Novell Doc: Novell iChain Administration Guide - Designing a Basic Form Fill Policy

14.2 Designing a Basic Form Fill Policy

The purpose of a Form Fill policy is to tell iChain what data to use when filling in the form. The following sections discuss the components you use to create a Form Fill policy:

For information about the advanced features and tags not described in this section, see Section 14.4, Using Additional Form Fill Policy Options.

14.2.1 Basic Components of a Form Fill Policy

Form Fill policies follow standard XML document structure. Unless otherwise specified, each tag requires that an ending tag also be present. The ending tag is simply </tag>, where “tag” is the name of the tag. For example, the ending tag for <urlPolicy> is </urlPolicy>. If no ending tag is required (because the tag requires no data), the tag name ends with a slash (/). For example, <post/> or <debugPost/>.

When defining a basic Form Fill policy, you need to decide the following:

Determine how many <urlPolicy> elements are needed. See <urlPolicy> Element.
Identify which form uses the policy. See Header.
Determine which elements to use for filling in the fields. See Input Actions.
Provide commands for posting the information. See Post Actions.
Determine how the data should be saved and provide commands for saving it. See Storing Form Fill Data.
Specify a redirection policy if values are saved. See Handling Login Failures.

<urlPolicy> Element

The <urlPolicy> is the main element in a Form Fill policy. You can have multiple <urlPolicy> sections in a Form Fill policy, each representing a separate set of criteria or actions to perform. If you are doing Form Fill for multiple URLs or HTML pages, you can have multiple <urlPolicy> sections in your Form Fill policy. You can also have multiple <urlPolicy> sections if you need to handle conditions such as login failures or error messages for the same URL.

Header

The header tags identify the policy and the form that uses it.

Tag	Purpose
<name>	Specifies the name of the policy. Although this tag is optional, you should give each of your policies a unique name. Having policy names is especially important when using <redirect> or <deleteRemembered> policies. NOTE:The tag value cannot contain spaces.
<url>	(Required) Specifies the URL or form for the iChain Form Fill policy to match. The URL defined in this tag needs to match the name of the protected resource, not the name of the back end Web server. It is a common practice to include the scheme (http, https, ftp, gopher) with the URL in the <url> tag. For a Form Fill policy, do not include this part of the URL; specify only www.address.com NOTE:An asterisk at the end of the URL means the policy is not an exact match.

Tag

Purpose

<name>

Specifies the name of the policy. Although this tag is optional, you should give each of your policies a unique name. Having policy names is especially important when using <redirect> or <deleteRemembered> policies.

NOTE:The tag value cannot contain spaces.

<url>

(Required) Specifies the URL or form for the iChain Form Fill policy to match.

The URL defined in this tag needs to match the name of the protected resource, not the name of the back end Web server.

It is a common practice to include the scheme (http, https, ftp, gopher) with the URL in the <url> tag. For a Form Fill policy, do not include this part of the URL; specify only www.address.com

NOTE:An asterisk at the end of the URL means the policy is not an exact match.

The following tags are used to distinguish among multiple forms that use the same URL. For best performance, use as few of these tags as possible to distinguish one form from another.

