Authorization in DBTableOraDataSourceLoginModule ??

Dear all,
first of all, I want to say sorry if my English is not too good.
I'm a newbie who is trying to develop database-oriented authentication using JDeveloper 10.1.3.3.0. I use DBTableOraDataSourceLoginModule and followed the instructions in www.oracle.com/technology/products/jdev/howtos/10g/jaassec/index.htm exactly and successfully.
But still there's something that I don't understand, for example :
A is a USER
B is a MANAGER
PageA can be accessed by USER or MANAGER
PageB can be accessed only by MANAGER
In PageA there is a button that connects to PageB.
Then A logs in successfully to PageA and clicks the button to PageB.
Theoretically, A cannot access PageB and gets a "permission denied" error.
But in my code, A can still access PageB.
According to the tutorial, I've only added
<security-constraint>
<web-resource-collection>
<web-resource-name>manager_only</web-resource-name>
<url-pattern>/faces/manager/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>MANAGER</role-name>
</auth-constraint>
</security-constraint>
<security-role>
<role-name>MANAGER</role-name>
</security-role>
in web.xml
Is there any documentation that can help me understand this better and tell me what to do? Thanks.
P.S. In my country there are not many people who develop with JDev, so I encouraged myself to ask in this forum.

Wow...
It works..
Thanks Mr. Frank..
May I ask another question?
I declare security roles and security constraints in the web.xml file. Can I make my application create new security roles with their security constraints at runtime? I mean, I am trying to make a form that generates additions to the web.xml file. Is it possible? Is there any documentation I can use?
Thanks in advance.

Similar Messages

  • Database Auth in J2EE and Page authorization, Attn: Frank

    Frank:
    (1) In one of your replies to my queries, you said that page authorization and permissions (the way it is available now in a file based security where one can go to Edit Authorization on each page and grant read/write) is not available in a J2EE Container managed Security with database schema table based security provider that used custom LoginModules till JDev 11. Till then, is there an alternative way?
    (2) Is a tool of some sort in the works for page authorization that can be given to customers? Otherwise it will be nightmare if customers call in and say they want to change authorizations every second and one has to go to JDeveloper to manually check the checkboxes on the pages from "Edit Authorization" and deliver another release after changes.
    (3) Lastly, from your replies, it looks like LoginModules are powerful. You mentioned that you can write one to access multiple database connections to access different tables in different schema etc. is there a link to a how-to that addresses this? (Something that may apply to accessing APPLICATION_USERS in one schema and APPLICATION_ROLES and all the SRDemo tables (as a test case)in another schema. I recall it being there somewhere. I want to get "very" familiar with it. By the way, your DBTableOraDataSourcesLoginModule is working very well with the tables in my Oracle JExpress database. Thanks...
    Thanks

    Hi, Frank,
    I followed your how-to document of Database Authentication and Authorization in J2EE Container Managed Security to set up a test application. However, I came to a point that the authentication and authorization seemed ok but received 401 unauthorized error. Here is the log I received
    2007年11月7日 下午04:52:51 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule login
    細緻: [DBTableOraDataSourceLoginModule]Logon Successful = true
    2007年11月7日 下午04:52:51 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule commit
    細緻: [DBTableOraDataSourceLoginModule]Subject contains 0 Principals before auth
    2007年11月7日 下午04:52:51 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule commit
    細緻: [DBTableOraDataSourceLoginModule]Local LM commit succeeded
    2007年11月7日 下午04:52:51 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule commit
    細緻: [DBTableOraDataSourceLoginModule]Subject contains 5 Principals after auth
    2007年11月7日 下午04:52:51 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule commit
    細緻: [DBTableOraDataSourceLoginModule]Cleaning internal state!
    2007年11月7日 下午04:52:53 oracle.adfinternal.view.faces.application.ViewHandlerImpl _checkTimestamp
    資訊: ADF Faces is running with time-stamp checking enabled. This should not be used in a production environment. See the oracle.adf.view.faces.CHECK_FILE_MODIFICATION property in WEB-INF/web.xml
    What may go wrong? web.xml? system-jazn-data.xml ? application.xml ? or data-sources.xml?
    Your advice would be appreciated.

  • DBTableOraDataSourceLoginModule issues

    I am trying to get ADF security to work with my web application using DBTableOraDataSourceLoginModule custom login module.
    I have setup the tables and set the configuration files using the documentation listed here:
    http://www.oracle.com/technology/products/jdev/howtos/1013/oc4jjaas/oc4j_jaas_login_module.htm
    I see that my user is authenticating correctly and is pulling the appropriate roles. The problem is that I am getting a 401 when accessing a page that I have granted access to within the page definition for the given roles that I have defined within the db tables.
    The log also shows that it is not finding the view permissions for the view.pageDefs.mbjPageDef.
    Here is the dump of the log:
    May 12, 2008 9:46:56 PM oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule login
    FINE: [DBTableOraDataSourceLoginModule]login called on DBTableLoginModule
    May 12, 2008 9:46:56 PM oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule login
    FINE: [DBTableOraDataSourceLoginModule]Calling callbackhandler ...
    May 12, 2008 9:46:56 PM oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule login
    FINE: [DBTableOraDataSourceLoginModule]Username returned by callback = mjones
    May 12, 2008 9:46:56 PM oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule login
    FINE: [DBTableOraDataSourceLoginModule]Username changed to case as defined by null to mjones
    May 12, 2008 9:46:56 PM oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule performDbAuthentication
    FINE: [DBTableOraDataSourceLoginModule]User query string: select username,password from personnel where username= (?)
    May 12, 2008 9:46:56 PM oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule performDbAuthentication
    FINE: [DBTableOraDataSourceLoginModule]User primary key value found = mjones
    May 12, 2008 9:46:56 PM oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule performDbAuthentication
    FINE: [DBTableOraDataSourceLoginModule]Password encoded by: oracle.security.jazn.login.module.db.util.DBLoginModuleClearTextEncoder
    May 12, 2008 9:46:56 PM oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule performDbAuthentication
    FINE: [DBTableOraDataSourceLoginModule]User mjones authenticated successfully
    May 12, 2008 9:46:56 PM oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule performDbAuthentication
    FINE: [DBTableOraDataSourceLoginModule]Roles query string: select role_name from application_roles where username= (?)
    May 12, 2008 9:46:56 PM oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule performDbAuthentication
    FINE: [DBTableOraDataSourceLoginModule]DBUser Principal Name: mjones
    May 12, 2008 9:46:56 PM oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule performDbAuthentication
    FINE: [DBTableOraDataSourceLoginModule]DBRole Principal Name: TestRole
    May 12, 2008 9:46:56 PM oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule performDbAuthentication
    FINE: [DBTableOraDataSourceLoginModule]DBRole Principal Name: TESTROLE
    May 12, 2008 9:46:56 PM oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule login
    FINE: [DBTableOraDataSourceLoginModule]Logon Successful = true
    May 12, 2008 9:46:56 PM oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule commit
    FINE: [DBTableOraDataSourceLoginModule]Subject contains 0 Principals before auth
    May 12, 2008 9:46:56 PM oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule commit
    FINE: [DBTableOraDataSourceLoginModule]Local LM commit succeeded
    May 12, 2008 9:46:56 PM oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule commit
    FINE: [DBTableOraDataSourceLoginModule]Subject contains 3 Principals after auth
    May 12, 2008 9:46:56 PM oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule commit
    FINE: [DBTableOraDataSourceLoginModule]Cleaning internal state!
    May 12, 2008 9:46:56 PM oracle.adf.share.security.authentication.AuthenticationServlet processRequest
    INFO: AuthenticationServlet processRequest...
    May 12, 2008 9:46:56 PM oracle.adf.share.security.authentication.AuthenticationServlet processRequest
    INFO: User principal mjones
    May 12, 2008 9:46:56 PM oracle.adf.share.security.authentication.AuthenticationServlet processRequest
    INFO: Success url /osilas/mbj.jsp
    May 12, 2008 9:46:56 PM oracle.adf.share.security.providers.jazn.JAZNSecurityContext hasPermission
    FINE: -- AccessController.checkPermission view.pageDefs.mbjPageDef, view
    May 12, 2008 9:46:56 PM oracle.adf.share.security.providers.jazn.JAZNSecurityContext hasPermission
    FINE: checkPermission no permission: view.pageDefs.mbjPageDef, view
    May 12, 2008 9:46:56 PM oracle.adf.share.security.providers.jazn.JAZNSecurityContext hasPermission
    FINE: -- AccessController.checkPermission view.pageDefs.mbjPageDef, view
    May 12, 2008 9:46:56 PM oracle.adf.share.security.providers.jazn.JAZNSecurityContext hasPermission
    FINE: checkPermission no permission: view.pageDefs.mbjPageDef, view
    Here is the system-jazn-data.xml snippet:
    <grant>
    <grantee>
    <principals>
    <principal>
    <realm-name>jazn.com</realm-name>
    <type>role</type>
    <class>oracle.security.jazn.spi.xml.XMLRealmRole</class>
    <name>TestRole</name>
    </principal>
    </principals>
    </grantee>
    <permissions>
    <permission>
    <class>oracle.adf.share.security.authorization.RegionPermission</class>
    <name>view.pageDefs.mbjPageDef</name>
    <actions>customize,edit,grant,personalize,view</actions>
    </permission>
    </permissions>
    </grant>
    Does anyone see why the user I selected is getting a permission denied? How can I get more visibility into why it does not see the permission?
    Any help would be appreciated.
    I am running JDeveloper build 10.1.3.3.0.4157
    Marty Jones

    From what I can tell, authentication is successful but authorization to a given page definition access is not working. I have ensured that the web.xml role name matches what is in the database role table.
    The question I have is when you use the custom database login module, where does JDeveloper pull the page definition rights from? Is it from the system-jazn-data.xml file like it does when using the standard jazn.com file security?
    The application works as expected if I do not use the database custom login module.
    What gives???
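
A way to line up the denied permission from the log above with the grants in system-jazn-data.xml, as an added example (not code from the thread or from Oracle). The inputs are shortened from the post, the `<jazn-policy>` wrapper and all function names are assumptions made here, and the class passed as `expected_role_class` is the `DBRolePrincipal` class that appears in a grant later on this page; the script only reports the comparison.

```python
import re
import xml.etree.ElementTree as ET

# Constructed inputs, shortened from the log and grant quoted in the post above.
SAMPLE_LOG = """\
May 12, 2008 9:46:56 PM oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule performDbAuthentication
FINE: [DBTableOraDataSourceLoginModule]DBUser Principal Name: mjones
FINE: [DBTableOraDataSourceLoginModule]DBRole Principal Name: TestRole
FINE: [DBTableOraDataSourceLoginModule]DBRole Principal Name: TESTROLE
FINE: -- AccessController.checkPermission view.pageDefs.mbjPageDef, view
FINE: checkPermission no permission: view.pageDefs.mbjPageDef, view
FINE: checkPermission no permission: view.pageDefs.mbjPageDef, view
"""

# The wrapper element is only there so the fragment parses (assumption).
SAMPLE_POLICY = """\
<jazn-policy>
  <grant>
    <grantee><principals><principal>
      <realm-name>jazn.com</realm-name>
      <type>role</type>
      <class>oracle.security.jazn.spi.xml.XMLRealmRole</class>
      <name>TestRole</name>
    </principal></principals></grantee>
    <permissions><permission>
      <class>oracle.adf.share.security.authorization.RegionPermission</class>
      <name>view.pageDefs.mbjPageDef</name>
      <actions>customize,edit,grant,personalize,view</actions>
    </permission></permissions>
  </grant>
</jazn-policy>
"""

USER_RE = re.compile(r"\]DBUser Principal Name: (\S+)")
ROLE_RE = re.compile(r"\]DBRole Principal Name: (\S+)")
DENY_RE = re.compile(r"checkPermission no permission: (\S+), (\S+)")


def parse_log(text):
    """Return the user, the role principals and the denied (name, action) pairs."""
    user, roles, denied = None, [], []
    for line in text.splitlines():
        m = USER_RE.search(line)
        if m:
            user = m.group(1)
        m = ROLE_RE.search(line)
        if m and m.group(1) not in roles:
            roles.append(m.group(1))
        m = DENY_RE.search(line)
        if m and m.groups() not in denied:
            denied.append(m.groups())
    return {"user": user, "roles": roles, "denied": denied}


def parse_grants(policy_xml):
    """Flatten every <grant> into one record per (principal, permission)."""
    records = []
    for grant in ET.fromstring(policy_xml).iter("grant"):
        principals = [(p.findtext("name", "").strip(), p.findtext("class", "").strip())
                      for p in grant.iter("principal")]
        for perm in grant.iter("permission"):
            actions = {a.strip() for a in perm.findtext("actions", "").split(",") if a.strip()}
            for role, role_class in principals:
                records.append({"role": role, "role_class": role_class,
                                "perm": perm.findtext("name", "").strip(),
                                "actions": actions})
    return records


def explain_denials(log_text, policy_xml, expected_role_class=None):
    """For each denied permission, show which grants cover it and for whom."""
    log = parse_log(log_text)
    grants = parse_grants(policy_xml)
    held_lower = {r.lower() for r in log["roles"]}
    findings = []
    for name, action in log["denied"]:
        covering = [g for g in grants if g["perm"] == name and action in g["actions"]]
        if not covering:
            findings.append({"perm": name, "action": action, "status": "no-grant"})
            continue
        for g in covering:
            if g["role"] in log["roles"]:
                status = "role-held"
            elif g["role"].lower() in held_lower:
                status = "role-held-different-case"
            else:
                status = "role-not-held"
            finding = {"perm": name, "action": action, "status": status,
                       "role": g["role"], "role_class": g["role_class"]}
            if expected_role_class is not None:
                # Caller-supplied class to compare the grantee class against.
                finding["class_matches"] = g["role_class"] == expected_role_class
            findings.append(finding)
    return findings


if __name__ == "__main__":
    db_role = "oracle.security.jazn.login.module.db.principals.DBRolePrincipal"
    for f in explain_denials(SAMPLE_LOG, SAMPLE_POLICY, expected_role_class=db_role):
        print(f)
```
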

  • JDev11 R.1. ADF Security Authorization

    Hi,
    I would like to know if it might be possible to use authentication via the RDBMS authentication provider of WebLogic App. Server and ADF Security Authorization together in a JDev 11 application. I am reading the documentation and it says that 'ADF Security relies on the jazn-data.xml file for the policy store whether you are using the XML-based identity store or the LDAP identity store.' One could define roles and their access rights in jazn-data.xml and might expect authentication and isUserInRole services coming from the authentication service without defining users (role members) at design time. Is it or will it be possible in future?
    Best Regards.

    Hi
    I think it is too early and I don't know if they will ever build this. ( because they also have to support other app servers). Is RDBMS authentication provider of Weblogic App. Server a JAAS implementation?
    In TP4 you had a DB login module; I don't know if this is supported in 11g production.
    jps-config.xml
    <serviceInstance provider="jaas.login.provider" name="testlogin">
    <description>Sample LoginModule</description>
    <property value="oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule" name="loginModuleClassName"/>
    <property value="REQUIRED" name="jaas.login.controlFlag"/>
    <property value="ovs_user" name="table"/>
    <property value="jdbc/OVSDS" name="data_source_name"/>
    <property value="role_name" name="groupMembershipGroupFieldName"/>
    <property value="password" name="passwordField"/>
    <property value="ovs_user_role_view" name="groupMembershipTableName"/>
    <property value="role_name" name="usernameField"/>
    <property value="role_name" name="pw_encoding_class"/>
    <property value="oracle.security.jazn.login.module.db.util.DBLoginModuleMD5Encoder" name="groupMembershipGroupFieldName"/>
    </serviceInstance>
    <serviceInstance provider="jaas.login.provider" name="oracledb.loginmodule">
    <property value="true" name="debug"/>
    <property value="true" name="addAllRoles"/>
    <property value="passwd" name="passwordField"/>
    <property value="role_name" name="groupMembershipGroupFieldName"/>
    <property value="jdbc/authschemaDS" name="data_source_name"/>
    <property value="REQUIRED" name="jaas.login.controlFlag"/>
    <property value="application_roles" name="groupMembershipTableName"/>
    <property value="oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule" name="loginModuleClassName"/>
    <property value="FINEST" name="log.level"/>
    <property value="username" name="usernameField"/>
    <property value="application_users" name="table"/>
    <property value="username" name="user_pk_column"/>
    <property value="username" name="roles_fk_column"/>
    <property value="tolower" name="casing"/>
    <property value="oracle.security.jazn.login.module.db.util.DBLoginModuleClearTextEncoder" name="pw_encoding_class"/>
    </serviceInstance>
    thanks Edwin
    Edited by: biemond on Oct 19, 2008 10:50 AM

  • Anyone have a sample app to test authorization?

    A sample system-jazn-data , a jspx setting example would help. I have hit a road block.
    I set up an app to test this out. This just has two jspxs. You click the link from one page to go to the second page which has two input fields. If the role is a "technician" I want the field to be non-editable based on PageDef settings. I confirmed that the role returned was indeed "technician."
    I have set the pagedef to "read" for PositionNbr. However, when I go to that page after signing in as a technician, I can edit the field. When I hardcode the readOnly properties on the SearchInfoPos.jspx to "true," I get a readonly field. The field is not honoring the property
    readOnly="#{!bindings.SimpleTestPositionNbr.updateable}"
    This seems to confirm that authorization via pageDef is not working and I am missing something. This is a simple app with no other attachments. What is wrong? Anyone else have a scenario like this?
    Authentication via DBtableOraDataSourceLoginModule still works as before. It authenticates and returns the roles "technician" for "DFAVIET" from APPLICATION_ROLES table on my Oracle Express schema.
    Here are the relevant settings for reference.
    bd_SearchPosInfo.jspx
    <af:inputText value="#{bindings.SimpleTestPositionNbr.inputValue}"
    label="#{bindings.SimpleTestPositionNbr.label}"
    required="#{bindings.SimpleTestPositionNbr.mandatory}"
    columns="#{bindings.SimpleTestPositionNbr.displayWidth}"
    binding="#{backing_bd_SearchPosInfo.inputText1}"
    id="inputText1"
    readOnly="#{!bindings.SimpleTestPositionNbr.updateable}"
    >
    navigation rule faces-config
    MainMenu.jspx -----> SearchPosInfo.jspx (has two inputtext fields (PositionNbr, PrimeOrg)
    system-jazn-data.xml
    <grant>
    <grantee>
    <principals>
    <principal>
    <realm-name>secure-web-app</realm-name>
    <type>role</type> <class>oracle.security.jazn.login.module.db.principals.DBRolePrincipal</class>
    <name>technician</name>
    </principal>
    </principals>
    </grantee>
    <permissions>
    <permission> <class>oracle.adf.share.security.authorization.RegionPermission</class>
    <name>view.pageDefs.bd_SearchPosInfoPageDef</name>
    <actions>grant,view</actions>
    </permission>
    <permission>
    <class>oracle.adf.share.security.authorization.AttributePermission</class> <name>BudAppModuleDataControl.SimpleTest.PositionNbr</name>
    <actions>read</actions>
    </permission>
    </permissions>
    </grant>
    <grant>
    <grantee>
    <principals>
    <principal>
    <realm-name>secure-web-app</realm-name>
    <type>role</type>
    <class>oracle.security.jazn.login.module.db.principals.DBRolePrincipal</class> <name>technician</name>
    </principal>
    </principals>
    </grantee>
    <permissions>
    <permission>
    <class>oracle.adf.share.security.authorization.AttributePermission</class>
    <name>BudAppModuleDataControl.SimpleTest.PositionNbr</name>
    <actions>read</actions>
    </permission>
    </permissions>
    </grant>

    Currently there isn't a book on Oracle9i Forms yet. (Except the regular documentation).
    I believe that someone who will learn from the books on 6i and then will read the new features papers about Oracle9i Forms and the online help can become efficient developer.
    Also if you prefer there are Oracle University courses on Forms 6i and Oracle9i Forms - These are usually the best way to learn Forms.

  • [SOLVED] ADF Security: No success with DBTableOraDataSourceLoginModule

    Hi,
    Because I have not had success implementing simple ADF Security in my application for weeks, I am trying again with this post.
    Hopefully someone who was already successful with this issue can give me the hint, missing step or something else.
    I have read many forum posts, blogs and documentation (10.x) but because ADF security has been changed from 10g to 11g I'm never sure if a documented step from 10g is necessary for 11g also.
    I also posted my problem to posts with similar problems but no response :-(
    I use 11g, TP4.
    My Requirement:
    =============
    - user accounts and roles are stored within database tables
    - roles are not used (every user has the same rights) but stored in the database table
    - Custom Login-Page (jspx)
    - At login ADF Security only needs to check if the entered user/password is stored in the database table (no password encryption is used at the moment)
    Steps I have done:
    ADF Security wizard:
    ================
    Step 1: Enforce Authorization NOT checked (Also tried to CHECK this checkbox)
    Redirect upon successful Authentication CHECKED
    generate Default CHECKED
    Step 2: No identity store CHECKED
    Step 3: Enable Credential Store CHECKED
    Step 4: No Policy Store CHECKED
    Step 5: Enable Anonymous Provider
    Step 6: Manage Login Modules --> Add "oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule"
    Name = oracledb.loginmodule
    Login Control Flag = Required
    Log Level = fine
    --> Add "oracledb.loginmodule" as the only "Selected login module"
    Step 7: Form-Based Authentication
    Generate default is CHECKED
    Step 8: WebResources: allPages
    Selected Roles: valid-users
    Step 9: FINISH Wizard
    Then I edit jps-config.xml manually. Here is the actual content:
    =============================================================
    <serviceInstance provider="jaas.login.provider"
    name="oracledb.loginmodule">
    <property value="true" name="debug"/>
    <property value="REQUIRED" name="jaas.login.controlFlag"/>
    <property value="true" name="addAllRoles"/>
    <property value="oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule"
    name="loginModuleClassName"/>
    <property value="FINE" name="log.level"/>
    <property value="jdbc/TLS-BOBDS" name="data_source_name"/>
    <property value="passwort" name="passwordField"/>
    <property value="rol_rolle" name="groupMembershipGroupFieldName"/>
    <property value="bediener_rollen" name="groupMembershipTableName"/>
    <property value="user_kennung" name="usernameField"/>
    <property value="bediener" name="table"/>
    <property value="persnr" name="user_pk_column"/>
    <property value="bed_persnr" name="roles_fk_column"/>
    <property value="toupper" name="casing"/>
    </serviceInstance>
    ====================================
    Then I start the application. Re-direction to the login-page works fine.
    I enter username/password and press submit --> The following error occurs in the OC4J log:
    ===================
    WARNUNG: TLS-BOB-ViewController-webapp: error encountered during authentication
    java.util.MissingResourceException: Can't find resource for bundle oracle.security.jps.internal.common.resources.common.CommonResources, key JPS-02575
         at java.util.ResourceBundle.getObject(ResourceBundle.java:325)
         at java.util.ResourceBundle.getObject(ResourceBundle.java:322)
         at java.util.ResourceBundle.getString(ResourceBundle.java:285)
         at oracle.security.jps.util.JpsBundle.getString(JpsBundle.java:133)
         at oracle.security.jps.internal.idstore.xml.idm.IdmXmlIdentityStore.searchUser(IdmXmlIdentityStore.java:424)
         at oracle.security.jps.internal.idstore.xml.idm.IdmXmlIdentityStore.searchUser(IdmXmlIdentityStore.java:401)
         at oracle.security.jps.internal.idstore.xml.idm.IdmXmlIdentityStore.searchUser(IdmXmlIdentityStore.java:99)
         at oracle.security.jps.fmw.JpsUserManager.getUserFromIdmStore(JpsUserManager.java:1109)
         at oracle.security.jps.fmw.JpsUserManager.getUser(JpsUserManager.java:1022)
         at com.evermind.security.IndirectUserManager.getUser(IndirectUserManager.java:90)
         at com.evermind.security.IndirectUserManager.getUser(IndirectUserManager.java:90)
         at com.evermind.server.http.EvermindHttpServletRequest.getUserPrincipalInternal(EvermindHttpServletRequest.java:3927)
         at com.evermind.server.http.HttpApplication.checkAuthenticationAndAuthorize(HttpApplication.java:6965)
         at com.evermind.server.http.HttpApplication.getRequestDispatcher(HttpApplication.java:3350)
         at com.evermind.server.http.HttpRequestHandler.doResolveRequestDispatcher(HttpRequestHandler.java:1005)
         at com.evermind.server.http.HttpRequestHandler.doProcessRequest(HttpRequestHandler.java:822)
         at com.evermind.server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:658)
         at com.evermind.server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:626)
         at com.evermind.server.http.HttpRequestHandler.serveOneRequest(HttpRequestHandler.java:417)
         at com.evermind.server.http.HttpRequestHandler.run(HttpRequestHandler.java:189)
         at com.evermind.server.http.HttpRequestHandler.run(HttpRequestHandler.java:163)
         at oracle.oc4j.network.ServerSocketReadHandler$ClientRunnable.run(ServerSocketReadHandler.java:275)
         at oracle.oc4j.network.ServerSocketAcceptHandler.procClientSocket(ServerSocketAcceptHandler.java:237)
         at oracle.oc4j.network.ServerSocketAcceptHandler.access$800(ServerSocketAcceptHandler.java:29)
         at oracle.oc4j.network.ServerSocketAcceptHandler$AcceptHandlerHorse.run(ServerSocketAcceptHandler.java:877)
         at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:650)
         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:675)
         at java.lang.Thread.run(Thread.java:595)
    ==================================================
    My questions:
    =============
    1) Are there additional steps necessary to implement ADF Security for my requirements ?
    2) If yes, which? Which files do I have to edit manually after the ADF security wizard has finished?
    Any help is warmly welcome !
    regards
    Peter

    Hello
    Many thanks to CP and Andre who gave the missing hints in this thread:
    OC4J 11g and JAZN
    The property custom.provider mentioned by cp was the "missing link" --> now it works.
    BUT "Nobody knows the trouble I've seen ..." !
    I made dozens of trials with the same application and always similar (strange) results.
    When I CHECK "enforce Authorization" in the ADF security wizard then
    the redirection to the Login Page does NOT work (reason is unclear for me)
    If I UNCHECK "enforce Authorization" in the ADF security wizard then
    the redirection to the login page works fine BUT the redirect upon successful Authentication doesn't work.
    --> In this case following code is missing in web.xml
    =====================
    <servlet>
    <servlet-name>adfAuthentication</servlet-name>
    <servlet-class>oracle.adf.share.security.authentication.AuthenticationServlet</servlet-class>
    <init-param>
    <param-name>success_url</param-name>
    <param-value>welcome.jsp</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
    </servlet>
    =================================
    I think (but not 100%) that SOMETIMES the property "<property value="true" name="custom.provider"/>" has been created by the ADF security wizard.
    SOMETIMES I was not able to create the default welcome.jsp with the ADF Security Wizard, ....
    Maybe someone can reproduce this behaviour and file a bug.
    regards
    Peter

  • Problem w/ using DBTableOraDataSourceLoginModule w/ JDEV

    I am using JDeveloper 10.1.3.2 and have configured security to use the DBTableOraDataSourceLoginModule. I receive the following message when I attempt to login via a form, so it looks like the RealmLogin is still being used instead of the DB. I have configured the application.xml and system-jazn-data.xml per Oracle's instructions. Any comments or suggestions? My system-jazn entry is below. Thanks.
    javax.security.auth.login.LoginException: User [ABCDEF] does not exist in system.
         at oracle.security.jazn.login.module.RealmLoginModule.authenticate(RealmLoginModule.java:113)
         at oracle.security.jazn.login.module.RealmLoginModule.authenticate(RealmLoginModule.java:86)
         at oracle.security.jazn.login.module.AbstractLoginModule.login(AbstractLoginModule.java:265)
    <jazn-loginconfig>
         <application>
              <name>Prototype</name>
    <login-module>
    <class>
    oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule
    </class>
    <control-flag>required</control-flag>
    <options>
    <option>
    <name>data_source_name</name>
    <value>jdbc/devdata</value>
    </option>
    <option>
    <name>table</name>
    <value>USERS</value>
    </option>
    <option>
    <name>roles_fk_column</name>
    <value>GROUP_ID</value>
    </option>
    <option>
    <name>groupMembershipGroupFieldName</name>
    <value>GROUP_J2EE</value>
    </option>
    <option>
    <name>user_pk_column</name>
    <value>USER_ID</value>
    </option>
    <option>
    <name>passwordField</name>
    <value>PASSWD</value>
    </option>
    <option>
    <name>groupMembershipTableName</name>
    <value>USER_GROUP</value>
    </option>
    <option>
    <name>usernameField</name>
    <value>LOGIN</value>
    </option>
    <option>
    <name>casing</name>
    <value>toupper</value>
    </option>
    </options>
    </login-module>
         </application>

    First, turn up your logging in your j2ee-logging.xml to be TRACE:32 instead of NOTIFICATION:1. This will allow you to see in more detail what is going on during the authentication stage.
    Typically, when you are running into problems with the DB Login module, it is the connectivity to it.
    1) First, go into EM and check the Datasource and connection pool configured for the DB Table login module. There is a function within this screen to test the connection. Try doing a select from the tables you defined for your users and groups.
    2) Look in your custom security provider settings and make sure:
    a. You are specifying the correct jdbc namespace for the datasource
    b. That you didn't misspell any of the table settings.
    I think you mentioned a 401 error, which is authorization error. So, most likely your DBTable is working correctly. Make sure that you specified your roles correctly in your web.xml and your role mapping in orion-application.xml
    For example, in your orion-application.xml:
    <security-role-mapping name="sr_developer">
    <group name="developers" />
    </security-role-mapping>
    <security-role-mapping name="sr_manager">
    <group name="managers" />
    </security-role-mapping>
    <jazn provider="XML">
    <property name="custom.loginmodule.provider" value="true"/>
         <property name="role.mapping.dynamic" value="true"/>
    <property name="role.compare.ignorecase" value="true"/>
    </jazn>
    In your web.xml:
    <web-app>
    <display-name>Simple Servlet for testing Custom Provider</display-name>
    <distributable />
    <servlet>
    <servlet-name>SimpleServlet</servlet-name>
    <description>Servlet retrieves remote user info</description>
    <servlet-class>SimpleServlet</servlet-class>
    <!-- role name used in code -->
    <security-role-ref>
    <role-name>ar_developer</role-name>
    <role-link>sr_developer</role-link>
    </security-role-ref>
    <security-role-ref>
         <role-name>ar_manager</role-name>
         <role-link>sr_manager</role-link>
    </security-role-ref>
    </servlet>
    <servlet-mapping>
    <servlet-name>SimpleServlet</servlet-name>
    <url-pattern>/protectedA</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
    <servlet-name>SimpleServlet</servlet-name>
    <url-pattern>/protectedB</url-pattern>
    </servlet-mapping>
    <security-role>
    <role-name>sr_developer</role-name>
    </security-role>
    <security-role>
         <role-name>sr_manager</role-name>
    </security-role>
    <!-- security constraints -->
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>protectedA</web-resource-name>
    <url-pattern>/protectedA</url-pattern>
    </web-resource-collection>
    <!-- authorization -->
    <auth-constraint>
    <role-name>sr_developer</role-name>
    </auth-constraint>
    </security-constraint>
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>protectedB</web-resource-name>
    <url-pattern>/protectedB</url-pattern>
    </web-resource-collection>
    <!-- authorization -->
    <auth-constraint>
    <role-name>sr_manager</role-name>
    </auth-constraint>
    </security-constraint>
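
The web.xml and orion-application.xml role cross-check suggested in the reply above, as an added example (not code from the thread or from Oracle). The descriptors are constructed from the reply's snippets with two role-name typos and a missing mapping introduced on purpose; the function names and finding labels are made up here.

```python
import difflib
import xml.etree.ElementTree as ET

# Constructed descriptors based on the reply's snippets. Deliberate defects:
# role-link "sr_manger", constraint role "SR_MANAGER", no mapping for sr_manager.
WEB_XML = """\
<web-app xmlns="http://java.sun.com/xml/ns/j2ee">
  <servlet>
    <servlet-name>SimpleServlet</servlet-name>
    <servlet-class>SimpleServlet</servlet-class>
    <security-role-ref>
      <role-name>ar_developer</role-name>
      <role-link>sr_developer</role-link>
    </security-role-ref>
    <security-role-ref>
      <role-name>ar_manager</role-name>
      <role-link>sr_manger</role-link>
    </security-role-ref>
  </servlet>
  <security-role><role-name>sr_developer</role-name></security-role>
  <security-role><role-name>sr_manager</role-name></security-role>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>protectedA</web-resource-name>
      <url-pattern>/protectedA</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>sr_developer</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>protectedB</web-resource-name>
      <url-pattern>/protectedB</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>SR_MANAGER</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""

ORION_XML = """\
<orion-application>
  <security-role-mapping name="sr_developer">
    <group name="developers" />
  </security-role-mapping>
</orion-application>
"""


def _load(xml_text):
    """Parse a descriptor and drop XML namespaces so plain tag paths work."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    return root


def _texts(node, path):
    return [(el.text or "").strip() for el in node.findall(path)]


def _nearest(role, declared):
    """Suggest a declared role that differs only by case or by a small typo."""
    by_lower = {d.lower(): d for d in declared}
    if role.lower() in by_lower:
        return by_lower[role.lower()]
    close = difflib.get_close_matches(role.lower(), list(by_lower), n=1, cutoff=0.8)
    return by_lower[close[0]] if close else None


def check_roles(web_xml, orion_xml):
    """Cross-check role names between web.xml and orion-application.xml."""
    web, orion = _load(web_xml), _load(orion_xml)
    declared = set(_texts(web, "security-role/role-name"))
    mapped = {m.get("name"): [g.get("name") for g in m.findall("group")]
              for m in orion.findall("security-role-mapping")}
    findings = []

    def add(kind, role, where, suggest=None):
        findings.append({"kind": kind, "role": role, "where": where, "suggest": suggest})

    # Role names are case-sensitive; "*" in an auth-constraint means all declared roles.
    for sc in web.findall("security-constraint"):
        patterns = _texts(sc, "web-resource-collection/url-pattern")
        for role in _texts(sc, "auth-constraint/role-name"):
            if role != "*" and role not in declared:
                add("undeclared-constraint-role", role, patterns, _nearest(role, declared))
    for ref in web.findall("servlet/security-role-ref"):
        link = (ref.findtext("role-link") or "").strip()
        if link and link not in declared:
            add("dangling-role-link", link, _texts(ref, "role-name"), _nearest(link, declared))
    for role in sorted(declared):
        if not mapped.get(role):
            add("no-explicit-mapping", role, [])
    for role in sorted(set(mapped) - declared):
        add("mapping-for-undeclared-role", role, mapped[role], _nearest(role, declared))
    return findings


if __name__ == "__main__":
    for finding in check_roles(WEB_XML, ORION_XML):
        print(finding)
```
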

  • Open and close posting period authorization control TCODE: S_ALR_87003642

    HI All,
    Is there any chance to control the user to open and close another company code posting period variant in TCODE: S_ALR_87003642.
    In our system we are using the same client for different countries. So a user is able to change the other country's company code posting periods.
    We would like to control either on the country (or) organizational unit(company code) (or) posting period variant so that user can only open/close  their country / company code posting periods.
    Our present authorization role for open and close posting period contain the auth.Obj. : S_TABU_DIS.
    Please share your knowledge if you come across this problem..
    Thanks in advance..

    Hey Sandhya,
    Congrats, this can be done using line item authorization with the object S_TABU_LIN.
    Field ORG_CRIT - Value 02
    Field ORG_FIeld1 - Value ZT001B
    We have successfully done it in our client.
    You need to contact your BASIS consultant for this.
    Thanks,
    Nitish

  • Analysis Authorization in BO 4.0 Webi report

    Hi All,
    I am using BO 4.0 and creating connection from Information Design tool to a BW query using BICS client. This connection is then published to CMC.
    We are using SAP authentication and importing the roles from BW system. We have added profiles to this role and these profiles have Analysis Authorization set on Company Code. So one user can access data to one company code and vice versa. Now this works well in Bex Analyzer, but if I try to create a report in Webi, the analysis authorization fails. I went through the forum before posting this question and I found that is in 3.1 version and in most cases using SSO in universe connection solved the problem.
    However in 4.0 I am using BICS client and followed the same processes to create a connection but for some reason it doesn't work? Is this supposed to work differently in 4.0?
    I have tried:
    1. To create connection in Information Design tool using SSO, selecting user ID and password. It doesn't work.
    2. Checked the Bex query and it already has Company code as a Characteristic restrictions (I have made it a mandatory variable).
    3. Publish the connection to CMC with my Enterprise and SAP ID and in both cases it doesn't work.
    Please let me know if anyone encountered a similar issue and what is the best method to resolve this.
    (BO 4.0 no service pack or fix pack installed on the system yet)
    Thanks - Appreciate your help !
    Prasad Rasam

    Ingo,
    1. To create connection in Information Design tool using SSO, selecting user ID and password. It doesn't work.
    >> Correct you need to set up your OLAP Connection with SSO.
    >>> What I meant was I created the connections using both the methods, Using SSO it allows me to create a connection. The ID which I am using to create a connection has Admin access to BOBJ system. When I login as a regular user to create a Webi report and select this new connection, it throws an error message 'The DSL Service returned an error: com.businessobjects.dsl.services.workspace.impl.QueryViewAnalyzer$CannotGetCubeFromConnectionException: Cannot get the cube from the connection'
    Using the other method to create a connection with User ID and password, I can create a connection and with the normal user login I can connect to the BW query but Analysis Authorization doesn't work.
    Ingo : Could you be more specific what you mean here with the different users ? When you say "regular" user are you referring to an SAP credentials or SAP BusinessObjects Enterprise credentials ?
    2. Checked the Bex query and it already has Company code as a Characteristic restrictions (I have made it a mandatory variable).
    >> The variable in the BEx query needs to be an authorization variable.
    >>> This has already been set as Authorization variable. There is still a question here. If I select the variable as Authorization variable, I cannot set the other parameters in the query properties such as Mandatory variable (as this is greyed out).
    Ingo : What other parameters would you like to configure ? Could you perhaps describe the scenario with more details ?
    regards
    Ingo Hilgefort

  • Analysis Authorization Issue 7.3

    Hello Friends,
    System BW 7.3, Currently there are 80 odd analysis authorization objects
    We want to introduce a new info object (GL Account) to be authorization relevant, ( there are few objects in the system which are already authorization relevant in the system with proper analysis authorization objects and they are working fine)
    Things done, made the GL Account object authorization relevant in RSA1, Created 2 analysis authorization objects with GL Account and TCT objects and one with hierarchy restrictions and one open access.
    Added this object to the user in addition to its already existing authorization objects. Created authorization variable in BEx.
    Somehow the authorization is not picked up and it gives us all the values in the report. But if I add the GL Account info object to the existing analysis authorization objects then it works fine.
    I do not want to change all the existing analysis authorization objects to add GL Account.
    Your inputs are most welcome.
    Thanks
    Ed.

    Gajesh- I have added the new analysis authorization object to the user in RSECadmin.
    Subhendu- Problem statement: What are the steps involved in making a new info object(GL Account) authorization relevant. Authorizations are given at hierarchy level. Can we create a new analysis authorization with  GL Account only or do we have to add it to every existing analysis authorization
    I have done the following steps
    1. Made the GL Account object authorization relevant in RSA1,
    2. Created 2 new analysis authorization objects with GL Account ( with hierarchy restrictions) and TCT objects and one with GL Account open access.
    3. Added this object ( which has restrictions) to the user in RSECADMIN, in addition to its already existing authorization objects.
    4. Created authorization variable in BEx.
    5. No existing analysis authorization objects have been changed.
    When I test the report, It does not restrict based on the hierarchy that I have given, it gives open access.
    But If I add GL Account with restrictions to the existing analysis authorization object, it works good.
    Guess I am missing something here.
    Do you need any other screen shots.
    Thanks
    Ed.

  • Analysis Authorization Issue

    Hi:
    I created an analysis authorization ZCO_CODE to restrict it by a company code.
    I added following objects in authorization with values.
    0COMP_CODE = 1000
    0TCAACTVT = 03
    0TCAIFAREA = *
    0TCAIPROV = *
    0TCAVALID = *
    Then I created a role Z:00:BW_REPORT, where I added following authorization objects S_RS_AUTH and restricted it by value ZCO_CODE. Then I assigned this role to a user test01.
    When I execute a program RSEC_MIGRATION for this specific user, I do not see authorization object ZCO_CODE on 2nd step of this program. Any Idea Why? I think this object should show up as I want to migrate this specific object.
    Help will be appreciated.

    Hi Sachin:
    Okay here is my issue.
    I have a Reporting authorization Object created earlier which is ZCOCODE. I thought I'll have to create a new Analysis authorization object e.g. ZCO_CODE and then restrict it with other chars. as mentioned in Marc Bernard's presentation and then you have to migrate it.
    In selection list I can see old Reporting authorization object. If I select it and use option "Enhance existing profile" then It will update profile and not role? right....
    How can I see whether it has updated existing profile?????
    Do I need to create new Analysis Auth. for Company code or I can use old Reporting authorization for company code?
    For testing purpose, I created a test user and assigned all reporting roles but It will not show up in RSEC_MIGRATION step???

  • BW Analysis authorization issue on cost center range

    Hello BIW security experts
    I have a problem where I created an analysis authorization on a cost center range and it looks like the interval is not working. The report is just a list of cost centers (demo to users to prove that analysis authorizations work in order to skip 2 managerial cost centers).
    . Cost centers are numeric. Example:  2000100. In the drop down list they appear as such.
    . I want to have the following cost center range: 1000000 to 1000771, 1000773 to 2000771, 2000773 to 9999999.
    Therefore 1000772 and 2000772 should not appear in the list.
    . In the analysis authorization I have put the 3 ranges above on 3 separate lines. 'BT' is the operator. The cost centers have been selected from the drop down list.
    Results:  I get only 1 record from the report....  2000772 (which is one I want to exclude).
    Steps tried to debug:
    . When I put a list of cost centers in the analysis authorization on separate line with the 'EQ' operator, then the report works.
    . I tried putting ' ' delimiters since cost center is a char field but it fails.
    . I tried adding leading and trailing zeros to fill up the char(10) but no luck.
    . I tried creating a hierarchy with the interval and put it in the hierarchy auth. tab and it does not work either. It gives the same number of records as the first step.
    . A hierarchy with single values work.
    I do not know what else to try..
    Thanks.
    YB.

    Good morning
    Here it is from RSECVAL
    ZCC_TEST     0COSTCENTER                    I       BT        1000000                                                      1000771
    ZCC_TEST     0COSTCENTER                    I       BT        1000773                                                      2000771
    ZCC_TEST     0COSTCENTER                    I       BT        2000773                                                      9999999
    ZCC_TEST     0COSTCENTER                    I       EQ        #
    ZCC_TEST     0COSTCENTER                    I       EQ        :
    ZCC_TEST     0INFOPROV                         I       CP        *
    ZCC_TEST     0TCAACTVT                        I       EQ        03
    ZCC_TEST     0TCAIPROV                         I       CP        *
    ZCC_TEST     0TCAKYFNM                       I       CP        *
    Thank you for your help.

  • BW Analysis authorization issue... need help urgently....

    We have one BW query which is pulling data from Contract Division info-object. Now this report does not have a variable selection object so it is pulling data from all values of Contract Division. Values of Contract Division are CNC, CNS, CNE and CNL.
    Now we have created an analysis auth. object called z_es_3 and added Contract division info-object. Now we have added that z_es_3 into role and given value to CNS. Now when we are running report, we are getting No Authorization error. When we are giving * value in z_es_3, it is running fine.
    Now we have to restrict report to contract division. please help.
    Thanks in advance

    Are you running unrestricted search on Contract division in your queries? You should restrict it to value which is maintained in the authorization for the InfoObject.
    Also please run the analysis authorization trace from RSECADMIN. That will give you a clearer picture of what is wrong.

  • BW Analysis authorizations issue in BO Webi Report

    Dear All,
    I have one webi report which is on BEx Query-universe.
    Query has 6 authorization variables with ready for input(optional).
    User has authorizations for all 6 fields.
    But when we execute the webi report it is throwing an error message like "query do not retrive data"
    One of the 6 authorization fields has only few values, when we give " * " to this field the user is able to execute the report.
    Could anybody tell me what needs to be done here?
    regards
    mhreddy

    Hi!
    Probably the combination of authorization functions is executing considering "and".
    See your configuration to consider "or".
    Test one by one.
    bye

  • Can I authorize 2 apple IDs on one computer?

    I'm new to the communities so please bear with me if I post this inappropriately.
    My husband and I both have iphones.  My two children have itouchs.  My husband has an ipad.  We also have numerous ipods.
    We have two computers in the house.  When my husband first bought an ipod, we had a PC.  All of his devices have always been synced on the PC using his apple id.  When I got my iphone, I synced on our MAC using my apple id.  When the kids got itouches, they synced on the MAC using their apple id.
    We discovered that anything the kids and I purchased on itunes on the MAC is available to all of us.
    We would now like to use home sharing.  To do this, both computers must be authorized to one apple id.  If the PC is deauthorized for my husband's apple id, I understand he will lose his purchases on the PC (or at least they won't be available until he authorizes it again).
    I understand that an apple id may be authorized on up to 5 computers.  But what about multiple apple id on one computer???
    My questions are basically this...
    Can we authorize 2 or more apple id on one computer? 
    Can I authorize my apple id on the PC and have my husband's apple id remain authorized on the PC?
    Can my husband's apple id be authorized on the MAC and my apple id remain authorized? 
    Can the kids apple id be authorized on each of the PC and the MAC?
    Can we have 4 different apple id authorized on a computer at once?
    Will authorizing my apple id on the PC de-authorize my husband's apple id?
    How's that for asking the same question in lots of different ways?  I have seen a lot about a computer using the same id multiple times but nothing about whether I can authorize many different ids on one computer at once.
    Thanks for the help.

    Each person in your home can have their own Apple ID provided it is tied to their own separate email address.
    iTunes permits up to five authorized computers connected to a single Apple ID: iTunes Store- About authorization and deauthorization.
    For this all to work well, however, each user in your household should have a separate user account on the computer they commonly use.
