Custom authentication methods
During the deployment of web application, you use the deployment descriptor to "tell" the browser how to retrieve user information. Therefor the <auth-method> is specified. Normally you use something like BASIC or FORM authentication.
Is there a way to provide an own implementation of such an authentication method?
Lets say you would like to create some kind of advanced authentication method called ADV_FORM to perform something like form authentication but with additional or other parameters on the logon web page...
Can this be done without being some kind of god like Sun Microsystems core development team?
Does anyone know some references for this matter?
Any suggestion would be appreciated.
Kurt
Large static groups have always been a performance issue. While there is some [tuning |http://blogs.sun.com/DirectoryManager/entry/the_truth_about_nsslapd_search] that was introduced for DS 5.x to help with some specific search related problems, I can't guarantee that this will resolve the issue entirely.
Similar Messages
-
Custom Authenticator not returning correctly
Hi,
I have written a custom authenticator to automatically migrate users from an oracle
SSO database into the default WLS8.1 realm (and ultimately to an LDAP Realm).
It all works fine, except that the over all login process fails.
The server is set up to use the default Authenticator initially (set to SUFFICIENT),
then, if this fails, the Migration authenticator (set to REQUIRED) is called.
If this finds the user on the Oracle db, it creates a user for them in the default
realm, and logs them in.
The problem is that even though my Migration Authenticator finishes successfully
(ie the commit() method is executed and returns true) WLS still calls the login
error page as set up in the web.xml file.
The last few lines of the login() method of the authenticator are :
loginSucceeded = true;
addUserToWLSRealm(userId, userPassword);
principalsForSubject.add(new WLSUserImpl(userId));
then the commit() method is :
public boolean commit() throws LoginException {
if(loginSucceeded) {
subject.getPrincipals().addAll(principalsForSubject);
principalsInSubject = true;
System.out.println("OracleSSOLoginModule.commit - true");
return true;
} else {
System.out.println("OracleSSOLoginModule.commit - false");
return false;
If the user then tries to log in again, since they have been added to the WLS
realm, they are let in, but it should happen on the first attempt.
Any Ideas...?
TIA
Paul"Paul Davies" <[email protected]> wrote in message
news:3f4f37b3$[email protected]..
>
Hi,
I have written a custom authenticator to automatically migrate users froman oracle
SSO database into the default WLS8.1 realm (and ultimately to an LDAPRealm).
It all works fine, except that the over all login process fails.
The server is set up to use the default Authenticator initially (set toSUFFICIENT),
then, if this fails, the Migration authenticator (set to REQUIRED) iscalled.
If this finds the user on the Oracle db, it creates a user for them in thedefault
realm, and logs them in.
The problem is that even though my Migration Authenticator finishessuccessfully
(ie the commit() method is executed and returns true) WLS still calls thelogin
error page as set up in the web.xml file.
Turn on security debugging and see if you are getting a login exception
in the debug output - set the DebugSecurityAtn attribute in the ServerDebug
mbean. -
New server and/or CA certificate for connection from custom authentication
We are running Access Manager version 72005Q4 in the Sun ONE Web Server 6.1SP5 B06/23/2005 container with java build 1.5.0_07-b03. I run a custom authentication module which checks sessions against our university single sign on system which is CAS (from Yale/Jasig). The checks are essentially https calls. All this has been working well for us for the last couple of years.
I would like to migrate the certificate used on the university CAS system from a Verisign certificate to a wildcard certificate issued by the IPS CA in spain -- these are in most browsers but are not in the standard batch of cacerts CA's -- and are free for .edu domains.
My other java based authentication plugins (Blackboard, custom apps etc) have worked fine once I import the certificate into the cacerts for the java container, but I'm missing something (obvious probably) about importing this certificate so that my amserver custom authentication module can connect to the CAS server once the CAS server is using the new certificate.
Could anyone provide guidance on where I need to import this server certificate (or preferably the IPS CA) in order to allow the custom authentication module to work properly? I assume this same problem has been solved by people wishing to connect from the amserver to services with self signed certificates. For some reason I'm finding the debugging unexpectedly difficult, I'll outline some of those details below.
Relevant things I've tried so far:
Import both the server cert and the IPS CA into the cacerts of the java container identified in the web server server.xml /usr/jdk/entsys-j2se.
Import the IPS CA into the web server cert8 style db via the web admin server.
The debugging has surprised me a bit, as I'm not getting an error that is explicitly SSL related error. It almost seems like the URLConnection object ends up using a HttpURLConnection rather than an HttpsURLConnection and never gives me a cert error, rather a connection refused since there is no non SSL service running on CAS. The same code pointed to the server running the verisign cert works as expected.
Part of the stack:
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: java.net.ConnectException: Connection refused
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at java.net.PlainSocketImpl.socketConnect(Native Method)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at java.net.PlainSocketImpl.doConnect(PlainSocketImpl.java:333)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at java.net.PlainSocketImpl.connectToAddress(PlainSocketImpl.java:195)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:182)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at java.net.Socket.connect(Socket.java:516)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at java.net.Socket.connect(Socket.java:466)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.NetworkClient.doConnect(NetworkClient.java:157)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.http.HttpClient.openServer(HttpClient.java:365)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.http.HttpClient.openServer(HttpClient.java:477)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.http.HttpClient.<init>(HttpClient.java:214)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.http.HttpClient.New(HttpClient.java:287)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.http.HttpClient.New(HttpClient.java:311)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.protocol.http.HttpURLConnection.setNewClient(HttpURLConnection.java:489)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.protocol.http.HttpURLConnection.setNewClient(HttpURLConnection.java:477)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.protocol.http.HttpURLConnection.writeRequests(HttpURLConnection.java:422)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:937)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at edu.yale.its.tp.cas.util.SecureURL.retrieve(Unknown Source)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at edu.yale.its.tp.cas.client.ServiceTicketValidator.validate(Unknown Source)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at edu.fsu.ucs.authentication.providers.CASAMLoginModule.process(CASAMLoginModule.java:86)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at com.sun.identity.authentication.spi.AMLoginModule.wrapProcess(AMLoginModule.java:729)
The relevent bit of code from the SecureURL.retrieve looks as follows:
URL u = new URL(url);
if (!u.getProtocol().equals("https"))
throw new IOException("only 'https' URLs are valid for this method");
URLConnection uc = u.openConnection();
uc.setRequestProperty("Connection", "close");
r = new BufferedReader(new InputStreamReader(uc.getInputStream()));
String line;
StringBuffer buf = new StringBuffer();
while ((line = r.readLine()) != null)
buf.append(line + "\n");
return buf.toString();
} finally { ...
The fact that this same code in other authentication modules running outside the amserver (in other web containers as well, tomcat and resin for example) running java 1.5 works fine with the new CA, as well as with self signed certs that I've imported into the appropriate cacerts file leads me to believe that I'm either importing the certificate into the wrong store, or that there is some additional step needed for the amserver in the Sun Web container.
Thank you very much for any insights and help,
EthanI thought since this has had a fair number of views I would give an update.
