Login Module Flags
Dear All,
We have build a new login module "MyLoginModule" to check the user session and if the user has one more session active, the custom built "MyLoginModule" will fail the authentication of the user.
We have added the login module to "TICKET" Authentication Scheme. So the "Ticket" Authentication Template contains the following :
EvaluateTicketLoginModule SUFFICIENT
MyLoginModule REQUISTE
BasicPasswordLoginModule REQUIRED
CreateTicketLoginModule SUFFICIENT
If "MyLoginModule" fails, the authentication should not proceed,and control returns to the application. This is what i required.
But the authentication still proceeds down, even if "MyLoginModule" Fails ..., though I set the "REQUISTE" Flag to MyLoginModule, .
How to resolve this?
Regards
Eben Chella Metilda V.A
I am just wondering... does your login module just return false when you want to fail the authentication? If you want it to stop proceeding through the login module stack, you have to throw a LoginException.
-- Katrina
Similar Messages
-
Error in some of the login modules
`Hi Experts,
I have deployed SPNEGO and when user trying to login to portal, it gives the error as taken from diagtoo(below)
Also would like to inform you that when I have configured the wizard, some how in VA for lots of the Components in Security
provider, I found lots of those components does have the value for the Evaluateticket, evaluateAssertion, basicpassword,
createticketlogon did not had any values to it.
The components which I have updated are,
1. sap.com.lcr*sld---> I have added for EvaulateTicketloginModule and EvaluateAssertion ticket module like
ume.configuration.active true
trustediss1 OU=J2EE,CN=ABC
trusteddn1 OU=J2EE,CN=ABC
trustedsys1 ABC,555
and for CreateTicketLoginModule
ume.configuration.active true
Like wise done for the following components also.
2. sap.com/sap.comtckmc.coll.room.wsdeplRoomABAPWS_config1
3. sap.com/sap.commonitoringsysteminfo*sap_monitoring( here only 3 login modules present. so updated accordingly
to the above mentioned values for whatever loginmodule was present)
4. jmx~spnego was not having the template as SPNEGO so selected SPNEGO template and updated whatever ( 5 login module accordingly)
5. sap.com/tcsecwssec~app*wssproc_cert
6. sap.com/tcsecwssec~app*wssproc_plain
7. sap.com/tcsecwssec~app*wssproc_ssl
8. sap.com/tcslmslmapp*slmServices_Config
9. sap.com/tcslmslmapp*slmSolManServices_Config
10. ....~eap*GPRuntimeFacadeWS_
11. ..RuntimeearCAFDataService
Entering method with (Subject:
, javax.security.auth.login.LoginContext$SecureCallbackHandleraT6d992c17)
13:47:15:804 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_39 com.sap.security.core.server.jaas The options of EvaluateTicketLoginModule in [spnego] authentication stack are: [{ume.configuration.active=true, trustediss1=OU=J2EE,CN=ABC, trustedsys1=ABC,555, trusteddn1=OU=J2EE,CN=ABC}].
13:47:15:804 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_39 ~s.constructor(Map, Properties, boolean) Entering method with ({System-ID=ABC, sap.security.auth.configuration.name=spnego, sap.security.auth.context.object=Security Context : session (0) for J2EE_GUEST created at Sun Mar 15 13:01:44 AST 2009}, <null>)
13:47:15:804 Info J2EE_GUEST SAPEngine_Application_Thread[impl:3]_39 com.sap.security.core.server.jaas got [ume.configuration.active]: [true]
13:47:15:804 Warning J2EE_GUEST SAPEngine_Application_Thread[impl:3]_39 com.sap.security.core.server.jaas no authscheme found that has auth template spnego
13:47:15:805 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_39 com.sap.security.core.server.jaas Exiting method with [Ljava.lang.Object;aT631dd237
13:47:15:805 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_39 ~ity.core.server.jaas.getMergedOptions() Entering method
13:47:15:805 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_39 com.sap.security.core.server.jaas Exiting method with [Ljava.lang.Object;aT3ad44bb7
13:47:15:805 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_39 com.sap.security.core.server.jaas The options of EvaluateTicketLoginModule in [spnego] authentication stack after merge with UME properties are: [{ume.configuration.active=true, trustediss1=OU=J2EE,CN=ABC, system=ABC, client=555, j_authscheme=default, inclcert=0, trusteddn1=OU=J2EE,CN=ABC, ume.logon.httponlycookie=TRUE, alias=SAPLogonTicketKeypair, ume.logon.security.enforce_secure_cookie=FALSE, validity=8, keystore=TicketKeystore, trustedsys1=ABC,555, password=}].
13:47:15:805 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_39 com.sap.security.core.server.jaas The options of EvaluateTicketLoginModule in [spnego] authentication stack after adding the default values are: [{ume.configuration.active=true, trustediss1=OU=J2EE,CN=ABC, system=ABC, client=555, j_authscheme=default, inclcert=0, trusteddn1=OU=J2EE,CN=ABC, ume.logon.httponlycookie=TRUE, alias=SAPLogonTicketKeypair, sap.security.auth.configuration.name=spnego, ume.logon.security.enforce_secure_cookie=FALSE, validity=8, keystore=TicketKeystore, trustedsys1=ABC,555, password=}].
13:47:15:805 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_39 com.sap.security.core.server.jaas Exiting method
13:47:15:806 Info J2EE_GUEST ~ngine_Application_Thread[impl:3]_Group] ~er.jaas.spnego.util.ConfigurationHelper My GSS name is: J2ee-abcaTBah.ARAB.LOCAL
13:47:15:806 Info J2EE_GUEST ~ngine_Application_Thread[impl:3]_Group] ~er.jaas.spnego.util.ConfigurationHelper GSS name type is: 1
13:47:15:807 Info J2EE_GUEST ~ngine_Application_Thread[impl:3]_Group] ~er.jaas.spnego.util.ConfigurationHelper GSS mechanism is: 1.2.840.113554.1.2.2
13:47:15:808 Info J2EE_GUEST ~ngine_Application_Thread[impl:3]_Group] System.out Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is true principal is J2ee-abcaTBah.ARAB.LOCAL tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Refreshing Kerberos configuration
13:47:15:808 Info J2EE_GUEST ~ngine_Application_Thread[impl:3]_Group] System.out Refreshing Keytab
13:47:15:809 Info J2EE_GUEST ~ngine_Application_Thread[impl:3]_Group] System.out >>> KeyTabInputStream, readName(): Bah.ARAB.LOCAL
13:47:15:809 Info J2EE_GUEST ~ngine_Application_Thread[impl:3]_Group] System.out >>> KeyTabInputStream, readName(): J2ee-abc
13:47:15:809 Info J2EE_GUEST ~ngine_Application_Thread[impl:3]_Group] System.out >>> KeyTab: load() entry length: 60; type: 3
13:47:15:809 Info J2EE_GUEST ~ngine_Application_Thread[impl:3]_Group] System.out principal's key obtained from the keytab
13:47:15:809 Info J2EE_GUEST ~ngine_Application_Thread[impl:3]_Group] System.out Acquire TGT using AS Exchange
13:47:15:811 Path J2EE_GUEST ~ngine_Application_Thread[impl:3]_Group] com.sap.engine.services.security Exception : Error in some of the login modules.
java.lang.Exception
at com.sap.exception.BaseExceptionInfo.traceAutomatically(BaseExceptionInfo.java:1141)
at com.sap.exception.BaseExceptionInfo.<init>(BaseExceptionInfo.java:253)
at com.sap.engine.services.security.exceptions.BaseLoginException.<init>(BaseLoginException.java:114)
at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.access$000(ConfigurationHelper.java:28)
at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper$RunnableHelper.run(ConfigurationHelper.java:330)
Caused by: java.lang.NullPointerException
at java.lang.StringBuffer.append(StringBuffer.java:467)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:627)
at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:511)
at com.sap.engine.services.security.login.LoginModuleLoggingWrapperImpl.login(LoginModuleLoggingWrapperImpl.java:150)
at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:69)
at java.security.AccessController.doPrivileged(Native Method)
at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:172)
at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)
at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.acquireCredentials(ConfigurationHelper.java:230)
at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.access$000(ConfigurationHelper.java:28)
at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper$RunnableHelper.run(ConfigurationHelper.java:330)
13:47:15:812 Error J2EE_GUEST ~ngine_Application_Thread[impl:3]_Group] com.sap.engine.services.security Error in some of the login modules.
[EXCEPTION]
com.sap.engine.services.security.exceptions.BaseLoginException: Error in some of the login modules.
at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:149)
at java.security.AccessController.doPrivileged(Native Method)
at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:172)
at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
at sun.reflect.GeneratedMethodAccessor368.invoke(Unknown Source)
at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)
at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.acquireCredentials(ConfigurationHelper.java:230)
at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.access$000(ConfigurationHelper.java:28)
at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper$RunnableHelper.run(ConfigurationHelper.java:330)
Caused by: java.lang.NullPointerException
at java.lang.StringBuffer.append(StringBuffer.java:467)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:627)
at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:511)
at com.sap.engine.services.security.login.LoginModuleLoggingWrapperImpl.login(LoginModuleLoggingWrapperImpl.java:150)
at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:69)
... 24 more
13:47:15:813 Error J2EE_GUEST ~ngine_Application_Thread[impl:3]_Group] com.sap.engine.services.security Exception com.sap.engine.services.security.exceptions.BaseLoginException: Error in some of the login modules.
at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:149)
at java.security.AccessController.doPrivileged(Native Method)
at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:172)
at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:186)
at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:80)
at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:75)
at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)
at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:334)
at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:44)
at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)
at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.acquireCredentials(ConfigurationHelper.java:230)
at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.access$000(ConfigurationHelper.java:28)
at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper$RunnableHelper.run(ConfigurationHelper.java:330)
Caused by: java.lang.NullPointerException
at java.lang.StringBuffer.append(StringBuffer.java:467)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:627)
at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:511)
at com.sap.engine.services.security.login.LoginModuleLoggingWrapperImpl.login(LoginModuleLoggingWrapperImpl.java:150)
at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:69)
... 24 more
see below for more error13:47:15:814 Path J2EE_GUEST ~ngine_Application_Thread[impl:3]_Group] com.sap.engine.services.security Exception : Internal server error. An error log with ID [00144FB7C99A00B30000000C000040770004653A2C7E1DD8] is created. For more information contact your system administrator.
java.lang.Exception
at com.sap.exception.BaseExceptionInfo.traceAutomatically(BaseExceptionInfo.java:1141)
at com.sap.exception.BaseExceptionInfo.<init>(BaseExceptionInfo.java:253)
at com.sap.engine.services.security.exceptions.BaseSecurityException.<initat com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.acquireCredentials(ConfigurationHelper.java:230)
at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.access$000(ConfigurationHelper.java:28)
at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper$RunnableHelper.run(ConfigurationHelper.java:330)
13:47:15:815 Error J2EE_GUEST ~ngine_Application_Thread[impl:3]_Group] com.sap.engine.services.security Internal server error. An error log with ID [00144FB7C99A00B30000000C000040770004653A2C7E1DD8] is created. For more information contact your system administrator.
