Custom Realm for SJSAS 9.x using JAAS documentation too vague
Hello there,
I am trying to implement a custom realm for a particular web application on my SJSAS 9.x server. So far I have been unsuccessful and receive the following message in my server.log:
[#|2006-10-20T13:51:56.390-0300|INFO|sun-appserver-pe9.0|javax.enterprise.system.core.security|_ThreadID=11;_ThreadName=httpWorkerThread-8080-1;javious;|SEC5046: Audit: Authentication refused for [javious].|#]
The documentation I have been using for reference is at:
http://docs.sun.com/app/docs/doc/819-3659/6n5s6m58k?a=view#beabs
However, I have a number of questions.
First of all, this section referenced by the URL above is identified as "Creating a custom realm". Then the second sentence of this section states "Note that client-side JAAS login modules are not suitable for use with the Application Server". Does this not mean that JAAS login modules are not suitable for use with SJSAS web applications since they are components of the Application Server? Is there a reason for providing information on creating a custom realm for this application server in which it is not suitable for? Why isn't it suitable for the application server? What if I want to implement my own realm for my web application so that I can maintain my application users separately in another application?
Secondly, this section explains that I can create a custom realm simply by creating a custom JAAS login module and a custom realm class. It then goes on to explain how to construct these classes and what to include in them. Notably, the documentation states the following:
The authenticateUser() method must end with the following sequence:
String[] grpList;
// populate grpList with the set of groups to which
// _username belongs in this realm, if any
return commitUserAuthentication(_username, _password,
_currentRealm, grpList);
Having looked at the API for authenticateUser I discovered that it is a void method, however the documentation states to return a value from "commitUserAuthentication(..)". Also, my commitUserAuthentication method only accepts a single argument of type String[] representing a list of group names, therefore I am unable to supply the additional arguments as documented. This is confusing.
Once finished reading the documentation, I am left hanging with hardly a clue as to what to do with these two new classes. Now having implemented a custom login module on Tomcat 5.x in earlier days, I did happen to have some experience to know to edit the security.properties, policy, and login.conf files. So anyhow from here I end up stumbling blindly through configuration of my domain1/login.conf and domain1/server.policy files. I also attempted to add my new realm within the admin console under security/realms and dropped my new jar file (with two classes) into the app server lib directory.
All in all, this completely fails to work. I have even placed System.out.println statements in all of my implemented methods and none of this actually shows up in my server.log file. Why is this section so vague? Why isn't there a step-by-step example from start to finish of how to implement a simple custom realm in SJSAS9?
Does anybody have any helpful suggestions?
Well, once again, I'm going to have to provide my own answer.
After much waiting and then deciding to invest much time researching documentation and tracking down information to assist in my solution, I have managed to find the golden egg for my own recipe of a solution.
In addition to the very helpful info I have found at:
http://developers.sun.com/prodtech/appserver/reference/techart/as8_authentication/index.html
I have managed to get my custom realm to work with the additional configuration of my sun-application.xml for my ear file. Even though I only wanted to specify my custom realm for my web.xml file, it turns out that in addition to this, I had to also define it in my sun-application.xml file (manually in XML text mode - within Netbeans 5.5) as follows:
<sun-application>
  <realm>mycustrealm</realm>
  <security-role-mapping>
    <role-name>mycust_role</role-name>
    <group-name>mycust_group</group-name>
  </security-role-mapping>
</sun-application>
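An added example, not from the original thread or from Sun's documentation: a minimal realm and login module shaped around the API the poster describes, where authenticateUser() is void and commitUserAuthentication() takes only the group array. The package and class names, the in-memory account and the login.conf entry are assumptions; the two source files are shown in one listing.

```java
// ---- SampleRealm.java (hypothetical class and package names) ----
package com.example.realm;

import com.sun.appserv.security.AppservRealm;
import com.sun.enterprise.security.auth.realm.BadRealmException;
import com.sun.enterprise.security.auth.realm.NoSuchRealmException;
import com.sun.enterprise.security.auth.realm.NoSuchUserException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;

public class SampleRealm extends AppservRealm {
    // Constructed sample account: user -> {password, group}. A real realm
    // would query its user store and compare salted password hashes.
    private final Map<String, String[]> users = new HashMap<String, String[]>();

    public void init(Properties props) throws BadRealmException, NoSuchRealmException {
        // The realm's "jaas-context" property names the login.conf entry that
        // loads the login module, e.g. (entry name is an assumption):
        //   mycustContext { com.example.realm.SampleLoginModule required; };
        String ctx = props.getProperty("jaas-context");
        if (ctx == null) {
            throw new BadRealmException("realm property jaas-context is not set");
        }
        setProperty("jaas-context", ctx);
        users.put("javious", new String[] {"constructed-password", "mycust_group"});
    }

    public String getAuthType() {
        return "sample";
    }

    // Returns the user's groups on success and null on any failure, so an
    // unknown user and a wrong password are indistinguishable to the caller.
    String[] authenticate(String user, String password) {
        String[] rec = users.get(user);
        byte[] expected = (rec == null ? "" : rec[0]).getBytes(StandardCharsets.UTF_8);
        byte[] given = (password == null ? "" : password).getBytes(StandardCharsets.UTF_8);
        boolean ok = MessageDigest.isEqual(expected, given) && rec != null;
        return ok ? new String[] {rec[1]} : null;
    }

    public Enumeration getGroupNames(String username) throws NoSuchUserException {
        String[] rec = users.get(username);
        if (rec == null) {
            throw new NoSuchUserException("unknown user");
        }
        return Collections.enumeration(Collections.singletonList(rec[1]));
    }
}

// ---- SampleLoginModule.java (same hypothetical package) ----
package com.example.realm;

import com.sun.appserv.security.AppservPasswordLoginModule;
import javax.security.auth.login.LoginException;

public class SampleLoginModule extends AppservPasswordLoginModule {
    // _username, _password and _currentRealm are set by the superclass
    // before this method is called.
    protected void authenticateUser() throws LoginException {
        if (!(_currentRealm instanceof SampleRealm)) {
            throw new LoginException("SampleLoginModule requires SampleRealm");
        }
        String[] grpList = ((SampleRealm) _currentRealm).authenticate(_username, _password);
        if (grpList == null) {
            throw new LoginException("Login failed for " + _username);
        }
        // void method: no "return", and only the group list is passed on.
        commitUserAuthentication(grpList);
    }
}
```

The group returned here, mycust_group, is the one the sun-application.xml above maps to mycust_role.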
Similar Messages
-
Weblogic700 sp4 custom realm for SAM authentication
We have an application running on WL7.0 sp4 which will be protected by sun access manager 7.1, but in the domain config we need to create a realm that authentication provider will be SAMAuthentication, I want to know whether we need to create a custom realm or we can create iplanet realm.
-
Policy Director Custom Realm for Weblogic
I would like more information on how the Policy Director custom Realm for Weblogic
works. What all methods are implemented and so on. If anyone could send me the source
code of the custom Realm that would be of great help.
Thanks in advance,
Krish
-
Creating a custom realm for tomcat. Help and suggestions please.
Has anybody ever created a custom realm to authenticate users in tomcat.
I would like to use form based login with my own realm.
The form requires 3 fields to log in (hence the custom realm) . I would also like to be able to use the built-in functions like isuserinrole.
If anybody has experience with this or knows of a place where to get valuable information please let me know.
Thanks in advance!
Hi
Tomcatx.x.x uses the realm sandbox security technique
1) In your abcd/web-inf/WEB.xml file write the realm config scripts for the required jsp/servlet pages [similar will be found in Tomcat/webapps/examples/web-inf/web.xml]
2) In Tomcatx.x.x/conf/tomcat_users.xml declare the realm id/pass/roles
3) If still not able to do then study the web.xml (pdf) available at website http://www.moreservlets.com
-
Custom eventing for reporting --- am i using the correct ResourceEvent?
Hi All,
I am using a web content management tool which stores all the content created through the tool in /documents repository. This content is published in the portal under various roles. I am working on a report to generate and report the hit counts for the pages in this repository. I have written a KM service that subscribes to GET_TEMPLATE event to generate these statistics.
The problem I am facing is this. When I navigate through the KM folder structure to a given page in a subfolder and do a preview of the page content, the hitcount is incremented and the report reflects this increase. However if I navigate to the role where the content is published and view the content from the role, the page hit count is not incremented and the report does not show the increment.
My questions are
1) Do I need to write a custom KM event that notifies the repository broker about the page access through the roles?
2) Is there any other standard event to which I can subscribe to get this page hit count?
Any helpful answers will be rewarded.
regards
Subra
Hi Subra,
> is there any way to know if the tool is raising any event
As I have been one of the developers, I can report that the tool definitely does not raise such an event explicitly. But as said above, it also shouldn't do this, as it shouldn't be needed. In addition, for the display the tool redirects to a KM navigation iView, which normally should lead to the expected event risen anyhow.
But if it really doesn't work, you still have the option to ask btexx to check if this is a shortcoming on SAP side - which in the interest of a smooth working product should be tracked, maybe worked around...
About the caching I can report that there is also no caching used at the moment for the display. This may change one day, for this in fact it would make sense to raise the event (even if the resource isn't called from the framework, but to enable such kind of statistics, if they won't be part of the product one day anyhow).
Hope it helps
Detlev
Message was edited by:
Detlev Beutner
One additional remark for all people involved: I just remember to have read about the same "missing" event on SDN, but I never checked this in the end. It might be that the navigation iView only throws the getChildren event, as for other resources than XML forms elements, it only renders the name of the resource, not its (or part of its) content (so the content doesn't get accessed). This also would make sense as normally the access to the Show form could be differentiated from the access to the RenderListItem form.
-
Using fileRealm + custom realm w/ WLS6
Hi,
I would like to write a custom realm for WLS6.0, but I would like to
delegate to the fileRealm for WebLogic accounts, such as 'system'. Can
anyone suggest a straightforward way to accomplish this?
Thanks,
Dhiren
Dhiren Patel -- Sr. Web Architect -- Align Technology, Inc.
Duh. Momentary lapse of reason, please disregard.
Dhiren
Dhiren Patel wrote:
Hi,
I would like to write a custom realm for WLS6.0, but I would like to
delegate to the fileRealm for WebLogic accounts, such as 'system'. Can
anyone suggest a straightforward way to accomplish this?
Thanks,
Dhiren
Dhiren Patel -- Sr. Web Architect -- Align Technology, Inc.
--
Dhiren Patel -- Sr. Web Architect -- Align Technology, Inc. -
Can you make custom ringtone for iPhone 4 w/o using iTunes?
My computer crashed and I had to redownload iTunes and all my music the other day. I plugged my iPhone 4 in to put a custom ringtone I made in iTunes on it and it says it wants to "erase and sync" my phone since it was connected to my old iTunes. Is there a way to fix this or is there a way to make a new custom ringtone for my iphone without using iTunes?
about backup http://support.apple.com/kb/HT1766
you're better off creating new ringtones. Take a look at the first link I gave you, that will answer all your questions. -
While implementing sample custom realm, got ClassNotFound exception
I am trying to get the sample custom realm work. I followed every step in the documentation and had it deployed successfully. When I tried to log in, the authentication failed. Then I restarted the SunOne appserver, in the server.log file I got the error:
[22/Jul/2003:09:34:24] WARNING (24887): SEC1100: Disabled realm [jdbc] due to errors.
[22/Jul/2003:09:34:24] WARNING (24887): SEC1000: Caught exception.
com.sun.enterprise.security.auth.realm.BadRealmException: java.lang.ClassNotFoundException: samples.security.jdbcrealm.JDBCRealm
at com.sun.enterprise.security.auth.realm.Realm.doInstantiate(Realm.java:350)
at com.sun.enterprise.security.auth.realm.Realm.instantiate(Realm.java:284)
at com.iplanet.ias.security.RealmConfig.createRealms(RealmConfig.java:95)
at com.sun.enterprise.security.RealmManager.init(RealmManager.java:91)
at com.sun.enterprise.server.J2EEServer.startAuthenticationService(J2EEServer.java:1211)
at com.sun.enterprise.server.J2EEServer.run(J2EEServer.java:391)
at com.sun.enterprise.server.J2EEServer.main(J2EEServer.java:1415)
at com.iplanet.ias.server.ApplicationServer.onInitialization(ApplicationServer.java:212)
at com.iplanet.ias.server.J2EERunner.confPreInit(J2EERunner.java:114)
Since I am new to this, I couldn't locate the problem after checking everything many times. Can anyone help me? I need to get this part work first, then I can move ahead and make changes.
Thanks a million!
Thanks a lot, I did it and it worked.
I have more questions. For the custom realm database, I want to use a table just for username and password, and another table just for roles. Then use a third table as a bridge between the two. Can I do it in the sample application? Can I change JDBCLoginModule to do this? If yes, Where to put JDBCLoginModule and JDBCRealm after changes?
Really appreciate your help. -
WebLogic Server doesn't start after configuring a Custom Realm
Hi,
We are having problems getting WebLogic server to startup after configuring a
Custom Realm. It outputs the error message "User System not authorized to boot
WebLogic Server. Security Excpetion".
For debugging purposes we had our Custom Realm classes output some debug statements
to the console. From the output it was apparent that all the users were getting
authenticated properly including System, Administrator, wliSystem etc. But after
the initial authentications we get this error message. I am attaching the log
file for your reference. Do we have to implement Authorization also (by implementing
ACLImpl) in the Custom Realm. Our Custom Realm was planned to be used only for
authentication.
Appreciate any feedback on the cause of the problem.
Thanks
Vikram
[test.log]
Thanks Deyan. I will give it a try and let you know.
"Deyan D. Bektchiev" <[email protected]> wrote:
Vikram,
You should make your user that you use to startup the server a member of the Administrators group.
In other words there should be a Principal "Administrators" in the Subject that your LoginModule returns.
I'm not sure if you can configure this afterwards but this is how it's done out of the box.
Dejan
Vikram wrote:
Mike,
We are working with a Platform domain on Weblogic 7.0. When you implement a custom realm it can be implemented just for authentication and not for authorization. In our case we used the Custom Realm only for authentication. ACLs store all the authorization information. We assumed that the standard Weblogic user accounts like system, administrator are already part of the ACLs with the appropriate privileges.
Please let me know if you have any suggestions.
Thanks
Vikram
"mike" <[email protected]> wrote:
You mix up authentication and authorization. The fact that a user is a valid user (authentication) does not guarantee that he/she can perform a certain action (authorization). The second is defined by ACLs or something, which is probably (most likely) not set in your case. To go on ranting I need to know which version you are on (looks like 7, grey area for me).
"Vikram" <[email protected]> wrote:
Hi,
We are having problems getting WebLogic server to startup after configuring a Custom Realm. It outputs the error message "User System not authorized to boot WebLogic Server. Security Excpetion".
For debugging purposes we had our Custom Realm classes output some debug statements to the console. From the output it was apparent that all the users were getting authenticated properly including System, Administrator, wliSystem etc. But after the initial authentications we get this error message. I am attaching the log file for your reference. Do we have to implement Authorization also (by implementing ACLImpl) in the Custom Realm. Our Custom Realm was planned to be used only for authentication.
Appreciate any feedback on the cause of the problem.
Thanks
Vikram
-
Can you make custom clothing for 3d Models?
Hello, I am new to Photoshop CS5 Extended and mostly bought the program for making textures for 3d clothing since it has a bridge from DAZ to Photoshop which I hope will make my work go faster. I have been using DAZ and Poser for a while now and have been working in photo editing and vector designing for 12 years. I am not new to this, just need to adobe products. I was wondering if it is possible to custom clothing for 3D Daz models using Adobe Photoshop CS5 Extended? I can find tutors on painting models but nothing on making the custom clothing itself, not a texture for other clothing but making my own clothing for DAZ Kids4. I have been using Hexagon to work with clothing but was looking for a photoshop alternative method.
Thank you
Kimberly
for the mesh, hexagon is actually better than photoshop. Since it can create the actual mesh. Though, you can import the mesh into photoshop so you can see it while you paint the texture.
The 3d creation portion of photoshop is still a bit limiting. (But my experience stops with CS5. I have not tried CS6 yet, so improvement could have been made)
The issue I have with hexagon is the amount of bugs in it. I prefer a more robust and more expensive alternative. But that's me
A free alternative is Blender. But I find the UI a bit outdated and hard to grasp. But again, that's me.
Generate your UV maps as you normally would then load them into photoshop and get painting. You may like other texture generating apps to go along with photoshop. Genetica is great for making tileable textures. -
auth-method BASIC with custom realm
I've set up my web.xml with <auth-method>BASIC, and I've defined a custom realm
for authentication. When I enter a valid userid/password at login, I can trace
authUserPassword() in my custom realm, and I can see that it is returning an object
which is a subclass of weblogic.security.acl.User, as it should. However, rather
than acknowledging a successful login and moving on, the login dialog is redisplayed,
(minus password). Further attempts to enter the same userid/password don't invoke
authUserPassword(), presumably since the "failed" login is still cached. What
am I missing?
Have a look in the web server log to see under what account the failed accesses took place, that will help in identifying the cause.
"Bill Welch" <[email protected]> wrote in message
news:3b2a6431$[email protected]..
> I've set up my web.xml with <auth-method>BASIC, and I've defined a custom realm
> for authentication. When I enter a valid userid/password at login, I can trace
> authUserPassword() in my custom realm, and I can see that it is returning an object
> which is a subclass of weblogic.security.acl.User, as it should. However, rather
> than acknowledging a successful login and moving on, the login dialog is redisplayed,
> (minus password). Further attempts to enter the same userid/password don't invoke
> authUserPassword(), presumably since the "failed" login is still cached. What
> am I missing?
-
Using JAAS/JNDI with the Login Server
Is it possible to set up single sign-on through the Login Server
and OID for a Java portlet using JAAS and JNDI? What would be
required to set this up?
I was facing same problem,
Here is I got an answer, I was doing same mistake.
You cannot authenticate with an outlook.com account when you use the management shell. You have to use a @yourtenant.onmicrosoft.com
account or an account where the domain has been associated with your O365 tenant like @contoso.com . Microsoft accounts cannot be used with the management shell.
http://community.office365.com/en-us/f/156/t/238053.aspx -
Admin Console Integration for Users in a Custom Realm
We are implementing a custom realm and are having troubles getting our Users to
show up in the User list.
Our user class extends weblogic.security.acl.User, and is forced to use the default
CTOR because our data access layer requires it.
Unfortunately, getName() returns null if the User(String) constructor is not used.
Furthermore, Identity::setName() is final, so it seems as though there is no
way to set the user's name after construction.
I am correct in this?
If so, any thoughts on whether it is worth going down the path of making my user
class implement Principal instead of extending weblogic.security.acl.User? I
would be forced to try to guess at what methods in User are required to integrate
with the admin console, I believe. I have not been able to find any documentation
that specifies what api/contract the console uses when it attempts to display
user, role, acl information for a custom realm.
Any advice would be greatly appreciated.
-chris
My comments mixed with your text
"Chris Goodacre" <[email protected]> wrote:
> We are implementing a custom realm and are having troubles getting our Users to show up in the User list.
> Our user class extends weblogic.security.acl.User, and is forced to use the default CTOR because our data access layer requires it.
> Unfortunately, getName() returns null if the User(String) constructor is not used.
Yes.
> Furthermore, Identity::setName() is final, so it seems as though there is no way to set the user's name after construction.
> I am correct in this?
Yes. Changing a user's name on a constructed user object is like mutating that user to another user - a security hole. It isn't allowed.
> If so, any thoughts on whether it is worth going down the path of making my user class implement Principal instead of extending weblogic.security.acl.User?
I'd try to stay with extending weblogic.security.acl.User, but also implement weblogic.security.acl.CredentialChanger, so you can change passwords through the console (otherwise you get NullPointerExceptions).
You really want to get around not being able to supply a user name as part of the ctor.
> I would be forced to try to guess at what methods in User are required to integrate with the admin console, I believe. I have not been able to find any documentation that specifies what api/contract the console uses when it attempts to display user, role, acl information for a custom realm.
> Any advice would be greatly appreciated.
> -chris
1. Your realm should extend AbstractManageableRealm and implement DebuggableRealm if you want to integrate with the console.
2. The only contract is to implement all the methods!
3. Check the type of the user and group objects being passed to your realm - if they're not your user and group type, reject the call.
4. The documentation is indeed terrible, and often wrong. The examples shipped are incomplete (the RBDMS realm shipped has approx 1/3 of the functionality). You'll get good with jad.
Should all be better in 7.0 with JAAS. The realm interfaces is a dog.
Good luck,
simon.
-
One custom security realm for many wl servers?
Is it possible to use one custom security realm for many weblogic servers...ie
one login for all application on different weblogic server.
-
How to create a user class for the customer realm
How can I create a User class for my custom security realm, please help me out. I am trying to access using the active directory server and I am unable to write a simple class for this user, can anyone help me. I am a beginner, would appreciate if any one helps me.
regards
baba
Hi Rawat,
You Don't need to create User Exits,but you need to find user Exits.Below are list of user Exits for MB31.
Use proper exit as per your requirement.
Exit Name Description
MBCF0002 Customer function exit: Segment text in material doc. item
MBCF0005 Material document item for goods receipt/issue slip
MBCF0006 Customer function for WBS element
MBCF0007 Customer function exit: Updating a reservation
MBCF0009 Filling the storage location field
MBCF0010 Customer exit: Create reservation BAPI_RESERVATION_CREATE1
MBCF0011 Read from RESB and RKPF for print list in MB26
MB_CF001 Customer Function Exit in the Case of Updating a Mat. Doc.
award points if ans is useful.
Regards,
Albert