Setting up JAAS?

Similar Messages

• What is JAAS ? Where can i get any information on it ?

  Hi ,
  Can somebody tell me what is JAAS ?.....Where can i get something to read on it ...??????
  Thanks
  Rajesh Nanda

  Rajesh,
  I am not sure what do you mean by setting up JAAS in ABAP.
  JAAS is a security framework for Java.
  You probably mean SSO from Java to ABAP system.
  It is possible to SSO from Java to ABAP.
  This could be a good starting point for SSO:
  http://help.sap.com/saphelp_nw04s/helpdata/en/46/55195e4e5d41b095d0371fa9df2781/frameset.htm
  Regards,
  Slava

• Problem with jaas config

  i new in jaas and stuck when develop jaas aplication using myeclipse
  i have follow the tutorial, create MyCallbackHandler class, MyLoginModule class dan some principal class and auth.conf
  my problem is where and how can i setting my jaas application so it can refrence to auth.conf
  thx

  where must i put this code (-Djava.security.auth.login.config=jaas.conf) in my application, because i using myeclipse ?
  or can i set this in web.xml? if i can how to do that?

• Multiple LDAP Servers in Fusion Middleware (OBIEE 11g)

  Hello,
  I have a question, regarding integration of multiple LDAP servers with single Weblogic Server of Fusion Middleware (OBIEE 11g). We are currently using OBIEE 10g. We are on verge of migrating to 11g. However, I have a question regarding the LDAP server.
  Our two applications run on two distinct LDAP servers. The plan is to provide a single sign on link for OBIEE 11g reports to the end users and depending on what application they are using, they must be authenticated against the respective LDAP server.
  So, my question, is it possible to Integrate two different LDAP servers in the Weblogic of Fusion Middleware (OBIEE 11g). If so, what would be the steps. Any helpful document will also be appreciated.
  Thank you,
  Chandu.

  Yes, you can configure multiple authentication providers one by one as you generally do.
  When you configure multiple Authentication providers, use the JAAS Control Flag for each provider to control how the Authentication providers are used in the login sequence. You can set the JAAS Control Flag in the WebLogic Administration Console.
  REQUIRED—The Authentication provider is always called, and the user must always pass its authentication test. If authentication succeeds or fails, authentication still continues down the list of providers.
  REQUISITE—The user is required to pass the authentication test of the Authentication provider. If the user passes the authentication test of this Authentication provider, subsequent providers are executed but can fail (except for Authentication providers with the JAAS Control Flag set to REQUIRED).
  SUFFICIENT—The user is not required to pass the authentication test of the Authentication provider. If authentication succeeds, no subsequent Authentication providers are executed. If authentication fails, authentication continues down the list of providers.
  OPTIONAL—The user is allowed to pass or fail the authentication test of this Authentication provider. However, if all Authentication providers configured in a security realm have the JAAS Control Flag set to OPTIONAL, the user must pass the authentication test of one of the configured providers.
  refer - http://docs.oracle.com/cd/E13222_01/wls/docs92/secmanage/atn.html
  Regards
  Mukesh Negi
  http://weblogicserveradministration.blogspot.in/

• Web application security. Getting username and password from database

  Hi!
  I need to write the following web application (I write it using java server faces):
  1) User enters his username/password on the login page
  2) Program goes to database where there are tens of thousands of usernames/passwords, and verifies it.
  3) If user and password exist in DB, user gets access to the other pages of the application
  Maybe I don't understand some point. I tried to use j_security_check(it's very easy to configure secured pages in web.xmp). The problem is that it works(as far as I understand) only with roles defined on server before the application runs. I can't add ALL these usernames to the roles on server. The best way, as I see it, is to go to DB, check username/password, create new role for the time of session, go to j_security_check where the j_username and j_password get the values from db and get the access to secured pages(as far as the roles have been dinamically added).
  Am I right and this should be the algorithm?
  How can I implement it?
  I've read about JAAS. How can it help to solve the problem? Do I need j_security_check if I use JAAS? How should I configure my application if I use it?
  Could you please give me some code example?
  All this must work on IIS (for now, I develope it in Netbeans and run it on Java Application Server)
  Please help.
  Edited by: nemaria on Jul 7, 2008 2:39 AM

  Hi,
  Any security constrained url pattern which calls the action j_security_check passes the parameter to the realm mentioned in the server.xml.If the realm is set as JAAS,then the authenticate method of the jaasrealm does the basic validation like non empty field value from the input form.The appname set as the realm parameter points to the one or more loginmodules which has the life cycle methods like initialize(...),login(),commit(),abort() and logout().Once the basic validation is done in the JaasRealm class of the webcontainer,the LoginContext is created and user is autheticated (against DB username/password) via the login().Then the user is authourised in the commit().Then Jaasrealm takes care of creating the LoginContext,calling login(),creating Subject with principals,credentials added and setting that in the session.
  I have a big trouble in accessing the HttpServletRequest object in the LoginModules.i.e getting the j_username and j_password in the LoginModules or in the CallBackHandlers.PolicyContext doesn't work for me.Is there any other way?
  Regards,
  Ganesh

• How to Set Up SSO Between IBM WebSphere and SAP EP Using JAAS

  Hi
  I have read the article on SDN called "How to Set Up SSO Between IBM WebSphere and SAP EP Using JAAS", which is also the name of my posting.
  The reason why I post this is that I've tried to follow the links in the PDF to get the file WebsphereEpSsoLib.zip but I get an error 403, which tells me that the file is not there.
  Does anybody know where this file went or can somebody tell me an alternative place to get this file?
  Jacob

  Please open the associated whitepaper, and you can find the download link to the .ZIP file on page 4.
  https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/ibm/how to set up single sign-on between an ibm websphere portal and the sap enterprise portal using jaas.pdf
  Hope that works!
  Elise

• JAAS in Java StoredProcedures: How to set up LoginModule

  Hi,
  has anyone tried to use JAAS in a Java StoredProcedure on Oracle9i?
  I couldn't find out how to set up the JVM to find the login configuration. Here the error I get, whenn I run the StoredProcedure:
  ORA-29532: Java call terminated by uncaught Java exception: java.lang.SecurityException: Unable to locate a login configuration
  Here is what I did so far:
  1. copy jaas.jar into the $JAVA_HOME/lib/ext directory
  2. add to $JAVA_HOME/lib/security/java.security
  login.config.url.1=file:C:/my_jaas.config
  3. provide configuration file my_jaas.config
  Test {
  auth.MyLoginModule required debug=true;
  4. loadjava for jaas.jar (TEST schema)
  5. setup of the database security:
  dbms_java.grant_policy_permission( 'JAVA_ADMIN', 'TEST', 'javax.security.auth.AuthPermission', '*' );
  dbms_java.grant_permission( 'TEST', 'TEST:javax.security.auth.AuthPermission', 'createLoginContext', null );
  dbms_java.grant_permission( 'TEST', 'TEST:javax.security.auth.AuthPermission', 'getLoginConfiguration', null );
  dbms_java.grant_permission( 'TEST', 'SYS:java.security.SecurityPermission', '*', null );
  6. loadjava for the StoredProcedure (TEST schema)
  LoginContext lc = new LoginContext( "Test", new TestCallbackHandler() );
  lc.login();
  How can I tell the database where to look for the login configuration. Am I missing something here?
  Thanks for any help
  Regards,
  Christian

