Configuration Guide

Configuring IBM WebSphere Application

Server 7.0 for Web Authentication with
SAS 9.3 Web Applications

Configuring the System for Web Authentication

ThisdocumentexplainshowtoconfigureWebauthenticationwithIBMWebSphereApplicationServerforthe
SASWebapplications.Beforeusingthisdocument,reviewWebAuthenticationinSAS9.3IntelligencePlatform:
SecurityAdministrationGuidetounderstandandverifythatWebauthenticationistheappropriatechoiceforyour
environment.
ThedefaultsecuritymechanismforSASWebapplicationsistoauthenticateagainsttheauthenticationprovider
oftheSASMetadataServer.Analternativeauthenticationmechanism,Webauthentication,istoconfigure
WebSphereApplicationServertoauthenticateagainstauserregistry,suchasanLDAPserver,andtoconfigure
SASWebapplicationstotrusttheauthenticationthatWebSphereApplicationServerperforms.
HerearethehighlevelstepsthatyoumustperformtoconfigureWebauthentication.
1.

Updatethelogin.configfileinyourSASconfigurationdirectorysothatitcontainsthenecessary
referencestothewebdomain.

2.

Addinformationaboutsecurityconstraints,anauthenticationmethod,andsecurityrolestotheSAS
LogonManagerapplication.Whenyoureinstalltheapplication,provideasecurityroletouserorgroup
mappingtoindicatewhichusershavepermissiontoaccesstheapplication.

3.

CopySASJARfilestotheWebSphereApplicationServerinstallation.

4.

UsingtheIBMWebSphereIntegratedSolutionsConsole(knownastheadministrativeconsole),update
informationabouttheloginmodulesthattheserverusesforauthenticationandauthorizationwhenthe
systemisconfiguredforWebauthentication.Youmustmodifyinformationforsomeloginmodulesand
addinformationforothers.

5.

ConfiguretheSASRemoteServicesapplicationsothatitsclasspathincludesthelocationofthe
WebSphereApplicationServerclassesthatrepresentJavaAuthenticationandAuthorizationService
(JAAS)principals.LogonManagerretrievesthecurrentSubjectfromWebSphereApplicationServer
andpassesittoRemoteServices.

6.

EnsurethatthecorrectJREisused.

7.

RestartRemoteServicesandWebSphereApplicationServer.YoucanalsorestarttheMetadataServer.

8.

Verifytheconfiguration.Youmightneedtocreateawebauthenticationdomainandaddnewaccounts
inthatdomainforusers.

Before Starting This Configuration

BeforeyoutrytoconfigureWebauthentication,youmustenableWebSphereApplicationServerapplication
securityandhavealreadyconfiguredtheusersandauserregistry,suchasanLDAPserverforauthentication.To
enablethesecurity,usetheWebSphereadministrativeconsoleandfollowthesesteps:
1.
2.

SelectSecurityGlobalSecurity.
UnderUseraccountrepositoryAvailablerealmdefinitions,selectFederatedrepositories.

3.
4.

ClickSetascurrent.
SelectConfigureOntheconfigurescreen,typeinyouradminusernameinPrimaryadministrative
usernameandexceptallotherdefaults.
5. ClickOktogotothenextscreen.
6. TypeintheadminpasswordandclickOk.
7. SelectGlobalsecurity.
8. CheckEnableadministrativesecurityandEnableapplicationsecurity.
9. Optionally,UseJava2securitytorestrictapplicationaccesstolocalresources.
10. ClickOkandsavethechanges.

YoumustrestartyourDMGRforthechangestotakeeffect.

ToconfigureWebSphereusersforauthentication,followthesesteps:
SelectManageUsers.
SelectCreate
TypeinuserID,suchassasdemo,andfillinotherfields.ClickCreate.YoucancreateasmanyuserIDsas
needed.

