Login module BasicPasswordLoginModule

Similar Messages

• SOAP Web Service +  Custom Login Module issue

  Hi Guys,
  We faced an authentication issue in our project. Could you please give any advice how the issue could be resolved.
  Environment: A simple SOAP Web Service on top of POJO class created in a Web Application. The web application deployed to the SAP NetWeaver 7.10 Application Server in the Enterprise Application Archive.
  Configuration:
        Single Service Administration Application(NetWeaver Administration -> SOA Management -> Application and Scenario Communication -> Single Service Administration)
         The web service endpoint has authentication configured to use User ID/Password HTTP Authentication.
      Authentication Application(NetWeaver Administration-> Configuration Management->Security->Authentication)
        The application(<vendorName>/<earName>*<vendor>~<webAppName>) has Authentication Stack configured to use our custom login module.
  Issue:  BasicPasswordLoginModule used by the J2EE when we are trying to execute the web service using Web Service Navigator(checked in debug mode). It seems that we missed something in configuration.
  Idea: The main Idea is to use our custom login module when we are executing a web service.
  Could you help me to resolve the issue.
  Thanks,
  Dmitry
  Edited by: Dmitry Eidin on Jul 17, 2009 3:46 PM

  > The web service endpoint has authentication configured to use User ID/Password HTTP Authentication.
  That's the point.

• Assigning a login module to a single WebDynpro to authenticate against LDAP

  Hi there,
  we are running the J2EE Engine 7.0 within XI on SAP NetWeaver 2004s / Linux x86_64.
  Basically, i want to Authenticate a Java WebDynpro against an LDAP (Active Directory). With the XI Usage installed, I can not customize the UME to authenticate against an LDAP (not supported and not possible).
  Thus, I want to use a custom login module or, if suitable, a standard login module to authenticate against LDAP. I know that all WebDynpro Apps use the default authentication scheme that in turn references the authentication template "ticket".
  1) Can I use a predefined Login Module to authenticate against Active Directory LDAP or do I have to write a custom login module?
  2) Is it possible to assign a login module to a single WebDynpro and how can I do this?
  Thanks a lot in advance,
  Oliver Kalkofen

  > Thus, I want to use a custom login module or, if
  > suitable, a standard login module to authenticate
  > against LDAP.
  We have developed a custom login module which does this. It looks to the user like the BasicPasswordLoginModule provided with SAP, but the userid and password entered has to be a valid accountpassword from the Active Director domain. We use the Kerberos protocol to perform this useridpassword validation, not LDAP. The userid can be just a name, in which case the default domain (realm in Kerberos terminology) or it can be specified as user@REALM in which case a non-default realm can be used to authenticate. Once the authentication is complete, we look in USRACL table to map this Kerberos principal name onto a SAP userid so we can then create an SSO2 ticket.
  If you interested to evaluate, or get a quote for purchasing this, please contact me offline. Of course, you can develop your own if you are happy to do so. I just thought you might be interested to know of an alternative.
  Thanks,
  Tim

• Configure JAAS login module stack to support x.509 certificates without SSL

  I want to use x.509 certificates for authentication against a EP 7.0 but I don’t want to have SSL traffic on the network segment where the portal resides. Obviously the SSL must be terminated in an application gateway that sends the certificate to the portal in the header.
  I know that AcceptClientCertWithoutSSL must be set to true in the http provider and that ClientCertificateHeaderName is the name of the header variable that contains the user’s certificate, default is SSL_CLIENT_CERT.
  What I don’t know is how to configure my JAAS login module stack, my suggestion would be this:
  EvaluateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
  ClientCertLoginModule OPTIONAL {Rule1.getUserFrom=SSL_CLIENT_CERT}
  CreateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
  BasicPasswordLoginModule REQUISITE {}
  CertPersisterLoginModule OPTIONAL {Rule1.getUserFrom=SSL_CLIENT_CERT}
  CreateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
  My concern is does the ClientCertLoginModule and the CertPersisterLoginModule read from the header variable? If they don’t, is there another login module that should be used in this case?

