JAAS and GSS-API Tutorial Question

I am running the JAAS and GSS-API tutorial from http://java.sun.com/j2se/1.4.1/docs/guide/security/jgss/tutorials/BasicClientServer.html. I am running in a Windows 2000 Active Directory environment. It appears to be running correctly, but I have a question. Every time it is run, it asks for the User ID (it supplies a default of my current login name) and then a password. The server also asks for the same information. I am running the client and server on the same machine, so the user ID and password entered for both are identical.
I was under the impression, however, that either GSS-API or JAAS using Kerberos would be able to obtain credentials without asking for the user ID and password, because I am already logged on. Is there something I need to change in the example to do this? Am I missing something else?
Thank you.
Craig

Please do not reply to this posting. If you have suggestions or questions, please use http://forum.java.sun.com/thread.jsp?forum=60&thread=383862&tstart=0&trange=30 on this same topic.

Similar Messages

  • How to use Kerberos & GSS-API to authenticate in Windows OS

    Hi,
    I need to use Kerberos and GSS-API authentication for user login in my JSP/Java application against Active Directory in Windows 2003 Server.
    I have gone through one thread which is quite similar to my need, but it's used for a Linux host, which you can see below.
    http://forum.java.sun.com/thread.jspa?threadID=579829&tstart=300
    Can anyone guide me on how to authenticate a user using Kerberos against Active Directory in a Windows environment?
    Thanking you in Advance.
    Satyam AMIN

    You can use Java GSS/Kerberos for authentication using any KDC (Solaris/Linux/Windows) provided you have set up the configuration.
    Here are the Java GSS tutorials to get started:
    http://java.sun.com/j2se/1.5.0/docs/guide/security/jgss/tutorials/index.html
    Seema

  • JAAS and Active Directory Problem

    I am attempting to use the JAAS Tutorial code to authenticate against a Windows 2000 domain controller. The code as is works against a domain controller that I set up, but when I attempt to authenticate against a client's domain, I receive an exception:
    Authentication failed:
    Pre-authentication information was invalid (24)
    javax.security.auth.login.LoginException: Pre-authentication information was invalid (24)
    The troubleshooting documentation indicates that this could mean 3 things:
    1. the password is incorrect - since I am logging in with my account, I am certain the password is correct.
    2. you are using the keytab to obtain the key and the key may have changed since obtaining the keytab - I am not using the useKeyTab option in my configuration of the Krb5LoginModule and the option defaults to false.
    3. clock skew. I am sure that there is no time difference between my computer and the server.
    That said, does anyone know of any other reason that authentication will fail?

    I am using....
    AppConfigurationEntry entry = new AppConfigurationEntry(
    "com.sun.security.auth.module.Krb5LoginModule",
    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
    options);
    and I get the same thing. Running Win2K Pro. Trying to use GSS-API to do Kerberos authentication.
    Jay

  • Change password in Active Directory using the JNDI GSS-API/Kerberos

    Hi
    I am trying to use the JNDI GSS-API to change a user password.
    When I actually try to change the password using ctx.modifyAttributes(userName, mods), I get the exception:
    09:39:38,163 ERROR [STDERR] javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 0000001F: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0 ]; remaining name 'CN=USER,OU=Usuarios,DC=testead,DC=br'
    Here's my java code:
    public class ChangePasswordLDAPCommand implements Command {
        static Logger logger = Logger.getLogger(ChangePasswordLDAPCommand.class.getName());

        @SuppressWarnings("unchecked")
        public boolean execute(org.apache.commons.chain.Context context) throws ApplicationException {
            logger.info("Início - execute");
            try {
                CoreConfig config = CoreConfig.getInstance();
                String userName = config.getProperty(CoreConfig.PARAM_CONFIG_LDAP_ADMIN_NAME);
                char[] password = config.getProperty(CoreConfig.PARAM_CONFIG_LDAP_ADMIN_PASSWORD).toCharArray();
                Subject subject = new Subject();
                Krb5LoginModule krb5LoginModule = new Krb5LoginModule();
                Map<String, String> map = new HashMap<String, String>();
                Map<String, String> shared = new HashMap<String, String>();
                map.put("com.sun.security.auth.module.Krb5LoginModule","required");
                map.put("client","true");
                map.put("useTicketCache","true");
                map.put("doNotPrompt","true");
                map.put("useKeyTab","true");
                map.put("useFirstPass","true");
                map.put("refreshKrb5Config","true");
                logger.info(">>>>> map.toString(): "+map.toString());
                shared.put("javax.security.auth.login.name", config.getProperty(CoreConfig.PARAM_CONFIG_LDAP_ADMIN_NAME));
                shared.put("javax.security.auth.login.password", config.getProperty(CoreConfig.PARAM_CONFIG_LDAP_ADMIN_PASSWORD));
                shared.put("javax.net.debug","SSL,handshake,trustmanager");
                shared.put("sun.security.krb5.debug","true");
                shared.put("com.sun.jndi.ldap.connect.pool.timeout","30000");
                logger.info(">>>>> shared.toString(): "+shared.toString());
                krb5LoginModule.initialize(subject, new UserNamePasswordCallbackHandler(userName,password),shared,map);
                krb5LoginModule.login();
                if(krb5LoginModule.commit()){
                    // Retrieve the user to be changed
                    UsuarioTOLDAP usuarioTO = (UsuarioTOLDAP) context.get(CoreConfig.USUARIO_TO_LDAP);
                    logger.info(">>>>>>>>>>>>>>>>>>>>>> subject.toString(): "+subject.toString());
                    Subject.doAsPrivileged(subject, new JndiAction(usuarioTO), null);
                }
            } catch (LoginException e) {
                e.printStackTrace();
            } catch (PrivilegedActionException e) {
                e.printStackTrace();
            }
            logger.info("Fim - execute");
            return Command.CONTINUE_PROCESSING;
        }
    }

    @SuppressWarnings("unchecked")
    public class JndiAction implements java.security.PrivilegedExceptionAction{
        private static Logger logger = Logger.getLogger(JndiAction.class.getName());
        private UsuarioTOLDAP usuarioTOLDAP = null;

        public JndiAction(UsuarioTOLDAP usuarioTO) {
            this.usuarioTOLDAP = usuarioTO;
        }

        public Object run() {
            performJndiOperation(usuarioTOLDAP);
            return null;
        }

        @SuppressWarnings("unchecked")
        private static void performJndiOperation(UsuarioTOLDAP usuarioTOLDAP){
            logger.info(">>>>> entrei na JndiOperation");
            try {
                CoreConfig config = CoreConfig.getInstance();
                String distinguishedName = "";
                String keystore = "C:/Documents and Settings/user/.keystore";
                System.setProperty(CoreConfig.JAVAX_NET_SSL_TRUSTSTORE,keystore);
                System.setProperty("com.sun.jndi.ldap.connect.pool.timeout","30000");
                System.setProperty("javax.net.debug","all");
                System.setProperty("sun.security.krb5.debug","true");
                Hashtable env = new Hashtable();
                env.put(Context.INITIAL_CONTEXT_FACTORY, CoreConfig.INITIAL_CONTEXT_FACTORY);
                env.put(Context.PROVIDER_URL, config.getProperty(CoreConfig.PARAM_CONFIG_LDAP_URL));
                env.put(Context.SECURITY_AUTHENTICATION, CoreConfig.SECURITY_PROTOCOL_GSSAPI);
                env.put(Context.SECURITY_PRINCIPAL, config.getProperty(CoreConfig.PARAM_CONFIG_LDAP_ADMIN_NAME));
                env.put(Context.SECURITY_CREDENTIALS, config.getProperty(CoreConfig.PARAM_CONFIG_LDAP_ADMIN_PASSWORD));
                env.put(CoreConfig.JAVAX_NET_SSL_TRUSTSTORE,keystore);
                env.put("javax.security.sasl.qop","auth-int");
                env.put("javax.security.sasl.strength","high");
                env.put("javax.security.sasl.server.authentication","true");
                String userName = "CN=USER,"+config.getProperty(CoreConfig.PARAM_CONFIG_LDAP_BASE_DN);
                // Create the initial LDAP access context
                //DirContext ctx = new InitialDirContext(env);
                // Create the initial directory context
                LdapContext ctx = new InitialLdapContext(env,null);
                // Setting the password is an LDAP modify operation
                ModificationItem[] mods = new ModificationItem[1];
                // Replace the "unicodePwd" attribute with a new value
                // Password must be both Unicode and a quoted string
                String newQuotedPassword = "\"" + usuarioTOLDAP.getNovaSenha() + "\"";
                byte[] newUnicodePassword = newQuotedPassword.getBytes("UTF-16LE");
                mods[0] = new ModificationItem(DirContext.REPLACE_ATTRIBUTE, new BasicAttribute("unicodePwd", newUnicodePassword));
                // Perform the update
                ctx.modifyAttributes(userName, mods);
                ctx.close();
            } catch (NamingException e1) {
                e1.printStackTrace();
            } catch (UnsupportedEncodingException e) {
                e.printStackTrace();
            } catch (IOException e) {
                // TODO Auto-generated catch block
                e.printStackTrace();
            }
        }
    }
    Edited by: c0m4nch3 on Jan 21, 2010 12:13 PM

    Refer to my response for a similar question in http://forums.sun.com/thread.jspa?threadID=5416736
    Also the following may be related: http://forums.sun.com/thread.jspa?threadID=5196192
    Good luck.

  • Changing user password in Active Directory using the JNDI GSS-API/Kerberos5

    Hello,
    I am trying to use the JNDI GSS-API to change a user password on an Active Directory Server 2003. I have seen a variation of this using SSL on the thread http://forums.sun.com/thread.jspa?threadID=592611&start=0&tstart=0
    but I can't seem to make this work using the GSS-API. I can successfully create a javax.security.auth.login.LoginContext.LoginContext and then call the login method on it to log in as a user. I then call the javax.security.auth.Subject.doAs() method which calls the run method in a class extending the javax.security.PrivilegedActionClass. But when I actually try to change the password using InitialDirContext.modifyAttributes(), I get the exception:
    javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 00002077: SvcErr: DSID-03190DC9, problem 5003 (WILL_NOT_PERFORM), data 0
    If anyone can help me figure out why it doesn't work, that would be great!
    P.S: I know the error seems to suggest that there might be some active directory setting that is preventing this from working, but I've checked all relevant settings on the Windows 2003 server Active Directory that I can think of: In the User properties->Account->Account options, I've made sure the user can change password. Also, in the Group Policy->Computer Configuration->Windows Settings->Security Settings->Account Policies->Password Policy, Maximum password age is zero and so is minimum password age.
    Here's my java code:
    import javax.naming.*;
    import javax.security.auth.*;
    import javax.security.auth.login.*;
    import java.security.PrivilegedAction;
    import java.io.UnsupportedEncodingException;

    public void changeSecret(String uid, String oldPassword, String newPassword)
            throws NamingException, ACException {
        // Declared outside the try block so that logout() below can reach it
        LoginContext lc = null;
        try {
            K5CallbackHandler cb = new K5CallbackHandler(uid, oldPassword);
            lc = new LoginContext("marker", cb);
            lc.login();
            Subject.doAs(lc.getSubject(), new ChangePasswordAction(rz.getName(), oldPassword, newPassword));
        } catch (LoginException e) {
            // handler body not shown in the post
        }
        try {
            if (lc != null) {
                lc.logout();
            }
        } catch (LoginException e) {
            // handler body not shown in the post
        }
    }

    ChangePasswordAction.java is:

    import java.security.PrivilegedAction;
    import java.util.Hashtable;
    import javax.naming.*;
    import javax.naming.directory.*;
    import java.io.UnsupportedEncodingException;

    class ChangePasswordAction implements PrivilegedAction {
        private String uid;
        private String quotedOldPassword;
        private String quotedNewPassword;

        public ChangePasswordAction(String uid, String oldPassword, String newPassword) {
            this.uid = uid;
            quotedOldPassword = "\"" + oldPassword + "\"";
            quotedNewPassword = "\"" + newPassword + "\"";
        }

        public Object run() {
            Hashtable env = new Hashtable(11);
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, "ldap://ad2k3:389");
            env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
            try {
                DirContext ctx = new InitialDirContext(env);
                ModificationItem[] mods = new ModificationItem[2];
                byte[] oldPasswordUnicode = quotedOldPassword.getBytes("UTF-16LE");
                byte[] newPasswordUnicode = quotedNewPassword.getBytes("UTF-16LE");
                mods[0] = new ModificationItem(DirContext.REMOVE_ATTRIBUTE, new BasicAttribute("unicodePwd", oldPasswordUnicode));
                mods[1] = new ModificationItem(DirContext.ADD_ATTRIBUTE, new BasicAttribute("unicodePwd", newPasswordUnicode));
                ctx.modifyAttributes(uid, mods);
                ctx.close();
            } catch (NamingException e) {
                // handler body not shown in the post
            } catch (UnsupportedEncodingException e) {
                // handler body not shown in the post
            }
            return null;
        }
    }

    K5CallbackHandler is:

    import javax.security.auth.callback.*;

    final class K5CallbackHandler
    implements CallbackHandler {
        private final String name;
        private final char[] passwd;

        public K5CallbackHandler(String nm, String pw) {
            name = nm;
            if(pw == null) {
                passwd = new char[0];
            }
            else {
                passwd = pw.toCharArray();
            }
        }

        public void handle(Callback[] callbacks)
        throws java.io.IOException, UnsupportedCallbackException {
            for(int i = 0; i < callbacks.length; i++) {
                if(callbacks[i] instanceof NameCallback) {
                    NameCallback cb = (NameCallback) callbacks[i];
                    cb.setName(name);
                }
                else {
                    if(callbacks[i] instanceof PasswordCallback) {
                        PasswordCallback cb = (PasswordCallback) callbacks[i];
                        cb.setPassword(passwd);
                    }
                    else {
                        throw new UnsupportedCallbackException(callbacks[i]);
                    }
                }
            }
        }
    }

    The relevant entry in the JAAS.conf file that is referred to as "marker" in the LoginContext constructor is:

    marker {
        com.sun.security.auth.module.Krb5LoginModule required client=TRUE;
    };

    This is one of the two Active Directory operations I have never solved using Java/JNDI. (FYI the other one is Cross Domain Move).
    My gut feel is that the underlying problem (which happens to be common to both Change Password & X-Domain Move) is that Java/JNDI/GSSAPI does not negotiate a sufficiently strong key length that allows Active Directory to change passwords or perform cross domain moves when using Kerberos & GSSAPI.
    Active Directory requires at a minimum, 128 bit key lengths for these security related operations.
    In more recent Kerberos suites and Java versions, support for RC4-HMAC & AES has been introduced, so it may be possible that you can negotiate a suitably strong key length.
    Make sure that your Kerberos configuration is using either RC4-HMAC or AES and that Java is requesting a strong level of protection. (You can do this by adding

    //Specify the quality of protection
    //Eg. auth-conf; confidentiality, auth-int; integrity
    //confidentiality is required to set a password
    env.put("javax.security.sasl.qop","auth-conf");
    //require high strength 128 bit crypto
    env.put("javax.security.sasl.strength","high");

    in your ChangePasswordAction class.)
    You may also want to enable SASL logging in your app to see what exactly is going on and you may also want to check on the Java Security forum how to configure/enforce/check that RC4-HMAC or AES is used as the Kerberos cipher suite and that a strong key length is being used.
    Good luck.
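
The two SASL settings from the reply above, together with the quoted UTF-16LE `unicodePwd` encoding both posters use, gathered in one place. This is an added example, not code from the thread: the class name, method names, host name, DN-free layout and passwords are constructed, and it only builds the request objects without contacting a directory.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.ModificationItem;

/** Added illustration; the class and method names are hypothetical. */
public final class AdPasswordRequest {

    /** JNDI environment for a GSSAPI bind that accepts only an encrypted SASL layer. */
    static Hashtable<String, Object> gssapiEnv(String ldapUrl) {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
        // Listing only auth-conf means the bind fails instead of silently
        // falling back to auth-int or auth when encryption is not negotiated.
        env.put("javax.security.sasl.qop", "auth-conf");
        env.put("javax.security.sasl.strength", "high");
        // Also require the server to authenticate itself to the client.
        env.put("javax.security.sasl.server.authentication", "true");
        return env;
    }

    /** Refuse to prepare a password write for a connection that is not encrypted. */
    static void requireConfidential(Hashtable<String, Object> env) {
        String url = String.valueOf(env.get(Context.PROVIDER_URL));
        boolean tls = url.startsWith("ldaps://");
        boolean saslConf = "GSSAPI".equals(env.get(Context.SECURITY_AUTHENTICATION))
                && "auth-conf".equals(env.get("javax.security.sasl.qop"));
        if (!tls && !saslConf) {
            throw new IllegalStateException("unicodePwd needs ldaps:// or SASL qop=auth-conf");
        }
    }

    /** unicodePwd value: the password in double quotes, encoded as UTF-16LE. */
    static byte[] encodeUnicodePwd(char[] password) {
        CharBuffer quoted = CharBuffer.allocate(password.length + 2);
        quoted.put('"').put(password).put('"');
        quoted.flip();
        ByteBuffer encoded = StandardCharsets.UTF_16LE.encode(quoted);
        byte[] out = new byte[encoded.remaining()];
        encoded.get(out);
        return out;
    }

    /** Single REPLACE, the form in the first post (an administrator sets the password). */
    static ModificationItem[] resetRequest(char[] newPassword) {
        return new ModificationItem[] {
            new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
                    new BasicAttribute("unicodePwd", encodeUnicodePwd(newPassword)))
        };
    }

    /** REMOVE old + ADD new, the form in the second post (a user changes their own password). */
    static ModificationItem[] changeRequest(char[] oldPassword, char[] newPassword) {
        return new ModificationItem[] {
            new ModificationItem(DirContext.REMOVE_ATTRIBUTE,
                    new BasicAttribute("unicodePwd", encodeUnicodePwd(oldPassword))),
            new ModificationItem(DirContext.ADD_ATTRIBUTE,
                    new BasicAttribute("unicodePwd", encodeUnicodePwd(newPassword)))
        };
    }

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) {
            sb.append(String.format("%02x ", b));
        }
        return sb.toString().trim();
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from the thread.
        char[] oldPw = "Old-Pw1".toCharArray();
        char[] newPw = "New-Pw2".toCharArray();
        Hashtable<String, Object> env = gssapiEnv("ldap://ad.example.test:389");

        requireConfidential(env);   // passes: GSSAPI with qop=auth-conf
        ModificationItem[] change = changeRequest(oldPw, newPw);
        ModificationItem[] reset = resetRequest(newPw);

        System.out.println("qop requested : " + env.get("javax.security.sasl.qop"));
        System.out.println("change ops    : " + change.length + ", reset ops: " + reset.length);
        System.out.println("encoded value : " + hex(encodeUnicodePwd(newPw)));

        // Clear the plaintext copies once the request objects are built.
        Arrays.fill(oldPw, '\0');
        Arrays.fill(newPw, '\0');
    }
}
```

The arrays returned by `changeRequest` or `resetRequest` are what would be passed to `modifyAttributes` inside the `Subject.doAs` action, on a context created from `gssapiEnv`.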

  • What's differences between jaas and jacc?

    lately i saw a new java security released on http://java.sun.com/j2ee/javaacc/; it seems similar to JAAS (http://java.sun.com/products/jaas/); though, reportedly, jacc is concerned in more detail with authorization, however, there's an authorization api been included as i know. is there anyone able to tell me what the differences between jaas and jacc are? or where there's a resource or article explaining this issue in detail?
    i appreciate any suggestions.
    thank you very much,

    From what I saw, the JACC specifically deals with what is currently called Container Managed Security. JAAS is something that would be used on top of JACC.
    See also:
    http://java.sun.com/j2ee/1.4/docs/tutorial/doc/Security11.html
    JACC contracts provide the following benefits:
    - JACC moves security administration and decision-making responsibility from the container to the security providers.
    - JACC enables the use of a common policy across different security systems.
    - J2EE system integrators can integrate containers with existing authorization policy infrastructure
    re Jaap

  • GSS API library required to set up a Secure Network Connection (SNC)

    We are working in a project to connect Microsoft ILM to SAP CUA. The goal is to manage Identities in
    SAP CUA by Microsoft ILM.
    The requirement is to make use of an encrypted network connection between the two systems.
    Due to our investigation it looks like that we need to use a SNC (Secure Network Connection).
    To set up a SNC we need a third party GSS API library. Before we can order this GSS API library we need to
    test this in a test environment.
    Our question is whether there is a possibility that we can use a trial version of a GSS API library, to set up a test environment?
    Is there another way to setup a SNC in a test environment?
    We are looking for a GSS API Library?
    If you need more information please contact me.

    Hi AndrZegers ,
    This is Supply Network collaboration (SNC) forum and your query looks like more of security.
    You can post your query in security forum.
    Security
    Regards,
    Nikhil

  • GSS API failing with java 1.6 but working with java 1.5 in jboss 3.2.6

    18:05:08,210 INFO [STDOUT] GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
    18:05:08,210 INFO [STDOUT]      at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:87)
    18:05:08,210 INFO [STDOUT]      at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:111)
    18:05:08,213 INFO [STDOUT]      at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:178)
    18:05:08,214 INFO [STDOUT]      at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:384)
    18:05:08,214 INFO [STDOUT]      at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:42)
    18:05:08,214 INFO [STDOUT]      at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:139)
    18:05:08,214 INFO [STDOUT]      at com.apple.ist.ds.server.impl.snkp.SSOTokenVerifier.credentialForService(SSOTokenVerifier.java:324)
    18:05:08,214 INFO [STDOUT]      at com.apple.ist.ds.server.impl.snkp.SSOTokenVerifier.initialize(SSOTokenVerifier.java:97)
    18:05:08,214 INFO [STDOUT]      at com.apple.ist.saci.iphonevpn.servlet.SACIIPhoneStartUpServlet.init(SACIIPhoneStartUpServlet.java:26)
    18:05:08,214 INFO [STDOUT]      at javax.servlet.GenericServlet.init(GenericServlet.java:256)
    18:05:08,214 INFO [STDOUT]      at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1029)
    18:05:08,214 INFO [STDOUT]      at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:862)
    18:05:08,214 INFO [STDOUT]      at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4013)
    18:05:08,214 INFO [STDOUT]      at org.apache.catalina.core.StandardContext.start(StandardContext.java:4357)
    18:05:08,214 INFO [STDOUT]      at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:823)
    18:05:08,214 INFO [STDOUT]      at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:807)
    18:05:08,214 INFO [STDOUT]      at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:595)
    18:05:08,214 INFO [STDOUT]      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    18:05:08,214 INFO [STDOUT]      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    18:05:08,214 INFO [STDOUT]      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    18:05:08,215 INFO [STDOUT]      at java.lang.reflect.Method.invoke(Method.java:597)
    18:05:08,215 INFO [STDOUT]      at org.apache.commons.modeler.BaseModelMBean.invoke(BaseModelMBean.java:503)
    18:05:08,215 INFO [STDOUT]      at org.jboss.mx.server.RawDynamicInvoker.invoke(RawDynamicInvoker.java:149)
    18:05:08,215 INFO [STDOUT]      at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:473)
    18:05:08,215 INFO [STDOUT]      at org.apache.catalina.core.StandardContext.init(StandardContext.java:5441)
    18:05:08,215 INFO [STDOUT]      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    18:05:08,215 INFO [STDOUT]      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    18:05:08,215 INFO [STDOUT]      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    18:05:08,215 INFO [STDOUT]      at java.lang.reflect.Method.invoke(Method.java:597)
    18:05:08,215 INFO [STDOUT]      at org.apache.commons.modeler.BaseModelMBean.invoke(BaseModelMBean.java:503)
    18:05:08,215 INFO [STDOUT]      at org.jboss.mx.server.RawDynamicInvoker.invoke(RawDynamicInvoker.java:149)
    18:05:08,215 INFO [STDOUT]      at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:473)
    18:05:08,215 INFO [STDOUT]      at org.jboss.web.tomcat.tc5.TomcatDeployer.performDeployInternal(TomcatDeployer.java:316)
    18:05:08,215 INFO [STDOUT]      at org.jboss.web.tomcat.tc5.TomcatDeployer.performDeploy(TomcatDeployer.java:76)
    18:05:08,215 INFO [STDOUT]      at org.jboss.web.AbstractWebDeployer.start(AbstractWebDeployer.java:320)
    18:05:08,215 INFO [STDOUT]      at org.jboss.web.WebModule.startModule(WebModule.java:62)
    18:05:08,215 INFO [STDOUT]      at org.jboss.web.WebModule.startService(WebModule.java:40)
    18:05:08,215 INFO [STDOUT]      at org.jboss.system.ServiceMBeanSupport.jbossInternalStart(ServiceMBeanSupport.java:271)
    18:05:08,215 INFO [STDOUT]      at org.jboss.system.ServiceMBeanSupport.jbossInternalLifecycle(ServiceMBeanSupport.java:221)
    18:05:08,215 INFO [STDOUT]      at sun.reflect.GeneratedMethodAccessor2.invoke(Unknown Source)
    18:05:08,215 INFO [STDOUT]      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    18:05:08,215 INFO [STDOUT]      at java.lang.reflect.Method.invoke(Method.java:597)
    18:05:08,216 INFO [STDOUT]      at org.jboss.mx.server.ReflectedDispatcher.dispatch(ReflectedDispatcher.java:60)
    18:05:08,216 INFO [STDOUT]      at org.jboss.mx.server.Invocation.dispatch(Invocation.java:62)
    18:05:08,216 INFO [STDOUT]      at org.jboss.mx.server.Invocation.dispatch(Invocation.java:54)
    18:05:08,216 INFO [STDOUT]      at org.jboss.mx.server.Invocation.invoke(Invocation.java:82)
    18:05:08,216 INFO [STDOUT]      at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:197)
    18:05:08,216 INFO [STDOUT]      at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:473)
    18:05:08,216 INFO [STDOUT]      at org.jboss.system.ServiceController$ServiceProxy.invoke(ServiceController.java:884)
    18:05:08,216 INFO [STDOUT]      at $Proxy20.start(Unknown Source)
    18:05:08,221 INFO [STDOUT] Caused by: javax.security.auth.login.LoginException: java.lang.NullPointerException
         at com.sun.security.auth.callback.TextCallbackHandler.handle(TextCallbackHandler.java:102)
         at org.jboss.security.auth.spi.UsernamePasswordLoginModule.getUsernameAndPassword(UsernamePasswordLoginModule.java:216)
         at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:131)
         at org.jboss.security.auth.spi.UsersRolesLoginModule.login(UsersRolesLoginModule.java:124)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:597)
         at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
         at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
         at javax.security.auth.login.LoginContext$5.run(LoginContext.java:706)
         at java.security.AccessController.doPrivileged(Native Method)
         at javax.security.auth.login.LoginContext.invokeCreatorPriv(LoginContext.java:703)
         at javax.security.auth.login.LoginContext.login(LoginContext.java:575)
         at sun.security.jgss.GSSUtil.login(GSSUtil.java:246)

    18:05:08,221 INFO [STDOUT] Caused by: javax.security.auth.login.LoginException: java.lang.NullPointerException
    at com.sun.security.auth.callback.TextCallbackHandler.handle(TextCallbackHandler.java:102)

    It seems you are providing the username using a TextCallbackHandler (which is the default for GSS-API). This is OK if you are writing a console program and the user can input the name in a command line prompt. If you are writing a server side program, there is no console, so you need to write your own CallbackHandler to provide the username.

  • BPM 11g: JAVA API and Webservice API

    Who knows BPM 11g: JAVA API and Webservice API?
    Customer wants to call BPM 11g between heterogeneous systems, such as the .NET framework. One way is to use the web service API, I think, but where can I find it? Thank you.

    When you create a BPM application in 11g, you're actually creating a SOA composite application with a BPMN component in the composite. From within the BPMN editor, you can specify the interface (parameters) of each start node in the process. If you select a start node, look at the implementation tab, you'll see a properties group that lets you define the interface one property at a time, or by selecting an interface from the catalog.
    By defining these properties you're also defining the shape of the Web Service interface that will automatically be created in the composite. If you switch to the composite view, you'll see your BPMN process with a wire to it from a Web Service that's generated from the interface defined in the BPMN editor. The naming convention is the BPMN process name with ".service" appended. When you deploy the BPMN process, the web service will also be deployed, since it's also part of the composite. From Enterprise Manager (EM) you can test the service and get the WSDL, which could be used by other applications (e.g. .NET) to start and interact with a process instance.
    This is one of the advantages of the 11g architecture. The composite exposes services to consumers/clients. The implementation could have been BPEL, BPMN, a Mediator, Java/EJBs, or any combination working together. To the consumer, it's just a web service.
    In case your next question was about security ... you won't see properties about security in the BPMN editor. You use Web Service Manager to apply security or other constraints to the web service endpoint.

  • ERROR in JDBC API TUTORIAL using finally

    According to the jdbc api tutorial and reference, the way to close a pooled connection is to use a try/catch/finally block as follows:
    Connection con = null;
    try {
        con = ds.getConnection("login", "password");
        // ... code to use the connection
    } catch (SQLException sqle) {
    } finally {
        // close() itself can throw SQLException, which is not caught here
        if (con != null) con.close();
    }
    HOWEVER it seems that you cannot call close() on con because it can throw an SQLException which is not caught. The compiler issues the following error:
    "unreported exception java.sql.SQLException; must be caught or declared to be thrown con.close();"
    Does anyone know how to remedy this?

    try/catch the con.close, and you can also do it by declaring the method with
    "throws SQLException"

  • JAAS and j_security_check

    Hi there,
    I'm using Weblogic 6.1 and working on the security aspect of a project.
    What I want to do is to set up the app so that a user logs in and gets authenticated
    using JAAS. I also want to secure the app so that all requests for urls must
    be authenticated first i.e. They go through the login page first.
    The easiest way I can see to do this is to use FORM based authentication using
    j_security_check.
    Is there a way then to set whatever j_security_check in the session, within the
    JAAS part of the code? Rather than authenticating with JAAS and then sending
    username and password to j_security_check.
    Does anyone know what to set? I looked at previous messages but they seem to
    deal with earlier versions and these do not work with 6.1
    Any help would be appreciated,
    Thanks,
    Ian

    Frank, thanks for comments.
    Yes, user info is in the same database so I can get it from there, but I would like to call this DB function once after successful authentication. In addition we have a kind of 2 level passwords in place, one application password and one internal db password for the user to access database resources.
    The user does not know his/her db password, we just have an api to get the db password after authentication, and the existing application api (developed for a forms client originally) assumes the user accesses the db by his own connection, so in many api's the oracle function user is stored in some tables.
    So what I need is that after authentication of the user (with the application password) I can get the Oracle password and then make a new DB connection to all application api, I would just like to store the Oracle password (or new user db connection) somewhere so I don't need to fetch it every time I need to call the application API.
    ferdo

  • Authentication & Authorization with SSO, JAAS and Database Tables mix

    Hi,
    I'm looking for how to manage Authentication & Authorization in a J2EE ADF+Struts+JSP application.
    I'm interested in using SSO for authentication (I just did it programmatically & dynamically already), and now I would like to be able to define authorization using database tables with users, groups, profiles, individual permissions, ..., (maintained dynamically by the web application admin) through JAZN (JAAS or however it is called) but not statically defining roles, groups, users, ... in jazn xml files.
    I saw that there exists the possibility to create a custom DataSourceUserManager class to manage all this, and this gave me the idea that this could be possible to do (I was thinking of making a custom Authorization API over my application tables, without JAZN) but what is better than to use an extended and consolidated approach like JAZN.
    Could anybody tell me if my idea could be possible, and realizable, and maybe give me some orientation to build this approach.
    A lot of thanks in advance.
    And sorry, excuse my so bad english.
    See you.

    Marcel,
    Originally the idea was to create a post to only explain how to do authentication using a Servlet filter. However, I have recently added code to the JHeadstart runtime and generators to enable both JAAS and 'Custom' authentication AND authorization in generated applications. Therefore, this post will be made after we have released the next patch release, as it will depend on these code changes.
    We currently plan to have the patch release available sometime in the second half of May.
    Kind regards,
    Peter Ebell
    JHeadstart Team

  • JAAS and J2EE SDK -- please help!

    Hi,
    I'd like to know if it is possible to use customized LoginModule classes in the J2EE SDK reference impl. 1.3
    If so what I can't understand is the following:
    if I use the form-based auth. mechanism in my web app. how can I specify which login module to use? I mean I know JAAS needs an entry in a configuration file such as
    mylogin {
      MyLoginModule required debug=false;
    };
    but my question is in what file should I add it? clientlogin.config, login.config or serverlogin.config?
    And much more important question is: how can I then specify that I need to use the "mylogin" entry?
    I don't know how the JSecurityCheck servlet works, is there any document where I can find the source code of it?
    Please can anyone help me?
    Thanks in advance.

    I managed to get it working in Tomcat 4.0. If you create a config file with the details you've specified, called login.config, you then need to pass it as a parameter when you start your servlet engine,
    i.e. -Djava.security.auth.login.config=login.config
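For a plain Java SE program, the "mylogin" entry from the question is selected by name when the LoginContext is created. The sketch below is an added example, not code from either poster or from the J2EE SDK; the demo credentials, the temporary config file and the fixed callback handler are assumptions made so it runs on its own.

```java
import java.nio.file.*;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

// Added example: a minimal LoginModule plus the wiring that selects the "mylogin" entry.
public class MyLoginModule implements LoginModule {
    private CallbackHandler handler;
    private boolean debug;

    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> options) {
        handler = h;
        debug = "true".equalsIgnoreCase((String) options.get("debug")); // option from the config entry
    }

    public boolean login() throws LoginException {
        NameCallback name = new NameCallback("user: ");
        PasswordCallback pass = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { name, pass });
        } catch (Exception e) {
            throw new LoginException("callback failed: " + e);
        }
        char[] pw = pass.getPassword();
        // Constructed check for the demo only; a real module verifies against a user store.
        boolean ok = pw != null && "demo".equals(name.getName()) && "demo-pass".equals(new String(pw));
        pass.clearPassword();
        if (debug) System.err.println("MyLoginModule: login " + (ok ? "ok" : "failed"));
        if (!ok) throw new FailedLoginException("bad credentials");
        return true;
    }

    public boolean commit() { return true; }
    public boolean abort() { return true; }
    public boolean logout() { return true; }

    public static void main(String[] args) throws Exception {
        // Same entry as in the question, written to a temporary file (constructed path).
        Path cfg = Files.createTempFile("login", ".config");
        Files.write(cfg, "mylogin {\n  MyLoginModule required debug=false;\n};\n".getBytes());
        // Equivalent to starting the JVM with -Djava.security.auth.login.config=<file>
        System.setProperty("java.security.auth.login.config", cfg.toUri().toString());
        CallbackHandler fixed = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName("demo");
                if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword("demo-pass".toCharArray());
            }
        };
        LoginContext lc = new LoginContext("mylogin", fixed); // first argument names the config entry
        lc.login();
        System.out.println("authenticated via entry 'mylogin'");
    }
}
```

Inside a servlet container the LoginContext is created by the container's realm rather than by application code, so the entry name is set in the realm configuration instead.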

  • AS3 and FLEX API Posters

    Would anyone know where I can purchase the ActionScript 3 and
    FLEX API Posters that were handed out at the MAX 2006 Conference in
    Las Vegas? I've seen versions of it on the Internet, but I cannot
    print these versions out. Any information would be much
    appreciated.
    Thanks -

    Good question, I'd like to know this myself. 4.5 has a huge number of changes since 4.0.

  • Error: Unable to load the GSS-API Shared Library

    Hi all,
    I'm trying to install a working copy of SAP on a Debian Etch host. I've tried all versions available here: ftp://ftp.sap.com/pub/sapgui/java/  (710 r[2-6])  The jar installer completes successfully without error, but when I attempt to launch the application, I'm greeted with the same critical error each time. Here's my connection string:
    conn=/M/my-server-hostname/S/3610/G/PRD_GENERIC&sncon=true&sncqop=3
    Here's my (Sun) java version:
    java version "1.6.0_06"
    Java(TM) SE Runtime Environment (build 1.6.0_06-b02)
    Java HotSpot(TM) Server VM (build 10.0-b22, mixed mode)
    Here's the full error message:
    Error: Unable to load the GSS-API Shared Library
    named "sncgss.so"
    Fri Nov 21 16:07:25 2008
    Release 710
    Component SNC (Secure Network Communication), version 5
    rc = -1, module sncxxdl_mt.c, line 342
    Detail SncPDLInit
    System Call dlopen
    Is there a software dependency I might be missing? This is my first attempt at installing SAP on a Linux host, so there may be something else even more obvious that I'm not seeing...
    Thanks in advance for any help you can provide.
    -Eric

    Hi,
    one solution should be to set the env variable $SNC_LIB to your libsecude.so, e.g.
    $>setenv SNC_LIB /usr/sap/<sid>/SYS/exe/run/libsecude.so (or wherever the lib resides)
    and then restart guilogon.
    Also, as far as I know, SAPGUI has issues with Java 6, so I would rather go with Java 5 or 1.4.2.
    Oliver Stabel
