Custom developed SAML login module

has anyone developed a custom SAML login module? i need to develop one for SAML 2.0, because SAP does not support SAML version 2.0 yet.
I am familiar with how to develop a generic J2EE login module, but I need instructions how to develop a SAML module. I know that there is a sample saml login module from SAP (com.sap.security.core.server.saml.app.ssotest.dest.SAMLMappingModule), does it come with source code?
Tiberiu

See how to develop a custom J2EE login module for SAML 2.0

Similar Messages

J2EE 6.40 Custom Login Module - how to config

hello all,
i am using WAS J2EE 6.40 Sneak Preview edition. Read all i can find about custom login module, in the forum and the online help. still confused. pls help.
here is the background info:
- i am writing a web app. the EAR file contains 5 ejbs, 1 war and bunch of java classes in jars.
- access to my web app is protected through url pattern (in web.xml), i've defined the same named security role in web.xml and on j2ee engine.
- my login module does the user name and password checking. both are stored in database through some other means.
- login is FORM based
following the discussion in another thread on the topic, i did the following:
#1 develop my login module code. packaged it in a jar, then sda file. deploy the sda as a llibrary to the engine.
#2 add my login module to the security store through the security provider service.
#3 configure my web app to use the custom login module in web-j2ee-engine.xml
#4 deploy my web app through the ear file
at this point, in the visual administrator, i can see the library, the custom login module (added to the UME User Store), and also my web app has authentication set to use the custom login module (under policy configurations tab).
now i try to login to my web app. it correctly complains when i enter non-existent user or wrong password and brings me to the login failed jsp page. but when i enter both correctly (as stored in my database), i get http 403 error code. i know it is 403 because i set that error code to a special jsp page in web.xml.
question is why? now i create a user on the j2ee engine with the same name as in my user database. then i can login ok. i am confident that my login module is called since i see the println lines in j2ee engine server logs.
??? so i must be missing something obvious. is it because my web app is protected through security-role? i even tried removing all such roles, but still same problem.
??? or do i completely mis-understand how custom login modules are supposed to work. i thought it means i can authenticate users any way i want without having to use the j2ee engine's user mgmt. pls tell me if i am totally wrong.
??? or maybe my login module code is missing some key stmts. how should it tell the j2ee engine that a user is authenticated? in the login() method, it returns true if user name/passwd match. in the commit() method, it adds the principal to the subject. i don't what else is required.
does anyone have a working scenario using custom login modules?
thanks very much for your inputs and thoughts.
wentao

Hi Astrid,
I guess I have the same understanding of JAAS as you. I want to deploy an application that internally makes use of JAAS to authenticate users. There is a LoginModule that authenticates users against some database tables containing all the user data and profile. The application was not designed to be deployed to NetWeaver. So it does not make use of UME or some other NetWeaver specific feature. Actually it handles user management and authoroization issues completely on its own. The only reason for having JAAS is to allow customers to plug in their own LoginModule to use some other kind of user store.
When deploying the web application to a simple servlet engine like Tomcat, all I have to do is to register my LoginModule in the "jaas.conf" file that is parsed by JAAS default implementation. I also tell the JVM where my jaas.conf file is located by appending a "-Djava..." runtime parameter to the JVM startup script.
When using other application servers like IBM WebSphere things become a bit different. Normally you use the administration GUI of that server to configure your LoginModules. WebSphere for example keeps the login configuration in an internal database rather than writing everything into a "jaas.conf" text file. But the way the application can use the LoginModule is the same as in Tomcat.
But when it comes to Netweaver, it seems to me that it's not possible to define a LoginModule that your application can use WITHOUT having to couple it tightly to UME. Or did I get something wrong? Initially I've tried to modify the JVM's parameters (using SAP J2EE Config Tool) to include the location of my "jaas.conf" file containing the my login configuration. But that did not work. The parameter was really passed to the JVM but anyway my LoginModule was not found, I guess that NetWeaver has some own implementation of the JAAS interfaces that just ignore the plain text JAAS configuration files (like WebSphere also does).
The documentation that I have downloaded from SDN doesn't seem to match the 6.4 sneak preview version that I just downloaded some days ago. They say you should deploy your LoginModule as a library and add a refernce to the application. I tried that out but it did not help. The login configuration that the application wants to access is still not found. Actually there seems to be no way to specify the name for a JAAS Login Configuration in NetWeaver. At least I cound not find that in the documentation.
So basically my question is: is it possible to deploy an application that wants to use some own LoginModule (either deployed separately or together with the application, that does not matter) without making use of Netweaver specific features like UME? The application has its own user management infrastructure and just needs a way to setup a JAAS Login Configuration to access its own LoginModule.
Thanks in advance
Henning

