JAAS-Seciruty without j_security_check

Similar Messages

• Use custom JAAS LoginModule without UME - possible?

  Hi all,
  I want to deploy an application that internally makes use of JAAS to authenticate users. There is a LoginModule that authenticates users against some database tables containing all the user data and profile. The application was not designed to be deployed to NetWeaver. So it does not make use of UME or some other NetWeaver specific feature. Actually it handles user management and authoroization issues completely on its own. The only reason for having JAAS is to allow customers to plug in their own LoginModule to use some other kind of user store.
  When deploying the web application to a simple servlet engine like Tomcat, all I have to do is to register my LoginModule in the "jaas.conf" file that is parsed by JAAS default implementation. I also tell the JVM where my jaas.conf file is located by appending a "-Djava..." runtime parameter to the JVM startup script.
  When using other application servers like IBM WebSphere things become a bit different. Normally you use the administration GUI of that server to configure your LoginModules. WebSphere for example keeps the login configuration in an internal database rather than writing everything into a "jaas.conf" text file. But the way the application can use the LoginModule is the same as in Tomcat.
  But when it comes to Netweaver, it seems to me that it's not possible to define a LoginModule that your application can use WITHOUT having to couple it tightly to UME. Or did I get something wrong? Initially I've tried to modify the JVM's parameters (using SAP J2EE Config Tool) to include the location of my "jaas.conf" file containing the my login configuration. But that did not work. The parameter was really passed to the JVM but anyway my LoginModule was not found, I guess that NetWeaver has some own implementation of the JAAS interfaces that just ignore the plain text JAAS configuration files (like WebSphere also does).
  The documentation that I have downloaded from SDN doesn't seem to match the 6.4 sneak preview version that I just downloaded some days ago. They say you should deploy your LoginModule as a library and add a refernce to the application. I tried that out but it did not help. The login configuration that the application wants to access is still not found. Actually there seems to be no way to specify the name for a JAAS Login Configuration in NetWeaver. At least I cound not find that in the documentation.
  So basically my question is: is it possible to deploy an application that wants to use some own LoginModule (either deployed separately or together with the application, that does not matter) without making use of Netweaver specific features like UME? The application has its own user management infrastructure and just needs a way to setup a JAAS Login Configuration to access its own LoginModule.
  Thanks for any reply
  Henning

  http://help.sap.com/saphelp_nw04s/helpdata/en/3f/1be040e136742ae10000000a155106/content.htm

• JAAS login without a password

  I am trying to log-in a user with just the user-name.
  I have 2 applications, Application A logs-in with his username and password. When user tries to launch Application B, Application B receives the username from Application A which is already running. Now Application B must login automatically with just the password.
  Is this possible with JAAS authentication? any sample code will be appreciated too.
  Thanks

  I have the same problem. I want to remove the password prompt when I power up my Mac.
  I know how Automatic Login works but my wife and daughter have profiles on the Mac and when I set my log-in to Automatic, we don't get the list of users to choose from. It goes straight to my profile.
  So ... I want to remove (not reset, remove) the requirement for a password on my log-in at power up without reinstalling the entire system but we need to have the list of user profiles available on start-up.
  Is this possible or am I looking at reinstalling the entire system?
  Thanks.

• Bypass JAAS Login Module

  Hello together,
  we need to build a new call from oracle Forms to new JSP PAGE ( made in ADF).
  That means, we create a new HTTP Request from Forms and read the Request Parameters, such username and password in the called JSP Page.
  We are using JAAS Authorization which works fine, but her comes the Problem:
  We would like to use the request parameters to authorize in JAAS automatically without any Login Screen (Login Module)
  Is there any Solution.
  Regards
  Arni

  Hi Frank,
  so there is no Chance to bypass the login Screen ?