  Hi Claus,
  you got the flags right but the options of the login modules (LM) are wrong, so the certificate authentication won't work.
  There's two problems I see: (1) Rule1.getUserFrom is not a valid option for the LM CertPersisterLoginModule, and (2) SSL_CLIENT_CERT is not a valid value for the option Rule1.getUserFrom of the ClientCertLoginModule.
  Looking at this topic:
  http://help.sap.com/saphelp_nw2004s/helpdata/en/ea/301e3e6217b40be10000000a114084/content.htm
  the header variable used to pass the certificate is maintained in the HTTP provider service properties but since you use the default you don't need to maintain that part of the config. You also don't need the CertPersisterLoginModule in the config because it is used for automatic certificate mapping, which doesn't work when you don't have SSL to the portal.
  So with the above said your LM stack config should look like this:
  EvaluateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
  ClientCertLoginModule OPTIONAL {Rule1.getUserFrom=wholeCert}
  CreateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
  BasicPasswordLoginModule REQUISITE {}
  CreateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
  If this doesn't work I'd suggest opening a support ticket.
  Regards,
  Yonko

• Portal authentication using two login module stacks?

  G'day,
  I am noticing something odd when I authenticate to the portal: there are two login module stacks used.
  Background: I have created a custom logon page, which is basically a form with username/password input as per [this guide|http://help.sap.com/saphelp_nw04/helpdata/en/62/601e1eebf54ca6a97e2873c8c63517/content.htm|Changing the logon screen]. I then modified the authschemes.xml file by defining a new authscheme "mylogon" that uses my own login module stack ("mystack") and uses the new logon page ("mylogonform"). This new authscheme is then made the default reference:
  <authscheme name="mylogon">
    <authentication-template>mystack</authentication-template>
    <priority>21</priority>
    <frontendtype>2</frontendtype>
    <frontendtarget>com.foo.bar.mylogonpage</frontendtarget>
  </authscheme>
  <authscheme-refs>
    <authscheme-ref name="default"><authscheme>mylogon</authscheme></authscheme-ref>
    <authscheme-ref name="UserAdminScheme"><authscheme>mylogon</authscheme></authscheme-ref>
  </authscheme-refs>
  When I want to access the portal, up pops the "mylogonform" page, and on clicking the "submit" button the portal page for the user is shown.
  Now here is the interesting thing: when the "ticket" login module stack is unchanged (ie. it uses the BasicpasswordLoginModule), then the log shows that authentication to the portal uses just my login module.
  This can be seen as follows, where I navigate to the portal, logon as one user, then logoff and logon as another user:
  Message : LOGIN.OK
  User: tu-1
  Authentication Stack: mystack
  Message : LOGOUT.OK
  User: tu-1
  Authentication Stack: mystack
  Message : LOGIN.OK
  User: Administrator
  Authentication Stack: mystack
  The "mylogonform" page is shown when logon is required in both cases.
  However, if I modify the "ticket" login module stack by replacing the BasicPasswordLogonModule with a custom logon module that does automatic authentication, then the following is observed when the "mylogonform" page is displayed:
  Message : LOGIN.FAILED
  User: N/A
  Authentication Stack: ticket
  Message : LOGIN.OK
  User: tu-1
  Authentication Stack: ticket
  For some reason, the modified "ticket" login module stack is now being executed, which was not the case when this login module stack was unmodified.
  This stack automatically authenticates the current user (the initial failure is because the new login module asks the browser to send authentication data), and this "failure" causes the logon form to be displayed.
  I can logon to the portal as the same user, and the logs show that "mystack" login module stack is used:
  Message : LOGIN.OK
  User: tu-1
  Authentication Stack: mystack
  Logoff shows that "mystack" is used for the actual logoff, but "ticket" is called again automatically and succeeds:
  Message : LOGOUT.OK
  User: tu-1
  Authentication Stack: mystack
  Message : LOGIN.FAILED
  User: N/A
  Authentication Stack: ticket
  Message : LOGIN.OK
  User: tu-1
  Authentication Stack: ticket
  (Again, the initial logon failure is the new login module requesting that the browser send authentication data in the next request).
  This brings up the "mylogonform" page, even though it appears that a user has already been authenticated. If I try to logon as another user, the following is shown:
  Message : LOGIN.FAILED
  User: Administrator
  Authentication Stack: mystack
  Login Module                                                            Flag        Initialize  Login      Commit     Abort      Details
  com.sap.security.core.server.jaas.EvaluateTicketLoginModule             SUFFICIENT  ok          exception  false      true       authscheme not sufficient: basicauthentication<mylogonform
  Central Checks                                                                                exception             Call logout before login.
  I guess one cannot authenticate as a new user until the current user has been logged out.
  So ... why does the "ticket" login module get called in the second case, but not in the first case (or only shows logging in the second case) ?
  What is the logic behind portal authentication and showing a logon page?
  If I want to use custom authentication and a custom logon page, why is the "ticket" stack called at all?

