Experts Help!! Fiendish BlazeDS / Single Sign-on (NTLM) problem

Guys,
I've been tearing my hair out for a month with this problem - any help would be most gratefully appreciated!
I need to get a flex app working with single-signon on the windows platform.
I want to grab the windows username and domain from the browser without having users enter by hand.
I will then authenticate against my own repository tables accessed via remote objects (blazeds + spring flex + spring + hibernate)
I have a servlet that uses NTLM authentication challenge response. The servlet works on its own, returning username and domain.
See below for servlet code
HOWEVER - no matter how I call the servlet from flex it seems to totally screw up blazeds. No further remote object calls are possible.
The same remote call works before but not after the servlet has been called. It's driving me insane!!!
I suspect the problem is related to how the single initial call to the servlet from Flex results in a further two executions of the servlet.
I assume Internet Explorer is initiating further calls.
I've tried calling it in the following ways...
- HTTPService with URL
- HTTPService with blaze destination
- From within actionscript
- From MXML
- From a flex module
- from the javascript wrapper using XMLHttpRequest and flashvars
- With one trouser leg rolled up and my finger in my ear
Every single time it stops any further remote object calls from working; they get as far as
[BlazeDS][DEBUG] FlexSession created with id 'ADF15BED993AD562EEA9249EE6B33CED' for an Http-based client connection.
[BlazeDS][DEBUG] Deserializing AMF/HTTP request
but no further.
Clever people please help - before I blow my brains out!! ;-)
Thanks in advance
Gary

I have the same problem.
1) Open page with a swf using BlazeDS for remoting. Works fine
2) Go to other page doing NTLM authentication. Works fine.
3) Go back to the first page, BlazeDS remoting does not work anymore.
Did you find a solution?

Similar Messages

  • HELP needed on Single Sign on

    can any one give me some reference documents or reference links which can be used
    for single sign on to the Portal server and to several other applications.
    I need also some documents which should be able to connect to an AS400 application
    and to a peoplesoft application thro' my portal.
    plz help me in this regard. i really don't have any idea regarding this and i
    have been asked to do this. plz send me the documents which should clearly explain
    everything
    Thanx in Advance
    Prasanna

    Hello Prasanna,
    There is a new code sample on dev2dev ( http://dev2dev.bea.com/index.jsp ) that
    shows how to modify the login framework for Portal to support single signon. This
    code example modifies the security and portal webflows to allow you to plug in a
    custom login implementation.
    The example is called "WebLogic Portal Login Framework" and it is located at
    http://dev2dev.bea.com/code/codedetailcontent.jsp?productType=weblogic+portal&codeType=code+sample&filepath=components%2Fdev2dev%2Fcodelibrary%2Fcodesamples%2Fcodesample_wlplogin.htm
    Prasanna wrote:
    can any one give me some reference documents or reference links which can be used
    for single sign on to the Portal server and to several other applications.
    I need also some documents which should be able to connect to an AS400 application
    and to a peoplesoft application thro' my portal.
    plz help me in this regard. i really don't have any idea regarding this and i
    have been asked to do this. plz send me the documents which should clearly explain
    everything
    Thanx in Advance
    Prasanna
    --
    Ture Hoefner
    BEA Systems, Inc.
    4001 Discovery Drive
    Suite 340
    Boulder, CO 80303
    www.bea.com

  • Help on Obiee single sign on

    Hi All,
    Based on the article on http://www.oracle.com/technology/oramag/oracle/08-jan/o18identity.html, I tried to implement the Single Sign on, as it was mentioned in the article.
    I installed the Oracle Application Server 10.1.3.1 and Obiee 10.1.3.4 and the Identity management 10.1.4.0.1.
    I setup the single sign on server as mentioned in the article.
    But when I login to the analytics server it first routes me to the Single sign on server, I enter the user name/password (I use orcladmin/passwd) to login. It then takes the browser to the analytics screen where it shows "Logging in" (for some time) and after that it takes me directly to the "Not Logged In" saying "If you have already logged in, your connection might have timed out, or a communications or server error may have occurred."
    Can anyone please suggest me what possibly I am doing wrong.
    Thanks

    Hi...
    See this, hope this what you want...??
    If not .. ignore...
    Thanks & Regards
    Kishore Guggilla

  • Using the Portal Single Sign-On for java applet clients

    Hi
    We have a task to build a java applet working within a portlet and communicating to some session EJB(wrapped BC4J) running on the OC4J. The applet is presumably connecting to server via RMI. This connection should be restricted to some groups of portal users.
    When a user is entering the applet he is supposed to be already logged into the Portal.
    There is a lot of information on building custom secure portlets using only a pure HTML(same as JSP) client with the help of the Portal Single Sign-On.
    But, is it possible to use the Single Sign-On for establishing a secure RMI connection from applet to OC4J without entering a password in the applet once more?
    Yuriy

    Perhaps you can write a small JSP page or PLSQL
    web procedure that will grab user name from
    the SSO Server (via SSOSDK/mod_osso)
    and invoke the applet with encrypted user name.
    The applet will receive the encrypted username
    and decrypt it to get the clear user name.
    This helps to get Single Sign-On.
    To make sure that environment is secure, encrypted
    user name parameter should have random salt,
    user name, and time stamp to prevent replay attack.
    Applet must make sure that the encrypted users name
    time stamp set by the JSP/PLSQL page has value
    within a reasonable time limit like 5 minutes
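
An added example (not part of the original reply, and not Oracle SSO SDK code) of the ticket scheme the reply describes: a random salt, the user name and a time stamp, rejected when older than 5 minutes. Assumptions made here: AES-GCM is used so the ticket is tamper-evident as well as encrypted, each salt is accepted only once so a captured ticket cannot be replayed inside the 5-minute window, and verification runs on the server, since a key shipped inside an applet is readable by whoever downloads it. The class name, key handling and sample user are constructed.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public class SsoTicket {
    static final long MAX_AGE_MS = 5 * 60 * 1000L;    // the 5-minute limit from the reply
    private static final int IV_LEN = 12, TAG_BITS = 128;
    private final SecretKey key;
    private final SecureRandom rng = new SecureRandom();
    private final Map<String, Long> seen = new ConcurrentHashMap<>(); // salt -> issue time

    SsoTicket(SecretKey key) { this.key = key; }

    /** Issuer side (the JSP page in the reply): salt || AES-GCM(timestamp || username). */
    String issue(String username, long nowMs) throws GeneralSecurityException {
        byte[] iv = new byte[IV_LEN];
        rng.nextBytes(iv);                             // random per-ticket salt, also the GCM nonce
        byte[] name = username.getBytes(StandardCharsets.UTF_8);
        byte[] plain = ByteBuffer.allocate(8 + name.length).putLong(nowMs).put(name).array();
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(plain);
        byte[] out = ByteBuffer.allocate(IV_LEN + ct.length).put(iv).put(ct).array();
        return Base64.getUrlEncoder().withoutPadding().encodeToString(out);
    }

    /** Verifier side: returns the user name, or throws if forged, stale or already used. */
    String verify(String ticket, long nowMs) throws GeneralSecurityException {
        byte[] raw = Base64.getUrlDecoder().decode(ticket);
        if (raw.length < IV_LEN + TAG_BITS / 8 + 8) {
            throw new GeneralSecurityException("ticket too short");
        }
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, raw, 0, IV_LEN));
        // doFinal throws AEADBadTagException if any byte of the ticket was altered
        ByteBuffer plain = ByteBuffer.wrap(c.doFinal(raw, IV_LEN, raw.length - IV_LEN));
        long issued = plain.getLong();
        if (Math.abs(nowMs - issued) > MAX_AGE_MS) {
            throw new GeneralSecurityException("ticket expired");
        }
        // Forget salts whose tickets have expired anyway, then insist on first use
        seen.values().removeIf(t -> nowMs - t > MAX_AGE_MS);
        String salt = Base64.getEncoder().encodeToString(Arrays.copyOf(raw, IV_LEN));
        if (seen.putIfAbsent(salt, issued) != null) {
            throw new GeneralSecurityException("ticket replayed");
        }
        byte[] name = new byte[plain.remaining()];
        plain.get(name);
        return new String(name, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SsoTicket t = new SsoTicket(kg.generateKey());  // constructed key for the demo
        long now = System.currentTimeMillis();
        String ticket = t.issue("alice", now);           // constructed user name
        System.out.println("first use : " + t.verify(ticket, now + 1000));
        try {
            t.verify(ticket, now + 2000);
        } catch (GeneralSecurityException e) {
            System.out.println("second use: " + e.getMessage());
        }
        String old = t.issue("alice", now - 6 * 60 * 1000L);
        try {
            t.verify(old, now);
        } catch (GeneralSecurityException e) {
            System.out.println("stale     : " + e.getMessage());
        }
    }
}
```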

  • Ask the Experts: Single Sign-On with Cisco WebEx Meetings Server, Internet Reverse Proxy, and Enterprise License Manager Solutions

    With Arun Kumar
    Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about Single Sign-On (SSO) with Cisco WebEx Meetings Server (Cisco WMS), Internet Reverse Proxy (IRP), and Enterprise License Manager (ELM) solutions.
    SSO standards such as Security Assertion Markup Language (SAML) 2.0 provide secure mechanisms for passing credentials and related information between different websites that have their own authorization and authentication systems. SSO enables simplified user authentication and management.
    IRP provides public access, enabling users to host or attend meetings from the Internet and mobile devices. Although IRP is optional, Cisco encourages its use because it provides a better user experience for your mobile workforce.
    Example question topics include:
    SSO profiles and SAML 2.0 Identity providers (IdPs) supported in Cisco WMS
    Basic configuration of IdPs
    Interaction between IdPs and Cisco WMS
    Difference between the cloud client implementation and Cisco WMS
    Meeting access behavior in a split-horizon network topology with SSO
    How to enable public access to Cisco WMS
    Cisco WMS ELM operations
    Cisco WMS ELM compared to other unified communications ELM or standalone ELM and compatibility/inoperability between them
    Arun Kumar is a team lead in the San Jose Conferencing Technical Assistance Center. He has over eight years of experience in conferencing technology and specializes in Cisco Unified Meeting Place Express and Cisco WebEx Meeting Server. He joined Cisco in 2010 as an escalation engineer for the Cisco Telepresence group. Before joining Cisco he worked for the UK's third-largest internet service provider Supanet on VoIP technology and the *Nix domain. Kumar holds a master of science degree in computer science from Sikkim Manipal University in India, and he holds CCIE (Voice) and VMware Certified Professional certifications.
    Remember to use the rating system to let Arun know if you have received an adequate response.
    Arun might not be able to answer each question because of the volume expected during this event. Remember that you can continue the conversation on the Collaboration, Voice, and Video community Other Subjects subcommunity shortly after the event. This event lasts through Monday May 17, 2013. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.

    Hello Mobile Service,
    CWMS and Jabber integrations:
    http://www.cisco.com/en/US/docs/voice_ip_comm/jabber/Windows/9_1/JABW_BK_E4CC9599_00_environment-configuration-guide_chapter_01.html#JABW_TK_SF2ED5E1_00
    In above link start from section: Set Up Cisco WebEx Meetings Server on Cisco Unified Presence
    then move to section: Add Cisco WebEx Meetings Server to a Profile
    Once done, move to section: Specify Conferencing Credentials in the Client side. You will see above server already listed there, just go ahead and enter your username and password (please make sure this user already exists on your CWMS) and accept any certificate/s if presented. Jabber Integration is done and you can start testing the same.
    Attached CWMS - AFDS integration doc.
    Please let me know if you have any further questions.
    Thanks, Arun

  • Oracle Single Sign-On: Use NTLM inside LAN

    hi,
    i want to configure oracle single sign-on to use NTLM authentication when accessing a protected resource from the LAN (specific IP-range). when a user is accessing a protected resource from the internet it should still show up the login-page.
    how can i achieve that?
    regards,
    matthias


  • NTLM and Single Sign On with WebLogic 8.1

    Hi guys,
    I've only been using WebLogic for about 3 weeks now, I have developed a small web app using servlets and need to add "single sign-on" functionality to it. One of my colleagues advised me to use NTLM, but he doesn't have any experience in implementing it with WebLogic.
    Could anyone send me some instructions or directions? Sample code maybe? I don't have much experience with security.
    Thanks guys,
    Tommy

    Hi Tommy,
    I used to work for a security company that built an off-the-shelf product that did NTLM SSO (along with SPNEGO), so I feel that I can give you a little bit of advice here. If you want a quick solution, buy it from Quest. The product is called Vintela SSO. If you want to actually build this yourself however, I have given a rough guide of how to start.
    Essentially, you will need to develop new Identity Assertion and Authentication provider MBeans. There are guides on how to do this in the WebLogic SSPI documentation.
    http://edocs.bea.com/wls/docs81/dvspisec/index.html
    The Authentication provider should be pretty trivial (just making mappings from authenticated users to roles), but the Identity Assertion provider is a whole other kettle of fish. You will need to do some serious reading on NTLM:
    http://davenport.sourceforge.net/ntlm.html#whatIsNtlm
    You will also need to pick up a copy of an NTLMSSP java library. You can get one called jCIFS from http://jcifs.samba.org/
    Your identity assertion provider needs to parse the NTLM credential from the WWWAuthenticate line in a HTTP Request from IE. You then need to validate the token using jCIFS. You then use JAAS to create a JAAS Login Principal that is passed to the new Authentication Provider which will match the authenticated user against groups. Then you slip to the normal SSPI role-mapping process from there.
    Once you have created the new providers, you need to wrap them in JMX MBeans so that WebLogic can use them.
    This is all going to be quite a big job to implement.
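
An added example (not part of the original reply, and not jCIFS or WebLogic code) of the parsing step described above: it decodes the base64 token a browser sends in an `Authorization: NTLM ...` request header and reads the domain, user and workstation fields of a Type 3 message, following the layout in the Davenport NTLM document linked in the reply. The class name, the sample values, the US-ASCII stand-in for the OEM code page and the UTF-16LE fallback when the optional flags field is absent are assumptions.

```java
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;

public class NtlmType3Fields {
    private static final byte[] SIGNATURE = {'N', 'T', 'L', 'M', 'S', 'S', 'P', 0};
    private static final int NEGOTIATE_UNICODE = 0x00000001;

    /** Identity the client claims, plus the size of the NT response still to be validated. */
    static final class Claim {
        final String domain, user, workstation;
        final int ntResponseLength;
        Claim(String d, String u, String w, int n) {
            domain = d; user = u; workstation = w; ntResponseLength = n;
        }
    }

    static Claim parse(String authorizationHeader) {
        if (authorizationHeader == null || !authorizationHeader.startsWith("NTLM ")) {
            throw new IllegalArgumentException("not an NTLM Authorization header");
        }
        byte[] msg = Base64.getDecoder().decode(authorizationHeader.substring(5).trim());
        if (msg.length < 52 || !Arrays.equals(Arrays.copyOf(msg, 8), SIGNATURE)) {
            throw new IllegalArgumentException("missing NTLMSSP signature");
        }
        ByteBuffer buf = ByteBuffer.wrap(msg).order(ByteOrder.LITTLE_ENDIAN);
        int type = buf.getInt(8);
        if (type != 3) {
            throw new IllegalArgumentException("expected a Type 3 message, got Type " + type);
        }
        // The flags field at offset 60 is optional; assumption: without it, strings are UTF-16LE
        boolean hasFlags = msg.length >= 64 && (buf.getInt(32) & 0xFFFFFFFFL) >= 64;
        Charset cs = (hasFlags && (buf.getInt(60) & NEGOTIATE_UNICODE) == 0)
                ? StandardCharsets.US_ASCII       // stand-in for the OEM code page
                : StandardCharsets.UTF_16LE;
        int ntLen = buf.getShort(20) & 0xFFFF;    // NT response security buffer starts at 20
        return new Claim(field(buf, 28, cs), field(buf, 36, cs), field(buf, 44, cs), ntLen);
    }

    /** Reads one security buffer: length (2), allocated (2), offset (4), all little-endian. */
    private static String field(ByteBuffer buf, int at, Charset cs) {
        int len = buf.getShort(at) & 0xFFFF;
        long off = buf.getInt(at + 4) & 0xFFFFFFFFL;
        if (off + len > buf.capacity()) {
            throw new IllegalArgumentException("security buffer points outside the message");
        }
        return new String(buf.array(), (int) off, len, cs);
    }

    public static void main(String[] args) {
        // Constructed Type 3 message with empty LM/NT responses: it carries names but no proof
        byte[] dom = "CORP".getBytes(StandardCharsets.UTF_16LE);
        byte[] usr = "alice".getBytes(StandardCharsets.UTF_16LE);
        byte[] ws = "PC01".getBytes(StandardCharsets.UTF_16LE);
        ByteBuffer b = ByteBuffer.allocate(64 + dom.length + usr.length + ws.length)
                .order(ByteOrder.LITTLE_ENDIAN);
        int off = 64;
        b.put(SIGNATURE).putInt(3);
        b.putShort((short) 0).putShort((short) 0).putInt(off);   // LM response
        b.putShort((short) 0).putShort((short) 0).putInt(off);   // NT response
        for (byte[] f : new byte[][] {dom, usr, ws}) {
            b.putShort((short) f.length).putShort((short) f.length).putInt(off);
            off += f.length;
        }
        b.putShort((short) 0).putShort((short) 0).putInt(off);   // session key
        b.putInt(NEGOTIATE_UNICODE);
        b.put(dom).put(usr).put(ws);

        Claim c = parse("NTLM " + Base64.getEncoder().encodeToString(b.array()));
        System.out.println(c.domain + "\\" + c.user + " from " + c.workstation
                + ", NT response bytes: " + c.ntResponseLength);
    }
}
```

The constructed message parses cleanly even though its response fields are empty, which is why the reply's next step, validating the token before creating a principal, cannot be skipped: the decoded names are only what the client claims.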

  • Single sign on using IDM??????...plz help

    Hey friends, I need to make single sign on using IDM without System Access Manager, but using Identity Manager. I have NetBeans in which I have deployed the IDM war. Now I have a company site in which there are various sub-sites, and I need to make single sign on for all of these. I don't know how to proceed, so please help...

    You need to have J2EE Policy Agent on the Appserver machine where you will have your IDM server running. There are a set of configuration steps involved in order to achieve SSO/Pass through Authentication.
    Thanks
    --ANJI

  • Oracle single sign-on scenario. pls help.

    Hi,
    I have following basic Oracle single sign-on setup in place along with integration with Active Directory 2003.
    All the users are provisioned in AD, which is then synchronized with OID. The OID users is then manually synchronized to Oracle
    E-business suite (FND_USER table).
    So, the flow is like this :
    AD > OID > Ebiz suite
    Problem :
    We are now migrating users in AD 2003 to AD 2008 and i am being asked to perform impact analysis on Oracle Single sign-on environment while this AD migration is in process.
    Any clues or your inputs on impact that this will create on single sign-on will be much appreciated.
    Thanks in advance

    Hi Darsh,
    1. Oracle Internet Directory (OID) is Oracle LDAP storage solution (more here), Oracle Virtual Directory is Oracle solution that can read identity data (and filter it (mask it) based on policies) from Oracle/non-Oracle databases, Oracle/non-Oracle Directories and files and provide the user profiles as LDAP view (more here), There is nothing called Oracle Active Directory, you must be referring to Microsoft Active Directory.
    2. No, Oracle Single Sign On (OSSO) is a feature in iAS (it's obsolete), Identity Management is wide umbrella of solutions and concepts.
    3. Oracle Access Manager is one component of Oracle Identity and Access Management suite of products.
    4. Webgate is Oracle access Manager agent that is installed on a webtier, it intercepts the web requests and collect the credentials, send them to Oracle Access Manager for security evaluation (decide what Authentication is needed, verify collect credentials, etc), webgate then enforce the Access Manager decision.
    5. Oracle EBS AccessGate is a java application that has the same use of OAM Webgate (it is OAM agent) but specific to E Business suite, EBS Access Gate is the new solution replacing OSSO agents, OAM is replacing OSSO server component, EBS and OSSO customers can use OAM server with OSSO agents, or with EBS AccessGate.
    HTH.
    Ghassan

  • Difference between Federated single sign on  and just Single sign on

    Can anyone please give a clear definition of what is
    1. Federated Single sign on?
    2. Just Single Sign on ?
    As a security expert if you were to Architect security what will you suggest ?
    Let's take an example Landscape
    NW1(ABAP + JAVA)- system, NW-2(ABAP+JAVA)  system and EP( java only), LDAP
    I am having a hard time convincing the customer to have both CONSUMER AND PRODUCER PORTAL for Federated single sign on? is this a bad idea. Customer says just give me SSO(with just one portal acting as CONSUMER/PRODUCER).
    initial GOLIVE user load will be 700+ users.
    Edited by: Franklin Jayasim on Jul 16, 2010 7:52 PM
    Edited by: Franklin Jayasim on Jul 16, 2010 7:53 PM
    Edited by: Franklin Jayasim on Jul 16, 2010 7:57 PM
    Edited by: Franklin Jayasim on Jul 17, 2010 12:17 AM

    Hi  Denny Liao
    The project is going to have BI(NW) and ECC/SRM/HR(NW) and sepparate  portal ( EP - Java only )
    I thought that normal SSO will help in the intranetwork, what happens if the employee(user)  needs to work from home.
    What about the external vendors suppliers etc...?

  • Single sign-on and different usernames and passwords

    Hello,
    I am building a Portal with WLPS 3.5 and WLS 6.0. I tried to get
    information about the background of single sign-on.
    I understand, that I need a Realm (i.e. LDAP Realm) to authenticate the
    user for the first login to the portal (with username and password).
    Now I would like to integrate my webmail program (to get emails from
    Lotus Notes via Internet) as a portlet.
    For my understanding the user has to authorize to get access to webmail.
    Therefore I create a ACL for webmail and this ACL is assigned to my
    security Realm.
    I would like the portlet to show after login the number of mails for the
    specific user. But where are the username and password for webmail stored
    and how are they received and forwarded?
    I understand that my ACL included all users that have access to webmail
    (i.e. all users). But I only want emails for the specific user.
    Does WLS get all usernames and passwords during the first login? Do I have to
    implement an algorithm to get the specific username and password for the
    requested resource in my portlet?
    Has anyone solved a similar problem or can tell me where I can get more
    information. I read the WebLogic Security document but I can't find an
    answer to my questions.
    Thanks
    Lydia

    Lydia,
    I'm not an expert in this area, but I can give you a start.
    As for single sign-on, there are different levels. For single sign-on across web-apps,
    the servlet spec requires this (section 12.6 of the 2.3 spec) and therefore Weblogic
    does this.
    What you are talking about is single sign-on across back-end applications through
    a web-app. BEA has partnered with Securant (just acquired by RSA) to provide this
    kind of functionality. Browse to http://www.rsasecurity.com/products/ and look
    at the ClearTrust product. BEA has also partnered with Netegrity (www.netegrity.com)
    with their SiteMinder product. Neither is included in the Weblogic license. I'm
    sure either vendor would be excited to explain how their product will solve your
    problem if you give them a call.
    As for where the username and passwords are stored, that is up to the realm. If
    you are using the default WLPS RDBMSRealm, the username and encrypted password
    are stored in the WLCS_USER table. If you are using LDAPRealm, they are stored
    in your LDAP server.
    Hope this was useful!
    PJL
    [email protected] wrote:
    Hello,
    I am using PersonalizationServer 3.5 and WLS 6.0 SP 2.
    Now I try to understand the functionality of Single sign-on when a user
    has different usernames and passwords for different applications.
    Can someone explain where the usernames and passwords for a user are
    stored (all in the LDAP-realm or a RDBMS-realm?) When a user access the
    application how username and passwords are mapped? Or usernames and
    passwords for all applications are the same and will be equalized?
    Precisely I would like to get access to a mail-account for a specific
    user
    (webmail from Lotus Notes).
    Thanks for any help
    Lydia

  • Authentication and Single Sign-On

    Does the Ironport support LDAP authentication with Single Sign-On? Or, is it only supported on NTLM? Can you setup multiple authentication realms to the same AD server, but call different AD groups? What I am trying to accomplish is to have single sign-on working and also have users placed in certain access policies according to which AD group they are in. For instance, the marketing group would be placed into one access policy while HR would be placed in another.

    Hello,
    Single Sign on is done on NTLM.
    If you go to your GUI? Top Right Hand side > Support and Help Dropdown >  Select On Line Help > Then search for working with authentication realms
    You will see as follows :
    An authentication realm is a set of  authentication servers (or a single server) supporting a single  authentication protocol with a particular configuration.
    You can perform any of the following tasks  when configuring authentication:
    Include up to three authentication  servers in a realm.
    Create zero or more LDAP  realms.
    Create zero or one NTLM  realm.
    Include an authentication server in  multiple realms.
    Include one or more realms in an  authentication sequence.
    Include realms of different  protocols in a single authentication  sequence.
    Assign a realm or a sequence to an  Access Policy group.
    You can do what you are trying to do with NTLM.
    I hope this answers your query.
    Regards,
    Eric

  • Smart View 11.1.2.1 - Single Sign On Error

    Hello experts,
    we are using EPM 11.1.2 (Essbase Standalone mode) with Smart View 11.1.2.1.
    We have to authenticate several times and we get the following error:
    "Single sign on external authentication is disabled.
    Do you want to connect with user name and password?"
    Do you have any idea?
    thanks a lot
    Jonas

    I wasn't able to get it to work by creating a URL.
    The way I got it to work was to open an old form created in the old version. It seems to "remember" the old connection, and I was able to work with the old forms.
    However, I could not get an old connection to work with new forms, nor could I get SV to work with the old Essbase servers.
    In all honesty I didn't try very hard to make it work. Working with the old forms was all I needed.
    Hope this helps,
    Tim Young

  • Difference between eSSO, OSSO and other single sign on products of Oracle

    Experts,
    Don’t know if this is the right forum but let me put it.
    I need to find a Single Sign on solution for my organization’s need from Oracle family.
    However I see many related products in Oracle family like ESSO, OSSO and many more.
    I need the functions and differences of each of these products.
    Please help me with right material, links and blogs.
    Thanks in advance!
    MS

    Find the details about the two products. However, ESSO will be easier to implement
    ESSO
    http://www.oracle.com/technetwork/middleware/id-mgmt/esso-datasheet-176365.pdf?ssSourceSiteId=ocomen
    http://www.oracle.com/us/products/middleware/identity-management/oracle-enterprise-sso/overview/index.html
    OSSO
    http://docs.oracle.com/cd/E27559_01/admin.1112/e27239/sso.htm#BJFECIAD

  • NCO and Single Sign On

    Hello,
    Please could someone explain how I can get my windows application to connect via single sign on.  Currently the application gets the necessary connection string from the SAPLOGON.INI file (via the SAPLogonDestination) and attempts a connection after requesting client, username, password and language.  Someone would like to use this application in their work environment (single sign on via Microsoft NTLM) and I wanted to know what needs to be done to implement this.
    Thanks,
    Charles

    There is quite a bit of information available in the NCo 2.x documentation (available in the VS online help): There is a whole chapter about SSO.
    Here are the steps in short:
    - You need a so-called GSS-provider that is installed on both sides, client and SAP-Server.
    - For Windows the easiest solution is to use GSSNTLM or GSSKERB5 (for NTLM or Active Directory based SSO).
    - You need to configure the provider on server side with some profile parameters and at the client side with some environment variables. OSS note 595341 contains the W2K-GSS-Provider as an MSI-Package that automatically sets the variables on client side.
    - Make sure that SSO works with SAPGUI.
    - Now you can use SSO also from NCo, by removing the password from the connection string and adding SSOPartnerName.
