J2EE Policy agent - login page config questions

Hi,
I'm trying to configure a customized login page for an application that is protected by an AM Policy Agent 2.2-01 on SJSAS 8.2.
I am aware of this link:
http://docs.sun.com/app/docs/doc/820-2539/gatai?l=en&a=view .
This describes configuring the custom login for an app. Based on the doc, I have configured the following:
1. I have the agent and my app on one instance on myhost.mydomain.com
2. A url policy is protecting my app, configured in Access Manager 7.1. The url is http://myhost.mydomain.com:38080/myapp/*
3. In my app's web.xml I have the following:
  <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>/login.jsp</form-login-page>
            <form-error-page>/loginerror.jsp</form-error-page>
        </form-login-config>
  </login-config>
4. In AMAgent.properties:
com.sun.identity.agents.config.login.form[0] = /myapp/login.jsp
com.sun.identity.agents.config.login.error.uri[0] = /myapp/loginerror.jsp
com.sun.identity.agents.config.login.use.internal = false
com.sun.identity.agents.config.login.content.file = FormLoginContent.txt
There doesn't seem to be any change in the login page when I go to my app. It just redirects to the Access Manager login page, and when I log in it redirects back to the app. The security behavior is correct but I would like the login page to be unique for the app.
So my questions are:
1. Am I using com.sun.identity.agents.config.login.use.internal correctly? I don't want it to use internal login, but my login file, right?
2. My login page is protected by my url policy. Is that a problem? Should I be using com.sun.identity.agents.config.notenforced.uri[0] on the login page?
3. Can anyone clarify to me exactly how and where the contents of FormLoginContent.txt are used?
I'm kind of new to AM and Policy Agents, so I apologize if my questions seem very newb. Any help is appreciated. Thanks!
-Matt

Changing com.sun.identity.agents.config.filter.mode to URL_POLICY seemed to help. I am now seeing /myapp/login.jsp as the login page for my app. The logins themselves are failing, however. I am confused as to how to set up the jsp to work with the agent to log in.
-Matt
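
A consistency check for the two files quoted in the thread above, as an added example that is not part of the original posts or of Sun's code. It assumes, as the posted values suggest, that the agent's login.form and login.error.uri entries are the web.xml pages prefixed with the application's context path; the inputs are constructed from the post, and check() and its helpers are hypothetical names.

```python
import re
import xml.etree.ElementTree as ET

# Constructed inputs that mirror the snippets quoted in the post.
WEB_XML = """<web-app>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/loginerror.jsp</form-error-page>
    </form-login-config>
  </login-config>
</web-app>"""

AGENT_PROPS = """\
com.sun.identity.agents.config.login.form[0] = /myapp/login.jsp
com.sun.identity.agents.config.login.error.uri[0] = /myapp/loginerror.jsp
com.sun.identity.agents.config.login.use.internal = false
com.sun.identity.agents.config.login.content.file = FormLoginContent.txt
"""

PREFIX = "com.sun.identity.agents.config."


def parse_properties(text):
    """Parse simple 'key = value' lines, skipping blanks and comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def indexed(props, name):
    """Return the values of PREFIX+name[0], [1], ... in index order."""
    pat = re.compile(re.escape(PREFIX + name) + r"\[(\d+)\]$")
    hits = [(int(m.group(1)), v) for k, v in props.items() if (m := pat.match(k))]
    return [v for _, v in sorted(hits)]


def form_login_settings(web_xml):
    """Extract auth-method and the form login/error pages from web.xml."""
    wanted = ("auth-method", "form-login-page", "form-error-page")
    found = {}
    for el in ET.fromstring(web_xml).iter():
        tag = el.tag.rsplit("}", 1)[-1]  # tolerate a namespaced descriptor
        if tag in wanted:
            found[tag] = (el.text or "").strip()
    return found


def check(web_xml, agent_props, context_path):
    """Return a list of mismatches between web.xml and AMAgent.properties."""
    web = form_login_settings(web_xml)
    props = parse_properties(agent_props)
    findings = []
    if web.get("auth-method") != "FORM":
        findings.append("web.xml: auth-method is not FORM")
    pairs = (("form-login-page", "login.form"),
             ("form-error-page", "login.error.uri"))
    for element, prop in pairs:
        page = web.get(element)
        if page is None:
            findings.append(f"web.xml: missing <{element}>")
            continue
        # Assumption: the agent entry is context path + web.xml page.
        expected = context_path.rstrip("/") + page
        if expected not in indexed(props, prop):
            findings.append(f"{PREFIX}{prop}[n]: no entry equal to {expected}")
    return findings


if __name__ == "__main__":
    for finding in check(WEB_XML, AGENT_PROPS, "/myapp") or ["consistent"]:
        print(finding)
```
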

Similar Messages

  • J2EE Policy Agent

    I have read about a J2EE policy agent for the identity server. Does such thing exist?
    I am thinking about the scenario where I register a service with the identity server, assign the service and policy to users, and then deploy my service as a webapp to the sunone appserver. Whenever a client attempts access to my webapp, they would be redirected from the appserver to the Identity server login page for SSO and then forwarded back to my webapp, authenticated. The application could then read the users service properties and policy from the identity server to personalize the app.
    How can this be achieved? Would it involve creating a custom JAAS LoginModule for the appserver? I had issues with trying to install some of the identity server Servlets in a normal webapp running in tomcat due to the amserver.properties and the crypto libs for the JAAS.

    Hi Aaron,
    Let me take a stab at this and answer to the best of my ability.
    Currently J2EE agents are available only for WebLogic; in future they will be available for other servers as well, based on customer requirements.
    I am thinking about the scenario where I register a service with the identity server, assign the service and policy to users, and then deploy my service as a webapp to the sunone appserver. Whenever a client attempts access to my webapp, they would be redirected from the appserver to the Identity server login page for SSO and then forwarded back to my webapp, authenticated. The application could then read the users service properties and policy from the identity server to personalize the app.
    ** This sounds possible, though you might have to run the identity server SDK from the app server machine.
    ** The next release of identity server would be supporting JAAS authentication module.
    ** In the next two or three months Identity Server and Portal Server will be available with support for App Servers instead of just running it on top of the web server as it is today.

  • J2EE policy agent notice

    Please note that as of July 27, 2005, Sun JCE 1.2.1 has expired. For details, see the following URL.
    http://jp.sunsolve.sun.com/search/document.do?assetkey=1-26-101796-1&searchclause=
    We have evaluated the impact and the following J2EE agents will stop functioning as of this date.
    1. J2EE policy agent for BEA WebLogic Server 6.1 SP2 : Solaris/HP-UX/Win2000 [version 2.1 and 2.1.1]
    2. J2EE policy agent for PeopleSoft 8.3/8.4/8.8 : Solaris/Win2000/AIX 5.1,5.2 [version 2.1 and 2.1.1]
    Both these agents should stop fully functioning as of 27th July/05. Please follow the steps listed below to rectify the situation :
    1. Download JCE 1.2.2 from URL : http://java.sun.com/products/jce/index-122.html
    2. Once you download the zip file, extract the following jar files
    * US_export_policy.jar
    * local_policy.jar
    * jce1_2_1.jar
    * sunjce_provider.jar
    3. Replace the four JCE lib jars in the agent installation with the jars downloaded from JCE 1.2.2
    Please note that only the two agents mentioned above will be affected; all other agent installations should not be impacted by the expiration of Sun JCE 1.2.1.
    Thanks, Jerry

  • J2EE Policy Agent Jars

    Hi,
    Could anyone who has installed a J2EE Policy Agent please send me the following jar files zipped up? My email address is [email protected]. Thanks for your help.
    /opt/SUNWam/j2ee_agents/lib/am_agent_sdk_2_1.jar
    /opt/SUNWam/j2ee_agents/lib/am_agent_filter_2_1.jar
    /opt/SUNWam/j2ee_agents/lib/am_as81_agent_2_1.jar

  • J2ee policy agent + Access Manager sample

    Hello,
    I would like to secure my J2EE application by using the J2EE policy agent in combination with Sun Identity Manager 6.1 (Access Manager).
    I am new in this area, so I would like to ask if somebody knows of any SAMPLE application / example / tutorial that shows step-by-step how to cover this area.
    Thank you very much for any advice or link.
    -Eugen

    ...\jstudioE704Q4\AppServer7\domains\domain1\server1\logs\server.log
    [26/Sep/2005:18:59:11] INFO ( 1356): CORE3282: stdout: IN WebContainer>>moduleDeployed: customerinfoabout to close all connections
    [26/Sep/2005:18:59:12] INFO ( 1356): CORE3276: Installing a new configuration
    [26/Sep/2005:18:59:17] INFO ( 1356): WEB0100: Loading web module [CustomerInfo] in virtual server [server1] at [CustomerInfo]
    [26/Sep/2005:18:59:17] INFO ( 1356): WEB0121: Enabling no persistence for web module [CustomerInfo]'s sessions: persistence-type = [memory]
    [26/Sep/2005:18:59:17] INFO ( 1356): WEB0100: Loading web module [customerinfo] in virtual server [server1] at []
    [26/Sep/2005:18:59:21] INFO ( 1356): CORE3280: A new configuration was successfully installed
    [26/Sep/2005:18:59:21] INFO ( 1356): WEB4004: Closing web application environment for virtual server [server1]
    [26/Sep/2005:18:59:33] SEVERE ( 1356): HTTP3068: Error receiving request from 192.168.1.222 (Overlapped I/O operation is in progress.)
    [26/Sep/2005:18:59:33] SEVERE ( 1356): HTTP3068: Error receiving request from 192.168.1.222 (Overlapped I/O operation is in progress.)
    [26/Sep/2005:18:59:33] SEVERE ( 1356): HTTP3068: Error receiving request from 192.168.1.222 (Overlapped I/O operation is in progress.)
    [26/Sep/2005:18:59:33] INFO ( 1356): CORE3282: stdout: LENGTH_OF_GENERATED_UUID = 29
    [26/Sep/2005:19:00:29] INFO ( 1356): CORE3282: stdout: IN WebContainer>>moduleRedeployed: /customerinfoabout to close all connections
    [26/Sep/2005:19:00:29] INFO ( 1356): CORE3276: Installing a new configuration
    [26/Sep/2005:19:00:30] INFO ( 1356): WEB0100: Loading web module [CustomerInfo] in virtual server [server1] at [CustomerInfo]
    [26/Sep/2005:19:00:30] INFO ( 1356): WEB0121: Enabling no persistence for web module [CustomerInfo]'s sessions: persistence-type = [memory]
    [26/Sep/2005:19:00:30] INFO ( 1356): WEB0100: Loading web module [customerinfo] in virtual server [server1] at []
    [26/Sep/2005:19:00:31] INFO ( 1356): CORE3280: A new configuration was successfully installed
    [26/Sep/2005:19:00:31] INFO ( 1356): WEB4004: Closing web application environment for virtual server [server1]
    [26/Sep/2005:19:09:30] INFO ( 1356): CORE3282: stdout: IN WebContainer>>moduleRedeployed: /customerinfoabout to close all connections
    [26/Sep/2005:19:09:31] INFO ( 1356): CORE3276: Installing a new configuration
    [26/Sep/2005:19:09:31] INFO ( 1356): WEB0100: Loading web module [CustomerInfo] in virtual server [server1] at [CustomerInfo]
    [26/Sep/2005:19:09:31] INFO ( 1356): WEB0121: Enabling no persistence for web module [CustomerInfo]'s sessions: persistence-type = [memory]
    [26/Sep/2005:19:09:31] INFO ( 1356): WEB0100: Loading web module [customerinfo] in virtual server [server1] at []
    [26/Sep/2005:19:09:33] INFO ( 1356): CORE3280: A new configuration was successfully installed
    [26/Sep/2005:19:09:33] INFO ( 1356): WEB4004: Closing web application environment for virtual server [server1]
    [26/Sep/2005:19:09:49] SEVERE ( 1356): HTTP3068: Error receiving request from 192.168.1.222 (Overlapped I/O operation is in progress.)
    [26/Sep/2005:19:10:43] INFO ( 1356): CORE3282: stdout: IN WebContainer>>moduleRedeployed: /customerinfoabout to close all connections
    [26/Sep/2005:19:10:43] INFO ( 1356): CORE3276: Installing a new configuration
    [26/Sep/2005:19:10:44] INFO ( 1356): WEB0100: Loading web module [CustomerInfo] in virtual server [server1] at [CustomerInfo]
    [26/Sep/2005:19:10:44] INFO ( 1356): WEB0121: Enabling no persistence for web module [CustomerInfo]'s sessions: persistence-type = [memory]
    [26/Sep/2005:19:10:44] INFO ( 1356): WEB0100: Loading web module [customerinfo] in virtual server [server1] at []
    [26/Sep/2005:19:10:45] INFO ( 1356): CORE3280: A new configuration was successfully installed
    [26/Sep/2005:19:10:45] INFO ( 1356): WEB4004: Closing web application environment for virtual server [server1]
    I found no LOG file neither in
    ...\jstudioE704Q4\PolicyAgent\IdentityServer\j2ee_agents\logs
    nor in
    ...\jstudioE704Q4\PolicyAgent\IdentityServer\j2ee_agents\logs\D__Sun_jstudioE704Q4_AppServer7_domains_domain1_server1_config\
    Do you know any other log files to check?
    Thanks.
    --Eugen

  • J2ee policy agent sample application

    Hello,
    I would like to secure my J2EE application by using the J2EE policy agent in combination with Sun Identity Manager 6.1 (Access Manager).
    I am new in this area, so I would like to ask if somebody knows of any SAMPLE application / example / tutorial that shows step-by-step how to cover this area.
    Thank you very much for any advice.
    -Eugen

  • Difference between web policy agent and j2ee Policy agent ?

    Difference between web policy agent and j2ee Policy agent ?

    http://docs.sun.com/app/docs/doc/820-5816/ghscr?a=view

  • Authorization issue with J2EE Policy Agent for AS7

    Following the documentation I have created a simple J2EE application with a servlet and 2 JSPs. The 2 JSPs, customer.jsp and admin.jsp, are mapped to /customer and /admin. The entire web application is subject to a filter like:
    <filter>
      <filter-name>Agent</filter-name>
      <display-name>Agent</display-name>
      <description>SunTM ONE Idenitity Server Policy Agent for SunTM ONE Application Server 7.0</description>
      <filter-class>com.sun.amagent.as.filter.AgentFilter</filter-class>
    </filter>
    <filter-mapping>
      <filter-name>Agent</filter-name>
      <url-pattern>/*</url-pattern>
    </filter-mapping>
    The two resources /customer and /admin are subjected to security constraints like:
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>col2</web-resource-name>
        <url-pattern>/customer</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
        <role-name>customer</role-name>
      </auth-constraint>
      <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
      </user-data-constraint>
    </security-constraint>
    The role-to-principal mapping is done in the sun-web.xml like:
    <security-role-mapping>
      <role-name>customer</role-name>
      <group-name>customer</group-name>
      <principal-name>amAdmin</principal-name>
    </security-role-mapping>
    <security-role-mapping>
      <role-name>admin</role-name>
      <group-name>admin</group-name>
      <principal-name>amAdmin</principal-name>
    </security-role-mapping>
    Two roles, 'customer' and 'admin', are created via the identity server console and users are added to these roles.
    The application deploys OK; when the app is accessed the user is redirected to the identity server and is authenticated fine. The user is directed to the main servlet and is allowed to access the two JSPs. All is good till now; when the user accesses one of these links, say /customer, access is denied (403). The server log prints out:
    [21/May/2003:10:34:24] FINE ( 6036): servletPath = /customer
    [21/May/2003:10:34:24] FINE ( 6036): pathInfo = null
    [21/May/2003:10:34:24] FINE ( 6036): SingleSignOn[ids]: Process request for '/idssample/customer'
    [21/May/2003:10:34:24] FINE ( 6036): SingleSignOn[ids]: Checking for SSO cookie
    [21/May/2003:10:34:24] FINE ( 6036): SingleSignOn[ids]: SSO cookie is not present
    [21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: Security checking request GET /idssample/customer
    [21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: We have cached auth type PROGRAMMATIC for principal amAdmin
    [21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: Checking constraint 'SecurityConstraint[col2]' against GET /customer --> false
    [21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: Checking constraint 'SecurityConstraint[col2]' against GET /customer --> true
    [21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: Subject to constraint SecurityConstraint[col2]
    [21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: Calling checkUserData()
    [21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: User data constraint has no restrictions
    [21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: Calling authenticate()
    [21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: User authentication is not required
    [21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: Calling accessControl()
    [21/May/2003:10:34:24] FINEST ( 6036): PRINCIPAL : amAdmin hasRole?: customer
    [21/May/2003:10:34:24] FINEST ( 6036): PRINCIPAL TABLE: {}
    [21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: Failed accessControl() test
    [21/May/2003:10:34:24] WARNING ( 6036): CORE3283: stderr: <May 21, 2003 10:34:24 AM CDT> <Agent> <Info> AgentRealm.getGroupNames(amAdmin)
    [21/May/2003:10:34:24] WARNING ( 6036): CORE3283: stderr: <May 21, 2003 10:34:24 AM CDT> <Agent> <Info> AgentRealm.getGroupNames(amAdmin) => java.util.Vector$1@bb60ad
    Now, snooping around, I have found that AgentRealm.getGroupNames(userdn) does return the correct groups, viz. customer,admin,anyone.
    PLEASE HELP

    -- Second Update --
    After policy installation I got several problems with PeopleSoft configuration. Which finally were solved.
    1. Some URLs have to be defined as not enforced.
    com.sun.am.policy.amFilter.notenforcedList[1]=/ps/images/*
    com.sun.am.policy.amFilter.notenforcedList[2]=*.css
    com.sun.am.policy.amFilter.notenforcedList[3]=*.ico
    2. In versions older than PeopleSoft 8.4.2 the policy agent modified the file
    /opt/fs/webserv/peoplesoft/applications/peoplesoft/PORTAL/WEB-INF/psftdocs/ps/configuration.properties to add the properties:
    byPassSignon=TRUE
    defaultUserid="DEFAULT_USER"
    defaultPWD="your password"
    signon_page=amsignin.html
    signonError_page=amsignin.html
    logout_page=amsignin.html
    expire_page=amsignin.html
    However, in the newer versions of PeopleSoft these properties are controlled from the online PeopleSoft console. They are set on:
    PeopleTools --> WebProfile ---> WebProfileConfiguration --> [PROFILE] --> Security --> In section "Public Users" the parameters that have to be changed are:
    Allow Public Access (checked)
    User ID : DEFAULT_USER
    Password : your password
    HTTP Session Inactivity : (SSO TIMEOUT)
    and:
    PeopleTools --> WebProfile ---> WebProfileConfiguration --> [PROFILE] --> Look and Feel -->
    In section "SignOn/Logout" set the following values:
    Signon Page : amsignin.html
    Signon Error Page : amerror.html
    Logout Page : amsignout.html
    Note: After making any changes on the console; restart PIA (weblogic instance).
    With this the SSO with PeopleSoft is working Ok.

  • Launching contributor, where is login page config defined?

    I have an upgraded 11g UCM instance for both contributor and consumption. The URL is <domain>/ecm for the web front end of the system. I have a site defined that has a site address defined to a domain name. When I am on any page, and press CTRL-SHFT-F5, instead of going to domain/ecm/login/login.htm to authenticate, I am going to domain/cs/login/login.htm and get an error message. Where is "cs" defined so I can go change it?
    Thanks, Ken

  • Error 403 returned from WebSphere running Policy Agent

    Hi,
    I'm getting an error 403 (forbidden) in my browser when I try to access a URL that I have protected using a Policy that I have setup in SAM.
    My configuration is as follows:
    Sun Access Manager 6 2005Q1 on Solaris
    WebSphere AppServer 5.1.1.5 on Win 2000
    WebSphere 5.0 Policy Agent 2.1 on Win 2000
    At the moment, all I'm trying to do is protect a URL which is contained in a simple WAR file which I have deployed on WAS.
    As per the J2EE Policy Agents guide, I have installed the Agent Filter by adding the following into web.xml
    <web-app>
      <display-name>...</display-name>
      <description>...</description>
      <filter>
        <filter-name>Agent</filter-name>
        <display-name>Agent</display-name>
        <description>SunTM ONE Identity Server Policy Agent</description>
        <filter-class>com.sun.identity.agents.websphere.AmWAS50AgentFilter</filter-class>
      </filter>
      <filter-mapping>
        <filter-name>Agent</filter-name>
        <url-pattern>/*</url-pattern>
      </filter-mapping>
    </web-app>
    I've switched on Global Security in WAS and successfully logged back into the WebSphere Console using amldapuser. This confirms that the Agent Realm is working correctly.
    In SAM I set up a Policy with a Rule that specified the URL I want to protect. I added a Subject to this Rule of type LDAP User. The user I chose was amadmin (for the moment).
    I also configured an Agent with agentRootURL=http://<WAS fully qualified domain name>:9080/
    When I try to access the URL of the servlet in the WAR, I am redirected to the SAM's login page
    http://<SAM fully qualified domain name>/amserver/UI/Login?goto=http%3A%2F%2F<WAS fully qualified domain name>%3A9080%2FRoamingApp%2FRoaming
    However, when I enter the amadmin/ <password> error 403 is returned to the browser.
    I've checked the logs on SAM
    From amAuthentication.access
    "2005-07-28 11:58:15" "Login Success" LDAP dc=acme,dc=com INFO uid=amAdmin,ou=People,dc=acme,dc=com <WAS IP address> "cn=dsameuser,ou=DSAME Users,dc=acme,dc=com" <WAS IP address>
    From amSSO.access
    "2005-07-28 11:58:15" "SESSION CREATE" amSSO.access dc=acme,dc=com INFO uid=amAdmin,ou=People,dc=acme,dc=com <WAS IP address> "cn=dsameuser,ou=DSAME Users,dc=acme,dc=com" <WAS IP address>
    From agent.log (Policy Agent on Win 2000)
    [Thursday, July 28, 2005 11:58:15 AM BST] [null]
    Access to http://<WAS fully qualified domain name>:9080/RoamingApp/Roaming denied for user UNKNOWN
    Perhaps I don't have the Policy in SAM configured correctly... if anyone has come across this kind of problem before, I would greatly appreciate any help they can give me.
    Thanks,
    Justin

    Thanks for getting back to me Jerry.
    I had a look at the role-to-principal mappings you suggested. To do this I added a security constraint to my web.xml file.
    Then I reconfigured WebSphere so that the Active User Registry = LDAP instead of Custom. This allowed me to assign the LDAP group (in SAM) to the role (in web.xml). WAR file installed fine with these new bindings and I restarted WAS.
    Unfortunately, I'm still getting Error 403 in the browser!
    Any ideas as to what I might be doing wrong? Any help you can give me would be much appreciated.
    This is the amFilter log file from the Policy Agent...
    07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
    AmFilter: incoming request =>
    HttpServletRequest: class => com.ibm.ws.webcontainer.srt.SRTServletRequest@1af52898
         Character Encoding     : null
         Content Lenght          : -1
         Content Type          : null
         Locale               : en_IE
         Accept Locales:
              en_IE
         Protocol          : HTTP/1.1
         Remote Address          : 172.20.13.96
         Remote Host          : 172.20.13.96
         Scheme               : http
         Server Name          : dubwrk1589.ie.pri.o2.com
         Server Port          : 9080
         Is Secure          : false
         Auth Type          : null
         Context Path          : /RoamingApp
         Cookies:
              amFilterParam: AQIC5wM2LY4Sfcx0xX1Z1+1tK4SfLh/aCFlbIGuRNEPcAVc=
              amFilterRDParam: AQIC5wM2LY4Sfcwb7v6Sof6MpnvtyR8nae7hiKN7Y11QjCagyWAs9LzbAeB9Q4TP8VjruhK+oYForXxw/qq6TqbMAN1PlT1YOQI3Vy92iAaJ2N9x2bSRaUU7NlwZg8oTti+JOLdiRMTzwO17jIoWwCIx/0CtoQXpkX/meuAoFwf1feyAEp2NvK7AIbE82f/p8o4LxQbhK2NQNec=
              WASReqURL: http://dubwrk1589.ie.pri.o2.com:9080/RoamingApp/Roaming
              JSESSIONID: 0000HRZTVpt84dvtjaLaKWBnwzu:-1
         Headers:
              accept:
                   image/gif
                   image/x-xbitmap
                   image/jpeg
                   image/pjpeg
                   application/msword
                   application/vnd.ms-excel
                   application/vnd.ms-powerpoint
                   application/x-shockwave-flash
              referer:
                   http://sam.digifone.com/amserver/UI/Login?goto=http%3A%2F%2Fdubwrk1589.ie.pri.o2.com%3A9080%2FRoamingApp%2Flogin.jsp
              accept-language:
                   en-ie
              cookie:
                   amFilterParam=AQIC5wM2LY4Sfcx0xX1Z1+1tK4SfLh/aCFlbIGuRNEPcAVc=; amFilterRDParam=AQIC5wM2LY4Sfcwb7v6Sof6MpnvtyR8nae7hiKN7Y11QjCagyWAs9LzbAeB9Q4TP8VjruhK+oYForXxw/qq6TqbMAN1PlT1YOQI3Vy92iAaJ2N9x2bSRaUU7NlwZg8oTti+JOLdiRMTzwO17jIoWwCIx/0CtoQXpkX/meuAoFwf1feyAEp2NvK7AIbE82f/p8o4LxQbhK2NQNec=; WASReqURL=http://dubwrk1589.ie.pri.o2.com:9080/RoamingApp/Roaming; JSESSIONID=0000HRZTVpt84dvtjaLaKWBnwzu:-1
              accept-encoding:
                   gzip
                   deflate
              user-agent:
                   Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
              host:
                   dubwrk1589.ie.pri.o2.com:9080
              connection:
                   Keep-Alive
              cache-control:
                   no-cache
         Method               : GET
         Path Info          : null
         Path Trans          : null
         Query String          : null
         Remote User          : null
         Requested Session ID     : 0000HRZTVpt84dvtjaLaKWBnwzu:-1
         Request URI          : /RoamingApp/login.jsp
         Servlet Path          : /login.jsp
         Session               : true
         User Principal          : null
         Attributes:
              com.ibm.servlet.engine.webapp.dispatch_type: forward
    07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
    FQDNHandler: Incoming Server Name: [dubwrk1589.ie.pri.o2.com] Result: null
    07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
    PatternRule{*/j_security_check}.matchString(/RoamingApp/login.jsp) => false
    07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
    NotEnforcedListManager.isNotEnforced(/RoamingApp/login.jsp) => false
    07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
    AmFilter: Login attempt number: 10
    07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
    AmFilter: SSO Validation failed for null
    07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
    AmFilter: Reseting Cookies in Response
    07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
    WARNING: AmFilter: Login attempt number 10 failed for request URI: /RoamingApp/login.jsp
    07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
    URLFailoverHelper: Checking if http://sam.digifone.com:80/amserver/UI/Login is available
    07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
    URLFailoverHelper: URL http://sam.digifone.com:80/amserver/UI/Login is available
    07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
    URLFailoverHelper: getAvailableURL() => http://sam.digifone.com:80/amserver/UI/Login
    07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
    AmFilter: redirectURL is: http://sam.digifone.com:80/amserver/UI/Login?goto=http%3A%2F%2Fdubwrk1589.ie.pri.o2.com%3A9080%2FRoamingApp%2Flogin.jsp
    07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
    WARNING: AmFilter: redirect attempt limit reached for http://sam.digifone.com:80/amserver/UI/Login?goto=http%3A%2F%2Fdubwrk1589.ie.pri.o2.com%3A9080%2FRoamingApp%2Flogin.jsp, access will be denied
    07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
    AmFilter: Using 403 forbidden to block access
    07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
    getResource: id = 20004
    07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
    AmFilter: result =>
    FilterResult:
         Status      : FORBIDDEN
         RedirectURL     : null
         RequestHelper:
              null
         Data:
              null
    07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
    getResource: id = 20008
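
The amFilter trace above ends in a 403 because the agent hit its redirect limit, not because a policy denied the user. As an added example (not code from the post or from the Policy Agent), this parser pulls the relevant facts out of such a trace and separates that case from other denials. The sample log is constructed in the same format with placeholder hosts `am.example.com` and `app.example.com`; `classify_403` and its verdict labels are names chosen for this example.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample in the amFilter debug format shown above (placeholder hosts).
SAMPLE_LOG = """\
07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
NotEnforcedListManager.isNotEnforced(/RoamingApp/login.jsp) => false
07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
AmFilter: Login attempt number: 10
AmFilter: SSO Validation failed for null
AmFilter: redirectURL is: http://am.example.com:80/amserver/UI/Login?goto=http%3A%2F%2Fapp.example.com%3A9080%2FRoamingApp%2Flogin.jsp
WARNING: AmFilter: redirect attempt limit reached for http://am.example.com:80/amserver/UI/Login?goto=http%3A%2F%2Fapp.example.com%3A9080%2FRoamingApp%2Flogin.jsp, access will be denied
AmFilter: Using 403 forbidden to block access
"""

PATTERNS = {
    "not_enforced": re.compile(r"NotEnforcedListManager\.isNotEnforced\((\S+)\) => (true|false)"),
    "attempt": re.compile(r"AmFilter: Login attempt number: (\d+)"),
    "sso_failed": re.compile(r"AmFilter: SSO Validation failed"),
    "redirect": re.compile(r"AmFilter: redirectURL is: (\S+)"),
    "limit": re.compile(r"redirect attempt limit reached"),
    "forbidden": re.compile(r"AmFilter: Using 403 forbidden"),
}

def classify_403(log_text):
    """Extract facts from one request's trace; return (facts, verdict)."""
    facts = {"uri": None, "enforced": None, "attempts": 0, "sso_failed": False,
             "goto_path": None, "limit": False, "forbidden": False}
    for line in log_text.splitlines():
        if m := PATTERNS["not_enforced"].search(line):
            facts["uri"], facts["enforced"] = m.group(1), m.group(2) == "false"
        elif m := PATTERNS["attempt"].search(line):
            facts["attempts"] = int(m.group(1))
        elif PATTERNS["sso_failed"].search(line):
            facts["sso_failed"] = True
        elif m := PATTERNS["redirect"].search(line):
            # The goto parameter is the URL the user is sent back to after login.
            goto = parse_qs(urlparse(m.group(1)).query).get("goto", [""])[0]
            facts["goto_path"] = urlparse(goto).path
        elif PATTERNS["limit"].search(line):
            facts["limit"] = True
        elif PATTERNS["forbidden"].search(line):
            facts["forbidden"] = True
    if not facts["forbidden"]:
        verdict = "no-403"
    elif facts["limit"] and facts["sso_failed"] and facts["goto_path"] == facts["uri"]:
        verdict = "redirect-loop"  # enforced URI, no valid SSO session, limit hit
    else:
        verdict = "other-denial"
    return facts, verdict
```

A `redirect-loop` verdict means the agent kept sending the browser to the login URL and back to the same enforced URI without ever seeing a valid SSO session, so the session cookie path is the place to look rather than the policy definition.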

  • Policy Agent 2.2 patch for appserver 8.2

    Sparc JES 5 update 1. Appserver 8.2.
    Release notes for Policy Agent 2.2 for Appserver 8.1 say it will work on 8.2 with " the proper patch".
    Obtaining Policy Agent 2.2 for 9.0 does not appear to be possible anymore, and there is no indication that it would not require a patch to work with 8.2... OpenSSO links only to 8.1.
    Searching sunsolve doesn't quite give us the patch number. Some candidates but nothing that is clearly the required patch in this installation.
    If someone could throw some light on this unlit corner of the otherwise excellent JES5u1 release (and I DO like it) I would really appreciate it.
    Thanks
    BJ

    Okay, I think I have the answer.
    The patch that enables the Agent for AS 8.1 to work with 8.2 is currently only available
    through technical support.
    However, you can download the 2.2 agent for AS 9.0/9.1 from
    the Sun download site. This agent supports AS 8.1/8.2/9.0/9.1 servers.
    This agent is available for download here:
    http://www.sun.com/download/products.xml?id=46d7aa66
    Now, I make the download thing sound easy (it should be), but for some reason, searching for that link that I provide above isn't currently easy. At the moment, the download for this agent doesn't show up on the Policy Agent download page, here:
    http://www.sun.com/download/index.jsp?cat=Identity%20Management&tab=3&subcat=Policy%20Agents
    That might be a very temporary condition. I'm trying to straighten this out on the Sun side. Next, I'll add the direct download for this agent on my Policy Agent page here:
    http://blogs.sun.com/JohnD/page/policyagent

  • Custom login page with Policy Agent 2.2 & Access Manager

    Hi,
    I’m trying to set up policy agent 2.2 and Access Manager to use the login page of the application I’m trying to secure. I’m not sure if this is the correct forum or not so feel free to move this if need be.
    I’ve been using this link: http://docs.sun.com/source/816-6884-10/chapter3.html#wp25376 but it doesn’t seem to make sense.
    In my AMAgent.properties file I’ve set up
    com.sun.identity.agents.config.login.form[0]=/contextRoot/login/login.jsp to my login page and I’ve also configured the web.xml for that application to use the login:
         <login-config>
              <auth-method>FORM</auth-method>
              <form-login-config>
                   <form-login-page>/login/login.jsp</form-login-page>
                   <form-error-page>/login/login.jsp</form-error-page>
              </form-login-config>          
         </login-config>
    When I try and access the login page I’m redirected to the default access manager login page. I did notice in the AMProperties.xml file the following line:
    com.sun.identity.agents.config.login.url[0] = http://amserverhost:80/amserver/UI/Login
    It seems like I should change that to point to my login page but I didn’t see any documentation supporting that. When I change that property to point to the location of my login page, I get a redirect loop error.
    When I remove the com.sun.identity.agents.config.login.form[0] property altogether, I just get a resource restricted error.
    Now when I configure the com.sun.identity.agents.config.login.form[0] property, set the config.login.url = to my login page AND set the com.sun.identity.agents.config.notenforced.uri[0] property equal to my login page (so the login page is no longer protected) I am able to see the login page.
    Is unrestricting the login page correct? I’m able to access the login.jsp page directly and when I try and access protected resources I’m redirected back to the login page so everything seems to be working correctly but I’m not sure if this is the correct way.

    Hi Neeraj,
    I still have not been able to resolve that issue. Let me know if you find a solution for the same.
    Thanks,
    Srinivas

  • How to redirect user from login page to "Set Challenge question" page

    How to redirect user from login page to "Set Challenge question" page (NOT custom page) after 3 unsuccessful password attempts?
    Meaning when a user types the wrong password 3 times they will be redirected to the set Challenge question page. If the user answers the challenge question then the password reset page should appear, otherwise (after the remaining 3 unsuccessful challenge question answers) the account should be locked out.
    thanks for your help.

    hi sandeep
    Thanks for your answer. Let me elaborate more on the requirement here.
    - Password Policy and Lost Password management are set up in the identity system
    - Configure login tries allowed = 5. Verify the account is locked out after 5 unsuccessful logins.
    This is what I need to achieve.
    1) If a user attempts to log in 3 (not 5) times using an incorrect login credential he/she should be redirected to the set challenge question (security question) page.
    2) Then if the user gives an incorrect challenge answer for the (remaining) 2 attempts then his/her account should be locked out.
    3) If he/she answers the challenge question correctly then he/she should be redirected to the password reset page.
    Is this possible?

  • Policy Agent - HTTP login

    Hello.
    I was wondering if it's possible to somehow authenticate using HTTP Authentication mechanisms, like Basic or Digest authentication (probably over HTTPS) together with Policy Agent?
    What I'm looking for is a mechanism that checks if the Identity Server Session Cookie is in the request, and if not, does a normal 401 response.
    The browser can then resend the request straight away including user credentials.
    This avoids a redirect to the Identity Server, which is a pain in the back side if the request is a large POST data upload or similar.
    Anyone heard of something like this?
    Regards,
    Kyrre

    Hi Charlie,
    Thanks for the reply. Currently I have implemented permissions for UI elements like this:
    1) Used JATO framework in an application JSP page which points to a view bean class. This view bean class instantiates UI elements as required.
    2) From the module base servlet, I access SSOToken Manager, SSOToken, AMUser, AMRole objects for the current logged in user. (I am working on role based permissions).
    3) Based on the roles available for the user, I set the visibility of certain UI elements.
    Can you elaborate a little bit more in this context about how I can create/use the policies? I will try to list out below what you are trying to say. Please provide your feedback.
    1) Protect http resources, say http://www.myapp.com/index.html, on Identity Server similar to what I have currently.
    2)Instantiate policy object in the module servlet, have resources for each UI element that needs to be protected in this policy, evaluate policy based on the currently logged in user/role and then return permission like read/edit.
    Thanks,
    Srinivas

  • Questions about a custom login page.

    Could someone give me an example of a custom login page that does the error checking with
    p_error_code. I can't seem to get one to work correctly. I don't ever get any info in
    p_error_code when there is an error in login.
    You can email me the code at [email protected] if you would prefer.
    Thanks.
    Bethany

    Bethany,
    The best place for this question is the Oracle9iAS Portal Security and Login Server forum.
    Thanks
