JAAS and LDAP
hi,
how can I check the password expiration time in the loginModule ???
I want to add this feature ..? can any one help???
solved..
Similar Messages
-
Authenticate using JAAS and LDAP
Hi,
I am trying to authenticate a user using JAAS against LDAP. I am able to hit LDAP, but failing when it comes to authentication.
Yes, I have made sure the user and password are right.
Here is my code and error message. Would really appreciate if someone can tell me what am I doing wrong here.
My 'jaas.config' file :
JNDILogin {
com.sun.security.auth.module.JndiLoginModule Required
debug=true
useFirstPass=false
strongDebug=true
tryFirstPass=true
storePass=true
user.provider.url="Ldap://xxx.xxx.xxx.xxx:389/CN=someSecurityService,OU=XX,OU=XXXXX,OU=XXXXXX,OU=XXXXX,OU=XXXXXX,DC=XXX,DC=XXXXX,DC=XXX"
group.provider.url="Ldap://xxx.xxx.xxx.xxx:389/CN=someSecurityService,OU=XX,OU=XXXXX,OU=XXXXXX,OU=XXXXX,OU=XXXXXX,DC=XXX,DC=XXXXX,DC=XXX";
My implementation class 'ClientSideSecurityImp,java' :
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.apache.log4j.*;
import com.sun.security.auth.callback.TextCallbackHandler;
import com.sun.security.auth.module.JndiLoginModule;
* Filename is ClientSideSecurity.java
public class ClientSideSecurityImp
private static final Logger log = Logger
.getLogger(ClientSideSecurityImp.class);
private Subject activeSubject = null;
private String userName = null;
private String appName = null;
private String viaMech = null;
private LoginContext lc = null;
public ClientSideSecurityImp(String appNameVal)
this.appName = appNameVal;
* (non-Javadoc)
public boolean userAuthenticate() throws SecurityException//,
// AuthenticationException
boolean authenticated = false;
String whereAmI = "ClientSideSecurityImp.UserAuthenticate()";
CallbackHandler handler = null;
JndiLoginModule jndi = new JndiLoginModule();
handler = new TextCallbackHandler();
if (lc == null)
try
lc = new LoginContext("JNDILogin", handler);
lc.login();
} catch (LoginException e)
// TODO Auto-generated catch block
e.printStackTrace();
activeSubject = lc.getSubject();
log.debug(activeSubject.toString());
// if we return with no exeption then authentication was sucessful.
authenticated = true;
return authenticated;
* @return success at removing the certificates.
public boolean logout()
String whereAmI = "ClientSideSecurityImp.logout()";
boolean success = false;
this.userName = "";
this.activeSubject = null;
return true;
My test class with main 'ClientSideSecurityImpTest.java' :
import org.apache.log4j.Logger;
import org.apache.log4j.PropertyConfigurator;
import com.jaas.ClientSideSecurityImp;
import junit.framework.TestCase;
* TODO To change the template for this generated type comment go to
* Window - Preferences - Java - Code Style - Code Templates
public class ClientSideSecurityImpTest extends TestCase
private static ClientSideSecurityImp cssi = new ClientSideSecurityImp("MyApp");
private static final Logger log = Logger.getLogger(ClientSideSecurityImp.class);
public static void main(String[] args)
PropertyConfigurator.configure("log4j.properties");
boolean test = cssi.userAuthenticate();
log.debug("**##$$##** Authenticated :" + test);
Error I get :
I get some error messages here that is expected as I have 'tryFirstPass=true' in my 'jaas.config' file. Then it asks for the user and password again. After that this is what I get:
Ldap username: user
Ldap password: password
[JndiLoginModule] user entered username: user
[JndiLoginModule] user entered password: password
[JndiLoginModule]: User not found
javax.naming.NoInitialContextException: Cannot instantiate class: =com.sun.jndi.ldap.LdapCtxFactory [Root exception is java.lang.ClassNotFoundException: =com/sun/jndi/ldap/LdapCtxFactory]
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:652)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:243)
at javax.naming.InitialContext.init(InitialContext.java:219)
at javax.naming.InitialContext.<init>(InitialContext.java:175)
at com.sun.security.auth.module.JndiLoginModule.attemptAuthentication(JndiLoginModule.java:496)
at com.sun.security.auth.module.JndiLoginModule.login(JndiLoginModule.java:310)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:324)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
