Custom Login Module Called by WebLogic
I have managed to write and deploy a custom login module that works just fine with
other app servers (except WebLogic). I am using WebLogic 6.1 with sp2. When WebLogic
starts up, it seems to be calling my custom login module with a user of "system".
I then get the following exception:
Authentication Failed: Unexpected Exception, weblogic.security.acl.DefaultUserInfoImpl
java.lang.ClassCastException: weblogic.security.acl.DefaultUserInfoImpl
<<no stack trace available>>
I have updated the Server.policy file to only point to my custom login module, WebLogic's
system path points to the JAR with my login module and I can see the module get called.
Any advice as to what WebLogic is doing here. This behavior does not seem to be
compliant with the JAAS spec. Here is a snippet of my login method:
public boolean login() throws LoginException {
if (callbackHandler == null)
throw new LoginException("Error: blah blah");
Callback[] callbacks = new Callback[2];
callbacks[0] = new NameCallback(USER);
callbacks[1] = new PasswordCallback(PWD, false);
try {
callbackHandler.handle(callbacks);
username = ((NameCallback)callbacks[USERCALLBACK]).getName();
char[] tmpPassword = ((PasswordCallback)callbacks[PWDCALLBACK]).getPassword();
if (tmpPassword == null) {
tmpPassword = new char[0];
password = new String(tmpPassword);
Environment env = new Environment();
env.setProviderUrl(url);
env.setSecurityPrincipal(username);
env.setSecurityCredentials(password);
Authenticate.authenticate(env, subject);
return verifyCredentials();
} catch (java.io.IOException ioe) {
throw new LoginException(ioe.toString());
} catch (UnsupportedCallbackException uce) {
throw new LoginException("Error: " + uce.getCallback().toString()
+ " not available");
Weblogic 6.x does not support replaceable server side login modules and only
supports login modules on the client.
<[email protected]> wrote in message
news:3cf36c98$[email protected]..
>
I have managed to write and deploy a custom login module that works justfine with
other app servers (except WebLogic). I am using WebLogic 6.1 with sp2.When WebLogic
starts up, it seems to be calling my custom login module with a user of"system".
I then get the following exception:
Authentication Failed: Unexpected Exception,weblogic.security.acl.DefaultUserInfoImpl
java.lang.ClassCastException: weblogic.security.acl.DefaultUserInfoImpl
<<no stack trace available>>
I have updated the Server.policy file to only point to my custom loginmodule, WebLogic's
system path points to the JAR with my login module and I can see themodule get called.
Any advice as to what WebLogic is doing here. This behavior does notseem to be
compliant with the JAAS spec. Here is a snippet of my login method:
public boolean login() throws LoginException {
if (callbackHandler == null)
throw new LoginException("Error: blah blah");
Callback[] callbacks = new Callback[2];
callbacks[0] = new NameCallback(USER);
callbacks[1] = new PasswordCallback(PWD, false);
try {
callbackHandler.handle(callbacks);
username = ((NameCallback)callbacks[USERCALLBACK]).getName();
char[] tmpPassword =((PasswordCallback)callbacks[PWDCALLBACK]).getPassword();
>
if (tmpPassword == null) {
tmpPassword = new char[0];
password = new String(tmpPassword);
Environment env = new Environment();
env.setProviderUrl(url);
env.setSecurityPrincipal(username);
env.setSecurityCredentials(password);
Authenticate.authenticate(env, subject);
return verifyCredentials();
} catch (java.io.IOException ioe) {
throw new LoginException(ioe.toString());
} catch (UnsupportedCallbackException uce) {
throw new LoginException("Error: " +uce.getCallback().toString()
+ " not available");
Similar Messages
-
RFC Call in a custom login module
Hi All,
What is the best way to call a RFC/BAPI from a Custom Login Module, part of the login stacks?
I want to avoid using JCo Client Service, do not want to hard code the connection values in the class.
Have anyone of you come across such a situation?
Can the custom login module access the Portal Runtime resources, like the Connector Gateway Service/Destination Service?
Or it just runs inside the j2EE container?
Thanks for your help
Aakash
Edited by: Aakash Jain on Nov 24, 2008 11:42 PMHi All,
What is the best way to call a RFC/BAPI from a Custom Login Module, part of the login stacks?
I want to avoid using JCo Client Service, do not want to hard code the connection values in the class.
Have anyone of you come across such a situation?
Can the custom login module access the Portal Runtime resources, like the Connector Gateway Service/Destination Service?
Or it just runs inside the j2EE container?
Thanks for your help
Aakash
Edited by: Aakash Jain on Nov 24, 2008 11:42 PM -
How to call custom Login Module from JSP
Hi,
I am stuck with the following issue:
1) Exactly as presented in help.sap.com (http://help.sap.com/saphelp_nw04/helpdata/en/3f/1be040e136742ae10000000a155106/content.htm) I created custom login module and deployed it as a library on J2EE server. When I configured it to be used for my applications in the Security provider but I am getting "No user name provided" exception everytime when my applications use this custom login module.
2) I realized that I would need to call my custom module somewhere within my application (simple JSP) using LoginContext class and then use MyLoginContext.login() spec to initiate login process. But I am not able to pass CallbackHandler parameters from JSP application to my custom login module.
So I have the following questions:
1. Can I pass parameters using LoginContext and CallbackHandler from JSP to my custom login module (created as exact copy of HELP.SAP.COM example) or this module cannot be used this way.
2. How to pass CallbackHandler correctly to my custom login module from JSP. When I am trying to use CallbackHandler, I am getting "Abstract Class cannot be called" error.
I'd appreciate any little help on this matter.
Thanks and regards,
MikeYou have two alternatives to do this:
You can declare your JSP as a protected resource with the use of the deployment descriptors of the application (web.xml) and add the custom login module in the authentication stack of the application. This way, you will use container-based authentication, i.e. the Web Container will enforce the authentication and it will call the custom login module before it dispatches to the JSP. I recommend you this approach because it requires less coding and it makes the whole thing a matter of configuration. The configuration can be later on enhanced or changed runtime without the need to re-build and re-deploy the application. If you choose this approach you can go to the documentation of the server for help on how to modify the login module stack of the application.
You can also use programmatic authentication by using JAAS API. To do this you need to create a custom security policy configuration with login module stack containing the custom login module, and then use the standard JAAS mechanism - new LoginContext(<configuration>, <callback-handler>).login(). This approach requires that you write your own callback handler and handle any LoginException.
Let us know which approach you prefer and whether you have difficulties implementing it! -
Custom Login Module with Adf 11g and and weblogic server
I have configured adf security on my application. I have checked the authentication and authorization are working fine with the default authenticator.
I am trying to create a custom login module. I have downloaded the custom login module implementation jaasdatabaseloginmodule.zip http://www.oracle.com/technetwork/developer-tools/jdev/index-089689.html. I have added the DBLoginModule.jar to my application. post written by Frank Nimphius and Duncan Mills
I have configured the jps config under the application resources with these entries.
<jpsConfig xmlns="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd">
<property value="true" name="custom.provider"/>
<property value="doasprivileged" name="oracle.security.jps.jaas.mode"/>
<serviceInstance name="CustomFFMLoginModule"
provider="jaas.login.provider">
<property name="jaas.login.controlFlag" value="REQUIRED"/>
<property name="log.level" value="FINEST"/>
<property name="debug" value="true"/>
<property name="addAllRoles" value="true"/>
<property name="loginModuleClassName"
value="oracle.sample.dbloginmodule.DBTableLM.ALSDBTableLoginModule"/>
<property value="jdbc/ApplicationDBDS" name="data_source_name"/>
</serviceInstance>
<jpsContexts default="FFMSecurityDAM">
<jpsContext name="FFMSecurityDAM">
<serviceInstanceRef ref="CustomFFMLoginModule"/>
<serviceInstanceRef ref="credstore"/>
<serviceInstanceRef ref="anonymous"/>
<serviceInstanceRef ref="policystore.xml"/>
</jpsContext>
When I run the application this custom login is not getting invoked.
I even tried to add these contents to DefaultDomain\config\fmwconfig\jps-config.xml still no result.
