SPNEGO - JAAS with KerberosLoginModule

Similar Messages

• Has anyone used JAAS with WebLogic?

  Has anyone used JAAS with Weblogic? I was looking at their example, and I have a bunch of questions about it. Here goes:
  Basically the problem is this: the plug-in LoginModule model of JAAS used in WebLogic (with EJB Servers) seems to allow clients to falsely authenticate.
  Let me give you a little background on what brought me to this. You can find the WebLogic JAAS example (to which I refer below) in the pdf: http://e-docs.bea.com/wls/docs61/pdf/security.pdf . (I believe you want pages 64-74) WebLogic, I believe goes about this all wrong. They allow the client to use their own LoginModules, as well as CallBackHandlers. This is dangerous, as it allows them to get a reference (in the module) to the LoginContext's Subject and authenticate themselves (i.e. associate a Principal with the subject). As we know from JAAS, the way AccessController checks permissions is by looking at the Principal in the Subject and seeing if that Principal is granted the permission in the "policy" file (or by checking with the Policy class). What it does NOT do, is see if that Subject
  has the right to hold that Principal. Rather, it assumes the Subject is authenticated.
  So a user who is allowed to use their own Module (as WebLogic's example shows) could do something like:
  //THEIR LOGIN MODULE (SOME CODE CUT-OUT FOR BREVITY)
  public class BasicModule implements LoginModule
  private NameCallback strName;
  private PasswordCallback strPass;
  private CallbackHandler myCB;
  private Subject subj;
           //INITIALIZE THIS MODULE
             public void initialize(Subject subject, CallbackHandler callbackHandler, Map sharedState, Map options)
                    try
                         //SET SUBJECT
                           subj = subject;  //NOTE: THIS GIVES YOU REFERENCE
  TO LOGIN CONTEXT'S SUBJECT
                                                   // AND ALLOWS YOU TO PASS
  IT BACK TO THE LOGIN CONTEXT
                         //SET CALLBACKHANDLERS
                           strName = new NameCallback("Your Name: ");
                           strPass = new PasswordCallback("Password:", false);
                           Callback[] cb = { strName, strPass };
                         //HANDLE THE CALLBACKS
                           callbackHandler.handle(cb);
                    } catch (Exception e) { System.out.println(e); }
       //LOG THE USER IN
         public boolean login() throws LoginException
            //TEST TO SEE IF SUBJECT HOLDS ANYTHING YET
            System.out.println( "PRIOR TO AUTHENTICATION, SUBJECT HOLDS: " +
  subj.getPrincipals().size() + " Principals");
            //SUBJECT AUTHENTICATED - BECAUSE SUBJECT NOW HOLDS THE PRINCIPAL
             MyPrincipal m = new MyPrincipal("Admin");
             subj.getPrincipals().add(m);
             return true;
           public boolean commit() throws LoginException
                 return true;
      }(Sorry for all that code)
  I tested the above code, and it fully associates the Subject (and its principal) with the LoginContext. So my question is, where in the process (and code) can we put the LoginContext and Modules so that a client cannot
  do this? With the above example, there is no Security. (a call to: myLoginContext.getSubject().doAs(...) will work)
  I think the key here is to understand JAAS's plug-in security model to mean:
  (Below are my words)
  The point of JAAS is to allow an application to use different ways of authenticating without changing the application's code, but NOT to allow the user to authenticate however they want.
  In WebLogic's example, they unfortunately seem to have used the latter understanding, i.e. "allow the user to authenticate however they want."
  That, as I think I've shown, is not security. So how do we solve this? We need to put JAAS on the server side (with no direct JAAS client-side), and that includes the LoginModules as well as LoginContext. So for an EJB Server this means that the same internal permission
  checking code can be used regardless of whether a client connects through
  RMI/RMI-IIOP/JEREMIE (etc). It does NOT mean that the client gets to choose
  how they authenticate (except by choosing YOUR set ways).
  Before we even deal with a serialized subject, we need to see how JAAS can
  even be used on the back-end of an RMI (RMI-IIOP/JEREMIE) application.
  I think what needs to be done, is the client needs to have the stubs for our
  LoginModule, LoginContext, CallBackHandler, CallBacks. Then they can put
  their info into those, and everything is handled server-side. So they may
  not even need to send a Subject across anyways (but they may want to as
  well).
  Please let me know if anyone sees this problem too, or if I am just completely
  off track with this one. I think figuring out how to do JAAS as though
  everything were local, and then putting RMI (or whatever) on top is the
  first thing to tackle.

