Setting permissions at entity object level using JAAS and LDAP

Hi,
I am using ldap-based provider for authorizaton. Every thing works fine. Authorization works fine based on the roles created in web.xml file.
Could you please let me know how I can define permissions at entity object level when using ldap based provider.
Following line is the permission created for an entity object (SpcStrBdgt) when using XML-based provider.
<permission>
<class>oracle.jbo.server.security.jazn.JboJAZNEntityPermission</class> <name>model.SpcStrBdgt/READONLY</name>
</permission>
Above is defined in jazn-data.xml file.How can I define the same thing when using ldap-based provider?
Thanks,
Seatre

Hi,
There is an enhancement request Bug2692994 for this feature.
Thanks,
Yvonne

Similar Messages

Authenticate using JAAS and LDAP

Hi,
I am trying to authenticate a user using JAAS against LDAP. I am able to hit LDAP, but failing when it comes to authentication.
Yes, I have made sure the user and password are right.
Here is my code and error message. Would really appreciate if someone can tell me what am I doing wrong here.
My 'jaas.config' file :
JNDILogin {
     com.sun.security.auth.module.JndiLoginModule Required
     debug=true
     useFirstPass=false
     strongDebug=true
     tryFirstPass=true
     storePass=true
     user.provider.url="Ldap://xxx.xxx.xxx.xxx:389/CN=someSecurityService,OU=XX,OU=XXXXX,OU=XXXXXX,OU=XXXXX,OU=XXXXXX,DC=XXX,DC=XXXXX,DC=XXX"
group.provider.url="Ldap://xxx.xxx.xxx.xxx:389/CN=someSecurityService,OU=XX,OU=XXXXX,OU=XXXXXX,OU=XXXXX,OU=XXXXXX,DC=XXX,DC=XXXXX,DC=XXX";
My implementation class 'ClientSideSecurityImp,java' :
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.apache.log4j.*;
import com.sun.security.auth.callback.TextCallbackHandler;
import com.sun.security.auth.module.JndiLoginModule;
* Filename is ClientSideSecurity.java
public class ClientSideSecurityImp
private static final Logger log = Logger
.getLogger(ClientSideSecurityImp.class);
private Subject activeSubject = null;
private String userName = null;
private String appName = null;
private String viaMech = null;
private LoginContext lc = null;
public ClientSideSecurityImp(String appNameVal)
this.appName = appNameVal;
* (non-Javadoc)
public boolean userAuthenticate() throws SecurityException//,
// AuthenticationException
boolean authenticated = false;
String whereAmI = "ClientSideSecurityImp.UserAuthenticate()";
CallbackHandler handler = null;
JndiLoginModule jndi = new JndiLoginModule();
handler = new TextCallbackHandler();
if (lc == null)
try
lc = new LoginContext("JNDILogin", handler);
lc.login();
} catch (LoginException e)
// TODO Auto-generated catch block
e.printStackTrace();
activeSubject = lc.getSubject();
log.debug(activeSubject.toString());
// if we return with no exeption then authentication was sucessful.
authenticated = true;
return authenticated;
* @return success at removing the certificates.
public boolean logout()
String whereAmI = "ClientSideSecurityImp.logout()";
boolean success = false;
this.userName = "";
this.activeSubject = null;
return true;
My test class with main 'ClientSideSecurityImpTest.java' :
import org.apache.log4j.Logger;
import org.apache.log4j.PropertyConfigurator;
import com.jaas.ClientSideSecurityImp;
import junit.framework.TestCase;
* TODO To change the template for this generated type comment go to
* Window - Preferences - Java - Code Style - Code Templates
public class ClientSideSecurityImpTest extends TestCase
private static ClientSideSecurityImp cssi = new ClientSideSecurityImp("MyApp");
private static final Logger log = Logger.getLogger(ClientSideSecurityImp.class);
public static void main(String[] args)
PropertyConfigurator.configure("log4j.properties");
boolean test = cssi.userAuthenticate();
log.debug("**##$$##** Authenticated :" + test);
Error I get :
I get some error messages here that is expected as I have 'tryFirstPass=true' in my 'jaas.config' file. Then it asks for the user and password again. After that this is what I get:
Ldap username: user
Ldap password: password
          [JndiLoginModule] user entered username: user
          [JndiLoginModule] user entered password: password
          [JndiLoginModule]: User not found
javax.naming.NoInitialContextException: Cannot instantiate class: =com.sun.jndi.ldap.LdapCtxFactory [Root exception is java.lang.ClassNotFoundException: =com/sun/jndi/ldap/LdapCtxFactory]
     at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:652)
     at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:243)
     at javax.naming.InitialContext.init(InitialContext.java:219)
     at javax.naming.InitialContext.<init>(InitialContext.java:175)
     at com.sun.security.auth.module.JndiLoginModule.attemptAuthentication(JndiLoginModule.java:496)
     at com.sun.security.auth.module.JndiLoginModule.login(JndiLoginModule.java:310)
     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
     at java.lang.reflect.Method.invoke(Method.java:324)
     at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
     at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
     at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
     at java.security.AccessController.doPrivileged(Native Method)
     at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
     at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
     at com.jaas.ClientSideSecurityImp.userAuthenticate(ClientSideSecurityImp.java:58)
     at com.test.ClientSideSecurityImpTest.main(ClientSideSecurityImpTest.java:29)
Caused by: java.lang.ClassNotFoundException: =com/sun/jndi/ldap/LdapCtxFactory
     at java.lang.Class.forName0(Native Method)
     at java.lang.Class.forName(Class.java:219)
     at com.sun.naming.internal.VersionHelper12.loadClass(VersionHelper12.java:42)
     at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:649)
     ... 17 more
          [JndiLoginModule] regular authentication failed
          [JndiLoginModule]: aborted authentication failed
javax.security.auth.login.FailedLoginException: User not found
     at com.sun.security.auth.module.JndiLoginModule.attemptAuthentication(JndiLoginModule.java:624)
     at com.sun.security.auth.module.JndiLoginModule.login(JndiLoginModule.java:310)
     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
     at java.lang.reflect.Method.invoke(Method.java:324)
     at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
     at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
     at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
     at java.security.AccessController.doPrivileged(Native Method)
     at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
     at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
     at com.jaas.ClientSideSecurityImp.userAuthenticate(ClientSideSecurityImp.java:58)
     at com.test.ClientSideSecurityImpTest.main(ClientSideSecurityImpTest.java:29)
java.lang.NullPointerException
     at com.jaas.ClientSideSecurityImp.userAuthenticate(ClientSideSecurityImp.java:65)
     at com.jaas.ClientSideSecurityImpTest.main(ClientSideSecurityImpTest.java:29)
Thanks in advance.

