Automate Login with Custom Login Module
Hi. I have successfully created a custom login module that calls a database stored procedure for our login procedures. However, there are conditions/cases where in a login will not be required (ie login page don't need to be displayed and it should direct to the home page right away).
I thought that putting these conditions/checks within the pl_sql will take care of it but that isn't the case. It turns out that the login page is always called before it goes to the pl_sql procedure we indicated in the orion-application.xml file. Now I am stumped on how to intercept the login page call.
Any help would be greatly appreciated. I have been working on this issues for months and haven't gotten a solution.
Thank you.
Edited by: 829489 on Jan 19, 2011 7:17 AM
You can not do this in a login module. Here's why:
1). You must (in web.xml) indicate which resources are secured and which are not. You cannot say "it's secured sometimes"
2). Once a login module indicates that a user is successfully authenticated, they are authenticated for the remainder of their session.
3). Now, in your login module, if you bypass any username/password check and mark them as authenticated (allowing them to access the secure resources), they will be authenticated for all requests in that session - including ones that you don't want to give them access to.
I'm guessing by your reference to orion-application.xml that you are using JDev 10g, therefore my suggestion of a task flow with a router to route users to either secure or not secure page is not applicable for you (it's only available in 11g).
John
Similar Messages
-
Problem with Customer Interaction Module in Web Channel Builder
Hello Everyone,
Facing an issue with Web Channel Builder Customer Interaction Module.
In Web channel builder we have done all the required configuration changes, but still we are not able to get the reviews and rating part in the product detail page.
We have created a new application and all the other module are working fine ,but the only module that is causing problem is Customer Interaction module. Every time we are activating this module rest modules stops working.
Can anyone please let us know what could be the root cause of this problem.
Are there any setting that has to be done ...that we are missing in?
I have studied that Product Catalogue is integrated with this module. Are there any setting that are to be done in the Product Catalogue module in Web channel builder?
Thanks in advance!
Regards,
PBHi PB,
Did you please get any proper error / exception in log file? Did you please check the web.xml as well that there is no same application name defined.
Can you please also copy paste the log please.
Thanks,
Hamendra -
Problems with customizing blog modules.
I was wondering how to customize blog modules in dreamweaver. In dreamweaver when I add the "list of post module" into a template, then click on data, I do not see the tags to insert archive blog posts, or older and newer posts tags. How can I add and edit those tags. In the end I am looking to get a blog that looks like this. Also, is there not a way to edit the blog post detail in Dreamweaver? In BC I see that it is possible to add an image in the older and newer blog post tags. How do I do that? Thanks for all the help!
Hi,
If you download application you can see source.
I have not write any instructions, sorry.
If you are on Apex 4 you can just load jQuery UI autocomplete library and take ideas from my app.
If you download my sample in zip there is uncompressed htmldbQuery library.
You can see that and take only function htmldbAutocomplete.
Then check jQuery UI document
http://jqueryui.com/demos/autocomplete/#method-search
There is method search that you can use open list just by click of input.
I hope this helps at start.
Regards,
Jari -
Help - using custom login module with embedded jdev oc4j to access ejb 3
Hi All (Frank ??),
I'm just wondering if anyone has successfully been able to leverage a custom login module in combination
with a client that connects to a local EJB 3 stateless session bean through Jdeveloper 10.1.3.2's embedded oc4j.
I have spent 2+ days trying to get this to work - and i think I resound now to the fact im going to
have to deploy to oc4j standalone instead.
I got close.. but finally was trumped with the following error from the client trying to access the ejb:-
javax.naming.NoPermissionException: Not allowed to look up XXXXXX, check the namespace-access tag
setting in orion-application.xml for details.
Using the various guides available, I had no problem getting the custom login module working
with a local servlet running from JDev's embedded oc4j.. however with ejb - no such luck.
I have a roles table (possible values Member, Admin) - that maps to sr_Member and sr_Admin
respectively in various config files.
I'm using EJB 3 annotations for protecting methods .. for example
@RolesAllowed("sr_Member")
Steps that I had to do so far :-
In <jdevhome>\jdev\system\oracle.jwee.10.1.3.40.66\embedded-oc4j\config\system-jazn-data.xml1) Add custom login module
<application>
<name>current-workspace-app</name>
<login-modules>
<login-module>
<class>kr.security.KnowRushLoginModule</class>
<control-flag>required</control-flag>
<options>
<option>
<name>dataSource</name>
<value>jdbc/DB_XE_KNOWRUSHDS</value>
</option>
<option>
<name>user.table</name>
<value>users</value>
</option>
<option>
<name>user.pk.column</name>
<value>id</value>
</option>
<option>
<name>user.name.column</name>
<value>email_address</value>
</option>
<option>
<name>user.password.column</name>
<value>password</value>
</option>
<option>
<name>role.table</name>
<value>roles</value>
</option>
<option>
<name>role.to.user.fk.column</name>
<value>user_id</value>
</option>
<option>
<name>role.name.column</name>
<value>name</value>
</option>
</options>
</login-module>
</login-modules>
</application>2) Grant login rmi permission to roles associated with custom login module (also in system-jazn-data.xml)
<grant>
<grantee>
<principals>
<principal>
<realm-name>jazn.com</realm-name>
<type>role</type>
<class>kr.security.principals.KRRolePrincipal</class>
<name>Admin</name>
</principal>
</principals>
</grantee>
<permissions>
<permission>
<class>com.evermind.server.rmi.RMIPermission</class>
<name>login</name>
</permission>
</permissions>
</grant>
<grant>
<grantee>
<principals>
<principal>
<realm-name>jazn.com</realm-name>
<type>role</type>
<class>kr.security.principals.KRRolePrincipal</class>
<name>Member</name>
</principal>
</principals>
</grantee>
<permissions>
<permission>
<class>com.evermind.server.rmi.RMIPermission</class>
<name>login</name>
</permission>
</permissions>
</grant>3) I've tried creating various oracle and j2ee deployment descriptors (even though ejb-jar.xml and orion-ejb-jar.xml get created automatically when running the session bean in jdev).
My ejb-jar.xml contains :-
<?xml version="1.0" encoding="utf-8"?>
<ejb-jar xmlns ....
<assembly-descriptor>
<security-role>
<role-name>sr_Admin</role-name>
</security-role>
<security-role>
<role-name>sr_Member</role-name>
</security-role>
</assembly-descriptor>
</ejb-jar>Note- i'm not specifying the enterprise-beans stuff, as JDev seems to populate this automatically.
My orion-ejb-jar.xml contains ...
<?xml version="1.0" encoding="utf-8"?>
<orion-ejb-jar ...
<assembly-descriptor>
<security-role-mapping name="sr_Admin">
<group name="Admin"></group>
</security-role-mapping>
<security-role-mapping name="sr_Member">
<group name="Member"></group>
</security-role-mapping>
<default-method-access>
<security-role-mapping name="sr_Member" impliesAll="true">
</security-role-mapping>
</default-method-access>
</assembly-descriptor>My orion-application.xml contains ...
<?xml version="1.0" encoding="utf-8"?>
<orion-application xmlns ...
