Jaas + custom policy

I want to source my JAAS policy files from a database.
I extended java.security.Policy and I can dynamically assign permissions to a codesource. I also have JAAS authorization running without any problems. What I can't figure out is how I can associate a dynamic principal with a protection domain so that getPermissions(ProtectionDomain) will magically work with Subject.doAs without re-writing half of sun.security. Has anyone accomplished something like this? I'm concentrating on 1.4, altho I'm not above using a 1.3 specific solution.

I think I've worked it out (I don't think anyone cares anymore though). This post is just up here so people hit it when they search.
If you subclass Policy and set it (e.g. using Policy.setPolicy or with properties files), then you implment the
boolean implies(ProtectionDomain dom, Permission perm)Method, then it pretty much works!
Whenever you do some action with Subject.doAsPrivileged, for example, an array or principals is given you your implies method available in the ProtectionDomain, i.e. with
boolean implies(ProtectionDomain dom, Permission perm)
  Principal[] prins = dom.getPrincipals();
  for (int i = 0; i < prins.length; i++)
     if (prins[i] instanceof MyPrincipal) {
       MyPrincipal p = (MyPrincipal) prins;
return UserPermissions.getPermissionSetFor(p).contains(perm); // or something. Havn't worked out exactly what happens here
return false;
I think that's how it works.
Here's some code I wrote to test these ideas out. When you run it, you notice that none of the other Policy methods (getPermissions() in particular) are ever called.
import javax.security.auth.Subject;
import java.security.Policy;
import java.security.PrivilegedAction;
import java.io.FileInputStream;
import java.io.File;
import java.io.IOException;
import java.util.Set;
import java.util.HashSet;
import java.util.logging.Logger;
public class JaasExperiment {
    public static void main(String args[])
        Policy.setPolicy(new MyPolicy());
        Set pubcred = new HashSet();
        Set privcred = new HashSet();
        Set princips = new HashSet();
        princips.add(new MyPrincipal("keith"));
        Subject keith = new Subject(false, princips, pubcred, privcred);
        Subject.doAsPrivileged(keith, new MyAction(), null);
        Set mprincips = new HashSet();
        mprincips.add(new MyPrincipal("michelle"));
        Subject michelle = new Subject(false, mprincips, pubcred, privcred);
        Subject.doAsPrivileged(michelle, new MyAction(), null);
        Logger.global.info("Finished");
    private static class MyAction implements PrivilegedAction
        public Object run() {
             try {
                FileInputStream in = new FileInputStream(new File("src/JaasExperiment.java"));
                int ch;
                while ((ch = in.read()) != -1)
                    System.out.print((char)ch);
                in.close();
            } catch (IOException e) {
                e.printStackTrace();
            return null;
import java.security.*;
import java.util.logging.Logger;
public class MyPolicy extends Policy
    boolean checking = true;
    private static Logger log = Logger.getLogger("MyPolicy");
    static {
        log.info("MyPolicy loaded");
    public PermissionCollection getPermissions(ProtectionDomain domain) {
        log.info("getPermissions domain:"+domain.toString());
        return null;
    public PermissionCollection getPermissions(CodeSource codesource)
        log.info("getPermissions codewsource:"+codesource);
        return null;
    public boolean implies(ProtectionDomain domain, Permission permission) {
        //log.entering("MyPolicy", "implies");
        log.finest("Domain codsource is:"+domain.getCodeSource().toString());
        log.fine("Permission "+ permission.getClass().getName() +":"+permission.getName() + " Requested");
        if (domain instanceof Object) {
            Object o = (Object) domain;
        Principal[] ppls= domain.getPrincipals();
        for (int i=0; i < ppls.length; i++)
            log.info("Principal "+i+" is " + ppls.getName());
if (checking)
checking = false;
//log.info("Domain:"+domain.toString());
//log.info("permission:"+permission.toString());
//log.exiting("MyPolicy", "implies");
return true;
public void refresh()
import java.security.Principal;
public class MyPrincipal implements Principal{
private final String name;
public MyPrincipal(String name)
this.name = name;
public String getName() {
return name;