  Jayesh,
  there is no such thing like "login module stacks". The <b>do</b> exist on the other hand:
  - login module
  - logon stacks
  Login module and logon stacks are part of the JAAS concept for defining a complex pluggable authentication scheme, original by SUN (see: java.sun.com/products/jaas)
  A logon process is defined by a logon stack which itself consists of several login modules. Each login module performs an authentication step. Example:
  login module 1: check if valid sap logon ticket provided
  if module 1 fails: then login module 2: request user id/password
  if module 2 succeeds: then login module 3: create new sap logon ticket for user
  You can define multiple logon stacks and configure individual applications to use the one stack or the other.
  The logon stack configuration is done using visual administrator. Here select the security provider service for configuring logon stacks.
  btw: As logon stacks are "java-only", there are no transaction names (which only exist on Web AS ABAP).
  Regards,
  Dominik

• Autentication error in Web Service after Login Module

  Hi Experts,
  I am getting a failed autentication when i try to access a web service. This is my scenario:
  I have developed my own login module using JAAS. When i call a web service, the login module is executed, then it validate the credencials and make the authetication true. After that the web service is called. The web Service is mark as user/password authetication. But i always get this error:
  Authentication for web service UtilityService, configuration UtilityService using security policy BASIC___ws failed: Login failed.. (See SAP Note 880896 for further info).
  Just for you know, the credentials taht i use in login modulo isn't the user of UME. I use user store in another user store. I fthe credential is correct pass to the Principal an user of UME. To login stack is right when pass to login module:
  LOGIN.OK
  User: tecbmmab
  IP Address: 192.168.14.48
  Authentication Stack: tridmen.com.br/pegasus~ear*pegasus
  Login Module                                                               Flag        Initialize  Login      Commit     Abort      Details
  1. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule   SUFFICIENT  ok          false      false                
  2. br.com.tridmen.login.ERPCEHeaderLoginModule                             REQUISITE   ok          true       true                 
          #1 Client = 800
          #2 Destination_reference = CUSTOM_DEST
          #3 SysId = DE1
          #4 SysNum = 00
          #5 TargetHost = tecs220
          #6 TrATicket = TRATICKETCTRL
  Central Checks                                                                                true
  After this, the error mention above, of web service happen.
  As my knowledge, when i call the web service i already have the session autenticate with login module. But this is not happen.
  Could someone help with this question?
  Best regards
  Marcos Brandã

  Hi,
  in what order did you specify your login modules? In that error message it looks like it's in wrong order. Your custom module should be first with SUFFICIENT and then standard user name/password with REQUISITE.
  Cheers

• Content Player / Policy Configuration component login modules

  Problem using Content Player u2013 HTTP 401 errors, not authorized
  Because of security concerns, we have modified our login Policy Configuration component, u201Cticketu201D to no longer use the login module u201CBasicPasswordLoginModuleu201D. We use the login module u201CSAMLLoginModuleu201D instead and direct our users through our Shibboleth based identity provider.
  We now are having a problem with the Content Player. We have configured it in http://<server>:<port>/lms/mediator/config with connection information including a username and password for both access to the ABAP system and the CMS user. We also have set SNC.
  With the BasicPasswordLoginModule removed, we get HTTP 401 errors, not authorized. We see this in a pop-up window when we try to run a WBT course and we see it in the trace files.
  When we put the BasicPasswordLoginModule back in place, we can access the course.
  We are looking for a way to redirect the Content Player to a different Policy Configuration component that we can then allow to include the BasicPasswordLoginModule.
  Is this possible?
  Where is the configuration defined that directs the Content Player to use that default Policy Configuration component?
  Can we change it to use a different Policy Configuration component?
  Deb Nugent

  It appears that we cannot (or should not) redirect the login module for the Content Player to something other than the "ticket" login method. Since we require Content Player, we re-added the BasicLoginPassword Module to the "ticket" method of logon. We knew this would allow Content Player to work. We are using other / additional security measures to ensure no one is directly accessing our systems with username/password.
  Thank-you all.
  Deb Nugent.

• What is so special about the "ticket" login module stack?

