Custom Authentication Module on Identity Server

Similar Messages

• How to unconfigure a Custom Authentication Module for Convergence

  After flailing with the incomplete instructions for [Writing a Custom Authentication Module for Convergence|http://wikis.sun.com/display/CommSuite/Writing+a+Custom+Authentication+Module+for+Convergence]
  , I decided to try to revert back to the default.
  How do you remove the module and go back to the default? I tried to unset the options, but they did not seem to take effect.
  sudo /opt/sun/comms/iwc/sbin/iwcadmin -w xxxxx -o auth.custom.servicename -v ""
  sudo /opt/sun/comms/iwc/sbin/iwcadmin -w xxxxx -o auth.custom.callbackhandler -v ""
  sudo /opt/sun/comms/iwc/sbin/iwcadmin -w xxxxx -o auth.custom.loginimpl -v ""
  sudo /opt/SUNWappserver/bin/asadmin stop-appserv
  sudo /opt/SUNWappserver/bin/asadmin start-appserv
  AUTH: DEBUG from com.sun.comms.client.web.sso.SSOFilter  Thread httpSSLWorkerThread-80-1 at 14:45:25,951 - SSO is disabled
  AUTH: WARN from com.sun.comms.client.protocol.delegate.agent.LoginContextAgent  Thread httpSSLWorkerThread-80-1 at 14:45:25,953 - Subject not found in session, creating one
  AUTH: ERROR from com.sun.comms.client.protocol.delegate.agent.LoginContextAgent  Thread httpSSLWorkerThread-80-1 at 14:45:25,954 - Unabled to load the class due to 
  AUTH: ERROR from com.sun.comms.client.protocol.delegate.agent.LoginContextAgent  Thread httpSSLWorkerThread-80-1 at 14:45:25,956 - Unable to instantiate callback handler 
  AUTH: ERROR from com.sun.comms.client.protocol.delegate.LoginCommandDelegate  Thread httpSSLWorkerThread-80-1 at 14:45:25,957 - Failed to Login the user: Unable to instantiate callback handler 
  PROTOCOL: ERROR from com.sun.comms.client.protocol.delegate.LoginCommandDelegate  Thread httpSSLWorkerThread-80-1 at 14:45:25,960 - Protocol Error while login : Unknown Reason

  jessethompson wrote:
  After flailing with the incomplete instructions for [Writing a Custom Authentication Module for Convergence|http://wikis.sun.com/display/CommSuite/Writing+a+Custom+Authentication+Module+for+Convergence]
  , I decided to try to revert back to the default.
  How do you remove the module and go back to the default? I tried to unset the options, but they did not seem to take effect.After enabling the custom login module using the steps in the earlier thread (http://forums.sun.com/thread.jspa?threadID=5318615), I performed the following steps to disable the custom module and re-enable the ldap auth module:
  # Disable custom auth-module
  cd /opt/sun/comms/iwc/sbin
  ./iwcadmin -w <admin password> -o auth.custom.servicename -v ""
  ./iwcadmin -w <admin password> -o auth.custom.loginimpl -v ""
  ./iwcadmin -w <admin password> -o auth.custom.callbackhandler -v ""
  ./iwcadmin -w <admin password> -o auth.misc.CredentialFile -v ""# Re-enable the LDAP auth-module
  cd /opt/sun/comms/iwc/sbin
  ./iwcadmin -w <admin password> -o auth.ldap.callbackhandler  -v com.sun.comms.client.security.auth.AppCallbackHandler
  ./iwcadmin -w <admin password> -o auth.ldap.loginimpl -v com.sun.comms.client.security.auth.modules.impl.SunLDAPLoginModule# Restarte App Server
  cd /opt/SUNWappserver/bin/
  ./asadmin stop-domain; ./asadmin start-domain# Login to iwc interface as user shjorth with password oldpwd
  # Login successful with oldpwd -- custom auth module successfully disabled, LDAP re-enabled
  Regards,
  Shane.

• How to remove custom authentication provider in weblogic server 11g

  Hi ,
  I am trying to remove the custom authentication provider in weblogic server 11g, It disappears when i delete it from list of authentication providers. But upon server restart it appears again.
  Documentation for 10g says delete it from service administration but i couldn't find one in 11g. Please help me in removing the custom authentication provider
  Thanks
  Sandeep

  You can try editing the config.xml file and removing it there. (Re: After provider reorder I cannot login admin server console
  If you are referring to a jar file - custom authenticators are usually placed in the <middleware-home>wlserver_10.3/server/lib/mbeantypes/ directory.

