JAAS Authentication in WLS 7.0

Similar Messages

• JAAS-authentication and wls-authorization in a webapp

  Hi,
  I am developing a webapp with jsp, servlets and ejbs.
  My question:
  Is it possible to use JAAS-authentication together with wls-authorization in a
  webapp?
  thanks
  /Chriz

  Hi, Office 365 tenants indeed include an Azure AD tenant in the background and you can implement Single Sign-On against that. The authentication scenario for this case is documented
  here. For the code samples (with steps to create them) see the
  samples' Github repository, especially the
  WebApp-WSFederation-DotNet sample. 
  For the SQL database it's a bit different. Azure SQL Database connection can't be authenticated like this - there's no integration to the "domain" accounts there. So you should create one service account for the SQL connection and use that for
  all the traffic in your web app. If you need authorization for accessing certain data in SQL, you have to implement that on your web application side.

• Is it possible to bypass JAAS authentication and use Authorisation alone?

  I have to implement jsp level security (by checking roles) for my JSF application.
  Authentications in my appln are done by a different servers. I don't want to disturb that.
  I have to implement authorisation alone using JAAS.
  Is it possible to bypass JAAS authentication and use Authorisation alone?
  I am using custom login module( implements DatabaseLoginModule) for authorisation.
  Moreover, after logging in, when a user tries to access a secured jsp page, he should NOT be redirected to login page again. Rather the role checks should be done using existing user credentials stored somewhere. How to invoke the custom DataBaseLoginModule without taking user to login screen?
  Any help would be great.
  Thanks,
  Adhil.J

  I have to implement jsp level security (by checking roles) for my JSF application.
  Authentications in my appln are done by a different servers. I don't want to disturb that.
  I have to implement authorisation alone using JAAS.
  Is it possible to bypass JAAS authentication and use Authorisation alone?
  I am using custom login module( implements DatabaseLoginModule) for authorisation.
  Moreover, after logging in, when a user tries to access a secured jsp page, he should NOT be redirected to login page again. Rather the role checks should be done using existing user credentials stored somewhere. How to invoke the custom DataBaseLoginModule without taking user to login screen?
  Any help would be great.
  Thanks,
  Adhil.J

• 11g hybrid authentication / authorization: WLS plus external table

  I've implemented external table authentication / authorization in 11g. Now I'd like to add a twist.
  I have an external table containing users B, C, and D. That external table contains all of the columns I need for authentication (including a clear text password) and for authorization (roles, log level, a dynamic table name, and so forth). I have authentication in one initialization block, authorization in another. Everything works fine. I can log in as B, C, or D and see exactly what I'm supposed to see, based on the ROLES.
  The clear text passwords are generally not a problem, because this is a training instance and almost all of the passwords are the same. However, I want to add a user whose password should not be held in clear text. For that reason, I'd like to add that user into WLS. I've done that, and I'm able to log in to OBIEE. After confirming that I could log in to OBIEE with user A from the WLS, I added User A to the external table, left its password field blank, and filled in the other columns (roles, loglevel, etc...) that I need to assign into session variables.
  Here's the problem: the authorization init block properly assigns ALL session variables for users B, C, and D. It assigns all session varaibles EXCEPT the ROLES variable for user A. I've confirmed this by creating an Answers analysis that shows me the values of the session variables. The ROLES session variable for user A shows "authenticated-role;BIConsumer;AuthenticatedUser". For all other users (those who are authenticated using the clear text passwords in the external table) the ROLES variable is populated correctly, based on the values in the ROLES column in the external table. In short, the authorization init block is properly assigning the ROLES session variable only for those users that were authenticated using the authentication init block, but is assigning all other session variables correctly for all users, even the one in WLS.
  Here's my authentication init block code:
  select bi_user
  from bi_auth_ldap
  where bi_user = ':USER'
  and bi_user_pwd = ':PASSWORD'
  Here's the authorization init block code:
  select roles, bi_user_name, to_number(loglevel,0), channel_tbl
  from bi_auth_ldap
  where bi_user = ':USER'
  (returned results are assigned into ROLES, DISPLAYNAME, LOGLEVEL, and CHANNEL_TBL session variables, respectively)
  It feels like the ROLES session variable is populated in conjuction with the user logging on and being authenticated via WLS, and that the initialization block isn't able to overwrite that variable. Can an OBIEE developer confirm that for us, please? Once set in WLS, is it not possible to overwrite the ROLES session variable with SQL from an initialization block? If it IS possible, can you post some code that will accomplish it?
  Thanks!

