JAAS + Autologin?

Similar Messages

• Opinions on implementing a JAAS login module to achieve SSO

  We are looking at implementing SSO from a sharepoint website to the portal.  The users who are accessing the Sharepoint site are using their own computers and are not members of the AD Domain, so they could theoretically be using any computer in the world to access Sharepoint.
  the desired user experience looks something like this.
  user--login> sharepoint site -no login--
  >portal
  One of the methods we are looking at to achieve this is to implement a custom JAAS login module that would authenticate the user if they are coming from the Sharepoint site.
  I would like to get your opinions on how viable you think this method is.  One of the goals of this method is ease of implementation, so if you can think of an easier way to implement this please let us know.
  the method is basically this.
  1. User logs into sharepoint using their AD username and password and establish an active session with sharepoint
  2. user navigates to a link in sharepoint that points to a resource in the SAP Portal
  3. we don't want the user to have to login to access the resource when they click on the link
  4. to facilitate this, sharepoint has constructed the link in the following way
  5. the link is an https link
  6. the link has two additional parameters in addition to whatever is necessary to navigate to the resource
  7. the parameters are
  8. un = the users AD username
  9. uh = sha1("secret_password_known_to_both_the_login_module_and_sharepoint" + "username")
  10. the user clicks the link and is directed to the SAP portal
  11. the sap portal has a custom JAAS login module which performs it's checks before the other login modules
  12. the custom module computes ( sha1("secret_password_known_to_both_the_login_module_and_sharepoint" + un)) and then compares the result with uh, if they are equal, the custom login module authenticates the user bypassing any further need for authentication, otherwise authentication passes to the original authentication modules as normal.
  If you think there is an easier way, please let us know.  We are essentially looking for the easiest/fastest way to implement this functionality that is still secure.

  Hey Gary,
    I'm currently using Apache running on RedHat that leverage Apache's mod_rewrite module. I've got a bank of 6 reverse proxies sitting in front of an SAP Portal and each proxy runs on a host with dual 3.33GHz processors and 8Gb or RAM. I know... they're waaay over-sized and they pretty much snooze all day.
    This is the sole entry point for all SAP users and we sized them to accommodate the "worst case" of about 5000 (potential) named users, concurrently. Realistically, we've only ever had about 1500 unique users hitting the systems in a day (following an upgrade go-live, everybody is curious and wants to log on) and a typical load of about 500 to 750 users in a day.
    Never had a real performance problem to speak of. As long as the proxies are tuned properly (ssl cache, sessions, etc.), you should be fine.
    Setting header variables and some other "custom stuff" is handled in Perl (need Apache's mod_perl active). We've got a script that's called by all users before being passed to the Portal.
    We used IISProxy.dll with an IIS web server a long time ago (5 years maybe?) but opted to can it in favor of the approach described above.
    If you ask SAP, they'll recommend you use a WebDispatcher... and that's certainly an option as well.
  -Kevin

