Basic Authentication (User ID and Password)

Basic authentication is the standard HTTP authentication method that allows a Web browser or another Web client to provide credentials, in the form of a user ID and password, when it makes a request to a server system.

Basic authentication is supported by the majority of Web clients and is the authentication mechanism that can be implemented with the least additional effort.

User ID and Password Authentication in SAP NetWeaver

SAP NetWeaver enables you to use several methods for user ID and password authentication:

  • basic - users provide their user IDs and passwords by entering them in a browser pop-up. The user credentials are transported in the HTTP header as a Base64-encoded string.
  • digest - an extension of basic authentication. With this mechanism, the user credentials are hashed using a message digest and sent over the network in hashed form.
  • form - users enter their authentication credentials on a pre-configured Web page. The authentication information is then transported to the server in the URL as URL parameters.

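
As an added example (not part of this SAP documentation), the following Python code builds and decodes the basic Authorization header described above, computes the hashed form that the digest variant sends instead, and includes a server-side check that accepts basic credentials only on a TLS-protected request; all user IDs, passwords and digest parameters are constructed sample values.

```python
import base64
import hashlib

# Constructed sample credentials; they belong to no real system.
USER_ID = "jdoe"
PASSWORD = "s3cret!"


def basic_authorization_header(user_id: str, password: str) -> str:
    """Build the Authorization header value a Web client sends for basic authentication."""
    token = base64.b64encode(f"{user_id}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def credentials_from_basic_header(header_value: str) -> tuple:
    """Recover user ID and password from a basic Authorization header value.

    Base64 is an encoding, not encryption: anyone who can read the header on an
    unprotected connection recovers the credentials with exactly this call, which
    is why SSL/TLS or a VPN is required underneath basic authentication.
    """
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a basic authentication header")
    # The user ID ends at the first colon; the password may itself contain colons.
    user_id, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user_id, password


def basic_header_acceptable(url_scheme: str, header_value: str) -> bool:
    """Server-side check: accept basic credentials only on a TLS-protected request."""
    return url_scheme.lower() == "https" and header_value.lower().startswith("basic ")


def digest_response(user_id, realm, password, method, uri, nonce, nc, cnonce):
    """Compute the RFC 2617 'response' field for digest authentication (qop=auth).

    Only MD5 hashes travel on the wire, so the password itself is never sent;
    the digest is tied to the server nonce, which limits replay but does not
    remove the need for transport layer security.
    """
    ha1 = hashlib.md5(f"{user_id}:{realm}:{password}".encode()).hexdigest()
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}".encode()).hexdigest()
```
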
Security Considerations

The different methods for Web-based access authentication with a user ID and password enable you to use a simple authentication mechanism that is widely supported by Web browsers.

The HTTP methods for authentication with a user ID and password, however, provide minimal protection for the authentication credentials during transport and rely on the assumption that the connection between the Web client and the server can be trusted. Therefore, to increase the security of access to SAP NetWeaver systems, you must use transport layer security mechanisms in combination with the HTTP methods for authenticating users with a user ID and password.

An additional security consideration is that when you use only HTTP methods for authentication with a user ID and password, the server system is not authenticated. This can expose the user's credentials to certain attacks, for example phishing, and thereby compromise the overall security of your systems.

Note

We recommend that you use a transport layer security mechanism, such as Secure Socket Layer (SSL) or a Virtual Private Network (VPN), when authenticating Web-based access requests with a user ID and a password.

For more information, see Network and Transport Layer Security.

In complex system landscapes, however, where users have to access a large number of systems, user ID and password authentication can increase your administrative costs for authentication management across multiple systems. In addition, users have to remember and securely store a large number of authentication credentials, which can lead to a decrease in the overall security of your SAP NetWeaver systems. The requirement to keep passwords secret can also expose your systems to social engineering attacks, in which users' passwords are guessed or deceitfully acquired.

Note

For additional security when using authentication with a user ID and password, we recommend that you configure the use of rules for password complexity and require users to change passwords regularly.

As an alternative to user ID and password authentication, you can use multi-factor authentication or another authentication mechanism, or integrate your SAP NetWeaver systems in a Single Sign-On environment.

Configuration

SAP NetWeaver Application Server (AS) Java and AS ABAP are the underlying technology platforms that SAP systems use to authenticate user access requests over HTTP with a user ID and a password. Configuring user ID and password authentication is specific to the underlying technology used by the application server platform.

For more information about configuring user ID and password authentication for Web-based access, see Using User ID and Password Authentication.