Login Module Logging

Hi All,
I've developped a custom login module. Into this loginModule I use the IUMTrace to log messages.
public static final IUMTrace trace = InternalUMFactory.getTrace("$Id: //shared_tc/com.sapall.security/dev/src/_core/java/com/sap/security/core/logon/imp/ExtendedWindowsloginModule.java#1 $ from $DateTime: 2003/05/13 18:05:03 $ ($Change: 8308 $)");
afterwards
trace.warningT(message)
This seemed to work fine on our development system (the logging appeared nicely in usermanagement.log, located in directory
\usr\sap\CEP6\j2ee\j2ee_XX\cluster\server\managers\log\portal\logs), but it does not work on the QA system (the file isn't even created). Both systems are EP6.0 SP2.
Is their some configuration I should change?
Is their an alternative/better way to log messages in a logon module?
Thanks in advance
Kind regards

Hi Geert,
I haven't worked with traces yet, just found http://help.sap.com/saphelp_nw04/helpdata/en/a6/66e540aa827e7fe10000000a1550b0/frameset.htm and http://help.sap.com/saphelp_nw04/helpdata/en/fa/5f933f09a5fb47e10000000a114084/content.htm (both for NW04).
The standard way to log(!) within the portal (explicitely to the location given) is by using com.sapportals.portal.prt.logger.ILogger, see http://media.sdn.sap.com/html/submitted_docs/60_sp2_javadocs/runtime/com/sapportals/portal/prt/component/IPortalComponentRequest.html#getLogger(java.lang.String)
Maybe the connection of the trace into the log file does work on your one but not on the other machine...?!
Ik hoop dat het helpt
groetjes
Detlev

Similar Messages

Opinions on implementing a JAAS login module to achieve SSO

We are looking at implementing SSO from a sharepoint website to the portal. The users who are accessing the Sharepoint site are using their own computers and are not members of the AD Domain, so they could theoretically be using any computer in the world to access Sharepoint.
the desired user experience looks something like this.
user--login> sharepoint site -no login--
>portal
One of the methods we are looking at to achieve this is to implement a custom JAAS login module that would authenticate the user if they are coming from the Sharepoint site.
I would like to get your opinions on how viable you think this method is. One of the goals of this method is ease of implementation, so if you can think of an easier way to implement this please let us know.
the method is basically this.
1. User logs into sharepoint using their AD username and password and establish an active session with sharepoint
2. user navigates to a link in sharepoint that points to a resource in the SAP Portal
3. we don't want the user to have to login to access the resource when they click on the link
4. to facilitate this, sharepoint has constructed the link in the following way
5. the link is an https link
6. the link has two additional parameters in addition to whatever is necessary to navigate to the resource
7. the parameters are
8. un = the users AD username
9. uh = sha1("secret_password_known_to_both_the_login_module_and_sharepoint" + "username")
10. the user clicks the link and is directed to the SAP portal
11. the sap portal has a custom JAAS login module which performs it's checks before the other login modules
12. the custom module computes ( sha1("secret_password_known_to_both_the_login_module_and_sharepoint" + un)) and then compares the result with uh, if they are equal, the custom login module authenticates the user bypassing any further need for authentication, otherwise authentication passes to the original authentication modules as normal.
If you think there is an easier way, please let us know. We are essentially looking for the easiest/fastest way to implement this functionality that is still secure.

Hey Gary,
I'm currently using Apache running on RedHat that leverage Apache's mod_rewrite module. I've got a bank of 6 reverse proxies sitting in front of an SAP Portal and each proxy runs on a host with dual 3.33GHz processors and 8Gb or RAM. I know... they're waaay over-sized and they pretty much snooze all day.
This is the sole entry point for all SAP users and we sized them to accommodate the "worst case" of about 5000 (potential) named users, concurrently. Realistically, we've only ever had about 1500 unique users hitting the systems in a day (following an upgrade go-live, everybody is curious and wants to log on) and a typical load of about 500 to 750 users in a day.
Never had a real performance problem to speak of. As long as the proxies are tuned properly (ssl cache, sessions, etc.), you should be fine.
Setting header variables and some other "custom stuff" is handled in Perl (need Apache's mod_perl active). We've got a script that's called by all users before being passed to the Portal.
We used IISProxy.dll with an IIS web server a long time ago (5 years maybe?) but opted to can it in favor of the approach described above.
If you ask SAP, they'll recommend you use a WebDispatcher... and that's certainly an option as well.
-Kevin

Help - using custom login module with embedded jdev oc4j to access ejb 3

Hi All (Frank ??),
I'm just wondering if anyone has successfully been able to leverage a custom login module in combination
with a client that connects to a local EJB 3 stateless session bean through Jdeveloper 10.1.3.2's embedded oc4j.
I have spent 2+ days trying to get this to work - and i think I resound now to the fact im going to
have to deploy to oc4j standalone instead.
I got close.. but finally was trumped with the following error from the client trying to access the ejb:-
javax.naming.NoPermissionException: Not allowed to look up XXXXXX, check the namespace-access tag
setting in orion-application.xml for details.
Using the various guides available, I had no problem getting the custom login module working
with a local servlet running from JDev's embedded oc4j.. however with ejb - no such luck.
I have a roles table (possible values Member, Admin) - that maps to sr_Member and sr_Admin
respectively in various config files.
I'm using EJB 3 annotations for protecting methods .. for example
@RolesAllowed("sr_Member")
Steps that I had to do so far :-
In <jdevhome>\jdev\system\oracle.jwee.10.1.3.40.66\embedded-oc4j\config\system-jazn-data.xml1) Add custom login module
 <application>
 <name>current-workspace-app</name>
 <login-modules>
 <login-module>
 <class>kr.security.KnowRushLoginModule</class>
 <control-flag>required</control-flag>
 <options>
 <option>
 <name>dataSource</name>
 <value>jdbc/DB_XE_KNOWRUSHDS</value>
 </option>
 <option>
 <name>user.table</name>
 <value>users</value>
 </option>
 <option>
 <name>user.pk.column</name>
 <value>id</value>
 </option>
 <option>
 <name>user.name.column</name>
 <value>email_address</value>
 </option>
 <option>
 <name>user.password.column</name>
 <value>password</value>
 </option>
 <option>
 <name>role.table</name>
 <value>roles</value>
 </option>
 <option>
 <name>role.to.user.fk.column</name>
 <value>user_id</value>
 </option>
 <option>
 <name>role.name.column</name>
 <value>name</value>
 </option>
 </options>
 </login-module>
 </login-modules>
 </application>2) Grant login rmi permission to roles associated with custom login module (also in system-jazn-data.xml)
<grant>
 <grantee>
 <principals>
 <principal>
 <realm-name>jazn.com</realm-name>
 <type>role</type>
 <class>kr.security.principals.KRRolePrincipal</class>
 <name>Admin</name>
 </principal>
 </principals>
 </grantee>
 <permissions>
 <permission>
 <class>com.evermind.server.rmi.RMIPermission</class>
 <name>login</name>
 </permission>
 </permissions>
</grant>
<grant>
 <grantee>
 <principals>
 <principal>
 <realm-name>jazn.com</realm-name>
 <type>role</type>
 <class>kr.security.principals.KRRolePrincipal</class>
 <name>Member</name>
 </principal>
 </principals>
 </grantee>
 <permissions>
 <permission>
 <class>com.evermind.server.rmi.RMIPermission</class>
 <name>login</name>
 </permission>
 </permissions>
</grant>3) I've tried creating various oracle and j2ee deployment descriptors (even though ejb-jar.xml and orion-ejb-jar.xml get created automatically when running the session bean in jdev).
My ejb-jar.xml contains :-
<?xml version="1.0" encoding="utf-8"?>
<ejb-jar xmlns ....
<assembly-descriptor>
 <security-role>
 <role-name>sr_Admin</role-name>
 </security-role>
 <security-role>
 <role-name>sr_Member</role-name>
 </security-role>
</assembly-descriptor>
</ejb-jar>Note- i'm not specifying the enterprise-beans stuff, as JDev seems to populate this automatically.
My orion-ejb-jar.xml contains ...
<?xml version="1.0" encoding="utf-8"?>
<orion-ejb-jar ...
<assembly-descriptor>
 <security-role-mapping name="sr_Admin">
 <group name="Admin"></group>
 </security-role-mapping>
 <security-role-mapping name="sr_Member">
 <group name="Member"></group>
 </security-role-mapping>
 <default-method-access>
 <security-role-mapping name="sr_Member" impliesAll="true">
 </security-role-mapping>
 </default-method-access>
</assembly-descriptor>My orion-application.xml contains ...
<?xml version="1.0" encoding="utf-8"?>
<orion-application xmlns ...
<security-role-mapping name="sr_Admin">
 <group name="Admin"></group>
</security-role-mapping>
<security-role-mapping name="sr_Member">
 <group name="Member"></group>
</security-role-mapping>
<jazn provider="XML">
 <property name="role.mapping.dynamic" value="true"></property>
 <property name="custom.loginmodule.provider" value="true"></property>
</jazn>
<namespace-access>
 <read-access>
 <namespace-resource root="">
 <security-role-mapping name="sr_Admin">
 <group name="Admin"/>
 <group name="Member"/>
 </security-role-mapping>
 </namespace-resource>
 </read-access>
 <write-access>
 <namespace-resource root="">
 <security-role-mapping name="sr_Admin">
 <group name="Admin"/>
 <group name="Member"/>
 </security-role-mapping>
 </namespace-resource>
 </write-access>
</namespace-access>
</orion-application>My essentially auto-generated EJB 3 client does the following :-
 Hashtable env = new Hashtable();
 env.put(Context.SECURITY_PRINCIPAL, "matt.shannon");
 env.put(Context.SECURITY_CREDENTIALS, "welcome1");
 final Context context = new InitialContext(env);
 KRFacade kRFacade = (KRFacade)context.lookup("KRFacade");
...And throws the error
20/04/2007 00:55:37 oracle.j2ee.rmi.RMIMessages
EXCEPTION_ORIGINATES_FROM_THE_REMOTE_SERVER
WARNING: Exception returned by remote server: {0}
javax.naming.NoPermissionException: Not allowed to look
up KRFacade, check the namespace-access tag setting in
orion-application.xml for details
 at
com.evermind.server.rmi.RMIClientConnection.handleLookupRe
sponse(RMIClientConnection.java:819)
 at
com.evermind.server.rmi.RMIClientConnection.handleOrmiComm
andResponse(RMIClientConnection.java:283)
....I can see from the console that the user was successfully authenticated :-
20/04/2007 00:55:37 kr.security.KnowRushLoginModule validate
WARNING: [KnowRushLoginModule] User matt.shannon authenticated
And that user is granted both the Admin, and Member roles.
The test servlet using basic authentication correctly detects the user and roles perfectly...
public void doGet(HttpServletRequest request,
 HttpServletResponse response)
 throws ServletException, IOException
 LOGGER.log(Level.INFO,LOGPREFIX +"doGet called");
 response.setContentType(CONTENT_TYPE);
 PrintWriter out = response.getWriter();
 out.println("<html>");
 out.println("<head><title>ExampleServlet</title></head>");
 out.println("<body>");
 out.println("The servlet has received a GET. This is the reply.");
 out.println(" getRemoteUser = " + request.getRemoteUser());
 out.println(" getUserPrincipal = " + request.getUserPrincipal());
 out.println(" isUserInRole('sr_Admin') = "+request.isUserInRole("sr_Admin"));
 out.println(" isUserInRole('sr_Memeber') = "+request.isUserInRole("sr_Member"));Anyone got any ideas what could be going wrong?
cheers
Matt.
Message was edited by:
mshannon

