Custom login page with Policy Agent 2.2 & Access Manager

Hi,
Im trying to set up policy agent 2.2 and Access Manager to use the login page of the application Im trying to secure. Im not sure if this is the correct forum or not so feel free to move this if need be.
Ive been using this link: http://docs.sun.com/source/816-6884-10/chapter3.html#wp25376 but it doesnt seem to make sense.
In my AMAgent.properties file Ive set up
com.sun.identity.agents.config.login.form[0]=/contextRoot/login/login.jsp to my login page and Ive also configured the web.xml for that application to use the login:
     <login-config>
          <auth-method>FORM</auth-method>
          <form-login-config>
               <form-login-page>/login/login.jsp</form-login-page>
               <form-error-page>/login/login.jsp</form-error-page>
          </form-login-config>
     </login-config>
When I try and access the login page Im redirected to the default access manager login page. I did notice in the AMProperties.xml file the following line:
com.sun.identity.agents.config.login.url[0] = http://amserverhost:80/amserver/UI/Login
It seems like I should change that to point to my login page but I didnt see any documentation supporting that. When I change that property to point to location of my login page, i get a redirect loop error.
When I remove the com.sun.identity.agents.config.login.form[0] property all together, I just get a resource restricted error.
Now when I configure the com.sun.identity.agents.config.login.form[0] property, set the config.login.url = to my login page AND set the com.sun.identity.agents.config.notenforced.uri[0] property equal to my login page (so the login page is no longer protected) I am able to see the login page
Is unrestricting the login page correct? Im able to access the login.jsp page directly and when I try and access protected resources Im redirected back to the login page so everything seems to be working correctly but Im not sure if this is the correct way.

Hi Neeraj,
I still have not been able to resolve that issue. Let me know If you find a solution for the same.
Thanks,
Srinivas

Similar Messages

Custom Authentication Issue with Policy Agent

Hi,
I have a custom authentication module which is hosted on the BEA application server and I am trying to access through the policy agent on apache.
I have set the following property in AMAgent.properties file
com.sun.am.policy.am.loginURL= http://host:port/amserver/UI/Login
So When the user requests a protected resource, the policy agent forwards the user to Identity Server with the module as CustomLoginModule. However, after this, authentication is succeed, user sesion is being created and I get the following error message in the agent log file.
2004-10-19 16:20:26.908 Error 27620:e1140 PolicyEngine: am_policy_evaluate: InternalException in Service::construct_auth_svc with error message:Application authentication failed during service creation. and code:3
2004-10-19 16:20:26.908 128 27620:e1140 RemoteLog: User unknown was denied access to http://hostname:port/weblogic/protapp/protected/a.html.
2004-10-19 16:20:26.908 Error 27620:e1140 LogService: LogService::logMessage() loggedBy SSOTokenID is invalid.
2004-10-19 16:20:26.909 Error 27620:e1140 all: am_log_vlog() failed with status AM_REMOTE_LOG_FAILURE.
2004-10-19 16:20:26.909 -1 27620:e1140 PolicyAgent: URL Access Agent: access denied to unknown user
The necessary policy object is already created in Identity Server. Please send your suggestions to fix this problem.
Thanks
Neeraj

Hi Neeraj,
I still have not been able to resolve that issue. Let me know If you find a solution for the same.
Thanks,
Srinivas

