Custom Login Module Behavior (JAAS)...Help!

Similar Messages

• Security constraints not being applied after using custom login module

  I am using form based authentication and I applied the custom login module - DBProcLoginModule to work with the embedded OC4J (JDeveloper 10.1.3.2). I have specified two security contraints in web.xml. The authentication is working correctly, however the security contraints are not being applied. All users are able to access all url resources. The security constraints were working properly before applying the custom login module. Pls help.
  Leena

  Hi,
  if "All users are able to access all url resources" then this indicates that the RL isn't properly protected. If the authorization would fail then noone would have access and you would see error code 401
  Make sure the role names in web.xml are the same as added by the LoginModule. Also make sure you set the dynamic.role property and the custom security provider property in the orion-application.xml
  <jazn provider="XML">
       <property name="custom.loginmodule.provider" value="true"/>
       <property name="role.mapping.dynamic" value="true"/>
  </jazn>
  Note that the above is not required (because done automatically) if the custom LoginModule configuration is deployed through the orion-application.xml file
  Frank

• JAAS Custom Login Modules does not run on JDev/OC4J 10.1.3, pls help...

  Hi all,
  I trying to use Custom Login Modules as described on :
  http://www.oracle.com/technology/products/jdev/howtos/10g/jaassec/index.htm
  I open the DBLMTest.jws in JDeveloper 10.1.3.1, after completing the required steps, I try deploy it into OC4J Stand alone 10.1.3.
  I get ERROR :
  application : foo is in failed state
  Operation failed with error:
  java.lang.InstantiationException
  The cause of the error is the two lines below that I add into orion-application.xml :
  <property name="role.mapping.dynamic" value="true"/>
  <property name="jaas.username.simple" value ="true" />
  If I remove the two lines, it deploys succesfully.
  Please helpp... I have to implement security in our apps very soon....
  Thank you very much,
  xtanto
  The complete trace of deployment error :
  ---- Deployment started. ---- Apr 4, 2007 5:25:19 PM
  Target platform is Standalone OC4J 10g 10.1.3 (oc4j_oracle).
  Wrote WAR file to D:\_JDEV1013.APPs\jaasdatabaseloginmodule\JDeveloper1012Workspaces\DBLMTest\Project\deploy\DBLMTest.war
  Wrote EAR file to D:\_JDEV1013.APPs\jaasdatabaseloginmodule\JDeveloper1012Workspaces\DBLMTest\Project\deploy\DBLMTest.ear
  Uploading file foo.ear ...
  Uploading file foo.ear ...
  Application Deployer for foo STARTS.
  Copy the archive to C:\OC4J\j2ee\home\applications\foo.ear
  Initialize C:\OC4J\j2ee\home\applications\foo.ear begins...
  Unpacking foo.ear
  Done unpacking foo.ear
  Unpacking DBLMTest.war
  Done unpacking DBLMTest.war
  Initialize C:\OC4J\j2ee\home\applications\foo.ear ends...
  Starting application : foo
  Initializing ClassLoader(s)
  Initializing EJB container
  Loading connector(s)
  application : foo is in failed state
  Operation failed with error:
  java.lang.InstantiationException
  Deployment failed
  Elapsed time for deployment: 4 seconds

  Hello there again xtanto,
  I blogged about this last year - perhaps you could run over to http://stegemanoracle.blogspot.com and have a look. I'd send you the exact link, but I cannot access blogspot from work.
  John

• Help with custom login module

  i've been following franks' tutorial on how to use a custom login module. but no matter what i do, i cant get the jsp to authenticate my valid database account.
  jazn-data.xml file
  <!-- JAZN Realm Data -->
  <name>scott</name>
  <credentials>!tiger</credentials>
  <jazn-loginconfig>
  <application>
  <name>foo</name>
  <login-modules>
  <login-module>
  <class>oracle.sample.dbloginmodule.DBTableLM.DBSystemLoginModule</class>
  <control-flag>required</control-flag>
  <options>
  <option>
  <name>debug</name>
  <value>true</value>
  </option>
  <option>
  <name>jdbcUrl</name>
  <value>jdbc:oracle:thin:@localhost:1521:orcl</value>
  </option>
  <option>
  <name>log_level</name>
  <value>ALL</value>
  </option>
  </options>
  </login-module>
  </login-modules>
  </application>
  </jazn-loginconfig>
  </jazn-data>
  orion-application.xml
  <jazn provider="XML" location="jazn-data.xml"      
  default-realm="jazn.com">
  <property name="role.mapping.dynamic" value="true"/>
  <property name="jaas.username.simple" value ="true" />
  </jazn>
  is there anything wrong with the settings?I've followed the tutorial to the last step. yet i cant get anything. Please help!

  Sorry about the incomplete previous post:
  I am trying to do the authentication using a customized login module in a stand alone OC4J server. I put some debug statements and found out that the authentication works but fails to authorize. I get the following error:
  NOTIFICATION J2EE RMI-00005 Login permission not granted for myApp (testUser)
  The only way I have been able to get this to work is to add the user 'testUser' in system-jazn-data.xml and specify that 'testUser' has the role 'USERS'. It's not practically possible to specify all the users in system-jazn-data.xml. Is there a workaround this? I have pasted below snippets of orion-application.xml and system-jazn-data.xml. Any help is greatly appreciated. Thanks in advance
  I have specified the following in orion-application.xml
  <namespace-access>
  <read-access>
  <namespace-resource root="">
  <security-role-mapping>
  <group name="USERS"/>
  </security-role-mapping>
  </namespace-resource>
  </read-access>
  <write-access>
  <namespace-resource root="">
  <security-role-mapping>
  <group name="USERS"/>
  </security-role-mapping>
  </namespace-resource>
  </write-access>
  </namespace-access>
  </orion-application>
  In system-jazn-data.xml I have given permission for the role 'USERS' to login.
  <grant>
  <grantee>
  <principals>
  <principal>
  <realm-name>jazn.com</realm-name>
  <type>role</type>
  <class>oracle.security.jazn.spi.xml.XMLRealmRole</class>
  <name>jazn.com/USERS</name>
  </principal>
  </principals>
  </grantee>
  <permissions>
  <permission>
  <class>com.evermind.server.rmi.RMIPermission</class>
  <name>login</name>
  </permission>
  </permissions>
  </grant>