Tag	Purpose
<cgiCriteria>	Evaluates the query string of a URL (portion after the ?) to differentiate pages having the same URL. The <cgiCriteria> tag complements the <url> tag. If a <cgiCriteria> tag exists in a policy, the text in that section must appear on the query string for the specified URL in order for the policy to be deemed a match. Consider the following URL: http://webaccess.novell.com/servlet/webacc?Action=User.login For this URL, the following policy has been defined: <url>webaccess.novell.com/servlet/webacc</url> <cgiCriteria>Action=User.login</cgiCriteria> This policy limits the match to the login page and cannot be used to match either of the following URLs: http://webaccess.novell.com/servlet/webacc http://webaccess.novell.com/servlet/webacc?Action=User.logout
<formCriteria>	Causes iChain to find a match if the text specified in the <formCriteria> tag is found on the page. The text contained between the beginning and ending tags must appear in the document returned by the origin server for the page to be a match. For example: <formCriteria><TITLE>iChainTestPage</TITLE></formCriteria> iChain searches the HTML page for this string. If the text is found in the document, the page is a match for the policy. If the text is not found, the policy does not match. If the <formCriteria> spans multiple lines, the text on each line must either be left-justified, or appear in the document exactly as specified in the policy. White space is not ignored. For example: <formCriteria> <TITLE>iChainTestPage</TITLE> loginForm </formCriteria> In the example above, the text <TITLE>iChainTestPage</TITLE> must appear in the document preceded by ten spaces, but the text loginForm can appear anywhere in the document at any position in a line. Both lines must appear in the document for the page to be a match. NOTE:iChain searches all of the information in these tags. The more specific your information is, the faster iChain can match the form. Parsing <formCriteria> is a very intensive process for iChain to perform. If possible, using other criteria (such as <cgiCriteria>, <formName>, and <formNum>) is preferred and can increase performance.
<formName>	Causes the policy to match the page only when the name of the form is <name>. This tag has priority over the <formNum> tag. If both <formNum> tag and <formName> tags exist in the same policy, the <formName> tag is used, and you are notified (on the SSO Debug screen) that both tags are present. For example: <urlPolicy> <name>test</name> <url>www.novell.com/signon_welcome/screen</url> <formNum>2</formNum> <formName>name</formName> </urlPolicy> Using the <formName> tag is useful either as an additional way to determine whether or not to process the page with Form Fill (such as when the same URL is used for both login and content display), or when multiple forms exist on the same HTML page.
<formNum>	Causes the policy to process form N, where N represents the form instance within the document. Forms instances are counted sequentially from the top of the document down. For example: <formNum>1</formNum> The first form on the page is number one; the second, number two; and so on. For example: <urlPolicy> <name>test</name> <url>www.novell.com/signon_welcome/screen</url> <formNum>2</formNum> </urlPolicy> This example causes the second form on the page to be processed. If multiple forms exist in a page and neither the <formName> or <formNum> sections are specified in the policy, the first form in the page is processed by Form Fill and all other forms on the page are ignored.

Input Actions

The input tags identify which fields are to be filled and where the information can be obtained.

Tag or Attribute	Purpose
<injectStaticValue>	Specifies information that you want to inject into the form instead of having the user enter this information. The <injectStaticValue> tag overrides any information the user enters in the field. For example: <injectStaticValue>city=Provo</injectStaticValue> For more information about injecting static values, see Section 14.4.2, Injecting Static Values.
<actions>	Specifies various actions for iChain to perform for this policy. The <actions> tag can contain <fill>, <post/>, <debugPost/>, <maskedPost/>, <redirect>, <errorRedirect> and <deleteRemembered> elements.
<fill>	Delimits a section of the form that requires input. It is a subordinate element of <actions> and must contain either an <input> element, a <select> element, or both. For example: <actions> <fill> <input name="role" type="radio" value="~title"> </fill> <post/> </actions> This example fills in one field.
<input>	Specifies the form fields that need information and specifies how that information is to be obtained. The fill section of the policy can have multiple <input> fields. The <input> fields you place within the <fill> element must be specified in the order they appear on the form. The <input> element has three required attributes (name, type, and value) and one optional case modifier attribute (ff_lower_upper). For example: <fill> <input name="username" type="text" value="~cn"> </fill>
name	Specifies the name of the field. This must match the name specified in the form.
type	Specifies the type of field. This must match the type specified in the form and can be radio, checkbox, or text. The <select> element is used for list boxes.
value	Specifies how the information is to be obtained. The tilde operator allows you to determine whether the user must enter the information or whether an eDirectory™ attribute can be used to obtain the information. For more information on how to use this operator, see The Tilde (~) Operator.
ff_lower_upper	Converts the resulting value to either all uppercase or all lowercase. Valid values for this attribute are “lower” or “upper.” For example, to force lowercase conversion: <fill> <input name="username" type="text" value="~cn" ff_lower_upper="lower"> </fill> To force uppercase conversion: <fill> <input name="username" type="text" value="~cn" ff_lower_upper="upper"> </fill> If the attribute value is not specified as either “lower” or “upper”, no case conversion is performed on this field.
<select>	Sets up a list box field and specifies how that information is to be obtained. The fill section of the policy can have multiple <select> fields. The <select> fields you place within the <fill> element must be specified in the order they appear on the form. The <select> element has three required attributes (name, type, and value) and one optional case modifier attribute (ff_lower_upper). For example: <fill> <select name="webserv" type="listbox" value="~"> </fill>
name	Specifies the name of the select field. This must match the name specified in the form.
type	Specifies the type of field, and for a <select> element, it must be set to listbox.
value	Specifies how the information is to be obtained. The tilde operator allows you to determine whether the user must enter the information or whether an eDirectory attribute can be used to obtain the information. For more information on how to use this operator, see The Tilde (~) Operator.
ff_lower_upper	Converts the resulting value to either all uppercase or all lowercase. Valid values for this attribute are “lower” or “upper”. For example, to force lowercase conversion: <select> <input name="username" type="listbox" value="~cn" ff_lower_upper="lower"> </select> To force uppercase conversion: <select> <input name="username" type="listbox" value="~cn" ff_lower_upper="upper"> </select> If the attribute value is not specified as either “lower” or “upper,” no case conversion is performed on this field.

