Authentication_Type for custom authenticator

Hi,
I need to use custom authentication, For this I have to change the nqsconfig.ini Authentication type.what is the type I should give…
Could you sent some useful link or document about this authentication.
Thank you,
karthikeyan

Hi Dann,
Thank you for your reply, I gone through those documents and I think there is no need to specify Authentication_Type for custom authenticator.
Have you did custom authentication earlier, If you know the configuration please let me know how to do.
According to this document http://www.rittmanmead.com/files/OBIEE_Access_Control.pdf , I configured everything but custom authentication is not working.
Help me if you can.
Thank you,
karthikeyan

Similar Messages

OWA_SEC.CUSTOM package - Custom authentication procedures...

Folks -
I haven't ever used the OWA_SEC.CUSTOM package for custom authentication of a psp application - and now need to do so. The documentation doesn't have any examples of what I need to do. Although there is plenty of documentation - it all says the same stuff, without saying what developers need to do to get it to work.
For example I have updated the following files in the following ways - and still it doesn't work:
owapriv.sql - updated the line that says:
auth_scheme := OWA_SEC.NO_CHECK;
to :
auth_scheme := OWA_SEC.CUSTOM;
owacust.sql - updated to say:
create or replace package body OWA_CUSTOM is
/* Global PLSQL Agent Authorization callback function - */
/* It is used when PLSQL Agent's authorization scheme is set to */
/* GLOBAL or CUSTOM when there is overriding OWA_CUSTOM package.*/
/* This is a default implementation. User should modify. */
function authorize return boolean is
v_username varchar2(30);
v_pass varchar2(30);
BEGIN
owa_sec.set_authorization(OWA_SEC.CUSTOM);
owa_sec.set_protection_realm('my_app');
v_username := owa_sec.get_user_id;
v_pass := owa_sec.get_password;
IF v_username = 'cmanning' THEN
return TRUE;
ELSE
return FALSE;
END IF;
end;
end;
show errors
wdbsvrapp.sql looks like this:
[DAD_mydad]
connect_string = my_connect_string
password = my_password
username = my_username
default_page = my_default_package.procedure
;document_table =
;document_path =
;document_proc =
;upload_as_long_raw =
;upload_as_blob =
name_prefix =
;always_describe =
;after_proc =
;before_proc =
reuse = Yes
connmax = 20
;pathalias =
;pathaliasproc =
enablesso = No
;custom_auth =
Can anyone tell me what I am missing / doing wrong.
For example:
When I take out the username/password reference from the wdbsvr.app file - the browswer tries to authenticate me and the only username/password that validates is the username/password of the database user.
I don't want to have to have database users for every application user that should be authenticated in my application. I want to put a routine in the owacust.sql file that authenticates users (via my own routine or an optional LDAP/radius/SecurID lookup). In this basic example - I am only validating with the cmanning/cmanning combination.
From what I understand in the documentation - if I use OWA_SEC.CUSTOM - then I don't have to put a .authorize function in every package - the OWA agent simply authenticates every request via the OWA_CUSTOM.authorize function.....
Dude - what's up?
Can someone from the Big O help a brother out?
cfm
null

Charles
It looks to me like you want your users authenticated when they try to view your pl/sql-generated html pages, but you want to control the validation with custom code.
You appear to be trying to use owa_custom.authorize to authorize each request, which seems like a good approach.
This whole area is quite complex and I have never found any really comprehensive doco on it. Here are my thoughts which others might like to comment on.
This is a simple version of owa_custom:
PACKAGE BODY OWA_CUSTOM IS
FUNCTION authorize return boolean is
BEGIN
owa_sec.set_protection_realm('aRealm');
if owa.user_id is null then
return false;
else
return my_validate_user
(owa.user_id,owa.get_password);
end if;
exception
RETURN FALSE;
END authorize;
begin
owa_sec.set_authorization(OWA_SEC.GLOBAL);
end;
Note the begin block that applies to the package and sets authorization to GLOBAL when the package is loaded.
The authentication mode in the DAD will need to be Global Owa (afaik) and you will need to supply an oracle username and password in the DAD. ie. you will authenticate the userid/password supplied by the user and then the user will connect to the database as the oracle user specified in the DAD.
I cannot test this code at the moment. Nor can I give you complete instructions to set up authentication from scratch. But here's a brief description of what the code should do.
1. It sets authorization to GLOBAL. So mod_plsql will call owa_custom.authorize for every request. That is, you don't call owa_custom.authorize, it will be done for you and the internals probably look like this:
if owa_custom.authorize then
user_requesed_page(user_supplied_args);
else
send_access_denied;
end if;
2. It sets up a realm, which is relevant to HTTP Basic Authentication and its challenge/response. (You don't have to use HTTP Basic Authentication. An alternative is to present a login form to the user, then you manage the userid/password.)
3. It looks in owa.user_id which will hold the userid supplied by the browser after a HTTP Basic Authentication challenge/response.
4. It uses your custom code to validate the userid and password once the user has been challenged to provide these. You obviously have to create the my_validate_user procedure in the schema and package of your choice.
5. It does not time users out, it does not sustain multi-sessions per user via cookies and it does not support logout without shutting the browsers. But it is simpler for lacking these features.
If this is a way you want to try then your first aim should be to make sure owa_custom is called globally and that it lets you into the database via the DAD-supplied userid and password. You may need some way of writing debug on the server using utl_file to confirm it is being called. Or you could make it return true unconditionally, request a page, then make it return false and request a page.
This is just a start, but let me know if it is on topic.
It would be great to hear suggestions and comments from others on authentication for an htp application under iAS.
Has anyone tried DB Prism?
null

