Configure JAAS login module stack to support x.509 certificates without SSL

I want to use x.509 certificates for authentication against a EP 7.0 but I dont want to have SSL traffic on the network segment where the portal resides. Obviously the SSL must be terminated in an application gateway that sends the certificate to the portal in the header.
I know that AcceptClientCertWithoutSSL must be set to true in the http provider and that ClientCertificateHeaderName is the name of the header variable that contains the users certificate, default is SSL_CLIENT_CERT.
What I dont know is how to configure my JAAS login module stack, my suggestion would be this:
EvaluateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
ClientCertLoginModule OPTIONAL {Rule1.getUserFrom=SSL_CLIENT_CERT}
CreateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
BasicPasswordLoginModule REQUISITE {}
CertPersisterLoginModule OPTIONAL {Rule1.getUserFrom=SSL_CLIENT_CERT}
CreateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
My concern is does the ClientCertLoginModule and the CertPersisterLoginModule read from the header variable? If they dont, is there another login module that should be used in this case?

Hi Claus,
you got the flags right but the options of the login modules (LM) are wrong, so the certificate authentication won't work.
There's two problems I see: (1) Rule1.getUserFrom is not a valid option for the LM CertPersisterLoginModule, and (2) SSL_CLIENT_CERT is not a valid value for the option Rule1.getUserFrom of the ClientCertLoginModule.
Looking at this topic:
http://help.sap.com/saphelp_nw2004s/helpdata/en/ea/301e3e6217b40be10000000a114084/content.htm
the header variable used to pass the certificate is maintained in the HTTP provider service properties but since you use the default you don't need to maintain that part of the config. You also don't need the CertPersisterLoginModule in the config because it is used for automatic certificate mapping, which doesn't work when you don't have SSL to the portal.
So with the above said your LM stack config should look like this:
EvaluateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
ClientCertLoginModule OPTIONAL {Rule1.getUserFrom=wholeCert}
CreateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
BasicPasswordLoginModule REQUISITE {}
CreateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
If this doesn't work I'd suggest opening a support ticket.
Regards,
Yonko

Similar Messages

JAAS login module configuration in Oracle application server

I have a LDAP login module implementing javax.security.auth.spi.LoginModule. This login module works well with tomcat and weblogic, if I configure the JVM arguments -Djava.security.auth.login.config and -Djava.security.policy to pont to the login.conf and access.policy files. The login.conf file has the below content
FREEWAY_SERV
com.wipro.freeway.security.LdapLoginModule required debug=true portal=false;
FREEWAY_PORT
com.wipro.freeway.security.LdapLoginModule required debug=true portal=true;
The application uses these login modules by passing Name of the JAAS configuration (FREEWAY_SERV or FREEWAY_PORT).
I would like to use the same login modules and code in Oracle application sever 10.1.3 and I haven't got any success yet.
Could anybody please help me to get this right?
Thanks in advance.
Message was edited by:
vinayalva

Hi,
in OracleAs bet is to use Enterprise Manager to configure the login module. The LoginModule needs to be configured in the system-jazn-data.xml file, which is located in teh j2ee/home/config directory of the OC4J you use. Enterprise Manager does this all for you.
In your application deployment the orion-application.xml file needs to specify that a custom LoginModule should be used. Again ENterprise Manager does it for you.
To use the LoginModule e.d. for J2EE authentication, just make sure that the application name of the J2EE deployment matches the name of the LoginModule configuration
If you want to use pure JAAS you may have to change the OC4J properties file in the j2ee/home/config directory. Best suggestion to give is to get the online documentation for OC4J security
Frank

Custom JAAS Login Module 9.0.4 configuration problems

Hello,
We have created a custom JAAS Login Module on OC4J 9.0.4 and are having some sort of configuration problem
We always get this error:
Caused by: javax.security.auth.login.LoginException: Login Failure: all modules ignored
     at javax.security.auth.login.LoginContext.invoke(LoginContext.java:779)
     at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
     at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
     at java.security.AccessController.doPrivileged(Native Method)
     at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
     at javax.security.auth.login.LoginContext.login(LoginContext.java:535)
The Login Module is configured for a specific deployed application in the global jazn-data.xml and is being run as I have attached a debugger to the app server.
Our authentication process succeeds and we return a "true" from the login() method. No exceptions are thrown from our Login Module.
our ORACLE_HOME/j2ee/home/config/jazn-data.xml has this added
<application>
<name>helloworld</name>
<login-modules>
<login-module>
<class>com.test.JaasLoginModule</class>
<control-flag>required</control-flag>
<options>
</options>
</login-module>
</login-modules>
</application>
The j2ee/home/application-deployments/helloworld/jazn-data.xml looks like this:
<?xml version="1.0" encoding="UTF-8" standalone='yes'?>
<!DOCTYPE jazn-data PUBLIC "JAZN-XML Data" "http://xmlns.oracle.com/ias/dtds/jazn-data.dtd">
<jazn-data />
and we added this into the j2ee/home/application-deployments/helloworld/orion-applicaton.xml
<jazn provider="XML" location="jazn-data.xml" >
<property name="role.mapping.dynamic" value="true"/>
<property name="custom.loginmodule.provider" value="true"/>
<property name="jaas.username.simple" value="true" />
</jazn>
Are we missing anything? Our code runs, it seems like there is something lacking in the configuration on the OC4J side of things.
Anyone know what we are missing?
Thanks....