Can anyone who has configured custom login module direct me how to correct my application.Hi Frank,
After following the documentation suggested. I am able to create custom authenticator. But when I login I getting the below exception. When I debugged login method returned true. But this error is being thrown after that. Any clue.
java.lang.IllegalArgumentException: [Security:097531]Method com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principals) was unable to sign a principal
at com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(PrincipalValidationServiceImpl.java:188)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.bea.common.security.internal.utils.Delegator$ProxyInvocationHandler.invoke(Delegator.java:57)
at $Proxy10.sign(Unknown Source)
at weblogic.security.service.internal.WLSIdentityServiceImpl.getIdentityFromSubject(WLSIdentityServiceImpl.java:63)
at com.bea.common.security.internal.service.JAASLoginServiceImpl.login(JAASLoginServiceImpl.java:119)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.bea.common.security.internal.utils.Delegator$ProxyInvocationHandler.invoke(Delegator.java:57)
at $Proxy16.login(Unknown Source)
at weblogic.security.service.internal.WLSJAASLoginServiceImpl$ServiceImpl.login(WLSJAASLoginServiceImpl.java:91)
at com.bea.common.security.internal.service.JAASAuthenticationServiceImpl.authenticate(JAASAuthenticationServiceImpl.java:82)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.bea.common.security.internal.utils.Delegator$ProxyInvocationHandler.invoke(Delegator.java:57)
at $Proxy34.authenticate(Unknown Source)
at weblogic.security.service.WLSJAASAuthenticationServiceWrapper.authenticate(WLSJAASAuthenticationServiceWrapper.java:40)
at weblogic.security.service.PrincipalAuthenticator.authenticate(PrincipalAuthenticator.java:348)
at weblogic.servlet.security.internal.SecurityModule.checkAuthenticate(SecurityModule.java:237)
at weblogic.servlet.security.internal.SecurityModule.checkAuthenticate(SecurityModule.java:186)
at weblogic.servlet.security.internal.FormSecurityModule.processJSecurityCheck(FormSecurityModule.java:254)
at weblogic.servlet.security.internal.FormSecurityModule.checkUserPerm(FormSecurityModule.java:209)
at weblogic.servlet.security.internal.FormSecurityModule.checkAccess(FormSecurityModule.java:92)
at weblogic.servlet.security.internal.ServletSecurityManager.checkAccess(ServletSecurityManager.java:82)
at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2204)
at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2174)
at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1446)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:173) -
I am using franks solution of custom login module
http://www.oracle.com/technology/products/jdev/howtos/10g/jaassec/index.htm#jaasintro
I specified in my system-janz-data.xml
<application>
<name>gs</name>
<login-modules>
<login-module>
<class>oracle.sample.dbloginmodule.DBTableLM.DBTableLoginModule</class>
<control-flag>required</control-flag>
<options>
<option>
<name>password_column</name>
<value>password</value>
</option>
<option>
<name>pw_encoding_class</name>
<value>oracle.sample.dbloginmodule.util.DBLoginModuleSHA1Encoder</value>
</option>
<option>
<name>username_column</name>
<value>username</value>
</option>
<option>
<name>roles_fk_column</name>
<value>userid</value>
</option>
<option>
<name>db_schema</name>
<value></value>
</option>
<option>
<name>debug</name>
<value>true</value>
</option>
<option>
<name>user_pk_column</name>
<value>userid</value>
</option>
<option>
<name>user_table</name>
<value>V_LOGIN_USER</value>
</option>
<option>
<name>db_schema_pw</name>
<value></value>
</option>
<option>
<name>realm_column</name>
<value>realm</value>
</option>
<option>
<name>roles_column</name>
<value>access_role</value>
</option>
<option>
<name>log_level</name>
<value>ALL</value>
</option>
<option>
<name>jdbcUrl</name>
<value>jdbc:oracle:thin:@</value>
</option>
<option>
<name>roles_table</name>
<value>V_LOGIN_USER</value>
</option>
<option>
<name>jdbcDriver</name>
<value>oracle.jdbc.driver.OracleDriver</value>
</option>
</options>
</login-module>
</login-modules>
</application>
this login module never gets called any suggestions ?hi user630433
(1) What makes you conclude that "... this login module never gets called ..."? Which steps do you take, what "output" do you see?
(2) Could you post some information about the context you are working in ... the application you use, the OC4J (version) you use, ...?
(tip : You can use "Your Control Panel" to make your name visible in forum posts.)
regards
Jan Vervecken -
Help - using custom login module with embedded jdev oc4j to access ejb 3
Hi All (Frank ??),
I'm just wondering if anyone has successfully been able to leverage a custom login module in combination
with a client that connects to a local EJB 3 stateless session bean through Jdeveloper 10.1.3.2's embedded oc4j.
I have spent 2+ days trying to get this to work - and i think I resound now to the fact im going to
have to deploy to oc4j standalone instead.
I got close.. but finally was trumped with the following error from the client trying to access the ejb:-
javax.naming.NoPermissionException: Not allowed to look up XXXXXX, check the namespace-access tag
setting in orion-application.xml for details.
Using the various guides available, I had no problem getting the custom login module working
with a local servlet running from JDev's embedded oc4j.. however with ejb - no such luck.
I have a roles table (possible values Member, Admin) - that maps to sr_Member and sr_Admin
respectively in various config files.
I'm using EJB 3 annotations for protecting methods .. for example
@RolesAllowed("sr_Member")
Steps that I had to do so far :-
In <jdevhome>\jdev\system\oracle.jwee.10.1.3.40.66\embedded-oc4j\config\system-jazn-data.xml1) Add custom login module
<application>
<name>current-workspace-app</name>
<login-modules>
<login-module>
<class>kr.security.KnowRushLoginModule</class>
<control-flag>required</control-flag>
<options>
<option>
<name>dataSource</name>
<value>jdbc/DB_XE_KNOWRUSHDS</value>
</option>
<option>
<name>user.table</name>
<value>users</value>
</option>
<option>
<name>user.pk.column</name>
<value>id</value>
</option>
<option>
<name>user.name.column</name>
<value>email_address</value>
</option>
<option>
<name>user.password.column</name>
<value>password</value>
</option>
<option>
<name>role.table</name>
<value>roles</value>
</option>
<option>
<name>role.to.user.fk.column</name>
<value>user_id</value>
</option>
<option>
<name>role.name.column</name>
<value>name</value>
</option>
</options>
</login-module>
</login-modules>
</application>2) Grant login rmi permission to roles associated with custom login module (also in system-jazn-data.xml)
<grant>
<grantee>
<principals>
<principal>
<realm-name>jazn.com</realm-name>
<type>role</type>
<class>kr.security.principals.KRRolePrincipal</class>
<name>Admin</name>
</principal>
</principals>
</grantee>
<permissions>
<permission>
<class>com.evermind.server.rmi.RMIPermission</class>
<name>login</name>
</permission>
</permissions>
</grant>
<grant>
<grantee>
<principals>
<principal>
<realm-name>jazn.com</realm-name>
<type>role</type>
<class>kr.security.principals.KRRolePrincipal</class>
<name>Member</name>
</principal>
</principals>
</grantee>
<permissions>
<permission>
<class>com.evermind.server.rmi.RMIPermission</class>
<name>login</name>
</permission>
</permissions>
</grant>3) I've tried creating various oracle and j2ee deployment descriptors (even though ejb-jar.xml and orion-ejb-jar.xml get created automatically when running the session bean in jdev).
My ejb-jar.xml contains :-
<?xml version="1.0" encoding="utf-8"?>
<ejb-jar xmlns ....
<assembly-descriptor>
<security-role>
<role-name>sr_Admin</role-name>
</security-role>
<security-role>
<role-name>sr_Member</role-name>
</security-role>
</assembly-descriptor>
</ejb-jar>Note- i'm not specifying the enterprise-beans stuff, as JDev seems to populate this automatically.
My orion-ejb-jar.xml contains ...
<?xml version="1.0" encoding="utf-8"?>
<orion-ejb-jar ...
