Custom Login based on Organization

Similar Messages

• Please tell me a BAPI to get Closing balance of customer account based on Sales Organization?

  Hi Experts,
  A requirement has come up where I want to get Customer closing balance based on its sales organization as this particular customer is extented to 2 different sales organizations. I want to get the closing balance of individual sales organization vise.
  Please tell me a BAPI to get Closing balance of customer account based on Sales Organization?

  AFAIK there is no such BAPI, cause there is no database table with balance for customer per sales organisation. (No KNCx table for VKORG)
  First ask functionals (*) how to recover sales organisation from a FI document (I suppose for SD invoice it is easy if no merging between organisation) will be a little tricker for pure FI document like payment transactions (hope thet are quickly cleared...)  Then start from non cleared records of BSID (also BSAD if you use a past date of reference, in case you have to add the records of BSAD with clearing date greater than reference date) and cross it with SD information to break FI into sales organisation.
  Regards,
  Raymond
  (*) Ask for where do they store VKORG in FI documents

• Issues with OSSO ,custom login module and form based authentication

  Hi:
  We are facing issues with OSSO (Oracle Single Sign on ),Our application use the form based
  authentication and Custom login module.
  Application is going in infinite loop when we we try to login using osso ,from the logs
  what I got is looks like tha when we we try to login from OSSO application goes to the login
  page and it gets the remote user from request so it forwards it to the home page till now
  it is correct behaviour ,but after that It looks like home page find that authentication is
  not done and sends it back to the login page and login page again sends it to the home as it
  finds that remote user is not null.
  Our web.xml form authentication entry looks like this :
  <login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
  <form-login-page>/jsp/login.jsp</form-login-page>
  <form-error-page>/jsp/couldnotlogin.jsp</form-error-page>
  </form-login-config>
  </login-config>
  While entry in orion-application.xml has the following entry for custom login :
  <jazn provider="XML">
       <property name="custom.loginmodule.provider" value="true" />
  <property name="role.mapping.dynamic" value="true" />
  </jazn>
  Whether If I change the authentication type to BASIC and add the following line
  in orion-application.xml will solve the issue :
  <jazn provider="XML">
       <property name="custom.loginmodule.provider" value="true" />
  <property name="role.mapping.dynamic" value="true" />
  <jazn-web-app auth-method="SSO" >
  </jazn>
  Any help regarding it will be appreciated .
  Thanks
  Anil

  Hi:
  We are facing issues with OSSO (Oracle Single Sign on ),Our application use the form based
  authentication and Custom login module.
  Application is going in infinite loop when we we try to login using osso ,from the logs
  what I got is looks like tha when we we try to login from OSSO application goes to the login
  page and it gets the remote user from request so it forwards it to the home page till now
  it is correct behaviour ,but after that It looks like home page find that authentication is
  not done and sends it back to the login page and login page again sends it to the home as it
  finds that remote user is not null.
  Our web.xml form authentication entry looks like this :
  <login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
  <form-login-page>/jsp/login.jsp</form-login-page>
  <form-error-page>/jsp/couldnotlogin.jsp</form-error-page>
  </form-login-config>
  </login-config>
  While entry in orion-application.xml has the following entry for custom login :
  <jazn provider="XML">
       <property name="custom.loginmodule.provider" value="true" />
  <property name="role.mapping.dynamic" value="true" />
  </jazn>
  Whether If I change the authentication type to BASIC and add the following line
  in orion-application.xml will solve the issue :
  <jazn provider="XML">
       <property name="custom.loginmodule.provider" value="true" />
  <property name="role.mapping.dynamic" value="true" />
  <jazn-web-app auth-method="SSO" >
  </jazn>
  Any help regarding it will be appreciated .
  Thanks
  Anil

• Custom Login Web Part In SharePoint 2010 Forms Based

  Hi ,
  Im trying to make Custom Login Web Part In SharePoint 2010 Forms Based , all membership configration is done . 
  my question is why (Login1.username , Login1.password ) give this error : 
   login1 does not exist in the current context
  protected
  void
  Login1_Authenticate(object
  sender, AuthenticateEventArgs e)
  02        {
  03            string
  membership = "MembershipProvider";
  04            string
  role = "RoleProvider";
  05 
  06            e.Authenticated
  = SPClaimsUtility.AuthenticateFormsUser(new
  Uri(SPContext.Current.Web.Url),Login1.UserName,Login1.Password);
  07 
  08            if
  (!e.Authenticated) return;
  09 
  10            SecurityToken
  token = SPSecurityContext.SecurityTokenForFormsAuthentication(new
  Uri(SPContext.Current.Web.Url), membership, role,
  Login1.UserName,
  Login1.Password);

  Error 1 No overload for method 'SecurityTokenForFormsAuthentication' takes 3 arguments
  Error 2 The name Wss doesnot exisit in current context 
  Can anyone give sugeestion please 
  cant recitfy this error 
  protected void Login1_Authenticate(object sender,
  AuthenticateEventArgs e)
  02        {
  03            string membership
  = "MembershipProvider";
  04            string role
  = "RoleProvider";
  05 
  06            e.Authenticated
  = SPClaimsUtility.AuthenticateFormsUser(newUri(SPContext.Current.Web.Url),Login1.UserName,Login1.Password);
  07 
  08            if (!e.Authenticated) return;
  09 
  10            SecurityToken
  token = SPSecurityContext.SecurityTokenForFormsAuthentication(newUri(SPContext.Current.Web.Url),
  membership, role,
  Login1.UserName,
  Login1.Password);

