SALT authentication and a custom Tuxedo auth server
Hi,
After solving an issue with HTTP Basic Authentication, I've run into a
problem with our particular Tuxedo environment.
We have our own custom AUTHSVC that expects, in addition to the user name
and password, application-specific data in the TPINIT.data field.
Is there anyway to set the data passed in the TPINIT.data field by GWWS when
authenticating a client?
Does GWWS put anything in this field?
cheers
Dave Meibusch
S/W Architect
Intec
Dave,
Thanks for the feedback. Now we are considering enhance 2# in Salt release
so that password and other credentials can be passed to your customized
AUTHSVR server.
Best,
Wayne
"Dave Meibusch" <[email protected]> wrote in message
news:[email protected]..
Wayne,
1. The username, password and other credential information is binaryencoded
together in TPINIT.data.
2. Yes, this is possible.
And I tried it and found that the GWWS truncates the HTTP auth password at
the first 0x00 character, rather than passing through the entire Base64
encoded data. Unfortunately, our credentials can have embedded 0x00
characters.
cheers
Dave Meibusch
"Wayne Chen" <[email protected]> wrote in message
news:[email protected]..
Dave,
I guess there is a workaround for your cases. But first I would want to
confirm several points with you,
1. How you combine your user password and other data to TPINIT.data ?
2. Is it possible your SOAP client pass the "TPINIT.data" as the HTTP
authentication password?
If 2# is doable, GWWS can pass your "password+data" to your
authentication
server.
Thanks for the feedback.
Wayne, Bea
"Dave Meibusch" <[email protected]> wrote in message
news:[email protected]..
Hi,
After solving an issue with HTTP Basic Authentication, I've run into a
problem with our particular Tuxedo environment.
We have our own custom AUTHSVC that expects, in addition to the user
name
and password, application-specific data in the TPINIT.data field.
Is there anyway to set the data passed in the TPINIT.data field by GWWSwhen
authenticating a client?
Does GWWS put anything in this field?
cheers
Dave Meibusch
S/W Architect
Intec
Similar Messages
-
How to get ADF authentication and authorization working on server
I am having an issue with deployment & ADF authentication and authorization.
From the below testing results, you can see that I am unable to log in when I have deployed my app to my standalone server with both ADF security authentication and authorization turned on. I have included web.xml, jazn-data.xml and the page/server error I am receiving.
When making an attempt to log in I get the following results:
Running Locally with ADF Authentication: Works Fine
Running Locally with ADF Authentication & Authorization: Works Fine
Deployed to server with ADF Authentication: Works Fine
Deployed to server with ADF Authentication & Authorization: Doesn’t Work
What I have already tried: Removed all anonymous grants, using the same database credentials as the app user, deploying app twice (on the redeploy not including the login credentials & app policies at the application properties). Various modifications to web.xml e.g. welcomefilelist etc
JDeveloper Version: 11.1.2.4
Server Web Logic: 10.3.6
Server ADF: 11.1.1.16
Page Error when trying to log in:
Error 401--Unauthorized
From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
10.4.2 401 Unauthorized
The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.46) containing a challenge applicable to the requested resource. The client MAY repeat the request with a suitable Authorization header field (section 14.8). If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials. If the 401 response contains the same challenge as the prior response, and the user agent has already attempted authentication at least once, then the user SHOULD be presented the entity that was given in the response, since that entity MAY include relevant diagnostic information. HTTP access authentication is explained in section 11.
Server error when trying to log in:
Servlet failed with Exception oracle.adf.controller.security.AuthorizationException: ADFC-0619: Authorization check failed: 'wpd.mobility.view.pageDefs.homePagePageDef' 'VIEW'.
at oracle.adf.controller.internal.security.AuthorizationEnforcer.handleFailure(AuthorizationEnforcer.java:182)
at oracle.adf.controller.internal.security.AuthorizationEnforcer.internalCheckPermission(AuthorizationEnforcer.java:162)
at oracle.adf.controller.internal.security.AuthorizationEnforcer.checkPermission(AuthorizationEnforcer.java:116)
at oracle.adfinternal.controller.state.ControllerState.checkPermission(ControllerState.java:663)
at oracle.adfinternal.controller.state.ControllerState.initializeUrl(ControllerState.java:700)
at oracle.adfinternal.controller.state.ControllerState.synchronizeStatePart2(ControllerState.java:531)
at oracle.adfinternal.controller.application.SyncNavigationStateListener.afterPhase(SyncNavigationStateListener.java:59)
at oracle.adfinternal.controller.lifecycle.ADFLifecycleImpl$PagePhaseListenerWrapper.afterPhase(ADFLifecycleImpl.java:530)
at oracle.adfinternal.controller.lifecycle.LifecycleImpl.internalDispatchAfterEvent(LifecycleImpl.java:120)
at oracle.adfinternal.controller.lifecycle.LifecycleImpl.dispatchAfterPagePhaseEvent(LifecycleImpl.java:168)
at oracle.adfinternal.controller.faces.lifecycle.ADFPhaseListener$PhaseInvokerImpl.dispatchAfterPagePhaseEvent(ADFPhaseListener.java:131)
at oracle.adfinternal.controller.faces.lifecycle.ADFPhaseListener.afterPhase(ADFPhaseListener.java:74)
at oracle.adfinternal.controller.faces.lifecycle.ADFLifecyclePhaseListener.afterPhase(ADFLifecyclePhaseListener.java:53)
at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl._executePhase(LifecycleImpl.java:447)
