Define HTTP Session Attribute in a Custom Authenticator
Hello everyone I developed sucessefully a Custom Authenticator for WLS10 that interacts with a web service.
But now I need to provide an object to the web applications with the some user information.
I was wondering defining the object in the HTTP Session but I dont know how to do it via de LoginModule of the custom authenticator.
Can anyone provide me some tips?
thanks in advance.
What kind of user information do you need to pass on to the webapplication ? username can be retrieved by request.getRemoteUser() (after successful login).
May be you need to clarify little bit more on what you want to achieve.
-Utpal
Similar Messages
-
Getting http session attributes
Hello,
Perhaps the question here may sound stupid, but I have real problem with that:
Is it possible to obtain http session attributes from the client side
(and even worse) in other languages like VB or VC++? What i mean is that after creating Http session by servlet, and setting some attributes, is it possible to get them by VC or VB app? Thanks in advance :)What i mean is that after creating Http session by servlet, and >setting some attributes, is it possible to get them by VC or VB app? >Thanks in advance :) What do you mean by "VC or VB app" ?
A desktop app written in VC or VB ? a web app in VBscript/ASP ? (but as far as I know there is no web language based on VC, unless you're talking about executable CGIs that can be written in any language).
Assuming that you talk about VB-ASP, I don't think it possible "out of the box" to retrieve session variables created by a servlet in an ASP page.
That would be possible if HTTP supported sessions.
Sessions are implemented at the application level on top of HTTP; they reside in the application that handles requests. Outside it, they don't exist.
It doesn't mean that you can't do that, but that you have to do that using HTTP constructs like URL rewriting or form submission.
For example you could set session variables in a JSP page, and then forward the request to an ASP page through a GET request with all session variables written in the URL. -
How can I flag HTTP session attributes to not be replicated ?
WLS 5.1 SP8 - In memory replication of a stateful servlet. Is
there any way to flag data that has been, or is being, loaded into
a HTTP session so as to not be replicated ? It's a long story,
but we have some data loaded into a hashtable, more specifically
a Properties object, stored in our session. With the hastable
already loaded into the HTTP session, weblogic does not detect
when we add values to the table, and therefore does not replicate
the changes. Which is ok since WLS is working as designed. To
get around this we load the hashtable back into the session everytime
we add a value to the hashtable. Yup, I know that's ugly. Anyway,
what I'm trying to find out if is there is an attribute that we
can set to indicate, to not replicate this data or that data.
Something along the lines of a attribute on a per hastable value
basis. For example, I load value A into my hashtable, then I
need to put my hashtable into the session to get it replicated.
Next I load value B into the hastable, and again to get it replicated
I have to load the entire hashtable back into the session. The
problem here is that the entire table gets replciated. Does anyone
know if I can set an attribute on value A, when I'm adding value
B, so as to not replicate value A when I reload the table ? Of
course all goal is to not store so much data in the session, but
I'm trying to find a work around until that is completed.
Thanks,
David
Where can I find documentation on the details of how Weblogic decides what will
be replicated in the HTTPSession object (for example, it only replicates attributes
which are set or updated using "setAttribute()"?
Prasad Peddada <[email protected]> wrote:
>Robert,
>
> It is true that we replicate only when you call setAttribute in case
>of servlets.
>
>In case of EJB it is slightly different. EJB sends diff's across the
>wire. It doesn't
>replicate the entire state with every request.
>
>-- Prasad
>
>Chris Palmer wrote:
>
>> I think Viresh was referring to modifying part of one attribute causing
>the whole
>> of that attribute (i.e. the hashtable) to be replicated.
>>
>> Is it actually true though that the behaviour would be different in
>a stateful
>> session EJB? I had assumed that the WHOLE ejb state would be replicated
>each time
>> (i.e. after each invocation), without even the benefit of having a
>mechanism such
>> as setAttribute() to flag the attributes that had changed...
>>
>> Chris
>>
>> Robert Patrick wrote:
>>
>> ? Huh? Since when does it always replicate the entire HttpSession?
> We were
>> ? told that it uses a hook in the setAttribute() call to determine
>which
>> ? attributes have changed and only replicates those attributes. I
>know this to
>> ? be the case because if I retrieve a previously stored attribute from
>the
>> ? HttpSession and modify it, my changes do not get replicated unless
>I call
>> ? setAttribute again...
>> ?
>> ? Robert
>> ?
>> ? Viresh Garg wrote:
>> ?
>> ? ? Servlet sessions don't work on diffs, so no matter what you do,
>entire
>> ? ? Hashtable will be replicated. If you want the optimization for
>only
>> ? ? replicating the diff ( the stuff that has changed between 2 updates)
>,
>> ? ? consider using stateful session bean and having hashtable part
>of
>> ? ? conversational state of stateful session bean.
>> ? ?
>> ? ? The solution that you suggested on your own for your problem is
>not ugly
>> ? ? as the same solution is used by many customers that I know of.
>This is
>> ? ? particularly a problem for people that use Java Beans and use the
>set
>> ? ? Property directive of Java Bean in JSP. There also in our auto
>generated
>> ? ? code, we put the JavaBean back in HTTP Session, when a setter is
>called to
>> ? ? enforce replication.
>> ? ?