• B2C scenario customer specific discount when customer login to the B2C site

  Hi E-Commerce gurus,
  We want to implement a customer specific discount scenario when the customer login to the B2C web site afterwards that easily see the customer specific discount as soon as duration of the login process. We have also succeed sales org-material     scenario that according to our given below function module calculates a discount rate covers all the material within the related sales organization and also shows the indicator of discount rate on the every material pictures at the web site.
  Moreover we have configured an access sequence for condition ZB2I(discount condition) that related with Sales Org.-Customer then we replicate the CNACRMPRCUS666 condition table from ECC to CRM with all values but we can not calculate and display the discount rate on the web site when the customer log on the site and/or going to the basket. 
  Is there any available BADI, BAPI on ABAP and JAVA Stack. How can we display the spesific customer discount rate when the customer log on the site and/or going to the basket?
  Kind Regards, 
  Fahrettin
  DATA : lv_time_stamp    TYPE timestamp.
    DATA : BEGIN OF ls_product,
              product_guid    TYPE comt_product_guid,
              indirim         TYPE prct_cond_rate,
           END OF ls_product,
           lt_product         LIKE TABLE OF ls_product.
    DATA : ls_shop_s          TYPE crmm_isa_shop_h,
           ls_vrt             TYPE comm_pcat_vrt.
    CALL FUNCTION 'CRM_ISA_SHOP_READ'
      EXPORTING
        iv_shop_id     = iv_shop_id
      IMPORTING
        es_shop_h      = ls_shop_s
      EXCEPTIONS
        shop_not_found = 1
        OTHERS         = 2.
    IF sy-subrc <> 0.
      RAISE shop_not_found.
    ENDIF.
    SELECT SINGLE * INTO ls_vrt
    FROM comm_pcat_vrt
    WHERE guid = ls_shop_s-pcat_vrt_guid.
    IF sy-subrc <> 0.
      RAISE shop_not_found.
    ENDIF.
    CONVERT DATE sy-datum TIME sy-uzeit INTO TIME STAMP lv_time_stamp
    TIME ZONE sy-zonlo.
    CLEAR ev_indirim.
    SELECT SINGLE kbetr  AS indirim
    INTO ev_indirim
    FROM cnccrmprsap350
    WHERE sales_org      EQ ls_vrt-sales_org
      AND timestamp_from LE lv_time_stamp
      AND timestamp_to   GE lv_time_stamp
      AND kschl          EQ 'ZB2I'.
    ev_indirim = - ev_indirim / 10.
    SELECT DISTINCT product AS product_guid kbetr AS indirim
    INTO CORRESPONDING FIELDS OF TABLE lt_product
    FROM cnccrmprcus518
    WHERE timestamp_from LE lv_time_stamp
      AND timestamp_to   GE lv_time_stamp
      AND kschl          EQ 'ZB2I'.
    LOOP AT lt_product INTO ls_product.
      ls_product-indirim = - ls_product-indirim .
      IF ls_product-indirim GT 90.
        ls_product-indirim =  ls_product-indirim / 10.
      ENDIF.
      MOVE-CORRESPONDING ls_product TO  et_list.
      APPEND et_list.
    ENDLOOP.
    SORT et_list .
  ENDFUNCTION.

  Hi,
  As per my knowledge if you want to implement customer specific discount then you should use ISA B2B instead of ISA B2C. ISA B2B gives you this facility which you want to implement on B2C.
  Also How you will distinguish User in B2C to display specific prise. Your discount price is based on Sales Org or base on user?
  As your ABAP program is working fine but you are not getting it on web site then you have to write custom java code and collect all the required information on ISA side then pass it to RFC's import parameter and get the result back and display result on ISA B2C.
  eCommerce Developer

• HOW TO CREATE A DFF BASED ON ORGANIZATION

  Hi,
  I want to create a DFF which would have 5 different context values, i want 2 of them to be available in one organization and other 3 in other organization, how i can achieve this.
  Regards,
  Usman.

  Hello,
  "HOW TO CREATE A DFF BASED ON ORGANIZATION"
  1- I will create a customized table having two columns one is for context name and other is for org_id,
  2- then i will create a value set on this table and will use this on 'Value Set' field on 'Descriptive Flexfield Segments' window.
  3- In the where clause of this value set i will pass org_id from profile $PROFILES$.ORG_ID,
  4- this will restrict the context based on org_id And user will only have context related to there org
  I have successfully achieved the above requirment.
  Find below the restriction you should follow so that Value set is available in LOVs on "Descriptive Flexfield Segments" window:
  Value sets used for context fields must obey certain restrictions or they will not be available to use in the Value Set field in the Context Field region of the Descriptive
  Flexfield Segments window:
  • Format Type must be Character (Char)
  • Numbers Only must not be checked (alphabetic characters are allowed)
  • Uppercase Only must not be checked (mixed case is allowed)
  • Right-justify and Zero-fill Numbers must not be checked
  • Validation Type must be Independent or Table
  If the validation type is Independent:
  • the value set maximum size must be less than or equal to 30
  If the validation type is Table:
  • the ID Column must be defined, it must be Char or Varchar2 type, and its size must
  be less than or equal to 30. The ID column corresponds to the context field value
  code (the internal, non-translated context field value).
  • the Value Column must be defined, it must be Char or Varchar2 type, and its size
  must be less than or equal to 80. The Value column corresponds to the context field
  value name (the displayed context field value).
  • the value set maximum size must be less than or equal to 80
  All context field values (the code values) you intend to use must exist in the value set. If
  you define context field values in the Context Field Values block of the Descriptive
  Flexfield Segments window that do not exist in the context field value set, they will be
  ignored, even if you have defined context-sensitive segments for them.
  Best Regards,
  Usman.

