Login Module

Similar Messages

• Opinions on implementing a JAAS login module to achieve SSO

  We are looking at implementing SSO from a sharepoint website to the portal.  The users who are accessing the Sharepoint site are using their own computers and are not members of the AD Domain, so they could theoretically be using any computer in the world to access Sharepoint.
  the desired user experience looks something like this.
  user--login> sharepoint site -no login--
  >portal
  One of the methods we are looking at to achieve this is to implement a custom JAAS login module that would authenticate the user if they are coming from the Sharepoint site.
  I would like to get your opinions on how viable you think this method is.  One of the goals of this method is ease of implementation, so if you can think of an easier way to implement this please let us know.
  the method is basically this.
  1. User logs into sharepoint using their AD username and password and establish an active session with sharepoint
  2. user navigates to a link in sharepoint that points to a resource in the SAP Portal
  3. we don't want the user to have to login to access the resource when they click on the link
  4. to facilitate this, sharepoint has constructed the link in the following way
  5. the link is an https link
  6. the link has two additional parameters in addition to whatever is necessary to navigate to the resource
  7. the parameters are
  8. un = the users AD username
  9. uh = sha1("secret_password_known_to_both_the_login_module_and_sharepoint" + "username")
  10. the user clicks the link and is directed to the SAP portal
  11. the sap portal has a custom JAAS login module which performs it's checks before the other login modules
  12. the custom module computes ( sha1("secret_password_known_to_both_the_login_module_and_sharepoint" + un)) and then compares the result with uh, if they are equal, the custom login module authenticates the user bypassing any further need for authentication, otherwise authentication passes to the original authentication modules as normal.
  If you think there is an easier way, please let us know.  We are essentially looking for the easiest/fastest way to implement this functionality that is still secure.

  Hey Gary,
    I'm currently using Apache running on RedHat that leverage Apache's mod_rewrite module. I've got a bank of 6 reverse proxies sitting in front of an SAP Portal and each proxy runs on a host with dual 3.33GHz processors and 8Gb or RAM. I know... they're waaay over-sized and they pretty much snooze all day.
    This is the sole entry point for all SAP users and we sized them to accommodate the "worst case" of about 5000 (potential) named users, concurrently. Realistically, we've only ever had about 1500 unique users hitting the systems in a day (following an upgrade go-live, everybody is curious and wants to log on) and a typical load of about 500 to 750 users in a day.
    Never had a real performance problem to speak of. As long as the proxies are tuned properly (ssl cache, sessions, etc.), you should be fine.
    Setting header variables and some other "custom stuff" is handled in Perl (need Apache's mod_perl active). We've got a script that's called by all users before being passed to the Portal.
    We used IISProxy.dll with an IIS web server a long time ago (5 years maybe?) but opted to can it in favor of the approach described above.
    If you ask SAP, they'll recommend you use a WebDispatcher... and that's certainly an option as well.
  -Kevin

• SOAP Web Service +  Custom Login Module issue

  Hi Guys,
  We faced an authentication issue in our project. Could you please give any advice how the issue could be resolved.
  Environment: A simple SOAP Web Service on top of POJO class created in a Web Application. The web application deployed to the SAP NetWeaver 7.10 Application Server in the Enterprise Application Archive.
  Configuration:
        Single Service Administration Application(NetWeaver Administration -> SOA Management -> Application and Scenario Communication -> Single Service Administration)
         The web service endpoint has authentication configured to use User ID/Password HTTP Authentication.
      Authentication Application(NetWeaver Administration-> Configuration Management->Security->Authentication)
        The application(<vendorName>/<earName>*<vendor>~<webAppName>) has Authentication Stack configured to use our custom login module.
  Issue:  BasicPasswordLoginModule used by the J2EE when we are trying to execute the web service using Web Service Navigator(checked in debug mode). It seems that we missed something in configuration.
  Idea: The main Idea is to use our custom login module when we are executing a web service.
  Could you help me to resolve the issue.
  Thanks,
  Dmitry
  Edited by: Dmitry Eidin on Jul 17, 2009 3:46 PM

  > The web service endpoint has authentication configured to use User ID/Password HTTP Authentication.
  That's the point.

• Assigning a login module to a single WebDynpro to authenticate against LDAP

  Hi there,
  we are running the J2EE Engine 7.0 within XI on SAP NetWeaver 2004s / Linux x86_64.
  Basically, i want to Authenticate a Java WebDynpro against an LDAP (Active Directory). With the XI Usage installed, I can not customize the UME to authenticate against an LDAP (not supported and not possible).
  Thus, I want to use a custom login module or, if suitable, a standard login module to authenticate against LDAP. I know that all WebDynpro Apps use the default authentication scheme that in turn references the authentication template "ticket".
  1) Can I use a predefined Login Module to authenticate against Active Directory LDAP or do I have to write a custom login module?
  2) Is it possible to assign a login module to a single WebDynpro and how can I do this?
  Thanks a lot in advance,
  Oliver Kalkofen

  > Thus, I want to use a custom login module or, if
  > suitable, a standard login module to authenticate
  > against LDAP.
  We have developed a custom login module which does this. It looks to the user like the BasicPasswordLoginModule provided with SAP, but the userid and password entered has to be a valid accountpassword from the Active Director domain. We use the Kerberos protocol to perform this useridpassword validation, not LDAP. The userid can be just a name, in which case the default domain (realm in Kerberos terminology) or it can be specified as user@REALM in which case a non-default realm can be used to authenticate. Once the authentication is complete, we look in USRACL table to map this Kerberos principal name onto a SAP userid so we can then create an SSO2 ticket.
  If you interested to evaluate, or get a quote for purchasing this, please contact me offline. Of course, you can develop your own if you are happy to do so. I just thought you might be interested to know of an alternative.
  Thanks,
  Tim

• Assigning a login module to a Web Dynpro application

  Hi everybody,
  I would like a Web Dynpro application to use a custom login module for authentication. How can I do this?
  What I found is the Security Provider (in the Visual Administrator tool) where I can add a login module to the "form" authentication mechanism for example. But if I do this I think all applications using this mechanism have to use my custom login module, right?
  I wonder if I have to add my Web Dynpro application as a component to the Security Provider so that I can assign login modules to it. Am I on the right way? If yes, how can I do this? If I choose "Add" from the "Policy Configurations" tab a popup appears where I can enter the name for a new component. How do I specify my application there?
  Thanks in advance for all answers,
  Torben

  Hi,
  Web Dynpro applications use the ticket authentication template. U wud need to add your login module to the ticket template's login stack.
  Incase you are accessing the Web Dynpro applications thru the EP u wud need to make changes to the authschemes.xml file too.
  regards,
  Vishal