Hi,
if you are on 9.0.4 then <property name="custom.loginmodule.provider" value="true"/> shouldn't work because its a parameter of 10.1.3
Frank

How to deploy and configure custom JAAS login module

Dear Experts,
I have created a custom jaas login module, In my .jar I am having
1. MyLoginModule.class
2. Handler.class
3. MyPrincipal.class
I want to know how to deploy the custom jaas module to oc4j. And make available to all
other application to use the same for authentication & authorization. Please suggest me.
Thanks,
Rajesh A

This article does not mention that you can put the <jazn-loginconfig> tag into the orion-application.xml as well.
Much easier to deploy and test.
--olaf

Portal authentication using two login module stacks?

G'day,
I am noticing something odd when I authenticate to the portal: there are two login module stacks used.
Background: I have created a custom logon page, which is basically a form with username/password input as per [this guide|http://help.sap.com/saphelp_nw04/helpdata/en/62/601e1eebf54ca6a97e2873c8c63517/content.htm|Changing the logon screen]. I then modified the authschemes.xml file by defining a new authscheme "mylogon" that uses my own login module stack ("mystack") and uses the new logon page ("mylogonform"). This new authscheme is then made the default reference:
<authscheme name="mylogon">
<authentication-template>mystack</authentication-template>
<priority>21</priority>
<frontendtype>2</frontendtype>
<frontendtarget>com.foo.bar.mylogonpage</frontendtarget>
</authscheme>
<authscheme-refs>
<authscheme-ref name="default"><authscheme>mylogon</authscheme></authscheme-ref>
<authscheme-ref name="UserAdminScheme"><authscheme>mylogon</authscheme></authscheme-ref>
</authscheme-refs>
When I want to access the portal, up pops the "mylogonform" page, and on clicking the "submit" button the portal page for the user is shown.
Now here is the interesting thing: when the "ticket" login module stack is unchanged (ie. it uses the BasicpasswordLoginModule), then the log shows that authentication to the portal uses just my login module.
This can be seen as follows, where I navigate to the portal, logon as one user, then logoff and logon as another user:
Message : LOGIN.OK
User: tu-1
Authentication Stack: mystack
Message : LOGOUT.OK
User: tu-1
Authentication Stack: mystack
Message : LOGIN.OK
User: Administrator
Authentication Stack: mystack
The "mylogonform" page is shown when logon is required in both cases.
However, if I modify the "ticket" login module stack by replacing the BasicPasswordLogonModule with a custom logon module that does automatic authentication, then the following is observed when the "mylogonform" page is displayed:
Message : LOGIN.FAILED
User: N/A
Authentication Stack: ticket
Message : LOGIN.OK
User: tu-1
Authentication Stack: ticket
For some reason, the modified "ticket" login module stack is now being executed, which was not the case when this login module stack was unmodified.
This stack automatically authenticates the current user (the initial failure is because the new login module asks the browser to send authentication data), and this "failure" causes the logon form to be displayed.
I can logon to the portal as the same user, and the logs show that "mystack" login module stack is used:
Message : LOGIN.OK
User: tu-1
Authentication Stack: mystack
Logoff shows that "mystack" is used for the actual logoff, but "ticket" is called again automatically and succeeds:
Message : LOGOUT.OK
User: tu-1
Authentication Stack: mystack
Message : LOGIN.FAILED
User: N/A
Authentication Stack: ticket
Message : LOGIN.OK
User: tu-1
Authentication Stack: ticket
(Again, the initial logon failure is the new login module requesting that the browser send authentication data in the next request).
This brings up the "mylogonform" page, even though it appears that a user has already been authenticated. If I try to logon as another user, the following is shown:
Message : LOGIN.FAILED
User: Administrator
Authentication Stack: mystack
Login Module                                                            Flag        Initialize Login      Commit     Abort      Details
com.sap.security.core.server.jaas.EvaluateTicketLoginModule             SUFFICIENT ok          exception false      true       authscheme not sufficient: basicauthentication<mylogonform
Central Checks                                                                                exception             Call logout before login.
I guess one cannot authenticate as a new user until the current user has been logged out.
So ... why does the "ticket" login module get called in the second case, but not in the first case (or only shows logging in the second case) ?
What is the logic behind portal authentication and showing a logon page?
If I want to use custom authentication and a custom logon page, why is the "ticket" stack called at all?

Jayesh,
there is no such thing like "login module stacks". The <b>do</b> exist on the other hand:
- login module
- logon stacks
Login module and logon stacks are part of the JAAS concept for defining a complex pluggable authentication scheme, original by SUN (see: java.sun.com/products/jaas)
A logon process is defined by a logon stack which itself consists of several login modules. Each login module performs an authentication step. Example:
login module 1: check if valid sap logon ticket provided
if module 1 fails: then login module 2: request user id/password
if module 2 succeeds: then login module 3: create new sap logon ticket for user
You can define multiple logon stacks and configure individual applications to use the one stack or the other.
The logon stack configuration is done using visual administrator. Here select the security provider service for configuring logon stacks.
btw: As logon stacks are "java-only", there are no transaction names (which only exist on Web AS ABAP).
Regards,
Dominik

What is so special about the "ticket" login module stack?

G'day,
I am observing some odd behaviour with login module stacks.
I have a custom login module that performs authentication using information in the HTTP servlet request. This custom login module does not require any interaction from the user. I want to use this custom login module when I authenticate to the portal.
By default, the portal uses an authentication scheme known as "uidpwdlogon", which uses the "ticket" login module stack, which is configured to perform basic password login. When I attempt to access the portal I am presented with a username/password page and I need to enter a username and password, hit the "submit" button, and access to the portal is granted.
So I replaced the BasicPasswordLoginModule entry in the "ticket" login module stack with my custom login module, and now access to the portal is granted automatically, as expected. There is no username/password page displayed.
But if I create a new login module stack that contains exactly the same modules as "ticket" login module stack, and modify the "uidpwdlogon" authentication scheme to use my new login module stack instead of the "ticket" login module stack, then something odd occurs: I am now presented with a username/password page again. I need to hit the "submit" button to navigate away from this page before the custom login module stack will process, which will then grant access to the portal.
If I change the "uidpwdlogon" authentication scheme back to use the "ticket" login module stack (which is exactly the same as the previous login module stack), then access to the portal is granted automatically without showing a username/password page.
So: if the (modified) "ticket" login module stack is used, there's no username/password page shown. If a copy of that login module stack is used, then a username/password page is shown.
What's going on here?