at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:202)
at javax.faces.webapp.FacesServlet.service(FacesServlet.java:508)
at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:301)
at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at oracle.adf.model.servlet.ADFBindingFilter.doFilter(ADFBindingFilter.java:205)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at oracle.adfinternal.view.faces.webapp.rich.RegistrationFilter.doFilter(RegistrationFilter.java:125)
at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl$FilterListChain.doFilter(TrinidadFilterImpl.java:468)
at oracle.adfinternal.view.faces.activedata.AdsFilter.doFilter(AdsFilter.java:60)
at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl$FilterListChain.doFilter(TrinidadFilterImpl.java:468)
at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl._doFilterImpl(TrinidadFilterImpl.java:293)
at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl.doFilter(TrinidadFilterImpl.java:199)
at org.apache.myfaces.trinidad.webapp.TrinidadFilter.doFilter(TrinidadFilter.java:92)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at oracle.security.jps.ee.http.JpsAbsFilter$1.run(JpsAbsFilter.java:119)
at java.security.AccessController.doPrivileged(Native Method)
at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:315)
at oracle.security.jps.ee.util.JpsPlatformUtil.runJaasMode(JpsPlatformUtil.java:442)
at oracle.security.jps.ee.http.JpsAbsFilter.runJaasMode(JpsAbsFilter.java:103)
at oracle.security.jps.ee.http.JpsAbsFilter.doFilter(JpsAbsFilter.java:171)
at oracle.security.jps.ee.http.JpsFilter.doFilter(JpsFilter.java:71)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at weblogic.servlet.internal.RequestEventsFilter.doFilter(RequestEventsFilter.java:27)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3730)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3696)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2273)
at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2179)
at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1490)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
Web.xml
<?xml version = '1.0' encoding = 'windows-1252'?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
version="2.5">
<context-param>
<param-name>javax.faces.STATE_SAVING_METHOD</param-name>
<param-value>client</param-value>
</context-param>
<context-param>
<param-name>javax.faces.PARTIAL_STATE_SAVING</param-name>
<param-value>false</param-value>
</context-param>
<context-param>
<description>If this parameter is true, there will be an automatic check of the modification date of your JSPs, and saved state will be discarded when JSP's change. It will also automatically check if your skinning css files have changed without you having to restart the server. This makes development easier, but adds overhead. For this reason this parameter should be set to false when your application is deployed.</description>
<param-name>org.apache.myfaces.trinidad.CHECK_FILE_MODIFICATION</param-name>
<param-value>false</param-value>
</context-param>
<context-param>
<description>Whether the 'Generated by...' comment at the bottom of ADF Faces HTML pages should contain version number information.</description>
<param-name>oracle.adf.view.rich.versionString.HIDDEN</param-name>
<param-value>false</param-value>
</context-param>
<context-param>
<description>Security precaution to prevent clickjacking: bust frames if the ancestor window domain(protocol, host, and port) and the frame domain are different. Another options for this parameter are always and never.</description>
<param-name>org.apache.myfaces.trinidad.security.FRAME_BUSTING</param-name>
<param-value>differentOrigin</param-value>
</context-param>
<context-param>
<param-name>javax.faces.FACELETS_SKIP_XML_INSTRUCTIONS</param-name>
<param-value>true</param-value>
</context-param>
<context-param>
<param-name>javax.faces.FACELETS_SKIP_COMMENTS</param-name>
<param-value>true</param-value>
</context-param>
<context-param>
<param-name>javax.faces.FACELETS_DECORATORS</param-name>
<param-value>oracle.adfinternal.view.faces.facelets.rich.AdfTagDecorator</param-value>
</context-param>
<context-param>
<param-name>javax.faces.FACELETS_RESOURCE_RESOLVER</param-name>
<param-value>oracle.adfinternal.view.faces.facelets.rich.AdfFaceletsResourceResolver</param-value>
</context-param>
<filter>
<filter-name>JpsFilter</filter-name>
<filter-class>oracle.security.jps.ee.http.JpsFilter</filter-class>
</filter>
<filter>
<filter-name>trinidad</filter-name>
<filter-class>org.apache.myfaces.trinidad.webapp.TrinidadFilter</filter-class>
</filter>
<filter>
<filter-name>adfBindings</filter-name>
<filter-class>oracle.adf.model.servlet.ADFBindingFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>JpsFilter</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>FORWARD</dispatcher>
<dispatcher>REQUEST</dispatcher>
<dispatcher>INCLUDE</dispatcher>
</filter-mapping>
<filter-mapping>
<filter-name>trinidad</filter-name>
<servlet-name>Faces Servlet</servlet-name>
<dispatcher>FORWARD</dispatcher>
<dispatcher>REQUEST</dispatcher>
<dispatcher>ERROR</dispatcher>
</filter-mapping>
<filter-mapping>
<filter-name>adfBindings</filter-name>
<servlet-name>Faces Servlet</servlet-name>
<dispatcher>FORWARD</dispatcher>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>
<filter-mapping>
<filter-name>adfBindings</filter-name>
<servlet-name>adfAuthentication</servlet-name>
<dispatcher>FORWARD</dispatcher>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>
<listener>
<listener-class>oracle.adf.mbean.share.connection.ADFConnectionLifeCycleCallBack</listener-class>
</listener>
<listener>
<listener-class>oracle.adf.mbean.share.config.ADFConfigLifeCycleCallBack</listener-class>
</listener>
<listener>