Similar Messages

  • Custom Policy vs. J2EE Security

    Hi there, Java Security architecture gurus,
    I am currently trying to find the best architecture for the new security framework for our company's application. The system requires instance based security. ACLs are stored in a database. JAAS's authentication is just fine, but its file based authorization is not sufficient for our needs. Access rights change during runtime and they should not be refreshed that inefficient way with Policy.refresh().
    The solution I would like to establish should cope with changing environments without the need to change the code that is using security checks. E.g. the app should be able to run as a stand-alone application or within J2EE application servers or servlet engines.
    I have looked at the Java 2 Security API and found out that implementing a customized version of the JAAS Policy class can be one approach. A good benefit is the tight integration with the Java Security framework and that it not necessary to reimplement things like the AccessController and privileged actions.
    Now, I have the following questions:
    - Is the custom Policy a common solution when the application is deployed on a J2EE appserver?
    - Is it possible to delegate permission checking of the system permissions (FilePermission, PropertyPermission, etc.) to the original Policy implementation? I would not really want to have to include all of these in the database table.
    The alternative approach would probably be J2EE security with the cost of restricting the app to the J2EE environment. To me it seems to be impossible to implement instance based security with role based descriptive J2EE security. With programatic EJB security, I would need to make isPrincipalInRole() completely dynamic to support it.
    I looked through the forum for quite a while without success but if you already discussed this topic I would really appreciate a pointer.
    Thanks,
    Christoph

    Chris,
    There is a very good article from IBM that implements the same thing you are trying to implement i.e. instance base security and also custom Policy(u may need this).
    http://www-106.ibm.com/developerworks/library/j-jaas/?n-j-442
    Now, I have the following questions:
    - Is the custom Policy a common solution when the application is deployed on a J2EE appserver?
    Custom policy is required primarily if you are going away from the default policy format that sun recommends. If you want to read your permissions from a database you may need to implement a custom Policy class.
    - Is it possible to delegate permission checking of the system permissions (FilePermission, PropertyPermission, etc.) to the original Policy implementation? I would not really want to have to include all of these in the database table.
    This is recommended by Sun. You may have to delegate the Permission checks that you know you cannot handle to default policy class.
    In your CustomPolicy.java getPermissions() method, the following code will code to the end of the function
    // If the permission is not found here then delegate it
    // to the standard java Policy class instance.
    java.security.Policy policy = java.security.Policy.getPolicy();
    return policy.getPermissions(codeSource);
    Hope this helps.

  • Error while invoking webservice attached with custom policy

    I created a webservice in SOA 11g and attached a custom policy which is doing encryption(message protection) to its exposed service endpoint .This web service runs fine if i run it independently. Then i created a simple SOA process and call this web service.Then i am getting Fabric Invocation Exception.Can anyone tell me what can be the problem?

    I want to do the encyrpton only in secured webservice. I just want to invoke that web service from another process. In this case which policy can i attach in the reference of the SOA process which is calling secured web service?

  • Retrieve Client IP Address in a Oracle WebServices Manager Custom Policy

    Hi everybody,
    For some reasons i had to implement a custom policy in the OWSM, to restrict the access to webservices by Client IP Addresses. I´ve been following the examples for custom policies mentioned in the books: "Oracle Web Services Manager, Oracle Web Services Manager" by Sitaraman Lakshminarayanan, and the "Oracle® Web Services Manager Extensibility Guide 10g (10.1.3.3.0)" by Oracle. I followed the examples mentioned in those books to implement my Custom policy, the policy is successfully deployed to OWSM and it works, only by the issue that when i want to retrieve the Client Ip address it returns null, and following the example by the Oracle Guide, the HttpServletRequest its also returns null, im desperated because in every site that i finally find some info about it, quotes any of these 2 examples in those books, and mine doesnt work! this is the code of the custom policy, i´ve combined the 2 aproaches:
    package project1;
    import com.cfluent.ccore.util.logging.ILogger;
    import com.cfluent.ccore.util.logging.Level;
    import com.cfluent.ccore.util.logging.LogManager;
    import com.cfluent.pipelineengine.container.MessageContext;
    import com.cfluent.policysteps.sdk.AbstractStep;
    import com.cfluent.policysteps.sdk.Fault;
    import com.cfluent.policysteps.sdk.IMessageContext;
    import com.cfluent.policysteps.sdk.IResult;
    import com.cfluent.policysteps.sdk.InvocationStatus;
    import com.cfluent.policysteps.sdk.Result;
    import java.util.HashMap;
    import java.util.Iterator;
    import java.util.Vector;
    import javax.servlet.http.HttpServletRequest;
    public class CustomPolicy extends AbstractStep {
    private static String CLASSNAME = CustomPolicy.class.getName();
    private static ILogger LOGGER = LogManager.getLogger(CLASSNAME);
    private String allowedIpAddress = null;
    private String allowedRoleName = null;
    private String protectedServiceMethodName = null;
    public CustomPolicy() {
    public void init() throws IllegalStateException {
    // nothing to initialize
    public void destroy() {
    * This is the main method which will validate that the request is coming from
    * the correct IP Address and has permission to access the specified metod.
    public IResult execute(IMessageContext messageContext) throws Fault {
    LOGGER.entering(CLASSNAME, "execute");
    Result result = new Result();
    result.setStatus(IResult.FAILED); //initialize result
    String processingStage = messageContext.getProcessingStage();
    LOGGER.log(Level.INFO, "Processing stage is " + processingStage);
    HttpServletRequest httpServletRequest = (HttpServletRequest)
    messageContext.getProperty("javax.servlet.request");
    String remoteAddr = httpServletRequest.getHeader("Host");
    LOGGER.log(Level.SEVERE, "Dir IP:"+remoteAddr);
    String remoteHost = httpServletRequest.getRemoteHost();
    LOGGER.log(Level.INFO, "ADDR" + remoteAddr+ "HOST"+remoteHost);
    boolean isRequest =
    (IMessageContext.STAGE_REQUEST.equals(messageContext.getProcessingStage()) ||
    IMessageContext.STAGE_PREREQUEST.equals(messageContext.getProcessingStage()));
    //Execute the step Only when its a Request pipeline else return success
    if (!isRequest) {
    result.setStatus(IResult.SUCCEEDED);
    return result;
    MessageContext msgCtxt = (MessageContext)messageContext;
    String _MethodName = msgCtxt.getRequest().getMethodName();
    LOGGER.log(Level.INFO,
    "Writing Allowed IP Addr before creating SOAP header " +
    allowedIpAddress);
    LOGGER.log(Level.INFO,
    "Writing Remote IP Addr before creating SOAP header " +
    msgCtxt.getRemoteAddr());
    /*LOGGER.log(Level.INFO,
    "Writing Remote IP Addr before creating SOAP header " +
    remoteAddr);*/
    String cadTempo = allowedIpAddress;
    Vector vect = new Vector();
    for (int i = 0; i < allowedIpAddress.length(); i++) {
    if (cadTempo.indexOf(",") != -1) {
    //vect.add(cadTempo.substring(0, cadTempo.indexOf(",") - 1));
    vect.add(cadTempo.substring(0, cadTempo.indexOf(",")));
    cadTempo =
    cadTempo.substring(cadTempo.indexOf(",") + 1, cadTempo.length());
    LOGGER.log(Level.INFO,
    "AQUI111");
    } else {
    if (!cadTempo.equalsIgnoreCase("")) {
    vect.add(cadTempo);
    LOGGER.log(Level.INFO,
    "AQUI222");
    break;
    for(int i=0;i<vect.size();i++){
    String temp = (String)vect.get(i);
    if (temp.equals(msgCtxt.getRemoteAddr()) &&
    _MethodName.equals(protectedServiceMethodName)) {
    LOGGER.log(Level.INFO,
    "AQUI333");
    result.setStatus(IResult.SUCCEEDED);
    break;
    } else {
    msgCtxt.getInvocationStatus().setAuthorizationStatus(InvocationStatus.FAILED);
    LOGGER.log(Level.INFO,
    "AQUI444");
    /*if(allowedIpAddress!=null){
    result.setStatus(IResult.SUCCEEDED);
    /*if (allowedIpAddress.equals(msgCtxt.getRemoteAddr()) &&
    _MethodName.equals(protectedServiceMethodName)) {
    result.setStatus(IResult.SUCCEEDED);
    } else {
    msgCtxt.getInvocationStatus().setAuthorizationStatus(InvocationStatus.FAILED);
    // Set the result to SUCCESS
    //result.setStatus(IResult.SUCCEEDED);
    return result;
    public String getIpAddress() {
    return allowedIpAddress;
    public void setIpAddress(String IpAddress) {
    this.allowedIpAddress = IpAddress;
    LOGGER.log(Level.INFO, "IP Address is.. " + allowedIpAddress);
    public String getServiceMethodName() {
    return protectedServiceMethodName;
    public void setServiceMethodName(String serviceMethodName) {
    this.protectedServiceMethodName = serviceMethodName;
    public String getRoleName() {
    return allowedRoleName;
    public void setRoleName(String roleName) {
    this.allowedRoleName = roleName;
    And the xml:
    <csw:StepTemplate xmlns:csw="http://schemas.confluentsw.com/ws/2004/07/policy"
    name="Custom authenticate step" package="project1"
    timestamp="Oct 31, 2005 05:00:00 PM" version="1"
    id="0102030405">
    <csw:Description>Custom step that authenticates the user against the
    credentials entered here. This step requires Extract
    credentials to be present before it in the request pipeline.</csw:Description>
    <csw:Implementation>project1.CustomPolicy</csw:Implementation>
    <csw:PropertyDefinitions>
    <csw:PropertyDefinitionSet name="Basic Properties">
    <csw:PropertyDefinition name="Enabled" type="boolean">
    <csw:Description>If set to true, this step is enabled</csw:Description>
    <csw:DefaultValue>
    <csw:Absolute>true</csw:Absolute>
    </csw:DefaultValue>
    </csw:PropertyDefinition>
    </csw:PropertyDefinitionSet>
    <csw:PropertyDefinitionSet name="Custom Access Rules">
    <csw:PropertyDefinition name="IpAddress" type="string" isRequired="true">
    <csw:DisplayName>IpAddress</csw:DisplayName>
    <csw:Description>IP Address that is allowed access</csw:Description>
    <csw:DefaultValue>
    <csw:Absolute>192.168.0.1</csw:Absolute>
    </csw:DefaultValue>
    </csw:PropertyDefinition>
    <csw:PropertyDefinition name="ServiceMethodName" type="string"
    isRequired="true">
    <csw:DisplayName>ServiceMethodName</csw:DisplayName>
    <csw:Description>Service Method Name that is Protected (Secured)</csw:Description>
    <csw:DefaultValue>
    <csw:Absolute>getTime</csw:Absolute>
    </csw:DefaultValue>
    </csw:PropertyDefinition>
    </csw:PropertyDefinitionSet>
    </csw:PropertyDefinitions>
    </csw:StepTemplate>
    Please any tip or idea is welcome, thanks in advance for the help.
    Carlos.

    Hi again
    copied your code for testing. And it works fine.
    So both the code and policy-step definition is fine, log output below.
    What is your log output?
    Using soapui to send the request will give the ip of my localhost, using the test client will give the ip of the server, because that is the actual client.
    I guess the server ip is 192.168.0.1 in your case, as you are testing from test console.
    <b>anyway, results from SOAPUI:</b>
    2009-05-19 09:52:15,096 FINE [HTTPThreadGroup-4] CSWComponent - Executing policy step. Policy='SID0003004', Step Name='Custom Policy Step', Step Class='com.*.soa.wsm.CustomPolicy'
    2009-05-19 09:52:15,096 FINER [HTTPThreadGroup-4] wsm.CustomPolicy - com.*.soa.wsm.CustomPolicy execute:ENTERING
    2009-05-19 09:52:15,096 INFO [HTTPThreadGroup-4] wsm.CustomPolicy - Processing stage is Request
    2009-05-19 09:52:15,096 SEVERE [HTTPThreadGroup-4] wsm.CustomPolicy - Dir IP:hostname.domain:8890
    2009-05-19 09:52:15,096 INFO [HTTPThreadGroup-4] wsm.CustomPolicy - ADDRhostname.domain:8890HOST10.47.89.116
    2009-05-19 09:52:15,096 INFO [HTTPThreadGroup-4] wsm.CustomPolicy - MethodName=getHostNameElement
    2009-05-19 09:52:15,096 INFO [HTTPThreadGroup-4] wsm.CustomPolicy - Writing Allowed IP Addr before creating SOAP header 10.47.89.116, 192.168.0.1
    2009-05-19 09:52:15,096 INFO [HTTPThreadGroup-4] wsm.CustomPolicy - Writing Remote IP Addr before creating SOAP header 10.47.89.116
    2009-05-19 09:52:15,096 INFO [HTTPThreadGroup-4] wsm.CustomPolicy - AQUI111
    2009-05-19 09:52:15,096 INFO [HTTPThreadGroup-4] wsm.CustomPolicy - AQUI222
    2009-05-19 09:52:15,097 INFO [HTTPThreadGroup-4] wsm.CustomPolicy - AQUI333
    2009-05-19 09:52:15,097 FINER [HTTPThreadGroup-4] agent.Agent - com.cfluent.agent.Agent intercept:ENTERING
    <b>But if I use the test client the remote IP would be 10.47.137.50 and execution fails, as code is written</b>
    <i>
    2009-05-19 09:54:12,266 INFO [HTTPThreadGroup-4] wsm.CustomPolicy - Writing Allowed IP Addr before creating SOAP header 10.47.89.116, 192.168.0.1
    2009-05-19 09:54:12,266 INFO [HTTPThreadGroup-4] wsm.CustomPolicy - Writing Remote IP Addr before creating SOAP header 10.47.137.50
    2009-05-19 09:54:12,267 INFO [HTTPThreadGroup-4] wsm.CustomPolicy - AQUI111
    2009-05-19 09:54:12,267 INFO [HTTPThreadGroup-4] wsm.CustomPolicy - AQUI222
    2009-05-19 09:54:12,267 INFO [HTTPThreadGroup-4] wsm.CustomPolicy - AQUI444
    2009-05-19 09:54:12,267 INFO [HTTPThreadGroup-4] wsm.CustomPolicy - AQUI444
    2009-05-19 09:54:12,267 FINE [HTTPThreadGroup-4] CSWComponent - Step execution failed: Policy=[SID0003004] Pipeline=[Request] Step Name=[Custom Policy Step] Step Class=[com.tandberg.soa.wsm.CustomPolicy]
    2009-05-19 09:54:12,267 FINER [HTTPThreadGroup-4] common.PrepareForServiceStep - Step PrepareForServiceStep called
    </i>