<assembly-descriptor>
<security-role-mapping name="sr_Admin">
<group name="Admin"></group>
</security-role-mapping>
<security-role-mapping name="sr_Member">
<group name="Member"></group>
</security-role-mapping>
<default-method-access>
<security-role-mapping name="sr_Member" impliesAll="true">
</security-role-mapping>
</default-method-access>
</assembly-descriptor>My orion-application.xml contains ...
<?xml version="1.0" encoding="utf-8"?>
<orion-application xmlns ...
<security-role-mapping name="sr_Admin">
<group name="Admin"></group>
</security-role-mapping>
<security-role-mapping name="sr_Member">
<group name="Member"></group>
</security-role-mapping>
<jazn provider="XML">
<property name="role.mapping.dynamic" value="true"></property>
<property name="custom.loginmodule.provider" value="true"></property>
</jazn>
<namespace-access>
<read-access>
<namespace-resource root="">
<security-role-mapping name="sr_Admin">
<group name="Admin"/>
<group name="Member"/>
</security-role-mapping>
</namespace-resource>
</read-access>
<write-access>
<namespace-resource root="">
<security-role-mapping name="sr_Admin">
<group name="Admin"/>
<group name="Member"/>
</security-role-mapping>
</namespace-resource>
</write-access>
</namespace-access>
</orion-application>My essentially auto-generated EJB 3 client does the following :-
Hashtable env = new Hashtable();
env.put(Context.SECURITY_PRINCIPAL, "matt.shannon");
env.put(Context.SECURITY_CREDENTIALS, "welcome1");
final Context context = new InitialContext(env);
KRFacade kRFacade = (KRFacade)context.lookup("KRFacade");
...And throws the error
20/04/2007 00:55:37 oracle.j2ee.rmi.RMIMessages
EXCEPTION_ORIGINATES_FROM_THE_REMOTE_SERVER
WARNING: Exception returned by remote server: {0}
javax.naming.NoPermissionException: Not allowed to look
up KRFacade, check the namespace-access tag setting in
orion-application.xml for details
at
com.evermind.server.rmi.RMIClientConnection.handleLookupRe
sponse(RMIClientConnection.java:819)
at
com.evermind.server.rmi.RMIClientConnection.handleOrmiComm
andResponse(RMIClientConnection.java:283)
....I can see from the console that the user was successfully authenticated :-
20/04/2007 00:55:37 kr.security.KnowRushLoginModule validate
WARNING: [KnowRushLoginModule] User matt.shannon authenticated
And that user is granted both the Admin, and Member roles.
The test servlet using basic authentication correctly detects the user and roles perfectly...
public void doGet(HttpServletRequest request,
HttpServletResponse response)
throws ServletException, IOException
LOGGER.log(Level.INFO,LOGPREFIX +"doGet called");
response.setContentType(CONTENT_TYPE);
PrintWriter out = response.getWriter();
out.println("<html>");
out.println("<head><title>ExampleServlet</title></head>");
out.println("<body>");
out.println("<p>The servlet has received a GET. This is the reply.</p>");
out.println("<br> getRemoteUser = " + request.getRemoteUser());
out.println("<br> getUserPrincipal = " + request.getUserPrincipal());
out.println("<br> isUserInRole('sr_Admin') = "+request.isUserInRole("sr_Admin"));
out.println("<br> isUserInRole('sr_Memeber') = "+request.isUserInRole("sr_Member"));Anyone got any ideas what could be going wrong?
cheers
Matt.
Message was edited by:
mshannonThanks for the response. I checked out your blog and tried your suggestions. I'm sure it works well in standalone OC4J, but i was still unable to get it to function correctly from JDeveloper embedded.
Did you ever get the code working directly from JDeveloper?
Your custom code essentially seems to be the equivalent of a grant within system-jazn-data.xml.
For example, the following grant to a custom jaas role (JAAS_ADMIN) that gets added by my custom login module gives them rmi login access :-
<grant>
<grantee>
<principals>
<principal>
<realm-name>jazn.com</realm-name>
<type>role</type>
<class>kr.security.principals.KRRolePrincipal</class>
<name>JAAS_Admin</name>
</principal>
</principals>
</grantee>
<permissions>
<permission>
<class>com.evermind.server.rmi.RMIPermission</class>
<name>login</name>
</permission>
</permissions>
</grant>If I add the following to orion-application.xml
<!-- Granting login permission to users accessing this EJB. -->
<namespace-access>
<read-access>
<namespace-resource root="">
<security-role-mapping>
<group name="JAAS_Admin"></group>
</security-role-mapping>
</namespace-resource>
</read-access>Running a standalone client against the embedded jdev oc4j server gives the namespace-access error.
I tried out your code by essentially creating a static reference to a singleton class that does the role lookup/provisioning with rmi login grant :-
From custom login module :-
private static KRSecurityHelper singleton = new KRSecurityHelper();
protected Principal[] m_Principals;
Vector v = new Vector();
v.add(singleton.getCustomRmiConnectRole());
// set principals in LoginModule
m_Principals=(Principal[]) v.toArray(new Principal[v.size()]);
Singleton class :-
package kr.security;
import com.evermind.server.rmi.RMIPermission;
import java.util.logging.Level;
import java.util.logging.Logger;
import oracle.security.jazn.JAZNConfig;
import oracle.security.jazn.policy.Grantee;
import oracle.security.jazn.realm.Realm;
import oracle.security.jazn.realm.RealmManager;
import oracle.security.jazn.realm.RealmRole;
import oracle.security.jazn.realm.RoleManager;
import oracle.security.jazn.policy.JAZNPolicy;
import oracle.security.jazn.JAZNException;
public class KRSecurityHelper
private static final Logger LOGGER = Logger.getLogger("kr.security");
private static final String LOGPREFIX = "[KRSecurityHelper] ";
public static String CUSTOM_RMI_CONNECT_ROLE = "remote_connect";
private RealmRole m_Role = null;
public KRSecurityHelper()
LOGGER.log(Level.FINEST,LOGPREFIX +"calling JAZNConfig.getJAZNConfig");
JAZNConfig jc = JAZNConfig.getJAZNConfig();
LOGGER.log(Level.FINEST,LOGPREFIX +"calling jc.getRealmManager");
RealmManager realmMgr = jc.getRealmManager();
try
// Get the default realm .. e.g. jazn.com
LOGGER.log(Level.FINEST,LOGPREFIX +"calling jc.getGetDefaultRealm");
Realm r = realmMgr.getRealm(jc.getDefaultRealm());
LOGGER.log(Level.INFO,LOGPREFIX +"default realm: "+r.getName());
// Access the role manager for the remote connection role
LOGGER.log(Level.FINEST,
LOGPREFIX +"calling default_realm.getRoleManager");
RoleManager roleMgr = r.getRoleManager();
LOGGER.log(Level.INFO,LOGPREFIX +"looking up custom role '"
CUSTOM_RMI_CONNECT_ROLE "'");
RealmRole rmiConnectRole = roleMgr.getRole(CUSTOM_RMI_CONNECT_ROLE);
if (rmiConnectRole == null)
LOGGER.log(Level.INFO,LOGPREFIX +"role does not exist, create it...");
rmiConnectRole = roleMgr.createRole(CUSTOM_RMI_CONNECT_ROLE);
LOGGER.log(Level.FINEST,LOGPREFIX +"constructing new grantee");
Grantee gtee = new Grantee(rmiConnectRole);
LOGGER.log(Level.FINEST,LOGPREFIX +"constructing login rmi permission");
RMIPermission login = new RMIPermission("login");
LOGGER.log(Level.FINEST,
LOGPREFIX +"constructing subject.propagation rmi permission");
RMIPermission subjectprop = new RMIPermission("subject.propagation");
// make policy changes
LOGGER.log(Level.FINEST,LOGPREFIX +"calling jc.getPolicy");
JAZNPolicy policy = jc.getPolicy();
if (policy != null)
LOGGER.log(Level.INFO, LOGPREFIX
+ "add to policy grant for RMI 'login' permission to "
+ CUSTOM_RMI_CONNECT_ROLE);
policy.grant(gtee, login);
LOGGER.log(Level.INFO, LOGPREFIX
+ "add to policy grant for RMI 'subject.propagation' permission to "
+ CUSTOM_RMI_CONNECT_ROLE);
policy.grant(gtee, subjectprop);
// m_Role = rmiConnectRole;
m_Role = roleMgr.getRole(CUSTOM_RMI_CONNECT_ROLE);
LOGGER.log(Level.INFO, LOGPREFIX
+ m_Role.getName() + ":" + m_Role.getFullName() + ":" + m_Role.getFullName());
else
LOGGER.log(Level.WARNING,LOGPREFIX +"Cannot find jazn policy!");
else
LOGGER.log(Level.INFO,LOGPREFIX +"custom role already exists");
m_Role = rmiConnectRole;
catch (JAZNException e)
LOGGER.log(Level.WARNING,
LOGPREFIX +"Cannot configure JAZN for remote connections");
public RealmRole getCustomRmiConnectRole()
return m_Role;
}Using the code approach and switching application.xml across so that namespace access is for the group remote_connect, I get the following error from my bean :-
INFO: Login permission not granted for current-workspace-app (test.user)
Thus, the login permission that I'm adding through the custom remote_connect role does not seem to work. Even if it did, i'm pretty sure I would still get that namespace error.
