JAAS loginModule implementation problems

I am playing with the JAAS Login Modules for WebAS 6.40. Using EP 6 on WebAS 6.40 SP9 - installed using RI 2.0.
I have been able to get the login module executing - however am receiving the following error:
...#/System/Security/Audit#Plain###vand | LOGIN.ERROR | NONE = null | | Login Method=[myTestLoginModule], UserID=[vand], IP Address=[127.0.0.1], Reason=[Call logout before login!]#
Once the permission check fails (above), it uses the j2ee_guest and gets an "access denied" error.
Any suggestions would be appreciated.
Peter Vanderwyst

Hi Peter,
have you found a solution for this issue? Actually I'm running in the same error.
Cheers
Lars

Similar Messages

Migrating JAAS LoginModule from oc4j to WLS

Hi,
We are trying to migrate oc4j enterprise web service application to weblogic which implements JAAS LoginModule.
Followed Weblogic Docs for :
Developing Custom Security Providers
http://download.oracle.com/docs/cd/E12890_01/ales/docs32/dvspisec/progrmng.html
CustomAuthProvider (SecurityProvider) class points to the LoginModule which references to
application-specific classes.
Following are the issues we are dealing with:
1.Security Provider exist at the global-context means every request to WLS is going to hit to the provider
which we do not want, we need LoginModule to work at the application-context and not the global
weblogic context.
2. Clearly there is a disconnect if LoginModule resides in EAR (web app) and standalon MBean jar is
trying to invoke the LoginModule. It can't find the LoginModule.
so, the question is how can we have the JAAS LoginModule implemented in Weblogic
at the application (EAR) level and not at Weblogic server global level
(by MBean JAR) as it used to be in oc4j
public class CustomAuthProviderimplements AuthenticationProviderV2 {
    public AppConfigurationEntry getLoginModuleConfiguration() {
        System.out.println("Inside getLoginModuleConfiguration.");
        return new AppConfigurationEntry("com.test.security.loginmodule.CustomLoginModule",
                                         LoginModuleControlFlag.REQUIRED,
                                         new HashMap());
}OC4J Doc Reference : Packaging Login Modules
http://download.oracle.com/docs/cd/B31017_01/web.1013/b28957/loginmod.htm#BABCFADI
Here's how it used to be done in oc4j
http://download.oracle.com/docs/cd/B14099_19/web.1012/b14013/loginmod.htm#i1006128
Thank you
Edited by: 877976 on Aug 8, 2011 11:11 AM

There is a WebLogic Server release specific for running Oracle Forms and Reports that is available for you to switch to from Oracle AS if you are current on your support and version. Just an FYI
Edited by: ChrisBaker on Jan 4, 2010 5:33 AM

JAAS LoginModule for SunOne Directory Server?

I have a customer who is using SunOne Directory Server for LDAP.
I have test code that uses the JAAS's com.sun.security.auth.module.JndiLoginModule to do authentication against an OpenLDAP test server.
The test code won't work at the customer site because they need to use a special userid/pw along with the subject userid/pw in order to do an authentication. I assume this is LDAP v3 stuff, but the customer is unsure. Unfortunately I have no direct access to the customer's LDAP admin folk. Typical bureaucracy stuff.
The customer was able to write java code that authenticates to his LDAP server using example code from http://java.sun.com/products/jndi/tutorial/ldap/security/ldap.html which uses the JNDI API and specifies the access userid/pw using Context.SECURITY_PRINCIPAL and Context.SECURITY_CREDENTIALS.
So thats great, however my application uses JAAS, and therfore only indirectly uses JNDI. The JndiLoginModule provided by JAAS does not appear to support the Context.SECURITY_PRINCIPAL and Context.SECURITY_CREDENTIALS parameters.
A custom JAAS LoginModule could be written which interfaces to the JNDI LDAP stuff, however considering that JAAS and the SunOne Directory server are both Sun products, I thought perhaps SunOne Directory comes with a JAAS compatible LoginModule that my customer does not know about? I've looked at online docs, but haven't found any such thing yet.