Problems deploying custom JAAS login module (ClassNotFound)

Hi,
I've developed a custom made JAAS login module that filters on IP addresse which I am moving from 6.20 to 6.40.
I've pretty much followed the procedures from http://help.sap.com/saphelp_nw04/helpdata/de/46/3ce9402f3f8031e10000000a1550b0/content.htm , the only major difference is that I needed a reference to WebCallback and therefore a reference to com.sap.security.api.sda from my library project.
I've especially followed the step with "Adding a Reference to the Classloader of the Security Provider" (http://help.sap.com/saphelp_nw04/helpdata/de/2b/23e4407211732ae10000000a155106/content.htm) , but I think its this step that fails. This has been set to library:<library name> , where <library name> is what is written on the right hand side of visual admin under library. I see that the library is deployed under the folder bin\ext\customer.com~com.customer.portal.login.IPRuleLibrary   , so maybe I will try that name tomorrow morning.
The exceptions I get are
#1.5#001321B3B106005C0000000800002E380004039375E59BA6#1129831779936#com.sap.engine.services.security#sap.com/irj#com.sap.engine.services.security#Guest#1####ae7c5500419411daa7fd001321b3b106#SAPEngine_Application_Thread[impl:3]_17##0#0#Error#1#/System/Audit#Java###Exception #1#com.sap.engine.services.security.exceptions.BaseSecurityException: Cannot load a login module.
     at com.sap.engine.services.security.login.LoginContextFactory.init(LoginContextFactory.java:95)
     at com.sap.engine.services.security.login.LoginContextFactory.getLoginContext(LoginContextFactory.java:133)
     at com.sap.engine.services.security.server.AuthenticationContextImpl.getLoginContext(AuthenticationContextImpl.java:227)
     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
     at java.lang.reflect.Method.invoke(Method.java:324)
     at com.sap.engine.system.SystemLoginModule.initialize(SystemLoginModule.java:72)
     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
     at java.lang.reflect.Method.invoke(Method.java:324)
     at javax.security.auth.login.LoginContext.invoke(LoginContext.java:662)
     at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
     at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
     at java.security.AccessController.doPrivileged(Native Method)
     at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
     at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
     at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.getLoggedInUser(SAPJ2EEAuthenticator.java:86)
     at com.sapportals.portal.prt.service.authenticationservice.AuthenticationService.getLoggedInUser(AuthenticationService.java:305)
     at com.sapportals.portal.prt.connection.UMHandler.handleUM(UMHandler.java:96)
     at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:186)
     at com.sapportals.portal.prt.dispatcher.Dispatcher$doService.run(Dispatcher.java:522)
     at java.security.AccessController.doPrivileged(Native Method)
     at com.sapportals.portal.prt.dispatcher.Dispatcher.service(Dispatcher.java:405)
     at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
     at com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet.service(InvokerServlet.java:156)
     at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
     at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:295)
     at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:351)
     at com.sap.portal.navigation.Gateway.service(Gateway.java:68)
     at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
     at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:390)
     at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:264)
     at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:347)
     at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:325)
     at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:887)
     at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:241)
     at com.sap.engine.services.httpserver.server.Client.handle(Client.java:92)
     at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:148)
     at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
     at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
     at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
     at java.security.AccessController.doPrivileged(Native Method)
     at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:95)
     at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:159)
Caused by: java.lang.ClassNotFoundException: com.customer.portal.login.IPRuleLoginModule
Found in negative cache
- Loader Info -
ClassLoader name: [common:library:com.sap.security.api.sda;library:com.sap.security.core.sda;library:security.class;library:webservices_lib;service:adminadapter;service:basicadmin;service:com.sap.security.core.ume.service;service:configuration;service:connector;service:dbpool;service:deploy;service:jmx;service:jmx_notification;service:keystore;service:security;service:userstore]
Parent loader name: [Frame ClassLoader]
References:
   library:com.sap.ip.basecomps
   library:core_lib
   common:library:IAIKSecurity;library:activation;library:mail;library:tcsecssl
   library:servlet
   library:sapxmltoolkit
   library:com.sap.mw.jco
   library:com.sap.util.monitor.jarm
   library:j2eeca
   library:opensql
   interface:security
   interface:log
   interface:shell
   interface:keystore_api
   library:ejb20
   interface:webservices
   library:com.sap.guid
   interface:appcontext
   interface:endpoint_api
   interface:resourceset_api
   interface:resourcecontext_api
   common:service:iiop;service:naming;service:p4;service:ts
   interface:ejbcomponent
   interface:container
   interface:visual_administration
   interface:transactionext
   interface:dsr_ejbcontext_api
   service:timeout
   library:tc~jmx
   library:tcSLUTIL
   service:memory
   library:antlr
   library:jdbdictionary
   library:opensqlextensions
   interface:cross
   service:locking
   service:file
Resources:
   C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
ext
security.class
tc_sec_saml_toolkit_api.jar
   C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
services
adminadapter
adminadapter.jar
   C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
services
com.sap.security.core.ume.service
com.sap.security.core.ume.service.jar
   C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
ext
webservices_lib
jaxrpc-api.jar
   C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
ext
com.sap.security.api.sda
com.sap.security.api.jar
   C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
services
dbpool
opensqllib.jar
   C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
services
jmx
jmx_sec.jar
   C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
ext
webservices_lib
jaxm-api.jar
   C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
services
keystore
keystore.jar
   C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
services
security
security.jar
   C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
services
basicadmin
jstartupapi.jar
   C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
ext
security.class
tc_sec_saml_jaas.jar
   C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
services
connector
connectorimpl.jar
   C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
ext
webservices_lib
webservices_lib.jar
   C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
ext
security.class
tc_sec_jaas.jar
   C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
ext
security.class
tc_sec_saml_service_api.jar
   C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
ext
security.class
tc_sec_userstore_lib.jar
   C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
ext
webservices_lib
saaj-api.jar
   C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
ext
com.sap.security.core.sda
com.sap.security.core.jar
   C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
ext
com.sap.security.core.sda
com.sap.security.core.tpd.jar
   C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
ext
security.class
tc_sec_csi.jar
   C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
ext
security.class
tc_sec_ssf.jar
   C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
services
userstore
userstore.jar
   C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
services
dbpool
sqljimpl.jar
   C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
ext
security.class
tc_sec_saml_xmlbind.jar
   C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
ext
security.class
tc_sec_saml_util.jar
   C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
services
dbpool
dbpool.jar
   C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
services
deploy
deploy.jar
   C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
ext
security.class
tc_sec_saml_toolkit_core.jar
   C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
services
jmx
jmx.jar
   C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
ext
security.class
tc_sec_compat.jar
   C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
services
jmx_notification
jmx_notification.jar
   C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
services
configuration
configuration.jar
   C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
services
basicadmin
jstartupimpl.jar
   C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
ext
security.class
tc_sec_https.jar
   C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
services
basicadmin
basicadmin.jar
   C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
ext
security.class
tc_sec_jaas_test.jar
   C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
ext
com.sap.security.api.sda
com.sap.security.api.perm.jar
Loading model: {parent,local,references}
     at com.sap.engine.frame.core.load.ReferencedLoader.loadClass(ReferencedLoader.java:348)
     at com.sap.engine.services.security.Util.loadClass(Util.java:262)
     at com.sap.engine.services.security.Util.loadClassFromAdditionalLoaders(Util.java:204)
     at com.sap.engine.services.security.login.LoginContextFactory.init(LoginContextFactory.java:92)
     ... 45 more
#1.5#001321B3B106005C0000000900002E380004039375E5A109#1129831779936#com.sap.engine.services.security#sap.com/irj#com.sap.engine.services.security#Guest#1####ae7c5500419411daa7fd001321b3b106#SAPEngine_Application_Thread[impl:3]_17##0#0#Error##Java###Cannot load login module class .#1#com.customer.portal.login.IPRuleLoginModule#