Restful Web Services - First Party Authentication with custom authentication schemes

Hi
I've successfully enabled security using first party authentication on our Restful web services however these only work with the built in Apex accounts and not other authentication schemes.
Ideally I'd like to authenticate against LDAP, however when I enable this authentication scheme the restful services don't work as they only support the Apex accounts.
Has anyone implemented LDAP authentication for Apex restful web services, either directly or using Glassfish ? Does anyone know if support for custom authentication schemes on the feature roadmap for a future Listener release ?
I attempted to configure the glassfish application against LDAP but am still working on it.. glassfish never challenged the client to authenticate (it's only to be for the web service endpoints and nothing else), so any pointers on how to set that up for Apex would be appreciated.
Thanks
Kes

Hi Gemma,
unfortunately at the moment you are caught between a rock and a hard place:
- As you point out there is no way in APEX for a user to self-register themselves, short of developing your own table to store users and configuring APEX custom auth to authenticate against that table
- Listener can only authenticate against the the APEX user repository, it cannot integrate with custom APEX authentication.
There may be other options though, by leveraging the authentication capabilities in the JRE and/or WebLogic/GlassFish application servers. We're interested in addressing this use case, so if you wish to investigate further please send me an email ( colm <dot> divilly <at> oracle <dot> com).
Thanks,
Colm Divilly

Is there a standard way to plug in custom authentication code

Is there a standard way to plug in use my own custom authentication code using forms authentication when I am using servlets/jsp for my website. I read the spec and found that the spec requires servlet containers to support forms authentication, but, the process seems to be transparent to the developer. This restricts me to store user information in the format imposed by the container provider. I cannot use, MS Active directory for example, to store user attributes and use it for forms authentication. Also, I could not find any standard way in which HttpServletRequest.getRemoteUser() works. Shouldn't there be a set of interfaces abstracting authentication process, which developers can implement for customized authentication mechanisms.
Thanks
Nikhil.

Greetings,
Is there a standard way to plug in use my own custom authentication code using formsNo. There are standard "authentication mechanisms" but that's not quite the same thing. Like most things in J2EE, the "what" of things are specified but the "how" them are left to the vendor. Consult your vendor docs.
authentication when I am using servlets/jsp for my website. I read the spec and found that the spec
requires servlet containers to support forms authentication, but, the process seems to be transparent
to the developer. This restricts meFor the most part, "forms" authentication is transparent to the developer - at least, with respect to directly responding to and handling the request. The developer, however, does have some significant work to do with regard to the form itself and any associated error "pages". The point of the "standard authentication schemes", however, is to delegate the work of actual authentication processing to the container and, thereby, make it transparent to the developer (one of the many "application services" provided by the application server ;).
to store user information in the format imposed by the container provider. I cannot use, MS Active
directory for example, to store user attributes and use it for forms authentication. Also, I could notAgain read your vendor docs on how to "plug in" your own authentication handler(s). Most support it in some fashion which typically involves implementing some interface(s) and/or abstract class(es). Many also support it through their own "standard" component handlers, like an EJB invoker, where the invoked component is expected to function in a pre-determined way.
Of course, there's nothing in the specification that says authentication must be handled by the container (only that it must be supported)! You're free to implement a login mechanism through your own proprietary JSP page and/or servlet (and/or EJB), and bypass the container entirely. ;)
find any standard way in which HttpServletRequest.getRemoteUser() works.Regardless of the standard authentication scheme used (i.e. handled by the container), the user's authenticated login ID is returned by the method. Unfortunately, this means the method is useless if your own "authentication system" is used in lieu of the container - but, of course, in such a case the method should also be un-needed. ;)
Shouldn't there be a set of interfaces abstracting authentication process, which developers can
implement for customized authentication mechanisms.It's a matter of debate.
Thanks
Nikhil.Regards,
Tony "Vee Schade" Cook

MBeanMaker is not creating Schema folder in JAR file for custom authenticat

I have created a custom authentication provider.I am using following code of build.xml to generate jar file for custom authentication provider
<target name="build.mdf" depends="copyConfigFiles">
<java classname="weblogic.management.commo.WebLogicMBeanMaker" fork="true" failonerror="true">
<jvmarg line="-Dfiles=./build/mili -DMDF=./build/mili/MILIAuthenticator.xml -DcreateStubs=true"/>
<classpath>
<pathelement path="${java.class.path}"/>
<pathelement location="./build/mili"/>
<pathelement location="./lib/weblogic.jar"/>
<pathelement location="./lib/wlManagement.jar"/>
<pathelement location="./lib/jcifs-1.2.0.jar"/>
</classpath>
</java>
</target>
<target name="copySrcFiles" depends="build.mdf">
<copy todir="./build/mili" flatten="true" overwrite="true">
<fileset dir="./src/java">
<include name="**/MILI*.java"/>
</fileset>
</copy>
</target>
<target name="SecurityProviderJar" depends="copySrcFiles">
<java classname="weblogic.management.commo.WebLogicMBeanMaker" fork="true" failonerror="true">
<jvmarg line="-Dfiles=./build/mili -DMJF=./build/MiliSecurityProviders.jar"/>
<classpath>
<pathelement path="${java.class.path}"/>
<pathelement location="./build"/>
<pathelement location="./lib/wlManagement.jar"/>
<pathelement location="./lib/weblogic.jar"/>
<pathelement location="./lib/jcifs-1.2.0.jar"/>
</classpath>
</java>
</target>
Build.xml is running fine without giving any error,but it is not generating schema folder in the jar file.
beacause of that my custom authentication provider is not comming in admin console.
Kindly help me to resolve this.

