JAAS login module is calling password change page

Similar Messages

• JAAS Login Module using Deployable Web Service proxy

  Hi,
  We've created a JAAS Login Module that calls a deployable web service proxy to validate users on Netweaver Portal 2004 SP19. To do this the following steps were taken:
  1) created a deployable web proxy named 'SGU_proxy' and uploaded it to server. This project created 2 files: 'SGU_proxy.ear' (the one uploaded) and 'SGU_proxyClientAPI.jar'.
  2) created a Java project named 'AgregacaoLoginModule' with a single class to authenticate users, this is the class that calls the web service with the username and password. This project references the deployable web proxy project (Properties > Java Build Path > Projects > checkbox marked next to project SGU_proxy).
  3) exported the Java project class, not including the 'SGU_proxyClientAPI.jar'.
  4) created a 'J2EE Server Component' > 'Library' project named 'AgregacaoLoginModuleJ2EE'.
  On the 'provider.xml' file added 2 jars: 'AgregacaoLoginModule.jar' and 'SGU_proxyClientAPI.jar'. References were made to the standard portal libraries. No references were made to the proxy 'SGU_proxy' or the 'AgregacaoLoginModule' project.
  The library was uploaded to the server, everything was ok and no errors were reported.
  The login module was configured on the server and is called when users try to acess Portal server.
  The problem is that when trying to authenticate users: after getting a reference to the proxy using jndi I get a ClassCastException. Note that this proxy is used in a WebDyn Pro application and is working fine.
  The web service client proxy generated the interface 'pt.agregacao.ws.sgu.Servicos' and from jndi I get 'class pt.agregacao.ws.sgu.ServicosImpl'. So this seems to be ok, why the exception?
  Is it necessary to had a reference to 'SGU_proxy' on the 'AgregacaoLoginModuleJ2EE' project? If so, how?
  Thanks in advance.
  Alvaro

  Hi,
  We've created a JAAS Login Module that calls a deployable web service proxy to validate users on Netweaver Portal 2004 SP19. To do this the following steps were taken:
  1) created a deployable web proxy named 'SGU_proxy' and uploaded it to server. This project created 2 files: 'SGU_proxy.ear' (the one uploaded) and 'SGU_proxyClientAPI.jar'.
  2) created a Java project named 'AgregacaoLoginModule' with a single class to authenticate users, this is the class that calls the web service with the username and password. This project references the deployable web proxy project (Properties > Java Build Path > Projects > checkbox marked next to project SGU_proxy).
  3) exported the Java project class, not including the 'SGU_proxyClientAPI.jar'.
  4) created a 'J2EE Server Component' > 'Library' project named 'AgregacaoLoginModuleJ2EE'.
  On the 'provider.xml' file added 2 jars: 'AgregacaoLoginModule.jar' and 'SGU_proxyClientAPI.jar'. References were made to the standard portal libraries. No references were made to the proxy 'SGU_proxy' or the 'AgregacaoLoginModule' project.
  The library was uploaded to the server, everything was ok and no errors were reported.
  The login module was configured on the server and is called when users try to acess Portal server.
  The problem is that when trying to authenticate users: after getting a reference to the proxy using jndi I get a ClassCastException. Note that this proxy is used in a WebDyn Pro application and is working fine.
  The web service client proxy generated the interface 'pt.agregacao.ws.sgu.Servicos' and from jndi I get 'class pt.agregacao.ws.sgu.ServicosImpl'. So this seems to be ok, why the exception?
  Is it necessary to had a reference to 'SGU_proxy' on the 'AgregacaoLoginModuleJ2EE' project? If so, how?
  Thanks in advance.
  Alvaro

