Custom Auth Module + refer to other jar

Similar Messages

• Wls7 + custom auth module + abort instead of commit

  Hi,
  I've written a custom authentication module using a rdbms.
  WHat does work:
  - getting + verifying username
  - getting + verifying password
  - adding username to principal
  - getting the groups
  - adding the groups
  - no exceptions are being thrown
  - the login() method returs true
  PROBLEM:
  after that the loginModule returns true, the abort() method is being called and
  not the commit().
  Does anyone know in which scenario the abort() is getting called and not the commit()
  or what could be a possible problem.
  Thx

  See if you also have the default weblogic authenticator configured as an authentication
  provider, and if yes, make sure that the Control flag for that default one is
  set to "SUFFICIENT"/"OPTIONAL".
  "Reborn" <[email protected]> wrote:
  >
  Hi,
  I've written a custom authentication module using a rdbms.
  WHat does work:
  - getting + verifying username
  - getting + verifying password
  - adding username to principal
  - getting the groups
  - adding the groups
  - no exceptions are being thrown
  - the login() method returs true
  PROBLEM:
  after that the loginModule returns true, the abort() method is being
  called and
  not the commit().
  Does anyone know in which scenario the abort() is getting called and
  not the commit()
  or what could be a possible problem.
  Thx

• How to unconfigure a Custom Authentication Module for Convergence

  After flailing with the incomplete instructions for [Writing a Custom Authentication Module for Convergence|http://wikis.sun.com/display/CommSuite/Writing+a+Custom+Authentication+Module+for+Convergence]
  , I decided to try to revert back to the default.
  How do you remove the module and go back to the default? I tried to unset the options, but they did not seem to take effect.
  sudo /opt/sun/comms/iwc/sbin/iwcadmin -w xxxxx -o auth.custom.servicename -v ""
  sudo /opt/sun/comms/iwc/sbin/iwcadmin -w xxxxx -o auth.custom.callbackhandler -v ""
  sudo /opt/sun/comms/iwc/sbin/iwcadmin -w xxxxx -o auth.custom.loginimpl -v ""
  sudo /opt/SUNWappserver/bin/asadmin stop-appserv
  sudo /opt/SUNWappserver/bin/asadmin start-appserv
  AUTH: DEBUG from com.sun.comms.client.web.sso.SSOFilter  Thread httpSSLWorkerThread-80-1 at 14:45:25,951 - SSO is disabled
  AUTH: WARN from com.sun.comms.client.protocol.delegate.agent.LoginContextAgent  Thread httpSSLWorkerThread-80-1 at 14:45:25,953 - Subject not found in session, creating one
  AUTH: ERROR from com.sun.comms.client.protocol.delegate.agent.LoginContextAgent  Thread httpSSLWorkerThread-80-1 at 14:45:25,954 - Unabled to load the class due to 
  AUTH: ERROR from com.sun.comms.client.protocol.delegate.agent.LoginContextAgent  Thread httpSSLWorkerThread-80-1 at 14:45:25,956 - Unable to instantiate callback handler 
  AUTH: ERROR from com.sun.comms.client.protocol.delegate.LoginCommandDelegate  Thread httpSSLWorkerThread-80-1 at 14:45:25,957 - Failed to Login the user: Unable to instantiate callback handler 
  PROTOCOL: ERROR from com.sun.comms.client.protocol.delegate.LoginCommandDelegate  Thread httpSSLWorkerThread-80-1 at 14:45:25,960 - Protocol Error while login : Unknown Reason

  jessethompson wrote:
  After flailing with the incomplete instructions for [Writing a Custom Authentication Module for Convergence|http://wikis.sun.com/display/CommSuite/Writing+a+Custom+Authentication+Module+for+Convergence]
  , I decided to try to revert back to the default.
  How do you remove the module and go back to the default? I tried to unset the options, but they did not seem to take effect.After enabling the custom login module using the steps in the earlier thread (http://forums.sun.com/thread.jspa?threadID=5318615), I performed the following steps to disable the custom module and re-enable the ldap auth module:
  # Disable custom auth-module
  cd /opt/sun/comms/iwc/sbin
  ./iwcadmin -w <admin password> -o auth.custom.servicename -v ""
  ./iwcadmin -w <admin password> -o auth.custom.loginimpl -v ""
  ./iwcadmin -w <admin password> -o auth.custom.callbackhandler -v ""
  ./iwcadmin -w <admin password> -o auth.misc.CredentialFile -v ""# Re-enable the LDAP auth-module
  cd /opt/sun/comms/iwc/sbin
  ./iwcadmin -w <admin password> -o auth.ldap.callbackhandler  -v com.sun.comms.client.security.auth.AppCallbackHandler
  ./iwcadmin -w <admin password> -o auth.ldap.loginimpl -v com.sun.comms.client.security.auth.modules.impl.SunLDAPLoginModule# Restarte App Server
  cd /opt/SUNWappserver/bin/
  ./asadmin stop-domain; ./asadmin start-domain# Login to iwc interface as user shjorth with password oldpwd
  # Login successful with oldpwd -- custom auth module successfully disabled, LDAP re-enabled
  Regards,
  Shane.

• Deploying a custom login module to the J2EE engine

  I have developed a custom login module, and want to deploy it to the SAP j2ee engine. How should I go about this ? I tried packaging it as a jar and then using the deploytool, went into user management to register the module, but when the module was invoked I got an error in the log saying "Cannot load a login module".
  The way I currently deploy it is packaged with the Example Calculator, and this works. I just add my 2 java files into the web module (in com.sap.examples.calculator.beans) and it gets packaged in the war file.
  Can anyone help with the "proper" way of deploying my module ?
  Thanks in advance

