All calls to the backend system will require authentication. The
authentication process is handled by IFS Middleware Server.
This process consists of three separate steps:
The client transmits credentials over HTTP/S to the security interceptor, which
then validates the credentials either with Active Directory or with the Oracle
database.
The user authentication process is managed by IFS Middleware Server before the call even reaches the IFS Applications backend. All calls from clients pass a security interceptor in the application server before the call reaches the IFS client gateway; thus, all such calls are intercepted and all users are authenticated before the call can continue.
Two authentication schemes are supported: HTTP Basic authentication, where the user credentials are validated using either Active Directory or the Oracle database, and Negotiate, where Windows Integrated Authentication is used to achieve Single Sign-On.
During the authentication process, the supplied user name and password are
verified and the granted application roles are added to the authenticated user.
If the user has been granted the IFSUser role, access to middle-tier Services and
Activities is allowed; if not, an exception is returned from the application
server (HTTP 401 - Unauthorized).
If access to the called Activity or Service method was allowed, the second security layer is
reached - Activity authorization. In this layer the call to the method is
intercepted by the Java Server Framework, which first maps the authenticated
user identity to an existing Foundation1 user (using the Foundation1 user's
Directory Id) and then checks if the called
activity/service is granted to the user. If true, the call proceeds to the
actual implementation, otherwise a security exception preventing the user from
calling the method is thrown from the Java Server Framework.
Authentication for web services exposed using IFS Connect and the SOAP Gateway is handled by the application server in the same way as for interactive clients. Services are configured for username/password authentication using the HTTP Basic scheme.
The credentials are not included in the SOAP XML message, but are instead included in the HTTP Authorization header field.
Web Service consumers connecting to the IFS Connect SOAP Gateway must be configured for the same authentication mode as the IFS application server's security interceptor. The web service client must also be configured with valid credentials (i.e. a username/password) for authenticating with the IFS Middleware Server.
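The following is an added example, not IFS code: a web service consumer that places the credentials in the HTTP Authorization header rather than in the SOAP XML, and refuses to do so without TLS because Basic credentials are only base64-encoded. The gateway URL, operation name and credentials are constructed placeholders, and the request is built but never sent.

```python
import base64
import urllib.request
from urllib.parse import urlsplit

# Constructed sample values: the gateway URL and operation name are
# placeholders, not real IFS endpoints or service definitions.
GATEWAY_URL = "https://ifs.example.com/soap-gateway-placeholder"
SOAP_BODY = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
    "<soapenv:Body><ExampleOperation/></soapenv:Body>"
    "</soapenv:Envelope>"
)


def basic_auth_header(username: str, password: str) -> str:
    """Build the HTTP Basic Authorization header value (RFC 7617)."""
    if ":" in username:
        # The first colon separates user-id from password, so the
        # user-id itself cannot contain one.
        raise ValueError("username must not contain ':'")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def build_soap_request(url, username, password, body=SOAP_BODY):
    """Return an unsent POST request with credentials in the header only."""
    if urlsplit(url).scheme.lower() != "https":
        # Base64 is an encoding, not encryption: anyone on the path can read it.
        raise ValueError("refusing to send Basic credentials without TLS")
    if password and password in body:
        raise ValueError("password found in SOAP body")
    req = urllib.request.Request(url, data=body.encode("utf-8"), method="POST")
    req.add_header("Content-Type", "text/xml; charset=utf-8")
    req.add_header("Authorization", basic_auth_header(username, password))
    return req


if __name__ == "__main__":
    # Constructed credentials for illustration only.
    request = build_soap_request(GATEWAY_URL, "alice", "constructed-secret")
    print(request.get_method(), request.full_url)
    for name, value in request.header_items():
        print(name + ":", "<redacted>" if name == "Authorization" else value)
```
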