  Send this to:
  newsgroups.bea.com / security-group.

• How to enable JAAS with jdeveloper

  hi all,
  I start reading about JAAS and previously i developed an web application and now i want to implement XML based JAAS in it i searched different articles which shows JAAS with DB support, can any one mention any good article with baby steps for xml based jaas in jdeveloper,
  I first to understand JAAS with babay steps then i will implement it in my application.
  A hello world type of tutorial with jdeveloper.
  Thanks & Regards
  imran

  Hi,
  I started a how-to about using the JAAS provider for container managed authentication. But this is about using container managed security with custom JAAS login modules.
  If you want to natively code in JAAS, all you need to do is to ensure you set the jaasMode in the aplication's orion-application.xml file. See the OC4J security guide, which is a part of teh OracleAs documentation available nline at otn.oracle.com --> documentation
  The XML provider is the dafult provider configured in OC4J and can have user and groups configured as well as JAAS permissions for each of them. You specify the JAAS LoginModule in the system-jazn-data.xml file of the OC4J container and access the login configuration name within your application as part of the created JAAS LoginContext. Once you have this, you obtain a authenticated subject with the user Principals. Using this principals you can now perform check permissions on the AccessController context.
  Frank

• I would like to integrate JAAS with Weblogic 8

  Hi,
  I would like to integrate JAAS with Weblogic 8, but I noticed that BEA%u2019s documentation on JAAS doesn't make it clear whether Weblogic uses a non-standard way of invoking JAAS. Can I suggest someone at BEA post a clear example on how to integrate JAAS with weblogic 8.1?
  Any help will be greatly appreciated.
  Thanks,
  Ana

  Hi Ana,
  I'm not understanding what you're trying to do:
  a) write a fat client that uses JAAS to login to a WLS server?
  If so, you should read the weblogic JAAS documentation for fat clients.
  Basically, the fat client should use the JAAS login module supplied by
  WLS that does a login to the server over the wire under the covers
  (vs. writing your own login module). The server will use its
  configured
  atn providers to complete the login.
  b) Write application code that runs inside WLS (e.g. a servlet) that uses
  JAAS to log into another WLS server?
  Similar to (a) above
  c) Customize how a WLS server logs in users - ie. write a
  login module that WLS will use whenever it needs to login
  a user?
  If so, you should read the weblogic documentation on how
  to write security providers and start from the sample security
  providers on the dev2dev center.
  Basically, you need to write an authentication provider. Part
  of writing an authentication provider is writing a login module.
  -tm
  "Ana" <[email protected]> wrote in message
  news:40168bcf$[email protected]..
  Hi,
  I would like to integrate JAAS with Weblogic 8, but I noticed thatBEA%u2019s documentation on JAAS doesn't make it clear whether Weblogic uses
  a non-standard way of invoking JAAS. Can I suggest someone at BEA post a
  clear example on how to integrate JAAS with weblogic 8.1?
  >
  Any help will be greatly appreciated.
  Thanks,
  Ana

