Custom login module - Not invoked...
Hi All
I have developed a custom login module and the necessary configuration steps in VA are performed. However, the custom login module is not called...
1. Developed a Java DC as a Child DC in a Library DC.
2. Added all the relevant jars needed as Used DC and Public Parts as required. Also updated the provider.xml with relevant references.
3. Build and Deployed. (No errors found here..)
4. In VA - Created a new Login Module.... updated the property LoginModuleClassLoaders to library:xyz where xyz is the name of the folder for deployed sda as found in cluster\j2ee\serverx\bin\ext...next updated the config tool for the same.... next modified the sap.com/irj*irj authentication as:
Basic - Requisite
CustomModule - Optional.
Then performed server restart. Yet, login module not called. Any ideas as to where I am going wrong..?? (In my login module, just trying to retrieve the user name and change their attributes like lastname etc... )
Thanks
Deepak
Issue solved....
Had forgot to add the module to the ticket stack...
Similar Messages
-
Custom login module error: Login permission not granted for myapp (myuser)
I have developed a custom login module for my application. I have followed the steps outlined in security guide and other postings. I could not log into the application when I access EJBs from an RMI client. I get the following error.
Login permission not granted for myapp (myuser)
I did grant the login permission to myuser.
I am using OC4J 10.1.3.1.0
Here are the steps I followed and the configuration files. Can anybody help me out?
1. Created a custom login module and packaged it in EAR along with other classes. In the commit method, I added my user into principals of subject. Here is the code,
==================================================================
public boolean commit() throws LoginException {
try {
if (!loginOk) {
return false;
Set<Principal> principals = subject.getPrincipals();
principals.add(user);
loginOk = true;
} finally {
// Some audit logs are written here.
return loginOk;
===============================================================
2. Added custom login module in orion-application.xml. Here are the relevant portions of orion-application.xml
===============================================================
<jazn provider="XML">
<property name="role.mapping.dynamic" value="true" />
<property name="custom.loginmodule.provider" value="true" />
<property name="role.compare.ignorecase" value="true" />
</jazn>
<jazn-loginconfig>
<application>
<name>myApp</name>
<login-modules>
<login-module>
<class>com.test.myServerLoginModule</class>
<control-flag>required</control-flag>
<options>
<option>
<name>maxRetries</name>
<value>3</value>
</option>
<option>
<name>debug</name>
<value>true</value>
</option>
</options>
</login-module>
</login-modules>
</application>
</jazn-loginconfig>
<namespace-access>
<read-access>
<namespace-resource root="">
<security-role-mapping name="myUser">
<group name="users"/>
<group name="oc4j-app-administrators"/>
</security-role-mapping>
<security-role-mapping name="esp_operator">
<group name="users"/>
<group name="oc4j-app-administrators"/>
</security-role-mapping>
</namespace-resource>
</read-access>
</namespace-access>
===============================================================
3. After the application is deployed on the EAR, I can see the custom login module in system-jazn-data.xml. The command line jazn admin tool lists my custom login module for my application.
4. I have an RMI client, the client JNDI properties are
==============================================================
java.naming.factory.initial=oracle.j2ee.naming.ApplicationClientInitialContextFactory
java.naming.factory.url.pkgs=oracle.j2ee.naming
==============================================================
The value for java.naming.provider.url is constructed dynamically and it is ormi://myserver:23791/myapp
java.naming.security.principal is set to the user who is trying to login, myuser, in this case.
java.naming.security.credentials is set to the password entered by myuser, password in this case.
5. I used jazn admin tool to grant login permission to my user.
===============================================================
a. Added user
java -jar jazn.jar -user oc4jadmin -password welcome -adduser jazn.com myuser password
b. Grant roles
java -jar jazn.jar -user oc4jadmin -password welcome -grantrole users ja
zn.com myuser
java -jar jazn.jar -user oc4jadmin -password welcome -grantrole oc4j-app
-administrators jazn.com myuser
c. Grant RMI permission
java -jar jazn.jar -user oc4jadmin -password welcome -grantperm jazn.com
-user myuser com.evermind.server.rmi.RMIPermission login
===============================================================
After the permission is granted, the folowing piece of XML is added to system-jazn-data.xml.
===============================================================
<grant>
<grantee>
<principals>
<principal>
<realm-name>jazn.com</realm-name>
<type>user</type>
<class>oracle.security.jazn.spi.xml.XMLRealmUser</class>
<name>jazn.com/esp_administrator</name>
</principal>
</principals>
</grantee>
<permissions>
<permission>
<class>com.evermind.server.rmi.RMIPermission</class>
<name>login</name>
</permission>
</permissions>
</grant>
==============================================================
My principal class is not of type, oracle.security.jazn.spi.xml.XMLRealmUser. Hence, I changed system-jazn-data.xml to include com.test.MyUser instead of oracle.security.jazn.spi.xml.XMLRealmUser. Either way, I get Not Authorized and Login permission not granted for myapp (myuser).
Can anybody help me out, please?
