Authentication & Extra Validation (JAAS)

Similar Messages

• Is ASA integration with ISE and RSA for 2 factor authentication a valid/tested design

  Hi,
  Customer currently uses ASA to directly integrate with RSA kind of solution to provide 2 factor authentication mechanism for VPN user access.  We're considering to introduce ISE to this picture, and to offload posture analysis from ASA to ISE.  And the flow we're thinking is to have ASA interface to ISE and ISE interface to RSA and AD backend infrastructure.  And we still need the 2 factor authentication to work, i.e., customer gets a SMS code in addition to its login username and password.  I'm wondering if ASA/ISE/RSA/AD integrated solution (and with 2 factor authentication to work) is a tested solution or Cisco validate design?  Any potential issue may break the flow?
  Thanks in advance for any input!
  Tina

  Hi,
  I have an update for this quite broad question.
  I have now came a bit further on the path.
  Now the needed Radius Access Attribute are available in ISE after adding them in
  "Policy Elements" -> "Dictionaris" -> "System" -> "Radius" -> "Cisco-VPN3000".
  I added both the attribute 146 Tunnel-Group-Name which I realy need to achive what I want(select diffrent OTP-backends depending on Tunnel Group in ASA) and the other new attribute 150 Client-Type which could be intresting to look at as well.
  Here the "Diagnostics Tools" -> "Generel tools" -> "TCP Dump" and Wireshare helped me understand how this worked.
  With that I could really see the attributes in the radius access requests going in to the ASA.
  Now looking at a request in "Radius Authentication details" I have
  Other Attributes:
  ConfigVersionId=29,Device Port=1025,DestinationPort=1812,RadiusPacketType=AccessRequest,Protocol=Radius,CVPN3000/ASA/PIX7.x-Tunnel-Group-Name=SMHI-TG-RA-ISESMS,CVPN3000/ASA/PIX7.x-Client-Type=,CPMSessionID=ac100865000006294FD60A7F,.....
  Ok, the tunnel group name attribute seems to be understood correct, but Client-Type just say =, no value for that.
  That is strange, I must have defined that wrong(?), but lets leave that for now, I do not really need it for the moment being.
  So now when I have this Tunnel-Group-Name attribute available I want to use it in my Rule-Based Authentication Policy.
  Problem now is that as soon as I in an expression add a criteria containing Cisco-VPN3000:CVPN3000/ASA/PIX7.x-Tunnel-Group-Name matches .* (just anything), then that row does not match any more. It still work matching against NAS-IP and other attributes.
  What could it be I have missed?
  Best regards
  /Mattias

• MV45AFZZ extra validations

  Hi all,
  I'm trying to set some more validations on USEREXIT_SAVE_DOCUMENT_PREPARE.
  If some of these validations are not true, is it possible to not allow to save?
  Thanks,
  Luis Cruz

  Dude... You got to be kidding me. Have you at least tried it? The error message will be displayed, then the users can go back and change anything they want and then do Save again. In the worst case add
  fcode = 'ENT1'.
  before the error message.

• Need Extra Validation for Attachments in Leave Requests

  Hi All,
  We intend to validate whether a user requesting for leave (ex.: Sick Leave) using SSHR has attached any documents or not (in case the request is for more than 5 days).
  Can someone please help me out with this? I tried to do this by using 'User Hooks' but the hooks that I have used so far (create_absence_entry BP, per_absence_attendances RH) validate the data on the absence entry page itself (i.e. even before the review page where files are attached is reached).
  Is there any user hook available on the review page in SSHR? Or, is there any alternative to this method?
  - Vikram

  Hi,
  If so your Message Flow is -
  RFC->XI->Http->RFC(R/3)->File
  After getting the response you need to send the Response back to the R/3 and same time the response should be sent to File system. Now you can go for BPM here.
  This blog will give you some idea-
  /people/arpit.seth/blog/2005/06/27/rfc-scenario-using-bpm--starter-kit
  So your BPM will contain these steps-
  1) Receive the RFC Request
  2) Send the RFC request Synchronoulsy
  3) Recieved Response will be mapped to the file system structure
  4) send the Mapped file structure
  Asumption is Mapping i.e Request to Http Request and Http Response to RFC response is done outside the BPM.
  Hope this helps,
  regards,
  Moorthy

