How to deploy and configure custom JAAS login module

Similar Messages

• JDEV deployment of web app with custom JAAS login module fails

  For the first time, I am trying to implement a custom JAAS login module.
  JDEV deployment to standalone OC4J only fails when my orion-application.xml is included. The deployment fails with a java.lang.InstantiationException.
  This what I have done:
  1) Wrote a custom LoginModule called com.whirlpoool.sjtc.jaas.gpa.LDAPLoginModule.
  2) Put it and its dependent classes in a jar named sjtcjaas.jar.
  3) Put the jar in $ORACLE_HOME\j2ee\home\lib
  4) Changed library_path in $ORACLE_HOME\j2ee\home\config\application.xml to
  <library path="../../home/lib/scheduler.jar;../../home/lib/sjtcjaas.jar" />
  5) Added an orion-application.xml to the JDEV project. (I used an Oracle How-to as a pattern, see below.)
  I think I'm close but no cigar, yet. Any help would be appreciated.
  Regards,
  Al Malin
  =============== orion-application.xml ========================================
  <?xml version="1.0"?>
  <orion-application xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://xmlns.oracle.com/oracleas/schema/orion-application-10_0.xsd" deployment-version="10.1.3.0.0" default-data-source="jdbc/OracleDS" schema-major-version="10" schema-minor-version="0" >
  <security-role-mapping name="sr_manager">
  <group name="managers" />
  </security-role-mapping>
  <security-role-mapping name="sr_developer">
  <group name="developers" />
  </security-role-mapping>
  <log>
  <file path="application.log" />
  </log>
  <!-- Configuring a Login Module in an Application EAR file. -->
  <jazn-loginconfig>
  <application>
  <name>customjaas</name>
  <login-modules>
  <login-module>
  <class>com.whirlpoool.sjtc.jaas.gpa.LDAPLoginModule</class>
  <control-flag>required</control-flag>
  <options>
  <option>
  <name>debug</name>
  <value>true</value>
  </option>
  </options>
  </login-module>
  </login-modules>
  </application>
  </jazn-loginconfig>
  </orion-application>

