FWSM: AAA authentication using TACACS and local authorization

Hi All,
In our setup, we are are having FWSMs running version 3.2.22 and users are authenticating using TACACS (running cisco ACS). We would like to give restricted access ( some show commands ) to couple of users to all devices. We do not want to use TACACS for command authorization.
We have created users on TACACS and  not allowed "enable" access to them. I have also given those show commands locally on the firewall with privilege level 1. and enabled aaa authorization LOCAL
Now , those users can successfully login to devices and execute those show commands from priv level 1 except "sh access-list".  I have specifically mentioned this
"privilege show level 1 mode exec command access-list"  in the config.
Is there anything i am missing or is there any other way of doing it?
Thanks.

You cannot do what you are trying to do. For (default login you need to use the first policy matched.
you can diversify telnet/ssh with http by  creating different aaa groups.
But still you will be loging in for telnet users (all of them) using one method.
I hope it is clear.
PK

Similar Messages

  • Aaa authentication using tacacs+ for LAP

    WIth Autonomous AP, you can configure aaa authtentication using Tacacs+.
    In lightweight AP, do u have similar function where u authenticate using tacacs+ when u telnet/ssh into the LAP after it is registered to the WLC?
    Rgds
    Eng Wee

    There really isn't anything you can do on the LAP through telnet/ssh.  You can enable TACACS for access to the controller.
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a0080851f7c.shtml

  • About 802.1x port authentication using TACACS+

    Hi
    I have some question. Please help me. Thanks.
    Question1. May I use that 802.1x port authentication using TACACS+
    Question2. Is it true? TACACS+ will not work with 802.1x because EAP is not supported in TACACS+, and there are no plans to get EAP over TACACS+.
    Any help would be greatly appreciated.
    Thanks.

    Thanks to you.
    Where to find the documents about Tacacs+ doesn't support EAP?
    I cast more time and I cannot find the documents.
    Please help me....
    Thanks.

  • ANM 4.2 - RBAC using Tacacs+ and ACS5.1

    I want to configure RBAC for ANM 4,2 using tacacs+ and ACS 5.1
    Service = ANM
    ANM_UniqueID = ANM_1
    RoleName = ANM_Admin
    Domain = All
    When the admin user logs in, this policy element is triggerd, but the Role is not sent back.
    How to configure the Custom Attribute?
    Cheers,
    Wolff

    Could you please move this tread to AAA community, since this community is mostly about load-balancing and I doubt that you will get any answers here. You can find AAA community here: https://supportforums.cisco.com/community/netpro/security/aaa
    You should be able to move it by clicking on "Move thread" on the right side and then navigating to Communities -> Security -> AAA
    Thanks

  • OSB Authentication using username and password (plaintext or digest)

    Hi,
    I want to implement a simple osb authentication using username/password (plain text or digest) , so that client required to provide username password token in soap header (message Level security) to access our webservices. I have read some of articles which shows how to create custom ws policy, but received following error during deployment.
    weblogic.wsee.ws.init.WsDeploymentException: The WebLogic Server 9.x-style policy is not supported in JAX-WS web services
    Please note - I can not install OWSM as part of my requirement
    =======
    <?xml version="1.0"?>
    <!-- WS-SecurityPolicy -->
    <wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wssp="http://www.bea.com/wls90/security/policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:wls="http://www.bea.com/wls90/security/policy/wsee#part">
    <!-- Identity Assertion -->
    <wssp:Identity>
    <wssp:SupportedTokens>
    <!-- Use UsernameToken for authentication -->
    <wssp:SecurityToken IncludeInMessage="true"
    TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken">
    <wssp:UsePassword Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"/>
    </wssp:SecurityToken>
    </wssp:SupportedTokens>
    </wssp:Identity>
    </wsp:Policy>

    You can use the default Auth.xml WS policy in OSB and be able implement the authentication using username and plain text password.
    Just assign the Auth.xml on the Request Policies of the Proxy Service (under Policies).
    Then use any user credentials that has access to the domain for testing.
    If you want to restrict access for each operation then in the Security tab, under Message Access Control, specify a Role.
    Then in the OSB > Security Configuration, create the appropriate role with the specific role conditions like User is User1 or User is User2 etc ...
    Hope this helps.
    Thanks,
    Patrick

  • PIX 525 aaa authentication with both tacacs and local

    Hi,
    I have configured the aaa authentication for the PIX with tacacs protocol (ACS Server).
    It works fine, now i would like to add the back up authentication, as follows:
    - If the ACS goes down i can to be authenticated with the local database.
    Is it possible with PIX, if yes how?

