Changing login module stack for Netweaver Portal?

G'day,
I want to change the login stack for Netweaver Portal (at http://<host:50100/irj).
Currently portal is configured in Visual Administrator to use the "ticket" authentication template. I can change this authentication template and change how I authenticate to portal.
But changing "ticket" authentication template also changes how other applications perform authentication. So I changed the login module stack for the "com.sap/irj*irj" component to not use an authentication template, and added my own login modules.
But when I access portal again, the "ticket" authentication is still used. I restarted the cluster to be sure but no matter what login modules I configure for "com.sap/irj*irj", only changes to "ticket" have any effect.
So: how do modify the login module stack for portal, without modifying the "ticket" authentication template?
--Geoff

Hi,
If you'd like to change the authentication stack only for the EP but not for all applications that use UME authentication, then you have to modify the descriptor authschemes.xml. You have to change the scheme "default" to point to another LM stack instead of "ticket" as it is shipped.
Kind regards,
Tsvetomir

Similar Messages

  • How to configure Login Modules Stack for Kerberos/LDAP

    Hello collegues,
    currenty we are working on UME configuration for the following use case.
    Clustered portal instance NW2004s running on AIX should be able to authenificate two groups of users.
    The first one is described by LDAP Data Source (Sun Directory Server) and using some artificial unique userID. Based on this userID, the SSO Ticket is created to get acces to the backend R/3 system. The LDAP schema has an "userdomain" attribute in it.
    The new group using ADS. These users are happy using it, because they have windows-based authentification and don't forced to type any credentials during login.
    There are plenty of blogs decribing how to connect ADS (even as a second DataSource) to UME.
    There are two unsolved problems: 
    1. ADS account attributes does not have the userID needed to get an SSO Ticket
    2. LDAP DataSource has no ADS password and can not be used for Kerberos authentification.
    What could be a solution for this case? I am sure we need an extra login module which enrich the Subject (user, which is already authentificated by SPNego module) with userID, selected from LDAP DataSource based on user attributes.
    Is there any other solution? May be I can mix some attributes in a DataSource configuration file?
    Best regards
    Sergej Naimark

    Hi Frank,
    did you configure the SSO for an individual policy configuration or did you edit and save the changes the ticket policy config? I ask, b/c if you applied the changes to the individual policy config then the SSO with certificates will be used <b>only</b> when you access the applications for that policy config.
    You can also double check the login module flags - perhaps the authentication check doesn't reach the ClientCertLM at all.
    Since you followed the help portal instruction I assume you've enabled strong crypto - it is required for client cert SSO. Ano easily committed mistake is to also not use the HTTPS port in the access URL.
    Let me know if this helps...
    Yonko

  • Custom Login Module, SSO Ticket validity & Login Module Stack

    Hi everybody,
    we have a portal (running on jboss) which links to a J2EE web application (running on SAP WAS 6.40) which itself is protected by a custom login module and redirects to different WebDynpro applications (running on same WAS as the J2EE app) depending on some parameters.
    So when we go from the portal to the J2EE web application, the custom login module authenticates the user, creates a MYSAPSSO2 Cookie and then redirects to a webdynpro app.
    What happens is that the webdynpro app doesn't accept the cookie and redirects to the login mask.
    Looking at the request header parameter HOST we have the request coming from sub1.sub2.mycompany.com, which is the portal.
    The WAS is located on sub3.mycompany.com.
    If we manipulate the HOST parameter to sub2.mycompany.com everything works fine and the webdynpro app successfully authenticates the user.
    This does sound either like a domain relaxing issue or a multi domain issue, which we added as parameters to the CreateTicketLoginModule in the Login Module Stack for the J2EE web app.
    Unfortunately without result.
    Did anybody have a similar problem and can give some hints on how to solve this?
    Any help is appreciated
    Regards,
    md
    Edited by: Minh-Duc Truong on Jul 17, 2008 7:18 PM
    Edited by: Minh-Duc Truong on Jul 17, 2008 7:19 PM
    Edited by: Julius Bussche on Jul 18, 2008 7:25 PM

    Hi md,
    I have split your 2nd question into a seperate thread => That would make them easier to answer as well, which will help.
    You can find it here: Custom Login Module, LM Stack ignored
    Cheers,
    Julius
    Edited by: Julius Bussche on Jul 18, 2008 7:26 PM

  • Portal authentication using two login module stacks?

