JAAS Authentication Authorization 2 ldaps

Similar Messages

• Authentication & Authorization with SSO, JAAS and Database Tables mix

  Hi,
  I'm looking for how manage Authentication & Authorization in a J2EE ADF+Struts+JSP application.
  I'm interested in use SSO for authentication (I just did it programatically & dynamically already), and now I would like to could define authorization using database tables with users, groups, profiles, individual permissions, ..., (maitanined dynamically by web application admin) throught JAZN (JAAS or however is said) but not statically defining roles, groups, users, ... in jazn xml files.
  I saw that exists the possibility to create a custom DataSourceUserManager class to manage all this, and this gave me the idea that this could be possible to do (I was thinking in make a custom Authorization API over my application tables, without JAZN) but what is better that use and extended and consolidated aprox like JAZN.
  Anybody could tell me if my idea could be possible, and realizable, and maybe give me some orientation to build this approach.
  A lot of thanks in advanced.
  And sorry, excuse my so bad english.
  See you.

  Marcel,
  Originally the idea was to create a post to only explain how to do authentication using a Servlet filter. However,
  I have recently added code to the JHeadstart runtime and generators to enable both JAAS and 'Custom' authentication AND authorization in generated applications. Therefore, this post will be made after we have released the next patch release, as it will depend on these code changes.
  We currently plan to have the patch release available sometime in the second half of May.
  Kind regards,
  Peter Ebell
  JHeadstart Team

• JAAS-authentication and wls-authorization in a webapp

  Hi,
  I am developing a webapp with jsp, servlets and ejbs.
  My question:
  Is it possible to use JAAS-authentication together with wls-authorization in a
  webapp?
  thanks
  /Chriz

  Hi, Office 365 tenants indeed include an Azure AD tenant in the background and you can implement Single Sign-On against that. The authentication scenario for this case is documented
  here. For the code samples (with steps to create them) see the
  samples' Github repository, especially the
  WebApp-WSFederation-DotNet sample. 
  For the SQL database it's a bit different. Azure SQL Database connection can't be authenticated like this - there's no integration to the "domain" accounts there. So you should create one service account for the SQL connection and use that for
  all the traffic in your web app. If you need authorization for accessing certain data in SQL, you have to implement that on your web application side.

• Authentication & Authorization Component

  hi!
  please introduce to me components for Authentication & Authorization that
  i use in the web application and i use it for Authentication & Authorization
  plesae help me .
  thanks.....

  Having a look at LDAP Protocol may give you some ideas. LDAP (Local Directory Access Protocol) is a cross platform protocol for authenticating and authorising users onto a network.

• Weblogic 103 Authentication & Authorization using extenal openldap

  Can somebody point to a documentation for implementing Authentication & Authorization for Weblogic 10.3 web app using openLdap ?
  Thanks

  This is what I did. My environment is openldap, weblogic 10.3 on a windows machine. Still having trouble
  dn: cn=fd_user1,ou=people,dc=example,dc=com
  objectClass: person
  cn: fd_user1
  dn: cn=FD,ou=groups,dc=example,dc=com
  objectClass: groupOfNames
  cn: FD
  member: cn=fd_user1,ou=people,dc=example,dc=com
  Here is my weblogic.xml entries
  <wls:security-role-assignment>
  <wls:role-name>FD</wls:role-name>
  <wls:externally-defined/>
  </wls:security-role-assignment>
  My web.xml
  <security-constraint>
  <display-name>Example Security Constraint</display-name>
  <web-resource-collection>
  <web-resource-name>SecuredArea</web-resource-name>
  <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
  <role-name>FD</role-name>
  </auth-constraint>
  </security-constraint>
  <login-config>
  <auth-method>FORM</auth-method>
  <realm-name>myrealm</realm-name>
  <form-login-config>
  <form-login-page>/login.jsp</form-login-page>
  <form-error-page>/login.jsp</form-error-page>
  </form-login-config>
  </login-config>
  <security-role>
  <role-name>FD</role-name>
  </security-role>
  Inside the login.jsp I do have the j_security_check as the action parameter value. I am able to view the ldap users in the admin console too. Still not able to access the resource. I am in the process of debugging the ldap messages on the openldap console.
  Thanks

• How can I implement Authentication in LDAP

  How can I implement Authentication in LDAP.

