Authentication and Authorization question.

Hi All,
I require your help in getting validated my understanding on Authentication and Authorization. This is wrt to WebLogic Server and WebLogic Portal.
Authentication.
1. The custom authentication provider can authenticate(user and group) against any datastore(LDAP OR DB). The LoginModule is a kind of blockbox and it can return true/false depending on authentication.
2. The end result of this process is true/false.
Authorization.
1. The custom authorization providers can authorize the authenticated user based on role. All these entities ie(user,group,role) can be either in LDAP OR DB.
2. The end result of this process is true/false.
Role mapping.
1. The custom role mapper can put all the roles that a user belongs and returns all Role. This can happen agaist LDAP OR DB.
2. The end result is list of roles for a user.
Security policy configuration.
Is it mandatory that a user/group/role should be existing in WebLogic Server LDAP server(OR Portal LDAP server) to create these policies and authorization rules. What i mean by is that can user,group,role can exist in application specific database and still can be used for creatiing security policies??
Thanks,
Prashanth Bhat.

The Security Providers are useful/can be used for developing a standard j2ee application , which will be deployed as standard j2ee application.
The DA means Delegated Administrator, which is way how portal components are restricted to different types of administrators.
The VE means Visitor Entitlemens, which is way how portal components are restricted to end users.
My question is whether thess(DAs and VEs) can also be put
our datastore for access rights??
Thanks,
Prashanth Bhat.

Similar Messages

AAA authentication and authorization question

Hi Everyone,
I have a situation that is driving me crazy.
I am using Cisco Freeware TACACS running on RedHat
Enterprise Linux 3. I've modified the source code
so that I can assign each individual users his/her
own enable password. So far so good.
I create two groups: group_A and group_S. group_A
is for advanced users and group_S is for super
users. Users that belong to group_A can have
privilege level 15 but there are certain commands
that they can not perform such as "write mem"
or "reload". users that belong to group_S can do
EVERYTHING.
Here is my configuration on the TACACS configuration
file:
user = xyz {
member = admin
name = "User X"
login = des 6.z8oIm9UGHo
user = $xyz$ {
member = admin
name = "User X"
login = des c2bUC43cmsac.
user = abc {
member = advanced
name = "User abc"
login = cleartext "cisco123"
user = $abc$ {
member = advanced
name = "User abc"
login = cleartext "cisco123"
group = advanced {
default service = deny
cmd = show { permit .* }
cmd = copy { permit flash }
cmd = copy { permit running }
cmd = ping { permit .* }
cmd = configure { permit .* }
cmd = enable { permit .* }
cmd = disable { permit .* }
cmd = telnet { permit .* }
cmd = disconnect { permit .* }
cmd = where { permit .* }
cmd = set { permit .* }
cmd = clear { permit line }
cmd = exit { permit .* }
group = admin {
default service = permit
configuration of the router:
aaa new-model
aaa authentication login notac none
aaa authentication login VTY group tacacs+ local
aaa authentication login web local enable
aaa authentication enable default group tacacs+ enable
aaa authorization exec notac none
aaa authorization exec VTY group tacacs+ if-authenticated none
aaa authorization commands 0 VTY group tacacs+ if-authenticated none
aaa authorization commands 1 VTY group tacacs+ if-authenticated none
aaa authorization commands 15 VTY group tacacs+ if-authenticated none
aaa authorization network VTY group tacacs+ if-authenticated none
aaa accounting exec TAC start-stop group tacacs+
aaa accounting exec VTY start-stop group tacacs+
aaa accounting commands 0 TAC start-stop group tacacs+
aaa accounting commands 0 VTY start-stop group tacacs+
aaa accounting commands 1 TAC start-stop group tacacs+
aaa accounting commands 1 VTY start-stop group tacacs+
aaa accounting commands 10 TAC start-stop group tacacs+
aaa accounting commands 15 TAC start-stop group tacacs+
aaa accounting commands 15 VTY start-stop group tacacs+
aaa accounting network VTY start-stop group tacacs+
aaa session-id common
line vty 0 15
exec-timeout 0 0
authorization commands 0 VTY
authorization commands 1 VTY
authorization commands 15 VTY
authorization exec VTY
accounting commands 0 VTY
accounting commands 1 VTY
accounting commands 15 VTY
accounting exec VTY
login authentication VTY
However, what I would like to do is to assign users
in group_A the ability to go into "configuration t"
but I do NOT want them to have the ability to peform
"no tacacs-server host x.x.x.x key cisco". Furthermore,
I would like to do everything via TACACS, I don't
want configure "privilege level" on the router itself.
Is that possible? Thanks.
David

Command Authorization Sets?Command authorization sets provide a centralized mechanism to manage TACACS+ administrative control. Driven by some of the largest enterprise and service provider networks that use Cisco Secure ACS, command authorization sets provide a method to group and name device command profiles that can be paired with users, groups of users, or network device groups. A key benefit of command authorization sets is the ability to remove any requirement of individual privilege level or command restrictions on each AAA client. This feature greatly enhances the scalability and manageability of setting device command authorization restrictions for network administrators.
http://www.cisco.com/en/US/products/sw/secursw/ps2086/prod_release_note09186a00800ada4c.html

