Custom Login Module - all modules ignored

Hello,
we created a custom login module and deployed it as library to the server. We than configured the login module as described in the SAP manual:
http://help.sap.com/saphelp_nw70/helpdata/en/46/3ce9402f3f8031e10000000a1550b0/frameset.htm
First we had a little problem with the library path. The security log has a nice overview what login stack and what modules where called, for our module it stated u201CCannot load login module class u2026.u201D
After reading the forum, we found that our login module path was wrong, we only added the class name as described in the tutorial. Correct was to use the library name from Visual Admin.
But now, if we call the portal, the security log is just empty. It seems no stack and no module is called at all. If we remove our custom module from the ticket stack, everything is fine and we get an entry in the security log with the ticket stack and all remaining modules.
If we add the custom login module to the stack again and enter username and password we get an error message that all modules are ignored.
Does anybody know this error and maybe what to do?
Best regards,
Kai

Hi Kai,
have you solved your problem?
Currently we are facing a similar Problem.
We have a custom login module. I deployed everything like in the tutorial. There should be no Problem with the login module itself, as it is an exact copy of a working one. Class names are the same. The only difference is in package names, project names, library names. I adjusted the classloader to the new library and also adjusted the classname in the user store where the login module is configured.The login module is part of the "ticket" authentication stack.
When we want to log on to the portal, we get an error like "all modules ignored".
Maybe you have found a solution which is also suitable for our problem.
Thanks
Regards
Pascal

Similar Messages

SP15 in Java engine failed, "Login Failure: all modules ignored"

Hi
During the installation of sp15 (with JSPM) failed, the sdm log shows:
ERROR: Cannot connect to Host: [hostname] with user name: [J2EE_ADMIN]
My instance was down so I started but now there is an error, when I try to log on to User management it give me the error: "Login Failure: all modules ignored".
I checked the logs for the server and found the following:
#1.5^H#0000000000000067000000250000596D00045A79FA4B224F#1225379843613#com.sap.engine.services.security.resource.ResourceHandl
eImpl#sap.com/com.sap.security.core.admin#com.sap.engine.services.security.resource.ResourceHandleImpl#J2EE_GUEST#0##n/a##da7
065c0a69511ddb438000000000000#SAPEngine_Application_Thread[impl:3]_15##0#0#Error#1#/System/Security/Audit/J2EE#Java###ACCESS.
ERROR: Authorization check for caller assignment to J2EE resource [ : : : ].#4#SAP-J2EE-Engine#session-pool#ge
t_session_pool#ALL#
#1.5^H#0000000000000067000000260000596D00045A79FA4B32AC#1225379843613#com.sap.engine.services.security.authentication.loginco
ntext#sap.com/com.sap.security.core.admin#com.sap.engine.services.security.authentication.logincontext#J2EE_GUEST#0##n/a##da7
065c0a69511ddb438000000000000#SAPEngine_Application_Thread[impl:3]_15##0#0#Error##Java###Caller not authorized.
[EXCEPTION]
#1#com.sap.engine.services.security.exceptions.BaseSecurityException: Caller not authorized.
 at com.sap.engine.services.security.resource.ResourceHandleImpl.checkPermission(ResourceHandleImpl.java:627)
 at com.sap.engine.services.security.resource.ResourceHandleImpl.checkPermission(ResourceHandleImpl.java:513)
 at com.sap.engine.services.security.resource.ResourceContextImpl.checkPermission(ResourceContextImpl.java:45)
 at com.sap.engine.services.security.restriction.Restrictions.checkPermission(Restrictions.java:119)
 at com.sap.engine.services.security.server.AuthenticationContextImpl.getSessionPool(AuthenticationContextImpl.java:39
5)
 at com.sap.engine.services.security.server.AuthenticationContextImpl.getLoginContextFactory(AuthenticationContextImpl
.java:740)
 at com.sap.engine.services.security.server.AuthenticationContextImpl.getLoginContext(AuthenticationContextImpl.java:2
54)
 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
 at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
 at java.lang.reflect.Method.invoke(Method.java:324)
 at com.sap.engine.system.SystemLoginModule.initialize(SystemLoginModule.java:72)
 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
 at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
 at java.lang.reflect.Method.invoke(Method.java:324)
 at javax.security.auth.login.LoginContext.invoke(LoginContext.java:662)
 at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
 at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
 at java.security.AccessController.doPrivileged(Native Method)
 at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
 at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
 at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.getLoggedInUser(SAPJ2EEAuthenticator.java:146)
 at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.forceLoggedInUser(SAPJ2EEAuthenticator.java:231)
 at com.sap.security.core.admin.ServletAccessToLogic.getActiveUser(ServletAccessToLogic.java:141)
 at com.sap.security.core.admin.UserAdminLogic.executeRequest(UserAdminLogic.java:438)
 at com.sap.security.core.admin.UserAdminServlet.doPost(UserAdminServlet.java:26)
 at com.sap.security.core.admin.UserAdminServlet.doGet(UserAdminServlet.java:19)
 at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
 at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
 at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
 at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
 at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
 at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
 at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
 at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
 at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
 at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
 at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessio
nMessageListener.java:33)
 at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
 at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
 at java.security.AccessController.doPrivileged(Native Method)
 at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:102)
 at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:172)
I found the SAP Note 971249 but Iu2019m not sure it applies and even I can log on into Visual administrator.
Log for the Visual Administrator
<!LOGHEADER[START]/>
<!HELP[Manual modification of the header may cause parsing problem!]/>
<!LOGGINGVERSION[1.5.3.7185 - 630]/>
<!NAME[/usr/sap/SID/DVEBMGS00/j2ee/admin/log/./traces/visual_administration.trc]/>
<!PATTERN[visual_administration.trc]/>
<!FORMATTER[com.sap.tc.logging.ListFormatter]/>
<!ENCODING[UTF8]/>
<!FILESET[0, 5, 10000000]/>
<!PREVIOUSFILE[visual_administration.4.trc]/>
<!NEXTFILE[visual_administration.1.trc]/>
<!LOGHEADER[END]/>
#1.5^H#C000AC11873E00000000000100CEC78D00045A541BE7A040#1225217198758#com.sap.engine.services.adminadapter.gui.tasks.LoginTas
k##com.sap.engine.services.adminadapter.gui.tasks.LoginTask#######Thread[Thread-1,5,main]##0#0#Error#1#/System/Server/VisualA
dministrationTool#Java###Error while trying to login to host: null
[EXCEPTION]
#1#java.lang.NullPointerException
 at com.sap.engine.services.security.remoteimpl.login.RemoteLoginContextHelperImpl.login(RemoteLoginContextHelperImpl.
java:72)
 at com.sap.engine.services.security.remoteimpl.login.RemoteLoginContextHelperImplp4_Skel.dispatch(RemoteLoginContextH
elperImplp4_Skel.java:64)
 at com.sap.engine.services.rmi_p4.DispatchImpl._runInternal(DispatchImpl.java:319)
 at com.sap.engine.services.rmi_p4.DispatchImpl._run(DispatchImpl.java:200)
 at com.sap.engine.services.rmi_p4.server.P4SessionProcessor.request(P4SessionProcessor.java:136)
 at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessio
nMessageListener.java:33)
 at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
 at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
 at java.security.AccessController.doPrivileged(Native Method)
 at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:102)
 at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:172)
Thank you very much for your help.
Best Regards