<security-role-mapping name="sr_Admin">
<group name="Admin"></group>
</security-role-mapping>
<security-role-mapping name="sr_Member">
<group name="Member"></group>
</security-role-mapping>
<jazn provider="XML">
<property name="role.mapping.dynamic" value="true"></property>
<property name="custom.loginmodule.provider" value="true"></property>
</jazn>
<namespace-access>
<read-access>
<namespace-resource root="">
<security-role-mapping name="sr_Admin">
<group name="Admin"/>
<group name="Member"/>
</security-role-mapping>
</namespace-resource>
</read-access>
<write-access>
<namespace-resource root="">
<security-role-mapping name="sr_Admin">
<group name="Admin"/>
<group name="Member"/>
</security-role-mapping>
</namespace-resource>
</write-access>
</namespace-access>
</orion-application>My essentially auto-generated EJB 3 client does the following :-
Hashtable env = new Hashtable();
env.put(Context.SECURITY_PRINCIPAL, "matt.shannon");
env.put(Context.SECURITY_CREDENTIALS, "welcome1");
final Context context = new InitialContext(env);
KRFacade kRFacade = (KRFacade)context.lookup("KRFacade");
...And throws the error
20/04/2007 00:55:37 oracle.j2ee.rmi.RMIMessages
EXCEPTION_ORIGINATES_FROM_THE_REMOTE_SERVER
WARNING: Exception returned by remote server: {0}
javax.naming.NoPermissionException: Not allowed to look
up KRFacade, check the namespace-access tag setting in
orion-application.xml for details
at
com.evermind.server.rmi.RMIClientConnection.handleLookupRe
sponse(RMIClientConnection.java:819)
at
com.evermind.server.rmi.RMIClientConnection.handleOrmiComm
andResponse(RMIClientConnection.java:283)
....I can see from the console that the user was successfully authenticated :-
20/04/2007 00:55:37 kr.security.KnowRushLoginModule validate
WARNING: [KnowRushLoginModule] User matt.shannon authenticated
And that user is granted both the Admin, and Member roles.
The test servlet using basic authentication correctly detects the user and roles perfectly...
public void doGet(HttpServletRequest request,
HttpServletResponse response)
throws ServletException, IOException
LOGGER.log(Level.INFO,LOGPREFIX +"doGet called");
response.setContentType(CONTENT_TYPE);
PrintWriter out = response.getWriter();
out.println("<html>");
out.println("<head><title>ExampleServlet</title></head>");
out.println("<body>");
out.println("<p>The servlet has received a GET. This is the reply.</p>");
out.println("<br> getRemoteUser = " + request.getRemoteUser());
out.println("<br> getUserPrincipal = " + request.getUserPrincipal());
out.println("<br> isUserInRole('sr_Admin') = "+request.isUserInRole("sr_Admin"));
out.println("<br> isUserInRole('sr_Memeber') = "+request.isUserInRole("sr_Member"));Anyone got any ideas what could be going wrong?
cheers
Matt.
Message was edited by:
mshannonThanks for the response. I checked out your blog and tried your suggestions. I'm sure it works well in standalone OC4J, but i was still unable to get it to function correctly from JDeveloper embedded.
Did you ever get the code working directly from JDeveloper?
Your custom code essentially seems to be the equivalent of a grant within system-jazn-data.xml.
For example, the following grant to a custom jaas role (JAAS_ADMIN) that gets added by my custom login module gives them rmi login access :-
<grant>
<grantee>
<principals>
<principal>
<realm-name>jazn.com</realm-name>
<type>role</type>
<class>kr.security.principals.KRRolePrincipal</class>
<name>JAAS_Admin</name>
</principal>
</principals>
</grantee>
<permissions>
<permission>
<class>com.evermind.server.rmi.RMIPermission</class>
<name>login</name>
</permission>
</permissions>
</grant>If I add the following to orion-application.xml
<!-- Granting login permission to users accessing this EJB. -->
<namespace-access>
<read-access>
<namespace-resource root="">
<security-role-mapping>
<group name="JAAS_Admin"></group>
</security-role-mapping>
</namespace-resource>
</read-access>Running a standalone client against the embedded jdev oc4j server gives the namespace-access error.
I tried out your code by essentially creating a static reference to a singleton class that does the role lookup/provisioning with rmi login grant :-
From custom login module :-
private static KRSecurityHelper singleton = new KRSecurityHelper();
protected Principal[] m_Principals;
Vector v = new Vector();
v.add(singleton.getCustomRmiConnectRole());
// set principals in LoginModule
m_Principals=(Principal[]) v.toArray(new Principal[v.size()]);
Singleton class :-
package kr.security;
import com.evermind.server.rmi.RMIPermission;
import java.util.logging.Level;
import java.util.logging.Logger;
import oracle.security.jazn.JAZNConfig;
import oracle.security.jazn.policy.Grantee;
import oracle.security.jazn.realm.Realm;
import oracle.security.jazn.realm.RealmManager;
import oracle.security.jazn.realm.RealmRole;
import oracle.security.jazn.realm.RoleManager;
import oracle.security.jazn.policy.JAZNPolicy;
import oracle.security.jazn.JAZNException;
public class KRSecurityHelper
private static final Logger LOGGER = Logger.getLogger("kr.security");
private static final String LOGPREFIX = "[KRSecurityHelper] ";
public static String CUSTOM_RMI_CONNECT_ROLE = "remote_connect";
private RealmRole m_Role = null;
public KRSecurityHelper()
LOGGER.log(Level.FINEST,LOGPREFIX +"calling JAZNConfig.getJAZNConfig");
JAZNConfig jc = JAZNConfig.getJAZNConfig();
LOGGER.log(Level.FINEST,LOGPREFIX +"calling jc.getRealmManager");
RealmManager realmMgr = jc.getRealmManager();
try
// Get the default realm .. e.g. jazn.com
LOGGER.log(Level.FINEST,LOGPREFIX +"calling jc.getGetDefaultRealm");
Realm r = realmMgr.getRealm(jc.getDefaultRealm());
LOGGER.log(Level.INFO,LOGPREFIX +"default realm: "+r.getName());
// Access the role manager for the remote connection role
LOGGER.log(Level.FINEST,
LOGPREFIX +"calling default_realm.getRoleManager");
RoleManager roleMgr = r.getRoleManager();
LOGGER.log(Level.INFO,LOGPREFIX +"looking up custom role '"
CUSTOM_RMI_CONNECT_ROLE "'");
RealmRole rmiConnectRole = roleMgr.getRole(CUSTOM_RMI_CONNECT_ROLE);
if (rmiConnectRole == null)
LOGGER.log(Level.INFO,LOGPREFIX +"role does not exist, create it...");
rmiConnectRole = roleMgr.createRole(CUSTOM_RMI_CONNECT_ROLE);
LOGGER.log(Level.FINEST,LOGPREFIX +"constructing new grantee");
Grantee gtee = new Grantee(rmiConnectRole);
LOGGER.log(Level.FINEST,LOGPREFIX +"constructing login rmi permission");
RMIPermission login = new RMIPermission("login");
LOGGER.log(Level.FINEST,
LOGPREFIX +"constructing subject.propagation rmi permission");
RMIPermission subjectprop = new RMIPermission("subject.propagation");
// make policy changes
LOGGER.log(Level.FINEST,LOGPREFIX +"calling jc.getPolicy");
JAZNPolicy policy = jc.getPolicy();
if (policy != null)
LOGGER.log(Level.INFO, LOGPREFIX
+ "add to policy grant for RMI 'login' permission to "
+ CUSTOM_RMI_CONNECT_ROLE);
policy.grant(gtee, login);
LOGGER.log(Level.INFO, LOGPREFIX
+ "add to policy grant for RMI 'subject.propagation' permission to "
+ CUSTOM_RMI_CONNECT_ROLE);
policy.grant(gtee, subjectprop);
// m_Role = rmiConnectRole;
m_Role = roleMgr.getRole(CUSTOM_RMI_CONNECT_ROLE);
LOGGER.log(Level.INFO, LOGPREFIX
+ m_Role.getName() + ":" + m_Role.getFullName() + ":" + m_Role.getFullName());
else
LOGGER.log(Level.WARNING,LOGPREFIX +"Cannot find jazn policy!");
else
LOGGER.log(Level.INFO,LOGPREFIX +"custom role already exists");
m_Role = rmiConnectRole;
catch (JAZNException e)
LOGGER.log(Level.WARNING,
LOGPREFIX +"Cannot configure JAZN for remote connections");
public RealmRole getCustomRmiConnectRole()
return m_Role;
}Using the code approach and switching application.xml across so that namespace access is for the group remote_connect, I get the following error from my bean :-
INFO: Login permission not granted for current-workspace-app (test.user)
Thus, the login permission that I'm adding through the custom remote_connect role does not seem to work. Even if it did, i'm pretty sure I would still get that namespace error.
