Authentication

Login module stacks let you choose a different combination of authentication types for every application you create and for each server component that has security restrictions applied.

Interface IAuthentication

The SAP NetWeaver Application Server (AS) Java provides an API to check whether a user is logged on, to enforce that a user is logged on, and to obtain the logged-on user object.

The interface has the following methods (package names are those of the UME API, com.sap.security.api):

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.sap.security.api.IUser;
import com.sap.security.api.UserManagementException;

public interface IAuthentication {

    // Returns the logged-on user, or null if no user is logged on.
    // Does not modify the response.
    public IUser getLoggedInUser(HttpServletRequest req,
                                 HttpServletResponse resp);

    /*
     * Checks whether a user is logged on and returns the user if so.
     * If no user is logged on, the logon page is written to the
     * ServletResponse and null is returned.
     */
    public IUser forceLoggedInUser(HttpServletRequest req,
                                   HttpServletResponse resp)
        throws UserManagementException;

    // Logs the user off and removes the SSO cookie.
    public void logout(HttpServletRequest req,
                       HttpServletResponse resp);
}


Example: Enforcing Logon

// forceLoggedInUser() throws the checked UserManagementException,
// so the calling method must declare or handle it.
IUser user =
    UMFactory.getAuthenticator().forceLoggedInUser(request, response);
if (user == null) {
    // The logon page has already been written to the response;
    // do not write anything else.
    return;
}

The returned user object can be used for access control and to read the user's profile.

Caution

The method forceLoggedInUser() modifies the response if the user is not logged on: it writes the logon page.

To avoid IllegalStateException and corrupted output, an application must follow these rules:

- Do not write to the response (body or headers) before calling forceLoggedInUser().
- Do not write to the response after calling forceLoggedInUser() when the method returned null.
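The following servlet is an added example, not code from the SAP documentation. It shows how to enforce logon while respecting both rules above: nothing is written to the response before forceLoggedInUser() is called, and the servlet returns immediately when the call yields null. The UME package names are the standard ones (com.sap.security.api); the servlet class, its package, the "ReportViewer" security role and the role-to-UME-role mapping in the deployment descriptors are assumptions for the example.

```java
package example; // hypothetical package

import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.sap.security.api.IUser;
import com.sap.security.api.UMFactory;
import com.sap.security.api.UserManagementException;
import com.sap.security.api.logon.IAuthentication;

// Added example: a servlet that requires a logged-on user and then performs
// a role check before rendering anything.
public class ProtectedReportServlet extends HttpServlet {

    // Assumed J2EE security role, mapped to a UME role in web-j2ee-engine.xml.
    private static final String REQUIRED_ROLE = "ReportViewer";

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        IAuthentication auth = UMFactory.getAuthenticator();
        IUser user;
        try {
            // Rule 1: no getWriter(), setHeader() or addCookie() before this call,
            // because the UME may need to write the logon page itself.
            user = auth.forceLoggedInUser(request, response);
        } catch (UserManagementException e) {
            // The logon state could not be determined: fail closed, never fall
            // through to anonymous access. Nothing has been written yet, so an
            // error status can still be sent.
            log("forceLoggedInUser() failed", e);
            response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            return;
        }
        if (user == null) {
            // Rule 2: the logon page is already in the response. Return without
            // touching the response again.
            return;
        }

        // Access control on the authenticated user. The UME user is also the
        // container principal, so the standard servlet role check applies.
        if (!request.isUserInRole(REQUIRED_ROLE)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // Only now is it safe to produce output.
        response.setContentType("text/plain; charset=UTF-8");
        PrintWriter out = response.getWriter();
        out.println("Report for " + user.getDisplayName()
                + " (" + user.getUniqueName() + ")");
    }
}
```

The order matters: the exception branch and the null branch both return before any output, and the role check is performed on the user object the UME returned rather than on anything the client supplied.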

Session Handling for AS Java Applications

If an AS Java application stores confidential or user-related data in the session context, the application must make sure that this data (or the whole session) is destroyed when the user logs off. The application must also check on every request whether a user is logged on, using the method getLoggedInUser().

Whenever a user logs on, a reference to the logged-on user is stored in the session context. If the session already contains a reference to a different user (this includes the case where the session contains a user reference but that user is no longer logged on), use the method forceLoggedInUser() to start a new logon and discard the existing session. Never let session data created for one user carry over to another. When the user logs off, the SSO cookie is removed and the session is closed.

To keep getLoggedInUser() fast, the UME caches the information needed to verify the logon status of a user, so calling it on every request is acceptable.
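The following servlet filter is an added example, not code from the SAP documentation. It applies the session-handling rules above to every request: it calls getLoggedInUser(), compares the result with the user the session was created for, invalidates the session and forces a fresh logon when they differ or when the stored user is no longer logged on, and on a logout path destroys the session before removing the SSO cookie. The UME package names are the standard ones (com.sap.security.api); the filter class, the session attribute name and the "/logout" servlet path are assumptions for the example.

```java
package example; // hypothetical package

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import com.sap.security.api.IUser;
import com.sap.security.api.UMFactory;
import com.sap.security.api.UserManagementException;
import com.sap.security.api.logon.IAuthentication;

// Added example: binds each HTTP session to exactly one logged-on user.
public class SessionUserFilter implements Filter {

    // Hypothetical session attribute: the unique ID of the user the session
    // belongs to. Store the ID, not the IUser object, so the check is cheap.
    static final String SESSION_USER = "example.sessionUserId";

    public void init(FilterConfig cfg) { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) resp;
        IAuthentication auth = UMFactory.getAuthenticator();

        // Logoff: destroy application data first, then remove the SSO cookie.
        if ("/logout".equals(request.getServletPath())) {
            HttpSession old = request.getSession(false);
            if (old != null) {
                old.invalidate();
            }
            auth.logout(request, response);
            return; // render a logged-off page or redirect here as the application requires
        }

        // Cheap per-request check; does not modify the response.
        IUser current = auth.getLoggedInUser(request, response);
        HttpSession session = request.getSession(false);
        String boundUser = (session == null) ? null : (String) session.getAttribute(SESSION_USER);

        // Stale session: it was created for another user, or for a user who has
        // since logged off. Discard it rather than reuse it.
        if (boundUser != null && (current == null || !boundUser.equals(current.getUniqueID()))) {
            session.invalidate();
            current = null;
        }

        if (current == null) {
            try {
                // Starts a new logon; writes the logon page and returns null if needed.
                current = auth.forceLoggedInUser(request, response);
            } catch (UserManagementException e) {
                response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
                return;
            }
            if (current == null) {
                return; // logon page already written; do not touch the response
            }
        }

        // Bind the (possibly new) session to this user before the application runs.
        request.getSession(true).setAttribute(SESSION_USER, current.getUniqueID());
        chain.doFilter(request, response);
    }
}
```

Because the filter invalidates the session before calling forceLoggedInUser(), data that belonged to the previous user is gone before the new user's first request reaches the application, which is the guarantee the section above asks for.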

Caution

See the Java Servlet specification (published by Sun Microsystems at the time of writing) for details of the HttpSession object, in particular its invalidation and timeout behaviour, before you create an AS Java application that keeps user data in the session.


Single Sign-On (SSO)

Authentication with SSO works as follows:

- After a user has logged on, an SSO cookie containing a digitally signed logon ticket is created for the user. The cookie is a bearer credential: whoever presents it is treated as that user, so it must only be transmitted over TLS.

- In subsequent requests, this cookie is used for SSO. The method forceLoggedInUser() verifies the cookie and retrieves the available user information.

- If the user is not logged on, or the cookie is invalid for any reason, and forceLoggedInUser() is called, the method automatically displays the logon page. The originally requested URL (for example, a servlet, HTML page or JSP) is passed to the logon page, and once the user has logged on again the requested URL is called.