Formoreinformationaboutconfiguringauserregistry,seeChapter2:Configuringtheuserregistryinthe
WebSphereApplicationServerV7.0SecurityGuide.IfyouhaveDefaultApplication.earinstalledanditsroleAll
Roleismappedtoauserorgroup,youcanverifytheconfigurationbyaccessingaWebapplicationonthe
server.YoucanusesnoopbyopeningaWebbrowsertohttp://HOSTNAME:9080/snoop.IfWebSphere
ApplicationServerisconfiguredcorrectly,WebSphereApplicationServerasksyouforcredentialsthatarestored
intheuserregistry.

Beforebeginningthisconfiguration,besurethattheWebSphereApplicationServerthatishostingSASWeb
applicationsisrunning.Attheendoftheprocedure,youmuststartorrestartRemoteServicesandall
WebSphereApplicationServerprocesses.

Update the login.config Configuration File

UpdatetheSASconfigdir/Lev1/Web/Common/login.configfilesothatthealiasdomainpropertyissetto
web.Thefilecontentshouldresemblethisexample:
PFS {
com.sas.services.security.login.OMILoginModule
"host"="metadataserverhost"
"port"="8561"
"repository"="Foundation"
"domain"="DefaultAuth"
"trusteduser"="sastrust@saspw"
"trustedpw"="encodedpassword"
"aliasdomain"="web"

required

"debug"="false";
};
SCS {
com.sas.services.security.login.OMILoginModule

required

"host"="metadataserverhost "
"port"="8561"
"repository"="Foundation"
"domain"="DefaultAuth"
"trusteduser"="sastrust@saspw"
"trustedpw"="encodedpassword"
"aliasdomain"="web"
"holdopenconnection"="true";
"debug"="false";
};
ThedefaultvalueofaliasdomainisMidtierInternal.

Modify Logon Manager

TomakethenecessarychangestoLogonManager,youmustedittheweb.xmlfile.Theweb.xmlfileislocated
intheWEB-INFdirectory.Toextractandeditthefile,followthesesteps.
1.

UsetheWebSphereadministrativeconsoletostopanduninstallSASWebInfrastructurePlatform
applications(SASWebInfrastructurePlatformApplications9.3).Youneedtomakechangestothe
correspondingSASconfigdir/Lev1/Web/Staging/sas.wip.apps9.3.ear(EAR)file.

2.

Extractthesas.wip.apps9.3.earfilesothatyoucanaccesstheWEB-INFdirectoryforLogon
Manager.
a.

Inatemporarydirectory,extracttheEARfile.Youcanusethejarcommandtodothis:
jar xvf sas.wip.apps9.3.ear
Filesas.svcs.logon.warisavailableintheextracteddirectory.

b. Inasecondtemporarydirectory,extractsas.svcs.logon.war.YounowhaveaccesstotheLogon
Manager WEB-INFdirectory.
3.

Editthefileweb.xmlintheWEB-INFdirectorytoaddinformationaboutsecurityconstraints,an
authenticationmethod,andsecurityroles.Forexample,justabovetheclosing</web-app>tag,you
mightaddtheseelements:
<security-constraint>
<web-resource-collection>
<web-resource-name>All resources</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>SASWebUser</role-name>
</auth-constraint>
</security-constraint>

<login-config>
<auth-method>BASIC</auth-method>
<realm-name>myrealm</realm-name>
</login-config>
<security-role>
<role-name>SASWebUser</role-name>
</security-role>
Inthisexample,allpagesareprotectedandonlyuserswhohavebeenassignedtheSASWebUserrolecan
accessthem.
4.

BeforeyourebuildtheWARandEARfiles,changedirectoriesfromtheWEB-INFdirectorytothelib
directoryinsideit,andcopytheseJARfilestoatemporarylocation:
sas.core.jar
sas.oma.omi.jar
sas.security.sspi.jar
sas.svc.connection.jar
sas.svc.sec.login.jar
sas.svc.sec.login.websphere.jar
log4j.jar

Note:ThisstepisnotpartofupdatingSASWebInfrastructurePlatformapplications.However,itis
preparationforalaterstepinconfiguringWebauthentication.
5.

RebuildtheWARandEARfiles.Youcanusethejarcommandtocreatethesefiles:
jar cvf sas.svcs.logon.war *
jar cvf sas.wip.apps9.3.ear *

6.