This has been such a frustrating process. All the custom login module samples using embedded JDeveloper show simple j2ee servlet protection based on settings in web.xml.
There are no samples showing jdeveloper embedded oc4j using ejb with custom login modules.
Hopefully the oc4j jdev gurus like Frank can write a paper that demonstrates this.
Matt. -
Third party SSO with a custom login module
Hello everyone,
I've found a few posts on the forum with questions similar to mine, but none have been answered. I'm using a 3rd party authentication product along with a custom implementation of the AbstractLoginModule interface.
The setup is standard: A 3rd party agent is installed on a reverse proxy web server to SAP. The agent is configured to protect SAP resources, and it handles the login screens and authentication. Once the user has been authenticated, the AbstractLoginModule implementation kicks in, decrypts and validates an SSO token, retrieves the username from it and creates an SAP Principal.
The login ticket template is configured as follows:
1. EvaluateTicketLoginModule SUFFICIENT
2. MyLoginModule REQUISITE
3. CreateTicketLoginModule OPTIONAL
One of the integration's key requirements is that direct interaction with standard SAP authentication must be avoided. More specifically, the user should never need to enter an SAP password. I'm only seeing two problems, both of which violate this requirement.
The first is in cases where there is no existing SAP user that matches the authenticated user. In this case, the third party token and SAP Principal are created, the abort method is called, and the user is redirected to the SAP login page. I need to either bring to user back to the third party login page or to a custom error page~.
The second problem occurs when an SAP password change is required. Again in this case, an SAP form is displayed after the module has created the Principal (although once the user changes the SAP password, all's well). If I were to disable mandatory password changes, would this apply to fat client access as well? If so, then it's not a viable option.
The general idea in both instances is that the SAP I'd appreciate any help or suggestions.
Thanks
~ Since the SSO token applies to applications outside of SAP, I may add a login module parameter to make this a configurable choice. (I.e. allow the administrator to decide whether to inform the user that SAP authentication failed while preserving the SSO token, or to destroy the token and force re-authentication). However, if there is a way to configure the "bad credentials" URL outside of the module's code/parameters, it may be better to place the choice there.Hi Julius,
Thank you for the quick response - and on a Sunday, no less!
I have considered verifying that the user existed in SAP before creating the Principal. One might argue that that would be the common sense thing to do. The reason I've held off is that the error should be so rare that it may not justify the overhead. There's a requirement to have a one-to-one username mapping between SAP and the authentication application. It would be more efficient to assume that this requirement has been met and to handle the Exception when it hasn't been. Of course, that doesn't mean that it's the right way to go.
+_Julius Bussche wrote:_+
For the first concern, if they can access the logon page directly (anyway) you could disable it as you do not want any password based logons (right?) and redirect it to your external page or an error page.
Yes, this is what I'm hoping to do, but I'm not sure how to do it. Here are some comments and questions about this:
1. What's involved in disabling the login page? I would think you'd need to replace it with something else rather than just switch it off. Could I limit this change to the login ticket template so that other templates (basic authentication, for example) are still available?
2. Keep in mind that users will never get past the "real" login page unless they have been authenticated. This complicates matters because we're dealing with a scenario in which the user has already been authenticated but doesn't exist in SAP. Therefore, it wouldn't make sense to go back to either login page.
3. What's involved in redirecting to an external page? Is this an explicit redirect in the module code, or can it be decoupled from the module? It's not a big deal, but it would be nice to avoid mandatory module parameters for relative paths to error pages.
I think the question I'm after is: "Can I simply change an SAP login URL parameter to point to a custom error page, and allow everything to work as it does now (where SAP handles the redirect)". If so, could I limit the scope of the change to the login ticket template? What would be even better is if I could configure SAP's response to this error. Somewhere, it's currently configured to display the login page. Ideally, I'd be able to configure it to display myErrorPage, and then set myErrorPage to the appropriate URL.
+_Julius Bussche wrote:_+
For the second concern, I assume that there are no valid passwords involved here which might have expired, so as long as the user does not have the option to activate a password again and anyway cannot logon via password as the option is not presented... then you should be fine here as well with a forward proxy. Not sure which Java APIs are offered here, but you could check this together with the existence check and react to both prior to accessing SAP "from the outside".
The problem here is that the SAP passwords are needed outside of the integration. It's true that whether an SAP password has expired is irrelevant to the integration. However, this is a Web-based integration; SAP passwords must still be available to users who have access to other clients. With this in mind, could I create a user password policy that disables password expiration and automatic password change, but only apply it to Web client access? If not, do you know how I might override SAPu2019s behavior?
Once again, thank you for taking your time to help me out. I am very grateful.
- John -
Problems with custom login module/authscheme in Portal iViews
Hi,
In our portal users must login with their username and password ("ticket" login module stack) to access most of the content. For some of the iViews containing confidential data we would like to ask the users some personal questions before giving them access.
I followed all the steps described in the [official documentation |http://help.sap.com/saphelp_nw04s/helpdata/en/8c/f03541c6afd92be10000000a1550b0/content.htm]:
- created a custom login module
- added it to a custom login module stack
- added a custom authscheme in the authschemes.xml file
- assigned the iView to this authscheme
I also create a PortalComponent that reads the user entries and calls my login module (JSP not shown):
public void doContent(IPortalComponentRequest request, IPortalComponentResponse response) {
HttpServletRequest req = request.getServletRequest();
HttpServletResponse resp = request.getServletResponse(false);
ILogonAuthentication ila = UMFactory.getLogonAuthenticator();
Subject subject = ila.logon(req, resp, "myauthscheme");
// if authenticated what to do next??
Now when I try to access the protected iView, I see my screen to answer the questions, I press submit and my login module is called. But, I never get redirected to the iView I'm supposed to go. So I still have two questions:
1) Which login modules should be in the login module stack? Should I include the BasicPasswordLoginModule?
For the moment I have:
EvaluateTicketLoginModule (SUFFICIENT)
MyCustomLoginModule (REQUISITE)
CreateTicketLoginModule (OPTIONAL)
2) How can I be redirected to the protected iView after the user is being authenticated? Is it the portal framework who is responsible to navigate there automatically? Or is it in my own code after the logon() call? In that case how can I retrieve the destination URL?
Thanks,
MartinI'm using the version 10.1.3.0.4 (SU5).
The error is:
06/09/28 18:09:05 WARNING: Application.setConfig Application: current-workspace-app is in failed state as initialization failedjava.lang.InstantiationException
28/09/2006 18:09:05 com.evermind.server.Application setConfig
WARNING: Application: current-workspace-app is in failed state as initialization failedjava.lang.InstantiationException
2006-09-28 18:09:05.390 WARNING J2EE 0JR0013 Exception initializing deployed application: current-workspace-app. null
My JAAS-oc4j-app content is:
<log>
<file path="JAAS-oc4j-app.log" xmlns=""/>
</log>
<jazn provider="XML" location="JAAS-jazn-data.xml">
<property name="role.mapping.dynamic" value="true"/>
<property name="custom.loginmodule.provider" value="true"/>
<property name="jaas.username.simple" value="true"/>
</jazn>
<data-sources path="JAAS-data-sources.xml"/>
Thanks for reply. -
JDEV deployment of web app with custom JAAS login module fails
For the first time, I am trying to implement a custom JAAS login module.
JDEV deployment to standalone OC4J only fails when my orion-application.xml is included. The deployment fails with a java.lang.InstantiationException.