G'day,
Thanks for the reply.
The relevant parts of the authschemes.xml file are as follows:
        <authscheme name="uidpwdlogon">
            <authentication-template>myloginstack</authentication-template>
            <priority>21</priority>
            <frontendtype>2</frontendtype>
            <frontendtarget>com.sap.portal.runtime.logon.certlogon</frontendtarget>
        </authscheme>
        <authscheme-ref name="default">
            <authscheme>uidpwdlogon</authscheme>
        </authscheme-ref>
        <authscheme-ref name="UserAdminScheme">
            <authscheme>uidpwdlogon</authscheme>
        </authscheme-ref>
Note that I have changed the uidpwdlogon element to use "myloginstack" instead of "ticket", and changed the priority from 20 to 21, as suggested (but it should be noted that the outcome is the same regardless of priority).
The "ticket" login module stack is defined as follows:
EvaulateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
MyLoginModule REQUISITE {...}
CreateTicketLoginModule OPTIONAL {ume.configuration.active=true}
and the "myloginstack" is defined identically as follows:
EvaulateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
MyLoginModule REQUISITE {...}
CreateTicketLoginModule OPTIONAL {ume.configuration.active=true}
When the "uidpwdlogon" authentication scheme is configured to use the "myloginstack" login module stack, the browser immediately opens up the normal username/password page. I wait for a few minutes (for logging reasons), then hit submit, and access to the portal is granted.
The log output for this is as follows:
Message : LOGIN.FAILED
User: N/A
Authentication Stack: myloginstack
Login Module                                                            Flag        Initialize Login      Commit     Abort      Details
com.sap.security.core.server.jaas.EvaluateTicketLoginModule             SUFFICIENT ok          false                 true
MyLoginModule                                                           REQUISITE   ok          exception             true       Further authentication required from client
com.sap.security.core.server.jaas.CreateTicketLoginModule               OPTIONAL    ok                                true
Message : LOGIN.OK
User: testuser
Authentication Stack: myloginstack
Login Module                                                            Flag        Initialize Login      Commit     Abort      Details
com.sap.security.core.server.jaas.EvaluateTicketLoginModule             SUFFICIENT ok          false      false
MyLoginModule                                                           REQUISITE   ok          true       true
com.sap.security.core.server.jaas.CreateTicketLoginModule               OPTIONAL    ok          true       true
Central Checks                                                                                true
There are two login stack events because the first login stack event asks the browser to pass along authentication data, which is processed in the second login stack event.
Also note that the time of the first login module event is a few minutes after the username/password page appears, suggesting that the portal is attempting to obtain information before it processes the login module stack.
If I change the "uidpwdlogon" authentication scheme to use the "ticket" login module stack, then no username/password page appears and the security log is essentially identical to that of "myloginstack":
Message : LOGIN.FAILED
User: N/A
Authentication Stack: ticket
Login Module                                                            Flag        Initialize Login      Commit     Abort      Details
com.sap.security.core.server.jaas.EvaluateTicketLoginModule             SUFFICIENT ok          false                 true
MyLoginModule                                                           REQUISITE   ok          exception             true       Further authentication required from client
com.sap.security.core.server.jaas.CreateTicketLoginModule               OPTIONAL    ok                                true
Message : LOGIN.OK
User: testuser
Authentication Stack: ticket
Login Module                                                            Flag        Initialize Login      Commit     Abort      Details
com.sap.security.core.server.jaas.EvaluateTicketLoginModule             SUFFICIENT ok          false      false
MyLoginModule                                                           REQUISITE   ok          true       true
com.sap.security.core.server.jaas.CreateTicketLoginModule               OPTIONAL    ok          true       true
Central Checks                                                                                true
I am creating the "myloginstack" login module stack using the Visual Administrator tool, by clicking the "Add" button for the "Policy Configurations" tab of the SecurityProvider service. Note that when I do this the entry for "myloginstack" gets a diamond icon, while the entry for "ticket" has a different icon (resembling a graph). I do not know what these different icons beside each policy configuration imply (is "ticket" different to "myloginstack" somehow?) nor how to create a new policy configuration that will have different icon.
I assume the username/password page is shown because the <frontendtarget> element in the "uidpwdlogon" authentication scheme is defined to use "com.sap.portal.runtime.logon.certlogon". Perhaps there is another value I can use here that displays nothing and redirects the browser directly to the portal?

