Custom Login in 7.1

Similar Messages

• Did any body try to change 10g SSO  login page to custom login page?

  Hi..
  Did any body try to change Oracle 10g SSO login page with custom login Page as we used to do in 902 and 1022 versions by changing wwsso_ls_configuration_info_t table entries?
  It seems that there is now other file policy.properties that has entry for login page.
  Is there any documentation provided by Oracle on this?
  I checked metalink and SSO admin guide?
  Any clue or glue....??
  Thanks
  Sarvesh

  Try 1 & 2 if does not work please file a daycare for further assistance.
  1.   In "Day CQ Login Selector Authentication Handler" for path info add an empty row then verify.
  2.   Delete the existing entry for "Day CQ Login Selector Authentication Handler" , Configure your custom at repository level & verify

• SSO b/w portal and webdynpro application customized login??

  Hi,
  I  have one webdynpro application which has a login screen (Created as Webdynpro view). If user enters user/passord, the same gets checked from a custom table in the db (Method for checking user credtentials has been written in view controller). if user credentials are correct it performs some actions defined in webdynpro application.
  I want to configure SSO b/w portal and this webdynpro application sothat when user logon to the portal and open this webdypro application, Login page of webdynpro application should not be shown i.e user credentials should be passed from portal and corresponding authentication method in webdynpro should be called to authenticate the user.
  How to do the same without touching webdypro application ?
  Can we call a method of webdynpro application from portal?
  Regards
  Deepak

  1) To enable ticket authentication for the web dynpro iviews, you must maintain the definition of the system running the Web Dynpro application and set logon method to "SAPLOG"
  2)Since you have customized login screen, you need to bypass this screen manually when you login from portal.
  Add parameter to the application while defining the iview.Give some constant value.
  Check value of this parameter in webdynpro and fire to next view.

• 10g904 - custom login pages & development method of applics for SSO

  i am getting baffled with these custom login pages and their connection with the SSO.
  I have now read extensive documentation from the following:
  Oracle® AS SSO Admin Guide for release 10g (9.0.4) (B10378-01)
  Oracle® AS SSO App Developers Guide for release 10g (9.0.4) (B10852-01)
  Oracle® AS SSO Admin Guide 10g (9.0.4) (B13791-01)
  Oracle® AS App Developers Guide for release 10g (9.0.4) (B10378-01)
  Oracle® SSO Developers Guide for version 306
  what baffles me is how custom login pages are to be defined for the 10g versions of AS.
  in 10g (904) version, applications for SSO can be protected using mod_osso, and may be developed using mod_osso or using SSO-SDK which is deprecated from this version.
  1. this means that if we do not have to use SSO-SDK (which is deprecated in 904 version) and where we need to protect applications using the mod_osso, then why do we need to use the custom pages.
  2. how do the custom-defined deployment specific login pages or change-password pages work?
  3. what is the role of SSO for partner applications if we do not configure it specifically.
  any helpful hints or links would be highly appreciated.
  thanks

  i am getting baffled with these custom login pages and their connection with the SSO.
  I have now read extensive documentation from the following:
  Oracle® AS SSO Admin Guide for release 10g (9.0.4) (B10378-01)
  Oracle® AS SSO App Developers Guide for release 10g (9.0.4) (B10852-01)
  Oracle® AS SSO Admin Guide 10g (9.0.4) (B13791-01)
  Oracle® AS App Developers Guide for release 10g (9.0.4) (B10378-01)
  Oracle® SSO Developers Guide for version 306
  what baffles me is how custom login pages are to be defined for the 10g versions of AS.
  in 10g (904) version, applications for SSO can be protected using mod_osso, and may be developed using mod_osso or using SSO-SDK which is deprecated from this version.
  1. this means that if we do not have to use SSO-SDK (which is deprecated in 904 version) and where we need to protect applications using the mod_osso, then why do we need to use the custom pages.
  2. how do the custom-defined deployment specific login pages or change-password pages work?
  3. what is the role of SSO for partner applications if we do not configure it specifically.
  any helpful hints or links would be highly appreciated.
  thanks

