Implementing Security Functions

Use

The implementation of the security contract is an essential part of developing a resource adapter because it enables proper user authentication when a connection to the EIS is obtained. The security functions of a resource adapter include support for initializing a ManagedConnection with security information and throwing an exception when the supplied credentials are erroneous. Optionally, the resource adapter may support a reauthentication mechanism.

The security-related settings for a resource adapter are configured at deployment time. For more information, see Resource Adapter Security.

Procedure

Passing Security Information

The security information required for the establishment of a physical connection, and the instantiation of a connection handle for it, is encapsulated in the following objects:

- Subject – in a container-managed sign-on the application server passes an instance of javax.security.auth.Subject, which encapsulates the credentials used for authentication to the EIS. The credentials are typically of type javax.resource.spi.security.PasswordCredential or javax.resource.spi.security.GenericCredential.

- ConnectionRequestInfo – the instance of javax.resource.spi.ConnectionRequestInfo contains request-specific information, as well as resource adapter generic data. In an application-managed sign-on, the ConnectionRequestInfo object encapsulates the security information used for authentication to the EIS – for example, user name and password.

For more information about container-managed and application-managed sign-on, see Using Resource Adapter to Obtain Connection.

If the security information is erroneous or insufficient, the application must get a javax.resource.spi.SecurityException. The resource adapter throws a SecurityException in the case of a security-related error in the following methods:

- ManagedConnectionFactory – createManagedConnection() or matchManagedConnection()

- ManagedConnection – getConnection()

- ConnectionManager – allocateConnection()

- GenericCredential – getCredentialData()
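The following example, added here and not part of the SAP documentation or the SAP J2EE Engine, shows how a resource adapter can extract the security information from either object in createManagedConnection(). The class names EisConnectionRequestInfo and SignOnResolver are assumptions; only the javax.resource and javax.security.auth types are standard JCA/Java SE API. A Subject (container-managed sign-on) is searched for the PasswordCredential tagged with this adapter's ManagedConnectionFactory; a null Subject means application-managed sign-on and the data is taken from the ConnectionRequestInfo. Every missing or incomplete piece of information becomes a javax.resource.spi.SecurityException, which is what the application must receive.

```java
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.Arrays;
import java.util.Objects;
import java.util.Set;
import javax.resource.spi.ConnectionRequestInfo;
import javax.resource.spi.ManagedConnectionFactory;
import javax.resource.spi.SecurityException;
import javax.resource.spi.security.PasswordCredential;
import javax.security.auth.Subject;

/**
 * Hypothetical ConnectionRequestInfo for application-managed sign-on: the
 * application hands user name and password to getConnection(...) and the
 * adapter carries them in this object. The JCA contract only requires
 * equals() and hashCode(), which the container uses for connection matching.
 */
final class EisConnectionRequestInfo implements ConnectionRequestInfo {
    private final String userName;
    private final char[] password;

    EisConnectionRequestInfo(String userName, char[] password) {
        this.userName = userName;
        this.password = (password == null) ? null : password.clone();
    }

    String getUserName() { return userName; }

    char[] getPassword() { return (password == null) ? null : password.clone(); }

    @Override public boolean equals(Object o) {
        if (!(o instanceof EisConnectionRequestInfo)) return false;
        EisConnectionRequestInfo other = (EisConnectionRequestInfo) o;
        return Objects.equals(userName, other.userName)
                && Arrays.equals(password, other.password);
    }

    @Override public int hashCode() {
        return 31 * Objects.hashCode(userName) + Arrays.hashCode(password);
    }
}

/**
 * Hypothetical helper called from ManagedConnectionFactory.createManagedConnection().
 * It turns the Subject (container-managed sign-on) or the ConnectionRequestInfo
 * (application-managed sign-on) into the PasswordCredential the adapter signs on
 * with, and throws SecurityException whenever the information is missing or
 * incomplete, as the security contract requires.
 */
final class SignOnResolver {
    private SignOnResolver() {}

    static PasswordCredential resolve(final ManagedConnectionFactory mcf,
                                      final Subject subject,
                                      ConnectionRequestInfo info) throws SecurityException {
        if (subject != null) {
            // Container-managed sign-on. Reading private credentials is a
            // privileged operation when a security manager is installed.
            Set<PasswordCredential> credentials = AccessController.doPrivileged(
                new PrivilegedAction<Set<PasswordCredential>>() {
                    public Set<PasswordCredential> run() {
                        return subject.getPrivateCredentials(PasswordCredential.class);
                    }
                });
            for (PasswordCredential pc : credentials) {
                // A Subject may hold credentials for several adapters; the
                // container tags each one with the MCF it is intended for.
                if (mcf.equals(pc.getManagedConnectionFactory())) {
                    requireComplete(pc.getUserName(), pc.getPassword());
                    return pc;
                }
            }
            throw new SecurityException(
                "Subject carries no PasswordCredential for this resource adapter");
        }
        if (info instanceof EisConnectionRequestInfo) {
            // Application-managed sign-on: credentials travel in the request info.
            EisConnectionRequestInfo eisInfo = (EisConnectionRequestInfo) info;
            requireComplete(eisInfo.getUserName(), eisInfo.getPassword());
            PasswordCredential pc =
                new PasswordCredential(eisInfo.getUserName(), eisInfo.getPassword());
            pc.setManagedConnectionFactory(mcf);
            return pc;
        }
        throw new SecurityException(
            "No security information supplied with the connection request");
    }

    private static void requireComplete(String userName, char[] password)
            throws SecurityException {
        if (userName == null || userName.length() == 0 || password == null) {
            throw new SecurityException(
                "Incomplete credentials: user name and password are required");
        }
    }
}
```

createManagedConnection() calls SignOnResolver.resolve(this, subject, info) before opening the physical connection, and wraps a sign-on rejected by the EIS in a SecurityException as well, so that wrong credentials and absent credentials reach the application through the same exception type.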

PasswordCredential and GenericCredential

The resource adapter may support one of the following credential types:

- javax.resource.spi.security.PasswordCredential – an instance of this class holds a user name and a corresponding password. This class is typically used for the BasicPassword authentication type.

- javax.resource.spi.security.GenericCredential – this is a generic interface for accessing a mechanism-specific representation of a credential. For example, the GenericCredential instance may be a wrapper for a Kerberos ticket.

The interface provides methods for retrieving the credential data, the resource principal name, and the security mechanism type represented by the credential. The resource adapter must handle the use of the generic credential. It may use it in the following ways:

  - If the EIS supports the security mechanism of the credential, the adapter may use the credential in an EIS-specific way.

  - If both the resource adapter and the underlying EIS support the GSS-API, the adapter may use this API to pass the credential to the EIS.

The mechanism type of the credential is retrieved using the getMechType() method of the interface. The result of this method is an Object Identifier (OID)-based representation of the mechanism type, as defined in the Generic Security Service Application Programming Interface (GSS-API) specification. For example, the OID-based representation of a Kerberos Version 5 mechanism is 1.2.840.113554.1.2.2.

If any security-related error occurs, for example if there are wrong credentials or if the mechanism type is not supported, the getCredentialData() method of the interface must throw a SecurityException.
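The example below, added here and not taken from the SAP documentation or the SAP J2EE Engine, shows both sides of the GenericCredential interface described above: a hypothetical implementation (MechanismCredential) that wraps a mechanism token together with its GSS-API OID and whose getCredentialData() throws SecurityException for an unsupported mechanism or an empty credential, and a hypothetical adapter-side consumer (GenericCredentialSignOn) that checks getMechType() against the Kerberos Version 5 OID given in the text before handing the data to the EIS. Class names and the choice of Kerberos as the only supported mechanism are assumptions.

```java
import java.util.Arrays;
import java.util.Objects;
import javax.resource.spi.SecurityException;
import javax.resource.spi.security.GenericCredential;

/**
 * Hypothetical GenericCredential wrapping a mechanism-specific token, for
 * example a Kerberos ticket. The mechanism is identified by its GSS-API OID.
 */
final class MechanismCredential implements GenericCredential {
    /** OID of the Kerberos Version 5 mechanism from the GSS-API specification. */
    static final String KERBEROS_V5_OID = "1.2.840.113554.1.2.2";

    private final String principalName;
    private final String mechType;
    private final byte[] token;

    MechanismCredential(String principalName, String mechType, byte[] token) {
        this.principalName = Objects.requireNonNull(principalName, "principalName");
        this.mechType = Objects.requireNonNull(mechType, "mechType");
        this.token = (token == null) ? new byte[0] : token.clone();
    }

    public String getName() { return principalName; }

    public String getMechType() { return mechType; }

    /**
     * Any security-related problem must surface as SecurityException, so the
     * caller sees it on getConnection() rather than as an EIS protocol error.
     */
    public byte[] getCredentialData() throws SecurityException {
        if (!KERBEROS_V5_OID.equals(mechType)) {
            throw new SecurityException("Unsupported security mechanism " + mechType
                + " for resource principal " + principalName);
        }
        if (token.length == 0) {
            throw new SecurityException(
                "Empty credential for resource principal " + principalName);
        }
        return token.clone();
    }

    @Override public boolean equals(Object o) {
        if (!(o instanceof MechanismCredential)) return false;
        MechanismCredential other = (MechanismCredential) o;
        return principalName.equals(other.principalName)
            && mechType.equals(other.mechType)
            && Arrays.equals(token, other.token);
    }

    @Override public int hashCode() {
        return 31 * (31 * principalName.hashCode() + mechType.hashCode())
            + Arrays.hashCode(token);
    }
}

/** Hypothetical adapter-side consumer: decides whether the EIS can use the credential. */
final class GenericCredentialSignOn {
    private GenericCredentialSignOn() {}

    /**
     * Returns the mechanism token to pass to the EIS (for example through the
     * GSS-API when both adapter and EIS support it). The mechanism type is
     * checked first: a Kerberos-only EIS cannot use a token of another mechanism,
     * and getCredentialData() itself throws for a defective credential.
     */
    static byte[] tokenForEis(GenericCredential credential) throws SecurityException {
        if (credential == null) {
            throw new SecurityException("No credential supplied");
        }
        String mech = credential.getMechType();
        if (!MechanismCredential.KERBEROS_V5_OID.equals(mech)) {
            throw new SecurityException("EIS does not support security mechanism " + mech);
        }
        return credential.getCredentialData();
    }
}
```

The consumer checks the mechanism type before calling getCredentialData(), so an unsupported credential is rejected without ever exposing its raw bytes to adapter code that could not use them.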

Reauthentication Support

Reauthentication support means that the resource adapter is able to switch the security context of an existing connection. It is implemented in the getConnection() method of the ManagedConnection.

The security context of a connection is established for a particular resource principal. If the adapter supports reauthentication, it can reauthenticate the physical connection to the EIS with another security context when the getConnection() method of the ManagedConnection is invoked. The new security context is defined by the subject passed as a parameter of the method. If the subject is null, the security information is encapsulated in the ConnectionRequestInfo instance.
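The following skeleton, added here and not part of the SAP documentation or the SAP J2EE Engine, shows the reauthentication decision in ManagedConnection.getConnection() as described above. The class EisManagedConnection is hypothetical; its EIS-specific steps (resolving the credential from the Subject or, when the Subject is null, from the ConnectionRequestInfo; switching the principal of the open EIS session; creating the connection handle) are declared as abstract hooks and assumed to be supplied by the concrete adapter. The connection only records the new security context after the EIS has accepted it, and a connection that does not support reauthentication refuses a request for a different principal instead of serving it under the old context.

```java
import java.util.Arrays;
import javax.resource.ResourceException;
import javax.resource.spi.ConnectionRequestInfo;
import javax.resource.spi.ManagedConnection;
import javax.resource.spi.SecurityException;
import javax.resource.spi.security.PasswordCredential;
import javax.security.auth.Subject;

/**
 * Hypothetical ManagedConnection skeleton with reauthentication support.
 * The remaining ManagedConnection methods are left to the concrete subclass.
 */
abstract class EisManagedConnection implements ManagedConnection {
    private final boolean reauthenticationSupported;
    /** Resource principal the physical connection is currently signed on as. */
    private PasswordCredential currentCredential;

    protected EisManagedConnection(boolean reauthenticationSupported,
                                   PasswordCredential initialCredential) {
        this.reauthenticationSupported = reauthenticationSupported;
        this.currentCredential = initialCredential;
    }

    /**
     * Assumed hook: resolves the requested credential from the Subject
     * (container-managed sign-on) or from the ConnectionRequestInfo when the
     * Subject is null (application-managed sign-on), throwing SecurityException
     * if the information is missing or wrong.
     */
    protected abstract PasswordCredential resolveCredential(Subject subject,
            ConnectionRequestInfo info) throws SecurityException;

    /** Assumed hook: signs the open physical connection on as another principal. */
    protected abstract void switchEisPrincipal(PasswordCredential credential)
            throws SecurityException;

    /** Assumed hook: creates the application-level handle for this connection. */
    protected abstract Object newHandle();

    public Object getConnection(Subject subject, ConnectionRequestInfo info)
            throws ResourceException {
        PasswordCredential requested = resolveCredential(subject, info);
        if (!sameSecurityContext(requested)) {
            if (!reauthenticationSupported) {
                // matchManagedConnections() normally keeps the container from
                // reusing this connection for another principal; refuse here
                // rather than silently serving the wrong security context.
                throw new SecurityException("Connection is signed on as "
                    + currentCredential.getUserName()
                    + " and does not support reauthentication");
            }
            switchEisPrincipal(requested);  // throws if the EIS rejects the credentials
            currentCredential = requested;  // record the new context only after success
        }
        return newHandle();
    }

    /** Name of the resource principal currently bound to the physical connection. */
    String currentUserName() {
        return currentCredential.getUserName();
    }

    private boolean sameSecurityContext(PasswordCredential requested) {
        return currentCredential.getUserName().equals(requested.getUserName())
            && Arrays.equals(currentCredential.getPassword(), requested.getPassword());
    }
}
```

When the requested principal matches the current one, no reauthentication round trip is made and a handle for the existing security context is returned; this is the common case when the container hands an already authenticated connection back to the same caller.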
