Bind authenticated Subject to container

In a web application I use JAAS to authenticate users of the web application. When the authentication is successful, I retrieve the authenticated Subject from my LoginContext using the getSubject() method. As a result of the successful authentication, one or more Principal objects will be associated with this Subject.
Here is the point: After the user has been authenticated, I want to use the isUserInRole() method to check whether the user possesses certain roles (i.e. Principal objects). However, in order to do so, the container which runs the web application (JBoss 4) must know about the authenticated Subject. In other words: Before I can use the isUserInRole() method, I must somehow bind the authenticated Subject to the container. Is there a way in which this can be accomplished?
Note: I do not want to use container managed security by enabling FORM authentication in web.xml because this has as disadvantage that I lose the control over the authentication process (JBoss will then under the hood instantiate a LoginContext object and there is no way, as far as I know, to obtain a reference to this LoginContext).
Thanks for any help.
Ronald

We have a howto for custom login modules here:
http://www.oracle.com/technology/tech/java/oc4j/1013/how_to/howtocustomjaasprovider/doc/howtocustomjaasprovider.html
As far as adding a third field, I think this would be managed in a login module's callback handler. This is from our docs:
A callback handler is a javax.security.auth.callback.CallbackHandler instance that allows a login module to interact with a user to obtain login information. The only method specified by CallbackHandler is the handle(Callback[]) method, which takes an array of callbacks, which are instances of a class that implements the javax.security.auth.callback.Callback interface. Callbacks do not retrieve or display requested information from the underlying security service, but simply provide the functionality to pass the requests to an application and, as applicable, to return the requested information back to the security service.
Callback implementations in the javax.security.auth.callback package include: a name callback handler (NameCallback) to handle a user name, a password callback handler (PasswordCallback) to handle a password, and a text input callback handler (TextInputCallback) to handle any field in a login form other than a user name or password field.
If authentication succeeds, then the authenticated subject can be retrieved by invoking the getSubject() method of the LoginContext instance.
Different login modules can be configured with different applications, and a single application can use multiple login modules. The JAAS framework defines a two-phase authentication process to coordinate the login modules configured for an application.
You would probably follow these steps:
1. Create a LoginContext
2. Pass the CallbackHandlers to the LoginContext for gathering/processing authentication data
3. Then authenticate by calling the LoginContext's login() method
I think you can google examples of the TextInputHandler callback
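The three steps in the reply, written out as an added example (this is not code from the original thread or from the Oracle how-to). It assumes Java 16+ (records and pattern-matching instanceof). The account name, password and tenant are constructed for the example; the TextInputCallback prompt string "tenant", the RolePrincipal class and the DemoLoginModule are all assumptions of this example, not standard JAAS names. The Configuration is supplied programmatically, so no login.config file is needed. Note what this does and does not give you: after login() the Subject carries a RolePrincipal that your own code can check, but HttpServletRequest.isUserInRole() still only sees what the container itself was told about.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Arrays;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class ThreeFieldLogin {

    /** Role principal that commit() adds to the Subject; role checks look for these. */
    public record RolePrincipal(String name) implements Principal {
        @Override public String getName() { return name; }
    }

    /** Hands the three form fields to whichever login module asks for them. */
    public static final class FormCallbackHandler implements CallbackHandler {
        private final String user, tenant;
        private final char[] password;

        public FormCallbackHandler(String user, char[] password, String tenant) {
            this.user = user; this.password = password; this.tenant = tenant;
        }

        @Override
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback nc) {
                    nc.setName(user);
                } else if (cb instanceof PasswordCallback pc) {
                    pc.setPassword(password);            // PasswordCallback stores a copy
                } else if (cb instanceof TextInputCallback tc && "tenant".equals(tc.getPrompt())) {
                    tc.setText(tenant);                  // the third, non-standard field
                } else {
                    throw new UnsupportedCallbackException(cb, "unexpected callback");
                }
            }
        }
    }

    /** Minimal login module; the one account it knows is constructed for this example. */
    public static final class DemoLoginModule implements LoginModule {
        private static final byte[] ALICE_PASSWORD = "s3cret".getBytes(StandardCharsets.UTF_8);
        private Subject subject;
        private CallbackHandler handler;
        private boolean succeeded;

        @Override
        public void initialize(Subject subject, CallbackHandler handler,
                               Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
            this.handler = handler;
        }

        @Override
        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user");
            PasswordCallback pc = new PasswordCallback("password", false);
            TextInputCallback tc = new TextInputCallback("tenant");
            try {
                handler.handle(new Callback[] { nc, pc, tc });
            } catch (IOException | UnsupportedCallbackException e) {
                throw new LoginException("cannot collect credentials: " + e.getMessage());
            }
            char[] pw = pc.getPassword();
            pc.clearPassword();
            byte[] given = pw == null ? new byte[0] : new String(pw).getBytes(StandardCharsets.UTF_8);
            if (pw != null) Arrays.fill(pw, '\0');
            // Constant-time compare; all three fields must match the (constructed) record.
            succeeded = "alice".equals(nc.getName()) && "acme".equals(tc.getText())
                    && MessageDigest.isEqual(ALICE_PASSWORD, given);
            if (!succeeded) throw new FailedLoginException("invalid user, password or tenant");
            return true;
        }

        @Override public boolean commit() {
            if (succeeded) subject.getPrincipals().add(new RolePrincipal("admin"));
            return succeeded;
        }
        @Override public boolean abort() { succeeded = false; return true; }
        @Override public boolean logout() {
            subject.getPrincipals().removeIf(p -> p instanceof RolePrincipal);
            return true;
        }
    }

    /** Programmatic Configuration, so no login.config file or -D option is needed. */
    static Configuration configuration() {
        return new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                        DemoLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Map.of()) };
            }
        };
    }

    /** Steps 1-3 from the reply: create the LoginContext, give it the handler, call login(). */
    public static Subject login(String user, char[] password, String tenant) throws LoginException {
        LoginContext lc = new LoginContext("demo", null,
                new FormCallbackHandler(user, password, tenant), configuration());
        lc.login();
        return lc.getSubject();
    }

    public static void main(String[] args) throws LoginException {
        Subject s = login("alice", "s3cret".toCharArray(), "acme");
        System.out.println("principals after login: " + s.getPrincipals(RolePrincipal.class));
        try {
            login("alice", "s3cret".toCharArray(), "other-tenant");
        } catch (FailedLoginException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Two details worth keeping in a real module: the handler rejects any callback it was not written for instead of silently ignoring it, so a misconfigured module fails loudly rather than authenticating on partial data, and the password array is wiped as soon as it has been compared.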

Similar Messages

  • How to access the authenticated Subject?

    Hello
    I'm using WS Security, and I have made a custom login module. I have registered the login module and it is working fine. But I have problems accessing the authenticated subject later.
    Any suggestions ?

    Hi,
    where do you store the authenticated Subject ?
    Frank

  • Ws-security runtime authentication subject

    Hi,
    When the ws-runtime performs the authentication based on the security token, does it attach the authenticated subject to the current thread?
    In the server-side handler for a webservices on which ws-security is enabled via ws-policy, if I call
    SubjectUtils.getUsername(weblogic.security.Security.getCurrentSubject())
    I am not getting the username I passed in the token as the authenticated subject.
    Can you please tell me which user does it attach to the current thread in webservices?

    Thanks for the reply.
    Does that mean there is NO WAY to do X.509 certificate authentication between OEG and OAM, regardless of any OEG filter?
    Cliff

  • How To tell ADF Framework to use my authenticated subject?

    Hi,
    let's say that I have a subject instance which is authenticated through WebLogic server. Now I want to use this authenticated subject to protect my resources using ADF Security. So how should I tell this to the ADF framework programmatically? For example, I can think of storing my principal and roles in some type of objects and storing them in the session in a format that's understandable by the framework. By understandable I mean ADFContext.getCurrent.getSecurityContext.isUserAuthenticated returns true, getPrincipal returns my authenticated principal. I appreciate your help.
    Best Regards,
    Salim

    Hi Chris,
    I want to implement programmatic authentication. I was able to authenticate given the LoginModule (weblogic.security.auth.login.UsernamePasswordLoginModule), LoginContext (javax.security.auth.login.LoginContext) and a callback handler.
    try {
        loginContext.login();
        Subject subject = loginContext.getSubject();
        // ... use the subject
    } catch (LoginException e) {
        // authentication failed
    }
    It authenticates successfully. But the problem is that it does not push the authenticated subject into the session. My guess is that there should be a way to configure the application server to use this subject for the session. I understand that ADF security just delegates calls to the application server. I thought maybe there is a way to do it with ADF. Thanks for the reply.
    Best Regards,
    Salim

  • Storing authenticated Subject

    I am creating a database application in which certain resources are restricted to certain users. Such users with access can login. I am using JAAS authentication, so I use the LoginContext.login function and retrieve a Subject from the loginContext object. However, where should I store it so that I can use it whenever I execute code with Subject.doAsPrivileged()?
    Someone suggested using a custom security manager extending the standard SecurityManager and setting that as the security manager with System.setSecurityManager(). A variable of type Subject or the LoginContext would be stored in this security manager and could be retrieved with System.getSecurityManager().


  • Rights for ldap bind authentication

    We have an external domain in the DMZ and we need to allow an external app to bind to our AD in the DMZ. What kind of user/rights do they need to bind?
    Can I just create a regular user?

    Hi,
    Thanks for your posting.
    I think the user should be a member of the "Authenticated Users" group.
    Meanwhile, please check this article to know about authentication mechanisms in AD LDS
    http://blogs.technet.com/b/idaguys/archive/2009/06/19/overiview-of-authentication-in-ad-lds.aspx
    https://ftps.nslc.org/doc/en/MOVEitDMZ_WebInterface_Settings_Security_EA_LDAPAuthOnly.htm
    Regards.
    Vivian Wang

  • DS 6: SSL certificate mapping with subject/issuer containing (")

    Hello,
    I got my personal test certificate from VeriSign, with an issuer: CN=VeriSign Class 1 Individual Subscriber CA - G2, OU=Persona Not Validated, OU=Terms of use at https://www.verisign.com/rpa (c)05, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
    The subject of the certificate ends with: ...OU=Digital ID Class 1 - Netscape, OU=Persona Not Validated, OU="www.verisign.com/repository/RPA Incorp. by Ref.,LIAB.LTD(c)98", OU=VeriSign Trust Network, O="VeriSign, Inc."
    My certmap.conf looks like:
    certmap VeriSign [issuerDN]
    VeriSign:FilterComps cn
    VeriSign:verifycert on
    VeriSign:CmapLdapAttr certSubjectDN
    The question is what's the valid form of these strings containing (") in certmap.conf ([issuerDN]) to match the issuer and in certSubjectDN attribute - assuming it follows DirectoryString syntax. Note that they surround strings containing comma (,).
    I see in logs:
    conn=1 op=-1 msgId=-1 - SSL 128-bit RC4; client *OU=Digital ID Class 1 - Netscape,OU=Persona Not Validated,OU=\22www.verisign.com/repository/RPA Incorp. by Ref.,LIAB.LTD(c)98\22,OU=VeriSign Trust Network,O=\22VeriSign, Inc.\22; issuer CN=VeriSign Class 1 Individual Subscriber CA - G2,OU=Persona Not Validated,OU=Terms of use at https://www.verisign.com/rpa (c)05,OU=VeriSign Trust Network,O=\22VeriSign, Inc.\22,C=US
    I tested configuration against cert strings from logs, but they don't work. Strings containing (") also don't work.
    Did anyone face the same issue?
    Thanks for help in advance.

    The DN normalized version of O="Verisign, Inc." is O=Verisign\, Inc.
    You may want to try this. But I must admit that I've never tried to do certificate mapping with quotes.
    The certificate mapping functionality hasn't changed since the Netscape DS 4 code when Sun and Netscape started to work together.
    Ludovic.
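The normalization Ludovic describes, worked through with the JDK's RFC 2253 parser as an added example (this is not code from the thread and says nothing about how Directory Server's certmap.conf itself is parsed; it only shows what the normalized DN string looks like). The issuer DN is the one from the post, constructed here as a Java string; the class and method names are this example's own.

```java
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class DnNormalize {

    /** Parses the DN and re-emits every RDN value with RFC 2253 backslash escapes instead of quotes. */
    public static String normalize(String dn) throws InvalidNameException {
        LdapName parsed = new LdapName(dn);
        // An LdapName built from a string hands that string back from toString(); one built from its
        // Rdn list renders each value through Rdn.escapeValue(), which is the normalized form.
        return new LdapName(parsed.getRdns()).toString();
    }

    /** Whether the string is a syntactically valid DN at all. */
    public static boolean isValidDn(String dn) {
        try {
            new LdapName(dn);
            return true;
        } catch (InvalidNameException e) {
            return false;
        }
    }

    public static void main(String[] args) throws InvalidNameException {
        // The issuer from the post, in the quoted form a certificate viewer prints.
        String issuer = "CN=VeriSign Class 1 Individual Subscriber CA - G2, OU=Persona Not Validated, "
                + "OU=Terms of use at https://www.verisign.com/rpa (c)05, OU=VeriSign Trust Network, "
                + "O=\"VeriSign, Inc.\", C=US";
        System.out.println("normalized issuer: " + normalize(issuer));
        System.out.println("one value alone:   " + Rdn.escapeValue("VeriSign, Inc."));

        // What the DS access log printed: \22 is the quote character itself, so the quotes no longer
        // protect the comma and the string is not a parseable DN. Matching against it cannot work.
        String logged = "O=\\22VeriSign, Inc.\\22,C=US";
        System.out.println("log form parses as a DN: " + isValidDn(logged));
    }
}
```

The organisation RDN comes out as O=VeriSign\, Inc. with the separators collapsed to bare commas, which is the form to try in certmap.conf and in the certSubjectDN attribute. The access-log rendering is the server's own display encoding, not a DN, which is why copying it from the log did not match.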

  • Configuring J2EE Appl to obtain security roles from authentication Subject

    http://www.oracle.com/technology/products/jdev/howtos/10g/jaassec/index.htm says
    "Oracle JDeveloper can be used to add the orion-application.xml file to a web project, choosing orion-application.xml from the list of Deployment Descriptors in the JDeveloper New Gallery."
    The wizard asks me to select the deployment description version I want to use, either 1.2 or 10.0. What's the difference and which is the preferred choice?
    Regards,
    Al Malin

    Al Malin.
    I don't see a difference and usually use whatever is selected by default.
    Frank

  • Cisco wireless controller and AP-binding domain how do you integrate wireless domain authentication?

    With Cisco equipment (WLC 2500 and AP 1600) combined with a Windows 2008 R2 domain controller, I want to achieve the following:
    1. All cell phones and laptops can access the wireless network with domain user authentication.
    2. How should the guest network be done?
    My idea is:
    Create two SSIDs:
    Mobile users cnnewcity_mobile: use web portal authentication, central authentication, local forwarding.
    Computer users cnnewcity_wifi: transparent authentication, local forwarding, local authentication.
    The basic steps are as follows:
    1. Set up the RADIUS server clients (AP or controller).
    2. Lock the authorization group; this should be based on the domain user group authorization on the RADIUS server.
    3. Mobile roaming: different locations on the DHCP server; to do this you have to consider option 43.
    4. Establish two VLANs, one for mobile users and one for computer users, and create a DHCP scope on the DHCP server.
    I do not know if there are better ways?

    Integrating the AD to the WLC Requires:
    1. AD to be registered:
     AT: Security->AAA
        AT: LDAP     
        CLICK: New
        Server IP:    <AD IP>
        Port Number:    389     
        Simple Bind:    Authenticated
        Bind User:    CN=Administrator,CN=Users,DC=testing,DC=local,DC=com
        Bind Pass:    <LDAP Admin pass>
        Confirm Pass: <LDAP Admin pass>
        User Base DN:    OU=WebAuth_Users,DC=testing,DC=local,DC=com
        User Attrib:    sAMAccountName      
        User Obj. Type:    person        
    Enable at WLAN Profile
    1. AT: WLAN->WLANs
        CLICK: <Desired WLAN> -typically web authentication
    2. AT: Security Tab
        AT: AAA Servers
    3. AT: LDAP Servers
        **Select Created LDAP
    4. Apply to Save
    Source: Tried it in implementations :))

  • EJBException when binding a map containing an entityContext.getEJBLocalObject()

    I am attempting to bind a map which contains keys that point to entityContext.getEJBLocalObject()
    in ejbPostCreate. This causes an exception to be thrown, which makes it appear
    that BEA is trying to prevent a remote client from getting an error if/when they
    lookup since they are not local. Are there any ways to get around this, or do
    this differently? We know that this lookup will only occur on the server, so we
    would like to store this in JNDI.
    Thanks so much, Jennifer
    METHOD:
    public void ejbPostCreate(int id) {
        Hashtable ht = new Hashtable();
        ht.put(Context.INITIAL_CONTEXT_FACTORY, "weblogic.jndi.WLInitialContextFactory");
        ht.put(Context.PROVIDER_URL, "t3://localhost:7001");
        Context initialContext = null;
        try {
            initialContext = new InitialContext(ht);
            Object objref = initialContext.lookup("ABCMap");
            if (objref instanceof HashMap) {
                HashMap map = (HashMap) objref;
                ABCPrimaryKey key = (ABCPrimaryKey) entityContext.getPrimaryKey();
                ABCLocal value = (ABCLocal) entityContext.getEJBLocalObject();
                map.put(key, value);
                initialContext.rebind("ABCMap", map); /* exception is thrown */
            }
        } catch (NamingException e) {
            throw new EJBException(e);
        } finally {
            // close the context whether or not the rebind succeeded
            if (initialContext != null) {
                try { initialContext.close(); } catch (NamingException ignored) { }
            }
        }
    }
    EXCEPTION:
    <Mar 12, 2002 3:49:44 PM CST> <Info> <EJB> <EJB Exception in method: ejbPostCreate:
    javax.ejb.EJBException: Attempt to pass a reference to an EJBLocalObject to a
    remote client. A local EJB component may only be accessed by clients co-located
    in the same ear or standalone jar file. javax.ejb.EJBException: Attempt to pass
    a reference to an EJBLocalObject to a remote client. A local EJB component may
    only be accessed by clients co-located in the same ear or standalone jar file.

    Clients of a local bean must be in the same .ear file or same .jar file. Even if you are only looking them
    up on the same server, they may not be referenced across application boundaries. So, you may not store them
    in the global JNDI tree.
    Bill

  • Binds with string containing double quotes

    Hello there,
    I have the following SELECT statement which is run from a Delphi application :
    SELECT Customer, Last_Name
    FROM Customer
    WHERE UPPER(Last_Name) LIKE :last;
    :last has the string value of Smith"a".
    Is there a problem with binds and strings which contain double quotes?
    If so, how can I fix this problem?
    Thanks,
    Mia

    Hi
    There is no problem in this example. The content of a bind variable is not part of syntax checking, so you can have any characters.
    Regards

  • How to pass back Subject do Client app after authentication via identity assertion

    I have developed an Identity Assertion Provider based on
    SampleIdentityAsserterProviderImpl provided by BEA.
    It seems that all works fine, but I don't know how to pass back the authenticated
    Subject to the client application in order to call methods runAs(Subject,
    PrivilegedAction). I have tried to build the Subject from
    connection.getInputStream(), but when I use a Subject constructed in that way I
    receive an error:
    java.lang.SecurityException: Invalid Subject: principals=[user, usergroup1, usergroup1]
    Thanks in advance for any suggestions.
    Jerzy Nawrot

    Hi,
    as per the below comment.
    We want to change this and do it in a dynamic way so that the XCM configuration application can read these dynamic parameters and behave accordingly (like customers with different languages, client systems etc.). This is the first part.
    You have to use different scenarios to be set in XCM (like customer specific to language, and client), and that is to be passed in
    Where language specifications should be maintained in XCM settings only. Also note that the product catalog for those should also be maintained in that specific language.
    "/init.do?scenario=value2;
    The second part leading to this scenario is: after the portal user successfully lands in the ISA application, if the user needs to go back to the WDP Java screen, would the JSP-based ISA application be able to navigate back to the original WD Java iView screen? Or would it open in a new window? (Probably this can be set to launch in the same window.)
    I am not sure, but if you go back to WD from ISA, the ISA session will die.
    Let me know if you have any further queries.
    Regards,
    Devender V

  • How to implement Force password change during authentication

    Description of problem
    Our client requires web applications to support its internal security policy beyond
    normal authentication. This includes:
    - force password change periodically. This should be performed at logon time.
    - maintain password history so that a new password would not repeat any of its
    previous 15 changes.
    We already have an authentication server that satisfies these requirements. However,
    we would also like to base our solution on WebLogic security framework so that
    we can leverage the benefit of the container-managed declarative security (e.g.
    we don't need to use our special cookie to check whether a user is authenticated
    for every web page in the application). So the best scenario for us is to wrap
    up this authentication server using WLS 7.0 authentication SSPI.
    My initial investigation of WLS 7.0 security framework (based on edocs and the
    sample customer security provider codes) convinced me that overall, this is achievable.
    However, I am still left with quite a few questions, which I would like to get
    your help.
    Questions:
    1. (web container) The J2EE-standard container-based authentication is to specify
    <login-config> element. My understanding is that only FORM based authentication
    is applicable. The specified form elements:
    <form method="post" action="j_security_check">
    <INPUT TYPE="TEXT" NAME="j_username">
    <INPUT TYPE= "password" NAME="j_password">
    </form>
    is adequate for authentication. However, if the authentication service provider
    indicates that password change is needed, what would be the most appropriate way
    within WebLogic for the authentication service provider to pass such a flag to
    the web container so that our application can access it? I guess a simpler
    question would be: using the standard <login-config>, the webapp knows only whether
    authentication fails or succeeds. Can it possibly know more information provided
    by the authentication service provider right after authentication?
    2) If we don't use standard FORM-based authentication, we will code up our own
    authentication control, which could give us a lot more flexibility, but can we
    then bind our Subject obtained through our authentication control to the WebLogic
    Subject that is running the webapp.
    3) (Authentication service provider) Our design is for the custom LoginModule
    to delegate login calls to the authentication server, and throw more refined
    exceptions such as: FailedLoginException, PasswordExpiredException, UserAccountLockedException
    (all subclassed from LoginException). Another approach is to provide detailed
    information such as password expired in callbacks. Either way, when the Authentication
    service provider returns, how can our web application access this refined flag
    of the authentication result?
    4) Can our custom authentication service provider use a DataSource defined in
    a WebLogic server? I ask this question because the DataSource itself is a protected
    resource of WebLogic. Will referencing it during authentication initiate another
    authentication cycle?
    Can anyone who has experienced similar requirements and worked out solutions please
    give me a hint? I appreciate your guidance.
    regards
    Licheng

    I believe it's impractical to fit the requirement of forcing a password change
    into the standard JAAS interface.
    I think the only practical way to do this is to implement a servlet filter that
    reads the persistent record of the logged-in user to check for a "force change
    password flag". If it finds this, the servlet filter will forward to a page to
    change your password. Note that the servlet filter may be hit again when
    trying to get to the change password page, so it needs to know to not do the
    check in that case.
    If you implement this, I would strongly urge you to softcode the "change
    password" page URL in your system configuration, and not hardcode it in the
    servlet filter.
    David M. Karr ; Java/J2EE/XML/Unix/C++ ; SCJP; SCWCD
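The servlet filter David describes, as an added example (not code from the thread). It assumes the Servlet 3.x API in the javax.servlet namespace (rename to jakarta.servlet for Servlet 5+), that the filter is mapped to /* behind container-managed FORM login, and an application-supplied ChangeRequiredLookup registered as a servlet-context attribute; the interface, the init-param name changePasswordPath and the attribute key are this example's conventions. One deliberate difference from the reply: it redirects to the change page instead of forwarding, so the browser's URL moves and a pending POST is not replayed against the change form.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Runs after container-managed (FORM) login. If the user's persistent record says a password
 * change is due, every request except the change-password page itself is sent there.
 */
public class ForcePasswordChangeFilter implements Filter {

    /** Reads the must-change flag for a user. The application registers its own implementation. */
    public interface ChangeRequiredLookup {
        boolean mustChange(String userName);
    }

    private String changePasswordPath;   // context-relative, taken from configuration, never hard-coded
    private ChangeRequiredLookup lookup;

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        changePasswordPath = cfg.getInitParameter("changePasswordPath");
        if (changePasswordPath == null || !changePasswordPath.startsWith("/")) {
            throw new ServletException("init-param changePasswordPath must be a context-relative path");
        }
        // Assumed convention: the application stores its lookup as a servlet-context attribute at startup.
        lookup = (ChangeRequiredLookup) cfg.getServletContext()
                .getAttribute(ChangeRequiredLookup.class.getName());
        if (lookup == null) {
            throw new ServletException("no ChangeRequiredLookup registered in the servlet context");
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String user = request.getRemoteUser();
        String path = request.getServletPath()
                + (request.getPathInfo() == null ? "" : request.getPathInfo());

        // Not logged in yet (the container is still doing FORM auth), or already on the change page:
        // let it through, otherwise the filter would loop on its own redirect target.
        if (user == null || isChangePasswordRequest(path)) {
            chain.doFilter(req, res);
            return;
        }
        if (lookup.mustChange(user)) {
            // Redirect rather than forward: the browser's URL moves to the change page and the
            // original request (which may have been a POST) is not replayed against it.
            response.sendRedirect(request.getContextPath() + changePasswordPath);
            return;
        }
        chain.doFilter(req, res);
    }

    /** The change page and anything beneath it (its POST target, its static resources) are exempt. */
    boolean isChangePasswordRequest(String path) {
        return path.equals(changePasswordPath) || path.startsWith(changePasswordPath + "/");
    }

    @Override
    public void destroy() {
    }
}
```

Register it in web.xml with a filter-mapping on /* and an init-param changePasswordPath such as /account/change-password, and keep the change page itself inside a security-constraint so it is only reachable after login. The lookup should read the same store the LoginModule consults; if you cache the flag in the session to avoid a lookup per request, clear the cached value when the change succeeds, or the user stays trapped on the page.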

  • How to get both JDNI context and JAAS Subject with EJB

    I looked at the JAAS docs and sample, but I'm still confused about
    something. There is a sample of JAAS in a regular, non-EJB scenario. The
    client initializes the LoginContext, calls login(), then retrieves the
    Subject (and possibly later does something with Subject.doAs()). However, in
    the typical EJB scenario, the client initializes the JNDI context, then does
    the lookup on the bean name (which implicitly does the authentication to the
    container). How do they work together, though? I.e., what does the client
    code look like if JAAS authentication is to be used from an EJB client?
    Thank you!

    In your login module you have to authenticate the user to the Weblogic Server as
    well . For simplicity, Weblogic comes with a class weblogic.security.auth.Authenticate
    to login a subject with Weblogic Server.
    Once logged in, any thread that is invoked within the context of a Subject.doAs
    call gets that subject associated with it.
    Hope that helps

  • JAAS: How can I access the JAAS subject in an EJB?

    Hello,
    I try to understand the JAAS integration in J2EE 1.3.
    I know:
    J2EE defines a role-based container managed authorization for the web and ejb container. Roles, users and their relationship are defined in the realm.
    JAAS has a more sophisticated policy-based authorisation model. Since J2EE1.3 I can define a realm using JAAS having the role-based authorization of the container managed security.
    My question:
    How can I access the JAAS subject object in an EJB or servlet to use the policy-based authorization?
    Thank you for your answers
    Peter

    May be I should redefine my question:
    If I use JAAS as J2EE-Realm, how can I receive the subject?
    All JAAS tutorials contain code fragments like
    LoginContext lc = new LoginContext("entryFoo");
    try {
        // authenticate the Subject
        lc.login();
        System.out.println("authentication successful");
        // get the authenticated Subject
        Subject subject = lc.getSubject();
    } catch (LoginException e) {
        // authentication failed
    }
    But if I use JAAS as J2EE-Realm the container creates the LoginContext.
    Whom can I ask for the subject now?
    There is no such method implemented in the EJBContext, the HttpServlet or HttpServletRequest!
    Peter
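An added example (not code from the thread) covering both Peter's question and the earlier "Storing authenticated Subject" post: in plain JAAS the Subject is not stored in a security manager or a session at all. It is bound to the calling thread for the duration of a doAs call, and code further down the stack asks the context for it. This uses Subject.callAs and Subject.current() (JDK 18+); on JDK 8 to 17 the same two roles are played by Subject.doAsPrivileged(subject, action, null) and Subject.getSubject(AccessController.getContext()). The principal classes and the Subjects are constructed here rather than produced by a login module; whether a given container runs servlet or EJB code inside such a doAs is container-specific and not something this example can establish.

```java
import java.security.Principal;
import java.util.concurrent.CompletionException;
import javax.security.auth.Subject;

public class SubjectPropagation {

    /** Principals as a login module's commit() would add them (constructed here, no login is run). */
    public record UserPrincipal(String name) implements Principal {
        @Override public String getName() { return name; }
    }
    public record RolePrincipal(String name) implements Principal {
        @Override public String getName() { return name; }
    }

    /** Builds the Subject once, then freezes it so downstream code cannot grant itself roles. */
    public static Subject subjectFor(String user, String... roles) {
        Subject s = new Subject();
        s.getPrincipals().add(new UserPrincipal(user));
        for (String role : roles) s.getPrincipals().add(new RolePrincipal(role));
        s.setReadOnly();
        return s;
    }

    /** What HttpServletRequest.isUserInRole does, expressed against the Subject bound to this thread. */
    public static boolean isUserInRole(String role) {
        Subject current = Subject.current();               // null when no Subject is bound
        return current != null
                && current.getPrincipals(RolePrincipal.class).stream().anyMatch(p -> p.name().equals(role));
    }

    /** Business code does not receive the Subject as a parameter; it asks the context. */
    public static String adminReport() {
        if (!isUserInRole("admin")) throw new SecurityException("admin role required");
        return "report for " + Subject.current().getPrincipals(UserPrincipal.class).iterator().next().name();
    }

    public static void main(String[] args) {
        Subject alice = subjectFor("alice", "user", "admin");
        Subject bob = subjectFor("bob", "user");

        // The Subject is not stored anywhere; it is bound to the thread only for the duration of callAs.
        System.out.println(Subject.callAs(alice, SubjectPropagation::adminReport));
        try {
            Subject.callAs(bob, SubjectPropagation::adminReport);
        } catch (CompletionException e) {                  // callAs wraps whatever the action throws
            System.out.println("bob: " + e.getCause().getMessage());
        }
        System.out.println("bound outside callAs? " + (Subject.current() != null));
    }
}
```

The check fails closed: with no Subject bound, isUserInRole returns false rather than assuming anything, which is the behaviour you want when a thread pool hands work to a thread that never went through callAs.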
