
June 28, 2007 #

Authentication for Web Applications Users on the J2EE

Authentication is the mechanism by which the J2EE engine verifies a user's identity before the user is allowed to access a Web application resource. The J2EE specification defines four standard authentication schemes (authentication types):

(1) BASIC: the user name and password are entered in the browser's own login dialog;

(2) FORM: the user name and password are entered in an HTML form provided by the application;

(3) DIGEST: a more advanced form of BASIC, in which the user name and password are encoded (digested) rather than sent in the clear;

(4) CLIENT-CERT: authentication with digital certificates; requires the HTTPS protocol.

Pluggable Authentication using JAAS Login Modules:

This means you can develop your own login modules and register them with the security provider of the J2EE engine. To apply your own login modules to a Web application, you only need to configure them in web-j2ee-engine.xml.

Overview of the Login Process in JAAS:

1. The application calls the login() method of the LoginContext class.

2. The LoginContext calls the login() method of each of the login modules in the stack, in the order in which they are configured.

Each login module completes the user authentication in two phases:

a. First, when its login() method is called, it uses a CallbackHandler class to negotiate the required authentication information with the user.

b. The second phase consists of calling the commit() method of the login module if the user has authenticated successfully, or the abort() method if the authentication fails.

The login process is successful if the user is authenticated by all the required login modules in the stack (that is, the commit() method of every login module that successfully authenticated the user returns).
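The two-phase process above, as an added example in Java (not code from the original post or from SAP): a minimal LoginModule with login()/commit()/abort(), a CallbackHandler that stands in for the user's input, and a login-module stack configured in code instead of through the J2EE engine's security provider. The user name, password and stack name are constructed for the demo.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

// Two-phase JAAS login module: login() gathers credentials through the CallbackHandler,
// commit() attaches the principal to the Subject on success, abort() discards state on failure.
public class DemoLoginModule implements LoginModule {
    private Subject subject;
    private CallbackHandler handler;
    private boolean loginOk;
    private String user;

    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) { subject = s; handler = h; }
    public boolean login() throws LoginException {                    // phase 1: negotiate credentials
        NameCallback nc = new NameCallback("user: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try { handler.handle(new Callback[] { nc, pc }); }
        catch (IOException | UnsupportedCallbackException e) { throw new LoginException(e.getMessage()); }
        // Constructed credential check; a real module would consult the configured user data source.
        loginOk = "alice".equals(nc.getName()) && Arrays.equals("s3cret".toCharArray(), pc.getPassword());
        pc.clearPassword();                                           // do not keep the password in memory
        if (!loginOk) throw new FailedLoginException("bad credentials");
        user = nc.getName();
        return true;
    }
    public boolean commit() {                                         // phase 2, success: commit()
        if (!loginOk) return false;
        subject.getPrincipals().add((Principal) () -> user);
        return true;
    }
    public boolean abort() { loginOk = false; user = null; return true; }      // phase 2, failure: abort()
    public boolean logout() { subject.getPrincipals().clear(); return true; }

    public static void main(String[] args) throws LoginException {
        Configuration.setConfiguration(new Configuration() {          // stack with one REQUIRED module
            public AppConfigurationEntry[] getAppConfigurationEntry(String n) { return new AppConfigurationEntry[] {
                new AppConfigurationEntry(DemoLoginModule.class.getName(), AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Map.of()) }; }
        });
        CallbackHandler answers = cbs -> { for (Callback c : cbs) {   // stands in for the user's input
            if (c instanceof NameCallback) ((NameCallback) c).setName("alice");
            else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword("s3cret".toCharArray()); } };
        LoginContext lc = new LoginContext("demo", answers);         // step 1: the application calls login()
        lc.login();                                                   // step 2: the context drives the stack
        System.out.println(lc.getSubject().getPrincipals().iterator().next().getName());
    }
}
```

With a wrong password, login() throws FailedLoginException, the LoginContext calls abort() instead of commit(), and the Subject ends up with no principal.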

posted @ 2007-06-28 13:02 狮子先生 reads (1284) | comments (0)

June 27, 2007 #

EP: the portal's default user management service, UME (configuration)

UME Data Source

1. When installing the Web AS, you can choose either a database or an ABAP system as the UME data source.

    An ABAP+Java installation automatically uses ABAP user management; the configuration file is dataSourceConfiguration_abap.xml.

    A Java-only installation can choose between:

        (1) the Java system database: this makes it easy to change the data source later, for example to an LDAP directory; the configuration file is dataSourceConfiguration_database_only.xml;

        (2) an ABAP system: the configuration file is dataSourceConfiguration_abap.xml.

    The data source configuration files cannot be switched arbitrarily; there are dependencies between them, so read SAP Note 718383 carefully before configuring the data source.

2. After installation, configure the UME data source with one of the data source configuration files: enter the name of the SAP-preconfigured data source configuration file to use in the parameter ume.persistence.data_source_configuration.

3. After installation, configure the UME data source with a customized data source configuration file (not recommended by SAP).


posted @ 2007-06-27 15:19 狮子先生 reads (2312) | comments (0)

EP: the portal's default user management service, UME (administration)

UME user types

    Guest Users: users who do not yet belong to a company, or who have registered as company users but whose registration is still awaiting approval; default group Authenticated Users.

    Company Users: users who belong to a company; default group Authenticated Users.

    Anonymous Users: users who can log on anonymously; all anonymous users are listed in the UME property ume.login.guest_user.uniqueids; default group Anonymous Users.

    If no company has been created in the portal, all users other than Anonymous Users are Guest Users.

UME default groups

    Everyone: contains the Anonymous Users group and the Authenticated Users group;

    Anonymous Users: contains all anonymous users;

    Authenticated Users: contains all portal users other than anonymous users.

These three groups cannot be deleted; if they are deleted, they are recreated the next time the portal starts. Do not create groups with the same names as these three groups in the portal: an attempt to create a group with the same name in the user management UI produces an error message, and although a group with the same name can be created in the portal data source (for example LDAP), user management will then no longer work correctly. The names of the three groups can be changed in the J2EE engine Config Tool.

User registration

If the UME property ume.logon.selfreg is set to TRUE (the default), users may register themselves; such users need no administrator approval and are of type Guest Users. If a company has been configured in the portal, the UME property ume.admin.selfreg_company is also set to TRUE, and the user selects a company when registering, the user must be approved by the company's administrator; approved users become Company Users and rejected ones remain Guest Users. Approval is done under User Admin -> user -> New User Requests.

Activating the emergency user:

Setting the UME parameters ume.superadmin.activated=true and ume.superadmin.password=<password> in the J2EE engine Config Tool activates the SAP* user. While SAP* is active, no other user can use the portal, so deactivate SAP* again as soon as you have finished using it.

User administration console

    UME standalone: http://<J2EE_Engine_Server>:<port>/useradmin

    UME with EP: the User Administrator role

    Users changing their own settings: ume.admin.allow_selfmanagement=true, and the user is assigned a portal role that contains the UME.Manage_My_Profile action. With ABAP user management with read-write access, all users can edit their own profile by default.

    Extending the user profile:

        ume.admin.addattrs defines additional attributes that are only visible to administrators;

        ume.admin.self.addattrs defines additional attributes that are only visible to non-administrators.

        This description is not entirely accurate; see the corresponding SAP Help documentation for details.

    Changing user passwords: ume.logon.security_policy.password_change_allowed=true

    Maintaining Certificate Mappings Manually: to try out once I have an environment for it!

UME Roles:

    See the post: AS-java: UME Authorization

:

If the user data source is an LDAP directory, users and groups from the database cannot be added to groups in the LDAP directory, but users and groups from the LDAP directory can be added to groups in the database.

Replicating users

When configuring an SSO connection from the portal to an SAP system with logon tickets, the user IDs must be identical in both systems. The UME replication function ensures this: it can replicate portal users to up to three SAP systems (the connections between the portal and these systems are configured in the J2EE Config Tool). Replication normally runs automatically when users are imported into the portal or new users are created in the portal; if an error occurs, replication can be started manually under user admin -> replication.

Importing and exporting user data

Users need the following UME actions to use the import and export functions:

    UME.Batch_Admin: can operate on user data within the same company;

    UME.Manage_All_Companies: can operate on all user data.

Users, groups and (UME) roles cannot be imported at the same time.


posted @ 2007-06-27 10:21 狮子先生 reads (2517) | comments (0)

EP: the portal's default user management service, UME

UME user types:

    Guest Users: users who do not yet belong to a company, or who have registered as company users but whose registration is still awaiting approval; default group Authenticated Users.

    Company User: a user who belongs to a company; default group Authenticated Users.

    Anonymous Users: users who can log on anonymously; all anonymous users are listed in the UME property ume.login.guest_user.uniqueids; default group Anonymous Users.

UME default groups:

    Everyone: contains the Anonymous Users group and the Authenticated Users group;

    Anonymous Users: contains all anonymous users;

    Authenticated Users: contains all portal users other than anonymous users.

These three groups cannot be deleted; if they are deleted, they are recreated the next time the portal starts. Do not create groups with the same names as these three groups in the portal: an attempt to create a group with the same name in the user management UI produces an error message, and although a group with the same name can be created in the portal data source (for example LDAP), user management will then no longer work correctly. The names of the three groups can be changed in the J2EE engine Config Tool.


posted @ 2007-06-27 10:01 狮子先生 reads (1856) | comments (0)

June 25, 2007 #

KMC:Hot-deployment of KMC components

Note 894884 - Hot-deployment of KMC components - Clarification

posted @ 2007-06-25 21:25 狮子先生 reads (1549) | comments (0)

EP: Single Sign-on with Logon Tickets

To use SAP logon tickets there must be a system that issues the tickets. This can be the portal or another SAP system, but the portal is the better choice because it is the single sign-on entry point.

If the portal is the ticket-issuing system, the SSO process is as follows:

1. When the portal server is started for the first time, a cryptographic key pair (public and private key) is generated; the private key is used to sign the tickets (digital signature).

2. The user logs on to the portal; the underlying Web AS issues a logon ticket to the user, which is stored in a temporary (session) cookie in the user's browser.

3. Each time the user accesses an external system through the portal, the browser sends the ticket together with the request to the external system.

4. The external system uses the public key downloaded from the portal to verify the ticket. If the ticket is valid, the user information is extracted from it.

5. The user is logged on to the external system.
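The five-step flow above, as an added example in Java (not SAP's code): one side issues a signed ticket with its private key, the other side verifies it with the issuer's public key and only then trusts the user ID it carries, rejecting expired tickets and tickets signed with any other key. The ticket format ("userId|expiry" plus an RSA signature, base64url-encoded), the 8-hour validity and the user name are constructed for the demo; SAP's real logon ticket encoding is different.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.time.Instant;
import java.util.Base64;

// Issuer signs "userId|expiry" with its private key; a receiving system verifies the signature with
// the issuer's public key and checks the expiry before trusting the user ID (constructed demo format).
public class TicketDemo {
    static final long VALIDITY_SECONDS = 8 * 3600;                  // default validity of 8 hours
    // Step 1: key pair created once on the issuing (portal) side; only the public key is distributed
    static KeyPair generateKeyPair() throws GeneralSecurityException {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        return g.generateKeyPair();
    }
    // Step 2: issue a ticket "payload.signature" (base64url) that the browser keeps in a session cookie
    static String issue(String userId, Instant now, PrivateKey priv) throws GeneralSecurityException {
        byte[] payload = (userId + "|" + now.plusSeconds(VALIDITY_SECONDS).getEpochSecond()).getBytes(StandardCharsets.UTF_8);
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(priv);
        s.update(payload);
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        return enc.encodeToString(payload) + "." + enc.encodeToString(s.sign());
    }

    // Step 4: the receiving system verifies with the issuer's public key and extracts the user ID;
    // returns null when the format, the signature or the validity period is not acceptable
    static String verify(String ticket, Instant now, PublicKey pub) throws GeneralSecurityException {
        String[] parts = ticket.split("\\.");
        if (parts.length != 2) return null;
        byte[] payload = Base64.getUrlDecoder().decode(parts[0]);
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(pub);
        s.update(payload);
        if (!s.verify(Base64.getUrlDecoder().decode(parts[1]))) return null;   // not signed by the trusted issuer
        String[] fields = new String(payload, StandardCharsets.UTF_8).split("\\|");
        if (fields.length != 2 || now.getEpochSecond() >= Long.parseLong(fields[1])) return null;   // expired
        return fields[0];
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPair issuer = generateKeyPair();
        String ticket = issue("alice", Instant.now(), issuer.getPrivate());
        System.out.println(verify(ticket, Instant.now(), issuer.getPublic()));                          // fresh ticket
        System.out.println(verify(ticket, Instant.now().plusSeconds(9 * 3600), issuer.getPublic()));    // past its validity
        System.out.println(verify(ticket, Instant.now(), generateKeyPair().getPublic()));               // a different issuer's key
    }
}
```

The receiving side never needs the private key, which is why only the public key is downloaded from the issuing system.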

posted @ 2007-06-25 12:17 狮子先生 reads (1266) | comments (0)

June 24, 2007 #

EP:Defining an SAP Reference System for User Data

Use

When you use SAP logon tickets for Single Sign-On to SAP Systems, users must have the same user IDs in all SAP Systems that are configured to use SAP logon tickets. If the SAP user IDs are different from the portal user IDs, you must define an SAP reference system. Users then map their portal user ID to the user ID in the SAP reference system. The mapped user ID is included in the SAP logon ticket and enables Single Sign-On using logon tickets to all SAP Systems in which the user has the same user ID.

Prerequisites

Users have the same ID in all SAP component systems that are configured to use logon tickets for Single Sign-On. Passwords do not have to be identical.

Procedure

Define a system object for the reference system ...

1. If the system you wish to use as SAP reference system has not yet been defined as a system in the portal, define it as described in Creating Systems.

2. Ensure that a system alias has been defined for the system. If it does not have a system alias, it will not appear in the user mapping tool. See Maintaining a System Alias List.

3. Set the user mapping properties. You must always set a value for the property User Mapping Type. For details, see System Properties for User Mapping.

Define the reference system in the user management configuration tool ...

4. In the user management configuration tool, choose Security Settings. For more information on the user management configuration tool, see User Management Configuration Tool.

5. In SAP Reference System, choose the system alias of the above system.

6. Restart the Java application server.

Result

When users start the user mapping function, one of the component systems that they can select is the SAP reference system. They can map their portal user ID to their user ID in this reference system. The user mapping function connects to the SAP reference system using the user ID and password to verify that the password entered by the user is correct. The next time the user logs on to the portal, the portal generates an SAP logon ticket for the user that contains both his or her portal user ID and the mapped user ID.

posted @ 2007-06-24 18:04 狮子先生 reads (1939) | comments (0)

EP: SSO

1 Using Logon Tickets

The ticket a user receives is stored as a temporary (session) cookie in the user's Web browser. Because the cookie carries user information, it is best to configure a Secure Sockets Layer (SSL) connection.

The logon ticket can be marked as a secure cookie, so that the client browser sends the cookie only over an SSL connection; this is done by setting the parameter ume.logon.security.enforce_secure_cookie to True, which is also the setting SAP recommends.

To reduce the risk of a ticket being intercepted by an attacker, the validity period of the ticket can also be shortened; the default validity period is 8 hours.

2 Using Logon Tickets with User Mapping

The portal user ID is mapped to the ABAP user ID in the SAP reference system; by default the mapped user ID is stored encrypted in the UME database.

The portal user ID can also be mapped to an LDAP directory, but the mapped user ID is then stored unencrypted, so it is best to make sure the user ID has no edit permission on the LDAP directory.

3 Using User ID and Password with User Mapping

When Single Sign-On with user ID and password is used, the user ID and password are sent across the network. We strongly recommend that you protect the connections to the backend systems using HTTPS or SNC to prevent the user ID and password being read by an unauthorized user. We strongly recommend that you install the full version of the SAP Java Cryptographic Library if you use user mapping. This toolkit is required so that user mapping data can be stored in encrypted form. If the toolkit is not deployed, user mapping data is stored with weak encryption (base 64 encoding), which is not recommended for production systems.

posted @ 2007-06-24 17:39 狮子先生 reads (1783) | comments (0)

AS-java:Declarative and Programmatic Authentication

Applications running on J2EE Engine have two options for authenticating users:

· Declarative authentication (also known as container-based authentication): The Web container (in this case, the J2EE Engine) handles authentication. A component running on the J2EE Engine declares its protected resources and its desired authentication mechanism in its deployment descriptor. When a protected resource of this component is accessed, the container in which the component runs triggers authentication.

· Programmatic authentication (also known as UME authentication): Components running on the J2EE Engine authenticate directly against the User Management Engine (UME) using the UME API. The component explicitly triggers authentication and then the authentication process is controlled by the authentication framework.

Web Dynpro applications and portal iViews always use programmatic (UME) authentication. J2EE Web applications can use either declarative or programmatic authentication depending on which the developer decides to use.

Both declarative and programmatic authentication use login modules and login module stacks as their underlying technology. Applications that use declarative authentication define which login module stack they use in their deployment descriptor. Programmatic authentication additionally introduces the concept of authentication schemes. Applications that use programmatic authentication are associated with an authentication scheme. The authentication scheme in turn references a login module stack.

posted @ 2007-06-24 16:47 狮子先生 reads (1594) | comments (0)

EP: a risk between EP and BSP system

Configuring user mapping between the portal and BSP systems exposes a security risk: the user ID and password are exposed in the HTTP header. You have the following options to eliminate this risk:

  ● Reconfigure the systems to use single sign-on with logon tickets. This requires that users have the same user ID in the portal as well as in the BSP systems.

  ● Upgrade the portal system to NetWeaver 2004s SPS 7 or later and upgrade the BSP system as described in SAP Note 904249. This enables both systems to support HTTP POST in combination with SSL.

posted @ 2007-06-24 16:36 狮子先生 reads (1708) | comments (0)