• Problems using JAAS with EJB 3.0 on JBoss 4.0.4-GA

  Hello all,
  I am trying to build a very simple JavaEE application with JAAS, but I getting mad.
  I have an EAR packed with a WAR module an EJB JAR module and a JAR with other classes. Struts is the MVC framework and EJB 3.0 is been used.
  First of all, I configured the "login-config.xml" file within /conf directory in JBoss, like this:
  <application-policy name="exemplo1">
       <authentication>
            <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
                 <module-option name="dsJndiName">java:jdbc/Infra_Seguranca</module-option>
                 <module-option name="principalsQuery">SELECT COD_USUARIO AS Password FROM USUARIO WHERE COD_USUARIO=?</module-option>
                 <module-option name="rolesQuery">SELECT NOME_ROLE AS Roles, 'Roles' AS RoleGroups FROM ROLE_USUARIO WHERE COD_USUARIO=?</module-option>
            </login-module>
       </authentication>
  </application-policy>Next I configured the "web.xml" file like this:
  <security-constraint>
       <web-resource-collection>
            <web-resource-name>Restricted</web-resource-name>
            <description>Declarative security tests</description>
            <url-pattern>*.do</url-pattern>
       </web-resource-collection>
       <auth-constraint>
            <role-name>xxx</role-name>
       </auth-constraint>
       <user-data-constraint>
            <description>no description</description>
            <transport-guarantee>NONE</transport-guarantee>
       </user-data-constraint>
  </security-constraint>
  <login-config>
       <auth-method>FORM</auth-method>
       <realm-name>exemplo1</realm-name>
       <form-login-config>
            <form-login-page>/login.jsp</form-login-page>
            <form-error-page>/loginErro.jsp</form-error-page>
       </form-login-config>
  </login-config>
  <security-role>
       <description>Role xxx</description>
       <role-name>xxx</role-name>
  </security-role>Notice that I am using the "xxx" role to protect the "*.do" URL pattern.
  The "jboss-web.xml" is like this:
  <?xml version="1.0"?>
  <jboss-web>
       <security-domain>java:/jaas/exemplo1</security-domain>
  </jboss-web>As it is, it works perfectly, which means, every time I try to access a "*.do" URL it verifies whether I am authenticated and have authroization or not. If not, the login page shows up.
  Now I wanna to be able to also protect my EJBs.
  My Stateless Session Bean is implemented as follow:
  @RolesAllowed("yyy")
  @Stateless(name="UserManagement")
  public class UserManagementBean implements UserManagement {
       public void add(User user) {
  }When I run all this, the container simply igoners the @RolesAllowed("yyy") annotation and allow the EJB execution.
  If I add the "jboss.xml" file, like this:
  <?xml version="1.0"?>
  <jboss>
       <security-domain>java:/jaas/exemplo1</security-domain>
  </jboss>I start getting this stack trace:
  ERROR [UsersRolesLoginModule] Failed to load users/passwords/role files
  java.io.IOException: No properties file: users.properties or defaults: defaultUsers.properties found
  at org.jboss.security.auth.spi.Util.loadProperties(Util.java:313)
  at org.jboss.security.auth.spi.UsersRolesLoginModule.loadUsers(UsersRolesLoginModule.java:186)
  at org.jboss.security.auth.spi.UsersRolesLoginModule.createUsers(UsersRolesLoginModule.java:200)
  at org.jboss.security.auth.spi.UsersRolesLoginModule.initialize(UsersRolesLoginModule.java:127)
  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  ... Am I missing something? What do I have to do to get JAAS working fine with my EJBs? Do I have to also configure and/or provide "ejb-jar.xml" ???
  Thanks
  Daniel

  Using @SecurityDomain("exemplo1") in my EJB and NOT providing jboss.xml, it works.
  @SecurityDomain("exemplo1")
  @RolesAllowed("yyy")
  @Stateless(name="UserManagement")
  public class UserManagementBean implements UserManagement {
    public void add(User user) {
  }Damn! This is some serious shit... I don�t want to configure this in every single EJB.
  EJB 3.0 is nice, but some small trivial details like this and others, that was forgotten by Sun, piss me off!

• Oracle JAAS with roles from database tables and Oracle SSO integration

  I have the following requirement for user authentication and authorization. The applications are build using ADF Faces and BC4J. User authentication should be done using Oracle SSO. User roles and functions will be stored in custom tables. These roles will be used on ADF application pages to restrict access to the UI components on a page. Example: User will "Employee" role cannot create a new employee; however, user with "HR" role can create a new employee.
  In this case, "Create" button will be visible on the ADF page.
  1. How can we use Oracle JAAS to use custom tables for roles instead of using flat XML files?
  2. How does ADF applications use these roles to restrict components on a page?
  3. For authentication, I guess we should be able to use SSO and integrate with Oracle JAAS?
  Thanks.

  Hi,
  I can give you the answers to 1 and 2 but haven't tried 3.
  1) Oracle OC4J since 10.1.3.1 has a database LoginModule that is explained in the OC4J security guide.
  I have a how-to document in review that will be published probaby next week and that explains how to set this LogiNModule up for JDeveloper and stand alone OC4J, though the OC4J documentation is pretty good as well
  http://download-west.oracle.com/docs/cd/B32110_01/web.1013/b28957/loginmod.htm#BABCDDAI
  2) Create a managed bean with boolan methods like isUserManager, isUserEmployee, isUserTechnician etc. In this methods check for the security role on teh request object's isUserInRole() method. Then access this methods from the disabled or rendered property using ExpressionLanguage
  A custom Login ModuleDoesn't use Oracle JAAS but plugs into it. So I am not sure if SSO would work with this because the custom LoginModule wouldn't get a username password pair but only a username that it has to trust.
  Frank