• Help - using custom login module with embedded jdev oc4j to access ejb 3

  Hi All (Frank ??),
  I'm just wondering if anyone has successfully been able to leverage a custom login module in combination
  with a client that connects to a local EJB 3 stateless session bean through Jdeveloper 10.1.3.2's embedded oc4j.
  I have spent 2+ days trying to get this to work - and i think I resound now to the fact im going to
  have to deploy to oc4j standalone instead.
  I got close.. but finally was trumped with the following error from the client trying to access the ejb:-
  javax.naming.NoPermissionException: Not allowed to look up XXXXXX, check the namespace-access tag
  setting in orion-application.xml for details.
  Using the various guides available, I had no problem getting the custom login module working
  with a local servlet running from JDev's embedded oc4j.. however with ejb - no such luck.
  I have a roles table (possible values Member, Admin) - that maps to sr_Member and sr_Admin
  respectively in various config files.
  I'm using EJB 3 annotations for protecting methods .. for example
  @RolesAllowed("sr_Member")
  Steps that I had to do so far :-
  In <jdevhome>\jdev\system\oracle.jwee.10.1.3.40.66\embedded-oc4j\config\system-jazn-data.xml1) Add custom login module
      <application>
        <name>current-workspace-app</name>
        <login-modules>
          <login-module>
            <class>kr.security.KnowRushLoginModule</class>
            <control-flag>required</control-flag>
            <options>
              <option>
                <name>dataSource</name>
                <value>jdbc/DB_XE_KNOWRUSHDS</value>
              </option>
              <option>
                <name>user.table</name>
                <value>users</value>
              </option>
              <option>
                <name>user.pk.column</name>
                <value>id</value>
              </option>
              <option>
                <name>user.name.column</name>
                <value>email_address</value>
              </option>
              <option>
                <name>user.password.column</name>
                <value>password</value>
              </option>
              <option>
                <name>role.table</name>
                <value>roles</value>
              </option>
              <option>
                <name>role.to.user.fk.column</name>
                <value>user_id</value>
              </option>
              <option>
                <name>role.name.column</name>
                <value>name</value>
              </option>
            </options>
          </login-module>
        </login-modules>
      </application>2) Grant login rmi permission to roles associated with custom login module (also in system-jazn-data.xml)
    <grant>
      <grantee>
        <principals>
          <principal>
            <realm-name>jazn.com</realm-name>
            <type>role</type>
            <class>kr.security.principals.KRRolePrincipal</class>
            <name>Admin</name>
          </principal>
        </principals>
      </grantee>
      <permissions>
        <permission>
          <class>com.evermind.server.rmi.RMIPermission</class>
          <name>login</name>
        </permission>
      </permissions>
    </grant>
    <grant>
      <grantee>
        <principals>
          <principal>
            <realm-name>jazn.com</realm-name>
            <type>role</type>
            <class>kr.security.principals.KRRolePrincipal</class>
            <name>Member</name>
          </principal>
        </principals>
      </grantee>
      <permissions>
        <permission>
          <class>com.evermind.server.rmi.RMIPermission</class>
          <name>login</name>
        </permission>
      </permissions>
    </grant>3) I've tried creating various oracle and j2ee deployment descriptors (even though ejb-jar.xml and orion-ejb-jar.xml get created automatically when running the session bean in jdev).
  My ejb-jar.xml contains :-
  <?xml version="1.0" encoding="utf-8"?>
  <ejb-jar xmlns ....
    <assembly-descriptor>
      <security-role>
        <role-name>sr_Admin</role-name>
      </security-role>
      <security-role>
        <role-name>sr_Member</role-name>
      </security-role>
    </assembly-descriptor>
  </ejb-jar>Note- i'm not specifying the enterprise-beans stuff, as JDev seems to populate this automatically.
  My orion-ejb-jar.xml contains ...
  <?xml version="1.0" encoding="utf-8"?>
  <orion-ejb-jar ...
    <assembly-descriptor>
      <security-role-mapping name="sr_Admin">
        <group name="Admin"></group>
      </security-role-mapping>
      <security-role-mapping name="sr_Member">
        <group name="Member"></group>
      </security-role-mapping>
      <default-method-access>
        <security-role-mapping name="sr_Member" impliesAll="true">
        </security-role-mapping>
      </default-method-access>
    </assembly-descriptor>My orion-application.xml contains ...
  <?xml version="1.0" encoding="utf-8"?>
  <orion-application xmlns ...
    <security-role-mapping name="sr_Admin">
      <group name="Admin"></group>
    </security-role-mapping>
    <security-role-mapping name="sr_Member">
      <group name="Member"></group>
    </security-role-mapping>
    <jazn provider="XML">
      <property name="role.mapping.dynamic" value="true"></property>
      <property name="custom.loginmodule.provider" value="true"></property>
    </jazn>
    <namespace-access>
      <read-access>
        <namespace-resource root="">
          <security-role-mapping name="sr_Admin">
            <group name="Admin"/>
            <group name="Member"/>
          </security-role-mapping>
        </namespace-resource>
      </read-access>
      <write-access>
        <namespace-resource root="">
          <security-role-mapping name="sr_Admin">
            <group name="Admin"/>
            <group name="Member"/>
          </security-role-mapping>
        </namespace-resource>
      </write-access>
    </namespace-access>
  </orion-application>My essentially auto-generated EJB 3 client does the following :-
        Hashtable env = new Hashtable();
        env.put(Context.SECURITY_PRINCIPAL, "matt.shannon");
        env.put(Context.SECURITY_CREDENTIALS, "welcome1");
        final Context context = new InitialContext(env);
        KRFacade kRFacade = (KRFacade)context.lookup("KRFacade");
  ...And throws the error
  20/04/2007 00:55:37 oracle.j2ee.rmi.RMIMessages
  EXCEPTION_ORIGINATES_FROM_THE_REMOTE_SERVER
  WARNING: Exception returned by remote server: {0}
  javax.naming.NoPermissionException: Not allowed to look
  up KRFacade, check the namespace-access tag setting in
  orion-application.xml for details
       at
  com.evermind.server.rmi.RMIClientConnection.handleLookupRe
  sponse(RMIClientConnection.java:819)
       at
  com.evermind.server.rmi.RMIClientConnection.handleOrmiComm
  andResponse(RMIClientConnection.java:283)
  ....I can see from the console that the user was successfully authenticated :-
  20/04/2007 00:55:37 kr.security.KnowRushLoginModule validate
  WARNING: [KnowRushLoginModule] User matt.shannon authenticated
  And that user is granted both the Admin, and Member roles.
  The test servlet using basic authentication correctly detects the user and roles perfectly...
    public void doGet(HttpServletRequest request,
                      HttpServletResponse response)
      throws ServletException, IOException
      LOGGER.log(Level.INFO,LOGPREFIX +"doGet called");
      response.setContentType(CONTENT_TYPE);
      PrintWriter out = response.getWriter();
      out.println("<html>");
      out.println("<head><title>ExampleServlet</title></head>");
      out.println("<body>");
      out.println("<p>The servlet has received a GET. This is the reply.</p>");
      out.println("<br> getRemoteUser = " + request.getRemoteUser());
      out.println("<br> getUserPrincipal = " + request.getUserPrincipal());
      out.println("<br> isUserInRole('sr_Admin') = "+request.isUserInRole("sr_Admin"));
      out.println("<br> isUserInRole('sr_Memeber') = "+request.isUserInRole("sr_Member"));Anyone got any ideas what could be going wrong?
  cheers
  Matt.
  Message was edited by:
  mshannon

