The AS Java enables you to use JAAS login modules to authenticate user access requests. The JAAS login modules represent the basic building blocks for the authentication mechanisms that you configure for access to applications and components running on the AS Java.
The AS Java provides a number of predefined login modules that contain authentication logic to enable the application of different security policies for authenticating server access. In addition, you can create your own login modules to implement custom authentication logic. For more information, see Developing Authentication Enhancements.
You can combine the standard and custom login modules in login module stacks. Such login module stacks can be assigned to the policy configurations of various applications on the AS Java to determine the authentication mechanisms to use.
For an overview of the standard login modules that are delivered with the AS Java, see the following sections.
The login modules in the table below support the available methods for logon with user ID and password.
For more information about configuring the use of these login modules, see Using User ID and Password for AS Java Logon.
| Login Module Name | Description |
| --- | --- |
| BasicPasswordLoginModule | Performs logon for Basic or Form authentication. You can use this login module to perform authentication with user ID and password. |
| DigestLoginModule | You can use this login module for user authentication for applications that define the Digest authentication method in their deployment descriptors. Digest authentication is a more advanced form of the Basic authentication type. Here the user's password is hashed to protect its integrity and confidentiality during its transport and storage. |
The login modules in the table below support SSO with logon tickets.
For more information about configuring the use of these login modules, see Using Logon Tickets with AS Java.
| Login Module Name | Description |
| --- | --- |
| EvaluateTicketLoginModule | Login module to evaluate logon tickets used for SSO. |
| CreateTicketLoginModule | Login module to create logon tickets after successful user logon. |
The login modules in the table below support authentication with client certificates.
For more information about configuring the use of these login modules, see Using X.509 Client Certificates with AS Java.
| Login Module Name | Description |
| --- | --- |
| ClientCertLoginModule | You use this login module for user authentication with client certificates. |
| CertPersisterLoginModule | Performs automatic certificate mapping on first user logon. You use this login module in authentication stacks with the ClientCertLoginModule. |
The login module in the table below supports SAML authentication.
For more information about configuring the use of this login module, see Configuring AS Java as a SAML Destination Site.
| Login Module Name | Description |
| --- | --- |
| SAMLLoginModule | Performs user authentication using the SAML Browser/Artifact profile. |
The login modules in the table below support Kerberos authentication with the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO).
For more information about configuring the use of these login modules, see Using Kerberos Authentication.
| Login Module Name | Description |
| --- | --- |
| SPNegoLoginModule | Used for Kerberos authentication with SPNego. This login module implements the Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO) on the AS Java. SPNEGO is a standard Generic Security Services Application Program Interface (GSS-API) pseudo-mechanism. It is used to determine which GSS-API mechanisms are shared, select one, and then establish a security context for communication with it. |
| Krb5LoginModule | This login module is invoked to obtain the AS Java credentials from the Kerberos keytab file. The Krb5LoginModule succeeds only if the attempt to log in to the Kerberos KDC as a specified entity is successful. Therefore, the Krb5LoginModule is a required login module for Kerberos authentication. |
| MappingModule | The MappingModule is used to retrieve the service user for the AS Java on the Kerberos KDC. |
The login module in the table below supports authentication with header variables.
For more information about configuring the use of this login module, see Using Header Variables.
| Login Module Name | Description |
| --- | --- |
| HeaderVariableLoginModule | Login module for SSO using header variables. |
The login modules in the table below support the available methods for SSO with assertion tickets.
For more information about configuring the use of these login modules, see Single Sign-On for Resource Adapters and JCA.
| Login Module Name | Description |
| --- | --- |
| EvaluateAssertionTicketLoginModule | Login module used to evaluate Authentication Assertion Tickets used for SSO. |
| CreateAssertionTicketLoginModule | Login module to create Authentication Assertion Tickets after successful logon. |
In addition, the Java Connector Architecture for the AS Java can use the following login modules.
For more information, see Single Sign-On for Resource Adapters and JCA.
| Login Module Name | Description |
| --- | --- |
| CallerImpersonationMapping | Used when the credentials of the caller principal are directly passed to the Enterprise Information System (EIS) and used for authentication of the resource principal. |
| ConfiguredIdentityMapping | Used when all caller principals obtain a connection to the EIS using the same preconfigured identity. You have to specify either a user store that contains the identity, or a user name and a password for the configured identity. |
| CredentialsMappingLoginModule | Used when the credentials of the caller principal are replaced by the credentials that are used for authentication to the EIS; in this case, you have to specify a user store where the EIS credentials are stored. |
| PrincipalMappingLoginModule | Used when particular caller principals are mapped to an EIS principal. Only authorized caller principals can obtain a connection using a specific identity. You can either specify the user store where this identity is stored, or enter the name and the password of the resource principal. |
| CSILoginModule | Login module for the IIOP service. |
| SecuritySessionLoginModule | Login module used by download.ear. It uses the tickets that are generated by the Security Provider service on the engine. |