Secure Your Enterprise Application with Authentication in SAP NetWeaver Web AS Java

  • by Robert Heidasch, Senior Manager/Senior Principal, Accenture
  • December 2, 2009
One of a company’s worst nightmares is the theft of customer or other confidential data. To keep unauthorized parties from viewing this data, you need to secure your enterprise applications. This article shows how to do so with the Java Authentication and Authorization Service (JAAS) in SAP NetWeaver Application Server Java.
Key Concept
In SAP NetWeaver, authentication is the process of establishing and verifying the identity of a person or system component as a prerequisite for granting that person or component access to an SAP NetWeaver server system. SAP NetWeaver initiates the authentication process when a client system requests access to system resources, such as back-end resources.

With the increasing use of distributed systems based on open standards and flexible information sharing with multiple business partners, establishing the identities of the communicating parties has become an important element in protecting your business operations. You need to protect the business-sensitive data that a business application provides against unauthorized access, for example keeping your customer list away from a competitor. This is especially relevant for Web applications that access external resources (e.g., Web container-based applications such as Java servlets or Web services running on Java-based servers, known as JEE servers). In these situations, the authorization concept turns on two questions:

  • Is the user authorized to access this resource?
  • Can the client load the resource, or is the client prevented from loading it?

The JEE server supports the Java Authentication and Authorization Service (JAAS) standard, which in turn supports authentication of installed applications (e.g., Web applications running in a Web container). JAAS lets you configure a policy that determines the mechanism the system uses to authenticate an application’s users.

SAP NetWeaver Application Server (SAP NetWeaver AS) Java is a JEE server and supports JAAS-based authentication of Java applications. The authentication concept is based on the Web application’s authentication, which is integrated with the SAP User Management Engine (SAP UME). SAP UME provides centralized user management for all Java applications running in SAP NetWeaver AS Java (the SAP JEE server).

I will show you the authentication functionality available in the SAP JEE server, including the JAAS standard configuration and the SAP-specific extensions required to configure the authentication mechanism in Java-based applications. Additionally, I will demonstrate how to develop a JAAS-compliant login module that is integrated with SAP UME and can be used in custom Java applications. The authentication mechanism can be implemented in both SAP NetWeaver AS ABAP and SAP NetWeaver AS Java; in this article, I concentrate on the authentication functionality available in the SAP JEE server.
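The JAAS login-module contract referred to above, as an added example that is not code from the article, from SAP, or from the SAP UME library: a minimal module implementing javax.security.auth.spi.LoginModule with the standard login/commit/abort/logout phases, a programmatic Configuration in place of a jaas.conf file, and a LoginContext driving it. Everything specific here is assumed: the class and user names, the passwords, and the in-memory credential store, which stands in for the call a real module would make to SAP UME. It needs Java 16 or later.

```java
import java.security.*;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

// Hypothetical JAAS login module standing in for a UME-backed one (needs Java 16+).
public class DemoLoginModule implements LoginModule {
    // Principal placed into the Subject when the login is committed.
    public record UserPrincipal(String name) implements Principal {
        @Override public String getName() { return name; }
    }
    // Constructed credential store: user name -> SHA-256(password). A production
    // module would delegate to SAP UME; unsalted hashes are acceptable only in a demo.
    private static final Map<String, byte[]> STORE =
            Map.of("alice", sha256("s3cret-demo".toCharArray()));
    private static final byte[] DUMMY_HASH = sha256("dummy".toCharArray());
    private Subject subject; private CallbackHandler handler;
    private String user; private UserPrincipal principal; private boolean succeeded;

    static byte[] sha256(char[] password) {
        byte[] bytes = new String(password).getBytes(java.nio.charset.StandardCharsets.UTF_8);
        try { return MessageDigest.getInstance("SHA-256").digest(bytes); }
        catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }

    @Override public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        subject = s; handler = h;
    }

    // Phase 1: obtain the credentials through the application's CallbackHandler and verify them.
    @Override public boolean login() throws LoginException {
        NameCallback nameCb = new NameCallback("user: ");
        PasswordCallback pwCb = new PasswordCallback("password: ", false);
        try { handler.handle(new Callback[]{nameCb, pwCb}); }
        catch (java.io.IOException | UnsupportedCallbackException e) { throw new LoginException("callback failed: " + e); }
        char[] pw = pwCb.getPassword(); pwCb.clearPassword();
        byte[] given = sha256(pw == null ? new char[0] : pw);
        if (pw != null) Arrays.fill(pw, '\0');   // do not keep the cleartext secret around
        String name = nameCb.getName();
        // Hash and compare even for unknown users so response time does not reveal
        // which user names exist; MessageDigest.isEqual is a constant-time comparison.
        boolean known = name != null && STORE.containsKey(name);
        boolean match = MessageDigest.isEqual(known ? STORE.get(name) : DUMMY_HASH, given);
        if (!(known && match)) throw new FailedLoginException("authentication failed");
        user = name; succeeded = true;
        return true;
    }

    // Phase 2: the overall login succeeded, so attach the principal to the Subject.
    @Override public boolean commit() {
        if (!succeeded) return false;
        principal = new UserPrincipal(user); subject.getPrincipals().add(principal);
        return true;
    }

    // Phase 2 alternative: another required module failed, so discard our state.
    @Override public boolean abort() { return succeeded && logout(); }
    @Override public boolean logout() {
        if (principal != null) subject.getPrincipals().remove(principal);
        principal = null; user = null; succeeded = false;
        return true;
    }

    // Programmatic equivalent of a jaas.conf entry:  demo { DemoLoginModule required; };
    static Configuration demoConfiguration() {
        return new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[]{new AppConfigurationEntry(DemoLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Map.of())};
            }
        };
    }

    // Drives one LoginContext cycle and reports whether authentication succeeded.
    static boolean tryLogin(String name, String password) {
        CallbackHandler answers = callbacks -> {
            for (Callback c : callbacks) {
                if (c instanceof NameCallback nc) nc.setName(name);
                else if (c instanceof PasswordCallback pc) pc.setPassword(password.toCharArray());
                else throw new UnsupportedCallbackException(c, "unsupported callback");
            }
        };
        try {
            LoginContext ctx = new LoginContext("demo", new Subject(), answers, demoConfiguration());
            ctx.login();
            boolean ok = !ctx.getSubject().getPrincipals(UserPrincipal.class).isEmpty();
            ctx.logout();
            return ok;
        } catch (LoginException e) { return false; }   // bad password and unknown user look alike
    }
    public static void main(String[] args) {
        System.out.println("alice / correct password: " + tryLogin("alice", "s3cret-demo"));
        System.out.println("alice / wrong password:   " + tryLogin("alice", "wrong"));
        System.out.println("mallory / unknown user:   " + tryLogin("mallory", "whatever"));
    }
}
```

Compile and run it with `javac DemoLoginModule.java && java DemoLoginModule`. The LoginContext instantiates the module by class name, so the class must be public with a public no-argument constructor, exactly as a module deployed to a JEE server must be. Two details worth carrying into a UME-backed module: the password array is wiped as soon as it has been hashed, and a failed login raises the same generic error whether the user name or the password was wrong, so the login form cannot be used to enumerate accounts.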

Robert Heidasch

Robert Heidasch is a senior manager/senior principal in the Accenture & SAP Business Solution Group, which designs and develops new business solutions and applications provided jointly by Accenture and SAP based on the newest SAP technology. He is co-author and trainer in a couple of SAP technology-related areas (e.g., SAP HANA solution architect, SAP HANA technical architect, Business Suite on SAP HANA, and SAP HANA as a development platform, delivered in Europe, the US, and Asia). Robert has more than 21 years’ experience designing and developing IT systems. He has published several technical and business articles about SOA, SAP NetWeaver and its integration with non-SAP systems (e.g., Microsoft and Oracle), and SAP HANA technology. Robert is also an inventor of 18 patents granted in the US, for example, Ranking in Cascading Learning Systems, Learnable Contextual Network, Machine Learning for a Memory-Based Database, Modular Secure Data Transfer, Managing Software Component Versions within a Service Oriented Architecture, Machine Learning for a Memory-based Database, Adaptive and Secure Modular Connection, and Asynchrony Debugging Using Web Services Interface.

