Remote Authentication 

The remote clients that establish connection with J2EE Engine need to be authenticated in most cases. However, you can establish a Single Sign-On (SSO) connection only using a SAP Logon Ticket. The logon via RMI protocol to the J2EE Engine is similar to the authentication on the server that is in use. The authentication of the remote clients is also pluggable and flexible, that is, such authentication is not only possible using a SAP Logon Ticket, but is also opened up to other types of security credentials.

The remote login is based on the standard JAAS mechanisms. It is done via RemoteLoginContext that is given a CallbackHandler for retrieving the security credentials via callbacks.

The client has to provide a callback handler, which retrieves the requested credentials in an application-specific way. Such a CallbackHandler should support NameCallback, PasswordCallback, PasswordChangeCallback, HttpGetterCallback and HttpSetterCallback interfaces that are provided by the J2EE Engine. They are used respectively for handling the user name, password and the last two – for SAP Logon Ticket.

For more information, see Authentication for Web Applications Users on the J2EE Engine.

The graphic below shows how the authentication of remote clients is performed:

 

You can make this way a CallbackHandler for the remote client applications:

public class TemplateCallbackHandler implements CallbackHandler {     public void handle(Callback[] callbacks) throws IOException,          UnsupportedCallbackException {     for (int i = 0; i < callbacks.length; i++) {       if (callbacks[i] instanceof NameCallback) {         String userName = getUserName();         ((NameCallback) callbacks[i]).setName(userName);       } else if (callbacks[i] instanceof PasswordCallback) {         char[] password = getPassword();         ((PasswordCallback) callbacks[i]).setPassword(password);       } else if (callbacks[i] instanceof HttpGetterCallback) {         // This is a general type of callback, so it can be used         // for various types of credentials.         HttpGetterCallback getterCallback = (HttpGetterCallback) callbacks[i];           /**          * The type and the name identify what kind of credential is          * requested by the login module. Possible values for the type          * are defined in com.sap.engine.lib.security.http.HttpCallback.          * CallbackHandler can understand none, some or all of them.          * It also may be extended with other types, if the login module          * that is used along with this callback handler requests them.          * For SAP Logon Ticket the identifiers are:          * type = HttpCallback.COOKIE, name = "MYSAPSSO2".             */           /**          * The login module has set the type and the name of the          * security credential that is needed for the authentication.          */         byte type = getterCallback.getType();         String name = getterCallback.getName();           // CallbackHandler gets the specified credential.         Object value = getCredentialValue(type, name);           // The credential is passed back to the login module.         getterCallback.setValue(value);       } else if (callbacks[i] instanceof HttpSetterCallback) {         /**          * This type of callback is used by the login module to          * give some credentials back to the client. For example,          * after the user is authenticated successfully with user          * name and password, CreateTicketLoginModule could create          * and give back SAP Logon Ticket for that user.          */         HttpSetterCallback setterCallback = (HttpSetterCallback) callbacks[i];           byte type = setterCallback.getType();         String name = setterCallback.getName();         Object value = setterCallback.getValue();           storeCredential(type, name, value);       } else {         throw new UnsupportedCallbackException(callbacks[i], "Unsupported callback!");       }     }   }     /**    *  Retrieves the user name in an application specific way.    */   private String getUserName() {     ...   }     /**    *  Retrieves the user password in an application specific way.    */   private char[] getPassword() {     ...   }     /**    * Retrieves other security credentials that are required for    * the application authentication.    */   private Object getCredentialValue(byte type, String name) {     ...   }     /**    *  Stores the given security credentials of the client.    */   private void storeCredential(byte type, String name, Object value) {     ...   } }

Remote Login via Naming Context

The naming service also uses a JAAS extension of the security service both for remote and server authentication. In general, the remote clients can authenticate to the J2EE Engine when they get a new InitialContext. This can be done by setting security credentials in the properties that are given to the initial context instance. When the close() method is called on this initial context, the authenticated user is logged out. If the client application creates more than one initial context instances, then each of these contexts can perform or not perform the authentication, depending on whether the security credentials are passed on to it, and whether a previous authentication has been made:

·        If the current thread has not been authenticated, then it is authenticated with the given security credentials. If no credentials are supplied, then the thread remains with permissions of the anonymous user.

·        If the current thread has already been authenticated, then no authentication is performed when a new initial context is obtained, whether security credentials are supplied or not.

·        If the method close() is called on some of the instances, then this initial context instance is closed. If the authentication of the thread has been made by the naming service, then the user is logged out and, as a result, all other initial context instances already have the permissions of the anonymous user. If the authentication has been made a different way, then nothing happens with the user. The client can continue working with the other initial context instances on behalf of the authenticated user.

There are standard property names for setting user name and password in initial context properties. They are defined in javax.naming.InitialContext using the constants SECURITY_PRINCIPAL, which has value java.naming.security.principal, and SECURITY_CREDENTIALSwith value java.naming.security.credentials.

Non-standard credentials can be set with property names in the following format: sap.security.credential.<credential_type>.<credential_name>. The type and the name of the credential are identifiers of the nature of the credential. The login modules that are set in the naming authentication stack may request specific credentials that are required for their authentication. This is why the types and names (that is what property names) that are valid for naming authentication depends on the login modules in naming authentication stack.

For example, EvaluateTicketLoginModule requests from the client to give a SAP Logon Ticket by setting in HttpGetterCallbackHandler the type equal to HttpCallback.COOKIE and the name – MYSAPSSO2. Thus, the client application has to set in initial context properties the user ticket with property name sap.security.credential.2.MYSAPSSO2.