
Policy Configurations and Authentication Stacks

Definition

The AS Java enables you to define the use of groups of login modules that contain different authentication logic. Such groups are referred to as login module stacks or authentication stacks.

You assign the authentication stacks to the policy configurations of the applications you create or the AS Java components. Thereby, you can implement different combinations of authentication mechanisms for the AS Java applications.

You can use the Web-based SAP NetWeaver Administrator to configure runtime options for the policy configurations of AS Java components.

Policy Configuration Types

You can use the filtering functions in NWA to display and configure the policy configurations for the following AS Java components:

·        Web – policy configurations of all Web application types, for example servlets, portlets, Web Dynpro, and composite applications.

·        Service - policy configurations of services, such as service.iiop, service.telnet and service.naming.

·        EJB - policy configuration type for the migration of existing EJB applications.

·        Template – policy configuration type for standard authentication stacks to use as templates for standard authentication scenarios.

·        Custom - policy configuration type for authentication templates created with the administration tools for the AS Java.

·        Other - policy configuration type for applications that are not covered by the other types.

Standard Authentication Stack Templates

You can use the AS Java policy configurations of type Template as authentication templates for standard authentication scenarios.

The standard authentication templates on the AS Java are as shown below:

·        SAP-J2EE-Engine – the default authentication stack for the AS Java. Includes the BasicPasswordLoginModule for Basic or Form authentication.

·        Basic – supports basic authentication. By default, includes the BasicPasswordLoginModule.

·        Client – supports client certificate authentication. By default, includes the ClientCertLoginModule.

·        Digest – supports Digest authentication. By default, includes the DigestLoginModule.

·        Form – supports form authentication. By default, includes the BasicPasswordLoginModule.

·        Ticket – supports SSO with logon tickets. By default, includes the following login modules:

              ·        EvaluateTicketLoginModule to evaluate logon tickets.

              ·        BasicPasswordLoginModule for Basic or Form authentication for the case when the authenticated user does not have a valid logon ticket.

              ·        CreateTicketLoginModule to create a logon ticket on successful authentication with the BasicPasswordLoginModule.

·        Evaluation assertion ticket – used for verifying assertion tickets (tickets used between systems). By default includes the EvaluateAssertionTicketLoginModule.

You can also use the NWA to extend the standard authentication templates by defining custom templates for authentication stacks. The AS Java registers such custom authentication stacks in policy configurations of type Custom. Therefore, to apply a custom policy configuration that you create, you can choose it from the Custom policy configuration types. You can use the standard authentication templates as a basis to develop your own templates or to customize the use of authentication for AS Java components.

Login Module Flags

You can combine login modules to create authentication stacks that combine the authentication logic for several authentication mechanisms. To perform authentication, the complete set of login modules is processed according to their place in the authentication stack. The order in which these login modules are called during the authentication process corresponds to the order in which a client can be authenticated to the AS Java. Following the JAAS specification, each module is processed according to its login module flag that you configure.

For more information about the flags that you can use for login modules in an authentication stack, see the table below:

| Flag | Required to Succeed | Description |
|---|---|---|
| OPTIONAL | No | Authentication proceeds down the list if the module has succeeded or has failed. |
| REQUIRED | Yes | Authentication proceeds down the list of modules if the module has succeeded or has failed. |
| REQUISITE | Yes | If successful, the authentication proceeds down the list, otherwise control returns to the application – that is, the authentication does not proceed. |
| SUFFICIENT | No | If the authentication is successful, control returns to application; otherwise, the authentication proceeds. |

Example

The following table shows how a login module stack is processed based on these flags.

Login Module Stack Processing

| Module | Flag | Pass/Fail | Pass/Fail | Pass/Fail |
|---|---|---|---|---|
| Module 1 | SUFFICIENT | Pass | Fail | Fail |
| Module 2 | REQUISITE | * | Pass | Fail |
| Module 3 | OPTIONAL | * | Pass | * |
| Overall authentication | | Pass | Pass | Fail |
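The flag rules above can be checked against the example table with a small simulator. This is an added example, not SAP code: `evaluate_stack` and `table_column` are hypothetical names, the module outcomes are constructed inputs, and the rule for stacks without REQUIRED or REQUISITE modules comes from the JAAS specification. It also covers a case the table does not show, a failed REQUIRED module followed by a passing OPTIONAL one.

```python
"""Simulate how JAAS control flags decide the outcome of a login module stack."""

MANDATORY = {"REQUIRED", "REQUISITE"}
FLAGS = MANDATORY | {"OPTIONAL", "SUFFICIENT"}


def evaluate_stack(stack):
    """stack: ordered list of (module_name, flag, succeeds).

    Returns (authenticated, trace); trace marks each module Pass, Fail,
    or "*" when it was never called.
    """
    for _, flag, _ in stack:
        if flag not in FLAGS:
            raise ValueError(f"unknown login module flag: {flag}")
    has_mandatory = any(flag in MANDATORY for _, flag, _ in stack)
    mandatory_failed = any_success = stopped = False
    trace = []
    for name, flag, succeeds in stack:
        if stopped:
            trace.append((name, "*"))
            continue
        trace.append((name, "Pass" if succeeds else "Fail"))
        if succeeds:
            any_success = True
            stopped = flag == "SUFFICIENT"   # control returns to the application
        else:
            mandatory_failed = mandatory_failed or flag in MANDATORY
            stopped = flag == "REQUISITE"    # fail fast, skip the rest
    if mandatory_failed:
        return False, trace
    # Without REQUIRED/REQUISITE modules, JAAS needs at least one success.
    return (True if has_mandatory else any_success), trace


def table_column(results):
    """Constructed input: the page's three-module stack with given outcomes."""
    flags = ["SUFFICIENT", "REQUISITE", "OPTIONAL"]
    return evaluate_stack(
        [(f"Module {i + 1}", flag, ok) for i, (flag, ok) in enumerate(zip(flags, results))]
    )


if __name__ == "__main__":
    for outcomes in [(True, True, True), (False, True, True), (False, False, True)]:
        print(table_column(outcomes))
    # A failed REQUIRED module does not stop the stack, but the login still fails.
    print(evaluate_stack([("A", "REQUIRED", False), ("B", "OPTIONAL", True)]))
```
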

 

 
