JAAS, authentication only, in WLS 6

Similar Messages

• JAAS-authentication and wls-authorization in a webapp

  Hi,
  I am developing a webapp with jsp, servlets and ejbs.
  My question:
  Is it possible to use JAAS-authentication together with wls-authorization in a
  webapp?
  thanks
  /Chriz

  Hi, Office 365 tenants indeed include an Azure AD tenant in the background and you can implement Single Sign-On against that. The authentication scenario for this case is documented
  here. For the code samples (with steps to create them) see the
  samples' Github repository, especially the
  WebApp-WSFederation-DotNet sample. 
  For the SQL database it's a bit different. Azure SQL Database connection can't be authenticated like this - there's no integration to the "domain" accounts there. So you should create one service account for the SQL connection and use that for
  all the traffic in your web app. If you need authorization for accessing certain data in SQL, you have to implement that on your web application side.

• JAAS Authentication Example Error

  I am working with the JAAS Authentication example provided by Sun at the following link:
  http://java.sun.com/j2se/1.4.1/docs/guide/security/jgss/tutorials/index.html
  I am working with Windows NT. I am using a NTLoginModule in my config file. I would like to create a simple Login that uses the current OS's user ID. Once I add the security.manager and a policy file that includes anything besides full permisions (permission java.security.AllPermission;), I get a Security Exception, and more specifically a "java.security.AccessControlException:access denied...".
  I am using the following config:
  JaasConfig {
  com.sun.security.auth.module.NTLoginModule required debug="true";
  I would like to use a policy file that gives permission to a file for the current user. I would like to do something similar to the following, but get the error once this is added....
  grant Principal com.sun.security.auth.NTUserPrincipal "user"
  //Allow everything for now
  //permission java.security.AllPermission;
  permission java.io.FilePermission "ProtectedFile.txt", "read , write";
  What am I doing wrong? Any help is very much appreciated!
  Thanks!

  I got it...my policy file needed more to work in NT. Here is the entire file:
  grant Principal com.sun.security.auth.NTUserPrincipal "s156898"
       permission java.io.FilePermission "ProtectedFile.txt", "read";
  grant {
  //Allow everything for now
  //permission java.security.AllPermission;
       permission javax.security.auth.AuthPermission "createLoginContext.JAASConfig"     permission java.io.FilePermission "ProtectedFile.txt", "read";
       permission javax.security.auth.AuthPermission "modifyPrincipals";
       permission javax.security.auth.AuthPermission "doAsPrivileged";
       permission javax.security.auth.AuthPermission "getSubject";
  However, I am trying to also do my work on a Solaris/Unix machine. I get an error that tells me that only Principal-based entries are allow. Anyone know how to give permission to all users in a Principal statemtent. The same setup as the above, using Unix Principals, will not work. Seems like I have to always have a grant and Principal for every set of permissions.
  Lemme know if you can help. Thanks!

• 802.1X Machine Authentication ONLY!

  Hi. I have a customer who wants to perform 802.1x machine authentication only to prevent users connecting there own devices to the corporate network. The machine credentials will be authenticated via Cisco ACS which will proxy the authentication to ActiveDirectory. If successful, the 802.1x assigns the port to a VLAN. At this point, the port is 'opened up' and the user can recieve an IP address and can then login to the domain as normal (AD username/password) via the network login screen. Is this a workable solution?
  I basically want the end user to not notice anything new, but 802.1x operates in the background to authenticate the machine before displaying the network login box. To the user, the PC boots and displays the login box and they login as normal :-) If they bring in their own device, it will fail 802.1x machine authentication and will not get any access.
  Has anyone implemented this? Is it a feasible design?
  Thanks
  Darren

  Hi Darren,
  good news for you.. you can do this using the "Machine Access Restriction" on both ACS 4.x and ACS 5.x:
  * ACS 5.x:
  http://www.cisco.com/en/US/customer/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/users_id_stores.html#wp1254965
  * ACS 4.x:
  http://www.cisco.com/en/US/customer/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2.1/User_Guide/UsrDb.html#wp354105
  As soon as the machine performs the 802.1x using the client credentials, the ACS will keep this info on a cache and it will match any further auth attempt (e.g. using the user credentials) for this client using the "Calling-Station-ID", so basically the client's MAC address.
  Depending on whether a client performed or not Machine Authentication before, you can decide whether to assign a sort of restricted access/guest VLAN or to deny access.
  If the personal client doesn't have a 802.1x supplicant at all, then you can decide to enable the guest vlan feature on the switch itself.
  I hope this helps.
  Regards,
  Federico
  If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.

