Logout with frank nimpus custom login provider
i am using container managed security described in
http://www.oracle.com/technology/products/jdev/howtos/1013/oc4jjaas/oc4j_jaas_login_module.htm
i got no clue on how to handle logout ? any help greatly appriciated
I finally found out how to make this works :-)
Here are the steps I setup to have custom authentication with my Azure Mobile Services using a JavaScript backend:
In the GetSecurityToken, I change the code a bit to use the "aud" variable
var payload = new
exp = (int)now.Add(periodBeforeExpires).Subtract(utc0).TotalSeconds,
iss = "urn:microsoft:windows-azure:zumo",
ver = 2,
aud = aud,
uid = userId
I called the GetSecurityToken method with a custom user ID and a custom "Aud" parameter
token = AmsHelper.GetSecurityToken(
TimeSpan.FromMinutes(30),
"Custom",
"my-user-id,
"masterKey");
I changed the way I create a MobileServiceUser from
MobileServiceUser user = await this.mobileService.LoginWithMicrosoftAccountAsync("auth-token-from-liveid-sqk");
To
MobileServiceUser user = new MobileServiceUser("my-user-id") { MobileServiceAuthenticationToken = authToken };
this.mobileService.CurrentUser = user;
Hope it will help :-)
Similar Messages
-
Help - using custom login module with embedded jdev oc4j to access ejb 3
Hi All (Frank ??),
I'm just wondering if anyone has successfully been able to leverage a custom login module in combination
with a client that connects to a local EJB 3 stateless session bean through Jdeveloper 10.1.3.2's embedded oc4j.
I have spent 2+ days trying to get this to work - and i think I resound now to the fact im going to
have to deploy to oc4j standalone instead.
I got close.. but finally was trumped with the following error from the client trying to access the ejb:-
javax.naming.NoPermissionException: Not allowed to look up XXXXXX, check the namespace-access tag
setting in orion-application.xml for details.
Using the various guides available, I had no problem getting the custom login module working
with a local servlet running from JDev's embedded oc4j.. however with ejb - no such luck.
I have a roles table (possible values Member, Admin) - that maps to sr_Member and sr_Admin
respectively in various config files.
I'm using EJB 3 annotations for protecting methods .. for example
@RolesAllowed("sr_Member")
Steps that I had to do so far :-
In <jdevhome>\jdev\system\oracle.jwee.10.1.3.40.66\embedded-oc4j\config\system-jazn-data.xml1) Add custom login module
<application>
<name>current-workspace-app</name>
<login-modules>
<login-module>
<class>kr.security.KnowRushLoginModule</class>
<control-flag>required</control-flag>
<options>
<option>
<name>dataSource</name>
<value>jdbc/DB_XE_KNOWRUSHDS</value>
</option>
<option>
<name>user.table</name>
<value>users</value>
</option>
<option>
<name>user.pk.column</name>
<value>id</value>
</option>
<option>
<name>user.name.column</name>
<value>email_address</value>
</option>
<option>
<name>user.password.column</name>
<value>password</value>
</option>
<option>
<name>role.table</name>
<value>roles</value>
</option>
<option>
<name>role.to.user.fk.column</name>
<value>user_id</value>
</option>
<option>
<name>role.name.column</name>
<value>name</value>
</option>
</options>
</login-module>
</login-modules>
</application>2) Grant login rmi permission to roles associated with custom login module (also in system-jazn-data.xml)
<grant>
<grantee>
<principals>
<principal>
<realm-name>jazn.com</realm-name>
<type>role</type>
<class>kr.security.principals.KRRolePrincipal</class>
<name>Admin</name>
</principal>
</principals>
</grantee>
<permissions>
<permission>
<class>com.evermind.server.rmi.RMIPermission</class>
<name>login</name>
</permission>
</permissions>
</grant>
<grant>
<grantee>
<principals>
<principal>
<realm-name>jazn.com</realm-name>
<type>role</type>
<class>kr.security.principals.KRRolePrincipal</class>
<name>Member</name>
</principal>
</principals>
</grantee>
<permissions>
<permission>
<class>com.evermind.server.rmi.RMIPermission</class>
<name>login</name>
</permission>
</permissions>
</grant>3) I've tried creating various oracle and j2ee deployment descriptors (even though ejb-jar.xml and orion-ejb-jar.xml get created automatically when running the session bean in jdev).
My ejb-jar.xml contains :-
<?xml version="1.0" encoding="utf-8"?>
<ejb-jar xmlns ....
<assembly-descriptor>
<security-role>
<role-name>sr_Admin</role-name>
</security-role>
<security-role>
<role-name>sr_Member</role-name>
</security-role>
</assembly-descriptor>
</ejb-jar>Note- i'm not specifying the enterprise-beans stuff, as JDev seems to populate this automatically.
My orion-ejb-jar.xml contains ...
<?xml version="1.0" encoding="utf-8"?>
<orion-ejb-jar ...
<assembly-descriptor>
<security-role-mapping name="sr_Admin">
<group name="Admin"></group>
</security-role-mapping>
<security-role-mapping name="sr_Member">
<group name="Member"></group>
</security-role-mapping>
<default-method-access>
<security-role-mapping name="sr_Member" impliesAll="true">
</security-role-mapping>
</default-method-access>
</assembly-descriptor>My orion-application.xml contains ...
<?xml version="1.0" encoding="utf-8"?>
<orion-application xmlns ...
<security-role-mapping name="sr_Admin">
<group name="Admin"></group>
</security-role-mapping>
<security-role-mapping name="sr_Member">
<group name="Member"></group>
</security-role-mapping>
<jazn provider="XML">
<property name="role.mapping.dynamic" value="true"></property>
<property name="custom.loginmodule.provider" value="true"></property>
</jazn>
<namespace-access>
<read-access>
<namespace-resource root="">
<security-role-mapping name="sr_Admin">
<group name="Admin"/>
<group name="Member"/>
</security-role-mapping>
</namespace-resource>
</read-access>
<write-access>
<namespace-resource root="">
<security-role-mapping name="sr_Admin">
<group name="Admin"/>
<group name="Member"/>
</security-role-mapping>
</namespace-resource>
</write-access>
</namespace-access>
</orion-application>My essentially auto-generated EJB 3 client does the following :-
Hashtable env = new Hashtable();
env.put(Context.SECURITY_PRINCIPAL, "matt.shannon");
env.put(Context.SECURITY_CREDENTIALS, "welcome1");
final Context context = new InitialContext(env);
KRFacade kRFacade = (KRFacade)context.lookup("KRFacade");
...And throws the error
20/04/2007 00:55:37 oracle.j2ee.rmi.RMIMessages
EXCEPTION_ORIGINATES_FROM_THE_REMOTE_SERVER
WARNING: Exception returned by remote server: {0}
javax.naming.NoPermissionException: Not allowed to look
up KRFacade, check the namespace-access tag setting in
orion-application.xml for details
at
com.evermind.server.rmi.RMIClientConnection.handleLookupRe
sponse(RMIClientConnection.java:819)
at
com.evermind.server.rmi.RMIClientConnection.handleOrmiComm
andResponse(RMIClientConnection.java:283)
....I can see from the console that the user was successfully authenticated :-
20/04/2007 00:55:37 kr.security.KnowRushLoginModule validate
WARNING: [KnowRushLoginModule] User matt.shannon authenticated
And that user is granted both the Admin, and Member roles.