• Problems using JAAS with EJB 3.0 on JBoss 4.0.4-GA

  Hello all,
  I am trying to build a very simple JavaEE application with JAAS, but I getting mad.
  I have an EAR packed with a WAR module an EJB JAR module and a JAR with other classes. Struts is the MVC framework and EJB 3.0 is been used.
  First of all, I configured the "login-config.xml" file within /conf directory in JBoss, like this:
  <application-policy name="exemplo1">
       <authentication>
            <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
                 <module-option name="dsJndiName">java:jdbc/Infra_Seguranca</module-option>
                 <module-option name="principalsQuery">SELECT COD_USUARIO AS Password FROM USUARIO WHERE COD_USUARIO=?</module-option>
                 <module-option name="rolesQuery">SELECT NOME_ROLE AS Roles, 'Roles' AS RoleGroups FROM ROLE_USUARIO WHERE COD_USUARIO=?</module-option>
            </login-module>
       </authentication>
  </application-policy>Next I configured the "web.xml" file like this:
  <security-constraint>
       <web-resource-collection>
            <web-resource-name>Restricted</web-resource-name>
            <description>Declarative security tests</description>
            <url-pattern>*.do</url-pattern>
       </web-resource-collection>
       <auth-constraint>
            <role-name>xxx</role-name>
       </auth-constraint>
       <user-data-constraint>
            <description>no description</description>
            <transport-guarantee>NONE</transport-guarantee>
       </user-data-constraint>
  </security-constraint>
  <login-config>
       <auth-method>FORM</auth-method>
       <realm-name>exemplo1</realm-name>
       <form-login-config>
            <form-login-page>/login.jsp</form-login-page>
            <form-error-page>/loginErro.jsp</form-error-page>
       </form-login-config>
  </login-config>
  <security-role>
       <description>Role xxx</description>
       <role-name>xxx</role-name>
  </security-role>Notice that I am using the "xxx" role to protect the "*.do" URL pattern.
  The "jboss-web.xml" is like this:
  <?xml version="1.0"?>
  <jboss-web>
       <security-domain>java:/jaas/exemplo1</security-domain>
  </jboss-web>As it is, it works perfectly, which means, every time I try to access a "*.do" URL it verifies whether I am authenticated and have authroization or not. If not, the login page shows up.
  Now I wanna to be able to also protect my EJBs.
  My Stateless Session Bean is implemented as follow:
  @RolesAllowed("yyy")
  @Stateless(name="UserManagement")
  public class UserManagementBean implements UserManagement {
       public void add(User user) {
  }When I run all this, the container simply igoners the @RolesAllowed("yyy") annotation and allow the EJB execution.
  If I add the "jboss.xml" file, like this:
  <?xml version="1.0"?>
  <jboss>
       <security-domain>java:/jaas/exemplo1</security-domain>
  </jboss>I start getting this stack trace:
  ERROR [UsersRolesLoginModule] Failed to load users/passwords/role files
  java.io.IOException: No properties file: users.properties or defaults: defaultUsers.properties found
  at org.jboss.security.auth.spi.Util.loadProperties(Util.java:313)
  at org.jboss.security.auth.spi.UsersRolesLoginModule.loadUsers(UsersRolesLoginModule.java:186)
  at org.jboss.security.auth.spi.UsersRolesLoginModule.createUsers(UsersRolesLoginModule.java:200)
  at org.jboss.security.auth.spi.UsersRolesLoginModule.initialize(UsersRolesLoginModule.java:127)
  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  ... Am I missing something? What do I have to do to get JAAS working fine with my EJBs? Do I have to also configure and/or provide "ejb-jar.xml" ???
  Thanks
  Daniel

  Using @SecurityDomain("exemplo1") in my EJB and NOT providing jboss.xml, it works.
  @SecurityDomain("exemplo1")
  @RolesAllowed("yyy")
  @Stateless(name="UserManagement")
  public class UserManagementBean implements UserManagement {
    public void add(User user) {
  }Damn! This is some serious shit... I don�t want to configure this in every single EJB.
  EJB 3.0 is nice, but some small trivial details like this and others, that was forgotten by Sun, piss me off!

• JAAS ,SSO and OC4J

  Hi ,
  Earlier , We were connecting our application as partner applications in portal for SSO authentication. We used SSO sdk for diverting requests to SSO. I was reading some literature and it seems oracle is supporting connecting to SSO from JAAS provider. Can i get a documentation for 10G JAAS (With details on how to connect to SSO).
  questions
  1. Is JAAS just replacement of SSO sdk and we still need to define partner applications?
  2.Do I need to configure mod_osso ? and then JAAS will give user details . (I don't need to define partner application.)
  thanks
  Simar

