Custom login module and SSO using 10.1.3.3
We are using ADF 10.1.3.3 to build applications and recently a requirement from a customer was to use LDAP for authentication but use internal application tables for authorisation. So essentially the username and password will be in LDAP but all the roles definition are in the application. This is because the LDAP directory has tight controls on contents and is used enterprise wide.
I created a proof of concept to address this requirement using the examples at
http://www.oracle.com/technology/products/jdev/howtos/10g/jaassec/index.htm
and also
http://technology.amis.nl/blog/1462/create-a-webapplication-secured-with-custom-jaas-database-loginmodule-deploy-on-jdeveloper-1013-embedded-oc4j-stand-alone-oc4j-and-opmn-managed-oc4j-10g-as
specifically using DBProcLoginModule to call a database package.
The PL/SQL package I created used DBMS_LDAP to call an LDAP directory with the username and password to check authentication and then used internal application tables to get the authorisation details required.
All this worked very well. I tested on both the embedded OC4J and also standalone OC4J.
Then one of my peers said will this work with SSO? Specifically we use Oracle OID as we have SSO for Forms and Reports.
My experience with SSO has been with Oracle OID and having all the user and role details stored within OID.
So my issue now is can I integrate the custom login module approach I have used with SSO? My knowledge of SSO and OID is limited so I'm not sure how (or if) it would interact with a custom login module. Are the two mutually exclusive?
Any guidance is appreciated.
Regards,
Adrian
Hi,
this question should be posted to the Oracle Application Server forum or the security forum. However, based on my findings and experience in this area, I don't think that SSO is integrated with custom LoginModules since the integration would need to be coded in the LoginModule.
Frank
Similar Messages
-
Issues with OSSO ,custom login module and form based authentication
Hi:
We are facing issues with OSSO (Oracle Single Sign on ),Our application use the form based
authentication and Custom login module.
Application is going in infinite loop when we we try to login using osso ,from the logs
what I got is looks like tha when we we try to login from OSSO application goes to the login
page and it gets the remote user from request so it forwards it to the home page till now
it is correct behaviour ,but after that It looks like home page find that authentication is
not done and sends it back to the login page and login page again sends it to the home as it
finds that remote user is not null.
Our web.xml form authentication entry looks like this :
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/jsp/login.jsp</form-login-page>
<form-error-page>/jsp/couldnotlogin.jsp</form-error-page>
</form-login-config>
</login-config>
While entry in orion-application.xml has the following entry for custom login :
<jazn provider="XML">
<property name="custom.loginmodule.provider" value="true" />
<property name="role.mapping.dynamic" value="true" />
</jazn>
Whether If I change the authentication type to BASIC and add the following line
in orion-application.xml will solve the issue :
<jazn provider="XML">
<property name="custom.loginmodule.provider" value="true" />
<property name="role.mapping.dynamic" value="true" />
<jazn-web-app auth-method="SSO" >
</jazn>
Any help regarding it will be appreciated .
Thanks
AnilHi:
We are facing issues with OSSO (Oracle Single Sign on ),Our application use the form based
authentication and Custom login module.
Application is going in infinite loop when we we try to login using osso ,from the logs
what I got is looks like tha when we we try to login from OSSO application goes to the login
page and it gets the remote user from request so it forwards it to the home page till now
it is correct behaviour ,but after that It looks like home page find that authentication is
not done and sends it back to the login page and login page again sends it to the home as it
finds that remote user is not null.
Our web.xml form authentication entry looks like this :
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/jsp/login.jsp</form-login-page>
<form-error-page>/jsp/couldnotlogin.jsp</form-error-page>
</form-login-config>
</login-config>
While entry in orion-application.xml has the following entry for custom login :
<jazn provider="XML">
<property name="custom.loginmodule.provider" value="true" />
<property name="role.mapping.dynamic" value="true" />
</jazn>
Whether If I change the authentication type to BASIC and add the following line
in orion-application.xml will solve the issue :
<jazn provider="XML">
<property name="custom.loginmodule.provider" value="true" />
<property name="role.mapping.dynamic" value="true" />
<jazn-web-app auth-method="SSO" >
</jazn>
Any help regarding it will be appreciated .
Thanks
Anil -
Custom Login Module and failover
I'm trying to figure out how to handle authentication when failover from one OC4J to another occurs. I have a custom login module using the example provided by Frank Nimphius (http://www.oracle.com/technology/products/jdev/howtos/10g/jaassec/index.htm)
I see different results for this "external" custom login module than for either JAZN file store or for the built-in DBTableOraDataSourceLoginModule that comes with OC4J and am wondering why.
Scenario 1 - File authentication using JAZN file store
Results: Works well.
Failover works and when failover occurs, the login page is not displayed. (no 2nd login is required).
Scenario 2 - Custom login module using DB store through the OC4J built-in DBTableOraDataSourceLoginModule
Results: Works well.
Failover works and when failover occurs, the login page is not displayed. (no 2nd login is required).
Scenario 3 (problematic scenario) - Custom login module using DB store through an external login module (not in OC4J). I used the DBTableOraDataSourceLoginModule from Frank
Nimphius with no modifications for this test.
Results: Failover works. But when failover occurs, the login page is displayed and the user has to login again. Question: Why doesn't failover also cover the authentication as in the previous 2 scenarios?
Note: I tried to fix this by adding Java_sso. This does appear to take care of having to log in a second time but raises new issues. One is that authentication is called for every request. Then after the failover occurs, I see a log message indicating the login module aborted but authentication appears to succeed regardless.I'm trying to figure out how to handle authentication when failover from one OC4J to another occurs. I have a custom login module using the example provided by Frank Nimphius (http://www.oracle.com/technology/products/jdev/howtos/10g/jaassec/index.htm)
I see different results for this "external" custom login module than for either JAZN file store or for the built-in DBTableOraDataSourceLoginModule that comes with OC4J and am wondering why.
Scenario 1 - File authentication using JAZN file store
Results: Works well.
Failover works and when failover occurs, the login page is not displayed. (no 2nd login is required).
Scenario 2 - Custom login module using DB store through the OC4J built-in DBTableOraDataSourceLoginModule
Results: Works well.
