Kerberos authentication with Apache Kerberos Module
Hi,
Using the Java GSS tutorials, I have been able to create code to successfully authenticate with our KDC server or from a local ticket cache.
However, I have been unsuccessful in using the obtained credentials to perform client authentication with a web server running Apache using Kerberos for authentication (mod_kerberos).
I have tried to use an SSLSocket to connect to the server, which works fine. To request a page that requires client side authentication, I have passed the necessary client headers, over the socket connection e.g.
GET: http://www.myhost.com/protected_page.html
HOST: www.myhost.com
AUTHENTICATE: negotiate XXXXX
However, I do not know what to put in place of XXXXX. Using some PHP code and Firefox, I have been able to observe what Firefox is passing to the web server to perform client side authentication. It is clearly passing a base64 encoded string, which is related to the cached Kerberos credentials.
Can anyone tell me, how I can use Java and GSS to perform client side authentication with an Apache web server that is using the Kerberos authentication module? I know it is possible to do so using SPEGNO in a Windows environment, but this is a Linux/Unix environment, so it is not an option.
Thanks for any help or advice,
Neil.
Here are your options:
1) Configure Krb5LoginModule programmatically.
If the environment variable KRB5CC_NAME points to the ticket cache location,
(which is updated each time), you can configure the Krb5LoginModule
programmatically and set the "ticketCache" option to the value obtained
from KRB5CC_NAME.
Refer to following docs for details:
http://java.sun.com/j2se/1.5.0/docs/guide/security/jgss/tutorials/LoginConfigFile.html
http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/login/Configuration.html
http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/login/AppConfigurationEntry.html
2) Use native Kerberos from the platform
Java SE 6 provides support for native GSS/Kerberos on Solaris/Linux platforms.
NOTE: If native GSS/Kerberos on your platform does not have support for SPNEGO,
you will not be able to use this option.
For details refer to following docs:
http://download.java.net/jdk6/docs/technotes/guides/security/jgss/jgss-features.html
Seema
Similar Messages
-
Client authentication with apache+mod_ssl+tomcat
Hello.
My question is a little bit off topic.
I try to read client certificates with request.getAttribute("javax.servlet.request.X509Certificate"), but the result is always null.
Probably it's null because I have nothing on the session. So my tomcat does not have the certificate. I use apache + mod_ssl + mod_jk + tomcat.
And here is my question: how did you configured apache and tomcat so that tomcat has the client cert ?
Thanks.usually u generate a keystore for client, and mention that in ur SSL connector of tomcat
in apache, we need to configure things in ssl.conf -
Kerberos authentication with Active Directory
I have tried using JAAS to authenticate to MS Active Directory and keep getting "javax.security.auth.login.LoginException: Pre-Authentication Information was invalid"
I have tried authenticating with multiple user accounts and on three different realms (Active Directory domains).
How do I need to format the username? I know that when using JNDI to access Active Directory I have to use the format "[email protected]" or the RDN. I have tried it both ways with JAAS kerberos authentication as well as with just the username by itself. I don't think that the username format is the problem though because if I set the account lockout policy to 5 failed attempts, sure enough my account will be locked out after running my code 5 times. If I give a username that doesn't exist in Active Directory I get the error "javax.security.auth.login.loginexception: Client not found in Kerberos database" Is there something special that I have to do to the password?
I know that there is just something stupid that I'm missing. Here is the simplest example of code that I'm working with:
import java.io.*;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.Subject;
import com.sun.security.auth.callback.TextCallbackHandler;
public class krb5ADLogin1 {
public static void main(String[] args){
LoginContext lc = null;
try {
lc=new LoginContext("krb5ADLogin1", new TextCallbackHandler());
lc.login();
catch(Exception e){
e.printStackTrace();
Here is my config file:
krb5ADLogin1 {
com.sun.security.auth.module.Krb5LoginModule required;
The command I use to start the program is:
java -Djava.security.krb5.realm=mydomain.com
-Djava.security.krb5.kdc=DomainController.mydomain.com
-Djava.security.auth.login.config=sample.conf krb5ADLogin1Hi there ... the Sun web site has the following snippet:
http://java.sun.com/j2se/1.4/docs/guide/security/jgss/tutorials/Troubleshooting.html
+ javax.security.auth.login.LoginException: KrbException::
Pre-authentication information was invalid (24) - Preauthentication failed
Cause 1: The password entered is incorrect.
Solution 1: Verify the password.
Cause 2: If you are using the keytab to get the key (e.g., by
setting the useKeyTab option to true in the Krb5LoginModule entry
in the JAAS login configuration file), then the key might have
changed since you updated the keytab.
Solution 2: Consult your Kerberos documentation to generate a new
keytab and use that keytab.
Cause 3: Clock skew - If the time on the KDC and on the client
differ significanlty (typically 5 minutes), this error can be
returned.
Solution 3: Synchronize the clocks (or have a system administrator
do so).
Good luck,
-Derek -
Integrating Kerberos authentication with OBIEE
Hi,
Is it possible to integrate Kerberos authentication with OBIEE? If yes, how can that be done? Are there any documentation available?
Thankswe can integrate with LDAP with the help of below link
http://oraclebizint.wordpress.com/2007/10/10/oracle-bi-ee-101332-using-ldapoid-authentication/
Regards
Venkata -
[SOLVED] Error with the php5 module for apache
Hi!
I've installed Apache 2.0.55-1 and PHP5 5.1.4-4. When I try to run the apache server it fails. Then I do httpd -k start and I get:
Syntax error on line 262 of /etc/httpd/conf/httpd.conf:
API module structure `php5_module' in file /usr/lib/apache/libphp5.so is garbled - perhaps this is not an Apache module DSO?
The file libphp5 exists, but seems corrupted.
See you
NeOnsKuLLThat version of the package has been built with apache 2.2.x. Be sure to use that version of apache too, as 2.0 won't work with that specific package.
-
SAPRFC module not loading with Apache
I am running PHP4.4.0RC2-dev on Apache 1.3.29.
I have downloaded the SAPRFC.1.3.3-4.3.10 and installed the php_saprfc.dll and updated the PHP.INI file to load this extension.
When I run the command "php -m -c c:\php" I shows that the <b>SAPRFC</b> module has been loaded.
When I call the <b>get_loaded_extensions</b> inside a PHP webpage, the SAPRFC module does not show as being loaded.
Any ideas?
Thanks in advance.
DougThe documentation says it supports >= php version
eg >= 4.3.10 and >= 5.0.3
I have been testing the interface and can confirm that the SAPRFC is working. The versions I am using are:
<b>Apache/1.3.29 (Win32)
PHP/4.4.0RC2-dev
SAPRFC 1.3.3
SAPRFC32.DLL 640,0,70</b>
Why the PHP4.4? I spent 2 days trying to get PHP/Apache working in various combinations without success. I found a site that produced the compiled PHP version that will work with Apache. I installed this version and it worked first time. -
Hello Archers,
I've set up an svn Server with Apache folloing your wiki on my raspberry pi.
https://wiki.archlinux.org/index.php/LAMP
https://wiki.archlinux.org/index.php/Subversion_Setup
Unfortunately I get errors when I try to commit several files (15 or so). I think it is a timeout issue, however I don't know where to specify the timeout in the httpd.conf (or httpd-ssl.conf)
This is a client error message:
Commit failed (details follow):
Unexpected end of svndiff Input
And this the corresponding server side log:
[date] [dav:error] [pid 448:tid 2854220848] (70007)The timeout specified has expired: [client 192.168.178.55:63819] Timeout reading the body (URI: /Dokumente/!svn/txr/9-q/Music/myfile.mp3) [408, #0]
[date] [dav:error] [pid 448:tid 2854220848] [client 192.168.178.55:63819] mod_dav_svn close_stream: error closing write stream [500, #185004]
[date] [dav:error] [pid 448:tid 2854220848] [client 192.168.178.55:63819] Unexpected end of svndiff input [500, #185004]
I assume it is some error like this: http://subversion.apache.org/faq.html#s … -truncated
I think I don't have specified the timeouts correctly, since I haven't found the default option.
tl:dr
Do you know how to set the timeouts in the apache configuration file?
I very much appreciate your help.
arch on pi
Here are my configuration Files with my position for the timeout order:
httpd-ssl.conf:
# This is the Apache server configuration file providing SSL support.
# It contains the configuration directives to instruct the server how to
# serve pages over an https connection. For detailed information about these
# directives see <URL:http://httpd.apache.org/docs/2.4/mod/mod_ssl.html>
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
# consult the online docs. You have been warned.
# Required modules: mod_log_config, mod_setenvif, mod_ssl,
# socache_shmcb_module (for default value of SSLSessionCache)
# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the SSL library.