Thanks for the response. I checked out your blog and tried your suggestions. I'm sure it works well in standalone OC4J, but i was still unable to get it to function correctly from JDeveloper embedded.
Did you ever get the code working directly from JDeveloper?
Your custom code essentially seems to be the equivalent of a grant within system-jazn-data.xml.
For example, the following grant to a custom jaas role (JAAS_ADMIN) that gets added by my custom login module gives them rmi login access :-
 <grant>
 <grantee>
 <principals>
 <principal>
 <realm-name>jazn.com</realm-name>
 <type>role</type>
 <class>kr.security.principals.KRRolePrincipal</class>
 <name>JAAS_Admin</name>
 </principal>
 </principals>
 </grantee>
 <permissions>
 <permission>
 <class>com.evermind.server.rmi.RMIPermission</class>
 <name>login</name>
 </permission>
 </permissions>
 </grant>If I add the following to orion-application.xml

<namespace-access>
 <read-access>
 <namespace-resource root="">
 <security-role-mapping>
 <group name="JAAS_Admin"></group>
 </security-role-mapping>
 </namespace-resource>
 </read-access>Running a standalone client against the embedded jdev oc4j server gives the namespace-access error.
I tried out your code by essentially creating a static reference to a singleton class that does the role lookup/provisioning with rmi login grant :-
From custom login module :-
private static KRSecurityHelper singleton = new KRSecurityHelper();
protected Principal[] m_Principals;
 Vector v = new Vector();
 v.add(singleton.getCustomRmiConnectRole());
 // set principals in LoginModule
 m_Principals=(Principal[]) v.toArray(new Principal[v.size()]);
Singleton class :-
package kr.security;
import com.evermind.server.rmi.RMIPermission;
import java.util.logging.Level;
import java.util.logging.Logger;
import oracle.security.jazn.JAZNConfig;
import oracle.security.jazn.policy.Grantee;
import oracle.security.jazn.realm.Realm;
import oracle.security.jazn.realm.RealmManager;
import oracle.security.jazn.realm.RealmRole;
import oracle.security.jazn.realm.RoleManager;
import oracle.security.jazn.policy.JAZNPolicy;
import oracle.security.jazn.JAZNException;
public class KRSecurityHelper
private static final Logger LOGGER = Logger.getLogger("kr.security");
private static final String LOGPREFIX = "[KRSecurityHelper] ";
public static String CUSTOM_RMI_CONNECT_ROLE = "remote_connect";
private RealmRole m_Role = null;
public KRSecurityHelper()
 LOGGER.log(Level.FINEST,LOGPREFIX +"calling JAZNConfig.getJAZNConfig");
 JAZNConfig jc = JAZNConfig.getJAZNConfig();
 LOGGER.log(Level.FINEST,LOGPREFIX +"calling jc.getRealmManager");
 RealmManager realmMgr = jc.getRealmManager();
 try
 // Get the default realm .. e.g. jazn.com
 LOGGER.log(Level.FINEST,LOGPREFIX +"calling jc.getGetDefaultRealm");
 Realm r = realmMgr.getRealm(jc.getDefaultRealm());
 LOGGER.log(Level.INFO,LOGPREFIX +"default realm: "+r.getName());
 // Access the role manager for the remote connection role
 LOGGER.log(Level.FINEST,
 LOGPREFIX +"calling default_realm.getRoleManager");
 RoleManager roleMgr = r.getRoleManager();
 LOGGER.log(Level.INFO,LOGPREFIX +"looking up custom role '"
 CUSTOM_RMI_CONNECT_ROLE "'");
 RealmRole rmiConnectRole = roleMgr.getRole(CUSTOM_RMI_CONNECT_ROLE);
 if (rmiConnectRole == null)
 LOGGER.log(Level.INFO,LOGPREFIX +"role does not exist, create it...");
 rmiConnectRole = roleMgr.createRole(CUSTOM_RMI_CONNECT_ROLE);
 LOGGER.log(Level.FINEST,LOGPREFIX +"constructing new grantee");
 Grantee gtee = new Grantee(rmiConnectRole);
 LOGGER.log(Level.FINEST,LOGPREFIX +"constructing login rmi permission");
 RMIPermission login = new RMIPermission("login");
 LOGGER.log(Level.FINEST,
 LOGPREFIX +"constructing subject.propagation rmi permission");
 RMIPermission subjectprop = new RMIPermission("subject.propagation");
 // make policy changes
 LOGGER.log(Level.FINEST,LOGPREFIX +"calling jc.getPolicy");
 JAZNPolicy policy = jc.getPolicy();
 if (policy != null)
 LOGGER.log(Level.INFO, LOGPREFIX
 + "add to policy grant for RMI 'login' permission to "
 + CUSTOM_RMI_CONNECT_ROLE);
 policy.grant(gtee, login);
 LOGGER.log(Level.INFO, LOGPREFIX
 + "add to policy grant for RMI 'subject.propagation' permission to "
 + CUSTOM_RMI_CONNECT_ROLE);
 policy.grant(gtee, subjectprop);
 // m_Role = rmiConnectRole;
 m_Role = roleMgr.getRole(CUSTOM_RMI_CONNECT_ROLE);
 LOGGER.log(Level.INFO, LOGPREFIX
 + m_Role.getName() + ":" + m_Role.getFullName() + ":" + m_Role.getFullName());
 else
 LOGGER.log(Level.WARNING,LOGPREFIX +"Cannot find jazn policy!");
 else
 LOGGER.log(Level.INFO,LOGPREFIX +"custom role already exists");
 m_Role = rmiConnectRole;
 catch (JAZNException e)
 LOGGER.log(Level.WARNING,
 LOGPREFIX +"Cannot configure JAZN for remote connections");
public RealmRole getCustomRmiConnectRole()
 return m_Role;
}Using the code approach and switching application.xml across so that namespace access is for the group remote_connect, I get the following error from my bean :-
INFO: Login permission not granted for current-workspace-app (test.user)
Thus, the login permission that I'm adding through the custom remote_connect role does not seem to work. Even if it did, i'm pretty sure I would still get that namespace error.
This has been such a frustrating process. All the custom login module samples using embedded JDeveloper show simple j2ee servlet protection based on settings in web.xml.
There are no samples showing jdeveloper embedded oc4j using ejb with custom login modules.
Hopefully the oc4j jdev gurus like Frank can write a paper that demonstrates this.
Matt.