  Hi Brad,
  >
  > What I'm actually trying to do is NOT deploy my
  > custom login module with an application. But rather
  > deploy the jar file as a library to the J2EE engine,
  > so that any application can use it by configuring it
  > in their login stacks. I'm still not totally clear
  > whether this is possible or not.
  Once again - It is possible to deploy the login module as a library to the J2EE Engine; furthermore, this is the PREFERRED way to use login modules!
  >
  > What I have currently done:
  >
  > 1. developed custom login module packaged as a jar in
  > NW studio (2 class files)
  >
  > 2. Using deploytool I deploy the jar as a library to
  > the j2ee engine. This works and the library shows up
  > under the libraries section.
  >
  > 3. Register the login module in the user
  > management->manage security stores section. I'm
  > unsure if this works properly. Do I just provide the
  > full path to the required class ? For example
  > "com.example.myloginmodule.LoginModule"
  > I have a suspicion that my error of "cannot load a
  > login module" stems from here.
  >
  > 4. I have then followed your step and added a
  > reference to the libray (Hard reference) and this
  > seems ok.
  >
  Sorry, Brad, I've made a mistake here. You need to set a reference from the Security Provider Service to the library that contains the login module (not from the application). To do that at runtime, you'll have to use the Configuration Adapter service on the J2EE Engine. For a description of the procedure, see this page in the documentation: http://help.sap.com/saphelp_nw04/helpdata/en/dd/1e3a3e5069eb6ce10000000a114084/frameset.htm
  You need to provide additional entry of the following type in the security-provider.xml file:
  <reference type="library" strength="weak">
          Your-library-name-here
        </reference>
  Regards,
  Ivo.
  Message was edited by: Ivaylo Ivanov

• QISRSCENARIO - Action Box - Adding a custom function module

  Hello Experts,
  Under the scenario ID for Performance Award in the transaction QISRSCENARIO I created a custom function module in order to exchange standard. I clicked on the follow-up Functions of the MCSP and then I type my new function module, then when I tried to save the changes I received this error message:
  The function module Z_CUSTOMFUNCTIONMODULE cannot be used.
  Diagnosis
  The function module Z_CUSTOMFUNCTIONMODULE is not suitable to be used as a follow-up function, as the interface does not contain the required parameters.
  Does anyone knows what parameters am I missing?
  Thanks in advance,
  AK

  I would do it this way..
  MCSP is delivered with HRWPC_PCR_SP_TRANSACTION_PA30 as the function module. In SE80, copy the function group HRWPC_PCR_SP_ACTIONS into a custom function group..say  Z_PCR_SP_ACTIONS. When prompted to copy the function modules,select HRWPC_PCR_SP_TRANSACTION_PA30 & name the custom object as , say, Z_PCR_SP_TRANSACTION_PA30. put your custom code inside this function module.Activate the custom function group & function module.Now got to the Action Box & replace the Std function for MCSP with your custom function module.
  ~Suresh

• Custome login module:SDA can't reference com.sap.portal.usermapping_api.jar

  I made my own j2ee custom login module and one of the things I wanted the custom login module to do is to clear out the UME roles for the user logging in,  "download" the role assignments from an ABAP WAS system, and reassign those roles in UME.  I got the coding done and created my JAR file. In building the SDA file, I can't figure out how to add com.sap.portal.usermapping_api.jar to the provider.xml file.  I tried specifying it on thru "create new" and tried looking for it in the list from "Select library/interface/service, but I still get an error when loading the login module.
  Does anyone know how to do this?
  TIA.
  Mel Calucin
  Bentley Systems, Inc.

  Hi Mel,
  why do you think you need to reference the portal's user mapping service API? I'm not sure whether you can reference Portal services at all from J2EE level.
  If you need to use user mapping in your login module, you don't need the Portal's user mapping service. Instead, you can directly use the user mapping interfaces and methods of the UME, which are contained in a J2EE library.
  You can use something like the following reference to get runtime access to the UME API library:
  <reference reference-type="weak">
    <reference-target target-type="library">
      com.sap.security.api.sda
    </reference-target>
  </reference>
  Accessing user mapping is possible via com.sap.security.api.UMFactory.getUserMapping() which returns an object implementing com.sap.security.api.umap.IUserMapping. This is the main entry point for all user mapping related features.
  Please check the Javadoc for details:
  https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/javadocs/nw04/sp12/user management engine - version 4.0/index.html
  I hope this helps.
  Best regards
  Heiko

• Customer Service (CS) module integration  with other modules VERY URGENT

  Customer Service (CS) module integration  with other modules like sd,mm,pm,fi
  documentation very urgent please send to my mail id [email protected]

  This is with regards to Integration of CS module with other modules:
  CS is in very close integration with Plant Maintenance(PM), Sales and Distribution(SD), FI, MM, Costing (CO) and also PP and HR.
  Incase you want to have resource related billing using DIP profile  (PM) you must have Cost element  and Service Products defined in MM etc.
  Itu2019s a very vast area needs to be explored based on the requirement in CS module. Any further assistance needed pls let me know.l.

• Custom login module on OC4J 10.1.3.3.0

  Hi,
  I need to implement custom web form-based authentication on OC4J, in order to port an existing JBoss app. I was following Frank's example at http://www.oracle.com/technology/products/jdev/howtos/10g/jaassec/index.htm. Trying to access protected pages will correctly redirect to the j_security_check page, and from there call my custom login module - through LoginContext. The issue is that - even if the LoginModule correctly authenticates user's credentials, the request still doesn't get through, coming back to the authentication page.
  I perform the deployment using Oracle Enterprise Manager, and the relevant files are:
  web.xml:
  <login-config>
  <auth-method>FORM</auth-method>
  <realm-name>testJAAS</realm-name>
  <form-login-config>
  <form-login-page>/jsp/login.jsp</form-login-page>
  <form-error-page>/jsp/login.jsp</form-error-page>
  </form-login-config>
  </login-config>
  <!-- Security constraints -->
  <security-constraint>
       <web-resource-collection>
       <web-resource-name>Test Secure Application</web-resource-name>
       <description>Requires users to authenticate</description>
       <url-pattern>faces/*</url-pattern>
       <http-method>POST</http-method>
       <http-method>GET</http-method>
       <http-method>HEAD</http-method>     
       <http-method>PUT</http-method>     
       </web-resource-collection>     
       <auth-constraint>
       <description>Only allow role1 users</description>
       <role-name>role1</role-name>
       </auth-constraint>     
       <user-data-constraint>
       <description>Encryption is not required for the application in general. </description>
       <transport-guarantee>NONE</transport-guarantee>
       </user-data-constraint>
  </security-constraint>
  <!-- Define the security role(s) -->
  <security-role>
  <description>Example role</description>
  <role-name>role1</role-name>
  </security-role>
  orion-web.xml:
  schema-major-version="10" schema-minor-version="0" >
       <!-- Uncomment this element to control web application class loader behavior.
            <web-app-class-loader search-local-classes-first="true" include-war-manifest-class-path="true" />
       -->
       <resource-ref-mapping name="jdbc/lics" />
       <security-role-mapping name="role1">
            <group name="oc4j-app-administrators" />
       </security-role-mapping>
       <web-app>
       </web-app>
  orion-application.xml:
       <jazn provider="XML" >
            <property name="jaas.username.simple" value="true" />
            <property name="custom.loginmodule.provider" value="true" />
            <property name="role.mapping.dynamic" value="true" />
       </jazn>
  system-jazn-data.xml:
  <jazn-loginconfig>
       <application>
            <name>le5</name>
            <login-modules>
                 <login-module>
                      <class>com.tx.lic.oc4jsx.ext.LicLoginModule</class>
                      <control-flag>required</control-flag>
                      <options>
                           <option>
                                <name>defaultRole</name>
                                <value>role1</value>
                           </option>
                      </options>
                 </login-module>
            </login-modules>
       </application>
  I assume something is wrong with the deployment configuration, b/c when I specifically add users to the defined role1 role, it works fine(see below). But this is not an option, since users should only be specified in the data store of the LoginModule.
  Doing as above, the orion-web.xml is below:
       <resource-ref-mapping name="jdbc/lic" />
       <security-role-mapping name="role1">
            <group name="oc4j-app-administrators" />
            <user name="user1" />
            <user name="user2" />
       </security-role-mapping>
  Any insight would be much appreciated. Thanks.