This what I have done:
1) Wrote a custom LoginModule called com.whirlpoool.sjtc.jaas.gpa.LDAPLoginModule.
2) Put it and its dependent classes in a jar named sjtcjaas.jar.
3) Put the jar in $ORACLE_HOME\j2ee\home\lib
4) Changed library_path in $ORACLE_HOME\j2ee\home\config\application.xml to
<library path="../../home/lib/scheduler.jar;../../home/lib/sjtcjaas.jar" />
5) Added an orion-application.xml to the JDEV project. (I used an Oracle How-to as a pattern, see below.)
I think I'm close but no cigar, yet. Any help would be appreciated.
Regards,
Al Malin
=============== orion-application.xml ========================================
<?xml version="1.0"?>
<orion-application xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://xmlns.oracle.com/oracleas/schema/orion-application-10_0.xsd" deployment-version="10.1.3.0.0" default-data-source="jdbc/OracleDS" schema-major-version="10" schema-minor-version="0" >
<security-role-mapping name="sr_manager">
<group name="managers" />
</security-role-mapping>
<security-role-mapping name="sr_developer">
<group name="developers" />
</security-role-mapping>
<log>
<file path="application.log" />
</log>
<!-- Configuring a Login Module in an Application EAR file. -->
<jazn-loginconfig>
<application>
<name>customjaas</name>
<login-modules>
<login-module>
<class>com.whirlpoool.sjtc.jaas.gpa.LDAPLoginModule</class>
<control-flag>required</control-flag>
<options>
<option>
<name>debug</name>
<value>true</value>
</option>
</options>
</login-module>
</login-modules>
</application>
</jazn-loginconfig>
</orion-application>Starting OC4J from c:\oc4j\j2ee\home ...
2006-09-07 13:45:28.484 NOTIFICATION JMS Router is initiating ...
06/09/07 13:45:29 Oracle Containers for J2EE 10g (10.1.3.0.0) initialized
2006-09-07 13:45:58.609 NOTIFICATION Application Deployer for aam STARTS.
2006-09-07 13:45:58.640 NOTIFICATION Copy the archive to C:\oc4j\j2ee\home\applications\aam.ear
2006-09-07 13:45:58.656 NOTIFICATION Initialize C:\oc4j\j2ee\home\applications\aam.ear begins...
2006-09-07 13:45:58.656 NOTIFICATION Auto-unpacking C:\oc4j\j2ee\home\applications\aam.ear...
2006-09-07 13:45:58.687 NOTIFICATION Unpacking aam.ear
2006-09-07 13:45:58.687 NOTIFICATION Unjar C:\oc4j\j2ee\home\applications\aam.ear in C:\oc4j\j2ee\home\applications\aam
2006-09-07 13:45:58.750 NOTIFICATION Done unpacking aam.ear
2006-09-07 13:45:58.750 NOTIFICATION Finished auto-unpacking C:\oc4j\j2ee\home\applications\aam.ear
2006-09-07 13:45:58.750 NOTIFICATION Auto-unpacking C:\oc4j\j2ee\home\applications\aam\aam.war...
2006-09-07 13:45:58.750 NOTIFICATION Unpacking aam.war
2006-09-07 13:45:58.765 NOTIFICATION Unjar C:\oc4j\j2ee\home\applications\aam\aam.war in C:\oc4j\j2ee\home\applications\aam\aam
2006-09-07 13:45:58.765 NOTIFICATION Done unpacking aam.war
2006-09-07 13:45:58.765 NOTIFICATION Finished auto-unpacking C:\oc4j\j2ee\home\applications\aam\aam.war
2006-09-07 13:45:58.812 NOTIFICATION Initialize C:\oc4j\j2ee\home\applications\aam.ear ends...
2006-09-07 13:45:58.828 NOTIFICATION Starting application : aam
2006-09-07 13:45:58.828 NOTIFICATION Initializing ClassLoader(s)
2006-09-07 13:45:58.828 NOTIFICATION Initializing EJB container
2006-09-07 13:45:58.828 NOTIFICATION Loading connector(s)
2006-09-07 13:45:58.843 NOTIFICATION application : aam is in failed state
06/09/07 13:45:58 WARNING: Application.setConfig Application: aam is in failed state as initialization failedjava.lang.InstantiationException
Sep 7, 2006 1:45:58 PM com.evermind.server.Application setConfig
WARNING: Application: aam is in failed state as initialization failedjava.lang.InstantiationException
06/09/07 13:45:58 oracle.oc4j.admin.internal.DeployerException: java.lang.InstantiationException
06/09/07 13:45:58 at oracle.oc4j.admin.internal.ApplicationDeployer.addApplication(ApplicationDeployer.java:510)
06/09/07 13:45:58 at oracle.oc4j.admin.internal.ApplicationDeployer.doDeploy(ApplicationDeployer.java:191)
06/09/07 13:45:58 at oracle.oc4j.admin.internal.DeployerBase.execute(DeployerBase.java:93)
06/09/07 13:45:58 at oracle.oc4j.admin.jmx.server.mbeans.deploy.OC4JDeployerRunnable.doRun(OC4JDeployerRunnable.java:52)
06/09/07 13:45:58 at oracle.oc4j.admin.jmx.server.mbeans.deploy.DeployerRunnable.run(DeployerRunnable.java:81)
06/09/07 13:45:58 at EDU.oswego.cs.dl.util.concurrent.PooledExecutor$Worker.run(PooledExecutor.java:814)
06/09/07 13:45:58 at java.lang.Thread.run(Thread.java:595)
06/09/07 13:45:58 Caused by: java.lang.InstantiationException
06/09/07 13:45:58 at com.evermind.server.ApplicationStateRunning.initDataSources(ApplicationStateRunning.java:1424)
06/09/07 13:45:58 at com.evermind.server.ApplicationStateRunning.initializeApplication(ApplicationStateRunning.java:195)
06/09/07 13:45:58 at com.evermind.server.Application.setConfig(Application.java:391)
06/09/07 13:45:58 at com.evermind.server.Application.setConfig(Application.java:308)
06/09/07 13:45:58 at com.evermind.server.ApplicationServer.addApplication(ApplicationServer.java:1771)
06/09/07 13:45:58 at oracle.oc4j.admin.internal.ApplicationDeployer.addApplication(ApplicationDeployer.java:507)
06/09/07 13:45:58 ... 6 more
2006-09-07 13:45:58.890 NOTIFICATION Application Deployer for aam FAILED.
2006-09-07 13:45:58.890 NOTIFICATION Application UnDeployer for aam STARTS.
2006-09-07 13:45:58.906 NOTIFICATION Removing all web binding(s) for application aam from all web site(s)
2006-09-07 13:45:59.015 NOTIFICATION Application UnDeployer for aam COMPLETES.
06/09/07 13:45:59 WARNING: DeployerRunnable.run java.lang.InstantiationExceptionoracle.oc4j.admin.internal.DeployerException: java.lang.InstantiationException
at oracle.oc4j.admin.internal.DeployerBase.execute(DeployerBase.java:126)
at oracle.oc4j.admin.jmx.server.mbeans.deploy.OC4JDeployerRunnable.doRun(OC4JDeployerRunnable.java:52)
at oracle.oc4j.admin.jmx.server.mbeans.deploy.DeployerRunnable.run(DeployerRunnable.java:81)
at EDU.oswego.cs.dl.util.concurrent.PooledExecutor$Worker.run(PooledExecutor.java:814)
at java.lang.Thread.run(Thread.java:595)
Caused by: java.lang.InstantiationException
at com.evermind.server.ApplicationStateRunning.initDataSources(ApplicationStateRunning.java:1424)
at com.evermind.server.ApplicationStateRunning.initializeApplication(ApplicationStateRunning.java:195)
at com.evermind.server.Application.setConfig(Application.java:391)
at com.evermind.server.Application.setConfig(Application.java:308)
at com.evermind.server.ApplicationServer.addApplication(ApplicationServer.java:1771)
at oracle.oc4j.admin.internal.ApplicationDeployer.addApplication(ApplicationDeployer.java:507)
at oracle.oc4j.admin.internal.ApplicationDeployer.doDeploy(ApplicationDeployer.java:191)
at oracle.oc4j.admin.internal.DeployerBase.execute(DeployerBase.java:93)
... 4 more
2006-09-07 13:45:59.031 WARNING java.lang.InstantiationException -
Problem with role mapping in custom login module
Hi all,
I have developed custom login modules. They don't use the default user store but own data tables holding the necessary user information.
