Login Module Stack of EP
Hi guys,
I am in the process to setup HeaderVariable Authentication for accessing to EP and have a some questions.
1) What Login Module Stack needs to be adjusted to use the HeaderVariableLoginModule? SAP J2EE Root or Ticket or ....
2) Are changes in the policy configurations (adding logon module) applied immediately or is a J2EE restart required?
Thanks,
Mario.
Thank you Paul.
I've found on my own also to question 1. I have to modify the Login Module stack of template "tiket" as following:
1) EvaluateTicketLoginModule SUFFICIENT
2) HeaderVariableLoginModule OPTIONAL Header=REMOTE_USER
3) CreateTickeLoginModule SUFFICIENT
4) BasicPasswordLoginModule REQUISITE
5) CreateTicketLoginModule OPTIONAL
Now I'd like to know if is it possible to test the header variable login configuration without using any external web server but connect directly to Enerprise Portal.
When I try to connect directly to the Enerprise Portal using the URL
http://<server>:<port>/irj/portal?REMOTE_USER=<userID>
i'm not able to log into the system, but i'm redirected to the login page.
If I type in userID and password, portal doesn't authenticate the user.
Is the External Web Server mandatory for the Header Variable Login Module configuration?
Thanks in advance,
Mario.
Similar Messages
-
Configure JAAS login module stack to support x.509 certificates without SSL
I want to use x.509 certificates for authentication against a EP 7.0 but I dont want to have SSL traffic on the network segment where the portal resides. Obviously the SSL must be terminated in an application gateway that sends the certificate to the portal in the header.
I know that AcceptClientCertWithoutSSL must be set to true in the http provider and that ClientCertificateHeaderName is the name of the header variable that contains the users certificate, default is SSL_CLIENT_CERT.
What I dont know is how to configure my JAAS login module stack, my suggestion would be this:
EvaluateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
ClientCertLoginModule OPTIONAL {Rule1.getUserFrom=SSL_CLIENT_CERT}
CreateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
BasicPasswordLoginModule REQUISITE {}
CertPersisterLoginModule OPTIONAL {Rule1.getUserFrom=SSL_CLIENT_CERT}
CreateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
My concern is does the ClientCertLoginModule and the CertPersisterLoginModule read from the header variable? If they dont, is there another login module that should be used in this case?Hi Claus,
you got the flags right but the options of the login modules (LM) are wrong, so the certificate authentication won't work.
There's two problems I see: (1) Rule1.getUserFrom is not a valid option for the LM CertPersisterLoginModule, and (2) SSL_CLIENT_CERT is not a valid value for the option Rule1.getUserFrom of the ClientCertLoginModule.
Looking at this topic:
http://help.sap.com/saphelp_nw2004s/helpdata/en/ea/301e3e6217b40be10000000a114084/content.htm
the header variable used to pass the certificate is maintained in the HTTP provider service properties but since you use the default you don't need to maintain that part of the config. You also don't need the CertPersisterLoginModule in the config because it is used for automatic certificate mapping, which doesn't work when you don't have SSL to the portal.
So with the above said your LM stack config should look like this:
EvaluateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
ClientCertLoginModule OPTIONAL {Rule1.getUserFrom=wholeCert}
CreateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
BasicPasswordLoginModule REQUISITE {}
CreateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
If this doesn't work I'd suggest opening a support ticket.
Regards,
Yonko -
Portal authentication using two login module stacks?
G'day,
I am noticing something odd when I authenticate to the portal: there are two login module stacks used.
Background: I have created a custom logon page, which is basically a form with username/password input as per [this guide|http://help.sap.com/saphelp_nw04/helpdata/en/62/601e1eebf54ca6a97e2873c8c63517/content.htm|Changing the logon screen]. I then modified the authschemes.xml file by defining a new authscheme "mylogon" that uses my own login module stack ("mystack") and uses the new logon page ("mylogonform"). This new authscheme is then made the default reference:
<authscheme name="mylogon">
<authentication-template>mystack</authentication-template>
<priority>21</priority>
<frontendtype>2</frontendtype>
<frontendtarget>com.foo.bar.mylogonpage</frontendtarget>
</authscheme>
<authscheme-refs>
<authscheme-ref name="default"><authscheme>mylogon</authscheme></authscheme-ref>
<authscheme-ref name="UserAdminScheme"><authscheme>mylogon</authscheme></authscheme-ref>
</authscheme-refs>
When I want to access the portal, up pops the "mylogonform" page, and on clicking the "submit" button the portal page for the user is shown.
Now here is the interesting thing: when the "ticket" login module stack is unchanged (ie. it uses the BasicpasswordLoginModule), then the log shows that authentication to the portal uses just my login module.
This can be seen as follows, where I navigate to the portal, logon as one user, then logoff and logon as another user:
Message : LOGIN.OK
User: tu-1
Authentication Stack: mystack
Message : LOGOUT.OK
User: tu-1
Authentication Stack: mystack
Message : LOGIN.OK
User: Administrator
Authentication Stack: mystack
The "mylogonform" page is shown when logon is required in both cases.
However, if I modify the "ticket" login module stack by replacing the BasicPasswordLogonModule with a custom logon module that does automatic authentication, then the following is observed when the "mylogonform" page is displayed:
Message : LOGIN.FAILED
User: N/A
Authentication Stack: ticket
Message : LOGIN.OK
User: tu-1
Authentication Stack: ticket
For some reason, the modified "ticket" login module stack is now being executed, which was not the case when this login module stack was unmodified.
This stack automatically authenticates the current user (the initial failure is because the new login module asks the browser to send authentication data), and this "failure" causes the logon form to be displayed.
I can logon to the portal as the same user, and the logs show that "mystack" login module stack is used:
Message : LOGIN.OK
User: tu-1
Authentication Stack: mystack
Logoff shows that "mystack" is used for the actual logoff, but "ticket" is called again automatically and succeeds:
Message : LOGOUT.OK
User: tu-1
Authentication Stack: mystack
Message : LOGIN.FAILED
User: N/A
Authentication Stack: ticket
Message : LOGIN.OK
User: tu-1
Authentication Stack: ticket
(Again, the initial logon failure is the new login module requesting that the browser send authentication data in the next request).