  Hi,
  role to group mapping doesn't seem to work for custom LoginModules. This means hat your web applcation (web.xml) should use th same role names as used on the database authentication. So remove
  <security-role-mapping name="role1">
  <group name="oc4j-app-administrators" />
  </security-role-mapping>
  from orion-web.xml and it should start wrking
  Frank

• Custom pluggable idm with custom login module

  Hello All. I've developed a custom implementation of the pluggable identity management framework as explained in chapter 13 of the book "Oracle® Containers for J2EE Security Guide10g (10.1.3.1.0)". I have OAS 10.1.3.1.0.
  Everything works fine except when the identity is validated with in the tokenAsserter. The process is supposed to continue with the login method implemented in my custom login module but instead the default oracle implementation (RealmLoginModule) is being executed.
  The application is a servlet and is configured to use a custom loginModule. If I don't use de custom auth method (auth-method="CUSTOM_AUTH" in orion-application) my loginModule is called but when I plug it to my custom idm implementation it doesn't.
  The custom idm is packed in to a jar containing the idm and the login module. The jar is deployed to the <ORACLE_HOME>/ext/lib directory.
  Any suggestions? Thanks

  Thanks for your answer, it really helps. I had already cheeked all that stuff and it was correct, but knowing that another person had made it worked the same way I was doing it, made me think I was doing it right and the problem may simpler. It really was. OC4J was really calling my login module all the time but it was getting a runtime exception, a very simple one, that was making OC4J to propagate the authentication to the default login module (RealmLoginModule), and that was the error I was watching in the logs that had me all confused.
  I will start another thread though about stolen cookie in a SSO solution that I’m developing with this implementation.
  Thank you.

• Custom Login Module with Adf 11g and and weblogic server

  I have configured adf security on my application. I have checked the authentication and authorization are working fine with the default authenticator.
  I am trying to create a custom login module. I have downloaded the custom login module implementation jaasdatabaseloginmodule.zip http://www.oracle.com/technetwork/developer-tools/jdev/index-089689.html. I have added the DBLoginModule.jar to my application. post written by Frank Nimphius and Duncan Mills
  I have configured the jps config under the application resources with these entries.
  <jpsConfig xmlns="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd">
  <property value="true" name="custom.provider"/>
  <property value="doasprivileged" name="oracle.security.jps.jaas.mode"/>
  <serviceInstance name="CustomFFMLoginModule"
  provider="jaas.login.provider">
  <property name="jaas.login.controlFlag" value="REQUIRED"/>
  <property name="log.level" value="FINEST"/>
  <property name="debug" value="true"/>
  <property name="addAllRoles" value="true"/>
  <property name="loginModuleClassName"
  value="oracle.sample.dbloginmodule.DBTableLM.ALSDBTableLoginModule"/>
  <property value="jdbc/ApplicationDBDS" name="data_source_name"/>
  </serviceInstance>
  <jpsContexts default="FFMSecurityDAM">
  <jpsContext name="FFMSecurityDAM">
  <serviceInstanceRef ref="CustomFFMLoginModule"/>
  <serviceInstanceRef ref="credstore"/>
  <serviceInstanceRef ref="anonymous"/>
  <serviceInstanceRef ref="policystore.xml"/>
  </jpsContext>
  When I run the application this custom login is not getting invoked.
  I even tried to add these contents to DefaultDomain\config\fmwconfig\jps-config.xml still no result.
  Can anyone who has configured custom login module direct me how to correct my application.

  Hi Frank,
  After following the documentation suggested. I am able to create custom authenticator. But when I login I getting the below exception. When I debugged login method returned true. But this error is being thrown after that. Any clue.
  java.lang.IllegalArgumentException: [Security:097531]Method com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principals) was unable to sign a principal
       at com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(PrincipalValidationServiceImpl.java:188)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:597)
       at com.bea.common.security.internal.utils.Delegator$ProxyInvocationHandler.invoke(Delegator.java:57)
       at $Proxy10.sign(Unknown Source)
       at weblogic.security.service.internal.WLSIdentityServiceImpl.getIdentityFromSubject(WLSIdentityServiceImpl.java:63)
       at com.bea.common.security.internal.service.JAASLoginServiceImpl.login(JAASLoginServiceImpl.java:119)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:597)
       at com.bea.common.security.internal.utils.Delegator$ProxyInvocationHandler.invoke(Delegator.java:57)
       at $Proxy16.login(Unknown Source)
       at weblogic.security.service.internal.WLSJAASLoginServiceImpl$ServiceImpl.login(WLSJAASLoginServiceImpl.java:91)
       at com.bea.common.security.internal.service.JAASAuthenticationServiceImpl.authenticate(JAASAuthenticationServiceImpl.java:82)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:597)
       at com.bea.common.security.internal.utils.Delegator$ProxyInvocationHandler.invoke(Delegator.java:57)
       at $Proxy34.authenticate(Unknown Source)
       at weblogic.security.service.WLSJAASAuthenticationServiceWrapper.authenticate(WLSJAASAuthenticationServiceWrapper.java:40)
       at weblogic.security.service.PrincipalAuthenticator.authenticate(PrincipalAuthenticator.java:348)
       at weblogic.servlet.security.internal.SecurityModule.checkAuthenticate(SecurityModule.java:237)
       at weblogic.servlet.security.internal.SecurityModule.checkAuthenticate(SecurityModule.java:186)
       at weblogic.servlet.security.internal.FormSecurityModule.processJSecurityCheck(FormSecurityModule.java:254)
       at weblogic.servlet.security.internal.FormSecurityModule.checkUserPerm(FormSecurityModule.java:209)
       at weblogic.servlet.security.internal.FormSecurityModule.checkAccess(FormSecurityModule.java:92)
       at weblogic.servlet.security.internal.ServletSecurityManager.checkAccess(ServletSecurityManager.java:82)
       at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2204)
       at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2174)
       at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1446)
       at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
       at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)

