Version 9.8
 —  Introduction to SIN  —

Overview of SIN

Software AG's webMethods suite of products has a common authentication infrastructure called SIN. It provides the products with security components for authentication of users, management of roles, and query of user, role, and group information. It works both on client-side applications and on server-side applications.

SIN's basic advantage is the re-use of existing security components. For example, SIN supports the same security mechanism for an application that uses Tamino and another one that uses LDAP directory without any change of code on the application level.

SIN is based on the Java Authentication and Authorization Service (JAAS). The JAAS framework allows you to define stacks of LoginModules that can be defined without code changes.

SIN is distributed as part of Software AG Common Platform. It consists of a set of bundles located in: <installDir>/common/runtime/agent/repository/plugins SIN bundle names start with com.softwareag.security.sin.

All interfaces and common classes used by an application programmer are contained in com.softwareag.security.sin.common_<versionNumber>.jar. The other SIN files contain LoginModules and OSGi services that you can configure according to your environment and the desired authentication process.

Functionality

SIN's functionality enables you to have the following set of capabilities:

Why Use JAAS in SIN?

The authentication "tool" of SIN is the LoginModules.

They are based on the Oracle JAAS framework, which is a security framework for authenticating users. JAAS accommodates the information for groups and roles in classes derived from java.security.Principal. The API is integrated in JDK since version 1.4.

With JAAS, you have the following benefits:

How Does SIN Work?

The process of authentication includes the successful calling of a LoginModule.

LoginModules can prompt for and verify a user name and a password. If authentication is successful, JAAS creates a Subject that contains one or more Principals with security-related attributes like passwords and cryptographic keys.

A particular application defines a LoginModules configuration that is instantiated from the application. The configuration specifies the LoginModule that is to be used with a particular application.

What is a LoginContext?

The LoginContext is a grouping of LoginModules. It provides the basic methods for user authentication. The stack of login modules allows you to configure applications to use more than one LoginModule. For example, you can configure both a KerberosLoginModule and an X500LoginModule.

graphics/functionality.png

How Does a System Authenticate a User?

  1. The LoginContext locates the JAAS configuration file of the appropriate LoginModule.

  2. The application uses the configuration file to authenticate the user.

  3. After the application has authenticated the user, the LoginContext creates Principals and adds them to the Subject.

What is the Difference Between a Principal and a Subject?

The Principal interface represents the abstract notion of a principal that can be any entity, such as an individual, a corporation, and a logon ID, while the Subject class represents a grouping of related information for a single entity. Such information includes the Subject's identities, as well as its security-related attributes (passwords and cryptographic keys).

For example, if a Subject is a person named "John", he may have two Principals:

graphics/subject_example.png

Both Principals refer to the same Subject even though each has a different name.

Top of page