Configuring Authentication in SAP Netweaver AS Java (Part 1 of 3)

Introduction

As part of an application development project based on the SAP Netweaver AS Java software platform, we were faced with the need to customize our own authentication schemes for developed applications. From here the idea was born, firstly, to structure the knowledge gained, and secondly, to share this knowledge with other specialists in the field of SAP Basis.

SAP Portal based on SAP NW AS Java 7.5 SP04 was used as an experimental test bench. I do not think that in terms of approaches to authentication, something has changed dramatically in all SAP NW AS Java, starting with version 7.0, but please keep in mind the version for which this series of articles is being written.

In the text I will use English terminology so that there would be no difficulty in translating if you need to search for additional information on the Internet or when setting up authentication directly in SAP NW AS Java.
')
In the first article - “From general to particular,” two topics will be covered:

1. How, from the point of view of authentication mechanisms, it is possible to classify applications based on the software platform SAP Netweaver AS Java;
2. How to determine the boundary between application developers / consultants and SAP Basis specialists in setting up authentication for applications.

From general to specific

When I was faced with the need to go into the authentication settings in SAP NW AS Java in more detail, I found through google.com a separate description of authentication modules, authentication stacks, or something else, but, unfortunately, I didn’t immediately come across where it was necessary to start the search. And it was necessary to start with what types of applications it is possible to run on SAP NW AS Java, since, depending on the types of applications, the approach to authentication settings is different.

So let's get started.

From the point of view of user applications, the following types of applications can be distinguished, for which the approaches to setting up authentication differ:

• Java web applications;
• Web Dynpro Java Applications;
• Portal applications;
• Portal iVIews (yes, this is a container for applications, but SAP in its documentation also refers to applications).

The following figure shows the types of applications in question and approaches to setting up authentication. The following text describes the approach to setting up authentication for each type of application.



Java Web Applications

Java Web Application is any Java application developed for the SAP Netweaver AS Java software platform (in the context of this article, of course). I want to note that SAP Portal is also a great Java application that contains its own structure, its own controls, etc. Authentication for Java Web Applications can be set in the following ways:

• Through the web.xml descriptor (authentication at the level of the Java application container);
• Through the handle of the web-j2ee-engine.xml. (authentication at the level of the Java application itself). If authentication is described in the web-j2ee-engine.xml descriptor, then the description in this descriptor is considered a higher priority than the description in the web.xml descriptor. Most often, the web-j2ee-engine.xml descriptor complements the description in the web.xml descriptor;
• If there is no authentication description in the web.xml and web-j2ee-engine.xml descriptors, then the Java application for user authentication uses the authentication scheme specified by the UME parameter: ume.login_context, as well as the user interface for authentication specified by the UME parameter: ume. login.auth_method;
  The ume.login.auth_method parameter can take 4 values: [FORM, BASIC, DIGEST, CLIENT-CERT]. The ume.login.auth_method and ume.login_context parameters should complement each other. For example, if ume.login.auth_method is set to BASIC, then the ume.login_context parameter should point to an authentication scheme with a login and password authentication module.
• Using the UME API. In this case, when developing a Java application, developers will refer to AuthScheme or AuthScheme-ref, described in a special XML file, which is defined by the UME parameter login.authschemes.definition.file. By default, login.authschemes.definition.file = authschemes.xml. The following image is an example of authschemes.xml.

A detailed description of the structure of the web.xml, web-j2ee-engine.xml descriptors, and the authschemes.xml XML file will be provided in the second part of this series of articles.

The web.xml and web-j2ee-engine.xml descriptors are edited by developers through the SAP Netweaver Development Studio. SAP Basis specialists can view the contents of these descriptors for a specific Java application in the following way:


It is not recommended to change these descriptors at the OS level, as in case of a redeployment of an application (Deploy Application) by developers, changes made at the OS level will be overwritten.