>> ? ? Keep in mind that whatever we do for replication, we want to support
>it
>> ? ? using ONLY standard servlet API and we don't want to introduce
>any WLS
>> ? ? specific API to achieve this, and so putting value back in session
>is the
>> ? ? only way.
>> ? ?
>> ? ? Viresh Garg
>> ? ? Principal Developer Relations Engineer
>> ? ? BEA Systems
>> ? ?
>> ? ? Dave Javu wrote:
>> ? ?
>> ? ? ? WLS 5.1 SP8 - In memory replication of a stateful servlet.
>Is
>> ? ? ? there any way to flag data that has been, or is being, loaded
>into
>> ? ? ? a HTTP session so as to not be replicated ? It's a long story,
>> ? ? ? but we have some data loaded into a hashtable, more specifically
>> ? ? ? a Properties object, stored in our session. With the hastable
>> ? ? ? already loaded into the HTTP session, weblogic does not detect
>> ? ? ? when we add values to the table, and therefore does not replicate
>> ? ? ? the changes. Which is ok since WLS is working as designed.
>To
>> ? ? ? get around this we load the hashtable back into the session everytime
>> ? ? ? we add a value to the hashtable. Yup, I know that's ugly.
>Anyway,
>> ? ? ? what I'm trying to find out if is there is an attribute that
>we
>> ? ? ? can set to indicate, to not replicate this data or that data.
>> ? ? ? Something along the lines of a attribute on a per hastable value
>> ? ? ? basis. For example, I load value A into my hashtable, then
>I
>> ? ? ? need to put my hashtable into the session to get it replicated.
>> ? ? ? Next I load value B into the hastable, and again to get it replicated
>> ? ? ? I have to load the entire hashtable back into the session. The
>> ? ? ? problem here is that the entire table gets replciated. Does
>anyone
>> ? ? ? know if I can set an attribute on value A, when I'm adding value
>> ? ? ? B, so as to not replicate value A when I reload the table ?
>Of
>> ? ? ? course all goal is to not store so much data in the session,
>but
>> ? ? ? I'm trying to find a work around until that is completed.
>> ? ? ? Thanks,
>> ? ? ? David
>
-
History Attributes when using Custom Authentication Type
assigned all History Attributes (in the Entity Object Editor) to my audit columns.
During run time, I find only Created By is assigned the SYSDATE, and Created On, Modified On, and Modified By are null.
I am using Custom Authentication Type.
I have read that the History Attributes only work the the JAAS authentication type. Appreciate any one confirming this.
Also, how do you implement History Attributes if you are using the Custom Authentication Type? Do you need to write Java code?
Thanks.
JohnHi,
confirmed it only works with container managed authentication performed through JAZN. You can't use this with custom security as otherwise this feature could be overwritten. Still you can provide your own implementation:
- create a custom table
- use the setAttr method on the RowImpl class of a VO to store the username
Frank -
How can i set "Createdby" attribute When using Custom JheadStart Security
Hello
We do not use JASS for Authentication , please help us how can i set createtby attributes with jhs.username in application for any entity object?
thanksSee a similar question at History Attributes when using Custom Authentication Type
-
Custom authentication scheme: Invalid Session Target
Yesterday I spent a lot of time figuring out what was happening and I'm not sure if this is a bug or a feature...
Create an application with some public pages (1,2,101) and some non-public pages (3,4).
Created a list on page 0 listing all pages but only listing page 3 and 4 when user is logged in.
Created a custom authentication scheme.
Running the application showed me the page 1 and the list containing 1,2,101.
I could navigate to 101 and then log in after which I was taken to page 1 showing only 1,2,101.
I changed page 101 so that it would take me to page 3 after logging in and it did. The list showed me 1,2,101,3,4 and the username was also visible.
I could visit all pages correctly except page 1. Whenever I navigated to page 1 I effectively got logged out.
Finally I discovered that I had set "Invalid Session Target" to page 1 in my authentication scheme.
Is this the intended effect ?Rene,
When a page is selected in the authentication scheme's Invalid Session Page LOV, it gets designated as "the login page". Whenever this page is rendered, APP_USER is null and APP_SESSION is a new session ID. This accounts for what you saw. It's sort of a quirk more than a bug or feature and we ought to properly document this behavior. If, for some reason, you needed a login page that you could navigate back to (after login) in the current session and using the current APP_USER value, you can deselect the page from the Invalid Session Page LOV in the authentication scheme and instead code this in the Invalid Session URL:
f?p=&APP_ID.:101:&APP_SESSION.
...using 101 as the login page, but it can be any page ID as long as it's a public page.
Scott -
New server and/or CA certificate for connection from custom authentication
We are running Access Manager version 72005Q4 in the Sun ONE Web Server 6.1SP5 B06/23/2005 container with java build 1.5.0_07-b03. I run a custom authentication module which checks sessions against our university single sign on system which is CAS (from Yale/Jasig). The checks are essentially https calls. All this has been working well for us for the last couple of years.
I would like to migrate the certificate used on the university CAS system from a Verisign certificate to a wildcard certificate issued by the IPS CA in spain -- these are in most browsers but are not in the standard batch of cacerts CA's -- and are free for .edu domains.