Hey dav,
Sorry that I am not posting to give you a solution - it is more to ask for some guidance.
I am implementing a client-server arch system which has a lot of 'privileged' actions to be managed. I have thus succesfully integrated the basics of JAAS in to the system... but I am now desparately looking for away to have client-side policies distributed at runtime from the server.
I do not want to get involved with any web/application server stuff more than I need to; unfortunately one of the system requirements is for client-server comms to be facilitated by SOAP over HTTP, and thus probably JAX-RPC - but it is no problem. I have a developed a database backed Policy and (JAAS) Config which constitute parts of the server component. Now it is just a case of getting the policy to the client at client start-up and subsequently the configuration forJAAS authentication. The aim is that this data will be transfered once during login, and anytime that the the policy is requested to be refreshed.
Since reading you post, I'm wondering what services LDAP or JNDI can offer me?
Also, is JNDI an appropriate option for data persistence? is it better to go with JDO or some other object store abstraction.
Kind regards,
Darren B

Accessing Tomcat 4.03 JNDI service from JAAS LoginModule

Hi!
I have following problem:
I have custom JAAS LoginModule that uses JNDI to lookup DataSource object.
My LoginModule and LoginConfiguration implementation classes are located
in Tomcat's classpath.
I tried first to put JAAS related classes under [TOMCAT-HOME]/common/lib,
but that caused exception:"Unable to load LoginConfiguration".
It looks like Java's core classes have no access/visibility to classes under Tomcat.
I'm using JAAS authentication directly from a servlet, so I'm using no
Tomcat specific realms in authentication.
Servlet just calls:
     LoginContext lc = new LoginContext( jaasApplName,
customUserPasswordCallbackHandler );
     lc.login( );
Everything works fine until LoginModule tries to lookup datasource
after obtaining InitialContext with
          InitialContext initCtx = new InitialContext( );
          DataSource ds = (javax.sql.DataSource) initCtx.lookup(
dataSourceName );
I got exception with message : "Name MIPCoreDS is not bound in this
context.".
MIPCoreDS is configured in Tomcats configuration file server.xml under
<GlobalNamingResources> tag.
Should this be visible for JAAS Login module or not?
When servlet's make same lookup under Tomcat, datasource is found fine.
It seems that loginModules have no visibility to JNDI objects configured
under Tomcat.
Is this right?
Is it possible any way to put JAAS working with Tomcat 4.0.3, so
that LoginModules can access JNDI objects bound to Tomcat's JNDI service?
Is it possible to call Tomcat's JNDI service outside Tomcat?
Any help is appreciated.
Best Regards,
Aki

Using JAAS in Servlets is messy - I found a working example at
http://www.loadedanswers.com
go to the Documents section and the eg is there.
Have fun :)

How to capture LoginException throwed by Customized JAAS LoginModule?

I have a customized JAAS LoginModule deployed on WebLogic, when authentication fails, it throws LoginException("Incorrect Password");
At remote fat-client side, I use following code to login to WebLogic:
Environment env = new Environment();
env.setInitialContextFactory(weblogic.jndi.Environment.DEFAULT_INITIAL_CONTEXT_FACTORY);
env.setProviderUrl(url);
env.setSecurityPrincipal("user1");
env.setSecurityCredentials("wrong password");
Subject subject = new Subject();
Authenticate.authenticate(env, subject);
With the wrong password, the client get exception:
javax.security.auth.login.LoginException: java.lang.SecurityException: User: user1, failed to be authenticated. (The exception message is replaced :-( )
How can the fat-client get the exact Exception("Incorrect Password") which is thowed by the LoginModule ???

I have also had the same problem. In the end, it is not possible to propagate a sub-class of a LoginException (or any other type of exception) to a remote client. The WLS Security Framework will always return to the caller its stand LoginException and message. The WLS documentation also clearly states this. Sorry to disappoint. The only other suggestion I have is to pass the name and credentials to a server-side client authentication proxy and let it return the authenticated Subject or a customized LoginException to the client (the server-side proxy should of course not required any authorization).
Let me know if you come up with some other way!
Eitan

Use custom JAAS LoginModule without UME - possible?

Hi all,
I want to deploy an application that internally makes use of JAAS to authenticate users. There is a LoginModule that authenticates users against some database tables containing all the user data and profile. The application was not designed to be deployed to NetWeaver. So it does not make use of UME or some other NetWeaver specific feature. Actually it handles user management and authoroization issues completely on its own. The only reason for having JAAS is to allow customers to plug in their own LoginModule to use some other kind of user store.
When deploying the web application to a simple servlet engine like Tomcat, all I have to do is to register my LoginModule in the "jaas.conf" file that is parsed by JAAS default implementation. I also tell the JVM where my jaas.conf file is located by appending a "-Djava..." runtime parameter to the JVM startup script.
When using other application servers like IBM WebSphere things become a bit different. Normally you use the administration GUI of that server to configure your LoginModules. WebSphere for example keeps the login configuration in an internal database rather than writing everything into a "jaas.conf" text file. But the way the application can use the LoginModule is the same as in Tomcat.
But when it comes to Netweaver, it seems to me that it's not possible to define a LoginModule that your application can use WITHOUT having to couple it tightly to UME. Or did I get something wrong? Initially I've tried to modify the JVM's parameters (using SAP J2EE Config Tool) to include the location of my "jaas.conf" file containing the my login configuration. But that did not work. The parameter was really passed to the JVM but anyway my LoginModule was not found, I guess that NetWeaver has some own implementation of the JAAS interfaces that just ignore the plain text JAAS configuration files (like WebSphere also does).
The documentation that I have downloaded from SDN doesn't seem to match the 6.4 sneak preview version that I just downloaded some days ago. They say you should deploy your LoginModule as a library and add a refernce to the application. I tried that out but it did not help. The login configuration that the application wants to access is still not found. Actually there seems to be no way to specify the name for a JAAS Login Configuration in NetWeaver. At least I cound not find that in the documentation.
So basically my question is: is it possible to deploy an application that wants to use some own LoginModule (either deployed separately or together with the application, that does not matter) without making use of Netweaver specific features like UME? The application has its own user management infrastructure and just needs a way to setup a JAAS Login Configuration to access its own LoginModule.
Thanks for any reply
Henning

http://help.sap.com/saphelp_nw04s/helpdata/en/3f/1be040e136742ae10000000a155106/content.htm

JAAS LoginModule: how to getCurrentUser

Hallo there everyone!
I'm creating a custom LoginModule for the WLS 7.0 and I'm trying to get the username
from the user request. Something like in servlets/jsp request.getRemoteUser()
or in WLS 6.0 weblogic.security.acl.Security.getCurrentUser() would have done
the job I think (but it’s been deprecated in 7.0).
Is there a way of doing this from within the JAAS LoginModule?
Regards
Patrick

request.getRemoteUser() still works fine for me after I implented a custom
Autthenication / LoginModule.
"patrik" <[email protected]> wrote in message
news:[email protected]..
>
Yes, I have. see:
http://newsgroups.bea.com/cgi-bin/dnewsweb?cmd=article&group=weblogic.develo
per.interest.security&item=8553&utag=
>
But if you've managed to get out the information from it I'd be gratefulto know
how.
/Patrik
"Utpal" <[email protected]> wrote:
Have you tried weblogic.security.Security.getCurrentSubject() ??
-utpal

JAAS LoginModule - how do I get path, port, resource accessed, etc

Hi,
I checked everywhere including the forums, but could not get any info on this. I'm writing a custom JAAS LoginModule for the WebAS 6.40 server. I'm trying to figure out how to get the following out of the request from within login() or initialize() or any other method:
1. Name of the webserver (i.e. the WebAS server being accessed like www.mycompany.com)
2. Resource (e.g. /QuickCarRental)
3. Port through which the request comes in (e.g. 50000)
The URL being accessed in the above case is http://www.mycompany.com:50000/QuickCarRental
Appreciate your help, and points will be awarded. Have a nice day
R Abraham

This is only available for NetWeaver Portal, not NetWeaver Application Server(WebAS). host and port can be obtained using the following code:
               Callback[] callbacks = new Callback[3];
               callbacks[0] = new NameCallback("UserId: ");
               callbacks[1] = new PasswordCallback("Password: ", false);
               // get host name and port
               HttpGetterCallback getterCallback = new HttpGetterCallback();
               getterCallback.setType(HttpCallback.HEADER);
               getterCallback.setName("Host");
               callbacks[2] = getterCallback;
               try {
                    callbackHandler.handle(callbacks);
               } catch (Exception ex) {
                    throw new LoginException(ex + "");
               Object retValue = ((HttpGetterCallback)callbacks[2]).getValue(); //get host
host and port will be returned in the following format SERVER.COMPANY.COM:50000
Currently WebAS is not able to return the resource as per SAP development.

JAAS LoginModule - how do I get the "JSessionId"

Hi,
is there any possibility to get the JSessionId from a custom JAAS LoginModule for the WebAS 6.40 Server.
My first attempt was to read the JSESSIONID-Cookie from the Http-Request via the HttpGetterCallback-Class.
((HttpGetterCallback) callbacks[1]).setType(HttpCallback.COOKIE);
((HttpGetterCallback) callbacks[1]).setName("JSESSIONID");
It worked well, till I noticed that sometimes the JSessionId-Cookie doesn't exist.
The reason is, that the JSession-Cookie was set after the http-request has passed my login-modul.
So, if I got a cookie-value, it sometimes was the JSessionID from an earlier session.
So, my question:
Is there any other posibility to get the JSessionId?
If there is a way to get the ServletRequest-instance, I could reach the SessionId via "HttpServletRequest.getSession()".
Any idea? Any hints?
Regards
Steffen Spahr

This is only available for NetWeaver Portal, not NetWeaver Application Server(WebAS). host and port can be obtained using the following code:
               Callback[] callbacks = new Callback[3];
               callbacks[0] = new NameCallback("UserId: ");
               callbacks[1] = new PasswordCallback("Password: ", false);
               // get host name and port
               HttpGetterCallback getterCallback = new HttpGetterCallback();
               getterCallback.setType(HttpCallback.HEADER);
               getterCallback.setName("Host");
               callbacks[2] = getterCallback;
               try {
                    callbackHandler.handle(callbacks);
               } catch (Exception ex) {
                    throw new LoginException(ex + "");
               Object retValue = ((HttpGetterCallback)callbacks[2]).getValue(); //get host
host and port will be returned in the following format SERVER.COMPANY.COM:50000
Currently WebAS is not able to return the resource as per SAP development.

JAAS LoginModule sample

Is there a sample on how to develop a custom JAAS LoginModule that uses Identity Server?

I also want the similar sample, If some has worked with it then please help us ...
Thanx
Yasir Khan

JAAS/NT hackable problem...

Trying to develop a "fat client" to pass a Subject to the middle tier. Would somebody mind telling me how NTLoginModule is useful? Might be missing something obvious, but it is incredibly easy for somebody to re-write the pertinant "NT" classes to populate a Subject w/ false information. For instance, the NTUserPrincipal class has a method "getName()". I simply returned a bogus string, compiled, and added it to rt.jar and it worked - returned my bogus string instead of my login! Likewise, I was hoping that my server would come up w/ a "magic number" exception when the serialversionUID didn't match up, but alas, it's right there in the source, dammit.
This leaves me thinking a couple things: a) these classes are merely examples that should NOT be used. b) Sun really dropped the ball. c) I'm missing some kind of attribute that absolutely guarantees what the client sent over the wire is the class my server is expecting - ala the binary serialversionUID generated compile time.
To re-iterate, I'm trying to authenticate a user via "fat client" that passes the JAAS Subject to the middle tier.

Trying to develop a "fat client" to pass a Subject to
the middle tier. Would somebody mind telling me how
NTLoginModule is useful? Might be missing something
obvious, but it is incredibly easy for somebody to
re-write the pertinant "NT" classes to populate a
Subject w/ false information. For instance, the
NTUserPrincipal class has a method "getName()". I
simply returned a bogus string, compiled, and added it
to rt.jar and it worked - returned my bogus string
instead of my login! A similar concern, although more abstract, has been discussed on http://forum.java.sun.com/thread.jsp?forum=60&thread=519134
Actually, there is even an easier approach to fake a login that does not even require to change rt.jar - implement your own dummy login module that creates and adds a regular NTUserPrincipal to the Subject, and register this module instead of the NTLoginModule in the login config.
This leaves me thinking a couple things: a) these
classes are merely examples that should NOT be used.
b) Sun really dropped the ball. c) I'm missing some
kind of attribute that absolutely guarantees what the
client sent over the wire is the class my server is
expecting - ala the binary serialversionUID generated
compile time.JAAS is designed for login to a local client, and from its concepts seems to assume that key files (like rt.jar in your case, or the login config in my case) are protected accordingly, i.e. the app user does not have admin privilidges on his system. Like you, I was hoping for some way to be able to validate that the Subject and its associated Principals were created "correctly"...
To re-iterate, I'm trying to authenticate a user via
"fat client" that passes the JAAS Subject to the
middle tier.Had the same problem, and found two/three possible approaches, depending on your requirements:
- use a trusted third party that allows the middle tier to validate the subject, or validate that the client has correctly authenticated the user - the JRE currently provides Kerberos support, in my first approach, the middle-tier would have to use the user's ticket (passed from the client) and validate it with the KDC, the mostly cited approach is the combination of JAAS and J-GSS for Kerberos, which requires both the server/middle tier and the client (user) to authenticate against the KDC, and use their login contexts to establish a secure connection. This, however, does in both cases require a Kerberos deployment wtih a KDC, which may be a pretty hefty prerequiste for your application (AD implements Kerberos also)
- if you don't trust the client, then have it only do what it needs to do: obtaining the credentials from the user, and have the middle-tier do the critical part: authentication using the provided credentials. Linking this to JAAS: the client has the CallbackHandler that answers callback requests, the middle-tier has the actual LoginContext with its config file and authenticates using LoginModules. Since this involves a remote connection, you need to implement proxies for the LoginContext and the CallbackHandler, i.e. the client code does not create a LoginContext, but your LCProxy, and registers its CallbackHandler with the proxy - the LC proxy talks to its counterpart on the middle-tier, which creates the real LoginContext (which in turn loads the configured modules). The middle-tier part of the proxy needs to implement the CallbackHandler interface, such that it gets the callback requests from the modules and can pass them to the client-side of the proxy, which passes the callbacks to the real CallbackHandler of the client. The CallbackHandler answers the callbacks and sends them back via the proxy to the middle-tier proxy CallbackHandler, which passes them to the module, which authenticates the user, etc.
Note - with this approach, you pass the user's credentials over the net, thus you need to have this connection encrypted, e.g. through SSL!
Also, this approach obviously only works for modules that are callback based (LDAP, etc.), not for modules like the NTLoginModule, which just checks for the user that started the JVM, using some native Windows calls. If you need the latter, and following the approach of separating callback handling an authentication module, simply implement a special callback (e.g. OSUserCallback), and a basic login module that asks for this OSUserCallback; then you can configure on the middle-tier to use this module, and have the callback sent to the client - which, unfortunately, would have to implement a handler for your non-standard callback, but which is not a big burden.
Hope this helps, good luck!

Multiple JAAS LoginModules: WL6.1 always calls default ServerLoginModule?

Hello All,
I'm trying to implement a set of custom LoginModule(s) to authenticate
a user (an "application user", not a Weblogic admin). From a JSP login
page, the app calls a Servlet that calls LoginContext("myLogin",
myCallbackHandler).login(). I have also create a custom
Callback/CallbackHandler (since the parameters are passed as HTTP
parameters) and added the required parameters in lib\server.policy:
myLogin {
com.andrej.myLoginModule required;
The problem is that it looks like WL always calls the default
LoginModule (ServerPolicy from the lib\server.policy file) even if it
doesn't correspond to "myLogin". Of course, my app crashes
miserably... :)
Two questions:
- is the above normal? Am I missing something of JAAS?
- am I following the right path i.e. can I use a custom LoginModule to
authenticate an application user via an entity EJB so that the
successive calls are then associated to the proper Subject/Principal?
Or can I only use a LoginModule to authenticate a Weblogic server
user?
Thank you in advance!
Andrej
PS: if possible, I'd like to avoid using Weblogic-specific classes. :)

