JAAS in WLS6

Similar Messages

• Use of JAAS in WLS6 for sngle logon

  We're in the design stage of a product, which will be based on Weblogic Server 6 and are hoping to use JAAS.
  I'm quite new to WL in general and JAAS security and having read the documentation, I'm still not clear on a few points about how JAAS is used in WLS6.
  We're intending to provide a single logon for the system and then to log users on to other services such as email etc. behind the scenes, when the user requests them.
  Does JAAS in WLS6 support this and if so, how best could we achieve it?
  One idea I've read on the Sun site is that you can instantiate multiple LoginContexts at different times during the user session, each using a different Configuration pointing to different LoginModules to achieve this.
  A couple of other things I've come across which may be useful in this context are :-
  the <run-as-specified-identity> tag in the deployment descriptor
  LoginModules being able to share information
  Any help much appreciated
  Dave

  Sorry for the delay in replying, I was on vacation
  Dave <[email protected]> wrote in message
  news:[email protected]...
  >
  Thanks for the reply Alex.
  If we just have a single LoginContext with multiple LoginModules, wouldn'tthat mean that when a user logged-on, it would log them on to all of the
  services at the same time ?
  Yes, that is the sequence specified under JAAS
  We were trying to make it so that after the initial logon to the system,the user would be logged on to other services only when they accessed them
  explicitly. Does that mean that we need multiple LoginContexts still ?
  Unfortunately yes, you will need multiple LoginContext instances to do that.
  set configuration
  new context
  context.login
  context.getSubject
  Subject.doAs(subject, action)
  >
  I understand that WLS6 will only provide for JAAS Authentication, notAuthorisation. Does that mean I need to use it in conjunction with the
  existing Weblogic Authorisation, such as ACLs and Realms ?
  >
  The WLS6 JAAS implementation wrappers the existing ACL implementation and is
  independant of the realm being used. Internally the Subject.doAs method
  checks the ACLs of the user associated with the specified Subject instance.
  Can I also ask about the granularity of Resources that can be protected byaccess control. Would these be at the level of Servlets, beans etc.
  I believe you can but I'm not sure, check in the documentation on Servlets &
  beans or post a followup question in those groups
  >
  Is the Beta Refresh available for downloaded now ? If not, how soon doyou think it would be ?
  >
  The beta refresh should be available early the week of 11/13
  As regards the <run-as-specified-identity> tag in the deploymentdescriptor. Could you briefly explain its use and whether it would help us
  with our logon approach ?
  Again I'm not sure, again please post this to the associated group Servlets,
  Beans, etc.
  >
  Thanks very much for your help again.
  Dave
  "Alex McDonald" <[email protected]> wrote:
  Dave,
  The WLS 6 JAAS implementation will support what you intend. While there
  were
  several bugs in the initial WLS 6 Beta these have been fixed in the Beta
  refresh, if you need the updated files sooner I can send you a zip.
  I would suggest the following. Single LoginContext, multipleloginModules.
  Set your first configured loginModule to prompt for theusername/password,
  each of the following loginModules can than use that information behindthe
  scenes or prompt as needed for additional user info. Configure the first
  loginModule as REQUISITE so that it must succeed for the login process to
  continue. The WLS 6 JAAS sample loginModule implementation contains theWLS
  login information, additional email, etc services can be added to the
  Subject container as needed.
  Alex
  Dave <[email protected]> wrote in message
  news:[email protected]...
  We're in the design stage of a product, which will be based on WeblogicServer 6 and are hoping to use JAAS.
  I'm quite new to WL in general and JAAS security and having read thedocumentation, I'm still not clear on a few points about how JAAS is usedin
  WLS6.
  We're intending to provide a single logon for the system and then to
  log
  users on to other services such as email etc. behind the scenes, when the
  user requests them.
  Does JAAS in WLS6 support this and if so, how best could we achieve it?
  One idea I've read on the Sun site is that you can instantiate multipleLoginContexts at different times during the user session, each using a
  different Configuration pointing to different LoginModules to achievethis.
  >>>
  A couple of other things I've come across which may be useful in thiscontext are :-
  the <run-as-specified-identity> tag in the deployment descriptor
  LoginModules being able to share information
  Any help much appreciated
  Dave