I have been able to confirm that the custom authentication module is using the cert8 db defined in the AMConfig property com.iplanet.am.admin.cli.certdb.dir as documented. I do seem to have a problem using the certificate to make outgoing connections, even though the certificate verifies correctly for use as a server certificate. This is likely a question for a different forum, but just to show what I'm looking at:
root@jbc1 providers#/usr/sfw/bin/certutil -V -n "FSU Wildcard Certificate" -d /opt/SUNWwbsvr/alias -P https-jbc1.ucs.fsu.edu-jbc1- -u V
certutil: certificate is valid
root@jbc1 providers#/usr/sfw/bin/certutil -V -n "FSU Wildcard Certificate" -d /opt/SUNWwbsvr/alias -P https-jbc1.ucs.fsu.edu-jbc1- -u C
certutil: certificate is invalid: Certificate type not approved for application.
root@jbc1 providers#/usr/sfw/bin/certutil -M -n "FSU Wildcard Certificate" -d /opt/SUNWwbsvr/alias -P https-jbc1.ucs.fsu.edu-jbc1- -t uP,uP,uP
root@jbc1 providers#/usr/sfw/bin/certutil -V -l -n "FSU Wildcard Certificate" -d /opt/SUNWwbsvr/alias -P https-jbc1.ucs.fsu.edu-jbc1- -u C
FSU Wildcard Certificate : Certificate type not approved for application.
So it could be that I don't understand how to use the certutiil to get the permissions I want, or it could be that using the same certificate for both server and client functions is not supported -- though you can see why this would be a common case with wildcard certificates.
BTW for those interested, it did seem to be the case that when the certificate failure occurred that the attempt was then made by the URLConnection to bind to port 80 in cleartext even though the URL was clearly https. I'm sure this was just an attempt to help out misformed URL, but it seemed that the URLConnection implementation in the amserver would swapped traffic over cleartext if that port had been open on the server I was making the https connection to; that seems dangerous to me, I would not have wanted it to quietly work that way exposing sensitive information to the network.
This was why I was getting back a connection refused instead of a certificate exception. The URLConnection implementation used by the amserver is defined by java.protocol.handler.pkgs=com.iplanet.services.comm argument passwd to the JVM, and I imagine this is done because the amserver pre-dates the inclusion of the sun.net.www.protocol handlers, but I don't know, there maybe reasons why the amserver wants it own handler. I only noticed that this is what was going on when I as casting the httpsURLConnection objects to other types trying to diagnose the certificate problem. I would be interested in hearing if anyone knows if there is a reason not to use sun.net.www.protocol with the amserver.
After switching to the sun.net.www.protocol handler I was able to get my certificate errors rather than the "Connection Refused" which is what lead me to the above questions about certutil. -
Custom Authenticator WL startup exception
Hi, I am using Weblogic 9.2 on Linux and have created an example custom authenticator.
I have followed several suggested method for creation/deployment, but still am having a exception upon startup and hoping someone could help.
from a previous post I have used the below instructions and have deployed the jar in $WL_HOME/server/lib/mbeantypes
$WL_HOME/server/providers: This is the base Directory for Customer security Provider.
$WL_HOME/server/providers/src This is the directory for the Source Code.
$WL_HOME/server/providers/providersjar This is the directory for the Custom Provider Jar file .
$WL_HOME/server/providers/created_files This is the Directory for the created schema file by Mbean maker.
After having the directory structure as mentioned above run the command as below:
cd $WL_HOME/server
$WL_HOME/samples/domains/wl_server/setExamplesEnv.sh
java -Dfiles=providers/created_files -DMDF=providers/src/MyAuthenticator.xml -DMJF=providers/providersjar/MyAuthenticator.jar -DpreserveStubs=true -DcreateStubs=true weblogic.management.commo.WebLogicMBeanMakerStarted the WL server with the following exception:
starting weblogic with Java version:
java version "1.5.0_12"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_12-b04)
BEA JRockit(R) (build R27.4.0-90_CR358515-94243-1.5.0_12-20080118-1154-linux-ia32, compiled mode)
Starting WLS with line:
/home/A470231/bea/jrockit_150_12/bin/java -jrockit -Xms256m -Xmx512m -Xverify:none -Xverify:none -da -Dplatform.home=/home/A470231/bea/weblogic92 -Dwls.home=/home/A470231/bea/weblogic92/server -Dwli.home=/home/A470231/bea/weblogic92/integration -Dweblogic.management.discover=true -Dwlw.iterativeDev= -Dwlw.testConsole= -Dwlw.logErrorsToConsole= -Dweblogic.ext.dirs=/home/A470231/bea/patch_weblogic923/profiles/default/sysext_manifest_classpath -Dweblogic.configuration.schemaValidationEnabled=false -Dweblogic.Name=examplesServer -Djava.security.policy=/home/A470231/bea/weblogic92/server/lib/weblogic.policy weblogic.Server
<Aug 2, 2010 1:14:57 PM EDT> <Notice> <WebLogicServer> <BEA-000395> <Following extensions directory contents added to the end of the classpath:
/home/A470231/bea/weblogic92/platform/lib/p13n/p13n-schemas.jar:/home/A470231/bea/weblogic92/platform/lib/p13n/p13n_common.jar:/home/A470231/bea/weblogic92/platform/lib/p13n/p13n_system.jar:/home/A470231/bea/weblogic92/platform/lib/wlp/netuix_common.jar:/home/A470231/bea/weblogic92/platform/lib/wlp/netuix_schemas.jar:/home/A470231/bea/weblogic92/platform/lib/wlp/netuix_system.jar:/home/A470231/bea/weblogic92/platform/lib/wlp/wsrp-common.jar>
<Aug 2, 2010 1:14:58 PM EDT> <Info> <WebLogicServer> <BEA-000377> <Starting WebLogic Server with BEA JRockit(R) Version R27.4.0-90_CR358515-94243-1.5.0_12-20080118-1154-linux-ia32 from BEA Systems, Inc.>
<Aug 2, 2010 1:14:59 PM EDT> <Info> <Management> <BEA-141107> <Version: WebLogic Server 9.2 MP3 Mon Mar 10 08:28:41 EDT 2008 1096261 >
<Aug 2, 2010 1:15:03 PM EDT> <Info> <WebLogicServer> <BEA-000215> <Loaded License : /home/A470231/bea/license.bea>
<Aug 2, 2010 1:15:03 PM EDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STARTING>
<Aug 2, 2010 1:15:03 PM EDT> <Info> <WorkManager> <BEA-002900> <Initializing self-tuning thread pool>
<Aug 2, 2010 1:15:04 PM EDT> <Notice> <Log Management> <BEA-170019> <The server log file /home/A470231/bea/weblogic92/samples/domains/wl_server/servers/examplesServer/logs/examplesServer.log is opened. All server side log events will be written to this file.>
*****************SERVICE:>com.bea.common.security.internal.legacy.helper.CredentialMappingServiceConfigHelper_TestRealm<
*****************SERVICE:>weblogic.security.service.internal.ApplicationVersioningServiceConfigHelper_TestRealm<
*****************SERVICE:>com.bea.common.security.internal.legacy.helper.BulkRoleMappingServiceConfigHelper_TestRealm<
*****************SERVICE:>com.bea.common.security.internal.legacy.helper.BulkAuthorizationServiceConfigHelper_TestRealm<
*****************SERVICE:>com.bea.common.security.internal.legacy.helper.RoleMappingServiceConfigHelper_TestRealm<
*****************SERVICE:>weblogic.security.service.internal.RoleDeploymentServiceConfigHelper_TestRealm<
*****************SERVICE:>weblogic.security.service.internal.ApplicationVersioningServiceConfigHelper_TestRealm<
*****************REALM:TestRealm
*****************ProviderMBean length:2
*****************ProviderMBean[0]weblogic.security.providers.authorization.DefaultAuthorizerMBeanImpl@a27aaa68([wl_server]/SecurityConfiguration[wl_server]/Realms[TestRealm]/Authorizers[DefaultAuthorizer])
*****************ProviderMBean[1]weblogic.security.providers.authorization.DefaultAdjudicatorMBeanImpl@c6697d45([wl_server]/SecurityConfiguration[wl_server]/Realms[TestRealm]/Adjudicator[DefaultAdjudicator])
*****************SERVICE:>com.bea.common.security.internal.legacy.helper.AuthorizationServiceConfigHelper_TestRealm<
*****************SERVICE:>weblogic.security.service.internal.PolicyDeploymentServiceConfigHelper_TestRealm<
*****************SERVICE:>weblogic.security.service.internal.IsProtectedResourceServiceConfigHelper_TestRealm<
*****************SERVICE:>weblogic.security.service.internal.ApplicationVersioningServiceConfigHelper_TestRealm<
*****************SERVICE:>weblogic.security.service.internal.RoleConsumerServiceConfigHelper_TestRealm<
<Aug 2, 2010 1:15:07 PM EDT> <Critical> <WebLogicServer> <BEA-000362> <Server failed. Reason:
There are 1 nested errors:
weblogic.security.service.SecurityServiceRuntimeException: [Security:090877]Service Common AuthorizationService unavailable, see exception text: com.bea.common.engine.ServiceInitializationException: com.bea.common.engine.SecurityServiceRuntimeException: [Security:097533]SecurityProvider service class name is not specified.
