Custome login module:SDA can't reference com.sap.portal.usermapping_api.jar

I made my own j2ee custom login module and one of the things I wanted the custom login module to do is to clear out the UME roles for the user logging in, "download" the role assignments from an ABAP WAS system, and reassign those roles in UME. I got the coding done and created my JAR file. In building the SDA file, I can't figure out how to add com.sap.portal.usermapping_api.jar to the provider.xml file. I tried specifying it on thru "create new" and tried looking for it in the list from "Select library/interface/service, but I still get an error when loading the login module.
Does anyone know how to do this?
TIA.
Mel Calucin
Bentley Systems, Inc.

Hi Mel,
why do you think you need to reference the portal's user mapping service API? I'm not sure whether you can reference Portal services at all from J2EE level.
If you need to use user mapping in your login module, you don't need the Portal's user mapping service. Instead, you can directly use the user mapping interfaces and methods of the UME, which are contained in a J2EE library.
You can use something like the following reference to get runtime access to the UME API library:
<reference reference-type="weak">
<reference-target target-type="library">
com.sap.security.api.sda
</reference-target>
</reference>
Accessing user mapping is possible via com.sap.security.api.UMFactory.getUserMapping() which returns an object implementing com.sap.security.api.umap.IUserMapping. This is the main entry point for all user mapping related features.
Please check the Javadoc for details:
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/javadocs/nw04/sp12/user management engine - version 4.0/index.html
I hope this helps.
Best regards
Heiko

Similar Messages

Can't See com.sap.portal.runtime.logon in list of PAR Files in Iview Wizard

Hello All,
I am trying to create an iview from PAR file com.sap.portal.runtime.logon which is the logon par file that has the logon page. But when I right click a folder in the PCD and click on New From PAR Iview I try to find on the list of available par files and I don't find the one named com.sap.portal.runtime.logon
Can anyone tell me if this has to do with the portalapp.xml file from com.sap.porta.runtime.logon.par file.? or with the Security Zones defined in portalapp.xml? Or does someone know why this PAR file doesn't appear on the list and how can I make it appear on this list of par files?
Any helpful ideas to solve this issue will give rewarding points.
Thanks
Luis

Hello,
What I want to do is to put the logon page in the light framework page so that the users can login from the anonymous portal. After I customize the logon page I want to create aniview in the detailed navigation.
If you want to see the jsp files that the com.sap.portal.runtime.logon.par file you have to go to the file system and copy the .par.bak file , rename it to .zip and all the files are there.
But my question is if this is a par file that is deployed in the portal , why I cant create an iview from this par file? From other forums I have read they say that creating an iview from this par file it will put the logon page where you want. But when I try to create an iview from PAR File the com.sap.portal.runtime.logon doesn't appear in the list of available par files.
Please help me on this and will give rewarding points.
Thanks
Luis

Where can I find com.sap.portal.pcm.IObjectsManager class?

I am using EP6 SP9. Which jar file contains com.sap.portal.pcm.IObjectsManager class? I tried using classfinder but I couldn't locate it. I am not able to compile because one of the classes I am using depends on this class....

Hi Sam,
to be found under
...\irj\root\WEB-INF\portal\portalapps\com.sap.portal.ivs.api_portalpcm\lib\com.sap.portal.ivs.api_portalpcm_api.jar
Hope it helps
Detlev
PS: Please consider rewarding points for "problem solving answers", knick-knack...
PPS: Use ClassLocator instead (to be found on sourceforge). Better and faster.

Com.Sap.Portal.dynamicSystem -- Jar needed

Hi all
In my system , I am unable to see the jar file of the import com.sap.portal.dynamicsystem.
Where i find this JAR file ???
Thanks
Kay

Iam not sure,
Try this:
com.sap.portal.ivs.systemlandscapeservice_api.jar
(Path from PCD Browser: ROOT/WEB-INF/portal/portalapps/com.sap.portal.ivs.systemlandscapeservice/lib)
Regards.
P.

Deploying a custom login module to the J2EE engine

I have developed a custom login module, and want to deploy it to the SAP j2ee engine. How should I go about this ? I tried packaging it as a jar and then using the deploytool, went into user management to register the module, but when the module was invoked I got an error in the log saying "Cannot load a login module".
The way I currently deploy it is packaged with the Example Calculator, and this works. I just add my 2 java files into the web module (in com.sap.examples.calculator.beans) and it gets packaged in the war file.
Can anyone help with the "proper" way of deploying my module ?
Thanks in advance

Hi Brad,
>
> What I'm actually trying to do is NOT deploy my
> custom login module with an application. But rather
> deploy the jar file as a library to the J2EE engine,
> so that any application can use it by configuring it
> in their login stacks. I'm still not totally clear
> whether this is possible or not.
Once again - It is possible to deploy the login module as a library to the J2EE Engine; furthermore, this is the PREFERRED way to use login modules!
>
> What I have currently done:
>
> 1. developed custom login module packaged as a jar in
> NW studio (2 class files)
>
> 2. Using deploytool I deploy the jar as a library to
> the j2ee engine. This works and the library shows up
> under the libraries section.
>
> 3. Register the login module in the user
> management->manage security stores section. I'm
> unsure if this works properly. Do I just provide the
> full path to the required class ? For example
> "com.example.myloginmodule.LoginModule"
> I have a suspicion that my error of "cannot load a
> login module" stems from here.
>
> 4. I have then followed your step and added a
> reference to the libray (Hard reference) and this
> seems ok.
>
Sorry, Brad, I've made a mistake here. You need to set a reference from the Security Provider Service to the library that contains the login module (not from the application). To do that at runtime, you'll have to use the Configuration Adapter service on the J2EE Engine. For a description of the procedure, see this page in the documentation: http://help.sap.com/saphelp_nw04/helpdata/en/dd/1e3a3e5069eb6ce10000000a114084/frameset.htm
You need to provide additional entry of the following type in the security-provider.xml file:
<reference type="library" strength="weak">
Your-library-name-here
</reference>
Regards,
Ivo.
Message was edited by: Ivaylo Ivanov

How do i download com.sap.portal.runtime.logon.par.bak

I need to download com.sap.portal.runtime.logon.par.bak
From what i understand, If you have the System administration privilege then you can download the par file from "System Administration"==>"Support"==>"Support Desk"==>"Portal Runtime"==>"Browse deployment"==>"ROOT"==>"WEB-INF"==>"deployment"==>"pcd"
I was able to navigate this way. However, i cannot find this logon.par under this directory structure.
In help.sap.com, i was told to Navigate to <J2EE_Engine_Instance>\j2ee\cluster\server<X>\apps\sap.com\irj\servlet_jsp\irj\root\WEB-INF\deployment\pcd .There you can find com.sap.portal.runtime.logon.par.bak.
How is this different from the earlier navigation? I don't know how to do this? How exactly do i navigate this way?