The Tilde (~) Operator

The tilde (~) operator is used to designate how the value for the given form element is obtained. It specifies whether the user is prompted for the information, or if it is provided automatically by iChain. The tilde operator can be used in the following three ways:

~: A tilde with no trailing text indicates a user-supplied value.

The first time users access the form, they are presented with the original page and are allowed to enter values for each of the fields. For the users, the page behaves as though they are accessing the origin server directly or as if Form Fill is not active for the page.

After the users submit the form, iChain stores (via LDAP) the values they entered for each of the fields in either the ichainFormFillCrib attribute or SecretStore, depending on how you have configured your system. When the users access this page again, iChain retrieves (via LDAP) the previously stored values for each of these elements.

Suppose your form requests a user’s Social Security Number (<input type="text" name="SSN">, and no SSN attribute exists in eDirectory. You can use the ~ operator to have iChain store the user-entered value. For this example, the corresponding Form Fill tag would be:
```
<input type="text" name="SSN" value="~">
```
The ~ operator can be used with all supported form element types including text, password, checkbox, radio, and select. Using this operator is especially useful in situations where the username or password for an application differs from the eDirectory username and password, or when the required value for an element is not already stored in the directory, such as in the SSN example above.
~LDAP Attribute: A tilde followed by the name of an LDAP attribute instructs iChain to obtain the value for this field from the named LDAP attribute on the user object.

When the value for a particular form element is already stored in eDirectory, you can use this value type to obtain the information and use it for the value of that element. For example, if a login form requests the user’s email address (<input type="text" name="EmailAddress">), and every user’s email address is stored in the Internet Email Address attribute in eDirectory, then the administrator can use "~mail" as the value for that input field as follows:
```
<input type="text" name="EmailAddress" value="~mail">
```
This causes iChain to do an LDAP query for the mail attribute on the user object, then use the resulting value for the EmailAddress form element.

The tilde operator requires the LDAP name for the attribute. In eDirectory, the attribute must be mapped to the LDAP attribute. In this example, the mail attribute of LDAP is mapped to the Internet Email Address attribute of eDirectory. To view or change your current LDAP attribute mappings, see the LDAP Group object for your LDAP server.
~password: A tilde followed by the word “password” instructs iChain to use the password the user supplied to authenticate to iChain as the value for this field.

When iChain encounters this in a Form Fill policy, it uses the user’s iChain password as the value for this field. The user’s password is not pulled from eDirectory, and no LDAP traffic is generated. For example:
```
<input type="password" name="password" value="~password">
```
NOTE:If you are using mutual authentication (certificate based), iChain does not have a password for the user, so this method might not work as expected.

If the user's password contains a double quote character ("), the form fill fails. Other special characters are allowed in the password. You'll need to instruct your users not to use the double quote character in their passwords.

The tilde operator is one method of adding values to fields. If you want to supply hard-coded values for fields in the form, you can use the <injectStaticValue> tag to do so. See Section 14.4.2, Injecting Static Values.

Post Actions

If you want the form to be submitted automatically, you need to use one or more of the following post tags. The <actions> tag only requires the post tags when filling a form. Other actions such as <redirect> and <deleteRemembered> do not require them.

Tag	Purpose
<post/>	Submits the form.
<maskedPost/>	When processing this tag, Form Fill replaces text input field values (username, password, etc.) with “nov-ss-ff-masked” instead of the value specified by the "value=" parameter. The appropriate corresponding values are replaced by iChain when the form is submitted to the origin server. The user’s browser never sees the actual values for these fields.
<debugPost/>	Requires a <post/> or <maskedPost/> element. This is a troubleshooting tag that lets you verify that your information is correct before you submit the form. We recommend that you use this tag when creating a new policy and that you remove it when you have determined that the policy is behaving as expected.

