JAAS LoginModule: how to getCurrentUser

Similar Messages

• JAAS LoginModule - how do I get path, port, resource accessed, etc

  Hi,
  I checked everywhere including the forums, but could not get any info on this. I'm writing a custom JAAS LoginModule for the WebAS 6.40 server. I'm trying to figure out how to get the following out of the request from within login() or initialize() or any other method:
  1. Name of the webserver (i.e. the WebAS server being accessed like www.mycompany.com)
  2. Resource (e.g. /QuickCarRental)
  3. Port through which the request comes in (e.g. 50000)
  The URL being accessed in the above case is http://www.mycompany.com:50000/QuickCarRental
  Appreciate your help, and points will be awarded. Have a nice day
  R Abraham

  This is only available for NetWeaver Portal, not NetWeaver Application Server(WebAS). host and port can be obtained using the following code:
                 Callback[] callbacks = new Callback[3];
                 callbacks[0] = new NameCallback("UserId: ");
                 callbacks[1] = new PasswordCallback("Password: ", false);
                 // get host name and port
                 HttpGetterCallback getterCallback = new HttpGetterCallback();
                 getterCallback.setType(HttpCallback.HEADER);
                 getterCallback.setName("Host");
                 callbacks[2] = getterCallback;
                 try {
                      callbackHandler.handle(callbacks);
                 } catch (Exception ex) {
                      throw new LoginException(ex + "");
                 Object retValue = ((HttpGetterCallback)callbacks[2]).getValue(); //get host
  host and port will be returned in the following format SERVER.COMPANY.COM:50000
  Currently WebAS is not able to return the resource as per SAP development.

• JAAS LoginModule - how do I get the "JSessionId"

  Hi,
  is there any possibility to get the JSessionId from a custom JAAS LoginModule for the WebAS 6.40 Server.
  My first attempt was to read the JSESSIONID-Cookie from the Http-Request via the HttpGetterCallback-Class.
  ((HttpGetterCallback) callbacks[1]).setType(HttpCallback.COOKIE);
  ((HttpGetterCallback) callbacks[1]).setName("JSESSIONID");
  It worked well, till I noticed that sometimes the JSessionId-Cookie doesn't exist.
  The reason is, that the JSession-Cookie was set after the http-request has passed my login-modul.
  So, if I got a cookie-value, it sometimes was the JSessionID from an earlier session.
  So, my question:
  Is there any other posibility to get the JSessionId?
  If there is a way to get the ServletRequest-instance,  I could reach the SessionId via "HttpServletRequest.getSession()".
  Any idea? Any hints?
  Regards
  Steffen Spahr

  This is only available for NetWeaver Portal, not NetWeaver Application Server(WebAS). host and port can be obtained using the following code:
                 Callback[] callbacks = new Callback[3];
                 callbacks[0] = new NameCallback("UserId: ");
                 callbacks[1] = new PasswordCallback("Password: ", false);
                 // get host name and port
                 HttpGetterCallback getterCallback = new HttpGetterCallback();
                 getterCallback.setType(HttpCallback.HEADER);
                 getterCallback.setName("Host");
                 callbacks[2] = getterCallback;
                 try {
                      callbackHandler.handle(callbacks);
                 } catch (Exception ex) {
                      throw new LoginException(ex + "");
                 Object retValue = ((HttpGetterCallback)callbacks[2]).getValue(); //get host
  host and port will be returned in the following format SERVER.COMPANY.COM:50000
  Currently WebAS is not able to return the resource as per SAP development.

• How to capture LoginException throwed by Customized JAAS LoginModule?

  I have a customized JAAS LoginModule deployed on WebLogic, when authentication fails, it throws LoginException("Incorrect Password");
  At remote fat-client side, I use following code to login to WebLogic:
  Environment env = new Environment();
  env.setInitialContextFactory(weblogic.jndi.Environment.DEFAULT_INITIAL_CONTEXT_FACTORY);
  env.setProviderUrl(url);
  env.setSecurityPrincipal("user1");
  env.setSecurityCredentials("wrong password");
  Subject subject = new Subject();
  Authenticate.authenticate(env, subject);
  With the wrong password, the client get exception:
  javax.security.auth.login.LoginException: java.lang.SecurityException: User: user1, failed to be authenticated. (The exception message is replaced :-( )
  How can the fat-client get the exact Exception("Incorrect Password") which is thowed by the LoginModule ???