hi
we had the same issue some time back when we upgraded to SP15, we opened a OSS message and SAP had to come and fix the issue.
It was some inconsistencies in -Config DB settings and they made quite a few changes in security/configurations/ticket(config tool)
also
one Java parameter was wrong(config tool - server config) :
-Djava.security.policy=/java.policy it should be -
> Djava.security.policy=./java.policy (The DOT was missing)
thank you
Jonu Joy

Custom Login Module, LM Stack ignored

Moderator's note: This is a question split from another thread:
Maybe someone with LoginModuleStack knowledge can give us a hand
Another issue (which is isolated from the other question) we have is that somehow the defined Login Module Stack for the J2EE app
doesn't get called when there exits already a MYSAPSSO2 cookie in the session.
The Login Module Stack looks like this:
Custom Login Module Position 1 Required (also tested with optional & requisite)
CreateTicketLoginModule Position 2 Sufficient (also tested with optional)
So if we call the J2EE web app with no existing MYSAPSSO2 cookie (e.g. open in new browser window), everything
works fine and the defined login module stack is run through.
If we call the app with existing MYSAPSSO2 cookie (e.g. open in same browser window after logout of previous app),
the login module stack is ignored and it seems that the EvaluateTicketLoginModule is called straight away, despite not being defined in the stack.
What could be the problem and how can this be solved?
Signed with greetings and a happy weekend on behalf of Minh-Duc Truong,
Your,
Julius
Edited by: Minh-Duc Truong on Jul 18, 2008 4:52 PM
Edited by: Julius Bussche on Jul 18, 2008 7:29 PM

Hi,
I cannot believe that the EvaluateTicketLoginModule is called if it is not defined in the stack. I guess the best way to track down the problem is to increase the severity of the following locations:
(use Visual Admin / Log Configurator / Locations TAB to do that):
com.sap.security.server.jaas
com.sap.engine.services.security
Set the Severity to ALL. After that call your application and paste the output in security.log here so I can have a look at it. It will contain a complete trace of the processing of your login modules so maybe we'll see what's going wrong.
Cheers

J2EE 6.40 Custom Login Module - how to config

hello all,
i am using WAS J2EE 6.40 Sneak Preview edition. Read all i can find about custom login module, in the forum and the online help. still confused. pls help.
here is the background info:
- i am writing a web app. the EAR file contains 5 ejbs, 1 war and bunch of java classes in jars.
- access to my web app is protected through url pattern (in web.xml), i've defined the same named security role in web.xml and on j2ee engine.
- my login module does the user name and password checking. both are stored in database through some other means.
- login is FORM based
following the discussion in another thread on the topic, i did the following:
#1 develop my login module code. packaged it in a jar, then sda file. deploy the sda as a llibrary to the engine.
#2 add my login module to the security store through the security provider service.
#3 configure my web app to use the custom login module in web-j2ee-engine.xml
#4 deploy my web app through the ear file
at this point, in the visual administrator, i can see the library, the custom login module (added to the UME User Store), and also my web app has authentication set to use the custom login module (under policy configurations tab).
now i try to login to my web app. it correctly complains when i enter non-existent user or wrong password and brings me to the login failed jsp page. but when i enter both correctly (as stored in my database), i get http 403 error code. i know it is 403 because i set that error code to a special jsp page in web.xml.
question is why? now i create a user on the j2ee engine with the same name as in my user database. then i can login ok. i am confident that my login module is called since i see the println lines in j2ee engine server logs.
??? so i must be missing something obvious. is it because my web app is protected through security-role? i even tried removing all such roles, but still same problem.
??? or do i completely mis-understand how custom login modules are supposed to work. i thought it means i can authenticate users any way i want without having to use the j2ee engine's user mgmt. pls tell me if i am totally wrong.
??? or maybe my login module code is missing some key stmts. how should it tell the j2ee engine that a user is authenticated? in the login() method, it returns true if user name/passwd match. in the commit() method, it adds the principal to the subject. i don't what else is required.
does anyone have a working scenario using custom login modules?
thanks very much for your inputs and thoughts.
wentao