• Problem with JAAS example in WLS6.0sp1

  Hi,
  I tried to run the SampleClient from the JAAS example in WLS6.0sp1 and got an
  exception
  when a valid username/password combination is entered. Has anyone experienced
  that in WLS6.0sp1?
  Thanx
  Ralf
  SampleLoginModule.initialize(), debug enabled
  SampleLoginModule.initialize(), URL t3://localhost:7001
  SampleLoginModule.login(), username guest
  SampleLoginModule.login(), password guest
  Authentication Failed: Unexpected Exception, java.lang.NoSuchMethodError
       at weblogic.security.auth.Authenticate.authenticate(Authenticate.java:124)
       at examples.security.jaas.SampleLoginModule.login(SampleLoginModule.java:157)
       at java.lang.reflect.Method.invoke(Native Method)
       at javax.security.auth.login.LoginContext.invoke(LoginContext.java:595)
       at javax.security.auth.login.LoginContext.access$000(LoginContext.java:125)
       at javax.security.auth.login.LoginContext$3.run(LoginContext.java:531)
       at java.security.AccessController.doPrivileged(Native Method)
       at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:528)
       at javax.security.auth.login.LoginContext.login(LoginContext.java:449)
       at examples.security.jaas.SampleClient.main(SampleClient.java:92)

  Weblogic comes with its own implementation of JAAS, unfortunately
  conflicting with Sun's. Contact customer support, they will tell you the
  exact differences and incompatibilities. Or reverse engineer the two
  versions, you'll find quite a few differences (apart from the BEA version
  not implementing JAAS authorization, which is documented).
  "Narinder Gaheer" <[email protected]> wrote in message
  news:[email protected]..
  I am happy someone came up with this problem. I also bent backwardssolving
  this problem
  in my application.
  I figured out that as soon as I remove the standard jaas.jar from my
  classpath , I can run the example successfully. Weblogic.jar does contain
  necessary jaas library , so don't need to include jaas.jar.
  I am not sure, but I get the feeling that there is a jaas library conflict
  here. May be weblogic
  guys are the best to put some light on this issue.
  "Ralf Fritsche" <[email protected]> wrote in message
  news:3b15188e$[email protected]..
  I found out, that the example runs with the JDK delivered by BEA,
  but not with a JDK I downloaded from SUN.
  Wheras with the first the provided way to set the user defined
  configuration class with the system property'weblogic.security.jaas.Configuration'
  works, this is not possible with another JDK. According to the
  JAAS standard, this class could only be defined in the properties
  file 'java.security' of the Java runtime.
  How is BEA doing this?
  Thanx
  Ralf

• WLS6.0 sp1 and MS Active Directory

  Hi,
  Is it possible to configure WLS' LDAP security realm to use MS' Active
  Directory to authenticate users? A quick yes or no would be appreciated -
  I'll worry about the finer details of how later!!
  Regards
  Laura Allen

  Custom realm of course with the weblogic....ldaprealmv2.LDAPRealm
  implementation class.
  We did not use Kerberos authentication - just the plain password
  authentication in "cleartext". Our servers are inside a secure data center -
  no encryption required. That's why we did not need jdk1.4.
  "Marc Carrion" <[email protected]> wrote in message
  news:[email protected]...
  >
  Are you telling that you configured the ldap realm of WL to use activedirectory?
  or you used your custom realm?
  To use the authentication with Kerberos you need to use GSS-API and it'snot
  included in jdk1.3 neither in jaas, that's why I needed to use jdk1.4
  Can you explain how did you do that?
  Thanks,
  Marc
  "Roy Cornell" <[email protected]> wrote:
  Hi Laura:
  No, BEA did not confirm the compatibility. We did our own investigation
  and
  found that the two systems work well together. One of the highlights
  of the
  research was the fact that the configuration of the WLS custom realm
  for
  Active Directory was more similar to Netscape Directory or Open LDAP
  than to
  the MS Site Server.
  I am attaching the sample settings for the LDAP realm:
  server.host=<some-ip-or-name>
  server.principal=CN=wlsadmin001,OU=WLSMEMBERS1,DC=company,DC=com
  user.filter=(&(cn=%u)(objectclass=user))
  user.dn=OU=WLSMEMBERS1,DC=company,DC=com
  group.filter=(&(cn=%g)(objectclass=group))
  group.dn=OU=WLSGROUPS1,DC=company,DC=com
  membership.filter=(&(member=%M)(objectclass=group))
  We used the AD for authenticating the users and for authorizing the EJB
  methods. AD contained the users and their security roles and the
  deployment
  descriptiors of the EJB's contained the permissions for the security
  roles.
  We ran repeated tests and were more or less satisfied.
  Regards
  P.S.
  we used WLS 6.1 Jdk 1.3
  ----- Original Message -----
  Sent: Tuesday, September 18, 2001 5:40 AM
  Subject: WLS6.0 and Active Directory
  Forgive me contacting you directly, but did you recieve a reply fromBEA
  as
  to whether WLS supports interaction with Active Driectory? And wereyou
  attempting to use Active Directory just for user authentication? Anyinfo
  on how WLS and Active Directory interact would be appreciated!
  Regards
  Laura Allen
  The information in this e-mail and any attached files is confidential.It
  is intended solely for the use of the addressee. Any unauthorised
  disclosure or use is prohibited. If you are not the intended
  recipient
  of
  the message, please notify the sender immediately and do not disclosethe
  contents to any other person, use it for any purpose, or store or copythe
  information in any medium. The views of the author may not necessarily
  reflect those of the Company.
  "Laura Allen" <[email protected]> wrote in message
  news:[email protected]...
  Hi,
  Is it possible to configure WLS' LDAP security realm to use MS' Active
  Directory to authenticate users? A quick yes or no would be
  appreciated
  I'll worry about the finer details of how later!!
  Regards
  Laura Allen