  Starting OC4J from c:\oc4j\j2ee\home ...
  2006-09-07 13:45:28.484 NOTIFICATION JMS Router is initiating ...
  06/09/07 13:45:29 Oracle Containers for J2EE 10g (10.1.3.0.0) initialized
  2006-09-07 13:45:58.609 NOTIFICATION Application Deployer for aam STARTS.
  2006-09-07 13:45:58.640 NOTIFICATION Copy the archive to C:\oc4j\j2ee\home\applications\aam.ear
  2006-09-07 13:45:58.656 NOTIFICATION Initialize C:\oc4j\j2ee\home\applications\aam.ear begins...
  2006-09-07 13:45:58.656 NOTIFICATION Auto-unpacking C:\oc4j\j2ee\home\applications\aam.ear...
  2006-09-07 13:45:58.687 NOTIFICATION Unpacking aam.ear
  2006-09-07 13:45:58.687 NOTIFICATION Unjar C:\oc4j\j2ee\home\applications\aam.ear in C:\oc4j\j2ee\home\applications\aam
  2006-09-07 13:45:58.750 NOTIFICATION Done unpacking aam.ear
  2006-09-07 13:45:58.750 NOTIFICATION Finished auto-unpacking C:\oc4j\j2ee\home\applications\aam.ear
  2006-09-07 13:45:58.750 NOTIFICATION Auto-unpacking C:\oc4j\j2ee\home\applications\aam\aam.war...
  2006-09-07 13:45:58.750 NOTIFICATION Unpacking aam.war
  2006-09-07 13:45:58.765 NOTIFICATION Unjar C:\oc4j\j2ee\home\applications\aam\aam.war in C:\oc4j\j2ee\home\applications\aam\aam
  2006-09-07 13:45:58.765 NOTIFICATION Done unpacking aam.war
  2006-09-07 13:45:58.765 NOTIFICATION Finished auto-unpacking C:\oc4j\j2ee\home\applications\aam\aam.war
  2006-09-07 13:45:58.812 NOTIFICATION Initialize C:\oc4j\j2ee\home\applications\aam.ear ends...
  2006-09-07 13:45:58.828 NOTIFICATION Starting application : aam
  2006-09-07 13:45:58.828 NOTIFICATION Initializing ClassLoader(s)
  2006-09-07 13:45:58.828 NOTIFICATION Initializing EJB container
  2006-09-07 13:45:58.828 NOTIFICATION Loading connector(s)
  2006-09-07 13:45:58.843 NOTIFICATION application : aam is in failed state
  06/09/07 13:45:58 WARNING: Application.setConfig Application: aam is in failed state as initialization failedjava.lang.InstantiationException
  Sep 7, 2006 1:45:58 PM com.evermind.server.Application setConfig
  WARNING: Application: aam is in failed state as initialization failedjava.lang.InstantiationException
  06/09/07 13:45:58 oracle.oc4j.admin.internal.DeployerException: java.lang.InstantiationException
  06/09/07 13:45:58 at oracle.oc4j.admin.internal.ApplicationDeployer.addApplication(ApplicationDeployer.java:510)
  06/09/07 13:45:58 at oracle.oc4j.admin.internal.ApplicationDeployer.doDeploy(ApplicationDeployer.java:191)
  06/09/07 13:45:58 at oracle.oc4j.admin.internal.DeployerBase.execute(DeployerBase.java:93)
  06/09/07 13:45:58 at oracle.oc4j.admin.jmx.server.mbeans.deploy.OC4JDeployerRunnable.doRun(OC4JDeployerRunnable.java:52)
  06/09/07 13:45:58 at oracle.oc4j.admin.jmx.server.mbeans.deploy.DeployerRunnable.run(DeployerRunnable.java:81)
  06/09/07 13:45:58 at EDU.oswego.cs.dl.util.concurrent.PooledExecutor$Worker.run(PooledExecutor.java:814)
  06/09/07 13:45:58 at java.lang.Thread.run(Thread.java:595)
  06/09/07 13:45:58 Caused by: java.lang.InstantiationException
  06/09/07 13:45:58 at com.evermind.server.ApplicationStateRunning.initDataSources(ApplicationStateRunning.java:1424)
  06/09/07 13:45:58 at com.evermind.server.ApplicationStateRunning.initializeApplication(ApplicationStateRunning.java:195)
  06/09/07 13:45:58 at com.evermind.server.Application.setConfig(Application.java:391)
  06/09/07 13:45:58 at com.evermind.server.Application.setConfig(Application.java:308)
  06/09/07 13:45:58 at com.evermind.server.ApplicationServer.addApplication(ApplicationServer.java:1771)
  06/09/07 13:45:58 at oracle.oc4j.admin.internal.ApplicationDeployer.addApplication(ApplicationDeployer.java:507)
  06/09/07 13:45:58 ... 6 more
  2006-09-07 13:45:58.890 NOTIFICATION Application Deployer for aam FAILED.
  2006-09-07 13:45:58.890 NOTIFICATION Application UnDeployer for aam STARTS.
  2006-09-07 13:45:58.906 NOTIFICATION Removing all web binding(s) for application aam from all web site(s)
  2006-09-07 13:45:59.015 NOTIFICATION Application UnDeployer for aam COMPLETES.
  06/09/07 13:45:59 WARNING: DeployerRunnable.run java.lang.InstantiationExceptionoracle.oc4j.admin.internal.DeployerException: java.lang.InstantiationException
  at oracle.oc4j.admin.internal.DeployerBase.execute(DeployerBase.java:126)
  at oracle.oc4j.admin.jmx.server.mbeans.deploy.OC4JDeployerRunnable.doRun(OC4JDeployerRunnable.java:52)
  at oracle.oc4j.admin.jmx.server.mbeans.deploy.DeployerRunnable.run(DeployerRunnable.java:81)
  at EDU.oswego.cs.dl.util.concurrent.PooledExecutor$Worker.run(PooledExecutor.java:814)
  at java.lang.Thread.run(Thread.java:595)
  Caused by: java.lang.InstantiationException
  at com.evermind.server.ApplicationStateRunning.initDataSources(ApplicationStateRunning.java:1424)
  at com.evermind.server.ApplicationStateRunning.initializeApplication(ApplicationStateRunning.java:195)
  at com.evermind.server.Application.setConfig(Application.java:391)
  at com.evermind.server.Application.setConfig(Application.java:308)
  at com.evermind.server.ApplicationServer.addApplication(ApplicationServer.java:1771)
  at oracle.oc4j.admin.internal.ApplicationDeployer.addApplication(ApplicationDeployer.java:507)
  at oracle.oc4j.admin.internal.ApplicationDeployer.doDeploy(ApplicationDeployer.java:191)
  at oracle.oc4j.admin.internal.DeployerBase.execute(DeployerBase.java:93)
  ... 4 more
  2006-09-07 13:45:59.031 WARNING java.lang.InstantiationException

• Custom JAAS Login Module 9.0.4 configuration problems

  Hello,
  We have created a custom JAAS Login Module on OC4J 9.0.4 and are having some sort of configuration problem
  We always get this error:
  Caused by: javax.security.auth.login.LoginException: Login Failure: all modules ignored
       at javax.security.auth.login.LoginContext.invoke(LoginContext.java:779)
       at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
       at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
       at java.security.AccessController.doPrivileged(Native Method)
       at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
       at javax.security.auth.login.LoginContext.login(LoginContext.java:535)
  The Login Module is configured for a specific deployed application in the global jazn-data.xml and is being run as I have attached a debugger to the app server.
  Our authentication process succeeds and we return a "true" from the login() method. No exceptions are thrown from our Login Module.
  our ORACLE_HOME/j2ee/home/config/jazn-data.xml has this added
  <application>
  <name>helloworld</name>
  <login-modules>
  <login-module>
  <class>com.test.JaasLoginModule</class>
  <control-flag>required</control-flag>
  <options>
  </options>
  </login-module>
  </login-modules>
  </application>
  The j2ee/home/application-deployments/helloworld/jazn-data.xml looks like this:
  <?xml version="1.0" encoding="UTF-8" standalone='yes'?>
  <!DOCTYPE jazn-data PUBLIC "JAZN-XML Data" "http://xmlns.oracle.com/ias/dtds/jazn-data.dtd">
  <jazn-data />
  and we added this into the j2ee/home/application-deployments/helloworld/orion-applicaton.xml
  <jazn provider="XML" location="jazn-data.xml" >
  <property name="role.mapping.dynamic" value="true"/>
  <property name="custom.loginmodule.provider" value="true"/>
  <property name="jaas.username.simple" value="true" />
  </jazn>
  Are we missing anything? Our code runs, it seems like there is something lacking in the configuration on the OC4J side of things.
  Anyone know what we are missing?
  Thanks....