Please guide me for user authentication and authorization in WebDynPro App

Hi,
I just study the WebDynPro to develop the SAP Portal. I've ever developed the Web-based App using J2EE. So when i developed the Web-based App i have to develop the control of the user authentication and authorization on each page for example ,checking the session of the user whether they can access this page or whether session is expired or not,. So i have no idea with the WebDynPro and the SAP Portal because i never had experience for both WebDynPro and Portal.
I need to ask you some question to clarify my doubt :
1. SAP Portal is web page that include every enterprise application with in one page and user log-in to them just on time, isn't it?
2. If i integrate WebDynPro with SAP Portal, which one will do the authentication and authorization?. I mean that, Do i have to develop the code to check authentication and authorization in the WebDynPro App or Let the SAP Portal manage them?
3.Could you please suggest the best practice for authentication and authorization in webDynPro.
Many Thanks
Noppong J

in most case you don't have to write code to deal with session, authentication and authorization.
1. yes,
2. no, no code needed. you just set an attribute to your application, which make the the authentication required. when user access this page, portal will display the logon page
3 you can put some authorization related code in web dynpro for specific requirement, search this doc "Protecting Access to the Web Dynpro Car Rental Application Using UME Permissions"

An issue with authentication and authorization on ISE 1.2

Hi, I'm new to ISE.
I have an issue with authentication and authorization.
I have ISE 1.2 plus patch 6 installed on VMware.
I have built-in Windows XP supplicant and 2960 cisco switch with IOS c2960-lanbasek9-mz.150-2.SE5.bin
On supplicant I use EAP(PEAP) with EAP-MSCHAP v2.
I created authentication and authorization rules with Active Directory as External Identity Source. Also I applied authorization profile with DACL.I login on Windows XP machine under different Active Directory accounts. Everything works fine (authentication, authorization ), but only for several hours. After several hours passed , authentication and authorization stop working . I can see that ISE trying authenticate and authorize users, but ISE always use only one account for authentication and authorization . Even if I login under different accounts ISE continue to use only one last account.
I traied to reboot switch and PC,but it didn’t help. Only rebooting of ISE helps. After ISE rebooting, authentication and authorization start to work properly for several hours.
I don’t understand is it a glitch or I misconfigured ISE or switch, supplicant?
What should I do to resolve this issue?
Switch configuration:
testISE#sh runn
Building configuration...
Current configuration : 7103 bytes
! Last configuration change at 12:20:15Tue Apr 15 2014
! NVRAM config last updated at 10:35:02 Tue Apr 15 2014
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname testISE
boot-start-marker
boot-end-marker
no logging console
logging monitor informational
enable secret 5 ************
enable password ********
username radius-test password 0 ********
username admin privilege 15 secret 5 ******************
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting update periodic 5
aaa accounting dot1x default start-stop group radius
aaa server radius dynamic-author
client 172.16.0.90 server-key ********
aaa session-id common
clock timezone 4 0
system mtu routing 1500
authentication mac-move permit
ip dhcp snooping vlan 1,22
ip dhcp snooping
ip domain-name elauloks
ip device tracking probe use-svi
ip device tracking
epm logging
crypto pki trustpoint TP-self-signed-1888913408
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1888913408
revocation-check none
rsakeypair TP-self-signed-1888913408
crypto pki certificate chain TP-self-signed-1888913408
dot1x system-auth-control
spanning-tree mode pvst
spanning-tree extend system-id
vlan internal allocation policy ascending
ip ssh version 2
interface FastEthernet0/5
switchport mode access
ip access-group ACL-ALLOW in
authentication event fail action next-method
authentication event server dead action reinitialize vlan 1
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
interface FastEthernet0/6
switchport mode access
ip access-group ACL-ALLOW in
authentication event fail action next-method
authentication event server dead action reinitialize vlan 1
authentication event server alive action reinitialize
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
interface FastEthernet0/7
interface Vlan1
ip address 172.16.0.204 255.255.240.0
no ip route-cache
ip default-gateway 172.16.0.1
ip http server
ip http secure-server
ip access-list extended ACL-ALLOW
deny icmp any host 172.16.0.1
permit ip any any
ip radius source-interface Vlan1
logging origin-id ip
logging source-interface Vlan1
logging host 172.16.0.90 transport udp port 20514
snmp-server community public RO
snmp-server community ciscoro RO
snmp-server trap-source Vlan1
snmp-server source-interface informs Vlan1
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps mac-notification change move
snmp-server host 172.16.0.90 ciscoro
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 3
radius-server vsa send accounting
radius-server vsa send authentication
radius server ISE-Alex
address ipv4 172.16.0.90 auth-port 1812 acct-port 1813
automate-tester username radius-test idle-time 15
key ******
ntp server 172.16.0.1
ntp server 172.16.0.5
end

Yes. Tried that (several times) didn't work. 5 people in my office, all with vers. 6.0.1 couldn't access their gmail accounts. Kept getting error message that username and password invalid. Finally solved the issue by using Microsoft Exchange and "m.google.com" as server and domain and that the trick. Think there is an issue with imap.gmail.com and IOS 6.0.1. I'm sure the 5 of us suddently experiencing this issue aren't the only ones. Apple will figure it out. Thanks.