• Opinions on implementing a JAAS login module to achieve SSO

  We are looking at implementing SSO from a sharepoint website to the portal.  The users who are accessing the Sharepoint site are using their own computers and are not members of the AD Domain, so they could theoretically be using any computer in the world to access Sharepoint.
  the desired user experience looks something like this.
  user--login> sharepoint site -no login--
  >portal
  One of the methods we are looking at to achieve this is to implement a custom JAAS login module that would authenticate the user if they are coming from the Sharepoint site.
  I would like to get your opinions on how viable you think this method is.  One of the goals of this method is ease of implementation, so if you can think of an easier way to implement this please let us know.
  the method is basically this.
  1. User logs into sharepoint using their AD username and password and establish an active session with sharepoint
  2. user navigates to a link in sharepoint that points to a resource in the SAP Portal
  3. we don't want the user to have to login to access the resource when they click on the link
  4. to facilitate this, sharepoint has constructed the link in the following way
  5. the link is an https link
  6. the link has two additional parameters in addition to whatever is necessary to navigate to the resource
  7. the parameters are
  8. un = the users AD username
  9. uh = sha1("secret_password_known_to_both_the_login_module_and_sharepoint" + "username")
  10. the user clicks the link and is directed to the SAP portal
  11. the sap portal has a custom JAAS login module which performs it's checks before the other login modules
  12. the custom module computes ( sha1("secret_password_known_to_both_the_login_module_and_sharepoint" + un)) and then compares the result with uh, if they are equal, the custom login module authenticates the user bypassing any further need for authentication, otherwise authentication passes to the original authentication modules as normal.
  If you think there is an easier way, please let us know.  We are essentially looking for the easiest/fastest way to implement this functionality that is still secure.

  Hey Gary,
    I'm currently using Apache running on RedHat that leverage Apache's mod_rewrite module. I've got a bank of 6 reverse proxies sitting in front of an SAP Portal and each proxy runs on a host with dual 3.33GHz processors and 8Gb or RAM. I know... they're waaay over-sized and they pretty much snooze all day.
    This is the sole entry point for all SAP users and we sized them to accommodate the "worst case" of about 5000 (potential) named users, concurrently. Realistically, we've only ever had about 1500 unique users hitting the systems in a day (following an upgrade go-live, everybody is curious and wants to log on) and a typical load of about 500 to 750 users in a day.
    Never had a real performance problem to speak of. As long as the proxies are tuned properly (ssl cache, sessions, etc.), you should be fine.
    Setting header variables and some other "custom stuff" is handled in Perl (need Apache's mod_perl active). We've got a script that's called by all users before being passed to the Portal.
    We used IISProxy.dll with an IIS web server a long time ago (5 years maybe?) but opted to can it in favor of the approach described above.
    If you ask SAP, they'll recommend you use a WebDispatcher... and that's certainly an option as well.
  -Kevin