Hi,
The problem was solved by using the name customer.com~com.customer.portal.login.IPRuleLibrary for the library (so basically look at the name of your library folder under cluster\j2ee\serverx\bin\ext , not the name reported by visual admin).
Also I was able to modify the properties of the login module runtime, which made me very happy
Dagfinn

Problem with role mapping in custom login module

Hi all,
I have developed custom login modules. They don't use the default user store but own data tables holding the necessary user information.
Login works fine. But there is one big problem: Only those users that exist with the same user-id in the default user store get roles assigned to it. Whicht leads to 403-errors in my web application.
Now, this is weired because a user with id 'Susi' has completely different passwords in my custom tables and in the user store, therefore it shouldn't be possible to authenticate 'Susi' against the default user management.
Next thing is, I don't use the default login modules at all. So why does the application validates against the user store?
I thought a source of the problem might be that I don't set the roles correctly. I set the roles as a principal to the subject. I have chosen the role based mapping in the web-engine.xml and mapped all my custom roles to the server role 'guests'.
Could anybody think of a solution to this problem ?
Thanks, Astrid

Astrid,
Sorry to go off-topic on your post...but I have a question in relation to how you deploy your login module. Do you deploy the login module with your application ? I've developed a login module that I would like to deploy by itself, I currently deploy it with the calculator example and it works fine like this, but I need to deploy it by itself. Any tips you can give would be greatly appreciated.
I've tried to use the deploytool and deploy the module as a library...but I get a "cannot load a login module" in the logs when authenticating a user.