How to get ADF authentication and authorization working on server

I am having an issue with deployment & ADF authentication and authorization.
From the below testing results, you can see that I am unable to log in when I have deployed my app to my standalone server with both ADF security authentication and authorization turned on. I have included web.xml, jazn-data.xml and the page/server error I am receiving.
When making an attempt to log in I get the following results:
Running Locally with ADF Authentication:                                           Works Fine
Running Locally with ADF Authentication & Authorization:         Works Fine
Deployed to server with ADF Authentication:                                    Works Fine
Deployed to server with ADF Authentication & Authorization: Doesn’t Work
What I have already tried: Removed all anonymous grants, using the same database credentials as the app user, deploying app twice (on the redeploy not including the login credentials & app policies at the application properties). Various modifications to web.xml e.g. welcomefilelist etc
JDeveloper Version: 11.1.2.4
Server Web Logic: 10.3.6
Server ADF: 11.1.1.16
Page Error when trying to log in:
Error 401--Unauthorized
From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
10.4.2 401 Unauthorized
The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.46) containing a challenge applicable to the requested resource. The client MAY repeat the request with a suitable Authorization header field (section 14.8). If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials. If the 401 response contains the same challenge as the prior response, and the user agent has already attempted authentication at least once, then the user SHOULD be presented the entity that was given in the response, since that entity MAY include relevant diagnostic information. HTTP access authentication is explained in section 11.
Server error when trying to log in:
Servlet failed with Exception oracle.adf.controller.security.AuthorizationException: ADFC-0619: Authorization check failed: 'wpd.mobility.view.pageDefs.homePagePageDef' 'VIEW'.
at oracle.adf.controller.internal.security.AuthorizationEnforcer.handleFailure(AuthorizationEnforcer.java:182)
        at oracle.adf.controller.internal.security.AuthorizationEnforcer.internalCheckPermission(AuthorizationEnforcer.java:162)
        at oracle.adf.controller.internal.security.AuthorizationEnforcer.checkPermission(AuthorizationEnforcer.java:116)
        at oracle.adfinternal.controller.state.ControllerState.checkPermission(ControllerState.java:663)
        at oracle.adfinternal.controller.state.ControllerState.initializeUrl(ControllerState.java:700)
        at oracle.adfinternal.controller.state.ControllerState.synchronizeStatePart2(ControllerState.java:531)
        at oracle.adfinternal.controller.application.SyncNavigationStateListener.afterPhase(SyncNavigationStateListener.java:59)
        at oracle.adfinternal.controller.lifecycle.ADFLifecycleImpl$PagePhaseListenerWrapper.afterPhase(ADFLifecycleImpl.java:530)
        at oracle.adfinternal.controller.lifecycle.LifecycleImpl.internalDispatchAfterEvent(LifecycleImpl.java:120)
        at oracle.adfinternal.controller.lifecycle.LifecycleImpl.dispatchAfterPagePhaseEvent(LifecycleImpl.java:168)
        at oracle.adfinternal.controller.faces.lifecycle.ADFPhaseListener$PhaseInvokerImpl.dispatchAfterPagePhaseEvent(ADFPhaseListener.java:131)
        at oracle.adfinternal.controller.faces.lifecycle.ADFPhaseListener.afterPhase(ADFPhaseListener.java:74)
        at oracle.adfinternal.controller.faces.lifecycle.ADFLifecyclePhaseListener.afterPhase(ADFLifecyclePhaseListener.java:53)
        at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl._executePhase(LifecycleImpl.java:447)
        at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:202)
        at javax.faces.webapp.FacesServlet.service(FacesServlet.java:508)
        at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
        at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
        at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:301)
        at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
        at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
        at oracle.adf.model.servlet.ADFBindingFilter.doFilter(ADFBindingFilter.java:205)
        at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
        at oracle.adfinternal.view.faces.webapp.rich.RegistrationFilter.doFilter(RegistrationFilter.java:125)
        at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl$FilterListChain.doFilter(TrinidadFilterImpl.java:468)
        at oracle.adfinternal.view.faces.activedata.AdsFilter.doFilter(AdsFilter.java:60)
        at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl$FilterListChain.doFilter(TrinidadFilterImpl.java:468)
        at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl._doFilterImpl(TrinidadFilterImpl.java:293)
        at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl.doFilter(TrinidadFilterImpl.java:199)
        at org.apache.myfaces.trinidad.webapp.TrinidadFilter.doFilter(TrinidadFilter.java:92)
        at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
        at oracle.security.jps.ee.http.JpsAbsFilter$1.run(JpsAbsFilter.java:119)
        at java.security.AccessController.doPrivileged(Native Method)
        at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:315)
        at oracle.security.jps.ee.util.JpsPlatformUtil.runJaasMode(JpsPlatformUtil.java:442)
        at oracle.security.jps.ee.http.JpsAbsFilter.runJaasMode(JpsAbsFilter.java:103)
        at oracle.security.jps.ee.http.JpsAbsFilter.doFilter(JpsAbsFilter.java:171)
        at oracle.security.jps.ee.http.JpsFilter.doFilter(JpsFilter.java:71)
        at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
        at weblogic.servlet.internal.RequestEventsFilter.doFilter(RequestEventsFilter.java:27)
        at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
        at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3730)
        at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3696)
        at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
        at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
        at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2273)
        at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2179)
        at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1490)
        at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
        at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
Web.xml
<?xml version = '1.0' encoding = 'windows-1252'?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">
<context-param>
    <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
    <param-value>client</param-value>
</context-param>
<context-param>
    <param-name>javax.faces.PARTIAL_STATE_SAVING</param-name>
    <param-value>false</param-value>
</context-param>
<context-param>
    <description>If this parameter is true, there will be an automatic check of the modification date of your JSPs, and saved state will be discarded when JSP's change. It will also automatically check if your skinning css files have changed without you having to restart the server. This makes development easier, but adds overhead. For this reason this parameter should be set to false when your application is deployed.</description>
    <param-name>org.apache.myfaces.trinidad.CHECK_FILE_MODIFICATION</param-name>
    <param-value>false</param-value>
</context-param>
<context-param>
    <description>Whether the 'Generated by...' comment at the bottom of ADF Faces HTML pages should contain version number information.</description>
    <param-name>oracle.adf.view.rich.versionString.HIDDEN</param-name>
    <param-value>false</param-value>
</context-param>
<context-param>
    <description>Security precaution to prevent clickjacking: bust frames if the ancestor window domain(protocol, host, and port) and the frame domain are different. Another options for this parameter are always and never.</description>
    <param-name>org.apache.myfaces.trinidad.security.FRAME_BUSTING</param-name>
    <param-value>differentOrigin</param-value>
</context-param>
<context-param>
    <param-name>javax.faces.FACELETS_SKIP_XML_INSTRUCTIONS</param-name>
    <param-value>true</param-value>
</context-param>
<context-param>
    <param-name>javax.faces.FACELETS_SKIP_COMMENTS</param-name>
    <param-value>true</param-value>
</context-param>
<context-param>
    <param-name>javax.faces.FACELETS_DECORATORS</param-name>
    <param-value>oracle.adfinternal.view.faces.facelets.rich.AdfTagDecorator</param-value>
</context-param>
<context-param>
    <param-name>javax.faces.FACELETS_RESOURCE_RESOLVER</param-name>