The error message clear cut says that the JVM cannot find the class com.sun.jndi.ldap.LdapCtxFactory. Make sure the LDAP provider jar which contains this class is in your program's classpath.

HT1692 Have recently installed itunes and outlook on a new computer. Have multiple email accounts set up in Outlook tho only use contacts and calendar in relation to one of these. Cannot sync itunes with the correct contacts and calendars, Help!

My new computer is 64-bit running Windows 7 pro, SP1 and Microsoft Office 2010 Pro Plus 32-bit
My phone is a 4S runing iOS 6.1.3
Very frustrated now that I have recently installed itunes and outlook on this new computer. Everything worked perfectly ok on my laptop which was also 64-bit Windows 7 and running 32-bit Microsoft Office 2010 Pro. I have multiple email accounts set up in Outlook tho only use contacts and calendar in relation to one of these. Cannot sync itunes with the correct contacts and calendars, when I sync the calendar and contacts are empty. Not sure if there is any way to point itunes to particular address books and calendars.
I have installed and uninstalled itunes 3 times and thank goodness have a backup
Can anyone help please?
thanks in anticipation

I had my home computer set up to sync to work's Exchange server. It worked well, but I didn't like seeing work email messages and other programs trying to sync with my default Outlook folder, which was then the Exchange (& work related) .ost file. I know there are various ways to manage those problems using filters, view, subfolders, etc., but it was a hassle for me. I think it could work well for many other folks.
For now, I have published my work calendar and subscribed to that calendar on my home computer. So I have view only access to my calendar on my home computer (and I can add/edit calendar items on my iPad (or Outlook Web Access) when away from work). This is not quite what I wanted, but it may work.
It almost makes me long for the days when I used my Windows Mobile Treo to sync back and forth between exchange at work and outlook at home (but had many sync conflicts as a result).

Setting up a small business network using mac and windows pcs

Setting up a small business network using mac and windows??

Ok that sounds great. What is your actual question as it relates to AirPort networking? Is it: Can I set up a wired/wireless network with an AirPort base station that support multiple Mac & PC clients? If so the answer is yes.
If, instead, it is how to I configure an AirPort network to support a small business you will have to provide more details on both your networking & computing equipment in order for any of us to help you.