• SharePoint Foundation 2013 - FBA Custom Login Page

  Hi,
       i am trying to enable FBA in SharePoint Foundation 2013 and it works fine for default login page
       but when i try to create custom login page ( which is already working without any problems in SharePoint 2010 )  i receive an error when i try to authenticate user using the following code :
           SPClaimsUtility.AuthenticateFormsUser(Context.Request.UrlReferrer, txtUserName.Text, txtPassword.Text);
       i checked the Log file and found the following entries :
          - Application error when access /_layouts/CM Custom Login Page/Login.aspx, Error=Exception of type 'System.ArgumentException' was thrown.  Parameter name: httpApplication   at Microsoft.SharePoint.IdentityModel.SPClaimsUtility.AuthenticateFormsUser(Uri
  context, String userName, String password)     at CM_Custom_Login_Page.Layouts.CmCustomLoginPage.Login.btnLogin_Click(Object sender, EventArgs e)     at System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument)    
  at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)  
          -  System.ArgumentException: Exception of type 'System.ArgumentException' was thrown.  Parameter name: httpApplication    at Microsoft.SharePoint.IdentityModel.SPClaimsUtility.AuthenticateFormsUser(Uri
  context, String userName, String password)     at CM_Custom_Login_Page.Layouts.CmCustomLoginPage.Login.btnLogin_Click(Object sender, EventArgs e)     at System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument)    
  at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
        -  Getting Error Message for Exception System.Web.HttpUnhandledException (0x80004005): Exception of type 'System.Web.HttpUnhandledException' was thrown. ---> System.ArgumentException: Exception of type 'System.ArgumentException'
  was thrown.  Parameter name: httpApplication     at Microsoft.SharePoint.IdentityModel.SPClaimsUtility.AuthenticateFormsUser(Uri context, String userName, String password)     at CM_Custom_Login_Page.Layouts.CmCustomLoginPage.Login.btnLogin_Click(Object
  sender, EventArgs e)     at System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument)     at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)    
  at System.Web.UI.Page.HandleError(Exception e)     at System.Web.UI.Page.ProcessRequestMain(...
        -  ...Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)     at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)    
  at System.Web.UI.Page.ProcessRequest()     at System.Web.UI.Page.ProcessRequest(HttpContext context)     at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()    
  at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

  check first whether you are getting context or not, to me it looks like issue with Contrext.Request.UrlReferrer
  try with this code
  Uri url = new Uri(SPContext.Current.Web.Url);SPClaimsUtility.AuthenticateFormsUser(url, txtUserName.Text, txtPassword.Text);

• SOAP Web Service +  Custom Login Module issue

  Hi Guys,
  We faced an authentication issue in our project. Could you please give any advice how the issue could be resolved.
  Environment: A simple SOAP Web Service on top of POJO class created in a Web Application. The web application deployed to the SAP NetWeaver 7.10 Application Server in the Enterprise Application Archive.
  Configuration:
        Single Service Administration Application(NetWeaver Administration -> SOA Management -> Application and Scenario Communication -> Single Service Administration)
         The web service endpoint has authentication configured to use User ID/Password HTTP Authentication.
      Authentication Application(NetWeaver Administration-> Configuration Management->Security->Authentication)
        The application(<vendorName>/<earName>*<vendor>~<webAppName>) has Authentication Stack configured to use our custom login module.
  Issue:  BasicPasswordLoginModule used by the J2EE when we are trying to execute the web service using Web Service Navigator(checked in debug mode). It seems that we missed something in configuration.
  Idea: The main Idea is to use our custom login module when we are executing a web service.
  Could you help me to resolve the issue.
  Thanks,
  Dmitry
  Edited by: Dmitry Eidin on Jul 17, 2009 3:46 PM

  > The web service endpoint has authentication configured to use User ID/Password HTTP Authentication.
  That's the point.

• Custom Login using the Pluggable Identity Management Framework

  Hi all,
  We are trying to establish 2 ways into our application:
  1. via a login form
  2. seamless login from an external application
  To achieve this we are trying to build our own custom authentication using the pluggable IDM framework.
  Basically if a secure page is requested, we want to check the header/cookie/request (don't mind which) for a key which is provided by the external application. If present, the key is validated against a web service provided by the external app, the identity is asserted and the user is entered seamlessly into the application. If the header/cookie/request does not contain a key the user is to be redirected to a login page, where they can input username and password which will be validated against our database.
  We've created a Token Collector and Token Asserter class, we've modified our custom Login Module to retrieve the identity created by the Token Asserter but we haven't worked out how to get the alternate login page working for users which don't come through the external application.
  Has anybody built anything similar? From the documentation it appears we should be able to achieve our goal using the pluggable IDM, but we're going around in circles a bit at the moment.
  Any help/sample code would be greatly appreciated.
  thanks.

