Error using 10.1.3 Security Provider:3rd party LDAP or Custom Login Module
Hello all,
After deploying my JSF/ADF application using Jdeveloper 10.1.3 to Oracle Application Server 10.1.3, I used the Application Server control to change the 'Security Provider' configuration:
1. Using 3rd Party LDAP Provider (Novell eDirectory)
I get the following error when restarting the application with the new config.
06/06/21 16:42:32 Error while configuring security provider MBean for application AccessList
06/06/21 16:42:32 java.lang.ClassNotFoundException: oracle/security/jazn/jmx/CustomLDAPSecurityProvider
2. Using Custom Login Module (again programmatically talks to eDirectory and it works in UIX/10.1.2 application)
I get the following error when restarting the application with the new config.
06/06/21 14:31:19 Error while configuring security provider MBean for application AccessList
06/06/21 14:31:19 java.lang.ClassNotFoundException: oracle/security/jazn/jmx/LoginModuleSecurityProviderAlso, I get this error with both the settings..
06/06/21 14:31:19 WARNING: Application.setConfig Application: AccessList is in failed state as initialization failedjava.lang.
InstantiationException
Jun 21, 2006 2:31:19 PM com.evermind.server.Application setConfig
WARNING: Application: AccessList is in failed state as initialization failedjava.lang.InstantiationException
06/06/21 14:31:19 java.lang.InstantiationException
06/06/21 14:31:19 at com.evermind.server.ApplicationStateRunning.initDataSources(ApplicationStateRunning.java:1424)
06/06/21 14:31:19 at com.evermind.server.ApplicationStateRunning.initializeApplication(ApplicationStateRunning.java:195)
java.lang.ClassNotFoundException error leads me to believe, I am just missing to include some libraries..
I have included "bc4j.security" in my web project and I am not sure if that is what is needed!
Will appreciate your help..
Thanks,
Karthik
The problem i had with my Custom login module was that JDeveloper includes the datasources listed in the connection tab.
When JDeveloper does that it writes the username and password in the jazn-data.xml. But with the Custom Login module the reference in de data-source declaration cannot find the password. that's why i got the InstantiationException at the initDataSources point.
In tools>preferences>deployment you can uncheck the option:
Bundle Default data-sources.xml During Deployment.
The problem with this is when i specify a datasource in the data-sources.xml i included myself, jdeveloper will also put de datasources under the Connections tab in the data-sources.xml.
Does anyone knows how to stop jdeveloper putting the datasources automatic in the file, or how to prevent jdeveloper storing the password in jazn-data.xml?
Similar Messages
-
Map security roles to group within LDAP using external 3rd Party LDAP
I'm haveing a problem mapping my logical role defined in my web.xml to a role within Active Directory. I'm currently authenticating using Active Directory succsfully, however after the user is authenticated I get a message from the OC4J container that my role can not be found. Can you map a logical role to group within Active Directory? Below are details about my configuration.
Any help would be greatly appreciated.
Log.xml log entry that confirms webtA is communicating successfully with AD.
SG_TEXT>JAAS-LDAPLoginModule: authenticating user wmgraham</MSG_TEXT>
</PAYLOAD>
</MESSAGE>
<MESSAGE>
<HEADER>
</CORRELATION_DATA>
<PAYLOAD>
<MSG_TEXT>JAAS-LDAPLoginModule: DN for user wmgraham is cn=wmgraham,ou=endusers,ou=itod,ou=endusers,ou=div20,ou=hq,dc=fbinet,dc=fbi</MSG_TEXT>
</PAYLOAD>
</MESSAGE>
<MESSAGE>
<HEADER>
Error reported in the log
<MESSAGE>
<HEADER>
<TSTZ_ORIGINATING>2008-08-27T11:38:05.991-04:00</TSTZ_ORIGINATING>
<COMPONENT_ID>j2ee</COMPONENT_ID>
<MSG_TYPE TYPE="TRACE"></MSG_TYPE>
<MSG_LEVEL>16</MSG_LEVEL>
<HOST_ID>F2287032-W</HOST_ID>
<HOST_NWADDR>30.30.16.14</HOST_NWADDR>
<MODULE_ID>security</MODULE_ID>
<THREAD_ID>14</THREAD_ID>
<USER_ID>wmgraham</USER_ID>
</HEADER>
<CORRELATION_DATA>
<EXEC_CONTEXT_ID><UNIQUE_ID>30.30.16.14:59560:1219851485804:6</UNIQUE_ID><SEQ>0</SEQ></EXEC_CONTEXT_ID>
</CORRELATION_DATA>
<PAYLOAD>
<MSG_TEXT>for group=[JAZNGroupAdaptor: webta] there's no matching role found.</MSG_TEXT>
</PAYLOAD>
</MESSAGE>
Web.xml Logical Role definition
<security-constraint>
<web-resource-collection>
<web-resource-name>allpages</web-resource-name>
<url-pattern>/servlet/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>WEBTA_J2EE_USER</role-name>
</auth-constraint>
</security-constraint>
<security-role>
<role-name>WEBTA_J2EE_USER</role-name>
</security-role>
Orion-web.xml This file maps the logical role defined in webxml to a group within Active Directory.
<security-role-mapping name="WEBTA_J2EE_USER">
<group name="webta"/> <-- Group defined in AD -->
</security-role-mapping>What is the name of the group in AD (provide the DN) that you want to map the j2ee logical role WEBTA_J2EE_USER? What are the group search base and group mapping attribute?
When wmgraham logs into the app, the 3rd party ldap login module will attempt to query for the groups wmgraham is a member of - this is done using the group search base configuration for the provider.
In this example, the DN is "cn=wmgraham,ou=endusers,ou=itod,ou=endusers,ou=div20,ou=hq,dc=fbinet,dc=fbi" and likely user search base is set to "ou=endusers,ou=itod,ou=endusers,ou=div20,ou=hq,dc=fbinet,dc=fbi".
