JAAS/NT hackable problem...
Trying to develop a "fat client" to pass a Subject to the middle tier. Would somebody mind telling me how NTLoginModule is useful? Might be missing something obvious, but it is incredibly easy for somebody to re-write the pertinent "NT" classes to populate a Subject w/ false information. For instance, the NTUserPrincipal class has a method "getName()". I simply returned a bogus string, compiled, and added it to rt.jar and it worked - returned my bogus string instead of my login! Likewise, I was hoping that my server would come up w/ a "magic number" exception when the serialVersionUID didn't match up, but alas, it's right there in the source, dammit.
This leaves me thinking a couple of things: a) these classes are merely examples that should NOT be used. b) Sun really dropped the ball. c) I'm missing some kind of attribute that absolutely guarantees what the client sent over the wire is the class my server is expecting - à la the binary serialVersionUID generated at compile time.
To re-iterate, I'm trying to authenticate a user via "fat client" that passes the JAAS Subject to the middle tier.
> Trying to develop a "fat client" to pass a Subject to the middle tier. Would somebody mind telling me how NTLoginModule is useful? Might be missing something obvious, but it is incredibly easy for somebody to re-write the pertinent "NT" classes to populate a Subject w/ false information. For instance, the NTUserPrincipal class has a method "getName()". I simply returned a bogus string, compiled, and added it to rt.jar and it worked - returned my bogus string instead of my login!

A similar concern, although more abstract, has been discussed on http://forum.java.sun.com/thread.jsp?forum=60&thread=519134

Actually, there is an even easier approach to fake a login that does not even require changing rt.jar: implement your own dummy login module that creates and adds a regular NTUserPrincipal to the Subject, and register this module instead of the NTLoginModule in the login config.

> This leaves me thinking a couple of things: a) these classes are merely examples that should NOT be used. b) Sun really dropped the ball. c) I'm missing some kind of attribute that absolutely guarantees what the client sent over the wire is the class my server is expecting - à la the binary serialVersionUID generated at compile time.

JAAS is designed for login to a local client, and from its concepts seems to assume that key files (like rt.jar in your case, or the login config in my case) are protected accordingly, i.e. the app user does not have admin privileges on his system. Like you, I was hoping for some way to be able to validate that the Subject and its associated Principals were created "correctly"...

> To re-iterate, I'm trying to authenticate a user via "fat client" that passes the JAAS Subject to the middle tier.

Had the same problem, and found two/three possible approaches, depending on your requirements:
- use a trusted third party that allows the middle tier to validate the subject, or validate that the client has correctly authenticated the user. The JRE currently provides Kerberos support: in my first approach, the middle tier would have to use the user's ticket (passed from the client) and validate it with the KDC; the mostly cited approach is the combination of JAAS and J-GSS for Kerberos, which requires both the server/middle tier and the client (user) to authenticate against the KDC, and use their login contexts to establish a secure connection. This, however, does in both cases require a Kerberos deployment with a KDC, which may be a pretty hefty prerequisite for your application (AD implements Kerberos also).
- if you don't trust the client, then have it only do what it needs to do: obtaining the credentials from the user, and have the middle-tier do the critical part: authentication using the provided credentials. Linking this to JAAS: the client has the CallbackHandler that answers callback requests, the middle-tier has the actual LoginContext with its config file and authenticates using LoginModules. Since this involves a remote connection, you need to implement proxies for the LoginContext and the CallbackHandler, i.e. the client code does not create a LoginContext, but your LCProxy, and registers its CallbackHandler with the proxy - the LC proxy talks to its counterpart on the middle-tier, which creates the real LoginContext (which in turn loads the configured modules). The middle-tier part of the proxy needs to implement the CallbackHandler interface, such that it gets the callback requests from the modules and can pass them to the client-side of the proxy, which passes the callbacks to the real CallbackHandler of the client. The CallbackHandler answers the callbacks and sends them back via the proxy to the middle-tier proxy CallbackHandler, which passes them to the module, which authenticates the user, etc.
Note - with this approach, you pass the user's credentials over the net, thus you need to have this connection encrypted, e.g. through SSL!
Also, this approach obviously only works for modules that are callback-based (LDAP, etc.), not for modules like the NTLoginModule, which just checks for the user that started the JVM, using some native Windows calls. If you need the latter, and following the approach of separating callback handling and authentication module, simply implement a special callback (e.g. OSUserCallback), and a basic login module that asks for this OSUserCallback; then you can configure the middle tier to use this module, and have the callback sent to the client - which, unfortunately, would have to implement a handler for your non-standard callback, but which is not a big burden.
Hope this helps, good luck!
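The proxy split described in the second approach above, as an added example that is not part of the original thread: the middle tier owns the LoginContext and the module configuration, and only callbacks travel to the client, so the Subject and its Principals are minted server-side and the client never hands over a Subject of its own making. ClientLink, RelayingCallbackHandler, InlineConfiguration, DemoPasswordLoginModule and the "alice" user entry are assumptions made up for this demo (Java 16+); the module stands in for a real callback-based backend such as LDAP.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class MiddleTierLoginDemo {

    /** Hypothetical transport: ships unanswered callbacks to the client and returns them filled in (TLS in real life). */
    interface ClientLink {
        Callback[] exchange(Callback[] callbacks) throws IOException, UnsupportedCallbackException;
    }

    /** Middle-tier half of the proxy: handed to the real LoginContext, it relays each callback batch to the client. */
    static class RelayingCallbackHandler implements CallbackHandler {
        private final ClientLink link;
        RelayingCallbackHandler(ClientLink link) { this.link = link; }

        @Override public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            Callback[] answered = link.exchange(callbacks);
            for (int i = 0; i < callbacks.length; i++) {   // copy the client's answers into the module's own objects
                if (callbacks[i] instanceof NameCallback) {
                    ((NameCallback) callbacks[i]).setName(((NameCallback) answered[i]).getName());
                } else if (callbacks[i] instanceof PasswordCallback) {
                    ((PasswordCallback) callbacks[i]).setPassword(((PasswordCallback) answered[i]).getPassword());
                } else {
                    throw new UnsupportedCallbackException(callbacks[i], "callback type not relayed");
                }
            }
        }
    }

    /** Principal minted by the server-side module after a successful login; the client never constructs one. */
    record UserPrincipal(String name) implements Principal { @Override public String getName() { return name; } }

    /** Demo module standing in for a real backend (LDAP etc.). User table is constructed; hash is unsalted for brevity. */
    public static class DemoPasswordLoginModule implements LoginModule {
        private static final Map<String, byte[]> USERS = Map.of("alice", sha256("correct horse battery staple"));
        private Subject subject;
        private CallbackHandler handler;
        private String user;

        @Override public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
            subject = s; handler = h;
        }

        @Override public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try {
                handler.handle(new Callback[] { nc, pc });   // travels through the proxy to the client's handler
            } catch (IOException | UnsupportedCallbackException e) {
                throw new LoginException("callback relay failed: " + e.getMessage());
            }
            char[] pw = pc.getPassword();
            pc.clearPassword();
            String name = nc.getName();
            byte[] expected = name == null ? null : USERS.get(name);   // Map.of rejects null keys
            byte[] actual = sha256(pw == null ? "" : new String(pw));
            if (pw != null) Arrays.fill(pw, '\0');
            if (expected == null || !MessageDigest.isEqual(expected, actual)) {   // constant-time comparison
                throw new FailedLoginException("bad user or password");
            }
            user = name;
            return true;
        }

        @Override public boolean commit() {
            if (user != null) subject.getPrincipals().add(new UserPrincipal(user));
            return user != null;
        }
        @Override public boolean abort() { user = null; return true; }
        @Override public boolean logout() { subject.getPrincipals().removeIf(p -> p instanceof UserPrincipal); return true; }
    }

    /** In-code equivalent of a one-entry login.conf: MiddleTier { DemoPasswordLoginModule required; }; */
    static class InlineConfiguration extends Configuration {
        @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            return new AppConfigurationEntry[] { new AppConfigurationEntry(DemoPasswordLoginModule.class.getName(),
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Collections.emptyMap()) };
        }
    }

    static byte[] sha256(String s) {
        try { return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8)); }
        catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }

    public static void main(String[] args) throws LoginException {
        // Client side, in-process for the demo; a real fat client would prompt the user and answer over the wire.
        CallbackHandler clientHandler = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName("alice");
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword("correct horse battery staple".toCharArray());
                else throw new UnsupportedCallbackException(cb);
            }
        };
        ClientLink link = callbacks -> { clientHandler.handle(callbacks); return callbacks; };
        // Middle tier: owns the LoginContext and the module configuration, so the Subject is built server-side.
        Subject subject = new Subject();
        LoginContext lc = new LoginContext("MiddleTier", subject, new RelayingCallbackHandler(link), new InlineConfiguration());
        lc.login();
        System.out.println("server-side principals: " + subject.getPrincipals());
    }
}
```

Wrong credentials surface as a FailedLoginException from lc.login() and the Subject stays empty; the in-process ClientLink is where a real deployment would put its TLS-protected transport.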
Similar Messages
-
JAAS loginModule implementation problems
I am playing with the JAAS Login Modules for WebAS 6.40. Using EP 6 on WebAS 6.40 SP9 - installed using RI 2.0.
I have been able to get the login module executing - however am receiving the following error:
...#/System/Security/Audit#Plain###vand | LOGIN.ERROR | NONE = null | | Login Method=[myTestLoginModule], UserID=[vand], IP Address=[127.0.0.1], Reason=[Call logout before login!]#
Once the permission check fails (above), it uses the j2ee_guest and gets an "access denied" error.
Any suggestions would be appreciated.
Peter Vanderwyst
Hi Peter,
have you found a solution for this issue? Actually I'm running in the same error.
Cheers
Lars
-
Jaas tagish library problem.
Hello all,
I am using tagish library in my application to authenticate windows users. I have no problem in doing so for admin users, but for non-admin users i am getting an error as follows
javax.security.auth.login.FailedLoginException: Authentication failed
at com.tagish.auth.win32.NTSystem.logon(Native Method)
Anybody please let me know how to authenticate non-admin users.
Thanks,
Bhaskaran
I'm using the latest and greatest, 10.1.3.2 & embedded oc4j. I see your point though, it'll redirect you to the page you requested vs. the welcome page list in web.xml? I believe it's reproducible, at least it happens every time in my case and my case is pretty simple.
The idea is to use a "secured" redirect page, that first authenticates you and then redirects you where you need to go, i.e. index.jspx from the adf faces sample. What exactly is the welcome page list for?
-
hello,
my scenario
EJB application, with JCA and JAAS.
My problem is that I'm not able to read the config file. Where do I have to copy the .conf file so that my application finds that file?
System.setProperty("java.security.auth.login.config", "demo.conf");
kind regards
Johannes
Hello!
I've done the following tasks:
Searched for jazn-data.xml file of OC4J-installation.
Added information of jaas.conf-file to a new entry of application.
e.g.
TestJaas { com.sun.security.auth.module.Krb5LoginModule required debug=false useTicketCache=false; };
<application>
    <name>TestJaas</name>
    <login-modules>
        <login-module>
            <class>com.sun.security.auth.module.Krb5LoginModule</class>
            <control-flag>required</control-flag>
            <options>
                <!-- one <option> element per name/value pair -->
                <option>
                    <name>debug</name>
                    <value>false</value>
                </option>
                <option>
                    <name>useTicketCache</name>
                    <value>false</value>
                </option>
            </options>
        </login-module>
    </login-modules>
</application>
It should work.
regards
Harald.
-
JAAS without a Security Manager
Can I get JAAS authentication and authorization without using a security manager? The reason I'm asking is I've built an ACL system using JAAS permissions and it appears to work even if I don't specify a security manager (only command line options are -Djava.security.policy=policy.conf -Djava.security.auth.login.config=login.conf)
All examples and documents I've been able to find have always included a security manager (-Djava.security.manager) so I was surprised to find that my system works without specifying one.
-d
Hello,
Just got a question for you. I've noticed in one of your postings that you implemented a permissions framework that reads the settings from a database? I was wondering how you went about it.
We are struggling with a security design we'd like to setup: we got a menuing system that allows a user to start some functionality if he has access to that. Now we want to augment that with more functional permissions instead of just access. We got the JAAS authentication setup; problem remains where to implement the check/read from the DB if a user has which permissions on a function.
thanks for any info on this!
Wim Van Leuven.
-
Problem removing sample app JAAS from appServer 8
Running JSC 2.1 and packaged appserver 8.x with latest JSC updates
on windows XP SP2
Problem undeploying the JAAS sample application which shows up within the appserv admin console but does not show up from the JSC "Deployment Server" panel:
The application is not displayed within the "Deployment Server - Deployed Components" "panel" within Creator 2.1
How can I remove this application from the Application server 8 manually?
From the server log display with Creator 2.1
init:
deps-module-jar:
deps-ear-jar:
deps-jar:
library-inclusion-in-archive:
library-inclusion-in-manifest:
Compiling 1 source file to C:\Documents and Settings\gwheeler\My Documents\Creator\Projects\JAASAuthentication\build\web\WEB-INF\classes
compile:
compile-jsps:
pluto-hack-web-xml-run:
portlet-container-deploy:
jsCreatorDist:
run-deploy:
In-place deployment at C:\Documents and Settings\gwheeler\My Documents\Creator\Projects\JAASAuthentication\build\web
Start registering the project's server resources
Finished registering server resources
Application JAASAuthentication is already deployed on other targets. Please use create-application-ref command to create reference to the specified target; requested operation cannot be completed
deployment started : 0%
Application JAASAuthentication is already deployed on other targets. Please use create-application-ref command to create reference to the specified target; requested operation cannot be completed
deployment started : 0%
Deployment of application failed - null; requested operation cannot be completed
From "Web Application" within the Application Server Admin Console:
A "com.sun.enterprise.tools.guiframework.exception.FrameworkException" was caught. The message from the exception: "Unabled to handle pre-compiled JSP '/jsp/webApplicationsEdit.jsp'. Expected pre-compiled classname: 'org.apache.jsp.jsp.webApplicationsEdit_jsp'."
The root cause is "com.sun.enterprise.admin.common.exception.MBeanConfigException: Component not registered"
See the HTML source for more detailed (stack trace) information.
Thanks
Hi!
Try this:
1) Stop the Application Server
2) Go into $Server_Dir/domains/<domain_name>/config/ and edit domain.xml.
3) Find all the elements referring to your application and delete them.
4) Try to deploy again.
I hope it helps.
Thanks,
Roman.
-
JAAS + VPD with BC4J problem
Following the instructions in http://otn.oracle.com/products/jdev/howtos/bc4j/bc4jvpdjaas.html, we set up a vpd+jazn-data.xml application according to which users see portions of the database.
In development with only one JAAS user created, this appeared to work properly.
In testing with several JAAS users created, we have discovered that the application username, as known to the Application Module, will drift in and out of sync with the setting in the database context. In other words
ApplicationModuleImpl.getUserPrincipalName()
remains correct, but
"select context_pkg.get_ctx_appuser from dual" in BC4J/JSP
varies.
Or, for example, one login as user1 sees user2's data, but not the data he is supposed to see.
Please help!!!!
Hi,
Is your client app a JSP? How do you start each session? Do you have settings on SessionCookie state? Could you create a small test case? A test case will greatly help me diagnose the problem. BTW, the application user context gets set/reset only after a new transaction since it is in afterConnect().
Thanks,
Yvonne
-
Hey all,
I've got problems when I want to use JAAS in a Struts application (with BC4J). In JDev 9.0.3 everything was working perfectly. At the end you will find the message I get. For my colleague who uses JAAS without BC4J, everything is working fine. Can anybody give me a hint?
IMHO my configuration is correct.
This is a snip of my java.security (located in D:/oracle/jdev10g/jdk/jre/lib/security):
# Default login configuration file
#login.config.url.1=file:${user.home}/.java.login.config
login.config.url.1=file:D:/oracle/jdev10g/jdk/jre/lib/security/tagish.login
This is a snip of my tagish.login (located in D:/oracle/jdev10g/jdk/jre/lib/security)
FileLogin {
    com.tagish.auth.FileLogin required debug=true pwdFile="D:${/}oracle${/}jdev10g${/}jdk${/}jre${/}lib${/}security${/}passwd.txt";
};
This is a snip of my passwd.txt (located in D:/oracle/jdev10g/jdk/jre/lib/security)
# Passwords for com.tagish.auth.FileLogin
# login admin; password admin
# login docent; password docent
admin:21232f297a57a5a743894a0e4a801fc3:administrator:docent
docent:281ab35f26dc0a6d9dab6fd4fbc304fc:docent
Here is the error stacktrace I get:
03/12/10 16:26:12 javax.security.auth.login.LoginException: No LoginModules configured for FileLogin
03/12/10 16:26:12 at javax.security.auth.login.LoginContext.init(LoginContext.java:189)
03/12/10 16:26:12 at javax.security.auth.login.LoginContext.<init>(LoginContext.java:404)
03/12/10 16:26:12 at view.checkLogin.execute(checkLogin.java:40)
03/12/10 16:26:12 at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:484)
03/12/10 16:26:12 at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:274)
03/12/10 16:26:12 at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1485)
03/12/10 16:26:12 at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:509)
03/12/10 16:26:12 at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
03/12/10 16:26:12 at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
03/12/10 16:26:12 at com.evermind.server.http.ResourceFilterChain.doFilter(ResourceFilterChain.java:65)
03/12/10 16:26:12 at oracle.security.jazn.oc4j.JAZNFilter.doFilter(JAZNFilter.java:356)
03/12/10 16:26:12 at com.evermind.server.http.EvermindFilterChain.doFilter(EvermindFilterChain.java:16)
03/12/10 16:26:12 at oracle.adf.model.servlet.ADFBindingFilter.doFilter(ADFBindingFilter.java:148)
03/12/10 16:26:12 at com.evermind.server.http.EvermindFilterChain.doFilter(EvermindFilterChain.java:20)
03/12/10 16:26:12 at oracle.adf.model.servlet.ADFBindingFilter.doFilter(ADFBindingFilter.java:148)
03/12/10 16:26:12 at com.evermind.server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java:610)
03/12/10 16:26:12 at com.evermind.server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java:317)
03/12/10 16:26:12 at com.evermind.server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:784)
03/12/10 16:26:12 at com.evermind.server.http.HttpRequestHandler.run(HttpRequestHandler.java:270)
03/12/10 16:26:12 at com.evermind.server.http.HttpRequestHandler.run(HttpRequestHandler.java:112)
03/12/10 16:26:12 at com.evermind.util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java:192)
03/12/10 16:26:12 at java.lang.Thread.run(Thread.java:536)
Hi.
I have the same problem with my custom usermanager for ias90401 solaris 2.9 but I am not sure where to add those 3 lines of code. What do you mean by "a Listener"?
javax.security.auth.login.Configuration config = new com.sun.security.auth.login.ConfigFile();
config.refresh();
javax.security.auth.login.Configuration.setConfiguration(config);
My deployment failed when I added it as a static block or in the init of my usermanager class which extends com.evermind.security.AbstractUserManager.
Thx.
Ken
ADMN-300075
Nested exception
Base Exception:
java.rmi.RemoteException:deploy failed!: ; nested exception is:
oracle.oc4j.admin.internal.DeployerException: Error initializing userManager 'ca.bc.gov.srm.mjf.security.jaas.orion.JAASUserManager': java.lang.ExceptionInInitializerError (null)
java.rmi.RemoteException: deploy failed!: ; nested exception is:
oracle.oc4j.admin.internal.DeployerException: Error initializing userManager 'ca.bc.gov.srm.mjf.security.jaas.orion.JAASUserManager': java.lang.ExceptionInInitializerError (null)
at com.evermind.server.rmi.RMIConnection.EXCEPTION_ORIGINATES_FROM_THE_REMOTE_SERVER(RMIConnection.java:1520)
at com.evermind.server.rmi.RMIConnection.invokeMethod(RMIConnection.java:1473)
at com.evermind.server.rmi.RemoteInvocationHandler.invoke(RemoteInvocationHandler.java:55)
at com.evermind.server.rmi.RecoverableRemoteInvocationHandler.invoke(RecoverableRemoteInvocationHandler.java:22)
at __Proxy0.deploy(Unknown Source)
at oracle.ias.sysmgmt.deployment.j2ee.runtime.LocalDeploy.deployOnSingleInstance(Unknown Source)
at oracle.ias.sysmgmt.deployment.j2ee.runtime.LocalDeploy.doExecute(Unknown Source)
at oracle.ias.sysmgmt.deployment.j2ee.runtime.RuntimeIf.execute(Unknown Source)
at oracle.ias.sysmgmt.deployment.j2ee.adapter.DeploymentAdapter.doEvaluateDeploy(Unknown Source)
at oracle.ias.sysmgmt.deployment.j2ee.adapter.DeploymentAdapter.evaluate(Unknown Source)
at oracle.ias.sysmgmt.task.TaskMaster.sync_evaluate(Unknown Source)
at oracle.ias.sysmgmt.task.TaskMaster.internal_evaluate(Unknown Source)
at oracle.ias.sysmgmt.task.RemoteEvaluate.execCommand(Unknown Source)
at oracle.ias.sysmgmt.task.DaemonWorker.run(Unknown Source)
Caused by: oracle.oc4j.admin.internal.DeployerException: Error initializing userManager 'ca.bc.gov.srm.mjf.security.jaas.orion.JAASUserManager': java.lang.ExceptionInInitializerError (null)
at oracle.oc4j.admin.internal.DeployerBase.execute(DeployerBase.java:91)
at com.evermind.server.administration.DefaultApplicationServerAdministrator.internalDeploy(DefaultApplicationServerAdministrator.java:378)
at com.evermind.server.administration.DefaultApplicationServerAdministrator.deploy(DefaultApplicationServerAdministrator.java:305)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:324)
at com.evermind.server.rmi.RMICallHandler.run(RMICallHandler.java:124)
at com.evermind.server.rmi.RMICallHandler.run(RMICallHandler.java:48)
at com.evermind.util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java:192)
at java.lang.Thread.run(Thread.java:536)
-
Problem with JAAS authentication using jboss client
I'm trying to make a little compiled application work. It has two parts: a little client (one class) and a server part which runs on a jboss server, and they communicate between them using JAAS + SSL. It works perfectly alone if I run it in a java project, without the messing sap JAAS implementation.
I followed all the steps in:
https://websmp101.sap-ag.de/~sapidb/011000358700003517632004E.PDF
and managed to apply the configuration into the security service of WAS, using jboss-client.jar as the library with the login module, and org.jboss.security.ClientLoginModule as the login module.
I included the client class into a web service developed for my WAS, packing the class and its library plus jboss-client.jar into my EAR.
But when it tries to do the authentication, sometimes it uses:
org.jboss.security.ClientLoginModule (that's the correct class) but throws a "User is locked" exception.
Do I need to create the user who I use to connect to jboss in my WAS UME? This doesn't make much sense. Anyway, it doesn't work either, and the user is not locked.
Other times (without changing anything) it uses:
com.sap.engine.system.SystemLoginModule and throws this exception:
com.sap.engine.services.security.exceptions.BaseLoginException: Call logout before login
I have nightmares trying to integrate things which work in every application server but WAS. Why couldn't they simply follow the standard!?
I'm thinking of installing a tomcat with the client, and using axis to wrap it with a web service I can consume from my WAS. Not a very elegant solution.
I think it maybe has something to do with specific callback classes from the sap implementation.
Any idea? I can't go forward.
Did you resolve this problem? Please let me know. I have the same issue now and don't know what I should be doing next
-
Problems with JAAS setup in WL 8.1 SP3
Hi all,
I have WL 8.1 SP3 installed on a XP Prof box with JDK 1.4.2
I have an application that makes use of the JAAS. I keep getting the following error
javax.security.auth.login.LoginException: No LoginModules configured for <XXXXXX>
at javax.security.auth.login.LoginContext.init(LoginContext.java:189)
at javax.security.auth.login.LoginContext.<init>(LoginContext.java:350)
at javax.security.auth.login.LoginContext.<init>(LoginContext.java:465)
I know that this means that it couldn't find the login modules defined in the configuration file. But I have it defined there. The following is what I am doing
1. I have the startWebLogic.cmd as below.
%JAVA_HOME%\bin\java %JAVA_VM% %MEM_ARGS% %JAVA_OPTIONS% -Dweblogic.Name=%SERVER_NAME% -Dweblogic.ProductionModeEnabled=%PRODUCTION_MODE% -Djava.security.policy=%JAVA_HOME%\jre\lib\security\java.policy weblogic.Server
2. In the Java policy file located in the security folder of the JDK home, I changed the security file to point to the config file as below
login.config.url.1=file:${JAVA_HOME}/jre/lib/security/jaas.conf
Can someone suggest me a solution ?
Thanks
meka toka
Did you ever find a solution to this?
I am having the same problem.
-
Problems deploying custom JAAS login module (ClassNotFound)
Hi,
I've developed a custom made JAAS login module that filters on IP addresses which I am moving from 6.20 to 6.40.
I've pretty much followed the procedures from http://help.sap.com/saphelp_nw04/helpdata/de/46/3ce9402f3f8031e10000000a1550b0/content.htm , the only major difference is that I needed a reference to WebCallback and therefore a reference to com.sap.security.api.sda from my library project.
I've especially followed the step with "Adding a Reference to the Classloader of the Security Provider" (http://help.sap.com/saphelp_nw04/helpdata/de/2b/23e4407211732ae10000000a155106/content.htm), but I think it's this step that fails. This has been set to library:<library name>, where <library name> is what is written on the right hand side of visual admin under library. I see that the library is deployed under the folder bin\ext\customer.com~com.customer.portal.login.IPRuleLibrary, so maybe I will try that name tomorrow morning.
The exceptions I get are
#1.5#001321B3B106005C0000000800002E380004039375E59BA6#1129831779936#com.sap.engine.services.security#sap.com/irj#com.sap.engine.services.security#Guest#1####ae7c5500419411daa7fd001321b3b106#SAPEngine_Application_Thread[impl:3]_17##0#0#Error#1#/System/Audit#Java###Exception #1#com.sap.engine.services.security.exceptions.BaseSecurityException: Cannot load a login module.
at com.sap.engine.services.security.login.LoginContextFactory.init(LoginContextFactory.java:95)
at com.sap.engine.services.security.login.LoginContextFactory.getLoginContext(LoginContextFactory.java:133)
at com.sap.engine.services.security.server.AuthenticationContextImpl.getLoginContext(AuthenticationContextImpl.java:227)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:324)
at com.sap.engine.system.SystemLoginModule.initialize(SystemLoginModule.java:72)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:324)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:662)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.getLoggedInUser(SAPJ2EEAuthenticator.java:86)
at com.sapportals.portal.prt.service.authenticationservice.AuthenticationService.getLoggedInUser(AuthenticationService.java:305)
at com.sapportals.portal.prt.connection.UMHandler.handleUM(UMHandler.java:96)
at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:186)
at com.sapportals.portal.prt.dispatcher.Dispatcher$doService.run(Dispatcher.java:522)
at java.security.AccessController.doPrivileged(Native Method)
at com.sapportals.portal.prt.dispatcher.Dispatcher.service(Dispatcher.java:405)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet.service(InvokerServlet.java:156)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:295)
at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:351)
at com.sap.portal.navigation.Gateway.service(Gateway.java:68)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:390)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:264)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:347)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:325)
at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:887)
at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:241)
at com.sap.engine.services.httpserver.server.Client.handle(Client.java:92)
at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:148)
at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
at java.security.AccessController.doPrivileged(Native Method)
at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:95)
at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:159)
Caused by: java.lang.ClassNotFoundException: com.customer.portal.login.IPRuleLoginModule
Found in negative cache
- Loader Info -
ClassLoader name: [common:library:com.sap.security.api.sda;library:com.sap.security.core.sda;library:security.class;library:webservices_lib;service:adminadapter;service:basicadmin;service:com.sap.security.core.ume.service;service:configuration;service:connector;service:dbpool;service:deploy;service:jmx;service:jmx_notification;service:keystore;service:security;service:userstore]
Parent loader name: [Frame ClassLoader]
Loading model: {parent,local,references}
at com.sap.engine.frame.core.load.ReferencedLoader.loadClass(ReferencedLoader.java:348)
at com.sap.engine.services.security.Util.loadClass(Util.java:262)
at com.sap.engine.services.security.Util.loadClassFromAdditionalLoaders(Util.java:204)
at com.sap.engine.services.security.login.LoginContextFactory.init(LoginContextFactory.java:92)
... 45 more
#1.5#001321B3B106005C0000000900002E380004039375E5A109#1129831779936#com.sap.engine.services.security#sap.com/irj#com.sap.engine.services.security#Guest#1####ae7c5500419411daa7fd001321b3b106#SAPEngine_Application_Thread[impl:3]_17##0#0#Error##Java###Cannot load login module class .#1#com.customer.portal.login.IPRuleLoginModule#
Hi,
The problem was solved by using the name customer.com~com.customer.portal.login.IPRuleLibrary for the library (so basically look at the name of your library folder under cluster\j2ee\serverx\bin\ext, not the name reported by Visual Admin).
Also I was able to modify the properties of the login module at runtime, which made me very happy.
Dagfinn
Custom JAAS Login Module 9.0.4 configuration problems
Hello,
We have created a custom JAAS Login Module on OC4J 9.0.4 and are having some sort of configuration problem
We always get this error:
Caused by: javax.security.auth.login.LoginException: Login Failure: all modules ignored
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:779)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
at javax.security.auth.login.LoginContext.login(LoginContext.java:535)
The Login Module is configured for a specific deployed application in the global jazn-data.xml and is being run as I have attached a debugger to the app server.
Our authentication process succeeds and we return a "true" from the login() method. No exceptions are thrown from our Login Module.
Our ORACLE_HOME/j2ee/home/config/jazn-data.xml has this added:
<application>
<name>helloworld</name>
<login-modules>
<login-module>
<class>com.test.JaasLoginModule</class>
<control-flag>required</control-flag>
<options>
</options>
</login-module>
</login-modules>
</application>
The j2ee/home/application-deployments/helloworld/jazn-data.xml looks like this:
<?xml version="1.0" encoding="UTF-8" standalone='yes'?>
<!DOCTYPE jazn-data PUBLIC "JAZN-XML Data" "http://xmlns.oracle.com/ias/dtds/jazn-data.dtd">
<jazn-data />
and we added this into the j2ee/home/application-deployments/helloworld/orion-application.xml:
<jazn provider="XML" location="jazn-data.xml" >
<property name="role.mapping.dynamic" value="true"/>
<property name="custom.loginmodule.provider" value="true"/>
<property name="jaas.username.simple" value="true" />
</jazn>
Are we missing anything? Our code runs; it seems like there is something lacking in the configuration on the OC4J side of things.
Anyone know what we are missing?
Thanks....
Hi,
if you are on 9.0.4 then <property name="custom.loginmodule.provider" value="true"/> shouldn't work, because it's a parameter of 10.1.3
Frank
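What the message in the trace above means inside the JDK's own LoginContext (the class the stack trace points at): the login phase ends with "Login Failure: all modules ignored" only when every configured module's login() returned false. A module whose login() throws a LoginException makes LoginContext rethrow that exception instead, and a module that returns true counts as success, so with a module that really does return true this message cannot come from that module's run. The following is an added example, not the poster's module and not OC4J code: two hypothetical realm-bound modules run under a programmatic Configuration so all three outcomes can be reproduced with plain JDK classes, without jaas.conf or jazn-data.xml. The realm names corp.example and lab.example, the demo password "secret" and all class names are constructed for the example.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class IgnoredModulesDemo {

    /** Principal added on commit(); equals/hashCode matter because Subject keeps principals in a Set. */
    public static final class RealmPrincipal implements Principal {
        private final String name;
        public RealmPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) { return o instanceof RealmPrincipal && name.equals(((RealmPrincipal) o).name); }
        @Override public int hashCode() { return name.hashCode(); }
        @Override public String toString() { return name; }
    }

    /** Hypothetical module for one realm (option "realm"): a user outside it makes login() return false ("ignored");
     *  a wrong password throws, which LoginContext treats as a failure, not as ignored. */
    public static class RealmLoginModule implements LoginModule {
        private Subject subject;
        private CallbackHandler handler;
        private String realm;
        private String user;             // set by login(), consumed by commit()
        private RealmPrincipal principal;

        @Override public void initialize(Subject subject, CallbackHandler handler, Map<String, ?> shared, Map<String, ?> options) {
            this.subject = subject; this.handler = handler; this.realm = String.valueOf(options.get("realm"));
        }

        @Override public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try { handler.handle(new Callback[] { nc, pc }); }
            catch (IOException | UnsupportedCallbackException e) { throw new LoginException("callback failed: " + e); }
            String name = nc.getName();
            char[] pw = pc.getPassword();
            pc.clearPassword();
            if (name == null || !name.endsWith("@" + realm)) return false;        // not our user: ignored, not failed
            boolean ok = pw != null && Arrays.equals(pw, "secret".toCharArray()); // constructed credential check
            if (pw != null) Arrays.fill(pw, '\0');
            if (!ok) throw new LoginException("bad password for " + name);       // failure: LoginContext rethrows this
            user = name;
            return true;
        }

        @Override public boolean commit() {
            if (user == null) return false;                 // login() ignored this user: nothing to commit
            principal = new RealmPrincipal(user);
            subject.getPrincipals().add(principal);
            return true;
        }

        @Override public boolean abort() { user = null; principal = null; return true; }

        @Override public boolean logout() {
            if (principal != null) subject.getPrincipals().remove(principal);
            user = null; principal = null; return true;
        }
    }

    /** In-memory Configuration: one REQUIRED RealmLoginModule per realm, so no config file is involved. */
    static Configuration configFor(final String... realms) {
        return new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String app) {
                AppConfigurationEntry[] entries = new AppConfigurationEntry[realms.length];
                for (int i = 0; i < realms.length; i++) {
                    Map<String, String> opts = new HashMap<>();
                    opts.put("realm", realms[i]);
                    entries[i] = new AppConfigurationEntry(RealmLoginModule.class.getName(), LoginModuleControlFlag.REQUIRED, opts);
                }
                return entries;
            }
        };
    }

    /** Runs one login with constructed credentials and returns the outcome as text. */
    static String attempt(final String user, final String password) {
        CallbackHandler h = callbacks -> {
            for (Callback c : callbacks) {
                if (c instanceof NameCallback) ((NameCallback) c).setName(user);
                else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword(password.toCharArray());
                else throw new UnsupportedCallbackException(c);
            }
        };
        try {
            LoginContext lc = new LoginContext("demo", new Subject(), h, configFor("corp.example", "lab.example"));
            lc.login();
            return "OK " + lc.getSubject().getPrincipals();
        } catch (LoginException e) {
            return "FAILED: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        System.out.println(attempt("alice@corp.example", "secret"));  // corp module handles it, lab module is ignored
        System.out.println(attempt("bob@other.example", "secret"));   // neither module claims bob: every module ignored
        System.out.println(attempt("alice@corp.example", "wrong"));   // corp module throws: that error, not "ignored"
    }
}
```

A real login module should keep the same distinction (return false for "not my user", throw for "my user, bad credentials"); if the container reports "all modules ignored" while the debugger shows login() returning true, check that the class the container instantiated for the application is the same one the debugger stopped in.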
Urgent: JAAS Login Module Deployment Problem
Hi,
I have developed a JAAS Login module for the portal (EP6 SP9 sneak preview) and i am getting the following error:
GroupAssignmentLoginModuleLibrary does not exist in LoadContextWrapper.modifyName.
com.sap.engine.services.security.exceptions.BaseSecurityException: Can not load a login Module
The next line is a ClassNotFoundException for the Login Module and the class found in negative cache.
Please let me know if you know the solution to this problem.
It is an urgent issue and a solution will be suitably rewarded.
Regards,
Vibhu
Hi Diego,
Scenario 1: SAP EP to SAP Backend Integration
In this scenario the most commonly used strategy is SAP logon tickets. As far as I know this is the best and simplest way to implement SSO.
Scenario 2: SAP EP to non-SAP systems.
In this scenario various mechanisms can be used. It depends on the application you are integrating with. SAP does deliver SSO solutions with Lotus Notes and Outlook etc. If supported, it is probably simplest to use the SAP solution [Reliability and Support].
Scenario 3: Enterprise uses third-party authentication software.
For the authentication, if the company chooses to use some third-party product like SiteMinder etc., then you can simply use this solution for SAP EP authentication, and also for all your other enterprise applications based on the product support. But SAP EP to other SAP systems is best integrated with SAP logon tickets.
Scenario 4: SSO using homegrown authentication or some third-party JAAS module.
If you have significant applications that are home grown and use some custom authentication mechanism (example: authentication based on ID and password stored in a company database) you can write a JAAS module extension to authenticate using that database. In other words JAAS is flexible and allows for using external authentication mechanisms.
There are several mechanisms available; it all depends on your internal applications/security mechanism/integration etc.
Here is the link to one of the good articles on SDN about the SAP supported SSO mechanisms.
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/uuid/58094632-0301-0010-a391-fc0de26f010e
Hope this information is useful.
-Venkat Malempati
Renewable Ticket using keytab (JAAS) - Problem
Hi,
I am using a Key tab file with the below JAAS configuration.
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab = true
useTicketCache = true
keyTab="xyz.keytab"
storeKey=true
principal="user/xyz.com"
The configuration works only if kinit is called beforehand and the ticket is present in the cache. I am checking a condition for a renewable ticket using the JAAS API and it works.
Now if I modify the JAAS configuration not to use the ticket cache, i.e. by setting useTicketCache = false, then without calling kinit and just using the keytab it fails to set the renewable flag, although I am able to get the ticket authenticated by Kerberos using the JAAS API. Below is the JAAS configuration.
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab = true
useTicketCache = false
keyTab="xyz.keytab"
storeKey=true
principal="user/xyz.com"
Please let me know how we can use the keytab with the JAAS API, bypassing the kinit command, so that the renewable ticket flag is set.
Thanks,
Raghavendra Nandagopal
Thanks for the reply
When I run this code
loginCtx = new LoginContext( "Client",
new LoginCallbackHandler( username, password));
which uses this package import javax.security.auth.login.LoginContext;
It starts connecting to Kerberos and I see it mentioning UDP ports in the console. I thought this was part of JAAS, but it seems I was mistaken; that is not a problem now.
So the question now is: is there a way to get SOAP in between the client and Kerberos without sending the username and password?
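One added example (not code from either poster) for the two Kerberos questions above. For the keytab question: Krb5LoginModule has no option that asks the KDC for a renewable ticket (its options cover the cache, the keytab, renewTGT for a cached ticket, prompting and the like), so the flag seen on the cache path is whatever kinit requested; on the keytab path the JVM's Kerberos implementation builds its own AS-REQ from the JVM's Kerberos settings (krb5.conf and the java.security.krb5.* properties), and the reliable check is to read the flags the KDC actually put on the TGT, which describeTgt() below does. For the SOAP question: the client never sends a password; it does the JAAS login locally and carries a GSS-API token (a Kerberos AP-REQ) in the message, and the service validates that token with the service key from its own keytab. The keytab file names, the HTTP/soap.xyz.com service principal, the entry name "keytab" and a reachable KDC plus krb5.conf are assumptions of the example.

```java
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

public class KeytabGssDemo {

    /** Kerberos V5 GSS-API mechanism OID (RFC 1964). */
    static final Oid KRB5_MECH;
    static {
        try { KRB5_MECH = new Oid("1.2.840.113554.1.2.2"); }
        catch (GSSException e) { throw new ExceptionInInitializerError(e); }
    }

    /** The keytab-only Krb5LoginModule entry from the post, as a programmatic Configuration (no kinit, no cache). */
    static Configuration keytabConfig(final String keytab, final String principal, final boolean initiator) {
        return new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                Map<String, String> o = new HashMap<>();
                o.put("useKeyTab", "true");
                o.put("useTicketCache", "false");
                o.put("keyTab", keytab);
                o.put("storeKey", "true");
                o.put("principal", principal);
                o.put("doNotPrompt", "true");                     // fail instead of prompting if the keytab lacks the key
                o.put("isInitiator", String.valueOf(initiator));   // the service (acceptor) side needs no TGT at all
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                    "com.sun.security.auth.module.Krb5LoginModule", LoginModuleControlFlag.REQUIRED, o) };
            }
        };
    }

    static Subject login(String keytab, String principal, boolean initiator) throws LoginException {
        LoginContext lc = new LoginContext("keytab", new Subject(), null, keytabConfig(keytab, principal, initiator));
        lc.login();
        return lc.getSubject();
    }

    /** Report the flags the KDC actually granted on the TGT; RENEWABLE is the KDC's decision, not a JAAS option. */
    static String describeTgt(Subject s) {
        for (KerberosTicket t : s.getPrivateCredentials(KerberosTicket.class)) {
            if (t.getServer().getName().startsWith("krbtgt/")) {
                return "TGT for " + t.getClient() + ": renewable=" + t.isRenewable() + " forwardable=" + t.isForwardable()
                     + " endTime=" + t.getEndTime() + " renewTill=" + t.getRenewTill();
            }
        }
        return "no TGT in Subject";
    }

    /** Client: build the AP-REQ token that travels in the SOAP message in place of a username and password. */
    static byte[] clientToken(Subject client, final String service) throws Exception {
        return Subject.doAs(client, (PrivilegedExceptionAction<byte[]>) () -> {
            GSSManager m = GSSManager.getInstance();
            GSSName target = m.createName(service, GSSName.NT_HOSTBASED_SERVICE);   // "HTTP@host" form
            GSSContext ctx = m.createContext(target, KRB5_MECH, null, GSSContext.DEFAULT_LIFETIME);
            ctx.requestMutualAuth(false);                       // one token is enough for this demo
            try { return ctx.initSecContext(new byte[0], 0, 0); } finally { ctx.dispose(); }
        });
    }

    /** Service: verify the token with the service key from its own keytab and learn who the caller is. */
    static String acceptToken(Subject service, final byte[] token) throws Exception {
        return Subject.doAs(service, (PrivilegedExceptionAction<String>) () -> {
            GSSManager m = GSSManager.getInstance();
            GSSCredential cred = m.createCredential(null, GSSCredential.DEFAULT_LIFETIME, KRB5_MECH, GSSCredential.ACCEPT_ONLY);
            GSSContext ctx = m.createContext(cred);
            try {
                ctx.acceptSecContext(token, 0, token.length);
                if (!ctx.isEstablished()) throw new GSSException(GSSException.DEFECTIVE_TOKEN);
                return ctx.getSrcName().toString();
            } finally { ctx.dispose(); }
        });
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical keytabs and service principal; krb5.conf must point both sides at the same KDC.
        Subject client = login("xyz.keytab", "user/xyz.com", true);
        System.out.println(describeTgt(client));
        Subject service = login("http.keytab", "HTTP/soap.xyz.com", false);
        byte[] token = clientToken(client, "HTTP@soap.xyz.com");
        System.out.println("caller authenticated as " + acceptToken(service, token));
    }
}
```

Running with -Dsun.security.krb5.debug=true prints the AS-REQ the JVM sends, so the requested KDC options can be compared with what kinit requests; if the KDC policy allows renewable tickets but the JVM's request does not ask for them, the fix belongs in the JVM's Kerberos configuration rather than in the JAAS entry. In a real SOAP deployment the token is base64-encoded into a header and the service should keep mutual authentication on so the client can verify the server's reply token as well.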
Package problems in JAAS!
I have problems with packages. I started with the JAAS sample that Sun has and put in some classes to have a login prompt instead of the command window.
I put all the java files in the package sample and try to compile it, and get errors. I have all java files in the same directory ...MyProjects. Please can anyone tell me how to do it.
e.g. when I try to compile the file SampleLoginModule.java I get these errors; it looks like the file SamplePrincipal doesn't exist in the directory ..MyProjects
Compiling C:\SitePadPro\MyProjects\SampleLoginModule.java
Command line: "C:\jdk1.4\bin\javac.exe" -deprecation -g -classpath "C:\SitePadPro\MyProjects" "C:\SitePadPro\MyProjects\SampleLoginModule.java"
The current directory is: C:\SitePadPro\MyProjects
C:\SitePadPro\MyProjects\SampleLoginModule.java:63: cannot resolve symbol
symbol : class SamplePrincipal
location: class sample.SampleLoginModule
^
C:\SitePadPro\MyProjects\SampleLoginModule.java:304: cannot resolve symbol
symbol : class SamplePrincipal
location: class sample.SampleLoginModule
// overall authentication succeeded and commit succeeded,
^
2 errors
Finished
Hi,
This is what you'll have to do:
1) rename "MyProjects" into "sample" (since these classes belong to the package "sample")
2) open a command prompt
3) type:
cd SitePadPro
C:\jdk1.4\bin\javac.exe -deprecation -g -classpath %CLASSPATH%;. -d . sample\SampleLoginModule.java
Hope this helps,
Kurt.