LoginModule + LoginContext question

Hello there! I'm using a classical j_security_check security authentication approach. I've created a LoginModule (extends Jboss' UserNamePasswordLoginModule) and so far things have been workin fine. Well now I need to have a more complex control, so I decided to not use j_security_check. Instead I'll call a struts action and this one calls my SessionBean how starts the process.
I've read JAAS documentation and it fails in a crucial point, the client view of process. It does not explain how to instantiate a LoginContext's Configuration and how to pass the username/password provided. I mean it's easy through j_security_chek cuz it does everthing for you.
So I'd like to know:
1st. How to set my configuration (changing java policy properties seems to ackward to me, since It's a EAR application and should not be that intrusive)
2nd. How do I set my username/password to be accessible through my Callback interface?
What I've done is:
LoginContext lc = new LoginContext("myLoginModule"); // this name is set on my jboss-web.xml as java:/jaas//myLoginModule
lc.Login()I'm sure I'm doing everthing (or almost) wrong, since this does not work.
Could someone give me some directions???
Thanks and regards

Hi..
If you are implementing on an appserver, you would be manipulating the server.policy files instead of the java.policy file directly.
For callback interface.. maybe u've already seen this example but u can basically create a callbackhandler that takes the username/password in the constructor. This way u can pass your callback handler to the logincontext. I maybe stating the obvious to u..
I couldnt gather enough information from ur question to see what ur situation is -- might be able to share some ideas with u.. do elaborate on what u're working on
Regards
RR

Similar Messages

ADF wont work with custom LoginModule! Question for Mr. Nimphius!

ive setup login module as shown in:
http://www.oracle.com/technology/products/jdev/howtos/10g/jaassec/index.htm
code:
actionContext.getHttpServletRequest().isUserInRole("Administrators") works! but i also want this code to work in ADF:
appmod.getSession().isUserInRole("Administrators")
with default loginmodule "oracle.security.jazn.tools.Admintool" everything is ok! i can get roles in adf but with custom login module i cant!
in ApplicationModule config i have setup
jbo.security.config =
jbo.security.context = oracle.security.jazn
jbo.security.enforce = Must
jbo.security.loginmodule = oracle.sample.dbloginmodule.DBTableLM.DBTableLoginModule
please help!

thank you very much for the reply!!!!
i did what you told but no luck... :(((
i still can not get user role from application module!
this code:
if (AppModule.getSession().isUserInRole("Administrators"))
System.out.println("User is in role! ");
simply does not work!
ive tested on standallone oc4j, ive tested on embeded jdveloper 10.1.2.1 !
i get NullPointerException at at oracle.jbo.server.security.jazn.JboJAZNUserManager.isUserInRole(JboJAZNUserManager.java:113)
the thing is that i can use isUserInRole() from request but i can not from application modulle....
...ive lost hours in decompiling and tracking down ADF code just to realize that there is no way to use custom login module with ADF because the thing is hard coded to use xml or ldap..
the only way i see how to solve the problem is to extend oracle.jbo.server.SessionImpl
and override
getUserRoles()
and
isUserInRole(String s)
i can substitute session class with my own by setting
SessionClass = oracle.jbo.server.ExtendedSessionImpl
in file jboserver.properties (which is inside bc4jmt.jar)
the easier way is to write my own function isUserInRole() in EntityImpl... i always can get user principal name with AppModule.getUserPrincipalName()
what do you think?

Has anyone used JAAS with WebLogic?