Hi Ramesh,
Try out the following
1) Copy mediator.jar from SOA_HOME>/soa/modules/oracle.soa.mediator_11.1.1 to <MW_HOME>//soa/modules/oracle.soa.ext_11.1.1/classes
2) Goto <MW_HOME>//soa/modules/oracle.soa.ext_11.1.1/classes and run the following command:
a. jar -xvf mediator.jar
3) Now remove the jar file, i.e., mediator.jar from classes folder.
4) Restart the server.
Regards,
Srijith

URGENT help required : Custom Authentication Plugin for validation of users

Hi Experts.
I'm a newbie and am stuck in middle of nowhere.
I have been asked to develop a custom authentication plug-in which would validate a user using the attributes such as a userid and a shared-userid.
shared-userid is just a custom id that would be generated on the basis of some logic.
Currently I'm using OAM 10.1.4.3.0 on WINDOWS server and as everybody, I'm also not able to find any sample files or sample folder structure.
As per one of the other threads https://forums.oracle.com/forums/thread.jspa?messageID=3838474, sample code and sample folders are removed from this particular version and were present in some previous version.
So, can anyone please help me out with the following:
1. How can I proceed to accomplish this task, i.e. to check whether a user-id and a shared-userid both are validated and a user is granted access.
2. Are all of these files required to create a custom authentication plug-in or can we proceed only with the ".c" file (i.e. make file, authn.c, and a dll file made using the make file and .c file)
3. Can anybody provide me with a sample file or a sample code written in "C" wherein the plug-in connects to the LDAP and searches for a particular dn for comparison or something. Also a sample make file for windows to convert the .c file to .dll.
PLEASEEEE help me ASAP.
Regards
Edited by: 805912 on Nov 15, 2011 7:18 PM

Hi,
Regarding question 2, you also need the header file is supplied in the Access Server installation directory, under ...access\oblix\sdk\authn_api and is called authn_api.h. you need this to build the dll which must then be placed in the Access Server's ...\access\oblix\lib directory.
Regarding question 3, if you install an earlier version of the Access Server, ie 10.1.4.2 or less, then you will get a \access\oblix\sdk\authentication\samples\authn_api directory that contains a basic sample authentication plugin. However, there is still documented in the 10.1.4.3 Developer Guide another sample plugin, simplapi.c, in the 10.1.4.3 Developer Guide with instructions on how to use it. It does work, but unfortunately requires a couple of edits to get it working after copy&pasting it (no code changes, just fairly obvious case changes eg changing ObanPlugin* to ObAnPlugin*). I used the following commands to get it to compile into a .so file on unix:
g++44 -c -fPIC -Wno-deprecated -m32 simpleapi.c
g++44 -shared -nostdlib -lc -m32 simpleapi.o -o simpleapi.so
but I really would not know if or how these translate into a Windows environment.
Regards,
Colin
Edited by: ColinPurdon on Nov 15, 2011 2:50 PM

New server and/or CA certificate for connection from custom authentication

We are running Access Manager version 72005Q4 in the Sun ONE Web Server 6.1SP5 B06/23/2005 container with java build 1.5.0_07-b03. I run a custom authentication module which checks sessions against our university single sign on system which is CAS (from Yale/Jasig). The checks are essentially https calls. All this has been working well for us for the last couple of years.
I would like to migrate the certificate used on the university CAS system from a Verisign certificate to a wildcard certificate issued by the IPS CA in spain -- these are in most browsers but are not in the standard batch of cacerts CA's -- and are free for .edu domains.
My other java based authentication plugins (Blackboard, custom apps etc) have worked fine once I import the certificate into the cacerts for the java container, but I'm missing something (obvious probably) about importing this certificate so that my amserver custom authentication module can connect to the CAS server once the CAS server is using the new certificate.
Could anyone provide guidance on where I need to import this server certificate (or preferably the IPS CA) in order to allow the custom authentication module to work properly? I assume this same problem has been solved by people wishing to connect from the amserver to services with self signed certificates. For some reason I'm finding the debugging unexpectedly difficult, I'll outline some of those details below.
Relevant things I've tried so far:
Import both the server cert and the IPS CA into the cacerts of the java container identified in the web server server.xml /usr/jdk/entsys-j2se.
Import the IPS CA into the web server cert8 style db via the web admin server.
The debugging has surprised me a bit, as I'm not getting an error that is explicitly SSL related error. It almost seems like the URLConnection object ends up using a HttpURLConnection rather than an HttpsURLConnection and never gives me a cert error, rather a connection refused since there is no non SSL service running on CAS. The same code pointed to the server running the verisign cert works as expected.
Part of the stack:
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: java.net.ConnectException: Connection refused
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at java.net.PlainSocketImpl.socketConnect(Native Method)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at java.net.PlainSocketImpl.doConnect(PlainSocketImpl.java:333)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at java.net.PlainSocketImpl.connectToAddress(PlainSocketImpl.java:195)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:182)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at java.net.Socket.connect(Socket.java:516)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at java.net.Socket.connect(Socket.java:466)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.NetworkClient.doConnect(NetworkClient.java:157)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.http.HttpClient.openServer(HttpClient.java:365)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.http.HttpClient.openServer(HttpClient.java:477)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.http.HttpClient.<init>(HttpClient.java:214)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.http.HttpClient.New(HttpClient.java:287)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.http.HttpClient.New(HttpClient.java:311)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.protocol.http.HttpURLConnection.setNewClient(HttpURLConnection.java:489)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.protocol.http.HttpURLConnection.setNewClient(HttpURLConnection.java:477)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.protocol.http.HttpURLConnection.writeRequests(HttpURLConnection.java:422)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:937)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at edu.yale.its.tp.cas.util.SecureURL.retrieve(Unknown Source)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at edu.yale.its.tp.cas.client.ServiceTicketValidator.validate(Unknown Source)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at edu.fsu.ucs.authentication.providers.CASAMLoginModule.process(CASAMLoginModule.java:86)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at com.sun.identity.authentication.spi.AMLoginModule.wrapProcess(AMLoginModule.java:729)
The relevent bit of code from the SecureURL.retrieve looks as follows:
URL u = new URL(url);
if (!u.getProtocol().equals("https"))
throw new IOException("only 'https' URLs are valid for this method");
URLConnection uc = u.openConnection();
uc.setRequestProperty("Connection", "close");
r = new BufferedReader(new InputStreamReader(uc.getInputStream()));
String line;
StringBuffer buf = new StringBuffer();
while ((line = r.readLine()) != null)
buf.append(line + "\n");
return buf.toString();
} finally { ...
The fact that this same code in other authentication modules running outside the amserver (in other web containers as well, tomcat and resin for example) running java 1.5 works fine with the new CA, as well as with self signed certs that I've imported into the appropriate cacerts file leads me to believe that I'm either importing the certificate into the wrong store, or that there is some additional step needed for the amserver in the Sun Web container.
Thank you very much for any insights and help,
Ethan