  I have also had the same problem. In the end, it is not possible to propagate a sub-class of a LoginException (or any other type of exception) to a remote client. The WLS Security Framework will always return to the caller its stand LoginException and message. The WLS documentation also clearly states this. Sorry to disappoint. The only other suggestion I have is to pass the name and credentials to a server-side client authentication proxy and let it return the authenticated Subject or a customized LoginException to the client (the server-side proxy should of course not required any authorization).
  Let me know if you come up with some other way!
  Eitan

• Migrating JAAS LoginModule from oc4j to WLS

  Hi,
  We are trying to migrate oc4j enterprise web service application to weblogic which implements JAAS LoginModule.
  Followed Weblogic Docs for :
  Developing Custom Security Providers
  http://download.oracle.com/docs/cd/E12890_01/ales/docs32/dvspisec/progrmng.html
  CustomAuthProvider (SecurityProvider) class points to the LoginModule which references to
  application-specific classes.
  Following are the issues we are dealing with:
  1.Security Provider exist at the global-context means every request to WLS is going to hit to the provider
  which we do not want, we need LoginModule to work at the application-context and not the global
  weblogic context.
  2. Clearly there is a disconnect if LoginModule resides in EAR (web app) and standalon MBean jar is
  trying to invoke the LoginModule. It can't find the LoginModule.
  so, the question is how can we have the JAAS LoginModule implemented in Weblogic
  at the application (EAR) level and not at Weblogic server global level
  (by MBean JAR) as it used to be in oc4j
  public class CustomAuthProviderimplements AuthenticationProviderV2 {
      public AppConfigurationEntry getLoginModuleConfiguration() {
          System.out.println("Inside getLoginModuleConfiguration.");
          return new AppConfigurationEntry("com.test.security.loginmodule.CustomLoginModule",
                                           LoginModuleControlFlag.REQUIRED,
                                           new HashMap());
  }OC4J Doc Reference : Packaging Login Modules
  http://download.oracle.com/docs/cd/B31017_01/web.1013/b28957/loginmod.htm#BABCFADI
  Here's how it used to be done in oc4j
  http://download.oracle.com/docs/cd/B14099_19/web.1012/b14013/loginmod.htm#i1006128
  Thank you
  Edited by: 877976 on Aug 8, 2011 11:11 AM

  There is a WebLogic Server release specific for running Oracle Forms and Reports that is available for you to switch to from Oracle AS if you are current on your support and version. Just an FYI
  Edited by: ChrisBaker on Jan 4, 2010 5:33 AM

• JAAS LoginModule sample

  Is there a sample on how to develop a custom JAAS LoginModule that uses Identity Server?

  I also want the similar sample, If some has worked with it then please help us ...
  Thanx
  Yasir Khan

• JAAS LoginModule for SunOne Directory Server?

  I have a customer who is using SunOne Directory Server for LDAP.
  I have test code that uses the JAAS's com.sun.security.auth.module.JndiLoginModule to do authentication against an OpenLDAP test server.
  The test code won't work at the customer site because they need to use a special userid/pw along with the subject userid/pw in order to do an authentication. I assume this is LDAP v3 stuff, but the customer is unsure. Unfortunately I have no direct access to the customer's LDAP admin folk. Typical bureaucracy stuff.
  The customer was able to write java code that authenticates to his LDAP server using example code from http://java.sun.com/products/jndi/tutorial/ldap/security/ldap.html which uses the JNDI API and specifies the access userid/pw using Context.SECURITY_PRINCIPAL and Context.SECURITY_CREDENTIALS.
  So thats great, however my application uses JAAS, and therfore only indirectly uses JNDI. The JndiLoginModule provided by JAAS does not appear to support the Context.SECURITY_PRINCIPAL and Context.SECURITY_CREDENTIALS parameters.
  A custom JAAS LoginModule could be written which interfaces to the JNDI LDAP stuff, however considering that JAAS and the SunOne Directory server are both Sun products, I thought perhaps SunOne Directory comes with a JAAS compatible LoginModule that my customer does not know about? I've looked at online docs, but haven't found any such thing yet.

