Permission to assert Identity in weblogicDEFAULT realm
Hi,
Which users have the permission to assert identity in weblogic default realm? Is it only the "system" user?
The user is authenticated using the username token at WS-Security runtime and the current subject has only the authenticated user as the principal.
Now, when I try to assert the identity of another user with the call
weblogic.security.services.Authentication.assertIdentity(mytoken, token.getBytes)
I get the following exception:
java.lang.SecurityException: isAccessAllowed: currentSubject: principals=[in_user] does not have permission to assert identity of type mytoken in realm weblogicDEFAULT
I have a custom identity asserter for this token.
Where do I have to set the permissions for in_user to allow it to assertIdentity?
Please help.
I think I found the issue. The domain has a security policy specifically to control Identity Assertion.
Domain > Security > Policies > Identity Assertion
Add a new policy that will allow access to Identity Assertion. I've allowed access to everyone in my dev environment and I no longer get the error.
Similar Messages
-
Topology: CUCM ---- SIP ---- CUBE ---- SIP ---- SP
Sometimes, when I place a call, it redirects it to an internal extension. The only SIP message that I can see being sent when that happens is a 180 ringing with a p-asserted-identity in it. It only happens about 50% of the time. example: I dial 9.8001234567 and end up talking to someone at extension 3041. The Dialed Number Analyzer shows everything correctly. This SIP message is below. HELP!! please
10/01/2013 08:59:39.274 CCM|//SIP/SIPUdp/wait_SdlSPISignal: Outgoing SIP UDP message to -CUBE--->10.3.20.240:[5060]:
SIP/2.0 180 Ringing
Date: Tue, 01 Oct 2013 13:59:39 GMT
Call-Info: <sip:-CUCM--->10.3.20.10:5060>;method="NOTIFY;Event=telephone-event;Duration=500"
Allow: INVITE, OPTIONS, INFO, BYE, CANCEL, ACK, PRACK, UPDATE, REFER, SUBSCRIBE, NOTIFY
From: <sip:5141234567@--SP Edge device----->22.22.22.22>;tag=739821B4-19C2
Allow-Events: presence
P-Asserted-Identity: "Switchboard" <sip:[email protected]>
Supported: X-cisco-srtp-fallback
Supported: Geolocation
Remote-Party-ID: "Switchboard" <sip:[email protected]>;party=called;screen=yes;privacy=off
Content-Length: 0
To: <sip:[email protected]>;tag=87d22a15-fd7d-492e-85ed-0dc8d67386d5-30912190
Contact: <sip:[email protected]:5060>
Call-ID: [email protected]
Via: SIP/2.0/UDP 10.3.20.240:5060;branch=z9hG4bK2D01637
CSeq: 101 INVITE
My guess is that the call got hairpinned back to CUCM by the provider or CUBE. We need to see the full trace from CUBE to be sure. PAI is really just attempting to indicate who the call is actually alerting because the From and To headers cannot change after the INVITE message.
The fact that CUCM is sending a 180 RINGING message implies that it is processing an *incoming* call. This is reinforced by the headers because the From header is the SP SBC, the via header is CUBE, and the To header is CUCM. Inbound call!
Compare the Call-ID of the SIP INVITE CUCM first sends to CUBE for your outbound call to the one shown in this message. Are they different?
Run these if you want us to look deeper. If you have multiple calls going be certain to point out the calling/called number and the IPs if any differ from what you have called out above.
show run | section dial-peer
debug ccsip messages
debug voip dialpeer
Please remember to rate helpful responses and identify helpful or correct answers. -
P-Asserted-Identity header being dropped by WLSS
Hello,
My SIP Servlet receives an INVITE request containing a P-Asserted-Identity header and a Privacy header and proxies it. But WLSS removes the P-Asserted-Identity header when the Privacy header value is "id".
Otherwise, my sipserver.xml specifies all hosts as trusted:
<?xml version="1.0" encoding="UTF-8"?>
<sip-server xmlns="http://www.bea.com/ns/wlcp/wlss/210">
  <sip-security>
    <trusted-authentication-host>*</trusted-authentication-host>
    <trusted-charging-host>*</trusted-charging-host>
  </sip-security>
  <engine-call-state-cache-enabled>true</engine-call-state-cache-enabled>
</sip-server>
Can someone help me?
Hi,
I am facing the same issue. I have configured the trusted host in sipserver.xml. Still, when privacy=id is present, WLSS is stripping the asserted header.
Did you find any solution for this?
If so, please share it. Can anybody shed some light on it?
Thanks in advance
jj -
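The two SIP threads above turn on the same two things: whether a 180 Ringing belongs to the dialog of the INVITE you sent (the Call-ID comparison suggested in the CUCM thread), and what a proxy does with P-Asserted-Identity when Privacy: id is present. The second is the RFC 3325 section 5 rule for forwarding PAI across a Trust Domain boundary; the following added example (not code from either thread or from WLSS) implements both checks over a constructed message, treating "*" in the trusted-host list as a wildcard the way the sipserver.xml above uses it. Whether WLSS applies the rule exactly this way with a wildcard trust list is not settled in the thread.

```python
"""Added example (not from either thread): parse a SIP message and apply the
RFC 3325 P-Asserted-Identity forwarding rule at a Trust Domain boundary.
All messages and addresses here are constructed."""
from typing import Dict, List, Set, Tuple

Headers = Dict[str, List[str]]

# Constructed 180 Ringing modelled on the CUCM trace above; hosts are documentation addresses.
SAMPLE_180 = (
    "SIP/2.0 180 Ringing\r\n"
    "From: <sip:5141234567@203.0.113.22>;tag=739821B4-19C2\r\n"
    "To: <sip:8001234567@192.0.2.10>;tag=87d22a15-30912190\r\n"
    "Call-ID: 7a1c2f9e-4b3d@192.0.2.240\r\n"
    "CSeq: 101 INVITE\r\n"
    "Via: SIP/2.0/UDP 192.0.2.240:5060;branch=z9hG4bK2D01637\r\n"
    'P-Asserted-Identity: "Switchboard" <sip:3041@192.0.2.10>\r\n'
    "Privacy: id\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_sip(raw: str) -> Tuple[str, Headers]:
    """Return (start line, headers). Header names are case-insensitive in SIP,
    so they are lower-cased; a header that repeats keeps every value, in order."""
    lines = raw.replace("\r\n", "\n").split("\n")
    start_line = lines[0].strip()
    headers: Headers = {}
    for line in lines[1:]:
        if line.strip() == "":          # blank line terminates the header section
            break
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return start_line, headers


def same_dialog(headers: Headers, invite_call_id: str) -> bool:
    """The check suggested in the CUCM thread: a 180 whose Call-ID differs from the
    outbound INVITE's belongs to another call (e.g. one hairpinned back inbound)."""
    return headers.get("call-id", [""])[0] == invite_call_id


def host_trusted(host: str, trusted: List[str]) -> bool:
    """Trust Domain membership; '*' matches every host, as in the sipserver.xml above."""
    return "*" in trusted or host in trusted


def privacy_tokens(headers: Headers) -> Set[str]:
    """Privacy header values, e.g. 'id' or 'id;header', as a lower-cased set."""
    tokens: Set[str] = set()
    for value in headers.get("privacy", []):
        tokens.update(t.strip().lower() for t in value.split(";") if t.strip())
    return tokens


def headers_for_next_hop(headers: Headers, received_from: str,
                         next_hop: str, trusted: List[str]) -> Headers:
    """RFC 3325 section 5 as a proxy applies it when forwarding:
    - PAI received from an untrusted node is never propagated;
    - PAI received from a trusted node is kept when the next hop is trusted;
    - toward an untrusted next hop, PAI must be removed if Privacy contains 'id'.
    Returns a new header map; the input is not modified."""
    out = {name: list(values) for name, values in headers.items()}
    if not host_trusted(received_from, trusted):
        out.pop("p-asserted-identity", None)
        return out
    if host_trusted(next_hop, trusted):
        return out
    if "id" in privacy_tokens(headers):
        out.pop("p-asserted-identity", None)
    return out


if __name__ == "__main__":
    start, hdrs = parse_sip(SAMPLE_180)
    print(start, "| same dialog as INVITE abc@192.0.2.10:", same_dialog(hdrs, "abc@192.0.2.10"))
    for hop, trust in (("192.0.2.240", ["*"]), ("198.51.100.5", ["192.0.2.240"])):
        fwd = headers_for_next_hop(hdrs, "192.0.2.240", hop, trust)
        print("to", hop, "PAI kept:", "p-asserted-identity" in fwd)
```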
Retrieving asserted identity is slow
Hi All,
We are using SAML assertions from many different applications (each hosted on a different domain, e.g. foo.com, bar.com, etc.). All apps are protected by SSO. We use the Hub and Spoke model as documented here:
http://download.oracle.com/docs/cd/B28196_01/idmanage.1014/b25355/deployinstall.htm#CHDJGEEE
Each app goes through OIF, and retrieving the asserted identity during each access to a resource is causing a huge load and killing us in performance. We have OIF configured with OID. We are using the Oracle 10.2 stack.
Any suggestions to optimize this is highly appreciated.
Thanks
Vissu
Metalink Note 435023.1: Optimizing Search Operations in OID 10.1.4 With Parameter orclinmemfiltprocess to Avoid Matching Many Entries in the Database
http://www.oracle.com/technology/products/oid/pdf/oid_tuning_configuration_quickreference_01.pdf
Pay special attention to the following section:
Tuning OID in OAM (COREid) and OIF deployments
-shetty2k -
Hi all
Does anyone know how I can define a group in the AgentRealm of the Policy Agent?
I already map roles to principals using sun-web.xml and it works, but I don't know how to define a group in the AgentRealm so that I can map a role to a group of users using sun-web.xml.
Thanks a lot
I had the same problem, and I discovered that although in the sun-web.xml descriptor you map security-roles to group-names, you must declare Roles in the identity server (with the name of the group-name in your descriptor, of course).
Seems like Groups in the identity server are not used for authorization.
Hope this helps,
6q -
SAML assertion Identity provider - SSO for ALL users
Hi ,
If we have a Corp AD configured on Windows 7/ Windows 8
but SAP-EP-UME is hooked up to the Corp AD ( read only ).
Can we consider the Active directory system(Windows ) to be the IDENTITY PROVIDER
and configure the SAP-EP ( portal to be the SERVICE PROVIDER) for SSO ?
Edited by: Franklin Jayasim on Aug 7, 2010 12:47 AM
Hi,
I don't have any experience with AD as IdP, but you can find on the net that AD can be a SAML 2.0 identity provider. The question is whether it's part of the standard installation or there is an extra cost. SAP supports only a subset of the standard, but I assume that it covers all basic scenarios, so it should be possible.
But if you want to play then have a look at project [Shibboleth|http://shibboleth.internet2.edu/]. It's an open source project and it supports Active Directory as identity store. I want to test it by myself with CE7.2 but I don't know when I'll have time.
Cheers -
Realm of my application for identity and access
I plan to replace Azure cloud services' provided subdomain (myapp.cloudapp.net) with our own domain, customDomain.com. I eventually find out that I cannot do that. I have to configure a custom domain name to route traffic to myapp.cloudapp.net. Why does Azure not allow me to replace myapp.cloudapp.net with my own custom domain? I end up having two domains for one site. Please look at this site:
http://azure.microsoft.com/en-us/documentation/articles/cloud-services-custom-domain-name/
That custom domain name also has an SSL certificate from a CA. In addition to that, I also use single sign on for my application (Identity and Access). In this case, I configure the Identity and Access (realm of my application) with my custom domain name.
Is this the right way? It does not make sense to configure this with myapp.cloudapp.net. I currently have issues with ADFS but I could not figure out why.
Hi,
The following article might be helpful for your case.
Domain mapping, Domain forwarding, SSL certificate for Windows Azure
http://blogs.msdn.com/b/sriharsha/archive/2012/02/25/domain-mapping-on-windows-azure.aspx
Hope it helps!
Thanks.
Dharmesh Solanki
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected] -
Access request in the identity asserter's assertIdentity method
Hello,
While asserting identity of the user i need to access the request in order to get a specific header.
I tried to use IdentityAsserterV2 and AuthenticationProviderV2 but build of the asserter failed because
the classes IdentityAsserterV2Impl, IdentityAsserterV2MBean, AuthenticationProviderV2Impl, AuthenticationProviderV2MBean are not found.
We are using Weblogic 8.1SP5.
Could someone help me.
Thank you.
I was able to read the headers successfully by getting the HttpServletRequest from the ContextHandler.
import javax.security.auth.callback.CallbackHandler;
import javax.servlet.http.HttpServletRequest;
import weblogic.security.service.ContextHandler;
import weblogic.security.spi.IdentityAssertionException;

public CallbackHandler assertIdentity(String type, Object token, ContextHandler context)
        throws IdentityAssertionException {
    // WebLogic exposes the servlet request to identity asserters under this context element name
    Object requestValue = context.getValue("com.bea.contextelement.servlet.HttpServletRequest");
    // the element is absent for non-HTTP callers, so check before casting
    if (requestValue instanceof HttpServletRequest) {
        HttpServletRequest request = (HttpServletRequest) requestValue;
        java.util.Enumeration names = request.getHeaderNames();
        while (names.hasMoreElements()) {
            String name = (String) names.nextElement();
            System.out.println(name + ":" + request.getHeader(name));
        }
    }
    // remainder of the method (token validation, returned CallbackHandler) omitted
}
Thanks,
Faisal -
Domain and realm of my application for identity and access
I plan to replace Azure cloud services' provided subdomain (myapp.cloudapp.net) with our own domain, customDomain.com. I eventually find out that I cannot do that. I have to configure a custom domain name to route traffic to myapp.cloudapp.net. Why does Azure not allow me to replace myapp.cloudapp.net with my own custom domain? I end up having two domains for one site. Please look at this site:
http://azure.microsoft.com/en-us/documentation/articles/cloud-services-custom-domain-name/
That custom domain name also has an SSL certificate from a CA. In addition to that, I also use single sign on for my application (Identity and Access). In this case, I configure the Identity and Access (realm of my application) with my custom domain name.
Is this the right way? It does not make sense to configure this with myapp.cloudapp.net.
Hi,
If you want to configure SSL for azure cloud service, I think this article will help you:
http://azure.microsoft.com/en-gb/documentation/articles/cloud-services-configure-ssl-certificate/, if you want to ask some issues related to Identity and Access, I would suggest you move to azure Active Directory forum:
https://social.msdn.microsoft.com/Forums/en-US/home?forum=WindowsAzureAD
Best Regards,
Jambor
-
Security realm - Security:097533 - Developing own authentication provider
hi everyone,
I am developing my own authentication provider and I installed a security patch, so when I restarted the WebLogic server I encountered the exception below:
<10/05/2013 05:54:33 PM COT> <Error> <Security> <BEA-090870> <The realm "myrealm" failed to be loaded: weblogic.security.service.SecurityServiceException: com.bea.common.engine.ServiceInitializationException: com.bea.common.engine.SecurityServiceRuntimeException: [Security:097533]SecurityProvider service class name for AS400Realm is not specified..
weblogic.security.service.SecurityServiceException: com.bea.common.engine.ServiceInitializationException: com.bea.common.engine.SecurityServiceRuntimeException: [Security:097533]SecurityProvider service class name for AS400Realm is not specified.
at weblogic.security.service.CSSWLSDelegateImpl.initializeServiceEngine(CSSWLSDelegateImpl.java:341)
at weblogic.security.service.CSSWLSDelegateImpl.initialize(CSSWLSDelegateImpl.java:220)
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.InitializeServiceEngine(CommonSecurityServiceManagerDelegateImpl.java:1789)
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initializeRealm(CommonSecurityServiceManagerDelegateImpl.java:443)
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.loadRealm(CommonSecurityServiceManagerDelegateImpl.java:841)
Truncated. see log file for complete stacktrace
Caused By: com.bea.common.engine.ServiceInitializationException: com.bea.common.engine.SecurityServiceRuntimeException: [Security:097533]SecurityProvider service class name for AS400Realm is not specified.
at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:365)
at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:315)
at com.bea.common.engine.internal.ServiceEngineImpl.lookupService(ServiceEngineImpl.java:257)
at com.bea.common.engine.internal.ServicesImpl.getService(ServicesImpl.java:72)
at weblogic.security.service.internal.WLSIdentityServiceImpl.initialize(WLSIdentityServiceImpl.java:46)
Truncated. see log file for complete stacktrace
Caused By: com.bea.common.engine.SecurityServiceRuntimeException: [Security:097533]SecurityProvider service class name for AS400Realm is not specified.
at com.bea.common.security.internal.legacy.service.SecurityProviderImpl.init(SecurityProviderImpl.java:42)
at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:363)
at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:315)
at com.bea.common.engine.internal.ServiceEngineImpl.lookupService(ServiceEngineImpl.java:257)
at com.bea.common.engine.internal.ServicesImpl.getService(ServicesImpl.java:72)
Truncated. see log file for complete stacktrace
This is the config.xml:
<domain xmlns="http://xmlns.oracle.com/weblogic/domain" xmlns:sec="http://xmlns.oracle.com/weblogic/security" xmlns:wls="http://xmlns.oracle.com/weblogic/security/wls" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/weblogic/security/xacml http://xmlns.oracle.com/weblogic/security/xacml/1.0/xacml.xsd http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator/1.0/passwordvalidator.xsd http://xmlns.oracle.com/weblogic/domain http://xmlns.oracle.com/weblogic/1.0/domain.xsd http://xmlns.oracle.com/weblogic/security http://xmlns.oracle.com/weblogic/1.0/security.xsd http://xmlns.oracle.com/weblogic/security/wls http://xmlns.oracle.com/weblogic/security/wls/1.0/wls.xsd http://xmlns.oracle.com/weblogic/security/extension http://xmlns.oracle.com/weblogic/1.0/security.xsd">
<name>base_domain</name>
<domain-version>12.1.1.0</domain-version>
<security-configuration>
<name>base_domain</name>
<realm>
<sec:authentication-provider xsi:type="wls:default-authenticatorType"></sec:authentication-provider>
<sec:authentication-provider xsi:type="wls:default-identity-asserterType">
<sec:active-type>AuthenticatedUser</sec:active-type>
</sec:authentication-provider>
<sec:authentication-provider xmlns:ext="http://xmlns.oracle.com/weblogic/security/extension" xsi:type="ext:as400-realmType">
<sec:name>AS400Realm</sec:name>
<sec:control-flag>OPTIONAL</sec:control-flag>
</sec:authentication-provider>
<sec:role-mapper xmlns:xac="http://xmlns.oracle.com/weblogic/security/xacml" xsi:type="xac:xacml-role-mapperType"></sec:role-mapper>
<sec:authorizer xmlns:xac="http://xmlns.oracle.com/weblogic/security/xacml" xsi:type="xac:xacml-authorizerType"></sec:authorizer>
<sec:adjudicator xsi:type="wls:default-adjudicatorType"></sec:adjudicator>
<sec:credential-mapper xsi:type="wls:default-credential-mapperType"></sec:credential-mapper>
<sec:cert-path-provider xsi:type="wls:web-logic-cert-path-providerType"></sec:cert-path-provider>
<sec:cert-path-builder>WebLogicCertPathProvider</sec:cert-path-builder>
<sec:user-lockout-manager>
<sec:lockout-enabled>false</sec:lockout-enabled>
</sec:user-lockout-manager>
<sec:deploy-role-ignored>false</sec:deploy-role-ignored>
<sec:deploy-policy-ignored>false</sec:deploy-policy-ignored>
<sec:security-dd-model>DDOnly</sec:security-dd-model>
<sec:name>myrealm</sec:name>
<sec:password-validator xmlns:pas="http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator" xsi:type="pas:system-password-validatorType">
<sec:name>SystemPasswordValidator</sec:name>
<pas:min-password-length>8</pas:min-password-length>
<pas:min-numeric-or-special-characters>1</pas:min-numeric-or-special-characters>
</sec:password-validator>
</realm>
<default-realm>myrealm</default-realm>
<credential-encrypted>{AES}kyVB/9J9Fbvp11tAnYgn6grV6wQwNZZGHSh2JLQtesxS46Re+QCfIAttNE5JugllQvUHOhE+pz0AnEfYL2p5q2oeRsjqoQz2/1Lg8x+3WMoKic0xnRzw2RWoFjQo3F9x</credential-encrypted>
<node-manager-username>weblogic</node-manager-username>
<node-manager-password-encrypted>{AES}4jkSbv5dMOl6cRpRa4QwB83XVavtq168cV4L+NSFDcI=</node-manager-password-encrypted>
<cross-domain-security-enabled>true</cross-domain-security-enabled>
</security-configuration>
<server>
<name>AdminServer</name>
<listen-address>localhost</listen-address>
<staging-mode>nostage</staging-mode>
</server>
<embedded-ldap>
<name>base_domain</name>
<credential-encrypted>{AES}9YeG1UFRNQzM0v6/j8cFvT9x9fkJUl1FJOWGInl5dax26FgMNEVwKNxOBHvW2opm</credential-encrypted>
</embedded-ldap>
<configuration-version>12.1.1.0</configuration-version>
This is the MBean XML (A400Realmmbean.xml):
<?xml version="1.0" ?>
<!DOCTYPE MBeanType SYSTEM "commo.dtd">
<MBeanType Name = "AS400Realm" DisplayName = "AS400Realm"
Package = "co.com.claro.security"
Extends = "weblogic.management.security.authentication.Authenticator"
PersistPolicy = "OnUpdate"
>
<!-- the element is MBeanAttribute (case-sensitive, per commo.dtd) and the default is a
     Java string literal, so the fully qualified name of the runtime class must match
     the package declared in AS400Realm.java -->
<MBeanAttribute Name = "ProviderClassName" Type = "java.lang.String"
Writeable = "false"
Default =
"&quot;co.com.claro.security.AS400Realm&quot;"
/>
<MBeanAttribute Name = "Description" Type = "java.lang.String"
Writeable = "false" Default = "&quot;My Identity Assertion Provider&quot;"
/>
<MBeanAttribute Name = "Version" Type = "java.lang.String"
Writeable = "false" Default = "&quot;1.0&quot;"
/>
/>
</MBeanType>
and the runtime class:
AS400Realm.java:
/*
 * To change this template, choose Tools | Templates
 * and open the template in the editor.
 */
package co.com.claro.security;

import java.util.HashMap;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import weblogic.management.security.ProviderMBean;
import weblogic.security.provider.PrincipalValidatorImpl;
import weblogic.security.spi.AuthenticationProviderV2;
import weblogic.security.spi.IdentityAsserterV2;
import weblogic.security.spi.PrincipalValidator;
import weblogic.security.spi.SecurityServices;
import weblogic.security.principal.WLSGroupImpl;
import weblogic.security.principal.WLSUserImpl;

public final class AS400Realm implements AuthenticationProviderV2 {

    private String description;
    // private SimpleSampleAuthenticatorDatabase database;
    private LoginModuleControlFlag controlFlag;
    // public String PARAM_JAAS_CONTEXT = "jaas-context";
    // public String PARAM_DATASOURCE_NAME = "jdbc/Oracle";
    // public String DEFAULT_GROUP_NAME = "default";

    // Called once by the security framework with the MBean generated from the MBean definition file
    public void initialize(ProviderMBean mbean, SecurityServices services) {
        System.out.println("AS400Realm.initialize");
        AS400RealmMBean myMBean = (AS400RealmMBean) mbean;
        description = myMBean.getDescription() + "\n" + myMBean.getVersion();
        // database = new SimpleSampleAuthenticatorDatabase(myMBean);
        // Map the control flag configured in config.xml (OPTIONAL here) onto the JAAS enum
        String flag = myMBean.getControlFlag();
        if (flag.equalsIgnoreCase("REQUIRED")) {
            controlFlag = LoginModuleControlFlag.REQUIRED;
        } else if (flag.equalsIgnoreCase("OPTIONAL")) {
            controlFlag = LoginModuleControlFlag.OPTIONAL;
        } else if (flag.equalsIgnoreCase("REQUISITE")) {
            controlFlag = LoginModuleControlFlag.REQUISITE;
        } else if (flag.equalsIgnoreCase("SUFFICIENT")) {
            controlFlag = LoginModuleControlFlag.SUFFICIENT;
        } else {
            throw new IllegalArgumentException("invalid flag value: " + flag);
        }
    }

    public String getDescription() {
        return description;
    }

    public void shutdown() {
        System.out.println("AS400Realm.shutdown");
    }

    // Both JAAS configurations point at AS400LoginModule; only the options differ
    private AppConfigurationEntry getConfiguration(HashMap options) {
        options.put("PARAM_DATASOURCE_NAME", "jdbc/Oracle");
        return new AppConfigurationEntry(
                "co.com.claro.security.AS400LoginModule",
                controlFlag,
                options);
    }

    public AppConfigurationEntry getLoginModuleConfiguration() {
        HashMap options = new HashMap();
        return getConfiguration(options);
    }

    public AppConfigurationEntry getAssertionModuleConfiguration() {
        HashMap options = new HashMap();
        options.put("IdentityAssertion", "true");
        return getConfiguration(options);
    }

    public PrincipalValidator getPrincipalValidator() {
        return new PrincipalValidatorImpl();
    }

    // No identity asserter: this provider only handles username/password logins
    public IdentityAsserterV2 getIdentityAsserter() {
        return null;
    }
}
AS400LoginModule.java :
/*
 * To change this template, choose Tools | Templates
 * and open the template in the editor.
 */
package co.com.claro.security;

import com.ibm.as400.access.AS400;
import java.io.IOException;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Enumeration;
import java.util.Map;
import java.util.Vector;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.spi.LoginModule;
import javax.sql.DataSource;
import weblogic.security.spi.WLSGroup;
import weblogic.security.spi.WLSUser;
import weblogic.security.principal.WLSGroupImpl;
import weblogic.security.principal.WLSUserImpl;

/**
 * @author dmunoz
 */
final public class AS400LoginModule implements LoginModule {

    private Subject subject;
    private CallbackHandler callbackHandler;
    private String PARAM_DATASOURCE_NAME = "jdbc/Oracle";
    private String DEFAULT_GROUP_NAME = "default";
    // Determine whether this is a login or assert identity
    private boolean isIdentityAssertion;
    // Authentication status
    private boolean loginSucceeded;
    private boolean principalsInSubject;
    private Vector principalsForSubject = new Vector();

    public void initialize(Subject subject, CallbackHandler callbackHandler, Map sharedState, Map options) {
        // only called (once!) after the constructor and before login
        System.out.println("SimpleSampleLoginModuleImpl.initialize");
        this.subject = subject;
        this.callbackHandler = callbackHandler;
        // Check for Identity Assertion option
        isIdentityAssertion =
                "true".equalsIgnoreCase((String) options.get("IdentityAssertion"));
    }

    // Validate the username/password against the AS/400 host with JTOpen's sign-on check
    private boolean authenticateAS400(String user, String passwd) throws Exception {
        String host = "172.31.2.80"; // Config.getProperty(Config.AS400_AUTHENTICATION_HOST);
        AS400 as400System = new AS400(host, user, passwd);
        return as400System.validateSignon();
    }

    public boolean login() throws LoginException {
        // only called (once!) after initialize
        System.out.println("SimpleSampleLoginModuleImpl.login");
        // loginSucceeded should be false
        // principalsInSubject should be false
        Callback[] callbacks = getCallbacks();
        String userName = getUserName(callbacks);
        if (userName.length() > 0) {
            if (!isIdentityAssertion) {
                String passwordHave = getPasswordHave(userName, callbacks);
                try {
                    loginSucceeded = authenticateAS400(userName, passwordHave);
                } catch (Exception e) {
                    Logger.getLogger(AS400LoginModule.class.getName()).log(Level.WARNING, null, e);
                    throw new LoginException(e.getMessage());
                }
            }
            // identity assertion: no password is available; loginSucceeded stays false
            // because AS400Realm.getIdentityAsserter() returns null and this path is unused
        } else {
            // anonymous login - let it through?
            System.out.println("\tempty userName");
        }
        if (loginSucceeded) {
            principalsForSubject.add(new WLSUserImpl(userName));
            addGroupsForSubject(userName);
        }
        return loginSucceeded;
    }

    public boolean commit() throws LoginException {
        // only called (once!) after login
        // loginSucceeded should be true or false
        // principalsInSubject should be false
        // user should be null if !loginSucceeded, null or not-null otherwise
        // group should be null if user == null, null or not-null otherwise
        System.out.println("SimpleSampleLoginModule.commit");
        if (loginSucceeded) {
            subject.getPrincipals().addAll(principalsForSubject);
            principalsInSubject = true;
            return true;
        } else {
            return false;
        }
    }

    public boolean abort() throws LoginException {
        // The abort method is called to abort the authentication process. This is
        // phase 2 of authentication when phase 1 fails. It is called if the
        // LoginContext's overall authentication failed.
        // loginSucceeded should be true or false
        // user should be null if !loginSucceeded, otherwise null or not-null
        // group should be null if user == null, otherwise null or not-null
        // principalsInSubject should be false if user is null, otherwise true
        // or false
        System.out.println("SimpleSampleLoginModule.abort");
        if (principalsInSubject) {
            subject.getPrincipals().removeAll(principalsForSubject);
            principalsInSubject = false;
        }
        return true;
    }

    public boolean logout() throws LoginException {
        // should never be called
        System.out.println("SimpleSampleLoginModule.logout");
        return true;
    }

    private void throwLoginException(String msg) throws LoginException {
        System.out.println("Throwing LoginException(" + msg + ")");
        throw new LoginException(msg);
    }

    private void throwFailedLoginException(String msg) throws FailedLoginException {
        System.out.println("Throwing FailedLoginException(" + msg + ")");
        throw new FailedLoginException(msg);
    }

    // A login needs name and password; an identity assertion only the name
    private Callback[] getCallbacks() throws LoginException {
        if (callbackHandler == null) {
            throwLoginException("No CallbackHandler Specified");
        }
        Callback[] callbacks;
        if (isIdentityAssertion) {
            callbacks = new Callback[1];
        } else {
            callbacks = new Callback[2];
            callbacks[1] = new PasswordCallback("password: ", false);
        }
        callbacks[0] = new NameCallback("username: ");
        try {
            callbackHandler.handle(callbacks);
        } catch (IOException e) {
            throw new LoginException(e.toString());
        } catch (UnsupportedCallbackException e) {
            throwLoginException(e.toString() + " " + e.getCallback().toString());
        }
        return callbacks;
    }

    private String getUserName(Callback[] callbacks) throws LoginException {
        String userName = ((NameCallback) callbacks[0]).getName();
        if (userName == null) {
            throwLoginException("Username not supplied.");
        }
        System.out.println("\tuserName\t= " + userName);
        return userName;
    }

    private void addGroupsForSubject(String userName) {
        try {
            for (Enumeration e = getGroupNamesAS400(userName); e.hasMoreElements();) {
                String groupName = (String) e.nextElement();
                System.out.println("\tgroupName\t= " + groupName);
                principalsForSubject.add(new WLSGroupImpl(groupName));
            }
        } catch (Exception ex) {
            Logger.getLogger(AS400LoginModule.class.getName()).log(Level.SEVERE, null, ex);
        }
    }

    // Group membership comes from an Oracle table reached through the JNDI data source;
    // every user is also placed in DEFAULT_GROUP_NAME
    public Enumeration getGroupNamesAS400(String usuario) throws Exception {
        if (usuario == null) {
            throw new Exception("Usuario no puede ser vacio");
        }
        Vector<String> grupos = new Vector<String>();
        grupos.add(DEFAULT_GROUP_NAME);
        Connection conn = null;
        ResultSet rs = null;
        PreparedStatement statement = null;
        try {
            Context c = new InitialContext();
            DataSource dst = (DataSource) c.lookup(PARAM_DATASOURCE_NAME);
            conn = dst.getConnection();
            String query = "SELECT COD_ROL AS ROL " +
                    "FROM gestionnew.us_rol_perfil " +
                    "JOIN gestionnew.usuarios " +
                    "ON us_rol_perfil.id_perfil = usuarios.id_perfil " +
                    "WHERE upper(usuarios.usuariorr) = ?";
            statement = conn.prepareStatement(query);
            statement.setString(1, usuario.toUpperCase());
            rs = statement.executeQuery();
            while (rs.next()) {
                grupos.add(rs.getString("ROL"));
            }
        } catch (SQLException ex) {
            Logger.getLogger(AS400LoginModule.class.getName()).log(Level.SEVERE, null, ex);
        } catch (NamingException ex) {
            Logger.getLogger(AS400LoginModule.class.getName()).log(Level.SEVERE, null, ex);
        } finally {
            // release in reverse order of acquisition: result set, statement, connection
            if (rs != null) {
                try {
                    rs.close();
                } catch (SQLException ex) {
                    Logger.getLogger(AS400LoginModule.class.getName()).log(Level.SEVERE, null, ex);
                }
            }
            if (statement != null) {
                try {
                    statement.close();
                } catch (SQLException ex) {
                    Logger.getLogger(AS400LoginModule.class.getName()).log(Level.SEVERE, null, ex);
                }
            }
            if (conn != null) {
                try {
                    conn.close();
                } catch (SQLException ex) {
                    Logger.getLogger(AS400LoginModule.class.getName()).log(Level.SEVERE, null, ex);
                }
            }
        }
        return grupos.elements();
    }

    private String getPasswordHave(String userName, Callback[] callbacks) throws LoginException {
        PasswordCallback passwordCallback = (PasswordCallback) callbacks[1];
        char[] password = passwordCallback.getPassword();
        passwordCallback.clearPassword();
        if (password == null || password.length < 1) {
            throwLoginException("Authentication Failed: User " + userName +
                    ". Password not supplied");
        }
        // the password itself is never written to the log
        return new String(password);
    }
}
thanks
<node-manager-username>weblogic</node-manager-username>
<node-manager-password-encrypted>{AES}4jkSbv5dMOl6cRpRa4QwB83XVavtq168cV4L+NSFDcI=</node-manager-password-encrypted>
<cross-domain-security-enabled>true</cross-domain-security-enabled>
</security-configuration>
<server>
<name>AdminServer</name>
<listen-address>localhost</listen-address>
<staging-mode>nostage</staging-mode>
</server>
<embedded-ldap>
<name>base_domain</name>
<credential-encrypted>{AES}9YeG1UFRNQzM0v6/j8cFvT9x9fkJUl1FJOWGInl5dax26FgMNEVwKNxOBHvW2opm</credential-encrypted>
</embedded-ldap>
<configuration-version>12.1.1.0</configuration-version>
This is the MBean definition file (A400Realmmbean.xml):
<?xml version="1.0" ?>
<!DOCTYPE MBeanType SYSTEM "commo.dtd">
<MBeanType Name = "AS400Realm" DisplayName = "AS400Realm"
    Package = "co.com.claro.security"
    Extends = "weblogic.management.security.authentication.Authenticator"
    PersistPolicy = "OnUpdate"
>
    <!-- The element name is MBeanAttribute (the original read MbeanAttribute, which commo.dtd
         does not define and which would leave ProviderClassName undefined). String defaults are
         written as &quot;-quoted literals, and the class name must carry the package the runtime
         class below is declared in (co.com.claro.security). -->
    <MBeanAttribute Name = "ProviderClassName" Type = "java.lang.String"
        Writeable = "false"
        Default = "&quot;co.com.claro.security.AS400Realm&quot;"
    />
    <MBeanAttribute Name = "Description" Type = "java.lang.String"
        Writeable = "false" Default = "&quot;My Identity Assertion Provider&quot;"
    />
    <MBeanAttribute Name = "Version" Type = "java.lang.String"
        Writeable = "false" Default = "&quot;1.0&quot;"
    />
</MBeanType>
and the runtime class:
AS400Realm.java:
/*
 * To change this template, choose Tools | Templates
 * and open the template in the editor.
 */
package co.com.claro.security;

import java.util.HashMap;
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import weblogic.management.security.ProviderMBean;
import weblogic.security.provider.PrincipalValidatorImpl;
import weblogic.security.spi.AuthenticationProviderV2;
import weblogic.security.spi.IdentityAsserterV2;
import weblogic.security.spi.PrincipalValidator;
import weblogic.security.spi.SecurityServices;

/**
 * Custom WebLogic authentication provider backed by AS400LoginModule.
 * AS400RealmMBean is the interface MBeanMaker generates from the MDF file above.
 */
public final class AS400Realm implements AuthenticationProviderV2 {

    private String description;
    // private SimpleSampleAuthenticatorDatabase database;
    private LoginModuleControlFlag controlFlag;
    // public String PARAM_JAAS_CONTEXT = "jaas-context";
    // public String PARAM_DATASOURCE_NAME = "jdbc/Oracle";
    // public String DEFAULT_GROUP_NAME = "default";

    public void initialize(ProviderMBean mbean, SecurityServices services) {
        System.out.println("AS400Realm.initialize");
        AS400RealmMBean myMBean = (AS400RealmMBean) mbean;
        description = myMBean.getDescription() + "\n" + myMBean.getVersion();
        // database = new SimpleSampleAuthenticatorDatabase(myMBean);
        // Map the control flag configured in the realm onto the JAAS flag
        String flag = myMBean.getControlFlag();
        if (flag.equalsIgnoreCase("REQUIRED")) {
            controlFlag = LoginModuleControlFlag.REQUIRED;
        } else if (flag.equalsIgnoreCase("OPTIONAL")) {
            controlFlag = LoginModuleControlFlag.OPTIONAL;
        } else if (flag.equalsIgnoreCase("REQUISITE")) {
            controlFlag = LoginModuleControlFlag.REQUISITE;
        } else if (flag.equalsIgnoreCase("SUFFICIENT")) {
            controlFlag = LoginModuleControlFlag.SUFFICIENT;
        } else {
            throw new IllegalArgumentException("invalid flag value " + flag);
        }
    }

    public String getDescription() {
        return description;
    }

    public void shutdown() {
        System.out.println("AS400Realm.shutdown");
    }

    private AppConfigurationEntry getConfiguration(Map<String, Object> options) {
        options.put("PARAM_DATASOURCE_NAME", "jdbc/Oracle");
        return new AppConfigurationEntry(
                "co.com.claro.security.AS400LoginModule",
                controlFlag,
                options);
    }

    public AppConfigurationEntry getLoginModuleConfiguration() {
        Map<String, Object> options = new HashMap<String, Object>();
        return getConfiguration(options);
    }

    public AppConfigurationEntry getAssertionModuleConfiguration() {
        Map<String, Object> options = new HashMap<String, Object>();
        // Tells the login module it is running after an identity asserter, so no password callback is issued
        options.put("IdentityAssertion", "true");
        return getConfiguration(options);
    }

    public PrincipalValidator getPrincipalValidator() {
        return new PrincipalValidatorImpl();
    }

    public IdentityAsserterV2 getIdentityAsserter() {
        // This provider only authenticates; it asserts no token types of its own
        return null;
    }
}
AS400LoginModule.java:
/*
 * To change this template, choose Tools | Templates
 * and open the template in the editor.
 */
package co.com.claro.security;

import com.ibm.as400.access.AS400;
import java.io.IOException;
import java.security.Principal;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.Map;
import java.util.Vector;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import javax.sql.DataSource;
import weblogic.security.principal.WLSGroupImpl;
import weblogic.security.principal.WLSUserImpl;

/**
 * JAAS LoginModule used by AS400Realm: validates the user name and password against
 * an AS400 host, then loads the user's groups from an Oracle data source.
 *
 * @author dmunoz
 */
final public class AS400LoginModule implements LoginModule {

    private Subject subject;
    private CallbackHandler callbackHandler;
    private String PARAM_DATASOURCE_NAME = "jdbc/Oracle";
    private String DEFAULT_GROUP_NAME = "default";
    // Determine whether this is a login or assert identity
    private boolean isIdentityAssertion;
    // Authentication status
    private boolean loginSucceeded;
    private boolean principalsInSubject;
    private Vector<Principal> principalsForSubject = new Vector<Principal>();

    public void initialize(Subject subject, CallbackHandler callbackHandler, Map sharedState, Map options) {
        // only called (once!) after the constructor and before login
        System.out.println("SimpleSampleLoginModuleImpl.initialize");
        this.subject = subject;
        this.callbackHandler = callbackHandler;
        // Check for Identity Assertion option
        isIdentityAssertion =
                "true".equalsIgnoreCase((String) options.get("IdentityAssertion"));
    }

    private boolean authenticateAS400(String user, String passwd) throws Exception {
        // The host is hard-coded; the commented-out Config lookup was the intended source
        String host = "172.31.2.80"; // Config.getProperty(Config.AS400_AUTHENTICATION_HOST);
        AS400 as400System = new AS400(host, user, passwd);
        try {
            // validateSignon() checks the credentials against the host without keeping a session
            return as400System.validateSignon();
        } finally {
            as400System.disconnectAllServices();
        }
    }

    public boolean login() throws LoginException {
        // only called (once!) after initialize
        System.out.println("SimpleSampleLoginModuleImpl.login");
        // loginSucceeded should be false
        // principalsInSubject should be false
        Callback[] callbacks = getCallbacks();
        String userName = getUserName(callbacks);
        if (userName.length() > 0) {
            if (!isIdentityAssertion) {
                String passwordHave = getPasswordHave(userName, callbacks);
                try {
                    loginSucceeded = authenticateAS400(userName, passwordHave);
                } catch (Exception e) {
                    Logger.getLogger(AS400LoginModule.class.getName()).log(Level.WARNING, null, e);
                    throw new LoginException(e.getMessage());
                }
                // A wrong password must be reported as a failure: returning false from login()
                // tells the LoginContext to ignore this module rather than to reject the user
                if (!loginSucceeded) {
                    throwFailedLoginException("Authentication Failed: User " + userName + " bad password");
                }
            }
            // In identity-assertion mode there is no password to check and no user-existence
            // lookup is wired up (the database field is commented out in AS400Realm), so
            // loginSucceeded stays false on that path
        } else {
            // anonymous login - let it through?
            System.out.println("\tempty userName");
        }
        if (loginSucceeded) {
            principalsForSubject.add(new WLSUserImpl(userName));
            addGroupsForSubject(userName);
        }
        return loginSucceeded;
    }

    public boolean commit() throws LoginException {
        // only called (once!) after login
        // loginSucceeded should be true or false
        // principalsInSubject should be false
        // user should be null if !loginSucceeded, null or not-null otherwise
        // group should be null if user == null, null or not-null otherwise
        System.out.println("SimpleSampleLoginModule.commit");
        if (loginSucceeded) {
            subject.getPrincipals().addAll(principalsForSubject);
            principalsInSubject = true;
            return true;
        } else {
            return false;
        }
    }

    public boolean abort() throws LoginException {
        // The abort method is called to abort the authentication process. This is
        // phase 2 of authentication when phase 1 fails. It is called if the
        // LoginContext's overall authentication failed.
        // loginSucceeded should be true or false
        // user should be null if !loginSucceeded, otherwise null or not-null
        // group should be null if user == null, otherwise null or not-null
        // principalsInSubject should be false if user is null, otherwise true
        // or false
        System.out.println("SimpleSampleLoginModule.abort");
        if (principalsInSubject) {
            subject.getPrincipals().removeAll(principalsForSubject);
            principalsInSubject = false;
        }
        return true;
    }

    public boolean logout() throws LoginException {
        // should never be called
        System.out.println("SimpleSampleLoginModule.logout");
        return true;
    }

    private void throwLoginException(String msg) throws LoginException {
        System.out.println("Throwing LoginException(" + msg + ")");
        throw new LoginException(msg);
    }

    private void throwFailedLoginException(String msg) throws FailedLoginException {
        System.out.println("Throwing FailedLoginException(" + msg + ")");
        throw new FailedLoginException(msg);
    }

    private Callback[] getCallbacks() throws LoginException {
        if (callbackHandler == null) {
            throwLoginException("No CallbackHandler Specified");
        }
        Callback[] callbacks;
        if (isIdentityAssertion) {
            // Only the user name is available after an identity assertion
            callbacks = new Callback[1];
        } else {
            callbacks = new Callback[2];
            callbacks[1] = new PasswordCallback("password: ", false);
        }
        callbacks[0] = new NameCallback("username: ");
        try {
            callbackHandler.handle(callbacks);
        } catch (IOException e) {
            throw new LoginException(e.toString());
        } catch (UnsupportedCallbackException e) {
            throwLoginException(e.toString() + " " + e.getCallback().toString());
        }
        return callbacks;
    }

    private String getUserName(Callback[] callbacks) throws LoginException {
        String userName = ((NameCallback) callbacks[0]).getName();
        if (userName == null) {
            throwLoginException("Username not supplied.");
        }
        System.out.println("\tuserName\t= " + userName);
        return userName;
    }

    private void addGroupsForSubject(String userName) {
        try {
            for (Enumeration<String> e = getGroupNamesAS400(userName); e.hasMoreElements();) {
                String groupName = e.nextElement();
                System.out.println("\tgroupName\t= " + groupName);
                principalsForSubject.add(new WLSGroupImpl(groupName));
            }
        } catch (Exception ex) {
            Logger.getLogger(AS400LoginModule.class.getName()).log(Level.SEVERE, null, ex);
        }
    }

    public Enumeration<String> getGroupNamesAS400(String usuario) throws Exception {
        if (usuario == null) {
            throw new Exception("Usuario no puede ser vacio");
        }
        Vector<String> grupos = new Vector<String>();
        grupos.add(DEFAULT_GROUP_NAME);
        Connection conn = null;
        ResultSet rs = null;
        PreparedStatement statement = null;
        try {
            Context c = new InitialContext();
            DataSource dst = (DataSource) c.lookup(PARAM_DATASOURCE_NAME);
            conn = dst.getConnection();
            // The user name is bound as a parameter, never concatenated into the SQL text
            String query = "SELECT COD_ROL AS ROL " +
                    "FROM gestionnew.us_rol_perfil " +
                    "JOIN gestionnew.usuarios " +
                    "ON us_rol_perfil.id_perfil = usuarios.id_perfil " +
                    "WHERE upper(usuarios.usuariorr) = ?";
            statement = conn.prepareStatement(query);
            statement.setString(1, usuario.toUpperCase());
            rs = statement.executeQuery();
            while (rs.next()) {
                grupos.add(rs.getString("ROL"));
            }
        } catch (SQLException ex) {
            Logger.getLogger(AS400LoginModule.class.getName()).log(Level.SEVERE, null, ex);
        } catch (NamingException ex) {
            Logger.getLogger(AS400LoginModule.class.getName()).log(Level.SEVERE, null, ex);
        } finally {
            // Release in reverse order of acquisition: result set, statement, connection
            if (rs != null) {
                try {
                    rs.close();
                } catch (SQLException ex) {
                    Logger.getLogger(AS400LoginModule.class.getName()).log(Level.SEVERE, null, ex);
                }
            }
            if (statement != null) {
                try {
                    statement.close();
                } catch (SQLException ex) {
                    Logger.getLogger(AS400LoginModule.class.getName()).log(Level.SEVERE, null, ex);
                }
            }
            if (conn != null) {
                try {
                    conn.close();
                } catch (SQLException ex) {
                    Logger.getLogger(AS400LoginModule.class.getName()).log(Level.SEVERE, null, ex);
                }
            }
        }
        return grupos.elements();
    }

    private String getPasswordHave(String userName, Callback[] callbacks) throws LoginException {
        PasswordCallback passwordCallback = (PasswordCallback) callbacks[1];
        char[] password = passwordCallback.getPassword();
        passwordCallback.clearPassword();
        if (password == null || password.length < 1) {
            throwLoginException("Authentication Failed: User " + userName +
                    ". Password not supplied");
        }
        String passwd = new String(password);
        // Wipe the local copy. The original printed the password to stdout at this point,
        // which writes clear-text credentials into the server log, so that line is removed.
        Arrays.fill(password, '\0');
        return passwd;
    }
}
thanks -
Today I plugged in my Seagate 1TB hard drive and every time I want to move my files to the hard drive, or within the hard drive itself, I have to give my admin password. The pop-up box says: Finder asks for permission, click on Identity control. I never had this before. This happened today. The settings are set to System - Read and Write, Users - Read and Write, and Everyone - Read.
This is very confusing. I can still copy and move files, but I have to give my password every single time.
Thank you so much!
Thanks a lot! I have already downloaded Paragon Driver and it works well with the Seagate external hard drive. I am copying my important files from my Mac to it as of now. However, I only have the trial version, which will expire in 10 days. I don't have a credit card to buy it.
-
Hello,
I have a problem while using two identity asserters with two different tokens.
My problem is:
I have two specific identity asserters I developed.
They are both in REQUIRED mode.
Identity Asserter one (tokenOne)
Identity Asserter two (tokenTwo)
I would like to fire the two asserters when the two tokens are in the request.
When the two tokens are in the request, I would like to have the name contained in token two in the name of the request's principal.
Currently, only the first asserter is fired and the name I find in the request is the one contained in tokenOne.
Thank you for your answers.
(Excuse me for my weak English)
Edited by: user5451975 on 21 janv. 2010 04:51
Yes, but if I return null in the method getAssertionModuleConfiguration, I get an error returned by WebLogic:
javax.security.auth.login.LoginException: [Security:090300]Identity Assertion
####<27 janv. 2010 16 h 29 CET> <Debug> <SecurityDebug> <A82S002292> <myserver> <ExecuteThread: '13' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> <PrincipalAuthenticator.assertIdentity - Token Type: ICTicket>
####<27 janv. 2010 16 h 29 CET> <Debug> <SecurityDebug> <A82S002292> <myserver> <ExecuteThread: '13' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> <LDAP ATN LoginModule initialized>
####<27 janv. 2010 16 h 29 CET> <Debug> <SecurityDebug> <A82S002292> <myserver> <ExecuteThread: '13' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> <LDAP Atn Login>
####<27 janv. 2010 16 h 29 CET> <Debug> <SecurityDebug> <A82S002292> <myserver> <ExecuteThread: '13' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> <LDAP Atn Login username: test11>
####<27 janv. 2010 16 h 29 CET> <Debug> <SecurityDebug> <A82S002292> <myserver> <ExecuteThread: '13' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> <userExists? user:test11>
####<27 janv. 2010 16 h 29 CET> <Debug> <SecurityDebug> <A82S002292> <myserver> <ExecuteThread: '13' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> <getConnection return conn:LDAPConnection { ldapVersion:2 bindDN:""}>
####<27 janv. 2010 16 h 29 CET> <Debug> <SecurityDebug> <A82S002292> <myserver> <ExecuteThread: '13' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> <getDNForUser search("ou=people,ou=myrealm,dc=devdomain", "(&(uid=test11)(objectclass=person))", base DN & below)>
####<27 janv. 2010 16 h 29 CET> <Debug> <SecurityDebug> <A82S002292> <myserver> <ExecuteThread: '13' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> <DN for user test11: uid=test11,ou=people,ou=myrealm,dc=devdomain>
####<27 janv. 2010 16 h 29 CET> <Debug> <SecurityDebug> <A82S002292> <myserver> <ExecuteThread: '13' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> <user exists, user:test11>
####<27 janv. 2010 16 h 29 CET> <Debug> <SecurityDebug> <A82S002292> <myserver> <ExecuteThread: '13' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> <returnConnection conn:LDAPConnection { ldapVersion:2 bindDN:""}>
####<27 janv. 2010 16 h 29 CET> <Debug> <SecurityDebug> <A82S002292> <myserver> <ExecuteThread: '13' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> <LDAP Atn Asserted Identity for test11>
####<27 janv. 2010 16 h 29 CET> <Debug> <SecurityDebug> <A82S002292> <myserver> <ExecuteThread: '13' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> <List groups that member: test11 belongs to>
####<27 janv. 2010 16 h 29 CET> <Debug> <SecurityDebug> <A82S002292> <myserver> <ExecuteThread: '13' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> <getConnection return conn:LDAPConnection { ldapVersion:2 bindDN:""}>
####<27 janv. 2010 16 h 29 CET> <Debug> <SecurityDebug> <A82S002292> <myserver> <ExecuteThread: '13' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> <getDNForUser search("ou=people,ou=myrealm,dc=devdomain", "(&(uid=test11)(objectclass=person))", base DN & below)>
####<27 janv. 2010 16 h 29 CET> <Debug> <SecurityDebug> <A82S002292> <myserver> <ExecuteThread: '13' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> <DN for user test11: uid=test11,ou=people,ou=myrealm,dc=devdomain>
####<27 janv. 2010 16 h 29 CET> <Debug> <SecurityDebug> <A82S002292> <myserver> <ExecuteThread: '13' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> <search("ou=groups,ou=myrealm,dc=devdomain", "(&(uniquemember=uid=test11,ou=people,ou=myrealm,dc=devdomain)(objectclass=groupOfUniqueNames))", base DN & below)>
####<27 janv. 2010 16 h 29 CET> <Debug> <SecurityDebug> <A82S002292> <myserver> <ExecuteThread: '13' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> <Result has more elements: false>
####<27 janv. 2010 16 h 29 CET> <Debug> <SecurityDebug> <A82S002292> <myserver> <ExecuteThread: '13' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> <returnConnection conn:LDAPConnection { ldapVersion:2 bindDN:""}>
####<27 janv. 2010 16 h 29 CET> <Debug> <SecurityDebug> <A82S002292> <myserver> <ExecuteThread: '13' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> <login succeeded for username test11>
####<27 janv. 2010 16 h 29 CET> <Debug> <SecurityDebug> <A82S002292> <myserver> <ExecuteThread: '13' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> <LDAP Atn Commit>
####<27 janv. 2010 16 h 29 CET> <Debug> <SecurityDebug> <A82S002292> <myserver> <ExecuteThread: '13' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> <LDAP Atn Principals Added>
####<27 janv. 2010 16 h 29 CET> <Debug> <SecurityDebug> <A82S002292> <myserver> <ExecuteThread: '13' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> <Signed WLS principal test11>
####<27 janv. 2010 16 h 29 CET> <Debug> <SecurityDebug> <A82S002292> <myserver> <ExecuteThread: '13' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> <PrincipalAuthenticator.validateIdentity>
####<27 janv. 2010 16 h 29 CET> <Debug> <SecurityDebug> <A82S002292> <myserver> <ExecuteThread: '13' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> <Validate WLS principal test11 returns true>
####<27 janv. 2010 16 h 29 CET> <Debug> <SecurityDebug> <A82S002292> <myserver> <ExecuteThread: '13' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> <RoleManager.getRoles subject: Subject: 1
Principal = class weblogic.security.principal.WLSUserImpl("test11")
Resource: type=<url>, application=Cherika, contextPath=/remoting, uri=/remoteService.do, httpMethod=POST>
####<27 janv. 2010 16 h 29 CET> <Debug> <SecurityDebug> <A82S002292> <myserver> <ExecuteThread: '13' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> <Default RoleMapper getRoles(): input arguments:
Subject: 1
Principal = class weblogic.security.principal.WLSUserImpl("test11")
Resource: type=<url>, application=Cherika, contextPath=/remoting, uri=/remoteService.do, httpMethod=POST>
####<27 janv. 2010 16 h 29 CET> <Debug> <SecurityDebug> <A82S002292> <myserver> <ExecuteThread: '13' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> <Default RoleMapper getRoles(): returning roles: Anonymous>
####<27 janv. 2010 16 h 29 CET> <Debug> <SecurityDebug> <A82S002292> <myserver> <ExecuteThread: '13' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> <RoleManager.getRoles Subject: Subject: 1
Principal = class weblogic.security.principal.WLSUserImpl("test11")
Resource: <url> type=<url>, application=Cherika, contextPath=/remoting, uri=/remoteService.do, httpMethod=POST Anonymous roles.>
####<27 janv. 2010 16 h 29 CET> <Debug> <SecurityDebug> <A82S002292> <myserver> <ExecuteThread: '13' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> <Default Authorization isAccessAllowed(): input arguments:>
####<27 janv. 2010 16 h 29 CET> <Debug> <SecurityDebug> <A82S002292> <myserver> <ExecuteThread: '13' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> < Subject: 1
Principal = class weblogic.security.principal.WLSUserImpl("test11")
>
####<27 janv. 2010 16 h 29 CET> <Debug> <SecurityDebug> <A82S002292> <myserver> <ExecuteThread: '13' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> < Roles:Anonymous>
####<27 janv. 2010 16 h 29 CET> <Debug> <SecurityDebug> <A82S002292> <myserver> <ExecuteThread: '13' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> < Resource: type=<url>, application=Cherika, contextPath=/remoting, uri=/remoteService.do, httpMethod=POST>
####<27 janv. 2010 16 h 29 CET> <Debug> <SecurityDebug> <A82S002292> <myserver> <ExecuteThread: '13' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> < Direction: ONCE>
####<27 janv. 2010 16 h 29 CET> <Debug> <SecurityDebug> <A82S002292> <myserver> <ExecuteThread: '13' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> < Context Handler: >
####<27 janv. 2010 16 h 29 CET> <Debug> <SecurityDebug> <A82S002292> <myserver> <ExecuteThread: '13' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> < non-null>
####<27 janv. 2010 16 h 29 CET> <Debug> <SecurityDebug> <A82S002292> <myserver> <ExecuteThread: '13' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> <Default Authorization isAccessAllowed(): returning DENY>
####<27 janv. 2010 16 h 29 CET> <Debug> <SecurityDebug> <A82S002292> <myserver> <ExecuteThread: '13' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> <DefaultAdjudicatorImpl.adjudicate results: DENY >
####<27 janv. 2010 16 h 29 CET> <Debug> <SecurityDebug> <A82S002292> <myserver> <ExecuteThread: '13' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> <AuthorizationManager.isAccessAllowed returning adjudicated: false>
Why does it try to authenticate the user via LDAP?
Edited by: user5451975 on 27 janv. 2010 07:34 -
What is the recommended way to access a database from an identity assertion provider?
For assert identity the caller should have admin privs. Depending on how the client obtains and communicates with the EJB, you have the option to set up a <run-as> tag and then map the role to an admin user via <run-as-role-assignment> using the deployment descriptors.
-Craig
"Claude" <[email protected]> wrote:
Thank you for your answer!
I had not thought of building a custom "UsernamePassword" authenticator and using the password as token. It seems to be a good, simple way of solving the problem.
The EJB that accepts a token as parameter is interesting as well (especially if there are performance issues). Are you sure that the class weblogic.security.services.Authentication is suitable to be called from an EJB?
Thanks, Claude
"Craig" <[email protected]> wrote:
I don't know of many uses outside of WebService or WebApp except when using 2-way SSL, where the client certificate can be used to assert identity.
You could write an EJB that accepted the token and then the EJB would programmatically call identity assertion. Or if you had a custom authenticator you could take the token as the "password".
http://edocs.bea.com/wls/docs81/javadocs/weblogic/security/services/Authentication.html
-Craig
"Claude" <[email protected]> wrote:
Hello
I'm wondering whether an Identity Assertion Provider can be used with a Java client or if they are only for Web clients (or Web services).
I'm also wondering how the client sends its token (through the credential set of the JAAS subject?).
Thanks
Claude -
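As an added example, not code from this thread, here is a stateless session bean along the lines Craig suggests: it accepts the token from a Java client, runs as a role that the WebLogic descriptor maps to an administrative principal, and calls weblogic.security.services.Authentication.assertIdentity. The package, class and role names, the token type "mytoken" and the placeholder principal are assumptions.

```java
package example.assertion; // hypothetical package name

import java.io.Serializable;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.ArrayList;
import java.util.List;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RunAs;
import javax.ejb.Stateless;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginException;
import weblogic.security.Security;
import weblogic.security.services.Authentication;
import weblogic.security.spi.WLSGroup;
import weblogic.security.spi.WLSUser;

/**
 * Hypothetical session bean that receives an opaque token from a Java client and
 * asserts the identity it carries on the client's behalf.
 *
 * assertIdentity is refused unless the current subject may assert identity in the
 * realm, so the bean runs as a role that the WebLogic descriptor maps to an
 * administrative principal. The descriptor form of the two annotations below:
 *
 *   ejb-jar.xml, inside the bean's <session> element:
 *     <security-identity>
 *       <run-as><role-name>TokenAsserter</role-name></run-as>
 *     </security-identity>
 *
 *   weblogic-ejb-jar.xml:
 *     <run-as-role-assignment>
 *       <role-name>TokenAsserter</role-name>
 *       <run-as-principal-name>ADMIN_USER_PLACEHOLDER</run-as-principal-name>
 *     </run-as-role-assignment>
 */
@Stateless
@DeclareRoles("TokenAsserter")
@RunAs("TokenAsserter")
public class TokenAssertionBean {

    /** Token type the custom identity asserter registers for (assumed value). */
    private static final String TOKEN_TYPE = "mytoken";

    /** User name plus group names extracted from the asserted Subject. */
    public static final class AssertedIdentity implements Serializable {
        public final String user;
        public final List<String> groups;

        AssertedIdentity(String user, List<String> groups) {
            this.user = user;
            this.groups = groups;
        }
    }

    /**
     * Runs the realm's identity asserters for TOKEN_TYPE and then the authenticators'
     * assertion login modules. A rejected token surfaces as a LoginException, so the
     * caller never receives a partially built identity.
     */
    public AssertedIdentity assertToken(byte[] token) throws LoginException {
        if (token == null || token.length == 0) {
            throw new LoginException("no token supplied");
        }
        Subject asserted = Authentication.assertIdentity(TOKEN_TYPE, token);

        String user = null;
        List<String> groups = new ArrayList<String>();
        for (Principal p : asserted.getPrincipals()) {
            if (p instanceof WLSUser) {
                user = p.getName();
            } else if (p instanceof WLSGroup) {
                groups.add(p.getName());
            }
        }
        if (user == null) {
            throw new LoginException("asserted subject carries no user principal");
        }
        return new AssertedIdentity(user, groups);
    }

    /**
     * Performs work as the asserted user instead of the run-as administrator, so
     * authorization checks inside the action are evaluated against the token's
     * identity rather than the bean's elevated one.
     */
    public Object runAsAsserted(byte[] token, PrivilegedAction<?> action) throws LoginException {
        Subject asserted = Authentication.assertIdentity(TOKEN_TYPE, token);
        return Security.runAs(asserted, action);
    }
}
```
-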
Creating a new request in a servlet and proxy it to the next service
Hello all.
My scenario is the following:
- I have a service that when I receive a message request from a user it creates another request and then I want to proxy this new request to the next service.
- Is this possible to do? I'm not talking about using the request.send() method since it tries to send the new request outside the OCMS, I was thinking more of the proxy.proxyTo() method...
Hi Lucas and thanks for the reply.
I think my problem is DNS related. I don't know why, but the following code stopped working properly when I installed a new OCMS instance with a different realm (I was using example.com and now I'm using the same domain as my company, novabase.pt). I put "172.18.88.21 novabase.pt" in the hosts.config file and the only thing that stopped working is the creation of new requests within the SipServlet.
The code:
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.sip.Address;
import javax.servlet.sip.SipApplicationSession;
import javax.servlet.sip.SipServletRequest;
import javax.servlet.sip.SipServletResponse;

// Imports and the handler method wrapper were added so the fragment reads in context; it sits
// inside the SipServlet subclass, and getSipFactory() and convertMobile2Address() are the
// poster's own helpers, which the post does not show.
protected void doMessage(SipServletRequest req) throws ServletException, IOException {
    SipApplicationSession applicationSession = req.getApplicationSession();
    Address to = req.getTo();
    Address from = getSipFactory().createAddress(convertMobile2Address(req.getFrom()));
    // Build a fresh MESSAGE request in the same application session
    SipServletRequest request = getSipFactory().createRequest(applicationSession, "MESSAGE", from, to);
    Object content = req.getContent();
    String contentType = req.getContentType();
    request.setContent(content, contentType);
    from.setDisplayName(req.getFrom().getDisplayName());
    // The asserted identity is set to the original To URI
    request.setHeader("P-Asserted-Identity", req.getTo().getURI().toString());
    System.out.println(request);
    request.send();
    SipServletResponse response = req.createResponse(200, "Enderecos trocados!");
    response.send();
}
-
When linking a BP and Customer, it complains about creating the customer
I am using transaction FLBPD2 to link an existing business partner to an existing FI customer using a business partner role.
It returns the error: Customer 0000200000 already exists
Message no. FLBP155
Diagnosis
You tried to create a business partner in a customer role. The system has been set up in Customizing in such a way that the number selected for the business partner is to be transferred to the customer.
Transaction FLBPD2 is used to link existing BPs to FI customers, not to create the FI customer! What is causing this?