J2EE vs WLS8.1 security

In J2EE we can define permissions and roles in web.xml and ejb-jar.xml, and
in WLS6.1 we define role-principal mapping in weblogic.xml or
weblogic-ejb-jar.xml. We have methods like getUserPrincipal() or
isUserInRole() in HttpServletRequest and EJBContext.
In WLS8.1 we can define global roles, scoped roles, security policies in the
console. How do these interact with the J2EE model? For example, can I put
a global role name in isUserInRole()? If I have configured security
policies on a webapp, when I redeploy it does it revert back to the
definitions in web.xml and weblogic.xml? Is there any documentation on
these issues? Thanks.
-- Chuck

"Chuck Zhao" <[email protected]> wrote:
In J2EE we can define permissions and roles in web.xml and ejb-jar.xml, and
in WLS6.1 we define role-principal mapping in weblogic.xml or
weblogic-ejb-jar.xml. We have methods like getUserPrincipal() or
isUserInRole() in HttpServletRequest and EJBContext.
In WLS8.1 we can define global roles, scoped roles, security policies in the
console. How do these interact with the J2EE model? For example, can I put
a global role name in isUserInRole()? If I have configured security
policies on a webapp, when I redeploy it does it revert back to the
definitions in web.xml and weblogic.xml? Is there any documentation on
these issues? Thanks.
-- Chuck

http://edocs.bea.com/wls/docs81/secwlres/types.html#1208206

Similar Messages

  • ADF Security to J2EE Container Managed Security Problems

    Hi all!
    I had ADF security enabled in my application. I've added roles and users to embedded OC4J Server Preferences..., configured authorization using pageDefs... (following the Introduction to ADF Security in JDeveloper 10.1.3.2 howto).
    For the sake of friendlier user and roles management I decided to go to J2EE Container Managed Security (I want the application manager in the production environment to be able to manage users in only one place, not in a DB table and separately for the web app). I followed Frank Nimphius's Database Authentication and Authorization in J2EE Container Managed Security article.
    Now I have some problems. I removed users and roles from embedded OC4J Server Preferences... (I believe these are used only for ADF security, am I right?). I can log in to the application with the admin user account (the app index page doesn't have any bindings or even a pageDef), but when trying to access admin pages I get a 401 Unauthorized page.
    What am I doing wrong? Probably I've forgotten something? I'm a bit confused now with users and roles settings and ADF and container managed security.
    Part of my web.xml file:
    <servlet>
      <servlet-name>adfAuthentication</servlet-name>
      <servlet-class>oracle.adf.share.security.authentication.AuthenticationServlet</servlet-class>
      <init-param>
        <param-name>success_url</param-name>
        <param-value>/faces/app/index.jspx</param-value>
      </init-param>
      <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
      <servlet-name>adfAuthentication</servlet-name>
      <url-pattern>/adfAuthentication/*</url-pattern>
    </servlet-mapping>
    <security-role>
      <description>Admins</description>
      <role-name>admin_role</role-name>
    </security-role>
    <security-role>
      <description>Users</description>
      <role-name>user_role</role-name>
    </security-role>
    <security-role>
      <role-name>oc4j-administrators</role-name>
    </security-role>
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>AllAdmins</web-resource-name>
        <!-- a path-mapping url-pattern must begin with "/" and end with "/*" -->
        <url-pattern>/faces/admin/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>admin_role</role-name>
      </auth-constraint>
    </security-constraint>
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>AllUsers</web-resource-name>
        <url-pattern>/faces/app/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>user_role</role-name>
        <role-name>admin_role</role-name>
      </auth-constraint>
    </security-constraint>
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>adfAuthentication</web-resource-name>
        <url-pattern>/adfAuthentication</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>oc4j-administrators</role-name>
        <role-name>user_role</role-name>
        <role-name>admin_role</role-name>
      </auth-constraint>
    </security-constraint>
    Do I have to remove these adfAuthentication tags?
    I know I've made things a bit complicated for me now and for anyone to help, but I hope I will get at least some pointers on what to do now and maybe some explanation about roles in container managed security? Is it enough to have security constraints and roles defined in the web.xml file, or do they have to be defined somewhere else as well (besides the database)?
    Thank you in advance!
    Bye
    PS
    Maybe the stack trace after login helps:
    FINE: LoginConfigProvider.ctr: lmm=[LoginModuleManager: jznCfg=[JAZNConfig null], appConfigEntries={oracle.security.jazn.oc4j.CertificateAuthenticator=[javax.security.auth.login.AppConfigurationEntry@3625d0], oracle.security.jazn.tools.Admintool=[javax.security.auth.login.AppConfigurationEntry@eca6e7], oracle.security.jazn.oc4j.WebCoreIDSSOAuthenticator=[javax.security.auth.login.AppConfigurationEntry@c1c7c4], oracle.security.jazn.oc4j.DigestAuthenticator=[javax.security.auth.login.AppConfigurationEntry@221f81], oracle.security.wss.jaas.SAMLAuthManager=[javax.security.auth.login.AppConfigurationEntry@426e05], oracle.security.jazn.oc4j.JAZNUserManager=[javax.security.auth.login.AppConfigurationEntry@145240a], current-workspace-app=[javax.security.auth.login.AppConfigurationEntry@4120aa], oracle.security.wss.jaas.JAASAuthManager=[javax.security.auth.login.AppConfigurationEntry@1c78f98]}]
    24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule initialize
    FINE: [DBTableOraDataSourceLoginModule] option data_source_name = jdbc/TESTDbDS
    24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule initialize
    FINE: [DBTableOraDataSourceLoginModule] option table = APPLICATION_USER
    24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule initialize
    FINE: [DBTableOraDataSourceLoginModule] option groupMembershipTableName = APPLICATION_ROLE
    24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule initialize
    FINE: [DBTableOraDataSourceLoginModule] option usernameField = USR_EMAIL
    24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule initialize
    FINE: [DBTableOraDataSourceLoginModule] option passwordField = USR_PSW
    24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule initialize
    FINE: [DBTableOraDataSourceLoginModule] option groupMembershipGroupFieldName = ROLE_NAME
    24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule initialize
    FINE: [DBTableOraDataSourceLoginModule] option user_pk_column = USR_EMAIL
    24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule initialize
    FINE: [DBTableOraDataSourceLoginModule] option roles_fk_column = USR_EMAIL
    24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule initialize
    FINE: [DBTableOraDataSourceLoginModule] option pw_encoding_class = null
    24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule initialize
    FINE: [DBTableOraDataSourceLoginModule] option realm_column = null
    24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule initialize
    FINE: [DBTableOraDataSourceLoginModule] option application_realm = null
    24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule initialize
    FINE: [DBTableOraDataSourceLoginModule] option casing = toupper
    24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule login
    FINE: [DBTableOraDataSourceLoginModule]login called on DBTableLoginModule
    24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule login
    FINE: [DBTableOraDataSourceLoginModule]Calling callbackhandler ...
    24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule login
    FINE: [DBTableOraDataSourceLoginModule]Username returned by callback = admin
    24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule login
    FINE: [DBTableOraDataSourceLoginModule]Username changed to case as defined by toupper to ADMIN
    24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule performDbAuthentication
    FINE: [DBTableOraDataSourceLoginModule]User query string: select USR_EMAIL,USR_PSW from APPLICATION_USER where USR_EMAIL= (?)
    24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule performDbAuthentication
    FINE: [DBTableOraDataSourceLoginModule]User primary key value found = ADMIN
    24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule performDbAuthentication
    FINE: [DBTableOraDataSourceLoginModule]Password encoded by: oracle.security.jazn.login.module.db.util.DBLoginModuleClearTextEncoder
    24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule performDbAuthentication
    FINE: [DBTableOraDataSourceLoginModule]User ADMIN authenticated successfully
    24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule performDbAuthentication
    FINE: [DBTableOraDataSourceLoginModule]Roles query string: select ROLE_NAME from APPLICATION_ROLE where USR_EMAIL= (?)
    24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule performDbAuthentication
    FINE: [DBTableOraDataSourceLoginModule]DBUser Principal Name: ADMIN
    24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule performDbAuthentication
    FINE: [DBTableOraDataSourceLoginModule]DBRole Principal Name: admin_role
    24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule login
    FINE: [DBTableOraDataSourceLoginModule]Logon Successful = true
    24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule commit
    FINE: [DBTableOraDataSourceLoginModule]Subject contains 0 Principals before auth
    24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule commit
    FINE: [DBTableOraDataSourceLoginModule]Local LM commit succeeded
    24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule commit
    FINE: [DBTableOraDataSourceLoginModule]Subject contains 2 Principals after auth
    24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule commit
    FINE: [DBTableOraDataSourceLoginModule]Cleaning internal state!

    Hi there!
    I have another question about this. I've modified the DBRolePrincipal class a bit to see what's going on. At the beginning of the equals(Object another) method I added these lines:
    log("method equals start", 0);
    log("another type = " + another.getClass(), 0);
    if (another instanceof Principal) {
        Principal mine = (Principal) another;
        log("Principal mine.getName() = " + mine.getName(), 0);
    }
    The result is this output (after navigating to the page that gives 401 forbidden):
    07/10/12 08:38:36 [DBRolePrincipal] method equals start
    07/10/12 08:38:36 [DBRolePrincipal] another type = class oracle.security.jazn.oc4j.JAZNUserAdaptor
    07/10/12 08:38:36 [DBRolePrincipal] Principal mine.getName() = admin_user
    07/10/12 08:38:36 [DBRolePrincipal] method equals start
    07/10/12 08:38:36 [DBRolePrincipal] another type = class oracle.adf.share.security.authentication.ADFRolePrincipal
    07/10/12 08:38:36 [DBRolePrincipal] Principal mine.getName() = anyone
    07/10/12 08:38:36 [DBRolePrincipal] method equals start
    07/10/12 08:38:36 [DBRolePrincipal] another type = class oracle.security.jazn.oc4j.JAZNUserAdaptor
    07/10/12 08:38:36 [DBRolePrincipal] Principal mine.getName() = admin_user
    07/10/12 08:38:36 [DBRolePrincipal] method equals start
    07/10/12 08:38:36 [DBRolePrincipal] another type = class oracle.adf.share.security.authentication.ADFRolePrincipal
    07/10/12 08:38:36 [DBRolePrincipal] Principal mine.getName() = anyone
    07/10/12 08:38:36 [DBRolePrincipal] method equals start
    07/10/12 08:38:36 [DBRolePrincipal] another type = class oracle.security.jazn.oc4j.JAZNUserAdaptor
    07/10/12 08:38:36 [DBRolePrincipal] Principal mine.getName() = admin_user
    07/10/12 08:38:36 [DBRolePrincipal] method equals start
    07/10/12 08:38:36 [DBRolePrincipal] another type = class oracle.adf.share.security.authentication.ADFRolePrincipal
    07/10/12 08:38:36 [DBRolePrincipal] Principal mine.getName() = anyone
    07/10/12 08:38:36 [DBRolePrincipal] method equals start
    07/10/12 08:38:36 [DBRolePrincipal] another type = class oracle.security.jazn.oc4j.JAZNUserAdaptor
    07/10/12 08:38:36 [DBRolePrincipal] Principal mine.getName() = admin_user
    07/10/12 08:38:36 [DBRolePrincipal] method equals start
    07/10/12 08:38:36 [DBRolePrincipal] another type = class oracle.adf.share.security.authentication.ADFRolePrincipal
    07/10/12 08:38:36 [DBRolePrincipal] Principal mine.getName() = anyone
    07/10/12 08:38:36 [DBRolePrincipal] method equals start
    07/10/12 08:38:36 [DBRolePrincipal] another type = class oracle.security.jazn.oc4j.JAZNUserAdaptor
    07/10/12 08:38:36 [DBRolePrincipal] Principal mine.getName() = admin_user
    07/10/12 08:38:36 [DBRolePrincipal] method equals start
    07/10/12 08:38:36 [DBRolePrincipal] another type = class oracle.adf.share.security.authentication.ADFRolePrincipal
    07/10/12 08:38:36 [DBRolePrincipal] Principal mine.getName() = anyone
    07/10/12 08:38:36 [DBRolePrincipal] method equals start
    07/10/12 08:38:36 [DBRolePrincipal] another type = class oracle.security.jazn.oc4j.JAZNUserAdaptor
    07/10/12 08:38:36 [DBRolePrincipal] Principal mine.getName() = admin_user
    07/10/12 08:38:36 [DBRolePrincipal] method equals start
    07/10/12 08:38:36 [DBRolePrincipal] another type = class oracle.adf.share.security.authentication.ADFRolePrincipal
    07/10/12 08:38:36 [DBRolePrincipal] Principal mine.getName() = anyone
    07/10/12 08:38:36 [DBRolePrincipal] method equals start
    07/10/12 08:38:36 [DBRolePrincipal] another type = class oracle.security.jazn.oc4j.JAZNUserAdaptor
    07/10/12 08:38:36 [DBRolePrincipal] Principal mine.getName() = admin_user
    07/10/12 08:38:36 [DBRolePrincipal] method equals start
    07/10/12 08:38:36 [DBRolePrincipal] another type = class oracle.adf.share.security.authentication.ADFRolePrincipal
    07/10/12 08:38:36 [DBRolePrincipal] Principal mine.getName() = anyone
    Why is the name of ADFRolePrincipal always anyone? When I sign in with this user the output says:
    07/10/12 08:46:09 [DBTableOraDatasourceLoginModule] User query string: select USERNAME,PASSWORD from ACTIVE_APP_USER_V where USERNAME= (?)
    07/10/12 08:46:09 [DBTableOraDatasourceLoginModule] User primary key value found = admin_user
    07/10/12 08:46:09 [DBTableOraDatasourceLoginModule] Password encoded by: oracle.sample.dbloginmodule.util.DBLoginModuleCearTextEncoder
    07/10/12 08:46:09 [DBTableOraDatasourceLoginModule] User admin_user authenticated successfully
    07/10/12 08:46:09 [DBTableOraDatasourceLoginModule] Roles query string: select ROLE_NAME from ACTIVE_APP_ROLE_V where USERNAME= (?)
    07/10/12 08:46:09 [DBTableOraDatasourceLoginModule] DBRole Principal Name: admin_role
    07/10/12 08:46:09 [DBTableOraDatasourceLoginModule] DBUser Principal Name: admin_user
    07/10/12 08:46:09 [DBTableOraDatasourceLoginModule] Logon Successful = true
    07/10/12 08:46:09 [DBTableOraDatasourceLoginModule] Subject contains 0 Principals before auth
    07/10/12 08:46:09 [DBUserPrincipal] method equals start
    07/10/12 08:46:09 [DBUserPrincipal] another type = class oracle.sample.dbloginmodule.principals.DBRolePrincipal
    07/10/12 08:46:09 [DBTableOraDatasourceLoginModule] Local LM commit succeeded
    07/10/12 08:46:09 [DBTableOraDatasourceLoginModule] Subject contains 2 Principals after auth
    07/10/12 08:46:09 [DBTableOraDatasourceLoginModule] Cleaning internal state!
    Frank, if you haven't given up on this issue yet could you please try to explain this to me? Why does the admin_role principal never get compared in the equals method?
    Thank you!
    BB

  • Adding an External Application that uses J2EE Form Based Security

    I'm trying to add an External application that uses J2EE Form based security, i.e. uses j_username, j_password and posts to j_security_check.
    I don't really see how Oracle SSO will support this. The container needs to take control of a client's request and determine when the "Login" page is presented to establish credentials. Posting directly to j_security_check isn't working for me.
    I'm using Sybase EAServer 4.12 as the external application.
    Is this supported in Oracle SSO?
    Do I need to provide a different mechanism for logging users in?
    Also, can someone explain what the benefit would be if I configured the EAServer app as a "Partner" app? I would still have to provide an interface for login. The input would be different but the end result would be the same I guess. What advantages does a Partner app have?
    Lastly, is there an NNTP server for these forums?
    Thanks.
    Darrell

    The cure for the symptoms described below was to simply add a welcome-file-list element with appropriate welcome pages to the web.xml descriptor. It makes sense now that I have worked it out.
    Todd
    "Todd Gould" <[email protected]> wrote:
    I have an application comprised of several JSPs that are protected via Form based security and enforce an SSL connection via the appropriate declarations in the web.xml. This aspect of the application seems to be working with the exception of one small quirk.
    If a user presses the back button until such time as they receive the container provided login page once again, and subsequently provide a valid user id and password, they are NOT successfully logged in. Rather, they receive the ugly 403 Forbidden error that states that the server understood the request, but is refusing to fulfill it. This only seems to happen given the above course of events involving the use of a back button in the browser (or selection of an item from the history list). I suspect that this has something to do with the session id being cached or something, but I'm not sure? Can anyone offer any assistance on this one?
    Also, does anyone know of a way of preventing the user from bookmarking this container provided login page, as this also seems to be causing problems for users. If they bookmark the first protected page of the application all is fine, but if they bookmark the login page they receive the 403 error.
    Thanks in advance!

  • SAP-J2EE (root) node Security Provider

    I changed the SAP-J2EE (root) node to "ticket" and now I can't seem to get into the Visual Administrator. I wouldn't think this would affect Visual Administrator?
    Is there a way to change things back via a command line interface?

    Rohit,
    Did you install as a double stack or add-in installation? Or did you install as a standalone AS Java?
    What kind of installation you did determines which default users you have.
    See the following from the AS Java Security Guide:
    http://help.sap.com/saphelp_nw04s/helpdata/en/9f/d770424edcc553e10000000a1550b0/frameset.htm
    Naturally this is just the default installation. If these users have been deleted since installation, you have to adjust accordingly.
    Which data source is the default also depends on how you installed AS Java. You have the correct data source for AS Java as stand alone. Depending on what version you originally installed, the double-stack/add-in default data source may be dataSourceConfiguration_abap.xml.
    Changing the data source won't help you if you cannot find the guest user though.
    -Michael

  • J2EE, get all security roles

    On a J2EE application server (preferably from in a Servlet, but EJB is also fine), how do I get an array or list of all security roles?
    I want to let the user who creates, for example, a forum topic define which roles can view it.

    On a J2EE application server (preferably from in a Servlet, but EJB is also fine), how do I get an array or list of all security roles?
    I want to let the user who creates, for example, a forum topic define which roles can view it.
    Short answer: You can't, because there is no such functionality mandated by either the servlet or the ejb specs.
    Long answer: You can, but it will be particular to the registry implementation you use, and will also mandate some naming scheme to map between, for example, ldap groups and authentication roles.
    Br - J

  • J2EE Container Managed Security doc and inquiry about what to do if I tweak

    hello:
    If application_roles is taken out of the database schema, would the example still work with minimal changes? There is a possibility our organization may have a separate department handling username and password while our app and our separate database will handle roles. Is there something I need to be aware of, or is it just a matter of looking up the role in a separate table after authentication? Based on roles, users will have different authorities. Is there something built into Oracle JDev?
    Thanks

    Hi,
    you can do anything you want with custom LoginModules. If the provided database login module in OC4J is not sufficient then you can also build your own login module (or use one of the three I built and published 2 years ago). So the answer is that it is not relevant where the role definition comes from as long as it is associated with the user upon authentication.
    Frank

  • J2EE Container Security - Duplication inevitable? (Attn: Frank)

    Frank:
    Just to be clear, so you are saying I will have duplication of roles in "application_roles" table and the web.xml. And, this is the only way I could "authenticate" using "application_users" table data and "authorize" using "application_roles" existing in a totally different database schema!
    Hmmm. Almost seems like existence of "application_roles" table is not required in the setup I described. After authentication, I have to hit the web.xml to get the roles for the authenticated users anyway? Why bother with extra work with database? Am I right?
    By the way, I am repeating my setup and your answers to refresh your memory because you get many inquiries.
    UPDATE as of 14:30 pm. I think I may be showing my ignorance here. I guess user's role is decided by table "application_roles." You then use the isUserInRole() merely to set read/write/view permissions. But, I am not quite sure yet. Hence I will leave this post for your answer. I am not quite done with my analysis before deciding to change this post.
    Thanks
    To refresh:
    My set up: I have ADFBC. I am using SRDemo with a twist. I am using your new doc "Database authentication and Auth in J2EE container managed security", not ADF security from SRDemo's last chapter. I ignored the ADF Security part in the SRDemo. I have "application_roles" and srdemo tables in one database schema and "application_users" in a totally different schema.
    You wrote:
    web.xml is used to define authorization based on security constraints expressed in URL patterns. However, for each of the user roles - e.g. PRESIDENT - you need to create a role in web.xml with the same name. When you then call isUserInRole() from the JSF application then it checks web.xml for the security role and then attempts to verify that the user has this role granted. It is not obvious why web.xml needs to have the role defined. There exists a reason that however would add more to your confusion than to your success ;-)
    You can use the same approach SRDemo uses in that you provide a managed bean with boolean methods like isPresident(), isManager() etc. The methods perform "isUserInRole()".
    Then you use EL to access these methods to hide/show components.

    Hi
    Just to be clear, so you are saying I will have duplication of roles in "application_roles" table and the web.xml. And, this is the only way I could "authenticate" using "application_users" table data and "authorize" using "application_roles" existing in a totally different database schema!
    The table is the security provider whereas web.xml defines the security roles that you can work with in your program code. The J2EE servlet spec defines a separation of application roles and groups or roles in the security provider. There is an additional step between roles in web.xml and the security provider, which is that you could map the role name in web.xml to a security role name. I never tested this with custom LoginModules and for this reason the two role names match.
    The goal of container managed security is that the developer can build the secure web application without having to know about the security roles defined on the security provider.
    Note that anything that you call in application code within container managed security - and this is not specific to Oracle - is checked against the web.xml file which is mapped to the security provider. If e.g. you use JBoss then you could configure a database module to handle the authentication and authorization. But still the security role needs to be provided in web.xml.
    Frank

  • ADF Mobile - Security. Serving custom, non-j2ee security policies.

    We are trying to achieve session management across our ADF Mobile app.
    We were hoping to use the ADF Mobile inbuilt security framework.
    However our Mobile App is simply a UI interface to a large Enterprise App which already has a custom security framework (entirely database based) in place.
    The enterprise app exposes RESTful interfaces (JAX-RS-Jersey) for functionality which the mobile app consumes.
    This question has broadly 2 parts to it.
    1. Does ADF Mobile inbuilt security work ONLY with J2ee container managed security realm service?
    2. Can ADF Mobile inbuilt security be made to work with a custom application security framework?
    Following are the challenges we face in dealing with the 2nd question,
    2a. We need to extricate the Username and Password from the request as sent by the ADF Mobile default login page
    2b. Based on the authenticated state(using custom security framework) assign Roles to the user and set the response.
    2c. In the Mobile app use the custom roles to drive UI.
    2d. One of the statements in the documentation says that irrespective of successful or failed login the Springboard will be visible. Can this be prevented?
    2e. Can we maintain session while achieving the last 4?
    Using the following JAX-RS annotations it has been impossible to retrieve any user credentials at our webservice end.
    @Context SecurityContext, @Context HttpServletRequest, @CookieParams,  @HeaderParam

    Hi,
    here's how you do it
    - application roles are defined in jazn-data.xml
    - Write a custom JAAS LoginModule that authenticates against the database
    - Create WLS authentication provider for your JAAS LoginModule and configure it in WLS
    - LoginModule returns principal for user and the user group memberships
    - User logs in via login.jspx
    - WLS authenticates user
    - Security context is updated with user and user roles
    Frank

  • Error when changing password of NW J2ee's secure store and Oracle sqlplus

    Hi all,
    I am wondering on the following:
    Current setting:
    I have "old_password" for the J2ee configtool's secure store.
    I have "old_password" for Oracle's sapsr2 user inside Sqlplus.
    When I change the password in all 3 places from "old_password" to "new_password", I am not able to connect to configtool. I am also not able to start the Portal service; the logfile error is "invalid user/password".
    If I change the password back to "old_password", I can connect to configtool as well as start the service.
    SAP Notes and forum posts (via Google) mention that updating configtool's secure store and "alter user sapsr3" for the Oracle database is all I need to change the password.
    Have I missed some step in order to change the password for my Enterprise Portal?
    Thank you.
    Regards

    edit: never mind, found the meaning of SDM.
    But the commands below, are they usable?
    For Windows OS:
    Open a command prompt and navigate to the folder <Drive>:\usr\sap\DP1\JC21\SDM\program
    Execute the below commands:
    sdm jstartup "mode=standalone"
    sdm changepassword "newpassword=<Enterthenewpassword>"
    sdm jstartup "mode=integrated"
    StartServer.bat
    Edited by: Sek Yao Ooi on Dec 7, 2009 9:21 AM

  • Error while executing Secure SOAP web service from Web Service Navigator

    Hi All,
    I have created a web service for a stateless session bean choosing the option "Secure SOAP".
    When I am testing it through the web service navigator, it shows the following error:
    Security: Authentication expected but missing
    And in the response text it shows the following:
    HTTP/1.1 500 Internal Server Error
    Connection: close
    Server: SAP J2EE Engine/7.00
    Content-Type: text/xml; charset=UTF-8
    Date: Wed, 17 Dec 2008 05:42:10 GMT
    Set-Cookie: <value is hidden>
    <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" >
    <SOAP-ENV:Body><SOAP-ENV:Fault><faultcode>SOAP-ENV:Server</faultcode><faultstring>Security: Authentication expected but missing</faultstring><detail><ns1:com.sap.engine.interfaces.webservices.runtime.ProtocolException xmlns:ns1='http://sap-j2ee-engine/error'>Security: Authentication expected but missing</ns1:com.sap.engine.interfaces.webservices.runtime.ProtocolException></detail></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>
    Can anybody help me with the above?
    And my second question: I have created a web service with the "Basic Auth SOAP" option, and while executing it in the web service navigator, it asks for username & password.
    What role / right should be granted to this user so as to make him able to execute this web service? This user must be a UME user, correct?
    Please help me in resolving this.
    Thanks and regards,
    Amey Mogare

    Hi Fazal,
    I have read the thread, but my questions are still unanswered.
    1. I know how to set username and password while using the "Basic Auth SOAP" protocol. But my question in this case is what accesses the user requires to be able to execute the web service.
    2. And about Secure SOAP, why is the above-mentioned error appearing?
    Thanks and regards,
    Amey Mogare

  • I need to secure SOAP message sent into SOAP adapter, how to?

    Hi guys,
    My scenario uses SOAP and I need to secure this SOAP message sent into the SOAP adapter. As I have read in the documentation, HTTPS is possible only on the SOAP receiver adapter. But mine is a SENDER.
    Could you help me please, how to solve it? Or post some link? Or, if you have your own approach, let me know?
    Thanks, Peter

    Hi,
    you can use SSL with the sender adapter. Please see the extract of the SOAP Adapter FAQ (Note #856597) below:
    <b>Q:</b> Can I use SSL for my sender adapter?
    <b>A:</b> Yes. Normally, the SOAP adapter servlet runs on the engine's HTTP port. But you can activate the engine's HTTPS port so that this servlet can receive messages sent to the HTTPS port. See the documentation about the J2EE engine's security configuration.
    I am afraid, I haven't yet tried this myself, so you will need to consult the J2EE documentation.
    Regards,
    HC

  • How can I know the security role of the logged in user

    When you design an enterprise bean or Web component, you should always think about the kinds of users who will access the component. For example, an Account enterprise bean might be accessed by customers, bank tellers, and branch managers. Each of these user categories is called a security role, an abstract logical grouping of users that is defined by the person who assembles the application. When an application is deployed, the deployer will map the roles to security identities in the operational environment.
    But I am wondering, when I log into my application with some user name and password (specified in my Oracle database), how this works with the security role I created. How does J2EE know the security role of the logged-in user?
    Thanks
    Manohar

    shet wrote:
    role at run time.
    When I login, say as "manju" with password "money", then how does it know that this user belongs to this security role? Is it that the J2EE administrator has to say that user manju has this security role? Programmatically, how does it really work? I am confused

    The J2EE implementation assigns the roles using the JAAS module you have configured for your application on your application server. Different JAAS modules get roles in different ways. Many allow a single static role to be assigned using a config file. If using a database, often there will be configuration to specify additional database fields which specify the role for a given username.
    At runtime, a developer can test roles using methods like EJBContext.isCallerInRole().
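
As an added example (not code from the thread or from any container vendor), here is a minimal JAAS LoginModule in plain Java SE (17 or later) that does what the reply above describes: it verifies the username and password against a small in-memory table constructed here to stand in for a USERS/USER_ROLES database, and only in commit() does it attach one principal per role to the Subject. The isUserInRole() helper is a stand-in for what EJBContext.isCallerInRole() and HttpServletRequest.isUserInRole() reduce to inside a container: a lookup for a matching role principal. The class names RoleDemo, TableLoginModule and SimplePrincipal and the sample users are hypothetical.

```java
import java.io.IOException;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

// Added example, not code from the thread: how a JAAS login module turns a
// username/password into a Subject that carries the user's roles as principals.
public class RoleDemo {

    // Constructed sample data standing in for a USERS table and a USER_ROLES table.
    // A real module queries them over JDBC and compares a salted password hash.
    static final Map<String, String> PASSWORDS = Map.of("manju", "money");
    static final Map<String, Set<String>> ROLES = Map.of("manju", Set.of("teller", "customer"));

    /** Hypothetical principal type; kind is "user" or "role". Containers use their own classes. */
    public static final class SimplePrincipal implements Principal {
        final String kind, name;
        SimplePrincipal(String kind, String name) { this.kind = kind; this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return kind + ":" + name; }
    }

    /** The login module; the container (here LoginContext) instantiates it by class name. */
    public static class TableLoginModule implements LoginModule {
        private Subject subject;
        private CallbackHandler handler;
        private String user;   // set only after login() succeeded

        @Override
        public void initialize(Subject subject, CallbackHandler handler,
                               Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
            this.handler = handler;
        }

        /** Phase 1: verify the credentials without touching the Subject. */
        @Override
        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try {
                handler.handle(new Callback[] {nc, pc});
            } catch (IOException | UnsupportedCallbackException e) {
                throw new LoginException("callback failed: " + e.getMessage());
            }
            byte[] supplied = new String(pc.getPassword()).getBytes();
            pc.clearPassword();
            String expected = PASSWORDS.get(nc.getName());
            // Constant-time compare; an unknown user fails exactly like a wrong password.
            if (expected == null || !MessageDigest.isEqual(expected.getBytes(), supplied)) {
                throw new FailedLoginException("bad credentials");
            }
            user = nc.getName();
            return true;
        }

        /** Phase 2: role mapping happens here, from the data store, not from web.xml. */
        @Override
        public boolean commit() {
            if (user == null) return false;
            Set<Principal> ps = subject.getPrincipals();
            ps.add(new SimplePrincipal("user", user));
            for (String role : ROLES.getOrDefault(user, Set.of())) ps.add(new SimplePrincipal("role", role));
            return true;
        }

        @Override public boolean abort() { user = null; return true; }
        @Override public boolean logout() { subject.getPrincipals().clear(); user = null; return true; }
    }

    /** What isCallerInRole()/isUserInRole() reduce to: is a role principal with that name present? */
    static boolean isUserInRole(Subject s, String role) {
        return s.getPrincipals(SimplePrincipal.class).stream()
                .anyMatch(p -> p.kind.equals("role") && p.name.equals(role));
    }

    /** Programmatic JAAS configuration, so no jaas.conf file is needed to run this. */
    static Configuration config() {
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] {new AppConfigurationEntry(
                        TableLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Map.of())};
            }
        };
    }

    /** Runs the login; the CallbackHandler plays the part of the FORM or BASIC auth dialog. */
    static Subject login(String user, String password) throws LoginException {
        CallbackHandler h = callbacks -> {
            for (Callback c : callbacks) {
                if (c instanceof NameCallback nc) nc.setName(user);
                else if (c instanceof PasswordCallback pc) pc.setPassword(password.toCharArray());
                else throw new UnsupportedCallbackException(c);
            }
        };
        LoginContext lc = new LoginContext("demo", new Subject(), h, config());
        lc.login();
        return lc.getSubject();
    }

    public static void main(String[] args) throws LoginException {
        Subject s = login("manju", "money");
        System.out.println(s.getPrincipals());
        System.out.println("teller: " + isUserInRole(s, "teller") + ", manager: " + isUserInRole(s, "manager"));
        try { login("manju", "wrong"); } catch (FailedLoginException e) { System.out.println("rejected"); }
    }
}
```

The two-phase login()/commit() split is the part worth noticing: the container only attaches principals once every REQUIRED module in the stack has succeeded, which is why a module that adds roles in login() misbehaves when it is stacked with others. The roles that end up in the Subject are what the container compares against the role names in web.xml or ejb-jar.xml after the vendor's role mapping (weblogic.xml, orion-application.xml, etc.) has been applied.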

  • Database Auth in J2EE and Page authorization, Attn: Frank

    Frank:
    (1) In one of your replies to my queries, you said that page authorization and permissions (the way it is available now in file-based security, where one can go to Edit Authorization on each page and grant read/write) is not available in J2EE Container Managed Security with a database schema table-based security provider that uses custom LoginModules, until JDev 11. Until then, is there an alternative way?
    (2) Is a tool of some sort in the works for page authorization that can be given to customers? Otherwise it will be a nightmare if customers call in and say they want to change authorizations every second and one has to go to JDeveloper to manually check the checkboxes on the pages from "Edit Authorization" and deliver another release after the changes.
    (3) Lastly, from your replies, it looks like LoginModules are powerful. You mentioned that you can write one to access multiple database connections to access different tables in different schemas etc. Is there a link to a how-to that addresses this? (Something that may apply to accessing APPLICATION_USERS in one schema and APPLICATION_ROLES and all the SRDemo tables (as a test case) in another schema.) I recall it being there somewhere. I want to get "very" familiar with it. By the way, your DBTableOraDataSourcesLoginModule is working very well with the tables in my Oracle JExpress database. Thanks...
    Thanks

    Hi, Frank,
    I followed your how-to document, Database Authentication and Authorization in J2EE Container Managed Security, to set up a test application. However, I came to a point where the authentication and authorization seemed OK but I received a 401 Unauthorized error. Here is the log I received:
    Nov 7, 2007 4:52:51 PM oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule login
    FINE: [DBTableOraDataSourceLoginModule]Logon Successful = true
    Nov 7, 2007 4:52:51 PM oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule commit
    FINE: [DBTableOraDataSourceLoginModule]Subject contains 0 Principals before auth
    Nov 7, 2007 4:52:51 PM oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule commit
    FINE: [DBTableOraDataSourceLoginModule]Local LM commit succeeded
    Nov 7, 2007 4:52:51 PM oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule commit
    FINE: [DBTableOraDataSourceLoginModule]Subject contains 5 Principals after auth
    Nov 7, 2007 4:52:51 PM oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule commit
    FINE: [DBTableOraDataSourceLoginModule]Cleaning internal state!
    Nov 7, 2007 4:52:53 PM oracle.adfinternal.view.faces.application.ViewHandlerImpl _checkTimestamp
    INFO: ADF Faces is running with time-stamp checking enabled. This should not be used in a production environment. See the oracle.adf.view.faces.CHECK_FILE_MODIFICATION property in WEB-INF/web.xml
    What may be wrong? web.xml? system-jazn-data.xml? application.xml? or data-sources.xml?
    Your advice would be appreciated.

  • Using weblogic security roles in authentication: weblogic 9

    Hi All,
    I am trying to create a simple application which uses declarative authorization configured in web.xml. I use simple form-based authentication. While trying to deploy my application, I get the error:
    weblogic.management.DeploymentException: [HTTP:101168]The security-role-assignment references an invalid security-role: LTVORole.
    But I have defined the role LTVORole in WebLogic using the administrator console.
    Below are the details of what I have done:
    Web.xml:
    ========
    <?xml version='1.0' encoding='UTF-8'?>
    <j2ee:web-app xmlns:j2ee="http://java.sun.com/xml/ns/j2ee">
      <j2ee:welcome-file-list>
        <j2ee:welcome-file>login.jsp</j2ee:welcome-file>
        <j2ee:welcome-file>index.html</j2ee:welcome-file>
        <j2ee:welcome-file>index.htm</j2ee:welcome-file>
      </j2ee:welcome-file-list>
      <j2ee:login-config>
        <j2ee:auth-method>FORM</j2ee:auth-method>
        <j2ee:form-login-config>
          <j2ee:form-login-page>/login.jsp</j2ee:form-login-page>
          <j2ee:form-error-page>/error.jsp</j2ee:form-error-page>
        </j2ee:form-login-config>
      </j2ee:login-config>
      <security-constraint>
        <display-name>checkAccountConstraint</display-name>
        <web-resource-collection>
          <web-resource-name>checkAccountCollection</web-resource-name>
          <url-pattern>test.jsp</url-pattern>
          <http-method>GET</http-method>
          <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
          <role-name>LTVORole</role-name>
        </auth-constraint>
      </security-constraint>
    </j2ee:web-app>
    Weblogic.xml
    ===========
    <?xml version="1.0" encoding="UTF-8"?>
    <ns:weblogic-web-app xmlns:ns="http://www.bea.com/ns/weblogic/90">
      <security-role-assignment>
        <role-name>LTVORole</role-name>
        <externally-defined/>
      </security-role-assignment>
    </ns:weblogic-web-app>
    I have created the role in WebLogic in the menu
    security realms > myrealm > roles and policies > Global Roles > roles > LTVORole
    Is it the right way to define a role?
    Please help me find where I am going wrong.
    Thanking you all in advance,
    Gireesh
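
The thread leaves the question unanswered, so the following is an added example, not a reply from the thread and not WebLogic's own validation code. It assumes the cause of HTTP:101168 is the one the message names: weblogic.xml assigns the global role to a security-role that web.xml never declares with a <security-role> element, and in the posted web.xml the whole <security-constraint> block is unprefixed while the rest of the descriptor lives in the J2EE namespace, so a namespace-aware parser sees it as a foreign element. The Java SE (17 or later) program below parses a web.xml/weblogic.xml pair namespace-aware, reports every role referenced from <auth-constraint> or <security-role-assignment> that no <security-role> declares, and reports security elements outside the J2EE namespace. The descriptors are embedded as constructed strings: a trimmed copy of the posted pair, and a corrected pair that prefixes the constraint and adds <j2ee:security-role>. The constructed copies also use /test.jsp: a bare test.jsp is an exact-match pattern under the Servlet spec, and no request path (they start with /) ever equals it, so that constraint would protect nothing even once it parses. The class name RoleDeclCheck is hypothetical.

```java
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

// Added example, not from the thread: a pre-deployment consistency check for the
// role declarations in web.xml and weblogic.xml, parsed namespace-aware like a container does.
public class RoleDeclCheck {
    static final String J2EE_NS = "http://java.sun.com/xml/ns/j2ee";

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Descriptors may come out of an untrusted archive: no DTDs, no external entities.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    /** Text of every role-name under an element with local name `parent`, in any namespace. */
    static Set<String> roleNames(Document d, String parent) {
        Set<String> out = new TreeSet<>();
        NodeList parents = d.getElementsByTagNameNS("*", parent);
        for (int i = 0; i < parents.getLength(); i++) {
            NodeList names = ((Element) parents.item(i)).getElementsByTagNameNS("*", "role-name");
            for (int j = 0; j < names.getLength(); j++) out.add(names.item(j).getTextContent().trim());
        }
        return out;
    }

    /** Returns the problems found; an empty list means the two descriptors agree. */
    static List<String> check(String webXml, String weblogicXml) throws Exception {
        Document web = parse(webXml);
        Document wl = parse(weblogicXml);
        List<String> problems = new ArrayList<>();
        // 1. Security elements outside the J2EE namespace are not the elements the container looks for.
        for (String local : List.of("security-constraint", "security-role", "login-config")) {
            NodeList es = web.getElementsByTagNameNS("*", local);
            for (int i = 0; i < es.getLength(); i++) {
                String ns = es.item(i).getNamespaceURI();
                if (!J2EE_NS.equals(ns)) problems.add("<" + local + "> is in namespace " + ns + ", not " + J2EE_NS);
            }
        }
        // 2. Every role referenced by a constraint or a WebLogic role assignment must be declared.
        Set<String> declared = roleNames(web, "security-role");
        Set<String> referenced = new TreeSet<>(roleNames(web, "auth-constraint"));
        referenced.addAll(roleNames(wl, "security-role-assignment"));
        for (String r : referenced) {
            if (!declared.contains(r)) problems.add("role '" + r + "' is referenced but never declared in <security-role>");
        }
        return problems;
    }

    // Constructed descriptors: the shape posted above (welcome-file list dropped) and a corrected version.
    static final String WEB_AS_POSTED = """
        <j2ee:web-app xmlns:j2ee="http://java.sun.com/xml/ns/j2ee">
          <j2ee:login-config><j2ee:auth-method>FORM</j2ee:auth-method></j2ee:login-config>
          <security-constraint>
            <web-resource-collection>
              <web-resource-name>checkAccountCollection</web-resource-name>
              <url-pattern>/test.jsp</url-pattern>
            </web-resource-collection>
            <auth-constraint><role-name>LTVORole</role-name></auth-constraint>
          </security-constraint>
        </j2ee:web-app>""";
    static final String WEB_FIXED = """
        <j2ee:web-app xmlns:j2ee="http://java.sun.com/xml/ns/j2ee">
          <j2ee:login-config><j2ee:auth-method>FORM</j2ee:auth-method></j2ee:login-config>
          <j2ee:security-constraint>
            <j2ee:web-resource-collection>
              <j2ee:web-resource-name>checkAccountCollection</j2ee:web-resource-name>
              <j2ee:url-pattern>/test.jsp</j2ee:url-pattern>
            </j2ee:web-resource-collection>
            <j2ee:auth-constraint><j2ee:role-name>LTVORole</j2ee:role-name></j2ee:auth-constraint>
          </j2ee:security-constraint>
          <j2ee:security-role><j2ee:role-name>LTVORole</j2ee:role-name></j2ee:security-role>
        </j2ee:web-app>""";
    static final String WEBLOGIC = """
        <ns:weblogic-web-app xmlns:ns="http://www.bea.com/ns/weblogic/90">
          <ns:security-role-assignment>
            <ns:role-name>LTVORole</ns:role-name>
            <ns:externally-defined/>
          </ns:security-role-assignment>
        </ns:weblogic-web-app>""";

    public static void main(String[] args) throws Exception {
        System.out.println("as posted: " + check(WEB_AS_POSTED, WEBLOGIC));
        System.out.println("corrected: " + check(WEB_FIXED, WEBLOGIC));
    }
}
```

The <externally-defined/> element in weblogic.xml is the right way to bind a web.xml role to a global role created in the console, but it still needs a <security-role> of the same name in web.xml to bind to; the check above fails the posted pair on exactly that, plus the namespace mismatch, and passes the corrected pair.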

  • Secure store lib dir does not exist - unable to open config tool

    Hi, we are using NW 7.0 with Windows 2005 (AS Java).
    When I click on configtool in the central instance, it says:
    Error occurred while working with configuration (scanning)
    Msg: Error occurred: secure store lib dir does not exist:
    server\sapmnt\SID\SYS\global\security\lib\tools
    Please suggest.
    Thanks
    KK

    Hi,
    Was the config tool working earlier?
    Please check if the directories sapmnt & saploc exist and you are able to access them. Check the permissions on them.
    Maybe your Windows server got patched and some security policy got changed. Worth revisiting and checking.
    Another thing you can try is to take a backup of the bootstrap.properties file and modify the location of the library from
    server\sapmnt\J2EE\sys\global\security\lib\tools to \usr\sap\J2EE\sys\global\security\lib in the bootstrap file.
    Regards,
    Ashutosh