• Custom Authentication Module on Identity Server

  Hi,
  I have a custom authentication module which I am trying to access through the policy agent.
  I have set the following property in AMAgent.properties file
  com.sun.am.policy.am.loginURL= http://host:port/amserver/UI/Login?module=CustomLoginModule.
  My login module code is something like this:
  package com.iplanet.am.samples.authentication.providers;
  import java.util.*;
  import javax.security.auth.Subject;
  import javax.security.auth.callback.Callback;
  import javax.security.auth.callback.NameCallback;
  import javax.security.auth.callback.PasswordCallback;
  import javax.security.auth.login.LoginException;
  import com.sun.identity.authentication.spi.AMLoginModule;
  import com.sun.identity.authentication.spi.AuthLoginException;
  import java.rmi.RemoteException;
  import java.io.FileInputStream;
  import java.util.Properties;
  public class LoginModule1 extends AMLoginModule
  private String userName;
  private String userTokenId;
  private HashMap usersMap;
  private java.security.Principal userPrincipal = null;
  public LoginModule1() throws LoginException
  public void init(Subject subject, Map sharedState, Map options)
            System.out.println("LoginModule1 initialization");
            usersMap = new HashMap();
            ResourceBundle bundle = ResourceBundle.getBundle("users");
            Enumeration users = bundle.getKeys();
            while (users.hasMoreElements())
                 String user = (String)users.nextElement();
                 String password = bundle.getString(user.trim());
                 usersMap.put(user, password);
  public int process(Callback[] callbacks, int state) throws AuthLoginException
            int currentState = state;
            if (currentState == 1)
                 userName = ((NameCallback) callbacks[0]).getName().trim();
                 char[] passwd = ((PasswordCallback) callbacks[1]).getPassword();
                 String passwdString = new String (passwd);
                 if (userName.equals(""))
                      throw new AuthLoginException("names must not be empty");
                 if (userName.equals("testuser") && passwdString.equals("testuser"))
                      userTokenId = userName;
                      return -1;
                 if (usersMap.containsKey(userName))
                      if (usersMap.get(userName).equals(new String(passwd)))
                           userTokenId = userName;
                           return -1;
                 return 0;
       public java.security.Principal getPrincipal()
            if (userPrincipal != null)
                 return userPrincipal;
            else
            if (userTokenId != null)
                 userPrincipal = new SamplePrincipal("testuser");
                 return userPrincipal;
            else
                 return null;
  So When the user requests a protected resource, the policy agent forwards the user to Identity Server with the module as CustomLoginModule. However, after this, authentication does not succeed and I get the following error message in the agent log file.
  2004-08-09 15:24:08.640 Error 2712:130f060 PolicyAgent: validate_session_policy() access allowed to unknown user
  2004-08-09 15:24:09.030 Error 2712:24fda5e8 PolicyAgent: validate_session_policy() access allowed to unknown user
  2004-08-09 15:24:23.484 Error 2712:130f060 PolicyAgent: validate_session_policy() access allowed to unknown user
  2004-08-09 15:24:28.281 Error 2712:24fda5e8 PolicyEngine: am_policy_evaluate: InternalException in Service::construct_auth_svc with error message:Application authentication failed during service creation. and code:20
  2004-08-09 15:24:28.281 Error 2712:24fda5e8 PolicyAgent: validate_session_policy() access allowed to unknown user
  2004-08-09 15:24:29.484 Error 2712:130f060 PolicyAgent: validate_session_policy() access allowed to unknown user
  2004-08-09 15:24:29.499 Error 2712:24fda5e8 PolicyEngine: am_policy_evaluate: InternalException in Service::construct_auth_svc with error message:Application authentication failed during service creation. and code:20
  2004-08-09 15:24:29.499 128 2712:24fda5e8 RemoteLog: User unknown was denied access to http://ps0391.persistent.co.in:80/test/index.html.
  2004-08-09 15:24:29.499 Error 2712:24fda5e8 LogService: LogService::logMessage() loggedBy SSOTokenID is invalid.
  2004-08-09 15:24:29.499 Error 2712:24fda5e8 all: am_log_vlog() failed with status AM_REMOTE_LOG_FAILURE.
  2004-08-09 15:24:29.499 -1 2712:24fda5e8 PolicyAgent: validate_session_policy() access denied to unknown user
  The necessary policy object is already created in Identity Server. Please send your suggestions to fix this problem.
  Thanks
  Srinivas

  Does the principal "testuser" exist in your realm? If I understand your module correctly, it looks like it always returns "testuser".
  I am guessing that Access Manager is not finding your principal. Typically if access manager cannot associate the principal returned by the custom AMLoginModule it will fail the authentication.
  I am wondering if this is related to a seperate problem I have seen with custom login modules. Try chaning the code to return an LDAP style principal it may work:
  so return "uid=testuser,ou=People,dc=yourdomain,dc=com" for example. In theory this should not be necessary but it solved some problems for me, though I am not sure why.