Hi Astrid,
I guess I have the same understanding of JAAS as you. I want to deploy an application that internally makes use of JAAS to authenticate users. There is a LoginModule that authenticates users against some database tables containing all the user data and profile. The application was not designed to be deployed to NetWeaver. So it does not make use of UME or some other NetWeaver specific feature. Actually it handles user management and authoroization issues completely on its own. The only reason for having JAAS is to allow customers to plug in their own LoginModule to use some other kind of user store.
When deploying the web application to a simple servlet engine like Tomcat, all I have to do is to register my LoginModule in the "jaas.conf" file that is parsed by JAAS default implementation. I also tell the JVM where my jaas.conf file is located by appending a "-Djava..." runtime parameter to the JVM startup script.
When using other application servers like IBM WebSphere things become a bit different. Normally you use the administration GUI of that server to configure your LoginModules. WebSphere for example keeps the login configuration in an internal database rather than writing everything into a "jaas.conf" text file. But the way the application can use the LoginModule is the same as in Tomcat.
But when it comes to Netweaver, it seems to me that it's not possible to define a LoginModule that your application can use WITHOUT having to couple it tightly to UME. Or did I get something wrong? Initially I've tried to modify the JVM's parameters (using SAP J2EE Config Tool) to include the location of my "jaas.conf" file containing the my login configuration. But that did not work. The parameter was really passed to the JVM but anyway my LoginModule was not found, I guess that NetWeaver has some own implementation of the JAAS interfaces that just ignore the plain text JAAS configuration files (like WebSphere also does).
The documentation that I have downloaded from SDN doesn't seem to match the 6.4 sneak preview version that I just downloaded some days ago. They say you should deploy your LoginModule as a library and add a refernce to the application. I tried that out but it did not help. The login configuration that the application wants to access is still not found. Actually there seems to be no way to specify the name for a JAAS Login Configuration in NetWeaver. At least I cound not find that in the documentation.
So basically my question is: is it possible to deploy an application that wants to use some own LoginModule (either deployed separately or together with the application, that does not matter) without making use of Netweaver specific features like UME? The application has its own user management infrastructure and just needs a way to setup a JAAS Login Configuration to access its own LoginModule.
Thanks in advance
Henning

Help - using custom login module with embedded jdev oc4j to access ejb 3

Hi All (Frank ??),
I'm just wondering if anyone has successfully been able to leverage a custom login module in combination
with a client that connects to a local EJB 3 stateless session bean through Jdeveloper 10.1.3.2's embedded oc4j.
I have spent 2+ days trying to get this to work - and i think I resound now to the fact im going to
have to deploy to oc4j standalone instead.
I got close.. but finally was trumped with the following error from the client trying to access the ejb:-
javax.naming.NoPermissionException: Not allowed to look up XXXXXX, check the namespace-access tag
setting in orion-application.xml for details.
Using the various guides available, I had no problem getting the custom login module working
with a local servlet running from JDev's embedded oc4j.. however with ejb - no such luck.
I have a roles table (possible values Member, Admin) - that maps to sr_Member and sr_Admin
respectively in various config files.
I'm using EJB 3 annotations for protecting methods .. for example
@RolesAllowed("sr_Member")
Steps that I had to do so far :-
In <jdevhome>\jdev\system\oracle.jwee.10.1.3.40.66\embedded-oc4j\config\system-jazn-data.xml1) Add custom login module
 <application>
 <name>current-workspace-app</name>
 <login-modules>
 <login-module>
 <class>kr.security.KnowRushLoginModule</class>
 <control-flag>required</control-flag>
 <options>
 <option>
 <name>dataSource</name>
 <value>jdbc/DB_XE_KNOWRUSHDS</value>
 </option>
 <option>
 <name>user.table</name>
 <value>users</value>
 </option>
 <option>
 <name>user.pk.column</name>
 <value>id</value>
 </option>
 <option>
 <name>user.name.column</name>
 <value>email_address</value>
 </option>
 <option>
 <name>user.password.column</name>
 <value>password</value>
 </option>
 <option>
 <name>role.table</name>
 <value>roles</value>
 </option>
 <option>
 <name>role.to.user.fk.column</name>
 <value>user_id</value>
 </option>
 <option>
