Custom Access Gate for tomcat in solaris 10 AMD 64

I need to write a custom AccessGate in Java without installing the AccessServer SDK on a Solaris 10 AMD64 server. Is it possible?

NO. You must install the ASDK on a supported platform and configure the AccessGate and policy to be able to develop an access gate.

Similar Messages

  • Custom Access Gate for 2FA authentication

    Hello OAM Gurus,
    I am trying to build a custom AccessGate which can authenticate a user using our 2FA technology for a protected resource accessed initially. I have written a servlet to do this, wherein I am expecting that when the user tries to access the protected resource the user will be redirected to this servlet. The custom AccessGate will be running on a separate server under a J2EE container. The problem has been twofold.
    1. I am unable to figure out how do I protect a resource (create a policy) on a web server which will be protected by my access gate.
    2. In My servlet how will I get the URL for the protected resource. I initially assumed that it should be referer.
    Here is the flow that I am looking at:
    User goes to a protected resource on a web server --> redirected to my servlet --> performs 2FA --> Servlet checks if user is authorised to access the resource --> redirect the user to the resource .
    Can somebody please help.
    Thanks,
    Gunjan

    Henrik,
    there is no SDK for OAM 11g so far, this might come in one of the next patch sets.
    You could resort to integrate with OAAM.
    --olaf

  • Custom access gate

    I wrote a custom access gate for j2ee application (servlet filter). When I create a resource object, I use request URI, is it correct?
    ObResourceRequest resource = new ObResourceRequest("http", request.getRequestURI(), request.getMethod());
    The reason I am asking is that in the developer's guide they have a sample which uses (accidentally or not) following syntax- //server/uri (with no port)
    Thanks,
    -Alex

    Actually, URI and URL are quite similar (see RFC 3986). You must provide the string that should match in OAM by combining the host identifier and the protected resource.
    Example:
    ${host_identifier}${protected_resource}
    eg. host_identifier = http://forums.oracle.com:80
    host_identifier = http://10.10.10.10:80
    protected_resource = /forums/post!reply.jspa?messageID=9186341
    eg. http://forums.oracle.com:80/forums/post!reply.jspa?messageID=9186341
    eg. http://10.10.10.10:80/forums/post!reply.jspa?messageID=9186341
    HTH,
    --olaf

  • Example of Certificate based authentication scheme using Custom Access Gate

    Can anyone provide me an example using Certificate authN scheme w/ Custom Access Gate. The developers guide has no examples of such. Thanks.

    Hi there
    I've got to get this working as well.
    In my case I've got to have both the user/password authentication OR certificate based.
    The thing is, the documentation says that I need to have the containers (don't know if both the am server and the agent containers or only one of them ) with SSL and "Client Authentication enabled"... now the problem is, when I make it Client Authentication Enabled the container gives me a similar error to the one you described, this is because the server requests the browser to send a certificate when trying to access the server .....
    Can you give me any pointers to how this is supposed to be done? I would really appreciate help with this.
    Thanks
    Rp

  • Custom Login Module for Tomcat to protect apps using Oracle Access Manager

    Hi all,
    I have the following scenario.
    A web application deployed in Tomcat is to be protected using OAM. One solution is to use an Access Gate, though we have another alternative: a proxy in front of Tomcat with a WebGate. Now I am implementing the Access Gate solution.
    So, when the user clicks the tomcat application, then the prompt (BASIC) appears for login details. custom login module should kick in and take those login details and authenticate against OAM using Access SDK API.
    I have created access gate profile and installed Access SDK. Ran the ConfigureAccessGateTool as well.
    I did some research googling for login module. I came to know that we need to write a custom realm for it. So, this realm implementation involves specifying role-name etc., in web.xml where the role-name would have been defined in tomcat-users.xml.
    This means that the user trying to authenticate against OAM has to have some roles defined in Tomcat to log in. I did not understand the flow end to end as to how this will work.
    Please let me know if anybody has done this kind of customization.
    Thanks,
    Mahendra.

    Hi Ambarish,
    Initially I thought of implementing the way you suggested in Option 2.
    But there will be various redirections when we use option 2, as the login page should redirect to a page where the OAM authentication and authorization stuff has to be handled. And accordingly we have to redirect to specific pages upon successful atn and atz. Hence, I opted to use a Custom Login Module.
    However, I have been trying Option 2 now. In web.xml, I have specified a login page with FORM scheme. The login redirects it to another page say OAM_Authentication_Handler.jsp. Here we code which serves atn and atz. Upon doing this, I have observed that the protected resource in OAM is not getting evaluated using the method
    String ms_protocol = "http";
    String ms_method = "GET";
    String ms_resource = "http://localhost:8080/FormLogin/private.jsp";
    ObResourceRequest rrq = new ObResourceRequest(ms_protocol, ms_resource, ms_method);
    The method rrq.isProtected() is returning false, which implies it is unprotected. I have tested the resource using Access Tester and it results in the expected behaviour.
    Is there any limitation here by using this approach?
    Any ideas?
    Thanks,
    Mahendra.

  • Query on Access gate

    I have the following requirement :
    The requested protected URL is having the UserId as a query string and this has to be matched with UserId of logged-in user after authentication.
    So could you please suggest which is the approach I need to follow:
    1. Create a custom access gate which can do the authentication and also implement the logic of comparison.
    or
    2. Install a webgate and configure the redirect url to a servlet which can process the request and compare the userid in the requested URL and the logged in userid and subsequently redirect to the originally requested page.

    My suggestion is that the only reasonably secure way to approach this is to write a custom authZ plugin that will only authorize the request when the querystring param matches the profile attribute. I've seen similar things done to enforce user-specific content in the URI or querystring. With this approach, you can consume the authZ processing decision via either WebGate or AccessGate equally.
    If you are working in the context of a servlet filter (for example) then you could, as you suggest, have OAM WebGate populate a header variable with the ID and write some comparison logic around that. I suspect you'll find various security concerns with this depending on how you are set up. All depends how critical the security is for you.
    Go with the authZ plugin if security is the primary driver.
    Mark
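
The comparison discussed in this thread for the servlet-filter case, as an added example that is not part of the original posts and is not Oracle code. It assumes the query-string parameter is named `UserId` and that the authenticated ID is supplied by the access system (not taken from the URL); it denies the request when the parameter is missing, repeated or undecodable.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

/** Added example: allow a request only if its UserId parameter names the logged-in user. */
public class UserIdBinding {

    // Assumption: the query-string parameter that carries the user ID.
    static final String PARAM = "UserId";

    /**
     * Returns every decoded value of PARAM in a raw (still percent-encoded) query string.
     * Names are matched case-insensitively on purpose, so "userid=..." counts as a
     * second occurrence instead of slipping past the check.
     */
    static List<String> valuesOf(String rawQuery) {
        List<String> values = new ArrayList<>();
        if (rawQuery == null || rawQuery.isEmpty()) {
            return values;
        }
        for (String pair : rawQuery.split("&")) {
            int eq = pair.indexOf('=');
            String rawName = eq < 0 ? pair : pair.substring(0, eq);
            String rawValue = eq < 0 ? "" : pair.substring(eq + 1);
            // URLDecoder throws IllegalArgumentException on a malformed %-escape.
            String name = URLDecoder.decode(rawName, StandardCharsets.UTF_8);
            if (name.equalsIgnoreCase(PARAM)) {
                values.add(URLDecoder.decode(rawValue, StandardCharsets.UTF_8));
            }
        }
        return values;
    }

    /**
     * authenticatedUserId must come from the access system (for example the profile
     * attribute behind the validated session), never from the request URL itself.
     */
    static boolean isAllowed(String rawQuery, String authenticatedUserId) {
        if (authenticatedUserId == null || authenticatedUserId.isEmpty()) {
            return false; // no authenticated identity: fail closed
        }
        List<String> values;
        try {
            values = valuesOf(rawQuery);
        } catch (IllegalArgumentException malformed) {
            return false; // undecodable query string: fail closed
        }
        if (values.size() != 1) {
            return false; // missing or repeated parameter: ambiguous, deny
        }
        // Exact match; whether IDs are case-insensitive in the directory is a
        // deployment decision and is not assumed here.
        return values.get(0).equals(authenticatedUserId);
    }

    public static void main(String[] args) {
        // Constructed sample requests; "jdoe" is the authenticated user in each case.
        String[] queries = {
            "UserId=jdoe&page=2",
            "UserId=asmith&page=2",
            "UserId=jdoe&UserId=asmith",
            "userid=asmith&UserId=jdoe",
            "page=2",
            "UserId=%zz"
        };
        for (String q : queries) {
            System.out.println(q + " -> " + (isAllowed(q, "jdoe") ? "allow" : "deny"));
        }
    }
}
```

The class uses only the JDK, so it runs as a single source file with `java UserIdBinding.java` on Java 11 or later.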

  • How to make the Access Gate SDK work with Web Gate

    When we want to control the display of one area in one page, we can define this area as one resource and then control access to it. But when the user has been authenticated in the application, how can we get the user session and then call the Access Gate SDK to check if the user is authorized? The following is one utility class to achieve it.
    /*
     * $Id: CreateUserAction.java,v 1.1 2005/10/11 23:19:34 jason Exp $
     * $Revision: 1.1 $
     * $Date: 2005/10/11 23:19:34 $
     *
     * Copyright (C) 1972 - 2005, Oracle Co. All Rights Reserved
     * The program(s) herein may be used and/or copied only with
     * the written permission of Oracle Co. or in accordance with
     * the terms and conditions stipulated in the agreement/contract
     * under which the program(s) have been supplied.
     */
    package oblix.view;

    import com.oblix.access.ObAccessException;
    import com.oblix.access.ObConfig;
    import com.oblix.access.ObResourceRequest;
    import com.oblix.access.ObUserSession;
    import javax.servlet.http.Cookie;
    import javax.servlet.http.HttpServletRequest;

    /**
     * @author zhoujian
     */
    public class OblixUtil {
        private static String ObSSOCookie = "ObSSOCookie";

        private OblixUtil() {
        }

        /**
         * Check if the user is authorized (HTTP GET on the given resource URL).
         * @param request
         * @param resourceUrl
         * @return true only if the session in the ObSSOCookie is authorized
         */
        public static boolean isAuthorized(HttpServletRequest request,
                String resourceUrl) {
            return isAuthorized(request, "http", resourceUrl, "GET");
        }

        /**
         * Check if the user is authorized.
         * @param request
         * @param resourceType
         * @param resourceUrl
         * @param resourceMethod
         * @return true only if the session in the ObSSOCookie is authorized
         */
        private static boolean isAuthorized(HttpServletRequest request,
                String resourceType, String resourceUrl, String resourceMethod) {
            try {
                ObConfig.initialize();
                ObResourceRequest resource = new ObResourceRequest(resourceType,
                        resourceUrl, resourceMethod);
                ObUserSession session = getObUserSession(request);
                // No ObSSOCookie means no authenticated session: deny.
                if (session == null) {
                    return false;
                }
                return session.isAuthorized(resource);
            } catch (ObAccessException oe) {
                oe.printStackTrace();
                ObConfig.shutdown();
                return false;
            }
        }

        /**
         * Get the Oblix user session from the request.
         * @param request
         * @return the session built from the ObSSOCookie, or null if there is no cookie
         * @throws ObAccessException
         */
        private static ObUserSession getObUserSession(HttpServletRequest request)
                throws ObAccessException {
            String token = getCookieValueByName(request.getCookies(), ObSSOCookie);
            if (token != null) {
                return new ObUserSession(token);
            }
            return null;
        }

        private static String getCookieValueByName(Cookie[] cookies, String name) {
            // getCookies() returns null when the request carries no cookies.
            if (cookies == null) {
                return null;
            }
            for (int i = 0; i < cookies.length; i++) {
                if (cookies[i].getName().equalsIgnoreCase(name)) {
                    return cookies[i].getValue();
                }
            }
            return null;
        }
    }

    Couple of options. You seem to have taken the Access Gate based approach. I will throw this in anyway and you can make a call on which one you want to use.
    If it's a web application you can control authorization based on Resource by defining policy in the Access Manager.
    You mentioned about display of one area in one page. That should be driven off of User attribute or custom logic. If it is driven off of User attribute then you can return a header variable and you can check it in the code as opposed to writing a custom access gate.
    Now if you do want to write a custom access gate when the resource is already protected by a WebGate,
    you can get the ObSSOCookie from the user's browser session.
    You can pass the URL to the IsAuthorized method and call.
    Now here you have to install the Access Server SDK on the server, create a custom access gate and then write the code and deploy it on that server.
    Thanks
    Ram

  • Multiple access gates with one ASDK

    Hello All,
    We have an ASDK installed on an application and configured an access gate to talk to OAM1 with datastore1. Now we have OAM2 with datastore2 and need this application to talk to the OAM2. OAM1 and OAM2 handle different sets of users.
    Can we install another access gate on the same ASDK and talk to OAM2? If not please suggest the best way to provide SSO with both OAMs to the application?
    Thanks in advance.

    IDMGod,
    I tried setting the environment variables, oracle doc below says
    http://download.oracle.com/docs/cd/E15217_01/doc.1014/e12491/as_api.htm#CHDFCJEI
    OBACCESS_INSTALL_DIR = SDK_install_dir
    Points to the Access Manager SDK install root. (This is necessary only if your AccessGate does not specify SDK_install_dir as part of the ObConfig.initialize method).
    From what I understood, this needs to be changed by defining the parameters in the ObConfig.initialize method. Since I already have Access Gate1 configured, is it possible to change this value for that Access Gate? If so, where can I find this method in AccessGate1? (I used the configureaccessgate utility for this; there is no custom code used in this AccessGate.)
    When I install Access Gate2, do I need to write custom access gate code as mentioned in the examples in the above doc? or can I use the out of box access gate by running the configureaccessgate utility?
    Thank you.

  • Access gate SDK, authentication and issues/bug

    I have been trying to test authentication against CORE ID using the access gate SDK for java and following the samples that installed with the SDK.
    I simulate user account lock-out and pwd to expire ( in two days) situations. Doing the form based access server authentication, I am able to see the error messages and in the case of locked a/c, it doesn't log me in.
    Using access gate SDK, it successfully creates a ObUserSession object for the protected resource, shows user as LOGGED_IN and the getStatus() returns normal. There is no indication of the actual status of the user account on the server !
    It does, catch the actual pwd expired status, as mentioned in the documentation.
    Is there anything missing here ?


  • How to make the Access Gate work

    I have been following the developer's guide to write an access gate. My application (simple HTML) is running on JBoss, and I want to protect this resource using the access gate. JAccessGate.java is working fine; however, the access gate is not intercepting the resource request.
    How do I configure JBoss with the Access Server so that the Access Gate processes the request?
    The servlet example isn't working ... constants.REQUEST isn't being recognised despite adding all the packages.
    It would be helpful if someone could share the steps to achieve this.
    That apart, any idea about how the reverse proxy works?
    thanks and regards
    Edited by: user642640 on Jun 6, 2009 4:14 AM


  • How to install webgate on tomcat with solaris 10 AMD 64bits?

    Hi Experts
    I need to install a WebGate on the Tomcat web server, but I found that installation is not possible because there is no WebGate for Tomcat. Many people recommended installing a reverse proxy with Apache or OHS, but I can't find a WebGate installer for Solaris 10 AMD 64-bit.
    Does that version of WebGate exist, or is there a workaround?
    What is your suggestion?

    Choose the web server and the WebGate from the OAM support matrix.
    If OAM does not have WebGate for the platform where you have tomcat installed, if it is an option, you can install a webserver and WebGate on any OAM supported OS and configure Reverse Proxy. WebGate does not need to be on the same server/machine or on same platform.

  • Custom File Extension for Microsoft Access Text Driver (*.txt, *.csv)

    I'm trying to use a custom file extension for the Microsoft Access Text Driver (*.txt, *.csv) driver.
    I have updated the FileExtns registry to have my new extension.
    When I issue the following it does not work.
    select [NoName] 
    from openrowset('MSDASQL'
               ,'Driver={Microsoft Access Text Driver (*.txt, *.csv)};
                    DefaultDir=c:\filedir'
               ,'select * from "file.lst"')
    If I make the file a .csv it works fine.  However, if it has an extension of not CSV or TXT (in this case .lst, which is in the registry setting) extension it throws the following error and cannot seem to find a solution to it. 
    OLE DB provider "MSDASQL" for linked server "(null)" returned message "[Microsoft][ODBC Text Driver] Cannot update. Database or object is read-only.". Msg 7350, Level 16, State 2, Line 1 Cannot get the column information from
    OLE DB provider "MSDASQL" for linked server "(null)".
    In addition, (although I can probably find this elsewhere), I need to have the first line 'BLANK' so that it does not miss data (there is no header row).  Is there  a way to use OPENROWSET without BULK to basically include all rows as data?
    Any help is appreciated.

    Hi,
    According to your description, I did a test with your script, and got the same message as in your post. Usually, by default, the Microsoft Access Text Driver (*.txt, *.csv) supports four file extensions: *.asc, *.csv, *.tab, *.txt. To solve this issue, I recommend you try to save the LST file in one of the above formats, then use OPENROWSET to get data from the supported file in SQL Server.
    In addition, the OPENROWSET function is mainly used to retrieve remote data from an OLE DB data source; when you use OPENROWSET without BULK, provider_name is a necessary parameter in the script. However, OPENROWSET(BULK...) is mainly called from a SELECT…FROM clause within an INSERT statement, when importing bulk data from a data file into a SQL Server table. Thus if you need to import bulk data, you should use the basic syntax: INSERT ... SELECT * FROM OPENROWSET(BULK...); there are also some alternatives, such as BULK INSERT and BCP.
    Thanks
    Lydia Zhang

  • Instant client for Solaris AMD x64

    Hi,
    I am desperately looking for OCI instant client for solaris AMD x64. I tried instant client download page (http://www.oracle.com/technology/software/tech/oci/instantclient/index.html) but it is not listed there. I have no idea who to contact within Oracle or Oracle tech support.
    Any help is greatly appreciated.
    Thank you,
    Boris

    I've just downloaded the basic and sqlplus zip files and sqlplus works fine. sqlplus is linked to libclntsh.so.10.1, so I doubt that file is corrupt.
    instantclient_10_2> ls -l
    total 225992
    -r--r--r--   1 oracle   dba      1594191 May 19  2006 classes12.jar
    -r--r--r--   1 oracle   dba         1525 May 19  2006 glogin.sql
    -rwxr-xr-x   1 oracle   dba      29618728 May 19  2006 libclntsh.so.10.1
    -rwxr-xr-x   1 oracle   dba      7860792 May 19  2006 libnnz10.so
    -rwxr-xr-x   1 oracle   dba      1404480 May 19  2006 libocci.so.10.1
    -rwxr-xr-x   1 oracle   dba      70141168 May 19  2006 libociei.so
    -rwxr-xr-x   1 oracle   dba       146640 May 19  2006 libocijdbc10.so
    -rwxr-xr-x   1 oracle   dba      1913800 May 19  2006 libsqlplus.so
    -rwxr-xr-x   1 oracle   dba      1437952 May 19  2006 libsqlplusic.so
    -r--r--r--   1 oracle   dba      1540457 May 19  2006 ojdbc14.jar
    -rw-rw-r--   1 oracle   dba         6690 Apr 28 14:43 sqlnet.log
    -rwxr-xr-x   1 oracle   dba        11536 May 19  2006 sqlplus
    instantclient_10_2> ldd sqlplus
            libsqlplus.so =>         /tmp/ic/instantclient_10_2/libsqlplus.so
            libclntsh.so.10.1 =>     /tmp/ic/instantclient_10_2/libclntsh.so.10.1
            libnnz10.so =>   /tmp/ic/instantclient_10_2/libnnz10.so
            libkstat.so.1 =>         /lib/64/libkstat.so.1
            libnsl.so.1 =>   /lib/64/libnsl.so.1
            libsocket.so.1 =>        /lib/64/libsocket.so.1
            libgen.so.1 =>   /lib/64/libgen.so.1
            libdl.so.1 =>    /lib/64/libdl.so.1
            libsched.so.1 =>         /usr/lib/64/libsched.so.1
            libc.so.1 =>     /lib/64/libc.so.1
            librt.so.1 =>    /lib/64/librt.so.1
            libaio.so.1 =>   /lib/64/libaio.so.1
            libm.so.2 =>     /lib/64/libm.so.2
            libthread.so.1 =>        /lib/64/libthread.so.1
            libmp.so.2 =>    /lib/64/libmp.so.2
            libmd.so.1 =>    /lib/64/libmd.so.1
            libscf.so.1 =>   /lib/64/libscf.so.1
            libdoor.so.1 =>  /lib/64/libdoor.so.1
            libuutil.so.1 =>         /lib/64/libuutil.so.1
    instantclient_10_2> ./sqlplus /nolog
    SQL*Plus: Release 10.2.0.2.0 - Production on Tue Apr 28 14:47:04 2009
    Copyright (c) 1982, 2005, Oracle.  All Rights Reserved.
    SQL> exit
    instantclient_10_2> uname -a
    SunOS xxxx 5.10 Generic_120012-14 i86pc i386 i86pc

  • What does "wheel" mean for custom access

    What does "wheel" mean when allowing custom access to a folder?

    wheel= admin
    In computing, the term wheel refers to a user account with a wheel bit, a system setting that provides additional special system privileges that empower a user to execute restricted commands that ordinary user accounts cannot access. The term is derived from the slang term big wheel, referring to a person with great power or influence. It was first used in this context with regard to the TENEX operating system, later distributed under the name TOPS-20 in the 1960s and early 1970s.
    The term was adopted by Unix users in the 1980s, due to the movement of operating system developers and users from TENEX/TOPS-20 to Unix. Modern Unix implementations generally include a security protocol that requires a user be a member of the wheel user privileges group in order to gain superuser access to a machine by using the su command.

  • Custom authorization provider for WL7 problem (not getting all parameters from ContextHandler)

    I'm implementing a custom authorization provider for WebLogic 7.
    In my Access Decision isAccessAllowed method I need to check values of
    the parameters passed to an EJB method. Now, if in an EJB method I have
    two parameters of the same type, for example int, when I get the
    ContextElement array from ContextHandler and iterate through it to get
    names and values of the parameters I get the same value (value of the
    first int parameter) from both ContextElements.
    Here is the code:
    String[] names = ch.getNames();
    for (int i = 0; i < names.length; i++) {
        String name = names[i];
        // Here it gets an array of Strings which contains two parameter
        // names, "int", "int", which are the types of the EJB method parameters.
        System.out.println("name = " + name);
    }
    ContextElement[] ces = ch.getValues(names);
    for (int j = 0; j < ces.length; j++) {
        ContextElement ce = ces[j];
        // Here, if the value of the first int was 2 and the second 0, it
        // would get 2 from both ContextElements (each ContextElement will
        // have the name "int").
        System.out.println(ce.getName() + " = " + ce.getValue());
    }
    If I try this with method parameters of different types, for example
    int with value 2 and long with value 0, then this code works fine -
    the first ContextElement has name int and value 2 and the second has name
    long and value 0.
    Thanks,
    -Oleg Kozlov.