Thank you,
Sri
Message was edited by:
user532586I finally got it to work. But I have a problem granting RMI Permission "login", if the depth of my Principal class within the inheritance hierarachy is more than one. My hierarachy of my principal class is
Object --> ObjectA --> ObjectB --> ObjectC --> ObjectD
ObjectD is my principal class. ObjectB implements java.security.Principal. ObjectA has implementations for methods equals, hashcode and toString. ObjectB has implementations for getName.
When I try to grant RMI permission for ObjectD, I get an error that says null.
If I override the methods, equals, hashcode, toString, and getName in ObjectD and provide implementations, I still could not grant permission using jazn tool. I get error that says null. If I update the system-jazn-data.xml with the following grant tag, I could get into the application without any errors.
<grant>
<grantee>
<principals>
<principal>
<class>com.test.ObjectD</class>
<name>developers</name>
</principal>
</principals>
</grantee>
<permissions>
<permission>
<class>com.evermind.server.rmi.RMIPermission</class>
<name>login</name>
</permission>
</permissions>
</grant>
If I create a new class, myPrincipal that implements java.security.Principal, I donot have any problems. I can grant permission and access application.
Any ideas why I could not use ObjectD as my principal class for granting RMI permission?
Message was edited by:
user532586 -
Custom Login Module Does Not Work
Hello,
Can someone give me some suggestions on what I should look at to fix the following error. I created jaas custom login module. Within the module I authenticate against an active directory. I've put many trace statements throughout the login module code. So I can actually follow everystep of the way through the login process. The user authenticates correctly and in the commit() method of the login module, the security principal is created and added to the principals and true is returned from the method. Everything looks like it worked correctly... but the user doesn't actually get into the portal. The login screen is redisplayed. This login module is the only login module in the stack being used to authenticate. According to the tracing, everything should of worked. Does anyone have any suggestions on what I should look at?
thanks,
Keith
NW04 SP14Marcel,
The reason we are using a custom login is we want to handle different situations when logging in, for example, if a password is expired we re-direct to a change password page that allows the user to update their password.
In our EP6 sp2 environment, this is working. I then recoded the login module so it would work in NW04, be we are having no luck.
Here is the weird thing, it works on some userid's but not on others. For example, with a userid like "kjanks" it works fine. But with a userid like "t.portal08" it fails, then your back at the login screen with the userid field displaying the userid, but the password field is empty. You can then click the login button again without doing anything else and then it works and you get in the portal. So it seems like the "." in the one userid is causing trouble.
Any Ideas?
thanks,
Keith -
Security constraints not being applied after using custom login module
I am using form based authentication and I applied the custom login module - DBProcLoginModule to work with the embedded OC4J (JDeveloper 10.1.3.2). I have specified two security contraints in web.xml. The authentication is working correctly, however the security contraints are not being applied. All users are able to access all url resources. The security constraints were working properly before applying the custom login module. Pls help.
LeenaHi,
if "All users are able to access all url resources" then this indicates that the RL isn't properly protected. If the authorization would fail then noone would have access and you would see error code 401
Make sure the role names in web.xml are the same as added by the LoginModule. Also make sure you set the dynamic.role property and the custom security provider property in the orion-application.xml
<jazn provider="XML">
<property name="custom.loginmodule.provider" value="true"/>
<property name="role.mapping.dynamic" value="true"/>
</jazn>
Note that the above is not required (because done automatically) if the custom LoginModule configuration is deployed through the orion-application.xml file
Frank -
Custom login module Authentication works but Authorization Does not work
Hi:
I am using custom login module and switched on the ADF authentication using adf-config.xml file. My custom authentication works i.e. it returns true but when it finally tries to display the page 401 Unauthorized message is shown. I am using JDev 10.1.3.2.
Is there any other settings I need to perform. Could you please let me know.
ThanksI have the same issue, please refer to this thread.
Re: ADF Security Authorization -
Callbacks does not work in custom login module
Hi,
We are upgrading portal from 7.01 to 7.31. I am working on custom login module.
I am using NameCallBack, PasswordCallback and httpcallback (prior to upgrade used webCallback which is deprecated in 7.31)
All these three callbacks works fine in our sandbox which uses Portal Database as UME, But same code fails and returns NULL for callbacks in Dev system where we use Active Directory.
//In initialize(Subject subject, CallbackHandler callbackHandler, Map sharedState, Map options)
super.initialize(subject, callbackHandler, sharedState, options);
this.callbackHandler = callbackHandler;
// in logion()
NameCallback nameCallback = new NameCallback("User name: ");
PasswordCallback passwordCallback = new PasswordCallback("Password: ", true);
try
callbackHandler.handle(new Callback[] { nameCallback, passwordCallback });
Any ideas will be appreciated.
Thanks,
DileepShould be fixed in 4.5. Set mouseEnabled=true on the Panel
-
Netweaver04 : Custom Login Module . Visual Admin : class not found
Hi all ,
using the Sneak Preview of Netweaver04 and Portal .
Coded a Custom Login Module via the TechEd04 example and deployed it to the portal with security_api.jar attached ...works great .
BUT when I try to login to the Visual Admin tool it cannot find the JARS I have put in admin/lib and I get a NoClassDefFound error on a class in security_api.jar .
How do I get the Visual Admin tool to find that JAR ?
Regards
DanielHi Daniel,
sounds like a reference is missing.