  • Custom Policy Step calling EJB

    Hi there,
    I'm a newby to OC4J and need some help in regards to some library issues. I've created an EJB using spring and deployed it to the oc4j container. Then I created an owsm custom policy step which retrieves the EJB bean using spring and retrieves the custom security header, which I then add to the current SOAP header. I wasn't quite sure how to create the custom policy step jar as it contains my spring jar as well as my ejb jar, so I used maven to create the jar with all my dependent jars as well. Everything works great, as in, it retrieves the EJB calls the method on the EJB which will retrieve a value from LDAP and then uses that value to query our data store and then return the object, but when it returns the object it throws the following exception:
    java.lang.LinkageError: Class com/cochlear/erpsecurity/domain/ErpSoapHeader violates loader constraints
    Which is due to the fact that I have the ErpSoapHeader in my custom policy step jar as well as my ejb jar. When I don't include the ejb jar in my custom policy step jar however then it give a class not found exception when trying to load the ejb with spring. Then I tried something dodgy and added the ejb jar to my server.xml in oracle.wsm.gateway shared library, but this caused the linkage error as well.
    Any help on how I can resolve this library issue will be great appreciated.
    Thanks so much,
    Ida

    Here's an example on how to add a custom SOAP header to the request message inside a custom step.
    public IResult execute(IMessageContext messageContext) throws Fault {
    MessageContext msgCtxt = (MessageContext) messageContext;
    SOAPEnvelope senv = msgCtxt.getRequest().getAxisMessage().getSOAPEnvelope();
    ((org.apache.axis.message.SOAPEnvelope)senv).setDirty(true);
    Name header = factory.createName("CustomHeader", "http://foo.com/custom/header");
    SOAPHeaderElement headerElement = senv.getHeader().addHeaderElement(header);
    headerElement.addTextNode("My custom header data");
    OWSM uses AXIS implementation internally to represent the SOAP message.
    Cheers,
    Vikas Jain

  • OWSM 11g: Custom policy implementation

    Hi all,
    I am unable to replicate the example as discussed in the section 14 of Security and Administrator’s Guide for Web Services 11g Release 1 (11.1.1) B32511-03, April 2010. I am applying the custom policy on a osb (11g r3) proxy service. Kindly take a look at the steps mentioned below & suggest suitably where i may be going wrong:
    1. Creation of the IpAssertionExecutor class which holds the implementation logic (same as Step 1)
    2. Creation of the policy-config.xml file (same as Step 2)
    3. oracle.logging-utils_11.1.1.jar was also added to compile the above class.
    4. IpAssertionExecutor Class & policy-config.xml were added as a jar file as mentioned in page no: 4 of the following link: http://www.scribd.com/doc/25941008/How-to-Create-OWSM-11g-Custom-Policy-Assertion (same as Step 4)
    5. Updation of classpath (same as Step 5)
    6. Creation of oracle/ip_assertion_policy file (same as Step 2)
    7. Importing the Custom Policy File (same as Step 6)
    8. Attaching the Custom Policy to a Web Service or Client (same as Step 7)
    For testing purpose, i used soapui and specified the bind address in the request properties. However, the policy is not working as desired.
    Additionally, i hardcoded the String ipAddr (ip address) in the IpAssertionExecutor class & redeployed the jar. But still couldn't get it working.
    I shall be obliged if someone can help me.
    Thanks in advance

    In the security tab for your OSB Service, ensure that you set the radio button for processing of ws header. Otherwise no policies appear to be called.

  • OWSM - Logging in Custom Policy Step

    I'm trying to implement a custom policy step for Oracle Web Service Management.
    For debugging purposes, I need to write a diagnostic log file (like gateway.log, policymanager.log, ccore.log...) with the behavior of my step. I have to use log4j library...
    Could you help me with OWSM log configuration?
    Thanks!

    I have been reading more about this issue but I have doubts yet...
    Now, I know that I must use the package "com.cfluent.ccore.util.logging" in my code. For example:
    ILogger logger = LogManager.getLogger(...);
    logger.log(Level.INFO, "..");
    In which owsm log file does this information appear?
    Thanks!

