JAAS Implementation

Similar Messages

• JAAS implementation vs. ACL implementation

  Hello friends.
  I'm wondering if I can get some general advice on what I should be pursuing for a security implementation.
  We have a web application (STRUTS/Hibernate/Tomcat) that will have an increasing need for more complicated rules governing who can access specific components of the application. We have survived the 'prototyping' phase with a simple numerical scheme for providing access, but as more departments come on board they bring with them specialized needs. Thus, I have come to be evaluating our options for implementing a more complicated security system.
  Authentication has pretty much already been handled in our application; there isn't an overwhelming need to re-work that area. Our primary need is the ability to grant privileges to users on a user by user basis and then evaluate for those privileges within the application to detemine what links a user should receive, and if they are allowed to access a particular url.
  My preliminary evaluation makes me believe that jaas might not be what I'm looking for; authentication is handled already by LDAP lookup and I really don't need to lock down process/jar level access via java.policy level modifications (I don't think so, anyways). It would seem that our primary needs can be met by developing a series of objects implementing the ACL and related interfaces and assigning roles as appropriate to our user objects, and then writing appropriate code in the jsp / security filter servlet to identify the user, evaluate for the appropriate privilege, and forward as necessary.
  I worry that I'm missing something here, either that jaas can provide me with these abilities and provide flexibility for the future or that there are other good reasons not to implement a custom ACL based solution.
  Any and all advice is greatly appreciated.
  - cm

  Hi Sudipto,
  It'd help if you pasted the exact exception into the problem you're seeing.
  At any rate, I think this problem is because the JAAS classes should go in the /lib/ext directory of the JVM
  There are a few other threads on this newsgroup about the various JAAS classpath issues
  Check this search engine - it might help you to track them down
  http://search.beasys.com/weblogic/gonews/
  Hope this helps
  Joe Jerry
  sudipto wrote:
  Hi,
  This is regarding JAAS implementation in weblogic 6.1 sp1. When I try to load my configuration class through the log-in context, a null-pointer exception is thrown because weblogic is not able to find the configuration class. However when I run the same application as a stand alone program it works fine, what is that I am missing out on???

• My question to frank on his JAAS implementation?

  Hi Frank,
  Your document for implementing JAAS in J2EE applications on OC4J is superb and simple. I have a simple query. Is it possible to have a single screen built in the application which will list out the current logged in users from JAAS model. If you can throw some light on this would be a gr8 help for all of us.
  thanx and regards
  Amit

  Hi,
  I must admit I wrote so many documents about JAAS in J2EE so that I don't know exactly which document you refer to.
  If it is JAAS authentication within container managed authentication in OC4J then a call to getRemoteUser() on the Http request object returns the logged in username. You can also request for the user principal on the same API
  In case you use pure JAAS - which i only documented once - the the user name is within teh authenticated JAAS Subject
  Frank

• Weblogic poratl JAAS implementation with Oracle RDBMS

  Hi,
  Could you please help me to implement JAAS using oracle RDBMS store with Weblogic portal 10.3.2 or 10.3.0?
  or can anybody sent me the sample examples or tutorials to implement JAAS with oracle store?
  I want to store the the roles and users in custom tables (not predefined tables) and i want to access the roles and authentication information from oracle custom tables. I want to access the same roles for portal autorisation.
  Thanks & Regards,
  Sunil DK.

  Use the SQL Authenticator , you can specify your queries that should indicate which tables should be used. This will let you login to your app using these credentials
  Could you please help me to implement JAAS using oracle RDBMS storeIm not sure what you mean . The weblogic security frameowrk does use JAAS modules .

• JAAS implementation on tomact.

  hello.
  i am new to JAAS. i learnt how to implement JAAS in J2SE.
  but now i want to implement JAAS for web application.
  Now i want to implement JAAS for Tomcat server. i am totally stucked in it. there is almost no help available abt this or very vauge.
  can anyone tell me how to implement JAAS for tomcat. where to keep the files like config files,callback handlers etc and how to configure them, i mean their path in xml files etc. plz plz hlp.............................
  i am using Apache Tomcat 6.0.
  thanks in advance.

