J2ee runclient authentication

Hi,
I'm creating my first EJB application (for the J2EE server), using the examples from the book Mastering Enterprise JavaBeans (2nd Ed), which by the way is a very good book for understanding the basics, and I'm up to running the client, locally to the server. I have the session bean deployed and the server running and when I run the runclient script, it asks for a username and password. I have read somewhere that this should be "guest","guest123", but this doesn't work (it throws:
Application threw an exception:java.security.AccessControlException: access denied (java.util.PropertyPermission * read,write).)
Also, I've checked that the deployment settings for the security of the EJB support the client's choice of authentication. I have even tried adding a new user and restarting the server, but no luck. Any advice? Am I missing something obvious?
Pam

I encountered the exact same problem running on Win2K. The fix is to edit the security policy file used by runclient.bat.
The file to change is in [ J2EE HOME ]/lib/security/client.policy. It has a line that reads
permission java.util.PropertyPermission "*", "read";This should be changed to
permission java.util.PropertyPermission "*", "read,write";

Similar Messages

J2EE Basic Authentication 설정 방법(inbound)

BPEL PM Admin Guide를 따라 해봤는데 잘 안되서 글올립니다.
가이드 1-8 ~ 1-10에 있는 내용을 참고 하여
1. user 생성
java -Xbootclasspath/a:..\..\bpel\lib\orabpel-boot.jar -jar ..\home\jazn.jar -user oc4jadmin -password welcome1 -adduser jazn.com jsmith jsmith
java -Xbootclasspath/a:..\..\bpel\lib\orabpel-boot.jar -jar ..\home\jazn.jar -user oc4jadmin -password welcome1 -addrole jazn.com jsmithrole
java -Xbootclasspath/a:..\..\bpel\lib\orabpel-boot.jar -jar ..\home\jazn.jar -user oc4jadmin -password welcome1 -grantrole jsmithrole jazn.com jsmith
2. <SOA_Oracle_Home>\j2ee\oc4j_soa\applications\orabpel\META-INF\orion-application.xml 수정
<security-role-mapping name="jsmithrole">
<group name=" jsmithrole" />
</security-role-mapping>
3. <SOA_Oracle_Home>\j2ee\oc4j_soa\applications\orabpel\startupWEB-INF\web.xml 수정
<security-constraint>
<web-resource-collection>
<web-resource-name>Default Domain Pages</web-resource-name>
<description>These pages are only accessible by authenticated
users.</description>
<url-pattern>*/orabpel/default/HelloWorld/1.0</url-pattern>
<url-pattern>*/orabpel/default/HelloSecureWorld/1.0</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>jsmithrole</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>jazn.com</realm-name>
</login-config>
<security-role>
<description>BPEL PM User</description>
<role-name>jsmithrole</role-name>
</security-role>
4. HelloWorld BPEL Process 에 configration propertiy 추가
<configurations>
<property name="role" encryption="plaintext">jsmithrole</property>
</configurations>
이렇게 했는데... basic header에 username/password 설정을 하지 않고 호출을 해도 정상적으로 실행이 됩니다.
어떻게 해야하는지 알려주세요.
OS : win2k3
version : 10.1.3.3.1 ( 적용 패치 : 6492514 BPEL Process Manager: Patch TRACKING BUG: 10.1.3.3.1 BUNDLE PATCH )

Log에 에러가 없었다면 설정값이 잘 못된 것은 아니라고 생각됩니다.
다만 설정하신 값들에 나타난 디렉토리 내용을 보니 시스템 설치는 AS middle tier type의 install을 하신 것 같은데 설정 방법은 developer type installation형태의 J2EE Basic authentication설정을 하신 것 같습니다.
Middle tier install의 경우에는 AS control에서 설정을 해주셔야 합니다.
작업하신 내역 중에 3번에 해당하는 내용은 AS Control에서 HelloWorld process의 basic authentication을 설정하는 방법은
oc4j_soa > Application:orabpel > Web Service:HelloWorldPort 를 선택하고, Administration 탭에서 Enble/Disable Features버튼으로 Security Feature를 Enable시키신 후에 oc4j_soa > orabpel > Web Service:HelloWorldPort > Eidti Security Configuration에서 Inbound/Outbound Policies를 설정하시면 됩니다.
그림으로 잘 설명되어 있는 문서를 찾아보긴했는데 아직 찾지 못했습니다. 나중에라도 구하게 되면 공유해드리도록 하겠습니다.

J2EE SOAP Authentication

I have a SOAP sender channel with HTTPS without authentication, do not use SOAP envelope. When typing the URL in the browser, I get a pop-up for user/password. What is this? Is this to authenticate against J2EE? If so, is there a particular user configured in NWA for this? I have read other blogs saying XIAPPLUSER, and I'm wondering if this user is configured in NWA somewhere to authenticate SOAP messages?

Hi,
The authentication is SAP standard basic authentication. You have to key in SAP login detail. You can disable this in visual admin, kindly search on sdn for the method. Pls take note that this will disable all the authentication for SOAP adapter.

How to implement complicated J2ee & Web authentication?

My web (j2ee) application requires some complex login mechanism. Specifically:
1. User must change the default password when they first login.
2. Session time is 30 mins. User is prompted to login to continue the current work.
3. User must change password for every 3 months.
It seems it is absolutly impossible to adapt Oc4j build-in authentication mech to reach this purpose. We thought to use filters. However, not only do we have to write all the security stuff, but also we have difficult to reach the purpose 2.
Any idea will be helpful.
Zhou

hi zhou,
i dont have a perfect solution for your problem. just a suggestion ...
any app server's built in authentication mechanism does not support all the flexibility you mentioned.
for session time out mention the <session-timeout> in the <session-config> of your web.xml. for purpose 1 and 3 you need to write some application level program to handle this.(or a filter??)
so you can still use the authentication mechanism of the appserver and deligate the extra work to the filter or other mechanism.
hope this helps ....
shrini

