Show TOC Start of Content Area

Background documentation Remote Authentication  Locate the document in its SAP Library structure

Use

The J2EE Engine enables you to authenticate remote clients that establish Remote Method Invocation (RMI) connections to the J2EE Engine. Authentication of remote clients is pluggable and open to using several types of security credentials, including logon tickets.

The J2EE Engine can authenticate remote clients using the following methods:

      Logon via the naming context

      Logon using a JAAS callback handler

Remote Logon via Naming Context

For this remote logon method, authentication uses the JNDI policy configuration both for remote client and server authentication. You can use this logon method for scenarios when the remote client requires access to the JNDI to gain access to server side objects.

Authentication flow

Remote clients can authenticate to the J2EE Engine when they request a new InitialContext. This can be done by setting security credentials in the properties that are given to the initial context instance. When the close() method is called on this initial context, the authenticated user is logged out.

If the client application creates more than one initial context instance, then each of these contexts can perform or not perform authentication, depending on whether the security credentials are passed on, and whether a previous authentication has been made. The following cases are possible:

      If the current thread has not been authenticated, then it is authenticated with the given security credentials. If no credentials are supplied, then the thread remains with permissions of the anonymous user.

      If the current thread has already been authenticated, then no authentication is performed when a new initial context is obtained, whether security credentials are supplied or not.

      If the method close() is called on some of the instances, then this initial context instance is closed.

       If the authentication of the thread has been made by the naming service, then the user is logged out and, as a result, all other initial context instances already have the permissions of the anonymous user.

       If the authentication has been made in a different way, then no change of the authenticated user takes place. The client can continue working with the other initial context instances on behalf of the authenticated user.

Standard property names for authentication credentials

You can use standard property names for setting user ID and password for authentication credentials in initial context properties. These standard property names are defined in javax.naming.InitialContext. They use the following constants:

      SECURITY_PRINCIPAL, with a value java.naming.security.principal

      SECURITY_CREDENTIALS with a value java.naming.security.credentials.

Non-standard property names for authentication credentials

The login modules that are configured for the authentication stack of the JNDI policy configuration may request specific credentials for successful authentication. Therefore, the security credentials (the property names) that you can pass depend on the login modules in JNDI authentication stack.

You can use non-standard credentials by entering property names in the following format:

sap.security.credential.<credential_type>.<credential_name>

where credential_type and the credential_name identify the type and the name of the security credential that is requested by the login module.

Example

For example, EvaluateTicketLoginModule requests from the client to give a SAP Logon Ticket by setting in HttpGetterCallbackHandler the type equal to HttpCallback.COOKIE and the name – MYSAPSSO2. Thus, the client application has to set in initial context properties the user ticket with property name sap.security.credential.2.MYSAPSSO2.

You can use the property sap.security.callback.handler to specify a callback handler that must be used for authentication of the remote client upon log in to the server.

Note

In addition to setting this property to the InitialContext, you have to adjust the corresponding login module stack that the Naming service uses during the authentication process. More information about non-standard properties: RMI-P4 Specific InitialContext Properties.

Remote Logon using JAAS Callback Handlers

This remote logon scenario uses the JAAS authentication mechanisms of the J2EE Engine to protect access and enables you to configure authentication to apply specifically to the remote client. In this case, logon is performed using a RemoteLoginContextthat is passed a CallbackHandler for the security credentials that are provided via JAAS callbacks.

Note

You can also use a RemoteLoginContext constructor to pass a security policy configuration for use in the authentication. For this case you have to adjust the login modules in the authentication stack of the passed policy configuration for the authentication mechanism you use.

The remote client has to provide a callback handler for retrieving the requested credentials in an application-specific way. The CallbackHandler has to support the following interfaces that are provided by the J2EE Engine:

      NameCallback for handling user IDs.

      PasswordCallback for handling passwords.

      PasswordChangeCallback for handling password change requests.

      HttpGetterCallback and HttpSetterCallback for handling logon tickets.

Note

For more information, see Authentication for Web Applications Users on the J2EE Engine.

Authentication Flow

For an overview of the authentication flow for this case, see the figure below:

 This graphic is explained in the accompanying text

Creating Callback Handler

The code sample below shows an example of how to make a callback handler:

public class TemplateCallbackHandler implements CallbackHandler {

 

  public void handle(Callback[] callbacks) throws IOException,

         UnsupportedCallbackException {

    for (int i = 0; i < callbacks.length; i++) {

      if (callbacks[i] instanceof NameCallback) {

        String userName = getUserName();

        ((NameCallback) callbacks[i]).setName(userName);

      } else if (callbacks[i] instanceof PasswordCallback) {

        char[] password = getPassword();

        ((PasswordCallback) callbacks[i]).setPassword(password);

      } else if (callbacks[i] instanceof HttpGetterCallback) {

        // This is a general type of callback, so it can be used

        // for various types of credentials.

        HttpGetterCallback getterCallback = (HttpGetterCallback) callbacks[i];

 

        /**

         * The type and the name identify what kind of credential is

         * requested by the logon module. Possible values for the type

         * are defined in com.sap.engine.lib.security.http.HttpCallback.

         * CallbackHandler can understand none, some or all of them.

         * It also may be extended with other types, if the logon module

         * that is used along with this callback handler requests them.

         * For SAP Logon Ticket the identifiers are:

         * type = HttpCallback.COOKIE, name = "MYSAPSSO2".   

         */

 

        /**

         * The logon module has set the type and the name of the

         * security credential that is needed for the authentication.

         */

        byte type = getterCallback.getType();

        String name = getterCallback.getName();

 

        // CallbackHandler gets the specified credential.

        Object value = getCredentialValue(type, name);

 

        // The credential is passed back to the logon module.

        getterCallback.setValue(value);

      } else if (callbacks[i] instanceof HttpSetterCallback) {

        /**

         * This type of callback is used by the logon module to

         * give some credentials back to the client. For example,

         * after the user is authenticated successfully with user

         * name and password, CreateTicketLoginModule could create

         * and give back SAP Logon Ticket for that user.

         */

        HttpSetterCallback setterCallback = (HttpSetterCallback) callbacks[i];

 

        byte type = setterCallback.getType();

        String name = setterCallback.getName();

        Object value = setterCallback.getValue();

 

        storeCredential(type, name, value);

      } else {

        throw new UnsupportedCallbackException(callbacks[i], "Unsupported callback!");

      }

    }

  }

 

  /**

   *  Retrieves the user name in an application specific way.

   */

  private String getUserName() {

    ...

  }

 

  /**

   *  Retrieves the user password in an application specific way.

   */

  private char[] getPassword() {

    ...

  }

 

  /**

   * Retrieves other security credentials that are required for

   * the application authentication.

   */

  private Object getCredentialValue(byte type, String name) {

    ...

  }

 

  /**

   *  Stores the given security credentials of the client.

   */

  private void storeCredential(byte type, String name, Object value) {

    ...

  }

}

 

 

End of Content Area