The AS Java enables you to define the use of groups of login modules that contain different authentication logic. These groups are called login module stacks or authentication stacks.
You assign the authentication stacks to the policy configurations of the applications you create or the AS Java components. This means that you can implement different combinations of authentication mechanisms for the AS Java applications.
You can use the Web-based SAP NetWeaver Administrator (NWA) to configure runtime options for the policy configurations of AS Java components.
You can use the filtering functions in NWA to display and configure the policy configurations for the following AS Java components:
You can use the AS Java policy configurations of type Template as authentication templates for standard authentication scenarios.
The standard authentication templates on the AS Java are listed below:
You can also use the NWA to extend the standard authentication templates by defining custom templates for authentication stacks. The AS Java registers custom authentication stacks of this type in policy configurations of type Custom. Therefore, to apply a custom policy configuration that you create, you choose it from the Custom policy configuration types. You can use the standard authentication templates as a basis to develop your own templates or to customize the use of authentication for AS Java components.
You can combine login modules to create authentication stacks that combine the authentication logic for several authentication mechanisms. To perform authentication, the complete set of login modules is processed in accordance with their place in the authentication stack. The order in which these login modules are called during the authentication process corresponds to the order in which a client can be authenticated to the AS Java. Following the JAAS specification, each module is processed in accordance with its login module flag, which you configure.
For more information about the flags that you can use for login modules in an authentication stack, see the table below:

| Flag | Required to Succeed | Description |
|---|---|---|
| OPTIONAL | No | Authentication proceeds down the list regardless of whether the module has succeeded or has failed. |
| REQUIRED | Yes | Authentication proceeds down the list of modules regardless of whether the module has succeeded or failed. |
| REQUISITE | Yes | If successful, the authentication proceeds down the list, otherwise control returns to the application - that is, the authentication does not proceed. |
| SUFFICIENT | No | If the authentication is successful, control returns to application; otherwise, the authentication proceeds. |

You can configure a logon policy for each policy configuration. By performing this configuration, you set rules and conditions for user authentication. If you do not specify a logon policy, the system generates a default one that allows every user to log on. To enable the use of logon policies of this type, you have to set the property ume.logon.apply_logon_policies. For more information, see Setting a Logon Policy for a Policy Configuration.
The following table shows how a login module stack is processed based on these flags.
Login Module Stack Processing

| Module | Flag | Pass/Fail | Pass/Fail | Pass/Fail |
|---|---|---|---|---|
| Module 1 | SUFFICIENT | Pass | Fail | Fail |
| Module 2 | REQUISITE | * | Pass | Fail |
| Module 3 | OPTIONAL | * | Pass | * |
| Overall authentication | | Pass | Pass | Fail |
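
The stack from the processing table can be run through the JDK's standard JAAS `LoginContext` to observe how the flags decide the overall result. This is an added example, not SAP code and not the AS Java engine itself; the class `StackDemo`, the stub module `Stub`, and its `pass` option are constructed for illustration. It also goes one step beyond the table by adding a REQUIRED case.

```java
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.*;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.spi.LoginModule;

public class StackDemo {
    /** Constructed stub: succeeds or fails according to its "pass" option. */
    public static class Stub implements LoginModule {
        private boolean pass;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
            pass = "true".equals(opts.get("pass"));
        }
        public boolean login() throws LoginException {
            if (!pass) throw new FailedLoginException("stub module failed");
            return true;
        }
        public boolean commit() { return pass; }  // only a module that logged in commits
        public boolean abort()  { return true; }
        public boolean logout() { return true; }
    }

    /** Builds one stack entry: the stub module with the given flag and outcome. */
    static AppConfigurationEntry m(LoginModuleControlFlag flag, boolean pass) {
        return new AppConfigurationEntry(Stub.class.getName(), flag, Map.of("pass", String.valueOf(pass)));
    }

    /** Runs the stack through LoginContext; true means overall authentication passed. */
    static boolean authenticate(AppConfigurationEntry... stack) {
        Configuration cfg = new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) { return stack; }
        };
        try {
            new LoginContext("demo", null, null, cfg).login();
            return true;
        } catch (LoginException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        LoginModuleControlFlag S = LoginModuleControlFlag.SUFFICIENT, Q = LoginModuleControlFlag.REQUISITE,
                O = LoginModuleControlFlag.OPTIONAL, R = LoginModuleControlFlag.REQUIRED;
        // Table columns; modules marked * are set to fail to show they do not decide the result.
        System.out.println("column 1: " + authenticate(m(S, true),  m(Q, false), m(O, false)));
        System.out.println("column 2: " + authenticate(m(S, false), m(Q, true),  m(O, true)));
        System.out.println("column 3: " + authenticate(m(S, false), m(Q, false), m(O, false)));
        // Beyond the table: a failed REQUIRED module is not rescued by a later SUFFICIENT success.
        System.out.println("REQUIRED fail, SUFFICIENT pass: " + authenticate(m(R, false), m(S, true)));
    }
}
```

When reviewing a custom stack, check what precedes each SUFFICIENT module: a pass there ends evaluation, so modules listed after it never run for that logon.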