Has anyone used JAAS with Weblogic? I was looking at their example, and I have a bunch of questions about it. Here goes:
Basically the problem is this: the plug-in LoginModule model of JAAS used in WebLogic (with EJB Servers) seems to allow clients to falsely authenticate.
Let me give you a little background on what brought me to this. You can find the WebLogic JAAS example (to which I refer below) in the pdf: http://e-docs.bea.com/wls/docs61/pdf/security.pdf . (I believe you want pages 64-74) WebLogic, I believe goes about this all wrong. They allow the client to use their own LoginModules, as well as CallBackHandlers. This is dangerous, as it allows them to get a reference (in the module) to the LoginContext's Subject and authenticate themselves (i.e. associate a Principal with the subject). As we know from JAAS, the way AccessController checks permissions is by looking at the Principal in the Subject and seeing if that Principal is granted the permission in the "policy" file (or by checking with the Policy class). What it does NOT do, is see if that Subject
has the right to hold that Principal. Rather, it assumes the Subject is authenticated.
So a user who is allowed to use their own Module (as WebLogic's example shows) could do something like:
//THEIR LOGIN MODULE (SOME CODE CUT-OUT FOR BREVITY)
public class BasicModule implements LoginModule
private NameCallback strName;
private PasswordCallback strPass;
private CallbackHandler myCB;
private Subject subj;
         //INITIALIZE THIS MODULE
           public void initialize(Subject subject, CallbackHandler callbackHandler, Map sharedState, Map options)
                  try
                       //SET SUBJECT
                         subj = subject; //NOTE: THIS GIVES YOU REFERENCE
TO LOGIN CONTEXT'S SUBJECT
                                                 // AND ALLOWS YOU TO PASS
IT BACK TO THE LOGIN CONTEXT
                       //SET CALLBACKHANDLERS
                         strName = new NameCallback("Your Name: ");
                         strPass = new PasswordCallback("Password:", false);
                         Callback[] cb = { strName, strPass };
                       //HANDLE THE CALLBACKS
                         callbackHandler.handle(cb);
                  } catch (Exception e) { System.out.println(e); }
     //LOG THE USER IN
       public boolean login() throws LoginException
          //TEST TO SEE IF SUBJECT HOLDS ANYTHING YET
          System.out.println( "PRIOR TO AUTHENTICATION, SUBJECT HOLDS: " +
subj.getPrincipals().size() + " Principals");
          //SUBJECT AUTHENTICATED - BECAUSE SUBJECT NOW HOLDS THE PRINCIPAL
           MyPrincipal m = new MyPrincipal("Admin");
           subj.getPrincipals().add(m);
           return true;
         public boolean commit() throws LoginException
               return true;
    }(Sorry for all that code)
I tested the above code, and it fully associates the Subject (and its principal) with the LoginContext. So my question is, where in the process (and code) can we put the LoginContext and Modules so that a client cannot
do this? With the above example, there is no Security. (a call to: myLoginContext.getSubject().doAs(...) will work)
I think the key here is to understand JAAS's plug-in security model to mean:
(Below are my words)
The point of JAAS is to allow an application to use different ways of authenticating without changing the application's code, but NOT to allow the user to authenticate however they want.
In WebLogic's example, they unfortunately seem to have used the latter understanding, i.e. "allow the user to authenticate however they want."
That, as I think I've shown, is not security. So how do we solve this? We need to put JAAS on the server side (with no direct JAAS client-side), and that includes the LoginModules as well as LoginContext. So for an EJB Server this means that the same internal permission
checking code can be used regardless of whether a client connects through
RMI/RMI-IIOP/JEREMIE (etc). It does NOT mean that the client gets to choose
how they authenticate (except by choosing YOUR set ways).
Before we even deal with a serialized subject, we need to see how JAAS can
even be used on the back-end of an RMI (RMI-IIOP/JEREMIE) application.
I think what needs to be done, is the client needs to have the stubs for our
LoginModule, LoginContext, CallBackHandler, CallBacks. Then they can put
their info into those, and everything is handled server-side. So they may
not even need to send a Subject across anyways (but they may want to as
well).
Please let me know if anyone sees this problem too, or if I am just completely
off track with this one. I think figuring out how to do JAAS as though
everything were local, and then putting RMI (or whatever) on top is the
first thing to tackle.