This has been such a frustrating process. All the custom login module samples using embedded JDeveloper show simple j2ee servlet protection based on settings in web.xml.
There are no samples showing jdeveloper embedded oc4j using ejb with custom login modules.
Hopefully the oc4j jdev gurus like Frank can write a paper that demonstrates this.
Matt. -
Custom login module on OC4J 10.1.3.3.0
Hi,
I need to implement custom web form-based authentication on OC4J, in order to port an existing JBoss app. I was following Frank's example at http://www.oracle.com/technology/products/jdev/howtos/10g/jaassec/index.htm. Trying to access protected pages will correctly redirect to the j_security_check page, and from there call my custom login module - through LoginContext. The issue is that - even if the LoginModule correctly authenticates user's credentials, the request still doesn't get through, coming back to the authentication page.
I perform the deployment using Oracle Enterprise Manager, and the relevant files are:
web.xml:
<login-config>
<auth-method>FORM</auth-method>
<realm-name>testJAAS</realm-name>
<form-login-config>
<form-login-page>/jsp/login.jsp</form-login-page>
<form-error-page>/jsp/login.jsp</form-error-page>
</form-login-config>
</login-config>
<!-- Security constraints -->
<security-constraint>
<web-resource-collection>
<web-resource-name>Test Secure Application</web-resource-name>
<description>Requires users to authenticate</description>
<url-pattern>faces/*</url-pattern>
<http-method>POST</http-method>
<http-method>GET</http-method>
<http-method>HEAD</http-method>
<http-method>PUT</http-method>
</web-resource-collection>
<auth-constraint>
<description>Only allow role1 users</description>
<role-name>role1</role-name>
</auth-constraint>
<user-data-constraint>
<description>Encryption is not required for the application in general. </description>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<!-- Define the security role(s) -->
<security-role>
<description>Example role</description>
<role-name>role1</role-name>
</security-role>
orion-web.xml:
schema-major-version="10" schema-minor-version="0" >
<!-- Uncomment this element to control web application class loader behavior.
<web-app-class-loader search-local-classes-first="true" include-war-manifest-class-path="true" />
-->
<resource-ref-mapping name="jdbc/lics" />
<security-role-mapping name="role1">
<group name="oc4j-app-administrators" />
</security-role-mapping>
<web-app>
</web-app>
orion-application.xml:
<jazn provider="XML" >
<property name="jaas.username.simple" value="true" />
<property name="custom.loginmodule.provider" value="true" />
<property name="role.mapping.dynamic" value="true" />
</jazn>
system-jazn-data.xml:
<jazn-loginconfig>
<application>
<name>le5</name>
<login-modules>
<login-module>
<class>com.tx.lic.oc4jsx.ext.LicLoginModule</class>
<control-flag>required</control-flag>
<options>
<option>
<name>defaultRole</name>
<value>role1</value>
</option>
</options>
</login-module>
</login-modules>
</application>
I assume something is wrong with the deployment configuration, b/c when I specifically add users to the defined role1 role, it works fine(see below). But this is not an option, since users should only be specified in the data store of the LoginModule.
Doing as above, the orion-web.xml is below:
<resource-ref-mapping name="jdbc/lic" />
<security-role-mapping name="role1">
<group name="oc4j-app-administrators" />
<user name="user1" />
<user name="user2" />
</security-role-mapping>
Any insight would be much appreciated. Thanks.Hi,
role to group mapping doesn't seem to work for custom LoginModules. This means hat your web applcation (web.xml) should use th same role names as used on the database authentication. So remove
<security-role-mapping name="role1">
<group name="oc4j-app-administrators" />
</security-role-mapping>
from orion-web.xml and it should start wrking
Frank -
J2EE 6.40 Custom Login Module - how to config
hello all,
i am using WAS J2EE 6.40 Sneak Preview edition. Read all i can find about custom login module, in the forum and the online help. still confused. pls help.
here is the background info:
- i am writing a web app. the EAR file contains 5 ejbs, 1 war and bunch of java classes in jars.
- access to my web app is protected through url pattern (in web.xml), i've defined the same named security role in web.xml and on j2ee engine.
- my login module does the user name and password checking. both are stored in database through some other means.
- login is FORM based
following the discussion in another thread on the topic, i did the following:
#1 develop my login module code. packaged it in a jar, then sda file. deploy the sda as a llibrary to the engine.
#2 add my login module to the security store through the security provider service.
#3 configure my web app to use the custom login module in web-j2ee-engine.xml
#4 deploy my web app through the ear file
at this point, in the visual administrator, i can see the library, the custom login module (added to the UME User Store), and also my web app has authentication set to use the custom login module (under policy configurations tab).
now i try to login to my web app. it correctly complains when i enter non-existent user or wrong password and brings me to the login failed jsp page. but when i enter both correctly (as stored in my database), i get http 403 error code. i know it is 403 because i set that error code to a special jsp page in web.xml.
question is why? now i create a user on the j2ee engine with the same name as in my user database. then i can login ok. i am confident that my login module is called since i see the println lines in j2ee engine server logs.
??? so i must be missing something obvious. is it because my web app is protected through security-role? i even tried removing all such roles, but still same problem.
??? or do i completely mis-understand how custom login modules are supposed to work. i thought it means i can authenticate users any way i want without having to use the j2ee engine's user mgmt. pls tell me if i am totally wrong.
??? or maybe my login module code is missing some key stmts. how should it tell the j2ee engine that a user is authenticated? in the login() method, it returns true if user name/passwd match. in the commit() method, it adds the principal to the subject. i don't what else is required.
does anyone have a working scenario using custom login modules?
thanks very much for your inputs and thoughts.
wentaoHi Astrid,
I guess I have the same understanding of JAAS as you. I want to deploy an application that internally makes use of JAAS to authenticate users. There is a LoginModule that authenticates users against some database tables containing all the user data and profile. The application was not designed to be deployed to NetWeaver. So it does not make use of UME or some other NetWeaver specific feature. Actually it handles user management and authoroization issues completely on its own. The only reason for having JAAS is to allow customers to plug in their own LoginModule to use some other kind of user store.
When deploying the web application to a simple servlet engine like Tomcat, all I have to do is to register my LoginModule in the "jaas.conf" file that is parsed by JAAS default implementation. I also tell the JVM where my jaas.conf file is located by appending a "-Djava..." runtime parameter to the JVM startup script.
When using other application servers like IBM WebSphere things become a bit different. Normally you use the administration GUI of that server to configure your LoginModules. WebSphere for example keeps the login configuration in an internal database rather than writing everything into a "jaas.conf" text file. But the way the application can use the LoginModule is the same as in Tomcat.
But when it comes to Netweaver, it seems to me that it's not possible to define a LoginModule that your application can use WITHOUT having to couple it tightly to UME. Or did I get something wrong? Initially I've tried to modify the JVM's parameters (using SAP J2EE Config Tool) to include the location of my "jaas.conf" file containing the my login configuration. But that did not work. The parameter was really passed to the JVM but anyway my LoginModule was not found, I guess that NetWeaver has some own implementation of the JAAS interfaces that just ignore the plain text JAAS configuration files (like WebSphere also does).