• New server and/or CA certificate for connection from custom authentication

  We are running Access Manager version 72005Q4 in the Sun ONE Web Server 6.1SP5 B06/23/2005 container with java build 1.5.0_07-b03. I run a custom authentication module which checks sessions against our university single sign on system which is CAS (from Yale/Jasig). The checks are essentially https calls. All this has been working well for us for the last couple of years.
  I would like to migrate the certificate used on the university CAS system from a Verisign certificate to a wildcard certificate issued by the IPS CA in spain -- these are in most browsers but are not in the standard batch of cacerts CA's -- and are free for .edu domains.
  My other java based authentication plugins (Blackboard, custom apps etc) have worked fine once I import the certificate into the cacerts for the java container, but I'm missing something (obvious probably) about importing this certificate so that my amserver custom authentication module can connect to the CAS server once the CAS server is using the new certificate.
  Could anyone provide guidance on where I need to import this server certificate (or preferably the IPS CA) in order to allow the custom authentication module to work properly? I assume this same problem has been solved by people wishing to connect from the amserver to services with self signed certificates. For some reason I'm finding the debugging unexpectedly difficult, I'll outline some of those details below.
  Relevant things I've tried so far:
  Import both the server cert and the IPS CA into the cacerts of the java container identified in the web server server.xml /usr/jdk/entsys-j2se.
  Import the IPS CA into the web server cert8 style db via the web admin server.
  The debugging has surprised me a bit, as I'm not getting an error that is explicitly SSL related error. It almost seems like the URLConnection object ends up using a HttpURLConnection rather than an HttpsURLConnection and never gives me a cert error, rather a connection refused since there is no non SSL service running on CAS. The same code pointed to the server running the verisign cert works as expected.
  Part of the stack:
  [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: java.net.ConnectException: Connection refused
  [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at java.net.PlainSocketImpl.socketConnect(Native Method)
  [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at java.net.PlainSocketImpl.doConnect(PlainSocketImpl.java:333)
  [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at java.net.PlainSocketImpl.connectToAddress(PlainSocketImpl.java:195)
  [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:182)
  [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at java.net.Socket.connect(Socket.java:516)
  [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at java.net.Socket.connect(Socket.java:466)
  [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.NetworkClient.doConnect(NetworkClient.java:157)
  [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.http.HttpClient.openServer(HttpClient.java:365)
  [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.http.HttpClient.openServer(HttpClient.java:477)
  [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.http.HttpClient.<init>(HttpClient.java:214)
  [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.http.HttpClient.New(HttpClient.java:287)
  [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.http.HttpClient.New(HttpClient.java:311)
  [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.protocol.http.HttpURLConnection.setNewClient(HttpURLConnection.java:489)
  [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.protocol.http.HttpURLConnection.setNewClient(HttpURLConnection.java:477)
  [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.protocol.http.HttpURLConnection.writeRequests(HttpURLConnection.java:422)
  [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:937)
  [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at edu.yale.its.tp.cas.util.SecureURL.retrieve(Unknown Source)
  [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at edu.yale.its.tp.cas.client.ServiceTicketValidator.validate(Unknown Source)
  [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at edu.fsu.ucs.authentication.providers.CASAMLoginModule.process(CASAMLoginModule.java:86)
  [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at com.sun.identity.authentication.spi.AMLoginModule.wrapProcess(AMLoginModule.java:729)
  The relevent bit of code from the SecureURL.retrieve looks as follows:
  URL u = new URL(url);
  if (!u.getProtocol().equals("https"))
  throw new IOException("only 'https' URLs are valid for this method");
  URLConnection uc = u.openConnection();
  uc.setRequestProperty("Connection", "close");
  r = new BufferedReader(new InputStreamReader(uc.getInputStream()));
  String line;
  StringBuffer buf = new StringBuffer();
  while ((line = r.readLine()) != null)
  buf.append(line + "\n");
  return buf.toString();
  } finally { ...
  The fact that this same code in other authentication modules running outside the amserver (in other web containers as well, tomcat and resin for example) running java 1.5 works fine with the new CA, as well as with self signed certs that I've imported into the appropriate cacerts file leads me to believe that I'm either importing the certificate into the wrong store, or that there is some additional step needed for the amserver in the Sun Web container.
  Thank you very much for any insights and help,
  Ethan

  I thought since this has had a fair number of views I would give an update.
  I have been able to confirm that the custom authentication module is using the cert8 db defined in the AMConfig property com.iplanet.am.admin.cli.certdb.dir as documented. I do seem to have a problem using the certificate to make outgoing connections, even though the certificate verifies correctly for use as a server certificate. This is likely a question for a different forum, but just to show what I'm looking at:
  root@jbc1 providers#/usr/sfw/bin/certutil -V -n "FSU Wildcard Certificate" -d /opt/SUNWwbsvr/alias -P https-jbc1.ucs.fsu.edu-jbc1- -u V
  certutil: certificate is valid
  root@jbc1 providers#/usr/sfw/bin/certutil -V -n "FSU Wildcard Certificate" -d /opt/SUNWwbsvr/alias -P https-jbc1.ucs.fsu.edu-jbc1- -u C
  certutil: certificate is invalid: Certificate type not approved for application.
  root@jbc1 providers#/usr/sfw/bin/certutil -M -n "FSU Wildcard Certificate" -d /opt/SUNWwbsvr/alias -P https-jbc1.ucs.fsu.edu-jbc1- -t uP,uP,uP
  root@jbc1 providers#/usr/sfw/bin/certutil -V -l -n "FSU Wildcard Certificate" -d /opt/SUNWwbsvr/alias -P https-jbc1.ucs.fsu.edu-jbc1- -u C
  FSU Wildcard Certificate : Certificate type not approved for application.
  So it could be that I don't understand how to use the certutiil to get the permissions I want, or it could be that using the same certificate for both server and client functions is not supported -- though you can see why this would be a common case with wildcard certificates.
  BTW for those interested, it did seem to be the case that when the certificate failure occurred that the attempt was then made by the URLConnection to bind to port 80 in cleartext even though the URL was clearly https. I'm sure this was just an attempt to help out misformed URL, but it seemed that the URLConnection implementation in the amserver would swapped traffic over cleartext if that port had been open on the server I was making the https connection to; that seems dangerous to me, I would not have wanted it to quietly work that way exposing sensitive information to the network.
  This was why I was getting back a connection refused instead of a certificate exception. The URLConnection implementation used by the amserver is defined by java.protocol.handler.pkgs=com.iplanet.services.comm argument passwd to the JVM, and I imagine this is done because the amserver pre-dates the inclusion of the sun.net.www.protocol handlers, but I don't know, there maybe reasons why the amserver wants it own handler. I only noticed that this is what was going on when I as casting the httpsURLConnection objects to other types trying to diagnose the certificate problem. I would be interested in hearing if anyone knows if there is a reason not to use sun.net.www.protocol with the amserver.
  After switching to the sun.net.www.protocol handler I was able to get my certificate errors rather than the "Connection Refused" which is what lead me to the above questions about certutil.