  It occurs to me that Oracle's support model is a fantastic way to make money. Let's see, I wonder if I could become a billionaire doing this:
  Create some software. Sell that software. Then, charge customers several thousand MORE dollars, year after year, plus about $60 per bug, so that they have the right to report MY bugs to me. Yeah, that's the ticket - people PAYING for the right to report bugs to me. Oh, and if more than one person reports the same bug, I get to keep ALL of the money from ALL of them.
  Let's summarize, make sure I haven't missed something: You buy my software, you PAY ME additionally to report MY bugs to me, I don't necessarily have to fix the bugs (but I keep your money whether I fix it or not), and I can collect multiple times from different people who report the same bug.
  Sweeeeeeet.........
  Billionaire Acres, here I come!

• JAAS authentication with WebLogic 6 - "Invalid Configuration Class Name"

  For starters, I took the sample file examples.security.jaas.SampleConfig, changed the name and
  package, compiled, and copied it to the right place in the classes directory of the webapp project.
  The class is specified as a parameter in startWebLogic.cmd:
  -Dweblogic.security.jaas.Configuration="com.ww.opd.auth.JAASConfiguration"
  When a servlet attempts to get LoginContext, I get this error:
  "Invalid Configuration Class Name: com.ww.opd.auth.JAASConfiguration"
  The class file is definitely in the right place. What's the deal?
  Thanks,
  Rob

  Seems to be a ClassLoader problem. The sample is a client app, so no problem. But if you create
  a Configuration class to run on the server (to set up a LoginModule for authenticating clients)...
  I think what's happening is that the System class loader, using the CLASSPATH in the environment
  of the WebLogic server when it starts, attempts to load the Configuration class and can't (because it
  is in the CLASSPATH of the web app, not of the System class loader). If you add the Configuration
  class to the CLASSPATH of the WebLogic server, then it gets loaded but the LoginModule can't be
  found. If you add the LoginModule to the WebLogic server CLASSPATH, then any classes that it calls
  must also be in the WebLogic server CLASSPATH.
  Could someone from BEA please comment: is that the intention, that any classes used for JAAS
  authentication be part of the server's CLASSPATH, not part of the web application?
  Thanks,
  Rob
  "Rob Weltman" <[email protected]> wrote:
  >
  For starters, I took the sample file examples.security.jaas.SampleConfig, changed the name and
  package, compiled, and copied it to the right place in the classes directory of the webapp project.
  The class is specified as a parameter in startWebLogic.cmd:
  -Dweblogic.security.jaas.Configuration="com.ww.opd.auth.JAASConfiguration"
  When a servlet attempts to get LoginContext, I get this error:
  "Invalid Configuration Class Name: com.ww.opd.auth.JAASConfiguration"
  The class file is definitely in the right place. What's the deal?
  Thanks,
  Rob