• How to approach authorization taking data into account (?)

  hi
  I have been similar to "Introduction to ADF Security in JDeveloper 10.1.3.2" for an approach to authorization taking data into account.
  For example to solve something like this:
  Some users should be able to update SCOTT.EMP.SAL, but only for those records where they "are manager" (e.g. based on SCOTT.EMP.MGR).
  Because the current (10.1.3) "OracleAS JAAS Provider" Re: ADF Security : custom SecurityContext seem to provide the API hooks or customization features I think I need for this, I tried the following approach:
  (1) A solution implementation should preferably be "JAAS like", using classes from the "java.security" package like java.security.Permission or java.security.AccessControlContext etc. This way it is more likely to be future proof and could possibly more easily be integrated with future JAAS solutions from Oracle.
  (2) To minimize dependencies in my application, I introduced only one custom interface that does what I really want to do, that is "to check permissions":
  package accesscontrolstuff.common.security;
  import java.security.AccessControlException;
  import java.security.Permission;
  public interface PermissionChecker
       public void checkPermission(Permission pPermission)
            throws AccessControlException;
  }(3) It should be possible to easily check permissions in the business service implementation (ADF BC) and the view/controller layer (JSF managed beans).
  I have created an example application that implements this approach (check README.txt) :
  http://verveja.footsteps.be/~verveja/files/oracle/AccessControlStuffApp-v0.01.zip
  It has an updateAllEmp.jspx page that has a button for each EMP row to give a raise (that is update SCOTT.EMP.SAL). It will show an error message when the user is not allowed to give a raise.
  It has an updateSomeEmp.jspx page that has a button only for the EMP rows where the user is allowed to give a raise.
  question :
  All suggestions for improvement, on the approach or the example application, are welcome.
  (using JDeveloper 10.1.3.3.0 : ADF Business Components and ADF Faces)
  regards
  Jan Vervecken

  Thanks for you reply Frank and for going through the example.
  (a1) about "... the example could be coded without JAAS in the application as well ..."
  I'm not sure I understand when an application is "with JAAS" or "without JAAS" (in an Oracle context)?
  (The AccessControlStuffApp-v0.01.zip example includes an orion-application file that has a jaas-mode configured, which I could probably use for an implementation variation the works with a javax.security.auth.Subject instance, but the current implementation works with the "no jaas-mode" variant using the getUserPrincipalName() method.)
  (a2) about "This makes it hard to manage security roles ..."
  I don't think I understand. For the example, all authorization configuration is in the EMP table, why would that be hard to manage?
  What alternative would you suggest to "manage" security on the EMP table as is intended in the example?
  (a3) about "I think the required enhancement would be to add the dynamic permissions to an existing ADFSecurityContext ..."
  That sounds like what I have been looking for (see forum thread "ADF Security : custom SecurityContext").
  (a4) about "... and make this available to the business service as well ..."
  That would probably be useful.
  see also http://www.oracle.com/technology/products/jdev/howtos/1013/adfsecurity/adfsecurity_10132.html
  that says : "The defense-in-depth security design pattern demands that application developers implement application security with multiple lines of defense. ..."
  Thank you for pointing developers to this thread.
  regards
  Jan

• JSF/JAAS j_security_check for role-based login pages

  I'm looking for a way to take the login request after j_security_check is through and invoke logic in a backing bean somewhere to redirect the user (using Faces) to the appropriate view (via an outcome defined in the faces-config.xml, of course) based on the user's role. Is there a "JSF" (i.e. non-filter) way to do this that I'm missing? If not, I suppose I could try a filter if it will work.
  I've thought of just going to the same page and displaying different components, but I don't like that a lot, even using subviews. I thought about having two web apps, but find that to be a poor option. I really don't like trusting the user to remember/get a URL right beyond http://xyz.com or something similarly simple, as much to save them from frustration as anything else.
  Any ideas would be appreciated. I've scoured forums and Googled all day without much success, so I apologize if this is posted somewhere already. This seems like something that should be pretty simple and I may want to kick myself when I see the answer.