CopytheEARfiletoyourstagingdirectory.However,donotoverwritetheoriginalEARfileunlessyou
alreadymadeabackupcopy.

Reinstall the SAS Web Infrastructure Platform Applications EAR File

UsetheWebSphereadministrationconsoletoreinstalltheEARfileandthenmaptheroleSASWebUsertousers
orgroups.ToreinstalltheSASWebInfrastructurePlatformapplications,followthesesteps.
1.

SelectApplicationsEnterpriseApplications.

2.

ClickCheck:SASWebInfrastructurePlatfomApplications9.3.ear.SelectUninstall.Savetheresults.

3.

ClickInstall.

4.

OntheSpecifytheEAR,WAR,JAR,orSARmoduletouploadandinstallpage,selecttheLocalfile
systemorRemotefilesystemradiobutton,andthenbrowsetothelocationoftheEARfile.Selectthe
EARfileandclickOK.ClickNext.

5.

Finishrunningtheinstallationwizardbyacceptingalldefaults.

6.

FromtheEnterpriseApplicationspage,selectthenewlyinstalledapplication.

7.

Onthepageforthatapplication,settheclassloadingbehaviorfortheEARfile:
a.

ClickClassloadingandupdatedetection.

b. OntheClassloaderpage,setClassloaderordertoClassesloadedwithlocalclassloaderfirst.
(LeavetheWARclassloaderpolicysettoClassloaderforeachWARfileinapplication.)

8.

ForeachWARfileintheEARfile,settheclassloaderbehavior:
a.

Onthemainpageforconfiguringtheapplication(EAR),clickManageModules.

b. ClickthenameoftheWebmodule(WARfile)thatyouwanttoconfigure.
c.

OntheconfigurationpagefortheWARfile,changethevalueofClassloaderordertoClassesloaded
withlocalclassloaderfirstandclickOK.

d. ClickOKtoclosetheManageModulepage.
9.

SetthestartuporderbyselectingStartupbehavior,settheStartupordervalueto3,andthenclickOK.

10. SetthesecuritymappingbyclickingtheSecurityroletouser/groupmappinglink.Maptherole
SASWebUsertousers.Ifthisoptionisnotappropriateforyoursite,thenconsidermappingtheroleto
groupsthataredefinedinyouruserregistry.Thefollowingfigureshowsanexampleofmappingtherole
tothegroupsasusersthatisdefinedintheuserregistry.

Note:IfyoudonotseetheRolethatyouenteredintheweb.xmlfile,thencheckthatthecorrectEARfile
isdeployedandthatthechangestotheweb.xmlfilearecorrect.

Copy SAS JAR Files to the WebSphere Installation

TheModifyLogonManagersectioninstructedyoutocopySASJARfilestoatemporarylocation.Copythose
filesnowtotheWAS_INSTALL_ROOT/lib/extdirectory.

Make Changes to Application JAAS Logins

UsingtheWebSphereadministrativeconsole,changetheJAASapplicationloginsforPFSandSCS.Tochange
applicationlogins,followthesesteps.
1.

SelectSecurityGlobalSecurityJavaAuthenticationandAuthorizationServiceApplication
logins.

2.

ForthePFSalias,makethesechangestotheloginmodule.
a.

Writedownthepropertiesusedforthismodule,forexample:

b. Deletethemodule.
c. Createanewmoduleofclassname:
com.sas.services.security.login.TrustedLoginModule
d. Addthepropertiesyourecordedandanewcustompropertywiththesevalues.

e.
f.

Name:aliasdomain
Value:DefaultAuth

Note:IfyouchoseanauthenticationdomainvalueotherthanDefaultAuthwhenyouranthe
SASDeploymentWizard,thenusethevalueyouchose.
ChangethevalueofthecustompropertydomainfromDefaultAuthtoweb.
Makesureitsorderis 1(one)andauthenticationstrategyisSufficient.

3.

FortheSCSalias,changethepropertiesassociatedwiththeloginmodulecom.sas.services.
security.login.OMILoginModule.