• How to implement JAAS With Weblogic 10.3

  I am working on a migration project. A project is to be migrated from JBOSS to Weblogic 10.3. JAAS has been used in JBOSS for security purpose.
  Required classess like LoginModule, CallBackHandler are customized and put into a jar file. Next a Login page has been created with action=”j_security_check”, which is supposed to be called whenever protected resource has been requested. In web.xml Roles and Policies are defined. There is a jboss-web.xml in which roles are mentioned. In web.xml
  There is a login-config.xml that has been put into Jboss server classpath. In this file, some sql queries are there.
  In weblogic I am not able to understand that how to configure this login-config, how to map roles and policies. Exactly I am not able to find what are the steps needed to implement this JAAS in weblogic10.3. I also tried using the Read-Only SQL Authenticator Provider under security Realms but not sure how to use groups, because I have no Group related tables in my DB.
  Kindly anyone share the knowledge.

  Hi,
  I also want to do the same thing. Did you get any solution for this problem. If yes then please share it with me. I am struggling with this.
  Thanks,
  Sanjay

• How to use GSS and JAAS with kerberos

  Hi,
  I am new to this subject, I have setup a kerberos server on win 2000, and i have registered my other servers to it, this setup works fine , now what i have to do is the following
  1, Display a HTML page where i will take the user id and password for domain 1,
  2 Validate this user id and password using JAAS
  3 Create a connection object with domain 2, (which is AS400)
  So how do i setup my websphere to do so, also can any one provide java code to get GSS credentials and create connection to any other server
  Ashish

  Look for "Single Sign-on Using Kerberos in Java" in google or on Sun's web site. Maybe this paper will help you.
  Claude

• Decl J2EE auth and auth with JAAS with custom module

  Hi Frank:
  I have posted another msg where I was trying the non-custom Login module with no luck. In the meantime, I tried the custom module and still having problem. When I click on dlmtest.jsp it brings up the inbuilt login module and not the custom one. My db_schema is "SECURITYTESTER" and pwd = "oracle"
  Hetre is my jazn-data.xml
  <?xml version = '1.0' encoding = 'UTF-8' standalone = 'yes'?>
  <jazn-data xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://xmlns.oracle.com/oracleas/schema/jazn-data-10_0.xsd" filepath="" OC4J_INSTANCE_ID="">
  <jazn-loginconfig>
  <application>
  <name>DBLMTest</name>
  <login-modules>
  <login-module>
  <class>oracle.sample.dbloginmodule.DBProcLM.DBProcLoginModule</class>
  <control-flag>required</control-flag>
  <options>
  <option>
  <name>debug</name>
  <value>true</value>
  </option>
  <option>
  <name>jdbcDriver</name>
  <value>oracle.jdbc.driver.OracleDriver</value>
  </option>
  <option>
  <name>application_realm</name>
  <value>Online Trainings</value>
  </option>
  <option>
  <name>plsql_procedure</name>
  <value>DBPROCLM.GET_USER_AUTHENTICATION</value>
  </option>
  <option>
  <name>db_schema</name>
  <value>SECURITYTESTER</value>
  </option>
  <option>
  <name>jdbcUrl</name>
  <value>jdbc:oracle:thin:@localhost:1521:xe</value>
  </option>
  <option>
  <name>db_schema_pw</name>
  <value>oracle</value>
  </option>
  <option>
  <name>log_level</name>
  <value>ALL</value>
  </option>
  </options>
  </login-module>
  </login-modules>
  </application>
  </jazn-loginconfig>
  </jazn-data>
  orien-app is here
  <?xml version = '1.0' encoding = 'windows-1252'?>
  <!DOCTYPE orion-application PUBLIC "-//Evermind//DTD J2EE Application runtime 1.2//EN" "http://xmlns.oracle.com/ias/dtds/orion-application.dtd">
  <orion-application>
  <!--
  <jazn provider="XML"
  default-realm="jazn.com" location="./jazn-data.xml">
  <property name="role.mapping.dynamic" value="true"/>
  <property name="jaas.username.simple" value ="true" />
  </jazn>
  -->
  <jazn provider="XML" location="./jazn-data.xml">
  <property name="custom.loginmodule.provider" value="true"/>
  <property name="role.mapping.dynamic" value="true"/>
  </jazn>
  </orion-application>
  My application.xml
  has
  <?xml version = '1.0' standalone = 'yes'?>
  <orion-application xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://xmlns.oracle.com/oracleas/schema/orion-application-10_0.xsd" autocreate-tables="true" default-data-source="jdbc/OracleDS" schema-major-version="10" schema-minor-version="0">
  <web-module id="defaultWebApp" path="../default-web-app"/>
  <library path="C:\jdevstudio10132/j2ee/home/lib/DBLoginModule.jar"/>
  So, why is it not bringing up the custom login module. And, I can't authenticate in this case as well.
  Thanks for your help (and on your help on the non-customized version of my post)