Help - using custom login module with embedded jdev oc4j to access ejb 3

Hi All (Frank ??),
I'm just wondering if anyone has successfully been able to leverage a custom login module in combination
with a client that connects to a local EJB 3 stateless session bean through Jdeveloper 10.1.3.2's embedded oc4j.
I have spent 2+ days trying to get this to work - and i think I resound now to the fact im going to
have to deploy to oc4j standalone instead.
I got close.. but finally was trumped with the following error from the client trying to access the ejb:-
javax.naming.NoPermissionException: Not allowed to look up XXXXXX, check the namespace-access tag
setting in orion-application.xml for details.
Using the various guides available, I had no problem getting the custom login module working
with a local servlet running from JDev's embedded oc4j.. however with ejb - no such luck.
I have a roles table (possible values Member, Admin) - that maps to sr_Member and sr_Admin
respectively in various config files.
I'm using EJB 3 annotations for protecting methods .. for example
@RolesAllowed("sr_Member")
Steps that I had to do so far :-
In <jdevhome>\jdev\system\oracle.jwee.10.1.3.40.66\embedded-oc4j\config\system-jazn-data.xml1) Add custom login module
    <application>
      <name>current-workspace-app</name>
      <login-modules>
        <login-module>
          <class>kr.security.KnowRushLoginModule</class>
          <control-flag>required</control-flag>
          <options>
            <option>
              <name>dataSource</name>
              <value>jdbc/DB_XE_KNOWRUSHDS</value>
            </option>
            <option>
              <name>user.table</name>
              <value>users</value>
            </option>
            <option>
              <name>user.pk.column</name>
              <value>id</value>
            </option>
            <option>
              <name>user.name.column</name>
              <value>email_address</value>
            </option>
            <option>
              <name>user.password.column</name>
              <value>password</value>
            </option>
            <option>
              <name>role.table</name>
              <value>roles</value>
            </option>
            <option>
              <name>role.to.user.fk.column</name>
              <value>user_id</value>
            </option>
            <option>
              <name>role.name.column</name>
              <value>name</value>
            </option>
          </options>
        </login-module>
      </login-modules>
    </application>2) Grant login rmi permission to roles associated with custom login module (also in system-jazn-data.xml)
<grant>
    <grantee>
      <principals>
        <principal>
          <realm-name>jazn.com</realm-name>
          <type>role</type>
          <class>kr.security.principals.KRRolePrincipal</class>
          <name>Admin</name>
        </principal>
      </principals>
    </grantee>
    <permissions>
      <permission>
        <class>com.evermind.server.rmi.RMIPermission</class>
        <name>login</name>
      </permission>
    </permissions>
</grant>
<grant>
    <grantee>
      <principals>
        <principal>
          <realm-name>jazn.com</realm-name>
          <type>role</type>
          <class>kr.security.principals.KRRolePrincipal</class>
          <name>Member</name>
        </principal>
      </principals>
    </grantee>
    <permissions>
      <permission>
        <class>com.evermind.server.rmi.RMIPermission</class>
        <name>login</name>
      </permission>
    </permissions>
</grant>3) I've tried creating various oracle and j2ee deployment descriptors (even though ejb-jar.xml and orion-ejb-jar.xml get created automatically when running the session bean in jdev).
My ejb-jar.xml contains :-
<?xml version="1.0" encoding="utf-8"?>
<ejb-jar xmlns ....
<assembly-descriptor>
    <security-role>
      <role-name>sr_Admin</role-name>
    </security-role>
    <security-role>
      <role-name>sr_Member</role-name>
    </security-role>
</assembly-descriptor>
</ejb-jar>Note- i'm not specifying the enterprise-beans stuff, as JDev seems to populate this automatically.
My orion-ejb-jar.xml contains ...
<?xml version="1.0" encoding="utf-8"?>
<orion-ejb-jar ...
<assembly-descriptor>
    <security-role-mapping name="sr_Admin">
      <group name="Admin"></group>
    </security-role-mapping>
    <security-role-mapping name="sr_Member">
      <group name="Member"></group>
    </security-role-mapping>
    <default-method-access>
      <security-role-mapping name="sr_Member" impliesAll="true">
      </security-role-mapping>
    </default-method-access>
</assembly-descriptor>My orion-application.xml contains ...
<?xml version="1.0" encoding="utf-8"?>
<orion-application xmlns ...
<security-role-mapping name="sr_Admin">
    <group name="Admin"></group>
</security-role-mapping>
<security-role-mapping name="sr_Member">
    <group name="Member"></group>
</security-role-mapping>
<jazn provider="XML">
    <property name="role.mapping.dynamic" value="true"></property>
    <property name="custom.loginmodule.provider" value="true"></property>
</jazn>
<namespace-access>
    <read-access>
      <namespace-resource root="">
        <security-role-mapping name="sr_Admin">
          <group name="Admin"/>
          <group name="Member"/>
        </security-role-mapping>
      </namespace-resource>
    </read-access>
    <write-access>
      <namespace-resource root="">
        <security-role-mapping name="sr_Admin">
          <group name="Admin"/>
          <group name="Member"/>
        </security-role-mapping>
      </namespace-resource>
    </write-access>
</namespace-access>
</orion-application>My essentially auto-generated EJB 3 client does the following :-
      Hashtable env = new Hashtable();
      env.put(Context.SECURITY_PRINCIPAL, "matt.shannon");
      env.put(Context.SECURITY_CREDENTIALS, "welcome1");
      final Context context = new InitialContext(env);
      KRFacade kRFacade = (KRFacade)context.lookup("KRFacade");
...And throws the error
20/04/2007 00:55:37 oracle.j2ee.rmi.RMIMessages
EXCEPTION_ORIGINATES_FROM_THE_REMOTE_SERVER
WARNING: Exception returned by remote server: {0}
javax.naming.NoPermissionException: Not allowed to look
up KRFacade, check the namespace-access tag setting in
orion-application.xml for details
     at
com.evermind.server.rmi.RMIClientConnection.handleLookupRe
sponse(RMIClientConnection.java:819)
     at
com.evermind.server.rmi.RMIClientConnection.handleOrmiComm
andResponse(RMIClientConnection.java:283)
....I can see from the console that the user was successfully authenticated :-
20/04/2007 00:55:37 kr.security.KnowRushLoginModule validate
WARNING: [KnowRushLoginModule] User matt.shannon authenticated
And that user is granted both the Admin, and Member roles.
The test servlet using basic authentication correctly detects the user and roles perfectly...
public void doGet(HttpServletRequest request,
                    HttpServletResponse response)
    throws ServletException, IOException
    LOGGER.log(Level.INFO,LOGPREFIX +"doGet called");
    response.setContentType(CONTENT_TYPE);
    PrintWriter out = response.getWriter();
    out.println("<html>");
    out.println("<head><title>ExampleServlet</title></head>");
    out.println("<body>");
    out.println("<p>The servlet has received a GET. This is the reply.</p>");
    out.println("<br> getRemoteUser = " + request.getRemoteUser());
    out.println("<br> getUserPrincipal = " + request.getUserPrincipal());
    out.println("<br> isUserInRole('sr_Admin') = "+request.isUserInRole("sr_Admin"));
    out.println("<br> isUserInRole('sr_Memeber') = "+request.isUserInRole("sr_Member"));Anyone got any ideas what could be going wrong?
cheers
Matt.
Message was edited by:
mshannon