  I do believe there is a logout URL that you need to set. When the user logs out of the application, they also need to be redirected to the logout URL. This is covered in the Oracle Application Server Single Sign-On Application Developer's Guide
  From the doc:
  Security Issues: Single Sign-Off and Application Logout
  If you build custom applications using OracleAS release 9.0.4, note the following: when global logout, or single sign-off, is invoked, only the single sign-on and mod_osso cookies are cleared. This means that an OracleAS application must be coded to store single sign-on user and realm names in either the OC4J session or in the application session. The application must then compare these values to those passed by mod_osso. If a match occurs, the application must show personalized content. If no match occurs, which means that the mod_osso cookie is absent, the application must clear the application session and force the user to log in.
  They also have a code example:
  Application Logout: Recommended Code
  Most applications that authenticate users have a logout link. In a single-sign-on-enabled application, the user invokes the dynamic directive for logout in addition to other code in the logout handler of the application. Invoking the logout directive initiates single sign-off, or global logout. The example that follows shows what single sign-off code should look like in Java.
  // Clear application session, if any
  String l_return_url := return url to your application e.g. home page
  response.setHeader( "Osso-Return-Url", l_return_url);
  response.sendError( 470, "Oracle SSO" );

• How to Set Up SSO Between IBM WebSphere and SAP EP Using JAAS

  Hi
  I have read the article on SDN called "How to Set Up SSO Between IBM WebSphere and SAP EP Using JAAS", which is also the name of my posting.
  The reason why I post this is that I've tried to follow the links in the PDF to get the file WebsphereEpSsoLib.zip but I get an error 403, which tells me that the file is not there.
  Does anybody know where this file went or can somebody tell me an alternative place to get this file?
  Jacob

  Please open the associated whitepaper, and you can find the download link to the .ZIP file on page 4.
  https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/ibm/how to set up single sign-on between an ibm websphere portal and the sap enterprise portal using jaas.pdf
  Hope that works!
  Elise

• Autologin on Windows Server 2008 R2 - local Administrator problem

  I needed an user to autologin on a Windows Server 2008 R2 server.
  Configured it following this guide: http://www.danj.co.uk/2011/06/enable-autologon-for-windows-2008-r2.html
  In addition I added the login information by using the Autologon tool from sysinternals: http://technet.microsoft.com/en-us/sysinternals/bb963905.aspx
  Now the user I configured autologins successfully. The only downside is that now you can login with the local Administrator account by just hitting enter, as it now doesn't check the password and instead has a blank one. I think this comes from the User
  accounts screen where I unticked the checkbox and also the Administrator account is listed. When trying to remove the local Administrator it tells me that it will delete the account. I don't want that.
  How do I keep autologin of the user I configured but also have the local Administrator account check his password?

  Hello,
  please see
  http://www.expta.com/2008/04/how-to-enable-autologon-for-windows.html
  Best regards
  Meinolf Weber
  MVP, MCP, MCTS
  Microsoft MVP - Directory Services
  My Blog: http://blogs.msmvps.com/MWeber
  Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
  Twitter:  

• Plans to change JAAS/GSS for Windows XP SP2 and beyond

  Are there any plans to reimplement JAAS GSS on the windows platform to account for this issue:
  Cause 2: This exception is thrown when using native ticket cache on some Windows platforms. Microsoft has added a new feature in which they no longer export the session keys for Ticket-Granting Tickets (TGTs). As a result, the native TGT obtained on Windows has an "empty" session key and null EType. The effected platforms include: Windows Server 2003, Windows 2000 Server Service Pack 4 (SP4) and Windows XP SP2.
  Solution 2: You need to update the Windows registry to disable this new feature. The registry key allowtgtsessionkey should be added--and set correctly--to allow session keys to be sent in the Kerberos Ticket-Granting Ticket.
  Thanks!
  -Bob

  This is an old thread, but one of my clients has run into the same problem. Hopefully someone is still monitoring....
  The answer is that the implementation should not be trying to do anything directly with keys. Delegation works just fine if it has been configured correctly in AD. Simply impersonate the context on the server side and then call the appropriate API to get a new service ticket and it will use the forwarded TGT. Credential delegation solved.
  MS was correct to "fix" the session key interface since it allowed user code to attain a "password equivalent". The JAAS implementation should be fixed to use the Windows authentication interfaces correctly.
  Thanks,
  Dave
  Feel free to contact me offline for more information or pointers at [email protected] (remove the no-spams).

