Changing the login and logout pages

After completing the configuration to enable External Authentication, follow these steps to verify TAI operation:

Use one of these addresses to test the TAI from a Web browser:
- https://WebSEAL_hostname:WebSEAL_port/junction/wps/myportal
- http://SM_agent_hostname:SM_agent_port/wps/myportal
WebSEAL or eTrust SiteMinder should challenge you to authenticate. After you log in, you should be directed to the secure and personalized myportal page. If you are directed to the login screen or the public page, there is a problem with the TAI configuration.
Make backup copies of the following two files:
- was_profile_root/installedApps/node_name/wps.ear/wps.war/themes/html/theme_name/banner_toolbar.jspf
- was_profile_root/installedApps/node_name/wps.ear/wps.war/themes/html/theme_name/mainMenu.jsp

In each of the themes directory and subdirectories, there is a banner_toolbar.jspf file. Edit the appropriate banner_toolbar.jspf file and find the login button section. By default, WebSphere Portal Express ships the banner_toolbar.jspf with the Login screen section commented out, and the second section (Login Portlet) is uncommented. Replace each uncommented anchor href (each href is highlighted in bold ), depending on whether you use the Login Screen or the Login Portlet, with the following anchor tag:

<a class=wpsToolBarLink href='<%= wpsBaseURL %>/myportal'><wps:text key="link.login" 
    bundle="nls.engine"/></a>

The following example shows what the banner_toolbar.jspf will look like after adding the above anchor tag:

<%-- comment this to enable screen login --%> 
	<portal-logic:if loggedIn="no">
	<portal-navigation:urlGeneration contentNode="wps.Login">
<!--commented out the next href for Changing the Login Page
		<a tabIndex="7" class="toolbarLink" href='<% wpsURL.write(escapeXmlWriter); 
     %>'><portal-fmt:text key="link.login" bundle="nls.engine"/>
		</a>
	 -->
		<a tabIndex="7" class="toolbarLink" href='<%= wpsBaseURL %>/myportal'>
		 <portal-fmt:text key="link.login" bundle="nls.engine"/>
		 </a>
	</portal-navigation:urlGeneration>
	</portal-logic:if>
	
	<%-- Uncomment this to enable screen login  
	<portal-logic:if loggedIn="no" notScreen="Login">
		<a class="toolbarLink" href='<%= wpsBaseURL %>/myportal'><portal-fmt:text 
			key="link.login" bundle="nls.engine" /></a>
	</portal-logic:if>
	--%>

Note: The previous example uses the 'wps:' prefix to designate JSP tags from the tag library in portal.tld. Your custom JSPs might use a different tag prefix.

The following example shows what the mainMenu.jsp will look like after adding the above anchor tag:

<%-- Login button --%>
	<%-- Comment out to enable screen login --%>
	<portal-logic:if loggedIn="no">
		<portal-navigation:urlGeneration contentNode="wps.Login" themeTemplate="">
			<c:set var="menuTitle"><portal-fmt:text key="link.login" 
       bundle="nls.engine" /></c:set>
			<% if ( menuItemCount > 0 ) { %>,<% } %>
      "asynchDoFormSubmit('<%= wpsBaseURL %>/myportal');",
			'<c-rt:out value="<{menuTitle}" escapeXml="true" />',"
       <{defaultPageIconUrl}"
			<% menuItemCount++; %>
		</portal-navigation:urlGeneration>
	</portal-logic:if>
	<%-- Uncomment to allow screen login 
	<portal-logic:if loggedIn="no">
			<c:set var="menuTitle"><portal-fmt:text key="link.login" 
       bundle="nls.engine" /></c:set>
			<% if ( menuItemCount > 0 ) { %>,<% } %>
      "asynchDoFormSubmit('<%= wpsBaseURL %>/myportal');",
			'<c-rt:out value="<{menuTitle}" escapeXml="true" />',"
       <{defaultPageIconUrl}"
			<% menuItemCount++; %>
	</portal-logic:if>
	--%>

Important for every operating system: Touch the Default.jsp file after editing any JSP files and before any restart. This updates the timestamp on the file to the current time and will signal a recompile of Default.jsp to incorporate the edit changes from other JSP files. Type:touch Default.jspAn alternative is to edit (open and save) Default.jsp, which has the same effect as the touch command.