    G'day,
    I am noticing something odd when I authenticate to the portal: there are two login module stacks used.
    Background: I have created a custom logon page, which is basically a form with username/password input as per [this guide|http://help.sap.com/saphelp_nw04/helpdata/en/62/601e1eebf54ca6a97e2873c8c63517/content.htm|Changing the logon screen]. I then modified the authschemes.xml file by defining a new authscheme "mylogon" that uses my own login module stack ("mystack") and uses the new logon page ("mylogonform"). This new authscheme is then made the default reference:
    <authscheme name="mylogon">
      <authentication-template>mystack</authentication-template>
      <priority>21</priority>
      <frontendtype>2</frontendtype>
      <frontendtarget>com.foo.bar.mylogonpage</frontendtarget>
    </authscheme>
    <authscheme-refs>
      <authscheme-ref name="default"><authscheme>mylogon</authscheme></authscheme-ref>
      <authscheme-ref name="UserAdminScheme"><authscheme>mylogon</authscheme></authscheme-ref>
    </authscheme-refs>
    When I want to access the portal, up pops the "mylogonform" page, and on clicking the "submit" button the portal page for the user is shown.
    Now here is the interesting thing: when the "ticket" login module stack is unchanged (ie. it uses the BasicpasswordLoginModule), then the log shows that authentication to the portal uses just my login module.
    This can be seen as follows, where I navigate to the portal, logon as one user, then logoff and logon as another user:
    Message : LOGIN.OK
    User: tu-1
    Authentication Stack: mystack
    Message : LOGOUT.OK
    User: tu-1
    Authentication Stack: mystack
    Message : LOGIN.OK
    User: Administrator
    Authentication Stack: mystack
    The "mylogonform" page is shown when logon is required in both cases.
    However, if I modify the "ticket" login module stack by replacing the BasicPasswordLogonModule with a custom logon module that does automatic authentication, then the following is observed when the "mylogonform" page is displayed:
    Message : LOGIN.FAILED
    User: N/A
    Authentication Stack: ticket
    Message : LOGIN.OK
    User: tu-1
    Authentication Stack: ticket
    For some reason, the modified "ticket" login module stack is now being executed, which was not the case when this login module stack was unmodified.
    This stack automatically authenticates the current user (the initial failure is because the new login module asks the browser to send authentication data), and this "failure" causes the logon form to be displayed.
    I can logon to the portal as the same user, and the logs show that "mystack" login module stack is used:
    Message : LOGIN.OK
    User: tu-1
    Authentication Stack: mystack
    Logoff shows that "mystack" is used for the actual logoff, but "ticket" is called again automatically and succeeds:
    Message : LOGOUT.OK
    User: tu-1
    Authentication Stack: mystack
    Message : LOGIN.FAILED
    User: N/A
    Authentication Stack: ticket
    Message : LOGIN.OK
    User: tu-1
    Authentication Stack: ticket
    (Again, the initial logon failure is the new login module requesting that the browser send authentication data in the next request).
    This brings up the "mylogonform" page, even though it appears that a user has already been authenticated. If I try to logon as another user, the following is shown:
    Message : LOGIN.FAILED
    User: Administrator
    Authentication Stack: mystack
    Login Module                                                            Flag        Initialize  Login      Commit     Abort      Details
    com.sap.security.core.server.jaas.EvaluateTicketLoginModule             SUFFICIENT  ok          exception  false      true       authscheme not sufficient: basicauthentication<mylogonform
    Central Checks                                                                                exception             Call logout before login.
    I guess one cannot authenticate as a new user until the current user has been logged out.
    So ... why does the "ticket" login module get called in the second case, but not in the first case (or only shows logging in the second case) ?
    What is the logic behind portal authentication and showing a logon page?
    If I want to use custom authentication and a custom logon page, why is the "ticket" stack called at all?

    Jayesh,
    there is no such thing like "login module stacks". The <b>do</b> exist on the other hand:
    - login module
    - logon stacks
    Login module and logon stacks are part of the JAAS concept for defining a complex pluggable authentication scheme, original by SUN (see: java.sun.com/products/jaas)
    A logon process is defined by a logon stack which itself consists of several login modules. Each login module performs an authentication step. Example:
    login module 1: check if valid sap logon ticket provided
    if module 1 fails: then login module 2: request user id/password
    if module 2 succeeds: then login module 3: create new sap logon ticket for user
    You can define multiple logon stacks and configure individual applications to use the one stack or the other.
    The logon stack configuration is done using visual administrator. Here select the security provider service for configuring logon stacks.
    btw: As logon stacks are "java-only", there are no transaction names (which only exist on Web AS ABAP).
    Regards,
    Dominik

  • What is so special about the "ticket" login module stack?

    G'day,
    I am observing some odd behaviour with login module stacks.
    I have a custom login module that performs authentication using information in the HTTP servlet request. This custom login module does not require any interaction from the user. I want to use this custom login module when I authenticate to the portal.
    By default, the portal uses an authentication scheme known as "uidpwdlogon", which uses the "ticket" login module stack, which is configured to perform basic password login. When I attempt to access the portal I am presented with a username/password page and I need to enter a username and password, hit the "submit" button, and access to the portal is granted.
    So I replaced the BasicPasswordLoginModule entry in the "ticket" login module stack with my custom login module, and now access to the portal is granted automatically, as expected. There is no username/password page displayed.
    But if I create a new login module stack that contains exactly the same modules as "ticket" login module stack, and modify the "uidpwdlogon" authentication scheme to use my new login module stack instead of the "ticket" login module stack, then something odd occurs: I am now presented with a username/password page again. I need to hit the "submit" button to navigate away from this page before the custom login module stack will process, which will then grant access to the portal.
    If I change the "uidpwdlogon" authentication scheme back to use the "ticket" login module stack (which is exactly the same as the previous login module stack), then access to the portal is granted automatically without showing a username/password page.
    So: if the (modified) "ticket" login module stack is used, there's no username/password page shown. If a copy of that login module stack is used, then a username/password page is shown.
    What's going on here?