My other java based authentication plugins (Blackboard, custom apps etc) have worked fine once I import the certificate into the cacerts for the java container, but I'm missing something (obvious probably) about importing this certificate so that my amserver custom authentication module can connect to the CAS server once the CAS server is using the new certificate.
Could anyone provide guidance on where I need to import this server certificate (or preferably the IPS CA) in order to allow the custom authentication module to work properly? I assume this same problem has been solved by people wishing to connect from the amserver to services with self signed certificates. For some reason I'm finding the debugging unexpectedly difficult, I'll outline some of those details below.
Relevant things I've tried so far:
Import both the server cert and the IPS CA into the cacerts of the java container identified in the web server server.xml /usr/jdk/entsys-j2se.
Import the IPS CA into the web server cert8 style db via the web admin server.
The debugging has surprised me a bit, as I'm not getting an error that is explicitly SSL related error. It almost seems like the URLConnection object ends up using a HttpURLConnection rather than an HttpsURLConnection and never gives me a cert error, rather a connection refused since there is no non SSL service running on CAS. The same code pointed to the server running the verisign cert works as expected.
Part of the stack:
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: java.net.ConnectException: Connection refused
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at java.net.PlainSocketImpl.socketConnect(Native Method)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at java.net.PlainSocketImpl.doConnect(PlainSocketImpl.java:333)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at java.net.PlainSocketImpl.connectToAddress(PlainSocketImpl.java:195)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:182)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at java.net.Socket.connect(Socket.java:516)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at java.net.Socket.connect(Socket.java:466)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.NetworkClient.doConnect(NetworkClient.java:157)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.http.HttpClient.openServer(HttpClient.java:365)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.http.HttpClient.openServer(HttpClient.java:477)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.http.HttpClient.<init>(HttpClient.java:214)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.http.HttpClient.New(HttpClient.java:287)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.http.HttpClient.New(HttpClient.java:311)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.protocol.http.HttpURLConnection.setNewClient(HttpURLConnection.java:489)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.protocol.http.HttpURLConnection.setNewClient(HttpURLConnection.java:477)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.protocol.http.HttpURLConnection.writeRequests(HttpURLConnection.java:422)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:937)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at edu.yale.its.tp.cas.util.SecureURL.retrieve(Unknown Source)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at edu.yale.its.tp.cas.client.ServiceTicketValidator.validate(Unknown Source)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at edu.fsu.ucs.authentication.providers.CASAMLoginModule.process(CASAMLoginModule.java:86)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at com.sun.identity.authentication.spi.AMLoginModule.wrapProcess(AMLoginModule.java:729)
The relevent bit of code from the SecureURL.retrieve looks as follows:
URL u = new URL(url);
if (!u.getProtocol().equals("https"))
throw new IOException("only 'https' URLs are valid for this method");
URLConnection uc = u.openConnection();
uc.setRequestProperty("Connection", "close");
r = new BufferedReader(new InputStreamReader(uc.getInputStream()));
String line;
StringBuffer buf = new StringBuffer();
while ((line = r.readLine()) != null)
buf.append(line + "\n");
return buf.toString();
} finally { ...
The fact that this same code in other authentication modules running outside the amserver (in other web containers as well, tomcat and resin for example) running java 1.5 works fine with the new CA, as well as with self signed certs that I've imported into the appropriate cacerts file leads me to believe that I'm either importing the certificate into the wrong store, or that there is some additional step needed for the amserver in the Sun Web container.
Thank you very much for any insights and help,
EthanI thought since this has had a fair number of views I would give an update.
I have been able to confirm that the custom authentication module is using the cert8 db defined in the AMConfig property com.iplanet.am.admin.cli.certdb.dir as documented. I do seem to have a problem using the certificate to make outgoing connections, even though the certificate verifies correctly for use as a server certificate. This is likely a question for a different forum, but just to show what I'm looking at:
root@jbc1 providers#/usr/sfw/bin/certutil -V -n "FSU Wildcard Certificate" -d /opt/SUNWwbsvr/alias -P https-jbc1.ucs.fsu.edu-jbc1- -u V
certutil: certificate is valid
root@jbc1 providers#/usr/sfw/bin/certutil -V -n "FSU Wildcard Certificate" -d /opt/SUNWwbsvr/alias -P https-jbc1.ucs.fsu.edu-jbc1- -u C
certutil: certificate is invalid: Certificate type not approved for application.
root@jbc1 providers#/usr/sfw/bin/certutil -M -n "FSU Wildcard Certificate" -d /opt/SUNWwbsvr/alias -P https-jbc1.ucs.fsu.edu-jbc1- -t uP,uP,uP
root@jbc1 providers#/usr/sfw/bin/certutil -V -l -n "FSU Wildcard Certificate" -d /opt/SUNWwbsvr/alias -P https-jbc1.ucs.fsu.edu-jbc1- -u C
FSU Wildcard Certificate : Certificate type not approved for application.
So it could be that I don't understand how to use the certutiil to get the permissions I want, or it could be that using the same certificate for both server and client functions is not supported -- though you can see why this would be a common case with wildcard certificates.
BTW for those interested, it did seem to be the case that when the certificate failure occurred that the attempt was then made by the URLConnection to bind to port 80 in cleartext even though the URL was clearly https. I'm sure this was just an attempt to help out misformed URL, but it seemed that the URLConnection implementation in the amserver would swapped traffic over cleartext if that port had been open on the server I was making the https connection to; that seems dangerous to me, I would not have wanted it to quietly work that way exposing sensitive information to the network.
