General Notes
The following notes can be helpful when considering which form-based authentication solution to use and when implementing the required changes:
Clients that are not Java applications or browser pages do not have a plugin mechanism for logging in and, therefore, cannot support form-based authentication unless a login can be effected through collection of simple inputs and a POST to a specified URL. If you cannot simply collect inputs and POST form data to a URL to log in with the form-based authentication solution you have selected, then it will likely be necessary to produce a custom form-based login handler for non-browser Java clients.
For information about creating a custom form-based login handler, see the Javadoc on com.ptc.fba.FormBasedLogin.
When implementing form-based authentication, you should be aware of how timeouts are handled. A default servlet session timeout of 30 minutes is set in <Windchill>/codebase/WEB-INF/web.xml. Additionally, you can provide an authentication timeout that is set within the form-based authentication solution. The authentication timeout is used whenever the form-based authentication solution is used and does not rely on the timeout of a servlet session.
When using a simple Tomcat-based file-based authentication, the session timeout and the authentication timeout are the same and are set in <Windchill>/codebase/WEB-INF/web.xml according to the J2EE standard. When using another file-based authentication solution, there are settings that can include an idle timeout as well as a hard timeout for limiting the maximum session duration.
Form-based authentication is not appropriate for all server access. It is intended for interactive, attended clients.
Because form-based authentication has its own timeout (set in the authentication solution) and uses credential data (such as dynamically generated SecurID tokens), you cannot rely on form-based authentication for non-interactive, unattended clients. For such clients, access should use either an anonymous trusted client arrangement or protocol-based authentication:
For anonymous trusted client access (also known as Trusted Host Authentication), you can insert trustedAuth/ after the WindchillWebAppName/ in Windchill URLs.
You can use trusted authentication both for non-interactive authentication and for running tasks on behalf of various users without requiring authentication credentials. For more information, see the Javadoc on wt.httpgw.filter.TrustedAuthFilter.
For protocol-based access, you can insert protocolAuth/ after the WindchillWebAppName/ in Windchill URLs.
Windchill Java command line utilities are generally treated as interactive, attended clients. If this is inappropriate for a given utility, the RMI authentication behavior of such clients can be adjusted.
For more information, see the Javadoc on wt.httpgw.HTTPLogin.
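
The trustedAuth/ and protocolAuth/ URL notes above can be checked mechanically when reviewing the URLs that unattended jobs call. The following is an added example, not PTC code: it reports which job URLs still use the default path and rewrites them with the chosen element placed directly after the web app name. The host, the servlet paths, the web app name "Windchill" and all function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

# The two path elements named in the notes above.
AUTH_SEGMENTS = ("trustedAuth", "protocolAuth")


def _split_after_webapp(url, webapp):
    """Return (parsed URL, path elements that follow the web app name)."""
    parts = urlsplit(url)
    elems = parts.path.split("/")  # "/Windchill/a/b" -> ["", "Windchill", "a", "b"]
    if len(elems) < 2 or elems[1] != webapp:
        raise ValueError(f"path of {url!r} does not start with /{webapp}")
    return parts, elems[2:]


def auth_mode(url, webapp):
    """Return the auth element a URL uses, or "default" when it has none."""
    _, rest = _split_after_webapp(url, webapp)
    return rest[0] if rest and rest[0] in AUTH_SEGMENTS else "default"


def with_auth_segment(url, webapp, segment):
    """Place segment/ directly after webapp/, replacing any element already there."""
    if segment not in AUTH_SEGMENTS:
        raise ValueError(f"unknown auth segment: {segment!r}")
    parts, rest = _split_after_webapp(url, webapp)
    if rest and rest[0] in AUTH_SEGMENTS:
        rest = rest[1:]  # idempotent, and lets a caller switch modes
    if not rest:
        rest = [""]  # keep the trailing slash after the inserted element
    path = "/".join(["", webapp, segment] + rest)
    return urlunsplit(parts._replace(path=path))


def audit(urls, webapp="Windchill"):
    """List URLs on the default path, where an interactive login would apply."""
    return [u for u in urls if auth_mode(u, webapp) == "default"]


# Constructed sample: URLs an unattended job might call (host and paths are made up).
JOB_URLS = [
    "https://plm.example.com/Windchill/servlet/ExampleReport?format=csv",
    "https://plm.example.com/Windchill/protocolAuth/servlet/ExampleExport",
    "https://plm.example.com/Windchill",
]

if __name__ == "__main__":
    for u in audit(JOB_URLS):
        print(u, "->", with_auth_segment(u, "Windchill", "protocolAuth"))
```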