• Weblogic 6.1 and JAAS Authentication

  We are trying the authentication funda that JAAS provides. It is said that the class weblogic.security.auth.Authenticate has a method authenticate which does the actual job of validating the given username\password (passed as parameters)
  Now,
  1. Where will this method look for the available list of username \ passwords ie. Database table or JNDI etc.
  2. Can this method look up a available database table values and do the authentication, if so where do we associate weblogic with the database, so that this method would connect to that database and fetch the username\password.
  3. If the user is valid, then how is the client authencation info maintained for subsequent requests, so that it need not validate every time. Is it stored in the userHTTPSession or how?
  Kindly answer!
  Thanks!

  1. Where will this method look for the available list of username \passwords ie. Database table or JNDI etc.
  It depends, if you are using the file realm than it checks against
  filerealm.properties,
  If you have LDAP realm, it will check against LDAP server that you have
  configured.
  and so on...
  2. Can this method look up a available database table values and do theauthentication, if so >>where do we associate weblogic with the database, so
  that this method would connect to >>that database and fetch the
  username\password.
  All you need to setup is the Realm, and it will look for users as per the
  setup that you have.
  Weblogic comes with the JAAS example, you can find it under
  WL_HOME/examples/security/jaas. Please take a look at the example.
  -Utpal

• Using JAAS for third-party webapp

  I'm developing a webapp that will be marketed to enterprise customers. Right now, it handles its own authentication by validating the userid/password against its own user table. I'd like to give customers the ability to plug in whatever type of authentication they want, for example, one that authenticates a user against an Active Directory domain.
  It seems like JAAS was expressly designed for this purpose, but as I read up on it, I forsee all sorts of problems that could be caused by it. If I'm missing something, I'm hoping someone here can set me straight.
  According to the docs, when an app creates a LoginContext and provides it with CallbackHandlers, the LoginContext will check the Configuration to see if any LoginModules are configured for the app (based on the name parameter passed into the LoginContext). If it doesn't find one, it will look for a set of LoginModules for "other".
  Here's the behavior I would like: If there is no set of LoginModules configured specifically for my app, I do NOT want the LoginModule(s) for "other" used, since I have no clue what it/they will be. Instead, I would like to my code to be gracefully notified that no LoginModules are configured, so it can default back to its own authentication mechanism. From the looks of the API docs, however, there doesn't seem to be any surefire way to tell why a LoginException has thrown.
  I thought I might be able to check programattically to see if there's a LoginModule configured for my webapp with Configuration.getConfiguration().getAppConfigurationEntry(appName), but, 1) it looks like that will probably throw a SecurityException, and 2) it also looks like it would return the AppConfigurationEntries for "other" in the event there's no entry for my app.
  It's important that my app not require the appserver administrator to explicitly configure a LoginModule for it, since that could turn into a support nightmare; I simply want to give powerusers the ability to do so if they choose to.
  Is it possible to get the behavior I want from JAAS, without a lot of contortions and workarounds? As I said, I may be missing something, but it doesn't seem like I can.

  This is from the javadocs
  public LoginContext(String name)
  throws LoginException
  Initialize the new LoginContext object with a name.
  LoginContext uses the specified name as the index
  into the Configuration to determine which
  LoginModules should be used. If the provided name
  does not match any in the Configuration, then the
  LoginContext uses the default Configuration entry,
  "other". If there is no Configuration entry for
  "other", then a LoginException is thrown.
  Throws:
  LoginException - if the specified name does not
  appear in the Configuration and there is no
  Configuration entry for "other", or if the
  auth.login.defaultCallbackHandler security property
  was set, but the implementation class could not be
  loaded.
  The or condition here could be ignored because you
  wouldnt be using CallbackHandlers or even if you are
  using them, you could ensure that the classes are
  'loadable'.The problem is, that LoginException is going to be called for anything that goes wrong inside a LoginContext. If there is an "other" LoginModule set, but it doesn't recognize my user's name and password, then it will throw a FailedLoginException. How is my code supposed to know that the user's name/password will never be accepted by that LoginModule?
  >
  2.
  An alternative would be to provide your own
  own implementation of the abstract class
  javax.security.auth.login.Configuration overriding
  the default implementation provided by Sun. Remember, this is a third-party webapp running in an appserver with other webapps from different providers. It has to use whatever Configuration is already there.
  This is
  the same technique if you wish to provide the login
  module information in any other location than a text
  file (as is required by the default implementation)
  You could then throw specific custom exceptions
  ons from your implementation code and choose to
  handle it in the manner you desire.Even if I could do that, which I can't, as I explained, I have to keep this SIMPLE for customers who might not be very knowledgeable in the more esoteric aspects of J2EE and Java.

