Declarative and Programmatic Authentication (SAP Library - User Authentication and Single Sign-On)

Declarative and Programmatic Authentication

Use

Applications running on J2EE Engine have two options for authenticating users:

· Declarative authentication (also known as container-based authentication): The Web container (in this case, the J2EE Engine) handles authentication. A component running on the J2EE Engine declares its protected resources and its desired authentication mechanism in its deployment descriptor. When a protected resource of this component is accessed, the container in which the component runs triggers authentication.

· Programmatic authentication (also known as UME authentication): Components running on the J2EE Engine authenticate directly against the User Management Engine (UME) using the UME API. The component explicitly triggers authentication and then the authentication process is controlled by the authentication framework.

Web Dynpro applications and portal iViews always use programmatic (UME) authentication. J2EE Web applications can use either declarative or programmatic authentication depending on which the developer decides to use.

Both declarative and programmatic authentication use login modules and login module stacks as their underlying technology. Applications that use declarative authentication define which login module stack they use in their deployment descriptor. Programmatic authentication additionally introduces the concept of authentication schemes. Applications that use programmatic authentication are associated with an authentication scheme. The authentication scheme in turn references a login module stack. See also Login Modules and Login Module Stacks and Authentication Schemes.

It is important to know the difference between declarative and programmatic authentication so that you can understand how the J2EE Engine determines which login module stack each Java application uses and so that you know how to change the login module stack for a particular application.

Integration

Different types of applications use different means of configuring which login module stack is used. The following table provides an overview.

Application Type	Type of Authentication	Where is Login Module Stack defined
J2EE Web applications	Declarative authentication	Declared in the web.xml deployment descriptor of the J2EE Web application. See Configuring Authentication.
J2EE Web applications	Programmatic authentication	This depends on how the application is programmed. Applications can define an authentication scheme in their calls to the API. By default, if they do not define an authentication scheme, these applications use the login module stack referenced by default in the authentication schemes file.
Web Dynpro applications	Programmatic authentication	Web Dynpro applications always use the login module stack referenced by default in the authentication schemes file.
Portal iViews	Programmatic authentication	An iView property defines which authentication scheme the iView uses. The authentication scheme references a login module stack. See Assigning an Authentication Scheme to an iView.

Declarative and programmatic authentication are integrated in that if an application uses programmatic authentication to authenticate its users, the container (J2EE Engine) is also aware that the users are authenticated. Inversely, if an application uses declarative authentication to authenticate its users, UME is also aware that the users are authenticated. Calls to the APIs of both the container and UME return the authenticated user.

Activities

No activities are required, however, you should be aware that, for example, if you wish to change the authentication mechanism used by Web Dynpro applications, you have to change the authentication scheme referenced by default in the authentication schemes file. If you change the defaultauthentication scheme, this will also affect any portal iViews and J2EE Web applications that use the default authentication scheme.