• Custom Authentication Issue with Policy Agent

  Hi,
  I have a custom authentication module which is hosted on the BEA application server and I am trying to access through the policy agent on apache.
  I have set the following property in AMAgent.properties file
  com.sun.am.policy.am.loginURL= http://host:port/amserver/UI/Login
  So When the user requests a protected resource, the policy agent forwards the user to Identity Server with the module as CustomLoginModule. However, after this, authentication is succeed, user sesion is being created and I get the following error message in the agent log file.
  2004-10-19 16:20:26.908 Error 27620:e1140 PolicyEngine: am_policy_evaluate: InternalException in Service::construct_auth_svc with error message:Application authentication failed during service creation. and code:3
  2004-10-19 16:20:26.908 128 27620:e1140 RemoteLog: User unknown was denied access to http://hostname:port/weblogic/protapp/protected/a.html.
  2004-10-19 16:20:26.908 Error 27620:e1140 LogService: LogService::logMessage() loggedBy SSOTokenID is invalid.
  2004-10-19 16:20:26.909 Error 27620:e1140 all: am_log_vlog() failed with status AM_REMOTE_LOG_FAILURE.
  2004-10-19 16:20:26.909 -1 27620:e1140 PolicyAgent: URL Access Agent: access denied to unknown user
  The necessary policy object is already created in Identity Server. Please send your suggestions to fix this problem.
  Thanks
  Neeraj

  Hi Neeraj,
  I still have not been able to resolve that issue. Let me know If you find a solution for the same.
  Thanks,
  Srinivas