• FI-REFX Add additional validation to monthly posting

  Dear,
  We would like to add extra validations to the standard posting programs RERAOP/RERAPP (and their reversal programs RERAOPRV/RERAPPRV). These are standard SAP transactions within Real Estate to make (monthly) postings on the contract. Each contract contains a rental object (= the building or part of the building).
  An additional validation should be made on the profit center used in the posting (which is derived from the rental object) if the profit center is active for the company code used.
  If not active, it should not generate any posting for the contract in which the rental object/profit center is used and generate a standard error log - as done by the default program & give a detailed error message.
  The problem is that there is no user exit available/found to add an additional validation or to add an error message to the error hierarchy + to prevent the posting.
  We can add the error message to the error hierarchy in display (transaction SLG1), but not in the execution (update mode) of the program.
  Can anyone please advice on how to proceed to have this additional validation added please?
  Many thanks!
  Steps to reconst
  RERAPP or RERAOP with contract which contains a rental object that is linked to a profit center which is not active for a certain company code.
  Error message should be given: For contract X, profit center Y is not active for company code Z.
  Indicator should be red (error) and no posting should be made.
  Many thanks!

  Dear Pk,
  Thank you for your idea. Eventually this would be the way to go as the validation I need is indeed based on data in gl_je_lines in status other than 'P' - Posted.
  There are several posting programs that are called in several ways.
  The posting programs are:
  - Posting -- Executable: GLPPOS
  - Posting: Single Ledger -- Executable: Posting: GLPPOS
  - Program - Automatic Posting -- Executable: GLPAUTOP (this will submit the GLPPOS)
  The ways to post journals in GL (except SLA journals) are:
  - run the Program - Automatic Posting
  - push the "Post" button on the journal entry form
  - use the Jpurnal -> Post navigator function
  In this case the validation I need would imply the forms customization + custom posting wrapping program.
  I was looking for a way of adding one more validation to the standard list of validations for the GLPPOS executable as this is the only executable being responsible for posting in GL.
  Thanks again for your response,
  Cosmnin

• HTTP Error 400 on Tomcat 5.0.28 and JAAS

  Hi
  I have this problem every time I send an Authentication Request using JAAS. I've a login form and, after I send my request, LoginModule starts to process it. The problem is that, viewing the tomcat log output, the authentication goes well, but Tomcat send me a HTTP error code 400 which means "Invalid direct reference to form login page".
  If I reload the login form, not back button, and retype my credentials, I reach to enter in my website. Tomcat send me a HTTP code 302, then load my home page.
  This is the login HTTP message:
  POST /j_security_check HTTP/1.1
  Host: localhost:1999
  User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; it; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14
  Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
  Accept-Language: it-it,it;q=0.8,en-us;q=0.5,en;q=0.3
  Accept-Encoding: gzip,deflate
  Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
  Keep-Alive: 300
  Connection: keep-alive
  Referer: http://localhost/xxxx/index
  Cookie: JSESSIONID=8F91E0B617B45C1BC772E370481C8FCF
  Content-Type: application/x-www-form-urlencoded
  Content-Length: 65
  j_username=user&j_password=pass&Submit=LoginAnd this is the login form:
  <form method="post" action ="j_security_check" name="loginform" >
    <table width="100%" cellpadding="2" cellspacing="0" class="corpo">
       <tr>
        <td><div align="right">Username</div></td>
        <td width="20%"><input type="text" class="corpo" name="j_username" /></td>
      </tr>
      <tr>
        <td><div align="right">Password</div></td>
        <td width="20%"><input type="password" class="corpo" name="j_password" /></td>
      </tr>
      <tr>
        <td> </td>
        <td><div align="right">
           <input type="submit" class="bottone" name="Submit" value="Login" /><br />
             <a href="javascript:apriFinestra('<%= request.getContextPath() %>/jsp/password.jsp', '', '400px', '400px');" class="corpo"><%=lu.resource(rb, "HOME.forgot") %> </a>
        </div></td>
      </tr>
    </table>
  </form>