# The seed data should be of good random quality.
# WARNING! On some platforms /dev/random blocks if not enough entropy
# is available. This means you then cannot use the /dev/random device
# because it would lead to very long connection times (as long as
# it requires to make more entropy available). But usually those
# platforms additionally provide a /dev/urandom device which doesn't
# block. So, if available, use this one instead. Read the mod_ssl User
# Manual for more details.
#SSLRandomSeed startup file:/dev/random 512
SSLRandomSeed startup file:/dev/urandom 512
#SSLRandomSeed connect file:/dev/random 512
SSLRandomSeed connect file:/dev/urandom 512
# When we also provide SSL we have to listen to the
# standard HTTP port (see above) and to the HTTPS port
Listen 443
## SSL Global Context
## All SSL configuration in this context applies both to
## the main server and all SSL-enabled virtual hosts.
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
# Speed-optimized SSL Cipher configuration:
# If speed is your main concern (on busy HTTPS servers e.g.),
# you might want to force clients to specific, performance
# optimized ciphers. In this case, prepend those ciphers
# to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
# Caveat: by giving precedence to RC4-SHA and AES128-SHA
# (as in the example below), most connections will no longer
# have perfect forward secrecy - if the server's key is
# compromised, captures of past or future traffic must be
# considered compromised, too.
#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
#SSLHonorCipherOrder on
# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin' is an internal
# terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog builtin
# Inter-Process Session Cache:
# Configure the SSL Session Cache: First the mechanism
# to use and second the expiring timeout (in seconds).
#SSLSessionCache "dbm:/run/httpd/ssl_scache"
SSLSessionCache "shmcb:/run/httpd/ssl_scache(512000)"
SSLSessionCacheTimeout 6000
## SSL Virtual Host Context
<VirtualHost _default_:443>
# General setup for the virtual host
DocumentRoot "/mnt/sda1/svn"
ServerName 192.168.178.48:443
ServerAdmin [email protected]
ErrorLog "/var/log/httpd/error_log"
TransferLog "/var/log/httpd/access_log"
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. Keep
# in mind that if you have both an RSA and a DSA certificate you
# can configure both in parallel (to also allow the use of DSA
# ciphers, etc.)
# Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt)
# require an ECC certificate which can also be configured in
# parallel.
SSLCertificateFile "/etc/httpd/conf/server.crt"
#SSLCertificateFile "/etc/httpd/conf/server-dsa.crt"
#SSLCertificateFile "/etc/httpd/conf/server-ecc.crt"
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
# ECC keys, when in use, can also be configured in parallel
SSLCertificateKeyFile "/etc/httpd/conf/server.key"
#SSLCertificateKeyFile "/etc/httpd/conf/server-dsa.key"
#SSLCertificateKeyFile "/etc/httpd/conf/server-ecc.key"
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convenience.
#SSLCertificateChainFile "/etc/httpd/conf/server-ca.crt"
# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
# Note: Inside SSLCACertificatePath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCACertificatePath "/etc/httpd/conf/ssl.crt"
#SSLCACertificateFile "/etc/httpd/conf/ssl.crt/ca-bundle.crt"
# Certificate Revocation Lists (CRL):
# Set the CA revocation path where to find CA CRLs for client
# authentication or alternatively one huge file containing all
# of them (file must be PEM encoded).
# The CRL checking mode needs to be configured explicitly
# through SSLCARevocationCheck (defaults to "none" otherwise).
# Note: Inside SSLCARevocationPath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCARevocationPath "/etc/httpd/conf/ssl.crl"
#SSLCARevocationFile "/etc/httpd/conf/ssl.crl/ca-bundle.crl"
#SSLCARevocationCheck chain
# Client Authentication (Type):
# Client certificate verification type and depth. Types are
# none, optional, require and optional_no_ca. Depth is a
# number which specifies how deeply to verify the certificate
# issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
#SSLVerifyDepth 10
# TLS-SRP mutual authentication:
# Enable TLS-SRP and set the path to the OpenSSL SRP verifier
# file (containing login information for SRP user accounts).
# Requires OpenSSL 1.0.1 or newer. See the mod_ssl FAQ for
# detailed instructions on creating this file. Example:
# "openssl srp -srpvfile /etc/httpd/conf/passwd.srpv -add username"
#SSLSRPVerifierFile "/etc/httpd/conf/passwd.srpv"
# Access Control:
# With SSLRequire you can do per-directory access control based
# on arbitrary complex boolean expressions containing server
# variable checks and other lookup directives. The syntax is a
# mixture between C and Perl. See the mod_ssl documentation
# for more details.
#<Location />
#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>
# SSL Engine Options:
# Set various options for the SSL engine.
# o FakeBasicAuth:
# Translate the client X.509 into a Basic Authorisation. This means that
# the standard Auth/DBMAuth methods can be used for access control. The
# user name is the `one line' version of the client's X.509 certificate.
# Note that no password is obtained from the user. Every entry in the user
# file needs this password: `xxj31ZMTZzkVA'.
# o ExportCertData:
# This exports two additional environment variables: SSL_CLIENT_CERT and
# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
# server (always existing) and the client (only existing when client
# authentication is used). This can be used to import the certificates
# into CGI scripts.
# o StdEnvVars:
# This exports the standard SSL/TLS related `SSL_*' environment variables.
# Per default this exportation is switched off for performance reasons,
# because the extraction step is an expensive operation and is usually
# useless for serving static content. So one usually enables the
# exportation for CGI and SSI requests only.
# o StrictRequire:
# This denies access when "SSLRequireSSL" or "SSLRequire" applied even
# under a "Satisfy any" situation, i.e. when it applies access is denied
# and no other module can change it.
# o OptRenegotiate:
# This enables optimized SSL connection renegotiation handling when SSL
# directives are used in per-directory context.
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/srv/http/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
# SSL Protocol Adjustments:
# The safe and default but still SSL/TLS standard compliant shutdown
# approach is that mod_ssl sends the close notify alert but doesn't wait for
# the close notify alert from client. When you need a different shutdown
# approach you can use one of the following variables:
# o ssl-unclean-shutdown:
# This forces an unclean shutdown when the connection is closed, i.e. no
# SSL close notify alert is sent or allowed to be received. This violates
# the SSL/TLS standard but is needed for some brain-dead browsers. Use
# this when you receive I/O errors because of the standard approach where
# mod_ssl sends the close notify alert.
# o ssl-accurate-shutdown:
# This forces an accurate shutdown when the connection is closed, i.e. a
# SSL close notify alert is send and mod_ssl waits for the close notify
# alert of the client. This is 100% SSL/TLS standard compliant, but in
# practice often causes hanging connections with brain-dead browsers. Use
# this only for browsers where you know that their SSL implementation
# works correctly.
# Notice: Most problems of broken clients are also related to the HTTP
# keep-alive facility, so you usually additionally want to disable
# keep-alive for those clients, too. Use variable "nokeepalive" for this.
# Similarly, one has to force some clients to use HTTP/1.0 to workaround
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
# "force-response-1.0" for this.
BrowserMatch "MSIE [2-5]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# Per-Server Logging:
# The home of a custom SSL log file. Use this when you want a
# compact non-error SSL logfile on a virtual host basis.
CustomLog "/var/log/httpd/ssl_request_log" \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
#SSLSessionTimeout 5m
Timeout 600000
<Location />
DAV svn
SVNParentPath /mnt/sda1/svn/repos
AuthzSVNAccessFile /home/svn/.svn-policy-file
AuthName "SVN Repositories"
AuthType Basic
AuthUserFile /home/svn/.svn-auth-file
# Satisfy Any
Require valid-user
</Location>
</VirtualHost>
httpd.conf
# This is the main Apache HTTP server configuration file. It contains the
# configuration directives that give the server its instructions.
# See <URL:http://httpd.apache.org/docs/2.4/> for detailed information.
# In particular, see
# <URL:http://httpd.apache.org/docs/2.4/mod/directives.html>
# for a discussion of each configuration directive.
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
# consult the online docs. You have been warned.
# Configuration and logfile names: If the filenames you specify for many
# of the server's control files begin with "/" (or "drive:/" for Win32), the
# server will use that explicit path. If the filenames do *not* begin
# with "/", the value of ServerRoot is prepended -- so "logs/access_log"
# with ServerRoot set to "/usr/local/apache2" will be interpreted by the
# server as "/usr/local/apache2/logs/access_log", whereas "/logs/access_log"
# will be interpreted as '/logs/access_log'.
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
# Do not add a slash at the end of the directory path. If you point
# ServerRoot at a non-local disk, be sure to specify a local disk on the
# Mutex directive, if file-based mutexes are used. If you wish to share the
# same ServerRoot for multiple httpd daemons, you will need to change at
# least PidFile.
ServerRoot "/etc/httpd"