• JAAS and Active Directory Problem

  I am attempting to use the JAAS Tutorial code to authenticate against a Windows 2000 domain controller. The code as is works against a domain controller that I set up, but when I attempt to authenticate against a client's domain, I receive an exception:
  Authentication failed:
  Pre-authentication information was invalid (24)
  javax.security.auth.login.LoginException: Pre-authentication information was invalid (24)
  The troubleshooting documentation indicates that this could mean 3 things:
  1. the password is incorrect - since I am logging in with my account, I am certain the password is correct.
  2. you are using the keytab to obtain the key and the key may have changed since obtaining the keytab - I am not using the useKeyTab option in my configuration of the Krb5oginModule and the option defaults to false.
  3. clock skew. I am sure that there is no time difference between my computer and the server.
  That said, does anyone know of any other reason that authentication will fail?

  I am using....
  AppConfigurationEntry entry = new AppConfigurationEntry(
  "com.sun.security.auth.module.Krb5LoginModule",
  AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
  options);
  and I get the same thing. Running Win2K Pro. Trying to use GSS-API to do Kerberos authentication.
  Jay

• How user OID (or other ldap) users with JAAS in my JEE application?

  Hy people,
  I'm developing a JEE application and for secuity I'm using JAAS, but I would like use users from my OID to authenticate. Is it possible? Can someone help me?
  Thanks!!!
  Regards,

  Hi, me again.
  It's possible. Just need configure the realm in Weblogic, configure your JAAS security in application. The realm name must be the same in application and WL.
  Just this.
  Thks!

• How to get both JDNI context and JAAS Subject with EJB

  I looked at the JAAS docs and sample, but I'm still confused about
  something. There is a sample of JAAS in a regular, non-EJB scenario. The
  client initializes the LoginContext, calls login(), then retrieves the
  Subject (and possibly later does something with Subject.doAs()). However, in
  the typical EJB scenario, the client initializes the JNDI context, then does
  the lookup on the bean name (which implicitly does the authentication to the
  container). How do they work together, thought? I.e., what does the client
  code look like if JAAS authentication is to be used from an EJB client?
  Thank you!

  In your login module you have to authenticate the user to the Weblogic Server as
  well . For simplicity, Weblogic comes with a class weblogic.security.auth.Authenticate
  to login a subject with Weblogic Server.
  Once logged in, any thread that is invoked within the context of a Subject.doAs
  call gets that subject associated with it.
  Hope that helps
  "Allan" <dfusdfsdfsd> wrote:
  I looked at the JAAS docs and sample, but I'm still confused about
  something. There is a sample of JAAS in a regular, non-EJB scenario.
  The
  client initializes the LoginContext, calls login(), then retrieves the
  Subject (and possibly later does something with Subject.doAs()). However,
  in
  the typical EJB scenario, the client initializes the JNDI context, then
  does
  the lookup on the bean name (which implicitly does the authentication
  to the
  container). How do they work together, thought? I.e., what does the client
  code look like if JAAS authentication is to be used from an EJB client?
  Thank you!

• Web app security + JAAS

  I'm working on the authentication/authorisation aspects of a fairly
  large web application using WLS 6.0 (ie allowing users to login and
  access resources based on role etc).
  Its a standard JSP/Servlet/EJB type architecture and so far it seems
  the FORM-based authentication will serve our needs well. However, I've
  been instructed (by higher powers) to investigate JAAS authentication.
  It looks far more complex to implement so my question is, does it
  offer any significant advantages that justify the extra work?
  Thanks for your time.

