Specifying Authentication Mechanisms for Java Applications

Prerequisites

Each of the login modules you use must be registered on the AS Java. For more information, see Managing Login Modules.

Context

The authentication mechanism used for an application is determined by the login modules protecting it. Each application that is deployed on the AS Java can have different login modules protecting it. By combining different login modules, you can achieve different authentication logic for each of your applications, which makes the authentication process more flexible.

To apply the authentication mechanism to your application, you must also specify which policy domains on the AS Java use this authentication, for example, either the root domain for the application or a set of subdomains.

Procedure

  1. Open the web-j2ee-engine.xml deployment descriptor file.
  2. Enter the login module information and the domain name to protect.
    • Configure an application-specific login module stack to use for user authentication. To do this, enter the name of the login module.

      Enter a priority flag for the module. The possible values are OPTIONAL, REQUIRED, REQUISITE, and SUFFICIENT.

      For more information about the semantics of those values, see Managing Authentication Policy.

      If you configure a custom login module stack here, then this setting overrides the corresponding settings (if any) for the authentication stack from web.xml and the global authentication property ume.login_context. After you deploy the application, view this assignment on the Components tab of the Authentication plug-in of SAP NetWeaver Administrator.

      For more information, see Managing Authentication Policy for AS Java Components.

    • Specify application-specific password change pages. To do this, you must provide the resources that provide the pages that display the password change form.

      • If you specify your own password change pages, then they are applied as policy configuration properties to the policy configuration of your application. After you deploy the application, view this assignment on the Components tab of the Authentication plug-in of SAP NetWeaver Administrator.

        For more information, see Managing Authentication Policy for AS Java Components.

      • If you do not specify your own password change pages, the AS Java uses the corresponding pages of its own default logon application. We recommend that you use the default pages to ensure a consistent user experience across all applications and because those pages contain built-in security features.

        For more information about password change behavior on the AS Java, see Changing the User Password.

    • Enter a security policy domain to which the application is associated. This configuration affects the application's SSO behavior.

      For more information about the single sign-on environment on the AS Java, see Single Sign-on for Web Applications.

    For the following example we assume that the login module to use is a custom login module that authenticates a user with a user name and password. The login module has one option, which determines the user name prefix. Only users whose user name starts with the specified prefix can access the application. The authentication protects a domain called /MyApplicationDomain:

        <login-module-configuration>

            <login-module-stack>
            <!-- Contains all login modules used for authentication -->

                <login-module>
                <!-- Contains information about one login module -->

                    <login-module-name>com.sap.example.authentication.MyLoginModule</login-module-name>

                    <flag>SUFFICIENT</flag>

                    <options>

                        <option>
                            <!-- The option UserNamePrefix determines that the user name must start with "Admin" -->
                            <name>UserNamePrefix</name>
                            <value>Admin</value>
                        </option>

                    </options>

                </login-module>

            </login-module-stack>

            <password-change-config>
                <login-page>/mylogin.jsp</login-page>
                <error-page>/myerror.jsp</error-page>
            </password-change-config>

            <security-policy-domain>/MyApplicationDomain</security-policy-domain>
            <!-- In this example the domain to protect is called /MyApplicationDomain -->

        </login-module-configuration>
                   
  3. Save your entries.
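
The following added example (not part of the original documentation) reads a login-module-configuration fragment like the one above before deployment, reports invalid flags, custom password change pages and a missing policy domain, and evaluates whether the stack as a whole authenticates for a given set of passing modules. It assumes standard JAAS flag semantics and a descriptor without XML namespaces; parse_stack and stack_outcome are hypothetical helper names.

```python
import xml.etree.ElementTree as ET

VALID_FLAGS = {"OPTIONAL", "REQUIRED", "REQUISITE", "SUFFICIENT"}

# Constructed sample: the fragment from the example above, compacted.
SAMPLE = """<login-module-configuration>
  <login-module-stack><login-module>
    <login-module-name>com.sap.example.authentication.MyLoginModule</login-module-name>
    <flag>SUFFICIENT</flag>
    <options><option><name>UserNamePrefix</name><value>Admin</value></option></options>
  </login-module></login-module-stack>
  <password-change-config>
    <login-page>/mylogin.jsp</login-page><error-page>/myerror.jsp</error-page>
  </password-change-config>
  <security-policy-domain>/MyApplicationDomain</security-policy-domain>
</login-module-configuration>"""

def parse_stack(xml_text):
    """Return ([(module_name, flag), ...], findings) for a descriptor fragment."""
    root = ET.fromstring(xml_text)
    stack, findings = [], []
    for mod in root.iter("login-module"):
        name = (mod.findtext("login-module-name") or "").strip()
        flag = (mod.findtext("flag") or "").strip().upper()
        if flag not in VALID_FLAGS:
            findings.append(f"{name}: invalid flag {flag!r}")
        stack.append((name, flag))
    if not stack:
        findings.append("no login modules configured")
    if root.find(".//password-change-config") is not None:
        findings.append("custom password change pages configured; default logon pages not used")
    if not (root.findtext(".//security-policy-domain") or "").strip():
        findings.append("no security-policy-domain set")
    return stack, findings

def stack_outcome(stack, succeeded):
    """Apply JAAS flag semantics; `succeeded` is the set of module names whose login passes."""
    mandatory_ok, any_mandatory, any_pass = True, False, False
    for name, flag in stack:
        ok = name in succeeded
        any_pass = any_pass or ok
        if flag in ("REQUIRED", "REQUISITE"):
            any_mandatory = True
            mandatory_ok = mandatory_ok and ok
            if flag == "REQUISITE" and not ok:
                return False  # a failed REQUISITE module stops the stack at once
        elif flag == "SUFFICIENT" and ok and mandatory_ok:
            return True  # a passing SUFFICIENT module skips the rest of the stack
    return mandatory_ok if any_mandatory else any_pass
```

With the sample stack, the single SUFFICIENT module is the only path to authentication, so the stack fails whenever that module fails.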