Send this to:
newsgroups.bea.com / security-group.

LoginModule with JAAS, setup question for Frank Nimphius

Hi Frank,
i am trying to use a custom LoginModule in conjuction with the setup procedure in your "J2EE Security in Oracle ADF Web Applications" white paper. Have you done this before? can you provide roadmap for additional/alternate setup steps needed to use a LoginModule?
this is my original post from early this week:
JAAS Setup question
thanks,
brenden

Brenden,
please refer to the OC4J security documentation which si a part of the Oracle Application Server documentation that can be looked up online here on OTN. Custom LoginModule configurations require OC4J 9.0.4. In addition, this feature also only works with the jazn-data.xml provider and not with OID.
From the perspective of this whitepaper, the LoginModule will be used by the OC4J container to authenticate users and thus should not require any change in teh paper.
I haven't yet had the time created an example and document that showcases how to do this. Hopefully christmas will give me some rest to look into this.
Frank

JAAS: unclear doc on LoginContext.login()

I'm having difficulty understanding some of the javadoc text for
LoginContext.login(). Consider these three paragraphs:
If the commit phase of the authentication process fails, then the
overall authentication fails and this method invokes the abort method
for each configured LoginModule.
If the abort phase fails for any reason, then this method propagates
the original exception thrown either during the login phase or the
commit phase. In either case, the overall authentication fails.
In the case where multiple LoginModules fail, this method propagates
the exception raised by the first LoginModule which failed.Specific questions:
1. Is it only when the abort phase fails that the original
exception should be propagated? How about when the abort phase
passes (ie, I presume, when there's no error in executing the
LoginModules' abort() methods)?
2. That 3rd paragraph: should it really be part of the 2nd paragraph,
or is it really a new thought? That is, should the first of multiple
LoginModule exceptions be propagated only when the abort phase
fails? Or should the first exception be propagated whenever there are
any exceptions, even when the abort phase passes?
General questions:
Generally, LoginExceptions are thrown upon login()
failures. I presume this is because you don't want to give specific
reasons for failed login attempts back to JoeCracker.
1. Should specific exceptions be propagated back at all?
2. It seems that the onus of logging the real problems should be the
responsibility of the LoginModule implementation, is that right? That
way, JoeCracker can't find out the real reasons for the failures, but
JoeLegitEmployee can walk over to the sysadmin and ask to peruse the
LoginModule logs ... does this make sense?

Perhaps I can simplify the questions ...
It seems that the javadoc allows propagation of the original exception
only in the case when the abort phase fails. Am I reading this
right?
Shouldn't it be OK to propagate the original LoginException for any
sort of failure in overall authentication?

Can't find LoginModule

Hi all,
I can't seem to use the BasicPasswordLoginModule that is preconfigured in the J2EE engine. Here is what I have done:
1. Succesfully deployed the app that wants to use the login module.
2. Used the Visual Admin's Security Provider to associate the existing BasicPasswordLoginModule to both the Web and EJB components.
3. Try to programatically create a LoginContext from within the container (in a servlet, for instance). I am using the following code :
LoginContext = new
LoginContext("BasicPasswordLoginModule",cbHandler);
At this point I get the following error :
javax.security.auth.login.LoginException: No LoginModules configured for BasicPasswordLoginModule
     at javax.security.auth.login.LoginContext.init(LoginContext.java:189)
     at javax.security.auth.login.LoginContext.<init>(LoginContext.java:404)
     at ......
What am I missing?
TIA,
Chad

hi,
i am also facing same problem. I searched a lot on SAP forums but all this type of questions are still unanswered.
I hav implemented standard java LoginModule class.
Then created its library and deploy it according steps given in SAP Help.
Then referered it in my Applcation's servlet page as
LoginContext loginContext = new LoginContext("MyLoginModule", callbackHandler);
But still it is giving <b>loginException</b>:
javax.security.auth.login.LoginException: No LoginModules configured for MyLoginModule
at javax.security.auth.login.LoginContext.init(LoginContext.java:189)
at javax.security.auth.login.LoginContext.(LoginContext.java:404)
Can anyone help me. Its very very urgent for me.