    G'day,
    Thanks for the reply.
    The relevant parts of the authschemes.xml file are as follows:
            <authscheme name="uidpwdlogon">
                <authentication-template>myloginstack</authentication-template>
                <priority>21</priority>
                <frontendtype>2</frontendtype>
                <frontendtarget>com.sap.portal.runtime.logon.certlogon</frontendtarget>
            </authscheme>
            <authscheme-ref name="default">
                <authscheme>uidpwdlogon</authscheme>
            </authscheme-ref>
            <authscheme-ref name="UserAdminScheme">
                <authscheme>uidpwdlogon</authscheme>
            </authscheme-ref>
    Note that I have changed the uidpwdlogon element to use "myloginstack" instead of "ticket", and changed the priority from 20 to 21, as suggested (but it should be noted that the outcome is the same regardless of priority).
    The "ticket" login module stack is defined as follows:
      EvaulateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
      MyLoginModule REQUISITE {...}
      CreateTicketLoginModule OPTIONAL {ume.configuration.active=true}
    and the "myloginstack" is defined identically as follows:
      EvaulateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
      MyLoginModule REQUISITE {...}
      CreateTicketLoginModule OPTIONAL {ume.configuration.active=true}
    When the "uidpwdlogon" authentication scheme is configured to use the "myloginstack" login module stack, the browser immediately opens up the normal username/password page. I wait for a few minutes (for logging reasons), then hit submit, and access to the portal is granted.
    The log output for this is as follows:
    Message : LOGIN.FAILED
    User: N/A
    Authentication Stack: myloginstack
    Login Module                                                            Flag        Initialize  Login      Commit     Abort      Details
    com.sap.security.core.server.jaas.EvaluateTicketLoginModule             SUFFICIENT  ok          false                 true      
    MyLoginModule                                                           REQUISITE   ok          exception             true       Further authentication required from client
    com.sap.security.core.server.jaas.CreateTicketLoginModule               OPTIONAL    ok                                true      
    Message : LOGIN.OK
    User: testuser
    Authentication Stack: myloginstack
    Login Module                                                            Flag        Initialize  Login      Commit     Abort      Details
    com.sap.security.core.server.jaas.EvaluateTicketLoginModule             SUFFICIENT  ok          false      false                
    MyLoginModule                                                           REQUISITE   ok          true       true                 
    com.sap.security.core.server.jaas.CreateTicketLoginModule               OPTIONAL    ok          true       true                 
    Central Checks                                                                                true                 
    There are two login stack events because the first login stack event asks the browser to pass along authentication data, which is processed in the second login stack event.
    Also note that the time of the first login module event is a few minutes after the username/password page appears, suggesting that the portal is attempting to obtain information before it processes the login module stack.
    If I change the "uidpwdlogon" authentication scheme to use the "ticket" login module stack, then no username/password page appears and the security log is essentially identical to that of "myloginstack":
    Message : LOGIN.FAILED
    User: N/A
    Authentication Stack: ticket
    Login Module                                                            Flag        Initialize  Login      Commit     Abort      Details
    com.sap.security.core.server.jaas.EvaluateTicketLoginModule             SUFFICIENT  ok          false                 true      
    MyLoginModule                                                           REQUISITE   ok          exception             true       Further authentication required from client
    com.sap.security.core.server.jaas.CreateTicketLoginModule               OPTIONAL    ok                                true      
    Message : LOGIN.OK
    User: testuser
    Authentication Stack: ticket
    Login Module                                                            Flag        Initialize  Login      Commit     Abort      Details
    com.sap.security.core.server.jaas.EvaluateTicketLoginModule             SUFFICIENT  ok          false      false                
    MyLoginModule                                                           REQUISITE   ok          true       true                 
    com.sap.security.core.server.jaas.CreateTicketLoginModule               OPTIONAL    ok          true       true                 
    Central Checks                                                                                true                 
    I am creating the "myloginstack" login module stack using the Visual Administrator tool, by clicking the "Add" button for the "Policy Configurations" tab of the SecurityProvider service. Note that when I do this the entry for "myloginstack" gets a diamond icon, while the entry for "ticket" has a different icon (resembling a graph). I do not know what these different icons beside each policy configuration imply (is "ticket" different to "myloginstack" somehow?) nor how to create a new policy configuration that will have different icon.
    I assume the username/password page is shown because the <frontendtarget> element in the "uidpwdlogon" authentication scheme is defined to use "com.sap.portal.runtime.logon.certlogon". Perhaps there is another value I can use here that displays nothing and redirects the browser directly to the portal?

  • Login Module Stack of EP

    Hi guys,
    I am in the process to setup HeaderVariable Authentication for accessing to EP and have a some questions.
    1) What Login Module Stack needs to be adjusted to use the HeaderVariableLoginModule? SAP J2EE Root or Ticket or ....
    2) Are changes in the policy configurations (adding logon module) applied immediately or is a J2EE restart required?
    Thanks,
    Mario.