AM 7.1 patch1 + GlassFish 9.1_02 + J2EE Agent authentication problem

I've AM 7.1 running on SJS AS 9.1_02 on one host, and I want to protect a portal application also running on SJS AS 9.1_02, but on a different host.
I did have any problem/error when installing the J2EE agent
I can authenticate with any user to my user realm in AM, I think it's well configured but I try to connect to my portal, I get the following error in the browser:
javax.servlet.ServletException: PWC1243: Filter execution threw an exception
java.lang.NoClassDefFoundError
The agent log file doesn't have anything special
The application server server.log file contains the following error:
[#|2008-08-22T17:07:10.892+0200|SEVERE|sun-appserver9.1|javax.enterprise.system.container.web|_ThreadID=16;_ThreadName=httpSSLWorkerThread-8080-1;_RequestID=7
79200cb-b4d7-4e4a-a25b-c68f2c2253d4;|StandardWrapperValve[jsp]: PWC1406: Servlet.service() for servlet jsp threw exception
java.lang.NoClassDefFoundError
at com.sun.identity.agents.filter.URLPolicyTaskHandler.initialize(URLPolicyTaskHandler.java:63)
I've checked the application server CLASSPATH, and it looks fine since it contains, among others, the agent.jar file .
So, I don't understand where's the problem. Any idea ?

No direct solution found.
The ClassNotFound exception actually seemed to be a side effect rather than the real origin of the problem.
I found a workaround by uninstalling the whole J2EE agent software and using instead an embedded feature
of the application to protect, enabling some kind of OpenSSO client module.

Disable J2EE Local Auth Task Handler in policy agent 2.2

Hi,
Is there a way of disabling the j2ee local authentication handler for a policy agent 2.2 running in filter mode ALL ?
If not, is there a way to configure local authentication without session-binding? I am specially interested in the agent for WebLogic Server 8.1.
Thanks,
Andrei Dumitru

Hi,
Is there a way of disabling the j2ee local authentication handler for a policy agent 2.2 running in filter mode ALL ?
If not, is there a way to configure local authentication without session-binding? I am specially interested in the agent for WebLogic Server 8.1.
Thanks,
Andrei Dumitru

Basic Authentication with Web Service

Hello,
I am running S1AS7 on window XP. I have deployed the sample/jaxrpc/simple with basic authentication enabled. I have also changed to Client.java to set the USERNAME and PASSWORD (ie: stub._setProperty(javax.xml.rpc.Stub.USERNAME_PROPERTY, "j2ee");
Once I have deployed the war file and run the client, I got access denied exception.
I have checked the s1as7 log and here is the details:
FINE: Logging in user [j2ee] into realm: file using JAAS module: fileRealm
FINEST: Login module initialized: class com.iplanet.ias.security.auth.login.File
LoginModule
FINEST: File login succeeded for: j2ee
FINEST: JAAS login complete.
FINEST: JAAS authentication committed.
FINE: Password login succeeded for : j2ee
FINE: Set security context as user: j2ee
FINE: Authenticator[jaxrpc-simple]: Authenticated 'j2ee' with type 'BASIC'
FINE: SingleSignOn[server1]: Registering sso id '193F1461E0D9B982E6B4055C0134076
9' for user 'j2ee' with auth type 'BASIC'
FINE: Authenticator[jaxrpc-simple]: Calling accessControl()
FINEST: PRINCIPAL : j2ee hasRole?: staffmember
FINEST: PRINCIPAL TABLE: {}
FINE: Authenticator[jaxrpc-simple]: Failed accessControl() test
Please notice that the authentication worked, but the PRINCIPAL TABLE is null!!!! If I run the basic authentication sample, i can see from the log the PRINCIPAL TABLE is (...staff=[staffmember], j2ee=[staffmember],.....)
so somehow the app server treats the two sample differently with the same user id (j2ee/password)
any comments?
thanks..

Hello,
I am running S1AS7 on window XP. I have deployed the
sample/jaxrpc/simple with basic authentication
enabled. I have also changed to Client.java to set
the USERNAME and PASSWORD (ie:
stub._setProperty(javax.xml.rpc.Stub.USERNAME_PROPERTY
"j2ee");
Once I have deployed the war file and run the client,
I got access denied exception.
I have checked the s1as7 log and here is the
details:
FINE: Logging in user [j2ee] into realm: file using
JAAS module: fileRealm
FINEST: Login module initialized: class
com.iplanet.ias.security.auth.login.File
LoginModule
FINEST: File login succeeded for: j2ee
FINEST: JAAS login complete.
FINEST: JAAS authentication committed.
FINE: Password login succeeded for : j2ee
FINE: Set security context as user: j2ee
FINE: Authenticator[jaxrpc-simple]: Authenticated
'j2ee' with type 'BASIC'
FINE: SingleSignOn[server1]: Registering sso id
'193F1461E0D9B982E6B4055C0134076
9' for user 'j2ee' with auth type 'BASIC'
FINE: Authenticator[jaxrpc-simple]: Calling
accessControl()
FINEST: PRINCIPAL : j2ee hasRole?: staffmember
FINEST: PRINCIPAL TABLE: {}
FINE: Authenticator[jaxrpc-simple]: Failed
accessControl() test
Please notice that the authentication worked, but the
PRINCIPAL TABLE is null!!!! If I run the basic
authentication sample, i can see from the log the
PRINCIPAL TABLE is (...staff=[staffmember],
j2ee=[staffmember],.....)
so somehow the app server treats the two sample
differently with the same user id (j2ee/password)
any comments?
thanks..
One more thing, here is my web.xml file:
<web-app>
<display-name>Hello World Application</display-name>
<description>A web application containing a simple JAX-RPC endpoint</description>
<session-config>
<session-timeout>60</session-timeout>
</session-config>
<security-constraint>
<web-resource-collection>
<web-resource-name>basic secuity test</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>POST</http-method>
<http-method>GET</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>staffmember</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>basic-file</realm-name>
</login-config>
</web-app>

Authentication Messages - Locked User, Expired Password etc...