  There've been issues when running in the embedded OC4J server where logged messages don't appear at all - I suspect this is happening on both environments, but you're only seeing the message on Tomcat.
  If you look in the HTML, you'll see a <!-- ILLEGAL HTML: --> comment where the problem occurs, and you should be able to trace that content back to the components you're using at that spot. Could you let us know what combination of components produces this error? (The problem is exactly what the error message says: HTML does not allow <img> directly inside of <table>, but that's what got produced.)

• Regarding the validations in File Upload.

  Hi
  I am Using the X:InputFileUpload> for uploading of the my file and i am using validator class for checking the validation like if the file name is null. But i need one more validation to check the file format like if i have enter any special characters and invalid file format(SSS) i want give a message to the user.
  Please suggest me how can i approach using Myfaces.
  Thanks in advance.
  Regards
  Satish

  I have never used myfaces implementation but I am sure you can just define your own custom validator and attach it to this component or assign a method binding to its validator attribute to perform extra validation.

• EP 6.0 SP2 + external kerberos authentication

  We recently installed EP 6.0 SP2 Patch 4 HF 6 on an Aix 5.2 unix platform. We would like to create our own authentication scheme that uses a login module written in Java that does kerberos authentication externally. From reading the Portal Security Guide it appears that this is a doable approach. Has anyone actually done this with the portal on a unix platform? Which Java kerberos library implementation did you use?
  Thanks in advance.
  Sincerely,
  Steven McElwee, Duke University

  Hi,
  as mentioned above, you need a second server. This one could be Windows. People use this architecture in productive environments.
  If this does not work for you, you need to go the second approach: Custom JAAS login module using the WebCallback plus a kerberos library.
  Here some links:
  https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sapportals.km.docs/documents/a1-8-1/pluggable authentication implementing a jaas login module presentation
  https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sapportals.km.docs/documents/a1-8-1/pluggable authentication implementing a jaas login module exercises
  Best regards,
  Oliver

• Some basic questions about JAAS

  I am confused about the general use of the JAAS mechanism in Java. Hopefully someone can answer these hopefully not too naive questions:
  1. Does it ever make sense to use java.net.Authenticator instead of JAAS?
  2. JAAS allows the definition of an assumedly text based Configuration file that instructs the LoginContext how to stack various login mechanisms on top of each other. Wouldn't this be easily hacked by the user, where one would only need to edit this known file and remove the authentication requirement(s)?
  3. I am confused about the utility of the Subject.doAs... priviledged security actions. Specifically, does this absolutely prevent a hacker from running the program in a debugger and running certain bytecode? I have read the tutorial section on what Subject.doAs... provides, but does this stop a hacker from obtaining the PrivilegedAction object (or code inside it) and somehow executing that code in a debugger or in a custom jar?
  Thank You,
  Eric

  I'll follow up to my own post with two more questions:
  4. The app I'm targeting here is a JavaWebStart client, that connects to a remote server app. Assuming I use JAAS on the client, do I also use it on the server to re-check the client-login (to prevent a hacker from circumventing the client-side JAAS authentication checks)?
  5. If I use JAAS for authorization in a JavaWebStart app, but I need the JNLP to include the following:
  <security>
  <all-permissions/>
  </security>
  Does this completely circumvent any authorization checks I need to do using JAAS, seeing as I'm already granting all-permissions to the Java security module?