Thanks for the response. I checked out your blog and tried your suggestions. I'm sure it works well in standalone OC4J, but i was still unable to get it to function correctly from JDeveloper embedded.
Did you ever get the code working directly from JDeveloper?
Your custom code essentially seems to be the equivalent of a grant within system-jazn-data.xml.
For example, the following grant to a custom jaas role (JAAS_ADMIN) that gets added by my custom login module gives them rmi login access :-
     <grant>
          <grantee>
               <principals>
                    <principal>
                         <realm-name>jazn.com</realm-name>
                         <type>role</type>
                         <class>kr.security.principals.KRRolePrincipal</class>
                         <name>JAAS_Admin</name>
                    </principal>
               </principals>
          </grantee>
          <permissions>
               <permission>
                    <class>com.evermind.server.rmi.RMIPermission</class>
                    <name>login</name>
               </permission>
          </permissions>
     </grant>If I add the following to orion-application.xml

<namespace-access>
    <read-access>
      <namespace-resource root="">
        <security-role-mapping>
          <group name="JAAS_Admin"></group>
        </security-role-mapping>
      </namespace-resource>
    </read-access>Running a standalone client against the embedded jdev oc4j server gives the namespace-access error.
I tried out your code by essentially creating a static reference to a singleton class that does the role lookup/provisioning with rmi login grant :-
From custom login module :-
private static KRSecurityHelper singleton = new KRSecurityHelper();
protected Principal[] m_Principals;
    Vector v = new Vector();
      v.add(singleton.getCustomRmiConnectRole());
      // set principals in LoginModule
      m_Principals=(Principal[]) v.toArray(new Principal[v.size()]);
Singleton class :-
package kr.security;
import com.evermind.server.rmi.RMIPermission;
import java.util.logging.Level;
import java.util.logging.Logger;
import oracle.security.jazn.JAZNConfig;
import oracle.security.jazn.policy.Grantee;
import oracle.security.jazn.realm.Realm;
import oracle.security.jazn.realm.RealmManager;
import oracle.security.jazn.realm.RealmRole;
import oracle.security.jazn.realm.RoleManager;
import oracle.security.jazn.policy.JAZNPolicy;
import oracle.security.jazn.JAZNException;
public class KRSecurityHelper
private static final Logger LOGGER = Logger.getLogger("kr.security");
private static final String LOGPREFIX = "[KRSecurityHelper] ";
public static String CUSTOM_RMI_CONNECT_ROLE = "remote_connect";
private RealmRole m_Role = null;
public KRSecurityHelper()
    LOGGER.log(Level.FINEST,LOGPREFIX +"calling JAZNConfig.getJAZNConfig");
    JAZNConfig jc = JAZNConfig.getJAZNConfig();
    LOGGER.log(Level.FINEST,LOGPREFIX +"calling jc.getRealmManager");
    RealmManager realmMgr = jc.getRealmManager();
    try
      // Get the default realm .. e.g. jazn.com
      LOGGER.log(Level.FINEST,LOGPREFIX +"calling jc.getGetDefaultRealm");
      Realm r = realmMgr.getRealm(jc.getDefaultRealm());
      LOGGER.log(Level.INFO,LOGPREFIX +"default realm: "+r.getName());
      // Access the role manager for the remote connection role
      LOGGER.log(Level.FINEST,
        LOGPREFIX +"calling default_realm.getRoleManager");
      RoleManager roleMgr = r.getRoleManager();
      LOGGER.log(Level.INFO,LOGPREFIX +"looking up custom role '"
        CUSTOM_RMI_CONNECT_ROLE "'");
      RealmRole rmiConnectRole = roleMgr.getRole(CUSTOM_RMI_CONNECT_ROLE);
      if (rmiConnectRole == null)
        LOGGER.log(Level.INFO,LOGPREFIX +"role does not exist, create it...");
        rmiConnectRole = roleMgr.createRole(CUSTOM_RMI_CONNECT_ROLE);
        LOGGER.log(Level.FINEST,LOGPREFIX +"constructing new grantee");
        Grantee gtee = new Grantee(rmiConnectRole);
        LOGGER.log(Level.FINEST,LOGPREFIX +"constructing login rmi permission");
        RMIPermission login = new RMIPermission("login");
        LOGGER.log(Level.FINEST,
          LOGPREFIX +"constructing subject.propagation rmi permission");
        RMIPermission subjectprop = new RMIPermission("subject.propagation");
        // make policy changes
        LOGGER.log(Level.FINEST,LOGPREFIX +"calling jc.getPolicy");
        JAZNPolicy policy = jc.getPolicy();
        if (policy != null)
          LOGGER.log(Level.INFO, LOGPREFIX
            + "add to policy grant for RMI 'login' permission to "
            + CUSTOM_RMI_CONNECT_ROLE);
          policy.grant(gtee, login);
          LOGGER.log(Level.INFO, LOGPREFIX
            + "add to policy grant for RMI 'subject.propagation' permission to "
            + CUSTOM_RMI_CONNECT_ROLE);
          policy.grant(gtee, subjectprop);
          // m_Role = rmiConnectRole;
          m_Role = roleMgr.getRole(CUSTOM_RMI_CONNECT_ROLE);
          LOGGER.log(Level.INFO, LOGPREFIX
            + m_Role.getName() + ":" + m_Role.getFullName() + ":" + m_Role.getFullName());
        else
          LOGGER.log(Level.WARNING,LOGPREFIX +"Cannot find jazn policy!");
      else
        LOGGER.log(Level.INFO,LOGPREFIX +"custom role already exists");
        m_Role = rmiConnectRole;
    catch (JAZNException e)
      LOGGER.log(Level.WARNING,
        LOGPREFIX +"Cannot configure JAZN for remote connections");
public RealmRole getCustomRmiConnectRole()
    return m_Role;
}Using the code approach and switching application.xml across so that namespace access is for the group remote_connect, I get the following error from my bean :-
INFO: Login permission not granted for current-workspace-app (test.user)
Thus, the login permission that I'm adding through the custom remote_connect role does not seem to work. Even if it did, i'm pretty sure I would still get that namespace error.
This has been such a frustrating process. All the custom login module samples using embedded JDeveloper show simple j2ee servlet protection based on settings in web.xml.
There are no samples showing jdeveloper embedded oc4j using ejb with custom login modules.
Hopefully the oc4j jdev gurus like Frank can write a paper that demonstrates this.
Matt.