  Hey dav,
  Sorry that I am not posting to give you a solution - it is more to ask for some guidance.
  I am implementing a client-server arch system which has a lot of 'privileged' actions to be managed. I have thus succesfully integrated the basics of JAAS in to the system... but I am now desparately looking for away to have client-side policies distributed at runtime from the server.
  I do not want to get involved with any web/application server stuff more than I need to; unfortunately one of the system requirements is for client-server comms to be facilitated by SOAP over HTTP, and thus probably JAX-RPC - but it is no problem. I have a developed a database backed Policy and (JAAS) Config which constitute parts of the server component. Now it is just a case of getting the policy to the client at client start-up and subsequently the configuration forJAAS authentication. The aim is that this data will be transfered once during login, and anytime that the the policy is requested to be refreshed.
  Since reading you post, I'm wondering what services LDAP or JNDI can offer me?
  Also, is JNDI an appropriate option for data persistence? is it better to go with JDO or some other object store abstraction.
  Kind regards,
  Darren B

• JAAS LoginModule ???

  Hello,
  In Tomcat, we can use container based authorization.
  Those username/password information can be place in a XML files or use DBRealm, right ?
  How can I implement a login module, so that the Web Container will called my module instead of the default login module.
  For example, the following is my login.jsp.
  <form action="j_security_check" method="post" name="fm">
  <input name="j_username">
  <input name="j_password">
  <input type="submit" value="Login">
  </form>
  When the above submit, it will pass to my LoginModule, how can I implement that part?
  Best regards,
  Eric

  Eric,
  Logically i would think, you may have to make an entry for the configuration file in your java.security file that is used by the web container. That entry will specify what loginmodule should be called. Once your login module is invoked you can use the user input value from the form.
  Hope that helps!

• Accessing Tomcat 4.03 JNDI service from JAAS LoginModule

  Hi!
  I have following problem:
  I have custom JAAS LoginModule that uses JNDI to lookup DataSource object.
  My LoginModule and LoginConfiguration implementation classes are located
  in Tomcat's classpath.
  I tried first to put JAAS related classes under [TOMCAT-HOME]/common/lib,
  but that caused exception:"Unable to load LoginConfiguration".
  It looks like Java's core classes have no access/visibility to classes under Tomcat.
  I'm using JAAS authentication directly from a servlet, so I'm using no
  Tomcat specific realms in authentication.
  Servlet just calls:
       LoginContext lc = new LoginContext( jaasApplName,
  customUserPasswordCallbackHandler );
       lc.login( );
  Everything works fine until LoginModule tries to lookup datasource
  after obtaining InitialContext with
            InitialContext initCtx = new InitialContext( );
            DataSource ds = (javax.sql.DataSource) initCtx.lookup(
  dataSourceName );
  I got exception with message : "Name MIPCoreDS is not bound in this
  context.".
  MIPCoreDS is configured in Tomcats configuration file server.xml under
  <GlobalNamingResources> tag.
  Should this be visible for JAAS Login module or not?
  When servlet's make same lookup under Tomcat, datasource is found fine.
  It seems that loginModules have no visibility to JNDI objects configured
  under Tomcat.
  Is this right?
  Is it possible any way to put JAAS working with Tomcat 4.0.3, so
  that LoginModules can access JNDI objects bound to Tomcat's JNDI service?
  Is it possible to call Tomcat's JNDI service outside Tomcat?
  Any help is appreciated.
  Best Regards,
  Aki

  Using JAAS in Servlets is messy - I found a working example at
  http://www.loadedanswers.com
  go to the Documents section and the eg is there.
  Have fun :)

• How-to use the DBTableOraDataSourceLoginModule JAAS LoginModule in jdev 11g

  how to configure it in 11g?
  My codes work well in jdev 10g, according the http://www.oracle.com/technology/products/jdev/howtos/1013/oc4jjaas/oc4j_jaas_login_module.htm

  Hi,
  actually JDeveloper 11 and OC4J is in early preview and the documents for 11 haven't been written yet. The change in the configuration mainly is that LoginModules are no longer configured in system-jazn-data.xml but jps-config.xml. Another change is - though not yet implemented in teh current preview - that jps-config.xml definitions can be deployed with the application, which is in contrast to 10.1.3 where everything has to be in the OC4J bootstrapping config files.
  As soon as we have a production date for 11 I'll revisit the paper you referenced for 10.1.3 and update it to 11.
  Frank

• Custom JAAS Module - How to use in certification test?