This brings up the "mylogonform" page, even though it appears that a user has already been authenticated. If I try to logon as another user, the following is shown:
Message : LOGIN.FAILED
User: Administrator
Authentication Stack: mystack
Login Module Flag Initialize Login Commit Abort Details
com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok exception false true authscheme not sufficient: basicauthentication<mylogonform
Central Checks exception Call logout before login.
I guess one cannot authenticate as a new user until the current user has been logged out.
So ... why does the "ticket" login module get called in the second case, but not in the first case (or only shows logging in the second case) ?
What is the logic behind portal authentication and showing a logon page?
If I want to use custom authentication and a custom logon page, why is the "ticket" stack called at all?Jayesh,
there is no such thing like "login module stacks". The <b>do</b> exist on the other hand:
- login module
- logon stacks
Login module and logon stacks are part of the JAAS concept for defining a complex pluggable authentication scheme, original by SUN (see: java.sun.com/products/jaas)
A logon process is defined by a logon stack which itself consists of several login modules. Each login module performs an authentication step. Example:
login module 1: check if valid sap logon ticket provided
if module 1 fails: then login module 2: request user id/password
if module 2 succeeds: then login module 3: create new sap logon ticket for user
You can define multiple logon stacks and configure individual applications to use the one stack or the other.
The logon stack configuration is done using visual administrator. Here select the security provider service for configuring logon stacks.
btw: As logon stacks are "java-only", there are no transaction names (which only exist on Web AS ABAP).
Regards,
Dominik -
Custom Login Module, SSO Ticket validity & Login Module Stack
Hi everybody,
we have a portal (running on jboss) which links to a J2EE web application (running on SAP WAS 6.40) which itself is protected by a custom login module and redirects to different WebDynpro applications (running on same WAS as the J2EE app) depending on some parameters.
So when we go from the portal to the J2EE web application, the custom login module authenticates the user, creates a MYSAPSSO2 Cookie and then redirects to a webdynpro app.
What happens is that the webdynpro app doesn't accept the cookie and redirects to the login mask.
Looking at the request header parameter HOST we have the request coming from sub1.sub2.mycompany.com, which is the portal.
The WAS is located on sub3.mycompany.com.
If we manipulate the HOST parameter to sub2.mycompany.com everything works fine and the webdynpro app successfully authenticates the user.
This does sound either like a domain relaxing issue or a multi domain issue, which we added as parameters to the CreateTicketLoginModule in the Login Module Stack for the J2EE web app.
Unfortunately without result.
Did anybody have a similar problem and can give some hints on how to solve this?
Any help is appreciated
Regards,
md
Edited by: Minh-Duc Truong on Jul 17, 2008 7:18 PM
Edited by: Minh-Duc Truong on Jul 17, 2008 7:19 PM
Edited by: Julius Bussche on Jul 18, 2008 7:25 PMHi md,
I have split your 2nd question into a seperate thread => That would make them easier to answer as well, which will help.
You can find it here: Custom Login Module, LM Stack ignored
Cheers,
Julius
Edited by: Julius Bussche on Jul 18, 2008 7:26 PM -
What is so special about the "ticket" login module stack?
G'day,
I am observing some odd behaviour with login module stacks.
I have a custom login module that performs authentication using information in the HTTP servlet request. This custom login module does not require any interaction from the user. I want to use this custom login module when I authenticate to the portal.
By default, the portal uses an authentication scheme known as "uidpwdlogon", which uses the "ticket" login module stack, which is configured to perform basic password login. When I attempt to access the portal I am presented with a username/password page and I need to enter a username and password, hit the "submit" button, and access to the portal is granted.
So I replaced the BasicPasswordLoginModule entry in the "ticket" login module stack with my custom login module, and now access to the portal is granted automatically, as expected. There is no username/password page displayed.
But if I create a new login module stack that contains exactly the same modules as "ticket" login module stack, and modify the "uidpwdlogon" authentication scheme to use my new login module stack instead of the "ticket" login module stack, then something odd occurs: I am now presented with a username/password page again. I need to hit the "submit" button to navigate away from this page before the custom login module stack will process, which will then grant access to the portal.
If I change the "uidpwdlogon" authentication scheme back to use the "ticket" login module stack (which is exactly the same as the previous login module stack), then access to the portal is granted automatically without showing a username/password page.
So: if the (modified) "ticket" login module stack is used, there's no username/password page shown. If a copy of that login module stack is used, then a username/password page is shown.
What's going on here?G'day,
Thanks for the reply.
The relevant parts of the authschemes.xml file are as follows:
<authscheme name="uidpwdlogon">
<authentication-template>myloginstack</authentication-template>
<priority>21</priority>
<frontendtype>2</frontendtype>
<frontendtarget>com.sap.portal.runtime.logon.certlogon</frontendtarget>
</authscheme>
<authscheme-ref name="default">
<authscheme>uidpwdlogon</authscheme>
</authscheme-ref>
<authscheme-ref name="UserAdminScheme">
<authscheme>uidpwdlogon</authscheme>
</authscheme-ref>
Note that I have changed the uidpwdlogon element to use "myloginstack" instead of "ticket", and changed the priority from 20 to 21, as suggested (but it should be noted that the outcome is the same regardless of priority).
The "ticket" login module stack is defined as follows:
EvaulateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
MyLoginModule REQUISITE {...}
CreateTicketLoginModule OPTIONAL {ume.configuration.active=true}
and the "myloginstack" is defined identically as follows:
EvaulateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
MyLoginModule REQUISITE {...}
CreateTicketLoginModule OPTIONAL {ume.configuration.active=true}
When the "uidpwdlogon" authentication scheme is configured to use the "myloginstack" login module stack, the browser immediately opens up the normal username/password page. I wait for a few minutes (for logging reasons), then hit submit, and access to the portal is granted.
The log output for this is as follows:
Message : LOGIN.FAILED
User: N/A
Authentication Stack: myloginstack
Login Module Flag Initialize Login Commit Abort Details
com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok false true
MyLoginModule REQUISITE ok exception true Further authentication required from client
com.sap.security.core.server.jaas.CreateTicketLoginModule OPTIONAL ok true
Message : LOGIN.OK
User: testuser
Authentication Stack: myloginstack
Login Module Flag Initialize Login Commit Abort Details
com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok false false
MyLoginModule REQUISITE ok true true
com.sap.security.core.server.jaas.CreateTicketLoginModule OPTIONAL ok true true
Central Checks true
There are two login stack events because the first login stack event asks the browser to pass along authentication data, which is processed in the second login stack event.