  Thanks for the response. I checked out your blog and tried your suggestions. I'm sure it works well in standalone OC4J, but i was still unable to get it to function correctly from JDeveloper embedded.
  Did you ever get the code working directly from JDeveloper?
  Your custom code essentially seems to be the equivalent of a grant within system-jazn-data.xml.
  For example, the following grant to a custom jaas role (JAAS_ADMIN) that gets added by my custom login module gives them rmi login access :-
       <grant>
            <grantee>
                 <principals>
                      <principal>
                           <realm-name>jazn.com</realm-name>
                           <type>role</type>
                           <class>kr.security.principals.KRRolePrincipal</class>
                           <name>JAAS_Admin</name>
                      </principal>
                 </principals>
            </grantee>
            <permissions>
                 <permission>
                      <class>com.evermind.server.rmi.RMIPermission</class>
                      <name>login</name>
                 </permission>
            </permissions>
       </grant>If I add the following to orion-application.xml
    <!-- Granting login permission to users accessing this EJB. -->
    <namespace-access>
      <read-access>
        <namespace-resource root="">
          <security-role-mapping>
            <group name="JAAS_Admin"></group>
          </security-role-mapping>
        </namespace-resource>
      </read-access>Running a standalone client against the embedded jdev oc4j server gives the namespace-access error.
  I tried out your code by essentially creating a static reference to a singleton class that does the role lookup/provisioning with rmi login grant :-
  From custom login module :-
    private static KRSecurityHelper singleton = new KRSecurityHelper();
    protected Principal[] m_Principals;
      Vector v = new Vector();
        v.add(singleton.getCustomRmiConnectRole());
        // set principals in LoginModule
        m_Principals=(Principal[]) v.toArray(new Principal[v.size()]);
  Singleton class :-
  package kr.security;
  import com.evermind.server.rmi.RMIPermission;
  import java.util.logging.Level;
  import java.util.logging.Logger;
  import oracle.security.jazn.JAZNConfig;
  import oracle.security.jazn.policy.Grantee;
  import oracle.security.jazn.realm.Realm;
  import oracle.security.jazn.realm.RealmManager;
  import oracle.security.jazn.realm.RealmRole;
  import oracle.security.jazn.realm.RoleManager;
  import oracle.security.jazn.policy.JAZNPolicy;
  import oracle.security.jazn.JAZNException;
  public class KRSecurityHelper
    private static final Logger LOGGER = Logger.getLogger("kr.security");
    private static final String LOGPREFIX = "[KRSecurityHelper] ";
    public static String CUSTOM_RMI_CONNECT_ROLE = "remote_connect";
    private RealmRole m_Role = null;
    public KRSecurityHelper()
      LOGGER.log(Level.FINEST,LOGPREFIX +"calling JAZNConfig.getJAZNConfig");
      JAZNConfig jc = JAZNConfig.getJAZNConfig();
      LOGGER.log(Level.FINEST,LOGPREFIX +"calling jc.getRealmManager");
      RealmManager realmMgr = jc.getRealmManager();
      try
        // Get the default realm .. e.g. jazn.com
        LOGGER.log(Level.FINEST,LOGPREFIX +"calling jc.getGetDefaultRealm");
        Realm r = realmMgr.getRealm(jc.getDefaultRealm());
        LOGGER.log(Level.INFO,LOGPREFIX +"default realm: "+r.getName());
        // Access the role manager for the remote connection role
        LOGGER.log(Level.FINEST,
          LOGPREFIX +"calling default_realm.getRoleManager");
        RoleManager roleMgr = r.getRoleManager();
        LOGGER.log(Level.INFO,LOGPREFIX +"looking up custom role '"
          CUSTOM_RMI_CONNECT_ROLE "'");
        RealmRole rmiConnectRole = roleMgr.getRole(CUSTOM_RMI_CONNECT_ROLE);
        if (rmiConnectRole == null)
          LOGGER.log(Level.INFO,LOGPREFIX +"role does not exist, create it...");
          rmiConnectRole = roleMgr.createRole(CUSTOM_RMI_CONNECT_ROLE);
          LOGGER.log(Level.FINEST,LOGPREFIX +"constructing new grantee");
          Grantee gtee = new Grantee(rmiConnectRole);
          LOGGER.log(Level.FINEST,LOGPREFIX +"constructing login rmi permission");
          RMIPermission login = new RMIPermission("login");
          LOGGER.log(Level.FINEST,
            LOGPREFIX +"constructing subject.propagation rmi permission");
          RMIPermission subjectprop = new RMIPermission("subject.propagation");
          // make policy changes
          LOGGER.log(Level.FINEST,LOGPREFIX +"calling jc.getPolicy");
          JAZNPolicy policy = jc.getPolicy();
          if (policy != null)
            LOGGER.log(Level.INFO, LOGPREFIX
              + "add to policy grant for RMI 'login' permission to "
              + CUSTOM_RMI_CONNECT_ROLE);
            policy.grant(gtee, login);
            LOGGER.log(Level.INFO, LOGPREFIX
              + "add to policy grant for RMI 'subject.propagation' permission to "
              + CUSTOM_RMI_CONNECT_ROLE);
            policy.grant(gtee, subjectprop);
            // m_Role = rmiConnectRole;
            m_Role = roleMgr.getRole(CUSTOM_RMI_CONNECT_ROLE);
            LOGGER.log(Level.INFO, LOGPREFIX
              + m_Role.getName() + ":" + m_Role.getFullName() + ":" + m_Role.getFullName());
          else
            LOGGER.log(Level.WARNING,LOGPREFIX +"Cannot find jazn policy!");
        else
          LOGGER.log(Level.INFO,LOGPREFIX +"custom role already exists");
          m_Role = rmiConnectRole;
      catch (JAZNException e)
        LOGGER.log(Level.WARNING,
          LOGPREFIX +"Cannot configure JAZN for remote connections");
    public RealmRole getCustomRmiConnectRole()
      return m_Role;
  }Using the code approach and switching application.xml across so that namespace access is for the group remote_connect, I get the following error from my bean :-
  INFO: Login permission not granted for current-workspace-app (test.user)
  Thus, the login permission that I'm adding through the custom remote_connect role does not seem to work. Even if it did, i'm pretty sure I would still get that namespace error.
  This has been such a frustrating process. All the custom login module samples using embedded JDeveloper show simple j2ee servlet protection based on settings in web.xml.
  There are no samples showing jdeveloper embedded oc4j using ejb with custom login modules.
  Hopefully the oc4j jdev gurus like Frank can write a paper that demonstrates this.
  Matt.

