Custom Authorization Class to set Credentials

I am basing this off of the 'Access Management Authentication Class
Extension to Retrieve Password for Single Sign-on | Novell User
Communities'
(http://www.novell.com/communities/no...rd-single-sign)
coolsolution. I have tried the exact class from this coolsolution, and
I have also tried decompiling the code and making numerous changes to it
for validation. I have not been able to verify that this coolsolution
works in 3.1.
We have two methods on a contract. The first method uses the Kerberos
class. The second was custom developed, whose purpose is to find the ID
of the logged in user (the NIDPPrincipal), grab the password from
Universal Password (using NMAS tools), and set it in the AM credential
profile for use in policies.
The status is that Kerberos authenticates successfully, the second
class runs, successfully grabs the Universal Password, and runs the
following commands:

SSSecret localSSSecret = new SSSecret();
localSSSecret.setName(new SSName("LDAPCredentials"));
SSSecretEntry localSSSecretEntry =
    new SSSecretEntry("UserPassword", paramString);
localSSSecret.addSecretEntry(localSSSecretEntry);
addCredential(WSCQSSToken.SS_SecretEntry_LDAPCredentials_UserPassword,
    localSSSecretEntry);

Where "paramString" is the Universal Password. I have printed this
password to the log to verify it is the correct Universal Password for
the user.
If I do a getCredentials() prior to running the addCredential method, I
get 0 back. If I run it after, I get 1. This seems OK, however I would
expect that my username and DN should already be in the credential
profile, and that I should initially be getting 2 credentials back, not
0.
Here is a section of the IDP log that I see directly after the second,
custom, Authentication class runs. I copied it twice, once in the
scenario when the custom authentication class follows a Kerberos class
(so no password provided by the user), and the second when followed by a
Form-based authentication (password provided by the user). In the first
case, notice there is no "WSCCacheEntry Found!" entry in the log after
the final lookup of UserPassword, but it does appear in the Form
example.
I have tried doing an addCredentials() in the custom auth class, and
this adds two more entries into the credential profile (when I run the
getCredentials() function). However, still the password credential is
not available after the class is done.
Set: AuthenticationCredentials, Allowed override: false
</amLogEntry>
<amLogEntry> 2009-04-24T16:29:37Z NIDS Trace: Method:
WSCCachePushedCacheSet.find()
Thread: http-80-Processor21
(1 of 6):
Looking for WSCCacheEntry in WSCCachePushedCacheSet! Target token
uniqueId:
NEPXurn~3Anovell~3Acredentialprofile~3A2005-03~2Fcp~3ASecrets~2Fcp~3ASecret~40~40~40~40WSCQSSToken~40~40~40~40~2Fcp~3ASecrets~2Fcp~3ASecret~5Bcp~3AName~3D~22LDAPCredentials~22~5D,
set: AuthenticationCredentials
(2 of 6):
Looking for WSCCacheEntry in WSCCachePushedCacheSet! Target token
uniqueId:
NEPXurn~3Anovell~3Acredentialprofile~3A2005-03~2Fcp~3ASecrets~2Fcp~3ASecret~2Fcp~3AEntry~40~40~40~40WSCQSSToken~40~40~40~40~2Fcp~3ASecrets~2Fcp~3ASecret~5Bcp~3AName~3D~22LDAPCredentials~22~5D~2Fcp~3AEntry~5Bcp~3AName~3D~22UserName~22~5D,
set: AuthenticationCredentials
(3 of 6):
WSCCacheEntry Found!
(4 of 6):
Looking for WSCCacheEntry in WSCCachePushedCacheSet! Target token
uniqueId:
NEPXurn~3Anovell~3Acredentialprofile~3A2005-03~2Fcp~3ASecrets~2Fcp~3ASecret~2Fcp~3AEntry~40~40~40~40WSCQSSToken~40~40~40~40~2Fcp~3ASecrets~2Fcp~3ASecret~5Bcp~3AName~3D~22LDAPCredentials~22~5D~2Fcp~3AEntry~5Bcp~3AName~3D~22UserDN~22~5D,
set: AuthenticationCredentials
(5 of 6):
WSCCacheEntry Found!
(6 of 6):
Looking for WSCCacheEntry in WSCCachePushedCacheSet! Target token
uniqueId:
NEPXurn~3Anovell~3Acredentialprofile~3A2005-03~2Fcp~3ASecrets~2Fcp~3ASecret~2Fcp~3AEntry~40~40~40~40WSCQSSToken~40~40~40~40~2Fcp~3ASecrets~2Fcp~3ASecret~5Bcp~3AName~3D~22LDAPCredentials~22~5D~2Fcp~3AEntry~5Bcp~3AName~3D~22UserPassword~22~5D,
set: AuthenticationCredentials
</amLogEntry>
When doing in the form auth, I see the following:
Set: AuthenticationCredentials, Allowed override: false
</amLogEntry>
<amLogEntry> 2009-04-24T16:48:32Z NIDS Trace: Method:
WSCCachePushedCacheSet.find()
Thread: http-80-Processor25
(1 of 7):
Looking for WSCCacheEntry in WSCCachePushedCacheSet! Target token
uniqueId:
NEPXurn~3Anovell~3Acredentialprofile~3A2005-03~2Fcp~3ASecrets~2Fcp~3ASecret~40~40~40~40WSCQSSToken~40~40~40~40~2Fcp~3ASecrets~2Fcp~3ASecret~5Bcp~3AName~3D~22LDAPCredentials~22~5D,
set: AuthenticationCredentials
(2 of 7):
Looking for WSCCacheEntry in WSCCachePushedCacheSet! Target token
uniqueId:
NEPXurn~3Anovell~3Acredentialprofile~3A2005-03~2Fcp~3ASecrets~2Fcp~3ASecret~2Fcp~3AEntry~40~40~40~40WSCQSSToken~40~40~40~40~2Fcp~3ASecrets~2Fcp~3ASecret~5Bcp~3AName~3D~22LDAPCredentials~22~5D~2Fcp~3AEntry~5Bcp~3AName~3D~22UserName~22~5D,
set: AuthenticationCredentials
(3 of 7):
WSCCacheEntry Found!
(4 of 7):
Looking for WSCCacheEntry in WSCCachePushedCacheSet! Target token
uniqueId:
NEPXurn~3Anovell~3Acredentialprofile~3A2005-03~2Fcp~3ASecrets~2Fcp~3ASecret~2Fcp~3AEntry~40~40~40~40WSCQSSToken~40~40~40~40~2Fcp~3ASecrets~2Fcp~3ASecret~5Bcp~3AName~3D~22LDAPCredentials~22~5D~2Fcp~3AEntry~5Bcp~3AName~3D~22UserDN~22~5D,
set: AuthenticationCredentials
(5 of 7):
WSCCacheEntry Found!
(6 of 7):
Looking for WSCCacheEntry in WSCCachePushedCacheSet! Target token
uniqueId:
NEPXurn~3Anovell~3Acredentialprofile~3A2005-03~2Fcp~3ASecrets~2Fcp~3ASecret~2Fcp~3AEntry~40~40~40~40WSCQSSToken~40~40~40~40~2Fcp~3ASecrets~2Fcp~3ASecret~5Bcp~3AName~3D~22LDAPCredentials~22~5D~2Fcp~3AEntry~5Bcp~3AName~3D~22UserPassword~22~5D,
set: AuthenticationCredentials
(7 of 7):
WSCCacheEntry Found!
</amLogEntry>
So, somehow it doesn't seem to set the value in the credential cache,
or whatever that thing is. And since it's not there, it doesn't add it
to the credential set.
Any thoughts on whether it should be doing what I want it to? This whole
scenario can be tested by installing the coolsolution package and adding
it after a Kerberos class.
Thanks to anyone who can support me on this.
jessesmith
jessesmith's Profile: http://forums.novell.com/member.php?userid=10189
View this thread: http://forums.novell.com/showthread.php?t=371692
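
An added example, not part of the original post or of Access Manager: a Python script that pairs each lookup in a WSCCachePushedCacheSet.find() trace with its "WSCCacheEntry Found!" line and decodes the ~XX escapes in the token ids, so the Kerberos and form traces can be compared. Reading ~XX as hex escapes is inferred from the log lines above; the sample traces are constructed from those lines, and all function and constant names are hypothetical.

```python
import re

LOOKING = ("Looking for WSCCacheEntry in WSCCachePushedCacheSet! Target token\n"
           "uniqueId:\n")
FOUND = "WSCCacheEntry Found!"

# Constructed sample input modelled on the two traces in the post. The stray
# spaces inside the ids imitate the line-wrap damage seen in pasted logs.
BASE = "NEPXurn~3Anovell~3Acredentialprofile~3A2005-03~2Fcp~3ASecrets~2Fcp~3ASecret"
SECRET_ID = (BASE + "~40~40~40~40WSCQSST oken~40~40~40~40~2Fcp~3ASecrets"
             "~2Fcp~3ASecret~5Bcp ~3AName~3D~22LDAPCredentials~22~5D")
ENTRY_ID = (BASE + "~2Fcp~3AEntry~40~40 ~40~40WSCQSSToken~40~40~40~40~2Fcp~3ASecrets"
            "~2Fcp~ 3ASecret~5Bcp~3AName~3D~22LDAPCredentials~22~5D~2F cp~3AEntry"
            "~5Bcp~3AName~3D~22{name}~22~5D")


def lookup(token_id):
    """Render one 'Looking for ...' step the way the trace prints it."""
    return LOOKING + token_id + ",\nset: AuthenticationCredentials"


def build_entry(stamp, thread, steps):
    """Assemble a constructed <amLogEntry> from a list of step bodies."""
    body = "".join(f"({i} of {len(steps)}):\n{s}\n" for i, s in enumerate(steps, 1))
    return (f"<amLogEntry> {stamp} NIDS Trace: Method:\nWSCCachePushedCacheSet.find()\n"
            f"Thread: {thread}\n{body}</amLogEntry>\n")


COMMON = [lookup(SECRET_ID),
          lookup(ENTRY_ID.format(name="UserName")), FOUND,
          lookup(ENTRY_ID.format(name="UserDN")), FOUND,
          lookup(ENTRY_ID.format(name="UserPassword"))]
KERBEROS_TRACE = build_entry("2009-04-24T16:29:37Z", "http-80-Processor21", COMMON)
FORM_TRACE = build_entry("2009-04-24T16:48:32Z", "http-80-Processor25", COMMON + [FOUND])

ENTRY_RE = re.compile(
    r"<amLogEntry>\s*(\S+)\s+NIDS Trace: Method:\s*"
    r"WSCCachePushedCacheSet\.find\(\)(.*?)</amLogEntry>", re.S)
STEP_RE = re.compile(r"\(\d+ of \d+\):")
LOOKUP_RE = re.compile(
    r"Looking for WSCCacheEntry.*?uniqueId:\s*(.*?),\s*set:\s*(\S+)", re.S)


def decode_token_id(raw):
    """Drop wrap-induced whitespace, then turn each ~XX into its character."""
    compact = re.sub(r"\s+", "", raw)
    return re.sub(r"~([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), compact)


def token_label(raw):
    """Short label built from the cp:Name predicates, e.g. LDAPCredentials/UserDN."""
    decoded = decode_token_id(raw)
    names = re.findall(r'cp:Name="([^"]+)"', decoded)
    return "/".join(names) or decoded


def parse_find_entries(text):
    """Return one dict per find() trace entry with its lookups and hit/miss state."""
    entries = []
    for stamp, body in ENTRY_RE.findall(text):
        thread = re.search(r"Thread:\s*(\S+)", body)
        lookups = []
        for step in STEP_RE.split(body)[1:]:
            match = LOOKUP_RE.search(step)
            if match:
                lookups.append({"token": token_label(match.group(1)),
                                "set": match.group(2), "found": False})
            elif FOUND in step and lookups:
                # A "Found!" step reports on the lookup printed just before it.
                lookups[-1]["found"] = True
        entries.append({"time": stamp,
                        "thread": thread.group(1) if thread else None,
                        "lookups": lookups})
    return entries


def missed_tokens(entry):
    """Labels of lookups that were never followed by 'WSCCacheEntry Found!'."""
    return [item["token"] for item in entry["lookups"] if not item["found"]]


def only_missed_in(first, second):
    """Lookups that miss in the first trace entry but not in the second."""
    return sorted(set(missed_tokens(first)) - set(missed_tokens(second)))


if __name__ == "__main__":
    kerberos, form = parse_find_entries(KERBEROS_TRACE + FORM_TRACE)
    for entry in (kerberos, form):
        print(entry["time"], entry["thread"], "missed:", missed_tokens(entry))
    print("missed only after Kerberos:", only_missed_in(kerberos, form))
```

In both traces the secret-level LDAPCredentials lookup is not followed by a "Found!" line; the UserPassword entry is the only lookup whose result differs between the two.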

just updating this one with the solution ... just needed to go to the
method used and disable the 'identify user' option.
Here's the online help regarding this option:
Identifies User: Specifies whether this authentication method should be
used to identify the user. Usually, you should enable this option. When
configuring multiple methods for a contract, you might need to disable
this option for some methods.
If you enable this option on two or more methods in a contract, these
methods need to identify the same user in the same user store.
If you enable this option on just one method in the contract, that
method identifies the user when the authentication method succeeds. The
other methods in the contract must succeed, but might not authenticate
the user. For example, the method that identifies the user could require
a name and a password for authentication, and the other method in the
contract could prompt for a certificate that identifies the user's
computer.
ncashell
ncashell's Profile: http://forums.novell.com/member.php?userid=7281
View this thread: http://forums.novell.com/showthread.php?t=371692

Similar Messages

  • Set the value of a shared secret in a custom auth class

    Hello All,
    We are trying to use a custom authentication class to gain
    additional parameter to pass along in a SAML assertion to a third party
    vendor. We have successfully added the new custom auth class, but we
    are unable to determine how to assign the value of this new parameter to
    anything that is accessible in the creation of the SAML profile.
    The first idea was to use a shared secret. Although we have been able
    to create the shared secret, it does not have any value assigned.
    Here's the code used based on the code used by the PwLookupLogin class
    in the ba-idp-auth.jar file:
    private void setUserTAG(String paramString) {
        SSSecret localSSSecret = new SSSecret();
        localSSSecret.setName(new SSName("tag_van"));
        SSSecretEntry localSSSecretEntry = new SSSecretEntry("tag_van", paramString);
        localSSSecret.addSecretEntry(localSSSecretEntry);
        addCredential(WSCQSSToken.SS_SecretName, localSSSecretEntry);
    }
    The second idea was to make use of the "CustomizableStringOne" found in
    a posting in this forum on how to extend a X.509 auth class:
    http://forums.novell.com/novell-deve....html#poststop
    The code we have tried follows:
    private void setUserSSN(String paramString) {
        // Makes use of the "Customizable String One [Custom Profile]"
        try
        {
            // Customizable attribute 1 is the one we use to contain customer data to send,
            // but this can change to another if necessary
            WSCMOPToken token =
                (WSCMOPToken)WSCToken.getToken(WSCMOPToken.OP_CS_CustomizableString1.getTokenUniqueId());
            // Build object for new data
            WSFModelEntry modelEntry = token.getModelEntry();
            IDSISCommonAttributeElement data = modelEntry.getSchemaClassInstance();
            if (data instanceof IDSISLeafAttributeElement) {
                ((IDSISLeafAttributeElement)data).setText(paramString);
            }
            WSCMDataToken dataToken = new WSCMDataToken(token, data);
            dataToken.setAllowOverride(true);
        }
        // Any exception is swallowed here, so a failure leaves no trace in the log
        catch (Exception ex) {}
    }
    Again, the same problem. No value is found when the idpsend CGI tries
    to generate the assertion.
    We are really struggling to understand how this should work. The basic
    problem is this: How can we set a variable within a Java class that can
    be accessed by the idpsend CGI to be used as an attribute within the
    SAML assertion?
    Any ideas would be greatly appreciated. Thanks.
    keongregory
    keongregory's Profile: http://forums.novell.com/member.php?userid=40599
    View this thread: http://forums.novell.com/showthread.php?t=415440

    keongregory wrote:
    >
    > Hello All,
    > We are trying to use a custom authentication class to gain
    > additional parameter to pass along in a SAML assertion to a third
    > party vendor. We have successfully added the new custom auth class,
    > but we are unable to determine how to assign the value of this new
    > parameter to anything that is accessible in the creation of the SAML
    > profile.
    >
    > The first idea was to use a shared secret. Although we have been
    > able to create the shared secret, it does not have any value
    > assigned. Here's the code used based on the code used by the
    > PwLookupLogin class in the ba-idp-auth.jar file:
    >
    > private void setUserTAG(String paramString) {
    > SSSecret localSSSecret = new SSSecret();
    > localSSSecret.setName(new SSName("tag_van"));
    > SSSecretEntry localSSSecretEntry = new SSSecretEntry("tag_van",
    > paramString);
    > localSSSecret.addSecretEntry(localSSSecretEntry);
    > addCredential(WSCQSSToken.SS_SecretName, localSSSecretEntry);
    > }
    >
    >
    > The second idea was to make use of the "CustomizableStringOne" found
    > in a posting in this forum on how to extend a X.509 auth class:
    > http://forums.novell.com/novell-deve...ess-manager/376654-using-x509-subject-identity-injection-post1826642.html#poststop
    >
    >
    > The code we have tried follows:
    >
    >
    > private void setUserSSN(String paramString) {
    > // Makes use of the "Customizable String One [Custom Profile]"
    > try
    > {
    > // Customizable attribute 1 is the one we use to contain customer data to send,
    > // but this can change to another if necessary
    > WSCMOPToken token =
    > (WSCMOPToken)WSCToken.getToken(WSCMOPToken.OP_CS_CustomizableString1.getTokenUniqueId());
    >
    > // Build object for new data
    > WSFModelEntry modelEntry = token.getModelEntry();
    > IDSISCommonAttributeElement data =
    > modelEntry.getSchemaClassInstance();
    > if (data instanceof IDSISLeafAttributeElement) {
    > ((IDSISLeafAttributeElement)data).setText(paramString);
    > }
    >
    > WSCMDataToken dataToken = new WSCMDataToken(token, data);
    > dataToken.setAllowOverride(true);
    > }
    > catch (Exception ex) {}
    > }
    >
    >
    > Again, the same problem. No value is found when the idpsend CGI
    > tries to generate the assertion.
    >
    > We are really struggling to understand how this should work. The
    > basic problem is this: How can we set a variable within a Java class
    > that can be accessed by the idpsend CGI to be used as an attribute
    > within the SAML assertion?
    >
    > Any ideas would be greatly appreciated. Thanks.
    We are using this successfully (the code looks strangely familiar).
    Don't try to store it in the secret store. You can actually store it in
    the customizable string attributes.
    Try to use this:
    protected int doAuthenticate()
    {
        String attribute1 = m_Request.getParameter("attribute1");
        // Custom Attribute 1
        try
        {
            // Customizable attribute 1 is the one we use to contain customer data to send,
            // but this can change to another if necessary
            WSCMOPToken token =
                (WSCMOPToken)WSCToken.getToken(WSCMOPToken.OP_CS_CustomizableString1.getTokenUniqueId());
            // Build object for new data
            WSFModelEntry modelEntry = token.getModelEntry();
            IDSISCommonAttributeElement data = modelEntry.getSchemaClassInstance();
            if (data instanceof IDSISLeafAttributeElement)
            {
                ((IDSISLeafAttributeElement)data).setText(attribute1);
            }
            WSCMDataToken dataToken = new WSCMDataToken(token, data);
            dataToken.setAllowOverride(true);
        }
        catch (Exception ex) {}
        String url = m_SessionData.appendIDToUrl(NIDPContext.getNIDPContext().getBaseUrl()
            + getProperty("Protocol") + "/idpsend?PID=" + getProperty("ITS"));
        m_Request.setAttribute("url", url);
        // Going to top ensures we are not displaying in any frames
        ((NIDPServletContext)NIDPContext.getNIDPContext()).goJSP(m_Request, m_Response, "top");
        return HANDLED_REQUEST;
    }
    The above code is a non-identifying method (it doesn't return an
    'authenticated'). You would chain it with another method that
    identifies the user before this is being processed.
    To check if a user is authenticated or not you could use:
    if (!m_Session.isAuthenticated())
        return NOT_AUTHENTICATED;
    Once the method is processed it should have created a
    LibertyUserProfile object within the eDir that comes with the admin
    console.
    You can find these in
    ou=libertyUserProfile0,ou=<clusterobject>,ou=cluster,ou=nids,ou=accessManagerContainer,o=novell
    Hopefully this helps.
    Cheers,
    Edward

  • Custom authorization object and check logic

    Hi gurus,
    we need to apply additional authorization check in our custom reports.
    so i created a custom fields & object, and put the statement
          AUTHORITY-CHECK OBJECT 'ZHR_APP01' FOR USER uname
                   ID 'ZROLEID' FIELD '03'
                   ID 'ZSOBID'  FIELD zzdwbm.
    in a abap class method centrally, so it could be called by many reports.
    but the test show that the sy-subrc always set to 0, even for users without any authorization.
    what i missed for adding custom auth check?
    for this case, do i need to maintain authorization check indicator in SU24?
    what i am confused is that , su24, you have to maintain a transaction , but our authorization check is not for transaction , but for reports and bsp application, how should i maintain su24 for that?
    thanks and best regards.
    Jun

    Hi,
    I have created a Custom Authorization Object for HR named Z_ORIGIN (it has Personnel Subarea field BTRTL besides what's there in Auth. Object P_ORIGIN) and made it Check/Maintain for transaction PA30 in SU24.
    I can see the entries in the USOBT_C & USOBX_C tables for this object, I am also able to add this object in the roles as well.
    Everything looks fine, but when I execute the transaction  the object Z_ORIGIN is never checked (for a user having this object in his/her User Master). Only P_ORIGIN object is checked instead.
    We've run the report RPUACG00 also which is mentioned in this thread.
    We also coded the authority check code in the both user exit ZXPADU01 and ZXPADU02 for PA infotype operations
    I believe I'll have to write some ABAP code e.g. AUTHORITY-CHECK OBJECT 'ZP_ORGIN' etc. Can anybody tell which User Exit or Field Exit I'll have to put the AUTHORITY-CHECK code in, so that my new custom authorization object is always checked
    but still it is taking the P_ORGIN object.

  • How to create a Platinum,Gold and Silver Customer and how to set different price for a single material based on customer?

    Hi All,
    How to create a Platinum,Gold and Silver Customer and how to set different price for a single material based on customer?
    Assume Material is Pen.
    While creating Sales Order in VA01 how to bring different price for the same material for Platinum,Gold and Silver Customers.
    Kindly help me out.
    Thanks,
    Renjith Jose

    A good place to start is http://www.javaworld.com/javaworld/javatips/jw-javatip34.html
    Also, do a search in this forum on HttpURLConnection. That class allows you to use POST method to send form data to a web server.
    "Hidden" variables are only hidden in HTML. The HTTP that gets POSTed to the web server doesn't distinguish between hidden and not hidden. That is, the content you would write to the HttpURLConnection.getOutputStream() would be something like:
    hidden=1&submit=ok
    (Of course, the variable names would depend on what the web server was expecting from the form.)
    Also, be sure to set the Content-Type request parameter to "application/x-www-form-urlencoded"

  • How to add custom authorization object to a SAP standard transaction

    Hi All,
    I have a standard tcode IW22 (change PM Notification) and I would lock changing when some users modify the field Functional Location (field TPLNR).
    Since this field does not have an authorization object associated, I've tried to solve this problem with the following steps:
    - tcode SU20 - creation of new authorization field TPLNR with data element TPLNR
    - tcode SU21 - creation of  a new auth object in transaction SU21 with name ZPM and field (TPLNR, ACTVT and TCOD)
    - tcode SU24 - insert of new authorization field and check indicator (green)
    - tcode SU22 - check indicator - check (green)
    After this we have created a new role with PFCG and add transaction IW22; the new auth.ZPM was added manually.
    We have tried to analyze log (ST01 trace) but it seems no check was made in the trace file.
    It seems new authorization object was not checked.
    My question is: "Is it possible to add a custom authorization object into standard transaction and implementing authorization check without writing abap code in exit or badi ?"
    Thanks
    Maurizio

    > My question is: "Is it possible to add a custom authorization object into standard transaction and implementing authorization check without writing abap code in exit or badi ?"
    >
    No .. not possible. The list of Auth. objects SAP proposed in SU24 for each Stnd. SAP TCodes are basically documentation of the Authority-Checks in the program for that TCode. The extra advantage of SU24 is to set the object status (means the proposal for availability in PFCG) among any of the four check indicators. So that we can provide our own value (customer specific values which are basically defined and separate from sap provided values) and reinforce the authorization concept of the organization.
    So you need to provide a Authority-Check for ZPM in the program of IW22 to make sure that the fields you want to be checked are really being checked during execution of the tcode.
    Regards,
    Dipanjan

  • HR ABAP Custom Authorization Check

    Hi all,
    We know that Implicit authorization check is carried out. The system determines whether the user has the authorizations required for the organizational features of the employees selected with
    GET PERNR.
        I have a question, if we create a custom authorization then, whether this custom authorization is checked or not.
    Thanks in Advance.

    There is no difference in the coding of the check, which as RJ has stated needs to be somewhere at the correct coding location... otherwise it is going no where.
    Some special differences are:
    - The object class of the custom object in SU21 => Authorization objects in HR cannot be deactivated context specifically in SU24. You can create custom objects within SAP classes.
    - Depending on the transport type of your system, you will have to maintain transaction SU24 with a check indicator for the object - so make it known that the transaction has the capability to check the object. This does not affect "customer" systems, but is still a very good practice for the same reason that SAP forces it in their own development systems.
    - Additional object checks in SE93 (which are typically "plausibility" checks) are not subject to this restraint. The check is always there, and your ability to bypass it is limited if you check the tcode authority of the caller at initialization of the (called) coding context. CALL TRANSACTION will skip this check, unless the called transaction is sy-tcode already (as it is in variant transactions... which urban legends claim to be secured to use for CALL TRANSACTION).
    This concept is to a large extent influenced by SAP's own development guidelines and "settings" - but it is advisable to understand them and the intended authorization concept - to be able to create consistent customer implementations of SAP products.
    Of course there are exceptions to the rules... but they generally cause problems and sooner or later need to be corrected as well when the auditors get hold of them....
    Cheers,
    Julius
    Edited by: Julius Bussche on Apr 27, 2009 9:03 PM

  • Custom style classes

    hi all,
    Is it possible to create some custom style classes and assign them to styleClass property of some components?
    And if it possible, where to place those custom classes and how to use them?
    I've tried without success.
    Regards,
    Bassam

    So this begs the question... if I wanted to change the color of a font on a af:panelHeader for example, (inlineStyle="background-color:navy;color:white;") or I set it up as a class in my css e.g. (styleClass="ph" where the css class is ph{background-color:navy;color:white;}) why doesn't the af:panelHeader component render as one would expect... with a blue back ground and white text? I'm using JDeveloper11g.

  • Custom Java class called from RTF template generates error

    We are running a report in BI Publisher and the report calls a custom developed Java class that is used to bind PDFs together and send the result to another application.
    On the RTF template we have some XSLT that reads the input XML and sets a variable which is then passed to the Java class. We are however getting the following error when the report is called simultaneously 2 or more times:
    XML-22044: (Error) Extension function error: Error invoking 'JavaClassName': 'java.lang.Error: Cannot interweave overlay template with pdf input, combined number of pages is odd!
    I read this as the real cause of the error is the Java code but I'm not 100% sure. Also I don't understand what the error message means.
    Could someone help out please?
    Many thanks

    Since our this requirement is in Quotes module, its not using OAF. It is using plain JSPs and java classes.
    What i was thinking is, create the Option values as flex fields, and write a custom java class to fetch these data from the flex tables and use it in the JSP.
    The main problem we are facing now is,
    "...we wrote a simple java class, which establishes database connection, executes a simple insert & select query to our custom table. compiled & placed the class file under our new pkg structure under $JAVA_TOP eg. oracle.apps.xxx.quot.tmpl , bounced the apache."
    But when we tried to import this class in the jsp (which is being customized), the app just threw Internal Server Error and we couldn't find any info in the Log file.
    Couldn't guess, why is this simple thing failing. Any idea?

  • Sql Query in Custom Java Class in OIM 9x

    Hi All,
    I'm having requirement where I need to execute SQL Select Query in custom java class.
    The class is a action class, in a method I'm trying to execute SQL Query as below
        sdkDataSet = new tcDataSet();
        dataprovider = sdkDataSet.getDataBase();
        //sdkDataSet = new tcDataSet();
        sdkDataSet.setQuery(dataprovider, sdkQuery);
        sdkDataSet.executeQuery();
        logger.debug(CLASSNAME + methodName + "Query Executed");
        if (sdkDataSet.getRowCount() > 0) {
            sdkName = sdkDataSet.getString(0);
            logger.debug(CLASSNAME + methodName + "The sdkName is " + sdkName);
        }
    Error is returned in logs
    tcDataSetException    Must set a query before executing
    I hope issue is coming due to dataprovider dbrefence.
    Kindly let me know how to execute sql query in a action class.
    Regards,
    Krish

    Hi Pallavi,
    Thanks for your reply...
    The OOTB class name is com.thortech.xl.webclient.actions.ApprovalsAction
    This class displays the pending approvals for a user. On the pending approval page, I need to add one more attribute, let's say the email of the beneficiary user. I have a query which will fetch the email value based on the RequestID.
    select usr.usr_email from rqu rqu, usr usr, act act where rqu.usr_key=usr.usr_key and usr.act_key=act.act_key and rqu.req_key=1234
    Please let me know if there is any way to get the email with or without executing the query.
    Regards,
    Krish

  • Custom java class in Quoting screen Customization

    Hi,
    We are working on customization of a couple of screens in the Quote module, especially the Create Template screen. We decided to add a new property to the Template, and the user needs to choose among a set of values for this new property through a radio button.
    Instead of hardcoding these property values and radio buttons, we thought we would define this data in some lookup table, then fetch and display it.
    Now, since we are defining this lookup data, should we write our custom Java class to interact with the database and fetch it from a lookup table (should we use flex fields?)?
    If we are going to write a custom Java object, is there any guidance on how to compile and deploy it, and on standards for it?
    Message was edited by:
    tcesenthil

    Since this requirement of ours is in the Quotes module, it's not using OAF. It is using plain JSPs and Java classes.
    What I was thinking is: create the option values as flex fields, and write a custom Java class to fetch this data from the flex tables and use it in the JSP.
    The main problem we are facing now is,
    "...we wrote a simple Java class, which establishes a database connection and executes a simple insert & select query against our custom table. We compiled and placed the class file under our new package structure under $JAVA_TOP, e.g. oracle.apps.xxx.quot.tmpl, and bounced Apache."
    But when we tried to import this class in the JSP (which is being customized), the app just threw an Internal Server Error and we couldn't find any info in the log file.
    We couldn't guess why this simple thing is failing. Any idea?

  • 11g - LDAP Sync - Select Custom Object class based on user type

    Hi Gurus,
    We have LDAP Sync set up between OIM 11g and ODSEE. We have some custom object classes in ODSEE; when users are created in OIM, they are created in ODSEE with all the object classes, and everything is working fine.
    Now we have to select the object class based on the OIM user type while pushing the user to ODSEE through LDAP sync.
    We checked LDAPUser.xml; we don't have any option to choose a custom object class based on user type.
    We need suggestions on how to go forward with this requirement.

    Do you have OVD between OIM and ODSEE? If yes, then this can be handled at OVD. By modifying the LDAP Adapter and setting up search for users with custom objectclass instead of inetorgperson.
    Flow would be as follows:
    OIM --> LDAPRequest to Create User with inetorgperson to OVD --> OVD --> change request's objectclass to custom objectclass --> Create user in OID with custom objectclass
    ~Yagnesh

  • How to resolve #{row} of af:table in custom tag class?

    Hi all,
    My customer creates custom converter tag with some attributes. When they use it outside af:table, it works as expected.
    However when they use it in af:table and set "#{row.value}" into the tag's attribute, it doesn't work because it can't resolve #{row} EL expression.
    The method they wrote is like below.
        private Object getExpressionValue(ValueExpression expression) {
            if (expression == null) {
                return null;
            }
            final ELContext elContext =
                FacesContext.getCurrentInstance().getELContext();
            return expression.getValue(elContext);
        }
    Does anyone know a way to resolve the #{row} expression in a custom tag class?
    If you share sample codes, it will be much appreciated.
    Regards,
    Atsushi

    Hi,
    the row variable is a temporary variable, which means that #{row} may work when the table renders but not when users edit fields in a table and then submit the change. You don't really mention what doesn't work for your customer (and wouldn't it be better if your customer could post here on OTN to avoid you becoming a dispatcher?). An expression #{row.value}, for example, doesn't exist unless your customer uses a POJO model that has a property "value", in which case the entity has a setValue/getValue.
    Frank

  • Authorization class and entitlements inheritance

    Hello,
    We're using the Authorization.isAccessAllowed() method to check if a user is entitled to view a page.
    We've created a few entitlements which contain a role expression based on the user's session. When these entitlements are set on the page and the user's session does not satisfy one of the entitlements, then the Authorization class returns the correct results (i.e. false).
    However, if we set no entitlements on the page and set the entitlements on the book which the page is in, then the Authorization returns true.
    Is there a way through the API for the entitlements on the book to be evaluated when we're checking the page? So can the entitlements be inherited?
    My assumption was, if the user is not entitled to view a book, they should not be entitled to view any other pages/books within that book.
    Regards,
    Jonathan
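
The behaviour described in the post above, next to an inherited check that walks up from the page to its enclosing books. This is an added example, not code from the thread or from the portal product: the `Node` type, both method names and the sample roles are hypothetical, and it assumes a node passes when at least one of its entitlements matches the session.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import java.util.function.Predicate;

// Hypothetical model, not the portal's API: a Node is a book or a page, and
// an entitlement is a predicate over the role names held by the session.
public class InheritedEntitlements {
    static final class Node {
        final String name;
        final Node parent; // null for the top-level book
        final List<Predicate<Set<String>>> entitlements = new ArrayList<>();
        Node(String name, Node parent) { this.name = name; this.parent = parent; }
    }

    // Behaviour reported in the post: only the node's own entitlements are
    // evaluated, so a page with none is allowed whatever its book requires.
    static boolean allowedOwnOnly(Node node, Set<String> roles) {
        return satisfies(node, roles);
    }

    // Inherited check: the node and every ancestor must admit the session.
    static boolean allowedInherited(Node node, Set<String> roles) {
        for (Node n = node; n != null; n = n.parent) {
            if (!satisfies(n, roles)) {
                return false; // one denying ancestor denies everything below it
            }
        }
        return true;
    }

    // Assumption: a node without entitlements adds no restriction of its own;
    // otherwise at least one of its entitlements has to match.
    private static boolean satisfies(Node n, Set<String> roles) {
        return n.entitlements.isEmpty()
            || n.entitlements.stream().anyMatch(e -> e.test(roles));
    }

    public static void main(String[] args) {
        // Constructed sample data: a restricted book holding an unrestricted page.
        Node book = new Node("hrBook", null);
        book.entitlements.add(r -> r.contains("hr"));
        Node page = new Node("salaryPage", book);

        Set<String> employee = Set.of("employee");
        System.out.println("own-only, employee:  " + allowedOwnOnly(page, employee));
        System.out.println("inherited, employee: " + allowedInherited(page, employee));
        System.out.println("inherited, hr:       " + allowedInherited(page, Set.of("hr")));
    }
}
```

With the sample data, the own-only check admits the employee session to the page while the inherited check denies it and admits only the session holding the `hr` role.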

    Hi
    So the target system is OK, the request type is OK, and the user is OK as well?
    I suppose yes, because you've created it so it should be your user.
    It's very strange. I've tried to check when that message is triggered and I've found it only for a wrong target system, but the message could be called dynamically.
    Try to check when that message is called by debugging; you can create a watchpoint for SY-MSGNO = 519
    Max

  • Function PIT don't recognize a Custom Processing Class

    Hi all,
    I've defined a brand new custom processing class in order to evaluate some WT for labor cost, but when I try to call the PIT function with param 2 set to P90 (my processing class is numbered 90), the check gives me an error message:
    With regard to function PIT, specified processing class 90 does not exist
    Message no. 5P 414
    Diagnosis
    You have specified a processing class which does not exist or is not
    permitted for the country grouping of the schema.
    Is there any additional operation to perform?
    Thank you in advance.
    Paolo

    Hi Paolo,
    could you please explain the solution in more detail? I have also come across the same problem, and I have tried the following. Is that what you meant in your reply?
    pe02 -> attributes -> country grouping = 13 (Australia) in place of *
    Is that all? Otherwise, could you please explain the situation.
    Regards,
    Anil

  • Customizing Authorizations

    Dear all,
    what are the by SAP recommended and needed Authorizations for Customization? I am looking for a document by SAP mentioning the situation for SRM.
    We are facing the situation of strict role & authorization management at a company, where they also do not allow SAP standard roles. I need proven SAP document why extensive SAP authorizations needed in SRM. We do not have the time, to trace all tables, transactions etc. to rebuild SAP standard roles & authorizations.
    Any help & info is highly appreciated.
    Cheers,
    Claudia

    As we are all aware, SRM is a role-based application. However, you are also right, and the customer is also right, to ask us this question.
    In SAP SRM one or more predefined roles are assigned to each user or user account. Depending on
    the role, the user is authorized to carry out certain transactions and access certain data. In addition,
    each user or user account is assigned to its company and/or organizational unit. By way of this
    assignment, the user inherits additional attributes that further restrict access, for example, employees
    may only assign purchase orders to their own cost centers.
    In the standard SAP SRM delivery, customers receive predefined role templates that they can extend
    or adapt to their specific requirements. The standard roles include roles for managers, employees,
    and so on.
    Individual users access SAP SRM transactions and data via their browsers and then transfer sensitive
    confidential data. This information must be protected against unauthorized access. As standard, this
    is taken care of by encoding all data during the transfer from the Web Server to the browser. SAP
    SRM follows the standard in this case and supports secure HTTP.
    Roles for System Configuration
    Users wanting to set up or configure an SAP SRM Server system are assigned to the SAP SRM
    Administrator role, which provides them with the required authorizations. The necessary Customizing
    authorizations ensure that these setup users are able to carry out IMG projects.
    For more information, see http://help.sap.com SAP NetWeaver SAP NetWeaver 7.0 Including
    Enhancement Package 1 System Administration Security Guide User Administration and Authentication
    User Management .
    Do you want this security guide released by SAP?
    Security Guide
    SAP Supplier Relationship Management powered by SAP
    NetWeaver®
    Target Audience
    - System administrators
    - Technology consultants
    Mail to business ID, I will send it to you. I believe I have downloaded it from the marketplace? Are you looking for this document?
    I have read and listened to some WebEx slide discussions on the role arena from SAP experts. If you could not locate it, I will search for you.
    br
    muthu