This was why I was getting back a connection refused instead of a certificate exception. The URLConnection implementation used by the amserver is defined by java.protocol.handler.pkgs=com.iplanet.services.comm argument passwd to the JVM, and I imagine this is done because the amserver pre-dates the inclusion of the sun.net.www.protocol handlers, but I don't know, there maybe reasons why the amserver wants it own handler. I only noticed that this is what was going on when I as casting the httpsURLConnection objects to other types trying to diagnose the certificate problem. I would be interested in hearing if anyone knows if there is a reason not to use sun.net.www.protocol with the amserver.
After switching to the sun.net.www.protocol handler I was able to get my certificate errors rather than the "Connection Refused" which is what lead me to the above questions about certutil. -
Custom Authentication using WebService
Hi,
I am trying to create a way to Authenticate my users after calling a Webservice using Custom Authentication so that they don't have to Log on twice (SSO).
Here is a brief description of what I'm trying to do:
- End Users Login and get Authenticated in an iPlanet Portal.
- Once in - they hit a link which calls my APEX Application in a new window.
- I call the Web Service that return a response telling me if they have a valid Portal session along with username etc.
- If they are logged in to our Portal - I authenticate them in APEX using Custom Authentication and allow them to continue.
I have done this so far:
- Created an After Footer Process in the Login Page(101) that calls the Web Service.
- Created an automatic Page submit on page 101 with Javascript.
- Changed the After Submit Process 'Set Username Cookie' to use the Login returned in the Web Service.
- Changed the After Submit Process 'Login' to use the Login returned in the Web Service.
- Custom Authentication is run after Page is submitted.
- The user can then run the Application.
Everything was working fine when I was already logged in to APEX as a Developer, but when I tried to run the application as a non-developer I get the Error:
ORA-01400: cannot insert NULL into ("FLOWS_030100"."WWV_FLOW_COLLECTIONS$"."USER_ID")
I now realize that my Webservice Process is trying to store the result of the Web Service call before the Login has occured - so there is no APEX User at this point.
Does anyone have a way to accomplish what I'm trying to do?
Thanks,
BillYou should create a page sentry function based on the often-cited ntlm page sentry function discussed in this forum. That has the framework you need. Here is an example, although it's kind of old:
function modntlm_page_sentry return boolean as
l_current_sid number;
l_authenticated_username varchar2(256) := OWA_UTIL.GET_CGI_ENV('REMOTE_USER');
begin
if l_authenticated_username is null then
return false;
end if;
l_current_sid := wwv_flow_custom_auth_std.get_session_id_from_cookie;
if wwv_flow_custom_auth_std.is_session_valid then
htmldb_application.g_instance := l_current_sid;
if l_authenticated_username = wwv_flow_custom_auth_std.get_username then
wwv_flow_custom_auth.define_user_session(
p_user=>l_authenticated_username,
p_session_id=>l_current_sid);
return true;
else -- username mismatch. Unset the session cookie and redirect back here to take other branch
wwv_flow_custom_auth_std.logout(
p_this_flow=>v('FLOW_ID'),
p_next_flow_page_sess=>v('FLOW_ID')||':'||nvl(v('FLOW_PAGE_ID'),0)||':'||l_current_sid);
htmldb_application.g_unrecoverable_error := true; -- tell htmldb engine to quit
return false;
end if;
else -- application session cookie not valid; we need a new htmldb session
wwv_flow_custom_auth.define_user_session(
p_user=>l_authenticated_username,
p_session_id=>wwv_flow_custom_auth.get_next_session_id);
htmldb_application.g_unrecoverable_error := true; -- tell htmldb engine to quit
if owa_util.get_cgi_env('REQUEST_METHOD') = 'GET' then
wwv_flow_custom_auth.remember_deep_link(p_url=>'f?'||wwv_flow_utilities.get_cgi_query_string_decoded);
else
wwv_flow_custom_auth.remember_deep_link(p_url=>'f?p='||
to_char(htmldb_application.g_flow_id)||':'||
to_char(nvl(htmldb_application.g_flow_step_id,0))||':'||
to_char(htmldb_application.g_instance));
end if;
wwv_flow_custom_auth_std.post_login( -- register session in htmldb sessions table,set cookie,redirect back
p_uname => l_authenticated_username,
p_flow_page => htmldb_application.g_flow_id||':'||nvl(htmldb_application.g_flow_step_id,0));
return false;
end if;
end modntlm_page_sentry;You would replace this:
l_authenticated_username varchar2(256) := OWA_UTIL.GET_CGI_ENV('REMOTE_USER');
...with whatever statement will allow you to get the authentication status and authenticated user name from the environment, from HTTP headers, or from some other external source.
Then you would put this into the page sentry function attribute of the authentication scheme for your application:
return modntlm_page_sentry;
Of course you can name it anything you like but it should be compiled in your applicaiton's parsing schema.
Scott -
URGENT help required : Custom Authentication Plugin for validation of users
Hi Experts.
I'm a newbie and am stuck in middle of nowhere.