at com.jaas.ClientSideSecurityImp.userAuthenticate(ClientSideSecurityImp.java:58)
at com.test.ClientSideSecurityImpTest.main(ClientSideSecurityImpTest.java:29)
Caused by: java.lang.ClassNotFoundException: =com/sun/jndi/ldap/LdapCtxFactory
at java.lang.Class.forName0(Native Method)
at java.lang.Class.forName(Class.java:219)
at com.sun.naming.internal.VersionHelper12.loadClass(VersionHelper12.java:42)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:649)
... 17 more
[JndiLoginModule] regular authentication failed
[JndiLoginModule]: aborted authentication failed
javax.security.auth.login.FailedLoginException: User not found
at com.sun.security.auth.module.JndiLoginModule.attemptAuthentication(JndiLoginModule.java:624)
at com.sun.security.auth.module.JndiLoginModule.login(JndiLoginModule.java:310)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:324)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
at com.jaas.ClientSideSecurityImp.userAuthenticate(ClientSideSecurityImp.java:58)
at com.test.ClientSideSecurityImpTest.main(ClientSideSecurityImpTest.java:29)
java.lang.NullPointerException
at com.jaas.ClientSideSecurityImp.userAuthenticate(ClientSideSecurityImp.java:65)
at com.jaas.ClientSideSecurityImpTest.main(ClientSideSecurityImpTest.java:29)
Thanks in advance.The error message clear cut says that the JVM cannot find the class com.sun.jndi.ldap.LdapCtxFactory. Make sure the LDAP provider jar which contains this class is in your program's classpath.
-
Setting permissions at entity object level using JAAS and LDAP
Hi,
I am using ldap-based provider for authorizaton. Every thing works fine. Authorization works fine based on the roles created in web.xml file.
Could you please let me know how I can define permissions at entity object level when using ldap based provider.
Following line is the permission created for an entity object (SpcStrBdgt) when using XML-based provider.
<permission>
<class>oracle.jbo.server.security.jazn.JboJAZNEntityPermission</class> <name>model.SpcStrBdgt/READONLY</name>
</permission>
Above is defined in jazn-data.xml file.How can I define the same thing when using ldap-based provider?
Thanks,
SeatreHi,
There is an enhancement request Bug2692994 for this feature.
Thanks,
Yvonne -
Problem with ADS and LDAP
I have installed Win2000 + sp1 and ADS on a computer. This computer is PDC.
After connection via LDAP I cann't get any object ( users or goups etc. ).
I try connect to ADS by java ( JNDI ).
When I use another clients of LDAP ( eg. Maxware Directory Explorer) I have
the same problem - no objects.
Can anybody help me?
Grzegorz Pszona
my e-mail: [email protected]Thanks a lot.
Softerra's browser is really good.
Thanks
Rashmi
"Anant Kadiyala" <[email protected]> wrote:
>
I used Softerra's LDAP browser. The browser is free. There is also a
java baded
LDAP browser from Univ of Michigan. I found the Softerra browser to be
more easier
to use.
-anant
"rashmi" <[email protected]> wrote:
Hi,
Can you please let me know which exact ADS tool that you used to examine
the
DN. I have Active Directory Users and Computers, Sites and Servicesand
Domain
and Trusts installed on my machine but I am not able to figure out how
to get
the DN?
Thanks
Rashmi
for Stephen Davies <[email protected]> wrote:
Grzegorz,
I have had WLS6.1 & ADS working ok using LDAP V2. Mind you it did take
a
fair bit of messing around to get it going. MS does have a few oddities,
for example the Administrators DN might look something like this:
cn=Administrator,cn=Users,dc=eglobal,dc=net
One tool that I found invaluable came with the additional support tools
for Windows 2000. The 'Active Directory Administration Tool' made it
easy to list the directory contents and examine the DNs.
Regards,
Steve
Stephen Davies
Principal Consultant
eGlobal Services Pty. Ltd.
Sydney, Australia
Ph. +61 2 9283 1033
http://www.eglobal.net/ -
Single sign-on using Kerberos and Ldap
I am currently setting up single sign-on using Kerberos for authentication and Ldap for authorization and information store.
The setup includes several Solaris 8 & 9 workstations, a couple of SGI's, as well as a M$ terminal server farm, several WinXP desktops and their associated Active Directory.