4.

Addanewcustompropertywiththesevalues.
Name:
Value:

aliasdomain
web

Add a Login Module to the System JAAS Login WEB_INBOUND

UsingtheWebSphereadministrativeconsole,assignanewJAASloginmoduletotheWEB_INBOUNDJAASalias.
1.

SelectSecurityGlobalSecurityJavaAuthenticationandAuthorizationServiceSystemlogins
WEB_INBOUNDJAASloginmodules.

2.

ClickNew,providethisinformation,andclickOK.
Moduleclassname:com.sas.services.security.login.websphere.WSTrustedLoginModule
Authentication strategy: OPTIONAL

3.

SelectthemodulethatyoujustcreatedandthenclicktheCustomPropertieslink.

4.

OntheCustompropertiespage,foreachofthesenamevaluepairs,clickNew,enterthenamevalue
pair,andclickOK.
Name:

aliasdomain

Value:

DefaultAuth

Name:

debug

Value:

false

Name:

domain

Value:

web

Name:

host

Value:

metadata-server-host

Name:

port

Value:

8561 (or nondefault port)

Name:

repository

Value:

Foundation

Name:

trustedpw

Value:

encoded-password (for sastrust)

Name: trusteduser
Value:

sastrust@saspw

Set the CLASSPATH for the Remote Services JVM

ModifytheclasspathforRemoteServicessothattheJavaVirtualMachine(JVM)canlocatetheWebSphere
ApplicationServerclassesthatitneedswhenitstarts.TheseJARfilesarerequiredandcontainclassesthat
representJAASprincipalsthattheJVMacquiresfromyourWebSphereApplicationServer:

WAS_INSTALL_ROOT/plugins/com.ibm.ffdc.jar
WAS_INSTALL_ROOT/plugins/com.ibm.ws.admin.core.jar
WAS_INSTALL_ROOT/plugins/com.ibm.wsfp.main.jar
WAS_INSTALL_ROOT/plugins/com.ibm.ws.runtime.jar
WAS_INSTALL_ROOT/lib/bootstrap.jar
WAS_INSTALL_ROOT/plugins/com.ibm.ws.emf.jar
WAS_INSTALL_ROOT/plugins/org.eclipse.emf.ecore.jar
WAS_INSTALL_ROOT/plugins/org.eclipse.emf.common.jar
WAS_INSTALL_ROOT/lib/j2ee.jar

Important:Youmustentertheclasspathallononeline,withoutspacesorcarriagereturns.

Windows
ForWindowsmachines,theRemoteServices.batscriptshouldresemblethefollowingexample:
:start2
start "SAS Remote Services" "%JAVA_JRE_COMMAND%" ^
-classpath "%CLASSPATH%" ^
-Dsas.ext.config="D:\Program
Files\SAS\SASFoundationServices\9.3\sas.java.ext.config" ^
-Djava.system.class.loader=com.sas.app.AppClassLoader
-Dsas.app.launch.config="%PICKLIST%" ^
-Dsas.app.repository.path="%SASVJR_REPOSITORYPATH%" ^
-Dsas.app.class.path="%REMOTESERVICESDIR%;
C:\IBM\WebSphere\AppServer\plugins\com.ibm.ffdc.jar;
C:\IBM\WebSphere\AppServer\lib\bootstrap.jar;
C:\IBM\WebSphere\AppServer\plugins\com.ibm.ws.admin.core.jar;
C:\IBM\WebSphere\AppServer\plugins\com.ibm.wsfp.main.jar;
C:\IBM\WebSphere\AppServer\plugins\com.ibm.ws.runtime.jar;