Also note that the time of the first login module event is a few minutes after the username/password page appears, suggesting that the portal is attempting to obtain information before it processes the login module stack.
If I change the "uidpwdlogon" authentication scheme to use the "ticket" login module stack, then no username/password page appears and the security log is essentially identical to that of "myloginstack":
Message : LOGIN.FAILED
User: N/A
Authentication Stack: ticket
Login Module Flag Initialize Login Commit Abort Details
com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok false true
MyLoginModule REQUISITE ok exception true Further authentication required from client
com.sap.security.core.server.jaas.CreateTicketLoginModule OPTIONAL ok true
Message : LOGIN.OK
User: testuser
Authentication Stack: ticket
Login Module Flag Initialize Login Commit Abort Details
com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok false false
MyLoginModule REQUISITE ok true true
com.sap.security.core.server.jaas.CreateTicketLoginModule OPTIONAL ok true true
Central Checks true
I am creating the "myloginstack" login module stack using the Visual Administrator tool, by clicking the "Add" button for the "Policy Configurations" tab of the SecurityProvider service. Note that when I do this the entry for "myloginstack" gets a diamond icon, while the entry for "ticket" has a different icon (resembling a graph). I do not know what these different icons beside each policy configuration imply (is "ticket" different to "myloginstack" somehow?) nor how to create a new policy configuration that will have different icon.
I assume the username/password page is shown because the <frontendtarget> element in the "uidpwdlogon" authentication scheme is defined to use "com.sap.portal.runtime.logon.certlogon". Perhaps there is another value I can use here that displays nothing and redirects the browser directly to the portal? -
Changing login module stack for Netweaver Portal?
G'day,
I want to change the login stack for Netweaver Portal (at http://<host:50100/irj).
Currently portal is configured in Visual Administrator to use the "ticket" authentication template. I can change this authentication template and change how I authenticate to portal.
But changing "ticket" authentication template also changes how other applications perform authentication. So I changed the login module stack for the "com.sap/irj*irj" component to not use an authentication template, and added my own login modules.
But when I access portal again, the "ticket" authentication is still used. I restarted the cluster to be sure but no matter what login modules I configure for "com.sap/irj*irj", only changes to "ticket" have any effect.
So: how do modify the login module stack for portal, without modifying the "ticket" authentication template?
--GeoffHi,
If you'd like to change the authentication stack only for the EP but not for all applications that use UME authentication, then you have to modify the descriptor authschemes.xml. You have to change the scheme "default" to point to another LM stack instead of "ticket" as it is shipped.
Kind regards,
Tsvetomir -
SPNEGO Login module Stack issue: Could not validate SPNEGO token
Hello to all,
We are deploying a SAP Netweavear 7.3 Enterprise Portal with SPNego login module activated.
We are performing some tests (performances and concurrent accesses).
During the tests we have found several times the folloiwing Issue linked to the spnego.
Could not validate SPNEGO token.
[EXCEPTION]
java.lang.NumberFormatException: multiple points
at sun.misc.FloatingDecimal.readJavaFormatString(FloatingDecimal.java:1082)
at java.lang.Double.parseDouble(Double.java:510)
at java.text.DigitList.getDouble(DigitList.java:151)
at java.text.DecimalFormat.parse(DecimalFormat.java:1303)
at java.text.SimpleDateFormat.subParse(SimpleDateFormat.java:1934)
at java.text.SimpleDateFormat.parse(SimpleDateFormat.java:1312)
at java.text.DateFormat.parse(DateFormat.java:335)
at com.sap.security.core.server.jaas.spnego.util.Utils.generalizedTimeStringToData(Utils.java:167)
at com.sap.security.core.server.jaas.spnego.krb5.KrbTicketEncryptedData.parseDecryptedData(KrbTicketEncryptedData.java:67)
at com.sap.security.core.server.jaas.spnego.krb5.KrbEncryptedData.decrypt(KrbEncryptedData.java:94)
at com.sap.security.core.server.jaas.spnego.krb5.KrbApReq.decrypt(KrbApReq.java:68)
at com.sap.security.core.server.jaas.SPNegoLoginModule.parseAndValidateSPNEGOToken(SPNegoLoginModule.java:315)
at com.sap.security.core.server.jaas.SPNegoLoginModule.processAuthorizationHeader(SPNegoLoginModule.java:474)
at com.sap.security.core.server.jaas.SPNegoLoginModule.login(SPNegoLoginModule.java:160)
at com.sap.engine.services.security.login.LoginModuleLoggingWrapperImpl.login(LoginModuleLoggingWrapperImpl.java:254)
at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:65)
at java.security.AccessController.doPrivileged(Native Method)
at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:254)
at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.getLoggedInUser(SAPJ2EEAuthenticator.java:352)
at com.sapportals.portal.prt.service.authenticationservice.AuthenticationService.loginWithRequestCredentials(AuthenticationService.java:337)
at com.sapportals.portal.prt.service.authenticationservice.AuthenticationService.getLoggedInUser(AuthenticationService.java:321)
at com.sapportals.portal.prt.connection.UMHandler.handleUM(UMHandler.java:60)
at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:163)
at com.sap.portal.prt.dispatcher.DispatcherServlet.service(DispatcherServlet.java:132)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
at com.sap.engine.services.servlets_jsp.server.Invokable.invoke(Invokable.java:152)
at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doCached(RequestDispatcherImpl.java:655)
at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:488)
at com.sap.portal.navigation.Gateway.service(Gateway.java:147)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.runServlet(FilterChainImpl.java:202)
at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.doFilter(FilterChainImpl.java:103)
at com.sap.portal.http.EnrichNavRequestFilter.doFilter(EnrichNavRequestFilter.java:49)
at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.doFilter(FilterChainImpl.java:79)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:432)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:210)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:441)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:430)
at com.sap.engine.services.servlets_jsp.filters.DSRWebContainerFilter.process(DSRWebContainerFilter.java:38)
at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
at com.sap.engine.services.servlets_jsp.filters.ServletSelector.process(ServletSelector.java:81)
at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