If you are not using SSL, you can increase your data security during a Form Fill operation by using the <maskedPost/> tag in the policy. When the actual posting of the data is done by the browser, a regular <post/> tag transmits the values for these fields across the wire from iChain to the browser. The data is then transmitted from the browser back to iChain as part of the POST request. This can be a security risk, especially if you are not using SSL for your site.

To use this feature, simply replace the <post/> tag with <maskedPost/> in the policy. A Form Fill policy should not have both of these tags in the same <urlPolicy> section.

NOTE:If your users can see the form on the browser (for example, during the first usage, or if there is an error), iChain displays the actual data without masked values.

For more information about the methods of submitting forms, see Section 14.4.3, Submitting Form Data to the Server.

Storing Form Fill Data

You can choose one of three ways to store Form Fill data:

In iChain, the ichainFormFillCrib is the default attribute that stores the user-entered data. For more secure storage of credentials, use Novell® SecretStore®. If you use SecretStore, you need to first install it. For instructions on installing SecretStore, see Section 14.6.1, Installing SecretStore.

Using the ichainFormFillCrib Attribute

The ichainFormFillCrib attribute is a user attribute in eDirectory that stores Form Fill credential information for the user in an encrypted format. It is created only when the Form Fill policy is configured to save the values associated with one of the login page's input fields. For example, if the Form Fill policy is configured with a <input type="text" name="userID" value="~"> statement, it saves the value of the userID field in the ichainFormFillCrib attribute for that user.

This attribute is created only when the following occurs:

iChain is not using Novell Shared Secret (NSSO).
The value type is defined as ~ with no attributes.

If you use this storage method, no other applications can access and use the data.

The default setting is to use the ichainFormFillCrib attribute. It works with both LDAP and Secure LDAP.

Using SecretStore Shared Secrets

To register user credentials for Form Fill and other applications, you can use the Form Fill Shared Secrets feature as long as the other applications also use Shared Secrets.

Some Web service applications use single sign-on or share application information. For some applications, you might want to preconfigure user credentials so your users never see them. Some Novell products, including Novell exteNd™ Director™, Novell SecureLogin, and iChain Form Fill need to share login credentials (usename and password).

You need to use the SecretStore interface to set the naming convention for your secret name for iChain. To function properly, the iChain naming convention must match the naming convention of the other applications. For example, the naming convention for Novell exteNd Director is //novell.com/nps/servlet. When you change this information in one application, such as Novell Secure Login, the change appears in all the other applications.

Novell SecretStore lets you overwrite credentials, but not read or retrieve the users' credentials.

IMPORTANT:Before you use Shared Secrets, you must install SecretStore version 3.x on the iChain Authorization Server. For installation instructions, see Installing SecretStore On NetWare or Installing SecretStore on Windows.

If you are using SecretStore, use the following tags to specify how the data is stored.

Tag	Purpose
<secretName>	Stores users' login credentials.
<sharedSecret>	Shares users' credentials with other applications. The sharedSecret tag contains a <migration/> sub-tag. The <migration/> tag means the original credentials are migrated to Shared Secrets. The original credentials are stored in eDirectory or in SecretStore, as specified in the Use Novell SecretStore for Form Fill check box in the Form Fill Policy tag (under the ISO object).
<migration/>	Migrates the original credentials to Shared Secrets. The original credentials are stored in eDirectory or in Novell SecretStore.

Tag

Purpose

Stores users' login credentials.

Shares users' credentials with other applications.

The sharedSecret tag contains a <migration/> sub-tag.

The <migration/> tag means the original credentials are migrated to Shared Secrets. The original credentials are stored in eDirectory or in SecretStore, as specified in the Use Novell SecretStore for Form Fill check box in the Form Fill Policy tag (under the ISO object).

Migrates the original credentials to Shared Secrets. The original credentials are stored in eDirectory or in Novell SecretStore.

Handling Login Failures

When doing form fill, you need to account for login failure behaviors. For example, you might be storing credential data for a user whose password was changed on the back-end server. When such a user authenticates through iChain, their old credential data is still used. Or you might be passing the user’s iChain password to a back-end server, but the user’s eDirectory password was changed recently. In this case, the user’s password on the back-end server might not match the iChain password any longer. When login fails, the user is presented with an error page, redirected back to the login page, or some other behavior. If this is not accounted for with a login failure policy, the login process appears to hang or loop, never taking the user to the desired application or giving any other indication of a problem with the login.

