Looking for example: JAAS login module using ADF BC
Hello all,
I have seen the article at http://www.oracle.com/technology/products/jdev/howtos/10g/jaassec/index.htm by Frank and Duncan detailing how to put together a login module that uses the database for authentication. Great idea. I would like to take it to the next level and use an ADF BC View Object to do the authentication and role assignment for users, but am stuck on a few points. First of all, is there anyone out there who has done this and would care to share? If not:
1). How do I get a reference to the AM so that I can look up a view object in the login module?
2). I assume that I am going to need to add my model project classes to the system classpath, correct?
3). What are the other gotchas?
4). Or should this be the first question, is this even possible?
Hi John,
I am trying to find a relevant example on JAAS login module with ADF BC,
i have this application that is ready to go in production deployed on a test application server
everything seems to work fine but it is totally deprived of security :o(
i have sent post to get some information i read most of it i even came across your blog on the matter
i am sort of understanding the things needed to do but i would need a working example to get a better grasp on the this subject. I need i think to built a custom login module but i dont know what exactly can be coded inside the jar file that is read from the application and that forces the authentification so if you could help in my research for an example you OR anyONE
it would be appreciated
Carl
Similar Messages
-
JAAS Login Module using Deployable Web Service proxy
Hi,
We've created a JAAS Login Module that calls a deployable web service proxy to validate users on Netweaver Portal 2004 SP19. To do this the following steps were taken:
1) created a deployable web proxy named 'SGU_proxy' and uploaded it to server. This project created 2 files: 'SGU_proxy.ear' (the one uploaded) and 'SGU_proxyClientAPI.jar'.
2) created a Java project named 'AgregacaoLoginModule' with a single class to authenticate users, this is the class that calls the web service with the username and password. This project references the deployable web proxy project (Properties > Java Build Path > Projects > checkbox marked next to project SGU_proxy).
3) exported the Java project class, not including the 'SGU_proxyClientAPI.jar'.
4) created a 'J2EE Server Component' > 'Library' project named 'AgregacaoLoginModuleJ2EE'.
On the 'provider.xml' file added 2 jars: 'AgregacaoLoginModule.jar' and 'SGU_proxyClientAPI.jar'. References were made to the standard portal libraries. No references were made to the proxy 'SGU_proxy' or the 'AgregacaoLoginModule' project.
The library was uploaded to the server, everything was ok and no errors were reported.
The login module was configured on the server and is called when users try to acess Portal server.
The problem is that when trying to authenticate users: after getting a reference to the proxy using jndi I get a ClassCastException. Note that this proxy is used in a WebDyn Pro application and is working fine.
The web service client proxy generated the interface 'pt.agregacao.ws.sgu.Servicos' and from jndi I get 'class pt.agregacao.ws.sgu.ServicosImpl'. So this seems to be ok, why the exception?
Is it necessary to had a reference to 'SGU_proxy' on the 'AgregacaoLoginModuleJ2EE' project? If so, how?
Thanks in advance.
AlvaroHi,
We've created a JAAS Login Module that calls a deployable web service proxy to validate users on Netweaver Portal 2004 SP19. To do this the following steps were taken:
1) created a deployable web proxy named 'SGU_proxy' and uploaded it to server. This project created 2 files: 'SGU_proxy.ear' (the one uploaded) and 'SGU_proxyClientAPI.jar'.
2) created a Java project named 'AgregacaoLoginModule' with a single class to authenticate users, this is the class that calls the web service with the username and password. This project references the deployable web proxy project (Properties > Java Build Path > Projects > checkbox marked next to project SGU_proxy).
3) exported the Java project class, not including the 'SGU_proxyClientAPI.jar'.
4) created a 'J2EE Server Component' > 'Library' project named 'AgregacaoLoginModuleJ2EE'.
On the 'provider.xml' file added 2 jars: 'AgregacaoLoginModule.jar' and 'SGU_proxyClientAPI.jar'. References were made to the standard portal libraries. No references were made to the proxy 'SGU_proxy' or the 'AgregacaoLoginModule' project.
The library was uploaded to the server, everything was ok and no errors were reported.
The login module was configured on the server and is called when users try to acess Portal server.
The problem is that when trying to authenticate users: after getting a reference to the proxy using jndi I get a ClassCastException. Note that this proxy is used in a WebDyn Pro application and is working fine.
The web service client proxy generated the interface 'pt.agregacao.ws.sgu.Servicos' and from jndi I get 'class pt.agregacao.ws.sgu.ServicosImpl'. So this seems to be ok, why the exception?