  Hi,
  has anyone tried to use JAAS in a Java StoredProcedure on Oracle9i?
  I couldn't find out how to set up the JVM to find the login configuration. Here the error I get, whenn I run the StoredProcedure:
  ORA-29532: Java call terminated by uncaught Java exception: java.lang.SecurityException: Unable to locate a login configuration
  Here is what I did so far:
  1. copy jaas.jar into the $JAVA_HOME/lib/ext directory
  2. add to $JAVA_HOME/lib/security/java.security
  login.config.url.1=file:C:/my_jaas.config
  3. provide configuration file my_jaas.config
  Test {
  auth.MyLoginModule required debug=true;
  4. loadjava for jaas.jar (TEST schema)
  5. setup of the database security:
  dbms_java.grant_policy_permission( 'JAVA_ADMIN', 'TEST', 'javax.security.auth.AuthPermission', '*' );
  dbms_java.grant_permission( 'TEST', 'TEST:javax.security.auth.AuthPermission', 'createLoginContext', null );
  dbms_java.grant_permission( 'TEST', 'TEST:javax.security.auth.AuthPermission', 'getLoginConfiguration', null );
  dbms_java.grant_permission( 'TEST', 'SYS:java.security.SecurityPermission', '*', null );
  6. loadjava for the StoredProcedure (TEST schema)
  LoginContext lc = new LoginContext( "Test", new TestCallbackHandler() );
  lc.login();
  How can I tell the database where to look for the login configuration. Am I missing something here?
  Thanks for any help
  Regards,
  Christian Hi, this is not supported yet - although some guys, on the forum, successfully implements JSSE but i am not allowed to disclose how they did it.
  we hope to provide formal support for JAAS, JSSE and JCE in upcoming major database release
  Kuassi

• How to Set username in ADF from JAAS

  Greetings :
  I have an application that is mostly working. The problem is this. A user logs in using a JAAS module I wrote. As the principal I set their username. That works, I can display it on a jsp page or put it in session just fine. The problem is that when this user creates a new record there is a owner field that I want to default to this username. For example, I have a table mapped to adf data controls. Somewhere in the entity object (or wherever you think if you tell me differently) I would like to do something like :
  setOwner(request.getUserPrincipal().getName());
  the problem is, that I don't have the request object inside the create for example (obviously so and it most certaily shouldn't be accessible there).
  Can anyone tell me the best way to do this sort of thing?
  Thanks
  Troy

  You can look in help under:
  Enabling a Database Audit Trail in an Entity Object Definition
  This will give you the option to save created by, created date, modified by and modified date with the record. The username will be prefixed by the realm.
  You can get the username inside an application module via:
  String userId = getUserPrincipalName();

• How to set role based Authorization in JAAS

  how to set role based Authorization in JAAS
  i had user name , password and role in FileLogin
  thanks
  arun .v.

  http://dev2dev.bea.com/pub/a/2003/04/Kemp_Helton.html?page=last

• JAAS - How to set up permissions for a specific code?

  I would like to set up permissions for specific code in JAAS policy files.
  In other words, let's say I have the followiong entry:
  permission java.util.PropertyPermission "java.home", "read";
  Then, when I do Subject.doAsPrivileged(..., MyAction), if this permission is absent, I will not be able to access the "java.home" property in my MyAction.
  If I, let's say, set up a file permission, I will not be able to read certain files if the permission is absent.
  I want something simpler. I want to be able to specify that the whole class MyAction cannot be executed if the permission is absent - I do not want the code to even go there. Basically, if the necessary entry in the Policy file is not present, I do not want the calling code to have access to class com.mypackage.MyAction.
  This must be really straight-forward, what am I missing?

  Thank you for your input.
  My case is a little bit more complex.
  There is a request and approval process attached to the provision to this target system.
  The approval process has a first level of approval (including 1 to many approval steps) and the user gets the basic access to this target system. The user can then access the target system but is limited to what he/she can do.
  Then the approval goes to a second level of approval (including many approval steps) and if approved the user gets the elevated access to this target system.
  To accomplish this, the previous implementer created 2 resources for the same target. After the first level of approval, he provisioned resource A to the user. After the second level of approval, he provisioned resource B to the user, revoked resource B, and updated resource A.
  This is very confusing because we are dealing with 2 resources for the same target.
  I am looking for way to take advantage of the GTC to provision and reconcile with a system that takes a flat file and can write a flat file. But I also need to make it work with this approval nightmare.
  Do you have any ideas on how to make this better and simpler?
  Thanks
  Khanh