Problems deploying custom JAAS login module (ClassNotFound)

Hi,
I've developed a custom made JAAS login module that filters on IP addresse which I am moving from 6.20 to 6.40.
I've pretty much followed the procedures from http://help.sap.com/saphelp_nw04/helpdata/de/46/3ce9402f3f8031e10000000a1550b0/content.htm , the only major difference is that I needed a reference to WebCallback and therefore a reference to com.sap.security.api.sda from my library project.
I've especially followed the step with "Adding a Reference to the Classloader of the Security Provider" (http://help.sap.com/saphelp_nw04/helpdata/de/2b/23e4407211732ae10000000a155106/content.htm) , but I think its this step that fails. This has been set to library:<library name> , where <library name> is what is written on the right hand side of visual admin under library. I see that the library is deployed under the folder bin\ext\customer.com~com.customer.portal.login.IPRuleLibrary   , so maybe I will try that name tomorrow morning.
The exceptions I get are
#1.5#001321B3B106005C0000000800002E380004039375E59BA6#1129831779936#com.sap.engine.services.security#sap.com/irj#com.sap.engine.services.security#Guest#1####ae7c5500419411daa7fd001321b3b106#SAPEngine_Application_Thread[impl:3]_17##0#0#Error#1#/System/Audit#Java###Exception #1#com.sap.engine.services.security.exceptions.BaseSecurityException: Cannot load a login module.
     at com.sap.engine.services.security.login.LoginContextFactory.init(LoginContextFactory.java:95)
     at com.sap.engine.services.security.login.LoginContextFactory.getLoginContext(LoginContextFactory.java:133)
     at com.sap.engine.services.security.server.AuthenticationContextImpl.getLoginContext(AuthenticationContextImpl.java:227)
     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
     at java.lang.reflect.Method.invoke(Method.java:324)
     at com.sap.engine.system.SystemLoginModule.initialize(SystemLoginModule.java:72)
     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
     at java.lang.reflect.Method.invoke(Method.java:324)
     at javax.security.auth.login.LoginContext.invoke(LoginContext.java:662)
     at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
     at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
     at java.security.AccessController.doPrivileged(Native Method)
     at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
     at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
     at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.getLoggedInUser(SAPJ2EEAuthenticator.java:86)
     at com.sapportals.portal.prt.service.authenticationservice.AuthenticationService.getLoggedInUser(AuthenticationService.java:305)
     at com.sapportals.portal.prt.connection.UMHandler.handleUM(UMHandler.java:96)
     at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:186)
     at com.sapportals.portal.prt.dispatcher.Dispatcher$doService.run(Dispatcher.java:522)
     at java.security.AccessController.doPrivileged(Native Method)
     at com.sapportals.portal.prt.dispatcher.Dispatcher.service(Dispatcher.java:405)
     at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
     at com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet.service(InvokerServlet.java:156)
     at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
     at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:295)
     at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:351)
     at com.sap.portal.navigation.Gateway.service(Gateway.java:68)
     at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
     at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:390)
     at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:264)
     at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:347)
     at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:325)
     at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:887)
     at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:241)
     at com.sap.engine.services.httpserver.server.Client.handle(Client.java:92)
     at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:148)
     at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
     at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
     at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
     at java.security.AccessController.doPrivileged(Native Method)
     at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:95)
     at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:159)
Caused by: java.lang.ClassNotFoundException: com.customer.portal.login.IPRuleLoginModule
Found in negative cache
- Loader Info -
ClassLoader name: [common:library:com.sap.security.api.sda;library:com.sap.security.core.sda;library:security.class;library:webservices_lib;service:adminadapter;service:basicadmin;service:com.sap.security.core.ume.service;service:configuration;service:connector;service:dbpool;service:deploy;service:jmx;service:jmx_notification;service:keystore;service:security;service:userstore]
Parent loader name: [Frame ClassLoader]
References:
   library:com.sap.ip.basecomps
   library:core_lib
   common:library:IAIKSecurity;library:activation;library:mail;library:tcsecssl
   library:servlet
   library:sapxmltoolkit
   library:com.sap.mw.jco
   library:com.sap.util.monitor.jarm
   library:j2eeca
   library:opensql
   interface:security
   interface:log
   interface:shell
   interface:keystore_api
   library:ejb20
   interface:webservices
   library:com.sap.guid
   interface:appcontext
   interface:endpoint_api
   interface:resourceset_api
   interface:resourcecontext_api
   common:service:iiop;service:naming;service:p4;service:ts
   interface:ejbcomponent
   interface:container
   interface:visual_administration
   interface:transactionext
   interface:dsr_ejbcontext_api
   service:timeout
   library:tc~jmx
   library:tcSLUTIL
   service:memory
   library:antlr
   library:jdbdictionary
   library:opensqlextensions
   interface:cross
   service:locking
   service:file
Resources:
   C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
ext
security.class
tc_sec_saml_toolkit_api.jar
   C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
services
adminadapter
adminadapter.jar
   C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
services
com.sap.security.core.ume.service
com.sap.security.core.ume.service.jar
   C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
ext
webservices_lib
jaxrpc-api.jar
   C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
ext
com.sap.security.api.sda
com.sap.security.api.jar
   C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
services
dbpool
opensqllib.jar
   C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
services
jmx
jmx_sec.jar
   C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
ext
webservices_lib
jaxm-api.jar
   C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
services
keystore
keystore.jar
   C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
services
security
security.jar
   C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
services
basicadmin
jstartupapi.jar
   C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
ext
security.class
tc_sec_saml_jaas.jar
   C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
services
connector
connectorimpl.jar
   C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
ext
webservices_lib
webservices_lib.jar
   C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
ext
security.class
tc_sec_jaas.jar
   C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
ext
security.class
tc_sec_saml_service_api.jar
   C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
ext
security.class
tc_sec_userstore_lib.jar
   C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
ext
webservices_lib
saaj-api.jar
   C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
ext
com.sap.security.core.sda
com.sap.security.core.jar
   C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
ext
com.sap.security.core.sda
com.sap.security.core.tpd.jar
   C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
ext
security.class
tc_sec_csi.jar
   C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
ext
security.class
tc_sec_ssf.jar
   C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
services
userstore
userstore.jar
   C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
services
dbpool
sqljimpl.jar
   C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
ext
security.class
tc_sec_saml_xmlbind.jar
   C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
ext
security.class
tc_sec_saml_util.jar
   C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
services
dbpool
dbpool.jar
   C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
services
deploy
deploy.jar
   C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
ext
security.class
tc_sec_saml_toolkit_core.jar
   C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
services
jmx
jmx.jar
   C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
ext
security.class
tc_sec_compat.jar
   C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
services
jmx_notification
jmx_notification.jar
   C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
services
configuration
configuration.jar
   C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
services
basicadmin
jstartupimpl.jar
   C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
ext
security.class
tc_sec_https.jar
   C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
services
basicadmin
basicadmin.jar
   C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
ext
security.class
tc_sec_jaas_test.jar
   C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
ext
com.sap.security.api.sda
com.sap.security.api.perm.jar
Loading model: {parent,local,references}
     at com.sap.engine.frame.core.load.ReferencedLoader.loadClass(ReferencedLoader.java:348)
     at com.sap.engine.services.security.Util.loadClass(Util.java:262)
     at com.sap.engine.services.security.Util.loadClassFromAdditionalLoaders(Util.java:204)
     at com.sap.engine.services.security.login.LoginContextFactory.init(LoginContextFactory.java:92)
     ... 45 more
#1.5#001321B3B106005C0000000900002E380004039375E5A109#1129831779936#com.sap.engine.services.security#sap.com/irj#com.sap.engine.services.security#Guest#1####ae7c5500419411daa7fd001321b3b106#SAPEngine_Application_Thread[impl:3]_17##0#0#Error##Java###Cannot load login module class .#1#com.customer.portal.login.IPRuleLoginModule#