    Hi,
    I am trying to configure aaa using TACACS+ , i am not able to close.Problems are
    1.It dosent ask for username /password in first level.
    2.on second level it asks for user name it dosent authenticate the user .
    Cud u pls let me know if the following config is correct.If not cud u help me .
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ (outside) host ip.ip.ip.ip key timeout 15
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    aaa authentication include tcp/0 inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 TACACS+
    aaa authentication include tcp/0 outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 TACACS+
    aaa authen enable console TACACS+

  • Cisco Nexus to use Radius AAA authentication using Microsoft 2008 NPS

    I have a Nexus 7010 running
    Just wondering if you can help me with something. I'm having an issue with command authorization thru our aaa config. We don't have a problem authenticating its command authorization that is not working. From what I have seen and read Nexus NX-OS 6.x does not have any commands for aaa authorization unless you are configuring TACACS+. My basic config is below if you can help it would be much appreciated.
    >>ip radius source-interface mgmt 0
    >>radius-server key XXXXX
    >>radius-server host X.X.X.X key XXXXX authentication accounting
    >>radius-server host X.X.X.X key XXXXX authentication accounting aaa
    >>authentication login default group Radius_Group aaa authentication
    >>login console local aaa group server radius Radius_Group
    >>    server X.X.X.X
    >>    server X.X.X.X
    >>    source-interface mgmt0
    Also does anyone know how to configure Microsoft 2008 NPS as a Raduis server to work with Nexus? I have read a few post that suggest changing the
    shell:roles="vdc-admin" in the  Attribute Value field in the RADIUS server
    Does anyone know if this works????
    Thanks

    I have never done this before with ACS but not with NPS. However, you are in the right path. Nexus uses NX-OS which is different in some regards to regular IOS. One of those differences is the AAA setup. In NX-OS you assign users to roles. So for full access you will need to return the following attributes from your Radius server:
    Attribute: cisco-av-pair
    Requirement: Mandatory
    Value: shell:roles*"network-admin vdc-admin"
    For more information take a look at this link:
    http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/115925-nexus-integration-acs-00.html
    Hope this helps
    Thank you for rating helpful posts!

  • Same user in tacacs and local database with different privilege

    Hi there,
    i am just not sure if this is correct behavior.
    i am running NX-OS image n5000-uk9.5.1.3.N1.1.bin on the nexus 5020 platform.
    i have configured authorization with tacacs+ on ACS server version 5.2 with fall back to switch local database.
    aaa authentication login default group ACS
    aaa authorization commands default group ACS local
    aaa accounting default group ACS
    a user test with priv 15 is craeted on ACS server, password test2
    everything works fine, until i create the same username on the local database with privilege 0. ( it doesnt matter if the user in local database was created before user in ACS or after )
    e.g.:  
    username test password test1 role priv-0   (note passwords are different for users in both databases)
    after i create the same user in local database with privilege 0,
    if i try to connect to the switch with this username test and password defined on ACS,  i get only privilege 0 authorization, regardless, that ACS server is up and it should be primary way to authenticate and authorizate the user.
    is this normal?
    thank you for help...