Timeout 60000
# Mutex: Allows you to set the mutex mechanism and mutex file directory
# for individual mutexes, or change the global defaults
# Uncomment and change the directory if mutexes are file-based and the default
# mutex file directory is not on a local disk or is not appropriate for some
# other reason.
# Mutex default:/run/httpd
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, instead of the default. See also the <VirtualHost>
# directive.
# Change this to Listen on specific IP addresses as shown below to
# prevent Apache from glomming onto all bound IP addresses.
#Listen 12.34.56.78:80
Listen 80
# Dynamic Shared Object (DSO) Support
# To be able to use the functionality of a module which was built as a DSO you
# have to place corresponding `LoadModule' lines at this location so the
# directives contained in it are actually available _before_ they are used.
# Statically compiled modules (those listed by `httpd -l') do not need
# to be loaded here.
# Example:
# LoadModule foo_module modules/mod_foo.so
LoadModule authn_file_module modules/mod_authn_file.so
#LoadModule authn_dbm_module modules/mod_authn_dbm.so
#LoadModule authn_anon_module modules/mod_authn_anon.so
#LoadModule authn_dbd_module modules/mod_authn_dbd.so
#nach fehlermeldung
LoadModule authn_socache_module modules/mod_authn_socache.so
LoadModule authn_core_module modules/mod_authn_core.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_user_module modules/mod_authz_user.so
#LoadModule authz_dbm_module modules/mod_authz_dbm.so
#LoadModule authz_owner_module modules/mod_authz_owner.so
#LoadModule authz_dbd_module modules/mod_authz_dbd.so
LoadModule authz_core_module modules/mod_authz_core.so
#LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule access_compat_module modules/mod_access_compat.so
LoadModule auth_basic_module modules/mod_auth_basic.so
#LoadModule auth_form_module modules/mod_auth_form.so
#LoadModule auth_digest_module modules/mod_auth_digest.so
#LoadModule allowmethods_module modules/mod_allowmethods.so
#LoadModule file_cache_module modules/mod_file_cache.so
#Felhermeldung undefined symbols
LoadModule cache_module modules/mod_cache.so
#LoadModule cache_disk_module modules/mod_cache_disk.so
#nach Fehlermeldung
LoadModule cache_socache_module modules/mod_cache_socache.so
#nochne Fehlermeldung
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
#LoadModule socache_dbm_module modules/mod_socache_dbm.so
#LoadModule socache_memcache_module modules/mod_socache_memcache.so
#LoadModule watchdog_module modules/mod_watchdog.so
#LoadModule macro_module modules/mod_macro.so
#LoadModule dbd_module modules/mod_dbd.so
#LoadModule dumpio_module modules/mod_dumpio.so
#LoadModule echo_module modules/mod_echo.so
#LoadModule buffer_module modules/mod_buffer.so
#LoadModule data_module modules/mod_data.so
#LoadModule ratelimit_module modules/mod_ratelimit.so
LoadModule reqtimeout_module modules/mod_reqtimeout.so
#LoadModule ext_filter_module modules/mod_ext_filter.so
#LoadModule request_module modules/mod_request.so
LoadModule include_module modules/mod_include.so
LoadModule filter_module modules/mod_filter.so
#LoadModule reflector_module modules/mod_reflector.so
#LoadModule substitute_module modules/mod_substitute.so
#LoadModule sed_module modules/mod_sed.so
#LoadModule charset_lite_module modules/mod_charset_lite.so
#LoadModule deflate_module modules/mod_deflate.so
#LoadModule xml2enc_module modules/mod_xml2enc.so
#LoadModule proxy_html_module modules/mod_proxy_html.so
LoadModule mime_module modules/mod_mime.so
#LoadModule ldap_module modules/mod_ldap.so
LoadModule log_config_module modules/mod_log_config.so
#LoadModule log_debug_module modules/mod_log_debug.so
#LoadModule log_forensic_module modules/mod_log_forensic.so
#LoadModule logio_module modules/mod_logio.so
#LoadModule lua_module modules/mod_lua.so
LoadModule env_module modules/mod_env.so
#LoadModule mime_magic_module modules/mod_mime_magic.so
#LoadModule cern_meta_module modules/mod_cern_meta.so
#LoadModule expires_module modules/mod_expires.so
LoadModule headers_module modules/mod_headers.so
#LoadModule ident_module modules/mod_ident.so
#LoadModule usertrack_module modules/mod_usertrack.so
#LoadModule unique_id_module modules/mod_unique_id.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule version_module modules/mod_version.so
#LoadModule remoteip_module modules/mod_remoteip.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so
LoadModule proxy_scgi_module modules/mod_proxy_scgi.so
#LoadModule proxy_fdpass_module modules/mod_proxy_fdpass.so
LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
LoadModule proxy_express_module modules/mod_proxy_express.so
#LoadModule session_module modules/mod_session.so
#LoadModule session_cookie_module modules/mod_session_cookie.so
#LoadModule session_crypto_module modules/mod_session_crypto.so
#LoadModule session_dbd_module modules/mod_session_dbd.so
LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
#LoadModule slotmem_plain_module modules/mod_slotmem_plain.so
#Fuer die cipher suite
LoadModule ssl_module modules/mod_ssl.so
#LoadModule dialup_module modules/mod_dialup.so
LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so
LoadModule lbmethod_bytraffic_module modules/mod_lbmethod_bytraffic.so
LoadModule lbmethod_bybusyness_module modules/mod_lbmethod_bybusyness.so
LoadModule lbmethod_heartbeat_module modules/mod_lbmethod_heartbeat.so
LoadModule mpm_event_module modules/mod_mpm_event.so
LoadModule unixd_module modules/mod_unixd.so
#LoadModule heartbeat_module modules/mod_heartbeat.so
#LoadModule heartmonitor_module modules/mod_heartmonitor.so
#1 for svn
LoadModule dav_module modules/mod_dav.so
LoadModule status_module modules/mod_status.so
LoadModule autoindex_module modules/mod_autoindex.so
#LoadModule asis_module modules/mod_asis.so
#LoadModule info_module modules/mod_info.so
#LoadModule suexec_module modules/mod_suexec.so
#LoadModule cgid_module modules/mod_cgid.so
#LoadModule cgi_module modules/mod_cgi.so
#2 for svn
LoadModule dav_fs_module modules/mod_dav_fs.so
#LoadModule dav_lock_module modules/mod_dav_lock.so
#LoadModule vhost_alias_module modules/mod_vhost_alias.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule dir_module modules/mod_dir.so
#LoadModule imagemap_module modules/mod_imagemap.so
#LoadModule actions_module modules/mod_actions.so
#LoadModule speling_module modules/mod_speling.so
LoadModule userdir_module modules/mod_userdir.so
LoadModule alias_module modules/mod_alias.so
#LoadModule rewrite_module modules/mod_rewrite.so
#3 for svn
LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so
<IfModule unixd_module>
# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch.
# User/Group: The name (or #number) of the user/group to run httpd as.
# It is usually good practice to create a dedicated user and group for
# running httpd, as with most system services.
User http
Group http
</IfModule>
# 'Main' server configuration
# The directives in this section set up the values used by the 'main'
# server, which responds to any requests that aren't handled by a
# <VirtualHost> definition. These values also provide defaults for
# any <VirtualHost> containers you may define later in the file.
# All of these directives may appear inside <VirtualHost> containers,
# in which case these default settings will be overridden for the
# virtual host being defined.
# ServerAdmin: Your address, where problems with the server should be
# e-mailed. This address appears on some server-generated pages, such
# as error documents. e.g. [email protected]
ServerAdmin [email protected]
# ServerName gives the name and port that the server uses to identify itself.
# This can often be determined automatically, but we recommend you specify
# it explicitly to prevent problems during startup.
# If your host doesn't have a registered DNS name, enter its IP address here.
#ServerName www.example.com:80
# Deny access to the entirety of your server's filesystem. You must
# explicitly permit access to web content directories in other
# <Directory> blocks below.
<Directory />
AllowOverride none
Require all denied
</Directory>
# Note that from this point forward you must specifically allow
# particular features to be enabled - so if something's not working as
# you might expect, make sure that you have specifically enabled it
# below.
# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
DocumentRoot "/mnt/sda1"