    Thank you Paul.
    I've found on my own also to question 1. I have to modify the Login Module stack of template "tiket" as following:
      1) EvaluateTicketLoginModule SUFFICIENT
      2) HeaderVariableLoginModule OPTIONAL     Header=REMOTE_USER
      3) CreateTickeLoginModule    SUFFICIENT
      4) BasicPasswordLoginModule  REQUISITE
      5) CreateTicketLoginModule   OPTIONAL
    Now I'd like to know if is it possible to test the header variable login configuration without using any external web server but connect directly to Enerprise Portal.
    When I try to connect directly to the Enerprise Portal using the URL
       http://<server>:<port>/irj/portal?REMOTE_USER=<userID>
    i'm not able to log into the system, but i'm redirected to the login page.
    If I type in userID and password, portal doesn't authenticate the user.
    Is the External Web Server mandatory for the Header Variable Login Module configuration?
    Thanks in advance,
    Mario.

  • Configure JAAS login module stack to support x.509 certificates without SSL

    I want to use x.509 certificates for authentication against a EP 7.0 but I don’t want to have SSL traffic on the network segment where the portal resides. Obviously the SSL must be terminated in an application gateway that sends the certificate to the portal in the header.
    I know that AcceptClientCertWithoutSSL must be set to true in the http provider and that ClientCertificateHeaderName is the name of the header variable that contains the user’s certificate, default is SSL_CLIENT_CERT.
    What I don’t know is how to configure my JAAS login module stack, my suggestion would be this:
    EvaluateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
    ClientCertLoginModule OPTIONAL {Rule1.getUserFrom=SSL_CLIENT_CERT}
    CreateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
    BasicPasswordLoginModule REQUISITE {}
    CertPersisterLoginModule OPTIONAL {Rule1.getUserFrom=SSL_CLIENT_CERT}
    CreateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
    My concern is does the ClientCertLoginModule and the CertPersisterLoginModule read from the header variable? If they don’t, is there another login module that should be used in this case?

    Hi Claus,
    you got the flags right but the options of the login modules (LM) are wrong, so the certificate authentication won't work.
    There's two problems I see: (1) Rule1.getUserFrom is not a valid option for the LM CertPersisterLoginModule, and (2) SSL_CLIENT_CERT is not a valid value for the option Rule1.getUserFrom of the ClientCertLoginModule.
    Looking at this topic:
    http://help.sap.com/saphelp_nw2004s/helpdata/en/ea/301e3e6217b40be10000000a114084/content.htm
    the header variable used to pass the certificate is maintained in the HTTP provider service properties but since you use the default you don't need to maintain that part of the config. You also don't need the CertPersisterLoginModule in the config because it is used for automatic certificate mapping, which doesn't work when you don't have SSL to the portal.
    So with the above said your LM stack config should look like this:
    EvaluateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
    ClientCertLoginModule OPTIONAL {Rule1.getUserFrom=wholeCert}
    CreateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
    BasicPasswordLoginModule REQUISITE {}
    CreateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
    If this doesn't work I'd suggest opening a support ticket.
    Regards,
    Yonko