Sandeep
I am sure that in the follwoing path, u can find the
com.sap.portal.runtime.logon.par.bak
<J2EE_Engine_Instance>\j2ee\cluster\server<X>\apps\sap.com\irj\servlet_jsp\irj\root\WEB-INF\deployment\pcd
MAke a copy of the PAR and u can Pull it into the NetStudio !!!!
Thanks
Kay

Help - using custom login module with embedded jdev oc4j to access ejb 3

Hi All (Frank ??),
I'm just wondering if anyone has successfully been able to leverage a custom login module in combination
with a client that connects to a local EJB 3 stateless session bean through Jdeveloper 10.1.3.2's embedded oc4j.
I have spent 2+ days trying to get this to work - and i think I resound now to the fact im going to
have to deploy to oc4j standalone instead.
I got close.. but finally was trumped with the following error from the client trying to access the ejb:-
javax.naming.NoPermissionException: Not allowed to look up XXXXXX, check the namespace-access tag
setting in orion-application.xml for details.
Using the various guides available, I had no problem getting the custom login module working
with a local servlet running from JDev's embedded oc4j.. however with ejb - no such luck.
I have a roles table (possible values Member, Admin) - that maps to sr_Member and sr_Admin
respectively in various config files.
I'm using EJB 3 annotations for protecting methods .. for example
@RolesAllowed("sr_Member")
Steps that I had to do so far :-
In <jdevhome>\jdev\system\oracle.jwee.10.1.3.40.66\embedded-oc4j\config\system-jazn-data.xml1) Add custom login module
 <application>
 <name>current-workspace-app</name>
 <login-modules>
 <login-module>
 <class>kr.security.KnowRushLoginModule</class>
 <control-flag>required</control-flag>
 <options>
 <option>
 <name>dataSource</name>
 <value>jdbc/DB_XE_KNOWRUSHDS</value>
 </option>
 <option>
 <name>user.table</name>
 <value>users</value>
 </option>
 <option>
 <name>user.pk.column</name>
 <value>id</value>
 </option>
 <option>
 <name>user.name.column</name>
 <value>email_address</value>
 </option>
 <option>
 <name>user.password.column</name>
 <value>password</value>
 </option>
 <option>
 <name>role.table</name>
 <value>roles</value>
 </option>
 <option>
 <name>role.to.user.fk.column</name>
 <value>user_id</value>
 </option>
 <option>
 <name>role.name.column</name>
 <value>name</value>
 </option>
 </options>
 </login-module>
 </login-modules>
 </application>2) Grant login rmi permission to roles associated with custom login module (also in system-jazn-data.xml)
<grant>
 <grantee>
 <principals>
 <principal>
 <realm-name>jazn.com</realm-name>
 <type>role</type>
 <class>kr.security.principals.KRRolePrincipal</class>
 <name>Admin</name>
 </principal>
 </principals>
 </grantee>
 <permissions>
 <permission>
 <class>com.evermind.server.rmi.RMIPermission</class>
 <name>login</name>
 </permission>
 </permissions>
</grant>
<grant>
 <grantee>
 <principals>
 <principal>
 <realm-name>jazn.com</realm-name>
 <type>role</type>
 <class>kr.security.principals.KRRolePrincipal</class>
 <name>Member</name>
 </principal>
 </principals>
 </grantee>
 <permissions>
 <permission>
 <class>com.evermind.server.rmi.RMIPermission</class>
 <name>login</name>
 </permission>
 </permissions>
</grant>3) I've tried creating various oracle and j2ee deployment descriptors (even though ejb-jar.xml and orion-ejb-jar.xml get created automatically when running the session bean in jdev).
My ejb-jar.xml contains :-
<?xml version="1.0" encoding="utf-8"?>
<ejb-jar xmlns ....
<assembly-descriptor>
 <security-role>
 <role-name>sr_Admin</role-name>
 </security-role>
 <security-role>
 <role-name>sr_Member</role-name>
 </security-role>
</assembly-descriptor>
</ejb-jar>Note- i'm not specifying the enterprise-beans stuff, as JDev seems to populate this automatically.
My orion-ejb-jar.xml contains ...
<?xml version="1.0" encoding="utf-8"?>
<orion-ejb-jar ...
<assembly-descriptor>
 <security-role-mapping name="sr_Admin">
 <group name="Admin"></group>
 </security-role-mapping>
 <security-role-mapping name="sr_Member">
 <group name="Member"></group>
 </security-role-mapping>
 <default-method-access>
 <security-role-mapping name="sr_Member" impliesAll="true">
 </security-role-mapping>
 </default-method-access>
</assembly-descriptor>My orion-application.xml contains ...
<?xml version="1.0" encoding="utf-8"?>
<orion-application xmlns ...
<security-role-mapping name="sr_Admin">
 <group name="Admin"></group>
</security-role-mapping>
<security-role-mapping name="sr_Member">
 <group name="Member"></group>
</security-role-mapping>
<jazn provider="XML">
 <property name="role.mapping.dynamic" value="true"></property>
 <property name="custom.loginmodule.provider" value="true"></property>
</jazn>
<namespace-access>
 <read-access>
 <namespace-resource root="">
 <security-role-mapping name="sr_Admin">
 <group name="Admin"/>
 <group name="Member"/>
 </security-role-mapping>
 </namespace-resource>
 </read-access>
 <write-access>
 <namespace-resource root="">
 <security-role-mapping name="sr_Admin">
 <group name="Admin"/>
 <group name="Member"/>
 </security-role-mapping>
 </namespace-resource>
 </write-access>
</namespace-access>
</orion-application>My essentially auto-generated EJB 3 client does the following :-
 Hashtable env = new Hashtable();
 env.put(Context.SECURITY_PRINCIPAL, "matt.shannon");
 env.put(Context.SECURITY_CREDENTIALS, "welcome1");
 final Context context = new InitialContext(env);
 KRFacade kRFacade = (KRFacade)context.lookup("KRFacade");
...And throws the error
20/04/2007 00:55:37 oracle.j2ee.rmi.RMIMessages
EXCEPTION_ORIGINATES_FROM_THE_REMOTE_SERVER
WARNING: Exception returned by remote server: {0}
javax.naming.NoPermissionException: Not allowed to look
up KRFacade, check the namespace-access tag setting in
orion-application.xml for details
 at
com.evermind.server.rmi.RMIClientConnection.handleLookupRe
sponse(RMIClientConnection.java:819)
 at
com.evermind.server.rmi.RMIClientConnection.handleOrmiComm
andResponse(RMIClientConnection.java:283)
....I can see from the console that the user was successfully authenticated :-
20/04/2007 00:55:37 kr.security.KnowRushLoginModule validate
WARNING: [KnowRushLoginModule] User matt.shannon authenticated
And that user is granted both the Admin, and Member roles.
The test servlet using basic authentication correctly detects the user and roles perfectly...
public void doGet(HttpServletRequest request,
 HttpServletResponse response)
 throws ServletException, IOException
 LOGGER.log(Level.INFO,LOGPREFIX +"doGet called");
 response.setContentType(CONTENT_TYPE);
 PrintWriter out = response.getWriter();
 out.println("<html>");
 out.println("<head><title>ExampleServlet</title></head>");
 out.println("<body>");
 out.println("The servlet has received a GET. This is the reply.");
 out.println(" getRemoteUser = " + request.getRemoteUser());
 out.println(" getUserPrincipal = " + request.getUserPrincipal());
 out.println(" isUserInRole('sr_Admin') = "+request.isUserInRole("sr_Admin"));
 out.println(" isUserInRole('sr_Memeber') = "+request.isUserInRole("sr_Member"));Anyone got any ideas what could be going wrong?
cheers
Matt.
Message was edited by:
mshannon

