1.Configur i ngSi ngl eSi gnOn( SSO)f orT24br owser: T24 Browser implements implements a Single Sign-On (SSO) mechanism. This allows already authenticated users to provide credentials in the login request so to suppress the standard T24 Browser login page. To configure the SSO mechanism the following must be done:
ngl eSi gnOnFi l t e r 1)Si Un c omme ntt hes i gn l e s i g no nfi l t eri nt hewe b. x ml ml equest 2)HTTPr -To ensure that the single sign on filter is invoked all http requests should contain a ‘ Principal’, i.e. an object that implements the public abstract interface java.security.Principal. For further information on SSO configuration including LDAP, Certificates & Identities refer to the ‘ Security Service – Installation & Configuration Guide – Release 1.5 ’
This document is aimed at providing guidance to configure the TCServer, TCClient for setting up the environment for T24 Browser, ARC-IB with !A" !irector# server$ server$ This setup ena%les to add &B$&'T&R(A$)S&R into the !A" server and authenticating the e*ternal user using the !A" server$
2.Configur i ngHTTPBASI CAut hent i cat i onf orT24 Br owser : The T24 Browser servlet can be protected by the standard HTTP BASIC Authentication mechanism. The implementation o this access authentication mechanism in T24 Browser relies on the Java Authentication and Authorization Service !"AAS#. $# Secure the BrowserWeb application % &ncomment the BasicAuthentication'ilter in the web.(ml 2# Specify the JAAS Realm for BrowserWeb % This will be specific to the web server that the BrowserWeb is deployed on. •
In Tomcat 5.5 locate the Context configuration file:
\conf\Catalina\localhost\.xml In a typical installation the path would be: \conf\Catalina\localhost\BrowserWeb.xml •
") #oin to $%" Once the above has been configured correctly, and the web server full reset, it is possible to test this functionality by attempting to login to T24. As soon as the user navigates to the T24 Browser URL e.g. http://localhost:8080/BrowserWeb/servlet/BrowserServlet A dialog will appear to prompt for a User name & Password. The T24 user name and password should be supplied and ‘OK’ pressed.
If the credentials supplied are valid then the user will be presented with the appropriate T24 home page. If the credentials are not valid and result in a ‘SECURITY VIOLATION’ then the servlet will respond with a HTTP error 401 unauthorised . NOTE: Due to web browsers such as IE & Firefox caching the user credentials and automatically resubmitting them when required, it is necessary to close the browser window before an alternative set of credentials can be supplied. This is standard behaviour of web browsers and BASIC authentication.
") BASC Authentication as a Sinle Sin'(n echanism It is possible to override the authentication dialog by supplying the user credentials in a specified format in the HTTP header section of the request.
To receive authorisation, the client sends the user name and password, separated by a single colon (":") character, within a base64 encoded string in the credentials If the user agent wishes to send the username "Aladdin" and password "open sesame", it would use the following header field: Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ== Users can be authorised & logged on to T24 in one step. If the credentials are not valid and result in a ‘SECURITY VIOLATION’ then the servlet will respond with a HTTP error 401 unauthorised .
3* Sinle Sin'(n with Sitemin+er, T24 Browser uses an interactive screen to allow the users to log into the T24 system. With this enhancement, no login screen will be displayed. Users will click a hyperlink from a third party web application to access T24 browser. T24 Browser request will intercepted by a filter called CookieFilter, the filter will extract the User Name from the cookie and pass the sign on name to the T24. No password is stored in the request and no password will be passed to the T24. This user is already authenticated by external systems so password validation will be bypassed in T24. T24 users are authenticated externally by third party system. Cookie-name is configurable in the serv.config property file, the location of the property file should be mentioned in the system property of the server. Perform the following changes in the /BrowserWeb/WEB-INF/web.xml To process the request by CookieFilter, remove the comment from the below tags. With this your request and response will be processed by CookieFilter.
A generic customisable page is designed for sign out from t24 and for other error scenarios.
To allow the user to log into the T24 Browser, following changes need to be done in the OFS.SOURCE record of browser.
OFS.SOURCE record updated
If the value for the field ATTRIBUTES is set as “ PREAUTHENTICATED ” and if value for the field SOURCE.TYPE is set as SESSION, T24 BROWSER user will be treated as pre authenticated user. Only sign on name authentication will be done.