  This is the JSSE forum. Try the 'Other Security APIs, Tools, and Issues' forum. Locking this thread.

• J2ee implementation with jaas/LDAP

  Hi;
            I search a good j2ee implementation or light framework using jaas API and LDAP directory to authentifies and affects a profil to a user.
            I have already analysed the framework : JGuard.
            regards;

  If I understand you correctly, you want to have an application deployed in WebLogic (you don't say what version) use standard J2EE JAAS for declarative authentication and authorization, but use an LDAP provider for the actual implementation.
            If that's the case, at least in WebLogic 8.1 (I don't know about older versions), you shouldn't need any third-party packages. You can configure your WebLogic domain with authentication and authorization providers that interface with an LDAP server. This will work with the JAAS implementation in WebLogic. You can go to <http://e-docs.bea.com/wls/docs81/secmanage/> to read about configuring security in WebLogic (including the LDAP authentication provider).

• Plans to change JAAS/GSS for Windows XP SP2 and beyond

  Are there any plans to reimplement JAAS GSS on the windows platform to account for this issue:
  Cause 2: This exception is thrown when using native ticket cache on some Windows platforms. Microsoft has added a new feature in which they no longer export the session keys for Ticket-Granting Tickets (TGTs). As a result, the native TGT obtained on Windows has an "empty" session key and null EType. The effected platforms include: Windows Server 2003, Windows 2000 Server Service Pack 4 (SP4) and Windows XP SP2.
  Solution 2: You need to update the Windows registry to disable this new feature. The registry key allowtgtsessionkey should be added--and set correctly--to allow session keys to be sent in the Kerberos Ticket-Granting Ticket.
  Thanks!
  -Bob

  This is an old thread, but one of my clients has run into the same problem. Hopefully someone is still monitoring....
  The answer is that the implementation should not be trying to do anything directly with keys. Delegation works just fine if it has been configured correctly in AD. Simply impersonate the context on the server side and then call the appropriate API to get a new service ticket and it will use the forwarded TGT. Credential delegation solved.
  MS was correct to "fix" the session key interface since it allowed user code to attain a "password equivalent". The JAAS implementation should be fixed to use the Windows authentication interfaces correctly.
  Thanks,
  Dave
  Feel free to contact me offline for more information or pointers at [email protected] (remove the no-spams).

• Problem with JAAS authentication using jboss client

  I'm trying to make a little compiled application works. It has two parts: a little client(one class) and a server part which runs on a jboss server, and comunicates between them using JAAS + SSL. It works perfectly alone if I run it in a java project, without the messing sap JAAS implementation.
  I followed all the steps in:
  https://websmp101.sap-ag.de/~sapidb/011000358700003517632004E.PDF
  and managed to apply the configuration into the security service of WAS, using <b>jboss-client.jar</b> as the library with the login module, and <b>org.jboss.security.ClientLoginModule</b> as the login module.
  I included the client class into a web service developed for my WAS, packing the class and its library plus jboss-client.jar into my EAR.
  But when it tries to do the authentication, sometimes it uses:
  <b>org.jboss.security.ClientLoginModule</b> (that's the correct class) but throws a "<b>User is locked</b>" exception.
  Have I need to create the user who I use to connect to jboss in my WAS UME ? This has no much sense. Anyway doesn't work either, and the user is not locked.
  Other times (withouth changing anything) it uses:
  <b>com.sap.engine.system.SystemLoginModule</b> and throws this exception:
  <b>com.sap.engine.services.security.exceptions.BaseLoginException</b>: Call logout before login
  I have nightmares trying to integrate things which works in every application server but WAS. Why couldn't they simply follow the standard!?
  I'm thinking in installing a tomcat with the client, and use axis to wrap it with a web service I can consume from my WAS. Not very elegant solution.
  I think it maybe has something to do with specific callback classes from sap implementation.
  Any idea? I can't go forward.