[EXCEPTION]
com.sap.engine.services.security.exceptions.BaseSecurityException: Internal server error. An error log with ID [00144FB7C99A00B30000000C000040770004653A2C7E1DD8] is created. For more information contact your system administrator.
at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:157)
at java.security.AccessController.doPrivileged(Native Method)
at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:172)
at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
at sun.reflect.GeneratedMethodAccessor368.invoke(Unknown Source)
at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.acquireCredentials(ConfigurationHelper.java:230)
at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.access$000(ConfigurationHelper.java:28)
at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper$RunnableHelper.run(ConfigurationHelper.java:330)
13:47:15:816 Error J2EE_GUEST ~ngine_Application_Thread[impl:3]_Group] ~es.security.authentication.logincontext LOGIN.FAILED
User: N/A
Authentication Stack: com.sun.security.jgss.accept
Login Module Flag Initialize Login Commit Abort Details
com.sun.security.auth.module.Krb5LoginModule REQUISITE ok exception false null
com.sap.security.core.server.jaas.SPNegoMappingLoginModule REQUISITE ok true
13:47:15:816 Path J2EE_GUEST ~ngine_Application_Thread[impl:3]_Group] com.sap.engine.services.security Exception : Access Denied.
java.lang.Exception
at com.sap.exception.BaseExceptionInfo.traceAutomatically(BaseExceptionInfo.java:1141)
at com.sap.exception.BaseExceptionInfo.<init>(BaseExceptionInfo.java:253)
at com.sap.engine.services.security.exceptions.BaseLoginException.<init>(BaseLoginException.java:114)
at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:286)
at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)
at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.acquireCredentials(ConfigurationHelper.java:230)
at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.access$000(ConfigurationHelper.java:28)
at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper$RunnableHelper.run(ConfigurationHelper.java:330)
Caused by: com.sap.engine.services.security.exceptions.BaseSecurityException: Internal server error. An error log with ID [00144FB7C99A00B30000000C000040770004653A2C7E1DD8] is created. For more information contact your system administrator.
at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:157)
at java.security.AccessController.doPrivileged(Native Method)
at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:172)
at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
at sun.reflect.GeneratedMethodAccessor368.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:324)
at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:334)
at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:44)
at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)
at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.acquireCredentials(ConfigurationHelper.java:230)
at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.access$000(ConfigurationHelper.java:28)
at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper$RunnableHelper.run(ConfigurationHelper.java:330)
13:47:15:817 Error J2EE_GUEST SAPEngine_Application_Thread[impl:3]_39 ~rity.core.server.jaas.SPNegoLoginModule Exception in SPNegologinModule.initialize.
[EXCEPTION]
GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:189)
at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:80)
at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
at sun.security.jgss.LoginUtility.run(LoginUtility.java:57)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:186)
... 9 more
Caused by: com.sap.engine.services.security.exceptions.BaseSecurityException: Internal server error. An error log with ID [00144FB7C99A00B30000000C000040770004653A2C7E1DD8] is created. For more information contact your system administrator.
at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:157)
at java.security.AccessController.doPrivileged(Native Method)
at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:172)
... 22 more
13:47:15:819 Error J2EE_GUEST SAPEngine_Application_Thread[impl:3]_39 com.sap.engine.services.security Cannot initialize login module com.sap.security.core.server.jaas.SPNegoLoginModule .
[EXCEPTION]
java.lang.RuntimeException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
at com.sap.security.core.server.jaas.SPNegoLoginModule.initialize(SPNegoLoginModule.java:446)
at com.sap.engine.services.security.login.LoginModuleLoggingWrapperImpl.initialize(LoginModuleLoggingWrapperImpl.java:129)
at com.sap.engine.services.security.login.LoginContextFactory.initializeLoginContext(LoginContextFactory.java:167)
at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:141)
at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
at sun.reflect.GeneratedMethodAccessor368.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:324)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.getLoggedInUser(SAPJ2EEAuthenticator.java:131)
at com.sapportals.portal.prt.service.authenticationservice.AuthenticationService.getLoggedInUser(AuthenticationService.java:303)
at com.sapportals.portal.prt.connection.UMHandler.handleUM(UMHandler.java:96)
at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:186)
at com.sapportals.portal.prt.dispatcher.Dispatcher$doService.run(Dispatcher.java:522)
at java.security.AccessController.doPrivileged(Native Method)
at com.sapportals.portal.prt.dispatcher.Dispatcher.service(Dispatcher.java:405)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet.service(InvokerServlet.java:156)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
at com.sap.portal.navigation.Gateway.service(Gateway.java:126)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:390)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:264)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:347)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:325)
at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:887)
at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:241)
at com.sap.engine.services.httpserver.server.Client.handle(Client.java:92)
at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:148)
at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
at java.security.AccessController.doPrivileged(Native Method)
at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:100)
at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:170)
13:47:15:821 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_39 ~.security.core.server.jaas.initialize() Entering method with (Subject:
, javax.security.auth.login.LoginContext$SecureCallbackHandleraT6d992c17, {System-ID=ABC, sap.security.auth.configuration.name=spnego, sap.security.auth.context.object=Security Context : session (0) for J2EE_GUEST created at Sun Mar 15 13:01:44 AST 2009}, {ume.configuration.active=true})
13:47:15:821 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_39 com.sap.security.core.server.jaas -
Portal authentication using two login module stacks?
G'day,
I am noticing something odd when I authenticate to the portal: there are two login module stacks used.
Background: I have created a custom logon page, which is basically a form with username/password input as per [this guide|http://help.sap.com/saphelp_nw04/helpdata/en/62/601e1eebf54ca6a97e2873c8c63517/content.htm|Changing the logon screen]. I then modified the authschemes.xml file by defining a new authscheme "mylogon" that uses my own login module stack ("mystack") and uses the new logon page ("mylogonform"). This new authscheme is then made the default reference:
<authscheme name="mylogon">
<authentication-template>mystack</authentication-template>
<priority>21</priority>
<frontendtype>2</frontendtype>
<frontendtarget>com.foo.bar.mylogonpage</frontendtarget>
</authscheme>
<authscheme-refs>
<authscheme-ref name="default"><authscheme>mylogon</authscheme></authscheme-ref>
<authscheme-ref name="UserAdminScheme"><authscheme>mylogon</authscheme></authscheme-ref>
</authscheme-refs>
When I want to access the portal, up pops the "mylogonform" page, and on clicking the "submit" button the portal page for the user is shown.
Now here is the interesting thing: when the "ticket" login module stack is unchanged (ie. it uses the BasicpasswordLoginModule), then the log shows that authentication to the portal uses just my login module.
This can be seen as follows, where I navigate to the portal, logon as one user, then logoff and logon as another user:
Message : LOGIN.OK
User: tu-1
Authentication Stack: mystack
Message : LOGOUT.OK
User: tu-1
Authentication Stack: mystack
Message : LOGIN.OK
User: Administrator
Authentication Stack: mystack
The "mylogonform" page is shown when logon is required in both cases.
However, if I modify the "ticket" login module stack by replacing the BasicPasswordLogonModule with a custom logon module that does automatic authentication, then the following is observed when the "mylogonform" page is displayed:
Message : LOGIN.FAILED
User: N/A
Authentication Stack: ticket
Message : LOGIN.OK
User: tu-1
Authentication Stack: ticket
For some reason, the modified "ticket" login module stack is now being executed, which was not the case when this login module stack was unmodified.
This stack automatically authenticates the current user (the initial failure is because the new login module asks the browser to send authentication data), and this "failure" causes the logon form to be displayed.
I can logon to the portal as the same user, and the logs show that "mystack" login module stack is used:
Message : LOGIN.OK
User: tu-1
Authentication Stack: mystack
Logoff shows that "mystack" is used for the actual logoff, but "ticket" is called again automatically and succeeds:
Message : LOGOUT.OK
User: tu-1
Authentication Stack: mystack
Message : LOGIN.FAILED
User: N/A
Authentication Stack: ticket
Message : LOGIN.OK
User: tu-1
Authentication Stack: ticket
(Again, the initial logon failure is the new login module requesting that the browser send authentication data in the next request).
This brings up the "mylogonform" page, even though it appears that a user has already been authenticated. If I try to logon as another user, the following is shown:
Message : LOGIN.FAILED
User: Administrator
Authentication Stack: mystack
Login Module Flag Initialize Login Commit Abort Details
com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok exception false true authscheme not sufficient: basicauthentication<mylogonform
Central Checks exception Call logout before login.
I guess one cannot authenticate as a new user until the current user has been logged out.
So ... why does the "ticket" login module get called in the second case, but not in the first case (or only shows logging in the second case) ?
What is the logic behind portal authentication and showing a logon page?
If I want to use custom authentication and a custom logon page, why is the "ticket" stack called at all?Jayesh,
there is no such thing like "login module stacks". The <b>do</b> exist on the other hand:
- login module
- logon stacks
Login module and logon stacks are part of the JAAS concept for defining a complex pluggable authentication scheme, original by SUN (see: java.sun.com/products/jaas)
A logon process is defined by a logon stack which itself consists of several login modules. Each login module performs an authentication step. Example:
login module 1: check if valid sap logon ticket provided
if module 1 fails: then login module 2: request user id/password
if module 2 succeeds: then login module 3: create new sap logon ticket for user
You can define multiple logon stacks and configure individual applications to use the one stack or the other.
The logon stack configuration is done using visual administrator. Here select the security provider service for configuring logon stacks.
btw: As logon stacks are "java-only", there are no transaction names (which only exist on Web AS ABAP).
Regards,
Dominik -
How to get Custom Login Module to communicate with frontendtarget
We have created a custom login module and placed it in our login module stack.
So we have the following 3 Login Modules in our stack:
EvaluateTicketModule
OurCustomLoginModule
CreateTicketModule
Also we are using the standard SAP login screen for our frontendtarget, see our authschemes.xml entry:
<authscheme name="cglogon">
<authentication-template>
form
</authentication-template>
<priority>21</priority>
<frontendtype>2</frontendtype>
<frontendtarget>com.sap.portal.runtime.logon.certlogon</frontendtarget>
</authscheme>
Question:
There are standard screens in the SAP login PAR:
changePasswordPage.jsp
umLogonProblemPage.jsp
umResetPasswordPage.jsp
How do I trigger one of these screens from my Login() method of my
custom login module? I thought if I throw some specific exception, these screens would
be called?A bit more info.
We created a new Authentication Scheme for certain iviews that are deemed more "sensitive" that required a step-up authentication.
I changed the Iview property "Authentication Scheme" to our custom one.
If I navigate into one of these more sensitive Iviews, I get the standard SAP login screen: <frontendtarget>com.sap.portal.runtime.logon.certlogon</frontendtarget>
Whis is what i expect.
I enter a username and password and click Logon button. I see that it successfully hits our custom login module and goes through Login(), and Commit() methods and finally displays the iview i originally requested.
However, on a failure, i want it to return focus to the SAP login screen with an error explaining why...(i.e. wrong password, account locked, etc.)
However, It always give iview runtime exception with Access Denied.