at com.sap.engine.services.servlets_jsp.filters.ApplicationSelector.process(ApplicationSelector.java:276)
at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
at com.sap.engine.services.httpserver.filters.WebContainerInvoker.process(WebContainerInvoker.java:81)
at com.sap.engine.services.httpserver.chain.HostFilter.process(HostFilter.java:9)
at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
at com.sap.engine.services.httpserver.filters.ResponseLogWriter.process(ResponseLogWriter.java:60)
at com.sap.engine.services.httpserver.chain.HostFilter.process(HostFilter.java:9)
at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
at com.sap.engine.services.httpserver.filters.DefineHostFilter.process(DefineHostFilter.java:27)
at com.sap.engine.services.httpserver.chain.ServerFilter.process(ServerFilter.java:12)
at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
at com.sap.engine.services.httpserver.filters.MonitoringFilter.process(MonitoringFilter.java:29)
at com.sap.engine.services.httpserver.chain.ServerFilter.process(ServerFilter.java:12)
at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
at com.sap.engine.services.httpserver.filters.SessionSizeFilter.process(SessionSizeFilter.java:26)
at com.sap.engine.services.httpserver.chain.ServerFilter.process(ServerFilter.java:12)
at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
at com.sap.engine.services.httpserver.filters.MemoryStatisticFilter.process(MemoryStatisticFilter.java:57)
at com.sap.engine.services.httpserver.chain.ServerFilter.process(ServerFilter.java:12)
at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
at com.sap.engine.services.httpserver.filters.DSRHttpFilter.process(DSRHttpFilter.java:43)
at com.sap.engine.services.httpserver.chain.ServerFilter.process(ServerFilter.java:12)
at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
at com.sap.engine.services.httpserver.server.Processor.chainedRequest(Processor.java:475)
at com.sap.engine.services.httpserver.server.Processor$FCAProcessorThread.process(Processor.java:269)
at com.sap.engine.services.httpserver.server.rcm.RequestProcessorThread.run(RequestProcessorThread.java:56)
at com.sap.engine.core.thread.execution.Executable.run(Executable.java:122)
at com.sap.engine.core.thread.execution.Executable.run(Executable.java:101)
at com.sap.engine.core.thread.execution.CentralExecutor$SingleThread.run(CentralExecutor.java:328)
The user rlinked to this user is Guest.
could you please advice us how to solve this reccuring issue?
Kind regards
Julien LEFEVREHello Cathal,
Thank you for your answer.
In fact the new spnego wizard of the SAP Enterprise Portal 7.3 is used to get the the two keys files. The SAP Jvm is used in fact with the 1.6.1.
And in fact , it functions perfectly sometimes. but during the test of massive access ( More than 30 conurent users), I have this error that comes frequently.
Best regards
Julien LEFEVRE -
How to configure Login Modules Stack for Kerberos/LDAP
Hello collegues,
currenty we are working on UME configuration for the following use case.
Clustered portal instance NW2004s running on AIX should be able to authenificate two groups of users.
The first one is described by LDAP Data Source (Sun Directory Server) and using some artificial unique userID. Based on this userID, the SSO Ticket is created to get acces to the backend R/3 system. The LDAP schema has an "userdomain" attribute in it.
The new group using ADS. These users are happy using it, because they have windows-based authentification and don't forced to type any credentials during login.
There are plenty of blogs decribing how to connect ADS (even as a second DataSource) to UME.
There are two unsolved problems:
1. ADS account attributes does not have the userID needed to get an SSO Ticket
2. LDAP DataSource has no ADS password and can not be used for Kerberos authentification.
What could be a solution for this case? I am sure we need an extra login module which enrich the Subject (user, which is already authentificated by SPNego module) with userID, selected from LDAP DataSource based on user attributes.
Is there any other solution? May be I can mix some attributes in a DataSource configuration file?
Best regards
Sergej NaimarkHi Frank,
did you configure the SSO for an individual policy configuration or did you edit and save the changes the ticket policy config? I ask, b/c if you applied the changes to the individual policy config then the SSO with certificates will be used <b>only</b> when you access the applications for that policy config.
You can also double check the login module flags - perhaps the authentication check doesn't reach the ClientCertLM at all.
Since you followed the help portal instruction I assume you've enabled strong crypto - it is required for client cert SSO. Ano easily committed mistake is to also not use the HTTPS port in the access URL.
Let me know if this helps...
Yonko -
Custom Login Module, LM Stack ignored
Moderator's note: This is a question split from another thread:
Maybe someone with LoginModuleStack knowledge can give us a hand
Another issue (which is isolated from the other question) we have is that somehow the defined Login Module Stack for the J2EE app
doesn't get called when there exits already a MYSAPSSO2 cookie in the session.
The Login Module Stack looks like this:
Custom Login Module Position 1 Required (also tested with optional & requisite)
CreateTicketLoginModule Position 2 Sufficient (also tested with optional)
So if we call the J2EE web app with no existing MYSAPSSO2 cookie (e.g. open in new browser window), everything
works fine and the defined login module stack is run through.
If we call the app with existing MYSAPSSO2 cookie (e.g. open in same browser window after logout of previous app),
the login module stack is ignored and it seems that the EvaluateTicketLoginModule is called straight away, despite not being defined in the stack.
What could be the problem and how can this be solved?
Signed with greetings and a happy weekend on behalf of Minh-Duc Truong,
Your,
Julius
Edited by: Minh-Duc Truong on Jul 18, 2008 4:52 PM
Edited by: Julius Bussche on Jul 18, 2008 7:29 PMHi,
I cannot believe that the EvaluateTicketLoginModule is called if it is not defined in the stack. I guess the best way to track down the problem is to increase the severity of the following locations:
(use Visual Admin / Log Configurator / Locations TAB to do that):
com.sap.security.server.jaas
com.sap.engine.services.security
Set the Severity to ALL. After that call your application and paste the output in security.log here so I can have a look at it. It will contain a complete trace of the processing of your login modules so maybe we'll see what's going wrong.
Cheers -
Not able to add login module to authentication stacks!
HI Portal Gurus!
we are implementing siteminder sso integration with portal.
Iam trying to do following configuration ...
