The scenario considered here is one in which BPM Sign-on is used as the common Login page.
1. The bpmsignon.jar file is located in the <AppServer_Home>\sbm\WEB-INF\lib directory.
2. For each domain to be protected by BPM Sign-on API, you need to deploy a filter that will validate the current session and redirect to BPM Sign-on Login page if necessary. Your filter class needs to extend DomainFilter and override the following methods:
protected boolean isSessionValid(HttpServletRequest request, HttpServletResponse response): checks whether the current session is valid or not. Similar to SBMFilter, you can verify the existence of session attributes or beans specific to your application.
protected void createValidSession(HttpServletRequest request, HttpServletResponse response): this method creates a valid session according to your application needs.
3. To compile your filter, you need to add bpmsignon.jar to your classpath.
4. When you deploy your filter class, you can either copy it under the WEB-INF\classes directory or package it as a .jar file under WEB-INF\lib of your Web application, along with bpmsignon.jar.
5. To register your filter as part of your domain, you need to open WEB-INF\web.xml and edit the following deployment descriptors:
6. You need to provide the link to the BPM Sign-on Login page (as an absolute path) as a context parameter (BizPassLoginURL). You also need to specify the domainLogoutURL context parameter, which indicates the URL to request a logout action from the domain.
You can give any name to your filter (<filter-name> element), but make sure that you reuse the same name inside the <filter-mapping> block. The <filter-class> element specifies the fully qualified name of the class implementing your filter.
The wildcard expression enclosed in the <url-pattern> element indicates that BPM Sign-on should protect every URL link under the Web application and that the user should be redirected to the common Login page if the session is invalid. You may decide to restrict the single sign-on watchdog functionality to a subset of JSP pages or servlets instead.
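As an added illustration (not the product's own listing), the registration described in steps 5 and 6 could look like the fragment below. The host names, URL paths, filter name and filter class are hypothetical placeholders; BizPassLoginURL and domainLogoutURL are the parameter names given above.

```xml
<!-- Added example. All values are constructed placeholders. -->
<web-app>

  <!-- Absolute link to the common BPM Sign-on Login page.
       The host and path here are hypothetical. -->
  <context-param>
    <param-name>BizPassLoginURL</param-name>
    <param-value>https://sso.example.com/LOGIN_PAGE_PATH</param-value>
  </context-param>

  <!-- URL that requests a logout action from this domain (hypothetical). -->
  <context-param>
    <param-name>domainLogoutURL</param-name>
    <param-value>https://app.example.com/myapp/LOGOUT_PATH</param-value>
  </context-param>

  <!-- The filter name is free-form, but it must be repeated exactly
       in the filter-mapping block below. -->
  <filter>
    <filter-name>MyDomainSignOnFilter</filter-name>
    <!-- Fully qualified name of your class that extends DomainFilter
         (hypothetical class name). -->
    <filter-class>com.example.myapp.MyDomainFilter</filter-class>
  </filter>

  <!-- /* puts every URL of the Web application behind the session check.
       A narrower pattern (for example /secure/*, hypothetical) limits the
       check to that subset; requests that do not match the pattern are
       never seen by the filter, so they are not redirected to the Login
       page when the session is invalid. -->
  <filter-mapping>
    <filter-name>MyDomainSignOnFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

</web-app>
```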
7. If you decide to use BPM Sign-on as an entry point for all your Web sites, you can customize the default login.jsp implementation in the <App server specific folder>\sbm\bpmportal directory.
8. Create the <BizPassWebApp>\login\login.jsp directory or create your own Login page. However, you need to follow these guidelines:
Submit the user ID and password according to the HTTP parameters BizPassUserID and BizPassUserPassword respectively.
The BizPassHomeURL parameter should point to the default home page after a successful authentication. You also need the logout URL information corresponding to the default domain (domainLogoutURL context parameter). Finally, the BizPassFilter <url-pattern> in the web.xml of the BPM Sign-on domain should specify the link to the Login page.
9. Edit the WEB-INF\web.xml deployment descriptor: