How to set role based Authorization in JAAS

Similar Messages

• Role based menu using JAAS

  Is it possible to implement role based menu using JAAS in web application ? My requirment is to enable or disable menu items on the screen based on the roles of the logged in user .
  Can some one help me on this ?

  Is it possible to implement role based menu using JAAS in web application ? My requirment is to enable or disable menu items on the screen based on the roles of the logged in user .
  Can some one help me on this ?

• Custom security JHeadstart 11gTP1 -Use Role-based Authorization is missing

  In JHeadstart 11g TP1 the option Use Role-based Authorization is missing.
  Will this option only be available in de production release of JHeadstart 11g? What is the reason why this is missing? Is it still possible to use CUSTOM authorization in JHeadstart 11g TP1?

  It is not missing.
  If you turn on custom authorization, you can specify your own roles against groups to access them, and use role names in the insert allowed/update allowed and delete allowed expressions.
  Steven Davelaar,
  JHeadstart Team.

• Can't use role-based authorization

  We can't use role-based authorization because the permissions
  and their assignments change frequently. Is there any alternative
  where we can still use WLS to handle security?

  Dave,
  If you're using WLS6 the console supports dynamic user updates so you could
  change each users configuration as needed.
  Alex
  Dave <[email protected]> wrote in message
  news:3a672c81$[email protected]..
  >
  We can't use role-based authorization because the permissions
  and their assignments change frequently. Is there any alternative
  where we can still use WLS to handle security?

• How to Set URL-Based Session Tracking to No

  Dear BSP Gurus
  I am fairly new to BSP applications, but I am getting an error which goes "BSP exception: Access to URL /sap(bD1lbiZjPTEwMCZkPW1pbg==)/bc/bsp/sap/crm_ui_frame/ is forbidden" and notice some say they solved it by Setting URL-Based Session Tracking to No, so my question is how do I do that.
  Unless off course there is another way to solve my problem. Would greatly appreciate it.
  Awaiting your favorable response

  Hey Raja and Rajani
  I actually activated all the applications below SAP->BC->->SAP-> **(Application)*->  but still I am getting that error.
  When I then test the individual applications I get errors like
  "BSP Exception: Das Objekt default.htm in der URL /sap/bc/bsp/sap/bp_cont_main/default.htm?sap-client=100&sap-sessioncmd=open ist nicht gültig"
  I really have run out if ideas, I need your assistance, initially I thought it cd be the logical link coz the work centres appear fine then I tried to assign even standard business roles, its giving the same error.
  What do I do now?

• How to set roles from JDBC connections

  Hi guys,
  I have a jdbc connection which purpose is to run queries based on a string that I construct in my program.
  My question is: if I have to run a DCL, like: SET ROLE RL_XXX TO USER1;
  What's the easiest way to do it with my same connection?
  Thanks.

  Hi Marc,
  Sorry for the typo. It's a BDC source, I use a WCF client to access a SQL Database (HR External System) that has 4 fields that are necessary to present in the Sharepoint User Profile. The issue occurs with a Full or a Delta Sync. The problem is that if the
  BDC source is not present the fields are deleted (I get a SPS-Dummy Added and all of the pbjects in the BDC Connector Space are deleted).
  I do not want this to happen. I do not want the User Profile Attributes/Fields to be empty/deleted if there is no connection I simply want them to stay what they are... I have two issues.
  1) Is that the even if i change my data on SQL Server side, the changes do not get picked up by the sync. Since the only field that is being tested for change is an ADid, since the id does not change the BDC does not consider them changes.
  2) If there is no connection I do not want the attributes to be deleted. I have not figured out a way to effectively do this.
  So my issue appears to be simple to solve, but after 4 days and hundreds of tutorial pages read I have yet to figure out a proper way to do this.
  Here is the pseudo-specification
  The Fields that come form the HR System (SQL Server) are to be presented in the user profile. If there is no connection to the BDC file the fields remain as they are until there is a connection and updates can be made. Changes to any of the fields are performed
  manually in the HR system. These changes must be picked up by the daily sync.

