Logging in the Infinity Portal

This chapter describes the procedure to log in to the Infinity Process Platform Portal and to optionally adjust the predefined connection timeout.

Note
It is recommended to clear your browser cache on every upgrade of your Infinity Portal version to avoid issues with the scrolling functionality. To clear your cache, follow the instructions in your browser's help.

Login URL

To log in to the Infinity Process Platform Portal, start your application server and enter the following URL in your Web browser:

http://<hostname>:<portnumber>/<context-root>

Note
Opening another Portal URL with the same host name and the same context root as the original one is not possible in the same browser. For example, using myhost:8080/ipp and myhost:9090/ipp in two different tabs of one browser does not work.

This URL will lead you to the Infinity Process Platform Portal's login screen, whereby

For example:

http://localhost:8080/DemoProject/

Tenant Specific Login

Use the following URL for a tenant specific login:

http://<server>:<port>/<context-root>/index.jsp?tenant=<partitionId>

For example:

http://localhost:8080/carnot/ipp-portal/index.jsp?tenant=infinity

Using this URL causes a login at the specified partition. If you have logged out via the Logout link in the Portal, you will be logged in to the same partition as before.

Note: If the session has expired, this information is lost and you have to use the tenant-specific login URL again. Also note that this URL currently works only with internal authentication. It does not work in a principal-based environment.

Context-Root - Advanced

This section describes in more detail how to set the context-root, depending on the kind of deployment.

Application Server deployment:

If you deploy the ipp-portal.war residing in the carnot.ear, the supplied context is /carnot/ipp-portal. It is possible to change the context-root in the carnot.ear/META-INF/application.xml file.

Tomcat (standalone)

If you deploy the ipp-portal.war directly to Tomcat, the context-root is /ipp-portal. This can be changed inside the context.xml file, residing in the META-INF folder in your ipp-portal.war. Note that once the war file is deployed, a configuration file called ipp-portal.xml is created in the %Tomcat-Home%/conf/Catalina/localhost folder. This file contains the context path. If you add a context.xml file later, it will be ignored.

Tomcat inside Eclipse

If you deploy with Tomcat from inside Eclipse (as described in the tutorial chapter The Support Case Example of the Infinity Process Platform Documentation - Developer Guide), you can determine the context-root in the last property dialog, Web Module, while creating a new dynamic Web project:

Figure: Set Context Root

If you skip the last property dialog with the context-root setting, the name of the project is used by default.

User Authentication

To use the Infinity Process Platform Portal, users have to identify themselves by entering their name and password. The user must have been previously created by the Infinity Process Platform administrator and assigned the necessary roles or organizations. The default values for your account and password are motu/motu. In the login screen, fill in your name and account:

Figure: Logging in the Infinity Process Platform Portal

If the properties Security.PromptPartition, Security.PromptDomain or Security.PromptRealm are set in your carnot.properties file, additional entry fields for partition, domain and realm appear accordingly. Otherwise their default values are used. For more information, see section Providing Additional Fields for Login Screens in chapter Infinity Process Platform Services of the Infinity Process Platform Documentation - Programming Guide.

Forgot Password Option

Below the password field you find a Forgot Password link. If you forgot your password, click this link to receive a new one. Note that this link is not available if the property Security.Authentication.Mode is set to Principal in your carnot.properties file.

Figure: Forgot Password Option

A dialog opens, where you are prompted to enter your credentials.

Selecting Cancel closes the dialog without sending an email. The initial login screen is displayed again.

Selecting Continue closes the dialog, and the new password is sent to the e-mail address that has to be set for the requesting user. If no e-mail address is configured, you have to contact the administrator. The e-mail contains a generated password as well as instructions on how to reset your password.

Figure: Forgot Password Dialog

You will receive an e-mail with a generated token. To complete the password request click the link provided in the e-mail.

Note
The URL in the e-mail is formed by reading the property Security.Password.ResetServletUrl. If this property is not set, the e-mail does not provide the URL to reset the password. Please refer to section Security of chapter Server Side Properties in the Infinity Process Platform Documentation - Operation Guide for details on this property.

If you want to abort the password request, log in to the Portal as usual and disregard the e-mail.

Figure: Token Generation E-mail

If you click the URL, a notification appears in the browser window that opens, confirming that the password has been generated and sent to your registered e-mail address.

Figure: Password changed notification

Now an e-mail is sent with the changed password.

Figure: Changed Password confirmation E-mail

To change the temporary password, return to the Infinity Process Platform Login screen.

If you provide the property Security.Password.LoginDialogUrl, containing the URL of the portal login page, in your carnot.properties file, this URL is included in the notification mail as well. To change the new password, click this URL to go directly to the Infinity Process Platform Login screen. For example:

localhost:8080/ipp-portal/resetServlet?oid=1234&token=ed2a80a33212a6425bede78737826814ab90999e

In the login screen, log in with your account and the temporary password provided in the mail. The Change Password dialog then opens.

Please note that a valid technical user must exist for the e-mail notification to work. By default this is the motu/motu user. For detailed information on how to configure a technical user, please refer to section Configuring Credentials for the Technical User of chapter Deploying Applications in the Infinity Process Platform Documentation - Deployment Guide.

Change Password Dialog

In the Change Password Dialog, enter the old password, a new password and confirm the new password in the Confirm Password entry.

Figure: Change Password Dialog

Click Submit to submit the new password.

It might happen that the password cannot be changed because of one of the following reasons:

In that case, an error notification message appears, notifying that the password validation failed.

Figure: Error Notification

After being successfully authenticated, you are logged into the Infinity Process Platform Portal.

To close the dialog without changing the password, click Cancel. You will return to the user login screen.

Password Expired

When you try to log in by selecting the Login button, the entered password is checked for expiration. If your password has expired, the Change Password dialog opens, where you can enter a new password. Please refer to section Change Password Dialog for details.

Password Disabled

When your password has been disabled, a message appears in the Login dialog to indicate that the account is invalid. You will receive an email notification that your account got disabled and you should ask the administrator for assistance.

Figure: Account Disabled

Modifying Authentication and Authorization Modes

You can change the modes for authentication and authorization in the server-side carnot.properties file via the following properties:

By default, the value of these properties is internal. If Security.Authorization.Mode has been set to a value other than internal, authorization is external, and the Synchronization provider needs to be in place and configured. If Security.Authentication.Mode has been set to a value other than internal, authentication is external, and the Login Provider needs to be in place and configured.

The following scenarios are possible:

| Authentication | Authorization | Behavior |
|---|---|---|
| internal | internal | Users and grants are handled completely internally. |
| internal | external | Users are handled internally, grants are handled externally. |
| external | internal | Users are handled externally, grants are handled internally. |
| external | external | Users and grants are handled completely externally. |
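
The mode rules above, together with the login-screen notes earlier in this chapter, can be evaluated against the content of a carnot.properties file. The following Python script is an added example, not part of the Infinity Process Platform; the function names and the sample content are constructed here, and treating a Prompt property as set when its value is "true" is an assumption.

```python
import re

# Constructed sample carnot.properties content (not from a real installation).
SAMPLE = """\
# security settings
Security.Authentication.Mode = principal
Security.PromptPartition = true
"""

def load_properties(text):
    """Minimal reader: key=value or key:value, '#'/'!' comments, no line continuations."""
    props = {}
    for line in map(str.strip, text.splitlines()):
        if line and line[0] not in "#!":
            parts = re.split(r"\s*[=:]\s*", line, maxsplit=1)
            props[parts[0]] = parts[1] if len(parts) == 2 else ""
    return props

def login_behaviour(props):
    """Derive the login behaviour this chapter describes from parsed properties."""
    authn = props.get("Security.Authentication.Mode", "internal").lower()
    authz = props.get("Security.Authorization.Mode", "internal").lower()
    return {
        # Any value other than "internal" means external handling.
        "users": "internal" if authn == "internal" else "external",
        "grants": "internal" if authz == "internal" else "external",
        "providers_required": [name for name, mode in
                               (("Login Provider", authn), ("Synchronization provider", authz))
                               if mode != "internal"],
        # The Forgot Password link is not available in principal mode.
        "forgot_password_link": authn != "principal",
        # index.jsp?tenant=<partitionId> only works with internal authentication.
        "tenant_login_url": authn == "internal",
        # Without Security.Password.ResetServletUrl the reset e-mail carries no URL.
        "reset_mail_has_url": bool(props.get("Security.Password.ResetServletUrl")),
        # Assumption: a Prompt* property counts as set when its value is "true".
        "extra_login_fields": [p.lower() for p in ("Partition", "Domain", "Realm")
                               if props.get("Security.Prompt" + p, "").lower() == "true"],
    }

if __name__ == "__main__":
    for key, value in login_behaviour(load_properties(SAMPLE)).items():
        print(f"{key}: {value}")
```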

Known Issue with LDAP Login Provider

Note that if Infinity Process Platform is configured to use the LDAP Login Provider and internal security, a user is allowed to log in without providing a password.

Activating Principal Login

To activate principal login in the Infinity Process Platform Portal, perform the following steps:

  1. Set Up Container Security
  2. Set Engine to Use Principal Login
  3. Update web.xml to Use Principal Login

Set Up Container Security

Set up your container-specific security to provide a login module. For example, if you are using Tomcat, add the following line to your Servers/Tomcat XXXX/tomcat-users.xml file:

<user name="motu" password="motu123" roles="Administrator"/>

Set Engine to use Principal Login

Set the engine to use principal login via the Security.Authentication.Mode property in your carnot.properties file:

Security.Authentication.Mode = principal

Update web.xml to Use Principal Login

Update the web.xml file with the following fragments to use principal login:

<context-param>
  <param-name>carnot.PRINCIPAL_PAGE</param-name>
  <param-value>/plugins/common/initializeSession.iface</param-value>
</context-param>
...
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Icefaces Main Page</web-resource-name>
    <url-pattern>/plugins/common/initializeSession.iface</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>Administrator</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/ipp/common/loginProxy.iface</form-login-page>
    <form-error-page>/ipp/common/loginProxy.iface?failed=true</form-error-page>
  </form-login-config>
</login-config>

<security-role>
  <role-name>Administrator</role-name>
</security-role>
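
The three steps above have to agree with each other: the engine must be in principal mode, the page named in carnot.PRINCIPAL_PAGE must be covered by a security-constraint, and the role in its auth-constraint must be declared as a security-role and held by a container user. The following Python check is an added example, not part of the Infinity Process Platform; the function names and sample inputs are constructed here, and url-patterns are compared by exact match only.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs modelled on the fragments in this chapter.
PROPS = "Security.Authentication.Mode = principal\n"
USERS = '<tomcat-users><user name="motu" password="motu123" roles="Administrator"/></tomcat-users>'
WEB = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
 <context-param><param-name>carnot.PRINCIPAL_PAGE</param-name>
  <param-value>/plugins/common/initializeSession.iface</param-value></context-param>
 <security-constraint>
  <web-resource-collection><url-pattern>/plugins/common/initializeSession.iface</url-pattern></web-resource-collection>
  <auth-constraint><role-name>Administrator</role-name></auth-constraint>
 </security-constraint>
 <security-role><role-name>Administrator</role-name></security-role>
</web-app>"""

def parse(xml_text):
    root = ET.fromstring(xml_text)
    for el in root.iter():
        el.tag = el.tag.rsplit("}", 1)[-1]  # drop namespaces so plain tag names work in paths
    return root

def texts(root, path):
    return {(e.text or "").strip() for e in root.findall(path)}

def check_principal_login(props, web_xml, users_xml):
    """Return the inconsistencies found between the three principal-login steps."""
    problems = []
    mode = re.search(r"^\s*Security\.Authentication\.Mode\s*[=:]\s*(\S+)", props, re.M)
    if not mode or mode.group(1).lower() != "principal":
        problems.append("carnot.properties: Security.Authentication.Mode is not principal")
    web = parse(web_xml)
    params = {(p.findtext("param-name") or "").strip(): (p.findtext("param-value") or "").strip()
              for p in web.iter("context-param")}
    protected = texts(web, ".//security-constraint/web-resource-collection/url-pattern")
    if params.get("carnot.PRINCIPAL_PAGE") not in protected:  # exact match, no wildcards
        problems.append("web.xml: carnot.PRINCIPAL_PAGE is not protected by a security-constraint")
    required = texts(web, ".//security-constraint/auth-constraint/role-name")
    if not required:
        problems.append("web.xml: no role-name in auth-constraint")
    for role in sorted(required - texts(web, ".//security-role/role-name")):
        problems.append(f"web.xml: role {role} has no security-role declaration")
    granted = {r.strip() for u in parse(users_xml).iter("user") for r in u.get("roles", "").split(",")}
    for role in sorted(required - granted):
        problems.append(f"tomcat-users.xml: no user holds role {role}")
    return problems

if __name__ == "__main__":
    print(check_principal_login(PROPS, WEB, USERS) or "principal login configuration is consistent")
```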

Session Timeout during Principal Login

If a session timeout occurs with principal login and you are using WebLogic as application server, deactivate the keep alive option for WebLogic as described in section Deactivating the KeepAlive option of chapter WebLogic in the Infinity Process Platform Documentation - Deployment Guide.

Logging in without deployed Model

In some cases administrators want to log in to the Portal without having a model deployed. To make this possible, make sure that the context parameter carnot.login.MODEL_REQUIRED is set to false in your Web Application deployment descriptor file web.xml.

<context-param>
  <param-name>carnot.login.MODEL_REQUIRED</param-name>
  <param-value>false</param-value>
</context-param>

Note that this applies to administrators only; non-administrators always need a deployed model to be able to log in. The login behavior is shown in the following table:

| carnot.login.MODEL_REQUIRED | Model deployed | Admin login allowed | Non-admin user login allowed |
|---|---|---|---|
| true | yes | yes | yes |
| false | yes | yes | yes |
| false | no | yes | no |

Configuring the Connection Timeout

If any request from the Infinity Process Platform Portal does not get a response within 60 seconds, the network connection is interrupted and a message dialog opens.

Figure: Connection Timeout

You have the option to configure the timeout by setting the connectionTimeout parameter in your web.xml file. This parameter defines how long, in milliseconds, the bridge will wait for a response from the server for a user-initiated request before declaring the connection lost. The default value is 60000 (60 seconds).

<context-param>
  <param-name>com.icesoft.faces.connectionTimeout</param-name>
  <param-value>60000</param-value>
</context-param>

For advanced connection management, please refer to the ICEFaces Documentation - Connection Management directly.