WebSphere Commerce authentication model
The WebSphere Commerce authentication model is based on the following concepts: challenge mechanisms, authentication mechanisms and user registries.
Figure: WebSphere Commerce security model
Challenge mechanisms
A challenge mechanism specifies how a server challenges a user and retrieves authentication data from that user. WebSphere Commerce supports the following challenge mechanisms:
- Form-based or custom authentication
  The site or store collects the logon ID and password through its own HTML page or JSP login form.
- Certificate-based authentication (X.509 certificate)
  The Web server is configured to perform mutual authentication over SSL: the client must present a certificate to establish the connection, and that certificate is then mapped to an entry in the user registry.
Authentication mechanisms
An authentication mechanism verifies the authentication data supplied by a user against its associated user registry. After a successful authentication, WebSphere Commerce issues an authentication token that identifies the user on every subsequent request; the token is invalidated when the user logs off or closes the browser.
- Database authentication
  The logon ID and password supplied by the user are verified against the authentication information stored in the WebSphere Commerce database.
- LDAP bind
  The logon ID and password supplied by the user are verified by performing an LDAP bind operation against the LDAP server; the bind succeeds only if the password is accepted by the directory.
- Third-party authentication
  The logon ID and password supplied by the user are verified against a third-party user registry. To use third-party authentication, you must provide an implementation of the ExternalSystemAuthenticationCmd interface.
- Certificate validation
  The X.509 client certificate is verified to be trusted by the Web server and to comply with the Web server's certificate policy. WebSphere Commerce then verifies the certificate against the WebSphere Commerce database. The Web server performs coarse-grain access control on the certificate (is it issued by a trusted CA, is it valid and unrevoked), while WebSphere Commerce performs fine-grain access control (which registered user, if any, the certificate belongs to).
To configure the authentication mechanism used by your WebSphere Commerce instance, select one of the following as the authentication mode in the Instance Properties > Member Subsystem node of the Configuration Manager:
- Database for database authentication
- Member Manager for LDAP bind
- Other for third-party authentication
To configure certificate validation, see Enabling X.509 certificates.
User registry
The user registry is a repository that contains user information and the user's authentication information (for example, the password). A principal (the representation of a human user or system entity in the registry) presents authentication information, which is verified against the user registry.
WebSphere Commerce supports two kinds of user registry: an LDAP user registry and the WebSphere Commerce database.
WebSphere Commerce supports the following LDAP providers:
- CA Directory
- IBM Security Directory Server
- IBM Lotus Domino Enterprise Directory Server
- Microsoft Windows Server Active Directory
- NetIQ eDirectory
An LDAP server is typically used when multiple software applications need to interact with a common set of users and organizations. For example, in a WebSphere Commerce enabled Portal solution, WebSphere Commerce and WebSphere Portal both interact with a common LDAP server. Another scenario where the use of an LDAP server is needed is in a WebSphere Commerce Single Sign-On solution.