
HTTP Basic Authentication Properties

The HttpAuthenticationLoginModule provider authenticates the user with the given credentials (user name and password) against the secured Web server by issuing an HTTP GET to a URL that requires basic authentication. It can also be configured to retrieve a cookie with a configured name from that connection and add it to the JAAS subject to facilitate single sign-on (SSO).

Configure this provider to authenticate the user in one of three ways:
  • Using only the specified user name and password (basic authentication).
  • Using only the specified client HTTP value or values (token authentication).
  • Attempting token authentication first and, if that fails, falling back to basic authentication with the supplied user name and password. This is useful when the same security configuration must authenticate both users that present a token, such as device users hitting the network edge, and DCN requests from within the firewall that present a user name and password but no token.
Note The HttpAuthenticationLoginModule validates a token by connecting to an HTTP server that is capable of validating the token specified in the HTTP header and the cookie set in the session.
Table 1: HttpAuthenticationLoginModule Configuration Options

Each entry lists the configuration option, its default value in parentheses, and a description.

URL (default: none)
The HTTP or HTTPS URL that authenticates the user. For SSO, this is the server URL from which SAP Mobile Server acquires the SSO cookie/token.

Disable server certificate validation (default: false)
(Optional) If set to true, disables validation of the server certificate when establishing an HTTPS connection to the secured Web server (SWS) at the configured URL. With validation disabled, the user's credentials and the SSO cookie are exchanged with an endpoint whose identity has not been verified, so set this to true only while debugging the configuration and never leave it enabled in production.

SSO cookie name (default: none)
(Optional) Name of the cookie set in the session between the LoginModule and the secured Web server that holds the SSO token for single sign-on. The provider looks for this cookie in the connection to the secured Web server. If the cookie is found, it is added to the authenticated subject as a named credential.

When an SSO cookie with this name is found in the session, the authentication provider ignores the response status code: authentication succeeds regardless of the status code returned. The secured Web server must therefore set this cookie only after it has actually authenticated the user.

Roles HTTP header (default: none)
(Optional) The name of an HTTP response header that the server may return. The header value contains a comma-separated list of roles to be granted.

Successful connection status code (default: 200)
HTTP status code interpreted as successful when the connection to the secured Web server is established. The status code is not checked when the SSO cookie is found (see SSO cookie name).

HTTP connection timeout interval (default: 60000 milliseconds, that is, 60 seconds)
The value, in milliseconds, after which an HTTP connection request to the Web-based authentication service times out. If the HTTP connection made by this module (for either user authentication or configuration validation) has no timeout set and the Web-based authentication service is unresponsive, the connection hangs, which could in turn cause SAP Mobile Server to become unresponsive. Setting the timeout interval ensures that an authentication failure is reported instead of waiting indefinitely for the server to respond.

SendClientHttpValuesAs (default: none)
Comma-separated list of strings that indicate how each value listed in ClientHttpValuesToSend is sent to the HTTP server: as an HTTP header or as a cookie. For example:

SendClientHttpValuesAs=header:<header_name>, cookie:<cookie_name>

Combined with the ClientHttpValuesToSend example below, this sends the client personalization key as the header <header_name> and the client cookie as the cookie <cookie_name>.

This property does not apply if the user is to be authenticated using only the supplied user name and password.

ClientHttpValuesToSend (default: none)
A comma-separated list of client HTTP values (personalization keys, HTTP headers, and cookies received from the client) to be sent to the HTTP server. For example:

ClientHttpValuesToSend=<client_personalization_key>, <client_cookie_name>

Set this property if you are using token authentication. Setting it triggers token authentication: only token authentication is attempted unless TryBasicAuthIfTokenAuthFails is also set to true.

This property does not apply if the user is to be authenticated using only the supplied user name and password.

SendPasswordAsCookie (default: none)
Deprecated. Use only for backward compatibility. New configurations should configure token authentication using SendClientHttpValuesAs and ClientHttpValuesToSend.

Sends the password to the URL as a cookie with this name. If not specified, the password is not sent in a cookie. This property was used when a cookie-based SSO mechanism (for example, SiteMinder) is in place and the client has put an SSO token into the password field. With the current properties, the token is instead propagated from the personalization keys, HTTP headers, and cookies to the secured Web server without affecting the password field.

TryBasicAuthIfTokenAuthFails (default: false)
Specifies whether the provider attempts basic authentication with the supplied user name and password if token authentication is configured and fails. This property is applicable only if token authentication is enabled, that is, if ClientHttpValuesToSend is set.

This property does not apply if the user is to be authenticated using only the supplied user name and password.

UsernameHttpHeader (default: none)
Name of the HTTP response header in which the HTTP server returns the user name retrieved from the token. Upon successful authentication, the retrieved user name is added to the subject as a SecNamePrincipal.

This property does not apply if the user is to be authenticated using only the supplied user name and password.

regexForUsernameMatch (default: none)
Regular expression used to match the supplied user name against the user name the HTTP server returns in UsernameHttpHeader. The string "{username}" in the regular expression is replaced with the supplied user name before the expression is applied. If specified, the user name retrieved from UsernameHttpHeader is matched against the user name specified in the callback handler; if the two do not match, authentication fails. If they match, both the supplied user name and the retrieved user name are added to the authenticated subject as SecNamePrincipals.

This property does not apply if the user is to be authenticated using only the supplied user name and password.

TokenExpirationTimeHttpHeader (default: none)
Name of the HTTP response header in which the HTTP server returns the expiration time of the token, expressed in milliseconds since 00:00:00 UTC on January 1, 1970 (Unix epoch milliseconds). If the secured Web server returns this header, the token is cached only for as long as it remains valid, reduced by TokenExpirationInterval if that is also configured. If the header is not returned with the token, the token attached to the authenticated context may continue to be used after it has expired.

This property does not apply if the user is to be authenticated using only the supplied user name and password.

TokenExpirationInterval (default: 0)
Specifies an interval, in milliseconds, that is deducted from the expiration time returned in TokenExpirationTimeHttpHeader. This safety margin ensures that the token credential retrieved from the authenticated session is still valid when it is passed to the SWS for single sign-on to access MBOs.
Note This property does not apply if the user is to be authenticated using only the supplied user name and password.
Note If the configured TokenExpirationInterval value exceeds the remaining validity of the token, authentication by the HttpAuthenticationLoginModule fails even though the secured Web server validated the token successfully.

CredentialName (default: none)
Name under which the token returned in the SSO cookie (see SSO cookie name) is stored in the authentication credential. If this property is not configured, the SSO cookie name is used as the name of the token credential.

providerDescription (default: none)
(Optional) Allows the administrator to associate a description with the provider instance. A provider description makes it easier to differentiate between multiple instances of the same provider type, for example when several login modules of the same type are stacked in a security configuration, each targeting a different repository.
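The following Python simulation is an added illustration and not part of the SAP documentation or of the module's own (Java/JAAS) code. It applies the rules from Table 1 to constructed responses so that the interaction of the options can be checked offline: it pairs each ClientHttpValuesToSend entry by position with its SendClientHttpValuesAs target, falls back to basic authentication when TryBasicAuthIfTokenAuthFails is set, ignores the status code once the SSO cookie is present, checks regexForUsernameMatch against UsernameHttpHeader, and rejects a token whose TokenExpirationInterval exceeds its remaining validity. The HttpAuthConfig and Response types, the fake_server function, the header names X-Token, X-User, X-Roles and X-Expires, the SMSESSION cookie and the alice/s3cret credentials are all constructed for the example; the positional pairing, the escaping of the user name inside the regular expression, and failing closed when UsernameHttpHeader is missing are assumptions of this example, not statements from the page.

```python
import re
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the module's configuration; field names mirror the options in Table 1.
@dataclass
class HttpAuthConfig:
    success_status: int = 200                      # Successful connection status code
    sso_cookie_name: Optional[str] = None          # SSO cookie name
    roles_header: Optional[str] = None             # Roles HTTP header
    send_client_values_as: str = ""                # SendClientHttpValuesAs
    client_values_to_send: str = ""                # ClientHttpValuesToSend
    try_basic_if_token_fails: bool = False         # TryBasicAuthIfTokenAuthFails
    username_header: Optional[str] = None          # UsernameHttpHeader
    regex_for_username_match: Optional[str] = None # regexForUsernameMatch
    token_expiration_header: Optional[str] = None  # TokenExpirationTimeHttpHeader
    token_expiration_interval_ms: int = 0          # TokenExpirationInterval
    credential_name: Optional[str] = None          # CredentialName

Response = namedtuple("Response", "status headers cookies")  # constructed stand-in for an HTTP response

def parse_send_as(spec):
    """Parse 'header:<name>, cookie:<name>' into [(kind, name), ...]; reject anything else."""
    out = []
    for part in filter(None, (p.strip() for p in spec.split(","))):
        kind, _, name = part.partition(":")
        kind, name = kind.strip().lower(), name.strip()
        if kind not in ("header", "cookie") or not name:
            raise ValueError(f"bad SendClientHttpValuesAs entry: {part!r}")
        out.append((kind, name))
    return out

def build_token_request(cfg, client_values):
    """Pair each ClientHttpValuesToSend entry, by position, with its SendClientHttpValuesAs target."""
    names = [n.strip() for n in cfg.client_values_to_send.split(",") if n.strip()]
    targets = parse_send_as(cfg.send_client_values_as)
    if len(names) != len(targets):
        raise ValueError("ClientHttpValuesToSend and SendClientHttpValuesAs must have equal length")
    headers, cookies = {}, {}
    for name, (kind, target) in zip(names, targets):
        if name in client_values:                  # values the client did not supply are omitted
            (headers if kind == "header" else cookies)[target] = client_values[name]
    return headers, cookies

def evaluate(cfg, username, resp, now_ms):
    """Apply the success rules from Table 1 to one response. Returns a subject dict or None."""
    sso_token = resp.cookies.get(cfg.sso_cookie_name) if cfg.sso_cookie_name else None
    # Once the SSO cookie is present the status code is ignored; otherwise it must match.
    if sso_token is None and resp.status != cfg.success_status:
        return None
    principals = [username]
    if cfg.username_header:
        retrieved = resp.headers.get(cfg.username_header)
        if cfg.regex_for_username_match:
            # "{username}" becomes the supplied name (escaped here so regex metacharacters in a
            # user name cannot widen the match); a missing header fails closed (our assumption).
            pattern = cfg.regex_for_username_match.replace("{username}", re.escape(username))
            if retrieved is None or not re.fullmatch(pattern, retrieved):
                return None
        if retrieved is not None and retrieved not in principals:
            principals.append(retrieved)           # both names become SecNamePrincipals
    credentials = {}
    if sso_token is not None:
        expires_ms = None
        if cfg.token_expiration_header in resp.headers:
            expires_ms = int(resp.headers[cfg.token_expiration_header]) - cfg.token_expiration_interval_ms
            if expires_ms <= now_ms:               # interval exceeds remaining validity: fail
                return None
        credentials[cfg.credential_name or cfg.sso_cookie_name] = {"value": sso_token, "expires_ms": expires_ms}
    roles = []
    if cfg.roles_header and resp.headers.get(cfg.roles_header):
        roles = [r.strip() for r in resp.headers[cfg.roles_header].split(",") if r.strip()]
    return {"principals": principals, "credentials": credentials, "roles": roles}

def authenticate(cfg, username, password, client_values, send, now_ms):
    """send(headers, cookies, basic) -> Response stands in for the GET against the configured URL."""
    if cfg.client_values_to_send:                  # setting ClientHttpValuesToSend switches on token auth
        subject = evaluate(cfg, username, send(*build_token_request(cfg, client_values), None), now_ms)
        if subject is not None or not cfg.try_basic_if_token_fails:
            return subject
    return evaluate(cfg, username, send({}, {}, (username, password)), now_ms)

# Constructed fake secured Web server: accepts token "T-OK" in X-Token (answering with an SSO
# redirect rather than 200) or basic auth alice/s3cret, and sets the SMSESSION cookie either way.
NOW_MS = 1_700_000_000_000; EXPIRES_MS = NOW_MS + 600_000   # token valid for another ten minutes
def fake_server(headers, cookies, basic):
    ok = {"X-User": "alice", "X-Roles": "user, admin", "X-Expires": str(EXPIRES_MS)}
    if headers.get("X-Token") == "T-OK":
        return Response(302, ok, {"SMSESSION": "abc123"})
    if basic == ("alice", "s3cret"):
        return Response(200, ok, {"SMSESSION": "abc123"})
    return Response(401, {}, {})

CFG = HttpAuthConfig(sso_cookie_name="SMSESSION", roles_header="X-Roles", username_header="X-User",
                     send_client_values_as="header:X-Token, cookie:SMSESSION", credential_name="SSO_TOKEN",
                     client_values_to_send="token, SMSESSION", try_basic_if_token_fails=True,
                     regex_for_username_match="{username}", token_expiration_header="X-Expires",
                     token_expiration_interval_ms=30_000)
```

With CFG, a device request carrying token T-OK succeeds on the 302 response because the SMSESSION cookie is present, and the credential is stored under SSO_TOKEN with the expiry reduced by the 30-second interval; a DCN request with no token falls through to basic authentication. Raising the interval above the token's remaining validity, or returning a user name in X-User that does not match the one supplied, makes authentication fail even though the server accepted the token, which is exactly the behaviour the notes on TokenExpirationInterval and regexForUsernameMatch describe.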