ClassNotFound using JAAS

Similar Messages

• How to Set Up SSO Between IBM WebSphere and SAP EP Using JAAS

  Hi
  I have read the article on SDN called "How to Set Up SSO Between IBM WebSphere and SAP EP Using JAAS", which is also the name of my posting.
  The reason why I post this is that I've tried to follow the links in the PDF to get the file WebsphereEpSsoLib.zip but I get an error 403, which tells me that the file is not there.
  Does anybody know where this file went or can somebody tell me an alternative place to get this file?
  Jacob

  Please open the associated whitepaper, and you can find the download link to the .ZIP file on page 4.
  https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/ibm/how to set up single sign-on between an ibm websphere portal and the sap enterprise portal using jaas.pdf
  Hope that works!
  Elise

• Has anyone used JAAS with WebLogic?

  Has anyone used JAAS with Weblogic? I was looking at their example, and I have a bunch of questions about it. Here goes:
  Basically the problem is this: the plug-in LoginModule model of JAAS used in WebLogic (with EJB Servers) seems to allow clients to falsely authenticate.
  Let me give you a little background on what brought me to this. You can find the WebLogic JAAS example (to which I refer below) in the pdf: http://e-docs.bea.com/wls/docs61/pdf/security.pdf . (I believe you want pages 64-74) WebLogic, I believe goes about this all wrong. They allow the client to use their own LoginModules, as well as CallBackHandlers. This is dangerous, as it allows them to get a reference (in the module) to the LoginContext's Subject and authenticate themselves (i.e. associate a Principal with the subject). As we know from JAAS, the way AccessController checks permissions is by looking at the Principal in the Subject and seeing if that Principal is granted the permission in the "policy" file (or by checking with the Policy class). What it does NOT do, is see if that Subject
  has the right to hold that Principal. Rather, it assumes the Subject is authenticated.
  So a user who is allowed to use their own Module (as WebLogic's example shows) could do something like:
  //THEIR LOGIN MODULE (SOME CODE CUT-OUT FOR BREVITY)
  public class BasicModule implements LoginModule
  private NameCallback strName;
  private PasswordCallback strPass;
  private CallbackHandler myCB;
  private Subject subj;
           //INITIALIZE THIS MODULE
             public void initialize(Subject subject, CallbackHandler callbackHandler, Map sharedState, Map options)
                    try
                         //SET SUBJECT
                           subj = subject;  //NOTE: THIS GIVES YOU REFERENCE
  TO LOGIN CONTEXT'S SUBJECT
                                                   // AND ALLOWS YOU TO PASS
  IT BACK TO THE LOGIN CONTEXT
                         //SET CALLBACKHANDLERS
                           strName = new NameCallback("Your Name: ");
                           strPass = new PasswordCallback("Password:", false);
                           Callback[] cb = { strName, strPass };
                         //HANDLE THE CALLBACKS
                           callbackHandler.handle(cb);
                    } catch (Exception e) { System.out.println(e); }
       //LOG THE USER IN
         public boolean login() throws LoginException
            //TEST TO SEE IF SUBJECT HOLDS ANYTHING YET
            System.out.println( "PRIOR TO AUTHENTICATION, SUBJECT HOLDS: " +
  subj.getPrincipals().size() + " Principals");
            //SUBJECT AUTHENTICATED - BECAUSE SUBJECT NOW HOLDS THE PRINCIPAL
             MyPrincipal m = new MyPrincipal("Admin");
             subj.getPrincipals().add(m);
             return true;
           public boolean commit() throws LoginException
                 return true;
      }(Sorry for all that code)
  I tested the above code, and it fully associates the Subject (and its principal) with the LoginContext. So my question is, where in the process (and code) can we put the LoginContext and Modules so that a client cannot
  do this? With the above example, there is no Security. (a call to: myLoginContext.getSubject().doAs(...) will work)
  I think the key here is to understand JAAS's plug-in security model to mean:
  (Below are my words)
  The point of JAAS is to allow an application to use different ways of authenticating without changing the application's code, but NOT to allow the user to authenticate however they want.
  In WebLogic's example, they unfortunately seem to have used the latter understanding, i.e. "allow the user to authenticate however they want."
  That, as I think I've shown, is not security. So how do we solve this? We need to put JAAS on the server side (with no direct JAAS client-side), and that includes the LoginModules as well as LoginContext. So for an EJB Server this means that the same internal permission
  checking code can be used regardless of whether a client connects through
  RMI/RMI-IIOP/JEREMIE (etc). It does NOT mean that the client gets to choose
  how they authenticate (except by choosing YOUR set ways).
  Before we even deal with a serialized subject, we need to see how JAAS can
  even be used on the back-end of an RMI (RMI-IIOP/JEREMIE) application.
  I think what needs to be done, is the client needs to have the stubs for our
  LoginModule, LoginContext, CallBackHandler, CallBacks. Then they can put
  their info into those, and everything is handled server-side. So they may
  not even need to send a Subject across anyways (but they may want to as
  well).
  Please let me know if anyone sees this problem too, or if I am just completely
  off track with this one. I think figuring out how to do JAAS as though
  everything were local, and then putting RMI (or whatever) on top is the
  first thing to tackle.