Is it necessary to had a reference to 'SGU_proxy' on the 'AgregacaoLoginModuleJ2EE' project? If so, how?
Thanks in advance.
Alvaro -
Looking for example - abap xslt - that uses xslt document() function
Hello,
I'm looking for an example that shows the use of abap xslt with the xslt document() function. Using the xslt document() function seems like a straightforward way to use xslt to create a result xml document by processing the content of two or more
source documents. For example, if source document A.xml and aux.xml are available in memory as xstringand using stylesheet ztransformwhat would be the argument for the document() function to associate aux.xml. Thanks for any insight.
Regards,
jb10809Hi,
Sorry, perhaps I should have been clearer! The function that I picked just to test what you need to do just happened to return a string that contains SPAN tags with style attributes. The actual function code is:
create or replace FUNCTION out_string_fn
RETURN VARCHAR2
IS
CURSOR emp_cur
IS
SELECT ename
FROM emp;
v_string VARCHAR2 (4000);
BEGIN
v_string := ' ';
FOR c IN emp_cur
LOOP
v_string :=
v_string
|| '<SPAN style="font-weight:bold;color:green">'
|| c.ename
|| '</SPAN>'
|| ', </br></br>';
END LOOP;
RETURN v_string;
END;And this returned a naff list in green (see [http://apex.oracle.com/pls/otn/f?p=55041:57] and click the Test button) - but it does show that you can style the validation error messages
Andy -
Looking for examples using BigDecimal
Two newbies to Java are looking for examples of code that use the BigDecimal features for rounding and truncating large numbers to more user-friendly values.
We are doing some hefty math calculations on values defined as doubles and want to round and truncate to within 1/100th for display purposes.
We've tried some stuff on our own, but it is not cooperating. Any help would be greatly appreciated!Here is a good article of how to use BigDecimal
http://www.javaworld.com/javaworld/jw-06-2001/jw-0601-cents.html
Hope this helps -
Use of portal service in JAAS Login Module
Is it possible to use an portal service in an JAAS Login Module?
I've tried to use the IUserMappingService and always run in an Null Pointer Exception.
All needed Used DC references are set and the build and the deployment of the
login module is possible without any errors.
Best regards,
ThomasI've debuged my JAAS login modul.
The following objects are in accessable over my context object
{broker=broker, com.sap.portal.pcm.collaborative.ipartstemplates={}, UME=UME, com.sap.workflow.es.portal.IKMCRoomService=com.sap.workflow.es.room.KMCRoomHelper@44c944c9, comp.sap.portal.fpn.marshallersrepository={com.sapportals.portal.workset=com.sap.portal.fpn.marshal.WorksetMarshaller@7cf07cf0, com.sapportals.portal.rolefolder=com.sap.portal.fpn.marshal.RoleFolderMarshaller@489b489b, com.sapportals.portal.operationmodifier=com.sap.portal.unification.semanticlayer.marshalling.OperationModifierMarshaller@1a1b1a1b, com.sapportals.portal.businessobject=com.sap.portal.unification.semanticlayer.marshalling.BusinessObjectMarshaller@1fc71fc7, com.sapportals.portal.layout=com.sap.portal.fpn.marshal.LayoutMarshaller@454f454f, com.sapportals.portal.role=com.sap.portal.fpn.marshal.RoleMarshaller@590e590e, com.sap.portal.obn.semanticlayer.businessobject.BusinessObject=com.sap.portal.unification.semanticlayer.marshalling.BusinessObjectNYMarshaller@68af68af, com.sap.portal.obn.semanticlayer.operation.IOperation=com.sap.portal.unification.semanticlayer.marshalling.OperationNYMarshaller@4f4a4f4a, com.sap.portal.pcm.admin.PlainFolderConverter=com.sap.portal.fpn.marshal.FolderMarshaller@284a284a, com.sapportals.portal.iview=com.sap.portal.fpn.marshal.IViewMarshaller@7ba37ba3, com.sapportals.portal.page=com.sap.portal.fpn.marshal.PageMarshaller@a100a10, com.sapportals.portal.operation=com.sap.portal.unification.semanticlayer.marshalling.OperationMarshaller@ece0ece}, WP=com.sapportals.portal.prt.core.resource.MultiPropertiesResource@3b213b21, ContentCatalog=ContentCatalog, Navigation=Navigation, PCD=PCD, com.sap.portal.obn=com.sap.portal.obn, com.sap.portal.usermanagement.usermanagement=com.sapportals.portal.prt.service.usermanagement.UserManagementService@60cc60cc, ProductionMode=true, AdHocWorkflowConnector=com.sap.workflow.es.portal.WFEWorkitemProvider@30d630d6, com.sap.ip.bi=com.sap.ip.bi, com.sapportals.portal.pcm.registeredServies=com.sapportals.portal.pcm.registeredServies, UniversalWorklistService=com.sap.netweaver.bc.uwl.core.portal.UWLPortalService@57e957e9, com.sap.portal.appintegrator=com.sap.portal.appintegrator, rtmf_messaging=com.sap.ip.collaboration.core.api.rtmf.core.RTMFMessaging@41af41af, com.sap.workflow.es.portal.IKMNotificationService=com.sap.workflow.es.portal.KMNotificationService@1daa1daa, com.sap.portal.pcm.collaborative.pagestemplates={}, runtime=runtime, Authenticator=com.sapportals.portal.prt.service.authenticationservice.AuthenticationService@756f756f, com.sap.workflow.es.portal.IKMAttachmentService=com.sap.workflow.es.portal.KMAttachmentService@9750975, unification=unification}
The IUserMappingService is missing. Any ideas?
