Bind authenticated Subject to container
In a web application I use JAAS to authenticate users of the web application. When the authentication is successful, I retrieve the authenticated Subject from my LoginContext using the getSubject() method. As a result of the successful authentication, one or more Principal objects will be associated with this Subject.
Here is the point: After the user has been authenticated, I want to use the isUserInRole() method to check whether the user possesses certain roles (i.e. Principal objects). However, in order to do so, the container which runs the web application (JBoss 4) must know about the authenticated Subject. In other words: Before I can use the isUserInRole() method, I must somehow bind the authenticated Subject to the container. Is there a way in which this can be accomplished?
Note: I do not want to use container managed security by enabling FORM authentication in web.xml because this has as disadvantage that I lose the control over the authentication process (JBoss will then under the hood instantiate a LoginContext object and there is no way, as far as I know, to obtain a reference to this LoginContext).
Thanks for any help.
Ronald
We have a howto for custom login modules here:
http://www.oracle.com/technology/tech/java/oc4j/1013/how_to/howtocustomjaasprovider/doc/howtocustomjaasprovider.html
As far as adding a third field, I think this would be managed in a login module's callback handler. This is from our docs:
A callback handler is a javax.security.auth.callback.CallbackHandler instance that allows a login module to interact with a user to obtain login information.
The only method specified by CallbackHandler is the handle(Callback[]) method, which takes an array of callbacks, which are instances of a class that implements the javax.security.auth.callback.Callback interface. Callbacks do not retrieve or display requested information from the underlying security service, but simply provide the functionality to pass the requests to an application and, as applicable, to return the requested information back to the security service.
Callback implementations in the javax.security.auth.callback package include: a name callback handler (NameCallback) to handle a user name, a password callback handler (PasswordCallback) to handle a password, and a text input callback handler (TextInputCallback) to handle any field in a login form other than a user name or password field.
If authentication succeeds, then the authenticated subject can be retrieved by invoking the getSubject() method of the LoginContext instance.
Different login modules can be configured with different applications, and a single application can use multiple login modules. The JAAS framework defines a two-phase authentication process to coordinate the login modules configured for an application.
You would probably follow these steps:
1. Create a LoginContext
2. Pass the CallbackHandlers to the LoginContext for gathering/processing authentication data
3. Then authenticate by calling the LoginContext's login() method
I think you can google examples of the TextInputCallback callback.
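The steps above, carried through in working code as an added example (it is not code from the original thread, the Oracle howto, or OC4J). ThreeFieldLoginModule, SimplePrincipal, formHandler, the "tenant" third field and the in-memory PASSWORDS/ROLES/TENANTS tables are all assumptions made for the illustration; what is standard JAAS is the LoginModule/CallbackHandler/Configuration/LoginContext plumbing, the NameCallback/PasswordCallback/TextInputCallback trio, and the two-phase login()/commit() split. The Configuration is supplied in code so the example runs without a jaas.conf file or -Djava.security.auth.login.config.

```java
import java.io.IOException;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

/** Principal attached to the Subject in commit(); the "role" entries are what a role check looks for. */
final class SimplePrincipal implements Principal {
    private final String kind, name;
    SimplePrincipal(String kind, String name) { this.kind = kind; this.name = name; }
    public String getName() { return name; }
    @Override public boolean equals(Object o) { return o instanceof SimplePrincipal && toString().equals(o.toString()); }
    @Override public int hashCode() { return toString().hashCode(); }
    @Override public String toString() { return kind + ":" + name; }
}

/** Hypothetical login module collecting user name, password and a third field (tenant) through callbacks. */
public class ThreeFieldLoginModule implements LoginModule {
    // Constructed in-memory credentials standing in for a real user store (a real module compares password hashes).
    private static final Map<String, String> PASSWORDS = Map.of("alice", "s3cret");
    private static final Map<String, List<String>> ROLES = Map.of("alice", List.of("user", "admin"));
    private static final Set<String> TENANTS = Set.of("acme");

    private Subject subject;
    private CallbackHandler handler;
    private String user;   // set by a successful login(), consumed by commit()

    public void initialize(Subject subject, CallbackHandler handler, Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }

    // Phase 1: obtain the fields via the callback handler and verify them; the Subject is not touched yet.
    public boolean login() throws LoginException {
        NameCallback nameCb = new NameCallback("user: ");
        PasswordCallback passCb = new PasswordCallback("password: ", false);
        TextInputCallback tenantCb = new TextInputCallback("tenant: ");   // the "third field"
        try {
            handler.handle(new Callback[] { nameCb, passCb, tenantCb });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("callback failed: " + e);
        }
        char[] pw = passCb.getPassword();
        passCb.clearPassword();
        String expected = PASSWORDS.get(nameCb.getName());
        boolean ok = expected != null && pw != null
                && MessageDigest.isEqual(expected.getBytes(), new String(pw).getBytes())  // constant-time compare
                && TENANTS.contains(tenantCb.getText());
        if (pw != null) Arrays.fill(pw, '\0');
        if (!ok) throw new FailedLoginException("bad user, password or tenant");
        user = nameCb.getName();
        return true;
    }

    // Phase 2: only after all configured modules passed phase 1 are principals added to the Subject.
    public boolean commit() {
        if (user == null) return false;
        subject.getPrincipals().add(new SimplePrincipal("user", user));
        for (String r : ROLES.getOrDefault(user, List.of())) subject.getPrincipals().add(new SimplePrincipal("role", r));
        return true;
    }
    public boolean abort() { user = null; return true; }
    public boolean logout() { subject.getPrincipals().removeIf(p -> p instanceof SimplePrincipal); return true; }

    /** Callback handler answering from values already collected, e.g. the three fields of a posted login form. */
    static CallbackHandler formHandler(String name, String password, String tenant) {
        return callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(name);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password.toCharArray());
                else if (cb instanceof TextInputCallback) ((TextInputCallback) cb).setText(tenant);
                else throw new UnsupportedCallbackException(cb);
            }
        };
    }

    /** In-code equivalent of the config file entry:  ThreeField { ThreeFieldLoginModule required; }; */
    static Configuration config() {
        return new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(ThreeFieldLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Map.of()) };
            }
        };
    }

    /** Steps 1-3 from the answer: create the LoginContext, hand it the callback handler, call login(). */
    static Subject authenticate(String name, String password, String tenant) throws LoginException {
        LoginContext lc = new LoginContext("ThreeField", new Subject(), formHandler(name, password, tenant), config());
        lc.login();
        return lc.getSubject();
    }

    public static void main(String[] args) throws Exception {
        Subject s = authenticate("alice", "s3cret", "acme");
        System.out.println("principals: " + s.getPrincipals());
        try {
            authenticate("alice", "s3cret", "evil");   // wrong third field: login() fails, nothing is committed
        } catch (FailedLoginException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Two points worth noticing: the third field never touches the LoginContext API, it simply rides along as one more Callback in the array that login() hands to the handler, so a servlet can answer all three from request parameters; and the roles are only added in commit(), so a module that fails login() (or is aborted because a sibling module failed) leaves the Subject empty.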
Similar Messages
-
How to access the authenticated Subject?
Hello
I'm using WS-Security, and I have made a custom login module. I have registered the login module and it is working fine. But I have problems accessing the authenticated subject later.
Any suggestions?
Hi,
where do you store the authenticated Subject?
Frank
-
Ws-security runtime authentication subject
Hi,
When the ws-runtime performs the authentication based on the security token, does it attach the authenticated subject to the current thread?
In the server-side handler for a webservices on which ws-security is enabled via ws-policy, if I call
SubjectUtils.getUsername(weblogic.security.Security.getCurrentSubject())
I am not getting the username i passed in the token as the authenticated subject.
Can you please tell me which user it attaches to the current thread in web services?
Thanks for the reply.
Does that mean there is NO WAY for X.509 certificate authentication between OEG and OAM, regardless of any OEG filter?
Cliff
-
How To tell ADF Framework to use my authenticated subject?
Hi,
let's say that I have a subject instance which is authenticated through Weblogic server. Now I want to use this authenticated subject to protect my resources using ADF Security. So how should I tell this to ADF framework programmaically. For example I can think of storing my principal and roles in some type of objects and store it in session in a format that's understandable by the framework. By understandable I mean ADFContext.getCurrent.getSecurityContext.isUserAuthenticated returns true, getPrincipal returns my authenticated principal. I appreciate your helps.
Best Regards,
Salim
Hi Chris,
I want to implement programmatic authentication. I was able to authenticate given the LoginModule (weblogic.security.auth.login.UsernamePasswordLoginModule), LoginContext (javax.security.auth.login.LoginContext) and a callback handler.
    try {
        loginContext.login();
        Subject subject = loginContext.getSubject();
    } catch (LoginException e) {
        // authentication failed
    }
It authenticates successfully. But the problem is that it does not push the authenticated subject into the session. My guess is that there should be a way to configure the application server to use this subject for the session. I understand that ADF security just delegates calls to the application server. I thought maybe there is a way to do it with ADF. Thanks for the reply.
Best Regards,
Salim
-
I am creating a database application in which certain resources are restricted to certain users. Such users with access can login. I am using JAAS authentication, so I use the LoginContext.login function and retrieve a Subject from the LoginContext object. However, where should I store it so that whenever I execute code with Subject.doAsPrivileged()?
Someone suggested using a custom security manager extending the standard SecurityManager and setting that as the security manager with System.setSecurityManager(). A variable of type Subject or the LoginContext would be stored in this security manager and could be retrieved with System.getSecurityManager().
-
Rights for ldap bind authentication
we have an external domain in the dmz and we need to allow external app to bind to our ad on the dmz, what kind of user/rights does they need to bind?
Can I just create a regular user?
Hi,
Thanks for your posting.
I think the user should be a member of the "Authenticated Users" group.
Meanwhile, please check this article to know about authentication mechanisms in AD LDS
http://blogs.technet.com/b/idaguys/archive/2009/06/19/overiview-of-authentication-in-ad-lds.aspx
https://ftps.nslc.org/doc/en/MOVEitDMZ_WebInterface_Settings_Security_EA_LDAPAuthOnly.htm
Regards.
Vivian Wang
-
DS 6: SSL certificate mapping with subject/issuer containing (")
Hello,
I got my personal test certificate from Verisgin, with an issuer: CN=VeriSign Class 1 Individual Subscriber CA - G2, OU=Persona Not Validated, OU=Terms of use at https://www.verisign.com/rpa (c)05, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
The subject of the certificate ends with: ...OU=Digital ID Class 1 - Netscape, OU=Persona Not Validated, OU="www.verisign.com/repository/RPA Incorp. by Ref.,LIAB.LTD(c)98", OU=VeriSign Trust Network, O="VeriSign, Inc."
My certmap.conf looks like:
certmap VeriSign [issuerDN]
VeriSign:FilterComps cn
VeriSign:verifycert on
VeriSign:CmapLdapAttr certSubjectDN
The question is what's the valid form of these strings containing (") in certmap.conf ([issuerDN]) to match the issuer and in certSubjectDN attribute - assuming it follows DirectoryString syntax. Note that they surround strings containing comma (,).
I see in logs:
conn=1 op=-1 msgId=-1 - SSL 128-bit RC4; client *OU=Digital ID Class 1 - Netscape,OU=Persona Not Validated,OU=\22www.verisign.com/repository/RPA Incorp. by Ref.,LIAB.LTD(c)98\22,OU=VeriSign Trust Network,O=\22VeriSign, Inc.\22; issuer CN=VeriSign Class 1 Individual Subscriber CA - G2,OU=Persona Not Validated,OU=Terms of use at https://www.verisign.com/rpa (c)05,OU=VeriSign Trust Network,O=\22VeriSign, Inc.\22,C=US
I tested configuration against cert strings from logs, but they don't work. Strings containing (") also don't work.
Did anyone face the same issue?
Thanks for help in advance.
The DN normalized version of O="Verisign, Inc." is O=Verisign\, Inc.
You may want to try this. But I must admit that I've never tried to do certificate mapping with quotes.
The certificate mapping functionality hasn't changed since the Netscape DS 4 code when Sun and Netscape started to work together.
Ludovic.
-
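The normalization Ludovic describes, done with the JDK's own RFC 2253 parser (javax.naming.ldap.LdapName/Rdn) as an added example; this is not Sun DS's certmap matcher and says nothing about how certmap.conf itself tokenizes its lines, it only shows what the backslash-escaped form of the posted DN looks like and why the log's rendering of the same value is not itself a DN. ISSUER is copied from the post; LOG_FORM_O is a constructed two-component excerpt built from the log line's O= value; DnNormalize, normalize and isValidDn are names chosen here.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class DnNormalize {
    /** The issuer DN from the post, with the quoted O= value. */
    static final String ISSUER = "CN=VeriSign Class 1 Individual Subscriber CA - G2, OU=Persona Not Validated, "
            + "OU=Terms of use at https://www.verisign.com/rpa (c)05, OU=VeriSign Trust Network, "
            + "O=\"VeriSign, Inc.\", C=US";

    /** Constructed excerpt in the shape the DS access log printed: quotes hex-escaped as \22, comma left bare. */
    static final String LOG_FORM_O = "O=\\22VeriSign, Inc.\\22,C=US";

    /**
     * Parse an RFC 2253 DN (quoted and backslash-escaped values are both accepted on input) and re-emit it
     * leaf-first with every value backslash-escaped and no spaces after separators.
     * O="VeriSign, Inc." becomes O=VeriSign\, Inc.  Assumes single-valued RDNs (no a=b+c=d), as in this DN.
     */
    static String normalize(String dn) throws InvalidNameException {
        List<Rdn> rdns = new ArrayList<>(new LdapName(dn).getRdns()); // index 0 is the rightmost RDN (C=US)
        Collections.reverse(rdns);
        StringBuilder out = new StringBuilder();
        for (Rdn rdn : rdns) {
            if (out.length() > 0) out.append(',');
            out.append(rdn.getType()).append('=').append(Rdn.escapeValue(rdn.getValue()));
        }
        return out.toString();
    }

    /** True if the string is a syntactically valid RFC 2253 DN. */
    static boolean isValidDn(String dn) {
        try {
            new LdapName(dn);
            return true;
        } catch (InvalidNameException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println(normalize(ISSUER));
        // The log form is not a DN: the bare comma inside \22VeriSign, Inc.\22 ends the O= value, and the
        // remainder " Inc.\22" has no '=' so an RFC 2253 parser rejects the whole string.
        System.out.println("log form parses as DN: " + isValidDn(LOG_FORM_O));
        // The escaped output is stable: normalizing it again yields the same string.
        System.out.println("idempotent: " + normalize(normalize(ISSUER)).equals(normalize(ISSUER)));
    }
}
```

The second print is the practical caveat: a value that was rendered with the quotes hex-escaped (\22) but the comma unescaped cannot be pasted back as a DN, so whatever form certmap.conf wants, it is either the quoted form or the backslash-escaped form, never the log's rendering.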
Configuring J2EE Appl to obtain security roles from authentication Subject
http://www.oracle.com/technology/products/jdev/howtos/10g/jaassec/index.htm says
"Oracle JDeveloper can be used to add the orion-application.xml file to a web project, choosing orion-application.xml from the list of Deployment Descriptors in the JDeveloper New Gallery."
The wizard asks me to select the deployment description version I want to use, either 1.2 or 10.0. What's the difference and which is the preferred choice?
Regards,
Al Malin
Al Malin,
I don't see a difference and usually use what is the default selected.
Frank
-
With Cisco equipment (WLC 2500 and AP 1600) combined with a Windows 2008 R2 domain controller I want to achieve the following:
1. All cell phones and laptops can access the wireless network with domain user authentication.
2. How should the guest network be done?
My idea is:
Make two SSIDs in total:
Mobile users cnnewcity_mobile: web portal authentication, central authentication, local forwarding
Computer users cnnewcity_wifi: transparent authentication, local forwarding, local authentication
The basic steps are as follows:
1. Set the RADIUS server clients (AP or controller)
2. Lock the authorization group; this should be based on the domain user group authorization on the RADIUS server
3. Mobile roaming; for different locations the DHCP server choice has to take DHCP option 43 into account
4. Establish two VLANs, one for mobile users and one for computer users, and create a DHCP scope on the DHCP server
I do not know whether there are better ways?
Integrating the AD to the WLC requires:
1. AD to be registered:
AT: Security->AAA
AT: LDAP
CLICK: New
Server IP: <AD IP>
Port Number: 389
Simple Bind: Authenticated
Bind User: CN=Administrator,CN=Users,DC=testing,DC=local,DC=com
Bind Pass: <LDAP Admin pass>
Confirm Pass: <LDAP Admin pass>
User Base DN: OU=WebAuth_Users,DC=testing,DC=local,DC=com
User Attrib: sAMAccountName
User Obj. Type: person
Enable at WLAN Profile
1. AT: WLAN->WLANs
CLICK: <Desired WLAN> -typically web authentication
2. AT: Security Tab
AT: AAA Servers
3. AT: LDAP Servers
**Select Created LDAP
4. Apply to Save
Source: Tried it in implementations :))
-
EJBException when binding a map containing an entityContext.getEJBLocalObject()
I am attempting to bind a map which contains keys that point to entityContext.getEJBLocalObject()
in ejbPostCreate. This causes an exception to be thrown, which makes it appear
that BEA is trying to prevent a remote client from getting an error if/when they
lookup since they are not local. Are there any ways to get around this, or do
this differently? We know that this lookup will only occur on the server, so we
would like to store this in JNDI.
Thanks so much, Jennifer
METHOD:
    public void ejbPostCreate(int id) {
        Hashtable ht = new Hashtable();
        ht.put(Context.INITIAL_CONTEXT_FACTORY, "weblogic.jndi.WLInitialContextFactory");
        ht.put(Context.PROVIDER_URL, "t3://localhost:7001");
        try {
            Context initialContext = new InitialContext(ht);
            Object objref = initialContext.lookup("ABCMap");
            if (objref instanceof HashMap) {
                HashMap map = (HashMap) objref;
                ABCPrimaryKey key = (ABCPrimaryKey) entityContext.getPrimaryKey();
                ABCLocal value = (ABCLocal) entityContext.getEJBLocalObject(); // local reference
                map.put(key, value);
                initialContext.rebind("ABCMap", map); /* exception is thrown here */
            }
        } catch (NamingException e) {
            throw new EJBException(e);
        }
    }
EXCEPTION:
<Mar 12, 2002 3:49:44 PM CST> <Info> <EJB> <EJB Exception in method: ejbPostCreate: javax.ejb.EJBException: Attempt to pass a reference to an EJBLocalObject to a remote client. A local EJB component may only be accessed by clients co-located in the same ear or standalone jar file. javax.ejb.EJBException: Attempt to pass a reference to an EJBLocalObject to a remote client. A local EJB component may only be accessed by clients co-located in the same ear or standalone jar file.
Clients of a local bean must be in the same .ear file or same .jar file. Even if you are only looking them up on the same server, they may not be referenced across application boundaries. So, you may not store them in the global JNDI tree.
Bill
-
Binds with string containing double quotes
Hello there,
I have the following SELECT statement which is run from a Delphi application :
SELECT Customer, Last_Name
FROM Customer
WHERE UPPER(Last_Name) LIKE :last;
:last has the string value of Smith"a".
Is there a problem with binds and strings wich contain double quotes?.
If so, how can I fix this problem?
Thanks,
Mia
Hi,
There is no problem in this example. The content of a bind variable is not part of syntax checking, so you can have any characters.
Regards
-
How to pass back Subject do Client app after authentication via identity assertion
I have developed an Identity Assertion Provider based on
SampleIdentityAsserterProviderImpl provided by BEA.
It seams that all works fine, but I don't now how to pass back authenticated
Subject to client application in order to call methods runAs(Subject,
PrivillegedAction). I have tried build Subject from
connection.getInputStream() but when I use Subject constructed in that way I
have received an error:
java.lang.SecurityException: Invalid Subject: principals=[user, usergroup1,
usergroup1]
Thanks in advance for any suggestions.
Jerzy Nawrot
Hi,
as per the below comment.
We want to change this and do this in a dynamic way so that the XCM configuration application can read these dynamic parameters and behave accordingly (like customers with different languages, client systems etc). This is the 1st part.
You have to use different scenarios to be set in XCM (customer specific to language, and client), and that to be passed in
where language specifications should be maintained in XCM settings only. Also to be noted that the product catalog for those should also be maintained in that specific language.
"/init.do?scenario=value2;
The 2nd part leading this scenario is: after the portal user successfully lands in the ISA application, if the user needs to go back to the WDP Java screen, would the JSP based ISA application be able to navigate back to the original WD Java iView screen? Or would it open in a new window? (Probably this can be set to be launched in the same window.)
I am not sure, but if you go back to WD from ISA, the ISA session will die.
Let me know if you have any further queries.
Regards,
Devender V
-
How to implement Force password change during authentication
Description of problem
Our client requires web applications to support its internal security policy beyond
normal authentication. This includes:
- force password change periodically. This should be performed at logon time.
- maintain password history so that a new password would not repeat any of its
previous 15 changes.
We already have an authentication server that satisfies these requirements. However,
we would also like to base our solution on WebLogic security framework so that
we can leverage the benefit of the container-managed declarative security (e.g.
we don't need to use our special cookie to check whether a user is authenticated
for every web page in the application). So the best scenario for us is to wrap
up this authentication server using WLS 7.0 authentication SSPI.
My initial investigation of WLS 7.0 security framework (based on edocs and the
sample customer security provider codes) convinced me that overall, this is achievable.
However, I am still left with quite a few questions, which I would like to get
your help.
Questions:
1. (web container) The J2EE-standard container-based authentication is to specify
<login-config> element. My understanding is that only FORM based authentication
is applicable. The specified form elements:
<form method="post" action="j_security_check">
<INPUT TYPE="TEXT" NAME="j_username">
<INPUT TYPE= "password" NAME="j_password">
</form>
is adequate for authentication. However, if the authentication service provider
indicates that password change is needed, what would be the most appropriate way
within WebLogic for the authentication service provider to pass such a flag to
the web container so that our application can access it? I guess, a simpler
question, would be, using the standard <login-config>, webapp knows only about
authentication fails or succeeds. Can it possibly know more information provided
by the authentication service provider right after authentication?
2) If we don't use standard FORM-based authentication, we will code up our own
authentication control, which could give us a lot more flexibility, but can we
then bind our Subject obtained through our authentication control to the WebLogic
Subject that is running the webapp.
3) (Authentication service provider) Our design is for the custom LoginModule
to delegate login calls to the authentication server, and throws more refined
exceptions such as: FailedLoginException, PasswordExpiredException, UserAccountLockedException
(all subclassed from LoginException). Another approach is to provide detailed
information such as password expired in callbacks. Either way, when Authentication
service provider returns, how our web application can access this refined flag
of authentication result.
4) Can our custom authentication service provider use a DataSource defined in
a weblogic server? I ask this question because DataSource itself is a protected
resource of WebLogic. Will referencing it during authentication initiate another
authentication cycle?
Can anyone who has experienced similar requirements and worked solutions please
give me a hint? I appreciate your guidance.
regards
Licheng
"Licheng" == Licheng writes:
I believe it's impractical to fit the requirement of forcing a password change
into the standard JAAS interface.
I think the only practical way to do this is to implement a servlet filter that
reads the persistent record of the logged-in user to check for a "force change
password flag". If it finds this, the servlet filter will forward to a page to
change your password. Note that the servlet filter may be hit again when
trying to get to the change password page, so it needs to know to not do the
check in that case.
If you implement this, I would strongly urge you to softcode the "change
password" page URL in your system configuration, and not hardcode it in the
servlet filter.
===================================================================
David M. Karr ; Java/J2EE/XML/Unix/C++
SCJP; SCWCD
-
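The filter David describes, written out as an added example (not WebLogic's code and not the poster's). It assumes the Servlet API on the classpath (javax.servlet, as on WLS 7), container-managed FORM login so that request.getRemoteUser() is populated, and a hypothetical PasswordPolicyStore interface standing in for the lookup of the "must change password" flag in the user's persistent record; the change-password URL is read from a filter init-param rather than hardcoded, as the answer urges.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

/**
 * Hypothetical lookup against the persistent user record. A real implementation asks the
 * authentication server (expired password, admin reset, history rule violated, ...).
 */
interface PasswordPolicyStore {
    boolean mustChangePassword(String username);
}

public class ForcePasswordChangeFilter implements Filter {
    private String changePasswordPath;   // soft-coded via init-param, e.g. /account/changePassword.jsp
    private PasswordPolicyStore store;

    public void init(FilterConfig cfg) throws ServletException {
        changePasswordPath = cfg.getInitParameter("changePasswordPath");
        if (changePasswordPath == null || !changePasswordPath.startsWith("/")) {
            throw new ServletException("init-param changePasswordPath must be a context-relative path");
        }
        // Assumed registration point: the application put its store into the ServletContext at startup.
        store = (PasswordPolicyStore) cfg.getServletContext().getAttribute(PasswordPolicyStore.class.getName());
        if (store == null) throw new ServletException("no PasswordPolicyStore registered in the ServletContext");
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        String user = request.getRemoteUser();   // set by the container after j_security_check succeeded
        // Not authenticated yet: nothing to enforce, the container's login-config will challenge first.
        // Already on the change-password page (GET of the form or POST of the new password): let it
        // through, otherwise this filter would forward to the page it is protecting forever.
        if (user == null || isChangePasswordRequest(request)) {
            chain.doFilter(req, res);
            return;
        }
        // Re-read per request instead of caching a bit in the session, so a flag raised mid-session
        // (admin reset, expiry crossing) takes effect on the next request and a stale session cannot bypass it.
        if (store.mustChangePassword(user)) {
            request.getRequestDispatcher(changePasswordPath).forward(req, res);
            return;
        }
        chain.doFilter(req, res);
    }

    /** Context-relative path of this request (without any ;jsessionid=... path parameter). */
    private boolean isChangePasswordRequest(HttpServletRequest request) {
        String path = request.getRequestURI().substring(request.getContextPath().length());
        int semi = path.indexOf(';');
        if (semi >= 0) path = path.substring(0, semi);
        return path.equals(changePasswordPath);
    }

    public void destroy() { }
}
```

Map it in web.xml with a filter-mapping on url-pattern /* so that no page after login escapes the check; the isChangePasswordRequest() exclusion is what stops the loop David warns about, and it works whether or not the container also runs filters on FORWARD dispatches. The example forwards, as the answer suggests; a sendRedirect to the page is the alternative if you would rather not replay an unrelated POST body into the change-password form.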
How to get both JDNI context and JAAS Subject with EJB
I looked at the JAAS docs and sample, but I'm still confused about
something. There is a sample of JAAS in a regular, non-EJB scenario. The
client initializes the LoginContext, calls login(), then retrieves the
Subject (and possibly later does something with Subject.doAs()). However, in
the typical EJB scenario, the client initializes the JNDI context, then does
the lookup on the bean name (which implicitly does the authentication to the
container). How do they work together, thought? I.e., what does the client
code look like if JAAS authentication is to be used from an EJB client?
Thank you!
In your login module you have to authenticate the user to the Weblogic Server as
well . For simplicity, Weblogic comes with a class weblogic.security.auth.Authenticate
to login a subject with Weblogic Server.
Once logged in, any thread that is invoked within the context of a Subject.doAs
call gets that subject associated with it.
Hope that helps
-
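Both the untitled post above asking where to keep the Subject for Subject.doAsPrivileged() and this reply's remark that code running inside a doAs call gets the Subject associated with it come down to the same mechanism, shown here as an added example that belongs to neither poster: the Subject travels in the AccessControlContext for the duration of the action, so code further down the call chain recovers it with Subject.getSubject(AccessController.getContext()) and nothing needs to be parked in a custom SecurityManager. SubjectPropagation, UserPrincipal, subjectFor and whoAmI are names chosen for the illustration; the Subject is built by hand in place of loginContext.getSubject().

```java
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import javax.security.auth.Subject;

public class SubjectPropagation {
    /** Minimal Principal; a login module would normally add these in commit(). */
    static final class UserPrincipal implements Principal {
        private final String name;
        UserPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        @Override public String toString() { return name; }
    }

    /** Build a Subject directly, standing in for loginContext.getSubject() after a successful login(). */
    static Subject subjectFor(String user) {
        Subject s = new Subject();
        s.getPrincipals().add(new UserPrincipal(user));
        s.setReadOnly();   // nothing downstream can add principals or credentials to it
        return s;
    }

    /** Code deep inside the call chain: it never received the Subject as a parameter, yet can recover it. */
    static String whoAmI() {
        Subject s = Subject.getSubject(AccessController.getContext());
        if (s == null || s.getPrincipals().isEmpty()) return "<none>";
        return s.getPrincipals().iterator().next().getName();
    }

    /** Run work "as" the subject. With a null AccessControlContext the action runs with a fresh context
     *  (the privileged variant), carrying only this Subject, not the caller's accumulated permissions. */
    static String runAs(Subject s) {
        return Subject.doAsPrivileged(s, (PrivilegedAction<String>) SubjectPropagation::whoAmI, null);
    }

    public static void main(String[] args) {
        System.out.println("outside doAs: " + whoAmI());
        System.out.println("inside doAs:  " + runAs(subjectFor("alice")));
        System.out.println("after doAs:   " + whoAmI());   // association ends when the action returns
    }
}
```

The Subject is only visible within the dynamic extent of the doAs/doAsPrivileged call; a request thread that returns from it is anonymous again, which is exactly why a per-thread or per-request association is the container's job rather than something a Subject stored in a static field or a SecurityManager can provide safely. Note that AccessController and Subject.getSubject(AccessControlContext) are deprecated since JDK 17; on JDK 18 and later the same pattern is Subject.callAs(subject, callable) with Subject.current() inside the action.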
JAAS: How can I access the JAAS subject in an EJB?
Hello,
I try to understand the JAAS integration in J2EE 1.3.
I know:
J2EE defines a role-based container managed authorization for the web and ejb container. Roles, users and their relationship are defined in the realm.
JAAS has a more sophisticated policy-based authorisation model. Since J2EE1.3 I can define a realm using JAAS having the role-based authorization of the container managed security.
My question:
How can I access the JAAS subject object in an EJB or servlet to use the policy-based authorization?
Thank you for your answers
Peter
Maybe I should redefine my question:
If I use JAAS as J2EE-Realm, how can I receive the subject?
All JAAS tutorials contain code fragments like
    try {
        LoginContext lc = new LoginContext("entryFoo");
        // authenticate the Subject
        lc.login();
        System.out.println("authentication successful");
        // get the authenticated Subject
        Subject subject = lc.getSubject();
    } catch (LoginException e) {
        System.out.println("authentication failed: " + e.getMessage());
    }
But if I use JAAS as J2EE-Realm the container creates the LoginContext.
Whom can I ask for the subject now?
There is no such method implemented in the EJBContext, the HttpServlet or HttpServletRequest!
Peter