Failover works and when failover occurs, the login page is not displayed. (no 2nd login is required).
Scenario 3 (problematic scenario) - Custom login module using DB store through an external login module (not in OC4J). I used the DBTableOraDataSourceLoginModule from Frank
Nimphius with no modifications for this test.
Results: Failover works. But when failover occurs, the login page is displayed and the user has to login again. Question: Why doesn't failover also cover the authentication as in the previous 2 scenarios?
Note: I tried to fix this by adding Java_sso. This does appear to take care of having to log in a second time but raises new issues. One is that authentication is called for every request. Then after the failover occurs, I see a log message indicating the login module aborted but authentication appears to succeed regardless. -
How to call custom Login Module from JSP
Hi,
I am stuck with the following issue:
1) Exactly as presented in help.sap.com (http://help.sap.com/saphelp_nw04/helpdata/en/3f/1be040e136742ae10000000a155106/content.htm) I created custom login module and deployed it as a library on J2EE server. When I configured it to be used for my applications in the Security provider but I am getting "No user name provided" exception everytime when my applications use this custom login module.
2) I realized that I would need to call my custom module somewhere within my application (simple JSP) using LoginContext class and then use MyLoginContext.login() spec to initiate login process. But I am not able to pass CallbackHandler parameters from JSP application to my custom login module.
So I have the following questions:
1. Can I pass parameters using LoginContext and CallbackHandler from JSP to my custom login module (created as exact copy of HELP.SAP.COM example) or this module cannot be used this way.
2. How to pass CallbackHandler correctly to my custom login module from JSP. When I am trying to use CallbackHandler, I am getting "Abstract Class cannot be called" error.
I'd appreciate any little help on this matter.
Thanks and regards,
MikeYou have two alternatives to do this:
You can declare your JSP as a protected resource with the use of the deployment descriptors of the application (web.xml) and add the custom login module in the authentication stack of the application. This way, you will use container-based authentication, i.e. the Web Container will enforce the authentication and it will call the custom login module before it dispatches to the JSP. I recommend you this approach because it requires less coding and it makes the whole thing a matter of configuration. The configuration can be later on enhanced or changed runtime without the need to re-build and re-deploy the application. If you choose this approach you can go to the documentation of the server for help on how to modify the login module stack of the application.
You can also use programmatic authentication by using JAAS API. To do this you need to create a custom security policy configuration with login module stack containing the custom login module, and then use the standard JAAS mechanism - new LoginContext(<configuration>, <callback-handler>).login(). This approach requires that you write your own callback handler and handle any LoginException.
Let us know which approach you prefer and whether you have difficulties implementing it! -
Potential JavaSSO and Custom Login Module Bugs In Clustered Environment
We've been working with the custom login modules and JavaSSO and have found issues with deployment on 10.1.3.2 in a clustered environment. Deployment on a single server looks like it is working properly.
I'm wondering whether any one here has been using CLM with JavaSSO and have deployed in a clustered application server environment? I've posted in the past regarding this in the OC4J side, but never got a response, so I thought I'd try the experts here...
Here are some TARS that we've logged. Any help from the community would be appreciated.
6320304.994 JAVASSO JSSOUTIL.LOGOUT FUNCTION REDIRECT NOT WORKING ON CLUSTER
6365407.993 SETTING <distributable/> TAG IN WEB.XML CRASHES APPLICATION
6338664.992 JAVASSO LOGIN PAGE DOES NOT LOGIN USER BUT RELOADS LOGIN PAGE
Thanks!
KentonHi Kenton,
Specifically, what were the issues that you ran into when clustering JavaSSO? Was it a problem only when combined with the Custom LM?
As long as the same CLM is configured for your app (I assume this is also clustered) and JavaSSO, that should be sufficient. Obviously, CLM need to be configured against the same user repository.
If the apps were on different hosts, did you remember to set the property "custom.sso.cookie.domain" to set the right domain name in the cookie? Otherwise, you will keep getting redirected to the login page.
http://download.oracle.com/docs/cd/B32110_01/web.1013/b28957/javasso.htm#BABJCGCB
-skt -
Custom Login Module, SSO Ticket validity & Login Module Stack
Hi everybody,
we have a portal (running on jboss) which links to a J2EE web application (running on SAP WAS 6.40) which itself is protected by a custom login module and redirects to different WebDynpro applications (running on same WAS as the J2EE app) depending on some parameters.
So when we go from the portal to the J2EE web application, the custom login module authenticates the user, creates a MYSAPSSO2 Cookie and then redirects to a webdynpro app.
What happens is that the webdynpro app doesn't accept the cookie and redirects to the login mask.
Looking at the request header parameter HOST we have the request coming from sub1.sub2.mycompany.com, which is the portal.
The WAS is located on sub3.mycompany.com.
If we manipulate the HOST parameter to sub2.mycompany.com everything works fine and the webdynpro app successfully authenticates the user.
This does sound either like a domain relaxing issue or a multi domain issue, which we added as parameters to the CreateTicketLoginModule in the Login Module Stack for the J2EE web app.
Unfortunately without result.
Did anybody have a similar problem and can give some hints on how to solve this?
Any help is appreciated
Regards,
md
Edited by: Minh-Duc Truong on Jul 17, 2008 7:18 PM
Edited by: Minh-Duc Truong on Jul 17, 2008 7:19 PM
Edited by: Julius Bussche on Jul 18, 2008 7:25 PMHi md,
I have split your 2nd question into a seperate thread => That would make them easier to answer as well, which will help.
You can find it here: Custom Login Module, LM Stack ignored
Cheers,
Julius
Edited by: Julius Bussche on Jul 18, 2008 7:26 PM -
Custom login module Authentication works but Authorization Does not work
Hi:
I am using custom login module and switched on the ADF authentication using adf-config.xml file. My custom authentication works i.e. it returns true but when it finally tries to display the page 401 Unauthorized message is shown. I am using JDev 10.1.3.2.
Is there any other settings I need to perform. Could you please let me know.
ThanksI have the same issue, please refer to this thread.
Re: ADF Security Authorization -
How to get Custom Login Module to communicate with frontendtarget
We have created a custom login module and placed it in our login module stack.
