Authentication & Authorization Component

Hi!
Please introduce me to components for Authentication & Authorization that I can use in my web application.
Please help me.
Thanks.

Having a look at LDAP Protocol may give you some ideas. LDAP (Local Directory Access Protocol) is a cross platform protocol for authenticating and authorising users onto a network.

Similar Messages

  • Authentication & Authorization with SSO, JAAS and Database Tables mix

    Hi,
    I'm looking for how to manage Authentication & Authorization in a J2EE ADF+Struts+JSP application.
    I'm interested in using SSO for authentication (I already did it programmatically & dynamically), and now I would like to be able to define authorization using database tables with users, groups, profiles, individual permissions, ..., (maintained dynamically by the web application admin) through JAZN (JAAS or however it is called), but not by statically defining roles, groups, users, ... in jazn xml files.
    I saw that there exists the possibility to create a custom DataSourceUserManager class to manage all this, and this gave me the idea that this could be possible to do (I was thinking of making a custom Authorization API over my application tables, without JAZN), but it is better to use an extended and consolidated approach like JAZN.
    Could anybody tell me if my idea is possible and realizable, and maybe give me some orientation to build this approach?
    A lot of thanks in advance.
    And sorry, excuse my bad English.
    See you.

    Marcel,
    Originally the idea was to create a post to only explain how to do authentication using a Servlet filter. However,
    I have recently added code to the JHeadstart runtime and generators to enable both JAAS and 'Custom' authentication AND authorization in generated applications. Therefore, this post will be made after we have released the next patch release, as it will depend on these code changes.
    We currently plan to have the patch release available sometime in the second half of May.
    Kind regards,
    Peter Ebell
    JHeadstart Team

  • Weblogic 103 Authentication & Authorization using external openldap

    Can somebody point to a documentation for implementing Authentication & Authorization for Weblogic 10.3 web app using openLdap ?
    Thanks

    This is what I did. My environment is openldap, weblogic 10.3 on a windows machine. Still having trouble.
    dn: cn=fd_user1,ou=people,dc=example,dc=com
    objectClass: person
    cn: fd_user1

    dn: cn=FD,ou=groups,dc=example,dc=com
    objectClass: groupOfNames
    cn: FD
    member: cn=fd_user1,ou=people,dc=example,dc=com
    Here are my weblogic.xml entries:
    <wls:security-role-assignment>
        <wls:role-name>FD</wls:role-name>
        <wls:externally-defined/>
    </wls:security-role-assignment>
    My web.xml:
    <security-constraint>
        <display-name>Example Security Constraint</display-name>
        <web-resource-collection>
            <web-resource-name>SecuredArea</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>FD</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>myrealm</realm-name>
        <form-login-config>
            <form-login-page>/login.jsp</form-login-page>
            <form-error-page>/login.jsp</form-error-page>
        </form-login-config>
    </login-config>
    <security-role>
        <role-name>FD</role-name>
    </security-role>
    Inside the login.jsp I do have j_security_check as the action parameter value. I am able to view the ldap users in the admin console too. Still not able to access the resource. I am in the process of debugging the ldap messages on the openldap console.
    Thanks

  • 11g hybrid authentication / authorization: WLS plus external table

    I've implemented external table authentication / authorization in 11g. Now I'd like to add a twist.
    I have an external table containing users B, C, and D. That external table contains all of the columns I need for authentication (including a clear text password) and for authorization (roles, log level, a dynamic table name, and so forth). I have authentication in one initialization block, authorization in another. Everything works fine. I can log in as B, C, or D and see exactly what I'm supposed to see, based on the ROLES.
    The clear text passwords are generally not a problem, because this is a training instance and almost all of the passwords are the same. However, I want to add a user whose password should not be held in clear text. For that reason, I'd like to add that user into WLS. I've done that, and I'm able to log in to OBIEE. After confirming that I could log in to OBIEE with user A from the WLS, I added User A to the external table, left its password field blank, and filled in the other columns (roles, loglevel, etc...) that I need to assign into session variables.
    Here's the problem: the authorization init block properly assigns ALL session variables for users B, C, and D. It assigns all session variables EXCEPT the ROLES variable for user A. I've confirmed this by creating an Answers analysis that shows me the values of the session variables. The ROLES session variable for user A shows "authenticated-role;BIConsumer;AuthenticatedUser". For all other users (those who are authenticated using the clear text passwords in the external table) the ROLES variable is populated correctly, based on the values in the ROLES column in the external table. In short, the authorization init block is properly assigning the ROLES session variable only for those users that were authenticated using the authentication init block, but is assigning all other session variables correctly for all users, even the one in WLS.
    Here's my authentication init block code:
    select bi_user
    from bi_auth_ldap
    where bi_user = ':USER'
    and bi_user_pwd = ':PASSWORD'
    Here's the authorization init block code:
    select roles, bi_user_name, to_number(loglevel,0), channel_tbl
    from bi_auth_ldap
    where bi_user = ':USER'
    (returned results are assigned into ROLES, DISPLAYNAME, LOGLEVEL, and CHANNEL_TBL session variables, respectively)
    It feels like the ROLES session variable is populated in conjunction with the user logging on and being authenticated via WLS, and that the initialization block isn't able to overwrite that variable. Can an OBIEE developer confirm that for us, please? Once set in WLS, is it not possible to overwrite the ROLES session variable with SQL from an initialization block? If it IS possible, can you post some code that will accomplish it?
    Thanks!

    It occurs to me that Oracle's support model is a fantastic way to make money. Let's see, I wonder if I could become a billionaire doing this:
    Create some software. Sell that software. Then, charge customers several thousand MORE dollars, year after year, plus about $60 per bug, so that they have the right to report MY bugs to me. Yeah, that's the ticket - people PAYING for the right to report bugs to me. Oh, and if more than one person reports the same bug, I get to keep ALL of the money from ALL of them.
    Let's summarize, make sure I haven't missed something: You buy my software, you PAY ME additionally to report MY bugs to me, I don't necessarily have to fix the bugs (but I keep your money whether I fix it or not), and I can collect multiple times from different people who report the same bug.
    Sweeeeeeet.........
    Billionaire Acres, here I come!

  • Authentication & Authorization programming

    Hello all,
    I am in the process of creating a new application. My requirement here is that I want to create a reusable module that I can use for authentication & authorization. Further, I want that whenever a user logs in, his/her privileges get stored in the session, and based on the data stored in the database s/he should be able to view the page and even the fields/components on it.
    Can anyone help me with the design of the above requirement?
    Thanks in advance for the same.

    Hi,
    if you want 2 applications to share the same session you should give them the same login cookie name in the authentication scheme.
    > 1. convey relevant values from the custom auth app (these cannot be one app)
    Set up a database context to share values between the applications.
    Or use apex_util.fetch_app_item http://docs.oracle.com/cd/E37097_01/doc/doc.42/e35127/apex_util.htm#BABIBAID
    > 2. make certain that users don't just bookmark the target app and bypass my authentication/authorization outcomes -- something here with session ID?
    Set the URL for the "session not valid" section of the authentication scheme to the login page of your custom auth app.
    regards,
    Erik-jan

  • Ask for help with form based authentication & authorization

    Hi:
    I encountered the following problem when I tried form based authentication & authorization (see the attached part of the config files: web.xml, weblogic.xml & weblogic.properties).
    1. Authorization seems not to be invoked against the rules specified; it doesn't go to the login error page as long as the user/pwd match, even though the user does not have the necessary role.
    In the example below, user3 should be denied access to the signin page, but no login error page seems to be returned; actually I never see any page / error message which complains about the authorization / access control error.
    2. After authenticating correctly, I always get redirected to the / (context root) url, instead of the url prior to the login page, e.g. the signin page.
    Any idea?
    Thanks in advance.
    HaiMing
    Attached config files:
    web.xml
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>MySecureBit1</web-resource-name>
            <description>no description</description>
            <url-pattern>/control/signin</url-pattern>
            <http-method>POST</http-method>
            <http-method>GET</http-method>
        </web-resource-collection>
    </security-constraint>
    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>default</realm-name>
        <form-login-config>
            <form-login-page>/control/formbasedlogin</form-login-page>
            <form-error-page>/control/formbasedloginerror</form-error-page>
        </form-login-config>
    </login-config>
    <security-role>
        <description>the customer role</description>
        <role-name>customer</role-name>
    </security-role>
    weblogic.xml
    <security-role-assignment>
        <role-name>customer</role-name>
        <principal-name>customer_group</principal-name>
    </security-role-assignment>
    weblogic.properties
    weblogic.password.user1=user1pass
    weblogic.password.user2=user2pass
    weblogic.password.user3=user3pass
    weblogic.security.group.customer_group=user1,user2

    Hi, Paul:
    Thanks a lot for your reply.
    Firstly let me just correct a little in the attachment I put previously; I think I missed the following lines:
    <auth-constraint>
        <description>no description</description>
        <role-name>customer</role-name>
    </auth-constraint>
    So, user1 & user2 are in the customer group, but user3 is not, and /control/signin is protected by this security constraint. As a result, when anyone clicks the link to /control/signin, he is led to the login page; if he tries to log in as user1 or user2, he should pass & be led to the original page (in this case /control/signin, and in my code's logic, once /control/signin is reached it means that he already logged in successfully & is redirected to the login success page), but if he tries to log in as user3, he should pass only the authentication check, fail the authorization check, and be led to the login error page.
    What happens instead is:
    1. user1 & user2 pass, but are redirected to /
    2. user3 also passes, because I see that the debug message shows he also gets redirected to /, instead of the login error page
    (the login error page will be displayed only if I try to log in as a user with either a wrong userid or a wrong password)
    3. one more thing I noticed after I first posted the message: the container does not remember the principal after 1. is done, not even for a while
    And a similar configuration works under Tomcat 3.2.1, for all 3 points mentioned above.
    Any idea?
    HaiMing
    "Paul Patrick" <[email protected]> wrote:
    If I understand what you're trying to do, everyone should get access to the login page since roles are not associated with principals until after they authenticate. If I follow what you specified in the XML files, authenticated users user1 and user2 are members of a group called customer_group.
    The principal customer_group (and therefore its members) is mapped in the weblogic.xml file to the role customer.
    I can't speak to the reason you're being redirected to the document root.
    Paul Patrick
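    As an added illustration of the thread above (not code from any of the posts): a small Python model of how a servlet container evaluates the posted web.xml, weblogic.xml and weblogic.properties, showing that the constraint as first posted, with no <auth-constraint>, admits user3, while the corrected constraint does not. The url-pattern matching is simplified to exact and "/*" prefix patterns, and the "*" role expands to all declared roles as the Servlet spec defines.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed from the weblogic.properties posted above: passwords and group membership.
PASSWORDS = {"user1": "user1pass", "user2": "user2pass", "user3": "user3pass"}
GROUPS = {"customer_group": {"user1", "user2"}}

# weblogic.xml: role-name -> principal-names mapped onto it.
ROLE_ASSIGNMENTS = {"customer": {"customer_group"}}

# web.xml <security-role> declarations (what the special role "*" expands to).
DECLARED_ROLES = {"customer"}


@dataclass
class Constraint:
    """One <security-constraint>: url patterns, http methods and the auth-constraint."""
    url_patterns: List[str]
    http_methods: Set[str]              # empty set: the constraint covers every method
    auth_roles: Optional[List[str]]     # None: no <auth-constraint> element at all


def pattern_matches(pattern: str, path: str) -> bool:
    """Exact match or path-prefix match ("/control/*"); extension patterns are not modelled."""
    if pattern == path:
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return False


def authenticate(username: str, password: str) -> Optional[str]:
    """FORM login step: returns the principal name, or None for a bad userid/password."""
    return username if PASSWORDS.get(username) == password else None


def roles_of(username: str) -> Set[str]:
    """Roles follow from principals (the user and its groups) via the weblogic.xml mapping."""
    principals = {username} | {g for g, members in GROUPS.items() if username in members}
    return {role for role, names in ROLE_ASSIGNMENTS.items() if names & principals}


def is_authorized(constraints: List[Constraint], path: str, method: str,
                  username: Optional[str]) -> bool:
    """Container decision for one request; username=None is an unauthenticated caller."""
    applicable = [c for c in constraints
                  if any(pattern_matches(p, path) for p in c.url_patterns)
                  and (not c.http_methods or method in c.http_methods)]
    if not applicable:
        return True                                   # resource (or method) is not constrained
    if any(c.auth_roles is None for c in applicable):
        return True                                   # collection without <auth-constraint>: open to all
    allowed: Set[str] = set()
    for c in applicable:
        allowed |= DECLARED_ROLES if "*" in c.auth_roles else set(c.auth_roles)
    if username is None:
        return False                                  # container redirects to the form-login-page
    return bool(allowed & roles_of(username))         # authenticated but wrong role: 403, not the error page


# The constraint as first posted (no <auth-constraint>) and as corrected in the follow-up.
AS_POSTED = Constraint(["/control/signin"], {"GET", "POST"}, None)
CORRECTED = Constraint(["/control/signin"], {"GET", "POST"}, ["customer"])


def login_and_access(constraint: Constraint, username: str, password: str) -> str:
    """Walks the thread's scenario: log in through the form, then GET /control/signin."""
    principal = authenticate(username, password)
    if principal is None:
        return "login-error-page"
    if is_authorized([constraint], "/control/signin", "GET", principal):
        return "granted"
    return "forbidden"


if __name__ == "__main__":
    for user in ("user1", "user3"):
        print(user, "as posted:", login_and_access(AS_POSTED, user, PASSWORDS[user]),
              "| corrected:", login_and_access(CORRECTED, user, PASSWORDS[user]))
```

    Note that because the posted collection lists only GET and POST, a request with any other method to /control/signin is not constrained at all, a second gap the model makes visible.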

  • Authentication / authorization in jsf

    hi all!
    how can I implement an authentication/authorization system in JSF?
    Last time I checked the user form and created a userBean in session scope, if the user is valid.
    how can I check if the user is logged in and which page he tries to retrieve, for every url?
    do you know of any online resources on this?
    thanks a lot
    Luca

  • Authentication/Authorization across Apache/Weblogic?

    Hello,
    We are considering a setup with Apache handling Servlet/JSP and WLS for EJB/etc.
    I heard WLS has some plug-in for Apache. Does this plug-in enable Authentication/Authorization
    with my (custom RDBMS-based) security realm in WLS? Any gotcha? Any live experience?
    TIA
    chuck

  • Tacacs+ authentication/authorization based on user's subnet

    Hi Guys/Girls
    We have a number of production Cisco gears, all of which are configured with Tacacs+, and all of them are working just fine. But now I have a requirement to implement SSH version 2 across the whole network, comprising about 8000 Cisco gears.
    I need to develop a proof of concept (POC) that enabling SSH on production gears will not affect existing Tacacs+ user authentication and authorization.
    Our lab Cisco gears have already been configured with the production Tacacs+ server for authentication and authorization. Now I am allowed to test SSH on these lab-gears, but without disrupting other users who are using the same lab-gears.
    So, I want to enable SSH version 2 on these lab-gears; however, when a user comes from a certain specific subnet, this particular user must be authenticated and authorized by the LAB Tacacs+ and not by the production Tacacs+ (please note that the lab-gears I am testing with are also already configured for the production Tacacs+ server). These lab-gears must be able to do authentication and authorization against two different Tacacs+ servers based on the subnet the user is coming from.
    Is this a doable plan? I have been looking for documentation to implement and test this method, without success.
    Your feedback will be appreciated and rated.
    Thanks
    Rizwan Rafeek

    Rizwan,
    This will not work. Tacacs authentication starts once the ssh connection is established: the NAD (switch or router) will open a tacacs connection and send the start flag to the tacacs server, after which the message "getusername" is sent from the tacacs server to the device and to the user terminal. You cannot create an acl in order to pick which tacacs servers you authenticate to either. So when it comes to authenticating users from a specific subnet to a specific tacacs server, that is not the intended design of tacacs; when you configure multiple servers in a group it is to ensure high availability, such that when one tacacs server goes down you have a secondary to continue with the authentication requests.
    Here is an example of how the tacacs authentication is performed.
    http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml#comp_traffic
    thanks and I hope that helps,
    Tarik Admani
    *Please rate helpful posts*

  • Oc4j authentication & authorization

    Hi,
    Please can anybody help me on how to create oc4j authentication and authorization for an application in jdev10g.
    Thanks
    NR

    Hi,
    there is a lot of benefit in reading the documentation
    http://download-uk.oracle.com/docs/html/B25947_01/adding_security.htm#BGBGJEAH
    Frank

  • Zend AMF Authentication & Authorization

    How do I secure my PHP services created with 'Connect To PHP' wizard?
    The web is full of tutorials on connecting to PHP but I found nothing on securing the services.
    The 'Connect to PHP' wizard generates a gateway.php which doesn't do authorization.
    Do I have to replace this endpoint with my own? Why doesn't Adobe have tutorials on this?
    maybe PHP apps are not meant to be safe?

    I've been struggling with it, and figured it all out - so, perhaps it could help others.
    The authentication is called on the server only if credentials are supplied from the client (via the remote procedure call headers). This snippet illustrates the setup of custom auth (these are the last 6 lines of the gateway.php script):
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    // Handle request
    $auth = new My_Amf_Auth(); // authentication
    $server->setAuth($auth);
    $acl = new Zend_Acl(); // authorization
    $server->setAcl($acl);
    echo $server->handle();
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Now, your custom auth should extend Zend_Amf_Auth_Abstract. Since I want to authenticate users from a database, I bring Zend_Auth_Adapter_DbTable into play. But since I cannot extend both Zend_Amf_Auth_Abstract and Zend_Auth_Adapter_DbTable, I use composition:
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    <?php
    require_once ('Zend/Amf/Auth/Abstract.php');
    /**
     * AMF auth class by Danko Kozar, dankokozar.com
     * @author dkozar
     */
    class My_Amf_Auth extends Zend_Amf_Auth_Abstract {
        function __construct() {
        }

        public function authenticate() {
            // _username and _password are filled in by Zend_Amf_Auth_Abstract from the request headers
            $adapter = My_Db_Adapter::getInstance();
            $adapter->setIdentity($this->_username);
            $adapter->setCredential($this->_password);
            // the adapter call
            // you can wrap it into try.. catch and process DB connection errors
            $result = Zend_Auth::getInstance()->authenticate($adapter);
            return $result;
        }
    }
    ?>
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Here's the adapter class:
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    <?php
    require_once ('Zend/Auth/Adapter/DbTable.php');
    require_once ('Zend/Db/Adapter/Mysqli.php');
    /**
     * DB table adapter auth class for AMF by Danko Kozar, dankokozar.com
     * @author dkozar
     * Singleton
     */
    class My_Db_Adapter extends Zend_Auth_Adapter_DbTable {
        protected static $_instance = null;

        /**
         * private!
         * @param Zend_Db_Adapter_Abstract $adapter
         */
        public function __construct(Zend_Db_Adapter_Abstract $adapter = null) {
            if (!$adapter)
                $adapter = new Zend_Db_Adapter_Mysqli(
                    array(
                        'dbname' => 'test',
                        'username' => 'root',
                        'password' => '')
                );
            parent::__construct($adapter);
            $this
                ->setTableName('users')
                ->setIdentityColumn('username')
                ->setCredentialColumn('password');
            // just for testing
    //        $this
    //            ->setIdentity('username')
    //            ->setCredential('password');
        }

        /**
         * @return  My_Db_Adapter
         */
        public static function getInstance() {
            if (null === self::$_instance) {
                self::$_instance = new self();
            }
            return self::$_instance;
        }

        public function authenticate() {
            $_authResult = parent::authenticate();
            // NOTE: The point is that $result->_identity is an OBJECT (of type stdClass), NOT a string.
            // With Zend_Auth_Adapter_DbTable it is internally accomplished by calling its getResultRowObject() method,
            // which constructs the stdClass with properties named after table attributes.
    //        $user = new stdClass();
    //        $user->role = "administrator";
    //        $user->username = $_authResult->getIdentity();
            $identity = $this->getResultRowObject();
            $result = new Zend_Auth_Result($_authResult->getCode(), $identity);
            return $result;
        }
    }
    ?>
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    On the Flex side I have an auto-generated class (MyService) which extends another auto-generated class (_Super_MyService).
    The point is that the outer one is auto-generated only once (initially), and you can modify it, without worrying to be overwritten on service regeneration.
    There's a protected property _serviceControl (which is of type RemoteObject) which could be tweaked if needed.
    I'm tweaking it by setting the endpoint (with a string read from a client side config in the preInitializeService() method). Plus, I'm adding 2 more methods, which expose the setCredentials and setRemoteCredentials methods of _serviceControl, so I can access it from my code.
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    package services.myservice
    {
        public class MyService extends _Super_MyService
        {
            /**
             * Override super.init() to provide any initialization customization if needed.
             */
            protected override function preInitializeService():void
            {
                super.preInitializeService();
                // Initialization customization goes here
                _serviceControl.endpoint = "http://localhost/myapp/gateway.php";
            }

            public function setCredentials(username:String, password:String, charset:String=null):void
            {
                _serviceControl.setCredentials(username, password, charset);
            }

            public function setRemoteCredentials(username:String, password:String, charset:String=null):void
            {
                _serviceControl.setRemoteCredentials(username, password, charset);
            }
        }
    }
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
    So, before calling MyService methods, I'm setting the credentials with setCredentials() method and this runs the authentication on the PHP side:
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    private var service:MyService;
    service = new MyService(); // ServiceLocator.getInstance().getHTTPService("presetLoader");
    service.setCredentials("user1", "pass1");
    var token:AsyncToken = service.getData();
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
    The authentication via Zend_Amf_Server is, by the way, OPTIONAL! Meaning, with no credentials supplied, Zend_Amf_Server will NOT RUN IT. Thus you should rely on Zend_Acl (e.g. roles) to do your permissions and security!
    Finally, here's the MySQL DB table I've been using for authentication: 
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
    -- Table structure for table `users`
    CREATE TABLE IF NOT EXISTS `users` (
      `id` int(11) NOT NULL AUTO_INCREMENT,
      `username` varchar(50) NOT NULL,
      `password` varchar(32) DEFAULT NULL,
      `role` varchar(45) DEFAULT NULL,
      `firstname` varchar(50) DEFAULT NULL,
      `lastname` varchar(50) DEFAULT NULL,
      `email` varchar(255) DEFAULT NULL,
      PRIMARY KEY (`id`),
      UNIQUE KEY `username` (`username`),
      UNIQUE KEY `id_UNIQUE` (`id`)
    ) ENGINE=InnoDB  DEFAULT CHARSET=utf8 AUTO_INCREMENT=2 ; 
    -- Dumping data for table `users`
    INSERT INTO `users` (`id`, `username`, `password`, `role`, `firstname`, `lastname`, `email`) VALUES
    (1, 'user1', 'pass1', 'administrator', 'Danko', 'Kozar', NULL); 
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Cheers!
    Danko
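    An added Python model (not Danko's PHP, and not Zend code) of the gateway.php flow described above: the auth adapter runs only when the client sent a credentials header, so a gateway with no ACL executes anonymous calls, while a default-deny ACL blocks them; the ACL role is taken from the identity object's role property, which is what the post's NOTE about the identity being an object is for. The user table, service name and the guest role name "anonymous" are constructed for this model.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Constructed user table mirroring the `users` columns used above (username, password, role).
USERS: Dict[str, Dict[str, str]] = {"user1": {"password": "pass1", "role": "administrator"}}

# Role given to callers that sent no credentials (name assumed for this model).
GUEST_ROLE = "anonymous"


@dataclass
class AmfRequest:
    """One remote call; username/password come from the RPC credentials header, if present."""
    service: str
    method: str
    username: Optional[str] = None
    password: Optional[str] = None


class Acl:
    """Minimal default-deny ACL in the spirit of Zend_Acl: allow(role, resource, privilege)."""
    def __init__(self) -> None:
        self._rules: Set[Tuple[str, str, Optional[str]]] = set()

    def allow(self, role: str, resource: str, privilege: Optional[str] = None) -> "Acl":
        self._rules.add((role, resource, privilege))   # privilege None: every method of the service
        return self

    def is_allowed(self, role: str, resource: str, privilege: str) -> bool:
        return (role, resource, privilege) in self._rules or (role, resource, None) in self._rules


def authenticate(username: str, password: str) -> Optional[str]:
    """The DbTable adapter step: returns the identity row's role, or None on failure."""
    row = USERS.get(username)
    if row is None or row["password"] != password:
        return None
    return row["role"]


class Gateway:
    """Models gateway.php: the auth adapter runs only when credentials were sent; the ACL is optional."""
    def __init__(self, acl: Optional[Acl] = None) -> None:
        self.acl = acl

    def handle(self, req: AmfRequest) -> str:
        role = GUEST_ROLE
        if req.username is not None:                      # credentials header present: run auth
            role = authenticate(req.username, req.password or "")
            if role is None:
                return "auth-failed"                     # bad credentials: error returned to client
        if self.acl is None:
            return "executed"                            # no ACL: every caller reaches the method
        if not self.acl.is_allowed(role, req.service, req.method):
            return "access-denied"
        return "executed"


def unprotected_gateway() -> Gateway:
    """setAuth() configured but no ACL: authentication is effectively optional."""
    return Gateway(acl=None)


def protected_gateway() -> Gateway:
    """Default-deny policy: only the administrator role may call MyService.getData."""
    return Gateway(acl=Acl().allow("administrator", "MyService", "getData"))


if __name__ == "__main__":
    anonymous = AmfRequest("MyService", "getData")
    print("no ACL, no credentials:", unprotected_gateway().handle(anonymous))
    print("ACL,    no credentials:", protected_gateway().handle(anonymous))
```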

  • J2EE Authentication & Authorization

    Hi,
    We are using an LDAP server for authentication and authorization.
    We configured WebSphere 6 to use the LDAP server.
    Does anybody know how to configure either the Web Application or the server to use only Authentication but not Authorization?
    In our web application, we want to allow access to any authenticated user, no matter which roles the user belongs to.
    Is there any way we can configure web.xml to allow access to urls for any authenticated user?
    I tried using this auth-constraint:
         <security-constraint>
              <display-name>All</display-name>
              <web-resource-collection>
                   <web-resource-name>AllResources</web-resource-name>
                   <url-pattern>/*</url-pattern>
                   <http-method>GET</http-method>
                   <http-method>PUT</http-method>
                   <http-method>HEAD</http-method>
                   <http-method>TRACE</http-method>
                   <http-method>POST</http-method>
                   <http-method>DELETE</http-method>
              </web-resource-collection>
              <auth-constraint>
                   <role-name>*</role-name>
              </auth-constraint>
         </security-constraint>
    But the above configuration allows access to non-authenticated users as well, which is not intended.
    Any help is appreciated.
    Thanks,
    Vijay.

    Take a look at JAAS. It is designed expressly for J2EE authentication.
    - Saish

  • Authentication - Authorization 101

    Hi there :)
    I'm quite new to this, so please be patient with me if I don't understand everything you explain to me; I promise I'll learn!
    Here's the thing: I need to create an app for a sales team I work with. I work for a BDM area, so my main task is to figure out ways to sell more or to get more people interested in our products.
    We actually have a CRM (Oracle of course) in which they enter their business leads and opportunities, but we need something else: a place where they can all see, in the same way, how they are doing, but not referring to their leads (they already know those). I don't want to create a huge table to show them what they already know, only an app where they can see how they're doing regarding their "pipeline".
    I have been looking at the demonstration apps that come with htmldb, and I think that's 50% of what I need at least! So after fooling around a bit with it, here are my questions:
    1. I need to create a user for each sales rep. I checked with the demo app, and that's the way it's made, but how do I tell the app that it should look in this table to validate users? I know there is an authentication schema, but I haven't found it yet.
    2. There will probably be a few more tables. One of them is equivalent to the "demo_orders" table from the demo app. But the idea here is not to enter POs, but numbers corresponding to different actions we do together (sales + bdm). So, how do I show each user only the information regarding that user and not everything else? I'm pretty sure it has to do with the "user_id" assigned to the users table, but I don't know how to customize a report so it will show that.
    Help please?
    Thanks!!

    AleC - A basic decision you need to make about any application you put out there is how users will authenticate. You have a number of choices:
    1. No authentication. The application is public. If users need to see only their own data, you let them "self-identify" on the honor system. Not very secure but easy to implement and administer.
    2. Use database accounts. Each user has an Oracle database account. Password management is done using standard database facilities. Administration can be a headache.
    3. Use HTML DB user accounts. These are the accounts you use to access the HTML DB development tools. Your end users can have accounts here too and they do not need to have access to the development tools. They can use these accounts to access the applications you build. Administration can be a headache.
    4. Use "accounts" you create using your own user tables. Similar to (3) but you get to control everything about it. Administration can be a headache.
    5. Use LDAP (Oracle OID, MS AD, etc.). This is great if a directory is already set up for your organization. Administration can be someone else's headache.
    6. Use Single Sign-On, e.g., Oracle 10gAS SSO or something else, most of which will also have an LDAP directory underneath. Administration here may actually be someone's mission.
    7. Other - For example Windows Domain login information a la NTLM. (Search this forum for NTLM.)
    An authentication scheme for your application can be built on any of these solutions. So that's the first step. Let us know your choice and we can get you hooked up.
    The next question is authorization. You will need to maintain a schema (unless your LDAP directory has all the information you need) to relate named user accounts with privileges that your application recognizes. The authenticated username as seen by your app is available as v('APP_USER') in a PL/SQL context, or :APP_USER in SQL bind variable notation, or &APP_USER. (trailing period required) in HTML areas. Then you go about defining and hooking up authorization schemes throughout the application. These are routines that usually do lookups on a privileges table to figure out whether the current user can do this or that. Search this forum and read the User Guide for this topic.
    Scott

  • JAAS Authentication Authorization 2 ldaps

    Hi,
    First, sorry for my poor English. I have a problem with authentication and authorization in jboss portal. I need to configure the login-config.xml file with 2 login modules (ldaps). The first ldap handles the authentication and the second ldap handles the authorization (roles). I have all users replicated in the two ldaps. Has anyone ever configured this?
    Thanks
    Regards
    Edited by: 872339 on 20-ene-2012 2:57

    Not a Kerberos/GSS question. Not an Oracle Java question. A JBoss question. Try a JBoss forum. Locking.

  • Authentication/Authorization in an application server independent way

    Hello,
    I want to implement form based authentication and URL authorization (role based) in a JSF(+AJAX+REST) application.
    I would like to use container-managed authorization in an application server independent way (e.g. using my code to authenticate against a custom user database but using <security-constraint> of web.xml).
    How do I do that?
    Otherwise I would have to implement an authenticationAuthorizationFilter which reads URL permissions from a custom XML file.
    (Filter based security, as the application uses JSF and AJAX & REST services)
    Are there other options?
    How is acegi? Ease of use?
    Thank You.

    I noticed a project *'SecurityFilter'* (http://www.securityfilter.org/). Anyone using it please share experiences.
    I feel a filter is the way to go, ensuring in code that the 'forwards' go to authorized resources only. Direct GET/POST requests to a protected resource will be protected by the Filter.
    All: Please comment.