Hi,
The problem was solved by using the name customer.com~com.customer.portal.login.IPRuleLibrary for the library (so basically look at the name of your library folder under cluster\j2ee\serverx\bin\ext , not the name reported by visual admin).
Also I was able to modify the properties of the login module runtime, which made me very happy
Dagfinn

JDEV deployment of web app with custom JAAS login module fails

For the first time, I am trying to implement a custom JAAS login module.
JDEV deployment to standalone OC4J only fails when my orion-application.xml is included. The deployment fails with a java.lang.InstantiationException.
This what I have done:
1) Wrote a custom LoginModule called com.whirlpoool.sjtc.jaas.gpa.LDAPLoginModule.
2) Put it and its dependent classes in a jar named sjtcjaas.jar.
3) Put the jar in $ORACLE_HOME\j2ee\home\lib
4) Changed library_path in $ORACLE_HOME\j2ee\home\config\application.xml to
<library path="../../home/lib/scheduler.jar;../../home/lib/sjtcjaas.jar" />
5) Added an orion-application.xml to the JDEV project. (I used an Oracle How-to as a pattern, see below.)
I think I'm close but no cigar, yet. Any help would be appreciated.
Regards,
Al Malin
=============== orion-application.xml ========================================
<?xml version="1.0"?>
<orion-application xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://xmlns.oracle.com/oracleas/schema/orion-application-10_0.xsd" deployment-version="10.1.3.0.0" default-data-source="jdbc/OracleDS" schema-major-version="10" schema-minor-version="0" >
<security-role-mapping name="sr_manager">
<group name="managers" />
</security-role-mapping>
<security-role-mapping name="sr_developer">
<group name="developers" />
</security-role-mapping>
<log>
<file path="application.log" />
</log>

<jazn-loginconfig>
<application>
<name>customjaas</name>
<login-modules>
<login-module>
<class>com.whirlpoool.sjtc.jaas.gpa.LDAPLoginModule</class>
<control-flag>required</control-flag>
<options>
<option>
<name>debug</name>
<value>true</value>
</option>
</options>
</login-module>
</login-modules>
</application>
</jazn-loginconfig>
</orion-application>

