arbortext Content Delivery provides the capability to ensure that the user authorization for a single sign-on (SSO) setup is successful. You can use a third-party SSO authentication system to work with PTC Arbortext Content Delivery. After the SSO system authenticates a user, the system adds either a header variable or the session cookie to the initial user request for further access to PTC Arbortext Content Delivery. The header variable or the session cookie contains the user’s identifier.
* It is assumed that you have set up an SSO gateway (such as SiteMinder or OpenAM) in front of PTC Arbortext Content Delivery to intercept all traffic and perform authentication. After this SSO gateway allows the traffic through, PTC Arbortext Content Delivery uses this custom filter to verify that the user exists in the system. This section describes how to author this custom filter.
In PTC Arbortext Content Delivery, a custom authorization filter reads the user identifier from the header variable or the session cookie to check if the user exists in the system. The custom authorization filter must extend the wt.httpgw.filter.AbstractRemoteUserFilter filter and implement the getRemoteUser method. The getRemoteUser method retrieves the user name from the header variable or the session cookie of the user request and returns the user name to PTC Arbortext Content Delivery for further authorization. The following example shows a sample custom filter that extends the wt.httpgw.filter.AbstractRemoteUserFilter filter:
1. Stop all running coreServer, coreCMIserver, and JBoss services.
2. Perform the following steps to create the authentication filter Java class file:
a. Create the CustomUserAuthFilter.java file.
    package com.acd.filter;

    import java.io.IOException;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import sc.httpgw.filter.AbstractRemoteUserFilter;
    import org.apache.log4j.Logger;

    public class CustomUserAuthFilter extends AbstractRemoteUserFilter {
        private static final String CLASSNAME = CustomUserAuthFilter.class.getName();
        // One shared logger, created once instead of being reassigned on every request.
        private static final Logger logger = Logger.getLogger(CLASSNAME);

        @Override
        protected String getRemoteUser(HttpServletRequest servletRequest, HttpServletResponse servletResponse) throws IOException, ServletException {
            // Prefer the user name already established by the servlet container.
            String userName = servletRequest.getRemoteUser();
            logger.debug("RemoteUser: " + userName);
            if (userName == null) {
                // Fall back to the header variable that the SSO gateway adds to the request.
                String loginUser = servletRequest.getHeader("<customer provide header attribute value>");
                if (loginUser != null) {
                    userName = loginUser;
                } else {
                    logger.debug("Header did not provide a value for the user response attribute.");
                }
            }
            // May still be null when neither the container nor the header supplied a user name.
            return userName;
        }
    }
b. Create the following directory structure: <INS_HOME>/InS_SW/SW/Applications/Windchill.ear/codebase.war/delivery/custom/com/acd/filter
c. Place the CustomUserAuthFilter.java file in the filter folder of the directory structure created above.
d. Change the current directory to <WT_HOME>/bin from the command prompt.
e. Run the Windchill shell and, from the Windchill shell, change the directory to <WT_HOME>.
f. Run the following command to compile the CustomUserAuthFilter.java file and create the CustomUserAuthFilter Java class file:
    javac -classpath ".;%classpath%;<INS_HOME>\InS_SW\SW\System\WildFly\modules\system\layers\base\javax\servlet\api\main\jboss-servlet-api_4.0_spec-1.0.0.Final" -g InS_Home/InS_SW/SW/Applications/Windchill.ear/codebase.war/custom/com/acd/filter/CustomUserAuthFilter.java
This compiles CustomUserAuthFilter.java and places the CustomUserAuthFilter.class file inside <WT_HOME>/codebase.war/custom/com/acd/filter/CustomUserAuthFilter.class.
g. Place the CustomUserAuthFilter.java class file in the directory <INS_HOME>/InS_SW/SW/Applications/Windchill.ear/codebase.war/WEB-INF/classes/com/filter
* Create this directory structure, if not already present.
3. Perform the following steps to register the CustomUserAuthFilter.class Java class file as the custom filter:
a. Open the web-orig.xml file located in the directory <INS_HOME>\InS_SW\SW\Applications\Windchill.ear\codebase.war\WEB-INF
b. Add the following property in the web-orig.xml file to register the CustomUserAuthFilter custom filter in PTC Arbortext Content Delivery.
    <filter>
        <description>Filter to provide username for SSO</description>
        <filter-name>CustomUserAuthFilter</filter-name>
        <filter-class>com.acd.filter.CustomUserAuthFilter</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>CustomUserAuthFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
* Add this as the first filter in the file.
c. Disable the HTTP basic authentication.
    <!-- Custom - Begin (Single Sign-On) -->
    <!--
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>InService</realm-name>
    </login-config>
    -->
    <!-- End (Single Sign-On) -->
d. Allow anonymous access to the PTC Arbortext Content Delivery application UI resources.
    <!-- Custom - Begin (Single Sign-On) -->
    <url-pattern>/servlet/servicecenter/rest/*</url-pattern>
    <url-pattern>/core-ui/*</url-pattern>
    <url-pattern>/delivery/*</url-pattern>
    <url-pattern>/delivery/scadmin.jsp</url-pattern>
    <!-- Custom - End (Single Sign-On) -->
4. Restart the coreServer, coreCMIserver, and JBoss services.
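The sample filter in step 2a returns whatever value the configured header carries, so that value can be trusted only when the request really passed through the SSO gateway. The following added example (not PTC code; the class SsoHeaderCheck, its method and parameters, the user-name pattern, and the sample addresses are assumptions for illustration) shows checks a getRemoteUser implementation could apply before returning the header value: accept it only from the gateway's address, only when the header occurs exactly once, and only when it matches the expected user-name format.

```java
import java.util.List;
import java.util.Optional;
import java.util.Set;
import java.util.regex.Pattern;

/** Added illustration; class, method and parameter names are hypothetical. */
public class SsoHeaderCheck {
    // Assumed user-name policy: 1-64 letters, digits, dot, underscore, hyphen or at sign.
    private static final Pattern USER_NAME = Pattern.compile("[A-Za-z0-9._@-]{1,64}");

    /**
     * @param containerUser value of HttpServletRequest.getRemoteUser(), may be null
     * @param headerValues  every value of the SSO header, collected from HttpServletRequest.getHeaders(name)
     * @param peerAddress   value of HttpServletRequest.getRemoteAddr()
     * @param gatewayAddrs  addresses of the SSO gateway (deployment-specific assumption)
     * @return the user name to hand on for authorization, or empty if the request is not trusted
     */
    public static Optional<String> resolveUser(String containerUser, List<String> headerValues,
                                               String peerAddress, Set<String> gatewayAddrs) {
        if (containerUser != null) {
            return Optional.of(containerUser);  // the container already established the user
        }
        if (!gatewayAddrs.contains(peerAddress)) {
            return Optional.empty();            // request bypassed the gateway: ignore the header
        }
        if (headerValues.size() != 1) {
            return Optional.empty();            // header missing, or sent more than once
        }
        String candidate = headerValues.get(0).trim();
        return USER_NAME.matcher(candidate).matches() ? Optional.of(candidate) : Optional.empty();
    }

    public static void main(String[] args) {
        Set<String> gateways = Set.of("10.0.0.5");  // constructed sample gateway address
        // Constructed sample requests: via the gateway, direct to the server,
        // duplicated header, and a header value containing CR/LF.
        System.out.println(resolveUser(null, List.of("jsmith"), "10.0.0.5", gateways));
        System.out.println(resolveUser(null, List.of("jsmith"), "192.0.2.44", gateways));
        System.out.println(resolveUser(null, List.of("jsmith", "admin"), "10.0.0.5", gateways));
        System.out.println(resolveUser(null, List.of("js\r\nmith"), "10.0.0.5", gateways));
    }
}
```

The peer-address check complements, and does not replace, configuring the gateway to strip any client-supplied copy of the header and restricting network access so that only the gateway can reach the application server.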