OAM-02073 when trying to login with custom login page

I Created a custom login page, but when I submit it to OIM I get the error on the page "System error. Please re-try your action. If you continue to get this error, please contact the Administrator." with the OAM 11g Page, and in the logs it shows the errors below. Thanks for any ideas on what this issue could be.
<Oct 29, 2011 11:24:46 PM CDT> <Warning> <oracle.oam.controller> <OAM-02073> <Er
ror while checking if the resource is protected or not.>
<Oct 29, 2011 11:24:46 PM CDT> <Warning> <oracle.oam.binding> <BEA-000000> <OAM-
02073
oracle.security.am.common.utilities.exception.AmRuntimeException: OAM-02073
at oracle.security.am.engines.enginecontroller.AuthzEngineController.che
ckProtected(AuthzEngineController.java:536)
at oracle.security.am.engines.enginecontroller.AuthzEngineController.pro
cessEvent(AuthzEngineController.java:159)
at oracle.security.am.controller.MasterController.processEvent(MasterCon
troller.java:354)
at oracle.security.am.controller.MasterController.processRequest(MasterC
ontroller.java:517)
at oracle.security.am.controller.MasterController.process(MasterControll
er.java:457)
at oracle.security.am.pbl.PBLFlowManager.delegateToMasterController(PBLF
lowManager.java:209)
at oracle.security.am.pbl.PBLFlowManager.handleBaseEvent(PBLFlowManager.
java:147)
at oracle.security.am.pbl.PBLFlowManager.processRequest(PBLFlowManager.j
ava:107)
at oracle.security.am.pbl.transport.http.AMServlet.handleRequest(AMServl
et.java:168)
at oracle.security.am.pbl.transport.http.AMServlet.doPost(AMServlet.java
:133)
at oracle.security.am.pbl.transport.http.AMServlet.doGet(AMServlet.java:
673)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run
(StubSecurityHelper.java:227)
at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecuri
tyHelper.java:125)
at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.jav
a:300)
at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.ja
va:56)
at oracle.security.am.agent.wls.filters.OAMServletAuthenticationFilter.d
oFilter(OAMServletAuthenticationFilter.java:265)
at oracle.security.am.agent.wls.filters.OAMValidationSystemFilter.doFilt
er(OAMValidationSystemFilter.java:133)
at oracle.security.wls.oamagent.OAMAgentWrapperFilter.doFilter(OAMAgentW
rapperFilter.java:120)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.ja
va:56)
at oracle.security.jps.ee.http.JpsAbsFilter$1.run(JpsAbsFilter.java:111)
at java.security.AccessController.doPrivileged(Native Method)
at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:31
3)
at oracle.security.jps.ee.util.JpsPlatformUtil.runJaasMode(JpsPlatformUt
il.java:413)
at oracle.security.jps.ee.http.JpsAbsFilter.runJaasMode(JpsAbsFilter.jav
a:94)
at oracle.security.jps.ee.http.JpsAbsFilter.doFilter(JpsAbsFilter.java:1
61)
at oracle.security.jps.ee.http.JpsFilter.doFilter(JpsFilter.java:71)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.ja
va:56)
at oracle.dms.servlet.DMSServletFilter.doFilter(DMSServletFilter.java:13
6)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.ja
va:56)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationActio
n.wrapRun(WebAppServletContext.java:3715)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationActio
n.run(WebAppServletContext.java:3681)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(Authenticate
dSubject.java:321)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:
120)
at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppS
ervletContext.java:2277)
at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletC
ontext.java:2183)
at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.j
ava:1454)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:178)
Caused By: oracle.security.am.engines.authz.AuthorizationException: OAMSSA-14003
: Policy runtime failed.
at oracle.security.am.engines.authz.AuthorizationEngine.isResourceProtec
ted(AuthorizationEngine.java:183)
at oracle.security.am.engines.enginecontroller.AuthzEngineController.che
ckProtected(AuthzEngineController.java:373)
at oracle.security.am.engines.enginecontroller.AuthzEngineController.pro
cessEvent(AuthzEngineController.java:159)
at oracle.security.am.controller.MasterController.processEvent(MasterCon
troller.java:354)
at oracle.security.am.controller.MasterController.processRequest(MasterC
ontroller.java:517)
at oracle.security.am.controller.MasterController.process(MasterControll
er.java:457)
at oracle.security.am.pbl.PBLFlowManager.delegateToMasterController(PBLF
lowManager.java:209)
at oracle.security.am.pbl.PBLFlowManager.handleBaseEvent(PBLFlowManager.
java:147)
at oracle.security.am.pbl.PBLFlowManager.processRequest(PBLFlowManager.j
ava:107)
at oracle.security.am.pbl.transport.http.AMServlet.handleRequest(AMServl
et.java:168)
at oracle.security.am.pbl.transport.http.AMServlet.doPost(AMServlet.java
:133)
at oracle.security.am.pbl.transport.http.AMServlet.doGet(AMServlet.java:
673)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run
(StubSecurityHelper.java:227)
at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecuri
tyHelper.java:125)
at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.jav
a:300)