at weblogic.security.service.AuthorizationManager.initialize(AuthorizationManager.java:147)
at weblogic.security.service.AuthorizationManager.<init>(AuthorizationManager.java:83)
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.doATZ(CommonSecurityServiceManagerDelegateImpl.java:348)
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initializeRealm(CommonSecurityServiceManagerDelegateImpl.java:273)
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.loadRealm(CommonSecurityServiceManagerDelegateImpl.java:444)
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initializeRealms(CommonSecurityServiceManagerDelegateImpl.java:459)
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:540)
at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:376)
at weblogic.security.SecurityService.start(SecurityService.java:141)
at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:181)
Caused by: com.bea.common.engine.ServiceInitializationException: com.bea.common.engine.SecurityServiceRuntimeException: [Security:097533]SecurityProvider service class name is not specified.
at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:342)
at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:292)
at com.bea.common.engine.internal.ServiceEngineImpl.lookupService(ServiceEngineImpl.java:263)
at com.bea.common.engine.internal.ServicesImpl.getService(ServicesImpl.java:71)
at weblogic.security.service.SecurityServiceManager.getService(SecurityServiceManager.java:95)
at weblogic.security.service.AuthorizationManager.initialize(AuthorizationManager.java:137)
... 11 more
Caused by: com.bea.common.engine.SecurityServiceRuntimeException: [Security:097533]SecurityProvider service class name is not specified.
at com.bea.common.security.internal.legacy.service.SecurityProviderImpl.init(SecurityProviderImpl.java:40)
at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:340)
... 16 more
Can anyone have any ideas?
I have narrowed it down to having a problem retrieving the role and policy consumer services I believe
Thanks,
Bobby.Hi All,
Found the reason for the exception. I was implementing the generated the CustomAuthenticatorImpl class (generated through WebLogic MBeanMaker utility) as the provider class by implementing the AuthenticationProvider interface. Keeping them separate solved the issue.
Able to create the jar without any issues and also no error or exception after restart.
Thanks. -
OAM 11g: Error while importing Custom Authentication Plug-in.
We are trying to create a sample custom authentication plugin in OAM 11g as per the 11.1.1.5.0 doc.
But while trying to import the plugin via oamconsole (system configuration->Plugins->Import Plugin) we receive an error "Invalid XML Structure".
Do we have to embed the XSD (XML Schema Definition) as well ?
-------------------------SamplePlugin.java-------------------------------------
import oracle.security.am.plugin.ExecutionStatus;
import oracle.security.am.plugin.MonitoringData;
import oracle.security.am.plugin.PluginConfig;
import oracle.security.am.plugin.authn.AuthenticationContext;
import oracle.security.am.plugin.authn.AuthenticationException;
import oracle.security.am.plugin.authn.AbstractAuthenticationPlugIn;
import java.util.Map;
import java.util.logging.Level;
class SamplePlugin extends AbstractAuthenticationPlugIn {
private static final String CLASS_NAME = "FirstTestClass";
public ExecutionStatus initialize (PluginConfig config){
super.initialize(config);
if(LOGGER.isLoggable(Level.FINE)){
LOGGER.logp(Level.FINE,CLASS_NAME,"initialize","Entering initialize");
return ExecutionStatus.SUCCESS;
@Override
public String getDescription() {
// TODO Auto-generated method stub
return null;
@Override
public Map<String, MonitoringData> getMonitoringData() {
// TODO Auto-generated method stub
return null;
@Override
public String getPluginName() {
// TODO Auto-generated method stub
return null;
@Override
public int getRevision() {
// TODO Auto-generated method stub
return 0;
@Override
public ExecutionStatus process(AuthenticationContext arg0)
throws AuthenticationException {
if(LOGGER.isLoggable(Level.FINE)){
LOGGER.logp(Level.FINE,CLASS_NAME,"initialize","Entering process");
return ExecutionStatus.SUCCESS;
@Override
public void setMonitoringStatus(boolean arg0) {
// TODO Auto-generated method stub
@Override
public boolean getMonitoringStatus() {
// TODO Auto-generated method stub
return false;
-------------------------SamplePlugin.java-------------------------------------
------------------------SamplePlugin.xml--------------------------------
<?xml version="1.0" encoding="UTF-8" ?>
<Plugin name="SamplePlugin" type="Authentication">
<author>Self</author>
<email>[email protected]</email>
<creationDate>09:41:22, 2012-02-05</creationDate>
<version>1</version>
<description>SamplePlugin</description>
<interface>oracle.security.am.plugin.authn.AbstractAuthenticationPlugIn</interface>
<implementation>SamplePlugin</implementation>
</Plugin>
------------------------SamplePlugin.xml--------------------------------
------------------------MANIFEST.MF--------------------------------
Manifest-Version: 1.0
Ant-Version: Apache Ant 1.8.2
Bundle-Version: 1.0.0.qualifier
Bundle-Name: SamplePlugin
Bundle-Activator: SamplePlugin
Bundle-ManifestVersion: 2
Created-By: 1.6.0_24-b07 (Sun Microsystems Inc.)
Import-Package: org.osgi.framework;version="1.3.0",oracle.security.am.
plugin,oracle.security.am.plugin.authn,oracle.security.am.plugin.api,
oracle.security.am.common.utilities.principal,oracle.security.idm,jav
ax.naming,javax.sql,java.management,javax.security.auth
Bundle-SymbolicName: SamplePlugin
Bundle-RequiredExecutionEnvironment: JavaSE-1.6
------------------------MANIFEST.MF--------------------------------
Contents of SamplePlugin.jar
1. SamplePlugin.xml
2. SamplePlugin.class
3. META-INF/
MANIFEST.MFI build the Plugin.jar file similarly as above(followed the same steps)..