#<Directory "/mnt/sda1/svn/repos">
# # Possible values for the Options directive are "None", "All",
# # or any combination of:
# # Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
# # Note that "MultiViews" must be named *explicitly* --- "Options All"#
# # doesn't give it to you.
# # The Options directive is both complicated and important. Please see
# # http://httpd.apache.org/docs/2.4/mod/core.html#options
# # for more information.#
# Options Indexes FollowSymLinks
# # AllowOverride controls what directives may be placed in .htaccess files.
# # It can be "All", "None", or any combination of the keywords:
# # AllowOverride FileInfo AuthConfig Limit
# AllowOverride None
# # Controls who can get stuff from this server.
# Require all granted
#</Directory>
# DirectoryIndex: sets the file that Apache will serve if a directory
# is requested.
<IfModule dir_module>
DirectoryIndex index.html
</IfModule>
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
<Files ".ht*">
Require all denied
</Files>
# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
# container, error messages relating to that virtual host will be
# logged here. If you *do* define an error logfile for a <VirtualHost>
# container, that host's errors will be logged there and not here.
ErrorLog "/var/log/httpd/error_log"
# LogLevel: Control the number of messages logged to the error_log.
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
<IfModule log_config_module>
# The following directives define some format nicknames for use with
# a CustomLog directive (see below).
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
<IfModule logio_module>
# You need to enable mod_logio.c to use %I and %O
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
</IfModule>
# The location and format of the access logfile (Common Logfile Format).
# If you do not define any access logfiles within a <VirtualHost>
# container, they will be logged here. Contrariwise, if you *do*
# define per-<VirtualHost> access logfiles, transactions will be
# logged therein and *not* in this file.
CustomLog "/var/log/httpd/access_log" common
# If you prefer a logfile with access, agent, and referer information
# (Combined Logfile Format) you can use the following directive.
#CustomLog "/var/log/httpd/access_log" combined
</IfModule>
<IfModule alias_module>
# Redirect: Allows you to tell clients about documents that used to
# exist in your server's namespace, but do not anymore. The client
# will make a new request for the document at its new location.
# Example:
# Redirect permanent /foo http://www.example.com/bar
# Alias: Maps web paths into filesystem paths and is used to
# access content that does not live under the DocumentRoot.
# Example:
# Alias /webpath /full/filesystem/path
# If you include a trailing / on /webpath then the server will
# require it to be present in the URL. You will also likely
# need to provide a <Directory> section to allow access to
# the filesystem path.
# ScriptAlias: This controls which directories contain server scripts.
# ScriptAliases are essentially the same as Aliases, except that
# documents in the target directory are treated as applications and
# run by the server when requested rather than as documents sent to the
# client. The same rules about trailing "/" apply to ScriptAlias
# directives as to Alias.
ScriptAlias /cgi-bin/ "/srv/http/cgi-bin/"
</IfModule>
<IfModule cgid_module>
# ScriptSock: On threaded servers, designate the path to the UNIX
# socket used to communicate with the CGI daemon of mod_cgid.
#Scriptsock cgisock
</IfModule>
# "/srv/http/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
<Directory "/srv/http/cgi-bin">
AllowOverride None
Options None
Require all granted
</Directory>
<IfModule mime_module>
# TypesConfig points to the file containing the list of mappings from
# filename extension to MIME-type.
TypesConfig conf/mime.types
# AddType allows you to add to or override the MIME configuration
# file specified in TypesConfig for specific file types.
#AddType application/x-gzip .tgz
# AddEncoding allows you to have certain browsers uncompress
# information on the fly. Note: Not all browsers support this.
#AddEncoding x-compress .Z
#AddEncoding x-gzip .gz .tgz
# If the AddEncoding directives above are commented-out, then you
# probably should define those extensions to indicate media types:
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
# AddHandler allows you to map certain file extensions to "handlers":
# actions unrelated to filetype. These can be either built into the server
# or added with the Action directive (see below)
# To use CGI scripts outside of ScriptAliased directories:
# (You will also need to add "ExecCGI" to the "Options" directive.)
#AddHandler cgi-script .cgi
# For type maps (negotiated resources):
#AddHandler type-map var
# Filters allow you to process content before it is sent to the client.
# To parse .shtml files for server-side includes (SSI):
# (You will also need to add "Includes" to the "Options" directive.)
#AddType text/html .shtml
#AddOutputFilter INCLUDES .shtml
</IfModule>
# The mod_mime_magic module allows the server to use various hints from the
# contents of the file itself to determine its type. The MIMEMagicFile
# directive tells the module where the hint definitions are located.
#MIMEMagicFile conf/magic
# Customizable error responses come in three flavors:
# 1) plain text 2) local redirects 3) external redirects
# Some examples:
#ErrorDocument 500 "The server made a boo boo."
#ErrorDocument 404 /missing.html
#ErrorDocument 404 "/cgi-bin/missing_handler.pl"
#ErrorDocument 402 http://www.example.com/subscription_info.html
# MaxRanges: Maximum number of Ranges in a request before
# returning the entire resource, or one of the special
# values 'default', 'none' or 'unlimited'.
# Default setting is to accept 200 Ranges.
#MaxRanges unlimited
# EnableMMAP and EnableSendfile: On systems that support it,
# memory-mapping or the sendfile syscall may be used to deliver
# files. This usually improves server performance, but must
# be turned off when serving from networked-mounted
# filesystems or if support for these functions is otherwise
# broken on your system.
# Defaults: EnableMMAP On, EnableSendfile Off
#EnableMMAP off
#EnableSendfile on
# Supplemental configuration
# The configuration files in the conf/extra/ directory can be
# included to add extra features or to modify the default configuration of
# the server, or you may simply copy their contents here and change as
# necessary.
# Server-pool management (MPM specific)
Include conf/extra/httpd-mpm.conf
# Multi-language error messages
Include conf/extra/httpd-multilang-errordoc.conf
# Fancy directory listings
Include conf/extra/httpd-autoindex.conf
# Language settings
Include conf/extra/httpd-languages.conf
# User home directories
Include conf/extra/httpd-userdir.conf
# Real-time info on requests and configuration
#Include conf/extra/httpd-info.conf
# Virtual hosts
#Include conf/extra/httpd-vhosts.conf
# Local access to the Apache HTTP Server Manual
#Include conf/extra/httpd-manual.conf
# Distributed authoring and versioning (WebDAV)
#Include conf/extra/httpd-dav.conf
# Various default settings
Include conf/extra/httpd-default.conf
# Configure mod_proxy_html to understand HTML4/XHTML1
<IfModule proxy_html_module>
Include conf/extra/proxy-html.conf
</IfModule>
# Secure (SSL/TLS) connections
Include /etc/httpd/conf/extra/httpd-ssl.conf
# Note: The following must must be present to support
# starting without SSL on platforms with no /dev/random equivalent
# but a statically compiled-in mod_ssl.
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>
# uncomment out the below to deal with user agents that deliberately
# violate open standards by misusing DNT (DNT *must* be a specific
# end-user choice)
#<IfModule setenvif_module>
#BrowserMatch "MSIE 10.0;" bad_DNT
#</IfModule>
#<IfModule headers_module>
#RequestHeader unset DNT env=bad_DNT
#</IfModule>
Edit: inserted tl;dr
Last edited by arch_on_pi (2014-05-18 21:33:24)Remember that Arch Arm is a different distribution, but we try to bend the rules and provide limited support for them. This may or may not be unique to Arch Arm, so you might try asking on their forums as well.
-
Custom Authentication With Identity Store
Hi everyone,
I faced a problem with login function of my portal (Webcenter Application). The Problem is:
- Allow the users logging in by user that store in another system. I must communicate using low level of socket. This really is not a problem.
- If user logged in, for first time of logging in, i must store them in some identity store (Maybe tables database).
- View Users in Weblogic Console. To do that, i known that i must implemeted something that i dont what that are.
Here are my work:
- I Created a Custom Authentication Provider. And configuration in Admin Console. But i don't know what are that i should implementing to View user & group in Admin Console.
- I Cannot logging in: After i created simple application for testing, i cannot logging in even i tested with SQLAuthenticator Provider and original DefaultProvider. In Logging Console, I saw every I Printed In The Code of Login Module.
Here are my Code:
<?xml version="1.0" ?>
<MBeanType Name = "OrkitVASPortal" DisplayName = "OrkitVASPortal"
Package = "orkit"
Extends = "weblogic.management.security.authentication.Authenticator"
PersistPolicy = "OnUpdate">
<MBeanAttribute
Name = "ProviderClassName"
Type = "java.lang.String"
Writeable = "false"
Default = ""orkit.OrkitVASPortalProviderImpl""
/>
<MBeanAttribute
Name = "Description"
Type = "java.lang.String"
Writeable = "false"
Default = ""WebLogic Simple Sample Audit Provider""
/>
<MBeanAttribute
Name = "Version"
Type = "java.lang.String"
Writeable = "false"
Default = ""1.0""
/>
<MBeanAttribute
Name = "LogFileName"
Type = "java.lang.String"
Default = ""SimpleSampleAuditor.log""
/>
</MBeanType>
package orkit;
import java.util.HashMap;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import weblogic.management.security.ProviderMBean;
import weblogic.security.provider.PrincipalValidatorImpl;
import weblogic.security.spi.*;
public final class OrkitVASPortalProviderImpl implements AuthenticationProviderV2 {
private String description;
private LoginModuleControlFlag controlFlag;
public OrkitVASPortalProviderImpl() {
System.out.println("The Orkit VASPortal Provider Implemented!!!!!");
@Override
public IdentityAsserterV2 getIdentityAsserter() {
return null;
// Our mapping of users to passwords/groups, instead of being in LDAP or in a
// database, is represented by a HashMap of MyUserDetails objects..
