ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzamy_5.4.0.1/50/sec/secauthm.htm


2024-04-02 14:02:31 +00:00
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<META http-equiv="Content-Type" content="text/html; charset=utf-8">
<LINK rel="stylesheet" type="text/css" href="../../../rzahg/ic.css">
<title>Authentication mechanism</title>
</head>
<BODY>
<!-- Java sync-link -->
<SCRIPT LANGUAGE="Javascript" SRC="../../../rzahg/synch.js" TYPE="text/javascript"></SCRIPT>
<h5><a name="secauthm"></a>Authentication mechanism</h5>
<p>Authentication is the process of establishing whether a client is valid in a particular context. A client can be an end user, a machine, or an application. An authentication mechanism defines rules about security information (for example, whether a credential can be forwarded to another Java process), and the format in which security information is stored in both credentials and tokens.</p>
<p>An authentication mechanism in WebSphere Application Server - Express typically collaborates closely with a user registry. The user registry is the repository of user and group accounts that the authentication mechanism consults when it performs authentication. The authentication mechanism is responsible for creating a credential, which is an internal product representation of a successfully authenticated client user. The abilities of the credential are determined by the configured authentication mechanism.</p>
<p>The WebSphere Application Server - Express provides two authentication mechanisms: Simple WebSphere Authentication Mechanism (SWAM) and Lightweight Third Party Authentication (LTPA). These two authentication mechanisms differ primarily in the distributed security features each supports. Only one configured authentication mechanism can be active at a given time. The active authentication mechanism is selected when you configure WebSphere global security.</p>
<p><strong>Authentication process</strong></p>
<p>This figure shows the authentication process:</p>
<p><img src="rzamy510.gif" width="595" height="325" alt="WebSphere Application Server - Express authentication process"></p>
<p>These steps describe what occurs during the authentication process:</p>
<ol>
<li><p>Authentication is required for Web clients when they access protected resources. Web clients use the HTTP or HTTPS protocol to send the authentication information. The authentication information can be basic authentication (user ID and password), a credential token (in the case of LTPA), or a client certificate. The Web authentication is performed by the Web authentication module.</p></li>
<li><p>The authentication module is implemented using a Java Authentication and Authorization Service (JAAS) login module. The Web authenticator passes the authentication data to the login module.</p></li>
<li><p>The login module can use either Lightweight Third Party Authentication (LTPA) or Simple WebSphere Authentication Mechanism (SWAM) for authentication.</p></li>
<li><p>The authentication module uses the user registry that is configured on the system to perform the authentication. There are three types of registries supported: the local operating system (LocalOS), Lightweight Directory Access Protocol (LDAP), and custom registries.</p></li>
<li><p>The login module creates a JAAS subject after authentication and stores the CORBA credential that is derived from the authentication data in the public credentials list of the subject. The credential is returned to the Web authenticator.</p></li>
<li><p>The Web authenticator stores the received credentials in the ORB that is current for the authorization service and uses it to perform further access-control checking.</p></li>
</ol>
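<p>Steps 2, 4 and 5 above, shown as a plain JAAS login module. This is an added example, not IBM's code or the product's SWAM or LTPA implementation: the class name, the in-memory registry and the string credential are hypothetical stand-ins for the configured user registry and the CORBA credential. It assumes Java 9 or later.</p>

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

// Added illustration: a generic JAAS module, not the product's SWAM or LTPA implementation.
public class SampleRegistryLoginModule implements LoginModule {
    // Hypothetical stand-in for the configured user registry; constructed sample data.
    private static final Map<String, String> REGISTRY = Map.of("alice", "constructed-sample-pw");
    private Subject subject;
    private CallbackHandler handler;
    private String credential; // placeholder for the credential derived from the authentication data

    @Override public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        subject = s; handler = h;
    }
    @Override public boolean login() throws LoginException {
        NameCallback name = new NameCallback("user: ");
        PasswordCallback pw = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] {name, pw}); // step 2: the caller passes in the authentication data
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("cannot obtain authentication data");
        }
        char[] supplied = pw.getPassword();
        pw.clearPassword();
        // Step 4: consult the registry (Map.of rejects null keys, so guard first).
        String expected = name.getName() == null ? null : REGISTRY.get(name.getName());
        // Constant-time compare; one failure message for unknown user and wrong password.
        if (expected == null || supplied == null || !MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8), new String(supplied).getBytes(StandardCharsets.UTF_8))) {
            throw new FailedLoginException("authentication failed");
        }
        credential = "credential-for:" + name.getName();
        return true;
    }
    @Override public boolean commit() { // step 5: publish the credential on the subject
        return credential != null && subject.getPublicCredentials().add(credential);
    }
    @Override public boolean abort() { return credential != null && logout(); }
    @Override public boolean logout() {
        if (credential != null) subject.getPublicCredentials().remove(credential);
        credential = null;
        return true;
    }
}
```

<p>The credential is attached to the subject only in <code>commit()</code>, so a failed <code>login()</code> leaves the subject's public credentials list untouched.</p>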
</body>
</html>