  Hi,
  if you are on 9.0.4 then <property name="custom.loginmodule.provider" value="true"/> shouldn't work because its a parameter of 10.1.3
  Frank

• Howto put custom JAAS Login Module into NWDI

  Hi there!
  We are currently in migration phase and want to integrate existing codings to NWDI. We mainly had Web Dynpro projects which we figured out how to migrate through discovering  help.sap.com
  Formerly I developed a custom JAAS login module which is productive on our portal systems. Now I would like to integrate it to NWDI. Is this possible in general?
  Best Regards
  Christian

  Can you clarify a bit more what didn't work? What issues do you face?
  Our setup for security.jar (which is not available in one of the base SC's) (for the rest try to use as many base DC's as possible):
  1. Create External Library DC for security.jar
  2. Add security.jar to libraries folder, add to new pp for Compilation
  3. Create J2EE Library DC for loginmodule
  4. Create Java Library DC for loginmodule as Child DC
  5. Define the External Library DC as Used DC of the Java DC, referencing the Compilation pp (Only a Build time dependency, since this will not be deployed, instead you'll reference the registered interface, see below).
  6. Create a public part for Assembly in the Java DC. Add all your loginmodule classes to the pp.
  7. Define the Java DC as Used DC of the J2EE Library DC, referencing the Assembly pp (only Build time dependency). (this packages the loginmodule jar in the J2EE library)
  8. Create a provider.xml in the 'server' folder of the J2EE Library DC
  9. Define references to libraries used by the Child DC and the Child DC's jar:
       <references>
            <reference
                 provider-name="sap.com"
                 strength="weak"
                 type="library">com.sap.security.api.sda</reference>
            <reference
                 provider-name="sap.com"
                 strength="weak"
                 type="interface">security_api</reference>
            <reference
                 provider-name="sap.com"
                 strength="weak"
                 type="library">com.sap.tc.Logging</reference>
            <reference
                 provider-name="sap.com"
                 strength="weak"
                 type="library">servlet</reference>
       </references>
       <jars>
            <jar-name>[vendor name]~[DC name]~Assembly.jar</jar-name>
       </jars>
  The J2EE Library DC has only one Used DC: The child Java DC.
  The Java DC has Used DCs for anything you need to compile your loginmodule code.
  Hope I didn't forget anything else.

• Accessing LDAP in a custom JAAS login module

  Hi,
  I have developed a custom jaas login module in CE 7.1. I created a java dc which contains a class extending AbstractLoginModule. This DC is deployed on to the server using an EAR DC. I am trying to access LDAP in the custom login module. I am trying to establish an SSL connection to LDAP. For this purpose i have created a custom socket factory class which extends SSLSocketFactory. I used the code below to establish the connection.
            Hashtable<String,String> env=new Hashtable<String,String>();
            DirContext dirContext=null;
            env.put(Context.INITIAL_CONTEXT_FACTORY,"com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL,ldapURL);
                  env.put(Context.SECURITY_PROTOCOL,"ssl");
                  env.put("java.naming.ldap.factory.socket", "com.test.ldap.MySSLSocketFactory");
                  dirContext=new InitialDirContext(env);
  MySSLSocketFactory is the name of custom socket factory.
  During a login process, the above code results in error because the connection to LDAP server could not be established. However the same code when executed in a webdynpro DC is working without any problem. What could be the reason for this?
  This is the error i could see in defaultTrace
  javax.naming.CommunicationException: js24.na.domain.net:636 [Root exception is java.lang.ClassNotFoundException: com.test.ldap.MySSLSocketFactory
  Loader Info -
  ClassLoader name: [service:security]
  Living status: alive
  Direct parent loaders:
     [system:Frame]
     [library:j2eeca]
     [service:timeout]
     [service:com.sap.security.core.ume.service]
     [service:adminadapter]
  Resources:
     /usr/sap/SV3/J10/j2ee/cluster/bin/services/security/lib/private/sap.comtcjesecurityimpl.jar
  at com.sun.jndi.ldap.Connection.<init>(Connection.java:205)
  at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:118)
  at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1579)
  at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2681)
  at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:299)
  at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
  at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
  at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
  at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
  at com.sap.engine.system.naming.provider.DefaultInitialContext._getDefaultInitCtxt(DefaultInitialContext.java:64)
  at com.sap.engine.system.naming.provider.DefaultInitialContext.<init>(DefaultInitialContext.java:45)
  at com.sap.engine.system.naming.provider.DefaultInitialContextFactory.getInitialContext(DefaultInitialContextFactory.java:41)
  at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
  at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:247)
  at javax.naming.InitialContext.init(InitialContext.java:223)
  at javax.naming.InitialContext.<init>(InitialContext.java:197)
  at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:82)

  Hi,
  I used an EJB to perform the LDAP search and called the EJB from the login module. It is working as expected.
  Regards,
  Shabeer

• Problems deploying custom JAAS login module (ClassNotFound)