    <param-value>oracle.adfinternal.view.faces.facelets.rich.AdfFaceletsResourceResolver</param-value>
</context-param>
<filter>
    <filter-name>JpsFilter</filter-name>
    <filter-class>oracle.security.jps.ee.http.JpsFilter</filter-class>
</filter>
<filter>
    <filter-name>trinidad</filter-name>
    <filter-class>org.apache.myfaces.trinidad.webapp.TrinidadFilter</filter-class>
</filter>
<filter>
    <filter-name>adfBindings</filter-name>
    <filter-class>oracle.adf.model.servlet.ADFBindingFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>JpsFilter</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>FORWARD</dispatcher>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>INCLUDE</dispatcher>
</filter-mapping>
<filter-mapping>
    <filter-name>trinidad</filter-name>
    <servlet-name>Faces Servlet</servlet-name>
    <dispatcher>FORWARD</dispatcher>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>ERROR</dispatcher>
</filter-mapping>
<filter-mapping>
    <filter-name>adfBindings</filter-name>
    <servlet-name>Faces Servlet</servlet-name>
    <dispatcher>FORWARD</dispatcher>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>
<filter-mapping>
    <filter-name>adfBindings</filter-name>
    <servlet-name>adfAuthentication</servlet-name>
    <dispatcher>FORWARD</dispatcher>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>
<listener>
    <listener-class>oracle.adf.mbean.share.connection.ADFConnectionLifeCycleCallBack</listener-class>
</listener>
<listener>
    <listener-class>oracle.adf.mbean.share.config.ADFConfigLifeCycleCallBack</listener-class>
</listener>
<listener>
    <listener-class>oracle.bc4j.mbean.BC4JConfigLifeCycleCallBack</listener-class>
</listener>
<servlet>
    <servlet-name>Faces Servlet</servlet-name>
    <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
</servlet>
<servlet>
    <servlet-name>resources</servlet-name>
    <servlet-class>org.apache.myfaces.trinidad.webapp.ResourceServlet</servlet-class>
</servlet>
<servlet>
    <servlet-name>BIGRAPHSERVLET</servlet-name>
    <servlet-class>oracle.adf.view.faces.bi.webapp.GraphServlet</servlet-class>
</servlet>
<servlet>
    <servlet-name>BIGAUGESERVLET</servlet-name>
    <servlet-class>oracle.adf.view.faces.bi.webapp.GaugeServlet</servlet-class>
</servlet>
<servlet>
    <servlet-name>MapProxyServlet</servlet-name>
    <servlet-class>oracle.adf.view.faces.bi.webapp.MapProxyServlet</servlet-class>
</servlet>
<servlet>
    <servlet-name>adfAuthentication</servlet-name>
    <servlet-class>oracle.adf.share.security.authentication.AuthenticationServlet</servlet-class>
    <init-param>
      <param-name>success_url</param-name>
      <param-value>/faces/Pages/homePage.jspx</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>/faces/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
    <servlet-name>resources</servlet-name>
    <url-pattern>/adf/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
    <servlet-name>resources</servlet-name>
    <url-pattern>/afr/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
    <servlet-name>BIGRAPHSERVLET</servlet-name>
    <url-pattern>/servlet/GraphServlet/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
    <servlet-name>BIGAUGESERVLET</servlet-name>
    <url-pattern>/servlet/GaugeServlet/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
    <servlet-name>MapProxyServlet</servlet-name>
    <url-pattern>/mapproxy/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
    <servlet-name>resources</servlet-name>
    <url-pattern>/bi/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
    <servlet-name>adfAuthentication</servlet-name>
    <url-pattern>/adfAuthentication</url-pattern>
</servlet-mapping>
<mime-mapping>
    <extension>swf</extension>
    <mime-type>application/x-shockwave-flash</mime-type>
</mime-mapping>
<mime-mapping>
    <extension>amf</extension>
    <mime-type>application/x-amf</mime-type>
</mime-mapping>
<security-constraint>
    <web-resource-collection>
      <web-resource-name>test</web-resource-name>
      <url-pattern>/faces/pages/*.</url-pattern>
      <url-pattern>/faces/*.</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>valid-users</role-name>
    </auth-constraint>
</security-constraint>
<security-constraint>
    <web-resource-collection>
      <web-resource-name>adfAuthentication</web-resource-name>
      <url-pattern>/adfAuthentication</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>valid-users</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.html</form-login-page>
      <form-error-page>/error.html</form-error-page>
    </form-login-config>
</login-config>
<security-role>
    <role-name>valid-users</role-name>
</security-role>
</web-app>
Jazn-data.xml
<?xml version = '1.0' encoding = 'UTF-8' standalone = 'yes'?>
<jazn-data xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:noNamespaceSchemaLocation="http://xmlns.oracle.com/oracleas/schema/jazn-data.xsd">
<jazn-realm default="jazn.com">
    <realm>
      <name>jazn.com</name>
      <users>
        <user>
          <name>*****</name>
          <display-name>*******</display-name>
          <description>******</description>
          <credentials>********<credentials>
        </user>
      </users>
      <roles>
        <role>
          <name>support</name>
          <display-name>support</display-name>
          <members>
            <member>
              <type>user</type>
              <name>mobile</name>
            </member>
          </members>
        </role>
      </roles>
    </realm>
</jazn-realm>
<policy-store>
    <applications>
      <application>
        <name> myapp </name>
        <app-roles>
          <app-role>
            <name>mob_mobile_support</name>
            <class>oracle.security.jps.service.policystore.ApplicationRole</class>
            <display-name>mob_mobile_support</display-name>
            <description>support role</description>
            <members>
              <member>
                <name>mobile</name>
                <class>oracle.security.jps.internal.core.principals.JpsXmlUserImpl</class>
              </member>
            </members>
          </app-role>
        </app-roles>
        <jazn-policy>
          <grant>
            <grantee>
              <principals>
                <principal>
                  <name>SUPPORT</name>
                  <class>oracle.security.jps.internal.core.principals.JpsXmlEnterpriseRoleImpl</class>
                </principal>
              </principals>
            </grantee>
            <permissions>
              <permission>
                <class>oracle.adf.share.security.authorization.RegionPermission</class>
                <name> myapp.view.pageDefs.*</name>
                <actions>view</actions>
              </permission>
            </permissions>
          </grant>
          <grant>
            <grantee>
              <principals>
                <principal>
                  <name>mob_mobile_support</name>
                  <class>oracle.security.jps.service.policystore.ApplicationRole</class>
                </principal>
              </principals>
            </grantee>
            <permissions>
              <permission>
                <class>oracle.adf.share.security.authorization.RegionPermission</class>
                <name> myapp.view.pageDefs.addapplicationPageDef</name>
                <actions>view</actions>
              </permission>
              <permission>
                <class>oracle.adf.share.security.authorization.RegionPermission</class>
                <name>Pages.addappmsgtypPageDef</name>
                <actions>view</actions>
              </permission>
              <permission>
                <class>oracle.adf.share.security.authorization.RegionPermission</class>
                <name>Pages.addoperationPageDef</name>
                <actions>view</actions>
              </permission>
              <permission>
                <class>oracle.adf.share.security.authorization.RegionPermission</class>
                <name> myapp.view.pageDefs.homePagePageDef</name>
                <actions>view</actions>
              </permission>
              <permission>
                <class>oracle.adf.share.security.authorization.RegionPermission</class>
                <name> myapp.view.pageDefs.loggingSearchPageDef</name>
                <actions>view</actions>
              </permission>
              <permission>
                <class>oracle.adf.share.security.authorization.RegionPermission</class>
                <name>myapp.view.pageDefs.workHistoryPageDef</name>
                <actions>view</actions>
              </permission>
            </permissions>
          </grant>
        </jazn-policy>
      </application>
    </applications>
</policy-store>
</jazn-data>

