Role based menu using JAAS

Is it possible to implement role based menu using JAAS in web application ? My requirment is to enable or disable menu items on the screen based on the roles of the logged in user .
Can some one help me on this ?

Similar Messages

How to set role based Authorization in JAAS

how to set role based Authorization in JAAS
i had user name , password and role in FileLogin
thanks
arun .v.

http://dev2dev.bea.com/pub/a/2003/04/Kemp_Helton.html?page=last

Error in Role Based security using weblogic 9

Hi All,
Currently I am working with Weblogic Server 9. I am trying to use role based security. Below is the entries for web.xml.
<security-constraint>
     <web-resource-collection>
          <web-resource-name>Success</web-resource-name>
          <url-pattern>/form.jsp</url-pattern>
          <http-method>GET</http-method>
          <http-method>POST</http-method>
     </web-resource-collection>
     <auth-constraint>
          <role-name>admin</role-name>
     </auth-constraint>
     <user-data-constraint>
<transport-guarantee>INTEGRAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
     <auth-method>BASIC</auth-method>
     <realm-name>myrealm</realm-name>
</login-config>
<security-role>
     <role-name>admin</role-name>
</security-role>
When I am calling form.jsp from the browser it is asking for the username and password, but after giving the username and password it is showing the followig error:
Error 403--Forbidden
From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
10.4.4 403 Forbidden
The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated. If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity. This status code is commonly used when the server does not wish to reveal exactly why the request has been refused, or when no other response is applicable.
So can any one provide me the solution for the above problem.
Thanks in advance.
By,
Sandip Pradhan

Here is a blog post for the backend (WebLogic Admin GUI) http://disaak.blogspot.com/2009/11/migrating-to-weblogic-configure-role.html and a blog post for the web.xml in your project http://disaak.blogspot.com/2009/11/migrating-to-weblogic-configure-ear.html.

Roles based ' N 'step BADI

Hi,
Could any one tell, how to do the role based workflow using 'N'step BADI and also send sample code.
Thanks.
Prasad.

Check with SRM forum I think this question was discussed there. It seems some parameters in BADI needs to be populated for this issue.
Thanks
Arghadip

Dynamicaly manage role permissions using JAAS

Hi All,
I'm pretty much a newbie to JAAS and I need your help with the following requirement we have in our application.
We have a set of predefined permissions that we know in development time and we can assign to EJBs. We need to be able to assign those permissions to roles in the organization through API in the application.
We can't use simple role based security as the most granular actors in our application are roles, so we need to assign the permissions to the roles and not directly to the users (which are eventually assigned a role - managed in the customer user store).
As I mentioned before, the permissions are a closed set and are not configurable. The only configuration is who gets those permissions, and that ability should be given to the Admin of our application.
We considered using an hierarchy of roles, giving each logical role a set of permission-roles and use the standard role-based EJB security. For that we consider a custom login module to flatten the list of roles.
Let me know what you think and if there's any best practice for such scenario.
Just on thing. We want to stay in the JAAS realm as much as possible and avoid using some other security framework.
Thanks,
Eyal

JHeadstart uses roles and permissions only for maintenance reasons (for example, to quickly assign a number of permissions to a user). In runtime, differences between roles and permissions are discarded and both are treated the same. So, it is then comparable to JAAS, which only distinguishes between users and roles (called groups in OID).
The actual setup of the OID and JAAS is not part of JHeadstart. JHeadstart just uses the JAAS provider (when in JAAS mode) to check for the required roles (= permissions) for the current group.
Paco van der Linden,
JHeadstart Team.

To run OHS at port 80 using solaris role based access control

Hi.
I already know & have done setuid root to ohs/bin/.apachectl to allow ohs to listen to port 80. Now on a new OFM 11.1.1.4 install, I want to use Solaris Role Based Access Control (RBAC) instead. Is it possible? RBAC does work as I can run a home built apache2 httpd at port 80 withOUT suid root.
On Solaris 10, I enabled oracle uid to run process below port 1024 using RBAC
/etc/user_attr:
oracle::::type=normal;defaultpriv=basic,net_privaddr
Change OHS httpd.conf Listen from port 8888 to port 80.
However, opmnctl startproc process-type=OHS
failed as below with nothing showing in the diag logs:
opmnctl startproc: starting opmn managed processes...
================================================================================
opmn id=truffle:6701
0 of 1 processes started.
ias-instance id=asinst_1
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
ias-component/process-type/process-set:
ohs1/OHS/OHS/
Error
--> Process (index=1,uid=187636255,pid=25563)
failed to start a managed process after the maximum retry limit
Thx,
Ken