I thought since this has had a fair number of views I would give an update.
I have been able to confirm that the custom authentication module is using the cert8 db defined in the AMConfig property com.iplanet.am.admin.cli.certdb.dir as documented. I do seem to have a problem using the certificate to make outgoing connections, even though the certificate verifies correctly for use as a server certificate. This is likely a question for a different forum, but just to show what I'm looking at:
root@jbc1 providers#/usr/sfw/bin/certutil -V -n "FSU Wildcard Certificate" -d /opt/SUNWwbsvr/alias -P https-jbc1.ucs.fsu.edu-jbc1- -u V
certutil: certificate is valid
root@jbc1 providers#/usr/sfw/bin/certutil -V -n "FSU Wildcard Certificate" -d /opt/SUNWwbsvr/alias -P https-jbc1.ucs.fsu.edu-jbc1- -u C
certutil: certificate is invalid: Certificate type not approved for application.
root@jbc1 providers#/usr/sfw/bin/certutil -M -n "FSU Wildcard Certificate" -d /opt/SUNWwbsvr/alias -P https-jbc1.ucs.fsu.edu-jbc1- -t uP,uP,uP
root@jbc1 providers#/usr/sfw/bin/certutil -V -l -n "FSU Wildcard Certificate" -d /opt/SUNWwbsvr/alias -P https-jbc1.ucs.fsu.edu-jbc1- -u C
FSU Wildcard Certificate : Certificate type not approved for application.
So it could be that I don't understand how to use the certutiil to get the permissions I want, or it could be that using the same certificate for both server and client functions is not supported -- though you can see why this would be a common case with wildcard certificates.
BTW for those interested, it did seem to be the case that when the certificate failure occurred that the attempt was then made by the URLConnection to bind to port 80 in cleartext even though the URL was clearly https. I'm sure this was just an attempt to help out misformed URL, but it seemed that the URLConnection implementation in the amserver would swapped traffic over cleartext if that port had been open on the server I was making the https connection to; that seems dangerous to me, I would not have wanted it to quietly work that way exposing sensitive information to the network.
This was why I was getting back a connection refused instead of a certificate exception. The URLConnection implementation used by the amserver is defined by java.protocol.handler.pkgs=com.iplanet.services.comm argument passwd to the JVM, and I imagine this is done because the amserver pre-dates the inclusion of the sun.net.www.protocol handlers, but I don't know, there maybe reasons why the amserver wants it own handler. I only noticed that this is what was going on when I as casting the httpsURLConnection objects to other types trying to diagnose the certificate problem. I would be interested in hearing if anyone knows if there is a reason not to use sun.net.www.protocol with the amserver.
After switching to the sun.net.www.protocol handler I was able to get my certificate errors rather than the "Connection Refused" which is what lead me to the above questions about certutil.

How to unconfigure a Custom Authentication Module for Convergence

After flailing with the incomplete instructions for [Writing a Custom Authentication Module for Convergence|http://wikis.sun.com/display/CommSuite/Writing+a+Custom+Authentication+Module+for+Convergence]
, I decided to try to revert back to the default.
How do you remove the module and go back to the default? I tried to unset the options, but they did not seem to take effect.
sudo /opt/sun/comms/iwc/sbin/iwcadmin -w xxxxx -o auth.custom.servicename -v ""
sudo /opt/sun/comms/iwc/sbin/iwcadmin -w xxxxx -o auth.custom.callbackhandler -v ""
sudo /opt/sun/comms/iwc/sbin/iwcadmin -w xxxxx -o auth.custom.loginimpl -v ""
sudo /opt/SUNWappserver/bin/asadmin stop-appserv
sudo /opt/SUNWappserver/bin/asadmin start-appserv
AUTH: DEBUG from com.sun.comms.client.web.sso.SSOFilter Thread httpSSLWorkerThread-80-1 at 14:45:25,951 - SSO is disabled
AUTH: WARN from com.sun.comms.client.protocol.delegate.agent.LoginContextAgent Thread httpSSLWorkerThread-80-1 at 14:45:25,953 - Subject not found in session, creating one
AUTH: ERROR from com.sun.comms.client.protocol.delegate.agent.LoginContextAgent Thread httpSSLWorkerThread-80-1 at 14:45:25,954 - Unabled to load the class due to
AUTH: ERROR from com.sun.comms.client.protocol.delegate.agent.LoginContextAgent Thread httpSSLWorkerThread-80-1 at 14:45:25,956 - Unable to instantiate callback handler
AUTH: ERROR from com.sun.comms.client.protocol.delegate.LoginCommandDelegate Thread httpSSLWorkerThread-80-1 at 14:45:25,957 - Failed to Login the user: Unable to instantiate callback handler
PROTOCOL: ERROR from com.sun.comms.client.protocol.delegate.LoginCommandDelegate Thread httpSSLWorkerThread-80-1 at 14:45:25,960 - Protocol Error while login : Unknown Reason

