Problems with custom login module/authscheme in Portal iViews

Hi,
In our portal users must login with their username and password ("ticket" login module stack) to access most of the content. For some of the iViews containing confidential data we would like to ask the users some personal questions before giving them access.
I followed all the steps described in the [official documentation |http://help.sap.com/saphelp_nw04s/helpdata/en/8c/f03541c6afd92be10000000a1550b0/content.htm]:
- created a custom login module
- added it to a custom login module stack
- added a custom authscheme in the authschemes.xml file
- assigned the iView to this authscheme
I also create a PortalComponent that reads the user entries and calls my login module (JSP not shown):
public void doContent(IPortalComponentRequest request, IPortalComponentResponse response)     {
    HttpServletRequest req = request.getServletRequest();
    HttpServletResponse resp = request.getServletResponse(false);
    ILogonAuthentication ila = UMFactory.getLogonAuthenticator();
    Subject subject = ila.logon(req, resp, "myauthscheme");
    // if authenticated what to do next??
Now when I try to access the protected iView, I see my screen to answer the questions, I press submit and my login module is called. But, I never get redirected to the iView I'm supposed to go. So I still have two questions:
1) Which login modules should be in the login module stack? Should I include the BasicPasswordLoginModule?
For the moment I have:
EvaluateTicketLoginModule (SUFFICIENT)
MyCustomLoginModule (REQUISITE)
CreateTicketLoginModule (OPTIONAL)
2) How can I be redirected to the protected iView after the user is being authenticated? Is it the portal framework who is responsible to navigate there automatically? Or is it in my own code after the logon() call? In that case how can I retrieve the destination URL?
Thanks,
Martin

I'm using the version 10.1.3.0.4 (SU5).
The error is:
06/09/28 18:09:05 WARNING: Application.setConfig Application: current-workspace-app is in failed state as initialization failedjava.lang.InstantiationException
28/09/2006 18:09:05 com.evermind.server.Application setConfig
WARNING: Application: current-workspace-app is in failed state as initialization failedjava.lang.InstantiationException
2006-09-28 18:09:05.390 WARNING J2EE 0JR0013 Exception initializing deployed application: current-workspace-app. null
My JAAS-oc4j-app content is:
<log>
<file path="JAAS-oc4j-app.log" xmlns=""/>
</log>
<jazn provider="XML" location="JAAS-jazn-data.xml">
<property name="role.mapping.dynamic" value="true"/>
<property name="custom.loginmodule.provider" value="true"/>
<property name="jaas.username.simple" value="true"/>
</jazn>
<data-sources path="JAAS-data-sources.xml"/>
Thanks for reply.

Similar Messages

Problems with custom login module

Hi,
I'am getting a java.lang.InstantiationException when I enable the property 'role.mapping.dynamic' on my jazn-data.xml.
I readed older posts and I haven't find the solution. It's a bug from jDeveloper or have solution.
I'm deploying the application in Embedded OC4J.
Thanks.

I'm using the version 10.1.3.0.4 (SU5).
The error is:
06/09/28 18:09:05 WARNING: Application.setConfig Application: current-workspace-app is in failed state as initialization failedjava.lang.InstantiationException
28/09/2006 18:09:05 com.evermind.server.Application setConfig
WARNING: Application: current-workspace-app is in failed state as initialization failedjava.lang.InstantiationException
2006-09-28 18:09:05.390 WARNING J2EE 0JR0013 Exception initializing deployed application: current-workspace-app. null
My JAAS-oc4j-app content is:
<log>
<file path="JAAS-oc4j-app.log" xmlns=""/>
</log>
<jazn provider="XML" location="JAAS-jazn-data.xml">
<property name="role.mapping.dynamic" value="true"/>
<property name="custom.loginmodule.provider" value="true"/>
<property name="jaas.username.simple" value="true"/>
</jazn>
<data-sources path="JAAS-data-sources.xml"/>
Thanks for reply.

Custom pluggable idm with custom login module

Hello All. I've developed a custom implementation of the pluggable identity management framework as explained in chapter 13 of the book "Oracle® Containers for J2EE Security Guide10g (10.1.3.1.0)". I have OAS 10.1.3.1.0.
Everything works fine except when the identity is validated with in the tokenAsserter. The process is supposed to continue with the login method implemented in my custom login module but instead the default oracle implementation (RealmLoginModule) is being executed.
The application is a servlet and is configured to use a custom loginModule. If I don't use de custom auth method (auth-method="CUSTOM_AUTH" in orion-application) my loginModule is called but when I plug it to my custom idm implementation it doesn't.
The custom idm is packed in to a jar containing the idm and the login module. The jar is deployed to the <ORACLE_HOME>/ext/lib directory.
Any suggestions? Thanks

Thanks for your answer, it really helps. I had already cheeked all that stuff and it was correct, but knowing that another person had made it worked the same way I was doing it, made me think I was doing it right and the problem may simpler. It really was. OC4J was really calling my login module all the time but it was getting a runtime exception, a very simple one, that was making OC4J to propagate the authentication to the default login module (RealmLoginModule), and that was the error I was watching in the logs that had me all confused.
I will start another thread though about stolen cookie in a SSO solution that I’m developing with this implementation.
Thank you.