I have been asked to develop a custom authentication plug-in which would validate a user using the attributes such as a userid and a shared-userid.
shared-userid is just a custom id that would be generated on the basis of some logic.
Currently I'm using OAM 10.1.4.3.0 on WINDOWS server and as everybody, I'm also not able to find any sample files or sample folder structure.
As per one of the other threads https://forums.oracle.com/forums/thread.jspa?messageID=3838474, sample code and sample folders are removed from this particular version and were present in some previous version.
So, can anyone please help me out with the following:
1. How can I proceed to accomplish this task, i.e. to check whether a user-id and a shared-userid both are validated and a user is granted access.
2. Are all of these files required to create a custom authentication plug-in or can we proceed only with the ".c" file (i.e. make file, authn.c, and a dll file made using the make file and .c file)
3. Can anybody provide me with a sample file or a sample code written in "C" wherein the plug-in connects to the LDAP and searches for a particular dn for comparison or something. Also a sample make file for windows to convert the .c file to .dll.
PLEASEEEE help me ASAP.
Regards
Edited by: 805912 on Nov 15, 2011 7:18 PMHi,
Regarding question 2, you also need the header file is supplied in the Access Server installation directory, under ...access\oblix\sdk\authn_api and is called authn_api.h. you need this to build the dll which must then be placed in the Access Server's ...\access\oblix\lib directory.
Regarding question 3, if you install an earlier version of the Access Server, ie 10.1.4.2 or less, then you will get a \access\oblix\sdk\authentication\samples\authn_api directory that contains a basic sample authentication plugin. However, there is still documented in the 10.1.4.3 Developer Guide another sample plugin, simplapi.c, in the 10.1.4.3 Developer Guide with instructions on how to use it. It does work, but unfortunately requires a couple of edits to get it working after copy&pasting it (no code changes, just fairly obvious case changes eg changing ObanPlugin* to ObAnPlugin*). I used the following commands to get it to compile into a .so file on unix:
g++44 -c -fPIC -Wno-deprecated -m32 simpleapi.c
g++44 -shared -nostdlib -lc -m32 simpleapi.o -o simpleapi.so
but I really would not know if or how these translate into a Windows environment.
Regards,
Colin
Edited by: ColinPurdon on Nov 15, 2011 2:50 PM -
How to set session attributes in a bean?
How do I set a session attribute in a server-side bean?
I'm not sure if I asked the question the right way. What I meant is, while it's easy to set session attributes in a JSP page (session.setAttribute("sessionname", "sessionvalue")), I'd want to set such an attribute within a server-side bean defined in this web application. But what is the syntax for doing it?Here a simple bean that stores something in the session and retrieves something from it.
import javax.servlet.http.HttpSession;
public class TestBean {
private String value;
public void doSomething(HttpSession session, int a, int b) {
if (a+b > 0) {
session.setAttribute("ab",Boolean.TRUE);
} else {
session.setAttribute("ab",Boolean.FALSE);
public void init(HttpSession session) {
if (session != null) {
Boolean b = (Boolean)session.getAttribute("ab");
if (b == Boolean.TRUE) {
value = "a + b is greater than zero";
} else {
value = "a + b is not greater than zero";
} else {
value = "no session";
public String getValue() {
return value;
}In your JSP, use something along the lines of :
<%
TestBean bean = new TestBean();
bean.init(session);
bean.doSomething(session,1,2);
%>If your bean only lives during one request, you can pass the session to the constructor, which stores it in a private variable. This saves passing the session each time.
Hope this helps,
--Arnout -
Hi,
i' m developing JSP channels. I know that i can create new attributes with value in the jsp session:
session.setAttribute(aname, aval);
But i want other channels to have access to this attributes.
Is there a global Session where all jsp provider have access ?
When not, which is the best way to do that ?
Thanks
RichardTwo methods called setUserSessionProperty
and getUserSessionProperty in the pluggable auth API enables authentication modules to get and set properties in the user session. This allows
authentication modules to communicate with channels, applications, or other authentication modules by setting session properties. For example, a custom
authentication module may add the user password to the session, so that an application may retrieve this property, for single sign on at a later time.
The default examples given are for servlets ..
Take a look at the sp3 release notes .. -
Good Afternoon,
I am trying to add some code to a custom authentication routine to allow for tracking in the APEX supplied logs. Currently the authentication code processes the Login attempt and either allows access or returns the user back to the login page with a error message in case they entered an invalid username/password.
I had added in each case the required two lines of code:
APEX_UTIL.SET_CUSTOM_AUTH_STATUS('Test Message.. Ignore Me')
APEX_UTIL.SET_AUTHENTICATION_RESULT(1) (Just as a test, will use more accurate values later)
Now when I login with a non-existent user it logs it as a successful login, with NO custom text loaded...
Can anyone suggest an idea here, other than using a custom logging table?
Thank you,
Tony Miller
Webster, TXHi,
I did test set item session state , and it works OK for me.
First I did forgot create that item when there was errors in my test.
Do you have some computations, validations in login page ? Any application process that might run ?
Or do you have any Page Sentry Function, Session Verify Function or Pre-Authentication Process in authentication scheme ?
What is you session not valid in authentication scheme ?
Have you tested your code on apex.oracle.com ?
Br,Jari
Edited by: jarola on Apr 16, 2010 9:25 AM
I did more test.