 <name>role.name.column</name>
 <value>name</value>
 </option>
 </options>
 </login-module>
 </login-modules>
 </application>2) Grant login rmi permission to roles associated with custom login module (also in system-jazn-data.xml)
<grant>
 <grantee>
 <principals>
 <principal>
 <realm-name>jazn.com</realm-name>
 <type>role</type>
 <class>kr.security.principals.KRRolePrincipal</class>
 <name>Admin</name>
 </principal>
 </principals>
 </grantee>
 <permissions>
 <permission>
 <class>com.evermind.server.rmi.RMIPermission</class>
 <name>login</name>
 </permission>
 </permissions>
</grant>
<grant>
 <grantee>
 <principals>
 <principal>
 <realm-name>jazn.com</realm-name>
 <type>role</type>
 <class>kr.security.principals.KRRolePrincipal</class>
 <name>Member</name>
 </principal>
 </principals>
 </grantee>
 <permissions>
 <permission>
 <class>com.evermind.server.rmi.RMIPermission</class>
 <name>login</name>
 </permission>
 </permissions>
</grant>3) I've tried creating various oracle and j2ee deployment descriptors (even though ejb-jar.xml and orion-ejb-jar.xml get created automatically when running the session bean in jdev).
My ejb-jar.xml contains :-
<?xml version="1.0" encoding="utf-8"?>
<ejb-jar xmlns ....
<assembly-descriptor>
 <security-role>
 <role-name>sr_Admin</role-name>
 </security-role>
 <security-role>
 <role-name>sr_Member</role-name>
 </security-role>
</assembly-descriptor>
</ejb-jar>Note- i'm not specifying the enterprise-beans stuff, as JDev seems to populate this automatically.
My orion-ejb-jar.xml contains ...
<?xml version="1.0" encoding="utf-8"?>
<orion-ejb-jar ...
<assembly-descriptor>
 <security-role-mapping name="sr_Admin">
 <group name="Admin"></group>
 </security-role-mapping>
 <security-role-mapping name="sr_Member">
 <group name="Member"></group>
 </security-role-mapping>
 <default-method-access>
 <security-role-mapping name="sr_Member" impliesAll="true">
 </security-role-mapping>
 </default-method-access>
</assembly-descriptor>My orion-application.xml contains ...
<?xml version="1.0" encoding="utf-8"?>
<orion-application xmlns ...
<security-role-mapping name="sr_Admin">
 <group name="Admin"></group>
</security-role-mapping>
<security-role-mapping name="sr_Member">
 <group name="Member"></group>
</security-role-mapping>
<jazn provider="XML">
 <property name="role.mapping.dynamic" value="true"></property>
 <property name="custom.loginmodule.provider" value="true"></property>
</jazn>
<namespace-access>
 <read-access>
 <namespace-resource root="">
 <security-role-mapping name="sr_Admin">
 <group name="Admin"/>
 <group name="Member"/>
 </security-role-mapping>
 </namespace-resource>
 </read-access>
 <write-access>
 <namespace-resource root="">
 <security-role-mapping name="sr_Admin">
 <group name="Admin"/>
 <group name="Member"/>
 </security-role-mapping>
 </namespace-resource>
 </write-access>
</namespace-access>
</orion-application>My essentially auto-generated EJB 3 client does the following :-
 Hashtable env = new Hashtable();
 env.put(Context.SECURITY_PRINCIPAL, "matt.shannon");
 env.put(Context.SECURITY_CREDENTIALS, "welcome1");
 final Context context = new InitialContext(env);
 KRFacade kRFacade = (KRFacade)context.lookup("KRFacade");
...And throws the error
20/04/2007 00:55:37 oracle.j2ee.rmi.RMIMessages
EXCEPTION_ORIGINATES_FROM_THE_REMOTE_SERVER
WARNING: Exception returned by remote server: {0}
javax.naming.NoPermissionException: Not allowed to look
up KRFacade, check the namespace-access tag setting in
orion-application.xml for details
 at
com.evermind.server.rmi.RMIClientConnection.handleLookupRe
sponse(RMIClientConnection.java:819)
 at
com.evermind.server.rmi.RMIClientConnection.handleOrmiComm
andResponse(RMIClientConnection.java:283)
....I can see from the console that the user was successfully authenticated :-
20/04/2007 00:55:37 kr.security.KnowRushLoginModule validate
WARNING: [KnowRushLoginModule] User matt.shannon authenticated
And that user is granted both the Admin, and Member roles.
The test servlet using basic authentication correctly detects the user and roles perfectly...
public void doGet(HttpServletRequest request,
 HttpServletResponse response)
 throws ServletException, IOException
 LOGGER.log(Level.INFO,LOGPREFIX +"doGet called");
 response.setContentType(CONTENT_TYPE);
 PrintWriter out = response.getWriter();
 out.println("<html>");
 out.println("<head><title>ExampleServlet</title></head>");
 out.println("<body>");
 out.println("The servlet has received a GET. This is the reply.");
 out.println(" getRemoteUser = " + request.getRemoteUser());
 out.println(" getUserPrincipal = " + request.getUserPrincipal());
 out.println(" isUserInRole('sr_Admin') = "+request.isUserInRole("sr_Admin"));
 out.println(" isUserInRole('sr_Memeber') = "+request.isUserInRole("sr_Member"));Anyone got any ideas what could be going wrong?
cheers
Matt.
Message was edited by:
mshannon