Problem with Customer Interaction Module in Web Channel Builder

Hello Everyone,
Facing an issue with Web Channel Builder Customer Interaction Module.
In Web channel builder we have done all the required configuration changes, but still we are not able to get the reviews and rating part in the product detail page.
We have created a new application and all the other module are working fine ,but the only module that is causing problem is Customer Interaction module. Every time we are activating this module rest modules stops working.
Can anyone please let us know what could be the root cause of this problem.
Are there any setting that has to be done ...that we are missing in?
I have studied that Product Catalogue is integrated with this module. Are there any setting that are to be done in the Product Catalogue module in Web channel builder?
Thanks in advance!
Regards,
PB

Hi PB,
Did you please get any proper error / exception in log file? Did you please check the web.xml as well that there is no same application name defined.
Can you please also copy paste the log please.
Thanks,
Hamendra

Automate Login with Custom Login Module

Hi. I have successfully created a custom login module that calls a database stored procedure for our login procedures. However, there are conditions/cases where in a login will not be required (ie login page don't need to be displayed and it should direct to the home page right away).
I thought that putting these conditions/checks within the pl_sql will take care of it but that isn't the case. It turns out that the login page is always called before it goes to the pl_sql procedure we indicated in the orion-application.xml file. Now I am stumped on how to intercept the login page call.
Any help would be greatly appreciated. I have been working on this issues for months and haven't gotten a solution.
Thank you.
Edited by: 829489 on Jan 19, 2011 7:17 AM

You can not do this in a login module. Here's why:
1). You must (in web.xml) indicate which resources are secured and which are not. You cannot say "it's secured sometimes"
2). Once a login module indicates that a user is successfully authenticated, they are authenticated for the remainder of their session.
3). Now, in your login module, if you bypass any username/password check and mark them as authenticated (allowing them to access the secure resources), they will be authenticated for all requests in that session - including ones that you don't want to give them access to.
I'm guessing by your reference to orion-application.xml that you are using JDev 10g, therefore my suggestion of a task flow with a router to route users to either secure or not secure page is not applicable for you (it's only available in 11g).
John

RMI with custom login module

I have an application EAR deployed on the application server that uses a custom login module for authentication. I also have a standalone java application that does a JNDI lookup on a remote EJB. The issue I am having is that this lookup always fails with an exception when the EAR is deployed onto the server, but this seems to work alright with a standalone OC4J. I am working with 10.1.3.4.0 of the OC4J container.
javax.naming.NamingException: Lookup error: javax.naming.AuthenticationException: Not authorized; nested exception is:
 javax.naming.AuthenticationException: Not authorized [Root exception is javax.naming.AuthenticationException: Not authorized]
 at com.evermind.server.rmi.RMIClientContext.lookup(RMIClientContext.java:64)
 at javax.naming.InitialContext.lookup(InitialContext.java:351)
 at uk.co.card.cms.esp.TestJndi.main(TestJndi.java:53)
Caused by: javax.naming.AuthenticationException: Not authorized
 at oracle.oc4j.rmi.ClientRmiTransport.connectToServer(ClientRmiTransport.java:99)
 at oracle.oc4j.rmi.ClientSocketRmiTransport.connectToServer(ClientSocketRmiTransport.java:68)
 at com.evermind.server.rmi.RMIClientConnection.connect(RMIClientConnection.java:646)
 at com.evermind.server.rmi.RMIClientConnection.sendLookupRequest(RMIClientConnection.java:190)
 at com.evermind.server.rmi.RMIClientConnection.lookup(RMIClientConnection.java:174)
 at com.evermind.server.rmi.RMIClient.lookup(RMIClient.java:283)
 at com.evermind.server.rmi.RMIClientContext.lookup(RMIClientContext.java:51)
The standalone application is setting these properties for JNDI lookup -
java.naming.security.principal=<user>
java.naming.security.credentials=<password>
java.naming.factory.initial=com.evermind.server.rmi.RMIInitialContextFactory
java.naming.provider.url=opmn:ormi://beefalo2:6003/CmsEnterprise
As far as I can see, the login module is going through the login() and commit() phases correctly and sets a role called 'user' for the authenticated subject. This role is given the RMI login permission in the jazn-data.xml
<jazn-policy>
 
 <grant>
 <grantee>
 <principals>
 <principal>
 <realm-name>jazn.com</realm-name>
 <type>role</type>
 <class>uk.co.card.jaas.SimplePrincipal</class>
 <name>user</name>
 </principal>
 </principals>
 </grantee>
 <permissions>
 <permission>
 <class>com.evermind.server.rmi.RMIPermission</class>
 <name>login</name>
 </permission>
 </permissions>
 </grant>
 </jazn-policy>
The ejb-jar.xml also has this defined in the assembly-descriptor.
<assembly-descriptor>
 <security-role>
 <role-name>user</role-name>
 </security-role>
</assembly-descriptor>
The orion-application.xml has the namespace access provided as -
 <namespace-access>
 <read-access>
 <namespace-resource root="">
 <security-role-mapping impliesAll="true">
 <group name="users" />
 </security-role-mapping>
 </namespace-resource>
 </read-access>
 <write-access>
 <namespace-resource root="">
 <security-role-mapping impliesAll="true">
 <group name="users" />
 </security-role-mapping>
 </namespace-resource>
 </write-access>
 </namespace-access>
Appreciate if someone can help me identify what I am missing.