Best regards,
Thomas -
Opinions on implementing a JAAS login module to achieve SSO
We are looking at implementing SSO from a sharepoint website to the portal. The users who are accessing the Sharepoint site are using their own computers and are not members of the AD Domain, so they could theoretically be using any computer in the world to access Sharepoint.
the desired user experience looks something like this.
user--login> sharepoint site -no login--
>portal
One of the methods we are looking at to achieve this is to implement a custom JAAS login module that would authenticate the user if they are coming from the Sharepoint site.
I would like to get your opinions on how viable you think this method is. One of the goals of this method is ease of implementation, so if you can think of an easier way to implement this please let us know.
the method is basically this.
1. User logs into sharepoint using their AD username and password and establish an active session with sharepoint
2. user navigates to a link in sharepoint that points to a resource in the SAP Portal
3. we don't want the user to have to login to access the resource when they click on the link
4. to facilitate this, sharepoint has constructed the link in the following way
5. the link is an https link
6. the link has two additional parameters in addition to whatever is necessary to navigate to the resource
7. the parameters are
8. un = the users AD username
9. uh = sha1("secret_password_known_to_both_the_login_module_and_sharepoint" + "username")
10. the user clicks the link and is directed to the SAP portal
11. the sap portal has a custom JAAS login module which performs it's checks before the other login modules
12. the custom module computes ( sha1("secret_password_known_to_both_the_login_module_and_sharepoint" + un)) and then compares the result with uh, if they are equal, the custom login module authenticates the user bypassing any further need for authentication, otherwise authentication passes to the original authentication modules as normal.
If you think there is an easier way, please let us know. We are essentially looking for the easiest/fastest way to implement this functionality that is still secure.Hey Gary,
I'm currently using Apache running on RedHat that leverage Apache's mod_rewrite module. I've got a bank of 6 reverse proxies sitting in front of an SAP Portal and each proxy runs on a host with dual 3.33GHz processors and 8Gb or RAM. I know... they're waaay over-sized and they pretty much snooze all day.
This is the sole entry point for all SAP users and we sized them to accommodate the "worst case" of about 5000 (potential) named users, concurrently. Realistically, we've only ever had about 1500 unique users hitting the systems in a day (following an upgrade go-live, everybody is curious and wants to log on) and a typical load of about 500 to 750 users in a day.
Never had a real performance problem to speak of. As long as the proxies are tuned properly (ssl cache, sessions, etc.), you should be fine.
Setting header variables and some other "custom stuff" is handled in Perl (need Apache's mod_perl active). We've got a script that's called by all users before being passed to the Portal.
We used IISProxy.dll with an IIS web server a long time ago (5 years maybe?) but opted to can it in favor of the approach described above.
If you ask SAP, they'll recommend you use a WebDispatcher... and that's certainly an option as well.
-Kevin -
How to create Jaas Login module !! Urgent
<b>Hi developers</b>
I want to make some changes in logon messages. Right now we are getting only error <b>user authentication failed </b> on the portal even if user is locked or some other reason is there for failed authentiaction. I want proper message should be displaying based on user input. For it I hope its good to <b>create Jaas logon module</b> so that i can modify it accordingly .
kindly if any one can give me way out , its urgent.
how to create it step by step. it would be highly appriciable.
any inputs are appriciated .