Assuming group search base is (say) "ou=groups,ou=itod,ou=endusers,ou=div20,ou=hq,dc=fbinet,dc=fbi" and and group mapping attr is "cn", then the role mapping you mention should work for group DN "cn=webta,ou=groups,ou=itod,ou=endusers,ou=div20,ou=hq,dc=fbinet,dc=fbi" -
3rd party LDAP security provider problem
I'm having an issue that when I've deployed my j2ee application to Oracle AS 10g rel3 app server, the security-constraint I've configured in my web.xml file isn't being obeyed, or at least it doesn't appear to be.
As part of the deployment process I've configured a 3rd party LDAP server as the security provider. As for mapping groups to roles, I've set it such that all users and groups should be mapped to the role AuthorisedUser - my intention is that for any protected url's defined in the web.xml, the user should be redirected to a login page as defined in the web.xml file as well (I'm using FORM based authentication in the login-config) - but after they are logged in they will be assigned the role of AuthorisedUser.
The following is being written to the orion-application.xml file
<security-role-mapping name="AuthorisedUser" impliesAll="true" />
What I'm observing is that users aren't being challenged when they hit a secured url-pattern. Is this as a result of the impliesAll="true" attribute ?I found that the <security-role-mapping> element is not functioning correctly for 10.1.3.4 OC4J LDAP authentication. I saw in the log.xml that I was getting authenticated but it wasn't finding the role-group map.
I changed the role-name in the web.xml to be the exact same thing as the group in LDAP and that fixed that problem.
I know the original poster has gone past this problem, but for people in the future, I hope this helps.
Now my problem is the j_security_check... once I'm authenticated, the browser ends up at http://hostname:port/OrderManagement/j_security_check instead of the application page. Any ideas?
Thanks,
David -
Error "java.lang.NoClassDefFoundError: sun/security/provider/Sun" in 10.1.2
Hi,
I developed an ADF UIX application in JDeveloper 10.1.2. It works fine when I run on embedded oc4j in my machine.
I deployed it to Oracle Application Server 10g in AIX. When I run the application from the Application Server and try to open a uix page with data I get the following error:
500 Internal Server Error
java.lang.NoClassDefFoundError: sun/security/provider/Sun at oracle.jbo.common.ampool.PoolMgr.createPool(PoolMgr.java:280) at oracle.jbo.common.ampool.PoolMgr.findPool(PoolMgr.java:482) at oracle.jbo.common.ampool.ContextPoolManager.findPool(ContextPoolManager.java:165) at oracle.adf.model.bc4j.DataControlFactoryImpl.findOrCreateSessionCookie(DataControlFactoryImpl.java(Compiled Code)) at oracle.adf.model.bc4j.DataControlFactoryImpl.createSession(DataControlFactoryImpl.java(Compiled Code)) at oracle.adf.model.binding.DCDataControlReference.getDataControl(DCDataControlReference.java(Compiled Code)) at oracle.adf.model.BindingContext.get(BindingContext.java(Compiled Code)) at oracle.adf.model.binding.DCUtil.findSpelObject(DCUtil.java:228) at oracle.adf.model.binding.DCUtil.findContextObject(DCUtil.java:308) at oracle.adf.model.binding.DCIteratorBinding.<init>(DCIteratorBinding.java:127) at oracle.jbo.uicli.binding.JUIteratorBinding.<init>(JUIteratorBinding.java:59) at oracle.jbo.uicli.binding.JUIteratorDef.createIterBinding(JUIteratorDef.java:58) at oracle.jbo.uicli.binding.JUIteratorDef.createIterBinding(JUIteratorDef.java:47) at oracle.adf.model.binding.DCBindingContainerDef.createIterBindings(DCBindingContainerDef.java(Compiled Code)) at oracle.adf.model.binding.DCBindingContainerDef.createBindingContainer(DCBindingContainerDef.java(Compiled Code)) at oracle.adf.model.binding.DCBindingContainerReference.getBindingContainer(DCBindingContainerReference.java(Inlined Compiled Code)) at oracle.adf.model.BindingContext.get(BindingContext.java(Compiled Code)) at oracle.adf.model.binding.DCUtil.findSpelObject(DCUtil.java:228) at oracle.adf.model.binding.DCUtil.findContextObject(DCUtil.java:308) at oracle.adf.model.binding.DCUtil.findBindingContainer(DCUtil.java:536) at oracle.adf.controller.lifecycle.LifecycleContext.initialize(LifecycleContext.java:121) at oracle.adf.controller.lifecycle.LifecycleContext.initialize(LifecycleContext.java:77) at oracle.adf.controller.struts.actions.DataActionContext.initialize(DataActionContext.java:51) at oracle.adf.controller.struts.actions.DataAction.execute(DataAction.java:150) at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:484) at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:274) at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1482) at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:507) at javax.servlet.http.HttpServlet.service(HttpServlet.java(Compiled Code)) at javax.servlet.http.HttpServlet.service(HttpServlet.java(Compiled Code)) at com.evermind[Oracle Application Server Containers for J2EE 10g (10.1.2.0.2)].server.http.ResourceFilterChain.doFilter(ResourceFilterChain.java(Compiled Code)) at oracle.adf.model.servlet.ADFBindingFilter.doFilter(ADFBindingFilter.java(Compiled Code)) at com.evermind[Oracle Application Server Containers for J2EE 10g (10.1.2.0.2)].server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java(Compiled Code)) at com.evermind[Oracle Application Server Containers for J2EE 10g (10.1.2.0.2)].server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java(Compiled Code)) at com.evermind[Oracle Application Server Containers for J2EE 10g (10.1.2.0.2)].server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java(Compiled Code)) at com.evermind[Oracle Application Server Containers for J2EE 10g (10.1.2.0.2)].server.http.AJPRequestHandler.run(AJPRequestHandler.java(Compiled Code)) at com.evermind[Oracle Application Server Containers for J2EE 10g (10.1.2.0.2)].server.http.AJPRequestHandler.run(AJPRequestHandler.java(Compiled Code)) at com.evermind[Oracle Application Server Containers for J2EE 10g (10.1.2.0.2)].util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java(Compiled Code)) at java.lang.Thread.run(Thread.java:568)
Can anybody tell/help why I am getting this error?