• Setting permissions at entity object level using JAAS and LDAP

  Hi,
  I am using ldap-based provider for authorizaton. Every thing works fine. Authorization works fine based on the roles created in web.xml file.
  Could you please let me know how I can define permissions at entity object level when using ldap based provider.
  Following line is the permission created for an entity object (SpcStrBdgt) when using XML-based provider.
  <permission>
       <class>oracle.jbo.server.security.jazn.JboJAZNEntityPermission</class>                    <name>model.SpcStrBdgt/READONLY</name>
  </permission>
  Above is defined in jazn-data.xml file.How can I define the same thing when using ldap-based provider?
  Thanks,
  Seatre

  Hi,
  There is an enhancement request Bug2692994 for this feature.
  Thanks,
  Yvonne

• Opinions on implementing a JAAS login module to achieve SSO

  We are looking at implementing SSO from a sharepoint website to the portal.  The users who are accessing the Sharepoint site are using their own computers and are not members of the AD Domain, so they could theoretically be using any computer in the world to access Sharepoint.
  the desired user experience looks something like this.
  user--login> sharepoint site -no login--
  >portal
  One of the methods we are looking at to achieve this is to implement a custom JAAS login module that would authenticate the user if they are coming from the Sharepoint site.
  I would like to get your opinions on how viable you think this method is.  One of the goals of this method is ease of implementation, so if you can think of an easier way to implement this please let us know.
  the method is basically this.
  1. User logs into sharepoint using their AD username and password and establish an active session with sharepoint
  2. user navigates to a link in sharepoint that points to a resource in the SAP Portal
  3. we don't want the user to have to login to access the resource when they click on the link
  4. to facilitate this, sharepoint has constructed the link in the following way
  5. the link is an https link
  6. the link has two additional parameters in addition to whatever is necessary to navigate to the resource
  7. the parameters are
  8. un = the users AD username
  9. uh = sha1("secret_password_known_to_both_the_login_module_and_sharepoint" + "username")
  10. the user clicks the link and is directed to the SAP portal
  11. the sap portal has a custom JAAS login module which performs it's checks before the other login modules
  12. the custom module computes ( sha1("secret_password_known_to_both_the_login_module_and_sharepoint" + un)) and then compares the result with uh, if they are equal, the custom login module authenticates the user bypassing any further need for authentication, otherwise authentication passes to the original authentication modules as normal.
  If you think there is an easier way, please let us know.  We are essentially looking for the easiest/fastest way to implement this functionality that is still secure.

  Hey Gary,
    I'm currently using Apache running on RedHat that leverage Apache's mod_rewrite module. I've got a bank of 6 reverse proxies sitting in front of an SAP Portal and each proxy runs on a host with dual 3.33GHz processors and 8Gb or RAM. I know... they're waaay over-sized and they pretty much snooze all day.
    This is the sole entry point for all SAP users and we sized them to accommodate the "worst case" of about 5000 (potential) named users, concurrently. Realistically, we've only ever had about 1500 unique users hitting the systems in a day (following an upgrade go-live, everybody is curious and wants to log on) and a typical load of about 500 to 750 users in a day.
    Never had a real performance problem to speak of. As long as the proxies are tuned properly (ssl cache, sessions, etc.), you should be fine.
    Setting header variables and some other "custom stuff" is handled in Perl (need Apache's mod_perl active). We've got a script that's called by all users before being passed to the Portal.
    We used IISProxy.dll with an IIS web server a long time ago (5 years maybe?) but opted to can it in favor of the approach described above.
    If you ask SAP, they'll recommend you use a WebDispatcher... and that's certainly an option as well.
  -Kevin

