Multiple LoginModules

Similar Messages

• Use of JAAS in WLS6 for sngle logon

  We're in the design stage of a product, which will be based on Weblogic Server 6 and are hoping to use JAAS.
  I'm quite new to WL in general and JAAS security and having read the documentation, I'm still not clear on a few points about how JAAS is used in WLS6.
  We're intending to provide a single logon for the system and then to log users on to other services such as email etc. behind the scenes, when the user requests them.
  Does JAAS in WLS6 support this and if so, how best could we achieve it?
  One idea I've read on the Sun site is that you can instantiate multiple LoginContexts at different times during the user session, each using a different Configuration pointing to different LoginModules to achieve this.
  A couple of other things I've come across which may be useful in this context are :-
  the <run-as-specified-identity> tag in the deployment descriptor
  LoginModules being able to share information
  Any help much appreciated
  Dave

  Sorry for the delay in replying, I was on vacation
  Dave <[email protected]> wrote in message
  news:[email protected]...
  >
  Thanks for the reply Alex.
  If we just have a single LoginContext with multiple LoginModules, wouldn'tthat mean that when a user logged-on, it would log them on to all of the
  services at the same time ?
  Yes, that is the sequence specified under JAAS
  We were trying to make it so that after the initial logon to the system,the user would be logged on to other services only when they accessed them
  explicitly. Does that mean that we need multiple LoginContexts still ?
  Unfortunately yes, you will need multiple LoginContext instances to do that.
  set configuration
  new context
  context.login
  context.getSubject
  Subject.doAs(subject, action)
  >
  I understand that WLS6 will only provide for JAAS Authentication, notAuthorisation. Does that mean I need to use it in conjunction with the
  existing Weblogic Authorisation, such as ACLs and Realms ?
  >
  The WLS6 JAAS implementation wrappers the existing ACL implementation and is
  independant of the realm being used. Internally the Subject.doAs method
  checks the ACLs of the user associated with the specified Subject instance.
  Can I also ask about the granularity of Resources that can be protected byaccess control. Would these be at the level of Servlets, beans etc.
  I believe you can but I'm not sure, check in the documentation on Servlets &
  beans or post a followup question in those groups
  >
  Is the Beta Refresh available for downloaded now ? If not, how soon doyou think it would be ?
  >
  The beta refresh should be available early the week of 11/13
  As regards the <run-as-specified-identity> tag in the deploymentdescriptor. Could you briefly explain its use and whether it would help us
  with our logon approach ?
  Again I'm not sure, again please post this to the associated group Servlets,
  Beans, etc.
  >
  Thanks very much for your help again.
  Dave
  "Alex McDonald" <[email protected]> wrote:
  Dave,
  The WLS 6 JAAS implementation will support what you intend. While there
  were
  several bugs in the initial WLS 6 Beta these have been fixed in the Beta
  refresh, if you need the updated files sooner I can send you a zip.
  I would suggest the following. Single LoginContext, multipleloginModules.
  Set your first configured loginModule to prompt for theusername/password,
  each of the following loginModules can than use that information behindthe
  scenes or prompt as needed for additional user info. Configure the first
  loginModule as REQUISITE so that it must succeed for the login process to
  continue. The WLS 6 JAAS sample loginModule implementation contains theWLS
  login information, additional email, etc services can be added to the
  Subject container as needed.
  Alex
  Dave <[email protected]> wrote in message
  news:[email protected]...
  We're in the design stage of a product, which will be based on WeblogicServer 6 and are hoping to use JAAS.
  I'm quite new to WL in general and JAAS security and having read thedocumentation, I'm still not clear on a few points about how JAAS is usedin
  WLS6.
  We're intending to provide a single logon for the system and then to
  log
  users on to other services such as email etc. behind the scenes, when the
  user requests them.
  Does JAAS in WLS6 support this and if so, how best could we achieve it?
  One idea I've read on the Sun site is that you can instantiate multipleLoginContexts at different times during the user session, each using a
  different Configuration pointing to different LoginModules to achievethis.
  >>>
  A couple of other things I've come across which may be useful in thiscontext are :-
  the <run-as-specified-identity> tag in the deployment descriptor
  LoginModules being able to share information
  Any help much appreciated
  Dave

• JAAS: unclear doc on LoginContext.login()