• Custom login module on OC4J 10.1.3.3.0

  Hi,
  I need to implement custom web form-based authentication on OC4J, in order to port an existing JBoss app. I was following Frank's example at http://www.oracle.com/technology/products/jdev/howtos/10g/jaassec/index.htm. Trying to access protected pages will correctly redirect to the j_security_check page, and from there call my custom login module - through LoginContext. The issue is that - even if the LoginModule correctly authenticates user's credentials, the request still doesn't get through, coming back to the authentication page.
  I perform the deployment using Oracle Enterprise Manager, and the relevant files are:
  web.xml:
  <login-config>
  <auth-method>FORM</auth-method>
  <realm-name>testJAAS</realm-name>
  <form-login-config>
  <form-login-page>/jsp/login.jsp</form-login-page>
  <form-error-page>/jsp/login.jsp</form-error-page>
  </form-login-config>
  </login-config>
  <!-- Security constraints -->
  <security-constraint>
       <web-resource-collection>
       <web-resource-name>Test Secure Application</web-resource-name>
       <description>Requires users to authenticate</description>
       <url-pattern>faces/*</url-pattern>
       <http-method>POST</http-method>
       <http-method>GET</http-method>
       <http-method>HEAD</http-method>     
       <http-method>PUT</http-method>     
       </web-resource-collection>     
       <auth-constraint>
       <description>Only allow role1 users</description>
       <role-name>role1</role-name>
       </auth-constraint>     
       <user-data-constraint>
       <description>Encryption is not required for the application in general. </description>
       <transport-guarantee>NONE</transport-guarantee>
       </user-data-constraint>
  </security-constraint>
  <!-- Define the security role(s) -->
  <security-role>
  <description>Example role</description>
  <role-name>role1</role-name>
  </security-role>
  orion-web.xml:
  schema-major-version="10" schema-minor-version="0" >
       <!-- Uncomment this element to control web application class loader behavior.
            <web-app-class-loader search-local-classes-first="true" include-war-manifest-class-path="true" />
       -->
       <resource-ref-mapping name="jdbc/lics" />
       <security-role-mapping name="role1">
            <group name="oc4j-app-administrators" />
       </security-role-mapping>
       <web-app>
       </web-app>
  orion-application.xml:
       <jazn provider="XML" >
            <property name="jaas.username.simple" value="true" />
            <property name="custom.loginmodule.provider" value="true" />
            <property name="role.mapping.dynamic" value="true" />
       </jazn>
  system-jazn-data.xml:
  <jazn-loginconfig>
       <application>
            <name>le5</name>
            <login-modules>
                 <login-module>
                      <class>com.tx.lic.oc4jsx.ext.LicLoginModule</class>
                      <control-flag>required</control-flag>
                      <options>
                           <option>
                                <name>defaultRole</name>
                                <value>role1</value>
                           </option>
                      </options>
                 </login-module>
            </login-modules>
       </application>
  I assume something is wrong with the deployment configuration, b/c when I specifically add users to the defined role1 role, it works fine(see below). But this is not an option, since users should only be specified in the data store of the LoginModule.
  Doing as above, the orion-web.xml is below:
       <resource-ref-mapping name="jdbc/lic" />
       <security-role-mapping name="role1">
            <group name="oc4j-app-administrators" />
            <user name="user1" />
            <user name="user2" />
       </security-role-mapping>
  Any insight would be much appreciated. Thanks.

  Hi,
  role to group mapping doesn't seem to work for custom LoginModules. This means hat your web applcation (web.xml) should use th same role names as used on the database authentication. So remove
  <security-role-mapping name="role1">
  <group name="oc4j-app-administrators" />
  </security-role-mapping>
  from orion-web.xml and it should start wrking
  Frank

• How to call custom Login Module from JSP

  Hi,
  I am stuck with the following issue:
  1) Exactly as presented in help.sap.com (http://help.sap.com/saphelp_nw04/helpdata/en/3f/1be040e136742ae10000000a155106/content.htm) I created custom login module and deployed it as a library on J2EE server. When I configured it to be used for my applications in the Security provider but I am getting "No user name provided" exception everytime when my applications use this custom login module.
  2) I realized that I would need to call my custom module somewhere within my application (simple JSP) using LoginContext class and then use MyLoginContext.login() spec to initiate login process. But I am not able to pass CallbackHandler parameters from JSP application to my custom login module.
  So I have the following questions:
  1. Can I pass parameters using LoginContext and CallbackHandler from JSP to my custom login module (created as exact copy of HELP.SAP.COM example) or this module cannot be used this way.
  2. How to pass CallbackHandler correctly to my custom login module from JSP. When I am trying to use CallbackHandler, I am getting "Abstract Class cannot be called" error.
  I'd appreciate any little help on this matter.
  Thanks and regards,
  Mike

  You have two alternatives to do this:
  You can declare your JSP as a protected resource with the use of the deployment descriptors of the application (web.xml) and add the custom login module in the authentication stack of the application. This way, you will use container-based authentication, i.e. the Web Container will enforce the authentication and it will call the custom login module before it dispatches to the JSP. I recommend you this approach because it requires less coding and it makes the whole thing a matter of configuration. The configuration can be later on enhanced or changed runtime without the need to re-build and re-deploy the application. If you choose this approach you can go to the documentation of the server for help on how to modify the login module stack of the application.
  You can also use programmatic authentication by using JAAS API. To do this you need to create a custom security policy configuration with login module stack containing the custom login module, and then use the standard JAAS mechanism - new LoginContext(<configuration>, <callback-handler>).login(). This approach requires that you write your own callback handler and handle any LoginException.
  Let us know which approach you prefer and whether you have difficulties implementing it!

• Custom Login Module - Commit Method return TRUE always?

  Hi,
  I am creating a custom login module for my portal authentication.
  For the login module, should the commit() method always return TRUE?
  The example code on help.sap.com indicates yes to this question.
  However, the JAVA Sun standard indicates that commit should return FALSE if the preceding login method returned FALSE.
  Does the SAP example stray from the SUN standard?  How should I code the commit() method such that it works (Always TRUE, or follow lead of login() method)?
  Regards,
  Kevin

  Hi Kevin,
  I'm actually working with this document: <a href="https://www.sdn.sap.comhttp://www.sdn.sap.comhttp://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/events/webinars/jaas%20login%20module%20development%20on%20webas%20java%20640.pdf#search=%22classloader%20sda%20jar%20reference%22">JAAS Login Modules</a>.
  There is also example code. If it should be ignored they return false, otherwise true (page 32).
  Regards,
  Marcus
  Message was edited by: Marcus Freiheit

• J2EE 6.40 Custom Login Module - how to config

  hello all,
  i am using WAS J2EE 6.40 Sneak Preview edition. Read all i can find about custom login module, in the forum and the online help. still confused. pls help.
  here is the background info:
  - i am writing a web app. the EAR file contains 5 ejbs, 1 war and bunch of java classes in jars.
  - access to my web app is protected through url pattern (in web.xml), i've defined the same named security role in web.xml and on j2ee engine.
  - my login module does the user name and password checking. both are stored in database through some other means.
  - login is FORM based
  following the discussion in another thread on the topic, i did the following:
  #1 develop my login module code. packaged it in a jar, then sda file. deploy the sda as a llibrary to the engine.
  #2 add my login module to the security store through the security provider service.
  #3 configure my web app to use the custom login module in web-j2ee-engine.xml
  #4 deploy my web app through the ear file
  at this point, in the visual administrator, i can see the library, the custom login module (added to the UME User Store), and also my web app has authentication set to use the custom login module (under policy configurations tab).
  now i try to login to my web app. it correctly complains when i enter non-existent user or wrong password and brings me to the login failed jsp page. but when i enter both correctly (as stored in my database), i get http 403 error code. i know it is 403 because i set that error code to a special jsp page in web.xml.
  question is why? now i create a user on the j2ee engine with the same name as in my user database. then i can login ok. i am confident that my login module is called since i see the println lines in j2ee engine server logs.
  ??? so i must be missing something obvious. is it because my web app is protected through security-role? i even tried removing all such roles, but still same problem.
  ??? or do i completely mis-understand how custom login modules are supposed to work. i thought it means i can authenticate users any way i want without having to use the j2ee engine's user mgmt. pls tell me if i am totally wrong.
  ??? or maybe my login module code is missing some key stmts. how should it tell the j2ee engine that a user is authenticated? in the login() method, it returns true if user name/passwd match. in the commit() method, it adds the principal to the subject. i don't what else is required.
  does anyone have a working scenario using custom login modules?
  thanks very much for your inputs and thoughts.
  wentao