Thanks for the response. I checked out your blog and tried your suggestions. I'm sure it works well in standalone OC4J, but i was still unable to get it to function correctly from JDeveloper embedded.
Did you ever get the code working directly from JDeveloper?
Your custom code essentially seems to be the equivalent of a grant within system-jazn-data.xml.
For example, the following grant to a custom jaas role (JAAS_ADMIN) that gets added by my custom login module gives them rmi login access :-
 <grant>
 <grantee>
 <principals>
 <principal>
 <realm-name>jazn.com</realm-name>
 <type>role</type>
 <class>kr.security.principals.KRRolePrincipal</class>
 <name>JAAS_Admin</name>
 </principal>
 </principals>
 </grantee>
 <permissions>
 <permission>
 <class>com.evermind.server.rmi.RMIPermission</class>
 <name>login</name>
 </permission>
 </permissions>
 </grant>If I add the following to orion-application.xml

<namespace-access>
 <read-access>
 <namespace-resource root="">
 <security-role-mapping>
 <group name="JAAS_Admin"></group>
 </security-role-mapping>
 </namespace-resource>
 </read-access>Running a standalone client against the embedded jdev oc4j server gives the namespace-access error.
I tried out your code by essentially creating a static reference to a singleton class that does the role lookup/provisioning with rmi login grant :-
From custom login module :-
private static KRSecurityHelper singleton = new KRSecurityHelper();
protected Principal[] m_Principals;
 Vector v = new Vector();
 v.add(singleton.getCustomRmiConnectRole());
 // set principals in LoginModule
 m_Principals=(Principal[]) v.toArray(new Principal[v.size()]);
Singleton class :-
package kr.security;
import com.evermind.server.rmi.RMIPermission;
import java.util.logging.Level;
import java.util.logging.Logger;
import oracle.security.jazn.JAZNConfig;
import oracle.security.jazn.policy.Grantee;
import oracle.security.jazn.realm.Realm;
import oracle.security.jazn.realm.RealmManager;
import oracle.security.jazn.realm.RealmRole;
import oracle.security.jazn.realm.RoleManager;
import oracle.security.jazn.policy.JAZNPolicy;
import oracle.security.jazn.JAZNException;
public class KRSecurityHelper
private static final Logger LOGGER = Logger.getLogger("kr.security");
private static final String LOGPREFIX = "[KRSecurityHelper] ";
public static String CUSTOM_RMI_CONNECT_ROLE = "remote_connect";
private RealmRole m_Role = null;
public KRSecurityHelper()
 LOGGER.log(Level.FINEST,LOGPREFIX +"calling JAZNConfig.getJAZNConfig");
 JAZNConfig jc = JAZNConfig.getJAZNConfig();
 LOGGER.log(Level.FINEST,LOGPREFIX +"calling jc.getRealmManager");
 RealmManager realmMgr = jc.getRealmManager();
 try
 // Get the default realm .. e.g. jazn.com
 LOGGER.log(Level.FINEST,LOGPREFIX +"calling jc.getGetDefaultRealm");
 Realm r = realmMgr.getRealm(jc.getDefaultRealm());
 LOGGER.log(Level.INFO,LOGPREFIX +"default realm: "+r.getName());
 // Access the role manager for the remote connection role
 LOGGER.log(Level.FINEST,
 LOGPREFIX +"calling default_realm.getRoleManager");
 RoleManager roleMgr = r.getRoleManager();
 LOGGER.log(Level.INFO,LOGPREFIX +"looking up custom role '"
 CUSTOM_RMI_CONNECT_ROLE "'");
 RealmRole rmiConnectRole = roleMgr.getRole(CUSTOM_RMI_CONNECT_ROLE);
 if (rmiConnectRole == null)
 LOGGER.log(Level.INFO,LOGPREFIX +"role does not exist, create it...");
 rmiConnectRole = roleMgr.createRole(CUSTOM_RMI_CONNECT_ROLE);
 LOGGER.log(Level.FINEST,LOGPREFIX +"constructing new grantee");
 Grantee gtee = new Grantee(rmiConnectRole);
 LOGGER.log(Level.FINEST,LOGPREFIX +"constructing login rmi permission");
 RMIPermission login = new RMIPermission("login");
 LOGGER.log(Level.FINEST,
 LOGPREFIX +"constructing subject.propagation rmi permission");
 RMIPermission subjectprop = new RMIPermission("subject.propagation");
 // make policy changes
 LOGGER.log(Level.FINEST,LOGPREFIX +"calling jc.getPolicy");
 JAZNPolicy policy = jc.getPolicy();
 if (policy != null)
 LOGGER.log(Level.INFO, LOGPREFIX
 + "add to policy grant for RMI 'login' permission to "
 + CUSTOM_RMI_CONNECT_ROLE);
 policy.grant(gtee, login);
 LOGGER.log(Level.INFO, LOGPREFIX
 + "add to policy grant for RMI 'subject.propagation' permission to "
 + CUSTOM_RMI_CONNECT_ROLE);
 policy.grant(gtee, subjectprop);
 // m_Role = rmiConnectRole;
 m_Role = roleMgr.getRole(CUSTOM_RMI_CONNECT_ROLE);
 LOGGER.log(Level.INFO, LOGPREFIX
 + m_Role.getName() + ":" + m_Role.getFullName() + ":" + m_Role.getFullName());
 else
 LOGGER.log(Level.WARNING,LOGPREFIX +"Cannot find jazn policy!");
 else
 LOGGER.log(Level.INFO,LOGPREFIX +"custom role already exists");
 m_Role = rmiConnectRole;
 catch (JAZNException e)
 LOGGER.log(Level.WARNING,
 LOGPREFIX +"Cannot configure JAZN for remote connections");
public RealmRole getCustomRmiConnectRole()
 return m_Role;
}Using the code approach and switching application.xml across so that namespace access is for the group remote_connect, I get the following error from my bean :-
INFO: Login permission not granted for current-workspace-app (test.user)
Thus, the login permission that I'm adding through the custom remote_connect role does not seem to work. Even if it did, i'm pretty sure I would still get that namespace error.
This has been such a frustrating process. All the custom login module samples using embedded JDeveloper show simple j2ee servlet protection based on settings in web.xml.
There are no samples showing jdeveloper embedded oc4j using ejb with custom login modules.
Hopefully the oc4j jdev gurus like Frank can write a paper that demonstrates this.
Matt.