Login works fine. But there is one big problem: Only those users that exist with the same user-id in the default user store get roles assigned to it. Whicht leads to 403-errors in my web application.
Now, this is weired because a user with id 'Susi' has completely different passwords in my custom tables and in the user store, therefore it shouldn't be possible to authenticate 'Susi' against the default user management.
Next thing is, I don't use the default login modules at all. So why does the application validates against the user store?
I thought a source of the problem might be that I don't set the roles correctly. I set the roles as a principal to the subject. I have chosen the role based mapping in the web-engine.xml and mapped all my custom roles to the server role 'guests'.
Could anybody think of a solution to this problem ?
Thanks, AstridAstrid,
Sorry to go off-topic on your post...but I have a question in relation to how you deploy your login module. Do you deploy the login module with your application ? I've developed a login module that I would like to deploy by itself, I currently deploy it with the calculator example and it works fine like this, but I need to deploy it by itself. Any tips you can give would be greatly appreciated.
I've tried to use the deploytool and deploy the module as a library...but I get a "cannot load a login module" in the logs when authenticating a user. -
How to get Custom Login Module to communicate with frontendtarget
We have created a custom login module and placed it in our login module stack.
So we have the following 3 Login Modules in our stack:
EvaluateTicketModule
OurCustomLoginModule
CreateTicketModule
Also we are using the standard SAP login screen for our frontendtarget, see our authschemes.xml entry:
<authscheme name="cglogon">
<authentication-template>
form
</authentication-template>
<priority>21</priority>
<frontendtype>2</frontendtype>
<frontendtarget>com.sap.portal.runtime.logon.certlogon</frontendtarget>
</authscheme>
Question:
There are standard screens in the SAP login PAR:
changePasswordPage.jsp
umLogonProblemPage.jsp
umResetPasswordPage.jsp
How do I trigger one of these screens from my Login() method of my
custom login module? I thought if I throw some specific exception, these screens would
be called?A bit more info.
We created a new Authentication Scheme for certain iviews that are deemed more "sensitive" that required a step-up authentication.
I changed the Iview property "Authentication Scheme" to our custom one.
If I navigate into one of these more sensitive Iviews, I get the standard SAP login screen: <frontendtarget>com.sap.portal.runtime.logon.certlogon</frontendtarget>
Whis is what i expect.
I enter a username and password and click Logon button. I see that it successfully hits our custom login module and goes through Login(), and Commit() methods and finally displays the iview i originally requested.
However, on a failure, i want it to return focus to the SAP login screen with an error explaining why...(i.e. wrong password, account locked, etc.)
However, It always give iview runtime exception with Access Denied.
#1.5 #0018FE8C6FD800690000029000004D6C00045B6E5E7D6014#1226429496628#com.sap.engine.services.security.authentication.logincontext#sap.com/irj#com.sap.engine.services.security.authentication.logincontext#JOHNDOE#182##servername_EPX_176065950#JOHNDOE#bb3365a0b02111ddabea0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_24##0#0#Debug##Java###Login module {0} from authentication stack {1} does not authenticate the caller.#2#companyname.com.CGLoginModuleClass#form#
#1.5 #0018FE8C6FD800690000029100004D6C00045B6E5E7D6275#1226429496629#com.sap.engine.services.security.authentication.loginmodule.ticket.EvaluateTicketLoginModule#sap.com/irj#com.sap.engine.services.security.authentication.loginmodule.ticket.EvaluateTicketLoginModule.abort()#JOHNDOE#182##servername_EPX_176065950#JOHNDOE#bb3365a0b02111ddabea0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_24##0#0#Path##Plain###Entering method#
#1.5 #0018FE8C6FD800690000029200004D6C00045B6E5E7D6308#1226429496629#com.sap.engine.services.security.authentication.loginmodule.ticket.EvaluateTicketLoginModule#sap.com/irj#com.sap.engine.services.security.authentication.loginmodule.ticket.EvaluateTicketLoginModule#JOHNDOE#182##servername_EPX_176065950#JOHNDOE#bb3365a0b02111ddabea0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_24##0#0#Debug##Plain###Internal Login Module data has been reset.#
#1.5 #0018FE8C6FD800690000029300004D6C00045B6E5E7D6386#1226429496629#com.sap.engine.services.security.authentication.loginmodule.ticket.EvaluateTicketLoginModule#sap.com/irj#com.sap.engine.services.security.authentication.loginmodule.ticket.EvaluateTicketLoginModule#JOHNDOE#182##servername_EPX_176065950#JOHNDOE#bb3365a0b02111ddabea0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_24##0#0#Path##Java###Exiting method with {0}#1#true#
#1.5 #0018FE8C6FD800690000029400004D6C00045B6E5E7D6438#1226429496629#com.sap.engine.services.security.authentication.loginmodule.ticket.CreateTicketLoginModule#sap.com/irj#com.sap.engine.services.security.authentication.loginmodule.ticket.CreateTicketLoginModule.abort()#JOHNDOE#182##servername_EPX_176065950#JOHNDOE#bb3365a0b02111ddabea0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_24##0#0#Path##Plain###Entering method#
#1.5 #0018FE8C6FD800690000029500004D6C00045B6E5E7D64B2#1226429496629#com.sap.engine.services.security.authentication.loginmodule.ticket.CreateTicketLoginModule#sap.com/irj#com.sap.engine.services.security.authentication.loginmodule.ticket.CreateTicketLoginModule#JOHNDOE#182##servername_EPX_176065950#JOHNDOE#bb3365a0b02111ddabea0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_24##0#0#Path##Java###Exiting method with {0}#1#true#
#1.5 #0018FE8C6FD800690000029700004D6C00045B6E5E7D6750#1226429496630#com.sap.engine.services.security.authentication.logincontext#sap.com/irj#com.sap.engine.services.security.authentication.logincontext#JOHNDOE#182##servername_EPX_176065950#JOHNDOE#bb3365a0b02111ddabea0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_24##0#0#Info#1#/System/Security/Authentication#Plain###LOGIN.FAILED
User: N/A
Authentication Stack: form
Login Module Flag Initialize Login Commit Abort Details
1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok exception true authscheme not sufficient: uidpwdlogon<cglogon
\#1 ume.configuration.active = true
2. companyname.com.CGLoginModuleClass REQUISITE ok exception true Authentication did not succeed.