• Help - using custom login module with embedded jdev oc4j to access ejb 3

  Hi All (Frank ??),
  I'm just wondering if anyone has successfully been able to leverage a custom login module in combination
  with a client that connects to a local EJB 3 stateless session bean through Jdeveloper 10.1.3.2's embedded oc4j.
  I have spent 2+ days trying to get this to work - and i think I resound now to the fact im going to
  have to deploy to oc4j standalone instead.
  I got close.. but finally was trumped with the following error from the client trying to access the ejb:-
  javax.naming.NoPermissionException: Not allowed to look up XXXXXX, check the namespace-access tag
  setting in orion-application.xml for details.
  Using the various guides available, I had no problem getting the custom login module working
  with a local servlet running from JDev's embedded oc4j.. however with ejb - no such luck.
  I have a roles table (possible values Member, Admin) - that maps to sr_Member and sr_Admin
  respectively in various config files.
  I'm using EJB 3 annotations for protecting methods .. for example
  @RolesAllowed("sr_Member")
  Steps that I had to do so far :-
  In <jdevhome>\jdev\system\oracle.jwee.10.1.3.40.66\embedded-oc4j\config\system-jazn-data.xml1) Add custom login module
      <application>
        <name>current-workspace-app</name>
        <login-modules>
          <login-module>
            <class>kr.security.KnowRushLoginModule</class>
            <control-flag>required</control-flag>
            <options>
              <option>
                <name>dataSource</name>
                <value>jdbc/DB_XE_KNOWRUSHDS</value>
              </option>
              <option>
                <name>user.table</name>
                <value>users</value>
              </option>
              <option>
                <name>user.pk.column</name>
                <value>id</value>
              </option>
              <option>
                <name>user.name.column</name>
                <value>email_address</value>
              </option>
              <option>
                <name>user.password.column</name>
                <value>password</value>
              </option>
              <option>
                <name>role.table</name>
                <value>roles</value>
              </option>
              <option>
                <name>role.to.user.fk.column</name>
                <value>user_id</value>
              </option>
              <option>
                <name>role.name.column</name>
                <value>name</value>
              </option>
            </options>
          </login-module>
        </login-modules>
      </application>2) Grant login rmi permission to roles associated with custom login module (also in system-jazn-data.xml)
    <grant>
      <grantee>
        <principals>
          <principal>
            <realm-name>jazn.com</realm-name>
            <type>role</type>
            <class>kr.security.principals.KRRolePrincipal</class>
            <name>Admin</name>
          </principal>
        </principals>
      </grantee>
      <permissions>
        <permission>
          <class>com.evermind.server.rmi.RMIPermission</class>
          <name>login</name>
        </permission>
      </permissions>
    </grant>
    <grant>
      <grantee>
        <principals>
          <principal>
            <realm-name>jazn.com</realm-name>
            <type>role</type>
            <class>kr.security.principals.KRRolePrincipal</class>
            <name>Member</name>
          </principal>
        </principals>
      </grantee>
      <permissions>
        <permission>
          <class>com.evermind.server.rmi.RMIPermission</class>
          <name>login</name>
        </permission>
      </permissions>
    </grant>3) I've tried creating various oracle and j2ee deployment descriptors (even though ejb-jar.xml and orion-ejb-jar.xml get created automatically when running the session bean in jdev).
  My ejb-jar.xml contains :-
  <?xml version="1.0" encoding="utf-8"?>
  <ejb-jar xmlns ....
    <assembly-descriptor>
      <security-role>
        <role-name>sr_Admin</role-name>
      </security-role>
      <security-role>
        <role-name>sr_Member</role-name>
      </security-role>
    </assembly-descriptor>
  </ejb-jar>Note- i'm not specifying the enterprise-beans stuff, as JDev seems to populate this automatically.
  My orion-ejb-jar.xml contains ...
  <?xml version="1.0" encoding="utf-8"?>
  <orion-ejb-jar ...
    <assembly-descriptor>
      <security-role-mapping name="sr_Admin">
        <group name="Admin"></group>
      </security-role-mapping>
      <security-role-mapping name="sr_Member">
        <group name="Member"></group>
      </security-role-mapping>
      <default-method-access>
        <security-role-mapping name="sr_Member" impliesAll="true">
        </security-role-mapping>
      </default-method-access>
    </assembly-descriptor>My orion-application.xml contains ...
  <?xml version="1.0" encoding="utf-8"?>
  <orion-application xmlns ...
    <security-role-mapping name="sr_Admin">
      <group name="Admin"></group>
    </security-role-mapping>
    <security-role-mapping name="sr_Member">
      <group name="Member"></group>
    </security-role-mapping>
    <jazn provider="XML">
      <property name="role.mapping.dynamic" value="true"></property>
      <property name="custom.loginmodule.provider" value="true"></property>
    </jazn>
    <namespace-access>
      <read-access>
        <namespace-resource root="">
          <security-role-mapping name="sr_Admin">
            <group name="Admin"/>
            <group name="Member"/>
          </security-role-mapping>
        </namespace-resource>
      </read-access>
      <write-access>
        <namespace-resource root="">
          <security-role-mapping name="sr_Admin">
            <group name="Admin"/>
            <group name="Member"/>
          </security-role-mapping>
        </namespace-resource>
      </write-access>
    </namespace-access>
  </orion-application>My essentially auto-generated EJB 3 client does the following :-
        Hashtable env = new Hashtable();
        env.put(Context.SECURITY_PRINCIPAL, "matt.shannon");
        env.put(Context.SECURITY_CREDENTIALS, "welcome1");
        final Context context = new InitialContext(env);
        KRFacade kRFacade = (KRFacade)context.lookup("KRFacade");
  ...And throws the error
  20/04/2007 00:55:37 oracle.j2ee.rmi.RMIMessages
  EXCEPTION_ORIGINATES_FROM_THE_REMOTE_SERVER
  WARNING: Exception returned by remote server: {0}
  javax.naming.NoPermissionException: Not allowed to look
  up KRFacade, check the namespace-access tag setting in
  orion-application.xml for details
       at
  com.evermind.server.rmi.RMIClientConnection.handleLookupRe
  sponse(RMIClientConnection.java:819)
       at
  com.evermind.server.rmi.RMIClientConnection.handleOrmiComm
  andResponse(RMIClientConnection.java:283)
  ....I can see from the console that the user was successfully authenticated :-
  20/04/2007 00:55:37 kr.security.KnowRushLoginModule validate
  WARNING: [KnowRushLoginModule] User matt.shannon authenticated
  And that user is granted both the Admin, and Member roles.
  The test servlet using basic authentication correctly detects the user and roles perfectly...
    public void doGet(HttpServletRequest request,
                      HttpServletResponse response)
      throws ServletException, IOException
      LOGGER.log(Level.INFO,LOGPREFIX +"doGet called");
      response.setContentType(CONTENT_TYPE);
      PrintWriter out = response.getWriter();
      out.println("<html>");
      out.println("<head><title>ExampleServlet</title></head>");
      out.println("<body>");
      out.println("<p>The servlet has received a GET. This is the reply.</p>");
      out.println("<br> getRemoteUser = " + request.getRemoteUser());
      out.println("<br> getUserPrincipal = " + request.getUserPrincipal());
      out.println("<br> isUserInRole('sr_Admin') = "+request.isUserInRole("sr_Admin"));
      out.println("<br> isUserInRole('sr_Memeber') = "+request.isUserInRole("sr_Member"));Anyone got any ideas what could be going wrong?
  cheers
  Matt.
  Message was edited by:
  mshannon