Starting OC4J from c:\oc4j\j2ee\home ...
2006-09-07 13:45:28.484 NOTIFICATION JMS Router is initiating ...
06/09/07 13:45:29 Oracle Containers for J2EE 10g (10.1.3.0.0) initialized
2006-09-07 13:45:58.609 NOTIFICATION Application Deployer for aam STARTS.
2006-09-07 13:45:58.640 NOTIFICATION Copy the archive to C:\oc4j\j2ee\home\applications\aam.ear
2006-09-07 13:45:58.656 NOTIFICATION Initialize C:\oc4j\j2ee\home\applications\aam.ear begins...
2006-09-07 13:45:58.656 NOTIFICATION Auto-unpacking C:\oc4j\j2ee\home\applications\aam.ear...
2006-09-07 13:45:58.687 NOTIFICATION Unpacking aam.ear
2006-09-07 13:45:58.687 NOTIFICATION Unjar C:\oc4j\j2ee\home\applications\aam.ear in C:\oc4j\j2ee\home\applications\aam
2006-09-07 13:45:58.750 NOTIFICATION Done unpacking aam.ear
2006-09-07 13:45:58.750 NOTIFICATION Finished auto-unpacking C:\oc4j\j2ee\home\applications\aam.ear
2006-09-07 13:45:58.750 NOTIFICATION Auto-unpacking C:\oc4j\j2ee\home\applications\aam\aam.war...
2006-09-07 13:45:58.750 NOTIFICATION Unpacking aam.war
2006-09-07 13:45:58.765 NOTIFICATION Unjar C:\oc4j\j2ee\home\applications\aam\aam.war in C:\oc4j\j2ee\home\applications\aam\aam
2006-09-07 13:45:58.765 NOTIFICATION Done unpacking aam.war
2006-09-07 13:45:58.765 NOTIFICATION Finished auto-unpacking C:\oc4j\j2ee\home\applications\aam\aam.war
2006-09-07 13:45:58.812 NOTIFICATION Initialize C:\oc4j\j2ee\home\applications\aam.ear ends...
2006-09-07 13:45:58.828 NOTIFICATION Starting application : aam
2006-09-07 13:45:58.828 NOTIFICATION Initializing ClassLoader(s)
2006-09-07 13:45:58.828 NOTIFICATION Initializing EJB container
2006-09-07 13:45:58.828 NOTIFICATION Loading connector(s)
2006-09-07 13:45:58.843 NOTIFICATION application : aam is in failed state
06/09/07 13:45:58 WARNING: Application.setConfig Application: aam is in failed state as initialization failedjava.lang.InstantiationException
Sep 7, 2006 1:45:58 PM com.evermind.server.Application setConfig
WARNING: Application: aam is in failed state as initialization failedjava.lang.InstantiationException
06/09/07 13:45:58 oracle.oc4j.admin.internal.DeployerException: java.lang.InstantiationException
06/09/07 13:45:58 at oracle.oc4j.admin.internal.ApplicationDeployer.addApplication(ApplicationDeployer.java:510)
06/09/07 13:45:58 at oracle.oc4j.admin.internal.ApplicationDeployer.doDeploy(ApplicationDeployer.java:191)
06/09/07 13:45:58 at oracle.oc4j.admin.internal.DeployerBase.execute(DeployerBase.java:93)
06/09/07 13:45:58 at oracle.oc4j.admin.jmx.server.mbeans.deploy.OC4JDeployerRunnable.doRun(OC4JDeployerRunnable.java:52)
06/09/07 13:45:58 at oracle.oc4j.admin.jmx.server.mbeans.deploy.DeployerRunnable.run(DeployerRunnable.java:81)
06/09/07 13:45:58 at EDU.oswego.cs.dl.util.concurrent.PooledExecutor$Worker.run(PooledExecutor.java:814)
06/09/07 13:45:58 at java.lang.Thread.run(Thread.java:595)
06/09/07 13:45:58 Caused by: java.lang.InstantiationException
06/09/07 13:45:58 at com.evermind.server.ApplicationStateRunning.initDataSources(ApplicationStateRunning.java:1424)
06/09/07 13:45:58 at com.evermind.server.ApplicationStateRunning.initializeApplication(ApplicationStateRunning.java:195)
06/09/07 13:45:58 at com.evermind.server.Application.setConfig(Application.java:391)
06/09/07 13:45:58 at com.evermind.server.Application.setConfig(Application.java:308)
06/09/07 13:45:58 at com.evermind.server.ApplicationServer.addApplication(ApplicationServer.java:1771)
06/09/07 13:45:58 at oracle.oc4j.admin.internal.ApplicationDeployer.addApplication(ApplicationDeployer.java:507)
06/09/07 13:45:58 ... 6 more
2006-09-07 13:45:58.890 NOTIFICATION Application Deployer for aam FAILED.
2006-09-07 13:45:58.890 NOTIFICATION Application UnDeployer for aam STARTS.
2006-09-07 13:45:58.906 NOTIFICATION Removing all web binding(s) for application aam from all web site(s)
2006-09-07 13:45:59.015 NOTIFICATION Application UnDeployer for aam COMPLETES.
06/09/07 13:45:59 WARNING: DeployerRunnable.run java.lang.InstantiationExceptionoracle.oc4j.admin.internal.DeployerException: java.lang.InstantiationException
at oracle.oc4j.admin.internal.DeployerBase.execute(DeployerBase.java:126)
at oracle.oc4j.admin.jmx.server.mbeans.deploy.OC4JDeployerRunnable.doRun(OC4JDeployerRunnable.java:52)
at oracle.oc4j.admin.jmx.server.mbeans.deploy.DeployerRunnable.run(DeployerRunnable.java:81)
at EDU.oswego.cs.dl.util.concurrent.PooledExecutor$Worker.run(PooledExecutor.java:814)
at java.lang.Thread.run(Thread.java:595)
Caused by: java.lang.InstantiationException
at com.evermind.server.ApplicationStateRunning.initDataSources(ApplicationStateRunning.java:1424)
at com.evermind.server.ApplicationStateRunning.initializeApplication(ApplicationStateRunning.java:195)
at com.evermind.server.Application.setConfig(Application.java:391)
at com.evermind.server.Application.setConfig(Application.java:308)
at com.evermind.server.ApplicationServer.addApplication(ApplicationServer.java:1771)
at oracle.oc4j.admin.internal.ApplicationDeployer.addApplication(ApplicationDeployer.java:507)
at oracle.oc4j.admin.internal.ApplicationDeployer.doDeploy(ApplicationDeployer.java:191)
at oracle.oc4j.admin.internal.DeployerBase.execute(DeployerBase.java:93)
... 4 more
2006-09-07 13:45:59.031 WARNING java.lang.InstantiationException

Urgent: JAAS Login Module Deployment Problem

Hi,
I have developed a JAAS Login module for the portal (EP6 SP9 sneak preview) and i am getting the following error:
GroupAssignmentLoginModuleLibrary does not exist in LoadContextWrapper.modifyName.
com.sap.engine.services.security.exceptions.BaseSecurityException: Can not load a login Module
The next line is a ClassNotFoundException for the Login Module and the class found in negative cache.
Please let me know if you know the solution to this problem.
It is an urgent issue and a solution will be suitably rewarded.
Regards,
Vibhu