Client remote Authentication using JAAS and EJB Access

Hi,
I have a problem using JAAS in combination with Sun One Appserver 8.1 and a java remote client trying to access an EJB. Here is the scenario:
I have implemented an EJB who's methods are protected through the deployment descriptor:
        <assembly-descriptor>
             <security-role>
                <description>role for clients outside of the server </description>
                <role-name>sedna</role-name>
              </security-role>
            <method-permission>
              <role-name>sedna</role-name>
              <method>
                <ejb-name>ServerInfoBean</ejb-name>
                <method-intf>Remote</method-intf>
                <method-name>*</method-name>
              </method>
            </method-permission>
            <method-permission>
              <unchecked/>
              <method>
                <ejb-name>ServerInfoBean</ejb-name>
                <method-name>getVersion</method-name>
              </method>
              <method>
                <ejb-name>ServerInfoBean</ejb-name>
                <method-name>create</method-name>
              </method>
            </method-permission>
        </assembly-descriptor>I've deployed the EJB in a jar file which was packed into an ear file of a bigger application. The role has been mapped to the admin Principal in the sun-ejb-jar.xml descriptor.
I can find the EJB, create it, and call the unchecked method getVersion and that works fine, so far so good.
But then I try to access another method which is protected and then I get this exception
org.omg.CORBA.NO_PERMISSION:   vmcid: 0x2000 minor code: 1806 completed: Maybe
        at com.sun.enterprise.iiop.POAProtocolMgr.mapException(POAProtocolMgr.java:179)
        at com.sun.ejb.containers.BaseContainer.postInvoke(BaseContainer.java:853)
        at com.sun.ejb.containers.EJBObjectInvocationHandler.invoke(EJBObjectInvocationHandler.java:137)
...I have to mention that I do make a login via the LoginContext. My jaas.config File has a reference to the com.sun.enterprise.security.auth.login.ClientPasswordLoginModule module.
After login (which works perfectly) I lookup the context with a corbaname url which - if I understood it right - ignores the Context.SECURITY_PRINCIPAL and Context.SECURITY_CREDENTIALS settings.
After that I make the calls to the EJB. And I am allways ANONYMOUS on the server side, which is definitely the problem. Because ANONYMOUS is not allowed to call the protected EJB Methods. But I made a jaas login in advance. So where am I making a mistake???
Am I doing something wrong?
Need help! Thx,
Stephan

Hi.
I understand correctly that you call Subject.doAs on
the client to call the remote EJB. I guess It isn't
right way.I had also a bad feeling about this, so I forget it. But anyway it wasn't working with or without using that doAs().
>
>
Subject contextSubject =
Subject.getSubject(AccessController.getContext());
contextSubject.getPrincipals();This code throws exceptions in the Appserver. Unfortunately they are catched somewhere so I'm unable to find out what was going wrong. But I guess, that these exceptions where security exceptions. Never the less thanks for the hint!
But I don't think that doing the check on the server side is the way I want to go because that is programmatically security and I want to use the declarative security which can be used through the deployment descriptor. If used correctly - and supposed I do not completely misunderstand the specification - then it should be possible to create an EJB that is protected via it's deployment descriptor and access it through the client only if the client has been authenticated through JAAS mechanisms. After successful authentication the principal should be accessible through the EJB context but not for security check, that should allready been done at this time.
Unfortunately I don't find any resource on the internet describing the scenario in such a detail that I can reproduce it. There are only very high level documentations and hints in forums.
Again, thanks for your effort,
Stephan

Single sign-on using Kerberos and Ldap

I am currently setting up single sign-on using Kerberos for authentication and Ldap for authorization and information store.
The setup includes several Solaris 8 & 9 workstations, a couple of SGI's, as well as a M$ terminal server farm, several WinXP desktops and their associated Active Directory.
I am required to authenticate etc against the AD. (which has M$ SFU3.5 installed)
I have the Kerberos authentication and part of the Ldap service working via pam & nss.
ie. I can logon to the solaris worksatations using the AD username and password, mount the home directory from a M$ NFS server.
BUT...
id gives:- userID, groupID (primary group only)
groups :- primary group only. (no secondary groups are listed)
Question: what additional configuration information do I need in the pam, nss &/or ldap config files, so that I can list the secondary groups.
Thanks in advance for any help.

After evaluating (giving up on, and finally throwing out) the Sun Directory server it looks like we are going to endup with a similar solution..
Sadly enough, the MS AD seems much more stable and easier to handle than Suns DS, kerberos and associated services.
Anyway, currently we are evaluating a product called vintela ( www.vintela.com ), and it seems very promising; its easy, robust, stable and does what we require it to do, as well as more :) It comes with an additional nss module called 'vas', so you easily can retrieve data like hosts/groups from your AD.
//M.