But when i log into OAM and trying to import the plugin (System Configuration->Plugins- Import Plugin) the browser goes to hung state and i see below error in logs (domain log and in diag log)
I see the jar file created in this location (\Middleware\user_projects\domains\IAMdomain\oam\plugins)
Please let me know if you have any idea..Thanks!
####<Feb 29, 2012 1:10:03 PM PST> <Warning> <oracle.adf.controller.internal.metadata.MetadataService> <spsolutions> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <weblogic> <> <d6305b57ff260991:700b4664:135ca3d69dc:-8000-00000000000003fe> <1330549803273> <BEA-000000> <ADFc: /WEB-INF/adfc-config.xml: >
####<Feb 29, 2012 1:10:03 PM PST> <Warning> <oracle.adf.controller.internal.metadata.MetadataService> <spsolutions> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <weblogic> <> <d6305b57ff260991:700b4664:135ca3d69dc:-8000-00000000000003fe> <1330549803274> <ADFC-52024> <ADFc: Duplicate managed bean definition for 'accessCheck' detected.>
####<Feb 29, 2012 1:10:03 PM PST> <Warning> <oracle.adfinternal.view.faces.renderkit.rich.RegionRenderer> <spsolutions> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <weblogic> <> <d6305b57ff260991:700b4664:135ca3d69dc:-8000-0000000000000402> <1330549803479> <ADF_FACES-60099> <The region component with id: pt1:_lar has detected a page fragment with multiple root components. Fragments with more than one root component may not display correctly in a region and may have a negative impact on performance. It is recommended that you restructure the page fragment to have a single root component.>
####<Feb 29, 2012 1:10:33 PM PST> <Error> <javax.enterprise.resource.webcontainer.jsf.application> <spsolutions> <AdminServer> <[ACTIVE] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'> <weblogic> <> <d6305b57ff260991:700b4664:135ca3d69dc:-8000-0000000000000593> <1330549833253> <BEA-000000> <java.lang.NullPointerException
javax.faces.el.EvaluationException: java.lang.NullPointerException
at org.apache.myfaces.trinidad.component.MethodExpressionMethodBinding.invoke(MethodExpressionMethodBinding.java:51)
at com.sun.faces.application.ActionListenerImpl.processAction(ActionListenerImpl.java:102)
at org.apache.myfaces.trinidad.component.UIXCommand.broadcast(UIXCommand.java:190
####<Feb 29, 2012 1:10:33 PM PST> <Warning> <oracle.adfinternal.view.faces.lifecycle.LifecycleImpl> <spsolutions> <AdminServer> <[ACTIVE] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'> <weblogic> <> <d6305b57ff260991:700b4664:135ca3d69dc:-8000-0000000000000593> <1330549833316> <BEA-000000> <ADF_FACES-60098:Faces lifecycle receives unhandled exceptions in phase INVOKE_APPLICATION 5
javax.faces.FacesException: #{FileProcessor.doUpload}: java.lang.NullPointerException
at com.sun.faces.application.ActionListenerImpl.processAction(ActionListenerImpl.java:118)
at org.apache.myfaces.trinidad.component.UIXCommand.broadcast(UIXCommand.java:190)
at oracle.adf.view.rich.component.rich.RichPopup$BroadcastContextCallback.invokeContextCallback(RichPopup.java:666)
at org.apache.myfaces.trinidad.component.UIXComponentBase.invokeOnComponent(UIXComponentBa
>
####<Feb 29, 2012 1:10:33 PM PST> <Error> <oracle.oam.admin.console.policy> <spsolutions> <AdminServer> <[ACTIVE] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'> <weblogic> <> <d6305b57ff260991:700b4664:135ca3d69dc:-8000-0000000000000593> <1330549833361> <OAM-400016> <Failed to authenticate the user
javax.servlet.ServletException: java.lang.NullPointerException
at javax.faces.webapp.FacesServlet.service(FacesServlet.java:277)
####<Feb 29, 2012 1:10:34 PM PST> <Warning> <oracle.adf.view.rich.component.fragment.UIXRegion> <spsolutions> <AdminServer> <[ACTIVE] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'> <weblogic> <> <d6305b57ff260991:700b4664:135ca3d69dc:-8000-000000000000059a> <1330549834008> <ADF_FACES-00009> <Error processing viewId: /plugin-taskflow/authplugins URI: /oracle/security/am/taskflows/authplugin.jsff actual-URI: /oracle/security/am/taskflows/authplugin.jsff.
javax.el.ELException: java.lang.NullPointerException
at javax.el.BeanELResolver.getValue(BeanELResolver.java:266)
at com.sun.faces.el.DemuxCompositeELResolver._getValue(DemuxCompositeELResolver.java:173)
at oracle.adfinternal.view.faces.renderkit.rich.PanelCollectionRenderer$PanelCollectionHelper._encodeAll(PanelCollectionRenderer.java:728)
at oracle.adfinternal.view.faces.renderkit.rich.PanelCollectionRenderer$PanelCollectionHelper.access$500(PanelCollectionRenderer.java:537)
at oracle.adfinternal.view.faces.renderkit.rich.PanelCollectionRenderer.encodeAll(PanelCollectionRenderer.java:402)
at oracle.adf.view.rich.render.RichRenderer.encodeAll(RichRenderer.java:1396)
at org.apache.myfaces.trinidad.render.CoreRenderer.encodeEnd(CoreRenderer.java:335)
at org.apache.myfaces.trinidad.component.UIXComponentBase.encodeEnd(UIXComponentBase.java:767)
at javax.faces.component.UIComponent.encodeAll(UIComponent.java:937)
####<Feb 29, 2012 1:10:34 PM PST> <Warning> <oracle.adfinternal.view.faces.lifecycle.LifecycleImpl> <spsolutions> <AdminServer> <[ACTIVE] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'> <weblogic> <> <d6305b57ff260991:700b4664:135ca3d69dc:-8000-000000000000059a> <1330549834020> <BEA-000000> <ADF_FACES-60098:Faces lifecycle receives unhandled exceptions in phase RENDER_RESPONSE 6
javax.faces.FacesException: javax.el.ELException: java.lang.NullPointerException
at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl._renderResponse(LifecycleImpl.java:804)
at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl._executePhase(LifecycleImpl.java:294)
at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl.render(LifecycleImpl.java:214) -
OAM - Authorization based on the authentication method
We are using OAM 10g for a customer to protect a large number of web application. In order to access those applications a user can chose from several authentication methods (e.g. client certificate, SecureId and mobile TAN). All applications use the same cookie domain and OAM provides SSO to the user. The customer now wants to define access rules for each of the applications based on the chosen authentication method.
In other words, he wants to have the flexibility to define rules such as the following:
Application A: Only accessible with client certificates
Application B: Only accessible with mobile TAN
Application D: Only accessible with SecureId or mobile TAN
Application E: Accessible with any authentication method
In order to implement this with OAM we would have assign each authentication method a different authentication level and define authorization rules that depend on those authentication levels (maybe using a custom authorization plug-in). According to the OAM documentation it doesn't seem possible to reference the authentication level in a authorization rule.
Does anyone know a way to implement these requirements.
Any help is appreciated.