• SSO not authorized:no login module success

  Hi Friends,
  I am Geeting this error while opening the Report Designer any one help me???????
  "java system error call FM_BICS_CONS_GET_VIEW_DEF_J_PROXY to progid XXXXX on host
  APD with SSO not authorized:no login module success "
  Regards
  Vipul Kapadia

  solved by basis team

• Help - using custom login module with embedded jdev oc4j to access ejb 3

  Hi All (Frank ??),
  I'm just wondering if anyone has successfully been able to leverage a custom login module in combination
  with a client that connects to a local EJB 3 stateless session bean through Jdeveloper 10.1.3.2's embedded oc4j.
  I have spent 2+ days trying to get this to work - and i think I resound now to the fact im going to
  have to deploy to oc4j standalone instead.
  I got close.. but finally was trumped with the following error from the client trying to access the ejb:-
  javax.naming.NoPermissionException: Not allowed to look up XXXXXX, check the namespace-access tag
  setting in orion-application.xml for details.
  Using the various guides available, I had no problem getting the custom login module working
  with a local servlet running from JDev's embedded oc4j.. however with ejb - no such luck.
  I have a roles table (possible values Member, Admin) - that maps to sr_Member and sr_Admin
  respectively in various config files.
  I'm using EJB 3 annotations for protecting methods .. for example
  @RolesAllowed("sr_Member")
  Steps that I had to do so far :-
  In <jdevhome>\jdev\system\oracle.jwee.10.1.3.40.66\embedded-oc4j\config\system-jazn-data.xml1) Add custom login module
      <application>
        <name>current-workspace-app</name>
        <login-modules>
          <login-module>
            <class>kr.security.KnowRushLoginModule</class>
            <control-flag>required</control-flag>
            <options>
              <option>
                <name>dataSource</name>
                <value>jdbc/DB_XE_KNOWRUSHDS</value>
              </option>
              <option>
                <name>user.table</name>
                <value>users</value>
              </option>
              <option>
                <name>user.pk.column</name>
                <value>id</value>
              </option>
              <option>
                <name>user.name.column</name>
                <value>email_address</value>
              </option>
              <option>
                <name>user.password.column</name>
                <value>password</value>
              </option>
              <option>
                <name>role.table</name>
                <value>roles</value>
              </option>
              <option>
                <name>role.to.user.fk.column</name>
                <value>user_id</value>
              </option>
              <option>
                <name>role.name.column</name>
                <value>name</value>
              </option>
            </options>
          </login-module>
        </login-modules>
      </application>2) Grant login rmi permission to roles associated with custom login module (also in system-jazn-data.xml)
    <grant>
      <grantee>
        <principals>
          <principal>
            <realm-name>jazn.com</realm-name>
            <type>role</type>
            <class>kr.security.principals.KRRolePrincipal</class>
            <name>Admin</name>
          </principal>
        </principals>
      </grantee>
      <permissions>
        <permission>
          <class>com.evermind.server.rmi.RMIPermission</class>
          <name>login</name>
        </permission>
      </permissions>
    </grant>
    <grant>
      <grantee>
        <principals>
          <principal>
            <realm-name>jazn.com</realm-name>
            <type>role</type>
            <class>kr.security.principals.KRRolePrincipal</class>
            <name>Member</name>
          </principal>
        </principals>
      </grantee>
      <permissions>
        <permission>
          <class>com.evermind.server.rmi.RMIPermission</class>
          <name>login</name>
        </permission>
      </permissions>
    </grant>3) I've tried creating various oracle and j2ee deployment descriptors (even though ejb-jar.xml and orion-ejb-jar.xml get created automatically when running the session bean in jdev).
  My ejb-jar.xml contains :-
  <?xml version="1.0" encoding="utf-8"?>
  <ejb-jar xmlns ....
    <assembly-descriptor>
      <security-role>
        <role-name>sr_Admin</role-name>
      </security-role>
      <security-role>
        <role-name>sr_Member</role-name>
      </security-role>
    </assembly-descriptor>
  </ejb-jar>Note- i'm not specifying the enterprise-beans stuff, as JDev seems to populate this automatically.
  My orion-ejb-jar.xml contains ...
  <?xml version="1.0" encoding="utf-8"?>
  <orion-ejb-jar ...
    <assembly-descriptor>
      <security-role-mapping name="sr_Admin">
        <group name="Admin"></group>
      </security-role-mapping>
      <security-role-mapping name="sr_Member">
        <group name="Member"></group>
      </security-role-mapping>
      <default-method-access>
        <security-role-mapping name="sr_Member" impliesAll="true">
        </security-role-mapping>
      </default-method-access>
    </assembly-descriptor>My orion-application.xml contains ...
  <?xml version="1.0" encoding="utf-8"?>
  <orion-application xmlns ...
    <security-role-mapping name="sr_Admin">
      <group name="Admin"></group>
    </security-role-mapping>
    <security-role-mapping name="sr_Member">
      <group name="Member"></group>
    </security-role-mapping>
    <jazn provider="XML">
      <property name="role.mapping.dynamic" value="true"></property>
      <property name="custom.loginmodule.provider" value="true"></property>
    </jazn>
    <namespace-access>
      <read-access>
        <namespace-resource root="">
          <security-role-mapping name="sr_Admin">
            <group name="Admin"/>
            <group name="Member"/>
          </security-role-mapping>
        </namespace-resource>
      </read-access>
      <write-access>
        <namespace-resource root="">
          <security-role-mapping name="sr_Admin">
            <group name="Admin"/>
            <group name="Member"/>
          </security-role-mapping>
        </namespace-resource>
      </write-access>
    </namespace-access>
  </orion-application>My essentially auto-generated EJB 3 client does the following :-
        Hashtable env = new Hashtable();
        env.put(Context.SECURITY_PRINCIPAL, "matt.shannon");
        env.put(Context.SECURITY_CREDENTIALS, "welcome1");
        final Context context = new InitialContext(env);
        KRFacade kRFacade = (KRFacade)context.lookup("KRFacade");
  ...And throws the error
  20/04/2007 00:55:37 oracle.j2ee.rmi.RMIMessages
  EXCEPTION_ORIGINATES_FROM_THE_REMOTE_SERVER
  WARNING: Exception returned by remote server: {0}
  javax.naming.NoPermissionException: Not allowed to look
  up KRFacade, check the namespace-access tag setting in
  orion-application.xml for details
       at
  com.evermind.server.rmi.RMIClientConnection.handleLookupRe
  sponse(RMIClientConnection.java:819)
       at
  com.evermind.server.rmi.RMIClientConnection.handleOrmiComm
  andResponse(RMIClientConnection.java:283)
  ....I can see from the console that the user was successfully authenticated :-
  20/04/2007 00:55:37 kr.security.KnowRushLoginModule validate
  WARNING: [KnowRushLoginModule] User matt.shannon authenticated
  And that user is granted both the Admin, and Member roles.
  The test servlet using basic authentication correctly detects the user and roles perfectly...
    public void doGet(HttpServletRequest request,
                      HttpServletResponse response)
      throws ServletException, IOException
      LOGGER.log(Level.INFO,LOGPREFIX +"doGet called");
      response.setContentType(CONTENT_TYPE);
      PrintWriter out = response.getWriter();
      out.println("<html>");
      out.println("<head><title>ExampleServlet</title></head>");
      out.println("<body>");
      out.println("<p>The servlet has received a GET. This is the reply.</p>");
      out.println("<br> getRemoteUser = " + request.getRemoteUser());
      out.println("<br> getUserPrincipal = " + request.getUserPrincipal());
      out.println("<br> isUserInRole('sr_Admin') = "+request.isUserInRole("sr_Admin"));
      out.println("<br> isUserInRole('sr_Memeber') = "+request.isUserInRole("sr_Member"));Anyone got any ideas what could be going wrong?
  cheers
  Matt.
  Message was edited by:
  mshannon