  Can you tell why the page is not working? I mean, any errors ? What happens when you try to open the protected resource?
  Here is an example of the code, I removed some part of the code specific to the bussines so if you have doubts just let me know
  token collector
  import java.io.IOException;
  import java.io.UnsupportedEncodingException;
  import java.net.URLEncoder;
  import java.util.Hashtable;
  import java.util.List;
  import java.util.Map;
  import java.util.Properties;
  import javax.servlet.http.Cookie;
  import javax.servlet.http.HttpServletRequest;
  import javax.servlet.http.HttpServletResponse;
  import oracle.security.jazn.collector.CollectorException;
  import oracle.security.jazn.collector.TokenCollector;
  import oracle.security.jazn.sso.SSOTokenFormatException;
  import oracle.security.jazn.token.IdentityToken;
  import oracle.security.jazn.token.TokenNotFoundException;
  public class MyTokenCollector implements TokenCollector
  private Properties _properties;
  public void fail(HttpServletRequest request,
  HttpServletResponse response, int reason)
  throws CollectorException
  String loginURL = _properties.getProperty("custom.sso.url.login");
  String urlParam = _properties.getProperty("custom.sso.url.param");
  String idParam = _properties.getProperty("custom.sso.id.param");               
  Log.Info("Token collection failed (" + reason + ")");
  StringBuffer requestURL = request.getRequestURL();
  String queryString = request.getQueryString();
  requestURL = requestURL.append("?").append(queryString);
  StringBuffer sb = new StringBuffer();
  try
  sb = sb.append(urlParam).append("=");
  String encodedStr =
  URLEncoder.encode(requestURL.toString(), "UTF-8");
  sb = sb.append(encodedStr);
  sb = sb.append("#").append(request.getServerName()).append("#").append(request.getServerPort());
  String redirectQueryString = sb.toString();
  String rurl = loginURL + "?" + redirectQueryString;
  response.sendRedirect(response.encodeRedirectURL(rurl));
  catch (UnsupportedEncodingException uee)
  SSOTokenFormatException stfe =
  new SSOTokenFormatException(uee, 4);
  Log.Error(stfe.getMessage());
  throw new CollectorException(stfe);
  catch (IOException ioe)
  Log.Error("IOException occured: " + ioe);
  throw new CollectorException(ioe);
  public IdentityToken getToken(String tokenType,
  HttpServletRequest request,
  List tokenNames, Properties properties)
  throws TokenNotFoundException, CollectorException
  _properties = properties;
  String valor = null;
  Log.Info("URL: "+request.getRequestURI());
  if ( tokenType. equalsIgnoreCase("HTTP_COOKIE"))
  valor = procesarCookie(request, tokenNames);
  }else if (tokenType.equalsIgnoreCase("HTTP_HEADER"))
  valor = procesarHeader(request, tokenNames);
  }else
  throw new CollectorException("token type not supported");
  MyIdentityToken token = new MyIdentityToken(valor);
  token.setTokenType(tokenType);
  token.setPropiedades(properties);
  return token;
  private String procesarCookie(HttpServletRequest request, List tokenNames)
  throws TokenNotFoundException
  if (1 != tokenNames.size())
  //Only one cookie can be handled
  String error = "Invalid number of cookies check jazn.xml";
  throw new TokenNotFoundException(error);
  Map cookies = new Hashtable();
  Cookie allCookies[] = request.getCookies();
  if (allCookies != null)
  String cookieName = (String) tokenNames.get(0);
  Log.Info( "Searching for cookie: " + cookieName);
  Cookie cookie;
  for(int i = 0; i < allCookies.length; i++)
  cookie = allCookies;
  if (cookie.getName().equals(cookieName))
  return cookie.getValue();
  String error = "Rquired cookie not found";
  Log.Error(error);
  throw new TokenNotFoundException(error);
  }else
  String error = "No cookie on request";
  throw new TokenNotFoundException(error);
  private String procesarHeader(HttpServletRequest request, List tokenNames)
  throws TokenNotFoundException
  String nombreHeader = (String) tokenNames.get(0);
  String header = request.getHeader(nombreHeader);
  if (header != null)
  return header;
  }else
  String error = "Request doesn't have the requierd header";
  throw new TokenNotFoundException(error);
  Token Asserter Example
  import java.util.Properties;
  import javax.security.auth.Subject;
  import oracle.security.jazn.asserter.AsserterException;
  import oracle.security.jazn.asserter.TokenAsserter;
  import oracle.security.jazn.callback.IdentityCallbackHandler;
  import oracle.security.jazn.callback.IdentityCallbackHandlerImpl;
  import oracle.security.jazn.token.IdentityToken;
  public class MyTokenAsserter
  implements TokenAsserter
  public void finalize()
  throws Throwable
  public IdentityCallbackHandler assertIdentity(String tokenType,
  IdentityToken token,
  Properties properties)
  throws AsserterException
  InversuraIdentityToken idToken = (InversuraIdentityToken) token;
  String valorToken = idToken.getValorToken();
  InversuraToken invToken;
  try {
  invToken = new InversuraToken(valorToken);
  if (verificarVigencia(invToken))
  IdentityCallbackHandlerImpl idcb = new IdentityCallbackHandlerImpl(invToken.getLogin());
  idcb.setAuthenticationType("InversuraSSO");
  idcb.setIdentityAsserted(true);
  MyPrincipal ppal = new MyPrincipal(invToken.getLogin());
  Subject subj = new Subject();
  subj.getPrincipals().add(ppal);
  idcb.setSubject(subj);
  return idcb;
  throw new AsserterException("Token expired");
  }catch (Exception e)
  String error = e.getMessage();
  throw new AsserterException(error, e);
  public boolean verificarVigencia(InversuraToken token)
  return token.estaVigente();

• How do you use a custom login application?

  I have setup a custom Login Application as instructed from the admin guide, but cannot find any instructions on how you then go about using it. Some other posts on here mention customising/linking a page to it based on the user Login.jsp, but they arn't clear on the steps to do this.