public class MyUserDetails {
String pw;
String group;
// We use this to represent the user's groups and passwords
public MyUserDetails(String pw, String group) {
this.pw = pw;
this.group = group;
public String getPassword() {
return pw;
public String getGroup() {
return group;
// This is our database
private HashMap userGroupMapping = null;
public void initialize(ProviderMBean mbean, SecurityServices services) {
System.out.println("The Orkit VASPortal Provider is intializing......");
OrkitVASPortalMBean myMBean = (OrkitVASPortalMBean) mbean;
description = myMBean.getDescription() + "\n" + myMBean.getVersion();
System.err.println("#In realm:" + myMBean.getRealm().wls_getDisplayName());
// We would typically use the realm name to find the database
// we want to use for authentication. Here, we just create one.
userGroupMapping = new HashMap();
userGroupMapping.put("a", new MyUserDetails("passworda", "g1"));
userGroupMapping.put("b", new MyUserDetails("passwordb", "g2"));
userGroupMapping.put("system", new MyUserDetails("12341234",
"Administrators"));
String flag = myMBean.getControlFlag();
if (flag.equalsIgnoreCase("REQUIRED")) {
controlFlag = LoginModuleControlFlag.REQUIRED;
} else if (flag.equalsIgnoreCase("OPTIONAL")) {
controlFlag = LoginModuleControlFlag.OPTIONAL;
} else if (flag.equalsIgnoreCase("REQUISITE")) {
controlFlag = LoginModuleControlFlag.REQUISITE;
} else if (flag.equalsIgnoreCase("SUFFICIENT")) {
controlFlag = LoginModuleControlFlag.SUFFICIENT;
} else {
throw new IllegalArgumentException("Invalid control flag " + flag);
public AppConfigurationEntry getLoginModuleConfiguration() {
HashMap options = new HashMap();
options.put("usermap", userGroupMapping);
System.out.println("UserMap: " + options);
return new AppConfigurationEntry(
"orkit.OrkitVASPortalLoginModule",
controlFlag, options);
public String getDescription() {
return description;
public PrincipalValidator getPrincipalValidator() {
return new PrincipalValidatorImpl();
public AppConfigurationEntry getAssertionModuleConfiguration() {
return null;
// public IdentityAsserter getIdentityAsserter() {
// return null;
public void shutdown() {
* To change this template, choose Tools | Templates
* and open the template in the editor.
package orkit;
import orkit.OrkitVASPortalProviderImpl;
import java.io.IOException;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
import weblogic.security.principal.WLSGroupImpl;
import weblogic.security.principal.WLSUserImpl;
* This login module will be called by our Authentication Provider. It assumes
* that the option, usermap, will be passed which contains the map of users to
* passwords and groups.
public class OrkitVASPortalLoginModule implements LoginModule {
private Subject subject;
private CallbackHandler callbackHandler;
private HashMap userMap;
// Authentication status
private boolean loginSucceeded;
private boolean principalsInSubject;
private Vector principalsBeforeCommit = new Vector();
public void initialize(Subject subject, CallbackHandler callbackHandler,
Map sharedState, Map options) {
this.subject = subject;
this.callbackHandler = callbackHandler;
// Fetch user/password map that should be set by the authenticator
userMap = (HashMap) options.get("usermap");
* Called once after initialize to try and log the person in
public boolean login() throws LoginException {
// First thing we do is create an array of callbacks so that
// we can get the data from the user
Callback[] callbacks;
callbacks = new Callback[2];
callbacks[0] = new NameCallback("username: ");
callbacks[1] = new PasswordCallback("password: ", false);
try {
callbackHandler.handle(callbacks);
} catch (IOException eio) {
throw new LoginException(eio.toString());
} catch (UnsupportedCallbackException eu) {
throw new LoginException(eu.toString());
String username = ((NameCallback) callbacks[0]).getName();
System.out.println("Username: " + username);
char[] pw = ((PasswordCallback) callbacks[1]).getPassword();
String password = new String(pw);
System.out.println("PASSWORD: " + password);
if (username.length() > 0) {
if (!userMap.containsKey(username)) {
throw new FailedLoginException("Authentication Failed: Could not find user:" + username);
}else{
System.out.println("Contstainded Username");
String realPassword = ((OrkitVASPortalProviderImpl.MyUserDetails) userMap.get(username)).getPassword();
if (realPassword == null || !realPassword.equals(password)) {
throw new FailedLoginException("Authentication Failed: Password incorrect for user" + username);
}else{
System.out.println("Everyitng OKIE");
} else {
// No Username, so anonymous access is being attempted
loginSucceeded = true;
// We collect some principals that we would like to add to the user
// once this is committed.
// First, we add his username itself
principalsBeforeCommit.add(new WLSUserImpl(username));
// Now we add his group
principalsBeforeCommit.add(new WLSGroupImpl(((OrkitVASPortalProviderImpl.MyUserDetails) userMap.get(username)).getGroup()));
return loginSucceeded;
public boolean commit() throws LoginException {
if (loginSucceeded) {
subject.getPrincipals().removeAll(principalsBeforeCommit);
principalsInSubject = true;
return true;
} else {
return false;
public boolean abort() throws LoginException {
if (principalsInSubject) {
subject.getPrincipals().removeAll(principalsBeforeCommit);
principalsInSubject = false;
return true;
public boolean logout() throws LoginException {
return true;
}and OrkitVASPortalMBean & OrkitVASPortalImpl class created by MBeanMaker tool.
Can someome help.
Thank you very much!When i login with the password and username from my custom authentication provider, my login module check ok, but logon form still there.
-
I Need PHP 5.3 no longer avail in a VC6 compatable with Apache 2.2.15
I appologize if this question is already answered somewhere (I did search a bit)..
1. I have written a significant amount of my site using functions only available in PHP 5.3+ (ie not in PHP5.2)
( see php.net /manual/en/migration53.new-features.php )
2. PHP (in thier infinite wisdom) have decicided that not only is there no longer a VC6 (ie Apache 2.2.15 compatable) build of php 5.3.6 but they removed the 5.3.3 build and are offering only 5.2.17 in a VC6 build suitable for use with the version of Apache built into FMS4.
(see windows.php.net/download/ and note the lines:
Do NOT use VC9 version with apache.org binaries.
and
VC9 versions of Apache can be fetched at Apache Lounge. We use their binaries to build the Apache SAPIs.)
3. The FMS4 documentation says:
(see help.adobe.com/en_US/flashmediaserver/configadmin/WSE2A5A7B9-E118-496f-92F9-E295038DB7DB. html#WS02f7d8d4857b1677-469e53bb12984254411-8000
The recommended approach to upgrading the Apache web server is to install or build the Apache server in a directory that is separate from the existing server. Then copy the contents of newly-installed directories to the existing server.
In most cases, you do not replace the existing Apache configuration files with the newer versions of these files. This is because the Apache web server installation for Flash Media Server is pre-configured with specific modules and settings.)
My Question is:
Does this even work? I sounds like a REALY BAD idea to me to instal a version of Apache built to use the Visual C 9 runtime and then kludge in an httpd.conf file that starts loading modules that were built to interact with a version that uses the Visual C 6 library. Has anyone actually done this successfully???
I don't blame the FMS developers here (well except for the really bad idea of making Apache "part" of the FMS package in the first place) but you a shipping with a version of Apache that is incompatable with PHP! (OK, the _latest versions_ of PHP.. but that still makes this _your_ problem.. and a big problem at that if you ask me).
Suggestions?# This section includes everything in the Apache 2.2.19 httpd.conf file's module load section.