  Hi,
  If ur using JAAS, then use NTLoginModule in ur conf file and your own defined CallbackHandler for validating and obtaining the Subject (user connected to your domain).
  Remember the user is the one which the code obtains when u login to your Domain based machine.
  Apart from this, Apache Http Server also provides you with a popup window asking for the user's credentials when u set the SSPIDomain in the httpd.conf file.
  httpd.conf
  ========
  <Location /Seet/servlet/ >
  SSPIAuth On
  AllowOverride None
  Order allow,deny
  Allow from all
  AuthName "seet190 auth"
  AuthType SSPI
  SSPIAuth On
  SSPIAuthoritative On
  require valid-user
  SSPIDomain seet190
  </Location>
  seet190 is the domain name
  Actually so far in the Security Forum, u might refer to some of the replies posted for more help but actual LDAP authentication can be done by passing the user's info too.
  HTH,
  Seetesh

• Authentication/Authorization across Apache/Weblogic?

  Hello,
  We are considering a setup with Apache handling Servlet/JSP and WLS for EJB/etc.
  I heard WLS has some plug-in for Apache. Does this plug-in enable Authentication/Authorization
  with my (custom RDBMS-based) security realm in WLS? Any gotcha? Any live experience?
  TIA
  chuck

  This is what I did. My environment is openldap, weblogic 10.3 on a windows machine. Still having trouble
  dn: cn=fd_user1,ou=people,dc=example,dc=com
  objectClass: person
  cn: fd_user1
  dn: cn=FD,ou=groups,dc=example,dc=com
  objectClass: groupOfNames
  cn: FD
  member: cn=fd_user1,ou=people,dc=example,dc=com
  Here is my weblogic.xml entries
  <wls:security-role-assignment>
  <wls:role-name>FD</wls:role-name>
  <wls:externally-defined/>
  </wls:security-role-assignment>
  My web.xml
  <security-constraint>
  <display-name>Example Security Constraint</display-name>
  <web-resource-collection>
  <web-resource-name>SecuredArea</web-resource-name>
  <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
  <role-name>FD</role-name>
  </auth-constraint>
  </security-constraint>
  <login-config>
  <auth-method>FORM</auth-method>
  <realm-name>myrealm</realm-name>
  <form-login-config>
  <form-login-page>/login.jsp</form-login-page>
  <form-error-page>/login.jsp</form-error-page>
  </form-login-config>
  </login-config>
  <security-role>
  <role-name>FD</role-name>
  </security-role>
  Inside the login.jsp I do have the j_security_check as the action parameter value. I am able to view the ldap users in the admin console too. Still not able to access the resource. I am in the process of debugging the ldap messages on the openldap console.
  Thanks

• Using Identity Server as a JAAS authentication provider

  My client wants to use Identity Server to provide JAAS authentication for the Java application they're developing.
  The JAAS tutorial shows how the name of the Java class that provides the authentication service is provided, then an instance of this class is instantiated and the .login method invoked to actually perform the authentication.
  The stated principle behind the tutorial is one of using a pluggable authentication framework, and one should not care how authentication is performed. As long as the callbacks to allow the authentication framework to ask for the credentials required, it should not matter.
  The example of how to do LDAP authentication using Identity server requires using some identity server classes. ie the com.sun.identity.authentication.AuthContext class. They specifically want to use pure JAAS authentication rather than creating a dependance in their application on Identity Server.
  Is a Java class available which provides this functionality?
  Thanks

  In Apache you can specify the authentication parameters in the virtual host configuration

• Error in authentication with ldap server with certificate

  Hi,
  i have a problem in authentication with ldap server with certificate.
  here i am using java API to authenticate.
  Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: timestamp check failed.
  I issued the new certificate which is having the up to 5 years valid time.
  is java will authenticate up to one year only?
  Can any body help on this issue...
  Regards
  Ranga

  sorry i am gettting ythe same error
  javax.naming.CommunicationException: simple bind failed: servername:636 exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: timestamp check failed]
  here when i am using the old certificate and changing the system date means i can get the authentication.
  can you tell where we can concentrate and solve the issue..
  where is the issue
  1. need to check with the ldap server only
  2. problem in java code only.
  thanks in advance