  Send this to:
  newsgroups.bea.com / security-group.

• Client remote Authentication using JAAS and EJB Access

  Hi,
  I have a problem using JAAS in combination with Sun One Appserver 8.1 and a java remote client trying to access an EJB. Here is the scenario:
  I have implemented an EJB who's methods are protected through the deployment descriptor:
          <assembly-descriptor>
               <security-role>
                  <description>role for clients outside of the server </description>
                  <role-name>sedna</role-name>
                </security-role>
              <method-permission>
                <role-name>sedna</role-name>
                <method>
                  <ejb-name>ServerInfoBean</ejb-name>
                  <method-intf>Remote</method-intf>
                  <method-name>*</method-name>
                </method>
              </method-permission>
              <method-permission>
                <unchecked/>
                <method>
                  <ejb-name>ServerInfoBean</ejb-name>
                  <method-name>getVersion</method-name>
                </method>
                <method>
                  <ejb-name>ServerInfoBean</ejb-name>
                  <method-name>create</method-name>
                </method>
              </method-permission>
          </assembly-descriptor>I've deployed the EJB in a jar file which was packed into an ear file of a bigger application. The role has been mapped to the admin Principal in the sun-ejb-jar.xml descriptor.
  I can find the EJB, create it, and call the unchecked method getVersion and that works fine, so far so good.
  But then I try to access another method which is protected and then I get this exception
  org.omg.CORBA.NO_PERMISSION:   vmcid: 0x2000  minor code: 1806 completed: Maybe
          at com.sun.enterprise.iiop.POAProtocolMgr.mapException(POAProtocolMgr.java:179)
          at com.sun.ejb.containers.BaseContainer.postInvoke(BaseContainer.java:853)
          at com.sun.ejb.containers.EJBObjectInvocationHandler.invoke(EJBObjectInvocationHandler.java:137)
  ...I have to mention that I do make a login via the LoginContext. My jaas.config File has a reference to the com.sun.enterprise.security.auth.login.ClientPasswordLoginModule module.
  After login (which works perfectly) I lookup the context with a corbaname url which - if I understood it right - ignores the Context.SECURITY_PRINCIPAL and Context.SECURITY_CREDENTIALS settings.
  After that I make the calls to the EJB. And I am allways ANONYMOUS on the server side, which is definitely the problem. Because ANONYMOUS is not allowed to call the protected EJB Methods. But I made a jaas login in advance. So where am I making a mistake???
  Am I doing something wrong?
  Need help! Thx,
  Stephan

