
Advanced Authentication Example

The portal gives all custom logon modules access to the HTTP request during the authentication process. With access to the HTTP request, a login module can read and set cookies or HTTP header values, for example to reject certain namespaces.

In this chapter we extend the example so that it accesses the HTTP request.

Changes in the LoginModule Implementation

We extend the LoginModule implementation described in the section Customized Authentication Implementation so that, in addition to the password, the client's IP address must lie in a predefined range.

initialize() Method

The remaining code needs the options parameter, which is passed to initialize(). We store it in a field of the login module.

Extended initialize() method:

Subject         _subject = null;
CallbackHandler _ch      = null;
Map             _options = null;

public void initialize(Subject subj, CallbackHandler ch,
                       Map sharedState, Map options)
{
    _subject = subj;
    _ch      = ch;

    // Keep the options so that login() can read the IP range settings
    _options = options;
}

login() Method

We extend the existing login() method because we still want to check the password. We therefore create com.sap.security.demo.DemoLoginModule2 as a subclass of the existing LoginModule class from the section Customized Authentication Implementation and override its login() method as follows:

public boolean login () throws LoginException
{
    Exception on_the_way    = null;
    String    client_ip_str = null;
    String ip_range_str = (String)_options.get("com.sap.security.demo.ip_mask");
    String ip_match     = (String)_options.get("com.sap.security.demo.ip_match");

    // First we check if the password login
    // is successful
    boolean rc = super.login ();

    // In addition we perform the check whether
    // the IP address is within a given range

    // Get IP range (net mask) from options
    byte [] iprange_as_byte_array = getIPAsByteArray (ip_range_str);
    // IP address of the client, filled in below
    byte [] client_ip = null;
    // Get IP match (expected network address) from options
    byte [] ipmatch = getIPAsByteArray (ip_match);

    try {
        client_ip_str = getClientIP ();
    }
    catch (UnsupportedCallbackException e) {
        on_the_way = e;
    }
    catch (IOException e) {
        on_the_way = e;
    }

    if (on_the_way != null) {
        on_the_way.printStackTrace ();
        throw new LoginException ("Exception occurred");
    }

    // Only convert the address once we know the callback succeeded
    client_ip = getIPAsByteArray (client_ip_str);

    if (!ip_address_in_range (client_ip, iprange_as_byte_array, ipmatch))
        throw new LoginException ("IP-address " + client_ip_str +
                                  " is not in range " + ip_range_str);

    return rc;
}

Utility Methods

The method ip_address_in_range() checks whether the client's IP address is in a given range. To do so, it first flips all bits in the array iprange_as_byte_array and then performs a logical AND with the IP address. When all bits are in the allowed range, the result of the AND operation is zero.

The method getClientIP() returns the client's IP address. To obtain the HTTP request object, we call the callback handler's handle() method with an instance of WebCallback. The handle() method is the LoginModule's interface to the calling environment and gives access to the environment's objects. Refer to the JAAS documentation for details.

private boolean ip_address_in_range (byte [] client_ip,
                                     byte [] iprange_as_byte_array,
                                     byte [] ipmatch)
{
    for (int ii = 0; ii < 4; ii++) {
        // Mask the client octet and compare it with the expected octet
        if (ipmatch[ii] != (client_ip[ii] & iprange_as_byte_array[ii]))
            return false;
    }
    return true;
}

private String getClientIP ()
    throws UnsupportedCallbackException, IOException
{
    // The portal's callback handler fills the WebCallback with the request
    WebCallback wcb = new WebCallback ();
    _ch.handle (new Callback [] { wcb });

    HttpServletRequest req = wcb.getRequest();

    return req.getRemoteAddr ();
}

Configuration

To use the com.sap.security.demo.DemoLoginModule2 implementation, we have to add an authscheme to the authschemes.xml file.

The entry has the following format:

<authscheme name="myNewLogon2">
  <loginmodule>
    <loginModuleName>com.sap.security.demo.DemoLoginModule2</loginModuleName>
    <controlFlag>REQUISITE</controlFlag>
    <options></options>
  </loginmodule>
  <priority>25</priority>
  <frontendtype>2</frontendtype>
  <frontendtarget>com.sap.portal.runtime.logon.certlogon</frontendtarget>
</authscheme>

This authscheme has a higher priority because its authentication mechanism is stronger.