Check this:
http://help.sap.com/saphelp_nw04/helpdata/en/2b/23e4407211732ae10000000a155106/frameset.htm
Regards, Karsten -
JAAS Custom Login Modules does not run on JDev/OC4J 10.1.3, pls help...
Hi all,
I trying to use Custom Login Modules as described on :
http://www.oracle.com/technology/products/jdev/howtos/10g/jaassec/index.htm
I open the DBLMTest.jws in JDeveloper 10.1.3.1, after completing the required steps, I try deploy it into OC4J Stand alone 10.1.3.
I get ERROR :
application : foo is in failed state
Operation failed with error:
java.lang.InstantiationException
The cause of the error is the two lines below that I add into orion-application.xml :
<property name="role.mapping.dynamic" value="true"/>
<property name="jaas.username.simple" value ="true" />
If I remove the two lines, it deploys succesfully.
Please helpp... I have to implement security in our apps very soon....
Thank you very much,
xtanto
The complete trace of deployment error :
---- Deployment started. ---- Apr 4, 2007 5:25:19 PM
Target platform is Standalone OC4J 10g 10.1.3 (oc4j_oracle).
Wrote WAR file to D:\_JDEV1013.APPs\jaasdatabaseloginmodule\JDeveloper1012Workspaces\DBLMTest\Project\deploy\DBLMTest.war
Wrote EAR file to D:\_JDEV1013.APPs\jaasdatabaseloginmodule\JDeveloper1012Workspaces\DBLMTest\Project\deploy\DBLMTest.ear
Uploading file foo.ear ...
Uploading file foo.ear ...
Application Deployer for foo STARTS.
Copy the archive to C:\OC4J\j2ee\home\applications\foo.ear
Initialize C:\OC4J\j2ee\home\applications\foo.ear begins...
Unpacking foo.ear
Done unpacking foo.ear
Unpacking DBLMTest.war
Done unpacking DBLMTest.war
Initialize C:\OC4J\j2ee\home\applications\foo.ear ends...
Starting application : foo
Initializing ClassLoader(s)
Initializing EJB container
Loading connector(s)
application : foo is in failed state
Operation failed with error:
java.lang.InstantiationException
Deployment failed
Elapsed time for deployment: 4 secondsHello there again xtanto,
I blogged about this last year - perhaps you could run over to http://stegemanoracle.blogspot.com and have a look. I'd send you the exact link, but I cannot access blogspot from work.
John -
Custom Login Module with Adf 11g and and weblogic server
I have configured adf security on my application. I have checked the authentication and authorization are working fine with the default authenticator.
I am trying to create a custom login module. I have downloaded the custom login module implementation jaasdatabaseloginmodule.zip http://www.oracle.com/technetwork/developer-tools/jdev/index-089689.html. I have added the DBLoginModule.jar to my application. post written by Frank Nimphius and Duncan Mills
I have configured the jps config under the application resources with these entries.
<jpsConfig xmlns="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd">
<property value="true" name="custom.provider"/>
<property value="doasprivileged" name="oracle.security.jps.jaas.mode"/>
<serviceInstance name="CustomFFMLoginModule"
provider="jaas.login.provider">
<property name="jaas.login.controlFlag" value="REQUIRED"/>
<property name="log.level" value="FINEST"/>
<property name="debug" value="true"/>
<property name="addAllRoles" value="true"/>
<property name="loginModuleClassName"
value="oracle.sample.dbloginmodule.DBTableLM.ALSDBTableLoginModule"/>
<property value="jdbc/ApplicationDBDS" name="data_source_name"/>
</serviceInstance>
<jpsContexts default="FFMSecurityDAM">
<jpsContext name="FFMSecurityDAM">
<serviceInstanceRef ref="CustomFFMLoginModule"/>
<serviceInstanceRef ref="credstore"/>
<serviceInstanceRef ref="anonymous"/>
<serviceInstanceRef ref="policystore.xml"/>
</jpsContext>
When I run the application this custom login is not getting invoked.
I even tried to add these contents to DefaultDomain\config\fmwconfig\jps-config.xml still no result.
Can anyone who has configured custom login module direct me how to correct my application.Hi Frank,
After following the documentation suggested. I am able to create custom authenticator. But when I login I getting the below exception. When I debugged login method returned true. But this error is being thrown after that. Any clue.
