Login Modules

Use

The SAP NetWeaver Application Server (AS) Java enables you to use Java Authentication and Authorization Service (JAAS) login modules to authenticate user access requests. The JAAS login modules represent the basic building blocks for the authentication mechanisms that you configure for access to applications and components running on the AS Java.

Integration

The AS Java provides a number of predefined login modules. You can create your own login modules to implement custom authentication logic.

For more information, see Developing Authentication Enhancements on the AS Java.

You can combine the standard and custom login modules in login module stacks. To configure the authentication mechanisms of your applications, assign login module stacks to their policy configurations.

Standard AS Java Login Modules

The following tables provide an overview of the standard login modules delivered with the AS Java.

Login Modules for User ID and Password Logon

The login module in the table below supports the available methods for logon with user ID and password.

For more information about configuring the use of this login module, see Using User ID and Password for AS Java Logon.

| Login Module Name | Description |
| --- | --- |
| BasicPasswordLoginModule | Performs logon for Basic or Form authentication. You can use this login module to perform authentication with user ID and password. |

Login Modules for Logon Tickets

The login modules in the table below support Single Sign-On (SSO) with logon tickets.

For more information about configuring the use of these login modules, see Using Logon Tickets with AS Java.

| Login Module Name | Description |
| --- | --- |
| EvaluateTicketLoginModule | Login module to evaluate logon tickets used for SSO. |
| CreateTicketLoginModule | Login module to create logon tickets after successful user logon. |

Login Modules for Client Certificates

The login modules in the table below support authentication with client certificates.

For more information about configuring the use of these login modules, see Using X.509 Client Certificates with AS Java.

| Login Module Name | Description |
| --- | --- |
| ClientCertLoginModule | You use this login module for user authentication with client certificates. |
| CertPersisterLoginModule | Performs automatic certificate mapping on first user logon. You use this login module in authentication stacks with the ClientCertLoginModule. |

Login Modules for SAML 1.x

The login module in the table below supports SAML 1.x authentication.

For more information about configuring the use of this login module, see Configuring AS Java as a SAML Destination Site.

| Login Module Name | Description |
| --- | --- |
| SAMLLoginModule | Performs user authentication using the SAML assertions. |

Login Modules for SAML 2.0

The login module in the table below supports SAML 2 authentication.

For more information about configuring the use of this login module, see Configuring AS Java as a Service Provider.

| Login Module Name | Description |
| --- | --- |
| SAML2LoginModule | Performs user authentication using the SAML assertions. |

Login Modules for Kerberos

The login modules in the table below support Kerberos authentication with the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO).

For more information about configuring the use of these login modules, see Using Kerberos Authentication.

| Login Module Name | Description |
| --- | --- |
| SPNegoLoginModule | Used for Kerberos authentication with SPNego. This login module implements the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) on the AS Java. SPNEGO is a standard Generic Security Services Application Program Interface (GSS-API) pseudo-mechanism. It is used to determine which GSS-API mechanisms are shared, select one and then establish a security context for communication with it. |
| Krb5LoginModule | The login module is invoked to obtain the AS Java credentials from the Kerberos keytab file. The Krb5LoginModule succeeds only if the attempt to log on to the Kerberos KDC as a specified entity is successful. Therefore, the Krb5LoginModule is a required login module for Kerberos authentication. |
| MappingModule | The MappingModule is used to retrieve the service user for the AS Java on the Kerberos KDC. |

Login Modules for Header Variables

The login module in the table below supports authentication with header variables.

For more information about configuring the use of this login module, see Using Header Variables.

| Login Module Name | Description |
| --- | --- |
| HeaderVariableLoginModule | Login module for SSO using header variables. |

Login Modules for Resource Adapters

The login modules in the table below support the available methods for SSO with assertion tickets.

For more information about configuring the use of these login modules, see Single Sign-On for Resource Adapters and JCA.

| Login Module Name | Description |
| --- | --- |
| EvaluateAssertionTicketLoginModule | Login module used to evaluate Authentication Assertion Tickets used for SSO. |
| CreateAssertionTicketLoginModule | Login module to create Authentication Assertion Tickets after successful logon. |

In addition, the Java Connector Architecture for the AS Java can use the following login modules.

| Login Module Name | Description |
| --- | --- |
| CallerImpersonationMappingLoginModule | Used when the credentials of the caller principal are directly passed to the Enterprise Information System (EIS) and used for authentication of the resource principal. |
| ConfiguredIdentityMappingLoginModule | Used when all caller principals obtain a connection to the EIS using the same preconfigured identity. You have to specify either a user store that contains the identity, or a user name and a password for the configured identity. |
| CredentialsMappingLoginModule | Used when the credentials of the caller principal are replaced by the credentials that are used for authentication to the EIS; in this case, you have to specify a user store where the EIS credentials are stored. |
| PrincipalMappingLoginModule | Used when particular caller principals are mapped to an EIS principal. Only authorized caller principals can obtain a connection using a specific identity. You can either specify the user store where this identity is stored, or enter the name and the password of the resource principal. |

Other Login Modules

| Login Module Name | Description |
| --- | --- |
| CSILoginModule | Login module for the IIOP service. |
| SecuritySessionLoginModule | Login module used by download.ear. It uses the tickets that are generated by the Security Provider service on the engine. |