J2EE/WebAS Authentication Mechanisms

Former Member

Hi..

Does anybody have experience with the different authentication mechanisms used for Single Sign On authentication to a J2EE/WebAS?

I am obviously looking for the most secure. I know that CA's SiteMinder has an agent for WebAS, but I can't figure out the difference between using an agent and using e.g. Header Variables for User Authentication.

Thanks

vitofava

Links:

Configuring Authentication Mechanisms: [http://help.sap.com/saphelp_nw04s/helpdata/en/8f/ae29411ab3db2be10000000a1550b0/frameset.htm]

CA SiteMinder: [http://ca.com/products/product.aspx?ID=5262]

Edited by: Vito Fava on Feb 26, 2008 10:45 AM

Edited by: Vito Fava on Feb 26, 2008 10:46 AM

1 ACCEPTED SOLUTION

tim_alsop
Active Contributor

vitofava,

For most secure, I suggest you consider those which use cryptography instead of HTTP header variables. With HTTP header variables it might be possible for somebody to send an HTTP message to the SAP system containing the header variable so that they can pretend they have authenticated as this person. To avoid this, many companies combine the HTTP header login module with a firewall / packet filter in front of the SAP system so they can be sure logins only come from trusted hosts. This adds additional complexity and cost, so is clearly not the best solution. It is often possible to set up a very secure authentication without having to incur this additional cost and complexity.

You specifically mentioned SiteMinder - do you already use the SiteMinder product?

Thanks,

Tim

3 REPLIES

Former Member

Hi Tim...

Thanks for a quick reply.

No, we are not using SiteMinder yet, as we are still in the design phase. I agree with your comment on firewalls. The solution will look like this:

1) VPN access via Cisco or Juniper

2) Authentication via PinSafe or Entrust IdentityGuard

3) Firewalls and DMZs everywhere!!

4) HTTPS and certification based communication between servers

Would HTTP header variables be ok then??

/vitofava

tim_alsop
Active Contributor

Vitofava,

In step 2, when the user authenticates using PinSafe or IdentityGuard, I assume the authenticated identity will be stored somewhere? If so, you need to make sure that this identity cannot be changed to something else, thus allowing somebody to authenticate using PinSafe or Entrust as themselves and then change the identity which is stored in the HTTP header when logging onto SAP.

If the user authentication is on a web server, and the web server is able to store the id in a header and pass it to SAP via header variable, then as long as the web server is considered secure you will be ok. As I mentioned before, it should not be possible for somebody to open a web browser and send an HTTP request to SAP containing an HTTP header variable that is used to authenticate them to SAP. There are many plugins available for browsers that allow a user (e.g. an attacker) to do this, so you need to make sure this kind of tool will not be usable.

Otherwise, I think the use of HTTP header variables is good for your situation, and I have certainly come across many SAP customers who have also used this method, so it is quite common.

Regards,

Tim
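The trust boundary Tim describes in both of his replies (honour the identity header only when it arrives from the authenticating web server, and make sure a browser cannot set it directly) as an added Python sketch; this is not code from the thread or from SAP's header login module, and the header name and address ranges are constructed placeholders.

```python
"""Added example: the two halves of a header-variable SSO trust boundary.
Header name and addresses are constructed placeholders, not SAP defaults."""
from ipaddress import ip_address, ip_network

IDENTITY_HEADER = "X-Remote-User"                 # hypothetical header name
TRUSTED_PROXIES = [ip_network("10.0.1.0/24")]     # constructed proxy range


def _get_header(headers, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def proxy_forward(client_headers, authenticated_user):
    """Web server side (where PinSafe / IdentityGuard / SiteMinder authenticates).

    Drops any identity header the client supplied, so a browser plugin cannot
    inject one, then sets the header only from the identity the web server
    itself established. Returns the headers to forward to the backend.
    """
    forwarded = {k: v for k, v in client_headers.items()
                 if k.lower() != IDENTITY_HEADER.lower()}
    if authenticated_user is not None:
        forwarded[IDENTITY_HEADER] = authenticated_user
    return forwarded


def backend_identity(remote_addr, headers):
    """Backend side (the role the header login module plays on the SAP side).

    Trusts the identity header only when the TCP peer is a trusted proxy;
    a direct request from anywhere else is treated as anonymous even if it
    carries the header. This is the "trusted hosts" filter from the thread,
    expressed in code rather than as a separate firewall rule.
    """
    src = ip_address(remote_addr)
    if not any(src in net for net in TRUSTED_PROXIES):
        return None
    return _get_header(headers, IDENTITY_HEADER)
```

A spoofed header sent straight to the backend from an untrusted address yields no identity, while the same header forwarded by the proxy is accepted only with the value the proxy set.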