  Hi Brian,
  I do not believe it is j_security_check's job to check for blank
  passwords.
  In many security realms, it is "legal" for a user to have a blank
  password. j_security_check forwards whatever password was entered so that
  even users with blank passwords can be authenticated by the realm on the
  backend. For this reason I believe that j_security_check is "doing the
  right thing" by just forwarding whatever is presented to it, rather than
  having its own logic. It is best if j_security_check just acts as a very
  dumb middle man.
  If behavior was altered, it is true that your particular problem would be
  solved, but then many other people would have a problem with their users
  with blank passwords authenticating properly...
  Try looking into how to disable anonymous logins on the LDAP end of
  things. Hope this helps.
  Cheers,
  Joe Jerry
  brian wrote:
  I am using the LDAP Security Realm to authenticate against an iPlanet
  Directory Server. All works as expected when a user-id and password
  are entered for form-based authentication.
  However, when a userid is entered but no password, j_security_check
  logs the user in successfully. Aparently, this is correct LDAP
  behaviour as anonymous login to the LDAP server is permitted. It seems
  that the j_security_check servlet should check for blank passwords
  before trying to authenticate against the LDAP server and fail
  authentication if this is the case.
  Has anyone else experienced this problem?

• JAAS and j_security_check

  Hi there,
  I'm using Weblogic 6.1 and working on the security aspect of a project.
  What I want to do is to set up the app so that a user logs in and gets authenticated
  using JAAS. I also want to secure the app so that all requests for urls must
  be authenticated first i.e. They go through the login page first.
  The easiest way I can see to do this is to use FORM based authentication using
  j_security_check.
  Is there a way then to set whatever j_security_check in the session, within the
  JAAS part of the code? Rather than authenticating with JAAS and then sending
  username and password to j_security_check.
  Does anyone know what to set? I looked at previous messages but they seem to
  deal with earlier versions and these do not work with 6.1
  Any help would be appreciated,
  Thanks,
  Ian

  Frank, thanks for comments.
  Yes user info is in the sama database so I can get it from there, but I would like to call this DB function once after succesfull authentication. In addition we have kind of 2 level passwords in place, one application password and one internal db password for user to access database resources.
  User does not know his/her db password, we have just api to get db password after authentication and existing application api (developed for forms client originaly) assumes user access db by his own connection, so in many api's oracle function user is stored in some tables.
  So what I need is after authentication of user (with application password) I can get Oracle password and then make new DB connection to all application api, just would like to store Oracle password (or new user db connection )somewhere so I dont need to fetch it everytime I need to call application API.
  ferdo

• J_security_check, JAAS, password expiration, account locking and portals

  J2EE form-based authentication will redirect an unauthenticated user trying to connect to a secured resource to a login page and will 1) send the user to the originally requested page upon successful authentication OR 2) send the user to the error page in the event of authentication failure. There are a couple of problems that I have with this implementation - not with j_security_check specifically, but with the pattern generally.
  There are several events that a Portal must manage beyond simple authentication validation. Specifically
  - Notify a user after successful authentication that their account has been locked and they must contact someone to get it unlocked.
  - Notify a user after successful authentication that their password is about to expire and offer them a choice between changing their password immediately or proceeding to the requested resource.
  - Notify a user after successful authentication that their password has expired and require that they change it before proceeding to the requested resource.
  - Notify a user after successful authentication that they don't have rights to access to the requested resource even though they've been successfully authenticated and offer to redirect them to a page that they are authorized to access.
  I am currently investigating a scheme to solve these problems by using servlets for the login and error 'pages', having these servlets forward to different .JSP's based on roles, and writing some sort of JAAS module to add an access (authorization) role based on the password and account lock status.
  Has anyone else worked on this kind of problem? Are there any efforts to extend the J2EE specifications to handle these alternate flows in the j_security_check activity.
  I'm frustrated with each of the different container providers handling the JAAS Authorization differently. Further, since the j_security_check doesn't discuss how the server tracks the original request, each container provider has used a custom mechanism for keeping the original URI as j_security_check activity proceeds.
  One final gripe, since the J2EE specification does not specify how to deal with JAAS, and further define a mechanism to getting the Subject associated with the current ServletRequest, all providers have done this differently too. Perhaps this was avoided as a 'non-goal', but wouldn't it have been nice to state that 'should a provider decide to offer JAAS based security, the implementation must...'?