• Custom login module

  hi,
  I'm would like to configure a custom authentication module between OIM, JBOSS and AD.
  I try to use the LdapLoginModule from JBOSS.
  Add in xlconfig.xml :
  <login-module>
  <thirdPartyLoginModule>org.jboss.security.auth.spi.LdapLoginModule</thirdPartyLoginModule>
  </login-module>
  Change in login-config.xml :
  <application-policy name = "xellerate">
       <authentication>          
            <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
                 <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
                 <module-option name="java.naming.provider.url">ldap://XXXX:389</module-option>
                 <module-option name="principalDNPrefix">XXXX</module-option>
                 <module-option name="principalDNSuffix">XXXX</module-option>
                 <module-option name="java.naming.security.principal">XXXX</module-option>
                 <module-option name="java.naming.security.credentials">XXXX</module-option>
                 <module-option name="rolesCtxDN">XXXX</module-option>
                 <module-option name="uidAttributeID">XXXX</module-option>
            <module-option name="matchOnUserDN">XXXX</module-option>
            <module-option name="roleAttributeID">XXXX</module-option>
            <module-option name="roleAttributeIsDN">XXXX</module-option>
            <module-option name="searchTimeLimit">XXXX</module-option>
            <module-option name="searchScope">XXXX</module-option>
            <module-option name="allowEmptyPasswords">XXXX</module-option>
            </login-module>
       </authentication>
  </application-policy>
  There is an Error when I try to login on OIM.
  Server.log :
  TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] Begin getAppConfigurationEntry(xellerate), size=9
  TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] End getAppConfigurationEntry(xellerate), authInfo=AppConfigurationEntry[]:
  [0]
  LoginModule Class: org.jboss.security.auth.spi.LdapLoginModule
  ControlFlag: Anmeldemodul-Steuerflag: required
  Options:name=uidAttributeID, value=member
  name=matchOnUserDN, value=true
  name=rolesCtxDN, value=XXXXX
  name=principalDNPrefix, value=XXXXX
  name=principalDNSuffix, value=XXXXX
  name=java.naming.factory.initial, value=com.sun.jndi.ldap.LdapCtxFactory
  name=java.naming.security.credentials, value=XXXXX
  name=allowEmptyPasswords, value=false
  name=java.naming.provider.url, value=XXXXX
  name=java.naming.security.principal, value=XXXXX
  name=searchTimeLimit, value=5000
  name=roleAttributeIsDN, value=false
  name=searchScope, value=ONELEVEL_SCOPE
  name=roleAttributeID, value=XXXXX
  TRACE [org.jboss.security.auth.spi.LdapLoginModule] initialize, instance=@6460623
  TRACE [org.jboss.security.auth.spi.LdapLoginModule] Security domain: xellerate
  TRACE [org.jboss.security.auth.spi.LdapLoginModule] login
  TRACE [org.jboss.security.auth.spi.LdapLoginModule] Logging into LDAP server, env={java.naming.factory.initial=XXXXXX...}
  TRACE [org.jboss.security.auth.spi.LdapLoginModule] Logged into LDAP server, javax.naming.ldap.InitialLdapContext@f24d4f
  TRACE [org.jboss.security.auth.spi.LdapLoginModule] Rebind SECURITY_PRINCIPAL to: cn=XXXXX
  TRACE [org.jboss.security.auth.spi.LdapLoginModule] searching rolesCtxDN=XXXXX
  TRACE [org.jboss.security.auth.spi.LdapLoginModule] Checking answer: XXXXX
  TRACE [org.jboss.security.auth.spi.LdapLoginModule] Assign user to role XXXXX
  TRACE [org.jboss.security.auth.spi.LdapLoginModule] User 'XXXXX' authenticated, loginOk=true
  TRACE [org.jboss.security.auth.spi.LdapLoginModule] commit, loginOk=true
  TRACE [org.jboss.security.SecurityAssociation] getPrincipal, principal=null
  TRACE [org.jboss.security.SecurityAssociation] getSubject, sc=null
  TRACE [org.jboss.security.SecurityAssociation] getPrincipal, principal=null
  TRACE [org.jboss.security.plugins.JaasSecurityManager.xellerate] Begin isValid, principal:null, cache info: null
  TRACE [org.jboss.security.plugins.JaasSecurityManager.xellerate] defaultLogin, principal=null
  TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] Begin getAppConfigurationEntry(xellerate), size=9
  TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] End getAppConfigurationEntry(xellerate), authInfo=AppConfigurationEntry[]:
  [0]
  LoginModule Class: org.jboss.security.auth.spi.LdapLoginModule
  ControlFlag: Anmeldemodul-Steuerflag: required
  Options:name=uidAttributeID, value=member
  name=matchOnUserDN, value=true
  name=rolesCtxDN, value=XXXXX
  name=principalDNPrefix, value=XXXXX
  name=principalDNSuffix, value=XXXXX
  name=java.naming.factory.initial, value=XXXXX
  name=java.naming.security.credentials, value=XXXXX
  name=allowEmptyPasswords, value=false
  name=java.naming.provider.url, value=XXXXX
  name=java.naming.security.principal, value=XXXXX
  name=searchTimeLimit, value=5000
  name=roleAttributeIsDN, value=false
  name=searchScope, value=ONELEVEL_SCOPE
  name=roleAttributeID, value=XXXXX
  2009-09-18 14:44:49,576 TRACE [org.jboss.security.auth.spi.LdapLoginModule] initialize, instance=@22168243
  2009-09-18 14:44:49,576 TRACE [org.jboss.security.auth.spi.LdapLoginModule] Security domain: xellerate
  2009-09-18 14:44:49,576 TRACE [org.jboss.security.auth.spi.LdapLoginModule] login
  2009-09-18 14:44:49,576 TRACE [org.jboss.security.auth.spi.LdapLoginModule] Authenticating as unauthenticatedIdentity=null
  2009-09-18 14:44:49,576 DEBUG [org.jboss.security.auth.spi.LdapLoginModule] Bad password for username=null
  2009-09-18 14:44:49,576 TRACE [org.jboss.security.auth.spi.LdapLoginModule] abort
  2009-09-18 14:44:49,576 TRACE [org.jboss.security.plugins.JaasSecurityManager.xellerate] Login failure
  javax.security.auth.login.FailedLoginException: Password Incorrect/Password Required
       at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:213)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:597)
  In login-config.xml, I comment the following code :
  <!--
  <login-module code="org.jboss.security.ClientLoginModule" flag="required">
  </login-module>
  <login-module code="com.thortech.xl.security.jboss.UsernamePasswordLoginModule" flag = "required" >
       <module-option name = "unauthenticatedIdentity">Unknown</module-option>
       <module-option name = "data-source">java:/jdbc/xlDS</module-option>
  </login-module>
  -->
  I think that my user is authenticated from AD, but OIM try a second authentication with a username = null.
  Any clues will be helpful.
  Can you help me ?

  Hi,
  I solve the problem.
  In xlconfig.xml :
  <login-module>
            <thirdPartyLoginModule>org.jboss.security.auth.spi.LdapLoginModule</thirdPartyLoginModule>
  </login-module>
  In login-config.xml
  <application-policy name = "xellerate">
  <authentication>
  <login-module code="org.jboss.security.ClientLoginModule" flag="required">
  </login-module>
  <login-module code="com.thortech.xl.security.jboss.UsernamePasswordLoginModule" flag = "required" >
            <module-option name = "unauthenticatedIdentity">Unknown</module-option>
  <module-option name="java.naming.factory.initial ... </module-option>
  </login-module>
  </authentication>
  </application-policy>
  A user must have a role "User" in AD.
  That's all.
  Thanks.