java.lang.IllegalArgumentException: [Security:097531]Method com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principals) was unable to sign a principal
at com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(PrincipalValidationServiceImpl.java:188)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.bea.common.security.internal.utils.Delegator$ProxyInvocationHandler.invoke(Delegator.java:57)
at $Proxy10.sign(Unknown Source)
at weblogic.security.service.internal.WLSIdentityServiceImpl.getIdentityFromSubject(WLSIdentityServiceImpl.java:63)
at com.bea.common.security.internal.service.JAASLoginServiceImpl.login(JAASLoginServiceImpl.java:119)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.bea.common.security.internal.utils.Delegator$ProxyInvocationHandler.invoke(Delegator.java:57)
at $Proxy16.login(Unknown Source)
at weblogic.security.service.internal.WLSJAASLoginServiceImpl$ServiceImpl.login(WLSJAASLoginServiceImpl.java:91)
at com.bea.common.security.internal.service.JAASAuthenticationServiceImpl.authenticate(JAASAuthenticationServiceImpl.java:82)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.bea.common.security.internal.utils.Delegator$ProxyInvocationHandler.invoke(Delegator.java:57)
at $Proxy34.authenticate(Unknown Source)
at weblogic.security.service.WLSJAASAuthenticationServiceWrapper.authenticate(WLSJAASAuthenticationServiceWrapper.java:40)
at weblogic.security.service.PrincipalAuthenticator.authenticate(PrincipalAuthenticator.java:348)
at weblogic.servlet.security.internal.SecurityModule.checkAuthenticate(SecurityModule.java:237)
at weblogic.servlet.security.internal.SecurityModule.checkAuthenticate(SecurityModule.java:186)
at weblogic.servlet.security.internal.FormSecurityModule.processJSecurityCheck(FormSecurityModule.java:254)
at weblogic.servlet.security.internal.FormSecurityModule.checkUserPerm(FormSecurityModule.java:209)
at weblogic.servlet.security.internal.FormSecurityModule.checkAccess(FormSecurityModule.java:92)
at weblogic.servlet.security.internal.ServletSecurityManager.checkAccess(ServletSecurityManager.java:82)
at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2204)
at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2174)
at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1446)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:173) -
Deploying a custom login module to the J2EE engine
I have developed a custom login module, and want to deploy it to the SAP j2ee engine. How should I go about this ? I tried packaging it as a jar and then using the deploytool, went into user management to register the module, but when the module was invoked I got an error in the log saying "Cannot load a login module".
The way I currently deploy it is packaged with the Example Calculator, and this works. I just add my 2 java files into the web module (in com.sap.examples.calculator.beans) and it gets packaged in the war file.
Can anyone help with the "proper" way of deploying my module ?
Thanks in advanceHi Brad,
>
> What I'm actually trying to do is NOT deploy my
> custom login module with an application. But rather
> deploy the jar file as a library to the J2EE engine,
> so that any application can use it by configuring it
> in their login stacks. I'm still not totally clear
> whether this is possible or not.
Once again - It is possible to deploy the login module as a library to the J2EE Engine; furthermore, this is the PREFERRED way to use login modules!
>
> What I have currently done:
>
> 1. developed custom login module packaged as a jar in
> NW studio (2 class files)
>
> 2. Using deploytool I deploy the jar as a library to
> the j2ee engine. This works and the library shows up
> under the libraries section.
>
> 3. Register the login module in the user
> management->manage security stores section. I'm
> unsure if this works properly. Do I just provide the
> full path to the required class ? For example
> "com.example.myloginmodule.LoginModule"
> I have a suspicion that my error of "cannot load a
> login module" stems from here.
>
> 4. I have then followed your step and added a
> reference to the libray (Hard reference) and this
> seems ok.
>
Sorry, Brad, I've made a mistake here. You need to set a reference from the Security Provider Service to the library that contains the login module (not from the application). To do that at runtime, you'll have to use the Configuration Adapter service on the J2EE Engine. For a description of the procedure, see this page in the documentation: http://help.sap.com/saphelp_nw04/helpdata/en/dd/1e3a3e5069eb6ce10000000a114084/frameset.htm
You need to provide additional entry of the following type in the security-provider.xml file:
<reference type="library" strength="weak">
Your-library-name-here
</reference>
Regards,
Ivo.
Message was edited by: Ivaylo Ivanov -
Dynamic System Resolution and Custom Login Modules
I'm trying to achieve the following, and wondered whether anyone could validate that is possible, and possible solutions.
We want to use Dynamic System Resolution to programatically determine which system alias (and therefore which R3 client) should be returned based on the user. So far so good.
When the user logs in, we want them to be able to specify which R3 client they wish to use whilst logged in to EP. We are considering writing a custom login module to do this, which will strip the client the user wishes to use out of the j_user username, and stores the client value *somewhere* so that the Dynamic System Resolution code can access it and base the system alias it returns on the user's prefered client.
Considering the DSR code only has access to the IUser object it would be handy if our login module could store the prefered client as an attribute in the IUser object. Is it possible to set custom attributes in custom login modules for a given user?
We want to do this to avoid having to have an EP instance per client in a given R3 system, and to avoid duplicating worksets by creating delta linked copies and overriding the client number.
Any suggestions?
Cheers,
SteveHello,
Before even doing such an elaborated construction, I do not succeed in writing a working Dynamic System Resolution.
The service doing the resolution is never called when the method getSystemID() is invoked.
I know that the registry is read (I first test with a system alias which was in the PCD and get an error when debugging, I forget that you cannot use the same system alias in the PCD and in the Dynamic System Resolution service) but afterward the resolving service is not called.
Has anyone an idea ?
Thanks a lot
Best regards
Richard -
Help - using custom login module with embedded jdev oc4j to access ejb 3
Hi All (Frank ??),
I'm just wondering if anyone has successfully been able to leverage a custom login module in combination
with a client that connects to a local EJB 3 stateless session bean through Jdeveloper 10.1.3.2's embedded oc4j.
I have spent 2+ days trying to get this to work - and i think I resound now to the fact im going to
have to deploy to oc4j standalone instead.