Best regards,
DonatThis is how I think we can do this.
Write Authentication plug-in which adds which authentication scheme was used to login to the application in one of the multivalued attribute in OID. Write Authorization plug-in also which checks this value and makes authentication decision.
One more approach is, Create as many attributes in OID as number of authentication schemes you have. Each of them is a flag representing whether user is logged in with the authentication scheme or not. When user authenticates using an authentication scheme, turn on that flag. Also flush access server user profiles cache. In the authorization rule, use this flag to make authorization decisions. Using this approach, you do not have to write authorization plugin but this may not be scalable approach as you might have to create a new attribute in OID when new authentication scheme is added.
You can also keep this information somewhere in database or flat file and use that information in authentication and authorization plugin.
I hope one of this solutions will help you.
Thanks
Kiran Thakkar -
Workshop 8.1 Calling EJB from Custom Authentication Provider
I am writing a custom authentication provider that runs on Weblogic Server 8.1 and also on Workshop 8.1. Everything is packaged into a jar file that I put into the mbeantypes directory. From the authentication provider I want to get an EJB home that is on another Weblogic 8.1 server.
Loading the home from the Weblogic server works great. But in Workshop I get a ClassCastException from the PortableRemoteObject.narrow() call.
This happens in Workshop even if I remove all my application jar files, so I am left with nothing but the startup classpath and the files in the mbeantypes directory. That is, I don't have any classes in two directories.
When I look at the class that I actually get back from the call to context.lookup( jndiName ), I get the same stub class back on the Weblogic Server and on the Workshop server. But only on Workshop do I have this casting problem.
Any ideas?
Thanks,
MarkIssue has been resolved.
The reason I've forgotten about Value Object that is being returned by Remoute method to put them into classpath of Authenticator Provider -
Error generating custom authentication providor MBean
I'm using WLS 9.0 and am having troubles creating my custom authentication provider.
I have created my class that implements AuthenticationProviderV2 and my class that implements LoginModule and put my MBeanType xml file in the same package as my two classes.
However, when I run \bea\jrockit90_150_03\bin\java weblogic.management.commo.WebLogicMBeanMaker -MDF net\sundog\authentication\BobcatAuthenticator.xml -MJF SundogAuthenticator.jar -files . -createStubs -g -validateXML
I get the following output:
Creating an MJF from the contents of directory ....
Compiling the files...
Creating the list.
Doing the compile.
Note: Some input files use unchecked or unsafe operations.
Note: Recompile with -Xlint:unchecked for details.
WLMaker-SubProcess: :
WLMaker-SubProcess: :
WLMaker-SubProcess: :
WLMaker-SubProcess: : Generating the implementations for security MBeans
WLMaker-SubProcess: : no annotation found for key
WLMaker-SubProcess: : no annotation found for key [velocityCount]
WLMaker-SubProcess: : no annotation found for key [line]
WLMaker-SubProcess: : no annotation found for key [f]
WLMaker-SubProcess: : no annotation found for key [m]
WLMaker-SubProcess: : no annotation found for key [p]
WLMaker-SubProcess: : no annotation found for key [n]
WLMaker-SubProcess: : done
WLMaker-SubProcess: :
WLMaker-SubProcess: :
WLMaker-SubProcess: :
WLMaker-SubProcess: : Generating the parsing binders for security MBeans
WLMaker-SubProcess: : done
WLMaker-SubProcess: :
WLMaker-SubProcess: :
WLMaker-SubProcess: :
WLMaker-SubProcess: : Generating the bean infos for security MBeans ...
WLMaker-SubProcess: : no annotation found for key [import]
WLMaker-SubProcess: : no annotation found for key [property]
WLMaker-SubProcess: : no annotation found for key [beanConfigurable]
WLMaker-SubProcess: : no annotation found for key [propertyMethod]
WLMaker-SubProcess: : no annotation found for key [method]
WLMaker-SubProcess: : Generating Bean Factory Class to .\weblogic\management\security\SUNDOGAUTHENTICATORBeanInfoFactory.java
WLMaker-SubProcess: : done
WLMaker-SubProcess: : Stopped draining WLMaker-SubProcess:
WLMaker-SubProcess: : Stopped draining WLMaker-SubProcess:
WLMaker-SchemaGen-SubProcess : Generating schema for security provider mbeans ...
WLMaker-SchemaGen-SubProcess : [JAM] Warning: failed to resolve class tempFileDirForSchema.weblogic.management.security.ImportMBeanImpl
WLMaker-SchemaGen-SubProcess : [JAM] Warning: failed to resolve class tempFileDirForSchema.weblogic.management.security.pk.KeyStoreMBeanImpl
[---snip, many lines like the above---]
WLMaker-SchemaGen-SubProcess : [SEVERE] Could not resolve class: tempFileDirForSchema.weblogic.management.security.ImportMBeanImpl
WLMaker-SchemaGen-SubProcess : [SEVERE] Could not resolve class: tempFileDirForSchema.weblogic.management.security.pk.KeyStoreMBeanImpl
WLMaker-SchemaGen-SubProcess : [SEVERE] Could not resolve class: tempFileDirForSchema.weblogic.management.security.authentication.UserLockoutManagerMBeanImpl
WLMaker-SchemaGen-SubProcess : [SEVERE] Could not resolve class: tempFileDirForSchema.weblogic.management.utils.PropertiesListerMBeanImpl
[---snip, many lines like the above---]
WLMaker-SchemaGen-SubProcess : [SEVERE] initialization errors encountered, skipping compilation
WLMaker-SchemaGen-SubProcess: Stopped draining WLMaker-SchemaGen-SubProcess
WLMaker-SchemaGen-SubProcess: Stopped draining WLMaker-SchemaGen-SubProcess
Creating the list.
Doing the compile.
Note: Some input files use unchecked or unsafe operations.
Note: Recompile with -Xlint:unchecked for details.
Creating the MJF...
MJF is created.
The trouble is that it looks like it's not able to compile the classes that are supposed to be in the tempFileDirForSchema package. I am trying to follow the documentation and examples from the 9.0 documentation, and using the 8.1 samples when there isn't an updated 9.0 version available.