• Retrieving JDBC connection from datasource in JAAS login module

  Hi,
  I have a custom JAAS login module which calls a DAO for accessing user login details. The DAO looks up the datasource to retrieve connections from when the LoginModule is initialized. The datasource is simply defined through the admin interface. When a user tries to login (through the web container) an exception is thrown as shown below:
  com.sun.enterprise.InvocationException
       at com.sun.enterprise.resource.PoolManagerImpl.getResource(PoolManagerImpl.java:134)
       at com.sun.enterprise.resource.JdbcDataSource.internalGetConnection(JdbcDataSource.java:241)
       at com.sun.enterprise.resource.JdbcDataSource.getConnection(JdbcDataSource.java:154)
       at com.dmdsecure.mobile.security.store.impl.JDBCUserStore.fetchUser(JDBCUserStore.java:330)
       at com.dmdsecure.mobile.security.impl.LocalUserManager.authenticate(LocalUserManager.java:70)
       at com.dmdsecure.mobile.security.adapter.sunone.DMDLoginModule.authenticate(DMDLoginModule.java:66)
       at com.dmdsecure.mobile.security.adapter.sunone.DMDLoginModule.authenticate(DMDLoginModule.java:38)
       at com.iplanet.ias.security.auth.login.PasswordLoginModule.login(PasswordLoginModule.java:163)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:324)
       at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
       at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
       at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
       at java.security.AccessController.doPrivileged(Native Method)
       at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
       at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
       at com.sun.enterprise.security.auth.LoginContextDriver.doPasswordLogin(LoginContextDriver.java:382)
       at com.sun.enterprise.security.auth.LoginContextDriver.login(LoginContextDriver.java:307)
       at com.sun.enterprise.security.auth.LoginContextDriver.login(LoginContextDriver.java:116)
       at com.sun.web.security.RealmAdapter.authenticate(RealmAdapter.java:201)
       at com.sun.web.security.RealmAdapter.authenticate(RealmAdapter.java:140)
       at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:263)
       at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:492)
       at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:496)
       at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:203)
       at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:505)
       at com.iplanet.ias.web.connector.nsapi.NSAPIProcessor.process(NSAPIProcessor.java:157)
       at com.iplanet.ias.web.WebContainer.service(WebContainer.java:598)
  It seems the datasource is valid but trying to retrieve connections from it will fail.
  Anyone had any similar problems??

  Nope, sorry ... I am also having other troubles with JNDI lookups, this time from within the init method of a filter ... Seems there may still be some issues here for Sun to iron out ...
  -Johan

• JAAS Login Module Redirect to Iview

  I am having some difficulty getting a redirect to an Iview to work in our custom JAAS Login Module.  This code works in our current production environment, using Portal version EP6.0 SP2 Patch 35:
  callbacks[0] = new com.sap.security.api.logon.WebCallback();
  HttpServletResponse rsp = ((WebCallback) callbacks[0]).getResponse();
  rsp.sendRedirect(this.changepasswordurl + this.username);  //get url from property
  But this nearly identical code is not working in our development environment, running NetWeaver:
  WebCallback wcb = new WebCallback ();
  this.callbackHandler.handle(new Callback [] {wcb});
  HttpServletResponse rsp = wcb.getResponse();
  myLoc.infoT("URL: " + this.changepasswordurl + this.username);
  rsp.sendRedirect(this.changepasswordurl + this.username); //get url from property
  When the rsp.sendRedirect statement is executed, I get a stack dump:
  #1.5#00306EF4D7AD0048000000550000576000040C5F45EBE199#1139503241315#com.nike.portal.auth.PortalLoginModule#sap.com/irj#com.nike.portal.auth.PortalLoginModule#Guest#192####cd56b800998a11da8f7300306ef4d7ad#SAPEngine_Application_Thread[impl:3]_9##0#0#Info##Plain###URL: https://dev.XXXXX.com/irj/servlet/prt/portal/prtroot/pcd!3aportal_content!2fnikeconnect!2fiviews!2fcommon!2fMyInfo!2f1-com-nike-iv_b2s-change-password?userid=ncportal02@yahoo.com#on!2fMyInfo!2f1-com-nike-iv_b2s-change-password?userid=ncportal02@yahoo.com#
  #1.5#00306EF4D7AD0048000000570000576000040C5F45EC2971#1139503241326#com.sap.engine.services.security#sap.com/irj#com.sap.engine.services.security#Guest#192####cd56b800998a11da8f7300306ef4d7ad#SAPEngine_Application_Thread[impl:3]_9##0#0#Error##Java###Error in some of the login modules.
  [EXCEPTION]
  #1#com.sap.engine.services.security.exceptions.BaseLoginException: Error in some of the login modules.
          at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:149)
          at java.security.AccessController.doPrivileged(Native Method)
          at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:153)
          at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
          at sun.reflect.GeneratedMethodAccessor260.invoke(Unknown Source)
          at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
          at java.lang.reflect.Method.invoke(Method.java:324)
  When I cut the exact URL being redirected to from the trace log and paste it into a browser, it goes to the page just fine.
  Can anyone suggest a different method of performing a redirect from withing my JAAS Login Module in NetWeaver?  I'm thinking maybe I'm not getting the response object properly - any ideas?
  Thank you...
  Dave