  "john hryn" <[email protected]> wrote in message
  news:3fce2551$[email protected]..
  >
  Hi,
  I am using WebLogic 8.1 platform. I am trying to create a very basicsecure web
  app.
  I created an App and created a web project. In it, I deleted thecontroller, etc
  and just have index. jsp. All the index.jsp does is: <%=request.getRemoteUser()
  %>
  In web.xml I have
  <security-constraint>
  <web-resource-collection>
  <web-resource-name>Success</web-resource-name>
  <url-pattern>*.jsp</url-pattern>
  <http-method>GET</http-method>
  <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
  <role-name>*</role-name>I think you should have dealers instead of *
  </auth-constraint>
  </security-constraint>
  <login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>default</realm-name>
  </login-config>
  <security-role>
  <role-name>*</role-name>And here too.
  </security-role>
  In weblogic.xml I have
  <security-role-assignment>
  <role-name>dealers</role-name>
  <principal-name>dealer1</principal-name>
  </security-role-assignment>

• How to Use Weblogic6.1 JAAS Sample in Servlet???

  Hi there,
  I am now developing JAAS security service based on weblogic. Here is the problem I met with:
  1. There is no problem when invoking JAAS sample from application.
  But Subject.doAs() is denied when moving the application to servlet.
  2. It is said that when invoking JAAS from servlet,
  an authenticated subject will be returned using:
  Subject subjectTest = loginContext.getSubject();
  How can I store the subject into the session and be called later?
  3. getUserPrincipal(), isUserInRole() are two important
  methods in authenticaion on web services.
  How is the user principal and role stored in the session?
  4. Where can I find some tutorials on invoking JAAS service from servlet?
  Thanks.
  ============================================================
  This is my source code
  package examples.security.jaas;
  import javax.servlet.*;
  import javax.servlet.http.*;
  import javax.naming.Context;
  import javax.naming.InitialContext;
  import java.io.*;
  import java.util.*;
  import javax.security.auth.Subject;
  import javax.security.auth.callback.Callback;
  import javax.security.auth.callback.CallbackHandler;
  import javax.security.auth.callback.TextOutputCallback;
  import javax.security.auth.callback.TextInputCallback;
  import javax.security.auth.callback.NameCallback;
  import javax.security.auth.callback.PasswordCallback;
  import javax.security.auth.callback.UnsupportedCallbackException;
  import javax.security.auth.login.LoginContext;
  import javax.security.auth.login.LoginException;
  import javax.security.auth.login.FailedLoginException;
  import javax.security.auth.login.AccountExpiredException;
  import javax.security.auth.login.CredentialExpiredException;
  public class SampleServlet extends HttpServlet
  public void doGet(HttpServletRequest req, HttpServletResponse res)
  throws ServletException, IOException
  doPost(req, res);
  System.out.println("1\n");
  public void doPost(HttpServletRequest req, HttpServletResponse res)
  throws ServletException, IOException
  HttpSession session = req.getSession(true);
  res.setContentType("text/html");
  PrintWriter out = res.getWriter();
  System.out.println("2\n");
  String username = req.getParameter("username");
  String password = req.getParameter("password");
  String url = req.getParameter("url");
  LoginContext loginContext = null;
  Context ctx = null;
  try
  // Set server url for SampleLoginModule
  Properties property = new Properties(System.getProperties());
  property.put("weblogic.security.jaas.ServerURL", "http://localhost:7001");
  System.setProperties(property);
  property = new Properties(System.getProperties());
  property.put("weblogic.security.SSL.ignoredHostnameVerification", "TRUE");
  System.setProperties(property);
  // Set configuration class name to load SampleConfiguration
  property = new Properties(System.getProperties());
  property.put("weblogic.security.jaas.Configuration", "examples.security.jaas.SampleConfig");
  System.setProperties(property);
  // Set configuration file name to load sample configuration policy file
  property = new Properties(System.getProperties());