  Hi.
  I understand correctly that you call Subject.doAs on
  the client to call the remote EJB. I guess It isn't
  right way.I had also a bad feeling about this, so I forget it. But anyway it wasn't working with or without using that doAs().
  >
  >
  Subject contextSubject =
  Subject.getSubject(AccessController.getContext());
  contextSubject.getPrincipals();This code throws exceptions in the Appserver. Unfortunately they are catched somewhere so I'm unable to find out what was going wrong. But I guess, that these exceptions where security exceptions. Never the less thanks for the hint!
  But I don't think that doing the check on the server side is the way I want to go because that is programmatically security and I want to use the declarative security which can be used through the deployment descriptor. If used correctly - and supposed I do not completely misunderstand the specification - then it should be possible to create an EJB that is protected via it's deployment descriptor and access it through the client only if the client has been authenticated through JAAS mechanisms. After successful authentication the principal should be accessible through the EJB context but not for security check, that should allready been done at this time.
  Unfortunately I don't find any resource on the internet describing the scenario in such a detail that I can reproduce it. There are only very high level documentations and hints in forums.
  Again, thanks for your effort,
  Stephan

• Role based menu using JAAS

  Is it possible to implement role based menu using JAAS in web application ? My requirment is to enable or disable menu items on the screen based on the roles of the logged in user .
  Can some one help me on this ?

  Is it possible to implement role based menu using JAAS in web application ? My requirment is to enable or disable menu items on the screen based on the roles of the logged in user .
  Can some one help me on this ?

• Using JAAS in a BC4J Client

  Hello
  We are building a BC4J application.
  We would like to use JAAS on the client side (Swing Client), to do some authorization.
  I made a test, authentication a user trough JAAS on the client as follow:
  // Auhorization
  CallbackHandler handler = new InfoCallbackHandler();
  String s = "oracle.security.jazn.tools.Admintool";
  LoginContext loginContext = new LoginContext(s, handler);
  loginContext.login();
  Subject subject = loginContext.getSubject();
  // authenticated action
  Subject.doAs(subject, this);
  This works, as long as the client has access to the jazn.xml file.
  As far as I understand, this loads the RealmLoginModule.
  The RealmLoginModule uses either a jazn.xml file, or LDAP for authentication.
  Now I'm curios about where the RealmLoginModule gets its information from, when the client is running on an other machine than the OC4J Server.
  Where does the RealmLoginModule get the connection information for the OC4J or LDAP- server from?
  Do I have to deliver the security information (jazn.xml file) to the client (I dont want to expose all this information to the Hackers on the client side)?
  Is there a way to delegate the JAAS calls to the middle tier (a security provider , LoginModule, that does RMI-calls to an EJB-component)?
  Is there a way to do authorization with the BC4J interfaces on the client (something like boolean ApplikacitonModule.isUserInRole(Role) or javax.security.auth.Subject ApplikacitonModule.getSubject() or java.util.Set ApplikacitonModule.getPrincipalsForSubject())?
  I would like to get a javax.security.auth.Subject representing the user (and password)
  that is authenticated in the middle tier. This is the Subject (defined by username & password)),
  used for the JNDI lookup, and by the whole J2EE (EJB) security, when creating a root ApplicationModule.
  Is this possible?
  Regards
  Matthais Gerber

  Hi,
  In JDeveloper 9.0.3, BC4J has JAAS support in the middle-tier. You could set jbo.security.enforce to "Test" or "Must" on the application module using "Configuration...", "Edit" in JDev. If you are using the default Oracle 9iAS JAAS you will also need to include BC4J Security library in the project. The jdk\jre\lib\securtiy\java.security should have login.configuration.provider=oracle.security.jazn.spi.LoginConfigProvider.
  You do not need to create LoginContext, CallbackHandler, etc. in either your client app or business objects.
  If you are not using OC4J, you need to have another loginmodule that implement javax.security.auth.spi.LoginModule. You need to set the jbo.security.loginmodule with you loginmodule name, include the class or jar in your library, specify the jaas config file on the java runtime option.
  Please refer to 9.0.3 online help "Working with Security in BC4J" for more information.
  Thanks,
  Yvonn

• Using JAAS without config text files

  Hi everybody,
  I'm trying to develop an application using JAAS for authentication and authorization, but I don't want to depend on the text files for configuration.
  This application is going to be distributed using Webstart, so I don't know which configuration the user will have.
  Is there anyway to bypass these files?
  Thanks a lot,
  Luis Javier

  For the LoginModule part, you could try to set your own Configuration object.
  Ses javax.security.auth.login.Configuration.setConfiguration
  You should be able to inherit from Configuration and provide your own method to
  provide AppConfigEntries.