• How do you use a custom login application?

  I have setup a custom Login Application as instructed from the admin guide, but cannot find any instructions on how you then go about using it. Some other posts on here mention customising/linking a page to it based on the user Login.jsp, but they arn't clear on the steps to do this.

  The solution I was using was a single sign on system called CAS, which handled the authentication. The class I used is shown here:
  http://www.ja-sig.org/wiki/display/CAS/CASifying+Sun+Identity+Manager
  The java class is called: CASResourceAdapter.java
  Most of this code is not used. The bit you would be interested in is in the method named:
  public WavesetResult authenticate(HashMap loginInfo) throws WavesetExceptionIf you delete all the code in here and replace it with the code below as most of this is a customised search that the author wrote:
       final String method = "authenticate";
       if (_trace.level1(this,method))
              _trace.entry(WSTrace.LEVEL1, this, method);
          WavesetResult result = new WavesetResult();
          String userId = (String)loginInfo.get(USER);
          if(_trace.level2(this,method))
            _trace.info(_trace.LEVEL2, this, method, USER + " = " + userId);
            _trace.info(_trace.LEVEL2, this, method, "map: " +  loginInfo);
          if (_trace.level2(this,method))
              _trace.info(_trace.LEVEL2, this, method, "Obtained user '" + userId + "' from info: " + String.valueOf(loginInfo));
          result.addResult(Constants.AUTHENTICATED_IDENTITY, userId);
          return result;You could also remove the trace code. The code you would be interested in particular would be:
  WavesetResult result = new WavesetResult();
  String userId = (String)loginInfo.get(USER);
  if(_trace.level2(this,method))
  result.addResult(Constants.AUTHENTICATED_IDENTITY, userId);
  return result;The logininfo is a method used to retrieve whatever userid was used to authenticate. This is what was needed to retreive the userid from CAS. You will need to replace this with custom code to retreive the userid from your webservice.
  Once you are happy with the code, place the compiled class with the correct package levels in idm/web-inf/classes. You may need to create the folder called classes.
  Next login to your idm and goto resources and then configure types. Add a custom resource to point to your new class In my case it was edu.unmerced.idm.adapter.CASResourceAdaptor. Save this and then add this as a resource in your resources screen and except all defaults and give it a custom name of your choice.
  You then need to add this resource to each of your users.
  Next you need to goto configure and then login. In here you need to create a new login module group and point it to your CAS resource. Then change the default login for the users login application to use this new login group. See idm specific documentation on how to do this
  Reboot your idm application server.
  You would now use your alternative webservice system to authenticate and then afterwards get it to forward to your idm and if the code picks up the user from your webservice correctly you should be logged into idm as that user.