  I'm having difficulty understanding some of the javadoc text for
  LoginContext.login(). Consider these three paragraphs:
  If the commit phase of the authentication process fails, then the
  overall authentication fails and this method invokes the abort method
  for each configured LoginModule.
  If the abort phase fails for any reason, then this method propagates
  the original exception thrown either during the login phase or the
  commit phase. In either case, the overall authentication fails.
  In the case where multiple LoginModules fail, this method propagates
  the exception raised by the first LoginModule which failed.Specific questions:
  1. Is it only when the abort phase fails that the original
  exception should be propagated? How about when the abort phase
  passes (ie, I presume, when there's no error in executing the
  LoginModules' abort() methods)?
  2. That 3rd paragraph: should it really be part of the 2nd paragraph,
  or is it really a new thought? That is, should the first of multiple
  LoginModule exceptions be propagated only when the abort phase
  fails? Or should the first exception be propagated whenever there are
  any exceptions, even when the abort phase passes?
  General questions:
  Generally, LoginExceptions are thrown upon login()
  failures. I presume this is because you don't want to give specific
  reasons for failed login attempts back to JoeCracker.
  1. Should specific exceptions be propagated back at all?
  2. It seems that the onus of logging the real problems should be the
  responsibility of the LoginModule implementation, is that right? That
  way, JoeCracker can't find out the real reasons for the failures, but
  JoeLegitEmployee can walk over to the sysadmin and ask to peruse the
  LoginModule logs ... does this make sense?

  Perhaps I can simplify the questions ...
  It seems that the javadoc allows propagation of the original exception
  only in the case when the abort phase fails. Am I reading this
  right?
  Shouldn't it be OK to propagate the original LoginException for any
  sort of failure in overall authentication?

• LoginModule login() method being called multiple times

  I have a J2EE application that is deployed in Oracle 10g 10.1.2.0.2 that implements a cutom login module. The custom class (MyClassLoginModule) implements the LoginModule interface. Everything works great if the username and password entered by an end user are correct. However, it appears that if a user enters an incorrect password after failing authentication the container executes the MyClassLoginModule.login() method again. In some cases, it calls it serveral time each failing authentication.
  This wouldn't be a problem however, the username and password are also the end users workstation accounts. This behaviour is capable of locking their accounts in one failed attempt.
  Any help or insight would be greatly appreciated.

  We're using FORM based authentication. The problem is not with multiple requests, but appears to be an issue with the container. See the following for more info:
  LoginModule login method called twice on unsuccessful logins

• Multiple JAAS LoginModules: WL6.1 always calls default ServerLoginModule?

  Hello All,
  I'm trying to implement a set of custom LoginModule(s) to authenticate
  a user (an "application user", not a Weblogic admin). From a JSP login
  page, the app calls a Servlet that calls LoginContext("myLogin",
  myCallbackHandler).login(). I have also create a custom
  Callback/CallbackHandler (since the parameters are passed as HTTP
  parameters) and added the required parameters in lib\server.policy:
  myLogin {
  com.andrej.myLoginModule required;
  The problem is that it looks like WL always calls the default
  LoginModule (ServerPolicy from the lib\server.policy file) even if it
  doesn't correspond to "myLogin". Of course, my app crashes
  miserably... :)
  Two questions:
  - is the above normal? Am I missing something of JAAS?
  - am I following the right path i.e. can I use a custom LoginModule to
  authenticate an application user via an entity EJB so that the
  successive calls are then associated to the proper Subject/Principal?
  Or can I only use a LoginModule to authenticate a Weblogic server
  user?
  Thank you in advance!
  Andrej
  PS: if possible, I'd like to avoid using Weblogic-specific classes. :)

  You must specify two properties:
  weblogic.security.jaas.Configuration - your implementation of Configuration
  class
  weblogic.security.jaas.Policy - jaas config file location
  For example:
  System.setProperty("weblogic.security.jaas.Configuration",
  "examples.security.jaas.SampleConfig");
  System.setProperty("weblogic.security.jaas.Policy",
  "C:/Sample.policy");
  "Andrej" <[email protected]> wrote in message
  news:[email protected]..
  Hello All,
  I'm trying to implement a set of custom LoginModule(s) to authenticate
  a user (an "application user", not a Weblogic admin). From a JSP login
  page, the app calls a Servlet that calls LoginContext("myLogin",
  myCallbackHandler).login(). I have also create a custom
  Callback/CallbackHandler (since the parameters are passed as HTTP
  parameters) and added the required parameters in lib\server.policy:
  myLogin {
  com.andrej.myLoginModule required;
  The problem is that it looks like WL always calls the default
  LoginModule (ServerPolicy from the lib\server.policy file) even if it
  doesn't correspond to "myLogin". Of course, my app crashes
  miserably... :)
  Two questions:
  - is the above normal? Am I missing something of JAAS?
  - am I following the right path i.e. can I use a custom LoginModule to
  authenticate an application user via an entity EJB so that the
  successive calls are then associated to the proper Subject/Principal?
  Or can I only use a LoginModule to authenticate a Weblogic server
  user?
  Thank you in advance!
  Andrej
  PS: if possible, I'd like to avoid using Weblogic-specific classes. :)