at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.ja
va:56)
at oracle.security.am.agent.wls.filters.OAMServletAuthenticationFilter.d
oFilter(OAMServletAuthenticationFilter.java:265)
at oracle.security.am.agent.wls.filters.OAMValidationSystemFilter.doFilt
er(OAMValidationSystemFilter.java:133)
at oracle.security.wls.oamagent.OAMAgentWrapperFilter.doFilter(OAMAgentW
rapperFilter.java:120)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.ja
va:56)
at oracle.security.jps.ee.http.JpsAbsFilter$1.run(JpsAbsFilter.java:111)
at java.security.AccessController.doPrivileged(Native Method)
at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:31
3)
at oracle.security.jps.ee.util.JpsPlatformUtil.runJaasMode(JpsPlatformUt
il.java:413)
at oracle.security.jps.ee.http.JpsAbsFilter.runJaasMode(JpsAbsFilter.jav
a:94)
at oracle.security.jps.ee.http.JpsAbsFilter.doFilter(JpsAbsFilter.java:1
61)
at oracle.security.jps.ee.http.JpsFilter.doFilter(JpsFilter.java:71)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.ja
va:56)
at oracle.dms.servlet.DMSServletFilter.doFilter(DMSServletFilter.java:13
6)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.ja
va:56)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationActio
n.wrapRun(WebAppServletContext.java:3715)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationActio
n.run(WebAppServletContext.java:3681)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(Authenticate
dSubject.java:321)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:
120)
at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppS
ervletContext.java:2277)
at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletC
ontext.java:2183)
at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.j
ava:1454)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:178)
Caused By: oracle.security.am.common.policy.runtime.PolicyEvaluationException: O
AMSSA-06191: The runtime request contains no resource.
at oracle.security.am.common.policy.runtime.PolicyRuntimeImpl.isResource
Protected(PolicyRuntimeImpl.java:143)
at oracle.security.am.engines.authz.AuthorizationEngine.isResourceProtec
ted(AuthorizationEngine.java:181)
at oracle.security.am.engines.enginecontroller.AuthzEngineController.che
ckProtected(AuthzEngineController.java:373)
at oracle.security.am.engines.enginecontroller.AuthzEngineController.pro
cessEvent(AuthzEngineController.java:159)
at oracle.security.am.controller.MasterController.processEvent(MasterCon
troller.java:354)
at oracle.security.am.controller.MasterController.processRequest(MasterC
ontroller.java:517)
at oracle.security.am.controller.MasterController.process(MasterControll
er.java:457)
at oracle.security.am.pbl.PBLFlowManager.delegateToMasterController(PBLF
lowManager.java:209)
at oracle.security.am.pbl.PBLFlowManager.handleBaseEvent(PBLFlowManager.
java:147)
at oracle.security.am.pbl.PBLFlowManager.processRequest(PBLFlowManager.j
ava:107)
at oracle.security.am.pbl.transport.http.AMServlet.handleRequest(AMServl
et.java:168)
at oracle.security.am.pbl.transport.http.AMServlet.doPost(AMServlet.java
:133)
at oracle.security.am.pbl.transport.http.AMServlet.doGet(AMServlet.java:
673)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run
(StubSecurityHelper.java:227)
at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecuri
tyHelper.java:125)
at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.jav
a:300)
at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.ja
va:56)
at oracle.security.am.agent.wls.filters.OAMServletAuthenticationFilter.d
oFilter(OAMServletAuthenticationFilter.java:265)
at oracle.security.am.agent.wls.filters.OAMValidationSystemFilter.doFilt
er(OAMValidationSystemFilter.java:133)
at oracle.security.wls.oamagent.OAMAgentWrapperFilter.doFilter(OAMAgentW
rapperFilter.java:120)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.ja
va:56)
at oracle.security.jps.ee.http.JpsAbsFilter$1.run(JpsAbsFilter.java:111)
at java.security.AccessController.doPrivileged(Native Method)
at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:31
3)
at oracle.security.jps.ee.util.JpsPlatformUtil.runJaasMode(JpsPlatformUt
il.java:413)
at oracle.security.jps.ee.http.JpsAbsFilter.runJaasMode(JpsAbsFilter.jav
a:94)
at oracle.security.jps.ee.http.JpsAbsFilter.doFilter(JpsAbsFilter.java:1
61)
at oracle.security.jps.ee.http.JpsFilter.doFilter(JpsFilter.java:71)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.ja
va:56)
at oracle.dms.servlet.DMSServletFilter.doFilter(DMSServletFilter.java:13
6)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.ja
va:56)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationActio
n.wrapRun(WebAppServletContext.java:3715)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationActio
n.run(WebAppServletContext.java:3681)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(Authenticate
dSubject.java:321)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:
120)
at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppS
ervletContext.java:2277)
at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletC
ontext.java:2183)
at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.j
ava:1454)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:178)

