Authentication is performed in the process of obtaining the Session object. Once obtained, all methods called on the Session object or on other Server API objects retrieved directly or indirectly through this Session object are executed under the identity of the user that obtained the Session object.
Authorization is performed on each method call. Before executing the requested call, the Server will determine whether the identity associated with the current session is authorized to execute that call.
The following authentication options are available:
The user is authorized as per the rights assigned to the SSL certificate user ID in the Server API User Registry.
When SSL is used and the remote client application uses Server API listener objects, the client application must have its own certificate that is trusted by the TDI Server (this is analogous to the setup for SSL client authentication). If there is no client certificate trusted by the TDI Server, the listener objects will not work and the remote client application will not be able to receive notifications from the TDI Server.
This authentication method works regardless of whether SSL is used and whether SSL client authentication is used. The user is authorized as per the rights assigned to the username user in the Server API User Registry.
An example authentication hook JavaScript file is available to demonstrate what the JavaScript of an authentication hook looks like. This example JavaScript can also be used as the basis of real-world TDI authentication hooks.
You can view a JavaScript example that demonstrates how an authentication hook can use an LDAP server (Tivoli Directory Server, Active Directory, etc.) for authenticating client requests in the examples/auth_ldap TDI Server folder. The example file is called ldap_auth.js.
In order to use LDAP authentication the appropriate properties must be configured in global.properties/solution.properties. These properties are described in the Administrator Guide.
It is strongly recommended that you use this authentication only for demo purposes, quick prototyping and in closed, trusted environments.
In order to use JAAS authentication, the appropriate properties must be configured in global.properties or solution.properties and the JAAS Logon should be installed.
TDI 7.1 does not configure any JAAS authentication modules. It assumes that such modules are already implemented and properly configured, and it simply uses them.