HTTP Authentication Security Provider

Use HttpAuthenticationLoginModule provider to use Basic authentication to enable automatic application registration. This provider is required when registration is set to automatic. It can also be used to enable SSO into SAP servers in place of the deprecated SAPSSOTokenLoginModule.

The LoginModule validates standard username/password style credentials by passing them to a Web server. Configure the URL property to point to a Web server that challenges for basic authentication.

This provider is enhanced to authenticate the user by validating a token specified by the client by sending the configured client values to the HTTP backend in the specified format (header/cookie). Any parameter value, for example personalization parameter, http header, or http cookie can be specified in the ClientHttpValuesToSend property so that the provider can retrieve the value of the configured parameter(s) and pass them to the Web server in the format required by the SendClientHttpValuesAs configuration property.

For example, to extract the cookie "MyCookie" from the client session to Unwired Server and pass it along to the Web server as the cookie "testSSOCookie", set the properties ClientHttpValuesToSend to "MyCookie" and set SendClientHttpValuesAs to cookie:testSSOCookie.

Note: Note that if "ClientHttpValuesToSend" property is configured, the provider only attempts to authenticate the user using those values. It does not set the username/password credentials in the http session to the Web server. If the specified client values are not found in the client session to SUP or if the Web server fails to validate the specified token, then this provider fails the authentication unless the property "TryBasicAuthIf TokenAuthFails" is set to true to enable it to revert to passing the username/password credentials to respond to the BasicAuth challenge.

Best practice guidelines include:

Using an HTTPS URL to avoid exposing credentials.
If the Web server's certificate is not signed by a well known CA, import the CA certificate used to sign the Web server's certificate into the Unwired Server truststore.jks. The truststore is prepopulated with CA certificates from reputable CAs.
If this Web server returns a cookie as part of successful authentication, set the SSO Cookie Name configuration property to the name of this cookie. Upon successful authentication, this login module places the cookie value into an HttpSSOTokenCredential object and attaches it to the java.security.Subject as a public credential.
Note: The HTTP Basic login module is the module that can either be used for SSO tokens or HTTP basic without SSO. The sole condition being that the backend support HTTP Basic authentication.
When using this module in lieu of the deprecated SAPSSOTokenLoginModule, the cookie name is typically "MYSAPSSO2".

For example, SiteMinder is often used in mobile deployments to protect existing Web-based applications. Existing users point their browser at a URL, and SiteMinder intercepts an unauthenticated session to challenge for credentials (Basic). When the authentication succeeds, it returns a SMSESSION cookie with a Base64-encoded value that can be used for SSO into other SiteMinder enabled systems.

See HTTP Basic Authentication Properties.