Thanks
SyedI believe this counts to be a bug in adf. I met with such errors as well in migration 1012 from NT to AIX platform, and after decompiling adf jar code and tak a look at it, the following code block indicates that In class- oracle.jbo.client.Configuration
, it is hard coded to get secure provider- sun/security/provider/Sun, as listed below...
import sun.security.provider.Sun;
static void checkSecurityProviders()
Provider aprovider[] = Security.getProviders();
boolean flag = false;
for(int i = 0; i < aprovider.length; i++)
if(!aprovider.getName().equals("SUN"))
continue;
flag = true;
break;
if(!flag)
try
Sun sun = new Sun();
Security.addProvider(sun);
catch(Exception exception)
exception.printStackTrace();
Adam -
Security constraints not being applied after using custom login module
I am using form based authentication and I applied the custom login module - DBProcLoginModule to work with the embedded OC4J (JDeveloper 10.1.3.2). I have specified two security contraints in web.xml. The authentication is working correctly, however the security contraints are not being applied. All users are able to access all url resources. The security constraints were working properly before applying the custom login module. Pls help.
LeenaHi,
if "All users are able to access all url resources" then this indicates that the RL isn't properly protected. If the authorization would fail then noone would have access and you would see error code 401
Make sure the role names in web.xml are the same as added by the LoginModule. Also make sure you set the dynamic.role property and the custom security provider property in the orion-application.xml
<jazn provider="XML">
<property name="custom.loginmodule.provider" value="true"/>
<property name="role.mapping.dynamic" value="true"/>
</jazn>
Note that the above is not required (because done automatically) if the custom LoginModule configuration is deployed through the orion-application.xml file
Frank -
I can not login to a certain account due to an error stating cookie not enabled, however my 3rd party cookies are enabled. How do I correct this?
COOKIE_DOMAIN=.hackers
I think this is the problem. .hackers is no valid cookie domain. You have to use something like:
.xy.ab
(two points)
I fear it is not possible to correct this easiely. First change the hostname to something allowed e.g. hackers.com
Then open an ldap browser and edit ou=iplanetamplatformservice,ou=services,dc=hackers
There is an entry with an xml. Copy the xml to an editor, search for .hackers, change it to a valid domainname.
Im not sure if a restart of the webserver is necessary here.
Another idea: You could also try to set the cookie domain to solnce.hackers, maybe this is accepted, even if it is not a cookie domain. But I dont know if this works...
hth
Chris -
Can I use a USB camera with the 3rd party USB camera software and share screens?
I want to do more than just use a USB camera w/iChat (or ichatusb). I also need to be able to initiate screen sharing between two computers. Specifically, I will use iChat with an insight built in camera on my end, and the other person will be using an iMac G5 PPC using a USB camera and the 3rd party USB software for USB ichat support.
My question then is am I able to request screen sharing (taking over their screen) from my ichat/fw combo to their ichatusb/usb combo?
thanks
dcHi,
The Cameras don't come into this at all. (But iChat and OS versions do)
Each end needs iChat 4 or higher.
Go to the Video menu and Enable Screen Sharing (Selecting toggles a tick On and Off (Tick Present is ON) )
Highlight Buddy in list and use the Screen Sharing icon at the bottom of the list (interlinked rectangles).
The G5 could be on Leopard (iChat 4) and be using a USB 1.1 camera that would need iUSBCam (formerly iChatUSBCam) as well as the Camera manufacturers Software.
iChat 3 (In Tiger OS 10.4.x) on the G5 with a USB 1.1 camera, Software and iUSBCam may well offer a Screen Sharing option (Or rather Desktop as Video Feed) in the iChat > Video Menu and that will not work
However if the G5 has USB 2.0 ports (not the Keyboard additional ports) then if it is up to OS 10.4.9 it can use a UVC Camera for Video Chats (UVC = USB Video Class No need for Additional Drivers) but Screen Sharing will still be an issue due to the iChat version.
IF the G5 is still on OS 10.4.x then you will have to use a third Party VNC app at both ends (And run a iChat Audio Chat along side)
9:33 PM Friday; September 2, 2011
Please, if posting Logs, do not post any Log info after the line "Binary Images for iChat"
G4/1GhzDual MDD (Leopard 10.5.8)
MacBookPro 2Gb( 10.6.8)
Mac OS X (10.6.8),
"Limit the Logs to the Bits above Binary Images." No, Seriously -
Help - using custom login module with embedded jdev oc4j to access ejb 3
Hi All (Frank ??),
I'm just wondering if anyone has successfully been able to leverage a custom login module in combination
with a client that connects to a local EJB 3 stateless session bean through Jdeveloper 10.1.3.2's embedded oc4j.
I have spent 2+ days trying to get this to work - and i think I resound now to the fact im going to
have to deploy to oc4j standalone instead.
I got close.. but finally was trumped with the following error from the client trying to access the ejb:-
javax.naming.NoPermissionException: Not allowed to look up XXXXXX, check the namespace-access tag
setting in orion-application.xml for details.
Using the various guides available, I had no problem getting the custom login module working
with a local servlet running from JDev's embedded oc4j.. however with ejb - no such luck.
I have a roles table (possible values Member, Admin) - that maps to sr_Member and sr_Admin
respectively in various config files.