Error in some of the login modules

`Hi Experts,
I have deployed SPNEGO and when user trying to login to portal, it gives the error as taken from diagtoo(below)
Also would like to inform you that when I have configured the wizard, some how in VA for lots of the Components in Security
provider, I found lots of those components does have the value for the Evaluateticket, evaluateAssertion, basicpassword,
createticketlogon did not had any values to it.
The components which I have updated are,
1. sap.com.lcr*sld---> I have added for EvaulateTicketloginModule and EvaluateAssertion ticket module like
ume.configuration.active true
trustediss1 OU=J2EE,CN=ABC
trusteddn1 OU=J2EE,CN=ABC
trustedsys1 ABC,555
and for CreateTicketLoginModule
ume.configuration.active true
Like wise done for the following components also.
2. sap.com/sap.comtckmc.coll.room.wsdeplRoomABAPWS_config1
3. sap.com/sap.commonitoringsysteminfo*sap_monitoring( here only 3 login modules present. so updated accordingly
to the above mentioned values for whatever loginmodule was present)
4. jmx~spnego was not having the template as SPNEGO so selected SPNEGO template and updated whatever ( 5 login module accordingly)
5. sap.com/tcsecwssec~app*wssproc_cert
6. sap.com/tcsecwssec~app*wssproc_plain
7. sap.com/tcsecwssec~app*wssproc_ssl
8. sap.com/tcslmslmapp*slmServices_Config
9. sap.com/tcslmslmapp*slmSolManServices_Config
10. ....~eap*GPRuntimeFacadeWS_
11. ..RuntimeearCAFDataService
Entering method with (Subject:
, javax.security.auth.login.LoginContext$SecureCallbackHandleraT6d992c17)
13:47:15:804 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_39 com.sap.security.core.server.jaas The options of EvaluateTicketLoginModule in [spnego] authentication stack are: [{ume.configuration.active=true, trustediss1=OU=J2EE,CN=ABC, trustedsys1=ABC,555, trusteddn1=OU=J2EE,CN=ABC}].
13:47:15:804 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_39 ~s.constructor(Map, Properties, boolean) Entering method with ({System-ID=ABC, sap.security.auth.configuration.name=spnego, sap.security.auth.context.object=Security Context : session (0) for J2EE_GUEST created at Sun Mar 15 13:01:44 AST 2009}, <null>)
13:47:15:804 Info J2EE_GUEST SAPEngine_Application_Thread[impl:3]_39 com.sap.security.core.server.jaas got [ume.configuration.active]: [true]
13:47:15:804 Warning J2EE_GUEST SAPEngine_Application_Thread[impl:3]_39 com.sap.security.core.server.jaas no authscheme found that has auth template spnego
13:47:15:805 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_39 com.sap.security.core.server.jaas Exiting method with [Ljava.lang.Object;aT631dd237
13:47:15:805 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_39 ~ity.core.server.jaas.getMergedOptions() Entering method
13:47:15:805 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_39 com.sap.security.core.server.jaas Exiting method with [Ljava.lang.Object;aT3ad44bb7
13:47:15:805 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_39 com.sap.security.core.server.jaas The options of EvaluateTicketLoginModule in [spnego] authentication stack after merge with UME properties are: [{ume.configuration.active=true, trustediss1=OU=J2EE,CN=ABC, system=ABC, client=555, j_authscheme=default, inclcert=0, trusteddn1=OU=J2EE,CN=ABC, ume.logon.httponlycookie=TRUE, alias=SAPLogonTicketKeypair, ume.logon.security.enforce_secure_cookie=FALSE, validity=8, keystore=TicketKeystore, trustedsys1=ABC,555, password=}].
13:47:15:805 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_39 com.sap.security.core.server.jaas The options of EvaluateTicketLoginModule in [spnego] authentication stack after adding the default values are: [{ume.configuration.active=true, trustediss1=OU=J2EE,CN=ABC, system=ABC, client=555, j_authscheme=default, inclcert=0, trusteddn1=OU=J2EE,CN=ABC, ume.logon.httponlycookie=TRUE, alias=SAPLogonTicketKeypair, sap.security.auth.configuration.name=spnego, ume.logon.security.enforce_secure_cookie=FALSE, validity=8, keystore=TicketKeystore, trustedsys1=ABC,555, password=}].
13:47:15:805 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_39 com.sap.security.core.server.jaas Exiting method
13:47:15:806 Info J2EE_GUEST ~ngine_Application_Thread[impl:3]_Group] ~er.jaas.spnego.util.ConfigurationHelper My GSS name is: J2ee-abcaTBah.ARAB.LOCAL
13:47:15:806 Info J2EE_GUEST ~ngine_Application_Thread[impl:3]_Group] ~er.jaas.spnego.util.ConfigurationHelper GSS name type is: 1
13:47:15:807 Info J2EE_GUEST ~ngine_Application_Thread[impl:3]_Group] ~er.jaas.spnego.util.ConfigurationHelper GSS mechanism is: 1.2.840.113554.1.2.2
13:47:15:808 Info J2EE_GUEST ~ngine_Application_Thread[impl:3]_Group] System.out Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is true principal is J2ee-abcaTBah.ARAB.LOCAL tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Refreshing Kerberos configuration
13:47:15:808 Info J2EE_GUEST ~ngine_Application_Thread[impl:3]_Group] System.out Refreshing Keytab
13:47:15:809 Info J2EE_GUEST ~ngine_Application_Thread[impl:3]_Group] System.out >>> KeyTabInputStream, readName(): Bah.ARAB.LOCAL
13:47:15:809 Info J2EE_GUEST ~ngine_Application_Thread[impl:3]_Group] System.out >>> KeyTabInputStream, readName(): J2ee-abc
13:47:15:809 Info J2EE_GUEST ~ngine_Application_Thread[impl:3]_Group] System.out >>> KeyTab: load() entry length: 60; type: 3
13:47:15:809 Info J2EE_GUEST ~ngine_Application_Thread[impl:3]_Group] System.out principal's key obtained from the keytab
13:47:15:809 Info J2EE_GUEST ~ngine_Application_Thread[impl:3]_Group] System.out Acquire TGT using AS Exchange
13:47:15:811 Path J2EE_GUEST ~ngine_Application_Thread[impl:3]_Group] com.sap.engine.services.security Exception : Error in some of the login modules.
java.lang.Exception
at com.sap.exception.BaseExceptionInfo.traceAutomatically(BaseExceptionInfo.java:1141)
at com.sap.exception.BaseExceptionInfo.<init>(BaseExceptionInfo.java:253)
at com.sap.engine.services.security.exceptions.BaseLoginException.<init>(BaseLoginException.java:114)
at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.access$000(ConfigurationHelper.java:28)
at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper$RunnableHelper.run(ConfigurationHelper.java:330)
Caused by: java.lang.NullPointerException
at java.lang.StringBuffer.append(StringBuffer.java:467)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:627)
at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:511)
at com.sap.engine.services.security.login.LoginModuleLoggingWrapperImpl.login(LoginModuleLoggingWrapperImpl.java:150)
at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:69)
at java.security.AccessController.doPrivileged(Native Method)
at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:172)
at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)
at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.acquireCredentials(ConfigurationHelper.java:230)
at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.access$000(ConfigurationHelper.java:28)
at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper$RunnableHelper.run(ConfigurationHelper.java:330)
13:47:15:812 Error J2EE_GUEST ~ngine_Application_Thread[impl:3]_Group] com.sap.engine.services.security Error in some of the login modules.
[EXCEPTION]
com.sap.engine.services.security.exceptions.BaseLoginException: Error in some of the login modules.
at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:149)
at java.security.AccessController.doPrivileged(Native Method)
at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:172)
at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
at sun.reflect.GeneratedMethodAccessor368.invoke(Unknown Source)
at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)
at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.acquireCredentials(ConfigurationHelper.java:230)
at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.access$000(ConfigurationHelper.java:28)
at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper$RunnableHelper.run(ConfigurationHelper.java:330)
Caused by: java.lang.NullPointerException
at java.lang.StringBuffer.append(StringBuffer.java:467)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:627)
at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:511)
at com.sap.engine.services.security.login.LoginModuleLoggingWrapperImpl.login(LoginModuleLoggingWrapperImpl.java:150)
at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:69)
... 24 more
13:47:15:813 Error J2EE_GUEST ~ngine_Application_Thread[impl:3]_Group] com.sap.engine.services.security Exception com.sap.engine.services.security.exceptions.BaseLoginException: Error in some of the login modules.
at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:149)
at java.security.AccessController.doPrivileged(Native Method)
at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:172)
at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:186)
at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:80)
at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:75)
at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)
at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:334)
at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:44)
at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)
at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.acquireCredentials(ConfigurationHelper.java:230)
at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.access$000(ConfigurationHelper.java:28)
at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper$RunnableHelper.run(ConfigurationHelper.java:330)
Caused by: java.lang.NullPointerException
at java.lang.StringBuffer.append(StringBuffer.java:467)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:627)
at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:511)
at com.sap.engine.services.security.login.LoginModuleLoggingWrapperImpl.login(LoginModuleLoggingWrapperImpl.java:150)
at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:69)
... 24 more
see below for more error

13:47:15:814 Path J2EE_GUEST ~ngine_Application_Thread[impl:3]_Group] com.sap.engine.services.security Exception : Internal server error. An error log with ID [00144FB7C99A00B30000000C000040770004653A2C7E1DD8] is created. For more information contact your system administrator.
java.lang.Exception
at com.sap.exception.BaseExceptionInfo.traceAutomatically(BaseExceptionInfo.java:1141)
at com.sap.exception.BaseExceptionInfo.<init>(BaseExceptionInfo.java:253)
at com.sap.engine.services.security.exceptions.BaseSecurityException.<initat com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.acquireCredentials(ConfigurationHelper.java:230)
at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.access$000(ConfigurationHelper.java:28)
at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper$RunnableHelper.run(ConfigurationHelper.java:330)
13:47:15:815 Error J2EE_GUEST ~ngine_Application_Thread[impl:3]_Group] com.sap.engine.services.security Internal server error. An error log with ID [00144FB7C99A00B30000000C000040770004653A2C7E1DD8] is created. For more information contact your system administrator.
[EXCEPTION]
com.sap.engine.services.security.exceptions.BaseSecurityException: Internal server error. An error log with ID [00144FB7C99A00B30000000C000040770004653A2C7E1DD8] is created. For more information contact your system administrator.
at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:157)
at java.security.AccessController.doPrivileged(Native Method)
at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:172)
at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
at sun.reflect.GeneratedMethodAccessor368.invoke(Unknown Source)
at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.acquireCredentials(ConfigurationHelper.java:230)
at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.access$000(ConfigurationHelper.java:28)
at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper$RunnableHelper.run(ConfigurationHelper.java:330)
13:47:15:816 Error J2EE_GUEST ~ngine_Application_Thread[impl:3]_Group] ~es.security.authentication.logincontext LOGIN.FAILED
User: N/A
Authentication Stack: com.sun.security.jgss.accept
Login Module Flag Initialize Login Commit Abort Details
com.sun.security.auth.module.Krb5LoginModule REQUISITE ok exception false null
com.sap.security.core.server.jaas.SPNegoMappingLoginModule REQUISITE ok true
13:47:15:816 Path J2EE_GUEST ~ngine_Application_Thread[impl:3]_Group] com.sap.engine.services.security Exception : Access Denied.
java.lang.Exception
at com.sap.exception.BaseExceptionInfo.traceAutomatically(BaseExceptionInfo.java:1141)
at com.sap.exception.BaseExceptionInfo.<init>(BaseExceptionInfo.java:253)
at com.sap.engine.services.security.exceptions.BaseLoginException.<init>(BaseLoginException.java:114)
at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:286)
at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)
at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.acquireCredentials(ConfigurationHelper.java:230)
at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.access$000(ConfigurationHelper.java:28)
at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper$RunnableHelper.run(ConfigurationHelper.java:330)
Caused by: com.sap.engine.services.security.exceptions.BaseSecurityException: Internal server error. An error log with ID [00144FB7C99A00B30000000C000040770004653A2C7E1DD8] is created. For more information contact your system administrator.
at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:157)
at java.security.AccessController.doPrivileged(Native Method)
at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:172)
at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
at sun.reflect.GeneratedMethodAccessor368.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:324)
at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:334)
at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:44)
at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)
at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.acquireCredentials(ConfigurationHelper.java:230)
at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.access$000(ConfigurationHelper.java:28)
at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper$RunnableHelper.run(ConfigurationHelper.java:330)
13:47:15:817 Error J2EE_GUEST SAPEngine_Application_Thread[impl:3]_39 ~rity.core.server.jaas.SPNegoLoginModule Exception in SPNegologinModule.initialize.
[EXCEPTION]
GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:189)
at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:80)
at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
at sun.security.jgss.LoginUtility.run(LoginUtility.java:57)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:186)
... 9 more
Caused by: com.sap.engine.services.security.exceptions.BaseSecurityException: Internal server error. An error log with ID [00144FB7C99A00B30000000C000040770004653A2C7E1DD8] is created. For more information contact your system administrator.
at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:157)
at java.security.AccessController.doPrivileged(Native Method)
at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:172)
... 22 more
13:47:15:819 Error J2EE_GUEST SAPEngine_Application_Thread[impl:3]_39 com.sap.engine.services.security Cannot initialize login module com.sap.security.core.server.jaas.SPNegoLoginModule .
[EXCEPTION]
java.lang.RuntimeException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
at com.sap.security.core.server.jaas.SPNegoLoginModule.initialize(SPNegoLoginModule.java:446)
at com.sap.engine.services.security.login.LoginModuleLoggingWrapperImpl.initialize(LoginModuleLoggingWrapperImpl.java:129)
at com.sap.engine.services.security.login.LoginContextFactory.initializeLoginContext(LoginContextFactory.java:167)
at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:141)
at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
at sun.reflect.GeneratedMethodAccessor368.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:324)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.getLoggedInUser(SAPJ2EEAuthenticator.java:131)
at com.sapportals.portal.prt.service.authenticationservice.AuthenticationService.getLoggedInUser(AuthenticationService.java:303)
at com.sapportals.portal.prt.connection.UMHandler.handleUM(UMHandler.java:96)
at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:186)
at com.sapportals.portal.prt.dispatcher.Dispatcher$doService.run(Dispatcher.java:522)
at java.security.AccessController.doPrivileged(Native Method)
at com.sapportals.portal.prt.dispatcher.Dispatcher.service(Dispatcher.java:405)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet.service(InvokerServlet.java:156)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
at com.sap.portal.navigation.Gateway.service(Gateway.java:126)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:390)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:264)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:347)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:325)
at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:887)
at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:241)
at com.sap.engine.services.httpserver.server.Client.handle(Client.java:92)
at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:148)
at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
at java.security.AccessController.doPrivileged(Native Method)
at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:100)
at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:170)
13:47:15:821 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_39 ~.security.core.server.jaas.initialize() Entering method with (Subject:
, javax.security.auth.login.LoginContext$SecureCallbackHandleraT6d992c17, {System-ID=ABC, sap.security.auth.configuration.name=spnego, sap.security.auth.context.object=Security Context : session (0) for J2EE_GUEST created at Sun Mar 15 13:01:44 AST 2009}, {ume.configuration.active=true})
13:47:15:821 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_39 com.sap.security.core.server.jaas