<listener-class>oracle.bc4j.mbean.BC4JConfigLifeCycleCallBack</listener-class>
</listener>
<servlet>
<servlet-name>Faces Servlet</servlet-name>
<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet>
<servlet-name>resources</servlet-name>
<servlet-class>org.apache.myfaces.trinidad.webapp.ResourceServlet</servlet-class>
</servlet>
<servlet>
<servlet-name>BIGRAPHSERVLET</servlet-name>
<servlet-class>oracle.adf.view.faces.bi.webapp.GraphServlet</servlet-class>
</servlet>
<servlet>
<servlet-name>BIGAUGESERVLET</servlet-name>
<servlet-class>oracle.adf.view.faces.bi.webapp.GaugeServlet</servlet-class>
</servlet>
<servlet>
<servlet-name>MapProxyServlet</servlet-name>
<servlet-class>oracle.adf.view.faces.bi.webapp.MapProxyServlet</servlet-class>
</servlet>
<servlet>
<servlet-name>adfAuthentication</servlet-name>
<servlet-class>oracle.adf.share.security.authentication.AuthenticationServlet</servlet-class>
<init-param>
<param-name>success_url</param-name>
<param-value>/faces/Pages/homePage.jspx</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>/faces/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>resources</servlet-name>
<url-pattern>/adf/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>resources</servlet-name>
<url-pattern>/afr/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>BIGRAPHSERVLET</servlet-name>
<url-pattern>/servlet/GraphServlet/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>BIGAUGESERVLET</servlet-name>
<url-pattern>/servlet/GaugeServlet/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>MapProxyServlet</servlet-name>
<url-pattern>/mapproxy/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>resources</servlet-name>
<url-pattern>/bi/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>adfAuthentication</servlet-name>
<url-pattern>/adfAuthentication</url-pattern>
</servlet-mapping>
<mime-mapping>
<extension>swf</extension>
<mime-type>application/x-shockwave-flash</mime-type>
</mime-mapping>
<mime-mapping>
<extension>amf</extension>
<mime-type>application/x-amf</mime-type>
</mime-mapping>
<security-constraint>
<web-resource-collection>
<web-resource-name>test</web-resource-name>
<url-pattern>/faces/pages/*.</url-pattern>
<url-pattern>/faces/*.</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>valid-users</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>adfAuthentication</web-resource-name>
<url-pattern>/adfAuthentication</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>valid-users</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/login.html</form-login-page>
<form-error-page>/error.html</form-error-page>
</form-login-config>
</login-config>
<security-role>
<role-name>valid-users</role-name>
</security-role>
</web-app>
Jazn-data.xml
<?xml version = '1.0' encoding = 'UTF-8' standalone = 'yes'?>
<jazn-data xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="http://xmlns.oracle.com/oracleas/schema/jazn-data.xsd">
<jazn-realm default="jazn.com">
<realm>
<name>jazn.com</name>
<users>
<user>
<name>*****</name>
<display-name>*******</display-name>
<description>******</description>
<credentials>********<credentials>
</user>
</users>
<roles>
<role>
<name>support</name>
<display-name>support</display-name>
<members>
<member>
<type>user</type>
<name>mobile</name>
</member>
</members>
</role>
</roles>
</realm>
</jazn-realm>
<policy-store>
<applications>
<application>
<name> myapp </name>
<app-roles>
<app-role>
<name>mob_mobile_support</name>
<class>oracle.security.jps.service.policystore.ApplicationRole</class>
<display-name>mob_mobile_support</display-name>
<description>support role</description>
<members>
<member>
<name>mobile</name>
<class>oracle.security.jps.internal.core.principals.JpsXmlUserImpl</class>
</member>
</members>
</app-role>
</app-roles>
<jazn-policy>
<grant>
<grantee>
<principals>
<principal>
<name>SUPPORT</name>
<class>oracle.security.jps.internal.core.principals.JpsXmlEnterpriseRoleImpl</class>
</principal>
</principals>
</grantee>
<permissions>
<permission>
<class>oracle.adf.share.security.authorization.RegionPermission</class>
<name> myapp.view.pageDefs.*</name>
<actions>view</actions>
</permission>
</permissions>
</grant>
<grant>
<grantee>
<principals>
<principal>
<name>mob_mobile_support</name>
<class>oracle.security.jps.service.policystore.ApplicationRole</class>
</principal>
</principals>
</grantee>
<permissions>
<permission>
<class>oracle.adf.share.security.authorization.RegionPermission</class>
<name> myapp.view.pageDefs.addapplicationPageDef</name>
<actions>view</actions>
</permission>
<permission>
<class>oracle.adf.share.security.authorization.RegionPermission</class>
<name>Pages.addappmsgtypPageDef</name>
<actions>view</actions>
</permission>
<permission>
<class>oracle.adf.share.security.authorization.RegionPermission</class>
<name>Pages.addoperationPageDef</name>
<actions>view</actions>
</permission>
<permission>
<class>oracle.adf.share.security.authorization.RegionPermission</class>
<name> myapp.view.pageDefs.homePagePageDef</name>
<actions>view</actions>
</permission>
<permission>
<class>oracle.adf.share.security.authorization.RegionPermission</class>
<name> myapp.view.pageDefs.loggingSearchPageDef</name>
<actions>view</actions>
</permission>
<permission>
<class>oracle.adf.share.security.authorization.RegionPermission</class>
<name>myapp.view.pageDefs.workHistoryPageDef</name>
<actions>view</actions>
</permission>
</permissions>
</grant>
</jazn-policy>
</application>
</applications>
</policy-store>
</jazn-data>Read Frank's article http://www.oracle.com/technetwork/issue-archive/2012/12-jan/o12adf-1364748.html
Then you have to check if the user use use to login are defined in the stand alone server. If you server is running in production mode there is no automatic user or role migration. You have to to this by yourself.