Help : Call Login Module directly when iView is launched - without submit

Hi there,
we have developed a login module on for our NW2004S SP13 Portal, that checks the IP address of the client to be in a valid range. If so, the standard SAP login screen must be bypassed. If not, the standard login screen needs to be shown (we use the standard sap umLogonPage, we only made a copy z.com.portal.runtime.logon.par) and added to the portalapp.xml an entry which is a copy of the 'certlogon' entry..
-> What we like to achieve is that the logonstack is called directly when the application is launched.
a) Code below functions, but only one problem : when the IP Address is invalid (login module returns false), a blank page is shown instead of the default userid / pw page.
    In case of valid IP OK, invalid IP (login module returns false) blank page :o(
b) As an alternatice, in my opinion, it would be best to use the standard SAP class in the portalapp.xml (com.sap.sapportals.portal.ume.component.logon.SAPMLogonComponent) & have some sort of servlet in front
The behaviour of which page to return in case of failed logon is contained in com.sap.portal.runtime.logon_api.jar, class com.sap.sapportals.portal.ume.component.logon.SAPMLogonComponent -> class SAPMLogonLogic).
How can this be done? I've already cracked my head over it, but can't get this to work -
My coding for a) :
package z.x.sapportals.portal.ume.component.logon;
import com.sap.security.api.logon.ILogonFrontend;
import com.sapportals.portal.prt.component.AbstractPortalComponent;
import com.sapportals.portal.prt.component.IPortalComponentRequest;
import com.sapportals.portal.prt.component.IPortalComponentResponse;
import com.sapportals.portal.prt.session.IUserContext;
public class xSAPMLogonComponent extends AbstractPortalComponent     implements ILogonFrontend
     protected void doContent(IPortalComponentRequest request, IPortalComponentResponse response)
          response.write("\n\n");
          response.write("\n");
          String firstName ="";
          String lastName = "";
          String logonUid = "";
          String password = "";
          String authscheme = "";
          IUserContext userContext = request.getUser();
          if (userContext != null)
               firstName = userContext.getFirstName();
               lastName = userContext.getLastName();
               logonUid = userContext.getLogonUid();
               password = "dummy";
               authscheme = (String)request.getValue("com.sap.security.logon.authscheme.required");
               response.write("Welcome :");
               response.write("logonUid = " + logonUid + "<br><br>");
               response.write("j_password = " + password + "<br><br>");
               response.write("<form id=\"redirform\" method=\"post\" >");
               response.write("<input type=\"hidden\" name=\"login_submit\" value=\"on\">");
               response.write("<input type=\"hidden\" name=\"j_user\" value=\"" + logonUid + "\">");
               response.write("<input type=\"hidden\" name=\"j_password\" value=\"" + password + "\">");
               response.write("<input type=\"hidden\" name=\"j_authscheme\" value=\"" + authscheme + "\">");
               response.write("<input type=\"submit\" value=\"send\">");
               response.write("</form>");
//                      Commented out javascript auto submit to press submit manually for testing
     /* (non-Javadoc)
@see com.sap.security.api.logon.ILogonFrontend#getTarget()
     public Object getTarget()
          // TODO Auto-generated method stub
          return this;
     /* (non-Javadoc)
@see com.sap.security.api.logon.ILogonFrontend#getType()
     public int getType() {
          // TODO Auto-generated method stub
          return 2;
Portalapp.xml :
    <component name="iplogon">
      <component-config>
        <property name="ClassName" value="z.x.sapportals.portal.ume.component.logon.xSAPMLogonComponent"/>
        <property name="SafetyLevel" value="no_safety"/>
        <property name="LocalModeAllowed" value="true"/>
      </component-config>
      <component-profile>
        <property name="AuthScheme" value="anonymous"/>
        <property name="com.sap.portal.pcm.Category" value="platform">
          <property name="inheritance" value="final"/>
        </property>
        <property name="SupportedUserAgents" value="(MSIE, >=5.0, *) (Netscape, *, ) (Mozilla,,*)">
          <property name="inheritance" value="final"/>
        </property>
      </component-profile>
    </component>
authschemes.xml
        <authscheme name="iplogon">
            <authentication-template>
                radiusExtended
            </authentication-template>
            <priority>22</priority>
            <frontendtype>2</frontendtype>
            <frontendtarget>z.x.portal.runtime.logon.iplogon</frontendtarget>
        </authscheme>

