Custom authorization for MDB in WLS 7.0
Hi,
Does anyone know how to authorize MDB using a Custom Authorization
Provider while the Weblogic Container registers the MDB as a listener
to JMS queue? My Custom Authorization Provider uses an oracle database
to store user roles and access control lists to allow a certain role
to access specific weblogic resources.
Any assistance is highly appreciated.
Thanks
Siva
The main reason is that JMS topics do not work well with HTTP clients. A topic cannot
initiate an HTTP call to the subscriber, so we have to store the message in memory
outside of JMS waiting for the subscriber to call us. Reliability is lost (if anyone
cared). The lifecycle of the outbound message is controled by the HTTP session timeout
(yuck!). This did not look like a solid feature that we should support.
If you like it, you can implement it yourself. I would recommend using JAX-RPC
handlers for that.
Thanks,
-ruslan
Michael Poulin wrote:
The deprication note is in "Creating JMS-Implemented WebLogic Web Services, section
Overview of JMS ...
Similar Messages
-
Customizing Authorization for Controlling
Hello, Experts,
I need to create a role with authorization for SPRO but only for the Controling branch.
How do I do it ?
Thank you !
Rami Kleiman - HPHi,
DSK- How do create configuration project ?
Anil - Can you be more specific ? PFCG is transaction for creating roles.
When I add SPRO to the role, it DOES NOT add all the authorization for
the SPRO options.
Thank you,
Rami -
Client certificate authentication with custom authorization for J2EE roles?
We have a Java application deployed on Sun Java Web Server 7.0u2 where we would like to secure it with client certificates, and a custom mapping of subject DNs onto J2EE roles (e.g., "visitor", "registered-user", "admin"). If we our web.xml includes:
<login-config>
<auth-method>CLIENT-CERT</auth-method>
<realm-name>certificate</realm-name>
<login-config>that will enforce that only users with valid client certs can access our app, but I don't see any hook for mapping different roles. Is there one? Can anyone point to documentation, or an example?
On the other hand, if we wanted to create a custom realm, the only documentation I have found is the sample JDBCRealm, which includes extending IASPasswordLoginModule. In our case, we wouldn't want to prompt for a password, we would want to examine the client certificate, so we would want to extend some base class higher up the hierarchy. I'm not sure whether I can provide any class that implements javax.security.auth.spi.LoginModule, or whether the WebServer requires it to implement or extend something more specific. It would be ideal if there were an IASCertificateLoginModule that handled the certificate authentication, and allowed me to access the subject DN info from the certificate (e.g., thru a javax.security.auth.Subject) and cache group info to support a specialized IASRealm::getGroupNames(string user) method for authorization. In a case like that, I'm not sure whether the web.xml should be:
<login-config>
<auth-method>CLIENT-CERT</auth-method>
<realm-name>MyRealm</realm-name>
<login-config>or:
<login-config>
<auth-method>MyRealm</auth-method>
<login-config>Anybody done anything like this before?
--ThanksWe have JDBCRealm.java and JDBCLoginModule.java in <ws-install-dir>/samples/java/webapps/security/jdbcrealm/src/samples/security/jdbcrealm. I think we need to tweak it to suite our needs :
$cat JDBCRealm.java
* JDBCRealm for supporting RDBMS authentication.
* <P>This login module provides a sample implementation of a custom realm.
* You may use this sample as a template for creating alternate custom
* authentication realm implementations to suit your applications needs.
* <P>In order to plug in a realm into the server you need to
* implement both a login module (see JDBCLoginModule for an example)
* which performs the authentication and a realm (as shown by this
* class) which is used to manage other realm operations.
* <P>A custom realm should implement the following methods:
* <ul>
* <li>init(props)
* <li>getAuthType()
* <li>getGroupNames(username)
* </ul>
* <P>IASRealm and other classes and fields referenced in the sample
* code should be treated as opaque undocumented interfaces.
final public class JDBCRealm extends IASRealm
protected void init(Properties props)
throws BadRealmException, NoSuchRealmException
public java.util.Enumeration getGroupNames (String username)
throws InvalidOperationException, NoSuchUserException
public void setGroupNames(String username, String[] groups)
}and
$cat JDBCLoginModule.java
* JDBCRealm login module.
* <P>This login module provides a sample implementation of a custom realm.