jessethompson wrote:
After flailing with the incomplete instructions for [Writing a Custom Authentication Module for Convergence|http://wikis.sun.com/display/CommSuite/Writing+a+Custom+Authentication+Module+for+Convergence]
, I decided to try to revert back to the default.
How do you remove the module and go back to the default? I tried to unset the options, but they did not seem to take effect.After enabling the custom login module using the steps in the earlier thread (http://forums.sun.com/thread.jspa?threadID=5318615), I performed the following steps to disable the custom module and re-enable the ldap auth module:
# Disable custom auth-module
cd /opt/sun/comms/iwc/sbin
./iwcadmin -w <admin password> -o auth.custom.servicename -v ""
./iwcadmin -w <admin password> -o auth.custom.loginimpl -v ""
./iwcadmin -w <admin password> -o auth.custom.callbackhandler -v ""
./iwcadmin -w <admin password> -o auth.misc.CredentialFile -v ""# Re-enable the LDAP auth-module
cd /opt/sun/comms/iwc/sbin
./iwcadmin -w <admin password> -o auth.ldap.callbackhandler -v com.sun.comms.client.security.auth.AppCallbackHandler
./iwcadmin -w <admin password> -o auth.ldap.loginimpl -v com.sun.comms.client.security.auth.modules.impl.SunLDAPLoginModule# Restarte App Server
cd /opt/SUNWappserver/bin/
./asadmin stop-domain; ./asadmin start-domain# Login to iwc interface as user shjorth with password oldpwd
# Login successful with oldpwd -- custom auth module successfully disabled, LDAP re-enabled
Regards,
Shane.

Enable Custom Authentication for License Server for Packager Server

How to enable processing of Custom Authentication for License Server for Packager Server?
Please give examples.

If I understand your question, you want to use the Flash Access Manager and/or the Watched Folder Packager (both are components of the Reference Implementation) to package content for a license server that uses Custom Authentication. To accomplish this, you need to use the Flash Access SDK to create a policy that specifies Custom Authentication is used. For example:
Policy pol = new Policy(false);
LicenseServerInfo licServer = new LicenseServerInfo(AuthenticationType.Custom);
pol.setLicenseServerInfo(licServer);
// set rights and other policy attributes
Once you create the policy, place the policy file on the Packager Server, and you can use this policy to package content.

Issues while setting up custom authenticator for weblogic

whene can I find sample source code for setting up the custom authenticator.

send a test mail at [email protected], will send u d source code!!

NAM 3.2.1 Custom Authentication Class for BASIC not loaded

Hi!
Im trying to write a custom authentication class for
BASIC/PROTECTED_BASIC, so I started with the PasswordClass sample from
SDK novell-nacm3_2-devel-2012.08.10.tar.gz, stripped out the
STSAuthenticationClass and changed the type to
AuthnConstants.PROTECTED_PASSWORD --> and it works!
public String getType() {
return AuthnConstants.PROTECTED_PASSWORD;
Next I wanted to create a custom BASIC auth class by changing the type
to AuthnConstants.BASIC / AuthnConstants.PROTECTED_BASIC
public String getType() {
return AuthnConstants.PROTECTED_BASIC;
but now IDP complains about the unsupported type.
<amLogEntry> 2012-12-20T15:11:17Z WARNING NIDS Application:
AM#300105006: AMDEVICEID#FC77EC2A45509E7B: Failed to load
authentication class due to unsupported type: ITdBasicTestClass
</amLogEntry>
Im running NAM 3.2.1 single box appliance for development/testing.
There is an old thread here, that looks like the same issue:
http://tinyurl.com/c6eawj6
Any hits?
regards
Thomas
PS: What i really want to solve is strip out the Domain from the
username on basic authentication since most MS apps/clients provide the
username in format DOMAIN\USER...
reibenwein
reibenwein's Profile: https://forums.netiq.com/member.php?userid=1382
View this thread: https://forums.netiq.com/showthread.php?t=46430