The documentation that I have downloaded from SDN doesn't seem to match the 6.4 sneak preview version that I just downloaded some days ago. They say you should deploy your LoginModule as a library and add a refernce to the application. I tried that out but it did not help. The login configuration that the application wants to access is still not found. Actually there seems to be no way to specify the name for a JAAS Login Configuration in NetWeaver. At least I cound not find that in the documentation.
So basically my question is: is it possible to deploy an application that wants to use some own LoginModule (either deployed separately or together with the application, that does not matter) without making use of Netweaver specific features like UME? The application has its own user management infrastructure and just needs a way to setup a JAAS Login Configuration to access its own LoginModule.
Thanks in advance
Henning -
How to get Custom Login Module to communicate with frontendtarget
We have created a custom login module and placed it in our login module stack.
So we have the following 3 Login Modules in our stack:
EvaluateTicketModule
OurCustomLoginModule
CreateTicketModule
Also we are using the standard SAP login screen for our frontendtarget, see our authschemes.xml entry:
<authscheme name="cglogon">
<authentication-template>
form
</authentication-template>
<priority>21</priority>
<frontendtype>2</frontendtype>
<frontendtarget>com.sap.portal.runtime.logon.certlogon</frontendtarget>
</authscheme>
Question:
There are standard screens in the SAP login PAR:
changePasswordPage.jsp
umLogonProblemPage.jsp
umResetPasswordPage.jsp
How do I trigger one of these screens from my Login() method of my
custom login module? I thought if I throw some specific exception, these screens would
be called?A bit more info.
We created a new Authentication Scheme for certain iviews that are deemed more "sensitive" that required a step-up authentication.
I changed the Iview property "Authentication Scheme" to our custom one.
If I navigate into one of these more sensitive Iviews, I get the standard SAP login screen: <frontendtarget>com.sap.portal.runtime.logon.certlogon</frontendtarget>
Whis is what i expect.
I enter a username and password and click Logon button. I see that it successfully hits our custom login module and goes through Login(), and Commit() methods and finally displays the iview i originally requested.
However, on a failure, i want it to return focus to the SAP login screen with an error explaining why...(i.e. wrong password, account locked, etc.)
However, It always give iview runtime exception with Access Denied.
#1.5 #0018FE8C6FD800690000029000004D6C00045B6E5E7D6014#1226429496628#com.sap.engine.services.security.authentication.logincontext#sap.com/irj#com.sap.engine.services.security.authentication.logincontext#JOHNDOE#182##servername_EPX_176065950#JOHNDOE#bb3365a0b02111ddabea0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_24##0#0#Debug##Java###Login module {0} from authentication stack {1} does not authenticate the caller.#2#companyname.com.CGLoginModuleClass#form#
#1.5 #0018FE8C6FD800690000029100004D6C00045B6E5E7D6275#1226429496629#com.sap.engine.services.security.authentication.loginmodule.ticket.EvaluateTicketLoginModule#sap.com/irj#com.sap.engine.services.security.authentication.loginmodule.ticket.EvaluateTicketLoginModule.abort()#JOHNDOE#182##servername_EPX_176065950#JOHNDOE#bb3365a0b02111ddabea0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_24##0#0#Path##Plain###Entering method#
#1.5 #0018FE8C6FD800690000029200004D6C00045B6E5E7D6308#1226429496629#com.sap.engine.services.security.authentication.loginmodule.ticket.EvaluateTicketLoginModule#sap.com/irj#com.sap.engine.services.security.authentication.loginmodule.ticket.EvaluateTicketLoginModule#JOHNDOE#182##servername_EPX_176065950#JOHNDOE#bb3365a0b02111ddabea0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_24##0#0#Debug##Plain###Internal Login Module data has been reset.#
#1.5 #0018FE8C6FD800690000029300004D6C00045B6E5E7D6386#1226429496629#com.sap.engine.services.security.authentication.loginmodule.ticket.EvaluateTicketLoginModule#sap.com/irj#com.sap.engine.services.security.authentication.loginmodule.ticket.EvaluateTicketLoginModule#JOHNDOE#182##servername_EPX_176065950#JOHNDOE#bb3365a0b02111ddabea0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_24##0#0#Path##Java###Exiting method with {0}#1#true#
#1.5 #0018FE8C6FD800690000029400004D6C00045B6E5E7D6438#1226429496629#com.sap.engine.services.security.authentication.loginmodule.ticket.CreateTicketLoginModule#sap.com/irj#com.sap.engine.services.security.authentication.loginmodule.ticket.CreateTicketLoginModule.abort()#JOHNDOE#182##servername_EPX_176065950#JOHNDOE#bb3365a0b02111ddabea0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_24##0#0#Path##Plain###Entering method#
#1.5 #0018FE8C6FD800690000029500004D6C00045B6E5E7D64B2#1226429496629#com.sap.engine.services.security.authentication.loginmodule.ticket.CreateTicketLoginModule#sap.com/irj#com.sap.engine.services.security.authentication.loginmodule.ticket.CreateTicketLoginModule#JOHNDOE#182##servername_EPX_176065950#JOHNDOE#bb3365a0b02111ddabea0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_24##0#0#Path##Java###Exiting method with {0}#1#true#
#1.5 #0018FE8C6FD800690000029700004D6C00045B6E5E7D6750#1226429496630#com.sap.engine.services.security.authentication.logincontext#sap.com/irj#com.sap.engine.services.security.authentication.logincontext#JOHNDOE#182##servername_EPX_176065950#JOHNDOE#bb3365a0b02111ddabea0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_24##0#0#Info#1#/System/Security/Authentication#Plain###LOGIN.FAILED
User: N/A
Authentication Stack: form
Login Module Flag Initialize Login Commit Abort Details
1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok exception true authscheme not sufficient: uidpwdlogon<cglogon
\#1 ume.configuration.active = true
2. companyname.com.CGLoginModuleClass REQUISITE ok exception true Authentication did not succeed.
3. com.sap.security.core.server.jaas.CreateTicketLoginModule OPTIONAL ok true
\#1 ume.configuration.com = true#
#1.5 #0018FE8C6FD800690000029900004D6C00045B6E5E7DA973#1226429496647#System.err#sap.com/irj#System.err#JOHNDOE#182##servername_EPX_176065950#JOHNDOE#bb3365a0b02111ddabea0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_24##0#0#Error##Plain###Nov 11, 2008 10:51:36... com.sap.portal.portal [SAPEngine_Application_Thread[impl:3]_24] Error: Exception ID:10:51_11/11/08_0002_176065950
#1.5 #0018FE8C6FD800690000029B00004D6C00045B6E5E7DCA91#1226429496647#com.sap.portal.portal#sap.com/irj#com.sap.portal.portal#JOHNDOE#182##servername_EPX_176065950#JOHNDOE#bb3365a0b02111ddabea0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_24##0#0#Error#1#/System/Server#Java###Exception ID:10:51_11/11/08_0002_176065950
[EXCEPTION]
{0}#1#com.sapportals.portal.prt.runtime.PortalRuntimeException: Access is denied: pcd:portal_content/com.companyname.portal.capitalgroup/com.companyname.com.security/com.companyname.portal.cghressnaaa/com.sap.pct.ess.employee_self_service/com.companyname.pg_sensitiveWebdynpro/com.cg.ivu_saplogon_0 - user: Guest
at com.sapportals.portal.prt.deployment.DeploymentManager.getPropertyContentProvider(DeploymentManager.java:1936)
at com.sapportals.portal.prt.core.broker.PortalComponentContextItem.refresh(PortalComponentContextItem.java:230)
at com.sapportals.portal.prt.core.broker.PortalComponentContextItem.getContext(PortalComponentContextItem.java:312)
at com.sapportals.portal.prt.component.PortalComponentRequest.getComponentContext(PortalComponentRequest.java:385)
at com.sapportals.portal.prt.connection.PortalRequest.getRootContext(PortalRequest.java:435)
at com.sapportals.portal.prt.core.PortalRequestManager.runRequestCycle(PortalRequestManager.java:607)
at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:240)
at com.sapportals.portal.prt.dispatcher.Dispatcher$doService.run(Dispatcher.java:545)
and here's my login method...