Web Dynpro Java Applications

Web Dynpro Java Applications is a special case of Java Web Applications. These applications use the Web Dynpro (WD) Runtime Environment component for their execution (Application module: webdynpro / resources / sap.com / tc ~ wd ~ dispwda). From the point of view of authentication, in the WD Runtime Environment settings, there is a parameter:

sap.default.authentication = (true / false)

If sap.default.authentication = false, then the need for user authentication for each WD Java Application is specified by the developers. With the help of SAP NWDS, in the properties of the WD Java Application, developers can either activate the Authentication flag to force user authentication or deactivate it if user authentication is not required in the application.

If sap.default.authentication = true, then the WD Runtime Environment will require user authentication for all WD Java Applications through the authentication scheme specified by the UME parameter - login.authschemes.definition.file.

It should be mentioned that in all standard Web Dynpro Java Applications, the value of the authentication scheme is “default”. In authschemes.xml, this value should also be and is defined as a link to the authentication scheme (the part of the authschemes.xml file, which defines authscheme-ref name = “default”, is shown below.



Portal applications - portal components

When a developer creates a portal application through SAP NWDS, he creates portal components for that portal application. For each portal component, the developer can define their own authentication scheme. This is done through a special XML file - portalapp.xml, all in the same SAP NWDS. The developer can specify the authentication scheme - this is done using the directive:

<property name = "AuthScheme" value = "Authschemename">

The Authschemename should be either an authentication scheme (authscheme name) or a link to an authentication scheme (authscheme-ref name), which is predefined in the XML file, which is defined by the UME login.authschemes.definition.file parameter (i.e., all authschemes.xml by default).

Portal iviews

Portal iView is a portal container in which you can place various objects, including a Web Dynpro Java application, a Java web application, and more. And for each iView, regardless of what object it contains, you can customize your own approach to authentication. This is done using the “Authentication Scheme” parameter set in the settings of any iView. In turn, the “Authentication Scheme” parameter refers to the same XML file defined by the UME parameter: login.authschemes.definition.file = authschemes.xml (default). All standard iViews can be divided into two parts:

1. iViews, the “Authentication Scheme” parameter for which is equal to default;
2. iVIews, the parameter “Authentication Scheme” for which is equal to UserAdminScheme.

default is the “authscheme-ref name” for a custom iView; UserAdminScheme is the “authscheme-ref name” for iView user management.

The figure below shows the description of both “authscheme-refs” from the XML file defined by the UME parameter: login.authschemes.definition.file:

Conclusion

For all the types of applications considered, if you look at the picture at the beginning of this article, all the arrows converge in the UME Authentication: Policy Configurations element. This means that further configuration of login modules will be configured here for all types of applications.

The second part of this series of articles describes the approach to authentication using:

1. the web.xml and web-j2ee-engine.xml descriptors;
2. XML file Authschemes.xml.

The following is information on how to gain access in the System to the settings described in this article:

• Accessing the settings of the UME parameters;
• Accessing Policy Configurations;
• Accessing the sap.default.authentication configuration of the Web Dynpro Runtime Environment component.

application

Accessing UME Settings

• ume.login_context;
• ume.login.auth_method;
• login.authschemes.definition.file.

All UME parameters can be changed via Netweaver Administrator (/ nwa).

Configuration -> Security -> Identity Management



On the Identity Management screen, click “Configuration”:



Switch to Open Expert Mode:



All UME parameters that can be changed, if necessary, will be displayed.

Accessing Policy Configurations

Policy configurations can be accessed through Netweaver Administrator (/ nwa).

Configuration -> Security -> Authentication and Single Sign-On



An application opens where you can create, edit, or view existing policy configurations.



Accessing the sap.default.authentication configuration of the Web Dynpro Runtime Environment component

Parameters of the Web Dynpro Runtime Environment component can be accessed through Netweaver Administrator (/ nwa).

Configuration -> Infrastructure -> Application Modules



In the Module List, find webdynpro / resources / sap.com / tc ~ wd ~ dispwda:



Select this module. For it, select the “Web Dynpro Properties” tab. Property Sheet Name - default. Find the sap.default.authentication parameter and, if necessary, change it.