User authentication is managed by
the Java EE application server for all clients to the middle tier.
The authentication process consists of three major parts:
Overview of how authentication works in the middle-tier
The user authentication process is always managed by the application server, before the call even reaches IFS Applications. All calls from clients (Access Providers in the picture above) pass a "security interceptor" in the application server before the call reaches the IFS client gateway. All such calls are therefore intercepted, and users are authenticated before the call can continue.
The security layer surrounding the application can be configured to do authentication in different ways; one possibility is to use IFS database authentication (authenticating by validating a user's Oracle username and password), another is to use LDAP authentication.
During the authentication phase, the supplied user name and password are
verified and the granted Java EE roles are added to the authenticated user.
If the user has been granted the IFSUser Java EE role, access to the EJB methods
is allowed; if not, an exception is returned from the application server (HTTP
401 - Unauthorized).
If access to the called EJB method was allowed, the second security layer is
reached - activity grants. In this layer the call to the EJB method is
intercepted by the Java Server Framework, which first maps the authenticated
user identity to an existing Foundation1 user (using the Foundation1 user's
Directory Id) and then checks if the called
activity/service is granted to the user. If true, the call proceeds to the
actual implementation, otherwise a security exception preventing the user from
calling the method is thrown from the Java Server Framework.
Overview of Username / Password authentication using JAAS
The middle-tier application can be configured for HTTP Basic password authentication. In this mode, the Security Interceptor filter will authenticate users using Java(TM) Authentication and Authorization Service (JAAS) login modules. Which login modules are supported by default varies between different Java EE servers, and for some Java EE application servers it is also possible to create custom login modules, supporting other authentication repositories.
The JBoss support distributed with IFS Applications includes LDAP, Active Directory and Oracle database. When using JAAS together with LDAP or Active Directory, it is recommended to use the Domain Configuration option to simplify logon for users.
Directory ID for users should be set to the HTTP Basic Username when using Password / Username authentication mode.
The process of authenticating a Web Client user is managed by declarative Java(TM) Authentication and Authorization Service (JAAS), or by a supporting system (Externally identified). The authentication process is similar to that described in the section Authentication in Extended Server above.
In addition to authenticating the end user, a special power user (config user) is authenticated and used for preliminary executions of the accessed pages. These raw pages are stored in the page pool. This config user is always authenticated against an Oracle database repository.
Overview of Username / Password authentication using JAAS
IFS Web Client can be configured to use FORM based declarative JAAS and login modules for authentication. In this mode, if the requested URL pattern matches a pattern that has been declared as secured, the Security Interceptor will prompt for username and password using a predefined login page. If the JAAS authentication process fails for any reason, a predefined static error page will be displayed. However, the actual cause of the failure may not be given, depending mainly on the repository used for authentication. The URL patterns that have been declared as secured, and the login and error pages to be displayed by the security interceptor, are defined in the web application's deployment descriptor (web.xml).
As mentioned above, authentication can be performed through custom login modules; the JBoss distribution of IFS Web Client includes LDAP, Active Directory and Oracle database support.
Directory ID for users should be set as the Username when using Username/Password authentication mode.
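The check below is an added example, not part of IFS Web Client or its documentation: it audits a web.xml for the FORM settings described above (secured URL patterns, login page, error page, declared roles). The descriptor is constructed, its URL pattern and page paths are assumptions, and the transport-guarantee check is an extra hardening test that goes beyond what this page covers.

```python
import xml.etree.ElementTree as ET

# Constructed descriptor, not the web.xml shipped with IFS Web Client.
# URL pattern and page paths are assumptions; IFSUser is the role named above.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>secured</web-resource-name>
      <url-pattern>/secured/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>IFSUser</role-name></auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/error.html</form-error-page>
    </form-login-config>
  </login-config>
  <security-role><role-name>IFSUser</role-name></security-role>
</web-app>"""

def audit_web_xml(text):
    """Return a list of findings for a FORM-authenticated deployment descriptor."""
    root = ET.fromstring(text)
    for el in root.iter():  # drop namespaces so paths work for any descriptor version
        el.tag = el.tag.rsplit("}", 1)[-1]
    findings = []
    if root.findtext("login-config/auth-method", "").strip() != "FORM":
        findings.append("auth-method is not FORM")
    for page in ("form-login-page", "form-error-page"):
        if not root.findtext(f"login-config/form-login-config/{page}", "").strip():
            findings.append(f"missing {page}")
    declared = {(r.text or "").strip() for r in root.findall("security-role/role-name")}
    for sc in root.findall("security-constraint"):
        found = sc.findall("web-resource-collection/url-pattern")
        patterns = ",".join(p.text or "" for p in found)
        if sc.find("auth-constraint") is None:
            findings.append(f"{patterns}: no auth-constraint, pattern is not secured")
        for r in sc.findall("auth-constraint/role-name"):
            if (r.text or "").strip() not in declared:
                findings.append(f"{patterns}: role {r.text} is not declared")
        tls = sc.findtext("user-data-constraint/transport-guarantee", "")
        if tls.strip() != "CONFIDENTIAL":
            findings.append(f"{patterns}: no CONFIDENTIAL transport-guarantee")
    return findings
```

On the sample, the only finding is the missing transport guarantee; where TLS is terminated in front of the application server, that finding has to be judged against the front-end configuration instead.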
Externally identified using Remote User
IFS Web Client supports external authentication based upon the Remote User variable in the AJP13 protocol. For more details see >>
Authentication for web services exposed using IFS Connect and the SOAP Gateway is handled by the application server in the same way as for interactive clients. Services are typically configured for Username / Password authentication using JAAS.
Illustration of 3rd party client software connecting to IFS Connect SOAP Gateway
The password (or other authentication credentials) is not included within the SOAP XML messages, but is included in the HTTP authentication stages. For example, in the Username / Password authentication using JAAS mode, the authentication credentials are in the HTTP Authorization header field.
The web service client connecting to the IFS Connect SOAP Gateway must be configured for the same authentication mode as the IFS application server's security filter. The web service client must also be configured with valid credentials (i.e. a username/password) for authenticating with the application server.
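The following added example (not IFS code) shows both sides of the HTTP Basic exchange described for the middle tier and the SOAP Gateway: the client puts the credentials in the Authorization header and keeps them out of the SOAP body, and the server-side filter recovers them from that header. The envelope, operation name and endpoint are placeholders, and the TLS requirement is an added safeguard, since Basic credentials are only base64-encoded.

```python
import base64
import urllib.request
from urllib.parse import urlsplit

# Constructed envelope; the operation and namespace are placeholders,
# not a real IFS Connect service.
ENVELOPE = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body><ping xmlns="urn:example:placeholder"/></soapenv:Body>
</soapenv:Envelope>"""

def basic_header(username, password):
    """Encode credentials for the HTTP Authorization header (RFC 7617)."""
    if ":" in username:
        # The receiver splits on the first colon, so a colon in the user
        # name would shift part of it into the password.
        raise ValueError("username must not contain ':'")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")

def parse_basic_header(value):
    """What a server-side filter recovers: (username, password)."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    user, sep, password = base64.b64decode(token).decode("utf-8").partition(":")
    if not sep:
        raise ValueError("malformed credentials")
    return user, password

def build_soap_request(url, username, password, envelope=ENVELOPE):
    """Build (but do not send) the POST a web service client would issue."""
    if urlsplit(url).scheme != "https":
        raise ValueError("refusing to send Basic credentials without TLS")
    if password and password in envelope:
        raise ValueError("password must not appear in the SOAP body")
    headers = {
        "Content-Type": "text/xml; charset=utf-8",
        "SOAPAction": '""',
        "Authorization": basic_header(username, password),
    }
    return urllib.request.Request(
        url, data=envelope.encode("utf-8"), headers=headers, method="POST"
    )
```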