The test servlet using basic authentication correctly detects the user and roles perfectly...
public void doGet(HttpServletRequest request,
HttpServletResponse response)
throws ServletException, IOException
LOGGER.log(Level.INFO,LOGPREFIX +"doGet called");
response.setContentType(CONTENT_TYPE);
PrintWriter out = response.getWriter();
out.println("<html>");
out.println("<head><title>ExampleServlet</title></head>");
out.println("<body>");
out.println("<p>The servlet has received a GET. This is the reply.</p>");
out.println("<br> getRemoteUser = " + request.getRemoteUser());
out.println("<br> getUserPrincipal = " + request.getUserPrincipal());
out.println("<br> isUserInRole('sr_Admin') = "+request.isUserInRole("sr_Admin"));
out.println("<br> isUserInRole('sr_Memeber') = "+request.isUserInRole("sr_Member"));Anyone got any ideas what could be going wrong?
cheers
Matt.
Message was edited by:
mshannonThanks for the response. I checked out your blog and tried your suggestions. I'm sure it works well in standalone OC4J, but i was still unable to get it to function correctly from JDeveloper embedded.
Did you ever get the code working directly from JDeveloper?
Your custom code essentially seems to be the equivalent of a grant within system-jazn-data.xml.
For example, the following grant to a custom jaas role (JAAS_ADMIN) that gets added by my custom login module gives them rmi login access :-
<grant>
<grantee>
<principals>
<principal>
<realm-name>jazn.com</realm-name>
<type>role</type>
<class>kr.security.principals.KRRolePrincipal</class>
<name>JAAS_Admin</name>
</principal>
</principals>
</grantee>
<permissions>
<permission>
<class>com.evermind.server.rmi.RMIPermission</class>
<name>login</name>
</permission>
</permissions>
</grant>If I add the following to orion-application.xml
<!-- Granting login permission to users accessing this EJB. -->
<namespace-access>
<read-access>
<namespace-resource root="">
<security-role-mapping>
<group name="JAAS_Admin"></group>
</security-role-mapping>
</namespace-resource>
</read-access>Running a standalone client against the embedded jdev oc4j server gives the namespace-access error.
I tried out your code by essentially creating a static reference to a singleton class that does the role lookup/provisioning with rmi login grant :-
From custom login module :-
private static KRSecurityHelper singleton = new KRSecurityHelper();
protected Principal[] m_Principals;
Vector v = new Vector();
v.add(singleton.getCustomRmiConnectRole());
// set principals in LoginModule
m_Principals=(Principal[]) v.toArray(new Principal[v.size()]);
Singleton class :-
package kr.security;
import com.evermind.server.rmi.RMIPermission;
import java.util.logging.Level;
import java.util.logging.Logger;
import oracle.security.jazn.JAZNConfig;
import oracle.security.jazn.policy.Grantee;
import oracle.security.jazn.realm.Realm;
import oracle.security.jazn.realm.RealmManager;
import oracle.security.jazn.realm.RealmRole;
import oracle.security.jazn.realm.RoleManager;
import oracle.security.jazn.policy.JAZNPolicy;
import oracle.security.jazn.JAZNException;
public class KRSecurityHelper
private static final Logger LOGGER = Logger.getLogger("kr.security");
private static final String LOGPREFIX = "[KRSecurityHelper] ";
public static String CUSTOM_RMI_CONNECT_ROLE = "remote_connect";
private RealmRole m_Role = null;
public KRSecurityHelper()
LOGGER.log(Level.FINEST,LOGPREFIX +"calling JAZNConfig.getJAZNConfig");
JAZNConfig jc = JAZNConfig.getJAZNConfig();
LOGGER.log(Level.FINEST,LOGPREFIX +"calling jc.getRealmManager");
RealmManager realmMgr = jc.getRealmManager();
try
// Get the default realm .. e.g. jazn.com
LOGGER.log(Level.FINEST,LOGPREFIX +"calling jc.getGetDefaultRealm");
Realm r = realmMgr.getRealm(jc.getDefaultRealm());
LOGGER.log(Level.INFO,LOGPREFIX +"default realm: "+r.getName());
// Access the role manager for the remote connection role
LOGGER.log(Level.FINEST,
LOGPREFIX +"calling default_realm.getRoleManager");
RoleManager roleMgr = r.getRoleManager();
LOGGER.log(Level.INFO,LOGPREFIX +"looking up custom role '"
CUSTOM_RMI_CONNECT_ROLE "'");
RealmRole rmiConnectRole = roleMgr.getRole(CUSTOM_RMI_CONNECT_ROLE);
if (rmiConnectRole == null)
LOGGER.log(Level.INFO,LOGPREFIX +"role does not exist, create it...");
rmiConnectRole = roleMgr.createRole(CUSTOM_RMI_CONNECT_ROLE);
LOGGER.log(Level.FINEST,LOGPREFIX +"constructing new grantee");
Grantee gtee = new Grantee(rmiConnectRole);
LOGGER.log(Level.FINEST,LOGPREFIX +"constructing login rmi permission");
RMIPermission login = new RMIPermission("login");
LOGGER.log(Level.FINEST,
LOGPREFIX +"constructing subject.propagation rmi permission");
RMIPermission subjectprop = new RMIPermission("subject.propagation");
// make policy changes
LOGGER.log(Level.FINEST,LOGPREFIX +"calling jc.getPolicy");
JAZNPolicy policy = jc.getPolicy();
if (policy != null)
LOGGER.log(Level.INFO, LOGPREFIX
+ "add to policy grant for RMI 'login' permission to "
+ CUSTOM_RMI_CONNECT_ROLE);
policy.grant(gtee, login);
LOGGER.log(Level.INFO, LOGPREFIX
+ "add to policy grant for RMI 'subject.propagation' permission to "
+ CUSTOM_RMI_CONNECT_ROLE);
policy.grant(gtee, subjectprop);
// m_Role = rmiConnectRole;
m_Role = roleMgr.getRole(CUSTOM_RMI_CONNECT_ROLE);
LOGGER.log(Level.INFO, LOGPREFIX
+ m_Role.getName() + ":" + m_Role.getFullName() + ":" + m_Role.getFullName());
else
LOGGER.log(Level.WARNING,LOGPREFIX +"Cannot find jazn policy!");
else
LOGGER.log(Level.INFO,LOGPREFIX +"custom role already exists");
m_Role = rmiConnectRole;
catch (JAZNException e)
LOGGER.log(Level.WARNING,
LOGPREFIX +"Cannot configure JAZN for remote connections");
public RealmRole getCustomRmiConnectRole()
return m_Role;
}Using the code approach and switching application.xml across so that namespace access is for the group remote_connect, I get the following error from my bean :-
INFO: Login permission not granted for current-workspace-app (test.user)
Thus, the login permission that I'm adding through the custom remote_connect role does not seem to work. Even if it did, i'm pretty sure I would still get that namespace error.