I am required to authenticate etc against the AD. (which has M$ SFU3.5 installed)
I have the Kerberos authentication and part of the Ldap service working via pam & nss.
ie. I can logon to the solaris worksatations using the AD username and password, mount the home directory from a M$ NFS server.
BUT...
id gives:- userID, groupID (primary group only)
groups :- primary group only. (no secondary groups are listed)
Question: what additional configuration information do I need in the pam, nss &/or ldap config files, so that I can list the secondary groups.
Thanks in advance for any help.After evaluating (giving up on, and finally throwing out) the Sun Directory server it looks like we are going to endup with a similar solution..
Sadly enough, the MS AD seems much more stable and easier to handle than Suns DS, kerberos and associated services.
Anyway, currently we are evaluating a product called vintela ( www.vintela.com ), and it seems very promising; its easy, robust, stable and does what we require it to do, as well as more :) It comes with an additional nss module called 'vas', so you easily can retrieve data like hosts/groups from your AD.
//M. -
Hi there,
I'm using Weblogic 6.1 and working on the security aspect of a project.
What I want to do is to set up the app so that a user logs in and gets authenticated
using JAAS. I also want to secure the app so that all requests for urls must
be authenticated first i.e. They go through the login page first.
The easiest way I can see to do this is to use FORM based authentication using
j_security_check.
Is there a way then to set whatever j_security_check in the session, within the
JAAS part of the code? Rather than authenticating with JAAS and then sending
username and password to j_security_check.
Does anyone know what to set? I looked at previous messages but they seem to
deal with earlier versions and these do not work with 6.1
Any help would be appreciated,
Thanks,
IanFrank, thanks for comments.
Yes user info is in the sama database so I can get it from there, but I would like to call this DB function once after succesfull authentication. In addition we have kind of 2 level passwords in place, one application password and one internal db password for user to access database resources.
User does not know his/her db password, we have just api to get db password after authentication and existing application api (developed for forms client originaly) assumes user access db by his own connection, so in many api's oracle function user is stored in some tables.
So what I need is after authentication of user (with application password) I can get Oracle password and then make new DB connection to all application api, just would like to store Oracle password (or new user db connection )somewhere so I dont need to fetch it everytime I need to call application API.
ferdo -
Adding phones and users with bat and LDAP sync
What are the various ways of importing users with phones when the Communications Manager 9.0 is sync'd with LDAP. Also, what method is the easiest and fastest?
For example, I could do the following steps:
Sync CUCM with LDAP to import new users, add phones using bat files, manually update users to associate devices etc
I believe I should also be able to do the above method and use a bat file to update the users to associate devices etc. This method still involves 2 steps and the creation of 2 seperate bat files.
In CUCM version 9 it is possible to have local and LDAP users, so is it possible to add the phones and users using the phones/users tab of the bat file and have them beocme LDAP users?
Thank you,
Danny#1 Remove this embedded CSS code from your HTML document(s). You don't need it.
body {
background-color: #CCC;
body,td,th {
color: #FFF;
font-size: 14px;
#2 Open PW.css file and add this to the top:
body {
font-family: Arial, Helvetica, sans-serif;
font-size: 14px;
background-color: #CADFEB;
/**or insert a background-image using the CSS editor**/
#3 Remove font-family and font-size from all your other CSS selectors. You don't need to duplicate styles on every element.
#4 Replace this:
#content {
position:absolute;
left:199px;
top:10px;
width:860px;
z-index:1;
right: auto;
background-color: #FFF;
text-align: center;
color: #000;
height: auto;
with this:
#content {
width:860px;
margin: 20px auto;
border: 4px solid silver;
background-color: #FFF;
text-align: center;
color: #000;
-moz-box-shadow: 5px 5px 5px #888;
-webkit-box-shadow: 5px 5px 5px #888;
box-shadow: 5px 5px 5px #888;
#5 Save your PW.css file and upload to server.
Nancy O.
Alt-Web Design & Publishing
Web | Graphics | Print | Media Specialists
http://alt-web.com/
http://twitter.com/altweb -
Authentication & Authorization with SSO, JAAS and Database Tables mix
Hi,
I'm looking for how manage Authentication & Authorization in a J2EE ADF+Struts+JSP application.