Urgent - error in Customized login module

hi
I have created a customise login module by using the following url
http://help.sap.com/saphelp_nw04/helpdata/en/46/3ce9402f3f8031e10000000a1550b0/frameset.htm
but when I login to the portal, my login module is not working .When I checked in defaultTrace.1.trc file, it showing following errors :
Caused by: java.lang.ClassNotFoundException: com.sap.test.TestLoginModuleClass
Found in negative cache
Loader Info -
ClassLoader name: [common:library:com.sap.security.api.sda;library:com.sap.security.core.sda;library:security.class;library:webservices_lib;service:com.sap.security.core.ume.service;service:connector;service:dbpool;service:keystore;service:security;service:userstore]
Parent loader name: [Frame ClassLoader]
References:
 library:com.sap.ip.basecomps
 library:core_lib
 common:library:IAIKSecurity;library:activation;library:mail;library:tcsecssl
 library:servlet
 library:sapxmltoolkit
 library:com.sap.mw.jco
 library:com.sap.util.monitor.jarm
 library:j2eeca
 library:opensql
 interface:security
 interface:log
 interface:shell
 interface:keystore_api
 library:ejb20
 interface:webservices
 library:com.sap.guid
 interface:appcontext
 interface:endpoint_api
 interface:resourceset_api
 interface:resourcecontext_api
 common:service:iiop;service:naming;service:p4;service:ts
 interface:ejbcomponent
 interface:container
 interface:visual_administration
 interface:transactionext
 interface:dsr_ejbcontext_api
 service:timeout
 service:memory
 service:deploy
 library:antlr
 library:jdbdictionary
 library:opensqlextensions
 service:adminadapter
 interface:cross
Resources:
 C:
usr
sap
J2E
JC00
j2ee
cluster
server0
bin
services
dbpool
dbpool.jar
 C:
usr
sap
J2E
JC00
j2ee
cluster
server0
bin
ext
security.class
tc_sec_compat.jar
 C:
usr
sap
J2E
JC00
j2ee
cluster
server0
bin
services
security
security.jar
 C:
usr
sap
J2E
JC00
j2ee
cluster
server0
bin
services
com.sap.security.core.ume.service
com.sap.security.core.ume.service.jar
 C:
usr
sap
J2E
JC00
j2ee
cluster
server0
bin
ext
security.class
tc_sec_saml_toolkit_api.jar
 C:
usr
sap
J2E
JC00
j2ee
cluster
server0
bin
ext
webservices_lib
webservices_lib.jar
 C:
usr
sap
J2E
JC00
j2ee
cluster
server0
bin
ext
security.class
tc_sec_userstore_lib.jar
 C:
usr
sap
J2E
JC00
j2ee
cluster
server0
bin
ext
security.class
tc_sec_jaas_test.jar
 C:
usr
sap
J2E
JC00
j2ee
cluster
server0
bin
services
dbpool
sqljimpl.jar
 C:
usr
sap
J2E
JC00
j2ee
cluster
server0
bin
ext
com.sap.security.core.sda
com.sap.security.core.tpd.jar
 C:
usr
sap
J2E
JC00
j2ee
cluster
server0
bin
services
connector
connectorimpl.jar
 C:
usr
sap
J2E
JC00
j2ee
cluster
server0
bin
ext
com.sap.security.api.sda
com.sap.security.api.perm.jar
 C:
usr
sap
J2E
JC00
j2ee
cluster
server0
bin
ext
webservices_lib
saaj-api.jar
 C:
usr
sap
J2E
JC00
j2ee
cluster
server0
bin
ext
security.class
tc_sec_saml_jaas.jar
 C:
usr
sap
J2E
JC00
j2ee
cluster
server0
bin
ext
security.class
tc_sec_saml_xmlbind.jar
 C:
usr
sap
J2E
JC00
j2ee
cluster
server0
bin
ext
security.class
tc_sec_saml_util.jar
 C:
usr
sap
J2E
JC00
j2ee
cluster
server0
bin
ext
security.class
tc_sec_saml_toolkit_core.jar
 C:
usr
sap
J2E
JC00
j2ee
cluster
server0
bin
ext
security.class
tc_sec_ssf.jar
 C:
usr
sap
J2E
JC00
j2ee
cluster
server0
bin
services
userstore
userstore.jar
 C:
usr
sap
J2E
JC00
j2ee
cluster
server0
bin
ext
security.class
tc_sec_https.jar
 C:
usr
sap
J2E
JC00
j2ee
cluster
server0
bin
ext
security.class
tc_sec_saml_service_api.jar
 C:
usr
sap
J2E
JC00
j2ee
cluster
server0
bin
ext
webservices_lib
jaxrpc-api.jar
 C:
usr
sap
J2E
JC00
j2ee
cluster
server0
bin
services
dbpool
opensqllib.jar
 C:
usr
sap
J2E
JC00
j2ee
cluster
server0
bin
ext
security.class
tc_sec_jaas.jar
 C:
usr
sap
J2E
JC00
j2ee
cluster
server0
bin
ext
com.sap.security.api.sda
com.sap.security.api.jar
 C:
usr
sap
J2E
JC00
j2ee
cluster
server0
bin
ext
com.sap.security.core.sda
com.sap.security.core.jar
 C:
usr
sap
J2E
JC00
j2ee
cluster
server0
bin
ext
webservices_lib
jaxm-api.jar
 C:
usr
sap
J2E
JC00
j2ee
cluster
server0
bin
services
keystore
keystore.jar
Loading model: {parent,local,references}
 at com.sap.engine.frame.core.load.ReferencedLoader.loadClass(ReferencedLoader.java:298)
 at com.sap.engine.services.security.Util.loadClass(Util.java:257)
 at com.sap.engine.services.security.Util.loadClassFromAdditionalLoaders(Util.java:199)
 at com.sap.engine.services.security.login.LoginContextFactory.init(LoginContextFactory.java:89)
 ... 13 more
#1.5#001143F14283004C0000000000001F900004064B9EAAD383#1132821761187#com.sap.sl.util.cvers.impl.CVersFactory##com.sap.sl.util.cvers.impl.CVersFactory#Administrator#903####4632df305cc611da97d1001143f14283#SAPEngine_Application_Thread[impl:3]_9##0#0#Path##Plain###14:12:41 /Applications/SL/UTIL entering class com.sap.sl.util.cvers.impl.CVersFactory#
#1.5#001143F14283004C0000000100001F900004064B9EAAE147#1132821761187#com.sap.sl.util.cvers.impl.CVersManager##com.sap.sl.util.cvers.impl.CVersManager#Administrator#903####4632df305cc611da97d1001143f14283#SAPEngine_Application_Thread[impl:3]_9##0#0#Path##Plain###14:12:41 /Applications/SL/UTIL entering class com.sap.sl.util.cvers.impl.CVersManager#
#1.5#001143F14283004C0000000200001F900004064B9EAAFAD2#1132821761187#com.sap.sl.util.cvers.impl.DBConnector##com.sap.sl.util.cvers.impl.DBConnector#Administrator#903####4632df305cc611da97d1001143f14283#SAPEngine_Application_Thread[impl:3]_9##0#0#Path##Plain###14:12:41 /Applications/SL/UTIL entering class com.sap.sl.util.cvers.impl.DBConnector#
#1.5#001143F14283004C0000000300001F900004064B9EAB2769#1132821761203#com.sap.sl.util.cvers.impl.CVersDao##com.sap.sl.util.cvers.impl.CVersDao#Administrator#903####4632df305cc611da97d1001143f14283#SAPEngine_Application_Thread[impl:3]_9##0#0#Path##Plain###14:12:41 /Applications/SL/UTIL entering class com.sap.sl.util.cvers.impl.CVersDao#
#1.5#001143F14283004C0000000400001F900004064B9EAB2B09#1132821761203#com.sap.sl.util.cvers.impl.DBConnector##com.sap.sl.util.cvers.impl.DBConnector#Administrator#903####4632df305cc611da97d1001143f14283#SAPEngine_Application_Thread[impl:3]_9##0#0#Path##Plain###-> 14:12:41 -> entering getDataSource#
