AuthenticationManager_jaas.config

The 'AuthenticationManager_jaas.config' file holds the detailed specification of the login configurations that are referenced in the 'AuthenticationManager.properties' file.

A login configuration is a named, ordered stack of login modules. During authentication the modules are run in the order listed; whether the login as a whole succeeds depends on the outcome of each module combined with its control flag (see below), not on every module succeeding.

Note: You can also create your own login configuration or edit an existing login configuration.

Example: A dummy login configuration

[Image: the dummy login configuration; the numbered login modules (1) to (7) are described below]

The individual login modules do the following:

  • (1) Connects the Valuemation dbsession using the DB credentials. This connection is required.
  • (2) Connects the History dbsession using the DB credentials. This connection is required.
  • (3) Tries to connect the EXPORT_ORIG dbsession (searches for it in the domain). This connection is optional.
  • (4) Tries to verify the identity of the user via LDAP. If this fails, authentication proceeds with the next step.
  • (5) Tries to verify the identity of the user using the Windows credentials (works with the Rich client only). If this fails, authentication proceeds with the next step.
  • (6) Tries to verify the identity of the user with an SSO mechanism. If this fails, authentication proceeds with the next step.
  • (7) The last attempt: a login dialog asking for a username and password is presented to the user.

Each login module carries one of the control flags Required, Requisite, Sufficient or Optional.

The flag controls how the outcome of that module affects the overall result as authentication proceeds down the stack. The valid values and their semantics are:

  • Required

    The LoginModule is required to succeed. If it succeeds or fails, the authentication still continues to proceed down the LoginModule list.

  • Requisite

    The LoginModule is required to succeed. If it succeeds, the authentication continues down the LoginModule list. If it fails, the control immediately returns to the application (the authentication does not proceed down the LoginModule list).

  • Sufficient

    The LoginModule is not required to succeed. If it does succeed, the control immediately returns to the application (the authentication does not proceed down the LoginModule list). If it fails, authentication continues down the LoginModule list.

  • Optional

    The LoginModule is not required to succeed. If it succeeds or fails, the authentication still continues to proceed down the LoginModule list.

The overall authentication succeeds only if all Required and Requisite LoginModules succeed. If a Sufficient LoginModule is configured and succeeds, then only the Required and Requisite LoginModules prior to that Sufficient LoginModule need to have succeeded for the overall authentication to succeed.

If no Required or Requisite LoginModules are configured for an application, then at least one Sufficient or Optional LoginModule must succeed.
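To make the flag semantics concrete, here is an added example (not code from this page or from Valuemation) that implements the JAAS control-flag rules above in Python and runs them over the seven-step dummy configuration. The module names and the flag assignment (main DB connection Requisite, History Required, EXPORT_ORIG Optional, user login modules Sufficient, final login dialog Required) follow this page's description of the dummy configuration; the `*_ok` arguments that stand in for each module's result are an assumption of the example.

```python
"""JAAS control-flag evaluator, run over the dummy Valuemation stack (added example)."""
from dataclasses import dataclass
from typing import List, Tuple

REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL = "required", "requisite", "sufficient", "optional"


@dataclass
class ModuleOutcome:
    name: str       # label of the login module in the stack
    flag: str       # one of the four JAAS control flags
    succeeds: bool  # whether this module's login() would succeed (simulated)


def evaluate_stack(stack: List[ModuleOutcome]) -> Tuple[bool, List[str]]:
    """Apply the JAAS control-flag rules to a stack, top to bottom.

    Returns (overall_success, names of the modules that were actually run), so the
    caller can see where a Sufficient or Requisite module cut the stack short.
    """
    consulted: List[str] = []
    required_failed = False   # a Required module earlier in the stack failed
    any_success = False       # only matters when no Required/Requisite module exists
    has_required = any(m.flag in (REQUIRED, REQUISITE) for m in stack)

    for m in stack:
        consulted.append(m.name)
        if m.flag == REQUISITE:
            if not m.succeeds:
                return False, consulted            # stop immediately, overall failure
            any_success = True
        elif m.flag == REQUIRED:
            if m.succeeds:
                any_success = True
            else:
                required_failed = True             # keep going, but the result is lost
        elif m.flag == SUFFICIENT:
            if m.succeeds:
                # Stop here: only Required/Requisite modules *before* this one count.
                return (not required_failed), consulted
        elif m.flag == OPTIONAL:
            if m.succeeds:
                any_success = True
        else:
            raise ValueError(f"unknown control flag {m.flag!r} on {m.name}")

    if required_failed:
        return False, consulted
    if has_required:
        return True, consulted                     # every Required/Requisite succeeded
    return any_success, consulted                  # no Required: one Sufficient/Optional is enough


def valuemation_stack(db_ok=True, history_ok=True, export_ok=True,
                      ldap_ok=False, windows_ok=False, sso_ok=False, dialog_ok=False):
    """The seven-step dummy configuration from this page as a list of simulated outcomes."""
    return [
        ModuleOutcome("(1) DBLoginModule VALUEMATION", REQUISITE, db_ok),
        ModuleOutcome("(2) DBLoginModule HISTORY", REQUIRED, history_ok),
        ModuleOutcome("(3) DBLoginModule EXPORT_ORIG", OPTIONAL, export_ok),
        ModuleOutcome("(4) JNDILoginModule (LDAP)", SUFFICIENT, ldap_ok),
        ModuleOutcome("(5) SingleLogonLoginModule (Windows)", SUFFICIENT, windows_ok),
        ModuleOutcome("(6) SimpleLoginModule (SSO)", SUFFICIENT, sso_ok),
        ModuleOutcome("(7) S3UserLoginModule (login dialog)", REQUIRED, dialog_ok),
    ]


if __name__ == "__main__":
    for label, kw in [("LDAP user", dict(ldap_ok=True)),
                      ("dialog user", dict(dialog_ok=True)),
                      ("history DB down, LDAP ok", dict(history_ok=False, ldap_ok=True)),
                      ("nobody authenticates", dict())]:
        ok, seen = evaluate_stack(valuemation_stack(**kw))
        print(f"{label:28s} -> {'SUCCESS' if ok else 'FAILURE'} after {len(seen)} module(s)")
```

The "history DB down, LDAP ok" case shows the rule in the last paragraph above: the Sufficient LDAP module ends the stack, but because a Required module before it has already failed, the overall login still fails. The "LDAP user" case shows the flip side: once a Sufficient module succeeds, the modules after it, including the final login dialog, are never run.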

Available Login Modules

  • DBLoginModule

    This module establishes the dbsession connectivity. It succeeds only when a connection to the database can be opened with the given DB user name and password.

    Example:

    de.usu.s3.authentication.DBLoginModule optional dbsessions="HISTORY" dbuser="DBuser" dbpassword="DBpassword";

  • JNDIDBLoginModule

    A database login module that uses a JNDI database connection. It succeeds only when the connection obtained by the JNDI lookup can be opened.

    Example:

    de.usu.s3.authentication.JNDIDBLoginModule required dbsessions="VALUEMATION" dbuser="USER" dbpassword="PASSWORD";

  • JNDILoginModule

    Succeeds only when the user name and password entered in the login dialog can be validated against the LDAP server.

    Example:

    de.usu.s3.authentication.JNDILoginModule sufficient s3user="true";

  • S3UserLoginModule

    Succeeds only when the user name and password entered in the login dialog match those of the Valuemation user.

    Example:

    de.usu.s3.authentication.S3UserLoginModule required s3user="true" blockOnUnsuccessfulAttempt="true";

    Delay between unsuccessful login attempts

    You can enforce a delay after each failed login attempt.

    If the 'blockOnUnsuccessfulAttempt' parameter is set to 'true', the waiting interval between failed login attempts grows. After 3 consecutive unsuccessful login attempts, login is blocked for 10 seconds. Each further unsuccessful login attempt doubles the delay (20, 40, 80 ... seconds).

    If the user account gets blocked, the user must either wait for the corresponding time, or the account can be unblocked immediately with the 'Unblock Account' button on the 'Users' tab of the User Manager.

    Note that the button in the User Manager is available only if the following setting is applied:

    de.usu.s3.authentication.S3UserLoginModule required s3user="true" blockOnUnsuccessfulAttempt="true";

    The button is enabled once the account gets blocked, i.e. after 3 consecutive unsuccessful login attempts.
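The back-off schedule above, as an added example in Python (not Valuemation's own code): a per-account throttle that blocks the account for 10 seconds after 3 consecutive failures and doubles the block on every further failure, plus the reset that the 'Unblock Account' button performs. The credential store, the FakeClock and the attempt_login wrapper are constructed for the example. The page does not say how Valuemation treats attempts made while an account is blocked; the example rejects them without checking the password and without extending the block, a design choice that keeps an attacker from locking the real owner out indefinitely.

```python
"""Exponential back-off lockout of the kind described for blockOnUnsuccessfulAttempt (added example)."""
import hmac
import time
from typing import Callable, Dict, Tuple


class FakeClock:
    """Deterministic clock for the demonstration; use time.monotonic in real code."""
    def __init__(self) -> None:
        self.now = 1000.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class LoginThrottle:
    """Per-account throttle: after FAILURES_BEFORE_BLOCK consecutive failures the account is
    blocked for INITIAL_DELAY seconds; every further failure doubles the block (20, 40, 80 ...)."""
    FAILURES_BEFORE_BLOCK = 3
    INITIAL_DELAY = 10.0

    def __init__(self, clock: Callable[[], float] = time.monotonic) -> None:
        self._clock = clock
        self._failures: Dict[str, int] = {}          # consecutive failures per account
        self._blocked_until: Dict[str, float] = {}   # absolute unblock time per account

    def seconds_remaining(self, user: str) -> float:
        return max(0.0, self._blocked_until.get(user, 0.0) - self._clock())

    def is_blocked(self, user: str) -> bool:
        return self.seconds_remaining(user) > 0.0

    def record_failure(self, user: str) -> float:
        """Count a failed attempt; return the block length it imposes (0 if none yet)."""
        n = self._failures.get(user, 0) + 1
        self._failures[user] = n
        if n < self.FAILURES_BEFORE_BLOCK:
            return 0.0
        delay = self.INITIAL_DELAY * 2 ** (n - self.FAILURES_BEFORE_BLOCK)   # 10, 20, 40, 80 ...
        self._blocked_until[user] = self._clock() + delay
        return delay

    def unblock(self, user: str) -> None:
        """Reset the account: a successful login or the 'Unblock Account' button."""
        self._failures.pop(user, None)
        self._blocked_until.pop(user, None)


# Constructed credential store for the demonstration; a real module checks the Valuemation DB.
USERS = {"alice": b"s3cret"}


def verify_password(user: str, password: str) -> bool:
    stored = USERS.get(user, b"\0")   # unknown users still go through the comparison
    # compare_digest keeps the comparison time independent of where the values differ
    return hmac.compare_digest(stored, password.encode())


def attempt_login(throttle: LoginThrottle, user: str, password: str) -> Tuple[str, float]:
    """Return (outcome, seconds): 'blocked' with the remaining wait, 'failed' with the block
    just imposed (0.0 if none yet), or 'ok' with 0.0."""
    if throttle.is_blocked(user):
        # Reject without touching the password or the counter: hammering a blocked
        # account must not let an attacker extend the lockout of its real owner.
        return "blocked", throttle.seconds_remaining(user)
    if verify_password(user, password):
        throttle.unblock(user)
        return "ok", 0.0
    return "failed", throttle.record_failure(user)


if __name__ == "__main__":
    clock = FakeClock()
    throttle = LoginThrottle(clock)
    for pw in ("x", "y", "z", "s3cret"):          # three failures, then the right password
        print(pw, attempt_login(throttle, "alice", pw))
    clock.advance(10)
    print("after 10 s", attempt_login(throttle, "alice", "s3cret"))
```

Note that during the block window even the correct password is refused, which is what "it is not possible to login for 10 seconds" implies; the counter only advances on a failure that is actually checked, so the doubling applies to the next failed attempt after the window has expired.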

  • SingleLogonLoginModule

    SSO for the Rich client. It takes the current user from the operating system (Windows only).

    Example:

    de.usu.s3.authentication.SingleLogonLoginModule sufficient s3user="true";

  • SimpleLoginModule

    SSO for the Web client. Succeeds when the user name provided by the SSO mechanism exists in the Valuemation DB (or is resolved through the user name mapping). Valuemation performs no password verification here: the SSO authentication module in front of the Web client is solely responsible for supplying the user name of a genuinely authenticated user, so this module must only be reachable through that SSO path.

    Example:

    de.usu.s3.authentication.SimpleLoginModule sufficient s3user="true";

    Login module             Purpose               Notes
    DBLoginModule            DB authentication     Username and password need to be specified
    JNDIDBLoginModule        DB authentication     JNDI lookup
    JNDILoginModule          User authentication   LDAP lookup
    S3UserLoginModule        User authentication   Authentication against the VM DB
    SingleLogonLoginModule   User authentication   SSO, Rich client (Windows user)
    SimpleLoginModule        User authentication   SSO, Web client

Notes on the Valuemation Configuration

  • The database login modules (e.g. DBLoginModule) must precede the user login modules (e.g. S3UserLoginModule, JNDILoginModule).
  • The main database login module should carry the 'Requisite' flag.
  • More than one user login module can be used in one configuration. All user login modules except the last must be marked 'Sufficient' and the last one 'Required'. The first user login module that succeeds completes the login and starts Valuemation; the modules after it are not consulted, so the order of the user login modules decides which identity source takes precedence.
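An added example (not Valuemation's own code) that parses a JAAS configuration file and checks each login configuration against the three rules above, in Python. The configuration name 'Valuemation', the placeholder credentials and the two sample configurations are constructed for the example; the fourth check, that the dialog module carries blockOnUnsuccessfulAttempt="true", is taken from the lockout section of this page and is the example's own addition.

```python
"""Sanity checks for a Valuemation login configuration against the ordering rules (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

DB_MODULES = {"DBLoginModule", "JNDIDBLoginModule"}
USER_MODULES = {"JNDILoginModule", "S3UserLoginModule", "SingleLogonLoginModule", "SimpleLoginModule"}

CONFIG_RE = re.compile(r'(\w+)\s*\{(.*?)\}\s*;', re.S)                   # name { ... };
ENTRY_RE = re.compile(r'(\S+)\s+(required|requisite|sufficient|optional)\b([^;]*);', re.I)
OPTION_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')                           # key="value"


@dataclass
class Entry:
    cls: str                 # fully qualified login module class
    flag: str                # control flag, lower-cased
    options: Dict[str, str]  # key="value" options of the entry

    @property
    def short(self) -> str:
        return self.cls.rsplit(".", 1)[-1]


def parse_jaas_config(text: str) -> Dict[str, List[Entry]]:
    """Parse the name { entries } ; blocks of a JAAS config file into per-name stacks."""
    configs: Dict[str, List[Entry]] = {}
    for name, body in CONFIG_RE.findall(text):
        configs[name] = [Entry(cls, flag.lower(), dict(OPTION_RE.findall(opts)))
                         for cls, flag, opts in ENTRY_RE.findall(body)]
    return configs


def check_stack(entries: List[Entry]) -> List[Tuple[str, str]]:
    """Return (code, message) findings for one login configuration."""
    findings: List[Tuple[str, str]] = []
    db = [(i, e) for i, e in enumerate(entries) if e.short in DB_MODULES]
    users = [(i, e) for i, e in enumerate(entries) if e.short in USER_MODULES]
    if not db or not users:
        return [("MISSING", "configuration needs at least one DB and one user login module")]

    # Rule 1: every database login module must come before the first user login module
    if max(i for i, _ in db) > min(i for i, _ in users):
        findings.append(("ORDER", "database login modules must precede the user login modules"))
    # Rule 2: the main (first) database login module must be Requisite
    if db[0][1].flag != "requisite":
        findings.append(("MAIN_DB_FLAG", f"main DB module {db[0][1].short} is '{db[0][1].flag}', expected 'requisite'"))
    # Rule 3: all user login modules Sufficient except the last, which must be Required
    for i, e in users[:-1]:
        if e.flag != "sufficient":
            findings.append(("USER_FLAG", f"user module #{i + 1} {e.short} is '{e.flag}', expected 'sufficient'"))
    last = users[-1][1]
    if last.flag != "required":
        findings.append(("LAST_USER_FLAG", f"last user module {last.short} is '{last.flag}', expected 'required'"))
    # Extra check from the lockout section: the dialog login should throttle failed attempts
    for _, e in users:
        if e.short == "S3UserLoginModule" and e.options.get("blockOnUnsuccessfulAttempt") != "true":
            findings.append(("LOCKOUT", 'S3UserLoginModule without blockOnUnsuccessfulAttempt="true"'))
    return findings


def check_config_text(text: str) -> Dict[str, List[Tuple[str, str]]]:
    return {name: check_stack(entries) for name, entries in parse_jaas_config(text).items()}


# Constructed config mirroring the page's dummy configuration (name and credentials are placeholders).
GOOD_CONFIG = '''
Valuemation {
    de.usu.s3.authentication.DBLoginModule requisite dbsessions="VALUEMATION" dbuser="USER" dbpassword="PASSWORD";
    de.usu.s3.authentication.DBLoginModule required dbsessions="HISTORY" dbuser="USER" dbpassword="PASSWORD";
    de.usu.s3.authentication.DBLoginModule optional dbsessions="EXPORT_ORIG" dbuser="USER" dbpassword="PASSWORD";
    de.usu.s3.authentication.JNDILoginModule sufficient s3user="true";
    de.usu.s3.authentication.SingleLogonLoginModule sufficient s3user="true";
    de.usu.s3.authentication.SimpleLoginModule sufficient s3user="true";
    de.usu.s3.authentication.S3UserLoginModule required s3user="true" blockOnUnsuccessfulAttempt="true";
};
'''

# Same idea with mistakes: a user module ahead of the DB modules, the main DB module only
# 'required', the final dialog module 'sufficient', and no lockout on the dialog module.
BAD_CONFIG = '''
Valuemation {
    de.usu.s3.authentication.SimpleLoginModule sufficient s3user="true";
    de.usu.s3.authentication.DBLoginModule required dbsessions="VALUEMATION" dbuser="USER" dbpassword="PASSWORD";
    de.usu.s3.authentication.DBLoginModule required dbsessions="HISTORY" dbuser="USER" dbpassword="PASSWORD";
    de.usu.s3.authentication.S3UserLoginModule sufficient s3user="true";
};
'''

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        for name, findings in check_config_text(cfg).items():
            print(f"{label}/{name}: {findings or 'no findings'}")
```

The LAST_USER_FLAG finding is the one with security weight. With the last user login module demoted to Sufficient, a run in which every user module fails still ends with all Required modules (the database connections) satisfied, so by the flag rules the overall authentication would succeed without any user having been verified; that is why the last user login module must be Required.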

In This Chapter

Authentication of the Database Connection

Valuemation with ServiceConnector

See Also

Configuration of the Database Connection and Authentication Basics

Session.properties

AuthenticationManager.properties

Enhancing Security of Oracle Database Connection