  • SPNEGO Login module Stack issue: Could not validate SPNEGO token

    Hello to all,
    We are deploying a SAP Netweavear 7.3 Enterprise Portal with SPNego login module activated.
    We are performing some tests (performances and concurrent accesses).
    During the tests we have found several times the folloiwing Issue linked to the spnego.
    Could not validate SPNEGO token.
    [EXCEPTION]
    java.lang.NumberFormatException: multiple points
    at sun.misc.FloatingDecimal.readJavaFormatString(FloatingDecimal.java:1082)
    at java.lang.Double.parseDouble(Double.java:510)
    at java.text.DigitList.getDouble(DigitList.java:151)
    at java.text.DecimalFormat.parse(DecimalFormat.java:1303)
    at java.text.SimpleDateFormat.subParse(SimpleDateFormat.java:1934)
    at java.text.SimpleDateFormat.parse(SimpleDateFormat.java:1312)
    at java.text.DateFormat.parse(DateFormat.java:335)
    at com.sap.security.core.server.jaas.spnego.util.Utils.generalizedTimeStringToData(Utils.java:167)
    at com.sap.security.core.server.jaas.spnego.krb5.KrbTicketEncryptedData.parseDecryptedData(KrbTicketEncryptedData.java:67)
    at com.sap.security.core.server.jaas.spnego.krb5.KrbEncryptedData.decrypt(KrbEncryptedData.java:94)
    at com.sap.security.core.server.jaas.spnego.krb5.KrbApReq.decrypt(KrbApReq.java:68)
    at com.sap.security.core.server.jaas.SPNegoLoginModule.parseAndValidateSPNEGOToken(SPNegoLoginModule.java:315)
    at com.sap.security.core.server.jaas.SPNegoLoginModule.processAuthorizationHeader(SPNegoLoginModule.java:474)
    at com.sap.security.core.server.jaas.SPNegoLoginModule.login(SPNegoLoginModule.java:160)
    at com.sap.engine.services.security.login.LoginModuleLoggingWrapperImpl.login(LoginModuleLoggingWrapperImpl.java:254)
    at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:65)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:254)
    at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.getLoggedInUser(SAPJ2EEAuthenticator.java:352)
    at com.sapportals.portal.prt.service.authenticationservice.AuthenticationService.loginWithRequestCredentials(AuthenticationService.java:337)
    at com.sapportals.portal.prt.service.authenticationservice.AuthenticationService.getLoggedInUser(AuthenticationService.java:321)
    at com.sapportals.portal.prt.connection.UMHandler.handleUM(UMHandler.java:60)
    at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:163)
    at com.sap.portal.prt.dispatcher.DispatcherServlet.service(DispatcherServlet.java:132)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
    at com.sap.engine.services.servlets_jsp.server.Invokable.invoke(Invokable.java:152)
    at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doCached(RequestDispatcherImpl.java:655)
    at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:488)
    at com.sap.portal.navigation.Gateway.service(Gateway.java:147)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
    at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.runServlet(FilterChainImpl.java:202)
    at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.doFilter(FilterChainImpl.java:103)
    at com.sap.portal.http.EnrichNavRequestFilter.doFilter(EnrichNavRequestFilter.java:49)
    at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.doFilter(FilterChainImpl.java:79)
    at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:432)
    at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:210)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:441)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:430)
    at com.sap.engine.services.servlets_jsp.filters.DSRWebContainerFilter.process(DSRWebContainerFilter.java:38)
    at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
    at com.sap.engine.services.servlets_jsp.filters.ServletSelector.process(ServletSelector.java:81)
    at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
    at com.sap.engine.services.servlets_jsp.filters.ApplicationSelector.process(ApplicationSelector.java:276)
    at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
    at com.sap.engine.services.httpserver.filters.WebContainerInvoker.process(WebContainerInvoker.java:81)
    at com.sap.engine.services.httpserver.chain.HostFilter.process(HostFilter.java:9)
    at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
    at com.sap.engine.services.httpserver.filters.ResponseLogWriter.process(ResponseLogWriter.java:60)
    at com.sap.engine.services.httpserver.chain.HostFilter.process(HostFilter.java:9)
    at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
    at com.sap.engine.services.httpserver.filters.DefineHostFilter.process(DefineHostFilter.java:27)
    at com.sap.engine.services.httpserver.chain.ServerFilter.process(ServerFilter.java:12)
    at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
    at com.sap.engine.services.httpserver.filters.MonitoringFilter.process(MonitoringFilter.java:29)
    at com.sap.engine.services.httpserver.chain.ServerFilter.process(ServerFilter.java:12)
    at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
    at com.sap.engine.services.httpserver.filters.SessionSizeFilter.process(SessionSizeFilter.java:26)
    at com.sap.engine.services.httpserver.chain.ServerFilter.process(ServerFilter.java:12)
    at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
    at com.sap.engine.services.httpserver.filters.MemoryStatisticFilter.process(MemoryStatisticFilter.java:57)
    at com.sap.engine.services.httpserver.chain.ServerFilter.process(ServerFilter.java:12)
    at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
    at com.sap.engine.services.httpserver.filters.DSRHttpFilter.process(DSRHttpFilter.java:43)
    at com.sap.engine.services.httpserver.chain.ServerFilter.process(ServerFilter.java:12)
    at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
    at com.sap.engine.services.httpserver.server.Processor.chainedRequest(Processor.java:475)
    at com.sap.engine.services.httpserver.server.Processor$FCAProcessorThread.process(Processor.java:269)
    at com.sap.engine.services.httpserver.server.rcm.RequestProcessorThread.run(RequestProcessorThread.java:56)
    at com.sap.engine.core.thread.execution.Executable.run(Executable.java:122)
    at com.sap.engine.core.thread.execution.Executable.run(Executable.java:101)
    at com.sap.engine.core.thread.execution.CentralExecutor$SingleThread.run(CentralExecutor.java:328)
    The user rlinked to this user is Guest.
    could you please advice us how to solve this reccuring issue?
    Kind regards
    Julien LEFEVRE

    Hello Cathal,
    Thank you for your answer.
    In fact the new spnego wizard of the SAP Enterprise Portal 7.3 is used to get the the two keys files. The SAP Jvm is used in fact with the 1.6.1.
    And in fact , it functions perfectly sometimes. but during the test of massive access ( More than 30 conurent users), I have this error that comes frequently.
    Best regards
    Julien LEFEVRE

  • How to enable change password feature in SAP Netweaver Portal 7?

    Hi experts,
    I would like to provide a change password link just beside the logout link after user had successfully logged in to Sap Netweaver portal. When user clicks that link, a change password screen sill appear to allow user to change his/her password.
    Question:
    1) How do i create a link in portal header just beside the logout link?
    2) Is there any default change password page for Sap Netweaver Portal that I can use for this purpose?
    Thanks,
    Kenneth

    Hi,
    To get the change password link beside logout, get the masthead PAR file from portal, import into your NWDS, make the changes in the JSP and upload PAR file back to portal. Search with keyword "Masthead customization" in SDN. You will get many documents to achieve.
    SAP has password change functionality available. Chekc the link below for details.
    Re: Change Password Functionality
    Regards,
    Yoga

  • Login Module configuration for soap adapter ?