This has been such a frustrating process. All the custom login module samples using embedded JDeveloper show simple j2ee servlet protection based on settings in web.xml.
There are no samples showing jdeveloper embedded oc4j using ejb with custom login modules.
Hopefully the oc4j jdev gurus like Frank can write a paper that demonstrates this.
Matt. -
Custom Login Module with Adf 11g and and weblogic server
I have configured adf security on my application. I have checked the authentication and authorization are working fine with the default authenticator.
I am trying to create a custom login module. I have downloaded the custom login module implementation jaasdatabaseloginmodule.zip http://www.oracle.com/technetwork/developer-tools/jdev/index-089689.html. I have added the DBLoginModule.jar to my application. post written by Frank Nimphius and Duncan Mills
I have configured the jps config under the application resources with these entries.
<jpsConfig xmlns="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd">
<property value="true" name="custom.provider"/>
<property value="doasprivileged" name="oracle.security.jps.jaas.mode"/>
<serviceInstance name="CustomFFMLoginModule"
provider="jaas.login.provider">
<property name="jaas.login.controlFlag" value="REQUIRED"/>
<property name="log.level" value="FINEST"/>
<property name="debug" value="true"/>
<property name="addAllRoles" value="true"/>
<property name="loginModuleClassName"
value="oracle.sample.dbloginmodule.DBTableLM.ALSDBTableLoginModule"/>
<property value="jdbc/ApplicationDBDS" name="data_source_name"/>
</serviceInstance>
<jpsContexts default="FFMSecurityDAM">
<jpsContext name="FFMSecurityDAM">
<serviceInstanceRef ref="CustomFFMLoginModule"/>
<serviceInstanceRef ref="credstore"/>
<serviceInstanceRef ref="anonymous"/>
<serviceInstanceRef ref="policystore.xml"/>
</jpsContext>
When I run the application this custom login is not getting invoked.
I even tried to add these contents to DefaultDomain\config\fmwconfig\jps-config.xml still no result.
Can anyone who has configured custom login module direct me how to correct my application.Hi Frank,
After following the documentation suggested. I am able to create custom authenticator. But when I login I getting the below exception. When I debugged login method returned true. But this error is being thrown after that. Any clue.
java.lang.IllegalArgumentException: [Security:097531]Method com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principals) was unable to sign a principal
at com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(PrincipalValidationServiceImpl.java:188)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.bea.common.security.internal.utils.Delegator$ProxyInvocationHandler.invoke(Delegator.java:57)
at $Proxy10.sign(Unknown Source)
at weblogic.security.service.internal.WLSIdentityServiceImpl.getIdentityFromSubject(WLSIdentityServiceImpl.java:63)
at com.bea.common.security.internal.service.JAASLoginServiceImpl.login(JAASLoginServiceImpl.java:119)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.bea.common.security.internal.utils.Delegator$ProxyInvocationHandler.invoke(Delegator.java:57)
at $Proxy16.login(Unknown Source)
at weblogic.security.service.internal.WLSJAASLoginServiceImpl$ServiceImpl.login(WLSJAASLoginServiceImpl.java:91)
at com.bea.common.security.internal.service.JAASAuthenticationServiceImpl.authenticate(JAASAuthenticationServiceImpl.java:82)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.bea.common.security.internal.utils.Delegator$ProxyInvocationHandler.invoke(Delegator.java:57)
at $Proxy34.authenticate(Unknown Source)
at weblogic.security.service.WLSJAASAuthenticationServiceWrapper.authenticate(WLSJAASAuthenticationServiceWrapper.java:40)
at weblogic.security.service.PrincipalAuthenticator.authenticate(PrincipalAuthenticator.java:348)
at weblogic.servlet.security.internal.SecurityModule.checkAuthenticate(SecurityModule.java:237)
at weblogic.servlet.security.internal.SecurityModule.checkAuthenticate(SecurityModule.java:186)
at weblogic.servlet.security.internal.FormSecurityModule.processJSecurityCheck(FormSecurityModule.java:254)
at weblogic.servlet.security.internal.FormSecurityModule.checkUserPerm(FormSecurityModule.java:209)
at weblogic.servlet.security.internal.FormSecurityModule.checkAccess(FormSecurityModule.java:92)
at weblogic.servlet.security.internal.ServletSecurityManager.checkAccess(ServletSecurityManager.java:82)
at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2204)
at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2174)
at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1446)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:173) -
i've been following franks' tutorial on how to use a custom login module. but no matter what i do, i cant get the jsp to authenticate my valid database account.
jazn-data.xml file
<!-- JAZN Realm Data -->
<name>scott</name>
<credentials>!tiger</credentials>
<jazn-loginconfig>
<application>
<name>foo</name>
<login-modules>
<login-module>
<class>oracle.sample.dbloginmodule.DBTableLM.DBSystemLoginModule</class>
<control-flag>required</control-flag>
<options>
<option>
<name>debug</name>
<value>true</value>
</option>
<option>
<name>jdbcUrl</name>
<value>jdbc:oracle:thin:@localhost:1521:orcl</value>
</option>
<option>
<name>log_level</name>
<value>ALL</value>
</option>
</options>
</login-module>
</login-modules>
</application>
</jazn-loginconfig>
</jazn-data>
orion-application.xml
<jazn provider="XML" location="jazn-data.xml"
default-realm="jazn.com">
<property name="role.mapping.dynamic" value="true"/>
<property name="jaas.username.simple" value ="true" />
</jazn>
is there anything wrong with the settings?I've followed the tutorial to the last step. yet i cant get anything. Please help!Sorry about the incomplete previous post:
I am trying to do the authentication using a customized login module in a stand alone OC4J server. I put some debug statements and found out that the authentication works but fails to authorize. I get the following error:
NOTIFICATION J2EE RMI-00005 Login permission not granted for myApp (testUser)
The only way I have been able to get this to work is to add the user 'testUser' in system-jazn-data.xml and specify that 'testUser' has the role 'USERS'. It's not practically possible to specify all the users in system-jazn-data.xml. Is there a workaround this? I have pasted below snippets of orion-application.xml and system-jazn-data.xml. Any help is greatly appreciated. Thanks in advance
I have specified the following in orion-application.xml
<namespace-access>
<read-access>
<namespace-resource root="">
<security-role-mapping>
<group name="USERS"/>
</security-role-mapping>
</namespace-resource>
</read-access>
<write-access>
<namespace-resource root="">
<security-role-mapping>
<group name="USERS"/>
</security-role-mapping>
</namespace-resource>
</write-access>
</namespace-access>
</orion-application>
In system-jazn-data.xml I have given permission for the role 'USERS' to login.