Passing error message from login module to login page

Hello,
we have a custom login module to authenticate user in ldap and to grant application roles stored in db.
Is it possible to pass error catched in login module to the user (display the error message on login screen)? We think it is helpful to see correct reason why the user couln't be logged in.
Notes:
Jdev version is 10.1.3.1. Custom login module was written using Frank Nimphius guidelines and examples.
Rado

Hi,
if you followed this example then it is configured for container managed authentication, in which case the error message cannot be propagated to the view.
There was a similar discussion on the J2EE forum and the answer was that the OC4J team will put this on a list of enahncements they track. The technical reason appears to be that the J2EE spec does not foresee to tell users about the "why" authentication fails - which clearly is a limitation of the Spec.
Frank

Sample Login Module Not working

I have configured the sample login module shipped with identity server 6.0 for understanding the configuration of a custome login module.
As per the instruction when i try to run the example i get an Authentication faliure i have given the following url "http://<domain-name>:58080/amserver/UI/Login?module=LoginModuleSample&org=<my org name>"
Could anyone plz tell me y this error has occurred and if not then suggest me a way to return back to a state where i was before working with this example as now i cannot open the amconsole as well.
plz help as fast as possible
kirtan

use commandline to remove and then add (again) amauth service. you should be able to log into the console again.... with your amadmin id and password
for getting the sample auth module to work.. please read the docs carefully, it has a very clear step by step explanation on how to do it...