• OC4J, JavaSSO and standard Linux authentication

  Having "fixed" my earlier "problem" (<Problems using JavaSSO in simple scenario I've now been able to get JavaSSO working as expected using the default file-based security provider.
  What I would really like to do, however, is have the authentication performed against the users and groups known to the Linux O/S on which OC4J is running - i.e. by having the user provide their standard Linux username/password.
  I had initially thought that I could achieve this through use of com.sun.security.auth.module.UnixLoginModule - but soon(ish) realised that this was actually carrying out authentication of the user running the application server, rather than the user trying to log in.
  It looks like ShadowJAAS (<http://freshmeat.net/projects/shadowjaas/>) might be what I'm after... Does anybody have any experience of using this with OC4J? Or can anybody recommend any alternatives?
  Cheers,
  Alistair.

  Having not had much luck with ShadowJAAS, I thought I'd try a PAM based authentication module called JAAS-PAM:
  <http://jaas-pam.sourceforge.net/index.html>
  This took considerably more effort to get up and running than ShadowJAAS, but I seem to be suffering from essentially the same problem. Adding some debug output into the JAAS-PAM source provided me with the following, when I attempt to log in via JavaSSO:
  07/05/23 13:52:32 ******************************************************************
  07/05/23 13:52:32 INITIALIZE method has been invoked
  07/05/23 13:52:32 subject is Subject:
  07/05/23 13:52:32 options is {service=login}
  07/05/23 13:52:32 ******************************************************************
  07/05/23 13:52:32 ******************************************************************
  07/05/23 13:52:32 LOGIN method has been invoked
  07/05/23 13:52:32 ******************************************************************
  07/05/23 13:52:32 ******************************************************************
  07/05/23 13:52:32 HANDLE method has been invoked
  07/05/23 13:52:32 ******************************************************************
  07/05/23 13:52:32 ******************************************************************
  07/05/23 13:52:32 HANDLE method has been invoked
  07/05/23 13:52:32 ******************************************************************
  07/05/23 13:52:32 ******************************************************************
  07/05/23 13:52:32 Got a passwordcallback
  07/05/23 13:52:32 Password is supplied as [C@c7539
  07/05/23 13:52:32 Prompt is supplied as Password:
  07/05/23 13:52:32 ******************************************************************
  07/05/23 13:52:32 ******************************************************************
  07/05/23 13:52:32 status is 0 which is Success
  07/05/23 13:52:32 ******************************************************************
  07/05/23 13:52:32 ******************************************************************
  07/05/23 13:52:32 COMMIT method has been invoked
  07/05/23 13:52:32 ******************************************************************
  07/05/23 13:52:32 ******************************************************************
  07/05/23 13:52:32 FREEPAM method has been invoked
  07/05/23 13:52:32 ******************************************************************
  07/05/23 13:52:32 ******************************************************************
  07/05/23 13:52:32 INITIALIZE method has been invoked
  07/05/23 13:52:32 subject is Subject:
  07/05/23 13:52:32 options is {service=login}
  07/05/23 13:52:32 ******************************************************************
  07/05/23 13:52:32 ******************************************************************
  07/05/23 13:52:32 LOGIN method has been invoked
  07/05/23 13:52:32 ******************************************************************
  07/05/23 13:52:32 ******************************************************************
  07/05/23 13:52:32 HANDLE method has been invoked
  07/05/23 13:52:32 ******************************************************************
  07/05/23 13:52:32 ******************************************************************
  07/05/23 13:52:32 HANDLE method has been invoked
  07/05/23 13:52:32 ******************************************************************
  07/05/23 13:52:32 ******************************************************************
  07/05/23 13:52:32 Got a passwordcallback
  07/05/23 13:52:32 Password is supplied as null
  07/05/23 13:52:32 Prompt is supplied as Password:
  07/05/23 13:52:32 ******************************************************************
  07/05/23 13:52:32 java.lang.NullPointerException
  07/05/23 13:52:32       at java.lang.String.<init>(String.java:173)
  07/05/23 13:52:32       at java.lang.String.valueOf(String.java:2591)
  07/05/23 13:52:32       at ch.odi.jaaspam.PamLoginModule$JaasPamCallback.answer(PamLoginModule.java:300)
     :As with ShadowJAAS before it, it looks as though authentication is taking place twice: once with the password I've supplied, and then again with a null password.
  It's worth noting that the sample (Java SE) applications provided with both authentication modules work as expected - it's only when I try to use them with JavaSSO that I see these problems.
  This leads me to believe that the problem lies with JavaSSO (or, at least, the way I'm configuring it), rather than in the authentication modules themselves.
  I'm running out of ideas here, so if anybody has a nugget of useful information, please share!
  Many thanks,
  Alistair.