I have an application EAR deployed on the application server that uses a custom login module for authentication. I also have a standalone java application that does a JNDI lookup on a remote EJB. The issue I am having is that this lookup always fails with an exception when the EAR is deployed onto the server, but this seems to work alright with a standalone OC4J. I am working with 10.1.3.4.0 of the OC4J container.
javax.naming.NamingException: Lookup error: javax.naming.AuthenticationException: Not authorized; nested exception is:
 javax.naming.AuthenticationException: Not authorized [Root exception is javax.naming.AuthenticationException: Not authorized]
 at com.evermind.server.rmi.RMIClientContext.lookup(RMIClientContext.java:64)
 at javax.naming.InitialContext.lookup(InitialContext.java:351)
 at uk.co.card.cms.esp.TestJndi.main(TestJndi.java:53)
Caused by: javax.naming.AuthenticationException: Not authorized
 at oracle.oc4j.rmi.ClientRmiTransport.connectToServer(ClientRmiTransport.java:99)
 at oracle.oc4j.rmi.ClientSocketRmiTransport.connectToServer(ClientSocketRmiTransport.java:68)
 at com.evermind.server.rmi.RMIClientConnection.connect(RMIClientConnection.java:646)
 at com.evermind.server.rmi.RMIClientConnection.sendLookupRequest(RMIClientConnection.java:190)
 at com.evermind.server.rmi.RMIClientConnection.lookup(RMIClientConnection.java:174)
 at com.evermind.server.rmi.RMIClient.lookup(RMIClient.java:283)
 at com.evermind.server.rmi.RMIClientContext.lookup(RMIClientContext.java:51)
The standalone application is setting these properties for JNDI lookup -
java.naming.security.principal=<user>
java.naming.security.credentials=<password>
java.naming.factory.initial=com.evermind.server.rmi.RMIInitialContextFactory
java.naming.provider.url=opmn:ormi://beefalo2:6003/CmsEnterprise
As far as I can see, the login module is going through the login() and commit() phases correctly and sets a role called 'user' for the authenticated subject. This role is given the RMI login permission in the jazn-data.xml
<jazn-policy>
 
 <grant>
 <grantee>
 <principals>
 <principal>
 <realm-name>jazn.com</realm-name>
 <type>role</type>
 <class>uk.co.card.jaas.SimplePrincipal</class>
 <name>user</name>
 </principal>
 </principals>
 </grantee>
 <permissions>
 <permission>
 <class>com.evermind.server.rmi.RMIPermission</class>
 <name>login</name>
 </permission>
 </permissions>
 </grant>
 </jazn-policy>
The ejb-jar.xml also has this defined in the assembly-descriptor.
<assembly-descriptor>
 <security-role>
 <role-name>user</role-name>
 </security-role>
</assembly-descriptor>
The orion-application.xml has the namespace access provided as -
 <namespace-access>
 <read-access>
 <namespace-resource root="">
 <security-role-mapping impliesAll="true">
 <group name="users" />
 </security-role-mapping>
 </namespace-resource>
 </read-access>
 <write-access>
 <namespace-resource root="">
 <security-role-mapping impliesAll="true">
 <group name="users" />
 </security-role-mapping>
 </namespace-resource>
 </write-access>
 </namespace-access>
Appreciate if someone can help me identify what I am missing.

Help with custom login module

i've been following franks' tutorial on how to use a custom login module. but no matter what i do, i cant get the jsp to authenticate my valid database account.
jazn-data.xml file

<name>scott</name>
<credentials>!tiger</credentials>
<jazn-loginconfig>
<application>
<name>foo</name>
<login-modules>
<login-module>
<class>oracle.sample.dbloginmodule.DBTableLM.DBSystemLoginModule</class>
<control-flag>required</control-flag>
<options>
<option>
<name>debug</name>
<value>true</value>
</option>
<option>
<name>jdbcUrl</name>
<value>jdbc:oracle:thin:@localhost:1521:orcl</value>
</option>
<option>
<name>log_level</name>
<value>ALL</value>
</option>
</options>
</login-module>
</login-modules>
</application>
</jazn-loginconfig>
</jazn-data>
orion-application.xml
<jazn provider="XML" location="jazn-data.xml"
default-realm="jazn.com">
<property name="role.mapping.dynamic" value="true"/>
<property name="jaas.username.simple" value ="true" />
</jazn>
is there anything wrong with the settings?I've followed the tutorial to the last step. yet i cant get anything. Please help!

Sorry about the incomplete previous post:
I am trying to do the authentication using a customized login module in a stand alone OC4J server. I put some debug statements and found out that the authentication works but fails to authorize. I get the following error:
NOTIFICATION J2EE RMI-00005 Login permission not granted for myApp (testUser)
The only way I have been able to get this to work is to add the user 'testUser' in system-jazn-data.xml and specify that 'testUser' has the role 'USERS'. It's not practically possible to specify all the users in system-jazn-data.xml. Is there a workaround this? I have pasted below snippets of orion-application.xml and system-jazn-data.xml. Any help is greatly appreciated. Thanks in advance
I have specified the following in orion-application.xml
<namespace-access>
<read-access>
<namespace-resource root="">
<security-role-mapping>
<group name="USERS"/>
</security-role-mapping>
</namespace-resource>
</read-access>
<write-access>
<namespace-resource root="">
<security-role-mapping>
<group name="USERS"/>
</security-role-mapping>
</namespace-resource>
</write-access>
</namespace-access>
</orion-application>
In system-jazn-data.xml I have given permission for the role 'USERS' to login.
<grant>
<grantee>
<principals>
<principal>
<realm-name>jazn.com</realm-name>
<type>role</type>
<class>oracle.security.jazn.spi.xml.XMLRealmRole</class>
<name>jazn.com/USERS</name>
</principal>
</principals>
</grantee>
<permissions>
<permission>
<class>com.evermind.server.rmi.RMIPermission</class>
<name>login</name>
</permission>
</permissions>
</grant>

Custom login module for weblogic portal 10.3.2

Hi everyone
i want to develop a custom portal login module for weblogic..
can anyone help me out with details how can i implement it ...any links provided will ve very useful
Thanks in advance.

The credentials given on that page are wrong for 10.3.2. (They might be correct for 10.3, but that's not my problem.) I found the correct credentials -- weblogic / webl0gic -- at this URL:
weblogic portal 10.3.2 sample domain admin console question
It's also given correctly in section 6 of the Getting Started Guide, but you have to know to look there first.
Edited by: dwschulze on Aug 19, 2010 1:47 PM

Problems with customizing blog modules.