Just to add my two cents here.
The commando used on Solaris to assign the right privilege to bind TCP ports < 1024 is:
# usermod -K defaultpriv=basic,*net_privaddr* <your_user_name>
Restart the opmnctl daemond.
After that OHS/Apache user can bind to lower TCP ports.
Regards.
Edited by: Tuelho on Oct 9, 2012 6:05 AM

What is the mean of using Portal with Role Based security as entry point

Hi Experts we have requirement of integration of Portal and MDM
I am completely new to the MDM. So please give me some idea , what is the meanin for following points.
1) Using the Portal with Role Based security as entry point for capacity and Routing Maintaince(These two are some modules).
2) Additionally , Portal should have capability to enter in to the MDM for future master data maintence. Feeds of data will need to be come from SAP 4.6c
Please give me the clarity of what is the meanin of second point
Regards
Vijay

Hi
It requires the entire land scape like EP server and MDM server both should be configured in SLD.
Your requirement is maintaing and updating the MDM data with Enterprise portal.We have some Business Packages to install in Portal inorder to access the functionality of MDM.
Portal gives you a secure role based functionality of MDM through Single sign on (login into the portal access any application) to their end users.
Please go through this link
http://help.sap.com/saphelp_mdmgds55/helpdata/EN/45/c8cd92dc7f4ebbe10000000a11466f/frameset.htm
You need to develope some custom applications which should be integrated into the portal to access MDM Server master data
The estimation involves as per your requirement clearly
Its depends upon the Landscape settings, Requirement complexity,Identify how many number of custom applications need to be developed
Regards
Kalyan

Custom security JHeadstart 11gTP1 -Use Role-based Authorization is missing

In JHeadstart 11g TP1 the option Use Role-based Authorization is missing.
Will this option only be available in de production release of JHeadstart 11g? What is the reason why this is missing? Is it still possible to use CUSTOM authorization in JHeadstart 11g TP1?

It is not missing.
If you turn on custom authorization, you can specify your own roles against groups to access them, and use role names in the insert allowed/update allowed and delete allowed expressions.
Steven Davelaar,
JHeadstart Team.

Role based dynamic menu bar

I have been researching and researching and I do not know if I am going about it the wrong way or what, but I cant seem to find anyway to do a role based userbar,
so lets say I have a user who's role is a 7 in the ldap, I want to have it so he has a certain set of menu's show that is completely different than a user whos role is 2 or 3 and so forth
Is there a way to issue a line that states what a can and cannot see?
I was going through and going to make seperate static bars for each user account but I thought I'd see if this was even possible before I got too far into a flash build that could be easily distributed by creating one document and setting a user role.
Any help on this would greatly be appreciated
-Eric

You can create menuitems loading XML from external files based on the role. Search for XML based dataproviders for menubar. I'll bet there's an example at Peter DeHaan's site.

Can't use role-based authorization

We can't use role-based authorization because the permissions
and their assignments change frequently. Is there any alternative
where we can still use WLS to handle security?

Dave,
If you're using WLS6 the console supports dynamic user updates so you could
change each users configuration as needed.
Alex
Dave <[email protected]> wrote in message
news:3a672c81$[email protected]..
>
We can't use role-based authorization because the permissions
and their assignments change frequently. Is there any alternative
where we can still use WLS to handle security?

XWS-Security, JAAS and role-based authorization

What is my best bet to try to authorize users to use certain web services? For example, let's say a user logs into a web application A, who connects to a web application B implementing Web Services and XWSS.
A passes along the userNameToken, and B authenticates it (let's say, using JAAS). Now it needs to authorize the user to use the actual web service. Can I do this with JAAS? What is the best way to define the policies? Does it mean I have to create PrivilegedActions for every webservice? What are my other alternatives besides JAAS?
Thanks in advance.

Alternatively, is there a way to see which web service the client is requesting from the SecurityEnvironmentHandler (callbackHandler)?

EAM ID based or Role based? Why settle for just one?