So we have the following 3 Login Modules in our stack:
EvaluateTicketModule
OurCustomLoginModule
CreateTicketModule
Also we are using the standard SAP login screen for our frontendtarget, see our authschemes.xml entry:
<authscheme name="cglogon">
<authentication-template>
form
</authentication-template>
<priority>21</priority>
<frontendtype>2</frontendtype>
<frontendtarget>com.sap.portal.runtime.logon.certlogon</frontendtarget>
</authscheme>
Question:
There are standard screens in the SAP login PAR:
changePasswordPage.jsp
umLogonProblemPage.jsp
umResetPasswordPage.jsp
How do I trigger one of these screens from my Login() method of my
custom login module? I thought if I throw some specific exception, these screens would
be called?A bit more info.
We created a new Authentication Scheme for certain iviews that are deemed more "sensitive" that required a step-up authentication.
I changed the Iview property "Authentication Scheme" to our custom one.
If I navigate into one of these more sensitive Iviews, I get the standard SAP login screen: <frontendtarget>com.sap.portal.runtime.logon.certlogon</frontendtarget>
Whis is what i expect.
I enter a username and password and click Logon button. I see that it successfully hits our custom login module and goes through Login(), and Commit() methods and finally displays the iview i originally requested.
However, on a failure, i want it to return focus to the SAP login screen with an error explaining why...(i.e. wrong password, account locked, etc.)
However, It always give iview runtime exception with Access Denied.
#1.5 #0018FE8C6FD800690000029000004D6C00045B6E5E7D6014#1226429496628#com.sap.engine.services.security.authentication.logincontext#sap.com/irj#com.sap.engine.services.security.authentication.logincontext#JOHNDOE#182##servername_EPX_176065950#JOHNDOE#bb3365a0b02111ddabea0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_24##0#0#Debug##Java###Login module {0} from authentication stack {1} does not authenticate the caller.#2#companyname.com.CGLoginModuleClass#form#
#1.5 #0018FE8C6FD800690000029100004D6C00045B6E5E7D6275#1226429496629#com.sap.engine.services.security.authentication.loginmodule.ticket.EvaluateTicketLoginModule#sap.com/irj#com.sap.engine.services.security.authentication.loginmodule.ticket.EvaluateTicketLoginModule.abort()#JOHNDOE#182##servername_EPX_176065950#JOHNDOE#bb3365a0b02111ddabea0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_24##0#0#Path##Plain###Entering method#
#1.5 #0018FE8C6FD800690000029200004D6C00045B6E5E7D6308#1226429496629#com.sap.engine.services.security.authentication.loginmodule.ticket.EvaluateTicketLoginModule#sap.com/irj#com.sap.engine.services.security.authentication.loginmodule.ticket.EvaluateTicketLoginModule#JOHNDOE#182##servername_EPX_176065950#JOHNDOE#bb3365a0b02111ddabea0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_24##0#0#Debug##Plain###Internal Login Module data has been reset.#
#1.5 #0018FE8C6FD800690000029300004D6C00045B6E5E7D6386#1226429496629#com.sap.engine.services.security.authentication.loginmodule.ticket.EvaluateTicketLoginModule#sap.com/irj#com.sap.engine.services.security.authentication.loginmodule.ticket.EvaluateTicketLoginModule#JOHNDOE#182##servername_EPX_176065950#JOHNDOE#bb3365a0b02111ddabea0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_24##0#0#Path##Java###Exiting method with {0}#1#true#
#1.5 #0018FE8C6FD800690000029400004D6C00045B6E5E7D6438#1226429496629#com.sap.engine.services.security.authentication.loginmodule.ticket.CreateTicketLoginModule#sap.com/irj#com.sap.engine.services.security.authentication.loginmodule.ticket.CreateTicketLoginModule.abort()#JOHNDOE#182##servername_EPX_176065950#JOHNDOE#bb3365a0b02111ddabea0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_24##0#0#Path##Plain###Entering method#
#1.5 #0018FE8C6FD800690000029500004D6C00045B6E5E7D64B2#1226429496629#com.sap.engine.services.security.authentication.loginmodule.ticket.CreateTicketLoginModule#sap.com/irj#com.sap.engine.services.security.authentication.loginmodule.ticket.CreateTicketLoginModule#JOHNDOE#182##servername_EPX_176065950#JOHNDOE#bb3365a0b02111ddabea0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_24##0#0#Path##Java###Exiting method with {0}#1#true#
#1.5 #0018FE8C6FD800690000029700004D6C00045B6E5E7D6750#1226429496630#com.sap.engine.services.security.authentication.logincontext#sap.com/irj#com.sap.engine.services.security.authentication.logincontext#JOHNDOE#182##servername_EPX_176065950#JOHNDOE#bb3365a0b02111ddabea0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_24##0#0#Info#1#/System/Security/Authentication#Plain###LOGIN.FAILED
User: N/A
Authentication Stack: form
Login Module Flag Initialize Login Commit Abort Details
1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok exception true authscheme not sufficient: uidpwdlogon<cglogon
\#1 ume.configuration.active = true
2. companyname.com.CGLoginModuleClass REQUISITE ok exception true Authentication did not succeed.
