Step-up authentication

I was going through the What's new in the IBM WebSphere Portal 6.0.1 and 6.1 Programming Model slides, and they have a couple of slides on Step-up Authentication - Application Flow.



The basic idea is that if you're not logged in you can still see data, but when you want to perform, say, a write operation, or any operation that requires the user to be logged in, you ask the user to log in at that point rather than up front.

By default, Portal has the concepts of Anonymous User and All Authenticated Users. If you want to display a public page, or a portlet on a public page, you assign Anonymous User access rights to it and it works.

Portal 6.1 adds the concept of a Remember Me cookie, which remembers the user who last logged in from that browser and gives you access to their name even before they log in. Because of the Remember Me cookie, Portal has one additional authentication state, identified: the user's id is stored in a persistent cookie in the browser, and when the user accesses a portal page, Portal can recognise the user from that cookie before they log in. Note that this identification rests only on possession of the cookie, not on a password, so it is a weaker assurance than a real login.

You can use the identified authentication level to show a few portlets or pages to a user who is not logged in, as long as Portal can identify the user from the Remember Me cookie.

To try this feature I decided to create a Remember Me page, and on that page I added a Remember Me portlet, which reads the user name and prints it to System.out (you can change it to display it on screen). I wanted to display this only to identified users. I followed these steps to do that:


  • Assign Anonymous User access rights to both the Remember Me page and the Remember Me portlet.

  • Then use the Resource Permissions portlet to change the authentication level of the Remember Me page and the Remember Me portlet. On that screen, click on the Standard link.

  • On the next page you will see the three authentication levels.

    Change the authentication level to Identified. Assign the Identified level to both the Remember Me page and the Remember Me portlet.




Now when you access the portal and you are not identified, you won't see the Remember Me page or portlet. But if you are identified, that is, Portal recognises you from the Remember Me cookie, you will see them.

This is the list of authentication levels:

  1. Standard: the default, context-related authentication level

  2. Identified: the user is identified through a persistent HTTP cookie (the Remember Me cookie), without a password

  3. Authenticated: the user has authenticated with username and password



When you try to access an Authenticated-level resource with anything less, the user is redirected to the login page. That redirect is the step-up: an identified user can browse identified-level pages, but must still supply a password before a resource at the Authenticated level is served.
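To make the level ladder and the step-up concrete, here is an added example that is not code from this post or from WebSphere Portal. It models the three levels, a persistent Remember Me cookie whose contents are protected by an HMAC (a constructed cookie format with an assumed server key, not Portal's own format), a resource table standing in for the per-page and per-portlet levels set in the Resource Permissions portlet, and the decision to allow, hide, or redirect to login. All names (`AuthLevel`, `authorize`, `RESOURCE_LEVELS`, the `/rememberme` and `/account/edit` paths, the user `alice`) are assumptions made for this illustration.

```python
import base64
import binascii
import hashlib
import hmac
import time
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Optional, Tuple


class AuthLevel(IntEnum):
    STANDARD = 0       # default, context-related: no identity established
    IDENTIFIED = 1     # identity recovered from a persistent Remember Me cookie
    AUTHENTICATED = 2  # identity proven with username and password this session


# Assumed server-side secret for this demo; a real portal loads it from protected config.
SERVER_KEY = b"constructed-demo-key-not-for-production"
COOKIE_NAME = "RememberMe"


def issue_remember_me_cookie(user: str, ttl_seconds: int, now: Optional[int] = None) -> str:
    """Build a persistent cookie 'user|expiry|mac' (base64url). The HMAC binds the user
    id and expiry so the browser cannot edit the cookie to claim another identity or
    extend its life. Constructed format for this example, not Portal's wire format."""
    now = int(time.time()) if now is None else now
    payload = f"{user}|{now + ttl_seconds}"
    mac = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(f"{payload}|{mac}".encode()).decode()


def identify_from_cookie(cookie: Optional[str], now: Optional[int] = None) -> Optional[str]:
    """Return the user named by a valid, unexpired cookie, else None. Tampering,
    corruption and expiry all degrade the visitor to anonymous, never to an error."""
    if not cookie:
        return None
    now = int(time.time()) if now is None else now
    try:
        user, exp, mac = base64.urlsafe_b64decode(cookie.encode()).decode().rsplit("|", 2)
        expiry = int(exp)
    except (ValueError, binascii.Error, UnicodeDecodeError):
        return None
    expected = hmac.new(SERVER_KEY, f"{user}|{exp}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected) or expiry <= now:
        return None
    return user


@dataclass
class Request:
    path: str
    cookies: dict = field(default_factory=dict)
    session_user: Optional[str] = None  # set only by a password login in this session


def effective_level(req: Request, now: Optional[int] = None) -> Tuple[AuthLevel, Optional[str]]:
    """Highest level the request can claim: a password login outranks the cookie,
    the cookie outranks anonymous."""
    if req.session_user:
        return AuthLevel.AUTHENTICATED, req.session_user
    user = identify_from_cookie(req.cookies.get(COOKIE_NAME), now)
    if user:
        return AuthLevel.IDENTIFIED, user
    return AuthLevel.STANDARD, None


# Assumed resource table standing in for the levels set per page/portlet in the
# Resource Permissions portlet. Unknown paths default to the strictest level.
RESOURCE_LEVELS = {
    "/public": AuthLevel.STANDARD,
    "/rememberme": AuthLevel.IDENTIFIED,
    "/account/edit": AuthLevel.AUTHENTICATED,
}


def authorize(req: Request, now: Optional[int] = None) -> dict:
    """Decide allow / hide / redirect-to-login for one request."""
    required = RESOURCE_LEVELS.get(req.path, AuthLevel.AUTHENTICATED)
    level, user = effective_level(req, now)
    if level >= required:
        return {"action": "allow", "user": user, "level": level.name}
    if required == AuthLevel.AUTHENTICATED:
        # Step-up: whoever the cookie says this is, an Authenticated-level resource
        # is only served after the identity has been proven with a password.
        return {"action": "redirect", "to": "/login", "user": user, "level": level.name}
    # Identified-only resources are simply not shown to anonymous visitors.
    return {"action": "hide", "user": None, "level": level.name}


def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store: per-user salt and PBKDF2 hash, never a plaintext password.
USERS = {"alice": (b"salt-alice", _pw_hash("correct horse", b"salt-alice"))}


def login(req: Request, user: str, password: str) -> bool:
    """Step-up: verify the password and raise this session to AUTHENTICATED."""
    salt, stored = USERS.get(user, (b"", b""))
    if not stored or not hmac.compare_digest(stored, _pw_hash(password, salt)):
        return False
    req.session_user = user
    return True


if __name__ == "__main__":
    t0 = 1_700_000_000
    req = Request("/rememberme", cookies={COOKIE_NAME: issue_remember_me_cookie("alice", 3600, t0)})
    print(authorize(req, t0))          # allowed as IDENTIFIED
    req.path = "/account/edit"
    print(authorize(req, t0))          # redirect to /login: step-up required
    login(req, "alice", "correct horse")
    print(authorize(req, t0))          # allowed as AUTHENTICATED
```

The design point worth noting is that the identified level is only as trustworthy as the cookie's integrity and lifetime, which is why the model signs the cookie, rejects it on any parse or MAC failure, and never lets it satisfy an Authenticated-level resource: the cookie can choose which identified-only pages to show, but the password login is what unlocks writes.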