I'm interested in use SSO for authentication (I just did it programatically & dynamically already), and now I would like to could define authorization using database tables with users, groups, profiles, individual permissions, ..., (maitanined dynamically by web application admin) throught JAZN (JAAS or however is said) but not statically defining roles, groups, users, ... in jazn xml files.
I saw that exists the possibility to create a custom DataSourceUserManager class to manage all this, and this gave me the idea that this could be possible to do (I was thinking in make a custom Authorization API over my application tables, without JAZN) but what is better that use and extended and consolidated aprox like JAZN.
Anybody could tell me if my idea could be possible, and realizable, and maybe give me some orientation to build this approach.
A lot of thanks in advanced.
And sorry, excuse my so bad english.
See you.Marcel,
Originally the idea was to create a post to only explain how to do authentication using a Servlet filter. However,
I have recently added code to the JHeadstart runtime and generators to enable both JAAS and 'Custom' authentication AND authorization in generated applications. Therefore, this post will be made after we have released the next patch release, as it will depend on these code changes.
We currently plan to have the patch release available sometime in the second half of May.
Kind regards,
Peter Ebell
JHeadstart Team -
Hi all!
After connecting our OBIEE 11.1.1.5 to LDAP we faced with a strange problem: after one user enters the system any next user logged in has the same privileges in OBIEE as the first one.
We turned off the following caches:
- WebLogic Principal Validator Cache in a security realm Performance section
- Group Membership Lookup Hierarchy Caching in our LDAP authentication provider Performance section
But the problem still occurs. Does anyone have any suggestions on this?Hi I was having endless issues with OBIEE and LDAP, I followed the exact steps here:
http://docs.oracle.com/cd/E17904_01/web.1111/e13707/atn.htm#SECMG169
These worked for me, so you could check for a start these recommended setting are same in your environment.
Thanks -
XI 3.1 Client Tools and LDAP Authentication
I have Business Objects XI 3.1 SP2 installed. For the web clients (InfoView) single sign on and LDAP authentication are working correctly. However when a user tries to log in using LDAP authentication to one of the client tools (Universe Designer, Webi Rich Client, etc) the error "Cannot access the repository (USR0013)" occurs with the following details:
[repo_proxy 13] SessionFacade::openSessionLogon with user info has failed(Security plugin error: Failed to set parameters on plugin.(hr=#0x80042a01)
Are there troubleshooting or setup guides dealing specifically with LDAP authentication with the various client tools?Make sure that the File and Printer Sharing for Microsoft Networks component is installed and enabled on your clients.
Take a look at note 1272536 (http://service.sap.com/notes)
Regards,
Stratos -
I want to see list of Disabled user from AD and LDAP
Hi
i wan see the list of disabled user from AD and LDAP and it shows in the next page as Tabular format
having all the details of AD (Attributes)Hi
i wan see the list of disabled user from AD and LDAP and it shows in the next page as Tabular format
having all the details of AD (Attributes) -
Connected MDM and LDAP, but but now what? Why user mapping?
Hi Gurus,
In my last thread, I posted that I was not able to connect MDM with LDAP. I was finally able to.
My problem now is I have to define user mapping in SAP Portal for the MDM business iViews to work.
By connecting MDM and LDAP, I got the benefit that now the authentication and authorization is happening via LDAP.
But this does eliminate the need for user mapping. If this is the case then why the real benefit of using LDAP?
In this case this becomes worse as I need to know the user's LDAP Password which no body will share for sure.
Any ideas? I want to get rid off this user mapping stuff.
Warn Regards,
Karanwithout knowing specifics of ur architecture, i can quickly point out two things:
1) LDAP is primarily used for authentication, true.
2) Portal User mapping should not be an issue if u already have portal tied up to the active directory or some kind of single sign on?
So portal knows the users who has logged it, polls the Active directory for authentication and Active directory logs into MDM with that users role.
-Sudhir -
Hello,
I have a question about the LDAP integration with the ISE:
Since the ISE has a limitation of reading only 100 groups, I cannot find the groups that I need to use on the authorization, and also the ISE cannot find group if I search for it directly.
What I mean here, that I can fetch the first 100 groups from the top of the directory, but when I search as example for any group (appear on the list or not) the ISE did not find it.
Even I tried to change the base DN and the search DN but without luck.