Thanks for the response. I checked out your blog and tried your suggestions. I'm sure it works well in standalone OC4J, but i was still unable to get it to function correctly from JDeveloper embedded.
Did you ever get the code working directly from JDeveloper?
Your custom code essentially seems to be the equivalent of a grant within system-jazn-data.xml.
For example, the following grant to a custom jaas role (JAAS_ADMIN) that gets added by my custom login module gives them rmi login access :-
 <grant>
 <grantee>
 <principals>
 <principal>
 <realm-name>jazn.com</realm-name>
 <type>role</type>
 <class>kr.security.principals.KRRolePrincipal</class>
 <name>JAAS_Admin</name>
 </principal>
 </principals>
 </grantee>
 <permissions>
 <permission>
 <class>com.evermind.server.rmi.RMIPermission</class>
 <name>login</name>
 </permission>
 </permissions>
 </grant>If I add the following to orion-application.xml

<namespace-access>
 <read-access>
 <namespace-resource root="">
 <security-role-mapping>
 <group name="JAAS_Admin"></group>
 </security-role-mapping>
 </namespace-resource>
 </read-access>Running a standalone client against the embedded jdev oc4j server gives the namespace-access error.
I tried out your code by essentially creating a static reference to a singleton class that does the role lookup/provisioning with rmi login grant :-
From custom login module :-
private static KRSecurityHelper singleton = new KRSecurityHelper();
protected Principal[] m_Principals;
 Vector v = new Vector();
 v.add(singleton.getCustomRmiConnectRole());
 // set principals in LoginModule
 m_Principals=(Principal[]) v.toArray(new Principal[v.size()]);
Singleton class :-
package kr.security;
import com.evermind.server.rmi.RMIPermission;
import java.util.logging.Level;
import java.util.logging.Logger;
import oracle.security.jazn.JAZNConfig;
import oracle.security.jazn.policy.Grantee;
import oracle.security.jazn.realm.Realm;
import oracle.security.jazn.realm.RealmManager;
import oracle.security.jazn.realm.RealmRole;
import oracle.security.jazn.realm.RoleManager;
import oracle.security.jazn.policy.JAZNPolicy;
import oracle.security.jazn.JAZNException;
public class KRSecurityHelper
private static final Logger LOGGER = Logger.getLogger("kr.security");
private static final String LOGPREFIX = "[KRSecurityHelper] ";
public static String CUSTOM_RMI_CONNECT_ROLE = "remote_connect";
private RealmRole m_Role = null;
public KRSecurityHelper()
 LOGGER.log(Level.FINEST,LOGPREFIX +"calling JAZNConfig.getJAZNConfig");
 JAZNConfig jc = JAZNConfig.getJAZNConfig();
 LOGGER.log(Level.FINEST,LOGPREFIX +"calling jc.getRealmManager");
 RealmManager realmMgr = jc.getRealmManager();
 try
 // Get the default realm .. e.g. jazn.com
 LOGGER.log(Level.FINEST,LOGPREFIX +"calling jc.getGetDefaultRealm");
 Realm r = realmMgr.getRealm(jc.getDefaultRealm());
 LOGGER.log(Level.INFO,LOGPREFIX +"default realm: "+r.getName());
 // Access the role manager for the remote connection role
 LOGGER.log(Level.FINEST,
 LOGPREFIX +"calling default_realm.getRoleManager");
 RoleManager roleMgr = r.getRoleManager();
 LOGGER.log(Level.INFO,LOGPREFIX +"looking up custom role '"
 CUSTOM_RMI_CONNECT_ROLE "'");
 RealmRole rmiConnectRole = roleMgr.getRole(CUSTOM_RMI_CONNECT_ROLE);
 if (rmiConnectRole == null)
 LOGGER.log(Level.INFO,LOGPREFIX +"role does not exist, create it...");
 rmiConnectRole = roleMgr.createRole(CUSTOM_RMI_CONNECT_ROLE);
 LOGGER.log(Level.FINEST,LOGPREFIX +"constructing new grantee");
 Grantee gtee = new Grantee(rmiConnectRole);
 LOGGER.log(Level.FINEST,LOGPREFIX +"constructing login rmi permission");
 RMIPermission login = new RMIPermission("login");
 LOGGER.log(Level.FINEST,
 LOGPREFIX +"constructing subject.propagation rmi permission");
 RMIPermission subjectprop = new RMIPermission("subject.propagation");
 // make policy changes
 LOGGER.log(Level.FINEST,LOGPREFIX +"calling jc.getPolicy");
 JAZNPolicy policy = jc.getPolicy();
 if (policy != null)
 LOGGER.log(Level.INFO, LOGPREFIX
 + "add to policy grant for RMI 'login' permission to "
 + CUSTOM_RMI_CONNECT_ROLE);
 policy.grant(gtee, login);
 LOGGER.log(Level.INFO, LOGPREFIX
 + "add to policy grant for RMI 'subject.propagation' permission to "
 + CUSTOM_RMI_CONNECT_ROLE);
 policy.grant(gtee, subjectprop);
 // m_Role = rmiConnectRole;
 m_Role = roleMgr.getRole(CUSTOM_RMI_CONNECT_ROLE);
 LOGGER.log(Level.INFO, LOGPREFIX
 + m_Role.getName() + ":" + m_Role.getFullName() + ":" + m_Role.getFullName());
 else
 LOGGER.log(Level.WARNING,LOGPREFIX +"Cannot find jazn policy!");
 else
 LOGGER.log(Level.INFO,LOGPREFIX +"custom role already exists");
 m_Role = rmiConnectRole;
 catch (JAZNException e)
 LOGGER.log(Level.WARNING,
 LOGPREFIX +"Cannot configure JAZN for remote connections");
public RealmRole getCustomRmiConnectRole()
 return m_Role;
}Using the code approach and switching application.xml across so that namespace access is for the group remote_connect, I get the following error from my bean :-
INFO: Login permission not granted for current-workspace-app (test.user)
Thus, the login permission that I'm adding through the custom remote_connect role does not seem to work. Even if it did, i'm pretty sure I would still get that namespace error.
This has been such a frustrating process. All the custom login module samples using embedded JDeveloper show simple j2ee servlet protection based on settings in web.xml.
There are no samples showing jdeveloper embedded oc4j using ejb with custom login modules.
Hopefully the oc4j jdev gurus like Frank can write a paper that demonstrates this.
Matt.

RFC Call in a custom login module

Hi All,
What is the best way to call a RFC/BAPI from a Custom Login Module, part of the login stacks?
I want to avoid using JCo Client Service, do not want to hard code the connection values in the class.
Have anyone of you come across such a situation?
Can the custom login module access the Portal Runtime resources, like the Connector Gateway Service/Destination Service?
Or it just runs inside the j2EE container?
Thanks for your help
Aakash
Edited by: Aakash Jain on Nov 24, 2008 11:42 PM

Hi All,
What is the best way to call a RFC/BAPI from a Custom Login Module, part of the login stacks?
I want to avoid using JCo Client Service, do not want to hard code the connection values in the class.
Have anyone of you come across such a situation?
Can the custom login module access the Portal Runtime resources, like the Connector Gateway Service/Destination Service?
Or it just runs inside the j2EE container?
Thanks for your help
Aakash
Edited by: Aakash Jain on Nov 24, 2008 11:42 PM

Custom Login Module - Commit Method return TRUE always?

Hi,
I am creating a custom login module for my portal authentication.
For the login module, should the commit() method always return TRUE?
The example code on help.sap.com indicates yes to this question.
However, the JAVA Sun standard indicates that commit should return FALSE if the preceding login method returned FALSE.
Does the SAP example stray from the SUN standard? How should I code the commit() method such that it works (Always TRUE, or follow lead of login() method)?
Regards,
Kevin

Hi Kevin,
I'm actually working with this document: <a href="https://www.sdn.sap.comhttp://www.sdn.sap.comhttp://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/events/webinars/jaas%20login%20module%20development%20on%20webas%20java%20640.pdf#search=%22classloader%20sda%20jar%20reference%22">JAAS Login Modules</a>.
There is also example code. If it should be ignored they return false, otherwise true (page 32).
Regards,
Marcus
Message was edited by: Marcus Freiheit

