Assigning a login module to a single WebDynpro to authenticate against LDAP

Hi there,
we are running the J2EE Engine 7.0 within XI on SAP NetWeaver 2004s / Linux x86_64.
Basically, I want to authenticate a Java WebDynpro against an LDAP (Active Directory). With the XI Usage installed, I cannot customize the UME to authenticate against an LDAP (not supported and not possible).
Thus, I want to use a custom login module or, if suitable, a standard login module to authenticate against LDAP. I know that all WebDynpro Apps use the default authentication scheme that in turn references the authentication template "ticket".
1) Can I use a predefined Login Module to authenticate against Active Directory LDAP or do I have to write a custom login module?
2) Is it possible to assign a login module to a single WebDynpro and how can I do this?
Thanks a lot in advance,
Oliver Kalkofen

> Thus, I want to use a custom login module or, if
> suitable, a standard login module to authenticate
> against LDAP.
We have developed a custom login module which does this. It looks to the user like the BasicPasswordLoginModule provided with SAP, but the userid and password entered have to be a valid account/password from the Active Directory domain. We use the Kerberos protocol to perform this userid/password validation, not LDAP. The userid can be just a name, in which case the default domain (realm in Kerberos terminology) is used, or it can be specified as user@REALM, in which case a non-default realm can be used to authenticate. Once the authentication is complete, we look in the USRACL table to map this Kerberos principal name onto a SAP userid so we can then create an SSO2 ticket.
If you are interested in evaluating this, or in getting a quote for purchasing it, please contact me offline. Of course, you can develop your own if you are happy to do so. I just thought you might be interested to know of an alternative.
Thanks,
Tim

Similar Messages

  • Assigning a login module to a Web Dynpro application

    Hi everybody,
    I would like a Web Dynpro application to use a custom login module for authentication. How can I do this?
    What I found is the Security Provider (in the Visual Administrator tool) where I can add a login module to the "form" authentication mechanism for example. But if I do this I think all applications using this mechanism have to use my custom login module, right?
    I wonder if I have to add my Web Dynpro application as a component to the Security Provider so that I can assign login modules to it. Am I on the right way? If yes, how can I do this? If I choose "Add" from the "Policy Configurations" tab a popup appears where I can enter the name for a new component. How do I specify my application there?
    Thanks in advance for all answers,
    Torben

    Hi,
    Web Dynpro applications use the ticket authentication template. You would need to add your login module to the ticket template's login stack.
    In case you are accessing the Web Dynpro applications through the EP, you would need to make changes to the authschemes.xml file too.
    regards,
    Vishal

  • OpenSSO Enterprise Login Module for IDM 7.1

    I have a fully configured OpenSSO Enterprise environment running on Glassfish v2.1 and am trying to implement SSO into an IDM 7.1 environment that is also running on a Glassfish 2.1 server with a centrally managed v3.0 policy agent.
    While working my way through the "Integration Guide" for IDM and OpenSSO I've come to the step where I am to change the Identity Manager Login Module Groups. We are not provisioning directly from IDM to OpenSSO but rather to the LDAP that OpenSSO authenticates with so I have not configured the OpenSSO resource adapter.
    When I get to Assigning the Login Module I initially did not have the Sun OpenSSO Realm Login Module, so I went back and added a custom resource called: com.waveset.adapter.SunAccessManagerRealmResourceAdapter which was available because I had put the openssoclientsdk.jar in the idm/WEB-INF/lib folder and added that to the class suffix in the JVM settings.
    The Realm resource adapter appears to work as I can create a new instance and am prompted for the correct fields.
    When I go back to assign the Login Module I now get a Sun Access Manager Realm Adapter in the dropdown box but cannot select it.
    The question is, where do I get the custom login module that will allow IDM 7.1 to work with OpenSSO Enterprise?
    Thanks, Craig

    Hi ,
    I am a colleague of Peter, just to straighten out our problem.
    Our custom login module extends AMLoginModule and when the Access Manager instantiates the object it calls the method defined in AMLoginModule :
    " public Callback[] getCallback(int index) "
    This method contains a call to "AMModuleProperties.getModuleProperties(fileName);"
    Our problem is that the method is already called with filename being null, which is the cause for the Exception to be thrown.
    So could anybody give us a hint what filename is supposed to be at this point? As it seems that Access Manager is lacking a property which it normally would associate with filename.
    My first guess was that it is looking for <moduleName>.xml, but this file is properly located in "/etc/opt/SUNWam/config/xml" and accessible.
    Any help appreciated.
    Thank you in advance!

  • Dynamically Assign Login Module

    I have a customer that requires users be able to log into the end user interface using either 2-factor or single factor authentication depending on the actions they wish to initiate while in the interface. Determining which login group the user belongs to during login is not an option because all users are End Users.
    One possible way to implement this feature would be to create a jump off page with links for the two different login types; for example: <a href="http://idm/user/login.jsp?manager=true">manager login</a> and <a href="http://idm/user/login.jsp?manager=false">user login</a>.
    A login constraint rule could then be created that would base the login module off of the manager=true or false value in the page request.
    I'm wondering if anyone has had a similar requirement from a customer and how they went about implementing it?  What about modifying the /user/login.jsp to include a checkbox that when checked would set the login module to use two-factor authentication?
    -Kevin Elle

    Try this code.. at the initialize event for textfield...
    // set the text field from the level value of the bound context node
    if $record.<context_node_name>.level.rawValue == "1" then
      textfield.rawValue = "Sample1"
    else
      textfield.rawValue = "Sample2"
    endif
    Regards,
    Reema Shahbazkar.

  • SOAP Web Service +  Custom Login Module issue

    Hi Guys,
    We faced an authentication issue in our project. Could you please give any advice how the issue could be resolved.
    Environment: A simple SOAP Web Service on top of POJO class created in a Web Application. The web application deployed to the SAP NetWeaver 7.10 Application Server in the Enterprise Application Archive.
    Configuration:
          Single Service Administration Application(NetWeaver Administration -> SOA Management -> Application and Scenario Communication -> Single Service Administration)
           The web service endpoint has authentication configured to use User ID/Password HTTP Authentication.
        Authentication Application(NetWeaver Administration-> Configuration Management->Security->Authentication)
          The application(<vendorName>/<earName>*<vendor>~<webAppName>) has Authentication Stack configured to use our custom login module.
    Issue:  BasicPasswordLoginModule used by the J2EE when we are trying to execute the web service using Web Service Navigator(checked in debug mode). It seems that we missed something in configuration.
    Idea: The main Idea is to use our custom login module when we are executing a web service.
    Could you help me to resolve the issue.
    Thanks,
    Dmitry
    Edited by: Dmitry Eidin on Jul 17, 2009 3:46 PM

    > The web service endpoint has authentication configured to use User ID/Password HTTP Authentication.
    That's the point.

  • Accessing LDAP in a custom JAAS login module

    Hi,
    I have developed a custom JAAS login module in CE 7.1. I created a Java DC which contains a class extending AbstractLoginModule. This DC is deployed on to the server using an EAR DC. I am trying to access LDAP in the custom login module. I am trying to establish an SSL connection to LDAP. For this purpose I have created a custom socket factory class which extends SSLSocketFactory. I used the code below to establish the connection.
        import java.util.Hashtable;
        import javax.naming.Context;
        import javax.naming.directory.DirContext;
        import javax.naming.directory.InitialDirContext;

        Hashtable<String,String> env = new Hashtable<String,String>();
        DirContext dirContext = null;
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapURL);
        // connect over SSL, with sockets created by the custom factory class
        env.put(Context.SECURITY_PROTOCOL, "ssl");
        env.put("java.naming.ldap.factory.socket", "com.test.ldap.MySSLSocketFactory");
        dirContext = new InitialDirContext(env);
    MySSLSocketFactory is the name of custom socket factory.
    During a login process, the above code results in error because the connection to LDAP server could not be established. However the same code when executed in a webdynpro DC is working without any problem. What could be the reason for this?
    This is the error I could see in defaultTrace:
    javax.naming.CommunicationException: js24.na.domain.net:636 [Root exception is java.lang.ClassNotFoundException: com.test.ldap.MySSLSocketFactory
    Loader Info -
    ClassLoader name: [service:security]
    Living status: alive
    Direct parent loaders:
       [system:Frame]
       [library:j2eeca]
       [service:timeout]
       [service:com.sap.security.core.ume.service]
       [service:adminadapter]
    Resources:
       /usr/sap/SV3/J10/j2ee/cluster/bin/services/security/lib/private/sap.comtcjesecurityimpl.jar
    at com.sun.jndi.ldap.Connection.<init>(Connection.java:205)
    at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:118)
    at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1579)
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2681)
    at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:299)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
    at com.sap.engine.system.naming.provider.DefaultInitialContext._getDefaultInitCtxt(DefaultInitialContext.java:64)
    at com.sap.engine.system.naming.provider.DefaultInitialContext.<init>(DefaultInitialContext.java:45)
    at com.sap.engine.system.naming.provider.DefaultInitialContextFactory.getInitialContext(DefaultInitialContextFactory.java:41)
    at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
    at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:247)
    at javax.naming.InitialContext.init(InitialContext.java:223)
    at javax.naming.InitialContext.<init>(InitialContext.java:197)
    at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:82)

    Hi,
    I used an EJB to perform the LDAP search and called the EJB from the login module. It is working as expected.
    Regards,
    Shabeer
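The LDAP bind these threads ask about (authenticating a login module against Active Directory, and opening the LDAPS connection from inside the module), written as a plain JAAS LoginModule; this is an added example, not code from any poster or from SAP. It assumes Java 8 or later, hypothetical module options url, domain and socketFactory, and a socket factory class that the module's own class loader can see. The context class loader swap relies on the JDK's LDAP provider loading the factory by name through the thread context class loader, which is consistent with the [service:security] loader named in the trace above.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.Hashtable;
import java.util.Map;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.InitialDirContext;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

// Added illustration (plain JAAS, not SAP's AbstractLoginModule). The option
// names "url", "domain" and "socketFactory" are hypothetical.
public class LdapBindLoginModule implements LoginModule {
    private Subject subject;
    private CallbackHandler handler;
    private Map<String, ?> options;
    private Principal principal; // set by login(), published by commit()

    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
        this.options = options;
    }

    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("User: ");
        PasswordCallback pc = new PasswordCallback("Password: ", false);
        try {
            handler.handle(new Callback[] { nc, pc });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("cannot obtain credentials: " + e.getMessage());
        }
        String user = nc.getName();
        char[] pw = pc.getPassword(); // a copy, wiped in the finally block
        pc.clearPassword();
        Thread thread = Thread.currentThread();
        ClassLoader previous = thread.getContextClassLoader();
        try {
            // A simple bind with an empty password is an unauthenticated bind
            // that a directory may accept, so it must never count as a login.
            if (user == null || user.isEmpty() || pw == null || pw.length == 0) {
                throw new FailedLoginException("user name and password required");
            }
            // Active Directory accepts user@domain as the simple-bind name.
            String upn = user.contains("@") ? user : user + "@" + options.get("domain");
            Hashtable<String, Object> env = new Hashtable<>();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, String.valueOf(options.get("url"))); // ldaps://host:636
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            env.put(Context.SECURITY_PRINCIPAL, upn);
            env.put(Context.SECURITY_CREDENTIALS, pw);
            Object factory = options.get("socketFactory"); // optional class name
            if (factory != null) {
                env.put("java.naming.ldap.factory.socket", factory.toString());
            }
            // The JNDI LDAP provider loads the factory by name through the thread
            // context class loader, so point it at the loader holding this module.
            thread.setContextClassLoader(getClass().getClassLoader());
            new InitialDirContext(env).close(); // reaching here means the bind succeeded
            principal = () -> upn; // Principal's single abstract method is getName()
            return true;
        } catch (AuthenticationException e) {
            throw new FailedLoginException("directory rejected the credentials");
        } catch (NamingException e) {
            throw new LoginException("directory not reachable: " + e.getMessage());
        } finally {
            thread.setContextClassLoader(previous);
            if (pw != null) Arrays.fill(pw, '\0');
        }
    }

    public boolean commit() {
        if (principal != null) subject.getPrincipals().add(principal);
        return principal != null;
    }

    public boolean abort() { return principal != null && logout(); }

    public boolean logout() {
        if (principal != null) subject.getPrincipals().remove(principal);
        principal = null;
        return true;
    }
}
```

The module only proves the password; mapping the directory name to an application user and issuing a logon ticket remain the job of the modules that follow it in the login stack.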

  • Use of multiple Applications for single webdynpro component in ABAP WEB DYNPRO

    I am working on an object which has multiple Web Dynpro applications for a single Web Dynpro component. How do we assign different functionality to each application? When we right-click on the Web Dynpro component and select create Web Dynpro application, it just creates an application, so how do we assign different functionality to each of them? Also, in the parameter tab of the Web Dynpro applications, there is a different config ID mentioned for each application. What is its relevance?

    Hi Sam,
    Different functionalities for a single Web Dynpro component can be achieved in many ways. Among them is the use of multiple applications. Say, for example, you want different views/windows to be displayed at start-up: you can achieve it by specifying the default window for each Web Dynpro application.
    And if you want to control the fields, say for example you want to display input fields as editable for one application and read-only for another application, you can achieve it through application parameters. Based on the parameters, in the HANDLEDEFAULT method of the window controller, you can specify the type of behaviour, whether it has to be editable or not, and the same can be used at context binding of UI properties.
    Application configuration can be used for personalization. Web Dynpro ABAP Application Configuration: this tutorial would help you understand the concept much better. There can be multiple application configurations for a single application.
    Regards,
    Harsha

  • Looking for example: JAAS login module using ADF BC

    Hello all,
    I have seen the article at http://www.oracle.com/technology/products/jdev/howtos/10g/jaassec/index.htm by Frank and Duncan detailing how to put together a login module that uses the database for authentication. Great idea. I would like to take it to the next level and use an ADF BC View Object to do the authentication and role assignment for users, but am stuck on a few points. First of all, is there anyone out there who has done this and would care to share? If not:
    1). How do I get a reference to the AM so that I can look up a view object in the login module?
    2). I assume that I am going to need to add my model project classes to the system classpath, correct?
    3). What are the other gotchas?
    4). Or should this be the first question, is this even possible?

    Hi John,
    I am trying to find a relevant example of a JAAS login module with ADF BC.
    I have this application that is ready to go into production, deployed on a test application server.
    Everything seems to work fine, but it is totally deprived of security :o(
    I have sent posts to get some information and read most of it; I even came across your blog on the matter.
    I sort of understand the things that need to be done, but I would need a working example to get a better grasp of this subject. I think I need to build a custom login module, but I don't know what exactly can be coded inside the jar file that is read from the application and that forces the authentication, so if you or anyone could help in my search for an example,
    it would be appreciated
    Carl

  • Create new JAAS login module & have to deploy in OC4J

    Dear Experts,
    Is it possible to create number of user roles under the group oc4jadmin. Then have to assign task for each user in group. please suggest me.
    Thanks,
    Rajesh
    Edited by: Rajesh A on Mar 12, 2009 10:15 AM
    Edited by: Rajesh A on Mar 12, 2009 6:48 PM

    James, Anirudh,
    Is it possible to define a new JAAS module that would first check with Oracle DB and then check with the LDAP directory? Actually, my requirement is to authenticate the user with the help of backends. Here backend denotes both Oracle DB and LDAP. That is, when the user enters a valid id and password, it checks for existence in the DB, and if it exists the DB returns a new value (role); then this new value has to be checked with LDAP (what privileges are available for the specified role and who is the superior for the same). The details maintained in LDAP are dynamic, so we are not able to move them into the DB. Every process involved here is automatic, in the sense that no external server connection should be provided for authentication. The custom login module should be deployed in the same OC4J container and always be available as a service. I want to know about the following:
    1) How to define a custom JAAS login module
    2) How to configure a custom JAAS login module over OC4J
    3) How to make use of it
    Thanks,
    Rajesh

  • Problem with role mapping in custom login module

    Hi all,
    I have developed custom login modules. They don't use the default user store but own data tables holding the necessary user information.
    Login works fine. But there is one big problem: only those users that exist with the same user-id in the default user store get roles assigned to them, which leads to 403 errors in my web application.
    Now, this is weird because a user with id 'Susi' has completely different passwords in my custom tables and in the user store, therefore it shouldn't be possible to authenticate 'Susi' against the default user management.
    Next thing is, I don't use the default login modules at all. So why does the application validate against the user store?
    I thought a source of the  problem might be that I don't set the roles correctly. I set the roles as a principal to the subject. I have chosen the role based mapping  in the web-engine.xml and mapped all my custom roles to the server role 'guests'.
    Could anybody think of a solution to this problem ?
    Thanks,  Astrid

    Astrid,
    Sorry to go off-topic on your post...but I have a question in relation to how you deploy your login module. Do you deploy the login module with your application ? I've developed a login module that I would like to deploy by itself, I currently deploy it with the calculator example and it works fine like this, but I need to deploy it by itself. Any tips you can give would be greatly appreciated.
    I've tried to use the deploytool and deploy the module as a library...but I get a "cannot  load a login module" in the logs when authenticating a user.

  • URGENT: JAAS Login Module in Clustered Environment

    Hello all,
    I've created our own JAAS Login Module which works perfectly on a single-node environment... I dropped the jar in /server/additional-lib and modified library.txt and authschemes.xml as needed.
    Now that we need to deploy it in a clustered node environment, we added the jar file into the additional-lib folders of all the nodes and edited all the library.txt files of all nodes.
    UME can't seem to find our jar file anymore and we get the "missing handler" error when we try to log in.
    Any ideas?
    Thanks,
    Yves

    If you are using SAP J2EE PL21+ there is a separate node called state controller (you have dispatcher, application nodes and state controller nodes). Basically the state controller makes sure all application nodes (server nodes) are synchronized.
    You can find the dispatcher under cluster\dispatcher, servers under cluster\server and state under cluster\state .
    If you are using SAP J2EE PL20 or less this does not apply.

  • JAAS Login Module using Deployable Web Service proxy

    Hi,
    We've created a JAAS Login Module that calls a deployable web service proxy to validate users on Netweaver Portal 2004 SP19. To do this the following steps were taken:
    1) created a deployable web proxy named 'SGU_proxy' and uploaded it to server. This project created 2 files: 'SGU_proxy.ear' (the one uploaded) and 'SGU_proxyClientAPI.jar'.
    2) created a Java project named 'AgregacaoLoginModule' with a single class to authenticate users, this is the class that calls the web service with the username and password. This project references the deployable web proxy project (Properties > Java Build Path > Projects > checkbox marked next to project SGU_proxy).
    3) exported the Java project class, not including the 'SGU_proxyClientAPI.jar'.
    4) created a 'J2EE Server Component' > 'Library' project named 'AgregacaoLoginModuleJ2EE'.
    On the 'provider.xml' file added 2 jars: 'AgregacaoLoginModule.jar' and 'SGU_proxyClientAPI.jar'. References were made to the standard portal libraries. No references were made to the proxy 'SGU_proxy' or the 'AgregacaoLoginModule' project.
    The library was uploaded to the server, everything was ok and no errors were reported.
    The login module was configured on the server and is called when users try to access the Portal server.
    The problem is that when trying to authenticate users: after getting a reference to the proxy using JNDI I get a ClassCastException. Note that this proxy is used in a Web Dynpro application and is working fine.
    The web service client proxy generated the interface 'pt.agregacao.ws.sgu.Servicos' and from JNDI I get 'class pt.agregacao.ws.sgu.ServicosImpl'. So this seems to be ok, why the exception?
    Is it necessary to add a reference to 'SGU_proxy' on the 'AgregacaoLoginModuleJ2EE' project? If so, how?
    Thanks in advance.
    Alvaro

  • HttpServletRequest in JAAS-Login Module in NetWeaver 7.3x

    I've developed several login modules for a company where I use the com.sap.security.api.logon.WebCallback class to get the HttpServletRequest object.
    In NW 7.3x this class is now deprecated and is not working anymore.
    Is there any successor class or any other possibility to get the HttpServletRequest in the jaas-context?
    Best regards
    Thomas

    Hi,
    We had the same problem.
    What we found was that SAP has a new Login Module called HeaderVariableLoginModule which you have to create using the class com.sap.security.core.server.jaas.HeaderVariableLoginModule. You can do this in NWA -> Configuration -> Authentication and Single Sign-On -> Login Module, then click on the create button and fill out the fields with the information I just gave you.
    The list of Login Modules should now include HeaderVariableLoginModule, which you can configure by selecting the row of this module, and adding two options: ume.configuration.active=true and Header=REMOTE_USER.
    It appears that this Login Module is covertly delivered as a class in every NetWeaver version >= 7.0.
    Good luck,
    Steven McElwee, Duke University
    PS- I tried to attach a Word document that shows the procedure for this, but this system rejected it. I can email it to you if you let me know where to send it. In our case we used "Header=uid" rather than "Header=REMOTE_USER".

  • Custom Login Module, SSO Ticket validity & Login Module Stack

    Hi everybody,
    we have a portal (running on jboss) which links to a J2EE web application (running on SAP WAS 6.40) which itself is protected by a custom login module and redirects to different WebDynpro applications (running on same WAS as the J2EE app) depending on some parameters.
    So when we go from the portal to the J2EE web application, the custom login module authenticates the user, creates a MYSAPSSO2 Cookie and then redirects to a webdynpro app.
    What happens is that the webdynpro app doesn't accept the cookie and redirects to the login mask.
    Looking at the request header parameter HOST we have the request coming from sub1.sub2.mycompany.com, which is the portal.
    The WAS is located on sub3.mycompany.com.
    If we manipulate the HOST parameter to sub2.mycompany.com everything works fine and the webdynpro app successfully authenticates the user.
    This does sound either like a domain relaxing issue or a multi domain issue, which we added as parameters to the CreateTicketLoginModule in the Login Module Stack for the J2EE web app.
    Unfortunately without result.
    Did anybody have a similar problem and can give some hints on how to solve this?
    Any help is appreciated
    Regards,
    md
    Edited by: Minh-Duc Truong on Jul 17, 2008 7:18 PM
    Edited by: Minh-Duc Truong on Jul 17, 2008 7:19 PM
    Edited by: Julius Bussche on Jul 18, 2008 7:25 PM

    Hi md,
    I have split your 2nd question into a separate thread => That would make them easier to answer as well, which will help.
    You can find it here: Custom Login Module, LM Stack ignored
    Cheers,
    Julius
    Edited by: Julius Bussche on Jul 18, 2008 7:26 PM

  • Issues with OSSO ,custom login module and form based authentication

    Hi:
    We are facing issues with OSSO (Oracle Single Sign-On). Our application uses form-based authentication and a custom login module.
    The application goes into an infinite loop when we try to log in using OSSO. From the logs, it looks like when we try to log in from OSSO the application goes to the login page, gets the remote user from the request, and forwards to the home page. Up to this point the behaviour is correct, but after that it looks like the home page finds that authentication is not done and sends it back to the login page, and the login page again sends it to the home page as it finds that the remote user is not null.
    Our web.xml form authentication entry looks like this:
    <login-config>
      <auth-method>FORM</auth-method>
      <form-login-config>
        <form-login-page>/jsp/login.jsp</form-login-page>
        <form-error-page>/jsp/couldnotlogin.jsp</form-error-page>
      </form-login-config>
    </login-config>
    While orion-application.xml has the following entry for the custom login:
    <jazn provider="XML">
      <property name="custom.loginmodule.provider" value="true" />
      <property name="role.mapping.dynamic" value="true" />
    </jazn>
    Will it solve the issue if I change the authentication type to BASIC and add the following line in orion-application.xml:
    <jazn provider="XML">
      <property name="custom.loginmodule.provider" value="true" />
      <property name="role.mapping.dynamic" value="true" />
      <jazn-web-app auth-method="SSO" />
    </jazn>
    Any help regarding it will be appreciated.
    Thanks
    Anil