#1.5 #0018FE8C6FD800690000029000004D6C00045B6E5E7D6014#1226429496628#com.sap.engine.services.security.authentication.logincontext#sap.com/irj#com.sap.engine.services.security.authentication.logincontext#JOHNDOE#182##servername_EPX_176065950#JOHNDOE#bb3365a0b02111ddabea0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_24##0#0#Debug##Java###Login module {0} from authentication stack {1} does not authenticate the caller.#2#companyname.com.CGLoginModuleClass#form#
#1.5 #0018FE8C6FD800690000029100004D6C00045B6E5E7D6275#1226429496629#com.sap.engine.services.security.authentication.loginmodule.ticket.EvaluateTicketLoginModule#sap.com/irj#com.sap.engine.services.security.authentication.loginmodule.ticket.EvaluateTicketLoginModule.abort()#JOHNDOE#182##servername_EPX_176065950#JOHNDOE#bb3365a0b02111ddabea0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_24##0#0#Path##Plain###Entering method#
#1.5 #0018FE8C6FD800690000029200004D6C00045B6E5E7D6308#1226429496629#com.sap.engine.services.security.authentication.loginmodule.ticket.EvaluateTicketLoginModule#sap.com/irj#com.sap.engine.services.security.authentication.loginmodule.ticket.EvaluateTicketLoginModule#JOHNDOE#182##servername_EPX_176065950#JOHNDOE#bb3365a0b02111ddabea0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_24##0#0#Debug##Plain###Internal Login Module data has been reset.#
#1.5 #0018FE8C6FD800690000029300004D6C00045B6E5E7D6386#1226429496629#com.sap.engine.services.security.authentication.loginmodule.ticket.EvaluateTicketLoginModule#sap.com/irj#com.sap.engine.services.security.authentication.loginmodule.ticket.EvaluateTicketLoginModule#JOHNDOE#182##servername_EPX_176065950#JOHNDOE#bb3365a0b02111ddabea0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_24##0#0#Path##Java###Exiting method with {0}#1#true#
#1.5 #0018FE8C6FD800690000029400004D6C00045B6E5E7D6438#1226429496629#com.sap.engine.services.security.authentication.loginmodule.ticket.CreateTicketLoginModule#sap.com/irj#com.sap.engine.services.security.authentication.loginmodule.ticket.CreateTicketLoginModule.abort()#JOHNDOE#182##servername_EPX_176065950#JOHNDOE#bb3365a0b02111ddabea0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_24##0#0#Path##Plain###Entering method#
#1.5 #0018FE8C6FD800690000029500004D6C00045B6E5E7D64B2#1226429496629#com.sap.engine.services.security.authentication.loginmodule.ticket.CreateTicketLoginModule#sap.com/irj#com.sap.engine.services.security.authentication.loginmodule.ticket.CreateTicketLoginModule#JOHNDOE#182##servername_EPX_176065950#JOHNDOE#bb3365a0b02111ddabea0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_24##0#0#Path##Java###Exiting method with {0}#1#true#
#1.5 #0018FE8C6FD800690000029700004D6C00045B6E5E7D6750#1226429496630#com.sap.engine.services.security.authentication.logincontext#sap.com/irj#com.sap.engine.services.security.authentication.logincontext#JOHNDOE#182##servername_EPX_176065950#JOHNDOE#bb3365a0b02111ddabea0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_24##0#0#Info#1#/System/Security/Authentication#Plain###LOGIN.FAILED
User: N/A
Authentication Stack: form
Login Module Flag Initialize Login Commit Abort Details
1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok exception true authscheme not sufficient: uidpwdlogon<cglogon
\#1 ume.configuration.active = true
2. companyname.com.CGLoginModuleClass REQUISITE ok exception true Authentication did not succeed.
3. com.sap.security.core.server.jaas.CreateTicketLoginModule OPTIONAL ok true
\#1 ume.configuration.com = true#
#1.5 #0018FE8C6FD800690000029900004D6C00045B6E5E7DA973#1226429496647#System.err#sap.com/irj#System.err#JOHNDOE#182##servername_EPX_176065950#JOHNDOE#bb3365a0b02111ddabea0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_24##0#0#Error##Plain###Nov 11, 2008 10:51:36... com.sap.portal.portal [SAPEngine_Application_Thread[impl:3]_24] Error: Exception ID:10:51_11/11/08_0002_176065950
#1.5 #0018FE8C6FD800690000029B00004D6C00045B6E5E7DCA91#1226429496647#com.sap.portal.portal#sap.com/irj#com.sap.portal.portal#JOHNDOE#182##servername_EPX_176065950#JOHNDOE#bb3365a0b02111ddabea0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_24##0#0#Error#1#/System/Server#Java###Exception ID:10:51_11/11/08_0002_176065950
[EXCEPTION]
{0}#1#com.sapportals.portal.prt.runtime.PortalRuntimeException: Access is denied: pcd:portal_content/com.companyname.portal.capitalgroup/com.companyname.com.security/com.companyname.portal.cghressnaaa/com.sap.pct.ess.employee_self_service/com.companyname.pg_sensitiveWebdynpro/com.cg.ivu_saplogon_0 - user: Guest
at com.sapportals.portal.prt.deployment.DeploymentManager.getPropertyContentProvider(DeploymentManager.java:1936)
at com.sapportals.portal.prt.core.broker.PortalComponentContextItem.refresh(PortalComponentContextItem.java:230)
at com.sapportals.portal.prt.core.broker.PortalComponentContextItem.getContext(PortalComponentContextItem.java:312)
at com.sapportals.portal.prt.component.PortalComponentRequest.getComponentContext(PortalComponentRequest.java:385)
at com.sapportals.portal.prt.connection.PortalRequest.getRootContext(PortalRequest.java:435)
at com.sapportals.portal.prt.core.PortalRequestManager.runRequestCycle(PortalRequestManager.java:607)
at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:240)
at com.sapportals.portal.prt.dispatcher.Dispatcher$doService.run(Dispatcher.java:545)
and here's my login method...
public boolean login() throws javax.security.auth.login.LoginException
this.succeeded = false;
String passwordString = "";
if (callbackHandler == null)
throw new LoginException("Error: no CallbackHandler available to garner authentication information from the user");
HttpGetterCallback httpgettercallback = new HttpGetterCallback();
NameCallback nc = new NameCallback("User:");
PasswordCallback pc = new PasswordCallback("Password:", false);
Callback[] callbacks = new Callback[] { nc, pc };
try
callbackHandler.handle(callbacks);
catch (IOException e)
throwUserLoginException(e, LoginExceptionDetails.IO_EXCEPTION);
catch (UnsupportedCallbackException e)
return false;
String userid = nc.getName();
char[] password = pc.getPassword();
pc.clearPassword();
if (userid.length() == 0)
throwNewLoginException("USERID IS MISSING!", LoginExceptionDetails.IO_EXCEPTION);
else
username = userid;
if (password.length == 0)
throwNewLoginException("PASSWORD IS MISSING!", LoginExceptionDetails.NO_PASSWORD);
else
passwordString = new String(password);
String eccLoginResult = validateECCAuthentication(username, passwordString);
if (!eccLoginResult.equals(""))
myLoc.infoT(this.username + " - failed ECC authentication.");
throwNewLoginException("Wrong UserId/Password", LoginExceptionDetails.WRONG_USERNAME_PASSWORD_COMBINATION);
else
myLoc.infoT(this.username + " - failed ECC authentication.");
this.succeeded = true;
if (this.succeeded)
try
refreshUserInfo(this.username);
catch (SecurityException e)
throwUserLoginException(e);
if (sharedState.get(AbstractLoginModule.NAME) == null)
sharedState.put(AbstractLoginModule.NAME, this.username);
this.nameSet = true;
else
throwNewLoginException("Wrong UserId/Password", LoginExceptionDetails.WRONG_USERNAME_PASSWORD_COMBINATION);
return this.succeeded; -
Autentication error in Web Service after Login Module
Hi Experts,
I am getting a failed autentication when i try to access a web service. This is my scenario:
I have developed my own login module using JAAS. When i call a web service, the login module is executed, then it validate the credencials and make the authetication true. After that the web service is called. The web Service is mark as user/password authetication. But i always get this error:
Authentication for web service UtilityService, configuration UtilityService using security policy BASIC___ws failed: Login failed.. (See SAP Note 880896 for further info).
Just for you know, the credentials taht i use in login modulo isn't the user of UME. I use user store in another user store. I fthe credential is correct pass to the Principal an user of UME. To login stack is right when pass to login module:
LOGIN.OK
User: tecbmmab
IP Address: 192.168.14.48
Authentication Stack: tridmen.com.br/pegasus~ear*pegasus
Login Module Flag Initialize Login Commit Abort Details
1. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule SUFFICIENT ok false false
2. br.com.tridmen.login.ERPCEHeaderLoginModule REQUISITE ok true true
#1 Client = 800
#2 Destination_reference = CUSTOM_DEST
#3 SysId = DE1
#4 SysNum = 00
#5 TargetHost = tecs220
#6 TrATicket = TRATICKETCTRL
Central Checks true
After this, the error mention above, of web service happen.
As my knowledge, when i call the web service i already have the session autenticate with login module. But this is not happen.
Could someone help with this question?
Best regards
Marcos BrandãHi,
in what order did you specify your login modules? In that error message it looks like it's in wrong order. Your custom module should be first with SUFFICIENT and then standard user name/password with REQUISITE.
Cheers -
Custom Login Module Behavior (JAAS)...Help!
Problem: After successful authentication through a custom login module, the screen stays on the login screen and does not go to the iview you clicked on...
I have created a login module as documented [here|http://help.sap.com/saphelp_nw04s/helpdata/en/46/3ce9402f3f8031e10000000a1550b0/frameset.htm].
I have added a new entry in the authschemes.xml file:
<authscheme name="cglogon">
<authentication-template>
form
</authentication-template>
<priority>21</priority>
<frontendtype>2</frontendtype>
<frontendtarget>com.sap.portal.runtime.logon.certlogon</frontendtarget>
</authscheme>
As you can see above, i wanted to try to use the standard sap screen: com.sap.portal.runtime.logon.certlogon
Also, the logon module stack called "form" contains one and only one login module: mycompany.com.CGLoginModuleClass (REQUISITE)
Here is also the code to my Login() method of my module:
public boolean login() throws LoginException
Exception exception_on_the_way = null;
String passwordString = "";
NameCallback nc = new NameCallback("User:");
PasswordCallback pc = new PasswordCallback("Password:", false);
Callback[] callbacks = new Callback[] { nc, pc };
try
callbackHandler.handle(callbacks);
catch (IOException e)
exception_on_the_way = e;
catch (UnsupportedCallbackException e)
exception_on_the_way = e;
String userid = nc.getName();
char[] password = pc.getPassword();
pc.clearPassword();
if (userid.length() == 0)
throw new LoginException(MISSING_UID);
else
userName = userid;
if (password.length == 0)
throw new LoginException(MISSING_PASSWORD);
else
passwordString = new String(password);
try
refreshUserInfo(userName);
catch (SecurityException e)
exception_on_the_way = e;
if (exception_on_the_way != null)
// A productive application should write an entry
// into the trace here
exception_on_the_way.printStackTrace();
throw new LoginException("Could not handle callbacks");
String eccLoginResult = "";
//eccLoginResult = validateECCAuthentication(userName, passwordString);
if (!eccLoginResult.equals(""))
//throwNewLoginException(eccLoginResult);
//throw new LoginException(USER_AUTH_FAILED);
throwNewLoginException("Wrong UserId/Password", LoginExceptionDetails.WRONG_USERNAME_PASSWORD_COMBINATION);
else
successful = true;
if (sharedState.get(AbstractLoginModule.NAME) == null)
sharedState.put(AbstractLoginModule.NAME, userName);
nameSet = true;
return true;
I set up a random iview in the portal to use our new authentication scheme: cglogon by changing the iview property Authentication Scheme.