Problem with role mapping in custom login module

Hi all,
I have developed custom login modules. They don't use the default user store but own data tables holding the necessary user information.
Login works fine. But there is one big problem: Only those users that exist with the same user-id in the default user store get roles assigned to it. Whicht leads to 403-errors in my web application.
Now, this is weired because a user with id 'Susi' has completely different passwords in my custom tables and in the user store, therefore it shouldn't be possible to authenticate 'Susi' against the default user management.
Next thing is, I don't use the default login modules at all. So why does the application validates against the user store?
I thought a source of the problem might be that I don't set the roles correctly. I set the roles as a principal to the subject. I have chosen the role based mapping in the web-engine.xml and mapped all my custom roles to the server role 'guests'.
Could anybody think of a solution to this problem ?
Thanks, Astrid

Astrid,
Sorry to go off-topic on your post...but I have a question in relation to how you deploy your login module. Do you deploy the login module with your application ? I've developed a login module that I would like to deploy by itself, I currently deploy it with the calculator example and it works fine like this, but I need to deploy it by itself. Any tips you can give would be greatly appreciated.
I've tried to use the deploytool and deploy the module as a library...but I get a "cannot load a login module" in the logs when authenticating a user.

Callbacks does not work in custom login module

Hi,
We are upgrading portal from 7.01 to 7.31. I am working on custom login module.
I am using NameCallBack, PasswordCallback and httpcallback (prior to upgrade used webCallback which is deprecated in 7.31)
All these three callbacks works fine in our sandbox which uses Portal Database as UME, But same code fails and returns NULL for callbacks in Dev system where we use Active Directory.
//In initialize(Subject subject, CallbackHandler callbackHandler, Map sharedState, Map options)
super.initialize(subject, callbackHandler, sharedState, options);
this.callbackHandler = callbackHandler;
// in logion()
NameCallback nameCallback = new NameCallback("User name: ");
PasswordCallback passwordCallback = new PasswordCallback("Password: ", true);
try
callbackHandler.handle(new Callback[] { nameCallback, passwordCallback });
Any ideas will be appreciated.
Thanks,
Dileep

Should be fixed in 4.5. Set mouseEnabled=true on the Panel

Custome login module:SDA can't reference com.sap.portal.usermapping_api.jar

I made my own j2ee custom login module and one of the things I wanted the custom login module to do is to clear out the UME roles for the user logging in, "download" the role assignments from an ABAP WAS system, and reassign those roles in UME. I got the coding done and created my JAR file. In building the SDA file, I can't figure out how to add com.sap.portal.usermapping_api.jar to the provider.xml file. I tried specifying it on thru "create new" and tried looking for it in the list from "Select library/interface/service, but I still get an error when loading the login module.
Does anyone know how to do this?
TIA.
Mel Calucin
Bentley Systems, Inc.

Hi Mel,
why do you think you need to reference the portal's user mapping service API? I'm not sure whether you can reference Portal services at all from J2EE level.
If you need to use user mapping in your login module, you don't need the Portal's user mapping service. Instead, you can directly use the user mapping interfaces and methods of the UME, which are contained in a J2EE library.
You can use something like the following reference to get runtime access to the UME API library:
<reference reference-type="weak">
<reference-target target-type="library">
com.sap.security.api.sda
</reference-target>
</reference>
Accessing user mapping is possible via com.sap.security.api.UMFactory.getUserMapping() which returns an object implementing com.sap.security.api.umap.IUserMapping. This is the main entry point for all user mapping related features.
Please check the Javadoc for details:
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/javadocs/nw04/sp12/user management engine - version 4.0/index.html
I hope this helps.
Best regards
Heiko

Custom Login Module that should check only userId with out passwd

Hi All,
Can we write a custom login module which should check user name in the HTTPHeader and let the user login if the user id exists in the userstore(Active Directory Server).
It should not validate with the passwd, as the requesting server sends only the user id in the HTtp Header.
Is it possible to do this ?if so can anyone give me some inouts. I know how to configure cutom login module. But i am not sure with out validating th epasswd we can let the user log in through custom login module.
can anyone send me sample code.
Thanks a lot
Lakshmi

Hi Lakshmi,
What describe the real issue you are trying to solve?
Regards
-Venkat Malempati