In standard Servlet Security, when using the container authentication mechanism ( using j_security_check) ..., the only responses one can send to the end user are the un-authorized page and the not authenticated message.
There is so much advancement in every other area, but none in this particular area to have a mechanism to send authentication failure error messages for specific cases like the one shown in the title.
Is there any standard pattern that will use Container Managed security to display such error messages.
Any pointers will be great.
Vijay

We can use other login mechanisms, but the problem is that the so called J2EE Pluggable Authentication Realms (or Providers or Domains or Registries) only use the j_security_check mechanism to authenticate users.
So the end result is a very primitive mechanism.
So I was looking for some pointers on a JSR which is dealing with this or somebody who has a pattern to circumvent this problem.
Thanks for the info.
Any other pointers, anyone.
Vijay

XML file is not being displayed in browser? Why?

Hi all!
I have a secnario file->XI->J2EE appl.
I am using File sender adapter and HTTP Receiver adapter.
I placed XML file in D:\somedir of my machine, it is picking up well by XI, <b>all i want to know is how XI sends this XML file to my J2EE Appl.</b>Because my servlet should display the same XML file in browser. I deployed my J2EE appl on weblogic application server9.0 I am getting the following error:
The XML page cannot be displayed
Cannot view XML input using style sheet. Please correct the error and then click the Refresh button, or try again later.
XML document must have a top level element. Error processing resource 'http://localhost:7001/Invoke/DisplayRes'.
These are settings that i have given in my Receiver HTTP adapter:
Aadapter Type: HTTP
                   Receiver
Transport Protocol: HTTP1.0
Message Protocol:    XI payload in HTTP body
Adapter Engine:      Integration Server
Addressing Type:     URL address
Target host:         localhost
Service Number:      7001(Port number of Weblogic appl server--where my J2EE appl is deployed).
Path     : /Invoke/DisplayRes/(Context path of J2EE appl)
Authentication Type:Use Logon Data for SAP System
Content Type: text/xml
Username:   xiappluser
password:   xx
XML code:   UTF-8
This is my Servlet code:
public class DisplayRes extends HttpServlet {
     public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException
     doPost(request,response);
     public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException
     BufferedReader brin =new BufferedReader(new InputStreamReader(request.getInputStream()));
     String inputLine;
     StringBuffer sBuf = new StringBuffer();
     PrintWriter out = response.getWriter();
     response.setContentType("text/xml");
     while ((inputLine = brin.readLine()) != null)
         sBuf.append(inputLine);
           out.println(sBuf.toString());
          brin.close();
         out.flush();
Where i went wrong please help me,
NOTE: I want to know how XI sends XML file to my J2EE appl. I suppose my servlet receives it in request object.If so can i use like:
response.setContentType("text/xml");
String xmlFile = request.getParameter("myXMLFile");
PrintWriter out = response.getWriter();
out.write(xmlFile);
out.flush();
out.close();
Please help me!
Thanks a lot!

Hi Datta,
You seem to have big problem with this scneario as you have raised this question couple of times , in couple of topics / threads. I will try to make a few things about this clear.
1. XI when sends data to a J2EE application , in your case a servlet, I believe you must be using a HTTP adapter to post the data to it. Whenever XI will post a XML data to a HTTP resource , it will post it as the request body and that is why the code in one of my previous post reads,
BufferedReader brin =new BufferedReader(new InputStreamReader(request.getInputStream()));
String inputLine;
StringBuffer sBuf = new StringBuffer();
PrintWriter out = response.getWriter();
response.setContentType("text/xml");
while ((inputLine = brin.readLine()) != null)
sBuf.append(inputLine);
out.println(sBuf.toString());
brin.close();
out.flush();
If you 've noticed, the statement
request.getInputStream()
retrieves the body of the request as binary data using a ServletInputStream.
So your answer to your question is
<b>XI transferes data to a servlet as a part of HTTP request body</b>, if you use a HTTP adapter.
2. By J2EE application , if you mean a server java proxy, then the method whose name matches with that of the Inbound Message interface recieves a parameter , from which you can retrieve the parameters passed by XI. Just check the getters of that object.
Hope this clears your basic doubts!!!
Rgds,
Amol

Error message when deploying war file to sun web server 6.1

i've been trying to deploy an application developed locally in tomcat to a local install of sun web server 6.1, and can't seem to get it to work. the error message i am getting now is:
[05/Dec/2008:12:44:08] config ( 1640): for host xxx.xxx.xxx.xx trying to GET /cart/index.jsp, handle-processed reports: HTTP2205: The request method is not applicable to the requested resource.
but that is the only error showing up. i've found some other forum topics involving memory issues (not the case here) and mime.type issues (not the case here), but nothing where this is the only error message showing up.
any ideas? anyone?