Multiple JAAS LoginModules: WL6.1 always calls default ServerLoginModule?

Hello All,
I'm trying to implement a set of custom LoginModule(s) to authenticate
a user (an "application user", not a Weblogic admin). From a JSP login
page, the app calls a Servlet that calls LoginContext("myLogin",
myCallbackHandler).login(). I have also create a custom
Callback/CallbackHandler (since the parameters are passed as HTTP
parameters) and added the required parameters in lib\server.policy:
myLogin {
com.andrej.myLoginModule required;
The problem is that it looks like WL always calls the default
LoginModule (ServerPolicy from the lib\server.policy file) even if it
doesn't correspond to "myLogin". Of course, my app crashes
miserably... :)
Two questions:
- is the above normal? Am I missing something of JAAS?
- am I following the right path i.e. can I use a custom LoginModule to
authenticate an application user via an entity EJB so that the
successive calls are then associated to the proper Subject/Principal?
Or can I only use a LoginModule to authenticate a Weblogic server
user?
Thank you in advance!
Andrej
PS: if possible, I'd like to avoid using Weblogic-specific classes. :)

You must specify two properties:
weblogic.security.jaas.Configuration - your implementation of Configuration
class
weblogic.security.jaas.Policy - jaas config file location
For example:
System.setProperty("weblogic.security.jaas.Configuration",
"examples.security.jaas.SampleConfig");
System.setProperty("weblogic.security.jaas.Policy",
"C:/Sample.policy");
"Andrej" <[email protected]> wrote in message
news:[email protected]..
Hello All,
I'm trying to implement a set of custom LoginModule(s) to authenticate
a user (an "application user", not a Weblogic admin). From a JSP login
page, the app calls a Servlet that calls LoginContext("myLogin",
myCallbackHandler).login(). I have also create a custom
Callback/CallbackHandler (since the parameters are passed as HTTP
parameters) and added the required parameters in lib\server.policy:
myLogin {
com.andrej.myLoginModule required;
The problem is that it looks like WL always calls the default
LoginModule (ServerPolicy from the lib\server.policy file) even if it
doesn't correspond to "myLogin". Of course, my app crashes
miserably... :)
Two questions:
- is the above normal? Am I missing something of JAAS?
- am I following the right path i.e. can I use a custom LoginModule to
authenticate an application user via an entity EJB so that the
successive calls are then associated to the proper Subject/Principal?
Or can I only use a LoginModule to authenticate a Weblogic server
user?
Thank you in advance!
Andrej
PS: if possible, I'd like to avoid using Weblogic-specific classes. :)

Using a JAAS compliant LoginModule in OC4j

Hi.
I'm trying to set up an application to use a custom LoginModule in OC4J. The OC4J security FAQ states that this can be done by adding ... to the jazn-data.xml file as it is done with the oracle.security.jazn.tools.Admintool. The only users I seem to be able to authenticate with is the ones defined in the <jazn-realm> section of jazn-data.xml. If I try to remove this or parts of this section, the application fails to start.
If I deliberately misspells the classname of the login module, no error message is displayed.
Do I have to enable the use of custom login modules in any way other then adding them to the jazn-data.xml file? I not, can anyone tell me why I cant get it to work, and what I can do to get it to work?
I am using a SampleLoginModule from sun.
The classfiles for the login module is placed in a jar file in <j2ee-home>\lib directory
The OC4J is version 9.0.3.0.0
(standalone)
The login module data in jazn-data.xml:
<jazn-loginconfig>
<application>
<name>jazntest</name>
<login-modules>
<login-module>
<class>sample.module.SampleLoginModule</class>
<control-flag>required</control-flag>
<options>
<option>
<name>debug</name>
<value>true</value>
</option>
</options>
</login-module>
</login-modules>
<application>
I am wondering about the name tag in application. What name is this?
The name of the app IS jazntest.
Both in server.xml:
<application name="jazntest" path="../applications/jazntest.ear" auto-start="true" />
and in http-web-site.xml:
<web-app application="jazn-test" name="jazntest" root="/jazntest" />
Any help appreciated.
Ole