Hello, I'm having the same issue. I did check my custom login form and I'm using "post" and fully qualified OAM host name. The behavior and very inconsistent. My integration is OIF-OAM. OIF proxy protected by 11g webgate. If I close the browser or try hitting back button, the login form comes up fine and could able to access the resource. I did look into support site and found this Doc Id: ID 1348419.1 which matches my condition, but couldn't able to figure out if there is a patch out for this bug.
Has anyone faced this issue?
Thanks for the help.
Sunil.

How to get the Trusted Identity Login Page with the needed parameters to make custom login screen instead of sharepoint Login Page?

hi guys
i have configured trusted identity provider for my public facing internet portal, but i dont want to use the login screen
since i have about 10 site collection which will use this authentication.
is there a class or property that gives me the url ready with the parameters like "wa" and "wtrealm" and the redirect url based on the place the user click the link from.

You can create your own login page and specify the URL for it in the authentication provider settings of a Web Application or Zone. So the easiest way to do what you want would be to extend your existing Web Application to a new Zone, change the login
Page url to point to use your custom zone, and tell users to use the url of that zone to login with the custom provider you have built.
If you want a single zone then you will need to modify a copy of the login page you display above and have it redirect to a custom login page for your identity provider if the pick the correct entry in the dropdown.
Paul Stork SharePoint Server MVP
Principal Architect: Blue Chip Consulting Group
Blog: http://dontpapanic.com/blog
Twitter: Follow @pstork
Please remember to mark your question as "answered" if this solves your problem.

Did any body try to change 10g SSO login page to custom login page?

Hi..
Did any body try to change Oracle 10g SSO login page with custom login Page as we used to do in 902 and 1022 versions by changing wwsso_ls_configuration_info_t table entries?
It seems that there is now other file policy.properties that has entry for login page.
Is there any documentation provided by Oracle on this?
I checked metalink and SSO admin guide?
Any clue or glue....??
Thanks
Sarvesh

Try 1 & 2 if does not work please file a daycare for further assistance.
1. In "Day CQ Login Selector Authentication Handler" for path info add an empty row then verify.
2. Delete the existing entry for "Day CQ Login Selector Authentication Handler" , Configure your custom at repository level & verify

Problem: Protect Sun Web Proxy Server 4.0.5 with Policy Agent 2.2

We are trying to protect the Sun Web proxy Server 4.0.5 with policy agent 2.2 on solaris 10 machine.
We are using Access Manager 7.1 along with directory server 6.2
We are trying to protect the web proxy console url http://domain.example.com with that policy agent so that when we hit web proxy console url
it should through us access manager login page ie http://abc.com/amserver.
How can we achieve this.What all changes required in the AMAgent.properties file.Please suggest.