I got close.. but finally was trumped with the following error from the client trying to access the ejb:-
javax.naming.NoPermissionException: Not allowed to look up XXXXXX, check the namespace-access tag
setting in orion-application.xml for details.
Using the various guides available, I had no problem getting the custom login module working
with a local servlet running from JDev's embedded oc4j.. however with ejb - no such luck.
I have a roles table (possible values Member, Admin) - that maps to sr_Member and sr_Admin
respectively in various config files.
I'm using EJB 3 annotations for protecting methods .. for example
@RolesAllowed("sr_Member")
Steps that I had to do so far :-
In <jdevhome>\jdev\system\oracle.jwee.10.1.3.40.66\embedded-oc4j\config\system-jazn-data.xml1) Add custom login module
<application>
<name>current-workspace-app</name>
<login-modules>
<login-module>
<class>kr.security.KnowRushLoginModule</class>
<control-flag>required</control-flag>
<options>
<option>
<name>dataSource</name>
<value>jdbc/DB_XE_KNOWRUSHDS</value>
</option>
<option>
<name>user.table</name>
<value>users</value>
</option>
<option>
<name>user.pk.column</name>
<value>id</value>
</option>
<option>
<name>user.name.column</name>
<value>email_address</value>
</option>
<option>
<name>user.password.column</name>
<value>password</value>
</option>
<option>
<name>role.table</name>
<value>roles</value>
</option>
<option>
<name>role.to.user.fk.column</name>
<value>user_id</value>
</option>
<option>
<name>role.name.column</name>
<value>name</value>
</option>
</options>
</login-module>
</login-modules>
</application>2) Grant login rmi permission to roles associated with custom login module (also in system-jazn-data.xml)
<grant>
<grantee>
<principals>
<principal>
<realm-name>jazn.com</realm-name>
<type>role</type>
<class>kr.security.principals.KRRolePrincipal</class>
<name>Admin</name>
</principal>
</principals>
</grantee>
<permissions>
<permission>
<class>com.evermind.server.rmi.RMIPermission</class>
<name>login</name>
</permission>
</permissions>
</grant>
<grant>
<grantee>
<principals>
<principal>
<realm-name>jazn.com</realm-name>
<type>role</type>
<class>kr.security.principals.KRRolePrincipal</class>
<name>Member</name>
</principal>
</principals>
</grantee>
<permissions>
<permission>
<class>com.evermind.server.rmi.RMIPermission</class>
<name>login</name>
</permission>
</permissions>
</grant>3) I've tried creating various oracle and j2ee deployment descriptors (even though ejb-jar.xml and orion-ejb-jar.xml get created automatically when running the session bean in jdev).
My ejb-jar.xml contains :-
<?xml version="1.0" encoding="utf-8"?>
<ejb-jar xmlns ....
<assembly-descriptor>
<security-role>
<role-name>sr_Admin</role-name>
</security-role>
<security-role>
<role-name>sr_Member</role-name>
</security-role>
</assembly-descriptor>
</ejb-jar>Note- i'm not specifying the enterprise-beans stuff, as JDev seems to populate this automatically.
My orion-ejb-jar.xml contains ...
<?xml version="1.0" encoding="utf-8"?>
<orion-ejb-jar ...
<assembly-descriptor>
<security-role-mapping name="sr_Admin">
<group name="Admin"></group>
</security-role-mapping>
<security-role-mapping name="sr_Member">
<group name="Member"></group>
</security-role-mapping>
<default-method-access>
<security-role-mapping name="sr_Member" impliesAll="true">
</security-role-mapping>
</default-method-access>
</assembly-descriptor>My orion-application.xml contains ...
<?xml version="1.0" encoding="utf-8"?>
<orion-application xmlns ...
<security-role-mapping name="sr_Admin">
<group name="Admin"></group>
</security-role-mapping>
<security-role-mapping name="sr_Member">
<group name="Member"></group>
</security-role-mapping>
<jazn provider="XML">
<property name="role.mapping.dynamic" value="true"></property>
<property name="custom.loginmodule.provider" value="true"></property>
</jazn>
<namespace-access>
<read-access>
<namespace-resource root="">
<security-role-mapping name="sr_Admin">
<group name="Admin"/>
<group name="Member"/>
</security-role-mapping>
</namespace-resource>
</read-access>
<write-access>
<namespace-resource root="">
<security-role-mapping name="sr_Admin">
<group name="Admin"/>
<group name="Member"/>
</security-role-mapping>
</namespace-resource>
</write-access>
</namespace-access>
</orion-application>My essentially auto-generated EJB 3 client does the following :-
Hashtable env = new Hashtable();
env.put(Context.SECURITY_PRINCIPAL, "matt.shannon");
env.put(Context.SECURITY_CREDENTIALS, "welcome1");
final Context context = new InitialContext(env);
KRFacade kRFacade = (KRFacade)context.lookup("KRFacade");
...And throws the error
20/04/2007 00:55:37 oracle.j2ee.rmi.RMIMessages
EXCEPTION_ORIGINATES_FROM_THE_REMOTE_SERVER
WARNING: Exception returned by remote server: {0}
javax.naming.NoPermissionException: Not allowed to look
up KRFacade, check the namespace-access tag setting in
orion-application.xml for details
at
com.evermind.server.rmi.RMIClientConnection.handleLookupRe
sponse(RMIClientConnection.java:819)
at
com.evermind.server.rmi.RMIClientConnection.handleOrmiComm
andResponse(RMIClientConnection.java:283)
....I can see from the console that the user was successfully authenticated :-
20/04/2007 00:55:37 kr.security.KnowRushLoginModule validate
WARNING: [KnowRushLoginModule] User matt.shannon authenticated
And that user is granted both the Admin, and Member roles.