• JAAS ,SSO and OC4J

  Hi ,
  Earlier , We were connecting our application as partner applications in portal for SSO authentication. We used SSO sdk for diverting requests to SSO. I was reading some literature and it seems oracle is supporting connecting to SSO from JAAS provider. Can i get a documentation for 10G JAAS (With details on how to connect to SSO).
  questions
  1. Is JAAS just replacement of SSO sdk and we still need to define partner applications?
  2.Do I need to configure mod_osso ? and then JAAS will give user details . (I don't need to define partner application.)
  thanks
  Simar

  I do believe there is a logout URL that you need to set. When the user logs out of the application, they also need to be redirected to the logout URL. This is covered in the Oracle Application Server Single Sign-On Application Developer's Guide
  From the doc:
  Security Issues: Single Sign-Off and Application Logout
  If you build custom applications using OracleAS release 9.0.4, note the following: when global logout, or single sign-off, is invoked, only the single sign-on and mod_osso cookies are cleared. This means that an OracleAS application must be coded to store single sign-on user and realm names in either the OC4J session or in the application session. The application must then compare these values to those passed by mod_osso. If a match occurs, the application must show personalized content. If no match occurs, which means that the mod_osso cookie is absent, the application must clear the application session and force the user to log in.
  They also have a code example:
  Application Logout: Recommended Code
  Most applications that authenticate users have a logout link. In a single-sign-on-enabled application, the user invokes the dynamic directive for logout in addition to other code in the logout handler of the application. Invoking the logout directive initiates single sign-off, or global logout. The example that follows shows what single sign-off code should look like in Java.
  // Clear application session, if any
  String l_return_url := return url to your application e.g. home page
  response.setHeader( "Osso-Return-Url", l_return_url);
  response.sendError( 470, "Oracle SSO" );

• Issue in setting custom identity service for soa 11.1.1.4

  Hello,
  I am facing issue in setting custom identity service for soa 11.1.1.4
  It is not picking up the implemented UserManager (in custom IDM) implemented via ServiceProvider and IdentityStoreService.
  This is configured in jps-config.xml
  The same setup was working in soa 11.1.1.2
  I believe there is a change done in JpsProvider in bpm-service.jar to authenticate via default login context from oracle.security.jps.internal.jaas.module.authentication.JpsUserAuthenticationLoginModule
  If my uderstanding is correct,
  Please guide me in implementing custom identity store and services for bpm services for soa 11.1.1.4
  Tried various work arounds but no luck.
  Thanks
  Bala

  Hi...
  Can u tell me how did u set up custom identity service for 11.1.1.2 ?
  Thanks

• Plans to change JAAS/GSS for Windows XP SP2 and beyond

  Are there any plans to reimplement JAAS GSS on the windows platform to account for this issue:
  Cause 2: This exception is thrown when using native ticket cache on some Windows platforms. Microsoft has added a new feature in which they no longer export the session keys for Ticket-Granting Tickets (TGTs). As a result, the native TGT obtained on Windows has an "empty" session key and null EType. The effected platforms include: Windows Server 2003, Windows 2000 Server Service Pack 4 (SP4) and Windows XP SP2.
  Solution 2: You need to update the Windows registry to disable this new feature. The registry key allowtgtsessionkey should be added--and set correctly--to allow session keys to be sent in the Kerberos Ticket-Granting Ticket.
  Thanks!
  -Bob

  This is an old thread, but one of my clients has run into the same problem. Hopefully someone is still monitoring....
  The answer is that the implementation should not be trying to do anything directly with keys. Delegation works just fine if it has been configured correctly in AD. Simply impersonate the context on the server side and then call the appropriate API to get a new service ticket and it will use the forwarded TGT. Credential delegation solved.
  MS was correct to "fix" the session key interface since it allowed user code to attain a "password equivalent". The JAAS implementation should be fixed to use the Windows authentication interfaces correctly.
  Thanks,
  Dave
  Feel free to contact me offline for more information or pointers at [email protected] (remove the no-spams).