PRBasic Authentication:
When a user hits the PRPC URL
http://localhost:8080/prweb/PRServlet
this post covers:
- how the user is redirected to the PRPC login page.
- how the credentials are validated when the user enters them and hits Submit.
- how the user is redirected to Designer Studio when logged in via developer access.
Step by Step illustration:
#1 how user would be redirected to PRPC login page:
The servlet mapping is checked first.
In your application server (for example, Tomcat), web.xml contains the servlet mapping with the pattern PRServlet and the servlet definition for WebStandard.
Servlet Name: WebStandard
AuthenticationType: PRBasic
web.xml: \tomcat\webapps\prweb\WEB-INF\web.xml
AuthenticationType is set to PRBasic by default. For any other authentication scheme (PRCustom, PRSecuredBasic, PRExtAssign, J2EEContext), we have to pass the authentication scheme as the param-value (syntax highlighted in the screenshot below).
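An added example, not from the original post or from Pega: a small Python audit that reads a web.xml and reports, for each URL pattern, the servlet it maps to and the effective AuthenticationType, applying the PRBasic default described above and flagging values outside the schemes the post lists. The sample web.xml is constructed; `example.PlaceholderServlet` and `MyOwnServlet` are placeholders.

```python
import xml.etree.ElementTree as ET

# Schemes named in the post; PRBasic applies when no AuthenticationType is set.
KNOWN_SCHEMES = {"PRBasic", "PRCustom", "PRSecuredBasic", "PRExtAssign", "J2EEContext"}
DEFAULT_SCHEME = "PRBasic"

# Constructed sample. servlet-class values and MyOwnServlet are placeholders.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <servlet>
    <servlet-name>WebStandard</servlet-name>
    <servlet-class>example.PlaceholderServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>MyOwnServlet</servlet-name>
    <servlet-class>example.PlaceholderServlet</servlet-class>
    <init-param>
      <param-name>AuthenticationType</param-name>
      <param-value>PRCustom</param-value>
    </init-param>
  </servlet>
  <servlet-mapping><servlet-name>WebStandard</servlet-name><url-pattern>/PRServlet/*</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>MyOwnServlet</servlet-name><url-pattern>/MyOwnPRServlet/*</url-pattern></servlet-mapping>
</web-app>"""

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the XML namespace prefix, if any

def _text(elem, name):
    return next(((c.text or "").strip() for c in elem if _local(c.tag) == name), None)

def audit_auth_types(web_xml_text):
    """Return (url_pattern, servlet, scheme, scheme_is_known) rows sorted by pattern."""
    schemes, rows = {}, []
    root = ET.fromstring(web_xml_text)  # intended for a local, trusted config file
    for servlet in (e for e in root if _local(e.tag) == "servlet"):
        params = {_text(p, "param-name"): _text(p, "param-value")
                  for p in servlet if _local(p.tag) == "init-param"}
        schemes[_text(servlet, "servlet-name")] = params.get("AuthenticationType") or DEFAULT_SCHEME
    for m in (e for e in root if _local(e.tag) == "servlet-mapping"):
        name = _text(m, "servlet-name")
        scheme = schemes.get(name)  # None: mapping points at an undefined servlet
        for pat in (c for c in m if _local(c.tag) == "url-pattern"):
            rows.append(((pat.text or "").strip(), name, scheme, scheme in KNOWN_SCHEMES))
    return sorted(rows, key=lambda r: r[0])

if __name__ == "__main__":
    for row in audit_auth_types(SAMPLE_WEB_XML):
        print(row)
```

A row whose last field is False deserves a look: either the param-value is misspelled or the mapping names a servlet that is not defined.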
#2 From the above code, execution continues with initializing the browser-type requestor.
At this point, the user who hit the URL from the browser is still unauthenticated, so an unauthenticated requestor has to be formed.
Requestor = Hash of (Access Group) // Access group is mandatory to form requestorID.
That is the reason we have the requestor type (Browser) rule with PRPC:Unauthenticated as the access group, which supports guest access.
The starting activity of authentication is specified in the Activities tab of the requestor type; by default it is Code-.Web-Start (as highlighted below).
Activity Web-Start has Java code to present the authentication challenge.
This is Pega Engine code, where Pega presents the challenge to the user (the default rule used here with BASIC authentication is the Web-Login HTML stream).
To understand the Java code, we can check the Pega Engine API from Designer Studio, which gives an insight into what it does: pega.getAuthenticationHandle().presentAuthentication()
To check if you are following, let's cross-question (Q/A):
Q: How did the unauthenticated requestor get access to the rule Code-.Web-Start?
A: In the PRPC:Unauthenticated access group, you can see the PegaRULES:Guest access role, which grants access to the Code- class, so we are able to run the activity with guest access.

#2 how credentials would be validated when the user enters credentials and hits Submit
The username and password entered are verified against the database table {Data-Admin-Operator-ID}.
Once the credentials match, the user is redirected to the application.
Note: {Data-Admin-Operator-ID} represents the db table for the class Data-Admin-Operator-ID.
Note: Once the user is authenticated, we can see the authenticated requestorID. We can observe this if we remote trace a second unauthenticated session during login with the help of another PRPC session on the same instance.
#3 how user would be redirected to Designer Studio when logged in via developer access
Once the user is authenticated, the activity (Data.Portal-ShowDesktop) displays the portal to us.
This activity redirects us to the portal we are entitled to. For example, it opens Designer Studio (if the user has access to the developer portal).
We saw the steps right from hitting the PRPC URL to the point where we logged into the portal, i.e. from an unauthenticated requestor to an authenticated requestor.
Hope this helps!!!
Feel free to comment/share the same.
It will be good if u shared the answers in Food for Thought section
Hi Deepa, Thanks for valuable feedback. I would definitely share answers for "Food for Thought" section soon.
Hello Pavan, if we do some modification in Web.xml file. Can we change the link localhost:8080/prweb/PRServlet and how to do it.
Hi Ravi,
Yes we can change the Servlet name in the link. For example, we can have our own servlet name instead of PRServlet.
http://localhost:8080/prweb/MyOwnPRServlet
instead of
http://localhost:8080/prweb/PRServlet
I will give you step by step in other post.
Hi Pavan, Can you elaborate on this? "Once user is authenticated, we can see the authenticated requestorID. This we can observe, if we remote trace second unauthenticated session during login with the help of other PRPC session of the same instance." How do we know which Browser session to trace, if there are multiple?
Hi Reshmi,
Below is the article how you can achieve the same via admin studio: http://www.howtopega.info/2020/05/trace-unauthenticated-requestor-from.html
Hi Pavan,
Thanks for the explanation.
For the PRBasic authentication this is the HTML that need to be shown to end customer. Where it is mentioned? If it is in Engine API, is there a way that I can look into that code. Please let me know.