Custom login module for EP7.4 with Captcha

Hi
I am trying to create a custom login module which validates the captcha shown at the login screen using SAP help link:
http://help.sap.com/saphelp_nw73/helpdata/en/48/ff4faf222b3697e10000000a42189b/content.htm?frameset=/en/48/fcea4f62944e88e10000000a421937/frameset.htm&current_toc=/en/74/8ff534d56846e2abc61fe5612927bf/plain.htm&node_id=20
The session is being set in the Captcha servlet which is used to render the image on the login page.
However when I am trying to compare it with input or print the session value, its throwing an exception.
I checked in the NWA logs and it just shows the following error message:
6. com.temp.loginModule.MyLoginModuleClass OPTIONAL ok exception true Authentication did not succeed.
Please help me analyse the error stack. Can someone point where do i check the detailed logs to trace the issue?
Please find below source of my login module.
package com.temp.loginModule;
import java.io.IOException;
import java.util.Map;
import javax.security.auth.login.LoginException;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import nl.captcha.Captcha;
import com.sap.engine.interfaces.security.auth.AbstractLoginModule;
import com.sap.engine.lib.security.http.HttpGetterCallback;
import com.sap.engine.lib.security.http.HttpCallback;
import com.sap.engine.lib.security.LoginExceptionDetails;
import com.sap.engine.lib.security.Principal;
public class MyLoginModuleClass extends AbstractLoginModule{
private CallbackHandler callbackHandler = null;
private Subject subject = null;
private Map sharedState = null;
private Map options = null;
// This is the name of the user you have created on
// the AS Java so you can test the login module
private String userName = null;
private boolean successful;
private boolean nameSet;
public void initialize(Subject subject, CallbackHandler callbackHandler,
Map sharedState, Map options) {
// This is the only required step for the method
super.initialize(subject, callbackHandler, sharedState, options);
// Initializing the values of the variables
this.callbackHandler = callbackHandler;
this.subject = subject;
this.sharedState = sharedState;
this.options = options;
this.successful = false;
this.nameSet = false;
* Retrieves the user credentials and checks them. This is
* the first part of the authentication process.
public boolean login() throws LoginException {
// HttpGetterCallback httpGetterCallback = new HttpGetterCallback();
// httpGetterCallback.setType(HttpCallback.REQUEST_PARAMETER);
// httpGetterCallback.setName("captchaInput");
 String value = null;
// try {
// callbackHandler.handle(new Callback[] { httpGetterCallback });
// String[] arrayRequestparam = (String[]) httpGetterCallback.getValue();
// if(arrayRequestparam!=null && arrayRequestparam.length>0)
// value = arrayRequestparam[0];
// } catch (UnsupportedCallbackException e) {
// throwNewLoginException("An error occurred while trying to validate credentials.");
// } catch (IOException e) {
// throwUserLoginException(e, LoginExceptionDetails.IO_EXCEPTION);
value = getRequestValue("captchaInput");
userName = getRequestValue("j_username");
HttpGetterCallback httpGetterCallbackSessionCaptcha = new HttpGetterCallback();
httpGetterCallbackSessionCaptcha.setType(HttpCallback.SESSION_ATTRIBUTE);
httpGetterCallbackSessionCaptcha.setName("myCaptchaLogin");
try {
callbackHandler.handle(new Callback[] { httpGetterCallbackSessionCaptcha });
Captcha arraySessionParam = (Captcha) httpGetterCallbackSessionCaptcha.getValue();
// System.out.println("****************************************************httpGetterCallbackSessionCaptcha" + (arraySessionParam==null?"null session":arraySessionParam.getAnswer())+
// "\n captchaInput" + value+"*********************");
if(arraySessionParam==null || !arraySessionParam.isCorrect(value)){
throwNewLoginException("Entered code does not match with the image code.Session:"+(arraySessionParam==null?"null":arraySessionParam.getAnswer())+" Param:"+ value);
// throwUserLoginException(new Exception("Entered code does not match with the image code."));
httpGetterCallbackSessionCaptcha.setValue(null);
} catch (UnsupportedCallbackException e) {
throwNewLoginException("An error occurred while trying to validate credentials.");
} catch (IOException e) {
throwUserLoginException(e, LoginExceptionDetails.IO_EXCEPTION);
// Retrieve the user credentials via the callback
// handler.
// In this case we get the user name from the HTTP
// NameCallback.
// NameCallback nameCallback = new NameCallback("User name: ");
/* The type and the name specify which part of the HTTP request
* should be retrieved. For Web container authentication, the
* supported types are defined in the interface
* com.sap.engine.lib.security.http.HttpCallback.
* For programmatical authentication with custom callback
* handler the supported types depend on the used callback handler.
// try {
// callbackHandler.handle(new Callback[] {nameCallback});
// catch (UnsupportedCallbackException e) {
// return false;
// catch (IOException e) {
// throwUserLoginException(e, LoginExceptionDetails.IO_EXCEPTION);
// userName = nameCallback.getName();
// if( userName == null || userName.length() == 0 ) {
// return false;
/* When you know the user name, update the user information
* using data from the persistence. The operation must
* be done before the user credentials checks. This method also
* checks the user name so that if a user with that name does not
* exist in the active user store, a
* java.lang.SecurityException is thrown.
// try {
// refreshUserInfo(userName);
// } catch (SecurityException e) {
// throwUserLoginException(e);
/* Checks if the given user name starts with the specified
* prefix in the login module options. If no prefix is specified,
* then all users are trusted.
// String prefix = (String) options.get("user_name_prefix");
// if ((prefix != null) && !userName.startsWith(prefix)) {
// throwNewLoginException("The user is not trusted.");
/* This is done if the authentication of the login module is
* successful.
* Only one and exactly one login module from the stack must put
* the user name in the shared state. This user name represents
* the authenticated user.
* For example if the login attempt is successful, method
* getRemoteUser() of
* the HTTP request will retrieve exactly this name.
if (sharedState.get(AbstractLoginModule.NAME) == null) {
sharedState.put(AbstractLoginModule.NAME, userName);
nameSet = true;
successful = true;
return true;
* Commit the login. This is the second part of the authentication
* process.
* If a user name has been stored by the login() method,
* the user name is added to the subject as a new principal.
public boolean commit() throws LoginException {
if (successful) {
/* The principals that are added to the subject should
* implement java.security.Principal.You can use the class
* com.sap.engine.lib.security.Principal for this purpose.
Principal principal = new Principal(userName);
subject.getPrincipals().add(principal);
/* If the login is successful, then the principal corresponding
* to the <userName> (the same user name that has been added
* to the subject) must be added in the shared state too.
* This principal is considered to be the main principal
* representing the user.
* For example, this principal will be retrieved from method
* getUserPrincipal() of the HTTP request.
if (nameSet) {
sharedState.put(AbstractLoginModule.PRINCIPAL, principal);
} else {
userName = null;
return true;
* Abort the authentication process.
public boolean abort() throws LoginException {
if (successful) {
userName = null;
successful = false;
return true;
* Log out the user. Also removes the principals and
* destroys or removes the credentials that were associated
* with the user during the commit phase.
public boolean logout() throws LoginException {
// Remove principals and credentials from subject
if (successful) {
subject.getPrincipals(Principal.class).clear();
successful = false;
return true;
private String getRequestValue(String parameterName)
 throws LoginException {
 HttpGetterCallback httpGetterCallback = new HttpGetterCallback();
 httpGetterCallback.setType(HttpCallback.REQUEST_PARAMETER);
 httpGetterCallback.setName(parameterName);
 String value = null;
 try {
 callbackHandler.handle(new Callback[] { httpGetterCallback });
 String[] arrayRequestparam = (String[]) httpGetterCallback.getValue();
 value = arrayRequestparam[0];
 } catch (UnsupportedCallbackException e) {
 return null;
 } catch (IOException e) {
 throwUserLoginException(e, LoginExceptionDetails.IO_EXCEPTION);
 return value;
Regards
Ramanender Singh