I deployed the application using a WAR file I created and the Server Manager.
I've been able to get a JSP running in the $INSTALL_DIR/docs directory (database connectivity, result set printing, session data storing) but not outside of there.
I switched to "finest" error reporting, but that isn't really helping much either.
I even deployed one of the sample WAR files that came with the installation (webapps-simple.war), and it failed too, the error message I got was:
[09/Dec/2008:10:35:51] fine ( 5384): for host 192.168.112.96 trying to GET /simple/jsp/num/numguess.jsp, ntrans-j2ee reports: mapped uri "/jsp/num/numguess.jsp" in context "/simple" to resource "jsp"
[09/Dec/2008:10:35:51] fine ( 5384): for host 192.168.112.96 trying to GET /simple/jsp/num/numguess.jsp, service-j2ee reports: context = StandardEngine[null].StandardHost[https-arlll3n4244.arcds.com].StandardContext[simple]
[09/Dec/2008:10:35:51] fine ( 5384): for host 192.168.112.96 trying to GET /simple/jsp/num/numguess.jsp, service-j2ee reports: contextPath = /simple
[09/Dec/2008:10:35:51] fine ( 5384): for host 192.168.112.96 trying to GET /simple/jsp/num/numguess.jsp, service-j2ee reports: wrapper = null
[09/Dec/2008:10:35:51] fine ( 5384): for host 192.168.112.96 trying to GET /simple/jsp/num/numguess.jsp, service-j2ee reports: servletPath =
[09/Dec/2008:10:35:51] fine ( 5384): for host 192.168.112.96 trying to GET /simple/jsp/num/numguess.jsp, service-j2ee reports: pathInfo = null
[09/Dec/2008:10:35:51] finer ( 5384): for host 192.168.112.96 trying to GET /simple/jsp/num/numguess.jsp, service-j2ee reports: Authenticator[simple]: Security checking request GET /simple/jsp/num/numguess.jsp
[09/Dec/2008:10:35:51] finer ( 5384): for host 192.168.112.96 trying to GET /simple/jsp/num/numguess.jsp, service-j2ee reports: Authenticator[simple]: Checking constraint 'SecurityConstraint[Protected Area]' against GET /jsp/num/numguess.jsp --> false
[09/Dec/2008:10:35:51] finer ( 5384): for host 192.168.112.96 trying to GET /simple/jsp/num/numguess.jsp, service-j2ee reports: Authenticator[simple]: No applicable constraint located
[09/Dec/2008:10:35:51] finer ( 5384): for host 192.168.112.96 trying to GET /simple/jsp/num/numguess.jsp, service-j2ee reports: Authenticator[simple]: Not subject to any constraint
[09/Dec/2008:10:35:51] finer ( 5384): for host 192.168.112.96 trying to GET /simple/jsp/num/numguess.jsp, service-j2ee reports: WebModule[simple]: Mapping contextPath='/simple' with requestURI='/simple/jsp/num/numguess.jsp' and relativeURI='/jsp/num/numguess.jsp'
[09/Dec/2008:10:35:51] finer ( 5384): for host 192.168.112.96 trying to GET /simple/jsp/num/numguess.jsp, service-j2ee reports: WebModule[simple]: Decoded relativeURI='/jsp/num/numguess.jsp'
[09/Dec/2008:10:35:51] finer ( 5384): for host 192.168.112.96 trying to GET /simple/jsp/num/numguess.jsp, service-j2ee reports: WebModule[simple]: Trying exact match
[09/Dec/2008:10:35:51] finer ( 5384): for host 192.168.112.96 trying to GET /simple/jsp/num/numguess.jsp, service-j2ee reports: WebModule[simple]: Trying prefix match
[09/Dec/2008:10:35:51] finer ( 5384): for host 192.168.112.96 trying to GET /simple/jsp/num/numguess.jsp, service-j2ee reports: WebModule[simple]: Trying extension match
[09/Dec/2008:10:35:51] finer ( 5384): for host 192.168.112.96 trying to GET /simple/jsp/num/numguess.jsp, service-j2ee reports: WebModule[simple]: Mapped to servlet 'jsp' with servlet path '/jsp/num/numguess.jsp' and path info 'null' and update=true
[09/Dec/2008:10:35:51] info ( 5384): for host 192.168.112.96 trying to GET /simple/jsp/num/numguess.jsp, service-j2ee reports: WEB2798: [cart/] ServletContext.log(): JspEngine --> /jsp/num/numguess.jsp
[09/Dec/2008:10:35:51] info ( 5384): for host 192.168.112.96 trying to GET /simple/jsp/num/numguess.jsp, service-j2ee reports: WEB2798: [cart/] ServletContext.log(): ServletPath: /jsp/num/numguess.jsp
[09/Dec/2008:10:35:51] info ( 5384): for host 192.168.112.96 trying to GET /simple/jsp/num/numguess.jsp, service-j2ee reports: WEB2798: [cart/] ServletContext.log(): PathInfo: null
[09/Dec/2008:10:35:51] info ( 5384): for host 192.168.112.96 trying to GET /simple/jsp/num/numguess.jsp, service-j2ee reports: WEB2798: [cart/] ServletContext.log(): RealPath: C:\Sun\WebServer6.1\https-ARLLL3N4244.arcds.com\webapps\https-ARLLL3N4244.arcds.com\simple\jsp\num\numguess.jsp
[09/Dec/2008:10:35:51] info ( 5384): for host 192.168.112.96 trying to GET /simple/jsp/num/numguess.jsp, service-j2ee reports: WEB2798: [cart/] ServletContext.log(): RequestURI: /simple/jsp/num/numguess.jsp
[09/Dec/2008:10:35:51] info ( 5384): for host 192.168.112.96 trying to GET /simple/jsp/num/numguess.jsp, service-j2ee reports: WEB2798: [cart/] ServletContext.log(): QueryString: null
[09/Dec/2008:10:35:51] failure ( 5384): for host 192.168.112.96 trying to GET /simple/jsp/num/numguess.jsp, service-j2ee reports: StandardWrapperValve[jsp]: WEB2792: Servlet.service() for servlet jsp threw exception
java.lang.IllegalArgumentException: WEB3446: setAttribute: Non-serializable attribute
     at org.apache.catalina.session.StandardSession.setAttribute(StandardSession.java:1280)
     at org.apache.catalina.session.StandardSessionFacade.setAttribute(StandardSessionFacade.java:191)
     at org.apache.catalina.session.StandardSessionFacade.setAttribute(StandardSessionFacade.java:191)
     at org.apache.jasper.runtime.PageContextImpl.setAttribute(PageContextImpl.java:271)
     at jsps.jsp._num._numguess_jsp._jspService(_numguess_jsp.java:81)
     at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:107)
     at javax.servlet.http.HttpServlet.service(HttpServlet.java:908)
     at com.iplanet.ias.web.jsp.JspServlet$JspServletWrapper.service(JspServlet.java:688)
     at com.iplanet.ias.web.jsp.JspServlet.serviceJspFile(JspServlet.java:460)
     at com.iplanet.ias.web.jsp.JspServlet.service(JspServlet.java:376)
     at javax.servlet.http.HttpServlet.service(HttpServlet.java:908)
     at org.apache.catalina.core.StandardWrapperValve.invokeServletService(StandardWrapperValve.java:771)
     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:322)
     at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:509)
     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:218)
     at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:509)
     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:209)
     at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:509)
     at com.iplanet.ias.web.connector.nsapi.NSAPIProcessor.process(NSAPIProcessor.java:157)
     at com.iplanet.ias.web.WebContainer.service(WebContainer.java:579)