You must specify two properties:
weblogic.security.jaas.Configuration - your implementation of Configuration
class
weblogic.security.jaas.Policy - jaas config file location
For example:
System.setProperty("weblogic.security.jaas.Configuration",
"examples.security.jaas.SampleConfig");
System.setProperty("weblogic.security.jaas.Policy",
"C:/Sample.policy");
"Andrej" <[email protected]> wrote in message
news:[email protected]..
Hello All,
I'm trying to implement a set of custom LoginModule(s) to authenticate
a user (an "application user", not a Weblogic admin). From a JSP login
page, the app calls a Servlet that calls LoginContext("myLogin",
myCallbackHandler).login(). I have also create a custom
Callback/CallbackHandler (since the parameters are passed as HTTP
parameters) and added the required parameters in lib\server.policy:
myLogin {
com.andrej.myLoginModule required;
The problem is that it looks like WL always calls the default
LoginModule (ServerPolicy from the lib\server.policy file) even if it
doesn't correspond to "myLogin". Of course, my app crashes
miserably... :)
Two questions:
- is the above normal? Am I missing something of JAAS?
- am I following the right path i.e. can I use a custom LoginModule to
authenticate an application user via an entity EJB so that the
successive calls are then associated to the proper Subject/Principal?
Or can I only use a LoginModule to authenticate a Weblogic server
user?
Thank you in advance!
Andrej
PS: if possible, I'd like to avoid using Weblogic-specific classes. :)

Expired Password Custom JAAS LoginModule

Hello,
We need to be able to determine how long till a user's password expires. We are authenticating with ldap / Microsoft AD. We have attempted to create a jaas login module which causes the login to to be forwarded to the changePasswordPage.jsp unsuccessfully. How can we implement so that if the password is expired the changePassword.jsp is shown? Do we need to write the LoginComponent from scratch or is there another way?
Thanks in Advance

Hi Matthew,
Did you solve the problem when the users password expires? We're experiencing the same problem!
Thanks,
Joachim

New GL implemented, problems in F.01 and trail balance report and balance carry forward.

Dear Friends,
One of the my client recently implemented New GL in the Dev system, and getting posted the documents. now we are facing the many problems in the Dev system.
1. F.01 Financial statement report not generating for the year 2008 to till 2014 fiscal years.
2. the same in trail balance also not generating data form the year 2008 to till 2014 fiscal years.
3.system is asking the carry forward the balances form the 2008 to till, when we try to carry forward the 2008 year amount only forwarding for the all the fiscal year, not adding the other balances.
i went through some forums and i did the some analysis on this, after implementing new GL the table GLT0 was desble, data was not updated in the GLT0 all the data has been moved to FAGLFLEXT table. later i activated the table GLT0 and able to storing the data both the tables.
now i want to see the all my privious year report in the DEV system. all the data is there in the tables expect GLT0. how can i recover reports as well as how can i do the carry forward balances?
even still i have not carry forward for the 2014 balances, those balances also not there in the reports? but data is there in the table.
Please help me on this.
Regards,
Krish

Hello,
balance carry forward is done with TCd.
FAGLGVTR
when you are on SAP nGL.
any further quesitions?
By the way why don´t you do searching?
all the best erwin

Could not resolve x to a component implementation problem

Hi,
I have run an example. The code is listed below:
[CODE]
package com.mydomain.components
import mx.controls.Label;
public class CircleLabel extends Label {
public var circleColor:uint = 0x000000;
public function CircleLabel(){
super();
override protected function
updateDisplayList(unscaledWidth:Number, unscaledHeight:Number):void
super.updateDisplayList(unscaledWidth, unscaledHeight);
// Draw a circle around the label text
graphics.lineStyle(1, this.circleColor, 1.0);
graphics.drawEllipse(-5,-5,this.width+10,this.height+10);
[/CODE]
[CODE]
<?xml version="1.0" encoding="utf-8"?>
<mx:Application
xmlns:mx="
http://www.adobe.com/2006/mxml"
xmlns:comps="com.mydomain.components.*"
backgroundColor="#FFFFFF" >
<mx:Panel title="CircleLabel Component" width="500"
height="90"
paddingTop="10" paddingLeft="10" paddingRight="10"
paddingBottom="10"
layout="horizontal">
<comps:CircleLabel text="Black Circle Label"
circleColor="0x000000" />
<mx:Spacer width="20" />
<comps:CircleLabel text="Red Circle Label"
circleColor="0xFF0000" />
</mx:Panel>
</mx:Application>
[/CODE]
I am using Flex Builder 2.0.1. These file are put in the same
Flex project and in the same folder. When I compilled them, there
was an error: Could not resolve <comps:CircleLabel> to a
component implementation.
Please help me to solve this problem.
Thank in advance,
Duc

to be more clear CircleLabel component should be under
com/mydomain/components cirectory

JAAS loginModule implementation problems

Similar Messages

Maybe you are looking for