Ramanender,
JAAS modules usually requires a restart whenever you need to change them. So be very careful with what you expect once you re-deploy your code.
Once the library is loaded it will never reload itself until you perform a restart of the VM.
Connect to the debug port may help, but basic debugging will not take you too far either.
I would recommend you to use the log tracing facility on your code. Just enter the following class attribute:
import com.sap.tc.logging.Location;
private static final Location trace = Location.getLocation(<your_classname_here>.class);
trace.warningT("Some Warning Text Here..." + variable here);
trace.debugT("Some Warning Text Here..." + variable here);
You may need to go NWA and set the Location Severity Level to Debug according to your needs.
Leave the trace code on your module for IT personnel to debug it if necessary. Don't forget to have the severity level of your code properly set.
Meaning: You don't want to have every trace message your module sills out with warningT() or infoT().
There is a excellent blog here on how this works
Then you will be able to inspect some variable contents while the callbackhandler is being executed.
Pay special attention with the timing - variables have a lifetime when dealing with login modules.
Use the entering(<method_name>) and exiting(<method_name> just ot make sure where in the code the variable should be populated and when.
BR,
Ivan

Custom login module and SSO using 10.1.3.3

We are using ADF 10.1.3.3 to build applications and recently a requirement from a customer was to use LDAP for authentication but use internal application tables for authorisation. So essentially the username and password will be in LDAP but all the roles definition are in the application. This is because the LDAP directory has tight controls on contents and is used enterprise wide.
I created a proof of concept to address this requirement using the examples at
http://www.oracle.com/technology/products/jdev/howtos/10g/jaassec/index.htm
and also
http://technology.amis.nl/blog/1462/create-a-webapplication-secured-with-custom-jaas-database-loginmodule-deploy-on-jdeveloper-1013-embedded-oc4j-stand-alone-oc4j-and-opmn-managed-oc4j-10g-as
specifically using DBProcLoginModule to call a database package.
The PL/SQL package I created used DBMS_LDAP to call an LDAP directory with the username and password to check authentication and then used internal application tables to get the authorisation details required.
All this worked very well. I tested on both the embedded OC4J and also standalone OC4J.
Then one of my peers said will this work with SSO? Specifically we use Oracle OID as we have SSO for Forms and Reports.
My experience with SSO has been with Oracle OID and having all the user and role details stored within OID.
So my issue now is can I integrate the custom login module approach I have used with SSO? My knowledge of SSO and OID is limited so I'm not sure how (or if) it would interact with a custom login module. Are the two mutually exclusive?
Any guidance is appreciated.
Regards,
Adrian

Hi,
this question should be posted to the Oracle Application Server forum or the security forum. However, based on my findings and experience in this area, I don't think that SSO is integrated with custom LoginModules since the integration would need to be coded in the LoginModule.
Frank

Custom pluggable idm with custom login module

Hello All. I've developed a custom implementation of the pluggable identity management framework as explained in chapter 13 of the book "Oracle® Containers for J2EE Security Guide10g (10.1.3.1.0)". I have OAS 10.1.3.1.0.
Everything works fine except when the identity is validated with in the tokenAsserter. The process is supposed to continue with the login method implemented in my custom login module but instead the default oracle implementation (RealmLoginModule) is being executed.
The application is a servlet and is configured to use a custom loginModule. If I don't use de custom auth method (auth-method="CUSTOM_AUTH" in orion-application) my loginModule is called but when I plug it to my custom idm implementation it doesn't.
The custom idm is packed in to a jar containing the idm and the login module. The jar is deployed to the <ORACLE_HOME>/ext/lib directory.
Any suggestions? Thanks

Thanks for your answer, it really helps. I had already cheeked all that stuff and it was correct, but knowing that another person had made it worked the same way I was doing it, made me think I was doing it right and the problem may simpler. It really was. OC4J was really calling my login module all the time but it was getting a runtime exception, a very simple one, that was making OC4J to propagate the authentication to the default login module (RealmLoginModule), and that was the error I was watching in the logs that had me all confused.
I will start another thread though about stolen cookie in a SSO solution that I’m developing with this implementation.
Thank you.

Custom Login Module, SSO Ticket validity & Login Module Stack

Hi everybody,
we have a portal (running on jboss) which links to a J2EE web application (running on SAP WAS 6.40) which itself is protected by a custom login module and redirects to different WebDynpro applications (running on same WAS as the J2EE app) depending on some parameters.
So when we go from the portal to the J2EE web application, the custom login module authenticates the user, creates a MYSAPSSO2 Cookie and then redirects to a webdynpro app.
What happens is that the webdynpro app doesn't accept the cookie and redirects to the login mask.
Looking at the request header parameter HOST we have the request coming from sub1.sub2.mycompany.com, which is the portal.
The WAS is located on sub3.mycompany.com.
If we manipulate the HOST parameter to sub2.mycompany.com everything works fine and the webdynpro app successfully authenticates the user.
This does sound either like a domain relaxing issue or a multi domain issue, which we added as parameters to the CreateTicketLoginModule in the Login Module Stack for the J2EE web app.
Unfortunately without result.
Did anybody have a similar problem and can give some hints on how to solve this?
Any help is appreciated
Regards,
md
Edited by: Minh-Duc Truong on Jul 17, 2008 7:18 PM
Edited by: Minh-Duc Truong on Jul 17, 2008 7:19 PM
Edited by: Julius Bussche on Jul 18, 2008 7:25 PM

Hi md,
I have split your 2nd question into a seperate thread => That would make them easier to answer as well, which will help.
You can find it here: Custom Login Module, LM Stack ignored
Cheers,
Julius
Edited by: Julius Bussche on Jul 18, 2008 7:26 PM

Custom Login Module - all modules ignored

Similar Messages

Maybe you are looking for