Hi,
I'm not sure if you have already solved this issue, I was looking up another issue and came across this topic, maybe I can close this topic for you.....
Here is what you could do...
1) Create a custom login module stack with your login module
2) Create a authentication scheme that refers this stack
For example, you have defined a login module stack called certlogon in the Security Provider service in the Visual Administrator. You   want to create an authentication scheme that uses this login module stack. To do this, you add the following excerpt to the authschemes.xmlfile.
<authscheme name="myauthscheme">
      
      <authentication-template>
        certlogon
      </authentication-template>
      <priority>20</priority>
      
      
      <frontendtype>2</frontendtype>
      
      <frontendtarget>
        com.mycompany.certlogonapp
      </frontendtarget>
</authscheme>
In this schema refer your custom login application.
thanks,
Sudhir

JAAS login module is calling password change page

Hi,
I am developing an login module on SAP Portal 7.0, but I stuck an issue. "User password change" page is appearing on the screen as soon as I call "http://<hostname>:<port>/irj/portal", after I add my custom login module under "ticket" component on "Visual Administrator". It is weird that custom login module is running properly on the portal with 1 server node. The problem is occured when I try to call it on the portal with 5 server nodes. I would like to indicate that I didn't call "User password change" page or something like a thing that can call that page, in the code. Anyone has a suggestion?
Thank you

I solved the problem

Login Module - WebCallback

Hi there,
I've developed a login module to verify if a users IP address is valid between a given IP range.
My coding is based upon the following tutorial : <a href="http://help.sap.com/saphelp_nw04/helpdata/en/d0/5954e9f2aa47e6b91fc3ebf18d5de5/frameset.htm">Advanced Authentication Example</a>
Debugging mode is switched on, and I have seen that in following code, the first line is executed, but the code just stops when the logInfo method has completed. The line with WebCallback is not even called.
Import statments :
<i>
import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginException;
import javax.servlet.http.HttpServletRequest;
import net.sourceforge.jradiusclient.RadiusAttribute;
import net.sourceforge.jradiusclient.RadiusAttributeValues;
import net.sourceforge.jradiusclient.RadiusClient;
import net.sourceforge.jradiusclient.RadiusPacket;
import com.sap.engine.interfaces.security.auth.AbstractLoginModule;
import com.sap.engine.lib.security.LoginExceptionDetails;
import com.sap.engine.lib.security.Principal;
import com.sap.engine.lib.security.http.HttpCallback;
import com.sap.engine.lib.security.http.HttpGetterCallback;
import com.sap.security.api.logon.WebCallback;
import com.sap.tc.logging.Location;
</i>
<i>
     private String getClientIP ()
     throws UnsupportedCallbackException, IOException
          logInfo("method getClientIP");
          WebCallback wcb = new WebCallback ();
          _callbackHandler.handle (new Callback [] { wcb });
          HttpServletRequest req = wcb.getRequest();
          logInfo("Client IP : " + req.getRemoteAddr());
          return req.getRemoteAddr ();
</i>
I use NWDI, and as used DC's I have :
<i>
com.sap.engine.client.lib
com.sap.security.api.sda
security_api
servlet
tc/logging
</i>
Any ideas?
Many thanks!

Hi,
Have You added reference com.sap.security.api.sda in your library project.
Open provider.xml file and check if you have reference com.sap.security.api.sda
Hope this helps
Jakub Krecicki

Accessing LDAP in a custom JAAS login module

Hi,
I have developed a custom jaas login module in CE 7.1. I created a java dc which contains a class extending AbstractLoginModule. This DC is deployed on to the server using an EAR DC. I am trying to access LDAP in the custom login module. I am trying to establish an SSL connection to LDAP. For this purpose i have created a custom socket factory class which extends SSLSocketFactory. I used the code below to establish the connection.
          Hashtable<String,String> env=new Hashtable<String,String>();
          DirContext dirContext=null;
          env.put(Context.INITIAL_CONTEXT_FACTORY,"com.sun.jndi.ldap.LdapCtxFactory");
          env.put(Context.PROVIDER_URL,ldapURL);
                env.put(Context.SECURITY_PROTOCOL,"ssl");
                env.put("java.naming.ldap.factory.socket", "com.test.ldap.MySSLSocketFactory");
                dirContext=new InitialDirContext(env);
MySSLSocketFactory is the name of custom socket factory.
During a login process, the above code results in error because the connection to LDAP server could not be established. However the same code when executed in a webdynpro DC is working without any problem. What could be the reason for this?
This is the error i could see in defaultTrace
javax.naming.CommunicationException: js24.na.domain.net:636 [Root exception is java.lang.ClassNotFoundException: com.test.ldap.MySSLSocketFactory
Loader Info -
ClassLoader name: [service:security]
Living status: alive
Direct parent loaders:
   [system:Frame]
   [library:j2eeca]
   [service:timeout]
   [service:com.sap.security.core.ume.service]
   [service:adminadapter]
Resources:
   /usr/sap/SV3/J10/j2ee/cluster/bin/services/security/lib/private/sap.comtcjesecurityimpl.jar
at com.sun.jndi.ldap.Connection.<init>(Connection.java:205)
at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:118)
at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1579)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2681)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:299)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
at com.sap.engine.system.naming.provider.DefaultInitialContext._getDefaultInitCtxt(DefaultInitialContext.java:64)
at com.sap.engine.system.naming.provider.DefaultInitialContext.<init>(DefaultInitialContext.java:45)
at com.sap.engine.system.naming.provider.DefaultInitialContextFactory.getInitialContext(DefaultInitialContextFactory.java:41)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:247)
at javax.naming.InitialContext.init(InitialContext.java:223)
at javax.naming.InitialContext.<init>(InitialContext.java:197)
at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:82)