  Thanks for the response. I checked out your blog and tried your suggestions. I'm sure it works well in standalone OC4J, but i was still unable to get it to function correctly from JDeveloper embedded.
  Did you ever get the code working directly from JDeveloper?
  Your custom code essentially seems to be the equivalent of a grant within system-jazn-data.xml.
  For example, the following grant to a custom jaas role (JAAS_ADMIN) that gets added by my custom login module gives them rmi login access :-
       <grant>
            <grantee>
                 <principals>
                      <principal>
                           <realm-name>jazn.com</realm-name>
                           <type>role</type>
                           <class>kr.security.principals.KRRolePrincipal</class>
                           <name>JAAS_Admin</name>
                      </principal>
                 </principals>
            </grantee>
            <permissions>
                 <permission>
                      <class>com.evermind.server.rmi.RMIPermission</class>
                      <name>login</name>
                 </permission>
            </permissions>
       </grant>If I add the following to orion-application.xml
    <!-- Granting login permission to users accessing this EJB. -->
    <namespace-access>
      <read-access>
        <namespace-resource root="">
          <security-role-mapping>
            <group name="JAAS_Admin"></group>
          </security-role-mapping>
        </namespace-resource>
      </read-access>Running a standalone client against the embedded jdev oc4j server gives the namespace-access error.
  I tried out your code by essentially creating a static reference to a singleton class that does the role lookup/provisioning with rmi login grant :-
  From custom login module :-
    private static KRSecurityHelper singleton = new KRSecurityHelper();
    protected Principal[] m_Principals;
      Vector v = new Vector();
        v.add(singleton.getCustomRmiConnectRole());
        // set principals in LoginModule
        m_Principals=(Principal[]) v.toArray(new Principal[v.size()]);
  Singleton class :-
  package kr.security;
  import com.evermind.server.rmi.RMIPermission;
  import java.util.logging.Level;
  import java.util.logging.Logger;
  import oracle.security.jazn.JAZNConfig;
  import oracle.security.jazn.policy.Grantee;
  import oracle.security.jazn.realm.Realm;
  import oracle.security.jazn.realm.RealmManager;
  import oracle.security.jazn.realm.RealmRole;
  import oracle.security.jazn.realm.RoleManager;
  import oracle.security.jazn.policy.JAZNPolicy;
  import oracle.security.jazn.JAZNException;
  public class KRSecurityHelper
    private static final Logger LOGGER = Logger.getLogger("kr.security");
    private static final String LOGPREFIX = "[KRSecurityHelper] ";
    public static String CUSTOM_RMI_CONNECT_ROLE = "remote_connect";
    private RealmRole m_Role = null;
    public KRSecurityHelper()
      LOGGER.log(Level.FINEST,LOGPREFIX +"calling JAZNConfig.getJAZNConfig");
      JAZNConfig jc = JAZNConfig.getJAZNConfig();
      LOGGER.log(Level.FINEST,LOGPREFIX +"calling jc.getRealmManager");
      RealmManager realmMgr = jc.getRealmManager();
      try
        // Get the default realm .. e.g. jazn.com
        LOGGER.log(Level.FINEST,LOGPREFIX +"calling jc.getGetDefaultRealm");
        Realm r = realmMgr.getRealm(jc.getDefaultRealm());
        LOGGER.log(Level.INFO,LOGPREFIX +"default realm: "+r.getName());
        // Access the role manager for the remote connection role
        LOGGER.log(Level.FINEST,
          LOGPREFIX +"calling default_realm.getRoleManager");
        RoleManager roleMgr = r.getRoleManager();
        LOGGER.log(Level.INFO,LOGPREFIX +"looking up custom role '"
          CUSTOM_RMI_CONNECT_ROLE "'");
        RealmRole rmiConnectRole = roleMgr.getRole(CUSTOM_RMI_CONNECT_ROLE);
        if (rmiConnectRole == null)
          LOGGER.log(Level.INFO,LOGPREFIX +"role does not exist, create it...");
          rmiConnectRole = roleMgr.createRole(CUSTOM_RMI_CONNECT_ROLE);
          LOGGER.log(Level.FINEST,LOGPREFIX +"constructing new grantee");
          Grantee gtee = new Grantee(rmiConnectRole);
          LOGGER.log(Level.FINEST,LOGPREFIX +"constructing login rmi permission");
          RMIPermission login = new RMIPermission("login");
          LOGGER.log(Level.FINEST,
            LOGPREFIX +"constructing subject.propagation rmi permission");
          RMIPermission subjectprop = new RMIPermission("subject.propagation");
          // make policy changes
          LOGGER.log(Level.FINEST,LOGPREFIX +"calling jc.getPolicy");
          JAZNPolicy policy = jc.getPolicy();
          if (policy != null)
            LOGGER.log(Level.INFO, LOGPREFIX
              + "add to policy grant for RMI 'login' permission to "
              + CUSTOM_RMI_CONNECT_ROLE);
            policy.grant(gtee, login);
            LOGGER.log(Level.INFO, LOGPREFIX
              + "add to policy grant for RMI 'subject.propagation' permission to "
              + CUSTOM_RMI_CONNECT_ROLE);
            policy.grant(gtee, subjectprop);
            // m_Role = rmiConnectRole;
            m_Role = roleMgr.getRole(CUSTOM_RMI_CONNECT_ROLE);
            LOGGER.log(Level.INFO, LOGPREFIX
              + m_Role.getName() + ":" + m_Role.getFullName() + ":" + m_Role.getFullName());
          else
            LOGGER.log(Level.WARNING,LOGPREFIX +"Cannot find jazn policy!");
        else
          LOGGER.log(Level.INFO,LOGPREFIX +"custom role already exists");
          m_Role = rmiConnectRole;
      catch (JAZNException e)
        LOGGER.log(Level.WARNING,
          LOGPREFIX +"Cannot configure JAZN for remote connections");
    public RealmRole getCustomRmiConnectRole()
      return m_Role;
  }Using the code approach and switching application.xml across so that namespace access is for the group remote_connect, I get the following error from my bean :-
  INFO: Login permission not granted for current-workspace-app (test.user)
  Thus, the login permission that I'm adding through the custom remote_connect role does not seem to work. Even if it did, i'm pretty sure I would still get that namespace error.
  This has been such a frustrating process. All the custom login module samples using embedded JDeveloper show simple j2ee servlet protection based on settings in web.xml.
  There are no samples showing jdeveloper embedded oc4j using ejb with custom login modules.
  Hopefully the oc4j jdev gurus like Frank can write a paper that demonstrates this.
  Matt.