After clicking the logon button, My login() method gets called and sucessful is set to true. Also the commit() method gets called.
Problem: However, the screen gets redirected to the logon screen again...
Here is the trace in the logs:
Used Passport Type: 3
#[Security Context : [Security Session (3929) for kcf created at Thu Nov 06 08:40:44 PST 2008]]#
#1.5 #0018FE8C6FD8007200003781000041C100045B07FD434AB8#1225989778316#com.sap.engine.services.security.sessionmanagement##com.sap.engine.services.security.sessionmanagement#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Debug##Java###Persistent listeners of {0} notified#1#[Security Context : [Security Session (3929) for kcf created at Thu Nov 06 08:40:44 PST 2008]]#
#1.5 #0018FE8C6FD8007200003782000041C100045B07FD4353D2#1225989778319#com.sap.engine.services.security.authentication.programmatic#sap.com/irj#com.sap.engine.services.security.authentication.programmatic.logon#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Path##Java###Entering method with ({0})#1#com.sap.engine.services.servlets_jsp.server.runtime.client.HttpServletRequestFacade@2cbd9a10, com.sap.engine.services.servlets_jsp.server.runtime.client.HttpServletResponseFacade@5db3e73e, cglogon#
#1.5 #0018FE8C6FD8007200003783000041C100045B07FD435510#1225989778319#com.sap.engine.services.security.policyconfiguration#sap.com/irj#com.sap.engine.services.security.policyconfiguration#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Debug##Java###Security context [{0}] successfully loaded from cache.#1#form#
#1.5 #0018FE8C6FD8007200003784000041C100045B07FD43559B#1225989778319#com.sap.engine.services.security.policyconfiguration#sap.com/irj#com.sap.engine.services.security.policyconfiguration#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Path##Plain###Entering PolicyConfigurationSecurityContext.getAuthenticationContext()#
#1.5 #0018FE8C6FD8007200003785000041C100045B07FD43560F#1225989778319#com.sap.engine.services.security.policyconfiguration#sap.com/irj#com.sap.engine.services.security.policyconfiguration#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Path##Plain###Exiting PolicyConfigurationSecurityContext.getAuthenticationContext()#
#1.5 #0018FE8C6FD8007200003786000041C100045B07FD435864#1225989778320#com.sap.engine.services.security.policyconfiguration#sap.com/irj#com.sap.engine.services.security.policyconfiguration#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Debug##Java###New policy configuration modification context successfully created for configuration with path [{0}].#1#security/configurations/form#
#1.5 #0018FE8C6FD8007200003787000041C100045B07FD4358F8#1225989778320#com.sap.engine.services.security.policyconfiguration#sap.com/irj#com.sap.engine.services.security.policyconfiguration#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Path##Plain###Entering Storage.getStorage(Configuration config)#
#1.5 #0018FE8C6FD8007200003788000041C100045B07FD435983#1225989778320#com.sap.engine.services.security.policyconfiguration#sap.com/irj#com.sap.engine.services.security.policyconfiguration#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Debug##Java###New storage [{0}] created.#1#com.sap.engine.services.security.server.storage.AtomicStorage@3091c97c#
#1.5 #0018FE8C6FD8007200003789000041C100045B07FD435A00#1225989778320#com.sap.engine.services.security.policyconfiguration#sap.com/irj#com.sap.engine.services.security.policyconfiguration#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Path##Plain###Exiting Storage.getStorage(Configuration config)#
#1.5 #0018FE8C6FD800720000378A000041C100045B07FD435A7B#1225989778320#com.sap.engine.services.security.policyconfiguration#sap.com/irj#com.sap.engine.services.security.policyconfiguration#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Path##Plain###Entering Storage.begin()#
#1.5 #0018FE8C6FD800720000378B000041C100045B07FD435B31#1225989778321#com.sap.engine.services.security.policyconfiguration#sap.com/irj#com.sap.engine.services.security.policyconfiguration#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Debug##Java###New configuration handler [{0}] created.#1#com.sap.engine.core.configuration.impl.ConfigurationHandlerImpl@334304cd#
#1.5 #0018FE8C6FD800720000378C000041C100045B07FD435BC8#1225989778321#com.sap.engine.services.security.policyconfiguration#sap.com/irj#com.sap.engine.services.security.policyconfiguration#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Path##Plain###Exiting Storage.begin()#
#1.5 #0018FE8C6FD800720000378D000041C100045B07FD435C3A#1225989778321#com.sap.engine.services.security.policyconfiguration#sap.com/irj#com.sap.engine.services.security.policyconfiguration#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Debug##Plain###New modification bundle started for the current thread.#
#1.5 #0018FE8C6FD800720000378E000041C100045B07FD435CC6#1225989778321#com.sap.engine.services.security.policyconfiguration#sap.com/irj#com.sap.engine.services.security.policyconfiguration#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Debug##Java###Trying to get configuration [{0}] from storage; write access [{1}]; create if missing [{2}]#3#security/configurations/form/security/authentication#false#false#
#1.5 #0018FE8C6FD800720000378F000041C100045B07FD435DC0#1225989778321#com.sap.engine.services.security.policyconfiguration#sap.com/irj#com.sap.engine.services.security.policyconfiguration#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Debug##Java###Configuration returned from storage successfully [{0}].#1#security/configurations/form/security/authentication#
#1.5 #0018FE8C6FD8007200003790000041C100045B07FD436148#1225989778322#com.sap.engine.services.security.policyconfiguration#sap.com/irj#com.sap.engine.services.security.policyconfiguration#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Path##Plain###Entering Storage.forget()#
#1.5 #0018FE8C6FD8007200003791000041C100045B07FD436225#1225989778322#com.sap.engine.services.security.policyconfiguration#sap.com/irj#com.sap.engine.services.security.policyconfiguration#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Path##Plain###Exiting Storage.forget()#
#1.5 #0018FE8C6FD8007200003792000041C100045B07FD43629D#1225989778322#com.sap.engine.services.security.policyconfiguration#sap.com/irj#com.sap.engine.services.security.policyconfiguration#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Debug##Plain###Successful forget of modification bundle for the current thread.#
#1.5 #0018FE8C6FD8007200003793000041C100045B07FD4363B9#1225989778323#com.sap.engine.services.security.authentication.logincontext#sap.com/irj#com.sap.engine.services.security.authentication.logincontext#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Info##Plain###Re-authentication requested.#
#1.5 #0018FE8C6FD8007200003794000041C100045B07FD4364BA#1225989778323#com.sap.engine.services.security.policyconfiguration#sap.com/irj#com.sap.engine.services.security.policyconfiguration#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Debug##Java###Security context [{0}] successfully loaded from cache.#1#form#
#1.5 #0018FE8C6FD8007200003795000041C100045B07FD436534#1225989778323#com.sap.engine.services.security.policyconfiguration#sap.com/irj#com.sap.engine.services.security.policyconfiguration#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Path##Plain###Entering PolicyConfigurationSecurityContext.getAuthenticationContext()#
#1.5 #0018FE8C6FD8007200003796000041C100045B07FD4365A6#1225989778323#com.sap.engine.services.security.policyconfiguration#sap.com/irj#com.sap.engine.services.security.policyconfiguration#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Path##Plain###Exiting PolicyConfigurationSecurityContext.getAuthenticationContext()#
#1.5 #0018FE8C6FD8007200003797000041C100045B07FD439765#1225989778336#com.sap.engine.services.security.authentication.logincontext#sap.com/irj#com.sap.engine.services.security.authentication.logincontext#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Info##Java###User [{0}] attempt to re-authenticate.#1#kcf#
#1.5 #0018FE8C6FD8007200003798000041C100045B07FD439CA1#1225989778337#com.sap.engine.services.security.sessionmanagement#sap.com/irj#com.sap.engine.services.security.sessionmanagement#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Info##Java###Principal {0} assigned to {1}#2#kcf#[Security Session (3929) for kcf created at Thu Nov 06 08:40:44 PST 2008]#
#1.5 #0018FE8C6FD8007200003799000041C100045B07FD439D6C#1225989778338#com.sap.engine.services.security.sessionmanagement#sap.com/irj#com.sap.engine.services.security.sessionmanagement#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Info##Java###Subject {0} assigned to {1}#2#Subject:
Principal: kcf
#[Security Session (3929) for kcf created at Thu Nov 06 08:40:44 PST 2008]#
#1.5 #0018FE8C6FD800720000379A000041C100045B07FD439DF3#1225989778338#com.sap.engine.services.security.authentication.logincontext#sap.com/irj#com.sap.engine.services.security.authentication.logincontext#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Info##Java###Re-authentication for user [{0}] successfull.#1#kcf#
#1.5 #0018FE8C6FD800720000379C000041C100045B07FD439F9B#1225989778338#com.sap.engine.services.security.authentication.logincontext#sap.com/irj#com.sap.engine.services.security.authentication.logincontext#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Info#1#/System/Security/Authentication#Plain###LOGIN.OK
User: kcf
Authentication Stack: form
Login Module Flag Initialize Login Commit Abort Details
1. mycompany.com.CGLoginModuleClass REQUISITE ok true true
Central Checks true #
#1.5 #0018FE8C6FD800720000379D000041C100045B07FD43A10D#1225989778338#com.sap.engine.services.security.authentication.programmatic#sap.com/irj#com.sap.engine.services.security.authentication.programmatic.logon#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Debug##Plain###Security session assigned successfully to the http session.#
#1.5 #0018FE8C6FD800720000379F000041C100045B07FD43CC17#1225989778349#com.sap.engine.services.security.authentication.programmatic#sap.com/irj#com.sap.engine.services.security.authentication.programmatic#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Path##Plain###Exiting logon with authenticated subject.#
#1.5 #0018FE8C6FD80072000037A0000041C100045B07FD43D9FE#1225989778353#com.sap.engine.services.security.authentication.programmatic#sap.com/irj#com.sap.engine.services.security.authentication.programmatic.isAuthenticated#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Path##Java###Entering method with ({0})#1#KCF#
#1.5 #0018FE8C6FD80072000037A1000041C100045B07FD43DAC6#1225989778353#com.sap.engine.services.security.authentication.programmatic#sap.com/irj#com.sap.engine.services.security.authentication.programmatic.isAuthenticated#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Path##Java###Exiting method with {0}#1#false#
#1.5 #0018FE8C6FD80072000037A2000041C100045B07FD440358#1225989778364#com.sap.engine.services.security.authentication.logonapplication#sap.com/irj#com.sap.engine.services.security.authentication.logonapplication.initBeans#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Info##Plain###LanguagesBean created#
#1.5 #0018FE8C6FD80072000037A3000041C100045B07FD44045E#1225989778364#com.sap.engine.services.security.authentication.logonapplication#sap.com/irj#com.sap.engine.services.security.authentication.logonapplication.executeRequest#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Info##Plain###No command found, forwarding to umLogonPage#
#1.5 #0018FE8C6FD80072000037A4000041C100045B07FD4429BF#1225989778373#com.sap.engine.services.security.sessionmanagement##com.sap.engine.services.security.sessionmanagement#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Path##Java###Entering SecurityContext.empty() on {0}#1#[Security Context : [Security Session (3929) for kcf created at Thu Nov 06 08:40:44 PST 2008]]#
#1.5 #0018FE8C6FD80072000037A5000041C100045B07FD442AC1#1225989778374#com.sap.engine.services.security.sessionmanagement##com.sap.engine.services.security.sessionmanagement#Guest#0##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Debug##Java###Notifying persistent listener {0} of {1}#2#
User ID : kcf
Service Type : Web Request
Action Name : Appl.: irj:com.cg.ivu_saplogon_0
Action Type : http
Additional Info : null
CPU Time [us] : 0
Queue Time [us] : 4295152
No of ext. calls : 0
Edited by: K Ferguson on Nov 6, 2008 6:07 PMI am facing the same problem.