If you try login with some user name and password
http://apex.oracle.com/pls/otn/f?p=12444
Then you can try login with user EXPIRED and passwd test.
To see access log login with user ACTIVE and passwd test.
Then go page 10 you can see access log
http://apex.oracle.com/pls/otn/f?p=12444:10
My auth function is
create or replace
function custom_auth_2 (p_username in VARCHAR2, p_password in VARCHAR2)
return BOOLEAN
is
l_password varchar2(4000);
l_stored_password varchar2(4000);
l_expires_on date;
l_count number;
begin
-- First, check to see if the user is in the user table
select count(*) into l_count from demo_users where user_name = p_username;
if l_count > 0 then
-- First, we fetch the stored hashed password & expire date
select password, expires_on into l_stored_password, l_expires_on
from demo_users where user_name = p_username;
-- Next, we check to see if the user's account is expired
-- If it is, return FALSE
if l_expires_on > sysdate or l_expires_on is null then
-- If the account is not expired, we have to apply the custom hash
-- function to the password
l_password := custom_hash(p_username, p_password);
-- Finally, we compare them to see if they are the same and return
-- either TRUE or FALSE
0, 'AUTH_SUCCESS',
1, 'AUTH_UNKNOWN_USER',
2, 'AUTH_ACCOUNT_LOCKED',
3, 'AUTH_ACCOUNT_EXPIRED',
4, 'AUTH_PASSWORD_INCORRECT',
5, 'AUTH_PASSWORD_FIRST_USE',
6, 'AUTH_ATTEMPTS_EXCEEDED',
7, 'AUTH_INTERNAL_ERROR',
if l_password = l_stored_password then
APEX_UTIL.SET_CUSTOM_AUTH_STATUS('SUCCEEDED');
APEX_UTIL.SET_AUTHENTICATION_RESULT(0);
return true;
else
APEX_UTIL.SET_CUSTOM_AUTH_STATUS('WRONG_PASSWORD');
APEX_UTIL.SET_AUTHENTICATION_RESULT(4);
APEX_UTIL.SET_SESSION_STATE('LOGIN_MESSAGE','You have entered invalid Username or Password');
return false;
end if;
else
APEX_UTIL.SET_CUSTOM_AUTH_STATUS('ACCOUNT_EXPIRED');
APEX_UTIL.SET_AUTHENTICATION_RESULT(3);
APEX_UTIL.SET_SESSION_STATE('LOGIN_MESSAGE','Your account has been locked');
return false;
end if;
else
-- The username provided is not in the DEMO_USERS table
APEX_UTIL.SET_CUSTOM_AUTH_STATUS('USER_NOT_FOUND');
APEX_UTIL.SET_AUTHENTICATION_RESULT(1);
APEX_UTIL.SET_SESSION_STATE('LOGIN_MESSAGE','You have entered invalid Username or Password');
return false;
end if;
end;I have application item LOGIN_MESSAGE and in login page I did also create before header process.
APEX_APPLICATION.G_NOTIFICATION := :LOGIN_MESSAGE;
:LOGIN_MESSAGE := NULL;To show that item message in notification. It do not affect how auth work.
It seems work ok -
Apex Custom Authentication Schema Page Sentry Error
Hi,
I am using Application Express 4.0.0. I am struggling with a strange problem while trying to implement custom authentication schema.
I declare a page sentry function 'page_sentry' which returns TRUE or FALSE based on certain conditions. My page_sentry is as follows:
FUNCTION PAGE_SENTRY RETURN BOOLEAN
IS
l_username VARCHAR2(512);
l_session_id NUMBER;
BEGIN
IF USER != 'APEX_PUBLIC_USER' THEN
RETURN false;
END IF;
l_session_id := wwv_flow_custom_auth_std.get_session_id_from_cookie;
-- check application session cookie.
IF wwv_flow_custom_auth_std.is_session_valid THEN
apex_application.g_instance := l_session_id;
l_username := wwv_flow_custom_auth_std.get_username;
wwv_flow_custom_auth.define_user_session(
p_user => l_username, p_session_id => l_session_id);
RETURN true;
ELSE
--redirect to login page using OWA_UTIL.REDIRECT_URL
END IF;
RETURN false;
END page_sentry;
And Cookie Name : _AUTH
At first, It always returned FALSE. I wasn't getting any error. However, even after forcibly returning TRUE from the page_sentry function the redirect was still not happening. I tried to look into what cookies were being set for the same and I found this:
Name: ApexLibErrorStack1
Content: page%3D1%3Cbr%20%2F%3EERR-1201%20session%20ID%20not%20set%20on%20custom%20authentication
I couldn't find any relevant help for this. Worst of it is I cannot set any cookie from the page_sentry function at all. Please help!Hi all.
Can someone please help me out with the above issue. I am not sure if things are wrong at my end or is this an apex bug.
--Update:
The source of my problem perhaps lies in the manner in which I have configured my Oracle HTTP Server. When I disable port HTTP server on port 80 and run apex without it on default port 8080, the custom authentication schema cookie gets set.