  I understand this problem... I dont know whether I have term this as a "Feature" or a "Drawback".
  I have handled this problem differently in my project.
  Scenario: When user does normal login
  1. User is displayed a home page. During this process, I create a session variable "Initialized".
  2. I check for this session variable in all the pages. If this session variable is missing then I redirect to the home page which in turn creates the "Initialize" variable in the session.
  Scenarion: Session time out happens in Page 3
  1. User will be taken to login page.
  2. Typically scenarion, when user is authenticated successfully, Page 3 is displayed.
  3. I check for the session variable "Initialize" in Page 3. This "Initialize" variable will not be available due to session expiry.
  4. I redirect my page to "Home Page" which inturn creates session variable "Initialize".
  5. This solution solved the problem of showing home page when user does the login

• JAAS without a Security Manager

  Can I get JAAS authentication and authorization without using a security manager? The reason I'm asking is I've built an ACL system using JAAS permissions and it appears to work even if I don't specify a security manager (only command line options are -Djava.security.policy=policy.conf -Djava.security.auth.login.config=login.conf)
  All examples and documents I've been able to find have always included a security manager (-Djava.security.manager) so I was suprised to find it my system works without specifying one.
  -d

  Hello,
  Just got a question for you. I've noticed in one of your postings that you implemented a permissions framework that reads the settings from a database? I was wondering how you went about it.
  We are struggling with a security design we'd like to setup: we got a menuing system that allows a user to start some functionality if he has access to that. Now we want to augment that with more functional permissions instead of just access. We got the JAAS authentication setup; problem remains where to implement the check/read from the DB if a user has which permissions on a function.
  thanks for any info on this!
  Wim Van Leuven.

• How to redirect to j_security_check without the form based authentication

  Hi,
  I am trying to integrate my application authentication to a backend system with the ibm websphere form based authentication. Below is the scenario:
  1. when the user clicks on a protected url, the container will redirect the user to the login page.
  2. instead of displaying the login page, i would like to automatically redirect the user to j_security_check action. which means that instead of displaying the login.jsp page, the user will automatically be redirected to j_security_check to perform some user authentication, and if successful, the application pages will be displayed.
  The reason i want to auto redirect the user to j_security_check is because i am implementing some integration work with a backend system. the user will key in the username/password from another system. once the user is authenticated, the user information will be passed to my system. The login page of my system will not be displayed again, and by using the username value, my system will assume that the user has successfully been authenticated (authentication done by the backend system), and therefore automatically gain authorization to login into my application.
  i hope that clarifies my problem.
  anyone out there has any solution to my problem?
  thanks a lot in advance.

  Hi Darren,
  Let me explain the whole authentication environment.
  There are actually 2 systems in this environment. Let;s call it system A and system B.
  System B is actually using the authentication mechanism that i described in my previous message.
  A login page will be presented to the user (within system A). User credential is collected and passed to system A to be authenticated. System A will use its own mechanism to authenticate the user.
  Once the user is authenticated, system A will pass the user ID to system B. At this point, system B will assume that the user is authenticated and grant authorization to access the application. (system B global security is enabled and implements the form based authentication mechanism) Therefore, at this point, the redirect page (so called login page) will not be displayed to the user, instead it will be automatically redirected to the j_security_check action to execute the customer Ldap Registry class. (ps : eventhough authentication is no longer needed, the flow will still go to Ldap Registry class. A check is done in the Ldap Registry class to skip the authentication, if it is not boot strap login. Only first and only time authentication is done for boot strap login).
  In the case a protected url is clicked or invoked by the user directly, the application will redirect the user to the initial login of system A. Otherwise (the url link originates from system A, during the passing of user token to system B), system B will redirect to j_security_check and execute the customer Ldap Registry class.
  Based on the above explained scenario, in your opinion, is there any security loopholes? consider that system B no longer perform authentication but only to grant authorization to the user.
  Appreciate your advice. Thanks in advance
  Anyway, i am using the ibm websphere server. :)

• JAAS LoginModule j_security_check and user info

  Hello there,
  I successfully implemented custom LoginModule which validates users against passwords stored in database by calling some server api's. I am using container managed security via j_security_check servlet.
  This is working fine, now I just wonder what is the best way to store additional information about user like name, surname email and make them accessible to JSP/JSF pages.
  I did not found any link from LoginModule to HttpSession so I am stuck on this. Ideally I would like to store this additional info immediately after user is successfully authenticated by LoginModule.
  Any hint on this?
  ferdo