<grant>
<grantee>
<principals>
<principal>
<realm-name>jazn.com</realm-name>
<type>role</type>
<class>oracle.security.jazn.spi.xml.XMLRealmRole</class>
<name>jazn.com/USERS</name>
</principal>
</principals>
</grantee>
<permissions>
<permission>
<class>com.evermind.server.rmi.RMIPermission</class>
<name>login</name>
</permission>
</permissions>
</grant> -
hi guys
i have configured trusted identity provider for my public facing internet portal, but i dont want to use the login screen
since i have about 10 site collection which will use this authentication.
is there a class or property that gives me the url ready with the parameters like "wa" and "wtrealm" and the redirect url based on the place the user click the link from.You can create your own login page and specify the URL for it in the authentication provider settings of a Web Application or Zone. So the easiest way to do what you want would be to extend your existing Web Application to a new Zone, change the login
Page url to point to use your custom zone, and tell users to use the url of that zone to login with the custom provider you have built.
If you want a single zone then you will need to modify a copy of the login page you display above and have it redirect to a custom login page for your identity provider if the pick the correct entry in the dropdown.
Paul Stork SharePoint Server MVP
Principal Architect: Blue Chip Consulting Group
Blog: http://dontpapanic.com/blog
Twitter: Follow @pstork
Please remember to mark your question as "answered" if this solves your problem. -
Custom login module for EP7.4 with Captcha
Hi
I am trying to create a custom login module which validates the captcha shown at the login screen using SAP help link:
http://help.sap.com/saphelp_nw73/helpdata/en/48/ff4faf222b3697e10000000a42189b/content.htm?frameset=/en/48/fcea4f62944e88e10000000a421937/frameset.htm¤t_toc=/en/74/8ff534d56846e2abc61fe5612927bf/plain.htm&node_id=20
The session is being set in the Captcha servlet which is used to render the image on the login page.
However when I am trying to compare it with input or print the session value, its throwing an exception.
I checked in the NWA logs and it just shows the following error message:
6. com.temp.loginModule.MyLoginModuleClass OPTIONAL ok exception true Authentication did not succeed.
Please help me analyse the error stack. Can someone point where do i check the detailed logs to trace the issue?
Please find below source of my login module.
package com.temp.loginModule;
import java.io.IOException;
import java.util.Map;
import javax.security.auth.login.LoginException;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import nl.captcha.Captcha;
import com.sap.engine.interfaces.security.auth.AbstractLoginModule;
import com.sap.engine.lib.security.http.HttpGetterCallback;
import com.sap.engine.lib.security.http.HttpCallback;
import com.sap.engine.lib.security.LoginExceptionDetails;
import com.sap.engine.lib.security.Principal;
public class MyLoginModuleClass extends AbstractLoginModule{
private CallbackHandler callbackHandler = null;
private Subject subject = null;
private Map sharedState = null;
private Map options = null;
// This is the name of the user you have created on
// the AS Java so you can test the login module
private String userName = null;
private boolean successful;
private boolean nameSet;
public void initialize(Subject subject, CallbackHandler callbackHandler,
Map sharedState, Map options) {
// This is the only required step for the method
super.initialize(subject, callbackHandler, sharedState, options);
// Initializing the values of the variables
this.callbackHandler = callbackHandler;
this.subject = subject;
this.sharedState = sharedState;
this.options = options;
this.successful = false;
this.nameSet = false;
* Retrieves the user credentials and checks them. This is
* the first part of the authentication process.
public boolean login() throws LoginException {
// HttpGetterCallback httpGetterCallback = new HttpGetterCallback();
// httpGetterCallback.setType(HttpCallback.REQUEST_PARAMETER);
// httpGetterCallback.setName("captchaInput");
String value = null;
// try {
// callbackHandler.handle(new Callback[] { httpGetterCallback });
// String[] arrayRequestparam = (String[]) httpGetterCallback.getValue();
// if(arrayRequestparam!=null && arrayRequestparam.length>0)
// value = arrayRequestparam[0];
// } catch (UnsupportedCallbackException e) {
// throwNewLoginException("An error occurred while trying to validate credentials.");
// } catch (IOException e) {
// throwUserLoginException(e, LoginExceptionDetails.IO_EXCEPTION);
value = getRequestValue("captchaInput");
userName = getRequestValue("j_username");
HttpGetterCallback httpGetterCallbackSessionCaptcha = new HttpGetterCallback();
httpGetterCallbackSessionCaptcha.setType(HttpCallback.SESSION_ATTRIBUTE);
httpGetterCallbackSessionCaptcha.setName("myCaptchaLogin");
try {
callbackHandler.handle(new Callback[] { httpGetterCallbackSessionCaptcha });
Captcha arraySessionParam = (Captcha) httpGetterCallbackSessionCaptcha.getValue();
// System.out.println("****************************************************httpGetterCallbackSessionCaptcha" + (arraySessionParam==null?"null session":arraySessionParam.getAnswer())+
// "\n captchaInput" + value+"*********************");
if(arraySessionParam==null || !arraySessionParam.isCorrect(value)){
throwNewLoginException("Entered code does not match with the image code.Session:"+(arraySessionParam==null?"null":arraySessionParam.getAnswer())+" Param:"+ value);
// throwUserLoginException(new Exception("Entered code does not match with the image code."));
httpGetterCallbackSessionCaptcha.setValue(null);
} catch (UnsupportedCallbackException e) {
throwNewLoginException("An error occurred while trying to validate credentials.");
} catch (IOException e) {
throwUserLoginException(e, LoginExceptionDetails.IO_EXCEPTION);
// Retrieve the user credentials via the callback
// handler.
// In this case we get the user name from the HTTP
// NameCallback.