3. com.sap.security.core.server.jaas.CreateTicketLoginModule OPTIONAL ok true
\#1 ume.configuration.com = true#
#1.5 #0018FE8C6FD800690000029900004D6C00045B6E5E7DA973#1226429496647#System.err#sap.com/irj#System.err#JOHNDOE#182##servername_EPX_176065950#JOHNDOE#bb3365a0b02111ddabea0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_24##0#0#Error##Plain###Nov 11, 2008 10:51:36... com.sap.portal.portal [SAPEngine_Application_Thread[impl:3]_24] Error: Exception ID:10:51_11/11/08_0002_176065950
#1.5 #0018FE8C6FD800690000029B00004D6C00045B6E5E7DCA91#1226429496647#com.sap.portal.portal#sap.com/irj#com.sap.portal.portal#JOHNDOE#182##servername_EPX_176065950#JOHNDOE#bb3365a0b02111ddabea0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_24##0#0#Error#1#/System/Server#Java###Exception ID:10:51_11/11/08_0002_176065950
[EXCEPTION]
{0}#1#com.sapportals.portal.prt.runtime.PortalRuntimeException: Access is denied: pcd:portal_content/com.companyname.portal.capitalgroup/com.companyname.com.security/com.companyname.portal.cghressnaaa/com.sap.pct.ess.employee_self_service/com.companyname.pg_sensitiveWebdynpro/com.cg.ivu_saplogon_0 - user: Guest
at com.sapportals.portal.prt.deployment.DeploymentManager.getPropertyContentProvider(DeploymentManager.java:1936)
at com.sapportals.portal.prt.core.broker.PortalComponentContextItem.refresh(PortalComponentContextItem.java:230)
at com.sapportals.portal.prt.core.broker.PortalComponentContextItem.getContext(PortalComponentContextItem.java:312)
at com.sapportals.portal.prt.component.PortalComponentRequest.getComponentContext(PortalComponentRequest.java:385)
at com.sapportals.portal.prt.connection.PortalRequest.getRootContext(PortalRequest.java:435)
at com.sapportals.portal.prt.core.PortalRequestManager.runRequestCycle(PortalRequestManager.java:607)
at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:240)
at com.sapportals.portal.prt.dispatcher.Dispatcher$doService.run(Dispatcher.java:545)
and here's my login method...
public boolean login() throws javax.security.auth.login.LoginException
this.succeeded = false;
String passwordString = "";
if (callbackHandler == null)
throw new LoginException("Error: no CallbackHandler available to garner authentication information from the user");
HttpGetterCallback httpgettercallback = new HttpGetterCallback();
NameCallback nc = new NameCallback("User:");
PasswordCallback pc = new PasswordCallback("Password:", false);
Callback[] callbacks = new Callback[] { nc, pc };
try
callbackHandler.handle(callbacks);
catch (IOException e)
throwUserLoginException(e, LoginExceptionDetails.IO_EXCEPTION);
catch (UnsupportedCallbackException e)
return false;
String userid = nc.getName();
char[] password = pc.getPassword();
pc.clearPassword();
if (userid.length() == 0)
throwNewLoginException("USERID IS MISSING!", LoginExceptionDetails.IO_EXCEPTION);
else
username = userid;
if (password.length == 0)
throwNewLoginException("PASSWORD IS MISSING!", LoginExceptionDetails.NO_PASSWORD);
else
passwordString = new String(password);
String eccLoginResult = validateECCAuthentication(username, passwordString);
if (!eccLoginResult.equals(""))
myLoc.infoT(this.username + " - failed ECC authentication.");
throwNewLoginException("Wrong UserId/Password", LoginExceptionDetails.WRONG_USERNAME_PASSWORD_COMBINATION);
else
myLoc.infoT(this.username + " - failed ECC authentication.");
this.succeeded = true;
if (this.succeeded)
try
refreshUserInfo(this.username);
catch (SecurityException e)
throwUserLoginException(e);
if (sharedState.get(AbstractLoginModule.NAME) == null)
sharedState.put(AbstractLoginModule.NAME, this.username);
this.nameSet = true;
else
throwNewLoginException("Wrong UserId/Password", LoginExceptionDetails.WRONG_USERNAME_PASSWORD_COMBINATION);
return this.succeeded; -
Custome login module:SDA can't reference com.sap.portal.usermapping_api.jar
I made my own j2ee custom login module and one of the things I wanted the custom login module to do is to clear out the UME roles for the user logging in, "download" the role assignments from an ABAP WAS system, and reassign those roles in UME. I got the coding done and created my JAR file. In building the SDA file, I can't figure out how to add com.sap.portal.usermapping_api.jar to the provider.xml file. I tried specifying it on thru "create new" and tried looking for it in the list from "Select library/interface/service, but I still get an error when loading the login module.
Does anyone know how to do this?
TIA.
Mel Calucin
Bentley Systems, Inc.Hi Mel,
why do you think you need to reference the portal's user mapping service API? I'm not sure whether you can reference Portal services at all from J2EE level.
If you need to use user mapping in your login module, you don't need the Portal's user mapping service. Instead, you can directly use the user mapping interfaces and methods of the UME, which are contained in a J2EE library.
You can use something like the following reference to get runtime access to the UME API library:
<reference reference-type="weak">
<reference-target target-type="library">
com.sap.security.api.sda
</reference-target>
</reference>
Accessing user mapping is possible via com.sap.security.api.UMFactory.getUserMapping() which returns an object implementing com.sap.security.api.umap.IUserMapping. This is the main entry point for all user mapping related features.
Please check the Javadoc for details:
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/javadocs/nw04/sp12/user management engine - version 4.0/index.html
I hope this helps.
Best regards
Heiko -
Deploying a custom login module to the J2EE engine
I have developed a custom login module, and want to deploy it to the SAP j2ee engine. How should I go about this ? I tried packaging it as a jar and then using the deploytool, went into user management to register the module, but when the module was invoked I got an error in the log saying "Cannot load a login module".
The way I currently deploy it is packaged with the Example Calculator, and this works. I just add my 2 java files into the web module (in com.sap.examples.calculator.beans) and it gets packaged in the war file.
Can anyone help with the "proper" way of deploying my module ?
Thanks in advanceHi Brad,
>
> What I'm actually trying to do is NOT deploy my
> custom login module with an application. But rather
> deploy the jar file as a library to the J2EE engine,
> so that any application can use it by configuring it
> in their login stacks. I'm still not totally clear
> whether this is possible or not.
Once again - It is possible to deploy the login module as a library to the J2EE Engine; furthermore, this is the PREFERRED way to use login modules!
>
> What I have currently done:
>
> 1. developed custom login module packaged as a jar in
> NW studio (2 class files)
>
> 2. Using deploytool I deploy the jar as a library to
> the j2ee engine. This works and the library shows up
> under the libraries section.
>
> 3. Register the login module in the user
> management->manage security stores section. I'm
> unsure if this works properly. Do I just provide the
> full path to the required class ? For example
> "com.example.myloginmodule.LoginModule"
> I have a suspicion that my error of "cannot load a
> login module" stems from here.
>
> 4. I have then followed your step and added a
> reference to the libray (Hard reference) and this
> seems ok.