Urgent - error in Customized login module

hi
I have created a customise login module by using the following url
http://help.sap.com/saphelp_nw04/helpdata/en/46/3ce9402f3f8031e10000000a1550b0/frameset.htm
but when I login to the portal, my login module is not working .When I checked in defaultTrace.1.trc file, it showing following errors :
Caused by: java.lang.ClassNotFoundException: com.sap.test.TestLoginModuleClass
Found in negative cache
Loader Info -
ClassLoader name: [common:library:com.sap.security.api.sda;library:com.sap.security.core.sda;library:security.class;library:webservices_lib;service:com.sap.security.core.ume.service;service:connector;service:dbpool;service:keystore;service:security;service:userstore]
Parent loader name: [Frame ClassLoader]
References:
 library:com.sap.ip.basecomps
 library:core_lib
 common:library:IAIKSecurity;library:activation;library:mail;library:tcsecssl
 library:servlet
 library:sapxmltoolkit
 library:com.sap.mw.jco
 library:com.sap.util.monitor.jarm
 library:j2eeca
 library:opensql
 interface:security
 interface:log
 interface:shell
 interface:keystore_api
 library:ejb20
 interface:webservices
 library:com.sap.guid
 interface:appcontext
 interface:endpoint_api
 interface:resourceset_api
 interface:resourcecontext_api
 common:service:iiop;service:naming;service:p4;service:ts
 interface:ejbcomponent
 interface:container
 interface:visual_administration
 interface:transactionext
 interface:dsr_ejbcontext_api
 service:timeout
 service:memory
 service:deploy
 library:antlr
 library:jdbdictionary
 library:opensqlextensions
 service:adminadapter
 interface:cross
Resources:
 C:
usr
sap
J2E
JC00
j2ee
cluster
server0
bin
services
dbpool
dbpool.jar
 C:
usr
sap
J2E
JC00
j2ee
cluster
server0
bin
ext
security.class
tc_sec_compat.jar
 C:
usr
sap
J2E
JC00
j2ee
cluster
server0
bin
services
security
security.jar
 C:
usr
sap
J2E
JC00
j2ee
cluster
server0
bin
services
com.sap.security.core.ume.service
com.sap.security.core.ume.service.jar
 C:
usr
sap
J2E
JC00
j2ee
cluster
server0
bin
ext
security.class
tc_sec_saml_toolkit_api.jar
 C:
usr
sap
J2E
JC00
j2ee
cluster
server0
bin
ext
webservices_lib
webservices_lib.jar
 C:
usr
sap
J2E
JC00
j2ee
cluster
server0
bin
ext
security.class
tc_sec_userstore_lib.jar
 C:
usr
sap
J2E
JC00
j2ee
cluster
server0
bin
ext
security.class
tc_sec_jaas_test.jar
 C:
usr
sap
J2E
JC00
j2ee
cluster
server0
bin
services
dbpool
sqljimpl.jar
 C:
usr
sap
J2E
JC00
j2ee
cluster
server0
bin
ext
com.sap.security.core.sda
com.sap.security.core.tpd.jar
 C:
usr
sap
J2E
JC00
j2ee
cluster
server0
bin
services
connector
connectorimpl.jar
 C:
usr
sap
J2E
JC00
j2ee
cluster
server0
bin
ext
com.sap.security.api.sda
com.sap.security.api.perm.jar
 C:
usr
sap
J2E
JC00
j2ee
cluster
server0
bin
ext
webservices_lib
saaj-api.jar
 C:
usr
sap
J2E
JC00
j2ee
cluster
server0
bin
ext
security.class
tc_sec_saml_jaas.jar
 C:
usr
sap
J2E
JC00
j2ee
cluster
server0
bin
ext
security.class
tc_sec_saml_xmlbind.jar
 C:
usr
sap
J2E
JC00
j2ee
cluster
server0
bin
ext
security.class
tc_sec_saml_util.jar
 C:
usr
sap
J2E
JC00
j2ee
cluster
server0
bin
ext
security.class
tc_sec_saml_toolkit_core.jar
 C:
usr
sap
J2E
JC00
j2ee
cluster
server0
bin
ext
security.class
tc_sec_ssf.jar
 C:
usr
sap
J2E
JC00
j2ee
cluster
server0
bin
services
userstore
userstore.jar
 C:
usr
sap
J2E
JC00
j2ee
cluster
server0
bin
ext
security.class
tc_sec_https.jar
 C:
usr
sap
J2E
JC00
j2ee
cluster
server0
bin
ext
security.class
tc_sec_saml_service_api.jar
 C:
usr
sap
J2E
JC00
j2ee
cluster
server0
bin
ext
webservices_lib
jaxrpc-api.jar
 C:
usr
sap
J2E
JC00
j2ee
cluster
server0
bin
services
dbpool
opensqllib.jar
 C:
usr
sap
J2E
JC00
j2ee
cluster
server0
bin
ext
security.class
tc_sec_jaas.jar
 C:
usr
sap
J2E
JC00
j2ee
cluster
server0
bin
ext
com.sap.security.api.sda
com.sap.security.api.jar
 C:
usr
sap
J2E
JC00
j2ee
cluster
server0
bin
ext
com.sap.security.core.sda
com.sap.security.core.jar
 C:
usr
sap
J2E
JC00
j2ee
cluster
server0
bin
ext
webservices_lib
jaxm-api.jar
 C:
usr
sap
J2E
JC00
j2ee
cluster
server0
bin
services
keystore
keystore.jar
Loading model: {parent,local,references}
 at com.sap.engine.frame.core.load.ReferencedLoader.loadClass(ReferencedLoader.java:298)
 at com.sap.engine.services.security.Util.loadClass(Util.java:257)
 at com.sap.engine.services.security.Util.loadClassFromAdditionalLoaders(Util.java:199)
 at com.sap.engine.services.security.login.LoginContextFactory.init(LoginContextFactory.java:89)
 ... 13 more
#1.5#001143F14283004C0000000000001F900004064B9EAAD383#1132821761187#com.sap.sl.util.cvers.impl.CVersFactory##com.sap.sl.util.cvers.impl.CVersFactory#Administrator#903####4632df305cc611da97d1001143f14283#SAPEngine_Application_Thread[impl:3]_9##0#0#Path##Plain###14:12:41 /Applications/SL/UTIL entering class com.sap.sl.util.cvers.impl.CVersFactory#
#1.5#001143F14283004C0000000100001F900004064B9EAAE147#1132821761187#com.sap.sl.util.cvers.impl.CVersManager##com.sap.sl.util.cvers.impl.CVersManager#Administrator#903####4632df305cc611da97d1001143f14283#SAPEngine_Application_Thread[impl:3]_9##0#0#Path##Plain###14:12:41 /Applications/SL/UTIL entering class com.sap.sl.util.cvers.impl.CVersManager#
#1.5#001143F14283004C0000000200001F900004064B9EAAFAD2#1132821761187#com.sap.sl.util.cvers.impl.DBConnector##com.sap.sl.util.cvers.impl.DBConnector#Administrator#903####4632df305cc611da97d1001143f14283#SAPEngine_Application_Thread[impl:3]_9##0#0#Path##Plain###14:12:41 /Applications/SL/UTIL entering class com.sap.sl.util.cvers.impl.DBConnector#
#1.5#001143F14283004C0000000300001F900004064B9EAB2769#1132821761203#com.sap.sl.util.cvers.impl.CVersDao##com.sap.sl.util.cvers.impl.CVersDao#Administrator#903####4632df305cc611da97d1001143f14283#SAPEngine_Application_Thread[impl:3]_9##0#0#Path##Plain###14:12:41 /Applications/SL/UTIL entering class com.sap.sl.util.cvers.impl.CVersDao#
#1.5#001143F14283004C0000000400001F900004064B9EAB2B09#1132821761203#com.sap.sl.util.cvers.impl.DBConnector##com.sap.sl.util.cvers.impl.DBConnector#Administrator#903####4632df305cc611da97d1001143f14283#SAPEngine_Application_Thread[impl:3]_9##0#0#Path##Plain###-> 14:12:41 -> entering getDataSource#
#1.5#001143F14283004C0000000500001F900004064B9EAB2CAC#1132821761203#com.sap.sl.util.cvers.impl.DBConnector##com.sap.sl.util.cvers.impl.DBConnector#Administrator#903####4632df305cc611da97d1001143f14283#SAPEngine_Application_Thread[impl:3]_9##0#0#Debug##Plain### get initial contrext...#
#1.5#001143F14283004C0000000600001F900004064B9EAB315E#1132821761203#com.sap.sl.util.cvers.impl.DBConnector##com.sap.sl.util.cvers.impl.DBConnector#Administrator#903####4632df305cc611da97d1001143f14283#SAPEngine_Application_Thread[impl:3]_9##0#0#Debug##Plain### get data source...#
#1.5#001143F14283004C0000000900001F900004064B9EAB508E#1132821761218#com.sap.sl.util.cvers.impl.DBConnector##com.sap.sl.util.cvers.impl.DBConnector#Administrator#903####4632df305cc611da97d1001143f14283#SAPEngine_Application_Thread[impl:3]_9##0#0#Error#1#/Applications/SL/UTIL#Plain###get data source CVERS failed! Trying SAP/BC_UME... #
#1.5#001143F14283004C0000000A00001F900004064B9EAB59E2#1132821761218#com.sap.sl.util.cvers.impl.DBConnector##com.sap.sl.util.cvers.impl.DBConnector#Administrator#903####4632df305cc611da97d1001143f14283#SAPEngine_Application_Thread[impl:3]_9##0#0#Debug##Plain### got data source!#
#1.5#001143F14283004C0000000B00001F900004064B9EAB5BAD#1132821761218#com.sap.sl.util.cvers.impl.DBConnector##com.sap.sl.util.cvers.impl.DBConnector#Administrator#903####4632df305cc611da97d1001143f14283#SAPEngine_Application_Thread[impl:3]_9##0#0#Path##Plain###<--- exiting getDataSource#
#1.5#001143F14283004C0000000C00001F900004064B9EAB60C6#1132821761218#com.sap.sl.util.cvers.impl.CVersDao##com.sap.sl.util.cvers.impl.CVersDao#Administrator#903####4632df305cc611da97d1001143f14283#SAPEngine_Application_Thread[impl:3]_9##0#0#Path##Plain###-> 14:12:41 -> entering findByRealKey#
#1.5#001143F14283004C0000000D00001F900004064B9EAB6A53#1132821761218#com.sap.sl.util.cvers.impl.HashKey##com.sap.sl.util.cvers.impl.HashKey#Administrator#903####4632df305cc611da97d1001143f14283#SAPEngine_Application_Thread[impl:3]_9##0#0#Path##Plain###14:12:41 /Applications/SL/UTIL entering class com.sap.sl.util.cvers.impl.HashKey#
#1.5#001143F14283004C0000000E00001F900004064B9EAB6B9D#1132821761218#com.sap.sl.util.cvers.impl.HashKey##com.sap.sl.util.cvers.impl.HashKey#Administrator#903####4632df305cc611da97d1001143f14283#SAPEngine_Application_Thread[impl:3]_9##0#0#Debug##Plain### concatenated hashKey: sap.comSAP-JEECOR#
#1.5#001143F14283004C0000000F00001F900004064B9EAB6C53#1132821761218#com.sap.sl.util.cvers.impl.HashKey##com.sap.sl.util.cvers.impl.HashKey#Administrator#903####4632df305cc611da97d1001143f14283#SAPEngine_Application_Thread[impl:3]_9##0#0#Debug##Plain### hashKey: sap.comSAP-JEECOR#
#1.5#001143F14283004C0000001000001F900004064B9EAB6D35#1132821761218#com.sap.sl.util.cvers.impl.HashKey##com.sap.sl.util.cvers.impl.HashKey#Administrator#903####4632df305cc611da97d1001143f14283#SAPEngine_Application_Thread[impl:3]_9##0#0#Debug##Plain### hashVal: -1330087332#
#1.5#001143F14283004C0000001100001F900004064B9EABCF31#1132821761250#com.sap.sl.util.cvers.impl.CVersDao##com.sap.sl.util.cvers.impl.CVersDao#Administrator#903####4632df305cc611da97d1001143f14283#SAPEngine_Application_Thread[impl:3]_9##0#0#Path##Plain###-> 14:12:41 -> entering findByRealKey#
#1.5#001143F14283004C0000001200001F900004064B9EAC1380#1132821761265#com.sap.sl.util.cvers.impl.CVersDao##com.sap.sl.util.cvers.impl.CVersDao#Administrator#903####4632df305cc611da97d1001143f14283#SAPEngine_Application_Thread[impl:3]_9##0#0#Debug##Plain### Found the following real key: com.sap.sl.util.cvers.impl.CVersDBObject@11399a6#
#1.5#001143F14283004C0000001300001F900004064B9EAC145C#1132821761265#com.sap.sl.util.cvers.impl.CVersDao##com.sap.sl.util.cvers.impl.CVersDao#Administrator#903####4632df305cc611da97d1001143f14283#SAPEngine_Application_Thread[impl:3]_9##0#0#Path##Plain###<--- exiting findByRealKey#
#1.5#001143F14283004C0000001400001F900004064B9EAC440C#1132821761281#com.sap.sl.util.components.impl.ComponentFactory##com.sap.sl.util.components.impl.ComponentFactory#Administrator#903####4632df305cc611da97d1001143f14283#SAPEngine_Application_Thread[impl:3]_9##0#0#Path##Plain###14:12:41 /Applications/SL/UTIL entering class com.sap.sl.util.components.impl.ComponentFactory#
#1.5#001143F14283004C0000001500001F900004064B9EAC5182#1132821761281#com.sap.sl.util.cvers.impl.CVersDao##com.sap.sl.util.cvers.impl.CVersDao#Administrator#903####4632df305cc611da97d1001143f14283#SAPEngine_Application_Thread[impl:3]_9##0#0#Path##Plain###-> 14:12:41 -> entering closeConnection#
#1.5#001143F14283004C0000001600001F900004064B9EAC52B7#1132821761281#com.sap.sl.util.cvers.impl.CVersDao##com.sap.sl.util.cvers.impl.CVersDao#Administrator#903####4632df305cc611da97d1001143f14283#SAPEngine_Application_Thread[impl:3]_9##0#0#Path##Plain###<--- exiting closeConnection#
#1.5#001143F14283004C0000001700001F900004064B9EAC5348#1132821761281#com.sap.sl.util.cvers.impl.CVersDao##com.sap.sl.util.cvers.impl.CVersDao#Administrator#903####4632df305cc611da97d1001143f14283#SAPEngine_Application_Thread[impl:3]_9##0#0#Path##Plain###<--- exiting findByRealKey#
#1.5#001143F14283004F0000000000001F900004064BA94350C0#1132821938953#com.sap.engine.services.jmsconnector##com.sap.engine.services.jmsconnector#Administrator#903####b027cf905cc611dac152001143f14283#SAPEngine_Application_Thread[impl:3]_21##0#0#Error##Plain###Factory: InstToolTopicFactoryFinishImage loader does not exist: . Using default class loader!!!#
#1.5#001143F14283004F0000000100001F900004064BA944042B#1132821939000#com.sap.engine.services.jmsconnector##com.sap.engine.services.jmsconnector#Administrator#903####b027cf905cc611dac152001143f14283#SAPEngine_Application_Thread[impl:3]_21##0#0#Error##Plain###Factory: DAserviceQueueFactory loader does not exist: . Using default class loader!!!#
#1.5#001143F14283004F0000000200001F900004064BA9445581#1132821939015#com.sap.engine.services.jmsconnector##com.sap.engine.services.jmsconnector#Administrator#903####b027cf905cc611dac152001143f14283#SAPEngine_Application_Thread[impl:3]_21##0#0#Error##Plain###Factory: InstToolTopicFactoryCreateEmptyImage loader does not exist: . Using default class loader!!!#
Can any one tell me what should I do for that ????
Thanks
shashank

Hi Joerg
Thanks !!!
I had checked. Pls check I had given the following things ...
in configtool ->Global service configuration ->services ->security
LoginModuleClassLoaders library:sap.com~TestLoginLibrary
As
my class name = com.sap.test.TestLoginModuleClass
In provider.xml,
 provider name = sap.com
 Component Name = TestLoginLibrary
 Display name = TestLoginLibrary
Can u pls tell me what should I do .
Thanks
shashank
Urs answer must be appreciate.