Thanks in advance
<b>Abhay</b>Hi Abhay,
1.) Every question is "urgent"... Please read https://www.sdn.sap.com/irj/sdn/wiki?path=/display/home/rulesofEngagement - section "Use a Good Subject Line"
2.) For JAAS Login Modules examples, see https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/4d65ed90-0201-0010-3aba-9209836e8242
Hope it helps
Detlev -
Problems deploying custom JAAS login module (ClassNotFound)
Hi,
I've developed a custom made JAAS login module that filters on IP addresse which I am moving from 6.20 to 6.40.
I've pretty much followed the procedures from http://help.sap.com/saphelp_nw04/helpdata/de/46/3ce9402f3f8031e10000000a1550b0/content.htm , the only major difference is that I needed a reference to WebCallback and therefore a reference to com.sap.security.api.sda from my library project.
I've especially followed the step with "Adding a Reference to the Classloader of the Security Provider" (http://help.sap.com/saphelp_nw04/helpdata/de/2b/23e4407211732ae10000000a155106/content.htm) , but I think its this step that fails. This has been set to library:<library name> , where <library name> is what is written on the right hand side of visual admin under library. I see that the library is deployed under the folder bin\ext\customer.com~com.customer.portal.login.IPRuleLibrary , so maybe I will try that name tomorrow morning.
The exceptions I get are
#1.5#001321B3B106005C0000000800002E380004039375E59BA6#1129831779936#com.sap.engine.services.security#sap.com/irj#com.sap.engine.services.security#Guest#1####ae7c5500419411daa7fd001321b3b106#SAPEngine_Application_Thread[impl:3]_17##0#0#Error#1#/System/Audit#Java###Exception #1#com.sap.engine.services.security.exceptions.BaseSecurityException: Cannot load a login module.
at com.sap.engine.services.security.login.LoginContextFactory.init(LoginContextFactory.java:95)
at com.sap.engine.services.security.login.LoginContextFactory.getLoginContext(LoginContextFactory.java:133)
at com.sap.engine.services.security.server.AuthenticationContextImpl.getLoginContext(AuthenticationContextImpl.java:227)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:324)
at com.sap.engine.system.SystemLoginModule.initialize(SystemLoginModule.java:72)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:324)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:662)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.getLoggedInUser(SAPJ2EEAuthenticator.java:86)
at com.sapportals.portal.prt.service.authenticationservice.AuthenticationService.getLoggedInUser(AuthenticationService.java:305)
at com.sapportals.portal.prt.connection.UMHandler.handleUM(UMHandler.java:96)
at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:186)
at com.sapportals.portal.prt.dispatcher.Dispatcher$doService.run(Dispatcher.java:522)
at java.security.AccessController.doPrivileged(Native Method)
at com.sapportals.portal.prt.dispatcher.Dispatcher.service(Dispatcher.java:405)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet.service(InvokerServlet.java:156)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:295)
at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:351)
at com.sap.portal.navigation.Gateway.service(Gateway.java:68)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:390)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:264)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:347)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:325)
at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:887)
at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:241)
at com.sap.engine.services.httpserver.server.Client.handle(Client.java:92)
at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:148)
at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
at java.security.AccessController.doPrivileged(Native Method)
at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:95)
at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:159)
Caused by: java.lang.ClassNotFoundException: com.customer.portal.login.IPRuleLoginModule
Found in negative cache
- Loader Info -
ClassLoader name: [common:library:com.sap.security.api.sda;library:com.sap.security.core.sda;library:security.class;library:webservices_lib;service:adminadapter;service:basicadmin;service:com.sap.security.core.ume.service;service:configuration;service:connector;service:dbpool;service:deploy;service:jmx;service:jmx_notification;service:keystore;service:security;service:userstore]
Parent loader name: [Frame ClassLoader]
References:
library:com.sap.ip.basecomps
library:core_lib
common:library:IAIKSecurity;library:activation;library:mail;library:tcsecssl
library:servlet
library:sapxmltoolkit
library:com.sap.mw.jco
library:com.sap.util.monitor.jarm
library:j2eeca
library:opensql
interface:security
interface:log
interface:shell
interface:keystore_api
library:ejb20
interface:webservices
library:com.sap.guid
interface:appcontext
interface:endpoint_api
interface:resourceset_api
interface:resourcecontext_api
common:service:iiop;service:naming;service:p4;service:ts
interface:ejbcomponent
interface:container
interface:visual_administration
interface:transactionext
interface:dsr_ejbcontext_api
service:timeout
library:tc~jmx
library:tcSLUTIL
service:memory
library:antlr
library:jdbdictionary
library:opensqlextensions
interface:cross
service:locking
service:file
Resources:
C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
ext
security.class
tc_sec_saml_toolkit_api.jar
C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
services
adminadapter
adminadapter.jar
C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
services
com.sap.security.core.ume.service
com.sap.security.core.ume.service.jar
C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