• JAAS Authentication Example Error

  I am working with the JAAS Authentication example provided by Sun at the following link:
  http://java.sun.com/j2se/1.4.1/docs/guide/security/jgss/tutorials/index.html
  I am working with Windows NT. I am using a NTLoginModule in my config file. I would like to create a simple Login that uses the current OS's user ID. Once I add the security.manager and a policy file that includes anything besides full permisions (permission java.security.AllPermission;), I get a Security Exception, and more specifically a "java.security.AccessControlException:access denied...".
  I am using the following config:
  JaasConfig {
  com.sun.security.auth.module.NTLoginModule required debug="true";
  I would like to use a policy file that gives permission to a file for the current user. I would like to do something similar to the following, but get the error once this is added....
  grant Principal com.sun.security.auth.NTUserPrincipal "user"
  //Allow everything for now
  //permission java.security.AllPermission;
  permission java.io.FilePermission "ProtectedFile.txt", "read , write";
  What am I doing wrong? Any help is very much appreciated!
  Thanks!

  I got it...my policy file needed more to work in NT. Here is the entire file:
  grant Principal com.sun.security.auth.NTUserPrincipal "s156898"
       permission java.io.FilePermission "ProtectedFile.txt", "read";
  grant {
  //Allow everything for now
  //permission java.security.AllPermission;
       permission javax.security.auth.AuthPermission "createLoginContext.JAASConfig"     permission java.io.FilePermission "ProtectedFile.txt", "read";
       permission javax.security.auth.AuthPermission "modifyPrincipals";
       permission javax.security.auth.AuthPermission "doAsPrivileged";
       permission javax.security.auth.AuthPermission "getSubject";
  However, I am trying to also do my work on a Solaris/Unix machine. I get an error that tells me that only Principal-based entries are allow. Anyone know how to give permission to all users in a Principal statemtent. The same setup as the above, using Unix Principals, will not work. Seems like I have to always have a grant and Principal for every set of permissions.
  Lemme know if you can help. Thanks!

• JAAS Authentication Programmatically

  On Web sphere I have defined a JAAS Authentication Entry with an Alias, Username and Password. There are 2 � 3 applications running on this instance of the server.
  From one of these applications I would like verify the username and password as in �JAAS Authentication Entry� programmatically.
  Is this possible? If so can you please help me with more details like:
  1.     Is there any change needed in the specific application�s web.xml to point at the JAAS security of the server.
  2.     Any specific JAVA API to access JAAS information (configured on server) from a java program.
  Thanks

  Yes - as long as it is serializable.

• Using Identity Server as a JAAS authentication provider

  My client wants to use Identity Server to provide JAAS authentication for the Java application they're developing.
  The JAAS tutorial shows how the name of the Java class that provides the authentication service is provided, then an instance of this class is instantiated and the .login method invoked to actually perform the authentication.
  The stated principle behind the tutorial is one of using a pluggable authentication framework, and one should not care how authentication is performed. As long as the callbacks to allow the authentication framework to ask for the credentials required, it should not matter.
  The example of how to do LDAP authentication using Identity server requires using some identity server classes. ie the com.sun.identity.authentication.AuthContext class. They specifically want to use pure JAAS authentication rather than creating a dependance in their application on Identity Server.
  Is a Java class available which provides this functionality?
  Thanks

  In Apache you can specify the authentication parameters in the virtual host configuration

• JAAS, authentication only, in WLS 6

  I've poured over the newsgroups and the sample client, and nothing matches what I'd
  like to accomplish. What I want to do seems simple enough, but I haven't been able
  to get it to work:
  1. Configure WLS 6 SP1 to use its realms/authentication processes
  2. From within an EJB's method, using JAAS, ask Weblogic if this is a valid user
  (i.e., does this user/psw combination exist in the weblogic-managed realm(s)?).
  That's all I want to do, nothing more, nothing less. I'm getting nowhere and I've
  been at this for 2 days now. My latest incarnation was to specify the ServerPolicy
  in my call to create a login context. This authenticates, all right, but it authenticates
  everyone! My previous incarnation was to grit my teeth and write a login module
  just like in the (client) sample, but then this didn't work either. It replaced
  weblogic's authentication with mine (which I DON'T want) and I couldn't get it to
  "call back" into WLS for it to authenticate for me.
  This doesn't seem too difficult a task to me, but yet, none of the samples are clear,
  none of the environment settings are clear, and none of the books I have (I've looked
  at 2 WLS-specific books and the Sun JAAS site) are clear.
  How might I go about accomplishing this task?
  The current (within EJB) code I'm attempting is:
  // Create a login context and an associated handler for the password...
  LoginContext // Need a (JAAS) login context...
  Ctx = new LoginContext(strJAAS,
  new JAASAuthenticateCallback(strUsername,
  strPassword));
  Ctx.login(); // Perform the login
  // If we get here, the user/password is authenticated.
  Ctx.logout(); // Since we're just authenticating, log out!
  This snippet of code ALWAYS authenticates successfully (no exceptions thrown) regardless
  of what value is used for strJAAS, user ID and password!