Ole, Anders,
A custom LoginModule can indeed be setup with JAZN if it's JAAS-compliant. In order to setup this up, you'll need to do the following:
1. Define the custom LoginModule in the global jazn-data.xml file (i.e. in the j2ee/home/config directory). The name-value tags are for optional parameters. Most LoginModules have a debug mode but this is optional (see the LoginModule specific documentation).
2. Put all the LoginModule files in the lib/ext directory of whichever JRE you are using (e.g. $oracle_home/jdk/jre/lib/ext). You may also need to place a copy of the "jaas.jar" file in that same directory.
3. For the actual application, you want to make sure that you do not use the container's security and authentication constraints defined in the application's web.xml file. Note: unlike the default JAZN RealmLoginModule, custom LoginModules are not integrated with these container security constraints. This means that with the custom LoginModule, you need to programmatically create a LoginContext and explicitly do a "login()" (as described in most JAAS tutorials). You may also need to restart the OC4J instance for some of these changes to take affect.
Regards,
-Lee

Problem mapping LoginModule roles to ejb security roles

I have "successfully" managed to implement the DBSystemLoginModule. When I run my application I successfully authenticate to the database, the login module successfully retrieves the users roles from the database and adds them to the subject:
PassiveCallbackHandler cbh = new PassiveCallbackHandler(username, password);
LoginContext lc = new LoginContext("current-workspace-app", cbh);
lc.login();
I then perform a lookup on a bean using the same user:
Hashtable env = new Hashtable();
env.put(Context.INITIAL_CONTEXT_FACTORY, "oracle.j2ee.rmi.RMIInitialContextFactory");
env.put("java.naming.security.principal",username);
env.put("java.naming.security.credentials",password);
env.put("java.naming.provider.url", "ormi://localhost:23891/current-workspace-app");
Context ic = new InitialContext(env);
final SessionEJBHome sessionEJBHome =
(SessionEJBHome) PortableRemoteObject.narrow( ic.lookup( "SessionEJB" ), SessionEJBHome.class );
Finally, I create an instance of the bean and call a method of this bean.
SessionEJB sessionEJB;
sessionEJB = sessionEJBHome.create( );
sessionEJB.testMe( );
I am expecting (hoping) that the roles retrieved from the database by the login module may be used to authenticate the ejb methods. i.e. if (in ejb-jar.xml) the method "testMe" has a method-permission with role-name of "ABC" then this method may only be accessed if the user is a member of the "ABC" role retrieved from the database by the login module. However I get the message:
"username is not allowed to call this EJB method"
When I add a security-role-mapping in orion-ejb-jar.xml mapping the role "ABC" to the group "ABC" (and impliesALL="true") then the method is called successfully. However, if I add a security-role-mapping mapping the role "DEF" to the group "DEF" (which the user is not a member of) the ejb method is (wrongly) called successfully (with implies all="false" the method always fails). In other words there seems to be no mapping of the roles retrieved by the login module to the ejb security roles.
Can anyone please enlighten me on how I can achieve the mapping of the ejb security roles to the roles obtained from the login module.
Thanks
PS I have this problem with JDeveloper 10.1.3 (Developer Preview 10.1.3.0.2.223 and Early Access 10.1.3.0.3.3412)

Hi Sebastian,
yes, it is possible to do such mapping. And here how it works:
1. define security roles in the ejb-jar.xml within the <security-role>. For example:
<security-role>
     <role-name>test</role-name>
</security-role>
2. then you map the roles those roles to server security roles using the <security-role-map> tag of the ejb-j2ee-engine.xml descriptor.
<security-permission>
   <security-role-map>
      <role-name>test</role-name>
      <server-role-name>myUMErole</server-role-name>
   </security-role-map>
</security-permission>
the myUMErole must be defined in the UME!
Does this answer your question?

