Wednesday, February 16, 2011

WebSEAL Landing Page Personalisation

Creating a Landing Page for WebSEAL authenticated users can be a useful technique for ensuring a consistent user experience, providing a means of delivering messages to end users and providing a personalised experience. This does not mean that you have to invest in a heavy-weight portal product to provide this functionality, though.

Simple ASPs, JSPs, PHP scripts, PERL scripts and any number of other scripting technologies can be used to greet the user and personalise the landing page without resorting to performing a lookup in the credential store for information. How can we do that? Well, to reuse a well-known modern-day philosopher's phrase, it's simples!

WebSEAL can pass the User ID of the user to the protected landing page in an HTTP header called IV_USER. We can pick this up as follows:

my $user = $ENV{"HTTP_IV_USER"};

String user = request.getHeader("iv-user");

user = Request.Headers["iv-user"];

$user = $_SERVER['HTTP_IV_USER'];

Note: The names of the HTTP Header will vary depending on the scripting technology being used.

So now I have my User ID, I can make use of this information in my page to say something like "Welcome sswann". I nice touch, I'm sure you will agree.

But of course, WebSEAL can be so much more powerful that that. It can also send IV_GROUPS out of the box which will be the groups that the user is a member of. With this information, we could build a list of hyperlinks that are available to that user. In code/pseudo code, that could look like this:

String groups = request.getHeader("iv-groups");
if (groups.indexOf("administrators") >-1) {
   // Show a link to the administrator's application
if (groups.indexOf("auditors") >-1) {
   // Show a link to the auditor's application

Wonderful, you might think, with the obvious next question being "what else can I do?"

Well, we could add any attribute assigned to the user object in the TAM LDAP as a similar HTTP header object. To do so, though, is a two-step process:

Step 1: WebSEAL Configuration
Let's assume that we want to make the forename and surname for our user available to our landing page. We need to configure WebSEAL to retrieve these attributes from the LDAP and make them available within the credential. To do so, the WebSEAL configuration file needs updated as such:

TAM_CRED_ATTRS_SVC = azn_ent_cred_attrs

[aznapi-configuration ]
cred-attribute-entitlement-services = TAM_CRED_ATTRS_SVC

person = azn_cred_registry_id

tagvalue_credattrs_sn = sn
tagvalue_credattrs_givenname = givenname

Step 2: Junction Configuration
Next we need to ensure that we pass these attributes to our landing page. On the WebSEAL junction hosting this "personalised" landing page, we would perform the following pdadmin commands:

pdadmin> object modify /WebSEAL/webseal_instance/junction_name set attribute HTTP-Tag-Value credattrs_sn=surname
pdadmin> object modify /WebSEAL/webseal_instance/junction_name set attribute HTTP-Tag-Value credattrs_givenname=forename

Now, we can extract the HTTP header variables for forename and surname and provide a "Welcome Stephen Swann" message because these header attributes will be passed to our landing page process:

String surname = request.getHeader("surname");
String forename = request.getHeader("forename");

We haven't had to perform any lookups in a data repository and our landing page can be kept very simple indeed with just a couple of lines of scripting.


Unknown said...

Thanks for very informative blog abt the landing page.
I have one question here...
personalised landing page that you created, if we want to display some set of links the user particular is suppoe to access how do we achieve that ??
please reply

Unknown said...

Hello Stephen,
This is issue needs a very urgent resolution Could you please reply asap ?

Stephen Swann said...

I think you'll find that all the information you need to achieve what you are trying to do is already detailed in the blog post.

The blog post suggests that your "home page" is a non-static HTML page hosted using some application server. The blog post also shows the exact code you need if you want to base links on IV-GROUP memberships:

String groups = request.getHeader("iv-groups");
if (groups.indexOf("administrators") >-1) {
// Show a link to the administrator's application
if (groups.indexOf("auditors") >-1) {
// Show a link to the auditor's application

I've highlighted where you would need to place your link with the comments above. Using pseudo code, it would look like this:

if (groups.indexOf("auditors") >-1) {
print "Auditor Link";

NOTE: Ordinarily, I wouldn't reply to comments asking me to "reply asap" as I do have a day job to attend to and I don't like the idea of doing other people's work for them. There was more than enough information in this blog post as it stood.

Unknown said...

Thanks a lot Stephen for your clarifying it again....
I have some querries Kindly provide some pointers to it as I am very new TAM it will be very useful...

Assignment is as below:
There is a WebSEAL environment with SSO enabled, AD as user registry
and IBM websphere portal page is used as landing page (which is
displayed after WebSEAL's default login page). The requirement is to
replace the Websphere portal landing page by a jsp/servlet page(J2EE application). This jsp/servlet page should display a set of links that the user is authorized to access.

Approach for the solution:
1. J2EE application (jsp/servlet):
Develop the new J2EE application. This J2EE application has landing(home) page with scripting code(jsp/servlet) to retrieve user
and their groups from the http header "iv-user" and "iv-groups"
(default header attributes set by the WebSEAL) respectively.
This scripting code checks the group and links mapping and based on
the group of the user, it displays only those links that are
authorized for the user.
The group and link mapping is hard-coded in the code, or to make it
configurable we can store it in the one of the property file or

2. Deploy J2EE application.
Deploy this newly develop J2EE application to websphere.
Any additional configuration is required to do for websphere ?

3. WebSeal and junction configuration:
Update the existing junction or create the new junction on the
WebSEAL for directing the request to the new URL of the J2EE application-landing page. I think
the update the existing junction will be good as the required ACLs and
POPs are already attached to it. pls provid ur inputs.

** Can we update the existing junction for this ? Or creating new
junction will be better approach?
** Any additional configurations are required at junction or WebSEAL end?

Unknown said...

and if new junction needs to be created kindly provide me with type of junction to be created and the required attributes to be passed