To prevent this from happening, you should create a login failure policy. The Login Failure policy can be designed to recognize the URL of an error page or can utilize <formCriteria> or <cgiCriteria> to differentiate when the error page is displayed on the same URL as the login page. You can use any of the tags in Header to identity the page the user receives on login failure.

The following Form Fill tags, which are subcomponents of the <actions> element, are useful in designing a Login Failure policy:

Tag	Purpose
<deleteRemembered>	Deletes the user’s stored data for the named policy from either the ichainFormFillCrib attribute or SecretStore, depending on your system configuration. For example: <deleteRemembered>GroupWise</deleteRemembered> This example deletes the user’s credentials stored for the GroupWise® Form Fill policy.
<redirect>	Redirects the user to the specified URI. For example: <redirect>http://my.server.com/loginfailed.html</redirect> This example redirects the user to the http://my.server.com/loginfailed.html page. The format for the URI is scheme://host/path The scheme component is optional. It can be any valid scheme that the browser understands, such as http:// or https://. If not specified, iChain defaults to http://. The host component is the target server and can be specified by either IP address or DNS name. The path component is optional. It can be any valid path for the designated host and the resulting URI. Example URIs for the <redirect> tag and the resulting URI: https://www.company.com/ -> https://www.company.com/ www.company.com/loginfail.html -> http://www.company.com/loginfail.html /loginfailure.html -> http:///loginfailure.html (this is an invalid URL) GroupWise -> http:///GroupWise (this is an invalid URL) We recommend that you specify the complete URI for the new location.

Tag

Purpose

Deletes the user’s stored data for the named policy from either the ichainFormFillCrib attribute or SecretStore, depending on your system configuration. For example:

<deleteRemembered>GroupWise</deleteRemembered>

This example deletes the user’s credentials stored for the GroupWise® Form Fill policy.

Redirects the user to the specified URI. For example:

<redirect>http://my.server.com/loginfailed.html</redirect>

This example redirects the user to the http://my.server.com/loginfailed.html page. The format for the URI is

scheme://host/path

The scheme component is optional. It can be any valid scheme that the browser understands, such as http:// or https://. If not specified, iChain defaults to http://.

The host component is the target server and can be specified by either IP address or DNS name.

The path component is optional. It can be any valid path for the designated host and the resulting URI.

Example URIs for the <redirect> tag and the resulting URI:

https://www.company.com/  ->  https://www.company.com/

www.company.com/loginfail.html  ->  http://www.company.com/loginfail.html

/loginfailure.html  ->  http:///loginfailure.html (this is an invalid URL)

GroupWise  ->  http:///GroupWise (this is an invalid URL)

We recommend that you specify the complete URI for the new location.

If a Login Failure policy references the same URL as a Login policy, the Login Failure policy should appear first in the Form Fill policy. iChain Form Fill processing is from the top of the policy down, and the first matching policy is used.

For a sample Login Failure policy, see the iChainTestFailure policy in Section 14.2.2, Sample Form Fill Policy.

14.2.2 Sample Form Fill Policy

This sample policy can be used for the form displayed in Figure 14-1. The actions section follows the order of the fields in the form and uses the names and types defined in the HTML source.

This policy is designed so the user must enter the data once, but after the data has been entered, iChain stores the data and automatically logs the user in. If the data on the back-end server has changed and the stored data needs to be updated, the second <urlPolicy> element defines a Login Failure policy that deletes the stored data and allows the user to fill in the form again.

<urlPolicy>
   <name>iChainTest</name>
   <url>iChainTestserver.com/FullTest.html</url>
   <injectStaticValue>
      city=Provo
   </injectStaticValue>
   <sharedSecret>
   </sharedSecret>
   <formCriteria>iChain Form Test Page</formCriteria>
   <actions>
      <fill>
         <input name="username" value="~" ff_lower_upper="upper">
         <input name="password" value="~">
         <select name="webserv" type="listbox" value="~">
         <input name="role" type="radio" value="~">
         <input name="mail" type="checkbox" value="~">
         <input name="payroll" type="checkbox" value="~">
         <input name="selfservice" type="checkbox" value="~">
      </fill>
      <post/>
   </actions>
</urlPolicy>

   <name>iChainTestFailure</name>
   <url>iChainTestserver.com/FullTestFailure.html</url>
   <actions>
      <deleteRemembered>iChainTest</deleteRemembered>
      <redirect>iChainTestserver.com/FullTest.html</redirect>
   </actions>
</urlPolicy>