Modify the ticket authentication template:
a.)Remove from the stack:
1)BasicPasswordLoginModule
2)EvaluateTicketLoginModule
b.)Add the following modules to the top of the stack, in the order shown:
SiteMinderLoginModule
CreateTicketLoginModule
Iam not able to do either reomove exting one nor add new login module.Iam getting an error"Unable to add login module to authentication stacks! "
Ilogged in to v.admin as administrator with admin & superadmin roles.
It would be great if anyone could help me in this .
Regards
tagHi,
in change mode only getting an error.
error"unable to add login module stack to authentication stacl! details are available in status bar"
in status bar information below...
Unable to add login module to the authentication stack!
java.lang.SecurityException: com.sap.engine.services.security.exceptions.BaseSecurityException: Caller not authorized.
at com.sap.engine.services.security.resource.ResourceHandleImpl.checkPermission(ResourceHandleImpl.java(Compiled Code))
at com.sap.engine.services.security.resource.ResourceHandleImpl.checkPermission(ResourceHandleImpl.java(Compiled Code))
at com.sap.engine.services.security.resource.ResourceContextImpl.checkPermission(ResourceContextImpl.java(Compiled Code))
at com.sap.engine.services.security.restriction.Restrictions.checkPermission(Restrictions.java(Compiled Code))
at com.sap.engine.services.security.server.AuthenticationContextImpl.setLoginModules(AuthenticationContextImpl.java(Compiled Code))
at com.sap.engine.services.security.remoteimpl.RemoteAuthenticationImpl.setLoginModules(RemoteAuthenticationImpl.java(Compiled Code))
at com.sap.engine.services.security.remoteimpl.RemoteAuthenticationImplp4_Skel.dispatch(RemoteAuthenticationImplp4_Skel.java(Compiled Code))
at com.sap.engine.services.rmi_p4.DispatchImpl._runInternal(DispatchImpl.java(Compiled Code))
at com.sap.engine.services.rmi_p4.DispatchImpl._run(DispatchImpl.java(Inlined Compiled Code))
at com.sap.engine.services.rmi_p4.server.P4SessionProcessor.request(P4SessionProcessor.java(Compiled Code))
at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java(Compiled Code))
at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java(Compiled Code))
at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java(Compiled Code))
at java.security.AccessController.doPrivileged1(Native Method)
at java.security.AccessController.doPrivileged(AccessController.java(Compiled Code))
at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java(Compiled Code))
at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java(Compiled Code))
at com.sap.engine.services.security.exceptions.BaseSecurityException.writeReplace(BaseSecurityException.java:349)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java(Compiled Code))
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java(Compiled Code))
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java(Compiled Code))
at java.lang.reflect.Method.invoke(Method.java(Compiled Code))
at java.io.ObjectStreamClass.invokeWriteReplace(ObjectStreamClass.java:1057)
at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java(Compiled Code))
at java.io.ObjectOutputStream.writeObject(ObjectOutputStream.java(Compiled Code))
at com.sap.engine.services.rmi_p4.DispatchImpl.throwException(DispatchImpl.java(Compiled Code))
at com.sap.engine.services.rmi_p4.DispatchImpl._runInternal(DispatchImpl.java(Compiled Code))
at com.sap.engine.services.rmi_p4.DispatchImpl._run(DispatchImpl.java(Inlined Compiled Code))
at com.sap.engine.services.rmi_p4.server.P4SessionProcessor.request(P4SessionProcessor.java(Compiled Code))
at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java(Compiled Code))
at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java(Compiled Code))
at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java(Compiled Code))
at java.security.AccessController.doPrivileged1(Native Method)
at java.security.AccessController.doPrivileged(AccessController.java(Compiled Code))
at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java(Compiled Code))
at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java(Compiled Code))
I would appreciate if anybody could help for resolving this issue.
Regards
Tag -
How to call custom Login Module from JSP
Hi,
I am stuck with the following issue:
1) Exactly as presented in help.sap.com (http://help.sap.com/saphelp_nw04/helpdata/en/3f/1be040e136742ae10000000a155106/content.htm) I created custom login module and deployed it as a library on J2EE server. When I configured it to be used for my applications in the Security provider but I am getting "No user name provided" exception everytime when my applications use this custom login module.
2) I realized that I would need to call my custom module somewhere within my application (simple JSP) using LoginContext class and then use MyLoginContext.login() spec to initiate login process. But I am not able to pass CallbackHandler parameters from JSP application to my custom login module.
So I have the following questions:
1. Can I pass parameters using LoginContext and CallbackHandler from JSP to my custom login module (created as exact copy of HELP.SAP.COM example) or this module cannot be used this way.
2. How to pass CallbackHandler correctly to my custom login module from JSP. When I am trying to use CallbackHandler, I am getting "Abstract Class cannot be called" error.
I'd appreciate any little help on this matter.
Thanks and regards,
MikeYou have two alternatives to do this:
You can declare your JSP as a protected resource with the use of the deployment descriptors of the application (web.xml) and add the custom login module in the authentication stack of the application. This way, you will use container-based authentication, i.e. the Web Container will enforce the authentication and it will call the custom login module before it dispatches to the JSP. I recommend you this approach because it requires less coding and it makes the whole thing a matter of configuration. The configuration can be later on enhanced or changed runtime without the need to re-build and re-deploy the application. If you choose this approach you can go to the documentation of the server for help on how to modify the login module stack of the application.
You can also use programmatic authentication by using JAAS API. To do this you need to create a custom security policy configuration with login module stack containing the custom login module, and then use the standard JAAS mechanism - new LoginContext(<configuration>, <callback-handler>).login(). This approach requires that you write your own callback handler and handle any LoginException.
Let us know which approach you prefer and whether you have difficulties implementing it! -
Help : Call Login Module directly when iView is launched - without submit
Hi there,
we have developed a login module on for our NW2004S SP13 Portal, that checks the IP address of the client to be in a valid range. If so, the standard SAP login screen must be bypassed. If not, the standard login screen needs to be shown (we use the standard sap umLogonPage, we only made a copy z.com.portal.runtime.logon.par) and added to the portalapp.xml an entry which is a copy of the 'certlogon' entry..
-> What we like to achieve is that the logonstack is called directly when the application is launched.
a) Code below functions, but only one problem : when the IP Address is invalid (login module returns false), a blank page is shown instead of the default userid / pw page.