  Hi,
  most likely the reason is that the deployed application name is not the same name you provided when configuring the LoginModule (DBLMTest). Its documented in the paper that comes with the LogiNmodules i wrote
  Frank

• SPNego  - SETSPN with alias for two separate physical servers

  Hi All
  We have a scenario where the client has a production server and a backup production server, and a single alias pointing to both (meaning - when the main production server fails, the requests are routed to the backup production server). We need to configure SPNego for these servers.
  Lets say the alias name is pralias.company.com
  and the main production host name is prod1.company.com
  and the backup production host name is backprod.company.com
  If I have to setspn to the production servers, can I use just one service user for all these three servers? My SETSPN commands would be:
  SETSPN -A HTTP/pralias.company.com scv-j2e-user
  SETSPN -A HTTP/prod1.company.com scv-j2e-user
  SETSPN -A HTTP/backprod.company.com scv-j2e-user
  In the above commands, I have the same service user for all three domain names. Would this work? Or would I need to have 3 separate service users?
  Thanks
  OJ

  >
  Olivier CHRETIEN wrote:
  > Why would you need 3 SETSPN commands ?
  > I would only type a SETSPN command for pralias.company.com and make sure that all users only use URLs with the alias.
  That's a common scenario, e.g., to connect to a load-balancer, but also to be able to connect to the individual servers (in case you're investigating if a problem is server-specific).
  See Note 1387370, which confirms that single service user can be used for multiple server names (or aliases).
  Regards,
  Sean

• Running JAAS with JBOSS

  Please anybody tell me how to configure JAAS in JBOSS
  I have included in my code . while i am runnin that code with JBOSS it is throwing the following exception:
  09:45:21,484 ERROR [STDERR] javax.security.auth.login.FailedLoginException: Pass
  word Incorrect/Password Required
  09:45:21,484 ERROR [STDERR] at org.jboss.security.auth.spi.UsernamePasswordL
  oginModule.login(UsernamePasswordLoginModule.java:213)
  09:45:21,500 ERROR [STDERR] at org.jboss.security.auth.spi.UsersRolesLoginMo
  dule.login(UsersRolesLoginModule.java:152)
  09:45:21,500 ERROR [STDERR] at sun.reflect.NativeMethodAccessorImpl.invoke0(
  Native Method)
  09:45:21,500 ERROR [STDERR] at sun.reflect.NativeMethodAccessorImpl.invoke(U
  nknown Source)
  09:45:21,500 ERROR [STDERR] at sun.reflect.DelegatingMethodAccessorImpl.invo
  ke(Unknown Source)
  09:45:21,500 ERROR [STDERR] at java.lang.reflect.Method.invoke(Unknown Sourc
  e)
  Please respond me how to configure it in JBOSS

  How did you packaged the web application - Is it a WAR file?i didnt make any war file I just worked with JBilderX which makes WEB MODULE and i think that is the WAR file??
  Where you put the web archive on the JBoss (Path please)?no where....:(
  hay! i just configured JBoss with JBuilderX and then started using it right away.
  is there any thing else to be done
  please tell me
  waiting...

• How integrate JAAS with EJB Server?

  I want to use JAAS to create a security Handler for an open source EJB Server. Does anyone have some suggestions on how best to integrate this with EJB's (using EJB 1.1 for now)?
  Any ideas, or problems you might see, or things to be careful of are all welcome!

  Weblogic 6 actually provides this as an example. They use JAAS login modules for authentication purposes. I don't think this integration is too difficult. In integrating authorization I believe they just delegate to one of their security realms.