• Custom login module on OC4J 10.1.3.3.0

  Hi,
  I need to implement custom web form-based authentication on OC4J, in order to port an existing JBoss app. I was following Frank's example at http://www.oracle.com/technology/products/jdev/howtos/10g/jaassec/index.htm. Trying to access protected pages will correctly redirect to the j_security_check page, and from there call my custom login module - through LoginContext. The issue is that - even if the LoginModule correctly authenticates user's credentials, the request still doesn't get through, coming back to the authentication page.
  I perform the deployment using Oracle Enterprise Manager, and the relevant files are:
  web.xml:
  <login-config>
  <auth-method>FORM</auth-method>
  <realm-name>testJAAS</realm-name>
  <form-login-config>
  <form-login-page>/jsp/login.jsp</form-login-page>
  <form-error-page>/jsp/login.jsp</form-error-page>
  </form-login-config>
  </login-config>
  <!-- Security constraints -->
  <security-constraint>
       <web-resource-collection>
       <web-resource-name>Test Secure Application</web-resource-name>
       <description>Requires users to authenticate</description>
       <url-pattern>faces/*</url-pattern>
       <http-method>POST</http-method>
       <http-method>GET</http-method>
       <http-method>HEAD</http-method>     
       <http-method>PUT</http-method>     
       </web-resource-collection>     
       <auth-constraint>
       <description>Only allow role1 users</description>
       <role-name>role1</role-name>
       </auth-constraint>     
       <user-data-constraint>
       <description>Encryption is not required for the application in general. </description>
       <transport-guarantee>NONE</transport-guarantee>
       </user-data-constraint>
  </security-constraint>
  <!-- Define the security role(s) -->
  <security-role>
  <description>Example role</description>
  <role-name>role1</role-name>
  </security-role>
  orion-web.xml:
  schema-major-version="10" schema-minor-version="0" >
       <!-- Uncomment this element to control web application class loader behavior.
            <web-app-class-loader search-local-classes-first="true" include-war-manifest-class-path="true" />
       -->
       <resource-ref-mapping name="jdbc/lics" />
       <security-role-mapping name="role1">
            <group name="oc4j-app-administrators" />
       </security-role-mapping>
       <web-app>
       </web-app>
  orion-application.xml:
       <jazn provider="XML" >
            <property name="jaas.username.simple" value="true" />
            <property name="custom.loginmodule.provider" value="true" />
            <property name="role.mapping.dynamic" value="true" />
       </jazn>
  system-jazn-data.xml:
  <jazn-loginconfig>
       <application>
            <name>le5</name>
            <login-modules>
                 <login-module>
                      <class>com.tx.lic.oc4jsx.ext.LicLoginModule</class>
                      <control-flag>required</control-flag>
                      <options>
                           <option>
                                <name>defaultRole</name>
                                <value>role1</value>
                           </option>
                      </options>
                 </login-module>
            </login-modules>
       </application>
  I assume something is wrong with the deployment configuration, b/c when I specifically add users to the defined role1 role, it works fine(see below). But this is not an option, since users should only be specified in the data store of the LoginModule.
  Doing as above, the orion-web.xml is below:
       <resource-ref-mapping name="jdbc/lic" />
       <security-role-mapping name="role1">
            <group name="oc4j-app-administrators" />
            <user name="user1" />
            <user name="user2" />
       </security-role-mapping>
  Any insight would be much appreciated. Thanks.

  Hi,
  role to group mapping doesn't seem to work for custom LoginModules. This means hat your web applcation (web.xml) should use th same role names as used on the database authentication. So remove
  <security-role-mapping name="role1">
  <group name="oc4j-app-administrators" />
  </security-role-mapping>
  from orion-web.xml and it should start wrking
  Frank

• SPNEGO Login module Stack issue: Could not validate SPNEGO token

  Hello to all,
  We are deploying a SAP Netweavear 7.3 Enterprise Portal with SPNego login module activated.
  We are performing some tests (performances and concurrent accesses).
  During the tests we have found several times the folloiwing Issue linked to the spnego.
  Could not validate SPNEGO token.
  [EXCEPTION]
  java.lang.NumberFormatException: multiple points
  at sun.misc.FloatingDecimal.readJavaFormatString(FloatingDecimal.java:1082)
  at java.lang.Double.parseDouble(Double.java:510)
  at java.text.DigitList.getDouble(DigitList.java:151)
  at java.text.DecimalFormat.parse(DecimalFormat.java:1303)
  at java.text.SimpleDateFormat.subParse(SimpleDateFormat.java:1934)
  at java.text.SimpleDateFormat.parse(SimpleDateFormat.java:1312)
  at java.text.DateFormat.parse(DateFormat.java:335)
  at com.sap.security.core.server.jaas.spnego.util.Utils.generalizedTimeStringToData(Utils.java:167)
  at com.sap.security.core.server.jaas.spnego.krb5.KrbTicketEncryptedData.parseDecryptedData(KrbTicketEncryptedData.java:67)
  at com.sap.security.core.server.jaas.spnego.krb5.KrbEncryptedData.decrypt(KrbEncryptedData.java:94)
  at com.sap.security.core.server.jaas.spnego.krb5.KrbApReq.decrypt(KrbApReq.java:68)
  at com.sap.security.core.server.jaas.SPNegoLoginModule.parseAndValidateSPNEGOToken(SPNegoLoginModule.java:315)
  at com.sap.security.core.server.jaas.SPNegoLoginModule.processAuthorizationHeader(SPNegoLoginModule.java:474)
  at com.sap.security.core.server.jaas.SPNegoLoginModule.login(SPNegoLoginModule.java:160)
  at com.sap.engine.services.security.login.LoginModuleLoggingWrapperImpl.login(LoginModuleLoggingWrapperImpl.java:254)
  at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:65)
  at java.security.AccessController.doPrivileged(Native Method)
  at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:254)
  at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.getLoggedInUser(SAPJ2EEAuthenticator.java:352)
  at com.sapportals.portal.prt.service.authenticationservice.AuthenticationService.loginWithRequestCredentials(AuthenticationService.java:337)
  at com.sapportals.portal.prt.service.authenticationservice.AuthenticationService.getLoggedInUser(AuthenticationService.java:321)
  at com.sapportals.portal.prt.connection.UMHandler.handleUM(UMHandler.java:60)
  at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:163)
  at com.sap.portal.prt.dispatcher.DispatcherServlet.service(DispatcherServlet.java:132)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
  at com.sap.engine.services.servlets_jsp.server.Invokable.invoke(Invokable.java:152)
  at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doCached(RequestDispatcherImpl.java:655)
  at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:488)
  at com.sap.portal.navigation.Gateway.service(Gateway.java:147)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
  at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.runServlet(FilterChainImpl.java:202)
  at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.doFilter(FilterChainImpl.java:103)
  at com.sap.portal.http.EnrichNavRequestFilter.doFilter(EnrichNavRequestFilter.java:49)
  at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.doFilter(FilterChainImpl.java:79)
  at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:432)
  at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:210)
  at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:441)
  at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:430)
  at com.sap.engine.services.servlets_jsp.filters.DSRWebContainerFilter.process(DSRWebContainerFilter.java:38)
  at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
  at com.sap.engine.services.servlets_jsp.filters.ServletSelector.process(ServletSelector.java:81)
  at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
  at com.sap.engine.services.servlets_jsp.filters.ApplicationSelector.process(ApplicationSelector.java:276)
  at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
  at com.sap.engine.services.httpserver.filters.WebContainerInvoker.process(WebContainerInvoker.java:81)
  at com.sap.engine.services.httpserver.chain.HostFilter.process(HostFilter.java:9)
  at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
  at com.sap.engine.services.httpserver.filters.ResponseLogWriter.process(ResponseLogWriter.java:60)
  at com.sap.engine.services.httpserver.chain.HostFilter.process(HostFilter.java:9)
  at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
  at com.sap.engine.services.httpserver.filters.DefineHostFilter.process(DefineHostFilter.java:27)
  at com.sap.engine.services.httpserver.chain.ServerFilter.process(ServerFilter.java:12)
  at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
  at com.sap.engine.services.httpserver.filters.MonitoringFilter.process(MonitoringFilter.java:29)
  at com.sap.engine.services.httpserver.chain.ServerFilter.process(ServerFilter.java:12)
  at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
  at com.sap.engine.services.httpserver.filters.SessionSizeFilter.process(SessionSizeFilter.java:26)
  at com.sap.engine.services.httpserver.chain.ServerFilter.process(ServerFilter.java:12)
  at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
  at com.sap.engine.services.httpserver.filters.MemoryStatisticFilter.process(MemoryStatisticFilter.java:57)
  at com.sap.engine.services.httpserver.chain.ServerFilter.process(ServerFilter.java:12)
  at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
  at com.sap.engine.services.httpserver.filters.DSRHttpFilter.process(DSRHttpFilter.java:43)
  at com.sap.engine.services.httpserver.chain.ServerFilter.process(ServerFilter.java:12)
  at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
  at com.sap.engine.services.httpserver.server.Processor.chainedRequest(Processor.java:475)
  at com.sap.engine.services.httpserver.server.Processor$FCAProcessorThread.process(Processor.java:269)
  at com.sap.engine.services.httpserver.server.rcm.RequestProcessorThread.run(RequestProcessorThread.java:56)
  at com.sap.engine.core.thread.execution.Executable.run(Executable.java:122)
  at com.sap.engine.core.thread.execution.Executable.run(Executable.java:101)
  at com.sap.engine.core.thread.execution.CentralExecutor$SingleThread.run(CentralExecutor.java:328)
  The user rlinked to this user is Guest.
  could you please advice us how to solve this reccuring issue?
  Kind regards
  Julien LEFEVRE

