Message layer authentication
Message layer authentication defines the credential information and sends that information across the network so that a receiving server can interpret it.
When you send authentication information across the network using a token, the transmission is considered message layer authentication because the data is sent with the message, inside a service context.
A pure Java™ client uses either Kerberos (KRB5) or basic authentication (Generic Security Services Username Password, GSSUP) as the authentication mechanism to establish client identity.
However, a servlet can use either basic authentication (GSSUP) or the authentication mechanism of the server, Kerberos (KRB5) or Lightweight Third Party Authentication (LTPA), to send security information in the message layer. Use KRB5 or LTPA either by authenticating directly or by mapping the basic authentication credentials to the security mechanism of the server.
The security token that is contained in a token-based credential is authentication mechanism-specific. The way that the token is interpreted is only known by the authentication mechanism. Therefore, each authentication mechanism has an object ID (OID) representing it. The OID and the client token are sent to the server, so that the server knows which mechanism to use when reading and validating the token. The following list contains the OIDs for each mechanism:
- KRB5: OID 1.2.840.113554.1.2.2
- LTPA: OID 1.3.18.0.2.30.2
- SWAM: no OID, because it is not forwardable
received credential that the authorization check uses to determine if the user has access to invoke the method.
You can specify the authentication mechanism by using the following property on the client side: com.ibm.CORBA.authenticationTarget
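The OID-driven selection described above (the server interprets the token only with the mechanism the OID names, and SWAM never appears because it has no OID), as an added example that is not WebSphere code; the token format and keys are constructed for the illustration and stand in for the real KRB5 and LTPA token formats.

```python
# Toy model of message-layer authentication: the client sends an OID plus a
# mechanism-specific token in a service context and the server picks the
# validator by OID. Added example, not WebSphere code; the token format is
# constructed (HMAC over the principal) and is not a real KRB5/LTPA format.
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

KRB5_OID = "1.2.840.113554.1.2.2"  # OIDs as listed on the page
LTPA_OID = "1.3.18.0.2.30.2"

@dataclass(frozen=True)
class ServiceContext:
    oid: str
    token: bytes

@dataclass(frozen=True)
class ReceivedCredential:  # what the authorization check consumes
    principal: str
    mechanism: str

# Constructed per-mechanism server secrets (a real server holds a keytab or
# LTPA keys, not shared HMAC keys).
_KEYS = {KRB5_OID: b"constructed-krb5-key", LTPA_OID: b"constructed-ltpa-key"}

def make_token(oid: str, principal: str) -> bytes:
    mac = hmac.new(_KEYS[oid], principal.encode(), hashlib.sha256).hexdigest()
    return f"{principal}:{mac}".encode()

def _validate(oid: str, token: bytes) -> Optional[str]:
    try:
        principal, mac = token.decode().rsplit(":", 1)
    except ValueError:
        return None
    good = hmac.new(_KEYS[oid], principal.encode(), hashlib.sha256).hexdigest()
    return principal if hmac.compare_digest(mac, good) else None

# OID -> (mechanism name, validator). SWAM has no OID because it is not
# forwardable, so it can never be selected from the wire.
MECHANISMS: Dict[str, Tuple[str, Callable[[bytes], Optional[str]]]] = {
    KRB5_OID: ("KRB5", lambda t: _validate(KRB5_OID, t)),
    LTPA_OID: ("LTPA", lambda t: _validate(LTPA_OID, t)),
}

def authenticate(ctx: ServiceContext) -> Optional[ReceivedCredential]:
    """Interpret the token with the mechanism the OID names; None = rejected."""
    entry = MECHANISMS.get(ctx.oid)
    if entry is None:  # unknown OID: the server cannot interpret the token
        return None
    name, validate = entry
    principal = validate(ctx.token)
    return ReceivedCredential(principal, name) if principal else None
```

A token presented under the wrong OID, an unknown OID, or a tampered token all yield no received credential, so no authorization check ever runs on it.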
Configuring authentication retries
Situations occur where you want a prompt to display again if you entered your user ID and password incorrectly, or where you want a method to retry when a particular error occurs back at the client. If the error can be corrected with information available at the client side, and the system is configured appropriately, the system automatically performs a retry without the client seeing the failure. Retries apply in situations such as the following:
- Entering a user ID and password that are not valid
- Having an expired credential on the server
- Failing to find the stateful session on the server
Immediate validation of a basic authentication login
In WebSphere Application Server Version 6.x, a behavior is defined during request_login for a BasicAuth login.
In releases prior to Version 5, a BasicAuth login takes the user ID and password entered through the loginSource method and creates a BasicAuth credential. If either the user ID or the password is not valid, the client program does not find out until the first method request is attempted. When the user ID or password is specified during a prompt or programmatic login, the user ID and password are authenticated by default with the security server, with a True or False returned as the result. If False, an org.omg.SecurityLevel2.LoginFailed exception is returned to the client indicating that the user ID and password are not valid. If True, then the BasicAuth credential is returned to the caller of the request_login.
To disable this feature on the pure client, specify com.ibm.CORBA.validateBasicAuth=false. By default, this feature is set to True. On the server side, specify this property in the security dynamic properties.