G'Day All,
I've raised a question in the following blog, however I would like to open it up to other people as well so they might get something out of it and in the process might share their own thoughts on the matter at hand.
ID-Based Firefighting vs. Role-Based Firefighting
So this is where I am at this point:
From what I can gather so far, my understanding of EAM ID/ROLE based is as follows:
- Id Based: Logs in using own U.ID and through GRAC_SPM accesess FFID from the GRC Server and logs into the system assigned to them (ECC, SRM, CRM etc)
Only one user at a time can use a FFID.
Firefighter need not exist in every system assigned to them due to central logon however they need to exist in the GRC system
Knows exactly when FFID is being used as he/she has to login so has a psychological effect (good thing)
Better tracking of FF tasks - Specific log reports with Reason Codes. Bonus point from Auditors!
Two Log ins so potential to commit fraud. (1 action using own UserID and 1 action using FFID)
Could be hard to track and find out when a fraud has been committed so can be a problem with auditors.
      ID Based -> GRAC_SPM : TCode for Centralised FFighting -> You will see FFIDs assigned to you
      ID Based -> /n/GRCPI/GRIA_EAM : TCode for DCentralised FFighting -> You can see the FFIDs assigned to you
- Role Based: Logs into the remote system only using U.ID, so everything gets logged against that one ID.
Multiple users can use the FFROLE at once.
Firefighter has to exist in every system assigned to them - so multiple logons.
Hard to differentiate between FF tasks and normal tasks as no login required So easy to slip up
Time consuming to track FF tasks - No Specific log reports. No Reason Codes
     R.Based -> GRAC_SPM : TCode for Centralised FFighting -> You will see FFROLEs
     R.Based -> /n/GRCPI/GRIA_EAM : TCode for DCentralised FFighting -> Not applicable so wont work
So based on this there are pros and cons in both however according to SAP only one can be used. To me personally, it makes more sense to get the best of both the worlds right? So here is my question why can’t we just use both?
    . Really critical tasks -> FFID
    . Normal EAM tasks -> FFRole
Alessandaro from the original post pointed this out:
"Per design it isn't possible to achieve both types of firefighting at the same time. It's a system limitation and hence to configurable."
Well this is what I can't seem to get my head around. For a FFID, there is a logon session so it has to be enabled and as far as I can tell there is no way around it.
However for FFRole, there isn't such limitations/restrictions like starting a separate session. FFRole is just assigned to an end user for him/her to perform those tasks using their own user ID.
So in what way is it different from any of their other tasks/roles, other than the fact that they've got an Owner/Controller assigned to the FFRole? and
What is stopping us from using it when ID based is the default?
If I were to do the following does it mean I can use both ?
    . Config Parameter: 4000 = 1 (GRC System) -> ID Based
    . Config Parameter: 4000 = 2 (Plug-In) - > Role Based
Please excuse me if my logic is a bit silly, Role Based firefighting is only done on Plug-in systems so the following should work just fine:
   . Config Parameter: 4000 = 2 (Plug-In) - > Role Based
However for ID based, it is a Central Logon, so the following is a must:
    . Config Parameter: 4000 = 1 (GRC System) -> ID Based
Which means both ID/Role based can be used at the same time, which seems to be working just fine on my system. Either way I leave it you experts and I hope you will shed some light on it.
Cheers
Leo..

Gretchen,
Thank you for thoughts on this.
Looks like I'm failing to articulate my thoughts properly as the conversation seems to be going in a different direction from what I am after. I'll try once more!
My query/issue is not in regards to if/what SAP needs to do about this or why there isn't more support from Companies/Organizations and not even, which one is a better option.
My query is what is stopping us(as in the end users ) from using both ID/Role based at the same time?
Now before people start referencing SAP documentation and about parameter 4000, humour me with the following scenario please. Again I would like to reiterate that I am still in the learning phase so my logic might be all wrong/misguided, so please do point out to me where I am going wrong in my thought process as I sincerely would like to know why I am the odd one out in regards to this.
Scenario
I've created the following:
FFID
FFROLE
Assigned them to, two end users
John Doe
Jane Doe
I set the Configuration Parameters as follows:
IMG-> GRC-> AC-> Maintain Configuration Settings -> 4000:1 - ID Based
IMG-> GRC (Plug-in)-> AC-> Maintain Plug-In Configuration Settings-> 4000:2 - Role Based
User1
John Doe logs into his regular backend system (ECCPROD001)-> executes GRAC_SPM-> Enters the GRC system (GRCPROD001)-> Because the parameter is set to ID based in the GRC Box, so he will be able to see the FFID assigned to him-> and will be presented with the logon screen-> Logs in -> Enters the assigned system (lets say CRMPROD001) At this point the firefighting session is under progress
User2
Jane Doe logs into her regular backend system (ECCPROD001) -> (can execute GRAC_SPM to check which FF Role has been assigned to her but she can see that in her regular menu, so there is no point) -> Executes the transactions assigned in FFROLEThis is done at the same time while FFID session is in progress
So all I want to know is if this scenario is possible? if the answer is No, then why not?
I physically carried out this scenario in my system and I had no problems(unless I am really missing the plot here), which brings me back to my original question: Why settle for just one?
Again to reiterate I am not getting into the efficacy or merits of this or even if one should use this. Just want to know if it is possible/feasible or not.
So there you have it. That's the whole enchilada(as they say there in Texas). I tried to word my thoughts as concisely as I can, if there are still any clarifications, more information you or anyone else reading this would like, please do let me know.
Regards,
Leo..