• Help - using custom login module with embedded jdev oc4j to access ejb 3

  Hi All (Frank ??),
  I'm just wondering if anyone has successfully been able to leverage a custom login module in combination
  with a client that connects to a local EJB 3 stateless session bean through Jdeveloper 10.1.3.2's embedded oc4j.
  I have spent 2+ days trying to get this to work - and i think I resound now to the fact im going to
  have to deploy to oc4j standalone instead.
  I got close.. but finally was trumped with the following error from the client trying to access the ejb:-
  javax.naming.NoPermissionException: Not allowed to look up XXXXXX, check the namespace-access tag
  setting in orion-application.xml for details.
  Using the various guides available, I had no problem getting the custom login module working
  with a local servlet running from JDev's embedded oc4j.. however with ejb - no such luck.
  I have a roles table (possible values Member, Admin) - that maps to sr_Member and sr_Admin
  respectively in various config files.
  I'm using EJB 3 annotations for protecting methods .. for example
  @RolesAllowed("sr_Member")
  Steps that I had to do so far :-
  In <jdevhome>\jdev\system\oracle.jwee.10.1.3.40.66\embedded-oc4j\config\system-jazn-data.xml1) Add custom login module
      <application>
        <name>current-workspace-app</name>
        <login-modules>
          <login-module>
            <class>kr.security.KnowRushLoginModule</class>
            <control-flag>required</control-flag>
            <options>
              <option>
                <name>dataSource</name>
                <value>jdbc/DB_XE_KNOWRUSHDS</value>
              </option>
              <option>
                <name>user.table</name>
                <value>users</value>
              </option>
              <option>
                <name>user.pk.column</name>
                <value>id</value>
              </option>
              <option>
                <name>user.name.column</name>
                <value>email_address</value>
              </option>
              <option>
                <name>user.password.column</name>
                <value>password</value>
              </option>
              <option>
                <name>role.table</name>
                <value>roles</value>
              </option>
              <option>
                <name>role.to.user.fk.column</name>
                <value>user_id</value>
              </option>
              <option>
                <name>role.name.column</name>
                <value>name</value>
              </option>
            </options>
          </login-module>
        </login-modules>
      </application>2) Grant login rmi permission to roles associated with custom login module (also in system-jazn-data.xml)
    <grant>
      <grantee>
        <principals>
          <principal>
            <realm-name>jazn.com</realm-name>
            <type>role</type>
            <class>kr.security.principals.KRRolePrincipal</class>
            <name>Admin</name>
          </principal>
        </principals>
      </grantee>
      <permissions>
        <permission>
          <class>com.evermind.server.rmi.RMIPermission</class>
          <name>login</name>
        </permission>
      </permissions>
    </grant>
    <grant>
      <grantee>
        <principals>
          <principal>
            <realm-name>jazn.com</realm-name>
            <type>role</type>
            <class>kr.security.principals.KRRolePrincipal</class>
            <name>Member</name>
          </principal>
        </principals>
      </grantee>
      <permissions>
        <permission>
          <class>com.evermind.server.rmi.RMIPermission</class>
          <name>login</name>
        </permission>
      </permissions>
    </grant>3) I've tried creating various oracle and j2ee deployment descriptors (even though ejb-jar.xml and orion-ejb-jar.xml get created automatically when running the session bean in jdev).
  My ejb-jar.xml contains :-
  <?xml version="1.0" encoding="utf-8"?>
  <ejb-jar xmlns ....
    <assembly-descriptor>
      <security-role>
        <role-name>sr_Admin</role-name>
      </security-role>
      <security-role>
        <role-name>sr_Member</role-name>
      </security-role>
    </assembly-descriptor>
  </ejb-jar>Note- i'm not specifying the enterprise-beans stuff, as JDev seems to populate this automatically.
  My orion-ejb-jar.xml contains ...
  <?xml version="1.0" encoding="utf-8"?>
  <orion-ejb-jar ...
    <assembly-descriptor>
      <security-role-mapping name="sr_Admin">
        <group name="Admin"></group>
      </security-role-mapping>
      <security-role-mapping name="sr_Member">
        <group name="Member"></group>
      </security-role-mapping>
      <default-method-access>
        <security-role-mapping name="sr_Member" impliesAll="true">
        </security-role-mapping>
      </default-method-access>
    </assembly-descriptor>My orion-application.xml contains ...
  <?xml version="1.0" encoding="utf-8"?>
  <orion-application xmlns ...
    <security-role-mapping name="sr_Admin">
      <group name="Admin"></group>
    </security-role-mapping>
    <security-role-mapping name="sr_Member">
      <group name="Member"></group>
    </security-role-mapping>
    <jazn provider="XML">
      <property name="role.mapping.dynamic" value="true"></property>
      <property name="custom.loginmodule.provider" value="true"></property>
    </jazn>
    <namespace-access>
      <read-access>
        <namespace-resource root="">
          <security-role-mapping name="sr_Admin">
            <group name="Admin"/>
            <group name="Member"/>
          </security-role-mapping>
        </namespace-resource>
      </read-access>
      <write-access>
        <namespace-resource root="">
          <security-role-mapping name="sr_Admin">
            <group name="Admin"/>
            <group name="Member"/>
          </security-role-mapping>
        </namespace-resource>
      </write-access>
    </namespace-access>
  </orion-application>My essentially auto-generated EJB 3 client does the following :-
        Hashtable env = new Hashtable();
        env.put(Context.SECURITY_PRINCIPAL, "matt.shannon");
        env.put(Context.SECURITY_CREDENTIALS, "welcome1");
        final Context context = new InitialContext(env);
        KRFacade kRFacade = (KRFacade)context.lookup("KRFacade");
  ...And throws the error
  20/04/2007 00:55:37 oracle.j2ee.rmi.RMIMessages
  EXCEPTION_ORIGINATES_FROM_THE_REMOTE_SERVER
  WARNING: Exception returned by remote server: {0}
  javax.naming.NoPermissionException: Not allowed to look
  up KRFacade, check the namespace-access tag setting in
  orion-application.xml for details
       at
  com.evermind.server.rmi.RMIClientConnection.handleLookupRe
  sponse(RMIClientConnection.java:819)
       at
  com.evermind.server.rmi.RMIClientConnection.handleOrmiComm
  andResponse(RMIClientConnection.java:283)
  ....I can see from the console that the user was successfully authenticated :-
  20/04/2007 00:55:37 kr.security.KnowRushLoginModule validate
  WARNING: [KnowRushLoginModule] User matt.shannon authenticated
  And that user is granted both the Admin, and Member roles.
  The test servlet using basic authentication correctly detects the user and roles perfectly...
    public void doGet(HttpServletRequest request,
                      HttpServletResponse response)
      throws ServletException, IOException
      LOGGER.log(Level.INFO,LOGPREFIX +"doGet called");
      response.setContentType(CONTENT_TYPE);
      PrintWriter out = response.getWriter();
      out.println("<html>");
      out.println("<head><title>ExampleServlet</title></head>");
      out.println("<body>");
      out.println("<p>The servlet has received a GET. This is the reply.</p>");
      out.println("<br> getRemoteUser = " + request.getRemoteUser());
      out.println("<br> getUserPrincipal = " + request.getUserPrincipal());
      out.println("<br> isUserInRole('sr_Admin') = "+request.isUserInRole("sr_Admin"));
      out.println("<br> isUserInRole('sr_Memeber') = "+request.isUserInRole("sr_Member"));Anyone got any ideas what could be going wrong?
  cheers
  Matt.
  Message was edited by:
  mshannon

