JAAS: unclear doc on LoginContext.login()

I'm having difficulty understanding some of the javadoc text for
LoginContext.login(). Consider these three paragraphs:
If the commit phase of the authentication process fails, then the
overall authentication fails and this method invokes the abort method
for each configured LoginModule.

If the abort phase fails for any reason, then this method propagates
the original exception thrown either during the login phase or the
commit phase. In either case, the overall authentication fails.

In the case where multiple LoginModules fail, this method propagates
the exception raised by the first LoginModule which failed.

Specific questions:
1. Is it only when the abort phase fails that the original
exception should be propagated? How about when the abort phase
passes (i.e., I presume, when there's no error in executing the
LoginModules' abort() methods)?
2. That 3rd paragraph: should it really be part of the 2nd paragraph,
or is it really a new thought? That is, should the first of multiple
LoginModule exceptions be propagated only when the abort phase
fails? Or should the first exception be propagated whenever there are
any exceptions, even when the abort phase passes?
General questions:
Generally, LoginExceptions are thrown upon login()
failures. I presume this is because you don't want to give specific
reasons for failed login attempts back to JoeCracker.
1. Should specific exceptions be propagated back at all?
2. It seems that the onus of logging the real problems should be the
responsibility of the LoginModule implementation, is that right? That
way, JoeCracker can't find out the real reasons for the failures, but
JoeLegitEmployee can walk over to the sysadmin and ask to peruse the
LoginModule logs ... does this make sense?

Perhaps I can simplify the questions ...
It seems that the javadoc allows propagation of the original exception
only in the case when the abort phase fails. Am I reading this
right?
Shouldn't it be OK to propagate the original LoginException for any
sort of failure in overall authentication?
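An added example, not from the post, that makes the phase ordering in the javadoc observable: two REQUIRED LoginModules installed through a programmatic Configuration record which phases run and can be told to throw in login, commit or abort. The class and option names (JaasPhaseDemo, PhaseModule, "failIn") are hypothetical.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** Hypothetical demo of LoginContext.login() phase handling with two REQUIRED modules. */
public class JaasPhaseDemo {

    /** Phases seen across all module instances, in call order. */
    static final List<String> TRACE = Collections.synchronizedList(new ArrayList<>());

    /** Records each phase; throws in the phase named by the hypothetical "failIn" option. */
    public static class PhaseModule implements LoginModule {
        private String name;
        private String failIn;

        @Override
        public void initialize(Subject subject, CallbackHandler handler,
                               Map<String, ?> sharedState, Map<String, ?> options) {
            name = String.valueOf(options.get("name"));
            failIn = (String) options.get("failIn");   // null means never fail
        }

        private boolean phase(String p) throws LoginException {
            TRACE.add(name + "." + p);
            if (p.equals(failIn)) {
                throw new LoginException(name + " failed in " + p);
            }
            return true;
        }

        @Override public boolean login()  throws LoginException { return phase("login"); }
        @Override public boolean commit() throws LoginException { return phase("commit"); }
        @Override public boolean abort()  throws LoginException { return phase("abort"); }
        @Override public boolean logout() { return true; }
    }

    /** Programmatic Configuration, so no java.security.auth.login.config file is needed. */
    static Configuration config(final String failA, final String failB) {
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String appName) {
                return new AppConfigurationEntry[] { entry("A", failA), entry("B", failB) };
            }
        };
    }

    private static AppConfigurationEntry entry(String name, String failIn) {
        Map<String, String> opts = new HashMap<>();
        opts.put("name", name);
        if (failIn != null) opts.put("failIn", failIn);
        return new AppConfigurationEntry(PhaseModule.class.getName(),
                LoginModuleControlFlag.REQUIRED, opts);
    }

    /** Runs login() for one scenario; returns the propagated exception message or "success". */
    static String run(String failA, String failB) {
        TRACE.clear();
        try {
            new LoginContext("demo", new Subject(), null, config(failA, failB)).login();
            return "success";
        } catch (LoginException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) {
        String[][] scenarios = {
            {null, "commit"},     // commit fails: abort runs on both modules
            {"login", "login"},   // both fail in login: the first module's exception propagates
            {"abort", "commit"},  // abort fails too: the original commit exception propagates
        };
        for (String[] s : scenarios) {
            String result = run(s[0], s[1]);
            System.out.println("failA=" + s[0] + " failB=" + s[1]
                    + " -> " + result + "  trace=" + TRACE);
        }
    }
}
```

Running main() shows abort() invoked on every module after a login or commit failure, and the original (first) LoginException propagated whether or not abort itself throws.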

Similar Messages

  • JAAS Exception : javax.security.auth.login.FailedLoginException: Password

    Hi All,
    I am using JBOSS 4.0.5 GA Application Server. Eclipse3.0 IDE. Using JAAS 1.0 for authentication in login module.
    While running under the command prompt it was working successfully, as below:
    F:\Sample_Jaas1>java myapp.SomeStandAloneClient
    Logging in user: testUser
    Inside initialize method of SampleLoginModule
    Inside login method of SampleLoginModule
    Before call to callback handler
    After call to call back handler
    [SampleLoginModule] user entered username: testUser
    [SampleLoginModule] user entered password: testPassword
    [SampleLoginModule] authentication succeeded
    [SampleLoginModule] added SamplePrincipal to Subject
    Successfully logged in user: testUser
    User logged in successfull
    //Login.java
    final String authFile = "Some.config";
    System.out.println("Before setting system properties");
    System.setProperty("java.security.auth.login.config", authFile);
    System.out.println("After setting system properties");
    MyCallbackHandler handler = new MyCallbackHandler(username, password);
    try {
        LoginContext lc = new LoginContext("someXYZLogin", handler);
        System.out.println("Instantiate Login Context");
        lc.login();
        //*****when i am calling lc.login() method it is throwing the exceptions***
        System.out.println("After calling login method");
        System.out.println("Successfully logged in user: " + username);
    } catch (LoginException le) {
        System.out.println("Login failed");
        le.printStackTrace();
    }

    //Some.config ---Config file
    someXYZLogin {
        dao.SampleLoginModule required debug=true;
    };

    //SampleLoginModule.java
    public boolean login() throws LoginException {
        System.out.println("Inside login method of SampleLoginModule");
        if (callbackHandler == null)
            throw new LoginException("Error: no CallbackHandler available " +
                    "to garner authentication information from the user");
        Callback[] callbacks = new Callback[2];
        callbacks[0] = new NameCallback("SampleModule username: ");
        callbacks[1] = new PasswordCallback("SampleModule password: ", false);
        try {
            System.out.println("Before call to callback handler");
            callbackHandler.handle(callbacks);
            username = ((NameCallback) callbacks[0]).getName();
            char[] tmpPassword = ((PasswordCallback) callbacks[1]).getPassword();
            System.out.println("After call to call back handler");
            if (tmpPassword == null) {
                // treat a NULL password as an empty password
                tmpPassword = new char[0];
            }
            password = new char[tmpPassword.length];
            System.arraycopy(tmpPassword, 0, password, 0, tmpPassword.length);
            ((PasswordCallback) callbacks[1]).clearPassword();
        } catch (java.io.IOException ioe) {
            throw new LoginException(ioe.toString());
        } catch (UnsupportedCallbackException uce) {
            throw new LoginException("Error: " + uce.getCallback().toString() +
                    " not available to garner authentication information " +
                    "from the user");
        }
        // ... remainder of login() (the credential check) was not included in the post
    }
    When it was running with JBOSS Server it is throwing the following exception:
    09:45:21,484 ERROR [STDERR] javax.security.auth.login.FailedLoginException: Password Incorrect/Password Required
    09:45:21,484 ERROR [STDERR] at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:213)
    09:45:21,500 ERROR [STDERR] at org.jboss.security.auth.spi.UsersRolesLoginModule.login(UsersRolesLoginModule.java:152)
    09:45:21,500 ERROR [STDERR] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    09:45:21,500 ERROR [STDERR] at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    09:45:21,500 ERROR [STDERR] at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    09:45:21,500 ERROR [STDERR] at java.lang.reflect.Method.invoke(Unknown Source)
    09:45:21,500 ERROR [STDERR] at javax.security.auth.login.LoginContext.invoke(Unknown Source)
    09:45:21,500 ERROR [STDERR] at javax.security.auth.login.LoginContext.access$000(Unknown Source)
    09:45:21,500 ERROR [STDERR] at javax.security.auth.login.LoginContext$4.run(Unknown Source)
    09:45:21,500 ERROR [STDERR] at java.security.AccessController.doPrivileged(Native Method)
    09:45:21,500 ERROR [STDERR] at javax.security.auth.login.LoginContext.invokeModule(Unknown Source)
    09:45:21,500 ERROR [STDERR] at javax.security.auth.login.LoginContext.login(Unknown Source)
    Can anybody tell me what the problem might be?
    Thanks in Advance

    Franky Ronald D'Souza wrote:
    I am trying to connect to SQL Server 2000 from a JSP (Weblogic 7.0) using a
    connection pool. (Without datasource etc). I am getting the above mentioned
    exception.
    If I connect through sun.jdbc.odbc it works fine. I don't know what I am
    doing wrong. Can anyone help out with this problem.

    Whose SQLServer driver are you using? Can you connect to the DBMS using the
    driver in a simple standalone program?
    Joe

    thnx in advance.
    Franky

  • Oracle 9I JAAS problem: javax.security.auth.login.LoginException

    I have a problem with Oracle 9iAS JAAS. I get "javax.security.auth.login.LoginException: unable to find LoginModule class" no matter where I put the class file: on the JVM options (-cp), in the WAR file, added via the Web Admin, or by manually editing 9iAS's configuration file.
    None works. Can anyone help? I am using JDK 1.3.
    I had the same problem on Tomcat, but I solved it by putting the class in the JVM's classpath. For 9iAS, it just doesn't work.
    Thank you for the help

    Bet you have solved this already, but
    the right place for JAAS-related stuff is
    as an installed extension, i.e.:
    jre/lib/ext
    where jaas.jar and the jars containing login modules should be located.
    /Kullervo

  • ClassCastException on LoginContext.login() with Krb5LoginModule

    I have an existing application which is working properly.
    I am now trying to run it with a SecurityManager.
    After adding most of the rights it needs, it runs the key exchange until halfway.
    It gets stuck with a javax.security.auth.login.LoginException: java.lang.ClassCastException: java.lang.NumberFormatException.
    I don't get how this could happen; also the source is not available, it being a Sun package.
    How could a strict security manager cause this?
    StackTrace:
    javax.security.auth.login.LoginException: java.lang.ClassCastException: java.lang.NumberFormatException
    at sun.security.krb5.KrbKdcReq.send(KrbKdcReq.java:150)
    at sun.security.krb5.KrbKdcReq.send(KrbKdcReq.java:106)
    at sun.security.krb5.KrbAsReq.send(KrbAsReq.java:330)
    at sun.security.krb5.Credentials.acquireTGT(Credentials.java:369)
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:642)
    at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:512)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:585)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
    at javax.security.auth.login.LoginContext$5.run(LoginContext.java:706)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokeCreatorPriv(LoginContext.java:703)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:575)
    Debug:
    Debug is true storeKey true useTicketCache true useKeyTab true doNotPrompt true ticketCache is null KeyTab is /root/krb5.keytab refreshKrb5Config is false principal is some/[email protected] tryFirstPass is false useFirstPass is false storePass is false clearPass is false
    Acquire TGT from Cache
    Principal is some/[email protected]
    null credentials from Ticket Cache
    principal's key obtained from the keytab
    principal is some/[email protected]
    Acquire TGT using AS Exchange

    JDK version:
    java version "1.5.0_07"
    Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_07-b03)
    Java HotSpot(TM) Client VM (build 1.5.0_07-b03, mixed mode)
    I have created a SecurityManager which uses the SELinux policy and security server for its access decisions. The internal workings differ quite a bit: it uses threads and thread groups instead of protection domains.
    Now when I run a Kerberos-protected service in my SELinux-enhanced Java environment it gets to the point where javax.crypto.SunJCE_n.<init> tries to create a SecurityManager, which I authorize. But I am not sure why this should happen. What kind of security manager is needed there, and why can't it just use the system security manager?
    But it works; shortly after that, it goes wrong.
    Without a SecurityManager the application runs fine, so it's not the Kerberos environment.
    java.lang.RuntimePermission
    createSecurityManager
    system_u:system_r:jvm_webadmin_t
    java.lang.Thread.dumpThreads(Native Method)
    java.lang.Thread.getStackTrace(Thread.java:1383)
    org.spugium.spine.security.SELinuxSecurityManager.checkPermission(SELinuxSecurityManager.java:393)
    java.lang.SecurityManager.<init>(SecurityManager.java:282)
    javax.crypto.SunJCE_n.<init>(DashoA12275)
    javax.crypto.SunJCE_n.<init>(DashoA12275)
    javax.crypto.SunJCE_r.run(DashoA12275)
    java.security.AccessController.doPrivileged(Native Method)
    javax.crypto.SunJCE_n.<clinit>(DashoA12275)
    javax.crypto.Cipher.c(DashoA12275)
    javax.crypto.Cipher.getMaxAllowedKeyLength(DashoA12275)
    sun.security.krb5.internal.crypto.EType.getBuiltInDefaults(EType.java:180)
    sun.security.krb5.internal.crypto.EType.isSupported(EType.java:262)
    sun.security.krb5.internal.ktab.KeyTab.readServiceKeys(KeyTab.java:241)
    sun.security.krb5.EncryptionKey.acquireSecretKeys(EncryptionKey.java:139)
    com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:605)
    com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:512)
    sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    java.lang.reflect.Method.invoke(Method.java:585)
    javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
    javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
    javax.security.auth.login.LoginContext$5.run(LoginContext.java:706)
    java.security.AccessController.doPrivileged(Native Method)
    javax.security.auth.login.LoginContext.invokeCreatorPriv(LoginContext.java:703)
    javax.security.auth.login.LoginContext.login(LoginContext.java:575)
    org.spugium.spine.plug.webadmin.Webadmin.getServerSubject(Webadmin.java:584)
    org.spugium.spine.plug.webadmin.WebadminServer.run(WebadminServer.java:38)
    After that it is going wrong:
    javax.security.auth.login.LoginException: java.lang.ClassCastException: java.lang.NumberFormatException
    at sun.security.krb5.KrbKdcReq.send(KrbKdcReq.java:150)
    at sun.security.krb5.KrbKdcReq.send(KrbKdcReq.java:106)
    at sun.security.krb5.KrbAsReq.send(KrbAsReq.java:330)
    at sun.security.krb5.Credentials.acquireTGT(Credentials.java:369)
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:642)
    at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:512)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:585)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
    at javax.security.auth.login.LoginContext$5.run(LoginContext.java:706)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokeCreatorPriv(LoginContext.java:703)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:575)
    at org.spugium.spine.plug.webadmin.Webadmin.getServerSubject(Webadmin.java:584)
    at org.spugium.spine.plug.webadmin.WebadminServer.run(WebadminServer.java:38)
    at org.spugium.spine.plug.webadmin.WebadminServer.run(WebadminServer.java:1)
    at org.spugium.spine.SPinedSub$2.run(SPinedSub.java:51)
    at java.lang.Thread.run(Thread.java:595)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:872)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
    at javax.security.auth.login.LoginContext$5.run(LoginContext.java:706)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokeCreatorPriv(LoginContext.java:703)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:575)
    at org.spugium.spine.plug.webadmin.Webadmin.getServerSubject(Webadmin.java:584)
    at org.spugium.spine.plug.webadmin.WebadminServer.run(WebadminServer.java:38)

  • JSF/JAAS j_security_check for role-based login pages

    I'm looking for a way to take the login request after j_security_check is through and invoke logic in a backing bean somewhere to redirect the user (using Faces) to the appropriate view (via an outcome defined in the faces-config.xml, of course) based on the user's role. Is there a "JSF" (i.e. non-filter) way to do this that I'm missing? If not, I suppose I could try a filter if it will work.
    I've thought of just going to the same page and displaying different components, but I don't like that a lot, even using subviews. I thought about having two web apps, but find that to be a poor option. I really don't like trusting the user to remember/get a URL right beyond http://xyz.com or something similarly simple, as much to save them from frustration as anything else.
    Any ideas would be appreciated. I've scoured forums and Googled all day without much success, so I apologize if this is posted somewhere already. This seems like something that should be pretty simple and I may want to kick myself when I see the answer.

    Hi Brian,
    I do not believe it is j_security_check's job to check for blank
    passwords.
    In many security realms, it is "legal" for a user to have a blank
    password. j_security_check forwards whatever password was entered so that
    even users with blank passwords can be authenticated by the realm on the
    backend. For this reason I believe that j_security_check is "doing the
    right thing" by just forwarding whatever is presented to it, rather than
    having its own logic. It is best if j_security_check just acts as a very
    dumb middle man.
    If behavior was altered, it is true that your particular problem would be
    solved, but then many other people would have a problem with their users
    with blank passwords authenticating properly...
    Try looking into how to disable anonymous logins on the LDAP end of
    things. Hope this helps.
    Cheers,
    Joe Jerry
    brian wrote:
    I am using the LDAP Security Realm to authenticate against an iPlanet
    Directory Server. All works as expected when a user-id and password
    are entered for form-based authentication.
    However, when a userid is entered but no password, j_security_check
    logs the user in successfully. Apparently, this is correct LDAP
    behaviour as anonymous login to the LDAP server is permitted. It seems
    that the j_security_check servlet should check for blank passwords
    before trying to authenticate against the LDAP server and fail
    authentication if this is the case.
    Has anyone else experienced this problem?
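An added example, not part of the thread, of the check Joe Jerry places on the application side: credentials are validated before any bind, so a blank password is rejected rather than forwarded to a directory that would accept it as an anonymous bind. The class name LdapBindGuard, the LDAP URL and the DN are hypothetical.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;

/** Hypothetical helper: refuses credentials an LDAP server would treat as an anonymous bind. */
public final class LdapBindGuard {

    /** True only if both a user id and a non-blank password were supplied. */
    static boolean isBindable(String userId, char[] password) {
        if (userId == null || userId.trim().isEmpty()) return false;
        if (password == null || password.length == 0) return false;
        for (char c : password) {
            if (!Character.isWhitespace(c)) return true;
        }
        return false;  // whitespace-only password counts as blank
    }

    /**
     * Binds as the given DN with "simple" authentication. The guard runs first, so an
     * empty password never reaches the directory. Needs a reachable LDAP server.
     */
    static DirContext bind(String ldapUrl, String userDn, char[] password) throws LoginException {
        if (!isBindable(userDn, password)) {
            throw new FailedLoginException("user id and non-blank password are required");
        }
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, userDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        try {
            return new InitialDirContext(env);  // the bind happens here
        } catch (NamingException e) {
            // Record the directory's reason in the server-side log; the caller gets a generic failure.
            System.err.println("LDAP bind failed for " + userDn + ": " + e);
            throw new FailedLoginException("authentication failed");
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs; no directory is contacted here.
        String dn = "uid=alice,ou=people,dc=example,dc=com";
        System.out.println("password given:   " + isBindable(dn, "s3cret".toCharArray()));
        System.out.println("empty password:   " + isBindable(dn, new char[0]));
        System.out.println("blank password:   " + isBindable(dn, "   ".toCharArray()));
        System.out.println("missing user id:  " + isBindable("", "s3cret".toCharArray()));
    }
}
```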

  • Finder and doc fail at login

    My Power Mac G5 with 10.5.1 was slow toward the end of the day yesterday and was very slow in shutting down. This morning it booted slowly but still gave me a login panel. It logged me in but then reported the dock failed to launch and the finder also did not. I repaired the disk from the installer but did not see any problem and the problems linger. How can I fix them?

    I can offer the next step in troubleshooting, resetting the PRAM:
    1. Shut down the computer.
    2. Locate the following keys on the keyboard: Command, Option, P, and R. You will need to hold these keys down simultaneously in step 4.
    3. Turn on the computer.
    4. Press and hold the Command-Option-P-R keys. You must press this key combination before the gray screen appears.
    5. Hold the keys down until the computer restarts and you hear the startup sound for the second time.
    6. Release the keys.
    Hope this fixes the issue. Post back if it persists.
    Ray

  • Problems deploying custom JAAS login module (ClassNotFound)

    Hi,
    I've developed a custom JAAS login module that filters on IP address, which I am moving from 6.20 to 6.40.
    I've pretty much followed the procedures from http://help.sap.com/saphelp_nw04/helpdata/de/46/3ce9402f3f8031e10000000a1550b0/content.htm ; the only major difference is that I needed a reference to WebCallback and therefore a reference to com.sap.security.api.sda from my library project.
    I've especially followed the step "Adding a Reference to the Classloader of the Security Provider" (http://help.sap.com/saphelp_nw04/helpdata/de/2b/23e4407211732ae10000000a155106/content.htm), but I think it's this step that fails. This has been set to library:<library name>, where <library name> is what is written on the right-hand side of Visual Admin under library. I see that the library is deployed under the folder bin\ext\customer.com~com.customer.portal.login.IPRuleLibrary, so maybe I will try that name tomorrow morning.
    The exceptions I get are
    #1.5#001321B3B106005C0000000800002E380004039375E59BA6#1129831779936#com.sap.engine.services.security#sap.com/irj#com.sap.engine.services.security#Guest#1####ae7c5500419411daa7fd001321b3b106#SAPEngine_Application_Thread[impl:3]_17##0#0#Error#1#/System/Audit#Java###Exception #1#com.sap.engine.services.security.exceptions.BaseSecurityException: Cannot load a login module.
         at com.sap.engine.services.security.login.LoginContextFactory.init(LoginContextFactory.java:95)
         at com.sap.engine.services.security.login.LoginContextFactory.getLoginContext(LoginContextFactory.java:133)
         at com.sap.engine.services.security.server.AuthenticationContextImpl.getLoginContext(AuthenticationContextImpl.java:227)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:324)
         at com.sap.engine.system.SystemLoginModule.initialize(SystemLoginModule.java:72)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:324)
         at javax.security.auth.login.LoginContext.invoke(LoginContext.java:662)
         at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
         at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
         at java.security.AccessController.doPrivileged(Native Method)
         at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
         at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
         at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.getLoggedInUser(SAPJ2EEAuthenticator.java:86)
         at com.sapportals.portal.prt.service.authenticationservice.AuthenticationService.getLoggedInUser(AuthenticationService.java:305)
         at com.sapportals.portal.prt.connection.UMHandler.handleUM(UMHandler.java:96)
         at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:186)
         at com.sapportals.portal.prt.dispatcher.Dispatcher$doService.run(Dispatcher.java:522)
         at java.security.AccessController.doPrivileged(Native Method)
         at com.sapportals.portal.prt.dispatcher.Dispatcher.service(Dispatcher.java:405)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet.service(InvokerServlet.java:156)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:295)
         at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:351)
         at com.sap.portal.navigation.Gateway.service(Gateway.java:68)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:390)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:264)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:347)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:325)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:887)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:241)
         at com.sap.engine.services.httpserver.server.Client.handle(Client.java:92)
         at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:148)
         at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
         at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
         at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
         at java.security.AccessController.doPrivileged(Native Method)
         at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:95)
         at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:159)
    Caused by: java.lang.ClassNotFoundException: com.customer.portal.login.IPRuleLoginModule
    Found in negative cache
    - Loader Info -
    ClassLoader name: [common:library:com.sap.security.api.sda;library:com.sap.security.core.sda;library:security.class;library:webservices_lib;service:adminadapter;service:basicadmin;service:com.sap.security.core.ume.service;service:configuration;service:connector;service:dbpool;service:deploy;service:jmx;service:jmx_notification;service:keystore;service:security;service:userstore]
    Parent loader name: [Frame ClassLoader]
    Loading model: {parent,local,references}
         at com.sap.engine.frame.core.load.ReferencedLoader.loadClass(ReferencedLoader.java:348)
         at com.sap.engine.services.security.Util.loadClass(Util.java:262)
         at com.sap.engine.services.security.Util.loadClassFromAdditionalLoaders(Util.java:204)
         at com.sap.engine.services.security.login.LoginContextFactory.init(LoginContextFactory.java:92)
         ... 45 more
    #1.5#001321B3B106005C0000000900002E380004039375E5A109#1129831779936#com.sap.engine.services.security#sap.com/irj#com.sap.engine.services.security#Guest#1####ae7c5500419411daa7fd001321b3b106#SAPEngine_Application_Thread[impl:3]_17##0#0#Error##Java###Cannot load login module class .#1#com.customer.portal.login.IPRuleLoginModule#

    Hi,
    The problem was solved by using the name customer.com~com.customer.portal.login.IPRuleLibrary for the library (so basically look at the name of your library folder under cluster\j2ee\serverx\bin\ext , not the name reported by visual admin).
    Also I was able to modify the properties of the login module at runtime, which made me very happy.
    Dagfinn

  • Custom JAAS Login Module 9.0.4 configuration problems

    Hello,
    We have created a custom JAAS Login Module on OC4J 9.0.4 and are having some sort of configuration problem
    We always get this error:
    Caused by: javax.security.auth.login.LoginException: Login Failure: all modules ignored
         at javax.security.auth.login.LoginContext.invoke(LoginContext.java:779)
         at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
         at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
         at java.security.AccessController.doPrivileged(Native Method)
         at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
         at javax.security.auth.login.LoginContext.login(LoginContext.java:535)
    The Login Module is configured for a specific deployed application in the global jazn-data.xml and is being run as I have attached a debugger to the app server.
    Our authentication process succeeds and we return a "true" from the login() method. No exceptions are thrown from our Login Module.
    Our ORACLE_HOME/j2ee/home/config/jazn-data.xml has this added:
    <application>
    <name>helloworld</name>
    <login-modules>
    <login-module>
    <class>com.test.JaasLoginModule</class>
    <control-flag>required</control-flag>
    <options>
    </options>
    </login-module>
    </login-modules>
    </application>
    The j2ee/home/application-deployments/helloworld/jazn-data.xml looks like this:
    <?xml version="1.0" encoding="UTF-8" standalone='yes'?>
    <!DOCTYPE jazn-data PUBLIC "JAZN-XML Data" "http://xmlns.oracle.com/ias/dtds/jazn-data.dtd">
    <jazn-data />
    and we added this into the j2ee/home/application-deployments/helloworld/orion-application.xml
    <jazn provider="XML" location="jazn-data.xml" >
    <property name="role.mapping.dynamic" value="true"/>
    <property name="custom.loginmodule.provider" value="true"/>
    <property name="jaas.username.simple" value="true" />
    </jazn>
    Are we missing anything? Our code runs, it seems like there is something lacking in the configuration on the OC4J side of things.
    Anyone know what we are missing?
    Thanks....

    Hi,
    if you are on 9.0.4 then <property name="custom.loginmodule.provider" value="true"/> shouldn't work because it's a parameter of 10.1.3.
    Frank

  • JAAS login module

    Hello all, I'm having a problem with authentication. I have a JAAS Login Module that authenticates users against a DB. After some work I could configure it and got it working. But even though my Login Module works fine, after validating a user I get the exception:
    Caused by: com.sap.engine.services.security.exceptions.BaseLoginException: User not authorized.
    at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:223)
    at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:324)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
    at com.lumina.security.jaasrbac.SecurityFacade.authenticate(SecurityFacade.java:119)
    ... 51 more
    Caused by: com.sap.engine.services.security.exceptions.BaseLoginException: User is locked.
    at com.sap.engine.services.security.server.jaas.CheckAction.checkUserLockStatus(CheckAction.java:181)
    at com.sap.engine.services.security.server.jaas.CheckAction.run(CheckAction.java:58)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sap.engine.services.security.server.jaas.LoginModuleHelperImpl.checkUserLockStatus(LoginModuleHelperImpl.java:116)
    at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:175)
    ... 63 more
    This happens after my login module is invoked and succeeds in authenticating a user.
    Is it really necessary to have a copy of the user data in the UME store?
    Thanks,
    Juan Manuel

    Hi Bhavik,
    You have to use the VisualAdministrator tool.
    These are the steps I did (or I think I did):
        1) I created a library with Developer Studio which contained the Login Module implementing class and its dependencies.
        2) Deployed it to the J2EE engine
        3) Using Visual Administrator, go to security provider (J2E/Server0/services)
        4) Click the UserManagement tab
        5) Click the Manage Security Stores button
        6) Click the Add Login Module button
        7) Click Ok in the first dialog that appears
        8) Fill in the required data in the Add Login Module dialog (className of the Login Module implementation, display name, description and options (if any, e.g. debug=true))
        9) Click Ok
        10) Click the Policy Configurations tab
        11) Click the Add button (bottom of the component's panel)
        12) Enter the name for the new policy configuration (I think it must be the same name you use in your application code when you refer to the login module) and click Ok
        13) Now the new configuration appears in the components list. Click on it
        14) Click the 'add new' button which is at the bottom of the Authentication tab (right panel)
        15) Select the login module you created in 8) and click Ok
        16) In the Authentication tab the login module you have created appears. There you can set the flag you desire for your login module (optional, required, requisite, sufficient)
        17) Click the Properties tab next to the Runtime tab
        18) Click on the property LoginModuleClassLoaders
        19) Modify this property value to: library:libraryName (where libraryName is the name you deployed your login module library classes under in step 2)
        20) Restart the J2EE engine
    Regards,
    Juan Manuel

  • Retrieving JDBC connection from datasource in JAAS login module

    Hi,
    I have a custom JAAS login module which calls a DAO for accessing user login details. The DAO looks up the datasource to retrieve connections from when the LoginModule is initialized. The datasource is simply defined through the admin interface. When a user tries to log in (through the web container) an exception is thrown as shown below:
    com.sun.enterprise.InvocationException
         at com.sun.enterprise.resource.PoolManagerImpl.getResource(PoolManagerImpl.java:134)
         at com.sun.enterprise.resource.JdbcDataSource.internalGetConnection(JdbcDataSource.java:241)
         at com.sun.enterprise.resource.JdbcDataSource.getConnection(JdbcDataSource.java:154)
         at com.dmdsecure.mobile.security.store.impl.JDBCUserStore.fetchUser(JDBCUserStore.java:330)
         at com.dmdsecure.mobile.security.impl.LocalUserManager.authenticate(LocalUserManager.java:70)
         at com.dmdsecure.mobile.security.adapter.sunone.DMDLoginModule.authenticate(DMDLoginModule.java:66)
         at com.dmdsecure.mobile.security.adapter.sunone.DMDLoginModule.authenticate(DMDLoginModule.java:38)
         at com.iplanet.ias.security.auth.login.PasswordLoginModule.login(PasswordLoginModule.java:163)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:324)
         at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
         at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
         at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
         at java.security.AccessController.doPrivileged(Native Method)
         at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
         at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
         at com.sun.enterprise.security.auth.LoginContextDriver.doPasswordLogin(LoginContextDriver.java:382)
         at com.sun.enterprise.security.auth.LoginContextDriver.login(LoginContextDriver.java:307)
         at com.sun.enterprise.security.auth.LoginContextDriver.login(LoginContextDriver.java:116)
         at com.sun.web.security.RealmAdapter.authenticate(RealmAdapter.java:201)
         at com.sun.web.security.RealmAdapter.authenticate(RealmAdapter.java:140)
         at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:263)
         at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:492)
         at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:496)
         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:203)
         at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:505)
         at com.iplanet.ias.web.connector.nsapi.NSAPIProcessor.process(NSAPIProcessor.java:157)
         at com.iplanet.ias.web.WebContainer.service(WebContainer.java:598)
    It seems the datasource is valid but trying to retrieve connections from it will fail.
    Anyone had any similar problems??

    Nope, sorry ... I am also having other troubles with JNDI lookups, this time from within the init method of a filter ... Seems there may still be some issues here for Sun to iron out ...
    -Johan

  • Weblogic 10 jaas and login.jsp and web.xml/weblogic.xml security constraints

    Hello,
    I struggled through and got the examples.security.jaas.SampleCallbackHandler.java and examples.common.utils.ExampleUtils.java/ExampleConstants.java into Eclipse where they compile. A bean I made can call SampleCallbackHandler like so:
    mybean.logmein(username,password,url). I can then do a mybean.getStatus() or even a mybean.returnCode(). It does seem to correctly identify that it is authenticating me (I see in stdout logs that it shows success or failures). The problem I have is I do not know how to apply this to WebLogic and web.xml/weblogic.xml so that if authentication works it redirects me to the page requiring the authentication. In web.xml I have the following set up:
    <security-role>
         <role-name>Admins</role-name>
    </security-role>
    <login-config>
         <auth-method>FORM</auth-method>
         <realm-name>default</realm-name>
         <form-login-config>
              <form-login-page>/login.jsp</form-login-page>
              <form-error-page>/badlogin.html</form-error-page>
         </form-login-config>
    </login-config>
    <security-constraint>
         <web-resource-collection>
              <web-resource-name>empower</web-resource-name>
              <description>These pages are only accessible by authorized users.</description>
              <url-pattern>/admin/*</url-pattern>
              <http-method>GET</http-method>
              <http-method>POST</http-method>
         </web-resource-collection>
    <auth-constraint>
    <description>These are the roles who have access</description>
    <role-name>Administrators</role-name>
    </auth-constraint>
         <user-data-constraint>
         <description>This is how the user data must be transmitted</description>
         <transport-guarantee>NONE</transport-guarantee>
         </user-data-constraint>
    </security-constraint>
    My weblogic.xml has:
    <?xml version="1.0" encoding="UTF-8"?>
    <wls:weblogic-web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:wls="http://www.bea.com/ns/weblogic/90" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd http://www.bea.com/ns/weblogic/90 http://www.bea.com/ns/weblogic/90/weblogic-web-app.xsd">
    <wls:security-role-assignment>
    <wls:role-name>Admins</wls:role-name>
    <wls:principal-name>Administrators</wls:principal-name>
    <wls:principal-name>dashap</wls:principal-name>
    </wls:security-role-assignment>
    </wls:weblogic-web-app>
    With this set up, if I try to go to a page in the /admin folder in my application, it correctly pops up the login page. The JAAS in the bean is doing a loginContext.login(), which I thought does authentication too, but it never goes back to the /admin page I was going to that needed the authentication. With JAAS, can I not use the web.xml FORM security option? Do I need to use j_security in the login.jsp's form's action= option and j_username and j_password for the input type names? How do I use the j_username/j_password things if I am using JAAS? I could just ignore using the web.xml security stuff and put something in the pages that need authentication, but it would be easier if I could use JAAS with the security features without doing all that. Note that my code above is using a realm called default just because that was what was in the example I got from the web. Does that need to be something else?

    Hi John,
    I would like magic of course. However, in this case I want something special: my authentication provider uses special means and contents of headers, cookies and service from external identity management systems to determine the user's identity.
    I do not want the application to present the login dialog! I want to derive the identity and the fact that the user is logged in from whatever the authentication provider returns in terms of Subject.
    Ideally, the flow is something like:
    - user accesses an unprotected resource - resource is shown, no interaction with authentication provider
    - user presses a link or button that takes him/her to a protected resource
    - the authentication provider is contacted to work with the identity asserter to establish the identity of the current user and create a subject object for this user
    - the application can access the subject and principals
    - ADF Security recognizes the identity and the roles (based on the principals) and coordinates access based on this.
    The authentication method is client certificate. Presumably this prompts WebLogic/OPS to use an identity asserter to work with custom headers and cookies ("... when you configure a web application to use CLIENT-CERT authentication. In this case, WebLogic can perform identity assertion based on values from request headers and cookies. If the header name or cookie name matches the active token type for the provider, the value is passed to the provider."). No login form should be presented to the user, as all information required to perform the authentication is already available.
    I am trying to understand what I must do to have the ADF application adopt the subject set by the authentication provider - if anything?!
    If you have more ideas to share - I would love to hear them.
    best regards,
    Lucas

  • JAAS: how to login / logout programmatically?

    Dear All,
    I am writing a web application.
    I have created a JSF login form for authentication. The application uses the JAAS mechanism for page protection.
    I want to use Oracle's prebuilt login module (class name is
    "oracle.security.jazn.login.module.LDAPLoginModule") to authenticate users against an LDAP server.
    To authenticate the user, my code in the backing bean for the login is:
    public String authenticate() throws LoginException {
        MyCallbackHandler callback = new MyCallbackHandler();
        callback.setName("name");
        callback.setPassword("password");
        // create a LoginContext for a specific login module configuration and callback handler
        LoginContext ctx = new LoginContext("name of configuration", callback);
        // login
        ctx.login();
        return null; // JSF navigation outcome, omitted in the post
    }
    callback handler code:
    public class MyCallbackHandler implements javax.security.auth.callback.CallbackHandler {
        private String name = "";
        private String password = "";
        public void setName(String name) {
            this.name = name;
        }
        public void setPassword(String password) {
            this.password = password;
        }
        // answer the NameCallback/PasswordCallback the login module asks for
        public void handle(Callback[] callbacks) {
            for (Callback c : callbacks) {
                if (c instanceof NameCallback) {
                    ((NameCallback) c).setName(name);
                } else if (c instanceof PasswordCallback) {
                    ((PasswordCallback) c).setPassword(password.toCharArray());
                }
            }
        }
    }
    The login method SEEMS to succeed as no exception is thrown,
    but HttpServletRequest.getUserPrincipal() returns null, and whenever I visit another
    protected page (after calling logincontext.login()) I am redirected to the login page ...
    Does anyone know what the problem is??
    thanks
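    The complete two-phase JAAS flow that this post and the OC4J thread above ("Login Failure: all modules ignored") both exercise, as an added example rather than code from any of the posts or from Oracle/SAP: a LoginModule with login/commit/abort/logout, a programmatic Configuration in place of a jaas.config file, and a fixed-credential CallbackHandler like the one in the post. The names DemoLoginModule, DemoConfiguration, FixedCallbackHandler and UserPrincipal, the entry names "demo" and "ignored", the "ignore" option and the in-memory user table are all assumptions made for the example.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

// Added example: the JAAS two-phase login (login/commit, abort on failure, logout) end to end.
public class JaasPhasesDemo {
    // Hypothetical Principal type; it reaches the Subject only in the commit phase.
    public static final class UserPrincipal implements Principal {
        private final String name;
        public UserPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    // Hypothetical LoginModule backed by a constructed in-memory user table.
    public static class DemoLoginModule implements LoginModule {
        private static final Map<String, char[]> USERS = Map.of("alice", "s3cret".toCharArray()); // constructed
        private Subject subject; private CallbackHandler handler; private Map<String, ?> options;
        private UserPrincipal pending;   // decided in login(), published in commit()

        @Override public void initialize(Subject subject, CallbackHandler handler, Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject; this.handler = handler; this.options = options;
        }

        // Phase 1: verify the credentials; the Subject must not be modified here.
        @Override public boolean login() throws LoginException {
            // ignore=true makes this module decline to take part (return false); when every module
            // does that, LoginContext itself throws "Login Failure: all modules ignored".
            if ("true".equals(options.get("ignore"))) return false;
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try { handler.handle(new Callback[] { nc, pc }); }
            catch (IOException | UnsupportedCallbackException e) { throw new LoginException("callback failed: " + e); }
            char[] given = pc.getPassword();
            pc.clearPassword();
            boolean ok = given != null && Arrays.equals(USERS.get(nc.getName()), given);
            if (given != null) Arrays.fill(given, '\0');
            // The caller gets a generic message; the specific reason belongs in the server log.
            if (!ok) throw new FailedLoginException("bad credentials");
            pending = new UserPrincipal(nc.getName());
            return true;
        }

        // Phase 2: runs only when the overall login succeeded; now publish the Principal.
        @Override public boolean commit() {
            if (pending == null) return false;
            subject.getPrincipals().add(pending); return true;
        }

        // The overall login failed (in this or another module): discard phase-1 state.
        @Override public boolean abort() { pending = null; return true; }

        @Override public boolean logout() {
            if (pending != null) subject.getPrincipals().remove(pending);
            pending = null; return true;
        }
    }

    // Programmatic stand-in for a jaas.config file; entry names "demo" and "ignored" are assumptions.
    static final class DemoConfiguration extends Configuration {
        @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            Map<String, String> opts = Map.of("ignore", "ignored".equals(name) ? "true" : "false");
            return new AppConfigurationEntry[] { new AppConfigurationEntry(DemoLoginModule.class.getName(),
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts) };
        }
    }

    // Non-interactive handler like the one in the post above, with the credentials passed in.
    static final class FixedCallbackHandler implements CallbackHandler {
        private final String user; private final char[] pass;
        FixedCallbackHandler(String user, char[] pass) { this.user = user; this.pass = pass; }
        @Override public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback c : callbacks) {
                if (c instanceof NameCallback) ((NameCallback) c).setName(user);
                else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword(pass);
                else throw new UnsupportedCallbackException(c);
            }
        }
    }

    // One attempt against a named entry; the Subject carries a Principal only after commit() ran.
    static String attempt(String entry, String user, String password) {
        try {
            LoginContext lc = new LoginContext(entry, null, new FixedCallbackHandler(user, password.toCharArray()), new DemoConfiguration());
            lc.login();
            String who = lc.getSubject().getPrincipals(UserPrincipal.class).iterator().next().getName();
            lc.logout();
            return "OK " + who;
        } catch (LoginException e) {
            return "FAILED: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        System.out.println(attempt("demo", "alice", "s3cret"));
        System.out.println(attempt("demo", "alice", "wrong"));
        System.out.println(attempt("ignored", "alice", "s3cret"));
    }
}
```

    The second call in main is the javadoc case discussed at the top of this page: login() throws, LoginContext invokes abort() on every configured module and then propagates the original exception, so the caller sees only the generic "bad credentials". The third call produces the OC4J thread's "Login Failure: all modules ignored" because the only module returned false from login(). In all three cases the Subject exists only inside the LoginContext object; nothing here tells a servlet container about it, which is why HttpServletRequest.getUserPrincipal() stays null after a purely programmatic login unless the container performed its own authentication. Arrays.equals is not constant-time; against a real store compare a salted hash with MessageDigest.isEqual instead.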

    Hi Frank,
    I am also facing the same problem getting the container to recognize the user using login/logout programmatically. I cannot use j_security_check as my authentication module requires three fields for authenticating the user and also I have a JSF login form.
    I have attempted to get the container to recognize the user by writing a filter to field all requests with url-pattern "/" to get the user information from the session (saved by the login action) and wrapped the request with an implementation of HttpServletRequestWrapper where I have overridden the methods getRemoteUser(), getUserPrincipal(), isUserInRole().
    It is the first mapping in the web.xml and I am unable to understand if the redirect is happening before/after it reaches my AuthenticationFilter, and my user is never recognized by the container since my method implementations are not called. The AuthenticationFilter is being called and I think it is something to do with the ordering of the filter-mapping. Any help would be appreciated.
    I have pasted my code below
    AuthenticationFilter
    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain fc) throws IOException, ServletException {
        if (request instanceof HttpServletRequest) {
            HttpServletRequest httpRequest = (HttpServletRequest) request;
            HttpSession session = httpRequest.getSession();
            if (session != null &&
                session.getAttribute(SESSION_ATTR_USER) != null &&
                session.getAttribute(SESSION_ATTR_ROLES) != null) {
                String username = (String) session.getAttribute(SESSION_ATTR_USER);
                Set roleSet = (Set) session.getAttribute(SESSION_ATTR_ROLES);
                // wrap the request so downstream code sees the user saved by the login action
                AuthRequestWrapper wrapper = new AuthRequestWrapper(httpRequest, username, roleSet);
                fc.doFilter(wrapper, response);
                return;
            }
        }
        fc.doFilter(request, response);
    }
    AuthRequestWrapper
    import java.security.Principal;
    import java.util.Set;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletRequestWrapper;

    public class AuthRequestWrapper extends HttpServletRequestWrapper {
        private String username;
        private Set roleSet;
        private Principal principal;

        public AuthRequestWrapper(HttpServletRequest request, String username, Set roleSet) {
            super(request);
            this.username = username;
            this.roleSet = roleSet;
            this.principal = new UserPrincipal(username); // UserPrincipal: the Principal class used here, not shown in the post
        }
        public String getRemoteUser() {
            return username;
        }
        public Principal getUserPrincipal() {
            return principal;
        }
        public boolean isUserInRole(String roleName) {
            return roleSet.contains(roleName);
        }
    }
    web.xml
    <filter-mapping>
    <filter-name>AuthFilter</filter-name>
    <url-pattern>/*</url-pattern>
    </filter-mapping>
    <filter-mapping>
    <filter-name>trinidad</filter-name>
    <servlet-name>Faces Servlet</servlet-name>
    <dispatcher>FORWARD</dispatcher>
    <dispatcher>REQUEST</dispatcher>
    </filter-mapping>

  • Configuring PAM login modules with weblogic 6.1

    I am trying to configure my own PAM login module to work on the same JVM as weblogic.
    I have my own security policy that does not rely on weblogic however when trying
    to login after creating a specific login context :
    LoginContext loginContext = new LoginContext("XXLogin",subject,
    callbackHandler);
    loginContext.login();
    The JVM tries to invoke weblogic's own internal server login module. It looks
    for the callback the login module uses and then fails.
    The same problem occurs at weblogic startup. Weblogic appears to override the -Djava.security.auth.login.config=jaas.config
    with their own login configuration file:WLHOME\lib\server.policy. Is this supposed
    to be a standard PAM login configuration file or weblogic's own interpretation
    of it ? (It is called a policy file which normally relates to grants and permissions
    in JAVA). Anyway we modified this file to include our own login module under a
    different AuthenticationConfigurationName. However weblogic attempted to use our
    login module as well as their own. According to the jaas api when creating a login
    context the application configuration name is specified however weblogic appears
    to be ignoring this !! Also we have found that a PAM configuration file that we
    had did not parse with weblogic, however it worked with the standard PAM configuration
    file parser. This implies that weblogic does not use the standard parser. Any
    help welcome !!

    Hi Parthasarathy,
    Thanks for the pointer. Your suggestion was the first step to getting our Security
    Model to be compatible with the WebLogic 6.1 model. As suggested I removed the
    default LoginModule (ServerLoginModule) from the Server.policy file and replaced
    it with our Login Module. Then we defined JVM properties for the weblogic.management.password
    property in the startweblogic command file to supply the authentication information
    required by WebLogic.
    The next problem that I encountered was that we use files in the jaas.jar for
    Authorisation; when I tried to access these files (e.g. javax.security.auth.Policy)
    I got a sealing violation as the JVM had previously loaded other class files in
    this package from the weblogic.jar (as weblogic uses these files for authorisation).
    It was possible to get around this problem by putting the jaas.jar ahead of the
    weblogic.jar in the classpath.
    After this I just needed to set up permissions in the weblogic.policy file for
    authorisation and we were there.
    Regards
    Paul
    Parthasarathy Seshadri <[email protected]> wrote:
    Please note from the documentation:
    http://e-docs.bea.com/wls/docs61//security/prog.html#1039659
    that WLS uses the default Login Module (weblogic.security.internal.ServerLoginModule)
    to gather authentication information
    during server initialization. To replace the default Login module, edit
    the Server.policy file and replace the name of the
    default Login module with the name of a custom Login module.
    Please inform whether the above information is useful. Thank you.
    --
    Developer Relations Engineer
    BEA Support

  • JAAS 1.0 sample error

    I was trying to run the JAAS 1.0 sample on win2000, jdk1.3. I have followed the steps with regard to the classpath and editing the policy files (with '/') etc. But when I run it I get this error:
    C:\jaas>java -classpath lib\jaas.jar;doc\samples\sample.jar;doc\samples\sampleaction.jar;doc\samples\samplemodule.jar -Djava.security.manager -Djava.security.policy=doc\samples\config\sample_java2.policy -Djava.security.auth.policy=doc\samples\config\sample_jaas.policy -Djava.security.auth.login.config=doc\samples\config\sample_jaas.config sample.Sample
    Exception in thread "main" java.lang.ExceptionInInitializerError: java.security.AccessControlException: access denied (java.util.PropertyPermission java.security.auth.debug read)
    at java.security.AccessControlContext.checkPermission(Unknown Source)
    at java.security.AccessController.checkPermission(Unknown Source)
    at java.lang.SecurityManager.checkPermission(Unknown Source)
    at java.lang.SecurityManager.checkPropertyAccess(Unknown Source)
    at java.lang.System.getProperty(Unknown Source)
    at javax.security.auth.login.Debug$1.run(Debug.java:27)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.Debug.<clinit>(Debug.java:24)
    at javax.security.auth.login.LoginContext.<clinit>(LoginContext.java:147)
    at sample.Sample.main(Sample.java:41)
    Thanks a lot,
    Sanjay

    Can you post your conf and policy files.
    Problems are often form there.
    Yann

  • JAAS between WLS (untrusted) domains - ServerIdentity failed validation

    I'm trying to create a proxy/delegate class that can be used by clients to
    transparently access a server.
    The class should be usable from clients within WLS containers and from
    regular java apps.
    Using JNDI authentication everything works fine.
    Using JAAS I'm having a problem when my client is an EJB app in an untrusted
    WLS domain. When the login is requested the following error is occurring:
    <ServerIdentity failed validation, downgrading to anonymous.>
    I want to be able to do a JAAS login to a non-trusted domain. I'm assuming
    that the server is trying to pass the subject who is logged into the current
    container, and my call to LoginContext.login()
    Any thoughts?
    //Example of code
    loginContext = new LoginContext("ServiceSecurity",
        new FW_SimpleCallbackHandler(pUser, pPassword, pUrl));
    loginContext.login();
    final Subject subject = loginContext.getSubject();
    serviceHome = (ServiceHome) weblogic.security.Security.runAs(subject,
        new PrivilegedExceptionAction() {
            public Object run() throws Exception {
                //JNDI lookup
                //Create session bean instance
                return null; // the looked-up home goes here (elided in the post)
            }
        });
    weblogic.security.Security.runAs(subject,
        new PrivilegedExceptionAction() {
            public Object run() throws Exception {
                //do operation on instance
                return null;
            }
        });

    Then I'd start talking to BEA support to see if they even know how to do
    this.
    Without the trust relationship I'm not sure if you can achieve what you
    want.
    Dejan
    Mark Fine wrote:
    This is exactly what I am doing.
    Implicitly there is a security context within the session bean (the user
    logs in via the web app and context is propagated). I obtain a LoginContext
    to the other server and call the method within that context.
    It doesn't work because it is implicitly passing the security context of the
    session bean and failing due to lack of trust.
    //Example of code
    loginContext = new LoginContext("ServiceSecurity",
        new FW_SimpleCallbackHandler(pUser, pPassword, pUrl));
    loginContext.login();
    final Subject subject = loginContext.getSubject();
    serviceHome = (ServiceHome) weblogic.security.Security.runAs(subject,
        new PrivilegedExceptionAction() {
            public Object run() throws Exception {
                //JNDI lookup
                //Create session bean instance
                return null; // the looked-up home goes here (elided in the post)
            }
        });
    weblogic.security.Security.runAs(subject,
        new PrivilegedExceptionAction() {
            public Object run() throws Exception {
                //do operation on instance
                return null;
            }
        });
    "Deyan D. Bektchiev" <[email protected]> wrote in message
    news:[email protected]...
    In that case you should be able to get the two different Subjects from
    the two different domains (return a different url from the URLCallback
    when you login with JAAS), and afterwards use
    weblogic.security.Security.doAs(...);
    with the correct Subject for the appropriate server when you access the
    servers.
    HTH,
    --dejan
    Mark Fine wrote:
    Thanks, but I think the content was miscommunicated. Everything works fine
    when the domains are "trusted". I want to know how to have "untrusted"
    domains talk to each other through explicit logins.
    i.e. imagine an application on a domain in a finance department. What if
    they are trusted against other domains and can't / don't want to establish
    trust with your domain. They just need access to one particular service you
    expose.
    Thanks,
    m
    "Deyan D. Bektchiev" <[email protected]> wrote in message
    news:[email protected]...
    Hi Mark,
    You should first establish a trust relationship between your Weblogic
    servers:
    http://e-docs.bea.com/wls/docs70/secmanage/domain.html#1171534
    Then you can use JAAS to authenticate and get valid Subjects for the two
    users.
    --dejan
    Mark Fine wrote:
    I'm trying to create a proxy/delegate class that can be used by clients to transparently access a server.
    The class should be usable from clients within WLS containers and from regular java apps.
    Using JNDI authentication everything works fine.
    Using JAAS I'm having a problem when my client is an EJB app in an untrusted WLS domain. When the login is requested the following error is occurring:
    <ServerIdentity failed validation, downgrading to anonymous.>
    I want to be able to do a JAAS login to a non-trusted domain. I'm assuming that the server is trying to pass the subject who is logged into the current container, and my call to LoginContext.login()
    Any thoughts?
    ```java
    // Example of code (as posted, with the anonymous classes closed and the
    // Subject made final so it can be referenced from inside them)
    import java.security.PrivilegedExceptionAction;
    import javax.security.auth.Subject;
    import javax.security.auth.login.LoginContext;

    loginContext = new LoginContext("ServiceSecurity",
            new FW_SimpleCallbackHandler(pUser, pPassword, pUrl));
    loginContext.login();
    final Subject subject = loginContext.getSubject();
    serviceHome = (ServiceHome) weblogic.security.Security.runAs(subject,
            new PrivilegedExceptionAction() {
                public Object run() throws Exception {
                    // JNDI lookup
                    // Create session bean instance
                    return null; // placeholder: return the looked-up ServiceHome
                }
            });
    weblogic.security.Security.runAs(subject,
            new PrivilegedExceptionAction() {
                public Object run() throws Exception {
                    // do operation on instance
                    return null;
                }
            });
    ```
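Deyan's suggestion in the thread above (one explicit JAAS login per target domain, then running each call as the Subject obtained from that domain), written out as an added example; this is not code from the thread or from BEA. It assumes the JAAS configuration entry "ServiceSecurity" named in Mark's post is backed by WebLogic's client login module (weblogic.security.auth.login.UsernamePasswordLoginModule), uses WebLogic's weblogic.security.auth.callback.URLCallbackHandler to supply user, password and server URL, and calls weblogic.security.Security.runAs, the method Mark's code uses (Deyan's reply writes doAs). The domain URLs, user names, passwords and JNDI name are constructed for the example.

```java
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.Map;

import javax.naming.Context;
import javax.naming.InitialContext;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

import weblogic.security.Security;
import weblogic.security.auth.callback.URLCallbackHandler;

/**
 * Illustrative client: one JAAS login per domain, keyed by that domain's
 * provider URL, and every call into a domain run as that domain's Subject.
 * Assumes the JAAS entry "ServiceSecurity" is configured with WebLogic's
 * client UsernamePasswordLoginModule; all URLs and credentials below are
 * made-up values for the example.
 */
public class MultiDomainClient {

    private final Map subjectsByUrl = new HashMap(); // provider URL -> Subject

    /** Authenticate to one domain explicitly and keep the resulting Subject. */
    public void login(String url, String user, String password) throws LoginException {
        LoginContext lc = new LoginContext("ServiceSecurity",
                new URLCallbackHandler(user, password, url));
        lc.login();                      // authenticates against the server at url;
        Subject subject = lc.getSubject(); // any failure surfaces as a LoginException
        subjectsByUrl.put(url, subject);
    }

    /** Run action as the Subject that was authenticated against url, never as the caller. */
    public Object callDomain(String url, PrivilegedExceptionAction action)
            throws PrivilegedActionException {
        Subject subject = (Subject) subjectsByUrl.get(url);
        if (subject == null) {
            throw new IllegalStateException("not logged in to " + url);
        }
        return Security.runAs(subject, action);
    }

    /** Look up a JNDI name in the given domain as that domain's own user. */
    public Object lookup(final String url, final String jndiName)
            throws PrivilegedActionException {
        return callDomain(url, new PrivilegedExceptionAction() {
            public Object run() throws Exception {
                Hashtable env = new Hashtable();
                env.put(Context.INITIAL_CONTEXT_FACTORY,
                        "weblogic.jndi.WLInitialContextFactory");
                env.put(Context.PROVIDER_URL, url);
                // No SECURITY_PRINCIPAL / SECURITY_CREDENTIALS here: the identity
                // for this call is the Subject that runAs established above.
                Context ctx = new InitialContext(env);
                try {
                    return ctx.lookup(jndiName);
                } finally {
                    ctx.close();
                }
            }
        });
    }

    public static void main(String[] args) throws Exception {
        MultiDomainClient client = new MultiDomainClient();
        // Constructed values: two domains, two separate logins, two Subjects.
        String finance = "t3://finance.example.com:7001";
        String hr = "t3://hr.example.com:7001";
        client.login(finance, "finuser", "finpass");
        client.login(hr, "hruser", "hrpass");
        Object financeHome = client.lookup(finance, "ejb/ServiceHome");
        Object hrHome = client.lookup(hr, "ejb/ServiceHome");
        System.out.println((financeHome != null) + " " + (hrHome != null));
    }
}
```

The point of keying Subjects by URL is that a Subject authenticated against the finance domain is only ever used for calls to the finance domain; reusing one Subject across domains is exactly the implicit identity propagation the thread is trying to avoid. The thread does not record whether this explicit-login pattern avoids the "ServerIdentity failed validation, downgrading to anonymous" message when the caller is itself an EJB inside an untrusted WLS domain, so treat that as unresolved on this page rather than as something the example settles.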