on 03-23-2009 6:05 PM
I have deployed two applications, namely testapp and irj, on SAP Web AS 7.0 in the same protection domain, i.e. sap.com.
I have protected these applications with an Authenticate template having two login modules:
1. Custom Login Module -- Requisite
2. Create Ticket Login Module -- Required
Now when I try accessing the testapp application, my architecture provides me SSO to testapp. In this case I am getting a MYSAPSSO2 ticket and a JSESSIONID.
The following logs were generated:
LOGIN.OK
User: Administrator
Authentication Stack: <template-name>
Login Module Flag Initialize Login Commit Abort Details
com.<custom-login-module> REQUISITE ok true true
com.sap.security.core.server.jaas.CreateTicketLoginModule REQUIRED ok true true
Central Checks true
And when I try to access the irj portal in the same browser (which already has the MYSAPSSO2 ticket), my Custom Login Module is called again and a new MYSAPSSO2 ticket is generated by the Create Ticket Login Module.
The following logs were generated:
LOGIN.OK
User: Administrator
Authentication Stack: <template-name>
Login Module Flag Initialize Login Commit Abort Details
com.<custom-login-module> REQUISITE ok true true
com.sap.security.core.server.jaas.CreateTicketLoginModule REQUIRED ok true true
Central Checks true
So, my question here is whether the behavior I am getting is the expected one, i.e. should a new MYSAPSSO2 ticket be generated again, or should the existing MYSAPSSO2 ticket be consumed by the SAP Web AS?
Another scenario is when I add another login module into the stack. Here, the stack has:
1. Evaluate Ticket Login Module -- Sufficient
2. Custom Login Module -- Requisite
3. Create Ticket Login Module -- Required
In a new browser, when I try to access the testapp application, I get the following logs:
LOGIN.OK
User: Administrator
Authentication Stack: sap.com/testappEar*testapp
Login Module Flag Initialize Login Commit Abort Details
1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok false false
2. com.netegrity.siteminder.sap.webas.jaas.SiteMinderLoginModule REQUISITE ok true true
3. com.sap.security.core.server.jaas.CreateTicketLoginModule REQUIRED ok true true
Central Checks true
And when I try to access the irj portal in the same browser (which already has the MYSAPSSO2 ticket), this time the Evaluate Ticket Login Module is invoked and no new MYSAPSSO2 ticket is generated. The following logs were generated:
LOGIN.OK
User: Administrator
Authentication Stack: ticket
Login Module Flag Initialize Login Commit Abort Details
1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok true true
2. com.<custom-login-module> REQUISITE ok false
3. com.sap.security.core.server.jaas.CreateTicketLoginModule REQUIRED ok false
Central Checks true
So, my question here is whether the behavior I am getting is the expected one, i.e. that a MYSAPSSO2 ticket is not generated again and the existing MYSAPSSO2 ticket is consumed by the SAP Web AS?
Yes, the second one is fine, if you already have a logon ticket, use it. Alternatively you can set the 'create ticket login module' to optional. In this case you will still be authenticated, even if the ticket cannot be created.
1. Evaluate Ticket Login Module -- Sufficient
2. Custom Login Module -- Requisite
3. Create Ticket Login Module -- Optional
-> if you already have a ticket, you're done (step 1)
-> if you don't have a ticket, do your custom logon module and if it succeeds, then create a ticket
[Sample Login Module Stacks for Using Logon Tickets|http://help.sap.com/erp2005_ehp_04/helpdata/EN/04/120b40c6c01961e10000000a155106/frameset.htm]
[Login Module Stacks|http://help.sap.com/erp2005_ehp_04/helpdata/DE/99/f66e424925c253e10000000a1550b0/frameset.htm]
Regards, Michael
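The flag behaviour discussed in this thread can be reproduced with a small model of JAAS control-flag evaluation. This is an added example, not part of the original posts and not SAP code; the module functions, the `ctx` dictionary and the `ticket_creation_broken` switch are hypothetical stand-ins.

```python
# Simplified model of JAAS control-flag handling (login phase only).
# The three modules are constructed stand-ins, not SAP or SiteMinder code.

def evaluate_ticket(ctx):
    # Succeeds only when the request already carries a logon ticket.
    return ctx.get("ticket") is not None

def custom_login(ctx):
    # Stand-in for the custom module; succeeds unless the test says otherwise.
    return ctx.get("custom_ok", True)

def create_ticket(ctx):
    # Issues a fresh ticket, or fails if creation is (hypothetically) broken.
    if ctx.get("ticket_creation_broken"):
        return False
    ctx["issued"] = ctx.get("issued", 0) + 1
    ctx["ticket"] = "ticket-%d" % ctx["issued"]
    return True

def run_stack(stack, ctx):
    """Return (authenticated, [(module_name, login_result), ...])."""
    trace, must_failed, any_ok = [], False, False
    has_must = any(flag in ("REQUIRED", "REQUISITE") for _, flag in stack)
    for module, flag in stack:
        ok = module(ctx)
        trace.append((module.__name__, ok))
        any_ok = any_ok or ok
        if flag in ("REQUIRED", "REQUISITE") and not ok:
            must_failed = True
            if flag == "REQUISITE":
                break                  # a failed REQUISITE ends the stack
        elif flag == "SUFFICIENT" and ok and not must_failed:
            return True, trace         # a successful SUFFICIENT ends the stack
    return (not must_failed) and (has_must or any_ok), trace

# The three stacks from the thread.
STACK_A = [(custom_login, "REQUISITE"), (create_ticket, "REQUIRED")]
STACK_B = [(evaluate_ticket, "SUFFICIENT")] + STACK_A
STACK_C = [(evaluate_ticket, "SUFFICIENT"), (custom_login, "REQUISITE"),
           (create_ticket, "OPTIONAL")]

if __name__ == "__main__":
    browser = {}                       # constructed: a browser with no ticket yet
    for app in ("testapp", "irj"):
        print(app, run_stack(STACK_B, browser), browser.get("ticket"))
```

With the Create Ticket module set to optional, a login that succeeds without a ticket leaves the browser with nothing for the Evaluate Ticket module to consume, so the next application runs the custom module again.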