I'm using EJB 3 annotations for protecting methods .. for example
@RolesAllowed("sr_Member")
Steps that I had to do so far :-
In <jdevhome>\jdev\system\oracle.jwee.10.1.3.40.66\embedded-oc4j\config\system-jazn-data.xml1) Add custom login module
<application>
<name>current-workspace-app</name>
<login-modules>
<login-module>
<class>kr.security.KnowRushLoginModule</class>
<control-flag>required</control-flag>
<options>
<option>
<name>dataSource</name>
<value>jdbc/DB_XE_KNOWRUSHDS</value>
</option>
<option>
<name>user.table</name>
<value>users</value>
</option>
<option>
<name>user.pk.column</name>
<value>id</value>
</option>
<option>
<name>user.name.column</name>
<value>email_address</value>
</option>
<option>
<name>user.password.column</name>
<value>password</value>
</option>
<option>
<name>role.table</name>
<value>roles</value>
</option>
<option>
<name>role.to.user.fk.column</name>
<value>user_id</value>
</option>
<option>
<name>role.name.column</name>
<value>name</value>
</option>
</options>
</login-module>
</login-modules>
</application>2) Grant login rmi permission to roles associated with custom login module (also in system-jazn-data.xml)
<grant>
<grantee>
<principals>
<principal>
<realm-name>jazn.com</realm-name>
<type>role</type>
<class>kr.security.principals.KRRolePrincipal</class>
<name>Admin</name>
</principal>
</principals>
</grantee>
<permissions>
<permission>
<class>com.evermind.server.rmi.RMIPermission</class>
<name>login</name>
</permission>
</permissions>
</grant>
<grant>
<grantee>
<principals>
<principal>
<realm-name>jazn.com</realm-name>
<type>role</type>
<class>kr.security.principals.KRRolePrincipal</class>
<name>Member</name>
</principal>
</principals>
</grantee>
<permissions>
<permission>
<class>com.evermind.server.rmi.RMIPermission</class>
<name>login</name>
</permission>
</permissions>
</grant>3) I've tried creating various oracle and j2ee deployment descriptors (even though ejb-jar.xml and orion-ejb-jar.xml get created automatically when running the session bean in jdev).
My ejb-jar.xml contains :-
<?xml version="1.0" encoding="utf-8"?>
<ejb-jar xmlns ....
<assembly-descriptor>
<security-role>
<role-name>sr_Admin</role-name>
</security-role>
<security-role>
<role-name>sr_Member</role-name>
</security-role>
</assembly-descriptor>
</ejb-jar>Note- i'm not specifying the enterprise-beans stuff, as JDev seems to populate this automatically.
My orion-ejb-jar.xml contains ...
<?xml version="1.0" encoding="utf-8"?>
<orion-ejb-jar ...
<assembly-descriptor>
<security-role-mapping name="sr_Admin">
<group name="Admin"></group>
</security-role-mapping>
<security-role-mapping name="sr_Member">
<group name="Member"></group>
</security-role-mapping>
<default-method-access>
<security-role-mapping name="sr_Member" impliesAll="true">
</security-role-mapping>
</default-method-access>
</assembly-descriptor>My orion-application.xml contains ...
<?xml version="1.0" encoding="utf-8"?>
<orion-application xmlns ...
<security-role-mapping name="sr_Admin">
<group name="Admin"></group>
</security-role-mapping>
<security-role-mapping name="sr_Member">
<group name="Member"></group>
</security-role-mapping>
<jazn provider="XML">
<property name="role.mapping.dynamic" value="true"></property>
<property name="custom.loginmodule.provider" value="true"></property>
</jazn>
<namespace-access>
<read-access>
<namespace-resource root="">
<security-role-mapping name="sr_Admin">
<group name="Admin"/>
<group name="Member"/>
</security-role-mapping>
</namespace-resource>
</read-access>
<write-access>
<namespace-resource root="">
<security-role-mapping name="sr_Admin">
<group name="Admin"/>
<group name="Member"/>
</security-role-mapping>
</namespace-resource>
</write-access>
</namespace-access>
</orion-application>My essentially auto-generated EJB 3 client does the following :-
Hashtable env = new Hashtable();
env.put(Context.SECURITY_PRINCIPAL, "matt.shannon");
env.put(Context.SECURITY_CREDENTIALS, "welcome1");
final Context context = new InitialContext(env);
KRFacade kRFacade = (KRFacade)context.lookup("KRFacade");
...And throws the error
20/04/2007 00:55:37 oracle.j2ee.rmi.RMIMessages
EXCEPTION_ORIGINATES_FROM_THE_REMOTE_SERVER
WARNING: Exception returned by remote server: {0}
javax.naming.NoPermissionException: Not allowed to look
up KRFacade, check the namespace-access tag setting in
orion-application.xml for details
at
com.evermind.server.rmi.RMIClientConnection.handleLookupRe
sponse(RMIClientConnection.java:819)
at
com.evermind.server.rmi.RMIClientConnection.handleOrmiComm
andResponse(RMIClientConnection.java:283)
....I can see from the console that the user was successfully authenticated :-
20/04/2007 00:55:37 kr.security.KnowRushLoginModule validate
WARNING: [KnowRushLoginModule] User matt.shannon authenticated
And that user is granted both the Admin, and Member roles.
The test servlet using basic authentication correctly detects the user and roles perfectly...
public void doGet(HttpServletRequest request,
HttpServletResponse response)
throws ServletException, IOException
LOGGER.log(Level.INFO,LOGPREFIX +"doGet called");
response.setContentType(CONTENT_TYPE);
PrintWriter out = response.getWriter();
out.println("<html>");
out.println("<head><title>ExampleServlet</title></head>");
out.println("<body>");
out.println("<p>The servlet has received a GET. This is the reply.</p>");
out.println("<br> getRemoteUser = " + request.getRemoteUser());
out.println("<br> getUserPrincipal = " + request.getUserPrincipal());
out.println("<br> isUserInRole('sr_Admin') = "+request.isUserInRole("sr_Admin"));
out.println("<br> isUserInRole('sr_Memeber') = "+request.isUserInRole("sr_Member"));Anyone got any ideas what could be going wrong?
cheers
Matt.
Message was edited by:
mshannonThanks for the response. I checked out your blog and tried your suggestions. I'm sure it works well in standalone OC4J, but i was still unable to get it to function correctly from JDeveloper embedded.