  Hello Cathal,
  Thank you for your answer.
  In fact the new spnego wizard of the SAP Enterprise Portal 7.3 is used to get the the two keys files. The SAP Jvm is used in fact with the 1.6.1.
  And in fact , it functions perfectly sometimes. but during the test of massive access ( More than 30 conurent users), I have this error that comes frequently.
  Best regards
  Julien LEFEVRE

• Error in some of the login modules

  `Hi Experts,
  I have deployed SPNEGO and when user trying to login to portal, it gives the error as taken from diagtoo(below)
  Also would like to inform you that when I have configured the wizard, some how in VA for lots of the Components in Security
  provider, I found lots of those components does have the value for the Evaluateticket, evaluateAssertion, basicpassword,
  createticketlogon did not had any values to it.
  The components which I have updated are,
  1. sap.com.lcr*sld---> I have added for EvaulateTicketloginModule and EvaluateAssertion ticket module like
  ume.configuration.active     true
  trustediss1               OU=J2EE,CN=ABC
  trusteddn1               OU=J2EE,CN=ABC
  trustedsys1               ABC,555
  and for CreateTicketLoginModule
  ume.configuration.active     true
  Like wise done for the following components also.
  2. sap.com/sap.comtckmc.coll.room.wsdeplRoomABAPWS_config1
  3. sap.com/sap.commonitoringsysteminfo*sap_monitoring( here only 3 login modules present. so updated accordingly
  to the above mentioned values for whatever loginmodule was present)
  4. jmx~spnego was not having the template as SPNEGO so selected SPNEGO template and updated whatever ( 5 login module accordingly)
  5. sap.com/tcsecwssec~app*wssproc_cert
  6. sap.com/tcsecwssec~app*wssproc_plain
  7. sap.com/tcsecwssec~app*wssproc_ssl
  8. sap.com/tcslmslmapp*slmServices_Config
  9. sap.com/tcslmslmapp*slmSolManServices_Config
  10. ....~eap*GPRuntimeFacadeWS_
  11. ..RuntimeearCAFDataService
  Entering method with (Subject:
  , javax.security.auth.login.LoginContext$SecureCallbackHandleraT6d992c17)
  13:47:15:804 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_39 com.sap.security.core.server.jaas The options of EvaluateTicketLoginModule in [spnego] authentication stack are: [{ume.configuration.active=true, trustediss1=OU=J2EE,CN=ABC, trustedsys1=ABC,555, trusteddn1=OU=J2EE,CN=ABC}].
  13:47:15:804 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_39 ~s.constructor(Map, Properties, boolean) Entering method with ({System-ID=ABC, sap.security.auth.configuration.name=spnego, sap.security.auth.context.object=Security Context : session (0) for J2EE_GUEST created at Sun Mar 15 13:01:44 AST 2009}, <null>)
  13:47:15:804 Info J2EE_GUEST SAPEngine_Application_Thread[impl:3]_39 com.sap.security.core.server.jaas got [ume.configuration.active]: [true]
  13:47:15:804 Warning J2EE_GUEST SAPEngine_Application_Thread[impl:3]_39 com.sap.security.core.server.jaas no authscheme found that has auth template spnego
  13:47:15:805 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_39 com.sap.security.core.server.jaas Exiting method with [Ljava.lang.Object;aT631dd237
  13:47:15:805 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_39 ~ity.core.server.jaas.getMergedOptions() Entering method
  13:47:15:805 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_39 com.sap.security.core.server.jaas Exiting method with [Ljava.lang.Object;aT3ad44bb7
  13:47:15:805 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_39 com.sap.security.core.server.jaas The options of EvaluateTicketLoginModule in [spnego] authentication stack after merge with UME properties are: [{ume.configuration.active=true, trustediss1=OU=J2EE,CN=ABC, system=ABC, client=555, j_authscheme=default, inclcert=0, trusteddn1=OU=J2EE,CN=ABC, ume.logon.httponlycookie=TRUE, alias=SAPLogonTicketKeypair, ume.logon.security.enforce_secure_cookie=FALSE, validity=8, keystore=TicketKeystore, trustedsys1=ABC,555, password=}].
  13:47:15:805 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_39 com.sap.security.core.server.jaas The options of EvaluateTicketLoginModule in [spnego] authentication stack after adding the default values are: [{ume.configuration.active=true, trustediss1=OU=J2EE,CN=ABC, system=ABC, client=555, j_authscheme=default, inclcert=0, trusteddn1=OU=J2EE,CN=ABC, ume.logon.httponlycookie=TRUE, alias=SAPLogonTicketKeypair, sap.security.auth.configuration.name=spnego, ume.logon.security.enforce_secure_cookie=FALSE, validity=8, keystore=TicketKeystore, trustedsys1=ABC,555, password=}].
  13:47:15:805 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_39 com.sap.security.core.server.jaas Exiting method
  13:47:15:806 Info J2EE_GUEST ~ngine_Application_Thread[impl:3]_Group] ~er.jaas.spnego.util.ConfigurationHelper My GSS name is: J2ee-abcaTBah.ARAB.LOCAL
  13:47:15:806 Info J2EE_GUEST ~ngine_Application_Thread[impl:3]_Group] ~er.jaas.spnego.util.ConfigurationHelper GSS name type is: 1
  13:47:15:807 Info J2EE_GUEST ~ngine_Application_Thread[impl:3]_Group] ~er.jaas.spnego.util.ConfigurationHelper GSS mechanism is: 1.2.840.113554.1.2.2
  13:47:15:808 Info J2EE_GUEST ~ngine_Application_Thread[impl:3]_Group] System.out Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is true principal is J2ee-abcaTBah.ARAB.LOCAL tryFirstPass is false useFirstPass is false storePass is false clearPass is false
  Refreshing Kerberos configuration
  13:47:15:808 Info J2EE_GUEST ~ngine_Application_Thread[impl:3]_Group] System.out Refreshing Keytab
  13:47:15:809 Info J2EE_GUEST ~ngine_Application_Thread[impl:3]_Group] System.out >>> KeyTabInputStream, readName(): Bah.ARAB.LOCAL
  13:47:15:809 Info J2EE_GUEST ~ngine_Application_Thread[impl:3]_Group] System.out >>> KeyTabInputStream, readName(): J2ee-abc
  13:47:15:809 Info J2EE_GUEST ~ngine_Application_Thread[impl:3]_Group] System.out >>> KeyTab: load() entry length: 60; type: 3
  13:47:15:809 Info J2EE_GUEST ~ngine_Application_Thread[impl:3]_Group] System.out principal's key obtained from the keytab
  13:47:15:809 Info J2EE_GUEST ~ngine_Application_Thread[impl:3]_Group] System.out Acquire TGT using AS Exchange
  13:47:15:811 Path J2EE_GUEST ~ngine_Application_Thread[impl:3]_Group] com.sap.engine.services.security Exception : Error in some of the login modules.
  java.lang.Exception
  at com.sap.exception.BaseExceptionInfo.traceAutomatically(BaseExceptionInfo.java:1141)
  at com.sap.exception.BaseExceptionInfo.<init>(BaseExceptionInfo.java:253)
  at com.sap.engine.services.security.exceptions.BaseLoginException.<init>(BaseLoginException.java:114)
  at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.access$000(ConfigurationHelper.java:28)
  at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper$RunnableHelper.run(ConfigurationHelper.java:330)
  Caused by: java.lang.NullPointerException
  at java.lang.StringBuffer.append(StringBuffer.java:467)
  at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:627)
  at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:511)
  at com.sap.engine.services.security.login.LoginModuleLoggingWrapperImpl.login(LoginModuleLoggingWrapperImpl.java:150)
  at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:69)
  at java.security.AccessController.doPrivileged(Native Method)
  at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:172)
  at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)
  at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.acquireCredentials(ConfigurationHelper.java:230)
  at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.access$000(ConfigurationHelper.java:28)
  at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper$RunnableHelper.run(ConfigurationHelper.java:330)
  13:47:15:812 Error J2EE_GUEST ~ngine_Application_Thread[impl:3]_Group] com.sap.engine.services.security Error in some of the login modules.
  [EXCEPTION]
  com.sap.engine.services.security.exceptions.BaseLoginException: Error in some of the login modules.
  at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:149)
  at java.security.AccessController.doPrivileged(Native Method)
  at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:172)
  at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
  at sun.reflect.GeneratedMethodAccessor368.invoke(Unknown Source)
  at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)
  at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.acquireCredentials(ConfigurationHelper.java:230)
  at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.access$000(ConfigurationHelper.java:28)
  at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper$RunnableHelper.run(ConfigurationHelper.java:330)
  Caused by: java.lang.NullPointerException
  at java.lang.StringBuffer.append(StringBuffer.java:467)
  at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:627)
  at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:511)
  at com.sap.engine.services.security.login.LoginModuleLoggingWrapperImpl.login(LoginModuleLoggingWrapperImpl.java:150)
  at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:69)
  ... 24 more
  13:47:15:813 Error J2EE_GUEST ~ngine_Application_Thread[impl:3]_Group] com.sap.engine.services.security Exception com.sap.engine.services.security.exceptions.BaseLoginException: Error in some of the login modules.
  at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:149)
  at java.security.AccessController.doPrivileged(Native Method)
  at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:172)
  at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:186)
  at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:80)
  at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:75)
  at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)
  at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:334)
  at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:44)
  at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)
  at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.acquireCredentials(ConfigurationHelper.java:230)
  at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.access$000(ConfigurationHelper.java:28)
  at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper$RunnableHelper.run(ConfigurationHelper.java:330)
  Caused by: java.lang.NullPointerException
  at java.lang.StringBuffer.append(StringBuffer.java:467)
  at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:627)
  at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:511)
  at com.sap.engine.services.security.login.LoginModuleLoggingWrapperImpl.login(LoginModuleLoggingWrapperImpl.java:150)
  at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:69)
  ... 24 more
  see below for more error