Role Based Access problem in forms

This would be a long reading.
I'm having a problem with forms Role Based Access.
We have two databases, one in London and one in Zurich. We have installed
application server and oracle forms on London database. We have implemented
Role Based Access to forms. For this we have created a database role (say ZUR_USER)
in both databases. The view FRM50_ENABLED_ROLES which is used by forms role based access control
is also created in both databases with a 'grant select to public'.
Our form system has a menu and forms under that menu. Both menu and the underlying forms have been
assigned Menu Security/Item Roles to the above mentioned ZUR_USER role and the role is assigned
to various users.
Now a Zurich user is trying to login to Zurich database using the URL for forms installation
in London server. He can login successfully and can see the menu heading in the main screen but
when he clicks the menu he doesn't see the underlying forms list.
When we try the same user id and database from London (using the same URL) we see all the forms.
Any idea what are we missing. The Menu Security is setup at menu level as well as the form level under
that menu. User can see the menu but not the form under that menu from Zurich. No such problem while
login from London.

I'm using the Forms 10g
and yes the only difference is between login from Zurich and London.
Problem definitely is due to Role Based Access setup.
The user in Zurich can see the Menu but not the items under that menu.
I have set the security set up at both menu and menu item(i.e. form name) level.

ADF UIX Role Based Access Control Implementation

Hi,
Can anybody suggest a detailed example or tutorials of how to implement a role based access control for my ADF UIX application.
The application users can be dymanically added to specific roles (admin, Secretary, Guest). Based on the roles, they should be allowed to access only certain links or ADF entity/view operations. Can this be implemented in a centralized way.
Can this be done using JAZN or JAAS. If so, Please provide me references to simple tutorial on how to do this.
Thanks a lot.
Sathya

Brenden,
I think you are following a valid approach. The default security in J2EE and JAAS (JAZN) is to configure roles and users in either static files (jazn-data.xml) or the Oracle Internet Directory and then use either jazn admin APIs or the OID APIs to programmatically access users, groups and Permissions (your role_functions are Permissions in a JAAS context).
If you modelled your security infrastructure in OID than the database, an administrator would be able to use the Delegated Administration Service (DAS), as web based console in Oracle Application Server. To configure security this way, you would have two options:
1. Use J2EE declarative security and configure all you .do access points in web.xml and constrain it by a role name (which is a user group name in OID). The benefit of this approach is that you can get Struts actions working dirctly with it because Struts actions have a roles attribute.
The disadvantage is that you can't dynamically create new roles because they have to be mapped in web.xml
2. Use JAAS and check Permissions on individual URLs. This allows you to perform finer grained and flexible access control, but also requires changes to Struts. Unlike the approach of subclassing the DataActionForward class, I would subclass the Struts RequestProcessor and change the processRoles method to evaluate JAAS permissions.
The disadvantage of this approach is that it requires coding that should be done carefully not to lock you in to your own implementation of Struts so that you couldn't easily upgrade to newer versions.
1 - 2 have the benefit of that the policies can be used by all applications in an enterprise that use Oracle Application Server and e.g. SSO.
Your approach - as said - is valid and I think many customers will look for the database first when looking at implementing security (so would I).
Two links that you might be interested in to read are:
http://sourceforge.net/projects/jguard/ --> an open source JAAS based security framework that stores the user, roles and permissions in database tables similar to your approach
http://www.oracle.com/technology/products/jdev/collateral/papers/10g/adfstrutsj2eesec.pdf --> a whitepaper I've written about J2EE security for Web applications written with Struts and JavaServer pages. You may not be able to use all of it, but its a good source of information.
Frank

Role based oracle adf security and filtering data

while oracle adf security looks great its only role based... does anyone know of any resources describing an architecture where this is used in addition to filtering of data based on say, organization?
it seems that oracle adf security is not really geared towards a self service app where administrative users have a security interface as part of the application where they can assign roles and associate users to entities for the further filtering of data...

Hi,
it seems that oracle adf security is not really geared towards a self service app where administrative users have a security interface as part of the application where they can assign roles and associate users to entities for the further filtering of data...
ADF Security is a JAAS based security implementation to protect resources (like entities). It is nota security provider like OPSS or OID which you can use for user provisioning and self service (if you code against the IDM APIs). ADF Security only checks for whether a user is authenticated and if the user has the permission to perform a task.
However, you can use groovy to access the security context from Groovy, which allows you to add the authenticated username to a query - for example to filter recrds out that match the username in one of its attributes.
For example, you could create a ViewCriteria that for example filters the query by a specific attribute. Say that managers can see data starting from department 10 whereas employees can see data starting from department 100. The ViewCriteria would reference a bind variable with the following default setting
adf.context.securityContext.isUserInRole('manager')? 10 : 100
Frank

Role based menu using JAAS

Similar Messages

Maybe you are looking for