Policy Configurations and Authentication Stacks

Definition

The AS Java lets you define groups of login modules, each module contributing its own authentication logic. These groups are called login module stacks or authentication stacks.

You assign an authentication stack to the policy configuration of each application you create or of each AS Java component. In this way you can implement different combinations of authentication mechanisms for different AS Java applications.

You can use the Web-based SAP NetWeaver Administrator (NWA) to configure runtime options for the policy configurations of AS Java components.

Policy Configuration Types

You can use the filtering functions in NWA to display and configure the policy configurations for the following AS Java components:

  • Web - policy configurations of all Web application types, for example servlets, portlets, Web Dynpro, portal, and composite applications
  • Service - policy configurations of services, such as service.iiop, service.telnet, and service.naming
  • EJB - policy configuration type for migrating existing EJB applications
  • Template - policy configuration type for the standard authentication stacks, which serve as templates for standard authentication scenarios
  • Custom - policy configuration type for authentication templates that you create with the administration tools of the AS Java
  • Other - policy configuration type for applications that are not covered by the other types
Standard Authentication Stack Templates

You can use the AS Java policy configurations of type Template as authentication templates for standard authentication scenarios.

The standard authentication templates on the AS Java are listed below:

  • SAP-J2EE-Engine - the default authentication stack for the AS Java. Includes the BasicPasswordLoginModule for Basic or Form authentication.
  • Basic - supports basic authentication. By default, it includes the BasicPasswordLoginModule.
  • Client - supports client certificate authentication. By default, it includes the ClientCertLoginModule.
  • Form - supports form authentication. By default, it includes the BasicPasswordLoginModule.
  • Ticket - supports SSO with logon tickets. By default, it includes the following login modules:
    • EvaluateTicketLoginModule to evaluate logon tickets
    • BasicPasswordLoginModule for Basic or Form authentication for cases in which the user does not present a valid logon ticket
    • CreateTicketLoginModule to create a logon ticket after successful authentication with the BasicPasswordLoginModule
  • Evaluation assertion ticket - used for verifying assertion tickets (tickets used between systems). By default, it includes the EvaluateAssertionTicketLoginModule.

You can also use the NWA to extend the standard authentication templates by defining custom templates for authentication stacks. The AS Java registers such custom authentication stacks as policy configurations of type Custom, so to apply a custom policy configuration that you have created, you choose it from the Custom policy configuration type. You can use the standard authentication templates as a basis for your own templates, or to customize how authentication is used for individual AS Java components.

Login Module Flags

You can combine login modules into an authentication stack that covers several authentication mechanisms. To perform authentication, the AS Java processes the login modules in the order in which they appear in the stack, so this order determines which authentication mechanism is tried first. Following the JAAS specification, the result of each module is interpreted according to its login module flag, which you configure.

The flags that you can use for login modules in an authentication stack are described in the table below:

| Flag       | Required to succeed | Description |
|------------|---------------------|-------------|
| OPTIONAL   | No  | Authentication proceeds down the list regardless of whether the module succeeded or failed. |
| REQUIRED   | Yes | Authentication proceeds down the list regardless of whether the module succeeded or failed, so the remaining modules still run. If a REQUIRED module failed, the overall authentication fails once the whole list has been processed. |
| REQUISITE  | Yes | If the module succeeds, authentication proceeds down the list. If it fails, processing stops immediately and control returns to the application with a failed authentication. |
| SUFFICIENT | No  | If the module succeeds and no REQUIRED or REQUISITE module earlier in the stack has failed, control returns to the application with a successful authentication and the remaining modules are not called. Otherwise authentication proceeds down the list. |

Note that the overall authentication succeeds only if no REQUIRED or REQUISITE module failed and at least one module succeeded. In particular, if a stack consists only of OPTIONAL and SUFFICIENT modules, at least one of them must succeed.

Logon Policy Configuration

You can configure a logon policy for each policy configuration. A logon policy sets rules and conditions for user authentication. If you do not specify a logon policy, the system generates a default one that allows every user to log on. Logon policies are only evaluated if the UME property ume.logon.apply_logon_policies is set. For more information, see Setting a Logon Policy for a Policy Configuration.

Example

The following table shows how a login module stack is processed based on these flags. Each of the three right-hand columns is one authentication run; "*" means that the module was not called because an earlier module had already ended processing.

Login Module Stack Processing

| Module                 | Flag       | Run 1 | Run 2 | Run 3 |
|------------------------|------------|-------|-------|-------|
| Module 1               | SUFFICIENT | Pass  | Fail  | Fail  |
| Module 2               | REQUISITE  | *     | Pass  | Fail  |
| Module 3               | OPTIONAL   | *     | Pass  | *     |
| Overall authentication |            | Pass  | Pass  | Fail  |

In run 1 the SUFFICIENT module succeeds, so control returns to the application immediately. In run 2 the SUFFICIENT module fails, which is not fatal, and the REQUISITE and OPTIONAL modules both succeed. In run 3 the REQUISITE module fails, so processing stops and the OPTIONAL module is never called.
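As an added example (not SAP's code and not the AS Java implementation), the following Python model reproduces the JAAS control flow described in the flag table and replays the three runs of the table above, using the three modules of the Ticket template as stand-ins. The flags placed on the stand-in stack (SUFFICIENT, REQUISITE, OPTIONAL), the user store and the ticket values are assumptions constructed for this example; a real login module consults the UME and verifies the ticket signature rather than doing a dictionary lookup. The model also shows an edge case the table does not cover: a SUFFICIENT module that succeeds after a REQUIRED module has failed does not rescue the login.

```python
# Added example: a minimal model of the JAAS control-flow semantics that
# the AS Java applies to a login module stack. Not SAP code.
import hmac
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Flag(Enum):
    REQUIRED = "REQUIRED"
    REQUISITE = "REQUISITE"
    SUFFICIENT = "SUFFICIENT"
    OPTIONAL = "OPTIONAL"


@dataclass
class StackEntry:
    name: str
    flag: Flag
    # Stand-in for a login module's login(): True = success, False = failure.
    login: Callable[[Dict[str, str]], bool]


def run_stack(stack: List[StackEntry], creds: Dict[str, str]) -> Tuple[bool, List[Tuple[str, str]]]:
    """Process the stack top to bottom the way a JAAS LoginContext does.

    Returns (overall result, trace). The trace holds one entry per module:
    "Pass", "Fail" or "*" (not called because an earlier module ended
    processing), matching the columns of the example table.
    """
    trace: List[Tuple[str, str]] = []
    any_success = False
    required_failed = False  # a REQUIRED or REQUISITE module has failed
    for i, entry in enumerate(stack):
        ok = entry.login(creds)
        trace.append((entry.name, "Pass" if ok else "Fail"))
        skipped = [(e.name, "*") for e in stack[i + 1:]]
        if ok:
            any_success = True
            # SUFFICIENT short-circuits only if no REQUIRED/REQUISITE module
            # failed before it; otherwise processing continues and the
            # overall result is still a failure.
            if entry.flag is Flag.SUFFICIENT and not required_failed:
                return True, trace + skipped
        else:
            if entry.flag is Flag.REQUISITE:
                return False, trace + skipped  # stop immediately
            if entry.flag is Flag.REQUIRED:
                required_failed = True  # keep going, but fail at the end
    if required_failed:
        return False, trace
    # Every module ran: at least one must have succeeded.
    return any_success, trace


# Constructed stand-ins for the user store and the ticket cache (assumptions
# for this example; the real modules consult the UME and check signatures).
USERS = {"alice": "s3cret"}
VALID_TICKETS = {"ticket-abc"}


def evaluate_ticket(creds: Dict[str, str]) -> bool:
    return creds.get("ticket") in VALID_TICKETS


def basic_password(creds: Dict[str, str]) -> bool:
    pw = USERS.get(creds.get("user", ""))
    return pw is not None and hmac.compare_digest(pw, creds.get("password", ""))


def create_ticket(creds: Dict[str, str]) -> bool:
    return True  # issuing a ticket is modelled as always succeeding


# Stand-in for the Ticket template; the flags are assumed for the example.
TICKET_STACK = [
    StackEntry("EvaluateTicketLoginModule", Flag.SUFFICIENT, evaluate_ticket),
    StackEntry("BasicPasswordLoginModule", Flag.REQUISITE, basic_password),
    StackEntry("CreateTicketLoginModule", Flag.OPTIONAL, create_ticket),
]


def table_scenarios() -> Dict[str, Tuple[bool, List[Tuple[str, str]]]]:
    """The three runs of the example table, as (result, trace)."""
    return {
        "run 1: valid ticket": run_stack(TICKET_STACK, {"ticket": "ticket-abc"}),
        "run 2: no ticket, good password": run_stack(TICKET_STACK, {"user": "alice", "password": "s3cret"}),
        "run 3: no ticket, bad password": run_stack(TICKET_STACK, {"user": "alice", "password": "wrong"}),
    }


def sufficient_after_required_failure() -> Tuple[bool, List[Tuple[str, str]]]:
    """Edge case: a passing SUFFICIENT module after a failed REQUIRED one."""
    stack = [
        StackEntry("BasicPasswordLoginModule", Flag.REQUIRED, basic_password),
        StackEntry("EvaluateTicketLoginModule", Flag.SUFFICIENT, evaluate_ticket),
    ]
    return run_stack(stack, {"user": "alice", "password": "wrong", "ticket": "ticket-abc"})


if __name__ == "__main__":
    for name, (ok, trace) in table_scenarios().items():
        print(f"{name}: {'Pass' if ok else 'Fail'} {trace}")
    print("sufficient after required failure:", sufficient_after_required_failure())
```

The practical consequence of the edge case is that placing a REQUIRED password module above a SUFFICIENT ticket module forces every user through the password check even when they hold a valid ticket, whereas the Ticket template's order (SUFFICIENT ticket module first) lets ticket holders skip it.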