ext
webservices_lib
jaxrpc-api.jar
C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
ext
com.sap.security.api.sda
com.sap.security.api.jar
C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
services
dbpool
opensqllib.jar
C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
services
jmx
jmx_sec.jar
C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
ext
webservices_lib
jaxm-api.jar
C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
services
keystore
keystore.jar
C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
services
security
security.jar
C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
services
basicadmin
jstartupapi.jar
C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
ext
security.class
tc_sec_saml_jaas.jar
C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
services
connector
connectorimpl.jar
C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
ext
webservices_lib
webservices_lib.jar
C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
ext
security.class
tc_sec_jaas.jar
C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
ext
security.class
tc_sec_saml_service_api.jar
C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
ext
security.class
tc_sec_userstore_lib.jar
C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
ext
webservices_lib
saaj-api.jar
C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
ext
com.sap.security.core.sda
com.sap.security.core.jar
C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
ext
com.sap.security.core.sda
com.sap.security.core.tpd.jar
C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
ext
security.class
tc_sec_csi.jar
C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
ext
security.class
tc_sec_ssf.jar
C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
services
userstore
userstore.jar
C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
services
dbpool
sqljimpl.jar
C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
ext
security.class
tc_sec_saml_xmlbind.jar
C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
ext
security.class
tc_sec_saml_util.jar
C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
services
dbpool
dbpool.jar
C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
services
deploy
deploy.jar
C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
ext
security.class
tc_sec_saml_toolkit_core.jar
C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
services
jmx
jmx.jar
C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
ext
security.class
tc_sec_compat.jar
C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
services
jmx_notification
jmx_notification.jar
C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
services
configuration
configuration.jar
C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
services
basicadmin
jstartupimpl.jar
C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
ext
security.class
tc_sec_https.jar
C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
services
basicadmin
basicadmin.jar
C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
ext
security.class
tc_sec_jaas_test.jar
C:
usr
sap
EQ2
J13
j2ee
cluster
server1
bin
ext
com.sap.security.api.sda
com.sap.security.api.perm.jar
Loading model: {parent,local,references}
at com.sap.engine.frame.core.load.ReferencedLoader.loadClass(ReferencedLoader.java:348)
at com.sap.engine.services.security.Util.loadClass(Util.java:262)
at com.sap.engine.services.security.Util.loadClassFromAdditionalLoaders(Util.java:204)
at com.sap.engine.services.security.login.LoginContextFactory.init(LoginContextFactory.java:92)
... 45 more
#1.5#001321B3B106005C0000000900002E380004039375E5A109#1129831779936#com.sap.engine.services.security#sap.com/irj#com.sap.engine.services.security#Guest#1####ae7c5500419411daa7fd001321b3b106#SAPEngine_Application_Thread[impl:3]_17##0#0#Error##Java###Cannot load login module class .#1#com.customer.portal.login.IPRuleLoginModule#Hi,
The problem was solved by using the name customer.com~com.customer.portal.login.IPRuleLibrary for the library (so basically look at the name of your library folder under cluster\j2ee\serverx\bin\ext , not the name reported by visual admin).
Also I was able to modify the properties of the login module runtime, which made me very happy
Dagfinn -
Urgent: JAAS Login Module Deployment Problem
Hi,
I have developed a JAAS Login module for the portal (EP6 SP9 sneak preview) and i am getting the following error:
GroupAssignmentLoginModuleLibrary does not exist in LoadContextWrapper.modifyName.
com.sap.engine.services.security.exceptions.BaseSecurityException: Can not load a login Module
The next line is a ClassNotFoundException for the Login Module and the class found in negative cache.
Please let me know if you know the solution to this problem.
It is an urgent issue and a solution will be suitably rewarded.
Regards,
VibhuHi Diego,
Scenario 1: SAP EP to SAP Backend Integration
In this scenario the most commonly used strategy
is SAP logon tickets. As far as I know this is the
best and simple way to implement SSO.
Scenario 2: SAP EP to Non SAP systems.
In this scenario various mechanisms can be used.
It depends on the application you are integrating
with. SAP does deliver SSO soultions with Lotus
Notes and Outlook etc. If supported probably it is
simple to use the SAP solution [Reliability and
Support].
Scenario 3: Enterprise Uses third party authetication
Software.
For the authntication if the company chooses to use
some third party product like SiteMinder etc, then
you can simply use this solution for SAP EP authe-
tication, and also all your other enterprise
applications based on the product support. But SAP
EP to other SAP systems be best integrated with SAP
logon tickets.