  Thanks for the response. I checked out your blog and tried your suggestions. I'm sure it works well in standalone OC4J, but i was still unable to get it to function correctly from JDeveloper embedded.
  Did you ever get the code working directly from JDeveloper?
  Your custom code essentially seems to be the equivalent of a grant within system-jazn-data.xml.
  For example, the following grant to a custom jaas role (JAAS_ADMIN) that gets added by my custom login module gives them rmi login access :-
       <grant>
            <grantee>
                 <principals>
                      <principal>
                           <realm-name>jazn.com</realm-name>
                           <type>role</type>
                           <class>kr.security.principals.KRRolePrincipal</class>
                           <name>JAAS_Admin</name>
                      </principal>
                 </principals>
            </grantee>
            <permissions>
                 <permission>
                      <class>com.evermind.server.rmi.RMIPermission</class>
                      <name>login</name>
                 </permission>
            </permissions>
       </grant>If I add the following to orion-application.xml
    <!-- Granting login permission to users accessing this EJB. -->
    <namespace-access>
      <read-access>
        <namespace-resource root="">
          <security-role-mapping>
            <group name="JAAS_Admin"></group>
          </security-role-mapping>
        </namespace-resource>
      </read-access>Running a standalone client against the embedded jdev oc4j server gives the namespace-access error.
  I tried out your code by essentially creating a static reference to a singleton class that does the role lookup/provisioning with rmi login grant :-
  From custom login module :-
    private static KRSecurityHelper singleton = new KRSecurityHelper();
    protected Principal[] m_Principals;
      Vector v = new Vector();
        v.add(singleton.getCustomRmiConnectRole());
        // set principals in LoginModule
        m_Principals=(Principal[]) v.toArray(new Principal[v.size()]);
  Singleton class :-
  package kr.security;
  import com.evermind.server.rmi.RMIPermission;
  import java.util.logging.Level;
  import java.util.logging.Logger;
  import oracle.security.jazn.JAZNConfig;
  import oracle.security.jazn.policy.Grantee;
  import oracle.security.jazn.realm.Realm;
  import oracle.security.jazn.realm.RealmManager;
  import oracle.security.jazn.realm.RealmRole;
  import oracle.security.jazn.realm.RoleManager;
  import oracle.security.jazn.policy.JAZNPolicy;
  import oracle.security.jazn.JAZNException;
  public class KRSecurityHelper
    private static final Logger LOGGER = Logger.getLogger("kr.security");
    private static final String LOGPREFIX = "[KRSecurityHelper] ";
    public static String CUSTOM_RMI_CONNECT_ROLE = "remote_connect";
    private RealmRole m_Role = null;
    public KRSecurityHelper()
      LOGGER.log(Level.FINEST,LOGPREFIX +"calling JAZNConfig.getJAZNConfig");
      JAZNConfig jc = JAZNConfig.getJAZNConfig();
      LOGGER.log(Level.FINEST,LOGPREFIX +"calling jc.getRealmManager");
      RealmManager realmMgr = jc.getRealmManager();
      try
        // Get the default realm .. e.g. jazn.com
        LOGGER.log(Level.FINEST,LOGPREFIX +"calling jc.getGetDefaultRealm");
        Realm r = realmMgr.getRealm(jc.getDefaultRealm());
        LOGGER.log(Level.INFO,LOGPREFIX +"default realm: "+r.getName());
        // Access the role manager for the remote connection role
        LOGGER.log(Level.FINEST,
          LOGPREFIX +"calling default_realm.getRoleManager");
        RoleManager roleMgr = r.getRoleManager();
        LOGGER.log(Level.INFO,LOGPREFIX +"looking up custom role '"
          CUSTOM_RMI_CONNECT_ROLE "'");
        RealmRole rmiConnectRole = roleMgr.getRole(CUSTOM_RMI_CONNECT_ROLE);
        if (rmiConnectRole == null)
          LOGGER.log(Level.INFO,LOGPREFIX +"role does not exist, create it...");
          rmiConnectRole = roleMgr.createRole(CUSTOM_RMI_CONNECT_ROLE);
          LOGGER.log(Level.FINEST,LOGPREFIX +"constructing new grantee");
          Grantee gtee = new Grantee(rmiConnectRole);
          LOGGER.log(Level.FINEST,LOGPREFIX +"constructing login rmi permission");
          RMIPermission login = new RMIPermission("login");
          LOGGER.log(Level.FINEST,
            LOGPREFIX +"constructing subject.propagation rmi permission");
          RMIPermission subjectprop = new RMIPermission("subject.propagation");
          // make policy changes
          LOGGER.log(Level.FINEST,LOGPREFIX +"calling jc.getPolicy");
          JAZNPolicy policy = jc.getPolicy();
          if (policy != null)
            LOGGER.log(Level.INFO, LOGPREFIX
              + "add to policy grant for RMI 'login' permission to "
              + CUSTOM_RMI_CONNECT_ROLE);
            policy.grant(gtee, login);
            LOGGER.log(Level.INFO, LOGPREFIX
              + "add to policy grant for RMI 'subject.propagation' permission to "
              + CUSTOM_RMI_CONNECT_ROLE);
            policy.grant(gtee, subjectprop);
            // m_Role = rmiConnectRole;
            m_Role = roleMgr.getRole(CUSTOM_RMI_CONNECT_ROLE);
            LOGGER.log(Level.INFO, LOGPREFIX
              + m_Role.getName() + ":" + m_Role.getFullName() + ":" + m_Role.getFullName());
          else
            LOGGER.log(Level.WARNING,LOGPREFIX +"Cannot find jazn policy!");
        else
          LOGGER.log(Level.INFO,LOGPREFIX +"custom role already exists");
          m_Role = rmiConnectRole;
      catch (JAZNException e)
        LOGGER.log(Level.WARNING,
          LOGPREFIX +"Cannot configure JAZN for remote connections");
    public RealmRole getCustomRmiConnectRole()
      return m_Role;
  }Using the code approach and switching application.xml across so that namespace access is for the group remote_connect, I get the following error from my bean :-
  INFO: Login permission not granted for current-workspace-app (test.user)
  Thus, the login permission that I'm adding through the custom remote_connect role does not seem to work. Even if it did, i'm pretty sure I would still get that namespace error.
  This has been such a frustrating process. All the custom login module samples using embedded JDeveloper show simple j2ee servlet protection based on settings in web.xml.
  There are no samples showing jdeveloper embedded oc4j using ejb with custom login modules.
  Hopefully the oc4j jdev gurus like Frank can write a paper that demonstrates this.
  Matt.