Hi,
I used an EJB to perform the LDAP search and called the EJB from the login module. It is working as expected.
Regards,
Shabeer

Howto put custom JAAS Login Module into NWDI

Hi there!
We are currently in migration phase and want to integrate existing codings to NWDI. We mainly had Web Dynpro projects which we figured out how to migrate through discovering help.sap.com
Formerly I developed a custom JAAS login module which is productive on our portal systems. Now I would like to integrate it to NWDI. Is this possible in general?
Best Regards
Christian

Can you clarify a bit more what didn't work? What issues do you face?
Our setup for security.jar (which is not available in one of the base SC's) (for the rest try to use as many base DC's as possible):
1. Create External Library DC for security.jar
2. Add security.jar to libraries folder, add to new pp for Compilation
3. Create J2EE Library DC for loginmodule
4. Create Java Library DC for loginmodule as Child DC
5. Define the External Library DC as Used DC of the Java DC, referencing the Compilation pp (Only a Build time dependency, since this will not be deployed, instead you'll reference the registered interface, see below).
6. Create a public part for Assembly in the Java DC. Add all your loginmodule classes to the pp.
7. Define the Java DC as Used DC of the J2EE Library DC, referencing the Assembly pp (only Build time dependency). (this packages the loginmodule jar in the J2EE library)
8. Create a provider.xml in the 'server' folder of the J2EE Library DC
9. Define references to libraries used by the Child DC and the Child DC's jar:
     <references>
          <reference
               provider-name="sap.com"
               strength="weak"
               type="library">com.sap.security.api.sda</reference>
          <reference
               provider-name="sap.com"
               strength="weak"
               type="interface">security_api</reference>
          <reference
               provider-name="sap.com"
               strength="weak"
               type="library">com.sap.tc.Logging</reference>
          <reference
               provider-name="sap.com"
               strength="weak"
               type="library">servlet</reference>
     </references>
     <jars>
          <jar-name>[vendor name]~[DC name]~Assembly.jar</jar-name>
     </jars>
The J2EE Library DC has only one Used DC: The child Java DC.
The Java DC has Used DCs for anything you need to compile your loginmodule code.
Hope I didn't forget anything else.

Custom pluggable idm with custom login module

Hello All. I've developed a custom implementation of the pluggable identity management framework as explained in chapter 13 of the book "Oracle® Containers for J2EE Security Guide10g (10.1.3.1.0)". I have OAS 10.1.3.1.0.
Everything works fine except when the identity is validated with in the tokenAsserter. The process is supposed to continue with the login method implemented in my custom login module but instead the default oracle implementation (RealmLoginModule) is being executed.
The application is a servlet and is configured to use a custom loginModule. If I don't use de custom auth method (auth-method="CUSTOM_AUTH" in orion-application) my loginModule is called but when I plug it to my custom idm implementation it doesn't.
The custom idm is packed in to a jar containing the idm and the login module. The jar is deployed to the <ORACLE_HOME>/ext/lib directory.
Any suggestions? Thanks

Thanks for your answer, it really helps. I had already cheeked all that stuff and it was correct, but knowing that another person had made it worked the same way I was doing it, made me think I was doing it right and the problem may simpler. It really was. OC4J was really calling my login module all the time but it was getting a runtime exception, a very simple one, that was making OC4J to propagate the authentication to the default login module (RealmLoginModule), and that was the error I was watching in the logs that had me all confused.
I will start another thread though about stolen cookie in a SSO solution that I’m developing with this implementation.
Thank you.