• Active server implementation using jaas

  Active server implementation using jaas----------can someone suggest me how to go about it
  help needed immediately

  Have you programed your server? Can you communicate with me about the subject? My email is [email protected] QQ: 540028839

• Access resource from other application using JAAS

  i use JAAS for autenticate and autorizate in my web application, but i need access a resource from the other application , but this application don�t use JAAS.
  How can i acces this resource from other application?
  i know need send the parameters JSESSIONID, but , always redirecto the login page.
  thank you for your help

  your signon url is consists of the following url http://server.domain.com:port/site/signon.html
  Can you ping server.domain.com from your client?
  If you can ping it, then make sure your port is added as a rule in the firewall of the server.
  Also make sure that the proxy setting of the client have an exception to server.domain.com.
  If you cannot ping it, make sure the server and the client are conneted to the same network and make sure the hosts file on the client reflects the ipaddress and the hostname of the server.
  Hakan

• Authenticate using JAAS and LDAP

  Hi,
  I am trying to authenticate a user using JAAS against LDAP. I am able to hit LDAP, but failing when it comes to authentication.
  Yes, I have made sure the user and password are right.
  Here is my code and error message. Would really appreciate if someone can tell me what am I doing wrong here.
  My 'jaas.config' file :
  JNDILogin {
       com.sun.security.auth.module.JndiLoginModule Required
       debug=true
       useFirstPass=false
       strongDebug=true
       tryFirstPass=true
       storePass=true
       user.provider.url="Ldap://xxx.xxx.xxx.xxx:389/CN=someSecurityService,OU=XX,OU=XXXXX,OU=XXXXXX,OU=XXXXX,OU=XXXXXX,DC=XXX,DC=XXXXX,DC=XXX"
  group.provider.url="Ldap://xxx.xxx.xxx.xxx:389/CN=someSecurityService,OU=XX,OU=XXXXX,OU=XXXXXX,OU=XXXXX,OU=XXXXXX,DC=XXX,DC=XXXXX,DC=XXX";
  My implementation class 'ClientSideSecurityImp,java' :
  import javax.security.auth.Subject;
  import javax.security.auth.callback.CallbackHandler;
  import javax.security.auth.login.LoginContext;
  import javax.security.auth.login.LoginException;
  import org.apache.log4j.*;
  import com.sun.security.auth.callback.TextCallbackHandler;
  import com.sun.security.auth.module.JndiLoginModule;
  * Filename is ClientSideSecurity.java
  public class ClientSideSecurityImp
  private static final Logger log = Logger
  .getLogger(ClientSideSecurityImp.class);
  private Subject activeSubject = null;
  private String userName = null;
  private String appName = null;
  private String viaMech = null;
  private LoginContext lc = null;
  public ClientSideSecurityImp(String appNameVal)
  this.appName = appNameVal;
  * (non-Javadoc)
  public boolean userAuthenticate() throws SecurityException//,
  // AuthenticationException
  boolean authenticated = false;
  String whereAmI = "ClientSideSecurityImp.UserAuthenticate()";
  CallbackHandler handler = null;
  JndiLoginModule jndi = new JndiLoginModule();
  handler = new TextCallbackHandler();
  if (lc == null)
  try
  lc = new LoginContext("JNDILogin", handler);
  lc.login();
  } catch (LoginException e)
  // TODO Auto-generated catch block
  e.printStackTrace();
  activeSubject = lc.getSubject();
  log.debug(activeSubject.toString());
  // if we return with no exeption then authentication was sucessful.
  authenticated = true;
  return authenticated;
  * @return success at removing the certificates.
  public boolean logout()
  String whereAmI = "ClientSideSecurityImp.logout()";
  boolean success = false;
  this.userName = "";
  this.activeSubject = null;
  return true;
  My test class with main 'ClientSideSecurityImpTest.java' :
  import org.apache.log4j.Logger;
  import org.apache.log4j.PropertyConfigurator;
  import com.jaas.ClientSideSecurityImp;
  import junit.framework.TestCase;