#1.5#001143F14283004C0000000500001F900004064B9EAB2CAC#1132821761203#com.sap.sl.util.cvers.impl.DBConnector##com.sap.sl.util.cvers.impl.DBConnector#Administrator#903####4632df305cc611da97d1001143f14283#SAPEngine_Application_Thread[impl:3]_9##0#0#Debug##Plain### get initial contrext...#
#1.5#001143F14283004C0000000600001F900004064B9EAB315E#1132821761203#com.sap.sl.util.cvers.impl.DBConnector##com.sap.sl.util.cvers.impl.DBConnector#Administrator#903####4632df305cc611da97d1001143f14283#SAPEngine_Application_Thread[impl:3]_9##0#0#Debug##Plain### get data source...#
#1.5#001143F14283004C0000000900001F900004064B9EAB508E#1132821761218#com.sap.sl.util.cvers.impl.DBConnector##com.sap.sl.util.cvers.impl.DBConnector#Administrator#903####4632df305cc611da97d1001143f14283#SAPEngine_Application_Thread[impl:3]_9##0#0#Error#1#/Applications/SL/UTIL#Plain###get data source CVERS failed! Trying SAP/BC_UME... #
#1.5#001143F14283004C0000000A00001F900004064B9EAB59E2#1132821761218#com.sap.sl.util.cvers.impl.DBConnector##com.sap.sl.util.cvers.impl.DBConnector#Administrator#903####4632df305cc611da97d1001143f14283#SAPEngine_Application_Thread[impl:3]_9##0#0#Debug##Plain### got data source!#
#1.5#001143F14283004C0000000B00001F900004064B9EAB5BAD#1132821761218#com.sap.sl.util.cvers.impl.DBConnector##com.sap.sl.util.cvers.impl.DBConnector#Administrator#903####4632df305cc611da97d1001143f14283#SAPEngine_Application_Thread[impl:3]_9##0#0#Path##Plain###<--- exiting getDataSource#
#1.5#001143F14283004C0000000C00001F900004064B9EAB60C6#1132821761218#com.sap.sl.util.cvers.impl.CVersDao##com.sap.sl.util.cvers.impl.CVersDao#Administrator#903####4632df305cc611da97d1001143f14283#SAPEngine_Application_Thread[impl:3]_9##0#0#Path##Plain###-> 14:12:41 -> entering findByRealKey#
#1.5#001143F14283004C0000000D00001F900004064B9EAB6A53#1132821761218#com.sap.sl.util.cvers.impl.HashKey##com.sap.sl.util.cvers.impl.HashKey#Administrator#903####4632df305cc611da97d1001143f14283#SAPEngine_Application_Thread[impl:3]_9##0#0#Path##Plain###14:12:41 /Applications/SL/UTIL entering class com.sap.sl.util.cvers.impl.HashKey#
#1.5#001143F14283004C0000000E00001F900004064B9EAB6B9D#1132821761218#com.sap.sl.util.cvers.impl.HashKey##com.sap.sl.util.cvers.impl.HashKey#Administrator#903####4632df305cc611da97d1001143f14283#SAPEngine_Application_Thread[impl:3]_9##0#0#Debug##Plain### concatenated hashKey: sap.comSAP-JEECOR#
#1.5#001143F14283004C0000000F00001F900004064B9EAB6C53#1132821761218#com.sap.sl.util.cvers.impl.HashKey##com.sap.sl.util.cvers.impl.HashKey#Administrator#903####4632df305cc611da97d1001143f14283#SAPEngine_Application_Thread[impl:3]_9##0#0#Debug##Plain### hashKey: sap.comSAP-JEECOR#
#1.5#001143F14283004C0000001000001F900004064B9EAB6D35#1132821761218#com.sap.sl.util.cvers.impl.HashKey##com.sap.sl.util.cvers.impl.HashKey#Administrator#903####4632df305cc611da97d1001143f14283#SAPEngine_Application_Thread[impl:3]_9##0#0#Debug##Plain### hashVal: -1330087332#
#1.5#001143F14283004C0000001100001F900004064B9EABCF31#1132821761250#com.sap.sl.util.cvers.impl.CVersDao##com.sap.sl.util.cvers.impl.CVersDao#Administrator#903####4632df305cc611da97d1001143f14283#SAPEngine_Application_Thread[impl:3]_9##0#0#Path##Plain###-> 14:12:41 -> entering findByRealKey#
#1.5#001143F14283004C0000001200001F900004064B9EAC1380#1132821761265#com.sap.sl.util.cvers.impl.CVersDao##com.sap.sl.util.cvers.impl.CVersDao#Administrator#903####4632df305cc611da97d1001143f14283#SAPEngine_Application_Thread[impl:3]_9##0#0#Debug##Plain### Found the following real key: com.sap.sl.util.cvers.impl.CVersDBObject@11399a6#
#1.5#001143F14283004C0000001300001F900004064B9EAC145C#1132821761265#com.sap.sl.util.cvers.impl.CVersDao##com.sap.sl.util.cvers.impl.CVersDao#Administrator#903####4632df305cc611da97d1001143f14283#SAPEngine_Application_Thread[impl:3]_9##0#0#Path##Plain###<--- exiting findByRealKey#
#1.5#001143F14283004C0000001400001F900004064B9EAC440C#1132821761281#com.sap.sl.util.components.impl.ComponentFactory##com.sap.sl.util.components.impl.ComponentFactory#Administrator#903####4632df305cc611da97d1001143f14283#SAPEngine_Application_Thread[impl:3]_9##0#0#Path##Plain###14:12:41 /Applications/SL/UTIL entering class com.sap.sl.util.components.impl.ComponentFactory#
#1.5#001143F14283004C0000001500001F900004064B9EAC5182#1132821761281#com.sap.sl.util.cvers.impl.CVersDao##com.sap.sl.util.cvers.impl.CVersDao#Administrator#903####4632df305cc611da97d1001143f14283#SAPEngine_Application_Thread[impl:3]_9##0#0#Path##Plain###-> 14:12:41 -> entering closeConnection#
#1.5#001143F14283004C0000001600001F900004064B9EAC52B7#1132821761281#com.sap.sl.util.cvers.impl.CVersDao##com.sap.sl.util.cvers.impl.CVersDao#Administrator#903####4632df305cc611da97d1001143f14283#SAPEngine_Application_Thread[impl:3]_9##0#0#Path##Plain###<--- exiting closeConnection#
#1.5#001143F14283004C0000001700001F900004064B9EAC5348#1132821761281#com.sap.sl.util.cvers.impl.CVersDao##com.sap.sl.util.cvers.impl.CVersDao#Administrator#903####4632df305cc611da97d1001143f14283#SAPEngine_Application_Thread[impl:3]_9##0#0#Path##Plain###<--- exiting findByRealKey#
#1.5#001143F14283004F0000000000001F900004064BA94350C0#1132821938953#com.sap.engine.services.jmsconnector##com.sap.engine.services.jmsconnector#Administrator#903####b027cf905cc611dac152001143f14283#SAPEngine_Application_Thread[impl:3]_21##0#0#Error##Plain###Factory: InstToolTopicFactoryFinishImage loader does not exist: . Using default class loader!!!#
#1.5#001143F14283004F0000000100001F900004064BA944042B#1132821939000#com.sap.engine.services.jmsconnector##com.sap.engine.services.jmsconnector#Administrator#903####b027cf905cc611dac152001143f14283#SAPEngine_Application_Thread[impl:3]_21##0#0#Error##Plain###Factory: DAserviceQueueFactory loader does not exist: . Using default class loader!!!#
#1.5#001143F14283004F0000000200001F900004064BA9445581#1132821939015#com.sap.engine.services.jmsconnector##com.sap.engine.services.jmsconnector#Administrator#903####b027cf905cc611dac152001143f14283#SAPEngine_Application_Thread[impl:3]_21##0#0#Error##Plain###Factory: InstToolTopicFactoryCreateEmptyImage loader does not exist: . Using default class loader!!!#
Can any one tell me what should I do for that ????
Thanks
shashank