>
Sorry, Brad, I've made a mistake here. You need to set a reference from the Security Provider Service to the library that contains the login module (not from the application). To do that at runtime, you'll have to use the Configuration Adapter service on the J2EE Engine. For a description of the procedure, see this page in the documentation: http://help.sap.com/saphelp_nw04/helpdata/en/dd/1e3a3e5069eb6ce10000000a114084/frameset.htm
You need to provide additional entry of the following type in the security-provider.xml file:
<reference type="library" strength="weak">
Your-library-name-here
</reference>
Regards,
Ivo.
Message was edited by: Ivaylo Ivanov -
Custom login module - Not invoked...
Hi All
I have developed a custom login module and the necessary configuration steps in VA are performed. However, the custom login module is not called...
1. Developed a Java DC as a Child DC in a Library DC.
2. Added all the relevant jars needed as Used DC and Public Parts as required. Also updated the provider.xml with relevant references.
3. Build and Deployed. (No errors found here..)
4. In VA - Created a new Login Module.... updated the property LoginModuleClassLoaders to library:xyz where xyz is the name of the folder for deployed sda as found in cluster\j2ee\serverx\bin\ext...next updated the config tool for the same.... next modified the sap.com/irj*irj authentication as:
Basic - Requisite
CustomModule - Optional.
Then performed server restart. Yet, login module not called. Any ideas as to where I am going wrong..?? (In my login module, just trying to retrieve the user name and change their attributes like lastname etc... )
Thanks
DeepakIssue solved....
Had forgot to add the module to the ticket stack... -
Custom Login Module - all modules ignored
Hello,
we created a custom login module and deployed it as library to the server. We than configured the login module as described in the SAP manual:
http://help.sap.com/saphelp_nw70/helpdata/en/46/3ce9402f3f8031e10000000a1550b0/frameset.htm
First we had a little problem with the library path. The security log has a nice overview what login stack and what modules where called, for our module it stated u201CCannot load login module class u2026.u201D
After reading the forum, we found that our login module path was wrong, we only added the class name as described in the tutorial. Correct was to use the library name from Visual Admin.
But now, if we call the portal, the security log is just empty. It seems no stack and no module is called at all. If we remove our custom module from the ticket stack, everything is fine and we get an entry in the security log with the ticket stack and all remaining modules.
If we add the custom login module to the stack again and enter username and password we get an error message that all modules are ignored.
Does anybody know this error and maybe what to do?
Best regards,
KaiHi Kai,
have you solved your problem?
Currently we are facing a similar Problem.
We have a custom login module. I deployed everything like in the tutorial. There should be no Problem with the login module itself, as it is an exact copy of a working one. Class names are the same. The only difference is in package names, project names, library names. I adjusted the classloader to the new library and also adjusted the classname in the user store where the login module is configured.The login module is part of the "ticket" authentication stack.
When we want to log on to the portal, we get an error like "all modules ignored".
Maybe you have found a solution which is also suitable for our problem.
Thanks
Regards
Pascal -
Custom login module error: Login permission not granted for myapp (myuser)
I have developed a custom login module for my application. I have followed the steps outlined in security guide and other postings. I could not log into the application when I access EJBs from an RMI client. I get the following error.
Login permission not granted for myapp (myuser)
I did grant the login permission to myuser.
I am using OC4J 10.1.3.1.0
Here are the steps I followed and the configuration files. Can anybody help me out?
1. Created a custom login module and packaged it in EAR along with other classes. In the commit method, I added my user into principals of subject. Here is the code,
==================================================================
public boolean commit() throws LoginException {
try {
if (!loginOk) {
return false;
Set<Principal> principals = subject.getPrincipals();
principals.add(user);
loginOk = true;
} finally {
// Some audit logs are written here.
return loginOk;
===============================================================
2. Added custom login module in orion-application.xml. Here are the relevant portions of orion-application.xml
===============================================================
<jazn provider="XML">
<property name="role.mapping.dynamic" value="true" />
<property name="custom.loginmodule.provider" value="true" />
<property name="role.compare.ignorecase" value="true" />
</jazn>
<jazn-loginconfig>
<application>
<name>myApp</name>
<login-modules>
<login-module>
<class>com.test.myServerLoginModule</class>
<control-flag>required</control-flag>
<options>
<option>
<name>maxRetries</name>
<value>3</value>
</option>
<option>
<name>debug</name>
<value>true</value>
</option>
</options>
</login-module>
</login-modules>
</application>
</jazn-loginconfig>
<namespace-access>
<read-access>
<namespace-resource root="">
<security-role-mapping name="myUser">
<group name="users"/>
<group name="oc4j-app-administrators"/>
</security-role-mapping>
<security-role-mapping name="esp_operator">
<group name="users"/>
<group name="oc4j-app-administrators"/>
</security-role-mapping>
</namespace-resource>
</read-access>
</namespace-access>
===============================================================
3. After the application is deployed on the EAR, I can see the custom login module in system-jazn-data.xml. The command line jazn admin tool lists my custom login module for my application.
4. I have an RMI client, the client JNDI properties are
==============================================================
java.naming.factory.initial=oracle.j2ee.naming.ApplicationClientInitialContextFactory
java.naming.factory.url.pkgs=oracle.j2ee.naming
==============================================================
The value for java.naming.provider.url is constructed dynamically and it is ormi://myserver:23791/myapp
java.naming.security.principal is set to the user who is trying to login, myuser, in this case.
java.naming.security.credentials is set to the password entered by myuser, password in this case.
5. I used jazn admin tool to grant login permission to my user.
===============================================================
a. Added user
java -jar jazn.jar -user oc4jadmin -password welcome -adduser jazn.com myuser password
b. Grant roles
java -jar jazn.jar -user oc4jadmin -password welcome -grantrole users ja
zn.com myuser
java -jar jazn.jar -user oc4jadmin -password welcome -grantrole oc4j-app
-administrators jazn.com myuser
c. Grant RMI permission
java -jar jazn.jar -user oc4jadmin -password welcome -grantperm jazn.com
-user myuser com.evermind.server.rmi.RMIPermission login
===============================================================
After the permission is granted, the folowing piece of XML is added to system-jazn-data.xml.