  Frank, thanks for comments.
  Yes user info is in the sama database so I can get it from there, but I would like to call this DB function once after succesfull authentication. In addition we have kind of 2 level passwords in place, one application password and one internal db password for user to access database resources.
  User does not know his/her db password, we have just api to get db password after authentication and existing application api (developed for forms client originaly) assumes user access db by his own connection, so in many api's oracle function user is stored in some tables.
  So what I need is after authentication of user (with application password) I can get Oracle password and then make new DB connection to all application api, just would like to store Oracle password (or new user db connection )somewhere so I dont need to fetch it everytime I need to call application API.
  ferdo

• Configure JAAS login module stack to support x.509 certificates without SSL

  I want to use x.509 certificates for authentication against a EP 7.0 but I don’t want to have SSL traffic on the network segment where the portal resides. Obviously the SSL must be terminated in an application gateway that sends the certificate to the portal in the header.
  I know that AcceptClientCertWithoutSSL must be set to true in the http provider and that ClientCertificateHeaderName is the name of the header variable that contains the user’s certificate, default is SSL_CLIENT_CERT.
  What I don’t know is how to configure my JAAS login module stack, my suggestion would be this:
  EvaluateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
  ClientCertLoginModule OPTIONAL {Rule1.getUserFrom=SSL_CLIENT_CERT}
  CreateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
  BasicPasswordLoginModule REQUISITE {}
  CertPersisterLoginModule OPTIONAL {Rule1.getUserFrom=SSL_CLIENT_CERT}
  CreateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
  My concern is does the ClientCertLoginModule and the CertPersisterLoginModule read from the header variable? If they don’t, is there another login module that should be used in this case?

  Hi Claus,
  you got the flags right but the options of the login modules (LM) are wrong, so the certificate authentication won't work.
  There's two problems I see: (1) Rule1.getUserFrom is not a valid option for the LM CertPersisterLoginModule, and (2) SSL_CLIENT_CERT is not a valid value for the option Rule1.getUserFrom of the ClientCertLoginModule.
  Looking at this topic:
  http://help.sap.com/saphelp_nw2004s/helpdata/en/ea/301e3e6217b40be10000000a114084/content.htm
  the header variable used to pass the certificate is maintained in the HTTP provider service properties but since you use the default you don't need to maintain that part of the config. You also don't need the CertPersisterLoginModule in the config because it is used for automatic certificate mapping, which doesn't work when you don't have SSL to the portal.
  So with the above said your LM stack config should look like this:
  EvaluateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
  ClientCertLoginModule OPTIONAL {Rule1.getUserFrom=wholeCert}
  CreateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
  BasicPasswordLoginModule REQUISITE {}
  CreateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
  If this doesn't work I'd suggest opening a support ticket.
  Regards,
  Yonko

• Using JAAS without config text files

  Hi everybody,
  I'm trying to develop an application using JAAS for authentication and authorization, but I don't want to depend on the text files for configuration.
  This application is going to be distributed using Webstart, so I don't know which configuration the user will have.
  Is there anyway to bypass these files?
  Thanks a lot,
  Luis Javier

  For the LoginModule part, you could try to set your own Configuration object.
  Ses javax.security.auth.login.Configuration.setConfiguration
  You should be able to inherit from Configuration and provide your own method to
  provide AppConfigEntries.

• Jaas Authorization in jboss without using policy file

  HI,
  i am working on j2ee application in which i am using jaas for authentication and authorization.
  authentication is done but in authorization i dont want to use
  policy file because roles can be added it is not predefined so jaas should refer database for roles names and permissin i.e action class(URL permission) that are accesible to the user.
  how to implement this using jaas?
  pl can u help me to solve this problem.