  Hi Astrid,
  I guess I have the same understanding of JAAS as you. I want to deploy an application that internally makes use of JAAS to authenticate users. There is a LoginModule that authenticates users against some database tables containing all the user data and profile. The application was not designed to be deployed to NetWeaver. So it does not make use of UME or some other NetWeaver specific feature. Actually it handles user management and authoroization issues completely on its own. The only reason for having JAAS is to allow customers to plug in their own LoginModule to use some other kind of user store.
  When deploying the web application to a simple servlet engine like Tomcat, all I have to do is to register my LoginModule in the "jaas.conf" file that is parsed by JAAS default implementation. I also tell the JVM where my jaas.conf file is located by appending a "-Djava..." runtime parameter to the JVM startup script.
  When using other application servers like IBM WebSphere things become a bit different. Normally you use the administration GUI of that server to configure your LoginModules. WebSphere for example keeps the login configuration in an internal database rather than writing everything into a "jaas.conf" text file. But the way the application can use the LoginModule is the same as in Tomcat.
  But when it comes to Netweaver, it seems to me that it's not possible to define a LoginModule that your application can use WITHOUT having to couple it tightly to UME. Or did I get something wrong? Initially I've tried to modify the JVM's parameters (using SAP J2EE Config Tool) to include the location of my "jaas.conf" file containing the my login configuration. But that did not work. The parameter was really passed to the JVM but anyway my LoginModule was not found, I guess that NetWeaver has some own implementation of the JAAS interfaces that just ignore the plain text JAAS configuration files (like WebSphere also does).
  The documentation that I have downloaded from SDN doesn't seem to match the 6.4 sneak preview version that I just downloaded some days ago. They say you should deploy your LoginModule as a library and add a refernce to the application. I tried that out but it did not help. The login configuration that the application wants to access is still not found. Actually there seems to be no way to specify the name for a JAAS Login Configuration in NetWeaver. At least I cound not find that in the documentation.
  So basically my question is: is it possible to deploy an application that wants to use some own LoginModule (either deployed separately or together with the application, that does not matter) without making use of Netweaver specific features like UME? The application has its own user management infrastructure and just needs a way to setup a JAAS Login Configuration to access its own LoginModule.
  Thanks in advance
  Henning