public boolean login() throws javax.security.auth.login.LoginException
this.succeeded = false;
String passwordString = "";
if (callbackHandler == null)
throw new LoginException("Error: no CallbackHandler available to garner authentication information from the user");
HttpGetterCallback httpgettercallback = new HttpGetterCallback();
NameCallback nc = new NameCallback("User:");
PasswordCallback pc = new PasswordCallback("Password:", false);
Callback[] callbacks = new Callback[] { nc, pc };
try
callbackHandler.handle(callbacks);
catch (IOException e)
throwUserLoginException(e, LoginExceptionDetails.IO_EXCEPTION);
catch (UnsupportedCallbackException e)
return false;
String userid = nc.getName();
char[] password = pc.getPassword();
pc.clearPassword();
if (userid.length() == 0)
throwNewLoginException("USERID IS MISSING!", LoginExceptionDetails.IO_EXCEPTION);
else
username = userid;
if (password.length == 0)
throwNewLoginException("PASSWORD IS MISSING!", LoginExceptionDetails.NO_PASSWORD);
else
passwordString = new String(password);
String eccLoginResult = validateECCAuthentication(username, passwordString);
if (!eccLoginResult.equals(""))
myLoc.infoT(this.username + " - failed ECC authentication.");
throwNewLoginException("Wrong UserId/Password", LoginExceptionDetails.WRONG_USERNAME_PASSWORD_COMBINATION);
else
myLoc.infoT(this.username + " - failed ECC authentication.");
this.succeeded = true;
if (this.succeeded)
try
refreshUserInfo(this.username);
catch (SecurityException e)
throwUserLoginException(e);
if (sharedState.get(AbstractLoginModule.NAME) == null)
sharedState.put(AbstractLoginModule.NAME, this.username);
this.nameSet = true;
else
throwNewLoginException("Wrong UserId/Password", LoginExceptionDetails.WRONG_USERNAME_PASSWORD_COMBINATION);
return this.succeeded; -
Custom login module and SSO using 10.1.3.3
We are using ADF 10.1.3.3 to build applications and recently a requirement from a customer was to use LDAP for authentication but use internal application tables for authorisation. So essentially the username and password will be in LDAP but all the roles definition are in the application. This is because the LDAP directory has tight controls on contents and is used enterprise wide.
I created a proof of concept to address this requirement using the examples at
http://www.oracle.com/technology/products/jdev/howtos/10g/jaassec/index.htm
and also
http://technology.amis.nl/blog/1462/create-a-webapplication-secured-with-custom-jaas-database-loginmodule-deploy-on-jdeveloper-1013-embedded-oc4j-stand-alone-oc4j-and-opmn-managed-oc4j-10g-as
specifically using DBProcLoginModule to call a database package.
The PL/SQL package I created used DBMS_LDAP to call an LDAP directory with the username and password to check authentication and then used internal application tables to get the authorisation details required.
All this worked very well. I tested on both the embedded OC4J and also standalone OC4J.
Then one of my peers said will this work with SSO? Specifically we use Oracle OID as we have SSO for Forms and Reports.
My experience with SSO has been with Oracle OID and having all the user and role details stored within OID.
So my issue now is can I integrate the custom login module approach I have used with SSO? My knowledge of SSO and OID is limited so I'm not sure how (or if) it would interact with a custom login module. Are the two mutually exclusive?
Any guidance is appreciated.
Regards,
AdrianHi,
this question should be posted to the Oracle Application Server forum or the security forum. However, based on my findings and experience in this area, I don't think that SSO is integrated with custom LoginModules since the integration would need to be coded in the LoginModule.
Frank -
Custom pluggable idm with custom login module
Hello All. I've developed a custom implementation of the pluggable identity management framework as explained in chapter 13 of the book "Oracle® Containers for J2EE Security Guide10g (10.1.3.1.0)". I have OAS 10.1.3.1.0.
Everything works fine except when the identity is validated with in the tokenAsserter. The process is supposed to continue with the login method implemented in my custom login module but instead the default oracle implementation (RealmLoginModule) is being executed.
The application is a servlet and is configured to use a custom loginModule. If I don't use de custom auth method (auth-method="CUSTOM_AUTH" in orion-application) my loginModule is called but when I plug it to my custom idm implementation it doesn't.
The custom idm is packed in to a jar containing the idm and the login module. The jar is deployed to the <ORACLE_HOME>/ext/lib directory.
Any suggestions? ThanksThanks for your answer, it really helps. I had already cheeked all that stuff and it was correct, but knowing that another person had made it worked the same way I was doing it, made me think I was doing it right and the problem may simpler. It really was. OC4J was really calling my login module all the time but it was getting a runtime exception, a very simple one, that was making OC4J to propagate the authentication to the default login module (RealmLoginModule), and that was the error I was watching in the logs that had me all confused.
I will start another thread though about stolen cookie in a SSO solution that I’m developing with this implementation.
Thank you. -
Custom login module with 10.1.3
Hello all,
I've been trying out Frank N's custom login module (http://www.oracle.com/technology/products/jdev/howtos/10g/jaassec/index.htm) with JDev 10.1.3/OC4J 10.1.3 and am not having much luck.
Whenever I add <property name="role.mapping.dynamic" value="true"/> to orion-application.xml, the application fails to deploy with java.lang.InstantiationException. I even get this error when I try to set up a custom login module using the enterprise manager for OC4J 10.1.3. Is this a bug, or does the doc need to be updated? Without this item configured, I do get the basic login prompt, but no logging or anything - which indicates to me that the custom login module is not even being called. Nothing on metalink either.
Thanks,
Johnhmm i dont know... custom login module (db authentication) definitely works with standalone 10.1.3.0.0 and jdevloper standalone, but it doesnt work with jdev embeded oc4j (jdevstudio1013\jdev\system\oracle.j2ee.10.1.3.36.73\embedded-oc4j)
i have the code, and it works.. however the application is entirerly made in jdev 10.1.3.04 production, it is not migrated from previous jdev.. make sure to deploy from war file (i have prob to deploy from ear)
the only big problem i got is to setup ssl in separate oc4j standalone (ssl works with jdev standalone) and make client athentication to work
because it wont run as it should.. (i did not have this prob in 10.1.2.1) -
Custom Login Module, LM Stack ignored
Moderator's note: This is a question split from another thread:
Maybe someone with LoginModuleStack knowledge can give us a hand
Another issue (which is isolated from the other question) we have is that somehow the defined Login Module Stack for the J2EE app
doesn't get called when there exits already a MYSAPSSO2 cookie in the session.
The Login Module Stack looks like this:
Custom Login Module Position 1 Required (also tested with optional & requisite)
CreateTicketLoginModule Position 2 Sufficient (also tested with optional)
So if we call the J2EE web app with no existing MYSAPSSO2 cookie (e.g. open in new browser window), everything
works fine and the defined login module stack is run through.
If we call the app with existing MYSAPSSO2 cookie (e.g. open in same browser window after logout of previous app),
the login module stack is ignored and it seems that the EvaluateTicketLoginModule is called straight away, despite not being defined in the stack.
What could be the problem and how can this be solved?
Signed with greetings and a happy weekend on behalf of Minh-Duc Truong,
Your,
Julius
Edited by: Minh-Duc Truong on Jul 18, 2008 4:52 PM
Edited by: Julius Bussche on Jul 18, 2008 7:29 PMHi,
I cannot believe that the EvaluateTicketLoginModule is called if it is not defined in the stack. I guess the best way to track down the problem is to increase the severity of the following locations:
(use Visual Admin / Log Configurator / Locations TAB to do that):
com.sap.security.server.jaas
com.sap.engine.services.security
Set the Severity to ALL. After that call your application and paste the output in security.log here so I can have a look at it. It will contain a complete trace of the processing of your login modules so maybe we'll see what's going wrong.
Cheers -
Custom Login Module Behavior (JAAS)...Help!
Problem: After successful authentication through a custom login module, the screen stays on the login screen and does not go to the iview you clicked on...
I have created a login module as documented [here|http://help.sap.com/saphelp_nw04s/helpdata/en/46/3ce9402f3f8031e10000000a1550b0/frameset.htm].