I was wondering how to customize blog modules in dreamweaver. In dreamweaver when I add the "list of post module" into a template, then click on data, I do not see the tags to insert archive blog posts, or older and newer posts tags. How can I add and edit those tags. In the end I am looking to get a blog that looks like this. Also, is there not a way to edit the blog post detail in Dreamweaver? In BC I see that it is possible to add an image in the older and newer blog post tags. How do I do that? Thanks for all the help!

Hi,
If you download application you can see source.
I have not write any instructions, sorry.
If you are on Apex 4 you can just load jQuery UI autocomplete library and take ideas from my app.
If you download my sample in zip there is uncompressed htmldbQuery library.
You can see that and take only function htmldbAutocomplete.
Then check jQuery UI document
http://jqueryui.com/demos/autocomplete/#method-search
There is method search that you can use open list just by click of input.
I hope this helps at start.
Regards,
Jari

Help - using custom login module with embedded jdev oc4j to access ejb 3

Hi All (Frank ??),
I'm just wondering if anyone has successfully been able to leverage a custom login module in combination
with a client that connects to a local EJB 3 stateless session bean through Jdeveloper 10.1.3.2's embedded oc4j.
I have spent 2+ days trying to get this to work - and i think I resound now to the fact im going to
have to deploy to oc4j standalone instead.
I got close.. but finally was trumped with the following error from the client trying to access the ejb:-
javax.naming.NoPermissionException: Not allowed to look up XXXXXX, check the namespace-access tag
setting in orion-application.xml for details.
Using the various guides available, I had no problem getting the custom login module working
with a local servlet running from JDev's embedded oc4j.. however with ejb - no such luck.
I have a roles table (possible values Member, Admin) - that maps to sr_Member and sr_Admin
respectively in various config files.
I'm using EJB 3 annotations for protecting methods .. for example
@RolesAllowed("sr_Member")
Steps that I had to do so far :-
In <jdevhome>\jdev\system\oracle.jwee.10.1.3.40.66\embedded-oc4j\config\system-jazn-data.xml1) Add custom login module
 <application>
 <name>current-workspace-app</name>
 <login-modules>
 <login-module>
 <class>kr.security.KnowRushLoginModule</class>
 <control-flag>required</control-flag>
 <options>
 <option>
 <name>dataSource</name>
 <value>jdbc/DB_XE_KNOWRUSHDS</value>
 </option>
 <option>
 <name>user.table</name>
 <value>users</value>
 </option>
 <option>
 <name>user.pk.column</name>
 <value>id</value>
 </option>
 <option>
 <name>user.name.column</name>
 <value>email_address</value>
 </option>
 <option>
 <name>user.password.column</name>
 <value>password</value>
 </option>
 <option>
 <name>role.table</name>
 <value>roles</value>
 </option>
 <option>
 <name>role.to.user.fk.column</name>
 <value>user_id</value>
 </option>
 <option>
 <name>role.name.column</name>
 <value>name</value>
 </option>
 </options>
 </login-module>
 </login-modules>
 </application>2) Grant login rmi permission to roles associated with custom login module (also in system-jazn-data.xml)
<grant>
 <grantee>
 <principals>
 <principal>
 <realm-name>jazn.com</realm-name>
 <type>role</type>
 <class>kr.security.principals.KRRolePrincipal</class>
 <name>Admin</name>
 </principal>
 </principals>
 </grantee>
 <permissions>
 <permission>
 <class>com.evermind.server.rmi.RMIPermission</class>
 <name>login</name>
 </permission>
 </permissions>
</grant>
<grant>
 <grantee>
 <principals>
 <principal>
 <realm-name>jazn.com</realm-name>
 <type>role</type>
 <class>kr.security.principals.KRRolePrincipal</class>
 <name>Member</name>
 </principal>
 </principals>
 </grantee>
 <permissions>
 <permission>
 <class>com.evermind.server.rmi.RMIPermission</class>
 <name>login</name>
 </permission>
 </permissions>
</grant>3) I've tried creating various oracle and j2ee deployment descriptors (even though ejb-jar.xml and orion-ejb-jar.xml get created automatically when running the session bean in jdev).
My ejb-jar.xml contains :-
<?xml version="1.0" encoding="utf-8"?>
<ejb-jar xmlns ....
<assembly-descriptor>
 <security-role>
 <role-name>sr_Admin</role-name>
 </security-role>
 <security-role>
 <role-name>sr_Member</role-name>
 </security-role>
</assembly-descriptor>
</ejb-jar>Note- i'm not specifying the enterprise-beans stuff, as JDev seems to populate this automatically.
My orion-ejb-jar.xml contains ...
<?xml version="1.0" encoding="utf-8"?>
<orion-ejb-jar ...
<assembly-descriptor>
 <security-role-mapping name="sr_Admin">
 <group name="Admin"></group>
 </security-role-mapping>
 <security-role-mapping name="sr_Member">
 <group name="Member"></group>
 </security-role-mapping>
 <default-method-access>
 <security-role-mapping name="sr_Member" impliesAll="true">
 </security-role-mapping>
 </default-method-access>
</assembly-descriptor>My orion-application.xml contains ...
<?xml version="1.0" encoding="utf-8"?>
<orion-application xmlns ...
<security-role-mapping name="sr_Admin">
 <group name="Admin"></group>
</security-role-mapping>
<security-role-mapping name="sr_Member">
 <group name="Member"></group>
</security-role-mapping>
<jazn provider="XML">
 <property name="role.mapping.dynamic" value="true"></property>
 <property name="custom.loginmodule.provider" value="true"></property>
</jazn>
<namespace-access>
 <read-access>
 <namespace-resource root="">
 <security-role-mapping name="sr_Admin">
 <group name="Admin"/>
 <group name="Member"/>
 </security-role-mapping>
 </namespace-resource>
 </read-access>
 <write-access>
 <namespace-resource root="">
 <security-role-mapping name="sr_Admin">
 <group name="Admin"/>
 <group name="Member"/>
 </security-role-mapping>
 </namespace-resource>
 </write-access>
</namespace-access>
</orion-application>My essentially auto-generated EJB 3 client does the following :-
 Hashtable env = new Hashtable();
 env.put(Context.SECURITY_PRINCIPAL, "matt.shannon");
 env.put(Context.SECURITY_CREDENTIALS, "welcome1");
 final Context context = new InitialContext(env);
 KRFacade kRFacade = (KRFacade)context.lookup("KRFacade");
...And throws the error
20/04/2007 00:55:37 oracle.j2ee.rmi.RMIMessages
EXCEPTION_ORIGINATES_FROM_THE_REMOTE_SERVER
WARNING: Exception returned by remote server: {0}
javax.naming.NoPermissionException: Not allowed to look
up KRFacade, check the namespace-access tag setting in
orion-application.xml for details
 at
com.evermind.server.rmi.RMIClientConnection.handleLookupRe
sponse(RMIClientConnection.java:819)
 at
com.evermind.server.rmi.RMIClientConnection.handleOrmiComm
andResponse(RMIClientConnection.java:283)
....I can see from the console that the user was successfully authenticated :-
20/04/2007 00:55:37 kr.security.KnowRushLoginModule validate
WARNING: [KnowRushLoginModule] User matt.shannon authenticated
And that user is granted both the Admin, and Member roles.
The test servlet using basic authentication correctly detects the user and roles perfectly...
public void doGet(HttpServletRequest request,
 HttpServletResponse response)
 throws ServletException, IOException
 LOGGER.log(Level.INFO,LOGPREFIX +"doGet called");
 response.setContentType(CONTENT_TYPE);
 PrintWriter out = response.getWriter();
 out.println("<html>");
 out.println("<head><title>ExampleServlet</title></head>");
 out.println("<body>");
 out.println("The servlet has received a GET. This is the reply.");
 out.println(" getRemoteUser = " + request.getRemoteUser());
 out.println(" getUserPrincipal = " + request.getUserPrincipal());
 out.println(" isUserInRole('sr_Admin') = "+request.isUserInRole("sr_Admin"));
 out.println(" isUserInRole('sr_Memeber') = "+request.isUserInRole("sr_Member"));Anyone got any ideas what could be going wrong?
cheers
Matt.
Message was edited by:
mshannon

