Custom login module for EP7.4 with Captcha

Hi
I am trying to create a custom login module which validates the captcha shown at the login screen, following this SAP help link:
http://help.sap.com/saphelp_nw73/helpdata/en/48/ff4faf222b3697e10000000a42189b/content.htm?frameset=/en/48/fcea4f62944e88e10000000a421937/frameset.htm&current_toc=/en/74/8ff534d56846e2abc61fe5612927bf/plain.htm&node_id=20
The session attribute is being set in the Captcha servlet which is used to render the image on the login page.
However, when I try to compare it with the input or print the session value, it's throwing an exception.
I checked the NWA logs and they just show the following error message:
6. com.temp.loginModule.MyLoginModuleClass OPTIONAL ok exception true Authentication did not succeed.
Please help me analyse the error stack. Can someone point out where I can check the detailed logs to trace the issue?
Please find below the source of my login module.
package com.temp.loginModule;

import java.io.IOException;
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginException;

import nl.captcha.Captcha;

import com.sap.engine.interfaces.security.auth.AbstractLoginModule;
import com.sap.engine.lib.security.LoginExceptionDetails;
import com.sap.engine.lib.security.Principal;
import com.sap.engine.lib.security.http.HttpCallback;
import com.sap.engine.lib.security.http.HttpGetterCallback;

public class MyLoginModuleClass extends AbstractLoginModule {

  private CallbackHandler callbackHandler = null;
  private Subject subject = null;
  private Map sharedState = null;
  private Map options = null;
  // This is the name of the user you have created on
  // the AS Java so you can test the login module
  private String userName = null;
  private boolean successful;
  private boolean nameSet;

  public void initialize(Subject subject, CallbackHandler callbackHandler,
      Map sharedState, Map options) {
    // This is the only required step for the method
    super.initialize(subject, callbackHandler, sharedState, options);
    // Initializing the values of the variables
    this.callbackHandler = callbackHandler;
    this.subject = subject;
    this.sharedState = sharedState;
    this.options = options;
    this.successful = false;
    this.nameSet = false;
  }

  /**
   * Retrieves the user credentials and checks them. This is
   * the first part of the authentication process.
   */
  public boolean login() throws LoginException {
    // The code typed into the captcha field and the user name, both read from
    // the request parameters (null when the parameter is absent)
    String value = getRequestValue("captchaInput");
    userName = getRequestValue("j_username");

    // The captcha servlet that renders the image stores the Captcha object in
    // the HTTP session under "myCaptchaLogin"; read it back from the session.
    HttpGetterCallback sessionCaptchaCallback = new HttpGetterCallback();
    sessionCaptchaCallback.setType(HttpCallback.SESSION_ATTRIBUTE);
    sessionCaptchaCallback.setName("myCaptchaLogin");
    try {
      callbackHandler.handle(new Callback[] { sessionCaptchaCallback });
      Captcha sessionCaptcha = (Captcha) sessionCaptchaCallback.getValue();
      if (sessionCaptcha == null || !sessionCaptcha.isCorrect(value)) {
        // The expected answer is appended for troubleshooting only; it ends up
        // in the trace, so remove it once the module works.
        throwNewLoginException("Entered code does not match with the image code. Session:"
            + (sessionCaptcha == null ? "null" : sessionCaptcha.getAnswer())
            + " Param:" + value);
      }
    } catch (UnsupportedCallbackException e) {
      throwNewLoginException("An error occurred while trying to validate credentials.");
    } catch (IOException e) {
      throwUserLoginException(e, LoginExceptionDetails.IO_EXCEPTION);
    }

    /* Retrieve the user credentials via the callback handler.
     * In the SAP template the user name comes from a NameCallback; in this
     * module it is read from the j_username request parameter above.
     * The type and the name specify which part of the HTTP request
     * should be retrieved. For Web container authentication, the
     * supported types are defined in the interface
     * com.sap.engine.lib.security.http.HttpCallback.
     * For programmatical authentication with custom callback
     * handler the supported types depend on the used callback handler.
     */
    // NameCallback nameCallback = new NameCallback("User name: ");
    // try {
    //   callbackHandler.handle(new Callback[] { nameCallback });
    // } catch (UnsupportedCallbackException e) {
    //   return false;
    // } catch (IOException e) {
    //   throwUserLoginException(e, LoginExceptionDetails.IO_EXCEPTION);
    // }
    // userName = nameCallback.getName();
    // if (userName == null || userName.length() == 0) {
    //   return false;
    // }

    /* When you know the user name, update the user information
     * using data from the persistence. The operation must
     * be done before the user credentials checks. This method also
     * checks the user name so that if a user with that name does not
     * exist in the active user store, a
     * java.lang.SecurityException is thrown.
     */
    // try {
    //   refreshUserInfo(userName);
    // } catch (SecurityException e) {
    //   throwUserLoginException(e);
    // }

    /* Checks if the given user name starts with the specified
     * prefix in the login module options. If no prefix is specified,
     * then all users are trusted.
     */
    // String prefix = (String) options.get("user_name_prefix");
    // if ((prefix != null) && !userName.startsWith(prefix)) {
    //   throwNewLoginException("The user is not trusted.");
    // }

    /* This is done if the authentication of the login module is
     * successful.
     * Only one and exactly one login module from the stack must put
     * the user name in the shared state. This user name represents
     * the authenticated user.
     * For example if the login attempt is successful, method
     * getRemoteUser() of
     * the HTTP request will retrieve exactly this name.
     * Note that this module does not verify the password itself; it only
     * checks the captcha and publishes the user name.
     */
    if (sharedState.get(AbstractLoginModule.NAME) == null) {
      sharedState.put(AbstractLoginModule.NAME, userName);
      nameSet = true;
    }
    successful = true;
    return true;
  }

  /**
   * Commit the login. This is the second part of the authentication
   * process.
   * If a user name has been stored by the login() method,
   * the user name is added to the subject as a new principal.
   */
  public boolean commit() throws LoginException {
    if (successful) {
      /* The principals that are added to the subject should
       * implement java.security.Principal. You can use the class
       * com.sap.engine.lib.security.Principal for this purpose.
       */
      Principal principal = new Principal(userName);
      subject.getPrincipals().add(principal);
      /* If the login is successful, then the principal corresponding
       * to the <userName> (the same user name that has been added
       * to the subject) must be added in the shared state too.
       * This principal is considered to be the main principal
       * representing the user.
       * For example, this principal will be retrieved from method
       * getUserPrincipal() of the HTTP request.
       */
      if (nameSet) {
        sharedState.put(AbstractLoginModule.PRINCIPAL, principal);
      }
    } else {
      userName = null;
    }
    return true;
  }

  /**
   * Abort the authentication process.
   */
  public boolean abort() throws LoginException {
    if (successful) {
      userName = null;
      successful = false;
    }
    return true;
  }

  /**
   * Log out the user. Also removes the principals and
   * destroys or removes the credentials that were associated
   * with the user during the commit phase.
   */
  public boolean logout() throws LoginException {
    // Remove principals and credentials from subject.
    // Subject.getPrincipals(Class) returns a copy, so clearing that copy
    // would not touch the subject; remove the matching principals instead.
    if (successful) {
      subject.getPrincipals().removeAll(subject.getPrincipals(Principal.class));
      successful = false;
    }
    return true;
  }

  /**
   * Reads a request parameter through the HttpGetterCallback. Returns null
   * when the parameter is absent or the callback handler does not support
   * request parameters.
   */
  private String getRequestValue(String parameterName) throws LoginException {
    HttpGetterCallback httpGetterCallback = new HttpGetterCallback();
    httpGetterCallback.setType(HttpCallback.REQUEST_PARAMETER);
    httpGetterCallback.setName(parameterName);
    String value = null;
    try {
      callbackHandler.handle(new Callback[] { httpGetterCallback });
      String[] arrayRequestparam = (String[]) httpGetterCallback.getValue();
      // Guard against a missing parameter instead of indexing the array blindly
      if (arrayRequestparam != null && arrayRequestparam.length > 0) {
        value = arrayRequestparam[0];
      }
    } catch (UnsupportedCallbackException e) {
      return null;
    } catch (IOException e) {
      throwUserLoginException(e, LoginExceptionDetails.IO_EXCEPTION);
    }
    return value;
  }
}
Regards
Ramanender Singh

Ramanender,
JAAS modules usually require a restart whenever you need to change them. So be very careful with what you expect once you re-deploy your code.
Once the library is loaded it will never reload itself until you perform a restart of the VM.
Connecting to the debug port may help, but basic debugging will not take you too far either.
I would recommend you to use the log tracing facility in your code. Just enter the following class attribute:
import com.sap.tc.logging.Location;
private static final Location trace = Location.getLocation(<your_classname_here>.class);
trace.warningT("Some Warning Text Here..." + variable here);
trace.debugT("Some Warning Text Here..." + variable here);
You may need to go to NWA and set the Location Severity Level to Debug according to your needs.
Leave the trace code in your module for IT personnel to debug it if necessary. Don't forget to have the severity level of your code properly set.
Meaning: you don't want to have every trace message your module spills out with warningT() or infoT().
There is an excellent blog here on how this works.
Then you will be able to inspect some variable contents while the callback handler is being executed.
Pay special attention to the timing - variables have a lifetime when dealing with login modules.
Use entering(<method_name>) and exiting(<method_name>) just to make sure where in the code the variable should be populated and when.
BR,
Ivan
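The captcha check the first post is after, written as an added example against the standard JAAS API so it runs on a plain JDK without the AS Java libraries. This is not the poster's code and not SAP's template. Everything specific to it is an assumption: the in-memory CAPTCHA_STORE stands in for the HTTP session the captcha servlet writes to, SimplePrincipal stands in for com.sap.engine.lib.security.Principal, and handlerFor, the session id sess-1 and the code 7K3PQ are constructed test input. The module removes the stored challenge before comparing (one image, one attempt, right or wrong), compares in constant time with MessageDigest.isEqual, keeps the expected answer out of the exception message, and has commit() return false when login() failed, which is the standard JAAS contract.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class CaptchaLoginModule implements LoginModule {
    // Stand-in for the HTTP session the captcha servlet writes to (hypothetical,
    // in-memory): session id -> expected captcha answer.
    static final Map<String, String> CAPTCHA_STORE = new HashMap<>();

    // Minimal principal; on AS Java com.sap.engine.lib.security.Principal plays this role.
    static final class SimplePrincipal implements Principal {
        private final String name;
        SimplePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return name; }
    }

    private Subject subject;
    private CallbackHandler handler;
    private String userName;
    private boolean loginOk;

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }

    @Override
    public boolean login() throws LoginException {
        // Three callbacks stand in for SAP's HttpGetterCallback: the user name, the session
        // id that keys the stored challenge, and the code the user typed into the form.
        NameCallback name = new NameCallback("User name: ");
        TextInputCallback session = new TextInputCallback("Session id: ");
        TextInputCallback typed = new TextInputCallback("Captcha: ");
        try {
            handler.handle(new Callback[] { name, session, typed });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("Could not obtain captcha input: " + e.getMessage());
        }
        // remove() before comparing: one challenge, one attempt, whether right or wrong.
        String expected = CAPTCHA_STORE.remove(session.getText());
        String given = typed.getText();
        if (expected == null || given == null || !MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                given.trim().getBytes(StandardCharsets.UTF_8))) {
            loginOk = false;
            // Never put the expected answer into the message: it ends up in traces.
            throw new LoginException("Entered code does not match the image code.");
        }
        userName = name.getName();
        loginOk = true;
        return true;
    }

    // JAAS contract: commit() returns false when this module's login() did not succeed.
    @Override
    public boolean commit() {
        if (!loginOk) return false;
        subject.getPrincipals().add(new SimplePrincipal(userName));
        return true;
    }

    @Override
    public boolean abort() { userName = null; loginOk = false; return true; }

    @Override
    public boolean logout() {
        subject.getPrincipals().removeIf(p -> p instanceof SimplePrincipal);
        return abort();
    }

    // Demo handler answering the callbacks from fixed values (constructed test input).
    static CallbackHandler handlerFor(String user, String sessionId, String captcha) {
        return callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof TextInputCallback) {
                    TextInputCallback t = (TextInputCallback) cb;
                    t.setText(t.getPrompt().startsWith("Session") ? sessionId : captcha);
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        };
    }

    public static void main(String[] args) throws LoginException {
        Configuration config = new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                        CaptchaLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                        new HashMap<String, Object>()) };
            }
        };
        CAPTCHA_STORE.put("sess-1", "7K3PQ");   // what the captcha servlet would store
        LoginContext first = new LoginContext("captcha", new Subject(),
                handlerFor("alice", "sess-1", "7K3PQ"), config);
        first.login();
        System.out.println("login ok, principals=" + first.getSubject().getPrincipals());
        try {   // same session id again: the challenge is gone, so this must fail
            new LoginContext("captcha", new Subject(),
                    handlerFor("alice", "sess-1", "7K3PQ"), config).login();
        } catch (LoginException e) {
            System.out.println("replay rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with javac CaptchaLoginModule.java and java CaptchaLoginModule: the first LoginContext succeeds and prints the principal, the second reuses sess-1 and is rejected because the challenge was already consumed. On AS Java the NameCallback and the two TextInputCallback reads correspond to HttpGetterCallback with the REQUEST_PARAMETER and SESSION_ATTRIBUTE types used in the posted module.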

Similar Messages

  • Custom Login Module for EP7

    Hello Experts,
    I have a requirement to develop a custom Login Module for EP7. I am fine with the programming part and on this side everything should be fine. I am puzzling about the configuration. My LoginModule is configured according to this link: [SAP HELP|http://help.sap.com/saphelp_nw2004s/helpdata/en/46/3ce9402f3f8031e10000000a1550b0/content.htm]. But when I configure sap.com/irj*irj in SecurityProvider in Visual Admin, the changes do not take effect. I restarted the portal as well as the Server. I am on NW2004s SP 14.
    What am I missing?
    Thanks for any help,
    best Regards,
    Rene

    Hello Laura,
    thank you for your reply. I have read your link and I doubt that this is the solution. In authschemes.xml you define the user interface for authentication and priority. In Visual Admin, you can define the loginModule for your Scheme. But this must be possible without defining an authscheme. Am I right? In my understanding you only have to declare the loginmodule for the application in Visual Admin. And that's it.
    So what do I have to do to change the login module for the Portal (irj)?
    Any help will be appreciated,
    best regards,
    Rene

  • Custom login module for weblogic portal 10.3.2

    Hi everyone
    I want to develop a custom portal login module for weblogic.
    Can anyone help me out with details on how I can implement it? Any links provided will be very useful.
    Thanks in advance.

    The credentials given on that page are wrong for 10.3.2. (They might be correct for 10.3, but that's not my problem.) I found the correct credentials -- weblogic / webl0gic -- at this URL:
    weblogic portal 10.3.2 sample domain admin console question
    It's also given correctly in section 6 of the Getting Started Guide, but you have to know to look there first.
    Edited by: dwschulze on Aug 19, 2010 1:47 PM

  • Custom Login Module for Tomcat to protect apps using Oracle Access Manager

    Hi all,
    I have the following scenario.
    A web application deployed in Tomcat is to be protected using OAM. One solution is to use Access Gate, though we have another alternative, a Proxy in front of Tomcat with a webgate. Now I am implementing the Access Gate solution.
    So, when the user clicks the Tomcat application, the prompt (BASIC) appears for login details. The custom login module should kick in, take those login details and authenticate against OAM using the Access SDK API.
    I have created an access gate profile and installed the Access SDK. Ran the ConfigureAccessGateTool as well.
    I did some research googling for login modules. I came to know that we need to write a custom realm for it. So, this realm implementation involves specifying role-name etc. in web.xml, where the role-name would have been defined in tomcat-users.xml.
    This means that the user trying to authenticate against OAM has to have some roles defined in Tomcat to log in. I did not understand the flow end to end as to how this will work.
    Please let me know if anybody has done this kind of customization.
    Thanks,
    Mahendra.

    Hi Ambarish,
    Initially I thought of implementing the way you suggested in Option 2.
    But there will be various redirections when we use option 2, as the login page should redirect to a page where the OAM authentication and authorization stuff has to be handled. And accordingly we have to redirect to specific pages upon successful atn and atz. Hence, I opted for using a Custom Login Module.
    However, I have been trying Option 2 now. In web.xml, I have specified a login page with FORM scheme. The login redirects to another page, say OAM_Authentication_Handler.jsp. Here we have code which serves atn and atz. Upon doing this, I have observed that the protected resource in OAM is not getting evaluated using the method
    String ms_protocol = "http";
    String ms_method = "GET";
    String ms_resource = "http://localhost:8080/FormLogin/private.jsp";
    ObResourceRequest rrq = new ObResourceRequest(ms_protocol, ms_resource, ms_method);
    The method rrq.isProtected() is returning false, which implies it is unprotected. I have tested the resource using Access Tester and it results in the expected behaviour.
    Is there any limitation here by using this approach?
    Any ideas?
    Thanks,
    Mahendra.

  • DBMS based custom login module for ADF 11g on Web Logic Server (10.3.1.0)

    We have the requirement of creating a login page, wherein the authentication is performed against user records stored in a specific table in an Oracle Database. The ADF 11g developer guide does not provide any example to accomplish this. Though there are numerous examples of achieving the same using OC4J, there is none available to achieve this on Web Logic Server. Do we have any documentation or information available on this?

    User,
    Have a search on the forum or check the WLS documentation. WLS has built-in authenticators for this that you can likely use.
    John

  • Custom login module error: Login permission not granted for myapp (myuser)

    I have developed a custom login module for my application. I have followed the steps outlined in security guide and other postings. I could not log into the application when I access EJBs from an RMI client. I get the following error.
    Login permission not granted for myapp (myuser)
    I did grant the login permission to myuser.
    I am using OC4J 10.1.3.1.0
    Here are the steps I followed and the configuration files. Can anybody help me out?
    1. Created a custom login module and packaged it in EAR along with other classes. In the commit method, I added my user into principals of subject. Here is the code,
    ==================================================================
    public boolean commit() throws LoginException {
        try {
            if (!loginOk) {
                return false;
            }
            Set<Principal> principals = subject.getPrincipals();
            principals.add(user);
            loginOk = true;
        } finally {
            // Some audit logs are written here.
            return loginOk;
        }
    }
    ===============================================================
    2. Added custom login module in orion-application.xml. Here are the relevant portions of orion-application.xml
    ===============================================================
    <jazn provider="XML">
    <property name="role.mapping.dynamic" value="true" />
    <property name="custom.loginmodule.provider" value="true" />
    <property name="role.compare.ignorecase" value="true" />
    </jazn>
    <jazn-loginconfig>
    <application>
    <name>myApp</name>
    <login-modules>
    <login-module>
    <class>com.test.myServerLoginModule</class>
    <control-flag>required</control-flag>
    <options>
    <option>
    <name>maxRetries</name>
    <value>3</value>
    </option>
    <option>
    <name>debug</name>
    <value>true</value>
    </option>
    </options>
    </login-module>
    </login-modules>
    </application>
    </jazn-loginconfig>
    <namespace-access>
    <read-access>
    <namespace-resource root="">
    <security-role-mapping name="myUser">
    <group name="users"/>
    <group name="oc4j-app-administrators"/>
    </security-role-mapping>
    <security-role-mapping name="esp_operator">
    <group name="users"/>
    <group name="oc4j-app-administrators"/>
    </security-role-mapping>
    </namespace-resource>
    </read-access>
    </namespace-access>
    ===============================================================
    3. After the application is deployed on the EAR, I can see the custom login module in system-jazn-data.xml. The command line jazn admin tool lists my custom login module for my application.
    4. I have an RMI client, the client JNDI properties are
    ==============================================================
    java.naming.factory.initial=oracle.j2ee.naming.ApplicationClientInitialContextFactory
    java.naming.factory.url.pkgs=oracle.j2ee.naming
    ==============================================================
    The value for java.naming.provider.url is constructed dynamically and it is ormi://myserver:23791/myapp
    java.naming.security.principal is set to the user who is trying to login, myuser, in this case.
    java.naming.security.credentials is set to the password entered by myuser, password in this case.
    5. I used jazn admin tool to grant login permission to my user.
    ===============================================================
    a. Added user
    java -jar jazn.jar -user oc4jadmin -password welcome -adduser jazn.com myuser password
    b. Grant roles
    java -jar jazn.jar -user oc4jadmin -password welcome -grantrole users jazn.com myuser
    java -jar jazn.jar -user oc4jadmin -password welcome -grantrole oc4j-app-administrators jazn.com myuser
    c. Grant RMI permission
    java -jar jazn.jar -user oc4jadmin -password welcome -grantperm jazn.com -user myuser com.evermind.server.rmi.RMIPermission login
    ===============================================================
    After the permission is granted, the following piece of XML is added to system-jazn-data.xml.
    ===============================================================
         <grant>
              <grantee>
                   <principals>
                        <principal>
                             <realm-name>jazn.com</realm-name>
                             <type>user</type>
                             <class>oracle.security.jazn.spi.xml.XMLRealmUser</class>
                             <name>jazn.com/esp_administrator</name>
                        </principal>
                   </principals>
              </grantee>
              <permissions>
                   <permission>
                        <class>com.evermind.server.rmi.RMIPermission</class>
                        <name>login</name>
                   </permission>
              </permissions>
         </grant>
    ==============================================================
    My principal class is not of type, oracle.security.jazn.spi.xml.XMLRealmUser. Hence, I changed system-jazn-data.xml to include com.test.MyUser instead of oracle.security.jazn.spi.xml.XMLRealmUser. Either way, I get Not Authorized and Login permission not granted for myapp (myuser).
    Can anybody help me out, please?
    Thank you,
    Sri
    Message was edited by:
    user532586

    I finally got it to work. But I have a problem granting RMI Permission "login" if the depth of my Principal class within the inheritance hierarchy is more than one. The hierarchy of my principal class is
    Object --> ObjectA --> ObjectB --> ObjectC --> ObjectD
    ObjectD is my principal class. ObjectB implements java.security.Principal. ObjectA has implementations for the methods equals, hashCode and toString. ObjectB has an implementation for getName.
    When I try to grant RMI permission for ObjectD, I get an error that says null.
    If I override the methods equals, hashCode, toString and getName in ObjectD and provide implementations, I still cannot grant permission using the jazn tool. I get an error that says null. If I update the system-jazn-data.xml with the following grant tag, I can get into the application without any errors.
         <grant>
              <grantee>
                   <principals>
                        <principal>
                             <class>com.test.ObjectD</class>
                             <name>developers</name>
                        </principal>
                   </principals>
              </grantee>
              <permissions>
                   <permission>
                        <class>com.evermind.server.rmi.RMIPermission</class>
                        <name>login</name>
                   </permission>
              </permissions>
         </grant>
    If I create a new class, myPrincipal, that implements java.security.Principal, I do not have any problems. I can grant permission and access the application.
    Any ideas why I cannot use ObjectD as my principal class for granting RMI permission?
    Message was edited by:
    user532586

  • RMI with custom login module

    I have an application EAR deployed on the application server that uses a custom login module for authentication. I also have a standalone java application that does a JNDI lookup on a remote EJB. The issue I am having is that this lookup always fails with an exception when the EAR is deployed onto the server, but this seems to work alright with a standalone OC4J. I am working with 10.1.3.4.0 of the OC4J container.
    javax.naming.NamingException: Lookup error: javax.naming.AuthenticationException: Not authorized; nested exception is:
         javax.naming.AuthenticationException: Not authorized [Root exception is javax.naming.AuthenticationException: Not authorized]
         at com.evermind.server.rmi.RMIClientContext.lookup(RMIClientContext.java:64)
         at javax.naming.InitialContext.lookup(InitialContext.java:351)
         at uk.co.card.cms.esp.TestJndi.main(TestJndi.java:53)
    Caused by: javax.naming.AuthenticationException: Not authorized
         at oracle.oc4j.rmi.ClientRmiTransport.connectToServer(ClientRmiTransport.java:99)
         at oracle.oc4j.rmi.ClientSocketRmiTransport.connectToServer(ClientSocketRmiTransport.java:68)
         at com.evermind.server.rmi.RMIClientConnection.connect(RMIClientConnection.java:646)
         at com.evermind.server.rmi.RMIClientConnection.sendLookupRequest(RMIClientConnection.java:190)
         at com.evermind.server.rmi.RMIClientConnection.lookup(RMIClientConnection.java:174)
         at com.evermind.server.rmi.RMIClient.lookup(RMIClient.java:283)
         at com.evermind.server.rmi.RMIClientContext.lookup(RMIClientContext.java:51)
    The standalone application is setting these properties for JNDI lookup -
    java.naming.security.principal=<user>
    java.naming.security.credentials=<password>
    java.naming.factory.initial=com.evermind.server.rmi.RMIInitialContextFactory
    java.naming.provider.url=opmn:ormi://beefalo2:6003/CmsEnterprise
    As far as I can see, the login module is going through the login() and commit() phases correctly and sets a role called 'user' for the authenticated subject. This role is given the RMI login permission in the jazn-data.xml
    <jazn-policy>
              <!-- Grant login permission for anyone in the user role -->
              <grant>
                   <grantee>
                        <principals>
                             <principal>
                                  <realm-name>jazn.com</realm-name>
                                  <type>role</type>
                                  <class>uk.co.card.jaas.SimplePrincipal</class>
                                  <name>user</name>
                             </principal>
                        </principals>
                   </grantee>
                   <permissions>
                        <permission>
                             <class>com.evermind.server.rmi.RMIPermission</class>
                             <name>login</name>
                        </permission>
                   </permissions>
              </grant>
         </jazn-policy>
    The ejb-jar.xml also has this defined in the assembly-descriptor.
    <assembly-descriptor>
              <security-role>
                   <role-name>user</role-name>
              </security-role>
    </assembly-descriptor>
    The orion-application.xml has the namespace access provided as -
         <namespace-access>
              <read-access>
                   <namespace-resource root="">
                        <security-role-mapping impliesAll="true">
                             <group name="users" />
                        </security-role-mapping>
                   </namespace-resource>
              </read-access>
              <write-access>
                   <namespace-resource root="">
                        <security-role-mapping impliesAll="true">
                             <group name="users" />
                        </security-role-mapping>
                   </namespace-resource>
              </write-access>
         </namespace-access>
    Appreciate if someone can help me identify what I am missing.

  • Custom Login Module - Commit Method return TRUE always?

    Hi,
    I am creating a custom login module for my portal authentication.
    For the login module, should the commit() method always return TRUE?
    The example code on help.sap.com indicates yes to this question.
    However, the JAVA Sun standard indicates that commit should return FALSE if the preceding login method returned FALSE.
    Does the SAP example stray from the SUN standard?  How should I code the commit() method such that it works (Always TRUE, or follow lead of login() method)?
    Regards,
    Kevin

    Hi Kevin,
    I'm actually working with this document: JAAS Login Modules (https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/events/webinars/jaas%20login%20module%20development%20on%20webas%20java%20640.pdf).
    There is also example code. If it should be ignored they return false, otherwise true (page 32).
    Regards,
    Marcus
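    The question above is really about the JAAS two-phase contract: login() returns false only when the module wants to be ignored (and throws on a real failure), and commit() must then return false as well; when login() returned true, commit() adds the principals and returns true, and abort() undoes whichever phase got done. The following is an added, self-contained example (not code from the SAP document, the PDF or anyone in this thread): the class name, the hard-coded demo credential and the in-memory Configuration are assumptions made so it runs offline with a plain JDK.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.Collections;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

/** Two-phase JAAS module: login() decides, commit()/abort() finish; commit() echoes login()'s verdict. */
public class TwoPhaseLoginModule implements LoginModule {
    // Hypothetical fixed credential so the example runs offline; a real module queries a user store.
    private static final String DEMO_USER = "alice";
    private static final char[] DEMO_PASS = "s3cret".toCharArray();

    private Subject subject;
    private CallbackHandler handler;
    private String userName;
    private Principal principal;
    private boolean loginSucceeded;   // outcome of phase 1
    private boolean commitSucceeded;  // outcome of phase 2

    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }

    public boolean login() throws LoginException {
        if (handler == null) throw new LoginException("no CallbackHandler");
        NameCallback nc = new NameCallback("user: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { nc, pc });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException(e.toString());
        }
        String name = nc.getName();
        if (name == null || name.isEmpty()) return false;  // "ignore me": commit() must then return false too
        char[] pw = pc.getPassword();                       // getPassword() hands back a copy
        pc.clearPassword();
        try {
            // Demo comparison only; a real module verifies a salted hash in constant time.
            loginSucceeded = DEMO_USER.equals(name) && pw != null && Arrays.equals(pw, DEMO_PASS);
        } finally {
            if (pw != null) Arrays.fill(pw, '\0');          // do not leave the secret in memory
        }
        if (!loginSucceeded) throw new FailedLoginException("bad user name or password");
        userName = name;
        return true;
    }

    public boolean commit() throws LoginException {
        if (!loginSucceeded) return false;   // JAAS contract: login() said "ignore", so does commit()
        principal = new UserPrincipal(userName);
        subject.getPrincipals().add(principal);
        commitSucceeded = true;
        return true;
    }

    public boolean abort() throws LoginException {
        if (!loginSucceeded) return false;
        if (!commitSucceeded) { loginSucceeded = false; userName = null; }  // another module vetoed the stack
        else logout();                                                      // already committed: undo it
        return true;
    }

    public boolean logout() throws LoginException {
        if (principal != null) subject.getPrincipals().remove(principal);
        loginSucceeded = commitSucceeded = false;
        userName = null;
        principal = null;
        return true;
    }

    static final class UserPrincipal implements Principal {
        private final String name;
        UserPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        public boolean equals(Object o) { return o instanceof UserPrincipal && name.equals(((UserPrincipal) o).name); }
        public int hashCode() { return name.hashCode(); }
        public String toString() { return "UserPrincipal[" + name + "]"; }
    }

    /** Runs a one-module REQUIRED stack programmatically (no jaas.config file) and reports the outcome. */
    static String tryLogin(final String user, final String pass) {
        Configuration config = new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String appName) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                        TwoPhaseLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                        Collections.<String, Object>emptyMap()) };
            }
        };
        CallbackHandler cbh = new CallbackHandler() {
            public void handle(Callback[] cbs) {
                for (Callback cb : cbs) {
                    if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                    else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(pass.toCharArray());
                }
            }
        };
        try {
            LoginContext lc = new LoginContext("demo", new Subject(), cbh, config);
            lc.login();
            return "OK, principals=" + lc.getSubject().getPrincipals();
        } catch (LoginException e) {
            return "FAILED: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        System.out.println(tryLogin("alice", "s3cret"));  // login() true, commit() true, principal added
        System.out.println(tryLogin("alice", "wrong"));   // login() throws; abort() runs and returns false
        System.out.println(tryLogin("", ""));             // login() false, commit() false: "all modules ignored"
    }
}
```

    Compile and run with `javac TwoPhaseLoginModule.java && java TwoPhaseLoginModule`. The third case is the one Kevin asks about: with a single REQUIRED module that returns false from login(), the LoginContext reports that all modules were ignored, which is only correct because commit() also returned false rather than committing a principal for a user that was never authenticated.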

  • Dynamic System Resolution and Custom Login Modules

    I'm trying to achieve the following, and wondered whether anyone could validate that is possible, and possible solutions.
    We want to use Dynamic System Resolution to programmatically determine which system alias (and therefore which R3 client) should be returned based on the user. So far so good.
    When the user logs in, we want them to be able to specify which R3 client they wish to use whilst logged in to EP. We are considering writing a custom login module to do this, which will strip the client the user wishes to use out of the j_user username, and stores the client value *somewhere* so that the Dynamic System Resolution code can access it and base the system alias it returns on the user's preferred client.
    Considering the DSR code only has access to the IUser object it would be handy if our login module could store the preferred client as an attribute in the IUser object. Is it possible to set custom attributes in custom login modules for a given user?
    We want to do this to avoid having to have an EP instance per client in a given R3 system, and to avoid duplicating worksets by creating delta linked copies and overriding the client number.
    Any suggestions?
    Cheers,
    Steve

    Hello,
    Before even attempting such an elaborate construction, I cannot get a working Dynamic System Resolution at all.
    The service doing the resolution is never called when the method getSystemID() is invoked.
    I know that the registry is read (I first tested with a system alias that was in the PCD and got an error when debugging; I had forgotten that you cannot use the same system alias in the PCD and in the Dynamic System Resolution service), but afterwards the resolving service is not called.
    Does anyone have an idea?
    Thanks a lot
    Best regards
    Richard

  • Custom Login Module Called by WebLogic

    I have managed to write and deploy a custom login module that works just fine with
    other app servers (except WebLogic). I am using WebLogic 6.1 with sp2. When WebLogic
    starts up, it seems to be calling my custom login module with a user of "system".
    I then get the following exception:
    Authentication Failed: Unexpected Exception, weblogic.security.acl.DefaultUserInfoImpl
    java.lang.ClassCastException: weblogic.security.acl.DefaultUserInfoImpl
    <<no stack trace available>>
    I have updated the Server.policy file to only point to my custom login module, WebLogic's
    system path points to the JAR with my login module and I can see the module get called.
    Any advice as to what WebLogic is doing here. This behavior does not seem to be
    compliant with the JAAS spec. Here is a snippet of my login method:
    public boolean login() throws LoginException {
        if (callbackHandler == null)
            throw new LoginException("Error: blah blah");
        // USER/PWD are the prompt strings, USERCALLBACK/PWDCALLBACK the indices 0 and 1;
        // all four are declared elsewhere in the module (not shown in the post).
        Callback[] callbacks = new Callback[2];
        callbacks[0] = new NameCallback(USER);
        callbacks[1] = new PasswordCallback(PWD, false);
        try {
            callbackHandler.handle(callbacks);
            username = ((NameCallback) callbacks[USERCALLBACK]).getName();
            char[] tmpPassword = ((PasswordCallback) callbacks[PWDCALLBACK]).getPassword();
            if (tmpPassword == null) {
                tmpPassword = new char[0];
            }
            password = new String(tmpPassword);
            // WebLogic JNDI environment (weblogic.jndi.Environment) used to authenticate
            // against the server at 'url' and populate the Subject
            Environment env = new Environment();
            env.setProviderUrl(url);
            env.setSecurityPrincipal(username);
            env.setSecurityCredentials(password);
            Authenticate.authenticate(env, subject);
            return verifyCredentials();
        } catch (java.io.IOException ioe) {
            throw new LoginException(ioe.toString());
        } catch (UnsupportedCallbackException uce) {
            throw new LoginException("Error: " + uce.getCallback().toString()
                + " not available");
        }
    }

    Weblogic 6.x does not support replaceable server side login modules and only
    supports login modules on the client.

  • Security constraints not being applied after using custom login module

    I am using form based authentication and I applied the custom login module - DBProcLoginModule to work with the embedded OC4J (JDeveloper 10.1.3.2). I have specified two security constraints in web.xml. The authentication is working correctly, however the security constraints are not being applied. All users are able to access all url resources. The security constraints were working properly before applying the custom login module. Please help.
    Leena

    Hi,
    If "All users are able to access all url resources" then this indicates that the URL isn't properly protected. If the authorization failed then no one would have access and you would see error code 401.
    Make sure the role names in web.xml are the same as added by the LoginModule. Also make sure you set the dynamic.role property and the custom security provider property in the orion-application.xml
    <jazn provider="XML">
         <property name="custom.loginmodule.provider" value="true"/>
         <property name="role.mapping.dynamic" value="true"/>
    </jazn>
    Note that the above is not required (because done automatically) if the custom LoginModule configuration is deployed through the orion-application.xml file
    Frank

  • Help - using custom login module with embedded jdev oc4j to access ejb 3

    Hi All (Frank ??),
    I'm just wondering if anyone has successfully been able to leverage a custom login module in combination
    with a client that connects to a local EJB 3 stateless session bean through Jdeveloper 10.1.3.2's embedded oc4j.
    I have spent 2+ days trying to get this to work - and I think I'm resigned now to the fact I'm going to
    have to deploy to oc4j standalone instead.
    I got close.. but finally was trumped with the following error from the client trying to access the ejb:-
    javax.naming.NoPermissionException: Not allowed to look up XXXXXX, check the namespace-access tag
    setting in orion-application.xml for details.
    Using the various guides available, I had no problem getting the custom login module working
    with a local servlet running from JDev's embedded oc4j.. however with ejb - no such luck.
    I have a roles table (possible values Member, Admin) - that maps to sr_Member and sr_Admin
    respectively in various config files.
    I'm using EJB 3 annotations for protecting methods .. for example
    @RolesAllowed("sr_Member")
    Steps that I had to do so far :-
    In <jdevhome>\jdev\system\oracle.jwee.10.1.3.40.66\embedded-oc4j\config\system-jazn-data.xml
    1) Add custom login module
        <application>
          <name>current-workspace-app</name>
          <login-modules>
            <login-module>
              <class>kr.security.KnowRushLoginModule</class>
              <control-flag>required</control-flag>
              <options>
                <option>
                  <name>dataSource</name>
                  <value>jdbc/DB_XE_KNOWRUSHDS</value>
                </option>
                <option>
                  <name>user.table</name>
                  <value>users</value>
                </option>
                <option>
                  <name>user.pk.column</name>
                  <value>id</value>
                </option>
                <option>
                  <name>user.name.column</name>
                  <value>email_address</value>
                </option>
                <option>
                  <name>user.password.column</name>
                  <value>password</value>
                </option>
                <option>
                  <name>role.table</name>
                  <value>roles</value>
                </option>
                <option>
                  <name>role.to.user.fk.column</name>
                  <value>user_id</value>
                </option>
                <option>
                  <name>role.name.column</name>
                  <value>name</value>
                </option>
              </options>
            </login-module>
          </login-modules>
        </application>
    2) Grant login rmi permission to roles associated with custom login module (also in system-jazn-data.xml)
      <grant>
        <grantee>
          <principals>
            <principal>
              <realm-name>jazn.com</realm-name>
              <type>role</type>
              <class>kr.security.principals.KRRolePrincipal</class>
              <name>Admin</name>
            </principal>
          </principals>
        </grantee>
        <permissions>
          <permission>
            <class>com.evermind.server.rmi.RMIPermission</class>
            <name>login</name>
          </permission>
        </permissions>
      </grant>
      <grant>
        <grantee>
          <principals>
            <principal>
              <realm-name>jazn.com</realm-name>
              <type>role</type>
              <class>kr.security.principals.KRRolePrincipal</class>
              <name>Member</name>
            </principal>
          </principals>
        </grantee>
        <permissions>
          <permission>
            <class>com.evermind.server.rmi.RMIPermission</class>
            <name>login</name>
          </permission>
        </permissions>
      </grant>
    3) I've tried creating various oracle and j2ee deployment descriptors (even though ejb-jar.xml and orion-ejb-jar.xml get created automatically when running the session bean in jdev).
    My ejb-jar.xml contains :-
    <?xml version="1.0" encoding="utf-8"?>
    <ejb-jar xmlns ....
      <assembly-descriptor>
        <security-role>
          <role-name>sr_Admin</role-name>
        </security-role>
        <security-role>
          <role-name>sr_Member</role-name>
        </security-role>
      </assembly-descriptor>
    </ejb-jar>
    Note - I'm not specifying the enterprise-beans stuff, as JDev seems to populate this automatically.
    My orion-ejb-jar.xml contains ...
    <?xml version="1.0" encoding="utf-8"?>
    <orion-ejb-jar ...
      <assembly-descriptor>
        <security-role-mapping name="sr_Admin">
          <group name="Admin"></group>
        </security-role-mapping>
        <security-role-mapping name="sr_Member">
          <group name="Member"></group>
        </security-role-mapping>
        <default-method-access>
          <security-role-mapping name="sr_Member" impliesAll="true">
          </security-role-mapping>
        </default-method-access>
      </assembly-descriptor>
    My orion-application.xml contains ...
    <?xml version="1.0" encoding="utf-8"?>
    <orion-application xmlns ...
      <security-role-mapping name="sr_Admin">
        <group name="Admin"></group>
      </security-role-mapping>
      <security-role-mapping name="sr_Member">
        <group name="Member"></group>
      </security-role-mapping>
      <jazn provider="XML">
        <property name="role.mapping.dynamic" value="true"></property>
        <property name="custom.loginmodule.provider" value="true"></property>
      </jazn>
      <namespace-access>
        <read-access>
          <namespace-resource root="">
            <security-role-mapping name="sr_Admin">
              <group name="Admin"/>
              <group name="Member"/>
            </security-role-mapping>
          </namespace-resource>
        </read-access>
        <write-access>
          <namespace-resource root="">
            <security-role-mapping name="sr_Admin">
              <group name="Admin"/>
              <group name="Member"/>
            </security-role-mapping>
          </namespace-resource>
        </write-access>
      </namespace-access>
    </orion-application>
    My essentially auto-generated EJB 3 client does the following :-
          Hashtable env = new Hashtable();
          env.put(Context.SECURITY_PRINCIPAL, "matt.shannon");
          env.put(Context.SECURITY_CREDENTIALS, "welcome1");
          final Context context = new InitialContext(env);
          KRFacade kRFacade = (KRFacade)context.lookup("KRFacade");
    ...
    And throws the error
    20/04/2007 00:55:37 oracle.j2ee.rmi.RMIMessages EXCEPTION_ORIGINATES_FROM_THE_REMOTE_SERVER
    WARNING: Exception returned by remote server: {0}
    javax.naming.NoPermissionException: Not allowed to look up KRFacade, check the namespace-access tag setting in orion-application.xml for details
         at com.evermind.server.rmi.RMIClientConnection.handleLookupResponse(RMIClientConnection.java:819)
         at com.evermind.server.rmi.RMIClientConnection.handleOrmiCommandResponse(RMIClientConnection.java:283)
    ....
    I can see from the console that the user was successfully authenticated :-
    20/04/2007 00:55:37 kr.security.KnowRushLoginModule validate
    WARNING: [KnowRushLoginModule] User matt.shannon authenticated
    And that user is granted both the Admin, and Member roles.
    The test servlet using basic authentication correctly detects the user and roles perfectly...
      public void doGet(HttpServletRequest request,
                        HttpServletResponse response)
        throws ServletException, IOException {
        LOGGER.log(Level.INFO, LOGPREFIX + "doGet called");
        response.setContentType(CONTENT_TYPE);
        PrintWriter out = response.getWriter();
        out.println("<html>");
        out.println("<head><title>ExampleServlet</title></head>");
        out.println("<body>");
        out.println("<p>The servlet has received a GET. This is the reply.</p>");
        // Identity and role checks as seen by the container after the custom login module ran
        out.println("<br> getRemoteUser = " + request.getRemoteUser());
        out.println("<br> getUserPrincipal = " + request.getUserPrincipal());
        out.println("<br> isUserInRole('sr_Admin') = " + request.isUserInRole("sr_Admin"));
        out.println("<br> isUserInRole('sr_Member') = " + request.isUserInRole("sr_Member"));
        out.println("</body></html>");
      }
    Anyone got any ideas what could be going wrong?
    cheers
    Matt.

    Thanks for the response. I checked out your blog and tried your suggestions. I'm sure it works well in standalone OC4J, but i was still unable to get it to function correctly from JDeveloper embedded.
    Did you ever get the code working directly from JDeveloper?
    Your custom code essentially seems to be the equivalent of a grant within system-jazn-data.xml.
    For example, the following grant to a custom jaas role (JAAS_ADMIN) that gets added by my custom login module gives them rmi login access :-
         <grant>
              <grantee>
                   <principals>
                        <principal>
                             <realm-name>jazn.com</realm-name>
                             <type>role</type>
                             <class>kr.security.principals.KRRolePrincipal</class>
                             <name>JAAS_Admin</name>
                        </principal>
                   </principals>
              </grantee>
              <permissions>
                   <permission>
                        <class>com.evermind.server.rmi.RMIPermission</class>
                        <name>login</name>
                   </permission>
              </permissions>
         </grant>
    If I add the following to orion-application.xml
      <!-- Granting login permission to users accessing this EJB. -->
      <namespace-access>
        <read-access>
          <namespace-resource root="">
            <security-role-mapping>
              <group name="JAAS_Admin"></group>
            </security-role-mapping>
          </namespace-resource>
        </read-access>
    Running a standalone client against the embedded jdev oc4j server gives the namespace-access error.
    I tried out your code by essentially creating a static reference to a singleton class that does the role lookup/provisioning with rmi login grant :-
    From custom login module :-
      // Fields of the login module: one shared helper that provisions the RMI-connect role
      private static KRSecurityHelper singleton = new KRSecurityHelper();
      protected Principal[] m_Principals;
      ...
      // Inside login()/commit(): hand the provisioned role to the container as a principal
      Vector v = new Vector();
      v.add(singleton.getCustomRmiConnectRole());
      // set principals in LoginModule
      m_Principals = (Principal[]) v.toArray(new Principal[v.size()]);
    Singleton class :-
    package kr.security;
    import com.evermind.server.rmi.RMIPermission;
    import java.util.logging.Level;
    import java.util.logging.Logger;
    import oracle.security.jazn.JAZNConfig;
    import oracle.security.jazn.JAZNException;
    import oracle.security.jazn.policy.Grantee;
    import oracle.security.jazn.policy.JAZNPolicy;
    import oracle.security.jazn.realm.Realm;
    import oracle.security.jazn.realm.RealmManager;
    import oracle.security.jazn.realm.RealmRole;
    import oracle.security.jazn.realm.RoleManager;
    public class KRSecurityHelper {
      private static final Logger LOGGER = Logger.getLogger("kr.security");
      private static final String LOGPREFIX = "[KRSecurityHelper] ";
      public static String CUSTOM_RMI_CONNECT_ROLE = "remote_connect";
      private RealmRole m_Role = null;
      public KRSecurityHelper() {
        LOGGER.log(Level.FINEST, LOGPREFIX + "calling JAZNConfig.getJAZNConfig");
        JAZNConfig jc = JAZNConfig.getJAZNConfig();
        LOGGER.log(Level.FINEST, LOGPREFIX + "calling jc.getRealmManager");
        RealmManager realmMgr = jc.getRealmManager();
        try {
          // Get the default realm .. e.g. jazn.com
          LOGGER.log(Level.FINEST, LOGPREFIX + "calling jc.getDefaultRealm");
          Realm r = realmMgr.getRealm(jc.getDefaultRealm());
          LOGGER.log(Level.INFO, LOGPREFIX + "default realm: " + r.getName());
          // Access the role manager for the remote connection role
          LOGGER.log(Level.FINEST, LOGPREFIX + "calling default_realm.getRoleManager");
          RoleManager roleMgr = r.getRoleManager();
          LOGGER.log(Level.INFO, LOGPREFIX + "looking up custom role '" + CUSTOM_RMI_CONNECT_ROLE + "'");
          RealmRole rmiConnectRole = roleMgr.getRole(CUSTOM_RMI_CONNECT_ROLE);
          if (rmiConnectRole == null) {
            LOGGER.log(Level.INFO, LOGPREFIX + "role does not exist, create it...");
            rmiConnectRole = roleMgr.createRole(CUSTOM_RMI_CONNECT_ROLE);
            LOGGER.log(Level.FINEST, LOGPREFIX + "constructing new grantee");
            Grantee gtee = new Grantee(rmiConnectRole);
            LOGGER.log(Level.FINEST, LOGPREFIX + "constructing login rmi permission");
            RMIPermission login = new RMIPermission("login");
            LOGGER.log(Level.FINEST, LOGPREFIX + "constructing subject.propagation rmi permission");
            RMIPermission subjectprop = new RMIPermission("subject.propagation");
            // make policy changes: grant both RMI permissions to the new role
            LOGGER.log(Level.FINEST, LOGPREFIX + "calling jc.getPolicy");
            JAZNPolicy policy = jc.getPolicy();
            if (policy != null) {
              LOGGER.log(Level.INFO, LOGPREFIX
                + "add to policy grant for RMI 'login' permission to " + CUSTOM_RMI_CONNECT_ROLE);
              policy.grant(gtee, login);
              LOGGER.log(Level.INFO, LOGPREFIX
                + "add to policy grant for RMI 'subject.propagation' permission to " + CUSTOM_RMI_CONNECT_ROLE);
              policy.grant(gtee, subjectprop);
              // re-read the role so we hold the persisted instance
              m_Role = roleMgr.getRole(CUSTOM_RMI_CONNECT_ROLE);
              LOGGER.log(Level.INFO, LOGPREFIX + m_Role.getName() + ":" + m_Role.getFullName());
            } else {
              LOGGER.log(Level.WARNING, LOGPREFIX + "Cannot find jazn policy!");
            }
          } else {
            LOGGER.log(Level.INFO, LOGPREFIX + "custom role already exists");
            m_Role = rmiConnectRole;
          }
        } catch (JAZNException e) {
          LOGGER.log(Level.WARNING, LOGPREFIX + "Cannot configure JAZN for remote connections", e);
        }
      }
      public RealmRole getCustomRmiConnectRole() {
        return m_Role;
      }
    }
    Using the code approach and switching application.xml across so that namespace access is for the group remote_connect, I get the following error from my bean :-
    INFO: Login permission not granted for current-workspace-app (test.user)
    Thus, the login permission that I'm adding through the custom remote_connect role does not seem to work. Even if it did, i'm pretty sure I would still get that namespace error.
    This has been such a frustrating process. All the custom login module samples using embedded JDeveloper show simple j2ee servlet protection based on settings in web.xml.
    There are no samples showing jdeveloper embedded oc4j using ejb with custom login modules.
    Hopefully the oc4j jdev gurus like Frank can write a paper that demonstrates this.
    Matt.

  • How to get Custom Login Module to communicate with frontendtarget

    We have created a custom login module and placed it in our login module stack.
    So we have the following 3 Login Modules in our stack:
    EvaluateTicketModule
    OurCustomLoginModule
    CreateTicketModule
    Also we are using the standard SAP login screen for our frontendtarget, see our authschemes.xml entry:
    <authscheme name="cglogon">
                <authentication-template>
                    form
                </authentication-template>
                <priority>21</priority>
                <frontendtype>2</frontendtype>
                <frontendtarget>com.sap.portal.runtime.logon.certlogon</frontendtarget>
            </authscheme>
    Question:
    There are standard screens in the SAP login PAR:
                changePasswordPage.jsp
                umLogonProblemPage.jsp
                umResetPasswordPage.jsp
    How do I trigger one of these screens from my Login() method of my
    custom login module?  I thought if I throw some specific exception, these screens would
    be called?

    A bit more info. 
    We created a new Authentication Scheme for certain iviews that are deemed more "sensitive" that required a step-up authentication. 
    I changed the Iview property "Authentication Scheme" to our custom one.
    If I navigate into one of these more sensitive Iviews, I get the standard SAP login screen: <frontendtarget>com.sap.portal.runtime.logon.certlogon</frontendtarget>
    Which is what I expect.
    I enter a username and password and click the Logon button. I see that it successfully hits our custom login module and goes through the login() and commit() methods and finally displays the iView I originally requested.
    However, on a failure, I want it to return focus to the SAP login screen with an error explaining why... (i.e. wrong password, account locked, etc.)
    However, it always gives an iView runtime exception with Access Denied.
    #1.5 #0018FE8C6FD800690000029000004D6C00045B6E5E7D6014#1226429496628#com.sap.engine.services.security.authentication.logincontext#sap.com/irj#com.sap.engine.services.security.authentication.logincontext#JOHNDOE#182##servername_EPX_176065950#JOHNDOE#bb3365a0b02111ddabea0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_24##0#0#Debug##Java###Login module {0} from authentication stack {1} does not authenticate the caller.#2#companyname.com.CGLoginModuleClass#form#
    #1.5 #0018FE8C6FD800690000029100004D6C00045B6E5E7D6275#1226429496629#com.sap.engine.services.security.authentication.loginmodule.ticket.EvaluateTicketLoginModule#sap.com/irj#com.sap.engine.services.security.authentication.loginmodule.ticket.EvaluateTicketLoginModule.abort()#JOHNDOE#182##servername_EPX_176065950#JOHNDOE#bb3365a0b02111ddabea0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_24##0#0#Path##Plain###Entering method#
    #1.5 #0018FE8C6FD800690000029200004D6C00045B6E5E7D6308#1226429496629#com.sap.engine.services.security.authentication.loginmodule.ticket.EvaluateTicketLoginModule#sap.com/irj#com.sap.engine.services.security.authentication.loginmodule.ticket.EvaluateTicketLoginModule#JOHNDOE#182##servername_EPX_176065950#JOHNDOE#bb3365a0b02111ddabea0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_24##0#0#Debug##Plain###Internal Login Module data has been reset.#
    #1.5 #0018FE8C6FD800690000029300004D6C00045B6E5E7D6386#1226429496629#com.sap.engine.services.security.authentication.loginmodule.ticket.EvaluateTicketLoginModule#sap.com/irj#com.sap.engine.services.security.authentication.loginmodule.ticket.EvaluateTicketLoginModule#JOHNDOE#182##servername_EPX_176065950#JOHNDOE#bb3365a0b02111ddabea0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_24##0#0#Path##Java###Exiting method with {0}#1#true#
    #1.5 #0018FE8C6FD800690000029400004D6C00045B6E5E7D6438#1226429496629#com.sap.engine.services.security.authentication.loginmodule.ticket.CreateTicketLoginModule#sap.com/irj#com.sap.engine.services.security.authentication.loginmodule.ticket.CreateTicketLoginModule.abort()#JOHNDOE#182##servername_EPX_176065950#JOHNDOE#bb3365a0b02111ddabea0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_24##0#0#Path##Plain###Entering method#
    #1.5 #0018FE8C6FD800690000029500004D6C00045B6E5E7D64B2#1226429496629#com.sap.engine.services.security.authentication.loginmodule.ticket.CreateTicketLoginModule#sap.com/irj#com.sap.engine.services.security.authentication.loginmodule.ticket.CreateTicketLoginModule#JOHNDOE#182##servername_EPX_176065950#JOHNDOE#bb3365a0b02111ddabea0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_24##0#0#Path##Java###Exiting method with {0}#1#true#
    #1.5 #0018FE8C6FD800690000029700004D6C00045B6E5E7D6750#1226429496630#com.sap.engine.services.security.authentication.logincontext#sap.com/irj#com.sap.engine.services.security.authentication.logincontext#JOHNDOE#182##servername_EPX_176065950#JOHNDOE#bb3365a0b02111ddabea0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_24##0#0#Info#1#/System/Security/Authentication#Plain###LOGIN.FAILED
    User: N/A
    Authentication Stack: form
    Login Module                                                               Flag        Initialize  Login      Commit     Abort      Details
    1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule             SUFFICIENT  ok          exception             true       authscheme not sufficient: uidpwdlogon<cglogon
            \#1 ume.configuration.active = true
    2. companyname.com.CGLoginModuleClass                                         REQUISITE   ok          exception             true       Authentication did not succeed.
    3. com.sap.security.core.server.jaas.CreateTicketLoginModule               OPTIONAL    ok                                true      
            \#1 ume.configuration.com = true#
    #1.5 #0018FE8C6FD800690000029900004D6C00045B6E5E7DA973#1226429496647#System.err#sap.com/irj#System.err#JOHNDOE#182##servername_EPX_176065950#JOHNDOE#bb3365a0b02111ddabea0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_24##0#0#Error##Plain###Nov 11, 2008 10:51:36...                    com.sap.portal.portal [SAPEngine_Application_Thread[impl:3]_24] Error: Exception ID:10:51_11/11/08_0002_176065950
    #1.5 #0018FE8C6FD800690000029B00004D6C00045B6E5E7DCA91#1226429496647#com.sap.portal.portal#sap.com/irj#com.sap.portal.portal#JOHNDOE#182##servername_EPX_176065950#JOHNDOE#bb3365a0b02111ddabea0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_24##0#0#Error#1#/System/Server#Java###Exception ID:10:51_11/11/08_0002_176065950
    [EXCEPTION]
    {0}#1#com.sapportals.portal.prt.runtime.PortalRuntimeException: Access is denied: pcd:portal_content/com.companyname.portal.capitalgroup/com.companyname.com.security/com.companyname.portal.cghressnaaa/com.sap.pct.ess.employee_self_service/com.companyname.pg_sensitiveWebdynpro/com.cg.ivu_saplogon_0 - user: Guest
         at com.sapportals.portal.prt.deployment.DeploymentManager.getPropertyContentProvider(DeploymentManager.java:1936)
         at com.sapportals.portal.prt.core.broker.PortalComponentContextItem.refresh(PortalComponentContextItem.java:230)
         at com.sapportals.portal.prt.core.broker.PortalComponentContextItem.getContext(PortalComponentContextItem.java:312)
         at com.sapportals.portal.prt.component.PortalComponentRequest.getComponentContext(PortalComponentRequest.java:385)
         at com.sapportals.portal.prt.connection.PortalRequest.getRootContext(PortalRequest.java:435)
         at com.sapportals.portal.prt.core.PortalRequestManager.runRequestCycle(PortalRequestManager.java:607)
         at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:240)
         at com.sapportals.portal.prt.dispatcher.Dispatcher$doService.run(Dispatcher.java:545)
    and here's my login method...
         public boolean login() throws javax.security.auth.login.LoginException {
              this.succeeded = false;
              String passwordString = "";
              if (callbackHandler == null) {
                   throw new LoginException("Error: no CallbackHandler available to garner authentication information from the user");
              }
              HttpGetterCallback httpgettercallback = new HttpGetterCallback();
              NameCallback nc = new NameCallback("User:");
              PasswordCallback pc = new PasswordCallback("Password:", false);
              Callback[] callbacks = new Callback[] { nc, pc };
              try {
                   callbackHandler.handle(callbacks);
              } catch (IOException e) {
                   throwUserLoginException(e, LoginExceptionDetails.IO_EXCEPTION);
              } catch (UnsupportedCallbackException e) {
                   // this handler cannot supply name/password callbacks: this module is ignored
                   return false;
              }
              String userid = nc.getName();
              // getPassword() returns a copy, so the callback can be cleared right away;
              // it returns null when nothing was entered, hence the null checks below
              char[] password = pc.getPassword();
              pc.clearPassword();
              if (userid == null || userid.length() == 0) {
                   throwNewLoginException("USERID IS MISSING!", LoginExceptionDetails.IO_EXCEPTION);
              } else {
                   username = userid;
              }
              if (password == null || password.length == 0) {
                   throwNewLoginException("PASSWORD IS MISSING!", LoginExceptionDetails.NO_PASSWORD);
              } else {
                   passwordString = new String(password);
              }
              // empty result string means the back-end (ECC) check accepted the credentials
              String eccLoginResult = validateECCAuthentication(username, passwordString);
              if (!eccLoginResult.equals("")) {
                   myLoc.infoT(this.username + " - failed ECC authentication.");
                   throwNewLoginException("Wrong UserId/Password", LoginExceptionDetails.WRONG_USERNAME_PASSWORD_COMBINATION);
              } else {
                   myLoc.infoT(this.username + " - passed ECC authentication.");
                   this.succeeded = true;
              }
              if (this.succeeded) {
                   try {
                        refreshUserInfo(this.username);
                   } catch (SecurityException e) {
                        throwUserLoginException(e);
                   }
                   // publish the user name in the shared state for the next modules of the login stack
                   if (sharedState.get(AbstractLoginModule.NAME) == null) {
                        sharedState.put(AbstractLoginModule.NAME, this.username);
                        this.nameSet = true;
                   }
              } else {
                   throwNewLoginException("Wrong UserId/Password", LoginExceptionDetails.WRONG_USERNAME_PASSWORD_COMBINATION);
              }
              return this.succeeded;
         }
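
    For comparison with the login() method above, here is a complete, stand-alone JAAS login module written as an added example for this thread; it is not the poster's code and uses no SAP classes, only the javax.security.auth API. It keeps the same structure (NameCallback/PasswordCallback obtained through the CallbackHandler, the user name published in the shared state, return false when the handler cannot serve the callbacks) and shows the checks a production module needs: null-safe handling of an empty name or missing password, a constant-time comparison in the back-end check, and zeroing of the password array once it has been used. The back end is a hypothetical demoVerify() with a constructed user "alice" / "s3cret-demo" standing in for validateECCAuthentication(); the shared-state key javax.security.auth.login.name is the standard JAAS one.

```java
import java.io.IOException;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** Added example, not the poster's code: a plain-JAAS module with the same login() shape. */
public final class ExampleLoginModule implements LoginModule {
    private Subject subject;
    private CallbackHandler handler;
    private Map<String, Object> sharedState;
    private String username;
    private boolean succeeded;
    private Principal principal;

    /** Hypothetical back end standing in for validateECCAuthentication() in the post:
     *  one constructed user, SHA-256 digests compared in constant time. */
    static boolean demoVerify(String user, char[] password) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            md.update(StandardCharsets.UTF_8.encode(CharBuffer.wrap(password)));
            byte[] given = md.digest(); // digest() also resets md for the next computation
            byte[] expected = md.digest("s3cret-demo".getBytes(StandardCharsets.UTF_8));
            return "alice".equals(user) && MessageDigest.isEqual(given, expected);
        } catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }

    @Override @SuppressWarnings("unchecked")
    public void initialize(Subject subject, CallbackHandler handler, Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
        this.sharedState = (Map<String, Object>) sharedState;
    }

    @Override public boolean login() throws LoginException {
        succeeded = false;
        if (handler == null) throw new LoginException("no CallbackHandler available to collect credentials");
        NameCallback nc = new NameCallback("User:");
        PasswordCallback pc = new PasswordCallback("Password:", false);
        try {
            handler.handle(new Callback[] { nc, pc });
        } catch (IOException e) {
            throw new LoginException("I/O error while collecting credentials: " + e.getMessage());
        } catch (UnsupportedCallbackException e) {
            return false; // this handler cannot serve us; let the rest of the stack decide
        }
        String user = nc.getName();
        char[] password = pc.getPassword(); // a copy, or null when nothing was entered
        pc.clearPassword();
        try {
            // Reject an empty name or a missing password before touching the back end (no NPE on null).
            if (user == null || user.isEmpty() || password == null || password.length == 0) {
                throw new FailedLoginException("user id or password missing");
            }
            if (!demoVerify(user, password)) throw new FailedLoginException("wrong user id/password combination");
            username = user;
            succeeded = true;
            sharedState.putIfAbsent("javax.security.auth.login.name", username); // reused by later modules
            return true;
        } finally {
            if (password != null) Arrays.fill(password, '\0'); // never leave the secret in memory
        }
    }

    @Override public boolean commit() {
        if (!succeeded) return false;
        String name = username;
        principal = () -> name; // java.security.Principal has a single abstract method, getName()
        subject.getPrincipals().add(principal);
        return true;
    }
    @Override public boolean abort() { boolean wasOk = succeeded; clear(); return wasOk; }
    @Override public boolean logout() {
        if (principal != null) subject.getPrincipals().remove(principal);
        clear();
        return true;
    }
    private void clear() { username = null; succeeded = false; principal = null; }

    public static void main(String[] args) throws Exception {
        Subject subject = new Subject();
        ExampleLoginModule module = new ExampleLoginModule();
        CallbackHandler scripted = callbacks -> { // constructed input in place of a login form
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName("alice");
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword("s3cret-demo".toCharArray());
                else throw new UnsupportedCallbackException(cb);
            }
        };
        module.initialize(subject, scripted, new HashMap<>(), new HashMap<>());
        System.out.println("login=" + module.login() + " commit=" + module.commit()
                + " principal=" + subject.getPrincipals().iterator().next().getName());
    }
}
```

    Compile with javac ExampleLoginModule.java and run java ExampleLoginModule; main() drives the module through initialize/login/commit with a scripted CallbackHandler and prints the outcome. The password is only ever held as a char[] and is wiped in the finally block, which is the reason the posted method's passwordString (a String that cannot be wiped) is worth avoiding when the back-end API allows it.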

  • Custom pluggable idm with custom login module

    Hello All. I've developed a custom implementation of the pluggable identity management framework as explained in chapter 13 of the book "Oracle® Containers for J2EE Security Guide10g (10.1.3.1.0)". I have OAS 10.1.3.1.0.
    Everything works fine except when the identity is validated with in the tokenAsserter. The process is supposed to continue with the login method implemented in my custom login module but instead the default oracle implementation (RealmLoginModule) is being executed.
    The application is a servlet and is configured to use a custom loginModule. If I don't use the custom auth method (auth-method="CUSTOM_AUTH" in orion-application) my loginModule is called, but when I plug it into my custom idm implementation it isn't.
    The custom idm is packed in to a jar containing the idm and the login module. The jar is deployed to the <ORACLE_HOME>/ext/lib directory.
    Any suggestions? Thanks

    Thanks for your answer, it really helps. I had already checked all that stuff and it was correct, but knowing that another person had made it work the same way I was doing it made me think I was doing it right and the problem might be simpler. It really was. OC4J was really calling my login module all the time, but it was getting a runtime exception, a very simple one, that was making OC4J propagate the authentication to the default login module (RealmLoginModule), and that was the error I was seeing in the logs that had me all confused.
    I will start another thread though about stolen cookie in a SSO solution that I’m developing with this implementation.
    Thank you.

  • Custom login module with 10.1.3

    Hello all,
    I've been trying out Frank N's custom login module (http://www.oracle.com/technology/products/jdev/howtos/10g/jaassec/index.htm) with JDev 10.1.3/OC4J 10.1.3 and am not having much luck.
    Whenever I add <property name="role.mapping.dynamic" value="true"/> to orion-application.xml, the application fails to deploy with java.lang.InstantiationException. I even get this error when I try to set up a custom login module using the enterprise manager for OC4J 10.1.3. Is this a bug, or does the doc need to be updated? Without this item configured, I do get the basic login prompt, but no logging or anything - which indicates to me that the custom login module is not even being called. Nothing on metalink either.
    Thanks,
    John

    Hmm, I don't know... a custom login module (DB authentication) definitely works with standalone 10.1.3.0.0 and JDeveloper standalone, but it doesn't work with the JDev embedded OC4J (jdevstudio1013\jdev\system\oracle.j2ee.10.1.3.36.73\embedded-oc4j).
    I have the code, and it works.. however the application is entirely made in JDev 10.1.3.04 production, it is not migrated from a previous JDev.. make sure to deploy from a WAR file (I have problems deploying from an EAR).
    The only big problem I have is setting up SSL in a separate OC4J standalone (SSL works with JDev standalone) and making client authentication work,
    because it won't run as it should.. (I did not have this problem in 10.1.2.1)