  Thanks for the response. I checked out your blog and tried your suggestions. I'm sure it works well in standalone OC4J, but i was still unable to get it to function correctly from JDeveloper embedded.
  Did you ever get the code working directly from JDeveloper?
  Your custom code essentially seems to be the equivalent of a grant within system-jazn-data.xml.
  For example, the following grant to a custom jaas role (JAAS_ADMIN) that gets added by my custom login module gives them rmi login access :-
       <grant>
            <grantee>
                 <principals>
                      <principal>
                           <realm-name>jazn.com</realm-name>
                           <type>role</type>
                           <class>kr.security.principals.KRRolePrincipal</class>
                           <name>JAAS_Admin</name>
                      </principal>
                 </principals>
            </grantee>
            <permissions>
                 <permission>
                      <class>com.evermind.server.rmi.RMIPermission</class>
                      <name>login</name>
                 </permission>
            </permissions>
       </grant>If I add the following to orion-application.xml
    <!-- Granting login permission to users accessing this EJB. -->
    <namespace-access>
      <read-access>
        <namespace-resource root="">
          <security-role-mapping>
            <group name="JAAS_Admin"></group>
          </security-role-mapping>
        </namespace-resource>
      </read-access>Running a standalone client against the embedded jdev oc4j server gives the namespace-access error.
  I tried out your code by essentially creating a static reference to a singleton class that does the role lookup/provisioning with rmi login grant :-
  From custom login module :-
    private static KRSecurityHelper singleton = new KRSecurityHelper();
    protected Principal[] m_Principals;
      Vector v = new Vector();
        v.add(singleton.getCustomRmiConnectRole());
        // set principals in LoginModule
        m_Principals=(Principal[]) v.toArray(new Principal[v.size()]);
  Singleton class :-
  package kr.security;
  import com.evermind.server.rmi.RMIPermission;
  import java.util.logging.Level;
  import java.util.logging.Logger;
  import oracle.security.jazn.JAZNConfig;
  import oracle.security.jazn.policy.Grantee;
  import oracle.security.jazn.realm.Realm;
  import oracle.security.jazn.realm.RealmManager;
  import oracle.security.jazn.realm.RealmRole;
  import oracle.security.jazn.realm.RoleManager;
  import oracle.security.jazn.policy.JAZNPolicy;
  import oracle.security.jazn.JAZNException;
  public class KRSecurityHelper
    private static final Logger LOGGER = Logger.getLogger("kr.security");
    private static final String LOGPREFIX = "[KRSecurityHelper] ";
    public static String CUSTOM_RMI_CONNECT_ROLE = "remote_connect";
    private RealmRole m_Role = null;
    public KRSecurityHelper()
      LOGGER.log(Level.FINEST,LOGPREFIX +"calling JAZNConfig.getJAZNConfig");
      JAZNConfig jc = JAZNConfig.getJAZNConfig();
      LOGGER.log(Level.FINEST,LOGPREFIX +"calling jc.getRealmManager");
      RealmManager realmMgr = jc.getRealmManager();
      try
        // Get the default realm .. e.g. jazn.com
        LOGGER.log(Level.FINEST,LOGPREFIX +"calling jc.getGetDefaultRealm");
        Realm r = realmMgr.getRealm(jc.getDefaultRealm());
        LOGGER.log(Level.INFO,LOGPREFIX +"default realm: "+r.getName());
        // Access the role manager for the remote connection role
        LOGGER.log(Level.FINEST,
          LOGPREFIX +"calling default_realm.getRoleManager");
        RoleManager roleMgr = r.getRoleManager();
        LOGGER.log(Level.INFO,LOGPREFIX +"looking up custom role '"
          CUSTOM_RMI_CONNECT_ROLE "'");
        RealmRole rmiConnectRole = roleMgr.getRole(CUSTOM_RMI_CONNECT_ROLE);
        if (rmiConnectRole == null)
          LOGGER.log(Level.INFO,LOGPREFIX +"role does not exist, create it...");
          rmiConnectRole = roleMgr.createRole(CUSTOM_RMI_CONNECT_ROLE);
          LOGGER.log(Level.FINEST,LOGPREFIX +"constructing new grantee");
          Grantee gtee = new Grantee(rmiConnectRole);
          LOGGER.log(Level.FINEST,LOGPREFIX +"constructing login rmi permission");
          RMIPermission login = new RMIPermission("login");
          LOGGER.log(Level.FINEST,
            LOGPREFIX +"constructing subject.propagation rmi permission");
          RMIPermission subjectprop = new RMIPermission("subject.propagation");
          // make policy changes
          LOGGER.log(Level.FINEST,LOGPREFIX +"calling jc.getPolicy");
          JAZNPolicy policy = jc.getPolicy();
          if (policy != null)
            LOGGER.log(Level.INFO, LOGPREFIX
              + "add to policy grant for RMI 'login' permission to "
              + CUSTOM_RMI_CONNECT_ROLE);
            policy.grant(gtee, login);
            LOGGER.log(Level.INFO, LOGPREFIX
              + "add to policy grant for RMI 'subject.propagation' permission to "
              + CUSTOM_RMI_CONNECT_ROLE);
            policy.grant(gtee, subjectprop);
            // m_Role = rmiConnectRole;
            m_Role = roleMgr.getRole(CUSTOM_RMI_CONNECT_ROLE);
            LOGGER.log(Level.INFO, LOGPREFIX
              + m_Role.getName() + ":" + m_Role.getFullName() + ":" + m_Role.getFullName());
          else
            LOGGER.log(Level.WARNING,LOGPREFIX +"Cannot find jazn policy!");
        else
          LOGGER.log(Level.INFO,LOGPREFIX +"custom role already exists");
          m_Role = rmiConnectRole;
      catch (JAZNException e)
        LOGGER.log(Level.WARNING,
          LOGPREFIX +"Cannot configure JAZN for remote connections");
    public RealmRole getCustomRmiConnectRole()
      return m_Role;
  }Using the code approach and switching application.xml across so that namespace access is for the group remote_connect, I get the following error from my bean :-
  INFO: Login permission not granted for current-workspace-app (test.user)
  Thus, the login permission that I'm adding through the custom remote_connect role does not seem to work. Even if it did, i'm pretty sure I would still get that namespace error.
  This has been such a frustrating process. All the custom login module samples using embedded JDeveloper show simple j2ee servlet protection based on settings in web.xml.
  There are no samples showing jdeveloper embedded oc4j using ejb with custom login modules.
  Hopefully the oc4j jdev gurus like Frank can write a paper that demonstrates this.
  Matt.