3. com.sap.security.core.server.jaas.CreateTicketLoginModule OPTIONAL ok true
\#1 ume.configuration.com = true#
#1.5 #0018FE8C6FD800690000029900004D6C00045B6E5E7DA973#1226429496647#System.err#sap.com/irj#System.err#JOHNDOE#182##servername_EPX_176065950#JOHNDOE#bb3365a0b02111ddabea0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_24##0#0#Error##Plain###Nov 11, 2008 10:51:36... com.sap.portal.portal [SAPEngine_Application_Thread[impl:3]_24] Error: Exception ID:10:51_11/11/08_0002_176065950
#1.5 #0018FE8C6FD800690000029B00004D6C00045B6E5E7DCA91#1226429496647#com.sap.portal.portal#sap.com/irj#com.sap.portal.portal#JOHNDOE#182##servername_EPX_176065950#JOHNDOE#bb3365a0b02111ddabea0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_24##0#0#Error#1#/System/Server#Java###Exception ID:10:51_11/11/08_0002_176065950
[EXCEPTION]
{0}#1#com.sapportals.portal.prt.runtime.PortalRuntimeException: Access is denied: pcd:portal_content/com.companyname.portal.capitalgroup/com.companyname.com.security/com.companyname.portal.cghressnaaa/com.sap.pct.ess.employee_self_service/com.companyname.pg_sensitiveWebdynpro/com.cg.ivu_saplogon_0 - user: Guest
at com.sapportals.portal.prt.deployment.DeploymentManager.getPropertyContentProvider(DeploymentManager.java:1936)
at com.sapportals.portal.prt.core.broker.PortalComponentContextItem.refresh(PortalComponentContextItem.java:230)
at com.sapportals.portal.prt.core.broker.PortalComponentContextItem.getContext(PortalComponentContextItem.java:312)
at com.sapportals.portal.prt.component.PortalComponentRequest.getComponentContext(PortalComponentRequest.java:385)
at com.sapportals.portal.prt.connection.PortalRequest.getRootContext(PortalRequest.java:435)
at com.sapportals.portal.prt.core.PortalRequestManager.runRequestCycle(PortalRequestManager.java:607)
at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:240)
at com.sapportals.portal.prt.dispatcher.Dispatcher$doService.run(Dispatcher.java:545)
and here's my login method...
public boolean login() throws javax.security.auth.login.LoginException
this.succeeded = false;
String passwordString = "";
if (callbackHandler == null)
throw new LoginException("Error: no CallbackHandler available to garner authentication information from the user");
HttpGetterCallback httpgettercallback = new HttpGetterCallback();
NameCallback nc = new NameCallback("User:");
PasswordCallback pc = new PasswordCallback("Password:", false);
Callback[] callbacks = new Callback[] { nc, pc };
try
callbackHandler.handle(callbacks);
catch (IOException e)
throwUserLoginException(e, LoginExceptionDetails.IO_EXCEPTION);
catch (UnsupportedCallbackException e)
return false;
String userid = nc.getName();
char[] password = pc.getPassword();
pc.clearPassword();
if (userid.length() == 0)
throwNewLoginException("USERID IS MISSING!", LoginExceptionDetails.IO_EXCEPTION);
else
username = userid;
if (password.length == 0)
throwNewLoginException("PASSWORD IS MISSING!", LoginExceptionDetails.NO_PASSWORD);
else
passwordString = new String(password);
String eccLoginResult = validateECCAuthentication(username, passwordString);
if (!eccLoginResult.equals(""))
myLoc.infoT(this.username + " - failed ECC authentication.");
throwNewLoginException("Wrong UserId/Password", LoginExceptionDetails.WRONG_USERNAME_PASSWORD_COMBINATION);
else
myLoc.infoT(this.username + " - failed ECC authentication.");
this.succeeded = true;
if (this.succeeded)
try
refreshUserInfo(this.username);
catch (SecurityException e)
throwUserLoginException(e);
if (sharedState.get(AbstractLoginModule.NAME) == null)
sharedState.put(AbstractLoginModule.NAME, this.username);
this.nameSet = true;
else
throwNewLoginException("Wrong UserId/Password", LoginExceptionDetails.WRONG_USERNAME_PASSWORD_COMBINATION);
return this.succeeded; -
Custom Login Module that should check only userId with out passwd
Hi All,
Can we write a custom login module which should check user name in the HTTPHeader and let the user login if the user id exists in the userstore(Active Directory Server).
It should not validate with the passwd, as the requesting server sends only the user id in the HTtp Header.
Is it possible to do this ?if so can anyone give me some inouts. I know how to configure cutom login module. But i am not sure with out validating th epasswd we can let the user log in through custom login module.
can anyone send me sample code.
Thanks a lot
LakshmiHi Lakshmi,
What describe the real issue you are trying to solve?
Regards
-Venkat Malempati -
Custom login module for EP7.4 with Captcha
Hi
I am trying to create a custom login module which validates the captcha shown at the login screen using SAP help link:
http://help.sap.com/saphelp_nw73/helpdata/en/48/ff4faf222b3697e10000000a42189b/content.htm?frameset=/en/48/fcea4f62944e88e10000000a421937/frameset.htm¤t_toc=/en/74/8ff534d56846e2abc61fe5612927bf/plain.htm&node_id=20
The session is being set in the Captcha servlet which is used to render the image on the login page.
However when I am trying to compare it with input or print the session value, its throwing an exception.
I checked in the NWA logs and it just shows the following error message:
6. com.temp.loginModule.MyLoginModuleClass OPTIONAL ok exception true Authentication did not succeed.
Please help me analyse the error stack. Can someone point where do i check the detailed logs to trace the issue?
Please find below source of my login module.
package com.temp.loginModule;
import java.io.IOException;
import java.util.Map;
import javax.security.auth.login.LoginException;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import nl.captcha.Captcha;
import com.sap.engine.interfaces.security.auth.AbstractLoginModule;
import com.sap.engine.lib.security.http.HttpGetterCallback;
import com.sap.engine.lib.security.http.HttpCallback;
import com.sap.engine.lib.security.LoginExceptionDetails;
import com.sap.engine.lib.security.Principal;
public class MyLoginModuleClass extends AbstractLoginModule{
private CallbackHandler callbackHandler = null;
private Subject subject = null;
private Map sharedState = null;
private Map options = null;
// This is the name of the user you have created on
// the AS Java so you can test the login module
private String userName = null;
private boolean successful;
private boolean nameSet;
public void initialize(Subject subject, CallbackHandler callbackHandler,
Map sharedState, Map options) {
// This is the only required step for the method
super.initialize(subject, callbackHandler, sharedState, options);
// Initializing the values of the variables
this.callbackHandler = callbackHandler;
this.subject = subject;
this.sharedState = sharedState;
this.options = options;
this.successful = false;
this.nameSet = false;
* Retrieves the user credentials and checks them. This is
* the first part of the authentication process.
public boolean login() throws LoginException {
// HttpGetterCallback httpGetterCallback = new HttpGetterCallback();
// httpGetterCallback.setType(HttpCallback.REQUEST_PARAMETER);
// httpGetterCallback.setName("captchaInput");
String value = null;
// try {
// callbackHandler.handle(new Callback[] { httpGetterCallback });
// String[] arrayRequestparam = (String[]) httpGetterCallback.getValue();
// if(arrayRequestparam!=null && arrayRequestparam.length>0)
// value = arrayRequestparam[0];
// } catch (UnsupportedCallbackException e) {
// throwNewLoginException("An error occurred while trying to validate credentials.");
// } catch (IOException e) {
// throwUserLoginException(e, LoginExceptionDetails.IO_EXCEPTION);
value = getRequestValue("captchaInput");
userName = getRequestValue("j_username");
HttpGetterCallback httpGetterCallbackSessionCaptcha = new HttpGetterCallback();
httpGetterCallbackSessionCaptcha.setType(HttpCallback.SESSION_ATTRIBUTE);
httpGetterCallbackSessionCaptcha.setName("myCaptchaLogin");
try {
callbackHandler.handle(new Callback[] { httpGetterCallbackSessionCaptcha });
Captcha arraySessionParam = (Captcha) httpGetterCallbackSessionCaptcha.getValue();
// System.out.println("****************************************************httpGetterCallbackSessionCaptcha" + (arraySessionParam==null?"null session":arraySessionParam.getAnswer())+
// "\n captchaInput" + value+"*********************");
if(arraySessionParam==null || !arraySessionParam.isCorrect(value)){
throwNewLoginException("Entered code does not match with the image code.Session:"+(arraySessionParam==null?"null":arraySessionParam.getAnswer())+" Param:"+ value);
// throwUserLoginException(new Exception("Entered code does not match with the image code."));
httpGetterCallbackSessionCaptcha.setValue(null);
} catch (UnsupportedCallbackException e) {
throwNewLoginException("An error occurred while trying to validate credentials.");
} catch (IOException e) {
throwUserLoginException(e, LoginExceptionDetails.IO_EXCEPTION);
// Retrieve the user credentials via the callback
// handler.