Hi Diego,
Scenario 1: SAP EP to SAP Backend Integration
      In this scenario the most commonly used strategy
      is SAP logon tickets. As far as I know this is the
      best and simple way to implement SSO.
Scenario 2: SAP EP to Non SAP systems.
      In this scenario various mechanisms can be used.
      It depends on the application you are integrating
      with. SAP does deliver SSO soultions with Lotus
      Notes and Outlook etc. If supported probably it is
      simple to use the SAP solution [Reliability and
      Support].
Scenario 3: Enterprise Uses third party authetication
      Software.
      For the authntication if the company chooses to use
      some third party product like SiteMinder etc, then
      you can simply use this solution for SAP EP authe-
      tication, and also all your other enterprise
      applications based on the product support. But SAP
      EP to other SAP systems be best integrated with SAP
      logon tickets.
Scenario 4: SSO using homegrown authetication or some
      third party JAAS module.
      If you have significant applications that are home
      grown that uses some custom authentication mecha-
      nism (Example: Authentication based on ID and
      Password stored in company database ) you can write
      a JAAS module extention to authenticate using that
      database. In other words JAAS is flexible and
      for using external authentication mechanisms.
There are several mechanisms available that all depends
on your internal applications/security mechanism/integration etc.
Here is the link to one of the good articles on SDN about the SAP supported SSO mechanisms.
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/uuid/58094632-0301-0010-a391-fc0de26f010e
Hope this information is useful.
-Venkat Malempati

GlassFish, JAAS Login Module - get remote ejb clien IP address

How to get remote ejb client IP in my custom JAAS login module if I use Glassfish?
Edited by: NoName on Sep 23, 2009 4:06 AM

Hi,
Try configuring wdisp/add_xforwardedfor_header in web dispatcher as described here:
http://help.sap.com/saphelp_nw04/helpdata/en/de/89023c59698908e10000000a11402f/content.htm
And configuring ClientIpHeaderName on the java server as described here:
http://help.sap.com/saphelp_nw04/helpdata/en/52/46f6a089754e3a964a5d932eb9db8b/content.htm
Regards,
Maria

Create new JAAS login module & have to deploy in OC4J

Dear Experts,
Is it possible to create number of user roles under the group oc4jadmin. Then have to assign task for each user in group. please suggest me.
Thanks,
Rajesh
Edited by: Rajesh A on Mar 12, 2009 10:15 AM
Edited by: Rajesh A on Mar 12, 2009 6:48 PM

h5. James,Anirudh
Is it possible to define new JAAS module that would first check with Oracle DB & then check with LDAP directory. Actually my requirement was to authenticate user with the help of backends. Here backend denotes both Oracle DB & LDAP. In the sense when user enters valid id & password it checks for existence in DB & if exist DB returns a new value (role) then have to check new value with LDAP( what are the privileges available for specified role & who is the superior for the same). The details maintaining in LDAP are dynamic so we cant able to move into DB. Every process involving here is automatic in the sense no external server connection should provide for authentication. The custom login module should be deploy in same OC4J container. Always available as service. I want to know about the following
1) How to define costom JAAS login module
2) How to configure coutom JAAS login module over OC4J
3) How to make use of it
Thanks,
Rajesh

JAAS login module

Hello all, I'm having a problem with authentication. I hava a jaas Login Module that authenticates users against a db. After some work I could configure it and got it working. But, even my Login Module works fine, after validating an user I get the exception:
Caused by: com.sap.engine.services.security.exceptions.BaseLoginException: User not authorized.
at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:223)
at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:324)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
at com.lumina.security.jaasrbac.SecurityFacade.authenticate(SecurityFacade.java:119)
... 51 more
Caused by: com.sap.engine.services.security.exceptions.BaseLoginException: User is locked.
at com.sap.engine.services.security.server.jaas.CheckAction.checkUserLockStatus(CheckAction.java:181)
at com.sap.engine.services.security.server.jaas.CheckAction.run(CheckAction.java:58)
at java.security.AccessController.doPrivileged(Native Method)
at com.sap.engine.services.security.server.jaas.LoginModuleHelperImpl.checkUserLockStatus(LoginModuleHelperImpl.java:116)
at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:175)
... 63 more
This happens after my login module is invoked and succeeds authenticating an user.
Is it really necessary to have a copy of the user data in the UME store?
Thanks,
Juan Manuel

Hi Bhavik,
You have to use the VisualAdministrator tool.
These are the steps I did (or I think I did):
    1) I created a library whith Developer Studio which contained the Login Module implementing class and its dependencies.
    2) Deployed it to J2EE engine
    3) Using Visual Administrator go to security provider (J2E/Server0/services)
    4) Click UserManagement tab
    5) Click Manage Security Stores button
    6) Click Add Login Module button
    7) Click Ok in the first dialog that appears
    8) Fill the required data in the add Login Module dialog (className of the Login Module implementation,disply name, description and options (if any, iex: debug=true)
    9) Click Ok
    10)Click policy Configurations tab
    11) Click add button (bottom of the component's panel)
    12) Enter the name for the new policy configuration (I think it must be the same name you use in your application code when you refer to the login module) and click ok
    13) Now, the new configuration appears in the components list. Click on it
    14) Click 'add new' button which is at the bottom of the authentication tab (right panel)
    15) Select the login module you created in 8) and click ok
    16) In the authentication tab appears the login module you have created. There you can the right flag you desire for your login module (optional, required, requisite,sufficient)
    17) Click the Properties tab next to Runtime tab
    18) Click on property LoginModuleClassLoaders
    19) Modify this property value to: library:libraryName (where libraryName is the name you deployed your login module library classes in step 2) )
    20) Restart J2EE engine
Regards,
Juan Manuel