• RSA authentication with LDAP group mapping

  Greetings,
  I'm trying to set up RSA authentication with LDAP group mapping with ACS Release 4.2(1) Build 15 Patch 3.
  The problem I'm having is that my users are in multiple OU's on our AD tree.  When I only put our base DN in for User Directory Subtree on ACS, it fails with a "External DB reports about an error condition" error.  If I add an OU in front of it, then it will work fine.
  As far as I know, you can only use one LDAP configuration with RSA.
  Any thoughts on this?

  @Tarik
  I believe your suggestion is the only way i'm going to get this to work. I ran across a similar method just this week that I have been working on.
  I was hoping for dynamic mapping with the original method, but I haven't found any way to make it happen.  I have resorted to creating a Radius profile on the RSA appliance for each access group I need.  Using the Class attribute, I then pass the desired Group name to the ACS, i.e. OU=Admins, and that seems to work.
  Thankfully, I have a small group of users that I am attempting to map.  I will only map those who need elevated priviliges to narrow down how many profiles I will have to manually create.  Likewise, our Account Admin will have to determine who gets assigned a particular access group.
  I would still prefer to do this dynamically.
  Scott

• Shared Services External Authentication using LDAP in 9.3.1

  Hi,
  I have installed Hyperion Shared Services with native directory. And now planning to setup external authentication using LDAP. I need some guidance to understanding how the external authentication works.
  Questions:
  1. Is it possible to setup Shared Services to use both Native and LDAP user directory? What I mean is some users will be able to login using Native directory, and some others will need to login using User Directory (external authentication).
  2. For User Directory (say we use LDAP), when the user is added into Shared Services, can they be assigned with Groups created in Native directory? We want to explore to use just the external authentication and define all of the groups within shared services.
  If not possible, can we manage the Groups of the User directory using shared services? How is the groups work with external authentication?
  Any feedback would be much appreciated.
  Thanks,
  Lian

  Hi,
  Yes you can use both Native and external authentication. When you add the external provider the native is left by defaut anyway.
  Yes you can add your external users to native groups. You can also provision the groups in the AD if you wish.
  Gee

• Is it possible to bypass JAAS authentication and use Authorisation alone?

  I have to implement jsp level security (by checking roles) for my JSF application.
  Authentications in my appln are done by a different servers. I don't want to disturb that.
  I have to implement authorisation alone using JAAS.
  Is it possible to bypass JAAS authentication and use Authorisation alone?
  I am using custom login module( implements DatabaseLoginModule) for authorisation.
  Moreover, after logging in, when a user tries to access a secured jsp page, he should NOT be redirected to login page again. Rather the role checks should be done using existing user credentials stored somewhere. How to invoke the custom DataBaseLoginModule without taking user to login screen?
  Any help would be great.
  Thanks,
  Adhil.J

  I have to implement jsp level security (by checking roles) for my JSF application.
  Authentications in my appln are done by a different servers. I don't want to disturb that.
  I have to implement authorisation alone using JAAS.
  Is it possible to bypass JAAS authentication and use Authorisation alone?
  I am using custom login module( implements DatabaseLoginModule) for authorisation.
  Moreover, after logging in, when a user tries to access a secured jsp page, he should NOT be redirected to login page again. Rather the role checks should be done using existing user credentials stored somewhere. How to invoke the custom DataBaseLoginModule without taking user to login screen?
  Any help would be great.
  Thanks,
  Adhil.J

• SAP J2EE Engine -Config Tool authentication test(LDAP only)

  Hello. Can i know what causes the directory server authentication test(LDAP only) in the SAP J2EE Engine config Tool to fail to authenticate.
  Error message i got was: authentication failed: Unprocessed Continuation Reference(s).
  Please advise.