• Problems using JAAS with EJB 3.0 on JBoss 4.0.4-GA

  Hello all,
  I am trying to build a very simple JavaEE application with JAAS, but I getting mad.
  I have an EAR packed with a WAR module an EJB JAR module and a JAR with other classes. Struts is the MVC framework and EJB 3.0 is been used.
  First of all, I configured the "login-config.xml" file within /conf directory in JBoss, like this:
  <application-policy name="exemplo1">
       <authentication>
            <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
                 <module-option name="dsJndiName">java:jdbc/Infra_Seguranca</module-option>
                 <module-option name="principalsQuery">SELECT COD_USUARIO AS Password FROM USUARIO WHERE COD_USUARIO=?</module-option>
                 <module-option name="rolesQuery">SELECT NOME_ROLE AS Roles, 'Roles' AS RoleGroups FROM ROLE_USUARIO WHERE COD_USUARIO=?</module-option>
            </login-module>
       </authentication>
  </application-policy>Next I configured the "web.xml" file like this:
  <security-constraint>
       <web-resource-collection>
            <web-resource-name>Restricted</web-resource-name>
            <description>Declarative security tests</description>
            <url-pattern>*.do</url-pattern>
       </web-resource-collection>
       <auth-constraint>
            <role-name>xxx</role-name>
       </auth-constraint>
       <user-data-constraint>
            <description>no description</description>
            <transport-guarantee>NONE</transport-guarantee>
       </user-data-constraint>
  </security-constraint>
  <login-config>
       <auth-method>FORM</auth-method>
       <realm-name>exemplo1</realm-name>
       <form-login-config>
            <form-login-page>/login.jsp</form-login-page>
            <form-error-page>/loginErro.jsp</form-error-page>
       </form-login-config>
  </login-config>
  <security-role>
       <description>Role xxx</description>
       <role-name>xxx</role-name>
  </security-role>Notice that I am using the "xxx" role to protect the "*.do" URL pattern.
  The "jboss-web.xml" is like this:
  <?xml version="1.0"?>
  <jboss-web>
       <security-domain>java:/jaas/exemplo1</security-domain>
  </jboss-web>As it is, it works perfectly, which means, every time I try to access a "*.do" URL it verifies whether I am authenticated and have authroization or not. If not, the login page shows up.
  Now I wanna to be able to also protect my EJBs.
  My Stateless Session Bean is implemented as follow:
  @RolesAllowed("yyy")
  @Stateless(name="UserManagement")
  public class UserManagementBean implements UserManagement {
       public void add(User user) {
  }When I run all this, the container simply igoners the @RolesAllowed("yyy") annotation and allow the EJB execution.
  If I add the "jboss.xml" file, like this:
  <?xml version="1.0"?>
  <jboss>
       <security-domain>java:/jaas/exemplo1</security-domain>
  </jboss>I start getting this stack trace:
  ERROR [UsersRolesLoginModule] Failed to load users/passwords/role files
  java.io.IOException: No properties file: users.properties or defaults: defaultUsers.properties found
  at org.jboss.security.auth.spi.Util.loadProperties(Util.java:313)
  at org.jboss.security.auth.spi.UsersRolesLoginModule.loadUsers(UsersRolesLoginModule.java:186)
  at org.jboss.security.auth.spi.UsersRolesLoginModule.createUsers(UsersRolesLoginModule.java:200)
  at org.jboss.security.auth.spi.UsersRolesLoginModule.initialize(UsersRolesLoginModule.java:127)
  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  ... Am I missing something? What do I have to do to get JAAS working fine with my EJBs? Do I have to also configure and/or provide "ejb-jar.xml" ???
  Thanks
  Daniel

  Using @SecurityDomain("exemplo1") in my EJB and NOT providing jboss.xml, it works.
  @SecurityDomain("exemplo1")
  @RolesAllowed("yyy")
  @Stateless(name="UserManagement")
  public class UserManagementBean implements UserManagement {
    public void add(User user) {
  }Damn! This is some serious shit... I don�t want to configure this in every single EJB.
  EJB 3.0 is nice, but some small trivial details like this and others, that was forgotten by Sun, piss me off!

• JAAS ,SSO and OC4J

  Hi ,
  Earlier , We were connecting our application as partner applications in portal for SSO authentication. We used SSO sdk for diverting requests to SSO. I was reading some literature and it seems oracle is supporting connecting to SSO from JAAS provider. Can i get a documentation for 10G JAAS (With details on how to connect to SSO).
  questions
  1. Is JAAS just replacement of SSO sdk and we still need to define partner applications?
  2.Do I need to configure mod_osso ? and then JAAS will give user details . (I don't need to define partner application.)
  thanks
  Simar