  Thanks for the pointers.  We were able to get an SAP developer to take a look at this and he coded up this solution, which takes what you suggested and filled in all the blanks.  I am baffled as to how I would have figured this out on my own (like the RESPONSE_CODE value of 302), given the limited documentation around the HttpCallback.  We haven't had the opportunity to try this yet - I'll respond with a new post either way to let you know.  Anyway, here's the code snippet for how to perform a redirect:
  In the custom JAAS Login Module:
  setRedirect(callbackHandler, this.changepasswordurl);
  This is the setRedirect method:
  private void setRedirect(CallbackHandler ch, String redirectURL)
        throws IOException, UnsupportedCallbackException
      HttpSetterCallback setRCodeCB = new HttpSetterCallback();
      setRCodeCB.setType(HttpCallback.RESPONSE_CODE);
      setRCodeCB.setName("Moved Temporarily");
      setRCodeCB.setValue("302");
      HttpSetterCallback setRedirCB = new HttpSetterCallback();
      setRedirCB.setType(HttpCallback.HEADER);
      setRedirCB.setName("Location");
      setRedirCB.setValue(redirectURL);
      Callback[] cbSetter = new Callback[2];
      cbSetter[0] = setRCodeCB;
      cbSetter[1] = setRedirCB;
      ch.handle(cbSetter);

• Opinions on implementing a JAAS login module to achieve SSO

  We are looking at implementing SSO from a sharepoint website to the portal.  The users who are accessing the Sharepoint site are using their own computers and are not members of the AD Domain, so they could theoretically be using any computer in the world to access Sharepoint.
  the desired user experience looks something like this.
  user--login> sharepoint site -no login--
  >portal
  One of the methods we are looking at to achieve this is to implement a custom JAAS login module that would authenticate the user if they are coming from the Sharepoint site.
  I would like to get your opinions on how viable you think this method is.  One of the goals of this method is ease of implementation, so if you can think of an easier way to implement this please let us know.
  the method is basically this.
  1. User logs into sharepoint using their AD username and password and establish an active session with sharepoint
  2. user navigates to a link in sharepoint that points to a resource in the SAP Portal
  3. we don't want the user to have to login to access the resource when they click on the link
  4. to facilitate this, sharepoint has constructed the link in the following way
  5. the link is an https link
  6. the link has two additional parameters in addition to whatever is necessary to navigate to the resource
  7. the parameters are
  8. un = the users AD username
  9. uh = sha1("secret_password_known_to_both_the_login_module_and_sharepoint" + "username")
  10. the user clicks the link and is directed to the SAP portal
  11. the sap portal has a custom JAAS login module which performs it's checks before the other login modules
  12. the custom module computes ( sha1("secret_password_known_to_both_the_login_module_and_sharepoint" + un)) and then compares the result with uh, if they are equal, the custom login module authenticates the user bypassing any further need for authentication, otherwise authentication passes to the original authentication modules as normal.
  If you think there is an easier way, please let us know.  We are essentially looking for the easiest/fastest way to implement this functionality that is still secure.

  Hey Gary,
    I'm currently using Apache running on RedHat that leverage Apache's mod_rewrite module. I've got a bank of 6 reverse proxies sitting in front of an SAP Portal and each proxy runs on a host with dual 3.33GHz processors and 8Gb or RAM. I know... they're waaay over-sized and they pretty much snooze all day.
    This is the sole entry point for all SAP users and we sized them to accommodate the "worst case" of about 5000 (potential) named users, concurrently. Realistically, we've only ever had about 1500 unique users hitting the systems in a day (following an upgrade go-live, everybody is curious and wants to log on) and a typical load of about 500 to 750 users in a day.
    Never had a real performance problem to speak of. As long as the proxies are tuned properly (ssl cache, sessions, etc.), you should be fine.
    Setting header variables and some other "custom stuff" is handled in Perl (need Apache's mod_perl active). We've got a script that's called by all users before being passed to the Portal.
    We used IISProxy.dll with an IIS web server a long time ago (5 years maybe?) but opted to can it in favor of the approach described above.
    If you ask SAP, they'll recommend you use a WebDispatcher... and that's certainly an option as well.
  -Kevin