Thanks for the response. I checked out your blog and tried your suggestions. I'm sure it works well in standalone OC4J, but i was still unable to get it to function correctly from JDeveloper embedded.
Did you ever get the code working directly from JDeveloper?
Your custom code essentially seems to be the equivalent of a grant within system-jazn-data.xml.
For example, the following grant to a custom jaas role (JAAS_ADMIN) that gets added by my custom login module gives them rmi login access :-
 <grant>
 <grantee>
 <principals>
 <principal>
 <realm-name>jazn.com</realm-name>
 <type>role</type>
 <class>kr.security.principals.KRRolePrincipal</class>
 <name>JAAS_Admin</name>
 </principal>
 </principals>
 </grantee>
 <permissions>
 <permission>
 <class>com.evermind.server.rmi.RMIPermission</class>
 <name>login</name>
 </permission>
 </permissions>
 </grant>If I add the following to orion-application.xml

<namespace-access>
 <read-access>
 <namespace-resource root="">
 <security-role-mapping>
 <group name="JAAS_Admin"></group>
 </security-role-mapping>
 </namespace-resource>
 </read-access>Running a standalone client against the embedded jdev oc4j server gives the namespace-access error.
I tried out your code by essentially creating a static reference to a singleton class that does the role lookup/provisioning with rmi login grant :-
From custom login module :-
private static KRSecurityHelper singleton = new KRSecurityHelper();
protected Principal[] m_Principals;
 Vector v = new Vector();
 v.add(singleton.getCustomRmiConnectRole());
 // set principals in LoginModule
 m_Principals=(Principal[]) v.toArray(new Principal[v.size()]);
Singleton class :-
package kr.security;
import com.evermind.server.rmi.RMIPermission;
import java.util.logging.Level;
import java.util.logging.Logger;
import oracle.security.jazn.JAZNConfig;
import oracle.security.jazn.policy.Grantee;
import oracle.security.jazn.realm.Realm;
import oracle.security.jazn.realm.RealmManager;
import oracle.security.jazn.realm.RealmRole;
import oracle.security.jazn.realm.RoleManager;
import oracle.security.jazn.policy.JAZNPolicy;
import oracle.security.jazn.JAZNException;
public class KRSecurityHelper
private static final Logger LOGGER = Logger.getLogger("kr.security");
private static final String LOGPREFIX = "[KRSecurityHelper] ";
public static String CUSTOM_RMI_CONNECT_ROLE = "remote_connect";
private RealmRole m_Role = null;
public KRSecurityHelper()
 LOGGER.log(Level.FINEST,LOGPREFIX +"calling JAZNConfig.getJAZNConfig");
 JAZNConfig jc = JAZNConfig.getJAZNConfig();
 LOGGER.log(Level.FINEST,LOGPREFIX +"calling jc.getRealmManager");
 RealmManager realmMgr = jc.getRealmManager();
 try
 // Get the default realm .. e.g. jazn.com
 LOGGER.log(Level.FINEST,LOGPREFIX +"calling jc.getGetDefaultRealm");
 Realm r = realmMgr.getRealm(jc.getDefaultRealm());
 LOGGER.log(Level.INFO,LOGPREFIX +"default realm: "+r.getName());
 // Access the role manager for the remote connection role
 LOGGER.log(Level.FINEST,
 LOGPREFIX +"calling default_realm.getRoleManager");
 RoleManager roleMgr = r.getRoleManager();
 LOGGER.log(Level.INFO,LOGPREFIX +"looking up custom role '"
 CUSTOM_RMI_CONNECT_ROLE "'");
 RealmRole rmiConnectRole = roleMgr.getRole(CUSTOM_RMI_CONNECT_ROLE);
 if (rmiConnectRole == null)
 LOGGER.log(Level.INFO,LOGPREFIX +"role does not exist, create it...");
 rmiConnectRole = roleMgr.createRole(CUSTOM_RMI_CONNECT_ROLE);
 LOGGER.log(Level.FINEST,LOGPREFIX +"constructing new grantee");
 Grantee gtee = new Grantee(rmiConnectRole);
 LOGGER.log(Level.FINEST,LOGPREFIX +"constructing login rmi permission");
 RMIPermission login = new RMIPermission("login");
 LOGGER.log(Level.FINEST,
 LOGPREFIX +"constructing subject.propagation rmi permission");
 RMIPermission subjectprop = new RMIPermission("subject.propagation");
 // make policy changes
 LOGGER.log(Level.FINEST,LOGPREFIX +"calling jc.getPolicy");
 JAZNPolicy policy = jc.getPolicy();
 if (policy != null)
 LOGGER.log(Level.INFO, LOGPREFIX
 + "add to policy grant for RMI 'login' permission to "
 + CUSTOM_RMI_CONNECT_ROLE);
 policy.grant(gtee, login);
 LOGGER.log(Level.INFO, LOGPREFIX
 + "add to policy grant for RMI 'subject.propagation' permission to "
 + CUSTOM_RMI_CONNECT_ROLE);
 policy.grant(gtee, subjectprop);
 // m_Role = rmiConnectRole;
 m_Role = roleMgr.getRole(CUSTOM_RMI_CONNECT_ROLE);
 LOGGER.log(Level.INFO, LOGPREFIX
 + m_Role.getName() + ":" + m_Role.getFullName() + ":" + m_Role.getFullName());
 else
 LOGGER.log(Level.WARNING,LOGPREFIX +"Cannot find jazn policy!");