How can i set page zoom level using css and javascript in firefox.

i have problem to set zoom level in firefox.
document.body.style.zoom = 150%; is worked in IE and Crome but not working in firefox so pls. i want to know a alise property that are provide a same functionality to me.

Currently there is now way of retaining zoom level across pages in Single Page Mode. We have noted down your request and this might get implemented in one of our future releases. Thanks for the feedback.
- Adobe Reader Team

How do I set up my MacBook Air to use Sparrow and Reeder's multitouch gestures?

Just set up my 11" air for the first time, and I just can't seem to get these apps multitouch fanciness to work without holding down the ALT key. I have them working flawlessly on my iMac with Magic Trackpad. The settings all seem to be the same between the two computers too.

Ok, in this case your iMac will be performing as an application server. As such, it will need to be "reachable" from the Internet. This is typically done in one of two ways: 1) It is assigned a static Public IP address, or 2) It is assigned a static Private IP address.
In the first method, your iMac will be like any other publically available server (Web, E-Mail, etc.) To accomplish this, you would need for your ISP to provide you with a static Public IP. You can then configure the AirPort Extreme to allow remote clients to access this server by creating a DMZ for the server. This would fully expose your iMac to the Internet.
In the second method, you would assign the iMac a static Private IP address that is just outside of the default range of the AirPort's DHCP service. You would then configure the AirPort for port mapping. Which ports that will be needed to be mapped will depend on what your application's support tells you.

Dynamic Entity Member Lists using UD1 and UD2

Hello fellow HFM gurus:
I have created dynamic member lists to get all members of the entity dimension that have a UD1 or UD2 member as specified in the script.
THe member lists all appear in HFM, but when I try to select them, I get a run-time error. I am trying to select them in the member selection of a data form (in the same drop down with the different system member lists for entiites, like hierarchy, descendants, etc.).
I believe this is the standard syntax. Please let me know if something is wrong with it.
ElseIf HS.Dimension = "Entity" Then
If HS.MemberListID = 1 Then
ELi=Hs.Entity.List(",")
For i = Lbound(ELi) to Ubound(ELi)
If HS.Entity.IsBase("",ELi(i)) = TRUE Then
If (StrComp(Hs.Entity.UD1(ELi(i)),"DD",vbTextCompare)=0) Then
Hs.AddEntityToList "",ELi(i)
End If
End If
Next
End if
Error in HFM:
Invalid member selection. Error executing VBScript Microsoft VBScript runtime error, Line 475:Wrong number of arguments or invalid property assignment: 'HS.Entity.List'.Error executing VBScript 0.Error Reference Number: {9A7697E2-75AE-4A06-9A34-B45D58022984};User Name: mark.d.smith@Native DirectoryNum: 0x80042fc2;Type: 1;DTime: 9/10/2012 5:51:16 PM;Svr: VMHODDLPHP4;File: CHsvScriptEngine.cpp;Line: 392;Ver: 11.1.2.1.103.3505;Num: 0x80042fc2;Type: 0;DTime: 9/10/2012 5:51:16 PM;Svr: VMHODDLPHP4;File: CHsvDSMemberLists.cpp;Line: 2722;Ver: 11.1.2.1.103.3505;Num: 0x80042fc2;Type: 0;DTime: 9/10/2012 5:51:16 PM;Svr: VMHODDLPHP4;File: CommonMetadataInternal.cpp;Line: 461;Ver: 11.1.2.1.103.3505;Num: 0x80042fc2;Type: 0;DTime: 9/10/2012 5:51:16 PM;Svr: VMHODDLPHP4;File: CHsvEntities.cpp;Line: 338;Ver: 11.1.2.1.103.3505;Num: 0x80042fc2;Type: 1;DTime: 9/10/2012 5:51:16 PM;Svr: VMHODDLPHP4;File: CCommonDimension.cpp;Line: 1015;Ver: 11.1.2.1.103.3505;

Hi Mark,
Please check the double quotes after Entity.List. It should be "","".
Regards,
S

SQL Developer (using TNS and LDAP) fails

If I use a Basic Connection Type and specify the Host, Port and Service Name I can get connected.
If I use a TNS Connection Type and click on the appropriate Network Alias I get:
Status: Failure -lo exception: SO exception was generated.
The SQLNET.ORA file has this entry:
NAMES.DIRECTORY_PATH= (LDAP)
SQL*Plus connections work fine.
Has anyone seen this issue and resolved it ?
Thanks,
Bob Larsen

Bob,
TNS connection with Network Alias option should work.
I assume you have a local tnsnames.ora file with the database entry.
You can launch sqldeveloper from sqldeveloper\sqldeveloper\bin\sqldeveloper.exe
or sqldeveloper\sqldeveloper\bin\sqldeveloper.bat.
This will give a stack trace.
Thanks,
Sri

JAAS and LDAP

hi,
how can I check the password expiration time in the loginModule ???
I want to add this feature ..? can any one help???

solved..