Once you have check that the users are present, you have to check if the enterprise roles are mapped to the corresponding application roles.
Timo -
Authentication and authorization for a custom connector
I have the following problem: I have a software which tries to connect with the server through its own custom RMI connector.
So I have the RMI Connector deployed via Mlet-Service. I have written a small TestClient and can get a RemoteMBeanServer with RemoteMBeanServer rs = getRemoteMBeanServer(), but if I try to call something like rs.getMBeanCount() I get :
com.sap.engine.services.jmx.exception.JmxSecurityException: Caller Guest not authorized, only role administrators is allowed to access JMX
So the WebAS considers someone who tries to connect with this connector as guest. How do can I get authentication and autorization to access the JMX parts? The manual seems only to cover JSP and webapplications, where it is possible to configure a role for them. I only have this connector.jar, configuration and mlet-file.
I still have the option to use JAAS authentication with this connector, then I have to configure it differently and, the more difficult, to implemend
a method "public Subject authenticate(Object credentials)" where credentials are two Strings with user and passwd. But I am not quite sure how to fill the Subject with useful information.
Thanks in advance
NilsJmx is secured resource and only administrator role user
can access it.
If your code is running in a servlet you can define
the servlet to run as administrator
1. Add in the web.xml
<security-role>
<role-name>AnyName</role-name>
</security-role>
2. Add in the web-j2ee-engine.xml
security-role-map>
<role-name>AnyName</role-name>
<server-role-name>administrators</server-role-name>
</security-role-map>
If you are runnig from a remote client you just have to
Properties connectionProperties = new Properties();
connectionProperties.setProperty(
Context.INITIAL_CONTEXT_FACTORY,
"com.sap.engine.services.jndi.InitialContextFactoryImpl");
connectionProperties.setProperty
(Context.PROVIDER_URL, "<host:p4port>");
connectionProperties.setProperty
(Context.SECURITY_PRINCIPAL, "<ADMIN USER>");
connectionProperties.setProperty
(Context.SECURITY_CREDENTIALS, "<PASSWORD>");
MBeanServerConnection mbsc =
JmxConnectionFactory.getMBeanServerConnection(
JmxConnectionFactory.PROTOCOL_ENGINE_P4,
connectionProperties); -
SSO using WebLogic app server and AD as the auth source
Hi All,
I am trying to setup SSO on 10gR3 using MS Active Directory as the auth source and WebLogic as the app server.
Do I have to create a custom SSO or can this setup be configured using the basic SSO and config changes?
Any help or guidance will be appreciated.
Cheers
BobThere are many ways. The generic answer is federation via SAML, look at the docs for Oracle Identity Federation.
-
Task custom field and formula custom field don't correspond Project Server 2013
Hi people, I have an interesting case in Project Server 2013 SP1 CU Apr:
I have a custom task number field called AM. This field get's filled by a PSI action with actual material costs from an external system.
I also have a custom task cost formula field that is called AM*. This field is a formula field that has the formula [AM]. And summary tasks use the formula field as well.
As soon as I create a project, assign costs in the external system and let PSI fill the values within AM I get correct values in AM. But nothing is calculated on AM*. If I edit the project in the browser and publish, check in and revisit the project
AM* still isn't filled.
If I open the project in MS Project Pro the calculation comes through nicely, however I do not want to use MS project Pro to see correct data in browser.
Some tests I have already done:
I have noticed that when I create a new calculated task field AM2*, this get's calculated correctly on the already existing task.
I have also noticed that opening the custom field in server settings and just saving the field creates correct values on AM*.
What is going on? I don't want to save the custom formula field every day... There are 11 custom formula fields in the environment at the moment.Hi Gary,
Thank you for the quick response. Please note that the fieldnames are [AM] and [AM*]. There is a difference in field name due to the astrix. However I did think about the situation and changing one of the field names all together didn't do anything for the
situation at hand.
It looks like some kind of refresh thing, because without changing anything in the custom field just saving the field in server settings will turn op good values. However, values already turned up good in Project Professional 2013. And that suggest
that there is a calculation error on the PWA side wouldn't you say?
Anyway, thank you for taking time to look into this matter.
Erik -
Authentication and authorization capability in weblogic application server
Hi,
Need input from architecture point of view -
Requirement is typical - have to build a web center portal application with authentication and authorization capability.