  Has anyone ever implemented a simple web page authorization with Jaas?
  Please do help me by posting a sample code
  or suggest me a better security tool to use

• Form-based authentication in JBoss using a database and JAAS

  I am trying to set up simple authentication using a database. I am initially trying to secure all web resources, since my application accesses the EJBs via servlets (and is working fine without security). Later I will tighten things down so that the EJB's business methods will also have security in place.
  It seems that everything is in place but I am unable to authenticate a user when I use a valid login/password combination (I am being redirected to the login error page). No exceptions appear in the JBoss console, and the database tables are populated with proper values. I'm clueless as to why this isn't working -- hopefully someone reading this can give me a clue as to what is going wrong.
  Here is what I have done so far:
  1) I have two tables in my database, one for the username and password, and another for roles. The database tables look like this:
  table name: principals
  column: principal_id VARCHAR(64) primary key
  column: password VARCHAR(64)
  table name: roles
  column: principal_id VARCHAR(64)
  column: user_role VARCHAR(64)
  column: role_group VARCHAR(64)
  2) I have added an entry in $JBOSS/server/default/conf/login-config.xml to declare an application policy which uses a DatabaseServerLoginModule. In this entry I have specified the SQl to be used by the module for selecting the password and role, following the example in the JBoss Getting Started Guide (p. 57):
      <!-- added for HIM Server security -->
      <application-policy name="HIM-client-login">
          <authentication>
              <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
                            flag="required">
                  <module-option name="dsJndiName">java:/OracleDS</module-option>
                  <module-option name="principalsQuery">select password from principals where principal_id=?</module-option>
                  <module-option name="principalsQuery">select user_role, role_group from roles where principal_id=?</module-option>
              </login-module>
          </authentication>
      </application-policy>
       ...3) I have added a security domain entry in the jboss-web.xml file:
      <!-- All secure web resources will use this security domain -->
      <security-domain>java:/jaas/HIM-client-login</security-domain>
      ... 4) I have declared a security constraint in the web.xml file:
      <!-- security configuration -->
      <security-constraint>
          <display-name>Server Configuration Security Constraint</display-name>
          <!-- the collection of resources to which the sucurity constraint applies -->
          <web-resource-collection>
              <web-resource-name>Secure Resources</web-resource-name>
              <description>Security constraint for all resources</description>
              <!-- the pattern that this constraint applies to -->
              <url-pattern>/*</url-pattern>
              <!-- the HTTP methods that this constraint applies to -->
              <http-method>POST</http-method>
              <http-method>GET</http-method>
          </web-resource-collection>
          <!-- the user roles that should be permitted access to this resource collection -->
          <auth-constraint>
              <description>Only allow those users that are in the following role</description>
              <role-name>user</role-name>
          </auth-constraint>
          <!-- declare a transport guarantee, if any -->
          <user-data-constraint>
              <transport-guarantee>NONE</transport-guarantee>
          </user-data-constraint>
      </security-constraint>
      ... 5) I have a simple login form (LoginForm.jsp) which encodes j_security_check:
  <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
  <html>
      <head>
          <title>HIM Client Login</title>
      </head>
      <body>
          <form method="POST"
                action='<%= response.encodeURL( "j_security_check" ) %>'>
              Username: <input type="text"
                               name="j_username"><br/>
              Password: <input type="password"
                               name="j_password"><br/>
              <br/>
              <input type="submit"
                     value="Login">
              <input type="reset"
                     value="Reset">
          </form>
      </body>
  </html>
      Can anyone see from the above that I have missed something, or that I have done something wrong ?
  Is there a way to get more information ? All I see in the access log file are logs of the requests for the servlet, j_security_check, and the login and error pages, and it might be helpful to have a little more information as to what is going on.
  Thanks in advance for any insight.
  -James

  Hi,
  I have exactly followed your configurations. However, I dont have the same database tables in my database. I used the following:
  <module-option name="principalsQuery">select password from s_users where username=?</module-option>
  <module-option name="rolesQuery">select role from s_users where username=?</module-option>However, when I try to logon I get the following error message from jboss:
  "ERROR [org.jboss.security.auth.spi.UsersRolesLoginModule] Failed to load users/passwords/role files
  java.io.IOException: No properties file: users.properties or defaults: defaultUsers.properties found" although I do not want to use property files as I want to use the oracle database.
  Any help appreciated!