Executing the following with Oracle HTTP Server:
OWA_UTIL.PRINT_CGI_ENV;
gives:
HTTP_COOKIE = ApexLibErrorStack1=page%3D1%3Cbr%20%2F%3EERR-1201%20session%20ID%20not%20set%20on%20custom%20authentication.; ORA_WWV_R1=%23ALL; ORA_WWV_R2=%23ALL; ORA_WWV_R3=%23ALL
And without HTTP Server:
gives:
HTTP_COOKIE = WWV_CUSTOM-F_1420403886791332_100=9625AAC49B9951D8;......
Did I miss something in my HTTP server configuration ?
Edited by: pc on Jan 2, 2012 3:15 AM -
OWA_SEC.CUSTOM package - Custom authentication procedures...
Folks -
I haven't ever used the OWA_SEC.CUSTOM package for custom authentication of a psp application - and now need to do so. The documentation doesn't have any examples of what I need to do. Although there is plenty of documentation - it all says the same stuff, without saying what developers need to do to get it to work.
For example I have updated the following files in the following ways - and still it doesn't work:
owapriv.sql - updated the line that says:
auth_scheme := OWA_SEC.NO_CHECK;
to :
auth_scheme := OWA_SEC.CUSTOM;
owacust.sql - updated to say:
create or replace package body OWA_CUSTOM is
/* Global PLSQL Agent Authorization callback function - */
/* It is used when PLSQL Agent's authorization scheme is set to */
/* GLOBAL or CUSTOM when there is overriding OWA_CUSTOM package.*/
/* This is a default implementation. User should modify. */
function authorize return boolean is
v_username varchar2(30);
v_pass varchar2(30);
BEGIN
owa_sec.set_authorization(OWA_SEC.CUSTOM);
owa_sec.set_protection_realm('my_app');
v_username := owa_sec.get_user_id;
v_pass := owa_sec.get_password;
IF v_username = 'cmanning' THEN
return TRUE;
ELSE
return FALSE;
END IF;
end;
end;
show errors
wdbsvrapp.sql looks like this:
[DAD_mydad]
connect_string = my_connect_string
password = my_password
username = my_username
default_page = my_default_package.procedure
;document_table =
;document_path =
;document_proc =
;upload_as_long_raw =
;upload_as_blob =
name_prefix =
;always_describe =
;after_proc =
;before_proc =
reuse = Yes
connmax = 20
;pathalias =
;pathaliasproc =
enablesso = No
;custom_auth =
Can anyone tell me what I am missing / doing wrong.
For example:
When I take out the username/password reference from the wdbsvr.app file - the browswer tries to authenticate me and the only username/password that validates is the username/password of the database user.
I don't want to have to have database users for every application user that should be authenticated in my application. I want to put a routine in the owacust.sql file that authenticates users (via my own routine or an optional LDAP/radius/SecurID lookup). In this basic example - I am only validating with the cmanning/cmanning combination.
From what I understand in the documentation - if I use OWA_SEC.CUSTOM - then I don't have to put a .authorize function in every package - the OWA agent simply authenticates every request via the OWA_CUSTOM.authorize function.....
Dude - what's up?
Can someone from the Big O help a brother out?
cfm
nullCharles
It looks to me like you want your users authenticated when they try to view your pl/sql-generated html pages, but you want to control the validation with custom code.
You appear to be trying to use owa_custom.authorize to authorize each request, which seems like a good approach.
This whole area is quite complex and I have never found any really comprehensive doco on it. Here are my thoughts which others might like to comment on.
This is a simple version of owa_custom:
PACKAGE BODY OWA_CUSTOM IS
FUNCTION authorize return boolean is
BEGIN
owa_sec.set_protection_realm('aRealm');
if owa.user_id is null then
return false;
else
return my_validate_user
(owa.user_id,owa.get_password);
end if;
exception
RETURN FALSE;
END authorize;
begin
owa_sec.set_authorization(OWA_SEC.GLOBAL);
end;
Note the begin block that applies to the package and sets authorization to GLOBAL when the package is loaded.
The authentication mode in the DAD will need to be Global Owa (afaik) and you will need to supply an oracle username and password in the DAD. ie. you will authenticate the userid/password supplied by the user and then the user will connect to the database as the oracle user specified in the DAD.
I cannot test this code at the moment. Nor can I give you complete instructions to set up authentication from scratch. But here's a brief description of what the code should do.
1. It sets authorization to GLOBAL. So mod_plsql will call owa_custom.authorize for every request. That is, you don't call owa_custom.authorize, it will be done for you and the internals probably look like this:
if owa_custom.authorize then
user_requesed_page(user_supplied_args);
else
send_access_denied;
end if;
2. It sets up a realm, which is relevant to HTTP Basic Authentication and its challenge/response. (You don't have to use HTTP Basic Authentication. An alternative is to present a login form to the user, then you manage the userid/password.)
3. It looks in owa.user_id which will hold the userid supplied by the browser after a HTTP Basic Authentication challenge/response.
4. It uses your custom code to validate the userid and password once the user has been challenged to provide these. You obviously have to create the my_validate_user procedure in the schema and package of your choice.
5. It does not time users out, it does not sustain multi-sessions per user via cookies and it does not support logout without shutting the browsers. But it is simpler for lacking these features.
If this is a way you want to try then your first aim should be to make sure owa_custom is called globally and that it lets you into the database via the DAD-supplied userid and password. You may need some way of writing debug on the server using utl_file to confirm it is being called. Or you could make it return true unconditionally, request a page, then make it return false and request a page.