  G'day,
  I am observing some odd behaviour with login module stacks.
  I have a custom login module that performs authentication using information in the HTTP servlet request. This custom login module does not require any interaction from the user. I want to use this custom login module when I authenticate to the portal.
  By default, the portal uses an authentication scheme known as "uidpwdlogon", which uses the "ticket" login module stack, which is configured to perform basic password login. When I attempt to access the portal I am presented with a username/password page and I need to enter a username and password, hit the "submit" button, and access to the portal is granted.
  So I replaced the BasicPasswordLoginModule entry in the "ticket" login module stack with my custom login module, and now access to the portal is granted automatically, as expected. There is no username/password page displayed.
  But if I create a new login module stack that contains exactly the same modules as "ticket" login module stack, and modify the "uidpwdlogon" authentication scheme to use my new login module stack instead of the "ticket" login module stack, then something odd occurs: I am now presented with a username/password page again. I need to hit the "submit" button to navigate away from this page before the custom login module stack will process, which will then grant access to the portal.
  If I change the "uidpwdlogon" authentication scheme back to use the "ticket" login module stack (which is exactly the same as the previous login module stack), then access to the portal is granted automatically without showing a username/password page.
  So: if the (modified) "ticket" login module stack is used, there's no username/password page shown. If a copy of that login module stack is used, then a username/password page is shown.
  What's going on here?

  G'day,
  Thanks for the reply.
  The relevant parts of the authschemes.xml file are as follows:
          <authscheme name="uidpwdlogon">
              <authentication-template>myloginstack</authentication-template>
              <priority>21</priority>
              <frontendtype>2</frontendtype>
              <frontendtarget>com.sap.portal.runtime.logon.certlogon</frontendtarget>
          </authscheme>
          <authscheme-ref name="default">
              <authscheme>uidpwdlogon</authscheme>
          </authscheme-ref>
          <authscheme-ref name="UserAdminScheme">
              <authscheme>uidpwdlogon</authscheme>
          </authscheme-ref>
  Note that I have changed the uidpwdlogon element to use "myloginstack" instead of "ticket", and changed the priority from 20 to 21, as suggested (but it should be noted that the outcome is the same regardless of priority).
  The "ticket" login module stack is defined as follows:
    EvaulateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
    MyLoginModule REQUISITE {...}
    CreateTicketLoginModule OPTIONAL {ume.configuration.active=true}
  and the "myloginstack" is defined identically as follows:
    EvaulateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
    MyLoginModule REQUISITE {...}
    CreateTicketLoginModule OPTIONAL {ume.configuration.active=true}
  When the "uidpwdlogon" authentication scheme is configured to use the "myloginstack" login module stack, the browser immediately opens up the normal username/password page. I wait for a few minutes (for logging reasons), then hit submit, and access to the portal is granted.
  The log output for this is as follows:
  Message : LOGIN.FAILED
  User: N/A
  Authentication Stack: myloginstack
  Login Module                                                            Flag        Initialize  Login      Commit     Abort      Details
  com.sap.security.core.server.jaas.EvaluateTicketLoginModule             SUFFICIENT  ok          false                 true      
  MyLoginModule                                                           REQUISITE   ok          exception             true       Further authentication required from client
  com.sap.security.core.server.jaas.CreateTicketLoginModule               OPTIONAL    ok                                true      
  Message : LOGIN.OK
  User: testuser
  Authentication Stack: myloginstack
  Login Module                                                            Flag        Initialize  Login      Commit     Abort      Details
  com.sap.security.core.server.jaas.EvaluateTicketLoginModule             SUFFICIENT  ok          false      false                
  MyLoginModule                                                           REQUISITE   ok          true       true                 
  com.sap.security.core.server.jaas.CreateTicketLoginModule               OPTIONAL    ok          true       true                 
  Central Checks                                                                                true                 
  There are two login stack events because the first login stack event asks the browser to pass along authentication data, which is processed in the second login stack event.
  Also note that the time of the first login module event is a few minutes after the username/password page appears, suggesting that the portal is attempting to obtain information before it processes the login module stack.
  If I change the "uidpwdlogon" authentication scheme to use the "ticket" login module stack, then no username/password page appears and the security log is essentially identical to that of "myloginstack":
  Message : LOGIN.FAILED
  User: N/A
  Authentication Stack: ticket
  Login Module                                                            Flag        Initialize  Login      Commit     Abort      Details
  com.sap.security.core.server.jaas.EvaluateTicketLoginModule             SUFFICIENT  ok          false                 true      
  MyLoginModule                                                           REQUISITE   ok          exception             true       Further authentication required from client
  com.sap.security.core.server.jaas.CreateTicketLoginModule               OPTIONAL    ok                                true      
  Message : LOGIN.OK
  User: testuser
  Authentication Stack: ticket
  Login Module                                                            Flag        Initialize  Login      Commit     Abort      Details
  com.sap.security.core.server.jaas.EvaluateTicketLoginModule             SUFFICIENT  ok          false      false                
  MyLoginModule                                                           REQUISITE   ok          true       true                 
  com.sap.security.core.server.jaas.CreateTicketLoginModule               OPTIONAL    ok          true       true                 
  Central Checks                                                                                true                 
  I am creating the "myloginstack" login module stack using the Visual Administrator tool, by clicking the "Add" button for the "Policy Configurations" tab of the SecurityProvider service. Note that when I do this the entry for "myloginstack" gets a diamond icon, while the entry for "ticket" has a different icon (resembling a graph). I do not know what these different icons beside each policy configuration imply (is "ticket" different to "myloginstack" somehow?) nor how to create a new policy configuration that will have different icon.
  I assume the username/password page is shown because the <frontendtarget> element in the "uidpwdlogon" authentication scheme is defined to use "com.sap.portal.runtime.logon.certlogon". Perhaps there is another value I can use here that displays nothing and redirects the browser directly to the portal?