• Weblogic 10 jaas and login.jsp and web.xml/weblogic.xml security constaints

  Hello,
  I struggled through and got the examples.security.jaas.SampleCallbackHandler.java and examples.common.utils.ExampleUtils.java/ExampleConstants.java into eclipse where they compile. A bean I made can call SambleCallbackHandler like such:
  mybean.logmein(username,password,url). I can then do a mybean.getStatus() or even a mybean.returnCode(). It does seem to correctly identlify that it is authenticating me (I see in stdout logs that it shows success or failures. The problem I have is I do not know how to apply this weblogic and web.xml/weblogic.xml so that if authentication works it redirects me to the page requiring the authentication. In web.xml I have the following set up:
  <security-role>
       <role-name>Admins</role-name>
  </security-role>
  <login-config>
       <auth-method>FORM</auth-method>
       <realm-name>default</realm-name>
       <form-login-config>
            <form-login-page>/login.jsp</form-login-page>
            <form-error-page>/badlogin.html</form-error-page>
       </form-login-config>
  </login-config>
  <security-constraint>
       <web-resource-collection>
            <web-resource-name>empower</web-resource-name>
            <description>These pages are only accessible by authorized users.</description>
            <url-pattern>/admin/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
       </web-resource-collection>
  <auth-constraint>
  <description>These are the roles who have access</description>
  <role-name>Administrators</role-name>
  </auth-constraint>
       <user-data-constraint>
       <description>This is how the user data must be transmitted</description>
       <transport-guarantee>NONE</transport-guarantee>
       </user-data-constraint>
  </security-constraint>
  My weblogic.xml has:
  <?xml version="1.0" encoding="UTF-8"?>
  <wls:weblogic-web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:wls="http://www.bea.com/ns/weblogic/90" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd http://www.bea.com/ns/weblogic/90 http://www.bea.com/ns/weblogic/90/weblogic-web-app.xsd">
  <wls:security-role-assignment>
  <wls:role-name>Admins</wls:role-name>
  <wls:principal-name>Administrators</wls:principal-name>
  <wls:principal-name>dashap</wls:principal-name>
  </wls:security-role-assignment>
  </wls:weblogic-web-app>
  With this set up, if I try to go to a page in /admin folder in my application, it correctly pops up the login page. The jaas in the bean is doing a loginContext.login(), which I thought does authentication too, but it never goes back to the /admin page I was going to that needed the authentication. With jaas, can I not use the web.xml FORM security option? Do I Need to use j_security in the login.jsp's form's action= option and j_username and j_password for the input type names? How do I use j_username/j_password things if I am using jaas? I could just ignore using the web.xml security stuff and put something in the pages that need authentication, but it would be easier if I could use jaas with the security featurs without doing all that. Note that my code above is using a realm called default just because that was what was in the example I got from the web. Does that need to be something else?