// In this case we get the user name from the HTTP
// NameCallback.
// NameCallback nameCallback = new NameCallback("User name: ");
/* The type and the name specify which part of the HTTP request
* should be retrieved. For Web container authentication, the
* supported types are defined in the interface
* com.sap.engine.lib.security.http.HttpCallback.
* For programmatical authentication with custom callback
* handler the supported types depend on the used callback handler.
// try {
// callbackHandler.handle(new Callback[] {nameCallback});
// catch (UnsupportedCallbackException e) {
// return false;
// catch (IOException e) {
// throwUserLoginException(e, LoginExceptionDetails.IO_EXCEPTION);
// userName = nameCallback.getName();
// if( userName == null || userName.length() == 0 ) {
// return false;
/* When you know the user name, update the user information
* using data from the persistence. The operation must
* be done before the user credentials checks. This method also
* checks the user name so that if a user with that name does not
* exist in the active user store, a
* java.lang.SecurityException is thrown.
// try {
// refreshUserInfo(userName);
// } catch (SecurityException e) {
// throwUserLoginException(e);
/* Checks if the given user name starts with the specified
* prefix in the login module options. If no prefix is specified,
* then all users are trusted.
// String prefix = (String) options.get("user_name_prefix");
// if ((prefix != null) && !userName.startsWith(prefix)) {
// throwNewLoginException("The user is not trusted.");
/* This is done if the authentication of the login module is
* successful.
* Only one and exactly one login module from the stack must put
* the user name in the shared state. This user name represents
* the authenticated user.
* For example if the login attempt is successful, method
* getRemoteUser() of
* the HTTP request will retrieve exactly this name.
if (sharedState.get(AbstractLoginModule.NAME) == null) {
sharedState.put(AbstractLoginModule.NAME, userName);
nameSet = true;
successful = true;
return true;
* Commit the login. This is the second part of the authentication
* process.
* If a user name has been stored by the login() method,
* the user name is added to the subject as a new principal.
public boolean commit() throws LoginException {
if (successful) {
/* The principals that are added to the subject should
* implement java.security.Principal.You can use the class
* com.sap.engine.lib.security.Principal for this purpose.
Principal principal = new Principal(userName);
subject.getPrincipals().add(principal);
/* If the login is successful, then the principal corresponding
* to the <userName> (the same user name that has been added
* to the subject) must be added in the shared state too.
* This principal is considered to be the main principal
* representing the user.
* For example, this principal will be retrieved from method
* getUserPrincipal() of the HTTP request.
if (nameSet) {
sharedState.put(AbstractLoginModule.PRINCIPAL, principal);
} else {
userName = null;
return true;
* Abort the authentication process.
public boolean abort() throws LoginException {
if (successful) {
userName = null;
successful = false;
return true;
* Log out the user. Also removes the principals and
* destroys or removes the credentials that were associated
* with the user during the commit phase.
public boolean logout() throws LoginException {
// Remove principals and credentials from subject
if (successful) {
subject.getPrincipals(Principal.class).clear();
successful = false;
return true;
private String getRequestValue(String parameterName)
throws LoginException {
HttpGetterCallback httpGetterCallback = new HttpGetterCallback();
httpGetterCallback.setType(HttpCallback.REQUEST_PARAMETER);
httpGetterCallback.setName(parameterName);
String value = null;
try {
callbackHandler.handle(new Callback[] { httpGetterCallback });
String[] arrayRequestparam = (String[]) httpGetterCallback.getValue();
value = arrayRequestparam[0];
} catch (UnsupportedCallbackException e) {
return null;
} catch (IOException e) {
throwUserLoginException(e, LoginExceptionDetails.IO_EXCEPTION);
return value;
Regards
Ramanender SinghRamanender,
JAAS modules usually requires a restart whenever you need to change them. So be very careful with what you expect once you re-deploy your code.
Once the library is loaded it will never reload itself until you perform a restart of the VM.
Connect to the debug port may help, but basic debugging will not take you too far either.
I would recommend you to use the log tracing facility on your code. Just enter the following class attribute:
import com.sap.tc.logging.Location;
private static final Location trace = Location.getLocation(<your_classname_here>.class);
trace.warningT("Some Warning Text Here..." + variable here);
trace.debugT("Some Warning Text Here..." + variable here);
You may need to go NWA and set the Location Severity Level to Debug according to your needs.
Leave the trace code on your module for IT personnel to debug it if necessary. Don't forget to have the severity level of your code properly set.
Meaning: You don't want to have every trace message your module sills out with warningT() or infoT().
There is a excellent blog here on how this works
Then you will be able to inspect some variable contents while the callbackhandler is being executed.
Pay special attention with the timing - variables have a lifetime when dealing with login modules.
Use the entering(<method_name>) and exiting(<method_name> just ot make sure where in the code the variable should be populated and when.
BR,
Ivan -
Custom pluggable idm with custom login module
Hello All. I've developed a custom implementation of the pluggable identity management framework as explained in chapter 13 of the book "Oracle® Containers for J2EE Security Guide10g (10.1.3.1.0)". I have OAS 10.1.3.1.0.
Everything works fine except when the identity is validated with in the tokenAsserter. The process is supposed to continue with the login method implemented in my custom login module but instead the default oracle implementation (RealmLoginModule) is being executed.
The application is a servlet and is configured to use a custom loginModule. If I don't use de custom auth method (auth-method="CUSTOM_AUTH" in orion-application) my loginModule is called but when I plug it to my custom idm implementation it doesn't.
The custom idm is packed in to a jar containing the idm and the login module. The jar is deployed to the <ORACLE_HOME>/ext/lib directory.
Any suggestions? ThanksThanks for your answer, it really helps. I had already cheeked all that stuff and it was correct, but knowing that another person had made it worked the same way I was doing it, made me think I was doing it right and the problem may simpler. It really was. OC4J was really calling my login module all the time but it was getting a runtime exception, a very simple one, that was making OC4J to propagate the authentication to the default login module (RealmLoginModule), and that was the error I was watching in the logs that had me all confused.
I will start another thread though about stolen cookie in a SSO solution that I’m developing with this implementation.
Thank you. -
Custom login module with 10.1.3
Hello all,
I've been trying out Frank N's custom login module (http://www.oracle.com/technology/products/jdev/howtos/10g/jaassec/index.htm) with JDev 10.1.3/OC4J 10.1.3 and am not having much luck.
Whenever I add <property name="role.mapping.dynamic" value="true"/> to orion-application.xml, the application fails to deploy with java.lang.InstantiationException. I even get this error when I try to set up a custom login module using the enterprise manager for OC4J 10.1.3. Is this a bug, or does the doc need to be updated? Without this item configured, I do get the basic login prompt, but no logging or anything - which indicates to me that the custom login module is not even being called. Nothing on metalink either.
Thanks,
Johnhmm i dont know... custom login module (db authentication) definitely works with standalone 10.1.3.0.0 and jdevloper standalone, but it doesnt work with jdev embeded oc4j (jdevstudio1013\jdev\system\oracle.j2ee.10.1.3.36.73\embedded-oc4j)
i have the code, and it works.. however the application is entirerly made in jdev 10.1.3.04 production, it is not migrated from previous jdev.. make sure to deploy from war file (i have prob to deploy from ear)
the only big problem i got is to setup ssl in separate oc4j standalone (ssl works with jdev standalone) and make client athentication to work
because it wont run as it should.. (i did not have this prob in 10.1.2.1) -
Custom Login Module with Adf 11g and and weblogic server
I have configured adf security on my application. I have checked the authentication and authorization are working fine with the default authenticator.