Scenario 4: SSO using homegrown authetication or some
third party JAAS module.
If you have significant applications that are home
grown that uses some custom authentication mecha-
nism (Example: Authentication based on ID and
Password stored in company database ) you can write
a JAAS module extention to authenticate using that
database. In other words JAAS is flexible and
for using external authentication mechanisms.
There are several mechanisms available that all depends
on your internal applications/security mechanism/integration etc.
Here is the link to one of the good articles on SDN about the SAP supported SSO mechanisms.
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/uuid/58094632-0301-0010-a391-fc0de26f010e
Hope this information is useful.
-Venkat Malempati -
Configure JAAS login module stack to support x.509 certificates without SSL
I want to use x.509 certificates for authentication against a EP 7.0 but I dont want to have SSL traffic on the network segment where the portal resides. Obviously the SSL must be terminated in an application gateway that sends the certificate to the portal in the header.
I know that AcceptClientCertWithoutSSL must be set to true in the http provider and that ClientCertificateHeaderName is the name of the header variable that contains the users certificate, default is SSL_CLIENT_CERT.
What I dont know is how to configure my JAAS login module stack, my suggestion would be this:
EvaluateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
ClientCertLoginModule OPTIONAL {Rule1.getUserFrom=SSL_CLIENT_CERT}
CreateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
BasicPasswordLoginModule REQUISITE {}
CertPersisterLoginModule OPTIONAL {Rule1.getUserFrom=SSL_CLIENT_CERT}
CreateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
My concern is does the ClientCertLoginModule and the CertPersisterLoginModule read from the header variable? If they dont, is there another login module that should be used in this case?Hi Claus,
you got the flags right but the options of the login modules (LM) are wrong, so the certificate authentication won't work.
There's two problems I see: (1) Rule1.getUserFrom is not a valid option for the LM CertPersisterLoginModule, and (2) SSL_CLIENT_CERT is not a valid value for the option Rule1.getUserFrom of the ClientCertLoginModule.
Looking at this topic:
http://help.sap.com/saphelp_nw2004s/helpdata/en/ea/301e3e6217b40be10000000a114084/content.htm
the header variable used to pass the certificate is maintained in the HTTP provider service properties but since you use the default you don't need to maintain that part of the config. You also don't need the CertPersisterLoginModule in the config because it is used for automatic certificate mapping, which doesn't work when you don't have SSL to the portal.
So with the above said your LM stack config should look like this:
EvaluateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
ClientCertLoginModule OPTIONAL {Rule1.getUserFrom=wholeCert}
CreateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
BasicPasswordLoginModule REQUISITE {}
CreateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
If this doesn't work I'd suggest opening a support ticket.
Regards,
Yonko -
JAAS Login Module Redirect to Iview
I am having some difficulty getting a redirect to an Iview to work in our custom JAAS Login Module. This code works in our current production environment, using Portal version EP6.0 SP2 Patch 35:
callbacks[0] = new com.sap.security.api.logon.WebCallback();
HttpServletResponse rsp = ((WebCallback) callbacks[0]).getResponse();
rsp.sendRedirect(this.changepasswordurl + this.username); //get url from property
But this nearly identical code is not working in our development environment, running NetWeaver:
WebCallback wcb = new WebCallback ();
this.callbackHandler.handle(new Callback [] {wcb});
HttpServletResponse rsp = wcb.getResponse();
myLoc.infoT("URL: " + this.changepasswordurl + this.username);
rsp.sendRedirect(this.changepasswordurl + this.username); //get url from property
When the rsp.sendRedirect statement is executed, I get a stack dump:
#1.5#00306EF4D7AD0048000000550000576000040C5F45EBE199#1139503241315#com.nike.portal.auth.PortalLoginModule#sap.com/irj#com.nike.portal.auth.PortalLoginModule#Guest#192####cd56b800998a11da8f7300306ef4d7ad#SAPEngine_Application_Thread[impl:3]_9##0#0#Info##Plain###URL: https://dev.XXXXX.com/irj/servlet/prt/portal/prtroot/pcd!3aportal_content!2fnikeconnect!2fiviews!2fcommon!2fMyInfo!2f1-com-nike-iv_b2s-change-password?userid=ncportal02@yahoo.com#on!2fMyInfo!2f1-com-nike-iv_b2s-change-password?userid=ncportal02@yahoo.com#
#1.5#00306EF4D7AD0048000000570000576000040C5F45EC2971#1139503241326#com.sap.engine.services.security#sap.com/irj#com.sap.engine.services.security#Guest#192####cd56b800998a11da8f7300306ef4d7ad#SAPEngine_Application_Thread[impl:3]_9##0#0#Error##Java###Error in some of the login modules.