J2EE 6.40 Custom Login Module - how to config

hello all,
i am using WAS J2EE 6.40 Sneak Preview edition. Read all i can find about custom login module, in the forum and the online help. still confused. pls help.
here is the background info:
- i am writing a web app. the EAR file contains 5 ejbs, 1 war and bunch of java classes in jars.
- access to my web app is protected through url pattern (in web.xml), i've defined the same named security role in web.xml and on j2ee engine.
- my login module does the user name and password checking. both are stored in database through some other means.
- login is FORM based
following the discussion in another thread on the topic, i did the following:
#1 develop my login module code. packaged it in a jar, then sda file. deploy the sda as a llibrary to the engine.
#2 add my login module to the security store through the security provider service.
#3 configure my web app to use the custom login module in web-j2ee-engine.xml
#4 deploy my web app through the ear file
at this point, in the visual administrator, i can see the library, the custom login module (added to the UME User Store), and also my web app has authentication set to use the custom login module (under policy configurations tab).
now i try to login to my web app. it correctly complains when i enter non-existent user or wrong password and brings me to the login failed jsp page. but when i enter both correctly (as stored in my database), i get http 403 error code. i know it is 403 because i set that error code to a special jsp page in web.xml.
question is why? now i create a user on the j2ee engine with the same name as in my user database. then i can login ok. i am confident that my login module is called since i see the println lines in j2ee engine server logs.
??? so i must be missing something obvious. is it because my web app is protected through security-role? i even tried removing all such roles, but still same problem.
??? or do i completely mis-understand how custom login modules are supposed to work. i thought it means i can authenticate users any way i want without having to use the j2ee engine's user mgmt. pls tell me if i am totally wrong.
??? or maybe my login module code is missing some key stmts. how should it tell the j2ee engine that a user is authenticated? in the login() method, it returns true if user name/passwd match. in the commit() method, it adds the principal to the subject. i don't what else is required.
does anyone have a working scenario using custom login modules?
thanks very much for your inputs and thoughts.
wentao

Hi Astrid,
I guess I have the same understanding of JAAS as you. I want to deploy an application that internally makes use of JAAS to authenticate users. There is a LoginModule that authenticates users against some database tables containing all the user data and profile. The application was not designed to be deployed to NetWeaver. So it does not make use of UME or some other NetWeaver specific feature. Actually it handles user management and authoroization issues completely on its own. The only reason for having JAAS is to allow customers to plug in their own LoginModule to use some other kind of user store.
When deploying the web application to a simple servlet engine like Tomcat, all I have to do is to register my LoginModule in the "jaas.conf" file that is parsed by JAAS default implementation. I also tell the JVM where my jaas.conf file is located by appending a "-Djava..." runtime parameter to the JVM startup script.
When using other application servers like IBM WebSphere things become a bit different. Normally you use the administration GUI of that server to configure your LoginModules. WebSphere for example keeps the login configuration in an internal database rather than writing everything into a "jaas.conf" text file. But the way the application can use the LoginModule is the same as in Tomcat.
But when it comes to Netweaver, it seems to me that it's not possible to define a LoginModule that your application can use WITHOUT having to couple it tightly to UME. Or did I get something wrong? Initially I've tried to modify the JVM's parameters (using SAP J2EE Config Tool) to include the location of my "jaas.conf" file containing the my login configuration. But that did not work. The parameter was really passed to the JVM but anyway my LoginModule was not found, I guess that NetWeaver has some own implementation of the JAAS interfaces that just ignore the plain text JAAS configuration files (like WebSphere also does).
The documentation that I have downloaded from SDN doesn't seem to match the 6.4 sneak preview version that I just downloaded some days ago. They say you should deploy your LoginModule as a library and add a refernce to the application. I tried that out but it did not help. The login configuration that the application wants to access is still not found. Actually there seems to be no way to specify the name for a JAAS Login Configuration in NetWeaver. At least I cound not find that in the documentation.
So basically my question is: is it possible to deploy an application that wants to use some own LoginModule (either deployed separately or together with the application, that does not matter) without making use of Netweaver specific features like UME? The application has its own user management infrastructure and just needs a way to setup a JAAS Login Configuration to access its own LoginModule.
Thanks in advance
Henning

Security Provider(JAAS chaine module)logging with SAP J2EE Agent Policy 2.2

Hello,
I have installed and configured a SAP J2EE Policy Agent 2.2 on a SAP J2EE Application Server 7.0 and installed an opensso 8.0.
I have configured and deployed a jsp application with the descriptor containing the agent filter on the SAP J2EE.
I have configured the security provider (based on JAAS) as follows:
EvaluateTicketModule
AmSAPWASLoginModule
CreateTicketLoginModule
I have then increased the severity check of logging on the SAP J2EE Application Server for:
com.sap.security.server.jaas
com.sap.engine.services.security
But since the installation of the agent, I am not able to see the logs of the different logon modules and be sure that the CreateLoginModule has been done.
I need to check that after the success of the agent login module, it goes through the CreateTicketLoginModule, how can I check that.
Thanks,
Tanguy Mezzano
amFilter log:
11/13/2008 06:02:39:810 PM CET: SAPEngine_Application_Thread[impl:3]_35
AmFilter: now processing: Notification Task Handler
11/13/2008 06:02:39:810 PM CET: SAPEngine_Application_Thread[impl:3]_35
AmFilter: now processing: Port Check Task Handler
11/13/2008 06:02:39:810 PM CET: SAPEngine_Application_Thread[impl:3]_35
PortCheckTaskHandler: request is on valid port
11/13/2008 06:02:39:810 PM CET: SAPEngine_Application_Thread[impl:3]_35
AmFilter: now processing: FQDN Task Handler
11/13/2008 06:02:39:810 PM CET: SAPEngine_Application_Thread[impl:3]_35
FQDNHelper: Incoming Server Name: [myserver] Result: null
11/13/2008 06:02:39:810 PM CET: SAPEngine_Application_Thread[impl:3]_35
AmFilter: now processing: Not Enforced List Task Handler
11/13/2008 06:02:39:810 PM CET: SAPEngine_Application_Thread[impl:3]_35
NotenforcedURIHelper.isNotEnforced(/myApp.jsp) found in enforced cache
11/13/2008 06:02:39:810 PM CET: SAPEngine_Application_Thread[impl:3]_35
NotenforcedURIHelper.isNotEnforced(/myApp.jsp) => false
11/13/2008 06:02:39:810 PM CET: SAPEngine_Application_Thread[impl:3]_35
AmFilter: now processing: SSO Task Handler
11/13/2008 06:02:40:122 PM CET: SAPEngine_Application_Thread[impl:3]_35
SSOTaskHandler: SSO Validation successful for id=myUser,ou=user,dc=myCompany,dc=com
11/13/2008 06:02:40:122 PM CET: SAPEngine_Application_Thread[impl:3]_35
AmFilter: now processing: URL Policy Task Handler
11/13/2008 06:02:40:310 PM CET: SAPEngine_Application_Thread[impl:3]_35
URLPolicyTaskHandler: access allowed by AmWebPolicy
11/13/2008 06:02:40:310 PM CET: SAPEngine_Application_Thread[impl:3]_35
AmFilter: now processing: Redirect Check Result Handler
11/13/2008 06:02:40:310 PM CET: SAPEngine_Application_Thread[impl:3]_35
RedirectCheckResultHandler: removing redirect counter cookie
11/13/2008 06:02:40:310 PM CET: SAPEngine_Application_Thread[impl:3]_35
AmFilter: result =>
FilterResult:
Status : CONTINUE
RedirectURL : null
RequestHelper:
null
Data:
null
-----------------------------------------------------------

I want to use my login page in BEA instead of Access Manager or Distributed Authentication Module. I think it is similar to the problem you have? Did you come up with a solution?
My problem is described in more detail on this thread:
http://forum.java.sun.com/thread.jspa?threadID=5197783

LMS 3.2 Windows - 10 minute timeout while using TACACS+ Login Module

Hello,
we have changed our login module to TACACS+ (Non-ACS). All works fine when we use users which are set up in TACACS+. Using an account which does not exist (or only exists in CiscoWorks Local login module - even as fallback user) we register a timeout of 10 minutes until the login module fails the request (turned on Debugging and watching the stdout.log of tomcat). While running the backup.pl script it seems that the user "admin" tries to access the web server, but as this user is not set up in TACACS+ we have to wait 20 or more minutes until the backup starts. So, is there a way to set a timeout value for that login module?Is it known that the admin account is needed to perform the backup?
Thanks and kind regards
Allessandro

This delay is coming from your TACACS server. Can you shorten the authentication failure there? As for the user ID, check your System Identity User under Common Services > Server > Security > System Identity Setup. Make sure this use exists in the TACACS databases.

Howto put custom JAAS Login Module into NWDI

Hi there!
We are currently in migration phase and want to integrate existing codings to NWDI. We mainly had Web Dynpro projects which we figured out how to migrate through discovering help.sap.com
Formerly I developed a custom JAAS login module which is productive on our portal systems. Now I would like to integrate it to NWDI. Is this possible in general?
Best Regards
Christian

Can you clarify a bit more what didn't work? What issues do you face?
Our setup for security.jar (which is not available in one of the base SC's) (for the rest try to use as many base DC's as possible):
1. Create External Library DC for security.jar
2. Add security.jar to libraries folder, add to new pp for Compilation
3. Create J2EE Library DC for loginmodule
4. Create Java Library DC for loginmodule as Child DC
5. Define the External Library DC as Used DC of the Java DC, referencing the Compilation pp (Only a Build time dependency, since this will not be deployed, instead you'll reference the registered interface, see below).
6. Create a public part for Assembly in the Java DC. Add all your loginmodule classes to the pp.
7. Define the Java DC as Used DC of the J2EE Library DC, referencing the Assembly pp (only Build time dependency). (this packages the loginmodule jar in the J2EE library)
8. Create a provider.xml in the 'server' folder of the J2EE Library DC
9. Define references to libraries used by the Child DC and the Child DC's jar:
 <references>
 <reference
 provider-name="sap.com"
 strength="weak"
 type="library">com.sap.security.api.sda</reference>
 <reference
 provider-name="sap.com"
 strength="weak"
 type="interface">security_api</reference>
 <reference
 provider-name="sap.com"
 strength="weak"
 type="library">com.sap.tc.Logging</reference>
 <reference
 provider-name="sap.com"
 strength="weak"
 type="library">servlet</reference>
 </references>
 <jars>
 <jar-name>[vendor name]~[DC name]~Assembly.jar</jar-name>
 </jars>
The J2EE Library DC has only one Used DC: The child Java DC.
The Java DC has Used DCs for anything you need to compile your loginmodule code.
Hope I didn't forget anything else.