The ISE version is 1.1.4 installed on VM and the LDAP schema is AD.
Is there any missing information/tips required in such integration?Hello,
I found a cisco doc that provides resolution of Key Features of Integration of Cisco ISE and LDAP .I hope this helps!
This section contains the following:
•Directory Service
•Multiple LDAP Instances
•Failover
•LDAP Connection Management
•User Authentication
•Authentication Using LDAP
•Binding Errors
•User Lookup
•MAC Address Lookup
•Group Membership Information Retrieval
•Attributes Retrieval
•Certificate Retrieval
http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_id_stores.html#wp1059913 -
I'm trying to use JAAS to log in a user on a JBOSS app, but am running into a problem. I'm able to successfully authenticate the user, and retrieve a Subject from my LoginContext. However, once that request is done (i.e. the browser displays the "log in complete" page), the application seems to forget that the user was logged in. How does JAAS and JBOSS keep track of the logged in user? Is this done by keeping a singleton of LoginContext around in some scope? Right now I'm creating a new instance of LoginContext, and using it to load a new instance of my CallbackHandler. Note, when I used JBOSS default form based authentication, it kept the user logged in. However, I can't use their default auth because I have some custom things I need to do.
Thanks in advance for any help you provide.Hi,
I tested this on OC4J for you and here - after setting jbo.security.enforce to Must, the user principal name and the roles are displayed.
So there are three possibilities why you don't see things working
- JBoss doesn't add the role principals to the Subject so they become available in the session
- You attempt accessing this information in a prepareSession() override without enforcing authentication to happen for the root page - URL pattern = /
- ADF BC security doesn't recognize the custom role principal
After briefly reviewing the security implementation code, it seems that ADF BC security is dependent on Oracle JAZN for authorization.
Frank -
Database Table and LDAP Authentication in the same repository?
I'm wondering if it's possible to authenticate through database tables for some users and LDAP for other users. I can configure each one separately but I'm curious if anyone has ever successfully done both in the same repository.
Thanks,
-MattAnother thing to try is this. I don't have an LDAP server here but it worked for me without LDAP. I think it should also work with LDAP as it is the same idea. I don't think there is a way to have a conditional Init Blocks. Also you can't have two init blocks setting the same variable (USER in our case). But what you can do is to have two Init Blocks, one for LDAP authentication and the other one for table authentication. So you could have this scenario:
1) LDAP "authentication" init block sets custom variable LDAP_USER
2) Table "authentication" init block sets custom variable TABLE_USER
3) Final authentication init block (the real one) sets USER variable using something like this:
SELECT CASE WHEN ':USER' = 'SOME STRING' THEN ':LDAP_USER'
ELSE ':TABLE_USER'
END
FROM DUAL
WHERE CASE WHEN ':USER' = 'SOME STRING' THEN ':LDAP_USER'
ELSE ':TABLE_USER'
END = ':USER'
Note how I use the CASE statement both to return the user value I want the USER variable to be set and also in the WHERE clause to make sure no rows are returned in case authentication fails (which should return no rows to denote a failed authentication). Obviously you need to set the init block dependancies correctly. I did a quick test with users coming from two separate Oracle tables in 2 init biocks and it worked fine for me. Give it a try and let me know how it goes.
Maybe you are looking for
-
How to integrate different database in SAP B1 into unique DB?
Hello, In our landscape, we've SAP B1 System and we also build SAP BW on Hana reports using B1 as a source system. Currently, in SAP B1 system, we don't have unique database. Rather, we have distinct database for different Sales Offices. At present
-
How do I change the color of my text messages?
Can you change the color of your messages?
-
Testing WebService through WS Navigator in CE 7.1.1
Hello All, We have a scenario where the web service in created in ECC and hosted on PI Service Registry. When we try to test this web service through WS Navigator, I am getting the error "Invalid Transport binding settings [_confidentiality0210] Exp
-
SIMPLE FIX for XP SP2 Installs
Greetings. I'll cut to the chase and won't explain here in detail what's really going on with this fix, but it has now successfully cleared a range of installation problems for iTunes 5.0, 5.01, and QuickTime 7, on two unrelated XP SP2 systems. Feel
-
After purchasing and implementing iTunes match I can't watch a bunch of my movies and I can't update my apps because of an error message stating that I do not have "write access" or another error message stating that I don't have correct permissions.