Seeburger Host FTP SSL Error

I have a scenario that has been working in production for some time (> 6mo). Today I am getting the following error on all communication channels that use Host FTP (they all go to our same VAN account). I have reloaded the certificate in Java Administrator, reset the password, and confirmed from the system that the remote ftp host is accessible. I did check the user (SEEBURGER) is not locked.<br>
<br><br>
Message : com.seeburger.jftp.app.exception.FtpExceptionConfigurationError: Error while creating socket chain CAUSED BY: java.lang.Exception: Error while preparing SSLContext CAUSED BY: com.seeburger.ksm.cryptoapi.exception.CryptoApiException: Access Denied. CAUSED BY: com.sap.engine.services.security.exceptions.BaseSecurityException: Internal server error. An error log with ID [001517B19DC9001F0000036500002670000488BA247963F4] is created. For more information contact your system administrator.
Stack trace:
Exception: com.seeburger.jftp.app.exception.FtpExceptionRethrowError: Error in session:
     at com.seeburger.jftp.app.JFtpSession.executeTask(JFtpSession.java:399)
     at com.seeburger.jftp.app.JFtpSession.execute(JFtpSession.java:211)
     at com.seeburger.jftp.JFTPProcessor.execute(JFTPProcessor.java:132)
     at com.seeburger.frame.core.FrameWorkListener.syncNewData(FrameWorkListener.java:523)
     at com.seeburger.xi.connector.fw.SynchronousTaskExecutor.executeTask(SynchronousTaskExecutor.java:40)
     at com.seeburger.xi.connector.queue.QueueProcessorImpl.doOutboundTransmission(QueueProcessorImpl.java:791)
     at com.seeburger.xi.connector.queue.QueueProcessorImpl.executeAsynchronously(QueueProcessorImpl.java:664)
     at com.seeburger.xi.connector.queue.QueueProcessorImpl.execute(QueueProcessorImpl.java:455)
     at com.seeburger.xi.connector.queue.QueueProcessorImpl.process(QueueProcessorImpl.java:482)
     at com.seeburger.xi.connector.queue.QueueProcessorImpl.run(QueueProcessorImpl.java:213)
     at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
     at java.security.AccessController.doPrivileged(Native Method)
     at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:100)
     at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:170)
Caused by: com.seeburger.jftp.app.exception.FtpExceptionConnectionError: Error while connection to remote host
     at com.seeburger.jftp.app.process.ftp.FtpEngine.connect(FtpEngine.java:192)
     at com.seeburger.jftp.app.process.ScriptEngine.commandOpen(ScriptEngine.java:368)
     at com.seeburger.jftp.app.process.ScriptEngine.executeCommand(ScriptEngine.java:234)
     at com.seeburger.jftp.app.process.ScriptEngine.executeScriptInRange(ScriptEngine.java:186)
     at com.seeburger.jftp.app.process.ScriptEngine.executeScriptBegin(ScriptEngine.java:136)
     at com.seeburger.jftp.app.JFtpSession.executeTask(JFtpSession.java:321)
     ... 13 more
Caused by: com.seeburger.jftp.app.exception.FtpExceptionConnectionError: Error while opening control socket
     at com.seeburger.jftp.app.process.ftp.FtpControlSocket.open(FtpControlSocket.java:85)
     at com.seeburger.jftp.app.process.ftp.FtpClient.open(FtpClient.java:80)
     at com.seeburger.jftp.app.process.ftp.FtpEngine.connect(FtpEngine.java:121)
     ... 18 more
Caused by: com.seeburger.jftp.app.exception.FtpExceptionConfigurationError: Error while creating socket chain
     at com.seeburger.jftp.app.process.ftp.FtpSocket.createSocketChain(FtpSocket.java:352)
     at com.seeburger.jftp.app.process.ftp.FtpSocket.connectOpen(FtpSocket.java:97)
     at com.seeburger.jftp.app.process.ftp.FtpControlSocket.open(FtpControlSocket.java:72)
     ... 20 more
Caused by: java.lang.Exception: Error while preparing SSLContext
     at com.seeburger.communication.socketmodel.wizards.SslConnectWizardKSMAlias.<init>SslConnectWizardKSMAlias.java:117)
     at com.seeburger.jftp.app.process.ftp.FtpSocket.createSocketChain(FtpSocket.java:316)
     ... 22 more
Caused by: com.seeburger.ksm.cryptoapi.exception.CryptoApiException: Access Denied.
     at com.seeburger.ksm.xi.cryptoapi.XICryptoApi.constructException(XICryptoApi.java:743)
     at com.seeburger.ksm.xi.cryptoapi.XICryptoApi.getAliasCollection(XICryptoApi.java:136)
     at com.seeburger.communication.socketmodel.wizards.SslConnectWizardKSMAlias.<init>SslConnectWizardKSMAlias.java:101)
Edited by: Tadd Bryan on Jun 10, 2010 10:46 PM

Just to provide the community the final answer to my problem... After working with Seeburger support the issue was identified. During a BASIS team review of the Java settings, the Security Model was changed from "no" to "Token."
In J2EE Visual Administrator, Under Server, Services, Security Provider:
Components - SAP-J2EE-Engine
Authentication Template: "no" (correct value)
BasicPasswordLoginModule: SUFFICIENT