  • Custom Policy Step and the WS-Security header attibute "mustUnderstand"

    Hi there,
    I have some issues testing the custom policy step that comes with OWSM (CustomAuthenticationStep), which i describe next.
    I manage to compile/deploy the custom step successfully. I also restart the server and add the brand new step into the request pipeline. The pipeline only has two steps, a log step and a custom authentication step.
    I develop a client for the gateway service which use the "Username to Authenticate" option of the Proxy Security. The other options (inbound/outbound integrity/encryption) are all unchecked.
    When I test the client, the following SOAP message is produced:
    <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:ns0="http://agesic.entidad/types/"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <env:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"
    env:mustUnderstand="1">
    <wsse:UsernameToken xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <wsse:Username>test</wsse:Username>
    <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">test</wsse:Password>
    </wsse:UsernameToken>
    </wsse:Security>
    </env:Header>
    <env:Body>
    <ns0:reverseElement>
    <ns0:aString>Holas!</ns0:aString>
    </ns0:reverseElement>
    </env:Body>
    </env:Envelope>
    Which looks just fine. However I get the following exception:
    javax.xml.rpc.soap.SOAPFaultException: SOAP must understand error: {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security
         at oracle.j2ee.ws.client.StreamingSender._raiseFault(StreamingSender.java:568)
         at oracle.j2ee.ws.client.StreamingSender._sendImpl(StreamingSender.java:396)
         at oracle.j2ee.ws.client.StreamingSender._send(StreamingSender.java:112)
         at agesic.cliente.gateway.proxy.runtime.EchoReverseSoapHttp_Stub.reverse(EchoReverseSoapHttp_Stub.java:78)
         at agesic.cliente.gateway.proxy.EchoReverseSoapHttpPortClient.reverse(EchoReverseSoapHttpPortClient.java:44)
         at agesic.cliente.gateway.proxy.EchoReverseSoapHttpPortClient.main(EchoReverseSoapHttpPortClient.java:33)
    If i look at the log produced by the custom step, it looks like the step was successfully passed.
    ********** Entering Custom Authentication execute method **********
    Processing stage is Request
    Request SOAP message is <?xml version="1.0" encoding="UTF-8"?>
    <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="h
    ttp://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-ins
    tance" xmlns:ns0="http://agesic.entidad/types/" xmlns:wsu="http://docs.oasis-ope
    n.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><env:Header><wsse
    :Security env:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004
    /01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns="http://docs.oasis-open.or
    g/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:env="http://sche
    mas.xmlsoap.org/soap/envelope/"><wsse:UsernameToken xmlns:wsse="http://docs.oasi
    s-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns="http:/
    /docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><ws
    se:Username>test</wsse:Username><wsse:Password Type="http://docs.oasis-open.org/
    wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">test</wsse
    :Password></wsse:UsernameToken></wsse:Security></env:Header><env:Body><ns0:rever
    seElement><ns0:aString>Holas!</ns0:aString></ns0:reverseElement></env:Body></env
    :Envelope>
    User locale is English
    Client ip address is rhel4.tecinfo.com.uy:7777
    Verified user is test
    The problems is with the mustUnderstand attribute. It looks like no step tells the OWSM that he understands the header, so the OWSM pass through the pipeline and when it ends it thinks that that header was not processed properly.
    I try to find documentation on this issue but I didn't find any.
    Any ideas? Is there any way to specify that the step actually understands the ws-security header?
    Thanks!
    Leo

    Ok. Thanks. The problem here is a little bit different. At the client side, we have the following:
    <?xml version="1.0" encoding="UTF-8"?>
    <oracle-webservice-clients xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance' xsi:noNamespaceSchemaLocation='http://xmlns.oracle.com/oracleas/schema/oracle-webservices-client-10_0.xsd'>
    <webservice-client>
    <service-qname namespaceURI="http://agesic.entidad/" localpart="EchoReverse"/>
    <port-info>
    <wsdl-port namespaceURI="http://agesic.entidad/" localpart="EchoReverseSoapHttpPort"/>
    <runtime enabled="security">
    <security>
    <inbound/>
    <outbound>
    <username-token password-type="PLAINTEXT" add-nonce="false" add-created="false"/>
    </outbound>
    </security>
    </runtime>
    <operations>
    <operation name='reverse'>
    </operation>
    </operations>
    </port-info>
    </webservice-client>
    </oracle-webservice-clients>
    The <outbound> here is requered in order to use the WSS UserName token profile. I try to remove the <inbound/> to check if it was a problem like yours, but we still have the same exception.
    The problem seems to be with the gateway at the server side.
    Intercepting the communication between the client and the server, we are getting the following response:
    <?xml version="1.0" encoding="UTF-8"?>
    <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:ns0="http://agesic.entidad/types/">
    <env:Body>
    <env:Fault>
    <faultcode>env:MustUnderstand</faultcode>
    <faultstring>SOAP must understand error:
    {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security</faultstring>
    </env:Fault>
    </env:Body>
    </env:Envelope>
    We need a way to instruct the gateway that he actually understands the wss header.
    Any ideas?
    Thanks!
    Leo