# The modules named in the FMS version of the httpd.conf file are _almost_ a subset of the 2.2.19 collection but
# many statements are "live" only in the FMS version.
# The numbers in parentheses are line numbers in the indicated httpd.conf file
# 2.2.19(60) LoadModule actions_module modules/mod_actions.so
# FMS(136)
LoadModule actions_module modules/mod_actions.so
# 2.2.19(61) LoadModule alias_module modules/mod_alias.so
# FMS(137)
LoadModule alias_module modules/mod_alias.so
# 2.2.19(62) LoadModule asis_module modules/mod_asis.so
# FMS(138)
LoadModule asis_module modules/mod_asis.so
# 2.2.19(63) LoadModule auth_basic_module modules/mod_auth_basic.so
# FMS(139)
LoadModule auth_basic_module modules/mod_auth_basic.so
# 2.2.19(64) #LoadModule auth_digest_module modules/mod_auth_digest.so
# FMS(140)
LoadModule auth_digest_module modules/mod_auth_digest.so
# 2.2.19(65) #LoadModule authn_alias_module modules/mod_authn_alias.so
# 2.2.19(66) #LoadModule authn_anon_module modules/mod_authn_anon.so
# FMS(141)
LoadModule authn_anon_module modules/mod_authn_anon.so
# 2.2.19(67) #LoadModule authn_dbd_module modules/mod_authn_dbd.so
# 2.2.19(68) #LoadModule authn_dbm_module modules/mod_authn_dbm.so
# FMS(142) #LoadModule authn_dbm_module modules/mod_authn_dbm.so
# 2.2.19(69) LoadModule authn_default_module modules/mod_authn_default.so
# FMS(143)
LoadModule authn_default_module modules/mod_authn_default.so
# 2.2.19(70) LoadModule authn_file_module modules/mod_authn_file.so
# FMS(144)
LoadModule authn_file_module modules/mod_authn_file.so
# 2.2.19(71) #LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
# 2.2.19(72) #LoadModule authz_dbm_module modules/mod_authz_dbm.so
# FMS(145) #LoadModule authz_dbm_module modules/mod_authz_dbm.so
# 2.2.19(73) LoadModule authz_default_module modules/mod_authz_default.so
# FMS(146)
LoadModule authz_default_module modules/mod_authz_default.so
# 2.2.19(74) LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
# FMS(147)
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
# 2.2.19(75) LoadModule authz_host_module modules/mod_authz_host.so
# FMS(148)
LoadModule authz_host_module modules/mod_authz_host.so
# 2.2.19(76) #LoadModule authz_owner_module modules/mod_authz_owner.so
# 2.2.19(77) LoadModule authz_user_module modules/mod_authz_user.so
# FMS(149)
LoadModule authz_user_module modules/mod_authz_user.so
# 2.2.19(78) LoadModule autoindex_module modules/mod_autoindex.so
# FMS(150)
LoadModule autoindex_module modules/mod_autoindex.so
# 2.2.19(79) #LoadModule cache_module modules/mod_cache.so
# 2.2.19(80) #LoadModule cern_meta_module modules/mod_cern_meta.so
# FMS(151) #LoadModule cern_meta_module modules/mod_cern_meta.so
# 2.2.19(81) LoadModule cgi_module modules/mod_cgi.so
# FMS(152..154)
<IfModule mpm_winnt_module>
LoadModule cgi_module modules/mod_cgi.so
</IfModule>
# FMS(155..157)
<IfModule worker_module>
LoadModule cgid_module modules/mod_cgid.so
</IfModule>
# 2.2.19(82) #LoadModule charset_lite_module modules/mod_charset_lite.so
# 2.2.19(83) #LoadModule dav_module modules/mod_dav.so
# FMS(158)
LoadModule dav_module modules/mod_dav.so
# 2.2.19(84) #LoadModule dav_fs_module modules/mod_dav_fs.so
# FMS(159)
LoadModule dav_fs_module modules/mod_dav_fs.so
# 2.2.19(85) #LoadModule dav_lock_module modules/mod_dav_lock.so
# 2.2.19(86) #LoadModule dbd_module modules/mod_dbd.so
# 2.2.19(87) #LoadModule deflate_module modules/mod_deflate.so
# FMS(160)
LoadModule deflate_module modules/mod_deflate.so
# 2.2.19(88) LoadModule dir_module modules/mod_dir.so
# FMS(161)
LoadModule dir_module modules/mod_dir.so
# 2.2.19(89) #LoadModule disk_cache_module modules/mod_disk_cache.so
# 2.2.19(90) #LoadModule dumpio_module modules/mod_dumpio.so
# 2.2.19(91) LoadModule env_module modules/mod_env.so
# FMS(162)
LoadModule env_module modules/mod_env.so
# 2.2.19(92) #LoadModule expires_module modules/mod_expires.so
# FMS(163) #LoadModule expires_module modules/mod_expires.so
# 2.2.19(93) #LoadModule ext_filter_module modules/mod_ext_filter.so
# 2.2.19(94) #LoadModule file_cache_module modules/mod_file_cache.so
# FMS(164) #LoadModule file_cache_module modules/mod_file_cache.so
# 2.2.19(95) #LoadModule filter_module modules/mod_filter.so
# 2.2.19(96) #LoadModule headers_module modules/mod_headers.so
# FMS(165) #LoadModule headers_module modules/mod_headers.so
# 2.2.19(97) #LoadModule ident_module modules/mod_ident.so
# 2.2.19(98) #LoadModule imagemap_module modules/mod_imagemap.so
# FMS(166)
LoadModule imagemap_module modules/mod_imagemap.so
# 2.2.19(99) LoadModule include_module modules/mod_include.so
# FMS(167)
LoadModule include_module modules/mod_include.so
# 2.2.19(100) #LoadModule info_module modules/mod_info.so
# FMS(168)
LoadModule info_module modules/mod_info.so
# 2.2.19(101) LoadModule isapi_module modules/mod_isapi.so
# FMS(169..171)
<IfModule mpm_winnt_module>
LoadModule isapi_module modules/mod_isapi.so
</IfModule>
# 2.2.19(102) #LoadModule ldap_module modules/mod_ldap.so
# 2.2.19(103) #LoadModule logio_module modules/mod_logio.so
# 2.2.19(104) LoadModule log_config_module modules/mod_log_config.so
# FMS(172)
LoadModule log_config_module modules/mod_log_config.so
# 2.2.19(105) #LoadModule log_forensic_module modules/mod_log_forensic.so
# 2.2.19(106) #LoadModule mem_cache_module modules/mod_mem_cache.so
# 2.2.19(107) LoadModule mime_module modules/mod_mime.so
# FMS(173)
LoadModule mime_module modules/mod_mime.so
# 2.2.19(108) #LoadModule mime_magic_module modules/mod_mime_magic.so
# FMS(174)
LoadModule mime_magic_module modules/mod_mime_magic.so
# 2.2.19(109) LoadModule negotiation_module modules/mod_negotiation.so
# FMS(181)
LoadModule negotiation_module modules/mod_negotiation.so
# 2.2.19(110) #LoadModule proxy_module modules/mod_proxy.so
# FMS(175) #LoadModule proxy_module modules/mod_proxy.so
# 2.2.19(111) #LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
# FMS(176) #LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
# 2.2.19(112) #LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
# FMS(177) #LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
# 2.2.19(113) #LoadModule proxy_connect_module modules/mod_proxy_connect.so
# FMS(178) #LoadModule proxy_connect_module modules/mod_proxy_connect.so
# 2.2.19(114) #LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
# FMS(180) #LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
# 2.2.19(115) #LoadModule proxy_http_module modules/mod_proxy_http.so
# FMS(179) #LoadModule proxy_http_module modules/mod_proxy_http.so
# 2.2.19(116) #LoadModule proxy_scgi_module modules/mod_proxy_scgi.so
# 2.2.19(117) #LoadModule reqtimeout_module modules/mod_reqtimeout.so
# 2.2.19(118) #LoadModule rewrite_module modules/mod_rewrite.so
# FMS(182)
LoadModule rewrite_module modules/mod_rewrite.so
# 2.2.19(119) LoadModule setenvif_module modules/mod_setenvif.so
# FMS(183)
LoadModule setenvif_module modules/mod_setenvif.so
# 2.2.19(120) #LoadModule speling_module modules/mod_speling.so
# FMS(184) #LoadModule speling_module modules/mod_speling.so
# 2.2.19(121) #LoadModule ssl_module modules/mod_ssl.so
# FMS(190) #LoadModule ssl_module modules/mod_ssl.so
# 2.2.19(122) #LoadModule status_module modules/mod_status.so
# FMS(185)
LoadModule status_module modules/mod_status.so
# 2.2.19(123) #LoadModule substitute_module modules/mod_substitute.so
# 2.2.19(124) #LoadModule unique_id_module modules/mod_unique_id.so
# FMS(186)
LoadModule unique_id_module modules/mod_unique_id.so
# 2.2.19(125) #LoadModule userdir_module modules/mod_userdir.so
# FMS(187)
LoadModule userdir_module modules/mod_userdir.so
# 2.2.19(126) #LoadModule usertrack_module modules/mod_usertrack.so
# FMS(188) #LoadModule usertrack_module modules/mod_usertrack.so
# 2.2.19(127) #LoadModule version_module modules/mod_version.so
# 2.2.19(128) #LoadModule vhost_alias_module modules/mod_vhost_alias.so
# FMS(189) #LoadModule vhost_alias_module modules/mod_vhost_alias.so
# FMS(191)
LoadModule f4fhttp_module modules/mod_f4fhttp.so
