Declarative and Programmatic Authentication (SAP Library - Configuring Authentication and Single Sign-On)

Declarative and Programmatic Authentication

The AS Java enables applications to use two options for authenticating users:

· Declarative authentication (also known as container-based authentication):

The application container of the AS Java handles authentication. A component running on the AS Java declares protected resources and the desired authentication mechanism in its deployment descriptor. When a protected resource of this component is accessed, the container in which the component runs performs authentication.

● Programmatic authentication (also known as UME authentication):

Components running on the AS Java authenticate directly against the User Management Engine (UME) using the UME API. The component explicitly triggers authentication and afterwards the authentication process is controlled by the authentication framework.

Both declarative and programmatic authentication use login modules and authentication stacks as their underlying technology.

You can configure the authentication policy for both types of applications using declarative or UME programmatic authentication with their deployment descriptors web.xml and web-j2ee-engine.xml.

For more information, see Protecting Java Web Applications.

After deployment, you can change this assignment in SAPNetWeaver Administrator.

For more information, see Editing the Authentication Policy of AS Java Components.

Portal applications and iViews have their own implementation of programmatic authentication that includes authentication schemes. The authentication scheme in turn references a login module stack.

For more information, see Login Modules and Login Module Stacks and Authentication Schemes.

Integration

The different types of applications can use different means for defining the login module stack to use in its policy configuration. For more information, see the table below:

Application Type	Type of Authentication	Where is Login Module Stack defined
Web applications	Declarative authentication	Declared in the web.xml deployment descriptor of the Web application. For more information, see Protecting Java Web Applications.
Web applications	Programmatic authentication	This depends on how the application is programmed. Applications can define an authentication scheme in their calls to the API. By default, if they do not define an authentication scheme, these applications use the login module stack referenced by default in the authentication schemes file.
Web Dynpro applications	Programmatic authentication	For more information, see Security Aspects of Web Dynpro for Java.
Portal iViews	Programmatic authentication	An iView property defines which authentication scheme the iView uses. The authentication scheme references a login module stack. For more information, see Assigning an Authentication Scheme to an iView.

Declarative and programmatic authentication are integrated so that if an application uses programmatic authentication to authenticate its users, the container where it runs on the AS Java is also aware that the users are authenticated. Inversely, if an application uses declarative authentication to authenticate its users, UME is also aware that the users are authenticated. Calls to the APIs of both the container and UME return the authenticated user.

Note

If you change the default authentication scheme, this also affects any portal iViews and Web applications that use the default authentication scheme.