• Custom Auth Module + refer to other jar

  Hi, I've just created a Custom Authentication Module based on a rdbms. Now I'm
  trying to use common logging (+log4j) in that module.
  <br><br>
  Now the problem in order to use the logging, I've to refer to some additional
  jars (common + log4j) en some propertie files. But HOW can I include these files
  without having to put them in my server classpath.

  Hi,
  If you running in Realm Mode, add the below line
  iplanetAuthTestService=Authentication
  <replace iplanetAuthTestService with the name of your Test login service>
  to /opt/SUNWam/web-src/services/WEB-INF/classes/amServiceTable.properties
  (or)
  C:\Sun\AccessManager\web-src\services\WEB-INF\classes\amServiceTable.properties
  redeploy amservices with deploy level=21 (amconfig.prop)
  Hope this helps..
  Shashi

• OBIEE 11.1.1.5 with Hyperion Shared Services 11.1.1.3 custom authenticator

  Hi,
  I'm trying to get OBIEE 11.1.1.5 to use HSS 11.1.1.3 as custom authenticator. This worked in 10.1.3.4, but I can't seem to find the old DLL to use. Is this supported at all? If not then I will need to downgrade to 10.1.3.4. Any ideas? Thanks.
  Regards,
  Gerd

  Gerd,
  I think I got this working to an extent now but I am stuck at this error msg
  There is error 'No such file or directory' during loading custom authentication module '/opt/local/usr/home/Oracle/OracleBI/web/bin64/libsawobisauthenticatorproxy643r.so'.
  2011-06-26 21:04:05
  [nQSError: 13011] Query for Initialization Block 'Hyperion EPM' has failed.
  I have set the env variable LD_LIBRARY_PATH to this path but still I am getting the same error msg. I also have full previleges on this file. Would be really great if you can tell me why I am unable to load this driver file on to server. Thanks in advance

• Wls7 + custom auth module + abort instead of commit

  Hi,
  I've written a custom authentication module using a rdbms.
  WHat does work:
  - getting + verifying username
  - getting + verifying password
  - adding username to principal
  - getting the groups
  - adding the groups
  - no exceptions are being thrown
  - the login() method returs true
  PROBLEM:
  after that the loginModule returns true, the abort() method is being called and
  not the commit().
  Does anyone know in which scenario the abort() is getting called and not the commit()
  or what could be a possible problem.
  Thx

  See if you also have the default weblogic authenticator configured as an authentication
  provider, and if yes, make sure that the Control flag for that default one is
  set to "SUFFICIENT"/"OPTIONAL".
  "Reborn" <[email protected]> wrote:
  >
  Hi,
  I've written a custom authentication module using a rdbms.
  WHat does work:
  - getting + verifying username
  - getting + verifying password
  - adding username to principal
  - getting the groups
  - adding the groups
  - no exceptions are being thrown
  - the login() method returs true
  PROBLEM:
  after that the loginModule returns true, the abort() method is being
  called and
  not the commit().
  Does anyone know in which scenario the abort() is getting called and
  not the commit()
  or what could be a possible problem.
  Thx

• LDAP FailOver in Custom Authentication

  Has anyone implemented Directory Failover in Custom Authentication Module ?
  Appreciate any relevant pointers
  Thanks,
  Janran

  String hosts = "directory1 directory2";
  ld.connect( hosts);
  You can tune the connection policy with LDAPConnection.setConnSetupDelay. The default policy is LDAPConnection.NODELAY_SERIAL
  With NODELAY_PARALLEL, the SDK will create threads that simultaneously attempt to connect to each of the specified hosts.
  ld.setConnSetupDelay( LDAPConnection.NODELAY_SERIAL ); ld.setConnSetupDelay( LDAPConnection.NODELAY_PARALLEL ); ld.setConnSetupDelay( 10 ); // 10 seconds between threads

• Does a Kerberos authentication module exist?

  Does anyone know of a Kerberos authentication module for Portal Server? If not, can anyone think of any security implications that would suggest "rolling my own" would not be a good idea?

  No we don't have any kerberos auth module as a part of the product and you can develop your own using the auth api's.