# This section includes items that appear in _BOTH_ in the FMS version of httpd.conf and the 2.2.19 version
# The numbers in parentheses are line numbers in the indicated httpd.conf file.
# In some case the lines appear identically in both versions.
# In some case the changes are not simple alternatives (see mpm_winnt_module for example)
# 2.2.19(46)
# Listen 80
# FMS(12)
Listen 8134
# 2.2.19(130..144)
# <IfModule !mpm_netware_module>
# <IfModule !mpm_winnt_module>
# User daemon
# Group daemon
# </IfModule>
# </IfModule>
# FMS(123..126)
<IfModule mpm_winnt_module>
ThreadsPerChild 250
MaxRequestsPerChild 0
</IfModule>
# 2.2.19(179)
# DocumentRoot "c:/Apache2/htdocs"
# FMS(39)
DocumentRoot "../webroot"
# 2.2.19(189..194)
# <Directory />
# Options FollowSymLinks
# AllowOverride None
# Order deny,allow
# Deny from all
# </Directory>
# FMS(43..50)
<Directory />
Options FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
Satisfy all
</Directory>
# 2.2.19(206..234)
# <Directory "c:/Apache2/htdocs">
# Options Indexes FollowSymLinks
# AllowOverride None
# Order allow,deny
# Allow from all
# </Directory>
# FMS(51..56)
<Directory "../webroot">
Options -Indexes FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>
# 2.2.19(240.242)
# <IfModule dir_module>
# DirectoryIndex index.html
# </IfModule>
# FMS(41)
DirectoryIndex index.html index.html.var index.php index.php3 index.php4 index.php5 index.py index.pl index.rb
# 2.2.19(248..252)
# <FilesMatch "^\.ht">
# Order allow,deny
# Deny from all
# Satisfy All
# </FilesMatch>
# FMS(118..121)
<FilesMatch "^\.ht">
Order allow,deny
Deny from all
</FilesMatch>
# 2.2.19(261)
# ErrorLog "logs/error.log"
# FMS(34)
ErrorLog logs/error_log
# 2.2.19(268)
# LogLevel warn
# FMS(35)
LogLevel info
# 2.2.19(270..297)
# <IfModule log_config_module>
# LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
# LogFormat "%h %l %u %t \"%r\" %>s %b" common
# <IfModule logio_module>
# LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
# </IfModule>
# CustomLog "logs/access.log" common
# </IfModule>
# FMS(36..37)
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
CustomLog logs/access_log combined
# 2.2.19(299..328)
# <IfModule alias_module>
# ScriptAlias /cgi-bin/ "c:/Apache2/cgi-bin/"
# </IfModule>
# FMS(77)
ScriptAlias /cgi-bin/ "cgi-bin/"
# 2.2.19(342..347)
# <Directory "c:/Apache2/cgi-bin">
# AllowOverride None
# Options None
# Order allow,deny
# Allow from all
# </Directory>
# FMS(78..83)
<Directory "cgi-bin">
AllowOverride None
Options None
Order allow,deny
Allow from all
</Directory>
# 2.2.19(358)
# DefaultType text/plain
# FMS(196)
DefaultType text/plain
# 2.2.19(360..406)
# <IfModule mime_module>
# TypesConfig conf/mime.types
# #AddEncoding x-compress .Z
# #AddEncoding x-gzip .gz .tgz
# AddType application/x-compress .Z
# AddType application/x-gzip .gz .tgz
# #AddHandler cgi-script .cgi
# #AddHandler type-map var
# #AddType text/html .shtml
# #AddOutputFilter INCLUDES .shtml
# </IfModule>
# FMS(194)
TypesConfig conf/mime.types
# FMS(200..201)
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
# FMS(204..206)
AddHandler type-map var
AddType text/html .shtml
AddOutputFilter INCLUDES .shtml
# 2.2.19(413)
#MIMEMagicFile conf/magic
# FMS(195)
MIMEMagicFile conf/magic
# 2.2.19(474..484)
# <IfModule ssl_module>
# SSLRandomSeed startup builtin
# SSLRandomSeed connect builtin
# </IfModule>
# FMS(208.211)
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule> -
After upgrade resin no longer works with Apache!BIG ISSUE
Hi Af!
After the huge update - i ran into some big issue's !!!
Normaly i have apache,php and resin running. but now with the "new" apache - it can no longer accept resin's mod_caucho.so?
Running apachectl -t gives an error:
configerror at line 428 - mod_caucho.so cannot load the module - its proberly been garbled - perhaps this is not a reguar apache DSO module.
(this is not the correct error - but close - i've shut it down - becaurse people are able to se the code)
Normally this have worked fine - Apache is accepting the mod.so and have compiled resin from the button after - just for trying!
Have anybody got an idea about this!
thanks
PequeWell - here's an update !
Now I have tried to get the old version of Apache - but still that doesen't help me.
After a total install(clean - 0.7.2 ) i do a pacman -Syu to get the final steps uptodate!! Afterwards i do
pacman -U apache.2.0.55
installing that (missing expat) so installing that to!
Afterwards I'm trying to install Resin - and get the error its a bad apxs! so go back to the old configuration is out of the question!
So what have been going so wrong that I'm not able to have a running Apache server along with Resin to handle my jsp pages!
I know others use tomcat - but I have never tried this - and loves Resin! Does anybody have an answer for this part!!!!!
Please help ! I have a quite a lot of pages that are not online at this point!
Peque -
I have recently upgraded a clients servers to Windows Server 2012 & since doing so have lost the ability to scan to folder.
Both servers are domain controllers and previously on a 2008 domain controller I would have had to make the following change to allow scan to folder:
Administrative Tools
Server Manager
Features
Group Policy Manager
Forest: ...
Default Domain Policy
Computer configuration
Policies
Windows Settings
Security Settings
Local Policies
Security Options
Microsoft Network Server: Digitally Sign Communications (Always)
- Define This Policy
- Disabled
However I have applied this to the Windows 2012 server but am still unable to scan, possibly due to added layers of security in server 2012. The error on the scanner is Authentication with the destination has failed check settings.
I have also tried the following at the server:
Policies -> Security Policies
Change Network Security: LAN Manager authentication level to: Send LM & NTLM - Use NTLMv2 session security if negotiated.
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients and uncheck the require 128 bit.
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers and uncheck the require 128 bit
I have created a user account on the server for the ricoh and set this in the settiings of the Ricoh and verified everything is correct.
Are there any other things I have missed?I can email anybody the firmware module if interested and how to...
Tell me your model and email
If your offer still stands we have an Aficio MP C3300
Firmwareversion
Modulnavn Version Delnummer
System/Copy 1.13 D0255562H
Network Support 8.16.1 D0255563D
Font EXP 1.03 D0255588
OptionPCLFont 1.02 D0255589
animation 1.3.1 D0255568A
Fax 01.10.00 D0255569B
RemoteFax 01.10.00 D0255564B
Printer 1.11 D0255572A
RPCS 3.7.5.4.1 D0255574A
Option PCL 1.00 D0255580A
Scanner 01.17 D0255570C
Network DocBox 1.00 D0255567B
Web Support 1.06 D0255565B
Web Uapl 1.07 D0255566C
libcvm(v4) 4.13 D4135765B
GWFCU3-13(WW) 03.00.00 D3935570C
PowerSaving Sys 1.10 D0255560C
Engine 1.51:09 D0255117E
OpePanel 1.03 D0251492A
LANG0 1.03 D0251496
LANG1 1.03 D0251496
ADF 03.420:02 D3665604
Finisher 01.090:03 D3725112
Best Regards/
Henrik Plougstad
henrik(a)pieroth.dk -
Policy agent 2.2 amfilter local authentication with session binding failed
Hi All,
I have policy agent 2.2 for weblogic 8.1 sp4 installed on redhat linux. All are working fine in my development box. But I was running all the process under user root, so today I decided to change it to a regular user, joe. I changed all the files' owner for weblogic server and policy agent from root to joe, and restart server as user Joe. After the change, I can not access the application on Weblogic server. I changed file ownership back to root and restart weblogic server as root, still same error.
Here is the error I got:
10.4.4 403 Forbidden
The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated. If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity. This status code is commonly used when the server does not wish to reveal exactly why the request has been refused, or when no other response is applicable.