  * TODO To change the template for this generated type comment go to
  * Window - Preferences - Java - Code Style - Code Templates
  public class ClientSideSecurityImpTest extends TestCase
  private static ClientSideSecurityImp cssi = new ClientSideSecurityImp("MyApp");
  private static final Logger log = Logger.getLogger(ClientSideSecurityImp.class);
  public static void main(String[] args)
  PropertyConfigurator.configure("log4j.properties");
  boolean test = cssi.userAuthenticate();
  log.debug("**##$$##** Authenticated :" + test);
  Error I get :
  I get some error messages here that is expected as I have 'tryFirstPass=true' in my 'jaas.config' file. Then it asks for the user and password again. After that this is what I get:
  Ldap username: user
  Ldap password: password
            [JndiLoginModule] user entered username: user
            [JndiLoginModule] user entered password: password
            [JndiLoginModule]: User not found
  javax.naming.NoInitialContextException: Cannot instantiate class: =com.sun.jndi.ldap.LdapCtxFactory [Root exception is java.lang.ClassNotFoundException: =com/sun/jndi/ldap/LdapCtxFactory]
       at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:652)
       at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:243)
       at javax.naming.InitialContext.init(InitialContext.java:219)
       at javax.naming.InitialContext.<init>(InitialContext.java:175)
       at com.sun.security.auth.module.JndiLoginModule.attemptAuthentication(JndiLoginModule.java:496)
       at com.sun.security.auth.module.JndiLoginModule.login(JndiLoginModule.java:310)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:324)
       at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
       at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
       at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
       at java.security.AccessController.doPrivileged(Native Method)
       at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
       at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
       at com.jaas.ClientSideSecurityImp.userAuthenticate(ClientSideSecurityImp.java:58)
       at com.test.ClientSideSecurityImpTest.main(ClientSideSecurityImpTest.java:29)
  Caused by: java.lang.ClassNotFoundException: =com/sun/jndi/ldap/LdapCtxFactory
       at java.lang.Class.forName0(Native Method)
       at java.lang.Class.forName(Class.java:219)
       at com.sun.naming.internal.VersionHelper12.loadClass(VersionHelper12.java:42)
       at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:649)
       ... 17 more
            [JndiLoginModule] regular authentication failed
            [JndiLoginModule]: aborted authentication failed
  javax.security.auth.login.FailedLoginException: User not found
       at com.sun.security.auth.module.JndiLoginModule.attemptAuthentication(JndiLoginModule.java:624)
       at com.sun.security.auth.module.JndiLoginModule.login(JndiLoginModule.java:310)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:324)
       at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
       at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
       at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
       at java.security.AccessController.doPrivileged(Native Method)
       at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
       at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
       at com.jaas.ClientSideSecurityImp.userAuthenticate(ClientSideSecurityImp.java:58)
       at com.test.ClientSideSecurityImpTest.main(ClientSideSecurityImpTest.java:29)
  java.lang.NullPointerException
       at com.jaas.ClientSideSecurityImp.userAuthenticate(ClientSideSecurityImp.java:65)
       at com.jaas.ClientSideSecurityImpTest.main(ClientSideSecurityImpTest.java:29)
  Thanks in advance.

  The error message clear cut says that the JVM cannot find the class com.sun.jndi.ldap.LdapCtxFactory. Make sure the LDAP provider jar which contains this class is in your program's classpath.