And how was is solved ?
Thanks -
What is so special about the "ticket" login module stack?
G'day,
I am observing some odd behaviour with login module stacks.
I have a custom login module that performs authentication using information in the HTTP servlet request. This custom login module does not require any interaction from the user. I want to use this custom login module when I authenticate to the portal.
By default, the portal uses an authentication scheme known as "uidpwdlogon", which uses the "ticket" login module stack, which is configured to perform basic password login. When I attempt to access the portal I am presented with a username/password page and I need to enter a username and password, hit the "submit" button, and access to the portal is granted.
So I replaced the BasicPasswordLoginModule entry in the "ticket" login module stack with my custom login module, and now access to the portal is granted automatically, as expected. There is no username/password page displayed.
But if I create a new login module stack that contains exactly the same modules as "ticket" login module stack, and modify the "uidpwdlogon" authentication scheme to use my new login module stack instead of the "ticket" login module stack, then something odd occurs: I am now presented with a username/password page again. I need to hit the "submit" button to navigate away from this page before the custom login module stack will process, which will then grant access to the portal.
If I change the "uidpwdlogon" authentication scheme back to use the "ticket" login module stack (which is exactly the same as the previous login module stack), then access to the portal is granted automatically without showing a username/password page.
So: if the (modified) "ticket" login module stack is used, there's no username/password page shown. If a copy of that login module stack is used, then a username/password page is shown.
What's going on here?G'day,
Thanks for the reply.
The relevant parts of the authschemes.xml file are as follows:
<authscheme name="uidpwdlogon">
<authentication-template>myloginstack</authentication-template>
<priority>21</priority>
<frontendtype>2</frontendtype>
<frontendtarget>com.sap.portal.runtime.logon.certlogon</frontendtarget>
</authscheme>
<authscheme-ref name="default">
<authscheme>uidpwdlogon</authscheme>
</authscheme-ref>
<authscheme-ref name="UserAdminScheme">
<authscheme>uidpwdlogon</authscheme>
</authscheme-ref>
Note that I have changed the uidpwdlogon element to use "myloginstack" instead of "ticket", and changed the priority from 20 to 21, as suggested (but it should be noted that the outcome is the same regardless of priority).
The "ticket" login module stack is defined as follows:
EvaulateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
MyLoginModule REQUISITE {...}
CreateTicketLoginModule OPTIONAL {ume.configuration.active=true}
and the "myloginstack" is defined identically as follows:
EvaulateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
MyLoginModule REQUISITE {...}
CreateTicketLoginModule OPTIONAL {ume.configuration.active=true}
When the "uidpwdlogon" authentication scheme is configured to use the "myloginstack" login module stack, the browser immediately opens up the normal username/password page. I wait for a few minutes (for logging reasons), then hit submit, and access to the portal is granted.
The log output for this is as follows:
Message : LOGIN.FAILED
User: N/A
Authentication Stack: myloginstack
Login Module Flag Initialize Login Commit Abort Details
com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok false true
MyLoginModule REQUISITE ok exception true Further authentication required from client
com.sap.security.core.server.jaas.CreateTicketLoginModule OPTIONAL ok true
Message : LOGIN.OK
User: testuser
Authentication Stack: myloginstack
Login Module Flag Initialize Login Commit Abort Details
com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok false false
MyLoginModule REQUISITE ok true true
com.sap.security.core.server.jaas.CreateTicketLoginModule OPTIONAL ok true true
Central Checks true
There are two login stack events because the first login stack event asks the browser to pass along authentication data, which is processed in the second login stack event.
Also note that the time of the first login module event is a few minutes after the username/password page appears, suggesting that the portal is attempting to obtain information before it processes the login module stack.
If I change the "uidpwdlogon" authentication scheme to use the "ticket" login module stack, then no username/password page appears and the security log is essentially identical to that of "myloginstack":
Message : LOGIN.FAILED
User: N/A
Authentication Stack: ticket
Login Module Flag Initialize Login Commit Abort Details
com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok false true
MyLoginModule REQUISITE ok exception true Further authentication required from client
com.sap.security.core.server.jaas.CreateTicketLoginModule OPTIONAL ok true
Message : LOGIN.OK
User: testuser
Authentication Stack: ticket
Login Module Flag Initialize Login Commit Abort Details
com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok false false
MyLoginModule REQUISITE ok true true
com.sap.security.core.server.jaas.CreateTicketLoginModule OPTIONAL ok true true
Central Checks true
I am creating the "myloginstack" login module stack using the Visual Administrator tool, by clicking the "Add" button for the "Policy Configurations" tab of the SecurityProvider service. Note that when I do this the entry for "myloginstack" gets a diamond icon, while the entry for "ticket" has a different icon (resembling a graph). I do not know what these different icons beside each policy configuration imply (is "ticket" different to "myloginstack" somehow?) nor how to create a new policy configuration that will have different icon.
I assume the username/password page is shown because the <frontendtarget> element in the "uidpwdlogon" authentication scheme is defined to use "com.sap.portal.runtime.logon.certlogon". Perhaps there is another value I can use here that displays nothing and redirects the browser directly to the portal? -
Cannot load login module class
Hi,
i'm working on customizing Login Module now.
i have bulit the project and deploy the SDA file follow this link "[sap help|http://help.sap.com/saphelp_nw70/helpdata/en/76/08b34095070361e10000000a155106/frameset.htm]".
My Java project name is: MyLoginModule, with class file "MyLoginModuleClass" in "com.mycompany" package.
And my library project name is: MyLoginModuleLibrary, with "MyLoginModule.jar" in Jars,
and with "security_api" "com.sap.tc.logging" "com.sap.engin.lib.add_ejb" "security.class" "com.sap.security.api.sda" "com.sap.security.core.sda" in reference
After these steps, logon is failed.
and i get some log using "Note 1045019 - Web diagtool" below:
LOGIN.FAILED
User: N/A
Authentication Stack: ticket
Login Module Flag Initialize Login Commit Abort Details
1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule
--- SUFFICIENT ok false true
2. com.mycompany.MyLoginModuleClass
--- OPTIONAL Cannot load login module class. com.mycompany.MyLoginModuleClass
Found in negative cache
---Loader Info ---
ClassLoader name: [common:library:com.sap.security.api.sda;library:com.sap.security.core.sda;library:security.class;library:webservices_lib;service:adminadapter;service:basicadmin;
service:com.sap.security.core.ume.service;service:configuration;service:connector;service:dbpool;service:deploy;service:jmx;service:jmx_notification;service:keystore;service:security;service:userstore
Parent loader name: [Frame ClassLoader]
References:
Why didn't i see MyLoginModuleLibrary in "ClassLoader name" though i've add it in ConfigTool already.
Maybe this is the reason "cannot load login module calss com.mycompany.MyLoginModule"?
Any suggestion?
Regards,
Fishyhi
this will give some idea
http://help.sap.com/saphelp_nw2004s/helpdata/en/2b/23e4407211732ae10000000a155106/content.htm
http://docs.sun.com/app/docs/doc/820-4801/gbyuw?a=view
Re: Deploying a custom login module to the J2EE engine
bvr
Edited by: bvr on May 7, 2009 12:53 PM -
How to configure login modules for certificate logon
Hello,
perhaps someone of you has also tried to implement SSO via Client Certificates and is able to help me...
I have configured the login modules for rule based authentication with the option Rule1.getUserFrom = wholeCert and I have attached my certificate to my user in useradmin.
And also added the login module to the template ticket, as suggested by the documentation at help.sap.com
But when I logon to the portal or other application (for example useradmin) via https the authentication doesn't work (but I'm still able to logon via password).
I also tried auto. certifcate mapping and mapping by subject name but in every case the system ignores the configured login module. There are no errors in the log files.
Thank You,
FrankHi Frank,
did you configure the SSO for an individual policy configuration or did you edit and save the changes the ticket policy config? I ask, b/c if you applied the changes to the individual policy config then the SSO with certificates will be used <b>only</b> when you access the applications for that policy config.
You can also double check the login module flags - perhaps the authentication check doesn't reach the ClientCertLM at all.
Since you followed the help portal instruction I assume you've enabled strong crypto - it is required for client cert SSO. Ano easily committed mistake is to also not use the HTTPS port in the access URL.
Let me know if this helps...
Yonko -
How to configure Login Modules Stack for Kerberos/LDAP
Hello collegues,
currenty we are working on UME configuration for the following use case.
Clustered portal instance NW2004s running on AIX should be able to authenificate two groups of users.
The first one is described by LDAP Data Source (Sun Directory Server) and using some artificial unique userID. Based on this userID, the SSO Ticket is created to get acces to the backend R/3 system. The LDAP schema has an "userdomain" attribute in it.
The new group using ADS. These users are happy using it, because they have windows-based authentification and don't forced to type any credentials during login.
There are plenty of blogs decribing how to connect ADS (even as a second DataSource) to UME.
There are two unsolved problems:
1. ADS account attributes does not have the userID needed to get an SSO Ticket
2. LDAP DataSource has no ADS password and can not be used for Kerberos authentification.
What could be a solution for this case? I am sure we need an extra login module which enrich the Subject (user, which is already authentificated by SPNego module) with userID, selected from LDAP DataSource based on user attributes.
Is there any other solution? May be I can mix some attributes in a DataSource configuration file?
Best regards
Sergej NaimarkHi Frank,
did you configure the SSO for an individual policy configuration or did you edit and save the changes the ticket policy config? I ask, b/c if you applied the changes to the individual policy config then the SSO with certificates will be used <b>only</b> when you access the applications for that policy config.
You can also double check the login module flags - perhaps the authentication check doesn't reach the ClientCertLM at all.
Since you followed the help portal instruction I assume you've enabled strong crypto - it is required for client cert SSO. Ano easily committed mistake is to also not use the HTTPS port in the access URL.