    Hi Guys,
    I have configured XISOAPAdapter for client certificate Authentication and i have created 1443 as the HTTPS port on the ABAP stack and defined this port in the instance profile.
    Under SSL provider i have selected 50101 as the HTTPS port and the user mapping to the certificate works fine and i was able to login directly.
    https://host:50101/XISOAPAdapter/MessageServlet - I was able to login with the user mapping to certifcate.
    but when i try https://host:1443/XISOAPAdapter/MessageServlet - it is asking for the basic password authentication and the automatic login with the certifcate is not working. Our customer will be using this url to send messages to soap adapter.
    under policy configurations for XISOAPAdapter, i have defined only clientcertificateloginmodule and define the rule as Rule1.getUserFrom=wholecert.
    any help or suggestions would be appreciated.
    Thanks,
    Srini

    Hi,
    We also experienced that limitation when a vendor is connecting to our XI SOAP Sender Adapter. It is asking for basic username/password. What we did was to create a Generic XI user with a password on it and use SSL authentication at the same time. Our Scenario was PI --> XI --> SAP R3, with the PI system using an HTTP RFC destination with a Basic Logon and Active SSL option to connect to the same system as yours https://host:portnumber/XISOAPAdapter/MessageServlet
    Let me know if this helped...
    Regards,

  • Change Login Module

    I think this is an old question. I’m trying to customizing the logon page. I’m using the document Customizing the Logon user Interface of SAP Enterprise Portal. I’m in the Enterprise Portal 6.0 SP 11, J2EE version 6.40.
    After executing all the changes that the document indicates:
    -     Like created a new project
    -     I change the authschemes.xml, to my project name
    When accessing the portal the Following error appears:
         Portal Runtime Error
    An exception occurred while processing a request for :
    iView : N/A
    Component Name : N/A
    The exception was logged. Inform your system administrator..
    See the details for the exception ID in the log file
    Those any one can Help me.
    Best Regards
    Thanks In advanced
    Pedro Miguel Rodrigues

    The problem exception is not a problem at this moment. 
    Now I have 2 problems:
    Frist:
    I’ have made the changes and create a Logon:
    User (Input Field)
    Password (Input field)
    Logon (Bottom).
    Now when I click in the logon, it executes the logon, but it “log” on the same page and those not refresh the page (I’have 2 headers, the first header disappears after using the button refresh off the IE.
    Second:
    When the user places a wrong password. The system call the standard logon, but I don’t want this situation.
    Those any one can help on this 2 situations

  • Custom Login Module, LM Stack ignored

    Moderator's note: This is a question split from another thread:
    Maybe someone with LoginModuleStack knowledge can give us a hand
    Another issue (which is isolated from the other question) we have is that somehow the defined Login Module Stack for the J2EE app
    doesn't get called when there exits already a MYSAPSSO2 cookie in the session.
    The Login Module Stack looks like this:
    Custom Login Module Position 1 Required (also tested with optional & requisite)
    CreateTicketLoginModule Position 2 Sufficient (also tested with optional)
    So if we call the J2EE web app with no existing MYSAPSSO2 cookie (e.g. open in new browser window), everything
    works fine and the defined login module stack is run through.
    If we call the app with existing MYSAPSSO2 cookie (e.g. open in same browser window after logout of previous app),
    the login module stack is ignored and it seems that the EvaluateTicketLoginModule is called straight away, despite not being defined in the stack.
    What could be the problem and how can this be solved?
    Signed with greetings and a happy weekend on behalf of Minh-Duc Truong,
    Your,
    Julius
    Edited by: Minh-Duc Truong on Jul 18, 2008 4:52 PM
    Edited by: Julius Bussche on Jul 18, 2008 7:29 PM

    Hi,
    I cannot believe that the EvaluateTicketLoginModule is called if it is not defined in the stack. I guess the best way to track down the problem is to increase the severity of the following locations:
    (use Visual Admin / Log Configurator / Locations TAB to do that):
    com.sap.security.server.jaas
    com.sap.engine.services.security
    Set the Severity to ALL. After that call your application and paste the output in security.log here so I can have a look at it. It will contain a complete trace of the processing of your login modules so maybe we'll see what's going wrong.
    Cheers

  • Login module for the J2EE application

    Hi ,
    I am trying to use the BasicPasswordLoginModule for my J2EE application which will be deployed in the SAP J2EE engine.My application will not be accessed through the portal.
    I am having a login screen in my application for which i want to use the already avaliable login module. ie.. BasicPasswordLoginModule.
    When i am trying to get the login(). i am getting the following the error.
    "javax.security.auth.login.LoginException: No LoginModules configured for BasicPasswordLoginModule".
    Please let me know what needs to be done.
    PS: The version environment is CE 7.1
    Regards
    Abu Bakar