Hi Joerg
Thanks !!!
I had checked. Pls check I had given the following things ...
in configtool ->Global service configuration ->services ->security
LoginModuleClassLoaders library:sap.com~TestLoginLibrary
As
my class name = com.sap.test.TestLoginModuleClass
In provider.xml,
 provider name = sap.com
 Component Name = TestLoginLibrary
 Display name = TestLoginLibrary
Can u pls tell me what should I do .
Thanks
shashank
Urs answer must be appreciate.

J2EE 6.40 Custom Login Module - how to config

hello all,
i am using WAS J2EE 6.40 Sneak Preview edition. Read all i can find about custom login module, in the forum and the online help. still confused. pls help.
here is the background info:
- i am writing a web app. the EAR file contains 5 ejbs, 1 war and bunch of java classes in jars.
- access to my web app is protected through url pattern (in web.xml), i've defined the same named security role in web.xml and on j2ee engine.
- my login module does the user name and password checking. both are stored in database through some other means.
- login is FORM based
following the discussion in another thread on the topic, i did the following:
#1 develop my login module code. packaged it in a jar, then sda file. deploy the sda as a llibrary to the engine.
#2 add my login module to the security store through the security provider service.
#3 configure my web app to use the custom login module in web-j2ee-engine.xml
#4 deploy my web app through the ear file
at this point, in the visual administrator, i can see the library, the custom login module (added to the UME User Store), and also my web app has authentication set to use the custom login module (under policy configurations tab).
now i try to login to my web app. it correctly complains when i enter non-existent user or wrong password and brings me to the login failed jsp page. but when i enter both correctly (as stored in my database), i get http 403 error code. i know it is 403 because i set that error code to a special jsp page in web.xml.
question is why? now i create a user on the j2ee engine with the same name as in my user database. then i can login ok. i am confident that my login module is called since i see the println lines in j2ee engine server logs.
??? so i must be missing something obvious. is it because my web app is protected through security-role? i even tried removing all such roles, but still same problem.
??? or do i completely mis-understand how custom login modules are supposed to work. i thought it means i can authenticate users any way i want without having to use the j2ee engine's user mgmt. pls tell me if i am totally wrong.
??? or maybe my login module code is missing some key stmts. how should it tell the j2ee engine that a user is authenticated? in the login() method, it returns true if user name/passwd match. in the commit() method, it adds the principal to the subject. i don't what else is required.
does anyone have a working scenario using custom login modules?
thanks very much for your inputs and thoughts.
wentao

Hi Astrid,
I guess I have the same understanding of JAAS as you. I want to deploy an application that internally makes use of JAAS to authenticate users. There is a LoginModule that authenticates users against some database tables containing all the user data and profile. The application was not designed to be deployed to NetWeaver. So it does not make use of UME or some other NetWeaver specific feature. Actually it handles user management and authoroization issues completely on its own. The only reason for having JAAS is to allow customers to plug in their own LoginModule to use some other kind of user store.
When deploying the web application to a simple servlet engine like Tomcat, all I have to do is to register my LoginModule in the "jaas.conf" file that is parsed by JAAS default implementation. I also tell the JVM where my jaas.conf file is located by appending a "-Djava..." runtime parameter to the JVM startup script.
When using other application servers like IBM WebSphere things become a bit different. Normally you use the administration GUI of that server to configure your LoginModules. WebSphere for example keeps the login configuration in an internal database rather than writing everything into a "jaas.conf" text file. But the way the application can use the LoginModule is the same as in Tomcat.
But when it comes to Netweaver, it seems to me that it's not possible to define a LoginModule that your application can use WITHOUT having to couple it tightly to UME. Or did I get something wrong? Initially I've tried to modify the JVM's parameters (using SAP J2EE Config Tool) to include the location of my "jaas.conf" file containing the my login configuration. But that did not work. The parameter was really passed to the JVM but anyway my LoginModule was not found, I guess that NetWeaver has some own implementation of the JAAS interfaces that just ignore the plain text JAAS configuration files (like WebSphere also does).
The documentation that I have downloaded from SDN doesn't seem to match the 6.4 sneak preview version that I just downloaded some days ago. They say you should deploy your LoginModule as a library and add a refernce to the application. I tried that out but it did not help. The login configuration that the application wants to access is still not found. Actually there seems to be no way to specify the name for a JAAS Login Configuration in NetWeaver. At least I cound not find that in the documentation.
So basically my question is: is it possible to deploy an application that wants to use some own LoginModule (either deployed separately or together with the application, that does not matter) without making use of Netweaver specific features like UME? The application has its own user management infrastructure and just needs a way to setup a JAAS Login Configuration to access its own LoginModule.
Thanks in advance
Henning

Custom login module - Not invoked...

Hi All
I have developed a custom login module and the necessary configuration steps in VA are performed. However, the custom login module is not called...
1. Developed a Java DC as a Child DC in a Library DC.
2. Added all the relevant jars needed as Used DC and Public Parts as required. Also updated the provider.xml with relevant references.
3. Build and Deployed. (No errors found here..)
4. In VA - Created a new Login Module.... updated the property LoginModuleClassLoaders to library:xyz where xyz is the name of the folder for deployed sda as found in cluster\j2ee\serverx\bin\ext...next updated the config tool for the same.... next modified the sap.com/irj*irj authentication as:
Basic - Requisite
CustomModule - Optional.
Then performed server restart. Yet, login module not called. Any ideas as to where I am going wrong..?? (In my login module, just trying to retrieve the user name and change their attributes like lastname etc... )
Thanks
Deepak

Issue solved....
Had forgot to add the module to the ticket stack...

Custom Login Module - ClassNotFound

Hello all
I developed a custom login module following the instructions I found here: http://help.sap.com/saphelp_nw04/helpdata/en/46/3ce9402f3f8031e10000000a1550b0/frameset.htm
The general purpose of my module is to "filter" the username and look for (using the UMFactory) the corresponding uniqueUserID.
The problem is that my LoginModule cannot be loaded due to "ClassNotFound" Error which I see in the defaultTrace.
My steps were:
1. Create my LoginModuleImplementation
2. Create a Library as stated in the tutorial. Additionally I added some more references to the Library (Logging, webservices_lib) and successfully deplyed it to the J2EE-Server. I can see the file in one folder (...../j2ee/cluster/server0/bin/ext/MyModuleLib/MyModule.jar) so I think it's been correctly deployed.
3. I configured its usage in the securtiy provider-UserManagementPolicies and with security provider-policy-ticket.
4. I also ran the configtool to added it to the ClassLoader property there
I double- no, fourth-checked everything and it's spelled correctly and exactly (case-sensitive) as in NWDS.
So, do you have any idea please?
By the way: Do you know where I can set the Severity-Level for the LoginModul-Stack, so I get more informational messages?
Regards
Michael

Hi,
The problem was solved by using the name customer.com~com.customer.portal.login.IPRuleLibrary for the library (so basically look at the name of your library folder under cluster\j2ee\serverx\bin\ext , not the name reported by visual admin).
Also I was able to modify the properties of the login module runtime, which made me very happy
Dagfinn