• JDEV deployment of web app with custom JAAS login module fails

  For the first time, I am trying to implement a custom JAAS login module.
  JDEV deployment to standalone OC4J only fails when my orion-application.xml is included. The deployment fails with a java.lang.InstantiationException.
  This what I have done:
  1) Wrote a custom LoginModule called com.whirlpoool.sjtc.jaas.gpa.LDAPLoginModule.
  2) Put it and its dependent classes in a jar named sjtcjaas.jar.
  3) Put the jar in $ORACLE_HOME\j2ee\home\lib
  4) Changed library_path in $ORACLE_HOME\j2ee\home\config\application.xml to
  <library path="../../home/lib/scheduler.jar;../../home/lib/sjtcjaas.jar" />
  5) Added an orion-application.xml to the JDEV project. (I used an Oracle How-to as a pattern, see below.)
  I think I'm close but no cigar, yet. Any help would be appreciated.
  Regards,
  Al Malin
  =============== orion-application.xml ========================================
  <?xml version="1.0"?>
  <orion-application xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://xmlns.oracle.com/oracleas/schema/orion-application-10_0.xsd" deployment-version="10.1.3.0.0" default-data-source="jdbc/OracleDS" schema-major-version="10" schema-minor-version="0" >
  <security-role-mapping name="sr_manager">
  <group name="managers" />
  </security-role-mapping>
  <security-role-mapping name="sr_developer">
  <group name="developers" />
  </security-role-mapping>
  <log>
  <file path="application.log" />
  </log>
  <!-- Configuring a Login Module in an Application EAR file. -->
  <jazn-loginconfig>
  <application>
  <name>customjaas</name>
  <login-modules>
  <login-module>
  <class>com.whirlpoool.sjtc.jaas.gpa.LDAPLoginModule</class>
  <control-flag>required</control-flag>
  <options>
  <option>
  <name>debug</name>
  <value>true</value>
  </option>
  </options>
  </login-module>
  </login-modules>
  </application>
  </jazn-loginconfig>
  </orion-application>