  I do believe there is a logout URL that you need to set. When the user logs out of the application, they also need to be redirected to the logout URL. This is covered in the Oracle Application Server Single Sign-On Application Developer's Guide
  From the doc:
  Security Issues: Single Sign-Off and Application Logout
  If you build custom applications using OracleAS release 9.0.4, note the following: when global logout, or single sign-off, is invoked, only the single sign-on and mod_osso cookies are cleared. This means that an OracleAS application must be coded to store single sign-on user and realm names in either the OC4J session or in the application session. The application must then compare these values to those passed by mod_osso. If a match occurs, the application must show personalized content. If no match occurs, which means that the mod_osso cookie is absent, the application must clear the application session and force the user to log in.
  They also have a code example:
  Application Logout: Recommended Code
  Most applications that authenticate users have a logout link. In a single-sign-on-enabled application, the user invokes the dynamic directive for logout in addition to other code in the logout handler of the application. Invoking the logout directive initiates single sign-off, or global logout. The example that follows shows what single sign-off code should look like in Java.
  // Clear application session, if any
  String l_return_url := return url to your application e.g. home page
  response.setHeader( "Osso-Return-Url", l_return_url);
  response.sendError( 470, "Oracle SSO" );

• How to Set Up SSO Between IBM WebSphere and SAP EP Using JAAS

  Hi
  I have read the article on SDN called "How to Set Up SSO Between IBM WebSphere and SAP EP Using JAAS", which is also the name of my posting.
  The reason why I post this is that I've tried to follow the links in the PDF to get the file WebsphereEpSsoLib.zip but I get an error 403, which tells me that the file is not there.
  Does anybody know where this file went or can somebody tell me an alternative place to get this file?
  Jacob

  Please open the associated whitepaper, and you can find the download link to the .ZIP file on page 4.
  https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/ibm/how to set up single sign-on between an ibm websphere portal and the sap enterprise portal using jaas.pdf
  Hope that works!
  Elise

• WLS6.0sp1 and HP-UX 11.00

  I have completed a successful install of WLS6.0sp1 on an HP-UX 11.00
  machine. I am attempting to start the default server and am getting the
  output below (after system and model info). There is no mention of any
  required changes to kernel parameters in the install and I cannot locate any
  related information on the BEA site.
  Has anyone encountered this before?
  jfboyle:/home/jfboyle/bea/wlserver6.0sp1/config/mydomain > uname -a
  HP-UX uranium B.11.00 U 9000/800 637309363 unlimited-user license
  jfboyle:/home/jfboyle/bea/wlserver6.0sp1/config/mydomain > model
  9000/800/N4000-36
  jfboyle:/home/jfboyle/bea/wlserver6.0sp1/config/mydomain > startWebLogic.sh
  SHLIB_PATH=/opt/sybase/lib:/opt/visibroker_c++/lib:/home/jfboyle/bea/wlserve
  r6.0sp1/lib/hpux11
  SIGSEGV 11* segmentation violation
  Full thread dump Classic VM (jinteg:11/28/00-13:54, native threads):
  "JIT Compiler" (TID:0x640004d0, sys_thread_t:0x40080bd0, state:CW,
  native ID:0x6) prio=5
  "Finalizer" (TID:0x64000510, sys_thread_t:0x4007f2d8, state:CW, native
  ID:0x5) prio=8
  at java.lang.Object.wait(Native Method)
  at java.lang.ref.ReferenceQueue.remove(Unknown Source)
  at java.lang.ref.ReferenceQueue.remove(Unknown Source)
  at
  java.lang.ref.Finalizer$FinalizerWorker$FinalizerThread.run(Finalizer.java:1
  20)
  "Reference Handler" (TID:0x640002f8, sys_thread_t:0x4007a620, state:CW,
  native ID:0x4) prio=10
  at java.lang.Object.wait(Native Method)
  at java.lang.Object.wait(Unknown Source)
  at java.lang.ref.Reference$ReferenceHandler.run(Unknown Source)
  "Signal dispatcher" (TID:0x64000328, sys_thread_t:0x40078638, state:CW,
  native ID:0x3) prio=5
  "main" (TID:0x640001a8, sys_thread_t:0x40005050, state:R, native ID:0x1)
  prio=5
  at java.util.Hashtable.put(Unknown Source)
  at java.lang.System.initProperties(Native Method)
  at java.lang.System.initializeSystemClass(Unknown Source)
  Monitor Cache Dump:
  java.lang.ref.ReferenceQueue$Lock@64000520/64CD0318: <unowned>
  Waiting to be notified:
  "Finalizer" (0x4007f2d8)
  java.lang.ref.Reference$Lock@64000308/64CCFCD8: <unowned>
  Waiting to be notified:
  "Reference Handler" (0x4007a620)
  java.util.Properties@640006E8/64CD0BA0: owner "main" (0x40005050) 1
  entry
  Registered Monitor Dump:
  JIT thread lock: <unowned>
  Waiting to be notified:
  "JIT Compiler" (0x40080bd0)
  utf8 hash table: <unowned>
  JNI pinning lock 31: <unowned>
  JNI pinning lock 30: <unowned>
  JNI pinning lock 29: <unowned>
  JNI pinning lock 28: <unowned>
  JNI pinning lock 27: <unowned>
  JNI pinning lock 26: <unowned>
  JNI pinning lock 25: <unowned>
  JNI pinning lock 24: <unowned>
  JNI pinning lock 23: <unowned>
  JNI pinning lock 22: <unowned>
  JNI pinning lock 21: <unowned>
  JNI pinning lock 20: <unowned>
  JNI pinning lock 19: <unowned>
  JNI pinning lock 18: <unowned>
  JNI pinning lock 17: <unowned>
  JNI pinning lock 16: <unowned>
  JNI pinning lock 15: <unowned>
  JNI pinning lock 14: <unowned>
  JNI pinning lock 13: <unowned>
  JNI pinning lock 12: <unowned>
  JNI pinning lock 11: <unowned>
  JNI pinning lock 10: <unowned>
  JNI pinning lock 9: <unowned>
  JNI pinning lock 8: <unowned>
  JNI pinning lock 7: <unowned>
  JNI pinning lock 6: <unowned>
  JNI pinning lock 5: <unowned>
  JNI pinning lock 4: <unowned>
  JNI pinning lock 3: <unowned>
  JNI pinning lock 2: <unowned>
  JNI pinning lock 1: <unowned>
  JNI pinning lock 0: <unowned>
  JNI global reference lock: <unowned>
  BinClass lock: <unowned>
  Class linking lock: <unowned>
  System class loader lock: <unowned>
  Code rewrite lock: <unowned>
  Heap lock: <unowned>
  Monitor cache lock: owner "main" (0x40005050) 1 entry
  Thread queue lock: owner "main" (0x40005050) 1 entry
  Monitor registry: owner "main" (0x40005050) 1 entry
  startWebLogic.sh[138]: 3462 Abort(coredump)