  Did you resolve this problem? Please let me know. I have the same issue now and don;t know what I should be doing next

• Oracle ADF security integration with Oracle E-Business Suite SDK JAAS

  I have an Oracle ADF 11.1.2.2 application that is using ADF security for authentication and authorization.
  When we deploy this application to our JDeveloper integrated weblogic server, we utilize the security setting of "Custom" and use weblogic users and roles to map to the ADF application roles. In that environment our security is working properly.
  I have a Weblogic 10.3.5 standalone server that has the ADF runtime installed as well as the Oracle E-Business Suite SDK JAAS implementation installed.
  When I deploy the Oracle ADF application to the standalone weblogic server, I am directed to the JAAS login page when I attempt to access any JSF page (including those that I have granted View access through the anonymous-role. Does the Oracle ADF anonymous-role work (allow for anonymous page access) when JAAS security is handled by the Oracle E-Business Suite SDK JAAS implementation?
  Per the SDK instructions, when we install the Oracle ADF deployment on Weblogic we have selected "DD only" for our security setting. We have defined enterprise roles in the Oracle ADF security setup (jazn-data.xml) that are assigned the appropriate application roles. Those enterprise roles have the same name (i.e. UMX|YOURROLE) as the E-Business Suite roles that are assigned to our test users. When we login with an E-Business Suite user / password we are receiving an error:
  Error 401--Unauthorized
  From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
  10.4.2 401 Unauthorized
  Any thoughts on why that would be?
  Thanks
  Dan

  Thanks Juan.
  With the debugging options enabled it appears the issue is not an issue with the user / role credentials - it seems like the resource grants from jazn-data.xml are not being reviewed in my standalone weblogic instance EAR deployment:
  [JpsAuth] Check Permission
  PolicyContext: [TestApp]
  Resource/Target: [untitled1PageDef]
  Action: [view]
  Permission Class: [oracle.adf.share.security.authorization.RegionPermission]
  Result: [FAILED]
  Evaluator: [ACC]
  Failed ProtectionDomain:ClassLoader=sun.misc.Launcher$AppClassLoader@13f5d07
  CodeSource=file:/app/oracle/product/Middleware/oracle_common/modules/oracle.adf.share_11.1.1/adf-share-support.jar
  Principals=total 2 of principals(
  1. JpsPrincipal: oracle.security.jps.internal.core.principals.JpsAnonymousUserImpl "anonymous" GUID=null DN=null
  2. JpsPrincipal: oracle.security.jps.internal.core.principals.JpsAnonymousRoleImpl "anonymous-role" GUID=null DN=null)
  When I access the same page from my integrated weblogic server I see:
  [JpsAuth] Check Permission
  PolicyContext: [TestApp]
  Resource/Target: [untitled1PageDef]
  Action: [view]
  Permission Class: [oracle.adf.share.security.authorization.RegionPermission]
  Result: [FAILED]
  Evaluator: [ACC]
  Failed ProtectionDomain:ClassLoader=sun.misc.Launcher$AppClassLoader@13f5d07
  CodeSource=file:/app/oracle/product/Middleware/oracle_common/modules/oracle.adf.share_11.1.1/adf-share-support.jar
  Principals=total 2 of principals(
  1. JpsPrincipal: oracle.security.jps.internal.core.principals.JpsAnonymousUserImpl "anonymous" GUID=null DN=null
  2. JpsPrincipal: oracle.security.jps.internal.core.principals.JpsAnonymousRoleImpl "anonymous-role" GUID=null DN=null)
  When I review my EAR - I do see jazn-data.xml at:
  /META-INF/jazn-data.xml
  I will review the system-jazn-data.xml to see if the policy information has been migrated properly as part of the EAR deployment.
  Thanks.
  -Dan