* You may use this sample as a template for creating alternate custom
* authentication realm implementations to suit your applications needs.
* <P>In order to plug in a realm into the server you need to implement
* both a login module (as shown by this class) which performs the
* authentication and a realm (see JDBCRealm for an example) which is used
* to manage other realm operations.
* <P>The PasswordLoginModule class is a JAAS LoginModule and must be
* extended by this class. PasswordLoginModule provides internal
* implementations for all the LoginModule methods (such as login(),
* commit()). This class should not override these methods.
* <P>This class is only required to implement the authenticate() method as
* shown below. The following rules need to be followed in the implementation
* of this method:
* <ul>
* <li>Your code should obtain the user and password to authenticate from
* _username and _password fields, respectively.
* <li>The authenticate method must finish with this call:
* return commitAuthentication(_username, _password, _currentRealm,
* grpList);
* <li>The grpList parameter is a String[] which can optionally be
* populated to contain the list of groups this user belongs to
* </ul>
* <P>The PasswordLoginModule, AuthenticationStatus and other classes and
* fields referenced in the sample code should be treated as opaque
* undocumented interfaces.
* <P>Sample setting in server.xml for JDBCLoginModule
* <pre>
* <auth-realm name="jdbc" classname="samples.security.jdbcrealm.JDBCRealm">
* <property name="dbdrivername" value="com.pointbase.jdbc.jdbcUniversalDriver"/>
* <property name="jaas-context" value="jdbcRealm"/>
* </auth-realm>
* </pre>
public class JDBCLoginModule extends PasswordLoginModule
protected AuthenticationStatus authenticate()
throws LoginException
private String[] authenticate(String username,String passwd)
private Connection getConnection() throws SQLException
}One more article [http://developers.sun.com/appserver/reference/techart/as8_authentication/]
You can try to extend "com/iplanet/ias/security/auth/realm/certificate/CertificateRealm.java"
[http://fisheye5.cenqua.com/browse/glassfish/appserv-core/src/java/com/sun/enterprise/security/auth/realm/certificate/CertificateRealm.java?r=SJSAS_9_0]
$cat CertificateRealm.java
package com.iplanet.ias.security.auth.realm.certificate;
* Realm wrapper for supporting certificate authentication.
* <P>The certificate realm provides the security-service functionality
* needed to process a client-cert authentication. Since the SSL processing,
* and client certificate verification is done by NSS, no authentication
* is actually done by this realm. It only serves the purpose of being
* registered as the certificate handler realm and to service group
* membership requests during web container role checks.
* <P>There is no JAAS LoginModule corresponding to the certificate
* realm. The purpose of a JAAS LoginModule is to implement the actual
* authentication processing, which for the case of this certificate
* realm is already done by the time execution gets to Java.
* <P>The certificate realm needs the following properties in its
* configuration: None.
* <P>The following optional attributes can also be specified:
* <ul>
* <li>assign-groups - A comma-separated list of group names which
* will be assigned to all users who present a cryptographically
* valid certificate. Since groups are otherwise not supported
* by the cert realm, this allows grouping cert users
* for convenience.
* </ul>
public class CertificateRealm extends IASRealm
protected void init(Properties props)
* Returns the name of all the groups that this user belongs to.
* @param username Name of the user in this realm whose group listing
* is needed.
* @return Enumeration of group names (strings).
* @exception InvalidOperationException thrown if the realm does not
* support this operation - e.g. Certificate realm does not support
* this operation.
public Enumeration getGroupNames(String username)
throws NoSuchUserException, InvalidOperationException
* Complete authentication of certificate user.
* <P>As noted, the certificate realm does not do the actual
* authentication (signature and cert chain validation) for
* the user certificate, this is done earlier in NSS. This default
* implementation does nothing. The call has been preserved from S1AS
* as a placeholder for potential subclasses which may take some
* action.
* @param certs The array of certificates provided in the request.
public void authenticate(X509Certificate certs[])
throws LoginException
// Set up SecurityContext, but that is not applicable to S1WS..
}Edited by: mv on Apr 24, 2009 7:04 AM -
I'm implementing a custom authorization provider for WebLogic 7.
In my Access Decision isAccessAllowed method I need to check values of
the parameters passed to an EJB method. Now, if an EJB method I have
two parameters of the same type, for example int, when I get
ContextElement array from ContextHandler and iterate through it to get
names and values of the parameters I get the same value (value of the
first int parameter) from both ContextElement's.