  Thanks a lot Wayne !
  I tried with "./server.....bin -mode=console". I am facing the same problem.
  Although weblogic installation completes, it still just hangs at "Copying JDK....".
  Giving the output below for your reference.
  Choose Product Directory:
  ->1| Yes, use this product directory [home1/utils/bea/weblogic700]
  2| No, select another product directory
  Enter index number to select OR [Exit][Previous][Next]>
  <------------- WebLogic Platform Installer - WebLogic Platform 7.0.1.0 ---------
  ---->
  Copying files..
  0% 25% 50% 75% 100%
  [------------|------------|------------|------------]
  Copying JDK....
  I am also attaching the top output with this message.
  Thanks,
  Soundar
  "Wayne W. Scott" <[email protected]> wrote:
  When all else fails, read the manual! The method changed from 6.1 to
  7.0.
  http://edocs.bea.com/platform/docs70/install/index.html
  http://edocs.bea.com/platform/docs70/install/index.html
  ../filename.bin -mode=console
  /wws
  Soundar wrote:
  Hi,
  I am trying to install Weblogic 7.01 evaluation copy on HP-UX 11.00.After exporting
  DISPLAY variable to my workstation, when I run "./server701_hpux.bin",the extraction
  of the files is successful, followed by some warning messages regardingthe fonts
  and then the BEA Weblogic startup screen comes up. But it hangs thereforever.
  I am attaching the output. If I run "./server..." in text mode i.e.without
  exporting DISPLAY variable, although the installation of Weblogic softwareis
  successful, but it hangs at "Copying JDK..." i.e. hangs at JDK installation.
  I already have JDK installation on my HP-UX system (1.3.1_02).
  If someone knows how to solve this problem, please let me know. Also,as I already
  have JDK installation on my system, is it possible to disable JDK installation
  in weblogic installation.
  Thanks in Advance.
  Soundar
  [weblogic_top.txt]

• Plans to change JAAS/GSS for Windows XP SP2 and beyond

  Are there any plans to reimplement JAAS GSS on the windows platform to account for this issue:
  Cause 2: This exception is thrown when using native ticket cache on some Windows platforms. Microsoft has added a new feature in which they no longer export the session keys for Ticket-Granting Tickets (TGTs). As a result, the native TGT obtained on Windows has an "empty" session key and null EType. The effected platforms include: Windows Server 2003, Windows 2000 Server Service Pack 4 (SP4) and Windows XP SP2.
  Solution 2: You need to update the Windows registry to disable this new feature. The registry key allowtgtsessionkey should be added--and set correctly--to allow session keys to be sent in the Kerberos Ticket-Granting Ticket.
  Thanks!
  -Bob

