JAAS Authentication
Hi,
how can JAAS be used with sjsws? Are there JAAS-Howtos or other documents dealing with JAAS? Examples?
I have an already implemented JAAS-Login module using the javax.security.auth.spi.LoginModule interface.
Is it possible to use it with sjsws? How? Where can I configure what Principals are possible?
Can I use JAAS to authenticate webdav-users? How?
Yours
Arne
Edited by: Arne.v.Irmer on Nov 22, 2007 8:02 AM
Hi mv,
our JAAS-LoginModule is too complex to post it here. I made a small example that is close to what we do here.
It authenticates the user "user" with the role/principal "userRole" and the user "admin" with the role "adminRole". Both have the principal "authenticateduser". Passwords are the same as the account.
Here is the LoginModule:
package sample.security.jaas;
import java.io.IOException;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
public class TestLoginModule implements LoginModule {
    private CallbackHandler callbackHandler;
    private Subject subject;
    private boolean success;
    public boolean abort() throws LoginException {
        // Clean out state
        success = false;
        logout();
        return true;
    }
    public boolean commit() throws LoginException {
        if (success) {
            // Add a general principal
            subject.getPrincipals().add(new TestPrincipal("authenticateduser"));
            System.out.println("authenticateduser");
            return true;
        }
        return false;
    }
    public void initialize(Subject subject, CallbackHandler callbackHandler,
            Map<String, ?> sharedState, Map<String, ?> options) {
        // save the initial state
        this.callbackHandler = callbackHandler;
        this.subject = subject;
    }
    public boolean login() throws LoginException {
        // Setup default callback handlers.
        Callback[] callbacks = new Callback[] {
            new NameCallback("Username: "),
            new PasswordCallback("Password: ", false)
        };
        try {
            callbackHandler.handle(callbacks);
        } catch (IOException e) {
            // a handler that cannot deliver credentials must fail the login, not silently continue
            throw new LoginException(e.getMessage());
        } catch (UnsupportedCallbackException e) {
            throw new LoginException(e.getMessage());
        }
        String username = ((NameCallback) callbacks[0]).getName();
        char[] pw = ((PasswordCallback) callbacks[1]).getPassword();
        String password = (pw == null) ? "" : new String(pw);
        ((PasswordCallback) callbacks[1]).clearPassword();
        // Check passwords and add principals
        // (the role principals are added here; abort() removes them again via logout()
        // if another module in the configuration fails)
        if (username != null) {
            success = username.equalsIgnoreCase("admin") && password.equals("admin");
            if (success) {
                subject.getPrincipals().add(new TestPrincipal("adminRole"));
            } else {
                success = username.equalsIgnoreCase("user") && password.equals("user");
                if (success) {
                    subject.getPrincipals().add(new TestPrincipal("userRole"));
                }
            }
        } else {
            success = false;
        }
        callbacks[0] = callbacks[1] = null;
        if (!success) {
            // Reject bad credentials here: returning true with success == false would let
            // LoginContext.login() succeed and hand out a Subject without any principals.
            throw new FailedLoginException("Invalid username or password");
        }
        return true;
    }
    public boolean logout() throws LoginException {
        // remove the principals
        // getPrincipals(Class) returns a copy, so the removal has to go through getPrincipals()
        subject.getPrincipals().removeAll(subject.getPrincipals(TestPrincipal.class));
        return true;
    }
}
And here is the Principal:
package sample.security.jaas;
import java.io.Serializable;
import java.security.Principal;
public class TestPrincipal implements Principal, Serializable {
    private String uniqueIdentifier;
    public TestPrincipal(String uniqueIdentifier) {
        this.uniqueIdentifier = uniqueIdentifier;
    }
    public String getName() {
        return this.uniqueIdentifier;
    }
    // equals/hashCode so the Subject's principal Set treats two principals with the same name as one
    @Override
    public boolean equals(Object o) {
        return o instanceof TestPrincipal && uniqueIdentifier.equals(((TestPrincipal) o).uniqueIdentifier);
    }
    @Override
    public int hashCode() {
        return uniqueIdentifier.hashCode();
    }
    @Override
    public String toString() {
        return "TestPrincipal[" + uniqueIdentifier + "]";
    }
}
You can download this code in a small project at
http://ews2.uni-dortmund.de/installation/jaas-src.tgz_
or if you want a tomcat 5.5.23 using this LoginModule to authenticate under
http://ews2.uni-dortmund.de/installation/jaastest.tgz_
I'm curious about your answer.
Yours
Arne
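As an added example, not part of Arne's post or his project: a login configuration entry plus a small driver that runs TestLoginModule through LoginContext, checks which TestPrincipals end up in the Subject, and shows that a wrong password produces no Subject at all. The entry name TestApp, the JaasDriver class and its FixedCredentials handler are assumptions; the driver also assumes the module throws FailedLoginException on bad credentials.

```java
// Added example: drives sample.security.jaas.TestLoginModule through LoginContext.
// Assumed login configuration, passed with -Djava.security.auth.login.config=jaas.config
// (the entry name "TestApp" is an assumption; the flag decides how several modules combine):
//   TestApp {
//       sample.security.jaas.TestLoginModule required;
//   };
import java.io.IOException;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import sample.security.jaas.TestPrincipal;

public class JaasDriver {

    /** Answers the module's NameCallback/PasswordCallback from fixed values instead of prompting. */
    static final class FixedCredentials implements CallbackHandler {
        private final String user;
        private final char[] password;

        FixedCredentials(String user, String password) {
            this.user = user;
            this.password = password.toCharArray();
        }

        @Override
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(cb, "only name/password are supported");
                }
            }
        }
    }

    /** True when the Subject carries a TestPrincipal with exactly this name. */
    static boolean hasRole(Subject subject, String role) {
        for (TestPrincipal p : subject.getPrincipals(TestPrincipal.class)) {
            if (role.equals(p.getName())) {
                return true;
            }
        }
        return false;
    }

    /** Runs the "TestApp" entry; returns the authenticated Subject, or null when it was rejected. */
    static Subject tryLogin(String user, String password) {
        try {
            LoginContext lc = new LoginContext("TestApp", new FixedCredentials(user, password));
            lc.login();              // phase 1 login() and phase 2 commit() on every configured module
            return lc.getSubject();
        } catch (LoginException e) { // a "required" module that throws makes the whole login fail
            System.out.println("login rejected for " + user + ": " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) {
        Subject admin = tryLogin("admin", "admin");
        if (admin == null) {
            System.out.println("check jaas.config and the classpath: admin/admin should succeed");
            return;
        }
        // the module adds adminRole in login() and authenticateduser in commit()
        Set<TestPrincipal> adminRoles = admin.getPrincipals(TestPrincipal.class);
        System.out.println("admin principals: " + adminRoles);
        System.out.println("adminRole=" + hasRole(admin, "adminRole")
                + " userRole=" + hasRole(admin, "userRole"));

        Subject user = tryLogin("user", "user");
        if (user != null) {
            System.out.println("user principals: " + user.getPrincipals(TestPrincipal.class));
        }

        // Wrong password: no Subject is handed out, so there is nothing to check roles on.
        Subject rejected = tryLogin("admin", "user");
        System.out.println("bad password rejected: " + (rejected == null));
    }
}
```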
Similar Messages
-
Is it possible to bypass JAAS authentication and use Authorisation alone?
I have to implement jsp level security (by checking roles) for my JSF application.
Authentications in my appln are done by a different servers. I don't want to disturb that.
I have to implement authorisation alone using JAAS.
Is it possible to bypass JAAS authentication and use Authorisation alone?
I am using custom login module( implements DatabaseLoginModule) for authorisation.
Moreover, after logging in, when a user tries to access a secured jsp page, he should NOT be redirected to login page again. Rather the role checks should be done using existing user credentials stored somewhere. How to invoke the custom DataBaseLoginModule without taking user to login screen?
Any help would be great.
Thanks,
Adhil.J
-
JAAS authentication with WebLogic 6 - "Invalid Configuration Class Name"
For starters, I took the sample file examples.security.jaas.SampleConfig, changed the name and
package, compiled, and copied it to the right place in the classes directory of the webapp project.
The class is specified as a parameter in startWebLogic.cmd:
-Dweblogic.security.jaas.Configuration="com.ww.opd.auth.JAASConfiguration"
When a servlet attempts to get LoginContext, I get this error:
"Invalid Configuration Class Name: com.ww.opd.auth.JAASConfiguration"
The class file is definitely in the right place. What's the deal?
Thanks,
Rob
Seems to be a ClassLoader problem. The sample is a client app, so no problem. But if you create
a Configuration class to run on the server (to set up a LoginModule for authenticating clients)...
I think what's happening is that the System class loader, using the CLASSPATH in the environment
of the WebLogic server when it starts, attempts to load the Configuration class and can't (because it
is in the CLASSPATH of the web app, not of the System class loader). If you add the Configuration
class to the CLASSPATH of the WebLogic server, then it gets loaded but the LoginModule can't be
found. If you add the LoginModule to the WebLogic server CLASSPATH, then any classes that it calls
must also be in the WebLogic server CLASSPATH.
Could someone from BEA please comment: is that the intention, that any classes used for JAAS
authentication be part of the server's CLASSPATH, not part of the web application?
Thanks,
Rob
-
JAAS-authentication and wls-authorization in a webapp
Hi,
I am developing a webapp with jsp, servlets and ejbs.
My question:
Is it possible to use JAAS-authentication together with wls-authorization in a
webapp?
thanks
/Chriz
Hi, Office 365 tenants indeed include an Azure AD tenant in the background and you can implement Single Sign-On against that. The authentication scenario for this case is documented
here. For the code samples (with steps to create them) see the
samples' Github repository, especially the
WebApp-WSFederation-DotNet sample.
For the SQL database it's a bit different. Azure SQL Database connection can't be authenticated like this - there's no integration to the "domain" accounts there. So you should create one service account for the SQL connection and use that for
all the traffic in your web app. If you need authorization for accessing certain data in SQL, you have to implement that on your web application side. -
JAAS Authentication Example Error
I am working with the JAAS Authentication example provided by Sun at the following link:
http://java.sun.com/j2se/1.4.1/docs/guide/security/jgss/tutorials/index.html
I am working with Windows NT. I am using an NTLoginModule in my config file. I would like to create a simple Login that uses the current OS's user ID. Once I add the security.manager and a policy file that includes anything besides full permissions (permission java.security.AllPermission;), I get a Security Exception, and more specifically a "java.security.AccessControlException:access denied...".
I am using the following config:
JaasConfig {
    com.sun.security.auth.module.NTLoginModule required debug="true";
};
I would like to use a policy file that gives permission to a file for the current user. I would like to do something similar to the following, but get the error once this is added....
grant Principal com.sun.security.auth.NTUserPrincipal "user" {
    //Allow everything for now
    //permission java.security.AllPermission;
    permission java.io.FilePermission "ProtectedFile.txt", "read , write";
};
What am I doing wrong? Any help is very much appreciated!
Thanks!
I got it...my policy file needed more to work in NT. Here is the entire file:
grant Principal com.sun.security.auth.NTUserPrincipal "s156898" {
    permission java.io.FilePermission "ProtectedFile.txt", "read";
};
grant {
    //Allow everything for now
    //permission java.security.AllPermission;
    permission javax.security.auth.AuthPermission "createLoginContext.JAASConfig";
    permission java.io.FilePermission "ProtectedFile.txt", "read";
    permission javax.security.auth.AuthPermission "modifyPrincipals";
    permission javax.security.auth.AuthPermission "doAsPrivileged";
    permission javax.security.auth.AuthPermission "getSubject";
};
However, I am trying to also do my work on a Solaris/Unix machine. I get an error that tells me that only Principal-based entries are allowed. Anyone know how to give permission to all users in a Principal statement? The same setup as the above, using Unix Principals, will not work. Seems like I have to always have a grant and Principal for every set of permissions.
Lemme know if you can help. Thanks! -
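An added example, not from the thread above: it logs in through the JaasConfig entry and then reads ProtectedFile.txt inside Subject.doAsPrivileged, which is the only place the Principal-based grant applies, because only there the NTUserPrincipal is part of the access-control context. It assumes Windows with NTLoginModule, a SecurityManager enabled at startup, the jaas.policy reproduced in the comment (the principal name s156898 comes from the thread; the ProtectedRead class and file names are assumptions) and, for the Unix question, the wildcard principal form that the default Java policy syntax accepts.

```java
// Added example: exercises the Principal-based grant discussed above.
// Assumed run:
//   java -Djava.security.manager -Djava.security.policy=jaas.policy \
//        -Djava.security.auth.login.config=jaas.config ProtectedRead
// Assumed jaas.policy (the AuthPermission name must match the config entry name exactly):
//   grant {
//       permission javax.security.auth.AuthPermission "createLoginContext.JaasConfig";
//       permission javax.security.auth.AuthPermission "modifyPrincipals";
//       permission javax.security.auth.AuthPermission "doAsPrivileged";
//   };
//   grant principal com.sun.security.auth.NTUserPrincipal "s156898" {
//       permission java.io.FilePermission "ProtectedFile.txt", "read";
//   };
//   // Unix variant for every authenticated user: the default policy syntax allows "*"
//   // as a wildcard principal name (and "* *" for any principal of any class):
//   // grant principal com.sun.security.auth.UnixPrincipal * {
//   //     permission java.io.FilePermission "ProtectedFile.txt", "read";
//   // };
import java.io.BufferedReader;
import java.io.FileReader;
import java.io.IOException;
import java.security.AccessControlException;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public class ProtectedRead {

    /** Reads the whole file; the FileReader constructor is where the FilePermission check happens. */
    static String readProtected(String path) throws IOException {
        StringBuilder sb = new StringBuilder();
        try (BufferedReader in = new BufferedReader(new FileReader(path))) {
            String line;
            while ((line = in.readLine()) != null) {
                sb.append(line).append('\n');
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) throws LoginException {
        // NTLoginModule needs no CallbackHandler: it takes the identity of the OS user.
        LoginContext lc = new LoginContext("JaasConfig");
        lc.login();
        Subject subject = lc.getSubject();
        System.out.println("Principals: " + subject.getPrincipals());

        // Outside doAsPrivileged only the code-based grant {} applies, which has no
        // FilePermission, so the SecurityManager denies the read.
        try {
            readProtected("ProtectedFile.txt");
            System.out.println("unexpected: read succeeded without the Subject");
        } catch (AccessControlException | IOException e) {
            System.out.println("denied outside doAsPrivileged: " + e);
        }

        // Inside doAsPrivileged the Subject's principals are combined with the
        // protection domains of the code the action runs, so the Principal-based grant
        // is consulted. The null context means the caller's stack is not inherited.
        try {
            String text = Subject.doAsPrivileged(subject,
                    (PrivilegedExceptionAction<String>) () -> readProtected("ProtectedFile.txt"),
                    null);
            System.out.println("read " + text.length() + " chars as " + subject.getPrincipals());
        } catch (PrivilegedActionException e) {
            // checked exceptions from the action (IOException) arrive wrapped
            System.out.println("read failed: " + e.getCause());
        } catch (AccessControlException e) {
            // the security check is a RuntimeException and is not wrapped
            System.out.println("denied even under doAsPrivileged: " + e.getMessage());
        }
        lc.logout();
    }
}
```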
JAAS Authentication Programmatically
On WebSphere I have defined a JAAS Authentication Entry with an Alias, Username and Password. There are 2–3 applications running on this instance of the server.
From one of these applications I would like to verify the username and password as in the "JAAS Authentication Entry" programmatically.
Is this possible? If so can you please help me with more details like:
1. Is there any change needed in the specific application's web.xml to point at the JAAS security of the server.
2. Any specific JAVA API to access JAAS information (configured on server) from a java program.
Thanks
Yes - as long as it is serializable.
-
Using Identity Server as a JAAS authentication provider
My client wants to use Identity Server to provide JAAS authentication for the Java application they're developing.
The JAAS tutorial shows how the name of the Java class that provides the authentication service is provided, then an instance of this class is instantiated and the .login method invoked to actually perform the authentication.
The stated principle behind the tutorial is one of using a pluggable authentication framework, and one should not care how authentication is performed. As long as the callbacks to allow the authentication framework to ask for the credentials required, it should not matter.
The example of how to do LDAP authentication using Identity server requires using some identity server classes. ie the com.sun.identity.authentication.AuthContext class. They specifically want to use pure JAAS authentication rather than creating a dependance in their application on Identity Server.
Is a Java class available which provides this functionality?
Thanks
In Apache you can specify the authentication parameters in the virtual host configuration
-
Problem with JAAS authentication using jboss client
I'm trying to make a little compiled application work. It has two parts: a little client (one class) and a server part which runs on a JBoss server, and they communicate using JAAS + SSL. It works perfectly alone if I run it in a java project, without the messing SAP JAAS implementation.
I followed all the steps in:
https://websmp101.sap-ag.de/~sapidb/011000358700003517632004E.PDF
and managed to apply the configuration into the security service of WAS, using <b>jboss-client.jar</b> as the library with the login module, and <b>org.jboss.security.ClientLoginModule</b> as the login module.
I included the client class into a web service developed for my WAS, packing the class and its library plus jboss-client.jar into my EAR.
But when it tries to do the authentication, sometimes it uses:
<b>org.jboss.security.ClientLoginModule</b> (that's the correct class) but throws a "<b>User is locked</b>" exception.
Do I need to create the user who I use to connect to JBoss in my WAS UME? This doesn't make much sense. Anyway it doesn't work either, and the user is not locked.
Other times (without changing anything) it uses:
<b>com.sap.engine.system.SystemLoginModule</b> and throws this exception:
<b>com.sap.engine.services.security.exceptions.BaseLoginException</b>: Call logout before login
I have nightmares trying to integrate things which work in every application server but WAS. Why couldn't they simply follow the standard!?
I'm thinking of installing a Tomcat with the client, and using Axis to wrap it with a web service I can consume from my WAS. Not a very elegant solution.
I think it maybe has something to do with specific callback classes from the SAP implementation.
Any idea? I can't go forward.
Did you resolve this problem? Please let me know. I have the same issue now and don't know what I should be doing next
-
JAAS-authentication to external secure system within EJB?
I would like to write an EJB that accesses an external,
non-WebLogic system that uses JAAS security. It looks like using
plain vanilla JAAS client code would break some EJB programming rules.
I need to pass credentials to this external system
(private/public keys, etc.) that are on the filesystem.
I see WL has "Credential Mapping" but couldn't really see how
I'd use and implement this to authenticate to the external
system.
Any advice would be appreciated.
-Rolf Arands
One way, which I know will work, is to run your JAAS code on some container. If authentication works, the code on your container forwards the HTTP request to the WAS.
The WAS must have a Trust Association Interceptor (TAI), written for your purpose. Your container forwards the HTTP request with the authenticated userid in the request. The TAI intercepts the request, pulls the authenticated userid from the request and returns the userid to the WAS security manager.
I have created a small presentation that shows how security credentials are propagated to the WebLogic and WAS security managers. It can be found on my site.
/Bo
http://appliedcrypto.com -
JAAS Authentication in WLS 7.0
Hi,
I have a problem trying to authenticate a user using JAAS in WLS 7.0: in the
LoginModule I get a java.lang.IllegalAccessError:
java.security.acl.NotOwnerException when invoke the
weblogic.security.auth.Authenticate.authenticate(env, subject) method. The
environment I define as follows:
env.setProviderUrl("t3://localhost:7001");
env.setSecurityPrincipal("testuser");
env.setSecurityCredentials("testpassword");
where testuser belongs to the group Administrators and I use it successfully
for starting the server and manipulating the console.
At the same time I successfully pass authentication as anonymous if I set
only the provider URL.
I would be very grateful for any information related to this problem.
Vladimir
Vladimir,
The first problem you're having here is that you seem to be using a
deprecated API. I can't tell from your description but I believe this API
was intended for use only within the process space of a t3 client, so check
your client's java security policy settings.
Alex
-
Jaas authentication with cutom realm problem
I'm having this problem: I have a web application made with JSF running on Sun One Application Server 9, and I made a custom realm with JAAS so that the server handles the authentication, and it is working fine. The problem is that I want to load some info into the user's session after he has been authenticated, based on the username. But I have no clue how to do it, so I'll be very thankful if anybody helped me.
Did you resolve this problem? Please let me know. I have the same issue now and don't know what I should be doing next
-
JAAS, authentication only, in WLS 6
I've pored over the newsgroups and the sample client, and nothing matches what I'd
like to accomplish. What I want to do seems simple enough, but I haven't been able
to get it to work:
1. Configure WLS 6 SP1 to use its realms/authentication processes
2. From within an EJB's method, using JAAS, ask Weblogic if this is a valid user
(i.e., does this user/psw combination exist in the weblogic-managed realm(s)?).
That's all I want to do, nothing more, nothing less. I'm getting nowhere and I've
been at this for 2 days now. My latest incarnation was to specify the ServerPolicy
in my call to create a login context. This authenticates, all right, but it authenticates
everyone! My previous incarnation was to grit my teeth and write a login module
just like in the (client) sample, but then this didn't work either. It replaced
weblogic's authentication with mine (which I DON'T want) and I couldn't get it to
"call back" into WLS for it to authenticate for me.
This doesn't seem too difficult a task to me, but yet, none of the samples are clear,
none of the environment settings are clear, and none of the books I have (I've looked
at 2 WLS-specific books and the Sun JAAS site) are clear.
How might I go about accomplishing this task?
The current (within EJB) code I'm attempting is:
// Create a login context and an associated handler for the password...
LoginContext Ctx; // Need a (JAAS) login context...
Ctx = new LoginContext(strJAAS,
        new JAASAuthenticateCallback(strUsername,
                strPassword));
Ctx.login(); // Perform the login
// If we get here, the user/password is authenticated.
Ctx.logout(); // Since we're just authenticating, log out!
This snippet of code ALWAYS authenticates successfully (no exceptions thrown) regardless
of what value is used for strJAAS, user ID and password!
You can copy the JAAS example, implementing your own version of all the
classes they give, and it will (eventually) work.
Alternatively, if this is on the server, you can just grab the realm and
call the appropriate authentication method:
CachingRealm realm = (CachingRealm)Security.getRealm();
UserInfo info = new DefaultUserInfoImpl(name, password);
User user = realm.authenticate(info);
if (null != user) ...
(I'm using a caching realm, obviously).
Two days is pretty optimistic. It's taken me two weeks to get an SQL-based
realm and login working (about a week each for the realm and the login)
(although I'm not programming full time as I have to manage a couple of
other programmers too).
Good luck,
Andrew
-
JAAS authentication is not working with IIOP and wlclient.jar
Hi,
I'm currently working on a remote client that requires authentication with JAAS.
The Application server is Weblogic 9.2 MP1.
The client is deployed with wlclient.jar and the used protocol is iiop.
I'm also using the default UsernamePasswordLoginModule module for authentication.
The LoginContext.login goes smoothly but the Principal Set in the obtained Subject object is empty!
Using the same code with weblogic.jar and t3 protocol the principals are filled(i.e. I can see the groups where the involved user is member).
Any suggestions ??
regards,
Luca
So, when you execute this, where exactly does it crash/stop, or what is the output you get from those dbms_output lines? Do you know the output of memberOf and are you sure that things will match?
-
WlClient.jar & JAAS authentication Issues
If I run the JAAS example (examples/security/jaas) that comes with
wl8.1 sp1 but use wlclient.jar instead of weblogic.jar, the
LoginContext.login() method returns a Subject even if I pass in an
invalid user/password combination. If weblogic.jar is in the
classpath, a javax.security.auth.login.LoginException is thrown which
is what I want to happen for invalid credentials. When running with
wlclient.jar, the code doesn't fail until it actually attempts to
access the EJB at which point it gets a org.omg.CORBA.NO_PERMISSION.
I am trying to use JAAS to login from a swing app and I want to use
wlclient.jar instead of weblogic.jar, but I need to be able to
determine whether the login was successful without waiting until I
access a secured EJB. Why does wlclient.jar behave differently than
weblogic.jar? How can I determine if my login worked if Weblogic is
going to return a Subject no matter what username/password I pass in?
Hi,
I have a similar problem when using wlclient.jar. I am able to authenticate using
the UsernamePasswordLoginModule (with authOnLogin true), but I get an error when
invoking a secured EJB:
UsernamePasswordLoginModule.initialize(), debug enabled
UsernamePasswordLoginModule.initialize(), authOnLogin enabled
UsernamePasswordLoginModule.login(), username weblogic
UsernamePasswordLoginModule.login(), URL t3://localhost:7001
Logged in
Invoking EJB
java.rmi.AccessException: CORBA NO_PERMISSION 0 Maybe; nested exception is:
org.omg.CORBA.NO_PERMISSION: vmcid: 0x0 minor code: 0 completed: Maybe
at com.sun.corba.se.internal.iiop.ShutdownUtilDelegate.mapSystemException(ShutdownUtilDelegate.java:95)
at javax.rmi.CORBA.Util.mapSystemException(Util.java:65)
The login is successful, but I get the org.omg.CORBA.NO_PERMISSION when invoking
the EJB. If I replace wlclient.jar with weblogic.jar it works fine! But we can't
use weblogic.jar in our deployed client, because a) it's HUGE, b) it conflicts
with Ant 1.6.1.
Any ideas?
"Memo S" <[email protected]> wrote:
>
Here is the answer
A UsernamePasswordLoginModule LoginModule was added for use by the IIOP
thin-client.
This class has the same API as that of the weblogic.security.auth.login.UsernamePasswordLoginModule
class, but in this implementation, there is a new property called authOnLogin.
When true, this property forces the login method to perform authentication
(rather
than on the first invocation). The default for this new property is false.
Regards.
Memo S
-
What's the point of Weblogic JAAS authentication?
Hello, I'm looking into one way authentication using weblogic and JAAS,
Weblogic say this is the preferred mechanism, however I can't see the
advantages. My (ok, limited) understanding of it is thus:
The advantage of JAAS is that you can specify different login modules to
utilise different types of authentication. However authentication to a
weblogic server will only work by calling
weblogic.security.auth.Authenticate.authenticate (due to weblogic's own
implementation of the javax.security.auth. classes), thus only one
loginmodule is available.
The ability to use different authentication types is provided by the
application server by using/creating different realms. The client possibly
being able to specify different authentication by one of the arguments to a
custom realm(?).
Thus why bother with JAAS seeing that it doesn't seem to offer anything
extra over JNDI authentication and requires more code?
Thanks, any ideas appreciated.
Alan.
Good point.
"James" <[email protected]> wrote in message
news:3c506266$[email protected]..
This may not apply to you, but I have to consider the need to remain
portable between different vendors' application servers. WebLogic's
proprietary realm architecture makes it a pain to get up and going in a
WebSphere or an Oracle AS. So I see that as a major advantage.
James
Viewlocity, Inc.
http://www.viewlocity.com
-
Programmatic JAAS Authentication for Web/EJBs on WebLogic 12c
Technologies: JSPs, Servlets, EJBs (version 2.1)
Database: Oracle 11g Database
Application Server: WebLogic 12c
I am working on a project where the users and roles are stored on an Oracle database (as database users with roles granted to them). We therefore need a custom authentication method (the default WebLogic UsernamePasswordLoginModule won't cut it). We created a DatabaseUserLoginModule prior to migrating from a 10g environment to 11g/12c.
public class DatabaseUserLoginModule implements LoginModule {
    // set in initialize() from the CallbackHandler and the module options (not shown in the post)
    private Subject subject;
    private String username;
    private String password;
    private String jndiDSName;
    private Principal[] authPrincipals;

    public boolean login() throws LoginException {
        Connection conn = null;
        try {
            InitialContext ic = new InitialContext();
            DataSource ds = (DataSource) ic.lookup(jndiDSName);
            // the user's own credentials open the connection, so a wrong password fails here
            conn = ds.getConnection(username, password);
            List dbauth = new ArrayList();
            String rolesSQL = "SELECT GRANTED_ROLE FROM USER_ROLE_PRIVS UNION SELECT GRANTED_ROLE FROM ROLE_ROLE_PRIVS";
            Statement rolesStmt = conn.createStatement();
            ResultSet results = rolesStmt.executeQuery(rolesSQL);
            dbauth.add(new DBUserPrincipal(username));
            while (results.next()) {
                String roleName = results.getString("GRANTED_ROLE");
                DBRolePrincipal dbRolePrincipal = new DBRolePrincipal(roleName);
                dbauth.add(dbRolePrincipal);
            }
            authPrincipals = (Principal[]) dbauth.toArray(new Principal[dbauth.size()]);
        } catch (Exception e) {
            throw new LoginException(e.getMessage());
        } finally {
            try {
                if (conn != null) {
                    conn.close();
                }
            } catch (Exception e) {
                throw new LoginException(e.getMessage());
            }
        }
        return true;
    }

    public boolean commit() throws LoginException {
        for (int i = 0; i < authPrincipals.length; i++) {
            subject.getPrincipals().add(authPrincipals[i]);
        }
        return true;
    }
}
The getConnection() method on the datasource works with a database username and password thanks to the new "Use Database Credentials" option for WebLogic datasources and granting CONNECT THROUGH (datasource user) privilege for each user.
We have configured a JAAS context to use this login module by creating a jaas.conf file and setting JAVA_OPTIONS to include "-Djava.security.auth.login.config=%DOMAIN_HOME%\bin\jaas.conf". The file looks like this:
Test {
    xxxx.controller.security.loginmodule.DatabaseUserLoginModule required;
};
When the user logs in, the application uses a LoginContext object to perform authentication:
PassiveCallbackHandler cbh = new PassiveCallbackHandler(username, password);
lc = new LoginContext("Test", cbh);
lc.login();
This successfully uses the DatabaseUserLoginModule to authenticate the user and populate the Subject with the appropriate roles.
The next step is to use an InitialContext to lookup an EJB and call a method. We have permissions in ejb-jar.xml for each method, based on database roles:
<method-permission>
<role-name>XXXX_USER</role-name>
<method>
<ejb-name>AccessControl</ejb-name>
<method-intf>Home</method-intf>
<method-name>create</method-name>
<method-params>
<method-param>java.lang.String</method-param>
</method-params>
</method>
<method>
<ejb-name>AccessControl</ejb-name>
<method-intf>Remote</method-intf>
<method-name>remove</method-name>
</method>
<method>
<ejb-name>AccessControl</ejb-name>
<method-intf>Remote</method-intf>
<method-name>processFailedLogin</method-name>
<method-params>
<method-param>java.lang.String</method-param>
</method-params>
</method>
<method>
<ejb-name>AccessControl</ejb-name>
<method-intf>Remote</method-intf>
<method-name>processSuccessfulLogin</method-name>
<method-params>
<method-param>java.lang.String</method-param>
</method-params>
</method>
</method-permission>
Hashtable env = new Hashtable();
env.put(Context.INITIAL_CONTEXT_FACTORY, "weblogic.jndi.WLInitialContextFactory");
env.put(Context.PROVIDER_URL, "t3://localhost:7101");
env.put(Context.SECURITY_PRINCIPAL, username);
env.put(Context.SECURITY_CREDENTIALS, password);
InitialContext ic = new InitialContext(env);
ic.lookup("EJBName");
The problem is that when the InitialContext is initialised I get the following error:
javax.naming.AuthenticationException [Root exception is javax.security.auth.login.FailedLoginException: [Security:090304]Authentication Failed: User XXXX_USER] javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User XXXX_USER denied]
It looks like the InitialContext is attempting to authenticate the user through WebLogic's default authenticator. How do I tell it to use the JAAS context (with the custom login module) I have already set up?
If I use the default constructor (new InitialContext()) then I get a different error when calling an EJB method:
<java.rmi.AccessException: [EJB:010160]Security violation: User <anonymous> has insufficient permission to access EJB type=<ejb>, application=TestApplication, module=TestEJB.jar, ejb=AccessControl, method=processSuccessfulLogin, methodInterface=Remote, signature={java.lang.String}.>
In this case, how do I propagate the Subject after using LoginContext so that the user calling EJB methods is not anonymous?
This is the JDev & ADF forum. Your question is better asked in one of the WebLogic forums!
Timo