Here is the code:
String [] names = ch.getNames();
for (int i = 0; i < names.length; i++)
String name = names;
System.out.println("name = " + name);//here it gets array of
Strings, which contains two parameter names: "int","int",
which are the types of EJB method parameters
ContextElement[] ces= ch.getValues(names);
for (int j = 0; j < ces.length; j++)
ContextElement ce = ces[j];
System.out.println(ce.getName()+ " = " + ce.getValue());
//here if the value of the first int was 2 and the second 0,
it would get 2 from both ContextElements (each of ContextElements will
have name "int"
If I try this with method parameters of different types, for example
int with value 2 and long with value 0, then this code work fine -
first ContextEleement has name int and value 2 and the second has name
long and value 0.
Thanks,
-Oleg Kozlov.I'm implementing a custom authorization provider for WebLogic 7.
In my Access Decision isAccessAllowed method I need to check values of
the parameters passed to an EJB method. Now, if an EJB method I have
two parameters of the same type, for example int, when I get
ContextElement array from ContextHandler and iterate through it to get
names and values of the parameters I get the same value (value of the
first int parameter) from both ContextElement's.
Here is the code:
String [] names = ch.getNames();
for (int i = 0; i < names.length; i++)
String name = names;
System.out.println("name = " + name);//here it gets array of
Strings, which contains two parameter names: "int","int",
which are the types of EJB method parameters
ContextElement[] ces= ch.getValues(names);
for (int j = 0; j < ces.length; j++)
ContextElement ce = ces[j];
System.out.println(ce.getName()+ " = " + ce.getValue());
//here if the value of the first int was 2 and the second 0,
it would get 2 from both ContextElements (each of ContextElements will
have name "int"
If I try this with method parameters of different types, for example
int with value 2 and long with value 0, then this code work fine -
first ContextEleement has name int and value 2 and the second has name
long and value 0.
Thanks,
-Oleg Kozlov. -
Custom Authorization Object for HR
Hi,
As per our Company's internal needs I have created a Custom Authorization Object for HR named ZP_ORGIN (it has Personnel Subarea field BTRTL besides what's there in Auth. Object P_ORGIN) and made it Check/Maintain for transaction PA30 in SU24.
I can see the entries in the USOBT_C & USOBX_C tables for this object, I am also able to add this object in the roles as well.
Everything looks fine, but when I execute the transaction & do a trace on it, the object ZP_ORGIN is never checked (for a user having this object in his/her User Master). Only P_ORGIN object is checked instead.
I believe I'll have to write some ABAP code e.g. AUTHORITY-CHECK OBJECT 'ZP_ORGIN' etc. Can anybody tell which User Exit or Field Exit I'll have to put the AUTHORITY-CHECK code in, so that my new custom authorization object is alwayz checked.
Your help will be appreciated.
Thanks,
Mandeep VirkHi,
I have created a Custom Authorization Object for HR named Z_ORIGIN (it has Personnel Subarea field BTRTL besides what's there in Auth. Object P_ORIGIN) and made it Check/Maintain for transaction PA30 in SU24.
I can see the entries in the USOBT_C & USOBX_C tables for this object, I am also able to add this object in the roles as well.
Everything looks fine, but when I execute the transaction the object Z_ORIGIN is never checked (for a user having this object in his/her User Master). Only P_ORIGIN object is checked instead.
We've ran the report RPUACG00 also which is mentioned in this thread.
We also coded the authority check code in the both user exit ZXPADU01 and ZXPADU02 for PA infotype operations
I believe I'll have to write some ABAP code e.g. AUTHORITY-CHECK OBJECT 'ZP_ORGIN' etc. Can anybody tell which User Exit or Field Exit I'll have to put the AUTHORITY-CHECK code in, so that my new custom authorization object is alwayz checked
but still it is taking the P_ORGIN object. -
HR Authorization : Custom Authorization Object for P_ORGIN
Hi,
I have created a Custom Authorization Object for HR named Z_ORIGIN (it has Personnel Subarea field BTRTL besides what's there in Auth. Object P_ORIGIN) and made it Check/Maintain for transaction PA30 in SU24.