I have added a new entry in the authschemes.xml file:
<authscheme name="cglogon">
<authentication-template>
form
</authentication-template>
<priority>21</priority>
<frontendtype>2</frontendtype>
<frontendtarget>com.sap.portal.runtime.logon.certlogon</frontendtarget>
</authscheme>
As you can see above, i wanted to try to use the standard sap screen: com.sap.portal.runtime.logon.certlogon
Also, the logon module stack called "form" contains one and only one login module: mycompany.com.CGLoginModuleClass (REQUISITE)
Here is also the code to my Login() method of my module:
public boolean login() throws LoginException
Exception exception_on_the_way = null;
String passwordString = "";
NameCallback nc = new NameCallback("User:");
PasswordCallback pc = new PasswordCallback("Password:", false);
Callback[] callbacks = new Callback[] { nc, pc };
try
callbackHandler.handle(callbacks);
catch (IOException e)
exception_on_the_way = e;
catch (UnsupportedCallbackException e)
exception_on_the_way = e;
String userid = nc.getName();
char[] password = pc.getPassword();
pc.clearPassword();
if (userid.length() == 0)
throw new LoginException(MISSING_UID);
else
userName = userid;
if (password.length == 0)
throw new LoginException(MISSING_PASSWORD);
else
passwordString = new String(password);
try
refreshUserInfo(userName);
catch (SecurityException e)
exception_on_the_way = e;
if (exception_on_the_way != null)
// A productive application should write an entry
// into the trace here
exception_on_the_way.printStackTrace();
throw new LoginException("Could not handle callbacks");
String eccLoginResult = "";
//eccLoginResult = validateECCAuthentication(userName, passwordString);
if (!eccLoginResult.equals(""))
//throwNewLoginException(eccLoginResult);
//throw new LoginException(USER_AUTH_FAILED);
throwNewLoginException("Wrong UserId/Password", LoginExceptionDetails.WRONG_USERNAME_PASSWORD_COMBINATION);
else
successful = true;
if (sharedState.get(AbstractLoginModule.NAME) == null)
sharedState.put(AbstractLoginModule.NAME, userName);
nameSet = true;
return true;
I set up a random iview in the portal to use our new authentication scheme: cglogon by changing the iview property Authentication Scheme.
After clicking the logon button, My login() method gets called and sucessful is set to true. Also the commit() method gets called.
Problem: However, the screen gets redirected to the logon screen again...
Here is the trace in the logs:
Used Passport Type: 3
#[Security Context : [Security Session (3929) for kcf created at Thu Nov 06 08:40:44 PST 2008]]#
#1.5 #0018FE8C6FD8007200003781000041C100045B07FD434AB8#1225989778316#com.sap.engine.services.security.sessionmanagement##com.sap.engine.services.security.sessionmanagement#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Debug##Java###Persistent listeners of {0} notified#1#[Security Context : [Security Session (3929) for kcf created at Thu Nov 06 08:40:44 PST 2008]]#
#1.5 #0018FE8C6FD8007200003782000041C100045B07FD4353D2#1225989778319#com.sap.engine.services.security.authentication.programmatic#sap.com/irj#com.sap.engine.services.security.authentication.programmatic.logon#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Path##Java###Entering method with ({0})#1#com.sap.engine.services.servlets_jsp.server.runtime.client.HttpServletRequestFacade@2cbd9a10, com.sap.engine.services.servlets_jsp.server.runtime.client.HttpServletResponseFacade@5db3e73e, cglogon#
#1.5 #0018FE8C6FD8007200003783000041C100045B07FD435510#1225989778319#com.sap.engine.services.security.policyconfiguration#sap.com/irj#com.sap.engine.services.security.policyconfiguration#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Debug##Java###Security context [{0}] successfully loaded from cache.#1#form#
#1.5 #0018FE8C6FD8007200003784000041C100045B07FD43559B#1225989778319#com.sap.engine.services.security.policyconfiguration#sap.com/irj#com.sap.engine.services.security.policyconfiguration#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Path##Plain###Entering PolicyConfigurationSecurityContext.getAuthenticationContext()#
#1.5 #0018FE8C6FD8007200003785000041C100045B07FD43560F#1225989778319#com.sap.engine.services.security.policyconfiguration#sap.com/irj#com.sap.engine.services.security.policyconfiguration#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Path##Plain###Exiting PolicyConfigurationSecurityContext.getAuthenticationContext()#
#1.5 #0018FE8C6FD8007200003786000041C100045B07FD435864#1225989778320#com.sap.engine.services.security.policyconfiguration#sap.com/irj#com.sap.engine.services.security.policyconfiguration#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Debug##Java###New policy configuration modification context successfully created for configuration with path [{0}].#1#security/configurations/form#
#1.5 #0018FE8C6FD8007200003787000041C100045B07FD4358F8#1225989778320#com.sap.engine.services.security.policyconfiguration#sap.com/irj#com.sap.engine.services.security.policyconfiguration#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Path##Plain###Entering Storage.getStorage(Configuration config)#
#1.5 #0018FE8C6FD8007200003788000041C100045B07FD435983#1225989778320#com.sap.engine.services.security.policyconfiguration#sap.com/irj#com.sap.engine.services.security.policyconfiguration#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Debug##Java###New storage [{0}] created.#1#com.sap.engine.services.security.server.storage.AtomicStorage@3091c97c#
#1.5 #0018FE8C6FD8007200003789000041C100045B07FD435A00#1225989778320#com.sap.engine.services.security.policyconfiguration#sap.com/irj#com.sap.engine.services.security.policyconfiguration#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Path##Plain###Exiting Storage.getStorage(Configuration config)#
#1.5 #0018FE8C6FD800720000378A000041C100045B07FD435A7B#1225989778320#com.sap.engine.services.security.policyconfiguration#sap.com/irj#com.sap.engine.services.security.policyconfiguration#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Path##Plain###Entering Storage.begin()#
#1.5 #0018FE8C6FD800720000378B000041C100045B07FD435B31#1225989778321#com.sap.engine.services.security.policyconfiguration#sap.com/irj#com.sap.engine.services.security.policyconfiguration#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Debug##Java###New configuration handler [{0}] created.#1#com.sap.engine.core.configuration.impl.ConfigurationHandlerImpl@334304cd#
#1.5 #0018FE8C6FD800720000378C000041C100045B07FD435BC8#1225989778321#com.sap.engine.services.security.policyconfiguration#sap.com/irj#com.sap.engine.services.security.policyconfiguration#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Path##Plain###Exiting Storage.begin()#
#1.5 #0018FE8C6FD800720000378D000041C100045B07FD435C3A#1225989778321#com.sap.engine.services.security.policyconfiguration#sap.com/irj#com.sap.engine.services.security.policyconfiguration#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Debug##Plain###New modification bundle started for the current thread.#
#1.5 #0018FE8C6FD800720000378E000041C100045B07FD435CC6#1225989778321#com.sap.engine.services.security.policyconfiguration#sap.com/irj#com.sap.engine.services.security.policyconfiguration#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Debug##Java###Trying to get configuration [{0}] from storage; write access [{1}]; create if missing [{2}]#3#security/configurations/form/security/authentication#false#false#
#1.5 #0018FE8C6FD800720000378F000041C100045B07FD435DC0#1225989778321#com.sap.engine.services.security.policyconfiguration#sap.com/irj#com.sap.engine.services.security.policyconfiguration#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Debug##Java###Configuration returned from storage successfully [{0}].#1#security/configurations/form/security/authentication#
#1.5 #0018FE8C6FD8007200003790000041C100045B07FD436148#1225989778322#com.sap.engine.services.security.policyconfiguration#sap.com/irj#com.sap.engine.services.security.policyconfiguration#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Path##Plain###Entering Storage.forget()#
#1.5 #0018FE8C6FD8007200003791000041C100045B07FD436225#1225989778322#com.sap.engine.services.security.policyconfiguration#sap.com/irj#com.sap.engine.services.security.policyconfiguration#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Path##Plain###Exiting Storage.forget()#
#1.5 #0018FE8C6FD8007200003792000041C100045B07FD43629D#1225989778322#com.sap.engine.services.security.policyconfiguration#sap.com/irj#com.sap.engine.services.security.policyconfiguration#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Debug##Plain###Successful forget of modification bundle for the current thread.#