Authentication and Authorization question.

Hi All,
I require your help in getting validated my understanding on Authentication and Authorization. This is wrt to WebLogic Server and WebLogic Portal.
Authentication.
1. The custom authentication provider can authenticate(user and group) against any datastore(LDAP OR DB). The LoginModule is a kind of blockbox and it can return true/false depending on authentication.
2. The end result of this process is true/false.
Authorization.
1. The custom authorization providers can authorize the authenticated user based on role. All these entities ie(user,group,role) can be either in LDAP OR DB.
2. The end result of this process is true/false.
Role mapping.
1. The custom role mapper can put all the roles that a user belongs and returns all Role. This can happen agaist LDAP OR DB.
2. The end result is list of roles for a user.
Security policy configuration.
Is it mandatory that a user/group/role should be existing in WebLogic Server LDAP server(OR Portal LDAP server) to create these policies and authorization rules. What i mean by is that can user,group,role can exist in application specific database and still can be used for creatiing security policies??
Thanks,
Prashanth Bhat.

The Security Providers are useful/can be used for developing a standard j2ee application , which will be deployed as standard j2ee application.
The DA means Delegated Administrator, which is way how portal components are restricted to different types of administrators.
The VE means Visitor Entitlemens, which is way how portal components are restricted to end users.
My question is whether thess(DAs and VEs) can also be put
our datastore for access rights??
Thanks,
Prashanth Bhat.

CC&B LoginModule for Weblogic Change of Password

Hi All,
I realise this is more of a Weblogic question, though I'm specifically after a working example of LoginModule that can be used within CC&B on Weblogic to:
a) Force users to change their password if their password is reset;
b) Force users to change their password if their password is expired (for example after 30 days);
b) Plus preferably also allow users to change their password on demand.
Can anyone point me at some examples of this (preferably also highlighting what needs to be set-up within Weblogic from an admin perspective to allow password expiry)?
Note - Kerberos Authentication is not currently an option, hence I need just basic JSP login modules.
Cheers,
Matt

Hi All ..
Thanks for reply .
I m new in this company. but once the password was changed by ex-DBA before my arrival in this company and that too created problems in RAC. This is what my PM says.
I think some where this password is given at the time of RAC installation .
What were the problems ? have gone with ex-DBA.
I have to look into it.
Can you figure out the possible problems ?
plz help.
Regards,
Edited by: Cool_DBA on Nov 21, 2008 1:38 AM

How to get the error raised in LoginModule into the error.jsp page?

Hi,
I would like to get the Exception message raised in a LoginModule and display it "friendly" into my error.jsp page.
How to do that?
Thanks.
Stephane

I have posted this question a few times. These forums are useless for all but the simplest of problems.
Here is what you can do, of course it is unsupported, and may or may not break with a future release - all I can say is that it works in 10.1.3
In your loginmodule login() method, add the JAZNContextCallback to your callbacks array, then after the callbacks are handled you can access the request in the following way:
HttpServletRequest request = (HttpServletRequest) ((JAZNContextCallback)callbacks[2]).getContextObject(JAZNContextCallback.HTTP_SERVLET_REQUEST, null);
You can then add the error message to the request and your jsp or whatever will be able to access it.
By the way, JAZNContextCallback is contained in the jazncore.jar file.

