Authentication mechanism
Authentication is the process of establishing whether a client is valid in a particular context. A client can be an end user, a machine, or an application. An authentication mechanism defines rules about security information (for example, whether a credential can be forwarded to another Java process) and the format in which security information is stored in both credentials and tokens.
An authentication mechanism in WebSphere Application Server typically collaborates closely with a user registry. The user registry is the repository of user and group accounts that the authentication mechanism consults when it performs authentication. The authentication mechanism is responsible for creating a credential, which is an internal product representation of a successfully authenticated client user. The abilities of the credential are determined by the configured authentication mechanism.
The WebSphere Application Server provides two authentication mechanisms: Simple WebSphere Authentication Mechanism (SWAM) and Lightweight Third Party Authentication (LTPA). These two authentication mechanisms differ primarily in the distributed security features each supports. Only one configured authentication mechanism can be active at a given time. The active authentication mechanism is selected when you configure WebSphere global security.
Authentication process
This figure shows the authentication process:
These steps describe what occurs during the authentication process:
1. Authentication is required for enterprise bean clients and Web clients when they access protected resources. Enterprise bean clients (a servlet, another enterprise bean, or a pure client) send the authentication information to the application server through the CSIV2 or SAS protocol. Web clients use the HTTP or HTTPS protocol to send the authentication information. The authentication information can be basic authentication (user ID and password), a credential token (in the case of LTPA), or a client certificate. Web authentication is performed by the Web authentication module, and enterprise bean authentication is performed by the enterprise bean authentication module, which resides in the CSIV2 or SAS layer itself.
2. The authentication module is implemented using a Java Authentication and Authorization Service (JAAS) login module. The Web authenticator and the enterprise bean authenticator pass the authentication data to the login module.
3. The login module can use either Lightweight Third Party Authentication (LTPA) or Simple WebSphere Authentication Mechanism (SWAM) for authentication.
4. The authentication module uses the user registry that is configured on the system to perform the authentication. Three types of registry are supported: the local operating system (LocalOS), Lightweight Directory Access Protocol (LDAP), and custom registries.
5. The login module creates a JAAS subject after authentication and stores the CORBA credential that is derived from the authentication data in the public credentials list of the subject. The credential is returned to the Web authenticator or the enterprise bean authenticator.
6. The enterprise bean authenticator and the Web authenticator store the received credential in the ORB that is current for the authorization service and use it to perform further access-control checking.
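The two-phase JAAS flow in steps 2 to 5 (collect the authentication data, verify it against a registry, then create a credential and store it in the subject's public credentials), shown as an added example; this is not WebSphere's own login module. `UserRegistry` and `RegistryCredential` are constructed stand-ins for the product's registry and credential classes, and the user entry in `main` is constructed sample data.

```java
import java.util.Arrays;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
// Stand-in for the registry the module consults (LocalOS, LDAP or a custom registry in the product).
interface UserRegistry { boolean checkPassword(String userId, char[] password); }
// Constructed stand-in for the product credential object; not the WebSphere credential class.
record RegistryCredential(String userId, boolean forwardable) {}
public class RegistryLoginModule implements LoginModule {
    private final UserRegistry registry;
    private Subject subject;
    private CallbackHandler handler;
    private String userId;   // set only once the registry has accepted the password
    RegistryLoginModule(UserRegistry registry) { this.registry = registry; }
    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) { subject = s; handler = h; }
    // Phase 1: obtain user ID and password through the callbacks and verify them against the registry.
    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try { handler.handle(new Callback[] { nc, pc }); }
        catch (Exception e) { throw new LoginException("cannot collect authentication data"); }
        char[] pw = pc.getPassword();
        boolean ok = pw != null && registry.checkPassword(nc.getName(), pw);
        if (pw != null) Arrays.fill(pw, '\0'); pc.clearPassword();   // drop the cleartext password
        if (!ok) throw new FailedLoginException("authentication failed");
        userId = nc.getName();
        return true;
    }
    // Phase 2: only now is the credential created and stored in the subject's public credentials.
    public boolean commit() {
        if (userId == null) return false;
        subject.getPublicCredentials().add(new RegistryCredential(userId, false));
        return true;
    }
    public boolean abort() { userId = null; return true; }
    public boolean logout() { subject.getPublicCredentials().removeIf(c -> c instanceof RegistryCredential); return true; }
    public static void main(String[] args) throws LoginException {
        UserRegistry registry = (u, p) -> "alice".equals(u) && Arrays.equals(p, "s3cret".toCharArray()); // constructed entry
        RegistryLoginModule lm = new RegistryLoginModule(registry);
        Subject subject = new Subject();
        lm.initialize(subject, cbs -> {   // the authenticator hands over the data it received from the client
            ((NameCallback) cbs[0]).setName("alice");
            ((PasswordCallback) cbs[1]).setPassword("s3cret".toCharArray());
        }, Map.of(), Map.of());
        if (lm.login()) lm.commit();
        subject.getPublicCredentials(RegistryCredential.class).forEach(c -> System.out.println("credential for " + c.userId()));
    }
}
```

A wrong password makes `login()` throw `FailedLoginException` before any credential exists, so the subject stays empty and the authorization service in step 6 has nothing to grant access on.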