To specify the authentication type, you modify the web.xml file in SAP NetWeaver Developer Studio.
After you specify the authentication method, only users who have authenticated successfully on the AS Java can access the application.
There are four types of authentication available: BASIC, FORM, CLIENT-CERT and DIGEST.
For more information about the different methods, see the Java™ Servlet 2.5 Specification at http://java.sun.com.
Add the following code to the file (for this example we assume that the authentication type to use is CLIENT-CERT):
```xml
<login-config>
    <auth-method>CLIENT-CERT</auth-method>
</login-config>
```
The authentication method specifies the following:
The authentication mechanism used to protect the application
In SAP NetWeaver, the authentication mechanisms are implemented as policy configurations of type template. These policy configurations contain an authentication stack with one login module.
| Authentication Mechanism | Required Credentials | Policy Configuration | Login Module |
|---|---|---|---|
| BASIC | User ID and password | basic | BasicPasswordLoginModule |
| FORM | User ID and password | form | BasicPasswordLoginModule |
| CLIENT_CERT | Client certificate | client_cert | ClientCertLoginModule |
The AS Java assigns the corresponding template when the application is deployed. View this assignment on the Components tab of the Authentication plug-in of SAP NetWeaver Administrator.
For more information, see Managing Authentication Policy for AS Java Components.
If you do not specify an authentication method in the web.xml, the AS Java assigns the authentication stack template defined in the authentication property ume.login.context. The default value is ticket. You can view and edit this assignment on the Properties tab of the Authentication plug-in of SAP NetWeaver Administrator.
For more information, see Configuring Authentication Properties.
The way the server communicates with the client to request the required credentials, as required by the servlet specification.
BASIC: The server returns an Authorization header and the browser displays a popup with fields for user ID and password.
FORM: The server directs the client to a login page.
During deployment, the AS Java writes this information to the authentication property auth_method of the policy configuration. View this assignment on the Components tab of the Authentication plug-in of SAP NetWeaver Administrator.
For more information, see Managing Authentication Policy for AS Java Components.
If you do not specify an authentication method in the web.xml, the AS Java uses the value defined in the authentication property ume.login.auth_method to determine how the server should communicate with the client. The default value is form. You can view and edit this assignment on the Properties tab of the Authentication plug-in of SAP NetWeaver Administrator.
For more information, see Configuring Authentication Properties.
If you chose the BASIC authentication method in the previous step, enter an authentication realm. This string is then entered in the Realm field of the logon screen that the browser displays.
Add the following code to the file (for this example we assume that the authentication type to use is BASIC):
```xml
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>myRealm</realm-name>
</login-config>
```
If you chose the FORM authentication method, you can also specify the location of the resource (HTML page, servlet, or JSP page) that provides the login page and the page that responds to a failed authentication attempt. Enter the locations of the pages.
If you specify your own login pages, they are applied as policy configuration properties to the policy configuration of your application. After you deploy the application, view this assignment on the Components tab of the Authentication plug-in of SAP NetWeaver Administrator.
For more information, see Managing Authentication Policy for AS Java Components.
If you do not specify your own login and error pages, the AS Java uses the corresponding pages of its own default logon application. We recommend that you use the default pages to ensure a consistent user experience across all applications and because those pages contain built-in security features.
Add the following code to the file (for this example we assume that the authentication type to use is FORM):
```xml
<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <form-login-page>/mylogin.jsp</form-login-page>
        <form-error-page>/myerror.jsp</form-error-page>
    </form-login-config>
</login-config>
```
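The following Python check is an added example, not part of the SAP documentation. It reads a web.xml and reports the declared authentication method, the policy configuration the table above maps it to, and the cases this page calls out: a missing auth-method, BASIC without a realm, and FORM with custom login pages. The names `audit_login_config`, `TEMPLATES` and `SAMPLE` are assumptions made for illustration, and the sample descriptor is constructed.

```python
import xml.etree.ElementTree as ET

# auth-method -> (policy configuration, login module), from the table on this page
TEMPLATES = {
    "BASIC": ("basic", "BasicPasswordLoginModule"),
    "FORM": ("form", "BasicPasswordLoginModule"),
    "CLIENT-CERT": ("client_cert", "ClientCertLoginModule"),
}

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop a "{namespace}" prefix

def _text(parent, name):
    """Stripped text of the first element called `name` under parent, else None."""
    for el in parent.iter():
        if _local(el.tag) == name and el.text and el.text.strip():
            return el.text.strip()

def audit_login_config(web_xml):
    """Return (auth_method, policy_configuration, findings) for a web.xml string."""
    root = ET.fromstring(web_xml)  # run on descriptors from your own build only
    login = next((e for e in root.iter() if _local(e.tag) == "login-config"), None)
    method = _text(login, "auth-method") if login is not None else None
    if method is None:
        return None, None, ["no auth-method: ume.login.context (default ticket) and "
                            "ume.login.auth_method (default form) apply"]
    method = method.upper().replace("_", "-")  # the table writes CLIENT_CERT
    template = TEMPLATES.get(method, (None, None))[0]
    findings = []
    if template is None:
        findings.append(f"{method}: no policy configuration listed in the table")
    if method == "BASIC" and not _text(login, "realm-name"):
        findings.append("BASIC without realm-name")
    if method == "FORM":
        for page in ("form-login-page", "form-error-page"):
            custom = _text(login, page)
            if custom:
                findings.append(f"custom {page} {custom}: default logon pages not used")
    return method, template, findings

# Constructed sample descriptor, not taken from a real application
SAMPLE = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <login-config><auth-method>FORM</auth-method><form-login-config>
    <form-login-page>/mylogin.jsp</form-login-page>
    <form-error-page>/myerror.jsp</form-error-page>
  </form-login-config></login-config></web-app>"""

if __name__ == "__main__":
    print(audit_login_config(SAMPLE))
```

The policy configuration and property values actually assigned after deployment are the ones shown in the Authentication plug-in of SAP NetWeaver Administrator; this check only inspects the descriptor.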