  The solution I was using was a single sign on system called CAS, which handled the authentication. The class I used is shown here:
  http://www.ja-sig.org/wiki/display/CAS/CASifying+Sun+Identity+Manager
  The java class is called: CASResourceAdapter.java
  Most of this code is not used. The bit you would be interested in is in the method named:
  public WavesetResult authenticate(HashMap loginInfo) throws WavesetExceptionIf you delete all the code in here and replace it with the code below as most of this is a customised search that the author wrote:
       final String method = "authenticate";
       if (_trace.level1(this,method))
              _trace.entry(WSTrace.LEVEL1, this, method);
          WavesetResult result = new WavesetResult();
          String userId = (String)loginInfo.get(USER);
          if(_trace.level2(this,method))
            _trace.info(_trace.LEVEL2, this, method, USER + " = " + userId);
            _trace.info(_trace.LEVEL2, this, method, "map: " +  loginInfo);
          if (_trace.level2(this,method))
              _trace.info(_trace.LEVEL2, this, method, "Obtained user '" + userId + "' from info: " + String.valueOf(loginInfo));
          result.addResult(Constants.AUTHENTICATED_IDENTITY, userId);
          return result;You could also remove the trace code. The code you would be interested in particular would be:
  WavesetResult result = new WavesetResult();
  String userId = (String)loginInfo.get(USER);
  if(_trace.level2(this,method))
  result.addResult(Constants.AUTHENTICATED_IDENTITY, userId);
  return result;The logininfo is a method used to retrieve whatever userid was used to authenticate. This is what was needed to retreive the userid from CAS. You will need to replace this with custom code to retreive the userid from your webservice.
  Once you are happy with the code, place the compiled class with the correct package levels in idm/web-inf/classes. You may need to create the folder called classes.
  Next login to your idm and goto resources and then configure types. Add a custom resource to point to your new class In my case it was edu.unmerced.idm.adapter.CASResourceAdaptor. Save this and then add this as a resource in your resources screen and except all defaults and give it a custom name of your choice.
  You then need to add this resource to each of your users.
  Next you need to goto configure and then login. In here you need to create a new login module group and point it to your CAS resource. Then change the default login for the users login application to use this new login group. See idm specific documentation on how to do this
  Reboot your idm application server.
  You would now use your alternative webservice system to authenticate and then afterwards get it to forward to your idm and if the code picks up the user from your webservice correctly you should be logged into idm as that user.

• Multiple custom login pages

  I have two WebApps. In central admin i set one different custom login page for each.
  now the problem: the second WebApp redirects to the login page of the first one.
  Known problem?

  Hi,
  According to your post, my understanding is that you wanted to set different login pages for different web applications.
  Please check whether you choose the zone that you want to configure and enter the Sign In Page URL correctly.
  Best Regards,
  Linda Li
  Linda Li
  TechNet Community Support

• How can i use my custom login page in a custom partner application ?

  Dear All,
  I'm trying to customize a login page displayed other than the default sso login page
  by submiting my form to the regular pl/sql procedure : "PORTAL.wwptl_login.login_url"
  but i tried to type the requested partner application url in the browser i got the sso
  login page other than my custom login page. So, How can i use my custom login page in a custom partner application ?
  Regards,
  Mohammed Amin
  [email protected]

  I cannot begin to express my level of frustration. I have been trying to use the composition widget light box display for some time now. I drag the widget to my document. The default widget has three small trigger boxes and a large area made up of a forward and backward button, a background, a text box and a frame for your image.
  My steps have been …
  I click on the little trigger box.
  I click on the frame that holds the main image.
  I go to the fill menu and browse my computer for my image and then click OK.
  IT shows up on my screen. Yay
  I attempt to continue using the next two trigger boxes provided in the widget.
  After that, I add more by clicking on the little plus sign.
  This is where all heck breaks loose.
  Every single time I attempt to add thumbnails, something messes up. When I go to preview, either not all of my main images show up, or it starts with the wrong one, or some are missing. I have looked and looked for help on this and the only thing I can find is how easy it is to create a great portfolio lightbox display.  But as we know, that only works when your thumbnails are the same image as the images in your lightbox. If you want something different, you have to use the composition wizard. I am finding it extremely difficult and confusing to customize.
  Is there an exact sequence you need to use to add images to the slideshow? I am my wits end.