  property.put("weblogic.security.jaas.Policy", "Sample.policy");
  System.setProperties(property);
  // Create LoginContext; specify username/password login module
  loginContext = new LoginContext("SamplePolicy", new MyCallbackHandler());
  catch(SecurityException se)
  se.printStackTrace();
  System.exit(-1);
  catch(LoginException le)
  le.printStackTrace();
  System.exit(-1);
  System.out.println("SampleServlet:" + username + "\n");
  // Attempt authentication
  try
  // If we return without an exception, authentication succeeded
  loginContext.login();
  catch(FailedLoginException fle)
  out.println("Authentication Failed, " + fle.getMessage());
  System.exit(-1);
  catch(AccountExpiredException aee)
  out.println("Authentication Failed: Account Expired");
  System.exit(-1);
  catch(CredentialExpiredException cee)
  out.println("Authentication Failed: Credentials Expired");
  System.exit(-1);
  catch(Exception e)
  out.println("Authentication Failed: Unexpected Exception, " + e.getMessage());
  e.printStackTrace();
  System.exit(-1);
  // Retrieve authenticated subject, perform SampleAction as Subject
  out.println("Authentication succeeded " );
  System.out.println("===============start to trace333\n");
  Subject subject = loginContext.getSubject();
  System.out.println("Subject:"+subject.toString()+"\n");
  System.out.println("Subject.getclass:" + subject.getClass().getName());
  SampleAction sampleAction = new SampleAction();
  Subject.doAs(subject, sampleAction);
  System.out.println("4\n");
  // System.exit(0);
  ========================================================
  void doPost(
  HttpServletRequest req,
  HttpServletResponse resp) {
  Principal p =
  req.getUserPrincipal();
  auditCall(p.getName());
  if (req.isUserInRole(
  "ManagersRole")) {
  // Do some Manager stuff
  } else if
  (ctx.isUserInRole(
  "SalesRole")) {
  // Do some Sales stuff
  I'll describe where JAAS fits in to the web app model but please note that some of this should be automatically handled by your Servlet container.
  Servlet engine (or your MVC servlet controller) receives a request for a protected resource.
  It then checks for the existence of an "authenticated" token in the HttpSession.
  If that token doesn't exist then it forwards the user to the login page.
  The user fills in the form, and the login servlet receives the username and password at which point the JAAS Login Module is called with two callback objects: one that returns the username and one that returns the password.
  The JAAS Module checks to see if the credentials are valid, if not, it throws an authentication exception.
  Once control is returned to the Login Servlet, the Login Servlet would add the authenticated "Subject" to the HttpSession and if necessary, an authentication "token".
  So, JAAS is really only called ONCE, not for every web request, and it's called
  by the "logical" Login Servlet AFTER the user submits their login information.
  JAAS is not used to check for whether the user is authenticated already or not.
  the weblogic 6.1 server side exception
  username: joeuser
  password: joepass
  <May 25, 2002 11:05:20 PM PDT> <Error> <HTTP> <[WebAppServletContext(2169486,exa
  mplesWebApp,/examplesWebApp)] Servlet failed with Exception
  java.lang.SecurityException: Attempting Privileged Action With Unauthenticated S
  ubject
  at javax.security.auth.Subject.doAs(Subject.java:74)
  at examples.security.jaas.SampleClient.startWeb(SampleClient.java:200)
  at jsp_servlet.__poc1._jspService(__poc1.java:92)
  at weblogic.servlet.jsp.JspBase.service(JspBase.java:27)
  at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubIm
  pl.java:265)
  at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubIm
  pl.java:200)
  at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppSe
  rvletContext.java:2495)
  at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestIm
  pl.java:2204)
  at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:139)
  at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:120)
  >

  If anyone of you, has got any answers related to the above mentioned problem, Post it here, Will folks from SUN respond to this at any time.
  Regards
  Jayendran