How can we create an entity object using multiple tables?

Hi All,
I'm a newbie to OAF.
I'm trying to create a simple page using OAF.
While creating Entity object, there is an option to add the database objects from which we can create our Entity Object.
There we can enter only one database object.
If suppose I need to create a Entity object by using mutiple data base objects, how can I add other database objects?
Is there any option for multiple selection of database objects there?
Thanks in Advance

User,
a). You should use the [url http://forums.oracle.com/forums/forum.jspa?forumID=210]OA Framework Forum for this question.
b). Entity objects always correspond to a single table. I think you want to create a View object instead.
c). Really, you want to be using the OA Framework forum.
John

How to trace the missing authorizations using NWBC at object level

Hi all,
In SAP R/3 any authorization issue can be tracked down till authorization object level using SU53 tcode and ST01 tcode.
1 - I have a super user who has all the roles in Solution manager system and test user which I created with just 1 role Incident management role. But when I login with Super user ID I can see in tcode (WDY_APPLICATION - Incident Management ) I have 4 tabs (Overview,Messages,Reports and Queries) but when I execute the same tcode using test ID I can only see Overview and Messages tab. Report and Query tab were missing . Please advice on how to trace the missing authorizations using NWBC at object level? or how to solve this issue......
2 - How to add a Web dynpro Transaction code (example WDY_APPLICATION - Incident Management )while building a role in PFCG?
Thanks
LAK

Hi Gurus,
Can anyone please help me with my questions.
In addition here are few more info that I need
How to bring in the new authorizations without logiing off and logging in back in NWBC ( Equivalent to Menu-->Refresh in SAP GUI)
Thanks
LAK

Entity Object's "addNewRow" Permission, how to implement?

Hi,
this is a generic question about an implementation strategy to be followed for ADF Authorization.
I've been researching the definition of permissions at the entity object level, and successfully tested the 3 permission targets available: read, update, removeCurrentRow.
However, I'd actually need the full set of permission targets for CRUD operations, which means that ADF lacks an "addNewRow" to secure row creation on EOs.
What should be the strategy to implement that?
Is it a planned feature so waiting till, say, 11g Release 2 should bring it to the table, or has it been left out by design and thus it just won't be added? In the latter case, how to actually implement it?
I'd need to actually hide/disable the Create/CreateInsert button on my edit pages if the underlying EO does not allow new row creation for the current role. I gave a thought to EO's Custom Properties as a way to handle that extra permission flag, but is it a viable way? Can they be accessed through EL so that I can, say, use them directly in the Rendered/Disabled property of the button to regulate access?
Or would you suggest another strategy altogether?
Please share your ideas.
thanks,
RickyS

Well, I can definitely see some benefits in having security at the model layer, at least in our scenario. In a complex app with many edit pages often dealing multiple times with the same EOs, having to specify a single set of policies on the EO itself and see it automatically implemented on every page seems a plus and a step ahead from 10g - not that I tried Security in 10g, but I know the approach. Seeing fields automatically become read-only or datacontrol operation buttons such as Delete become disabled without specifying anything on the page is cleaner and will speed up development a bit, too (for large numbers of pages that might be significant, on a small app it's probably irrelevant).
Probably not as useful and powerful as model-driven lists, but still a welcome feature. You probably have a point about the double mainteinance, but that may be avoided if the BC layer security truly encompasses everything (e.g. if I can't rely on a "create" permissions, I'll certainly have to maintain additional code as well as additional BC data such as custom properties to deal with that, and this is even worse).
Another point is that I might want to enable/disable functionality on the page via EL/backing bean based on BC permissions, and that seems useful. Being able to express a condition like "this EO is accessible" or "this attribute is accessible" is sometimes much superior to "user belongs to this role". It's better to decouple roles from the secured targets and just use the latter, IMHO. Especially becuse we'll likely won't have a fixed set of static roles defined in advance for all customers we'll deploy our webapp to.
Just my 2 cents, anyway, you might end up being totally right :-)
Cheers,
RickyS

Validation at View Object level and not Enity Object

How would you create validation logic at the view object level and not at the entity object level? I have many VOs that reference the same EO and want some validation logic to be applied only to certain VOs.
Thanks,
Quoc

My use case for this is to perform form validation inputted by the user via a JSPX page.

Setting permissions at entity object level using JAAS and LDAP

Similar Messages

Maybe you are looking for