    Hello.
    Privileges are used with traditional IOS. Privileges are part of "command authorization". Other operating systems (like IOS-XR, Nexus OS , Juniper JunOS) use "role-based authorization" instead of "command authorization".
    So traditional IOS can use the "privilege" attribute but other operating systems can not.
    Although IOS-XR, Nexus, ACE, Juniper  have "roled-based authorization" feature, every single one of them use their particular attributes.
    When I was configuring TACACS with ACE, Juniper and other devices I had to capture the packets to find out what were the particular attributes of ACE, what were the particular attributes of JunOS, etc, etc and to search deeply some hints the documentation , because sadly  documentation is not very good when talking about TACACS details.
    If you find which attributes to use, and what values to assign to the attributes then you can go to ACS and configure a "Shell Profile".
    Now back to Nexus 5000. It seems this particular device has the option to mix "role-based" with "command authorization" by overriding the default roles with other roles which names are called "priv". It seems this was an effort to try to map the old concept of "privileges" to the new concept of "roles". Although you see the word "priv", it's just the name of the role. My particular point of view is that this complicates the whole thing. I would recommend to use just the default roles, or customize some of them (only if needed), but not to use "command authorization".
    http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/security/502_n1_1/Cisco_n5k_security_config_gd_rel_502_n1_1_chapter5.html
    I will search the particular attributes Nexus use to talk to TACACS server. If I got them I will post them here.
    Please rate if it helps

  • AAA authentication not working and 'default' method list

    Guys,
    I hope someone can help me here in troubleshooting AAA issue. I have copied configuration and debug below. The router keeps using local username/password even though ACS servers are reachable and working. From debugs it seems it keeps using 'default' method list ignoring TACACS config. Any help will be appreciated
    Config
    aaa new-model
    username admin privilege 15 secret 5 xxxxxxxxxx.
    aaa authentication login default group tacacs+ local
    aaa authentication enable default group tacacs+ enable
    aaa authorization console
    aaa authorization exec default group tacacs+ local
    aaa authorization commands 15 default group tacacs+ local
    aaa authorization reverse-access default group tacacs+ local
    aaa accounting commands 0 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting connection default start-stop group tacacs+
    aaa session-id common
    tacacs-server host x.x.x.x
    tacacs-server host x.x.x.x
    tacacs-server host x.x.x.x
    tacacs-server host x.x.x.x
    tacacs-server directed-request
    tacacs-server key 7 0006140E54xxxxxxxxxx
    ip tacacs source-interface Vlan200
    Debugs
    002344: Dec  5 01:36:03.087 ICT: AAA/BIND(00000022): Bind i/f
    002345: Dec  5 01:36:03.087 ICT: AAA/AUTHEN/LOGIN (00000022): Pick method list 'default'
    002346: Dec  5 01:36:11.080 ICT: AAA/AUTHEN/LOGIN (00000022): Pick method list 'default'
    core01#
    002347: Dec  5 01:36:59.404 ICT: AAA: parse name=tty0 idb type=-1 tty=-1
    002348: Dec  5 01:36:59.404 ICT: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
    002349: Dec  5 01:36:59.404 ICT: AAA/MEMORY: create_user (0x6526934) user='admin' ruser='core01' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0)
    002350: Dec  5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): Port='tty0' list='' service=CMD
    002351: Dec  5 01:36:59.404 ICT: AAA/AUTHOR/CMD: tty0 (2162495688) user='admin'
    002352: Dec  5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): send AV service=shell
    002353: Dec  5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): send AV cmd=configure
    002354: Dec  5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): send AV cmd-arg=terminal
    002355: Dec  5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): send AV cmd-arg=<cr>
    002356: Dec  5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): found list "default"
    002357: Dec  5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): Method=tacacs+ (tacacs+)
    002358: Dec  5 01:36:59.404 ICT: AAA/AUTHOR/TAC+: (2162495688): user=admin
    002359: Dec  5 01:36:59.404 ICT: AAA/AUTHOR/TAC+: (2162495688): send AV service=shell
    002360: Dec  5 01:36:59.404 ICT: AAA/AUTHOR/TAC+: (2162495688): send AV cmd=configure
    002361: Dec  5 01:36:59.404 ICT: AAA/AUTHOR/TAC+: (2162495688): send AV cmd-arg=terminal
    002362: Dec  5 01:36:59.404 ICT: AAA/AUTHOR/TAC+: (2162495688): send AV cmd-arg=<cr>
    Enter configuration commands, one per line.  End with CNTL/Z.
    core01(config)#
    002363: Dec  5 01:37:04.261 ICT: AAA/AUTHOR (2162495688): Post authorization status = ERROR
    002364: Dec  5 01:37:04.261 ICT: tty0 AAA/AUTHOR/CMD (2162495688): Method=LOCAL
    002365: Dec  5 01:37:04.261 ICT: AAA/AUTHOR (2162495688): Post authorization status = PASS_ADD
    002366: Dec  5 01:37:04.261 ICT: AAA/MEMORY: free_user (0x6526934) user='admin' ruser='core01' port='tty0' rem_addr='async' authen_type=ASCII service=NONE priv=15
    core01(config)#

