Specifying authentication options

Web Clipping portlets support accessing content that requires either HTTP Basic authentication, FORM-based authentication, or Integrated Windows Authentication (NTLM). The default setting for authentication options is No authentication required. Select No authentication required only if the URL you specified to clip does not require authentication.

Setting credentials

If authentication is required, you must set credentials for all forms of authentication. Web clipping portlets use WebSphere Portal's credential vault to store authentication information. The Modify authentication options page in the Web Clipping Editor portlet has a link to the credential settings page. On this page, you select to either use a shared credential slot or a non-shared slot. In either case, the slots must already have been configured on the Credential Vault administration page. The shared credential slot will already have the user ID and password credential, which cannot be modified on this page. The non-shared slot is a slot identifier only. If a non-shared slot is selected, a user ID and password is requested in order to create a credential for the administrator building this Web clipping portlet.

The editor will pull the user ID and password from the credential in order to log in to the backend system. From now on, the credential vault is required to store all credential information.

When the Web clipping portlet is later edited, the Authentication Settings page will pull up the credential of the user editing the Web clipping portlet and will show user ID and password if the credential is non-shared.

If the Web clipping portlet is using a shared credential, the portlet will access the backend content using that credential without requiring the user to log in first. If the Web clipping portlet specifies a non-shared slot, and an instance of that slot does not yet exist for this portlet and the user accessing it, then the user will have to edit the portlet and provide a user ID and password for logging into the backend system. This user ID and password are stored in a new slot instance for the defined non-shared slot. The next time that user accesses this portlet, the credential will be re-used and the user will not have to log in again.

Editing of the portlet at runtime is still available to users with existing credentials to allow them to modify the user ID and password.

Authentication options

The three authentication options are:

HTTP Basic Authentication: This is the simplest form of authentication. You need only specify the realm to which the document belongs.
Form-based authentication: If you are required to log into a site using a form before being allowed to browse the site, then you must set up the Web clipping portlet to emulate the same steps. This is referred to as form-based authentication. Web Clipping portlets support only one of a broad set of FORM-based authentication techniques. The supported technique assumes that the authentication server will send back one or more cookies in response to a successful authentication attempt. These cookies are then used on all subsequent calls within that Web clipping portlet. That is, it is assumed that the login (or challenge) location and the actual URL to display are separate entities. The first location is used only to authenticate and returns a cookie in a standard HTTP 1.1 2XX response message. The second and all subsequent locations use the cookies from the first response.
Before configuring form-based authentication in your Web clipping portlet, you need three things:
- URL that is the target of the login form's submission
- The input parameters used for the user ID and password
- Any hidden input fields on the form that might be used during the authentication process.
To locate the target URL of the form submission, look for the <FORM> tag on the login page (browse the source of the page) and locate the ACTION attribute. The URL in the ACTION is the URL that you need to specify as the Log-in URL value on the Web clipping portlet's Modify authentication settings page.

Next find the <INPUT> fields for the user ID and password. The values for the NAME attributes should be used for the User parameter name and Password parameter name values on the authentication settings page.

Finally, locate any <INPUT TYPE="hidden" ...> elements on the page. These provide name/value pairs to the system where the login is performed and might be important for the login process. The Web clipping portlet will have to send them as well. Enter the hidden values in the Additional key value pairs entry field on the authentication settings page as a series of "name=value" pairs, separated by an ampersand (&).
NTLM Authentication: This authentication scheme allows you to use a native NT user name and password to authenticate with a Windows server without ever sending a password to the server. When you modify the authentication options for a Web clipping portlet, the NT domain name and NT workstation name: fields are optional for all LM compatibility levels. See the NTLM documentation for your product for details on how this works. Note: The LM Compatibility level is directly proportional to security, so that 1 LM/NTLM is less secure than 2 LM/NTLM only. If the corresponding server has a security level of 5, the user must select a LM Compatibility level of 3 LMv2/NTLMv2. Any level less secure than 3 LMv2/NTLMv2 will not communicate with a server of level 5. Web pages and resources on Web servers that are secured using SSL (URLs using the https protocol) and that also require NTLM authentication cannot be displayed.