Read Frank's article http://www.oracle.com/technetwork/issue-archive/2012/12-jan/o12adf-1364748.html
Then you have to check if the user use use to login are defined in the stand alone server. If you server is running in production mode there is no automatic user or role migration. You have to to this by yourself.
Once you have check that the users are present, you have to check if the enterprise roles are mapped to the corresponding application roles.
Timo

Authentication and authorization capability in weblogic application server

Hi,
Need input from architecture point of view -
Requirement is typical - have to build a web center portal application with authentication and authorization capability.
I can think of three architecture options:
1. weblogic server (where webcenter portal application will be deployed) with oracle IDM (or any other full blown IDM suite)...
2. weblogic server with Active Directory (or any other LDAP directory), and a LDAP authenticator is configured in weblogic...
3. only weblogic server (users created in weblogic admin console)...
Obviously 1st one is costliest option (product cost, infrastructure cost, maintenance cost) and most flexible. However I am discarding it purely because of cost.
Confused between 2nd and 3rd.
2nd option - separate user store, user can be added/deleted without touching application server, cost wise - 1 extra server and 1 LDAP directory product (or open source LDAP server)...
3rd option - application server becomes very 'heavy' with all users information, you need to access server to add/delete users, probably cheapest option money wise... However it might affect application performance if users grow large...
Please let me know if I should consider more parameters/points before deciding. Is there any important thing I am missing? Your input appreciated.
Thanks.

Hi,
You are right your first requirement make more costly and complex environment.
I would recommend to go with Second option instead of the third one.
In cause in future if you want to use different server also you will have option to use external AD.
Well now you will think why I recommend you second option instead of the third option.
external LDAP is more secure than internal one.
If you have any further query let me know.
Regards,
Kal

Issue in External Table Authentication and Authorization in OBIEE11G

Hello Gurus,
Can anyone help me how to configure External Table Authentication and Authorization in OBIEE11g through weblogic server not like in 10g style(Through INIT Blocks).
I've followed the (Doc ID 1338007.1) document. But when i'm restart the Managed servers and Admin servers after configuring the SQLAuthenticator all my services are showing down.
I already raised the SR (SR 3-6286054151) on this issue. But still i didn't get any reply from them.
Can anyone help me out on this issue or can anyone me send the document for "how to configure External Table Authentication and Authorization in OBIEE11g" . It's really appreciate for your quick response.
my mail ID [email protected]
Thanks,
Syam.
Edited by: 942658 on Oct 13, 2012 10:55 AM