  This is an old thread, but one of my clients has run into the same problem. Hopefully someone is still monitoring....
  The answer is that the implementation should not be trying to do anything directly with keys. Delegation works just fine if it has been configured correctly in AD. Simply impersonate the context on the server side and then call the appropriate API to get a new service ticket and it will use the forwarded TGT. Credential delegation solved.
  MS was correct to "fix" the session key interface since it allowed user code to attain a "password equivalent". The JAAS implementation should be fixed to use the Windows authentication interfaces correctly.
  Thanks,
  Dave
  Feel free to contact me offline for more information or pointers at [email protected] (remove the no-spams).

• JAAS and Active Directory Problem

  I am attempting to use the JAAS Tutorial code to authenticate against a Windows 2000 domain controller. The code as is works against a domain controller that I set up, but when I attempt to authenticate against a client's domain, I receive an exception:
  Authentication failed:
  Pre-authentication information was invalid (24)
  javax.security.auth.login.LoginException: Pre-authentication information was invalid (24)
  The troubleshooting documentation indicates that this could mean 3 things:
  1. the password is incorrect - since I am logging in with my account, I am certain the password is correct.
  2. you are using the keytab to obtain the key and the key may have changed since obtaining the keytab - I am not using the useKeyTab option in my configuration of the Krb5oginModule and the option defaults to false.
  3. clock skew. I am sure that there is no time difference between my computer and the server.
  That said, does anyone know of any other reason that authentication will fail?

  I am using....
  AppConfigurationEntry entry = new AppConfigurationEntry(
  "com.sun.security.auth.module.Krb5LoginModule",
  AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
  options);
  and I get the same thing. Running Win2K Pro. Trying to use GSS-API to do Kerberos authentication.
  Jay

• HOW DO I REMOVE AN APPLICATION IN WLS6?

  Hi everybody,
  I compiled an ejb into a jar file and ADDED it to the list of already
  added applications through the WLS6 console (I have WLS6 installed on my Windows
  2000 machine).
  In the WLS6 console I clicked Deployments->EJB->Install a new EJB->Upload
  (to add a new ejb jar file).
  Now I wish to REMOVE (uninstall) this ejb from the list of added
  (installed) EJBs.
  I tried to delete the jar file from the WebLogic folder where this
  jar file was stored, but when I restarted WLS6 it displayed a panic that it was
  unable to find the EJB component. So I had to undelete the jar file from the Recycle
  Bin to the same WebLogic folder.
  What I conclude is that although the ejb component got removed it
  did not get UNINSTALLED .i.e some references to the jar file stayed on somewhere.
  How do I remove and UNINSTALL my ejb?
  Thanks in advance. As usual I am posting this everywhere to get attention.
  As usual sorry for the multiple postings.
  snodx

  Hello,
  To remove it for good, you have to make sure you remove the .jar/.war/.ear
  from the applications directory, and then modify the config.xml file.
  To modify the config.xml file, make sure the admin server is not running,
  and remove the <application> section that refers to the .jar/.war/.ear file
  you no longer want to show up. When you restart the server, that
  application will no longer show up in the console.
  Of course, I must warn about modifying the config.xml file by hand. It's
  not a recommended practice, but in this case, it's the only way to
  accomplish this.
  Regards,
  dennis
  "snodx" <[email protected]> wrote in message
  news:3b5be01d$[email protected]..
  >
  Hi everybody,
  I compiled an ejb into a jar file and ADDED it to the list ofalready
  added applications through the WLS6 console (I have WLS6 installed on myWindows
  2000 machine).
  In the WLS6 console I clicked Deployments->EJB->Install a newEJB->Upload
  (to add a new ejb jar file).
  Now I wish to REMOVE (uninstall) this ejb from the list ofadded
  (installed) EJBs.
  I tried to delete the jar file from the WebLogic folder wherethis
  jar file was stored, but when I restarted WLS6 it displayed a panic thatit was
  unable to find the EJB component. So I had to undelete the jar file fromthe Recycle
  Bin to the same WebLogic folder.
  What I conclude is that although the ejb component gotremoved it
  did not get UNINSTALLED .i.e some references to the jar file stayed onsomewhere.
  >
  How do I remove and UNINSTALL my ejb?
  Thanks in advance. As usual I am posting this everywhere toget attention.
  As usual sorry for the multiple postings.
  snodx

• HOW DO I REMOVE APPLICATIONS FROM WLS6 CONSOLE?