I can think of three architecture options:
1. weblogic server (where webcenter portal application will be deployed) with oracle IDM (or any other full blown IDM suite)...
2. weblogic server with Active Directory (or any other LDAP directory), and a LDAP authenticator is configured in weblogic...
3. only weblogic server (users created in weblogic admin console)...
Obviously 1st one is costliest option (product cost, infrastructure cost, maintenance cost) and most flexible. However I am discarding it purely because of cost.
Confused between 2nd and 3rd.
2nd option - separate user store, user can be added/deleted without touching application server, cost wise - 1 extra server and 1 LDAP directory product (or open source LDAP server)...
3rd option - application server becomes very 'heavy' with all users information, you need to access server to add/delete users, probably cheapest option money wise... However it might affect application performance if users grow large...
Please let me know if I should consider more parameters/points before deciding. Is there any important thing I am missing? Your input appreciated.
Thanks.Hi,
You are right your first requirement make more costly and complex environment.
I would recommend to go with Second option instead of the third one.
In cause in future if you want to use different server also you will have option to use external AD.
Well now you will think why I recommend you second option instead of the third option.
external LDAP is more secure than internal one.
If you have any further query let me know.
Regards,
Kal -
How to implement Custom Authentication and Authorization in Oracle SOA 11g
Can anyone please tell me, how to implement Custom Authentication in Oracle SOA 11g ?
Because in Oracle SOA 10.1.3.4 , i have implemented this custom authentication and authorization by implementing BPMAuthenticationService, BPMAuthorizationService, BPMIdentityService to verify againt my database systems.
implementation classes like the mentioned below
1).
public class SampleAuthenticationService extends SampleServiceBase implements BPMAuthenticationService {
2).
public class SampleAuthorizationService extends SampleServiceBase implements BPMAuthorizationService {
3).
public class SampleIdentityService extends SampleServiceBase implements BPMIdentityService {
Please help me to implement the authentication and authorization in Oracle SOA 11g .
thanks in advanceTo start with please go through following document
http://docs.oracle.com/cd/E21764_01/integration.1111/e10231/adptr_jms.htm
http://docs.oracle.com/cd/E23943_01/integration.1111/e10231/adptr_file.htm
Regards
Arpit -
Custom Authentication and Single Sign On
Hello,
I was wondering if it is possible to have an application that has custom authentication based on tables be used as a MAIN application and have links to other HTMLdb applications within it. Then when they logged into the main application, they would not have to log in again within the 2nd or 3rd application?
regards,
JeffWell I finally got the main application to work with links to (2) other HTML db applications -- all 3 apps use the same custom authentication and within each apps authentication scheme the cookie name is the same.
From the main application, my navigational list link URL's look like this:
f?p=106:1:&SESSION. for one application
f?p=121:1:&SESSION. for the second application
Within each sub-application and in the authentication scheme I am using
wwv_flow_custom_auth_std.logout?p_this_flow=&APP_ID.&p_next_flow_page_sess=200:1
as the logout URL.
The main app ID is hardcoded in the logout URL and when the user logs out of the application is taken to the main login of the main application.
So the application is working fine -- only thing left is to change the invalid session URL in the applications and work on the frames design.
Thanks for all of your help!
Jeff -
N6131: 24 hrs stand-by time and bad customer servi...
I have been the Nokia fan since I bought my first Nokia cell phone 8210 in 2000, our family has used N8210, N8250 and N2100. We believed Nokia is a world leader in mobile communications before I faced problem of the N6131. The N6131 made my very disappointed for the cell phone and the customer services! Let’s me tell the whole story. Hope you would give me some good advices.
I bought the N6131 in Beijing on Oct. 1, 2006. The stand-by time of the cell phone was about 3 days when I bought it.
In May and June, 2007 I found the stand-by time of my N6131 decrease sharply from 2 days to 1.5 days while nearly no phone call and only several message. I began to contact Nokia customer service by phone and internet.
On June 27, 2007, I brought my cell phone to a Nokia customer service in Beijing. The staff examined the cellphone and said there was no problem and updated the software. They did not examine the battery as it over the warrant period, but they told me the short stand-by time is caused by the battery and suggest me buy a new one. They also said the Nokia battery can only use for merely one year!
The stand-by time of my cell phone was not better after that, so I bought a new Nokia BL-4C battery on July 28, 2007. With the new battery, the stand-by time was still no good, only 24 hours with nearly no phone call and only several message. Occasionally I found absurd enough the real stand-by time was too short! I turned off the cell phone after the battery had been fully charged, there is nearly no power when I turned on the phone 24 hours later!!!
On August 11, 2007, I brought my cell phone to the Nokia customer service in Beijing again for examination. The staff there said the cell phone should be sent to the manufacture factory to examine. I asked them whether they can be sure that the problem was cause by the phone or the battery, they said they could not. So the newly bought battery was also sent back to the manufacture factory for examination.
On August 24, 2007, I fetched back my N6131 and battery. The code of the problem is 290, the mainboard trouble. The battery was changed to a new one.
But!!! The stand-by time of the cell phone was still only 24 hours no matter with the new battery or the old one.