// NameCallback nameCallback = new NameCallback("User name: ");
/* The type and the name specify which part of the HTTP request
* should be retrieved. For Web container authentication, the
* supported types are defined in the interface
* com.sap.engine.lib.security.http.HttpCallback.
* For programmatical authentication with custom callback
* handler the supported types depend on the used callback handler.
// try {
// callbackHandler.handle(new Callback[] {nameCallback});
// catch (UnsupportedCallbackException e) {
// return false;
// catch (IOException e) {
// throwUserLoginException(e, LoginExceptionDetails.IO_EXCEPTION);
// userName = nameCallback.getName();
// if( userName == null || userName.length() == 0 ) {
// return false;
/* When you know the user name, update the user information
* using data from the persistence. The operation must
* be done before the user credentials checks. This method also
* checks the user name so that if a user with that name does not
* exist in the active user store, a
* java.lang.SecurityException is thrown.
// try {
// refreshUserInfo(userName);
// } catch (SecurityException e) {
// throwUserLoginException(e);
/* Checks if the given user name starts with the specified
* prefix in the login module options. If no prefix is specified,
* then all users are trusted.
// String prefix = (String) options.get("user_name_prefix");
// if ((prefix != null) && !userName.startsWith(prefix)) {
// throwNewLoginException("The user is not trusted.");
/* This is done if the authentication of the login module is
* successful.
* Only one and exactly one login module from the stack must put
* the user name in the shared state. This user name represents
* the authenticated user.
* For example if the login attempt is successful, method
* getRemoteUser() of
* the HTTP request will retrieve exactly this name.
if (sharedState.get(AbstractLoginModule.NAME) == null) {
sharedState.put(AbstractLoginModule.NAME, userName);
nameSet = true;
successful = true;
return true;
* Commit the login. This is the second part of the authentication
* process.
* If a user name has been stored by the login() method,
* the user name is added to the subject as a new principal.
public boolean commit() throws LoginException {
if (successful) {
/* The principals that are added to the subject should
* implement java.security.Principal.You can use the class
* com.sap.engine.lib.security.Principal for this purpose.
Principal principal = new Principal(userName);
subject.getPrincipals().add(principal);
/* If the login is successful, then the principal corresponding
* to the <userName> (the same user name that has been added
* to the subject) must be added in the shared state too.
* This principal is considered to be the main principal
* representing the user.
* For example, this principal will be retrieved from method
* getUserPrincipal() of the HTTP request.
if (nameSet) {
sharedState.put(AbstractLoginModule.PRINCIPAL, principal);
} else {
userName = null;
return true;
* Abort the authentication process.
public boolean abort() throws LoginException {
if (successful) {
userName = null;
successful = false;
return true;
* Log out the user. Also removes the principals and
* destroys or removes the credentials that were associated
* with the user during the commit phase.
public boolean logout() throws LoginException {
// Remove principals and credentials from subject
if (successful) {
subject.getPrincipals(Principal.class).clear();
successful = false;
return true;
private String getRequestValue(String parameterName)
throws LoginException {
HttpGetterCallback httpGetterCallback = new HttpGetterCallback();
httpGetterCallback.setType(HttpCallback.REQUEST_PARAMETER);
httpGetterCallback.setName(parameterName);
String value = null;
try {
callbackHandler.handle(new Callback[] { httpGetterCallback });
String[] arrayRequestparam = (String[]) httpGetterCallback.getValue();
value = arrayRequestparam[0];
} catch (UnsupportedCallbackException e) {
return null;
} catch (IOException e) {
throwUserLoginException(e, LoginExceptionDetails.IO_EXCEPTION);
return value;
Regards
Ramanender SinghRamanender,
JAAS modules usually requires a restart whenever you need to change them. So be very careful with what you expect once you re-deploy your code.
Once the library is loaded it will never reload itself until you perform a restart of the VM.
Connect to the debug port may help, but basic debugging will not take you too far either.
I would recommend you to use the log tracing facility on your code. Just enter the following class attribute:
import com.sap.tc.logging.Location;
private static final Location trace = Location.getLocation(<your_classname_here>.class);
trace.warningT("Some Warning Text Here..." + variable here);
trace.debugT("Some Warning Text Here..." + variable here);
You may need to go NWA and set the Location Severity Level to Debug according to your needs.
Leave the trace code on your module for IT personnel to debug it if necessary. Don't forget to have the severity level of your code properly set.
Meaning: You don't want to have every trace message your module sills out with warningT() or infoT().
There is a excellent blog here on how this works
Then you will be able to inspect some variable contents while the callbackhandler is being executed.
Pay special attention with the timing - variables have a lifetime when dealing with login modules.
Use the entering(<method_name>) and exiting(<method_name> just ot make sure where in the code the variable should be populated and when.
BR,
Ivan -
Custom login module with 10.1.3
Hello all,
I've been trying out Frank N's custom login module (http://www.oracle.com/technology/products/jdev/howtos/10g/jaassec/index.htm) with JDev 10.1.3/OC4J 10.1.3 and am not having much luck.
Whenever I add <property name="role.mapping.dynamic" value="true"/> to orion-application.xml, the application fails to deploy with java.lang.InstantiationException. I even get this error when I try to set up a custom login module using the enterprise manager for OC4J 10.1.3. Is this a bug, or does the doc need to be updated? Without this item configured, I do get the basic login prompt, but no logging or anything - which indicates to me that the custom login module is not even being called. Nothing on metalink either.
Thanks,
Johnhmm i dont know... custom login module (db authentication) definitely works with standalone 10.1.3.0.0 and jdevloper standalone, but it doesnt work with jdev embeded oc4j (jdevstudio1013\jdev\system\oracle.j2ee.10.1.3.36.73\embedded-oc4j)
i have the code, and it works.. however the application is entirerly made in jdev 10.1.3.04 production, it is not migrated from previous jdev.. make sure to deploy from war file (i have prob to deploy from ear)
the only big problem i got is to setup ssl in separate oc4j standalone (ssl works with jdev standalone) and make client athentication to work
because it wont run as it should.. (i did not have this prob in 10.1.2.1) -
Issues with OSSO ,custom login module and form based authentication
Hi:
We are facing issues with OSSO (Oracle Single Sign on ),Our application use the form based
authentication and Custom login module.
Application is going in infinite loop when we we try to login using osso ,from the logs
what I got is looks like tha when we we try to login from OSSO application goes to the login
page and it gets the remote user from request so it forwards it to the home page till now
it is correct behaviour ,but after that It looks like home page find that authentication is
not done and sends it back to the login page and login page again sends it to the home as it
finds that remote user is not null.