• How to set role which can issue only one command

  I am thinking about setting role, which will be allowed to issue olny one command. I have created role test. Which has the following entries in the following files:
  /etc/user_attr
  test::::profiles=OneCommand;type=role
  /etc/security/exec_attr
  OneCommand:solaris:cmd:::/tmp/data.sh:euid=0
  After this I sill could issue all comands, not only test command /tmp/data.sh.
  When I issued comand profiles on test role I received the following:
  bash-3.00$ profiles test
  OneCommand
  Basic Solaris User
  All
  So I commented line in the /etc/policy.conf to read:
  #PROFS_GRANTED=Basic Solaris User
  After that, when I try to issue /tmp/data.sh command as a test role I receive the following error:
  $ /tmp/data.sh
  pfexec: Exec format error
  Does anybody know how to set up the role which can issue only one command ? Maybe there is a way to do this in the way which wil not affect another roles (ie, not to touch /etc/policy.conf).
  Best regards

  RadekW wrote:
  I am thinking about setting role, which will be allowed to issue olny one command. I have created role test. Which has the following entries in the following files:They will need the ability to run at least a profile shell otherwise all bets are off. So now you're down to two commands. :-)
  bash-3.00$ profiles test
  OneCommand
  Basic Solaris User
  AllFirst you need to define what already exists by default. (policy.conf)
  Then you get to change those defaults or create a new default list just for test.
  Then you get to add a role or profile for test that allows the execution of a profile shell and one command.
  Then you should test all of the user accounts to ensure that something didn't break. This step might be a little overkill.
  alan

• XWS-Security, JAAS and role-based authorization

  What is my best bet to try to authorize users to use certain web services? For example, let's say a user logs into a web application A, who connects to a web application B implementing Web Services and XWSS.
  A passes along the userNameToken, and B authenticates it (let's say, using JAAS). Now it needs to authorize the user to use the actual web service. Can I do this with JAAS? What is the best way to define the policies? Does it mean I have to create PrivilegedActions for every webservice? What are my other alternatives besides JAAS?
  Thanks in advance.

  Alternatively, is there a way to see which web service the client is requesting from the SecurityEnvironmentHandler (callbackHandler)?

• Re: Permission-based authorization with JAAS

  Actually, I am struggling on this topic also. Probably someone else could help
  on this. If you only deal with WLS, one solution could be write your own RoleMapper.
  When the RoleMapper is called, the subject/principal should be available, at that
  time you could do DB search to find roles the principal belongs to and return
  all the roles to WLS security manager. WLS take over from there to enforce the
  access control defined in ejb-jar.
  -John
  "Natasha" <[email protected]> wrote:
  >
  That is very helpful, thank you very much, John!
  What about dynamic role definition? Any thoughts on how I should go
  about authorizing
  based on specific permissions a user has? What I need, essentially,
  is to have
  only the relevant parts of a given page visible to a user with certain
  permissions,
  so I want to use JAAS to have a system that would check if the current
  instance
  of Subject is authorized for a particular action.
  Natasha
  "John Zhu" <[email protected]> wrote:
  One thing you could do is to have all the client logs in through JNDI
  lookup API.
  And client's principal will be passed to the bean. Inside the bean's
  method call
  principal.getName() to retrieve the principal. After that you couldsearch
  DB
  to get ACL related to the principal, then enforce the security.
  Principal principal = context.getCallerPrincipal();
  logger.info("The principal name: "+principal.getName());
  [email protected] (Natasha) wrote:
  I need to implement an authorization model in which a user can be
  authorized to view a certain page or a part of a page based on their
  permissions. The trick is that the role definition is dynamic, andI
  can not make a policy file ahead of time. Instead, I would like to
  simply retrieve the users permissions and then allow access (or, say,
  use a jsp tag to check if a certain part of the page should be
  displayed) based of whether the user has the permission required, and
  have a configuration file that defines the access policy by mapping
  actions to permissions. I am trying to figure out whether I can use
  JAAS and the Subject class for this, because all of the examples I
  could find map actions to roles, rather than individual permissions.
  Also, I am confused as to whether or not I would have to implement
  my
  own LoginModule if I need to authenticate against a database, in my
  case, probably via using Weblogic entity beans. Sun tutorial states
  that developers do not need to implement a LoginModule, but I do not
  understand how I can do all that without it. I am using Weblogic 7.0
  and Struts.
  Any help will be greatly appreciated.
  Natasha

