Storing authenticated Subject

I am creating a database application in which certain resources are restricted to certain resources. Such users with access can login. I am using JAAS authentication, so I use the LoginContext.login function and retrieve a Subject from the loginContext object. However, where should I store it so that I can use it whenever I execute code with Subject.doAsPrivileged()?
Someone suggested using a custom security manager extending the standard SecurityManager and setting it as the security manager with System.setSecurityManager(). A variable of type Subject or LoginContext would be stored in this security manager and could be retrieved with System.getSecurityManager().
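Added example (not code from the original post) of the alternative to a JVM-wide field in a custom SecurityManager: the Subject is bound to the call by Subject.doAsPrivileged and recovered inside the action from the AccessControlContext, so it is scoped to that call and thread instead of being shared by every user of the process. The UserPrincipal class and the constructed Subject in main stand in for what LoginContext.getSubject() returns; on JDK 18 and later Subject.callAs and Subject.current() replace doAsPrivileged and getSubject, and SecurityManager itself has been deprecated for removal since JDK 17.

```java
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public class SubjectScopeExample {

    /** Minimal Principal so the demo runs without a directory or jaas.conf (constructed for this example). */
    static final class UserPrincipal implements Principal {
        private final String name;
        UserPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        public String toString() { return "UserPrincipal[" + name + "]"; }
    }

    /**
     * The restricted work. It takes no Subject parameter and reads no global:
     * it recovers the caller's Subject from the current AccessControlContext,
     * which doAsPrivileged populated for exactly this call.
     */
    static final class RestrictedQuery implements PrivilegedAction<String> {
        public String run() {
            Subject caller = Subject.getSubject(AccessController.getContext());
            if (caller == null || caller.getPrincipals().isEmpty()) {
                throw new SecurityException("not running under an authenticated Subject");
            }
            Principal p = caller.getPrincipals().iterator().next();
            // The authorisation decision belongs here (e.g. check for a group Principal).
            return "query executed for " + p.getName();
        }
    }

    /** Production path: authenticate through JAAS, run the action, then log out. */
    static String runAsAuthenticatedUser(LoginContext lc) throws LoginException {
        lc.login();
        Subject subject = lc.getSubject();
        try {
            // null AccessControlContext: only this Subject's permissions count, not the
            // protection domains of whoever called us further up the stack.
            return Subject.doAsPrivileged(subject, new RestrictedQuery(), null);
        } finally {
            lc.logout(); // clears the Subject's credentials; nothing lingers in a global
        }
    }

    public static void main(String[] args) {
        // Constructed Subject standing in for the one LoginContext.getSubject() would return.
        Subject subject = new Subject();
        subject.getPrincipals().add(new UserPrincipal("alice"));
        subject.setReadOnly(); // nothing downstream can add principals to it

        System.out.println(Subject.doAsPrivileged(subject, new RestrictedQuery(), null));

        // The same action invoked outside doAsPrivileged sees no Subject and refuses to run.
        try {
            new RestrictedQuery().run();
        } catch (SecurityException expected) {
            System.out.println("outside doAsPrivileged: " + expected.getMessage());
        }
    }
}
```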


Similar Messages

  • How To tell ADF Framework to use my authenticated subject?

    Hi,
    let's say that I have a subject instance which is authenticated through Weblogic server. Now I want to use this authenticated subject to protect my resources using ADF Security. So how should I tell this to the ADF framework programmatically? For example I can think of storing my principal and roles in some type of objects and storing them in the session in a format that's understandable by the framework. By understandable I mean ADFContext.getCurrent.getSecurityContext.isUserAuthenticated returns true and getPrincipal returns my authenticated principal. I appreciate your help.
    Best Regards,
    Salim

    Hi Chris,
    I want to implement programmatic authentication. I was able to authenticate given the LoginModule (weblogic.security.auth.login.UsernamePasswordLoginModule), LoginContext (javax.security.auth.login.LoginContext) and a callback handler.
    try {
        loginContext.login();
        Subject subject = loginContext.getSubject();
    } catch (LoginException le) {
        // authentication failed
    }
    It authenticates successfully. But the problem is that it does not push the authenticated subject into the session. My guess is that there should be a way to configure the application server to use this subject for the session. I understand that ADF security just delegates calls to the application server. I thought maybe there is a way to do it with ADF. Thanks for the reply.
    Best Regards,
    Salim

  • How to access the authenticated Subject?

    Hello
    I'm using WS Security, and I have made a custom login module. I have registered the login module and it is working fine. But I have problems accessing the authenticated subject later.
    Any suggestions ?

    Hi,
    where do you store the authenticated Subject ?
    Frank

  • Ws-security runtime authentication subject

    Hi,
    When the ws-runtime performs the authentication based on the security token, does it attach the authenticated subject to the current thread?
    In the server-side handler for a webservices on which ws-security is enabled via ws-policy, if I call
    SubjectUtils.getUsername(weblogic.security.Security.getCurrentSubject())
    I am not getting the username i passed in the token as the authenticated subject.
    Can you please tell me which user does it attach to the current thread in webservices?

    Thanks for reply.
    Does that mean - there is NO WAY for X.509 certificate Authentication between OEG and OAM - regardless any OEG filter ?
    Cliff

  • Bind authenticated Subject to container

    In a web application I use JAAS to authenticate users of the web application. When the authentication is successful, I retrieve the authenticated Subject from my LoginContext using the getSubject() method. As a result of the successful authentication, one or more Principal objects will be associated with this Subject.
    Here is the point: After the user has been authenticated, I want to use the isUserInRole() method to check whether the user possesses certain roles (i.e. Principal objects). However, in order to do so, the container which runs the web application (JBoss 4) must know about the authenticated Subject. In other words: Before I can use the isUserInRole() method, I must somehow bind the authenticated Subject to the container. Is there a way in which this can be accomplished?
    Note: I do not want to use container managed security by enabling FORM authentication in web.xml because this has the disadvantage that I lose control over the authentication process (JBoss will then under the hood instantiate a LoginContext object and there is no way, as far as I know, to obtain a reference to this LoginContext).
    Thanks for any help.
    Ronald

    We have a howto for custom login modules here:
    http://www.oracle.com/technology/tech/java/oc4j/1013/how_to/howtocustomjaasprovider/doc/howtocustomjaasprovider.html
    As far as adding a third field, I think this would be managed in a login module's callback handler. This is from our docs:
    A callback handler is a javax.security.auth.callback.CallbackHandler
    instance that allows a login module to interact with a user to obtain login information.
    The only method specified by CallbackHandler is the handle(Callback[])
    method, which takes an array of callbacks, which are instances of a class that
    implements the java.security.auth.callback.Callback interface. Callbacks
    do not retrieve or display requested information from the underlying security service,
    but simply provide the functionality to pass the requests to an application and, as
    applicable, to return the requested information back to the security service.
    Callback implementations in the javax.security.auth.callback package include: a
    name callback handler (NameCallback) to handle a user name, a password callback handler (PasswordCallback) to handle a password, and a text input callback
    handler (TextInputCallback) to handle any field in a login form other than a user
    name or password field.
    If authentication succeeds, then the authenticated subject can be retrieved by invoking
    the getSubject() method of the LoginContext instance.
    Different login modules can be configured with different applications, and a single
    application can use multiple login modules. The JAAS framework defines a two-phase
    authentication process to coordinate the login modules configured for an application.
    You would probably follow these steps:
    1. Create a LoginContext
    2. Pass the CallbackHandlers to the LoginContext for gathering/processing authentication data
    3. Then authenticate by calling the LoginContext's login() method
    I think you can google examples of the TextInputHandler callback

  • Configuring J2EE Appl to obtain security roles from authentication Subject

    http://www.oracle.com/technology/products/jdev/howtos/10g/jaassec/index.htm says
    "Oracle JDeveloper can be used to add the orion-application.xml file to a web project, choosing orion-application.xml from the list of Deployment Descriptors in the JDeveloper New Gallery."
    The wizard asks me to select the deployment description version I want to use, either 1.2 or 10.0. What's the difference and which is the preferred choice?
    Regards,
    Al Malin

    Al Malin.
    I don't see a difference and usually use whatever is selected by default.
    Frank

  • How to pass back Subject do Client app after authentication via identity assertion

    I have developed an Identity Assertion Provider based on
    SampleIdentityAsserterProviderImpl provided by BEA.
    It seems that all works fine, but I don't know how to pass back the authenticated
    Subject to the client application in order to call methods runAs(Subject,
    PrivilegedAction). I have tried to build the Subject from
    connection.getInputStream() but when I use Subject constructed in that way I
    have received an error:
    lava.lang.SecurityException: Invalid Subject: principals=[user, usergroup1,
    usergroup1]
    Thanks in advance for any suggestions.
    Jerzy Nawrot

    Hi,
    as per the below comment.
    We want to change this and do it in a dynamic way so that the XCM configuration application can read these dynamic parameters and behave accordingly (like customers with different languages, client systems etc). This is the 1st part.
    You have to use different scenarios to be set in XCM like (customer specific to language, and client), and that to be passed in
    Where language specifications should be maintained in XCM settings only. Also to be noted that the Product catalog for those should also be maintained in that specific language.
    "/init.do?scenario=value2;
    The 2nd part leading this scenario is after the portal user successfully lands into ISA application, if the user needs to go back to the WDP java screen, would the JSP based ISA application be able to navigate back to the original WD Java iView Screen. ? or would it open in a new window ? (probably this can be set to be launched in same window)
    I am not sure, but if you go back to WD from ISA , ISA Session will die.
    Let me know if you have any further queries.
    Regards,
    Devender V

  • JNDI,AD,Kerberos Authentication, Windows

    Hi all,
    OS:
    Server: LDAP Server AD running on win2k server with KDC on the same machine
    Client: Sun's JNDI application on WinXP
    Scenario:
    I managed to make the well-known tutorial example (list 1) work well on both jdk1.4.2_05 and jdk1.5.1_02. The main steps can be summarized as
    step 1: Kerberos authentication with lc.login() based on JAAS
    step 2: Assume the identity of the authenticated subject
    step 3: Run JNDI client application under this identity with Subject.doAs()
    Problem:
    It's very hard to force users to run their JNDI applications UNDER step 1 & 2. As you know, step 3 is run by a spawned child thread and for this reason it's very hard to convince users, including myself, of doing SSO in this way. There should be a better way. Actually, the KDC's realm is built in such a way that all applications and computers under the same realm should be SSO Kerberos aware -- that is -- once the initial authentication is done, the identity assuming should be valid for the entire login session (usually 8~10 hours).
    Solution:
    Step 0: Create client's user account 'testuser' on AD
    Step 1: Initially login using command kinit()
    C\: kinit test
    Password for testuser@REALM:mypassword
    New ticket is stored in cache file C:\Documents and Settings\abc\kerb5cc_abc
    Step 2: Run JNDI client application (list 2)
    Error:
    GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos Ticket)
         at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:133)
         at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:72)
         at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)
         at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:389)
         at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:60)
         at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:37)
         at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:96)
         at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:178)
         at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:158)
         at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:155)
         at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:105)
         at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214)
         at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2637)
         at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:283)
         at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
         at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
         at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
         at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
         at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
         at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:247)
         at javax.naming.InitialContext.init(InitialContext.java:223)
         at javax.naming.InitialContext.<init>(InitialContext.java:197)
         at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:82)
         at JndiClientAction.main(JndiClientAction.java:61)
    javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided]]
         at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:150)
         at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214)
         at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2637)
         at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:283)
         at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
         at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
         at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
         at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
         at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
         at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:247)
         at javax.naming.InitialContext.init(InitialContext.java:223)
         at javax.naming.InitialContext.<init>(InitialContext.java:197)
         at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:82)
         at JndiClientAction.main(JndiClientAction.java:61)
    Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided]
         at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:174)
         at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:105)
         ... 13 more
    Caused by: GSSException: No valid credentials provided
         at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:69)
         at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:37)
         at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:96)
         at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:178)
         at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:158)
         at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:155)
         ... 14 more
    SOS:
    Can anyone pin point what's going wrong?
    Thanks in advance
    Spencer
    ------------------- LIST 1 -------------------
    import javax.naming.*;
    import javax.naming.directory.*;
    import javax.security.auth.login.*;
    import javax.security.auth.Subject;
    import com.sun.security.auth.callback.TextCallbackHandler;
    import java.util.Hashtable;

    /**
     * Demonstrates how to create an initial context to an LDAP server
     * using "GSSAPI" SASL authentication (Kerberos v5).
     * Requires J2SE 1.4, or JNDI 1.2 with ldapbp.jar, JAAS, JCE, an RFC 2853
     * compliant implementation of J-GSS and a Kerberos v5 implementation.
     *
     * Jaas.conf:
     * racfldap.GssExample {com.sun.security.auth.module.Krb5LoginModule required client=TRUE useTicketCache=true doNotPrompt=true; };
     *
     * 'qop' is a comma separated list of tokens, each of which is one of
     * auth, auth-int, or auth-conf. If none is supplied, the default is 'auth'.
     */
    class KerberosExample {
        public static void main(String[] args) {
            java.util.Properties p = new java.util.Properties(System.getProperties());
            p.setProperty("java.security.krb5.realm", "MYCOMPANY.ORG");
            p.setProperty("java.security.krb5.kdc", "mydomaincontroller.mycompany.org");
            p.setProperty("java.security.auth.login.config", "C:\\WINNT\\jaas.conf");
            System.setProperties(p);

            // 1. Log in (to Kerberos). The entry name must match the one in jaas.conf.
            LoginContext lc = null;
            try {
                lc = new LoginContext("racfldap.GssExample", new TextCallbackHandler());
                // Attempt authentication
                lc.login();
            } catch (LoginException le) {
                System.err.println("Authentication attempt failed" + le);
                System.exit(-1);
            }

            // 2. Perform JNDI work as logged in subject
            Subject.doAs(lc.getSubject(), new LDAPAction(args));
        }
    }

    /**
     * 3. Perform LDAP Action
     * The application must supply a PrivilegedAction that is to be run
     * inside a Subject.doAs() or Subject.doAsPrivileged().
     */
    class LDAPAction implements java.security.PrivilegedAction {
        private String[] args;
        private static String[] sAttrIDs;
        private static String sUserAccount = new String("testuser");

        public LDAPAction(String[] origArgs) {
            this.args = (String[])origArgs.clone();
        }

        public Object run() {
            performLDAPOperation(args);
            return null;
        }

        private static void performLDAPOperation(String[] args) {
            // Set up environment for creating initial context
            Hashtable env = new Hashtable(11);
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            // Must use fully qualified hostname
            env.put(Context.PROVIDER_URL, "ldap://mydomaincontroller.mycompany.org:389/DC=mycompany,DC=org");
            // Request the use of the "GSSAPI" SASL mechanism
            // Authenticate by using already established Kerberos credentials
            env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
            env.put("javax.security.sasl.server.authentication", "true");
            try {
                /* Create initial context */
                DirContext ctx = new InitialDirContext(env);
                /* Get the attributes requested */
                Attributes aAnswer = ctx.getAttributes("CN=" + sUserAccount + ",OU=mydivision,OU=Departments");
                NamingEnumeration enumUserInfo = aAnswer.getAll();
                while (enumUserInfo.hasMoreElements()) {
                    System.out.println(enumUserInfo.nextElement().toString());
                }
                // Close the context when we're done
                ctx.close();
            } catch (NamingException e) {
                e.printStackTrace();
            }
        }
    }
    ------------------- LIST 2 ------------------------------
    import javax.naming.*;
    import javax.naming.directory.*;
    import java.util.Hashtable;

    class JNDIClientAction {
        private static String[] sAttrIDs;
        private static String sUserAccount = new String("testuser");

        public static void main(String[] args) {
            // Set up environment for creating initial context
            Hashtable env = new Hashtable(11);
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            // Must use fully qualified hostname
            env.put(Context.PROVIDER_URL, "ldap://mydomaincontroller.mycompany.org:389/DC=mycompany,DC=org");
            // Request the use of the "GSSAPI" SASL mechanism
            // Authenticate by using already established Kerberos credentials
            env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
            try {
                /* Create initial context */
                DirContext ctx = new InitialDirContext(env);
                /* Get the attributes requested */
                Attributes aAnswer = ctx.getAttributes("CN=" + sUserAccount + ",OU=mydivision,OU=Departments");
                NamingEnumeration enumUserInfo = aAnswer.getAll();
                while (enumUserInfo.hasMoreElements()) {
                    System.out.println(enumUserInfo.nextElement().toString());
                }
                // Close the context when we're done
                ctx.close();
            } catch (NamingException e) {
                e.printStackTrace();
            }
        }
    }

    Hi,
    these Notes will help you :
    Note 352295 - Microsoft Windows Single Sign-On options
    Note 595341 - Installation issues with Single Sign-On and SNC
    Note 1580808 - SAP Logon 7.20: "SNC logon w/o SSO" for connection entry
    http://help.sap.com/saphelp_nwes72/helpdata/en/44/0ea40dc6970d1ce10000000a114a6b/frameset.htm
    For Windows SAP Servers pls download the libs of note 352295.
    For Linux use the one on OS level  ( /usr/lib64/libgssapi_krb5.so )
    For Linux make sure that the krb5 rpm packages are installed
    krb5-32bit.......
    krb5-...............
    krb5-client.......
    I hope this helps
    greetings
    oliver
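    Added example, not code from the thread above, showing one way to let LIST 2 use the ticket that kinit put in the cache without wrapping the call in Subject.doAs: with javax.security.auth.useSubjectCredsOnly=false the JGSS provider performs its own JAAS login through the com.sun.security.jgss.initiate entry (JDK 6 and later look for com.sun.security.jgss.krb5.initiate first and fall back to that name). The realm, KDC, jaas.conf path and DN are the constructed values from LIST 1, and the jaas.conf entry shown in the comment is assumed to exist.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/**
 * LDAP bind with GSSAPI using the credentials that kinit stored in the ticket
 * cache, without an explicit LoginContext or Subject.doAs in the application.
 *
 * Assumed jaas.conf (constructed for this example):
 *   com.sun.security.jgss.initiate {
 *       com.sun.security.auth.module.Krb5LoginModule required
 *           useTicketCache=true doNotPrompt=true;
 *   };
 * Add ticketCache="<path to the cache file>" to the entry if the cache is not
 * in the default location that kinit wrote to.
 */
class KinitTicketCacheClient {

    static DirContext connect() throws NamingException {
        System.setProperty("java.security.krb5.realm", "MYCOMPANY.ORG");
        System.setProperty("java.security.krb5.kdc", "mydomaincontroller.mycompany.org");
        System.setProperty("java.security.auth.login.config", "C:\\WINNT\\jaas.conf");
        // The current Subject is empty (no doAs), so allow JGSS to obtain Kerberos
        // credentials itself through the com.sun.security.jgss.initiate entry.
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");

        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        // Fully qualified host name: the service ticket requested is ldap/<fqdn>@REALM
        env.put(Context.PROVIDER_URL, "ldap://mydomaincontroller.mycompany.org:389/DC=mycompany,DC=org");
        env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
        // Mutual authentication: the client verifies the directory server's identity too.
        env.put("javax.security.sasl.server.authentication", "true");
        // Integrity-protect the LDAP session after the bind (auth-conf would also encrypt it).
        env.put("javax.security.sasl.qop", "auth-int");
        return new InitialDirContext(env);
    }

    public static void main(String[] args) {
        try {
            DirContext ctx = connect();
            try {
                Attributes answer = ctx.getAttributes("CN=testuser,OU=mydivision,OU=Departments");
                NamingEnumeration<?> attrs = answer.getAll();
                while (attrs.hasMore()) {
                    System.out.println(attrs.next());
                }
            } finally {
                ctx.close();
            }
        } catch (NamingException e) {
            // "No valid credentials provided" here means no usable ticket was found
            // in the cache (wrong location, or the ticket has expired).
            e.printStackTrace();
        }
    }
}
```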

  • Configuration of Public Key Authentication Policy for SFTP on OAG 11.1.2.2

    Hi
    I'm working on the configuration of an SFTP server over OAG, using both password and public key authentication.
    This particular listener needs 3 policies:
    - Password Authentication
    - Public Key Authentication
    - File upload
    Both File upload and password auth are working OK, but I've been having a hard time with the PK policy. This policy uses the attribute ${authentication.subject.public.key} to store the PK info, which I confirmed is being sent to the gateway (as modulus + public exponent), however I can not find a way to verify the key received with the ones on the Key Pairs store.
    OAG Version is 11.1.2.2
    Any comments?

    Hi a82383ca-36ac-49d5-aa6e-c3307f7e56e1,
    It would probably help if you place this question under the community for product you have questions about. I will see if I can help you move it to the proper one by asking around.
    Best regards,
    VictorI

  • Stored PDF files with Blob

    I have being storing PDF files using Blob, but it is getting very time consuming to access these files again.
    Is there a better way of doing it? Is there a right way of doing it? I do not need to search inside the PDF, but I do need to access them either inside the Database or outside.
    Thank You for any help

    I have a need to store PDF files that are documents that will complement processes that my system creates. And I need those PDF files to be accessible from inside my system. I do not need to search inside them because they will be stored by subject inside another subject, therefore whoever needs the files will know where to find them, but storing and accessing them is taking longer and longer as more files are added to the first thread.

  • JAAS: How can I access the JAAS subject in an EJB?

    Hello,
    I try to understand the JAAS integration in J2EE 1.3.
    I know:
    J2EE defines a role-based container managed authorization for the web and ejb container. Roles, users and their relationship are defined in the realm.
    JAAS has a more sophisticated policy-based authorisation model. Since J2EE1.3 I can define a realm using JAAS having the role-based authorization of the container managed security.
    My question:
    How can I access the JAAS subject object in an EJB or servlet to use the policy-based authorization?
    Thank you for your answers
    Peter

    May be I should redefine my question:
    If I use JAAS as J2EE-Realm, how can I receive the subject?
    All JAAS tutorials contain code fragments like
    LoginContext lc = new LoginContext("entryFoo");
    try {
        // authenticate the Subject
        lc.login();
        System.out.println("authentication successful");
        // get the authenticated Subject
        Subject subject = lc.getSubject();
    } catch (LoginException le) {
        // authentication failed
    }
    But if I use JAAS as J2EE-Realm the container creates the LoginContext.
    Whom can I ask for the subject now?
    There is no such method implemented in the EJBContext, the HttpServlet or HttpServletRequest!
    Peter

  • OWSM Policy - how to access subject from within protected service

    I am setting up a new instance of SOA Suite 11g for integration purposes at my organization. I am planning to use predefined WSM policies to protect the services (see http://download.oracle.com/docs/cd/E12839_01/web.1111/b32511/policies.htm).
    Most communication is server-to-server (e.g. HR sending data to CRM), so it would make sense to use something like X.509 (i.e. oracle/wss11_x509_token_with_message_protection_service_policy). However, I have a requirement that the underlying services (BPEL processes, for example), must know the subject (i.e. the server) that sent the message. For example, did this incoming message come from the HR system or the CRM system. This is used internally by the BPEL process for audit logs and other things.
    We also use OAM, so I will likely eventually use the oracle/wss_oam_token_service_policy to verify ObssoCookie values. In those cases, the underlying Java service or BPEL process will need to have access to the username of the authenticated user.
    I've searched and searched the documentation, and I cannot find any instructions about how to access details about the authenticated subject (such as username, roles, or X.509 properties) from within the protected service, whether it be a Java-based service, a BPEL process, or anything else.
    I did find some information about how to read SOAP header values from within Oracle BPEL processes (see http://chintanblog.blogspot.com/2007/12/insertextract-soap-headers-in-bpel-it.html). However, this looks like it will only work if I use the WSS UsernameToken policy (e.g. oracle/wss_username_token_service_policy), since that is the only policy where the actual subject identifier (username) is specified in a SOAP header.
    Do the other policies (X.509, SAML, and OAM) provide a mechanism to convey properties of the authenticated subject to the underlying service? If so, where is this documented? Thanks much!
    Sincerely,
    Nathan Kopp

    Is it wrong question or wrong thing to do?
    Let's make it a little bit easier/better/worse:
    How can I change policy permissions at runtime?

  • Weblogic Current Subject read-only

    Hi,
    I am doing a fat-client authentication using
    import weblogic.security.auth.Authenticate;
    Subject currentSubject = weblogic.security.Security.getCurrentSubject();
    Authenticate authenticateUser = new Authenticate();
    authenticateUser.authenticate(env, currentSubject);
    I get the error saying the currentSubject is read-only, how can I do explicit authentication and make the subject current subject..
    I want to add the principals from the authenticated subject to current subject so that I can authorize it based on the security role.
    If the principal is not in the current subject, authorization fails.
    Any tips/help is appreciated

    I knew it was going to be something simple and stupid! Thanks man!!! That's what it was!
    Originally Posted by Markus Colorado
    Hi,
    following the docs, "Subject" is of type "FormattedText" so you need to specify the
    correct property for your Subject;
    i.e. oMsg.Subject.PlainText = "my subject..."
    Hope this helped,
    Markus
    "Mcygee" <[email protected]> schrieb im Newsbeitrag
    news:[email protected]..
    >
    > I managed to fix the error on...
    >
    >
    > Code:
    > --------------------
    > objAppointment.Place = "A Test Place"
    > --------------------
    >
    >
    > by switching
    >
    >
    > Code:
    > --------------------
    > Dim objAppointment As Appointment
    > --------------------
    >
    >
    > to
    >
    >
    > Code:
    > --------------------
    > Dim objAppointment As Appointment10
    > --------------------
    >
    >
    > *So now the only issue I have is Subject (and BodyText though I don't
    > need it right now) is read-only so I can't specify what it should be in
    > the appointment.*
    >
    >
    > --
    > Mcygee

  • Perimeter authentication with ISA server and AD

    Hi,
    We have a Microsoft ISA server that does all authentication at the perimeter. I'm trying to set up a WLS 10 that can inspect and pass on the authenticated Subject to the (SQLServer) database when performing searches.
    I have configured the environment according to the steps in http://e-docs.bea.com/wls/docs100/secmanage/sso.html, and I have set up my security realm with an Active Directory Authentication provider and a Negotiate Identity Assertion provider. But something is obviously not working, since I see no signs of the authenticated subject in the server log, and Security.getCurrentSubject() returns an empty Subject. What am I doing wrong?
    Thanks
    Edited by tdirrenb at 04/18/2008 6:33 AM
    Edited by tdirrenb at 04/18/2008 6:34 AM

    Hi Vinod,
    Looks like this is a AAA issue. Moving this to AAA domain for faster response.
    thanks,
    Vinay

  • Help, Authentication failed

    I am having a very difficult time making a simple login program work
    I am using Java SDK 1.4.2_02 on a Windows 2000 host, the DS is on the same host
    My Directory Server is Sun One Directory Server 5.2
    I am using the JAAS package, with a JndiLoginModule
    When I use a bogus uid I get a "user not found" message so I know I am contacting the DS correctly
    The Access log looks like this
    [09/Dec/2003:13:09:52 -0600] conn=1606 op=0 msgId=1 - BIND dn="" method=128 version=3
    [09/Dec/2003:13:09:52 -0600] conn=1606 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn=""
    [09/Dec/2003:13:09:52 -0600] conn=1606 op=1 msgId=2 - SRCH base="ou=people,dc=auto-trol,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
    [09/Dec/2003:13:09:52 -0600] conn=1606 op=1 msgId=2 - RESULT err=0 tag=101 nentries=1 etime=0
    [09/Dec/2003:13:09:52 -0600] conn=1606 op=2 msgId=3 - SRCH base="ou=people,dc=auto-trol,dc=com" scope=1 filter="(uid=jpsb)" attrs=ALL
    [09/Dec/2003:13:09:52 -0600] conn=1606 op=2 msgId=3 - RESULT err=0 tag=101 nentries=1 etime=0
    [09/Dec/2003:13:09:52 -0600] conn=1606 op=3 msgId=4 - ABANDON targetop=NOTFOUND msgid=3
    My config file looks like this
    Sample
    com.sun.security.auth.module.JndiLoginModule required debug=true
         user.provider.url="ldap://localhost:4661/ou=People,dc=auto-trol,dc=com"
         group.provider.url="ldap//localhost:4661/ou=Group,dc=auto-trol,dc=com";
    The error I get is this:
    [JndiLoginModule] user provider: ldap://localhost:4661/ou=People,dc=auto-trol,dc=com
    [JndiLoginModule] group provider: ldap//localhost:4661/ou=Group,dc=auto-trol,dc=com
    ldap username: jpsb
    ldap password: jim
    [JndiLoginModule] attemptAuthentication() failed
    [JndiLoginModule] regular authentication failed
    [JndiLoginModule]: aborted authentication failed
    Authentication failed:
    Login incorrect
    A stack trace looks like this
    javax.security.auth.login.FailedLoginException: Login incorrect
    at com.sun.security.auth.module.JndiLoginModule.attemptAuthentication(JndiLoginModule.java:552)
    at com.sun.security.auth.module.JndiLoginModule.login(JndiLoginModule.java:310)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:324)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
    at LoginJaas.main(LoginJaas.java:93)
    It appears to me that there must be some kind of password problem. I can log in from the 5.2 console or switch user ids from the console, so I know the user and the Directory Server are OK.
    Can anyone help? I've been pounding on this for a few days and it is getting frustrating.
    Thanks in advance
    Jim

    Here it is along with some bat files to make and run. I can't understand why it does not work. It is mostly a slightly modified example from Sun. I'm using Sun code, a Sun Directory Server and Sun's JndiLoginModule, so why the damn thing does not work is a mystery. I have looked EVERYWHERE for sample JAAS/LDAP authentication code and can't find a thing. Makes me think there isn't any and JAAS is not the way to go. I am going to try with a different DS, maybe OpenLDAP or Active Directory, and if that doesn't work I'll forget JAAS and use JNDI instead.
    Any help would be greatly appreciated.
    thanks in advance
    jim
    Start LoginJaas.java
    /*
     * @(#)LoginJaas.java
     *
     * Copyright 2001-2002 Sun Microsystems, Inc. All Rights Reserved.
     *
     * Redistribution and use in source and binary forms, with or
     * without modification, are permitted provided that the following
     * conditions are met:
     *
     * -Redistributions of source code must retain the above copyright
     * notice, this list of conditions and the following disclaimer.
     *
     * -Redistribution in binary form must reproduce the above copyright
     * notice, this list of conditions and the following disclaimer in
     * the documentation and/or other materials provided with the
     * distribution.
     *
     * Neither the name of Sun Microsystems, Inc. or the names of
     * contributors may be used to endorse or promote products derived
     * from this software without specific prior written permission.
     *
     * This software is provided "AS IS," without a warranty of any
     * kind. ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND
     * WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY,
     * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE HEREBY
     * EXCLUDED. SUN AND ITS LICENSORS SHALL NOT BE LIABLE FOR ANY
     * DAMAGES OR LIABILITIES SUFFERED BY LICENSEE AS A RESULT OF OR
     * RELATING TO USE, MODIFICATION OR DISTRIBUTION OF THE SOFTWARE OR
     * ITS DERIVATIVES. IN NO EVENT WILL SUN OR ITS LICENSORS BE LIABLE
     * FOR ANY LOST REVENUE, PROFIT OR DATA, OR FOR DIRECT, INDIRECT,
     * SPECIAL, CONSEQUENTIAL, INCIDENTAL OR PUNITIVE DAMAGES, HOWEVER
     * CAUSED AND REGARDLESS OF THE THEORY OF LIABILITY, ARISING OUT OF
     * THE USE OF OR INABILITY TO USE SOFTWARE, EVEN IF SUN HAS BEEN
     * ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
     *
     * You acknowledge that Software is not designed, licensed or
     * intended for use in the design, construction, operation or
     * maintenance of any nuclear facility.
     */

    import javax.security.auth.Subject;
    import javax.security.auth.callback.*;
    import javax.security.auth.login.*;
    import com.sun.security.auth.callback.TextCallbackHandler;
    import java.security.PrivilegedAction;

    /**
     * This LoginJaas application attempts to authenticate a user
     * and reports whether or not the authentication was successful.
     * If successful, it then sets up subsequent execution of
     * code in the run method of the SampleAction class such that
     * access control checks for security-sensitive operations will be
     * based on the user running the code.
     */
    public class LoginJaas {

        // holds the authenticated Subject once login() has succeeded
        private static Subject mySubject;

        public static void main(String[] args) {

            // Obtain a LoginContext, needed for authentication. Tell it
            // to use the LoginModule implementation specified by the
            // entry named "Sample" in the JAAS login configuration
            // file and to also use the specified CallbackHandler.
            LoginContext lc = null;
            try {
                lc = new LoginContext("Sample", new TextCallbackHandler());
            } catch (LoginException le) {
                System.err.println("le:Cannot create LoginContext. " + le.getMessage());
                le.printStackTrace();
                System.exit(-1);
            } catch (SecurityException se) {
                System.err.println("se:Cannot create LoginContext. " + se.getMessage());
                se.printStackTrace();
                System.exit(-1);
            }

            try {
                // attempt authentication
                lc.login();
            } catch (LoginException le) {
                System.err.println("Authentication failed:");
                System.err.println("  " + le.getMessage());
                le.printStackTrace();
                System.exit(-1);
            }

            System.out.println("Authentication succeeded!");

            // now try to execute the SampleAction as the authenticated Subject
            // (assigned to the static field instead of shadowing it with a local)
            mySubject = lc.getSubject();
            PrivilegedAction action = new SampleAction();
            Subject.doAsPrivileged(mySubject, action, null);
        }
    }
    End LoginJaas.java
    Start MyCallbackHandler.java
    import java.io.*;
    import javax.security.auth.*;
    import javax.security.auth.callback.*;

    public class MyCallbackHandler implements CallbackHandler {

        public void handle(Callback callbacks[]) throws IOException, UnsupportedCallbackException {
            BufferedReader in = new BufferedReader(new InputStreamReader(System.in));
            for (int i = 0; i < callbacks.length; i++) {
                if (callbacks[i] instanceof NameCallback) {
                    // answer callbacks[i], not callbacks[0]
                    NameCallback nc = (NameCallback) callbacks[i];
                    System.err.print(nc.getPrompt());
                    System.err.flush();
                    nc.setName(in.readLine());
                } else if (callbacks[i] instanceof PasswordCallback) {
                    // JndiLoginModule also requests a password; without this branch
                    // every login ends in UnsupportedCallbackException
                    PasswordCallback pc = (PasswordCallback) callbacks[i];
                    System.err.print(pc.getPrompt());
                    System.err.flush();
                    String password = in.readLine();
                    pc.setPassword(password == null ? new char[0] : password.toCharArray());
                } else {
                    throw new UnsupportedCallbackException(callbacks[i], "Unrecognized Callback");
                }
            }
        }
    }
    End MyCallbackHandler.java
    Start Sample.java
    /*
     * @(#)Sample.java     1.19 00/01/11
     *
     * Copyright 2000-01 Sun Microsystems, Inc. All rights reserved.
     */

    import java.io.*;
    import java.util.*;
    import java.security.Principal;
    import javax.security.auth.*;
    import javax.security.auth.callback.*;
    import javax.security.auth.login.*;
    import javax.security.auth.spi.*;
    import com.sun.security.auth.*;

    /**
     * <p> This Sample application attempts to authenticate a user
     * and executes a SampleAction as that user.
     *
     * <p> If the user successfully authenticates itself,
     * the username and number of Credentials is displayed.
     *
     * @version 1.19, 01/11/00
     */
    public class Sample {

        /**
         * Attempt to authenticate the user.
         *
         * <p>
         *
         * @param args input arguments for this application. These are ignored.
         */
        public static void main(String[] args) {

            // use the configured LoginModules for the "Sample" entry
            LoginContext lc = null;
            try {
                lc = new LoginContext("Sample", new MyCallbackHandler());
            } catch (LoginException le) {
                le.printStackTrace();
                System.exit(-1);
            }

            // the user has 3 attempts to authenticate successfully
            int i;
            for (i = 0; i < 3; i++) {
                try {
                    // attempt authentication
                    lc.login();
                    // if we return with no exception, authentication succeeded
                    break;
                } catch (AccountExpiredException aee) {
                    System.out.println("Your account has expired. " +
                            "Please notify your administrator.");
                    System.exit(-1);
                } catch (CredentialExpiredException cee) {
                    System.out.println("Your credentials have expired.");
                    System.exit(-1);
                } catch (FailedLoginException fle) {
                    System.out.println("Authentication Failed");
                    try {
                        // short delay before the next attempt
                        Thread.sleep(3000);
                    } catch (Exception e) {
                        // ignore
                    }
                } catch (Exception e) {
                    System.out.println("Unexpected Exception - unable to continue");
                    e.printStackTrace();
                    System.exit(-1);
                }
            }

            // did they fail three times?
            if (i == 3) {
                System.out.println("Sorry");
                System.exit(-1);
            }

            // let's see what Principals we have
            Iterator principalIterator = lc.getSubject().getPrincipals().iterator();
            System.out.println("Authenticated user has the following Principals:");
            while (principalIterator.hasNext()) {
                Principal p = (Principal)principalIterator.next();
                System.out.println("\t" + p.toString());
            }

            System.out.println("User has " +
                    lc.getSubject().getPublicCredentials().size() +
                    " Public Credential(s)");

            // now try to execute the SampleAction as the authenticated Subject
            Subject.doAs(lc.getSubject(), new SampleAction());

            System.exit(0);
        }
    }
    End Sample.java
    Start SampleAction.java
    /*
     * @(#)SampleAction.java     1.4 00/01/11
     *
     * Copyright 2000-01 Sun Microsystems, Inc. All rights reserved.
     */

    import java.io.File;
    import java.security.PrivilegedAction;

    /**
     * <p> This is a Sample PrivilegedAction implementation, designed to be
     * used with the Sample application.
     *
     * @version 1.4, 01/11/00
     */
    public class SampleAction implements PrivilegedAction {

        /**
         * <p> This Sample PrivilegedAction performs the following operations:
         * <ul>
         * <li> Access the System property, <i>java.home</i>
         * <li> Access the System property, <i>user.home</i>
         * <li> Access the file, <i>foo.txt</i>
         * </ul>
         *
         * @return <code>null</code> in all cases.
         *
         * @exception SecurityException if the caller does not have permission
         *          to perform the operations listed above.
         */
        public Object run() {

            System.out.println("\nYour java.home property: "
                    + System.getProperty("java.home"));

            System.out.println("\nYour user.home property: "
                    + System.getProperty("user.home"));

            File f = new File("foo.txt");
            System.out.print("\nfoo.txt does ");
            if (!f.exists())
                System.out.print("not ");
            System.out.println("exist in the current working directory.");

            return null;
        }
    }
    End SampleAction.java
    Start principal/SamplePrincipal.java
    package principal;

    /*
     * @(#)SamplePrincipal.java     1.4 00/01/11
     *
     * Copyright 2000-01 Sun Microsystems, Inc. All rights reserved.
     */

    import java.security.Principal;

    /**
     * <p> This class implements the <code>Principal</code> interface
     * and represents a Sample user.
     *
     * <p> Principals such as this <code>SamplePrincipal</code>
     * may be associated with a particular <code>Subject</code>
     * to augment that <code>Subject</code> with an additional
     * identity. Refer to the <code>Subject</code> class for more information
     * on how to achieve this. Authorization decisions can then be based upon
     * the Principals associated with a <code>Subject</code>.
     *
     * @version 1.4, 01/11/00
     * @see java.security.Principal
     * @see javax.security.auth.Subject
     */
    public class SamplePrincipal implements Principal, java.io.Serializable {

        /**
         * @serial
         */
        private String name;

        /**
         * Create a SamplePrincipal with a Sample username.
         *
         * <p>
         *
         * @param name the Sample username for this user.
         *
         * @exception NullPointerException if the <code>name</code>
         *               is <code>null</code>.
         */
        public SamplePrincipal(String name) {
            if (name == null)
                throw new NullPointerException("illegal null input");

            this.name = name;
        }

        /**
         * Return the Sample username for this <code>SamplePrincipal</code>.
         *
         * <p>
         *
         * @return the Sample username for this <code>SamplePrincipal</code>
         */
        public String getName() {
            return name;
        }

        /**
         * Return a string representation of this <code>SamplePrincipal</code>.
         *
         * <p>
         *
         * @return a string representation of this <code>SamplePrincipal</code>.
         */
        public String toString() {
            return("SamplePrincipal: " + name);
        }

        /**
         * Compares the specified Object with this <code>SamplePrincipal</code>
         * for equality. Returns true if the given object is also a
         * <code>SamplePrincipal</code> and the two SamplePrincipals
         * have the same username.
         *
         * <p>
         *
         * @param o Object to be compared for equality with this
         *          <code>SamplePrincipal</code>.
         *
         * @return true if the specified Object is equal to this
         *          <code>SamplePrincipal</code>.
         */
        public boolean equals(Object o) {
            if (o == null)
                return false;

            if (this == o)
                return true;

            if (!(o instanceof SamplePrincipal))
                return false;
            SamplePrincipal that = (SamplePrincipal)o;

            return this.getName().equals(that.getName());
        }

        /**
         * Return a hash code for this <code>SamplePrincipal</code>.
         *
         * <p>
         *
         * @return a hash code for this <code>SamplePrincipal</code>.
         */
        public int hashCode() {
            return name.hashCode();
        }
    }
    End principal/SamplePrincipal.java
    Start sample_jaas.config
    /** Login Configuration for the JAAS Sample Application **/

    Sample {
        //SampleLoginModule required debug=true;
        com.sun.security.auth.module.JndiLoginModule required debug=true
            user.provider.url="ldap://localhost:4661/ou=People,dc=testing,dc=com"
            group.provider.url="ldap//localhost:4661/ou=Group,dc=testing,dc=com";
    };
    End sample_jaas.config
    Start sample.policy
    /** Java 2 Access Control Policy for the JAAS Sample Application **/

    /** Code-Based Access Control Policy for LoginJaas **/
    grant codebase "file:./LoginJaas.jar" {
        permission javax.security.auth.AuthPermission "createLoginContext.Sample";
        permission javax.security.auth.AuthPermission "doAsPrivileged";
        permission java.security.AllPermission; // allows everything
    };

    /** User-Based Access Control Policy for the SampleAction class
     ** instantiated by LoginJaas **/
    grant codebase "file:./SampleAction.jar", Principal principal.SamplePrincipal "jimshi" {
        permission java.util.PropertyPermission "java.home", "read";
        permission java.util.PropertyPermission "user.home", "read";
        permission java.io.FilePermission "foo.txt", "read";
    };
    End sample.policy
    Start makelogin.bat
    REM
    javac LoginJaas.java principal/SamplePrincipal.java
    jar -cvf LoginJaas.jar LoginJaas.class principal/SamplePrincipal.class
    REM
    javac SampleAction.java
    jar -cvf SampleAction.jar SampleAction.class
    REM
    REM javac SampleLoginModule.java
    REM jar -cvf sample_module.jar SampleLoginModule.class
    REM
    javac Sample.java
    REM jar -cvf sample.jar MyCallbackHandler.class Sample.class
    javac com/sun/security/auth/module/*.java
    End makelogin.bat
    Start run.bat
    REM java -classpath ./;SampleAction.jar;LoginJaas.jar -Djava.security.manager -Djava.security.policy=sample.policy -Djava.security.auth.login.config=sample_jaas.config LoginJaas
    java -classpath ./;SampleAction.jar;LoginJaas.jar -Djava.security.auth.login.config==D:\STUFF\LDAP\loginJim\sample_jaas.config LoginJaas
    End run.bat
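The debug output earlier in the post echoes group.provider.url as ldap//localhost:4661/... while user.provider.url carries the ldap:// scheme, and nothing in the posted files checks the option values before JndiLoginModule uses them. The lint below is an added example written for this page, not code from Jim's files or from the JDK: it scans the option=value pairs of a login-config entry and reports every *.provider.url that java.net.URI does not resolve to an absolute ldap:// or ldaps:// URL with a host. The JaasConfigLint class, its OPTION pattern and the embedded sample entry are constructed here, and the code assumes Java 8 or later.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Lints the *.provider.url options of a JAAS login-config entry (hypothetical helper, not part of the JDK). */
public class JaasConfigLint {
    // option=value pairs as written in a login-config entry, quoted or bare (e.g. debug=true)
    private static final Pattern OPTION = Pattern.compile("([\\w.]+)=(?:\"([^\"]*)\"|([^\\s;]+))");
    /** Returns one message per defective provider URL; an empty list means every provider URL parsed. */
    public static List<String> lint(String config) {
        List<String> problems = new ArrayList<>();
        Matcher m = OPTION.matcher(config);
        while (m.find()) {
            String key = m.group(1);
            String value = m.group(2) != null ? m.group(2) : m.group(3);
            if (!key.endsWith(".provider.url")) {
                continue; // only the LDAP provider URLs are checked
            }
            String problem = checkLdapUrl(value);
            if (problem != null) {
                problems.add(key + ": " + problem + " -> " + value);
            }
        }
        return problems;
    }
    /** Returns null for an absolute ldap:// or ldaps:// URL with a host, otherwise what is wrong with it. */
    static String checkLdapUrl(String value) {
        URI uri;
        try {
            uri = new URI(value);
        } catch (URISyntaxException e) {
            return "not a valid URI (" + e.getReason() + ")";
        }
        String scheme = uri.getScheme();
        // "ldap//host" has no ':' before its first '/', so URI treats it as a relative path with no scheme
        if (scheme == null) return "no scheme, expected ldap:// or ldaps://";
        if (!scheme.equals("ldap") && !scheme.equals("ldaps")) return "unexpected scheme " + scheme;
        if (uri.getHost() == null) return "no host";
        return null;
    }

    public static void main(String[] args) {
        // constructed sample in the shape of the posted entry; the group URL lacks its colon
        String sample = "Sample {\n"
                + "  com.sun.security.auth.module.JndiLoginModule required debug=true\n"
                + "    user.provider.url=\"ldap://localhost:4661/ou=People,dc=testing,dc=com\"\n"
                + "    group.provider.url=\"ldap//localhost:4661/ou=Group,dc=testing,dc=com\";\n"
                + "};\n";
        lint(sample).forEach(System.out::println);
    }
}
```

Run against the sample entry it reports only the group.provider.url line; a config whose URLs all carry ldap:// or ldaps:// with a host produces an empty list.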