• Custom login module for EP7.4 with Captcha

  Hi
  I am trying to create a custom login module which validates the captcha shown at the login screen using SAP help link:
  http://help.sap.com/saphelp_nw73/helpdata/en/48/ff4faf222b3697e10000000a42189b/content.htm?frameset=/en/48/fcea4f62944e88e10000000a421937/frameset.htm&current_toc=/en/74/8ff534d56846e2abc61fe5612927bf/plain.htm&node_id=20
  The session is being set in the Captcha servlet which is used to render the image on the login page.
  However when I am trying to compare it with input or print the session value, its throwing an exception.
  I checked in the NWA logs and it just shows the following error message:
  6. com.temp.loginModule.MyLoginModuleClass OPTIONAL ok exception true Authentication did not succeed.
  Please help me analyse the error stack. Can someone point where do i check the detailed logs to trace the issue?
  Please find below source of my login module.
  package com.temp.loginModule;
  import java.io.IOException;
  import java.util.Map;
  import javax.security.auth.login.LoginException;
  import javax.security.auth.Subject;
  import javax.security.auth.callback.CallbackHandler;
  import javax.security.auth.callback.Callback;
  import javax.security.auth.callback.NameCallback;
  import javax.security.auth.callback.UnsupportedCallbackException;
  import nl.captcha.Captcha;
  import com.sap.engine.interfaces.security.auth.AbstractLoginModule;
  import com.sap.engine.lib.security.http.HttpGetterCallback;
  import com.sap.engine.lib.security.http.HttpCallback;
  import com.sap.engine.lib.security.LoginExceptionDetails;
  import com.sap.engine.lib.security.Principal;
  public class MyLoginModuleClass extends AbstractLoginModule{
    private CallbackHandler callbackHandler = null;
    private Subject subject = null;
    private Map sharedState = null;
    private Map options = null;
    // This is the name of the user you have created on
    // the AS Java so you can test the login module
    private String userName = null;
    private boolean successful;
    private boolean nameSet;
    public void initialize(Subject subject, CallbackHandler callbackHandler,
    Map sharedState, Map options) {
    // This is the only required step for the method
    super.initialize(subject, callbackHandler, sharedState, options);
    // Initializing the values of the variables
    this.callbackHandler = callbackHandler;
    this.subject = subject;
    this.sharedState = sharedState;
    this.options = options;
    this.successful = false;
    this.nameSet = false;
    * Retrieves the user credentials and checks them. This is
    * the first part of the authentication process.
    public boolean login() throws LoginException {
  // HttpGetterCallback httpGetterCallback = new HttpGetterCallback(); 
  //       httpGetterCallback.setType(HttpCallback.REQUEST_PARAMETER); 
  //       httpGetterCallback.setName("captchaInput"); 
         String value = null; 
  //       try { 
  //       callbackHandler.handle(new Callback[] { httpGetterCallback }); 
  //           String[] arrayRequestparam = (String[]) httpGetterCallback.getValue(); 
  //           if(arrayRequestparam!=null && arrayRequestparam.length>0)
  //           value = arrayRequestparam[0]; 
  //       } catch (UnsupportedCallbackException e) { 
  //       throwNewLoginException("An error occurred while trying to validate credentials."); 
  //       } catch (IOException e) { 
  //            throwUserLoginException(e, LoginExceptionDetails.IO_EXCEPTION); 
    value = getRequestValue("captchaInput");
    userName = getRequestValue("j_username");
    HttpGetterCallback httpGetterCallbackSessionCaptcha = new HttpGetterCallback(); 
    httpGetterCallbackSessionCaptcha.setType(HttpCallback.SESSION_ATTRIBUTE); 
    httpGetterCallbackSessionCaptcha.setName("myCaptchaLogin"); 
    try { 
    callbackHandler.handle(new Callback[] { httpGetterCallbackSessionCaptcha }); 
    Captcha arraySessionParam = (Captcha) httpGetterCallbackSessionCaptcha.getValue();
  // System.out.println("****************************************************httpGetterCallbackSessionCaptcha" + (arraySessionParam==null?"null session":arraySessionParam.getAnswer())+
  // "\n captchaInput" + value+"*********************");
    if(arraySessionParam==null || !arraySessionParam.isCorrect(value)){
    throwNewLoginException("Entered code does not match with the image code.Session:"+(arraySessionParam==null?"null":arraySessionParam.getAnswer())+" Param:"+ value);
  // throwUserLoginException(new Exception("Entered code does not match with the image code."));
    httpGetterCallbackSessionCaptcha.setValue(null);
    } catch (UnsupportedCallbackException e) { 
    throwNewLoginException("An error occurred while trying to validate credentials."); 
    } catch (IOException e) { 
    throwUserLoginException(e, LoginExceptionDetails.IO_EXCEPTION); 
    // Retrieve the user credentials via the callback
    // handler.
    // In this case we get the user name from the HTTP
    // NameCallback.
  // NameCallback nameCallback = new NameCallback("User name: ");
    /* The type and the name specify which part of the HTTP request
    * should be retrieved. For Web container authentication, the
    * supported types are defined in the interface
    * com.sap.engine.lib.security.http.HttpCallback.
    * For programmatical authentication with custom callback
    * handler the supported types depend on the used callback handler.
  // try {
  // callbackHandler.handle(new Callback[] {nameCallback});
  // catch (UnsupportedCallbackException e) {
  // return false;
  // catch (IOException e) {
  // throwUserLoginException(e, LoginExceptionDetails.IO_EXCEPTION);
  // userName = nameCallback.getName();
  // if( userName == null || userName.length() == 0 ) {
  // return false;  
    /* When you know the user name, update the user information
    * using data from the persistence. The operation must
    * be done before the user credentials checks. This method also
    * checks the user name so that if a user with that name does not
    * exist in the active user store, a
    * java.lang.SecurityException is thrown.
  // try {
  // refreshUserInfo(userName);
  // } catch (SecurityException e) {
  // throwUserLoginException(e);
    /* Checks if the given user name starts with the specified
    * prefix in the login module options. If no prefix is specified,
    * then all users are trusted.
  // String prefix = (String) options.get("user_name_prefix");
  // if ((prefix != null) && !userName.startsWith(prefix)) {
  // throwNewLoginException("The user is not trusted.");
    /* This is done if the authentication of the login module is    
    * successful.
    * Only one and exactly one login module from the stack must put
    * the user name in the shared state. This user name represents
    * the authenticated user.
    * For example if the login attempt is successful, method
    * getRemoteUser() of
    * the HTTP request will retrieve exactly this name.
    if (sharedState.get(AbstractLoginModule.NAME) == null) {
    sharedState.put(AbstractLoginModule.NAME, userName);
    nameSet = true;
    successful = true;
    return true;
    * Commit the login. This is the second part of the authentication
    * process.
    * If a user name has been stored by the login() method,
    * the user name is added to the subject as a new principal.
    public boolean commit() throws LoginException {
    if (successful) {
    /* The principals that are added to the subject should
    * implement java.security.Principal.You can use the class
    * com.sap.engine.lib.security.Principal for this purpose.
    Principal principal = new Principal(userName);
    subject.getPrincipals().add(principal);
    /* If the login is successful, then the principal corresponding
    * to the <userName> (the same user name that has been added
    * to the subject) must be added in the shared state too.
    * This principal is considered to be the main principal
    * representing the user.
    * For example, this principal will be retrieved from method
    * getUserPrincipal() of the HTTP request.
    if (nameSet) {
    sharedState.put(AbstractLoginModule.PRINCIPAL, principal);
    } else {
    userName = null;
    return true;
    * Abort the authentication process.
    public boolean abort() throws LoginException {
    if (successful) {
    userName = null;
    successful = false;
    return true;
    * Log out the user. Also removes the principals and
    * destroys or removes the credentials that were associated 
    * with the user during the commit phase.
    public boolean logout() throws LoginException {
    // Remove principals and credentials from subject
    if (successful) {
    subject.getPrincipals(Principal.class).clear();
    successful = false;
    return true;
    private String getRequestValue(String parameterName) 
       throws LoginException { 
         HttpGetterCallback httpGetterCallback = new HttpGetterCallback(); 
         httpGetterCallback.setType(HttpCallback.REQUEST_PARAMETER); 
         httpGetterCallback.setName(parameterName); 
         String value = null; 
         try { 
        callbackHandler.handle(new Callback[] { httpGetterCallback }); 
             String[] arrayRequestparam = (String[]) httpGetterCallback.getValue(); 
             value = arrayRequestparam[0]; 
         } catch (UnsupportedCallbackException e) { 
              return null; 
         } catch (IOException e) { 
              throwUserLoginException(e, LoginExceptionDetails.IO_EXCEPTION); 
         return value; 
  Regards
  Ramanender Singh

  Ramanender,
  JAAS modules usually requires a restart whenever you need to change them. So be very careful with what you expect once you re-deploy your code.
  Once the library is loaded it will never reload itself until you perform a restart of the VM. 
  Connect to the debug port may help, but basic debugging will not take you too far either.
  I would recommend you to use the log tracing facility on your code. Just enter the following class attribute:
  import com.sap.tc.logging.Location;
  private static final Location trace = Location.getLocation(<your_classname_here>.class);
  trace.warningT("Some Warning Text Here..." + variable here);
  trace.debugT("Some Warning Text Here..." + variable here);
  You may need to go NWA and set the Location Severity Level to Debug according to your needs.
  Leave the trace code on your module for IT personnel to debug it if necessary. Don't forget to have the severity level of your code properly set.
  Meaning: You don't want to have every trace message your module sills out with warningT() or infoT().
  There is a excellent blog here on how this works
  Then you will be able to inspect some variable contents while the callbackhandler is being executed.
  Pay special attention with the timing - variables have a lifetime when dealing with login modules.
  Use the entering(<method_name>) and exiting(<method_name> just ot make sure where in the code the variable should be populated and when.
  BR,
  Ivan

• Custom Login Module Called by WebLogic

  I have managed to write and deploy a custom login module that works just fine with
  other app servers (except WebLogic). I am using WebLogic 6.1 with sp2. When WebLogic
  starts up, it seems to be calling my custom login module with a user of "system".
  I then get the following exception:
  Authentication Failed: Unexpected Exception, weblogic.security.acl.DefaultUserInfoImpl
  java.lang.ClassCastException: weblogic.security.acl.DefaultUserInfoImpl
  <<no stack trace available>>
  I have updated the Server.policy file to only point to my custom login module, WebLogic's
  system path points to the JAR with my login module and I can see the module get called.
  Any advice as to what WebLogic is doing here. This behavior does not seem to be
  compliant with the JAAS spec. Here is a snippet of my login method:
  public boolean login() throws LoginException {
  if (callbackHandler == null)
  throw new LoginException("Error: blah blah");
  Callback[] callbacks = new Callback[2];
  callbacks[0] = new NameCallback(USER);
  callbacks[1] = new PasswordCallback(PWD, false);
  try {
  callbackHandler.handle(callbacks);
  username = ((NameCallback)callbacks[USERCALLBACK]).getName();
  char[] tmpPassword = ((PasswordCallback)callbacks[PWDCALLBACK]).getPassword();
  if (tmpPassword == null) {
  tmpPassword = new char[0];
  password = new String(tmpPassword);
  Environment env = new Environment();
  env.setProviderUrl(url);
  env.setSecurityPrincipal(username);
  env.setSecurityCredentials(password);
  Authenticate.authenticate(env, subject);
  return verifyCredentials();
  } catch (java.io.IOException ioe) {
  throw new LoginException(ioe.toString());
  } catch (UnsupportedCallbackException uce) {
  throw new LoginException("Error: " + uce.getCallback().toString()
  + " not available");