I figure the class compiling problems are the cause of this error I get when starting weblogic after deploying my authenticator:
eblogic.security.service.SecurityServiceRuntimeException:
[Security:090371]Problem instantiating Authentication Provider java.lang.NullPointerException
at
weblogic.security.service.PrincipalAuthenticator.initialize(PrincipalAuthenticator.java:258)
at
weblogic.security.service.PrincipalAuthenticator.<init>(PrincipalAuthenticator.java:328)
at
weblogic.security.service.SecurityServiceManagerDelegateImpl.doATN(SecurityServiceManagerDelegateImpl.java:592)
at
weblogic.security.service.SecurityServiceManagerDelegateImpl.initializeRealm(SecurityServiceManagerDelegateImpl.java:442)
at
weblogic.security.service.SecurityServiceManagerDelegateImpl.loadRealm(SecurityServiceManagerDelegateImpl.java:695)
at
weblogic.security.service.SecurityServiceManagerDelegateImpl.initializeRealms(SecurityServiceManagerDelegateImpl.java:724)
at
weblogic.security.service.SecurityServiceManagerDelegateImpl.initialize(SecurityServiceManagerDelegateImpl.java:876)
at
weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:775)
at
weblogic.security.SecurityService.start(SecurityService.java:133)
at
weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
at weblogic.work.ServerWorkManagerImpl
$WorkAdapterImpl.run(ServerWorkManagerImpl.java:518)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:207)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:179)
Caused by: java.lang.NullPointerException
at java.lang.Class.forName0(Native Method)
at java.lang.Class.forName(Class.java:242)
at
weblogic.security.service.SecurityServiceManagerDelegateImpl.createSecurityProvider(SecurityServiceManagerDelegateImpl.java:267)
at
weblogic.security.service.SecurityServiceManager.createSecurityProvider(SecurityServiceManager.java:1000)
at
weblogic.security.service.adapters.AdapterFactory.getAuthenticationProvider(AdapterFactory.java:73)
at
weblogic.security.service.PrincipalAuthenticator.initialize(PrincipalAuthenticator.java:180)
... 12 more
Thanks,
Nathan
Message was edited by:
nvoxlandthere is a spi sample exclusively for wls 9.1 here
https://codesamples.projects.dev2dev.bea.com/servlets/Scarab/remcurreport/true/template/ViewIssue.vm/id/S224/nbrresults/250
this worked for me. -
History Attributes when using Custom Authentication Type
assigned all History Attributes (in the Entity Object Editor) to my audit columns.
During run time, I find only Created By is assigned the SYSDATE, and Created On, Modified On, and Modified By are null.
I am using Custom Authentication Type.
I have read that the History Attributes only work the the JAAS authentication type. Appreciate any one confirming this.
Also, how do you implement History Attributes if you are using the Custom Authentication Type? Do you need to write Java code?
Thanks.
JohnHi,
confirmed it only works with container managed authentication performed through JAZN. You can't use this with custom security as otherwise this feature could be overwritten. Still you can provide your own implementation:
- create a custom table
- use the setAttr method on the RowImpl class of a VO to store the username
Frank -
Is there a standard way to plug in custom authentication code
Is there a standard way to plug in use my own custom authentication code using forms authentication when I am using servlets/jsp for my website. I read the spec and found that the spec requires servlet containers to support forms authentication, but, the process seems to be transparent to the developer. This restricts me to store user information in the format imposed by the container provider. I cannot use, MS Active directory for example, to store user attributes and use it for forms authentication. Also, I could not find any standard way in which HttpServletRequest.getRemoteUser() works. Shouldn't there be a set of interfaces abstracting authentication process, which developers can implement for customized authentication mechanisms.
Thanks
Nikhil.Greetings,
Is there a standard way to plug in use my own custom authentication code using formsNo. There are standard "authentication mechanisms" but that's not quite the same thing. Like most things in J2EE, the "what" of things are specified but the "how" them are left to the vendor. Consult your vendor docs.
authentication when I am using servlets/jsp for my website. I read the spec and found that the spec
requires servlet containers to support forms authentication, but, the process seems to be transparent
to the developer. This restricts meFor the most part, "forms" authentication is transparent to the developer - at least, with respect to directly responding to and handling the request. The developer, however, does have some significant work to do with regard to the form itself and any associated error "pages". The point of the "standard authentication schemes", however, is to delegate the work of actual authentication processing to the container and, thereby, make it transparent to the developer (one of the many "application services" provided by the application server ;).
to store user information in the format imposed by the container provider. I cannot use, MS Active
directory for example, to store user attributes and use it for forms authentication. Also, I could notAgain read your vendor docs on how to "plug in" your own authentication handler(s). Most support it in some fashion which typically involves implementing some interface(s) and/or abstract class(es). Many also support it through their own "standard" component handlers, like an EJB invoker, where the invoked component is expected to function in a pre-determined way.
Of course, there's nothing in the specification that says authentication must be handled by the container (only that it must be supported)! You're free to implement a login mechanism through your own proprietary JSP page and/or servlet (and/or EJB), and bypass the container entirely. ;)
find any standard way in which HttpServletRequest.getRemoteUser() works.Regardless of the standard authentication scheme used (i.e. handled by the container), the user's authenticated login ID is returned by the method. Unfortunately, this means the method is useless if your own "authentication system" is used in lieu of the container - but, of course, in such a case the method should also be un-needed. ;)
Shouldn't there be a set of interfaces abstracting authentication process, which developers can
implement for customized authentication mechanisms.It's a matter of debate.
Thanks
Nikhil.Regards,
Tony "Vee Schade" Cook -
One SSID with muptiple authentication methods
Have received a request from a customer to run both TKIP and AES encryption on the same SSID
From reading I believe this is not possible but can anyone confirm this please
Currently the config looks thus
dot11 ssid HELP
vlan 20
authentication open eap eap_methods
authentication network-eap eap_mtheods
authentication key-management wpa
authentication key-management wpa version 2 <<<<<<<<<<<<<<<<<<
<<<<< Trying to add wpa version 2 overwrites uithentication key-management wpa so presume this confirms it can't be done >>>>>
Interface Dot11Radio0
encryption mode ciphers tkip
encrytption vlan 20 mode ciphers aes-ccm tkip
Many ThanksHello
Cisco wireless products have the option to offer to the wireless clients both encryption methods, TKIP and AES and even WEP on the same SSID. This can be configured on the GUI and CLI but what you have to be aware and be careful is that this is not the standard. Even though Cisco can offer this, some clients won't understand that, they will get confused and disconnect or just not be able ro connect at all.
We are talking about encryption here not authentication so to answer your question: yes, you can configure several encryption methods on the same vlan but it is not a best practice and regarding authentication, it is not possible to configure different authentication methods on the same SSID.
Regards,
Sent from Cisco Technical Support Android App -
How to make the JMX custom authentication work ?
I am using the password and access file based authentication on JMX. When building my JMXConnectorServer, i use the property names and it works fine.
Map<String, String> env = new HashMap<String, String>();
env.put(ApplicationProperties.JMX_PWD_FILE_PROP, pwdFile);
env.put(ApplicationProperties.JMX_ACCESS_FILE_PROP, accFile);
connectorServer = JMXConnectorServerFactory.newJMXConnectorServer(jmxServiceURL, env, mBeanServer);However, now i want to use a custom authenticator and i implemented my own LoginModule to have a encrypted password in the password file. Thus the ideas is to have an encrypted password and plain text user name in the password file.