This is just a start, but let me know if it is on topic.
It would be great to hear suggestions and comments from others on authentication for an htp application under iAS.
Has anyone tried DB Prism?
null -
How to unconfigure a Custom Authentication Module for Convergence
After flailing with the incomplete instructions for [Writing a Custom Authentication Module for Convergence|http://wikis.sun.com/display/CommSuite/Writing+a+Custom+Authentication+Module+for+Convergence]
, I decided to try to revert back to the default.
How do you remove the module and go back to the default? I tried to unset the options, but they did not seem to take effect.
sudo /opt/sun/comms/iwc/sbin/iwcadmin -w xxxxx -o auth.custom.servicename -v ""
sudo /opt/sun/comms/iwc/sbin/iwcadmin -w xxxxx -o auth.custom.callbackhandler -v ""
sudo /opt/sun/comms/iwc/sbin/iwcadmin -w xxxxx -o auth.custom.loginimpl -v ""
sudo /opt/SUNWappserver/bin/asadmin stop-appserv
sudo /opt/SUNWappserver/bin/asadmin start-appserv
AUTH: DEBUG from com.sun.comms.client.web.sso.SSOFilter Thread httpSSLWorkerThread-80-1 at 14:45:25,951 - SSO is disabled
AUTH: WARN from com.sun.comms.client.protocol.delegate.agent.LoginContextAgent Thread httpSSLWorkerThread-80-1 at 14:45:25,953 - Subject not found in session, creating one
AUTH: ERROR from com.sun.comms.client.protocol.delegate.agent.LoginContextAgent Thread httpSSLWorkerThread-80-1 at 14:45:25,954 - Unabled to load the class due to
AUTH: ERROR from com.sun.comms.client.protocol.delegate.agent.LoginContextAgent Thread httpSSLWorkerThread-80-1 at 14:45:25,956 - Unable to instantiate callback handler
AUTH: ERROR from com.sun.comms.client.protocol.delegate.LoginCommandDelegate Thread httpSSLWorkerThread-80-1 at 14:45:25,957 - Failed to Login the user: Unable to instantiate callback handler
PROTOCOL: ERROR from com.sun.comms.client.protocol.delegate.LoginCommandDelegate Thread httpSSLWorkerThread-80-1 at 14:45:25,960 - Protocol Error while login : Unknown Reasonjessethompson wrote:
After flailing with the incomplete instructions for [Writing a Custom Authentication Module for Convergence|http://wikis.sun.com/display/CommSuite/Writing+a+Custom+Authentication+Module+for+Convergence]
, I decided to try to revert back to the default.
How do you remove the module and go back to the default? I tried to unset the options, but they did not seem to take effect.After enabling the custom login module using the steps in the earlier thread (http://forums.sun.com/thread.jspa?threadID=5318615), I performed the following steps to disable the custom module and re-enable the ldap auth module:
# Disable custom auth-module
cd /opt/sun/comms/iwc/sbin
./iwcadmin -w <admin password> -o auth.custom.servicename -v ""
./iwcadmin -w <admin password> -o auth.custom.loginimpl -v ""
./iwcadmin -w <admin password> -o auth.custom.callbackhandler -v ""
./iwcadmin -w <admin password> -o auth.misc.CredentialFile -v ""# Re-enable the LDAP auth-module
cd /opt/sun/comms/iwc/sbin
./iwcadmin -w <admin password> -o auth.ldap.callbackhandler -v com.sun.comms.client.security.auth.AppCallbackHandler
./iwcadmin -w <admin password> -o auth.ldap.loginimpl -v com.sun.comms.client.security.auth.modules.impl.SunLDAPLoginModule# Restarte App Server
cd /opt/SUNWappserver/bin/
./asadmin stop-domain; ./asadmin start-domain# Login to iwc interface as user shjorth with password oldpwd
# Login successful with oldpwd -- custom auth module successfully disabled, LDAP re-enabled
Regards,
Shane.
Maybe you are looking for
-
How do i delete all my pictures from iphone
I need to delete photos from iPhone 5. Need to delete them ALL as I need space on the phone and I don't want to individually click 1000+ pix. They are already backed up to Dropbox. There appears to be no way to do this. Any suggestions (other than s
-
I have $84 store balance but need to change registered country (I moved - foreign credit card)...
Can I spend that and won't have a problem later when I change my country, with apps and everything? I read your 'purchased' won't show your stuff anymore, but you can still search individually and re-download free, sounds like some chaos comes with
-
How can I tell the number of discs needed to transfer an iMovie to DVD?
OK, I'll admit it---I'm new to iMovie and have yet to burn a DVD since iDVD was not included on my Mac. I have ordered a new disc of iLife 09 which should arrive next week, but I'm trying to be prepared to burn some home movies as soon as it is inst
-
Problem with updating to 4.0.4 :(
guys i tried to update my WT19i live with walkman via SUS.It said it was successful but i have the same version again(2.3.4).By the way i live in Greece.Do you know how can i update it?I tried with PCC but it says that my phone is updated
-
Hello all! Does anybody know how can I get to know, inside a class, the name of the host where that class is running? Thanks in advance.