• Jdev 10.1.3.1 "ADF Security": Application without a custom login page?

  Hi,
  We are trying to develop an application using "ADF security", which means we can give permissions to certain roles based on "Binding Container", "Iterator Binding", "Method Action Binding" and "Attribute-level Binding".
  After reading the document -- "Oracle® Containers for J2EE Security Guide 10g (10.1.3.1.0) B28957-01" that Frank pointed out. We have a question:
  Can we develop an ADF application without creating a custom login page? Right now we've followed the security guide and modified the configuration files. But when we run the application, we get the "user null" error message. The reason is clear because we do not have a login page. On the security guide, it says that it is possible to use the oracle default login module. But it does not say how. Does anyone have any idea?
  Thanks,
  Annie

  Brenden,
  Thank you so much for the reply. This is our code in the web.xml:
  <login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>default</realm-name>
  </login-config>
  We are using HTTP basic Authentication. This technique worked for the container-managed security. The browser default login page pops up when the end users try to log into a secured JSP. But here we want to use "ADF security" to set up "Iterator binding" and "Attribute level binding" security. The browser default login page does NOT show up. Instead we get the "user null" error message.
  If you have detailed step on how to select HTTP Basic Authentication, it would be very helpful to us. Or if you know any document has the detail.
  regards,
  Annie

• Custom login module on OC4J 10.1.3.3.0

  Hi,
  I need to implement custom web form-based authentication on OC4J, in order to port an existing JBoss app. I was following Frank's example at http://www.oracle.com/technology/products/jdev/howtos/10g/jaassec/index.htm. Trying to access protected pages will correctly redirect to the j_security_check page, and from there call my custom login module - through LoginContext. The issue is that - even if the LoginModule correctly authenticates user's credentials, the request still doesn't get through, coming back to the authentication page.
  I perform the deployment using Oracle Enterprise Manager, and the relevant files are:
  web.xml:
  <login-config>
  <auth-method>FORM</auth-method>
  <realm-name>testJAAS</realm-name>
  <form-login-config>
  <form-login-page>/jsp/login.jsp</form-login-page>
  <form-error-page>/jsp/login.jsp</form-error-page>
  </form-login-config>
  </login-config>
  <!-- Security constraints -->
  <security-constraint>
       <web-resource-collection>
       <web-resource-name>Test Secure Application</web-resource-name>
       <description>Requires users to authenticate</description>
       <url-pattern>faces/*</url-pattern>
       <http-method>POST</http-method>
       <http-method>GET</http-method>
       <http-method>HEAD</http-method>     
       <http-method>PUT</http-method>     
       </web-resource-collection>     
       <auth-constraint>
       <description>Only allow role1 users</description>
       <role-name>role1</role-name>
       </auth-constraint>     
       <user-data-constraint>
       <description>Encryption is not required for the application in general. </description>
       <transport-guarantee>NONE</transport-guarantee>
       </user-data-constraint>
  </security-constraint>
  <!-- Define the security role(s) -->
  <security-role>
  <description>Example role</description>
  <role-name>role1</role-name>
  </security-role>
  orion-web.xml:
  schema-major-version="10" schema-minor-version="0" >
       <!-- Uncomment this element to control web application class loader behavior.
            <web-app-class-loader search-local-classes-first="true" include-war-manifest-class-path="true" />
       -->
       <resource-ref-mapping name="jdbc/lics" />
       <security-role-mapping name="role1">
            <group name="oc4j-app-administrators" />
       </security-role-mapping>
       <web-app>
       </web-app>
  orion-application.xml:
       <jazn provider="XML" >
            <property name="jaas.username.simple" value="true" />
            <property name="custom.loginmodule.provider" value="true" />
            <property name="role.mapping.dynamic" value="true" />
       </jazn>
  system-jazn-data.xml:
  <jazn-loginconfig>
       <application>
            <name>le5</name>
            <login-modules>
                 <login-module>
                      <class>com.tx.lic.oc4jsx.ext.LicLoginModule</class>
                      <control-flag>required</control-flag>
                      <options>
                           <option>
                                <name>defaultRole</name>
                                <value>role1</value>
                           </option>
                      </options>
                 </login-module>
            </login-modules>
       </application>
  I assume something is wrong with the deployment configuration, b/c when I specifically add users to the defined role1 role, it works fine(see below). But this is not an option, since users should only be specified in the data store of the LoginModule.
  Doing as above, the orion-web.xml is below:
       <resource-ref-mapping name="jdbc/lic" />
       <security-role-mapping name="role1">
            <group name="oc4j-app-administrators" />
            <user name="user1" />
            <user name="user2" />
       </security-role-mapping>
  Any insight would be much appreciated. Thanks.