• Login Module Stack of EP

  Hi guys,
  I am in the process to setup HeaderVariable Authentication for accessing to EP and have a some questions.
  1) What Login Module Stack needs to be adjusted to use the HeaderVariableLoginModule? SAP J2EE Root or Ticket or ....
  2) Are changes in the policy configurations (adding logon module) applied immediately or is a J2EE restart required?
  Thanks,
  Mario.

  Thank you Paul.
  I've found on my own also to question 1. I have to modify the Login Module stack of template "tiket" as following:
    1) EvaluateTicketLoginModule SUFFICIENT
    2) HeaderVariableLoginModule OPTIONAL     Header=REMOTE_USER
    3) CreateTickeLoginModule    SUFFICIENT
    4) BasicPasswordLoginModule  REQUISITE
    5) CreateTicketLoginModule   OPTIONAL
  Now I'd like to know if is it possible to test the header variable login configuration without using any external web server but connect directly to Enerprise Portal.
  When I try to connect directly to the Enerprise Portal using the URL
     http://<server>:<port>/irj/portal?REMOTE_USER=<userID>
  i'm not able to log into the system, but i'm redirected to the login page.
  If I type in userID and password, portal doesn't authenticate the user.
  Is the External Web Server mandatory for the Header Variable Login Module configuration?
  Thanks in advance,
  Mario.

• Login module for the J2EE application

  Hi ,
  I am trying to use the BasicPasswordLoginModule for my J2EE application which will be deployed in the SAP J2EE engine.My application will not be accessed through the portal.
  I am having a login screen in my application for which i want to use the already avaliable login module. ie.. BasicPasswordLoginModule.
  When i am trying to get the login(). i am getting the following the error.
  "javax.security.auth.login.LoginException: No LoginModules configured for BasicPasswordLoginModule".
  Please let me know what needs to be done.
  PS: The version environment is CE 7.1
  Regards
  Abu Bakar

