Login Modules

Use

The AS Java enables you to use JAAS login modules to authenticate user access requests. The JAAS login modules represent the basic building blocks for the authentication mechanisms that you configure for access to applications and components running on the AS Java.

Integration

The AS Java provides a number of predefined login modules that contain authentication logic to enable the application of different security policies for authenticating server access. In addition, you can create your own login modules to implement custom authentication logic. For more information, see Developing Authentication Enhancements.

You can combine the standard and custom login modules in login module stacks. Such login module stacks can be assigned to the policy configurations of various applications on the AS Java to determine the authentication mechanisms to use.
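
How the order and control flags of a stack decide the overall logon result, as an added example that is not SAP code: it applies the standard JAAS control-flag rules (REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL) to a stack built from module names on this page. The flag assignment and the per-module outcomes are assumptions constructed for illustration, and the code needs Java 17 or later.

```java
import java.util.List;
import java.util.Map;

public class LoginStackDemo {
    // Standard JAAS control flags (javax.security.auth.login.AppConfigurationEntry).
    enum Flag { REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL }

    record Entry(String module, Flag flag) {}

    // Assumed flag assignment for illustration; not taken from this page.
    static final List<Entry> STACK = List.of(
        new Entry("EvaluateTicketLoginModule", Flag.SUFFICIENT),
        new Entry("BasicPasswordLoginModule", Flag.REQUISITE),
        new Entry("CreateTicketLoginModule", Flag.OPTIONAL));

    // Simplification: each module either succeeds (true) or fails (false).
    static boolean evaluate(List<Entry> stack, Map<String, Boolean> outcome) {
        boolean mandatoryFailed = false; // a REQUIRED module failed earlier
        boolean anySucceeded = false;
        for (Entry e : stack) {
            boolean ok = outcome.getOrDefault(e.module(), false);
            anySucceeded |= ok;
            switch (e.flag()) {
                case REQUIRED -> mandatoryFailed |= !ok;          // keep going either way
                case REQUISITE -> { if (!ok) return false; }      // failure stops the stack
                case SUFFICIENT -> { if (ok && !mandatoryFailed) return true; } // success stops it
                case OPTIONAL -> { }                              // never decides alone
            }
        }
        return !mandatoryFailed && anySucceeded;
    }

    public static void main(String[] args) {
        // Constructed outcomes: which modules would succeed for each request.
        Map<String, Boolean> validTicket = Map.of("EvaluateTicketLoginModule", true);
        Map<String, Boolean> goodPassword = Map.of(
            "BasicPasswordLoginModule", true, "CreateTicketLoginModule", true);
        Map<String, Boolean> badPassword = Map.of("CreateTicketLoginModule", true);

        System.out.println("valid ticket:  " + evaluate(STACK, validTicket));
        System.out.println("good password: " + evaluate(STACK, goodPassword));
        System.out.println("bad password:  " + evaluate(STACK, badPassword));
    }
}
```

In the bad-password case the stack returns at the failed REQUISITE entry, so the later ticket-creating entry is never evaluated.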

Standard AS Java Login Modules

For an overview of the standard login modules that are delivered with the AS Java, see the following sections.

Login Modules for User ID and Password Logon

The login modules in the table below support the available methods for logon with user ID and password.

For more information about configuring the use of these login modules, see Using User ID and Password for AS Java Logon.

| Login Module Name | Description |
| --- | --- |
| BasicPasswordLoginModule | Performs logon for Basic or Form authentication. You can use this login module to perform authentication with user ID and password. |
| DigestLoginModule | You can use this login module for user authentication for applications that define the Digest authentication method in their deployment descriptors. Digest authentication is a more advanced form of the Basic authentication type. Here the user’s password is hashed to protect its integrity and confidentiality during its transport and storage. |

Login Modules for Logon Tickets

The login modules in the table below support SSO with logon tickets.

For more information about configuring the use of these login modules, see Using Logon Tickets with AS Java.

| Login Module Name | Description |
| --- | --- |
| EvaluateTicketLoginModule | Login module to evaluate logon tickets used for SSO. |
| CreateTicketLoginModule | Login module to create logon tickets after successful user logon. |

Login Modules for Client Certificates

The login modules in the table below support authentication with client certificates.

For more information about configuring the use of these login modules, see Using X.509 Client Certificates with AS Java.

| Login Module Name | Description |
| --- | --- |
| ClientCertLoginModule | You use this login module for user authentication with client certificates. |
| CertPersisterLoginModule | Performs automatic certificate mapping on first user logon. You use this login module in authentication stacks with the ClientCertLoginModule. |

Login Modules for SAML

The login module in the table below supports SAML authentication.

For more information about configuring the use of this login module, see Configuring AS Java as a SAML Destination Site.

| Login Module Name | Description |
| --- | --- |
| SAMLLoginModule | Performs user authentication using the SAML Browser/Artifact profile. |

Login Modules for Kerberos

The login modules in the table below support Kerberos authentication with the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO).

For more information about configuring the use of these login modules, see Using Kerberos Authentication.

| Login Module Name | Description |
| --- | --- |
| SPNegoLoginModule | Used for Kerberos authentication with SPNEGO. This login module implements the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) on the AS Java. SPNEGO is a standard Generic Security Services Application Program Interface (GSS-API) pseudo-mechanism. It is used to determine which GSS-API mechanisms are shared, select one, and then establish a security context for communication with it. |
| Krb5LoginModule | The login module is invoked to obtain the AS Java credentials from the Kerberos keytab file. The Krb5LoginModule succeeds only if the attempt to log in to the Kerberos KDC as a specified entity is successful. Therefore, the Krb5LoginModule is a required login module for Kerberos authentication. |
| MappingModule | The MappingModule is used to retrieve the service user for the AS Java on the Kerberos KDC. |

Login Modules for Header Variables

The login module in the table below supports authentication with header variables.

For more information about configuring the use of this login module, see Using Header Variables.

| Login Module Name | Description |
| --- | --- |
| HeaderVariableLoginModule | Login module for SSO using header variables. |

Login Modules for Resource Adapters

The login modules in the table below support the available methods for SSO with assertion tickets.

For more information about configuring the use of these login modules, see Single Sign-On for Resource Adapters and JCA.

| Login Module Name | Description |
| --- | --- |
| EvaluateAssertionTicketLoginModule | Login module to evaluate Authentication Assertion Tickets used for SSO. |
| CreateAssertionTicketLoginModule | Login module to create Authentication Assertion Tickets after successful logon. |

In addition, the Java Connector Architecture for the AS Java can use the following login modules.

For more information, see Single Sign-On for Resource Adapters and JCA.

| Login Module Name | Description |
| --- | --- |
| CallerImpersonationMappingLoginModule | Used when the credentials of the caller principal are directly passed to the Enterprise Information System (EIS) and used for authentication of the resource principal. |
| ConfiguredIdentityMappingLoginModule | Used when all caller principals obtain a connection to the EIS using the same preconfigured identity. You have to specify either a user store that contains the identity, or a user name and a password for the configured identity. |
| CredentialsMappingLoginModule | Used when the credentials of the caller principal are replaced by the credentials that are used for authentication to the EIS; in this case, you have to specify a user store where the EIS credentials are stored. |
| PrincipalMappingLoginModule | Used when particular caller principals are mapped to an EIS principal. Only authorized caller principals can obtain a connection using a specific identity. You can either specify the user store where this identity is stored, or enter the name and the password of the resource principal. |

Other Login Modules

| Login Module Name | Description |
| --- | --- |
| CSILoginModule | Login module for the IIOP service. |
| SecuritySessionLoginModule | Login module used by download.ear. It uses the tickets that are generated by the Security Provider service on the engine. |