• Use of JAAS in WLS6 for sngle logon

  We're in the design stage of a product, which will be based on Weblogic Server 6 and are hoping to use JAAS.
  I'm quite new to WL in general and JAAS security and having read the documentation, I'm still not clear on a few points about how JAAS is used in WLS6.
  We're intending to provide a single logon for the system and then to log users on to other services such as email etc. behind the scenes, when the user requests them.
  Does JAAS in WLS6 support this and if so, how best could we achieve it?
  One idea I've read on the Sun site is that you can instantiate multiple LoginContexts at different times during the user session, each using a different Configuration pointing to different LoginModules to achieve this.
  A couple of other things I've come across which may be useful in this context are :-
  the <run-as-specified-identity> tag in the deployment descriptor
  LoginModules being able to share information
  Any help much appreciated
  Dave

  Sorry for the delay in replying, I was on vacation
  Dave <[email protected]> wrote in message
  news:[email protected]...
  >
  Thanks for the reply Alex.
  If we just have a single LoginContext with multiple LoginModules, wouldn'tthat mean that when a user logged-on, it would log them on to all of the
  services at the same time ?
  Yes, that is the sequence specified under JAAS
  We were trying to make it so that after the initial logon to the system,the user would be logged on to other services only when they accessed them
  explicitly. Does that mean that we need multiple LoginContexts still ?
  Unfortunately yes, you will need multiple LoginContext instances to do that.
  set configuration
  new context
  context.login
  context.getSubject
  Subject.doAs(subject, action)
  >
  I understand that WLS6 will only provide for JAAS Authentication, notAuthorisation. Does that mean I need to use it in conjunction with the
  existing Weblogic Authorisation, such as ACLs and Realms ?
  >
  The WLS6 JAAS implementation wrappers the existing ACL implementation and is
  independant of the realm being used. Internally the Subject.doAs method
  checks the ACLs of the user associated with the specified Subject instance.
  Can I also ask about the granularity of Resources that can be protected byaccess control. Would these be at the level of Servlets, beans etc.
  I believe you can but I'm not sure, check in the documentation on Servlets &
  beans or post a followup question in those groups
  >
  Is the Beta Refresh available for downloaded now ? If not, how soon doyou think it would be ?
  >
  The beta refresh should be available early the week of 11/13
  As regards the <run-as-specified-identity> tag in the deploymentdescriptor. Could you briefly explain its use and whether it would help us
  with our logon approach ?
  Again I'm not sure, again please post this to the associated group Servlets,
  Beans, etc.
  >
  Thanks very much for your help again.
  Dave
  "Alex McDonald" <[email protected]> wrote:
  Dave,
  The WLS 6 JAAS implementation will support what you intend. While there
  were
  several bugs in the initial WLS 6 Beta these have been fixed in the Beta
  refresh, if you need the updated files sooner I can send you a zip.
  I would suggest the following. Single LoginContext, multipleloginModules.
  Set your first configured loginModule to prompt for theusername/password,
  each of the following loginModules can than use that information behindthe
  scenes or prompt as needed for additional user info. Configure the first
  loginModule as REQUISITE so that it must succeed for the login process to
  continue. The WLS 6 JAAS sample loginModule implementation contains theWLS
  login information, additional email, etc services can be added to the
  Subject container as needed.
  Alex
  Dave <[email protected]> wrote in message
  news:[email protected]...
  We're in the design stage of a product, which will be based on WeblogicServer 6 and are hoping to use JAAS.
  I'm quite new to WL in general and JAAS security and having read thedocumentation, I'm still not clear on a few points about how JAAS is usedin
  WLS6.
  We're intending to provide a single logon for the system and then to
  log
  users on to other services such as email etc. behind the scenes, when the
  user requests them.
  Does JAAS in WLS6 support this and if so, how best could we achieve it?
  One idea I've read on the Sun site is that you can instantiate multipleLoginContexts at different times during the user session, each using a
  different Configuration pointing to different LoginModules to achievethis.
  >>>
  A couple of other things I've come across which may be useful in thiscontext are :-
  the <run-as-specified-identity> tag in the deployment descriptor
  LoginModules being able to share information
  Any help much appreciated
  Dave

• OC4J 9.0.3: JAAS Compliant LoginModule support !