  Hi,
  I've developed a custom made JAAS login module that filters on IP addresse which I am moving from 6.20 to 6.40.
  I've pretty much followed the procedures from http://help.sap.com/saphelp_nw04/helpdata/de/46/3ce9402f3f8031e10000000a1550b0/content.htm , the only major difference is that I needed a reference to WebCallback and therefore a reference to com.sap.security.api.sda from my library project.
  I've especially followed the step with "Adding a Reference to the Classloader of the Security Provider" (http://help.sap.com/saphelp_nw04/helpdata/de/2b/23e4407211732ae10000000a155106/content.htm) , but I think its this step that fails. This has been set to library:<library name> , where <library name> is what is written on the right hand side of visual admin under library. I see that the library is deployed under the folder bin\ext\customer.com~com.customer.portal.login.IPRuleLibrary   , so maybe I will try that name tomorrow morning.
  The exceptions I get are
  #1.5#001321B3B106005C0000000800002E380004039375E59BA6#1129831779936#com.sap.engine.services.security#sap.com/irj#com.sap.engine.services.security#Guest#1####ae7c5500419411daa7fd001321b3b106#SAPEngine_Application_Thread[impl:3]_17##0#0#Error#1#/System/Audit#Java###Exception #1#com.sap.engine.services.security.exceptions.BaseSecurityException: Cannot load a login module.
       at com.sap.engine.services.security.login.LoginContextFactory.init(LoginContextFactory.java:95)
       at com.sap.engine.services.security.login.LoginContextFactory.getLoginContext(LoginContextFactory.java:133)
       at com.sap.engine.services.security.server.AuthenticationContextImpl.getLoginContext(AuthenticationContextImpl.java:227)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:324)
       at com.sap.engine.system.SystemLoginModule.initialize(SystemLoginModule.java:72)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:324)
       at javax.security.auth.login.LoginContext.invoke(LoginContext.java:662)
       at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
       at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
       at java.security.AccessController.doPrivileged(Native Method)
       at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
       at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
       at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.getLoggedInUser(SAPJ2EEAuthenticator.java:86)
       at com.sapportals.portal.prt.service.authenticationservice.AuthenticationService.getLoggedInUser(AuthenticationService.java:305)
       at com.sapportals.portal.prt.connection.UMHandler.handleUM(UMHandler.java:96)
       at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:186)
       at com.sapportals.portal.prt.dispatcher.Dispatcher$doService.run(Dispatcher.java:522)
       at java.security.AccessController.doPrivileged(Native Method)
       at com.sapportals.portal.prt.dispatcher.Dispatcher.service(Dispatcher.java:405)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
       at com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet.service(InvokerServlet.java:156)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
       at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:295)
       at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:351)
       at com.sap.portal.navigation.Gateway.service(Gateway.java:68)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
       at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:390)
       at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:264)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:347)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:325)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:887)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:241)
       at com.sap.engine.services.httpserver.server.Client.handle(Client.java:92)
       at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:148)
       at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
       at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
       at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
       at java.security.AccessController.doPrivileged(Native Method)
       at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:95)
       at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:159)
  Caused by: java.lang.ClassNotFoundException: com.customer.portal.login.IPRuleLoginModule
  Found in negative cache
  - Loader Info -
  ClassLoader name: [common:library:com.sap.security.api.sda;library:com.sap.security.core.sda;library:security.class;library:webservices_lib;service:adminadapter;service:basicadmin;service:com.sap.security.core.ume.service;service:configuration;service:connector;service:dbpool;service:deploy;service:jmx;service:jmx_notification;service:keystore;service:security;service:userstore]
  Parent loader name: [Frame ClassLoader]
  References:
     library:com.sap.ip.basecomps
     library:core_lib
     common:library:IAIKSecurity;library:activation;library:mail;library:tcsecssl
     library:servlet
     library:sapxmltoolkit
     library:com.sap.mw.jco
     library:com.sap.util.monitor.jarm
     library:j2eeca
     library:opensql
     interface:security
     interface:log
     interface:shell
     interface:keystore_api
     library:ejb20
     interface:webservices
     library:com.sap.guid
     interface:appcontext
     interface:endpoint_api
     interface:resourceset_api
