Logon stacks let you choose a different combination of authentication types for each application you create and for each server component that has security restrictions applied.
SAP WebAS Java provides an API to check whether a user is logged on, to enforce that a user is logged on, and to obtain the object representing the logged-on user.
The interface has the following methods (only the two methods described on this page are shown; the rest of the declaration is cut off in the source, and the parameter lists are an assumption, namely that both methods receive the servlet request and response so that the response can be redirected):

```java
public interface IAuthentication {
    // Returns the logged-on user, or null if no user is logged on.
    IUser getLoggedInUser(HttpServletRequest request, HttpServletResponse response);

    // Returns the logged-on user; if no user is logged on, redirects the
    // response to the logon page and returns null.
    IUser forceLoggedInUser(HttpServletRequest request, HttpServletResponse response);
}
```
Example: Enforcing Logon (the original statement is cut off in the source; it is completed here from the description below, and UMFactory.getAuthenticator() is assumed to be the way to obtain the IAuthentication instance)

```java
// forceLoggedInUser() redirects to the logon page and returns null when the user is not logged on
IUser user = UMFactory.getAuthenticator().forceLoggedInUser(request, response);
```
The user object can be used for access control and to retrieve the user's profile.
The method forceLoggedInUser() modifies the response (it redirects the browser to the logon page) if the user is not logged on. This only works while the response is still uncommitted, so to avoid exceptions an application must follow these recommendations:
§ do not write to the response before calling forceLoggedInUser(), because once output has been committed the redirect can no longer be sent.
§ do not write to the response after forceLoggedInUser() has returned null, because the response has already been redirected to the logon page and the original request will be repeated after the logon.
If a SAP WebAS Java application stores confidential or user-related data in the session context, it must make sure that this data (or the whole session) is destroyed when the user logs off. The application must check at every request, using getLoggedInUser(), that a user is logged on; an HTTP session outlives the logon, so a valid session alone does not prove that the user is still authenticated.
Whenever a user logs on, a reference to the logged-on user is stored in the session context. If the session already contains a reference to a different user (including the case where the session holds a user reference but that user is no longer logged on), use forceLoggedInUser() to initiate a new logon and cancel the existing session. When the user logs off, the SSO cookie is removed and the session is closed.
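The rules above put together in one servlet, as an added example that is not part of the original SAP documentation. It assumes the UME classes com.sap.security.api.UMFactory, com.sap.security.api.IUser and com.sap.security.api.logon.IAuthentication, that UMFactory.getAuthenticator() returns the IAuthentication instance, that getLoggedInUser() and forceLoggedInUser() take the servlet request and response, that IUser offers getUniqueID() and getDisplayName(), and that IAuthentication.logout(request, response) ends the logon and removes the SSO cookie; the session attribute name is made up for the example.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import com.sap.security.api.IUser;
import com.sap.security.api.UMFactory;
import com.sap.security.api.logon.IAuthentication;

// Example servlet (not SAP code): enforces logon on every request, detects a
// session that belongs to a different or no-longer-logged-on user, and
// destroys session data on logoff.
public class ProtectedServlet extends HttpServlet {

    // Assumed attribute name under which this application remembers whose
    // session this is.
    private static final String SESSION_USER_KEY = "example.app.userId";

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Assumption: UMFactory.getAuthenticator() yields the IAuthentication instance.
        IAuthentication auth = UMFactory.getAuthenticator();

        // Check the logon status at every request; a live HttpSession alone
        // does not prove that the user is still logged on.
        IUser user = auth.getLoggedInUser(request, response);
        HttpSession session = request.getSession(true);
        String sessionOwner = (String) session.getAttribute(SESSION_USER_KEY);

        boolean otherUser = user != null && sessionOwner != null
                && !sessionOwner.equals(user.getUniqueID());
        if (user == null || otherUser) {
            // Not logged on, or the session was created for another user:
            // cancel the existing session and force a fresh logon. Nothing has
            // been written to the response yet, so the redirect can still be sent.
            session.invalidate();
            user = auth.forceLoggedInUser(request, response);
            if (user == null) {
                // Redirected to the logon page; the requested URL is called
                // again after logon. Write nothing more to the response.
                return;
            }
            session = request.getSession(true);
        }
        session.setAttribute(SESSION_USER_KEY, user.getUniqueID());

        response.setContentType("text/html;charset=UTF-8");
        PrintWriter out = response.getWriter();
        out.println("<p>Logged on as " + escapeHtml(user.getDisplayName()) + "</p>");
        out.println("<form method=\"post\"><button name=\"logoff\" value=\"1\">Log off</button></form>");
    }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        if (request.getParameter("logoff") == null) {
            doGet(request, response);
            return;
        }
        // Destroy the application's session data first, then end the UME logon
        // (assumed to remove the SSO cookie) so neither survives the logoff.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.removeAttribute(SESSION_USER_KEY);
            session.invalidate();
        }
        UMFactory.getAuthenticator().logout(request, response);
    }

    // Minimal HTML escaping so that a display name cannot inject markup.
    private static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '&': sb.append("&amp;"); break;
                case '"': sb.append("&quot;"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }
}
```

The order of the calls matters: getLoggedInUser() is used for the per-request check because it never touches the response, and forceLoggedInUser() is called only while the response is still untouched, so the redirect to the logon page can be sent. The servlet returns immediately after a null result and never writes output in that case, which is exactly the pair of recommendations given above.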
For good performance of getLoggedInUser(), the UME caches the information needed to verify a user's logon status.
See the Sun Microsystems servlet specification for more details about the HTTP session object when you create a SAP WebAS Java application.
In the SAP Enterprise Portal the session is controlled by the portal, so a portal application does not have to manage user data stored in the session context itself.
Authentication with SSO works as follows:
· After a user has logged on, an encrypted cookie is created for the user.
· In subsequent requests this cookie can be used for SSO. The method getLoggedInUser() verifies the cookie and retrieves the available user information.
The method forceLoggedInUser() works in the same way.
· When the user is not logged on, or the cookie is invalid for any reason, and forceLoggedInUser() is called, the method automatically displays the logon page. The originally requested URL (for example a servlet, HTML page or JSP) is passed to the logon page, and once the user has logged on again that URL is called.