  Weblogic 6.x does not support replaceable server side login modules and only
  supports login modules on the client.
  <[email protected]> wrote in message
  news:3cf36c98$[email protected]..
  >
  I have managed to write and deploy a custom login module that works justfine with
  other app servers (except WebLogic). I am using WebLogic 6.1 with sp2.When WebLogic
  starts up, it seems to be calling my custom login module with a user of"system".
  I then get the following exception:
  Authentication Failed: Unexpected Exception,weblogic.security.acl.DefaultUserInfoImpl
  java.lang.ClassCastException: weblogic.security.acl.DefaultUserInfoImpl
  <<no stack trace available>>
  I have updated the Server.policy file to only point to my custom loginmodule, WebLogic's
  system path points to the JAR with my login module and I can see themodule get called.
  Any advice as to what WebLogic is doing here. This behavior does notseem to be
  compliant with the JAAS spec. Here is a snippet of my login method:
  public boolean login() throws LoginException {
  if (callbackHandler == null)
  throw new LoginException("Error: blah blah");
  Callback[] callbacks = new Callback[2];
  callbacks[0] = new NameCallback(USER);
  callbacks[1] = new PasswordCallback(PWD, false);
  try {
  callbackHandler.handle(callbacks);
  username = ((NameCallback)callbacks[USERCALLBACK]).getName();
  char[] tmpPassword =((PasswordCallback)callbacks[PWDCALLBACK]).getPassword();
  >
  if (tmpPassword == null) {
  tmpPassword = new char[0];
  password = new String(tmpPassword);
  Environment env = new Environment();
  env.setProviderUrl(url);
  env.setSecurityPrincipal(username);
  env.setSecurityCredentials(password);
  Authenticate.authenticate(env, subject);
  return verifyCredentials();
  } catch (java.io.IOException ioe) {
  throw new LoginException(ioe.toString());
  } catch (UnsupportedCallbackException uce) {
  throw new LoginException("Error: " +uce.getCallback().toString()
  + " not available");

• RMI with custom login module

  I have an application EAR deployed on the application server that uses a custom login module for authentication. I also have a standalone java application that does a JNDI lookup on a remote EJB. The issue I am having is that this lookup always fails with an exception when the EAR is deployed onto the server, but this seems to work alright with a standalone OC4J. I am working with 10.1.3.4.0 of the OC4J container.
  javax.naming.NamingException: Lookup error: javax.naming.AuthenticationException: Not authorized; nested exception is:
       javax.naming.AuthenticationException: Not authorized [Root exception is javax.naming.AuthenticationException: Not authorized]
       at com.evermind.server.rmi.RMIClientContext.lookup(RMIClientContext.java:64)
       at javax.naming.InitialContext.lookup(InitialContext.java:351)
       at uk.co.card.cms.esp.TestJndi.main(TestJndi.java:53)
  Caused by: javax.naming.AuthenticationException: Not authorized
       at oracle.oc4j.rmi.ClientRmiTransport.connectToServer(ClientRmiTransport.java:99)
       at oracle.oc4j.rmi.ClientSocketRmiTransport.connectToServer(ClientSocketRmiTransport.java:68)
       at com.evermind.server.rmi.RMIClientConnection.connect(RMIClientConnection.java:646)
       at com.evermind.server.rmi.RMIClientConnection.sendLookupRequest(RMIClientConnection.java:190)
       at com.evermind.server.rmi.RMIClientConnection.lookup(RMIClientConnection.java:174)
       at com.evermind.server.rmi.RMIClient.lookup(RMIClient.java:283)
       at com.evermind.server.rmi.RMIClientContext.lookup(RMIClientContext.java:51)
  The standalone application is setting these properties for JNDI lookup -
  java.naming.security.principal=<user>
  java.naming.security.credentials=<password>
  java.naming.factory.initial=com.evermind.server.rmi.RMIInitialContextFactory
  java.naming.provider.url=opmn:ormi://beefalo2:6003/CmsEnterprise
  As far as I can see, the login module is going through the login() and commit() phases correctly and sets a role called 'user' for the authenticated subject. This role is given the RMI login permission in the jazn-data.xml
  <jazn-policy>
            <!-- Grant login permission for anyone in the user role -->
            <grant>
                 <grantee>
                      <principals>
                           <principal>
                                <realm-name>jazn.com</realm-name>
                                <type>role</type>
                                <class>uk.co.card.jaas.SimplePrincipal</class>
                                <name>user</name>
                           </principal>
                      </principals>
                 </grantee>
                 <permissions>
                      <permission>
                           <class>com.evermind.server.rmi.RMIPermission</class>
                           <name>login</name>
                      </permission>
                 </permissions>
            </grant>
       </jazn-policy>
  The ejb-jar.xml also has this defined in the assembly-descriptor.
  <assembly-descriptor>
            <security-role>
                 <role-name>user</role-name>
            </security-role>
  </assembly-descriptor>
  The orion-application.xml has the namespace access provided as -
       <namespace-access>
            <read-access>
                 <namespace-resource root="">
                      <security-role-mapping impliesAll="true">
                           <group name="users" />
                      </security-role-mapping>
                 </namespace-resource>
            </read-access>
            <write-access>
                 <namespace-resource root="">
                      <security-role-mapping impliesAll="true">
                           <group name="users" />
                      </security-role-mapping>
                 </namespace-resource>
            </write-access>
       </namespace-access>
  Appreciate if someone can help me identify what I am missing.