  Starting OC4J from c:\oc4j\j2ee\home ...
  2006-09-07 13:45:28.484 NOTIFICATION JMS Router is initiating ...
  06/09/07 13:45:29 Oracle Containers for J2EE 10g (10.1.3.0.0) initialized
  2006-09-07 13:45:58.609 NOTIFICATION Application Deployer for aam STARTS.
  2006-09-07 13:45:58.640 NOTIFICATION Copy the archive to C:\oc4j\j2ee\home\applications\aam.ear
  2006-09-07 13:45:58.656 NOTIFICATION Initialize C:\oc4j\j2ee\home\applications\aam.ear begins...
  2006-09-07 13:45:58.656 NOTIFICATION Auto-unpacking C:\oc4j\j2ee\home\applications\aam.ear...
  2006-09-07 13:45:58.687 NOTIFICATION Unpacking aam.ear
  2006-09-07 13:45:58.687 NOTIFICATION Unjar C:\oc4j\j2ee\home\applications\aam.ear in C:\oc4j\j2ee\home\applications\aam
  2006-09-07 13:45:58.750 NOTIFICATION Done unpacking aam.ear
  2006-09-07 13:45:58.750 NOTIFICATION Finished auto-unpacking C:\oc4j\j2ee\home\applications\aam.ear
  2006-09-07 13:45:58.750 NOTIFICATION Auto-unpacking C:\oc4j\j2ee\home\applications\aam\aam.war...
  2006-09-07 13:45:58.750 NOTIFICATION Unpacking aam.war
  2006-09-07 13:45:58.765 NOTIFICATION Unjar C:\oc4j\j2ee\home\applications\aam\aam.war in C:\oc4j\j2ee\home\applications\aam\aam
  2006-09-07 13:45:58.765 NOTIFICATION Done unpacking aam.war
  2006-09-07 13:45:58.765 NOTIFICATION Finished auto-unpacking C:\oc4j\j2ee\home\applications\aam\aam.war
  2006-09-07 13:45:58.812 NOTIFICATION Initialize C:\oc4j\j2ee\home\applications\aam.ear ends...
  2006-09-07 13:45:58.828 NOTIFICATION Starting application : aam
  2006-09-07 13:45:58.828 NOTIFICATION Initializing ClassLoader(s)
  2006-09-07 13:45:58.828 NOTIFICATION Initializing EJB container
  2006-09-07 13:45:58.828 NOTIFICATION Loading connector(s)
  2006-09-07 13:45:58.843 NOTIFICATION application : aam is in failed state
  06/09/07 13:45:58 WARNING: Application.setConfig Application: aam is in failed state as initialization failedjava.lang.InstantiationException
  Sep 7, 2006 1:45:58 PM com.evermind.server.Application setConfig
  WARNING: Application: aam is in failed state as initialization failedjava.lang.InstantiationException
  06/09/07 13:45:58 oracle.oc4j.admin.internal.DeployerException: java.lang.InstantiationException
  06/09/07 13:45:58 at oracle.oc4j.admin.internal.ApplicationDeployer.addApplication(ApplicationDeployer.java:510)
  06/09/07 13:45:58 at oracle.oc4j.admin.internal.ApplicationDeployer.doDeploy(ApplicationDeployer.java:191)
  06/09/07 13:45:58 at oracle.oc4j.admin.internal.DeployerBase.execute(DeployerBase.java:93)
  06/09/07 13:45:58 at oracle.oc4j.admin.jmx.server.mbeans.deploy.OC4JDeployerRunnable.doRun(OC4JDeployerRunnable.java:52)
  06/09/07 13:45:58 at oracle.oc4j.admin.jmx.server.mbeans.deploy.DeployerRunnable.run(DeployerRunnable.java:81)
  06/09/07 13:45:58 at EDU.oswego.cs.dl.util.concurrent.PooledExecutor$Worker.run(PooledExecutor.java:814)
  06/09/07 13:45:58 at java.lang.Thread.run(Thread.java:595)
  06/09/07 13:45:58 Caused by: java.lang.InstantiationException
  06/09/07 13:45:58 at com.evermind.server.ApplicationStateRunning.initDataSources(ApplicationStateRunning.java:1424)
  06/09/07 13:45:58 at com.evermind.server.ApplicationStateRunning.initializeApplication(ApplicationStateRunning.java:195)
  06/09/07 13:45:58 at com.evermind.server.Application.setConfig(Application.java:391)
  06/09/07 13:45:58 at com.evermind.server.Application.setConfig(Application.java:308)
  06/09/07 13:45:58 at com.evermind.server.ApplicationServer.addApplication(ApplicationServer.java:1771)
  06/09/07 13:45:58 at oracle.oc4j.admin.internal.ApplicationDeployer.addApplication(ApplicationDeployer.java:507)
  06/09/07 13:45:58 ... 6 more
  2006-09-07 13:45:58.890 NOTIFICATION Application Deployer for aam FAILED.
  2006-09-07 13:45:58.890 NOTIFICATION Application UnDeployer for aam STARTS.
  2006-09-07 13:45:58.906 NOTIFICATION Removing all web binding(s) for application aam from all web site(s)
  2006-09-07 13:45:59.015 NOTIFICATION Application UnDeployer for aam COMPLETES.
  06/09/07 13:45:59 WARNING: DeployerRunnable.run java.lang.InstantiationExceptionoracle.oc4j.admin.internal.DeployerException: java.lang.InstantiationException
  at oracle.oc4j.admin.internal.DeployerBase.execute(DeployerBase.java:126)
  at oracle.oc4j.admin.jmx.server.mbeans.deploy.OC4JDeployerRunnable.doRun(OC4JDeployerRunnable.java:52)
  at oracle.oc4j.admin.jmx.server.mbeans.deploy.DeployerRunnable.run(DeployerRunnable.java:81)
  at EDU.oswego.cs.dl.util.concurrent.PooledExecutor$Worker.run(PooledExecutor.java:814)
  at java.lang.Thread.run(Thread.java:595)
  Caused by: java.lang.InstantiationException
  at com.evermind.server.ApplicationStateRunning.initDataSources(ApplicationStateRunning.java:1424)
  at com.evermind.server.ApplicationStateRunning.initializeApplication(ApplicationStateRunning.java:195)
  at com.evermind.server.Application.setConfig(Application.java:391)
  at com.evermind.server.Application.setConfig(Application.java:308)
  at com.evermind.server.ApplicationServer.addApplication(ApplicationServer.java:1771)
  at oracle.oc4j.admin.internal.ApplicationDeployer.addApplication(ApplicationDeployer.java:507)
  at oracle.oc4j.admin.internal.ApplicationDeployer.doDeploy(ApplicationDeployer.java:191)
  at oracle.oc4j.admin.internal.DeployerBase.execute(DeployerBase.java:93)
  ... 4 more
  2006-09-07 13:45:59.031 WARNING java.lang.InstantiationException

• Use of portal service in JAAS Login Module

  Is it possible to use an portal service in an JAAS Login Module?
  I've tried to use the IUserMappingService and always run in an Null Pointer Exception.
  All needed Used DC references are set and the build and the deployment of the
  login module is possible without any errors.
  Best regards,
  Thomas