• Custom Authentication With Identity Store

  Hi everyone,
  I faced a problem with login function of my portal (Webcenter Application). The Problem is:
  - Allow the users logging in by user that store in another system. I must communicate using low level of socket. This really is not a problem.
  - If user logged in, for first time of logging in, i must store them in some identity store (Maybe tables database).
  - View Users in Weblogic Console. To do that, i known that i must implemeted something that i dont what that are.
  Here are my work:
  - I Created a Custom Authentication Provider. And configuration in Admin Console. But i don't know what are that i should implementing to View user & group in Admin Console.
  - I Cannot logging in: After i created simple application for testing, i cannot logging in even i tested with SQLAuthenticator Provider and original DefaultProvider. In Logging Console, I saw every I Printed In The Code of Login Module.
  Here are my Code:
  <?xml version="1.0" ?>
  <MBeanType Name = "OrkitVASPortal" DisplayName = "OrkitVASPortal"
             Package = "orkit"
             Extends = "weblogic.management.security.authentication.Authenticator"
             PersistPolicy = "OnUpdate">
      <MBeanAttribute
          Name        = "ProviderClassName"
          Type        = "java.lang.String"
          Writeable   = "false"
          Default     = "&quot;orkit.OrkitVASPortalProviderImpl&quot;"
  />
      <MBeanAttribute
          Name        = "Description"
          Type        = "java.lang.String"
          Writeable   = "false"
          Default     = "&quot;WebLogic Simple Sample Audit Provider&quot;"
  />
      <MBeanAttribute
          Name        = "Version"
          Type        = "java.lang.String"
          Writeable   = "false"
          Default     = "&quot;1.0&quot;"
  />
      <MBeanAttribute
          Name        = "LogFileName"
          Type        = "java.lang.String"
          Default     = "&quot;SimpleSampleAuditor.log&quot;"
  />
  </MBeanType>
  package orkit;
  import java.util.HashMap;
  import javax.security.auth.login.AppConfigurationEntry;
  import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
  import weblogic.management.security.ProviderMBean;
  import weblogic.security.provider.PrincipalValidatorImpl;
  import weblogic.security.spi.*;
  public final class OrkitVASPortalProviderImpl implements AuthenticationProviderV2 {
      private String description;
      private LoginModuleControlFlag controlFlag;
      public OrkitVASPortalProviderImpl() {
          System.out.println("The Orkit VASPortal Provider Implemented!!!!!");
      @Override
      public IdentityAsserterV2 getIdentityAsserter() {
          return null;
      // Our mapping of users to passwords/groups, instead of being in LDAP or in a
      // database, is represented by a HashMap of MyUserDetails objects..
      public class MyUserDetails {
          String pw;
          String group;
          // We use this to represent the user's groups and passwords
          public MyUserDetails(String pw, String group) {
              this.pw = pw;
              this.group = group;
          public String getPassword() {
              return pw;
          public String getGroup() {
              return group;
      // This is our database
      private HashMap userGroupMapping = null;
      public void initialize(ProviderMBean mbean, SecurityServices services) {
          System.out.println("The Orkit VASPortal Provider is intializing......");
          OrkitVASPortalMBean myMBean = (OrkitVASPortalMBean) mbean;
          description = myMBean.getDescription() + "\n" + myMBean.getVersion();
          System.err.println("#In realm:" + myMBean.getRealm().wls_getDisplayName());
          // We would typically use the realm name to find the database
          // we want to use for authentication. Here, we just create one.
          userGroupMapping = new HashMap();
          userGroupMapping.put("a", new MyUserDetails("passworda", "g1"));
          userGroupMapping.put("b", new MyUserDetails("passwordb", "g2"));
          userGroupMapping.put("system", new MyUserDetails("12341234",
                  "Administrators"));
          String flag = myMBean.getControlFlag();
          if (flag.equalsIgnoreCase("REQUIRED")) {
              controlFlag = LoginModuleControlFlag.REQUIRED;
          } else if (flag.equalsIgnoreCase("OPTIONAL")) {
              controlFlag = LoginModuleControlFlag.OPTIONAL;
          } else if (flag.equalsIgnoreCase("REQUISITE")) {
              controlFlag = LoginModuleControlFlag.REQUISITE;
          } else if (flag.equalsIgnoreCase("SUFFICIENT")) {
              controlFlag = LoginModuleControlFlag.SUFFICIENT;
          } else {
              throw new IllegalArgumentException("Invalid control flag " + flag);
      public AppConfigurationEntry getLoginModuleConfiguration() {