In case of valid IP OK, invalid IP (login module returns false) blank page :o(
b) As an alternatice, in my opinion, it would be best to use the standard SAP class in the portalapp.xml (com.sap.sapportals.portal.ume.component.logon.SAPMLogonComponent) & have some sort of servlet in front
The behaviour of which page to return in case of failed logon is contained in com.sap.portal.runtime.logon_api.jar, class com.sap.sapportals.portal.ume.component.logon.SAPMLogonComponent -> class SAPMLogonLogic).
How can this be done? I've already cracked my head over it, but can't get this to work -
My coding for a) :
package z.x.sapportals.portal.ume.component.logon;
import com.sap.security.api.logon.ILogonFrontend;
import com.sapportals.portal.prt.component.AbstractPortalComponent;
import com.sapportals.portal.prt.component.IPortalComponentRequest;
import com.sapportals.portal.prt.component.IPortalComponentResponse;
import com.sapportals.portal.prt.session.IUserContext;
public class xSAPMLogonComponent extends AbstractPortalComponent implements ILogonFrontend
protected void doContent(IPortalComponentRequest request, IPortalComponentResponse response)
response.write("\n<!-- component context:" + request.getComponentContext().getComponentName() + "-->\n");
response.write("<!-- class: " + getClass().getName() + "-->\n");
String firstName ="";
String lastName = "";
String logonUid = "";
String password = "";
String authscheme = "";
IUserContext userContext = request.getUser();
if (userContext != null)
firstName = userContext.getFirstName();
lastName = userContext.getLastName();
logonUid = userContext.getLogonUid();
password = "dummy";
authscheme = (String)request.getValue("com.sap.security.logon.authscheme.required");
response.write("Welcome :");
response.write("logonUid = " + logonUid + "<br><br>");
response.write("j_password = " + password + "<br><br>");
response.write("<form id=\"redirform\" method=\"post\" >");
response.write("<input type=\"hidden\" name=\"login_submit\" value=\"on\">");
response.write("<input type=\"hidden\" name=\"j_user\" value=\"" + logonUid + "\">");
response.write("<input type=\"hidden\" name=\"j_password\" value=\"" + password + "\">");
response.write("<input type=\"hidden\" name=\"j_authscheme\" value=\"" + authscheme + "\">");
response.write("<input type=\"submit\" value=\"send\">");
response.write("</form>");
// Commented out javascript auto submit to press submit manually for testing
/* (non-Javadoc)
@see com.sap.security.api.logon.ILogonFrontend#getTarget()
public Object getTarget()
// TODO Auto-generated method stub
return this;
/* (non-Javadoc)
@see com.sap.security.api.logon.ILogonFrontend#getType()
public int getType() {
// TODO Auto-generated method stub
return 2;
Portalapp.xml :
<component name="iplogon">
<component-config>
<property name="ClassName" value="z.x.sapportals.portal.ume.component.logon.xSAPMLogonComponent"/>
<property name="SafetyLevel" value="no_safety"/>
<property name="LocalModeAllowed" value="true"/>
</component-config>
<component-profile>
<property name="AuthScheme" value="anonymous"/>
<property name="com.sap.portal.pcm.Category" value="platform">
<property name="inheritance" value="final"/>
</property>
<property name="SupportedUserAgents" value="(MSIE, >=5.0, *) (Netscape, *, ) (Mozilla,,*)">
<property name="inheritance" value="final"/>
</property>
</component-profile>
</component>
authschemes.xml
<authscheme name="iplogon">
<authentication-template>
radiusExtended
</authentication-template>
<priority>22</priority>
<frontendtype>2</frontendtype>
<frontendtarget>z.x.portal.runtime.logon.iplogon</frontendtarget>
</authscheme>Hi,
I'm not sure if you have already solved this issue, I was looking up another issue and came across this topic, maybe I can close this topic for you.....
Here is what you could do...
1) Create a custom login module stack with your login module
2) Create a authentication scheme that refers this stack
For example, you have defined a login module stack called certlogon in the Security Provider service in the Visual Administrator. You want to create an authentication scheme that uses this login module stack. To do this, you add the following excerpt to the authschemes.xmlfile.
<authscheme name="myauthscheme">
<!-- multiple login modules can be defined -->
<authentication-template>
certlogon
</authentication-template>
<priority>20</priority>
<!-- the frontendtype TARGET_FORWARD = 0 -->
<!-- TARGET_REDIRECT = 1, TARGET_JAVAIVIEW = 2 -->
<frontendtype>2</frontendtype>
<!-- target object -->
<frontendtarget>
com.mycompany.certlogonapp
</frontendtarget>
</authscheme>
In this schema refer your custom login application.
thanks,
Sudhir -
How to get Custom Login Module to communicate with frontendtarget
We have created a custom login module and placed it in our login module stack.
So we have the following 3 Login Modules in our stack:
EvaluateTicketModule
OurCustomLoginModule
CreateTicketModule
Also we are using the standard SAP login screen for our frontendtarget, see our authschemes.xml entry:
<authscheme name="cglogon">
<authentication-template>
form
</authentication-template>
<priority>21</priority>
<frontendtype>2</frontendtype>
<frontendtarget>com.sap.portal.runtime.logon.certlogon</frontendtarget>
</authscheme>
Question:
There are standard screens in the SAP login PAR:
changePasswordPage.jsp
umLogonProblemPage.jsp
umResetPasswordPage.jsp
How do I trigger one of these screens from my Login() method of my
custom login module? I thought if I throw some specific exception, these screens would
be called?A bit more info.
We created a new Authentication Scheme for certain iviews that are deemed more "sensitive" that required a step-up authentication.
I changed the Iview property "Authentication Scheme" to our custom one.
If I navigate into one of these more sensitive Iviews, I get the standard SAP login screen: <frontendtarget>com.sap.portal.runtime.logon.certlogon</frontendtarget>
Whis is what i expect.
I enter a username and password and click Logon button. I see that it successfully hits our custom login module and goes through Login(), and Commit() methods and finally displays the iview i originally requested.
However, on a failure, i want it to return focus to the SAP login screen with an error explaining why...(i.e. wrong password, account locked, etc.)
However, It always give iview runtime exception with Access Denied.