Single Sign-On (SSO) in Web Server 7.0u5

Hello,
I am in the process of trying to configure single sign-on (SSO) between several apps in the same SJWS 7.0u5 virtual server, and I'm not having much luck. This appears to be very similar to the problem reported in another thread (http://forums.sun.com/thread.jspa?forumID=759&threadID=5281564) that applied to 7.0u2.
I found one interesting detail that the previous post did not mention, however, and I think it is key to resolving this issue.
I've been using the SSO feature of WS7 since day one, and up to this point is has worked flawlessly. However, I am in the process of adding a new webapp that differs from the prior webapps in one significant way: it uses form-based login, and all the previous webapps used basic authentication.
Using the "Live HTTP Headers" Firefox add-on I captured the cookie exchanges between the client and server, and this is what I see:
1. Logging in to any of the apps that use basic authentication results in both the JSESSIONID for the current webapp and the JSESSIONIDSSO for the entire server to be returned in the response.
2. If I then go to a secured URI in the new (form login) webapp the JSESSIONIDSSO cookie is sent, but I still land on the login page.
3. When completing the login form and submitting it, no JSESSIONIDSSO is returned.
In both types of apps, my web.xml includes the appropriate configuration. FORM authentication: <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>ldap</realm-name>
    <form-login-config>
      <form-login-page>/login.jsf</form-login-page>
      <form-error-page>/error.jsf</form-error-page>
    </form-login-config>
</login-config>...and BASIC authentication: <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>ldap</realm-name>
</login-config>From this, it appears as though the SSO functionality is not working when using FORM authentication, only when using BASIC authentication.
The web apps developer's guide specifically says that SSO works for all webapps in the same virtual server with the same realm-name, which is certainly the case for me. It doesn't say that SSO is not supported in FORM-authenticated webapps, but that would appear to be the case.
Or is this a bug?
Or am I simply doing something obviously wrong?
Thanks!
Bill

In addition, I set the logging level to "fine", and I see these entries for the FORM authentication:
[06/Sep/2009:22:52:57] fine (20013): for host 127.0.1.1 trying to GET /testSso/index.jsp while trying to GET /testSso/, service-j2ee reports: Process request for '/testSso/'
[06/Sep/2009:22:52:57] fine (20013): for host 127.0.1.1 trying to GET /testSso/index.jsp while trying to GET /testSso/, service-j2ee reports: Checking for SSO cookie
[06/Sep/2009:22:52:57] fine (20013): for host 127.0.1.1 trying to GET /testSso/index.jsp while trying to GET /testSso/, service-j2ee reports: SSO cookie is not present
[06/Sep/2009:22:52:57] fine (20013): for host 127.0.1.1 trying to GET /testSso/index.jsp while trying to GET /testSso/, service-j2ee reports: Security checking request GET /testSso/
[06/Sep/2009:22:52:57] fine (20013): for host 127.0.1.1 trying to GET /testSso/index.jsp while trying to GET /testSso/, service-j2ee reports:   Matched constraint 'SecurityConstraint[secureURIs]' against GET /index.jsp
[06/Sep/2009:22:52:57] fine (20013): for host 127.0.1.1 trying to GET /testSso/index.jsp while trying to GET /testSso/, service-j2ee reports:   Matched constraint 'SecurityConstraint[secureURIs]' against GET /index.jsp
[06/Sep/2009:22:52:57] fine (20013): for host 127.0.1.1 trying to GET /testSso/index.jsp while trying to GET /testSso/, service-j2ee reports: Calling hasUserDataPermission()
[06/Sep/2009:22:52:57] fine (20013): for host 127.0.1.1 trying to GET /testSso/index.jsp while trying to GET /testSso/, service-j2ee reports:   User data constraint has no restrictions
[06/Sep/2009:22:52:57] fine (20013): for host 127.0.1.1 trying to GET /testSso/index.jsp while trying to GET /testSso/, service-j2ee reports: Calling authenticate()
[06/Sep/2009:22:52:57] fine (20013): for host 127.0.1.1 trying to GET /testSso/index.jsp while trying to GET /testSso/, service-j2ee reports: Restore request from session '19FFE2F63CF4E8756C19B60AC6F7A65E'
[06/Sep/2009:22:52:57] fine (20013): for host 127.0.1.1 trying to GET /testSso/index.jsp while trying to GET /testSso/, service-j2ee reports: Authenticated 'testUser' with type 'FORM'
[06/Sep/2009:22:52:57] fine (20013): for host 127.0.1.1 trying to GET /testSso/index.jsp while trying to GET /testSso/, service-j2ee reports: Registering sso id '2698AFCE8889EF9877778386855517BC' for user 'testUser in realm ldap' with auth type 'FORM'
[06/Sep/2009:22:52:57] fine (20013): for host 127.0.1.1 trying to GET /testSso/index.jsp while trying to GET /testSso/, service-j2ee reports: Associate sso id 2698AFCE8889EF9877778386855517BC with session StandardSession[19FFE2F63CF4E8756C19B60AC6F7A65E]
[06/Sep/2009:22:52:57] fine (20013): for host 127.0.1.1 trying to GET /testSso/index.jsp while trying to GET /testSso/, service-j2ee reports: Proceed to restored request
[06/Sep/2009:22:52:57] fine (20013): for host 127.0.1.1 trying to GET /testSso/index.jsp while trying to GET /testSso/, service-j2ee reports: Calling accessControl()
[06/Sep/2009:22:52:57] fine (20013): for host 127.0.1.1 trying to GET /testSso/index.jsp while trying to GET /testSso/, service-j2ee reports:   Checking roles testUser
[06/Sep/2009:22:52:57] fine (20013): for host 127.0.1.1 trying to GET /testSso/index.jsp while trying to GET /testSso/, service-j2ee reports: Successfully passed all security constraintsThat seems to indicate that an SSO ID is created and a cookie should be sent with the response, but as show in the Live HTTP Headers output, that is not the case.
The log entries for the BASIC authentication are as follows:
[06/Sep/2009:22:57:29] fine (20013): for host 127.0.1.1 trying to GET /ppc/index.jsp while trying to GET /ppc/, service-j2ee reports: Process request for '/ppc/'
[06/Sep/2009:22:57:29] fine (20013): for host 127.0.1.1 trying to GET /ppc/index.jsp while trying to GET /ppc/, service-j2ee reports: Checking for SSO cookie
[06/Sep/2009:22:57:29] fine (20013): for host 127.0.1.1 trying to GET /ppc/index.jsp while trying to GET /ppc/, service-j2ee reports: Security checking request GET /ppc/
[06/Sep/2009:22:57:29] fine (20013): for host 127.0.1.1 trying to GET /ppc/index.jsp while trying to GET /ppc/, service-j2ee reports:   Matched constraint 'SecurityConstraint[ppc]' against GET /index.jsp
[06/Sep/2009:22:57:29] fine (20013): for host 127.0.1.1 trying to GET /ppc/index.jsp while trying to GET /ppc/, service-j2ee reports:   Matched constraint 'SecurityConstraint[ppc]' against GET /index.jsp
[06/Sep/2009:22:57:29] fine (20013): for host 127.0.1.1 trying to GET /ppc/index.jsp while trying to GET /ppc/, service-j2ee reports: Calling hasUserDataPermission()
[06/Sep/2009:22:57:29] fine (20013): for host 127.0.1.1 trying to GET /ppc/index.jsp while trying to GET /ppc/, service-j2ee reports:   User data constraint has no restrictions
[06/Sep/2009:22:57:29] fine (20013): for host 127.0.1.1 trying to GET /ppc/index.jsp while trying to GET /ppc/, service-j2ee reports: Calling authenticate()
[06/Sep/2009:22:57:29] fine (20013): for host 127.0.1.1 trying to GET /ppc/index.jsp while trying to GET /ppc/, service-j2ee reports: Logging in user [testUser] into realm: ldap using JAAS module: ldapRealm
[06/Sep/2009:22:57:29] fine (20013): for host 127.0.1.1 trying to GET /ppc/index.jsp while trying to GET /ppc/, service-j2ee reports: Password login succeeded for : testUser
[06/Sep/2009:22:57:29] fine (20013): for host 127.0.1.1 trying to GET /ppc/index.jsp while trying to GET /ppc/, service-j2ee reports: Authenticated 'testUser' with type 'BASIC'
[06/Sep/2009:22:57:29] fine (20013): for host 127.0.1.1 trying to GET /ppc/index.jsp while trying to GET /ppc/, service-j2ee reports: Registering sso id 'A58B93F0A00C619AF18F53C2F7C00D16' for user 'testUser in realm ldap' with auth type 'BASIC'
[06/Sep/2009:22:57:29] fine (20013): for host 127.0.1.1 trying to GET /ppc/index.jsp while trying to GET /ppc/, service-j2ee reports: Associate sso id A58B93F0A00C619AF18F53C2F7C00D16 with session StandardSession[EF2E1F7E8B3FB7E3FDD4607E4A62D99E]
[06/Sep/2009:22:57:29] fine (20013): for host 127.0.1.1 trying to GET /ppc/index.jsp while trying to GET /ppc/, service-j2ee reports: Calling accessControl()
[06/Sep/2009:22:57:29] fine (20013): for host 127.0.1.1 trying to GET /ppc/index.jsp while trying to GET /ppc/, service-j2ee reports:   Checking roles testUser
[06/Sep/2009:22:57:29] fine (20013): for host 127.0.1.1 trying to GET /ppc/index.jsp while trying to GET /ppc/, service-j2ee reports: No role found: administrator
[06/Sep/2009:22:57:29] fine (20013): for host 127.0.1.1 trying to GET /ppc/index.jsp while trying to GET /ppc/, service-j2ee reports: Successfully passed all security constraintsIn this case, you can see that the SSO ID that is generated matches the value set in the response.
Bill

