Editing the Authentication Policy of SAP NetWeaver AS for Java Components

The authentication management functions of SAP NetWeaver Administrator enable you to determine what kind of authentication is required for users to access a component.


You can create custom policy configuration templates and apply them to components. You can modify the policy configurations of components directly. These policy configurations determine what login modules are in the authentication stack and any configurations that apply to that stack.

When you change the configuration options for login modules in the authentication stack of a policy configuration, the login module options apply only to the component policy configuration where the login module is used. To apply a global change, modify the login module itself.

For more information, see Managing Login Modules.

The authscheme and authscheme reference policy configuration types are only useful if you have the SAP Portal available. For more information, see Portal Authentication Infrastructure in the portal documentation.


  1. Start SAP NetWeaver Administrator with the quick link /nwa/auth.
  2. Choose Configuration Management > Authentication and Single Sign-On > Authentication > Components.
  3. Select a policy configuration.
  4. If you want to apply a logon policy to the policy configuration, select the logon policy.

    To enable the use of logon policies, set the property ume.logon.apply_logon_policies.

    For more information, see Setting a Logon Policy for a Policy Configuration.

  5. On the Authentication Stack tab, choose the Edit pushbutton.
  6. Determine whether you want to use an existing template, or to change the policy configuration of the current component.
    • To use an existing template, select a template from the Used Template field.

      For authscheme references, select a template from Used Authscheme.

      The component uses the settings and authentication stack from the template. To edit these settings, edit the settings of the policy configuration template. To create a new template, see Creating Authentication Stack Templates for Policy Configurations.

    • To change the policy configuration of the current component, proceed as follows:

      1. Add and remove login modules as required.

        The system applies the login modules in the order they appear in the list.

      2. Set a processing flag for each login module.

        For more information about login module flags, see Policy Configurations and Authentication Stacks.

      3. Add options to and/or remove options from the login modules.

      4. Set the authentication stack parameters in accordance with the type of policy configuration.

        The following table lists the parameters available for the different types of policy configurations.


        Policy Configuration Types


        Front-end Target

        • Authscheme

        • Authscheme Reference

        Defines which iView the system launches when a user's session does not satisfy the authentication scheme.

        Policy Domain


        A user that accesses a Web application in a policy domain can access another Web application in the same policy domain without reauthenticating.

        For more information, see Single Sign-on for Web Applications.


        • Authscheme

        • Authscheme Reference

        A user that accesses an iView with one authentication scheme can access an iView with a lower priority authscheme without reauthenticating.

        Session Fixation Protection

        • Custom

        • Template

        • Web

        Determines how the component handles parallel HTTP requests. By default, the Common Session Management applies a strict policy, allowing access to resources only when the authentication types are identical and within the grace period. By default, the grace period is 2 seconds.


        Use this property with caution.

        For more information, see Parallel HTTP Requests and Session Fixation Protection.

        • To allow parallel requests with different authentication types within the grace period, choose Grace Period.

        • Otherwise, choose Strict.

  7. Save your entries.
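
The effect of list order and processing flags on an authentication stack, modelled as an added example (not SAP code and not part of the original page). It assumes the four standard JAAS control flags (REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL), which this page does not list; the module names and outcomes are constructed.

```python
# Added example: a model of JAAS-style stack evaluation, not SAP code.
REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL = "REQUIRED", "REQUISITE", "SUFFICIENT", "OPTIONAL"


def evaluate_stack(stack, outcomes):
    """Walk the stack top to bottom, in the order the modules are listed.

    stack    -- list of (module_name, flag) tuples
    outcomes -- dict module_name -> True/False (did the module accept the user?)
    Returns (authenticated, modules_run).
    """
    ran, required_failed, any_success = [], False, False
    for name, flag in stack:
        ok = outcomes.get(name, False)
        ran.append(name)
        if ok:
            # A successful SUFFICIENT module ends processing at once,
            # unless a REQUIRED module above it has already failed.
            if flag == SUFFICIENT and not required_failed:
                return True, ran
            any_success = True
        elif flag == REQUISITE:
            return False, ran          # failure stops the stack immediately
        elif flag == REQUIRED:
            required_failed = True     # remembered; remaining modules still run
    return (any_success and not required_failed), ran


def skippable_mandatory(stack):
    """Review check: REQUIRED/REQUISITE modules listed below a SUFFICIENT one
    never run when that SUFFICIENT module succeeds."""
    seen_sufficient, flagged = False, []
    for name, flag in stack:
        if flag == SUFFICIENT:
            seen_sufficient = True
        elif flag in (REQUIRED, REQUISITE) and seen_sufficient:
            flagged.append(name)
    return flagged


# Constructed stacks with hypothetical module names: same modules, different order.
STACK_A = [("TicketCheck", SUFFICIENT), ("PasswordCheck", REQUISITE), ("SecondFactor", REQUIRED)]
STACK_B = [("SecondFactor", REQUIRED), ("TicketCheck", SUFFICIENT), ("PasswordCheck", REQUISITE)]
TICKET_ONLY = {"TicketCheck": True, "PasswordCheck": False, "SecondFactor": False}

if __name__ == "__main__":
    for label, stack in (("A", STACK_A), ("B", STACK_B)):
        print(label, evaluate_stack(stack, TICKET_ONLY), skippable_mandatory(stack))
```

With the same user outcome, stack A authenticates after running only the first module, while stack B rejects the logon because the REQUIRED module sits above the SUFFICIENT one.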