  You can copy the JAAS example, implementing your own version of all the
  classes they give, and it will (eventually) work.
  Alternatively, if this is on the server, you can just grab the realm and
  call the appropriate authentication method:
  CachingRealm realm = (CachingRealm)Security.getRealm();
  UserInfo info = new DefaultUserInfoImpl(name, password);
  User user = realm.authenticate(info);
  if (null != user) ...
  (I'm using a caching realm, obviously).
  Two days is pretty optimistic. It's taken me two weeks to get qn SQL-based
  realm and login working (about a week each for the realm and the login)
  (although I'm not programming full time as I have to manage a couple of
  other prgrammers too).
  Good luck,
  Andrew
  "Al Cilcius" <[email protected]> escribió en el mensaje
  news:[email protected]...
  >
  I've poured over the newsgroups and the sample client, and nothing matcheswhat I'd
  like to accomplish. What I want to do seems simple enough, but I haven'tbeen able
  to get it to work:
  1. Configure WLS 6 SP1 to use its realms/authentication processes
  2. From within an EJB's method, using JAAS, ask Weblogic if this is avalid user
  (i.e., does this user/psw combination exist in the weblogic-managedrealm(s)?).
  >
  That's all I want to do, nothing more, nothing less. I'm getting nowhereand I've
  been at this for 2 days now. My latest incarnation was to specify theServerPolicy
  in my call to create a login context. This authenticates, all right, butit authenticates
  everyone! My previous incarnation was to grit my teeth and write a loginmodule
  just like in the (client) sample, but then this didn't work either. Itreplaced
  weblogic's authentication with mine (which I DON'T want) and I couldn'tget it to
  "call back" into WLS for it to authenticate for me.
  This doesn't seem too difficult a task to me, but yet, none of the samplesare clear,
  none of the environment settings are clear, and none of the books I have(I've looked
  at 2 WLS-specific books and the Sun JAAS site) are clear.
  How might I go about accomplishing this task?
  The current (within EJB) code I'm attempting is:
  // Create a login context and an associated handler for the password...
  LoginContext // Need a (JAAS) login context...
  Ctx = new LoginContext(strJAAS,
  new JAASAuthenticateCallback(strUsername,
  strPassword));
  Ctx.login(); // Perform the login
  // If we get here, the user/password is authenticated.
  Ctx.logout(); // Since we're just authenticating, logout!
  >
  This snippet of code ALWAYS authenticates successfully (no exceptionsthrown) regardless
  of what value is used for strJAAS, user ID and password!

• Oracle Proxy Authentication and WLS 8.1/CMP

  Hey folks,
  Is there any way to configure WLS 8.1 to automatically set the Oracle CLIENT_IDENTIFIER
  variable or use Oracle Proxy Authentication on JDBC connections? I'm interested
  in using Oracle auditing with my CMP entity beans, but would like to capture the
  app tier user identity, instead of the data source pool user.
  Thanks.