• Autologin to an account when using multiple users

  Is there a way to have a mac running Mac OS 9 set up with multiple users autologin to one of the accounts?
  Ok, since I know people will ask why do you want to do that. I have an old mac and found my old XTension home automation software. I want to make this machine a dedicated home lighting controller. (I have a new mac mini doing this in my house, but I wanted to play with the old machine for fun). Now, I have multiple users set up and one account for home automation that has the panel version of the finder and the only application visible is XTension. This all works great.
  If the power goes out, I want the machine to reboot into this home automation account automatically. I also want to have the machine power cycle once a week just to keep from any memory problems etc.

  Hi, Mark -
  I know of no way that could be set up, since nothing usable runs until an account is logged into.
  I assume that you want to retain the ability to switch to a full OS whenever needed; otherwise, the solution would be to turn Multiple Users off, and set the OS up the way you want it for automation purposes.
  Two possible solutions allowing the retention of the ability to have a fully-operational OS available -
  • Partition the hard drive, then install OS 9 on both (it can be installed on one, then copied via drag-and-drop to get it on the other partition also). Set one up as a fully-functional OS, and the other as a limited-to-automation one. Once you set the startup disk selection to the partition with the automation version, whenever the machine is restarted it will continue to use that one. You can use Startup Disk control panel to switch booting to the other OS when needed. Note - partitioning a drive will erase its entire contents, so you would need to first back up anything you do not want to lose.
  • Similar to the preceding, but, provided your machine has the capability to accept a second internal drive, add a hard drive to provide the second volume.
  The advantage of the first one is that there is no additional cost. The advantage of the second is that you need not erase the original drive.

• Has anyone used JAAS with WebLogic?