  Hi everybody,
  I compiled an ejb into a jar file and ADDED it to the list of already
  added applications through the WLS6 console (I have WLS6 installed on my Windows
  2000 machine).
  In the WLS6 console I clicked Deployments->EJB->Install a new EJB->Upload
  (to add a new ejb jar file).
  Now I wish to REMOVE (uninstall) this ejb from the list of added
  (installed) EJBs.
  I tried to delete the jar file from the WebLogic folder where this
  jar file was stored, but when I restarted WLS6 it displayed a panic that it was
  unable to find the EJB component. So I had to undelete the jar file from the Recycle
  Bin to the same WebLogic folder.
  What I conclude is that although the ejb component got removed it
  did not get UNINSTALLED .i.e some references to the jar file stayed on somewhere.
  How do I remove and UNINSTALL my ejb?
  Thanks in advance. As usual I am posting this everywhere to get attention.
  As usual sorry for the multiple postings.
  snodx

  Manual method:
  Stop the server. Back up anything important.
  There is a config.xml file that has an entry that points to your JAR. Delete
  this entry.
  There is your JAR file. Delete this JAR.
  There is data from/about your JAR in "do not delete" directory. Delete the
  directory that says "do not delete".
  Peace,
  Cameron Purdy
  Tangosol Inc.
  << Tangosol Server: How Weblogic applications are customized >>
  << Download now from http://www.tangosol.com/download.jsp >>
  "snodx" <[email protected]> wrote in message
  news:3b5bdc84$[email protected]..
  >
  Hi everybody,
  I compiled an ejb into a jar file and ADDED it to the list ofalready
  added applications through the WLS6 console (I have WLS6 installed on myWindows
  2000 machine).
  In the WLS6 console I clicked Deployments->EJB->Install a newEJB->Upload
  (to add a new ejb jar file).
  Now I wish to REMOVE (uninstall) this ejb from the list ofadded
  (installed) EJBs.
  I tried to delete the jar file from the WebLogic folder wherethis
  jar file was stored, but when I restarted WLS6 it displayed a panic thatit was
  unable to find the EJB component. So I had to undelete the jar file fromthe Recycle
  Bin to the same WebLogic folder.
  What I conclude is that although the ejb component gotremoved it
  did not get UNINSTALLED .i.e some references to the jar file stayed onsomewhere.
  >
  How do I remove and UNINSTALL my ejb?
  Thanks in advance. As usual I am posting this everywhere toget attention.
  As usual sorry for the multiple postings.
  snodx

• How user OID (or other ldap) users with JAAS in my JEE application?

  Hy people,
  I'm developing a JEE application and for secuity I'm using JAAS, but I would like use users from my OID to authenticate. Is it possible? Can someone help me?
  Thanks!!!
  Regards,

  Hi, me again.
  It's possible. Just need configure the realm in Weblogic, configure your JAAS security in application. The realm name must be the same in application and WL.
  Just this.
  Thks!

• How to get both JDNI context and JAAS Subject with EJB

  I looked at the JAAS docs and sample, but I'm still confused about
  something. There is a sample of JAAS in a regular, non-EJB scenario. The
  client initializes the LoginContext, calls login(), then retrieves the
  Subject (and possibly later does something with Subject.doAs()). However, in
  the typical EJB scenario, the client initializes the JNDI context, then does
  the lookup on the bean name (which implicitly does the authentication to the
  container). How do they work together, thought? I.e., what does the client
  code look like if JAAS authentication is to be used from an EJB client?
  Thank you!

  In your login module you have to authenticate the user to the Weblogic Server as
  well . For simplicity, Weblogic comes with a class weblogic.security.auth.Authenticate
  to login a subject with Weblogic Server.
  Once logged in, any thread that is invoked within the context of a Subject.doAs
  call gets that subject associated with it.
  Hope that helps
  "Allan" <dfusdfsdfsd> wrote:
  I looked at the JAAS docs and sample, but I'm still confused about
  something. There is a sample of JAAS in a regular, non-EJB scenario.
  The
  client initializes the LoginContext, calls login(), then retrieves the
  Subject (and possibly later does something with Subject.doAs()). However,
  in
  the typical EJB scenario, the client initializes the JNDI context, then
  does
  the lookup on the bean name (which implicitly does the authentication
  to the
  container). How do they work together, thought? I.e., what does the client
  code look like if JAAS authentication is to be used from an EJB client?
  Thank you!