 else
 LOGGER.log(Level.INFO,LOGPREFIX +"custom role already exists");
 m_Role = rmiConnectRole;
 catch (JAZNException e)
 LOGGER.log(Level.WARNING,
 LOGPREFIX +"Cannot configure JAZN for remote connections");
public RealmRole getCustomRmiConnectRole()
 return m_Role;
}Using the code approach and switching application.xml across so that namespace access is for the group remote_connect, I get the following error from my bean :-
INFO: Login permission not granted for current-workspace-app (test.user)
Thus, the login permission that I'm adding through the custom remote_connect role does not seem to work. Even if it did, i'm pretty sure I would still get that namespace error.
This has been such a frustrating process. All the custom login module samples using embedded JDeveloper show simple j2ee servlet protection based on settings in web.xml.
There are no samples showing jdeveloper embedded oc4j using ejb with custom login modules.
Hopefully the oc4j jdev gurus like Frank can write a paper that demonstrates this.
Matt.

Custom Login Module - all modules ignored

Hello,
we created a custom login module and deployed it as library to the server. We than configured the login module as described in the SAP manual:
http://help.sap.com/saphelp_nw70/helpdata/en/46/3ce9402f3f8031e10000000a1550b0/frameset.htm
First we had a little problem with the library path. The security log has a nice overview what login stack and what modules where called, for our module it stated u201CCannot load login module class u2026.u201D
After reading the forum, we found that our login module path was wrong, we only added the class name as described in the tutorial. Correct was to use the library name from Visual Admin.
But now, if we call the portal, the security log is just empty. It seems no stack and no module is called at all. If we remove our custom module from the ticket stack, everything is fine and we get an entry in the security log with the ticket stack and all remaining modules.
If we add the custom login module to the stack again and enter username and password we get an error message that all modules are ignored.
Does anybody know this error and maybe what to do?
Best regards,
Kai

Hi Kai,
have you solved your problem?
Currently we are facing a similar Problem.
We have a custom login module. I deployed everything like in the tutorial. There should be no Problem with the login module itself, as it is an exact copy of a working one. Class names are the same. The only difference is in package names, project names, library names. I adjusted the classloader to the new library and also adjusted the classname in the user store where the login module is configured.The login module is part of the "ticket" authentication stack.
When we want to log on to the portal, we get an error like "all modules ignored".
Maybe you have found a solution which is also suitable for our problem.
Thanks
Regards
Pascal

Custom Login Module - Commit Method return TRUE always?

Hi,
I am creating a custom login module for my portal authentication.
For the login module, should the commit() method always return TRUE?
The example code on help.sap.com indicates yes to this question.
However, the JAVA Sun standard indicates that commit should return FALSE if the preceding login method returned FALSE.
Does the SAP example stray from the SUN standard? How should I code the commit() method such that it works (Always TRUE, or follow lead of login() method)?
Regards,
Kevin

Hi Kevin,
I'm actually working with this document: <a href="https://www.sdn.sap.comhttp://www.sdn.sap.comhttp://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/events/webinars/jaas%20login%20module%20development%20on%20webas%20java%20640.pdf#search=%22classloader%20sda%20jar%20reference%22">JAAS Login Modules</a>.
There is also example code. If it should be ignored they return false, otherwise true (page 32).
Regards,
Marcus
Message was edited by: Marcus Freiheit

RFC Call in a custom login module

Hi All,
What is the best way to call a RFC/BAPI from a Custom Login Module, part of the login stacks?
I want to avoid using JCo Client Service, do not want to hard code the connection values in the class.
Have anyone of you come across such a situation?
Can the custom login module access the Portal Runtime resources, like the Connector Gateway Service/Destination Service?
Or it just runs inside the j2EE container?
Thanks for your help
Aakash
Edited by: Aakash Jain on Nov 24, 2008 11:42 PM