Hi subho,
problem is fixed. i have unistalled the policy agent and reinstalled it again. the problem i found is we didnt stop the webproxy instance when installing policy agent. Thanks for the reply

10g904 - custom login pages & development method of applics for SSO

i am getting baffled with these custom login pages and their connection with the SSO.
I have now read extensive documentation from the following:
Oracle® AS SSO Admin Guide for release 10g (9.0.4) (B10378-01)
Oracle® AS SSO App Developers Guide for release 10g (9.0.4) (B10852-01)
Oracle® AS SSO Admin Guide 10g (9.0.4) (B13791-01)
Oracle® AS App Developers Guide for release 10g (9.0.4) (B10378-01)
Oracle® SSO Developers Guide for version 306
what baffles me is how custom login pages are to be defined for the 10g versions of AS.
in 10g (904) version, applications for SSO can be protected using mod_osso, and may be developed using mod_osso or using SSO-SDK which is deprecated from this version.
1. this means that if we do not have to use SSO-SDK (which is deprecated in 904 version) and where we need to protect applications using the mod_osso, then why do we need to use the custom pages.
2. how do the custom-defined deployment specific login pages or change-password pages work?
3. what is the role of SSO for partner applications if we do not configure it specifically.
any helpful hints or links would be highly appreciated.
thanks

i am getting baffled with these custom login pages and their connection with the SSO.
I have now read extensive documentation from the following:
Oracle® AS SSO Admin Guide for release 10g (9.0.4) (B10378-01)
Oracle® AS SSO App Developers Guide for release 10g (9.0.4) (B10852-01)
Oracle® AS SSO Admin Guide 10g (9.0.4) (B13791-01)
Oracle® AS App Developers Guide for release 10g (9.0.4) (B10378-01)
Oracle® SSO Developers Guide for version 306
what baffles me is how custom login pages are to be defined for the 10g versions of AS.
in 10g (904) version, applications for SSO can be protected using mod_osso, and may be developed using mod_osso or using SSO-SDK which is deprecated from this version.
1. this means that if we do not have to use SSO-SDK (which is deprecated in 904 version) and where we need to protect applications using the mod_osso, then why do we need to use the custom pages.
2. how do the custom-defined deployment specific login pages or change-password pages work?
3. what is the role of SSO for partner applications if we do not configure it specifically.
any helpful hints or links would be highly appreciated.
thanks

SharePoint Foundation 2013 - FBA Custom Login Page

Hi,
     i am trying to enable FBA in SharePoint Foundation 2013 and it works fine for default login page
     but when i try to create custom login page ( which is already working without any problems in SharePoint 2010 ) i receive an error when i try to authenticate user using the following code :
         SPClaimsUtility.AuthenticateFormsUser(Context.Request.UrlReferrer, txtUserName.Text, txtPassword.Text);
     i checked the Log file and found the following entries :
        - Application error when access /_layouts/CM Custom Login Page/Login.aspx, Error=Exception of type 'System.ArgumentException' was thrown. Parameter name: httpApplication   at Microsoft.SharePoint.IdentityModel.SPClaimsUtility.AuthenticateFormsUser(Uri
context, String userName, String password)     at CM_Custom_Login_Page.Layouts.CmCustomLoginPage.Login.btnLogin_Click(Object sender, EventArgs e)     at System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument)
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
        - System.ArgumentException: Exception of type 'System.ArgumentException' was thrown. Parameter name: httpApplication    at Microsoft.SharePoint.IdentityModel.SPClaimsUtility.AuthenticateFormsUser(Uri
context, String userName, String password)     at CM_Custom_Login_Page.Layouts.CmCustomLoginPage.Login.btnLogin_Click(Object sender, EventArgs e)     at System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument)
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
      - Getting Error Message for Exception System.Web.HttpUnhandledException (0x80004005): Exception of type 'System.Web.HttpUnhandledException' was thrown. ---> System.ArgumentException: Exception of type 'System.ArgumentException'
was thrown. Parameter name: httpApplication     at Microsoft.SharePoint.IdentityModel.SPClaimsUtility.AuthenticateFormsUser(Uri context, String userName, String password)     at CM_Custom_Login_Page.Layouts.CmCustomLoginPage.Login.btnLogin_Click(Object
sender, EventArgs e)     at System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument)     at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
at System.Web.UI.Page.HandleError(Exception e)     at System.Web.UI.Page.ProcessRequestMain(...
      - ...Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)     at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
at System.Web.UI.Page.ProcessRequest()     at System.Web.UI.Page.ProcessRequest(HttpContext context)     at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

check first whether you are getting context or not, to me it looks like issue with Contrext.Request.UrlReferrer
try with this code
Uri url = new Uri(SPContext.Current.Web.Url);SPClaimsUtility.AuthenticateFormsUser(url, txtUserName.Text, txtPassword.Text);

How can i use my custom login page in a custom partner application ?

Dear All,
I'm trying to customize a login page displayed other than the default sso login page
by submiting my form to the regular pl/sql procedure : "PORTAL.wwptl_login.login_url"
but i tried to type the requested partner application url in the browser i got the sso
login page other than my custom login page. So, How can i use my custom login page in a custom partner application ?
Regards,
Mohammed Amin
[email protected]

I cannot begin to express my level of frustration. I have been trying to use the composition widget light box display for some time now. I drag the widget to my document. The default widget has three small trigger boxes and a large area made up of a forward and backward button, a background, a text box and a frame for your image.
My steps have been …
I click on the little trigger box.
I click on the frame that holds the main image.
I go to the fill menu and browse my computer for my image and then click OK.
IT shows up on my screen. Yay
I attempt to continue using the next two trigger boxes provided in the widget.
After that, I add more by clicking on the little plus sign.
This is where all heck breaks loose.
Every single time I attempt to add thumbnails, something messes up. When I go to preview, either not all of my main images show up, or it starts with the wrong one, or some are missing. I have looked and looked for help on this and the only thing I can find is how easy it is to create a great portfolio lightbox display. But as we know, that only works when your thumbnails are the same image as the images in your lightbox. If you want something different, you have to use the composition wizard. I am finding it extremely difficult and confusing to customize.
Is there an exact sequence you need to use to add images to the slideshow? I am my wits end.