The test servlet using basic authentication correctly detects the user and roles perfectly...
public void doGet(HttpServletRequest request,
HttpServletResponse response)
throws ServletException, IOException
LOGGER.log(Level.INFO,LOGPREFIX +"doGet called");
response.setContentType(CONTENT_TYPE);
PrintWriter out = response.getWriter();
out.println("<html>");
out.println("<head><title>ExampleServlet</title></head>");
out.println("<body>");
out.println("<p>The servlet has received a GET. This is the reply.</p>");
out.println("<br> getRemoteUser = " + request.getRemoteUser());
out.println("<br> getUserPrincipal = " + request.getUserPrincipal());
out.println("<br> isUserInRole('sr_Admin') = "+request.isUserInRole("sr_Admin"));
out.println("<br> isUserInRole('sr_Memeber') = "+request.isUserInRole("sr_Member"));Anyone got any ideas what could be going wrong?
cheers
Matt.
Message was edited by:
mshannonThanks for the response. I checked out your blog and tried your suggestions. I'm sure it works well in standalone OC4J, but i was still unable to get it to function correctly from JDeveloper embedded.
Did you ever get the code working directly from JDeveloper?
Your custom code essentially seems to be the equivalent of a grant within system-jazn-data.xml.
For example, the following grant to a custom jaas role (JAAS_ADMIN) that gets added by my custom login module gives them rmi login access :-
<grant>
<grantee>
<principals>
<principal>
<realm-name>jazn.com</realm-name>
<type>role</type>
<class>kr.security.principals.KRRolePrincipal</class>
<name>JAAS_Admin</name>
</principal>
</principals>
</grantee>
<permissions>
<permission>
<class>com.evermind.server.rmi.RMIPermission</class>
<name>login</name>
</permission>
</permissions>
</grant>If I add the following to orion-application.xml
<!-- Granting login permission to users accessing this EJB. -->
<namespace-access>
<read-access>
<namespace-resource root="">
<security-role-mapping>
<group name="JAAS_Admin"></group>
</security-role-mapping>
</namespace-resource>
</read-access>Running a standalone client against the embedded jdev oc4j server gives the namespace-access error.
I tried out your code by essentially creating a static reference to a singleton class that does the role lookup/provisioning with rmi login grant :-
From custom login module :-
private static KRSecurityHelper singleton = new KRSecurityHelper();
protected Principal[] m_Principals;
Vector v = new Vector();
v.add(singleton.getCustomRmiConnectRole());
// set principals in LoginModule
m_Principals=(Principal[]) v.toArray(new Principal[v.size()]);
Singleton class :-
package kr.security;
import com.evermind.server.rmi.RMIPermission;
import java.util.logging.Level;
import java.util.logging.Logger;
import oracle.security.jazn.JAZNConfig;
import oracle.security.jazn.policy.Grantee;
import oracle.security.jazn.realm.Realm;
import oracle.security.jazn.realm.RealmManager;
import oracle.security.jazn.realm.RealmRole;
import oracle.security.jazn.realm.RoleManager;
import oracle.security.jazn.policy.JAZNPolicy;
import oracle.security.jazn.JAZNException;
public class KRSecurityHelper
private static final Logger LOGGER = Logger.getLogger("kr.security");
private static final String LOGPREFIX = "[KRSecurityHelper] ";
public static String CUSTOM_RMI_CONNECT_ROLE = "remote_connect";
private RealmRole m_Role = null;
public KRSecurityHelper()
LOGGER.log(Level.FINEST,LOGPREFIX +"calling JAZNConfig.getJAZNConfig");
JAZNConfig jc = JAZNConfig.getJAZNConfig();
LOGGER.log(Level.FINEST,LOGPREFIX +"calling jc.getRealmManager");
RealmManager realmMgr = jc.getRealmManager();
try
// Get the default realm .. e.g. jazn.com
LOGGER.log(Level.FINEST,LOGPREFIX +"calling jc.getGetDefaultRealm");
Realm r = realmMgr.getRealm(jc.getDefaultRealm());
LOGGER.log(Level.INFO,LOGPREFIX +"default realm: "+r.getName());
// Access the role manager for the remote connection role
LOGGER.log(Level.FINEST,
LOGPREFIX +"calling default_realm.getRoleManager");
RoleManager roleMgr = r.getRoleManager();
LOGGER.log(Level.INFO,LOGPREFIX +"looking up custom role '"
CUSTOM_RMI_CONNECT_ROLE "'");
RealmRole rmiConnectRole = roleMgr.getRole(CUSTOM_RMI_CONNECT_ROLE);
if (rmiConnectRole == null)
LOGGER.log(Level.INFO,LOGPREFIX +"role does not exist, create it...");
rmiConnectRole = roleMgr.createRole(CUSTOM_RMI_CONNECT_ROLE);
LOGGER.log(Level.FINEST,LOGPREFIX +"constructing new grantee");
Grantee gtee = new Grantee(rmiConnectRole);
LOGGER.log(Level.FINEST,LOGPREFIX +"constructing login rmi permission");
RMIPermission login = new RMIPermission("login");
LOGGER.log(Level.FINEST,
LOGPREFIX +"constructing subject.propagation rmi permission");
RMIPermission subjectprop = new RMIPermission("subject.propagation");