On September 1, 2007, I went to the Nokia customer service in Beijing the fourth times, they said the cell phone should be sent to the manufacture factory to examine again.
I could not use my cell phone in its normal condition since May this year, I bought an extra battery due to the Nokia customer service’s suggestion, I took taxi to the Nokia customer service 4 times for the examination , and I waste my many time to contact the Nokia customer service. Much less the influence to work and daily life caused by the problem. What the compensation the Nokia offers is only make the warrant period longer for the periods that cell phone return to the factory!!! Is it fair to we customer?!
I would like to present some words I have heard from the staff of Nokia Customer Service in Beijing, China when I contacted them several time:
“If Nokia lose you one customer, Nokia would not lose the whole market!”
“What loss do you have? The address book lost caused by the examining and repairing is your own responsibility. How can you say it delays your cell phone use while examining and repairing freely for you?”
“We asked you to buy an extra battery which can help you have one more battery to use. Coming our Nokia Customer Service several more times helps you have more chance to excise for health.”
“You could not buy anything if you would not choose Nokia cell phone next time.”
“What we can do is only like this, if you are not satisfy, you may contact 315, the Chinese Customer Right Protection Association for solution.”
ps. hope this post meet the requirment of the Disscussion board and will not be removed. Thank you.12-Sep-200709:40 PM
lchhy wrote:
The quality of the Nokia cellphone is decreasing.....
Its just the phones are constantly evolving while the batteries aren't.Better screen, better processor, better sounds and extensive multimedia tasks.....batteries are left behind...it wasn't changed at all -
Hi
I am trying to upload a customized web-auth bundle to a WLC 5508 and having some issues.
I have downloaded the web-auth bundle from Cisco and used this as a template to create the web pages.
I seem to recall that there is only a couple of Windows tools that you can use to TAR the file such as TUGZIP and IZARC. Anyway I have tried both and I still cannot get the file to extract. I have tried to strip the file out so that I only send up the login.html page and even this does not work.
I am using a software release 7.0.220.0
The error message I receive when I do a TFTP is
Error extracting webauth files.
Any help would be appreciated
Thanks
GregHi Greg:
I hope you find the answer here:
You can compress the page and image files used for displaying a web authentication login page into a.tar file for download to a controller. These files are known as the webauth bundle. The maximum allowed size of the files in their uncompressed state is 1 MB. When the .tar file is downloaded from a local TFTP server, it enters the controller's file system as an untarred file.
Note If you load a webauth bundle with a .tar compression application that is not GNU compliant, the controller cannot extract the files in the bundle and the following error messages appear: "Extracting error" and "TFTP transfer failed." Therefore, we recommend that you use an application that complies with GNU standards, such as PicoZip, to compress the .tar file for the webauth bundle.
Reference: http://tiny.cc/rbqbfw
So double check the size and tarring utility.
Try to use WinRar or 7Zip if the tarring format is the issue.
HTH
Amjad -
An issue with authentication and authorization on ISE 1.2
Hi, I'm new to ISE.
I have an issue with authentication and authorization.
I have ISE 1.2 plus patch 6 installed on VMware.
I have built-in Windows XP supplicant and 2960 cisco switch with IOS c2960-lanbasek9-mz.150-2.SE5.bin
On supplicant I use EAP(PEAP) with EAP-MSCHAP v2.
I created authentication and authorization rules with Active Directory as External Identity Source. Also I applied authorization profile with DACL.I login on Windows XP machine under different Active Directory accounts. Everything works fine (authentication, authorization ), but only for several hours. After several hours passed , authentication and authorization stop working . I can see that ISE trying authenticate and authorize users, but ISE always use only one account for authentication and authorization . Even if I login under different accounts ISE continue to use only one last account.
I traied to reboot switch and PC,but it didn’t help. Only rebooting of ISE helps. After ISE rebooting, authentication and authorization start to work properly for several hours.
I don’t understand is it a glitch or I misconfigured ISE or switch, supplicant?
What should I do to resolve this issue?
Switch configuration:
testISE#sh runn
Building configuration...
