Client remote Authentication using JAAS and EJB Access

Hi,
I have a problem using JAAS in combination with Sun One Appserver 8.1 and a Java remote client trying to access an EJB. Here is the scenario:
I have implemented an EJB whose methods are protected through the deployment descriptor:
        <assembly-descriptor>
             <security-role>
                <description>role for clients outside of the server </description>
                <role-name>sedna</role-name>
              </security-role>
            <method-permission>
              <role-name>sedna</role-name>
              <method>
                <ejb-name>ServerInfoBean</ejb-name>
                <method-intf>Remote</method-intf>
                <method-name>*</method-name>
              </method>
            </method-permission>
            <method-permission>
              <unchecked/>
              <method>
                <ejb-name>ServerInfoBean</ejb-name>
                <method-name>getVersion</method-name>
              </method>
              <method>
                <ejb-name>ServerInfoBean</ejb-name>
                <method-name>create</method-name>
              </method>
            </method-permission>
        </assembly-descriptor>
I've deployed the EJB in a jar file which was packed into an ear file of a bigger application. The role has been mapped to the admin Principal in the sun-ejb-jar.xml descriptor.
I can find the EJB, create it, and call the unchecked method getVersion and that works fine, so far so good.
But when I try to access another method which is protected, I get this exception:
org.omg.CORBA.NO_PERMISSION:   vmcid: 0x2000  minor code: 1806 completed: Maybe
        at com.sun.enterprise.iiop.POAProtocolMgr.mapException(POAProtocolMgr.java:179)
        at com.sun.ejb.containers.BaseContainer.postInvoke(BaseContainer.java:853)
        at com.sun.ejb.containers.EJBObjectInvocationHandler.invoke(EJBObjectInvocationHandler.java:137)
...
I have to mention that I do make a login via the LoginContext. My jaas.config file has a reference to the com.sun.enterprise.security.auth.login.ClientPasswordLoginModule module.
After login (which works perfectly) I look up the context with a corbaname URL which - if I understood it right - ignores the Context.SECURITY_PRINCIPAL and Context.SECURITY_CREDENTIALS settings.
After that I make the calls to the EJB. And I am always ANONYMOUS on the server side, which is definitely the problem, because ANONYMOUS is not allowed to call the protected EJB methods. But I made a JAAS login in advance. So where am I making a mistake?
Am I doing something wrong?
Need help! Thx,
Stephan

> Hi.
> I understand correctly that you call Subject.doAs on the client to call the remote EJB. I guess it isn't the right way.

I had also a bad feeling about this, so I forgot it. But anyway it wasn't working with or without using that doAs().

> Subject contextSubject = Subject.getSubject(AccessController.getContext());
> contextSubject.getPrincipals();

This code throws exceptions in the Appserver. Unfortunately they are caught somewhere so I'm unable to find out what was going wrong. But I guess that these exceptions were security exceptions. Nevertheless, thanks for the hint!
But I don't think that doing the check on the server side is the way I want to go, because that is programmatic security and I want to use the declarative security which can be used through the deployment descriptor. If used correctly - and supposing I do not completely misunderstand the specification - then it should be possible to create an EJB that is protected via its deployment descriptor and access it through the client only if the client has been authenticated through JAAS mechanisms. After successful authentication the principal should be accessible through the EJB context, but not for the security check; that should already have been done at this time.
Unfortunately I don't find any resource on the internet describing the scenario in such a detail that I can reproduce it. There are only very high level documentations and hints in forums.
Again, thanks for your effort,
Stephan
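A way to verify on the server side which identity actually arrived with the IIOP call, as an added example that is not from this thread: an EJB 2.1 session bean reading its SessionContext. Bean name and role name are taken from the descriptor above; whoAmI is hypothetical and assumes it is listed under the unchecked method-permission (like getVersion) and that sedna is also declared as a security-role-ref for the bean. If it reports ANONYMOUS, the client-side JAAS login never propagated to the call and no descriptor change will help.

```java
import java.security.Principal;
import javax.ejb.SessionBean;
import javax.ejb.SessionContext;

/**
 * Added diagnostic, not code from the original thread. Same bean name and
 * role name as the ejb-jar.xml above; whoAmI is a hypothetical extra method
 * that must be listed under the <unchecked/> method-permission so the call
 * reaches the bean even when the client arrives as ANONYMOUS.
 */
public class ServerInfoBean implements SessionBean {
    private static final String CLIENT_ROLE = "sedna";
    private SessionContext ctx;

    public void setSessionContext(SessionContext ctx) { this.ctx = ctx; }
    public void ejbCreate() { }
    public void ejbRemove() { }
    public void ejbActivate() { }
    public void ejbPassivate() { }

    /** Reports the identity the container associated with this call. */
    public String whoAmI() {
        Principal caller = ctx.getCallerPrincipal();
        String name = (caller == null) ? "<no principal>" : caller.getName();
        // isCallerInRole consults the same role mapping the declarative
        // method-permission check uses, so "false" here matches NO_PERMISSION
        // on the protected methods.
        boolean inRole = ctx.isCallerInRole(CLIENT_ROLE);
        return name + " inRole(" + CLIENT_ROLE + ")=" + inRole;
    }
}
```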

Similar Messages

  • OSB Authentication using username and password (plaintext or digest)

    Hi,
    I want to implement a simple osb authentication using username/password (plain text or digest) , so that client required to provide username password token in soap header (message Level security) to access our webservices. I have read some of articles which shows how to create custom ws policy, but received following error during deployment.
    weblogic.wsee.ws.init.WsDeploymentException: The WebLogic Server 9.x-style policy is not supported in JAX-WS web services
    Please note - I can not install OWSM as part of my requirement
    =======
    <?xml version="1.0"?>
    <!-- WS-SecurityPolicy -->
    <wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wssp="http://www.bea.com/wls90/security/policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:wls="http://www.bea.com/wls90/security/policy/wsee#part">
    <!-- Identity Assertion -->
    <wssp:Identity>
    <wssp:SupportedTokens>
    <!-- Use UsernameToken for authentication -->
    <wssp:SecurityToken IncludeInMessage="true"
    TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken">
    <wssp:UsePassword Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"/>
    </wssp:SecurityToken>
    </wssp:SupportedTokens>
    </wssp:Identity>
    </wsp:Policy>

    You can use the default Auth.xml WS policy in OSB and be able to implement the authentication using username and plain text password.
    Just assign the Auth.xml on the Request Policies of the Proxy Service (under Policies).
    Then use any user credentials that has access to the domain for testing.
    If you want to restrict access for each operation then in the Security tab, under Message Access Control, specify a Role.
    Then in the OSB > Security Configuration, create the appropriate role with the specific role conditions like User is User1 or User is User2 etc ...
    Hope this helps.
    Thanks,
    Patrick

  • I use premiere and cannot access all of the transitions, they are grayed out. Why is this?

    I use premiere and cannot access all of the transitions, they are grayed out. Why is this?

    Maybe you have them "filtered" at the top of the FX Window (Icons)

  • Problems using JAAS with EJB 3.0 on JBoss 4.0.4-GA

    Hello all,
    I am trying to build a very simple JavaEE application with JAAS, but I am getting mad.
    I have an EAR packed with a WAR module, an EJB JAR module and a JAR with other classes. Struts is the MVC framework and EJB 3.0 is being used.
    First of all, I configured the "login-config.xml" file within /conf directory in JBoss, like this:
    <application-policy name="exemplo1">
         <authentication>
              <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
                   <module-option name="dsJndiName">java:jdbc/Infra_Seguranca</module-option>
                   <module-option name="principalsQuery">SELECT COD_USUARIO AS Password FROM USUARIO WHERE COD_USUARIO=?</module-option>
                   <module-option name="rolesQuery">SELECT NOME_ROLE AS Roles, 'Roles' AS RoleGroups FROM ROLE_USUARIO WHERE COD_USUARIO=?</module-option>
              </login-module>
         </authentication>
    </application-policy>
    Next I configured the "web.xml" file like this:
    <security-constraint>
         <web-resource-collection>
              <web-resource-name>Restricted</web-resource-name>
              <description>Declarative security tests</description>
              <url-pattern>*.do</url-pattern>
         </web-resource-collection>
         <auth-constraint>
              <role-name>xxx</role-name>
         </auth-constraint>
         <user-data-constraint>
              <description>no description</description>
              <transport-guarantee>NONE</transport-guarantee>
         </user-data-constraint>
    </security-constraint>
    <login-config>
         <auth-method>FORM</auth-method>
         <realm-name>exemplo1</realm-name>
         <form-login-config>
              <form-login-page>/login.jsp</form-login-page>
              <form-error-page>/loginErro.jsp</form-error-page>
         </form-login-config>
    </login-config>
    <security-role>
         <description>Role xxx</description>
         <role-name>xxx</role-name>
    </security-role>
    Notice that I am using the "xxx" role to protect the "*.do" URL pattern.
    The "jboss-web.xml" is like this:
    <?xml version="1.0"?>
    <jboss-web>
         <security-domain>java:/jaas/exemplo1</security-domain>
    </jboss-web>
    As it is, it works perfectly, which means every time I try to access a "*.do" URL it verifies whether I am authenticated and have authorization or not. If not, the login page shows up.
    Now I want to be able to also protect my EJBs.
    My Stateless Session Bean is implemented as follow:
    import javax.annotation.security.RolesAllowed;
    import javax.ejb.Stateless;

    @RolesAllowed("yyy")
    @Stateless(name="UserManagement")
    public class UserManagementBean implements UserManagement {
        public void add(User user) {
        }
    }
    When I run all this, the container simply ignores the @RolesAllowed("yyy") annotation and allows the EJB execution.
    If I add the "jboss.xml" file, like this:
    <?xml version="1.0"?>
    <jboss>
         <security-domain>java:/jaas/exemplo1</security-domain>
    </jboss>
    I start getting this stack trace:
    ERROR [UsersRolesLoginModule] Failed to load users/passwords/role files
    java.io.IOException: No properties file: users.properties or defaults: defaultUsers.properties found
    at org.jboss.security.auth.spi.Util.loadProperties(Util.java:313)
    at org.jboss.security.auth.spi.UsersRolesLoginModule.loadUsers(UsersRolesLoginModule.java:186)
    at org.jboss.security.auth.spi.UsersRolesLoginModule.createUsers(UsersRolesLoginModule.java:200)
    at org.jboss.security.auth.spi.UsersRolesLoginModule.initialize(UsersRolesLoginModule.java:127)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    ...
    Am I missing something? What do I have to do to get JAAS working fine with my EJBs? Do I have to also configure and/or provide "ejb-jar.xml"?
    Thanks
    Daniel

    Using @SecurityDomain("exemplo1") in my EJB and NOT providing jboss.xml, it works.
    import javax.annotation.security.RolesAllowed;
    import javax.ejb.Stateless;
    import org.jboss.annotation.security.SecurityDomain;

    @SecurityDomain("exemplo1")
    @RolesAllowed("yyy")
    @Stateless(name="UserManagement")
    public class UserManagementBean implements UserManagement {
        public void add(User user) {
        }
    }
    Damn! This is some serious shit... I don't want to configure this in every single EJB.
    EJB 3.0 is nice, but some small trivial details like this and others that were forgotten by Sun piss me off!

  • Connecting to Remote Desktop using proxy and Remote Desktop Gateway?

    I have set up a Remote Desktop Gateway server using Windows Server 2012 R2. I am using the Remote Desktop Gateway as an intermediary to provide the remote desktop session over 443 since 3389 is blocked at many client locations.
    However, I ran into a problem with a client who's using a web proxy.
    Is it possible to configure Remote Desktop to connect via web proxy? If so, how? If not, does anyone have any suggestions on how to provide a Remote Desktop session via 443 over proxy for situations where you don't control the client's PC or network? Does RemoteApps allow for access via web proxy when using RD Gateway?
    The error message is below:
    Your computer can't connect to the remote computer because the web proxy server requires authentication. To allow unauthenticated traffic to an RD Gateway server through your web proxy server, contact your network administrator.
    Thanks for any help!

    Hi,
    My suggestion is to set up an RD Web Access server and make it available for your clients via proxy.
    Remote Desktop Web Access (RD Web Access)
    http://technet.microsoft.com/en-us/library/cc731923.aspx
    Thanks.
    Jeremy Wu
    TechNet Community Support

  • Issue with Authentication using JAAS for coherence

    Hi,
    I have configured the security framework using JAAS for a storage enabled node. I am using a keystore for authenticating the users. Below is the code used for authentication:
    Subject subject;
    try {
        subject = Security.login(sUsername, sPassword.toCharArray());
    } catch (Throwable t) {
        subject = null;
        log("Authentication error:");
        log(t);
    }
    if (subject != null) {
        for (Iterator iter = subject.getPrincipals().iterator(); iter.hasNext(); ) {
            Principal principal = (Principal) iter.next();
            log("Principal: " + principal.getName());
        }
    }
    Security.runAs(subject, new PrivilegedAction() {
        public Object run() {
            NamedCache cache = CacheFactory.getCache(CACHE_NAME);
            // busy loop that keeps this thread (and with it the node) alive
            boolean flag = true;
            while (flag) {}
            return null;
        }
    });
    and I am calling the above class in the callback handler which is defined in the coherence operational descriptor.
            <security-config>
                    <enabled system-property="tangosol.coherence.security">true</enabled>
                    <login-module-name>TestCoherence</login-module-name>
                     <access-controller>
                    <class-name>com.tangosol.net.security.DefaultController</class-name>
                            <init-params>
                            <init-param id="1">
                            <param-type>java.io.File</param-type>
                            <param-value>config/keystore.jks</param-value>
                            </init-param>
                            <init-param id="2">
                            <param-type>java.io.File</param-type>
                            <param-value>config/permissions.xml</param-value>
                            </init-param>
                            </init-params>
                     </access-controller>
                     <callback-handler>
                            <class-name>Test</class-name>
                     </callback-handler>
             </security-config>
    I am using the following command line parameters for bringing up the storage enabled node.
    -Dtangosol.coherence.security.permissions="$CONFIG_PATH/permissions.xml" 
    -Dtangosol.coherence.security.keystore="$CONFIG_PATH/keystore.jks" 
    -Djava.security.auth.login.config="$CONFIG_PATH/login.config" 
    -Dtangosol.coherence.security=true
    Now, while the callback handler thread is alive, the storage enabled node stays up. As soon as the callback handler thread dies, the storage enabled node stops with the following error:
    Exception in thread "main" java.lang.SecurityException: Authentication failed: Error initializing keystore
    at com.tangosol.coherence.component.net.security.Standard.loginSecure(Standard.CDB:36)
    at com.tangosol.coherence.component.net.security.Standard.getTempSubject(Standard.CDB:11)
    at com.tangosol.coherence.component.net.security.Standard.checkPermission(Standard.CDB:18)
    at com.tangosol.coherence.component.net.Security.checkPermission(Security.CDB:11)
    at com.tangosol.coherence.component.util.SafeCluster.ensureService(SafeCluster.CDB:6)
    at com.tangosol.coherence.component.net.management.Connector.startService(Connector.CDB:25)
    at com.tangosol.coherence.component.net.management.gateway.Remote.registerLocalModel(Remote.CDB:8)
    at com.tangosol.coherence.component.net.management.gateway.Local.registerLocalModel(Local.CDB:8)
    at com.tangosol.coherence.component.net.management.Gateway.register(Gateway.CDB:1)
    at com.tangosol.coherence.component.util.SafeCluster.ensureRunningCluster(SafeCluster.CDB:50)
    at com.tangosol.coherence.component.util.SafeCluster.start(SafeCluster.CDB:2)
    at com.tangosol.net.CacheFactory.ensureCluster(CacheFactory.java:948)
    at com.tangosol.net.DefaultConfigurableCacheFactory.ensureService(DefaultConfigurableCacheFactory.java:748)
    at com.tangosol.net.DefaultCacheServer.start(DefaultCacheServer.java:140)
    at com.tangosol.net.DefaultCacheServer.main(DefaultCacheServer.java:61)
    Please let me know where I should pass the credentials to the default cache server for authentication, or whether I should change any implementation of authentication here.
    Thanks in advance,
    Bhargav

    Bhargav,
    Rather than trying to loop forever in a callback handler try this
    import com.tangosol.net.CacheFactory;
    import com.tangosol.net.DefaultCacheServer;
    import com.tangosol.net.security.Security;
    import javax.security.auth.Subject;
    import javax.security.auth.login.LoginContext;
    import java.security.PrivilegedExceptionAction;

    public class SecureCacheServer {
        public static void main(final String[] args) throws Exception {
            // Authenticate once via JAAS; "Coherence" is the entry name in login.config
            LoginContext lc = new LoginContext("Coherence");
            lc.login();
            Subject subject = lc.getSubject();
            // Run the stock cache server under the authenticated Subject
            Security.runAs(subject, new PrivilegedExceptionAction() {
                public Object run() throws Exception {
                    DefaultCacheServer.main(args);
                    return null;
                }
            });
        }
    }
    Then when you start your cache server just use the SecureCacheServer class above rather than DefaultCacheServer.
    As the main method of DefaultCacheServer is running in a PrivilegedExceptionAction Coherence will use this identity anywhere it needs to do anything secured.
    I hope the code above compiles OK as it is a modified version of the code I really use.
    Hope this helps
    JK

  • Authenticate using JAAS and LDAP

    Hi,
    I am trying to authenticate a user using JAAS against LDAP. I am able to hit LDAP, but failing when it comes to authentication.
    Yes, I have made sure the user and password are right.
    Here is my code and error message. Would really appreciate it if someone can tell me what I am doing wrong here.
    My 'jaas.config' file :
    JNDILogin {
         com.sun.security.auth.module.JndiLoginModule Required
         debug=true
         useFirstPass=false
         strongDebug=true
         tryFirstPass=true
         storePass=true
         user.provider.url="Ldap://xxx.xxx.xxx.xxx:389/CN=someSecurityService,OU=XX,OU=XXXXX,OU=XXXXXX,OU=XXXXX,OU=XXXXXX,DC=XXX,DC=XXXXX,DC=XXX"
         group.provider.url="Ldap://xxx.xxx.xxx.xxx:389/CN=someSecurityService,OU=XX,OU=XXXXX,OU=XXXXXX,OU=XXXXX,OU=XXXXXX,DC=XXX,DC=XXXXX,DC=XXX";
    };
    My implementation class 'ClientSideSecurityImp.java':
    import javax.security.auth.Subject;
    import javax.security.auth.callback.CallbackHandler;
    import javax.security.auth.login.LoginContext;
    import javax.security.auth.login.LoginException;
    import org.apache.log4j.*;
    import com.sun.security.auth.callback.TextCallbackHandler;
    import com.sun.security.auth.module.JndiLoginModule;

    /**
     * Filename is ClientSideSecurity.java
     */
    public class ClientSideSecurityImp {
        private static final Logger log = Logger.getLogger(ClientSideSecurityImp.class);
        private Subject activeSubject = null;
        private String userName = null;
        private String appName = null;
        private String viaMech = null;
        private LoginContext lc = null;

        public ClientSideSecurityImp(String appNameVal) {
            this.appName = appNameVal;
        }

        /* (non-Javadoc) */
        public boolean userAuthenticate() throws SecurityException //, AuthenticationException
        {
            boolean authenticated = false;
            String whereAmI = "ClientSideSecurityImp.UserAuthenticate()";
            CallbackHandler handler = null;
            JndiLoginModule jndi = new JndiLoginModule();
            handler = new TextCallbackHandler();
            if (lc == null) {
                try {
                    lc = new LoginContext("JNDILogin", handler);
                    lc.login();
                } catch (LoginException e) {
                    // TODO Auto-generated catch block
                    e.printStackTrace();
                }
            }
            // Note: after a failed login() getSubject() returns null, which is the
            // NullPointerException that follows the FailedLoginException below.
            activeSubject = lc.getSubject();
            log.debug(activeSubject.toString());
            // if we return with no exception then authentication was successful.
            authenticated = true;
            return authenticated;
        }

        /**
         * @return success at removing the certificates.
         */
        public boolean logout() {
            String whereAmI = "ClientSideSecurityImp.logout()";
            boolean success = false;
            this.userName = "";
            this.activeSubject = null;
            return true;
        }
    }
    My test class with main 'ClientSideSecurityImpTest.java' :
    import org.apache.log4j.Logger;
    import org.apache.log4j.PropertyConfigurator;
    import com.jaas.ClientSideSecurityImp;
    import junit.framework.TestCase;

    /*
     * TODO To change the template for this generated type comment go to
     * Window - Preferences - Java - Code Style - Code Templates
     */
    public class ClientSideSecurityImpTest extends TestCase {
        private static ClientSideSecurityImp cssi = new ClientSideSecurityImp("MyApp");
        private static final Logger log = Logger.getLogger(ClientSideSecurityImp.class);

        public static void main(String[] args) {
            PropertyConfigurator.configure("log4j.properties");
            boolean test = cssi.userAuthenticate();
            log.debug("**##$$##** Authenticated :" + test);
        }
    }
    Error I get :
    I get some error messages here that is expected as I have 'tryFirstPass=true' in my 'jaas.config' file. Then it asks for the user and password again. After that this is what I get:
    Ldap username: user
    Ldap password: password
              [JndiLoginModule] user entered username: user
              [JndiLoginModule] user entered password: password
              [JndiLoginModule]: User not found
    javax.naming.NoInitialContextException: Cannot instantiate class: =com.sun.jndi.ldap.LdapCtxFactory [Root exception is java.lang.ClassNotFoundException: =com/sun/jndi/ldap/LdapCtxFactory]
         at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:652)
         at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:243)
         at javax.naming.InitialContext.init(InitialContext.java:219)
         at javax.naming.InitialContext.<init>(InitialContext.java:175)
         at com.sun.security.auth.module.JndiLoginModule.attemptAuthentication(JndiLoginModule.java:496)
         at com.sun.security.auth.module.JndiLoginModule.login(JndiLoginModule.java:310)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:324)
         at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
         at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
         at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
         at java.security.AccessController.doPrivileged(Native Method)
         at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
         at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
         at com.jaas.ClientSideSecurityImp.userAuthenticate(ClientSideSecurityImp.java:58)
         at com.test.ClientSideSecurityImpTest.main(ClientSideSecurityImpTest.java:29)
    Caused by: java.lang.ClassNotFoundException: =com/sun/jndi/ldap/LdapCtxFactory
         at java.lang.Class.forName0(Native Method)
         at java.lang.Class.forName(Class.java:219)
         at com.sun.naming.internal.VersionHelper12.loadClass(VersionHelper12.java:42)
         at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:649)
         ... 17 more
              [JndiLoginModule] regular authentication failed
              [JndiLoginModule]: aborted authentication failed
    javax.security.auth.login.FailedLoginException: User not found
         at com.sun.security.auth.module.JndiLoginModule.attemptAuthentication(JndiLoginModule.java:624)
         at com.sun.security.auth.module.JndiLoginModule.login(JndiLoginModule.java:310)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:324)
         at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
         at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
         at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
         at java.security.AccessController.doPrivileged(Native Method)
         at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
         at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
         at com.jaas.ClientSideSecurityImp.userAuthenticate(ClientSideSecurityImp.java:58)
         at com.test.ClientSideSecurityImpTest.main(ClientSideSecurityImpTest.java:29)
    java.lang.NullPointerException
         at com.jaas.ClientSideSecurityImp.userAuthenticate(ClientSideSecurityImp.java:65)
         at com.jaas.ClientSideSecurityImpTest.main(ClientSideSecurityImpTest.java:29)
    Thanks in advance.

    The error message clearly says that the JVM cannot find the class com.sun.jndi.ldap.LdapCtxFactory. Make sure the LDAP provider jar which contains this class is in your program's classpath.

  • Porting varray data from one db to another remote db using queues and jms

    We are trying to port a varray from one db to another db using queues and java jms. The varray is embedded in an object type (necessary according to oracle docs). The varray, embed object, and the queues are identical between the 2 dbs. We have used the capabilities in jdeveloper to generate the necessary classes to access the embed object and its payload the varray.
    However, when we attempt this:
    // session, publisher and agents are fields of the enclosing class (not shown)
    public void publish( com.wgint.sql.EaiType payload )
        throws JMSException, SQLException {
        Connection dbConnection = ((AQjmsSession)session).getDBConnection();
        AdtMessage message = ((AQjmsSession)session).createAdtMessage();
        message.setAdtPayload( payload );
        ( (AQjmsTopicPublisher) publisher ).publish( publisher.getTopic(),
                                                    message,
                                                    agents );
    }
    we get an ORA-00902 error, invalid datatype. I cannot find a single example on technet or the internet in which someone has done something similar. I do not know if it is feasible or not.
    Steve

    Do you really need JMS to do this? If not, just let the AQ layer propagate your messages from your local to your remote queue. See the online doc how to do this.

  • FWSM: AAA authentication using TACACS and local authorization

    Hi All,
    In our setup, we have FWSMs running version 3.2.22 and users are authenticating using TACACS (running Cisco ACS). We would like to give restricted access (some show commands) to a couple of users on all devices. We do not want to use TACACS for command authorization.
    We have created users on TACACS and not allowed "enable" access to them. I have also given those show commands locally on the firewall with privilege level 1 and enabled aaa authorization LOCAL.
    Now, those users can successfully log in to devices and execute those show commands from priv level 1 except "sh access-list". I have specifically mentioned this
    "privilege show level 1 mode exec command access-list"  in the config.
    Is there anything i am missing or is there any other way of doing it?
    Thanks.

    You cannot do what you are trying to do. For (default login you need to use the first policy matched.
    you can diversify telnet/ssh with http by  creating different aaa groups.
    But still you will be logging in for telnet users (all of them) using one method.
    I hope it is clear.
    PK

  • Using SWING and EJB

    Has anybody used Swing for GUI and EJBs for business logic? Here I need to use Swing for the GUI rather than JSPs.
    Can anybody help?

    My question is ...
    How do you call EJBs from Swing based applets?
    In J2EE transaction management could be done at the server side, but how will we manage it with the Swing app?

  • Database and ejb access in Input Processor, custom Validator

    Hi guys,
    I know the Portal docs recommend that database and ejb calls should be done in
    a Pipeline Component. Are transactions the only concern?
    I'd like to validate two fields. This can be easily accomplished by a an ejb
    method call that returns a boolean for one, and by running a simple select statement
    for the other. Are there any risks to creating custom validator classes to do
    this?
    Thanks

    David,
    Here are the characteristics of Pipelines and IPs:
    Inputprocessors:
    - Web App scope (classloaded by webapp classloader)
    - simple java class
    Pipelines/Pipeline Components:
    - Enterprise App scope (available to all webapps)
    - java class or EJB
    - can be transactional (can even rollback PipelineSession)
    - Pipelines executed from within the EJB container
    There is nothing illegal about putting EJB calls and JDBC calls into an Inputprocessor.
    For simple validation, this is probably okay. However, when doing heavy business
    logic, having the Pipeline manage a single transaction for your PCs is wonderful.
    PJL

  • Setting up authentication using IAS and an AP1200

    I'm trying to get RADIUS authentication working using Windows 2003 IAS and an AP1200, client is an AIR-CB21AG with latest drivers (2.1). Can anyone point me to a "how to" guide or advise how to configure each component to get it all working?
    Thanks in advance!

    Gerardo
    A customer that I work with has set up lots of VPN connections to remote sites where the remote site is behind a cable network connection including actiontech routers. We are using the 1841 router but I would think that the 1861 would be able to do this without much problem.
    As to the specific questions that you ask:
    - We use GRE/IPSec tunnels and it works well.
    - there should not be any configuration changes on the actiontech router.
    - as far as caveats:
    + make sure that the image on the 1861 is the advanced security feature set or the advanced services feature set so that you get support for the encryption needed for VPN.
    + in our implementation we require that the remote site have a fixed IP address which allows each end of the VPN to uniquely specify its peer and allows either end of the VPN to initiate the connection. I assume that your user is getting an address via DHCP from the actiontech. This will mean that your head end will have to accept connection requests from anyone and authenticate to verify that it is an authorized request. And it will mean that the remote must initiate the connection.
    If it is a single user at this remote location would it be feasible to set it up as a remote access VPN rather than a site to site VPN and to have the user use the VPN client which would eliminate the requirement for a router at the remote site?
    HTH
    Rick

  • Authentication using userCertificate and SASL External

    hi!
    I try to authenticate using SASL "External" and SSL.
    The SSL connection works fine, also SASL when using "Digest-MD5", but when I try to authenticate using "External" I get connected as anonymous.
    Here is what I did:
    I created a self-signed certificate with owner "uid=xyz,ou=OrgUnit1,ou=OrgUnit2,o=Org".
    My client has this certificate in its keystore.
    The server has an entry with "dn=uid=xyz,ou=OrgUnit1,ou=OrgUnit2,o=Org" and this entry has the userCertificate attribute, which also contains my self-signed certificate.
    I edited the "certmap.conf" file like this:
    certmap default default
    default:DNComps
    default:FilterComps uid
    default:verifycert on
    As I understood the manual, this means the server should search the directory for an RDN "uid=xyz" and check if the certificate of this user is the same as the one provided by the client. If it is, the client should get the permissions of this entry.
    But in the logfile I always get this message:
    conn=4 fd=1148 slot=1148 SSL connection from 172.16.0.190 to 172.16.0.190
    conn=4 SSL 128-bit RC4
    conn=4 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL
    conn=4 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
    conn=4 op=1 SRCH base="uid=xyz,ou=OrgUnit1,ou=OrgUnit2,o=Org" scope=0 filter="(objectClass=*)" attrs="entryid"
    conn=4 op=1 RESULT err=0 tag=101 nentries=1 etime=0
    conn=4 op=2 fd=1148 closed - A1
    So, one possibility is I understood something completely wrong and the other is the server doesn't find the entry "uid=xyz,ou=OrgUnit1,ou=OrgUnit2,o=Org" because of some misconfiguration, or I need a user certificate which has been issued by a CA...
    Can anyone help me?
    Thanks a lot!
    Florian
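    An added example, not code from the thread: the access log quoted above reports err=0 for the EXTERNAL bind, so the only sign that the certificate was not mapped is the empty dn="" on the RESULT line. This script pairs each BIND with its RESULT by (conn, op) and lists connections whose SASL EXTERNAL bind completed as anonymous. The log lines are constructed to follow the format quoted in the post; conn=5 and conn=6 are invented additional connections (one EXTERNAL bind that did map, one failed simple bind) so the check has something to distinguish.

```python
"""Constructed example: flag SASL EXTERNAL binds that a Directory Server
completed as anonymous, by correlating BIND and RESULT lines per (conn, op)."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the access-log format quoted in the post; conn=5 and
# conn=6 are invented to show a mapped EXTERNAL bind and a failed simple bind.
SAMPLE_LOG = """\
conn=4 fd=1148 slot=1148 SSL connection from 172.16.0.190 to 172.16.0.190
conn=4 SSL 128-bit RC4
conn=4 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL
conn=4 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
conn=4 op=1 SRCH base="uid=xyz,ou=OrgUnit1,ou=OrgUnit2,o=Org" scope=0 filter="(objectClass=*)" attrs="entryid"
conn=4 op=1 RESULT err=0 tag=101 nentries=1 etime=0
conn=4 op=2 fd=1148 closed - A1
conn=5 fd=1150 slot=1150 SSL connection from 172.16.0.191 to 172.16.0.190
conn=5 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL
conn=5 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=abc,ou=OrgUnit1,ou=OrgUnit2,o=Org"
conn=6 fd=1152 slot=1152 connection from 172.16.0.192 to 172.16.0.190
conn=6 op=0 BIND dn="uid=xyz,ou=OrgUnit1,ou=OrgUnit2,o=Org" method=128 version=3
conn=6 op=0 RESULT err=49 tag=97 nentries=0 etime=0
"""

BIND_RE = re.compile(
    r'^conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\S+)'
    r'(?: version=\d+)?(?: mech=(\S+))?'
)
RESULT_RE = re.compile(r'^conn=(\d+) op=(\d+) RESULT err=(\d+)\b')
RESULT_DN_RE = re.compile(r' dn="([^"]*)"\s*$')


@dataclass
class BindOutcome:
    conn: str
    mech: str                        # "EXTERNAL", "DIGEST-MD5", ... or "simple"
    requested_dn: str                # dn= on the BIND line (empty for SASL)
    err: Optional[int] = None        # err= from the matching RESULT, None if unseen
    bound_dn: Optional[str] = None   # identity the server actually bound as


def analyze_binds(log_text: str) -> list[BindOutcome]:
    """Pair each BIND with its RESULT by (conn, op) and record the bound identity."""
    pending: dict[tuple[str, str], BindOutcome] = {}
    outcomes: list[BindOutcome] = []
    for line in log_text.splitlines():
        m = BIND_RE.match(line)
        if m:
            conn, op, dn, method, mech = m.groups()
            outcome = BindOutcome(conn=conn,
                                  mech=mech if method == "sasl" else "simple",
                                  requested_dn=dn)
            pending[(conn, op)] = outcome
            outcomes.append(outcome)
            continue
        m = RESULT_RE.match(line)
        if m and (m.group(1), m.group(2)) in pending:
            outcome = pending.pop((m.group(1), m.group(2)))
            outcome.err = int(m.group(3))
            dn_match = RESULT_DN_RE.search(line)
            # A SASL RESULT carries the mapped identity in a trailing dn="...";
            # a simple bind's RESULT has none, so fall back to the requested DN.
            outcome.bound_dn = dn_match.group(1) if dn_match else outcome.requested_dn
    return outcomes


def anonymous_external_binds(log_text: str) -> list[str]:
    """Connections whose EXTERNAL bind succeeded (err=0) but bound to no DN."""
    return [o.conn for o in analyze_binds(log_text)
            if o.mech == "EXTERNAL" and o.err == 0 and o.bound_dn == ""]


if __name__ == "__main__":
    for conn in anonymous_external_binds(SAMPLE_LOG):
        print(f"conn={conn}: SASL EXTERNAL completed as anonymous (certificate not mapped)")
```

    The point of keying on the RESULT's trailing dn rather than on err is that certificate mapping failures in this setup are not bind errors: the bind succeeds, just as nobody. Running the check over the server's real access log separates "client presented no certificate or the mapping found no entry" (conn=4 above) from a mapping that worked (conn=5).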

    Nikolay,
    Assuming you mean authentication to your developed application and not the HTML DB facilities, yes you can do that. Take a look at the custom_page_sentry function that appears on this forum in several threads, e.g., Re: NTLM with Cookies ... - is someone there After you change this function to meet your requirements (cookie names, etc.) and compile it in your application's schema, you'd create a new authentication schema and type 'return custom_page_sentry;' into the page sentry function field. Then enter a URL to your site's login page into the Invalid Session URL field. Then make the new authentication scheme the current scheme. Of course, with this solution, you are responsible for making it as secure as you need it to be, preventing cookie forgery/theft, etc.
    Scott

  • Authentication using database accounts (EJB)

    Hi.
    I'm developing a web app (Struts, JSP). Users should log in using their Oracle database accounts (created with CREATE USER ...). Is it possible to accomplish that using EJB? How?
    I've read that I can somehow map application server users to database users using SQL authentication providers. Wouldn't SQL queries made by EJBs then still be executed with the same user every time?

    Normally application servers use a shared login to allow using a shared connection pool, and avoid the cost of logging in and out.
    Are you using JPA or the native TopLink API? Are you using JTA?
    TopLink / EclipseLink have several features for user logins.
    You can use Oracle proxy connections, these allow a shared connection pool to be used, but allow setting a proxy user on the connection.
    See org.eclipse.persistence.config.PersistenceUnitProperties.ORACLE_PROXY_TYPE
    You can also use real database logins with JPA (or ServerSession) through using a JPA EntityManager properties or a ConnectionPolicy.
    See org.eclipse.persistence.config.EntityManagerProperties, org.eclipse.persistence.sessions.server.ConnectionPolicy.
    You also have the option of using a shared login for reads, and a user login for writes.
    If you are using the native API, you can also use DatabaseSessions.
    James : http://www.eclipselink.org

  • How to handle Client Certificate authentication using URLRequest/URLLoader

    Hi All,
    I developed an AIR application which communicates with a server. The protocol used for communication is HTTPS, and the server has a valid certificate.
    So whenever the AIR app communicates with the server, a dialogue box prompts to select the client certificate, just as shown below.
    So what I am looking for is: is any method available to prevent this prompt?
    I have already tried the method of enabling "Don't prompt for client certificate selection when only one certificate exists". Of course this method will work only if one certificate exists, so what if multiple certificates exist?
    How can an AIR application handle that?
    So has anyone found a way to handle this? I am using URLRequest for communicating with the server.
    Here is the code snippet I have used.
    var request:URLRequest = new URLRequest(url);
    request.method = URLRequestMethod.GET;
    var urlLoader:URLLoader = new URLLoader();
    urlLoader.dataFormat = URLLoaderDataFormat.TEXT;
    // the handler functions below are defined elsewhere in the application
    urlLoader.addEventListener(Event.COMPLETE, loaderCompleteHandler);
    urlLoader.addEventListener(Event.OPEN, openHandler);
    urlLoader.addEventListener(HTTPStatusEvent.HTTP_STATUS, httpStatusHandler);
    urlLoader.addEventListener(SecurityErrorEvent.SECURITY_ERROR, securityErrorHandler);
    urlLoader.addEventListener(IOErrorEvent.IO_ERROR, ioErrorHandler);
    urlLoader.load(request); // issues the HTTPS GET (call added; missing from the posted snippet)
    Please help me...
    Thanks
    Sanal

    Yes it is possible. Refer
    Using Certificates for Authentication [http://docs.sun.com/app/docs/doc/820-7985/ginbp?l=en&a=view]
    SSL Authentication section in [http://docs.sun.com/app/docs/doc/820-7985/gdesn?l=en&a=view]
    client-auth element in server.xml [http://docs.sun.com/app/docs/doc/820-7986/gaifo?l=en&a=view]
    certmap.conf [http://docs.sun.com/app/docs/doc/820-7986/abump?l=en&a=view]
    certmap.conf should have verifycert "on", and let's say this certmap is called "cmverify":
    certmap cmverify    default
    cmverify:DNComps
    cmverify:FilterComps    uid
    cmverify:verifycert on
    In server.xml we should have <client-auth> "required", and let's say we have an auth-db named "ldapregular":
    <http-listener>...
      <ssl>...
        <client-auth>required</client-auth>
      </ssl>
    </http-listener>
    <auth-db>
      <name>ldapregular</name><url>ldap://myldap:369/o%3DTestCentral</url>
      <property><name>binddn</name><value>cn=Directory Manager</value></property>
      <property><name>bindpw</name><value>...</value><encoded/></property>
    </auth-db>
    In the ACL file we should have method = "ssl", database = "ldapregular" and certmap = "cmverify":
    # clientauth against LDAP database with special certmap which has verifyCert on
    acl "uri=/";
    authenticate (user,group) {
        prompt = "Enterprise Server";
        method = "ssl";
        database = "ldapregular";
        certmap = "cmverify";
    };
    deny (all) user = "anyone";
    allow (all) user = "alpha,beta,gamma";
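    An added example, not code from this reply or from the SASL EXTERNAL thread above, both of which use the same DNComps / FilterComps / verifycert mapping: this script parses a certmap.conf fragment and derives the LDAP search base and filter that mapping produces for a given certificate subject DN. The rules it encodes are my reading of the documented certmap.conf semantics and are an assumption here: DNComps absent means the whole subject DN is the base; DNComps present but empty means the directory root (whole tree searched); a DNComps list builds the base from those RDNs; FilterComps ANDs the named RDN values, and absent or empty FilterComps gives (objectClass=*). The sample file is constructed from the mapping quoted in the reply.

```python
"""Constructed example: what LDAP search a certmap.conf mapping yields for a
certificate subject DN. Rule semantics are an assumption (see lead-in)."""
from typing import Optional

# Constructed sample, copying the mapping quoted in the reply above.
SAMPLE_CERTMAP = """\
certmap cmverify    default
cmverify:DNComps
cmverify:FilterComps    uid
cmverify:verifycert on
"""


def parse_certmap(text: str) -> dict[str, dict[str, Optional[str]]]:
    """Return {mapping_name: {property: value}}; a property given with no value is ''."""
    maps: dict[str, dict[str, Optional[str]]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        if line.startswith("certmap "):
            _, name, issuer = line.split(None, 2)  # "certmap <name> <issuerDN>"
            maps[name] = {"issuerDN": issuer}
            continue
        name, rest = line.split(":", 1)            # "<name>:<property> [value]"
        parts = rest.split(None, 1)
        maps.setdefault(name, {})[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return maps


def split_dn(dn: str) -> list[tuple[str, str]]:
    """Split a simple DN into (type, value) RDNs; escaped commas are not handled."""
    rdns = []
    for rdn in dn.split(","):
        typ, value = rdn.strip().split("=", 1)
        rdns.append((typ.strip(), value.strip()))
    return rdns


def certmap_search(subject_dn: str, mapping: dict[str, Optional[str]]) -> tuple[str, str]:
    """Derive (search base, search filter) for subject_dn under one certmap mapping."""
    rdns = split_dn(subject_dn)
    if "DNComps" not in mapping:
        base = subject_dn                      # absent: the entire subject DN is the base
    elif not mapping["DNComps"]:
        base = ""                              # present but empty: search from the root
    else:
        wanted = [c.strip().lower() for c in mapping["DNComps"].split(",")]
        base = ",".join(f"{t}={v}" for t, v in rdns if t.lower() in wanted)
    comps = [c.strip().lower() for c in (mapping.get("FilterComps") or "").split(",") if c.strip()]
    if not comps:
        return base, "(objectClass=*)"
    terms = [f"({t}={v})" for t, v in rdns if t.lower() in comps]
    if not terms:
        raise ValueError("subject DN has no RDN named in FilterComps; mapping cannot proceed")
    return base, (terms[0] if len(terms) == 1 else "(&" + "".join(terms) + ")")


def verifies_certificate(mapping: dict[str, Optional[str]]) -> bool:
    """True when verifycert is on, i.e. the presented cert must match userCertificate."""
    return (mapping.get("verifycert") or "off").lower() == "on"


if __name__ == "__main__":
    m = parse_certmap(SAMPLE_CERTMAP)["cmverify"]
    print(certmap_search("uid=xyz,ou=OrgUnit1,ou=OrgUnit2,o=Org", m), verifies_certificate(m))
```

    The derived (base, filter) pair is something to hold against the SRCH line the server actually logs for the connection, since that line shows which mapping the server applied; a search with base "" and filter (uid=xyz) looks very different from a lookup of the full subject DN with (objectClass=*). The verifycert check is what makes the mapping an authentication rather than a name match: with it on, a certificate whose subject merely collides with an existing entry still has to equal the userCertificate value stored there.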
