Authentication against LDAP

AuthenticationManager.properties

- Has to be set for the whole authentication to work at all:

AUTH_TYPE=AuthenticationManagerWEBLogon

AuthenticationManager_jaas.config

- File containing the definitions of the authentication procedures, e.g. AuthenticationManagerS3User, AuthenticationManagerJNDI and many others.

AuthenticationManagerWEBLogon{
de.usu.s3.authentication.DBLoginModule requisite dbsessions="VALUEMATION" dbuser="system" dbpassword="cryptedPassword";
de.usu.s3.authentication.DBLoginModule optional dbsessions="EXPORT_ORIG" dbuser="system" dbpassword="cryptedPassword";
de.usu.s3.authentication.DBLoginModule optional dbsessions="HISTORY" dbuser="system" dbpassword="cryptedPassword";
de.usu.s3.authentication.SimpleLoginModule sufficient s3user="true";
de.usu.s3.authentication.S3UserLoginModule required s3user="true";
};

Each row describes one login module, which is triggered during user logon. There are two different types: with the flag "s3user=true" and without it. Login modules marked with "s3user=true" try to authenticate the VM user. Modules without this flag do other things, e.g. the database logon. The name of a login module expresses what it does, and of course each module expects different parameters.

Login Modules

DBLoginModule - expects the authentication information needed to connect to the database
S3UserLoginModule - authenticates the given username/password as a VM internal user
SimpleLoginModule - takes the username/password and maps it to a VM internal user; used for SSO, where the password is not known to VM
JNDILoginModule - authenticates the given username/password against the LDAP server and finally maps it to a VM internal user

The user name and password are taken from the login dialog or from SSO.

You can create any combination of these modules.

Control Flags

The control flags are also described within the AuthenticationManager_jaas.config file. The flag value controls the overall behavior as authentication proceeds down the stack. The valid values for the flag and their respective semantics are:

  • Required

    - The LoginModule is required to succeed. If it succeeds or fails, authentication still continues to proceed down the LoginModule list.

  • Requisite

    - The LoginModule is required to succeed. If it succeeds, authentication continues down the LoginModule list. If it fails, control immediately returns to the application (authentication does not proceed down the LoginModule list).

  • Sufficient

    - The LoginModule is not required to succeed. If it does succeed, control immediately returns to the application (authentication does not proceed down the LoginModule list). If it fails, authentication continues down the LoginModule list.

  • Optional

    - The LoginModule is not required to succeed. If it succeeds or fails, authentication still continues to proceed down the LoginModule list.

The overall authentication succeeds only if all Required and Requisite LoginModules succeed. If a Sufficient LoginModule is configured and succeeds, then only the Required and Requisite LoginModules prior to that Sufficient LoginModule need to have succeeded for the overall authentication to succeed. If no Required or Requisite LoginModules are configured for an application, then at least one Sufficient or Optional LoginModule must succeed.

Configuration of Valuemation

1. Database login modules (e.g. DBLoginModule) must precede user login modules (e.g. S3UserLoginModule, JNDILoginModule).

2. The main database login module should have the flag Requisite.

3. It is possible to use more than one user login module in one configuration. All user login modules except the last must be marked as Sufficient, and the last one must be marked as Required. This means that the first user login module which succeeds completes the logon and starts Valuemation.
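As an added illustration (not part of the original documentation or of the Valuemation product), the following Python model parses the AuthenticationManagerWEBLogon stack shown above and walks it with the JAAS control-flag semantics described in the previous section, reporting the overall result and which modules were actually invoked. The parser, the evaluate function and the per-module success/failure inputs are assumptions made for this example.

```python
import re

# Constructed sample: the AuthenticationManagerWEBLogon stack from the page.
# It follows the configuration rules: DB modules first, the main DB module
# Requisite, user modules Sufficient with the last one Required.
JAAS_CONFIG = """
AuthenticationManagerWEBLogon{
de.usu.s3.authentication.DBLoginModule requisite dbsessions="VALUEMATION" dbuser="system" dbpassword="cryptedPassword";
de.usu.s3.authentication.DBLoginModule optional dbsessions="EXPORT_ORIG" dbuser="system" dbpassword="cryptedPassword";
de.usu.s3.authentication.DBLoginModule optional dbsessions="HISTORY" dbuser="system" dbpassword="cryptedPassword";
de.usu.s3.authentication.SimpleLoginModule sufficient s3user="true";
de.usu.s3.authentication.S3UserLoginModule required s3user="true";
};
"""

# One stack entry: <module class> <flag> key="value" ... ;
ENTRY_RE = re.compile(r'^\s*(\S+)\s+(required|requisite|sufficient|optional)\s*(.*);\s*$', re.I)

def parse_stack(text):
    """Return a list of (module_class, flag, options) in stack order."""
    stack = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            opts = dict(re.findall(r'(\w+)="([^"]*)"', m.group(3)))
            stack.append((m.group(1), m.group(2).lower(), opts))
    return stack

def evaluate(stack, outcomes):
    """Walk the stack with JAAS control-flag semantics (assumed model).
    outcomes[i] is True if module i's login() would succeed.
    Returns (overall_success, indices of modules actually invoked)."""
    invoked, required_failed, any_success = [], False, False
    has_required = any(f in ("required", "requisite") for _, f, _ in stack)
    for i, (_cls, flag, _opts) in enumerate(stack):
        ok = outcomes[i]
        invoked.append(i)
        any_success = any_success or ok
        if flag == "requisite" and not ok:
            return False, invoked       # stop immediately, overall failure
        if flag == "required" and not ok:
            required_failed = True      # keep walking, but the result is fixed
        if flag == "sufficient" and ok and not required_failed:
            return True, invoked        # stop immediately, overall success
    if required_failed:
        return False, invoked
    # No Required/Requisite failures: succeed if such modules exist, otherwise
    # at least one Sufficient or Optional module must have succeeded.
    return (True if has_required else any_success), invoked
```

With this stack, an SSO logon where SimpleLoginModule succeeds never invokes S3UserLoginModule, while a failed main database logon stops the whole procedure at the first module.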

See Also

LDAP

LDAP Configuration

LDAP Parameters

Import

Problems and solutions