hmmm, well try writing the value out to stderr and see if you can at least make sure you are getting
a good read.
Like a System.out.println(AuthnConstants.PROTECTED_PASSWO RD);
I ran into some strange stuff where some constants had no values for no apparent reason when they
should.
I would also try supplying the actual value instead of the constant and see if it goes through that
way. ("ProtectedBasic")
On 1/10/2013 11:14 AM, reibenwein wrote:
>
> Hi!
>
>
> I copied com.novell.nam.authentication.PasswordClass to start with my
> test custom auth class. It includes a method getType() like this:
>
> /**
> * Get the authentication type this class implements
> *
> * @return returns the authentication type represented by this
> class
> */
> public String getType() {
> return AuthnConstants.PROTECTED_PASSWORD;
> }
>
>
> --> IDP loads my custom auth class, as long as a leave getType()
> returning AuthnConstants.PROTECTED_PASSWORD! But this is form base
> authentication. According to the API documentation (see page 17 in
> namc_enu.pfd within the sdk download), getType should
> returnAuthnConstants. PROTECTED_BASIC for secure Basic authentication
> (or AuthnConstants.BASIC for non SSL Basic auth). So i changed getType()
> like this:
>
>
> /**
> * Get the authentication type this class implements
> *
> * @return returns the authentication type represented by this class
> */
> public String getType() {
> return AuthnConstants.PROTECTED_BASIC;
> }
>
>
> --> and then IPD comes with the error "Failed to load authentication
> class due to unsupported type"...
>
>
> regards,
> Thomas
>
>

How are OAM custom authentication plugins used for concurrent requests

Custom authentication plug-ins are loaded by Access Server.
I want to understand how they are used or how they work when multiple concurrent request start pouring in.
Thanks.

The access server is a multi-threaded application. The "Fn" function of the plugin is executed in each of the thread of the access server.

Custom Authenticator not returning correctly

Hi,
I have written a custom authenticator to automatically migrate users from an oracle
SSO database into the default WLS8.1 realm (and ultimately to an LDAP Realm).
It all works fine, except that the over all login process fails.
The server is set up to use the default Authenticator initially (set to SUFFICIENT),
then, if this fails, the Migration authenticator (set to REQUIRED) is called.
If this finds the user on the Oracle db, it creates a user for them in the default
realm, and logs them in.
The problem is that even though my Migration Authenticator finishes successfully
(ie the commit() method is executed and returns true) WLS still calls the login
error page as set up in the web.xml file.
The last few lines of the login() method of the authenticator are :
loginSucceeded = true;
addUserToWLSRealm(userId, userPassword);
principalsForSubject.add(new WLSUserImpl(userId));
then the commit() method is :
public boolean commit() throws LoginException {
if(loginSucceeded) {
subject.getPrincipals().addAll(principalsForSubject);
principalsInSubject = true;
System.out.println("OracleSSOLoginModule.commit - true");
return true;
} else {
System.out.println("OracleSSOLoginModule.commit - false");
return false;
If the user then tries to log in again, since they have been added to the WLS
realm, they are let in, but it should happen on the first attempt.
Any Ideas...?
TIA
Paul

"Paul Davies" <[email protected]> wrote in message
news:3f4f37b3$[email protected]..
>
Hi,
I have written a custom authenticator to automatically migrate users froman oracle
SSO database into the default WLS8.1 realm (and ultimately to an LDAPRealm).
It all works fine, except that the over all login process fails.
The server is set up to use the default Authenticator initially (set toSUFFICIENT),
then, if this fails, the Migration authenticator (set to REQUIRED) iscalled.
If this finds the user on the Oracle db, it creates a user for them in thedefault
realm, and logs them in.
The problem is that even though my Migration Authenticator finishessuccessfully
(ie the commit() method is executed and returns true) WLS still calls thelogin
error page as set up in the web.xml file.
Turn on security debugging and see if you are getting a login exception
in the debug output - set the DebugSecurityAtn attribute in the ServerDebug
mbean.

Custom Authentication Module on Identity Server

Hi,
I have a custom authentication module which I am trying to access through the policy agent.
I have set the following property in AMAgent.properties file
com.sun.am.policy.am.loginURL= http://host:port/amserver/UI/Login?module=CustomLoginModule.
My login module code is something like this:
package com.iplanet.am.samples.authentication.providers;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.login.LoginException;
import com.sun.identity.authentication.spi.AMLoginModule;
import com.sun.identity.authentication.spi.AuthLoginException;
import java.rmi.RemoteException;
import java.io.FileInputStream;
import java.util.Properties;
public class LoginModule1 extends AMLoginModule
private String userName;
private String userTokenId;
private HashMap usersMap;
private java.security.Principal userPrincipal = null;
public LoginModule1() throws LoginException
public void init(Subject subject, Map sharedState, Map options)
          System.out.println("LoginModule1 initialization");
          usersMap = new HashMap();
          ResourceBundle bundle = ResourceBundle.getBundle("users");
          Enumeration users = bundle.getKeys();
          while (users.hasMoreElements())
               String user = (String)users.nextElement();
               String password = bundle.getString(user.trim());
               usersMap.put(user, password);
public int process(Callback[] callbacks, int state) throws AuthLoginException
          int currentState = state;
          if (currentState == 1)
               userName = ((NameCallback) callbacks[0]).getName().trim();
               char[] passwd = ((PasswordCallback) callbacks[1]).getPassword();
               String passwdString = new String (passwd);
               if (userName.equals(""))
                    throw new AuthLoginException("names must not be empty");
               if (userName.equals("testuser") && passwdString.equals("testuser"))
                    userTokenId = userName;
                    return -1;
               if (usersMap.containsKey(userName))
                    if (usersMap.get(userName).equals(new String(passwd)))
                         userTokenId = userName;
                         return -1;
               return 0;
     public java.security.Principal getPrincipal()
          if (userPrincipal != null)
               return userPrincipal;
          else
          if (userTokenId != null)
               userPrincipal = new SamplePrincipal("testuser");
               return userPrincipal;
          else
               return null;
So When the user requests a protected resource, the policy agent forwards the user to Identity Server with the module as CustomLoginModule. However, after this, authentication does not succeed and I get the following error message in the agent log file.
2004-08-09 15:24:08.640 Error 2712:130f060 PolicyAgent: validate_session_policy() access allowed to unknown user
2004-08-09 15:24:09.030 Error 2712:24fda5e8 PolicyAgent: validate_session_policy() access allowed to unknown user
2004-08-09 15:24:23.484 Error 2712:130f060 PolicyAgent: validate_session_policy() access allowed to unknown user
2004-08-09 15:24:28.281 Error 2712:24fda5e8 PolicyEngine: am_policy_evaluate: InternalException in Service::construct_auth_svc with error message:Application authentication failed during service creation. and code:20
2004-08-09 15:24:28.281 Error 2712:24fda5e8 PolicyAgent: validate_session_policy() access allowed to unknown user
2004-08-09 15:24:29.484 Error 2712:130f060 PolicyAgent: validate_session_policy() access allowed to unknown user
2004-08-09 15:24:29.499 Error 2712:24fda5e8 PolicyEngine: am_policy_evaluate: InternalException in Service::construct_auth_svc with error message:Application authentication failed during service creation. and code:20
2004-08-09 15:24:29.499 128 2712:24fda5e8 RemoteLog: User unknown was denied access to http://ps0391.persistent.co.in:80/test/index.html.
2004-08-09 15:24:29.499 Error 2712:24fda5e8 LogService: LogService::logMessage() loggedBy SSOTokenID is invalid.
2004-08-09 15:24:29.499 Error 2712:24fda5e8 all: am_log_vlog() failed with status AM_REMOTE_LOG_FAILURE.
2004-08-09 15:24:29.499 -1 2712:24fda5e8 PolicyAgent: validate_session_policy() access denied to unknown user
The necessary policy object is already created in Identity Server. Please send your suggestions to fix this problem.
Thanks
Srinivas