  Has anyone used JAAS with Weblogic? I was looking at their example, and I have a bunch of questions about it. Here goes:
  Basically the problem is this: the plug-in LoginModule model of JAAS used in WebLogic (with EJB Servers) seems to allow clients to falsely authenticate.
  Let me give you a little background on what brought me to this. You can find the WebLogic JAAS example (to which I refer below) in the pdf: http://e-docs.bea.com/wls/docs61/pdf/security.pdf . (I believe you want pages 64-74) WebLogic, I believe goes about this all wrong. They allow the client to use their own LoginModules, as well as CallBackHandlers. This is dangerous, as it allows them to get a reference (in the module) to the LoginContext's Subject and authenticate themselves (i.e. associate a Principal with the subject). As we know from JAAS, the way AccessController checks permissions is by looking at the Principal in the Subject and seeing if that Principal is granted the permission in the "policy" file (or by checking with the Policy class). What it does NOT do, is see if that Subject
  has the right to hold that Principal. Rather, it assumes the Subject is authenticated.
  So a user who is allowed to use their own Module (as WebLogic's example shows) could do something like:
  //THEIR LOGIN MODULE (SOME CODE CUT-OUT FOR BREVITY)
  public class BasicModule implements LoginModule
  private NameCallback strName;
  private PasswordCallback strPass;
  private CallbackHandler myCB;
  private Subject subj;
           //INITIALIZE THIS MODULE
             public void initialize(Subject subject, CallbackHandler callbackHandler, Map sharedState, Map options)
                    try
                         //SET SUBJECT
                           subj = subject;  //NOTE: THIS GIVES YOU REFERENCE
  TO LOGIN CONTEXT'S SUBJECT
                                                   // AND ALLOWS YOU TO PASS
  IT BACK TO THE LOGIN CONTEXT
                         //SET CALLBACKHANDLERS
                           strName = new NameCallback("Your Name: ");
                           strPass = new PasswordCallback("Password:", false);
                           Callback[] cb = { strName, strPass };
                         //HANDLE THE CALLBACKS
                           callbackHandler.handle(cb);
                    } catch (Exception e) { System.out.println(e); }
       //LOG THE USER IN
         public boolean login() throws LoginException
            //TEST TO SEE IF SUBJECT HOLDS ANYTHING YET
            System.out.println( "PRIOR TO AUTHENTICATION, SUBJECT HOLDS: " +
  subj.getPrincipals().size() + " Principals");
            //SUBJECT AUTHENTICATED - BECAUSE SUBJECT NOW HOLDS THE PRINCIPAL
             MyPrincipal m = new MyPrincipal("Admin");
             subj.getPrincipals().add(m);
             return true;
           public boolean commit() throws LoginException
                 return true;
      }(Sorry for all that code)
  I tested the above code, and it fully associates the Subject (and its principal) with the LoginContext. So my question is, where in the process (and code) can we put the LoginContext and Modules so that a client cannot
  do this? With the above example, there is no Security. (a call to: myLoginContext.getSubject().doAs(...) will work)
  I think the key here is to understand JAAS's plug-in security model to mean:
  (Below are my words)
  The point of JAAS is to allow an application to use different ways of authenticating without changing the application's code, but NOT to allow the user to authenticate however they want.
  In WebLogic's example, they unfortunately seem to have used the latter understanding, i.e. "allow the user to authenticate however they want."
  That, as I think I've shown, is not security. So how do we solve this? We need to put JAAS on the server side (with no direct JAAS client-side), and that includes the LoginModules as well as LoginContext. So for an EJB Server this means that the same internal permission
  checking code can be used regardless of whether a client connects through
  RMI/RMI-IIOP/JEREMIE (etc). It does NOT mean that the client gets to choose
  how they authenticate (except by choosing YOUR set ways).
  Before we even deal with a serialized subject, we need to see how JAAS can
  even be used on the back-end of an RMI (RMI-IIOP/JEREMIE) application.
  I think what needs to be done, is the client needs to have the stubs for our
  LoginModule, LoginContext, CallBackHandler, CallBacks. Then they can put
  their info into those, and everything is handled server-side. So they may
  not even need to send a Subject across anyways (but they may want to as
  well).
  Please let me know if anyone sees this problem too, or if I am just completely
  off track with this one. I think figuring out how to do JAAS as though
  everything were local, and then putting RMI (or whatever) on top is the
  first thing to tackle.

  Send this to:
  newsgroups.bea.com / security-group.

• Is this a bug of JAAS/JAZN  in JDev 10.1.3 ?

  Hi All,
  I implement file based security eith JAAS and JDev10.1.3, that works but there are two strange things that I wonder where it is bug :
  1.) When I go to JAZN Data Properties from JDev , I see many 'uncreated' users like : DataBase_User_zbLu50HDPQULTOUZkmbSn3fjEowJ-YHy, DataBase_User_lE4mfb1ETJPcD3sOeYaSfiHw3n0hM8BQ etc, what are these ?
  (they get deployed also when I deploy the app to OC4J)
  2) When I deploy to OC4J stand alone, my real users I created from JDev for testing do not seem to get deployed, only the 'garbage' users that I mentioned above get deployed.
  On the OC4J Server, to make it workm I have to manually copy : jazn-data.xml
  FROM : C:\OC4J\j2ee\home\applications\MyApp\MyAppViewArchive\WEB-INF\classes\META-INF
  TO : C:\OC4J\j2ee\home\application-deployments\MyApp
  Is this also a bug ?
  Thank you for your help,
  xtanto

  Xtanto,
  1) what you call "garbage" users are the database connects you have defined in JDeveloper. You can delete them from jazn-data.xml before deployment. The "garbage" you see is used for password indirection, to make sure the clear password is not added to the jazn-data.xml file
  2) Create jazn-data.xml file in your project. Add the users you like to use. Then create orion-application.xml in the same project, which by default points to the jazn-data.xml file in the project. This then should make OC4J using the jazn-data.xml file of your project instead of generating a new one
  Frank