Hi John,
Thanks for your quick response.
We configured "ReadOnlySQL Provider" by following the Oracle's white paper(Doc ID 1338007.1) Please find the below steps what we configured in weblogic console.
1. Created the Data Source
2. In the data source specified the Database driver--> *Oracle's Driver Thin for service connections: Versions:9.0.1 and later.
3. Defined the connection Properties .
4. Selected targets as Admin server and bi_server.
Then Activate changes
5. Created new provider by using ReadOnlySQL Authenticator
6. In the provider specific tab we given the SQL statements and saved it.
7. Restarted the Admin and Managed servers.
After restarted the services when we open the Enterprise Manager page all the services are showed as Undefined - means red.
Apart from that we followed your suggested link http://askjohnobiee.blogspot.com/2012/09/how-to-oid-authentication-with-groups.html
For External table authentication do we need to configure BISQLAuthenticator or ReadOnlySQLAuthenticator ?
If we configure BISQLAuthenticator we just import Groups from database to Console application. Then how can it Authenticated to the User ?
Please let me know your ideas on this.
Thanks,
Syam

How to implement Custom Authentication and Authorization in Oracle SOA 11g

Can anyone please tell me, how to implement Custom Authentication in Oracle SOA 11g ?
Because in Oracle SOA 10.1.3.4 , i have implemented this custom authentication and authorization by implementing BPMAuthenticationService, BPMAuthorizationService, BPMIdentityService to verify againt my database systems.
implementation classes like the mentioned below
1).
public class SampleAuthenticationService extends SampleServiceBase implements BPMAuthenticationService {
2).
public class SampleAuthorizationService extends SampleServiceBase implements BPMAuthorizationService {
3).
public class SampleIdentityService extends SampleServiceBase implements BPMIdentityService {
Please help me to implement the authentication and authorization in Oracle SOA 11g .
thanks in advance

To start with please go through following document
http://docs.oracle.com/cd/E21764_01/integration.1111/e10231/adptr_jms.htm
http://docs.oracle.com/cd/E23943_01/integration.1111/e10231/adptr_file.htm
Regards
Arpit

How can I get authentication and authorization through OS X open directory with the Sun ZFS STOR ZS3-2

how can I get authentication and authorization through OS X open directory with the Sun ZFS STOR ZS3-2
I have configure NFS, I need help configuring the share that I created in the Sun ZFS STOR ZS3-2 to connect with the OS X Open Directory

Hi,
You may try checking the help page for ldap configuration :
https://<Appliance_IP>:215/wiki/index.php/Configuration:Services:LDAP
ZFS Storage supports LDAP, NIS, AD as directory service.
Hope Open Directory is also based on LDAP and may work in similar fashion.
Thanks
Nitin

JAXWS EJB3.0 Based WebService Authentication and Authorization - Weblogic

Hi Experts,
I need to Create a EJB3.0 WS where this Service has static Authentication and Authorization. How can I achieve it, any pointer.
TIA

The below sample is for basic authentication and authorization.
Web service
========
import javax.ejb.Stateless;
import javax.ejb.TransactionAttribute;
import javax.ejb.Remote;
import javax.jws.WebMethod;
import javax.jws.WebService;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SecurityRoles;
@Stateless(mappedName="com.slsbBean")
@Remote( { com.bea.Service.class})
@WebService(name="TransactionPortType", serviceName="TransactionService",
targetNamespace="http://example.org")
public class ServiceBean implements Service {
@WebMethod()
@RolesAllowed ( {"Admin","Manager"})
public void testMethod(String s) {
System.out.println("inside ejb method");
System.out.println("username : " + weblogic.security.SubjectUtils.getUserPrincipal(weblogic.security.Security.getCurrentSubject()));
Client
====
import java.util.Map;
import javax.xml.ws.BindingProvider;
public class Test {
public static void main(String[] args) {
TransactionService simple = new TransactionService();
TransactionPortType port = simple.getTransactionPortTypePort();
BindingProvider bindingProvider = (BindingProvider) port;
Map<String, Object> reqContext = bindingProvider.getRequestContext();
reqContext.put(BindingProvider.USERNAME_PROPERTY, "XXXXXX");
reqContext.put(BindingProvider.PASSWORD_PROPERTY, "XXXXXX");
port.testMethod("hello");
Regards,
Sunil P

Authentication and Authorization Problems with IIS 6 and Jrun 4

Hello all,
I am using IIS 6 with JRun 4 as my app server, and I am having problems trying to get authentication and role authorization with Windows Integrated Authentication to work. I have set up IIS 6 to pass-through the authentication credentials to Jrun, without using an anonymous user. What I have done is written a small test servlet that displays the username of the logged in user, and then tries to check if a user is in a test role that I set up in my database. I have specified that a roles table is to be used by specifying a JDBCLoginModule in Jrun's auth.config file. The code for the servlet is below:
package testauthenticationapp;
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.*;
import javax.servlet.http.*;
public class SecureTestServlet extends HttpServlet {
   private static final String CONTENT_TYPE =
      "text/html; charset=windows-1252";
   public void init(ServletConfig config) throws ServletException {
      super.init(config);
   public void doGet(HttpServletRequest request,
                     HttpServletResponse response) throws ServletException,
                                                          IOException {
      response.setContentType(CONTENT_TYPE);
      PrintWriter out = response.getWriter();
      out.println("<h3>REMOTE USER: " + request.getRemoteUser() + "</h3>");
      if (request.getUserPrincipal() != null){
         out.println("<h3>" +request.getUserPrincipal().getName() + "</h3>");
      } else{
         out.println("<h3>User Principal is null</h3>");
      if (request.isUserInRole("Test_Role")){
         out.println("<h3>User is in Test_Role</h3>");
      } else {
         out.println("<h3>User is NOT in Test_Role</h3>");
      out.close();
1. What I am seeing is that when request.getRemoteUser() is called, the username information is what I expect it to be. It is of the form <Domain>\<Username>. When I try to redisplay the username using the request object's Principal object, the call to request.getUserPrincipal() returns null. This is a little confusing to me since I thought that essentially getRemoteUser() was a short cut for calling getUserPrincipal().getName(), and if I get something for getRemoteUser, getUserPrinicipal should return something as well. I guess they work differently at some level. Has anyone ever encountered this before?
2. When I call request.isUserInRole("Test_Role"), it returns false. I've checked the role name being called for typos in both my database and in the code, and that does not seem to be the case. I think the setup in auth.config is properly configured because I have created many other applications using declaritive FORM based authentication, and the role information was retrieved fine from the database. I would think that when I use request.isUserInRole in my servlet code it would use the same role information, but I could be wrong since this is a different type of authentication. Do you think that the reason request.isUserInRole() is returning false could be tied to the fact that request.getUserPrincipal() is returning null (even though getRemoteUser() is returning a valid username)? How does request.isUserInRole() get its user information, by using getUserPrincipal().getName() or getRemoteUser()?
Any help that is provided is appreciated. Thanks in advance.