[EXCEPTION]
#1#com.sap.engine.services.security.exceptions.BaseLoginException: Error in some of the login modules.
at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:149)
at java.security.AccessController.doPrivileged(Native Method)
at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:153)
at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
at sun.reflect.GeneratedMethodAccessor260.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:324)
When I cut the exact URL being redirected to from the trace log and paste it into a browser, it goes to the page just fine.
Can anyone suggest a different method of performing a redirect from withing my JAAS Login Module in NetWeaver? I'm thinking maybe I'm not getting the response object properly - any ideas?
Thank you...
DaveThanks for the pointers. We were able to get an SAP developer to take a look at this and he coded up this solution, which takes what you suggested and filled in all the blanks. I am baffled as to how I would have figured this out on my own (like the RESPONSE_CODE value of 302), given the limited documentation around the HttpCallback. We haven't had the opportunity to try this yet - I'll respond with a new post either way to let you know. Anyway, here's the code snippet for how to perform a redirect:
In the custom JAAS Login Module:
setRedirect(callbackHandler, this.changepasswordurl);
This is the setRedirect method:
private void setRedirect(CallbackHandler ch, String redirectURL)
throws IOException, UnsupportedCallbackException
HttpSetterCallback setRCodeCB = new HttpSetterCallback();
setRCodeCB.setType(HttpCallback.RESPONSE_CODE);
setRCodeCB.setName("Moved Temporarily");
setRCodeCB.setValue("302");
HttpSetterCallback setRedirCB = new HttpSetterCallback();
setRedirCB.setType(HttpCallback.HEADER);
setRedirCB.setName("Location");
setRedirCB.setValue(redirectURL);
Callback[] cbSetter = new Callback[2];
cbSetter[0] = setRCodeCB;
cbSetter[1] = setRedirCB;
ch.handle(cbSetter); -
JAAS Login Module development/deployment - getting en error
Guys,
I have developed a JAAS Login Module (as per the SAP documentation) and configured the J2EE Engine (as per the SAP documentation) for this module to sit amongst several other standard modules, but I have a problem. I am unable to get the Module working on one portal instance and I am getting an error in the default.trc file when the server restarts after SDM deployment.
The error is: "cannot load login module class....... java.lang.ClassNotFoundException........"
The whole thing works on another instance of EP6 SP16,17 and 18..... however it does not work on this one completely separate instance (there probably are configuration difference between these instances!)
Im not quite sure, given this set of circumstances, what could be causing the Login Module not to load. Which part of the configuration of the J2EE engine should I look in, something perhaps overlooked in the documentation?
Thanks
AdrianWith some help I have now solved this.
In the properties tab of Security Provider, the reference to your login module in the classloader needs to be prefixed with library:~<provider>. For the default SAP example the provider in com.sap...... or whatever you have changed it to. -
Accessing LDAP in a custom JAAS login module
Hi,
I have developed a custom jaas login module in CE 7.1. I created a java dc which contains a class extending AbstractLoginModule. This DC is deployed on to the server using an EAR DC. I am trying to access LDAP in the custom login module. I am trying to establish an SSL connection to LDAP. For this purpose i have created a custom socket factory class which extends SSLSocketFactory. I used the code below to establish the connection.
Hashtable<String,String> env=new Hashtable<String,String>();
DirContext dirContext=null;
env.put(Context.INITIAL_CONTEXT_FACTORY,"com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL,ldapURL);
env.put(Context.SECURITY_PROTOCOL,"ssl");
env.put("java.naming.ldap.factory.socket", "com.test.ldap.MySSLSocketFactory");
dirContext=new InitialDirContext(env);
MySSLSocketFactory is the name of custom socket factory.
During a login process, the above code results in error because the connection to LDAP server could not be established. However the same code when executed in a webdynpro DC is working without any problem. What could be the reason for this?