• Help - using custom login module with embedded jdev oc4j to access ejb 3

  Hi All (Frank ??),
  I'm just wondering if anyone has successfully been able to leverage a custom login module in combination
  with a client that connects to a local EJB 3 stateless session bean through Jdeveloper 10.1.3.2's embedded oc4j.
  I have spent 2+ days trying to get this to work - and i think I resound now to the fact im going to
  have to deploy to oc4j standalone instead.
  I got close.. but finally was trumped with the following error from the client trying to access the ejb:-
  javax.naming.NoPermissionException: Not allowed to look up XXXXXX, check the namespace-access tag
  setting in orion-application.xml for details.
  Using the various guides available, I had no problem getting the custom login module working
  with a local servlet running from JDev's embedded oc4j.. however with ejb - no such luck.
  I have a roles table (possible values Member, Admin) - that maps to sr_Member and sr_Admin
  respectively in various config files.
  I'm using EJB 3 annotations for protecting methods .. for example
  @RolesAllowed("sr_Member")
  Steps that I had to do so far :-
  In <jdevhome>\jdev\system\oracle.jwee.10.1.3.40.66\embedded-oc4j\config\system-jazn-data.xml1) Add custom login module
      <application>
        <name>current-workspace-app</name>
        <login-modules>
          <login-module>
            <class>kr.security.KnowRushLoginModule</class>
            <control-flag>required</control-flag>
            <options>
              <option>
                <name>dataSource</name>
                <value>jdbc/DB_XE_KNOWRUSHDS</value>
              </option>
              <option>
                <name>user.table</name>
                <value>users</value>
              </option>
              <option>
                <name>user.pk.column</name>
                <value>id</value>
              </option>
              <option>
                <name>user.name.column</name>
                <value>email_address</value>
              </option>
              <option>
                <name>user.password.column</name>
                <value>password</value>
              </option>
              <option>
                <name>role.table</name>
                <value>roles</value>
              </option>
              <option>
                <name>role.to.user.fk.column</name>
                <value>user_id</value>
              </option>
              <option>
                <name>role.name.column</name>
                <value>name</value>
              </option>
            </options>
          </login-module>
        </login-modules>
      </application>2) Grant login rmi permission to roles associated with custom login module (also in system-jazn-data.xml)
    <grant>
      <grantee>
        <principals>
          <principal>
            <realm-name>jazn.com</realm-name>
            <type>role</type>
            <class>kr.security.principals.KRRolePrincipal</class>
            <name>Admin</name>
          </principal>
        </principals>
      </grantee>
      <permissions>
        <permission>
          <class>com.evermind.server.rmi.RMIPermission</class>
          <name>login</name>
        </permission>
      </permissions>
    </grant>
    <grant>
      <grantee>
        <principals>
          <principal>
            <realm-name>jazn.com</realm-name>
            <type>role</type>
            <class>kr.security.principals.KRRolePrincipal</class>
            <name>Member</name>
          </principal>
        </principals>
      </grantee>
      <permissions>
        <permission>
          <class>com.evermind.server.rmi.RMIPermission</class>
          <name>login</name>
        </permission>
      </permissions>
    </grant>3) I've tried creating various oracle and j2ee deployment descriptors (even though ejb-jar.xml and orion-ejb-jar.xml get created automatically when running the session bean in jdev).
  My ejb-jar.xml contains :-
  <?xml version="1.0" encoding="utf-8"?>
  <ejb-jar xmlns ....
    <assembly-descriptor>
      <security-role>
        <role-name>sr_Admin</role-name>
      </security-role>
      <security-role>
        <role-name>sr_Member</role-name>
      </security-role>
    </assembly-descriptor>
  </ejb-jar>Note- i'm not specifying the enterprise-beans stuff, as JDev seems to populate this automatically.
  My orion-ejb-jar.xml contains ...
  <?xml version="1.0" encoding="utf-8"?>
  <orion-ejb-jar ...
    <assembly-descriptor>
      <security-role-mapping name="sr_Admin">
        <group name="Admin"></group>
      </security-role-mapping>
      <security-role-mapping name="sr_Member">
        <group name="Member"></group>
      </security-role-mapping>
      <default-method-access>
        <security-role-mapping name="sr_Member" impliesAll="true">
        </security-role-mapping>
      </default-method-access>
    </assembly-descriptor>My orion-application.xml contains ...
  <?xml version="1.0" encoding="utf-8"?>
  <orion-application xmlns ...
    <security-role-mapping name="sr_Admin">
      <group name="Admin"></group>
    </security-role-mapping>
    <security-role-mapping name="sr_Member">
      <group name="Member"></group>
    </security-role-mapping>
    <jazn provider="XML">
      <property name="role.mapping.dynamic" value="true"></property>
      <property name="custom.loginmodule.provider" value="true"></property>
    </jazn>
    <namespace-access>
      <read-access>
        <namespace-resource root="">
          <security-role-mapping name="sr_Admin">
            <group name="Admin"/>
            <group name="Member"/>
          </security-role-mapping>
        </namespace-resource>
      </read-access>
      <write-access>
        <namespace-resource root="">
          <security-role-mapping name="sr_Admin">
            <group name="Admin"/>
            <group name="Member"/>
          </security-role-mapping>
        </namespace-resource>
      </write-access>
    </namespace-access>
  </orion-application>My essentially auto-generated EJB 3 client does the following :-
        Hashtable env = new Hashtable();
        env.put(Context.SECURITY_PRINCIPAL, "matt.shannon");
        env.put(Context.SECURITY_CREDENTIALS, "welcome1");
        final Context context = new InitialContext(env);
        KRFacade kRFacade = (KRFacade)context.lookup("KRFacade");
  ...And throws the error
  20/04/2007 00:55:37 oracle.j2ee.rmi.RMIMessages
  EXCEPTION_ORIGINATES_FROM_THE_REMOTE_SERVER
  WARNING: Exception returned by remote server: {0}
  javax.naming.NoPermissionException: Not allowed to look
  up KRFacade, check the namespace-access tag setting in
  orion-application.xml for details
       at
  com.evermind.server.rmi.RMIClientConnection.handleLookupRe
  sponse(RMIClientConnection.java:819)
       at
  com.evermind.server.rmi.RMIClientConnection.handleOrmiComm
  andResponse(RMIClientConnection.java:283)
  ....I can see from the console that the user was successfully authenticated :-
  20/04/2007 00:55:37 kr.security.KnowRushLoginModule validate
  WARNING: [KnowRushLoginModule] User matt.shannon authenticated
  And that user is granted both the Admin, and Member roles.
  The test servlet using basic authentication correctly detects the user and roles perfectly...
    public void doGet(HttpServletRequest request,
                      HttpServletResponse response)
      throws ServletException, IOException
      LOGGER.log(Level.INFO,LOGPREFIX +"doGet called");
      response.setContentType(CONTENT_TYPE);
      PrintWriter out = response.getWriter();
      out.println("<html>");
      out.println("<head><title>ExampleServlet</title></head>");
      out.println("<body>");
      out.println("<p>The servlet has received a GET. This is the reply.</p>");
      out.println("<br> getRemoteUser = " + request.getRemoteUser());
      out.println("<br> getUserPrincipal = " + request.getUserPrincipal());
      out.println("<br> isUserInRole('sr_Admin') = "+request.isUserInRole("sr_Admin"));
      out.println("<br> isUserInRole('sr_Memeber') = "+request.isUserInRole("sr_Member"));Anyone got any ideas what could be going wrong?
  cheers
  Matt.
  Message was edited by:
  mshannon