• Custom login module Authentication works but Authorization Does not work

  Hi:
  I am using custom login module and switched on the ADF authentication using adf-config.xml file. My custom authentication works i.e. it returns true but when it finally tries to display the page 401 Unauthorized message is shown. I am using JDev 10.1.3.2.
  Is there any other settings I need to perform. Could you please let me know.
  Thanks

  I have the same issue, please refer to this thread.
  Re: ADF Security Authorization

• Unable to deploy custom adapter module in PI 7.31

  Hi pros,
  I created a custom adapter module to split some complex input files to multiple messages. We use a SAP PO 7.31 java-only installation. I followed this document to create my adapter module:
  How to Create Modules for the JEE Adapter Engine
  I know it is for PI 7.1 but a colleague of mine said that he was able to create a running adapter module for PI 7.3 following the guide. I created the following projects:
  EAR project references the EJB project:
  Project facet of the EJBproject:
  ejb-jar.xml config:
  application-j2ee-engine.xml (in EAR project):
  When I try to deploy my module, I get the following error:
  Java version:
  NWDS version:
  Any hint is appreciated! What can be wrong? What can I check again?
  THANKS!
  Message was edited by: Stefan Münchow

  I am not sure if the version is the problem. We have PI 7.31, support package 14, patch level 0 and NWDS 7.31 support package 12, patch level 4. The version of NWDS is lower than the version of the PI. According to Note 1599298 the error occurs when the NWDS is higher than the one of PI. Besides, we are able to deploy BPMN processes with the same NWDS to the same server.
  This is the exact exception trace shown in NWDS:
  com.sap.ide.eclipse.sdm.deploy.DeploymentException: [ERROR CODE DPL.DCAPI.1027] DeploymentException.
  Reason: ASJ.dpl_dc.001085 Operation [deploy] of [sap.com_SplitArticleFileModule_EAR] failed
  at com.sap.ide.eclipse.sdm.threading.DCDeployThread.run(DCDeployThread.java:110)
  ------------- Nested exception -------------------
  com.sap.engine.services.dc.api.deploy.DeployException: [ERROR CODE DPL.DCAPI.1027] DeploymentException.
  Reason: ASJ.dpl_dc.001085 Operation [deploy] of [sap.com_SplitArticleFileModule_EAR] failed
  at com.sap.engine.services.dc.api.deploy.impl.DeployProcessorImpl.deployItems(DeployProcessorImpl.java:862)
  at com.sap.engine.services.dc.api.deploy.impl.DeployProcessorImpl.deploy(DeployProcessorImpl.java:259)
  at com.sap.ide.eclipse.deployer.dc.deploy.DeployProcessor70.deploy(DeployProcessor70.java:105)
  at com.sap.ide.eclipse.sdm.threading.DCDeployThread.run(DCDeployThread.java:80)
  Caused by: com.sap.engine.services.dc.cm.deploy.DeploymentException: ASJ.dpl_dc.001085 Operation [deploy] of [sap.com_SplitArticleFileModule_EAR] failed
  at com.sap.engine.services.dc.cm.deploy.impl.OnlineDeployProcessor.performDelivery(OnlineDeployProcessor.java:246)
  at com.sap.engine.services.dc.cm.deploy.impl.BulkOnlineDeployProcessor.deploy(BulkOnlineDeployProcessor.java:67)
  at com.sap.engine.services.dc.cm.deploy.impl.AbstractDeployProcessor$DeployProcessorHelper.visit(AbstractDeployProcessor.java:282)
  at com.sap.engine.services.dc.cm.deploy.impl.DeploymentItemImpl.accept(DeploymentItemImpl.java:84)
  at com.sap.engine.services.dc.cm.deploy.impl.AbstractDeployProcessor.deploy(AbstractDeployProcessor.java:100)
  at com.sap.engine.services.dc.cm.deploy.impl.DeployThread.run(DeployThread.java:39)
  at com.sap.engine.core.thread.execution.Executable.run(Executable.java:122)
  at com.sap.engine.core.thread.execution.Executable.run(Executable.java:101)
  at com.sap.engine.core.thread.execution.CentralExecutor$SingleThread.run(CentralExecutor.java:328)
  Caused by: com.sap.engine.services.dc.gd.DeliveryException: [ERROR CODE DPL.DC.3298] Operation [deploy] of [sap.com_SplitArticleFileModule_EAR] failed
  at com.sap.engine.services.dc.gd.impl.ApplicationDeployer.deploy(ApplicationDeployer.java:167)
  at com.sap.engine.services.dc.gd.impl.InitialApplicationDeployer.performDeployment(InitialApplicationDeployer.java:138)
  at com.sap.engine.services.dc.gd.impl.InitialGenericDeliveryImpl.deploy(InitialGenericDeliveryImpl.java:57)
  at com.sap.engine.services.dc.cm.deploy.impl.OnlineDeployProcessor.performDelivery(OnlineDeployProcessor.java:213)
  ... 8 more
  Caused by: com.sap.engine.services.deploy.server.utils.DSRemoteException: ASJ.dpl_ds.006193 Operation [deploy] of [/usr/sap/DP2/J64/j2ee/cluster/server0/temp/tc~bl~deploy_controller/archives/213/SplitArticleFileModule_EAR.ear] failed
  at com.sap.engine.services.deploy.server.DeployServiceImpl.catchDeploymentExceptionWithDSRem(DeployServiceImpl.java:3370)
  at com.sap.engine.services.deploy.server.DeployServiceImpl.deploy(DeployServiceImpl.java:315)
  at com.sap.engine.services.dc.gd.impl.ApplicationDeployer.deploy(ApplicationDeployer.java:139)
  ... 11 more
  Caused by: com.sap.engine.services.deploy.container.rtgen.GenerationException: Open failed for '/usr/sap/DP2/J64/j2ee/cluster/server0/temp/deploy/SplitArticleFileModule_EAR.ear1422275742985/com.sap.aii.utilxi.server.jar' with fd 218 returning message 'couldn't find 'END' tag' and errno 0 after trying cache.
  at com.sap.engine.services.webservices.server.deploy.preprocess.WebServicesGenerator.createSingleModule(WebServicesGenerator.java:100)
  at com.sap.engine.services.webservices.server.deploy.preprocess.WebServicesGenerator.generate(WebServicesGenerator.java:54)
  at com.sap.engine.services.deploy.container.rtgen.AnnotationsSupportingGenerator.generate(AnnotationsSupportingGenerator.java:27)
  at com.sap.engine.services.deploy.ear.jar.moduledetect.GeneratorWrapper.generate(GeneratorWrapper.java:43)
  at com.sap.engine.services.deploy.ear.jar.ModuleGeneratorTool.generate(ModuleGeneratorTool.java:110)
  at com.sap.engine.services.deploy.ear.jar.ModuleGeneratorTool.generateOverExistingModules(ModuleGeneratorTool.java:97)
  at com.sap.engine.services.deploy.ear.jar.ModuleGeneratorTool.generateModules(ModuleGeneratorTool.java:80)
  at com.sap.engine.services.deploy.ear.jar.EARReader.read(EARReader.java:240)
  at com.sap.engine.services.deploy.server.application.DeployUtilTransaction.prepareNewDeploymentInfo(DeployUtilTransaction.java:217)
  at com.sap.engine.services.deploy.server.application.DeploymentTransaction.begin(DeploymentTransaction.java:199)
  at com.sap.engine.services.deploy.server.application.ApplicationTransaction.makeAllPhasesOnOneServer(ApplicationTransaction.java:421)
  at com.sap.engine.services.deploy.server.application.ApplicationTransaction.makeAllPhases(ApplicationTransaction.java:473)
  at com.sap.engine.services.deploy.server.DeployServiceImpl.makeGlobalTransaction(DeployServiceImpl.java:1836)
  at com.sap.engine.services.deploy.server.DeployServiceImpl.deploy(DeployServiceImpl.java:360)
  at com.sap.engine.services.deploy.server.DeployServiceImpl.deploy(DeployServiceImpl.java:313)
  ... 12 more
  Caused by: java.util.zip.ZipException: Open failed for '/usr/sap/DP2/J64/j2ee/cluster/server0/temp/deploy/SplitArticleFileModule_EAR.ear1422275742985/com.sap.aii.utilxi.server.jar' with fd 218 returning message 'couldn't find 'END' tag' and errno 0 after trying cache.
  at java.util.zip.ZipFile.open(Native Method)
  at java.util.zip.ZipFile.<init>(ZipFile.java:154)
  at java.util.jar.JarFile.<init>(JarFile.java:141)
  at java.util.jar.JarFile.<init>(JarFile.java:105)
  at com.sap.engine.services.webservices.server.deploy.preprocess.WebServicesSupportHandlerImpl.generateWebSupport(WebServicesSupportHandlerImpl.java:79)
  at com.sap.engine.services.webservices.server.deploy.preprocess.WebServicesGenerator.createSingleModule(WebServicesGenerator.java:69)
  ... 26 more
  Maybe the used jar files could be the problem?

