Sun Java System Access Manager 7 2005Q4 Technical Overview

Authentication Chaining

You can configure one or more authentication module instances so that a user must pass authentication credentials to all of those module instances before the user is allowed access. This feature is called authentication chaining. Whether access is granted depends on the control flags you specify for the chain. Access Manager uses the Java Authentication and Authorization Service (JAAS) framework to implement authentication chaining; the JAAS framework is integrated in the Authentication Service.

You can configure authentication chaining by realm, user, role, or service configuration. Each authentication module in a chain carries a control flag that indicates what is required of that module for the overall authentication to succeed.

Each registered authentication module type is assigned one of the following control flags:

Requisite.

The LoginModule is required to succeed. If it succeeds, authentication continues down the LoginModule list. If it fails, control immediately returns to the application (authentication does not proceed down the LoginModule list).

Required.

Authentication to this module is required to succeed. If any of the required modules in the chain fails, the whole authentication chain ultimately fails. However, whether a required module succeeds or fails, control continues to the next module in the chain.

Sufficient.

The LoginModule is not required to succeed. If it does succeed, control immediately returns to the application (authentication does not proceed down the LoginModule list). If it fails, authentication continues down the LoginModule list.

Optional.

The LoginModule is not required to succeed. Whether it succeeds or fails, authentication still continues to proceed down the LoginModule list.

Once authentication to all modules in the chain is successful, control is returned to the Authentication Service from the JAAS framework. The JAAS framework validates all user IDs used during the authentication process, and then maps them all to one user. The mapping is based on the configuration of the User Alias List attribute in the user's profile.

If all of the mappings are correct, a valid session token is issued to the user. If any of the mappings is not correct, the user is denied a valid session token.
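The control-flag rules and the final alias mapping described above, as an added Python simulation that is not Access Manager's own code or part of this document; the login modules, credentials, and alias table are constructed stand-ins for real LoginModules and the User Alias List attribute. It also applies the standard JAAS rule that a Sufficient success completes the chain only when no earlier Required or Requisite module has failed.

```python
from collections import namedtuple
from enum import Enum

class Flag(Enum):
    REQUISITE = "requisite"
    REQUIRED = "required"
    SUFFICIENT = "sufficient"
    OPTIONAL = "optional"

# login: stand-in for a LoginModule; returns the authenticated user ID, or None.
ChainEntry = namedtuple("ChainEntry", "name flag login")

def run_chain(chain, creds):
    """Walk the chain under the JAAS control-flag rules.
    Returns (passed, names of modules consulted, user IDs that authenticated)."""
    consulted, user_ids, required_failed = [], [], False
    has_required = any(e.flag in (Flag.REQUIRED, Flag.REQUISITE) for e in chain)
    for entry in chain:
        uid = entry.login(creds)
        consulted.append(entry.name)
        if uid is not None:
            user_ids.append(uid)
        if entry.flag is Flag.REQUISITE and uid is None:
            return False, consulted, user_ids   # stop at once; later modules never run
        if entry.flag is Flag.REQUIRED and uid is None:
            required_failed = True              # keep walking, but the chain will fail
        if entry.flag is Flag.SUFFICIENT and uid is not None and not required_failed:
            return True, consulted, user_ids    # short-circuit success
    # Optional modules decide the outcome only when nothing stronger is configured.
    return (not required_failed if has_required else bool(user_ids)), consulted, user_ids

def map_to_one_user(user_ids, aliases):
    """Map every ID collected along the chain to one user (stand-in for the User
    Alias List attribute); None when the IDs resolve to different users."""
    users = {aliases.get(u, u) for u in user_ids}
    return users.pop() if len(users) == 1 else None

# Constructed sample modules and data, not real Access Manager modules.
def ldap_module(c): return c.get("uid") if c.get("password") == "s3cret" else None
def otp_module(c):  return c.get("uid") if c.get("otp") == "123456" else None
def cert_module(c): return c.get("cert_cn")   # None when no certificate was presented
SAMPLE_CHAIN = [ChainEntry("Cert", Flag.SUFFICIENT, cert_module),
                ChainEntry("LDAP", Flag.REQUISITE, ldap_module),
                ChainEntry("OTP", Flag.REQUIRED, otp_module)]
ALIASES = {"CN=alice": "alice"}

def authenticate(creds, chain=SAMPLE_CHAIN):
    """Returns (user, consulted); a session token is issued only when user is set."""
    passed, consulted, uids = run_chain(chain, creds)
    return (map_to_one_user(uids, ALIASES) if passed else None), consulted
```

Running the sample chain with a wrong password stops at the Requisite LDAP module, whereas a wrong OTP still consults every module before the chain fails, which is the difference between Requisite and Required in practice.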