  Hello,
  I just read the document about certification for custom JAAS modules ("BC-AUTH-SAML Test Plan"). What I don't understand is how our custom login module can get the custom information it needs (like a certain request parameter).
  First, what we would like to do is to create a JAAS module which examines proprietary login tickets created by our reverse proxy / authentication server. The example code shows how to retrieve HTTP parameter and headers using the callback methods, so that part is all fine and clear to me.
  But for the certification test, the description says that in order to execute the test, the browser must be opened with a certain URL (Test 1, GET w/o password change). That action alone must lead to a valid authentication. However, in your real-world setup, the reverse proxy - sitting between the browser client and the SAP system - would insert a custom HTTP header with the login ticket. Obviously, in the test setup as dictated by the certification document, we don't have our reverse proxy, so my question basically is:
  How can I add custom HTTP headers or parameters while running the certification test?

  I'd gladly send you something by mail. Two other details first:
  - My name is actually not Remo, but Marcel Schoen. I'm just using a company account for this forum. My address is marcel.schoen<at>united-security-providers.ch
  - I'm swiss. Do you speak german? Your name sounds german. Falls ja koennen wir das auch auf Deutsch weiter besprechen.
  In short, our product is a Web Application Firewall; a reverse proxy for protecting and integrating web applications. Some of the functionality also allows to implement single-sign-on over existing legacy applications with different user bases. And now we're looking into ways to integrate SAP application servers as well (right now, the JAAS module and SAML are the two most likely approaches).

• Expired Password Custom JAAS LoginModule

  Hello,
  We need to be able to determine how long till a user's password expires.  We are authenticating with ldap / Microsoft AD.  We have attempted to create a jaas login module which causes the login to to be forwarded to the changePasswordPage.jsp unsuccessfully.  How can we implement so that if the password is expired the changePassword.jsp is shown?  Do we need to write the LoginComponent from scratch or is there another way?
  Thanks in Advance

  Hi Matthew,
  Did you solve the problem when the users password expires? We're experiencing the same problem!
  Thanks,
  Joachim

• Use custom JAAS LoginModule without UME - possible?

  Hi all,
  I want to deploy an application that internally makes use of JAAS to authenticate users. There is a LoginModule that authenticates users against some database tables containing all the user data and profile. The application was not designed to be deployed to NetWeaver. So it does not make use of UME or some other NetWeaver specific feature. Actually it handles user management and authoroization issues completely on its own. The only reason for having JAAS is to allow customers to plug in their own LoginModule to use some other kind of user store.
  When deploying the web application to a simple servlet engine like Tomcat, all I have to do is to register my LoginModule in the "jaas.conf" file that is parsed by JAAS default implementation. I also tell the JVM where my jaas.conf file is located by appending a "-Djava..." runtime parameter to the JVM startup script.
  When using other application servers like IBM WebSphere things become a bit different. Normally you use the administration GUI of that server to configure your LoginModules. WebSphere for example keeps the login configuration in an internal database rather than writing everything into a "jaas.conf" text file. But the way the application can use the LoginModule is the same as in Tomcat.
  But when it comes to Netweaver, it seems to me that it's not possible to define a LoginModule that your application can use WITHOUT having to couple it tightly to UME. Or did I get something wrong? Initially I've tried to modify the JVM's parameters (using SAP J2EE Config Tool) to include the location of my "jaas.conf" file containing the my login configuration. But that did not work. The parameter was really passed to the JVM but anyway my LoginModule was not found, I guess that NetWeaver has some own implementation of the JAAS interfaces that just ignore the plain text JAAS configuration files (like WebSphere also does).
  The documentation that I have downloaded from SDN doesn't seem to match the 6.4 sneak preview version that I just downloaded some days ago. They say you should deploy your LoginModule as a library and add a refernce to the application. I tried that out but it did not help. The login configuration that the application wants to access is still not found. Actually there seems to be no way to specify the name for a JAAS Login Configuration in NetWeaver. At least I cound not find that in the documentation.
  So basically my question is: is it possible to deploy an application that wants to use some own LoginModule (either deployed separately or together with the application, that does not matter) without making use of Netweaver specific features like UME? The application has its own user management infrastructure and just needs a way to setup a JAAS Login Configuration to access its own LoginModule.
  Thanks for any reply
  Henning

  http://help.sap.com/saphelp_nw04s/helpdata/en/3f/1be040e136742ae10000000a155106/content.htm

• Multiple JAAS LoginModules: WL6.1 always calls default ServerLoginModule?