I am trying to create a custom login module. I have downloaded the custom login module implementation jaasdatabaseloginmodule.zip http://www.oracle.com/technetwork/developer-tools/jdev/index-089689.html. I have added the DBLoginModule.jar to my application. post written by Frank Nimphius and Duncan Mills
I have configured the jps config under the application resources with these entries.
<jpsConfig xmlns="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd">
<property value="true" name="custom.provider"/>
<property value="doasprivileged" name="oracle.security.jps.jaas.mode"/>
<serviceInstance name="CustomFFMLoginModule"
provider="jaas.login.provider">
<property name="jaas.login.controlFlag" value="REQUIRED"/>
<property name="log.level" value="FINEST"/>
<property name="debug" value="true"/>
<property name="addAllRoles" value="true"/>
<property name="loginModuleClassName"
value="oracle.sample.dbloginmodule.DBTableLM.ALSDBTableLoginModule"/>
<property value="jdbc/ApplicationDBDS" name="data_source_name"/>
</serviceInstance>
<jpsContexts default="FFMSecurityDAM">
<jpsContext name="FFMSecurityDAM">
<serviceInstanceRef ref="CustomFFMLoginModule"/>
<serviceInstanceRef ref="credstore"/>
<serviceInstanceRef ref="anonymous"/>
<serviceInstanceRef ref="policystore.xml"/>
</jpsContext>
When I run the application this custom login is not getting invoked.
I even tried to add these contents to DefaultDomain\config\fmwconfig\jps-config.xml still no result.
Can anyone who has configured custom login module direct me how to correct my application.Hi Frank,
After following the documentation suggested. I am able to create custom authenticator. But when I login I getting the below exception. When I debugged login method returned true. But this error is being thrown after that. Any clue.
java.lang.IllegalArgumentException: [Security:097531]Method com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principals) was unable to sign a principal
at com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(PrincipalValidationServiceImpl.java:188)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.bea.common.security.internal.utils.Delegator$ProxyInvocationHandler.invoke(Delegator.java:57)
at $Proxy10.sign(Unknown Source)
at weblogic.security.service.internal.WLSIdentityServiceImpl.getIdentityFromSubject(WLSIdentityServiceImpl.java:63)
at com.bea.common.security.internal.service.JAASLoginServiceImpl.login(JAASLoginServiceImpl.java:119)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.bea.common.security.internal.utils.Delegator$ProxyInvocationHandler.invoke(Delegator.java:57)
at $Proxy16.login(Unknown Source)
at weblogic.security.service.internal.WLSJAASLoginServiceImpl$ServiceImpl.login(WLSJAASLoginServiceImpl.java:91)
at com.bea.common.security.internal.service.JAASAuthenticationServiceImpl.authenticate(JAASAuthenticationServiceImpl.java:82)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.bea.common.security.internal.utils.Delegator$ProxyInvocationHandler.invoke(Delegator.java:57)
at $Proxy34.authenticate(Unknown Source)
at weblogic.security.service.WLSJAASAuthenticationServiceWrapper.authenticate(WLSJAASAuthenticationServiceWrapper.java:40)
at weblogic.security.service.PrincipalAuthenticator.authenticate(PrincipalAuthenticator.java:348)
at weblogic.servlet.security.internal.SecurityModule.checkAuthenticate(SecurityModule.java:237)
at weblogic.servlet.security.internal.SecurityModule.checkAuthenticate(SecurityModule.java:186)
at weblogic.servlet.security.internal.FormSecurityModule.processJSecurityCheck(FormSecurityModule.java:254)
at weblogic.servlet.security.internal.FormSecurityModule.checkUserPerm(FormSecurityModule.java:209)
at weblogic.servlet.security.internal.FormSecurityModule.checkAccess(FormSecurityModule.java:92)
at weblogic.servlet.security.internal.ServletSecurityManager.checkAccess(ServletSecurityManager.java:82)
at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2204)
at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2174)
at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1446)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:173) -
Issues with OSSO ,custom login module and form based authentication
Hi:
We are facing issues with OSSO (Oracle Single Sign on ),Our application use the form based
authentication and Custom login module.
Application is going in infinite loop when we we try to login using osso ,from the logs
what I got is looks like tha when we we try to login from OSSO application goes to the login
page and it gets the remote user from request so it forwards it to the home page till now
it is correct behaviour ,but after that It looks like home page find that authentication is
not done and sends it back to the login page and login page again sends it to the home as it
finds that remote user is not null.
Our web.xml form authentication entry looks like this :
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/jsp/login.jsp</form-login-page>
<form-error-page>/jsp/couldnotlogin.jsp</form-error-page>
</form-login-config>
</login-config>
While entry in orion-application.xml has the following entry for custom login :
<jazn provider="XML">
<property name="custom.loginmodule.provider" value="true" />
<property name="role.mapping.dynamic" value="true" />
</jazn>
Whether If I change the authentication type to BASIC and add the following line
in orion-application.xml will solve the issue :
<jazn provider="XML">
<property name="custom.loginmodule.provider" value="true" />
<property name="role.mapping.dynamic" value="true" />
<jazn-web-app auth-method="SSO" >
</jazn>
Any help regarding it will be appreciated .
Thanks
AnilHi:
We are facing issues with OSSO (Oracle Single Sign on ),Our application use the form based
authentication and Custom login module.
Application is going in infinite loop when we we try to login using osso ,from the logs
what I got is looks like tha when we we try to login from OSSO application goes to the login
page and it gets the remote user from request so it forwards it to the home page till now
it is correct behaviour ,but after that It looks like home page find that authentication is
not done and sends it back to the login page and login page again sends it to the home as it
finds that remote user is not null.
Our web.xml form authentication entry looks like this :
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/jsp/login.jsp</form-login-page>
<form-error-page>/jsp/couldnotlogin.jsp</form-error-page>
</form-login-config>
</login-config>
While entry in orion-application.xml has the following entry for custom login :
<jazn provider="XML">
<property name="custom.loginmodule.provider" value="true" />
<property name="role.mapping.dynamic" value="true" />
</jazn>
Whether If I change the authentication type to BASIC and add the following line
in orion-application.xml will solve the issue :
<jazn provider="XML">
<property name="custom.loginmodule.provider" value="true" />
<property name="role.mapping.dynamic" value="true" />
<jazn-web-app auth-method="SSO" >
</jazn>
Any help regarding it will be appreciated .
Thanks
Anil
Maybe you are looking for
-
My downloads are not appearing in the download folder
(using mac) My download window--I can click on items that are there and "show in finder" and then they appear in the finder...but otherwise, my downloads folder has no new items in it and even if I search with the right file name, it will not appear.
-
I am using Windows 7 and AVG
-
Wrongly Captured Excise Invoice
Dear all , I have an excise invoice in which the BED is 110/- which for some reason has been wrongly charged by the vendor. But as per my calculation BED should be 100/-. During MIGO the excise invoice was captured (only) with the system suggested va
-
HOWTO: accountActivation -step 1, step 2
I am really confused on how to do something. I am emailing my new users a URL with a parameter which has their account info I need to "activate" their account. I have a single session bean that is shared between two pages (registrationActivation.jsp
-
Adobe Form: Dynamic vlaue for Include text name. Script Coding
Hi, Situtation: Need to print an 'Include Text' in the Adobe form. The key texname for the include name is dynamic - invoice number + position number. I have created a Global Data variable item_textkey and assigned it to the inculde textname in 'Co