    Are the tacacs+ servers reachable using the source vlan 200. Also in the tacacs+ server can you check if the IP address for this device is correctly configured and also please check the pwd on both the server and this device match.
    As rick suggested sh tacacs would be good as well. That would show failures and successes
    HTH
    Kishore

  • WAAS Authentication using TACACS+

    Hi,
    I am trying to use TACACS as the primary method of authentication. The thing is that I configured in WAAS the values required (security word, primary server and secondary server). Also, in Authentication Method I chose TACACS as primary and local as the secondary.
    After that I logged in to the WAAS using my TACACS account and I could enter, but the Navigation Pane is empty. It seems like my account doesn't have permissions to change config, but it is level 15 in TACACS ( I used to change config in Sw and routers).
    I dont know if I am missing a step to config this feature either on the WAAS or the ACS.
    Thanks,

    TACACS really only provides a single "A"  Authentication.
    Are you allowed or not....
    in order to provide Authorization, you need to still create the account in CM. and provide a role and domain in the user config.
    Leave the Local user check box "unchecked" if you plane to use TACACS to Authenticate.
    Im sure there is a way to provide authorization through complex custom attributes but it achieves the same goal via CM. once authenticated.

  • Privilege mode authentication using Tacacs for Cisco Routers

    I am trying to set up a test environment where I need to be able to be asked for both a username and password while entering enable mode from exec mode on a cisco IOS router. I was told the only way to do that is through Tacacs. But I've not seen any such configuration options on Tacacs in order to set it up right. Has someone ever did a setup like this before. I would appreciate any help on this. Thanks. 

    version 12.3
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    service compress-config
    hostname 2621-3
    boot-start-marker
    boot system flash c2600-i-mz.123-26.bin
    boot-end-marker
    logging buffered 5001 debugging
    no logging console
    no logging monitor
    enable password cisco
    memory-size iomem 10
    clock timezone CST -7
    clock summer-time CST recurring
    aaa new-model
    aaa authentication login default local
    aaa authentication enable default group tacacs+
    aaa authorization exec default group tacacs+ local
    aaa session-id common
    ip subnet-zero
    ip cef
    no ip domain lookup
    ip domain name int.voyence.com
    ip name-server 192.168.21.5
    !key chain jetef
    key 10
      key-string c1sco
    modemcap entry ZOOM
    modemcap entry ZOOM
    username jeff password 0 jeff
    tacacs-server host 192.168.21.230 key cisco
    tacacs-server host 10.6.230.32
    tacacs-server directed-request
    tacacs-server key dakey
    line con 0
    exec-timeout 15 0
    logging synchronous
    speed 115200
    line aux 0
    exec-timeout 15 0
    password 7 104D000A0618
    logging synchronous
    modem InOut
    modem autoconfigure discovery
    terminal-type monitor
    transport input all
    stopbits 1
    flowcontrol hardware
    line vty 0 4
    exec-timeout 15 0
    password cisco
    private
    logging synchronous

  • Tacacs + and local account

    Hello all.. Im trying to set up my cisco switch not to use the local account if the tacacs server is up. Here is what I have so far..thanks
    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authorization config-commands
    aaa authorization exec default group tacacs+ if-authenticated
    aaa authorization commands 15 default group tacacs+ local
    aaa accounting send stop-record authentication failure
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+

    The current configuration you have will work in your favor.
    aaa authentication login default group tacacs+ local
    This command says user will be able to login via local username //password only if tacacs server goes down.
    Conclusion : local user will not be able to authenticate in tacacs server presence.
    HTH
    Regds, Jatin
    Do rate helpful posts~