Our web.xml form authentication entry looks like this :
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/jsp/login.jsp</form-login-page>
<form-error-page>/jsp/couldnotlogin.jsp</form-error-page>
</form-login-config>
</login-config>
While entry in orion-application.xml has the following entry for custom login :
<jazn provider="XML">
<property name="custom.loginmodule.provider" value="true" />
<property name="role.mapping.dynamic" value="true" />
</jazn>
Whether If I change the authentication type to BASIC and add the following line
in orion-application.xml will solve the issue :
<jazn provider="XML">
<property name="custom.loginmodule.provider" value="true" />
<property name="role.mapping.dynamic" value="true" />
<jazn-web-app auth-method="SSO" >
</jazn>
Any help regarding it will be appreciated .
Thanks
AnilHi:
We are facing issues with OSSO (Oracle Single Sign on ),Our application use the form based
authentication and Custom login module.
Application is going in infinite loop when we we try to login using osso ,from the logs
what I got is looks like tha when we we try to login from OSSO application goes to the login
page and it gets the remote user from request so it forwards it to the home page till now
it is correct behaviour ,but after that It looks like home page find that authentication is
not done and sends it back to the login page and login page again sends it to the home as it
finds that remote user is not null.
Our web.xml form authentication entry looks like this :
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/jsp/login.jsp</form-login-page>
<form-error-page>/jsp/couldnotlogin.jsp</form-error-page>
</form-login-config>
</login-config>
While entry in orion-application.xml has the following entry for custom login :
<jazn provider="XML">
<property name="custom.loginmodule.provider" value="true" />
<property name="role.mapping.dynamic" value="true" />
</jazn>
Whether If I change the authentication type to BASIC and add the following line
in orion-application.xml will solve the issue :
<jazn provider="XML">
<property name="custom.loginmodule.provider" value="true" />
<property name="role.mapping.dynamic" value="true" />
<jazn-web-app auth-method="SSO" >
</jazn>
Any help regarding it will be appreciated .
Thanks
Anil -
Error using 10.1.3 Security Provider:3rd party LDAP or Custom Login Module
Hello all,
After deploying my JSF/ADF application using Jdeveloper 10.1.3 to Oracle Application Server 10.1.3, I used the Application Server control to change the 'Security Provider' configuration:
1. Using 3rd Party LDAP Provider (Novell eDirectory)
I get the following error when restarting the application with the new config.
06/06/21 16:42:32 Error while configuring security provider MBean for application AccessList
06/06/21 16:42:32 java.lang.ClassNotFoundException: oracle/security/jazn/jmx/CustomLDAPSecurityProvider
2. Using Custom Login Module (again programmatically talks to eDirectory and it works in UIX/10.1.2 application)
I get the following error when restarting the application with the new config.
06/06/21 14:31:19 Error while configuring security provider MBean for application AccessList
06/06/21 14:31:19 java.lang.ClassNotFoundException: oracle/security/jazn/jmx/LoginModuleSecurityProviderAlso, I get this error with both the settings..
06/06/21 14:31:19 WARNING: Application.setConfig Application: AccessList is in failed state as initialization failedjava.lang.
InstantiationException
Jun 21, 2006 2:31:19 PM com.evermind.server.Application setConfig
WARNING: Application: AccessList is in failed state as initialization failedjava.lang.InstantiationException
06/06/21 14:31:19 java.lang.InstantiationException
06/06/21 14:31:19 at com.evermind.server.ApplicationStateRunning.initDataSources(ApplicationStateRunning.java:1424)
06/06/21 14:31:19 at com.evermind.server.ApplicationStateRunning.initializeApplication(ApplicationStateRunning.java:195)
java.lang.ClassNotFoundException error leads me to believe, I am just missing to include some libraries..
I have included "bc4j.security" in my web project and I am not sure if that is what is needed!
Will appreciate your help..
Thanks,
KarthikThe problem i had with my Custom login module was that JDeveloper includes the datasources listed in the connection tab.
When JDeveloper does that it writes the username and password in the jazn-data.xml. But with the Custom Login module the reference in de data-source declaration cannot find the password. that's why i got the InstantiationException at the initDataSources point.
In tools>preferences>deployment you can uncheck the option:
Bundle Default data-sources.xml During Deployment.
The problem with this is when i specify a datasource in the data-sources.xml i included myself, jdeveloper will also put de datasources under the Connections tab in the data-sources.xml.
Does anyone knows how to stop jdeveloper putting the datasources automatic in the file, or how to prevent jdeveloper storing the password in jazn-data.xml? -
Custom Role Provider has issue with AuthorizeAttribute for MVC
Hi, I am developing a MVC 5 application with custom role provider, but it seems that the AuthorizeAttribute never call my customer role provider, my code is as below:
My Customer provider:
namespace MyDomain
public class CustomRoleProvider : RoleProvider
public override string[] GetRolesForUser(string username)
using (MyContext objContext = new MyContext())
var objUser = objContext.Users.FirstOrDefault(x => x.Username == username);
if (objUser == null)
return null;
else
string[] ret = { objUser.Access_Levels.Name };
return ret;
public override bool IsUserInRole(string username, string roleName)
var userRoles = GetRolesForUser(username);
return userRoles.Contains(roleName);
My controller:
[Authorize(Roles = "Administrator")]
public class AdminController : Controller
And Web.Config:
<system.web>
<roleManager defaultProvider="CustomRoleProvider" enabled="true" >
<providers>
<clear />
<add name="CustomRoleProvider" type="Online_Storage_Portal.CustomRoleProvider" cacheTimeoutInMinutes="30"/>
</providers>
</roleManager>
</system.web>
Also my custom role provider is in the same project as my other controllers, I am able to call my custom role provider method with following code within my controller
String[] roles = Roles.GetRolesForUser(username)
but the controller with [Authorize(Roles = "Administrator")] always redirect the page to login screen, even the user login and role are both valued.