  • Custom Policy Issue 10G

    Hi All,
    I have created a custom policy in OWSM 10g for WS-Header Insertion, that inserts user credentials(username/password) in UserToken of SOAP Headers.
    But I am getting following error while testing my web service on OWSM.
    SOAP-ENV:Envelope
    xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
    <SOAP-ENV:Body>
    <SOAP-ENV:Fault>
    <faultcode
    xmlns:p="http://schemas.oblix.com/ws/2003/08/Faults"
    xmlns="">p:Client.PolicyInitializationFailure</faultcode>
    <faultstring
    xmlns="">Failed to initialize pipeline 'Request' in policy 'testCustom(1.0)'</faultstring>
    null</SOAP-ENV:Fault>
    </SOAP-ENV:Body>
    </SOAP-ENV:Envelope>
    Kindly help

    Hi All,
    Pls help

  • Custom Policy steps in OWSM

    I am currenly implementing an integration systems between our systems and a third party system. There is a requirement for all messages sent across the interface to be acknowldeged by the other system. The transactions are synchronous so we have hand off approach where the receiving system must acknowledge message receipt by sending a synchronous response message back. This acknowledgement message will contain a boolean flag that either says true or false depending on whether they are receiving or rejecting the message. Messages could be rejected because they have an invalid digital certificate or failed message integrity. Is it possible to create custom policy step in the OWSM that allows me to send these acknoledgement messages. the message structure will contain only 3 elements:
    successfulDelivery (boolean)
    RejectedCode (Rejection ErrorCode)
    RejectedReason (Rejected Error Reason)
    Can any one help? I am still new to the OWSM.

    Here's an example on how to add a custom SOAP header to the request message inside a custom step.
    public IResult execute(IMessageContext messageContext) throws Fault {
    MessageContext msgCtxt = (MessageContext) messageContext;
    SOAPEnvelope senv = msgCtxt.getRequest().getAxisMessage().getSOAPEnvelope();
    ((org.apache.axis.message.SOAPEnvelope)senv).setDirty(true);
    Name header = factory.createName("CustomHeader", "http://foo.com/custom/header");
    SOAPHeaderElement headerElement = senv.getHeader().addHeaderElement(header);
    headerElement.addTextNode("My custom header data");
    OWSM uses AXIS implementation internally to represent the SOAP message.
    Cheers,
    Vikas Jain

  • Extend OWSM with Custom Policy Step: MessageContext.setResponseMessage()?

    Hi,
    I intend to create a custom policy step for OWSM.
    In the execute method of my step (that extends AbstractStep) I want to set the Response Message using the setResponseMessage() method. According to the Extensibility Guide, this method should be passed a com.cfluent.ccore.message.SOAPMessage object as parameter.
    Basically, the code looks something like this:
    public IResult execute(IMessageContext messageContext) throws Fault {
    MessageContext msgCtxt = (MessageContext)messageContext;
    Result result = new Result();
    msgCtxt.setResponseMessage(msgCtxt.getRequestMessage());
    result.setStatus(IResult.SUCCEEDED);
    return result;
    At compile time however, JDeveloper throws the following error:
    SOAPMessage not found in class nl.amis.soa.CustomStep
    and points to the line
    msgCtxt.setResponseMessage(msgCtxt.getRequestMessage());
    Should I use AXIS SOAP objects (knowing OWSM is based on AXIS or uses it)? Or a MessageFactory? Or ... ?
    Any tips and preferably a code sample is much appreciated!
    Thanks, Sjoerd

    Hi Sjoerd ,
    Looks like documentation error. Are you importing the om.cfluent.ccore.message.SOAPMessage class? Try compiling without the import. I was able to compile your code with no issues. All I have is coresv-4.0.jar added to my jDev project.
    FYI MessageContext.get/setRequestMessage() really takes javax.xml.soap.SOAPMessage as parameter.
    Here is the code I can compile:
    package com.junk.wsm;
    import com.cfluent.pipelineengine.container.MessageContext;
    import com.cfluent.policysteps.sdk.AbstractStep;
    import com.cfluent.policysteps.sdk.IMessageContext;
    import com.cfluent.policysteps.sdk.IResult;
    import com.cfluent.policysteps.sdk.Result;
    public class junkStep extends AbstractStep {
    public junkStep() {
    public IResult execute(IMessageContext messageContext) {
    MessageContext msgCtxt = (MessageContext)messageContext;
    Result result = new Result();
    msgCtxt.setResponseMessage(msgCtxt.getRequestMessage());
    result.setStatus(IResult.SUCCEEDED);
    return result;
    Regards,
    Rajesh

  • OWSM Custom Policy Step: use of the setProcessingStage() method?