  I've debuged my JAAS login modul.
  The following objects are in accessable over my context object
  {broker=broker, com.sap.portal.pcm.collaborative.ipartstemplates={}, UME=UME, com.sap.workflow.es.portal.IKMCRoomService=com.sap.workflow.es.room.KMCRoomHelper@44c944c9, comp.sap.portal.fpn.marshallersrepository={com.sapportals.portal.workset=com.sap.portal.fpn.marshal.WorksetMarshaller@7cf07cf0, com.sapportals.portal.rolefolder=com.sap.portal.fpn.marshal.RoleFolderMarshaller@489b489b, com.sapportals.portal.operationmodifier=com.sap.portal.unification.semanticlayer.marshalling.OperationModifierMarshaller@1a1b1a1b, com.sapportals.portal.businessobject=com.sap.portal.unification.semanticlayer.marshalling.BusinessObjectMarshaller@1fc71fc7, com.sapportals.portal.layout=com.sap.portal.fpn.marshal.LayoutMarshaller@454f454f, com.sapportals.portal.role=com.sap.portal.fpn.marshal.RoleMarshaller@590e590e, com.sap.portal.obn.semanticlayer.businessobject.BusinessObject=com.sap.portal.unification.semanticlayer.marshalling.BusinessObjectNYMarshaller@68af68af, com.sap.portal.obn.semanticlayer.operation.IOperation=com.sap.portal.unification.semanticlayer.marshalling.OperationNYMarshaller@4f4a4f4a, com.sap.portal.pcm.admin.PlainFolderConverter=com.sap.portal.fpn.marshal.FolderMarshaller@284a284a, com.sapportals.portal.iview=com.sap.portal.fpn.marshal.IViewMarshaller@7ba37ba3, com.sapportals.portal.page=com.sap.portal.fpn.marshal.PageMarshaller@a100a10, com.sapportals.portal.operation=com.sap.portal.unification.semanticlayer.marshalling.OperationMarshaller@ece0ece}, WP=com.sapportals.portal.prt.core.resource.MultiPropertiesResource@3b213b21, ContentCatalog=ContentCatalog, Navigation=Navigation, PCD=PCD, com.sap.portal.obn=com.sap.portal.obn, com.sap.portal.usermanagement.usermanagement=com.sapportals.portal.prt.service.usermanagement.UserManagementService@60cc60cc, ProductionMode=true, AdHocWorkflowConnector=com.sap.workflow.es.portal.WFEWorkitemProvider@30d630d6, com.sap.ip.bi=com.sap.ip.bi, com.sapportals.portal.pcm.registeredServies=com.sapportals.portal.pcm.registeredServies, UniversalWorklistService=com.sap.netweaver.bc.uwl.core.portal.UWLPortalService@57e957e9, com.sap.portal.appintegrator=com.sap.portal.appintegrator, rtmf_messaging=com.sap.ip.collaboration.core.api.rtmf.core.RTMFMessaging@41af41af, com.sap.workflow.es.portal.IKMNotificationService=com.sap.workflow.es.portal.KMNotificationService@1daa1daa, com.sap.portal.pcm.collaborative.pagestemplates={}, runtime=runtime, Authenticator=com.sapportals.portal.prt.service.authenticationservice.AuthenticationService@756f756f, com.sap.workflow.es.portal.IKMAttachmentService=com.sap.workflow.es.portal.KMAttachmentService@9750975, unification=unification}
  The IUserMappingService is missing.  Any ideas?
  Best regards,
  Thomas

• Accessing LDAP in a custom JAAS login module

  Hi,
  I have developed a custom jaas login module in CE 7.1. I created a java dc which contains a class extending AbstractLoginModule. This DC is deployed on to the server using an EAR DC. I am trying to access LDAP in the custom login module. I am trying to establish an SSL connection to LDAP. For this purpose i have created a custom socket factory class which extends SSLSocketFactory. I used the code below to establish the connection.
            Hashtable<String,String> env=new Hashtable<String,String>();
            DirContext dirContext=null;
            env.put(Context.INITIAL_CONTEXT_FACTORY,"com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL,ldapURL);
                  env.put(Context.SECURITY_PROTOCOL,"ssl");
                  env.put("java.naming.ldap.factory.socket", "com.test.ldap.MySSLSocketFactory");
                  dirContext=new InitialDirContext(env);
  MySSLSocketFactory is the name of custom socket factory.
  During a login process, the above code results in error because the connection to LDAP server could not be established. However the same code when executed in a webdynpro DC is working without any problem. What could be the reason for this?
  This is the error i could see in defaultTrace
  javax.naming.CommunicationException: js24.na.domain.net:636 [Root exception is java.lang.ClassNotFoundException: com.test.ldap.MySSLSocketFactory
  Loader Info -
  ClassLoader name: [service:security]
  Living status: alive
  Direct parent loaders:
     [system:Frame]
     [library:j2eeca]
     [service:timeout]
     [service:com.sap.security.core.ume.service]
     [service:adminadapter]
  Resources:
     /usr/sap/SV3/J10/j2ee/cluster/bin/services/security/lib/private/sap.comtcjesecurityimpl.jar
  at com.sun.jndi.ldap.Connection.<init>(Connection.java:205)
  at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:118)
  at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1579)
  at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2681)
  at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:299)
  at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
  at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
  at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
  at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
  at com.sap.engine.system.naming.provider.DefaultInitialContext._getDefaultInitCtxt(DefaultInitialContext.java:64)
  at com.sap.engine.system.naming.provider.DefaultInitialContext.<init>(DefaultInitialContext.java:45)
  at com.sap.engine.system.naming.provider.DefaultInitialContextFactory.getInitialContext(DefaultInitialContextFactory.java:41)
  at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
  at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:247)
  at javax.naming.InitialContext.init(InitialContext.java:223)
  at javax.naming.InitialContext.<init>(InitialContext.java:197)
  at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:82)