Problems deploying custom JAAS login module (ClassNotFound)

Hi,
I've developed a custom made JAAS login module that filters on IP addresse which I am moving from 6.20 to 6.40.
I've pretty much followed the procedures from http://help.sap.com/saphelp_nw04/helpdata/de/46/3ce9402f3f8031e10000000a1550b0/content.htm , the only major difference is that I needed a reference to WebCallback and therefore a reference to com.sap.security.api.sda from my library project.
I've especially followed the step with "Adding a Reference to the Classloader of the Security Provider" (http://help.sap.com/saphelp_nw04/helpdata/de/2b/23e4407211732ae10000000a155106/content.htm) , but I think its this step that fails. This has been set to library:<library name> , where <library name> is what is written on the right hand side of visual admin under library. I see that the library is deployed under the folder bin\ext\customer.com~com.customer.portal.login.IPRuleLibrary , so maybe I will try that name tomorrow morning.
The exceptions I get are
#1.5#001321B3B106005C0000000800002E380004039375E59BA6#1129831779936#com.sap.engine.services.security#sap.com/irj#com.sap.engine.services.security#Guest#1####ae7c5500419411daa7fd001321b3b106#SAPEngine_Application_Thread[impl:3]_17##0#0#Error#1#/System/Audit#Java###Exception #1#com.sap.engine.services.security.exceptions.BaseSecurityException: Cannot load a login module.
 at com.sap.engine.services.security.login.LoginContextFactory.init(LoginContextFactory.java:95)
 at com.sap.engine.services.security.login.LoginContextFactory.getLoginContext(LoginContextFactory.java:133)
 at com.sap.engine.services.security.server.AuthenticationContextImpl.getLoginContext(AuthenticationContextImpl.java:227)
 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
 at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
 at java.lang.reflect.Method.invoke(Method.java:324)
 at com.sap.engine.system.SystemLoginModule.initialize(SystemLoginModule.java:72)
 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
 at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
 at java.lang.reflect.Method.invoke(Method.java:324)
 at javax.security.auth.login.LoginContext.invoke(LoginContext.java:662)
 at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
 at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
 at java.security.AccessController.doPrivileged(Native Method)
 at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
 at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
 at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.getLoggedInUser(SAPJ2EEAuthenticator.java:86)
 at com.sapportals.portal.prt.service.authenticationservice.AuthenticationService.getLoggedInUser(AuthenticationService.java:305)
 at com.sapportals.portal.prt.connection.UMHandler.handleUM(UMHandler.java:96)
 at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:186)
 at com.sapportals.portal.prt.dispatcher.Dispatcher$doService.run(Dispatcher.java:522)
 at java.security.AccessController.doPrivileged(Native Method)
 at com.sapportals.portal.prt.dispatcher.Dispatcher.service(Dispatcher.java:405)
 at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
 at com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet.service(InvokerServlet.java:156)
 at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
 at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:295)
 at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:351)
 at com.sap.portal.navigation.Gateway.service(Gateway.java:68)
 at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
 at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:390)
 at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:264)
 at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:347)
 at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:325)
 at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:887)
 at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:241)
 at com.sap.engine.services.httpserver.server.Client.handle(Client.java:92)
 at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:148)
 at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
 at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
 at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
 at java.security.AccessController.doPrivileged(Native Method)
 at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:95)
 at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:159)
Caused by: java.lang.ClassNotFoundException: com.customer.portal.login.IPRuleLoginModule
Found in negative cache
- Loader Info -
ClassLoader name: [common:library:com.sap.security.api.sda;library:com.sap.security.core.sda;library:security.class;library:webservices_lib;service:adminadapter;service:basicadmin;service:com.sap.security.core.ume.service;service:configuration;service:connector;service:dbpool;service:deploy;service:jmx;service:jmx_notification;service:keystore;service:security;service:userstore]
Parent loader name: [Frame ClassLoader]
References:
 library:com.sap.ip.basecomps
 library:core_lib
 common:library:IAIKSecurity;library:activation;library:mail;library:tcsecssl
 library:servlet
 library:sapxmltoolkit
 library:com.sap.mw.jco
 library:com.sap.util.monitor.jarm
 library:j2eeca
 library:opensql
 interface:security
 interface:log
 interface:shell
 interface:keystore_api
 library:ejb20
 interface:webservices
 library:com.sap.guid
 interface:appcontext
 interface:endpoint_api
 interface:resourceset_api
 interface:resourcecontext_api
 common:service:iiop;service:naming;service:p4;service:ts
 interface:ejbcomponent
 interface:container
 interface:visual_administration
 interface:transactionext
 interface:dsr_ejbcontext_api
 service:timeout
 library:tc~jmx
 library:tcSLUTIL
 service:memory
 library:antlr
 library:jdbdictionary
 library:opensqlextensions
 interface:cross
 service:locking
 service:file
Resources:
 C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
ext
security.class
tc_sec_saml_toolkit_api.jar
 C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
services
adminadapter
adminadapter.jar
 C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
services
com.sap.security.core.ume.service
com.sap.security.core.ume.service.jar
 C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
ext
webservices_lib
jaxrpc-api.jar
 C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
ext
com.sap.security.api.sda
com.sap.security.api.jar
 C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
services
dbpool
opensqllib.jar
 C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
services
jmx
jmx_sec.jar
 C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
ext
webservices_lib
jaxm-api.jar
 C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
services
keystore
keystore.jar
 C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
services
security
security.jar
 C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
services
basicadmin
jstartupapi.jar
 C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
ext
security.class
tc_sec_saml_jaas.jar
 C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
services
connector
connectorimpl.jar
 C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
ext
webservices_lib
webservices_lib.jar
 C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
ext
security.class
tc_sec_jaas.jar
 C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
ext
security.class
tc_sec_saml_service_api.jar
 C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
ext
security.class
tc_sec_userstore_lib.jar
 C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
ext
webservices_lib
saaj-api.jar
 C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
ext
com.sap.security.core.sda
com.sap.security.core.jar
 C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
ext
com.sap.security.core.sda
com.sap.security.core.tpd.jar
 C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
ext
security.class
tc_sec_csi.jar
 C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
ext
security.class
tc_sec_ssf.jar
 C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
services
userstore
userstore.jar
 C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
services
dbpool
sqljimpl.jar
 C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
ext
security.class
tc_sec_saml_xmlbind.jar
 C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
ext
security.class
tc_sec_saml_util.jar
 C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
services
dbpool
dbpool.jar
 C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
services
deploy
deploy.jar
 C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
ext
security.class
tc_sec_saml_toolkit_core.jar
 C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
services
jmx
jmx.jar
 C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
ext
security.class
tc_sec_compat.jar
 C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
services
jmx_notification
jmx_notification.jar
 C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
services
configuration
configuration.jar
 C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
services
basicadmin
jstartupimpl.jar
 C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
ext
security.class
tc_sec_https.jar
 C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
services
basicadmin
basicadmin.jar
 C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
ext
security.class
tc_sec_jaas_test.jar
 C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
ext
com.sap.security.api.sda
com.sap.security.api.perm.jar
Loading model: {parent,local,references}
 at com.sap.engine.frame.core.load.ReferencedLoader.loadClass(ReferencedLoader.java:348)
 at com.sap.engine.services.security.Util.loadClass(Util.java:262)
 at com.sap.engine.services.security.Util.loadClassFromAdditionalLoaders(Util.java:204)
 at com.sap.engine.services.security.login.LoginContextFactory.init(LoginContextFactory.java:92)
 ... 45 more
#1.5#001321B3B106005C0000000900002E380004039375E5A109#1129831779936#com.sap.engine.services.security#sap.com/irj#com.sap.engine.services.security#Guest#1####ae7c5500419411daa7fd001321b3b106#SAPEngine_Application_Thread[impl:3]_17##0#0#Error##Java###Cannot load login module class .#1#com.customer.portal.login.IPRuleLoginModule#

Hi,
The problem was solved by using the name customer.com~com.customer.portal.login.IPRuleLibrary for the library (so basically look at the name of your library folder under cluster\j2ee\serverx\bin\ext , not the name reported by visual admin).
Also I was able to modify the properties of the login module runtime, which made me very happy
Dagfinn

JDEV deployment of web app with custom JAAS login module fails

For the first time, I am trying to implement a custom JAAS login module.
JDEV deployment to standalone OC4J only fails when my orion-application.xml is included. The deployment fails with a java.lang.InstantiationException.
This what I have done:
1) Wrote a custom LoginModule called com.whirlpoool.sjtc.jaas.gpa.LDAPLoginModule.
2) Put it and its dependent classes in a jar named sjtcjaas.jar.
3) Put the jar in $ORACLE_HOME\j2ee\home\lib
4) Changed library_path in $ORACLE_HOME\j2ee\home\config\application.xml to
<library path="../../home/lib/scheduler.jar;../../home/lib/sjtcjaas.jar" />
5) Added an orion-application.xml to the JDEV project. (I used an Oracle How-to as a pattern, see below.)
I think I'm close but no cigar, yet. Any help would be appreciated.
Regards,
Al Malin
=============== orion-application.xml ========================================
<?xml version="1.0"?>
<orion-application xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://xmlns.oracle.com/oracleas/schema/orion-application-10_0.xsd" deployment-version="10.1.3.0.0" default-data-source="jdbc/OracleDS" schema-major-version="10" schema-minor-version="0" >
<security-role-mapping name="sr_manager">
<group name="managers" />
</security-role-mapping>
<security-role-mapping name="sr_developer">
<group name="developers" />
</security-role-mapping>
<log>
<file path="application.log" />
</log>

<jazn-loginconfig>
<application>
<name>customjaas</name>
<login-modules>
<login-module>
<class>com.whirlpoool.sjtc.jaas.gpa.LDAPLoginModule</class>
<control-flag>required</control-flag>
<options>
<option>
<name>debug</name>
<value>true</value>
</option>
</options>
</login-module>
</login-modules>
</application>
</jazn-loginconfig>
</orion-application>