  Thanks for the response. I checked out your blog and tried your suggestions. I'm sure it works well in standalone OC4J, but i was still unable to get it to function correctly from JDeveloper embedded.
  Did you ever get the code working directly from JDeveloper?
  Your custom code essentially seems to be the equivalent of a grant within system-jazn-data.xml.
  For example, the following grant to a custom jaas role (JAAS_ADMIN) that gets added by my custom login module gives them rmi login access :-
       <grant>
            <grantee>
                 <principals>
                      <principal>
                           <realm-name>jazn.com</realm-name>
                           <type>role</type>
                           <class>kr.security.principals.KRRolePrincipal</class>
                           <name>JAAS_Admin</name>
                      </principal>
                 </principals>
            </grantee>
            <permissions>
                 <permission>
                      <class>com.evermind.server.rmi.RMIPermission</class>
                      <name>login</name>
                 </permission>
            </permissions>
       </grant>If I add the following to orion-application.xml
    <!-- Granting login permission to users accessing this EJB. -->
    <namespace-access>
      <read-access>
        <namespace-resource root="">
          <security-role-mapping>
            <group name="JAAS_Admin"></group>
          </security-role-mapping>
        </namespace-resource>
      </read-access>Running a standalone client against the embedded jdev oc4j server gives the namespace-access error.
  I tried out your code by essentially creating a static reference to a singleton class that does the role lookup/provisioning with rmi login grant :-
  From custom login module :-
    private static KRSecurityHelper singleton = new KRSecurityHelper();
    protected Principal[] m_Principals;
      Vector v = new Vector();
        v.add(singleton.getCustomRmiConnectRole());
        // set principals in LoginModule
        m_Principals=(Principal[]) v.toArray(new Principal[v.size()]);
  Singleton class :-
  package kr.security;
  import com.evermind.server.rmi.RMIPermission;
  import java.util.logging.Level;
  import java.util.logging.Logger;
  import oracle.security.jazn.JAZNConfig;
  import oracle.security.jazn.policy.Grantee;
  import oracle.security.jazn.realm.Realm;
  import oracle.security.jazn.realm.RealmManager;
  import oracle.security.jazn.realm.RealmRole;
  import oracle.security.jazn.realm.RoleManager;
  import oracle.security.jazn.policy.JAZNPolicy;
  import oracle.security.jazn.JAZNException;
  public class KRSecurityHelper
    private static final Logger LOGGER = Logger.getLogger("kr.security");
    private static final String LOGPREFIX = "[KRSecurityHelper] ";
    public static String CUSTOM_RMI_CONNECT_ROLE = "remote_connect";
    private RealmRole m_Role = null;
    public KRSecurityHelper()
      LOGGER.log(Level.FINEST,LOGPREFIX +"calling JAZNConfig.getJAZNConfig");
      JAZNConfig jc = JAZNConfig.getJAZNConfig();
      LOGGER.log(Level.FINEST,LOGPREFIX +"calling jc.getRealmManager");
      RealmManager realmMgr = jc.getRealmManager();
      try
        // Get the default realm .. e.g. jazn.com
        LOGGER.log(Level.FINEST,LOGPREFIX +"calling jc.getGetDefaultRealm");
        Realm r = realmMgr.getRealm(jc.getDefaultRealm());
        LOGGER.log(Level.INFO,LOGPREFIX +"default realm: "+r.getName());
        // Access the role manager for the remote connection role
        LOGGER.log(Level.FINEST,
          LOGPREFIX +"calling default_realm.getRoleManager");
        RoleManager roleMgr = r.getRoleManager();
        LOGGER.log(Level.INFO,LOGPREFIX +"looking up custom role '"
          CUSTOM_RMI_CONNECT_ROLE "'");
        RealmRole rmiConnectRole = roleMgr.getRole(CUSTOM_RMI_CONNECT_ROLE);
        if (rmiConnectRole == null)
          LOGGER.log(Level.INFO,LOGPREFIX +"role does not exist, create it...");
          rmiConnectRole = roleMgr.createRole(CUSTOM_RMI_CONNECT_ROLE);
          LOGGER.log(Level.FINEST,LOGPREFIX +"constructing new grantee");
          Grantee gtee = new Grantee(rmiConnectRole);
          LOGGER.log(Level.FINEST,LOGPREFIX +"constructing login rmi permission");
          RMIPermission login = new RMIPermission("login");
          LOGGER.log(Level.FINEST,
            LOGPREFIX +"constructing subject.propagation rmi permission");
          RMIPermission subjectprop = new RMIPermission("subject.propagation");
          // make policy changes
          LOGGER.log(Level.FINEST,LOGPREFIX +"calling jc.getPolicy");
          JAZNPolicy policy = jc.getPolicy();
          if (policy != null)
            LOGGER.log(Level.INFO, LOGPREFIX
              + "add to policy grant for RMI 'login' permission to "
              + CUSTOM_RMI_CONNECT_ROLE);
            policy.grant(gtee, login);
            LOGGER.log(Level.INFO, LOGPREFIX
              + "add to policy grant for RMI 'subject.propagation' permission to "
              + CUSTOM_RMI_CONNECT_ROLE);
            policy.grant(gtee, subjectprop);
            // m_Role = rmiConnectRole;
            m_Role = roleMgr.getRole(CUSTOM_RMI_CONNECT_ROLE);
            LOGGER.log(Level.INFO, LOGPREFIX
              + m_Role.getName() + ":" + m_Role.getFullName() + ":" + m_Role.getFullName());
          else
            LOGGER.log(Level.WARNING,LOGPREFIX +"Cannot find jazn policy!");
        else
          LOGGER.log(Level.INFO,LOGPREFIX +"custom role already exists");
          m_Role = rmiConnectRole;
      catch (JAZNException e)
        LOGGER.log(Level.WARNING,
          LOGPREFIX +"Cannot configure JAZN for remote connections");
    public RealmRole getCustomRmiConnectRole()
      return m_Role;
  }Using the code approach and switching application.xml across so that namespace access is for the group remote_connect, I get the following error from my bean :-
  INFO: Login permission not granted for current-workspace-app (test.user)
  Thus, the login permission that I'm adding through the custom remote_connect role does not seem to work. Even if it did, i'm pretty sure I would still get that namespace error.
  This has been such a frustrating process. All the custom login module samples using embedded JDeveloper show simple j2ee servlet protection based on settings in web.xml.
  There are no samples showing jdeveloper embedded oc4j using ejb with custom login modules.
  Hopefully the oc4j jdev gurus like Frank can write a paper that demonstrates this.
  Matt.

