Credentials in Single Sign-on

Created as a direct result of authentication, credentials are usually time-limited objects that you can use to perform tasks such as authorization checks, attribution requests, and single sign-on (SSO).

In addition to principals, credentials help identify users to other remote services. For example, in SAP Mobile Platform where CSI is integrated as the primary security system, credentials perform single sign-on into other systems that are accessed to fulfill a client’s request. CSI provides a wrapper on the credential concept to associate a name with a credential. This is to aid SAP Mobile Server in selecting the correct credential to propagate to the remote service when multiple providers (or multiple instances of a provider) add credentials of the same type (class) to the JAAS subject.

You can configure the endpoint connection definition with a property to identify the NamedCredential that should be propagated to the remote service to perform SSO. Credentials can also be used by the providers to communicate session information. An authentication provider can store the session information necessary for the attribution and authorization providers to perform their functions.

Add credentials to the sets returned by the getPublicCredentials() and getPrivateCredentials() methods of the JAAS Subject class. CSI does not treat public and private credentials differently. Providers should follow standard JAAS best practices when using credentials. When the security context is destroyed using the destroy() method, each public and private credential that implements the javax.security.auth.Destroyable interface has its own destroy() method called. This can be used to close any access that the credential's existence left open. For example, destroying a credential may terminate a user's session that was kept open and stored in the credential for use by the authorization or attribution provider, or it may have the eventual effect of triggering a logout audit record in the underlying security system.

The interface com.sybase.security.SSOTokenCredential should be implemented by credentials that contain tokens to be used for single sign-on into an SAP® system. It is used to identify the credential to be forwarded to an SAP endpoint (both JCo and DOEC endpoints).

The interface com.sybase.security.CertificateCredential should be implemented by credentials that contain the certificate to be used for single sign-on into an SAP system. It is used to identify the credential to be forwarded to an SAP endpoint (both JCo and DOEC endpoints).

The interface com.sybase.security.NamedCredential associates a name with a credential object so the Web service endpoints can be configured with the name of the credential to forward to the Web service for single sign-on.

The interface com.sybase.security.core.ExpiringCredential allows a credential to be marked with an expiration time. This is used by SAP Mobile Platform server to expire the user session in the authentication cache based on the credential expiration time instead of the configured authentication cache timeout interval.
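The following Java example is added here to illustrate the credential lifecycle described above: a provider adds a credential to the JAAS Subject, an endpoint selects the credential it is configured to forward by name when several providers have added credentials of the same class, the expiration time is checked, and security-context teardown destroys every Destroyable credential. It is not code from SAP Mobile Platform or CSI. The interfaces NamedCredentialLike and ExpiringCredentialLike, the class TokenCredential and the constructed token values are assumptions standing in for the com.sybase.security interfaces, whose method signatures are not shown on this page; only javax.security.auth.Subject and Destroyable are the real JAAS API.

```java
import java.time.Instant;
import java.util.Arrays;
import java.util.Set;
import javax.security.auth.DestroyFailedException;
import javax.security.auth.Destroyable;
import javax.security.auth.Subject;

// Hypothetical stand-ins for the CSI NamedCredential and ExpiringCredential
// interfaces; the real com.sybase.security signatures are assumed, not known.
interface NamedCredentialLike { String getName(); }
interface ExpiringCredentialLike { Instant getExpiration(); }

/** Constructed SSO token credential: named, expiring and destroyable. */
final class TokenCredential implements NamedCredentialLike, ExpiringCredentialLike, Destroyable {
    private final String name;
    private final Instant expiration;
    private char[] token;   // secret material, wiped on destroy()

    TokenCredential(String name, char[] token, Instant expiration) {
        this.name = name;
        this.token = token.clone();
        this.expiration = expiration;
    }
    public String getName() { return name; }
    public Instant getExpiration() { return expiration; }
    char[] getToken() {
        if (token == null) throw new IllegalStateException("credential destroyed");
        return token.clone();
    }
    @Override public void destroy() {
        if (token != null) {
            Arrays.fill(token, '\0');
            token = null;
        }
        // This is where a provider would close the backend session it kept open
        // for the authorization or attribution providers (hypothetical hook).
    }
    @Override public boolean isDestroyed() { return token == null; }
}

public final class CredentialDemo {
    /** A provider's commit step: add the credential to the subject's private credential set. */
    static void addPrivateCredential(Subject subject, Object credential) {
        subject.getPrivateCredentials().add(credential);
    }

    /** Select the credential an endpoint is configured to forward, by type and name. */
    static <T extends NamedCredentialLike> T selectNamed(Subject subject, Class<T> type, String name) {
        for (T c : subject.getPrivateCredentials(type)) {
            if (name.equals(c.getName())) return c;
        }
        return null;
    }

    /** True once the credential's expiration time has been reached. */
    static boolean isExpired(ExpiringCredentialLike c, Instant now) {
        return !now.isBefore(c.getExpiration());
    }

    /** Security-context teardown: destroy every Destroyable credential, public and private. */
    static int destroyAll(Subject subject) {
        int destroyed = 0;
        for (Set<Object> set : Arrays.asList(subject.getPublicCredentials(), subject.getPrivateCredentials())) {
            for (Object c : set) {
                if (c instanceof Destroyable) {
                    Destroyable d = (Destroyable) c;
                    if (d.isDestroyed()) continue;
                    try {
                        d.destroy();
                        destroyed++;
                    } catch (DestroyFailedException e) {
                        System.err.println("destroy failed for " + c + ": " + e.getMessage());
                    }
                }
            }
        }
        return destroyed;
    }

    public static void main(String[] args) {
        Subject subject = new Subject();
        Instant now = Instant.now();
        // Two providers add credentials of the same class (constructed values);
        // the endpoint configuration names the one to propagate.
        addPrivateCredential(subject, new TokenCredential("erpToken", "tok-A".toCharArray(), now.plusSeconds(600)));
        addPrivateCredential(subject, new TokenCredential("crmToken", "tok-B".toCharArray(), now.minusSeconds(1)));

        TokenCredential forErp = selectNamed(subject, TokenCredential.class, "erpToken");
        System.out.println("forward " + forErp.getName() + ", expired=" + isExpired(forErp, now));
        TokenCredential forCrm = selectNamed(subject, TokenCredential.class, "crmToken");
        System.out.println("forward " + forCrm.getName() + ", expired=" + isExpired(forCrm, now));

        int n = destroyAll(subject);
        System.out.println("destroyed " + n + " credentials; erpToken destroyed=" + forErp.isDestroyed());
    }
}
```

Selecting by name rather than by class alone is the point of the NamedCredential wrapper: both providers above add a TokenCredential, and only the endpoint's configured name disambiguates them. The expiry check mirrors the ExpiringCredential behaviour, where the credential's own expiration time, not the cache timeout, decides when the cached session is dropped, and destroyAll mirrors the context destroy() behaviour, wiping the token and giving the provider a place to close the session it left open.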