#1.5 #0018FE8C6FD800690000029000004D6C00045B6E5E7D6014#1226429496628#com.sap.engine.services.security.authentication.logincontext#sap.com/irj#com.sap.engine.services.security.authentication.logincontext#JOHNDOE#182##servername_EPX_176065950#JOHNDOE#bb3365a0b02111ddabea0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_24##0#0#Debug##Java###Login module {0} from authentication stack {1} does not authenticate the caller.#2#companyname.com.CGLoginModuleClass#form#
#1.5 #0018FE8C6FD800690000029100004D6C00045B6E5E7D6275#1226429496629#com.sap.engine.services.security.authentication.loginmodule.ticket.EvaluateTicketLoginModule#sap.com/irj#com.sap.engine.services.security.authentication.loginmodule.ticket.EvaluateTicketLoginModule.abort()#JOHNDOE#182##servername_EPX_176065950#JOHNDOE#bb3365a0b02111ddabea0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_24##0#0#Path##Plain###Entering method#
#1.5 #0018FE8C6FD800690000029200004D6C00045B6E5E7D6308#1226429496629#com.sap.engine.services.security.authentication.loginmodule.ticket.EvaluateTicketLoginModule#sap.com/irj#com.sap.engine.services.security.authentication.loginmodule.ticket.EvaluateTicketLoginModule#JOHNDOE#182##servername_EPX_176065950#JOHNDOE#bb3365a0b02111ddabea0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_24##0#0#Debug##Plain###Internal Login Module data has been reset.#
#1.5 #0018FE8C6FD800690000029300004D6C00045B6E5E7D6386#1226429496629#com.sap.engine.services.security.authentication.loginmodule.ticket.EvaluateTicketLoginModule#sap.com/irj#com.sap.engine.services.security.authentication.loginmodule.ticket.EvaluateTicketLoginModule#JOHNDOE#182##servername_EPX_176065950#JOHNDOE#bb3365a0b02111ddabea0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_24##0#0#Path##Java###Exiting method with {0}#1#true#
#1.5 #0018FE8C6FD800690000029400004D6C00045B6E5E7D6438#1226429496629#com.sap.engine.services.security.authentication.loginmodule.ticket.CreateTicketLoginModule#sap.com/irj#com.sap.engine.services.security.authentication.loginmodule.ticket.CreateTicketLoginModule.abort()#JOHNDOE#182##servername_EPX_176065950#JOHNDOE#bb3365a0b02111ddabea0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_24##0#0#Path##Plain###Entering method#
#1.5 #0018FE8C6FD800690000029500004D6C00045B6E5E7D64B2#1226429496629#com.sap.engine.services.security.authentication.loginmodule.ticket.CreateTicketLoginModule#sap.com/irj#com.sap.engine.services.security.authentication.loginmodule.ticket.CreateTicketLoginModule#JOHNDOE#182##servername_EPX_176065950#JOHNDOE#bb3365a0b02111ddabea0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_24##0#0#Path##Java###Exiting method with {0}#1#true#
#1.5 #0018FE8C6FD800690000029700004D6C00045B6E5E7D6750#1226429496630#com.sap.engine.services.security.authentication.logincontext#sap.com/irj#com.sap.engine.services.security.authentication.logincontext#JOHNDOE#182##servername_EPX_176065950#JOHNDOE#bb3365a0b02111ddabea0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_24##0#0#Info#1#/System/Security/Authentication#Plain###LOGIN.FAILED
User: N/A
Authentication Stack: form
Login Module Flag Initialize Login Commit Abort Details
1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok exception true authscheme not sufficient: uidpwdlogon<cglogon
\#1 ume.configuration.active = true
2. companyname.com.CGLoginModuleClass REQUISITE ok exception true Authentication did not succeed.
3. com.sap.security.core.server.jaas.CreateTicketLoginModule OPTIONAL ok true
\#1 ume.configuration.com = true#
#1.5 #0018FE8C6FD800690000029900004D6C00045B6E5E7DA973#1226429496647#System.err#sap.com/irj#System.err#JOHNDOE#182##servername_EPX_176065950#JOHNDOE#bb3365a0b02111ddabea0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_24##0#0#Error##Plain###Nov 11, 2008 10:51:36... com.sap.portal.portal [SAPEngine_Application_Thread[impl:3]_24] Error: Exception ID:10:51_11/11/08_0002_176065950
#1.5 #0018FE8C6FD800690000029B00004D6C00045B6E5E7DCA91#1226429496647#com.sap.portal.portal#sap.com/irj#com.sap.portal.portal#JOHNDOE#182##servername_EPX_176065950#JOHNDOE#bb3365a0b02111ddabea0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_24##0#0#Error#1#/System/Server#Java###Exception ID:10:51_11/11/08_0002_176065950
[EXCEPTION]
{0}#1#com.sapportals.portal.prt.runtime.PortalRuntimeException: Access is denied: pcd:portal_content/com.companyname.portal.capitalgroup/com.companyname.com.security/com.companyname.portal.cghressnaaa/com.sap.pct.ess.employee_self_service/com.companyname.pg_sensitiveWebdynpro/com.cg.ivu_saplogon_0 - user: Guest
at com.sapportals.portal.prt.deployment.DeploymentManager.getPropertyContentProvider(DeploymentManager.java:1936)
at com.sapportals.portal.prt.core.broker.PortalComponentContextItem.refresh(PortalComponentContextItem.java:230)
at com.sapportals.portal.prt.core.broker.PortalComponentContextItem.getContext(PortalComponentContextItem.java:312)
at com.sapportals.portal.prt.component.PortalComponentRequest.getComponentContext(PortalComponentRequest.java:385)
at com.sapportals.portal.prt.connection.PortalRequest.getRootContext(PortalRequest.java:435)
at com.sapportals.portal.prt.core.PortalRequestManager.runRequestCycle(PortalRequestManager.java:607)
at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:240)
at com.sapportals.portal.prt.dispatcher.Dispatcher$doService.run(Dispatcher.java:545)
and here's my login method...