===============================================================
<grant>
<grantee>
<principals>
<principal>
<realm-name>jazn.com</realm-name>
<type>user</type>
<class>oracle.security.jazn.spi.xml.XMLRealmUser</class>
<name>jazn.com/esp_administrator</name>
</principal>
</principals>
</grantee>
<permissions>
<permission>
<class>com.evermind.server.rmi.RMIPermission</class>
<name>login</name>
</permission>
</permissions>
</grant>
==============================================================
My principal class is not of type, oracle.security.jazn.spi.xml.XMLRealmUser. Hence, I changed system-jazn-data.xml to include com.test.MyUser instead of oracle.security.jazn.spi.xml.XMLRealmUser. Either way, I get Not Authorized and Login permission not granted for myapp (myuser).
Can anybody help me out, please?
Thank you,
Sri
Message was edited by:
user532586I finally got it to work. But I have a problem granting RMI Permission "login", if the depth of my Principal class within the inheritance hierarachy is more than one. My hierarachy of my principal class is
Object --> ObjectA --> ObjectB --> ObjectC --> ObjectD
ObjectD is my principal class. ObjectB implements java.security.Principal. ObjectA has implementations for methods equals, hashcode and toString. ObjectB has implementations for getName.
When I try to grant RMI permission for ObjectD, I get an error that says null.
If I override the methods, equals, hashcode, toString, and getName in ObjectD and provide implementations, I still could not grant permission using jazn tool. I get error that says null. If I update the system-jazn-data.xml with the following grant tag, I could get into the application without any errors.
<grant>
<grantee>
<principals>
<principal>
<class>com.test.ObjectD</class>
<name>developers</name>
</principal>
</principals>
</grantee>
<permissions>
<permission>
<class>com.evermind.server.rmi.RMIPermission</class>
<name>login</name>
</permission>
</permissions>
</grant>
If I create a new class, myPrincipal that implements java.security.Principal, I donot have any problems. I can grant permission and access application.
Any ideas why I could not use ObjectD as my principal class for granting RMI permission?
Message was edited by:
user532586 -
Help - using custom login module with embedded jdev oc4j to access ejb 3
Hi All (Frank ??),
I'm just wondering if anyone has successfully been able to leverage a custom login module in combination
with a client that connects to a local EJB 3 stateless session bean through Jdeveloper 10.1.3.2's embedded oc4j.
I have spent 2+ days trying to get this to work - and i think I resound now to the fact im going to
have to deploy to oc4j standalone instead.
I got close.. but finally was trumped with the following error from the client trying to access the ejb:-
javax.naming.NoPermissionException: Not allowed to look up XXXXXX, check the namespace-access tag
setting in orion-application.xml for details.
Using the various guides available, I had no problem getting the custom login module working
with a local servlet running from JDev's embedded oc4j.. however with ejb - no such luck.
I have a roles table (possible values Member, Admin) - that maps to sr_Member and sr_Admin
respectively in various config files.
I'm using EJB 3 annotations for protecting methods .. for example
@RolesAllowed("sr_Member")
Steps that I had to do so far :-
In <jdevhome>\jdev\system\oracle.jwee.10.1.3.40.66\embedded-oc4j\config\system-jazn-data.xml1) Add custom login module
<application>
<name>current-workspace-app</name>
<login-modules>
<login-module>
<class>kr.security.KnowRushLoginModule</class>
<control-flag>required</control-flag>
<options>
<option>
<name>dataSource</name>
<value>jdbc/DB_XE_KNOWRUSHDS</value>
</option>
<option>
<name>user.table</name>
<value>users</value>
</option>
<option>
<name>user.pk.column</name>
<value>id</value>
</option>
<option>
<name>user.name.column</name>
<value>email_address</value>
</option>
<option>
<name>user.password.column</name>
<value>password</value>
</option>
<option>
<name>role.table</name>
<value>roles</value>
</option>
<option>
<name>role.to.user.fk.column</name>
<value>user_id</value>
</option>
<option>
<name>role.name.column</name>
<value>name</value>
</option>
</options>
</login-module>
</login-modules>
</application>2) Grant login rmi permission to roles associated with custom login module (also in system-jazn-data.xml)
<grant>
<grantee>
<principals>
<principal>
<realm-name>jazn.com</realm-name>
<type>role</type>
<class>kr.security.principals.KRRolePrincipal</class>
<name>Admin</name>
</principal>
</principals>
</grantee>
<permissions>
<permission>
<class>com.evermind.server.rmi.RMIPermission</class>
<name>login</name>
</permission>
</permissions>
</grant>
<grant>
<grantee>
<principals>
<principal>
<realm-name>jazn.com</realm-name>
<type>role</type>
<class>kr.security.principals.KRRolePrincipal</class>
<name>Member</name>
</principal>
</principals>
</grantee>
<permissions>
<permission>
<class>com.evermind.server.rmi.RMIPermission</class>
<name>login</name>
</permission>
</permissions>
</grant>3) I've tried creating various oracle and j2ee deployment descriptors (even though ejb-jar.xml and orion-ejb-jar.xml get created automatically when running the session bean in jdev).
My ejb-jar.xml contains :-
<?xml version="1.0" encoding="utf-8"?>
<ejb-jar xmlns ....
<assembly-descriptor>
<security-role>
<role-name>sr_Admin</role-name>
</security-role>
<security-role>
<role-name>sr_Member</role-name>
</security-role>
</assembly-descriptor>
</ejb-jar>Note- i'm not specifying the enterprise-beans stuff, as JDev seems to populate this automatically.
My orion-ejb-jar.xml contains ...
<?xml version="1.0" encoding="utf-8"?>
<orion-ejb-jar ...
<assembly-descriptor>
<security-role-mapping name="sr_Admin">
<group name="Admin"></group>
</security-role-mapping>
<security-role-mapping name="sr_Member">
<group name="Member"></group>
</security-role-mapping>
<default-method-access>
<security-role-mapping name="sr_Member" impliesAll="true">
</security-role-mapping>
</default-method-access>
</assembly-descriptor>My orion-application.xml contains ...
<?xml version="1.0" encoding="utf-8"?>
<orion-application xmlns ...