C:\IBM\WebSphere\AppServer\plugins\com.ibm.ws.emf.jar;
C:\IBM\WebSphere\AppServer\plugins\org.eclipse.emf.ecore.jar;
C:\IBM\WebSphere\AppServer\plugins\org.eclipse.emf.common.jar;
C:\IBM\WebSphere\AppServer\lib\j2ee.jar" ^
-Djava.net.preferIPv4Stack=true -Djava.net.preferIPv6Addresses=false
-Dmulticast_udp_ip_ttl=1 ^
-Dsas.vjr.dir="%SASVJR_REPOSITORYPATH%"
-Dsas.lev.dir="%LEVEL_ROOT%" -Dsas.home.dir="%SAS_HOME%" ^
Dsas.services.information.types.path="D:\Program
Files\SAS\SASPlatformObjectFramework\9.3\plugins" ^
-Dsas.vm.identifier=Lev3:5093 ^
-Xms128m -Xmx128m -XX:+UseTLAB
-XX:+UseConcMarkSweepGC -XX:+DisableExplicitGC
-Dsun.rmi.dgc.client.gcInterval=3600000
-Dsun.rmi.dgc.server.gcInterval=3600000 -Djava.awt.headless=true -Xss256k
-XX:NewSize=16m -XX:MaxNewSize=16m -XX:PermSize=64m -XX:MaxPermSize=64m ^
com.sas.framework.services.bootstrap.SASRemoteServices
goto end
IfRemoteServicesisstartedasaWindowsservice,thenyoumustmakethesamemodificationtothe
SAS-config-dir\Lev1\Web\Applications\RemoteServices\wrapper.conf
file.Thepartofthefilethatsetstheclasspathshouldresemblethefollowingexample:
# This numbering starts at the endpoint of the including wrapper.conf
wrapper.java.additional.3=-Dsas.app.class.path="C:\SAS\Config\
Lev3\Web\Applications\RemoteServices;C:\IBM\WebSphere\AppServer\plugins\
com.ibm.ffdc.jar;C:\IBM\WebSphere\AppServer\plugins\com.ibm.ws.admin.
core.jar;C:\IBM\WebSphere\AppServer\plugins\com.ibm.wsfp.main.jar;C:\
IBM\WebSphere\AppServer\plugins\com.ibm.ws.runtime.jar;C:\IBM\WebSphere\
AppServer\lib\bootstrap.jar;C:\IBM\WebSphere\AppServer\plugins\com.
ibm.ws.emf.jar;C:\IBM\WebSphere\AppServer\plugins\org.eclipse.emf.
ecore.jar;C:\IBM\WebSphere\AppServer\plugins\org.eclipse.emf.common.jar;
C:\IBM\WebSphere\AppServer\lib\j2ee.jar"

UNIX
ForaUNIXmachine,theclasspathpropertyissetbeneaththestart2tagandthechangesshouldresemblethefoll
owingexample:
start2)
"$JAVA_JRE_COMMAND" -Dsas.ext.config="/opt/SAS/SASFoundation
Services/9.2/sas.java.ext.config" \ -classpath "$CLASSPATH" \
-Djava.system.class.loader=com.sas.app.AppClassLoader \
-Dsas.app.launch.config="$MERGER_PICKLIST" \
-Dsas.app.repository.path="$SASVJR_REPOSITORYPATH" \
-Dsas.app.class.path="$REMOTESERVICESDIR" \
com.sas.framework.picklist.PicklistMerger \
-primary"$PRIMARY_PICKLIST" \ "$PICKLIST" \ "$SECONDARY_PICKLIST1"
\ "$SECONDARY_PICKLIST2" cd $REMOTESERVICESLOGSDIR nohup
"$JAVA_JRE_COMMAND" -Dsas.ext.config="/opt/SAS/
SASFoundationServices/9.2/sas.java.ext.config" \
-classpath"$CLASSPATH" \