  13:47:15:814 Path J2EE_GUEST ~ngine_Application_Thread[impl:3]_Group] com.sap.engine.services.security Exception : Internal server error. An error log with ID [00144FB7C99A00B30000000C000040770004653A2C7E1DD8] is created. For more information contact your system administrator.
  java.lang.Exception
  at com.sap.exception.BaseExceptionInfo.traceAutomatically(BaseExceptionInfo.java:1141)
  at com.sap.exception.BaseExceptionInfo.<init>(BaseExceptionInfo.java:253)
  at com.sap.engine.services.security.exceptions.BaseSecurityException.<initat com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.acquireCredentials(ConfigurationHelper.java:230)
  at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.access$000(ConfigurationHelper.java:28)
  at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper$RunnableHelper.run(ConfigurationHelper.java:330)
  13:47:15:815 Error J2EE_GUEST ~ngine_Application_Thread[impl:3]_Group] com.sap.engine.services.security Internal server error. An error log with ID [00144FB7C99A00B30000000C000040770004653A2C7E1DD8] is created. For more information contact your system administrator.
  [EXCEPTION]
  com.sap.engine.services.security.exceptions.BaseSecurityException: Internal server error. An error log with ID [00144FB7C99A00B30000000C000040770004653A2C7E1DD8] is created. For more information contact your system administrator.
  at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:157)
  at java.security.AccessController.doPrivileged(Native Method)
  at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:172)
  at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
  at sun.reflect.GeneratedMethodAccessor368.invoke(Unknown Source)
  at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.acquireCredentials(ConfigurationHelper.java:230)
  at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.access$000(ConfigurationHelper.java:28)
  at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper$RunnableHelper.run(ConfigurationHelper.java:330)
  13:47:15:816 Error J2EE_GUEST ~ngine_Application_Thread[impl:3]_Group] ~es.security.authentication.logincontext LOGIN.FAILED
  User: N/A
  Authentication Stack: com.sun.security.jgss.accept
  Login Module                                                            Flag        Initialize  Login      Commit     Abort      Details
  com.sun.security.auth.module.Krb5LoginModule                            REQUISITE   ok          exception             false      null
  com.sap.security.core.server.jaas.SPNegoMappingLoginModule              REQUISITE   ok                                true       
  13:47:15:816 Path J2EE_GUEST ~ngine_Application_Thread[impl:3]_Group] com.sap.engine.services.security Exception : Access Denied.
  java.lang.Exception
  at com.sap.exception.BaseExceptionInfo.traceAutomatically(BaseExceptionInfo.java:1141)
  at com.sap.exception.BaseExceptionInfo.<init>(BaseExceptionInfo.java:253)
  at com.sap.engine.services.security.exceptions.BaseLoginException.<init>(BaseLoginException.java:114)
  at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:286)
  at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)
  at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.acquireCredentials(ConfigurationHelper.java:230)
  at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.access$000(ConfigurationHelper.java:28)
  at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper$RunnableHelper.run(ConfigurationHelper.java:330)
  Caused by: com.sap.engine.services.security.exceptions.BaseSecurityException: Internal server error. An error log with ID [00144FB7C99A00B30000000C000040770004653A2C7E1DD8] is created. For more information contact your system administrator.
  at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:157)
  at java.security.AccessController.doPrivileged(Native Method)
  at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:172)
  at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
  at sun.reflect.GeneratedMethodAccessor368.invoke(Unknown Source)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  at java.lang.reflect.Method.invoke(Method.java:324)
  at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:334)
  at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:44)
  at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)
  at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.acquireCredentials(ConfigurationHelper.java:230)
  at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.access$000(ConfigurationHelper.java:28)
  at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper$RunnableHelper.run(ConfigurationHelper.java:330)
  13:47:15:817 Error J2EE_GUEST SAPEngine_Application_Thread[impl:3]_39 ~rity.core.server.jaas.SPNegoLoginModule Exception in SPNegologinModule.initialize.
  [EXCEPTION]
  GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
  at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:189)
  at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:80)
  at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
  at sun.security.jgss.LoginUtility.run(LoginUtility.java:57)
  at java.security.AccessController.doPrivileged(Native Method)
  at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:186)
  ... 9 more
  Caused by: com.sap.engine.services.security.exceptions.BaseSecurityException: Internal server error. An error log with ID [00144FB7C99A00B30000000C000040770004653A2C7E1DD8] is created. For more information contact your system administrator.
  at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:157)
  at java.security.AccessController.doPrivileged(Native Method)
  at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:172)
  ... 22 more
  13:47:15:819 Error J2EE_GUEST SAPEngine_Application_Thread[impl:3]_39 com.sap.engine.services.security Cannot initialize login module com.sap.security.core.server.jaas.SPNegoLoginModule .
  [EXCEPTION]
  java.lang.RuntimeException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
  at com.sap.security.core.server.jaas.SPNegoLoginModule.initialize(SPNegoLoginModule.java:446)
  at com.sap.engine.services.security.login.LoginModuleLoggingWrapperImpl.initialize(LoginModuleLoggingWrapperImpl.java:129)
  at com.sap.engine.services.security.login.LoginContextFactory.initializeLoginContext(LoginContextFactory.java:167)
  at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:141)
  at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
  at sun.reflect.GeneratedMethodAccessor368.invoke(Unknown Source)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  at java.lang.reflect.Method.invoke(Method.java:324)
  at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
  at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
  at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
  at java.security.AccessController.doPrivileged(Native Method)
  at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
  at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
  at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.getLoggedInUser(SAPJ2EEAuthenticator.java:131)
  at com.sapportals.portal.prt.service.authenticationservice.AuthenticationService.getLoggedInUser(AuthenticationService.java:303)
  at com.sapportals.portal.prt.connection.UMHandler.handleUM(UMHandler.java:96)
  at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:186)
  at com.sapportals.portal.prt.dispatcher.Dispatcher$doService.run(Dispatcher.java:522)
  at java.security.AccessController.doPrivileged(Native Method)
  at com.sapportals.portal.prt.dispatcher.Dispatcher.service(Dispatcher.java:405)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
  at com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet.service(InvokerServlet.java:156)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
  at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
  at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
  at com.sap.portal.navigation.Gateway.service(Gateway.java:126)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
  at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:390)
  at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:264)
  at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:347)
  at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:325)
  at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:887)
  at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:241)
  at com.sap.engine.services.httpserver.server.Client.handle(Client.java:92)
  at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:148)
  at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
  at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
  at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
  at java.security.AccessController.doPrivileged(Native Method)
  at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:100)
  at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:170)
  13:47:15:821 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_39 ~.security.core.server.jaas.initialize() Entering method with (Subject:
  , javax.security.auth.login.LoginContext$SecureCallbackHandleraT6d992c17, {System-ID=ABC, sap.security.auth.configuration.name=spnego, sap.security.auth.context.object=Security Context : session (0) for J2EE_GUEST created at Sun Mar 15 13:01:44 AST 2009}, {ume.configuration.active=true})
  13:47:15:821 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_39 com.sap.security.core.server.jaas

