Show TOC Entering content frame

Procedure documentation Adjusting the Login Module Stacks for Using Header Variables Locate the document in its SAP Library structure

Use

When a user is authenticated on the SAP Web Application Server Java, the server processes the stack of login modules that apply to the application that the user accesses. The header variable login module is not automatically included with the default login module stacks. Therefore, if you wish to use header variables for authentication, you must adjust the login module stacks for those applications that will use header variables to authenticate a user. For more information, see Managing Login Modules.

Prerequisites

The login module HeaderVariableLoginModule exists in the active user store. (To check if it exists, in the Security Provider service, choose Runtime ® Policy Configurations, select any component in the component list, and choose the Add New button to add a new login module to the login module stack. A list of all available login module appears.) If it does not exist, then make it available as follows:

...

                            a.      In the Visual Administrator, choose Security Provider.

                            b.      Choose the User Management tab and choose Manage Security Stores.

The currently active user store and the login modules for that user store are displayed.

                            c.      Choose Add Login Module.

A dialog box prompting you to choose an editor for the login module option appears.

                            d.      Choose OK.

A dialog box prompting you to add a login module appears.

                            e.      Fill in the fields as follows:

Field name

Field value

Class Name

com.sap.security.core.server
.jaas.HeaderVariableLoginModule

Display Name

HeaderVariableLoginModule

                              f.      Choose OK.

The HeaderVariableLoginModule now appears in the list of login modules for the active user store.

Procedure

Add the HeaderVariableLoginModule to the appropriate login module stack or template and configure the options as follows:

...

       1.      In the Visual Administrator, choose Security Provider.

       2.      Choose Policy Configurations ® Authentication.

       3.      For each template or application that is to support header variable authentication:

                            a.      Add the login module HeaderVariableLoginModule to the login module stack.

See the Examples section below for an example of what position in the login module stack to add the module.

                            b.      Set the options for the HeaderVariableLoginModule as shown in the table below:

Note

The options for integrated Windows authentication only apply when using the IISproxy module. However, except for specific applications that still require the use of the IISproxy module, we recommend using Kerberos authentication as described in Using Kerberos Authentication for Single Sign-On for integrated Windows authentication.

Option

Value

Description

Header

<any string>

Default value is REMOTE_USER

The header name that is to be fetched from the request.

For use with the IISproxy module only: For integrated Windows authentication this value must be REMOTE_USER.

windows_integrated

true, false

Default value is false

For use with the IISproxy module only: Specifies whether integrated Windows authentication is to be used or not.

domain

(Only relevant for integrated Windows authentication.)

 

<comma-separated list>

Default value is <empty>

For use with the IISproxy module only: Specifies a comma-separated list of Windows domains which are supported. If the list is not empty, the Windows user must be from one of the domains.

Background information:

With Windows authentication, the user IDs have the form <windows domain>\<user name> during logon. The HeaderVariableLoginModule only uses the <user name> part to log on the user. If there are local users or users from other domains with identical user IDs, unauthorized users may be able log on. To prevent this, you can configure the login module to accept users from specific domains only.

Example

The following login module stack first checks if the user has a SAP logon ticket. If yes, the authentication succeeds and control returns to the application. If not, the next login module checks for a value (user ID) in the header variable <header_name>, where <header_name>is the header variable in which an authentication tool writes the authenticated user ID. If there is a value, a logon ticket is issued for this user ID. If there is not a value in the header variable, the BasicPasswordLoginModule authenticates the user with user ID and password. If this authentication is successful, the user is issued a logon ticket.

In this example, authentication with user ID and password is used as a fallback authentication method in case authentication with header variables does not succeed.

Example of a Login Module Stack with Header Variable Authentication

Login Modules

Flag

Options

EvaluateTicketLoginModule

SUFFICIENT

{ume.configuration.active=true}

HeaderVariableLoginModule

OPTIONAL

{ume.configuration.active=true, Header=<header_name>}

CreateTicketLoginModule

SUFFICIENT

{ume.configuration.active=true}

BasicPasswordLoginModule

REQUISITE

{}

CreateTicketLoginModule

OPTIONAL

{ume.configuration.active=true}

 

 

Leaving content frame