Current configuration : 7103 bytes
! Last configuration change at 12:20:15Tue Apr 15 2014
! NVRAM config last updated at 10:35:02 Tue Apr 15 2014
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname testISE
boot-start-marker
boot-end-marker
no logging console
logging monitor informational
enable secret 5 ************
enable password ********
username radius-test password 0 ********
username admin privilege 15 secret 5 ******************
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting update periodic 5
aaa accounting dot1x default start-stop group radius
aaa server radius dynamic-author
client 172.16.0.90 server-key ********
aaa session-id common
clock timezone 4 0
system mtu routing 1500
authentication mac-move permit
ip dhcp snooping vlan 1,22
ip dhcp snooping
ip domain-name elauloks
ip device tracking probe use-svi
ip device tracking
epm logging
crypto pki trustpoint TP-self-signed-1888913408
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1888913408
revocation-check none
rsakeypair TP-self-signed-1888913408
crypto pki certificate chain TP-self-signed-1888913408
dot1x system-auth-control
spanning-tree mode pvst
spanning-tree extend system-id
vlan internal allocation policy ascending
ip ssh version 2
interface FastEthernet0/5
switchport mode access
ip access-group ACL-ALLOW in
authentication event fail action next-method
authentication event server dead action reinitialize vlan 1
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
interface FastEthernet0/6
switchport mode access
ip access-group ACL-ALLOW in
authentication event fail action next-method
authentication event server dead action reinitialize vlan 1
authentication event server alive action reinitialize
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
interface FastEthernet0/7
interface Vlan1
ip address 172.16.0.204 255.255.240.0
no ip route-cache
ip default-gateway 172.16.0.1
ip http server
ip http secure-server
ip access-list extended ACL-ALLOW
deny icmp any host 172.16.0.1
permit ip any any
ip radius source-interface Vlan1
logging origin-id ip
logging source-interface Vlan1
logging host 172.16.0.90 transport udp port 20514
snmp-server community public RO
snmp-server community ciscoro RO
snmp-server trap-source Vlan1
snmp-server source-interface informs Vlan1
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps mac-notification change move
snmp-server host 172.16.0.90 ciscoro
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 3
radius-server vsa send accounting
radius-server vsa send authentication
radius server ISE-Alex
address ipv4 172.16.0.90 auth-port 1812 acct-port 1813
automate-tester username radius-test idle-time 15
key ******
ntp server 172.16.0.1
ntp server 172.16.0.5
endYes. Tried that (several times) didn't work. 5 people in my office, all with vers. 6.0.1 couldn't access their gmail accounts. Kept getting error message that username and password invalid. Finally solved the issue by using Microsoft Exchange and "m.google.com" as server and domain and that the trick. Think there is an issue with imap.gmail.com and IOS 6.0.1. I'm sure the 5 of us suddently experiencing this issue aren't the only ones. Apple will figure it out. Thanks.
-
RESTful Authentication to Service Bus for Windows Server - Multiple Scopes?
We currently have a three-node farm set up and have tested authentication and sending/receiving messages to each node individually, with which we've had no issues. However, we use NetScaler as a network load balancer, and once we configured NetScaler
in front of the three nodes we've encountered issues with RESTful authentication using OAuth.
The issue appears to be that when specifying a single scope (ex. for "server1/namespace"), if NetScaler routes the request to server1 it will provide a token back but if routed to server2 or server3 they fail with the following warning event logged:
Security token service finished processing a request with failure. TrackingId: (guid + server receiving request), Absolute Uri: https://(load balancer uri):9355/namespace/$STS/OAuth/, Message: System.UnauthorizedAccessException: Invalid user.
at Microsoft.Cloud.ServiceBus.Security.OAuthAuthenticationRequest.Parse(Message message, Int32 maxArrayLength)
at Microsoft.Cloud.ServiceBus.Security.SecurityTokenServiceProtocolHandler.GetTokenAsyncResult.ParseAuthenticationRequest(Message requestMessage, Int32 maxArrayLength)
at Microsoft.Cloud.ServiceBus.Security.SecurityTokenServiceProtocolHandler.GetTokenAsyncResult.<GetAsyncSteps>d__2c.MoveNext()
at Microsoft.ServiceBus.Messaging.IteratorAsyncResult`1.EnumerateSteps(CurrentThreadType state)
at Microsoft.ServiceBus.Messaging.IteratorAsyncResult`1.Start()
After reading the OAuth specifications, I tried changing the scope to be a space-delimited list of all three nodes (ex: "server1/namespace server2/namespace server3/namespace"), but this failed with a similar event being logged, though this one
specifying that the namespace could not be resolved for the scope provided.
When the server receiving the request matches the server in the scope and a token is provided, sending/receiving appears to function as normal across all three nodes. Is there a different way to specify multiple servers in the scope or otherwise solve/mitigate
this issue? I've read a couple threads regarding the support and use of NLB for load-balancing -- I think our infrastructure/network teams would prefer using NetScaler if possible, though any suggestions are welcome. Thanks!Hi,
Since this issue is more related to Microsoft Azure Pack. I move it to the Azure Pack forum. It is appropriate and more experts will assist you.
Regards,
Jambor
We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
Click
HERE to participate the survey. -
Authentication and Authorization Problems with IIS 6 and Jrun 4
Hello all,
I am using IIS 6 with JRun 4 as my app server, and I am having problems trying to get authentication and role authorization with Windows Integrated Authentication to work. I have set up IIS 6 to pass-through the authentication credentials to Jrun, without using an anonymous user. What I have done is written a small test servlet that displays the username of the logged in user, and then tries to check if a user is in a test role that I set up in my database. I have specified that a roles table is to be used by specifying a JDBCLoginModule in Jrun's auth.config file. The code for the servlet is below:
package testauthenticationapp;
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.*;
import javax.servlet.http.*;
public class SecureTestServlet extends HttpServlet {
private static final String CONTENT_TYPE =
"text/html; charset=windows-1252";
public void init(ServletConfig config) throws ServletException {
super.init(config);
public void doGet(HttpServletRequest request,
HttpServletResponse response) throws ServletException,
IOException {
response.setContentType(CONTENT_TYPE);
PrintWriter out = response.getWriter();
out.println("<h3>REMOTE USER: " + request.getRemoteUser() + "</h3>");
if (request.getUserPrincipal() != null){
out.println("<h3>" +request.getUserPrincipal().getName() + "</h3>");
} else{
out.println("<h3>User Principal is null</h3>");
if (request.isUserInRole("Test_Role")){
out.println("<h3>User is in Test_Role</h3>");
} else {
out.println("<h3>User is NOT in Test_Role</h3>");
out.close();
1. What I am seeing is that when request.getRemoteUser() is called, the username information is what I expect it to be. It is of the form <Domain>\<Username>. When I try to redisplay the username using the request object's Principal object, the call to request.getUserPrincipal() returns null. This is a little confusing to me since I thought that essentially getRemoteUser() was a short cut for calling getUserPrincipal().getName(), and if I get something for getRemoteUser, getUserPrinicipal should return something as well. I guess they work differently at some level. Has anyone ever encountered this before?