     interface:resourcecontext_api
     common:service:iiop;service:naming;service:p4;service:ts
     interface:ejbcomponent
     interface:container
     interface:visual_administration
     interface:transactionext
     interface:dsr_ejbcontext_api
     service:timeout
     library:tc~jmx
     library:tcSLUTIL
     service:memory
     library:antlr
     library:jdbdictionary
     library:opensqlextensions
     interface:cross
     service:locking
     service:file
  Resources:
     C:
  usr
  sap
  EQ2
  J13
  j2ee
  cluster
  server1
  bin
  ext
  security.class
  tc_sec_saml_toolkit_api.jar
     C:
  usr
  sap
  EQ2
  J13
  j2ee
  cluster
  server1
  bin
  services
  adminadapter
  adminadapter.jar
     C:
  usr
  sap
  EQ2
  J13
  j2ee
  cluster
  server1
  bin
  services
  com.sap.security.core.ume.service
  com.sap.security.core.ume.service.jar
     C:
  usr
  sap
  EQ2
  J13
  j2ee
  cluster
  server1
  bin
  ext
  webservices_lib
  jaxrpc-api.jar
     C:
  usr
  sap
  EQ2
  J13
  j2ee
  cluster
  server1
  bin
  ext
  com.sap.security.api.sda
  com.sap.security.api.jar
     C:
  usr
  sap
  EQ2
  J13
  j2ee
  cluster
  server1
  bin
  services
  dbpool
  opensqllib.jar
     C:
  usr
  sap
  EQ2
  J13
  j2ee
  cluster
  server1
  bin
  services
  jmx
  jmx_sec.jar
     C:
  usr
  sap
  EQ2
  J13
  j2ee
  cluster
  server1
  bin
  ext
  webservices_lib
  jaxm-api.jar
     C:
  usr
  sap
  EQ2
  J13
  j2ee
  cluster
  server1
  bin
  services
  keystore
  keystore.jar
     C:
  usr
  sap
  EQ2
  J13
  j2ee
  cluster
  server1
  bin
  services
  security
  security.jar
     C:
  usr
  sap
  EQ2
  J13
  j2ee
  cluster
  server1
  bin
  services
  basicadmin
  jstartupapi.jar
     C:
  usr
  sap
  EQ2
  J13
  j2ee
  cluster
  server1
  bin
  ext
  security.class
  tc_sec_saml_jaas.jar
     C:
  usr
  sap
  EQ2
  J13
  j2ee
  cluster
  server1
  bin
  services
  connector
  connectorimpl.jar
     C:
  usr
  sap
  EQ2
  J13
  j2ee
  cluster
  server1
  bin
  ext
  webservices_lib
  webservices_lib.jar
     C:
  usr
  sap
  EQ2
  J13
  j2ee
  cluster
  server1
  bin
  ext
  security.class
  tc_sec_jaas.jar
     C:
  usr
  sap
  EQ2
  J13
  j2ee
  cluster
  server1
  bin
  ext
  security.class
  tc_sec_saml_service_api.jar
     C:
  usr
  sap
  EQ2
  J13
  j2ee
  cluster
  server1
  bin
  ext
  security.class
  tc_sec_userstore_lib.jar
     C:
  usr
  sap
  EQ2
  J13
  j2ee
  cluster
  server1
  bin
  ext
  webservices_lib
  saaj-api.jar
     C:
  usr
  sap
  EQ2
  J13
  j2ee
  cluster
  server1
  bin
  ext
  com.sap.security.core.sda
  com.sap.security.core.jar
     C:
  usr
  sap
  EQ2
  J13
  j2ee
  cluster
  server1
  bin
  ext
  com.sap.security.core.sda
  com.sap.security.core.tpd.jar
     C:
  usr
  sap
  EQ2
  J13
  j2ee
  cluster
  server1
  bin
  ext
  security.class
  tc_sec_csi.jar
     C:
  usr
  sap
  EQ2
  J13
  j2ee
  cluster
  server1
  bin
  ext
  security.class
  tc_sec_ssf.jar
     C:
  usr
  sap
  EQ2
  J13
  j2ee
  cluster
  server1
  bin
  services
  userstore
  userstore.jar
     C:
  usr
  sap
  EQ2
  J13
  j2ee
  cluster
  server1
  bin
  services
  dbpool
  sqljimpl.jar
     C:
  usr
  sap
  EQ2
  J13
  j2ee
  cluster
  server1
  bin
  ext
  security.class
  tc_sec_saml_xmlbind.jar
     C:
  usr
  sap
  EQ2
  J13
  j2ee
  cluster
  server1
  bin
  ext
  security.class
  tc_sec_saml_util.jar
     C:
  usr
  sap
  EQ2
  J13
  j2ee
  cluster
  server1
  bin
  services
  dbpool
  dbpool.jar
     C:
  usr
  sap
  EQ2
  J13
  j2ee
  cluster
  server1
  bin
  services
  deploy
  deploy.jar
     C:
  usr
  sap
  EQ2
  J13
  j2ee
  cluster
  server1
  bin
  ext
  security.class
  tc_sec_saml_toolkit_core.jar
     C:
  usr
  sap
  EQ2
  J13
  j2ee
  cluster
  server1
  bin
  services
  jmx
  jmx.jar
     C:
  usr
  sap
  EQ2
  J13
  j2ee
  cluster
  server1
  bin
  ext
  security.class
  tc_sec_compat.jar
     C:
  usr
  sap
  EQ2
  J13
  j2ee
  cluster
  server1
  bin
  services
  jmx_notification
  jmx_notification.jar
     C:
  usr
  sap
  EQ2
  J13
  j2ee
  cluster
  server1
  bin
  services
  configuration
  configuration.jar
     C:
  usr
  sap
  EQ2
  J13
  j2ee
  cluster
  server1
  bin
  services
  basicadmin
  jstartupimpl.jar
     C:
  usr
  sap
  EQ2
  J13
  j2ee
  cluster
  server1
  bin
  ext
  security.class
  tc_sec_https.jar
     C:
  usr
  sap
  EQ2
  J13
  j2ee
  cluster
  server1
  bin
  services
  basicadmin
  basicadmin.jar
     C:
  usr
  sap
  EQ2
  J13
  j2ee
  cluster
  server1
  bin
  ext
  security.class
  tc_sec_jaas_test.jar
     C:
  usr
  sap
  EQ2
  J13
  j2ee
  cluster
  server1
  bin
  ext
  com.sap.security.api.sda
  com.sap.security.api.perm.jar
  Loading model: {parent,local,references}
       at com.sap.engine.frame.core.load.ReferencedLoader.loadClass(ReferencedLoader.java:348)
       at com.sap.engine.services.security.Util.loadClass(Util.java:262)
       at com.sap.engine.services.security.Util.loadClassFromAdditionalLoaders(Util.java:204)
       at com.sap.engine.services.security.login.LoginContextFactory.init(LoginContextFactory.java:92)
       ... 45 more
  #1.5#001321B3B106005C0000000900002E380004039375E5A109#1129831779936#com.sap.engine.services.security#sap.com/irj#com.sap.engine.services.security#Guest#1####ae7c5500419411daa7fd001321b3b106#SAPEngine_Application_Thread[impl:3]_17##0#0#Error##Java###Cannot load login module class .#1#com.customer.portal.login.IPRuleLoginModule#

