Specifying Authentication for Java Applications
Prerequisites
To specify the authentication type, you modify the web.xml file in SAP NetWeaver Developer Studio.
Context
After you specify the authentication method, only users who have authenticated successfully on the AS Java can access the application.
There are four types of authentication available: BASIC, FORM, CLIENT-CERT and DIGEST.
Procedure
- Open the web.xml file.
- Specify the authentication method.
For more information about the different methods, see the Java™ Servlet 2.5 Specification at http://java.sun.com.
Add the following code to the file (for this example we assume that the authentication type to use is CLIENT-CERT):
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
</login-config>
The authentication method specifies the following:
- The authentication mechanism used to protect the application
In SAP NetWeaver, the authentication mechanisms are implemented as policy configurations of type template. These policy configurations contain an authentication stack with one login module.
| Authentication Mechanism | Required Credentials | Policy Configuration | Login Module |
| --- | --- | --- | --- |
| BASIC | User ID and password | basic | BasicPasswordLoginModule |
| FORM | User ID and password | form | BasicPasswordLoginModule |
| CLIENT_CERT | Client certificate | client_cert | ClientCertLoginModule |
The AS Java assigns the corresponding template when the application is deployed. View this assignment on the Components tab of the Authentication plug-in of SAP NetWeaver Administrator.
For more information, see Managing Authentication Policy for AS Java Components.
If you do not specify an authentication method in the web.xml, the AS Java assigns the authentication stack template defined in the authentication property ume.login.context. The default value is ticket. You can view and edit this assignment on the Properties tab of the Authentication plug-in of SAP NetWeaver Administrator.
For more information, see Configuring Authentication Properties.
- The way the server communicates with the client to request the required credentials, as required by the servlet specification.
During deployment, the AS Java writes this information to the authentication property auth_method of the policy configuration. View this assignment on the Components tab of the Authentication plug-in of SAP NetWeaver Administrator.
For more information, see Managing Authentication Policy for AS Java Components.
If you do not specify an authentication method in the web.xml, the AS Java uses the value defined in the authentication property ume.login.auth_method to determine how the server should communicate with the client. The default value is form. You can view and edit this assignment on the Properties tab of the Authentication plug-in of SAP NetWeaver Administrator.
For more information, see Configuring Authentication Properties.
- Enter any required parameters for your authentication method.
- If you chose the BASIC authentication method in the previous step, enter an authentication realm. This string is then entered in the Realm field of the logon screen that the browser displays.
Add the following code to the file (for this example we assume that the authentication type to use is BASIC):
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>myRealm</realm-name>
</login-config>
- If you chose the FORM authentication method, you can also specify the location of the resource (HTML page, servlet, or JSP page) that provides the login page and the page that responds to a failed authentication attempt. Enter the locations of the pages.
- If you specify your own login pages, they are applied as policy configuration properties to the policy configuration of your application. After you deploy the application, view this assignment on the Components tab of the Authentication plug-in of SAP NetWeaver Administrator.
For more information, see Managing Authentication Policy for AS Java Components.
- If you do not specify your own login and error pages, the AS Java uses the corresponding pages of its own default logon application. We recommend that you use the default pages to ensure a consistent user experience across all applications and because those pages contain built-in security features.
Add the following code to the file (for this example we assume that the authentication type to use is FORM):
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/mylogin.jsp</form-login-page>
    <form-error-page>/myerror.jsp</form-error-page>
  </form-login-config>
</login-config>
- Save your entries.
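The following added example (not SAP code and not part of the original documentation) reads a web.xml and reports the policy configuration and login module that the table above associates with its auth-method, and notes the cases this procedure calls out: no auth-method (the ume.login.* defaults apply), BASIC without a realm, and FORM with own login pages. The function name review_login_config and the sample descriptor are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# auth-method -> (policy configuration, login module), from the table on this page,
# which spells the mechanism CLIENT_CERT; the web.xml value is CLIENT-CERT.
TEMPLATES = {
    "BASIC": ("basic", "BasicPasswordLoginModule"),
    "FORM": ("form", "BasicPasswordLoginModule"),
    "CLIENT-CERT": ("client_cert", "ClientCertLoginModule"),
}

def _text(root, name):
    """Text of the first element with this local name, ignoring XML namespaces."""
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == name:
            return (el.text or "").strip()
    return ""

def review_login_config(web_xml):  # hypothetical helper name
    """Return (auth_method, policy_configuration, login_module, notes) for a trusted web.xml string."""
    root = ET.fromstring(web_xml)
    method = _text(root, "auth-method")
    notes = []
    if not method:
        notes.append("no auth-method: AS Java applies ume.login.context (default "
                     "ticket) and ume.login.auth_method (default form)")
        return None, None, None, notes
    policy, module = TEMPLATES.get(method, (None, None))
    if policy is None:
        notes.append("no policy configuration listed on this page for " + method)
    if method == "BASIC" and not _text(root, "realm-name"):
        notes.append("BASIC without realm-name")
    if method == "FORM":
        custom = [p for p in ("form-login-page", "form-error-page") if _text(root, p)]
        if custom:
            notes.append("own pages replace default logon application: " + ", ".join(custom))
    return method, policy, module, notes

# Constructed sample descriptor (Servlet 2.5 namespace, FORM with own pages).
SAMPLE = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/mylogin.jsp</form-login-page>
      <form-error-page>/myerror.jsp</form-error-page>
    </form-login-config>
  </login-config>
</web-app>"""

if __name__ == "__main__":
    print(review_login_config(SAMPLE))
```

Run it against the descriptor before deployment and compare the result with the assignment shown on the Components tab of the Authentication plug-in afterwards.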