Please help!!You should post this question to
ASP.NET MVC forums as problem relates more to that than C#. But the problem might relate to how you have set the principal the one that you can access from HttpContext.User property. I think that is the one where the roles are retrieved. -
I have an application EAR deployed on the application server that uses a custom login module for authentication. I also have a standalone java application that does a JNDI lookup on a remote EJB. The issue I am having is that this lookup always fails with an exception when the EAR is deployed onto the server, but this seems to work alright with a standalone OC4J. I am working with 10.1.3.4.0 of the OC4J container.
javax.naming.NamingException: Lookup error: javax.naming.AuthenticationException: Not authorized; nested exception is:
javax.naming.AuthenticationException: Not authorized [Root exception is javax.naming.AuthenticationException: Not authorized]
at com.evermind.server.rmi.RMIClientContext.lookup(RMIClientContext.java:64)
at javax.naming.InitialContext.lookup(InitialContext.java:351)
at uk.co.card.cms.esp.TestJndi.main(TestJndi.java:53)
Caused by: javax.naming.AuthenticationException: Not authorized
at oracle.oc4j.rmi.ClientRmiTransport.connectToServer(ClientRmiTransport.java:99)
at oracle.oc4j.rmi.ClientSocketRmiTransport.connectToServer(ClientSocketRmiTransport.java:68)
at com.evermind.server.rmi.RMIClientConnection.connect(RMIClientConnection.java:646)
at com.evermind.server.rmi.RMIClientConnection.sendLookupRequest(RMIClientConnection.java:190)
at com.evermind.server.rmi.RMIClientConnection.lookup(RMIClientConnection.java:174)
at com.evermind.server.rmi.RMIClient.lookup(RMIClient.java:283)
at com.evermind.server.rmi.RMIClientContext.lookup(RMIClientContext.java:51)
The standalone application is setting these properties for JNDI lookup -
java.naming.security.principal=<user>
java.naming.security.credentials=<password>
java.naming.factory.initial=com.evermind.server.rmi.RMIInitialContextFactory
java.naming.provider.url=opmn:ormi://beefalo2:6003/CmsEnterprise
As far as I can see, the login module is going through the login() and commit() phases correctly and sets a role called 'user' for the authenticated subject. This role is given the RMI login permission in the jazn-data.xml
<jazn-policy>
<!-- Grant login permission for anyone in the user role -->
<grant>
<grantee>
<principals>
<principal>
<realm-name>jazn.com</realm-name>
<type>role</type>
<class>uk.co.card.jaas.SimplePrincipal</class>
<name>user</name>
</principal>
</principals>
</grantee>
<permissions>
<permission>
<class>com.evermind.server.rmi.RMIPermission</class>
<name>login</name>
</permission>
</permissions>
</grant>
</jazn-policy>
The ejb-jar.xml also has this defined in the assembly-descriptor.
<assembly-descriptor>
<security-role>
<role-name>user</role-name>
</security-role>
</assembly-descriptor>
The orion-application.xml has the namespace access provided as -
<namespace-access>
<read-access>
<namespace-resource root="">
<security-role-mapping impliesAll="true">
<group name="users" />
</security-role-mapping>
</namespace-resource>
</read-access>
<write-access>
<namespace-resource root="">
<security-role-mapping impliesAll="true">
<group name="users" />
</security-role-mapping>
</namespace-resource>
</write-access>
</namespace-access>
Appreciate if someone can help me identify what I am missing.I have an application EAR deployed on the application server that uses a custom login module for authentication. I also have a standalone java application that does a JNDI lookup on a remote EJB. The issue I am having is that this lookup always fails with an exception when the EAR is deployed onto the server, but this seems to work alright with a standalone OC4J. I am working with 10.1.3.4.0 of the OC4J container.
javax.naming.NamingException: Lookup error: javax.naming.AuthenticationException: Not authorized; nested exception is:
javax.naming.AuthenticationException: Not authorized [Root exception is javax.naming.AuthenticationException: Not authorized]
at com.evermind.server.rmi.RMIClientContext.lookup(RMIClientContext.java:64)
at javax.naming.InitialContext.lookup(InitialContext.java:351)
at uk.co.card.cms.esp.TestJndi.main(TestJndi.java:53)
Caused by: javax.naming.AuthenticationException: Not authorized
at oracle.oc4j.rmi.ClientRmiTransport.connectToServer(ClientRmiTransport.java:99)
at oracle.oc4j.rmi.ClientSocketRmiTransport.connectToServer(ClientSocketRmiTransport.java:68)
at com.evermind.server.rmi.RMIClientConnection.connect(RMIClientConnection.java:646)
at com.evermind.server.rmi.RMIClientConnection.sendLookupRequest(RMIClientConnection.java:190)
at com.evermind.server.rmi.RMIClientConnection.lookup(RMIClientConnection.java:174)
at com.evermind.server.rmi.RMIClient.lookup(RMIClient.java:283)
at com.evermind.server.rmi.RMIClientContext.lookup(RMIClientContext.java:51)
The standalone application is setting these properties for JNDI lookup -
java.naming.security.principal=<user>
java.naming.security.credentials=<password>
java.naming.factory.initial=com.evermind.server.rmi.RMIInitialContextFactory
java.naming.provider.url=opmn:ormi://beefalo2:6003/CmsEnterprise
As far as I can see, the login module is going through the login() and commit() phases correctly and sets a role called 'user' for the authenticated subject. This role is given the RMI login permission in the jazn-data.xml
<jazn-policy>
<!-- Grant login permission for anyone in the user role -->
<grant>
<grantee>
<principals>
<principal>
<realm-name>jazn.com</realm-name>
<type>role</type>
<class>uk.co.card.jaas.SimplePrincipal</class>
<name>user</name>
</principal>
</principals>
</grantee>
<permissions>
<permission>
<class>com.evermind.server.rmi.RMIPermission</class>
<name>login</name>
</permission>
</permissions>
</grant>
</jazn-policy>
The ejb-jar.xml also has this defined in the assembly-descriptor.
<assembly-descriptor>
<security-role>
<role-name>user</role-name>
</security-role>
</assembly-descriptor>
The orion-application.xml has the namespace access provided as -
<namespace-access>
<read-access>
<namespace-resource root="">
<security-role-mapping impliesAll="true">
<group name="users" />
</security-role-mapping>
</namespace-resource>
</read-access>
<write-access>
<namespace-resource root="">
<security-role-mapping impliesAll="true">
<group name="users" />
</security-role-mapping>
</namespace-resource>
</write-access>
</namespace-access>
Appreciate if someone can help me identify what I am missing. -
Problems with custom login module/authscheme in Portal iViews
Hi,
In our portal users must login with their username and password ("ticket" login module stack) to access most of the content. For some of the iViews containing confidential data we would like to ask the users some personal questions before giving them access.
I followed all the steps described in the [official documentation |http://help.sap.com/saphelp_nw04s/helpdata/en/8c/f03541c6afd92be10000000a1550b0/content.htm]:
- created a custom login module
- added it to a custom login module stack
- added a custom authscheme in the authschemes.xml file
- assigned the iView to this authscheme
I also create a PortalComponent that reads the user entries and calls my login module (JSP not shown):
public void doContent(IPortalComponentRequest request, IPortalComponentResponse response) {
HttpServletRequest req = request.getServletRequest();
HttpServletResponse resp = request.getServletResponse(false);
ILogonAuthentication ila = UMFactory.getLogonAuthenticator();
Subject subject = ila.logon(req, resp, "myauthscheme");
// if authenticated what to do next??