  Hi,
  The problem was solved by using the name customer.com~com.customer.portal.login.IPRuleLibrary for the library (so basically look at the name of your library folder under cluster\j2ee\serverx\bin\ext , not the name reported by visual admin).
  Also I was able to modify the properties of the login module runtime, which made me very happy
  Dagfinn

• Custom JAAS login module configuration in Oracle application server

  I have a LDAP login module implementing javax.security.auth.spi.LoginModule. This login module works well with tomcat and weblogic, if I configure the JVM arguments -Djava.security.auth.login.config and -Djava.security.policy to point to the login.conf and access.policy files. The login.conf file has the below content
  FREEWAY_SERV
  com.wipro.freeway.security.LdapLoginModule required debug=true portal=false;
  FREEWAY_PORT
  com.wipro.freeway.security.LdapLoginModule required debug=true portal=true;
  The access.policy file has contains content like below:
  grant Principal com.wipro.freeway.security.RolePrincipal "UserAdministration" {
       permission com.wipro.freeway.security.URLPermission "/createOtherUser.frw";
       permission com.wipro.freeway.security.URLPermission "/createDealer.frw";
  The application uses these login modules by passing Name of the JAAS configuration (FREEWAY_SERV or FREEWAY_PORT).
  I would like to use the same login module and code in Oracle application sever 10.1.3 and I haven't got any success yet. I am not getting how to set these JVM properties and make my application identify this custom login module. I have tried configuring the custom login module via oc4j admin console and I couldn't give a name to my configuration. I also set the system properties for
  -Djava.security.auth.login.config and -Djava.security.policy with no success.
  Could anybody please help me to get this right?
  Thanks in advance.

  Hello,
  In OracleAS 10g R3 (10.1.3.x) you can register your login module in your application (and server) using Enterprise Manager, and config file. That is easier and more flexible that the parameter.
  I would invite you to take a look to the security how-to:
  - 10.1.3 How-tos, and How to integrate a custom login module
  You can also take a look to the 10.1.3 Documentation and the LDAP/Login Module integration.
  - Security guide: Login Modules

• How to test and configure custom extensions in Flash Pro CC?

  Hi,
  How do you install custom CS extensions in Flash Pro CC for testing and debugging before they have been signed and packaged?
  We have a custom extension for Flash Pro developed in-house using the CS SDK that we've been using with flash pro CS5 and CS6 but we're having trouble getting it to work in CC and I'd like to run it locally in test/debug mode.
  With flash pro CS6 and CS5 it was possible to test extensions by copying the output folder from flash builder into the CS Service Manager root folder (e.g. /Users/<username>/Library/Application Support/Adobe/CS6ServiceManager) and setting PlayerDebugMode to 1 in the CSXS preferences.
  I've added the PlayerDebugMode=1 flag to com.adobe.CSXS.4.plist however, I can't find the equivalent service manager folder for Flash Pro CC to copy the extension into.
  Is there a different folder to use for CC or is the process for testing extensions completely different? (are extensions written in the CS SDK even compatible with CC?)
  I'm running Mac OS Lion.
  Thanks,
  Stephen

  Thanks, that explains a lot.
  I'm afraid I'm a bit confused about what the preferred way of developing extensions is going ahead. There seems to be a lot of conflicting documentation on the adobe site, e.g. http://www.adobe.com/devnet/creativesuite.html  seems like the top page for extension documentation but it only talks about CS SDK 2.0 which uses CSXS and doesn't seem to be compatible with creative cloud apps.
  Then there's CS Extension Builder 2.1 which looks like it supports Flash Pro CC but isn't mentioned in the pages you linked too and it doesn't mention JSFL, but talks about the CSAW library.
  Do you know if:
  * The CS SDK has been dropped completely? 
  * CS Extenstion Builder is deprecated? (I can't see it as an option in the list of Creative Cloud apps)
  * Is then any documentation/utilities to help migrate existing CSXS extensions to work with creative cloud apps?
  Thanks,
  Stephen

• Custom JAAS Login Module

  I have a question about sample in "Developing security providers for weblogic server"
  of WebLogic 7.0
  In 3-21 in the document, abort() method may be called n times after abort.
  Why is it possible that abort() method is called many times?
  Regards,

  I have a question about sample in "Developing security providers for weblogic server"
  of WebLogic 7.0
  In 3-21 in the document, abort() method may be called n times after abort.
  Why is it possible that abort() method is called many times?
  Regards,

• Create new JAAS login module & have to deploy in OC4J

  Dear Experts,
  Is it possible to create number of user roles under the group oc4jadmin. Then have to assign task for each user in group. please suggest me.
  Thanks,
  Rajesh
  Edited by: Rajesh A on Mar 12, 2009 10:15 AM
  Edited by: Rajesh A on Mar 12, 2009 6:48 PM

  h5. James,Anirudh
  Is it possible to define new JAAS module that would first check with Oracle DB & then check with LDAP directory. Actually my requirement was to authenticate user with the help of backends. Here backend denotes both Oracle DB & LDAP. In the sense when user enters valid id & password it checks for existence in DB & if exist DB returns a new value (role) then have to check new value with LDAP( what are the privileges available for specified role & who is the superior for the same). The details maintaining in LDAP are dynamic so we cant able to move into DB. Every process involving here is automatic in the sense no external server connection should provide for authentication. The custom login module should be deploy in same OC4J container. Always available as service. I want to know about the following
  1) How to define costom JAAS login module
  2) How to configure coutom JAAS login module over OC4J
  3) How to make use of it
  Thanks,
  Rajesh