    Hi Julius
    I am totally confused, my application is a pure J2EE application which has only one screen which just displays the details. And i want only the login screen to be implemented. I have gone through a couple of dec from sap which tells to created a custom login module if requiredl but i want to user the FORM based authentication and use the BasicPasswordLoginModule(in-built in WAS)
    All that i am doing is written a web.xml with the following information:
    <login-config>
       <auth-method>FORM</auth-method>
       <form-login-config>
       <form-login-page>/home.jsp</form-login-page>
       <form-error-page>/relogin.jsp</form-error-page>
       </form-login-config>
      </login-config>
      <security-role>
        <role-name>App_Viewer</role-name>
      </security-role>
    web-j2ee-engine with following information:
    <security-role-map>
              <role-name>App_Viewer</role-name>
               <server-role-name>Administrator</server-role-name>
         </security-role-map>
         <login-module-configuration>
         <login-module-stack>
         <!-- Contains all login modules used for authentication -->
              <login-module>
              <!-- Contains information about one login module -->
                   <login-module-name>BasicPasswordLoginModule</login-module-name>
                   <flag>SUFFICIENT</flag>
                   <options>
                        <option>
                        <!-- The option UserNamePrefix determines that the user name must start with "Admin" -->
                        <name>UserNamePrefix</name>
                        <value>Admin</value>
                        </option>
                   </options>
              </login-module>
         </login-module-stack>
         <security-policy-domain></security-policy-domain>
    </login-module-configuration>
    And I am not sure, if the above mentioned details are enough. My implementation code is as follows:
    try {
              HttpServletRequest request = (HttpServletRequest) FacesContext.getCurrentInstance().getExternalContext().getRequest();
              HttpServletResponse response = (HttpServletResponse) FacesContext.getCurrentInstance().getExternalContext().getResponse();
              request.setAttribute(ILoginConstants.LOGON_UID_ALIAS, this.getUserName());
              request.setAttribute(ILoginConstants.LOGON_PWD_ALIAS, this.getPassword());
              UMFactory.getLogonAuthenticator().logon(request, response, "BasicPasswordLoginModule");
              status = success;
         } catch (Exception e) {
              e.printStackTrace();
              status = e.toString();
    In the NWA i have just configured the UserNamePrefix with Admin, thats all . Since the form login authentication method is already configure with the BasicPasswordLoginModule, I left it untouched.
    I also implemented a custom login module and deployed it but not sure how to use it in my code.
    Please let me know if i am in the rite track. Correct me if i am wrong. At the end of the day i want to use the login screen just to get authenticated. I am also not bothered about the password changing etc.. As the users who are going to use my application are the users in the Identity Management. Few portions of my screen should be allowed to be displayed based on the roles.
    PS: My application is not configured in the portal. Its an independent application deployed on the WAS(CE 7.1).
    Please advice
    Regards
    Abu Bakar

  • Not able  to add login module to authentication stacks!

    HI Portal Gurus!
    we are implementing siteminder sso integration with portal.
    Iam trying to do following configuration ...
    Modify the ticket authentication template:
    a.)Remove from the stack:
    1)BasicPasswordLoginModule
    2)EvaluateTicketLoginModule
    b.)Add the following modules to the top of the stack, in the order shown:
    SiteMinderLoginModule
    CreateTicketLoginModule
    Iam not able to do either reomove exting one nor add new login module.Iam getting an error"Unable to add login module to authentication stacks! "
    Ilogged in to v.admin as administrator with admin & superadmin roles.
    It would be great if anyone could help me in this .
    Regards
    tag

    Hi,
    in change mode only getting an error.
    error"unable to add login module stack to authentication stacl! details are available in status bar"
    in status bar information below...
    Unable to add login module to the authentication stack!
    java.lang.SecurityException: com.sap.engine.services.security.exceptions.BaseSecurityException: Caller not authorized.
         at com.sap.engine.services.security.resource.ResourceHandleImpl.checkPermission(ResourceHandleImpl.java(Compiled Code))
         at com.sap.engine.services.security.resource.ResourceHandleImpl.checkPermission(ResourceHandleImpl.java(Compiled Code))
         at com.sap.engine.services.security.resource.ResourceContextImpl.checkPermission(ResourceContextImpl.java(Compiled Code))
         at com.sap.engine.services.security.restriction.Restrictions.checkPermission(Restrictions.java(Compiled Code))
         at com.sap.engine.services.security.server.AuthenticationContextImpl.setLoginModules(AuthenticationContextImpl.java(Compiled Code))
         at com.sap.engine.services.security.remoteimpl.RemoteAuthenticationImpl.setLoginModules(RemoteAuthenticationImpl.java(Compiled Code))
         at com.sap.engine.services.security.remoteimpl.RemoteAuthenticationImplp4_Skel.dispatch(RemoteAuthenticationImplp4_Skel.java(Compiled Code))
         at com.sap.engine.services.rmi_p4.DispatchImpl._runInternal(DispatchImpl.java(Compiled Code))
         at com.sap.engine.services.rmi_p4.DispatchImpl._run(DispatchImpl.java(Inlined Compiled Code))
         at com.sap.engine.services.rmi_p4.server.P4SessionProcessor.request(P4SessionProcessor.java(Compiled Code))
         at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java(Compiled Code))
         at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java(Compiled Code))
         at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java(Compiled Code))
         at java.security.AccessController.doPrivileged1(Native Method)
         at java.security.AccessController.doPrivileged(AccessController.java(Compiled Code))
         at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java(Compiled Code))
         at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java(Compiled Code))
         at com.sap.engine.services.security.exceptions.BaseSecurityException.writeReplace(BaseSecurityException.java:349)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java(Compiled Code))
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java(Compiled Code))
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java(Compiled Code))
         at java.lang.reflect.Method.invoke(Method.java(Compiled Code))
         at java.io.ObjectStreamClass.invokeWriteReplace(ObjectStreamClass.java:1057)
         at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java(Compiled Code))
         at java.io.ObjectOutputStream.writeObject(ObjectOutputStream.java(Compiled Code))
         at com.sap.engine.services.rmi_p4.DispatchImpl.throwException(DispatchImpl.java(Compiled Code))
         at com.sap.engine.services.rmi_p4.DispatchImpl._runInternal(DispatchImpl.java(Compiled Code))
         at com.sap.engine.services.rmi_p4.DispatchImpl._run(DispatchImpl.java(Inlined Compiled Code))
         at com.sap.engine.services.rmi_p4.server.P4SessionProcessor.request(P4SessionProcessor.java(Compiled Code))
         at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java(Compiled Code))
         at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java(Compiled Code))
         at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java(Compiled Code))
         at java.security.AccessController.doPrivileged1(Native Method)
         at java.security.AccessController.doPrivileged(AccessController.java(Compiled Code))
         at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java(Compiled Code))
         at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java(Compiled Code))
    I would appreciate if anybody could help for resolving this issue.
    Regards
    Tag