Error using 10.1.3 Security Provider:3rd party LDAP or Custom Login Module

Hello all,
After deploying my JSF/ADF application using Jdeveloper 10.1.3 to Oracle Application Server 10.1.3, I used the Application Server control to change the 'Security Provider' configuration:
1. Using 3rd Party LDAP Provider (Novell eDirectory)
I get the following error when restarting the application with the new config.
06/06/21 16:42:32 Error while configuring security provider MBean for application AccessList
06/06/21 16:42:32 java.lang.ClassNotFoundException: oracle/security/jazn/jmx/CustomLDAPSecurityProvider
2. Using Custom Login Module (again programmatically talks to eDirectory and it works in UIX/10.1.2 application)
I get the following error when restarting the application with the new config.
06/06/21 14:31:19 Error while configuring security provider MBean for application AccessList
06/06/21 14:31:19 java.lang.ClassNotFoundException: oracle/security/jazn/jmx/LoginModuleSecurityProviderAlso, I get this error with both the settings..
06/06/21 14:31:19 WARNING: Application.setConfig Application: AccessList is in failed state as initialization failedjava.lang.
InstantiationException
Jun 21, 2006 2:31:19 PM com.evermind.server.Application setConfig
WARNING: Application: AccessList is in failed state as initialization failedjava.lang.InstantiationException
06/06/21 14:31:19 java.lang.InstantiationException
06/06/21 14:31:19 at com.evermind.server.ApplicationStateRunning.initDataSources(ApplicationStateRunning.java:1424)
06/06/21 14:31:19 at com.evermind.server.ApplicationStateRunning.initializeApplication(ApplicationStateRunning.java:195)
java.lang.ClassNotFoundException error leads me to believe, I am just missing to include some libraries..
I have included "bc4j.security" in my web project and I am not sure if that is what is needed!
Will appreciate your help..
Thanks,
Karthik

The problem i had with my Custom login module was that JDeveloper includes the datasources listed in the connection tab.
When JDeveloper does that it writes the username and password in the jazn-data.xml. But with the Custom Login module the reference in de data-source declaration cannot find the password. that's why i got the InstantiationException at the initDataSources point.
In tools>preferences>deployment you can uncheck the option:
Bundle Default data-sources.xml During Deployment.
The problem with this is when i specify a datasource in the data-sources.xml i included myself, jdeveloper will also put de datasources under the Connections tab in the data-sources.xml.
Does anyone knows how to stop jdeveloper putting the datasources automatic in the file, or how to prevent jdeveloper storing the password in jazn-data.xml?

RFC Call in a custom login module

Hi All,
What is the best way to call a RFC/BAPI from a Custom Login Module, part of the login stacks?
I want to avoid using JCo Client Service, do not want to hard code the connection values in the class.
Have anyone of you come across such a situation?
Can the custom login module access the Portal Runtime resources, like the Connector Gateway Service/Destination Service?
Or it just runs inside the j2EE container?
Thanks for your help
Aakash
Edited by: Aakash Jain on Nov 24, 2008 11:42 PM

Hi All,
What is the best way to call a RFC/BAPI from a Custom Login Module, part of the login stacks?
I want to avoid using JCo Client Service, do not want to hard code the connection values in the class.
Have anyone of you come across such a situation?
Can the custom login module access the Portal Runtime resources, like the Connector Gateway Service/Destination Service?
Or it just runs inside the j2EE container?
Thanks for your help
Aakash
Edited by: Aakash Jain on Nov 24, 2008 11:42 PM

How to call custom Login Module from JSP

Hi,
I am stuck with the following issue:
1) Exactly as presented in help.sap.com (http://help.sap.com/saphelp_nw04/helpdata/en/3f/1be040e136742ae10000000a155106/content.htm) I created custom login module and deployed it as a library on J2EE server. When I configured it to be used for my applications in the Security provider but I am getting "No user name provided" exception everytime when my applications use this custom login module.
2) I realized that I would need to call my custom module somewhere within my application (simple JSP) using LoginContext class and then use MyLoginContext.login() spec to initiate login process. But I am not able to pass CallbackHandler parameters from JSP application to my custom login module.
So I have the following questions:
1. Can I pass parameters using LoginContext and CallbackHandler from JSP to my custom login module (created as exact copy of HELP.SAP.COM example) or this module cannot be used this way.
2. How to pass CallbackHandler correctly to my custom login module from JSP. When I am trying to use CallbackHandler, I am getting "Abstract Class cannot be called" error.
I'd appreciate any little help on this matter.
Thanks and regards,
Mike

You have two alternatives to do this:
You can declare your JSP as a protected resource with the use of the deployment descriptors of the application (web.xml) and add the custom login module in the authentication stack of the application. This way, you will use container-based authentication, i.e. the Web Container will enforce the authentication and it will call the custom login module before it dispatches to the JSP. I recommend you this approach because it requires less coding and it makes the whole thing a matter of configuration. The configuration can be later on enhanced or changed runtime without the need to re-build and re-deploy the application. If you choose this approach you can go to the documentation of the server for help on how to modify the login module stack of the application.
You can also use programmatic authentication by using JAAS API. To do this you need to create a custom security policy configuration with login module stack containing the custom login module, and then use the standard JAAS mechanism - new LoginContext(<configuration>, <callback-handler>).login(). This approach requires that you write your own callback handler and handle any LoginException.
Let us know which approach you prefer and whether you have difficulties implementing it!