• Configure JAAS login module stack to support x.509 certificates without SSL

  I want to use x.509 certificates for authentication against a EP 7.0 but I don’t want to have SSL traffic on the network segment where the portal resides. Obviously the SSL must be terminated in an application gateway that sends the certificate to the portal in the header.
  I know that AcceptClientCertWithoutSSL must be set to true in the http provider and that ClientCertificateHeaderName is the name of the header variable that contains the user’s certificate, default is SSL_CLIENT_CERT.
  What I don’t know is how to configure my JAAS login module stack, my suggestion would be this:
  EvaluateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
  ClientCertLoginModule OPTIONAL {Rule1.getUserFrom=SSL_CLIENT_CERT}
  CreateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
  BasicPasswordLoginModule REQUISITE {}
  CertPersisterLoginModule OPTIONAL {Rule1.getUserFrom=SSL_CLIENT_CERT}
  CreateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
  My concern is does the ClientCertLoginModule and the CertPersisterLoginModule read from the header variable? If they don’t, is there another login module that should be used in this case?

  Hi Claus,
  you got the flags right but the options of the login modules (LM) are wrong, so the certificate authentication won't work.
  There's two problems I see: (1) Rule1.getUserFrom is not a valid option for the LM CertPersisterLoginModule, and (2) SSL_CLIENT_CERT is not a valid value for the option Rule1.getUserFrom of the ClientCertLoginModule.
  Looking at this topic:
  http://help.sap.com/saphelp_nw2004s/helpdata/en/ea/301e3e6217b40be10000000a114084/content.htm
  the header variable used to pass the certificate is maintained in the HTTP provider service properties but since you use the default you don't need to maintain that part of the config. You also don't need the CertPersisterLoginModule in the config because it is used for automatic certificate mapping, which doesn't work when you don't have SSL to the portal.
  So with the above said your LM stack config should look like this:
  EvaluateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
  ClientCertLoginModule OPTIONAL {Rule1.getUserFrom=wholeCert}
  CreateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
  BasicPasswordLoginModule REQUISITE {}
  CreateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
  If this doesn't work I'd suggest opening a support ticket.
  Regards,
  Yonko

• GlassFish, JAAS Login Module - get remote ejb clien IP address

  How to get remote ejb client IP in my custom JAAS login module if I use Glassfish?
  Edited by: NoName on Sep 23, 2009 4:06 AM

  Hi,
  Try configuring wdisp/add_xforwardedfor_header in web dispatcher as described here:
  http://help.sap.com/saphelp_nw04/helpdata/en/de/89023c59698908e10000000a11402f/content.htm
  And configuring ClientIpHeaderName on the java server as described here:
  http://help.sap.com/saphelp_nw04/helpdata/en/52/46f6a089754e3a964a5d932eb9db8b/content.htm
  Regards,
  Maria

• Opinions on implementing a JAAS login module to achieve SSO

  We are looking at implementing SSO from a sharepoint website to the portal.  The users who are accessing the Sharepoint site are using their own computers and are not members of the AD Domain, so they could theoretically be using any computer in the world to access Sharepoint.
  the desired user experience looks something like this.
  user--login> sharepoint site -no login--
  >portal
  One of the methods we are looking at to achieve this is to implement a custom JAAS login module that would authenticate the user if they are coming from the Sharepoint site.
  I would like to get your opinions on how viable you think this method is.  One of the goals of this method is ease of implementation, so if you can think of an easier way to implement this please let us know.
  the method is basically this.
  1. User logs into sharepoint using their AD username and password and establish an active session with sharepoint
  2. user navigates to a link in sharepoint that points to a resource in the SAP Portal
  3. we don't want the user to have to login to access the resource when they click on the link
  4. to facilitate this, sharepoint has constructed the link in the following way
  5. the link is an https link
  6. the link has two additional parameters in addition to whatever is necessary to navigate to the resource
  7. the parameters are
  8. un = the users AD username
  9. uh = sha1("secret_password_known_to_both_the_login_module_and_sharepoint" + "username")
  10. the user clicks the link and is directed to the SAP portal
  11. the sap portal has a custom JAAS login module which performs it's checks before the other login modules
  12. the custom module computes ( sha1("secret_password_known_to_both_the_login_module_and_sharepoint" + un)) and then compares the result with uh, if they are equal, the custom login module authenticates the user bypassing any further need for authentication, otherwise authentication passes to the original authentication modules as normal.
  If you think there is an easier way, please let us know.  We are essentially looking for the easiest/fastest way to implement this functionality that is still secure.

