Authorization Implementation of JAAS
Weblogic comes with JAAS-based authentication and association of the
authenticated Subject
with the caller thread of each Subject.doAs call.
Now on the other side of the Subject.doAs call, all you can get back is the
weblogic.security.acl.User object by calling Security.getUser(). I think
this is quite a limitation that we can't get a full Subject object including
all the principals. Reason: I want to implement my own Authorization (JAAS
based), and only the user ain't gonna help me. This has been a major
show-stopper in our Security Module, which we had planned to make a totally
pluggable solution.
Any answers on how Weblogic can help guys like us would be of great help.
Narinder Gaheer - 408-808-6458
mailto:[email protected]
http://www.CallidusSoftware.com/
The Business Performance Systems Company
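In plain JAAS, the Subject that Subject.doAs (or, since Java 18, Subject.callAs) binds to the calling thread is recoverable inside the action, principals and all, which is exactly what a JAAS-based authorization layer needs. The code below is an added example and is not from the post or from WebLogic; it needs Java 18 or later for Subject.callAs and Subject.current() (older JDKs use Subject.doAs together with Subject.getSubject(AccessController.getContext())). The UserPrincipal and RolePrincipal classes, the "admin" role and the operation being protected are assumptions. Whether WebLogic's own Subject.doAs handling at the time exposed the Subject this way is not something the post settles.

```java
import java.security.Principal;
import java.util.Objects;
import java.util.concurrent.CompletionException;
import javax.security.auth.Subject;

public class SubjectAuthzDemo {

    // Hypothetical principal types; a container supplies its own Principal classes.
    public static final class UserPrincipal implements Principal {
        private final String name;
        public UserPrincipal(String name) { this.name = Objects.requireNonNull(name); }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof UserPrincipal && ((UserPrincipal) o).name.equals(name);
        }
        @Override public int hashCode() { return name.hashCode(); }
        @Override public String toString() { return "User:" + name; }
    }

    public static final class RolePrincipal implements Principal {
        private final String name;
        public RolePrincipal(String name) { this.name = Objects.requireNonNull(name); }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof RolePrincipal && ((RolePrincipal) o).name.equals(name);
        }
        @Override public int hashCode() { return name.hashCode(); }
        @Override public String toString() { return "Role:" + name; }
    }

    // JAAS-based authorization decided on the whole Subject, not on a single user object.
    public static boolean hasRole(Subject s, String role) {
        return s != null && s.getPrincipals(RolePrincipal.class).stream()
                .anyMatch(p -> p.getName().equals(role));
    }

    // The protected operation: recover the Subject that callAs/doAs bound to this call.
    public static String protectedOperation() {
        Subject caller = Subject.current();   // Java 18+; null when no Subject is bound
        if (!hasRole(caller, "admin")) {
            throw new SecurityException("role admin required; caller principals: "
                    + (caller == null ? "none (no Subject bound)" : caller.getPrincipals()));
        }
        return "sensitive result";
    }

    public static void main(String[] args) {
        Subject admin = new Subject();
        admin.getPrincipals().add(new UserPrincipal("narinder"));
        admin.getPrincipals().add(new RolePrincipal("admin"));
        admin.setReadOnly();   // freeze the principal set before handing the Subject out

        Subject guest = new Subject();
        guest.getPrincipals().add(new UserPrincipal("guest"));
        guest.setReadOnly();

        // Inside callAs the full Subject, all principals included, is visible to the callee.
        System.out.println("admin: " + Subject.callAs(admin, SubjectAuthzDemo::protectedOperation));
        try {
            Subject.callAs(guest, SubjectAuthzDemo::protectedOperation);
        } catch (CompletionException e) {   // callAs wraps whatever the action throws
            System.out.println("guest rejected: " + e.getCause().getMessage());
        }
        // Outside any callAs/doAs there is no bound Subject.
        System.out.println("outside callAs: " + Subject.current());
    }
}
```

The authorization decision lives in hasRole() and looks only at the Subject, so swapping in a different Principal type or a different rule set does not touch the code that runs under callAs; that is the pluggable layer the post is asking for. Note that the guest call is rejected with the list of principals that were present, which is useful in logs but should not be echoed to an end user.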
Similar Messages
-
Active server implementation using jaas
Active server implementation using JAAS. Can someone suggest how to go about it?
Help needed immediately.
Have you programmed your server? Can you communicate with me about the subject? My email is [email protected] QQ: 540028839
-
Analysis authorization implemented after cascading is not working
Analysis authorization implemented after cascading is not working.
Example: I have 3 dropdown boxes in WAD. The first dropdown box is State, the second District, the third Town. In the first dropdown box I selected state AP; it should show only districts in AP in the second dropdown box.
But it is not showing in the second dropdown box.
Please help me.
Hi Priya,
The issue may be due to the SQL Reporting Services maximum number of parameter items. We can try adding the following code to the Web.config file to resolve the issue.
<appSettings>
<add key="aspnet:MaxHttpCollectionKeys" value="30000" />
<add key="aspnet:MaxJsonDeserializerMembers" value="30000" />
</appSettings>
(Note: We can set these values according to our requirements. After that, restart all SQL Server services.)
By default, the Web.config file is located in:
C:\Program Files\Microsoft SQL Server\MSRS10_50.MSSQLSERVER\Reporting Services\ReportManager
C:\Program Files\Microsoft SQL Server\MSRS10_50.MSSQLSERVER\Reporting Services\ReportServer
More detail information, you can refer to the article about SQL Reporting Services maximum number of parameter items.
http://sqlsrv4living.blogspot.in/2012/10/sql-reporting-services-maximum-number.html
Regards,
Alisa Tang
TechNet Community Support -
Using Non-Oracle Implementations of JAAS in JDeveloper TP2
Hi,
We have developed an application using JDeveloper TP2. We need to secure the web application using JAAS. However, we are not using ADF, as we ran into some browser incompatibility problems, and as such the project's Technology Scope is as follows:
HTML
JSP
JSP and Servlets
JAVA
XML
We are using a Native Datasource for handling database connections.
We would like to know how we can implement a CustomLoginModule without using the Oracle (ADF) implementation of JAAS, and preferably without using the ADF Security Wizard, as it does not work within our application (I suppose this is because we are not using ADF).
Cheers,
Jankee Yogesh
Duplicate of Re: Using Non-Oracle Implementations of JAAS in JDeveloper TP2
-
Authorization, JNDI, JNI, JAAS - views on a problem.
Hiya,
It appears that JAAS only authenticates and authorizes whoever has initiated the JVM on the server machine. I'm trying to develop an application that is web-based and allows the user to view documents anywhere on the network (accessible from the server). Of course, the user may not have the appropriate permissions to view a document, therefore we looked at JAAS to provide some authentication/authorization for us.
This has not proved successful, as mentioned above.
This leads us to the conclusion that we may have to write a JNI native app that attempts to read/open the document on the target machine, where the document is physically located, with the username/password of the person at the client. If unsuccessful it throws an exception; otherwise it allows the user to view the document.
I'm looking for views on this. Given the above, do you believe this might be the best way for the moment? Of course, a JNI app would need to be written for each platform, and it would need to be registered with JNDI for easy accessibility from our Java server application.
Any thoughts would be appreciated.
Yours
David.
Hi David,
It can very well be done through JNDI and Netscape Directory Server.
Herewith I am giving you sample code which was tested under Netscape Directory Server 4.13, JNDI and the iPlanet Web Server.
It will ask for a login page, and then it will invoke the corresponding HTML page. But you can make changes there as per your requirements, since you can keep all the common things in an LDAP server, i.e. in Netscape Directory Server.
Here are the steps for it.
DESCRIPTION:
I am trying to use LDAP to control access to an HTML page. I want an authentication
box to pop up, allowing the user to authenticate to the HTML page through an LDAP server.
If they successfully authenticate, I need to check their username against a list
of valid usernames that's stored in a database, then give access to the page
based on that list. How can I implement this solution?
SOLUTION:
The best way is to use a Basic Authentication solution with JNDI and an LDAP server,
Netscape Directory Server for example, with a simple servlet program. The Java Naming
and Directory Interface (JNDI) API is standardized and enables the use of different
directory services such as Netscape Directory Server. The LDAP server can be used
for storing some common data used in the sample solution.
It can be done through a servlet which checks the user and its password as
stored in the LDAP server.
In order to demonstrate a sample solution, I will use Netscape Directory
Server 4.13 as the LDAP server, loaded with my own LDIF file with customized
attributes. The basic authentication algorithm will be used in this sample
solution.
The following steps are to implement this sample solution:
1. Creating our own LDAP data Interchange format (LDIF) file.
2. Loading(Import) the Ldif file in Netscape Directory Server.
3. Creation of user schema files for customized attributes.
4. Load the user schema files in the Netscape Directory Server.
5. Restart the Directory Server
6. A simple servlet program for basic authentication.
7. A sample HTML file is given last, used in servlet program.
Here is the detailed description of the above steps:
STEP 1: Creating our own LDAP Data Interchange Format (LDIF) file:
The LDIF (LDAP Data Interchange Format) file is a text-based format used to work
on LDAP data, with both our application and end users.
Through this LDIF file, I have an attribute "customerid: timb" for which I will
be preparing the authentication, which has its own password
"userpassword: bakrudeen", so that it can be maintained in a common place.
In the same LDIF file, other information related to "customerid: timb",
such as the common name "cn: Tim Briggs", surname "sn: Briggs" etc., is maintained.
The data in LDAP is organized in a tree, called a Directory Information Tree (DIT).
Each leaf in the DIT is called an entry. The first entry in the DIT is called the root entry.
Here is a sample LDIF file which is used in our sample solution:
The DIT is maintained in such a way that the data is organized in LDAP fairly simply. In this
sample we store all of our entries under a common root o=fedup.com, with the following branch:
Customers - customer entries with "customerid: timb", "userpassword: bakrudeen", and other
information related to this customer, kept in a common place.
dn: uid=timb,ou=Customers,o=fedup.com
changetype:add
objectclass: customer
objectclass: inetorgperson
objectclass: organizationalPerson
objectclass: person
objectclass: top
cn: Tim Briggs
uid: timb
givenname: Tim
customerid: timb
sn: Briggs
facsimiletelephonenumber: 4101
telephonenumber: 4145
creatorsname: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
createtimestamp: 20000501084001Z
aci: (target="ldap:///uid=timb,ou=Customers,o=fedup.com")(targetattr="*")(version 3.0; acl "unknown"; allow (all)(userdn = "ldap:///anyone");)
ou: Customers
mail:
userpassword: bakrudeen
modifiersname: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
modifytimestamp: 20000605084001Z
STEP 2: Loading (importing) the LDIF file into Netscape Directory Server:
After creating the above sample LDIF file, it should be added to Netscape Directory Server.
It should be imported in order to add the necessary attributes to the Netscape Directory Server,
so that we can make use of the common data.
Steps for importing the LDIF file into the Directory Server:
1) Create an instance of the Directory Server.
2) Bind it to a different port with a different organizational unit
(here in this program, it is 1124).
3) Press Configuration in the menu.
4) Then select Import from the Console menu.
5) Choose the LDIF file you are going to import.
6) There you also have to provide a file for rejected entries, i.e. it will list all the entries
which were not added while loading.
STEP 3: Creation of our own USER SCHEMA files:
This is necessary for adding the attributes which are not defined in
Netscape Directory Server. In the above, customerid, which is defined in the LDIF
file, does not exist in the directory server.
Here is the schema file for attributes (i.e. for defining, for example, customerid).
The name of the file is slapd.user_at.conf:
attribute customerid customerid-oid cis single
attribute packageid packageid-oid cis single
attribute receivedate receivedate-oid cis single
attribute shipdate shipdate-oid cis single
attribute shipperid shipperid-oid dn single
attribute receiveid receiveid-oid dn single
#Java Attributes
# Schema for storing java objects and java object references
attribute javaClassName 1.3.6.1.4.1.42.2.27.4.1.1 ces single
attribute javaCodebase 1.3.6.1.4.1.42.2.27.4.1.6 ces
attribute javaSerializedData 1.3.6.1.4.1.42.2.27.4.1.7 bin single
attribute javaRemoteLocation 1.3.6.1.4.1.42.2.27.4.1.8 ces single
attribute javaFactory 1.3.6.1.4.1.42.2.27.4.1.4 ces single
attribute javaReferenceAddress 1.3.6.1.4.1.42.2.27.4.1.3 ces
Here is the schema file for your own object classes:
The name of the file is slapd.user_oc.conf:
In the same way as above, there is no "customer" class among the object classes
defined in the LDAP server, so we will have to create our own "customer" object class.
It extends inetOrgPerson to add some new attributes such as "customerid".
The object class of an entry specifies what attributes are required and what
attributes are allowed in a particular entry.
Also, for example, the package object class is created.
Here is the sample file for creating the above:
objectclass package
oid package-oid
superior top
requires
packageid,
receiveid,
shipdate,
shipperid
allows
description,
ou,
receivedate
objectclass customer
oid customer-oid
superior inetorgperson
requires
customerid
allows
c
#JAVA Schema
# Schema for storing java objects and java object references
objectclass javaContainer
oid 1.3.6.1.4.1.42.2.27.4.2.1
superior top
requires
cn
objectclass javaObject
oid 1.3.6.1.4.1.42.2.27.4.2.4
superior top
requires
javaClassName
allows
javaCodebase
objectclass javaSerializedObject
oid 1.3.6.1.4.1.42.2.27.4.2.5
superior javaObject
requires
javaSerializedData
objectclass javaRemoteObject
oid 1.3.6.1.4.1.42.2.27.4.2.6
superior javaObject
requires
javaRemoteLocation
objectclass javaNamingReference
oid 1.3.6.1.4.1.42.2.27.4.2.7
superior javaObject
requires
javaReferenceAddress,
javaFactory
STEP 4: Loading the USER SCHEMA files into the Directory Server:
All the attributes created above should be added to the corresponding directory server,
in order to make them common attributes.
Steps for adding the user schema files to the Directory Server:
1. Copy the above user schema files to the appropriate instance of Netscape Directory Server
created above, so that the existing LDIF file which is used by the Netscape Directory
Server is not appended to or overwritten.
2. For example, put them in "NetscapeServer/slapd-HostName/config" to replace the empty
default files "slapd.user_at.conf" and "slapd.user_oc.conf".
3. Then restart the Directory Server.
STEP 5: Simple servlet program for BASIC AUTHENTICATION.
Here is the simple servlet program for Basic Authentication:
The way LDAP authentication works is by attempting to bind to the server with a
DN and a password. No user in their right mind will remember their DN, so we use
some other attribute such as user-id. Then we search the LDAP server to find
an entry that contains the attribute. Here we are using SUBTREE_SCOPE with
JNDI, which starts its search from the base entry and searches
everything below it, including the base entry. I am also using global
variables for the LDAP settings.
// Importing the necessary packages
import java.io.*;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;
import javax.naming.*;
import javax.naming.directory.*;

public class AuthServ extends HttpServlet {
    // Here are the global variables of our LDAP settings.
    public static String MY_CUSTOMER_BASE = "ou=Customers,o=fedup.com";
    public static String INITCTX = "com.sun.jndi.ldap.LdapCtxFactory";
    public static int MY_PORT = 1124;
    public static String MY_HOST = "ldap://sundts1.india.sun.com:" + MY_PORT;
    public static String MY_MGR = "cn=Directory Manager";
    public static String MY_PWD = "password";
    public static String MY_SEARCHBASE = "o=fedup.com";

    // Using the GET method of the servlet
    public void doGet(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        res.setContentType("text/html");
        // Check whether there is any data in the "Authorization" HTTP header from the browser.
        // If not, the 401 response below makes the browser prompt for username and password.
        String auth = req.getHeader("Authorization");
        if (!allowedUser(auth)) {
            // Not allowed, so report unauthorized
            res.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            res.setHeader("WWW-Authenticate", "BASIC realm=\"users\"");
        } else {
            // User is allowed in: include and display the content of a simple HTML page
            RequestDispatcher rd = getServletContext().getRequestDispatcher("/auth.html");
            rd.include(req, res);
        }
    }

    // This method checks whether the user exists in the LDAP directory and whether
    // the supplied password binds as that user.
    protected boolean allowedUser(String auth) throws IOException {
        Hashtable env = new Hashtable();
        boolean status = false;
        // No Authorization header
        if (auth == null) return false;
        // Only Basic authentication is handled; other possibilities are Digest or SSL certificates.
        if (!auth.toUpperCase().startsWith("BASIC ")) {
            return false; // only do BASIC
        }
        // Get the encoded user and password, which come after "BASIC "
        String userpassEncoded = auth.substring(6).trim();
        // Decode it, using any Base64 decoder
        String userpassDecoded;
        try {
            userpassDecoded = new String(Base64.getDecoder().decode(userpassEncoded));
        } catch (IllegalArgumentException badEncoding) {
            return false;
        }
        // Split at the first colon only, so that a password may itself contain ':'
        int colon = userpassDecoded.indexOf(':');
        if (colon < 0) return false;
        String customerid = userpassDecoded.substring(0, colon);
        String pwd = userpassDecoded.substring(colon + 1);
        try {
            // Prepare the context
            env.put(Context.INITIAL_CONTEXT_FACTORY, INITCTX);
            env.put(Context.PROVIDER_URL, MY_HOST);
            // Get a reference to a directory context
            DirContext ctx = new InitialDirContext(env);
            // Specify the scope of the search
            SearchControls constraints = new SearchControls();
            constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
            // Perform the actual search: a search base, a filter and the constraints
            // containing the scope of the search
            NamingEnumeration results =
                ctx.search(MY_CUSTOMER_BASE, "(customerid=" + customerid + ")", constraints);
            String dn = null;
            // Now step through the search results
            while (results != null && results.hasMore()) {
                SearchResult sr = (SearchResult) results.next();
                dn = sr.getName() + "," + MY_CUSTOMER_BASE;
                env.put(Context.SECURITY_AUTHENTICATION, "simple");
                env.put(Context.SECURITY_PRINCIPAL, dn);
                env.put(Context.SECURITY_CREDENTIALS, pwd);
                try {
                    // Bind as the entry found; if this does not throw an exception,
                    // it is considered a successful authentication
                    DirContext ctx2 = new InitialDirContext(env);
                    ctx2.close();
                    status = true;
                } catch (AuthenticationException e) {
                    log(e.toString());
                }
            }
            ctx.close();
        } catch (NamingException x) {
            log(x.toString());
        }
        return status;
    }
}
Please note:
LDAP authentication works by attempting to bind to the server with a DN and a password.
No user will remember their DN, so we use some other attribute such as user-id.
Then we search the LDAP server to find an entry that contains the attribute.
For a secure system, we should use an attribute that will be unique per entry, such as
uid; in our case the "customerid" attribute.
STEP 6: Simple HTML file used in Servlet Program:-
Here is the simple HTML file we are including via the RequestDispatcher of the above program:
<html>
<head>
<title> Authorisation</title>
</head>
<body>
<h1> Your Authorisation is Successful </h1>
</body>
</html>
I hope this will help you.
Thanks
Bakrudeen
Technical Support Engineer
Sun MicroSystems Inc, India -
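The servlet above has three weaknesses worth noting before reusing it: the customerid taken from the header is concatenated into the search filter unescaped, so a name such as timb*)(uid=* rewrites the filter; an empty password reaches the bind, which many directories treat as an anonymous bind and therefore report as success; and the aci line in the sample LDIF grants allow (all) to anyone on the entry, userpassword included. The following is an added example, not code from the post or from Netscape or Sun, of the same search-then-bind done with RFC 4515 filter escaping, a rejected empty password, a requirement that the search return exactly one entry, and Basic-header parsing that splits on the first colon only. The service-account DN, the server URL, the base DN and the attribute name are assumptions; main() exercises only the offline parts (header parsing and escaping).

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class LdapBasicAuth {

    /** Splits a Basic Authorization header into {user, password}; null if malformed. */
    public static String[] parseBasic(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(header.substring(6).trim()),
                                 StandardCharsets.UTF_8);
        } catch (IllegalArgumentException bad) {
            return null;
        }
        int colon = decoded.indexOf(':');            // split at the FIRST colon only,
        if (colon < 1) return null;                   // so a password may contain ':'
        return new String[] { decoded.substring(0, colon), decoded.substring(colon + 1) };
    }

    /** RFC 4515 escaping for a value placed inside a search filter. */
    public static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static String customerFilter(String customerId) {
        return "(customerid=" + escapeFilterValue(customerId) + ")";
    }

    /**
     * Search-then-bind. Assumptions (not from the post): the directory is reachable at url,
     * serviceDn/servicePwd is a read-only service account, and customerid is unique per entry.
     */
    public static boolean authenticate(String url, String serviceDn, String servicePwd,
                                       String base, String customerId, String password)
            throws NamingException {
        // An empty password must never reach the bind: many servers treat it as an
        // anonymous bind and report success.
        if (password == null || password.isEmpty()) return false;

        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, serviceDn);
        env.put(Context.SECURITY_CREDENTIALS, servicePwd);

        String dn = null;
        DirContext ctx = new InitialDirContext(env);
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[0]);   // only the DN is needed
            NamingEnumeration<SearchResult> results = ctx.search(base, customerFilter(customerId), sc);
            int hits = 0;
            while (results.hasMore()) {
                dn = results.next().getNameInNamespace();
                hits++;
            }
            if (hits != 1) return false;                // zero or ambiguous matches: deny
        } finally {
            ctx.close();
        }

        // Bind as the found entry; only a clean bind counts as success.
        Hashtable<String, String> userEnv = new Hashtable<>(env);
        userEnv.put(Context.SECURITY_PRINCIPAL, dn);
        userEnv.put(Context.SECURITY_CREDENTIALS, password);
        try {
            new InitialDirContext(userEnv).close();
            return true;
        } catch (AuthenticationException wrongPassword) {
            return false;
        }
    }

    public static void main(String[] args) {
        String header = "Basic " + Base64.getEncoder()
                .encodeToString("timb:pa:ss".getBytes(StandardCharsets.UTF_8));
        String[] up = parseBasic(header);
        System.out.println("user=" + up[0] + " password=" + up[1]);
        // A crafted user name that would have widened the original, unescaped filter:
        System.out.println(customerFilter("timb*)(uid=*"));
    }
}
```

Running main() prints the user name timb with the password pa:ss intact, and a filter in which the crafted name has become (customerid=timb\2a\29\28uid=\2a), a literal match on an impossible value rather than a second clause. The bind uses a fresh environment copied from the service-account one so that a failed user bind never leaves the service credentials in an object that is later reused.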
J2ee implementation with jaas/LDAP
Hi;
I am searching for a good J2EE implementation or light framework using the JAAS API and an LDAP directory to authenticate and assign a profile to a user.
I have already analysed the framework JGuard.
regards;
If I understand you correctly, you want to have an application deployed in WebLogic (you don't say what version) use standard J2EE JAAS for declarative authentication and authorization, but use an LDAP provider for the actual implementation.
If that's the case, at least in WebLogic 8.1 (I don't know about older versions), you shouldn't need any third-party packages. You can configure your WebLogic domain with authentication and authorization providers that interface with an LDAP server. This will work with the JAAS implementation in WebLogic. You can go to <http://e-docs.bea.com/wls/docs81/secmanage/> to read about configuring security in WebLogic (including the LDAP authentication provider). -
Opinions on implementing a JAAS login module to achieve SSO
We are looking at implementing SSO from a SharePoint website to the portal. The users who are accessing the SharePoint site are using their own computers and are not members of the AD domain, so they could theoretically be using any computer in the world to access SharePoint.
The desired user experience looks something like this:
user --login--> SharePoint site --no login--> portal
One of the methods we are looking at to achieve this is to implement a custom JAAS login module that would authenticate the user if they are coming from the Sharepoint site.
I would like to get your opinions on how viable you think this method is. One of the goals of this method is ease of implementation, so if you can think of an easier way to implement this please let us know.
the method is basically this.
1. User logs into sharepoint using their AD username and password and establish an active session with sharepoint
2. user navigates to a link in sharepoint that points to a resource in the SAP Portal
3. we don't want the user to have to login to access the resource when they click on the link
4. to facilitate this, sharepoint has constructed the link in the following way
5. the link is an https link
6. the link has two additional parameters in addition to whatever is necessary to navigate to the resource
7. the parameters are
8. un = the users AD username
9. uh = sha1("secret_password_known_to_both_the_login_module_and_sharepoint" + "username")
10. the user clicks the link and is directed to the SAP portal
11. the SAP portal has a custom JAAS login module which performs its checks before the other login modules
12. the custom module computes sha1("secret_password_known_to_both_the_login_module_and_sharepoint" + un) and then compares the result with uh; if they are equal, the custom login module authenticates the user, bypassing any further need for authentication; otherwise authentication passes to the original authentication modules as normal.
If you think there is an easier way, please let us know. We are essentially looking for the easiest/fastest way to implement this functionality that is still secure.
Hey Gary,
I'm currently using Apache running on RedHat, leveraging Apache's mod_rewrite module. I've got a bank of 6 reverse proxies sitting in front of an SAP Portal, and each proxy runs on a host with dual 3.33GHz processors and 8 GB of RAM. I know... they're waaay over-sized and they pretty much snooze all day.
This is the sole entry point for all SAP users and we sized them to accommodate the "worst case" of about 5000 (potential) named users, concurrently. Realistically, we've only ever had about 1500 unique users hitting the systems in a day (following an upgrade go-live, everybody is curious and wants to log on) and a typical load of about 500 to 750 users in a day.
Never had a real performance problem to speak of. As long as the proxies are tuned properly (ssl cache, sessions, etc.), you should be fine.
Setting header variables and some other "custom stuff" is handled in Perl (need Apache's mod_perl active). We've got a script that's called by all users before being passed to the Portal.
We used IISProxy.dll with an IIS web server a long time ago (5 years maybe?) but opted to can it in favor of the approach described above.
If you ask SAP, they'll recommend you use a WebDispatcher... and that's certainly an option as well.
-Kevin -
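Gary's step 9 derives uh as sha1(secret + username) with nothing in it that changes per link, so a captured URL logs that user in indefinitely, and a bare hash over secret-then-message is the construction that is open to length extension. As an added example, not from this thread and not SAP or SharePoint code, the following is the shape a custom login module would more safely verify: an HMAC-SHA256 over the user name plus an expiry timestamp, checked with a constant-time comparison before the expiry test. The shared key, the token layout and the five-minute window are assumptions; in practice the key is 32 random bytes exchanged out of band.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class SsoLinkToken {
    private static final String ALG = "HmacSHA256";
    private final byte[] key;
    private final long maxAgeMillis;

    public SsoLinkToken(byte[] key, long maxAgeMillis) {
        this.key = key.clone();
        this.maxAgeMillis = maxAgeMillis;
    }

    private byte[] mac(String msg) {
        try {
            Mac m = Mac.getInstance(ALG);
            m.init(new SecretKeySpec(key, ALG));
            return m.doFinal(msg.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Issuer side (SharePoint in the thread): "user|expiryMillis|base64url(hmac)". */
    public String issue(String user, long nowMillis) {
        if (user.indexOf('|') >= 0) throw new IllegalArgumentException("user name may not contain '|'");
        String payload = user + "|" + (nowMillis + maxAgeMillis);
        return payload + "|" + Base64.getUrlEncoder().withoutPadding().encodeToString(mac(payload));
    }

    /** Verifier side (the custom JAAS login module): returns the user name, or null to fall through. */
    public String verify(String token, long nowMillis) {
        if (token == null) return null;
        int a = token.indexOf('|'), b = token.lastIndexOf('|');
        if (a < 1 || b <= a) return null;
        String user = token.substring(0, a);
        long expiry;
        try {
            expiry = Long.parseLong(token.substring(a + 1, b));
        } catch (NumberFormatException e) {
            return null;
        }
        byte[] given;
        try {
            given = Base64.getUrlDecoder().decode(token.substring(b + 1));
        } catch (IllegalArgumentException e) {
            return null;
        }
        byte[] expected = mac(user + "|" + expiry);
        // Constant-time compare first, so timing does not leak how many bytes matched.
        if (!MessageDigest.isEqual(expected, given)) return null;
        if (nowMillis > expiry) return null;   // expired link: let the normal login modules run
        return user;
    }

    public static void main(String[] args) {
        // Constructed demo key; a real deployment shares 32 random bytes out of band.
        byte[] key = "constructed-demo-key-use-32-random-bytes".getBytes(StandardCharsets.UTF_8);
        SsoLinkToken t = new SsoLinkToken(key, 5 * 60 * 1000L);
        long now = 1_700_000_000_000L;
        String token = t.issue("jdoe", now);
        System.out.println("token:    " + token);
        System.out.println("fresh:    " + t.verify(token, now + 1000));
        System.out.println("expired:  " + t.verify(token, now + 6 * 60 * 1000L));
        System.out.println("tampered: " + t.verify(token.replace("jdoe", "admin"), now));
    }
}
```

The fresh token verifies to jdoe, the same token presented six minutes later verifies to null, and the token with the user name rewritten to admin verifies to null because the MAC no longer matches. The login module maps a null from verify() to "this module cannot decide", which is Gary's step 12 fall-through to the ordinary modules; a replayed link is still possible inside the window, so the window should be short and the link served over HTTPS only, as in his step 5.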
Has anyone managed to get Authorization working with JAAS from CusLoginMod?
Hi everybody,
I am on a standalone OC4J 10.1.3.1.0.
I want to be able to access a private resource using form-based authentication,
and I would like to use JAAS with a custom login module.
The authentication part works just fine, but the authorization doesn't seem to happen.
Both login() and commit() from my LoginModule are called, and after authentication takes place the Subject is populated with the right Principals, in my case "testers".
This Subject should then be matched against the <security-role> defined in my application's web.xml.
This is the part from my application's web.xml which holds the security information.
<security-role>
<description>Online User</description>
<role-name>testers</role-name>
</security-role>
<security-constraint>
<web-resource-collection>
<web-resource-name>access to the private application</web-resource-name>
<url-pattern>/faces/user/*</url-pattern>
</web-resource-collection>
<!-- authorization -->
<auth-constraint>
<role-name>testers</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>protected.htm</form-login-page>
<form-error-page>error.jspx</form-error-page>
</form-login-config>
</login-config>
Has anyone faced this scenario before?
Any advices much appreciated
thank you.
I can't see what I am missing, if I'm missing something.
This is my orion-application.xml
<orion-application xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://xmlns.oracle.com/oracleas/schema/orion-application-10_0.xsd">
<jazn provider="XML" jaas-mode="doAsPrivileged" location="">
<property name="role.mapping.dynamic" value="true"></property>
<property name="custom.loginmodule.provider" value="true"></property>
</jazn>
<jazn-loginconfig>
<application>
<name>JAAS</name>
<login-modules>
<login-module>
<class>jaas.JAASLoginModule</class>
<!-- <class>jaas.SampleLoginModule</class> -->
<control-flag>required</control-flag>
<options>
<option>
<name>debug</name>
<value>true</value>
</option>
<option>
<name>log_level</name>
<value>ALL</value>
</option>
</options>
</login-module>
</login-modules>
</application>
</jazn-loginconfig>
</orion-application> -
Authentication & Authorization with SSO, JAAS and Database Tables mix
Hi,
I'm looking for how manage Authentication & Authorization in a J2EE ADF+Struts+JSP application.
I'm interested in using SSO for authentication (I have already done it programmatically and dynamically), and now I would like to be able to define authorization using database tables with users, groups, profiles, individual permissions, ... (maintained dynamically by the web application admin) through JAZN (JAAS, or however it is called), but not by statically defining roles, groups, users, ... in JAZN XML files.
I saw that there is the possibility to create a custom DataSourceUserManager class to manage all this, and this gave me the idea that it could be possible (I was thinking of making a custom authorization API over my application tables, without JAZN), but it is better to use an extended and consolidated approach like JAZN.
Could anybody tell me if my idea is possible and realizable, and maybe give me some orientation on building this approach?
A lot of thanks in advance.
And sorry, excuse my bad English.
See you.
Marcel,
Originally the idea was to create a post to only explain how to do authentication using a Servlet filter. However,
I have recently added code to the JHeadstart runtime and generators to enable both JAAS and 'Custom' authentication AND authorization in generated applications. Therefore, this post will be made after we have released the next patch release, as it will depend on these code changes.
We currently plan to have the patch release available sometime in the second half of May.
Kind regards,
Peter Ebell
JHeadstart Team -
Context Sensitive authorization implement in 4.6C
Dear all,
Is there any way to implement context sensitive authorization in 4.6C? Something like P_ORGINCON object in the newer version.
I know the easiest way is to create two IDs for one user; one with each respective role/ structural authorization. Is there any other option?
Thank you for all your input.
Several years ago SAP were offering customers on release 4.6c the option of having the context sensitive solution retro fitted to their system. It involved someone from SAP remotely logging into the customer's system and installing the required objects.
I can't tell you what this cost, or even if they still do it, but you could check with your local SAP contact. It might be easier (and cheaper) to upgrade to ERP....
You can definitely map multiple portal users to one backend R/3 user quite easily, but I don't think you can do the reverse. -
Implemention of JAAS+servlet+jboss+sql database
Hi,
I am trying to implement JAAS for a login module using code and a CallbackHandler (i.e. lc = new LoginContext(...)), but the sample code I got is for command-line execution, and I need to implement it in a web application. What are all the files that I need to configure to implement JAAS in a web application, so that I can check the user name and password entered by the user against the values in my SQL database? It would be appreciated if anyone could send some sample code to start work on JAAS.
Regards
kumar
Kumar,
I am trying to do the same thing, but I am having a slight problem; maybe between the two of us we can figure it out. Here is what I have come up with so far:
1. Edit web.xml to specify which directories and pages are secured and accessed only by specific user roles (optional).
2. Edit login-config.xml, which is found in JBOSS_directory/server/default/conf or JBOSS_directory/server/all/conf depending on which version of the server you are using. You need to add the following to the login-config.xml file to include the JAAS DatabaseServerLoginModule. The configuration is as follows:
<application-policy name = "testDB"> <!-- this is the name of the security policy which you refer to in jboss-web.xml -->
<authentication>
<login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
flag = "required">
<module-option name = "unauthenticatedIdentity">guest</module-option>
<module-option name = "dsJndiName">java:/testDB</module-option> <!-- this is the datasource that is used to connect to your database -->
<module-option name = "principalsQuery">SELECT password from Principals where PrincipalID =?</module-option>
<module-option name = "rolesQuery">SELECT Role, Rolegroup FROM roles WHERE principalid=?</module-option>
</login-module>
</authentication>
</application-policy>
3. Edit jboss-web.xml with the following code:
<jboss-web>
<security-domain>java:/jaas/testDB</security-domain>
<context-root>/testJBOSSsecurity</context-root>
</jboss-web>
4. Create a login form with the action pointing to the servlet you will create in the next step.
5. create the servlet that handles logging the user in
****loginservlet.java*****
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.callback.SecurityAssociationHandler;

public class LoginServlet extends HttpServlet {
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        PrintWriter out = response.getWriter();
        try {
            // JBoss-specific CallbackHandler that answers the NameCallback/PasswordCallback
            SecurityAssociationHandler handler = new SecurityAssociationHandler();
            Principal user = new SimplePrincipal(request.getParameter("j_username"));
            handler.setSecurityInfo(user, request.getParameter("j_password"));
            // "testDB" must match the application-policy name in login-config.xml
            LoginContext loginContext = new LoginContext("testDB", (CallbackHandler) handler);
            loginContext.login();
            Subject subject = loginContext.getSubject();
            Set<Principal> principals = subject.getPrincipals();
            principals.add(user);
            out.println(subject.toString());
            //response.sendRedirect("securepage.java");
        } catch (LoginException e) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, e.getMessage());
        }
    }
}
6. Create two database tables: one to hold the principalid (primary key) and password; this table is called principals. Create another table to hold the user roles; call this table roles, and it has three fields: principalid as a primary key and a foreign key from the principals table, role and rolegroup.
This is what I have so far, but it's not working. I have posted my problem in this link [http://forum.java.sun.com/thread.jspa?threadID=5293266|http://forum.java.sun.com/thread.jspa?threadID=5293266] as well as other forums since two nights ago, but so far no replies. So read the post and you will get a better picture and try it out; if you have luck with it, please let me know.
Sam -
Authorization failed with JAAS in JBOSS
Hi all,
I wrote my own login module class (WusLdapLoginModule) for my web app. I can authenticate my user with username and password, but I fail to authorize my user with roles.
I believe that I missed something; please help me.
My web application runs on WinXP, JBoss 4.2.3 GA, OpenLDAP 2.0.2.9.
Here is my login module class:
package wus.identity.security;
import java.io.IOException;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import javax.security.auth.Subject;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import wus.identity.Role;
import wus.identity.User;
import wus.identity.dao.UserDAO;
public class WusLdapLoginModule implements LoginModule {
    //properties
    private Subject subject;
    private CallbackHandler callbackHandler;
    private Map<String,?> sharedStates;
    private Map<String,?> options;
    private boolean loginOk;
    private User m_user;
    //====== DAO ====================
    private UserDAO m_userDao = new UserDAO();
    private static final Log log = LogFactory.getLog(WusLdapLoginModule.class);
    // initialize(), login(), abort() and logout() are not included in the post; only commit() is shown
    @Override
    public boolean commit() throws LoginException {
        int i;
        if (loginOk) {
            // add the authenticated user as a principal (only once)
            if (!subject.getPrincipals().contains(this.m_user)) {
                this.subject.getPrincipals().add(this.m_user);
            }
            // add every role of the user as a separate principal
            for (i = 0; i < m_user.getRoles().size(); i++) {
                this.subject.getPrincipals().add(m_user.getRoles().get(i));
            }
            AuthenticatedUser.setAuthenticatedUser(m_user); // poster's own helper class, not shown in the post
        }
        return loginOk;
    }
}
Here is my Role class
package wus.identity;
import java.io.Serializable;
import java.security.Principal;
public class Role implements Principal, Serializable {
    private static final long serialVersionUID = 10797L;
    //Properties
    private String name;
    private String note;
    public Role() {
        name = "";
    }
    @Override
    public String getName() {
        return name;
    }
    // Subject keeps its principals in a Set and compares them with equals(),
    // so two Role objects with the same name must compare equal
    @Override
    public boolean equals(Object o) {
        return o instanceof Role && name.equals(((Role) o).name);
    }
    @Override
    public int hashCode() {
        return name.hashCode();
    }
}
Here is a part of web.xml:
<security-constraint>
<web-resource-collection>
<web-resource-name>Secure Area</web-resource-name>
<url-pattern>/sa/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<!-- <role-name>user</role-name> -->
<role-name>user</role-name>
</auth-constraint>
</security-constraint>
<!-- end security constraints -->
<!-- Example Login page - lists user names -->
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/ua/login-example.jsf</form-login-page>
<form-error-page>/ua/login-example.jsf?error=true</form-error-page>
</form-login-config>
</login-config>
<security-role>
<role-name>admin</role-name>
</security-role>
<security-role>
<role-name>user</role-name>
</security-role>
Thanks in advance,
Vu
How is this question related to JSF?
Try a forum devoted to JAAS or JBoss, depending on the root cause of the problem. -
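As an added illustration for the WusLdapLoginModule question above (not the poster's code and not JBoss's own classes): a commit()-style population of the Subject that puts the role principals inside a java.security.acl.Group named "Roles", which is the container JBoss 4.x's security manager reads roles from, followed by a role check done the way the container does it. NamedPrincipal, RolesGroup, commitIdentity, hasRole and the user "vu" with roles "user" and "admin" are assumed names and constructed data; java.security.acl.Group was removed from the JDK in Java 14, so this targets the JDK 6-era platform of the post.

```java
import java.io.Serializable;
import java.security.Principal;
import java.security.acl.Group;   // role container JBoss 4.x expects; removed from the JDK in Java 14
import java.util.*;
import javax.security.auth.Subject;

/** Name-based principal. equals/hashCode matter: Subject stores principals in a Set. */
class NamedPrincipal implements Principal, Serializable {
    private final String name;
    NamedPrincipal(String name) { this.name = name; }
    public String getName() { return name; }
    public boolean equals(Object o) {
        return o != null && o.getClass() == getClass() && name.equals(((NamedPrincipal) o).name);
    }
    public int hashCode() { return name.hashCode(); }
    public String toString() { return name; }
}

/** The "Roles" group: itself a Principal, whose members are the role principals. */
class RolesGroup extends NamedPrincipal implements Group {
    private final Set<Principal> members = new HashSet<Principal>();
    RolesGroup() { super("Roles"); }
    public boolean addMember(Principal p) { return members.add(p); }
    public boolean removeMember(Principal p) { return members.remove(p); }
    public boolean isMember(Principal p) { return members.contains(p); }
    public Enumeration<? extends Principal> members() { return Collections.enumeration(members); }
}

public class RolesCommitDemo {
    /** What LoginModule.commit() should add to the Subject (user and roles are constructed sample data). */
    static void commitIdentity(Subject subject, String user, String... roles) {
        subject.getPrincipals().add(new NamedPrincipal(user));
        RolesGroup group = new RolesGroup();
        for (String r : roles) group.addMember(new NamedPrincipal(r));
        subject.getPrincipals().add(group);   // roles ride inside the group, not as loose principals
    }
    /** Role check the way the container performs it: find the "Roles" group, test membership. */
    static boolean hasRole(Subject subject, String role) {
        for (Group g : subject.getPrincipals(Group.class)) {
            if ("Roles".equals(g.getName()) && g.isMember(new NamedPrincipal(role))) return true;
        }
        return false;
    }
    public static void main(String[] args) {
        Subject subject = new Subject();
        commitIdentity(subject, "vu", "user", "admin");
        System.out.println(hasRole(subject, "user") + " " + hasRole(subject, "manager"));   // true false
    }
}
```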
Hi.
I'm new to server-side Java, so I need some advice. I should make some kind of an authorization page.
There is a database on server with login/passwords and some other info. There are also different sites on server, all in cgi/php. I should make a common login structure to authenticate a user to access some resource/pages on this server using database info.
It should work similar to this:
user types in an address www.my.com/library (wants to see books, he is allowed to access library due to db info)
A login page appears (this is my JSP). He logs in and is redirected/sent to the library main page. From here he can use library links until the session expires. There mustn't be a direct link to the library without logging in.
How to realize this? Again, sites are in cgi/php under apache.
I am not good in server technologies, so please help!
Well, JSPs need a servlet engine, like Tomcat: http://jakarta.apache.org/tomcat/index.html
I would take a look through the documentation there and at: http://java.sun.com/j2ee/tutorial/1_3-fcs/doc/Servlets.html
(keep reading straight through servlets, JSP, and at least to the end of the WebServices section of the Tutorial).
The way I do it, I put filters on all the pages I want the user to be signed-in for. In the filter, I check if there is a 'User' object in the session. If there is not, I redirect the user to the login page, which then forwards them to where they wanted to go. If there is already a 'User' in the session, I just let the request go without any changes... -
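The session-check filter described in the reply above, as an added example (not the replier's code): it passes requests that already carry a "User" session attribute, sends everything else to the login page and remembers the requested path for the post-login forward. LoginRequiredFilter, the "returnTo" attribute and the /login.jsp path are assumed names; it uses the javax.servlet API of the Tomcat generation under discussion and is mapped to the protected pages through a filter-mapping in web.xml.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Mapped to the protected pages (e.g. /library/*): no "User" in the session means a trip to the login page. */
public class LoginRequiredFilter implements Filter {
    static final String USER_ATTR = "User";        // session attribute the login page sets after a successful login
    static final String RETURN_ATTR = "returnTo";  // assumed name: where the login page forwards afterwards
    static final String LOGIN_PAGE = "/login.jsp"; // assumed path of the login JSP

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) resp;
        HttpSession session = request.getSession(false);
        boolean signedIn = session != null && session.getAttribute(USER_ATTR) != null;
        if (signedIn || LOGIN_PAGE.equals(request.getServletPath())) {
            chain.doFilter(req, resp);   // signed in (or the login page itself): pass the request through unchanged
            return;
        }
        // Remember the page that was asked for so the login page can forward there after a successful login.
        request.getSession(true).setAttribute(RETURN_ATTR, safeReturnPath(request));
        response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
    }

    /** Only a path inside this application is remembered; anything else falls back to the context root,
     *  so the post-login forward cannot be turned into a redirect to another site. */
    static String safeReturnPath(HttpServletRequest request) {
        String path = request.getServletPath();
        if (request.getPathInfo() != null) path += request.getPathInfo();
        if (request.getQueryString() != null) path += "?" + request.getQueryString();
        return (path.startsWith("/") && !path.startsWith("//")) ? path : "/";
    }
}
```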
ClassCircularityError in JAAS Authorization with Weblogic Server 10.3
We are implementing JAAS authorization in which roles and policies are stored in a custom JAAS policy file and users are stored in the embedded LDAP server provided by WebLogic. We are facing a problem in authorizing users using the custom policy created.
We have implemented the JAAS authentication service with WebLogic Server 10g R3, with the users' information stored in the embedded LDAP server provided by WLS. Given below are the details of the implementation for JAAS authorization:
Following are the custom classes created:
1. Custom Principal Class
package com.scotia.security.authorization; // package as referenced in weblogic.policy below
public class Principal implements java.security.Principal, java.io.Serializable {
    private String name;
    public Principal() {
        name = "";
    }
    public Principal(String newName) {
        name = newName;
    }
    public boolean equals(Object o) {
        if (o == null)
            return false;
        if (this == o)
            return true;
        if (o instanceof Principal) {
            // two principals are the same when their names match
            return ((Principal) o).getName().equals(name);
        }
        return false;
    }
    public int hashCode() {
        return name.hashCode();
    }
    public String toString() {
        return name;
    }
    public String getName() {
        return name;
    }
}
2. Custom Permission Class
package com.scotia.security.authorization.permission; // package as referenced in weblogic.policy below
import java.security.Permission;
public class ActionPermission extends Permission {
    public ActionPermission(String name) {
        super(name);
    }
    @Override
    public boolean equals(Object obj) {
        return (obj instanceof ActionPermission)
                && ((ActionPermission) obj).getName().equals(this.getName());
    }
    @Override
    public String getActions() {
        return ""; // no separate action list: the permission name is the whole target
    }
    @Override
    public int hashCode() {
        return this.getName().hashCode();
    }
    @Override
    public boolean implies(Permission permission) {
        if (!(permission instanceof ActionPermission)) {
            return false;
        }
        String thisName = this.getName();
        String permName = permission.getName();
        if (thisName.equals("*")) {
            return true; // "*" grants every action
        }
        // "prefix*" grants every action whose name starts with that prefix
        if (thisName.endsWith("*")
                && permName.startsWith(thisName.substring(0, thisName.lastIndexOf("*")))) {
            return true;
        }
        return thisName.equals(permName);
    }
}
Following are the configuration changes:
1. Added custom policy to weblogic.policy.
grant Principal com.scotia.security.authorization.Principal "test" {   // "test" is a user defined in the embedded LDAP server of WLS
    permission com.scotia.security.authorization.permission.ActionPermission "viewScreen";
};
2. Set the java security manager in startWeblogic.cmd file.
%JAVA_HOME%\bin\java %JAVA_VM% %MEM_ARGS% %JAVA_OPTIONS% -Dweblogic.Name=%SERVER_NAME% -Djava.security.manager -Djava.security.policy=%WL_HOME%\server\lib\weblogic.policy %PROXY_SETTINGS% %SERVER_CLASS%
3. Set Realm "Security Model" to "Custom Roles and Policies".
Right now we are facing the given below exception:
java.lang.ClassCircularityError: com/scotia/security/authorization/THORPrincipal
at java.lang.Class.forName0(Native Method)
at java.lang.Class.forName(Class.java:247)
at sun.security.provider.PolicyFile.addPermissions(PolicyFile.java:1381)
at sun.security.provider.PolicyFile.getPermissions(PolicyFile.java:1268)
at sun.security.provider.PolicyFile.getPermissions(PolicyFile.java:1231)
at sun.security.provider.PolicyFile.getPermissions(PolicyFile.java:1167)
at sun.security.provider.PolicyFile.implies(PolicyFile.java:1122)
at weblogic.security.service.WLSPolicy.implies(Unknown Source)
at java.security.ProtectionDomain.implies(ProtectionDomain.java:213)
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:301)
at java.security.AccessController.checkPermission(AccessController.java:546)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
at java.lang.SecurityManager.checkRead(SecurityManager.java:871)
at java.io.File.exists(File.java:731)
at weblogic.utils.classloaders.DirectoryClassFinder.getSource(DirectoryClassFinder.java:36)
Please help if anyone has some clue regarding this exception. We tried checking the JDK version used by Eclipse and WebLogic and found it to be the same.
1. Custom Principal Class
public class Principal implements java.security.Principal, java.io.Serializable {
Rename it. You are asking for trouble naming a class after an interface it implements.
java.lang.ClassCircularityError: com/scotia/security/authorization/THORPrincipal
What's that class? You haven't shown us. -
How to implement JAAS With Weblogic 10.3
I am working on a migration project. A project is to be migrated from JBoss to WebLogic 10.3. JAAS has been used in JBoss for security purposes.
Required classes like LoginModule and CallbackHandler are customized and put into a jar file. Next, a login page has been created with action="j_security_check", which is supposed to be called whenever a protected resource is requested. In web.xml, roles and policies are defined. There is a jboss-web.xml in which roles are mentioned. In web.xml
There is a login-config.xml that has been put into the JBoss server classpath. In this file, some SQL queries are there.
In WebLogic I am not able to understand how to configure this login-config, or how to map roles and policies. Exactly, I am not able to find what steps are needed to implement this JAAS in WebLogic 10.3. I also tried using the Read-Only SQL Authenticator Provider under Security Realms but am not sure how to use groups, because I have no group-related tables in my DB.
Kindly anyone share the knowledge.
Hi,
I also want to do the same thing. Did you get any solution for this problem. If yes then please share it with me. I am struggling with this.
Thanks,
Sanjay