• Is it possible to bypass JAAS authentication and use Authorisation alone?

  I have to implement jsp level security (by checking roles) for my JSF application.
  Authentications in my appln are done by a different servers. I don't want to disturb that.
  I have to implement authorisation alone using JAAS.
  Is it possible to bypass JAAS authentication and use Authorisation alone?
  I am using custom login module( implements DatabaseLoginModule) for authorisation.
  Moreover, after logging in, when a user tries to access a secured jsp page, he should NOT be redirected to login page again. Rather the role checks should be done using existing user credentials stored somewhere. How to invoke the custom DataBaseLoginModule without taking user to login screen?
  Any help would be great.
  Thanks,
  Adhil.J

  I have to implement jsp level security (by checking roles) for my JSF application.
  Authentications in my appln are done by a different servers. I don't want to disturb that.
  I have to implement authorisation alone using JAAS.
  Is it possible to bypass JAAS authentication and use Authorisation alone?
  I am using custom login module( implements DatabaseLoginModule) for authorisation.
  Moreover, after logging in, when a user tries to access a secured jsp page, he should NOT be redirected to login page again. Rather the role checks should be done using existing user credentials stored somewhere. How to invoke the custom DataBaseLoginModule without taking user to login screen?
  Any help would be great.
  Thanks,
  Adhil.J

• JAAS authentication with WebLogic 6 - "Invalid Configuration Class Name"

  For starters, I took the sample file examples.security.jaas.SampleConfig, changed the name and
  package, compiled, and copied it to the right place in the classes directory of the webapp project.
  The class is specified as a parameter in startWebLogic.cmd:
  -Dweblogic.security.jaas.Configuration="com.ww.opd.auth.JAASConfiguration"
  When a servlet attempts to get LoginContext, I get this error:
  "Invalid Configuration Class Name: com.ww.opd.auth.JAASConfiguration"
  The class file is definitely in the right place. What's the deal?
  Thanks,
  Rob

  Seems to be a ClassLoader problem. The sample is a client app, so no problem. But if you create
  a Configuration class to run on the server (to set up a LoginModule for authenticating clients)...
  I think what's happening is that the System class loader, using the CLASSPATH in the environment
  of the WebLogic server when it starts, attempts to load the Configuration class and can't (because it
  is in the CLASSPATH of the web app, not of the System class loader). If you add the Configuration
  class to the CLASSPATH of the WebLogic server, then it gets loaded but the LoginModule can't be
  found. If you add the LoginModule to the WebLogic server CLASSPATH, then any classes that it calls
  must also be in the WebLogic server CLASSPATH.
  Could someone from BEA please comment: is that the intention, that any classes used for JAAS
  authentication be part of the server's CLASSPATH, not part of the web application?
  Thanks,
  Rob
  "Rob Weltman" <[email protected]> wrote:
  >
  For starters, I took the sample file examples.security.jaas.SampleConfig, changed the name and
  package, compiled, and copied it to the right place in the classes directory of the webapp project.
  The class is specified as a parameter in startWebLogic.cmd:
  -Dweblogic.security.jaas.Configuration="com.ww.opd.auth.JAASConfiguration"
  When a servlet attempts to get LoginContext, I get this error:
  "Invalid Configuration Class Name: com.ww.opd.auth.JAASConfiguration"
  The class file is definitely in the right place. What's the deal?
  Thanks,
  Rob

• JAAS Authentication Programmatically

  On Web sphere I have defined a JAAS Authentication Entry with an Alias, Username and Password. There are 2 � 3 applications running on this instance of the server.
  From one of these applications I would like verify the username and password as in �JAAS Authentication Entry� programmatically.
  Is this possible? If so can you please help me with more details like:
  1.     Is there any change needed in the specific application�s web.xml to point at the JAAS security of the server.
  2.     Any specific JAVA API to access JAAS information (configured on server) from a java program.
  Thanks

  Yes - as long as it is serializable.