Does the principal "testuser" exist in your realm? If I understand your module correctly, it looks like it always returns "testuser".
I am guessing that Access Manager is not finding your principal. Typically if access manager cannot associate the principal returned by the custom AMLoginModule it will fail the authentication.
I am wondering if this is related to a seperate problem I have seen with custom login modules. Try chaning the code to return an LDAP style principal it may work:
so return "uid=testuser,ou=People,dc=yourdomain,dc=com" for example. In theory this should not be necessary but it solved some problems for me, though I am not sure why.

Custom Authenticator WL startup exception

Hi, I am using Weblogic 9.2 on Linux and have created an example custom authenticator.
I have followed several suggested method for creation/deployment, but still am having a exception upon startup and hoping someone could help.
from a previous post I have used the below instructions and have deployed the jar in $WL_HOME/server/lib/mbeantypes
$WL_HOME/server/providers: This is the base Directory for Customer security Provider.
$WL_HOME/server/providers/src This is the directory for the Source Code.
$WL_HOME/server/providers/providersjar This is the directory for the Custom Provider Jar file .
$WL_HOME/server/providers/created_files This is the Directory for the created schema file by Mbean maker.
After having the directory structure as mentioned above run the command as below:
cd $WL_HOME/server
$WL_HOME/samples/domains/wl_server/setExamplesEnv.sh
java -Dfiles=providers/created_files -DMDF=providers/src/MyAuthenticator.xml -DMJF=providers/providersjar/MyAuthenticator.jar -DpreserveStubs=true -DcreateStubs=true weblogic.management.commo.WebLogicMBeanMakerStarted the WL server with the following exception:
starting weblogic with Java version:
java version "1.5.0_12"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_12-b04)
BEA JRockit(R) (build R27.4.0-90_CR358515-94243-1.5.0_12-20080118-1154-linux-ia32, compiled mode)
Starting WLS with line:
/home/A470231/bea/jrockit_150_12/bin/java -jrockit -Xms256m -Xmx512m -Xverify:none -Xverify:none -da -Dplatform.home=/home/A470231/bea/weblogic92 -Dwls.home=/home/A470231/bea/weblogic92/server -Dwli.home=/home/A470231/bea/weblogic92/integration -Dweblogic.management.discover=true -Dwlw.iterativeDev= -Dwlw.testConsole= -Dwlw.logErrorsToConsole= -Dweblogic.ext.dirs=/home/A470231/bea/patch_weblogic923/profiles/default/sysext_manifest_classpath -Dweblogic.configuration.schemaValidationEnabled=false -Dweblogic.Name=examplesServer -Djava.security.policy=/home/A470231/bea/weblogic92/server/lib/weblogic.policy weblogic.Server
<Aug 2, 2010 1:14:57 PM EDT> <Notice> <WebLogicServer> <BEA-000395> <Following extensions directory contents added to the end of the classpath:
/home/A470231/bea/weblogic92/platform/lib/p13n/p13n-schemas.jar:/home/A470231/bea/weblogic92/platform/lib/p13n/p13n_common.jar:/home/A470231/bea/weblogic92/platform/lib/p13n/p13n_system.jar:/home/A470231/bea/weblogic92/platform/lib/wlp/netuix_common.jar:/home/A470231/bea/weblogic92/platform/lib/wlp/netuix_schemas.jar:/home/A470231/bea/weblogic92/platform/lib/wlp/netuix_system.jar:/home/A470231/bea/weblogic92/platform/lib/wlp/wsrp-common.jar>
<Aug 2, 2010 1:14:58 PM EDT> <Info> <WebLogicServer> <BEA-000377> <Starting WebLogic Server with BEA JRockit(R) Version R27.4.0-90_CR358515-94243-1.5.0_12-20080118-1154-linux-ia32 from BEA Systems, Inc.>
<Aug 2, 2010 1:14:59 PM EDT> <Info> <Management> <BEA-141107> <Version: WebLogic Server 9.2 MP3 Mon Mar 10 08:28:41 EDT 2008 1096261 >
<Aug 2, 2010 1:15:03 PM EDT> <Info> <WebLogicServer> <BEA-000215> <Loaded License : /home/A470231/bea/license.bea>
<Aug 2, 2010 1:15:03 PM EDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STARTING>
<Aug 2, 2010 1:15:03 PM EDT> <Info> <WorkManager> <BEA-002900> <Initializing self-tuning thread pool>
<Aug 2, 2010 1:15:04 PM EDT> <Notice> <Log Management> <BEA-170019> <The server log file /home/A470231/bea/weblogic92/samples/domains/wl_server/servers/examplesServer/logs/examplesServer.log is opened. All server side log events will be written to this file.>