  Hi Julius
  I am totally confused, my application is a pure J2EE application which has only one screen which just displays the details. And i want only the login screen to be implemented. I have gone through a couple of dec from sap which tells to created a custom login module if requiredl but i want to user the FORM based authentication and use the BasicPasswordLoginModule(in-built in WAS)
  All that i am doing is written a web.xml with the following information:
  <login-config>
     <auth-method>FORM</auth-method>
     <form-login-config>
     <form-login-page>/home.jsp</form-login-page>
     <form-error-page>/relogin.jsp</form-error-page>
     </form-login-config>
    </login-config>
    <security-role>
      <role-name>App_Viewer</role-name>
    </security-role>
  web-j2ee-engine with following information:
  <security-role-map>
            <role-name>App_Viewer</role-name>
             <server-role-name>Administrator</server-role-name>
       </security-role-map>
       <login-module-configuration>
       <login-module-stack>
       <!-- Contains all login modules used for authentication -->
            <login-module>
            <!-- Contains information about one login module -->
                 <login-module-name>BasicPasswordLoginModule</login-module-name>
                 <flag>SUFFICIENT</flag>
                 <options>
                      <option>
                      <!-- The option UserNamePrefix determines that the user name must start with "Admin" -->
                      <name>UserNamePrefix</name>
                      <value>Admin</value>
                      </option>
                 </options>
            </login-module>
       </login-module-stack>
       <security-policy-domain></security-policy-domain>
  </login-module-configuration>
  And I am not sure, if the above mentioned details are enough. My implementation code is as follows:
  try {
            HttpServletRequest request = (HttpServletRequest) FacesContext.getCurrentInstance().getExternalContext().getRequest();
            HttpServletResponse response = (HttpServletResponse) FacesContext.getCurrentInstance().getExternalContext().getResponse();
            request.setAttribute(ILoginConstants.LOGON_UID_ALIAS, this.getUserName());
            request.setAttribute(ILoginConstants.LOGON_PWD_ALIAS, this.getPassword());
            UMFactory.getLogonAuthenticator().logon(request, response, "BasicPasswordLoginModule");
            status = success;
       } catch (Exception e) {
            e.printStackTrace();
            status = e.toString();
  In the NWA i have just configured the UserNamePrefix with Admin, thats all . Since the form login authentication method is already configure with the BasicPasswordLoginModule, I left it untouched.
  I also implemented a custom login module and deployed it but not sure how to use it in my code.
  Please let me know if i am in the rite track. Correct me if i am wrong. At the end of the day i want to use the login screen just to get authenticated. I am also not bothered about the password changing etc.. As the users who are going to use my application are the users in the Identity Management. Few portions of my screen should be allowed to be displayed based on the roles.
  PS: My application is not configured in the portal. Its an independent application deployed on the WAS(CE 7.1).
  Please advice
  Regards
  Abu Bakar

• Not able  to add login module to authentication stacks!

  HI Portal Gurus!
  we are implementing siteminder sso integration with portal.
  Iam trying to do following configuration ...
  Modify the ticket authentication template:
  a.)Remove from the stack:
  1)BasicPasswordLoginModule
  2)EvaluateTicketLoginModule
  b.)Add the following modules to the top of the stack, in the order shown:
  SiteMinderLoginModule
  CreateTicketLoginModule
  Iam not able to do either reomove exting one nor add new login module.Iam getting an error"Unable to add login module to authentication stacks! "
  Ilogged in to v.admin as administrator with admin & superadmin roles.
  It would be great if anyone could help me in this .
  Regards
  tag

  Hi,
  in change mode only getting an error.
  error"unable to add login module stack to authentication stacl! details are available in status bar"
  in status bar information below...
  Unable to add login module to the authentication stack!
  java.lang.SecurityException: com.sap.engine.services.security.exceptions.BaseSecurityException: Caller not authorized.
       at com.sap.engine.services.security.resource.ResourceHandleImpl.checkPermission(ResourceHandleImpl.java(Compiled Code))
       at com.sap.engine.services.security.resource.ResourceHandleImpl.checkPermission(ResourceHandleImpl.java(Compiled Code))
       at com.sap.engine.services.security.resource.ResourceContextImpl.checkPermission(ResourceContextImpl.java(Compiled Code))
       at com.sap.engine.services.security.restriction.Restrictions.checkPermission(Restrictions.java(Compiled Code))
       at com.sap.engine.services.security.server.AuthenticationContextImpl.setLoginModules(AuthenticationContextImpl.java(Compiled Code))
       at com.sap.engine.services.security.remoteimpl.RemoteAuthenticationImpl.setLoginModules(RemoteAuthenticationImpl.java(Compiled Code))
       at com.sap.engine.services.security.remoteimpl.RemoteAuthenticationImplp4_Skel.dispatch(RemoteAuthenticationImplp4_Skel.java(Compiled Code))
       at com.sap.engine.services.rmi_p4.DispatchImpl._runInternal(DispatchImpl.java(Compiled Code))
       at com.sap.engine.services.rmi_p4.DispatchImpl._run(DispatchImpl.java(Inlined Compiled Code))
       at com.sap.engine.services.rmi_p4.server.P4SessionProcessor.request(P4SessionProcessor.java(Compiled Code))
       at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java(Compiled Code))
       at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java(Compiled Code))
       at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java(Compiled Code))
       at java.security.AccessController.doPrivileged1(Native Method)
       at java.security.AccessController.doPrivileged(AccessController.java(Compiled Code))
       at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java(Compiled Code))
       at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java(Compiled Code))
       at com.sap.engine.services.security.exceptions.BaseSecurityException.writeReplace(BaseSecurityException.java:349)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java(Compiled Code))
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java(Compiled Code))
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java(Compiled Code))
       at java.lang.reflect.Method.invoke(Method.java(Compiled Code))
       at java.io.ObjectStreamClass.invokeWriteReplace(ObjectStreamClass.java:1057)
       at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java(Compiled Code))
       at java.io.ObjectOutputStream.writeObject(ObjectOutputStream.java(Compiled Code))
       at com.sap.engine.services.rmi_p4.DispatchImpl.throwException(DispatchImpl.java(Compiled Code))
       at com.sap.engine.services.rmi_p4.DispatchImpl._runInternal(DispatchImpl.java(Compiled Code))
       at com.sap.engine.services.rmi_p4.DispatchImpl._run(DispatchImpl.java(Inlined Compiled Code))
       at com.sap.engine.services.rmi_p4.server.P4SessionProcessor.request(P4SessionProcessor.java(Compiled Code))
       at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java(Compiled Code))
       at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java(Compiled Code))
       at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java(Compiled Code))
       at java.security.AccessController.doPrivileged1(Native Method)
       at java.security.AccessController.doPrivileged(AccessController.java(Compiled Code))
       at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java(Compiled Code))
       at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java(Compiled Code))
  I would appreciate if anybody could help for resolving this issue.
  Regards
  Tag

