Secure Your Enterprise Application with Authentication in SAP NetWeaver Web AS Java
- by Robert Heidasch, Senior Manager/Senior Principal, Accenture
- December 2, 2009
One of a company’s worst nightmares is the theft of customer or other confidential data. To avoid having unauthorized parties view this data, you should secure your enterprise applications. Find out how you can carry this out by using the Java Authentication and Authorization Service in SAP NetWeaver Application Server Java.
In SAP NetWeaver, authentication includes the process of establishing and verifying the identity of a person or system component as a prerequisite for allowing the person or system component access to an SAP NetWeaver server system. The authentication process is initiated by SAP NetWeaver when a client system requests access to various system resources, such as back-end resources.
With the increasing use of distributed systems based on open standards and flexible information sharing with multiple business partners, establishing the identities of the communicating parties has become an important element in protecting your business operations. You need to protect the business-sensitive data provided by the business application against unauthorized access, such as protecting your customer list from your competitors. This is especially relevant for Web applications that access external resources (e.g., Web container-based applications such as Java servlets or Web services running on Java-based servers called JEE servers). In these situations, the authorization concept applies to the following two factors:
- Is the user authorized to access this resource?
- Can the client load the resource, or is the client prevented from loading it?
The JEE server supports the Java Authentication and Authorization Service (JAAS) standard, which in turn supports authentication of installed applications (e.g., Web applications that are running in a Web container). The JAAS standard allows you to configure policy to determine the mechanism that the system uses to authenticate an application’s users.
SAP NetWeaver Application Server (SAP NetWeaver AS) Java is a JEE server and supports JAAS-based authentication of Java applications. The authentication concept is based on the Web application’s authentication, which is integrated with SAP User Management Engine (SAP UME). SAP UME provides centralized user management for all Java applications running in SAP NetWeaver AS Java (or the SAP JEE server).
I will show you the authentication functionality available in the SAP JEE server, including the JAAS standard configuration and the SAP-specific extensions that are required to configure the authentication mechanism in Java-based applications. Additionally, I will demonstrate how to develop a JAAS-compliant login module that is integrated with SAP UME and can be used in custom Java applications. You can implement the authentication mechanism in SAP NetWeaver AS ABAP and Java. In this article, I concentrate on the authentication functionality available in the SAP JEE server.
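To make the idea of a JAAS-compliant login module concrete, here is an added example (not the author's code and not an SAP API) that uses only the standard `javax.security.auth` interfaces. The names `SampleLoginModule`, `UserStore` and `UserPrincipal` are assumptions; `UserStore` stands in for the credential check that a real module would delegate to the user store, such as SAP UME.

```java
import java.security.Principal;
import java.util.Arrays;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class SampleLoginModule implements LoginModule {
  // Hypothetical stand-in for the user store lookup (not an SAP UME API).
  public interface UserStore { boolean verify(String user, char[] password); }
  static volatile UserStore store = (u, p) -> false; // deny until a store is wired in
  static final class UserPrincipal implements Principal {
    private final String name;
    UserPrincipal(String name) { this.name = name; }
    @Override public String getName() { return name; }
  }
  private Subject subject;
  private CallbackHandler handler;
  private UserPrincipal pending, committed;
  @Override public void initialize(Subject subject, CallbackHandler handler,
      java.util.Map<String, ?> sharedState, java.util.Map<String, ?> options) {
    this.subject = subject; this.handler = handler;
  }
  // Phase 1: verify credentials; the Subject is not modified yet.
  @Override public boolean login() throws LoginException {
    if (handler == null) throw new LoginException("no CallbackHandler");
    NameCallback name = new NameCallback("user: ");
    PasswordCallback pass = new PasswordCallback("password: ", false);
    try { handler.handle(new Callback[] { name, pass }); }
    catch (java.io.IOException | UnsupportedCallbackException e) { throw new LoginException(e.toString()); }
    char[] pw = pass.getPassword(); // getPassword() returns a copy
    pass.clearPassword();
    try {
      if (name.getName() == null || pw == null || !store.verify(name.getName(), pw))
        throw new FailedLoginException("authentication failed"); // same text for every failure
    } finally { if (pw != null) Arrays.fill(pw, '\0'); } // wipe the copy
    pending = new UserPrincipal(name.getName());
    return true;
  }
  // Phase 2: the overall login succeeded, so attach the principal.
  @Override public boolean commit() {
    if (pending == null) return false;
    subject.getPrincipals().add(committed = pending);
    pending = null; return true;
  }
  // Overall login failed: discard state, including an already committed principal.
  @Override public boolean abort() { boolean had = pending != null || committed != null; logout(); return had; }
  @Override public boolean logout() {
    if (committed != null) subject.getPrincipals().remove(committed);
    pending = committed = null; return true;
  }
}
```

The split between `login()` and `commit()` is what lets the configured policy combine several modules: no principal reaches the `Subject` until the overall authentication has succeeded.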