Did you ever get the code working directly from JDeveloper?
Your custom code essentially seems to be the equivalent of a grant within system-jazn-data.xml.
For example, the following grant to a custom jaas role (JAAS_ADMIN) that gets added by my custom login module gives them rmi login access :-
<grant>
<grantee>
<principals>
<principal>
<realm-name>jazn.com</realm-name>
<type>role</type>
<class>kr.security.principals.KRRolePrincipal</class>
<name>JAAS_Admin</name>
</principal>
</principals>
</grantee>
<permissions>
<permission>
<class>com.evermind.server.rmi.RMIPermission</class>
<name>login</name>
</permission>
</permissions>
</grant>If I add the following to orion-application.xml
<!-- Granting login permission to users accessing this EJB. -->
<namespace-access>
<read-access>
<namespace-resource root="">
<security-role-mapping>
<group name="JAAS_Admin"></group>
</security-role-mapping>
</namespace-resource>
</read-access>Running a standalone client against the embedded jdev oc4j server gives the namespace-access error.
I tried out your code by essentially creating a static reference to a singleton class that does the role lookup/provisioning with rmi login grant :-
From custom login module :-
private static KRSecurityHelper singleton = new KRSecurityHelper();
protected Principal[] m_Principals;
Vector v = new Vector();
v.add(singleton.getCustomRmiConnectRole());
// set principals in LoginModule
m_Principals=(Principal[]) v.toArray(new Principal[v.size()]);
Singleton class :-
package kr.security;
import com.evermind.server.rmi.RMIPermission;
import java.util.logging.Level;
import java.util.logging.Logger;
import oracle.security.jazn.JAZNConfig;
import oracle.security.jazn.policy.Grantee;
import oracle.security.jazn.realm.Realm;
import oracle.security.jazn.realm.RealmManager;
import oracle.security.jazn.realm.RealmRole;
import oracle.security.jazn.realm.RoleManager;
import oracle.security.jazn.policy.JAZNPolicy;
import oracle.security.jazn.JAZNException;
public class KRSecurityHelper
private static final Logger LOGGER = Logger.getLogger("kr.security");
private static final String LOGPREFIX = "[KRSecurityHelper] ";
public static String CUSTOM_RMI_CONNECT_ROLE = "remote_connect";
private RealmRole m_Role = null;
public KRSecurityHelper()
LOGGER.log(Level.FINEST,LOGPREFIX +"calling JAZNConfig.getJAZNConfig");
JAZNConfig jc = JAZNConfig.getJAZNConfig();
LOGGER.log(Level.FINEST,LOGPREFIX +"calling jc.getRealmManager");
RealmManager realmMgr = jc.getRealmManager();
try
// Get the default realm .. e.g. jazn.com
LOGGER.log(Level.FINEST,LOGPREFIX +"calling jc.getGetDefaultRealm");
Realm r = realmMgr.getRealm(jc.getDefaultRealm());
LOGGER.log(Level.INFO,LOGPREFIX +"default realm: "+r.getName());
// Access the role manager for the remote connection role
LOGGER.log(Level.FINEST,
LOGPREFIX +"calling default_realm.getRoleManager");
RoleManager roleMgr = r.getRoleManager();
LOGGER.log(Level.INFO,LOGPREFIX +"looking up custom role '"
CUSTOM_RMI_CONNECT_ROLE "'");
RealmRole rmiConnectRole = roleMgr.getRole(CUSTOM_RMI_CONNECT_ROLE);
if (rmiConnectRole == null)
LOGGER.log(Level.INFO,LOGPREFIX +"role does not exist, create it...");
rmiConnectRole = roleMgr.createRole(CUSTOM_RMI_CONNECT_ROLE);
LOGGER.log(Level.FINEST,LOGPREFIX +"constructing new grantee");
Grantee gtee = new Grantee(rmiConnectRole);
LOGGER.log(Level.FINEST,LOGPREFIX +"constructing login rmi permission");
RMIPermission login = new RMIPermission("login");
LOGGER.log(Level.FINEST,
LOGPREFIX +"constructing subject.propagation rmi permission");
RMIPermission subjectprop = new RMIPermission("subject.propagation");
// make policy changes
LOGGER.log(Level.FINEST,LOGPREFIX +"calling jc.getPolicy");
JAZNPolicy policy = jc.getPolicy();
if (policy != null)
LOGGER.log(Level.INFO, LOGPREFIX
+ "add to policy grant for RMI 'login' permission to "
+ CUSTOM_RMI_CONNECT_ROLE);
policy.grant(gtee, login);
LOGGER.log(Level.INFO, LOGPREFIX
+ "add to policy grant for RMI 'subject.propagation' permission to "
+ CUSTOM_RMI_CONNECT_ROLE);
policy.grant(gtee, subjectprop);
// m_Role = rmiConnectRole;
m_Role = roleMgr.getRole(CUSTOM_RMI_CONNECT_ROLE);
LOGGER.log(Level.INFO, LOGPREFIX
+ m_Role.getName() + ":" + m_Role.getFullName() + ":" + m_Role.getFullName());
else
LOGGER.log(Level.WARNING,LOGPREFIX +"Cannot find jazn policy!");
else
LOGGER.log(Level.INFO,LOGPREFIX +"custom role already exists");
m_Role = rmiConnectRole;
catch (JAZNException e)
LOGGER.log(Level.WARNING,
LOGPREFIX +"Cannot configure JAZN for remote connections");
public RealmRole getCustomRmiConnectRole()
return m_Role;
}Using the code approach and switching application.xml across so that namespace access is for the group remote_connect, I get the following error from my bean :-
INFO: Login permission not granted for current-workspace-app (test.user)
Thus, the login permission that I'm adding through the custom remote_connect role does not seem to work. Even if it did, i'm pretty sure I would still get that namespace error.
This has been such a frustrating process. All the custom login module samples using embedded JDeveloper show simple j2ee servlet protection based on settings in web.xml.
