What is so special about the "ticket" login module stack?

Former Member
0 Kudos

G'day,

I am observing some odd behaviour with login module stacks.

I have a custom login module that performs authentication using information in the HTTP servlet request. This custom login module does not require any interaction from the user. I want to use this custom login module when I authenticate to the portal.

By default, the portal uses an authentication scheme known as "uidpwdlogon", which uses the "ticket" login module stack, which is configured to perform basic password login. When I attempt to access the portal I am presented with a username/password page and I need to enter a username and password, hit the "submit" button, and access to the portal is granted.

So I replaced the BasicPasswordLoginModule entry in the "ticket" login module stack with my custom login module, and now access to the portal is granted automatically, as expected. There is no username/password page displayed.

But if I create a new login module stack that contains exactly the same modules as "ticket" login module stack, and modify the "uidpwdlogon" authentication scheme to use my new login module stack instead of the "ticket" login module stack, then something odd occurs: I am now presented with a username/password page again. I need to hit the "submit" button to navigate away from this page before the custom login module stack will process, which will then grant access to the portal.

If I change the "uidpwdlogon" authentication scheme back to use the "ticket" login module stack (which is exactly the same as the previous login module stack), then access to the portal is granted automatically without showing a username/password page.

So: if the (modified) "ticket" login module stack is used, there's no username/password page shown. If a copy of that login module stack is used, then a username/password page is shown.

What's going on here?

5 Replies

tim_alsop
Active Contributor
0 Kudos

Geoffrey,

When you edited the authschemes.xml - did you change the priority of your new entry or did you leave it same as the uidpwdlogon entry ?

Perhaps if you include the authschemes.xml file you used, I can take a look and suggest changes.

Thanks,

Tim

Former Member
0 Kudos

G'day,

Thanks for the reply.

The relevant parts of the authschemes.xml file are as follows:


        <authscheme name="uidpwdlogon">
            <authentication-template>myloginstack</authentication-template>
            <priority>21</priority>
            <frontendtype>2</frontendtype>
            <frontendtarget>com.sap.portal.runtime.logon.certlogon</frontendtarget>
        </authscheme>
...
                 
        <authscheme-ref name="default">
            <authscheme>uidpwdlogon</authscheme>
        </authscheme-ref>

        <authscheme-ref name="UserAdminScheme">
            <authscheme>uidpwdlogon</authscheme>
        </authscheme-ref>

Note that I have changed the uidpwdlogon element to use "myloginstack" instead of "ticket", and changed the priority from 20 to 21, as suggested (but it should be noted that the outcome is the same regardless of priority).

The "ticket" login module stack is defined as follows:


  EvaluateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
  MyLoginModule REQUISITE {...}
  CreateTicketLoginModule OPTIONAL {ume.configuration.active=true}

and the "myloginstack" is defined identically as follows:


  EvaluateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
  MyLoginModule REQUISITE {...}
  CreateTicketLoginModule OPTIONAL {ume.configuration.active=true}

When the "uidpwdlogon" authentication scheme is configured to use the "myloginstack" login module stack, the browser immediately opens up the normal username/password page. I wait for a few minutes (for logging reasons), then hit submit, and access to the portal is granted.

The log output for this is as follows:


Message : LOGIN.FAILED
User: N/A
Authentication Stack: myloginstack

Login Module                                                            Flag        Initialize  Login      Commit     Abort      Details
com.sap.security.core.server.jaas.EvaluateTicketLoginModule             SUFFICIENT  ok          false                 true       
MyLoginModule                                                           REQUISITE   ok          exception             true       Further authentication required from client
com.sap.security.core.server.jaas.CreateTicketLoginModule               OPTIONAL    ok                                true       

...

Message : LOGIN.OK
User: testuser
Authentication Stack: myloginstack

Login Module                                                            Flag        Initialize  Login      Commit     Abort      Details
com.sap.security.core.server.jaas.EvaluateTicketLoginModule             SUFFICIENT  ok          false      false                 
MyLoginModule                                                           REQUISITE   ok          true       true                  
com.sap.security.core.server.jaas.CreateTicketLoginModule               OPTIONAL    ok          true       true                  
Central Checks                                                                                true                  

There are two login stack events because the first login stack event asks the browser to pass along authentication data, which is processed in the second login stack event.

Also note that the time of the first login module event is a few minutes after the username/password page appears, suggesting that the portal is attempting to obtain information before it processes the login module stack.

If I change the "uidpwdlogon" authentication scheme to use the "ticket" login module stack, then no username/password page appears and the security log is essentially identical to that of "myloginstack":


Message : LOGIN.FAILED
User: N/A
Authentication Stack: ticket

Login Module                                                            Flag        Initialize  Login      Commit     Abort      Details
com.sap.security.core.server.jaas.EvaluateTicketLoginModule             SUFFICIENT  ok          false                 true       
MyLoginModule                                                           REQUISITE   ok          exception             true       Further authentication required from client
com.sap.security.core.server.jaas.CreateTicketLoginModule               OPTIONAL    ok                                true       


Message : LOGIN.OK
User: testuser
Authentication Stack: ticket

Login Module                                                            Flag        Initialize  Login      Commit     Abort      Details
com.sap.security.core.server.jaas.EvaluateTicketLoginModule             SUFFICIENT  ok          false      false                 
MyLoginModule                                                           REQUISITE   ok          true       true                  
com.sap.security.core.server.jaas.CreateTicketLoginModule               OPTIONAL    ok          true       true                  
Central Checks                                                                                true                  

I am creating the "myloginstack" login module stack using the Visual Administrator tool, by clicking the "Add" button for the "Policy Configurations" tab of the SecurityProvider service. Note that when I do this the entry for "myloginstack" gets a diamond icon, while the entry for "ticket" has a different icon (resembling a graph). I do not know what these different icons beside each policy configuration imply (is "ticket" different to "myloginstack" somehow?) nor how to create a new policy configuration that will have different icon.

I assume the username/password page is shown because the <frontendtarget> element in the "uidpwdlogon" authentication scheme is defined to use "com.sap.portal.runtime.logon.certlogon". Perhaps there is another value I can use here that displays nothing and redirects the browser directly to the portal?
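The two security-log events above are exactly what the JAAS control flags predict for this stack: on the first pass the REQUISITE module throws, so the remaining modules are skipped and every module gets abort(); on the second pass it succeeds and every module gets commit(). The following Python model of the JAAS LoginContext flag algorithm replays both events and reproduces the log table. It is an added example, not code from the thread or from SAP: the module behaviours (a SUFFICIENT ticket evaluator returning false, a custom REQUISITE module that first raises "Further authentication required from client" and then succeeds, an OPTIONAL ticket creator) are constructed stand-ins, and the LOGIN.OK / LOGIN.FAILED labels simply mirror the log.

```python
"""
Model of the JAAS LoginContext control-flag algorithm (REQUIRED, REQUISITE,
SUFFICIENT, OPTIONAL), replaying the two login events from the thread's log.
The module behaviours are constructed stand-ins, not SAP's real modules.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


class FurtherAuthRequired(Exception):
    """Stand-in for the LoginException the custom module throws on its first pass."""


@dataclass
class Module:
    name: str
    flag: str                       # REQUIRED | REQUISITE | SUFFICIENT | OPTIONAL
    login_fn: Callable[[], bool]    # True = authenticated, False = "ignore me", raise = failure


@dataclass
class Row:
    """One row of the SAP-style log table (None = method never invoked)."""
    name: str
    flag: str
    login: Optional[str] = None     # "true" / "false" / "exception"
    commit: Optional[str] = None
    abort: Optional[str] = None
    details: str = ""


def run_stack(stack: List[Module]) -> Tuple[str, List[Row]]:
    """Run the login phase, then commit or abort, the way LoginContext does."""
    rows = [Row(m.name, m.flag) for m in stack]
    required_error = None   # first failure of a REQUIRED/REQUISITE module
    success = False

    for m, row in zip(stack, rows):
        try:
            ok = m.login_fn()
        except FurtherAuthRequired as e:
            row.login, row.details = "exception", str(e)
            if m.flag in ("REQUIRED", "REQUISITE"):
                required_error = e
            if m.flag == "REQUISITE":
                break               # REQUISITE failure: no further module is called
            continue
        row.login = "true" if ok else "false"
        if not ok:
            continue                # login() == false: the module asked to be ignored
        if m.flag == "SUFFICIENT":
            if required_error is None:
                success = True
                break               # a successful SUFFICIENT module short-circuits the rest
        else:
            success = True

    overall = required_error is None and success
    # The commit/abort phase touches every module in the stack, including
    # ones whose login() was never reached (hence abort=true on all three rows).
    for row in rows:
        if overall:
            row.commit = "true" if row.login == "true" else "false"
        else:
            row.abort = "true"
    return ("LOGIN.OK" if overall else "LOGIN.FAILED"), rows


def build_stack(custom_login: Callable[[], bool]) -> List[Module]:
    """The 'ticket'/'myloginstack' layout from the thread, with stand-in behaviours."""
    return [
        Module("EvaluateTicketLoginModule", "SUFFICIENT", lambda: False),  # no SSO ticket yet
        Module("MyLoginModule", "REQUISITE", custom_login),
        Module("CreateTicketLoginModule", "OPTIONAL", lambda: True),
    ]


def needs_client_data() -> bool:
    """First pass of the custom module: it still needs data from the browser."""
    raise FurtherAuthRequired("Further authentication required from client")


def event_one() -> Tuple[str, List[Row]]:
    return run_stack(build_stack(needs_client_data))


def event_two() -> Tuple[str, List[Row]]:
    return run_stack(build_stack(lambda: True))


def as_table(outcome: str, rows: List[Row]) -> str:
    """Render rows in the same column order as the security log."""
    head = f"Message : {outcome}\n{'Login Module':<28}{'Flag':<12}{'Login':<11}{'Commit':<8}{'Abort':<7}Details"
    body = [f"{r.name:<28}{r.flag:<12}{r.login or '':<11}{r.commit or '':<8}{r.abort or '':<7}{r.details}"
            for r in rows]
    return "\n".join([head] + body)


if __name__ == "__main__":
    for ev in (event_one, event_two):
        print(as_table(*ev()), end="\n\n")
```

Because abort() runs on every module after a REQUISITE failure, the first event's log is the same whether the stack is named "ticket" or "myloginstack"; the flag algorithm itself cannot explain the different front-end behaviour, which is consistent with the decision to show the logon page being made outside the login modules.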

0 Kudos

Geoffrey,

I thought the priority might help. Maybe the <frontendtype> needs to be changed to something other than 2?

In our company, we spent quite some time experimenting with authschemes.xml to try and do similar things to what you are doing, and in the end we gave up. Our products are sold to customers who use portal, but they are not portal specific, so they work with any Web based access to NetWeaver, e.g. ITS services, BSP pages etc. We therefore decided to use the ticket stack and this seems to be acceptable to our customers.

I originally thought that authschemes.xml was for any application, but it seems it is only used by the portal.

You might also find it useful to understand that the userid/password logon screen is not displayed by the login module; it is displayed by NetWeaver, and when/if a userid/password is entered on this screen, this information is passed to a login module, but if there is no login module configured that is waiting for such information the userid/password will be ignored, as you have noticed when you press the submit button without entering anything.

So, clearly there is some logic in NetWeaver which decides whether to display the login page, and I think this might be broken. We certainly found some strange results when we experimented with various values in the authschemes.xml file, and we also found that with different support packs or versions of NetWeaver we got different results.

I think this area is part of NetWeaver that is not used that often, and is perhaps broken? Maybe you need to open a message with SAP and get them to help you debug?

Also, I am not sure about the icon in Visual Admin. I think the icon is different for ticket since it is supplied by SAP and not added as a custom template.

Thanks,

Tim

0 Kudos

G'day,

Thanks for the reply.

> I think this area is part of NetWeaver that is not used that often, and is perhaps broken? Maybe you need to open a message with SAP and get them to help you debug?

It does seem odd that two login module stacks using the same login modules behave differently ... maybe the servlet code for the portal authentication is hard-coded to treat the "ticket" login module stack in a special way?

The only other thing I can think of right now is how the "suitable authentication mechanisms" (such as form, basic, cert, etc) are defined for a login module. I'm not sure how these are handled but some experimenting may be required.

I guess the built-in SPNegoLoginModule should also handle automatic authentication to the portal. I'll hunt around the documentation to see if there is any special mention of authschemes.xml when this is used.

Failing that I'll just have to tell customers that the only solution is to modify the "ticket" login module stack.

0 Kudos

Geoffrey,

One of our login modules also does not use a logon screen, and we were unable to make it work only with portal by configuring authschemes.xml. We spent a few weeks working on it, trying things and asking people at SAP, but we didn't get it working the way we wanted. We therefore gave up and we tell customers to use the ticket stack only. I think you will find the SPNEGO login module provided by SAP is also configured in the ticket stack, as per the documentation.

Thanks,

Tim