How PRPC URL takes us to portal via PRBasic Authentication

PRBasic Authentication:

When user hits PRPC URL,
 http://localhost:8080/prweb/PRServlet

1. how user would be redirected to PRPC login page.
2. how credentials would be validated, when user enters credentials and hits Submit
3. how user would be redirected to Designer Studio when logged in via developer access

Step by Step illustration:

#1 how user would be redirected to PRPC login page :

Servlet mapping would be checked first.

In your applicaiton server : example if it is tomcat, in web.xml you could find this servlet name with pattern PRServlet : and servlet definition for WebStandard.

Servlet Name: WebStandard

AuthenticationType: PRBasic

web.xml:\tomcat\webapps\prweb\WEB-INF\web.xml

AuthenticationType is set to PRBasic by default. For any other authenctaion schemes(PRCustom, PRSecuredBasic, PRExtAssign, J2EEContext) we have to pass the authentication scheme as the param-value (syntax highlighted in below screenshot).

#2 From above code, code would run and continue with initializing the browser type requestor. 

     

At this point, user who made the hit to browser is still unauthenticated. And now it should form an unauthenticated requestor. 

Requestor = Hash of (Access Group) // Access group is mandatory to form requestorID. 

i.e. the reason we have requestor type (Browser) rule with PRPC:Unauthenticated as the access group, which would support guest access. 

 And the starting activity of authentication would be specified in Activities tab of Requestor type : by default it is Code-.Web-Start (as highlighted below).

Activity Web-Start has JAVA code to present authentication challenge.

Ths is Pega Engine code, where pega presents challenge to the user (default rule used here with BASIC authentication is : Web-Login HTML Stream).
To understand Java code, we can check in Pega Engine API from designer studio, which would give an insight on what it does: pega.getAuthenticationHandle().presentAuthentication()

To check if you are following, lets cross question (Q/A):

Q : How unauthenticated requestor got access to the rule Code-.Web-Start ?
A :In the PRPC:Unauthenticated access group, you could notice PegaRULES:Guest access role, which grants access to Code- class, so we are able to run the activity with the guest access.

#2 how credentials would be validated, when user enters credentials and hits Submit

Username, password entered would be verified against the database table {Data-Admin-Operator-ID}

Once the credentials matches, then user would be redirected to the application. 

Note: {Data-Admin-Operator-ID} represents db table for this class Data-Admin-Operator-ID. 

Note: Once user is authenticated, we can see the authenticated requestorID. This we can observe, if we remote trace second unauthenticated session during login with the help of other PRPC session of the same instance. 

#3 how user would be redirected to Designer Studio when logged in via developer access

Once user is authenticated, we have activity (Data.Portal-ShowDesktop) which would display the portal to us. 

This activity would redirect us to the portal we are entitled to. Example it would open Designer Studio (if user is having access to developer portal).

We saw the steps right from hitting the PRPC URL to the point where we logged into portal i.e from unauthenticated requestor => to an authenticated requestor. 

Hope this helps!!!
Feel free to comment/share the same.