Portal Security Context XI Propagation

Hi,
suppose a portal user has been authenticated using a certificate. Could this certificate be used by XI to authenticate the user against a system connected by ABAP Proxies or the RFC adapter?
Kind regards,
Heiko

Hi Heiko,
XI supports PP when using the following adapters:
the XI protocol (both for ABAP and Java proxies)
for the SOAP adapter
for the RFC adapter.
see note 974873
Best Regards,
Guza

Similar Messages

  • How to set portal security context for a procedure

    Hi, I have a procedure that needs to call some of the PDK APIs (WWSBR_API), but outside the scope of the web browser, i.e., automatically via a DBMS_JOB or queue. There is no HTML outputted, but rather a log entry made to a custom table.
    The schema that this custom pkg belongs to has all the necessary grants made to it from provsyns so that it should run.
    How do I programmatically set the context of the portal security so as to make the PDK APIs think it has been invoked by a Portal Administrator or a user with sufficient privs to perform the actions against the PDK and therefore not bomb out with security exceptions? I have seen this documented quite some time ago, but cannot find the details.
    Regards
    John

    You need to use the wwctx_api.set_context procedure.
    http://portalstudio.oracle.com/pls/ops/docs/FOLDER/COMMUNITY/PDK/plsql/doc/sdk11scp.htm

  • Question about security context in multithreading environment

    I have a need to make concurrent calls to multiple EJBs in parallel threads. Let's
    say I establish the security context once by creating an InitialContext with given
    security principal and credential. With the security context active, I spawn multiple
    threads from the current thread and in each of those threads I make a call to
    a secure EJB method, which my security principal is allowed to access. My question
    is, will the same security context be established in each of the spawned thread
    so that my EJB calls succeed? For various reasons it's not feasible to login in
    each of the spawned threads, only to login once from the main thread.
    I tried this with WebLogic 6.1sp3 and it seems to work as expected. However, I
    have not been able to find any documentation on how security contexts are propagated
    to spawned threads. All I could find was a statement that when an InitialContext
    is created, the corresponding security context becomes associated with the current
    thread.
    My concern is that even though it works in WebLogic 6.1, it may no longer work
    the same way in WebLogic 7.0 or later. And will it work when the JNDI login mechanism
    is replaced by JAAS? If any WebLogic/security guru out there could give me some
    info on how WebLogic security contexts work in a multithreaded environment, I
    would be much obliged.
    Thanks in advance!
    Minh-Tue Vo

    "Minh-Tue Vo" <[email protected]> wrote in message
    news:[email protected]..
    > My concern is that even though it works in WebLogic 6.1, it may no longer work
    > the same way in WebLogic 7.0 or later. And will it work when the JNDI login mechanism
    > is replaced by JAAS? If any WebLogic/security guru out there could give me some
    > info on how WebLogic security contexts work in a multithreaded environment, I
    > would be much obliged.

    With the JAAS model, you should be able to get a subject once and then do a
    runas in the spawned threads.

  • JSP/SERVLETS NOT UNDERSTANDING JAAS SECURITY CONTEXT

    Hi ,
    Instead of using the default form action "j_security_check" for form based authentication,
    I have a custom JAAS loginmodule which is a servlet that gets called when the
    user clicks on "OK" in the login form.
    Scenario1:
    I have a servlet(unprotected) which calls a EJB(which is protected).
    Depending on who has privileges to execute methods on the EJB bean , the authentication
    happens correctly..
    Scenario2:
    I have a PROTECTED servlet.
    When I execute the servlet in the browser , the login-form comes up .Once I click
    on OK,what is happening is I call my
    custom-loginmodule servlet which then calls the protected servlet.
    Now ..from the custom-loginmodule servlet when the request goes to the PROTECTED
    servlet ,the login-page again comes up...for some reason the servlets or JSPs'
    don't understand that the security context has already been created..
    But if the currently protected servlet is made unprotected and if it is made to
    call a protected EJB, the EJB bean gets the security context.
    I am thinking that security context is propagating but for some reason the JSP/servlet
    domain does not seem to get the already created security context.
    Another thing I noticed was with the default approach of using form-auth as "j_security_check"
    does not seem to work with URL rewriting.
    Any hints are greatly appreciated..
    Thanx,
    krish.
    Krishnan.Venkataraman
    Symphoni Interactive
    Technical Lead.
    [email protected]
    412 414 5385(mobile)
    412 446 2219(Work)
    1 800 439 7757 (# 2219) (Work)
    412 343 6549(Res)
    WEB:http://members.123india.com/krishnan

    hi,
    you may set a <servlet-mapping> in web.xml or you may use
    <form action="/servlet/HelloWorldExample" method=post>
    instead of
    <form action="/HelloWorldExample" method=post>
    the <servlet-mapping> should be:
    <web-app>
      <servlet>
        <servlet-name>HelloWorldExample</servlet-name>
        <!-- class name as used in the /servlet/HelloWorldExample URL above -->
        <servlet-class>HelloWorldExample</servlet-class>
      </servlet>
      <servlet-mapping>
        <servlet-name>HelloWorldExample</servlet-name>
        <url-pattern>/helloWorld.html</url-pattern>
      </servlet-mapping>
    </web-app>
    after you add the servlet-mapping, you can access the servlet with the url-pattern, that is:
    <form action="/helloWorld.html" method=post>
    The internal operation of the first and second methods is different, and you should use the second one (use servlet-mapping). The <url-pattern> can be used in many ways; if you want to learn more, see the servlet spec.

  • SSO with AD error:An error has occurred propagating the security context...

    Hi.
    On Windows 2003, I have installed BOXI Edge 3.1 with SAP Integration Kit. My primary and only use of the SAPIK will be for retrieving SAP data for BOXI reports. I DO NOT want to use SAP Authentication. For BOXI, I want to set up only AD Authentication, but because the web.xml files change with the installation of the SAPIK, I have not been successful at setting up AD Authentication. I have modified the web.xml files so that they look like the original web.xml files (without SAPIK).
    The AD groups are imported successfully into BOXI. The members of those groups are imported successfully, too. But when a user attempts to login, they get error: An error has occurred propagating the security context between the security server and the client.
    I have tried nearly everything to clear this error and there are no Kerberos errors in Wireshark logs on the BOXI server.
    Help!
    Thank you!
    Luis
    PS - I asked this question in the SAP Integration Kit forum, and they suggested I ask here, I guess because in the end it may have nothing to do with the SAPIK...

    Thanks, Tim, for your willingness to help.
    The problem is resolved.
    I noticed in the Local Security Policy that the right "Log on as a service" displayed only the service account user ID, without the domain identifier - where I expected it to show as "DOMAIN\svcaccount", it only showed "svaccount".
    I stopped the Tomcat and SIA services, I removed "svaccount" from the list in "Log on as a service", I reset the account information in the Tomcat and SIA services as "DOMAIN\svcaccount" and saw that change reflected in "Log on as a service" and now AD Authentication works beautifully.
    My guess is that it must have been using the local account and not the domain account for running the services.
    Next task: SSO...
    Wish me luck!
    Thanks!
    Luis

  • Security Context Propagation between Managed Servers

    I'm using WLS 8.1 SP2. I have one domain, two managed servers, each on a separate
    hardware server. Each managed server hosts a different web application. I want
    to authenticate to Web App "A" and be able to invoke Web App "B" (from "A") without
    having to re-authenticate. Is this possible via configuration and, if so, how?
    Thanks.

    Frank,
    You do not have to do anything to propagate identity between the two
    containers. As long as the user is authenticating first..
    There have been a number of issues with the propagation, so be sure to stay up
    on the service packs.
    HTH.
    Frank wrote:
    > How do you propagate security context information from Servlet to
    > EJBs? I have a web app that uses the container's FORM based authentication.
    > The servlet resource then calls a session EJB (w/ security constraints
    > setup). The webapp and the ejbs are bundled into one EAR.
    > Thanks!
    --
    Tom Mitchell
    [email protected]
    Very Current Stoneham, MA Weather
    http://www.tom.org

  • How to get Portal User Context  in Web Dynpro application

    I have successfully integrated a web dynpro app into SAP Netweaver Portal.
    Within my web dynpro app, how can I get portal user context information such as first name, last name, job title or some newly created ume attributes?
    Is there any programmatic approach to get the portal user context in my web dynpro? I am not sure whether I can use the following code in web dynpro:
    IUserContext userContext = request.getUser();
    String firstName = userContext.getFirstName();
    String lastName = userContext.getLastName();
    If yes, can someone point me the name of the jar file I have to import.
    Note : The SAP Netweaver installation that runs my web dynpro app is same with the SAP Portal.

    Hi ,
    you can use the below code to get User details and add com.sap.security_2.0.0 > lib > com.sap.security.api.jar
    try {
        // Current Web Dynpro client user
        IWDClientUser clientUser = WDClientUser.getCurrentUser();
        String firstName = clientUser.getFirstName();
        String lastname = clientUser.getLastName();
    } catch (WDUMException e) {
        wdComponentAPI.getMessageManager().reportException("Error Retrieving User" + e.toString(), true);
    }
    Regards,
    Sunitha Hari

  • How to share security context between different application ?

    Hi all,
    I have two applications(ADF faces + BC, JDev 10.1.3.1) deployed into OAS 10.1.3.1.
    The two applications are :
    1) SalesApp -> main menu page = SalesMenu.jspx
    2) ReportApp -> main menu page = ReportMenu.jspx
    I want to implement security using CustomLogin.
    The question is :
    How can I share security context between the applications ?
    What I mean is, from SalesMenu.jspx there is one menu item to jump into ReportMenu.jspx, and I want the user not to need to log in again; login happens once and the user is recognized in the two apps. How to achieve that ?
    Thank you for your help,
    xtanto

    Xtanto,
    actually you can't if these are separate J2EE application deployments. The session is not shared and thus the authentication is lost. I heard that OracleAs is planning to implement a feature that allows you to share the session and thus a context between two J2EE deployments. I am not 100 % sure this is the case and will check with OC4J Product Management
    Frank

  • How to get security context in BPEL to get Logged in UserId

    Hi All,
    We have a requirement of getting security context in BPEL flow and from that we want to extract currentUserId. The requirement is to know who has initiated the composite flow. We are not passing userId in the event payload. In ADF we get the same through following expression:
    ADFContext.getCurrent().getSecurityContext().getUserName()
    Is there any similar api which we can access to get currentUserId?
    Thanks,
    Naga

    Hi,
    If your BPEL has oracle/wss_username_token_service_policy you can retrieve the username from the SOAP headers...
    Have a look at this...
    http://yuanmengblog.blogspot.com.au/2012/09/extracting-and-passing-wss-name-token.html
    Cheers,
    Vlad

  • The server principal "XYuser" is not able to access the database "Ydb" under the current security context

    SQL2005 on winserver 2003. I have a view in Xdb that accesses tables in 2 different databases (Xdb and Ydb) on the same server. I have mixed mode security. I have a SQL user (XYuser) that has read access to all tables and views on both databases, yet when I try to access the view using a C# windows application I get the following error:
    The server principal "XYuser" is not able to access the database "Ydb" under the current security context
    This same scenario works under SQL 2000. I looked through the postings and tried to set TRUSTWORTHY ON on both databases but that didn't help. I can access any other views or tables on the SQL 2005 server, just not the one that joins the tables cross databases. Any help is much appreciated... john

    This appears to be a Login/Database Mapping issue.  I was having this problem, but was able to resolve it as follows:
    Using the SQL Server management Studio:
    In the Object explorer, under the SERVER security folder (not the database security folder), expand Logins. 
    That is: ServerName -> Security -> Logins
    NOT: ServerName -> Databases -> DatabaseName -> Security -> Users
    Select the Login that is having the troubles.  Right click on the Login and select ‘Properties.’
    The ‘User Mapping’ page should list all databases on the server with a check mark on the databases that the Login has been mapped to.  When I was getting the error, the database in question was not checked (even though the Login was assigned as a User on the database itself).  Map the Login by checking the box next to the database name.  Set the default schema.  Then select the roles for the Login in the Database role membership list box.  I selected db_datareader and public.  After clicking OK to save the changes, the problem was resolved.
    In order to ‘Map’ the Login, the Login must not already be as User on the database, so you may have to go to the database security (ServerName -> Databases -> DatabaseName -> Security -> Users) and delete the Login from the list of database Users before mapping the Login to the database.
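
    The same check and fix in T-SQL, as an added example that is not part of the original answer. It assumes the login and the database user are both named XYuser and the database is Ydb, as in the question, and it re-links the existing user with ALTER USER ... WITH LOGIN (available from SQL Server 2005 SP2) instead of deleting and re-creating it as the answer describes.

```sql
-- Added example: diagnose and repair a login/user mapping for XYuser in Ydb.
-- XYuser, Xdb and Ydb are the names used in the question; adjust as needed.
USE Ydb;
GO

-- 1. Does the database user XYuser map to a server login?
--    The link between the two is the SID, not the name.
SELECT dp.name      AS database_user,
       dp.type_desc AS user_type,
       sp.name      AS mapped_login      -- NULL means the user is orphaned
FROM   sys.database_principals AS dp
LEFT JOIN sys.server_principals AS sp
       ON sp.sid = dp.sid
WHERE  dp.name = N'XYuser';

-- 2. List every SQL user in Ydb whose SID matches no server login.
--    principal_id 1-4 are dbo, guest, INFORMATION_SCHEMA and sys.
SELECT dp.name AS orphaned_user
FROM   sys.database_principals AS dp
LEFT JOIN sys.server_principals AS sp
       ON sp.sid = dp.sid
WHERE  dp.type = 'S'
  AND  dp.principal_id > 4
  AND  sp.sid IS NULL;

-- 3. Re-link the existing database user to the login of the same name.
--    This keeps the user's existing permissions and role memberships.
ALTER USER XYuser WITH LOGIN = XYuser;
GO

-- 4. Grant only the read access the view needs (the role chosen in the answer).
EXEC sp_addrolemember N'db_datareader', N'XYuser';
GO

-- 5. Verify from the login's own security context
--    (requires IMPERSONATE permission on the login, or sysadmin).
EXECUTE AS LOGIN = N'XYuser';
SELECT HAS_DBACCESS(N'Ydb') AS can_access_ydb;   -- 1 = access granted
REVERT;
GO

-- 6. TRUSTWORTHY was switched on during troubleshooting and did not help;
--    check its current state and turn it back off where nothing depends on it.
SELECT name, is_trustworthy_on
FROM   sys.databases
WHERE  name IN (N'Xdb', N'Ydb');

ALTER DATABASE Xdb SET TRUSTWORTHY OFF;
ALTER DATABASE Ydb SET TRUSTWORTHY OFF;
GO
```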

  • Oracle Forms and Portal. & Portal Security

    I need the following questions answered for a client who is
    trying to move from IIS to Oracle Portal. any pointers would be
    extremely helpful
    1. How to configure Oracle Forms to run with Portal.
    2. Is it possible to display forms inside a Portlet. If so, will
    the forms hold the same state when the page is refreshed.
    3. Is it possible to display WORD/PDF/EXCEL documents in their
    native format inside a Portlet.
    4. Any information on how IIS security integration is possible
    with Portal, i.e. (if there are ASP pages running on IIS
    security, how to integrate it with Portal Security mechanism)
    -Thanks
    ganesh

    You can create roles in Oracle with the appropriate privileges to access the application. For example,
    you could create a role that has only read access to all the tables in the database. You could assign this role to the menu. Also, you may want a role for a manager that would enable him to insert data or to see a few special forms. You could assign this role to the menu associated with the form.
    Using Form Builder, you can manage menu security with Oracle server roles. After defining the roles to use for a menu module, you could then specify the roles that have access to each menu item. When you set the 'Use Security' property of a menu module to 'Yes', the form enforces security. After setting the 'Use Security' property to 'Yes', you can use 'Module Roles' property to construct the entire list of roles with access to that menu module.
    I hope it helps.

  • HTTP (Axis) Receiver Adapter error: The security context token is expired or is not valid

    Hi Experts,
    We are required to send a message through PI 7.31 (single stack) in a Soap-to-Soap scenario connecting to a Soap 1.2 Web Service.
    We are getting a Security Context Token expired or Invalid error.
    Please help us resolving this error.
    Thanks in advance!
    The Channel Configurations are as follows:
    Processing sequence:
    Module configurations:
    Best Regards
    Vikram

    Hi all !
    First of all, thanks for your answers..
    Stefan Grube:
    It's not an Adapter Module.
    The module tab has the following configuration
    Processing Sequence:
    AF_Adapters/axis/AFAdapterBean    Local Enterprise Bean    afreq
    AF_Adapters/axis/HandlerBean      Local Enterprise Bean    xireq
    AF_Adapters/axis/HandlerBean      Local Enterprise Bean    trp
    AF_Adapters/axis/HandlerBean      Local Enterprise Bean    dcres
    AF_Adapters/axis/HandlerBean      Local Enterprise Bean    xires
    AF_Adapters/axis/AFAdapterBean    Local Enterprise Bean    afres
    Module Configuration
    xireq    handler.type    java:com.sap.aii.axis.xi.XI30OutboundHandler
    trp      handler.type    java:com.sap.aii.adapter.axis.ra.transport.http.HTTPSender
    trp      module.pivot    true
    xires    handler.type    java:com.sap.aii.axis.xi.XI30OutboundHandler
    How can I know if those values are correct ?
    Srinivas Reddy:
    Thanks for the documentation
    I have applied SAP Note 11016021 and the error changed, now it says:
    Axis: fatal error in invocation: java.lang.NoSuchMethodError: com/sap/aii/axis/xi/XIUtils.setOperation(Ljava/lang/String;Lorg/apache/axis/MessageContext;)V
    Message processing failed. Cause: com.sap.engine.services.ejb.exceptions.BaseTransactionRolledbackLocalException: Exception thrown in method process. The transaction is marked for rollback.
    Edited by: Antonio Guzman on Jul 9, 2008 5:29 PM

  • Setting security context in sql*plus session

    Hi,
    For a SQL*Plus session under an account that doesn't have execute privileges on fnd_global, is there any way to set the application security context similar to the way fnd_global.apps_initialize does?
    For example, as APPS one can do this:
    sqlplus apps/...
    SQL>  select SYS_CONTEXT('FND','USER_ID' ) as fnd_user_id from dual;
    FND_USER_ID
    1 row selected.
    SQL> execute fnd_global.apps_initialize( ... );
    SQL> select SYS_CONTEXT('FND','USER_ID' ) as fnd_user_id from dual;
    FND_USER_ID
    123456
    1 row selected.

    What I'd like to do is something like this ...
    sqlplus scott/...
    SQL> ... call some EBizSuite procedure where I can supply or
    be prompted for an EBizSuite user name, password, and responsibility ...
    SQL> select SYS_CONTEXT('FND','USER_ID' ) as fnd_user_id from dual;
    FND_USER_ID
    123456
    1 row selected.

    Hi
    Is there any method to initialize the environment using the Java API?
    How to call the function fnd_global.apps_initialize?
    Can you explain the required parameters?
    Asheesh

  • Current Security Context Not Trusted When Using Linked Server From ABAP

    Hello,
    I am experiencing a head-scratcher of a problem when trying to use a Linked Server connection to query a remote SQL Server database from our R/3 system.  We have had this working just fine for some time, but after migrating to new hardware and upgrading OS, DBMS, and R/3, now we are running into problems.
    The target database is a named instance on SQL Server 2000 SP3, Windows 2000 Server.  The original source R/3 system was 4.7x2.00, also on SQL Server 2000 (SP4), Windows 2000 Server.  I had been using a Linked Server defined via SQL Enterprise Manager (actually defined when the source was on SQL Server 7), which called an alias defined with the Client Network Utility that pointed to the remote named instance.  This alias and Linked Server worked great for several years.
    Now we have migrated our R/3 system onto new hardware, running Windows Server 2003 SP1 and SQL Server 2005 SP1.  The application itself has been upgraded to ECC 6.0.  I performed the migration with a homogeneous system copy, and everything has worked just fine.  I redefined the Linked Server on the new SQL 2005 installation, this time avoiding the alias and referencing the remote named instance directly, and it tests out just fine using queries from SQL Management Studio.  It also tests fine with OSQL called from the R/3 server console, both when logged on as SAPServiceSID with a trusted connection, and with a SQL login as the schema owner (i.e., 'sid' in lowercase).  From outside of R/3, I cannot make it fail.  It works perfectly.
    That all changes when I try to use the Linked Server within an ABAP application, however.  The basic code in use is
    EXEC SQL.
       SET XACT_ABORT ON
       DELETE FROM [SERVER\INSTANCE].DATABASE.dbo.TABLE
    ENDEXEC.
    The only thing different about this code from that before the upgrade/migration is the reference to [SERVER\INSTANCE] which previously used the alias of just SERVER.
    The program short dumps with runtime error DBIF_DSQL2_SQL_ERROR, exception CX_SY_NATIVE_SQL_ERROR.  The database error code is 15274, and the error text is "Access to the remote server is denied because the current security context is not trusted."
    I have set the "trustworthy" property on the R/3 database, I have ensured SAPServiceSID is a member of the sysadmin SQL role, I've even made it a member of the local Administrators group on both source and target servers, and I've done the same with the SQL Server service account (it uses a domain account).  I have configured the Distributed Transaction Coordinator on the source (Win2003) system per Microsoft KB 839279 (this fixed problems with remote queries coming the other way from the SQL2000 system), and I've upgraded the system stored procedures on the target (SQL2000) system according to MS KB 906954.  I also tried making the schema user a member of the sysadmin role, but naturally that was disastrous, resulting in an instant R/3 crash (don't try this in production!), so I set it back the way it was (default).
    What's really strange is no matter how I try this from outside the R/3 system, it works perfectly, but from within R/3 it does not.  A search of SAP Notes, SDN forums, SAPFANS, Microsoft's KnowledgeBase, and MSDN Forums has not yielded quite the same problem (although that did lead me to learning about the "trustworthy" database property).
    Any insight someone could offer on this thorny problem would be most appreciated.
    Best regards,
    Matt

    Good news! We have got it to work. However, we did it in something of
    a backwards way, and I'm sure you'll laugh when you see how it was done. Also, the solution depends upon the fact that the remote server is still using SQL Server 2000, and so doesn't have quite so many restrictions placed upon it for distributed transactions and Linked Servers as SQL Server 2005 now does.
    At the heart of the solution is the fact that the Linked Server coming FROM the remote server TO our SAP system works fine. Finally, coupled with the knowledge that using DBCON on the SAP side to the remote server also does actually provide a connection (see Notes 323151 and 738371), we set up a roundabout way of achieving our goal. In essence, from ABAP, we set up the DBCON connection to the remote server, at which point all the Native SQL commands execute in the context of the remote server. From within that connection, we
    reference the tables in SAP via the Linked Server defined on the remote
    server, as if SAP were the remote server, selecting data from SAP and inserting it into the remote (but apparently local to this connection) tables.
    So, to spell it out, we define a Linked Server on the remote server pointing back to the SAP server as SAPSERV, with a SQL login mapping defined on the remote system pointing back to a SQL login in the SAP database. We also define a connection to the remote server from SAP using DBCON, using that remote SQL login for authentication.
    Then, in our ABAP code, we simply do something along the lines of
    exec sql.
       set connection 'REMOTE'
    endexec.
    exec sql.
       connect to 'REMOTE'
    endexec.
    exec sql.
       insert into REMOTE_TABLE
          select * from SAPSERV.SID.sid.SAP_TABLE
    endexec.
    exec sql.
       commit
    endexec.
    exec sql.
       disconnect 'REMOTE'
    endexec.
    This is, of course, a test program, but it demonstrated that it worked,
    and we were able to see that entries were appropriately deleted and inserted in the remote server's table. The actual program for use is a little more complex, in that there are about four different operations at different times, and we had to resolve the fact that the temp table SAP_TABLE was being held in a lock by our program, resulting in a deadly embrace, but our developer was able to work that out, and all is now well.
    I don't know if this solution will have applicability to any other customers, but it works for us, for now.
    SAPSERV, REMOTE, REMOTE_TABLE, and SAP_TABLE are, of course, placeholder names, not the actual server or table names, so as not to confuse anyone.
    Best regards,
    Matt

  • How to get current IUser (com.sapportals.portal.security.usermanagement)

    Hi,
    does anybody know how to get IUser for the current user?
    I know how to get current IUser from com.sap.security.api package:
    IWDClientUser wdcu = WDClientUser.getCurrentUser();
    IUser sapUser = wdcu.getSAPUser();
    but I need to have IUser from com.sapportals.portal.security.usermanagement package.
    Regards,
    Ladislav

    Ladislav,
    Try this:
    Get the IUser using the API com.sap.security.api.IUser and store it in a variable, say sapUser.
    Then,
    // Convert the logged in user to old EP5 usermanagement API
    com.sapportals.portal.security.usermanagement.IUser user = null;
    try {
        user = WPUMFactory.getUserFactory().getEP5User(sapUser);
    } catch (UserManagementException e) {
        e.printStackTrace();
    }
    Bala