  Hi,
  what kind of directory server are you using?
  I'm not sure but it is possible that your ds uses referrals returns a referral to your client and the client does not follow them. Do you have any referrals configured?
  Cheers

• 11g hybrid authentication / authorization: WLS plus external table

  I've implemented external table authentication / authorization in 11g. Now I'd like to add a twist.
  I have an external table containing users B, C, and D. That external table contains all of the columns I need for authentication (including a clear text password) and for authorization (roles, log level, a dynamic table name, and so forth). I have authentication in one initialization block, authorization in another. Everything works fine. I can log in as B, C, or D and see exactly what I'm supposed to see, based on the ROLES.
  The clear text passwords are generally not a problem, because this is a training instance and almost all of the passwords are the same. However, I want to add a user whose password should not be held in clear text. For that reason, I'd like to add that user into WLS. I've done that, and I'm able to log in to OBIEE. After confirming that I could log in to OBIEE with user A from the WLS, I added User A to the external table, left its password field blank, and filled in the other columns (roles, loglevel, etc...) that I need to assign into session variables.
  Here's the problem: the authorization init block properly assigns ALL session variables for users B, C, and D. It assigns all session varaibles EXCEPT the ROLES variable for user A. I've confirmed this by creating an Answers analysis that shows me the values of the session variables. The ROLES session variable for user A shows "authenticated-role;BIConsumer;AuthenticatedUser". For all other users (those who are authenticated using the clear text passwords in the external table) the ROLES variable is populated correctly, based on the values in the ROLES column in the external table. In short, the authorization init block is properly assigning the ROLES session variable only for those users that were authenticated using the authentication init block, but is assigning all other session variables correctly for all users, even the one in WLS.
  Here's my authentication init block code:
  select bi_user
  from bi_auth_ldap
  where bi_user = ':USER'
  and bi_user_pwd = ':PASSWORD'
  Here's the authorization init block code:
  select roles, bi_user_name, to_number(loglevel,0), channel_tbl
  from bi_auth_ldap
  where bi_user = ':USER'
  (returned results are assigned into ROLES, DISPLAYNAME, LOGLEVEL, and CHANNEL_TBL session variables, respectively)
  It feels like the ROLES session variable is populated in conjuction with the user logging on and being authenticated via WLS, and that the initialization block isn't able to overwrite that variable. Can an OBIEE developer confirm that for us, please? Once set in WLS, is it not possible to overwrite the ROLES session variable with SQL from an initialization block? If it IS possible, can you post some code that will accomplish it?
  Thanks!

  It occurs to me that Oracle's support model is a fantastic way to make money. Let's see, I wonder if I could become a billionaire doing this:
  Create some software. Sell that software. Then, charge customers several thousand MORE dollars, year after year, plus about $60 per bug, so that they have the right to report MY bugs to me. Yeah, that's the ticket - people PAYING for the right to report bugs to me. Oh, and if more than one person reports the same bug, I get to keep ALL of the money from ALL of them.
  Let's summarize, make sure I haven't missed something: You buy my software, you PAY ME additionally to report MY bugs to me, I don't necessarily have to fix the bugs (but I keep your money whether I fix it or not), and I can collect multiple times from different people who report the same bug.
  Sweeeeeeet.........
  Billionaire Acres, here I come!

• Authentication & Authorization programming

  Hello all,
  I am in process to create a new application, My requirement here is that I want to create a reusable module that I want to use for authentication & authorization. Further I want that when ever a user logs-in, his/her privileges get stored in the session and based on the data stored in the database s/he should be able to view the page and event the fields/components on it.
  Can any one help me with the design of the above requirement.
  Thanks in advance for the same.

  Hi,
  if you want 2 applications share the same session you should give them the same login cookie name in the authentication scheme.
  >
  1. convey relevant values from the custom auth app (these cannot be one app)
  >
  Setup a database context to share values between the applications.
  Or use apex_util.fetch_app_item http://docs.oracle.com/cd/E37097_01/doc/doc.42/e35127/apex_util.htm#BABIBAID
  >
  2. make certain that users don't just bookmark the target app and bypass my authentication/authorization outcomes -- something here with session ID?
  >
  Set the URL for the "session not valid" section of the authentication scheme to the login page of your custom auth app
  regards,
  Erik-jan