public class ABCDJMXLoginModule implements LoginModule {
private CallbackHandler callbackHandler;
private Subject subject;
private String u_username;
private String u_password;
private JMXPrincipal user;
private Properties userCredentials;
private String passwordFile;
private String f_username;
private String f_password;
private static final Logger logger = LoggerFactory.getLogger(ABCDJMXLoginModule.class);
public boolean abort() throws LoginException {
// TODO Auto-generated method stub
return false;
public boolean commit() throws LoginException {
// TODO Auto-generated method stub
return true;
public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> sharedState,
Map<String, ?> options) {
this.subject = subject;
this.callbackHandler = callbackHandler;
public boolean login() throws LoginException {
try {
attemptLogin();
loadPasswordFile();
} catch (Exception e) {
logger.info("Exception, e");
if (u_username == null || u_password == null) {
throw new LoginException("Either no username or no password specified");
logger.info("Password from user and file : " + u_password + " :: " + f_password);
if (u_password.equals(f_password)) {
return true;
return false;
public boolean logout() throws LoginException {
// TODO Auto-generated method stub
return true;
private void attemptLogin() throws LoginException {
Callback[] callbacks = new Callback[2];
callbacks[0] = new NameCallback("u_username");
callbacks[1] = new PasswordCallback("u_password", false);
try {
callbackHandler.handle(callbacks);
} catch (IOException e) {
logger.error("IOException", e);
} catch (UnsupportedCallbackException e) {
logger.error("UnsupportedCallbackException", e);
u_username = ((NameCallback) callbacks[0]).getName();
user = new JMXPrincipal(u_username);
char[] tmpPassword = ((PasswordCallback) callbacks[1]).getPassword();
u_password = tmpPassword.toString();
logger.info("UserName : " + u_username);
logger.info("Password : " + u_password);
System.arraycopy(tmpPassword, 0, u_password, 0, tmpPassword.length);
((PasswordCallback) callbacks[1]).clearPassword();
private void loadPasswordFile() throws IOException {
FileInputStream fis = null;
passwordFile = "c:\\abcd.jmx.enc.password.file";
try {
fis = new FileInputStream(passwordFile);
} catch (SecurityException e) {
logger.error("Security Exception", e);
BufferedInputStream bis = new BufferedInputStream(fis);
userCredentials = new Properties();
userCredentials.load(bis);
bis.close();
f_username = u_username;
f_password = (String) userCredentials.get(f_username);
logger.info("UserName before Decrypt : " + f_username);
logger.info("Password from file before Decrypt : " + f_password);
// decrypt the password from file and later compare it with user password from JConsole
if (f_password != null) f_password = Cryptography.decrypt(f_password);
logger.info("Password from file after Decrypt : " + f_password);
}When i use the following code and try to connect via JConsole nothing happens.
Map<String, String> env = new HashMap<String, String>();
env.put(ApplicationProperties.JMX_PWD_FILE_PROP, pwdFile);
env.put(ApplicationProperties.JMX_ACCESS_FILE_PROP, accFile);
env.put("jmx.remote.x.login.config", "com.splwg.ejb.service.management.ABCDJMXLoginModule");
connectorServer = JMXConnectorServerFactory.newJMXConnectorServer(jmxServiceURL, env, mBeanServer);Any ideas on why this happens ? For sure, i am also not coming into the ABCDJMXLoginModule class - I have some print statements there and none of them get printed. Any sort of ideas and solutions are appreciated. I tried with the property "com.sun.management.jmxremote.login.config" too. I was expecting that mentioning the property in the environment and passing it to the JMXCOnnectorServer would do all the trick.
Am i missing something ?Hello dcloko_BR,
I downloaded and installed Lenovo´s The Lenovo Solution Center and now the solution center starts after pressing the blue button. Perhaps give it a try.
Edit: Upps sorry, only newer models are supported according to the readme.txt.
Best regards
Andreas
Follow @LenovoForums on Twitter! Try the forum search, before first posting: Forum Search Option
Please insert your type, model (not S/N) number and used OS in your posts.
I´m a volunteer here using New X1 Carbon, ThinkPad Yoga, Yoga 11s, Yoga 13, T430s,T510, X220t, IdeaCentre B540.
TIP: If your computer runs satisfactorily now, it may not be necessary to update the system.
English Community Deutsche Community Comunidad en Español -
NAM 3.2.1 Custom Authentication Class for BASIC not loaded
Hi!
Im trying to write a custom authentication class for
BASIC/PROTECTED_BASIC, so I started with the PasswordClass sample from
SDK novell-nacm3_2-devel-2012.08.10.tar.gz, stripped out the
STSAuthenticationClass and changed the type to
AuthnConstants.PROTECTED_PASSWORD --> and it works!
public String getType() {
return AuthnConstants.PROTECTED_PASSWORD;
Next I wanted to create a custom BASIC auth class by changing the type
to AuthnConstants.BASIC / AuthnConstants.PROTECTED_BASIC
public String getType() {
return AuthnConstants.PROTECTED_BASIC;
but now IDP complains about the unsupported type.
<amLogEntry> 2012-12-20T15:11:17Z WARNING NIDS Application:
AM#300105006: AMDEVICEID#FC77EC2A45509E7B: Failed to load
authentication class due to unsupported type: ITdBasicTestClass
</amLogEntry>
Im running NAM 3.2.1 single box appliance for development/testing.
There is an old thread here, that looks like the same issue:
http://tinyurl.com/c6eawj6
Any hits?
regards
Thomas
PS: What i really want to solve is strip out the Domain from the
username on basic authentication since most MS apps/clients provide the
username in format DOMAIN\USER...
reibenwein
reibenwein's Profile: https://forums.netiq.com/member.php?userid=1382
View this thread: https://forums.netiq.com/showthread.php?t=46430hmmm, well try writing the value out to stderr and see if you can at least make sure you are getting
a good read.
Like a System.out.println(AuthnConstants.PROTECTED_PASSWO RD);
I ran into some strange stuff where some constants had no values for no apparent reason when they
should.
I would also try supplying the actual value instead of the constant and see if it goes through that
way. ("ProtectedBasic")
On 1/10/2013 11:14 AM, reibenwein wrote:
>
> Hi!
>
>
> I copied com.novell.nam.authentication.PasswordClass to start with my
> test custom auth class. It includes a method getType() like this:
>
> /**
> * Get the authentication type this class implements
> *
> * @return returns the authentication type represented by this
> class
> */
> public String getType() {
> return AuthnConstants.PROTECTED_PASSWORD;
> }
>
>
> --> IDP loads my custom auth class, as long as a leave getType()
> returning AuthnConstants.PROTECTED_PASSWORD! But this is form base
> authentication. According to the API documentation (see page 17 in
> namc_enu.pfd within the sdk download), getType should
> returnAuthnConstants. PROTECTED_BASIC for secure Basic authentication
> (or AuthnConstants.BASIC for non SSL Basic auth). So i changed getType()
> like this:
>
>
> /**
> * Get the authentication type this class implements
> *
> * @return returns the authentication type represented by this class
> */
> public String getType() {
> return AuthnConstants.PROTECTED_BASIC;
> }
>
>
> --> and then IPD comes with the error "Failed to load authentication
> class due to unsupported type"...
>
>
> regards,
> Thomas
>
> -
User!UserID when using custom Authentication in SSRS2012
We are using FormsAuthentication with SSRS2012 for our custom authentication in SSRS2012.
What SSRS code determines User!UserID report expressionwhen using a custom authentication provider?
I ask this because if the FormsAuthCookie.UserName determines the User!UserID value, then I need to use a more unique value than FirstName/LastName when building the forms auth cookie.
thanks
scottHi scott,
UserID is the ID of the user running the report. If you are using Windows Authentication, this value is the domain account of the current user(Domain/username).
The value of User!UserID is determined by the Reporting Services security extension, which enables the authentication and authorization of users or groups; that is, it enables different users to log on to a report server and, based on their identities,
perform different tasks or operations.
By default, Reporting Services uses a Windows-based authentication extension, which uses Windows account protocols to verify the identities of users who claim to have accounts on the system. Reporting Services uses a role-based security system to authorize
users. The Reporting Services role-based security model is similar to the role-based security models of other technologies.
WorkFlow about authentication and authorization occur as follows:
https://msdn.microsoft.com/en-us/library/ms152825.aspx
The user credentials are submitted to the Reporting Services Web service through the
LogonUser method.