• Custom logon module not called by the portal

  Hi, all.
  I need some help urgently on this new portal requirement. There are some sensitive ESS/MSS iviews that we need to give the users an additional logon challenge. The normal ESS/MSS iviews will be using SSO. This one will still use SSO, but have to pass the userid/password challenge.
  We have decided to use the authentication scheme. Also, the "form" logon stack has been modified with only one logon module, which is our customized one. To create the java project, jar and library, we are following the link: http://help.sap.com/saphelp_nw04s/helpdata/en/46/3ce9402f3f8031e10000000a1550b0/frameset.htm
  Here's the extract of our authscheme.xml:
          <authscheme name="certlogon">
              <authentication-template>
                  client_cert
              </authentication-template>
              <priority>21</priority>
              <frontendtype>2</frontendtype>
              <frontendtarget>com.sap.portal.runtime.logon.certlogon</frontendtarget>
          </authscheme>
          <authscheme name="coo_secure">
              <authentication-template>
                  form
              </authentication-template>
              <priority>40</priority>
              <frontendtype>2</frontendtype>
              <frontendtarget>com.sap.portal.runtime.logon.basicauthentication</frontendtarget>
          </authscheme>
          <authscheme name="basicauthentication">
              <authentication-template>
                  ticket
              </authentication-template>
              <priority>20</priority>
              <frontendtype>2</frontendtype>
              <frontendtarget>com.sap.portal.runtime.logon.basicauthentication</frontendtarget>
          </authscheme>
  The authscheme is called coo_secure. When a user clicks on the iviews with the coo_secure authscheme, a userid/pwd prompt pops up. But it does not accept whatever I type in. From the defaulttrace, I do not see any hint that our customized logon module was ever called.
  Is there anyway to turn on portal tracing to see what is going on?
  Thanks,
  Jonathan.

  Hi Jonathan,
  Did you solved the problem with the custom logon module?
  We have a very similar scenario. I followed below help site to implement a custom logon module for particular iviews.
  http://help.sap.com/saphelp_nw70/helpdata/EN/54/f91fba71ae48309e4267b4a36fa47b/frameset.htm
  and also the documentation:
  SAP Netweaver Developers Guide - Integrating Security Functions
  But I am not able to get my own custom login module with the custom authscheme running.
  If I access my specific IViews that requires additional custom authentication I get the portal login page again. After giving login data I get the error message:
  Java iView Runtime
  An exception occured while processing your request.
  If this situation persists, please contact your system administrator.
  If you solved your problem, can you please share the solution with me?
  Thanks,
  Regards,
  Yasar