  • Problems with custom login module/authscheme in Portal iViews

    Hi,
    In our portal users must login with their username and password ("ticket" login module stack) to access most of the content. For some of the iViews containing confidential data we would like to ask the users some personal questions before giving them access.
    I followed all the steps described in the [official documentation |http://help.sap.com/saphelp_nw04s/helpdata/en/8c/f03541c6afd92be10000000a1550b0/content.htm]:
    - created a custom login module
    - added it to a custom login module stack
    - added a custom authscheme in the authschemes.xml file
    - assigned the iView to this authscheme
    I also create a PortalComponent that reads the user entries and calls my login module (JSP not shown):
    public void doContent(IPortalComponentRequest request, IPortalComponentResponse response)     {          
        HttpServletRequest req = request.getServletRequest();
        HttpServletResponse resp = request.getServletResponse(false);
        ILogonAuthentication ila = UMFactory.getLogonAuthenticator();
        Subject subject = ila.logon(req, resp, "myauthscheme");
        // if authenticated what to do next??
    Now when I try to access the protected iView, I see my screen to answer the questions, I press submit and my login module is called. But, I never get redirected to the iView I'm supposed to go. So I still have two questions:
    1) Which login modules should be in the login module stack? Should I include the BasicPasswordLoginModule?
    For the moment I have:
    EvaluateTicketLoginModule (SUFFICIENT)
    MyCustomLoginModule (REQUISITE)
    CreateTicketLoginModule (OPTIONAL)
    2) How can I be redirected to the protected iView after the user is being authenticated? Is it the portal framework who is responsible to navigate there automatically? Or is it in my own code after the logon() call? In that case how can I retrieve the destination URL?
    Thanks,
    Martin

    I'm using the version 10.1.3.0.4 (SU5).
    The error is:
    06/09/28 18:09:05 WARNING: Application.setConfig Application: current-workspace-app is in failed state as initialization failedjava.lang.InstantiationException
    28/09/2006 18:09:05 com.evermind.server.Application setConfig
    WARNING: Application: current-workspace-app is in failed state as initialization failedjava.lang.InstantiationException
    2006-09-28 18:09:05.390 WARNING J2EE 0JR0013 Exception initializing deployed application: current-workspace-app. null
    My JAAS-oc4j-app content is:
    <log>
    <file path="JAAS-oc4j-app.log" xmlns=""/>
    </log>
    <jazn provider="XML" location="JAAS-jazn-data.xml">
    <property name="role.mapping.dynamic" value="true"/>
    <property name="custom.loginmodule.provider" value="true"/>
    <property name="jaas.username.simple" value="true"/>
    </jazn>
    <data-sources path="JAAS-data-sources.xml"/>
    Thanks for reply.

Maybe you are looking for

  • IW31 - Modify Basic Finish Date

    Hi Gurus, I'm looking for a badi or user exit that allows me to modify the Basic Finish Date in the IW31/IW32 transactions just before saving. I've tried the following ways without any succes: - IWO10009 - Function Module --> EXIT_SAPLCOIH_009 This u

  • JNLP-Template: where is it alowed to use wildcards (*) in a template?

    I know that it is not allowed to use a wildcard in value-attribute of a property-element. But is there somewhere a documentation with all (not) allowed elements and attributes?

  • LaserJet P2015dn Washed Out Print

    The cartridege and printer is brand spanking new. Word, Excel documents print superbly. However, if I print something from a website it is barely readable, same for my email messages. I use Gadwin Print Screen software and that results also in printi

  • Recommended size of photos

    Just started using iM 8 on my 1.8 Dual G5 (Yes, it installed and works although it appears a little slowly)! Question: What is the size that photos need to be to insure they will import and display properly? I dragged a couple of photos from an exter

  • Urgent: Problems with IMAP-PostBox (mistakenly deleted messages)

    Hi there, I would be deeply grateful if someone could help me. I worked offline and created two new postboxes (IMAP) - to which I transfered a lot of messages. Hours later when I went online, the mail-system deleted the postboxes saying: invalid acti