Mapping Credentials in Info*Engine Tasks and JSPs

Info*Engine provides the capability of mapping the identity of a user to a specific username and password that is then passed to a back-end system through an adapter or to a Message-Oriented Middleware (MOM) through messaging software or the Info*Engine Web Event Service. This mechanism becomes active when an adapter webject or a webject that accesses the MOM is executed but no username and password information is explicitly provided in the webject.

With a credentials mapping mechanism in place, Info*Engine can dynamically add authentication parameters to these webjects through a site-defined credentials mapping task or a set of credentials files.

• If the author of a task or JSP explicitly specifies DBUSER and PASSWD parameters on a webject, those parameters take precedence over any other authentication information that might be available.

• If DBUSER and PASSWD parameters are not explicitly specified, Info*Engine attempts to provide values for them from the credentials mapping information.

• If no credentials mapping information is available, or if the credentials mapping does not provide valid DBUSER and PASSWD values for the adapter to which a webject is being routed or for the MOM, Info*Engine does not send any DBUSER or PASSWD values. In this case, the adapter obtains default values from its configuration properties. The Info*Engine messaging software or Web Event Service obtains default values from its configuration properties. If no default values are set, Info*Engine attempts anonymous access.

• Windchill is pre-configured to include a credentials mapping task. This task is configured through the Windchill adapter using the wt.federation.task.mapCredentials property value, which is set to /wt/federation/MapCredentials.xml. The contents of this task are dynamically generated, starting with the following file:

and uses the property values found in site.xconf. This credentials mapping task has the ability to provide credentials to adapters based on whether the current user is an administrator or a regular user. If you would like to modify mapped credentials, you can set properties in site.xconf. For more information, read the contents of MapCredentials.xml.template. Windchill’s LDAP access for user and group information relies on this credentials mapping task.

If you need to customize this task you should do so by modifying the MapCredentials.xml.template file. You should also keep a backup copy, because a patch or maintenance release installation may overwrite your customization.

• When Info*Engine is called to parse and execute a JSP page or a task that accesses an adapter, it checks to see if a credentials mapping task has been defined. If it discovers that one has been defined, it executes the specified task before executing the JSP page or task originally passed to it. The output group produced by the credentials mapping task is saved as a context group named Auth-Map.

• When Info*Engine encounters a webject that must be routed to an adapter, it checks the webject to see if DBUSER and PASSWD parameters have been specified explicitly. If they have not been specified, it uses the value of the webject INSTANCE parameter as a key to find DBUSER and PASSWD values in the Auth-Map context group. If values are found, it adds them to the webject as if they had been specified explicitly by the author of the task. Otherwise, the webject is routed to the adapter unmodified.

For more information, see Credentials Mapping. For descriptions of the credentials mapping properties, see the Info*Engine properties help that is accessible through the Info*Engine Property Administration utility.