9
-Djava.system.class.loader=com.sas.app.AppClassLoader \
-Dsas.app.launch.config="$PICKLIST" \
-Dsas.app.repository.path="$SASVJR_REPOSITORYPATH" \
-Dsas.app.class.path="$REMOTESERVICESDIR:/opt/IBM/WebSphere/AppServer/
plugins/com.ibm.ffdc.jar:/opt/IBM/WebSphere/AppServer/plugins/com.
ibm.ws.admin.core.jar:/opt/IBM/WebSphere/AppServer/plugins/com.ibm.
wsfp.main.jar:/opt/IBM/WebSphere/AppServer/plugins/com.ibm.ws.runtime.
jar:/opt/IBM/WebSphere/AppServer/lib/bootstrap.jar:/opt/IBM/WebSphere/
AppServer/plugins/com.ibm.ws.emf.jar:/opt/IBM/WebSphere/AppServer/
plugins/org.eclipse.emf.ecore.jar:/opt/IBM/WebSphere/AppServer/plugins
/org.eclipse.emf.common.jar:/opt/IBM/WebSphere/AppServer/lib/j2ee.jar" \
-Djava.net.preferIPv4Stack=true -Djava.net.preferIPv6Addresses=false
-Dmulticast_udp_ip_ttl=1 \ ...

Use the Correct JRE

OpenC:\SAS_Home\wrapper.confandensurethataJava6JREisspecified,forexample:
wrapper.java.command=C:\Program Files (x86)\Java\jre6\bin\java.exe

Restart Remote Services and WebSphere Application Server

Atthispoint,restartRemoteServicesandtheWebSphereApplicationServerthatishostingSASWeb
applications.Afterrestart,whenyoulogintoaSASWebapplication,WebSphereApplicationServerhandles
authentication.YoudonotseetheLogonManagerWebpage;instead,adialogboxpromptsyouforyouruserID
andpassword.WebSphereApplicationServerauthenticatestheuserIDandpasswordthatyouenteragainstthe
userregistry,suchasanLDAPserver,thatyouconfiguredpreviously.Youmightnotneedtoreenteryouruser
IDandpasswordeachtimeyoustartaSASWebapplicationbecausecredentialsarecached.

Set the WebApp.AuthDomain Property

SomeapplicationssuchasSASEnterpriseGuideneedtoknowtheauthenticationdomainthatisassociatedwith
theSASWebapplications.Followthesesteps.
1.

StartSASManagementConsoleandconnecttotheSASMetadataServer.

2.

SelectApplicationManagementConfigurationManagerSASApplicationInfrastructure.

3.

RightclickSASApplicationInfrastructureandselectProperties.

4.

SelectAdvanced.

5.

ClickAdd.

6.

SelectPropertyName,enterWebApp.AuthDomain.

7.

SelectPropertyValue,enterweb.

8.

ClickOKuntilyouareoutofthedialogs.

Log On to Verify the Web Authentication Configuration

IfyoursitewasmigratedfromapreviousSASreleaseandhasuserIDsandauthenticationdomainsalready
registeredinmetadata,tryloggingontoaSASWebapplicationsuchasSASWebReportStudio.
Otherwise,followthesestepstotestandconfirmthatWebauthenticationisproperlyconfigured.

1.

UseSASManagementConsoletocreateanauthenticationdomainnamedweb.
a.

RightclickUserManagerandselectAuthenticationDomains.

b. ClickNew,enterwebintheNamefield,andclickOK.
2.

ChooseatrialuserIDthatexistsinyouruserregistry.UseSASManagementConsoletocreateauser
definitionfortheuserinthewebauthenticationdomain.Donotenterapasswordfortheaccount.

3.

TryloggingontoaSASWebapplicationwiththeuserID.

Ifthelogonattemptfails,viewtheSASMetadataServerlog.LookfortheformatoftheuserIDthatwasusedin
thelogonattempt.UseSASManagementConsoletomodifytheuserdefinitionsothattheuseraccountinthe
webauthenticationdomainmatchestheuserIDinthelog.Whileyouaretroubleshooting,donotentera
passwordintheuserdefinitionbecauseithasnoeffectonWebauthentication.Also,donottryloggingonwith
aninternalaccountsuchassasadm@saspw.
Note:AspartofWebauthentication,theuserIDbutnotthepasswordischeckedagainsttheuseraccountsthat
arestoredintheSASMetadataRepository.TheuserIDusedtoauthenticatewiththeuserregistrymustmatch
exactlytheuserIDstringfoundontheSASMetadataServerforauthenticationtosucceed.Forexample,ifjoeis
theuserIDinyouruserregistry,theexactuserIDstringjoemustalsobefoundintheSASMetadata
Repositorywithoutaprefixeddomainname.