  • Client remote Authentication using JAAS and EJB Access

    Hi,
    I have a problem using JAAS in combination with Sun One Appserver 8.1 and a java remote client trying to access an EJB. Here is the scenario:
    I have implemented an EJB who's methods are protected through the deployment descriptor:
            <assembly-descriptor>
                 <security-role>
                    <description>role for clients outside of the server </description>
                    <role-name>sedna</role-name>
                  </security-role>
                <method-permission>
                  <role-name>sedna</role-name>
                  <method>
                    <ejb-name>ServerInfoBean</ejb-name>
                    <method-intf>Remote</method-intf>
                    <method-name>*</method-name>
                  </method>
                </method-permission>
                <method-permission>
                  <unchecked/>
                  <method>
                    <ejb-name>ServerInfoBean</ejb-name>
                    <method-name>getVersion</method-name>
                  </method>
                  <method>
                    <ejb-name>ServerInfoBean</ejb-name>
                    <method-name>create</method-name>
                  </method>
                </method-permission>
            </assembly-descriptor>I've deployed the EJB in a jar file which was packed into an ear file of a bigger application. The role has been mapped to the admin Principal in the sun-ejb-jar.xml descriptor.
    I can find the EJB, create it, and call the unchecked method getVersion and that works fine, so far so good.
    But then I try to access another method which is protected and then I get this exception
    org.omg.CORBA.NO_PERMISSION:   vmcid: 0x2000  minor code: 1806 completed: Maybe
            at com.sun.enterprise.iiop.POAProtocolMgr.mapException(POAProtocolMgr.java:179)
            at com.sun.ejb.containers.BaseContainer.postInvoke(BaseContainer.java:853)
            at com.sun.ejb.containers.EJBObjectInvocationHandler.invoke(EJBObjectInvocationHandler.java:137)
    ...I have to mention that I do make a login via the LoginContext. My jaas.config File has a reference to the com.sun.enterprise.security.auth.login.ClientPasswordLoginModule module.
    After login (which works perfectly) I lookup the context with a corbaname url which - if I understood it right - ignores the Context.SECURITY_PRINCIPAL and Context.SECURITY_CREDENTIALS settings.
    After that I make the calls to the EJB. And I am allways ANONYMOUS on the server side, which is definitely the problem. Because ANONYMOUS is not allowed to call the protected EJB Methods. But I made a jaas login in advance. So where am I making a mistake???
    Am I doing something wrong?
    Need help! Thx,
    Stephan

    Hi.
    I understand correctly that you call Subject.doAs on
    the client to call the remote EJB. I guess It isn't
    right way.I had also a bad feeling about this, so I forget it. But anyway it wasn't working with or without using that doAs().
    >
    >
    Subject contextSubject =
    Subject.getSubject(AccessController.getContext());
    contextSubject.getPrincipals();This code throws exceptions in the Appserver. Unfortunately they are catched somewhere so I'm unable to find out what was going wrong. But I guess, that these exceptions where security exceptions. Never the less thanks for the hint!
    But I don't think that doing the check on the server side is the way I want to go because that is programmatically security and I want to use the declarative security which can be used through the deployment descriptor. If used correctly - and supposed I do not completely misunderstand the specification - then it should be possible to create an EJB that is protected via it's deployment descriptor and access it through the client only if the client has been authenticated through JAAS mechanisms. After successful authentication the principal should be accessible through the EJB context but not for security check, that should allready been done at this time.
    Unfortunately I don't find any resource on the internet describing the scenario in such a detail that I can reproduce it. There are only very high level documentations and hints in forums.
    Again, thanks for your effort,
    Stephan

