Using Login Modules to Protect Web Applications

Purpose

This process covers developing the login modules. It also describes the activities you perform afterwards to set up the login module stack in the Security Provider Service and how you reference the login modules from your Web application.

To develop the login modules themselves, you use the standard JAAS APIs together with a few SAP proprietary classes. The process flow is outlined in the next section. The SAP proprietary classes are described in SAP Specific HTTP Callbacks.

Process Flow
  1. Develop the login modules.

    Each login module must implement the javax.security.auth.spi.LoginModule interface, which defines five methods:

    • Perform initialization of the login module in the initialize() method. A CallbackHandler is passed to it as a parameter.
    • Perform the first phase of the login in the login() method. You can use the CallbackHandler here to exchange the authentication information with the user.
    • In the commit() method, if the authentication succeeded, assign principals and credentials to the Subject (the object that represents the user being authenticated) and populate them.
    • Abort the authentication process in the abort() method.
    • Log the user out in the logout() method by removing the principals and credentials from the Subject.
  2. Register the login modules that you have created with the Security Provider Service of the AS Java. You can then configure the authentication stack in your application's policy configuration for authenticating user access. For more information, see Managing Login Modules.

    You can use any of the policy configuration templates and their authentication stacks as a basis and enhance them to develop your custom authentication templates. For more information about the template login modules provided, see Managing Authentication Policy.

  3. Reference the login module stack from your Web application by specifying the name of the policy configuration of the authentication stack in its web-j2ee-engine.xml descriptor. For more information about the procedure, see Specifying Authentication Mechanisms for Java Applications.
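The following is an added example of a login module implementing the five LoginModule methods from step 1; it is not code from the SAP documentation. It assumes a constructed single-user check in place of a real user store, uses the JDK's com.sun.security.auth.UserPrincipal rather than an SAP principal class, and is named ExampleLoginModule so it could be registered in a stack called "Example".

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
import com.sun.security.auth.UserPrincipal;

// Hypothetical two-phase module: login() only verifies; commit() populates the Subject.
public class ExampleLoginModule implements LoginModule {
    private Subject subject;
    private CallbackHandler handler;
    private String userName;
    private UserPrincipal principal;
    private boolean loginSucceeded, commitSucceeded;

    public void initialize(Subject subject, CallbackHandler handler, Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;  // the user being authenticated
        this.handler = handler;  // supplies name and password, e.g. from the HTTP request
    }

    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { nc, pc });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("cannot obtain credentials: " + e.getMessage());
        }
        char[] pw = pc.getPassword(); pc.clearPassword();
        // Constructed single-user check for illustration; a real module queries a user store.
        boolean ok = pw != null && "alice".equals(nc.getName()) && Arrays.equals(pw, "s3cret".toCharArray());
        if (pw != null) Arrays.fill(pw, '\0');  // do not keep the clear-text password in memory
        if (!ok) throw new FailedLoginException("invalid user name or password");
        userName = nc.getName();
        return loginSucceeded = true;
    }

    public boolean commit() throws LoginException {
        if (!loginSucceeded) return false;  // this module adds nothing to the Subject
        subject.getPrincipals().add(principal = new UserPrincipal(userName));
        return commitSucceeded = true;
    }

    // abort() discards phase-1 state and, if commit() already ran, the added principal.
    public boolean abort() throws LoginException { return loginSucceeded && logout(); }

    public boolean logout() throws LoginException {
        if (commitSucceeded) subject.getPrincipals().remove(principal);
        principal = null; userName = null; loginSucceeded = commitSucceeded = false;
        return true;
    }
}
```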

Code to Use in Your Web Application

To perform the authentication using the login modules that you have developed, you must do the following in your servlet or JSP code:

  1. Create a new LoginContext:

    LoginContext lc = new LoginContext("Example");

    where Example is the name of the login module stack as you defined it in step 3 of the above process.

  2. Call the login() method to start the authentication:

    try {
        // start authentication
        lc.login();
        // user authenticated successfully
    } catch (LoginException le) {
        // handle the cases of failed authentication here
        …
    }