• Using oc4j Jaas with external user-base

  Hi,
  Im evaluating the possibility of migrating my application from BEA Weblogic 7.00 to Oracle9iAS. I Use OC4j 9.0.3 for the migration proof.
  My Weblogic application uses a LoginModule, written by us which access our existing user-base (stored in an rdbms).
  We use proprietary Principal classes and update the Subject when a login 'transaction' is committed.
  Our EJB code (which is the resource we want to protect) includes role definitions and the specific weblogic deployment-descriptors includes mapping between the roles defined in the ejb dd and the principal names we return with the login-module.
  I have some questions:
  1. How can i perform a similar mapping (propriatary principal names to ejb roles), do i have to declare all those principals in jazn.data?, where do I have to declare them?
  2. Can i disregard the UserManager concept?
  3. Do i have to implement a LoginContext on my own?
  4. Do I need to explicitly call LoginCOntext.login in my login code or is it automatically done (please elaborate)?
  5. Do i have to keep using RealmLoginManager along with my LoginModule?
  6. Where is the preferable place for putting the login module (application’s ear file?)
  7. Can i use any LoginModule which simply implements the JAAS LoginModule interface?, are there any specific oracle behavior/requirement i should know about?
  8. What is the class name for the JAZN class which serves as the default LoginContext?
  Note: I dont want to integrate with OID or manage the user-base using Oracles JAZN-XML, i want to simply integrate with my own existing user authentication data and use it for authorizing calls to EJBS.
  Thanks in advanced,
  Yuval.

  sorry for delay in repsonding.
  I only use my LDAP directory to manage poeple and groups but not organisational units.
  When a user logs in using BPM, you view the details for a person in process administrator or view a groups members etc that information is then stored in the bpm database. That information is refreshed whenever the directory service is polled. The frequency of this is determined by the value of 'Directory Polling Interval' set under the Other tab of your engine.
  I don't belive the user passwords etc are stored in the bpm database only meta information about people and groups and therefore your directory service must be available whenever a user tries to login to workspace etc.
  Hope that helps,
  Mike.