• Login Module Flags

  Dear All,
  We have build a new login module "MyLoginModule"  to check the user session and if the user has one more session active, the custom built "MyLoginModule"  will fail the authentication of the user.
  We have added the login module to "TICKET" Authentication Scheme. So the "Ticket" Authentication Template contains the following :
  EvaluateTicketLoginModule               SUFFICIENT
  MyLoginModule                                  REQUISTE
  BasicPasswordLoginModule             REQUIRED
  CreateTicketLoginModule                  SUFFICIENT
  If "MyLoginModule" fails, the authentication should not proceed,and control returns to the application. This is what i required.
  But the authentication still proceeds down, even if "MyLoginModule" Fails ...,     though I set the "REQUISTE" Flag to  MyLoginModule,  . 
  How to resolve this?
  Regards
  Eben Chella Metilda V.A

  I am just wondering... does your login module just return false when you want to fail the authentication?  If you want it to stop proceeding through the login module stack, you have to throw a LoginException.
  -- Katrina

• Reg: Authentication using login modules

  Hi all
  I have a web module and I want to protect it through JEE authentication scheme :: BASIC. I am using CE NW710 SP 04. I have edited the web.xml file and web-j2ee-engine.xml file as well. I have given basicpasswordloginmodule as the login module web-j2ee-engine.xml. I wish to see a logon page when my web module is accessed, is there any other step needed?
  Thank you.
  regards
  Lakshminarayanan.V

  I'm not sure, but I would think that you also need to appoint a policy configuration template to your application which forces the basic authentication module to be called. This you do in the Visual Administrator -> Security Provider
  Marcel

• Problems with custom login module/authscheme in Portal iViews

  Hi,
  In our portal users must login with their username and password ("ticket" login module stack) to access most of the content. For some of the iViews containing confidential data we would like to ask the users some personal questions before giving them access.
  I followed all the steps described in the [official documentation |http://help.sap.com/saphelp_nw04s/helpdata/en/8c/f03541c6afd92be10000000a1550b0/content.htm]:
  - created a custom login module
  - added it to a custom login module stack
  - added a custom authscheme in the authschemes.xml file
  - assigned the iView to this authscheme
  I also create a PortalComponent that reads the user entries and calls my login module (JSP not shown):
  public void doContent(IPortalComponentRequest request, IPortalComponentResponse response)     {          
      HttpServletRequest req = request.getServletRequest();
      HttpServletResponse resp = request.getServletResponse(false);
      ILogonAuthentication ila = UMFactory.getLogonAuthenticator();
      Subject subject = ila.logon(req, resp, "myauthscheme");
      // if authenticated what to do next??
  Now when I try to access the protected iView, I see my screen to answer the questions, I press submit and my login module is called. But, I never get redirected to the iView I'm supposed to go. So I still have two questions:
  1) Which login modules should be in the login module stack? Should I include the BasicPasswordLoginModule?
  For the moment I have:
  EvaluateTicketLoginModule (SUFFICIENT)
  MyCustomLoginModule (REQUISITE)
  CreateTicketLoginModule (OPTIONAL)
  2) How can I be redirected to the protected iView after the user is being authenticated? Is it the portal framework who is responsible to navigate there automatically? Or is it in my own code after the logon() call? In that case how can I retrieve the destination URL?
  Thanks,
  Martin

