
Adjusting the Login Module Stacks for Using Header Variables

Use

When a user is authenticated on the SAP Web Application Server Java, the server processes the stack of login modules that apply to the application that the user accesses. The header variable login module is not automatically included with the default login module stacks. Therefore, if you wish to use header variables for authentication, you must adjust the login module stacks for those applications that will use header variables to authenticate a user. For more information, see Managing Login Modules.

Prerequisites

The login module HeaderVariableLoginModule exists in the active user store. (To check if it exists, in the Security Provider service, choose Runtime → Policy Configurations, select any component in the component list, and choose the Add New button to add a new login module to the login module stack. A list of all available login modules appears.) If it does not exist, then make it available as follows:

   a.  In the Visual Administrator, choose Security Provider.

   b.  Choose Switch to edit mode.

   c.  Choose the User Management tab and choose Manage Security Stores.

       The currently active user store and the login modules for that user store are displayed.

   d.  Choose Add Login Module.

       A dialog box prompting you to choose an editor for the login module option appears.

   e.  Choose OK.

       A dialog box prompting you to add a login module appears.

   f.  Fill in the fields as follows:

       Field name      Field value
       Class Name      com.sap.security.core.server.jaas.HeaderVariableLoginModule
       Display Name    HeaderVariableLoginModule

   g.  Choose OK.

The HeaderVariableLoginModule now appears in the list of login modules for the active user store.

Procedure

Add the HeaderVariableLoginModule to the appropriate login module stack or template and configure the options as follows:

   1.  In the Visual Administrator, choose Security Provider.

   2.  Choose Switch to edit mode.

   3.  Choose Policy Configurations → Authentication.

   4.  For each template or application that is to support header variable authentication:

       a.  Add the login module HeaderVariableLoginModule to the login module stack.

           See the Example section below for the position in the login module stack at which to add the module.

       b.  Set the option Header to the name of the header variable that contains the user ID. The default value is REMOTE_USER.

Example

The following login module stack first checks if the user has an SAP logon ticket. If yes, the authentication succeeds and control returns to the application. If not, the next login module checks for a value (user ID) in the header variable <header_name>, where <header_name> is the header variable in which an authentication tool writes the authenticated user ID. If there is a value, a logon ticket is issued for this user ID. If there is no value in the header variable, the BasicPasswordLoginModule authenticates the user with user ID and password. If this authentication is successful, the user is issued a logon ticket.

In this example, authentication with user ID and password is used as a fallback authentication method in case authentication with header variables does not succeed.

Example of a Login Module Stack with Header Variable Authentication

Login Modules              Flag        Options
EvaluateTicketLoginModule  SUFFICIENT  {ume.configuration.active=true}
HeaderVariableLoginModule  OPTIONAL    {ume.configuration.active=true, Header=<header_name>}
CreateTicketLoginModule    SUFFICIENT  {ume.configuration.active=true}
BasicPasswordLoginModule   REQUISITE   {}
CreateTicketLoginModule    OPTIONAL    {ume.configuration.active=true}
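
The evaluation order described in this example can be traced with the following simplified model of the JAAS control flags. It is an added illustration, not SAP code: the module functions only mimic the behaviour described above, the request fields (ticket_user, headers, password_user) are constructed inputs, the Header option uses the default REMOTE_USER, and the ume.configuration.active option is omitted.

```python
# Added example: simplified model of JAAS control flags over the stack above.
# Request fields (ticket_user, headers, password_user) are constructed inputs.

def _login(st, user):
    """Record the user ID a module established; report success or failure."""
    if user:
        st["user"] = user
    return bool(user)

def evaluate_ticket(req, st, opts):   # succeeds if a valid logon ticket is presented
    return _login(st, req.get("ticket_user"))

def header_variable(req, st, opts):   # accepts the user ID found in the configured header
    return _login(st, req.get("headers", {}).get(opts["Header"]))

def basic_password(req, st, opts):    # password_user is set only if the password check passed
    return _login(st, req.get("password_user"))

def create_ticket(req, st, opts):     # issues a ticket only for an already established user
    st["ticket_issued"] = bool(st["user"])
    return st["ticket_issued"]

STACK = [
    (evaluate_ticket, "SUFFICIENT", {}),
    (header_variable, "OPTIONAL", {"Header": "REMOTE_USER"}),
    (create_ticket, "SUFFICIENT", {}),
    (basic_password, "REQUISITE", {}),
    (create_ticket, "OPTIONAL", {}),
]

def authenticate(req, stack=STACK):
    st = {"user": None, "ticket_issued": False, "trace": []}
    required_seen = required_failed = any_ok = False
    for module, flag, opts in stack:
        ok = module(req, st, opts)
        st["trace"].append((module.__name__, flag, ok))
        if flag in ("REQUIRED", "REQUISITE"):
            required_seen = True
            required_failed = required_failed or not ok
            if flag == "REQUISITE" and not ok:
                break                      # REQUISITE failure stops the stack
        else:
            any_ok = any_ok or ok
            if flag == "SUFFICIENT" and ok and not required_failed:
                break                      # SUFFICIENT success returns at once
    st["authenticated"] = not required_failed and (required_seen or any_ok)
    return st

if __name__ == "__main__":
    for req in ({"ticket_user": "alice"}, {"headers": {"REMOTE_USER": "bob"}},
                {"password_user": "carol"}, {}):
        r = authenticate(req)
        print(r["authenticated"], r["ticket_issued"], r["trace"])
```

The trace shows that a request carrying only the header never reaches BasicPasswordLoginModule: the user ID in the header is accepted as written by the authentication tool, and the first CreateTicketLoginModule ends the stack.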

 

 