  I have an application EAR deployed on the application server that uses a custom login module for authentication. I also have a standalone java application that does a JNDI lookup on a remote EJB. The issue I am having is that this lookup always fails with an exception when the EAR is deployed onto the server, but this seems to work alright with a standalone OC4J. I am working with 10.1.3.4.0 of the OC4J container.
  javax.naming.NamingException: Lookup error: javax.naming.AuthenticationException: Not authorized; nested exception is:
       javax.naming.AuthenticationException: Not authorized [Root exception is javax.naming.AuthenticationException: Not authorized]
       at com.evermind.server.rmi.RMIClientContext.lookup(RMIClientContext.java:64)
       at javax.naming.InitialContext.lookup(InitialContext.java:351)
       at uk.co.card.cms.esp.TestJndi.main(TestJndi.java:53)
  Caused by: javax.naming.AuthenticationException: Not authorized
       at oracle.oc4j.rmi.ClientRmiTransport.connectToServer(ClientRmiTransport.java:99)
       at oracle.oc4j.rmi.ClientSocketRmiTransport.connectToServer(ClientSocketRmiTransport.java:68)
       at com.evermind.server.rmi.RMIClientConnection.connect(RMIClientConnection.java:646)
       at com.evermind.server.rmi.RMIClientConnection.sendLookupRequest(RMIClientConnection.java:190)
       at com.evermind.server.rmi.RMIClientConnection.lookup(RMIClientConnection.java:174)
       at com.evermind.server.rmi.RMIClient.lookup(RMIClient.java:283)
       at com.evermind.server.rmi.RMIClientContext.lookup(RMIClientContext.java:51)
  The standalone application is setting these properties for JNDI lookup -
  java.naming.security.principal=<user>
  java.naming.security.credentials=<password>
  java.naming.factory.initial=com.evermind.server.rmi.RMIInitialContextFactory
  java.naming.provider.url=opmn:ormi://beefalo2:6003/CmsEnterprise
  As far as I can see, the login module is going through the login() and commit() phases correctly and sets a role called 'user' for the authenticated subject. This role is given the RMI login permission in the jazn-data.xml
  <jazn-policy>
            <!-- Grant login permission for anyone in the user role -->
            <grant>
                 <grantee>
                      <principals>
                           <principal>
                                <realm-name>jazn.com</realm-name>
                                <type>role</type>
                                <class>uk.co.card.jaas.SimplePrincipal</class>
                                <name>user</name>
                           </principal>
                      </principals>
                 </grantee>
                 <permissions>
                      <permission>
                           <class>com.evermind.server.rmi.RMIPermission</class>
                           <name>login</name>
                      </permission>
                 </permissions>
            </grant>
       </jazn-policy>
  The ejb-jar.xml also has this defined in the assembly-descriptor.
  <assembly-descriptor>
            <security-role>
                 <role-name>user</role-name>
            </security-role>
  </assembly-descriptor>
  The orion-application.xml has the namespace access provided as -
       <namespace-access>
            <read-access>
                 <namespace-resource root="">
                      <security-role-mapping impliesAll="true">
                           <group name="users" />
                      </security-role-mapping>
                 </namespace-resource>
            </read-access>
            <write-access>
                 <namespace-resource root="">
                      <security-role-mapping impliesAll="true">
                           <group name="users" />
                      </security-role-mapping>
                 </namespace-resource>
            </write-access>
       </namespace-access>
  Appreciate if someone can help me identify what I am missing.

• Problems with custom login module/authscheme in Portal iViews

  Hi,
  In our portal users must login with their username and password ("ticket" login module stack) to access most of the content. For some of the iViews containing confidential data we would like to ask the users some personal questions before giving them access.
  I followed all the steps described in the [official documentation |http://help.sap.com/saphelp_nw04s/helpdata/en/8c/f03541c6afd92be10000000a1550b0/content.htm]:
  - created a custom login module
  - added it to a custom login module stack
  - added a custom authscheme in the authschemes.xml file
  - assigned the iView to this authscheme
  I also create a PortalComponent that reads the user entries and calls my login module (JSP not shown):
  public void doContent(IPortalComponentRequest request, IPortalComponentResponse response)     {          
      HttpServletRequest req = request.getServletRequest();
      HttpServletResponse resp = request.getServletResponse(false);
      ILogonAuthentication ila = UMFactory.getLogonAuthenticator();
      Subject subject = ila.logon(req, resp, "myauthscheme");
      // if authenticated what to do next??
  Now when I try to access the protected iView, I see my screen to answer the questions, I press submit and my login module is called. But, I never get redirected to the iView I'm supposed to go. So I still have two questions:
  1) Which login modules should be in the login module stack? Should I include the BasicPasswordLoginModule?
  For the moment I have:
  EvaluateTicketLoginModule (SUFFICIENT)
  MyCustomLoginModule (REQUISITE)
  CreateTicketLoginModule (OPTIONAL)
  2) How can I be redirected to the protected iView after the user is being authenticated? Is it the portal framework who is responsible to navigate there automatically? Or is it in my own code after the logon() call? In that case how can I retrieve the destination URL?
  Thanks,
  Martin

  I'm using the version 10.1.3.0.4 (SU5).
  The error is:
  06/09/28 18:09:05 WARNING: Application.setConfig Application: current-workspace-app is in failed state as initialization failedjava.lang.InstantiationException
  28/09/2006 18:09:05 com.evermind.server.Application setConfig
  WARNING: Application: current-workspace-app is in failed state as initialization failedjava.lang.InstantiationException
  2006-09-28 18:09:05.390 WARNING J2EE 0JR0013 Exception initializing deployed application: current-workspace-app. null
  My JAAS-oc4j-app content is:
  <log>
  <file path="JAAS-oc4j-app.log" xmlns=""/>
  </log>
  <jazn provider="XML" location="JAAS-jazn-data.xml">
  <property name="role.mapping.dynamic" value="true"/>
  <property name="custom.loginmodule.provider" value="true"/>
  <property name="jaas.username.simple" value="true"/>
  </jazn>
  <data-sources path="JAAS-data-sources.xml"/>
  Thanks for reply.

• SOAP Web Service +  Custom Login Module issue

  Hi Guys,
  We faced an authentication issue in our project. Could you please give any advice how the issue could be resolved.
  Environment: A simple SOAP Web Service on top of POJO class created in a Web Application. The web application deployed to the SAP NetWeaver 7.10 Application Server in the Enterprise Application Archive.
  Configuration:
        Single Service Administration Application(NetWeaver Administration -> SOA Management -> Application and Scenario Communication -> Single Service Administration)
         The web service endpoint has authentication configured to use User ID/Password HTTP Authentication.
      Authentication Application(NetWeaver Administration-> Configuration Management->Security->Authentication)
        The application(<vendorName>/<earName>*<vendor>~<webAppName>) has Authentication Stack configured to use our custom login module.
  Issue:  BasicPasswordLoginModule used by the J2EE when we are trying to execute the web service using Web Service Navigator(checked in debug mode). It seems that we missed something in configuration.
  Idea: The main Idea is to use our custom login module when we are executing a web service.
  Could you help me to resolve the issue.
  Thanks,
  Dmitry
  Edited by: Dmitry Eidin on Jul 17, 2009 3:46 PM

  > The web service endpoint has authentication configured to use User ID/Password HTTP Authentication.
  That's the point.

• RFC Call in a custom login module

  Hi All,
  What is the best way to call a RFC/BAPI from a Custom Login Module, part of the login stacks?
  I want to avoid using JCo Client Service, do not want to hard code the connection values in the class.
  Have anyone of you come across such a situation?
  Can the custom login module access the Portal Runtime resources, like the Connector Gateway Service/Destination Service?
  Or it just runs inside the j2EE container?
  Thanks for your help
  Aakash
  Edited by: Aakash Jain on Nov 24, 2008 11:42 PM

  Hi All,
  What is the best way to call a RFC/BAPI from a Custom Login Module, part of the login stacks?
  I want to avoid using JCo Client Service, do not want to hard code the connection values in the class.
  Have anyone of you come across such a situation?
  Can the custom login module access the Portal Runtime resources, like the Connector Gateway Service/Destination Service?
  Or it just runs inside the j2EE container?
  Thanks for your help
  Aakash
  Edited by: Aakash Jain on Nov 24, 2008 11:42 PM