  I'm using the version 10.1.3.0.4 (SU5).
  The error is:
  06/09/28 18:09:05 WARNING: Application.setConfig Application: current-workspace-app is in failed state as initialization failedjava.lang.InstantiationException
  28/09/2006 18:09:05 com.evermind.server.Application setConfig
  WARNING: Application: current-workspace-app is in failed state as initialization failedjava.lang.InstantiationException
  2006-09-28 18:09:05.390 WARNING J2EE 0JR0013 Exception initializing deployed application: current-workspace-app. null
  My JAAS-oc4j-app content is:
  <log>
  <file path="JAAS-oc4j-app.log" xmlns=""/>
  </log>
  <jazn provider="XML" location="JAAS-jazn-data.xml">
  <property name="role.mapping.dynamic" value="true"/>
  <property name="custom.loginmodule.provider" value="true"/>
  <property name="jaas.username.simple" value="true"/>
  </jazn>
  <data-sources path="JAAS-data-sources.xml"/>
  Thanks for reply.

• Opinions on implementing a JAAS login module to achieve SSO

  We are looking at implementing SSO from a sharepoint website to the portal.  The users who are accessing the Sharepoint site are using their own computers and are not members of the AD Domain, so they could theoretically be using any computer in the world to access Sharepoint.
  the desired user experience looks something like this.
  user--login> sharepoint site -no login--
  >portal
  One of the methods we are looking at to achieve this is to implement a custom JAAS login module that would authenticate the user if they are coming from the Sharepoint site.
  I would like to get your opinions on how viable you think this method is.  One of the goals of this method is ease of implementation, so if you can think of an easier way to implement this please let us know.
  the method is basically this.
  1. User logs into sharepoint using their AD username and password and establish an active session with sharepoint
  2. user navigates to a link in sharepoint that points to a resource in the SAP Portal
  3. we don't want the user to have to login to access the resource when they click on the link
  4. to facilitate this, sharepoint has constructed the link in the following way
  5. the link is an https link
  6. the link has two additional parameters in addition to whatever is necessary to navigate to the resource
  7. the parameters are
  8. un = the users AD username
  9. uh = sha1("secret_password_known_to_both_the_login_module_and_sharepoint" + "username")
  10. the user clicks the link and is directed to the SAP portal
  11. the sap portal has a custom JAAS login module which performs it's checks before the other login modules
  12. the custom module computes ( sha1("secret_password_known_to_both_the_login_module_and_sharepoint" + un)) and then compares the result with uh, if they are equal, the custom login module authenticates the user bypassing any further need for authentication, otherwise authentication passes to the original authentication modules as normal.
  If you think there is an easier way, please let us know.  We are essentially looking for the easiest/fastest way to implement this functionality that is still secure.

  Hey Gary,
    I'm currently using Apache running on RedHat that leverage Apache's mod_rewrite module. I've got a bank of 6 reverse proxies sitting in front of an SAP Portal and each proxy runs on a host with dual 3.33GHz processors and 8Gb or RAM. I know... they're waaay over-sized and they pretty much snooze all day.
    This is the sole entry point for all SAP users and we sized them to accommodate the "worst case" of about 5000 (potential) named users, concurrently. Realistically, we've only ever had about 1500 unique users hitting the systems in a day (following an upgrade go-live, everybody is curious and wants to log on) and a typical load of about 500 to 750 users in a day.
    Never had a real performance problem to speak of. As long as the proxies are tuned properly (ssl cache, sessions, etc.), you should be fine.
    Setting header variables and some other "custom stuff" is handled in Perl (need Apache's mod_perl active). We've got a script that's called by all users before being passed to the Portal.
    We used IISProxy.dll with an IIS web server a long time ago (5 years maybe?) but opted to can it in favor of the approach described above.
    If you ask SAP, they'll recommend you use a WebDispatcher... and that's certainly an option as well.
  -Kevin