• Jdev 10.1.3.1 "ADF Security": Application without a custom login page?

  Hi,
  We are trying to develop an application using "ADF security", which means we can give permissions to certain roles based on "Binding Container", "Iterator Binding", "Method Action Binding" and "Attribute-level Binding".
  After reading the document -- "Oracle® Containers for J2EE Security Guide 10g (10.1.3.1.0) B28957-01" that Frank pointed out. We have a question:
  Can we develop an ADF application without creating a custom login page? Right now we've followed the security guide and modified the configuration files. But when we run the application, we get the "user null" error message. The reason is clear because we do not have a login page. On the security guide, it says that it is possible to use the oracle default login module. But it does not say how. Does anyone have any idea?
  Thanks,
  Annie

  Brenden,
  Thank you so much for the reply. This is our code in the web.xml:
  <login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>default</realm-name>
  </login-config>
  We are using HTTP basic Authentication. This technique worked for the container-managed security. The browser default login page pops up when the end users try to log into a secured JSP. But here we want to use "ADF security" to set up "Iterator binding" and "Attribute level binding" security. The browser default login page does NOT show up. Instead we get the "user null" error message.
  If you have detailed step on how to select HTTP Basic Authentication, it would be very helpful to us. Or if you know any document has the detail.
  regards,
  Annie