public boolean login() throws javax.security.auth.login.LoginException
this.succeeded = false;
String passwordString = "";
if (callbackHandler == null)
throw new LoginException("Error: no CallbackHandler available to garner authentication information from the user");
HttpGetterCallback httpgettercallback = new HttpGetterCallback();
NameCallback nc = new NameCallback("User:");
PasswordCallback pc = new PasswordCallback("Password:", false);
Callback[] callbacks = new Callback[] { nc, pc };
try
callbackHandler.handle(callbacks);
catch (IOException e)
throwUserLoginException(e, LoginExceptionDetails.IO_EXCEPTION);
catch (UnsupportedCallbackException e)
return false;
String userid = nc.getName();
char[] password = pc.getPassword();
pc.clearPassword();
if (userid.length() == 0)
throwNewLoginException("USERID IS MISSING!", LoginExceptionDetails.IO_EXCEPTION);
else
username = userid;
if (password.length == 0)
throwNewLoginException("PASSWORD IS MISSING!", LoginExceptionDetails.NO_PASSWORD);
else
passwordString = new String(password);
String eccLoginResult = validateECCAuthentication(username, passwordString);
if (!eccLoginResult.equals(""))
myLoc.infoT(this.username + " - failed ECC authentication.");
throwNewLoginException("Wrong UserId/Password", LoginExceptionDetails.WRONG_USERNAME_PASSWORD_COMBINATION);
else
myLoc.infoT(this.username + " - failed ECC authentication.");
this.succeeded = true;
if (this.succeeded)
try
refreshUserInfo(this.username);
catch (SecurityException e)
throwUserLoginException(e);
if (sharedState.get(AbstractLoginModule.NAME) == null)
sharedState.put(AbstractLoginModule.NAME, this.username);
this.nameSet = true;
else
throwNewLoginException("Wrong UserId/Password", LoginExceptionDetails.WRONG_USERNAME_PASSWORD_COMBINATION);
return this.succeeded; -
HI
Can anyone tell me what is the flow in login module .Means how it work for user authentication .
Thanks
shashankHi Shashank,
Here is some good info
http://help.sap.com/saphelp_nw04/helpdata/en/8c/f03541c6afd92be10000000a1550b0/frameset.htm
If you want to see how the stacks work and which ones will be executed even if they fail, click on the Login Module Stacks link.
Let us know if you have any questions.
Thanks,
Marty -
Login module for the J2EE application
Hi ,
I am trying to use the BasicPasswordLoginModule for my J2EE application which will be deployed in the SAP J2EE engine.My application will not be accessed through the portal.
I am having a login screen in my application for which i want to use the already avaliable login module. ie.. BasicPasswordLoginModule.
When i am trying to get the login(). i am getting the following the error.
"javax.security.auth.login.LoginException: No LoginModules configured for BasicPasswordLoginModule".
Please let me know what needs to be done.
PS: The version environment is CE 7.1
Regards
Abu BakarHi Julius
I am totally confused, my application is a pure J2EE application which has only one screen which just displays the details. And i want only the login screen to be implemented. I have gone through a couple of dec from sap which tells to created a custom login module if requiredl but i want to user the FORM based authentication and use the BasicPasswordLoginModule(in-built in WAS)
All that i am doing is written a web.xml with the following information:
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/home.jsp</form-login-page>
<form-error-page>/relogin.jsp</form-error-page>
</form-login-config>
</login-config>
<security-role>
<role-name>App_Viewer</role-name>
</security-role>
web-j2ee-engine with following information:
<security-role-map>
<role-name>App_Viewer</role-name>
<server-role-name>Administrator</server-role-name>
</security-role-map>
<login-module-configuration>
<login-module-stack>
<!-- Contains all login modules used for authentication -->
<login-module>
<!-- Contains information about one login module -->
<login-module-name>BasicPasswordLoginModule</login-module-name>
<flag>SUFFICIENT</flag>
<options>
<option>
<!-- The option UserNamePrefix determines that the user name must start with "Admin" -->
<name>UserNamePrefix</name>
<value>Admin</value>
</option>
</options>
</login-module>
</login-module-stack>
<security-policy-domain></security-policy-domain>
</login-module-configuration>
And I am not sure, if the above mentioned details are enough. My implementation code is as follows:
try {
HttpServletRequest request = (HttpServletRequest) FacesContext.getCurrentInstance().getExternalContext().getRequest();
HttpServletResponse response = (HttpServletResponse) FacesContext.getCurrentInstance().getExternalContext().getResponse();
request.setAttribute(ILoginConstants.LOGON_UID_ALIAS, this.getUserName());
request.setAttribute(ILoginConstants.LOGON_PWD_ALIAS, this.getPassword());
UMFactory.getLogonAuthenticator().logon(request, response, "BasicPasswordLoginModule");
status = success;
} catch (Exception e) {
e.printStackTrace();
status = e.toString();
In the NWA i have just configured the UserNamePrefix with Admin, thats all . Since the form login authentication method is already configure with the BasicPasswordLoginModule, I left it untouched.
I also implemented a custom login module and deployed it but not sure how to use it in my code.
Please let me know if i am in the rite track. Correct me if i am wrong. At the end of the day i want to use the login screen just to get authenticated. I am also not bothered about the password changing etc.. As the users who are going to use my application are the users in the Identity Management. Few portions of my screen should be allowed to be displayed based on the roles.
PS: My application is not configured in the portal. Its an independent application deployed on the WAS(CE 7.1).
Please advice
Regards
Abu Bakar
Maybe you are looking for
-
The MBP is mid-2012. The display is working fine when I connect it to my TV. I have a HDMI that can carry sound to my LG tv when it is coming from a DVD. I have changed my preferences in sound to output to be LGtv, but it still won't work when I want
-
Formatting XML written to a file
Hi, I am trying to write runtime data (XML) to a file. I am doign the following to write to the file: public void saveFile() throws Exception { try { TransformerFactory transformerFactory = TransformerFactory.newInstance(); Transformer transformer =
-
I'm having an issue with an application that uses a VBscript to install and hope someone can help me. It will work fine regardless where I put if you double click it, it will also work fine from a batch file if you double click the batch. It will not
-
How does Vision Film compare to SkyMovies (premier...
It looks like Vision Box Office ppv films are much the same as Sky Box Office (now "Store"), but how does the free Vision Film channel compare to Sky Movies Premier? From looking at the listings it would seem that VF is some way behind Sky Premier,
-
Others can't see my calendar appointments
My colleagues cannot see my calendar appointments and sometimes can't see the ones I have invited them to.