JAAS Login Module Redirect to Iview

I am having some difficulty getting a redirect to an Iview to work in our custom JAAS Login Module. This code works in our current production environment, using Portal version EP6.0 SP2 Patch 35:
callbacks[0] = new com.sap.security.api.logon.WebCallback();
HttpServletResponse rsp = ((WebCallback) callbacks[0]).getResponse();
rsp.sendRedirect(this.changepasswordurl + this.username); //get url from property
But this nearly identical code is not working in our development environment, running NetWeaver:
WebCallback wcb = new WebCallback ();
this.callbackHandler.handle(new Callback [] {wcb});
HttpServletResponse rsp = wcb.getResponse();
myLoc.infoT("URL: " + this.changepasswordurl + this.username);
rsp.sendRedirect(this.changepasswordurl + this.username); //get url from property
When the rsp.sendRedirect statement is executed, I get a stack dump:
#1.5#00306EF4D7AD0048000000550000576000040C5F45EBE199#1139503241315#com.nike.portal.auth.PortalLoginModule#sap.com/irj#com.nike.portal.auth.PortalLoginModule#Guest#192####cd56b800998a11da8f7300306ef4d7ad#SAPEngine_Application_Thread[impl:3]_9##0#0#Info##Plain###URL: https://dev.XXXXX.com/irj/servlet/prt/portal/prtroot/pcd!3aportal_content!2fnikeconnect!2fiviews!2fcommon!2fMyInfo!2f1-com-nike-iv_b2s-change-password?userid=ncportal02@yahoo.com#on!2fMyInfo!2f1-com-nike-iv_b2s-change-password?userid=ncportal02@yahoo.com#
#1.5#00306EF4D7AD0048000000570000576000040C5F45EC2971#1139503241326#com.sap.engine.services.security#sap.com/irj#com.sap.engine.services.security#Guest#192####cd56b800998a11da8f7300306ef4d7ad#SAPEngine_Application_Thread[impl:3]_9##0#0#Error##Java###Error in some of the login modules.
[EXCEPTION]
#1#com.sap.engine.services.security.exceptions.BaseLoginException: Error in some of the login modules.
        at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:149)
        at java.security.AccessController.doPrivileged(Native Method)
        at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:153)
        at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
        at sun.reflect.GeneratedMethodAccessor260.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:324)
When I cut the exact URL being redirected to from the trace log and paste it into a browser, it goes to the page just fine.
Can anyone suggest a different method of performing a redirect from withing my JAAS Login Module in NetWeaver? I'm thinking maybe I'm not getting the response object properly - any ideas?
Thank you...
Dave

Thanks for the pointers. We were able to get an SAP developer to take a look at this and he coded up this solution, which takes what you suggested and filled in all the blanks. I am baffled as to how I would have figured this out on my own (like the RESPONSE_CODE value of 302), given the limited documentation around the HttpCallback. We haven't had the opportunity to try this yet - I'll respond with a new post either way to let you know. Anyway, here's the code snippet for how to perform a redirect:
In the custom JAAS Login Module:
setRedirect(callbackHandler, this.changepasswordurl);
This is the setRedirect method:
private void setRedirect(CallbackHandler ch, String redirectURL)
      throws IOException, UnsupportedCallbackException
    HttpSetterCallback setRCodeCB = new HttpSetterCallback();
    setRCodeCB.setType(HttpCallback.RESPONSE_CODE);
    setRCodeCB.setName("Moved Temporarily");
    setRCodeCB.setValue("302");
    HttpSetterCallback setRedirCB = new HttpSetterCallback();
    setRedirCB.setType(HttpCallback.HEADER);
    setRedirCB.setName("Location");
    setRedirCB.setValue(redirectURL);
    Callback[] cbSetter = new Callback[2];
    cbSetter[0] = setRCodeCB;
    cbSetter[1] = setRedirCB;
    ch.handle(cbSetter);

JAAS Login Module development/deployment - getting en error

Guys,
I have developed a JAAS Login Module (as per the SAP documentation) and configured the J2EE Engine (as per the SAP documentation) for this module to sit amongst several other standard modules, but I have a problem. I am unable to get the Module working on one portal instance and I am getting an error in the default.trc file when the server restarts after SDM deployment.
The error is: "cannot load login module class....... java.lang.ClassNotFoundException........"
The whole thing works on another instance of EP6 SP16,17 and 18..... however it does not work on this one completely separate instance (there probably are configuration difference between these instances!)
Im not quite sure, given this set of circumstances, what could be causing the Login Module not to load. Which part of the configuration of the J2EE engine should I look in, something perhaps overlooked in the documentation?
Thanks
Adrian

With some help I have now solved this.
In the properties tab of Security Provider, the reference to your login module in the classloader needs to be prefixed with library:~<provider>. For the default SAP example the provider in com.sap...... or whatever you have changed it to.

JAAS Login module SOAP

Hi all,
Im developing a new JAAS login module which will use Apache's Axis API to call a remote SOAP server.
During the development process, I added the Axis library by using the classic Java Build path=> libraries on Sap Netweaver developer Studio.
The compilation, the deployment of the SDA and the configuration via Visual Admin are working well.
But when I tried to authenticate on the SAP EP through this module, Ive got the following error message:
java.lang.NoClassDefFoundError: org.apache.axis.client.Service
In my opinion, it seems that the Apache Axis API (jar files) is not present on the SAP EP.
Is there any way to add external libraries like Apache Axis API (jar files) on the SAP EP?
Is there any way to add external libraries like Apache Axis API (jar files) on the sda generated by Sap Netweaver developer Studio?
Thanks,

Hi,
can't you add the Axis libs to the SDA? In the file server/provider.xml you have the possibility to add jars via the NWDS.
HTH
Daniel

Configure JAAS login module stack to support x.509 certificates without SSL

Similar Messages

Maybe you are looking for