  Hi John,
  I would like magic of course. However, in this case I want something special: my authentication provider uses special means and contents of headers, cookies and service from external identity management systems to determine the user's identity.
  I do not want the application to present the login dialog! I want to derive the identity and the fact that the user is logged in from whatever the authentication provider returns in terms of Subject.
  Ideally, the flow is something like:
  - user accesses an unprotected resource - resource is shown, no interaction with authentication provider
  - user presses a link or button that takes him/her to a protected resource
  - the authentication provider is contacted to work with the identity asserter to establish the identity of the current user and create a subject object for this user
  - the application can access the subject and principals
  - ADF Security recognizes the identity and the roles (based on the principals) and coordinates access based on this.
  the authentication method is client certificate. presumably this prompts WebLogic/OPS to use an identity asserter to work with custom headers and cookies ("... when you configure a web application to use CLIENT-CERT authentication. In this case, WebLogic can perform identity assertion based on values from request headers and cookies. If the header name or cookie name matches the active token type for the provider, the value is passed to the provider."). No login form should be presented to the user, as all information required to perform the authentication is already available.
  I am trying to understand what I must do to have the ADF application adopt the subject set by the authentication provider - if anything?!
  If you more ideas to share - I would love to hear them.
  best regards,
  Lucas

• 802.1x machine vs user authentication

  In the process of depolying 802.1x on wired LAN. What is the difference between machine authentication and user authentication? Thanks in advance.

  OK, so assuming we're still talking the MSFT supplicant, you have some options:
  1) USe EAP-TLS and mark any certs deployed to your corporate-owned assets and non-exportable. This solves the issue by brute force. You don't exactly need machine-authentication to do this. You may need machine-auth for other reasons (as I believe we've discussed here).
  2) If PEAP is in use, use the machine-auth and the Machine-Access-Restriction feature in ACS. What this does is a coupling of the notions of machine-auth as a preceeding policy decision for user-auth. Example: It is technically possible that anyone with a valid NT account may be able to 802.1x-authenticate from "any" machine. But with the machine-access-restriction feature, they will only be able to do so if ACS has also authenticated a valid machine-auth session prior to the login attempt.
  3) Use a NAR in ACS. A NAR is a Network Access Restriction. If for example, you have a database of all the MAC Addresses you have (or an OID wildcard) you can configure further checking of a MAC address from an otherwise valid 802.1x authentication attempt. This effectively tells ACS to only allow authentication attempts from MAC Addresses it knows about.
  Hope this helps.

• JAAS Authorization and Credentials

  Hi,
  I am adapting an access control system to operate as a JAAS authentication and authorization service. There is a lot of doco covering creation of custom authentication but far less on the authorization side. Any pointers welcome.
  My question is: What is the role of a Subject's "credentials" in the authorization scenario?
  From what I can see a Subject's credentials aren't even available to the authorization service under JAAS? When application code calls methods such as SecurityManager.checkPermission() it seems that a Subject's Principals are passed down to the authorization engine (the Policy) but not the Subject's credentials.
  A ProtectionDomain also has an array of Principals rather than credentials.
  I would like to base the access decisions made by the authorization engine (a custom Policy) on a Subject's credentials. Is there a way? I could just use my credential class as a Principal (with some minor changes) but the information in my class does not represent an idenity, it is a "credential"!
  Any tips gratefully received.

  When application code calls methods such as SecurityManager.checkPermission() it seems that a Subject's Principals are passed down to the authorization engine (the Policy) but not the Subject's credentials.The Subject's public credentials are available via Subject.getPublicCredentials if the JAAS login module has set them up. But the Policy shouldn't need them at this stage. The Subject has already been authenticated by the JAAS login module. All the Policy should be is interested in is what this Subject can do. The credentials aren't for that, they are for authenticating his identity. See below for further discussion.
  A ProtectionDomain also has an array of Principals rather than credentials.Again it doesn't need them. Only the JAAS login module needs them.
  I would like to base the access decisions made by the authorization engine (a custom Policy) on a Subject's credentials.You should base it on the Subject itself and its Principals. Specifically the idea is that he has one or more RolePrincipals that name the roles he is allowed to act as in the application.
  So you write a JAAS LoginModule that inspects the credentials, Principal, name etc and adds RolePrincipals to the subject according to what he is now allowed to do. Then your custom Policy just looks for the appopriate Principal in the Subject. If there, OK, if not, bang you're dead.
  From one point of view this is an efficiency measure. From another point of view it is an essential normalization. You could have millions of credential sets that all map to the same role. And you certainly don't want your Policy to be concerned with individual credentials, only with the Roles they map to.