Custom Authentication Issue with Policy Agent

Hi,
I have a custom authentication module which is hosted on the BEA application server, and I am trying to access it through the policy agent on Apache.
I have set the following property in AMAgent.properties file
com.sun.am.policy.am.loginURL= http://host:port/amserver/UI/Login
So when the user requests a protected resource, the policy agent forwards the user to Identity Server with the module as CustomLoginModule. After this, authentication succeeds and a user session is created, but I get the following error messages in the agent log file.
2004-10-19 16:20:26.908 Error 27620:e1140 PolicyEngine: am_policy_evaluate: InternalException in Service::construct_auth_svc with error message:Application authentication failed during service creation. and code:3
2004-10-19 16:20:26.908 128 27620:e1140 RemoteLog: User unknown was denied access to http://hostname:port/weblogic/protapp/protected/a.html.
2004-10-19 16:20:26.908 Error 27620:e1140 LogService: LogService::logMessage() loggedBy SSOTokenID is invalid.
2004-10-19 16:20:26.909 Error 27620:e1140 all: am_log_vlog() failed with status AM_REMOTE_LOG_FAILURE.
2004-10-19 16:20:26.909 -1 27620:e1140 PolicyAgent: URL Access Agent: access denied to unknown user
The necessary policy object is already created in Identity Server. Please send your suggestions to fix this problem.
Thanks
Neeraj

Hi Neeraj,
I still have not been able to resolve that issue. Let me know if you find a solution for the same.
Thanks,
Srinivas

Similar Messages

  • Custom login page with Policy Agent 2.2 & Access Manager

    Hi,
    I’m trying to set up policy agent 2.2 and Access Manager to use the login page of the application I’m trying to secure. I’m not sure if this is the correct forum or not so feel free to move this if need be.
    I’ve been using this link: http://docs.sun.com/source/816-6884-10/chapter3.html#wp25376 but it doesn’t seem to make sense.
    In my AMAgent.properties file I’ve set up
    com.sun.identity.agents.config.login.form[0]=/contextRoot/login/login.jsp to my login page and I’ve also configured the web.xml for that application to use the login:
         <login-config>
              <auth-method>FORM</auth-method>
              <form-login-config>
                   <form-login-page>/login/login.jsp</form-login-page>
                   <form-error-page>/login/login.jsp</form-error-page>
              </form-login-config>
         </login-config>
    When I try and access the login page I’m redirected to the default access manager login page. I did notice in the AMProperties.xml file the following line:
    com.sun.identity.agents.config.login.url[0] = http://amserverhost:80/amserver/UI/Login
    It seems like I should change that to point to my login page, but I didn’t see any documentation supporting that. When I change that property to point to the location of my login page, I get a redirect loop error.
    When I remove the com.sun.identity.agents.config.login.form[0] property altogether, I just get a resource restricted error.
    Now when I configure the com.sun.identity.agents.config.login.form[0] property, set config.login.url to my login page AND set the com.sun.identity.agents.config.notenforced.uri[0] property equal to my login page (so the login page is no longer protected), I am able to see the login page.
    Is unrestricting the login page correct? I’m able to access the login.jsp page directly, and when I try to access protected resources I’m redirected back to the login page, so everything seems to be working correctly, but I’m not sure if this is the correct way.

  • ACS 5.2 Authentication Issue with Local & Global ADs

    Hi, I am facing an authentication issue with ACS 5.2. Below is the AAA flow (EAP-TLS):
    - Wireless Users >> Cisco WLC >> ADs <-- everything OK
    - Wireless Users >> Cisco WLC >> ACS 5.2 >> ADs <-- problem
    Last time I tested with ACS, it worked, but we didn't do the migration as there would be changes from the ADs.
    Now my customer wants the ACS migration by creating a new group in AD, so I also updated the ACS config.
    For the user from the old group, authentication is OK.
    For the user from the new group, authentication fails with a "subject not found" error, showing the user is from the old group.
    It seems like ACS is querying old records (its own cache or database). I already restarted the ACS but still get the same error.
    Can anyone advise on how to troubleshoot the issue?
    Note: My customer can only access their local ADs (trusted by the Global ADs). The local ADs and ACS are in the same network, so ACS should go to the local AD first.
    How can we check or make sure of it?
    Thanks ahead,
    Ye

    Hello,
    There is an enhancement request open already:
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCte92062
    ACS should be able to query only desired DCs
    Symptom:
    Currently on 5.0 and 5.1, the ACS queries the DNS with the domain in order to get a list of all the DCs in the domain, and then tries to communicate with all of them. If the connection to even one DC fails, then the ACS connection to the domain is declared as failed. A lot of customers are asking for a change in this behavior.
    It should be possible to define which DCs to contact and/or make ACS interpret the DNS Resource Records registered by the Active Directory Domain Controller to facilitate the location of domain controllers. Active Directory uses service locator, or SRV, records. An SRV record is a new type of DNS record described in RFC 2782, and is used to identify services located on a Transmission Control Protocol/Internet Protocol (TCP/IP) network.
    Conditions:
    Domain with multiple DCs where some are not accessible from the ACS due to security/geographic constraints.
    Workaround:
    Make sure ALL DCs are UP and reachable from the ACS.
    At the moment, we cannot determine which Domain Controller in the AD the ACS will contact. The enhancement request will include a feature with which we can specify the appropriate Domain Controllers the ACS should contact in an AD Domain.
    Hope this clarifies it.
    Regards.

  • Problem: Protect Sun Web Proxy Server 4.0.5 with Policy Agent 2.2

    We are trying to protect the Sun Web Proxy Server 4.0.5 with policy agent 2.2 on a Solaris 10 machine.
    We are using Access Manager 7.1 along with Directory Server 6.2.
    We are trying to protect the web proxy console URL http://domain.example.com with that policy agent, so that when we hit the web proxy console URL
    it should take us to the Access Manager login page, i.e. http://abc.com/amserver.
    How can we achieve this? What changes are required in the AMAgent.properties file? Please suggest.

    Hi subho,
    The problem is fixed. I have uninstalled the policy agent and reinstalled it again. The problem I found is that we didn't stop the web proxy instance when installing the policy agent. Thanks for the reply.

  • Authentication issue with Xcelsius/Portal integration

    I am facing an issue with the way we have integrated our Xcelsius dashboard with our corporate portal. I know this probably is more of an SDK question than Administration, but I figured I will ask it here anyway since Tim and some others are diverse enough in their knowledge base. This might be a LONG post, but please advise if anyone has any good pointers.
    We have an Xcelsius dashboard that needs to be served up via our corporate intranet (based on MS Sharepoint 2007). Now we are NOT using the MS Sharepoint Portal Integration Kit, but just doing a basic integration of the SWF call within a web part on Sharepoint. All this means is that within a portlet (web-part) on Sharepoint, I am making a HTTP call to the openDocument URL to invoke the SWF file. So the SWF is actually served up from our Tomcat App Server, and displayed onto this frame within the portal. That is the basic idea.
    To achieve this, what I did was write some custom code using the Java SDK to modify the openDocument a little bit. By doing so, I was able to insert some behind-the-scenes-login code wherein no matter who the portal user (Win AD-based) is, he is logged in to BOE as a generic "dashboard-user" and the dashboard is served up. This worked fine for the first dashboard where all we had was SWF and some WebI linking using openDocument (no full-InfoView access).
    But in this second dashboard now, what we also have is a hyperlink for users to get to InfoView to do Ad-hoc reporting. What this does is open a child browser window from within the portal (dashboard) --- and it remembers the BOE session for the generic user id "dashboard-user" and logs the end-user in to InfoView using that. But what I actually want is that the end-users, on this new window, should only be prompted at the traditional InfoView logon screen where they can manually enter their Windows AD password and get in. Thus, I would like to keep the dashboard SWF page session separate from the InfoView ad-hoc session, which I cannot seem to do because of the browser relationship and session maintenance.
    I am trying to find a way where I can simulate a single sign-on for dashboard viewers on the portal, but at the same time let them jump off to InfoView as themselves.
    Any thoughts on how I can do this?
    Notes:
    We DO NOT have Single Sign-On enabled for InfoView
    We are using Windows AD authentication (manual, no SSO)
    We are on Tomcat

    Sarang Deshpande wrote:
    1) If the InfoView app on Tomcat (desktoplaunch) is configured with Vintela, openDocument calls from the portal will automatically work using behind-the-scenes SSO, correct?
    In XIR2 everything that falls under InfoView should SSO when InfoView is set up for SSO (not the case in XI 3.x).
    Sarang Deshpande wrote:
    2) What is the best practice when it comes to the service accounts needed? I have implemented Windows AD manual auth already, so I have a service account that I use for that. Should I be using the same one and making Vintela/SSO-specific changes to it, or should I have a separate Vintela service account and deal with two different ones, each for a different purpose?
    There is no best practice per se, but the fewer service accounts, the lower your chances of duplicating an SPN. Functionally everything seems to work just as well with multiple as it does with 1 (of course with 1 there is less management work). If you click the SSO link in my forum sticky post I have a section explaining this with some suggested methods of deploying service account(s).
    Sarang Deshpande wrote:
    3) Other than some minor browser configurations that might be required, is there anything else that I should communicate to the team about what might be required to be "pushed" to users' PCs?
    Using the default config, nothing should be required on the client machine (unless SSO has been disabled in the browser or you intend to use a URL that contains a period, i.e. FQDN or IP); with a hostname URL (the default) it should just work.
    To note, if you have XP SP2 or older there is a Microsoft SPNEGO bug; you may need to apply a fix if you aren't patched to SP3 (about 5% of our customers run into this).
    Regards,
    Tim

  • Urgent :Authentication fails for Policy Agent on weblogic 8 SP3

    Hi
    I am using the policy agent for perimeter authentication for an application deployed on WebLogic. When I try to access the application using any user which exists on Identity Server, I get the following exception in the amRealm log.
    09/20/2005 06:17:07:378 PM IST: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
    AmMappingRealm: authenticateAndFetchAllRoles amAdmin, ...) = []
    09/20/2005 06:17:07:378 PM IST: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
    WARNING: AmLoginModule.login() : Empty list of principals for user = amAdmin
    09/20/2005 06:17:07:379 PM IST: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
    AmLoginModule.abort()
    09/20/2005 06:17:12:505 PM IST: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
    AmLoginModule.authenticate() Initialized callback handler for Subject:
    09/20/2005 06:17:12:506 PM IST: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
    AmLoginModule.login()
    09/20/2005 06:17:12:506 PM IST: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
    AmLoginModule.login() : User name from Callback amAdmin
    09/20/2005 06:17:12:506 PM IST: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
    WARNING: SSOTokenValidator failed with exception
    [AgentException Stack]
    com.sun.identity.agents.arch.AgentException: Invalid transport string version
    at com.sun.identity.agents.util.TransportToken.initializeFromString(Unknown Source)
    at com.sun.identity.agents.util.TransportToken.<init>(Unknown Source)
    at com.sun.identity.agents.common.SSOTokenValidator.validate(Unknown Source)
    at com.sun.identity.agents.realm.AmMappingRealm.authenticateAndFetchAllRoles(Unknown Source)
    at com.sun.identity.agents.weblogic.AmLoginModule.login(Unknown Source)
    at weblogic.security.service.DelegateLoginModuleImpl.login(DelegateLoginModuleImpl.java:71)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:324)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
    at weblogic.security.service.PrincipalAuthenticator.authInternal(PrincipalAuthenticator.java:326)
    at weblogic.security.service.PrincipalAuthenticator.authenticate(PrincipalAuthenticator.java:279)
    at weblogic.servlet.security.internal.SecurityModule.checkAuthenticate(SecurityModule.java:389)
    at weblogic.servlet.security.internal.SecurityModule.checkAuthenticate(SecurityModule.java:296)
    at weblogic.servlet.security.internal.BasicSecurityModule.checkUserPerm(BasicSecurityModule.java:125)
    at weblogic.servlet.security.internal.SecurityModule.beginCheck(SecurityModule.java:199)
    at weblogic.servlet.security.internal.BasicSecurityModule.checkA(BasicSecurityModule.java:47)
    at weblogic.servlet.security.internal.ServletSecurityManager.checkAccess(ServletSecurityManager.java:145)
    at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:3568)
    at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:2630)
    at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:219)
    at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:178)
    09/20/2005 06:17:12:507 PM IST: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
    AmMappingRealm: authenticateAndFetchAllRoles amAdmin, ...) = []
    09/20/2005 06:17:12:507 PM IST: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
    WARNING: AmLoginModule.login() : Empty list of principals for user = amAdmin
    09/20/2005 06:17:12:507 PM IST: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
    AmLoginModule.abort()

    Hi,
    I have not set it up as a Windows service but can try to help. For one thing, this step is not permanent, and if it does not work then you can undo this step by re-editing the script to remove the line you added. This step has you change the BEA startup script for that domain to call the agent script setAgentEnv_AdminServer (it was copied into the BEA domain directory during installation of the agent), which just sets some agent resources in the classpath. If you start BEA and those things are not in the classpath etc. then the agent won't work. So no permanent damage; you can change it if it doesn't work.
    I suggest you try it out and start the BEA server as a service and see if it works; if not, try again.
    I am not sure what the Windows service would use to start the app server, but somehow it must specify some environment properties and things in its classpath, so if this script doesn't work then you can just do the things in the setAgentEnv_AdminServer script, like setting those things in the classpath.
    Please let us know if it works and if any extra steps are required. It would be helpful to others to know how to configure it as a Windows service.
    hth,
    Sean

  • Possible to deploy Dist Auth in the same web container with Policy Agent?

    I have a client who has limited hardware resources and wants to deploy the distributed authentication UI in the same web container as the policy agent. Has anyone successfully done this?

    I'm sure it's possible; just make sure the DAUI context (e.g. /distAuth) in the agent's configuration for the web server is in the not-enforced list properties for the agent.
    However, it's so easy just to put up an Apache HTTP server/Tomcat and run DAUI, then set up another web server (Sun, Apache, etc.) with an agent, or vice versa, and you don't have to worry about the agent clobbering DAUI.

  • SunONE Web Server 6.1 SP7 crashes with Policy Agent 2.2 plugin

    Recently we started facing glibc issues on our web servers and wanted to know if any of you have come across such issues on your setups.
    Setup Info:
    - OS is RHEL 4.0
    - Sun ONE Web Server 6.1SP7
    - Policy Agent 2.2
    When a user logs in to our application for the first time, the policy agent on our web server intercepts the request and redirects to the AM SSO server's login page for authentication. Before redirecting the request, the policy agent preserves the request (POST data) on our web server and then redirects the request to the SSO server. After the user is authenticated on the SSO server, the SSO server redirects the request back to our web server, and the policy agent now tries to fetch the preserved POST data for the user, where it fails (see errors below), and then the user gets a 'page cannot be displayed' error in the browser. Internally, the SJSWS crashes and gets restarted :(
    From logs:
    [29/Apr/2008:06:32:48] warning (13856): CORE3283: stderr: 2008-04-29 06:32:48.163 Warning 13856:897a4b8 ServiceEngine: Service::getPolicyResult():Result size is 0,tree not present for https://server1.gft.com:443/dummypost/sunpostpreserve2008-04-2906:31:50.311
    [29/Apr/2008:06:32:48] warning (13856): CORE3283: stderr: *** glibc detected *** free(): invalid pointer: 0x08265670 ***
    [29/Apr/2008:06:32:48] warning (13856): CORE3283: stderr: 2008-04-29 06:32:48.529 Warning 13856:897a4b8 ServiceEngine: Service::getPolicyResult():No passwd value in session response.
    [29/Apr/2008:06:32:48] catastrophe (13856): CORE3260: Server crash detected (signal SIGSEGV)
    [29/Apr/2008:06:32:48] info (13856): CORE3261: Crash occurred in NSAPI SAF service-j2ee
    [29/Apr/2008:06:32:48] failure (13107): CORE3107: Child process closed admin channel
    (At this point the SJSWS gets restarted)
    This issue is not always reproducible though!
    Appreciate your help on debugging this.

    Hi...
    Just a guess: try looking into the details of this bug; it may be helpful.
    http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6299862

  • Protecting a REST web service with Policy Agent

    I have deployed a REST web service in Glassfish using Jersey Annotations. A UI in the same Glassfish instance is protected by a policy agent that forces users through a login page. I would like to protect the REST web service with BASIC Authentication using the same policy agent. Is this possible? Is there supporting documentation?

    Hi Daniel,
    When you publish a message through REST, I hope your RESTful service will receive/process the posted message?
    So
    YourBizTalk -->(Post Message to)-->RestFulService
    From the error message, "the published message could not be routed because no subscribers were found.", it seems like this RESTful service is a wrapper (or service interface) for BizTalk at the client end (where the message has been posted through REST), the actual posted message is "processed" by BizTalk, and the error "" is from BizTalk "after" REST. This message says the message you posted through REST has not found a subscription at their end.
    So
    YourBizTalk -->(Post Message to)-->RestFulService -->Clients'BizTalk.
    Here the problem is at Clients'BizTalk, as shown, where the message posted to their BizTalk is not processed because no subscription has been found.
    If this answers your question please mark it accordingly. If this post is helpful, please vote as helpful by clicking the upward arrow mark next to my reply.

  • "Unable to load IAmWebPolicy" with Policy Agent 2.2 on Sun App Server 8.2

    I'm trying to install the Policy Agent for App Server 9.0/9.1 to App Server 8.2 (which claims to be supported). Identity Manager is the target resource. I get this when I try accessing the /idm root context:
    Exception caught in AmWebPolicyManager initializer: Unable to load IAmWebPolicy: com.sun.identity.agents.policy.AmWebPolicy
         at com.sun.identity.agents.policy.AmWebPolicyManager.<clinit>(AmWebPolicyManager.java:135)
    Thanks,
    Steve Maring

    You were absolutely correct
    I've resolved this issue - the problem was caused by two things:
    1. There is a new version of a library called libxml2.so that I had to get from Sun (they provided version 2.6.7)
    2. My web server with the agent on it is on a separate box from the identity server. These two servers were out of sync in terms of their system time (i.e., the Solaris box with the agent / web server was about 8 minutes ahead of the Solaris box with the identity server).
    Once both of these things were fixed (the time issue most importantly), the web server would not hang anymore.

  • Authentication issue with 4.1

    We are using a custom authentication scheme. It calls the authentication API to authenticate against Active Directory.
    It is working in multiple APEX applications in APEX version 3.2. We created a new install of 4.1 and imported the apps from 3.2.
    I can't get this authentication to work in 4.1. Here is the code that works in 3.2 but not in 4.1.
    This code is in the login process of page 101.
    The error message I get is Invalid Login Credentials.
    I have created the application at the Oracle hosted site. id/pwd: guest/Lock01$
    Of course, for simplicity, all the code does is emulate how I am logging in at the 3.2 install. All other code has not been copied over. This application works on our 3.2 install but not 4.1! Help!
    declare
        b_result boolean := false;
        c_result boolean := false;
        d_result boolean := false;
    begin
        -- :IS_ADMIN_USER := 0;
        -- :IS_IE_USER := 0;
        :USERNAME := :P101_USERNAME;
        :PASSWORD := :P101_PASSWORD;
        -- for security reasons I commented out the server and base domain info in this call.
        b_result := LDAP2.AUTHENTICATE_ADUSER(:P101_USERNAME, :P101_PASSWORD, :P101_DOMAIN, '#####.####.com', 'DC=####,DC=####,DC=com');
        if (b_result = true) then
            -- I know that the session is valid as I displayed a message if it was valid, to be sure.
            if APEX_CUSTOM_AUTH.IS_SESSION_VALID then
                -- this was the old way in 3.2 that worked but doesn't in 4.1
                -- wwv_flow_custom_auth_std.post_login(
                --     P_UNAME => :USERNAME,
                --     P_PASSWORD => :PASSWORD,
                --     P_SESSION_ID => v('APP_SESSION'),
                --     P_FLOW_PAGE => :APP_ID||':1'
                -- I tried this in 4.1 but it still doesn't work
                APEX_CUSTOM_AUTH.POST_LOGIN (
                    p_uname      => :USERNAME,
                    p_session_id => V('APP_SESSION'),
                    p_app_page   => :APP_ID||':1');
            end if;
        else
            owa_util.redirect_url('f?p=&APP_ID.:&LOGIN_PAGE.:&SESSION.');
            apex_util.set_session_state('LOGIN_MESSAGE', 'Your ID or PASSWORD is incorrect. Please try again.');
        end if;
        -- :PASSWORD := null;
    end;
    Edited by: ashalon on Mar 16, 2012 11:23 AM
    Edited by: ashalon on Mar 16, 2012 11:25 AM
    Edited by: ashalon on Mar 16, 2012 12:20 PM
    Edited by: ashalon on Mar 16, 2012 3:46 PM

    Hi ashalon,
    Login processing normally calls the authentication scheme's login handler (aka authentication function). In many cases, this is done in a submit process on an Apex login page, that calls
    apex_authentication.login (
        p_username => :P101_USERNAME,
        p_password => :P101_PASSWORD );
    This procedure (and its variants, like wwv_flow_custom_auth_std.login) causes the Apex engine to
    1. run the authentication scheme's pre-authentication procedure
    2. pass username and password to the authentication scheme's authentication function, which should return true or false, depending on whether the credentials are valid
    3. if true: run the post-authentication procedure
    4. if true: save the username in session state
    5. if true: prepare a redirect URL to the deep link (i.e. the page that triggered login)
    6. if false: prepare a redirect URL to the login page with a notification_msg that contains the error
    7. log success/failure of the login attempt
    8. generate a new session cookie
    9. perform the redirect
    The exact order and technical details of these steps may vary from Apex version to version.
    The authentication function (2.) can check against the workspace users table (Apex authentication), the database, an LDAP repository, or you can build your own.
    Some authentication schemes rely on external mechanisms to check the credentials and a defined way for these to pass the username back to the authentication scheme. SSO does this in a very special way; the header-based authentication scheme simply relies on an HTTP header variable to transport the username. These authentication schemes never run 1. and 2. from above, but simply accept the username and run 3. to 9. This behaviour is exposed with the post_login procedure.
    Your authentication scheme is interesting. It piggybacks on the Apex authentication scheme, but de facto uses nothing of it. The submit process on the login page checks LDAP credentials and then runs post_login if the check was successful. You could surely rewrite this as a custom authentication, although the authentication function would have to rely on v('P101_DOMAIN') in addition to the username and password that get passed to it by default. Whether the rewrite makes sense is up to you, of course. If you are comfortable with this authentication, stick to it. But it probably would be much easier to understand for others, and also easier to reuse in other apps, if the LDAP credential checking was in the authentication scheme.
    Regards,
    Christian
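    The nine-step login flow described in the reply above, walked through as an added Python example (this is not APEX code and not Christian's or Oracle's; the user store, salt, page URLs and Session object are constructed stand-ins). It shows the two entry points side by side: login, which runs steps 1-9, and post_login, which accepts a username verified elsewhere and runs only 3-9. Both paths end with the same tail, so the failure branch also logs and issues a fresh session cookie rather than keeping the pre-login one.

```python
"""Walk-through of the APEX-style login flow (added example, not APEX code).

Everything here is a stand-in: the user store, the salt, the page URLs and the
Session object are constructed for the demo and are assumptions, not APEX APIs.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import quote

LOGIN_PAGE = "/f?p=100:101"          # assumed login page URL of the app
_SALT = b"constructed-demo-salt"     # constructed; a real store salts per user


def _hash(password: str) -> str:
    """Salted SHA-256 hex digest (demo stand-in for a proper password hash)."""
    return hashlib.sha256(_SALT + password.encode("utf-8")).hexdigest()


# Constructed user table: username -> stored password hash.
USERS = {"alice": _hash("correct horse")}


@dataclass
class Session:
    """Minimal session state: who is logged in, the cookie, and an audit log."""
    username: Optional[str] = None
    cookie: str = ""
    log: List[str] = field(default_factory=list)


def authentication_function(username: str, password: str) -> bool:
    """Step 2: return True/False for the supplied credentials.

    The digest comparison is constant-time and is performed even for unknown
    users, so timing does not distinguish 'no such user' from 'wrong password'.
    """
    candidate = _hash(password)
    stored = USERS.get(username, "0" * 64)      # dummy digest for unknown users
    matches = hmac.compare_digest(candidate, stored)
    return matches and username in USERS


def post_authentication(session: Session, username: str) -> None:
    """Step 3 hook: runs only once the credentials have been accepted."""
    session.log.append(f"post_auth user={username}")


def _finish(session: Session, entry: str, redirect: str) -> str:
    """Steps 7-9, shared by success and failure: log, rotate cookie, redirect."""
    session.log.append(entry)                        # 7: log the attempt
    session.cookie = secrets.token_urlsafe(32)       # 8: fresh cookie, never reuse the old one
    return redirect                                  # 9: the caller performs the redirect


def _accept(session: Session, username: str, deep_link: str) -> str:
    """Steps 3-5 for a verified username, followed by the shared tail."""
    post_authentication(session, username)           # 3
    session.username = username                      # 4: save username in session state
    return _finish(session, f"login success user={username}", deep_link)  # 5: deep link


def login(session: Session, username: str, password: str, deep_link: str) -> str:
    """Steps 1-9: the normal login-page submit."""
    if authentication_function(username, password):  # 1-2: credentials checked here
        return _accept(session, username, deep_link)
    failure_url = f"{LOGIN_PAGE}&notification_msg={quote('Invalid Login Credentials')}"  # 6
    return _finish(session, f"login failure user={username}", failure_url)


def post_login(session: Session, username: str, deep_link: str) -> str:
    """Steps 3-9 only: an external mechanism (SSO, HTTP header) has already
    verified the user and hands over just the username, as post_login does."""
    return _accept(session, username, deep_link)


if __name__ == "__main__":
    s = Session()
    print(login(s, "alice", "correct horse", "/f?p=100:5"), s.username, s.log)
    print(login(Session(), "alice", "nope", "/f?p=100:5"))
```

    Note that post_login trusts its caller completely: whatever checked the credentials upstream (the LDAP lookup in the login-page process, an SSO agent, a header) is the real authentication, which is exactly why the reply suggests moving that check into the authentication function itself.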

  • Custom authentication issue

    Good Afternoon,
    I am trying to add some code to a custom authentication routine to allow for tracking in the APEX-supplied logs. Currently the authentication code processes the login attempt and either allows access or returns the user back to the login page with an error message in case they entered an invalid username/password.
    I had added in each case the required two lines of code:
    APEX_UTIL.SET_CUSTOM_AUTH_STATUS('Test Message.. Ignore Me')
    APEX_UTIL.SET_AUTHENTICATION_RESULT(1) (Just as a test, will use more accurate values later)
    Now when I login with a non-existent user it logs it as a successful login, with NO custom text loaded...
    Can anyone suggest an idea here, other than using a custom logging table?
    Thank you,
    Tony Miller
    Webster, TX

    Hi,
    I did test setting item session state, and it works OK for me.
    At first I forgot to create that item, which is when there were errors in my test.
    Do you have some computations or validations in the login page? Any application process that might run?
    Or do you have any Page Sentry Function, Session Verify Function or Pre-Authentication Process in the authentication scheme?
    What is your Session Not Valid setting in the authentication scheme?
    Have you tested your code on apex.oracle.com?
    Br, Jari
    Edited by: jarola on Apr 16, 2010 9:25 AM
    I did more tests.
    If you try to log in with some user name and password at
    http://apex.oracle.com/pls/otn/f?p=12444
    Then you can try to log in with user EXPIRED and password test.
    To see the access log, log in with user ACTIVE and password test.
    Then go to page 10 and you can see the access log
    http://apex.oracle.com/pls/otn/f?p=12444:10
    My auth function is

    create or replace
    function custom_auth_2 (p_username in VARCHAR2, p_password in VARCHAR2)
    return BOOLEAN
    is
      l_password varchar2(4000);
      l_stored_password varchar2(4000);
      l_expires_on date;
      l_count number;
      -- Codes passed to APEX_UTIL.SET_AUTHENTICATION_RESULT:
      --   0  AUTH_SUCCESS
      --   1  AUTH_UNKNOWN_USER
      --   2  AUTH_ACCOUNT_LOCKED
      --   3  AUTH_ACCOUNT_EXPIRED
      --   4  AUTH_PASSWORD_INCORRECT
      --   5  AUTH_PASSWORD_FIRST_USE
      --   6  AUTH_ATTEMPTS_EXCEEDED
      --   7  AUTH_INTERNAL_ERROR
    begin
      -- First, check to see if the user is in the user table
      select count(*) into l_count from demo_users where user_name = p_username;
      if l_count > 0 then
        -- First, we fetch the stored hashed password & expire date
        select password, expires_on into l_stored_password, l_expires_on
          from demo_users where user_name = p_username;
        -- Next, we check to see if the user's account is expired
        -- If it is, return FALSE
        if l_expires_on > sysdate or l_expires_on is null then
          -- If the account is not expired, we have to apply the custom hash
          -- function to the password
          l_password := custom_hash(p_username, p_password);
          -- Finally, we compare them to see if they are the same and return
          -- either TRUE or FALSE
          if l_password = l_stored_password then
            APEX_UTIL.SET_CUSTOM_AUTH_STATUS('SUCCEEDED');
            APEX_UTIL.SET_AUTHENTICATION_RESULT(0);
            return true;
          else
            APEX_UTIL.SET_CUSTOM_AUTH_STATUS('WRONG_PASSWORD');
            APEX_UTIL.SET_AUTHENTICATION_RESULT(4);
            APEX_UTIL.SET_SESSION_STATE('LOGIN_MESSAGE','You have entered invalid Username or Password');
            return false;
          end if;
        else
          APEX_UTIL.SET_CUSTOM_AUTH_STATUS('ACCOUNT_EXPIRED');
          APEX_UTIL.SET_AUTHENTICATION_RESULT(3);
          APEX_UTIL.SET_SESSION_STATE('LOGIN_MESSAGE','Your account has been locked');
          return false;
        end if;
      else
        -- The username provided is not in the DEMO_USERS table
        APEX_UTIL.SET_CUSTOM_AUTH_STATUS('USER_NOT_FOUND');
        APEX_UTIL.SET_AUTHENTICATION_RESULT(1);
        APEX_UTIL.SET_SESSION_STATE('LOGIN_MESSAGE','You have entered invalid Username or Password');
        return false;
      end if;
    end;

    I have application item LOGIN_MESSAGE and in the login page I did also create a before header process.

    APEX_APPLICATION.G_NOTIFICATION := :LOGIN_MESSAGE;
    :LOGIN_MESSAGE := NULL;

    To show that item message in the notification. It does not affect how auth works.
    It seems to work OK

  • FD32 - Customer credit, Issue with mass update of "TITLE OF NOTE" field

    Hi All,
    We have a requirement for mass upload of credit master records. I am facing an issue with creation/populating of the Title of note field. When we go directly to the FD32 transaction we have a button "Services for Object" near the title of the second screen of FD32 through which we can create a title of note (SOOD-OBJDES), but when we go to FD32 through SHDB for BDC recording, that option is not found.
    Any idea on how to handle mass update for that field?
    Dhareppa

    Hi,
      You can use function module 'SGOS_NOTE_CREATE' to create a note after you create the customer credit limit through SHDB for BDC recording. It is going to be a separate program.
      Function Module Parameters:
      IS_OBJECT-OBJKEY = customer no + credit control  area. --> ex. 20000000140001
      IS_OBJECT-OBJTYPE = BUS1010
      IP_TITLE = Your title
      IT_CONTENT = your note content.
    Cheers,
    Chaiphon

  • Reverse meaning of "notenforced" with policy agent 1.2

    Is it possible to reverse the meaning of the "notenforced" variable in the AMAgent.properties file for the policy agent 1.2?
    I know this is possible with the 2.0 agent, but I need to use 1.2.
    How else would one go about not protecting anything on a website except for specific resources? I would think that many websites prefer to be totally open and anonymous except for in a few places.
    Any suggestions are appreciated. Cheers.

    Hi,
    It seems that your agent installation had some problems.
    1)
    I would suggest that you first check the installation logs:
    Installation Logs: During installation, all the activity is stored in a special set of log files. Look inside the j2ee_agents\appserver_v9_agent\logs\debug\Agent.log file (and also in the j2ee_agents\appserver_v9_agent\logs\audit\install.log file) to see all the activity that is logged during installation. Check for any exceptions or unsuccessful installation messages.
    Are there any problems in the installation log?
    2) What app server version download are you using? Are you using the Java EE 5 SDK download bundle that has a bunch of things including GlassFish server, ESB, and also Access Manager 7? If so, then this bundle can cause problems since it also includes Access Manager 7.1 (AM7.1, the previous version of OpenSSO) pre-installed, which means that each domain is already altered to include references to AM7.1 in its domain configuration files, and this causes clashes when the agent is also installed on these domains. If you are using this, then maybe first try a download of GlassFish that does not have all these things bundled and pre-installed.
    hth,
    Sean

  • SMTP relay authentication issue with DynDNS MailHop Outbound

    Hi,
    I'm trying to use the SMTP relay functionality of my OS X Server but I get the following log message:
    Apr 4 21:40:21 mydomain postfix/smtp[7629]: 4EE3686F529: to=<xxxx@xxxxx>, relay=outbound.mailhop.org[204.13.248.71]:465, delay=140731, delays=140130/0.06/600/0, dsn=4.4.2, status=deferred (conversation with outbound.mailhop.org[204.13.248.71] timed out while receiving the initial server greeting)
    I configured the relay settings in Server Admin for host outbound.mailhop.org:465 and added my DynDNS username and password.
    I would appreciate it if someone could help me figure out what I'm missing.
    Thanks

    If you're getting a 550 error then it indicates an issue with the SMTP server you're using / how you're connecting to it. Either the mail server you've got configured for SMTP isn't set up to handle email for you, or in addition to setting the server address in the SMTP settings, you also need to configure authentication on the email accounts. In the account settings you need to select More settings (I think, I don't have an Outlook 2007 copy to check on), then you'll see an Outgoing Server tab, within which you can configure the required authentication. It will either be the same as the POP3 login, in which case you can select "Use same settings as my incoming mail server", or if they're different you can enter the specific details that are required to send.