  Hi,
  I have a requirement where I need to migrate my JAAS Compliant LoginModule(implements LoginModule interface) from Weblogic to OC4J. I want to use my Custom LoginModule to perform authentication at the Web Tier and Ejb Tier and let the containers handle the details. I only want to plug in my Login Module as needed. The Login Module works absolutely fine as it is on Weblogic and JBoss, but fails to work on OC4J. This is the error that I get :-
  When I call a protected EJB function the following error is found in the server.log file:
  The run-as user is not an instance of com.evermind.security.User
  Why is it looking for a "User" of this instance? I am using all standard JAAS compliant
  classes:
  javax.security.auth.spi.LoginModule to implement my Login Module
  java.security.Principal to implement my Principal
  java.security.acl.Group to implement by Group/Role
  As of OC4J version 9.0.3 does it have Support for JAAS Compliant custom login module??
  These are the source files that I have
  1) JAAS Compliant Login Module (implement LoginModule interface)
  2) JAAS compliant Principal (implement Principal interface)
  3) JAAS compliant Group (implement Principal interface and Group interface)
  4) Allow Web Tier and EJB Tier to be authenticated and authorized
  Now how do I go about deploying the same on OC4J.
  Any help would be appreciated.
  Thanks in Advance,
  Easwar.

  Hello All,
  As I was going through JAAS implementation using the iPlanet LDAP as our user/role data source found that its not just the LoginModule you have to write in addition to this you would end up wirting a whole new set of classes for manaing the users i.e UserManager :(
  Here is the list of classes we have to implement to get the container managed declarative security model to work with the Web (web.xml) and EJB containers (ejb-jar.xml)
  1 SampleAuthenticator.java
  2 SampleLoginModule.java
  3 SampleProvider.java
  4 SampleRealm.java
  5 SampleRealmManager.java
  6 SampleRealmPrincipal.java
  7 SampleRealmRole.java
  8 SampleRealmUser.java
  9 SampleRoleManager.java
  10 SampleUserManager.java
  I have still some doubt that after implementing this there could be some more catch and the implementation may still not work!!! :(
  Have any one done such an implementation?
  if some one has done this please let us know is it worth implementing them?
  Thank you
  Mallik

• Using JAAS in JSP

  Hello Everyone,
  I am new to java and I am trying to get a jaas implementation completed. I am trying to create a jsp that will accept the username and password and then pass it on the jaas provider. Has anyone had a success with a jaas implementation called from a jsp page? Please provide examples.
  Thank you.

  Hi,
  basically the problem is not in JAAS but in the way you handle the callback.
  I remember having seen code samples for this and found the link for you
  http://www.jspservletcookbook.com/
  If you download the codesampels (accessible from the menu on the left) and unzip it for chapter 15, then this contains all you need.
  Frank

• Questions on Oracle E-Business Suite JAAS impl with ADF (Patch 8571001)

  I am working at a customer site, where we are developing extensions to EBS R12 using ADF 11g. I have some questions around Oracle E-Business Suite JAAS implementation (Patch 8571001). The answers to these would help us choose the right path for the overall project.
  1. How much integration is possible between ADF JAAS roles and the EBS User management roles? If we implement Oracle E-Business Suite JAAS implementation using this patch, how would the component/field level security work in ADF? Will ADF pages refer to roles in EBS UMX tables for field level security?
  2. Is there any detailed documentation as to how to Oracle E-Business Suite JAAS implementation works. I have read the metalink note # 974949.1; however it does not provide enough details on UMX/EBS integration. Any pointers would be really helpful.
  Thanks a lot.