<security-role-mapping name="sr_Admin">
<group name="Admin"></group>
</security-role-mapping>
<security-role-mapping name="sr_Member">
<group name="Member"></group>
</security-role-mapping>
<jazn provider="XML">
<property name="role.mapping.dynamic" value="true"></property>
<property name="custom.loginmodule.provider" value="true"></property>
</jazn>
<namespace-access>
<read-access>
<namespace-resource root="">
<security-role-mapping name="sr_Admin">
<group name="Admin"/>
<group name="Member"/>
</security-role-mapping>
</namespace-resource>
</read-access>
<write-access>
<namespace-resource root="">
<security-role-mapping name="sr_Admin">
<group name="Admin"/>
<group name="Member"/>
</security-role-mapping>
</namespace-resource>
</write-access>
</namespace-access>
</orion-application>My essentially auto-generated EJB 3 client does the following :-
Hashtable env = new Hashtable();
env.put(Context.SECURITY_PRINCIPAL, "matt.shannon");
env.put(Context.SECURITY_CREDENTIALS, "welcome1");
final Context context = new InitialContext(env);
KRFacade kRFacade = (KRFacade)context.lookup("KRFacade");
...And throws the error
20/04/2007 00:55:37 oracle.j2ee.rmi.RMIMessages
EXCEPTION_ORIGINATES_FROM_THE_REMOTE_SERVER
WARNING: Exception returned by remote server: {0}
javax.naming.NoPermissionException: Not allowed to look
up KRFacade, check the namespace-access tag setting in
orion-application.xml for details
at
com.evermind.server.rmi.RMIClientConnection.handleLookupRe
sponse(RMIClientConnection.java:819)
at
com.evermind.server.rmi.RMIClientConnection.handleOrmiComm
andResponse(RMIClientConnection.java:283)
....I can see from the console that the user was successfully authenticated :-
20/04/2007 00:55:37 kr.security.KnowRushLoginModule validate
WARNING: [KnowRushLoginModule] User matt.shannon authenticated
And that user is granted both the Admin, and Member roles.
The test servlet using basic authentication correctly detects the user and roles perfectly...
public void doGet(HttpServletRequest request,
HttpServletResponse response)
throws ServletException, IOException
LOGGER.log(Level.INFO,LOGPREFIX +"doGet called");
response.setContentType(CONTENT_TYPE);
PrintWriter out = response.getWriter();
out.println("<html>");
out.println("<head><title>ExampleServlet</title></head>");
out.println("<body>");
out.println("<p>The servlet has received a GET. This is the reply.</p>");
out.println("<br> getRemoteUser = " + request.getRemoteUser());
out.println("<br> getUserPrincipal = " + request.getUserPrincipal());
out.println("<br> isUserInRole('sr_Admin') = "+request.isUserInRole("sr_Admin"));
out.println("<br> isUserInRole('sr_Memeber') = "+request.isUserInRole("sr_Member"));Anyone got any ideas what could be going wrong?
cheers
Matt.
Message was edited by:
mshannonThanks for the response. I checked out your blog and tried your suggestions. I'm sure it works well in standalone OC4J, but i was still unable to get it to function correctly from JDeveloper embedded.
Did you ever get the code working directly from JDeveloper?
Your custom code essentially seems to be the equivalent of a grant within system-jazn-data.xml.
For example, the following grant to a custom jaas role (JAAS_ADMIN) that gets added by my custom login module gives them rmi login access :-
<grant>
<grantee>
<principals>
<principal>
<realm-name>jazn.com</realm-name>
<type>role</type>
<class>kr.security.principals.KRRolePrincipal</class>
<name>JAAS_Admin</name>
</principal>
</principals>
</grantee>
<permissions>
<permission>
<class>com.evermind.server.rmi.RMIPermission</class>
<name>login</name>
</permission>
</permissions>
</grant>If I add the following to orion-application.xml
<!-- Granting login permission to users accessing this EJB. -->
<namespace-access>
<read-access>
<namespace-resource root="">
<security-role-mapping>
<group name="JAAS_Admin"></group>
</security-role-mapping>
</namespace-resource>
</read-access>Running a standalone client against the embedded jdev oc4j server gives the namespace-access error.
I tried out your code by essentially creating a static reference to a singleton class that does the role lookup/provisioning with rmi login grant :-
From custom login module :-
private static KRSecurityHelper singleton = new KRSecurityHelper();
protected Principal[] m_Principals;
Vector v = new Vector();
v.add(singleton.getCustomRmiConnectRole());
// set principals in LoginModule
m_Principals=(Principal[]) v.toArray(new Principal[v.size()]);
Singleton class :-
package kr.security;
import com.evermind.server.rmi.RMIPermission;
import java.util.logging.Level;
import java.util.logging.Logger;
import oracle.security.jazn.JAZNConfig;
import oracle.security.jazn.policy.Grantee;
import oracle.security.jazn.realm.Realm;
import oracle.security.jazn.realm.RealmManager;
import oracle.security.jazn.realm.RealmRole;
import oracle.security.jazn.realm.RoleManager;
import oracle.security.jazn.policy.JAZNPolicy;
import oracle.security.jazn.JAZNException;
public class KRSecurityHelper
private static final Logger LOGGER = Logger.getLogger("kr.security");
private static final String LOGPREFIX = "[KRSecurityHelper] ";
public static String CUSTOM_RMI_CONNECT_ROLE = "remote_connect";
private RealmRole m_Role = null;
public KRSecurityHelper()
LOGGER.log(Level.FINEST,LOGPREFIX +"calling JAZNConfig.getJAZNConfig");
JAZNConfig jc = JAZNConfig.getJAZNConfig();
LOGGER.log(Level.FINEST,LOGPREFIX +"calling jc.getRealmManager");
RealmManager realmMgr = jc.getRealmManager();
try
// Get the default realm .. e.g. jazn.com
LOGGER.log(Level.FINEST,LOGPREFIX +"calling jc.getGetDefaultRealm");
Realm r = realmMgr.getRealm(jc.getDefaultRealm());
LOGGER.log(Level.INFO,LOGPREFIX +"default realm: "+r.getName());
// Access the role manager for the remote connection role
LOGGER.log(Level.FINEST,
LOGPREFIX +"calling default_realm.getRoleManager");
RoleManager roleMgr = r.getRoleManager();
LOGGER.log(Level.INFO,LOGPREFIX +"looking up custom role '"
CUSTOM_RMI_CONNECT_ROLE "'");