After updating banner_toolbar.jspf and mainMenu.jsp, you must restart WebSphere Portal Express unless reloading is enabled.

(For Tivoli Access Manager only): Test the TAI by using Tivoli Access Manager to add a new user. From the pdadmin command line, enter the following command on one line:
```
	pdadmin>user create user_name user_dn cn sn pwd
```
And then enter:
```
	pdadmin> user modify user_name account-valid yes
```
Open and save the versions of Default.jsp that include each of the files that you edited in a previous step. See the comments in each banner_toolbar.jspf file for more information.

Make a backup copy of the was_profile_root/installedApps/node_name/wps.ear/wps.war/WEB-INF/web.xml file. Edit the file as shown in bold here:

<login-config id="LoginConfig_1">
<auth-method>FORM</auth-method>
<realm-name>WPS</realm-name>
<form-login-config id="FormLoginConfig_1">
<form-login-page>/myportal</form-login-page>
<form-error-page/error.html/form-error-page>
</form-login-config>
</login-config>

Optional: Redirect the browser to navigate the logoff page of the external security manager (ESM) after the WebSphere Portal Express logoff command executes.
When a WebSphere Portal Express session is ended by clicking the Logoff button on the navigation screen, the ESM session is not invalidated. Subsequent requests to protected pages may still be allowed without providing a user name or password until both the ESM and the WebSphere Portal Express's login sessions are properly terminated. Learn how to invalidate the single sign on session of the ESM by reviewing the documentation provided by the ESM relating to logoff pages. Here is an example for each supported ESM:
- Tivoli Access Manager's WebSEAL by default provides http://webseal/pkmslogout as a special URL to terminate the WebSEAL single sign on session
In addition to configuring the ESM to provide this logoff capability, you should also enable WebSphere Portal Express to execute the ESM logoff URL after completing its logoff command. Enable WebSphere Portal Express to do this with the following configuration steps:
1. In configuration service, you can specify the following values:
  - redirect.logout= true
  - redirect.logout.ssl=false or true, depending on your environment
  - redirect.logout.url=protocol://host_name/logout_page
    where
    protocol is the protocol of the ESM machine: http or https.
    
    host_name is the fully qualified host name of the ESM machine.
    
    logout_page is the ESM page that users will be directed to when they log out. Refer to the ESM Administrator's Guide for more information about using logout forms.
2. Perform the following steps to run the update-properties configuration task:
  1. Locate the directory /PortalServer/config
  2. Type the following configuration task appropriate for your operating system on a command line:
    - Windows: WPSconfig.bat update-properties
    - Linux: WPSconfig.sh update-properties
Optional: Change the web.xml form-login-page attribute by completing the following substeps:
- Access the WebSphere Application Server administrative console and export wps.ear. When using a cluster environment use the DMGR console.
- From the exported ear file, edit the attribute form-login-page in the file app_server_root/installedApps/node_name/wps.ear/wps.war/WEB-INF/web.xml and replace (depending on current settings) /redirect or /myportal with a JSP to be called if the TAI login is not invoked. The following example uses the sample file /html/en/taiError.jsp but the file can have any name.
- Copy the file wps.jsp to taiError.jsp and modify it to show a message if the TAI login fails.
```
<%@ page session="false" buffer="none" %@>
<TABLE border="0">                              
 <TBODY>
   <TR>
    <TD>
    <IMG border="0" src="../../images/welcome_5.gif" width="120" height="46"> 
    <H2>You've reached this page in error. </H2></TD>
    <TD></TD>
   </TR>
   <TR>                      
    <TD>The TAI failed to authenticate you</TD>
    <TD><IMG border="0" src="../../images/microphone.gif" width="84" height="94"></TD>                                          
   </TR>
 <TBODY>
</TABLE>
```
- Repackage wps.ear.
- Re-import wps.ear in the WebSphere Application Server administrative console.
Restart WebSphere Portal Express.