  • Authentication using userCertificate and SASL External

    hi!
    I try to authenticate using SASL "External" and SSL.
    The SSL connection works fine, also SASL when using "Digest-MD5" but when I try to authenticate using "External" I get connected as anonymous.
    Here is what I did:
    I created a self-signed certificate with owner "uid=xyz,ou=OrgUnit1,ou=OrgUnit2,o=Org".
    My client has this certificate in it's keystore.
    The server has an entry with "dn=uid=xyz,ou=OrgUnit1,ou=OrgUnit2,o=Org" an this entry has the userCertificate attribute, which also contains my self-signed certificate.
    I edited the "certmap.conf" file like this:
    certmap default default
    default:DNComps
    default:FilterComps uid
    default:verifycert on
    As I understood the manual, this means the server should search the directory for an RDN "uid=xyz" and check if the certificate of this user is the same as the one provided by the client. If it is, the client should get the permissions of this entry.
    But in the logfile I always get this message:
    conn=4 fd=1148 slot=1148 SSL connection from 172.16.0.190 to 172.16.0.190
    conn=4 SSL 128-bit RC4
    conn=4 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL
    conn=4 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
    conn=4 op=1 SRCH base="uid=xyz,ou=OrgUnit1,ou=OrgUnit2,o=Org" scope=0 filter="(objectClass=*)" attrs="entryid"
    conn=4 op=1 RESULT err=0 tag=101 nentries=1 etime=0
    conn=4 op=2 fd=1148 closed - A1
    So, one possibility is I understood something completly wrong and the other is the server doesn't find the entry "uid=xyz,ou=OrgUnit1,ou=OrgUnit2,o=Org" because of any misconfiguration or I need a user certificate, which has been issued by a CA...
    Can anyone help me?
    Thanks a lot!
    Florian

    Nikolay,
    Assuming you mean authenticaion to your developed application and not the HTML DB facilities, yes you can do that. Take a look at the custom_page_sentry function that appears on this forum in several threads, e.g., Re: NTLM with Cookies ... - is someone there After you change this function to meet your requirements (cookie names, etc.) and compile it in your application's schema, you'd create a new authentication schema and type 'return custom_page_sentry;' into the page sentry function field. Then enter a URL to your site's login page into the Invalid Session URL field. Then make the new authentication scheme the current scheme. Of course, with this solution, you are responsible for making it as secure as you need it to be, preventing cookie forgery/theft, etc.
    Scott

  • Using ResourceBundle and Locale in an Applet

    hello,
    i worked out a little application to use with multilanguage support.
    i wrote two classes so i can start the application within a jar file located on my computer and anotherone to launch it as an applet...
    for development i use Eclipse; when i try to run it in eclipse everything works fine (although i limit the access of the applet!)
    when i try to run the applet in IE i get the error message:
    java.security.AccessControlException: access denied (java.util.PropertyPermission user.dir read)i did not use the function "System.getProperty("user.dir")" in MY code which is referred!
    so i guess its one of the included packages:
    ResourceBundle | Locale
    how can i solve this problem as its working in the limited access applet in eclipse??
    thanks in advance

    note: i do load the .properties file from the JAR package, not from hdd!
    here is my code
    import java.util.Locale;
    import java.util.ResourceBundle;
    public class Xlocale {
         private Locale locale = Locale.ENGLISH;
         private ResourceBundle thisLocaleRB;
         public Xlocale(String aXlocaleName, String aLocale) {
              setLocale(getLocale(aLocale)); //if you leave this line it won't work *hmm?*
              if (thisLocaleRB == null || getLocale() != thisLocaleRB.getLocale()) {
                   try {
                        thisLocaleRB = ResourceBundle.getBundle(aXlocaleName, getLocale());
                   } catch (Exception e) {
                        //System.err.println(e.getLocalizedMessage()+" ["+System.getProperty("user.dir")+"\\"+aXlocaleName+"_"+getLocale()+".properties]\n");
         public String getString(String key, String dv) {
              String val = thisLocaleRB.getString(key);
              if (val == null)
                   return dv;
              else
                   return val;
         public void setLocale(Locale l) {
              this.locale = l;
         public Locale getLocale() {
              return this.locale == null ? Locale.ENGLISH : locale;
        public static Locale getLocale(String loc)
            if(loc!=null && loc.length()>0)
                return new Locale(loc);
            else
                return Locale.ENGLISH;
    }

Maybe you are looking for