Starting OC4J from c:\oc4j\j2ee\home ...
2006-09-07 13:45:28.484 NOTIFICATION JMS Router is initiating ...
06/09/07 13:45:29 Oracle Containers for J2EE 10g (10.1.3.0.0) initialized
2006-09-07 13:45:58.609 NOTIFICATION Application Deployer for aam STARTS.
2006-09-07 13:45:58.640 NOTIFICATION Copy the archive to C:\oc4j\j2ee\home\applications\aam.ear
2006-09-07 13:45:58.656 NOTIFICATION Initialize C:\oc4j\j2ee\home\applications\aam.ear begins...
2006-09-07 13:45:58.656 NOTIFICATION Auto-unpacking C:\oc4j\j2ee\home\applications\aam.ear...
2006-09-07 13:45:58.687 NOTIFICATION Unpacking aam.ear
2006-09-07 13:45:58.687 NOTIFICATION Unjar C:\oc4j\j2ee\home\applications\aam.ear in C:\oc4j\j2ee\home\applications\aam
2006-09-07 13:45:58.750 NOTIFICATION Done unpacking aam.ear
2006-09-07 13:45:58.750 NOTIFICATION Finished auto-unpacking C:\oc4j\j2ee\home\applications\aam.ear
2006-09-07 13:45:58.750 NOTIFICATION Auto-unpacking C:\oc4j\j2ee\home\applications\aam\aam.war...
2006-09-07 13:45:58.750 NOTIFICATION Unpacking aam.war
2006-09-07 13:45:58.765 NOTIFICATION Unjar C:\oc4j\j2ee\home\applications\aam\aam.war in C:\oc4j\j2ee\home\applications\aam\aam
2006-09-07 13:45:58.765 NOTIFICATION Done unpacking aam.war
2006-09-07 13:45:58.765 NOTIFICATION Finished auto-unpacking C:\oc4j\j2ee\home\applications\aam\aam.war
2006-09-07 13:45:58.812 NOTIFICATION Initialize C:\oc4j\j2ee\home\applications\aam.ear ends...
2006-09-07 13:45:58.828 NOTIFICATION Starting application : aam
2006-09-07 13:45:58.828 NOTIFICATION Initializing ClassLoader(s)
2006-09-07 13:45:58.828 NOTIFICATION Initializing EJB container
2006-09-07 13:45:58.828 NOTIFICATION Loading connector(s)
2006-09-07 13:45:58.843 NOTIFICATION application : aam is in failed state
06/09/07 13:45:58 WARNING: Application.setConfig Application: aam is in failed state as initialization failedjava.lang.InstantiationException
Sep 7, 2006 1:45:58 PM com.evermind.server.Application setConfig
WARNING: Application: aam is in failed state as initialization failedjava.lang.InstantiationException
06/09/07 13:45:58 oracle.oc4j.admin.internal.DeployerException: java.lang.InstantiationException
06/09/07 13:45:58 at oracle.oc4j.admin.internal.ApplicationDeployer.addApplication(ApplicationDeployer.java:510)
06/09/07 13:45:58 at oracle.oc4j.admin.internal.ApplicationDeployer.doDeploy(ApplicationDeployer.java:191)
06/09/07 13:45:58 at oracle.oc4j.admin.internal.DeployerBase.execute(DeployerBase.java:93)
06/09/07 13:45:58 at oracle.oc4j.admin.jmx.server.mbeans.deploy.OC4JDeployerRunnable.doRun(OC4JDeployerRunnable.java:52)
06/09/07 13:45:58 at oracle.oc4j.admin.jmx.server.mbeans.deploy.DeployerRunnable.run(DeployerRunnable.java:81)
06/09/07 13:45:58 at EDU.oswego.cs.dl.util.concurrent.PooledExecutor$Worker.run(PooledExecutor.java:814)
06/09/07 13:45:58 at java.lang.Thread.run(Thread.java:595)
06/09/07 13:45:58 Caused by: java.lang.InstantiationException
06/09/07 13:45:58 at com.evermind.server.ApplicationStateRunning.initDataSources(ApplicationStateRunning.java:1424)
06/09/07 13:45:58 at com.evermind.server.ApplicationStateRunning.initializeApplication(ApplicationStateRunning.java:195)
06/09/07 13:45:58 at com.evermind.server.Application.setConfig(Application.java:391)
06/09/07 13:45:58 at com.evermind.server.Application.setConfig(Application.java:308)
06/09/07 13:45:58 at com.evermind.server.ApplicationServer.addApplication(ApplicationServer.java:1771)
06/09/07 13:45:58 at oracle.oc4j.admin.internal.ApplicationDeployer.addApplication(ApplicationDeployer.java:507)
06/09/07 13:45:58 ... 6 more
2006-09-07 13:45:58.890 NOTIFICATION Application Deployer for aam FAILED.
2006-09-07 13:45:58.890 NOTIFICATION Application UnDeployer for aam STARTS.
2006-09-07 13:45:58.906 NOTIFICATION Removing all web binding(s) for application aam from all web site(s)
2006-09-07 13:45:59.015 NOTIFICATION Application UnDeployer for aam COMPLETES.
06/09/07 13:45:59 WARNING: DeployerRunnable.run java.lang.InstantiationExceptionoracle.oc4j.admin.internal.DeployerException: java.lang.InstantiationException
at oracle.oc4j.admin.internal.DeployerBase.execute(DeployerBase.java:126)
at oracle.oc4j.admin.jmx.server.mbeans.deploy.OC4JDeployerRunnable.doRun(OC4JDeployerRunnable.java:52)
at oracle.oc4j.admin.jmx.server.mbeans.deploy.DeployerRunnable.run(DeployerRunnable.java:81)
at EDU.oswego.cs.dl.util.concurrent.PooledExecutor$Worker.run(PooledExecutor.java:814)
at java.lang.Thread.run(Thread.java:595)
Caused by: java.lang.InstantiationException
at com.evermind.server.ApplicationStateRunning.initDataSources(ApplicationStateRunning.java:1424)
at com.evermind.server.ApplicationStateRunning.initializeApplication(ApplicationStateRunning.java:195)
at com.evermind.server.Application.setConfig(Application.java:391)
at com.evermind.server.Application.setConfig(Application.java:308)
at com.evermind.server.ApplicationServer.addApplication(ApplicationServer.java:1771)
at oracle.oc4j.admin.internal.ApplicationDeployer.addApplication(ApplicationDeployer.java:507)
at oracle.oc4j.admin.internal.ApplicationDeployer.doDeploy(ApplicationDeployer.java:191)
at oracle.oc4j.admin.internal.DeployerBase.execute(DeployerBase.java:93)
... 4 more
2006-09-07 13:45:59.031 WARNING java.lang.InstantiationException

Problem with role mapping in custom login module

Hi all,
I have developed custom login modules. They don't use the default user store but own data tables holding the necessary user information.
Login works fine. But there is one big problem: Only those users that exist with the same user-id in the default user store get roles assigned to it. Whicht leads to 403-errors in my web application.
Now, this is weired because a user with id 'Susi' has completely different passwords in my custom tables and in the user store, therefore it shouldn't be possible to authenticate 'Susi' against the default user management.
Next thing is, I don't use the default login modules at all. So why does the application validates against the user store?
I thought a source of the problem might be that I don't set the roles correctly. I set the roles as a principal to the subject. I have chosen the role based mapping in the web-engine.xml and mapped all my custom roles to the server role 'guests'.
Could anybody think of a solution to this problem ?
Thanks, Astrid

Astrid,
Sorry to go off-topic on your post...but I have a question in relation to how you deploy your login module. Do you deploy the login module with your application ? I've developed a login module that I would like to deploy by itself, I currently deploy it with the calculator example and it works fine like this, but I need to deploy it by itself. Any tips you can give would be greatly appreciated.
I've tried to use the deploytool and deploy the module as a library...but I get a "cannot load a login module" in the logs when authenticating a user.

Portal authentication using two login module stacks?

G'day,
I am noticing something odd when I authenticate to the portal: there are two login module stacks used.
Background: I have created a custom logon page, which is basically a form with username/password input as per [this guide|http://help.sap.com/saphelp_nw04/helpdata/en/62/601e1eebf54ca6a97e2873c8c63517/content.htm|Changing the logon screen]. I then modified the authschemes.xml file by defining a new authscheme "mylogon" that uses my own login module stack ("mystack") and uses the new logon page ("mylogonform"). This new authscheme is then made the default reference:
<authscheme name="mylogon">
<authentication-template>mystack</authentication-template>
<priority>21</priority>
<frontendtype>2</frontendtype>
<frontendtarget>com.foo.bar.mylogonpage</frontendtarget>
</authscheme>
<authscheme-refs>
<authscheme-ref name="default"><authscheme>mylogon</authscheme></authscheme-ref>
<authscheme-ref name="UserAdminScheme"><authscheme>mylogon</authscheme></authscheme-ref>
</authscheme-refs>
When I want to access the portal, up pops the "mylogonform" page, and on clicking the "submit" button the portal page for the user is shown.
Now here is the interesting thing: when the "ticket" login module stack is unchanged (ie. it uses the BasicpasswordLoginModule), then the log shows that authentication to the portal uses just my login module.
This can be seen as follows, where I navigate to the portal, logon as one user, then logoff and logon as another user:
Message : LOGIN.OK
User: tu-1
Authentication Stack: mystack
Message : LOGOUT.OK
User: tu-1
Authentication Stack: mystack
Message : LOGIN.OK
User: Administrator
Authentication Stack: mystack
The "mylogonform" page is shown when logon is required in both cases.
However, if I modify the "ticket" login module stack by replacing the BasicPasswordLogonModule with a custom logon module that does automatic authentication, then the following is observed when the "mylogonform" page is displayed:
Message : LOGIN.FAILED
User: N/A
Authentication Stack: ticket
Message : LOGIN.OK
User: tu-1
Authentication Stack: ticket
For some reason, the modified "ticket" login module stack is now being executed, which was not the case when this login module stack was unmodified.
This stack automatically authenticates the current user (the initial failure is because the new login module asks the browser to send authentication data), and this "failure" causes the logon form to be displayed.
I can logon to the portal as the same user, and the logs show that "mystack" login module stack is used:
Message : LOGIN.OK
User: tu-1
Authentication Stack: mystack
Logoff shows that "mystack" is used for the actual logoff, but "ticket" is called again automatically and succeeds:
Message : LOGOUT.OK
User: tu-1
Authentication Stack: mystack
Message : LOGIN.FAILED
User: N/A
Authentication Stack: ticket
Message : LOGIN.OK
User: tu-1
Authentication Stack: ticket
(Again, the initial logon failure is the new login module requesting that the browser send authentication data in the next request).
This brings up the "mylogonform" page, even though it appears that a user has already been authenticated. If I try to logon as another user, the following is shown:
Message : LOGIN.FAILED
User: Administrator
Authentication Stack: mystack
Login Module Flag Initialize Login Commit Abort Details
com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok exception false true authscheme not sufficient: basicauthentication<mylogonform
Central Checks exception Call logout before login.
I guess one cannot authenticate as a new user until the current user has been logged out.
So ... why does the "ticket" login module get called in the second case, but not in the first case (or only shows logging in the second case) ?
What is the logic behind portal authentication and showing a logon page?
If I want to use custom authentication and a custom logon page, why is the "ticket" stack called at all?

Jayesh,
there is no such thing like "login module stacks". The do exist on the other hand:
- login module
- logon stacks
Login module and logon stacks are part of the JAAS concept for defining a complex pluggable authentication scheme, original by SUN (see: java.sun.com/products/jaas)
A logon process is defined by a logon stack which itself consists of several login modules. Each login module performs an authentication step. Example:
login module 1: check if valid sap logon ticket provided
if module 1 fails: then login module 2: request user id/password
if module 2 succeeds: then login module 3: create new sap logon ticket for user
You can define multiple logon stacks and configure individual applications to use the one stack or the other.
The logon stack configuration is done using visual administrator. Here select the security provider service for configuring logon stacks.
btw: As logon stacks are "java-only", there are no transaction names (which only exist on Web AS ABAP).
Regards,
Dominik

Login Module Logging

Similar Messages

Maybe you are looking for