          HashMap options = new HashMap();
          options.put("usermap", userGroupMapping);
          System.out.println("UserMap: " + options);
          return new AppConfigurationEntry(
                  "orkit.OrkitVASPortalLoginModule",
                  controlFlag, options);
      public String getDescription() {
          return description;
      public PrincipalValidator getPrincipalValidator() {
          return new PrincipalValidatorImpl();
      public AppConfigurationEntry getAssertionModuleConfiguration() {
          return null;
  //    public IdentityAsserter getIdentityAsserter() {
  //        return null;
      public void shutdown() {
  * To change this template, choose Tools | Templates
  * and open the template in the editor.
  package orkit;
  import orkit.OrkitVASPortalProviderImpl;
  import java.io.IOException;
  import java.util.*;
  import javax.security.auth.Subject;
  import javax.security.auth.callback.*;
  import javax.security.auth.login.*;
  import javax.security.auth.spi.LoginModule;
  import weblogic.security.principal.WLSGroupImpl;
  import weblogic.security.principal.WLSUserImpl;
  * This login module will be called by our Authentication Provider. It assumes
  * that the option, usermap, will be passed which contains the map of users to
  * passwords and groups.
  public class OrkitVASPortalLoginModule implements LoginModule {
      private Subject subject;
      private CallbackHandler callbackHandler;
      private HashMap userMap;
      // Authentication status
      private boolean loginSucceeded;
      private boolean principalsInSubject;
      private Vector principalsBeforeCommit = new Vector();
      public void initialize(Subject subject, CallbackHandler callbackHandler,
              Map sharedState, Map options) {
          this.subject = subject;
          this.callbackHandler = callbackHandler;
          // Fetch user/password map that should be set by the authenticator
          userMap = (HashMap) options.get("usermap");
       * Called once after initialize to try and log the person in
      public boolean login() throws LoginException {
          // First thing we do is create an array of callbacks so that
          // we can get the data from the user
          Callback[] callbacks;
          callbacks = new Callback[2];
          callbacks[0] = new NameCallback("username: ");
          callbacks[1] = new PasswordCallback("password: ", false);
          try {
              callbackHandler.handle(callbacks);
          } catch (IOException eio) {
              throw new LoginException(eio.toString());
          } catch (UnsupportedCallbackException eu) {
              throw new LoginException(eu.toString());
          String username = ((NameCallback) callbacks[0]).getName();
          System.out.println("Username: " + username);
          char[] pw = ((PasswordCallback) callbacks[1]).getPassword();
          String password = new String(pw);
          System.out.println("PASSWORD: " + password);
          if (username.length() > 0) {
              if (!userMap.containsKey(username)) {
                  throw new FailedLoginException("Authentication Failed: Could not find user:" + username);
              }else{
                  System.out.println("Contstainded Username");
              String realPassword = ((OrkitVASPortalProviderImpl.MyUserDetails) userMap.get(username)).getPassword();
              if (realPassword == null || !realPassword.equals(password)) {
                  throw new FailedLoginException("Authentication Failed: Password incorrect for user" + username);
              }else{
                  System.out.println("Everyitng OKIE");
          } else {
              // No Username, so anonymous access is being attempted
          loginSucceeded = true;
          // We collect some principals that we would like to add to the user
          // once this is committed.
          // First, we add his username itself
          principalsBeforeCommit.add(new WLSUserImpl(username));
          // Now we add his group
          principalsBeforeCommit.add(new WLSGroupImpl(((OrkitVASPortalProviderImpl.MyUserDetails) userMap.get(username)).getGroup()));
          return loginSucceeded;
      public boolean commit() throws LoginException {
          if (loginSucceeded) {
              subject.getPrincipals().removeAll(principalsBeforeCommit);
              principalsInSubject = true;
              return true;
          } else {
              return false;
      public boolean abort() throws LoginException {
          if (principalsInSubject) {
              subject.getPrincipals().removeAll(principalsBeforeCommit);
              principalsInSubject = false;
          return true;
      public boolean logout() throws LoginException {
          return true;
  }and OrkitVASPortalMBean & OrkitVASPortalImpl class created by MBeanMaker tool.
  Can someome help.
  Thank you very much!