• Custom login module Authentication works but Authorization Does not work

  Hi:
  I am using custom login module and switched on the ADF authentication using adf-config.xml file. My custom authentication works i.e. it returns true but when it finally tries to display the page 401 Unauthorized message is shown. I am using JDev 10.1.3.2.
  Is there any other settings I need to perform. Could you please let me know.
  Thanks

  I have the same issue, please refer to this thread.
  Re: ADF Security Authorization

• Use of portal service in JAAS Login Module

  Is it possible to use an portal service in an JAAS Login Module?
  I've tried to use the IUserMappingService and always run in an Null Pointer Exception.
  All needed Used DC references are set and the build and the deployment of the
  login module is possible without any errors.
  Best regards,
  Thomas

  I've debuged my JAAS login modul.
  The following objects are in accessable over my context object
  {broker=broker, com.sap.portal.pcm.collaborative.ipartstemplates={}, UME=UME, com.sap.workflow.es.portal.IKMCRoomService=com.sap.workflow.es.room.KMCRoomHelper@44c944c9, comp.sap.portal.fpn.marshallersrepository={com.sapportals.portal.workset=com.sap.portal.fpn.marshal.WorksetMarshaller@7cf07cf0, com.sapportals.portal.rolefolder=com.sap.portal.fpn.marshal.RoleFolderMarshaller@489b489b, com.sapportals.portal.operationmodifier=com.sap.portal.unification.semanticlayer.marshalling.OperationModifierMarshaller@1a1b1a1b, com.sapportals.portal.businessobject=com.sap.portal.unification.semanticlayer.marshalling.BusinessObjectMarshaller@1fc71fc7, com.sapportals.portal.layout=com.sap.portal.fpn.marshal.LayoutMarshaller@454f454f, com.sapportals.portal.role=com.sap.portal.fpn.marshal.RoleMarshaller@590e590e, com.sap.portal.obn.semanticlayer.businessobject.BusinessObject=com.sap.portal.unification.semanticlayer.marshalling.BusinessObjectNYMarshaller@68af68af, com.sap.portal.obn.semanticlayer.operation.IOperation=com.sap.portal.unification.semanticlayer.marshalling.OperationNYMarshaller@4f4a4f4a, com.sap.portal.pcm.admin.PlainFolderConverter=com.sap.portal.fpn.marshal.FolderMarshaller@284a284a, com.sapportals.portal.iview=com.sap.portal.fpn.marshal.IViewMarshaller@7ba37ba3, com.sapportals.portal.page=com.sap.portal.fpn.marshal.PageMarshaller@a100a10, com.sapportals.portal.operation=com.sap.portal.unification.semanticlayer.marshalling.OperationMarshaller@ece0ece}, WP=com.sapportals.portal.prt.core.resource.MultiPropertiesResource@3b213b21, ContentCatalog=ContentCatalog, Navigation=Navigation, PCD=PCD, com.sap.portal.obn=com.sap.portal.obn, com.sap.portal.usermanagement.usermanagement=com.sapportals.portal.prt.service.usermanagement.UserManagementService@60cc60cc, ProductionMode=true, AdHocWorkflowConnector=com.sap.workflow.es.portal.WFEWorkitemProvider@30d630d6, com.sap.ip.bi=com.sap.ip.bi, com.sapportals.portal.pcm.registeredServies=com.sapportals.portal.pcm.registeredServies, UniversalWorklistService=com.sap.netweaver.bc.uwl.core.portal.UWLPortalService@57e957e9, com.sap.portal.appintegrator=com.sap.portal.appintegrator, rtmf_messaging=com.sap.ip.collaboration.core.api.rtmf.core.RTMFMessaging@41af41af, com.sap.workflow.es.portal.IKMNotificationService=com.sap.workflow.es.portal.KMNotificationService@1daa1daa, com.sap.portal.pcm.collaborative.pagestemplates={}, runtime=runtime, Authenticator=com.sapportals.portal.prt.service.authenticationservice.AuthenticationService@756f756f, com.sap.workflow.es.portal.IKMAttachmentService=com.sap.workflow.es.portal.KMAttachmentService@9750975, unification=unification}
  The IUserMappingService is missing.  Any ideas?
  Best regards,
  Thomas