  Hi,
  role to group mapping doesn't seem to work for custom LoginModules. This means hat your web applcation (web.xml) should use th same role names as used on the database authentication. So remove
  <security-role-mapping name="role1">
  <group name="oc4j-app-administrators" />
  </security-role-mapping>
  from orion-web.xml and it should start wrking
  Frank

• How to get the Trusted Identity Login Page with the needed parameters to make custom login screen instead of sharepoint Login Page?

  hi guys
  i have configured trusted identity provider for my public facing internet portal, but i dont want to use the login screen
  since i have about 10 site collection which will use this authentication.
  is there a class or property that gives me the url ready with the parameters like "wa" and "wtrealm" and the redirect url based on the place the user click the link from.

  You can create your own login page and specify the URL for it in the authentication provider settings of a Web Application or Zone.  So the easiest way to do what you want would be to extend your existing Web Application to a new Zone, change the login
  Page url to point to use your custom zone, and tell users to use the url of that zone to login with the custom provider you have built.
  If you want a single zone then you will need to modify a copy of the login page you display above and have it redirect to a custom login page for your identity provider if the pick the correct entry in the dropdown.
  Paul Stork SharePoint Server MVP
  Principal Architect: Blue Chip Consulting Group
  Blog: http://dontpapanic.com/blog
  Twitter: Follow @pstork
  Please remember to mark your question as "answered" if this solves your problem.

• How to call custom Login Module from JSP

  Hi,
  I am stuck with the following issue:
  1) Exactly as presented in help.sap.com (http://help.sap.com/saphelp_nw04/helpdata/en/3f/1be040e136742ae10000000a155106/content.htm) I created custom login module and deployed it as a library on J2EE server. When I configured it to be used for my applications in the Security provider but I am getting "No user name provided" exception everytime when my applications use this custom login module.
  2) I realized that I would need to call my custom module somewhere within my application (simple JSP) using LoginContext class and then use MyLoginContext.login() spec to initiate login process. But I am not able to pass CallbackHandler parameters from JSP application to my custom login module.
  So I have the following questions:
  1. Can I pass parameters using LoginContext and CallbackHandler from JSP to my custom login module (created as exact copy of HELP.SAP.COM example) or this module cannot be used this way.
  2. How to pass CallbackHandler correctly to my custom login module from JSP. When I am trying to use CallbackHandler, I am getting "Abstract Class cannot be called" error.
  I'd appreciate any little help on this matter.
  Thanks and regards,
  Mike

  You have two alternatives to do this:
  You can declare your JSP as a protected resource with the use of the deployment descriptors of the application (web.xml) and add the custom login module in the authentication stack of the application. This way, you will use container-based authentication, i.e. the Web Container will enforce the authentication and it will call the custom login module before it dispatches to the JSP. I recommend you this approach because it requires less coding and it makes the whole thing a matter of configuration. The configuration can be later on enhanced or changed runtime without the need to re-build and re-deploy the application. If you choose this approach you can go to the documentation of the server for help on how to modify the login module stack of the application.
  You can also use programmatic authentication by using JAAS API. To do this you need to create a custom security policy configuration with login module stack containing the custom login module, and then use the standard JAAS mechanism - new LoginContext(<configuration>, <callback-handler>).login(). This approach requires that you write your own callback handler and handle any LoginException.
  Let us know which approach you prefer and whether you have difficulties implementing it!

• J2EE 6.40 Custom Login Module - how to config

  hello all,
  i am using WAS J2EE 6.40 Sneak Preview edition. Read all i can find about custom login module, in the forum and the online help. still confused. pls help.
  here is the background info:
  - i am writing a web app. the EAR file contains 5 ejbs, 1 war and bunch of java classes in jars.
  - access to my web app is protected through url pattern (in web.xml), i've defined the same named security role in web.xml and on j2ee engine.
  - my login module does the user name and password checking. both are stored in database through some other means.
  - login is FORM based
  following the discussion in another thread on the topic, i did the following:
  #1 develop my login module code. packaged it in a jar, then sda file. deploy the sda as a llibrary to the engine.
  #2 add my login module to the security store through the security provider service.
  #3 configure my web app to use the custom login module in web-j2ee-engine.xml
  #4 deploy my web app through the ear file
  at this point, in the visual administrator, i can see the library, the custom login module (added to the UME User Store), and also my web app has authentication set to use the custom login module (under policy configurations tab).
  now i try to login to my web app. it correctly complains when i enter non-existent user or wrong password and brings me to the login failed jsp page. but when i enter both correctly (as stored in my database), i get http 403 error code. i know it is 403 because i set that error code to a special jsp page in web.xml.
  question is why? now i create a user on the j2ee engine with the same name as in my user database. then i can login ok. i am confident that my login module is called since i see the println lines in j2ee engine server logs.
  ??? so i must be missing something obvious. is it because my web app is protected through security-role? i even tried removing all such roles, but still same problem.
  ??? or do i completely mis-understand how custom login modules are supposed to work. i thought it means i can authenticate users any way i want without having to use the j2ee engine's user mgmt. pls tell me if i am totally wrong.
  ??? or maybe my login module code is missing some key stmts. how should it tell the j2ee engine that a user is authenticated? in the login() method, it returns true if user name/passwd match. in the commit() method, it adds the principal to the subject. i don't what else is required.
  does anyone have a working scenario using custom login modules?
  thanks very much for your inputs and thoughts.
  wentao