There are no samples showing jdeveloper embedded oc4j using ejb with custom login modules.
Hopefully the oc4j jdev gurus like Frank can write a paper that demonstrates this.
Matt. -
Custom login module error: Login permission not granted for myapp (myuser)
I have developed a custom login module for my application. I have followed the steps outlined in security guide and other postings. I could not log into the application when I access EJBs from an RMI client. I get the following error.
Login permission not granted for myapp (myuser)
I did grant the login permission to myuser.
I am using OC4J 10.1.3.1.0
Here are the steps I followed and the configuration files. Can anybody help me out?
1. Created a custom login module and packaged it in EAR along with other classes. In the commit method, I added my user into principals of subject. Here is the code,
==================================================================
public boolean commit() throws LoginException {
try {
if (!loginOk) {
return false;
Set<Principal> principals = subject.getPrincipals();
principals.add(user);
loginOk = true;
} finally {
// Some audit logs are written here.
return loginOk;
===============================================================
2. Added custom login module in orion-application.xml. Here are the relevant portions of orion-application.xml
===============================================================
<jazn provider="XML">
<property name="role.mapping.dynamic" value="true" />
<property name="custom.loginmodule.provider" value="true" />
<property name="role.compare.ignorecase" value="true" />
</jazn>
<jazn-loginconfig>
<application>
<name>myApp</name>
<login-modules>
<login-module>
<class>com.test.myServerLoginModule</class>
<control-flag>required</control-flag>
<options>
<option>
<name>maxRetries</name>
<value>3</value>
</option>
<option>
<name>debug</name>
<value>true</value>
</option>
</options>
</login-module>
</login-modules>
</application>
</jazn-loginconfig>
<namespace-access>
<read-access>
<namespace-resource root="">
<security-role-mapping name="myUser">
<group name="users"/>
<group name="oc4j-app-administrators"/>
</security-role-mapping>
<security-role-mapping name="esp_operator">
<group name="users"/>
<group name="oc4j-app-administrators"/>
</security-role-mapping>
</namespace-resource>
</read-access>
</namespace-access>
===============================================================
3. After the application is deployed on the EAR, I can see the custom login module in system-jazn-data.xml. The command line jazn admin tool lists my custom login module for my application.
4. I have an RMI client, the client JNDI properties are
==============================================================
java.naming.factory.initial=oracle.j2ee.naming.ApplicationClientInitialContextFactory
java.naming.factory.url.pkgs=oracle.j2ee.naming
==============================================================
The value for java.naming.provider.url is constructed dynamically and it is ormi://myserver:23791/myapp
java.naming.security.principal is set to the user who is trying to login, myuser, in this case.
java.naming.security.credentials is set to the password entered by myuser, password in this case.
5. I used jazn admin tool to grant login permission to my user.
===============================================================
a. Added user
java -jar jazn.jar -user oc4jadmin -password welcome -adduser jazn.com myuser password
b. Grant roles
java -jar jazn.jar -user oc4jadmin -password welcome -grantrole users ja
zn.com myuser
java -jar jazn.jar -user oc4jadmin -password welcome -grantrole oc4j-app
-administrators jazn.com myuser
c. Grant RMI permission
java -jar jazn.jar -user oc4jadmin -password welcome -grantperm jazn.com
-user myuser com.evermind.server.rmi.RMIPermission login
===============================================================
After the permission is granted, the folowing piece of XML is added to system-jazn-data.xml.
===============================================================
<grant>
<grantee>
<principals>
<principal>
<realm-name>jazn.com</realm-name>
<type>user</type>
<class>oracle.security.jazn.spi.xml.XMLRealmUser</class>
<name>jazn.com/esp_administrator</name>
</principal>
</principals>
</grantee>
<permissions>
<permission>
<class>com.evermind.server.rmi.RMIPermission</class>
<name>login</name>
</permission>
</permissions>
</grant>
==============================================================
My principal class is not of type, oracle.security.jazn.spi.xml.XMLRealmUser. Hence, I changed system-jazn-data.xml to include com.test.MyUser instead of oracle.security.jazn.spi.xml.XMLRealmUser. Either way, I get Not Authorized and Login permission not granted for myapp (myuser).
Can anybody help me out, please?
Thank you,
Sri
Message was edited by:
user532586I finally got it to work. But I have a problem granting RMI Permission "login", if the depth of my Principal class within the inheritance hierarachy is more than one. My hierarachy of my principal class is
Object --> ObjectA --> ObjectB --> ObjectC --> ObjectD
ObjectD is my principal class. ObjectB implements java.security.Principal. ObjectA has implementations for methods equals, hashcode and toString. ObjectB has implementations for getName.
When I try to grant RMI permission for ObjectD, I get an error that says null.
If I override the methods, equals, hashcode, toString, and getName in ObjectD and provide implementations, I still could not grant permission using jazn tool. I get error that says null. If I update the system-jazn-data.xml with the following grant tag, I could get into the application without any errors.
<grant>
<grantee>
<principals>
<principal>
<class>com.test.ObjectD</class>
<name>developers</name>
</principal>
</principals>
</grantee>
<permissions>
<permission>
<class>com.evermind.server.rmi.RMIPermission</class>
<name>login</name>
</permission>
</permissions>
</grant>
If I create a new class, myPrincipal that implements java.security.Principal, I donot have any problems. I can grant permission and access application.
Any ideas why I could not use ObjectD as my principal class for granting RMI permission?
Message was edited by:
user532586 -
3rd party LDAP JAZN configuration
Hey,
I've been struggling with the jazn configuration of a 3rd party LDAP (Sun One) server. I've followed the Oracle 10AS documentation on creating the <jazn-loginconfig> element and there is an example template for sun one in the Oracle 10 AS. What about the <jazn-policy> and <jazn-realm> elements? Are these necessary or are these just required when you are using just the XML file itself and not LDAP? What other files besides jazn-data.xml need to be modified?