Hi All,
What is the best way to call a RFC/BAPI from a Custom Login Module, part of the login stacks?
I want to avoid using JCo Client Service, do not want to hard code the connection values in the class.
Have anyone of you come across such a situation?
Can the custom login module access the Portal Runtime resources, like the Connector Gateway Service/Destination Service?
Or it just runs inside the j2EE container?
Thanks for your help
Aakash
Edited by: Aakash Jain on Nov 24, 2008 11:42 PM

Problem with role mapping in custom login module

Hi all,
I have developed custom login modules. They don't use the default user store but own data tables holding the necessary user information.
Login works fine. But there is one big problem: Only those users that exist with the same user-id in the default user store get roles assigned to it. Whicht leads to 403-errors in my web application.
Now, this is weired because a user with id 'Susi' has completely different passwords in my custom tables and in the user store, therefore it shouldn't be possible to authenticate 'Susi' against the default user management.
Next thing is, I don't use the default login modules at all. So why does the application validates against the user store?
I thought a source of the problem might be that I don't set the roles correctly. I set the roles as a principal to the subject. I have chosen the role based mapping in the web-engine.xml and mapped all my custom roles to the server role 'guests'.
Could anybody think of a solution to this problem ?
Thanks, Astrid

Astrid,
Sorry to go off-topic on your post...but I have a question in relation to how you deploy your login module. Do you deploy the login module with your application ? I've developed a login module that I would like to deploy by itself, I currently deploy it with the calculator example and it works fine like this, but I need to deploy it by itself. Any tips you can give would be greatly appreciated.
I've tried to use the deploytool and deploy the module as a library...but I get a "cannot load a login module" in the logs when authenticating a user.

How to get Custom Login Module to communicate with frontendtarget

We have created a custom login module and placed it in our login module stack.
So we have the following 3 Login Modules in our stack:
EvaluateTicketModule
OurCustomLoginModule
CreateTicketModule
Also we are using the standard SAP login screen for our frontendtarget, see our authschemes.xml entry:
<authscheme name="cglogon">
 <authentication-template>
 form
 </authentication-template>
 <priority>21</priority>
 <frontendtype>2</frontendtype>
 <frontendtarget>com.sap.portal.runtime.logon.certlogon</frontendtarget>
 </authscheme>
Question:
There are standard screens in the SAP login PAR:
 changePasswordPage.jsp
 umLogonProblemPage.jsp
 umResetPasswordPage.jsp
How do I trigger one of these screens from my Login() method of my
custom login module? I thought if I throw some specific exception, these screens would
be called?

