Jazn LDAP help
Hi, I'm new to this JAZN LDAP. I'm trying to set up JAZN using LDAP on 2 different Oracle10gAS. Is it possible for 1 configuration file to be in 1 server pointing to the OID in another server?
Hi,
I am not sure what exactly you are referring to, as you haven't mentioned the Application Servers that you are using, OS, etc. Here is the general information.
A part of the configuration process for JAZN LDAP is to include the details of the OID in the orion-application.xml configuration file. You can specify the access details for the OID like this:
<!-- use JAZN-LDAP provider type; the location is the LDAP URL of the OID host -->
<jazn provider="LDAP" location="ldap://incq160.idc.oracle.com:3060" />
So, in effect, you may deploy your application in an Application Server and access different OIDs, based on the connection information.
You can get more information at this link :
http://www.oracle.com/technology/sample_code/tech/java/codesnippet/security/jaznldap/index.html
Regards,
Sandeep
Similar Messages
-
Finally, a way to RMI connect to a JAZN-LDAP protected EJB
Finally months after AS9i's initial release and numerous TARs (including one of my own) a HowTo (released on 15th March) shows how you can call a JAZN-LDAP protected EJB.
Title: "An end-to-end example of OC4J security for EJB and WEB modules through JAAS"
Note Id: 253862.1
I have been desperately looking for a document that shows how to call a JAZN-LDAP protected EJB (especially assigning "RMIPermission" to a LDAP role) and was surprised to see your posting.
I tried finding the document you had mentioned ("An end-to-end example of OC4J security for EJB and WEB modules through JAAS") but in vain. I would highly appreciate if you could help me in finding this document.
The how-to I looked at: http://www.oracle.com/technology/tech/java/oc4j/904/index.html
http://www.oracle.com/technology/sample_code/tech/java/codesnippet/security/index.html
http://www.oracle.com/technology/sample_code/tech/java/codesnippet/ejb/index.html
Thanks -
JAZN-LDAP: Make use of different LDAP Server
Hi,
I am trying to make use of a different LDAP Server (other than OID). With OID I am able to authenticate users.
Now I need to make use of a different LDAP Server (for example, Sun ONE Directory Server). I have tried specifying the LDAP URL location of the new LDAP Server in the Orion-Application.xml as below:
<jazn provider="LDAP" location="ldap://ldaphost:ldapport" />
But I see that the application is still defaulting to the OID and not making use of the LDAP server specified above.
Also, I see that I am unable to modify the LDAP URL Location.
In Step 2 of Deploying an Application:
Deploy Application: User Manager: I have selected the option "Use JAZN LDAP User Manager".
But the LDAP Location is non-editable and defaults to the OID location, as below:
LDAP Location ldap://OIDLDAPURL:PORT
Could anyone throw some light on the issue I am facing?
Thanks
John
See Configuring External LDAP Providers @:
http://matrix.csustan.edu/docs/oracle/oas/web.1012/b14013/ldap3rdparty.htm
Here are a few gotchas for active directory:
- if you plan to use the membership of the AD user to AD roles, set in orion-application:
<jazn provider="XML">
<property name="custom.ldap.provider" value="true"/>
<property name="role.mapping.dynamic" value="true"/>
</jazn>
in web.xml you should also define
<security-role>
<role-name>ldap-role-to-which-ldap-user-belongs-that-is-entitled-to-access-the-resource</role-name>
</security-role>
If you run the application in the embedded OC4J, it seems it takes this hint from another file, which you can determine by looking at the trace you can make appear with the option:
-Djazn.debug.log.enable=true (in jvm start command)
When running in embedded OC4J the application is called: current-workspace-app
Good Luck -
JAZN-LDAP : retrieve inetOrgPerson attributes from principal object
Hello.
I've extended the callerInfo demo (in the OC4J distribution: j2ee/home/jazn/demo):
1. use of JAZN-LDAP
2. now the servlet prints the "HttpServletRequest.getUserPrincipal()" object attributes (class implementation: oracle.security.jazn.oc4j.JAZNUserAdaptor): the servlet prints LDAP attributes like user DN, subscriber name, group membership, ...
Is it possible to retrieve other attributes of the LDAP user object (like description, businessCategory) through the java.security.Principal interface?
Thanks.
Try this
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

public String getCompanyByUserDN(String userDN) throws Exception {
    String result = null;
    Hashtable env = new Hashtable();
    env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    env.put(Context.PROVIDER_URL, "ldap://<<LDAP HOST>>:<<LDAP PORT>>");
    env.put(Context.SECURITY_AUTHENTICATION, "simple");
    env.put(Context.SECURITY_PRINCIPAL, "<<User DN>>");         // DN of the account used to bind (placeholder)
    env.put(Context.SECURITY_CREDENTIALS, "<<User Password>>"); // its password (placeholder)
    DirContext dirCtx = new InitialDirContext(env);
    try {
        // Look up the user's own entry and read only the "o" attribute
        DirContext userCtx = (DirContext) dirCtx.lookup(userDN);
        Attributes attrs = userCtx.getAttributes("", new String[] {"o"});
        Attribute o = attrs.get("o");
        if (o != null) {            // entry may not carry the attribute at all
            result = (String) o.get();
        }
    } finally {
        dirCtx.close();
    }
    return result;
} -
ADF security : JAZN-LDAP
Hi,
We are working on the development of an application with Oracle ADF (JDev 10.1.3).
We implemented security with lightweight XML provider and it's working perfectly.
Next month we will deploy our application and so we will use a LDAP server.
Is it easy to jump from XML to LDAP?
Do we just have to select the LDAP provider in the security wizard and then map application groups to LDAP groups in the orion-application.xml file?
With this solution, is it still possible to edit authorizations at design time for pages, iterators, etc ?
Thanks in advance for your help!
Hi,
you didn't read the documentation, did you? Anyway, the LDAP upload is a bit different from how you imagine it
- ADF Security permissions are written to the workspaces' \.adf\META-INF\app-jazn-data.xml file. So in fact you don't change the security settings for your project in JDeveloper. This means it remains for future addition
- You use a migration utility provided by OC4J Security to create an XLIFF file out of \.adf\META-INF\app-jazn-data.xml
http://download.oracle.com/docs/cd/B32110_01/web.1013/b28957/configxml.htm#CIHIFGBJ
- Then you upload this to OID
Frank -
How can we check authentication using LDAP server and JSP
Hi pytir,
Two body tags check authentication against the given LDAP server. Tag isAuthenticated executes its own body if the user is authenticated, and tag isNotAuthenticated executes its own body if the user is not authenticated.
For example:
<%@ taglib uri="taglib.tld" prefix="if" %>
<if:isAuthenticated user="uid=guest" password="12345"
url="ldap://localhost:389" factory="com.sun.jndi.ldap.LdapCtxFactory">
I am a guest
</if:isAuthenticated>
For more info look at this url:
http://coldjava.hypermart.net/servlets/ldaptag.htm
I hope this will help you out.
Regards,
Tirumalarao
Developer Technical Support,
Sun Microsystems. -
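The isAuthenticated tag above performs a simple LDAP bind with the DN and password it is given. As an added example, not code from the thread or from the coldjava tag library, here is the same check in plain JNDI with two caveats the tag attributes do not show: a blank password is refused before any bind is attempted (RFC 4513 treats a bind with a DN and an empty password as an unauthenticated bind, which many servers accept), and a uid taken from a login form is escaped before it is spliced into the DN. The host, base DN, class name and sample uid are assumptions.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/**
 * Added example (not from the original thread): authenticates a user by a
 * simple LDAP bind, the same mechanism the isAuthenticated tag relies on.
 * Host, base DN and user names are hypothetical.
 */
public class LdapBindAuthenticator {

    private final String url;      // assumed, e.g. "ldap://localhost:389"
    private final String userBase; // assumed, e.g. "ou=People,o=example.com"

    public LdapBindAuthenticator(String url, String userBase) {
        this.url = url;
        this.userBase = userBase;
    }

    /**
     * Escapes one RDN attribute value as RFC 4514 requires, so a uid such as
     * "guest,cn=admins" cannot add RDNs to the DN that is bound.
     */
    static String escapeRdnValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case ',': case '+': case '"': case '\\':
                case '<': case '>': case ';': case '=':
                    sb.append('\\').append(c);
                    break;
                case '\0':
                    sb.append("\\00");
                    break;
                default:
                    sb.append(c);
            }
        }
        // A leading '#' or space, and a trailing space, must be escaped too.
        if (sb.length() > 0 && (sb.charAt(0) == '#' || sb.charAt(0) == ' ')) {
            sb.insert(0, '\\');
        }
        if (sb.length() > 0 && sb.charAt(sb.length() - 1) == ' ') {
            sb.insert(sb.length() - 1, '\\');
        }
        return sb.toString();
    }

    /** Returns true only when the directory accepts the DN/password pair. */
    public boolean authenticate(String uid, String password) throws NamingException {
        // RFC 4513 5.1.2: a DN with an empty password is an "unauthenticated"
        // bind. Servers that allow it return success, so counting that as a
        // login would admit anyone who knows a valid uid. Refuse it here.
        if (uid == null || uid.trim().isEmpty() || password == null || password.isEmpty()) {
            return false;
        }
        String dn = "uid=" + escapeRdnValue(uid) + "," + userBase;
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env); // the bind happens here
            return true;
        } catch (AuthenticationException e) {
            return false; // unknown DN or wrong password; other errors propagate
        } finally {
            if (ctx != null) {
                ctx.close();
            }
        }
    }

    public static void main(String[] args) throws NamingException {
        LdapBindAuthenticator auth =
                new LdapBindAuthenticator("ldap://localhost:389", "ou=People,o=example.com");
        // Escaping is checked offline; the bind itself needs a reachable directory.
        System.out.println("escaped: " + escapeRdnValue("guest,cn=admins"));
        System.out.println("blank password accepted: " + auth.authenticate("guest", ""));
    }
}
```

Simple binds send the password in clear text, so the URL should be ldaps:// or the connection upgraded with StartTLS outside a test setup.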
It says in the documentation (Fusion developer guide) that any LDAPv3 will do the job...
Well, I have a problem (that seems to be a little Oracle specific). After configuring OpenLDAP (added some users and groups), I added it as a provider for WLS (and it works, meaning that the users and groups are retrieved). Then I started the ADF Security wizard and chose LDAP, entered all the necessary info and finished. Now I have some problems:
1) Using the BC Browser triggers the authentication, but the process fails with
javax.naming.NameNoFoundException: [LDAP: error code 32 - No Such Object]; remaining name 'cn=common, cn=products, cn=oraclecontext'
I must say I do not have such an entry 'cn=common, cn=products, cn=oraclecontext'. I would like to replicate that (I bet in OID it exists) but I don't know where it sits or what it contains (attributes, sub-entries).
Has anyone managed some other LDAP server beside OID? How did you do it?
2) Testing in the browser (with internal WLS) I authenticate (on a page I display my status):
username florinp
principal florinp
subject florinp; developers; authenticated-role; anonymous-role;
roles developers; authenticated-role; anonymous-role;
authenticated true
The code behind is
import java.security.Principal;
import oracle.adf.share.ADFContext;

public boolean isAuthenticated() {
    return ADFContext.getCurrent().getSecurityContext().isAuthenticated();
}

public String getPrincipal() {
    return ADFContext.getCurrent().getSecurityContext().getUserPrincipal().getName();
}

public String getRoles() {
    StringBuffer sb = new StringBuffer();
    String[] rol = ADFContext.getCurrent().getSecurityContext().getUserRoles();
    for (int i = 0; i < rol.length; i++) {
        sb.append(rol[i] + "; ");
    }
    return sb.toString();
}

public String getSubject() {
    StringBuffer sb = new StringBuffer();
    for (Principal p : ADFContext.getCurrent().getSecurityContext().getSubject().getPrincipals()) {
        sb.append(p.getName() + "; ");
    }
    return sb.toString();
}

public String getUser() {
    return ADFContext.getCurrent().getSecurityContext().getUserName();
}
but trying to access a taskflow (it contains deps.jspx with no grants) granted to authenticated-role gives me
oracle.adf.controller.security.AuthorizationException: ADFC-0619: Authorization check failed: '/WEB-INF/task-flow-definition.xml#task-flow-definition' 'VIEW'.
although it is granted to any user
<grant>
<grantee>
<principals>
<principal>
<class>oracle.security.jps.internal.core.principals.JpsAuthenticatedRoleImpl</class>
<name>authenticated-role</name>
</principal>
</principals>
</grantee>
<permissions>
<permission>
<class>oracle.adf.share.security.authorization.RegionPermission</class>
<name>hxbs.view.pageDefs.statusPageDef</name>
<actions>view</actions>
</permission>
<permission>
<class>oracle.adf.controller.security.TaskFlowPermission</class>
<name>/WEB-INF/task-flow-definition.xml#task-flow-definition</name>
<actions>view</actions>
</permission>
</permissions>
</grant>
and 'authenticated=true'
On standalone WLS I can't even access the status page (granted to anonymous-role and authenticated-role)... perhaps I have to migrate my policies... but why isn't it working on the internal WLS?
thanks
Florin POP
Hi,
1) Setting LDAP as a security provider at design time is not supported and will be removed in a future release. So the solution is: don't configure LDAP.
2) for authorization,
<grantee>
<principals>
<principal>
<class>oracle.security.jps.internal.core.principals.JpsAuthenticatedRoleImpl</class>
<name>authenticated-role</name>
</principal>
</principals>
</grantee>
needs to be mapped to
Role (Group)
from oracle.security.jps.internal.core.principals.JpsAuthenticatedRoleImpl
to weblogic.security.principal.WLSGroupImpl
User --> weblogic.security.principal.WLSUserImpl
Frank -
Using a Filter on OC4J with JAZN security enabled using LDAP
I have LDAP security in place on OC4J. I have to create a filter which uses the HttpRequestWrapper to do some preprocessing with the request parameters. I have all the code in place along with the Filter which uses HttpRequestWrapper. Now the problem is that OC4J gives an error:
Servlet error
javax.servlet.ServletException: JAAS-OC4J: JAZNFilter.doFilter - unable to find the current servlet
at oracle.security.jazn.oc4j.JAZNFilter.doFilter(Unknown Source)
at com.evermind[Oracle Application Server Containers for J2EE 10g (9.0.4.2.0)].server.http.EvermindFilterChain.doFilter(EvermindFilterChain.java:16)
at com.myapp.filter.RequestFilter.doFilter(RequestFilter.java:429)
at com.evermind[Oracle Application Server Containers for J2EE 10g (9.0.4.2.0)].server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java:617)
at com.evermind[Oracle Application Server Containers for J2EE 10g (9.0.4.2.0)].server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java:330)
at com.evermind[Oracle Application Server Containers for J2EE 10g (9.0.4.2.0)].server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:794)
at com.evermind[Oracle Application Server Containers for J2EE 10g (9.0.4.2.0)].server.http.AJPRequestHandler.run(AJPRequestHandler.java:208)
at com.evermind[Oracle Application Server Containers for J2EE 10g (9.0.4.2.0)].server.http.AJPRequestHandler.run(AJPRequestHandler.java:125)
at com.evermind[Oracle Application Server Containers for J2EE 10g (9.0.4.2.0)].util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java:192)
at java.lang.Thread.run(Thread.java:534)
The error happens while executing the following line:
chain.doFilter(new MyHttpServletRequestWrapper((HttpServletRequest) request ), response);
The constructor call MyHttpServletRequestWrapper is successful. Something seems to be wrong as it appears the server is not able to locate the path where to forward to from within the Filter.
If I execute the same code without the JAZN LDAP security everything works fine.
Can anybody please provide some help to resolve this issue?
Yeah, it's a known problem - it caught me out as well.
The xml parser installed with OJSP is more strict than the one
with Orion. The order of the parameters becomes important. The
general solution is to check the dtd listed at the top of the
xml file for the parameter order and make sure any you specify
in the xml file are in this order.
Your specific case: the order of session-config and
welcome-file-list should be reversed, i.e. session-config should
come first in the web.xml file.
Jonny -
Can JAZN-LDAP deal with user entries in LDAP that are not all under a single context? For example, suppose I have LDAP entries like
cn=foo,cn=Users,o=abc.com
cn=bar,cn=Users,o=abc.com
cn=baz,ou=unit,cn=Users,o=abc.com
and, for dn: cn=myrealm, cn=Realms, cn=JAZNContext, cn=Products, cn=OracleContext, the attribute
orcljaznsubscriberdn: cn=Users,o=abc.com
Will JAZN-LDAP be able to find the user "baz" as easily as it can find "foo" and "bar"?
According to Oracle's documentation we can have only one realm specified for an application; surprisingly, the JAZN manager will only look for the DNs of "Users" and "Roles" to formulate a Realm. The out-of-the-box JAZN doesn't have the capability to search for Users in more than one subtree. Any suggestions from Oracle on improving JAZN to make it look for all the user objects starting from a top-level tree? I just have one more question: can we specify roles for all users in one DN?
Thank you
H.M.Mallik
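The question above (users spread over sub-OUs beneath the subscriber DN) and the earlier callerInfo question (reading description and businessCategory from the user entry) both come down to one JNDI search that JAZN-LDAP as described here does not do for you. As an added example, not code from the thread or from Oracle, this locates cn=baz under ou=unit with a SUBTREE_SCOPE search, escapes the cn before it enters the filter, and reads the extra inetOrgPerson attributes without assuming they are present. The host, the service account and its password variable are assumptions; the entry names are the ones from the question.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/**
 * Added example, not code from the thread or from Oracle: finds a user
 * anywhere beneath the subscriber DN and reads extra inetOrgPerson
 * attributes. Host and bind account are hypothetical.
 */
public class SubtreeUserLookup {

    /**
     * Escapes a value placed inside a search filter (RFC 4515), so a cn taken
     * from user input cannot widen the filter with '*' or close it with ')'.
     */
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Filter matching one person entry by cn. */
    static String userFilter(String cn) {
        return "(&(objectClass=inetOrgPerson)(cn=" + escapeFilterValue(cn) + "))";
    }

    /**
     * Searches the whole subtree under subscriberDn, so cn=baz,ou=unit,cn=Users,o=abc.com
     * is found as well as cn=foo,cn=Users,o=abc.com. Returns the requested
     * attributes of the single match, null when there is none, and fails when
     * the cn is ambiguous instead of silently taking the first hit.
     */
    public static Attributes findUser(DirContext ctx, String subscriberDn, String cn,
                                      String[] wantedAttributes) throws NamingException {
        SearchControls controls = new SearchControls();
        controls.setSearchScope(SearchControls.SUBTREE_SCOPE); // ONELEVEL_SCOPE would miss ou=unit
        controls.setReturningAttributes(wantedAttributes);
        NamingEnumeration<SearchResult> results = ctx.search(subscriberDn, userFilter(cn), controls);
        try {
            if (!results.hasMore()) {
                return null;
            }
            SearchResult match = results.next();
            if (results.hasMore()) {
                throw new NamingException("more than one entry with cn=" + cn + " under " + subscriberDn);
            }
            return match.getAttributes();
        } finally {
            results.close();
        }
    }

    /** First value of an attribute, or null when the entry does not carry it. */
    static String firstValue(Attributes attrs, String name) throws NamingException {
        Attribute attr = attrs.get(name);
        return attr == null ? null : (String) attr.get();
    }

    public static void main(String[] args) throws NamingException {
        // Assumed connection details. A read-only service account, not the end
        // user's own credentials, is the identity this lookup should run as.
        String servicePassword = System.getenv("LDAP_SVC_PASSWORD");
        if (servicePassword == null) {
            throw new IllegalStateException("LDAP_SVC_PASSWORD is not set");
        }
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://ldaphost:389");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, "cn=svc-lookup,cn=Users,o=abc.com");
        env.put(Context.SECURITY_CREDENTIALS, servicePassword);
        DirContext ctx = new InitialDirContext(env);
        try {
            String[] wanted = {"description", "businessCategory"};
            Attributes baz = findUser(ctx, "cn=Users,o=abc.com", "baz", wanted);
            if (baz == null) {
                System.out.println("no inetOrgPerson entry with cn=baz under the subscriber DN");
            } else {
                System.out.println("description=" + firstValue(baz, "description")
                        + " businessCategory=" + firstValue(baz, "businessCategory"));
            }
        } finally {
            ctx.close();
        }
    }
}
```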
How do I use Generic LDAP Authentication in JDeveloper?
I have an existing JSP/Java Servlet application that uses a generic LDAP server for user authentication. Each JSP page checks the user name against a database entry for authorization to that page (it's a legacy app).
The following web.xml fragment describes the
security/login configuration:
<security-constraint>
<display-name>I Security Constraint</display-name>
<web-resource-collection>
<web-resource-name>ALL</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<description>I</description>
<role-name>*</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>I Enterprise Server</realm-name>
</login-config>
I want to use JDeveloper and the built-in OC4J environment for development/debugging. I have tried configuring jazn.xml to use a LDAP provider (both in **\j2ee\home\config\ and **\jdev\system9.0.3.1035\oc4j-config\)
1) How do I configure the internal OC4J environment to use the generic LDAP service?
2) Does the JAZN LDAP only work with Oracle OID?
3) Is there a document or list-of-documents that consolidates the JDeveloper OC4J server administration functions? The existing OC4J administrative documentation is splattered about various web documents.
Thanks
Jake
Todd,
This how-to may help answer some of your questions
http://otn.oracle.com/tech/java/oc4j/htdocs/how-to-jazn.html
If you have additional questions on configuring jazn.xml for LDAP and OiD, I think your best bet is to post to the 9iAS J2EE forum.
Thanks,
Yvonne -
9.0.2 JAZN SSO doasprivileged-mode=true does not work
I've been trying to deploy an application to my "fresh" 9iR2 App Server that has been installed on Solaris 8 with all the patches 9.0.2. (I also have a second Solaris 8 machine with the 9iR2 Infrastructure installed, also patched up to the latest rev of 9.0.2). I'm deploying my EAR file with the Enterprise Manager deployment tool, and it works great (except for the following problem). I want to make my servlets run in "doasprivileged-mode" as described in
http://otn.oracle.com/tech/java/oc4j/doc_library/902/servicesjun02/jaas_j2a.htm
I believe I have everything setup correctly, but when I try (in my servlet) to try to access JAAS like this:
AccessControlContext acc = AccessController.getContext()
OR, do this:
AccessController.checkPermission(new FilePermission("/tmp/test.txt", "read"));
I get the following exception in my browser and then another exception in the opmn log. I believe the root cause is this: "The system is unable to retreive the specified role(s)." But I have no idea what role it's talking about... When I run the JAZN shell commands and look around in the "llnl" realm, I see the AUTHENTICATED_USERS group and the user I'm logging into SSO as, is a member of this group.
Thanks for any info/help on this matter. Also, if someone has a working example that shows the use of doasprivileged-mode="true", that would really help. The callerInfo and ssoInfo examples don't seem to address this additional use of the JAAS environment (past asking the HttpServletRequest for the Principal object).
--Leif
java.security.PrivilegedActionException: javax.servlet.ServletException: A JAZN internal error has occurred.
at oracle.security.jazn.oc4j.JAZNFilter$1.run(JAZNFilter.java:256)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:558)
at oracle.security.jazn.oc4j.JAZNFilter.doFilter(JAZNFilter.java:269)
at com.evermind[Oracle9iAS (9.0.2.0.0) Containers for J2EE].server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java:523)
at com.evermind[Oracle9iAS (9.0.2.0.0) Containers for J2EE].server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java:269)
at com.evermind[Oracle9iAS (9.0.2.0.0) Containers for J2EE].server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:735)
at com.evermind[Oracle9iAS (9.0.2.0.0) Containers for J2EE].server.http.AJPRequestHandler.run(AJPRequestHandler.java:151)
at com.evermind[Oracle9iAS (9.0.2.0.0) Containers for J2EE].util.ThreadPoolThread.run(ThreadPoolThread.java:64)
Root cause is; java.lang.IllegalStateException: A JAZN internal error has occurred.
at oracle.security.jazn.spi.ldap.LDAPGranteeEntry.checkValidity(LDAPGranteeEntry.java:286)
at oracle.security.jazn.spi.ldap.LDAPGranteeEntry.getGranteeEntry(LDAPGranteeEntry.java:297)
at oracle.security.jazn.spi.ldap.LDAPLocalPolicy.getGrantees(LDAPLocalPolicy.java:316)
at oracle.security.jazn.spi.ldap.LDAPLocalPolicy.getGranteeEntries(LDAPLocalPolicy.java:264)
at oracle.security.jazn.spi.ldap.LDAPLocalPolicy.getPermissions(LDAPLocalPolicy.java:1029)
at oracle.security.jazn.spi.ldap.LDAPJAZNPolicy.getPermissions(LDAPJAZNPolicy.java:649)
at oracle.security.jazn.spi.ldap.LDAPJAZNPolicy.getPermissions(LDAPJAZNPolicy.java:680)
at oracle.security.jazn.spi.PolicyProvider.getPermissions(PolicyProvider.java:218)
at javax.security.auth.SubjectDomainCombiner$3.run(SubjectDomainCombiner.java:253)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.SubjectDomainCombiner.combine(SubjectDomainCombiner.java:249)
at java.security.AccessControlContext.goCombiner(AccessControlContext.java:516)
at java.security.AccessControlContext.combineWithPrivilegedContext(AccessControlContext.java:305)
at java.security.AccessControlContext.optimize(AccessControlContext.java:404)
at java.security.AccessController.checkPermission(AccessController.java:398)
at gov.llnl.ais.test.TestServlet.doPost(TestServlet.java:59)
at gov.llnl.ais.test.TestServlet.doGet(TestServlet.java:44)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:244)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:336)
at com.evermind[Oracle9iAS (9.0.2.0.0) Containers for J2EE].server.http.ResourceFilterChain.doFilter(ResourceFilterChain.java:59)
at oracle.security.jazn.oc4j.JAZNFilter$1.run(JAZNFilter.java:252)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:558)
at oracle.security.jazn.oc4j.JAZNFilter.doFilter(JAZNFilter.java:269)
at com.evermind[Oracle9iAS (9.0.2.0.0) Containers for J2EE].server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java:523)
at com.evermind[Oracle9iAS (9.0.2.0.0) Containers for J2EE].server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java:269)
at com.evermind[Oracle9iAS (9.0.2.0.0) Containers for J2EE].server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:735)
at com.evermind[Oracle9iAS (9.0.2.0.0) Containers for J2EE].server.http.AJPRequestHandler.run(AJPRequestHandler.java:151)
at com.evermind[Oracle9iAS (9.0.2.0.0) Containers for J2EE].util.ThreadPoolThread.run(ThreadPoolThread.java:64)
I also get this exception in $ORACLE_HOME/opmn/logs/home.default_island.1
java.lang.reflect.InvocationTargetException: oracle.security.jazn.JAZNException: The system is unable to retreive the specified role(s).
at oracle.security.jazn.spi.ldap.LDAPRealmRole.<init>(LDAPRealmRole.java:91)
at java.lang.reflect.Constructor.newInstance(Native Method)
at oracle.security.jazn.spi.ldap.LDAPGranteeEntry.init(LDAPGranteeEntry.java:218)
at oracle.security.jazn.spi.ldap.LDAPGranteeEntry.<init>(LDAPGranteeEntry.java:121)
at oracle.security.jazn.spi.ldap.LDAPGranteeEntry.<init>(LDAPGranteeEntry.java:116)
at oracle.security.jazn.spi.ldap.LDAPLocalPolicy.getGrantees(LDAPLocalPolicy.java:315)
at oracle.security.jazn.spi.ldap.LDAPLocalPolicy.getGranteeEntries(LDAPLocalPolicy.java:264)
at oracle.security.jazn.spi.ldap.LDAPLocalPolicy.getPermissions(LDAPLocalPolicy.java:1029)
at oracle.security.jazn.spi.ldap.LDAPJAZNPolicy.getPermissions(LDAPJAZNPolicy.java:649)
at oracle.security.jazn.spi.ldap.LDAPJAZNPolicy.getPermissions(LDAPJAZNPolicy.java:680)
at oracle.security.jazn.spi.PolicyProvider.getPermissions(PolicyProvider.java:218)
at javax.security.auth.SubjectDomainCombiner$3.run(SubjectDomainCombiner.java:253)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.SubjectDomainCombiner.combine(SubjectDomainCombiner.java:249)
at java.security.AccessControlContext.goCombiner(AccessControlContext.java:516)
at java.security.AccessControlContext.combineWithPrivilegedContext(AccessControlContext.java:305)
at java.security.AccessControlContext.optimize(AccessControlContext.java:404)
at java.security.AccessController.checkPermission(AccessController.java:398)
at gov.llnl.ais.test.TestServlet.doPost(TestServlet.java:59)
at gov.llnl.ais.test.TestServlet.doGet(TestServlet.java:44)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:244)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:336)
at com.evermind.server.http.ResourceFilterChain.doFilter(ResourceFilterChain.java:59)
at oracle.security.jazn.oc4j.JAZNFilter$1.run(JAZNFilter.java:252)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:558)
at oracle.security.jazn.oc4j.JAZNFilter.doFilter(JAZNFilter.java:269)
at com.evermind.server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java:523)
at com.evermind.server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java:269)
at com.evermind.server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:735)
at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:151)
at com.evermind.util.ThreadPoolThread.run(ThreadPoolThread.java:64)
Here are my XML files:
=== application.xml start ===
<?xml version="1.0" encoding="windows-1252"?>
<!DOCTYPE application PUBLIC "-//Sun Microsystems, Inc.//DTD J2EE Application 1.2//EN" "http://java.sun.com/j2ee/dtds/application_1_2.dtd">
<application>
<display-name>TestMe</display-name>
<module>
<web>
<web-uri>test.war</web-uri>
<context-root>/testme</context-root>
</web>
</module>
<security-role>
<role-name>users</role-name>
</security-role>
</application>
=== application.xml end ===
=== orion-application.xml start ===
<?xml version="1.0" encoding="windows-1252"?>
<!DOCTYPE orion-application PUBLIC "-//Evermind//DTD J2EE Application runtime 1.2//EN" "http://xmlns.oracle.com/ias/dtds/orion-application.dtd">
<orion-application>
<web-module id="test" path="test.war"/>
<security-role-mapping name="users">
<group name="llnl/AUTHENTICATED_USERS"/>
</security-role-mapping>
<persistence path="persistence"/>
<log>
<file path="application.log"/>
</log>
<!-- use JAZN-XML by default
<jazn provider="XML" location="./jazn-data.xml"/> -->
<!-- use JAZN-LDAP instead -->
<jazn provider="LDAP" default-realm="llnl" location="my-ldap-server-is-here"/>
<namespace-access>
<read-access>
<namespace-resource root="">
<security-role-mapping impliesAll="true" name="<jndi-user-role>">
<group name="administrators"/>
</security-role-mapping>
</namespace-resource>
</read-access>
<write-access>
<namespace-resource root="">
<security-role-mapping impliesAll="true" name="<jndi-user-role>">
<group name="administrators"/>
</security-role-mapping>
</namespace-resource>
</write-access>
</namespace-access>
</orion-application>
=== orion-application.xml end ===
=== orion-web.xml start ===
<?xml version="1.0"?>
<!DOCTYPE orion-web-app PUBLIC "-//Evermind//DTD Orion Web Application 2.3//EN" "http://xmlns.oracle.com/ias/dtds/orion-web.dtd">
<orion-web-app>
<jazn-web-app auth-method="SSO" runas-mode="true" doasprivileged-mode="true"/>
</orion-web-app>
=== orion-web.xml end ===
=== web.xml start ===
<?xml version="1.0"?>
<!DOCTYPE web-app SYSTEM "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
<servlet>
<servlet-name>TestServlet</servlet-name>
<servlet-class>gov.llnl.ais.test.TestServlet</servlet-class>
<security-role-ref>
<role-name>users</role-name>
<role-link>users</role-link>
</security-role-ref>
<!-- <run-as>
<role-name>users</role-name>
</run-as> -->
</servlet>
<servlet-mapping>
<servlet-name>TestServlet</servlet-name>
<url-pattern>/test</url-pattern>
</servlet-mapping>
<welcome-file-list>
<welcome-file>index.jsp</welcome-file>
</welcome-file-list>
<error-page>
<error-code>404</error-code>
<location>/error.jsp</location>
</error-page>
<security-constraint>
<web-resource-collection>
<web-resource-name>authenticated</web-resource-name>
<url-pattern>/test</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>users</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
<security-role>
<role-name>users</role-name>
</security-role>
</web-app>
=== web.xml end ===
=== TestServlet.java start ===
package gov.llnl.ais.test;

import java.io.FilePermission;
import java.io.IOException;
import java.io.PrintWriter;
import javax.security.auth.Subject;
import javax.security.auth.SubjectDomainCombiner;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.http.HttpServlet;
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.DomainCombiner;
import java.security.Principal;
import java.util.Iterator;
import java.util.Set;
import oracle.security.jazn.oc4j.JAZNUserAdaptor;

public class TestServlet extends HttpServlet {

    /**
     * Constructor for TestServlet.
     */
    public TestServlet() {
        super();
    }

    /**
     * @param request
     * @param response
     */
    public void doGet(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) throws IOException {
        doPost(request, response);
    }

    public void doPost(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) throws IOException {
        PrintWriter pw = response.getWriter();
        pw.println("<html><head><title>Hi</title><body>Hi there dude<br>You are:");
        pw.println(request.getRemoteUser());
        Principal p = request.getUserPrincipal();
        if (p instanceof JAZNUserAdaptor) {
            JAZNUserAdaptor jaznuser = (JAZNUserAdaptor) p;
            pw.println("<br>SSO user DN [RealmPrincipal.getFullName] = " + jaznuser.getFullName() + "<br>");
            pw.println("Subscriber name [Realm.getName] = " + jaznuser.getRealm().getName() + "<br>");
            pw.println("Subscriber DN [Realm.getFullName] = " + jaznuser.getRealm().getFullName() + "<p>");
        }
        // This is the call that fails under doasprivileged-mode (see the trace above)
        AccessController.checkPermission(new FilePermission("/tmp/test.txt", "read"));
        Subject subject = null;
        AccessControlContext acc = AccessController.getContext();
        subject = Subject.getSubject(acc);
        if (subject == null) {
            pw.println("Subject via AccessControlContext is null.<br>");
            DomainCombiner dc = acc.getDomainCombiner();
            if (dc instanceof SubjectDomainCombiner) {
                subject = ((SubjectDomainCombiner) dc).getSubject();
            }
            if (subject == null) {
                pw.println("Subject via DomainCombiner is null.<br>");
            }
        }
        if (subject != null) {
            Set principals = subject.getPrincipals();
            Iterator principalsIterator = principals.iterator();
            while (principalsIterator.hasNext()) {
                Principal principal = (Principal) principalsIterator.next();
                pw.println("Principal: " + principal.toString() + "<br>");
            }
        }
        pw.println("</body></html>");
    }
}
=== TestServlet.java end ===
More info...
When I go into the JAZN tool via:
java -jar jazn.jar -shell
Then do this:
JAZN:> cd realms/llnl/roles/AUTHENTICATED_USERS
JAZN:llnl> ls permissions
java.lang.reflect.InvocationTargetException: oracle.security.jazn.JAZNException: The system is unable to retreive the specified role(s).
at oracle.security.jazn.spi.ldap.LDAPRealmRole.<init>(LDAPRealmRole.java:91)
at java.lang.reflect.Constructor.newInstance(Native Method)
at oracle.security.jazn.spi.ldap.LDAPGranteeEntry.init(LDAPGranteeEntry.java:218)
at oracle.security.jazn.spi.ldap.LDAPGranteeEntry.<init>(LDAPGranteeEntry.java:121)
at oracle.security.jazn.spi.ldap.LDAPGranteeEntry.<init>(LDAPGranteeEntry.java:116)
at oracle.security.jazn.spi.ldap.LDAPLocalPolicy.getGrantees(LDAPLocalPolicy.java:315)
at oracle.security.jazn.spi.ldap.LDAPLocalPolicy.getGranteeEntries(LDAPLocalPolicy.java:264)
at oracle.security.jazn.spi.ldap.LDAPLocalPolicy.getPermissions(LDAPLocalPolicy.java:1029)
at oracle.security.jazn.spi.ldap.LDAPJAZNPolicy.getPermissions(LDAPJAZNPolicy.java:649)
at oracle.security.jazn.spi.ldap.LDAPJAZNPolicy.getPermissions(LDAPJAZNPolicy.java:680)
at oracle.security.jazn.tools.Admintool.listRolePerms(Admintool.java:1140)
at oracle.security.jazn.tools.Admintool.processArgs(Admintool.java:404)
at oracle.security.jazn.tools.Admintool.lsCommand(Admintool.java:2782)
at oracle.security.jazn.tools.Admintool.shell(Admintool.java:2399)
at oracle.security.jazn.tools.Admintool.processArgs(Admintool.java:230)
at oracle.security.jazn.tools.Admintool.main(Admintool.java:123)
A JAZN internal error has occurred.
What could be causing this problem? It seems to be the same error that I'm getting in the OPMN log.
Thanks!
--Leif -
Is it possible to do basic authentication using JAZN LDAP on forms application?
I have modified the application.xml to include the following:
<jazn provider="LDAP" default-realm="coname.com" location="ldap://localhost:389" />
<security-role-mapping name="sr_manager">
<group name="managers" />
</security-role-mapping>
=======================================
and modified the web.xml found on
$ORA9iAS\forms90\j2ee\forms90app\forms90web\WEB-INF
<security-role>
<role-name>sr_manager</role-name>
</security-role>
<security-constraint>
<web-resource-collection>
<web-resource-name>f90servlet</web-resource-name>
<url-pattern>/f90servlet*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>sr_manager</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
====================
I've created the user 'manager' and defined it to belong to the 'managers' group in OID under the realm 'coname.com'.
When accessing the forms application using
http://localhost:8888/forms90/f90servlet?config=myadmin
the authentication screen pops up but does not seem to recognize the username/pwd specified.
When doing the same configuration on an ordinary web app, everything works fine: the pop-up login screen correctly authenticates the same username/pwd.
Are there other configurations that have to be set for basic authentication to work on Forms?
Grace,
Did you modify the correct application.xml file? Also, did you try to first run this against the jazn-data.xml file to see if this works? I usually prefer to test the most basic functionality before testing the big picture.
This one worked for me
<security-constraint>
<web-resource-collection>
<web-resource-name>forms90servlets</web-resource-name>
<url-pattern>/f90servlet*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>users</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>jazn.com</realm-name>
</login-config>
<security-role>
<role-name>users</role-name>
</security-role>
Note that I used the jazn.com default realm, but this shouldn't be too much of a difference.
May I ask you why you prefer the JAZN-based authentication over Oracle9i Forms single sign-on? Your approach requires you to do the same for the Reports Servlet if you want to call authenticated Reports from Forms.
Since you are restricting access to the complete Forms URL to sr_manager, there isn't even any finer-grained access control that you get out of this. Also, if you do not specify the database connect string in the formsweb.cfg file, your users will have to connect twice.
Don't get me wrong, I don't want to talk you out of this; I am just interested in why you want to do this. Maybe it's a good idea worth sharing with the community on OTN.
Fran -
We are testing the JAZN callerInfo sample. I have OID version 3.0.1.0, and Oracle9iAS (9.0.3.0.0) Containers for J2EE. We set up JAZN to use LDAP.
When starting oc4j we get the following:
java -jar oc4j.jar Error instantiating application 'callerInfo' at file:/u01/app/oracle/products/9iAS/j2ee/home/jazn/demo/callerInfo/callerInfo.ear: Error initializing userManager 'oracle.security.jazn.oc4j.JAZNUserManager': java.lang.StringIndexOutOfBoundsException (String index out of range: 32)
Oracle9iAS (9.0.3.0.0) Containers for J2EE initialized
We see it connect to LDAP and get a reply. I feel the string coming back is larger than JAZN is expecting.
We check the tcp traffic and see it connecting:
09:10:57.377851 buckwheat.jxn.wcom.com.389 > buckwheat.jxn.wcom.com.35082: P 15:2641(2626) ack 131 win 32767 <nop,nop,timestamp 26118724 26118721> (DF)
JAZN is set up as follows:
java -jar jazn.jar -getconfig
<jazn provider="LDAP" location="ldap://buckwheat:389" default-realm="sample_subrealm" />
oracle@buckwheat:/u01/app/oracle/products/9iAS/j2ee/home> java -jar jazn.jar -getconfig sample_subrealm
<jazn provider="LDAP" location="ldap://buckwheat:389" default-realm="sample_subrealm" />
<OC4J_HOME>/config/jazn.xml
<?xml version="1.0" encoding="UTF-8" standalone='yes'?>
<!--
<!DOCTYPE jazn PUBLIC "JAZN Config" "http://xmlns.oracle.com/ias/dtds/jazn.dtd">
<jazn provider="XML" location="./jazn-data.xml" />
-->
<jazn provider="LDAP"
default-realm="sample_subrealm"
location="ldap://buckwheat:389" />
<OC4J_HOME>/j2ee/home/jazn/demo/callerInfo/etc/orion-application.xml
<?xml version="1.0"?>
<!DOCTYPE orion-application PUBLIC "-//Evermind//DTD J2EE Application runtime 1.2//EN" "http://xmlns.oracle.com/ias/dtds/orion-application.dtd">
<orion-application deployment-version="1.0.2.2" default-data-source="jdbc/OracleDS">
<web-module id="callerInfo-web" path="callerInfo-web.war" />
<persistence path="persistence" />
<!-- mapping for realm "jazn.com"
<security-role-mapping name="sr_manager">
<group name="administrators" />
</security-role-mapping>
<security-role-mapping name="sr_developer">
<group name="users" />
</security-role-mapping>
-->
<!-- mapping for realm "sample_subrealm" -->
<security-role-mapping name="sr_manager">
<group name="manager" />
</security-role-mapping>
<security-role-mapping name="sr_developer">
<group name="developer" />
</security-role-mapping>
<!-- h -->
<!-- use JAZN-XML by default
<jazn provider="XML" location="./jazn-data.xml" />
-->
<!-- use JAZN-LDAP instead -->
<jazn provider="LDAP" default-realm="sample_subrealm" location="ldap://buckwheat.jxn.wcom.com:389" />
<!-- -->
<log>
<file path="application.log" />
</log>
<namespace-access>
<read-access>
<namespace-resource root="">
<security-role-mapping name="<jndi-user-role>">
<group name="administrators" />
</security-role-mapping>
</namespace-resource>
</read-access>
<write-access>
<namespace-resource root="">
<security-role-mapping name="<jndi-user-role>">
<group name="administrators" />
</security-role-mapping>
</namespace-resource>
</write-access>
</namespace-access>
</orion-application>
<OC4J_HOME>/j2ee/home/jazn/demo/callerInfo/etc/web.xml
<?xml version="1.0"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN" "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
<web-app>
<display-name>JAZN Demo: CallerInfo</display-name>
<servlet>
<servlet-name>callerInfo</servlet-name>
<description>Servlet retrieves remote user info</description>
<servlet-class>oracle.security.jazn.samples.http.CallerInfo</servlet-class>
<!-- role name used in code -->
<security-role-ref>
<role-name>FOO</role-name>
<role-link>sr_manager</role-link>
</security-role-ref>
<security-role-ref>
<role-name>ar_manager</role-name>
<role-link>sr_manager</role-link>
</security-role-ref>
<security-role-ref>
<role-name>ar_developer</role-name>
<role-link>sr_developer</role-link>
</security-role-ref>
</servlet>
<servlet-mapping>
<servlet-name>callerInfo</servlet-name>
<url-pattern>/callerInfo/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>callerInfo</servlet-name>
<url-pattern>/callerInfoA</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>callerInfo</servlet-name>
<url-pattern>/callerInfoB</url-pattern>
</servlet-mapping>
<!-- security roles -->
<security-role>
<role-name>sr_manager</role-name>
</security-role>
<security-role>
<role-name>sr_developer</role-name>
</security-role>
<!-- security constraints -->
<security-constraint>
<web-resource-collection>
<web-resource-name>CallerInfoA</web-resource-name>
<url-pattern>/callerInfoA</url-pattern>
</web-resource-collection>
<!-- authorization -->
<auth-constraint>
<role-name>sr_developer</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>CallerInfoB</web-resource-name>
<url-pattern>/callerInfoB</url-pattern>
</web-resource-collection>
<!-- authorization -->
<auth-constraint>
<role-name>sr_manager</role-name>
</auth-constraint>
</security-constraint>
<!-- authentication -->
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
</web-app>
OID 3.0.1.0 is the latest product release to the public. I did add the install data to allow it to work. I see the data in OID, but when I connect with JAZN I get an error.
java -jar jazn.jar -shell
JAZN:> ls
realms policy
JAZN:> cd realms
JAZN:> ls
String index out of range: 32
JAZN:> cd ../policy
JAZN:> ls
JAZN:> exit
JAZN:>
It does not error on the policy directory but it does on the realm side. If I watch the TCP packets, it is working. -
How to configure jazn-data.xml for two realms?
Hi,
in my test application a JSP page is secured with <auth-method>BASIC</auth-method>.
I use the jazn-data.xml configuration in the Embedded OC4J in JDeveloper 10.1.2.
With the standard configuration of jazn-data.xml I can sign in with user admin/welcome without any problems.
In this case only the jazn.com realm exists.
If I configure a second realm over the JDeveloper menu "Tools -> Embedded OC4J Server Preferences ..." then I can't sign in any more.
The new realm domain.com has some users in the group myusers. In orion-web.xml I added the new group to the role mapping.
What is the problem? I can't find any information in the documentation.
Oracle® Application Server Containers for J2EE
Security Guide
10g Release 2 (10.1.2)
B14013-02
Thanks and best regards,
Tobias
orion-web.xml
<orion-web-app servlet-webdir="/servlets/">
<security-role-mapping impliesAll="false" name="user">
<group name="jazn.com/users"/>
<group name="domain.com/myusers"/>
</security-role-mapping>
</orion-web-app>
web.xml
<web-app>
<description>Empty web.xml file for Web Application</description>
<session-config>
<session-timeout>35</session-timeout>
</session-config>
<mime-mapping>
<extension>html</extension>
<mime-type>text/html</mime-type>
</mime-mapping>
<mime-mapping>
<extension>txt</extension>
<mime-type>text/plain</mime-type>
</mime-mapping>
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
<security-constraint>
<web-resource-collection>
<web-resource-name>TestApp</web-resource-name>
<url-pattern>*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>user</role-name>
</auth-constraint>
</security-constraint>
<security-role>
<role-name>user</role-name>
</security-role>
</web-app>
Hi,
I switched my above example from jazn-data.xml to LDAP and deployed this in iAS.
In the OID are two realms configured, realm_1 and realm_2 and some users for each.
But I can only access my JSP with users of realm_1 or of realm_2, not with users of both realms at the same time. That depends on the configured "Default realm" of the JAZN LDAP User Manager in the EAR.
If I set "Default realm" = realm_1 in the enterprise manager of the iAS then
only members of realm_1 can access the JSP and vice versa for realm_2.
I packaged my above example as an EAR and configured the default generated orion-application.xml in the Enterprise Manager of the iAS.
orion-application.xml
<?xml version = '1.0'?>
<!DOCTYPE orion-application PUBLIC "-//ORACLE//DTD OC4J Application runtime 9.04//EN" "http://xmlns.oracle.com/ias/dtds/orion-application-9_04.dtd">
<orion-application deployment-version="10.1.2.0.2"
default-data-source="jdbc/OracleDS" treat-zero-as-null="true">
<web-module id="webapp" path="webapp.war"/>
<persistence path="persistence"/>
<principals path="principals.xml"/>
<jazn provider="LDAP">
<property name="ldap.user" value="cn=orcladmin"/>
<property name="ldap.password" value="!ias_admin10g"/>
</jazn>
<log>
<file path="application.log"/>
</log>
<namespace-access>
<read-access>
<namespace-resource root="">
<security-role-mapping>
<group name="jazn.com/administrators"/>
</security-role-mapping>
</namespace-resource>
</read-access>
<write-access>
<namespace-resource root="">
<security-role-mapping>
<group name="jazn.com/administrators"/>
</security-role-mapping>
</namespace-resource>
</write-access>
</namespace-access>
</orion-application>
orion-web.xml
<orion-web-app servlet-webdir="/servlets/">
<security-role-mapping impliesAll="false" name="user">
<group name="realm_1/users"/>
<group name="realm_2/myusers"/>
</security-role-mapping>
</orion-web-app>
What do I have to configure to get access to the JSP with both realms?
Best regards,
Tobias -
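Grace's BASIC prompt that accepts nobody and Tobias's realm-qualified group names both involve the same descriptors: role names in web.xml, the security-role-mapping entries in orion-application.xml (or orion-web.xml), and the default-realm on the jazn element. The checker below is an added example, not code from any poster or from Oracle; the two XML documents inside it are constructed for the demonstration (roles sr_manager/sr_auditor/sr_developer, groups managers, domain.com/myusers and jazn.com/users), and the finding texts are my own wording.

```python
"""Cross-check an OC4J web.xml against the JAZN role-to-group mapping in
orion-application.xml (orion-web.xml uses the same elements). Added example
for this thread; the XML below is constructed, not taken from any post."""
import xml.etree.ElementTree as ET

# Constructed web.xml: 'sr_auditor' is required by an auth-constraint but never
# declared as a <security-role>, and BASIC auth has no CONFIDENTIAL transport.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection><web-resource-name>f90servlet</web-resource-name>
      <url-pattern>/f90servlet*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>sr_manager</role-name><role-name>sr_auditor</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
  <security-role><role-name>sr_manager</role-name></security-role>
</web-app>"""

# Constructed orion-application.xml: one unqualified group (resolved in the
# default-realm), one realm-qualified group, one mapping for an undeclared role.
ORION_XML = """<orion-application>
  <security-role-mapping name="sr_manager">
    <group name="managers"/><group name="domain.com/myusers"/>
  </security-role-mapping>
  <security-role-mapping name="sr_developer"><group name="jazn.com/users"/></security-role-mapping>
  <jazn provider="LDAP" default-realm="jazn.com" location="ldap://localhost:389"/>
</orion-application>"""


def role_names(parent, tag):
    """Set of <role-name> texts found under every <tag> element in parent."""
    return {rn.text.strip() for el in parent.iter(tag) for rn in el.iter("role-name")}


def role_mappings(orion_xml):
    """security-role-mapping name -> list of group names it grants."""
    root = ET.fromstring(orion_xml)
    return {m.get("name"): [g.get("name") for g in m.iter("group")]
            for m in root.iter("security-role-mapping")}


def default_realm(orion_xml):
    """default-realm of the <jazn> element, or None if it is not set."""
    jazn = next(ET.fromstring(orion_xml).iter("jazn"), None)
    return jazn.get("default-realm") if jazn is not None else None


def qualify(group, realm):
    """Split 'realm/group' into (realm, group); an unqualified name falls back
    to the default realm, which may be None."""
    if "/" in group:
        realm, group = group.split("/", 1)
    return realm, group


def weak_transport(web_root):
    """web-resource-names behind BASIC auth whose constraint does not demand
    transport-guarantee CONFIDENTIAL (credentials would travel base64 only)."""
    if web_root.findtext("login-config/auth-method", default="").strip() != "BASIC":
        return []
    weak = []
    for sc in web_root.iter("security-constraint"):
        tg = sc.findtext("user-data-constraint/transport-guarantee", default="NONE")
        if tg.strip() != "CONFIDENTIAL":
            weak.extend(wr.text.strip() for wr in sc.iter("web-resource-name"))
    return weak


def audit(web_xml, orion_xml):
    """Return the list of consistency findings for the two descriptors."""
    web = ET.fromstring(web_xml)
    used = role_names(web, "auth-constraint")
    declared = role_names(web, "security-role")
    mappings = role_mappings(orion_xml)
    realm = default_realm(orion_xml)
    findings = []
    for role in sorted(used - declared):
        findings.append(f"undeclared: '{role}' is in an auth-constraint but has no <security-role>")
    for role in sorted(used - set(mappings)):
        findings.append(f"unmapped: '{role}' has no security-role-mapping, so nobody can satisfy it")
    for role in sorted(set(mappings) - declared):
        findings.append(f"dangling: mapping for '{role}' matches no declared role")
    for role, groups in sorted(mappings.items()):
        for g in groups:
            r, _name = qualify(g, realm)
            if r is None:
                findings.append(f"no realm: group '{g}' for '{role}' and no default-realm set")
            elif "/" not in g:
                findings.append(f"default-realm: group '{g}' for '{role}' resolves only in '{r}'")
    for res in weak_transport(web):
        findings.append(f"cleartext: '{res}' uses BASIC without transport-guarantee CONFIDENTIAL")
    return findings


if __name__ == "__main__":
    for line in audit(WEB_XML, ORION_XML):
        print(line)
```

Point the two constants at real descriptors to audit a deployment; an empty result means every constrained role is declared, mapped, realm-qualified and served over a CONFIDENTIAL transport.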
Hi,
I am trying to use OID for J2EE Security and am using oracle.security.jazn.oc4j.JAZNUserManager. I tried to use XML as the provider and it worked, but when I tried to use OID for the same, it failed.
(entry in orion-application.xml)
<jazn provider="LDAP" default-realm="jazn.com" location="ldap://oidhost:389" >
<jazn-web-app auth-method="SSO" />
</jazn>
Whenever I start my OC4J, I get an error as
oracle.security.jazn.JAZNNamingException: The system is unable to retreive the specified realm(s).
I tried
java -jar jazn.jar -listrealms
And that too gave error.
It would be great if someone can tell me if I need to specify the base DN anywhere, or the entries that should be in the OID.
Thanks,
Shipra
Hi,
We are also in a similar predicament, about to use OID 3.0.1 on Windows 2000 with JAZN-LDAP provider to do authentication in our web application. We also can get the XML provider to work successfully. We haven't tried LDAP provider yet because of reading this thread.
Lee, you state that JAZN-LDAP isn't certified with OID 3.0.1, but does it work? The reason we ask is that we have been made aware that OID 9 for Windows NT/2000 will not be available for another six to eight weeks; therefore, as our requirements are to use OID, we do not wish to go down another route.
However, if this is not possible what are our options? Could you also clarify when OID 9 release 2 for Windows NT /2000 will be available?
regards
Fran