  When i login with the password and username from my custom authentication provider, my login module check ok, but logon form still there.

• Cannot Start Weblogic Server After adding  Custom Authentication Provider

  Hi,
  I implemented a Custom authentication provider and configured it wih Weblogic 10.3 application server. Although I successfully added Authentication provider, I couldn't restart my server. I used MBeanMaker utility to package my Authentication provider and login module. Although the MBean Utility signalled some warnings and severe messages, it successfully packaged the files. When I look at the config.xml file after adding he authenticator it just adds three lines
  ( <sec:authentication-provider>
  <sec:name>STOREDPROCEDURE</sec:name>
  </sec:authentication-provider>
  ) Although there are some other attributes of the authenticator.
  Please advice.
  Here is some stack trace.
  Best Regards,
  Salim
  com.bea.common.engine.ServiceInitializationException: com.bea.common.engine.SecurityServiceRuntimeException: [Security:097533]SecurityProvider service class name for STOREDPROCEDURE is not specified.
  at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:365)
  at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:315)
  at com.bea.common.engine.internal.ServiceEngineImpl.lookupService(ServiceEngineImpl.java:257)
  at com.bea.common.engine.internal.ServicesImpl.getService(ServicesImpl.java:72)
  at weblogic.security.service.internal.WLSIdentityServiceImpl.initialize(Unknown Source)
  at weblogic.security.service.CSSWLSDelegateImpl.initializeServiceEngine(Unknown Source)
  at weblogic.security.service.CSSWLSDelegateImpl.initialize(Unknown Source)
  at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.InitializeServiceEngine(Unknown Source)
  at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initializeRealm(Unknown Source)
  at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.loadRealm(Unknown Source)
  at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initializeRealms(Unknown Source)
  at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(Unknown Source)
  at weblogic.security.service.SecurityServiceManager.initialize(Unknown Source)
  at weblogic.security.SecurityService.start(SecurityService.java:141)
  at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
  at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
  at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
  com.bea.common.engine.SecurityServiceRuntimeException: [Security:097533]SecurityProvider service class name for STOREDPROCEDURE is not specified.
  at com.bea.common.security.internal.legacy.service.SecurityProviderImpl.init(SecurityProviderImpl.java:47)
  at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:363)
  at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:315)
  at com.bea.common.engine.internal.ServiceEngineImpl.lookupService(ServiceEngineImpl.java:257)
  at com.bea.common.engine.internal.ServicesImpl.getService(ServicesImpl.java:72)
  at weblogic.security.service.internal.WLSIdentityServiceImpl.initialize(Unknown Source)
  at weblogic.security.service.CSSWLSDelegateImpl.initializeServiceEngine(Unknown Source)
  at weblogic.security.service.CSSWLSDelegateImpl.initialize(Unknown Source)
  at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.InitializeServiceEngine(Unknown Source)
  at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initializeRealm(Unknown Source)
  at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.loadRealm(Unknown Source)
  at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initializeRealms(Unknown Source)
  at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(Unknown Source)
  at weblogic.security.service.SecurityServiceManager.initialize(Unknown Source)
  at weblogic.security.SecurityService.start(SecurityService.java:141)
  at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
  at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
  at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
  ####<Feb 3, 2009 12:22:42 AM EET> <Error> <Security> <localhost.localdomain> <DefaultServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1233613362036> <BEA-090870> <The realm "myrealm" failed to be loaded: weblogic.security.service.SecurityServiceException: com.bea.common.engine.ServiceInitializationException: com.bea.common.engine.SecurityServiceRuntimeException: [Security:097533]SecurityProvider service class name for STOREDPROCEDURE is not specified..
  weblogic.security.service.SecurityServiceException: com.bea.common.engine.ServiceInitializationException: com.bea.common.engine.SecurityServiceRuntimeException: [Security:097533]SecurityProvider service class name for STOREDPROCEDURE is not specified.
  at weblogic.security.service.CSSWLSDelegateImpl.initializeServiceEngine(Unknown Source)
  at weblogic.security.service.CSSWLSDelegateImpl.initialize(Unknown Source)
  at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.InitializeServiceEngine(Unknown Source)
  at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initializeRealm(Unknown Source)
  at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.loadRealm(Unknown Source)
  at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initializeRealms(Unknown Source)
  at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(Unknown Source)
  at weblogic.security.service.SecurityServiceManager.initialize(Unknown Source)
  at weblogic.security.SecurityService.start(SecurityService.java:141)
  at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
  at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
  at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
  com.bea.common.engine.ServiceInitializationException: com.bea.common.engine.SecurityServiceRuntimeException: [Security:097533]SecurityProvider service class name for STOREDPROCEDURE is not specified.
  at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:365)
  at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:315)
  at com.bea.common.engine.internal.ServiceEngineImpl.lookupService(ServiceEngineImpl.java:257)
  at com.bea.common.engine.internal.ServicesImpl.getService(ServicesImpl.java:72)
  at weblogic.security.service.internal.WLSIdentityServiceImpl.initialize(Unknown Source)
  at weblogic.security.service.CSSWLSDelegateImpl.initializeServiceEngine(Unknown Source)
  at weblogic.security.service.CSSWLSDelegateImpl.initialize(Unknown Source)

  You need to make sure that you nuke the whole directory that you are specifying to the MBean marker generator. For example, I use the following command to generate the provider jar file.
  java -Dfiles=$PRJROOT/ERModel/classes -DMDF=$PRJROOT/ERModel/classes/MyCustomAuthenticator.xml -DMJF=$PRJROOT/ERModel/custom-auth-provider.jar -DtargetNameSpace=http://xmlns.oracle.com/oracleas/schema/11/adf/sampleapp/weblogic/providers -DpreserveStubs=true -DcreateStubs=true weblogic.management.commo.WebLogicMBeanMaker1c
  I need to nuke the directory in the -Dfile option i.e. 'rm -rf $PRJROOT/ERModel/classes/' each time I generate the jar file. If you don't, the jar file generates without any error but you will get a runtime exception.

• Bypassing Identity server authentication

  I am working on Sun ONE portal 6.0 and its bundled identity server 5.1. I am exploring various methods to authenticate users transparently without login screen being shown.
  1. can we pass params through query string something like "http://portal.domain.com/amserver/login?module=LDAP&TOKEN0=uid&TOKEN1=pwd" to achieve it.
  2. I have gone thru sso package and tried to find method
  to retrieve ssotokenid for web based authentication. I could not find any ??
  3. I have gone thru Authentication API whose implementation example is given in ../authentication/LDAP directory. But it is in identity server 6.0
  4. Is it possible to write any customised authentication module to authenticate user and retireve cookie to be set on browser ????
  Can anybody suggest me solution ???

  As of your first Step, you can pass the parameters to the amserver login module and authenticate the user against the authentication backend. This is not By passing the Identiy Server itself. Its a way of authenticating the user without going throught the login sreen of that perticular module.
  As per I know you can develop your own authentication module and pass the cookie that you want to pass and carry the session.

• Custom login module Authentication works but Authorization Does not work

  Hi:
  I am using custom login module and switched on the ADF authentication using adf-config.xml file. My custom authentication works i.e. it returns true but when it finally tries to display the page 401 Unauthorized message is shown. I am using JDev 10.1.3.2.
  Is there any other settings I need to perform. Could you please let me know.
  Thanks

  I have the same issue, please refer to this thread.
  Re: ADF Security Authorization