FORM Authentication
UsethefollowinginstructionstosetupasimpleFORMauthenticationwithWebSphere7.0andSAS9.3.
1.

Toenablethecustomlogoffmessage,followtheinstructionsatSample36785:Creatingacustom
messagetodisplaywhenuserslogoffortimeoutoftheSASBusinessIntelligenceWebapplications.

2.

Extractthesas.wip.apps9.3.earandsas.scvs.login.warfilesusingtheinstructionsinsection
ModifyLogonManager.

3.

Modifythe<loginconfig>sectioninweb.xmlasshownintheexamplebelow.Thespecificationofthe
<formloginpage>and<formerrorpage>arerequired,buttheassociatedfilenamescandifferfromthe
example.Thefilesalsocanbe.jsp files insteadof.htmlfiles.
<login-config>
<auth-method>FORM</auth-method>
<realm-name>Form Auth</realm-name>
<form-login-config>
<form-login-page>/was_login.html</form-login-page>
<form-error-page>/form_error.html</form-error-page>
</form-login-config>
</login-config>

4.

Createaloginformanderrorpagefilethatarereferencedintheweb.xmlfile.Therestofthepagecanbe
formattedperthecustomersneeds.TheACTIONspecifiedintheexampleisrequiredforsuccessfullogin
withWebSphere.Alsousetheexactnamevaluesintheinputfields.
Loginformcodeexample(was_login.html):
<FORM METHOD=POST ACTION="j_security_check">
<p>
<font size="2"> <strong> Enter user ID and password: </strong></font>
<BR><br>
<strong> User ID</strong> <input type="text" size="20"
name="j_username">
<Br>

10

<strong> Password </strong> <input type="password" size="20"

name="j_password">
<BR>
<BR>
<font size="2"> <strong> And then click this button: </strong></font>
<input type="submit" name="login" value="Login">
</p>
Errorpagecodeexample(form_error.html):
<!DOCTYPE HTML PUBLIC "-//W3C/DTD HTML 4.0 Transitional//EN">
<html>
<head><title>A Form login authentication failure occurred</head></title>
<body>
Error Message
</body>
</html>
5.

Savethefilesinrootlevelofsas.scvs.login.war.

6.

Modifythecustom_logoff.jspfile.Thefollowingexampleautomaticallyexecutesuponlogoff,and
redirectsyoubacktotheloginpage.

TheACTIONspecifiedintheexampleisrequiredtoinvalidatetheauthenticatedWebSpheresession.
Otherwise,customizetothecustomersrequirements.
<html>
<body onLoad="submitForm()">
<FORM METHOD=POST ACTION="ibm_security_logout" NAME="myForm" ID="myForm">
</form>
</body>
<script type='text/javascript'>
document.myForm.submit();
</script>
</html>
7.

Rebuildthe.warfileand.ear fileasdescribedinStep5oftheModifyLogonManager.

8.

Reinstallsas.wip.apps9.3.ear.

9.

RestartWebSphereserverinstance.

11

Recommended Reading
AsofDecember20 12:

IBMCorporation,2009.WebSphereApplicationServerV7.0SecurityGuide.
ibm.com/Redbooks.Availableathttp://www.redbooks.ibm.com/redbooks/pdfs/sg247660.pdf.

SASInstitute,Inc.,2011.SAS9.3IntelligencePlatform:SecurityAdministrationGuide.Cary,NC:
SASInstitute,Inc.Availableat
http://support.sas.com/documentation/cdl/en/bisecag/63082/PDF/default/bisecag.pdf.

SAS and all other SAS Institute product or service names are registered trademarks or trademarks of SAS Institute Inc. in the USA and other
countries. Other brand and product names are registered trademarks or trademarks of their respective companies.
indicates USA registration.
Copyright 2012 SAS Institute Inc., Cary, NC, USA. All rights reserved.
12
December 12, 2012