Let me know if this helps...
Yonko -
Help - using custom login module with embedded jdev oc4j to access ejb 3
Hi All (Frank ??),
I'm just wondering if anyone has successfully been able to leverage a custom login module in combination
with a client that connects to a local EJB 3 stateless session bean through Jdeveloper 10.1.3.2's embedded oc4j.
I have spent 2+ days trying to get this to work - and i think I resound now to the fact im going to
have to deploy to oc4j standalone instead.
I got close.. but finally was trumped with the following error from the client trying to access the ejb:-
javax.naming.NoPermissionException: Not allowed to look up XXXXXX, check the namespace-access tag
setting in orion-application.xml for details.
Using the various guides available, I had no problem getting the custom login module working
with a local servlet running from JDev's embedded oc4j.. however with ejb - no such luck.
I have a roles table (possible values Member, Admin) - that maps to sr_Member and sr_Admin
respectively in various config files.
I'm using EJB 3 annotations for protecting methods .. for example
@RolesAllowed("sr_Member")
Steps that I had to do so far :-
In <jdevhome>\jdev\system\oracle.jwee.10.1.3.40.66\embedded-oc4j\config\system-jazn-data.xml1) Add custom login module
<application>
<name>current-workspace-app</name>
<login-modules>
<login-module>
<class>kr.security.KnowRushLoginModule</class>
<control-flag>required</control-flag>
<options>
<option>
<name>dataSource</name>
<value>jdbc/DB_XE_KNOWRUSHDS</value>
</option>
<option>
<name>user.table</name>
<value>users</value>
</option>
<option>
<name>user.pk.column</name>
<value>id</value>
</option>
<option>
<name>user.name.column</name>
<value>email_address</value>
</option>
<option>
<name>user.password.column</name>
<value>password</value>
</option>
<option>
<name>role.table</name>
<value>roles</value>
</option>
<option>
<name>role.to.user.fk.column</name>
<value>user_id</value>
</option>
<option>
<name>role.name.column</name>
<value>name</value>
</option>
</options>
</login-module>
</login-modules>
</application>2) Grant login rmi permission to roles associated with custom login module (also in system-jazn-data.xml)
<grant>
<grantee>
<principals>
<principal>
<realm-name>jazn.com</realm-name>
<type>role</type>
<class>kr.security.principals.KRRolePrincipal</class>
<name>Admin</name>
</principal>
</principals>
</grantee>
<permissions>
<permission>
<class>com.evermind.server.rmi.RMIPermission</class>
<name>login</name>
</permission>
</permissions>
</grant>
<grant>
<grantee>
<principals>
<principal>
<realm-name>jazn.com</realm-name>
<type>role</type>
<class>kr.security.principals.KRRolePrincipal</class>
<name>Member</name>
</principal>
</principals>
</grantee>
<permissions>
<permission>
<class>com.evermind.server.rmi.RMIPermission</class>
<name>login</name>
</permission>
</permissions>
</grant>3) I've tried creating various oracle and j2ee deployment descriptors (even though ejb-jar.xml and orion-ejb-jar.xml get created automatically when running the session bean in jdev).
My ejb-jar.xml contains :-
<?xml version="1.0" encoding="utf-8"?>
<ejb-jar xmlns ....
<assembly-descriptor>
<security-role>
<role-name>sr_Admin</role-name>
</security-role>
<security-role>
<role-name>sr_Member</role-name>
</security-role>
</assembly-descriptor>
</ejb-jar>Note- i'm not specifying the enterprise-beans stuff, as JDev seems to populate this automatically.
My orion-ejb-jar.xml contains ...
<?xml version="1.0" encoding="utf-8"?>
<orion-ejb-jar ...
<assembly-descriptor>
<security-role-mapping name="sr_Admin">
<group name="Admin"></group>
</security-role-mapping>
<security-role-mapping name="sr_Member">
<group name="Member"></group>
</security-role-mapping>
<default-method-access>
<security-role-mapping name="sr_Member" impliesAll="true">
</security-role-mapping>
</default-method-access>
</assembly-descriptor>My orion-application.xml contains ...
<?xml version="1.0" encoding="utf-8"?>
<orion-application xmlns ...
<security-role-mapping name="sr_Admin">
<group name="Admin"></group>
</security-role-mapping>
<security-role-mapping name="sr_Member">
<group name="Member"></group>
</security-role-mapping>
<jazn provider="XML">
<property name="role.mapping.dynamic" value="true"></property>
<property name="custom.loginmodule.provider" value="true"></property>
</jazn>
<namespace-access>
<read-access>
<namespace-resource root="">
<security-role-mapping name="sr_Admin">
<group name="Admin"/>
<group name="Member"/>
</security-role-mapping>
</namespace-resource>
</read-access>
<write-access>
<namespace-resource root="">
<security-role-mapping name="sr_Admin">
<group name="Admin"/>
<group name="Member"/>
</security-role-mapping>
</namespace-resource>
</write-access>
</namespace-access>
</orion-application>My essentially auto-generated EJB 3 client does the following :-
Hashtable env = new Hashtable();
env.put(Context.SECURITY_PRINCIPAL, "matt.shannon");
env.put(Context.SECURITY_CREDENTIALS, "welcome1");
final Context context = new InitialContext(env);
KRFacade kRFacade = (KRFacade)context.lookup("KRFacade");
...And throws the error
20/04/2007 00:55:37 oracle.j2ee.rmi.RMIMessages
EXCEPTION_ORIGINATES_FROM_THE_REMOTE_SERVER
WARNING: Exception returned by remote server: {0}
javax.naming.NoPermissionException: Not allowed to look
up KRFacade, check the namespace-access tag setting in
orion-application.xml for details
at
com.evermind.server.rmi.RMIClientConnection.handleLookupRe
sponse(RMIClientConnection.java:819)
at
com.evermind.server.rmi.RMIClientConnection.handleOrmiComm
andResponse(RMIClientConnection.java:283)
....I can see from the console that the user was successfully authenticated :-
20/04/2007 00:55:37 kr.security.KnowRushLoginModule validate
WARNING: [KnowRushLoginModule] User matt.shannon authenticated
And that user is granted both the Admin, and Member roles.
The test servlet using basic authentication correctly detects the user and roles perfectly...
public void doGet(HttpServletRequest request,
HttpServletResponse response)
throws ServletException, IOException
LOGGER.log(Level.INFO,LOGPREFIX +"doGet called");
response.setContentType(CONTENT_TYPE);
PrintWriter out = response.getWriter();
out.println("<html>");
out.println("<head><title>ExampleServlet</title></head>");
out.println("<body>");
out.println("<p>The servlet has received a GET. This is the reply.</p>");
out.println("<br> getRemoteUser = " + request.getRemoteUser());
out.println("<br> getUserPrincipal = " + request.getUserPrincipal());
out.println("<br> isUserInRole('sr_Admin') = "+request.isUserInRole("sr_Admin"));
out.println("<br> isUserInRole('sr_Memeber') = "+request.isUserInRole("sr_Member"));Anyone got any ideas what could be going wrong?
cheers
Matt.
Message was edited by:
mshannonThanks for the response. I checked out your blog and tried your suggestions. I'm sure it works well in standalone OC4J, but i was still unable to get it to function correctly from JDeveloper embedded.
Did you ever get the code working directly from JDeveloper?
Your custom code essentially seems to be the equivalent of a grant within system-jazn-data.xml.
For example, the following grant to a custom jaas role (JAAS_ADMIN) that gets added by my custom login module gives them rmi login access :-
<grant>
<grantee>
<principals>
<principal>
<realm-name>jazn.com</realm-name>
<type>role</type>
<class>kr.security.principals.KRRolePrincipal</class>
<name>JAAS_Admin</name>
</principal>
</principals>
</grantee>
<permissions>
<permission>
<class>com.evermind.server.rmi.RMIPermission</class>
<name>login</name>
</permission>
</permissions>
</grant>If I add the following to orion-application.xml
<!-- Granting login permission to users accessing this EJB. -->
<namespace-access>
<read-access>
<namespace-resource root="">
<security-role-mapping>
<group name="JAAS_Admin"></group>
</security-role-mapping>
</namespace-resource>
</read-access>Running a standalone client against the embedded jdev oc4j server gives the namespace-access error.
I tried out your code by essentially creating a static reference to a singleton class that does the role lookup/provisioning with rmi login grant :-
From custom login module :-
private static KRSecurityHelper singleton = new KRSecurityHelper();
protected Principal[] m_Principals;
Vector v = new Vector();
v.add(singleton.getCustomRmiConnectRole());
// set principals in LoginModule
m_Principals=(Principal[]) v.toArray(new Principal[v.size()]);
Singleton class :-
package kr.security;
import com.evermind.server.rmi.RMIPermission;
import java.util.logging.Level;
import java.util.logging.Logger;
import oracle.security.jazn.JAZNConfig;
import oracle.security.jazn.policy.Grantee;
import oracle.security.jazn.realm.Realm;
import oracle.security.jazn.realm.RealmManager;
import oracle.security.jazn.realm.RealmRole;
import oracle.security.jazn.realm.RoleManager;
import oracle.security.jazn.policy.JAZNPolicy;
import oracle.security.jazn.JAZNException;
public class KRSecurityHelper
private static final Logger LOGGER = Logger.getLogger("kr.security");
private static final String LOGPREFIX = "[KRSecurityHelper] ";
public static String CUSTOM_RMI_CONNECT_ROLE = "remote_connect";
private RealmRole m_Role = null;
public KRSecurityHelper()
LOGGER.log(Level.FINEST,LOGPREFIX +"calling JAZNConfig.getJAZNConfig");
JAZNConfig jc = JAZNConfig.getJAZNConfig();
LOGGER.log(Level.FINEST,LOGPREFIX +"calling jc.getRealmManager");
RealmManager realmMgr = jc.getRealmManager();
try
// Get the default realm .. e.g. jazn.com
LOGGER.log(Level.FINEST,LOGPREFIX +"calling jc.getGetDefaultRealm");
Realm r = realmMgr.getRealm(jc.getDefaultRealm());
LOGGER.log(Level.INFO,LOGPREFIX +"default realm: "+r.getName());
// Access the role manager for the remote connection role
LOGGER.log(Level.FINEST,
LOGPREFIX +"calling default_realm.getRoleManager");
RoleManager roleMgr = r.getRoleManager();
LOGGER.log(Level.INFO,LOGPREFIX +"looking up custom role '"
CUSTOM_RMI_CONNECT_ROLE "'");
RealmRole rmiConnectRole = roleMgr.getRole(CUSTOM_RMI_CONNECT_ROLE);
if (rmiConnectRole == null)
LOGGER.log(Level.INFO,LOGPREFIX +"role does not exist, create it...");
rmiConnectRole = roleMgr.createRole(CUSTOM_RMI_CONNECT_ROLE);
LOGGER.log(Level.FINEST,LOGPREFIX +"constructing new grantee");
Grantee gtee = new Grantee(rmiConnectRole);
LOGGER.log(Level.FINEST,LOGPREFIX +"constructing login rmi permission");
RMIPermission login = new RMIPermission("login");
LOGGER.log(Level.FINEST,
LOGPREFIX +"constructing subject.propagation rmi permission");
RMIPermission subjectprop = new RMIPermission("subject.propagation");
// make policy changes
LOGGER.log(Level.FINEST,LOGPREFIX +"calling jc.getPolicy");
JAZNPolicy policy = jc.getPolicy();
if (policy != null)
LOGGER.log(Level.INFO, LOGPREFIX
+ "add to policy grant for RMI 'login' permission to "
+ CUSTOM_RMI_CONNECT_ROLE);
policy.grant(gtee, login);
LOGGER.log(Level.INFO, LOGPREFIX
+ "add to policy grant for RMI 'subject.propagation' permission to "
+ CUSTOM_RMI_CONNECT_ROLE);
policy.grant(gtee, subjectprop);
// m_Role = rmiConnectRole;
m_Role = roleMgr.getRole(CUSTOM_RMI_CONNECT_ROLE);
LOGGER.log(Level.INFO, LOGPREFIX
+ m_Role.getName() + ":" + m_Role.getFullName() + ":" + m_Role.getFullName());
else
LOGGER.log(Level.WARNING,LOGPREFIX +"Cannot find jazn policy!");
else
LOGGER.log(Level.INFO,LOGPREFIX +"custom role already exists");
m_Role = rmiConnectRole;
catch (JAZNException e)
LOGGER.log(Level.WARNING,
LOGPREFIX +"Cannot configure JAZN for remote connections");
public RealmRole getCustomRmiConnectRole()
return m_Role;
}Using the code approach and switching application.xml across so that namespace access is for the group remote_connect, I get the following error from my bean :-
INFO: Login permission not granted for current-workspace-app (test.user)
Thus, the login permission that I'm adding through the custom remote_connect role does not seem to work. Even if it did, i'm pretty sure I would still get that namespace error.