WEB-INF/web.xml

Hi:
I need to add <security-constraint> to my Flex
Builder-3 project.
How and where do I add this with FB3.
After I have used the authentication J2EE basic
authentication mechanism, how
do I get a reference to the role-name that has logged in?
Thanks

Shirker1,
I don't understand why this would be necessary? The J2EE
security authentication process happens at the server and so
protects your jsp etc pages that load into the browser. The Flex
app runs in the client once the page has loaded. A thread called
"j_security_check" a couple of days ago looked at pretty much the
same issue. Basically, if you want to enforce some security in your
(client) Flex app that uses the security model of your server, then
you have to write something that sends credentials to teh server
and gets the answer back.
Richard

Client certificate authentication with custom authorization for J2EE roles?

We have a Java application deployed on Sun Java Web Server 7.0u2 where we would like to secure it with client certificates, and a custom mapping of subject DNs onto J2EE roles (e.g., "visitor", "registered-user", "admin"). If we our web.xml includes:
<login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>certificate</realm-name>
<login-config>that will enforce that only users with valid client certs can access our app, but I don't see any hook for mapping different roles. Is there one? Can anyone point to documentation, or an example?
On the other hand, if we wanted to create a custom realm, the only documentation I have found is the sample JDBCRealm, which includes extending IASPasswordLoginModule. In our case, we wouldn't want to prompt for a password, we would want to examine the client certificate, so we would want to extend some base class higher up the hierarchy. I'm not sure whether I can provide any class that implements javax.security.auth.spi.LoginModule, or whether the WebServer requires it to implement or extend something more specific. It would be ideal if there were an IASCertificateLoginModule that handled the certificate authentication, and allowed me to access the subject DN info from the certificate (e.g., thru a javax.security.auth.Subject) and cache group info to support a specialized IASRealm::getGroupNames(string user) method for authorization. In a case like that, I'm not sure whether the web.xml should be:
<login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>MyRealm</realm-name>
<login-config>or:
<login-config>
    <auth-method>MyRealm</auth-method>
<login-config>Anybody done anything like this before?
--Thanks