Some basic questions about JAAS

I am confused about the general use of the JAAS mechanism in Java. Hopefully someone can answer these hopefully not too naive questions:
1. Does it ever make sense to use java.net.Authenticator instead of JAAS?
2. JAAS allows the definition of an assumedly text based Configuration file that instructs the LoginContext how to stack various login mechanisms on top of each other. Wouldn't this be easily hacked by the user, where one would only need to edit this known file and remove the authentication requirement(s)?
3. I am confused about the utility of the Subject.doAs... priviledged security actions. Specifically, does this absolutely prevent a hacker from running the program in a debugger and running certain bytecode? I have read the tutorial section on what Subject.doAs... provides, but does this stop a hacker from obtaining the PrivilegedAction object (or code inside it) and somehow executing that code in a debugger or in a custom jar?
Thank You,
Eric

I'll follow up to my own post with two more questions:
4. The app I'm targeting here is a JavaWebStart client, that connects to a remote server app. Assuming I use JAAS on the client, do I also use it on the server to re-check the client-login (to prevent a hacker from circumventing the client-side JAAS authentication checks)?
5. If I use JAAS for authorization in a JavaWebStart app, but I need the JNLP to include the following:
<security>
<all-permissions/>
</security>
Does this completely circumvent any authorization checks I need to do using JAAS, seeing as I'm already granting all-permissions to the Java security module?

Is it possible to use Glassfish JDBCLoginModule with LoginContext???

Hi
Don't call me crazy but, i tried to use the class "com.sun.enterprise.security.auth.login.JDBCLoginModule" as a LoginModule for a LoginContext Instance and a custom CallbackHandler in order to push authentication information to the appserver.
I was wondering if this could be done because i'm getting a extrange behavior when setting up the environment!!!
this is what i'm doing:
*1.-* Added this to my Appserver java.security file located at C:\Program Files\Java\jdk1.6.0_05\jre\lib\security:
login.config.url.1=file:C:/login.conf (There aren't any other login.config.url.N entry on the file)
*2.-* Created a file called login.conf in c:\ with this content:
*SisInvWebClient {*
* com.sun.enterprise.security.auth.login.JDBCLoginModule required*
*3.-* Restarted the server in order to changes to take effect
After server restarts the extrange behaviors comes up!!! The server starts but it doesn't let me log in into the Admin Console, and in case you were wondering!! Yes i'm providing the correct user name and password for the Appserver Admin.
In fact, the appserver begins to work fine again when i comment this line: login.config.url.1=file:C:/login.conf in the appserver java.security file and restart it.
So is obvious that i'm doing something wrong!!!! I just want to be able to push the user name and password from a custom UI using the login() method of a LoginContext's Instance (with its respective custom CallbackHandler)
Any Ideas????

I found the problem:
I forgot to put a "*;*" at the end of LoginModule entry
My working login.conf file looks like this:
SisInvWebClient {
com.sun.enterprise.security.auth.login.JDBCLoginModule required;
(Note the ";" after com.sun.enterprise.security.auth.login.JDBCLoginModule required entry, without the ; my App Server refuse to give me access to Admin Console even with correct uername and password...

JAAS: location of Configuration, LoginModule classes

Hi,
I've created a custom JAAS implementation (Configuration & LoginModule classes) for use in a web-environment (Tomcat + Expresso).
Question: at the moment, my set-up will only work with Tomcat and a very simple non-Expresso web-app, if and only if, I put the Configuration and LoginModule classes in the jre/lib/ext directory.
Is there a way to move the classes to WEB-INF/lib ? The reason for this would be that I would like to use specific Expresso classes in the LoginModule, that also need an environment (connection pool, etc.) to function properly.
Or would this generally be a stupid idea.
TIA,
Jaap

Hi ...
Interested from your posting, seems successfully implemented JAAS using Tomcat.
I have exception ... cannot instantiate LoginConfiguration. Seems no solution till date.
Could you share the procedures to implement JAAS to Tomcat (4, I pressumed) ?
TIA.
BAM

LoginModule + LoginContext question

Similar Messages

Maybe you are looking for