Custom chained authentication

Hi
I need to set up a way for all users logging into a webgate to be presented with an acceptable use agreement before they are allowed access to the application. This only needs to happen on the first login.
This is not possible out of the box. Has anyone tried this with a plugin or chained authentication?
Many thanks.

Assumed: OAM to show user consent to use the system, and once user accepts the agreement, then such a page will not come in any subsequent sessions. There are many ways of doing it, but what you can try is the following. Obviously, if you come up with other solutions, do let us know. OAM 10g.
First the data. In the user profile of each user, there should be an attribute, AcceptedUserAgreement (say) with boolean true or false. You can bulk change the user profile to make this attribute false to begin with.
In the authen scheme, you can have form based challenge, and may have the following params:
creds: login password
action: /end_user_consent_page
passthrough: yes
(The action page also needs to be protected)
The end_user_consent_page needs to be dynamic and it can have the following logic:
- read the obformlogincookie to find out the target resource
- check the attribute AcceptedUserAgreement via ldap calls or idxml calls
-- if the attribute is true, then go ahead and show the target page
-- if the attribute is false, ask for confirmation from user and then update the AcceptedUserAgreement attribute.
Hope this helps. Let us know.
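
The consent-page logic from the reply above, as an added example (not code from the thread or from OAM). The `Directory` interface, the class and method names, and the in-memory sample data are hypothetical stand-ins for the LDAP or IDXML calls; the page is assumed to have already extracted the user id and the target resource from the request. Because the target arrives in a cookie, it is treated as client-supplied and restricted to a same-site path.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

public class ConsentGate {

    /** Hypothetical stand-in for the LDAP or IDXML calls on AcceptedUserAgreement. */
    interface Directory {
        boolean hasAccepted(String uid) throws Exception;
        void markAccepted(String uid) throws Exception;
    }

    enum View { SHOW_AGREEMENT, REDIRECT }

    static final class Outcome {
        final View view;
        final String location;   // set only for REDIRECT
        Outcome(View view, String location) { this.view = view; this.location = location; }
    }

    private final Directory directory;
    private final String defaultTarget;

    ConsentGate(Directory directory, String defaultTarget) {
        this.directory = directory;
        this.defaultTarget = defaultTarget;
    }

    /** Accept only a same-site absolute path; anything else falls back to a fixed page. */
    static String safeTarget(String requested, String fallback) {
        if (requested == null || !requested.startsWith("/") || requested.startsWith("//")) {
            return fallback;   // absolute URLs, scheme-relative URLs, relative junk
        }
        try {
            new URI(requested);   // rejects backslashes, control characters, bad escapes
            return requested;
        } catch (URISyntaxException e) {
            return fallback;
        }
    }

    /** First arrival after the form login (the action URL of the scheme). */
    Outcome onArrival(String uid, String cookieTarget) {
        try {
            if (directory.hasAccepted(uid)) {
                return new Outcome(View.REDIRECT, safeTarget(cookieTarget, defaultTarget));
            }
        } catch (Exception e) {
            // Directory unavailable: fail closed and keep the user on the agreement page.
        }
        return new Outcome(View.SHOW_AGREEMENT, null);
    }

    /** The user submitted the agreement form. */
    Outcome onSubmit(String uid, boolean accepted, String cookieTarget) {
        if (!accepted) {
            return new Outcome(View.SHOW_AGREEMENT, null);
        }
        try {
            directory.markAccepted(uid);
        } catch (Exception e) {
            return new Outcome(View.SHOW_AGREEMENT, null);   // not recorded, so not granted
        }
        return new Outcome(View.REDIRECT, safeTarget(cookieTarget, defaultTarget));
    }

    public static void main(String[] args) {
        // Constructed in-memory directory: the set holds uids that have accepted.
        Set<String> acceptedUids = ConcurrentHashMap.newKeySet();
        Directory dir = new Directory() {
            public boolean hasAccepted(String uid) { return acceptedUids.contains(uid); }
            public void markAccepted(String uid) { acceptedUids.add(uid); }
        };
        ConsentGate gate = new ConsentGate(dir, "/app/home");

        System.out.println("first login:      " + gate.onArrival("jdoe", "/app/reports").view);
        System.out.println("after accepting:  " + gate.onSubmit("jdoe", true, "/app/reports").location);
        System.out.println("later login:      " + gate.onArrival("jdoe", "/app/reports").location);
        System.out.println("off-site target:  " + gate.onArrival("jdoe", "//other.example/x").location);
        System.out.println("absolute target:  " + gate.onArrival("jdoe", "https://other.example/").location);
    }
}
```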

Similar Messages

  • Chaining authentication schemes

    I have been asked to create a custom auth scheme that combines characteristics of the built-in scheme and a custom scheme. Specifically:
    1) HTMLDB users associated with the application's workspace are valid application users
    2) application-managed users are valid if their user name exists in the application-managed table and the LDAP server authorizes their password.
    The simplest way would be to chain together three authorization schemes: built-in (sufficient), custom (required), LDAP (required); but it appears this isn't supported in HTMLDB.
    The next best solution would be to implement both 1) and 2) in a custom login script. I'm pretty sure I can figure out Step 2), but I'm a bit stuck on 1) : I don't see an API suitable for authentication of HTMLDB users. The HTMLDB_UTIL and HTMLDB_CUSTOM_AUTH functions all seem to be for post-authentication use (except of course for login).
    Could someone post a custom authentication check function that performs the equivalent of built-in authentication? That would be very helpful.
    Thanks in advance,
    susan

    Scott,
    Thanks for the reply, your responsiveness on this forum is outstanding and much appreciated by all.
    I would like to submit this feature request for your consideration in a future release of HTMLDB: You should be allowed to chain authentication schemes together as described in the JAAS industry standard
    http://java.sun.com/j2se/1.4.2/docs/guide/security/jaas/JAASLMDevGuide.html
    It's a powerful and flexible approach to custom security and warrants your serious consideration.
    Regards,
    susan
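
The sufficient/required chain described in this thread, written against JAAS, the standard the follow-up post cites. This is an added example, not code from the thread or from HTMLDB; the three in-memory stores, the module class names and the sample accounts are constructed stand-ins for workspace users, the application-managed table and the LDAP server.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.spi.LoginModule;

public class ChainedLoginDemo {
    // Constructed sample data standing in for the three sources named in the thread.
    static final Map<String, String> WORKSPACE = Map.of("wsadmin", "ws-secret");
    static final Set<String> APP_TABLE = Set.of("alice", "bob");
    static final Map<String, String> LDAP = Map.of("alice", "ldap-secret", "mallory", "ldap-pw");

    /** Shared plumbing: collect name and password, then let the subclass decide. */
    public abstract static class Base implements LoginModule {
        private CallbackHandler handler;
        private boolean succeeded;

        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> options) {
            handler = h;
        }
        public boolean login() throws LoginException {
            NameCallback name = new NameCallback("user: ");
            PasswordCallback pass = new PasswordCallback("password: ", false);
            try {
                handler.handle(new Callback[] {name, pass});
            } catch (Exception e) {
                throw new LoginException(e.toString());
            }
            char[] pw = pass.getPassword();
            // Empty names and passwords never authenticate, whatever the backing store says.
            succeeded = name.getName() != null && pw != null && pw.length > 0
                    && check(name.getName(), new String(pw));
            pass.clearPassword();
            if (!succeeded) throw new FailedLoginException(getClass().getSimpleName());
            return true;
        }
        public boolean commit() { return succeeded; }   // false means "ignore this module"
        public boolean abort() { succeeded = false; return true; }
        public boolean logout() { succeeded = false; return true; }
        abstract boolean check(String user, String password);
    }

    public static class WorkspaceModule extends Base {
        boolean check(String u, String p) { return same(WORKSPACE.get(u), p); }
    }
    public static class AppTableModule extends Base {
        boolean check(String u, String p) { return APP_TABLE.contains(u); }   // membership only
    }
    public static class LdapModule extends Base {
        boolean check(String u, String p) { return same(LDAP.get(u), p); }
    }

    /** Constant-time comparison; a missing entry never matches. */
    static boolean same(String expected, String given) {
        return expected != null && MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8), given.getBytes(StandardCharsets.UTF_8));
    }

    /** SUFFICIENT must come first: a REQUIRED failure ahead of it would still fail the login. */
    static Configuration chain() {
        Map<String, Object> none = new HashMap<>();
        AppConfigurationEntry[] entries = {
            new AppConfigurationEntry(WorkspaceModule.class.getName(), LoginModuleControlFlag.SUFFICIENT, none),
            new AppConfigurationEntry(AppTableModule.class.getName(), LoginModuleControlFlag.REQUIRED, none),
            new AppConfigurationEntry(LdapModule.class.getName(), LoginModuleControlFlag.REQUIRED, none),
        };
        return new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) { return entries; }
        };
    }

    static boolean attempt(String user, String password) {
        CallbackHandler handler = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password.toCharArray());
                else throw new UnsupportedCallbackException(cb);
            }
        };
        try {
            new LoginContext("app", new Subject(), handler, chain()).login();
            return true;
        } catch (LoginException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        System.out.println("workspace user:               " + attempt("wsadmin", "ws-secret"));
        System.out.println("table user, LDAP ok:          " + attempt("alice", "ldap-secret"));
        System.out.println("LDAP ok but not in table:     " + attempt("mallory", "ldap-pw"));
        System.out.println("table user, wrong password:   " + attempt("alice", "nope"));
        System.out.println("table user, not in LDAP:      " + attempt("bob", "anything"));
    }
}
```

Only the first two attempts authenticate: the workspace user stops the chain at the sufficient module, and `alice` passes both required modules.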

  • Custom DB authentication to an application from Oracle Portal not working.

    Hi All,
    We have a Portal customized and integrated to LDAP for SSO.
    From the portal, we have a link that takes to another custom application that requires another level of authentication. We have implemented this authentication as custom Database based authentication.
    When user login to the portal and access this link, he will be directed for authentication again. This custom application has been installed on a different OC4J instance while Oracle Portal is running in a different OC4J instance.
    Issue is though user details are being propagated to the custom application page, we are receiving an error saying authentication failed.
    In the OC4J instance specific for this custom application, we have configured jazn.xml to use custom authentication.
    Below is the code:
    <?xml version = '1.0' encoding = 'UTF-8' standalone = 'yes'?>
    <!DOCTYPE jazn PUBLIC "JAZN Config" "http://xmlns.oracle.com/ias/dtds/jazn-9_04.dtd">
    <jazn provider="XML" location="./jazn-data.xml" default-realm="jazn.com">
    <property name="role.mapping.dynamic" value="true"/>
    <property name="custom.loginmodule.provider" value="true"/>
    </jazn>
    and in jazn-data.xml, we gave the role mapping.
    But the problem is when the link to the custom application is accessed, it seems like the custom authentication mechanism is not working.
    Can anyone throw light on this?
    Do we need to give the same configuration in the j2ee/home/config directory files also?
    Can we use both LDAP and custom DB authentication within the same OAS setup? Remember as of now, Portal and custom application are running in different OC4J instances but within the same OAS.
    Any help in this regard will be highly appreciated.
    Thanks,
    Sasi Bhushan

  • How to use a custom database authentication with APEX_AUTHENTICATION??

    I have a custom user authentication method.
    create or replace function user_check(username varchar2,password varchar2) return boolean
    is
    check_out integer;
    begin
    -- counts rows whose e-mail and stored USER_PASS value both match the input
    select count(*) into check_out from "user" where USER_EMAIL=username and USER_PASS=password;
    if check_out >0 then
    return true;
    else
    return false;
    end if;
    end;
    How do I use apex_authentication.login()? And how do I make apex_authentication.login() use my method to verify user login?

    You can't mix custom authentication and the internal APEX authentication functions. So either you use the pre-built user authentication in APEX or you can build your own CUSTOM authentication...
    Many examples of custom authentication are out there...
    Thank you,
    Tony Miller
    Ruckersville, VA

  • Example of custom external authentication

    Where can I find the example of custom external authentication
    which Paul Encarnation has written since most of the links on
    the discussion forum mails seem to be outdated.
    Thanks

  • Custom ldap authenticator to retrieve user bean ldap profile

    Hi,
    Wondering if we could use a custom ldap authenticator to get the user profile from Ldap and put the data bean into session.
    This will allow to use the same connection to Ldap and to benefit from Bea security authentication configuration.
    Any input on this ?
    Thank you

    Increasing the search limit is the only practical solution. Really, ~2000 entries is not that many.

  • Error in custom OAM authentication plugin

    Hi All
    I am trying to build a custom OAM authentication plugin using JDeveloper. Here are the version information:
    OAM - 11.1.1.5 BP04
    WLS - 10.3.5
    Issue:
    I get the following error in the OAM logs when I try to activate the plugin.
    [2012-11-14T09:39:17.996-08:00] [oam_server1] [WARNING] [] [oracle.oam.extensibility.lifecycle] [tid: DistributedCache:DistributionCache:EventDispatcher] [userId: <anonymous>] [ecid: 0000Jfzyiy6EgKI5qrH7iY1GcxMc000002,0] [APP: oam_server] Activation failed due to felix bundle exception while installing and starting the bundle.Unresolved constraint in bundle oamCustomAuthPlugin [2]: Unable to resolve 2.0: missing requirement [2.0] package; (package=oracle.security.am.plugin.ExecutionStatus)[[
    org.osgi.framework.BundleException: Unresolved constraint in bundle oamCustomAuthPlugin [2]: Unable to resolve 2.0: missing requirement [2.0] package; (package=oracle.security.am.plugin.ExecutionStatus)
    at org.apache.felix.framework.Felix.resolveBundle(Felix.java:3404)
    The names of jar file, class file, plugin xml file etc are all same. My plugin code is very generic and I have the following values in the plugin's manifest and xml file
    Plugin xml file [oamCustomAuthPlugin.xml]:
    <Plugin name="oamCustomAuthPlugin" type="Authentication">
    <author>uid</author>
    <email>[email protected]</email>
    <creationDate>09:32:20, 2011-11-13</creationDate>
    <version>4</version>
    <description>OAM Custom Authentication plugin</description>
    <interface>oracle.security.am.plugin.authn.AbstractAuthenticationPlugIn</interface>
    <implementation>com.company.oam.oamCustomAuthPlugin</implementation>
    <configuration>
    <AttributeValuePair>
    <Attribute type="string" length="20">INPUT_PARAM1</Attribute>
    <mandatory>true</mandatory>
    <instanceOverride>false</instanceOverride>
    <globalUIOverride>true</globalUIOverride>
    <value>Param1</value>
    </AttributeValuePair>
    <AttributeValuePair>
    <Attribute type="string" length="20">INPUT_PARAM2</Attribute>
    <mandatory>true</mandatory>
    <instanceOverride>false</instanceOverride>
    <globalUIOverride>true</globalUIOverride>
    <value>Param2</value>
    </AttributeValuePair>
    </configuration>
    </Plugin>
    Manifest File [MANIFEST.MF]:
    Ant-Version: Apache Ant 1.7.1
    Bundle-Version: 1.0.0.4
    Bundle-Name: oamCustomAuthPlugin
    Bundle-Activator: oamCustomAuthPlugin
    Bundle-ManifestVersion: 2
    Created-By: 17.0-b17 (Sun Microsystems Inc.)
    Import-Package: oracle.security.am.plugin,oracle.security.am.plugin.authn
    Bundle-SymbolicName: oamCustomAuthPlugin
    Bundle-RequiredExecutionEnvironment: JavaSE-1.6
    Please let me know if you have faced a similar issue in the past. Please help !!

    Try with
    Import-Package: org.osgi.framework;version="1.3.0",oracle.security.am.plugin,oracle.security.am.plugin.authn,oracle.security.am.plugin.api
    If it doesn't work try with
    Import-Package: org.osgi.framework;version="1.3.0",oracle.security.am.plugin,oracle.security.am.plugin.authn,oracle.security.am.plugin.api,oracle.security.am.plugin.ExecutionStatus

  • Error in Custom Ldap Authentication

    Hi All,
    I was trying to use the custom LDAP authentication (Earlier Post: http://forums.oracle.com/forums/thread.jspa?threadID=2251976&stqc=true) but was not successful in making it work with our AD LDAP server. That's when I came across the post http://forums.oracle.com/forums/thread.jspa?messageID=916185&#916185
    I used the same function
    create or replace function authenticate_aduser(
      p_username in varchar2,
      p_password in varchar2)
    return boolean
    is
      l_user varchar2(256);
      l_ldap_server varchar2(256) := '<Hostname>';
      l_domain varchar2(256) := '<Domain Name>';
      l_ldap_port number := 389;
      l_retval pls_integer;
      l_session dbms_ldap.session;
      l_cnt number;
    begin
      -- A simple bind with an empty password is an unauthenticated bind, which a
      -- directory server may report as successful; reject it before binding.
      if p_password is null then
        return false;
      end if;
      l_user := p_username||'@'||l_domain;
      l_session := dbms_ldap.init( l_ldap_server, l_ldap_port ); -- start session
      l_retval := dbms_ldap.simple_bind_s( l_session, l_user, p_password ); -- auth as user
      l_retval := dbms_ldap.unbind_s( l_session ); -- unbind
      return true;
    exception when others then
      -- any failure (including a rejected bind) is treated as a failed login
      l_retval := dbms_ldap.unbind_s( l_session );
      return false;
    end;
    Test it by giving correct password
    SQL> declare
    begin
    if authenticate_aduser('<username>','<correct password>') then
    dbms_output.put_line('Test Successful');
    else
    dbms_output.put_line('Test Failed');
    end if;
    end;
    /
    Test Successful
    PL/SQL procedure successfully completed.
    Tested it by giving wrong password
    SQL> declare
    begin
    if authenticate_aduser('<user name>','<wrong password>') then
    dbms_output.put_line('Test Successful');
    else
    dbms_output.put_line('Test Failed');
    end if;
    end;
    /
    Test Failed
    PL/SQL procedure successfully completed.
    So the function is working perfectly with LDAP server.
    I am trying to create a custom authentication scheme with the above function.
    Shared Components -> Authentication Schemes -> create -> From Scratch ->
    In Authentication Function -> return authenticate_aduser(:P101_USERNAME,:P101_PASSWORD);
    In Logout URL -> wwv_flow_custom_auth_std.logout?p_this_flow=&APP_ID.&p_next_flow_page_sess=4155:PUBLIC_PAGE
    Then after setting this as the current authentication scheme, whenever I try to log in with correct credentials it is giving me the error
    Invalid Login Credentials
    Kindly let me know where I am going wrong here.
    Thanks & Regards,
    Vikas Krishna

    I was able to fix this.
    I used the same function authenticate_aduser
    and then followed blog http://www.talkapex.com/2009/03/custom-authentication-status.html to create a custom authentication. It worked finally.
    Thanks to Martin for his wonderful post.
    Thanks & Regards,
    Vikas Krishna

  • Custom SPNEGO Authenticator

    I'm working on developing a custom spnego authenticator to JBoss. I saw a client example in Advanced JGSS Security Programming. But I haven't found if it's possible to develop a program that accepts a browser's token spnego in the server side. Is it possible in Java 6?
    Thanks a lot!!

    http://dev2dev.bea.com/utilitiestools/security.html

  • How do I use my own Custom Auth/Authentication/Entitlement (Token)?

    [ Background ]
    Adobe Access DRM provides for 3 authentication mechanisms:
    Anonymous - Licenses are issued irregardless on if there is/isn't a valid authentication token attached to the license request.
    UsernamePassword - Licenses are ONLY issued if the license request has a valid Adobe-Access-Server-Issued authentication token.
    Custom - Licenses are ONLY issued if there is a valid custom authentication token attached to the license request.
    Typically, customers already have some authentication scheme in place and choose to re-use that system, instead of leveraging Adobe Access' built-in usernamePassword support.  For this to succeed, accommodations must be made during packaging time, on the client device, and at the Adobe Access license server endpoint.
    [ More Background ]
    Here's a forum thread that prompted this thread: http://forums.adobe.com/message/5085330#5085330
    [ Recipe ]
    1. Adobe Access DRM Policy is created that specifies a "custom" authentication token.  As of Adobe Access 4.0, the tools that ship with the Java SDK cannot create a DRM policy with "custom" authentication out the box; a small Java application will have to be written to do this, which is covered in the thread posted above.
    2. Content is packaged using this custom_auth policy.
    3. Client device performs authentication via whatever channel already exists for you to perform authentication (e.g. SAML tokens, etc...)
    4. Client device sets the authentication token: DRMManager.setAuthenticationToken()
    5. Client device attempts to acquire a license for the content created in step #2: DRMManager.loadVoucher();
    5a) Because step #4 set the authentication, all license requests going forward will automatically have this custom auth token appended to it
    6. License server receives request & extracts custom auth token to parse & perform additional entitlement checks
    7. License server generates a license to return to client device.
    [ Server Code Snippet (RefImplLicenseReqHandler.java) ]
    try {
      ServletInputStream in = request.getInputStream();
      ServletOutputStream out = response.getOutputStream();
      HandlerConfiguration context = super.getHandlerContext();
      ServerCredential licenseServerCred = getLicenseParams().getLicenseServerCred();
      licenseHandler = new LicenseHandler(context, in, out, licenseServerCred);
      licenseHandler.parseRequest();
      List<? extends LicenseRequestMessage> requests = licenseHandler.getRequests();
      // Multiple request in one message is not supported in FAXS 2.0 or 3.0 client.
      for (LicenseRequestMessage licenseReq : requests) {
        try {
          // TODO: If custom authentication is specified in the DRM policy, here is where
          // you can retrieve the custom authentication token and perform custom parsing to
          // determine further business rules and entitlement before issuing a license.
          // The "Custom Authentication" will look like:
          // 1. Client device obtains auth token using some other channel
          // 2. Client device sets auth token by calling DRMManager.setAuthenticationToken()
          // 3. Client makes a license request by calling DRMManager.loadVoucher()
          // 4. Adobe Access Server receives request and:
          // 4a) Determines Custom Auth is required by DRM Policy: licenseReq.getContentInfo().getContentMetadata().getPolicies()[0].getLicenseServerInfo().getAuthenticationType();
          // 4b) Retrieves Custom Auth token for custom parsing/handling: licenseReq.getRawAuthenticationToken()
          // 5. If there are no errors when parsing the custom token, Adobe Access Server generates a license.
          V2ContentMetaData metadata = licenseReq.getContentInfo().getContentMetadata();
          ApplicationProperties applicationProperties = null;
          String usageModelString = null;
          if (metadata != null) {
            applicationProperties = metadata.getCustomProperties();
            if (applicationProperties != null) {
              usageModelString = applicationProperties.getSingleValueAsUTF8String(DEMOMODE);
    cheers,
    /Eric.

    Google Search: firefox create a persona
    * Personas for Firefox | How to Create Personas: https://www.getpersonas.com/en-US/demo_create
    * Personas for Firefox | Frequent Questions: http://www.getpersonas.com/en-US/faq
    * Personas for Firefox | Getting Started: http://www.getpersonas.com/en-US/getting_started
    I think you'd have a lot more fun with Styles though, personas tend to hide things on toolbars, styles can be more helpful (or just as bad)
    * Stylish :: Add-ons for Firefox: https://addons.mozilla.org/en-US/firefox/addon/stylish/
    * Restyle the web with Stylish! - userstyles.org: http://userstyles.org/
    * Scrollbar Context Menu - Themes and Skins for Browser - userstyles.org: http://userstyles.org/styles/54
    * Scrollbar Menu - Themes and Skins for Browser - userstyles.org: http://userstyles.org/styles/52
    * Link Warning - Themes and Skins for Mozilla - userstyles.org: http://userstyles.org/styles/1301
    * Tabs, Enlarge list-all-tabs button - Themes and Skins for Browser - userstyles.org: http://userstyles.org/styles/18553
    * Tabs Bar Minimal Size - Themes and Skins for Browser - userstyles.org: http://userstyles.org/styles/9043
    * Tab Color Underscoring active/read/unread (Fx3.6) - Themes and Skins for Browser - userstyles.org: http://userstyles.org/styles/24728

  • Configuring custom database authentication in Weblogic 10

    Hi,
    For my project I am trying to configure security/login module. It's an ADF based web application(ADF11g) and is deployed on Weblogic10. I have implemented the custom authentication with DB login module, created the jar and placed it inside %WL_HOME%/server/lib/mbeantypes. Now I have created one new Authenticator inside 'myrealm'. But after the successful deployment of the application when I am trying to access any secured page this custom authenticator is not being invoked. Can anyone please tell me the exact steps I have to follow for getting custom authenticator working properly.
    Thanks much!

    I had some minor implementation faults in code, after fixing those it is working fine

  • Customizing an Authenticator MBean

    All,
    I'm working on creating a custom SSPI for our specific security system. I
    have it setup and working, but there are some problems with the MBean used
    to plug it into Weblogic.
    1) I created an MDF file with three Attributes (ProviderClassName,
    Description, Version). When I go to the Authentication Provider tab in the
    Weblogic console, I see that these settings are being properly retrieved and
    displayed.
    But if I select my specific provider, the page that comes back has blank
    entries for everything listed here (things like name, description, version,
    control flag). Also, Control Flag appears as an empty text-input field
    instead of a drop down listing the proper flags.
    In the System.out window I see a bunch of exceptions get thrown when I
    request the details page:
    java.lang.NoSuchMethodException: couldn't find getter for 'Name' on
    com.sapient.services.security.auth.weblogic7.WeblogicCarbonAuthenticatorMBean
    I attempted to add a new Attribute in the MDF file for "Name" and rebuilt,
    but it did not appear to fix the problem. What do I need to do to make the
    details page for my Authenticator provide useful information?
    2) My Authenticator requires some configuration properties to run. I
    currently have them hard-coded for testing purposes, but I would like for
    users to be able to set these in the console. What must I do to make these
    appear as text-input fields in the console? I could not find any examples
    of how to do this.
    -jdr

    What I did was to get the SampleSecurityProviders as a starting point
    and then add my custom properties to it.
    It didn't work for a while because of the classpath issue but once I had
    this resolved it started working fine without me having to do anything more.
    --dejan
    Jordan Reed wrote:
    Thanks Dejan,
    when I pulled all the classes out of the main server classpath and only had
    them in a jar under the mbeantypes directory in weblogic it started working
    correctly.
    Now I just need to figure out how to put my own configurable attribute in
    the MBean.
    -jordan
    "Deyan D. Bektchiev" <[email protected]> wrote in message
    news:[email protected]...
    Hi Jordan,
    I had a similar issue and the solution was to remove all of the provider
    classes from the server classpath.
    There is a sample on dev2dev.bea.com called SampleSecurityProviders that
    was very useful for me, but it has the same classpath issue (BEA support
    said they'll update their documentation for this).
    Regards,
    Dejan

  • Custom mix Authentication

    Hi ,
    I have two kinds of users: one type are Oracle users (their authentication could be checked through -DBACCOUNT-) and the other type are detailed in a database table (say, auth).
    Now, what I want is that when a user logs in, the following operation happens:
    If username/password is correct according to Oracle users (i.e. -DBACCOUNT-) then return to the main page (say 1, as successful login)
    elsif <check the auth table, containing the list of users with respective passwords> if user exists in the table then return to main page 1 (as successful login)
    else return to the login page (say 101, as unsuccessful login).
    To build this piece, what should I do?
    I have created an on demand function in Apex, authCheck, which checks if the username and password exist in the auth table or not and returns the respective boolean.
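    create or replace function authCheck(p_username in varchar2, p_password in varchar2) return boolean is
      Result boolean:=FALSE;
      ln_verify number(15);
    begin
      -- both the user id and the password are compared case-insensitively
      select count(*) into ln_verify from auth
      where upper(user_id)=upper(p_username)
      and upper(password)=upper(p_password);
      -- count(*) always returns exactly one row, so sql%notfound is never true here
      -- and NO_DATA_FOUND is never raised; the count itself has to be tested,
      -- otherwise every login attempt returns TRUE.
      if ln_verify > 0 then
        Result := TRUE;
      else
        Result := FALSE;
      end if;
      return(Result);
    Exception
      when NO_DATA_FOUND then
        return FALSE;
    end authCheck;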

    Please tell us your first name and show it in your forum profile to help us. Thanks.
    See Re: Database account and custom authentication mix .
    Scott

  • SecurityException (Invalid Subject) with custom database authentication provider WLS 7.0

    Hello
    I have implemented a custom authentication provider using a
    database. The login module works fine. It checks the username and
    password, adds the user as a WLSUser-principal and adds the groups
    related to the user as WLSGroup-principals to the subject. I
    am able to start the WLS only using my authentication provider,
    but if I want to log in to the console I get the following
    SecurityException:
    java.lang.SecurityException: Invalid Subject: principals=[system, Administrators]
    at weblogic.security.service.SecurityServiceManager.seal(SecurityServiceManager.java:893)
    at weblogic.security.service.RoleManager.getRoles(RoleManager.java:269)
    at weblogic.security.service.AuthorizationManager.isAccessAllowed(AuthorizationManager.java:608)
    at weblogic.servlet.security.internal.WebAppSecurity.hasPermission(WebAppSecurity.java:370)
    at weblogic.servlet.security.internal.SecurityModule.checkPerm(SecurityModule.java:125)
    at weblogic.servlet.security.internal.FormSecurityModule.checkUserPerm(FormSecurityModule.java:328)
    at weblogic.servlet.security.internal.SecurityModule.beginCheck(SecurityModule.java:179)
    at weblogic.servlet.security.internal.FormSecurityModule.checkA(FormSecurityModule.java:167)
    at weblogic.servlet.security.internal.ServletSecurityManager.checkAccess(ServletSecurityManager.java:185)
    at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:2960)
    at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:2466)
    at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:152)
    at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:133)
    Seems to me that the default role manager does not map the
    group Administrators to the role Admin, which is allowed to
    access the resource console. So, what am I doing wrong? Must I set
    additional credentials to the subject? Or must I use a special
    Principal class? Who can help me?
    Thanks in advance & greetings
    Dirk Fellenstein

    I have solved it. The Problem was that the two Principal implementations, one that
    implements WLSGroup and one that implements WLSUser, need a common principal base
    class. The principal validator class, method getPrincipalBaseClass() must then return
    the common principal base class.

  • Custom Tag Authentication

    Hello Everyone,
    Quick question. If I want to redirect a user to a login.html page if they're not logged on and they are trying to use a resource, what is the best way to go about it? Should I page the bean value attribute to the tag and then just embed boolean values in the page with the pageContext.setAttribute(..)? Or is there a better way to go about it, since I'm just not sure with the way that the tag returns values (SKIP, etc.).
    Thanks a lot,
    Lior

    If you have multiple filters, you can have your security one determine whether or not to continue with the chain. Code example:
    chain.doFilter(request, response);
    That continues in the chain of filters, if there are any more. If you want to short circuit that and send the user somewhere else, simply don't call that method and either forward the user to another resource from the request object, or use a sendRedirect on the response object to send them to wherever.
    Example:
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws java.io.IOException, ServletException
    {
        if (something == true) {
            // continue through other filters (if any more)
            chain.doFilter(request, response);
        } else {
            // failed test, redirect (or forward) to another page/resource;
            // sendRedirect is declared on HttpServletResponse, so cast first
            ((HttpServletResponse) response).sendRedirect("/loginpage.jsp");
            return;
        }
    }