Try This...
Close All Open Apps... Perform a Reset... Try again...
Reset ( No Data will be Lost )
Press and hold the Sleep/Wake button and the Home button at the same time for at least ten seconds, until the Apple logo appears. Release the Buttons.
http://support.apple.com/kb/ht1430

How to audit the the Authentication and Authorization in AM.

I'm using AM7, I want to know how can I audit the Authentication and Authoriztion, for example, who? from where? when? Authentication/Authorization to which application?
I looked for the log files, but find they can't be used to show an audit result directly, is there any tool to do the audit job?
Thanks!

Assuming that you are using a Unix platform to run JES AM, you can find accesslog at /var/opt/SUNWam/logs. If you dont have any logs there, may be you have enable them in the AMConfig.properties and recycle AM.
Each WebServer or J2EE Web Container that is protected by JES Policy Agent is capable of producing Audit logs which will carry information you are looking for. For example every HTTP request that passes through a protected WebServer or Webcontainer can log UserID, SSOToken, Time of access, Authorization result, resource requested. By default PolicyAgents dont log "Success" authorizations. You can change that by enabling "LOG_BOTH" on the logging attribute.
If you can customize the WebServer access logs, then you can trap the User's source IP, UserID along with all other standard things that you can log on a webserver such as any HTTP Header element.
JES has pretty robust logging mechanism built for security audits.
If you still cant find what you are looking for, then be specific about where you are running into problems.
-Dexthor

Authentication and authorization for a custom connector

I have the following problem: I have a software which tries to connect with the server through its own custom RMI connector.
So I have the RMI Connector deployed via Mlet-Service. I have written a small TestClient and can get a RemoteMBeanServer with RemoteMBeanServer rs = getRemoteMBeanServer(), but if I try to call something like rs.getMBeanCount() I get :
com.sap.engine.services.jmx.exception.JmxSecurityException: Caller Guest not authorized, only role administrators is allowed to access JMX
So the WebAS considers someone who tries to connect with this connector as guest. How do can I get authentication and autorization to access the JMX parts? The manual seems only to cover JSP and webapplications, where it is possible to configure a role for them. I only have this connector.jar, configuration and mlet-file.
I still have the option to use JAAS authentication with this connector, then I have to configure it differently and, the more difficult, to implemend
a method "public Subject authenticate(Object credentials)" where credentials are two Strings with user and passwd. But I am not quite sure how to fill the Subject with useful information.
Thanks in advance
Nils

Jmx is secured resource and only administrator role user
can access it.
If your code is running in a servlet you can define
the servlet to run as administrator
1. Add in the web.xml
<security-role>
   <role-name>AnyName</role-name>
</security-role>
2. Add in the web-j2ee-engine.xml
security-role-map>
   <role-name>AnyName</role-name>
   <server-role-name>administrators</server-role-name>
</security-role-map>
If you are runnig from a remote client you just have to
Properties connectionProperties = new Properties();
connectionProperties.setProperty(
Context.INITIAL_CONTEXT_FACTORY,
"com.sap.engine.services.jndi.InitialContextFactoryImpl");
connectionProperties.setProperty
(Context.PROVIDER_URL, "<host:p4port>");
connectionProperties.setProperty
(Context.SECURITY_PRINCIPAL, "<ADMIN USER>");
connectionProperties.setProperty
(Context.SECURITY_CREDENTIALS, "<PASSWORD>");
MBeanServerConnection mbsc =
                    JmxConnectionFactory.getMBeanServerConnection(
                         JmxConnectionFactory.PROTOCOL_ENGINE_P4,
                         connectionProperties);

Authentication and authorization for AD users in UCM11g

Hi all
we are using webcenter content server 11g. I read some where that for 11g users authentication is done in weblogic server environment, mean content server for 11g in now managed by weblogic server only, am i right?. we have successfully integrated Active Directory with weblogic sever and user of AD are able to log-in UCM but they don't have any role like contributor or Admin. How to do this role mapping for AD user in UCM i.e. authorization for these users. Please provide any guidence on this issue any doc or blog, we are new to webcenter suite.
Thanks
Somesh

