Configuring Authentication

 

You configure policy configurations for your Web application to specify the mechanism to use for authenticating an application's users. You can choose from the standard policy configurations such as BASIC, DIGEST, FORM, and CLIENT-CERT, or use a custom login module. For more information about setting up policy configurations, see Managing Authentication Policy.

In addition, you can associate the application with a security policy domain that affects the local Single Sign-On (SSO) capabilities.

You configure login modules in both web.xml and web-j2ee-engine.xml descriptors from the SAP NetWeaver Developer Studio.

Procedure

On the web.xml screen, proceed as follows:

  1. Open the General screen.

  2. Enter an authentication mechanism in the Authentication method field.

    The possible values are BASIC, DIGEST, FORM and CLIENT-CERT.

    For more information about the different methods, see the Java™ Servlet 2.5 Specification at http://java.sun.com.

    The authentication method specifies the following:

    • The authentication mechanism used to protect the application

      In SAP NetWeaver, the authentication mechanisms are implemented as policy configurations of type template. These policy configurations contain an authentication stack with one login module.

      | Authentication Mechanism | Required Credentials | Policy Configuration | Login Module |
      |---|---|---|---|
      | BASIC | User ID and password | basic | BasicPasswordLoginModule |
      | FORM | User ID and password | form | BasicPasswordLoginModule |
      | CLIENT_CERT | Client certificate | client_cert | ClientCertLoginModule |

      The AS Java assigns the corresponding template when the application is deployed. View this assignment on the Components tab of the Authentication plug-in of NetWeaver Administrator.

      For more information, see Managing Authentication Policy for AS Java Components.

      If you do not specify an authentication method in the web.xml, the AS Java assigns the authentication stack template defined in the authentication property ume.login.context. The default value is ticket. You can view and edit this assignment on the Properties tab of the Authentication plug-in of NetWeaver Administrator.

    • The way the server communicates with the client to request the required credentials, as required by the servlet specification.

      Example

      • BASIC

        The server returns an Authorization header and the browser displays a popup with fields for user ID and password.

      • FORM

        The server directs the client to a login page.

      During deployment, the AS Java writes this information to the authentication property auth_method of the policy configuration. View this assignment on the Components tab of the Authentication plug-in of NetWeaver Administrator.

      For more information, see Managing Authentication Policy for AS Java Components.

      If you do not specify an authentication method in the web.xml, the AS Java uses the value defined in the authentication property ume.login.auth_method to determine how the server should communicate with the client. The default value is form. You can view and edit this assignment on the Properties tab of the Authentication plug-in of NetWeaver Administrator.

  3. If you chose the BASIC authentication method in the previous step, enter an authentication realm in the Realm name field. This string is then entered in the Realm field of the logon screen that the browser displays.

  4. If you chose the FORM authentication method, you can also specify the location of the resource (HTML page, servlet, or JSP page) that provides the login page and the page that responds to a failed authentication attempt. To do this, choose Form login configuration and then enter the locations of the pages in the Form login page and Error login page fields, respectively.

    If you specify your own login pages, they are applied as policy configuration properties to the policy configuration of your application. After you deploy the application, view this assignment on the Components tab of the Authentication plug-in of NetWeaver Administrator.

    For more information, see Managing Authentication Policy for AS Java Components.

    If you do not specify your own login and error pages, the AS Java uses the corresponding pages of its own default logon application. We recommend that you use the default pages to ensure a consistent user experience across all applications and because those pages contain built-in security features.

  5. Navigate to the web-j2ee-engine.xml screen.

  6. Open the Security screen.

  7. Select login configuration. You can then configure the following settings:

    • Enter the security policy domain with which the application is associated in the Security policy domain field. This field accepts string values. This configuration affects the application's SSO behavior.

      For more information about the single sign-on environment on the AS Java, see Single Sign-on for Web Applications.

    • Specify application-specific password change pages. To do this, you must provide the resources that supply the pages that display the password change form. Enter the locations of those resources in the Login page and the Error page fields in the Password change configuration pane, respectively.

      If you specify your own password change pages, they are applied as policy configuration properties to the policy configuration of your application. After you deploy the application, view this assignment on the Components tab of the Authentication plug-in of NetWeaver Administrator.

      For more information, see Managing Authentication Policy for AS Java Components.

      If you do not specify your own password change pages, the AS Java uses the corresponding pages of its own default logon application. We recommend that you use the default pages to ensure a consistent user experience across all applications and because those pages contain built-in security features.

      For more information about password change behavior on the AS Java, see Changing the User Password.

    • Configure an application-specific login module stack to use for user authentication. To do this, choose Add Element to add a new login module. Then enter the name of the login module in the Name field. The value of the field can be either the fully qualified Java class name of the class that implements the login module, or the name under which it is registered in the user store. Enter a priority flag for that module in the Priority field. The possible values are OPTIONAL, REQUIRED, REQUISITE, and SUFFICIENT.

      For more information about the semantics of those values, see Managing Authentication Policy.

      If you configure a custom login module stack here, this setting overrides the corresponding settings (if any) for the authentication stack from web.xml and the global authentication property ume.login.context. After you deploy the application, view this assignment on the Components tab of the Authentication plug-in of NetWeaver Administrator.

      For more information, see Managing Authentication Policy for AS Java Components.
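
The web.xml settings from steps 2 to 4, as an added example that is not part of the SAP documentation: a Python check that reads the login-config element of a web.xml and reports the policy configuration and login module that the table on this page assigns to it, including the fallback to ume.login.context and ume.login.auth_method when no method is set. The sample descriptor and its page paths are constructed; login-config, auth-method, realm-name and form-login-config are the standard servlet deployment descriptor elements assumed to sit behind the screen fields described above.

```python
import xml.etree.ElementTree as ET

# From the table on this page: auth-method -> (policy configuration, login module).
TEMPLATES = {
    "BASIC": ("basic", "BasicPasswordLoginModule"),
    "FORM": ("form", "BasicPasswordLoginModule"),
    "CLIENT-CERT": ("client_cert", "ClientCertLoginModule"),
}

def _find(parent, name):
    """First descendant with this local name, ignoring the XML namespace."""
    return next((e for e in parent.iter() if e.tag.rsplit("}", 1)[-1] == name), None)

def _text(parent, name):
    el = _find(parent, name) if parent is not None else None
    return el.text.strip() if el is not None and el.text else None

def describe_login_config(web_xml):
    """Summarise what the login-config of a web.xml selects, per this page."""
    login = _find(ET.fromstring(web_xml), "login-config")
    method = _text(login, "auth-method")
    info = {"auth_method": method, "notes": []}
    if method is None:
        # Page: without a method, the global authentication properties apply.
        info["policy_configuration"] = "ume.login.context (default: ticket)"
        info["notes"].append("client interaction: ume.login.auth_method (default: form)")
        return info
    # The page writes both CLIENT-CERT and CLIENT_CERT; accept either spelling.
    key = method.upper().replace("_", "-")
    info["policy_configuration"], info["login_module"] = TEMPLATES.get(key, (None, None))
    if key not in TEMPLATES:
        info["notes"].append("no template listed on this page for " + method)
    if key == "BASIC" and not _text(login, "realm-name"):
        info["notes"].append("BASIC without realm-name")
    if key == "FORM":
        # Custom pages replace those of the default logon application (step 4).
        info["custom_pages"] = [p for p in (_text(login, "form-login-page"),
                                            _text(login, "form-error-page")) if p]
    return info

# Constructed sample descriptor (not from the page); the JSP paths are placeholders.
SAMPLE = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/loginError.jsp</form-error-page>
    </form-login-config>
  </login-config>
</web-app>"""
print(describe_login_config(SAMPLE))
```

An empty custom_pages list for a FORM application means the default logon application's pages are used, which is the setup the page recommends.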