
Question about login module flag SUFFICIENT

Former Member
0 Kudos

Hi,

I have configured a web application with a login module stack in the security provider (AS Java 7.0 SP14). The login module stack has 2 login modules. Both are flagged as SUFFICIENT. According to SAP and JAAS documentation, when using this flag, if authentication succeeds in the first module, control should return to the application immediately (i.e. the second module should not be called); however, I've been watching the behaviour of the stack and the second module's login method is always executed, even if the first one succeeds. Is this normal behaviour? Am I misreading the documentation? Can somebody provide any insight?

Mind you, the second one is not required to succeed for the overall login to succeed, so this behaves as expected.

Thanks.

Carlos

Accepted Solutions (1)


0 Kudos

Hi Carlos, Can you post here the contents of the corresponding "LOGIN.OK" log message from security logs? The log message contains a table of all login modules used during the authentication, their control flags, the sequence of invocation of their methods and the results they return. This information will help analyze what happens.

You can extract the log message either from Log Viewer tool, or directly from the file (/usr/sap/<SystemID>/J<ComponentID>/j2ee/cluster/server<ServerNumber>/log/system/security_xx.x.log) in the file system.

Former Member
0 Kudos

Hi Stephan,

Sorry for the delay in responding... I just came back from holidays.

Here is the log entry... it doesn't contain much:

LOGIN.OK

User: PIAPPLUSER

Authentication Stack: sap.com/com.sap.aii.af.soapadapter*XISOAPAdapter

Login Module Flag Initialize Login Commit Abort Details

1. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule SUFFICIENT ok true true

2. com.sap.CustomLoginModuleClass SUFFICIENT ok true

Central Checks true

I must add that there is also the following entry produced in the log (this one appears first, but belongs to the same login attempt):

LOGIN.FAILED

User: N/A

Authentication Stack: sap.com/com.sap.aii.af.soapadapter*XISOAPAdapter

Login Module Flag Initialize Login Commit Abort Details

1. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule SUFFICIENT ok false false

2. com.sap.CustomLoginModuleClass SUFFICIENT ok exception true Authentication did not succeed.

Thanks.

Carlos

0 Kudos

Hi Carlos,

The table structure (first table) is not clearly visible in the forum message because all whitespace is handled by the browser the same way. I am able to reconstruct it from the HTML source and it looks like this:

--------------------------------------------------------------------
Login Module               Control Flag   Login   Commit   Abort
--------------------------------------------------------------------
BasicPasswordLoginModule   SUFFICIENT     true    true
CustomLoginModuleClass     SUFFICIENT             true
--------------------------------------------------------------------


This means that the custom login module's login method has not been invoked, but its commit method has. This is the expected behavior.

The custom login module's login method has been invoked during the failed authentication (second table). This is also the expected behavior.

Can you confirm that when watching the behavior of the stack you see method "login" (and not "commit") being executed in both cases?

Former Member
0 Kudos

Hi Stephan,

Thanks for your prompt reply.

Correct, it is method "login()", and not "commit()" being executed in both cases. And that is exactly my question - why are both login methods being executed for the same login attempt? Since SUFFICIENT is used, I would have expected the login sequence to stop after succeeding in the first module of the stack (BasicPassword).

Can you shed some light on why this is the expected behaviour?

I'm still a bit confused: It would seem that the login module stack is being executed in reverse order (since the failed login appears first in the log) ???

Mind you, this is not causing a problem. I'm just trying to understand why it happens.

Thanks.

Carlos

0 Kudos

I would like to focus on a specific of the server here. One logon attempt may involve several loops over the same JAAS login stack. In your case there are two of them. The first one fails because there are no credentials with the client request to the server. Thus the server responds to the browser asking for credentials. At this time you see the pop-up that asks you for user name and password. When you provide them there is another loop over the login module stack and this time it is successful. This should explain why the logs appear in the reverse order - each log is for a separate JAAS authentication, and not for a separate login module.

In some cases there may be additional loops if additional credentials are requested by another login module, or if the user must change password, etc.

So the table shown by the log message proves your login module's "login" method was not invoked after the previous sufficient login module succeeded.

Does this answer your question?
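The two loops over the same stack described above, as an added example that is neither SAP's code nor part of the original thread: a small Python simulation of the stack walk. It models the login phase stopping at the first SUFFICIENT module that succeeds (with the usual REQUIRED/REQUISITE/OPTIONAL rules for the other flags) and the commit or abort phase visiting every module; the module names, the credentials and the "no credentials" failure are constructed stand-ins.

```python
# Added example, not SAP's or the JAAS reference code: simulates the stack walk
# the thread describes. Credentials and module behaviour are constructed stand-ins.
class LoginException(Exception): pass

class Module:
    def __init__(self, flag, check):         # `check` plays the role of login()
        self.flag, self.check = flag, check
        self.calls = []                      # methods invoked on it, in order
    def login(self, creds):
        self.calls.append("login")
        return self.check(creds)
    def end(self, phase):                    # "commit" or "abort"
        self.calls.append(phase)

def run_stack(stack, creds):
    """One loop over the stack: returns 'LOGIN.OK' or 'LOGIN.FAILED'."""
    success, required_error = False, None
    for m in stack:                          # login phase
        try:
            ok = m.login(creds)
        except LoginException as e:          # a throw counts as a failure
            ok = False
            if m.flag in ("REQUIRED", "REQUISITE"):
                required_error = required_error or e
                if m.flag == "REQUISITE":
                    break                    # REQUISITE failure stops the walk
        if ok:
            success = True
            if m.flag == "SUFFICIENT" and required_error is None:
                break                        # SUFFICIENT success stops the walk
    phase = "abort" if required_error or not success else "commit"
    for m in stack:                          # second phase visits every module
        m.end(phase)
    return "LOGIN.OK" if phase == "commit" else "LOGIN.FAILED"

def basic_password(creds):                   # constructed stand-in for module 1
    return creds is not None and creds.get("password") == "s3cret"

def custom_module(creds):                    # constructed stand-in for module 2
    if creds is None:
        raise LoginException("Authentication did not succeed.")
    return True

def simulate_logon():
    """Two loops over the same stack, as in the thread's two log entries."""
    results = []
    for creds in (None, {"user": "PIAPPLUSER", "password": "s3cret"}):
        stack = [Module("SUFFICIENT", basic_password), Module("SUFFICIENT", custom_module)]
        results.append((run_stack(stack, creds), [m.calls for m in stack]))
    return results
```

The first loop (no credentials) fails and aborts both modules; the second succeeds in the first module, so the custom module sees only commit(), matching the reconstructed table.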

Former Member
0 Kudos

That explains it very well.

Thanks a lot for your help!

Awarding top points...

Carlos