I can see the entries in the USOBT_C & USOBX_C tables for this object, I am also able to add this object in the roles as well.
Everything looks fine, but when I execute the transaction the object Z_ORIGIN is never checked (for a user having this object in his/her User Master). Only P_ORIGIN object is checked instead.
We've ran the report RPUACG00 also which is mentioned in this thread.
We also coded the authority check code in the both user exit ZXPADU01 and ZXPADU02 for PA infotype operations
but still it is taking the P_ORGIN objectOnline Help
<a href="http://help.sap.com/saphelp_erp2005vp/helpdata/en/d9/64141c0774194593da29f3cb813f1b/frameset.htm">P_NNNNNCON (HR Master Data: Customer-Specific Authorization Object with Context)</a> -
HR custom authorization issues/BADI to be used for some customization
We can develop custom authorization object in HR and run RPUACG00 to generate include MPAUTCON.Is it possible to include some customizations to the MPAUTCON program to accomplish some of our requirements.
If not can you please suggest me a BADI/User exit which can be used to develop some customization on a specific field, which can be called at the times the HR Master data is being changed/displayed/created.
Thanks in adavnce for the answers.Hi Kiranm,
the MPPAUTCON program (or MPPAUTZZ in non-contextual mode) is automatically generated by the RPUACG00 report.
But you can modify it to add custom controls.
Best regards. -
Amount Authorization for Customer
I want to Enter Customer invoice While creating Invoice Following Message Display
No Amount Authorization for vendor/customer in co. code?
Pls ReplyHi,
Go to -
img - fa u2013 arap u2013 business transaction u2013 incoming payment u2013 manual incoming payment u2013 define tolerance (customers)
Define Tolerance Groups for Employees and Assign User/Tolerance Groups
Regards
udayakumar.k -
No authorization for changing Customer Centrally- Idoc in Error Status 51
Hi Experts,
We are implementing MDM for one of the client.
The client runs a modification scenario in MDM for Customer Master.
He modifies a customer record in MDM and this record is transfered from MDM to ECC via PI through Idocs.
We are using standard Idocs for Customer Master which is DEBMDM
There are 2 Idoc's generated in ECC by PI from DEBMDM as DEBMAS and ADRMAS.
ADRMAS Idoc is succesfull in ECC and the corresponding record is modified.
Now the issue is that the corresponding DEBMAS Idoc goes into Error 51.
The Error details is as below:
No authorization for changing vendor Centrally
Message no. F2326
System Response
You cannot access the requested data.
Procedure for System Administration
If necessary, include an entry in the user's authorization profile for
the authorization object and parameters specified below.
Authorization object:
o F_KNA1_APP
Parameters:
o Activity: 02
o Application authorization : *
We gave the respective authorization object to the RFC User ID used in PI RFC created to connect to ECC.
Also we have given the user id Tcode authorization like XD01/02/03.
But this error still persists.
Request to throw some light on this.
Cheers
DhwaniCheck these threads
[Re: IDOC STATUS - 51 " IDOC HAS TEST STATUS|IDOC STATUS - 51 " IDOC HAS TEST STATUS";
[Error Inbound IDoc - Status 51|Error Inbound IDoc - Status 51;
thanks
G. Lakshmipathi -
Authorization for FBL5n specific customer
Hi all,
I have a scenario where we want to restrict sales person to view specific customer. We maintain sales person and customer number relation in a Z table.
Please advise how I can restrict?Hello Ravi
You can restrict access to master records in order to prevent unauthorized changes from being made. Depending on how you organize your master data, you can assign authorizations for maintaining this data. For example, one user may have authorization to maintain all master data, while another may have authorization to maintain only accounting master data.
You can also assign different authorizations for different types of processing. All users could have authorization to display master records, while only a limited group of users may be able to create and change master data.
Authorizations are specified during system configuration and assigned to each user in his or her user master record. If you have any other questions on this subject, you should contact your system administrator. The Implementation Guide (IMG) for Financial Accounting explains how to set up authorizations.
Suresh -
Authorization Problem (I am Using Authorization For Custom Forms)
Hi All,
I am Using Authorizations To My Forms (I created One Addon For This Addon I am Using Authorization).I created Authorization For My Addon But While Working It Showing Some Errors
. In My Addon Four Forms are there For this four forms I am Using Authorization based on usres some screens only super user can access. normal user he is not a super user he cliekd on that authorization form it shows one message Your not a authorized user to permitted this operation in this message box we have two butons one is ok button and one is Authorized by another user . When i clicked on Ok Button I am getting error Internal error (-10) occured [131-183]. Please give me Your Valable Suggestion.