This has been such a frustrating process. All the custom login module samples using embedded JDeveloper show simple j2ee servlet protection based on settings in web.xml.
There are no samples showing jdeveloper embedded oc4j using ejb with custom login modules.
Hopefully the oc4j jdev gurus like Frank can write a paper that demonstrates this.
Matt. -
Custom login module on OC4J 10.1.3.3.0
Hi,
I need to implement custom web form-based authentication on OC4J, in order to port an existing JBoss app. I was following Frank's example at http://www.oracle.com/technology/products/jdev/howtos/10g/jaassec/index.htm. Trying to access protected pages will correctly redirect to the j_security_check page, and from there call my custom login module - through LoginContext. The issue is that - even if the LoginModule correctly authenticates user's credentials, the request still doesn't get through, coming back to the authentication page.
I perform the deployment using Oracle Enterprise Manager, and the relevant files are:
web.xml:
<login-config>
<auth-method>FORM</auth-method>
<realm-name>testJAAS</realm-name>
<form-login-config>
<form-login-page>/jsp/login.jsp</form-login-page>
<form-error-page>/jsp/login.jsp</form-error-page>
</form-login-config>
</login-config>
<!-- Security constraints -->
<security-constraint>
<web-resource-collection>
<web-resource-name>Test Secure Application</web-resource-name>
<description>Requires users to authenticate</description>
<url-pattern>faces/*</url-pattern>
<http-method>POST</http-method>
<http-method>GET</http-method>
<http-method>HEAD</http-method>
<http-method>PUT</http-method>
</web-resource-collection>
<auth-constraint>
<description>Only allow role1 users</description>
<role-name>role1</role-name>
</auth-constraint>
<user-data-constraint>
<description>Encryption is not required for the application in general. </description>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<!-- Define the security role(s) -->
<security-role>
<description>Example role</description>
<role-name>role1</role-name>
</security-role>
orion-web.xml:
schema-major-version="10" schema-minor-version="0" >
<!-- Uncomment this element to control web application class loader behavior.
<web-app-class-loader search-local-classes-first="true" include-war-manifest-class-path="true" />
-->
<resource-ref-mapping name="jdbc/lics" />
<security-role-mapping name="role1">
<group name="oc4j-app-administrators" />
</security-role-mapping>
<web-app>
</web-app>
orion-application.xml:
<jazn provider="XML" >
<property name="jaas.username.simple" value="true" />
<property name="custom.loginmodule.provider" value="true" />
<property name="role.mapping.dynamic" value="true" />
</jazn>
system-jazn-data.xml:
<jazn-loginconfig>
<application>
<name>le5</name>
<login-modules>
<login-module>
<class>com.tx.lic.oc4jsx.ext.LicLoginModule</class>
<control-flag>required</control-flag>
<options>
<option>
<name>defaultRole</name>
<value>role1</value>
</option>
</options>
</login-module>
</login-modules>
</application>
I assume something is wrong with the deployment configuration, b/c when I specifically add users to the defined role1 role, it works fine(see below). But this is not an option, since users should only be specified in the data store of the LoginModule.
Doing as above, the orion-web.xml is below:
<resource-ref-mapping name="jdbc/lic" />
<security-role-mapping name="role1">
<group name="oc4j-app-administrators" />
<user name="user1" />
<user name="user2" />
</security-role-mapping>
Any insight would be much appreciated. Thanks.Hi,
role to group mapping doesn't seem to work for custom LoginModules. This means hat your web applcation (web.xml) should use th same role names as used on the database authentication. So remove
<security-role-mapping name="role1">
<group name="oc4j-app-administrators" />
</security-role-mapping>
from orion-web.xml and it should start wrking
Frank -
Jaas Login module does not work
Hello,
I am developing simple web application wich uses jaas for authentication, but something strange happens, i have written security information in my web.xml:
<security-constraint>
<web-resource-collection>
<web-resource-name>simple</web-resource-name>
<url-pattern>/security/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/login.seam</form-login-page>
<form-error-page>/login.seam</form-error-page>
</form-login-config>
</login-config>
<security-role>
<role-name>admin</role-name>
</security-role>my login module looks like this:
package com.auth.security;
public class SimpleLoginModule implements LoginModule {
// initial state
private Subject subject;
private CallbackHandler callbackHandler;
private Map sharedState;
private Map options;
// the authentication status
private boolean succeeded = false;
private boolean commitSucceeded = false;
// login info
private static final String[] userNames = { "admin", "guest", "user1", "user2" };
private static final String[] passwords = { "admin", "sesame", "pass1", "pass2" };
// current user
private String username;
private char[] password;
// user's principal object
private SimplePrincipal userPrincipal;
public void initialize(Subject subject, CallbackHandler callbackHandler, Map sharedState, Map options) {
System.out.println("INITIALIZE");
this.subject = subject;
this.callbackHandler = callbackHandler;
this.sharedState = sharedState;
this.options = options;
}// end initialize()
public boolean login() throws LoginException {
System.out.println("LOGIN");
// prompt for a user name and password
if (callbackHandler == null)
throw new LoginException("Error: no CallbackHandler available " + "to garner authentication information from the user");
Callback[] callbacks = new Callback[2];
callbacks[0] = new NameCallback("\nuser name: ");
callbacks[1] = new PasswordCallback("password: ", false);
try {
callbackHandler.handle(callbacks);
username = ((NameCallback) callbacks[0]).getName();
char[] tmpPassword = ((PasswordCallback) callbacks[1]).getPassword();
if (tmpPassword == null) // treat a NULL password as an empty
// password
tmpPassword = new char[0];
password = new char[tmpPassword.length];
System.arraycopy(tmpPassword, 0, password, 0, tmpPassword.length);
((PasswordCallback) callbacks[1]).clearPassword();
} catch (java.io.IOException ioe) {
throw new LoginException(ioe.toString());
} catch (UnsupportedCallbackException uce) {
throw new LoginException("Error: " + uce.getCallback().toString() + " not available to authenticate user.");
boolean usernameCorrect = false;
boolean passwordCorrect = false;
String passwordString = new String(password);
for (int x = 0; x < userNames.length; x++) {
if (username.equals(userNames[x]))
usernameCorrect = true;
if (usernameCorrect && passwordString.equals(passwords[x])) {
// authentication succeeded!!!
passwordCorrect = true;
succeeded = true;
break;
} else {
// authentication failed -- clean out state
succeeded = false;
usernameCorrect = false;
}// end if/else
}// end for( int x = 0; x < userNames.length; x++ )
return succeeded;
}// end login()
public boolean commit() throws LoginException {
System.out.println("COMMIT");
if (!succeeded) {
return false;
} else {
// add a Principal (authenticated identity)
// to the Subject
// assume the user we authenticated is the SimplePrincipal
userPrincipal = new SimplePrincipal(username);
if (!subject.getPrincipals().contains(userPrincipal))
subject.getPrincipals().add(userPrincipal);
// in any case, clean out state
username = null;
password = null;
commitSucceeded = true;
return true;
}// end if( succeeded == false )
}// end commit()
public boolean abort() throws LoginException {
System.out.println("ABORT");
if (succeeded == false) {
return false;
} else if (succeeded == true && commitSucceeded == false) {
// login succeeded but overall authentication failed
succeeded = false;
username = null;
if (password != null)
password = null;
userPrincipal = null;
} else {
// overall authentication succeeded and commit succeeded,
// but someone else's commit failed
logout();
}// end if/else
return true;
public boolean logout() throws LoginException {
System.out.println("LOGOUT");
subject.getPrincipals().remove(userPrincipal);
succeeded = false;
succeeded = commitSucceeded;
username = null;
if (password != null)
password = null;
userPrincipal = null;
return true;
}I am using Jboss-4.2.3.GA and configured login-config.xml like this:
<application-policy name="simpleLoginModule">
<authentication>
<login-module code="com.security.auth.simpleLoginModule" flag="required">
</login-module>
</authentication>
</application-policy>I have jboss-web.xml also correctly configured.
The problem is that when i type correct username/password happens the error:
HTTP Status 403 - Access to the requested resource has been denied
So can anyone help me? What i have to change/modify in my loginmodule java code?Hi,
no need to change the authschemes.xml file when you don't know if your code works (you can perfectly break logon to other applications when doing so).
Configure your application to use declarative authentication; this is done in the web.xml of the application:
http://help.sap.com/SAPhelp_nw70/helpdata/en/08/0f0e4d1ffece4d8b9c5b84793aac50/content.htm
http://help.sap.com/SAPhelp_nw70/helpdata/en/40/97ffdb74939747b402b0200780cab5/content.htm
http://help.sap.com/SAPhelp_nw70/helpdata/en/b9/9482887ddb3e47bd1a738c3e900195/content.htm
example:
<login-config>
<auth-method>FORM</auth-method>
<realm-name>REALM</realm-name>
<form-login-config>
<form-login-page>logon.jsp</form-login-page>
<form-error-page>error.jsp</form-error-page>
</form-login-config>
</login-config>
With declarative authentication the AS Java will use the logon modules you confired in the VA for the application.
br,
Tobias -
JDEV deployment of web app with custom JAAS login module fails
For the first time, I am trying to implement a custom JAAS login module.
JDEV deployment to standalone OC4J only fails when my orion-application.xml is included. The deployment fails with a java.lang.InstantiationException.