  Hello All,
  I'm trying to implement a set of custom LoginModule(s) to authenticate
  a user (an "application user", not a Weblogic admin). From a JSP login
  page, the app calls a Servlet that calls LoginContext("myLogin",
  myCallbackHandler).login(). I have also create a custom
  Callback/CallbackHandler (since the parameters are passed as HTTP
  parameters) and added the required parameters in lib\server.policy:
  myLogin {
  com.andrej.myLoginModule required;
  The problem is that it looks like WL always calls the default
  LoginModule (ServerPolicy from the lib\server.policy file) even if it
  doesn't correspond to "myLogin". Of course, my app crashes
  miserably... :)
  Two questions:
  - is the above normal? Am I missing something of JAAS?
  - am I following the right path i.e. can I use a custom LoginModule to
  authenticate an application user via an entity EJB so that the
  successive calls are then associated to the proper Subject/Principal?
  Or can I only use a LoginModule to authenticate a Weblogic server
  user?
  Thank you in advance!
  Andrej
  PS: if possible, I'd like to avoid using Weblogic-specific classes. :)

  You must specify two properties:
  weblogic.security.jaas.Configuration - your implementation of Configuration
  class
  weblogic.security.jaas.Policy - jaas config file location
  For example:
  System.setProperty("weblogic.security.jaas.Configuration",
  "examples.security.jaas.SampleConfig");
  System.setProperty("weblogic.security.jaas.Policy",
  "C:/Sample.policy");
  "Andrej" <[email protected]> wrote in message
  news:[email protected]..
  Hello All,
  I'm trying to implement a set of custom LoginModule(s) to authenticate
  a user (an "application user", not a Weblogic admin). From a JSP login
  page, the app calls a Servlet that calls LoginContext("myLogin",
  myCallbackHandler).login(). I have also create a custom
  Callback/CallbackHandler (since the parameters are passed as HTTP
  parameters) and added the required parameters in lib\server.policy:
  myLogin {
  com.andrej.myLoginModule required;
  The problem is that it looks like WL always calls the default
  LoginModule (ServerPolicy from the lib\server.policy file) even if it
  doesn't correspond to "myLogin". Of course, my app crashes
  miserably... :)
  Two questions:
  - is the above normal? Am I missing something of JAAS?
  - am I following the right path i.e. can I use a custom LoginModule to
  authenticate an application user via an entity EJB so that the
  successive calls are then associated to the proper Subject/Principal?
  Or can I only use a LoginModule to authenticate a Weblogic server
  user?
  Thank you in advance!
  Andrej
  PS: if possible, I'd like to avoid using Weblogic-specific classes. :)

• JAZN - JAAS - DB how to implement?

  Hi all,
  I need to implement authentication in my application but I don't now how.
  I have many users of application and they will be more of them in future...
  So, I need to provide user registration for administrators of the application...
  Where should I store usernames and passwords for users?... database?... xml?... or something else?... and how to use that with jazn?
  There are some instructions for JDev10 but seams it doesn't work in JDev11TP.
  Thanks in advance
  SOVIET

  Hi,
  as much as I like to help, I am actually hitting hard at the end of my bandwidth. Even if I would be able to find time this wont be before Christmas anyway.
  1) Create a user - I assume I can use the above code provided by SOVIET to create a sample user.
  Haven't looked at the code (just jumped to this last entry), but if it uses the JAZNUserManager then forget it
  2) Create a permission - I assume I can modify the java.policy file to add a permission definition.
  You can always modify the java.policy file. Wondering though for which you need this as the application specific permissions are stored where the security provider (which could be JAZN) expects it)
  3) Create a permission-grant: I assume I can modify the system-jazn-data.xml file to add a permission grant
  Sure. You just need the right set of APIs by hand to do this programmatically. Normally permissions are configured in a configuration file upon deployment but can be granted dynamically
  I assume, now, either in the servlet code or in jps page, we can call AccessControl.checkPermission to see if the logged in user has permission-granted.
  You can always do this if you perform JAAS authorization. ADF Security would be a better option to use in 11, but the decision is all your to do this on the lowest level
  Questions:
  ========
  1) Do you have any sample code for us to take a look and model after?
  No. I hope that the JAZN folks will come up with these samples. I am a consumer of this technology as you are (except for that I can ping the developers if I have questions )
  2) Is the above approach correct? If not, what's missing? If correct, then how and where do I establish the session as the user created in above step 1)?
  I would read up on ADF Security. The TP3 in December will have updated documentation and ADF Security has been updated there as well. Using ADF Security as framework makes more sense to me. However, using custom module authentication with it hasn't been yet tested (I am sure about that)
  Frank