Using Login Modules to Protect Web Applications
This process covers developing the login modules. It also describes the activities you must perform afterwards to set up the login modules stack in the Security Provider Service, and how you reference the login modules from your Web application.
To develop login modules, you use the standard JAAS APIs and a few SAP proprietary classes to program their functions. The process flow is outlined in the next section. The SAP proprietary classes are described in SAP Specific HTTP Callbacks.
1. Developing the login modules
Each login module must implement the javax.security.auth.spi.LoginModule interface, which defines five methods:
- Perform initialization of the login module in the initialize() method. A CallbackHandler is passed to it as a parameter. To use the SAP-specific HTTP callbacks, pass the com.sap.engine.services.servlet_jsp.server.security.HttpCallbackHandlerImpl.
- Perform the first phase of the login in the login() method. You can use the CallbackHandler here to exchange authentication information with the user. The HttpCallbackHandlerImpl can handle the specific HttpGetterCallback and HttpSetterCallback callbacks in this process.
- If the authentication is successful, assign principals and credentials to the Subject (the object that represents the user being authenticated) in the commit() method.
- Abort the authentication process using the abort() method.
- Log the user out by removing the principals and credentials from the Subject in the logout() method.

You can use any of the template login modules provided with the SAP J2EE Engine and enhance them to develop your custom login module. For more information about the template login modules provided, see Using Authentication Templates.
2. Register the login modules that you have created with the Security Provider Service. You can then configure the stack of login modules that your application will use to authenticate the users. For more information about this, see Managing Authentication Modules.
3. Reference the login modules stack from your web application by specifying the name of the stack in its web-j2ee-engine.xml descriptor. For more information about the procedure, see Configuring Authentication.
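The five-method lifecycle from step 1, written out as an added example; it is not one of the SAP template modules. It uses only the standard JAAS NameCallback and PasswordCallback rather than the SAP HTTP callbacks, and assumes JDK 17 or later. The class name, the option keys user, salt and hash, and the PBKDF2 iteration count are assumptions of the example.

```java
import java.security.*;
import java.util.*;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
public class ExampleLoginModule implements LoginModule { // added example, hypothetical name
    private Subject subject;
    private CallbackHandler handler;
    private Map<String, ?> options; // assumed keys: user, salt, hash (hex, PBKDF2, 210000 rounds)
    private Principal pending, committed; // login() result / what commit() added
    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        subject = s; handler = h; options = opts;
    }
    public boolean login() throws LoginException { // phase 1: verify only, Subject untouched
        NameCallback nc = new NameCallback("user: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        boolean ok;
        try {
            handler.handle(new Callback[] { nc, pc });
            byte[] salt = HexFormat.of().parseHex((String) options.get("salt"));
            byte[] want = HexFormat.of().parseHex((String) options.get("hash"));
            byte[] got = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(
                new PBEKeySpec(pc.getPassword(), salt, 210_000, want.length * 8)).getEncoded();
            // '&' (not '&&') so the constant-time hash comparison always runs
            ok = Objects.equals(options.get("user"), nc.getName()) & MessageDigest.isEqual(want, got);
        } catch (Exception e) { // missing option, callback or crypto failure: fail closed
            throw new LoginException("login error: " + e.getMessage());
        } finally { pc.clearPassword(); }
        if (!ok) throw new FailedLoginException("authentication failed"); // same text for any cause
        pending = nc::getName; // Principal's only abstract method is getName()
        return true;
    }
    public boolean commit() { // phase 2: the whole stack succeeded, publish the principal
        if (pending != null) subject.getPrincipals().add(committed = pending);
        pending = null;
        return committed != null;
    }
    public boolean abort() { // the whole stack failed: drop phase-1 state, undo a commit
        boolean ours = pending != null || committed != null;
        pending = null;
        return logout() && ours;
    }
    public boolean logout() { // remove exactly what commit() added, nothing else
        if (committed != null) subject.getPrincipals().remove(committed);
        committed = null;
        return true;
    }
}
```

The Subject is modified only in commit(), so a failure in any other module of the stack leaves no principal behind once abort() has run.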
To perform the authentication using the login modules that you have developed, you must do the following in your servlet or JSP code:
1. Create a new LoginContext:
    LoginContext lc = new LoginContext("Example");
where Example is the name of the login modules stack as you defined it in step 3 of the above process.
2. Call the login() method to start the authentication:
    try {
        // start authentication
        lc.login();
        // user authenticated successfully
    } catch (LoginException le) {
        // handle the cases of failed authentication here …
    }