• Multiple data sources with UME

  Hi,
  I want to run several (web) applications on my SAP WebAS. And these applications should have different user stores. That is, one should be a database, one a SAP ABAP System and another should be another ABAP System.
  How can I configure the UME correctly?
  Do I have to configure different data sources? Or do I have to write my own loginmodules?
  And what's the situation if I have WebDynpro Apps? There I cannot use custom loginmodules, can I?
  In the SAP Library it says that "UME can be configured to read and write user-related data from and to multiple data sources".
  http://help.sap.com/saphelp_nw04/helpdata/en/e5/618a3eacd49076e10000000a114084/frameset.htm
  Any hints?
  Best regards,
  Kilian.

  Hi Michael, hi John,
  All these 3 apps are independent, i.e. they have different users no "overlapping" users. We need for every independent, homogeneous group of users an own user store.
  As John stated, we can edit a UME configuration XML file and define multiple data sources in it. However, this is still a server-wide user store.
  Is there no way to assign an application to a user store or a UME data source and not have a server-wide user store?
  And if not where can I get a description of these "initial namespace-attribute-value triples" mentioned in the SAP Library on User-Based Data Partitioning (see http://help.sap.com/saphelp_nw04/helpdata/en/cd/eafc3f8fc2c542e10000000a1550b0/content.htm).
  Many thanks,
  Kilian

• How do multiple family members use iTunes.? One account or multiple?

  How do multiple family members use iTunes. One account right now but apps gets added to all devices and iTunes messages go to all devices.  Can multiple accounts be setup and still have ability to share purchased items?

  Hey Ajtt!
  I have an article for you that can help inform you about using Apple IDs in a variety of ways:
  Using your Apple ID for Apple services
  http://support.apple.com/kb/ht4895
  Using one Apple ID for iCloud and a different Apple ID for Store Purchases
  You can use different Apple IDs for iCloud and Store purchases and still get all of the benefits of iCloud. Just follow these steps:
  iPhone, iPad, or iPod touch:
  When you first set up your device with iOS 5 or later, enter the Apple ID you want to use with iCloud. If you skipped the setup assistant, sign in to Settings > iCloud and enter the Apple ID you’d like to use with iCloud.
  In Settings > iTunes and App Stores, sign in with the Apple ID you want to use for Store purchases (including iTunes in the Cloud and iTunes Match). You may need to sign out first to change the Apple ID.
  Mac:
  Enter the Apple ID you want to use for iCloud in Apple () menu > System Preferences > iCloud.
  Enter the Apple ID you want to use for Store purchases (including iTunes in the Cloud and iTunes Match) in Store > Sign In. In iTunes 11, you can also click iTunes Store > Quick Links: Account.
  PC (Windows 8):
  Enter the Apple ID you want to use for iCloud in the Control Panel. To access the iCloud Control Panel, move the pointer to the upper-right corner of the screen to show the Charms bar, click the Search charm, and then click the iCloud Control Panel on the left.
  Enter the Apple ID you want to use for Store purchases (including iTunes in the Cloud and iTunes Match) in iTunes. In iTunes 10, select Store > Sign In. In iTunes 11, click iTunes Store > Quick Links: Account.
  PC (Windows 7 and Vista):
  Enter the Apple ID you want to use for iCloud in Control Panel > Network and Internet > iCloud.
  Enter the Apple ID you want to use for Store purchases (including iTunes in the Cloud and iTunes Match) in iTunes 10 in Store > Sign In. In iTunes 11, click iTunes Store > Quick Links: Account.
  Note: Once a device or computer is associated with your Apple ID for your iTunes Store account, you cannot associate that device or computer with another Apple ID for 90 days. Learn more about associating a device or computer to your Apple ID.
  Thanks for using the Apple Support Communities!
  Cheers,
  Braden

• How do I move multiple dimension members up one level in planning?

  I can't figure out how to select multiple members.
  I hope I don't have to cut and paste them individually.

  ODI maybe ?
  Cheers
  John
  http://john-goodwin.blogspot.com/

• How can I setup a mail-specific passcode/restriction on iPad used by multiple family members?

  How can I setup a mail-specific passcode/restriction on iPad used by multiple family members?
  Have an Exchange mail account setup and accessible in my mail on iPad... however my kids use it and i would like to restrict them from accessing this specific portion of the device.  I tried viewing restriction options and do not see that i can apply a restriction specifically to Mail.  Thanks for your help.

  Not a feature of iOS. Check the AppStore to see if there are other
  mail apps that allow passcode protection.
  Or use Safari to log onto your email via a web-based interface and
  enter your credentials each time. A bit slower, but the kids will
  not know the details to login.