2. When I call request.isUserInRole("Test_Role"), it returns false. I've checked the role name being called for typos in both my database and in the code, and that does not seem to be the case. I think the setup in auth.config is properly configured because I have created many other applications using declaritive FORM based authentication, and the role information was retrieved fine from the database. I would think that when I use request.isUserInRole in my servlet code it would use the same role information, but I could be wrong since this is a different type of authentication. Do you think that the reason request.isUserInRole() is returning false could be tied to the fact that request.getUserPrincipal() is returning null (even though getRemoteUser() is returning a valid username)? How does request.isUserInRole() get its user information, by using getUserPrincipal().getName() or getRemoteUser()?
Any help that is provided is appreciated. Thanks in advance.Try This...
Close All Open Apps... Perform a Reset... Try again...
Reset ( No Data will be Lost )
Press and hold the Sleep/Wake button and the Home button at the same time for at least ten seconds, until the Apple logo appears. Release the Buttons.
http://support.apple.com/kb/ht1430 -
Authentication and Authorization question.
Hi All,
I require your help in getting validated my understanding on Authentication and Authorization. This is wrt to WebLogic Server and WebLogic Portal.
Authentication.
1. The custom authentication provider can authenticate(user and group) against any datastore(LDAP OR DB). The LoginModule is a kind of blockbox and it can return true/false depending on authentication.
2. The end result of this process is true/false.
Authorization.
1. The custom authorization providers can authorize the authenticated user based on role. All these entities ie(user,group,role) can be either in LDAP OR DB.
2. The end result of this process is true/false.
Role mapping.
1. The custom role mapper can put all the roles that a user belongs and returns all Role. This can happen agaist LDAP OR DB.
2. The end result is list of roles for a user.
Security policy configuration.
Is it mandatory that a user/group/role should be existing in WebLogic Server LDAP server(OR Portal LDAP server) to create these policies and authorization rules. What i mean by is that can user,group,role can exist in application specific database and still can be used for creatiing security policies??
Thanks,
Prashanth Bhat.The Security Providers are useful/can be used for developing a standard j2ee application , which will be deployed as standard j2ee application.
The DA means Delegated Administrator, which is way how portal components are restricted to different types of administrators.
The VE means Visitor Entitlemens, which is way how portal components are restricted to end users.
My question is whether thess(DAs and VEs) can also be put
our datastore for access rights??
Thanks,
Prashanth Bhat. -
WLC Custom Web Auth Bundle sample .tar file is not on WCS
The WLC documentation would make it appear (or maybe previously) you should download a sample web auth bundle code from the WCS Templates. I was never able to find a sample .tar file on the WCS 7.0.172.0 templates.
However I found on Cisco.com under Support > Downloads > Products >Wireless> Wireless LAN Controller Standalone Controllers> Cisco 5500 Series Wireless Controllers > Cisco 5508 Wireless Controller > Wireless Lan Controller Web Authentication Bundle-1.0.2 > webauth_bundle-1.0.2.zip
It was updated in June 2011, some pretty good sample html code.
The readme.html in the sample webauth_bundle-1.0.2.zip file has been very helpful , almost as good as the suppport community web page on custom web auth.
https://supportforums.cisco.com/docs/DOC-13954WCS config guide 7.0.172 is correct
http://www.cisco.com/en/US/docs/wireless/wcs/7.0MR1/configuration/guide/temp.html#wp1129979
The bundle in WCS is downloaded through :
configure->controller
"select a command"-> download customized webauth bundle.
Just tested it and it was there.
The one on cisco.com is better though
Maybe you are looking for
-
Filters not showing up in Squirrelmail
I am running the mail server component on an Apple Server (10.5.7) and have been trying very hard to configure it so the users can create an "out of office" reply. I have read through all of Apple's documentation, along with a variety of posts on thi
-
3D Axis System (bar type) doesn't work when there is only one z-channel
Hello, I have a problem with a 3D Axis System, bar type. Everything works fine as long as the y-channel contains more than one value (meaning there is more than one z-channel too). But when my y-channel has only one value, and there is only one z-cha
-
SD create Collective delivery document against scheduling agreement.
Dear freinds, I have created scheduling agreements for single material , and updated forecast deliery agaisnt IDOCS, now I want to make a single delivery agaisnt four different materials. I use Transaction VL 10 for Delivery due list and selected d
-
While creating a asset class error is coming "Screen Layout Control 200" is not maintained. Where as i maintained the account determination as well as the screen layout Pls help.
-
Games app not working In I Phone 6
Hello: My game app went stark white and blank when trying to set up, and responds to nothing at this point. Help please...