Questions about a custom login page.

Could someone give me an example of a custom login page that does the error checking with
p_error_code. I can't seem to get one to work correctly. I don't ever get any info in
p_error_code when there is an error in login.
You can email me the code at [email protected] if you would prefer.
Thanks.
Bethany

Bethany,
The best place for this question is the Orac le9ias Portal Security and Login Server forum.
Thanks

My Macbook Pro is frozen on the login page with a white screen and only my login picture. How do I fix this? I can't turn it off and I closed it and let it charge but it's still not working.

My Macbook Pro is frozen on the login page with a white screen and only my login picture. How do I fix this? I can't turn it off and I closed it and let it charge but it's still not working. It's only 3 months old and was working perfectly fine 30min before this happened.

Hello Kierasully,
I would start your troubleshooting with the article below for issues of not being able to log in to your Mac. Start with booting up in to Safe Boot as well as resetting PRAM on your Mac. If that does not work, then verify the hard drive with booting to the Recover HD and go to Disk Utility to verify it.
Mac OS X: Gray screen appears during startup
http://support.apple.com/en-us/ts2570
Regards,
-Norm G.

Adding Custom Breadcrumb for SharePoint 2013 Custom Master-Page With A Custom Separator.

Hi All,
I have successfully converted an HTML file to a SharePoint 2013 Custom Master-Page with relevant style sheets. But when I used within the SharePoint site I could not find the breadcrumb. So I want to know how to do that? For that breadcrumb I need a custom
separator like an arrow like in the below.
As you can see the separator is a custom built one. To have this custom separator in my HTML I have used the following code snippet.
<div class="breadcrumb-desktop">
<span class="breadcrumb-links"><a href="#">SharePoint Site Home</a></span>
<span class="breadcrumb-links"><a href="#">Sub Link 01</a></span> Active Page
</div>
The styles are as like in the below.
.breadcrumb-desktop {
width: 100%;
font-family: Arial;
padding: 23px 0 40px;
float: left;
font-size: 0.75em;
line-height: 1.25;
.breadcrumb-desktop > span.breadcrumb-links:after {
content: " \203A ";
white-space: pre;
I have tried the following code snippet within the SharePoint site as


But it did not display as I wanted.
So how am I supposed to insert these to my Custom Master-Page's breadcrumb and style them? Please could someone help me to solve this?
Thanks and regards,
Chiranthaka

Hi Chiranthaka,
Please use the following code snippet in your html master page.
<div class="CustomBreadcrumbs">
You are here:






</div>
Here is a thread for your reference:
https://social.msdn.microsoft.com/Forums/office/en-US/daabd903-df98-41da-80d8-6a942d06980e/add-breadcrumb-to-custom-master-page-html-file?forum=sharepointcustomization
We can also customize a breadcrumb control, then add it in master page.
http://msreddysharepoint.blogspot.com/2013/01/custom-breadcrumb-navigation-in.html
Best Regards
Dennis Guo
TechNet Community Support

Multiple custom login pages

I have two WebApps. In central admin i set one different custom login page for each.
now the problem: the second WebApp redirects to the login page of the first one.
Known problem?

Hi,
According to your post, my understanding is that you wanted to set different login pages for different web applications.
Please check whether you choose the zone that you want to configure and enter the Sign In Page URL correctly.
Best Regards,
Linda Li
Linda Li
TechNet Community Support

Jdev 10.1.3.1 "ADF Security": Application without a custom login page?

Hi,
We are trying to develop an application using "ADF security", which means we can give permissions to certain roles based on "Binding Container", "Iterator Binding", "Method Action Binding" and "Attribute-level Binding".
After reading the document -- "Oracle® Containers for J2EE Security Guide 10g (10.1.3.1.0) B28957-01" that Frank pointed out. We have a question:
Can we develop an ADF application without creating a custom login page? Right now we've followed the security guide and modified the configuration files. But when we run the application, we get the "user null" error message. The reason is clear because we do not have a login page. On the security guide, it says that it is possible to use the oracle default login module. But it does not say how. Does anyone have any idea?
Thanks,
Annie

Brenden,
Thank you so much for the reply. This is our code in the web.xml:
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>default</realm-name>
</login-config>
We are using HTTP basic Authentication. This technique worked for the container-managed security. The browser default login page pops up when the end users try to log into a secured JSP. But here we want to use "ADF security" to set up "Iterator binding" and "Attribute level binding" security. The browser default login page does NOT show up. Instead we get the "user null" error message.
If you have detailed step on how to select HTTP Basic Authentication, it would be very helpful to us. Or if you know any document has the detail.
regards,
Annie

Custom login page with Policy Agent 2.2 & Access Manager

Similar Messages

Maybe you are looking for