This is the error i could see in defaultTrace
javax.naming.CommunicationException: js24.na.domain.net:636 [Root exception is java.lang.ClassNotFoundException: com.test.ldap.MySSLSocketFactory
Loader Info -
ClassLoader name: [service:security]
Living status: alive
Direct parent loaders:
[system:Frame]
[library:j2eeca]
[service:timeout]
[service:com.sap.security.core.ume.service]
[service:adminadapter]
Resources:
/usr/sap/SV3/J10/j2ee/cluster/bin/services/security/lib/private/sap.comtcjesecurityimpl.jar
at com.sun.jndi.ldap.Connection.<init>(Connection.java:205)
at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:118)
at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1579)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2681)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:299)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
at com.sap.engine.system.naming.provider.DefaultInitialContext._getDefaultInitCtxt(DefaultInitialContext.java:64)
at com.sap.engine.system.naming.provider.DefaultInitialContext.<init>(DefaultInitialContext.java:45)
at com.sap.engine.system.naming.provider.DefaultInitialContextFactory.getInitialContext(DefaultInitialContextFactory.java:41)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:247)
at javax.naming.InitialContext.init(InitialContext.java:223)
at javax.naming.InitialContext.<init>(InitialContext.java:197)
at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:82)Hi,
I used an EJB to perform the LDAP search and called the EJB from the login module. It is working as expected.
Regards,
Shabeer -
How to deploy and configure custom JAAS login module
Dear Experts,
I have created a custom jaas login module, In my .jar I am having
1. MyLoginModule.class
2. Handler.class
3. MyPrincipal.class
I want to know how to deploy the custom jaas module to oc4j. And make available to all
other application to use the same for authentication & authorization. Please suggest me.
Thanks,
Rajesh AThis article does not mention that you can put the <jazn-loginconfig> tag into the orion-application.xml as well.
Much easier to deploy and test.
--olaf -
Howto put custom JAAS Login Module into NWDI
Hi there!
We are currently in migration phase and want to integrate existing codings to NWDI. We mainly had Web Dynpro projects which we figured out how to migrate through discovering help.sap.com
Formerly I developed a custom JAAS login module which is productive on our portal systems. Now I would like to integrate it to NWDI. Is this possible in general?
Best Regards
ChristianCan you clarify a bit more what didn't work? What issues do you face?
Our setup for security.jar (which is not available in one of the base SC's) (for the rest try to use as many base DC's as possible):
1. Create External Library DC for security.jar
2. Add security.jar to libraries folder, add to new pp for Compilation
3. Create J2EE Library DC for loginmodule
4. Create Java Library DC for loginmodule as Child DC
5. Define the External Library DC as Used DC of the Java DC, referencing the Compilation pp (Only a Build time dependency, since this will not be deployed, instead you'll reference the registered interface, see below).
6. Create a public part for Assembly in the Java DC. Add all your loginmodule classes to the pp.
7. Define the Java DC as Used DC of the J2EE Library DC, referencing the Assembly pp (only Build time dependency). (this packages the loginmodule jar in the J2EE library)
8. Create a provider.xml in the 'server' folder of the J2EE Library DC
9. Define references to libraries used by the Child DC and the Child DC's jar:
<references>
<reference
provider-name="sap.com"
strength="weak"
type="library">com.sap.security.api.sda</reference>
<reference
provider-name="sap.com"
strength="weak"
type="interface">security_api</reference>
<reference
provider-name="sap.com"
strength="weak"
type="library">com.sap.tc.Logging</reference>
<reference
provider-name="sap.com"
strength="weak"
type="library">servlet</reference>
</references>
<jars>
<jar-name>[vendor name]~[DC name]~Assembly.jar</jar-name>
</jars>
The J2EE Library DC has only one Used DC: The child Java DC.
The Java DC has Used DCs for anything you need to compile your loginmodule code.
Hope I didn't forget anything else.
Maybe you are looking for
-
Interest accrual method calculation for loan interest
Hello, Our company is using the Trsy module for intercompany loans with these settings on the deal: - Interest calculation method of 7 360/360 - Linear Interest Calculation and the - Pro Rata Temporis Calculation selected for both the first and last
-
Using LR 4.4, I'm seeing duplicate files not detected when the files have the same name and identical content (same MD5). Adobe support takes me here, although I'd rather file a bug. I've isolated a small test case where I have a directory with a sma
-
44 kHz of FPGA audio data..best way to implement?
I have a program that will be taking 4 channels of audio data using FPGA at 44 kHz. The user may only care about 1 channel, or they may care about all 4. This data could be taken for anywhere between 30 and 120 seconds. Worst case, from my calculatio
-
Overview page opens/highlighted the wrong tab, but the right view
Hi all, I'm Using EP7.0 and SP22.I copied the UWL iView from this location (content provided by Sap --> End User Content --> Standard Portal User --> iViews --> com.sap.netweaver.bc.uwl.iviews --> Universal Worklist). Changed the iView Properties: Di
-
New to Weblogic 7 - How do I verify digital certificates?
Hello, I am new to Weblogic and my department has 2 servers running Weblogic 7 and they have asked me to verify whether the servers have both root and intermediate digital certificates installed. How do I check for this?