I am waiting for your Reply.
Thanks & Regards
NareshI am using Sap Authorizations For My Custom Form See The Code Also U Can Get Clear Idea
Private Sub CustomAuthorization()
Dim li_RetVal As Integer
Dim pUserPer As SAPbobsCOM.UserPermissionTree
Try
pUserPer = Me.SBO_Company.GetBusinessObject(SAPbobsCOM.BoObjectTypes.oUserPermissionTree)
'Purchase Indent
If pUserPer.GetByKey("NHCL_PM") = False Then
pUserPer.PermissionID = "NHCL_PM"
pUserPer.Name = "Purchase Module"
pUserPer.Options = SAPbobsCOM.BoUPTOptions.bou_FullNone
li_RetVal = pUserPer.Add()
End If
'Purchase Indent ->New Purchase Indent
If pUserPer.GetByKey("NHCL_PM_NPI") = False Then
pUserPer.PermissionID = "NHCL_PM_NPI"
pUserPer.Name = "New Purchase Indent"
pUserPer.Options = SAPbobsCOM.BoUPTOptions.bou_FullNone
pUserPer.ParentID = "NHCL_PM"
pUserPer.UserPermissionForms.FormType = "2000010002"
li_RetVal = pUserPer.Add()
End If
'Purchase Indent->View For Approval
If pUserPer.GetByKey("NHCL_PM_VIE") = False Then
pUserPer.PermissionID = "NHCL_PM_VIE"
pUserPer.Name = "View For Approval"
pUserPer.Options = SAPbobsCOM.BoUPTOptions.bou_FullNone
pUserPer.ParentID = "NHCL_PM"
pUserPer.UserPermissionForms.FormType = "2000010003"
li_RetVal = pUserPer.Add()
End If
'Purchase Indent ->Selection For RFQ
If pUserPer.GetByKey("NHCL_PM_SEC") = False Then
pUserPer.PermissionID = "NHCL_PM_SEC"
pUserPer.Name = "Selection For RFQ"
pUserPer.Options = SAPbobsCOM.BoUPTOptions.bou_FullNone
pUserPer.ParentID = "NHCL_PM"
pUserPer.UserPermissionForms.FormType = "2000010006"
li_RetVal = pUserPer.Add()
End If
'Purchase Indent ->Purchase Quotation
If pUserPer.GetByKey("NHCL_PM_PUR") = False Then
pUserPer.PermissionID = "NHCL_PM_PUR"
pUserPer.Name = "Purchase Quotation"
pUserPer.Options = SAPbobsCOM.BoUPTOptions.bou_FullNone
pUserPer.ParentID = "NHCL_PM"
pUserPer.UserPermissionForms.FormType = "2000010007"
li_RetVal = pUserPer.Add()
End If
'Purchase Indent ->Final Quotation
If pUserPer.GetByKey("NHCL_PM_FIN") = False Then
pUserPer.PermissionID = "NHCL_PM_FIN"
pUserPer.Name = "Final Quotation"
pUserPer.Options = SAPbobsCOM.BoUPTOptions.bou_FullNone
pUserPer.ParentID = "NHCL_PM"
pUserPer.UserPermissionForms.FormType = "2000010008"
li_RetVal = pUserPer.Add()
End If
Catch ex As Exception
Dim ErrCode As Long
Dim ErrMsg As String
Me.SBO_Company.GetLastError(ErrCode, ErrMsg)
Me.SBO_Application.StatusBar.SetText("Authorization Problem" & ErrCode & li_RetVal, SAPbouiCOM.BoMessageTime.bmt_Short)
End Try
End Sub -
Authorization for customized transaction
Hi,
In our system, developers create one transaction ZSIDUPDATE.
Whenever I (Basis Admin) hit this transaction, error "No Authorization for Transaction" is occurred. I don't understand why the error is for authorization for this customized transaction because I have SAP_ALL & SAP_NEW profile.
Can anybody give the solution?