Now when I try to access the protected iView, I see my screen to answer the questions, I press submit and my login module is called. But, I never get redirected to the iView I'm supposed to go. So I still have two questions:
1) Which login modules should be in the login module stack? Should I include the BasicPasswordLoginModule?
For the moment I have:
EvaluateTicketLoginModule (SUFFICIENT)
MyCustomLoginModule (REQUISITE)
CreateTicketLoginModule (OPTIONAL)
2) How can I be redirected to the protected iView after the user is being authenticated? Is it the portal framework who is responsible to navigate there automatically? Or is it in my own code after the logon() call? In that case how can I retrieve the destination URL?
Thanks,
MartinI'm using the version 10.1.3.0.4 (SU5).
The error is:
06/09/28 18:09:05 WARNING: Application.setConfig Application: current-workspace-app is in failed state as initialization failedjava.lang.InstantiationException
28/09/2006 18:09:05 com.evermind.server.Application setConfig
WARNING: Application: current-workspace-app is in failed state as initialization failedjava.lang.InstantiationException
2006-09-28 18:09:05.390 WARNING J2EE 0JR0013 Exception initializing deployed application: current-workspace-app. null
My JAAS-oc4j-app content is:
<log>
<file path="JAAS-oc4j-app.log" xmlns=""/>
</log>
<jazn provider="XML" location="JAAS-jazn-data.xml">
<property name="role.mapping.dynamic" value="true"/>
<property name="custom.loginmodule.provider" value="true"/>
<property name="jaas.username.simple" value="true"/>
</jazn>
<data-sources path="JAAS-data-sources.xml"/>
Thanks for reply. -
My app store is not working after installing mavericks. When I open app store it repeatedly asking me to login with apple ID and to provide User name and Password for proxy authentication in a loop.I am a newbie to mac,Please help me.
Hmmmm... would appear that you need to be actually logged in to enable the additional menu features.
Have you tried deletting the plists for MAS?
This page might help you out...
http://www.macobserver.com/tmo/answers/how_to_identify_and_fix_problems_with_the _mac_app_store
Failing that, I will have to throw this back to the forum to see if anyone else can advise further.
Let me know how you get on?
Thanks. -
Question about registering custom STS as sharepoint trusted login provider
hi,
I created a Trusted Login Provider (SAML Sign-in) for SharePoint 2010 following the article
http://msdn.microsoft.com/en-us/library/ff955607.aspx
In Step 4: Setting Up Trust in SharePoint, the constructor of SPTrustedLoginProvider contains arguments of providerUri,
providerRealm. The providerRealm argument is a given web application’s url. If there are two web applications in a sharepoint farm, the first web app’s url is
http://lcoalhost:1000, the second is
http://localhost:2000. When registering the STS, I use
http://lcoalhost:1000 as the providerRealm argument value. Then, web app
http://lcoalhost:1000 uses the registerred STS as identity provider, can web app
http://lcoalhost:2000 uses the same STS as identity provider? If the second web app can’t use it, do I have to register another STS?If i register the STS using:
SPTrustedLoginProvider provider1 = new SPTrustedLoginProvider (manager, "MySTS","My STS","http://win2008r2:888", "http://win2008r2:1000/_trust", claimTypes, nameClaim);
then, web app http://win2008r2:2000 can not use provider1 as its identity provider. So, when there are multiple web apps in a sp farm need to use STS, i have
to register multiple STSs, each with different provierRealm. But when i try to register another STS, another problem occurs.
X509Certificate2 importCertificate = new X509Certificate2(certificatePath);
provider1.SigningCertificate = importCertificate;
manager.TrustedLoginProviders.Add(provider);
the code line "manager.TrustedLoginProviders.Add(provider);" throw an exception:"Exception of type 'System.ArgumentException' was thrown. Parameter name: newProvider".
I red the resouce code of manager.TrustedLoginProviders.Add with reflector. The exception is because i try to register another STS using the same certificate
that is used to register the first STS. So, one certificate can be used to register only one STS. It seems that i have to deploy multiple STS websites with each using different certificate to sign the token.
The relationship is as follow:
N web apps <--> N registered STSs <--> N certificates <--> N physical STS websites
But what my N web apps need is actually one physical STS website. Do I have to deploy N
physical STS websites using the same STS project?
Can you give me some advice? thank you. -
Problem with role mapping in custom login module
Hi all,
I have developed custom login modules. They don't use the default user store but own data tables holding the necessary user information.
Login works fine. But there is one big problem: Only those users that exist with the same user-id in the default user store get roles assigned to it. Whicht leads to 403-errors in my web application.
Now, this is weired because a user with id 'Susi' has completely different passwords in my custom tables and in the user store, therefore it shouldn't be possible to authenticate 'Susi' against the default user management.
Next thing is, I don't use the default login modules at all. So why does the application validates against the user store?
I thought a source of the problem might be that I don't set the roles correctly. I set the roles as a principal to the subject. I have chosen the role based mapping in the web-engine.xml and mapped all my custom roles to the server role 'guests'.
Could anybody think of a solution to this problem ?
Thanks, AstridAstrid,
Sorry to go off-topic on your post...but I have a question in relation to how you deploy your login module. Do you deploy the login module with your application ? I've developed a login module that I would like to deploy by itself, I currently deploy it with the calculator example and it works fine like this, but I need to deploy it by itself. Any tips you can give would be greatly appreciated.
I've tried to use the deploytool and deploy the module as a library...but I get a "cannot load a login module" in the logs when authenticating a user.
Maybe you are looking for
-
Regarding Goods issue date and order date.
Hi All, Could you please tell me from where we can fetch Goods issue date and Order date. Waiting for your reply.
-
Connecting iPod Nano 8GB video model to Windows 2k problems
Hello! I hope someone can help, I had a MacBook that died and now I need to move our 4 iPods to the windows 2k environment. When you plug in the iPod it says that it needs to be converted to Windows, not problem, I click "OK" then iTunes starts and g
-
Hi,... Is there any function in ABAP similar to GoalSeek function in Excel? thanks
-
Hi, I would like to set the column width of JTable. ======================================== JTable table; DefaultTableModel tableModel; tableModel = new DefaultTableModel(); table = new JTable( tableModel); JScrollPane scrollPane = new JScrollPane(t
-
'Access denied' when attempting to build/burn DVD, please help, urgent/desperate!
Recently bought CS3, overjoyed with most of it. Encore is giving me serious trouble though at the moment! The problem is that it simply will not burn to a dual layer disc! When we try to burn it to disc it begins the process, wizzing through differen