We have JDBCRealm.java and JDBCLoginModule.java in <ws-install-dir>/samples/java/webapps/security/jdbcrealm/src/samples/security/jdbcrealm. I think we need to tweak it to suite our needs :
$cat JDBCRealm.java
* JDBCRealm for supporting RDBMS authentication.
* <P>This login module provides a sample implementation of a custom realm.
* You may use this sample as a template for creating alternate custom
* authentication realm implementations to suit your applications needs.
* <P>In order to plug in a realm into the server you need to
* implement both a login module (see JDBCLoginModule for an example)
* which performs the authentication and a realm (as shown by this
* class) which is used to manage other realm operations.
* <P>A custom realm should implement the following methods:
* <ul>
* <li>init(props)
* <li>getAuthType()
* <li>getGroupNames(username)
* </ul>
* <P>IASRealm and other classes and fields referenced in the sample
* code should be treated as opaque undocumented interfaces.
final public class JDBCRealm extends IASRealm
    protected void init(Properties props)
        throws BadRealmException, NoSuchRealmException
    public java.util.Enumeration getGroupNames (String username)
        throws InvalidOperationException, NoSuchUserException
    public void setGroupNames(String username, String[] groups)
}and
$cat JDBCLoginModule.java
* JDBCRealm login module.
* <P>This login module provides a sample implementation of a custom realm.
* You may use this sample as a template for creating alternate custom
* authentication realm implementations to suit your applications needs.
* <P>In order to plug in a realm into the server you need to implement
* both a login module (as shown by this class) which performs the
* authentication and a realm (see JDBCRealm for an example) which is used
* to manage other realm operations.
* <P>The PasswordLoginModule class is a JAAS LoginModule and must be
* extended by this class. PasswordLoginModule provides internal
* implementations for all the LoginModule methods (such as login(),
* commit()). This class should not override these methods.
* <P>This class is only required to implement the authenticate() method as
* shown below. The following rules need to be followed in the implementation
* of this method:
* <ul>
* <li>Your code should obtain the user and password to authenticate from
*       _username and _password fields, respectively.
* <li>The authenticate method must finish with this call:
*      return commitAuthentication(_username, _password, _currentRealm,
*      grpList);
* <li>The grpList parameter is a String[] which can optionally be
*      populated to contain the list of groups this user belongs to
* </ul>
* <P>The PasswordLoginModule, AuthenticationStatus and other classes and
* fields referenced in the sample code should be treated as opaque
* undocumented interfaces.
* <P>Sample setting in server.xml for JDBCLoginModule
* <pre>
*    <auth-realm name="jdbc" classname="samples.security.jdbcrealm.JDBCRealm">
*      <property name="dbdrivername" value="com.pointbase.jdbc.jdbcUniversalDriver"/>
*       <property name="jaas-context" value="jdbcRealm"/>
*    </auth-realm>
* </pre>
public class JDBCLoginModule extends PasswordLoginModule
    protected AuthenticationStatus authenticate()
        throws LoginException
    private String[] authenticate(String username,String passwd)
    private Connection getConnection() throws SQLException
}One more article [http://developers.sun.com/appserver/reference/techart/as8_authentication/]
You can try to extend "com/iplanet/ias/security/auth/realm/certificate/CertificateRealm.java"
[http://fisheye5.cenqua.com/browse/glassfish/appserv-core/src/java/com/sun/enterprise/security/auth/realm/certificate/CertificateRealm.java?r=SJSAS_9_0]
$cat CertificateRealm.java
package com.iplanet.ias.security.auth.realm.certificate;
* Realm wrapper for supporting certificate authentication.
* <P>The certificate realm provides the security-service functionality
* needed to process a client-cert authentication. Since the SSL processing,
* and client certificate verification is done by NSS, no authentication
* is actually done by this realm. It only serves the purpose of being
* registered as the certificate handler realm and to service group
* membership requests during web container role checks.
* <P>There is no JAAS LoginModule corresponding to the certificate
* realm. The purpose of a JAAS LoginModule is to implement the actual
* authentication processing, which for the case of this certificate
* realm is already done by the time execution gets to Java.
* <P>The certificate realm needs the following properties in its
* configuration: None.
* <P>The following optional attributes can also be specified:
* <ul>
*   <li>assign-groups - A comma-separated list of group names which
*       will be assigned to all users who present a cryptographically
*       valid certificate. Since groups are otherwise not supported
*       by the cert realm, this allows grouping cert users
*       for convenience.
* </ul>
public class CertificateRealm extends IASRealm
   protected void init(Properties props)
     * Returns the name of all the groups that this user belongs to.
     * @param username Name of the user in this realm whose group listing
     *     is needed.
     * @return Enumeration of group names (strings).
     * @exception InvalidOperationException thrown if the realm does not
     *     support this operation - e.g. Certificate realm does not support
     *     this operation.
    public Enumeration getGroupNames(String username)
        throws NoSuchUserException, InvalidOperationException
     * Complete authentication of certificate user.
     * <P>As noted, the certificate realm does not do the actual
     * authentication (signature and cert chain validation) for
     * the user certificate, this is done earlier in NSS. This default
     * implementation does nothing. The call has been preserved from S1AS
     * as a placeholder for potential subclasses which may take some
     * action.
     * @param certs The array of certificates provided in the request.
    public void authenticate(X509Certificate certs[])
        throws LoginException
        // Set up SecurityContext, but that is not applicable to S1WS..
}Edited by: mv on Apr 24, 2009 7:04 AM

Problem using runclient with j2ee

Dear all,
please help as i am banging my head against the monitor trying to figure all these little things out. Currently, I am working through the j2ee tutorial. This uses the deploytool to package and deploy all files. however, when i try to run runclient from the command line, i get the following error message :
Application threw an exception:java.io.IOException: converterApp.ear does not exist
I cannot see why this should happen as the file converterApp.ear definately does exist. I have also added the application client file to the APPCPATH environment variable (as the tutorial instructs).
Any help would be much appreciated
Thanks

You must go to your diroctory where ACount.ear exist. Then you set up your classpath for the sub client application like :
set Classpath= AcountAppliClint.jar
to run application client do :
runclient -client AccountEAR.ear -name Applicationclient -textauth
by

J2ee runclient authentication

Similar Messages

Maybe you are looking for