Custom Login Module with Adf 11g and and weblogic server

I have configured adf security on my application. I have checked the authentication and authorization are working fine with the default authenticator.
I am trying to create a custom login module. I have downloaded the custom login module implementation jaasdatabaseloginmodule.zip http://www.oracle.com/technetwork/developer-tools/jdev/index-089689.html. I have added the DBLoginModule.jar to my application. post written by Frank Nimphius and Duncan Mills
I have configured the jps config under the application resources with these entries.
<jpsConfig xmlns="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd">
<property value="true" name="custom.provider"/>
<property value="doasprivileged" name="oracle.security.jps.jaas.mode"/>
<serviceInstance name="CustomFFMLoginModule"
provider="jaas.login.provider">
<property name="jaas.login.controlFlag" value="REQUIRED"/>
<property name="log.level" value="FINEST"/>
<property name="debug" value="true"/>
<property name="addAllRoles" value="true"/>
<property name="loginModuleClassName"
value="oracle.sample.dbloginmodule.DBTableLM.ALSDBTableLoginModule"/>
<property value="jdbc/ApplicationDBDS" name="data_source_name"/>
</serviceInstance>
<jpsContexts default="FFMSecurityDAM">
<jpsContext name="FFMSecurityDAM">
<serviceInstanceRef ref="CustomFFMLoginModule"/>
<serviceInstanceRef ref="credstore"/>
<serviceInstanceRef ref="anonymous"/>
<serviceInstanceRef ref="policystore.xml"/>
</jpsContext>
When I run the application this custom login is not getting invoked.
I even tried to add these contents to DefaultDomain\config\fmwconfig\jps-config.xml still no result.
Can anyone who has configured custom login module direct me how to correct my application.

Hi Frank,
After following the documentation suggested. I am able to create custom authenticator. But when I login I getting the below exception. When I debugged login method returned true. But this error is being thrown after that. Any clue.
java.lang.IllegalArgumentException: [Security:097531]Method com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principals) was unable to sign a principal
     at com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(PrincipalValidationServiceImpl.java:188)
     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
     at java.lang.reflect.Method.invoke(Method.java:597)
     at com.bea.common.security.internal.utils.Delegator$ProxyInvocationHandler.invoke(Delegator.java:57)
     at $Proxy10.sign(Unknown Source)
     at weblogic.security.service.internal.WLSIdentityServiceImpl.getIdentityFromSubject(WLSIdentityServiceImpl.java:63)
     at com.bea.common.security.internal.service.JAASLoginServiceImpl.login(JAASLoginServiceImpl.java:119)
     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
     at java.lang.reflect.Method.invoke(Method.java:597)
     at com.bea.common.security.internal.utils.Delegator$ProxyInvocationHandler.invoke(Delegator.java:57)
     at $Proxy16.login(Unknown Source)
     at weblogic.security.service.internal.WLSJAASLoginServiceImpl$ServiceImpl.login(WLSJAASLoginServiceImpl.java:91)
     at com.bea.common.security.internal.service.JAASAuthenticationServiceImpl.authenticate(JAASAuthenticationServiceImpl.java:82)
     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
     at java.lang.reflect.Method.invoke(Method.java:597)
     at com.bea.common.security.internal.utils.Delegator$ProxyInvocationHandler.invoke(Delegator.java:57)
     at $Proxy34.authenticate(Unknown Source)
     at weblogic.security.service.WLSJAASAuthenticationServiceWrapper.authenticate(WLSJAASAuthenticationServiceWrapper.java:40)
     at weblogic.security.service.PrincipalAuthenticator.authenticate(PrincipalAuthenticator.java:348)
     at weblogic.servlet.security.internal.SecurityModule.checkAuthenticate(SecurityModule.java:237)
     at weblogic.servlet.security.internal.SecurityModule.checkAuthenticate(SecurityModule.java:186)
     at weblogic.servlet.security.internal.FormSecurityModule.processJSecurityCheck(FormSecurityModule.java:254)
     at weblogic.servlet.security.internal.FormSecurityModule.checkUserPerm(FormSecurityModule.java:209)
     at weblogic.servlet.security.internal.FormSecurityModule.checkAccess(FormSecurityModule.java:92)
     at weblogic.servlet.security.internal.ServletSecurityManager.checkAccess(ServletSecurityManager.java:82)
     at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2204)
     at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2174)
     at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1446)
     at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
     at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)

Deploying a custom login module to the J2EE engine

I have developed a custom login module, and want to deploy it to the SAP j2ee engine. How should I go about this ? I tried packaging it as a jar and then using the deploytool, went into user management to register the module, but when the module was invoked I got an error in the log saying "Cannot load a login module".
The way I currently deploy it is packaged with the Example Calculator, and this works. I just add my 2 java files into the web module (in com.sap.examples.calculator.beans) and it gets packaged in the war file.
Can anyone help with the "proper" way of deploying my module ?
Thanks in advance