• Automatic login using JAAS...

  I've got a web application that uses a secured resource to restrict access to a set of pages. Using FORM based authentication this all works fine - the web container uses a custom LoginModule and request.getUserPrincipal returns the correct user.
  However, if I attempt to do a programmatic login (eg, in a Servlet) using something like this:
  new LoginContext("Users", new UsernamePasswordHandler(username, password.toCharArray()).login();it all goes wrong. No LoginException is thrown, the custom LoginModule authenticates them alright and the EJB context has the correct user Principal. HttpServletRequests, however, still return null for the user Principal.
  Does anyone know how to programmatically "set" the user Principal that the Servlet container associates with a particular session?
  I'm using JBoss 3.0.0 with Catalina.
  Many thanks in advance.

  Hi,
  I've been following the (lack of) progress of your post with interest. As I will be going down the same path very shortly. If you have any joy please send me any details.
  I've looked at Tomcat 4.0.3 source and it appears that you may have an option to get the Principal set in the request. If you can cast your request to a org.apache.catalina.HttpRequest then you'll have access to the setUserPrincipal() method.
  Otherwise you're going to have to implement a Realm (which I'm looking into as we speak) which uses JAAS. There've been a few posts in the Tomcat lists about a JAAS Realm, but seems that no-one has created one yet worth including in a build of Tomcat.
  Dave

• Issue with Authentication using JAAS for coherence

  Hi,
  I have configured security frame work using JAAS for storage enabled node,
  I am using keystore for authenticating the users, Below is the code used for authentication,
      Subject subject;
          try{ subject = Security.login(sUsername, sPassword.toCharArray()); }
          catch (Throwable t){
              subject = null;
              log("Authentication error:");
              log(t); }
          if (subject != null)
              for (Iterator iter = subject.getPrincipals().iterator(); iter.hasNext(); )
                  Principal principal = (Principal) iter.next();
                  log("Principal: " + principal.getName());
          Security.runAs(subject, new PrivilegedAction()
              public Object run()
                  NamedCache cache = CacheFactory.getCache(CACHE_NAME);
                  boolean flag = true;
                  while (flag) {}
                  return null;
              });and i am calling the above class in the callback handler which is defined in coherence operation descriptor.
          <security-config>
                  <enabled system-property="tangosol.coherence.security">true</enabled>
                  <login-module-name>TestCoherence</login-module-name>
                   <access-controller>
                  <class-name>com.tangosol.net.security.DefaultController</class-name>
                          <init-params>
                          <init-param id="1">
                          <param-type>java.io.File</param-type>
                          <param-value>config/keystore.jks</param-value>
                          </init-param>
                          <init-param id="2">
                          <param-type>java.io.File</param-type>
                          <param-value>config/permissions.xml</param-value>
                          </init-param>
                          </init-params>
                   </access-controller>
                   <callback-handler>
                          <class-name>Test</class-name>
                   </callback-handler>
           </security-config>I am using the following command line parameters for bringing up the storage enabled node.
  -Dtangosol.coherence.security.permissions="$CONFIG_PATH/permissions.xml" 
  -Dtangosol.coherence.security.keystore="$CONFIG_PATH/keystore.jks" 
  -Djava.security.auth.login.config="$CONFIG_PATH/login.config" 
  -Dtangosol.coherence.security=trueNow till the callback handler thread is alive, storage enabled node will be up. As soon as the call back handler thread dies. Storage enabled node stops with the following error,
  Exception in thread "main" java.lang.SecurityException: Authentication failed: Error initializing keystore
  at com.tangosol.coherence.component.net.security.Standard.loginSecure(Standard.CDB:36)
  at com.tangosol.coherence.component.net.security.Standard.getTempSubject(Standard.CDB:11)
  at com.tangosol.coherence.component.net.security.Standard.checkPermission(Standard.CDB:18)
  at com.tangosol.coherence.component.net.Security.checkPermission(Security.CDB:11)
  at com.tangosol.coherence.component.util.SafeCluster.ensureService(SafeCluster.CDB:6)
  at com.tangosol.coherence.component.net.management.Connector.startService(Connector.CDB:25)
  at com.tangosol.coherence.component.net.management.gateway.Remote.registerLocalModel(Remote.CDB:8)
  at com.tangosol.coherence.component.net.management.gateway.Local.registerLocalModel(Local.CDB:8)
  at com.tangosol.coherence.component.net.management.Gateway.register(Gateway.CDB:1)
  at com.tangosol.coherence.component.util.SafeCluster.ensureRunningCluster(SafeCluster.CDB:50)
  at com.tangosol.coherence.component.util.SafeCluster.start(SafeCluster.CDB:2)
  at com.tangosol.net.CacheFactory.ensureCluster(CacheFactory.java:948)
  at com.tangosol.net.DefaultConfigurableCacheFactory.ensureService(DefaultConfigurableCacheFactory.java:748)
  at com.tangosol.net.DefaultCacheServer.start(DefaultCacheServer.java:140)
  at com.tangosol.net.DefaultCacheServer.main(DefaultCacheServer.java:61)
  Please let me know where should i pass the credentials to the default cache server for authentication or should i change the any implementation of authentication here.
  Thanks in advance,
  Bhargav