As you already have weblogic integrated with AD, remains only role mapping and Single Sign-On integration. For authorization, AD must contain groups with exact names as roles in the Content Server. Those groups should be where Group Base parameter in the weblogic ActiveDirectoryAuthenticator point (like OU=Roles,OU=Oracle,DC=example,DC=com). Assigning AD user to the AD group named contributor, will add contributor role to logged Content Server user.
As for SSO, refer to the:
http://docs.oracle.com/cd/E23943_01/web.1111/e13707/sso.htm
and
http://docs.oracle.com/cd/E23943_01/doc.1111/e10792/c05_security.htm#autoId21
Procedure steps are:
Create a user account for the hostname of the web server machine in Active Directory
Create krb5.ini file, and locate it in the C:\Windows directory at both machines (Domain Controller and WLS host)
Generate the keytab file
Create a JAAS Login File named krb5Login.conf
Put both keytab and krb5Login.conf files to …/user_domains/domains/my_domain/
Configure the Identity Assertion Provider
Adjust Weblogic Server startup arguments for Kerberos authentication
Redeploy CS (and optionally other servers) server with the documentation given deployment plan
Check web browser configuration (IE and Firefox only)
Take a deep breath and test
If successful have a cake and cup of coffee else goto step one
Regards,
Boris

Simple authentication and authorization with a servlet and a filter

Could somebody point me to code example that do simple authentication/authorization using one servlet and one filter? (without Spring, Struts, JSF or any framework)
I’m having a lot of problems with that, apparently, easy task.
These are the rules:
- A simple login page
- Two roles (admin, registered).
- If the user loged is an admin, redirect to his entry page (private/admin/index.jsp).
- If the user loged is of role registered, redirect him to his entry page (private/registered/index.jsp).
- If it’s not a valid user, redirect again to login page.
- Admin’s users cannot go to private/registered/ area.
- Registered users cannot go to private/admin/ area.
- Non authenticated user cannot go to private/ area
Thanks a lot in advance!
Edited by: JLuis on 25-ago-2010 15:27

AccessControl.java:
package com.tlsformacion.security;
import java.io.IOException;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletConfig;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.tlsformacion.utils.Log;
public final class AccessControl extends HttpServlet {
     private static final long serialVersionUID = 5741058615983779764L;
     private static final String USERNAME_ATTR = "username";
     private static final String PWD_ATTR = "password";
     private static final String LOGIN_PAGE_ATTR = "login_page";
     private static final String ROL_ATTR = "role";
     private boolean isAuthentic = false;
     private String role = null;
     private String loginPage = null;
     public AccessControl() {
        super();
     public void init(ServletConfig config) throws ServletException {
          loginPage = config.getInitParameter(LOGIN_PAGE_ATTR);
     protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
          debug("Inside doGet");
          doAccessControl(request, response);
     protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
          debug("Inside doPost");
          doAccessControl(request, response);
     private void doAccessControl (HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
          debug("Inside doAccessControl");
          doAuthentication(request, response);
          if (isAuthentic) { //Authentic user
               doAuthorization(request, response);
          } else { //User NOT authentic
               doRejection(request, response);
     private void doAuthentication(HttpServletRequest request, HttpServletResponse response) {
          debug("Inside doAuthentication");
        String requestedURI = request.getRequestURI();
        if (requestedURI.contains("/AccessControl")) { //Comes from login page
             debug("Comes from login page");
              String username = request.getParameter(USERNAME_ATTR);
            String pwd = request.getParameter(PWD_ATTR);
             role = getRole(username, pwd);
             if (role != null) {
                  isAuthentic = true;
                  request.getSession().setAttribute(ROL_ATTR, role);
        } else { //Doesn't comes from login page
             debug("Doesn't comes from login page");
             if (isInSession(request)) {
                  debug("Rol is in session");
                  isAuthentic = true;
             } else {
                  debug("Rol is NOT in session");
     private void doAuthorization(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
          debug("Inside doAuthorization");
          String requestedURI = request.getRequestURI();
          debug("requestedURI: " + requestedURI);
          if (requestedURI.contains("/AccessControl")) { //Comes from login page
               goHomePage(request, response);
          } else if (requestedURI.contains("/private/" + role)) { //Trying to access his private area
               goRequestedPage(request, response);
          } else { //Trying to access other roles private area
               goLoginPage(request, response);
    private void doRejection(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
         debug("Inside goRejection");
         role = null;
          goLoginPage(request, response);
     private void goHomePage(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
          debug("Inside goHomePage");
          String homePage = "private/" + role + "/index.jsp";
          goPage(request, response, homePage);
     private void goLoginPage(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
          debug("Inside goLoginPage");
          goPage(request, response, loginPage);
     private void goRequestedPage(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
          debug("Inside goRequestedPage");
          String contextPath = request.getContextPath();
          debug("contextPath: " + contextPath);
          String requestedPage = request.getRequestURI().replace(contextPath + "/", "");
          goPage(request, response, requestedPage);
     private void goPage(HttpServletRequest request, HttpServletResponse response, String page) throws IOException, ServletException {
          debug("Inside goPage ...trying to go to: " + page);
          //Option A
          response.sendRedirect(page);
          //Option B
          //RequestDispatcher requestDispatcher = request.getRequestDispatcher(page);
          //requestDispatcher.forward(request, response);
     private boolean isInSession(HttpServletRequest httpRequest) {
         boolean inSession = false;
          role = (String)httpRequest.getSession().getAttribute(ROL_ATTR);
          if (role != null && !role.equals("")) {
               inSession = true;
         return inSession;
    //PENDIENTE: mock method!
    private String getRole(String username, String pwd) {
         String role = null;
         if (username.equals("admin") && pwd.equals("admin")) {
              role = "administrator";
         } else if (username.equals("regis") && pwd.equals("regis")) {
              role = "registered";
         return role;
    private void debug(String msg) {
         Log.debug(msg);
}Proyect Folder Structure:
WebContent
     login.html
     private
          administrator
               index.jsp
          registered
               index.jspBasically, the problem is that if you try to log as admin/admin (for example) the servlet AccessControl executes infinitely
Edited by: JLuis on 26-ago-2010 8:04

Authentication and Authorization question.

Similar Messages

Maybe you are looking for