  Hi Astrid,
  I guess I have the same understanding of JAAS as you. I want to deploy an application that internally makes use of JAAS to authenticate users. There is a LoginModule that authenticates users against some database tables containing all the user data and profile. The application was not designed to be deployed to NetWeaver. So it does not make use of UME or some other NetWeaver specific feature. Actually it handles user management and authoroization issues completely on its own. The only reason for having JAAS is to allow customers to plug in their own LoginModule to use some other kind of user store.
  When deploying the web application to a simple servlet engine like Tomcat, all I have to do is to register my LoginModule in the "jaas.conf" file that is parsed by JAAS default implementation. I also tell the JVM where my jaas.conf file is located by appending a "-Djava..." runtime parameter to the JVM startup script.
  When using other application servers like IBM WebSphere things become a bit different. Normally you use the administration GUI of that server to configure your LoginModules. WebSphere for example keeps the login configuration in an internal database rather than writing everything into a "jaas.conf" text file. But the way the application can use the LoginModule is the same as in Tomcat.
  But when it comes to Netweaver, it seems to me that it's not possible to define a LoginModule that your application can use WITHOUT having to couple it tightly to UME. Or did I get something wrong? Initially I've tried to modify the JVM's parameters (using SAP J2EE Config Tool) to include the location of my "jaas.conf" file containing the my login configuration. But that did not work. The parameter was really passed to the JVM but anyway my LoginModule was not found, I guess that NetWeaver has some own implementation of the JAAS interfaces that just ignore the plain text JAAS configuration files (like WebSphere also does).
  The documentation that I have downloaded from SDN doesn't seem to match the 6.4 sneak preview version that I just downloaded some days ago. They say you should deploy your LoginModule as a library and add a refernce to the application. I tried that out but it did not help. The login configuration that the application wants to access is still not found. Actually there seems to be no way to specify the name for a JAAS Login Configuration in NetWeaver. At least I cound not find that in the documentation.
  So basically my question is: is it possible to deploy an application that wants to use some own LoginModule (either deployed separately or together with the application, that does not matter) without making use of Netweaver specific features like UME? The application has its own user management infrastructure and just needs a way to setup a JAAS Login Configuration to access its own LoginModule.
  Thanks in advance
  Henning

• Problem with role mapping in custom login module

  Hi all,
  I have developed custom login modules. They don't use the default user store but own data tables holding the necessary user information.
  Login works fine. But there is one big problem: Only those users that exist with the same user-id in the default user store get roles assigned to it. Whicht leads to 403-errors in my web application.
  Now, this is weired because a user with id 'Susi' has completely different passwords in my custom tables and in the user store, therefore it shouldn't be possible to authenticate 'Susi' against the default user management.
  Next thing is, I don't use the default login modules at all. So why does the application validates against the user store?
  I thought a source of the  problem might be that I don't set the roles correctly. I set the roles as a principal to the subject. I have chosen the role based mapping  in the web-engine.xml and mapped all my custom roles to the server role 'guests'.
  Could anybody think of a solution to this problem ?
  Thanks,  Astrid

  Astrid,
  Sorry to go off-topic on your post...but I have a question in relation to how you deploy your login module. Do you deploy the login module with your application ? I've developed a login module that I would like to deploy by itself, I currently deploy it with the calculator example and it works fine like this, but I need to deploy it by itself. Any tips you can give would be greatly appreciated.
  I've tried to use the deploytool and deploy the module as a library...but I get a "cannot  load a login module" in the logs when authenticating a user.

• Custom login module and SSO using 10.1.3.3

  We are using ADF 10.1.3.3 to build applications and recently a requirement from a customer was to use LDAP for authentication but use internal application tables for authorisation. So essentially the username and password will be in LDAP but all the roles definition are in the application. This is because the LDAP directory has tight controls on contents and is used enterprise wide.
  I created a proof of concept to address this requirement using the examples at
  http://www.oracle.com/technology/products/jdev/howtos/10g/jaassec/index.htm
  and also
  http://technology.amis.nl/blog/1462/create-a-webapplication-secured-with-custom-jaas-database-loginmodule-deploy-on-jdeveloper-1013-embedded-oc4j-stand-alone-oc4j-and-opmn-managed-oc4j-10g-as
  specifically using DBProcLoginModule to call a database package.
  The PL/SQL package I created used DBMS_LDAP to call an LDAP directory with the username and password to check authentication and then used internal application tables to get the authorisation details required.
  All this worked very well. I tested on both the embedded OC4J and also standalone OC4J.
  Then one of my peers said will this work with SSO? Specifically we use Oracle OID as we have SSO for Forms and Reports.
  My experience with SSO has been with Oracle OID and having all the user and role details stored within OID.
  So my issue now is can I integrate the custom login module approach I have used with SSO? My knowledge of SSO and OID is limited so I'm not sure how (or if) it would interact with a custom login module. Are the two mutually exclusive?
  Any guidance is appreciated.
  Regards,
  Adrian

  Hi,
  this question should be posted to the Oracle Application Server forum or the security forum. However, based on my findings and experience in this area, I don't think that SSO is integrated with custom LoginModules since the integration would need to be coded in the LoginModule.
  Frank