ThanksOk, a bit of progress...
I turned on jazn logging and got the following exception:
05/09/19 16:05:02 JAAS: LoginConfigProvider: JAZNConfig=[JAZNConfig file:[bpel home]
BPELPM_2/integration/orabpel/system/appserver/oc4j/j2ee/home/config/jazn.xml]
05/09/19 16:05:02 JAAS: LoginConfigProvider=oracle.security.jazn.spi.xml.XMLLoginModuleManager@de5cd9
05/09/19 16:05:02 No Login Module configured for application [deployed app name].
Using default Login Module, RealmLoginModule.05/09/19 16:05:02 javax.security.auth.login.LoginException: No LoginModules conf
igured for oracle.security.jazn.oc4j.JAZNUserManager
05/09/19 16:05:02 at javax.security.auth.login.LoginContext.init(LoginCont
ext.java:189)
05/09/19 16:05:02 at javax.security.auth.login.LoginContext.<init>(LoginCo
ntext.java:404)
05/09/19 16:05:02 at oracle.security.jazn.oc4j.OC4JUtil.getLoginContext(Un
known Source)
05/09/19 16:05:02 at oracle.security.jazn.oc4j.GenericUser$1.run(Unknown S
ource)
05/09/19 16:05:02 at oracle.security.jazn.oc4j.OC4JUtil.doWithJAZNClsLdr(U
nknown Source)
05/09/19 16:05:02 at oracle.security.jazn.oc4j.GenericUser.authenticate(Un
known Source)
05/09/19 16:05:02 at oracle.security.jazn.oc4j.FilterUser.authenticate(Unk
nown Source)
05/09/19 16:05:02 at com.evermind.server.http.HttpRequestHandler.processRe
quest(HttpRequestHandler.java:614)
05/09/19 16:05:02 at com.evermind.server.http.HttpRequestHandler.run(HttpR
equestHandler.java:270)
05/09/19 16:05:02 at com.evermind.server.http.HttpRequestHandler.run(HttpR
equestHandler.java:112)
05/09/19 16:05:02 at com.evermind.util.ReleasableResourcePooledExecutor$My
Worker.run(ReleasableResourcePooledExecutor.java:192)
05/09/19 16:05:02 at java.lang.Thread.run(Thread.java:534)
05/09/19 16:05:02 Authentication: FAILED.
05/09/19 16:05:02 JAAS-OC4J: Authentication failure for user: [username]05/09/19 16:05:02 No Login Module configured for application [app name] Using default Login Module, RealmLoginModule.
05/09/19 16:05:02 javax.security.auth.login.LoginException: No LoginModules configured for oracle.security.jazn.oc4j.JAZNUserManager -
Migration of EmbeddedLDAP to 3rd Party LDAP
Hi,
Is it possible to migrate the complete authentication process of EmbeddedLDAP
used by Weblogic 8.1 to any 3rd Party LDAP system ? Even the system user (default
user : weblogic created during the domain setup) authentication should happen
on a 3rd Party LDAP system. EmbeddedLDAP can at the most act as a bridge between
Weblogic 8.1 and 3rd Party LDAP system. Is there any solution to this problem?
Thanks in advance.
MandarI do not believe there are any restrictions on removing the default authenticator.
When you boot the server make sure the user/pass is valid in the 3rd party LDAP
and they have the proper admin/oper privileges to boot the server.
You might want to configure the server with two authenticators first to verify
you can successfully authenticate to the 3rd party LDAP before removing the default
authenticator.
-Craig
"Mandar Jadhav" <[email protected]> wrote:
>
Hi,
Is it possible to migrate the complete authentication process of EmbeddedLDAP
used by Weblogic 8.1 to any 3rd Party LDAP system ? Even the system user
(default
user : weblogic created during the domain setup) authentication should
happen
on a 3rd Party LDAP system. EmbeddedLDAP can at the most act as a bridge
between
Weblogic 8.1 and 3rd Party LDAP system. Is there any solution to this
problem?
Thanks in advance.
Mandar -
Custom login module and SSO using 10.1.3.3
We are using ADF 10.1.3.3 to build applications and recently a requirement from a customer was to use LDAP for authentication but use internal application tables for authorisation. So essentially the username and password will be in LDAP but all the roles definition are in the application. This is because the LDAP directory has tight controls on contents and is used enterprise wide.
I created a proof of concept to address this requirement using the examples at
http://www.oracle.com/technology/products/jdev/howtos/10g/jaassec/index.htm
and also
http://technology.amis.nl/blog/1462/create-a-webapplication-secured-with-custom-jaas-database-loginmodule-deploy-on-jdeveloper-1013-embedded-oc4j-stand-alone-oc4j-and-opmn-managed-oc4j-10g-as
specifically using DBProcLoginModule to call a database package.
The PL/SQL package I created used DBMS_LDAP to call an LDAP directory with the username and password to check authentication and then used internal application tables to get the authorisation details required.
All this worked very well. I tested on both the embedded OC4J and also standalone OC4J.
Then one of my peers said will this work with SSO? Specifically we use Oracle OID as we have SSO for Forms and Reports.
My experience with SSO has been with Oracle OID and having all the user and role details stored within OID.
So my issue now is can I integrate the custom login module approach I have used with SSO? My knowledge of SSO and OID is limited so I'm not sure how (or if) it would interact with a custom login module. Are the two mutually exclusive?
Any guidance is appreciated.
Regards,
AdrianHi,
this question should be posted to the Oracle Application Server forum or the security forum. However, based on my findings and experience in this area, I don't think that SSO is integrated with custom LoginModules since the integration would need to be coded in the LoginModule.
Frank -
Custom Login Module for Tomcat to procted apps using Oracle Access Manager
Hi all,
I have the following scenario.
A web application deployed in Tomcat to be protected using OAM. One solution is to use Access Gate though we have other alternative as Proxy infront of Tomcat with a webgate. Now I am implementing the Access Gate solution.