// make policy changes
LOGGER.log(Level.FINEST,LOGPREFIX +"calling jc.getPolicy");
JAZNPolicy policy = jc.getPolicy();
if (policy != null)
LOGGER.log(Level.INFO, LOGPREFIX
+ "add to policy grant for RMI 'login' permission to "
+ CUSTOM_RMI_CONNECT_ROLE);
policy.grant(gtee, login);
LOGGER.log(Level.INFO, LOGPREFIX
+ "add to policy grant for RMI 'subject.propagation' permission to "
+ CUSTOM_RMI_CONNECT_ROLE);
policy.grant(gtee, subjectprop);
// m_Role = rmiConnectRole;
m_Role = roleMgr.getRole(CUSTOM_RMI_CONNECT_ROLE);
LOGGER.log(Level.INFO, LOGPREFIX
+ m_Role.getName() + ":" + m_Role.getFullName() + ":" + m_Role.getFullName());
else
LOGGER.log(Level.WARNING,LOGPREFIX +"Cannot find jazn policy!");
else
LOGGER.log(Level.INFO,LOGPREFIX +"custom role already exists");
m_Role = rmiConnectRole;
catch (JAZNException e)
LOGGER.log(Level.WARNING,
LOGPREFIX +"Cannot configure JAZN for remote connections");
public RealmRole getCustomRmiConnectRole()
return m_Role;
}Using the code approach and switching application.xml across so that namespace access is for the group remote_connect, I get the following error from my bean :-
INFO: Login permission not granted for current-workspace-app (test.user)
Thus, the login permission that I'm adding through the custom remote_connect role does not seem to work. Even if it did, i'm pretty sure I would still get that namespace error.
This has been such a frustrating process. All the custom login module samples using embedded JDeveloper show simple j2ee servlet protection based on settings in web.xml.
There are no samples showing jdeveloper embedded oc4j using ejb with custom login modules.
Hopefully the oc4j jdev gurus like Frank can write a paper that demonstrates this.
Matt. -
Custom login module on OC4J 10.1.3.3.0
Hi,
I need to implement custom web form-based authentication on OC4J, in order to port an existing JBoss app. I was following Frank's example at http://www.oracle.com/technology/products/jdev/howtos/10g/jaassec/index.htm. Trying to access protected pages will correctly redirect to the j_security_check page, and from there call my custom login module - through LoginContext. The issue is that - even if the LoginModule correctly authenticates user's credentials, the request still doesn't get through, coming back to the authentication page.
I perform the deployment using Oracle Enterprise Manager, and the relevant files are:
web.xml:
<login-config>
<auth-method>FORM</auth-method>
<realm-name>testJAAS</realm-name>
<form-login-config>
<form-login-page>/jsp/login.jsp</form-login-page>
<form-error-page>/jsp/login.jsp</form-error-page>
</form-login-config>
</login-config>
<!-- Security constraints -->
<security-constraint>
<web-resource-collection>
<web-resource-name>Test Secure Application</web-resource-name>
<description>Requires users to authenticate</description>
<url-pattern>faces/*</url-pattern>
<http-method>POST</http-method>
<http-method>GET</http-method>
<http-method>HEAD</http-method>
<http-method>PUT</http-method>
</web-resource-collection>
<auth-constraint>
<description>Only allow role1 users</description>
<role-name>role1</role-name>
</auth-constraint>
<user-data-constraint>
<description>Encryption is not required for the application in general. </description>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<!-- Define the security role(s) -->
<security-role>
<description>Example role</description>
<role-name>role1</role-name>
</security-role>
orion-web.xml:
schema-major-version="10" schema-minor-version="0" >
<!-- Uncomment this element to control web application class loader behavior.
<web-app-class-loader search-local-classes-first="true" include-war-manifest-class-path="true" />
-->
<resource-ref-mapping name="jdbc/lics" />
<security-role-mapping name="role1">
<group name="oc4j-app-administrators" />
</security-role-mapping>
<web-app>
</web-app>
orion-application.xml:
<jazn provider="XML" >
<property name="jaas.username.simple" value="true" />
<property name="custom.loginmodule.provider" value="true" />
<property name="role.mapping.dynamic" value="true" />
</jazn>
system-jazn-data.xml:
<jazn-loginconfig>
<application>
<name>le5</name>
<login-modules>
<login-module>
<class>com.tx.lic.oc4jsx.ext.LicLoginModule</class>
<control-flag>required</control-flag>
<options>
<option>
<name>defaultRole</name>
<value>role1</value>
</option>
</options>
</login-module>
</login-modules>
</application>
I assume something is wrong with the deployment configuration, b/c when I specifically add users to the defined role1 role, it works fine(see below). But this is not an option, since users should only be specified in the data store of the LoginModule.