  Did u think about implementing your own AuthorizationProvider and using it in your
  security realm. The AuthorizationProvider does the trick of verifying which resource
  is being accessed and who can access it.
  My only problem is that I am unable to find out how to make the Resource know
  what instance it is...
  "Natasha" <[email protected]> wrote:
  >
  I guess I have to see if anyone suggests an alternative, and then decide
  whether
  it is worth adapting JAAS instead of a quick homegrown solution, as it
  seems like
  in our case the biggest reason to adopt JAAS is it being the standard.
  Thank you very much for your help, John!
  Natasha.
  "John Zhu" <[email protected]> wrote:
  Actually, I am struggling on this topic also. Probably someone elsecould
  help
  on this. If you only deal with WLS, one solution could be write your
  own RoleMapper.
  When the RoleMapper is called, the subject/principal should be available,
  at that
  time you could do DB search to find roles the principal belongs to and
  return
  all the roles to WLS security manager. WLS take over from there to enforce
  the
  access control defined in ejb-jar.
  -John
  "Natasha" <[email protected]> wrote:
  That is very helpful, thank you very much, John!
  What about dynamic role definition? Any thoughts on how I should go
  about authorizing
  based on specific permissions a user has? What I need, essentially,
  is to have
  only the relevant parts of a given page visible to a user with certain
  permissions,
  so I want to use JAAS to have a system that would check if the current
  instance
  of Subject is authorized for a particular action.
  Natasha
  "John Zhu" <[email protected]> wrote:
  One thing you could do is to have all the client logs in through JNDI
  lookup API.
  And client's principal will be passed to the bean. Inside the bean's
  method call
  principal.getName() to retrieve the principal. After that you couldsearch
  DB
  to get ACL related to the principal, then enforce the security.
  Principal principal = context.getCallerPrincipal();
  logger.info("The principal name: "+principal.getName());
  [email protected] (Natasha) wrote:
  I need to implement an authorization model in which a user can be
  authorized to view a certain page or a part of a page based on their
  permissions. The trick is that the role definition is dynamic, andI
  can not make a policy file ahead of time. Instead, I would like
  to
  simply retrieve the users permissions and then allow access (or,say,
  use a jsp tag to check if a certain part of the page should be
  displayed) based of whether the user has the permission required,and
  have a configuration file that defines the access policy by mapping
  actions to permissions. I am trying to figure out whether I can
  use
  JAAS and the Subject class for this, because all of the examplesI
  could find map actions to roles, rather than individual permissions.
  Also, I am confused as to whether or not I would have to implementmy
  own LoginModule if I need to authenticate against a database, in
  my
  case, probably via using Weblogic entity beans. Sun tutorial states
  that developers do not need to implement a LoginModule, but I donot
  understand how I can do all that without it. I am using Weblogic7.0
  and Struts.
  Any help will be greatly appreciated.
  Natasha

• Permission-based authorization with JAAS

  I need to implement an authorization model in which a user can be authorized to
  view a certain page or a part of a page based on their permissions. The trick
  is that the role definition is dynamic, and I can&#8217;t make a policy file ahead
  of time. Instead, I would like to simply retrieve the users permissions and then
  allow access (or, say, use a jsp tag to check if a certain part of the page should
  be displayed) based of whether the user has the permission required, and have
  a configuration file that defines the access policy by mapping actions to permissions.
  I am trying to figure out whether I can use JAAS (at the risk of being strangled
  by omni-present Michael Lee) and the Subject class for this, because all of the
  examples I could find map actions to roles, rather than individual permissions.
  Also, I am confused as to whether or not I would have to implement my own LoginModule
  if I need to authenticate against a database, in my case, probably via using Weblogic
  entity beans. Sun tutorial states that developers do not need to implement a
  LoginModule, but I do not understand how I can do all that without it. I am using
  Weblogic 7.0 and Struts.
  Any help will be greatly appreciated.
  Natasha