This what I have done:
1) Wrote a custom LoginModule called com.whirlpoool.sjtc.jaas.gpa.LDAPLoginModule.
2) Put it and its dependent classes in a jar named sjtcjaas.jar.
3) Put the jar in $ORACLE_HOME\j2ee\home\lib
4) Changed library_path in $ORACLE_HOME\j2ee\home\config\application.xml to
<library path="../../home/lib/scheduler.jar;../../home/lib/sjtcjaas.jar" />
5) Added an orion-application.xml to the JDEV project. (I used an Oracle How-to as a pattern, see below.)
I think I'm close but no cigar, yet. Any help would be appreciated.
Regards,
Al Malin
=============== orion-application.xml ========================================
<?xml version="1.0"?>
<orion-application xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://xmlns.oracle.com/oracleas/schema/orion-application-10_0.xsd" deployment-version="10.1.3.0.0" default-data-source="jdbc/OracleDS" schema-major-version="10" schema-minor-version="0" >
<security-role-mapping name="sr_manager">
<group name="managers" />
</security-role-mapping>
<security-role-mapping name="sr_developer">
<group name="developers" />
</security-role-mapping>
<log>
<file path="application.log" />
</log>
<!-- Configuring a Login Module in an Application EAR file. -->
<jazn-loginconfig>
<application>
<name>customjaas</name>
<login-modules>
<login-module>
<class>com.whirlpoool.sjtc.jaas.gpa.LDAPLoginModule</class>
<control-flag>required</control-flag>
<options>
<option>
<name>debug</name>
<value>true</value>
</option>
</options>
</login-module>
</login-modules>
</application>
</jazn-loginconfig>
</orion-application>Starting OC4J from c:\oc4j\j2ee\home ...
2006-09-07 13:45:28.484 NOTIFICATION JMS Router is initiating ...
06/09/07 13:45:29 Oracle Containers for J2EE 10g (10.1.3.0.0) initialized
2006-09-07 13:45:58.609 NOTIFICATION Application Deployer for aam STARTS.
2006-09-07 13:45:58.640 NOTIFICATION Copy the archive to C:\oc4j\j2ee\home\applications\aam.ear
2006-09-07 13:45:58.656 NOTIFICATION Initialize C:\oc4j\j2ee\home\applications\aam.ear begins...
2006-09-07 13:45:58.656 NOTIFICATION Auto-unpacking C:\oc4j\j2ee\home\applications\aam.ear...
2006-09-07 13:45:58.687 NOTIFICATION Unpacking aam.ear
2006-09-07 13:45:58.687 NOTIFICATION Unjar C:\oc4j\j2ee\home\applications\aam.ear in C:\oc4j\j2ee\home\applications\aam
2006-09-07 13:45:58.750 NOTIFICATION Done unpacking aam.ear
2006-09-07 13:45:58.750 NOTIFICATION Finished auto-unpacking C:\oc4j\j2ee\home\applications\aam.ear
2006-09-07 13:45:58.750 NOTIFICATION Auto-unpacking C:\oc4j\j2ee\home\applications\aam\aam.war...
2006-09-07 13:45:58.750 NOTIFICATION Unpacking aam.war
2006-09-07 13:45:58.765 NOTIFICATION Unjar C:\oc4j\j2ee\home\applications\aam\aam.war in C:\oc4j\j2ee\home\applications\aam\aam
2006-09-07 13:45:58.765 NOTIFICATION Done unpacking aam.war
2006-09-07 13:45:58.765 NOTIFICATION Finished auto-unpacking C:\oc4j\j2ee\home\applications\aam\aam.war
2006-09-07 13:45:58.812 NOTIFICATION Initialize C:\oc4j\j2ee\home\applications\aam.ear ends...
2006-09-07 13:45:58.828 NOTIFICATION Starting application : aam
2006-09-07 13:45:58.828 NOTIFICATION Initializing ClassLoader(s)
2006-09-07 13:45:58.828 NOTIFICATION Initializing EJB container
2006-09-07 13:45:58.828 NOTIFICATION Loading connector(s)
2006-09-07 13:45:58.843 NOTIFICATION application : aam is in failed state
06/09/07 13:45:58 WARNING: Application.setConfig Application: aam is in failed state as initialization failedjava.lang.InstantiationException
Sep 7, 2006 1:45:58 PM com.evermind.server.Application setConfig
WARNING: Application: aam is in failed state as initialization failedjava.lang.InstantiationException
06/09/07 13:45:58 oracle.oc4j.admin.internal.DeployerException: java.lang.InstantiationException
06/09/07 13:45:58 at oracle.oc4j.admin.internal.ApplicationDeployer.addApplication(ApplicationDeployer.java:510)
06/09/07 13:45:58 at oracle.oc4j.admin.internal.ApplicationDeployer.doDeploy(ApplicationDeployer.java:191)
06/09/07 13:45:58 at oracle.oc4j.admin.internal.DeployerBase.execute(DeployerBase.java:93)
06/09/07 13:45:58 at oracle.oc4j.admin.jmx.server.mbeans.deploy.OC4JDeployerRunnable.doRun(OC4JDeployerRunnable.java:52)
06/09/07 13:45:58 at oracle.oc4j.admin.jmx.server.mbeans.deploy.DeployerRunnable.run(DeployerRunnable.java:81)
06/09/07 13:45:58 at EDU.oswego.cs.dl.util.concurrent.PooledExecutor$Worker.run(PooledExecutor.java:814)
06/09/07 13:45:58 at java.lang.Thread.run(Thread.java:595)
06/09/07 13:45:58 Caused by: java.lang.InstantiationException
06/09/07 13:45:58 at com.evermind.server.ApplicationStateRunning.initDataSources(ApplicationStateRunning.java:1424)
06/09/07 13:45:58 at com.evermind.server.ApplicationStateRunning.initializeApplication(ApplicationStateRunning.java:195)
06/09/07 13:45:58 at com.evermind.server.Application.setConfig(Application.java:391)
06/09/07 13:45:58 at com.evermind.server.Application.setConfig(Application.java:308)
06/09/07 13:45:58 at com.evermind.server.ApplicationServer.addApplication(ApplicationServer.java:1771)
06/09/07 13:45:58 at oracle.oc4j.admin.internal.ApplicationDeployer.addApplication(ApplicationDeployer.java:507)
06/09/07 13:45:58 ... 6 more
2006-09-07 13:45:58.890 NOTIFICATION Application Deployer for aam FAILED.
2006-09-07 13:45:58.890 NOTIFICATION Application UnDeployer for aam STARTS.
2006-09-07 13:45:58.906 NOTIFICATION Removing all web binding(s) for application aam from all web site(s)
2006-09-07 13:45:59.015 NOTIFICATION Application UnDeployer for aam COMPLETES.
06/09/07 13:45:59 WARNING: DeployerRunnable.run java.lang.InstantiationExceptionoracle.oc4j.admin.internal.DeployerException: java.lang.InstantiationException
at oracle.oc4j.admin.internal.DeployerBase.execute(DeployerBase.java:126)
at oracle.oc4j.admin.jmx.server.mbeans.deploy.OC4JDeployerRunnable.doRun(OC4JDeployerRunnable.java:52)
at oracle.oc4j.admin.jmx.server.mbeans.deploy.DeployerRunnable.run(DeployerRunnable.java:81)
at EDU.oswego.cs.dl.util.concurrent.PooledExecutor$Worker.run(PooledExecutor.java:814)
at java.lang.Thread.run(Thread.java:595)
Caused by: java.lang.InstantiationException
at com.evermind.server.ApplicationStateRunning.initDataSources(ApplicationStateRunning.java:1424)
at com.evermind.server.ApplicationStateRunning.initializeApplication(ApplicationStateRunning.java:195)
at com.evermind.server.Application.setConfig(Application.java:391)
at com.evermind.server.Application.setConfig(Application.java:308)
at com.evermind.server.ApplicationServer.addApplication(ApplicationServer.java:1771)
at oracle.oc4j.admin.internal.ApplicationDeployer.addApplication(ApplicationDeployer.java:507)
at oracle.oc4j.admin.internal.ApplicationDeployer.doDeploy(ApplicationDeployer.java:191)
at oracle.oc4j.admin.internal.DeployerBase.execute(DeployerBase.java:93)
... 4 more
2006-09-07 13:45:59.031 WARNING java.lang.InstantiationException -
Custom JAAS Login Module 9.0.4 configuration problems
Hello,
We have created a custom JAAS Login Module on OC4J 9.0.4 and are having some sort of configuration problem
We always get this error:
Caused by: javax.security.auth.login.LoginException: Login Failure: all modules ignored
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:779)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
at javax.security.auth.login.LoginContext.login(LoginContext.java:535)
The Login Module is configured for a specific deployed application in the global jazn-data.xml and is being run as I have attached a debugger to the app server.
Our authentication process succeeds and we return a "true" from the login() method. No exceptions are thrown from our Login Module.
our ORACLE_HOME/j2ee/home/config/jazn-data.xml has this added
<application>
<name>helloworld</name>
<login-modules>
<login-module>
<class>com.test.JaasLoginModule</class>
<control-flag>required</control-flag>
<options>
</options>
</login-module>
</login-modules>
</application>
The j2ee/home/application-deployments/helloworld/jazn-data.xml looks like this:
<?xml version="1.0" encoding="UTF-8" standalone='yes'?>
<!DOCTYPE jazn-data PUBLIC "JAZN-XML Data" "http://xmlns.oracle.com/ias/dtds/jazn-data.dtd">
<jazn-data />
and we added this into the j2ee/home/application-deployments/helloworld/orion-applicaton.xml
<jazn provider="XML" location="jazn-data.xml" >
<property name="role.mapping.dynamic" value="true"/>
<property name="custom.loginmodule.provider" value="true"/>
<property name="jaas.username.simple" value="true" />
</jazn>
Are we missing anything? Our code runs, it seems like there is something lacking in the configuration on the OC4J side of things.
Anyone know what we are missing?
Thanks....Hi,
if you are on 9.0.4 then <property name="custom.loginmodule.provider" value="true"/> shouldn't work because its a parameter of 10.1.3
Frank
Maybe you are looking for
-
I can't open quicktime or iTunes, help!
When I try to open quicktime or iTunes, the little black arrow appears for a few seconds under the icon on my dock and then it says "The application Quicktime/ iTunes quit unexpectedly". I've had several mac problems and I'm getting VERY frustrated.
-
trying to resolve -- the application LoaderAgent quit unexpectedly (keeps popping up)
-
How to fix: "Unable to find Adobe PDF resource files?"
Acrobat 10 Pro: When creating PDF file, I get the message "Unable to find Adobe PDF resource files". How do I fix this?
-
My Devices In iTunes (I can't find the list)
For some reason my device list is not showing up on the left side in my itunes, can someone suggest why? This is what I get. I have been syncing my iPad for a year now, but all of a sudden I can'rt even access my devices. HELP !
-
Error : How to execute *.BAT file
Some of the friend said me to execute any file following code Runtime rt=Runtime.getRuntime(); Process pr=null; pr = rt.exec("cmd.exe /c start " + "myfilename"); I get error as CreateProcess: cmd.exe /c start myfilename error=0 Press any key to conti