Doing as above, the orion-web.xml is below:
<resource-ref-mapping name="jdbc/lic" />
<security-role-mapping name="role1">
<group name="oc4j-app-administrators" />
<user name="user1" />
<user name="user2" />
</security-role-mapping>
Any insight would be much appreciated. Thanks.Hi,
role to group mapping doesn't seem to work for custom LoginModules. This means hat your web applcation (web.xml) should use th same role names as used on the database authentication. So remove
<security-role-mapping name="role1">
<group name="oc4j-app-administrators" />
</security-role-mapping>
from orion-web.xml and it should start wrking
Frank -
Custom logon module not called by the portal
Hi, all.
I need some help urgently on this new portal requirement. There are some sensitive ESS/MSS iviews that we need to give the users an additional logon challenge. The normal ESS/MSS iviews will be using SSO. This one will still use SSO, but have to pass the userid/password challenge.
We have decided to use the authentication scheme. Also, the "form" logon stack has been modified with only one logon module, which is our customized one. To create the java project, jar and library, we are following the link: http://help.sap.com/saphelp_nw04s/helpdata/en/46/3ce9402f3f8031e10000000a1550b0/frameset.htm
Here's the extract of our authscheme.xml:
<authscheme name="certlogon">
<authentication-template>
client_cert
</authentication-template>
<priority>21</priority>
<frontendtype>2</frontendtype>
<frontendtarget>com.sap.portal.runtime.logon.certlogon</frontendtarget>
</authscheme>
<authscheme name="coo_secure">
<authentication-template>
form
</authentication-template>
<priority>40</priority>
<frontendtype>2</frontendtype>
<frontendtarget>com.sap.portal.runtime.logon.basicauthentication</frontendtarget>
</authscheme>
<authscheme name="basicauthentication">
<authentication-template>
ticket
</authentication-template>
<priority>20</priority>
<frontendtype>2</frontendtype>
<frontendtarget>com.sap.portal.runtime.logon.basicauthentication</frontendtarget>
</authscheme>
The authscheme is called coo_secure. When a user clicks on the iviews with the coo_secure authscheme, a userid/pwd prompt pops up. But it does not accept whatever I type in. From the defaulttrace, I do not see any hint that our customized logon module was ever called.
Is there anyway to turn on portal tracing to see what is going on?
Thanks,
Jonathan.Hi Jonathan,
Did you solved the problem with the custom logon module?
We have a very similar scenario. I followed below help site to implement a custom logon module for particular iviews.
http://help.sap.com/saphelp_nw70/helpdata/EN/54/f91fba71ae48309e4267b4a36fa47b/frameset.htm
and also the documentation:
SAP Netweaver Developers Guide - Integrating Security Functions
But I am not able to get my own custom login module with the custom authscheme running.
If I access my specific IViews that requires additional custom authentication I get the portal login page again. After giving login data I get the error message:
Java iView Runtime
An exception occured while processing your request.
If this situation persists, please contact your system administrator.
If you solved your problem, can you please share the solution with me?
Thanks,
Regards,
Yasar -
RFC Call in a custom login module
Hi All,
What is the best way to call a RFC/BAPI from a Custom Login Module, part of the login stacks?
I want to avoid using JCo Client Service, do not want to hard code the connection values in the class.
Have anyone of you come across such a situation?
Can the custom login module access the Portal Runtime resources, like the Connector Gateway Service/Destination Service?
Or it just runs inside the j2EE container?
Thanks for your help
Aakash
Edited by: Aakash Jain on Nov 24, 2008 11:42 PMHi All,
What is the best way to call a RFC/BAPI from a Custom Login Module, part of the login stacks?
I want to avoid using JCo Client Service, do not want to hard code the connection values in the class.
Have anyone of you come across such a situation?
Can the custom login module access the Portal Runtime resources, like the Connector Gateway Service/Destination Service?
Or it just runs inside the j2EE container?
Thanks for your help
Aakash
Edited by: Aakash Jain on Nov 24, 2008 11:42 PM
Maybe you are looking for
-
Discoverer Plus not working in Internet Explorer
IE 6.0 on Windows 2000 professional SP4 and all of the patches up to date. Latest Java run time from Sun. I hit the link to Plus and it will eventually bring me back to the login screen with all of the parameters empty. It also opens a new window whi
-
Hi, I have the following scenario. Its a simple BPEL process with string input and string output with a call to Human Task. the Human Task has the expiration duration of 5 mins. I invoke the process from bpel console and as expected it waits for the
-
Hi, I am exploring the enhancement CNEX0031 to be able to write some code for progress caclulation. As per the docuementation,this exit is triggered in txn CNE1. However, in spite of putting a break-point in the user -exit and thereafter running CNE1
-
Why I can`t open my raw files, from Olympus E-P3 camera????
-
Passing parameters to IAC Transaction iView
Hi guys, Anybody knows how I can carry out this task? I have a page that has some value that I would like to pass to an IAC Transaction iView via the URL. Thanks!