  Hey Gary,
    I'm currently using Apache running on RedHat that leverage Apache's mod_rewrite module. I've got a bank of 6 reverse proxies sitting in front of an SAP Portal and each proxy runs on a host with dual 3.33GHz processors and 8Gb or RAM. I know... they're waaay over-sized and they pretty much snooze all day.
    This is the sole entry point for all SAP users and we sized them to accommodate the "worst case" of about 5000 (potential) named users, concurrently. Realistically, we've only ever had about 1500 unique users hitting the systems in a day (following an upgrade go-live, everybody is curious and wants to log on) and a typical load of about 500 to 750 users in a day.
    Never had a real performance problem to speak of. As long as the proxies are tuned properly (ssl cache, sessions, etc.), you should be fine.
    Setting header variables and some other "custom stuff" is handled in Perl (need Apache's mod_perl active). We've got a script that's called by all users before being passed to the Portal.
    We used IISProxy.dll with an IIS web server a long time ago (5 years maybe?) but opted to can it in favor of the approach described above.
    If you ask SAP, they'll recommend you use a WebDispatcher... and that's certainly an option as well.
  -Kevin

• JAAS Login Module Redirect to Iview

  I am having some difficulty getting a redirect to an Iview to work in our custom JAAS Login Module.  This code works in our current production environment, using Portal version EP6.0 SP2 Patch 35:
  callbacks[0] = new com.sap.security.api.logon.WebCallback();
  HttpServletResponse rsp = ((WebCallback) callbacks[0]).getResponse();
  rsp.sendRedirect(this.changepasswordurl + this.username);  //get url from property
  But this nearly identical code is not working in our development environment, running NetWeaver:
  WebCallback wcb = new WebCallback ();
  this.callbackHandler.handle(new Callback [] {wcb});
  HttpServletResponse rsp = wcb.getResponse();
  myLoc.infoT("URL: " + this.changepasswordurl + this.username);
  rsp.sendRedirect(this.changepasswordurl + this.username); //get url from property
  When the rsp.sendRedirect statement is executed, I get a stack dump:
  #1.5#00306EF4D7AD0048000000550000576000040C5F45EBE199#1139503241315#com.nike.portal.auth.PortalLoginModule#sap.com/irj#com.nike.portal.auth.PortalLoginModule#Guest#192####cd56b800998a11da8f7300306ef4d7ad#SAPEngine_Application_Thread[impl:3]_9##0#0#Info##Plain###URL: https://dev.XXXXX.com/irj/servlet/prt/portal/prtroot/pcd!3aportal_content!2fnikeconnect!2fiviews!2fcommon!2fMyInfo!2f1-com-nike-iv_b2s-change-password?userid=ncportal02@yahoo.com#on!2fMyInfo!2f1-com-nike-iv_b2s-change-password?userid=ncportal02@yahoo.com#
  #1.5#00306EF4D7AD0048000000570000576000040C5F45EC2971#1139503241326#com.sap.engine.services.security#sap.com/irj#com.sap.engine.services.security#Guest#192####cd56b800998a11da8f7300306ef4d7ad#SAPEngine_Application_Thread[impl:3]_9##0#0#Error##Java###Error in some of the login modules.
  [EXCEPTION]
  #1#com.sap.engine.services.security.exceptions.BaseLoginException: Error in some of the login modules.
          at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:149)
          at java.security.AccessController.doPrivileged(Native Method)
          at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:153)
          at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
          at sun.reflect.GeneratedMethodAccessor260.invoke(Unknown Source)
          at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
          at java.lang.reflect.Method.invoke(Method.java:324)
  When I cut the exact URL being redirected to from the trace log and paste it into a browser, it goes to the page just fine.
  Can anyone suggest a different method of performing a redirect from withing my JAAS Login Module in NetWeaver?  I'm thinking maybe I'm not getting the response object properly - any ideas?
  Thank you...
  Dave

  Thanks for the pointers.  We were able to get an SAP developer to take a look at this and he coded up this solution, which takes what you suggested and filled in all the blanks.  I am baffled as to how I would have figured this out on my own (like the RESPONSE_CODE value of 302), given the limited documentation around the HttpCallback.  We haven't had the opportunity to try this yet - I'll respond with a new post either way to let you know.  Anyway, here's the code snippet for how to perform a redirect:
  In the custom JAAS Login Module:
  setRedirect(callbackHandler, this.changepasswordurl);
  This is the setRedirect method:
  private void setRedirect(CallbackHandler ch, String redirectURL)
        throws IOException, UnsupportedCallbackException
      HttpSetterCallback setRCodeCB = new HttpSetterCallback();
      setRCodeCB.setType(HttpCallback.RESPONSE_CODE);
      setRCodeCB.setName("Moved Temporarily");
      setRCodeCB.setValue("302");
      HttpSetterCallback setRedirCB = new HttpSetterCallback();
      setRedirCB.setType(HttpCallback.HEADER);
      setRedirCB.setName("Location");
      setRedirCB.setValue(redirectURL);
      Callback[] cbSetter = new Callback[2];
      cbSetter[0] = setRCodeCB;
      cbSetter[1] = setRedirCB;
      ch.handle(cbSetter);

• "HttpServletRequest" from ContextHandler in JAAS Login Module

  Hi All. I've developed a custom authenticator in WL 9.1. This CA has a custom JAAS Login Module. Inside this module I use weblogic.security.auth.callback.ContextHandlerCallback in order to get javax.http.servlet.HttpServletRequest using the key HttpServletRequest.
  This component works properly in WL 9.1 but using the same component with the same configuration in WL 9.2 I'm experiencing a null pointer getting HttpServletRequest from context handler.
  Any idea about this issue ?
  Regards.

  i am new to JAAS. I am trying to write a custom authenticator in weblogic 9.2. how did u get the handle to ContextHandler to get the httpservletrequest.
  Edited by anishek at 07/23/2007 4:16 AM