Regards,
RajeshHello Rajesh,
Check the report behind ZSIDUPDATE. I suppose there must be some kind of code which will allow only certain user to execute it based on their user ids. Either the user ids will be hardcoded or else they are being picked up from some table. This is not a classical authorization error. You may set a trace also but debugging is best. it will crack it open in seconds.
Regards.
Ruchit. -
Hi,
How we can give Authorization for custom form as well as custom menuHi,
Try this out
Go to Administration module
> system initialization
> Authorizations
>Additional Authorization Creator
Add same level and just mention your
Authorization id=Custom
Name=Custom
Option=Full/Read/None
Forms id=*(Your Form ID) *
Ok
Now Go to Administration module
> system initialization
> Authorizations
>General authorizations
Now select user and set user authorization-------> Custom -
> No Atuorization
Reply me
Remember if Problem Resolved then mark as answered -
Authorization for a custom programme
How to do Authorization for Custom Transactions?
Can we directly put Authorization Object name in SE93?
What should be the default values? How can we authorize - User Input values in Program T-Code?
How to do Authorization for Custom Programs?
This is usually done by incuding:
AT SELECTION-SCREEN .
AUTHORITY-CHECK OBJECT 'F_RE_TRANS' ID1 Authorization field1 FIELD1 Authorization field value1
ID2 Authorization field2 FIELD2 Authorization field value2
IF sy-subrc = 4.
Display No Authorization error
ENDIF.
If we donot want to pass the Authorization field - Activity Code ACTVT as Display/Change/Create etc., what should be passed in ACTVT, can we leave it ' ' ?
How to do Authorization for Table Maintainance Transactions?
Can we directly put Authorization Object name in SE11 Table Maintainance Generator?
If how to determine Authorization Group?
What should be the default values?
How can we authorize - User Input values in Table maintainance T-Code?
Can we use transaction SU22? If so how?Hi Friend,
SU21- for creating authorization object
SU20 - for creating authorization field and assign with authorization object
SU22 - maintain authorization agianst transactions
Execute these transactions or see any standard object you will understand everything.
Regards
Krishnendu -
BW report authorization for restrict cost center
dear all,
i have problem on BW report authorization for restrict cost center.....when i execute the query, after selection screen, appear error message 'you cannot change zv_cctr for characteristic 0COSTCENTER during query'.
note : zv_cctr is variable restriction for costcenter, type processing = customer exit.
below the customer exit :
WHEN 'ZV_CCTR'.
IF i_step = 2.
DATA : gt_mstuidvscc TYPE TABLE OF ztbw_mstuidvscc,
gs_mstuidvscc TYPE ztbw_mstuidvscc,
wa_final2(10) TYPE c.
SELECT * FROM ztbw_mstuidvscc INTO CORRESPONDING FIELDS OF TABLE gt_mstuidvscc
WHERE userid = 'sy-uname'.
LOOP AT gt_mstuidvscc INTO gs_mstuidvscc.
wa_final2 = gs_mstuidvscc-kostl.
l_s_range-opt = 'EQ'.
l_s_range-high = wa_final2.
APPEND l_s_range TO e_t_range.
ENDLOOP.
ENDIF.
Regards,
Tonyi defined variable as ready for input and mandatory.
regards,
Tony
Maybe you are looking for
-
Is the HP BT500 wireless printer adaptor able to be updated to work with Bluetooth 2.1?
I have a new HP BT500 wireless bluetooth printer dongle. It is not working on either of my Windows 7 (both 32 and 64 bit) Lenovos. It states that the setup cannot continue because the bluetooth version is an older version. I would like to be able
-
how do i restore my ipod touch when it says ipod is disabled connect to itunes
-
Hi, Since the site isn't online yet I posted my project for downloading. I am using Dreamweaver CS4. For the website I am creating I would like to have a spry menu bar. I have been trying to figure this out but I can't do it. The main file I am wo
-
Edit in Photoshop shows a black photoshop window
I have the latest version of Lightroom and Photoshop. Whenever I right click to open the image in photoshop, photoshop window opens with a black screen. It don't open the image.
-
Burning CD Labels from ITunes to LightScribe Label
Evidently one can't print CD Labels directlty to a LightScribe Labeler Anyone have a CD Labeler Software to recommend that will do the job. I'd like to burn the ITunes generated artwork and song lists LightScribe CD's but don't know how. Gateway GM54