Custom login module for EP7.4 with Captcha

Hi
I am trying to create a custom login module which validates the captcha shown at the login screen using SAP help link:
http://help.sap.com/saphelp_nw73/helpdata/en/48/ff4faf222b3697e10000000a42189b/content.htm?frameset=/en/48/fcea4f62944e88e10000000a421937/frameset.htm&current_toc=/en/74/8ff534d56846e2abc61fe5612927bf/plain.htm&node_id=20
The session is being set in the Captcha servlet which is used to render the image on the login page.
However when I am trying to compare it with input or print the session value, its throwing an exception.
I checked in the NWA logs and it just shows the following error message:
6. com.temp.loginModule.MyLoginModuleClass OPTIONAL ok exception true Authentication did not succeed.
Please help me analyse the error stack. Can someone point where do i check the detailed logs to trace the issue?
Please find below source of my login module.
package com.temp.loginModule;
import java.io.IOException;
import java.util.Map;
import javax.security.auth.login.LoginException;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import nl.captcha.Captcha;
import com.sap.engine.interfaces.security.auth.AbstractLoginModule;
import com.sap.engine.lib.security.http.HttpGetterCallback;
import com.sap.engine.lib.security.http.HttpCallback;
import com.sap.engine.lib.security.LoginExceptionDetails;
import com.sap.engine.lib.security.Principal;
public class MyLoginModuleClass extends AbstractLoginModule{
private CallbackHandler callbackHandler = null;
private Subject subject = null;
private Map sharedState = null;
private Map options = null;
// This is the name of the user you have created on
// the AS Java so you can test the login module
private String userName = null;
private boolean successful;
private boolean nameSet;
public void initialize(Subject subject, CallbackHandler callbackHandler,
Map sharedState, Map options) {
// This is the only required step for the method
super.initialize(subject, callbackHandler, sharedState, options);
// Initializing the values of the variables
this.callbackHandler = callbackHandler;
this.subject = subject;
this.sharedState = sharedState;
this.options = options;
this.successful = false;
this.nameSet = false;
* Retrieves the user credentials and checks them. This is
* the first part of the authentication process.
public boolean login() throws LoginException {
// HttpGetterCallback httpGetterCallback = new HttpGetterCallback();
// httpGetterCallback.setType(HttpCallback.REQUEST_PARAMETER);
// httpGetterCallback.setName("captchaInput");
 String value = null;
// try {
// callbackHandler.handle(new Callback[] { httpGetterCallback });
// String[] arrayRequestparam = (String[]) httpGetterCallback.getValue();
// if(arrayRequestparam!=null && arrayRequestparam.length>0)
// value = arrayRequestparam[0];
// } catch (UnsupportedCallbackException e) {
// throwNewLoginException("An error occurred while trying to validate credentials.");
// } catch (IOException e) {
// throwUserLoginException(e, LoginExceptionDetails.IO_EXCEPTION);
value = getRequestValue("captchaInput");
userName = getRequestValue("j_username");
HttpGetterCallback httpGetterCallbackSessionCaptcha = new HttpGetterCallback();
httpGetterCallbackSessionCaptcha.setType(HttpCallback.SESSION_ATTRIBUTE);
httpGetterCallbackSessionCaptcha.setName("myCaptchaLogin");
try {
callbackHandler.handle(new Callback[] { httpGetterCallbackSessionCaptcha });
Captcha arraySessionParam = (Captcha) httpGetterCallbackSessionCaptcha.getValue();
// System.out.println("****************************************************httpGetterCallbackSessionCaptcha" + (arraySessionParam==null?"null session":arraySessionParam.getAnswer())+
// "\n captchaInput" + value+"*********************");
if(arraySessionParam==null || !arraySessionParam.isCorrect(value)){
throwNewLoginException("Entered code does not match with the image code.Session:"+(arraySessionParam==null?"null":arraySessionParam.getAnswer())+" Param:"+ value);
// throwUserLoginException(new Exception("Entered code does not match with the image code."));
httpGetterCallbackSessionCaptcha.setValue(null);
} catch (UnsupportedCallbackException e) {
throwNewLoginException("An error occurred while trying to validate credentials.");
} catch (IOException e) {
throwUserLoginException(e, LoginExceptionDetails.IO_EXCEPTION);
// Retrieve the user credentials via the callback
// handler.
// In this case we get the user name from the HTTP
// NameCallback.
// NameCallback nameCallback = new NameCallback("User name: ");
/* The type and the name specify which part of the HTTP request
* should be retrieved. For Web container authentication, the
* supported types are defined in the interface
* com.sap.engine.lib.security.http.HttpCallback.
* For programmatical authentication with custom callback
* handler the supported types depend on the used callback handler.
// try {
// callbackHandler.handle(new Callback[] {nameCallback});
// catch (UnsupportedCallbackException e) {
// return false;
// catch (IOException e) {
// throwUserLoginException(e, LoginExceptionDetails.IO_EXCEPTION);
// userName = nameCallback.getName();
// if( userName == null || userName.length() == 0 ) {
// return false;
/* When you know the user name, update the user information
* using data from the persistence. The operation must
* be done before the user credentials checks. This method also
* checks the user name so that if a user with that name does not
* exist in the active user store, a
* java.lang.SecurityException is thrown.
// try {
// refreshUserInfo(userName);
// } catch (SecurityException e) {
// throwUserLoginException(e);
/* Checks if the given user name starts with the specified
* prefix in the login module options. If no prefix is specified,
* then all users are trusted.
// String prefix = (String) options.get("user_name_prefix");
// if ((prefix != null) && !userName.startsWith(prefix)) {
// throwNewLoginException("The user is not trusted.");
/* This is done if the authentication of the login module is
* successful.
* Only one and exactly one login module from the stack must put
* the user name in the shared state. This user name represents
* the authenticated user.
* For example if the login attempt is successful, method
* getRemoteUser() of
* the HTTP request will retrieve exactly this name.
if (sharedState.get(AbstractLoginModule.NAME) == null) {
sharedState.put(AbstractLoginModule.NAME, userName);
nameSet = true;
successful = true;
return true;
* Commit the login. This is the second part of the authentication
* process.
* If a user name has been stored by the login() method,
* the user name is added to the subject as a new principal.
public boolean commit() throws LoginException {
if (successful) {
/* The principals that are added to the subject should
* implement java.security.Principal.You can use the class
* com.sap.engine.lib.security.Principal for this purpose.
Principal principal = new Principal(userName);
subject.getPrincipals().add(principal);
/* If the login is successful, then the principal corresponding
* to the <userName> (the same user name that has been added
* to the subject) must be added in the shared state too.
* This principal is considered to be the main principal
* representing the user.
* For example, this principal will be retrieved from method
* getUserPrincipal() of the HTTP request.
if (nameSet) {
sharedState.put(AbstractLoginModule.PRINCIPAL, principal);
} else {
userName = null;
return true;
* Abort the authentication process.
public boolean abort() throws LoginException {
if (successful) {
userName = null;
successful = false;
return true;
* Log out the user. Also removes the principals and
* destroys or removes the credentials that were associated
* with the user during the commit phase.
public boolean logout() throws LoginException {
// Remove principals and credentials from subject
if (successful) {
subject.getPrincipals(Principal.class).clear();
successful = false;
return true;
private String getRequestValue(String parameterName)
 throws LoginException {
 HttpGetterCallback httpGetterCallback = new HttpGetterCallback();
 httpGetterCallback.setType(HttpCallback.REQUEST_PARAMETER);
 httpGetterCallback.setName(parameterName);
 String value = null;
 try {
 callbackHandler.handle(new Callback[] { httpGetterCallback });
 String[] arrayRequestparam = (String[]) httpGetterCallback.getValue();
 value = arrayRequestparam[0];
 } catch (UnsupportedCallbackException e) {
 return null;
 } catch (IOException e) {
 throwUserLoginException(e, LoginExceptionDetails.IO_EXCEPTION);
 return value;
Regards
Ramanender Singh

Ramanender,
JAAS modules usually requires a restart whenever you need to change them. So be very careful with what you expect once you re-deploy your code.
Once the library is loaded it will never reload itself until you perform a restart of the VM.
Connect to the debug port may help, but basic debugging will not take you too far either.
I would recommend you to use the log tracing facility on your code. Just enter the following class attribute:
import com.sap.tc.logging.Location;
private static final Location trace = Location.getLocation(<your_classname_here>.class);
trace.warningT("Some Warning Text Here..." + variable here);
trace.debugT("Some Warning Text Here..." + variable here);
You may need to go NWA and set the Location Severity Level to Debug according to your needs.
Leave the trace code on your module for IT personnel to debug it if necessary. Don't forget to have the severity level of your code properly set.
Meaning: You don't want to have every trace message your module sills out with warningT() or infoT().
There is a excellent blog here on how this works
Then you will be able to inspect some variable contents while the callbackhandler is being executed.
Pay special attention with the timing - variables have a lifetime when dealing with login modules.
Use the entering(<method_name>) and exiting(<method_name> just ot make sure where in the code the variable should be populated and when.
BR,
Ivan

Custome login module:SDA can't reference com.sap.portal.usermapping_api.jar

Similar Messages

Maybe you are looking for