  Hi,
  I used an EJB to perform the LDAP search and called the EJB from the login module. It is working as expected.
  Regards,
  Shabeer

• How to create Jaas Login module !! Urgent

  <b>Hi developers</b>
                      I want to make some changes in logon messages. Right now we are getting only error <b>user authentication failed </b> on the portal even if user is locked or some other reason is there for failed authentiaction. I want proper message should be displaying based on user input. For it I hope its good to <b>create Jaas logon module</b> so that i can modify it accordingly .
  kindly if any one can give me way out , its urgent.
  how to create it step by step. it would be highly appriciable.
  any inputs are appriciated .
  Thanks in advance
  <b>Abhay</b>

  Hi Abhay,
  1.) Every question is "urgent"... Please read https://www.sdn.sap.com/irj/sdn/wiki?path=/display/home/rulesofEngagement - section "Use a Good Subject Line"
  2.) For JAAS Login Modules examples, see https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/4d65ed90-0201-0010-3aba-9209836e8242
  Hope it helps
  Detlev

• Urgent: JAAS Login Module Deployment Problem

  Hi,
  I have developed a JAAS Login module for the portal (EP6 SP9 sneak preview) and i am getting the following error:
  GroupAssignmentLoginModuleLibrary does not exist in LoadContextWrapper.modifyName.
  com.sap.engine.services.security.exceptions.BaseSecurityException: Can not load a login Module
  The next line is a ClassNotFoundException for the Login Module and the class found in negative cache.
  Please let me know if you know the solution to this problem.
  It is an urgent issue and a solution will be suitably rewarded.
  Regards,
  Vibhu

  Hi Diego,
  Scenario 1: SAP EP to SAP Backend Integration
        In this scenario the most commonly used strategy
        is SAP logon tickets. As far as I know this is the
        best and simple way to implement SSO.
  Scenario 2: SAP EP to Non SAP systems.
        In this scenario various mechanisms can be used.
        It depends on the application you are integrating
        with. SAP does deliver SSO soultions with Lotus
        Notes and Outlook etc. If supported probably it is
        simple to use the SAP solution [Reliability and
        Support].
  Scenario 3: Enterprise Uses third party authetication
        Software.
        For the authntication if the company chooses to use
        some third party product like SiteMinder etc, then
        you can simply use this solution for SAP EP authe-
        tication, and also all your other enterprise
        applications based on the product support. But SAP
        EP to other SAP systems be best integrated with SAP
        logon tickets.
  Scenario 4: SSO using homegrown authetication or some
        third party JAAS module.
        If you have significant applications that are home
        grown that uses some custom authentication mecha-
        nism (Example: Authentication based on ID and
        Password stored in company database ) you can write
        a JAAS module extention to authenticate using that
        database. In other words JAAS is flexible and
        for using external authentication mechanisms.
  There are several mechanisms available that all depends
  on your internal applications/security mechanism/integration etc.
  Here is the link to one of the good articles on SDN about the SAP supported SSO mechanisms.
  https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/uuid/58094632-0301-0010-a391-fc0de26f010e
  Hope this information is useful.
  -Venkat Malempati

• Create new JAAS login module & have to deploy in OC4J

  Dear Experts,
  Is it possible to create number of user roles under the group oc4jadmin. Then have to assign task for each user in group. please suggest me.
  Thanks,
  Rajesh
  Edited by: Rajesh A on Mar 12, 2009 10:15 AM
  Edited by: Rajesh A on Mar 12, 2009 6:48 PM

  h5. James,Anirudh
  Is it possible to define new JAAS module that would first check with Oracle DB & then check with LDAP directory. Actually my requirement was to authenticate user with the help of backends. Here backend denotes both Oracle DB & LDAP. In the sense when user enters valid id & password it checks for existence in DB & if exist DB returns a new value (role) then have to check new value with LDAP( what are the privileges available for specified role & who is the superior for the same). The details maintaining in LDAP are dynamic so we cant able to move into DB. Every process involving here is automatic in the sense no external server connection should provide for authentication. The custom login module should be deploy in same OC4J container. Always available as service. I want to know about the following
  1) How to define costom JAAS login module
  2) How to configure coutom JAAS login module over OC4J
  3) How to make use of it
  Thanks,
  Rajesh

