Message layer authentication
Message layer authentication defines credential information and then sends that information across the network so that a downstream server can interpret it. When authentication information is sent across the network using a token, the transmission is considered message layer authentication, because the data travels with the message inside a service context.
- A pure Java client uses Kerberos (KRB5) or basic authentication (GSSUP), as the authentication mechanism to establish client identity.
- A servlet can use GSSUP, KRB5 or Lightweight Third Party Authentication (LTPA) to send security information in the message layer. KRB5 or LTPA is used either by authenticating directly or by mapping the basic authentication credentials to the security mechanism of the server.
The security token contained in a token-based credential is authentication mechanism-specific. The way that the token is interpreted is only known by the authentication mechanism. Therefore, each authentication mechanism has an object ID (OID) representing it. The OID and the client token are sent to the server, so that the server knows which mechanism to use when reading and validating the token.
- BasicAuth (GSSUP) OID: 2.23.130.1.1.1
- KRB5 OID: 1.2.840.113554.1.2.2
- LTPA OID: 1.3.18.0.2.30.2
- SWAM (deprecated): no OID, because it is not forwardable
On the server, the authentication mechanism can either interpret the token and create a credential, or authenticate the basic authentication data from the client and create a credential. Either way, the created credential is the received credential that the authorization check uses to determine whether the user has access to invoke the method. The authentication mechanism is specified on the client side with the following property:
- com.ibm.CORBA.authenticationTarget
Basic authentication (BasicAuth) and KRB5 are currently the only valid values. We can configure the server through the administrative console. When perform basic authentication is enabled, if the client is not similarly configured (and does not pass a credential such as a user ID and password).
Configure authentication retries
Authentication retries cause the login prompt to display again when the user ID and password were entered incorrectly, or cause a retry when a particular error occurs back at the client. If the error can be corrected with information available on the client side, and the system is configured appropriately, the retry is performed automatically without the client seeing the failure. Some of these errors include:
- Entering a user ID and password that are not valid
- Having an expired credential on the server
- Failing to find the stateful session on the server
By default, authentication retries are enabled and perform three retries before returning the error to the client. Use the com.ibm.CORBA.authenticationRetryEnabled property (True or False) to enable or disable authentication retries. Use the com.ibm.CORBA.authenticationRetryCount property to specify the number of retry attempts.
Immediate validating of a basic authentication login
In WAS v6.x, a behavior is defined during request_login for a BasicAuth login. In releases prior to v5, a BasicAuth login takes the user ID and password entered through the loginSource method and creates a BasicAuth credential; if either the user ID or the password is not valid, the client program does not find out until the first method request is attempted. Now, when the user ID and password are specified during a prompt or programmatic login, they are authenticated by default with the security server, which returns True or False as the result. If False, an org.omg.SecurityLevel2.LoginFailed exception is returned to the client, indicating that the user ID and password are not valid. If True, the BasicAuth credential is returned to the caller of request_login. To disable this feature on the pure client, specify com.ibm.CORBA.validateBasicAuth=false. By default, this feature is set to True. On the server side, specify this property in the security dynamic properties.