  "Brent Smith" <[email protected]> wrote in message
  news:3fa15807$[email protected]..
  >
  Hey folks,
  Is there any way to configure WLS 8.1 to automatically set the OracleCLIENT_IDENTIFIER
  variable or use Oracle Proxy Authentication on JDBC connections? I'minterested
  in using Oracle auditing with my CMP entity beans, but would like tocapture the
  app tier user identity, instead of the data source pool user.
  I would ask in the weblogic.developer.interest.jdbc newsgroup.

• Problem with JAAS authentication using jboss client

  I'm trying to make a little compiled application works. It has two parts: a little client(one class) and a server part which runs on a jboss server, and comunicates between them using JAAS + SSL. It works perfectly alone if I run it in a java project, without the messing sap JAAS implementation.
  I followed all the steps in:
  https://websmp101.sap-ag.de/~sapidb/011000358700003517632004E.PDF
  and managed to apply the configuration into the security service of WAS, using <b>jboss-client.jar</b> as the library with the login module, and <b>org.jboss.security.ClientLoginModule</b> as the login module.
  I included the client class into a web service developed for my WAS, packing the class and its library plus jboss-client.jar into my EAR.
  But when it tries to do the authentication, sometimes it uses:
  <b>org.jboss.security.ClientLoginModule</b> (that's the correct class) but throws a "<b>User is locked</b>" exception.
  Have I need to create the user who I use to connect to jboss in my WAS UME ? This has no much sense. Anyway doesn't work either, and the user is not locked.
  Other times (withouth changing anything) it uses:
  <b>com.sap.engine.system.SystemLoginModule</b> and throws this exception:
  <b>com.sap.engine.services.security.exceptions.BaseLoginException</b>: Call logout before login
  I have nightmares trying to integrate things which works in every application server but WAS. Why couldn't they simply follow the standard!?
  I'm thinking in installing a tomcat with the client, and use axis to wrap it with a web service I can consume from my WAS. Not very elegant solution.
  I think it maybe has something to do with specific callback classes from sap implementation.
  Any idea? I can't go forward.

  Did you resolve this problem? Please let me know. I have the same issue now and don;t know what I should be doing next

• JAAS-authentication to external secure system within EJB?

  I would like to write an EJB that accesses an external,
  non-WebLogic system that uses JAAS security. It looks like using
  plain vanilla JAAS client code would break some EJB programming rules.
  I need to pass credentials to this external system
  (private/public keys, etc.) that are on the filesystem.
  I see WL has "Credential Mapping" but couldn't really see how
  I'd use and implement this to authenticate to the external
  system.
  Any advice would be appreciated.
  -Rolf Arands

  one way, which I know that will work, is to run you JAAS code on some container. If authentication works, the code on you container forwards HTTP request to the WAS.
  The WAS must have a Trust association interceptor (TAI), written for you purpose. You container forwards the HTTP request with the authenticated userid in the request. The TAI intercepts the requests and pulls the authenticated userid from the request and returns the userid to the WAS security manager.
  I have created a small presentation that shows how security credentials is propagated to the WebLogic and WAS security managers. It can be found on my site.
  /Bo
  http://appliedcrypto.com

• Jaas authentication with cutom realm problem

  I'm having this problem, I have a web application made with JSF running on Sun One Application Server 9, and I made a cutom realm with Jaas so that the server will be handeling the authentication and it is working fine. The problem is that i want to load some info into the user's session after that he have been authenticated based on the username. But I have on clue how to do it. so I'll be very thanks full it anybody helped me.

  Did you resolve this problem? Please let me know. I have the same issue now and don;t know what I should be doing next

• JAAS authentication is not working with IIOP and wlclient.jar

  Hi,
  I'm currently working on a remote client that requires authentication with JAAS.
  The Application server is Weblogic 9.2 MP1.
  The client is deployed with wlclient.jar and the used protocol is iiop.
  I'm also using the default UsernamePasswordLoginModule module for authentication.
  The LoginContext.login goes smoothly but the Principal Set in the obtained Subject object is empty!
  Using the same code with weblogic.jar and t3 protocol the principals are filled(i.e. I can see the groups where the involved user is member).
  Any suggestions ??
  regards,
  Luca

  So, when you execute this, where exactly does it crash/stop, or what is the output you get from those dbms_output lines? Do you know the output of memberOf and are you sure that things will match?