• Complete configuration of JAAS with JBOSS using database

  JAAS Configuration
  1.     Database
       Create following table:
  a.     Principals table consists of usernames (PrincipalID) and their passwords.
  CREATE TABLE Principals (PrincipalID VARCHAR (64) PRIMARY KEY,
  Password VARCHAR (64))
  Insert data
  INSERT INTO Principals VALUES ('java', 'echoman')
  INSERT INTO Principals VALUES ('duke', 'javaman')     
  b.     Roles table consists of usernames (PrincipalID) and their Role and the
  RoleGroup they belong.
  CREATE TABLE Roles (PrincipalID VARCHAR (64), Role
  VARCHAR (64), RoleGroup VARCHAR (64))
  Insert data
  INSERT INTO Roles VALUES ('java', 'Echo', 'Roles')
  INSERT INTO Roles VALUES ('java', 'caller_java', 'CallerPrincipal')
  INSERT INTO Roles VALUES ('duke', 'Java', 'Roles')
  INSERT INTO Roles VALUES ('duke', 'Coder', 'Roles')
  INSERT INTO Roles VALUES ('duke', 'caller_duke', 'CallerPrincipal')
  INSERT INTO Roles VALUES ('duke', 'Echo', 'Roles')
  2.     login-config.xml
  This file is located in jboss-3.2.1\server\default\conf
  a.     add the following lines
                           <application-policy name="example2">
                                <authentication>
                                     <login-module code="org.jboss.security.ClientLoginModule" flag="required">
                                </login-module>
                           <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
                           flag="required">
                           <module-option name="managedConnectionFactoryName">
                      jboss.jca:service=LocalTxCM,name=SybaseDB
                                     </module-option>
                                     <module-option name="dsJndiName">
                                          java:/SybaseDB
                                     </module-option>
            <module-option name="principalsQuery">
            Select Password from Principals where PrincipalID =?
            </module-option>
                                     <module-option name="rolesQuery">
                                          Select Role 'Roles', RoleGroup 'RoleGroups' from Roles where                                              PrincipalID =?
                                     </module-option>
                           </login-module>
                      </authentication>
                 </application-policy>
  3.     jboss-web.xml
       Create a file jboss-web.xml and place the following code
            <?xml version="1.0" encoding="UTF-8"?>
            <jboss-web>
                 <security-domain>java:/jaas/example2</security-domain>
            </jboss-web>
  example2 is the name of the security domain which we specified in application policy of login-config.xml
  Copy this file in your applications WEB-INF folder
  4. auth.conf
       Create a file auth.conf and place it in jboss-3.2.1\client.
  client-login
            org.jboss.security.ClientLoginModule required;
  example2
            org.jboss.security.ClientLoginModule required;
  org.jboss.security.auth.spi.DatabaseServerLoginModule required;
  5.     auth.conf
       Create another auth.conf and place it in jboss-3.2.1\server\default\conf
  // The JBoss server side JAAS login config file for the examples
  client-login
            org.jboss.security.ClientLoginModule required;
  example2
            org.jboss.security.ClientLoginModule required;
       org.jboss.security.auth.spi.DatabaseServerLoginModule
  required
            dsJndiName="java:/SybaseDB"
  principalsQuery="Select Password from Principals where PrincipalID =?"
  rolesQuery="Select Role 'Roles', RoleGroup 'RoleGroups' from Roles where PrincipalID =?"
  5.     jndi
       Path jboss-3.2.1\server\default\conf
       java.naming.factory.initial=org.jnp.interfaces.NamingContextFactory
  java.naming.factory.url.pkgs=org.jboss.naming:org.jnp.interfaces
  # Do NOT uncomment this line as it causes in VM calls to go over
  # RMI!
  java.naming.provider.url=localhost:1099
  #localhost
  6.     web.xml
  Place the following code in your web.xml.(Change it according to your application requirements).
       <security-constraint>
            <web-resource-collection>
                 <web-resource-name>action</web-resource-name>
                 <description>Declarative security tests</description>
                 <url-pattern>*.do</url-pattern>
                 <http-method>HEAD</http-method>
                 <http-method>GET</http-method>
                 <http-method>POST</http-method>
                 <http-method>PUT</http-method>
                 <http-method>DELETE</http-method>
            </web-resource-collection>
            // the role which can access these resources
            <auth-constraint>
                 <role-name>Echo</role-name>
                 <!--<role-name>Java</role-name>-->
            </auth-constraint>
            <user-data-constraint>
                 <description>no description</description>
                 <transport-guarantee>NONE</transport-guarantee>
            </user-data-constraint>
       </security-constraint>
            //the login page in case of Basic authentication
       <!--<login-config>
            <auth-method>BASIC</auth-method>
            <realm-name>JAAS Tutorial Servlets</realm-name>
       </login-config>-->
       //the login page in case of form based authentication
       <login-config>
            <auth-method>FORM</auth-method>
            <form-login-config>
                 <form-login-page>/logon.do</form-login-page> //path to login page
                 <form-error-page>/logoff.do</form-error-page> //path in case login fails
            </form-login-config>
       </login-config>
       <security-role>
            <description>A user allowed to invoke echo methods</description>
            <role-name>Echo</role-name>
       </security-role>
       <!--
       <security-role>
            <description>A user allowed to invoke echo methods</description>
       <role-name>Java</role-name>
       </security-role>
       -->
  7.     login.jsp
  <%@ page contentType="text/html; charset=UTF-8" %>
  <%@ page language="java" %>
  <html >
  <HEAD>
  <TITLE></TITLE>
  <!-- To prevent caching -->
  <%
  response.setHeader("Cache-Control","no-cache"); // HTTP 1.1
  response.setHeader("Pragma","no-cache"); // HTTP 1.0
  response.setDateHeader ("Expires", -1); // Prevents caching at the proxy server
  %>
  <SCRIPT>
  function submitForm() {
  var frm = document. logonForm;
  // Check if all the required fields have been entered by the user before
  // submitting the form
  if( frm.j_username.value == "" ) {
  alert("blank");
  frm.j_username.focus();
  return ;
  if( frm.j_password.value == "" ) {   
  alert("blank");
  frm.j_password.focus();
  return ;
  frm.submit();
  </SCRIPT>
  </HEAD>
  <BODY>
  <FORM name="logonForm" action="logon.do" METHOD=POST>
  <TABLE width="100%" border="0" cellspacing="0" cellpadding=
  "1" bgcolor="white">
  <TABLE width="100%" border="0" cellspacing=
  "0" cellpadding="5">
  <TR align="center">
  <TD align="right" class="Prompt"></TD>
  <TD align="left">
  <INPUT type="text" name="j_username" maxlength=20>
  </TD>
  </TR>
  <TR align="center">
  <TD align="right" class="Prompt"> </TD>
  <TD align="left">
  <INPUT type="password"
  name="j_password" maxlength=20 >
  <BR>
  <TR align="center">
  <TD align="right" class="Prompt"> </TD>
            <TD align="left">     
       <input type="submit" onclick="javascript:submitForm();" value="Login">
  </TD>
  </TR>
  </TABLE>
  </FORM>
  </BODY>
  </html>
  8. Your action class should contain the following code
       a. Pacakages to be imported
  import java.util.Set;
  import javax.security.auth.Subject;
  import javax.security.auth.callback.CallbackHandler;
  import javax.security.auth.login.LoginContext;
  import javax.security.auth.login.LoginException;
  import org.jboss.security.SimplePrincipal;
  import org.jboss.security.auth.callback.SecurityAssociationHandler;
       try
  SecurityAssociationHandler handler = new
  SecurityAssociationHandler();
  user = new SimplePrincipal(username);
  handler.setSecurityInfo(user, password.toCharArray());
  LoginContext loginContext = new LoginContext("example2",
  (CallbackHandler)handler);
  loginContext.login();
  Subject subject = loginContext.getSubject();
  Set principals = subject.getPrincipals();
  principals.add(user);
  }catch(LoginException e)
  { errors.add("loginerror", new ActionError("Wrong Username or  Password")); saveErrors(request, errors);
  //other login related code

