Administration Guide > Pluggable Authentication Modules > About Pluggable Authentication Modules
 
About Pluggable Authentication Modules
Pluggable authentication modules let you enforce a secure authentication regime to regulate access to resources accessed through TDV. Each active authentication module, when consulted, must do one of the following.
Action at sign-on
If credentials are
Abort
Invalid
Approve
Valid
Disqualify itself
Not supplied or not relevant
The module can also add information to the security context in the session.
After using TDV to define user and group access profiles, you can begin to layer PAM security protocols. You can use one or more overlapping PAM implementations on the same server to achieve the desired level of user identification.
Login modules that implement PAM determine authentication based on the data in headers, properties, certificates, and on the user name and password provided.
Authentication Location
Description
HTTP Headers
Incoming HTML headers are passed to authentication modules.
JMS Properties
Properties associated with an incoming message object are passed to authentication modules.
SOAP Headers
Each distinct element in the SOAP Header element of an incoming SOAP envelope is added to the list of supplied properties, keyed by the QName of the element. When present, the header value is represented by an instance of org.apache.axiom.om.OMElement. This applies to the AuthenticationFilter and the WsapiServlet entry-points.
JDBC/ODBC/ADO.NET Properties
To pass into TDV, values must be encoded into a single, fixed, known property name. ADO.NET and ODBC uses semicolons as property separators; JDBC uses ampersands.
For user-legibility and compatibility with RFC-2396, security tokens in URL form are passed through using: "user_tokens=("NAME"="VALUE ( ","NAME"="VALUE)* ")". Nonalphanumeric characters within a NAME or VALUE must be URL-encoded.
GUI support deletes the parenthesis characters and removes all whitespace characters prior to processing. If a value for user-tokens is specified through the ODBC or ADO.NET UIs and is overridden by a user-specified value, the entire user-token value is replaced.
Incoming SSL certificates
If the user connects to TDV through mutually-authenticated SSL, the connection's public certificate is added to the security context for use by PAM modules.