  I need to implement an authorization model in which a user can be authorized to
  view a certain page or a part of a page based on their permissions. The trick
  is that the role definition is dynamic, and I can&#8217;t make a policy file ahead
  of time. Instead, I would like to simply retrieve the users permissions and then
  allow access (or, say, use a jsp tag to check if a certain part of the page should
  be displayed) based of whether the user has the permission required, and have
  a configuration file that defines the access policy by mapping actions to permissions.
  I am trying to figure out whether I can use JAAS (at the risk of being strangled
  by omni-present Michael Lee) and the Subject class for this, because all of the
  examples I could find map actions to roles, rather than individual permissions.
  Also, I am confused as to whether or not I would have to implement my own LoginModule
  if I need to authenticate against a database, in my case, probably via using Weblogic
  entity beans. Sun tutorial states that developers do not need to implement a
  LoginModule, but I do not understand how I can do all that without it. I am using
  Weblogic 7.0 and Struts.
  Any help will be greatly appreciated.
  Natasha

• BlazeDS role based authorization

  Hi,
  I'm half the way in developing a POC for using flex as the front end of our application and I'm having some security issues.
  I'm using JBoss with JAAS and I figured that using BlazeDS just uses JAAS login module to perform authentication.
  * Will it use JAAS for authorization too? Will EJB method level permission will still apply?
  * How can I use the Subject/Principals/Policies in the client side flex application to inflect some UI restrictions on unauthorized operations?
  Thanks,
  Eyal

  Hey Jiby,
  I already posted this question to the forum http://swforum.sun.com/jive/thread.jspa?threadID=44893&tstart=15 prior to opening this ticket with Sun
  Regards
  Matthew Key

• How to setting oracle.jps.authorization.provider through EM

  Hi,
  I have installed Oracle SOA 11.1.1.5. How can I set the logging level of oracle.jps.authorization.provider in EM Console. I don't see this under EM Console -> Log configuration.
  Thanks

  Hi swati,
  1. for this u will also require help of basis team.
  2. these are the steps.
  a) make an entry in DBCON
  b) make connection string
  (on the physical application server,
  so that it can connect to secondary database)
  (this will be done by basis team,
  in which, they will specify the
  IP address of the secondary database server,
  the DATABASE ID, and the port number)
  c) then using open sql / native sql,
  we can use the secondary database connection,
  just like normal.
  d) if we use open sql,
  then there must be Y/Z table on
  sap as well as secondary database,
  and the field names , their type all should be identical.
  regards,
  amit m.

• How to set role to a resource (portal, portlet..)

  Hi everybody,
  I have a resource's name and I want to set an role entitlement to a resource (portal, portlet, book...) but I don't know how to do this by programming.
  Please help me. Thanks

  I can get all the roles entitled to a resource by programming as follows:
  String delimiter = EntitlementConstants.RESOURCE_ID_DELIMITER;
  String resourceID = "com_bea_p13n"+ delimiter +
                      "Portlet"+ delimiter
                      +"showProfile";          
  String[] roles = RolePolicyManager.listRolesForResource(ApplicationHelper.getNonVersionedAppName(),                    ApplicationHelper.getWebAppName(getRequest()), resourceID);     
  This code will return all the roles entitled to the portlet 'showProfile'.
  So I think, it is possible to set a role to a resource by programming, but I don't know how to do this.
  Anyone have an answer?
  Edited by: user11732508 on Jul 27, 2009 12:11 AM

• How to check Role based on the User ID

  Hi All,
    Based on the User ID how to check the role of the particular person[ex Employee / Manager etc].In HR module in which table the details are present.
  Thanks.
  Regards
  Tina

  Hi Tina,
  Use FM: <b>HR_GETEMPLOYEEDATA_FROMUSER</b>
  This will give you all info related to User ID.
  In parameter EMPLOYEESUBGROUP , you will get position of this employee.
  Hope this helps.
  Regds,
  Akshay Bhawgat
  Note: Some points would be nice if it helps.
  Message was edited by: Akshay Bhagwat

• How to do Role and Authorization check in report program

  Hi Friends,
  Please provide me your guidance on how to add or give coding to check role authorisation of a particular field, input from selection screen.
  My requirement is,
  If the Fund center filed in my select option parameter has been filled, then I have to check the role authoriszation(which was created already) in the At selection-screen event to check and give access to the user to run the process further.
  Say my Fund center is "SH'
  and my Role authorisation to be settled to all users 'ZMM_BXI'.
  How to implement in report program, Please advise.
  Thanks & Regards
  Babu.

  Sorry SDN,
  Posted in a wrong Forum page.
  Please excuse.