Here is the error I found from agent log file, amFilter:
AmFilter: now processing: SSO Task Handler
05/24/2006 06:27:08:127 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
SSOTaskHandler: caching SSO Token for user uid=amAdmin,ou=People,dc=etouch,dc=net
05/24/2006 06:27:08:127 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
AmBaseSSOCache: cached the sso token for user principal : uid=amadmin,ou=people,dc=etouch,dc=net sso token: AQIC5wM2LY4Sfcx4XY/x/M7G1Y3ScVjFj8E3oT0BV45mh0Q=@AAJTSQACMDE=#, cache size = 1
05/24/2006 06:27:08:127 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
SSOTaskHandler: SSO Validation successful for uid=amAdmin,ou=People,dc=etouch,dc=net
05/24/2006 06:27:08:128 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
AmFilter: now processing: J2EE Local Logout Task Handler
05/24/2006 06:27:08:128 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
AmFilter: local logout skipped SSO User => amAdmin, principal =>null
05/24/2006 06:27:08:128 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
AmFilter: now processing: J2EE Local Auth Task Handler
05/24/2006 06:27:08:128 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
LocalAuthTaskHandler: No principal found. Initiating local authentication for amAdmin
05/24/2006 06:27:08:128 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
LocalAuthTaskHandler: doing local authentication with session binding
05/24/2006 06:27:08:129 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
LocalAuthTaskHandler: Local authentication failed, invalidating session.05/24/2006 06:27:08:129 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
WARNING: LocalAuthTaskHandler: Local authentication failed for : /portal/index.jsp, SSO Token: AQIC5wM2LY4Sfcx4XY/x/M7G1Y3ScVjFj8E3oT0BV45mh0Q=@AAJTSQACMDE=#
05/24/2006 06:27:08:129 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
AmFilter: result =>
FilterResult:
Status : FORBIDDEN
RedirectURL : null
RequestHelper:
null
Data:
null
-----------------------------------------------------------Hi,
I'm having the exact same problem in the Prod environment, but on a Sun App Server. In development all is fine, in prod we now have:
ERROR: AmFilter: Error while delegating to inbound handler: J2EE Local Auth Task Handler, access will be denied
java.lang.IllegalStateException: invalidate: Session already invalidated
at org.apache.catalina.session.StandardSession.invalidate(StandardSession.java:1258)
at org.apache.catalina.session.StandardSessionFacade.invalidate(StandardSessionFacade.java:164)
at com.sun.identity.agents.filter.LocalAuthTaskHandler.doLocalAuthWithSessionBinding(LocalAuthTaskHandler.java:289)
at com.sun.identity.agents.filter.LocalAuthTaskHandler.authenticate(LocalAuthTaskHandler.java:159)
at com.sun.identity.agents.filter.LocalAuthTaskHandler.process(LocalAuthTaskHandler.java:106)
at com.sun.identity.agents.filter.AmFilter.processTaskHandlers(AmFilter.java:185)
at com.sun.identity.agents.filter.AmFilter.isAccessAllowed(AmFilter.java:152)
at com.sun.identity.agents.filter.AmAgentBaseFilter.doFilter(AmAgentBaseFilter.java:38)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:161)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:157)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:263)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:551)
at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:225)
FilterResult:
Status : FORBIDDEN
RedirectURL : null
RequestHelper:
null
Data:
null
Also, we I debug I see:
LocalAuthTaskHandler: No principal found. Initiating local authentication for ...
Did you receive any solution for this?
Many, many thanks,
Philip -
Integrating tomcat 5.0.28 with apache web server 2.2
hi all
i tried a lot on net but could not get the steps for
connctivity between tomcat 5.0.28 with apache web server 2.2.
any one pzl do help me in finding the solution
pzl do tel me the step by step process for this connectivity
sushi :-)
you need jk modules ;-)
i havent try the integrating the version of apache web
and tomcat you specify but you can refer to the links below :-)
gudluck :-)
http://www.serverwatch.com/tutorials/article.php/2203891
http://www.onjava.com/lpt/a/2826
http://raibledesigns.com/tomcat/
regards, -
Portal authentication using two login module stacks?
G'day,
I am noticing something odd when I authenticate to the portal: there are two login module stacks used.
Background: I have created a custom logon page, which is basically a form with username/password input as per [this guide|http://help.sap.com/saphelp_nw04/helpdata/en/62/601e1eebf54ca6a97e2873c8c63517/content.htm|Changing the logon screen]. I then modified the authschemes.xml file by defining a new authscheme "mylogon" that uses my own login module stack ("mystack") and uses the new logon page ("mylogonform"). This new authscheme is then made the default reference:
<authscheme name="mylogon">
<authentication-template>mystack</authentication-template>
<priority>21</priority>
<frontendtype>2</frontendtype>
<frontendtarget>com.foo.bar.mylogonpage</frontendtarget>
</authscheme>
<authscheme-refs>
<authscheme-ref name="default"><authscheme>mylogon</authscheme></authscheme-ref>
<authscheme-ref name="UserAdminScheme"><authscheme>mylogon</authscheme></authscheme-ref>
</authscheme-refs>
When I want to access the portal, up pops the "mylogonform" page, and on clicking the "submit" button the portal page for the user is shown.
Now here is the interesting thing: when the "ticket" login module stack is unchanged (ie. it uses the BasicpasswordLoginModule), then the log shows that authentication to the portal uses just my login module.
This can be seen as follows, where I navigate to the portal, logon as one user, then logoff and logon as another user:
Message : LOGIN.OK
User: tu-1
Authentication Stack: mystack
Message : LOGOUT.OK
User: tu-1
Authentication Stack: mystack
Message : LOGIN.OK
User: Administrator
Authentication Stack: mystack
The "mylogonform" page is shown when logon is required in both cases.
However, if I modify the "ticket" login module stack by replacing the BasicPasswordLogonModule with a custom logon module that does automatic authentication, then the following is observed when the "mylogonform" page is displayed:
Message : LOGIN.FAILED
User: N/A
Authentication Stack: ticket
Message : LOGIN.OK
User: tu-1
Authentication Stack: ticket
For some reason, the modified "ticket" login module stack is now being executed, which was not the case when this login module stack was unmodified.
This stack automatically authenticates the current user (the initial failure is because the new login module asks the browser to send authentication data), and this "failure" causes the logon form to be displayed.
I can logon to the portal as the same user, and the logs show that "mystack" login module stack is used:
Message : LOGIN.OK
User: tu-1
Authentication Stack: mystack
Logoff shows that "mystack" is used for the actual logoff, but "ticket" is called again automatically and succeeds:
Message : LOGOUT.OK
User: tu-1
Authentication Stack: mystack
Message : LOGIN.FAILED
User: N/A
Authentication Stack: ticket
Message : LOGIN.OK
User: tu-1
Authentication Stack: ticket
(Again, the initial logon failure is the new login module requesting that the browser send authentication data in the next request).
This brings up the "mylogonform" page, even though it appears that a user has already been authenticated. If I try to logon as another user, the following is shown:
Message : LOGIN.FAILED
User: Administrator
Authentication Stack: mystack
Login Module Flag Initialize Login Commit Abort Details
com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok exception false true authscheme not sufficient: basicauthentication<mylogonform
Central Checks exception Call logout before login.
I guess one cannot authenticate as a new user until the current user has been logged out.
So ... why does the "ticket" login module get called in the second case, but not in the first case (or only shows logging in the second case) ?
What is the logic behind portal authentication and showing a logon page?
If I want to use custom authentication and a custom logon page, why is the "ticket" stack called at all?Jayesh,
there is no such thing like "login module stacks". The <b>do</b> exist on the other hand:
- login module
- logon stacks
Login module and logon stacks are part of the JAAS concept for defining a complex pluggable authentication scheme, original by SUN (see: java.sun.com/products/jaas)
A logon process is defined by a logon stack which itself consists of several login modules. Each login module performs an authentication step. Example:
login module 1: check if valid sap logon ticket provided
if module 1 fails: then login module 2: request user id/password
if module 2 succeeds: then login module 3: create new sap logon ticket for user
You can define multiple logon stacks and configure individual applications to use the one stack or the other.
The logon stack configuration is done using visual administrator. Here select the security provider service for configuring logon stacks.
btw: As logon stacks are "java-only", there are no transaction names (which only exist on Web AS ABAP).
Regards,
Dominik -
I'm Working with the Apache Jserv module.
When anyone access to any of my servlets, goes to any link, and then return back with the 'Back' button of the browser, the servlet reloads itself, there's no cache or something like that. It means doing the database access again, etc. I'll be greatfull if anybody could help me.
Thanks
Andres BenitoI'm assuming that your database access code in a java bean. If that is the case, you might need to instantiate the bean in your JSP page with SCOPE = "session".
Dennis
null
Maybe you are looking for
-
How can I make a call from iPad
How can I make a call from IPad
-
I can't load a PDF from my Mac to my iPad
I have made changes to a PDF doc on my MAC. When I send it to my email and open it on my iPad, I only have a blank doc. What am I doing wrong? It shows up fine when I check my email on my MAC.
-
How to get router's IP Address programmatically?
While on my computer, behind the router Verizon router, I need to know my the router's IP address, so I can ssh into my box from remote hosts. When I subscribed to cable, and had a Linksys router as my main gateway at 192.168.1.1, I could log into it
-
Photoshop (all versions): Inconsistency/Bug in automatic File Naming algorithm
Hello, I discovered this problem in PS CS3 and CS5 (don't have CS4) after a student of mine found it in PS Elements 8. Here's one way to replicate the issue: 1) Open any image in Camera Raw. Let's call that file FILENAME.dng 2) Click "Save Image" but
-
I received this email yesterday, but can't find details on the free websites. For example, are they basic sites (not eCommerce)? "Did you know your Adobe Creative Cloud™ membership plan includes site hosting? An Adobe Creative Cloud membership plan i