  Hi,
  Can I just first of all say how useful I found this article.
  It has been a great help in explaining what I need to do.
  I just had a couple of questions about the details...
  1) The jndi.properties file appears to be much the same except for the line...
  java.naming.provider.url=jnp://localhost:1099
  Are you saying we need to add that line to the jndi.properties or else all calls will go through rmi ?
  2) Should the line be java.naming.provider.url=jnp://localhost:1099 or url=localhost:1099 ?
  Thanks again for the article
  Dave

• SPNego configuration with Active Directory as UME datasource

  Here are some additional informations:
  According to SAP note 718383 changing an existing datasource configuration "dataSourceConfiguration_abap.xml" is not possible.
  But my aim is to connect an ADS server as datasource
  (dataSourceConfiguration_ads_readonly_db_with_krb5.xml).
  Can I use my existing J2EE Engine at all?
  The system has evolved like this:
  BW 3.5 installation, upgrade to NW2004s, then Java Add In-Installation.
  Or is it necessary to install an additional java instance?
  I have just experiemented a bit:
  In the Offline-Configtool the UME Property "Global server configuration ->
  services -> com.sap.security.core.ume.service ->
  ume.persistence.data_source_configuration" changed like this:
  OLD: dataSourceConfiguration_abap.xml
  NEW: dataSourceConfiguration_ads_readonly_db_with_krb5.xml
  Then I restarted the J2EE cluster.
  Result: the server0 process does not start anymore.
  But at least now I could enter same values for the LDAP server (in the Offline-Configtool),
  choose values from the drilldown list for the several configuration files and so on...
  -> but is this the correct way at all?
  Kind regards
  Rüdiger Höckel
  apetito AG

  Hi Rüdiger,
  It all depends on what you want to do. You installed the AS Java as an Add-in to take adavantage of the existing user base in your AS ABAP and to access the resource from the AS ABAP from a portal.
  OK, but now you want to do something about SSO and enable kerberos logon. For this you need the kerberos principal name from your ADS. OK, authentication is not my strong suit, but here are some ideas you can try. By the way in SAP NetWeaver 7.1 there is a configuration to log on to the AS Java using logon data from an LDAP, but still use the backend AS ABAP. See Configuring the UME for Directory Service Sync with AS ABAP for details. However, since you are still using 7.0, let's stick with that for now.
  1. Use the LDAP Sync of the AS ABAP function to synchronize the user data of the AS ABAP and your ADS. You must populate the AS ABAP user records with the kerberos principal name. Which ABAP field you populate with this value I am not sure. You would then have to adapt the following procedure to get this data into your AS Java: Configuring the UME when Using Non-ADS Data Sources.
  2. Set up a second AS Java and portal with the ADS as the datasource. Then migrate your users from the old one to the new one. Unfortunately, the users have different user IDs on the AS Java and the AS ABAP, so you would have to maintain user mapping between the two systems.
  3. Use SAP NetWeaver Identity Management Identity Center to distribute the user data between the systems.
  Unfortunately this kind of configuration is not well documented. I will see if I can find someone who can comment on this kind of setup.
  -Michael