Login Modules-Authentication Providers

Are LoginModules embedded in Authentication
Providers for Weblogic 8.1 ga or do we require to write one ?

Siddhartha <[email protected]> wrote:
> Are LoginModules embedded in Authentication
> Providers for Weblogic 8.1 ga or do we require to write one ?

If you're extending AuthenticationProvider you need to implement the method
    public AppConfigurationEntry getLoginModuleConfiguration()
where the AppConfigurationEntry constructor takes the following parameters:
    <YourLoginModule>.class.getName(),
    AppConfigurationEntry.LoginModuleControlFlag.(REQUIRED|SUFFICIENT etc),
    java.util.Map
The docs at:
http://edocs.bea.com/wls/docs81/dvspisec/index.html
and
http://edocs.bea.com/wls/docs81/dvspisec/atn.html#1182704
The latter has code examples for LoginModules as well as the implementation of
AuthenticationProvider.
Hope this helps!
You don't happen to know how to deploy an EJB to the Weblogic Server Console -
ie: my AuthenticationProvider relies on an EJB - do you?
Best wishes,
Michael

Similar Messages

  • Custom login module Authentication works but Authorization Does not work

    Hi:
    I am using custom login module and switched on the ADF authentication using adf-config.xml file. My custom authentication works i.e. it returns true but when it finally tries to display the page 401 Unauthorized message is shown. I am using JDev 10.1.3.2.
    Is there any other settings I need to perform. Could you please let me know.
    Thanks

    I have the same issue, please refer to this thread.
    Re: ADF Security Authorization

  • Jaas Login module does not work

    Hello,
    I am developing a simple web application which uses JAAS for authentication, but something strange happens. I have written the security information in my web.xml:
    <security-constraint>
              <web-resource-collection>
                   <web-resource-name>simple</web-resource-name>
                   <url-pattern>/security/*</url-pattern>
              </web-resource-collection>
              <auth-constraint>
                   <role-name>admin</role-name>
              </auth-constraint>
         </security-constraint>
         <login-config>
              <auth-method>FORM</auth-method>
              <form-login-config>
                   <form-login-page>/login.seam</form-login-page>
                   <form-error-page>/login.seam</form-error-page>
              </form-login-config>
         </login-config>
         <security-role>
              <role-name>admin</role-name>
         </security-role>
     My login module looks like this:
     package com.auth.security;

     import java.util.Map;
     import javax.security.auth.Subject;
     import javax.security.auth.callback.Callback;
     import javax.security.auth.callback.CallbackHandler;
     import javax.security.auth.callback.NameCallback;
     import javax.security.auth.callback.PasswordCallback;
     import javax.security.auth.callback.UnsupportedCallbackException;
     import javax.security.auth.login.LoginException;
     import javax.security.auth.spi.LoginModule;
     import org.jboss.security.SimplePrincipal; // JBoss's own Principal implementation (jbosssx.jar)

     public class SimpleLoginModule implements LoginModule {
          // initial state
          private Subject subject;
          private CallbackHandler callbackHandler;
          private Map sharedState;
          private Map options;
          // the authentication status
          private boolean succeeded = false;
          private boolean commitSucceeded = false;
          // login info (hard-coded test accounts)
          private static final String[] userNames = { "admin", "guest", "user1", "user2" };
          private static final String[] passwords = { "admin", "sesame", "pass1", "pass2" };
          // current user
          private String username;
          private char[] password;
          // user's principal object
          private SimplePrincipal userPrincipal;
          public void initialize(Subject subject, CallbackHandler callbackHandler, Map sharedState, Map options) {
               System.out.println("INITIALIZE");
               this.subject = subject;
               this.callbackHandler = callbackHandler;
               this.sharedState = sharedState;
               this.options = options;
          }// end initialize()
          public boolean login() throws LoginException {
               System.out.println("LOGIN");
               // prompt for a user name and password
               if (callbackHandler == null)
                    throw new LoginException("Error: no CallbackHandler available " + "to garner authentication information from the user");
               Callback[] callbacks = new Callback[2];
               callbacks[0] = new NameCallback("\nuser name: ");
               callbacks[1] = new PasswordCallback("password: ", false);
               try {
                    callbackHandler.handle(callbacks);
                    username = ((NameCallback) callbacks[0]).getName();
                    char[] tmpPassword = ((PasswordCallback) callbacks[1]).getPassword();
                    if (tmpPassword == null) // treat a NULL password as an empty password
                         tmpPassword = new char[0];
                    password = new char[tmpPassword.length];
                    System.arraycopy(tmpPassword, 0, password, 0, tmpPassword.length);
                    ((PasswordCallback) callbacks[1]).clearPassword();
               } catch (java.io.IOException ioe) {
                    throw new LoginException(ioe.toString());
               } catch (UnsupportedCallbackException uce) {
                    throw new LoginException("Error: " + uce.getCallback().toString() + " not available to authenticate user.");
               }// end try/catch
               boolean usernameCorrect = false;
               boolean passwordCorrect = false;
               String passwordString = new String(password);
               for (int x = 0; x < userNames.length; x++) {
                    if (username.equals(userNames[x]))
                         usernameCorrect = true;
                    if (usernameCorrect && passwordString.equals(passwords[x])) {
                         // authentication succeeded!!!
                         passwordCorrect = true;
                         succeeded = true;
                         break;
                    } else {
                         // authentication failed -- clean out state
                         succeeded = false;
                         usernameCorrect = false;
                    }// end if/else
               }// end for( int x = 0; x < userNames.length; x++ )
               return succeeded;
          }// end login()
          public boolean commit() throws LoginException {
               System.out.println("COMMIT");
               if (!succeeded) {
                    return false;
               } else {
                    // add a Principal (authenticated identity) to the Subject;
                    // assume the user we authenticated is the SimplePrincipal
                    userPrincipal = new SimplePrincipal(username);
                    if (!subject.getPrincipals().contains(userPrincipal))
                         subject.getPrincipals().add(userPrincipal);
                    // in any case, clean out state
                    username = null;
                    password = null;
                    commitSucceeded = true;
                    return true;
               }// end if( succeeded == false )
          }// end commit()
          public boolean abort() throws LoginException {
               System.out.println("ABORT");
               if (succeeded == false) {
                    return false;
               } else if (succeeded == true && commitSucceeded == false) {
                    // login succeeded but overall authentication failed
                    succeeded = false;
                    username = null;
                    if (password != null)
                         password = null;
                    userPrincipal = null;
               } else {
                    // overall authentication succeeded and commit succeeded,
                    // but someone else's commit failed
                    logout();
               }// end if/else
               return true;
          }// end abort()
          public boolean logout() throws LoginException {
               System.out.println("LOGOUT");
               subject.getPrincipals().remove(userPrincipal);
               succeeded = false;
               succeeded = commitSucceeded;
               username = null;
               if (password != null)
                    password = null;
               userPrincipal = null;
               return true;
          }// end logout()
     }// end class SimpleLoginModule
     I am using Jboss-4.2.3.GA and configured login-config.xml like this:
        <application-policy name="simpleLoginModule">
         <authentication>
          <login-module code="com.security.auth.simpleLoginModule" flag="required">
          </login-module>
         </authentication>
        </application-policy>
     I have jboss-web.xml also correctly configured.
     The problem is that when I type the correct username/password this error happens:
     HTTP Status 403 - Access to the requested resource has been denied
     So can anyone help me? What do I have to change/modify in my login module Java code?

    Hi,
    no need to change the authschemes.xml file when you don't know if your code works (you can perfectly break logon to other applications when doing so).
    Configure your application to use declarative authentication; this is done in the web.xml of the application:
    http://help.sap.com/SAPhelp_nw70/helpdata/en/08/0f0e4d1ffece4d8b9c5b84793aac50/content.htm
    http://help.sap.com/SAPhelp_nw70/helpdata/en/40/97ffdb74939747b402b0200780cab5/content.htm
    http://help.sap.com/SAPhelp_nw70/helpdata/en/b9/9482887ddb3e47bd1a738c3e900195/content.htm
    example:
         <login-config>
              <auth-method>FORM</auth-method>
              <realm-name>REALM</realm-name>
              <form-login-config>
                   <form-login-page>logon.jsp</form-login-page>
                   <form-error-page>error.jsp</form-error-page>
              </form-login-config>
         </login-config>
    With declarative authentication the AS Java will use the logon modules you configured in the VA for the application.
    br,
    Tobias

  • Custom login module

    hi,
    I would like to configure a custom authentication module between OIM, JBOSS and AD.
    I try to use the LdapLoginModule from JBOSS.
    Add in xlconfig.xml :
    <login-module>
    <thirdPartyLoginModule>org.jboss.security.auth.spi.LdapLoginModule</thirdPartyLoginModule>
    </login-module>
    Change in login-config.xml :
    <application-policy name = "xellerate">
         <authentication>          
              <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
                   <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
                   <module-option name="java.naming.provider.url">ldap://XXXX:389</module-option>
                   <module-option name="principalDNPrefix">XXXX</module-option>
                   <module-option name="principalDNSuffix">XXXX</module-option>
                   <module-option name="java.naming.security.principal">XXXX</module-option>
                   <module-option name="java.naming.security.credentials">XXXX</module-option>
                   <module-option name="rolesCtxDN">XXXX</module-option>
                   <module-option name="uidAttributeID">XXXX</module-option>
              <module-option name="matchOnUserDN">XXXX</module-option>
              <module-option name="roleAttributeID">XXXX</module-option>
              <module-option name="roleAttributeIsDN">XXXX</module-option>
              <module-option name="searchTimeLimit">XXXX</module-option>
              <module-option name="searchScope">XXXX</module-option>
              <module-option name="allowEmptyPasswords">XXXX</module-option>
              </login-module>
         </authentication>
    </application-policy>
    There is an Error when I try to login on OIM.
    Server.log :
    TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] Begin getAppConfigurationEntry(xellerate), size=9
    TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] End getAppConfigurationEntry(xellerate), authInfo=AppConfigurationEntry[]:
    [0]
    LoginModule Class: org.jboss.security.auth.spi.LdapLoginModule
    ControlFlag: Anmeldemodul-Steuerflag: required
    Options:name=uidAttributeID, value=member
    name=matchOnUserDN, value=true
    name=rolesCtxDN, value=XXXXX
    name=principalDNPrefix, value=XXXXX
    name=principalDNSuffix, value=XXXXX
    name=java.naming.factory.initial, value=com.sun.jndi.ldap.LdapCtxFactory
    name=java.naming.security.credentials, value=XXXXX
    name=allowEmptyPasswords, value=false
    name=java.naming.provider.url, value=XXXXX
    name=java.naming.security.principal, value=XXXXX
    name=searchTimeLimit, value=5000
    name=roleAttributeIsDN, value=false
    name=searchScope, value=ONELEVEL_SCOPE
    name=roleAttributeID, value=XXXXX
    TRACE [org.jboss.security.auth.spi.LdapLoginModule] initialize, instance=@6460623
    TRACE [org.jboss.security.auth.spi.LdapLoginModule] Security domain: xellerate
    TRACE [org.jboss.security.auth.spi.LdapLoginModule] login
    TRACE [org.jboss.security.auth.spi.LdapLoginModule] Logging into LDAP server, env={java.naming.factory.initial=XXXXXX...}
    TRACE [org.jboss.security.auth.spi.LdapLoginModule] Logged into LDAP server, javax.naming.ldap.InitialLdapContext@f24d4f
    TRACE [org.jboss.security.auth.spi.LdapLoginModule] Rebind SECURITY_PRINCIPAL to: cn=XXXXX
    TRACE [org.jboss.security.auth.spi.LdapLoginModule] searching rolesCtxDN=XXXXX
    TRACE [org.jboss.security.auth.spi.LdapLoginModule] Checking answer: XXXXX
    TRACE [org.jboss.security.auth.spi.LdapLoginModule] Assign user to role XXXXX
    TRACE [org.jboss.security.auth.spi.LdapLoginModule] User 'XXXXX' authenticated, loginOk=true
    TRACE [org.jboss.security.auth.spi.LdapLoginModule] commit, loginOk=true
    TRACE [org.jboss.security.SecurityAssociation] getPrincipal, principal=null
    TRACE [org.jboss.security.SecurityAssociation] getSubject, sc=null
    TRACE [org.jboss.security.SecurityAssociation] getPrincipal, principal=null
    TRACE [org.jboss.security.plugins.JaasSecurityManager.xellerate] Begin isValid, principal:null, cache info: null
    TRACE [org.jboss.security.plugins.JaasSecurityManager.xellerate] defaultLogin, principal=null
    TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] Begin getAppConfigurationEntry(xellerate), size=9
    TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] End getAppConfigurationEntry(xellerate), authInfo=AppConfigurationEntry[]:
    [0]
    LoginModule Class: org.jboss.security.auth.spi.LdapLoginModule
    ControlFlag: Anmeldemodul-Steuerflag: required
    Options:name=uidAttributeID, value=member
    name=matchOnUserDN, value=true
    name=rolesCtxDN, value=XXXXX
    name=principalDNPrefix, value=XXXXX
    name=principalDNSuffix, value=XXXXX
    name=java.naming.factory.initial, value=XXXXX
    name=java.naming.security.credentials, value=XXXXX
    name=allowEmptyPasswords, value=false
    name=java.naming.provider.url, value=XXXXX
    name=java.naming.security.principal, value=XXXXX
    name=searchTimeLimit, value=5000
    name=roleAttributeIsDN, value=false
    name=searchScope, value=ONELEVEL_SCOPE
    name=roleAttributeID, value=XXXXX
    2009-09-18 14:44:49,576 TRACE [org.jboss.security.auth.spi.LdapLoginModule] initialize, instance=@22168243
    2009-09-18 14:44:49,576 TRACE [org.jboss.security.auth.spi.LdapLoginModule] Security domain: xellerate
    2009-09-18 14:44:49,576 TRACE [org.jboss.security.auth.spi.LdapLoginModule] login
    2009-09-18 14:44:49,576 TRACE [org.jboss.security.auth.spi.LdapLoginModule] Authenticating as unauthenticatedIdentity=null
    2009-09-18 14:44:49,576 DEBUG [org.jboss.security.auth.spi.LdapLoginModule] Bad password for username=null
    2009-09-18 14:44:49,576 TRACE [org.jboss.security.auth.spi.LdapLoginModule] abort
    2009-09-18 14:44:49,576 TRACE [org.jboss.security.plugins.JaasSecurityManager.xellerate] Login failure
    javax.security.auth.login.FailedLoginException: Password Incorrect/Password Required
         at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:213)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:597)
    In login-config.xml, I comment the following code :
    <!--
    <login-module code="org.jboss.security.ClientLoginModule" flag="required">
    </login-module>
    <login-module code="com.thortech.xl.security.jboss.UsernamePasswordLoginModule" flag = "required" >
         <module-option name = "unauthenticatedIdentity">Unknown</module-option>
         <module-option name = "data-source">java:/jdbc/xlDS</module-option>
    </login-module>
    -->
    I think that my user is authenticated from AD, but OIM tries a second authentication with a username = null.
    Any clues will be helpful.
    Can you help me ?

    Hi,
    I solved the problem.
    In xlconfig.xml :
    <login-module>
              <thirdPartyLoginModule>org.jboss.security.auth.spi.LdapLoginModule</thirdPartyLoginModule>
    </login-module>
    In login-config.xml
    <application-policy name = "xellerate">
    <authentication>
    <login-module code="org.jboss.security.ClientLoginModule" flag="required">
    </login-module>
    <login-module code="com.thortech.xl.security.jboss.UsernamePasswordLoginModule" flag = "required" >
              <module-option name = "unauthenticatedIdentity">Unknown</module-option>
    <module-option name="java.naming.factory.initial ... </module-option>
    </login-module>
    </authentication>
    </application-policy>
    A user must have a role "User" in AD.
    That's all.
    Thanks.

  • Portal authentication using two login module stacks?

    G'day,
    I am noticing something odd when I authenticate to the portal: there are two login module stacks used.
    Background: I have created a custom logon page, which is basically a form with username/password input as per [this guide|http://help.sap.com/saphelp_nw04/helpdata/en/62/601e1eebf54ca6a97e2873c8c63517/content.htm|Changing the logon screen]. I then modified the authschemes.xml file by defining a new authscheme "mylogon" that uses my own login module stack ("mystack") and uses the new logon page ("mylogonform"). This new authscheme is then made the default reference:
    <authscheme name="mylogon">
      <authentication-template>mystack</authentication-template>
      <priority>21</priority>
      <frontendtype>2</frontendtype>
      <frontendtarget>com.foo.bar.mylogonpage</frontendtarget>
    </authscheme>
    <authscheme-refs>
      <authscheme-ref name="default"><authscheme>mylogon</authscheme></authscheme-ref>
      <authscheme-ref name="UserAdminScheme"><authscheme>mylogon</authscheme></authscheme-ref>
    </authscheme-refs>
    When I want to access the portal, up pops the "mylogonform" page, and on clicking the "submit" button the portal page for the user is shown.
    Now here is the interesting thing: when the "ticket" login module stack is unchanged (ie. it uses the BasicpasswordLoginModule), then the log shows that authentication to the portal uses just my login module.
    This can be seen as follows, where I navigate to the portal, logon as one user, then logoff and logon as another user:
    Message : LOGIN.OK
    User: tu-1
    Authentication Stack: mystack
    Message : LOGOUT.OK
    User: tu-1
    Authentication Stack: mystack
    Message : LOGIN.OK
    User: Administrator
    Authentication Stack: mystack
    The "mylogonform" page is shown when logon is required in both cases.
    However, if I modify the "ticket" login module stack by replacing the BasicPasswordLogonModule with a custom logon module that does automatic authentication, then the following is observed when the "mylogonform" page is displayed:
    Message : LOGIN.FAILED
    User: N/A
    Authentication Stack: ticket
    Message : LOGIN.OK
    User: tu-1
    Authentication Stack: ticket
    For some reason, the modified "ticket" login module stack is now being executed, which was not the case when this login module stack was unmodified.
    This stack automatically authenticates the current user (the initial failure is because the new login module asks the browser to send authentication data), and this "failure" causes the logon form to be displayed.
    I can logon to the portal as the same user, and the logs show that "mystack" login module stack is used:
    Message : LOGIN.OK
    User: tu-1
    Authentication Stack: mystack
    Logoff shows that "mystack" is used for the actual logoff, but "ticket" is called again automatically and succeeds:
    Message : LOGOUT.OK
    User: tu-1
    Authentication Stack: mystack
    Message : LOGIN.FAILED
    User: N/A
    Authentication Stack: ticket
    Message : LOGIN.OK
    User: tu-1
    Authentication Stack: ticket
    (Again, the initial logon failure is the new login module requesting that the browser send authentication data in the next request).
    This brings up the "mylogonform" page, even though it appears that a user has already been authenticated. If I try to logon as another user, the following is shown:
    Message : LOGIN.FAILED
    User: Administrator
    Authentication Stack: mystack
    Login Module                                                            Flag        Initialize  Login      Commit     Abort      Details
    com.sap.security.core.server.jaas.EvaluateTicketLoginModule             SUFFICIENT  ok          exception  false      true       authscheme not sufficient: basicauthentication<mylogonform
    Central Checks                                                                                exception             Call logout before login.
    I guess one cannot authenticate as a new user until the current user has been logged out.
    So ... why does the "ticket" login module get called in the second case, but not in the first case (or only shows logging in the second case) ?
    What is the logic behind portal authentication and showing a logon page?
    If I want to use custom authentication and a custom logon page, why is the "ticket" stack called at all?

    Jayesh,
    there is no such thing as "login module stacks". These do exist on the other hand:
    - login module
    - logon stacks
    Login modules and logon stacks are part of the JAAS concept for defining a complex pluggable authentication scheme, originally by Sun (see: java.sun.com/products/jaas).
    A logon process is defined by a logon stack which itself consists of several login modules. Each login module performs an authentication step. Example:
    login module 1: check if valid sap logon ticket provided
    if module 1 fails: then login module 2: request user id/password
    if module 2 succeeds: then login module 3: create new sap logon ticket for user
    You can define multiple logon stacks and configure individual applications to use the one stack or the other.
    The logon stack configuration is done using visual administrator. Here select the security provider service for configuring logon stacks.
    btw: As logon stacks are "java-only", there are no transaction names (which only exist on Web AS ABAP).
    Regards,
    Dominik
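As an added example (not code from any poster, nor from BEA, JBoss or SAP), here is the three-step logon stack Dominik describes, built the way Michael's reply at the top says a provider returns it: one AppConfigurationEntry per login module with its control flag, handed to a JAAS Configuration and driven by LoginContext. The ticket step is SUFFICIENT, so a valid ticket ends the stack early; the password step is REQUIRED, so a bad password fails the whole login and LoginContext calls abort() on every module; the ticket-issuing step is OPTIONAL and picks the user name up from the shared state under the conventional `javax.security.auth.login.name` key. The TicketCallback class, the ticket and password tables and the "ticket-for-" credential are constructed for this demo and assumed, not taken from any product; the password step compares in constant time and reports the same failure message whether or not the user exists.

```java
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
import javax.security.auth.x500.X500Principal;

/** Constructed demo of a three-step JAAS logon stack; not vendor code or any poster's code. */
public class LogonStackDemo {
    // Constructed test data; a real module would ask a ticket service or a directory, never a literal.
    static final Map<String, String> VALID_TICKETS = Collections.singletonMap("tkt-42", "tu-1");
    static final Map<String, char[]> PASSWORDS = Collections.singletonMap("tu-1", "s3cret".toCharArray());
    static final String NAME_KEY = "javax.security.auth.login.name";  // conventional sharedState key
    /** Hypothetical callback carrying a ticket, so step 1 never has to prompt for a password. */
    public static final class TicketCallback implements Callback { public String ticket; }
    /** Two-phase skeleton: login() decides, commit() touches the Subject, abort()/logout() clean up. */
    public abstract static class BaseModule implements LoginModule {
        protected Subject subject; protected CallbackHandler handler; protected Map<String, Object> shared;
        protected String user;  // set by login(), consumed by commit(), cleared by abort()/logout()
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> sharedState, Map<String, ?> options) {
            subject = s; handler = h; shared = (Map<String, Object>) sharedState;
        }
        protected void handle(Callback... callbacks) throws LoginException {
            try { handler.handle(callbacks); }
            catch (java.io.IOException | UnsupportedCallbackException e) { throw new LoginException(e.toString()); }
        }
        public boolean commit() {
            if (user == null) return false;  // this module authenticated nobody: LoginContext ignores it
            subject.getPrincipals().add(new X500Principal("CN=" + user));
            return true;
        }
        public boolean abort() { user = null; return true; }
        public boolean logout() { subject.getPrincipals().clear(); user = null; return true; }
    }
    /** Step 1 (SUFFICIENT): a valid pre-issued ticket ends the stack early; otherwise fail so step 2 runs. */
    public static class TicketLoginModule extends BaseModule {
        public boolean login() throws LoginException {
            TicketCallback cb = new TicketCallback(); handle(cb);
            user = cb.ticket == null ? null : VALID_TICKETS.get(cb.ticket);
            if (user == null) throw new FailedLoginException("no valid ticket presented");
            shared.put(NAME_KEY, user); return true;
        }
    }
    /** Step 2 (REQUIRED): user id/password, compared in constant time, one message for every failure. */
    public static class PasswordLoginModule extends BaseModule {
        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            handle(nc, pc);
            char[] given = pc.getPassword(); pc.clearPassword();
            if (given == null) given = new char[0];
            char[] expected = PASSWORDS.getOrDefault(nc.getName(), "dummy-for-unknown".toCharArray());
            boolean ok = constantTimeEquals(given, expected) & PASSWORDS.containsKey(nc.getName());
            Arrays.fill(given, '\0');  // drop the secret as soon as it has been checked
            if (!ok) throw new FailedLoginException("Password Incorrect/Password Required");
            user = nc.getName();
            shared.put(NAME_KEY, user); return true;
        }
        static boolean constantTimeEquals(char[] a, char[] b) {
            int diff = a.length ^ b.length;
            for (int i = 0; i < a.length && i < b.length; i++) diff |= a[i] ^ b[i];
            return diff == 0;
        }
    }
    /** Step 3 (OPTIONAL): issue a fresh ticket for whoever step 1 or step 2 identified. */
    public static class CreateTicketLoginModule extends BaseModule {
        public boolean login() { user = (String) shared.get(NAME_KEY); return user != null; }
        @Override public boolean commit() {
            if (user == null) return false;
            subject.getPublicCredentials().add("ticket-for-" + user);  // constructed stand-in for a real ticket
            return true;
        }
    }
    /** The stack: the AppConfigurationEntry list a provider's getLoginModuleConfiguration() would return. */
    static final Configuration STACK = new Configuration() {
        @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            Map<String, ?> none = Collections.<String, Object>emptyMap();
            return new AppConfigurationEntry[] {
                new AppConfigurationEntry(TicketLoginModule.class.getName(), AppConfigurationEntry.LoginModuleControlFlag.SUFFICIENT, none),
                new AppConfigurationEntry(PasswordLoginModule.class.getName(), AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, none),
                new AppConfigurationEntry(CreateTicketLoginModule.class.getName(), AppConfigurationEntry.LoginModuleControlFlag.OPTIONAL, none) };
        }
    };
    /** Constructed handler standing in for the logon form (name/password) or the ticket cookie. */
    static CallbackHandler handler(String ticket, String name, String password) {
        return callbacks -> {
            for (Callback c : callbacks) {
                if (c instanceof TicketCallback) ((TicketCallback) c).ticket = ticket;
                else if (c instanceof NameCallback) ((NameCallback) c).setName(name);
                else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword(password == null ? null : password.toCharArray());
                else throw new UnsupportedCallbackException(c);
            }
        };
    }
    static Subject authenticate(CallbackHandler h) throws LoginException {
        Subject subject = new Subject();
        new LoginContext("demo", subject, h, STACK).login();  // the name is irrelevant to this Configuration
        return subject;
    }
    public static void main(String[] args) {
        try {
            System.out.println("ticket only   -> " + authenticate(handler("tkt-42", null, null)).getPrincipals());
            System.out.println("password only -> " + authenticate(handler(null, "tu-1", "s3cret")).getPublicCredentials());
            authenticate(handler(null, "tu-1", "wrong"));  // step 2 throws, abort() runs on every module
        } catch (LoginException e) {
            System.out.println("wrong password -> " + e.getMessage());
        }
    }
}
```

Run it with `javac LogonStackDemo.java && java LogonStackDemo`. The ticket run adds only the principal, because LoginContext stops at the SUFFICIENT module in both the login and the commit phase; the password run adds the principal and the constructed credential, because the REQUIRED and OPTIONAL modules both commit; the wrong-password run surfaces the REQUIRED module's FailedLoginException after every module's abort() has cleared its state. This is the same precedence the JBoss log further up in this thread shows when its REQUIRED UsernamePasswordLoginModule fails and the whole login aborts even though the LDAP module before it said loginOk=true.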

  • Issues with OSSO ,custom login module and form based authentication

    Hi:
    We are facing issues with OSSO (Oracle Single Sign-On). Our application uses form based authentication and a custom login module.
    The application goes into an infinite loop when we try to login using OSSO. From the logs, what I got is that when we try to login from OSSO the application goes to the login page and it gets the remote user from the request, so it forwards it to the home page; till now it is correct behaviour, but after that it looks like the home page finds that authentication is not done and sends it back to the login page, and the login page again sends it to the home page as it finds that the remote user is not null.
    Our web.xml form authentication entry looks like this :
    <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
    <form-login-page>/jsp/login.jsp</form-login-page>
    <form-error-page>/jsp/couldnotlogin.jsp</form-error-page>
    </form-login-config>
    </login-config>
    While entry in orion-application.xml has the following entry for custom login :
    <jazn provider="XML">
         <property name="custom.loginmodule.provider" value="true" />
    <property name="role.mapping.dynamic" value="true" />
    </jazn>
    Would changing the authentication type to BASIC and adding the following line in orion-application.xml solve the issue?
    <jazn provider="XML">
         <property name="custom.loginmodule.provider" value="true" />
    <property name="role.mapping.dynamic" value="true" />
    <jazn-web-app auth-method="SSO" >
    </jazn>
    Any help regarding it will be appreciated .
    Thanks
    Anil

  • Authenticating Host SPN using Kerberos Login module

    Hi,
    I have written an application that needs to support Java GSS based context establishment with the clients using Java's Kerberos Login module. This application is hosted in Tomcat and I have a limitation that Tomcat is running as the "LocalSystem" account on the host machine (not to be confused with the Administrator account on the host machine), so it does not have a password.
    The AD to which this host is connected has an SPN registered for this host machine like any other computer account. But my doubt is how I will authenticate my application (using the Kerberos Login module) using that Host SPN if I do not have any password for "LocalSystem". I am giving the user name as "HOST/<machine-name>" or "<machine-name>", but it fails at the application side saying no encryption key found. If I try to give some random password I get an error message from AD saying that pre-authentication failed.
    Without authenticating my application to AD I am not able to get the Kerberos key which is required for context establishment for GSS.
    Any help in this regard will be really helpful.
    Thanks.

    Thanks for your response!
    My application is just an authentication module in a bigger application which is not under my control. This application is hosted on Apache Tomcat and provides both options: to run as the "LocalSystem" account or as a domain account. So I have to provide support for both options.
    I am getting increasingly convinced that the Java Kerberos module can't handle authentication for the "LocalSystem" account and I need to opt for some Windows native APIs for that. If that is the case, can someone tell me how I can proceed with that? I have no idea which Windows APIs to use for it.
    Thanks.
    Edited by: Java-Dev-01 on Mar 14, 2010 6:03 AM

  • Not able  to add login module to authentication stacks!

    HI Portal Gurus!
    We are implementing SiteMinder SSO integration with the portal.
    I am trying to do the following configuration ...
    Modify the ticket authentication template:
    a.) Remove from the stack:
    1) BasicPasswordLoginModule
    2) EvaluateTicketLoginModule
    b.) Add the following modules to the top of the stack, in the order shown:
    SiteMinderLoginModule
    CreateTicketLoginModule
    I am not able to either remove the existing ones or add a new login module. I am getting an error "Unable to add login module to authentication stacks!"
    I logged in to V.Admin as administrator with admin & superadmin roles.
    It would be great if anyone could help me in this .
    Regards
    tag

    Hi,
    In change mode I only get an error:
    error "Unable to add login module stack to authentication stack! Details are available in status bar"
    In the status bar the information is below...
    Unable to add login module to the authentication stack!
    java.lang.SecurityException: com.sap.engine.services.security.exceptions.BaseSecurityException: Caller not authorized.
         at com.sap.engine.services.security.resource.ResourceHandleImpl.checkPermission(ResourceHandleImpl.java(Compiled Code))
         at com.sap.engine.services.security.resource.ResourceHandleImpl.checkPermission(ResourceHandleImpl.java(Compiled Code))
         at com.sap.engine.services.security.resource.ResourceContextImpl.checkPermission(ResourceContextImpl.java(Compiled Code))
         at com.sap.engine.services.security.restriction.Restrictions.checkPermission(Restrictions.java(Compiled Code))
         at com.sap.engine.services.security.server.AuthenticationContextImpl.setLoginModules(AuthenticationContextImpl.java(Compiled Code))
         at com.sap.engine.services.security.remoteimpl.RemoteAuthenticationImpl.setLoginModules(RemoteAuthenticationImpl.java(Compiled Code))
         at com.sap.engine.services.security.remoteimpl.RemoteAuthenticationImplp4_Skel.dispatch(RemoteAuthenticationImplp4_Skel.java(Compiled Code))
         at com.sap.engine.services.rmi_p4.DispatchImpl._runInternal(DispatchImpl.java(Compiled Code))
         at com.sap.engine.services.rmi_p4.DispatchImpl._run(DispatchImpl.java(Inlined Compiled Code))
         at com.sap.engine.services.rmi_p4.server.P4SessionProcessor.request(P4SessionProcessor.java(Compiled Code))
         at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java(Compiled Code))
         at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java(Compiled Code))
         at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java(Compiled Code))
         at java.security.AccessController.doPrivileged1(Native Method)
         at java.security.AccessController.doPrivileged(AccessController.java(Compiled Code))
         at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java(Compiled Code))
         at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java(Compiled Code))
         at com.sap.engine.services.security.exceptions.BaseSecurityException.writeReplace(BaseSecurityException.java:349)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java(Compiled Code))
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java(Compiled Code))
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java(Compiled Code))
         at java.lang.reflect.Method.invoke(Method.java(Compiled Code))
         at java.io.ObjectStreamClass.invokeWriteReplace(ObjectStreamClass.java:1057)
         at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java(Compiled Code))
         at java.io.ObjectOutputStream.writeObject(ObjectOutputStream.java(Compiled Code))
         at com.sap.engine.services.rmi_p4.DispatchImpl.throwException(DispatchImpl.java(Compiled Code))
         at com.sap.engine.services.rmi_p4.DispatchImpl._runInternal(DispatchImpl.java(Compiled Code))
         at com.sap.engine.services.rmi_p4.DispatchImpl._run(DispatchImpl.java(Inlined Compiled Code))
         at com.sap.engine.services.rmi_p4.server.P4SessionProcessor.request(P4SessionProcessor.java(Compiled Code))
         at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java(Compiled Code))
         at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java(Compiled Code))
         at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java(Compiled Code))
         at java.security.AccessController.doPrivileged1(Native Method)
         at java.security.AccessController.doPrivileged(AccessController.java(Compiled Code))
         at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java(Compiled Code))
         at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java(Compiled Code))
    I would appreciate it if anybody could help resolve this issue.
    Regards
    Tag

  • Reg: Authentication using login modules

    Hi all
    I have a web module and I want to protect it through the JEE authentication scheme BASIC. I am using CE NW710 SP 04. I have edited the web.xml file and the web-j2ee-engine.xml file as well. I have given basicpasswordloginmodule as the login module in web-j2ee-engine.xml. I wish to see a logon page when my web module is accessed; is there any other step needed?
    Thank you.
    regards
    Lakshminarayanan.V

    I'm not sure, but I would think that you also need to appoint a policy configuration template to your application which forces the basic authentication module to be called. This you do in the Visual Administrator -> Security Provider
    Marcel

  • Opinions on implementing a JAAS login module to achieve SSO

    We are looking at implementing SSO from a sharepoint website to the portal.  The users who are accessing the Sharepoint site are using their own computers and are not members of the AD Domain, so they could theoretically be using any computer in the world to access Sharepoint.
    the desired user experience looks something like this.
    user--login> sharepoint site -no login--
    >portal
    One of the methods we are looking at to achieve this is to implement a custom JAAS login module that would authenticate the user if they are coming from the Sharepoint site.
    I would like to get your opinions on how viable you think this method is.  One of the goals of this method is ease of implementation, so if you can think of an easier way to implement this please let us know.
    the method is basically this.
    1. User logs into sharepoint using their AD username and password and establish an active session with sharepoint
    2. user navigates to a link in sharepoint that points to a resource in the SAP Portal
    3. we don't want the user to have to login to access the resource when they click on the link
    4. to facilitate this, sharepoint has constructed the link in the following way
    5. the link is an https link
    6. the link has two additional parameters in addition to whatever is necessary to navigate to the resource
    7. the parameters are
    8. un = the users AD username
    9. uh = sha1("secret_password_known_to_both_the_login_module_and_sharepoint" + "username")
    10. the user clicks the link and is directed to the SAP portal
    11. the sap portal has a custom JAAS login module which performs its checks before the other login modules
    12. the custom module computes ( sha1("secret_password_known_to_both_the_login_module_and_sharepoint" + un)) and then compares the result with uh, if they are equal, the custom login module authenticates the user bypassing any further need for authentication, otherwise authentication passes to the original authentication modules as normal.
    If you think there is an easier way, please let us know.  We are essentially looking for the easiest/fastest way to implement this functionality that is still secure.
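
The link scheme in steps 4 to 12 above, as an added example that is not part of the original post and is written in Python rather than as a JAAS module: the sha1(secret + username) digest exactly as proposed, next to a hardened variant. The parameter names ts and nonce, the 60 second validity window, the replay cache and the shared secret value are assumptions of this example, not something the post specifies. Two things the proposal lacks stand out once both sit side by side: the digest for a user never changes, so any copy of the link (browser history, proxy logs, a Referer header, a forwarded mail) is a permanent bearer credential for that user, and sha1(secret || message) is not a MAC, whereas HMAC is.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed shared secret for the example. A real deployment uses a random
# key of at least 32 bytes, provisioned to SharePoint and to the portal login
# module out of band.
SECRET = b"secret_password_known_to_both_the_login_module_and_sharepoint"


# --- Scheme as proposed in the post: uh = sha1(secret + un) -----------------

def weak_token(un: str) -> str:
    """SharePoint side of the proposal: one fixed digest per user, forever."""
    return hashlib.sha1(SECRET + un.encode("utf-8")).hexdigest()


def weak_verify(un: str, uh: str) -> bool:
    """Portal side of the proposal. Nothing in the token changes over time and
    nothing is remembered, so any copy of the link logs in as `un` until the
    secret is rotated."""
    return weak_token(un) == uh


# --- Hardened variant: HMAC over (un, ts, nonce), short TTL, single use ------

def _mac(un: str, ts: int, nonce: str) -> str:
    # Length-prefix every field so no delimiter inside a user name can move the
    # field boundaries, and use HMAC instead of sha1(secret || msg).
    msg = b""
    for field in (un, str(ts), nonce):
        raw = field.encode("utf-8")
        msg += len(raw).to_bytes(4, "big") + raw
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def build_link(base: str, un: str, now: Optional[int] = None) -> str:
    """SharePoint side: mint a fresh, short-lived link for the logged-in user."""
    ts = int(time.time() if now is None else now)
    nonce = secrets.token_hex(16)          # 128 random bits, one per link
    query = {"un": un, "ts": ts, "nonce": nonce, "uh": _mac(un, ts, nonce)}
    return f"{base}?{urlencode(query)}"


class PortalVerifier:
    """Portal side: the check a custom login module would run on the request."""

    def __init__(self, ttl: int = 60, skew: int = 5) -> None:
        self.ttl = ttl        # how long a minted link stays usable
        self.skew = skew      # tolerated clock difference between the two hosts
        self._seen: Dict[str, int] = {}   # nonce -> expiry; a cluster needs a shared store

    def verify(self, url: str, now: Optional[int] = None) -> Optional[str]:
        """Return the authenticated user name, or None so the request falls
        through to the regular login stack, as the post intends for failures."""
        now = int(time.time() if now is None else now)
        q = parse_qs(urlsplit(url).query)
        try:
            un, nonce, uh = q["un"][0], q["nonce"][0], q["uh"][0]
            ts = int(q["ts"][0])
        except (KeyError, ValueError):
            return None
        if ts > now + self.skew or now - ts > self.ttl:
            return None                   # expired, or issued with a clock far ahead of ours
        self._seen = {n: exp for n, exp in self._seen.items() if exp > now}
        if nonce in self._seen:
            return None                   # replayed link
        if not hmac.compare_digest(_mac(un, ts, nonce), uh):
            return None                   # forged or tampered; constant-time compare
        self._seen[nonce] = now + self.ttl + self.skew
        return un


if __name__ == "__main__":
    link = build_link("https://portal.example/irj/portal", "alice")
    portal = PortalVerifier()
    print("first use :", portal.verify(link))   # alice
    print("replay    :", portal.verify(link))   # None
```

Even with the hardened check the login module only learns a user name; it still has to resolve that name against the portal's own user store before creating a session, and the nonce cache has to be shared if the portal runs on more than one server node.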

    Hey Gary,
      I'm currently using Apache running on RedHat that leverages Apache's mod_rewrite module. I've got a bank of 6 reverse proxies sitting in front of an SAP Portal and each proxy runs on a host with dual 3.33GHz processors and 8 GB of RAM. I know... they're waaay over-sized and they pretty much snooze all day.
      This is the sole entry point for all SAP users and we sized them to accommodate the "worst case" of about 5000 (potential) named users, concurrently. Realistically, we've only ever had about 1500 unique users hitting the systems in a day (following an upgrade go-live, everybody is curious and wants to log on) and a typical load of about 500 to 750 users in a day.
      Never had a real performance problem to speak of. As long as the proxies are tuned properly (ssl cache, sessions, etc.), you should be fine.
      Setting header variables and some other "custom stuff" is handled in Perl (need Apache's mod_perl active). We've got a script that's called by all users before being passed to the Portal.
      We used IISProxy.dll with an IIS web server a long time ago (5 years maybe?) but opted to can it in favor of the approach described above.
      If you ask SAP, they'll recommend you use a WebDispatcher... and that's certainly an option as well.
    -Kevin

  • SOAP Web Service +  Custom Login Module issue

    Hi Guys,
    We faced an authentication issue in our project. Could you please give any advice how the issue could be resolved.
    Environment: A simple SOAP Web Service on top of POJO class created in a Web Application. The web application deployed to the SAP NetWeaver 7.10 Application Server in the Enterprise Application Archive.
    Configuration:
          Single Service Administration Application(NetWeaver Administration -> SOA Management -> Application and Scenario Communication -> Single Service Administration)
           The web service endpoint has authentication configured to use User ID/Password HTTP Authentication.
        Authentication Application(NetWeaver Administration-> Configuration Management->Security->Authentication)
          The application(<vendorName>/<earName>*<vendor>~<webAppName>) has Authentication Stack configured to use our custom login module.
    Issue: BasicPasswordLoginModule is used by the J2EE engine when we are trying to execute the web service using the Web Service Navigator (checked in debug mode). It seems that we missed something in the configuration.
    Idea: The main Idea is to use our custom login module when we are executing a web service.
    Could you help me to resolve the issue.
    Thanks,
    Dmitry
    Edited by: Dmitry Eidin on Jul 17, 2009 3:46 PM

    > The web service endpoint has authentication configured to use User ID/Password HTTP Authentication.
    That's the point.

  • Assigning a login module to a single WebDynpro to authenticate against LDAP

    Hi there,
    we are running the J2EE Engine 7.0 within XI on SAP NetWeaver 2004s / Linux x86_64.
    Basically, I want to authenticate a Java WebDynpro against an LDAP (Active Directory). With the XI Usage installed, I can not customize the UME to authenticate against an LDAP (not supported and not possible).
    Thus, I want to use a custom login module or, if suitable, a standard login module to authenticate against LDAP. I know that all WebDynpro Apps use the default authentication scheme that in turn references the authentication template "ticket".
    1) Can I use a predefined Login Module to authenticate against Active Directory LDAP or do I have to write a custom login module?
    2) Is it possible to assign a login module to a single WebDynpro and how can I do this?
    Thanks a lot in advance,
    Oliver Kalkofen

    > Thus, I want to use a custom login module or, if
    > suitable, a standard login module to authenticate
    > against LDAP.
    We have developed a custom login module which does this. It looks to the user like the BasicPasswordLoginModule provided with SAP, but the userid and password entered have to be a valid account/password from the Active Directory domain. We use the Kerberos protocol to perform this userid/password validation, not LDAP. The userid can be just a name, in which case the default domain (realm in Kerberos terminology) is used, or it can be specified as user@REALM, in which case a non-default realm can be used to authenticate. Once the authentication is complete, we look in the USRACL table to map this Kerberos principal name onto a SAP userid so we can then create an SSO2 ticket.
    If you are interested in evaluating this, or in getting a quote for purchasing it, please contact me offline. Of course, you can develop your own if you are happy to do so. I just thought you might be interested to know of an alternative.
    Thanks,
    Tim

  • Assigning a login module to a Web Dynpro application

    Hi everybody,
    I would like a Web Dynpro application to use a custom login module for authentication. How can I do this?
    What I found is the Security Provider (in the Visual Administrator tool) where I can add a login module to the "form" authentication mechanism for example. But if I do this I think all applications using this mechanism have to use my custom login module, right?
    I wonder if I have to add my Web Dynpro application as a component to the Security Provider so that I can assign login modules to it. Am I on the right way? If yes, how can I do this? If I choose "Add" from the "Policy Configurations" tab a popup appears where I can enter the name for a new component. How do I specify my application there?
    Thanks in advance for all answers,
    Torben

    Hi,
    Web Dynpro applications use the ticket authentication template. You would need to add your login module to the ticket template's login stack.
    In case you are accessing the Web Dynpro applications through the EP you would need to make changes to the authschemes.xml file too.
    regards,
    Vishal

  • Help - using custom login module with embedded jdev oc4j to access ejb 3

    Hi All (Frank ??),
    I'm just wondering if anyone has successfully been able to leverage a custom login module in combination
    with a client that connects to a local EJB 3 stateless session bean through Jdeveloper 10.1.3.2's embedded oc4j.
    I have spent 2+ days trying to get this to work - and I think I am resigned now to the fact I'm going to
    have to deploy to oc4j standalone instead.
    I got close.. but finally was trumped with the following error from the client trying to access the ejb:-
    javax.naming.NoPermissionException: Not allowed to look up XXXXXX, check the namespace-access tag
    setting in orion-application.xml for details.
    Using the various guides available, I had no problem getting the custom login module working
    with a local servlet running from JDev's embedded oc4j.. however with ejb - no such luck.
    I have a roles table (possible values Member, Admin) - that maps to sr_Member and sr_Admin
    respectively in various config files.
    I'm using EJB 3 annotations for protecting methods .. for example
    @RolesAllowed("sr_Member")
    Steps that I had to do so far :-
    In <jdevhome>\jdev\system\oracle.jwee.10.1.3.40.66\embedded-oc4j\config\system-jazn-data.xml
    1) Add custom login module
        <application>
          <name>current-workspace-app</name>
          <login-modules>
            <login-module>
              <class>kr.security.KnowRushLoginModule</class>
              <control-flag>required</control-flag>
              <options>
                <option>
                  <name>dataSource</name>
                  <value>jdbc/DB_XE_KNOWRUSHDS</value>
                </option>
                <option>
                  <name>user.table</name>
                  <value>users</value>
                </option>
                <option>
                  <name>user.pk.column</name>
                  <value>id</value>
                </option>
                <option>
                  <name>user.name.column</name>
                  <value>email_address</value>
                </option>
                <option>
                  <name>user.password.column</name>
                  <value>password</value>
                </option>
                <option>
                  <name>role.table</name>
                  <value>roles</value>
                </option>
                <option>
                  <name>role.to.user.fk.column</name>
                  <value>user_id</value>
                </option>
                <option>
                  <name>role.name.column</name>
                  <value>name</value>
                </option>
              </options>
            </login-module>
          </login-modules>
        </application>
    2) Grant login rmi permission to roles associated with custom login module (also in system-jazn-data.xml)
      <grant>
        <grantee>
          <principals>
            <principal>
              <realm-name>jazn.com</realm-name>
              <type>role</type>
              <class>kr.security.principals.KRRolePrincipal</class>
              <name>Admin</name>
            </principal>
          </principals>
        </grantee>
        <permissions>
          <permission>
            <class>com.evermind.server.rmi.RMIPermission</class>
            <name>login</name>
          </permission>
        </permissions>
      </grant>
      <grant>
        <grantee>
          <principals>
            <principal>
              <realm-name>jazn.com</realm-name>
              <type>role</type>
              <class>kr.security.principals.KRRolePrincipal</class>
              <name>Member</name>
            </principal>
          </principals>
        </grantee>
        <permissions>
          <permission>
            <class>com.evermind.server.rmi.RMIPermission</class>
            <name>login</name>
          </permission>
        </permissions>
      </grant>
    3) I've tried creating various oracle and j2ee deployment descriptors (even though ejb-jar.xml and orion-ejb-jar.xml get created automatically when running the session bean in jdev).
    My ejb-jar.xml contains :-
    <?xml version="1.0" encoding="utf-8"?>
    <ejb-jar xmlns ....
      <assembly-descriptor>
        <security-role>
          <role-name>sr_Admin</role-name>
        </security-role>
        <security-role>
          <role-name>sr_Member</role-name>
        </security-role>
      </assembly-descriptor>
    </ejb-jar>
    Note- i'm not specifying the enterprise-beans stuff, as JDev seems to populate this automatically.
    My orion-ejb-jar.xml contains ...
    <?xml version="1.0" encoding="utf-8"?>
    <orion-ejb-jar ...
      <assembly-descriptor>
        <security-role-mapping name="sr_Admin">
          <group name="Admin"></group>
        </security-role-mapping>
        <security-role-mapping name="sr_Member">
          <group name="Member"></group>
        </security-role-mapping>
        <default-method-access>
          <security-role-mapping name="sr_Member" impliesAll="true">
          </security-role-mapping>
        </default-method-access>
      </assembly-descriptor>
    My orion-application.xml contains ...
    <?xml version="1.0" encoding="utf-8"?>
    <orion-application xmlns ...
      <security-role-mapping name="sr_Admin">
        <group name="Admin"></group>
      </security-role-mapping>
      <security-role-mapping name="sr_Member">
        <group name="Member"></group>
      </security-role-mapping>
      <jazn provider="XML">
        <property name="role.mapping.dynamic" value="true"></property>
        <property name="custom.loginmodule.provider" value="true"></property>
      </jazn>
      <namespace-access>
        <read-access>
          <namespace-resource root="">
            <security-role-mapping name="sr_Admin">
              <group name="Admin"/>
              <group name="Member"/>
            </security-role-mapping>
          </namespace-resource>
        </read-access>
        <write-access>
          <namespace-resource root="">
            <security-role-mapping name="sr_Admin">
              <group name="Admin"/>
              <group name="Member"/>
            </security-role-mapping>
          </namespace-resource>
        </write-access>
      </namespace-access>
    </orion-application>
    My essentially auto-generated EJB 3 client does the following :-
          Hashtable env = new Hashtable();
          env.put(Context.SECURITY_PRINCIPAL, "matt.shannon");
          env.put(Context.SECURITY_CREDENTIALS, "welcome1");
          final Context context = new InitialContext(env);
          KRFacade kRFacade = (KRFacade)context.lookup("KRFacade");
    ...
    And throws the error
    20/04/2007 00:55:37 oracle.j2ee.rmi.RMIMessages EXCEPTION_ORIGINATES_FROM_THE_REMOTE_SERVER
    WARNING: Exception returned by remote server: {0}
    javax.naming.NoPermissionException: Not allowed to look up KRFacade, check the namespace-access tag setting in orion-application.xml for details
         at com.evermind.server.rmi.RMIClientConnection.handleLookupResponse(RMIClientConnection.java:819)
         at com.evermind.server.rmi.RMIClientConnection.handleOrmiCommandResponse(RMIClientConnection.java:283)
    ....
    I can see from the console that the user was successfully authenticated :-
    20/04/2007 00:55:37 kr.security.KnowRushLoginModule validate
    WARNING: [KnowRushLoginModule] User matt.shannon authenticated
    And that user is granted both the Admin, and Member roles.
    The test servlet using basic authentication correctly detects the user and roles perfectly...
      public void doGet(HttpServletRequest request,
                        HttpServletResponse response)
        throws ServletException, IOException
      {
        LOGGER.log(Level.INFO,LOGPREFIX +"doGet called");
        response.setContentType(CONTENT_TYPE);
        PrintWriter out = response.getWriter();
        out.println("<html>");
        out.println("<head><title>ExampleServlet</title></head>");
        out.println("<body>");
        out.println("<p>The servlet has received a GET. This is the reply.</p>");
        out.println("<br> getRemoteUser = " + request.getRemoteUser());
        out.println("<br> getUserPrincipal = " + request.getUserPrincipal());
        out.println("<br> isUserInRole('sr_Admin') = "+request.isUserInRole("sr_Admin"));
        out.println("<br> isUserInRole('sr_Member') = "+request.isUserInRole("sr_Member"));
      }
    Anyone got any ideas what could be going wrong?
    cheers
    Matt.
    Message was edited by:
    mshannon

    Thanks for the response. I checked out your blog and tried your suggestions. I'm sure it works well in standalone OC4J, but i was still unable to get it to function correctly from JDeveloper embedded.
    Did you ever get the code working directly from JDeveloper?
    Your custom code essentially seems to be the equivalent of a grant within system-jazn-data.xml.
    For example, the following grant to a custom jaas role (JAAS_ADMIN) that gets added by my custom login module gives them rmi login access :-
         <grant>
              <grantee>
                   <principals>
                        <principal>
                             <realm-name>jazn.com</realm-name>
                             <type>role</type>
                             <class>kr.security.principals.KRRolePrincipal</class>
                             <name>JAAS_Admin</name>
                        </principal>
                   </principals>
              </grantee>
              <permissions>
                   <permission>
                        <class>com.evermind.server.rmi.RMIPermission</class>
                        <name>login</name>
                   </permission>
              </permissions>
         </grant>
    If I add the following to orion-application.xml
      <!-- Granting login permission to users accessing this EJB. -->
      <namespace-access>
        <read-access>
          <namespace-resource root="">
            <security-role-mapping>
              <group name="JAAS_Admin"></group>
            </security-role-mapping>
          </namespace-resource>
        </read-access>
    Running a standalone client against the embedded jdev oc4j server gives the namespace-access error.
    I tried out your code by essentially creating a static reference to a singleton class that does the role lookup/provisioning with rmi login grant :-
    From custom login module :-
      private static KRSecurityHelper singleton = new KRSecurityHelper();
      protected Principal[] m_Principals;
        Vector v = new Vector();
          v.add(singleton.getCustomRmiConnectRole());
          // set principals in LoginModule
          m_Principals=(Principal[]) v.toArray(new Principal[v.size()]);
    Singleton class :-
    package kr.security;

    import com.evermind.server.rmi.RMIPermission;
    import java.util.logging.Level;
    import java.util.logging.Logger;
    import oracle.security.jazn.JAZNConfig;
    import oracle.security.jazn.policy.Grantee;
    import oracle.security.jazn.realm.Realm;
    import oracle.security.jazn.realm.RealmManager;
    import oracle.security.jazn.realm.RealmRole;
    import oracle.security.jazn.realm.RoleManager;
    import oracle.security.jazn.policy.JAZNPolicy;
    import oracle.security.jazn.JAZNException;

    public class KRSecurityHelper
    {
      private static final Logger LOGGER = Logger.getLogger("kr.security");
      private static final String LOGPREFIX = "[KRSecurityHelper] ";
      public static String CUSTOM_RMI_CONNECT_ROLE = "remote_connect";
      private RealmRole m_Role = null;

      public KRSecurityHelper()
      {
        LOGGER.log(Level.FINEST,LOGPREFIX +"calling JAZNConfig.getJAZNConfig");
        JAZNConfig jc = JAZNConfig.getJAZNConfig();
        LOGGER.log(Level.FINEST,LOGPREFIX +"calling jc.getRealmManager");
        RealmManager realmMgr = jc.getRealmManager();
        try
        {
          // Get the default realm .. e.g. jazn.com
          LOGGER.log(Level.FINEST,LOGPREFIX +"calling jc.getGetDefaultRealm");
          Realm r = realmMgr.getRealm(jc.getDefaultRealm());
          LOGGER.log(Level.INFO,LOGPREFIX +"default realm: "+r.getName());
          // Access the role manager for the remote connection role
          LOGGER.log(Level.FINEST,
            LOGPREFIX +"calling default_realm.getRoleManager");
          RoleManager roleMgr = r.getRoleManager();
          LOGGER.log(Level.INFO,LOGPREFIX +"looking up custom role '"
            + CUSTOM_RMI_CONNECT_ROLE + "'");
          RealmRole rmiConnectRole = roleMgr.getRole(CUSTOM_RMI_CONNECT_ROLE);
          if (rmiConnectRole == null)
          {
            LOGGER.log(Level.INFO,LOGPREFIX +"role does not exist, create it...");
            rmiConnectRole = roleMgr.createRole(CUSTOM_RMI_CONNECT_ROLE);
            LOGGER.log(Level.FINEST,LOGPREFIX +"constructing new grantee");
            Grantee gtee = new Grantee(rmiConnectRole);
            LOGGER.log(Level.FINEST,LOGPREFIX +"constructing login rmi permission");
            RMIPermission login = new RMIPermission("login");
            LOGGER.log(Level.FINEST,
              LOGPREFIX +"constructing subject.propagation rmi permission");
            RMIPermission subjectprop = new RMIPermission("subject.propagation");
            // make policy changes
            LOGGER.log(Level.FINEST,LOGPREFIX +"calling jc.getPolicy");
            JAZNPolicy policy = jc.getPolicy();
            if (policy != null)
            {
              LOGGER.log(Level.INFO, LOGPREFIX
                + "add to policy grant for RMI 'login' permission to "
                + CUSTOM_RMI_CONNECT_ROLE);
              policy.grant(gtee, login);
              LOGGER.log(Level.INFO, LOGPREFIX
                + "add to policy grant for RMI 'subject.propagation' permission to "
                + CUSTOM_RMI_CONNECT_ROLE);
              policy.grant(gtee, subjectprop);
              // m_Role = rmiConnectRole;
              m_Role = roleMgr.getRole(CUSTOM_RMI_CONNECT_ROLE);
              LOGGER.log(Level.INFO, LOGPREFIX
                + m_Role.getName() + ":" + m_Role.getFullName() + ":" + m_Role.getFullName());
            }
            else
            {
              LOGGER.log(Level.WARNING,LOGPREFIX +"Cannot find jazn policy!");
            }
          }
          else
          {
            LOGGER.log(Level.INFO,LOGPREFIX +"custom role already exists");
            m_Role = rmiConnectRole;
          }
        }
        catch (JAZNException e)
        {
          LOGGER.log(Level.WARNING,
            LOGPREFIX +"Cannot configure JAZN for remote connections");
        }
      }

      public RealmRole getCustomRmiConnectRole()
      {
        return m_Role;
      }
    }
    Using the code approach and switching application.xml across so that namespace access is for the group remote_connect, I get the following error from my bean :-
    INFO: Login permission not granted for current-workspace-app (test.user)
    Thus, the login permission that I'm adding through the custom remote_connect role does not seem to work. Even if it did, i'm pretty sure I would still get that namespace error.
    This has been such a frustrating process. All the custom login module samples using embedded JDeveloper show simple j2ee servlet protection based on settings in web.xml.
    There are no samples showing jdeveloper embedded oc4j using ejb with custom login modules.
    Hopefully the oc4j jdev gurus like Frank can write a paper that demonstrates this.
    Matt.

  • Custom login module on OC4J 10.1.3.3.0

    Hi,
    I need to implement custom web form-based authentication on OC4J, in order to port an existing JBoss app. I was following Frank's example at http://www.oracle.com/technology/products/jdev/howtos/10g/jaassec/index.htm. Trying to access protected pages will correctly redirect to the j_security_check page, and from there call my custom login module - through LoginContext. The issue is that - even if the LoginModule correctly authenticates user's credentials, the request still doesn't get through, coming back to the authentication page.
    I perform the deployment using Oracle Enterprise Manager, and the relevant files are:
    web.xml:
    <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>testJAAS</realm-name>
    <form-login-config>
    <form-login-page>/jsp/login.jsp</form-login-page>
    <form-error-page>/jsp/login.jsp</form-error-page>
    </form-login-config>
    </login-config>
    <!-- Security constraints -->
    <security-constraint>
         <web-resource-collection>
         <web-resource-name>Test Secure Application</web-resource-name>
         <description>Requires users to authenticate</description>
         <url-pattern>faces/*</url-pattern>
         <http-method>POST</http-method>
         <http-method>GET</http-method>
         <http-method>HEAD</http-method>     
         <http-method>PUT</http-method>     
         </web-resource-collection>     
         <auth-constraint>
         <description>Only allow role1 users</description>
         <role-name>role1</role-name>
         </auth-constraint>     
         <user-data-constraint>
         <description>Encryption is not required for the application in general. </description>
         <transport-guarantee>NONE</transport-guarantee>
         </user-data-constraint>
    </security-constraint>
    <!-- Define the security role(s) -->
    <security-role>
    <description>Example role</description>
    <role-name>role1</role-name>
    </security-role>
    orion-web.xml:
    schema-major-version="10" schema-minor-version="0" >
         <!-- Uncomment this element to control web application class loader behavior.
              <web-app-class-loader search-local-classes-first="true" include-war-manifest-class-path="true" />
         -->
         <resource-ref-mapping name="jdbc/lics" />
         <security-role-mapping name="role1">
              <group name="oc4j-app-administrators" />
         </security-role-mapping>
         <web-app>
         </web-app>
    orion-application.xml:
         <jazn provider="XML" >
              <property name="jaas.username.simple" value="true" />
              <property name="custom.loginmodule.provider" value="true" />
              <property name="role.mapping.dynamic" value="true" />
         </jazn>
    system-jazn-data.xml:
    <jazn-loginconfig>
         <application>
              <name>le5</name>
              <login-modules>
                   <login-module>
                        <class>com.tx.lic.oc4jsx.ext.LicLoginModule</class>
                        <control-flag>required</control-flag>
                        <options>
                             <option>
                                  <name>defaultRole</name>
                                  <value>role1</value>
                             </option>
                        </options>
                   </login-module>
              </login-modules>
         </application>
    I assume something is wrong with the deployment configuration, because when I specifically add users to the defined role1 role, it works fine (see below). But this is not an option, since users should only be specified in the data store of the LoginModule.
    Doing as above, the orion-web.xml is below:
         <resource-ref-mapping name="jdbc/lic" />
         <security-role-mapping name="role1">
              <group name="oc4j-app-administrators" />
              <user name="user1" />
              <user name="user2" />
         </security-role-mapping>
    Any insight would be much appreciated. Thanks.

    Hi,
    role to group mapping doesn't seem to work for custom LoginModules. This means that your web application (web.xml) should use the same role names as used on the database authentication. So remove
    <security-role-mapping name="role1">
    <group name="oc4j-app-administrators" />
    </security-role-mapping>
    from orion-web.xml and it should start working
    Frank
