
Authentication

Logon stacks let you choose a different combination of authentication types for each application you create and for each server component that is protected by security restrictions.

Interface IAuthentication

The SAP WebAS Java provides an API to check whether a user is logged on, to enforce that a user is logged on, and to obtain the logged-on user object.

The interface has the following methods:

public interface IAuthentication {

    // Returns the logged-on user, or null if no user is logged on.
    // This method never modifies the response.
    public IUser getLoggedInUser(HttpServletRequest req,
                                 HttpServletResponse resp);

    /*
     * Checks whether a user is logged on and returns the user object if so.
     * If no user is logged on, the logon page is written to the
     * ServletResponse and null is returned.
     */
    public IUser forceLoggedInUser(HttpServletRequest req,
                                   HttpServletResponse resp)
        throws UserManagementException;

    // Logs the user out: the SSO cookie is removed and the session is closed.
    public void logout(HttpServletRequest req,
                       HttpServletResponse resp);
}

 

Example: Enforcing Logon

// Must run before anything is written to the response.
IUser user =
   UMFactory.getAuthenticator().forceLoggedInUser(request, response);
if (user == null) {
   // No user was logged on: the logon page has already been written
   // to the response, so the application must not write anything else.
   return;
}

The user object can be used for access control and to get the profile of the user.

Caution

The method forceLoggedInUser() modifies the response when no user is logged on: it writes the logon page and returns null.

To avoid exceptions (for example, from writing to an already committed response) and corrupted output, an application must follow these rules:

·        Do not write to the response before calling forceLoggedInUser(). Output that has already been sent would be mixed with, or prevent, the logon page.

·        Do not write to the response after forceLoggedInUser() has returned null. The logon page has already been written at that point.
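The following servlet shows the pattern in full: the logon check is the first thing that touches the response, the null return ends request processing, and the returned IUser object (not any request parameter) is the principal against which access control is done. This is an added example, not code from the SAP documentation; the servlet name, the role ID and the report output are assumptions, and the exception thrown by forceLoggedInUser() is caught generically because its package is not given on this page.

```java
import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.sap.security.api.IAuthentication;
import com.sap.security.api.IUser;
import com.sap.security.api.UMFactory;

// Example servlet (assumed name) that enforces logon before producing output.
public class ProtectedReportServlet extends HttpServlet {

    // Unique ID of the role that may view the report (assumed value).
    private static final String REPORT_ROLE_ID = "ROLE.UME_ROLE_PERSISTENCE.un:Report_Viewer";

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {

        IAuthentication auth = UMFactory.getAuthenticator();
        IUser user;
        try {
            // Rule 1: nothing has been written to the response yet.
            // If no user is logged on, this call writes the logon page itself.
            user = auth.forceLoggedInUser(request, response);
        } catch (Exception ex) {
            // UserManagementException as declared by the interface; caught
            // generically here because the page does not give its package.
            throw new ServletException("Logon check failed", ex);
        }
        if (user == null) {
            // Rule 2: the logon page is already in the response; stop here.
            return;
        }

        // Authorization is decided on the authenticated IUser object.
        // isMemberOfRole(uniqueId, recursive) is assumed to take a role unique ID.
        if (!user.isMemberOfRole(REPORT_ROLE_ID, true)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // Only now is it safe to write the actual page.
        response.setContentType("text/html; charset=UTF-8");
        PrintWriter out = response.getWriter();
        out.println("<html><body>");
        out.println("<p>Report for " + escapeHtml(user.getDisplayName()) + "</p>");
        out.println("</body></html>");
    }

    // Minimal HTML escaping for user profile data that is echoed into the page.
    private static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuffer sb = new StringBuffer(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
}
```

If the role check fails, the example sends a 403 instead of silently rendering a reduced page; an unauthenticated request never reaches that check because forceLoggedInUser() has already taken over the response.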

Session Handling for SAP WebAS Java Applications

If a SAP WebAS Java application stores confidential or user-related data in the session context, the application must ensure that this data (or the whole session) is destroyed when the user logs off. The application must check at every request whether a user is logged on, using the method getLoggedInUser().

Whenever a user logs on, a reference to the logged-on user is stored in the session context. If the session already holds a reference to a different user, or holds a user reference although no user is logged on, call forceLoggedInUser() to initiate a new logon and invalidate the existing session. When the user logs off, the SSO cookie is removed and the session is closed.

To keep getLoggedInUser() fast, the UME caches the information it needs to verify a user's logon status.
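The following servlet implements the procedure above: it checks the logon status on every request, binds the HTTP session to the unique ID of the user it was created for, invalidates a session that belongs to a different user or to a user who is no longer logged on, and on logout destroys the session data before calling logout(). This is an added example, not SAP's own code; the servlet name, the session attribute name and the logout request parameter are assumptions, and the exception thrown by forceLoggedInUser() is caught generically because its package is not given on this page.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import com.sap.security.api.IAuthentication;
import com.sap.security.api.IUser;
import com.sap.security.api.UMFactory;

// Example servlet (assumed name) whose session is bound to one logged-on user.
public class SessionBoundServlet extends HttpServlet {

    // Session attribute holding the unique ID of the session's owner (assumed name).
    private static final String BOUND_USER_ATTR = "example.boundUserId";

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        IUser user = currentUser(req, resp);
        if (user == null) {
            return; // logon page has been written; nothing else may be written
        }
        // From here on req.getSession() is guaranteed to belong to 'user'.
        resp.setContentType("text/plain");
        resp.getWriter().println("Session belongs to " + user.getUniqueName());
    }

    // Logout (assumed: POST with action=logout): destroy the server-side
    // session data first, then remove the SSO cookie.
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if ("logout".equals(req.getParameter("action"))) {
            HttpSession session = req.getSession(false);
            if (session != null) {
                session.invalidate(); // drops confidential data bound to the user
            }
            UMFactory.getAuthenticator().logout(req, resp); // removes the SSO cookie
            resp.setContentType("text/plain");
            resp.getWriter().println("Logged out");
        }
    }

    // Returns the logged-on user whose session is verified to be their own,
    // or null after the logon page has been written to the response.
    private IUser currentUser(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException {
        IAuthentication auth = UMFactory.getAuthenticator();

        // 1. Check the logon status on every request (cheap: the UME caches it).
        IUser user = auth.getLoggedInUser(req, resp);

        HttpSession session = req.getSession(false);
        String boundId = (session == null)
                ? null : (String) session.getAttribute(BOUND_USER_ATTR);

        // 2. A session bound to another user, or to a user who is no longer
        //    logged on, must not survive.
        boolean staleSession = boundId != null
                && (user == null || !boundId.equals(user.getUniqueID()));

        if (staleSession || user == null) {
            if (session != null) {
                session.invalidate();
            }
            // 3. Initiate a (new) logon; writes the logon page if needed.
            try {
                user = auth.forceLoggedInUser(req, resp);
            } catch (Exception ex) { // UserManagementException per the interface
                throw new ServletException("Logon failed", ex);
            }
            if (user == null) {
                return null;
            }
        }

        // 4. Bind the (possibly fresh) session to the verified user.
        req.getSession(true).setAttribute(BOUND_USER_ATTR, user.getUniqueID());
        return user;
    }
}
```

The order in the logout handler matters: invalidating the session before logout() guarantees that the user-related data is gone even if the response could not be completed afterwards.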

Caution

See the Java Servlet specification (published by Sun Microsystems) for details about the HTTP session object before you build a SAP WebAS Java application.

In the SAP Enterprise Portal the session is controlled by the portal, so a portal application does not have to manage the user data stored in the session context itself.

 

Single Sign-On (SSO)

Authentication with SSO works as follows:

·        After a user has logged on, a digitally signed SSO cookie (the SAP logon ticket) is issued for the user.

·        On subsequent requests, this cookie can be used for SSO. The method getLoggedInUser() verifies the cookie and retrieves the available user information. The method forceLoggedInUser() verifies the cookie in the same way.

·        When no user is logged on, or the cookie is invalid for any reason, and forceLoggedInUser() is called, the method automatically displays the logon page. The requested URL (for example, of a servlet, HTML page, or JSP) is passed on to the logon page. Once the user has logged on again, the browser is sent back to the requested URL.

 
