JAAS authentication with custom realm problem

I'm having this problem: I have a web application made with JSF running on Sun One Application Server 9, and I made a custom realm with JAAS so that the server handles the authentication, and it is working fine. The problem is that I want to load some info into the user's session after he has been authenticated, based on the username. But I have no clue how to do it, so I'll be very thankful if anybody can help me.

Did you resolve this problem? Please let me know. I have the same issue now and don't know what I should be doing next.
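One way to do what the question asks, as an added example that is not from the original thread: a servlet filter that runs after the container (the custom JAAS realm) has authenticated the request and caches a profile, keyed on the container-supplied username, in the HTTP session. The `UserProfile` class and the in-memory `STORE` lookup are assumptions standing in for the application's own data access; the `javax.servlet` API is the one Sun One Application Server 9 ships.

```java
import java.io.IOException;
import java.io.Serializable;
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/*
 * web.xml registration (Servlet 2.4 style), mapped over the protected paths:
 *   <filter>
 *     <filter-name>userProfile</filter-name>
 *     <filter-class>UserProfileFilter</filter-class>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>userProfile</filter-name>
 *     <url-pattern>/*</url-pattern>
 *   </filter-mapping>
 */
public class UserProfileFilter implements Filter {

    public static final String PROFILE_ATTR = "userProfile";

    /** Hypothetical per-user data the application wants in the session. */
    public static class UserProfile implements Serializable {
        public final String username;
        public final String displayName;
        public final String department;

        UserProfile(String username, String displayName, String department) {
            this.username = username;
            this.displayName = displayName;
            this.department = department;
        }
    }

    // Constructed sample data standing in for the realm's backing store.
    private static final Map<String, UserProfile> STORE = new HashMap<String, UserProfile>();
    static {
        STORE.put("alice", new UserProfile("alice", "Alice Example", "Finance"));
        STORE.put("bob", new UserProfile("bob", "Bob Example", "IT"));
    }

    public void init(FilterConfig config) throws ServletException {
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        // The container sets this only after the realm has authenticated the
        // user; it is the one trustworthy source of the username (never a
        // request parameter the client could choose).
        Principal principal = http.getUserPrincipal();
        if (principal != null) {
            HttpSession session = http.getSession(true);
            UserProfile cached = (UserProfile) session.getAttribute(PROFILE_ATTR);
            // Load on the first authenticated request, and reload if the
            // principal bound to this session changed, so a reused session
            // never carries another user's data.
            if (cached == null || !cached.username.equals(principal.getName())) {
                session.setAttribute(PROFILE_ATTR, loadProfile(principal.getName()));
            }
        }
        chain.doFilter(req, res);
    }

    public void destroy() {
    }

    /** Hypothetical lookup; an unknown user gets an empty profile, not null. */
    static UserProfile loadProfile(String username) {
        UserProfile p = STORE.get(username);
        return p != null ? p : new UserProfile(username, username, "");
    }
}
```

Invalidate the session on logout so the cached profile is discarded together with the authenticated principal.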

Similar Messages

  • JAAS authentication with WebLogic 6 - "Invalid Configuration Class Name"

    For starters, I took the sample file examples.security.jaas.SampleConfig, changed the name and
    package, compiled, and copied it to the right place in the classes directory of the webapp project.
    The class is specified as a parameter in startWebLogic.cmd:
    -Dweblogic.security.jaas.Configuration="com.ww.opd.auth.JAASConfiguration"
    When a servlet attempts to get LoginContext, I get this error:
    "Invalid Configuration Class Name: com.ww.opd.auth.JAASConfiguration"
    The class file is definitely in the right place. What's the deal?
    Thanks,
    Rob

    Seems to be a ClassLoader problem. The sample is a client app, so no problem. But if you create
    a Configuration class to run on the server (to set up a LoginModule for authenticating clients)...
    I think what's happening is that the System class loader, using the CLASSPATH in the environment
    of the WebLogic server when it starts, attempts to load the Configuration class and can't (because it
    is in the CLASSPATH of the web app, not of the System class loader). If you add the Configuration
    class to the CLASSPATH of the WebLogic server, then it gets loaded but the LoginModule can't be
    found. If you add the LoginModule to the WebLogic server CLASSPATH, then any classes that it calls
    must also be in the WebLogic server CLASSPATH.
    Could someone from BEA please comment: is that the intention, that any classes used for JAAS
    authentication be part of the server's CLASSPATH, not part of the web application?
    Thanks,
    Rob

  • AD Machine Authentication with Cisco ISE problem

    Hi Experts,
    I am new to ISE. I have configured ISE & domain computers for PEAP authentication. Initially the machine gets authenticated and then it starts going to MAB.
    Authentication policy:
    Allowed protocol = PEAP & TLS
    Authorization Policy:
    Condition for computer to be checked in external identity store (AD) = Permit access
    Condition for users to be checked in external identity store (AD) plus WasMachineAuthenticated = permit access
    All of the above policies do match and download the ACL from ISE, but the computer starts MAB authentication again...
    Switchport configuration:
    ===============================================
    ip access-list extended ACL-DEFAULT
    remark Allow DHCP
    permit udp any eq bootpc any eq bootps
    remark Allow DNS
    permit udp any any eq domain
    permit ip any host (AD)
    permit icmp any any
    permit ip any host (ISE-1)
    permit ip any host  (ISE-2)
    permit udp any host (CUCM-1) eq tftp
    permit udp any host (CUCM-2) eq tftp
    deny ip any any
    ===============================================
    switchport config
    ===============================================
    Switchport Access vlan 10
    switchport mode access
    switchport voice vlan 20
    ip access-group ACL-DEFAULT in
    authentication open
    authentication event fail action next-method
    authentication event server dead action authorize vlan 1
    authentication event server alive action reinitialize
    authentication host-mode multi-domain
    authentication order dot1x mab
    authentication priority dot1x mab
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    authentication timer inactivity 180
    authentication violation restrict
    mab
    dot1x pae authenticator
    dot1x timeout tx-period 100
    ====================================================
    One more problem, about "authentication open" and the default ACL: once the authentication succeeds and the per-user ACL is pushed through ISE to the switch, the default ACL still blocks communication on this switchport.
    Your help will be highly appreciated.
    Regards,

    You need to watch the switch during an authentication, see if the machine is passing authentication and the user may be failing authentication, causing the switch to fail over to MAB.  If your switch configuration is on auth failure continue to next method, then this makes sense.  The question is why is the user failing auth but the machine is passing; could be something in the policy.  Make sure your AD setup has machine authentication checked or it may not tie the machine and user auth together, and the user may be failing because ISE can't make that relationship, so the machinewasauth=true is not being matched.  Easy way to check is remove that rule from your policy and see if the same thing happens.
    I've also seen this happen when clients want to use EAP-TLS on the wired side: the machine passes auth, then the user logs into a machine for the first time.  The user auth kicks off before the user gets a cert and fails auth with a null certificate; since this is an auth failure the switchport kicks over to MAB.
    I don't think wasmachineauth=true is that great; I prefer to use EAP-FASTv2 using Cisco AnyConnect NAM with EAP chaining.  This is great because you can do two-part authentication: EAP-FAST outer with EAP-TLS inner for the machine auth, and MSCHAPv2 for the inner of the user auth. You get your EAP-TLS auth for the machine and don't have to worry about a user logging into a machine for the first time and switching to MAB because the user doesn't have a cert yet.  I also do my rule to say if machine pass and user fail, then workstation policy; if machine and user pass, then corp policy.

  • Web authentication with Radius server problem

    Hello,
    I'm having a problem web-authenticating users via a RADIUS server for one WLC. Here is the output from the WLC:
    *emWeb: Mar 26 14:17:31.537: 20:7d:xx:xx:d8:f0 Username entry (aaaaaa) created for mobile, length = 7
    *emWeb: Mar 26 14:17:31.537: 20:7d:xx:xx:d8:f0 Username entry (aaaaaa) created in mscb for mobile, length = 7
    *aaaQueueReader: Mar 26 14:17:31.537: Unable to find requested user entry for aaaaaa
    *aaaQueueReader: Mar 26 14:17:31.537: ReProcessAuthentication previous proto 8, next proto 1
    *aaaQueueReader: Mar 26 14:17:31.537: AuthenticationRequest: 0x1e08eb94
    *aaaQueueReader: Mar 26 14:17:31.538:   Callback.....................................0x10908d90
    *aaaQueueReader: Mar 26 14:17:31.538:   protocolType.................................0x00000001
    *aaaQueueReader: Mar 26 14:17:31.538:   proxyState...................................20:7D:xx:xx:D8:F0-00:00
    *aaaQueueReader: Mar 26 14:17:31.538:   Packet contains 11 AVPs (not shown)
    *aaaQueueReader: Mar 26 14:17:31.538: apfVapRadiusInfoGet: WLAN(1) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0
    *aaaQueueReader: Mar 26 14:17:31.538: 20:7d:xx:xx:d8:f0 Successful transmission of Authentication Packet (id 67) to 10.xx.33.249:1645, proxy state 20:7d:xx:xx:d8:f0-00:01
    *radiusTransportThread: Mar 26 14:17:31.603: ****Enter processIncomingMessages: response code=3
    *radiusTransportThread: Mar 26 14:17:31.603: ****Enter processRadiusResponse: response code=3
    *radiusTransportThread: Mar 26 14:17:31.603: 20:7d:xx:xx:d8:f0 Access-Reject received from RADIUS server 10.xx.33.249 for mobile 20:7d:xx:xx:d8:f0 receiveId = 0
    *radiusTransportThread: Mar 26 14:17:31.603: ReProcessAuthentication previous proto 1, next proto 2
    *radiusTransportThread: Mar 26 14:17:31.603: AuthenticationRequest: 0x1da9fa4c
    *radiusTransportThread: Mar 26 14:17:31.603:    Callback.....................................0x10908d90
    *radiusTransportThread: Mar 26 14:17:31.603:    protocolType.................................0x00000002
    *radiusTransportThread: Mar 26 14:17:31.603:    proxyState...................................20:7D:xx:xx:D8:F0-00:00
    *radiusTransportThread: Mar 26 14:17:31.603:    Packet contains 11 AVPs (not shown)
    *radiusTransportThread: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 Returning AAA Error 'No Server' (-7) for mobile 20:7d:xx:xx:d8:f0
    *radiusTransportThread: Mar 26 14:17:31.605: AuthorizationResponse: 0x2dd03648
    *radiusTransportThread: Mar 26 14:17:31.605:    structureSize................................32
    *radiusTransportThread: Mar 26 14:17:31.605:    resultCode...................................-7
    *radiusTransportThread: Mar 26 14:17:31.605:    protocolUsed.................................0x00000002
    *radiusTransportThread: Mar 26 14:17:31.605:    proxyState...................................20:7D:xx:xx:D8:F0-00:00
    *radiusTransportThread: Mar 26 14:17:31.605:    Packet contains 0 AVPs:
    *emWeb: Mar 26 14:17:31.605: Authentication failed for aaaaaa
    *emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 Username entry deleted for mobile
    *emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 Plumbing web-auth redirect rule due to user logout
    *emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 192.168.1.61 WEBAUTH_REQD (8) Deleting mobile policy rule 42461
    *emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 Adding Web RuleID 42464 for mobile 20:7d:xx:xx:d8:f0
    *emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 Web Authentication failure for station
    *emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 192.168.1.61 WEBAUTH_REQD (8) Reached ERROR: from line 5069
    That was pretty clear to me: RADIUS is refusing to give the user access.
    Fully-Qualified-User-Name = NMEA\aaaaaa
    NAS-IP-Address = 10.xx.9.20
    NAS-Identifier = xxxxx-lwc10
    Called-Station-Identifier = 10.xx.9.20
    Calling-Station-Identifier = 192.168.1.61
    Client-Friendly-Name = YYY10.xx
    Client-IP-Address = 10.xx.9.20
    NAS-Port-Type = Wireless - IEEE 802.11
    NAS-Port = 13
    Proxy-Policy-Name = Use Windows authentication forall users
    Authentication-Provider = Windows
    Authentication-Server = <undetermined>
    Policy-Name = YYYYY Wireless Users
    Authentication-Type = PAP
    EAP-Type = <undetermined>
    Reason-Code = 66
    Reason = The user attempted to use an authentication method that is not enabled on the matching remote access policy
    That output is from WLC 5508 version 7.0.235.
    What is strange is that the user was able to authenticate before the refresh, from the other WLC 4402 ver 4.2.207. I cannot change the WLC because of APs which cannot run the old version.
    This is the output from a working client connection from the old WLC:
    NAS-IP-Address = 10.xx.9.13
    NAS-Identifier = xxxxx-lwc03
    Client-Friendly-Name = YYY10.46
    Client-IP-Address = 10.xx.9.13
    Calling-Station-Identifier = 192.168.19.246
    NAS-Port-Type = <not present>
    NAS-Port = <not present>
    Proxy-Policy-Name = Use Windows authentication for all users
    Authentication-Provider = Windows
    Authentication-Server = <undetermined>
    Policy-Name = YYYYY Wireless Guest Access
    Authentication-Type = PAP
    EAP-Type = <undetermined>
    I know a different Policy Name is used, but my question is why it is not using the same one as on the old WLC when the configuration is the same.
    Is there any way I can force users to use a different policy from the WLC or AP configuration, or is this solely the configuration of RADIUS?
    Is it maybe a problem of version 7.0.235?
    Any thoughts would be much appreciated.

    Scott,
    You are probably right. The condition that is checked for the first policy name (we have 2) is to match
    NAS-Port-Type = Wireless - IEEE 802.11, and this is basically used to differentiate guests from other company users.
    As you can see from the logs, the one that is working correctly is not sending NAS-Port-Type. The question is why.
    As I said before:
    WLC 5508 ver. 7.0.235 is sending NAS-Port-Type
    WLC 4402 ver. 4.2.207 is not.
    The same user was working OK on the 4402 WLC and after the refresh and associating APs to the 5508 it all broke, so the client did not change anything on the adapter.

  • ASA 8.2(1) WEBVPN ntlm authentication with internal sharepoint problem

    I have added the internal SharePoint site as an SSL VPN bookmark and set up all the required permissions, but after the user enters his credentials in the web authentication form, the connection with the server is reset. When I used Wireshark to sniff the traffic from the ASA to the SharePoint server I found that the ASA does not send the NTLMSSP_AUTH User request.

    Hi Oscar,
    That's the reason why I requested that information.
    Remember that we strongly encourage you to upgrade to a fully tested Maintenance or Feature release when it becomes available.
    For instance, the release notes for 8.2.x do mention SharePoint 2007, but not 2010. On the other hand, the specific release notes for 8.2.5 include information about 2010; please be aware of this bug:
    CSCtn99416
    WebVPN: Dropdown menu doesn't work in customized SharePoint 2010
    I am glad to know you fix the issue by upgrading the ASA to 8.2(5).
    Please mark this post as answered and rate any helpful posts
    Portu

  • I have a problem with JDBC Realm in Tomcat/Oracle/Win XP

    I have a problem with JDBC Realm in Tomcat.
    I have attached my server.xml file located in the
    C:\Program Files\Apache Software Foundation\Tomcat 5.5\conf\server.xml
    The problem is that when I log in I get the user name and password prompt, but it does not resolve.
    When I enter the password in tomcat-users.xml with the memory realm uncommented, it works fine.
    C:\Program Files\Apache Software Foundation\Tomcat 5.5\conf\tomcat-users.xml
    Is there a cache or something I need to reset for the JDBC Realm to work?
    I have attached my tables and contents as well...
    Did I miss something????
    Thanks
    Phil
    server.xml
    <Server port="8005" shutdown="SHUTDOWN">
    <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
    <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
    <Listener className="org.apache.catalina.storeconfig.StoreConfigLifecycleListener"/>
    <!-- Global JNDI resources -->
    <GlobalNamingResources>
    <!-- Test entry for demonstration purposes -->
    <Environment name="simpleValue" type="java.lang.Integer" value="30"/>
    </GlobalNamingResources>
    <!-- Define the Tomcat Stand-Alone Service -->
    <Service name="Catalina">
    <!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
    <Connector
    port="8080" maxHttpHeaderSize="8192"
    maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
    enableLookups="false" redirectPort="8443" acceptCount="100"
    connectionTimeout="20000" disableUploadTimeout="true" />
    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009"
    enableLookups="false" redirectPort="8443" protocol="AJP/1.3" />
    <!-- Define the top level container in our container hierarchy -->
    <Engine name="Catalina" defaultHost="localhost">
    <!--
    <Realm className="org.apache.catalina.realm.MemoryRealm" />
    -->
    <Realm className="org.apache.catalina.realm.JDBCRealm"
    driverName="oracle.jdbc.driver.OracleDriver"
    connectionURL="jdbc:oracle:thin:@localhost:1521:orcl"
    connectionName="testName" connectionPassword="testPass"
    userTable="users"
    userNameCol="user_name"
    userCredCol="user_pass"
    userRoleTable="user_roles"
    roleNameCol="role_name" />
    <!-- Define the default virtual host
    Note: XML Schema validation will not work with Xerces 2.2.
    -->
    <Host name="localhost" appBase="webapps"
    unpackWARs="true" autoDeploy="true"
    xmlValidation="false" xmlNamespaceAware="false">
    </Host>
    </Engine>
    </Service>
    </Server>
    Tables
    create table users (
        user_name varchar(15) not null primary key,
        user_pass varchar(15) not null
    );
    create table roles (
        role_name varchar(15) not null primary key
    );
    create table user_roles (
        user_name varchar(15) not null,
        role_name varchar(15) not null,
        primary key( user_name, role_name )
    );
    select * from users;
    +-----------+-----------+
    | user_name | user_pass |
    +-----------+-----------+
    | tomcat    | tomcat    |
    | user1     | tomcat    |
    | user2     | tomcat    |
    | user3     | tomcat    |
    +-----------+-----------+
    select * from roles;
    +-----------+
    | role_name |
    +-----------+
    | tomcat    |
    | role1     |
    +-----------+
    select * from user_roles;
    +-----------+-----------+
    | role_name | user_name |
    +-----------+-----------+
    | tomcat    | user1     |
    | role1     | user2     |
    | tomcat    | tomcat    |
    | role1     | tomcat    |
    +-----------+-----------+

    Jan 2, 2008 11:49:35 AM org.apache.coyote.http11.Http11Protocol init
    INFO: Initializing Coyote HTTP/1.1 on http-8080
    Jan 2, 2008 11:49:35 AM org.apache.catalina.startup.Catalina load
    INFO: Initialization processed in 734 ms
    Jan 2, 2008 11:49:35 AM org.apache.catalina.core.StandardService start
    INFO: Starting service Catalina
    Jan 2, 2008 11:49:35 AM org.apache.catalina.core.StandardEngine start
    INFO: Starting Servlet Engine: Apache Tomcat/5.5.9
    Jan 2, 2008 11:49:35 AM org.apache.catalina.realm.JDBCRealm start
    SEVERE: Exception opening database connection
    java.sql.SQLException: oracle.jdbc.driver.OracleDriver
         at org.apache.catalina.realm.JDBCRealm.open(JDBCRealm.java:684)
         at org.apache.catalina.realm.JDBCRealm.start(JDBCRealm.java:758)
         at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1004)
         at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:442)
         at org.apache.catalina.core.StandardService.start(StandardService.java:450)
         at org.apache.catalina.core.StandardServer.start(StandardServer.java:683)
         at org.apache.catalina.startup.Catalina.start(Catalina.java:537)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:585)
         at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:271)
         at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:409)
    Jan 2, 2008 11:49:35 AM org.apache.catalina.core.StandardHost start
    INFO: XML validation disabled
    Jan 2, 2008 11:49:36 AM org.apache.catalina.core.StandardContext resourcesStart

  • JAAS authentication is not working with IIOP and wlclient.jar

    Hi,
    I'm currently working on a remote client that requires authentication with JAAS.
    The Application server is Weblogic 9.2 MP1.
    The client is deployed with wlclient.jar and the used protocol is iiop.
    I'm also using the default UsernamePasswordLoginModule module for authentication.
    The LoginContext.login goes smoothly but the Principal Set in the obtained Subject object is empty!
    Using the same code with weblogic.jar and t3 protocol the principals are filled(i.e. I can see the groups where the involved user is member).
    Any suggestions ??
    regards,
    Luca

    So, when you execute this, where exactly does it crash/stop, or what is the output you get from those dbms_output lines? Do you know the output of memberOf and are you sure that things will match?

  • I have a very similar problem (5506) in that I changed my appleID loginid and now none of my home shares work. All itunes have been re-authorized/authenticated with the new appleID string. Yet I still receive this error. I too am looking for suggestions.

    I have a very similar problem in that I changed my appleID loginid and now none of my home shares work (5506) . All itunes have been re-authorized/authenticated with the new appleID string. Yet I still receive this error. I too am looking for suggestions.

    If you no longer have the computer(s) you want to deauthorise,
    Log in to iTunes,  go to "view your account info" on the itunes store,  deauthorise all five, (Please Note: this can only be done Once every 12 months)  and then re-authorize your current Computer(s) one at a time.
    Authorise / Deauthorise About
    http://support.apple.com/kb/HT1420

  • Integrating RADIUS authentication with JAAS ???

    Hi,
    I have username/password JAAS authentication in my application.
    Now I have to support RADIUS authentication on top of the existing username/password authenticaiton.
    I am in the process of defining a login module for RADIUS.
    Is there any opensource login module existing for RADIUS ??
    After defining the RADIUS login module where to configure the multiple authentication policies ??
    Thanks,
    Dyanesh.

    This sample configuration shows how to set up a remote access VPN connection between a Cisco VPN Client (4.x for Windows) and the PIX 500 Series Security Appliance 7.x using a Cisco Secure Access Control Server (ACS version 3.2) for extended authentication (Xauth).
    http://cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008080f2d1.shtml

  • ClassCircularityError in JAAS Authorization with Weblogic Server 10.3

    We are implementing JAAS authorization in which roles and policies are stored in a custom JAAS policy file and users are stored in the embedded LDAP server provided by Weblogic. We are facing problem is authorizing users using the custom policy created.
    We have implemented the JAAS authentication service with weblogic server 10g R3 and user's information stored in embedded LDAP server provided WLS. Given below are the details of implementation for JAAS Authorization:
    Following are the custom classes created:
    1. Custom Principal Class
    public class Principal implements java.security.Principal, java.io.Serializable {
        private String name;
        public Principal() {
            name = "";
        }
        public Principal(String newName) {
            name = newName;
        }
        public boolean equals(Object o) {
            if (o == null)
                return false;
            if (this == o)
                return true;
            if (o instanceof Principal) {
                if (((Principal) o).getName().equals(name))
                    return true;
                else
                    return false;
            } else
                return false;
        }
        public int hashCode() {
            return name.hashCode();
        }
        public String toString() {
            return name;
        }
        public String getName() {
            return name;
        }
    }
    2. Custom Permission Class
    import java.security.Permission;

    public class ActionPermission extends Permission {
        public ActionPermission(String name) {
            super(name);
        }
        @Override
        public boolean equals(Object obj) {
            if ((obj instanceof ActionPermission)
                    && ((ActionPermission) obj).getName().equals(this.getName())) {
                return true;
            } else {
                return false;
            }
        }
        @Override
        public String getActions() {
            return "";
        }
        @Override
        public int hashCode() {
            return this.getName().hashCode();
        }
        @Override
        public boolean implies(Permission permission) {
            if (!(permission instanceof ActionPermission)) {
                return false;
            }
            String thisName = this.getName();
            String permName = permission.getName();
            // "*" grants every action
            if (this.getName().equals("*")) {
                return true;
            }
            // Trailing wildcard: "view*" implies "viewScreen"
            if (thisName.endsWith("*")
                    && permName.startsWith(thisName.substring(0, thisName.lastIndexOf("*")))) {
                return true;
            }
            if (thisName.equals(permName)) {
                return true;
            }
            return false;
        }
    }
    Following are the configuration changes:
    1. Added custom policy to weblogic.policy.
    grant Principal com.scotia.security.authorization.Principal "test" <User defined in the embedded LDAP server of WLS> {
        permission com.scotia.security.authorization.permission.ActionPermission "viewScreen";
    };
    2. Set the java security manager in startWeblogic.cmd file.
    %JAVA_HOME%\bin\java %JAVA_VM% %MEM_ARGS% %JAVA_OPTIONS% -Dweblogic.Name=%SERVER_NAME% -Djava.security.manager -Djava.security.policy=%WL_HOME%\server\lib\weblogic.policy %PROXY_SETTINGS% %SERVER_CLASS%
    3. Set Realm "Security Model" to "Custom Roles and Policies".
    Right now we are facing the given below exception:
    java.lang.ClassCircularityError: com/scotia/security/authorization/THORPrincipal
         at java.lang.Class.forName0(Native Method)
         at java.lang.Class.forName(Class.java:247)
         at sun.security.provider.PolicyFile.addPermissions(PolicyFile.java:1381)
         at sun.security.provider.PolicyFile.getPermissions(PolicyFile.java:1268)
         at sun.security.provider.PolicyFile.getPermissions(PolicyFile.java:1231)
         at sun.security.provider.PolicyFile.getPermissions(PolicyFile.java:1167)
         at sun.security.provider.PolicyFile.implies(PolicyFile.java:1122)
         at weblogic.security.service.WLSPolicy.implies(Unknown Source)
         at java.security.ProtectionDomain.implies(ProtectionDomain.java:213)
         at java.security.AccessControlContext.checkPermission(AccessControlContext.java:301)
         at java.security.AccessController.checkPermission(AccessController.java:546)
         at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
         at java.lang.SecurityManager.checkRead(SecurityManager.java:871)
         at java.io.File.exists(File.java:731)
         at weblogic.utils.classloaders.DirectoryClassFinder.getSource(DirectoryClassFinder.java:36)
    Please help if anyone has some clue regarding this exception. We tried checking the jdk version used by eclipse and weblogic and found it to be same.

    1. Custom Principal Class
    public class Principal implements java.security.Principal, java.io.Serializable {
    Rename it. You are asking for trouble naming a class after an interface it implements.
    java.lang.ClassCircularityError: com/scotia/security/authorization/THORPrincipal
    What's that class? You haven't shown us.

  • Kerberos authentication with Active Directory

    I have tried using JAAS to authenticate to MS Active Directory and keep getting "javax.security.auth.login.LoginException: Pre-Authentication Information was invalid"
    I have tried authenticating with multiple user accounts and on three different realms (Active Directory domains).
    How do I need to format the username? I know that when using JNDI to access Active Directory I have to use the format "[email protected]" or the RDN. I have tried it both ways with JAAS kerberos authentication as well as with just the username by itself. I don't think that the username format is the problem though because if I set the account lockout policy to 5 failed attempts, sure enough my account will be locked out after running my code 5 times. If I give a username that doesn't exist in Active Directory I get the error "javax.security.auth.login.loginexception: Client not found in Kerberos database" Is there something special that I have to do to the password?
    I know that there is just something stupid that I'm missing. Here is the simplest example of code that I'm working with:
    import java.io.*;
    import javax.security.auth.callback.*;
    import javax.security.auth.login.*;
    import javax.security.auth.Subject;
    import com.sun.security.auth.callback.TextCallbackHandler;
    public class krb5ADLogin1 {
        public static void main(String[] args) {
            LoginContext lc = null;
            try {
                lc = new LoginContext("krb5ADLogin1", new TextCallbackHandler());
                lc.login();
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
    }
    Here is my config file:
    krb5ADLogin1 {
        com.sun.security.auth.module.Krb5LoginModule required;
    };
    The command I use to start the program is:
    java -Djava.security.krb5.realm=mydomain.com
    -Djava.security.krb5.kdc=DomainController.mydomain.com
    -Djava.security.auth.login.config=sample.conf krb5ADLogin1

    Hi there ... the Sun web site has the following snippet:
    http://java.sun.com/j2se/1.4/docs/guide/security/jgss/tutorials/Troubleshooting.html
    + javax.security.auth.login.LoginException: KrbException::
    Pre-authentication information was invalid (24) - Preauthentication failed
    Cause 1: The password entered is incorrect.
    Solution 1: Verify the password.
    Cause 2: If you are using the keytab to get the key (e.g., by
    setting the useKeyTab option to true in the Krb5LoginModule entry
    in the JAAS login configuration file), then the key might have
    changed since you updated the keytab.
    Solution 2: Consult your Kerberos documentation to generate a new
    keytab and use that keytab.
    Cause 3: Clock skew - If the time on the KDC and on the client
    differ significanlty (typically 5 minutes), this error can be
    returned.
    Solution 3: Synchronize the clocks (or have a system administrator
    do so).
    Good luck,
    -Derek

  • Client certificate authentication with custom authorization for J2EE roles?

    We have a Java application deployed on Sun Java Web Server 7.0u2 where we would like to secure it with client certificates, and a custom mapping of subject DNs onto J2EE roles (e.g., "visitor", "registered-user", "admin"). If we our web.xml includes:
    <login-config>
        <auth-method>CLIENT-CERT</auth-method>
        <realm-name>certificate</realm-name>
    </login-config>
    that will enforce that only users with valid client certs can access our app, but I don't see any hook for mapping different roles. Is there one? Can anyone point to documentation, or an example?
    On the other hand, if we wanted to create a custom realm, the only documentation I have found is the sample JDBCRealm, which includes extending IASPasswordLoginModule. In our case, we wouldn't want to prompt for a password, we would want to examine the client certificate, so we would want to extend some base class higher up the hierarchy. I'm not sure whether I can provide any class that implements javax.security.auth.spi.LoginModule, or whether the WebServer requires it to implement or extend something more specific. It would be ideal if there were an IASCertificateLoginModule that handled the certificate authentication, and allowed me to access the subject DN info from the certificate (e.g., thru a javax.security.auth.Subject) and cache group info to support a specialized IASRealm::getGroupNames(string user) method for authorization. In a case like that, I'm not sure whether the web.xml should be:
    <login-config>
        <auth-method>CLIENT-CERT</auth-method>
        <realm-name>MyRealm</realm-name>
    <login-config>or:
    <login-config>
        <auth-method>MyRealm</auth-method>
    <login-config>Anybody done anything like this before?
    --Thanks

    We have JDBCRealm.java and JDBCLoginModule.java in <ws-install-dir>/samples/java/webapps/security/jdbcrealm/src/samples/security/jdbcrealm. I think we need to tweak it to suit our needs:
    $cat JDBCRealm.java
    /**
     * JDBCRealm for supporting RDBMS authentication.
     * <P>This login module provides a sample implementation of a custom realm.
     * You may use this sample as a template for creating alternate custom
     * authentication realm implementations to suit your applications needs.
     * <P>In order to plug in a realm into the server you need to
     * implement both a login module (see JDBCLoginModule for an example)
     * which performs the authentication and a realm (as shown by this
     * class) which is used to manage other realm operations.
     * <P>A custom realm should implement the following methods:
     * <ul>
     *  <li>init(props)
     *  <li>getAuthType()
     *  <li>getGroupNames(username)
     * </ul>
     * <P>IASRealm and other classes and fields referenced in the sample
     * code should be treated as opaque undocumented interfaces.
     */
    final public class JDBCRealm extends IASRealm {
        protected void init(Properties props)
            throws BadRealmException, NoSuchRealmException { ... }
        public java.util.Enumeration getGroupNames (String username)
            throws InvalidOperationException, NoSuchUserException { ... }
        public void setGroupNames(String username, String[] groups) { ... }
    }
    and
    $cat JDBCLoginModule.java
    /**
     * JDBCRealm login module.
     * <P>This login module provides a sample implementation of a custom realm.
     * You may use this sample as a template for creating alternate custom
     * authentication realm implementations to suit your applications needs.
     * <P>In order to plug in a realm into the server you need to implement
     * both a login module (as shown by this class) which performs the
     * authentication and a realm (see JDBCRealm for an example) which is used
     * to manage other realm operations.
     * <P>The PasswordLoginModule class is a JAAS LoginModule and must be
     * extended by this class. PasswordLoginModule provides internal
     * implementations for all the LoginModule methods (such as login(),
     * commit()). This class should not override these methods.
     * <P>This class is only required to implement the authenticate() method as
     * shown below. The following rules need to be followed in the implementation
     * of this method:
     * <ul>
     *  <li>Your code should obtain the user and password to authenticate from
     *       _username and _password fields, respectively.
     *  <li>The authenticate method must finish with this call:
     *      return commitAuthentication(_username, _password, _currentRealm,
     *      grpList);
     *  <li>The grpList parameter is a String[] which can optionally be
     *      populated to contain the list of groups this user belongs to
     * </ul>
     * <P>The PasswordLoginModule, AuthenticationStatus and other classes and
     * fields referenced in the sample code should be treated as opaque
     * undocumented interfaces.
     * <P>Sample setting in server.xml for JDBCLoginModule
     * <pre>
     *    <auth-realm name="jdbc" classname="samples.security.jdbcrealm.JDBCRealm">
     *      <property name="dbdrivername" value="com.pointbase.jdbc.jdbcUniversalDriver"/>
     *       <property name="jaas-context"  value="jdbcRealm"/>
     *    </auth-realm>
     * </pre>
     */
    public class JDBCLoginModule extends PasswordLoginModule {
        protected AuthenticationStatus authenticate()
            throws LoginException { ... }
        private String[] authenticate(String username, String passwd) { ... }
        private Connection getConnection() throws SQLException { ... }
    }
    One more article: [http://developers.sun.com/appserver/reference/techart/as8_authentication/]
    You can try to extend "com/iplanet/ias/security/auth/realm/certificate/CertificateRealm.java"
    [http://fisheye5.cenqua.com/browse/glassfish/appserv-core/src/java/com/sun/enterprise/security/auth/realm/certificate/CertificateRealm.java?r=SJSAS_9_0]
    $cat CertificateRealm.java
    package com.iplanet.ias.security.auth.realm.certificate;
    /**
     * Realm wrapper for supporting certificate authentication.
     * <P>The certificate realm provides the security-service functionality
     * needed to process a client-cert authentication. Since the SSL processing,
     * and client certificate verification is done by NSS, no authentication
     * is actually done by this realm. It only serves the purpose of being
     * registered as the certificate handler realm and to service group
     * membership requests during web container role checks.
     * <P>There is no JAAS LoginModule corresponding to the certificate
     * realm. The purpose of a JAAS LoginModule is to implement the actual
     * authentication processing, which for the case of this certificate
     * realm is already done by the time execution gets to Java.
     * <P>The certificate realm needs the following properties in its
     * configuration: None.
     * <P>The following optional attributes can also be specified:
     * <ul>
     *   <li>assign-groups - A comma-separated list of group names which
     *       will be assigned to all users who present a cryptographically
     *       valid certificate. Since groups are otherwise not supported
     *       by the cert realm, this allows grouping cert users
     *       for convenience.
     * </ul>
     */
    public class CertificateRealm extends IASRealm {
        protected void init(Properties props) { ... }
        /**
         * Returns the name of all the groups that this user belongs to.
         * @param username Name of the user in this realm whose group listing
         *     is needed.
         * @return Enumeration of group names (strings).
         * @exception InvalidOperationException thrown if the realm does not
         *     support this operation - e.g. Certificate realm does not support
         *     this operation.
         */
        public Enumeration getGroupNames(String username)
            throws NoSuchUserException, InvalidOperationException { ... }
        /**
         * Complete authentication of certificate user.
         * <P>As noted, the certificate realm does not do the actual
         * authentication (signature and cert chain validation) for
         * the user certificate, this is done earlier in NSS. This default
         * implementation does nothing. The call has been preserved from S1AS
         * as a placeholder for potential subclasses which may take some
         * action.
         * @param certs The array of certificates provided in the request.
         */
        public void authenticate(X509Certificate certs[])
            throws LoginException {
            // Set up SecurityContext, but that is not applicable to S1WS..
        }
    }
    Edited by: mv on Apr 24, 2009 7:04 AM
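    The realm the question asks for, written here as an added example (it is not the server's sample code and not from this thread): a CertificateRealm subclass that maps canonicalised certificate subject DNs to groups, so that CLIENT-CERT with <realm-name>MyRealm</realm-name> in web.xml yields per-user groups for the container's role checks instead of the one-size-fits-all assign-groups list. Everything beyond the three method signatures quoted above is an assumption: the package of the exception classes, the "dn-groups" property and its format, and that the container hands getGroupNames() the certificate subject DN as the user name.

```java
package samples.security.certmap; // hypothetical package, not part of the server samples

import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Properties;
import javax.security.auth.login.LoginException;
import javax.security.auth.x500.X500Principal;

// Assumed: the exception classes live in the realm package of the com.iplanet.ias
// tree that S1WS 7 ships; adjust the imports to the server's actual classes.
import com.iplanet.ias.security.auth.realm.BadRealmException;
import com.iplanet.ias.security.auth.realm.InvalidOperationException;
import com.iplanet.ias.security.auth.realm.NoSuchRealmException;
import com.iplanet.ias.security.auth.realm.NoSuchUserException;
import com.iplanet.ias.security.auth.realm.certificate.CertificateRealm;

/**
 * Maps client-certificate subject DNs to groups. web.xml uses CLIENT-CERT with
 * this realm; the deployment descriptor then maps J2EE roles onto these groups.
 */
public class DnMappingCertificateRealm extends CertificateRealm {

    /** Realm property (this example's own name): "group|RFC2253 DN;group|RFC2253 DN;..." */
    static final String DN_GROUPS_PROP = "dn-groups";

    /** canonical subject DN -> groups, built once from the realm configuration */
    private final Map<String, List<String>> enrolled = new HashMap<String, List<String>>();
    /** canonical subject DN -> groups, for subjects that have passed authenticate() */
    private final Map<String, List<String>> seen =
        Collections.synchronizedMap(new HashMap<String, List<String>>());

    protected void init(Properties props) throws BadRealmException, NoSuchRealmException {
        super.init(props); // keeps the base realm's assign-groups handling
        String spec = props.getProperty(DN_GROUPS_PROP, "");
        for (String entry : spec.split(";")) {
            entry = entry.trim();
            if (entry.length() == 0) continue;
            int bar = entry.indexOf('|');
            if (bar < 1) throw new BadRealmException("bad " + DN_GROUPS_PROP + " entry: " + entry);
            String group = entry.substring(0, bar).trim();
            String dn = canonical(entry.substring(bar + 1).trim());
            List<String> groups = enrolled.get(dn);
            if (groups == null) { groups = new ArrayList<String>(); enrolled.put(dn, groups); }
            groups.add(group);
        }
    }

    public void authenticate(X509Certificate[] certs) throws LoginException {
        super.authenticate(certs);
        if (certs == null || certs.length == 0) throw new LoginException("no client certificate");
        // certs[0] is the end-entity certificate; signature and chain validation
        // were already done by NSS before execution reached Java.
        String dn = canonical(certs[0].getSubjectX500Principal().getName());
        List<String> groups = enrolled.get(dn);
        if (groups == null) {
            // A valid certificate from a trusted CA is not the same as an enrolled user: fail closed.
            throw new LoginException("certificate subject not enrolled: " + dn);
        }
        seen.put(dn, groups);
    }

    public Enumeration getGroupNames(String username)
            throws NoSuchUserException, InvalidOperationException {
        // Assumed: the container passes the certificate subject DN as the user name.
        List<String> groups;
        try {
            groups = seen.get(canonical(username));
        } catch (IllegalArgumentException notADn) {
            groups = null;
        }
        if (groups == null) throw new NoSuchUserException(username);
        return Collections.enumeration(groups);
    }

    /** Canonical form so that attribute order, case and whitespace differences cannot bypass the mapping. */
    static String canonical(String dn) {
        return new X500Principal(dn).getName(X500Principal.CANONICAL);
    }
}
```

    Two points matter for security here. The realm trusts the chain validation NSS already performed, so the web server's trust store must contain only the CA that is allowed to enrol users, and the DN-to-group mapping is only as strong as that CA's issuance policy. Comparing canonical DNs rather than the raw string avoids a second certificate for the same person being accepted or rejected because of ordering or case differences in the subject.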

  • Basic Authentication with Web Service

    Hello,
    I am running S1AS7 on Windows XP. I have deployed the sample/jaxrpc/simple with basic authentication enabled. I have also changed Client.java to set the USERNAME and PASSWORD (i.e. stub._setProperty(javax.xml.rpc.Stub.USERNAME_PROPERTY, "j2ee");).
    Once I have deployed the war file and run the client, I got access denied exception.
    I have checked the s1as7 log and here is the details:
    FINE: Logging in user [j2ee] into realm: file using JAAS module: fileRealm
    FINEST: Login module initialized: class com.iplanet.ias.security.auth.login.File
    LoginModule
    FINEST: File login succeeded for: j2ee
    FINEST: JAAS login complete.
    FINEST: JAAS authentication committed.
    FINE: Password login succeeded for : j2ee
    FINE: Set security context as user: j2ee
    FINE: Authenticator[jaxrpc-simple]: Authenticated 'j2ee' with type 'BASIC'
    FINE: SingleSignOn[server1]: Registering sso id '193F1461E0D9B982E6B4055C0134076
    9' for user 'j2ee' with auth type 'BASIC'
    FINE: Authenticator[jaxrpc-simple]: Calling accessControl()
    FINEST: PRINCIPAL : j2ee hasRole?: staffmember
    FINEST: PRINCIPAL TABLE: {}
    FINE: Authenticator[jaxrpc-simple]: Failed accessControl() test
    Please notice that the authentication worked, but the PRINCIPAL TABLE is null!!!! If I run the basic authentication sample, i can see from the log the PRINCIPAL TABLE is (...staff=[staffmember], j2ee=[staffmember],.....)
    so somehow the app server treats the two sample differently with the same user id (j2ee/password)
    any comments?
    thanks..

    One more thing, here is my web.xml file:
    <web-app>
    <display-name>Hello World Application</display-name>
    <description>A web application containing a simple JAX-RPC endpoint</description>
    <session-config>
    <session-timeout>60</session-timeout>
    </session-config>
        <security-constraint>
            <web-resource-collection>
                <web-resource-name>basic security test</web-resource-name>
                <url-pattern>/*</url-pattern>
                <http-method>POST</http-method>
                <http-method>GET</http-method>
            </web-resource-collection>
            <auth-constraint>
                <role-name>staffmember</role-name>
            </auth-constraint>
        </security-constraint>
        <login-config>
            <auth-method>BASIC</auth-method>
            <realm-name>basic-file</realm-name>
        </login-config>
    </web-app>

  • JAAS, authentication only, in WLS 6

    I've pored over the newsgroups and the sample client, and nothing matches what I'd
    like to accomplish. What I want to do seems simple enough, but I haven't been able
    to get it to work:
    1. Configure WLS 6 SP1 to use its realms/authentication processes
    2. From within an EJB's method, using JAAS, ask Weblogic if this is a valid user
    (i.e., does this user/psw combination exist in the weblogic-managed realm(s)?).
    That's all I want to do, nothing more, nothing less. I'm getting nowhere and I've
    been at this for 2 days now. My latest incarnation was to specify the ServerPolicy
    in my call to create a login context. This authenticates, all right, but it authenticates
    everyone! My previous incarnation was to grit my teeth and write a login module
    just like in the (client) sample, but then this didn't work either. It replaced
    weblogic's authentication with mine (which I DON'T want) and I couldn't get it to
    "call back" into WLS for it to authenticate for me.
    This doesn't seem too difficult a task to me, but yet, none of the samples are clear,
    none of the environment settings are clear, and none of the books I have (I've looked
    at 2 WLS-specific books and the Sun JAAS site) are clear.
    How might I go about accomplishing this task?
    The current (within EJB) code I'm attempting is:
    // Create a login context and an associated handler for the password...
    LoginContext ctx = new LoginContext(strJAAS,
            new JAASAuthenticateCallback(strUsername, strPassword));
    ctx.login();  // Perform the login
    // If we get here, the user/password is authenticated.
    ctx.logout(); // Since we're just authenticating, log out!
    This snippet of code ALWAYS authenticates successfully (no exceptions thrown) regardless
    of what value is used for strJAAS, user ID and password!

    You can copy the JAAS example, implementing your own version of all the
    classes they give, and it will (eventually) work.
    Alternatively, if this is on the server, you can just grab the realm and
    call the appropriate authentication method:
    CachingRealm realm = (CachingRealm) Security.getRealm();
    UserInfo info = new DefaultUserInfoImpl(name, password);
    User user = realm.authenticate(info);
    if (null != user) { /* authenticated */ }
    (I'm using a caching realm, obviously).
    Two days is pretty optimistic. It's taken me two weeks to get an SQL-based
    realm and login working (about a week each for the realm and the login)
    (although I'm not programming full time as I have to manage a couple of
    other programmers too).
    Good luck,
    Andrew

  • Programmatic JAAS Authentication for Web/EJBs on WebLogic 12c

    Technologies: JSPs, Servlets, EJBs (version 2.1)
    Database: Oracle 11g Database
    Application Server: WebLogic 12c
    I am working on a project where the users and roles are stored on an Oracle database (as database users with roles granted to them). We therefore need a custom authentication method (the default WebLogic UsernamePasswordLoginModule won't cut it). We created a DatabaseUserLoginModule prior to migrating from a 10g environment to 11g/12c.
    import java.security.Principal;
    import java.sql.*;
    import java.util.*;
    import javax.naming.InitialContext;
    import javax.security.auth.Subject;
    import javax.security.auth.callback.*;
    import javax.security.auth.login.LoginException;
    import javax.security.auth.spi.LoginModule;
    import javax.sql.DataSource;
    public class DatabaseUserLoginModule implements LoginModule {
        private Subject subject;
        private CallbackHandler callbackHandler;
        private String jndiDSName;   // datasource configured with "Use Database Credentials"
        private String username;
        private String password;
        private Principal[] authPrincipals = new Principal[0];
        public void initialize(Subject subject, CallbackHandler handler, Map sharedState, Map options) {
            this.subject = subject;
            this.callbackHandler = handler;
            this.jndiDSName = (String) options.get("datasource"); // option name not shown in the post
        }
        public boolean login() throws LoginException {
            // Collect the credentials through the CallbackHandler (PassiveCallbackHandler below)
            NameCallback nc = new NameCallback("username");
            PasswordCallback pc = new PasswordCallback("password", false);
            try {
                callbackHandler.handle(new Callback[] { nc, pc });
            } catch (Exception e) {
                throw new LoginException("callback failed: " + e.getMessage());
            }
            username = nc.getName();
            password = new String(pc.getPassword());
            pc.clearPassword();
            Connection conn = null;
            try {
                InitialContext ic = new InitialContext();
                DataSource ds = (DataSource) ic.lookup(jndiDSName);
                conn = ds.getConnection(username, password); // Oracle verifies the password, not this module
                List dbauth = new ArrayList();
                String rolesSQL = "SELECT GRANTED_ROLE FROM USER_ROLE_PRIVS UNION SELECT GRANTED_ROLE FROM ROLE_ROLE_PRIVS";
                Statement rolesStmt = conn.createStatement();
                ResultSet results = rolesStmt.executeQuery(rolesSQL);
                dbauth.add(new DBUserPrincipal(username)); // DBUserPrincipal/DBRolePrincipal are the poster's own Principal classes
                while (results.next()) {
                    dbauth.add(new DBRolePrincipal(results.getString("GRANTED_ROLE")));
                }
                authPrincipals = (Principal[]) dbauth.toArray(new Principal[dbauth.size()]);
            } catch (Exception e) {
                throw new LoginException(e.getMessage());
            } finally {
                if (conn != null) { try { conn.close(); } catch (SQLException ignore) { } } // do not mask the real failure
            }
            return true;
        }
        public boolean commit() throws LoginException {
            for (int i = 0; i < authPrincipals.length; i++) subject.getPrincipals().add(authPrincipals[i]);
            return true;
        }
        public boolean abort() throws LoginException { authPrincipals = new Principal[0]; return true; }
        public boolean logout() throws LoginException {
            for (int i = 0; i < authPrincipals.length; i++) subject.getPrincipals().remove(authPrincipals[i]);
            return true;
        }
    }
    The getConnection() method on the datasource works with a database username and password thanks to the new "Use Database Credentials" option for WebLogic datasources and granting CONNECT THROUGH (datasource user) privilege for each user.
    We have configured a JAAS context to use this login module by creating a jaas.conf file and setting JAVA_OPTIONS to include "-Djava.security.auth.login.config=%DOMAIN_HOME%\bin\jaas.conf". The file looks like this:
    Test {
        xxxx.controller.security.loginmodule.DatabaseUserLoginModule required;
    };
    When the user logs in, the application uses a LoginContext object to perform authentication:
        PassiveCallbackHandler cbh = new PassiveCallbackHandler(username, password);
        lc = new LoginContext("Test", cbh);
        lc.login();
    This successfully uses the DatabaseUserLoginModule to authenticate the user and populate the Subject with the appropriate roles.
    The next step is to use an InitialContext to lookup an EJB and call a method. We have permissions in ejb-jar.xml for each method, based on database roles:
    <method-permission>
         <role-name>XXXX_USER</role-name>
         <method>
              <ejb-name>AccessControl</ejb-name>
              <method-intf>Home</method-intf>
             <method-name>create</method-name>
             <method-params>
                   <method-param>java.lang.String</method-param>
             </method-params>
         </method>
         <method>
             <ejb-name>AccessControl</ejb-name>
             <method-intf>Remote</method-intf>
             <method-name>remove</method-name>
         </method>
         <method>
             <ejb-name>AccessControl</ejb-name>
             <method-intf>Remote</method-intf>
             <method-name>processFailedLogin</method-name>
             <method-params>
                   <method-param>java.lang.String</method-param>
             </method-params>
         </method>
         <method>
             <ejb-name>AccessControl</ejb-name>
             <method-intf>Remote</method-intf>
             <method-name>processSuccessfulLogin</method-name>
             <method-params>
                   <method-param>java.lang.String</method-param>
             </method-params>
         </method>
    </method-permission>
    Hashtable env = new Hashtable();
    env.put(Context.INITIAL_CONTEXT_FACTORY, "weblogic.jndi.WLInitialContextFactory");
    env.put(Context.PROVIDER_URL, "t3://localhost:7101");
    env.put(Context.SECURITY_PRINCIPAL, username);
    env.put(Context.SECURITY_CREDENTIALS, password);
    InitialContext ic = new InitialContext(env);
    ic.lookup("EJBName");
    The problem is that when the InitialContext is initialised I get the following error:
    javax.naming.AuthenticationException [Root exception is javax.security.auth.login.FailedLoginException: [Security:090304]Authentication Failed: User XXXX_USER] javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User XXXX_USER denied]
    It looks like the InitialContext is attempting to authenticate the user through WebLogic's default authenticator. How do I tell it to use the JAAS context (with the custom login module) I have already set up?
    If I use the default constructor (new InitialContext()) then I get a different error when calling an EJB method:
    <java.rmi.AccessException: [EJB:010160]Security violation: User <anonymous> has insufficient permission to access EJB type=<ejb>, application=TestApplication, module=TestEJB.jar, ejb=AccessControl, method=processSuccessfulLogin, methodInterface=Remote, signature={java.lang.String}.>
    In this case, how do I propagate the Subject after using LoginContext so that the user calling EJB methods is not anonymous?
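    One way to make the EJB call carry an identity, as an added example that is not from this thread: authenticate through WebLogic's own security service and wrap the EJB call in weblogic.security.Security.runAs, rather than going through a stand-alone jaas.conf LoginContext. WebLogic's containers only honour principals in a Subject that the server's realm has signed, so this assumes the DatabaseUserLoginModule has first been installed in the domain's security realm as a custom Authentication Provider (not shown in the post). AccessControlHome and AccessControl are assumed names for the bean's home and remote interfaces, and createArg stands in for whatever String the Home create(java.lang.String) method expects.

```java
import java.security.PrivilegedAction;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.rmi.PortableRemoteObject;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginException;
import weblogic.security.Security;
import weblogic.security.SimpleCallbackHandler;
import weblogic.security.services.Authentication;

/** Added example: run an EJB call as a user authenticated by the WebLogic realm. */
public final class RunAsDatabaseUser {

    /**
     * Authenticates username/password against the domain's security realm (which must
     * contain the DatabaseUserLoginModule as an Authentication Provider) and calls
     * AccessControl.processSuccessfulLogin(String) with that identity.
     */
    public static void processSuccessfulLoginAs(String username, char[] password,
                                                final String jndiName,
                                                final String createArg) throws LoginException {
        // Authentication.login goes through the server's providers; the Subject it returns
        // carries principals the realm has signed, which is what the EJB container checks
        // before it treats the caller as anything other than <anonymous>.
        Subject subject = Authentication.login(new SimpleCallbackHandler(username, password));

        Security.runAs(subject, new PrivilegedAction() {
            public Object run() {
                try {
                    // No SECURITY_PRINCIPAL / SECURITY_CREDENTIALS here: the identity
                    // of the current thread comes from runAs, not from the JNDI environment.
                    Context ctx = new InitialContext();
                    Object ref = ctx.lookup(jndiName);
                    AccessControlHome home = (AccessControlHome)
                        PortableRemoteObject.narrow(ref, AccessControlHome.class); // assumed interface name
                    AccessControl bean = home.create(createArg);   // Home create(java.lang.String)
                    bean.processSuccessfulLogin(createArg);        // Remote processSuccessfulLogin(String)
                    bean.remove();                                 // Remote remove()
                    return null;
                } catch (Exception e) {
                    throw new RuntimeException("EJB call as authenticated user failed", e);
                }
            }
        });
    }
}
```

    The method-permission entries in ejb-jar.xml are then enforced against the role principals the login module added in commit(), provided the realm's role mapping treats those principal names as roles. The char[] password is passed straight to the callback handler so the caller can zero it after the call, and nothing here writes the password into the JNDI environment, where it would otherwise sit in a plain Hashtable for the life of the InitialContext.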

    This is the JDev & ADF forum. Your question is better asked in one of the WebLogic forums!
    Timo

Maybe you are looking for