RealmRole rmiConnectRole = roleMgr.getRole(CUSTOM_RMI_CONNECT_ROLE);
if (rmiConnectRole == null)
LOGGER.log(Level.INFO,LOGPREFIX +"role does not exist, create it...");
rmiConnectRole = roleMgr.createRole(CUSTOM_RMI_CONNECT_ROLE);
LOGGER.log(Level.FINEST,LOGPREFIX +"constructing new grantee");
Grantee gtee = new Grantee(rmiConnectRole);
LOGGER.log(Level.FINEST,LOGPREFIX +"constructing login rmi permission");
RMIPermission login = new RMIPermission("login");
LOGGER.log(Level.FINEST,
LOGPREFIX +"constructing subject.propagation rmi permission");
RMIPermission subjectprop = new RMIPermission("subject.propagation");
// make policy changes
LOGGER.log(Level.FINEST,LOGPREFIX +"calling jc.getPolicy");
JAZNPolicy policy = jc.getPolicy();
if (policy != null)
LOGGER.log(Level.INFO, LOGPREFIX
+ "add to policy grant for RMI 'login' permission to "
+ CUSTOM_RMI_CONNECT_ROLE);
policy.grant(gtee, login);
LOGGER.log(Level.INFO, LOGPREFIX
+ "add to policy grant for RMI 'subject.propagation' permission to "
+ CUSTOM_RMI_CONNECT_ROLE);
policy.grant(gtee, subjectprop);
// m_Role = rmiConnectRole;
m_Role = roleMgr.getRole(CUSTOM_RMI_CONNECT_ROLE);
LOGGER.log(Level.INFO, LOGPREFIX
+ m_Role.getName() + ":" + m_Role.getFullName() + ":" + m_Role.getFullName());
else
LOGGER.log(Level.WARNING,LOGPREFIX +"Cannot find jazn policy!");
else
LOGGER.log(Level.INFO,LOGPREFIX +"custom role already exists");
m_Role = rmiConnectRole;
catch (JAZNException e)
LOGGER.log(Level.WARNING,
LOGPREFIX +"Cannot configure JAZN for remote connections");
public RealmRole getCustomRmiConnectRole()
return m_Role;
}Using the code approach and switching application.xml across so that namespace access is for the group remote_connect, I get the following error from my bean :-
INFO: Login permission not granted for current-workspace-app (test.user)
Thus, the login permission that I'm adding through the custom remote_connect role does not seem to work. Even if it did, i'm pretty sure I would still get that namespace error.
This has been such a frustrating process. All the custom login module samples using embedded JDeveloper show simple j2ee servlet protection based on settings in web.xml.
There are no samples showing jdeveloper embedded oc4j using ejb with custom login modules.
Hopefully the oc4j jdev gurus like Frank can write a paper that demonstrates this.
Matt. -
Custom Login Module for Tomcat to procted apps using Oracle Access Manager
Hi all,
I have the following scenario.
A web application deployed in Tomcat to be protected using OAM. One solution is to use Access Gate though we have other alternative as Proxy infront of Tomcat with a webgate. Now I am implementing the Access Gate solution.
So, when the user clicks the tomcat application, then the prompt (BASIC) appears for login details. custom login module should kick in and take those login details and authenticate against OAM using Access SDK API.
I have created access gate profile and installed Access SDK. Ran the ConfigureAccessGateTool as well.
I did some research googling for login module. I came to know that we need to write a custom realm for it. So, this realm implementation involves specifying role-name etc., in web.xml where the role-name would have been defined in tomcat-users.xml.
This means that the user trying to authenticate against OAM has to have some roles defined in Tomcat to login. I didnot understand the flow end to end as how this will work.
Please let me know if anybody has done this of customization.
Thanks,
Mahendra.Hi Ambarish,
Initially I thought of implementing the way you suggested in Option 2.
But there will be various redirections when we use option 2 as the login page should redirect it to a page where OAM authentication and authorization stuff has to be handled. And accordingly we have to redirect it to specific pages upon successful atn and atz. Hence, I was opted using Custom Login Module.
However, I have been trying Option 2 now. In web.xml, I have specified a login page with FORM scheme. The login redirects it to another page say OAM_Authentication_Handler.jsp. Here we code which serves atn and atz. Upon doing this, I have observed that the protected resource in OAM is not getting evaluated using the method
String ms_protocol = "http";
String ms_method = "GET";
String ms_resource = "http://localhost:8080/FormLogin/private.jsp";
ObResourceRequest rrq = new ObResourceRequest(ms_protocol, ms_resource, ms_method);
The method rrq.isProtected() is returning false which implies it to unprotected. I have tested using Access Tester for the resource and it results in expected behaviour.
Is there any limitation here by using this approach?
Any ideas?
Thanks,
Mahendra.
Maybe you are looking for
-
TS2446 When i go to buy an app i get a verification is required????
When i go to buy an app i get a verification is required
-
Issue in Synchronous OSB using Jms Queues in OSB11g
Hi, I am working on building a synchronous OSB using the following steps. 1) Creating the Synchronous OSB Proxy Service which routes the message to the business service which in turn places a message in the Queue(inqueue) by populating the JMSCor
-
Hyper-V Manager remote connection
This is originally posted to the following forum and they suggested I post here. http://answers.microsoft.com/en-us/insider/forum/insider_wintp-insider_perf/hyper-v-manager-remote-connection/708e46c4-8e84-4fd6-8cdd-590d10a008a9 In Windows 10 Technica
-
Info urgently needed - Need IEEE 1394 (Firewire) connection
I need a IEEE 1394 connection for my T60 (1951 A47) for transfering digital video from our new HD video camera. How can I upgrade my laptop to receive such a signal? Not solved but replaced by -> http://forums.lenovo.com/lnv/board/message?board.id=T
-
Deployed in 9iAS , But giving WebService Error
Hi, Encountered following error while deploying .ear in Oracle 9i Enterprise Manager on WINDOWS 2000 Server. The application got deployed but after deployment it is giving error message stating that error occurred while publishing the web services. A