  Bhargav,
  Rather than trying to loop forever in a callback handler try this
  import com.tangosol.net.CacheFactory;
  import com.tangosol.net.DefaultCacheServer;
  import com.tangosol.net.security.Security;
  import javax.security.auth.Subject;
  import java.security.PrivilegedExceptionAction;
  public class SecureCacheServer {
      public static void main(final String[] args) throws Exception {
          LoginContext lc = new LoginContext("Coherence");
          lc.login();      
          Subject subject = lc.getSubject();
          Security.runAs(subject, new PrivilegedExceptionAction() {
              public Object run() throws Exception {
                  DefaultCacheServer.main(args);
                  return null;
  }Then when you start your cache server just use the SecureCacheServer class above rather than DefaultCacheServer
  As the main method of DefaultCacheServer is running in a PrivilegedExceptionAction Coherence will use this identity anywhere it needs to do anything secured.
  I hope the code above compiles OK as it is a modified version of the code I really use.
  Hope this helps
  JK

• Using JAAS credentials in EJBs

  Hi,
  I'm trying to use JAAS credentials to do EJB authorization and I'm curious if this is even possible. Do I have to authorize the container I'm running in? Can I authorize it programmatically or do I need to use a different method?
  I've heard that's possible to authorize the container in OC4J 11 but I have seen any documentation on how to do it.

  Mark,
  if you are talking about a pure JAAS approach - one in which you perform JAAS authentication and authorization in your application code - then this of course is possible, but the container has nothing to do with it. Many users mix JAAS authentication and authorization with JAZN authentication and authorization, which is container managed authentication and authorization that is documented in the OracleAs documentation for OC4J (also for the use of EJB)
  Frank

• Using JAAS/JNDI with the Login Server

  Is it possible to set up single sign-on through the Login Server
  and OID for a Java portlet using JAAS and JNDI? What would be
  required to set this up?

  I was facing same problem,
  Here is I got an answer, I was doing same mistake.
  You cannot authenticate with an outlook.com account when you use the management shell. You have to use a @yourtenant.onmicrosoft.com
  account or an account where the domain has been associated with your O365 tenant like @contoso.com . Microsoft accounts cannot be used with the management shell.
  http://community.office365.com/en-us/f/156/t/238053.aspx 

• Using jaas

  can some one help me in using jaas , where i have access only to web.xml not server.xml , please gimme a link or an example for using jaas please its vey ugent

  your answer is here:
  http://saloon.javaranch.com/cgi-bin/ubb/ultimatebb.cgi?ubb=get_topic&f=65&t=000637
  sincerly yours,
  charles(jGuard team).