About Pluggable Authentication Modules

Pluggable authentication modules let you enforce a secure authentication regime that regulates access to the resources reached through TDV. Each active authentication module, when consulted, must do one of the following.

Action at sign-on        If credentials are

Abort

Approve

Disqualify itself

The module can also add information to the security context in the session.

After using TDV to define user and group access profiles, you can begin to layer PAM security protocols. You can use one or more overlapping PAM implementations on the same server to achieve the desired level of user identification.
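The following is an added example, not TDV's own code or API: a small model of a chain of login modules in which each module returns one of the three decisions listed above and may add data to the session's security context. The chain policy (Abort fails sign-on immediately, Approve succeeds, Disqualify defers to the next module, and sign-on fails if every module disqualifies itself), the header name X-Auth-Token, and the sample certificate subjects, tokens and password are all assumptions constructed for illustration.

```python
# Added example, not TDV's own code: a minimal model of a chain of login
# modules, each returning one of the three decisions listed above.
# The chain policy is an assumption for illustration:
#   ABORT      -> sign-on fails at once; later modules are not consulted
#   APPROVE    -> sign-on succeeds; the module may add data to the context
#   DISQUALIFY -> the module does not apply; the next module is consulted
#   every module disqualifies itself -> sign-on fails (assumed default-deny)
import hashlib
import hmac
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional


class Decision(Enum):
    ABORT = "abort"
    APPROVE = "approve"
    DISQUALIFY = "disqualify"


@dataclass
class SecurityContext:
    """Session security context; modules read from it and may add attributes."""
    user: Optional[str] = None
    password: Optional[str] = None
    http_headers: Dict[str, str] = field(default_factory=dict)
    client_cert_subject: Optional[str] = None  # set only for mutually authenticated SSL
    attributes: Dict[str, object] = field(default_factory=dict)


Module = Callable[[SecurityContext], Decision]

# Constructed sample data for the modules below (not real credentials).
_SALT = b"constructed-salt"


def _password_hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


TRUSTED_CERT_SUBJECTS = {"CN=etl-batch,O=Example"}
API_TOKENS = {"tok-constructed-123": "svc-reporting"}
PASSWORD_HASHES = {"alice": _password_hash("correct horse")}


def cert_module(ctx: SecurityContext) -> Decision:
    # Applies only when the client presented a certificate over mutual SSL.
    if ctx.client_cert_subject is None:
        return Decision.DISQUALIFY
    if ctx.client_cert_subject in TRUSTED_CERT_SUBJECTS:
        ctx.user = ctx.client_cert_subject
        ctx.attributes["auth_method"] = "mtls"
        return Decision.APPROVE
    return Decision.ABORT  # a certificate was presented but is not trusted


def header_token_module(ctx: SecurityContext) -> Decision:
    # Applies only when an X-Auth-Token header (assumed name) is present.
    token = ctx.http_headers.get("X-Auth-Token")
    if token is None:
        return Decision.DISQUALIFY
    for known, principal in API_TOKENS.items():
        if hmac.compare_digest(known, token):
            ctx.user = principal
            ctx.attributes["auth_method"] = "header-token"
            return Decision.APPROVE
    return Decision.ABORT  # token present but unknown: do not fall through


def password_module(ctx: SecurityContext) -> Decision:
    # Applies only when both a user name and a password were supplied.
    if ctx.user is None or ctx.password is None:
        return Decision.DISQUALIFY
    expected = PASSWORD_HASHES.get(ctx.user)
    if expected is not None and hmac.compare_digest(expected, _password_hash(ctx.password)):
        ctx.attributes["auth_method"] = "password"
        return Decision.APPROVE
    return Decision.ABORT


def authenticate(ctx: SecurityContext, modules: List[Module]) -> bool:
    """Consult the modules in order and record each decision in the context."""
    trail: List[str] = []
    ctx.attributes["decisions"] = trail
    for module in modules:
        decision = module(ctx)
        trail.append(f"{module.__name__}:{decision.value}")
        if decision is Decision.ABORT:
            return False
        if decision is Decision.APPROVE:
            return True
    return False  # every module disqualified itself


DEFAULT_CHAIN: List[Module] = [cert_module, header_token_module, password_module]
```

The decision trail stored in the context is what a reviewer would want in an audit log: it shows which module approved or aborted a session and which ones declined to rule, so a misordered or overly permissive chain is visible from the records rather than from reading the configuration.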

Login modules that implement PAM determine authentication based on the data in headers, properties, certificates, and on the user name and password provided.

Authentication Location        Description

HTTP Headers

Incoming HTTP headers are passed to authentication modules.

JMS Properties

Properties associated with an incoming message object are passed to authentication modules.

SOAP Headers

Each distinct element in the SOAP Header element of an incoming SOAP envelope is added to the list of supplied properties, keyed by the QName of the element. When present, the header value is represented by an instance of org.apache.axiom.om.OMElement. This applies to the AuthenticationFilter and the WsapiServlet entry points.

JDBC/ODBC/ADO.NET Properties

To pass into TDV, values must be encoded into a single, fixed, known property name. ADO.NET and ODBC use semicolons as property separators; JDBC uses ampersands.

For user legibility and compatibility with RFC 2396, security tokens in URL form are passed through in the following form: "user_tokens=(" NAME "=" VALUE ( "," NAME "=" VALUE )* ")". Non-alphanumeric characters within a NAME or VALUE must be URL-encoded.

GUI support deletes the parenthesis characters and removes all whitespace characters prior to processing. If a value for user-tokens is specified through the ODBC or ADO.NET UIs and is overridden by a user-specified value, the entire user-token value is replaced.
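The following is an added example, not TDV's or any driver's own code: an encoder and parser for the user_tokens property in the form given above, plus helpers that place it in a JDBC-style (ampersand-separated) or ODBC/ADO.NET-style (semicolon-separated) property string. The parser applies the same pre-processing the GUI is described as doing (parentheses and whitespace removed). The property values, names and connection strings are constructed for illustration; how a real driver validates the property beyond this grammar is not stated on the page and is not assumed here.

```python
# Added example, not TDV's own code: building and parsing the user_tokens
# property described above, using the form given on the page:
#   "user_tokens=(" NAME "=" VALUE ( "," NAME "=" VALUE )* ")"
# Every non-alphanumeric character inside a NAME or VALUE is percent-encoded,
# so the structural characters "=", ",", "(", ")" and the driver separators
# ";" (ODBC/ADO.NET) and "&" (JDBC) can never appear unescaped inside a token.
import re
from typing import Dict
from urllib.parse import unquote

PROPERTY_NAME = "user_tokens"
_PAIR = re.compile(r"^([A-Za-z0-9%]+)=([A-Za-z0-9%]*)$")


def _encode(text: str) -> str:
    # Stricter than urllib.parse.quote: only ASCII letters and digits pass
    # through; everything else (including "_", ".", "-", "~") is encoded.
    out = []
    for ch in text:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        else:
            out.extend(f"%{b:02X}" for b in ch.encode("utf-8"))
    return "".join(out)


def build_user_tokens(tokens: Dict[str, str]) -> str:
    """Serialise NAME=VALUE pairs into the user_tokens=(...) form."""
    if not tokens:
        raise ValueError("at least one NAME=VALUE pair is required")
    if any(not name for name in tokens):
        raise ValueError("NAME must not be empty")
    body = ",".join(f"{_encode(n)}={_encode(v)}" for n, v in tokens.items())
    return f"{PROPERTY_NAME}=({body})"


def parse_user_tokens(text: str) -> Dict[str, str]:
    """Parse user_tokens=(...) after the GUI-style pre-processing described
    above: parentheses and all whitespace are removed before parsing."""
    cleaned = re.sub(r"\s+", "", text).replace("(", "").replace(")", "")
    prefix = PROPERTY_NAME + "="
    if not cleaned.startswith(prefix):
        raise ValueError("value must start with user_tokens=")
    tokens: Dict[str, str] = {}
    for pair in cleaned[len(prefix):].split(","):
        match = _PAIR.match(pair)
        if not match:
            raise ValueError(f"malformed NAME=VALUE pair: {pair!r}")
        name, value = unquote(match.group(1)), unquote(match.group(2))
        if name in tokens:
            raise ValueError(f"duplicate NAME: {name!r}")
        tokens[name] = value
    return tokens


def connection_properties(tokens: Dict[str, str], extra: Dict[str, str], separator: str) -> str:
    """Join the user_tokens property with other driver properties. The
    separator is ';' for ODBC and ADO.NET connection strings and '&' for
    JDBC URLs; values in `extra` must not themselves contain the separator."""
    parts = [build_user_tokens(tokens)] + [f"{k}={v}" for k, v in extra.items()]
    return separator.join(parts)


def extract_user_tokens(properties: str, separator: str) -> Dict[str, str]:
    """Pull the user_tokens property back out of a driver property string."""
    for part in properties.split(separator):
        key, _, value = part.partition("=")
        if key.strip() == PROPERTY_NAME:
            return parse_user_tokens(f"{PROPERTY_NAME}={value}")
    return {}
```

Encoding before splitting is what makes the format safe to embed: because a token value such as "a=b,c;d&e(f)" becomes a run of percent-escapes, neither the comma-separated pair list nor the surrounding semicolon- or ampersand-separated property string can be broken apart by attacker-chosen token contents.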

Incoming SSL certificates

If the user connects to TDV through mutually-authenticated SSL, the connection's public certificate is added to the security context for use by PAM modules.