Hi Brad,
>
> What I'm actually trying to do is NOT deploy my
> custom login module with an application. But rather
> deploy the jar file as a library to the J2EE engine,
> so that any application can use it by configuring it
> in their login stacks. I'm still not totally clear
> whether this is possible or not.
Once again - It is possible to deploy the login module as a library to the J2EE Engine; furthermore, this is the PREFERRED way to use login modules!
>
> What I have currently done:
>
> 1. developed custom login module packaged as a jar in
> NW studio (2 class files)
>
> 2. Using deploytool I deploy the jar as a library to
> the j2ee engine. This works and the library shows up
> under the libraries section.
>
> 3. Register the login module in the user
> management->manage security stores section. I'm
> unsure if this works properly. Do I just provide the
> full path to the required class ? For example
> "com.example.myloginmodule.LoginModule"
> I have a suspicion that my error of "cannot load a
> login module" stems from here.
>
> 4. I have then followed your step and added a
> reference to the libray (Hard reference) and this
> seems ok.
>
Sorry, Brad, I've made a mistake here. You need to set a reference from the Security Provider Service to the library that contains the login module (not from the application). To do that at runtime, you'll have to use the Configuration Adapter service on the J2EE Engine. For a description of the procedure, see this page in the documentation: http://help.sap.com/saphelp_nw04/helpdata/en/dd/1e3a3e5069eb6ce10000000a114084/frameset.htm
You need to provide additional entry of the following type in the security-provider.xml file:
<reference type="library" strength="weak">
Your-library-name-here
</reference>
Regards,
Ivo.
Message was edited by: Ivaylo Ivanov

Custom login module for weblogic portal 10.3.2

Hi everyone
i want to develop a custom portal login module for weblogic..
can anyone help me out with details how can i implement it ...any links provided will ve very useful
Thanks in advance.

The credentials given on that page are wrong for 10.3.2. (They might be correct for 10.3, but that's not my problem.) I found the correct credentials -- weblogic / webl0gic -- at this URL:
weblogic portal 10.3.2 sample domain admin console question
It's also given correctly in section 6 of the Getting Started Guide, but you have to know to look there first.
Edited by: dwschulze on Aug 19, 2010 1:47 PM

Custom login module - Not invoked...

Hi All
I have developed a custom login module and the necessary configuration steps in VA are performed. However, the custom login module is not called...
1. Developed a Java DC as a Child DC in a Library DC.
2. Added all the relevant jars needed as Used DC and Public Parts as required. Also updated the provider.xml with relevant references.
3. Build and Deployed. (No errors found here..)
4. In VA - Created a new Login Module.... updated the property LoginModuleClassLoaders to library:xyz where xyz is the name of the folder for deployed sda as found in cluster\j2ee\serverx\bin\ext...next updated the config tool for the same.... next modified the sap.com/irj*irj authentication as:
Basic - Requisite
CustomModule - Optional.
Then performed server restart. Yet, login module not called. Any ideas as to where I am going wrong..?? (In my login module, just trying to retrieve the user name and change their attributes like lastname etc... )
Thanks
Deepak

Issue solved....
Had forgot to add the module to the ticket stack...

Custom Login Module - ClassNotFound

Hello all
I developed a custom login module following the instructions I found here: http://help.sap.com/saphelp_nw04/helpdata/en/46/3ce9402f3f8031e10000000a1550b0/frameset.htm
The general purpose of my module is to "filter" the username and look for (using the UMFactory) the corresponding uniqueUserID.
The problem is that my LoginModule cannot be loaded due to "ClassNotFound" Error which I see in the defaultTrace.
My steps were:
1. Create my LoginModuleImplementation
2. Create a Library as stated in the tutorial. Additionally I added some more references to the Library (Logging, webservices_lib) and successfully deplyed it to the J2EE-Server. I can see the file in one folder (...../j2ee/cluster/server0/bin/ext/MyModuleLib/MyModule.jar) so I think it's been correctly deployed.
3. I configured its usage in the securtiy provider-UserManagementPolicies and with security provider-policy-ticket.
4. I also ran the configtool to added it to the ClassLoader property there
I double- no, fourth-checked everything and it's spelled correctly and exactly (case-sensitive) as in NWDS.
So, do you have any idea please?
By the way: Do you know where I can set the Severity-Level for the LoginModul-Stack, so I get more informational messages?
Regards
Michael

Hi,
The problem was solved by using the name customer.com~com.customer.portal.login.IPRuleLibrary for the library (so basically look at the name of your library folder under cluster\j2ee\serverx\bin\ext , not the name reported by visual admin).
Also I was able to modify the properties of the login module runtime, which made me very happy
Dagfinn

Custom developed SAML login module

Similar Messages

Maybe you are looking for