• How can a family with multiple existing accounts use Home Sharing?

  I'd like to use the new Home Sharing feature, but it appears to be restricted to families in which all of the family members share a single user account.
  We already have separate accounts for each family member. Is there some way for us to use Home Sharing without abandoning most of our existing accounts, along with all of the purchases made by those accounts? I don't think anyone in this situation would be willing to do that.

  Eh. I am not too sure since I have not messed with it much but I do have a great deal of experience with multiple accounts. Each computer can be authorized for multiple accounts. As can iPods. iPods can sync songs/videos/apps from multiple accounts as long as the computer is authorized with them. What I have set up here, is I buy my stuff I want, my parents buy what they want and so do my brothers. When my bro gets something I want I just move it to my computer. That way all our accounts are separate, but if there is something I want I can get it. Also, since the music no longer has DRM, it won't matter. It will play on any computer. What you should see is if you can just do the shared library with multiple accounts. Then if you don't have videos or such, you can get apps or music. Hope this helps!

• How can multiple users use the same Creative Cloud Individual on one single-machine?

  We have one shared graphics workstation, which is infrequently in use by different people - therefore we bought a single-workstation license (which we were referred to "Creative Cloud Individual"). In the FAQs it says it installs locally, but whenever a user different from the installing adminstrator logs in, he is forced to use the trial.
  Is there a way to make the local installation usable on that single machine for multiple users?
  Thanks in advance for your reply

  Serenatasystems do the other users not have administrator access?  What happens if they sign in using the Adobe ID tied to your Creative Cloud subscription?  Do your Adobe Creative applications then exit trial mode?

• How can I use multiple ipad's on one account without sharing individuals personal email accounts?

  Is it possible to have multiple ipads on one account and share info, but also allow the individual users to have personal email that is not seen on the other ipad's? We have all ipads on same icloud account because we all need to see the same ical. It seems like that's the problem. If it IS related to icloud then if we have separate icloud accounts, how would we share the main ical otherwise? Sharing the ical is very important for this business so everyone can access the daily schedule. Of course each user still wants to have private email.
  Hope this wasn't too confusing!
  Thanks!
  Doreen

  you could set up the main icloud itunes acount for ical and not have in setup on the devices
  and share the calandar with the other itunes accounts on the devices
  or only have it on one device
  devices have the users indervidual itunes icloud setup
  they should be able to access the shared "main" itunes icloud ical account once it's shared
  http://howto.cnet.com/8301-11310_39-57542557-285/three-methods-for-sharing-an-ic loud-calendar/
  if the devices are company owned you could go futher and setup find my iphone on the main itunes account
  and not on the user icloud accounts

• What happens on iCloud (ex. contacts) when multiple family members use the same Apple ID?

  What happens on iCloud when multiple family members use the same Apple ID?  For example if we all choose to use iCloud for contacts, are they all merged together?  We use the same Apple ID so we can use find my iPhone to keep track of the whole family.

  Of course if you are both connected to the same iCloud account you have the same contacts - what did you expect?. The contacts live on the server and are read from there by the devices; so as you've both managed to sync your contacts up to iCloud they are now inextricably mixed. You can only delete your contacts by deleting individual ones, and doing that will delete them from your phone as well.
  You can only unravel this by
  1. In the iCloud contacts page at http://icloud.com, select all the contacts, click on the cogwheel icon at bottom left and choose 'Export vCard'.
  2. Sign out of System Preferences>iCloud
  3. Create a new Apple ID and open a new iCloud account with it for your own use.
  4. Import the vCard back into the iCloud contacts page.
  5. Go to http://icloud.com and sign in with the original ID. This is now his ID. Work through the contacts individually deleting the ones you don't want him to have. When done sign out and advise him to change his password.
  6. Go to the new iCloud account and delete his contacts individually.
  Of course if you have also been syncing calendars and using the same email address there are problems with doing this.

• ICloud with multiple family members sharing one iTunes account?

  How will iCloud work for the case where multiple family members share an iTunes account but each has his/her own iPhone/iPad/PC?
  Will iCloud replicate content based on email address, unique Apple ID, iTunes account, or??  If iTunes, we could have trouble as three of us share our iTunes account (started when our daughter was young and continued for simplicity).

  Keep one Apple ID for iTunes purchases (apps, music, etc.) for all family members on the iTunes Store and use different Apple IDs for each iCloud user. That worked for me.

• HT204053 I have multiple family members using one apple id account and all of each others information is going onto each others phones/how do i stop this?

  I have multiple family members using one apple id and all of our data is going onto each others phones/how do i stop this?

  Each person needs to have their own separate Apple ID along with their own separate computer user account and iTunes Library.