So, when the user clicks the tomcat application, then the prompt (BASIC) appears for login details. custom login module should kick in and take those login details and authenticate against OAM using Access SDK API.
I have created access gate profile and installed Access SDK. Ran the ConfigureAccessGateTool as well.
I did some research googling for login module. I came to know that we need to write a custom realm for it. So, this realm implementation involves specifying role-name etc., in web.xml where the role-name would have been defined in tomcat-users.xml.
This means that the user trying to authenticate against OAM has to have some roles defined in Tomcat to login. I didnot understand the flow end to end as how this will work.
Please let me know if anybody has done this of customization.
Thanks,
Mahendra.Hi Ambarish,
Initially I thought of implementing the way you suggested in Option 2.
But there will be various redirections when we use option 2 as the login page should redirect it to a page where OAM authentication and authorization stuff has to be handled. And accordingly we have to redirect it to specific pages upon successful atn and atz. Hence, I was opted using Custom Login Module.
However, I have been trying Option 2 now. In web.xml, I have specified a login page with FORM scheme. The login redirects it to another page say OAM_Authentication_Handler.jsp. Here we code which serves atn and atz. Upon doing this, I have observed that the protected resource in OAM is not getting evaluated using the method
String ms_protocol = "http";
String ms_method = "GET";
String ms_resource = "http://localhost:8080/FormLogin/private.jsp";
ObResourceRequest rrq = new ObResourceRequest(ms_protocol, ms_resource, ms_method);
The method rrq.isProtected() is returning false which implies it to unprotected. I have tested using Access Tester for the resource and it results in expected behaviour.
Is there any limitation here by using this approach?
Any ideas?
Thanks,
Mahendra. -
HT4837 3rd Party LDAP users in local groups aren't recognized by wiki
Having followed the KB article on setting up wiki webauth to allow 3rd party LDAP users to authenticate (http://support.apple.com/kb/HT4837) I have found that while individual users can be given permissions to access certain wikis, but LDAP users placed into local groups cannot. Is this a bug?
To be more specific:
- Directory Access setup to allow authentication from LDAP server (this works fine for all other services like File Sharing)
- Directions followed in the KB article which basically enables plain text authentication and turns off inline login window (http://support.apple.com/kb/HT4837)
- Local groups created in Server.app -- Accounts -> Groups
- LDAP users placed into those local groups
- Services like file sharing recognize proper permissions based on the groups the LDAP users are in
- Configure a wiki to allow access from a single LDAP user (Gear Icon -> Wiki Settings...) ... this works fine
- Configure a wiki to allow access from the local groups containing LDAP users (again, Gear Icon -> Wiki Settings) ... this appears like it is going to work, but it in fact will fail to give permissions to LDAP users of the respective group upon that user's login. A local user (Server.app -> Accounts -> Users) added to one of these local groups with LDAP people in it works fine and receives proper access to the wiki as expected.
Any ideas before I submit this as a bug?Having followed the KB article on setting up wiki webauth to allow 3rd party LDAP users to authenticate (http://support.apple.com/kb/HT4837) I have found that while individual users can be given permissions to access certain wikis, but LDAP users placed into local groups cannot. Is this a bug?
To be more specific:
- Directory Access setup to allow authentication from LDAP server (this works fine for all other services like File Sharing)
- Directions followed in the KB article which basically enables plain text authentication and turns off inline login window (http://support.apple.com/kb/HT4837)
- Local groups created in Server.app -- Accounts -> Groups
- LDAP users placed into those local groups
- Services like file sharing recognize proper permissions based on the groups the LDAP users are in
- Configure a wiki to allow access from a single LDAP user (Gear Icon -> Wiki Settings...) ... this works fine
- Configure a wiki to allow access from the local groups containing LDAP users (again, Gear Icon -> Wiki Settings) ... this appears like it is going to work, but it in fact will fail to give permissions to LDAP users of the respective group upon that user's login. A local user (Server.app -> Accounts -> Users) added to one of these local groups with LDAP people in it works fine and receives proper access to the wiki as expected.
Any ideas before I submit this as a bug? -
User can't see some OID entry from 3rd party ldap browser but OAM?
Hi All,
after tried to applied access control to some OID entry, user then can't see that entry from 3rd party ldap browster, and this is a expected behavior, but why the same user can see that entry from user management interface of OAM?
Regards,
MaksonHi Makson,
OAM's Identity Server binds to OID as a single user* (typically an OID admin, even orcladmin) and applies only those acl's that have been defined within OAM. So when you login to OAM as end-user X, the Identity Server (eg orcladmin) checks to see what rights within OAM have been defined for User X - but in this scenario any rights defined within OID are not applied to user X. By default, OAM end-users have no access to information in ldap (although the OAM Admins have full access by default).
Regards,
Colin
*Depending on how you are accessing OAM, you may see extra binds in the OID logs when the end-users actually login to OAM.
Maybe you are looking for
-
V240 ALOM resets every time it requests an IP address through DHCP
I'm encountering an issue with an ALOM configured to DHCP. Every time it requests an IP address (tracked by watching messages on the DHCP server, which is running Red Hat EL4 update 4), the ALOM resets. All the POSTs pass. If it's configured for a st
-
Will not boot up from DVD drive
HP pavilion slimline s3200n will recognize the DVD drive but it will not boot up from the drive
-
Is there any collective way to have Lightroom 5 find lost files?
Though I have tried to move folders and files only with Lightroom, I note that a good number of my images shown in thumbnails in Library cannot be opened because Lightroom 5 cannot find the files. I assume I have moved files among drives accidentall
-
Iphoto restored from backup with books created in iPhoto gone
Anyone have any help? My Mac crashed, but fortunately had backed up my iphoto. Reinstalled now cannot find my books that were created...Need help on it might be the dog bed for me. Thx
-
Mime Type for document class when archiving outlook emails
Hello team, can anybody fill me in how to configue the mime type for .msg files (outlook emails) in the document class msg?