J2ee policy agent + Access Manager sample
Hello,
I would like to secure my J2EE application by using the J2EE policy agent in combination with Sun Identity Manager 6.1 (Access Manager).
I am new to this area, so I would like to ask if somebody knows of any SAMPLE application / example / tutorial that shows step by step how to cover this area.
Thank you very much for any advice or link.
-Eugen
...\jstudioE704Q4\AppServer7\domains\domain1\server1\logs\server.log
[26/Sep/2005:18:59:11] INFO ( 1356): CORE3282: stdout: IN WebContainer>>moduleDeployed: customerinfoabout to close all connections
[26/Sep/2005:18:59:12] INFO ( 1356): CORE3276: Installing a new configuration
[26/Sep/2005:18:59:17] INFO ( 1356): WEB0100: Loading web module [CustomerInfo] in virtual server [server1] at [CustomerInfo]
[26/Sep/2005:18:59:17] INFO ( 1356): WEB0121: Enabling no persistence for web module [CustomerInfo]'s sessions: persistence-type = [memory]
[26/Sep/2005:18:59:17] INFO ( 1356): WEB0100: Loading web module [customerinfo] in virtual server [server1] at []
[26/Sep/2005:18:59:21] INFO ( 1356): CORE3280: A new configuration was successfully installed
[26/Sep/2005:18:59:21] INFO ( 1356): WEB4004: Closing web application environment for virtual server [server1]
[26/Sep/2005:18:59:33] SEVERE ( 1356): HTTP3068: Error receiving request from 192.168.1.222 (Overlapped I/O operation is in progress.)
[26/Sep/2005:18:59:33] SEVERE ( 1356): HTTP3068: Error receiving request from 192.168.1.222 (Overlapped I/O operation is in progress.)
[26/Sep/2005:18:59:33] SEVERE ( 1356): HTTP3068: Error receiving request from 192.168.1.222 (Overlapped I/O operation is in progress.)
[26/Sep/2005:18:59:33] INFO ( 1356): CORE3282: stdout: LENGTH_OF_GENERATED_UUID = 29
[26/Sep/2005:19:00:29] INFO ( 1356): CORE3282: stdout: IN WebContainer>>moduleRedeployed: /customerinfoabout to close all connections
[26/Sep/2005:19:00:29] INFO ( 1356): CORE3276: Installing a new configuration
[26/Sep/2005:19:00:30] INFO ( 1356): WEB0100: Loading web module [CustomerInfo] in virtual server [server1] at [CustomerInfo]
[26/Sep/2005:19:00:30] INFO ( 1356): WEB0121: Enabling no persistence for web module [CustomerInfo]'s sessions: persistence-type = [memory]
[26/Sep/2005:19:00:30] INFO ( 1356): WEB0100: Loading web module [customerinfo] in virtual server [server1] at []
[26/Sep/2005:19:00:31] INFO ( 1356): CORE3280: A new configuration was successfully installed
[26/Sep/2005:19:00:31] INFO ( 1356): WEB4004: Closing web application environment for virtual server [server1]
[26/Sep/2005:19:09:30] INFO ( 1356): CORE3282: stdout: IN WebContainer>>moduleRedeployed: /customerinfoabout to close all connections
[26/Sep/2005:19:09:31] INFO ( 1356): CORE3276: Installing a new configuration
[26/Sep/2005:19:09:31] INFO ( 1356): WEB0100: Loading web module [CustomerInfo] in virtual server [server1] at [CustomerInfo]
[26/Sep/2005:19:09:31] INFO ( 1356): WEB0121: Enabling no persistence for web module [CustomerInfo]'s sessions: persistence-type = [memory]
[26/Sep/2005:19:09:31] INFO ( 1356): WEB0100: Loading web module [customerinfo] in virtual server [server1] at []
[26/Sep/2005:19:09:33] INFO ( 1356): CORE3280: A new configuration was successfully installed
[26/Sep/2005:19:09:33] INFO ( 1356): WEB4004: Closing web application environment for virtual server [server1]
[26/Sep/2005:19:09:49] SEVERE ( 1356): HTTP3068: Error receiving request from 192.168.1.222 (Overlapped I/O operation is in progress.)
[26/Sep/2005:19:10:43] INFO ( 1356): CORE3282: stdout: IN WebContainer>>moduleRedeployed: /customerinfoabout to close all connections
[26/Sep/2005:19:10:43] INFO ( 1356): CORE3276: Installing a new configuration
[26/Sep/2005:19:10:44] INFO ( 1356): WEB0100: Loading web module [CustomerInfo] in virtual server [server1] at [CustomerInfo]
[26/Sep/2005:19:10:44] INFO ( 1356): WEB0121: Enabling no persistence for web module [CustomerInfo]'s sessions: persistence-type = [memory]
[26/Sep/2005:19:10:44] INFO ( 1356): WEB0100: Loading web module [customerinfo] in virtual server [server1] at []
[26/Sep/2005:19:10:45] INFO ( 1356): CORE3280: A new configuration was successfully installed
[26/Sep/2005:19:10:45] INFO ( 1356): WEB4004: Closing web application environment for virtual server [server1]
I could not find a log file, neither in
...\jstudioE704Q4\PolicyAgent\IdentityServer\j2ee_agents\logs
nor in
...\jstudioE704Q4\PolicyAgent\IdentityServer\j2ee_agents\logs\D__Sun_jstudioE704Q4_AppServer7_domains_domain1_server1_config\
Do you know any other log files to check?
Thanks.
--Eugen
Similar Messages
-
I have read about a J2EE policy agent for the identity server. Does such a thing exist?
I am thinking about the scenario where I register a service with the identity server, assign the service and policy to users, and then deploy my service as a webapp to the sunone appserver. Whenever a client attempts access to my webapp, they would be redirected from the appserver to the Identity server login page for SSO and then forwarded back to my webapp, authenticated. The application could then read the user's service properties and policy from the identity server to personalize the app.
How can this be achieved? Would it involve creating a custom JAAS LoginModule for the appserver? I had issues with trying to install some of the identity server servlets in a normal webapp running in Tomcat due to the amserver.properties and the crypto libs for the JAAS.
Hi Aaron,
Let me take a stab at this and answer to the best of my ability.
Currently J2EE agents are available only for WebLogic; in future they will be available for other servers as well, based on customer requirements.
I am thinking about the scenario where I register a service with the identity server, assign the service and policy to users, and then deploy my service as a webapp to the sunone appserver. Whenever a client attempts access to my webapp, they would be redirected from the appserver to the Identity server login page for SSO and then forwarded back to my webapp, authenticated. The application could then read the user's service properties and policy from the identity server to personalize the app.
** This sounds possible, though you might have to run the Identity Server SDK from the app server machine.
** The next release of Identity Server will support a JAAS authentication module.
** In the next two or three months Identity Server and Portal Server will be available with support for App Servers instead of just running on top of the web server as it is today.
-
Please note that as of July 27, 2005, Sun JCE 1.2.1 has expired. For details see the following URL.
http://jp.sunsolve.sun.com/search/document.do?assetkey=1-26-101796-1&searchclause=
We have evaluated the impact and the following J2EE agents will stop functioning as of this date.
1. J2EE policy agent for BEA WebLogic Server 6.1 SP2 : Solaris/HP-UX/Win2000 [version 2.1 and 2.1.1]
2. J2EE policy agent for PeopleSoft 8.3/8.4/8.8 : Solaris/Win2000/AIX 5.1,5.2 [version 2.1 and 2.1.1]
Both these agents should stop functioning fully as of 27 July 2005. Please follow the steps listed below to rectify the situation:
1. Download JCE 1.2.2 from URL : http://java.sun.com/products/jce/index-122.html
2. Once you download the zip file, extract the following jar files
* US_export_policy.jar
* local_policy.jar
* jce1_2_1.jar
* sunjce_provider.jar
3. Replace the four JCE lib jars in the agent installation with the jars downloaded from JCE 1.2.2
Please note that only the two agents mentioned above will be affected; all other agent installations should not be impacted by the expiration of Sun JCE 1.2.1. Thanks, Jerry
-
Hi,
Could anyone who has installed a J2EE Policy Agent please send me the following jar files zipped up? My email address is [email protected]. Thanks for your help.
/opt/SUNWam/j2ee_agents/lib/am_agent_sdk_2_1.jar
/opt/SUNWam/j2ee_agents/lib/am_agent_filter_2_1.jar
/opt/SUNWam/j2ee_agents/lib/am_as81_agent_2_1.jar
-
Difference between web policy agent and j2ee Policy agent ?
http://docs.sun.com/app/docs/doc/820-5816/ghscr?a=view
-
J2EE Policy agent - login page config questions
Hi,
I'm trying to configure a customized login page for an application that is protected by an AM Policy Agent 2.2-01 on SJSAS 8.2.
I am aware of this link:
http://docs.sun.com/app/docs/doc/820-2539/gatai?l=en&a=view .
This describes configuring the custom login for an app. Based on the doc, I have configured the following:
1. I have the agent and my app on one instance on myhost.mydomain.com
2. A url policy is protecting my app, configured in Access Manager 7.1. The url is http://myhost.mydomain.com:38080/myapp/*
3. In my app's web.xml I have the following:
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/loginerror.jsp</form-error-page>
</form-login-config>
</login-config>
4. In AMAgent.properties:
com.sun.identity.agents.config.login.form[0] = /myapp/login.jsp
com.sun.identity.agents.config.login.error.uri[0] = /myapp/loginerror.jsp
com.sun.identity.agents.config.login.use.internal = false
com.sun.identity.agents.config.login.content.file = FormLoginContent.txt
There doesn't seem to be any change in the login page when I go to my app. It just redirects to the Access Manager login page, and when I log in it redirects back to the app. The security behavior is correct, but I would like the login page to be unique to the app.
So my questions are:
1. Am I using com.sun.identity.agents.config.login.use.internal correctly? I don't want it to use the internal login, but my login file, right?
2. My login page is protected by my url policy. Is that a problem? Should I be using com.sun.identity.agents.config.notenforced.uri[0] on the login page?
3. Can anyone clarify to me exactly how and where the contents of FormLoginContent.txt are used?
I'm kind of new to AM and Policy Agents, so I apologize if my questions seem very newb. Any help is appreciated. Thanks!
-Matt
Changing com.sun.identity.agents.config.filter.mode to URL_POLICY seemed to help. I am now seeing /myapp/login.jsp as the login page for my app. The logins themselves are failing, however. I am confused as to how to set up the JSP to work with the agent to log in.
-Matt
-
Authorization issue with J2EE Policy Agent for AS7
Following the documentation I have created a simple J2EE application with a servlet and 2 JSPs. The 2 JSPs, customer.jsp and admin.jsp, are mapped to /customer and /admin. The entire web application is subject to a filter like:
<filter>
<filter-name>Agent</filter-name>
<display-name>Agent</display-name>
<description>SunTM ONE Identity Server Policy Agent for SunTM ONE Application Server 7.0</description>
<filter-class>com.sun.amagent.as.filter.AgentFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>Agent</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
The two resources /customer and /admin are subject to security constraints like:
<security-constraint>
<web-resource-collection>
<web-resource-name>col2</web-resource-name>
<url-pattern>/customer</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>customer</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
The role-to-principal mapping is done in the sun-web.xml like:
<security-role-mapping>
<role-name>customer</role-name>
<group-name>customer</group-name>
<principal-name>amAdmin</principal-name>
</security-role-mapping>
<security-role-mapping>
<role-name>admin</role-name>
<group-name>admin</group-name>
<principal-name>amAdmin</principal-name>
</security-role-mapping>
Two roles, 'customer' and 'admin', are created via the Identity Server console and users are added to these roles.
The application deploys OK; when the app is accessed the user is redirected to the Identity Server and is authenticated fine. The user is directed to the main servlet and is allowed to access the two JSPs. All is good till now, but when the user accesses one of these links, say /customer, access is denied (403). The server log prints out:
[21/May/2003:10:34:24] FINE ( 6036): servletPath = /customer
[21/May/2003:10:34:24] FINE ( 6036): pathInfo = null
[21/May/2003:10:34:24] FINE ( 6036): SingleSignOn[ids]: Process request for '/idssample/customer'
[21/May/2003:10:34:24] FINE ( 6036): SingleSignOn[ids]: Checking for SSO cookie
[21/May/2003:10:34:24] FINE ( 6036): SingleSignOn[ids]: SSO cookie is not present
[21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: Security checking request GET /idssample/customer
[21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: We have cached auth type PROGRAMMATIC for principal amAdmin
[21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: Checking constraint 'SecurityConstraint[col2]' against GET /customer --> false
[21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: Checking constraint 'SecurityConstraint[col2]' against GET /customer --> true
[21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: Subject to constraint SecurityConstraint[col2]
[21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: Calling checkUserData()
[21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: User data constraint has no restrictions
[21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: Calling authenticate()
[21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: User authentication is not required
[21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: Calling accessControl()
[21/May/2003:10:34:24] FINEST ( 6036): PRINCIPAL : amAdmin hasRole?: customer
[21/May/2003:10:34:24] FINEST ( 6036): PRINCIPAL TABLE: {}
[21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: Failed accessControl() test
[21/May/2003:10:34:24] WARNING ( 6036): CORE3283: stderr: <May 21, 2003 10:34:24 AM CDT> <Agent> <Info> AgentRealm.getGroupNames(amAdmin)
[21/May/2003:10:34:24] WARNING ( 6036): CORE3283: stderr: <May 21, 2003 10:34:24 AM CDT> <Agent> <Info> AgentRealm.getGroupNames(amAdmin) => java.util.Vector$1@bb60ad
Now, snooping around, I have found that AgentRealm.getGroupNames(userdn) does return the correct groups, viz. customer, admin, anyone.
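Added example, not code from the thread or from Sun's agent: a Python cross-check of the posted web.xml constraints against the sun-web.xml role mapping that predicts what the container's accessControl() should have answered, so the logged PRINCIPAL TABLE: {} can be compared with the role set the mapping implies. The second constraint (col3 for /admin) and the DELETE case are constructed here, and URL matching follows the servlet-spec rules in simplified form.

```python
# Added example, not from the thread: predict the container's role check from web.xml and sun-web.xml.
import xml.etree.ElementTree as ET

# Constructed from the fragments posted above; col3 (/admin) is added to mirror the second role.
WEB_XML = """<web-app>
<security-constraint>
 <web-resource-collection>
  <web-resource-name>col2</web-resource-name>
  <url-pattern>/customer</url-pattern>
  <http-method>GET</http-method>
  <http-method>POST</http-method>
 </web-resource-collection>
 <auth-constraint><role-name>customer</role-name></auth-constraint>
</security-constraint>
<security-constraint>
 <web-resource-collection>
  <web-resource-name>col3</web-resource-name>
  <url-pattern>/admin</url-pattern>
 </web-resource-collection>
 <auth-constraint><role-name>admin</role-name></auth-constraint>
</security-constraint>
</web-app>"""

SUN_WEB_XML = """<sun-web-app>
<security-role-mapping>
 <role-name>customer</role-name>
 <group-name>customer</group-name>
 <principal-name>amAdmin</principal-name>
</security-role-mapping>
<security-role-mapping>
 <role-name>admin</role-name>
 <group-name>admin</group-name>
 <principal-name>amAdmin</principal-name>
</security-role-mapping>
</sun-web-app>"""

def load_constraints(web_xml):
    """url-pattern -> (constrained HTTP methods, required roles); no methods listed means all."""
    rules = {}
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        roles = {r.text.strip() for r in sc.iter("role-name")}
        for wrc in sc.iter("web-resource-collection"):
            methods = {m.text.strip() for m in wrc.iter("http-method")}
            for up in wrc.iter("url-pattern"):
                rules[up.text.strip()] = (methods, roles)
    return rules

def load_role_mapping(sun_web_xml):
    """role -> (groups, principals) as declared in sun-web.xml."""
    mapping = {}
    for srm in ET.fromstring(sun_web_xml).iter("security-role-mapping"):
        role = srm.find("role-name").text.strip()
        groups = {g.text.strip() for g in srm.iter("group-name")}
        principals = {p.text.strip() for p in srm.iter("principal-name")}
        mapping[role] = (groups, principals)
    return mapping

def unmapped_roles(rules, mapping):
    """Roles demanded by an auth-constraint but never mapped: every request there ends in 403."""
    return sorted({r for _, roles in rules.values() for r in roles} - set(mapping))

def roles_of(principal, groups, mapping):
    """Roles a principal holds directly or through any group the realm reported for it."""
    return {role for role, (gs, ps) in mapping.items() if principal in ps or gs & set(groups)}

def matches(pattern, path):
    """Servlet-spec style matching: exact, prefix (/x/*), extension (*.ext) or default (/)."""
    if pattern == path or pattern == "/":
        return True
    if pattern.endswith("/*"):
        base = pattern[:-2]
        return path == base or path.startswith(base + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return False

def decide(path, method, principal, groups, rules, mapping):
    """(allowed, required roles, held roles): a simplified accessControl() for one request."""
    required = set()
    for pattern, (methods, roles) in rules.items():
        if matches(pattern, path) and (not methods or method in methods):
            required |= roles
    held = roles_of(principal, groups, mapping)
    return (not required or bool(required & held), required, held)
```

With the posted mapping, amAdmin in group customer should hold role customer and be allowed on /customer, which is why the empty PRINCIPAL TABLE in the log points at the realm-to-container group hand-off rather than at web.xml; note also that a DELETE to /customer is allowed to anyone, because the constraint lists only GET and POST.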
PLEASE HELP
-- Second Update --
After policy installation I got several problems with the PeopleSoft configuration, which were finally solved.
1. Some URLs have to be defined as not enforced.
com.sun.am.policy.amFilter.notenforcedList[1]=/ps/images/*
com.sun.am.policy.amFilter.notenforcedList[2]=*.css
com.sun.am.policy.amFilter.notenforcedList[3]=*.ico
2. In versions older than PeopleSoft 8.4.2 the policy agent modified the file
/opt/fs/webserv/peoplesoft/applications/peoplesoft/PORTAL/WEB-INF/psftdocs/ps/configuration.properties to add the properties:
byPassSignon=TRUE
defaultUserid="DEFAULT_USER"
defaultPWD="your password"
signon_page=amsignin.html
signonError_page=amsignin.html
logout_page=amsignin.html
expire_page=amsignin.html
However, in the newer versions of PeopleSoft these properties are controlled from the online PeopleSoft console. They are set at:
PeopleTools --> WebProfile --> WebProfileConfiguration --> [PROFILE] --> Security --> In section "Public Users", the parameters that have to be changed are:
Allow Public Access (checked)
User ID : DEFAULT_USER
Password : your password
HTTP Session Inactivity : (SSO TIMEOUT)
and:
PeopleTools --> WebProfile --> WebProfileConfiguration --> [PROFILE] --> Look and Feel -->
In section "SignOn/Logout" set the following values:
Signon Page : amsignin.html
Signon Error Page : amerror.html
Logout Page : amsignout.html
Note: After making any changes on the console; restart PIA (weblogic instance).
With this, the SSO with PeopleSoft is working OK.
Message was edited by: LpzYlnd
-
Do I have to configure realm policy in Access Manager for IDM SPML Request
Hi all,
I wanted to run an SPML request from my application to the IDM, which is presently protected by an AM server. Somehow, I get the following error while I run a search using SpmlClient:
org.openspml.util.SpmlException: Unsupported response content type "text/html", must be: "text/xml".
Do I have to set a policy in Sun Access Manager for the realm? Guys, please help.
Thanks,
Aneesh.
-
> I believe as long as you have access to the above two you can turn the CA off if you want.
Enterprise CAs are not intended to be offline. Therefore, you should not turn them off. If these root CAs issue certificates only to subordinate CAs, then you should consider implementing offline Standalone (not Enterprise) Root CAs.
> I believe the location of the CRL is detailed in the CDP which is detailed on the Certs issued but a given CA, so the client can look in the Cert and see what it states about the CDP and thereby get the list of revoked certs.
This is correct.
> to place its CDP at a location other than the default location in case it overwrites the existing CRL at the default location
No, CDP locations should be defined in the post-installation script.
> does the fully qualified X500 name of the CDP include the CA Name (and therefore be unique) and it will not over write the original
Yes, the LDAP URL includes the CA server's NetBIOS name to differentiate between CAs.
-
I have been trying to run one of the samples supplied with Access Manager 2005Q, namely the authentication sample in /SUNWam/samples/authentication/spi/providers.
The sample seems to compile fine (after changing the encoding used). The question I have is: what to do next? Following the text in the developer's guide and README, it says to move the .jar file to SUNWam/web-src/services/WEB-INF/lib and the .xml file to SUNWam/web-src/services/WEB-INF/lib.
I'm running Access Manager on a web server, so I then reload amserver.war on the server, change the server's classpath so that the new .jar file (LoginModuleSample.jar) is there, and restart the server.
Am I missing something in this process? The auth module never seems to work, either giving me an authentication failed message, or an internal authentication error.
Thanks for any help
Keano
Hi Keano,
I don't know what steps you are missing, but you can try the example below:
http://developers.sun.com/prodtech/identserver/reference/techart/authentication.html
Thanks,
Raj
-
What does the LoginModule sample do in the Access Manager samples
hi,
Thanks for reading my question. I just wanted to know what the Login Module sample shows to a user.
Thanks
dhawanmayur
-
Hi Lars,
Would the information in the link below help you?
https://websmp208.sap-ag.de/~sapidb/011000358700002294272006E
From what I understand, the only thing that Service Connector does is to "give the approval and the connection parameters" to your local SAP Router to initiate a network tunnel between your local SAP Router and SAP's SAP Router.
I hope this helps.
-
NSAPI in Access Manager & Policy Agent
Hi all,
May I know whether it is possible to use NSAPI as a communication channel between the policy agent and Access Manager?
I have installed Sun ONE Web Server together with the policy agent; Access Manager is installed on another machine.
I've looked through all related documentation but could not find NSAPI for policy agent or access manager.
Thanks in advance!
-
Securing web services with Sun Access Manager
Hi!
I have gone through some documentation about Sun Access Manager, and I'm a little bit confused.
What I want is to secure some web services which are deployed on a BEA WebLogic 9.1 server (WLS). Two solutions are possible: to install some kind of plugin into WLS, or to place some kind of proxy in front of WLS. In both cases, the purpose would be to authenticate the caller based on some kind of ticket (SAML or similar) and authorize access to the web service.
I have read about the "Sun Java System Access Manager Policy Agent 2.2 for Weblogic 9.1" (those guys really like long names....), but in this documentation web services aren't mentioned at all. They only seem to care about HTTP requests from a browser.
I have also read about the Policy Agent 2.2 in the documentation called "Sun Java System Access Manager Policy Agent 2.2 Guide for Sun Java System Application Server 9.0/Web Services" (puh...). This document explicitly talks about securing web services the way I want.
My questions are:
1) Is it possible to secure WLS based web services in the same way using the Policy Agent for WLS?
2) Are there any documentation/tutorials/etc?
Thanks in advance :-)
Anders
What you need is a web services agent that would enable you to "protect" your web service provider, which I assume is on BEA WebLogic.
The "Sun Java System Access Manager Policy Agent 2.2 for Weblogic 9.1" is NOT a web services agent, but a normal J2EE policy agent.
So, having said that, here's what I'd recommend:
1. install the webservices agent on bea weblogic. (note: NOT the J2EE policy agent)
2. configure it to use your access manager instance for authentication.
3. Configure your web services client to use the web service provider. (Note: you'd need the web services APIs available on the client too, so the quick and dirty method would be to install the web services agent on your client too.) You can later bundle the web services client independently and provide your "customers" with a web services client bundle.
4. Voila... your web services are now "protected" by Access Manager ;-)
-
Error 403 returned from WebSphere running Policy Agent
Hi,
I'm getting an error 403 (forbidden) in my browser when I try to access a URL that I have protected using a Policy that I have set up in SAM.
My configuration is as follows:
Sun Access Manager 6 2005Q1 on Solaris
WebSphere AppServer 5.1.1.5 on Win 2000
WebSphere 5.0 Policy Agent 2.1 on Win 2000
At the moment, all I'm trying to do is protect a URL which is contained in a simple WAR file which I have deployed on WAS.
As per the J2EE Policy Agents guide, I have installed the Agent Filter by adding the following into web.xml:
<web-app>
<display-name>...</display-name>
<description>...</description>
<filter>
<filter-name>Agent</filter-name>
<display-name>Agent</display-name>
<description>SunTM ONE Identity Server Policy Agent</description>
<filter-class>com.sun.identity.agents.websphere.AmWAS50AgentFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>Agent</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
</web-app>
I've switched on Global Security in WAS and successfully logged back into the WebSphere Console using amldapuser. This confirms that the Agent Realm is working correctly.
In SAM I set up a Policy with a Rule that specified the URL I want to protect. I added a Subject to this Rule of type LDAP User. The user I chose was amadmin (for the moment).
I also configured an Agent with agentRootURL=http://<WAS fully qualified domain name>:9080/
When I try to access the URL of the servlet in the WAR, I am redirected to the SAM's login page
http://<SAM fully qualified domain name>/amserver/UI/Login?goto=http%3A%2F%2F<WAS fully qualified domain name>%3A9080%2FRoamingApp%2FRoaming
However, when I enter amadmin / <password>, error 403 is returned to the browser.
I've checked the logs on SAM.
From amAuthentication.access
"2005-07-28 11:58:15" "Login Success" LDAP dc=acme,dc=com INFO uid=amAdmin,ou=People,dc=acme,dc=com <WAS IP address> "cn=dsameuser,ou=DSAME Users,dc=acme,dc=com" <WAS IP address>
From amSSO.access
"2005-07-28 11:58:15" "SESSION CREATE" amSSO.access dc=acme,dc=com INFO uid=amAdmin,ou=People,dc=acme,dc=com <WAS IP address> "cn=dsameuser,ou=DSAME Users,dc=acme,dc=com" <WAS IP address>
From agent.log (Policy Agent on Win 2000)
[Thursday, July 28, 2005 11:58:15 AM BST] [null]
Access to http://<WAS fully qualified domain name>:9080/RoamingApp/Roaming denied for user UNKNOWN
Perhaps I don't have the Policy in SAM configured correctly... If anyone has come across this kind of problem before, I would greatly appreciate any help they can give me.
Thanks,
Justin
Thanks for getting back to me, Jerry.
I had a look at the role-to-principal mappings you suggested. To do this I added a security constraint to my web.xml file.
Then I reconfigured WebSphere so that the Active User Registry = LDAP instead of Custom. This allowed me to assign the LDAP group (in SAM) to the role (in web.xml). WAR file installed fine with these new bindings and I restarted WAS.
Unfortunately, I'm still getting Error 403 in the browser!
Any ideas as to what I might be doing wrong? Any help you can give me would be much appreciated.
This is the amFilter log file from the Policy Agent...
07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
AmFilter: incoming request =>
HttpServletRequest: class => com.ibm.ws.webcontainer.srt.SRTServletRequest@1af52898
Character Encoding : null
Content Lenght : -1
Content Type : null
Locale : en_IE
Accept Locales:
en_IE
Protocol : HTTP/1.1
Remote Address : 172.20.13.96
Remote Host : 172.20.13.96
Scheme : http
Server Name : dubwrk1589.ie.pri.o2.com
Server Port : 9080
Is Secure : false
Auth Type : null
Context Path : /RoamingApp
Cookies:
amFilterParam: AQIC5wM2LY4Sfcx0xX1Z1+1tK4SfLh/aCFlbIGuRNEPcAVc=
amFilterRDParam: AQIC5wM2LY4Sfcwb7v6Sof6MpnvtyR8nae7hiKN7Y11QjCagyWAs9LzbAeB9Q4TP8VjruhK+oYForXxw/qq6TqbMAN1PlT1YOQI3Vy92iAaJ2N9x2bSRaUU7NlwZg8oTti+JOLdiRMTzwO17jIoWwCIx/0CtoQXpkX/meuAoFwf1feyAEp2NvK7AIbE82f/p8o4LxQbhK2NQNec=
WASReqURL: http://dubwrk1589.ie.pri.o2.com:9080/RoamingApp/Roaming
JSESSIONID: 0000HRZTVpt84dvtjaLaKWBnwzu:-1
Headers:
accept:
image/gif
image/x-xbitmap
image/jpeg
image/pjpeg
application/msword
application/vnd.ms-excel
application/vnd.ms-powerpoint
application/x-shockwave-flash
referer:
http://sam.digifone.com/amserver/UI/Login?goto=http%3A%2F%2Fdubwrk1589.ie.pri.o2.com%3A9080%2FRoamingApp%2Flogin.jsp
accept-language:
en-ie
cookie:
amFilterParam=AQIC5wM2LY4Sfcx0xX1Z1+1tK4SfLh/aCFlbIGuRNEPcAVc=; amFilterRDParam=AQIC5wM2LY4Sfcwb7v6Sof6MpnvtyR8nae7hiKN7Y11QjCagyWAs9LzbAeB9Q4TP8VjruhK+oYForXxw/qq6TqbMAN1PlT1YOQI3Vy92iAaJ2N9x2bSRaUU7NlwZg8oTti+JOLdiRMTzwO17jIoWwCIx/0CtoQXpkX/meuAoFwf1feyAEp2NvK7AIbE82f/p8o4LxQbhK2NQNec=; WASReqURL=http://dubwrk1589.ie.pri.o2.com:9080/RoamingApp/Roaming; JSESSIONID=0000HRZTVpt84dvtjaLaKWBnwzu:-1
accept-encoding:
gzip
deflate
user-agent:
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
host:
dubwrk1589.ie.pri.o2.com:9080
connection:
Keep-Alive
cache-control:
no-cache
Method : GET
Path Info : null
Path Trans : null
Query String : null
Remote User : null
Requested Session ID : 0000HRZTVpt84dvtjaLaKWBnwzu:-1
Request URI : /RoamingApp/login.jsp
Servlet Path : /login.jsp
Session : true
User Principal : null
Attributes:
com.ibm.servlet.engine.webapp.dispatch_type: forward
07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
FQDNHandler: Incoming Server Name: [dubwrk1589.ie.pri.o2.com] Result: null
07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
PatternRule{*/j_security_check}.matchString(/RoamingApp/login.jsp) => false
07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
NotEnforcedListManager.isNotEnforced(/RoamingApp/login.jsp) => false
07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
AmFilter: Login attempt number: 10
07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
AmFilter: SSO Validation failed for null
07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
AmFilter: Reseting Cookies in Response
07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
WARNING: AmFilter: Login attempt number 10 failed for request URI: /RoamingApp/login.jsp
07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
URLFailoverHelper: Checking if http://sam.digifone.com:80/amserver/UI/Login is available
07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
URLFailoverHelper: URL http://sam.digifone.com:80/amserver/UI/Login is available
07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
URLFailoverHelper: getAvailableURL() => http://sam.digifone.com:80/amserver/UI/Login
07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
AmFilter: redirectURL is: http://sam.digifone.com:80/amserver/UI/Login?goto=http%3A%2F%2Fdubwrk1589.ie.pri.o2.com%3A9080%2FRoamingApp%2Flogin.jsp
07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
WARNING: AmFilter: redirect attempt limit reached for http://sam.digifone.com:80/amserver/UI/Login?goto=http%3A%2F%2Fdubwrk1589.ie.pri.o2.com%3A9080%2FRoamingApp%2Flogin.jsp, access will be denied
07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
AmFilter: Using 403 forbidden to block access
07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
getResource: id = 20004
07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
AmFilter: result =>
FilterResult:
Status : FORBIDDEN
RedirectURL : null
RequestHelper:
null
Data:
null
07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
getResource: id = 20008
-
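Added example, not code from the thread or from Sun's agent: a Python checker that reads an amFilter log like Justin's above and explains the 403 it ends in; its last check also speaks to Matt's earlier question about whether the login page belongs on the not-enforced list. It assumes the AM session cookie keeps its default name (iPlanetDirectoryPro) and compares hosts by their last two DNS labels only.

```python
# Added example, not from the thread: parse a J2EE policy agent amFilter log and explain a 403.
import re
from urllib.parse import urlparse

SSO_COOKIE = "iPlanetDirectoryPro"  # assumption: AM's default session cookie name, not renamed
TS_RE = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}:\d{3} [AP]M \S+: Thread\[")
URI_RE = re.compile(r"^Request URI : (\S+)")
ATTEMPT_RE = re.compile(r"AmFilter: Login attempt number: (\d+)")
NOTENF_RE = re.compile(r"isNotEnforced\((\S+)\) => (true|false)")
SSO_FAIL_RE = re.compile(r"AmFilter: SSO Validation failed for (\S+)")
REDIRECT_RE = re.compile(r"AmFilter: redirectURL is: (\S+)")
STATUS_RE = re.compile(r"AmFilter: Using (\S+ \S+) to block access")

# Constructed sample: the poster's log above, trimmed to the entries the diagnosis reads.
SAMPLE_LOG = """\
07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
AmFilter: incoming request =>
Cookies:
amFilterParam: AQIC5wM2LY4Sfcx0xX1Z1+1tK4SfLh/aCFlbIGuRNEPcAVc=
JSESSIONID: 0000HRZTVpt84dvtjaLaKWBnwzu:-1
Headers:
host:
dubwrk1589.ie.pri.o2.com:9080
Request URI : /RoamingApp/login.jsp
07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
NotEnforcedListManager.isNotEnforced(/RoamingApp/login.jsp) => false
07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
AmFilter: Login attempt number: 10
07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
AmFilter: SSO Validation failed for null
07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
AmFilter: redirectURL is: http://sam.digifone.com:80/amserver/UI/Login?goto=http%3A%2F%2Fdubwrk1589.ie.pri.o2.com%3A9080%2FRoamingApp%2Flogin.jsp
07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
WARNING: AmFilter: redirect attempt limit reached for http://sam.digifone.com:80/amserver/UI/Login, access will be denied
07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
AmFilter: Using 403 forbidden to block access
"""

def split_entries(text):
    """Group the log into entries: a timestamp line followed by its message lines."""
    entries = []
    for line in text.splitlines():
        if TS_RE.match(line):
            entries.append([])
        elif entries:
            entries[-1].append(line.rstrip())
    return entries

def parse_request_dump(entry, d):
    """Read the request URI, Host header and cookie names from an 'incoming request' dump."""
    in_cookies = False
    for i, line in enumerate(entry):
        if line == "Cookies:":
            in_cookies = True
        elif line == "Headers:":
            in_cookies = False
        elif in_cookies and ": " in line:
            d["cookies"].append(line.split(": ", 1)[0])
        elif line == "host:" and i + 1 < len(entry):
            d["agent_host"] = entry[i + 1].split(":")[0]
        elif m := URI_RE.match(line):
            d["request_uri"] = m.group(1)

def diagnose(text):
    """Collect the agent's decisions, then explain why it answered 403 instead of admitting the user."""
    d = {"request_uri": "", "agent_host": "", "am_host": "", "cookies": [], "login_attempts": 0,
         "sso_token": None, "not_enforced": None, "limit_reached": False, "status": "", "findings": []}
    for entry in split_entries(text):
        if entry and entry[0].startswith("AmFilter: incoming request"):
            parse_request_dump(entry, d)
        for line in entry:
            if m := ATTEMPT_RE.search(line):
                d["login_attempts"] = int(m.group(1))
            elif m := NOTENF_RE.search(line):
                d["not_enforced"] = m.group(2) == "true"
            elif m := SSO_FAIL_RE.search(line):
                d["sso_token"] = m.group(1)  # "null": the agent received no session token at all
            elif m := REDIRECT_RE.search(line):
                d["am_host"] = urlparse(m.group(1)).hostname or ""
            elif m := STATUS_RE.search(line):
                d["status"] = m.group(1)
            elif "redirect attempt limit reached" in line:
                d["limit_reached"] = True
    # Last two DNS labels only: a simplification that ignores public-suffix rules.
    def domain(host): return ".".join(host.split(".")[-2:])
    f = d["findings"]
    if d["limit_reached"] and d["status"].startswith("403"):
        f.append(f"redirect loop: {d['login_attempts']} trips to the AM login page for {d['request_uri']} "
                 "never produced a session the agent could validate")
    if d["sso_token"] == "null" and SSO_COOKIE not in d["cookies"]:
        f.append(f"no {SSO_COOKIE} cookie in the request: the browser is not presenting the AM session "
                 f"to {d['agent_host']}")
    if d["agent_host"] and d["am_host"] and domain(d["agent_host"]) != domain(d["am_host"]):
        f.append(f"agent host {d['agent_host']} and AM host {d['am_host']} are in different DNS domains, "
                 "so a cookie scoped to AM's cookie domain never reaches the agent")
    if d["not_enforced"] is False and d["request_uri"].endswith("login.jsp"):
        f.append(f"{d['request_uri']} is a login page that the agent itself enforces; check whether it "
                 "belongs on the agent's not-enforced list")
    return d
```

On the sample, the agent host (o2.com) and the AM host (digifone.com) are in different DNS domains and no AM session cookie appears in the request, which is consistent with the ten failed login attempts before the 403.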
Configure security realm for external Access Manager in App server 8.1
Hi All,
I would like to protect my j2ee application using access manager running on an external host.
I would like to configure the security realm in Sun app Server 8.1 for the external Access Manager
The external host and port of AM are:
http://svrd234d.dnn.com.au:58765
Please verify if these are the correct settings for the agentRealm configuration on Sun App server 8.1.
classname="com.sun.amagent.as.realm.AgentRealm"
property name="jaas-context" value="agentRealm"
property name="base-dn" value="ou=People,dc=dnn,dc=com,dc=au"
property name="hostURL " value="http://svrd234d.dnn.com.au:58765"
Did you download the AS8.1 agent from http://www.sun.com/download/products.xml?id=4266924d?
If you can unjar am_as81_agent_2_1.jar after installing the J2EE agent, you will find AgentRealm.class under com.sun.amagent.as.realm.
Please also note that page 161 of J2EE agent guide shows how to disable AgentRealm to better fit your agent policy mode. Check it out http://docs-pdf.sun.com/816-6884-10/816-6884-10.pdf
Jerry