Creating a Login Module Using SAP NetWeaver Developer Studio
If you need to secure an application you have developed, you can use your own login module, which lets you perform authentication in a different way from that predefined by the J2EE Engine.
The login process is initiated by the Web container (when the user is prompted to log in at the first request to a protected resource of the application). A new instance of the LoginContext class is created for this purpose, which uses the configuration information provided by the Web application and initializes the appropriate login modules. For the login to the application to succeed, the user must be authenticated by the appropriate login modules from the stack (depending on their attributes).
The login process consists of the following phases:
1. The application calls the login() method of the LoginContext class.
2. The LoginContext calls the login() method of each of the login modules in the stack in the order they are configured.
Each login module completes the user authentication in two phases:
a. First, when its login() method is called, it uses a CallbackHandler class to negotiate the required authentication information with the user.
b. The second phase refers to calling the commit() method of the login module if the user has successfully authenticated, or the abort() method, if the authentication fails.
The login process is successful if the user is authenticated by all required login modules in the stack (that is, the commit() method of all login modules that successfully authenticated the user returns).
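The two-phase contract described above, shown as an added example of a minimal standard JAAS LoginModule (not SAP's implementation template and not code from the original page). The class name DemoLoginModule, the user name demo and the sample password are constructed for illustration, and the code assumes Java 8 or later; a real module would verify credentials against the user store.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
// Added example. The user name and password are constructed stand-ins for a real user store.
public class DemoLoginModule implements LoginModule {
    private static final byte[] SAMPLE = "constructed-sample".getBytes(StandardCharsets.UTF_8);
    private Subject subject; private CallbackHandler handler;
    private String user;         // non-null only after this module's login() succeeded
    private Principal committed; // non-null only after commit()
    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        subject = s; handler = h;
    }
    // Phase 1: negotiate credentials through the CallbackHandler, then verify them.
    public boolean login() throws LoginException {
        NameCallback name = new NameCallback("User: ");
        PasswordCallback pass = new PasswordCallback("Password: ", false);
        try { handler.handle(new Callback[] { name, pass }); }
        catch (Exception e) { throw new LoginException("Cannot obtain credentials"); }
        char[] pw = pass.getPassword();          // a copy; null if nothing was supplied
        pass.clearPassword();
        boolean ok = pw != null && "demo".equals(name.getName())
            && MessageDigest.isEqual(new String(pw).getBytes(StandardCharsets.UTF_8), SAMPLE);
        if (pw != null) Arrays.fill(pw, '\0');   // do not keep the secret in memory
        if (!ok) throw new FailedLoginException("Authentication failed");
        user = name.getName();
        return true;
    }
    // Phase 2, overall success: attach the authenticated identity to the Subject.
    public boolean commit() {
        if (user == null) return false;          // this module did not authenticate the user
        String n = user;
        committed = () -> n;                     // minimal Principal: getName() returns the user
        return subject.getPrincipals().add(committed);
    }
    // Phase 2, overall failure: discard everything login() and commit() stored.
    public boolean abort() {
        if (user == null) return false;          // login() failed here; nothing to undo
        return logout();
    }
    public boolean logout() {
        if (committed != null) subject.getPrincipals().remove(committed);
        committed = null; user = null;
        return true;
    }
}
```

The Subject is modified only in commit(), so a failure in another required module of the stack leaves no principal behind once abort() has run.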
Applications running on the J2EE Engine have two options for authenticating users:
· Container-based authentication: The container (in this case, the J2EE Engine) handles authentication. Applications running on the J2EE Engine run in anonymous mode and assume that the container takes care of authentication. For more information about how to define the tags in the web-j2ee-engine.xml, see web-j2ee-engine.dtd in the Reference Manual.
· UME-based authentication: Applications running on the J2EE Engine authenticate directly against the User Management Engine (UME) using the UME API.
We support an integration of these two types of authentication, so that if an application uses UME-based authentication to authenticate its users, the container (J2EE Engine) is also aware that the users are authenticated. Conversely, if an application uses container-based authentication to authenticate its users, UME is also aware that the users are authenticated. Calls to the APIs of both the container and UME return the authenticated user.
An application uses container-based authentication. The application itself does not authenticate users. Users are authenticated by the container and are issued a logon ticket. The application can get the current user through either a call to the container API or to the UME API.

The steps described in this tutorial are not applicable to WebDynpro and Portal applications as is. The procedure is only relevant for pure J2EE Web applications that are managed by the Web container.
The implementation of the JAAS Specification enables you to use different login modules. You can use the template for implementing a login module. For more information, see Login Module Implementation Template.
In this tutorial you have to take the following steps:
1. Step 1: Create a new project using SAP NetWeaver Developer Studio
2. Step 2: Fill in the source code for the authentication template
3. Step 3: Set the classpath and compile
4. Step 4: Deploy the login module
5. Step 5: Configure the Login Module
For more information about managing the authentication modules on J2EE Engine, see Managing Authentication Modules.
Login modules available on the J2EE Engine:
· BasicPasswordLoginModule – use this to perform a JSP logon using Basic or Form authentication. That is, you use this login module to perform user authentication with user name and password.

This login module can be used only if the auth-method tag specified in web.xml is Basic or Form.
· ClientCertificateLoginModule – use this login module to perform a certificate logon to the J2EE Engine.
· DigestLoginModule – use this login module to authenticate applications that define Digest as their authentication method in the deployment descriptors. This is a more advanced form of the Basic authentication type. Here the password of the user is digested (encoded).
· SAMLLoginModule – the login module for SAML Browser/Artifact Profile.
· SecuritySessionLoginModule – login module used by download.ear. It uses the tickets that are generated by the security service on the Engine.
· CSILoginModule – login module for the IIOP service.
· CreateTicketLoginModule – login module to create SAP Logon Tickets after successful logon.
· EvaluateTicketLoginModule – login module to evaluate SAP Logon Tickets.

Using the stackable architecture, you can authenticate multiple services at the same time. We recommend that you use it in heterogeneous environments where multiple distinct authentication mechanisms coexist.