  wrong forum - sorry.
  Please try the Applications forums on OTN
  Frank

• JAAS: location of Configuration, LoginModule classes

  Hi,
  I've created a custom JAAS implementation (Configuration & LoginModule classes) for use in a web-environment (Tomcat + Expresso).
  Question: at the moment, my set-up will only work with Tomcat and a very simple non-Expresso web-app, if and only if, I put the Configuration and LoginModule classes in the jre/lib/ext directory.
  Is there a way to move the classes to WEB-INF/lib ? The reason for this would be that I would like to use specific Expresso classes in the LoginModule, that also need an environment (connection pool, etc.) to function properly.
  Or would this generally be a stupid idea.
  TIA,
  Jaap

  Hi ...
  Interested from your posting, seems successfully implemented JAAS using Tomcat.
  I have exception ... cannot instantiate LoginConfiguration. Seems no solution till date.
  Could you share the procedures to implement JAAS to Tomcat (4, I pressumed) ?
  TIA.
  BAM

• JAAS problems

  I'm trying to use the WebLogic JAAS implementation. When my demo code
  manages to successfully login I get the following error:
  java.lang.NoSuchMethodError
  at
  weblogic.security.auth.Authenticate.authenticate(Authenticate.java:124)
  at
  demo.kernel.security.weblogic.WebLogicLoginModuleHelper.login(WebLogicLoginM
  oduleHelper.java:38)
  at
  demo.kernel.security.auth.JRiskLoginModule.login(JRiskLoginModule.java:110)
  at java.lang.reflect.Method.invoke(Native Method)
  at
  javax.security.auth.login.LoginContext.invoke(LoginContext.java:595)
  at
  javax.security.auth.login.LoginContext.access$000(LoginContext.java:125)
  at
  javax.security.auth.login.LoginContext$3.run(LoginContext.java:531)
  at java.security.AccessController.doPrivileged(Native Method)
  at
  javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:528)
  at
  javax.security.auth.login.LoginContext.login(LoginContext.java:449)
  at demo.security.JAASDemo.run(JAASDemo.java:86)
  at demo.security.JAASDemo.main(JAASDemo.java:56)
  Are there mis-matches versions of class files floating around? Can anyone
  help.
  Thanks.

  As it turns out, incompatable JAAS libs was indeed my problem. Thanks
  everyone.
  It seems to me that BEA has implemented a pre-1.0 version of JAAS for
  Weblogic 6.0. Does anyone know if this is still the case for 6.1, and what
  the plan is on this issue? The problem with pre-1.0 is there's no gentle
  deprecation stage for methods - they just suddenly dissapear and things stop
  working.
  Loren
  "Jerry" <[email protected]> wrote in message
  news:[email protected]..
  Hi Loren,
  I believe your problem is related to having multiple JAAS implementationsin
  your classpath.
  Perhaps you have both Sun's and WebLogic's JAAS implementations in your
  classpath?
  Loren Davie wrote:
  I'm trying to use the WebLogic JAAS implementation. When my demo code
  manages to successfully login I get the following error:
  java.lang.NoSuchMethodError
  at
  weblogic.security.auth.Authenticate.authenticate(Authenticate.java:124)
  at
  demo.kernel.security.weblogic.WebLogicLoginModuleHelper.login(WebLogicLoginM
  oduleHelper.java:38)
  at
  demo.kernel.security.auth.JRiskLoginModule.login(JRiskLoginModule.java:110)
  at java.lang.reflect.Method.invoke(Native Method)
  at
  javax.security.auth.login.LoginContext.invoke(LoginContext.java:595)
  at
  javax.security.auth.login.LoginContext.access$000(LoginContext.java:125)
  at
  javax.security.auth.login.LoginContext$3.run(LoginContext.java:531)
  at java.security.AccessController.doPrivileged(Native Method)
  at
  javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:528)
  at
  javax.security.auth.login.LoginContext.login(LoginContext.java:449)
  at demo.security.JAASDemo.run(JAASDemo.java:86)
  at demo.security.JAASDemo.main(JAASDemo.java:56)
  Are there mis-matches versions of class files floating around? Cananyone
  help.
  Thanks.