Custom Authentication With Identity Store

Hi everyone,
I faced a problem with the login function of my portal (a WebCenter application). The problem is:
- Allow users to log in with accounts that are stored in another system. I must communicate with it using low-level sockets. This really is not a problem.
- When a user logs in for the first time, I must store them in some identity store (maybe database tables).
- View users in the WebLogic Console. To do that, I know that I must implement something, but I don't know what.
Here is my work:
- I created a custom authentication provider and configured it in the Admin Console. But I don't know what I should implement to view users & groups in the Admin Console.
- I cannot log in: after I created a simple application for testing, I cannot log in, even when I tested with the SQLAuthenticator provider and the original DefaultProvider. In the logging console, I saw everything I printed in the code of the login module.
Here is my code:
<?xml version="1.0" ?>
<MBeanType Name = "OrkitVASPortal" DisplayName = "OrkitVASPortal"
           Package = "orkit"
           Extends = "weblogic.management.security.authentication.Authenticator"
           PersistPolicy = "OnUpdate">
    <MBeanAttribute
        Name        = "ProviderClassName"
        Type        = "java.lang.String"
        Writeable   = "false"
        Default     = "&quot;orkit.OrkitVASPortalProviderImpl&quot;"
/>
    <MBeanAttribute
        Name        = "Description"
        Type        = "java.lang.String"
        Writeable   = "false"
        Default     = "&quot;WebLogic Simple Sample Audit Provider&quot;"
/>
    <MBeanAttribute
        Name        = "Version"
        Type        = "java.lang.String"
        Writeable   = "false"
        Default     = "&quot;1.0&quot;"
/>
    <MBeanAttribute
        Name        = "LogFileName"
        Type        = "java.lang.String"
        Default     = "&quot;SimpleSampleAuditor.log&quot;"
/>
</MBeanType>
package orkit;

import java.util.HashMap;
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import weblogic.management.security.ProviderMBean;
import weblogic.security.provider.PrincipalValidatorImpl;
import weblogic.security.spi.AuthenticationProviderV2;
import weblogic.security.spi.IdentityAsserterV2;
import weblogic.security.spi.PrincipalValidator;
import weblogic.security.spi.SecurityServices;

public final class OrkitVASPortalProviderImpl implements AuthenticationProviderV2 {

    private String description;
    private LoginModuleControlFlag controlFlag;

    public OrkitVASPortalProviderImpl() {
        System.out.println("The Orkit VASPortal Provider Implemented!!!!!");
    }

    @Override
    public IdentityAsserterV2 getIdentityAsserter() {
        // This provider only authenticates; it does not assert identities from tokens.
        return null;
    }

    // Our mapping of users to passwords/groups, instead of being in LDAP or in a
    // database, is represented by a HashMap of MyUserDetails objects.
    public static class MyUserDetails {
        private final String pw;
        private final String group;

        // We use this to represent the user's groups and passwords
        public MyUserDetails(String pw, String group) {
            this.pw = pw;
            this.group = group;
        }

        public String getPassword() {
            return pw;
        }

        public String getGroup() {
            return group;
        }
    }

    // This is our database
    private Map<String, MyUserDetails> userGroupMapping = null;

    public void initialize(ProviderMBean mbean, SecurityServices services) {
        System.out.println("The Orkit VASPortal Provider is initializing......");
        OrkitVASPortalMBean myMBean = (OrkitVASPortalMBean) mbean;
        description = myMBean.getDescription() + "\n" + myMBean.getVersion();
        System.err.println("#In realm:" + myMBean.getRealm().wls_getDisplayName());

        // We would typically use the realm name to find the database
        // we want to use for authentication. Here, we just create one.
        userGroupMapping = new HashMap<String, MyUserDetails>();
        userGroupMapping.put("a", new MyUserDetails("passworda", "g1"));
        userGroupMapping.put("b", new MyUserDetails("passwordb", "g2"));
        userGroupMapping.put("system", new MyUserDetails("12341234", "Administrators"));

        // The JAAS control flag is set on the provider in the Admin Console and
        // decides how this login module is combined with the others in the realm.
        String flag = myMBean.getControlFlag();
        if (flag.equalsIgnoreCase("REQUIRED")) {
            controlFlag = LoginModuleControlFlag.REQUIRED;
        } else if (flag.equalsIgnoreCase("OPTIONAL")) {
            controlFlag = LoginModuleControlFlag.OPTIONAL;
        } else if (flag.equalsIgnoreCase("REQUISITE")) {
            controlFlag = LoginModuleControlFlag.REQUISITE;
        } else if (flag.equalsIgnoreCase("SUFFICIENT")) {
            controlFlag = LoginModuleControlFlag.SUFFICIENT;
        } else {
            throw new IllegalArgumentException("Invalid control flag " + flag);
        }
    }

    public AppConfigurationEntry getLoginModuleConfiguration() {
        // The login module receives the user map through its "options" argument.
        Map<String, Object> options = new HashMap<String, Object>();
        options.put("usermap", userGroupMapping);
        System.out.println("UserMap: " + options);
        return new AppConfigurationEntry(
                "orkit.OrkitVASPortalLoginModule",
                controlFlag, options);
    }

    public String getDescription() {
        return description;
    }

    public PrincipalValidator getPrincipalValidator() {
        return new PrincipalValidatorImpl();
    }

    public AppConfigurationEntry getAssertionModuleConfiguration() {
        return null;
    }

    public void shutdown() {
    }
}
/*
 * To change this template, choose Tools | Templates
 * and open the template in the editor.
 */
package orkit;

import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.Map;
import java.util.Vector;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import weblogic.security.principal.WLSGroupImpl;
import weblogic.security.principal.WLSUserImpl;

/**
 * This login module will be called by our Authentication Provider. It assumes
 * that the option, usermap, will be passed which contains the map of users to
 * passwords and groups.
 */
public class OrkitVASPortalLoginModule implements LoginModule {

    private Subject subject;
    private CallbackHandler callbackHandler;
    private Map<String, OrkitVASPortalProviderImpl.MyUserDetails> userMap;

    // Authentication status
    private boolean loginSucceeded;
    private boolean principalsInSubject;
    private final Vector<Principal> principalsBeforeCommit = new Vector<Principal>();

    @SuppressWarnings("unchecked")
    public void initialize(Subject subject, CallbackHandler callbackHandler,
            Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.callbackHandler = callbackHandler;
        // Fetch user/password map that should be set by the authenticator
        userMap = (Map<String, OrkitVASPortalProviderImpl.MyUserDetails>) options.get("usermap");
    }

    /**
     * Called once after initialize to try and log the person in
     */
    public boolean login() throws LoginException {
        // First thing we do is create an array of callbacks so that
        // we can get the data from the user
        Callback[] callbacks = new Callback[2];
        callbacks[0] = new NameCallback("username: ");
        callbacks[1] = new PasswordCallback("password: ", false);
        try {
            callbackHandler.handle(callbacks);
        } catch (IOException eio) {
            throw new LoginException(eio.toString());
        } catch (UnsupportedCallbackException eu) {
            throw new LoginException(eu.toString());
        }

        String username = ((NameCallback) callbacks[0]).getName();
        System.out.println("Username: " + username);
        char[] pw = ((PasswordCallback) callbacks[1]).getPassword();
        // The password is never printed: server logs are read by far more people
        // than the credential is meant for. The char[] copies are wiped after use.
        String password = (pw == null) ? null : new String(pw);
        ((PasswordCallback) callbacks[1]).clearPassword();
        if (pw != null) {
            Arrays.fill(pw, '\0');
        }

        if (username == null || username.length() == 0) {
            // No username, so anonymous access is being attempted. This module has no
            // anonymous user in its map, so reject instead of falling through and
            // looking up "" below (which would throw a NullPointerException).
            throw new FailedLoginException("Authentication Failed: no username supplied");
        }
        OrkitVASPortalProviderImpl.MyUserDetails details = userMap.get(username);
        if (details == null) {
            throw new FailedLoginException("Authentication Failed: Could not find user: " + username);
        }
        System.out.println("Contained Username");
        String realPassword = details.getPassword();
        if (realPassword == null || !realPassword.equals(password)) {
            throw new FailedLoginException("Authentication Failed: Password incorrect for user " + username);
        }
        System.out.println("Everything OK");

        loginSucceeded = true;
        // We collect some principals that we would like to add to the user
        // once this is committed.
        // First, we add his username itself
        principalsBeforeCommit.add(new WLSUserImpl(username));
        // Now we add his group
        principalsBeforeCommit.add(new WLSGroupImpl(details.getGroup()));
        return loginSucceeded;
    }

    public boolean commit() throws LoginException {
        if (loginSucceeded) {
            // commit() must ADD the principals collected in login(). Calling removeAll()
            // here leaves the Subject without any principal, so WebLogic treats the
            // request as unauthenticated and shows the login form again.
            subject.getPrincipals().addAll(principalsBeforeCommit);
            principalsInSubject = true;
            return true;
        } else {
            return false;
        }
    }

    public boolean abort() throws LoginException {
        if (principalsInSubject) {
            subject.getPrincipals().removeAll(principalsBeforeCommit);
            principalsInSubject = false;
        }
        return true;
    }

    public boolean logout() throws LoginException {
        return true;
    }
}
and the OrkitVASPortalMBean & OrkitVASPortalImpl classes were created by the MBeanMaker tool.
Can someone help?
Thank you very much!

When I log in with the username and password from my custom authentication provider, my login module checks OK, but the logon form is still there.
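"The login module checks OK but the form comes back" is the symptom a JAAS module produces when login() succeeds but commit() leaves the Subject without principals, which is what a removeAll() in commit() does. The following is an added example, not code from the post: a self-contained JAAS login module of the same shape, driven through LoginContext with only the JDK so it runs outside WebLogic. Plain Principal objects stand in for WLSUserImpl/WLSGroupImpl, the "usermap" option carries salted PBKDF2 verifiers instead of plaintext passwords, the password is never logged, the failure message is the same for an unknown user and a wrong password, and commit() adds the collected principals. The class, user and group names are assumptions.

```java
import java.io.IOException;
import java.security.*;
import java.util.*;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.spi.LoginModule;

/** Added example (not the post's code): a JAAS login module with a correct commit(), driven by LoginContext. */
public class JaasCommitDemo {

    /** Plain Principal standing in for WLSUserImpl / WLSGroupImpl so this runs without weblogic.jar. */
    public static final class NamedPrincipal implements Principal {
        private final String kind, name;
        NamedPrincipal(String kind, String name) { this.kind = kind; this.name = name; }
        public String getName() { return name; }
        public String toString() { return kind + ":" + name; }
        public boolean equals(Object o) { return o instanceof NamedPrincipal && toString().equals(o.toString()); }
        public int hashCode() { return toString().hashCode(); }
    }

    /** Per-user entry of the "usermap" option: salted PBKDF2 verifier plus group, never the password itself. */
    public static final class StoredCredential {
        private final byte[] salt = new byte[16], hash;
        final String group;
        public StoredCredential(char[] password, String group) {
            new SecureRandom().nextBytes(salt);
            this.hash = pbkdf2(password, salt);
            this.group = group;
        }
        boolean matches(char[] password) { return MessageDigest.isEqual(hash, pbkdf2(password, salt)); } // constant-time
    }

    static byte[] pbkdf2(char[] password, byte[] salt) {
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(new PBEKeySpec(password, salt, 100_000, 256)).getEncoded();
        } catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }

    /** Same shape as the posted OrkitVASPortalLoginModule: login() collects principals, commit() adds them. */
    public static class MapLoginModule implements LoginModule {
        private Subject subject;
        private CallbackHandler handler;
        private Map<String, StoredCredential> users;
        private boolean loginSucceeded;
        private final Set<Principal> pending = new HashSet<>();

        @SuppressWarnings("unchecked")
        public void initialize(Subject subject, CallbackHandler handler, Map<String, ?> shared, Map<String, ?> options) {
            this.subject = subject;
            this.handler = handler;
            this.users = (Map<String, StoredCredential>) options.get("usermap");
        }

        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("username: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try { handler.handle(new Callback[] { nc, pc }); }
            catch (IOException | UnsupportedCallbackException e) { throw new LoginException(e.toString()); }
            String user = nc.getName();
            char[] pw = pc.getPassword();   // our own copy; wiped in the finally block, never logged
            pc.clearPassword();
            try {
                StoredCredential cred = (user == null || user.isEmpty()) ? null : users.get(user);
                // One message for "no such user" and "wrong password": no user-name enumeration.
                if (cred == null || pw == null || !cred.matches(pw)) throw new FailedLoginException("Authentication failed");
                pending.add(new NamedPrincipal("user", user));
                pending.add(new NamedPrincipal("group", cred.group));
                loginSucceeded = true;
                return true;
            } finally { if (pw != null) Arrays.fill(pw, '\0'); }
        }

        // commit() must ADD the principals collected in login(). removeAll() here leaves the Subject
        // empty after a "successful" login, and a container that finds no principal in the Subject
        // treats the request as unauthenticated and shows the login form again.
        public boolean commit() {
            if (loginSucceeded) subject.getPrincipals().addAll(pending);
            return loginSucceeded;
        }
        public boolean abort() { subject.getPrincipals().removeAll(pending); pending.clear(); loginSucceeded = false; return true; }
        public boolean logout() { subject.getPrincipals().removeAll(pending); return true; }
    }

    /** Drives the module the way a container does (login() then commit()) and returns what ended up in the Subject. */
    public static Set<Principal> authenticate(Map<String, StoredCredential> users, String user, char[] password) throws LoginException {
        Map<String, Object> options = new HashMap<>();
        options.put("usermap", users);
        AppConfigurationEntry entry = new AppConfigurationEntry(MapLoginModule.class.getName(), LoginModuleControlFlag.REQUIRED, options);
        Configuration config = new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) { return new AppConfigurationEntry[] { entry }; }
        };
        CallbackHandler handler = callbacks -> {
            for (Callback c : callbacks) {
                if (c instanceof NameCallback) ((NameCallback) c).setName(user);
                else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword(password);
                else throw new UnsupportedCallbackException(c);
            }
        };
        LoginContext lc = new LoginContext("OrkitVASPortal", new Subject(), handler, config);
        lc.login();
        return lc.getSubject().getPrincipals();
    }

    public static void main(String[] args) throws Exception {
        Map<String, StoredCredential> users = new HashMap<>();   // constructed sample store with the post's user "a"
        users.put("a", new StoredCredential("passworda".toCharArray(), "g1"));
        System.out.println("a/passworda -> " + authenticate(users, "a", "passworda".toCharArray()));
        try { authenticate(users, "a", "wrong".toCharArray()); }
        catch (LoginException e) { System.out.println("a/wrong -> denied: " + e.getMessage()); }
    }
}
```

Compile and run with javac JaasCommitDemo.java && java JaasCommitDemo; the first call returns a Subject holding user:a and group:g1, the second throws. Changing addAll to removeAll in commit() makes the first call return an empty set while lc.login() still "succeeds", which is exactly the state a server is in when it re-displays the form. Inside WebLogic the same module would use WLSUserImpl and WLSGroupImpl as its principals; the commit() contract is unchanged.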

Similar Messages

  • ITunes Producer is stuck at Authenticating with the iTunes Store.

    I'm trying to update my ebook and it keeps getting stuck at the Authenticating with iTunes Store stage. I've done this before and have had no problems. Usually it takes a few seconds to a minute at the most. This time, I let it sit for close to 15 minutes. I don't think it's Authenticating. I've cancelled and tried again and again but nothing. What gives?

    Please view the answer posted by me below to solve this issue. I tried to solve it in many ways, and the following two methods worked for me.
    http://stackoverflow.com/a/19996704/1227485
    I hope it helps.

  • Glassfish 3.1 Container managed security - custom authentication

    I have used custom authentication with Tomcat and it works great. I am moving to GlassFish 3.1 and want to set it up there now. I haven't found any specifics for GlassFish 3.1. Has anybody got it working in GF 3.1?
    Thanks,
    John

    To follow up ...
    I am using container managed security and form based authentication. My custom SJSAS login realm, however, never fails to authenticate users. Instead of failing authentication when a username and password match cannot be found, I add the user to an 'unknown-user' group who has no rights to the application.
    I do this because I can then catch 403 errors for users who have failed authentication (because they are not authorized to access any pages), or for users who are not in the right role to access part of the application.
    It's not the way that I would prefer to handle login 'failures', but it works.

  • Custom Authentication Module on Identity Server

    Hi,
    I have a custom authentication module which I am trying to access through the policy agent.
    I have set the following property in the AMAgent.properties file:
    com.sun.am.policy.am.loginURL= http://host:port/amserver/UI/Login?module=CustomLoginModule.
    My login module code is something like this:
    package com.iplanet.am.samples.authentication.providers;

    import java.util.*;
    import javax.security.auth.Subject;
    import javax.security.auth.callback.Callback;
    import javax.security.auth.callback.NameCallback;
    import javax.security.auth.callback.PasswordCallback;
    import javax.security.auth.login.LoginException;
    import com.sun.identity.authentication.spi.AMLoginModule;
    import com.sun.identity.authentication.spi.AuthLoginException;

    public class LoginModule1 extends AMLoginModule {
        private String userName;
        private String userTokenId;
        private HashMap usersMap;
        private java.security.Principal userPrincipal = null;

        public LoginModule1() throws LoginException {
        }

        public void init(Subject subject, Map sharedState, Map options) {
            System.out.println("LoginModule1 initialization");
            // Users and their passwords are read from a "users" resource bundle
            usersMap = new HashMap();
            ResourceBundle bundle = ResourceBundle.getBundle("users");
            Enumeration users = bundle.getKeys();
            while (users.hasMoreElements()) {
                String user = (String) users.nextElement();
                String password = bundle.getString(user.trim());
                usersMap.put(user, password);
            }
        }

        public int process(Callback[] callbacks, int state) throws AuthLoginException {
            int currentState = state;
            if (currentState == 1) {
                userName = ((NameCallback) callbacks[0]).getName().trim();
                char[] passwd = ((PasswordCallback) callbacks[1]).getPassword();
                String passwdString = new String(passwd);
                if (userName.equals("")) {
                    throw new AuthLoginException("names must not be empty");
                }
                if (userName.equals("testuser") && passwdString.equals("testuser")) {
                    userTokenId = userName;
                    return -1; // -1 is ISAuthConstants.LOGIN_SUCCEED
                }
                if (usersMap.containsKey(userName)) {
                    if (usersMap.get(userName).equals(new String(passwd))) {
                        userTokenId = userName;
                        return -1;
                    }
                }
            }
            return 0;
        }

        public java.security.Principal getPrincipal() {
            if (userPrincipal != null) {
                return userPrincipal;
            } else if (userTokenId != null) {
                // SamplePrincipal is the Principal class from the same samples package
                userPrincipal = new SamplePrincipal("testuser");
                return userPrincipal;
            } else {
                return null;
            }
        }
    }
    So when the user requests a protected resource, the policy agent forwards the user to Identity Server with the module CustomLoginModule. However, after this, authentication does not succeed and I get the following error messages in the agent log file.
    2004-08-09 15:24:08.640 Error 2712:130f060 PolicyAgent: validate_session_policy() access allowed to unknown user
    2004-08-09 15:24:09.030 Error 2712:24fda5e8 PolicyAgent: validate_session_policy() access allowed to unknown user
    2004-08-09 15:24:23.484 Error 2712:130f060 PolicyAgent: validate_session_policy() access allowed to unknown user
    2004-08-09 15:24:28.281 Error 2712:24fda5e8 PolicyEngine: am_policy_evaluate: InternalException in Service::construct_auth_svc with error message:Application authentication failed during service creation. and code:20
    2004-08-09 15:24:28.281 Error 2712:24fda5e8 PolicyAgent: validate_session_policy() access allowed to unknown user
    2004-08-09 15:24:29.484 Error 2712:130f060 PolicyAgent: validate_session_policy() access allowed to unknown user
    2004-08-09 15:24:29.499 Error 2712:24fda5e8 PolicyEngine: am_policy_evaluate: InternalException in Service::construct_auth_svc with error message:Application authentication failed during service creation. and code:20
    2004-08-09 15:24:29.499 128 2712:24fda5e8 RemoteLog: User unknown was denied access to http://ps0391.persistent.co.in:80/test/index.html.
    2004-08-09 15:24:29.499 Error 2712:24fda5e8 LogService: LogService::logMessage() loggedBy SSOTokenID is invalid.
    2004-08-09 15:24:29.499 Error 2712:24fda5e8 all: am_log_vlog() failed with status AM_REMOTE_LOG_FAILURE.
    2004-08-09 15:24:29.499 -1 2712:24fda5e8 PolicyAgent: validate_session_policy() access denied to unknown user
    The necessary policy object has already been created in Identity Server. Please send your suggestions to fix this problem.
    Thanks
    Srinivas

    Does the principal "testuser" exist in your realm? If I understand your module correctly, it looks like it always returns "testuser".
    I am guessing that Access Manager is not finding your principal. Typically, if Access Manager cannot associate the principal returned by the custom AMLoginModule, it will fail the authentication.
    I am wondering if this is related to a separate problem I have seen with custom login modules. Try changing the code to return an LDAP-style principal; it may work:
    so return "uid=testuser,ou=People,dc=yourdomain,dc=com", for example. In theory this should not be necessary, but it solved some problems for me, though I am not sure why.

  • Custom Authentication Issue with Policy Agent

    Hi,
    I have a custom authentication module which is hosted on the BEA application server, and I am trying to access it through the policy agent on Apache.
    I have set the following property in the AMAgent.properties file:
    com.sun.am.policy.am.loginURL= http://host:port/amserver/UI/Login
    So when the user requests a protected resource, the policy agent forwards the user to Identity Server with the module CustomLoginModule. However, after this, authentication succeeds and a user session is created, but I get the following error messages in the agent log file.
    2004-10-19 16:20:26.908 Error 27620:e1140 PolicyEngine: am_policy_evaluate: InternalException in Service::construct_auth_svc with error message:Application authentication failed during service creation. and code:3
    2004-10-19 16:20:26.908 128 27620:e1140 RemoteLog: User unknown was denied access to http://hostname:port/weblogic/protapp/protected/a.html.
    2004-10-19 16:20:26.908 Error 27620:e1140 LogService: LogService::logMessage() loggedBy SSOTokenID is invalid.
    2004-10-19 16:20:26.909 Error 27620:e1140 all: am_log_vlog() failed with status AM_REMOTE_LOG_FAILURE.
    2004-10-19 16:20:26.909 -1 27620:e1140 PolicyAgent: URL Access Agent: access denied to unknown user
    The necessary policy object has already been created in Identity Server. Please send your suggestions to fix this problem.
    Thanks
    Neeraj

    Hi Neeraj,
    I still have not been able to resolve that issue. Let me know If you find a solution for the same.
    Thanks,
    Srinivas

  • How to configure SOA Suite 11g Worklist with LDAP Identity Store

    Hi
    I'm trying to configure the worklist app to use an LDAP identity store (SOA Suite 11g).
    The LDAP is an open-source LDAP (OpenDS in this case); it is NOT OID, OVD, Active Directory, WLS OVD or iPlanet.
    To do so, I made the following configurations:
    workflow-identity-config.xml
    <configuration realmName="realm1">
    <provider providerType="JPS" name="JpsProvider" service="Identity">
    <property name="jpsContextName" value="worklist" />
    </provider>
    </configuration>
    jps-config.xml
    <?xml version="1.0" encoding="UTF-8" standalone='yes'?>
    <jpsConfig xmlns="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd" schema-major-version="11" schema-minor-version="1">
         <!-- This property is for jaas mode. Possible values are "off", "doas" and "doasprivileged" -->
         <property name="oracle.security.jps.jaas.mode" value="off"/>
         <property name="custom.provider" value="true"/>
    <serviceProviders>
    <serviceProvider type="IDENTITY_STORE" name="idstore.ldap.provider" class="oracle.security.jps.internal.idstore.ldap.LdapIdentityStoreProvider">
    <description>LDAP-based IdentityStore Provider</description>
    </serviceProvider>
    </serviceProviders>
    <serviceInstances>
              <serviceInstance name="idstore.ldap.opends" provider="idstore.ldap.provider">
                   <property name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
                   <property name="idstore.type" value="CUSTOM"/>
                   <property name="ldap.url" value="ldap://host:port"/>
                   <property name="subscriber.name" value="dc=company,dc=com"/>
                   <property name="search.type" value="SIMPLE"/>
                   <property name="security.principal" value="cn=adminuser,dc=company,dc=com"/>
                   <property name="security.credential" value="!adminuser_password"/>
                   <property name="user.login.attr" value="cn"/>
                   <property name="username.attr" value="cn"/>               
                   <property name="groupname.attr" value="cn"/>
                   <extendedProperty>
                        <name>group.mandatory.attrs</name>
                        <values>
                             <value>cn</value>
                             <value>objectClass</value>
                        </values>
                   </extendedProperty>
                   <extendedProperty>
                        <name>group.object.classes</name>
                        <values>
                             <value>top</value>
                             <value>groupOfUniqueNames</value>
                        </values>
                   </extendedProperty>
                   <extendedProperty>
                        <name>group.filter.object.classes</name>
                        <values>
                             <value>groupOfUniqueNames</value>
                        </values>
                   </extendedProperty>
                   <extendedProperty>
                        <name>group.member.attrs</name>
                        <values>
                             <value>uniqueMember</value>
                        </values>
                   </extendedProperty>
                   <extendedProperty>
                        <name>group.search.bases</name>
                        <values>
                             <value>o=groups,dc=company,dc=com</value>
                        </values>
                   </extendedProperty>
                   <extendedProperty>
                        <name>user.mandatory.attrs</name>
                        <values>
                             <value>cn</value>
                             <value>objectClass</value>
                             <value>sn</value>
                        </values>
                   </extendedProperty>
                   <extendedProperty>
                        <name>user.object.classes</name>
                        <values>
                             <value>organizationalPerson</value>
                             <value>person</value>
                             <value>inetOrgPerson</value>
                             <value>top</value>
                        </values>
                   </extendedProperty>
                   <extendedProperty>
                        <name>user.filter.object.classes</name>
                        <values>
                             <value>inetOrgPerson</value>
                        </values>
                   </extendedProperty>
                   <extendedProperty>
                        <name>user.search.bases</name>
                        <values>
                             <value>o=users,dc=company,dc=com</value>
                        </values>
                   </extendedProperty>
              </serviceInstance>
         </serviceInstances>
    <jpsContexts default="default">
    <jpsContext name="worklist">
    <serviceInstanceRef ref="credstore"/>
    <serviceInstanceRef ref="keystore"/>
    <serviceInstanceRef ref="policystore.xml"/>
    <serviceInstanceRef ref="audit"/>
    <serviceInstanceRef ref="idstore.ldap.opends"/>
    </jpsContext>
    </jpsContexts>
    </jpsConfig>
    but I get the error:
    Jul 2, 2009 12:52:40 PM oracle.security.jps.internal.idstore.util.IdentityStoreUtil getIdentityStoreFactory
    WARNING: The identity store factory name is not configured.
    Jul 2, 2009 12:52:40 PM oracle.bpel.services.common.ServicesLogger __logException
    SEVERE: <.> Error in authenticating user.
    Error in authenticating and creating a workflow context for user realm1/user1.
    Verify that the user credentials and identity service configurations are correct.
    ORABPEL-30501
    Error in authenticating user.
    Error in authenticating and creating a workflow context for user sigfe.com/user1.
    Verify that the user credentials and identity service configurations are correct.
    at oracle.bpel.services.workflow.verification.impl.VerificationService.authenticateUser(VerificationService.java:603)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    So, does anyone know how I can specify the identity store factory,
    or the correct parameters for an LDAP identity store repository?
    I used the 11g documentation for the security file:
    http://download.oracle.com/docs/cd/E12839_01/core.1111/e10043/jpsprops.htm
    thanks

    I am having exactly the same issue. Once I configure the jps-config.xml file to use my custom authenticator and log into the worklist app, the following gets thrown. I was wondering if you need to map some roles to the existing users in the custom authenticator.
    Exception
    exception.70692.type: error
    exception.70692.severity: 2
    exception.70692.name: Error while granting BPMOrganizationAdmin role to SOAOperator.
    exception.70692.description: Error occured while granting the application role BPMOrganizationAdmin to application role SOAOperator.
    exception.70692.fix: In the policy store, please add SOAOperator role as a member of BPMOrganizationAdmin role, if it is not already present.

  • Need Help with Identity Asserter and Authenticator

    First I built a custom authentication provider, configured it in WebLogic without assertion, and deployed it as an MBean.
    Then I built one custom identity assertion separately and deployed it on WebLogic with the configuration below. Now my problem is that even though I pass the TOKEN in the header, WebLogic still prompts for username/password, though it successfully prints the token on the console inside the asserter.
    Also, I have set the following in config.xml to avoid that:
    <enforce-valid-basic-auth-credentials>false</enforce-valid-basic-auth-credentials>
    Web.xml
    <security-constraint>
              <display-name></display-name>
              <web-resource-collection>
                   <web-resource-name>anything</web-resource-name>
                   <url-pattern>/*</url-pattern>
                   <http-method>GET</http-method>
                   <http-method>PUT</http-method>
                   <http-method>HEAD</http-method>
                   <http-method>POST</http-method>
              </web-resource-collection>
              <auth-constraint>
                   <description>user </description>
                   <role-name>myuser</role-name>
              </auth-constraint>
         </security-constraint>
         <login-config>
              <auth-method>CLIENT-CERT</auth-method>
              <realm-name>myrealm</realm-name>
         </login-config>
         <security-role>
              <role-name>myuser</role-name>
         </security-role>
    Where do I need to define myuser in the WebLogic admin console?

    Hello!
    I've been trying to find a working example for creating a custom Identity Asserter... but the links to such resources in the old BEA docs are now broken...
    Can you point me towards a source of working code examples for an Identity Asserter?
    Thank you!
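The shape of a working perimeter identity asserter, as an added example that is neither the thread author's code nor the old BEA sample: it implements IdentityAsserterV2 next to AuthenticationProviderV2, validates the token WebLogic hands it, and returns a CallbackHandler that answers only NameCallback. The token type name OrkitPerimeterToken, the "username=" token format and the class name are assumptions. It compiles against the WebLogic SPI (weblogic.jar or wls-api.jar), and it is registered through the MDF: the MBeanType needs Implements="weblogic.management.security.authentication.IdentityAsserter", which brings the SupportedTypes, ActiveTypes and Base64DecodingRequired attributes, and the type name listed in ActiveTypes is also the HTTP header name the client must send.

```java
package orkit;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import weblogic.management.security.ProviderMBean;
import weblogic.security.service.ContextHandler;
import weblogic.security.spi.AuthenticationProviderV2;
import weblogic.security.spi.IdentityAsserterV2;
import weblogic.security.spi.IdentityAssertionException;
import weblogic.security.spi.PrincipalValidator;
import weblogic.security.spi.SecurityServices;

/**
 * Added example: perimeter identity asserter for one token type. WebLogic calls assertIdentity()
 * when a request carries an HTTP header whose name is one of the ActiveTypes; with
 * Base64DecodingRequired=true (the MDF default) the header value is base64-decoded first and
 * arrives here as a byte[].
 */
public final class OrkitTokenIdentityAsserter implements AuthenticationProviderV2, IdentityAsserterV2 {

    /** Assumed type name: must be listed in SupportedTypes/ActiveTypes and is the header name sent by the client. */
    public static final String TOKEN_TYPE = "OrkitPerimeterToken";
    private static final String TOKEN_PREFIX = "username=";   // assumed token format

    private String description;

    public void initialize(ProviderMBean mbean, SecurityServices services) {
        description = mbean.getDescription();
    }
    public String getDescription() { return description; }
    public void shutdown() { }

    // An asserter-only provider: no login module, no assertion module, no principal validator of its own.
    public AppConfigurationEntry getLoginModuleConfiguration() { return null; }
    public AppConfigurationEntry getAssertionModuleConfiguration() { return null; }
    public PrincipalValidator getPrincipalValidator() { return null; }
    public IdentityAsserterV2 getIdentityAsserter() { return this; }

    public CallbackHandler assertIdentity(String type, Object token, ContextHandler context)
            throws IdentityAssertionException {
        if (!TOKEN_TYPE.equals(type)) {
            throw new IdentityAssertionException("unknown token type " + type);
        }
        if (!(token instanceof byte[])) {
            throw new IdentityAssertionException("token must be a byte[]");
        }
        final String userName = userFromToken((byte[]) token);
        // The handler answers only NameCallback: the realm's login modules run next in
        // assertion mode with it, get the user name, and must not ask for a password.
        return new CallbackHandler() {
            public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
                for (Callback cb : callbacks) {
                    if (cb instanceof NameCallback) {
                        ((NameCallback) cb).setName(userName);
                    } else {
                        throw new UnsupportedCallbackException(cb, "only NameCallback is supported");
                    }
                }
            }
        };
    }

    /** Parses and checks the decoded token. Pure Java, so it can be unit-tested without a server. */
    static String userFromToken(byte[] tokenBytes) throws IdentityAssertionException {
        if (tokenBytes == null || tokenBytes.length == 0) throw new IdentityAssertionException("empty token");
        String tokenStr = new String(tokenBytes, StandardCharsets.UTF_8);
        if (!tokenStr.startsWith(TOKEN_PREFIX)) throw new IdentityAssertionException("malformed token");
        String user = tokenStr.substring(TOKEN_PREFIX.length()).trim();
        if (user.isEmpty()) throw new IdentityAssertionException("empty user name in token");
        // A bare "username=" token is forgeable by anyone who can reach the server directly.
        // A production token must carry something only the trusted perimeter can produce
        // (an HMAC or signature over the name plus an expiry), and that check belongs here.
        return user;
    }
}
```

Two configuration points decide whether a login prompt still appears after the asserter has printed the token: the type must be in ActiveTypes, or assertIdentity() is never invoked for that header, and the user the asserter names still has to be acceptable to the realm's authenticators, whose login modules run in assertion mode with the returned handler (the DefaultAuthenticator only accepts names it can find in its own store). The caveat in userFromToken() is the important one for a perimeter design: the server must either be unreachable except through the perimeter that issues the token, or the token must be verifiable.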

  • Problem with using OID as Identity Store for OAM

    I have OAM 11.1.1.5.1 and OID 11.1.1.5.
    I switched the embedded LDAP to OID as the default as well as the system identity store, following the doc http://docs.oracle.com/cd/E21764_01/doc.1111/e15478/datasrc.htm#BHCJEDJA
    In OID I have created the group Administrators and added the users weblogic, weblogicoi, oamtester and more to it.
    Only weblogic can sign into the OAM console with one login:
    http://<host>:/oamconsole is redirected to the page on OAM port 14100 with the login wizard; I get in with the weblogic account credentials.
    The others have to log in twice:
    http://<host>:/oamconsole is redirected to the page on OAM port 14100 with the login wizard;
    after I key in the user credentials, I get redirected back to the page on port 7001 with the login wizard; I key in the user credentials again and get in.
    All the passwords used are the ones in OID, which confirms that OID is OAM's identity store.
    It seems weblogic is the seed account. Could I have missed something for granting privileges to the others? If so, what did I miss? Do I have to create an authentication provider with OID (LDAP) in the WLS security realm? If so, is that mandatory?
    Edited by: gadba on Jan 14, 2012 7:06 AM

    Hi,
    Did you set the Authentication Module to use your newly created User Identity Store, or is it still pointing to your default UserIdentityStore1? If not, you will have to modify this configuration in your Access Manager settings. Also, make sure that your new User Identity Store is set as the default store as well as the system store.
    ~Yagnesh

  • Restful Web Services - First Party Authentication with custom authentication schemes

    Hi
    I've successfully enabled security using first-party authentication on our RESTful web services; however, these only work with the built-in APEX accounts and not with other authentication schemes.
    Ideally I'd like to authenticate against LDAP; however, when I enable this authentication scheme the RESTful services don't work, as they only support the APEX accounts.
    Has anyone implemented LDAP authentication for APEX RESTful web services, either directly or using GlassFish? Does anyone know if support for custom authentication schemes is on the feature roadmap for a future Listener release?
    I attempted to configure the GlassFish application against LDAP but am still working on it. GlassFish never challenged the client to authenticate (it's only to be for the web service endpoints and nothing else), so any pointers on how to set that up for APEX would be appreciated.
    Thanks
    Kes

    Hi Gemma,
    unfortunately at the moment you are caught between a rock and a hard place:
    - As you point out there is no way in APEX for a user to self-register themselves, short of developing your own table to store users and configuring APEX custom auth to authenticate against that table
    - Listener can only authenticate against the APEX user repository; it cannot integrate with custom APEX authentication.
    There may be other options though, by leveraging the authentication capabilities in the JRE and/or WebLogic/GlassFish application servers. We're interested in addressing this use case, so if you wish to investigate further please send me an email ( colm <dot> divilly <at> oracle <dot> com).
    Thanks,
    Colm Divilly

  • Is LDAP or AD as a external identity store recommended in ISE implementation for machine authentication

    Hi Experts,
    I have a question about external identity store integration in ISE. I had the chance to go through the Cisco doc for ISE configuration, especially for external identity stores.
    There are two ways to configure an external identity store:
    1) AD
    2) LDAP
    Which one is actually recommended? Technically, which one would be more convenient to configure to set up machine authentication? Do we have any limitations in terms of functionality in either one?

    Hi Leo,
    its not duplicate post , I have created one more post where you have linked that is for client policy enforcement . I want to understand how certificates will be pushed to client.
    This post is to understand the LDAP & AD intergration with ISE .
    I have requirement where client is asking to intergrate machine database using LDAP.
    I am quite new for LDAP intergration that is the reason I have created this discussion.

  • Client certificate authentication with custom authorization for J2EE roles?

    We have a Java application deployed on Sun Java Web Server 7.0u2 where we would like to secure it with client certificates, and a custom mapping of subject DNs onto J2EE roles (e.g., "visitor", "registered-user", "admin"). If our web.xml includes:
    <login-config>
        <auth-method>CLIENT-CERT</auth-method>
        <realm-name>certificate</realm-name>
    </login-config>
    that will enforce that only users with valid client certs can access our app, but I don't see any hook for mapping different roles. Is there one? Can anyone point to documentation, or an example?
    On the other hand, if we wanted to create a custom realm, the only documentation I have found is the sample JDBCRealm, which includes extending IASPasswordLoginModule. In our case, we wouldn't want to prompt for a password; we would want to examine the client certificate, so we would want to extend some base class higher up the hierarchy. I'm not sure whether I can provide any class that implements javax.security.auth.spi.LoginModule, or whether the Web Server requires it to implement or extend something more specific. It would be ideal if there were an IASCertificateLoginModule that handled the certificate authentication, and allowed me to access the subject DN info from the certificate (e.g., through a javax.security.auth.Subject) and cache group info to support a specialized IASRealm::getGroupNames(string user) method for authorization. In a case like that, I'm not sure whether the web.xml should be:
    <login-config>
        <auth-method>CLIENT-CERT</auth-method>
        <realm-name>MyRealm</realm-name>
    </login-config>
    or:
    <login-config>
        <auth-method>MyRealm</auth-method>
    </login-config>
    Anybody done anything like this before?
    --Thanks

    We have JDBCRealm.java and JDBCLoginModule.java in <ws-install-dir>/samples/java/webapps/security/jdbcrealm/src/samples/security/jdbcrealm. I think we need to tweak it to suit our needs:
    $cat JDBCRealm.java
    /**
     * JDBCRealm for supporting RDBMS authentication.
     * <P>This login module provides a sample implementation of a custom realm.
     * You may use this sample as a template for creating alternate custom
     * authentication realm implementations to suit your applications needs.
     * <P>In order to plug in a realm into the server you need to
     * implement both a login module (see JDBCLoginModule for an example)
     * which performs the authentication and a realm (as shown by this
     * class) which is used to manage other realm operations.
     * <P>A custom realm should implement the following methods:
     * <ul>
     *  <li>init(props)
     *  <li>getAuthType()
     *  <li>getGroupNames(username)
     * </ul>
     * <P>IASRealm and other classes and fields referenced in the sample
     * code should be treated as opaque undocumented interfaces.
     */
    final public class JDBCRealm extends IASRealm {
        protected void init(Properties props)
            throws BadRealmException, NoSuchRealmException
        public java.util.Enumeration getGroupNames (String username)
            throws InvalidOperationException, NoSuchUserException
        public void setGroupNames(String username, String[] groups)
    }
    and
    $cat JDBCLoginModule.java
    /**
     * JDBCRealm login module.
     * <P>This login module provides a sample implementation of a custom realm.
     * You may use this sample as a template for creating alternate custom
     * authentication realm implementations to suit your applications needs.
     * <P>In order to plug in a realm into the server you need to implement
     * both a login module (as shown by this class) which performs the
     * authentication and a realm (see JDBCRealm for an example) which is used
     * to manage other realm operations.
     * <P>The PasswordLoginModule class is a JAAS LoginModule and must be
     * extended by this class. PasswordLoginModule provides internal
     * implementations for all the LoginModule methods (such as login(),
     * commit()). This class should not override these methods.
     * <P>This class is only required to implement the authenticate() method as
     * shown below. The following rules need to be followed in the implementation
     * of this method:
     * <ul>
     *  <li>Your code should obtain the user and password to authenticate from
     *       _username and _password fields, respectively.
     *  <li>The authenticate method must finish with this call:
     *      return commitAuthentication(_username, _password, _currentRealm,
     *      grpList);
     *  <li>The grpList parameter is a String[] which can optionally be
     *      populated to contain the list of groups this user belongs to
     * </ul>
     * <P>The PasswordLoginModule, AuthenticationStatus and other classes and
     * fields referenced in the sample code should be treated as opaque
     * undocumented interfaces.
     * <P>Sample setting in server.xml for JDBCLoginModule
     * <pre>
     *    <auth-realm name="jdbc" classname="samples.security.jdbcrealm.JDBCRealm">
     *      <property name="dbdrivername" value="com.pointbase.jdbc.jdbcUniversalDriver"/>
     *       <property name="jaas-context"  value="jdbcRealm"/>
     *    </auth-realm>
     * </pre>
     */
    public class JDBCLoginModule extends PasswordLoginModule {
        protected AuthenticationStatus authenticate()
            throws LoginException
        private String[] authenticate(String username,String passwd)
        private Connection getConnection() throws SQLException
    }
    One more article: [http://developers.sun.com/appserver/reference/techart/as8_authentication/]
    You can try to extend "com/iplanet/ias/security/auth/realm/certificate/CertificateRealm.java"
    [http://fisheye5.cenqua.com/browse/glassfish/appserv-core/src/java/com/sun/enterprise/security/auth/realm/certificate/CertificateRealm.java?r=SJSAS_9_0]
    $cat CertificateRealm.java
    package com.iplanet.ias.security.auth.realm.certificate;
    /**
     * Realm wrapper for supporting certificate authentication.
     * <P>The certificate realm provides the security-service functionality
     * needed to process a client-cert authentication. Since the SSL processing,
     * and client certificate verification is done by NSS, no authentication
     * is actually done by this realm. It only serves the purpose of being
     * registered as the certificate handler realm and to service group
     * membership requests during web container role checks.
     * <P>There is no JAAS LoginModule corresponding to the certificate
     * realm. The purpose of a JAAS LoginModule is to implement the actual
     * authentication processing, which for the case of this certificate
     * realm is already done by the time execution gets to Java.
     * <P>The certificate realm needs the following properties in its
     * configuration: None.
     * <P>The following optional attributes can also be specified:
     * <ul>
     *   <li>assign-groups - A comma-separated list of group names which
     *       will be assigned to all users who present a cryptographically
     *       valid certificate. Since groups are otherwise not supported
     *       by the cert realm, this allows grouping cert users
     *       for convenience.
     * </ul>
     */
    public class CertificateRealm extends IASRealm {
        protected void init(Properties props)
        /**
         * Returns the name of all the groups that this user belongs to.
         * @param username Name of the user in this realm whose group listing
         *     is needed.
         * @return Enumeration of group names (strings).
         * @exception InvalidOperationException thrown if the realm does not
         *     support this operation - e.g. Certificate realm does not support
         *     this operation.
         */
        public Enumeration getGroupNames(String username)
            throws NoSuchUserException, InvalidOperationException
        /**
         * Complete authentication of certificate user.
         * <P>As noted, the certificate realm does not do the actual
         * authentication (signature and cert chain validation) for
         * the user certificate, this is done earlier in NSS. This default
         * implementation does nothing. The call has been preserved from S1AS
         * as a placeholder for potential subclasses which may take some
         * action.
         * @param certs The array of certificates provided in the request.
         */
        public void authenticate(X509Certificate certs[])
            throws LoginException
        {
            // Set up SecurityContext, but that is not applicable to S1WS..
        }
    }
    Edited by: mv on Apr 24, 2009 7:04 AM
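    One way to do the DN-to-role mapping the question asks for, as an added example that is not from the original post or from the Sun sample. DnRoleMapper is a hypothetical plain-JDK (Java 9+) helper; the assumptions are that a CertificateRealm subclass would call register() from its authenticate(X509Certificate[]) hook and getGroupNames() from its own getGroupNames(username), and that the container passes the subject DN as the username (the page itself calls these interfaces undocumented).

```java
import java.security.cert.X509Certificate;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;

/**
 * Hypothetical helper: maps a client certificate's subject DN onto J2EE group
 * names and caches the result per user, so a CertificateRealm subclass can answer
 * getGroupNames(username) from the cache instead of re-reading the certificate.
 */
public final class DnRoleMapper {
    private final Map<String, List<String>> ouToGroups;   // OU value -> groups
    private final List<String> assignGroups;              // granted to every valid cert holder
    private final Map<String, String[]> groupCache = new ConcurrentHashMap<>(); // DN -> groups

    public DnRoleMapper(Map<String, List<String>> ouToGroups, List<String> assignGroups) {
        this.ouToGroups = ouToGroups;
        this.assignGroups = assignGroups;
    }

    // Assumed call site: the realm's authenticate(X509Certificate[]) hook. NSS has
    // already validated the chain by then, so only the group decision is made here.
    public String[] register(X509Certificate[] certs) throws InvalidNameException {
        if (certs == null || certs.length == 0) {
            throw new IllegalArgumentException("no client certificate presented");
        }
        String dn = certs[0].getSubjectX500Principal().getName(X500Principal.RFC2253);
        String[] groups = groupsForDn(dn);
        groupCache.put(dn, groups);
        return groups;
    }

    // Pure mapping step. The DN is parsed with LdapName rather than searched as a
    // string, so an "OU=Admins" embedded in a CN value is not mistaken for a real OU.
    // Unknown OUs fall back to assignGroups only (least privilege).
    public String[] groupsForDn(String dn) throws InvalidNameException {
        LinkedHashSet<String> groups = new LinkedHashSet<>(assignGroups);
        for (Rdn rdn : new LdapName(dn).getRdns()) {
            if ("OU".equalsIgnoreCase(rdn.getType())) {
                List<String> mapped = ouToGroups.get(String.valueOf(rdn.getValue()));
                if (mapped != null) {
                    groups.addAll(mapped);
                }
            }
        }
        return groups.toArray(new String[0]);
    }

    // Assumed call site: the realm's getGroupNames(username), with the container
    // passing the subject DN as username. Unknown users are rejected, not defaulted.
    public Enumeration<String> getGroupNames(String username) {
        String[] groups = groupCache.get(username);
        if (groups == null) {
            throw new NoSuchElementException("no authenticated certificate user: " + username);
        }
        return Collections.enumeration(Arrays.asList(groups));
    }

    // Stand-alone demo on constructed DNs; no real certificate is needed.
    public static void main(String[] args) throws InvalidNameException {
        Map<String, List<String>> ous = Map.of(
            "Admins", List.of("registered-user", "admin"),
            "Members", List.of("registered-user"));
        DnRoleMapper mapper = new DnRoleMapper(ous, List.of("visitor"));
        for (String dn : new String[] {
                "CN=Alice,OU=Admins,O=Example Corp,C=US",
                "CN=Bob,OU=Members,O=Example Corp,C=US",
                "CN=OU=Admins\\,Mallory,OU=Contractors,O=Example Corp,C=US"}) {
            System.out.println(dn + " -> " + Arrays.toString(mapper.groupsForDn(dn)));
        }
    }
}
```

    The third constructed DN shows why the RDN parser matters: its CN value contains the text "OU=Admins", yet only the real OU (Contractors, unmapped) is considered, so that user gets the assign-groups default alone.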

  • Not Working-central web-authentication with a switch and Identity Service Engine

    Following up on the document "Configuration example: central web-authentication with a switch and Identity Service Engine" by Nicolas Darchis: since the redirection on the switch is not working, I'm asking for your help...
    I'm using ISE version 1.0.4.573 and a WS-C2960-24PC-L with software 12.2(55)SE1 and image C2960-LANBASEK9-M for the access.
    The interface configuration looks like this:
    interface FastEthernet0/24
    switchport access vlan 6
    switchport mode access
    switchport voice vlan 20
    ip access-group webauth in
    authentication event fail action next-method
    authentication event server dead action authorize
    authentication event server alive action reinitialize
    authentication order mab
    authentication priority mab
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    authentication violation restrict
    mab
    spanning-tree portfast
    end
    The ACLs:
    Extended IP access list webauth
        10 permit ip any any
    Extended IP access list redirect
        10 deny ip any host 172.22.2.38
        20 permit tcp any any eq www
        30 permit tcp any any eq 443
    The ISE-side configuration I followed step by step...
    When I connect the XP client, I see the following authentication session...
    swlx0x0x#show authentication sessions interface fastEthernet 0/24
               Interface:  FastEthernet0/24
              MAC Address:  0015.c549.5c99
               IP Address:  172.22.3.184
                User-Name:  00-15-C5-49-5C-99
                   Status:  Authz Success
                   Domain:  DATA
           Oper host mode:  single-host
         Oper control dir:  both
            Authorized By:  Authentication Server
               Vlan Group:  N/A
         URL Redirect ACL:  redirect
             URL Redirect: https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  AC16011F000000490AC1A9E2
          Acct Session ID:  0x00000077
                   Handle:  0xB7000049
    Runnable methods list:
           Method   State
           mab      Authc Success
    But there is no redirection, and I get the following message on the switch console:
    756005: Mar 28 11:40:30: epm-redirect:IP=172.22.3.184: No redirection policy for this host
    756006: Mar 28 11:40:30: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_qualify ...
    I have to mention I'm using an http proxy on port 8080...
    Any Ideas on what is going wrong?
    Regards
    Nuno

    OK, so I upgraded the IOS to version
    SW Version: 12.2(55)SE5, SW Image: C2960-LANBASEK9-M
    I tweaked the ACLs to the following:
    Extended IP access list redirect
        10 permit ip any any (13 matches)
    and created a DACL that is downloaded along with the authentication
    Extended IP access list xACSACLx-IP-redirect-4f743d58 (per-user)
        10 permit ip any any
    I can see the epm session
    swlx0x0x#show epm session ip 172.22.3.74
         Admission feature:  DOT1X
         ACS ACL:  xACSACLx-IP-redirect-4f743d58
         URL Redirect ACL:  redirect
         URL Redirect:  https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa
    And authentication
    swlx0x0x#show authentication sessions interface fastEthernet 0/24
         Interface:  FastEthernet0/24
         MAC Address:  0015.c549.5c99
         IP Address:  172.22.3.74
         User-Name:  00-15-C5-49-5C-99
         Status:  Authz Success
         Domain:  DATA
         Oper host mode:  multi-auth
         Oper control dir:  both
         Authorized By:  Authentication Server
         Vlan Group:  N/A
         ACS ACL:  xACSACLx-IP-redirect-4f743d58
         URL Redirect ACL:  redirect
         URL Redirect:  https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa
         Session timeout:  N/A
         Idle timeout:  N/A
         Common Session ID:  AC16011F000000160042BD98
         Acct Session ID:  0x0000001B
         Handle:  0x90000016
         Runnable methods list:
         Method   State
         mab      Authc Success
    In the logging, I get the following messages...
    017857: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_qualify ...
    017858: Mar 29 11:27:04: epm-redirect:epm_redirect_cache_gen_hash: IP=172.22.3.74 Hash=271
    017859: Mar 29 11:27:04: epm-redirect:IP=172.22.3.74: CacheEntryGet Success
    017860: Mar 29 11:27:04: epm-redirect:IP=172.22.3.74: Ingress packet on [idb= FastEthernet0/24] matched with [acl=redirect]
    017861: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: Enqueue the packet with if_input=FastEthernet0/24
    017862: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_process ...
    017863: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: Not an HTTP(s) packet
    What am I missing?

  • Can Actions Menu of Interactive Reports work with Custom Authentication?

    My testing is leading me to believe that the Actions Menu does not work with Custom Authentication (but only works with APEX Authentication) in APEX 3.1.2. If that's true, then is there a workaround for this?
    Just to clarify, I've posted/asked this question twice before:
    1) Re: Actions Menu in Interactive Reports does not sort, filter, select cols etc
    2) Interactive Report actions don't work for users (i.e. for non-developers)
    But I've come to believe this is the main problem. I just don't know how to resolve or work around it.
    Thanks for any help.

    I haven't set up a sample because my custom authentication is using LDAP authentication. I'm not sure how I can replicate that on the samples server?
    I'm using LDAP authentication with a Page Sentry function. My further testing reveals that the Page Sentry function is setting the APEX variable "user" to NULL (i.e. blank) whenever there's any code in the Page Sentry function box. PL/SQL code as simple as
    BEGIN return TRUE; END;
    in the Page Sentry function box sets the "user" to <null>. When the Page Sentry function box is left empty (no code specified), it sets the "user" properly after authentication against the specified LDAP directory.
    What all this has to do with Interactive Reports...
    It seems that when the user is NULL it messes up Interactive Reports that are stored in the flows database. Although it shows the default report properly, no runtime interactive actions (filtering, sorting, column break, etc.) work.
    Can someone please correct or confirm this?
    Thanks.

  • Display custom hosts attributes in Internal Identity Store

    Anyone know how to display custom attributes in the Internal Identity Store?
    I have created several attributes, but can't seem to find any way to add them to the display window.
    Cheers

    They are displayed by default and there's no actual way to hide them.
    Are you sure that you didn't create a custom HOST attribute and are looking in the internal user table, or vice versa? Hosts and users have different custom attributes pages. That's the only explanation I see.

  • Problems with custom authentication when migrating from 3.2 to 4.1.1

    Hi,
    we're about to upgrade our APEX instances to 4.1.1 and to migrate our applications. I encountered some problems with our custom authentication scheme.
    1.     Recognizing already authenticated sessions: in 3.2 the sentry function could return false as long as the user was not authenticated. Public pages could still be displayed (including the login page). The function apex_custom_auth.is_session_valid returned false until the sentry function had returned true once. How can I recognize non-authenticated sessions in 4.1.1? I looked for the test that the condition "User is the public user (user has not authenticated)" computes on a page but didn't find the right one. It's not what the documentation states here (comparison with the public user): http://docs.oracle.com/cd/E23903_01/doc/doc.41/e21674/condition001.htm#HTMDB25943. I replaced the test with p_authentication.username = 'nobody'. It works, but that doesn't seem to me to be the right way ...
    2.     Post-logout lacks session context: the Post Logout Procedure does not receive a session_id or username. Neither V('APP_SESSION') nor p_authentication.session_id is set. This applies to both plugin authentication schemes and non-plugin custom authentication schemes. Is there another way to obtain the logged-out session's info, or is this a bug?
    See apex.oracle.com for a demo, workspace WS_MW, gast/gast. Can someone please show me the way?
    Michael

    Hello again,
    there are no replies until now ... I reviewed some posts regarding custom authentication again and did not find any solution for the issues. I found some that worked with APEX 3.2.1 but not with 4.1.1. I can only work around
    1.) in an insecure way, because the undocumented (?) user "nobody" can change and all new sessions will then be considered authenticated
    2.) in a way that ends up implementing the logout from the non-APEX environment outside the authentication scheme or authentication plugin.
    Maybe I should contact support for at least the second issue because this doesn't work as documented, or am I doing something wrong?
    Michael