This member of the Reporting Services Web service can be used to pass user credentials to a report server for validation. Your underlying security extension implements
IAuthenticationExtension.LogonUser which contains your custom authentication code. In the Forms Authentication sample,
LogonUser, which performs an authentication check against the supplied credentials and a custom user store in a database. An example of an implementation of
LogonUser looks like this:
https://msdn.microsoft.com/en-us/library/ms152899.aspx
If you still have any problem, please feel free to ask.
Regards
Vicky Liu
If you have any feedback on our support, please click
here.
Vicky Liu
TechNet Community Support -
I would love some help with this issue. I have configured my SharePoint foundation 2010 site to use Claims Based Auth with Certificate authentication method with ADFS 2.0 I have a test account set up with lab.acme.com to use the ACS.
When I log into my site using Windows Auth, everything is great. However when I log in and select my ACS token issuer, I get sent, to the logon page of the ADFS, after selected the ADFS method. My browser prompt me which Certificate identity I want
to use to log in and after 3-5 second
and return me the logon page with error message “Authentication failed”
I base my setup on the technet article
http://blogs.technet.com/b/speschka/archive/2010/07/30/configuring-sharepoint-2010-and-adfs-v2-end-to-end.aspx
I validated than all my certificate are valid and able to retrieve the crl
I got in eventlog id 300
The Federation Service failed to issue a token as a result of an error during processing of the WS-Trust request.
Request type: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Additional Data
Exception details:
Microsoft.IdentityModel.SecurityTokenService.FailedAuthenticationException: MSIS3019: Authentication failed. ---> System.IdentityModel.Tokens.SecurityTokenValidationException:
ID4070: The X.509 certificate 'CN=Me, OU=People, O=Acme., C=COM' chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. 'A certification chain processed
correctly, but one of the CA certificates is not trusted by the policy provider.
at Microsoft.IdentityModel.X509CertificateChain.Build(X509Certificate2 certificate)
at Microsoft.IdentityModel.Tokens.X509NTAuthChainTrustValidator.Validate(X509Certificate2 certificate)
at Microsoft.IdentityModel.Tokens.X509SecurityTokenHandler.ValidateToken(SecurityToken token)
at Microsoft.IdentityModel.Tokens.SecurityTokenElement.GetSubject()
at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
--- End of inner exception stack trace ---
at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.BeginGetScope(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
at Microsoft.IdentityModel.SecurityTokenService.SecurityTokenService.BeginIssue(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.DispatchRequestAsyncResult..ctor(DispatchContext dispatchContext, AsyncCallback asyncCallback, Object asyncState)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.BeginDispatchRequest(DispatchContext dispatchContext, AsyncCallback asyncCallback, Object asyncState)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.ProcessCoreAsyncResult..ctor(WSTrustServiceContract contract, DispatchContext dispatchContext, MessageVersion messageVersion, WSTrustResponseSerializer responseSerializer, WSTrustSerializationContext
serializationContext, AsyncCallback asyncCallback, Object asyncState)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.BeginProcessCore(Message requestMessage, WSTrustRequestSerializer requestSerializer, WSTrustResponseSerializer responseSerializer, String requestAction, String responseAction, String
trustNamespace, AsyncCallback callback, Object state)
System.IdentityModel.Tokens.SecurityTokenValidationException: ID4070: The X.509 certificate 'CN=Me, OU=People, O=acme., C=com' chain building
failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. 'A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider.
at Microsoft.IdentityModel.X509CertificateChain.Build(X509Certificate2 certificate)
at Microsoft.IdentityModel.Tokens.X509NTAuthChainTrustValidator.Validate(X509Certificate2 certificate)
at Microsoft.IdentityModel.Tokens.X509SecurityTokenHandler.ValidateToken(SecurityToken token)
at Microsoft.IdentityModel.Tokens.SecurityTokenElement.GetSubject()
at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
thx
Stef71This is perfectly correct on my case I was not adding the root properly you must add the CA and the ADFS as well, which is twice you can see below my results.
on my case was :
PS C:\Users\administrator.domain> $root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\
cer\SP2K10\ad0001.cer")
PS C:\Users\administrator.domain> New-SPTrustedRootAuthority -Name "domain.ad0001" -Certificate $root
Certificate : [Subject]
CN=domain.AD0001CA, DC=domain, DC=com
[Issuer]
CN=domain.AD0001CA, DC=portal, DC=com
[Serial Number]
blablabla
[Not Before]
22/07/2014 11:32:05
[Not After]
22/07/2024 11:42:00
[Thumbprint]
blablabla
Name : domain.ad0001
TypeName : Microsoft.SharePoint.Administration.SPTrustedRootAuthority
DisplayName : domain.ad0001
Id : blablabla
Status : Online
Parent : SPTrustedRootAuthorityManager
Version : 17164
Properties : {}
Farm : SPFarm Name=SharePoint_Config
UpgradedPersistedProperties : {}
PS C:\Users\administrator.domain> $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\
cer\SP2K10\ADFS_Signing.cer")
PS C:\Users\administrator.domain> New-SPTrustedRootAuthority -Name "Token Signing Cert" -Certificate $cert
Certificate : [Subject]
CN=ADFS Signing - adfs.domain
[Issuer]
CN=ADFS Signing - adfs.domain
[Serial Number]
blablabla
[Not Before]
23/07/2014 07:14:03
[Not After]
23/07/2015 07:14:03
[Thumbprint]
blablabla
Name : Token Signing Cert
TypeName : Microsoft.SharePoint.Administration.SPTrustedRootAuthority
DisplayName : Token Signing Cert
Id : blablabla
Status : Online
Parent : SPTrustedRootAuthorityManager
Version : 17184
Properties : {}
Farm : SPFarm Name=SharePoint_Config
UpgradedPersistedProperties : {}
PS C:\Users\administrator.PORTAL>
Maybe you are looking for
-
ERROR IN SELECT-OPTIONS COMPONENT
Hi Friends, Currently, I am working on SELECT-OPTIONS component, Variants. In component controller WDDOINIT, I have got the instantiated the select-options component. And I have one more pop-up view, in Get_variant action method ,I will be getting th
-
Burning my DVD with more gigs than the disc
I am going to be burning my new movie shortly. It is approximately 13 GB. The DVDs I have show "4.7 GB" on the box, so I am assuming I can't put my entire movie on one disc. Do they make discs larger than this so that I can put the whole movie on one
-
Report to Mimic SE16/List download in SM30/SE16
Hi, I basically need to download the contents of a table to an excel file. Unfortunatly the users will not have access to use the 'system-list-save-local file' functionality in SM30 and they also dont have access to SE16(where it can also be done). I
-
I created a Multiselect list for item :P5_REGIONS(USING DYNAMIC ) DYNAMIC QUERY IS SELECT DISTINCT DEPTNO FROM DEPT; Mutiselect list 10 20 30 40 50 I have another item name :P5_SELECTED_REGIONS So what I want to do is When user select multi values fr
-
Problem in Upgrading from 2.1 to 3.1 on Linux
Hi I have a problem while upgrading 2.1 to 3.1 on XE database . I have been following the procedure given in the below link http://www.oracle.com/technology/products/database/application_express/html/3.1_and_xe.html when i complied the file apxldimg.