• Third party SSO with a custom login module

  Hello everyone,
  I've found a few posts on the forum with questions similar to mine, but none have been answered.  I'm using a 3rd party authentication product along with a custom implementation of the AbstractLoginModule interface.
  The setup is standard: A 3rd party agent is installed on a reverse proxy web server to SAP. The agent is configured to protect SAP resources, and it handles the login screens and authentication. Once the user has been authenticated, the AbstractLoginModule implementation kicks in, decrypts and validates an SSO token, retrieves the username from it and creates an SAP Principal.   
  The login ticket template is configured as follows:
  1.  EvaluateTicketLoginModule   SUFFICIENT
                      2.  MyLoginModule                      REQUISITE
                      3.  CreateTicketLoginModule       OPTIONAL
  One of the integration's key requirements is that direct interaction with standard SAP authentication must be avoided.  More specifically, the user should never need to enter an SAP password.  I'm only seeing two problems, both of which violate this requirement.
  The first is in cases where there is no existing SAP user that matches the authenticated user.  In this case, the third party token and SAP Principal are created, the abort method is called, and the user is redirected to the SAP login page.   I need to either bring to user back to the third party login page or to a custom error page~.
  The second problem occurs when an SAP password change is required. Again in this case, an SAP form is displayed after the module has created the Principal (although once the user changes the SAP password, all's well). If I were to disable mandatory password changes, would this apply to fat client access as well? If so, then it's not a viable option.
  The general idea in both instances is that the SAP I'd appreciate any help or suggestions.  
  Thanks
  ~ Since the SSO token applies to applications outside of SAP, I may add a login module parameter to make this a configurable choice. (I.e. allow the administrator to decide whether to inform the user that SAP authentication failed while preserving the SSO token, or to destroy the token and force re-authentication). However, if there is a way to configure the "bad credentials" URL outside of the module's code/parameters, it may be better to place the choice there.

  Hi Julius,
  Thank you for the quick response - and on a Sunday, no less!
  I have considered verifying that the user existed in SAP before creating the Principal.  One might argue that that would be the common sense thing to do.  The reason I've held off is that the error should be so rare that it may not justify the overhead.  There's a requirement to have a one-to-one username mapping between SAP and the authentication application.  It would be more efficient to assume that this requirement has been met and to handle the Exception when it hasn't been.  Of course, that doesn't mean that it's the right way to go.
  +_Julius Bussche wrote:_+
  For the first concern, if they can access the logon page directly (anyway) you could disable it as you do not want any password based logons (right?) and redirect it to your external page or an error page.
  Yes, this is what I'm hoping to do, but I'm not sure how to do it.  Here are some comments and questions about this:
  1. What's involved in disabling the login page?  I would think you'd need to replace it with something else rather than just switch it off.   Could I limit this change to the login ticket template so that other templates (basic authentication, for example) are still available?
  2. Keep in mind that users will never get past the "real" login page unless they have been authenticated.  This complicates matters because we're dealing with a scenario in which the user has already been authenticated but doesn't exist in SAP.  Therefore, it wouldn't make sense to go back to either login page.   
  3. What's involved in redirecting to an external page?  Is this an explicit redirect in the module code, or can it be decoupled from the module?  It's not a big deal, but it would be nice to avoid mandatory module parameters for relative paths to error pages.   
  I think the question I'm after is: "Can I simply change an SAP login URL parameter to point to a custom error page, and allow everything to work as it does now (where SAP handles the redirect)".  If so, could I limit the scope of the change to the login ticket template?  What would be even better is if I could configure SAP's response to this error.  Somewhere, it's currently configured to display the login page.  Ideally, I'd be able to configure it to display myErrorPage, and then set myErrorPage to the appropriate URL.  
  +_Julius Bussche wrote:_+
  For the second concern, I assume that there are no valid passwords involved here which might have expired, so as long as the user does not have the option to activate a password again and anyway cannot logon via password as the option is not presented... then you should be fine here as well with a forward proxy. Not sure which Java APIs are offered here, but you could check this together with the existence check and react to both prior to accessing SAP "from the outside".
  The problem here is that the SAP passwords are needed outside of the integration.  It's true that whether an SAP password has expired is irrelevant to the integration.  However,  this is a Web-based integration; SAP passwords must still be available to users who have access to other clients.  With this in mind, could I create a user password policy that disables password expiration and automatic password change, but only apply it to Web client access?  If not, do you know how I might override SAPu2019s behavior?
  Once again, thank you for taking your time to help me out.  I am very grateful.
  - John

• Passing error message from login module to login page

  Hello,
  we have a custom login module to authenticate user in ldap and to grant application roles stored in db.
  Is it possible to pass error catched in login module to the user (display the error message on login screen)? We think it is helpful to see correct reason why the user couln't be logged in.
  Notes:
  Jdev version is 10.1.3.1. Custom login module was written using Frank Nimphius guidelines and examples.
  Rado

  Hi,
  if you followed this example then it is configured for container managed authentication, in which case the error message cannot be propagated to the view.
  There was a similar discussion on the J2EE forum and the answer was that the OC4J team will put this on a list of enahncements they track. The technical reason appears to be that the J2EE spec does not foresee to tell users about the "why" authentication fails - which clearly is a limitation of the Spec.
  Frank

• RFC Call in a custom login module

  Hi All,
  What is the best way to call a RFC/BAPI from a Custom Login Module, part of the login stacks?
  I want to avoid using JCo Client Service, do not want to hard code the connection values in the class.
  Have anyone of you come across such a situation?
  Can the custom login module access the Portal Runtime resources, like the Connector Gateway Service/Destination Service?
  Or it just runs inside the j2EE container?
  Thanks for your help
  Aakash
  Edited by: Aakash Jain on Nov 24, 2008 11:42 PM

  Hi All,
  What is the best way to call a RFC/BAPI from a Custom Login Module, part of the login stacks?
  I want to avoid using JCo Client Service, do not want to hard code the connection values in the class.
  Have anyone of you come across such a situation?
  Can the custom login module access the Portal Runtime resources, like the Connector Gateway Service/Destination Service?
  Or it just runs inside the j2EE container?
  Thanks for your help
  Aakash
  Edited by: Aakash Jain on Nov 24, 2008 11:42 PM

• Custom JAAS login module configuration in Oracle application server

  I have a LDAP login module implementing javax.security.auth.spi.LoginModule. This login module works well with tomcat and weblogic, if I configure the JVM arguments -Djava.security.auth.login.config and -Djava.security.policy to point to the login.conf and access.policy files. The login.conf file has the below content
  FREEWAY_SERV
  com.wipro.freeway.security.LdapLoginModule required debug=true portal=false;
  FREEWAY_PORT
  com.wipro.freeway.security.LdapLoginModule required debug=true portal=true;
  The access.policy file has contains content like below:
  grant Principal com.wipro.freeway.security.RolePrincipal "UserAdministration" {
       permission com.wipro.freeway.security.URLPermission "/createOtherUser.frw";
       permission com.wipro.freeway.security.URLPermission "/createDealer.frw";
  The application uses these login modules by passing Name of the JAAS configuration (FREEWAY_SERV or FREEWAY_PORT).
  I would like to use the same login module and code in Oracle application sever 10.1.3 and I haven't got any success yet. I am not getting how to set these JVM properties and make my application identify this custom login module. I have tried configuring the custom login module via oc4j admin console and I couldn't give a name to my configuration. I also set the system properties for
  -Djava.security.auth.login.config and -Djava.security.policy with no success.
  Could anybody please help me to get this right?
  Thanks in advance.

  Hello,
  In OracleAS 10g R3 (10.1.3.x) you can register your login module in your application (and server) using Enterprise Manager, and config file. That is easier and more flexible that the parameter.
  I would invite you to take a look to the security how-to:
  - 10.1.3 How-tos, and How to integrate a custom login module
  You can also take a look to the 10.1.3 Documentation and the LDAP/Login Module integration.
  - Security guide: Login Modules