    Hello,
    When creating a Custom Policy Step for use in an OWSM pipeline the API provides the option to set the processing stage. Possible values are STAGE_PREREQUEST, STAGE_REQUEST, STAGE_RESPONSE and so on.
    Can anyone tell me the use of setting the processing stage. Would it allow me to literally take the message request to a different stagewhat, e.g. what should happen when in the Request Stage I set it to STAGE_RESPONSE?
    I have tried this and cannot see any effect.
    Thanks, Sjoerd

    Hi Vikas,
    Thanks for the reply.
    I suspect that the "fiddling with the Outgoing Transport Protocol that is between OWSM Gateway and actual service" as mentioned in my original post is probably the same as "creating a custom transport messenger between gateway and service" as mentioned by you.
    Any pointers to get me going, e.g. what interfaces te implement, classes to extend, how to register and manage with OWSM?
    Thanks and best regards,
    Sjoerd

  • Dynamically change the JAAS auth policy file

    We want to honor the JAAS auth policy file change while the java process is still running. Currently, if you change the permissions in the JAAS auth policy file after the java process is launched, the changes are not picked up by the security manager. Is there a way to honor the permission changes without re-launch the java process?
    Thank you very much!
    JST

    Hey,
    No you do not call policy.refresh() at this time; you call it when the underlying policy file which supports the default implementation is changed - otherwise what are you refreshing.
    Perhaps consider implementing a database backed policy; I can't help feeling it would be a less troublesome method if you need a certain level of dynamism in you policy entries.
    Warm regards,
    D

  • Urgent: JAAS authorization policy file

    Hi.
    I just decided to implement JAAS technology in my 3-tiered application. I did authentication, but can not beleive that the only way to specify authorization is to place all grants in one ore more text files and specify this(ose) file(s) in batch file running my application. I do not think that it is secure. The same for authentication. It is possible to redirect my application to pass through some other LoginModule and so on.
    I gues there is some other way to store jaas config and policy files. Please help me to get that way.
    Thanks in advance,
    Kanan

    the default file-based LoginContext configuration and Policy-based permission files are certainly rudimentary.
    it is for this reason that the javax.security.auth.login.Configuration and java.security.Policy implementations are pluggable. instead of defining only one way of storing the data, it is possible to develop custom implementations to store data in any way a developer desires.
    you can directly subclass either of these abstract classes and then programmatically set your subclass in the VM via the respective "setConfiguration" or "setPolicy" methods. or you can statically specify your custom implementation in the login.configuration.provider or policy.provider security property (set inside the java.security file inside the ~jre/lib/security directory of your installation).
    both of these options should be documented in the Configuration and Policy javadocs.
    in the Configuration case, J2SE 5.0 introduced a new constructor on the javax.security.auth.login.LoginContext class that can take a Configuration object as an input parameter. this gives you extra flexibility for managing login configuration entries per LoginContext.
    your custom implementations would then need to manage the configuration and permission data as it so desires (perhaps in memory, perhaps on a server, or perhaps even in custom files).

  • How do I move the policy from Default domain policy to a custom policy.

    I want to implement a new password policy.  In the past we had a fairly loose policy, now I want to implement minimum length and complexity.  I know how to set this up in Computer Config Policies windows settings security settings and account policies
    password policy. However after I set it up I notice that it is not being applied.  I have run gpupdate, and even waited several days but still it's not taking effect.  I have created what im calling a custom gpo calling it "password policy". 
    It is situated under domains/mydomain.com .  There are a number of other policies here.
    When I run gpresult /h c:\temp\gpreport.html  its all a bit confusing. It looks like it being applied but then further down it says under Group policies Applied GPOs Denied GPOs Pssword Policy mydomain.com empty. ??
    But let me ask this first off .
    The previous administrator I think has the password policy set up in the "default domain policy"
    Is it possible that the default domain policy which IS indeed set differently is overriding my custom "password policy"
    If this is so how can I make it so  my custom password policy is applied over the default domain policy.
    Or what other answers could it be.

    Hi,
    Based on your requirement you can create Fine Grained Password Policies.
    This feature introduced in Windows Server 2008 allows you to override password policy set at the Default Domain Policy for specific users or groups.
    Checkout the below link for creating Fine Grained Password Policies from GUI in Windows Server 2012,
    http://blogs.technet.com/b/reference_point/archive/2013/04/12/fine-grained-password-policies-gui-in-windows-server-2012-adac.aspx
    Regards,
    Gopi
    JiJi
    Technologies

Maybe you are looking for