• WlClient.jar & JAAS authentication Issues

  If I run the JAAS example (examples/security/jaas) that comes with
  wl8.1 sp1 but use wlclient.jar instead of weblogic.jar, the
  LoginContext.login() method returns a Subject even if I pass in an
  invalid user/password combination. If weblogic.jar is in the
  classpath, a javax.security.auth.login.LoginException is thrown which
  is what I want to happen for invalid credentials. When running with
  wlclient.jar, the code doesn't fail until it actually attempts to
  access the EJB at which point it gets a org.omg.CORBA.NO_PERMISSION.
  I am trying to use JAAS to login from a swing app and I want to use
  wlclient.jar instead of weblogic.jar, but I need to be able to
  determine whether the login was successful without waiting until I
  access a secured EJB. Why does wlclient.jar behave differently than
  weblogic.jar? How can I determine if my login worked if Weblogic is
  going to return a Subject no matter what username/password I pass in?

  Hi,
  I have a similar problem when using wlclient.jar. I am able to authenticate using
  the UsernamePasswordLoginModule (with authOnLogin true), but I get an error when
  invoking a secured EJB:
       UsernamePasswordLoginModule.initialize(), debug enabled
       UsernamePasswordLoginModule.initialize(), authOnLogin enabled
       UsernamePasswordLoginModule.login(), username weblogic
       UsernamePasswordLoginModule.login(), URL t3://localhost:7001
       Logged in
       Invoking EJB
       java.rmi.AccessException: CORBA NO_PERMISSION 0 Maybe; nested exception is:
            org.omg.CORBA.NO_PERMISSION: vmcid: 0x0 minor code: 0 completed: Maybe
            at com.sun.corba.se.internal.iiop.ShutdownUtilDelegate.mapSystemException(ShutdownUtilDelegate.java:95)
            at javax.rmi.CORBA.Util.mapSystemException(Util.java:65)
  The login is successfull, but I get the org.omg.CORBA.NO_PERMISSION when invoking
  the EJB. If I replace wlclient.jar with weblogic.jar it works fine! But we can't
  use weblogic.jar in our deployed client, because a) it's HUGE, b) it conflicts
  with Ant 1.6.1.
  Any ideas?
  "Memo S" <[email protected]> wrote:
  >
  Here is the answer
  A UsernamePasswordLoginModule LoginModule was added for use by the IIOP
  thin-client.
  This class has the same API as that of the weblogic.security.auth.login.UsernamePasswordLoginModule
  class, but in this implementation, there is a new property called authOnLogin.
  When true, this property forces the login method to perform authentication
  (rather
  than on the first invocation). The default for this new property is false.
  Regards.
  Memo S
  "Ganapathi" <[email protected]> wrote:
  If I run the JAAS example (examples/security/jaas) that comes with
  wl8.1 sp1 but use wlclient.jar instead of weblogic.jar, the
  LoginContext.login() method returns a Subject even if I pass in an
  invalid user/password combination. If weblogic.jar is in the
  classpath, a javax.security.auth.login.LoginException is thrown which
  is what I want to happen for invalid credentials. When running with
  wlclient.jar, the code doesn't fail until it actually attempts to
  access the EJB at which point it gets a org.omg.CORBA.NO_PERMISSION.
  I am trying to use JAAS to login from a swing app and I want to use
  wlclient.jar instead of weblogic.jar, but I need to be able to
  determine whether the login was successful without waiting until I
  access a secured EJB. Why does wlclient.jar behave differently than
  weblogic.jar? How can I determine if my login worked if Weblogic is
  going to return a Subject no matter what username/password I pass in?