*****************SERVICE:>com.bea.common.security.internal.legacy.helper.CredentialMappingServiceConfigHelper_TestRealm<
*****************SERVICE:>weblogic.security.service.internal.ApplicationVersioningServiceConfigHelper_TestRealm<
*****************SERVICE:>com.bea.common.security.internal.legacy.helper.BulkRoleMappingServiceConfigHelper_TestRealm<
*****************SERVICE:>com.bea.common.security.internal.legacy.helper.BulkAuthorizationServiceConfigHelper_TestRealm<
*****************SERVICE:>com.bea.common.security.internal.legacy.helper.RoleMappingServiceConfigHelper_TestRealm<
*****************SERVICE:>weblogic.security.service.internal.RoleDeploymentServiceConfigHelper_TestRealm<
*****************SERVICE:>weblogic.security.service.internal.ApplicationVersioningServiceConfigHelper_TestRealm<
*****************REALM:TestRealm
*****************ProviderMBean length:2
*****************ProviderMBean[0]weblogic.security.providers.authorization.DefaultAuthorizerMBeanImpl@a27aaa68([wl_server]/SecurityConfiguration[wl_server]/Realms[TestRealm]/Authorizers[DefaultAuthorizer])
*****************ProviderMBean[1]weblogic.security.providers.authorization.DefaultAdjudicatorMBeanImpl@c6697d45([wl_server]/SecurityConfiguration[wl_server]/Realms[TestRealm]/Adjudicator[DefaultAdjudicator])
*****************SERVICE:>com.bea.common.security.internal.legacy.helper.AuthorizationServiceConfigHelper_TestRealm<
*****************SERVICE:>weblogic.security.service.internal.PolicyDeploymentServiceConfigHelper_TestRealm<
*****************SERVICE:>weblogic.security.service.internal.IsProtectedResourceServiceConfigHelper_TestRealm<
*****************SERVICE:>weblogic.security.service.internal.ApplicationVersioningServiceConfigHelper_TestRealm<
*****************SERVICE:>weblogic.security.service.internal.RoleConsumerServiceConfigHelper_TestRealm<
<Aug 2, 2010 1:15:07 PM EDT> <Critical> <WebLogicServer> <BEA-000362> <Server failed. Reason:
There are 1 nested errors:
weblogic.security.service.SecurityServiceRuntimeException: [Security:090877]Service Common AuthorizationService unavailable, see exception text: com.bea.common.engine.ServiceInitializationException: com.bea.common.engine.SecurityServiceRuntimeException: [Security:097533]SecurityProvider service class name is not specified.
at weblogic.security.service.AuthorizationManager.initialize(AuthorizationManager.java:147)
at weblogic.security.service.AuthorizationManager.<init>(AuthorizationManager.java:83)
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.doATZ(CommonSecurityServiceManagerDelegateImpl.java:348)
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initializeRealm(CommonSecurityServiceManagerDelegateImpl.java:273)
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.loadRealm(CommonSecurityServiceManagerDelegateImpl.java:444)
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initializeRealms(CommonSecurityServiceManagerDelegateImpl.java:459)
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:540)
at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:376)
at weblogic.security.SecurityService.start(SecurityService.java:141)
at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:181)
Caused by: com.bea.common.engine.ServiceInitializationException: com.bea.common.engine.SecurityServiceRuntimeException: [Security:097533]SecurityProvider service class name is not specified.
at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:342)
at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:292)
at com.bea.common.engine.internal.ServiceEngineImpl.lookupService(ServiceEngineImpl.java:263)
at com.bea.common.engine.internal.ServicesImpl.getService(ServicesImpl.java:71)
at weblogic.security.service.SecurityServiceManager.getService(SecurityServiceManager.java:95)
at weblogic.security.service.AuthorizationManager.initialize(AuthorizationManager.java:137)
... 11 more
Caused by: com.bea.common.engine.SecurityServiceRuntimeException: [Security:097533]SecurityProvider service class name is not specified.
at com.bea.common.security.internal.legacy.service.SecurityProviderImpl.init(SecurityProviderImpl.java:40)
at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:340)
... 16 more
Can anyone have any ideas?
I have narrowed it down to having a problem retrieving the role and policy consumer services I believe
Thanks,
Bobby.

Hi All,
Found the reason for the exception. I was implementing the generated the CustomAuthenticatorImpl class (generated through WebLogic MBeanMaker utility) as the provider class by implementing the AuthenticationProvider interface. Keeping them separate solved the issue.
Able to create the jar without any issues and also no error or exception after restart.
Thanks.

Authentication_Type for custom authenticator

Similar Messages

Maybe you are looking for