The Windchill Authentication Strategy
The Windchill user authentication strategy is based on Java Platform, Enterprise Edition (Java EE). The Java EE authentication strategy moves the responsibility for authentication from the web application to the Java EE web application container on which the application is deployed. The intent is to make the authentication mechanisms and policies that are used at runtime properties of the environment in which the application is deployed. Authentication is not written in the application code.
Java EE web application containers are required to support the following:
HTTP Basic authentication
SSL/TLS client authentication
Form-based authentication
Commercial web server security products, such as SiteMinder, may include these and add options for tokens (SecurID), biometrics, or single sign-on across multiple sites. Mechanisms other than HTTP Basic and SSL/TLS client authentication typically behave similarly to form-based authentication. These mechanisms rely on client session tracking by using HTTP cookie headers to achieve their results.
Windchill is designed to rely on web server authentication to provide authenticated user names. Therefore, access controls that are maintained on the web server or servlet engine determine access privileges to an authenticated Windchill URL. These controls determine access based on a user name and password that is obtained by the web browser. The HTTP authentication implementation results in the following Windchill configuration requirements:
Authenticated user names are web server user names.
The Windchill authenticated URLs must be subject to access control by the web server or servlet engine, allowing only authenticated users to access them. By default, the authentication mechanism used is HTTP Basic authentication (user name and password).
To understand how following a standard Java EE authentication strategy can still lead to problems, you must understand the mechanisms at work behind the scenes as described in the following sections.