• Using Identity Server as a JAAS authentication provider

  My client wants to use Identity Server to provide JAAS authentication for the Java application they're developing.
  The JAAS tutorial shows how the name of the Java class that provides the authentication service is provided, then an instance of this class is instantiated and the .login method invoked to actually perform the authentication.
  The stated principle behind the tutorial is one of using a pluggable authentication framework, and one should not care how authentication is performed. As long as the callbacks to allow the authentication framework to ask for the credentials required, it should not matter.
  The example of how to do LDAP authentication using Identity server requires using some identity server classes. ie the com.sun.identity.authentication.AuthContext class. They specifically want to use pure JAAS authentication rather than creating a dependance in their application on Identity Server.
  Is a Java class available which provides this functionality?
  Thanks

  In Apache you can specify the authentication parameters in the virtual host configuration

• JAAS Authentication in WLS 7.0

  Hi,
  I have a problem trying to authenticate a user using JAAS in WLS 7.0: in the
  LoginModule I get a java.lang.IllegalAccessError:
  java.security.acl.NotOwnerException when invoke the
  weblogic.security.auth.Authenticate.authenticate(env, subject) method. The
  environment I define as follows:
  env.setProviderUrl("t3://localhost:7001");
  env.setSecurityPrincipal("testuser");
  env.setSecurityCredentials("testpassword");
  where testuser belongs to the group Administrators and I use it successfully
  for starting the server and manipulating the console.
  At the same time I successfully pass authentication as anonymous if I set
  only the provider URL.
  I would be very grateful for any information related to this problem.
  Vladimir

  Vladimir,
  The the first problem you're having here is that you seem to be using a
  depricated API. I can't tell from your description but I believe this API
  was intended for use only within the process space of a t3 client, so check
  your client's java security policy settings.
  Alex
  "Vladimir" <[email protected]> wrote in message
  news:[email protected]..
  Hi,
  I have a problem trying to authenticate a user using JAAS in WLS 7.0: inthe
  LoginModule I get a java.lang.IllegalAccessError:
  java.security.acl.NotOwnerException when invoke the
  weblogic.security.auth.Authenticate.authenticate(env, subject) method. The
  environment I define as follows:
  env.setProviderUrl("t3://localhost:7001");
  env.setSecurityPrincipal("testuser");
  env.setSecurityCredentials("testpassword");
  where testuser belongs to the group Administrators and I use itsuccessfully
  for starting the server and manipulating the console.
  At the same time I successfully pass authentication as anonymous if I set
  only the provider URL.
  I would be very grateful for any information related to this problem.
  Vladimir

• What's the point of Weblogic JAAS authentication?

  Hello, I'm looking into one way authentication using weblogic and JAAS,
  Weblogic say this is the preferred mechanism, however I can't see the
  advantages. My (ok, limited) understanding of it is thus:
  The advantage of JAAS is that you can specify different login modules to
  utilise different types of authentication. However authentication to a
  weblogic server will only work by calling
  weblogic.security.auth.Authenticate.authenticate (due to weblogic's own
  implementation of the javax.security.auth. classes), thus only one
  loginmodule is available.
  The ability to use different authentication types is provided by the
  application server by using/creating different realms. The client possibly
  being able to specify different authentication by one of the arguments to a
  custom realm(?).
  Thus why bother with JAAS seeing that it doesn't seem to offer anything
  extra over JNDI authentication and requires more code?
  Thanks, any ideas appreciated.
  Alan.

  Good point.
  "James" <[email protected]> wrote in message
  news:3c506266$[email protected]..
  This may not apply to you, but I have to consider the need to remain
  portable between different vendor's application servers. WebLogic's
  proprietary realm architecture makes it a pain to get up and going in a
  Websphere or a Oracle AS. So I see that as a major advantage.
  James
  Viewlocity, Inc.
  http://www.viewlocity.com
  "Alan Phillips" <alan.phillips@|remove|ftid.com> wrote in message
  news:[email protected]..
  Hello, I'm looking into one way authentication using weblogic and JAAS,
  Weblogic say this is the preferred mechanism, however I can't see the
  advantages. My (ok, limited) understanding of it is thus:
  The advantage of JAAS is that you can specify different login modules to
  utilise different types of authentication. However authentication to a
  weblogic server will only work by calling
  weblogic.security.auth.Authenticate.authenticate (due to weblogic's own
  implementation of the javax.security.auth. classes), thus only one
  loginmodule is available.
  The ability to use different authentication types is provided by the
  application server by using/creating different realms. The client
  possibly
  being able to specify different authentication by one of the argumentsto
  a
  custom realm(?).
  Thus why bother with JAAS seeing that it doesn't seem to offer anything
  extra over JNDI authentication and requires more code?
  Thanks, any ideas appreciated.
  Alan.