#1.5 #0018FE8C6FD8007200003793000041C100045B07FD4363B9#1225989778323#com.sap.engine.services.security.authentication.logincontext#sap.com/irj#com.sap.engine.services.security.authentication.logincontext#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Info##Plain###Re-authentication requested.#
#1.5 #0018FE8C6FD8007200003794000041C100045B07FD4364BA#1225989778323#com.sap.engine.services.security.policyconfiguration#sap.com/irj#com.sap.engine.services.security.policyconfiguration#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Debug##Java###Security context [{0}] successfully loaded from cache.#1#form#
#1.5 #0018FE8C6FD8007200003795000041C100045B07FD436534#1225989778323#com.sap.engine.services.security.policyconfiguration#sap.com/irj#com.sap.engine.services.security.policyconfiguration#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Path##Plain###Entering PolicyConfigurationSecurityContext.getAuthenticationContext()#
#1.5 #0018FE8C6FD8007200003796000041C100045B07FD4365A6#1225989778323#com.sap.engine.services.security.policyconfiguration#sap.com/irj#com.sap.engine.services.security.policyconfiguration#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Path##Plain###Exiting PolicyConfigurationSecurityContext.getAuthenticationContext()#
#1.5 #0018FE8C6FD8007200003797000041C100045B07FD439765#1225989778336#com.sap.engine.services.security.authentication.logincontext#sap.com/irj#com.sap.engine.services.security.authentication.logincontext#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Info##Java###User [{0}] attempt to re-authenticate.#1#kcf#
#1.5 #0018FE8C6FD8007200003798000041C100045B07FD439CA1#1225989778337#com.sap.engine.services.security.sessionmanagement#sap.com/irj#com.sap.engine.services.security.sessionmanagement#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Info##Java###Principal {0} assigned to {1}#2#kcf#[Security Session (3929) for kcf created at Thu Nov 06 08:40:44 PST 2008]#
#1.5 #0018FE8C6FD8007200003799000041C100045B07FD439D6C#1225989778338#com.sap.engine.services.security.sessionmanagement#sap.com/irj#com.sap.engine.services.security.sessionmanagement#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Info##Java###Subject {0} assigned to {1}#2#Subject:
Principal: kcf
#[Security Session (3929) for kcf created at Thu Nov 06 08:40:44 PST 2008]#
#1.5 #0018FE8C6FD800720000379A000041C100045B07FD439DF3#1225989778338#com.sap.engine.services.security.authentication.logincontext#sap.com/irj#com.sap.engine.services.security.authentication.logincontext#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Info##Java###Re-authentication for user [{0}] successfull.#1#kcf#
#1.5 #0018FE8C6FD800720000379C000041C100045B07FD439F9B#1225989778338#com.sap.engine.services.security.authentication.logincontext#sap.com/irj#com.sap.engine.services.security.authentication.logincontext#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Info#1#/System/Security/Authentication#Plain###LOGIN.OK
User: kcf
Authentication Stack: form
Login Module Flag Initialize Login Commit Abort Details
1. mycompany.com.CGLoginModuleClass REQUISITE ok true true
Central Checks true #
#1.5 #0018FE8C6FD800720000379D000041C100045B07FD43A10D#1225989778338#com.sap.engine.services.security.authentication.programmatic#sap.com/irj#com.sap.engine.services.security.authentication.programmatic.logon#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Debug##Plain###Security session assigned successfully to the http session.#
#1.5 #0018FE8C6FD800720000379F000041C100045B07FD43CC17#1225989778349#com.sap.engine.services.security.authentication.programmatic#sap.com/irj#com.sap.engine.services.security.authentication.programmatic#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Path##Plain###Exiting logon with authenticated subject.#
#1.5 #0018FE8C6FD80072000037A0000041C100045B07FD43D9FE#1225989778353#com.sap.engine.services.security.authentication.programmatic#sap.com/irj#com.sap.engine.services.security.authentication.programmatic.isAuthenticated#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Path##Java###Entering method with ({0})#1#KCF#
#1.5 #0018FE8C6FD80072000037A1000041C100045B07FD43DAC6#1225989778353#com.sap.engine.services.security.authentication.programmatic#sap.com/irj#com.sap.engine.services.security.authentication.programmatic.isAuthenticated#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Path##Java###Exiting method with {0}#1#false#
#1.5 #0018FE8C6FD80072000037A2000041C100045B07FD440358#1225989778364#com.sap.engine.services.security.authentication.logonapplication#sap.com/irj#com.sap.engine.services.security.authentication.logonapplication.initBeans#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Info##Plain###LanguagesBean created#
#1.5 #0018FE8C6FD80072000037A3000041C100045B07FD44045E#1225989778364#com.sap.engine.services.security.authentication.logonapplication#sap.com/irj#com.sap.engine.services.security.authentication.logonapplication.executeRequest#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Info##Plain###No command found, forwarding to umLogonPage#
#1.5 #0018FE8C6FD80072000037A4000041C100045B07FD4429BF#1225989778373#com.sap.engine.services.security.sessionmanagement##com.sap.engine.services.security.sessionmanagement#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Path##Java###Entering SecurityContext.empty() on {0}#1#[Security Context : [Security Session (3929) for kcf created at Thu Nov 06 08:40:44 PST 2008]]#
#1.5 #0018FE8C6FD80072000037A5000041C100045B07FD442AC1#1225989778374#com.sap.engine.services.security.sessionmanagement##com.sap.engine.services.security.sessionmanagement#Guest#0##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Debug##Java###Notifying persistent listener {0} of {1}#2#
User ID : kcf
Service Type : Web Request
Action Name : Appl.: irj:com.cg.ivu_saplogon_0
Action Type : http
Additional Info : null
CPU Time [us] : 0
Queue Time [us] : 4295152
No of ext. calls : 0
Edited by: K Ferguson on Nov 6, 2008 6:07 PMI am facing the same problem.
And how was is solved ?
Thanks -
Custom login module - Not invoked...
Hi All
I have developed a custom login module and the necessary configuration steps in VA are performed. However, the custom login module is not called...
1. Developed a Java DC as a Child DC in a Library DC.
2. Added all the relevant jars needed as Used DC and Public Parts as required. Also updated the provider.xml with relevant references.
3. Build and Deployed. (No errors found here..)
4. In VA - Created a new Login Module.... updated the property LoginModuleClassLoaders to library:xyz where xyz is the name of the folder for deployed sda as found in cluster\j2ee\serverx\bin\ext...next updated the config tool for the same.... next modified the sap.com/irj*irj authentication as:
Basic - Requisite
CustomModule - Optional.
Then performed server restart. Yet, login module not called. Any ideas as to where I am going wrong..?? (In my login module, just trying to retrieve the user name and change their attributes like lastname etc... )
Thanks
DeepakIssue solved....
Had forgot to add the module to the ticket stack...
Maybe you are looking for
-
Using Brio with VB but without the Brio VB API
Hi there. We're currently attempting to integrate our product (a website) with Brio. For the time being it's only being done for a demo to gauge whether are customers are interested in the functionality or not, so it may or may not actually happen fo
-
Preview thumbnails in Bridge CS4
After several years of being able to preview thumbnails in Bridge CS4, I can no longer do so.
-
Cannot view SharePoint Online documents through CRM Online Outlook Connector - iframe error
We are integrating CRM 2013 Online with SharePoint 2013 Online. We have installed the CRM List Component solution. We have also modified the SharePoint master page to permit display of SharePoint content in iframes. We can view SharePoint documents w
-
Motion 5 with Final Cut Express?
It will let me download Motion 5 from the app store, but will it work with the newest version of Final Cut Express? Meaning can I use it for smoother slow motion and import into FCE? Thanks!
-
Can't sync Imac (Ical) with Ipad2 (calendar)
Since a few days I can't longer sync my Imac calendar with my Ipad. Before it always worked perfectly. Th only thing that's changed is an update of Itunes (11.0). Could this be the rout-cause? How can I solve it? Before, when I added something in my