• Custom login module on OC4J 10.1.3.3.0

  Hi,
  I need to implement custom web form-based authentication on OC4J, in order to port an existing JBoss app. I was following Frank's example at http://www.oracle.com/technology/products/jdev/howtos/10g/jaassec/index.htm. Trying to access protected pages will correctly redirect to the j_security_check page, and from there call my custom login module - through LoginContext. The issue is that - even if the LoginModule correctly authenticates user's credentials, the request still doesn't get through, coming back to the authentication page.
  I perform the deployment using Oracle Enterprise Manager, and the relevant files are:
  web.xml:
  <login-config>
  <auth-method>FORM</auth-method>
  <realm-name>testJAAS</realm-name>
  <form-login-config>
  <form-login-page>/jsp/login.jsp</form-login-page>
  <form-error-page>/jsp/login.jsp</form-error-page>
  </form-login-config>
  </login-config>
  <!-- Security constraints -->
  <security-constraint>
       <web-resource-collection>
       <web-resource-name>Test Secure Application</web-resource-name>
       <description>Requires users to authenticate</description>
       <url-pattern>faces/*</url-pattern>
       <http-method>POST</http-method>
       <http-method>GET</http-method>
       <http-method>HEAD</http-method>     
       <http-method>PUT</http-method>     
       </web-resource-collection>     
       <auth-constraint>
       <description>Only allow role1 users</description>
       <role-name>role1</role-name>
       </auth-constraint>     
       <user-data-constraint>
       <description>Encryption is not required for the application in general. </description>
       <transport-guarantee>NONE</transport-guarantee>
       </user-data-constraint>
  </security-constraint>
  <!-- Define the security role(s) -->
  <security-role>
  <description>Example role</description>
  <role-name>role1</role-name>
  </security-role>
  orion-web.xml:
  schema-major-version="10" schema-minor-version="0" >
       <!-- Uncomment this element to control web application class loader behavior.
            <web-app-class-loader search-local-classes-first="true" include-war-manifest-class-path="true" />
       -->
       <resource-ref-mapping name="jdbc/lics" />
       <security-role-mapping name="role1">
            <group name="oc4j-app-administrators" />
       </security-role-mapping>
       <web-app>
       </web-app>
  orion-application.xml:
       <jazn provider="XML" >
            <property name="jaas.username.simple" value="true" />
            <property name="custom.loginmodule.provider" value="true" />
            <property name="role.mapping.dynamic" value="true" />
       </jazn>
  system-jazn-data.xml:
  <jazn-loginconfig>
       <application>
            <name>le5</name>
            <login-modules>
                 <login-module>
                      <class>com.tx.lic.oc4jsx.ext.LicLoginModule</class>
                      <control-flag>required</control-flag>
                      <options>
                           <option>
                                <name>defaultRole</name>
                                <value>role1</value>
                           </option>
                      </options>
                 </login-module>
            </login-modules>
       </application>
  I assume something is wrong with the deployment configuration, b/c when I specifically add users to the defined role1 role, it works fine(see below). But this is not an option, since users should only be specified in the data store of the LoginModule.
  Doing as above, the orion-web.xml is below:
       <resource-ref-mapping name="jdbc/lic" />
       <security-role-mapping name="role1">
            <group name="oc4j-app-administrators" />
            <user name="user1" />
            <user name="user2" />
       </security-role-mapping>
  Any insight would be much appreciated. Thanks.

  Hi,
  role to group mapping doesn't seem to work for custom LoginModules. This means hat your web applcation (web.xml) should use th same role names as used on the database authentication. So remove
  <security-role-mapping name="role1">
  <group name="oc4j-app-administrators" />
  </security-role-mapping>
  from orion-web.xml and it should start wrking
  Frank

• Using a custom login page for the portal

  Hi all,
  I'm currently doing a migration from Plumtree 4.5WS to Plumtree 5.0.4. In the current 4.5WS portal, I'm catering to 3 different login mechanisms due to time-lags in migration of my users' workstations. The 3 mechanisms are:
  1) Smart Card Reader on Windows 95 using TLS (uses a client side ActiveX)
  2) Smart Card Reader on Windows XP using SSL (uses client side ActiveX)
  3) Java PKI Card on Windows XP using SSL (uses server side scripting)
  To cater to the above, we've made customisations to login.asp and dologin.asp and also added a few scripts of our own.
  I now need to migrate these over to Plumtree 5.0 as well. I've thought of 2 ways to do this:
  1) Doing a custom view replacement of the Login View. This however has limitations as I'm not sure how the codes for the above 3 mechanisms will come in, especially 3), which involves server side scripting.
  2) Creating a custom login and exit page. This is probably a much more feasible solution in my case as it allows me to freely create my login pages and exit pages accordingly to cater for the above. However to do this, I need to be able to customize the Log In and Log Off links on the Portal Banner in order to point these to my own login and exit pages.
  Any ideas what is the best (or correct) way to do this?
  Thanks!
  Weng Kong Lee

  AFAIK only one login.jsp is called.
  But you can include logic into that one JSP file.
  If referer = portal.company.com THEN
  else
  This way you can create different look and feel for different virtual hosts.
  Login portlets have the disadvantage that https is not supported
  Ton

• Custom login module Authentication works but Authorization Does not work

  Hi:
  I am using custom login module and switched on the ADF authentication using adf-config.xml file. My custom authentication works i.e. it returns true but when it finally tries to display the page 401 Unauthorized message is shown. I am using JDev 10.1.3.2.
  Is there any other settings I need to perform. Could you please let me know.
  Thanks

  I have the same issue, please refer to this thread.
  Re: ADF Security Authorization