• Ignoring Http basic authentication header in wls 7.0.sp2 web service servlet (weblogic.webservice.server.servlet.WebServiceServlet)

  Hi!
  We need to implement authentication using our own methods, and the authentication
  information is provided to the web service implementation in a basic authentication
  header. The problem is, that the servlet
  weblogic.webservice.server.servlet.WebServiceServlet, which handles web services
  in
  wls 7.0.sp2, always attempts to perform authentication, if the header is present.
  Is there any way to circumvent this, because we want to implement authentication
  on our own?
  I already know two workarounds:
  The best would of course be to implement a custom security realm for our own
  authentication system. This is not an option, implementing an own security
  realm is overkill for this specific web service.
  The other way would be to route the requests by way of a custom servlet, which
  would
  remove the basic authentication header, and put the authentication info in custom
  headers, such as x-auth: <user:password>, or smthng similar, and after successful
  authentication, make a call to bea's servlet weblogic.webservice.server.servlet.WebServiceServlet.
  But still, I'd like to know if there is any way to tell bea's servlet to ignore
  the basic
  authentication header?
  Oh yeah, by the way, this is URGENT, as always. (really!! ;)
  Toni Nykanen

  Currently there is no option to turn off security check.
  I think you can use a servlet filter mapped to the URL
  of your service, instead of a proxy servlet?
  Regards,
  -manoj
  http://manojc.com
  "Toni Nykanen" <[email protected]> wrote in message
  news:3ef1577b$[email protected]..
  >
  Hi!
  We need to implement authentication using our own methods, and theauthentication
  information is provided to the web service implementation in a basicauthentication
  header. The problem is, that the servlet
  weblogic.webservice.server.servlet.WebServiceServlet, which handles webservices
  in
  wls 7.0.sp2, always attempts to perform authentication, if the header ispresent.
  Is there any way to circumvent this, because we want to implementauthentication
  on our own?
  I already know two workarounds:
  The best would of course be to implement a custom security realm for ourown
  authentication system. This is not an option, implementing an own security
  realm is overkill for this specific web service.
  The other way would be to route the requests by way of a custom servlet,which
  would
  remove the basic authentication header, and put the authentication info incustom
  headers, such as x-auth: <user:password>, or smthng similar, and aftersuccessful
  authentication, make a call to bea's servletweblogic.webservice.server.servlet.WebServiceServlet.
  >
  But still, I'd like to know if there is any way to tell bea's servlet toignore
  the basic
  authentication header?
  Oh yeah, by the way, this is URGENT, as always. (really!! ;)
  Toni Nykanen

• Problem with JAAS authentication using jboss client

  I'm trying to make a little compiled application works. It has two parts: a little client(one class) and a server part which runs on a jboss server, and comunicates between them using JAAS + SSL. It works perfectly alone if I run it in a java project, without the messing sap JAAS implementation.
  I followed all the steps in:
  https://websmp101.sap-ag.de/~sapidb/011000358700003517632004E.PDF
  and managed to apply the configuration into the security service of WAS, using <b>jboss-client.jar</b> as the library with the login module, and <b>org.jboss.security.ClientLoginModule</b> as the login module.
  I included the client class into a web service developed for my WAS, packing the class and its library plus jboss-client.jar into my EAR.
  But when it tries to do the authentication, sometimes it uses:
  <b>org.jboss.security.ClientLoginModule</b> (that's the correct class) but throws a "<b>User is locked</b>" exception.
  Have I need to create the user who I use to connect to jboss in my WAS UME ? This has no much sense. Anyway doesn't work either, and the user is not locked.
  Other times (withouth changing anything) it uses:
  <b>com.sap.engine.system.SystemLoginModule</b> and throws this exception:
  <b>com.sap.engine.services.security.exceptions.BaseLoginException</b>: Call logout before login
  I have nightmares trying to integrate things which works in every application server but WAS. Why couldn't they simply follow the standard!?
  I'm thinking in installing a tomcat with the client, and use axis to wrap it with a web service I can consume from my WAS. Not very elegant solution.
  I think it maybe has something to do with specific callback classes from sap implementation.
  Any idea? I can't go forward.