• URGENT: JAAS Login Module in Clustered Environment

  Hello all,
  I've created out own JAAS Login Module which works perfectly on a single-node environment... i dropped the jar in /server/additional-lib and modified library.txt and authschemes.xml as needed.
  Now that we need to deploy it in a clustered node environment, we added the jar file into the additional-lib folders of all the nodes and edited all the library.txt files of all nodes.
  UME cant seem to find our jar file anymore and we get the "missing handler" error when we try to login.
  Any ideas?
  Thanks,
  Yves

  If you are using SAP J2EE PL21+ there is a separate node called state controller (you have dispatcher, application nodes and state controller nodes). Basically the state controller makes sure all application nodes (server nodes) are synchronized
  You can find the dispatcher under cluster\dispatcher, servers under cluster\server and state under cluster\state .
  If you are using SAP J2EE PL20 or less this does not apply.

• JAAS Login Module development/deployment  - getting en error

  Guys,
  I have developed a JAAS Login Module (as per the SAP documentation) and configured the J2EE Engine  (as per the SAP documentation) for this module to sit amongst several other standard modules,  but I have a problem. I am unable to get the Module working on one portal instance and I am getting an error in the default.trc file when the server restarts after SDM deployment.
  The error is:  "cannot load login module class....... java.lang.ClassNotFoundException........"
  The whole thing works on another instance of EP6 SP16,17 and 18..... however it does not work on this one completely separate instance  (there probably are configuration difference between these instances!)
  Im not quite sure, given this set of circumstances,  what could be causing the Login Module not to load.  Which part of the configuration of the J2EE engine should I look in, something perhaps overlooked in the documentation? 
  Thanks
  Adrian

  With some help I have now solved this.
  In the properties tab of Security Provider,  the reference to your login module in the classloader needs to be prefixed with library:~<provider>.   For the default SAP example the provider in com.sap...... or whatever you have changed it to.

• JAAS Login module SOAP

  Hi all,
  I’m developing a new JAAS login module which will use Apache's Axis API to call a remote SOAP server.
  During the development process, I added the Axis library by using the classic Java Build path=> libraries on Sap Netweaver developer Studio.
  The compilation, the deployment of the SDA and the configuration via Visual Admin are working well.
  But when I tried to authenticate on the SAP EP through this module, I’ve got the following error message:
  java.lang.NoClassDefFoundError: org.apache.axis.client.Service
  In my opinion, it seems that the Apache Axis API (jar files) is not present on the SAP EP.
  Is there any way to add external libraries like   Apache Axis API (jar files) on the SAP EP?
  Is there any way to add external libraries like   Apache Axis API (jar files) on the sda generated by Sap Netweaver developer Studio?
  Thanks,

  Hi,
  can't you add the Axis libs to the SDA? In the file server/provider.xml you have the possibility to add jars via the NWDS.
  HTH
  Daniel

• Initialize method in JAAS login module

  Hi All,
  In my JAAS login module (extended AbstractLoginModule) deployed on WAS 6.40 (sneak preview) my initialize method is being called for every browser session. I have added some logging in the login module contructor, even that is being called for every new browser session. Is this the expected behaviour?
  I guess the initialize method should be called on once.
  regards,
  Vishal

  Hi,
  We had the same problem.
  What we found was that Sap has a new Login Module called HeaderVariableLoginModule which you have to create using the class com.sap.security.core.server.jaas.HeaderVariableLoginModule. You can do this in NWA -> Configuration -> Authentication and Single Sign-On -> Login Module, then click on the create button and fill out the fields with the information i just gave you.
  The list of Login Modules should now include HeaderVariableLoginModule, which you can configure by selecting the row of this module, and adding two options-  ume.configuration.active=true and Header=REMOTE_USER.
  It appears that this Login Module is covertly delivered as a class in every Netweaver version >= 7.0.
  Good luck,
  Steven McElwee, Duke University
  PS- I tried to attach a word document that shows the procedure for this, but this system rejected it. I can email it you if you let me know where to send it. In our case we used "Header=uid" rather than "Header="REMOTE_USER".