A bit more info.
We created a new Authentication Scheme for certain iviews that are deemed more "sensitive" that required a step-up authentication.
I changed the Iview property "Authentication Scheme" to our custom one.
If I navigate into one of these more sensitive Iviews, I get the standard SAP login screen: <frontendtarget>com.sap.portal.runtime.logon.certlogon</frontendtarget>
Whis is what i expect.
I enter a username and password and click Logon button. I see that it successfully hits our custom login module and goes through Login(), and Commit() methods and finally displays the iview i originally requested.
However, on a failure, i want it to return focus to the SAP login screen with an error explaining why...(i.e. wrong password, account locked, etc.)
However, It always give iview runtime exception with Access Denied.
#1.5 #0018FE8C6FD800690000029000004D6C00045B6E5E7D6014#1226429496628#com.sap.engine.services.security.authentication.logincontext#sap.com/irj#com.sap.engine.services.security.authentication.logincontext#JOHNDOE#182##servername_EPX_176065950#JOHNDOE#bb3365a0b02111ddabea0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_24##0#0#Debug##Java###Login module {0} from authentication stack {1} does not authenticate the caller.#2#companyname.com.CGLoginModuleClass#form#
#1.5 #0018FE8C6FD800690000029100004D6C00045B6E5E7D6275#1226429496629#com.sap.engine.services.security.authentication.loginmodule.ticket.EvaluateTicketLoginModule#sap.com/irj#com.sap.engine.services.security.authentication.loginmodule.ticket.EvaluateTicketLoginModule.abort()#JOHNDOE#182##servername_EPX_176065950#JOHNDOE#bb3365a0b02111ddabea0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_24##0#0#Path##Plain###Entering method#
#1.5 #0018FE8C6FD800690000029200004D6C00045B6E5E7D6308#1226429496629#com.sap.engine.services.security.authentication.loginmodule.ticket.EvaluateTicketLoginModule#sap.com/irj#com.sap.engine.services.security.authentication.loginmodule.ticket.EvaluateTicketLoginModule#JOHNDOE#182##servername_EPX_176065950#JOHNDOE#bb3365a0b02111ddabea0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_24##0#0#Debug##Plain###Internal Login Module data has been reset.#
#1.5 #0018FE8C6FD800690000029300004D6C00045B6E5E7D6386#1226429496629#com.sap.engine.services.security.authentication.loginmodule.ticket.EvaluateTicketLoginModule#sap.com/irj#com.sap.engine.services.security.authentication.loginmodule.ticket.EvaluateTicketLoginModule#JOHNDOE#182##servername_EPX_176065950#JOHNDOE#bb3365a0b02111ddabea0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_24##0#0#Path##Java###Exiting method with {0}#1#true#
#1.5 #0018FE8C6FD800690000029400004D6C00045B6E5E7D6438#1226429496629#com.sap.engine.services.security.authentication.loginmodule.ticket.CreateTicketLoginModule#sap.com/irj#com.sap.engine.services.security.authentication.loginmodule.ticket.CreateTicketLoginModule.abort()#JOHNDOE#182##servername_EPX_176065950#JOHNDOE#bb3365a0b02111ddabea0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_24##0#0#Path##Plain###Entering method#
#1.5 #0018FE8C6FD800690000029500004D6C00045B6E5E7D64B2#1226429496629#com.sap.engine.services.security.authentication.loginmodule.ticket.CreateTicketLoginModule#sap.com/irj#com.sap.engine.services.security.authentication.loginmodule.ticket.CreateTicketLoginModule#JOHNDOE#182##servername_EPX_176065950#JOHNDOE#bb3365a0b02111ddabea0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_24##0#0#Path##Java###Exiting method with {0}#1#true#
#1.5 #0018FE8C6FD800690000029700004D6C00045B6E5E7D6750#1226429496630#com.sap.engine.services.security.authentication.logincontext#sap.com/irj#com.sap.engine.services.security.authentication.logincontext#JOHNDOE#182##servername_EPX_176065950#JOHNDOE#bb3365a0b02111ddabea0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_24##0#0#Info#1#/System/Security/Authentication#Plain###LOGIN.FAILED
User: N/A
Authentication Stack: form
Login Module Flag Initialize Login Commit Abort Details
1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok exception true authscheme not sufficient: uidpwdlogon<cglogon
 \#1 ume.configuration.active = true
2. companyname.com.CGLoginModuleClass REQUISITE ok exception true Authentication did not succeed.
3. com.sap.security.core.server.jaas.CreateTicketLoginModule OPTIONAL ok true
 \#1 ume.configuration.com = true#
#1.5 #0018FE8C6FD800690000029900004D6C00045B6E5E7DA973#1226429496647#System.err#sap.com/irj#System.err#JOHNDOE#182##servername_EPX_176065950#JOHNDOE#bb3365a0b02111ddabea0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_24##0#0#Error##Plain###Nov 11, 2008 10:51:36... com.sap.portal.portal [SAPEngine_Application_Thread[impl:3]_24] Error: Exception ID:10:51_11/11/08_0002_176065950
#1.5 #0018FE8C6FD800690000029B00004D6C00045B6E5E7DCA91#1226429496647#com.sap.portal.portal#sap.com/irj#com.sap.portal.portal#JOHNDOE#182##servername_EPX_176065950#JOHNDOE#bb3365a0b02111ddabea0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_24##0#0#Error#1#/System/Server#Java###Exception ID:10:51_11/11/08_0002_176065950
[EXCEPTION]
{0}#1#com.sapportals.portal.prt.runtime.PortalRuntimeException: Access is denied: pcd:portal_content/com.companyname.portal.capitalgroup/com.companyname.com.security/com.companyname.portal.cghressnaaa/com.sap.pct.ess.employee_self_service/com.companyname.pg_sensitiveWebdynpro/com.cg.ivu_saplogon_0 - user: Guest
 at com.sapportals.portal.prt.deployment.DeploymentManager.getPropertyContentProvider(DeploymentManager.java:1936)
 at com.sapportals.portal.prt.core.broker.PortalComponentContextItem.refresh(PortalComponentContextItem.java:230)
 at com.sapportals.portal.prt.core.broker.PortalComponentContextItem.getContext(PortalComponentContextItem.java:312)
 at com.sapportals.portal.prt.component.PortalComponentRequest.getComponentContext(PortalComponentRequest.java:385)
 at com.sapportals.portal.prt.connection.PortalRequest.getRootContext(PortalRequest.java:435)
 at com.sapportals.portal.prt.core.PortalRequestManager.runRequestCycle(PortalRequestManager.java:607)
 at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:240)
 at com.sapportals.portal.prt.dispatcher.Dispatcher$doService.run(Dispatcher.java:545)
and here's my login method...
 public boolean login() throws javax.security.auth.login.LoginException
 this.succeeded = false;
 String passwordString = "";
 if (callbackHandler == null)
 throw new LoginException("Error: no CallbackHandler available to garner authentication information from the user");
 HttpGetterCallback httpgettercallback = new HttpGetterCallback();
 NameCallback nc = new NameCallback("User:");
 PasswordCallback pc = new PasswordCallback("Password:", false);
 Callback[] callbacks = new Callback[] { nc, pc };
 try
 callbackHandler.handle(callbacks);
 catch (IOException e)
 throwUserLoginException(e, LoginExceptionDetails.IO_EXCEPTION);
 catch (UnsupportedCallbackException e)
 return false;
 String userid = nc.getName();
 char[] password = pc.getPassword();
 pc.clearPassword();
 if (userid.length() == 0)
 throwNewLoginException("USERID IS MISSING!", LoginExceptionDetails.IO_EXCEPTION);
 else
 username = userid;
 if (password.length == 0)
 throwNewLoginException("PASSWORD IS MISSING!", LoginExceptionDetails.NO_PASSWORD);
 else
 passwordString = new String(password);
 String eccLoginResult = validateECCAuthentication(username, passwordString);
 if (!eccLoginResult.equals(""))
 myLoc.infoT(this.username + " - failed ECC authentication.");
 throwNewLoginException("Wrong UserId/Password", LoginExceptionDetails.WRONG_USERNAME_PASSWORD_COMBINATION);
 else
 myLoc.infoT(this.username + " - failed ECC authentication.");
 this.succeeded = true;
 if (this.succeeded)
 try
 refreshUserInfo(this.username);
 catch (SecurityException e)
 throwUserLoginException(e);
 if (sharedState.get(AbstractLoginModule.NAME) == null)
 sharedState.put(AbstractLoginModule.NAME, this.username);
 this.nameSet = true;
 else
 throwNewLoginException("Wrong UserId/Password", LoginExceptionDetails.WRONG_USERNAME_PASSWORD_COMBINATION);
 return this.succeeded;

Problems with custom login module/authscheme in Portal iViews

Similar Messages

Maybe you are looking for