  Did you resolve this problem? Please let me know. I have the same issue now and don;t know what I should be doing next

• ISE Guest Authentication only with email address

  Hi,
  I want to know is there an option to use ONLY the email address as an authentication credential for Guest user authentication using Guest Protal and this should be done only with Self Registration not with Sponsored accounts.
  Appreciate if someone has done this and advise us how to achieve this.?
  thanks

  The exact scenario explained above is unachievable , however a little different from that can be achieved , see below
  New Features in Cisco ISE Version 1.2.0.899—Cumulative Patch 2
  Support for Guest Self-Registration Based on Email Domain Whitelist
  You can allow guests to create their own accounts by enabling the self-service feature by choosing: Administration  > Web Portal Management > Settings > Guest > Multi-Portal  Configurations > Operations > Guest users should be allowed to do  self service. When you enable this feature, the account credentials  display on the screen, and they are also emailed to the email address  used to create the account.
  You can restrict this feature by limiting guests' ability to create  their own accounts based on their email domain. By creating an email  domain whitelist, you can ensure that only guest users with email  accounts on those domains can create guest accounts.
  To prevent the account credentials from displaying on the screen, you  must create a custom portal when using an email domain whitelist. These  steps provide an overview:
  1. Create a custom portal, following these guidelines:
  –Add  a required email field and an acceptable use policy (AUP) page to the  Self-Registration html file. See the "Sample Code for Sponsor and Guest  Portal Customizations" appendix in the Cisco Identity Services Engine User Guide, Release 1.2 for a sample file.
  –Add  text to refer users to their email for their login credentials on the  Self-Registration Results html file. See the "Sample Code for Sponsor  and Guest Portal Customizations" appendix in the Cisco Identity Services Engine User Guide, Release 1.2 for a sample file.
  –Map the Login file to the Self-Registration page. See the "Mapping HTML Files to Guest Portal Pages" section in the Cisco Identity Services Engine User Guide, Release 1.2 for detailed instructions.
  2. Configure the SMTP server to support notifications (Administration > System > Settings > SMTP Server).
  3. Specify  the default e-mail address from which to send all guest notifications.  (Administration > System > Settings > SMTP Server and choose Use Default email address).
  4. Create the email domain whitelist. See the "Restricting Self-Registration Based on Email Domain" section.
  5. Customize the self-registration credentials email message. See the "Customizing the Self-Registration Credentials Email" section.
  6. Customize the self-registration failure message. See the "Customizing the Self-Registration Failure Message" section

• ISE machine authentication - only plug in to the network after booting

  Hi experts.
  I have recently deployed ISE with machine authentication. 
  However, when the machine is already plugged in to the switch before booting, the machine does not authenticate automatically. It isn't until I log on, using a local computer account, that 802.1X authentication occurs. Using wireshark, I have verified again that this authentication is MACHINE authentication, not user-authentication.
  Is there a way to solve this problem, other than having my users unplug their computer and only plug in to the network after booting?
  Eric

  Hi Vattulu,
    The method of machine access restriction will be used, because there is no a plan to use anyconnect NAM on the client environment, since the prerequisite for EAP-chaining is to use anyconnect.
  Regards,
  Eric

• JAAS-authentication to external secure system within EJB?

  I would like to write an EJB that accesses an external,
  non-WebLogic system that uses JAAS security. It looks like using
  plain vanilla JAAS client code would break some EJB programming rules.
  I need to pass credentials to this external system
  (private/public keys, etc.) that are on the filesystem.
  I see WL has "Credential Mapping" but couldn't really see how
  I'd use and implement this to authenticate to the external
  system.
  Any advice would be appreciated.
  -Rolf Arands

  one way, which I know that will work, is to run you JAAS code on some container. If authentication works, the code on you container forwards HTTP request to the WAS.
  The WAS must have a Trust association interceptor (TAI), written for you purpose. You container forwards the HTTP request with the authenticated userid in the request. The TAI intercepts the requests and pulls the authenticated userid from the request and returns the userid to the WAS security manager.
  I have created a small presentation that shows how security credentials is propagated to the WebLogic and WAS security managers. It can be found on my site.
  /Bo
  http://appliedcrypto.com