Urgent - flow in login module

Hi
Can anyone tell me what the flow in the login module is? I mean, how does it work for user authentication?
Thanks
shashank

Hi Shashank,
Here is some good info
http://help.sap.com/saphelp_nw04/helpdata/en/8c/f03541c6afd92be10000000a1550b0/frameset.htm
If you want to see how the stacks work and which ones will be executed even if they fail, click on the Login Module Stacks link.
Let us know if you have any questions.
Thanks,
Marty
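The "which ones will be executed even if they fail" question Marty points at is decided by the JAAS control flags on each stack entry. As an added illustration (not from the SAP help pages or from any poster), this Python model reproduces the standard JAAS control-flag semantics (REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL); the module names, tickets and passwords are constructed for the demo.

```python
"""Model of JAAS login-module stack evaluation (added example, not SAP's code).
Reproduces the standard JAAS control-flag semantics that decide which modules in a stack
still run after an earlier one has failed. Names, tickets and passwords are constructed."""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Flag(Enum):
    REQUIRED = "REQUIRED"      # must succeed; on failure the rest still run, outcome is failure
    REQUISITE = "REQUISITE"    # must succeed; on failure evaluation stops at once
    SUFFICIENT = "SUFFICIENT"  # success ends evaluation early, unless a REQUIRED/REQUISITE already failed
    OPTIONAL = "OPTIONAL"      # never decides the outcome on its own


class LoginException(Exception):
    """Raised by a module's login() to signal an authentication failure."""


@dataclass
class StackEntry:
    name: str
    flag: Flag
    # login(creds) -> True = success, False = "ignore me", LoginException = failure
    login: Callable[[Dict[str, str]], bool]


def run_stack(stack: List[StackEntry], creds: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Phase one of LoginContext.login(); returns (authenticated, modules whose login() ran)."""
    invoked: List[str] = []
    required_failed = False
    any_success = False
    has_required = any(e.flag in (Flag.REQUIRED, Flag.REQUISITE) for e in stack)
    for entry in stack:
        invoked.append(entry.name)
        try:
            outcome = entry.login(creds)
        except LoginException:
            if entry.flag is Flag.REQUISITE:
                return False, invoked   # stop immediately
            if entry.flag is Flag.REQUIRED:
                required_failed = True  # remember the failure, keep going
            continue                    # SUFFICIENT/OPTIONAL failures are tolerated
        if not outcome:
            continue                    # module asked to be ignored
        any_success = True
        if entry.flag is Flag.SUFFICIENT and not required_failed:
            return True, invoked        # early success
    if has_required:
        return not required_failed, invoked
    return any_success, invoked         # only SUFFICIENT/OPTIONAL modules configured


# --- constructed sample modules; no real credential store behind them ---
VALID_TICKETS = {"sample-ticket-alice": "alice"}
PASSWORDS = {"alice": "correct horse"}


def evaluate_ticket(creds: Dict[str, str]) -> bool:
    ticket = creds.get("ticket")
    if ticket is None:
        return False                    # nothing presented: ignore this module
    if ticket in VALID_TICKETS:
        creds["user"] = VALID_TICKETS[ticket]
        return True
    raise LoginException("invalid ticket")


def basic_password(creds: Dict[str, str]) -> bool:
    user = creds.get("user")
    if user in PASSWORDS and PASSWORDS[user] == creds.get("password"):
        return True
    raise LoginException("wrong user or password")


def create_ticket(creds: Dict[str, str]) -> bool:
    creds["new_ticket"] = "issued-for-" + creds["user"]
    return True


def audit(creds: Dict[str, str]) -> bool:
    creds["audited"] = "yes"
    return True


# Shape of a ticket-based stack: reuse a valid ticket, otherwise require a password, then issue one.
TICKET_STACK = [
    StackEntry("ticket_eval", Flag.SUFFICIENT, evaluate_ticket),
    StackEntry("password", Flag.REQUISITE, basic_password),
    StackEntry("ticket_create", Flag.OPTIONAL, create_ticket),
]

# Password check REQUIRED: a later SUFFICIENT success cannot rescue it, and the OPTIONAL
# audit module still runs after the failure.
STRICT_STACK = [
    StackEntry("password", Flag.REQUIRED, basic_password),
    StackEntry("ticket_eval", Flag.SUFFICIENT, evaluate_ticket),
    StackEntry("audit", Flag.OPTIONAL, audit),
]

if __name__ == "__main__":
    for stack, creds in [(TICKET_STACK, {"ticket": "sample-ticket-alice"}),
                         (TICKET_STACK, {"user": "alice", "password": "nope"}),
                         (STRICT_STACK, {"user": "alice", "password": "nope", "ticket": "sample-ticket-alice"})]:
        print(run_stack(stack, dict(creds)))
```

The second tuple element shows exactly which modules ran: a REQUISITE failure cuts the stack short, while a REQUIRED failure lets every later module run and still fails the login.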

Similar Messages

  • How to create Jaas Login module !! Urgent

    Hi developers
    I want to make some changes in the logon messages. Right now we are getting only the error "user authentication failed" on the portal, even if the user is locked or there is some other reason for the failed authentication. I want a proper message to be displayed based on the user input. For that I hope it is good to create a JAAS logon module so that I can modify it accordingly.
    Kindly, if anyone can give me a way out, it is urgent.
    How to create it step by step? It would be highly appreciated.
    Any inputs are appreciated.
    Thanks in advance
    Abhay

    Hi Abhay,
    1.) Every question is "urgent"... Please read https://www.sdn.sap.com/irj/sdn/wiki?path=/display/home/rulesofEngagement - section "Use a Good Subject Line"
    2.) For JAAS Login Modules examples, see https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/4d65ed90-0201-0010-3aba-9209836e8242
    Hope it helps
    Detlev

  • Urgent: JAAS Login Module Deployment Problem

    Hi,
    I have developed a JAAS Login module for the portal (EP6 SP9 sneak preview) and I am getting the following error:
    GroupAssignmentLoginModuleLibrary does not exist in LoadContextWrapper.modifyName.
    com.sap.engine.services.security.exceptions.BaseSecurityException: Can not load a login Module
    The next line is a ClassNotFoundException for the Login Module and the class found in negative cache.
    Please let me know if you know the solution to this problem.
    It is an urgent issue and a solution will be suitably rewarded.
    Regards,
    Vibhu

    Hi Diego,
    Scenario 1: SAP EP to SAP Backend Integration
    In this scenario the most commonly used strategy is SAP logon tickets. As far as I know this is the best and simplest way to implement SSO.
    Scenario 2: SAP EP to Non-SAP systems
    In this scenario various mechanisms can be used. It depends on the application you are integrating with. SAP does deliver SSO solutions with Lotus Notes and Outlook etc. If supported, it is probably simplest to use the SAP solution [Reliability and Support].
    Scenario 3: Enterprise uses third-party authentication software
    For the authentication, if the company chooses to use some third-party product like SiteMinder etc., then you can simply use this solution for SAP EP authentication, and also for all your other enterprise applications, based on the product support. But SAP EP to other SAP systems is best integrated with SAP logon tickets.
    Scenario 4: SSO using homegrown authentication or some third-party JAAS module
    If you have significant applications that are homegrown and use some custom authentication mechanism (example: authentication based on ID and password stored in a company database), you can write a JAAS module extension to authenticate using that database. In other words, JAAS is flexible for using external authentication mechanisms.
    There are several mechanisms available; it all depends on your internal applications/security mechanism/integration etc.
    Here is the link to one of the good articles on SDN about the SAP-supported SSO mechanisms.
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/uuid/58094632-0301-0010-a391-fc0de26f010e
    Hope this information is useful.
    -Venkat Malempati

  • Urgent - error in Customized  login module

    Hi
    I have created a customised login module by using the following URL
    http://help.sap.com/saphelp_nw04/helpdata/en/46/3ce9402f3f8031e10000000a1550b0/frameset.htm
    but when I log in to the portal, my login module is not working. When I checked the defaultTrace.1.trc file, it is showing the following errors:
    Caused by: java.lang.ClassNotFoundException: com.sap.test.TestLoginModuleClass
    Found in negative cache
         at com.sap.engine.frame.core.load.ReferencedLoader.loadClass(ReferencedLoader.java:298)
         at com.sap.engine.services.security.Util.loadClass(Util.java:257)
         at com.sap.engine.services.security.Util.loadClassFromAdditionalLoaders(Util.java:199)
         at com.sap.engine.services.security.login.LoginContextFactory.init(LoginContextFactory.java:89)
         ... 13 more
    Can anyone tell me what I should do about that?
    Thanks
    shashank

    Hi Joerg
    Thanks !!!
    I had checked. Please check, I had given the following things ...
    in configtool -> Global service configuration -> services -> security
    LoginModuleClassLoaders library:sap.com~TestLoginLibrary
    As
    my class name = com.sap.test.TestLoginModuleClass
    In provider.xml,
            provider name = sap.com
            Component Name = TestLoginLibrary
            Display name = TestLoginLibrary
    Can you please tell me what I should do.
    Thanks
    shashank
    Your answer would be appreciated.

  • URGENT: JAAS Login Module in Clustered Environment

    Hello all,
    I've created our own JAAS Login Module which works perfectly on a single-node environment... I dropped the jar in /server/additional-lib and modified library.txt and authschemes.xml as needed.
    Now that we need to deploy it in a clustered node environment, we added the jar file into the additional-lib folders of all the nodes and edited all the library.txt files of all nodes.
    UME can't seem to find our jar file anymore and we get the "missing handler" error when we try to log in.
    Any ideas?
    Thanks,
    Yves

    If you are using SAP J2EE PL21+ there is a separate node called state controller (you have dispatcher, application nodes and state controller nodes). Basically the state controller makes sure all application nodes (server nodes) are synchronized.
    You can find the dispatcher under cluster\dispatcher, servers under cluster\server and state under cluster\state .
    If you are using SAP J2EE PL20 or less this does not apply.

  • The flow of MM module to be known by an ABAPer ?

    Please tell the basic flow of the MM module (work-flow of the MM module) which must be known by an ABAP programmer, so that he/she can code reports efficiently
    (also mention the respective MM table names and their major fields for each phase).

    Hi,
    MM starts with the creation of a purchase requisition; it is an internal document raised inside the organisation. Suppose your PC is not working: you will tell this to your manager, and he/she in turn needs to place an order with the IT dept for the new PC. This is an internal document flowing inside the organisation. This is the purchase requisition.
    After the purchase requisition, the IT dept checks for the standard vendors that are available to buy a PC from, like HP, IBM, DELL. (Vendor: a company which supplies parts or services to another company; also called supplier.) If there are any standard vendors we directly place an order.
    If not, the IT dept will send an RFQ (request for quotation) to the vendors and in turn the vendors will send a quotation.
    After they send the quotation, the IT dept will compare all the quotations, select one based on the price simulation, say from HP, and place a purchase order. (Commercial documents used to request vendors to supply a product or service in return for payment, providing specifications and quantities.)
    After placing the purchase order, goods receipt will be done based on the purchase order. (Goods receipt will sometimes be done without considering the purchase order, as a PO will sometimes not be placed for an urgent requirement.)
    -> Then comes invoice verification. Invoice verification can sometimes be before goods receipt also.
    Tcodes
    1) Purchase requisition -> ME51n
    2) RFQ -> ME41
    3) Quotation -> ME47
    4) Purchase order -> ME22n
    5) Goods Receipt -> MIGO
    6) Invoice verification -> MIRO
    1... Purchase Requisition --- T.code --- ME51
    2... Source List --- T.code --- ME41
    3... Request for Quotation (RFQ) --- T.code --- ME21N (To Vendor)
    4... Purchase Order --- T.code --- ME21N (To Vendor)
          (tables: EKKO, EKPO)
    5... Goods Receipt --- T.code --- MIGO
          (tables: MKPF, MSEG)
    6... Invoice Verification --- T.code --- MIRO
          (tables: BKPF, BSEG)
    7... Vendor Payment --- T.code --- FB60 (FI - Accounts Payable)
    You can get the complete list of all tables of a particular module using the following steps:
    1. Go to SE11 and press F4 in the database table column
    2. Write MM* in the Application Component column
    3. Leave the column 'max no. of hits' blank
    Sail

  • Custom Login Module for Tomcat to protect apps using Oracle Access Manager

    Hi all,
    I have the following scenario.
    A web application deployed in Tomcat is to be protected using OAM. One solution is to use an Access Gate, though we have another alternative: a proxy in front of Tomcat with a WebGate. Now I am implementing the Access Gate solution.
    So, when the user clicks the Tomcat application, the prompt (BASIC) appears for login details. The custom login module should kick in, take those login details and authenticate against OAM using the Access SDK API.
    I have created an access gate profile and installed the Access SDK. Ran the ConfigureAccessGateTool as well.
    I did some research googling for login module. I came to know that we need to write a custom realm for it. So, this realm implementation involves specifying role-name etc. in web.xml, where the role-name would have been defined in tomcat-users.xml.
    This means that the user trying to authenticate against OAM has to have some roles defined in Tomcat to log in. I did not understand the flow end to end, as to how this will work.
    Please let me know if anybody has done this kind of customization.
    Thanks,
    Mahendra.

    Hi Ambarish,
    Initially I thought of implementing the way you suggested in Option 2.
    But there will be various redirections when we use option 2, as the login page should redirect to a page where the OAM authentication and authorization stuff has to be handled. And accordingly we have to redirect to specific pages upon successful atn and atz. Hence, I opted for using a Custom Login Module.
    However, I have been trying Option 2 now. In web.xml, I have specified a login page with the FORM scheme. The login redirects to another page, say OAM_Authentication_Handler.jsp. Here we code what serves atn and atz. Upon doing this, I have observed that the protected resource in OAM is not getting evaluated using the method
    String ms_protocol = "http";
    String ms_method = "GET";
    String ms_resource = "http://localhost:8080/FormLogin/private.jsp";
    ObResourceRequest rrq = new ObResourceRequest(ms_protocol, ms_resource, ms_method);
    The method rrq.isProtected() is returning false, which implies it is unprotected. I have tested the resource using Access Tester and it results in the expected behaviour.
    Is there any limitation here by using this approach?
    Any ideas?
    Thanks,
    Mahendra.

  • Automate Login with Custom Login Module

    Hi. I have successfully created a custom login module that calls a database stored procedure for our login procedures. However, there are conditions/cases wherein a login will not be required (i.e. the login page doesn't need to be displayed and it should direct to the home page right away).
    I thought that putting these conditions/checks within the PL/SQL would take care of it, but that isn't the case. It turns out that the login page is always called before it goes to the PL/SQL procedure we indicated in the orion-application.xml file. Now I am stumped on how to intercept the login page call.
    Any help would be greatly appreciated. I have been working on this issue for months and haven't gotten a solution.
    Thank you.
    Edited by: 829489 on Jan 19, 2011 7:17 AM

    You can not do this in a login module. Here's why:
    1). You must (in web.xml) indicate which resources are secured and which are not. You cannot say "it's secured sometimes"
    2). Once a login module indicates that a user is successfully authenticated, they are authenticated for the remainder of their session.
    3). Now, in your login module, if you bypass any username/password check and mark them as authenticated (allowing them to access the secure resources), they will be authenticated for all requests in that session - including ones that you don't want to give them access to.
    I'm guessing by your reference to orion-application.xml that you are using JDev 10g, therefore my suggestion of a task flow with a router to route users to either secure or not secure page is not applicable for you (it's only available in 11g).
    John

  • Opinions on implementing a JAAS login module to achieve SSO

    We are looking at implementing SSO from a SharePoint website to the portal. The users who are accessing the SharePoint site are using their own computers and are not members of the AD domain, so they could theoretically be using any computer in the world to access SharePoint.
    The desired user experience looks something like this:
    user --login--> SharePoint site --no login--> portal
    One of the methods we are looking at to achieve this is to implement a custom JAAS login module that would authenticate the user if they are coming from the SharePoint site.
    I would like to get your opinions on how viable you think this method is. One of the goals of this method is ease of implementation, so if you can think of an easier way to implement this please let us know.
    The method is basically this:
    1. User logs into SharePoint using their AD username and password and establishes an active session with SharePoint
    2. User navigates to a link in SharePoint that points to a resource in the SAP Portal
    3. We don't want the user to have to log in to access the resource when they click on the link
    4. To facilitate this, SharePoint has constructed the link in the following way
    5. The link is an https link
    6. The link has two additional parameters in addition to whatever is necessary to navigate to the resource
    7. The parameters are
    8. un = the user's AD username
    9. uh = sha1("secret_password_known_to_both_the_login_module_and_sharepoint" + "username")
    10. The user clicks the link and is directed to the SAP Portal
    11. The SAP Portal has a custom JAAS login module which performs its checks before the other login modules
    12. The custom module computes sha1("secret_password_known_to_both_the_login_module_and_sharepoint" + un) and then compares the result with uh. If they are equal, the custom login module authenticates the user, bypassing any further need for authentication; otherwise authentication passes to the original authentication modules as normal.
    If you think there is an easier way, please let us know. We are essentially looking for the easiest/fastest way to implement this functionality that is still secure.

    Hey Gary,
      I'm currently using Apache running on RedHat that leverages Apache's mod_rewrite module. I've got a bank of 6 reverse proxies sitting in front of an SAP Portal and each proxy runs on a host with dual 3.33GHz processors and 8 GB of RAM. I know... they're waaay over-sized and they pretty much snooze all day.
      This is the sole entry point for all SAP users and we sized them to accommodate the "worst case" of about 5000 (potential) named users, concurrently. Realistically, we've only ever had about 1500 unique users hitting the systems in a day (following an upgrade go-live, everybody is curious and wants to log on) and a typical load of about 500 to 750 users in a day.
      Never had a real performance problem to speak of. As long as the proxies are tuned properly (ssl cache, sessions, etc.), you should be fine.
      Setting header variables and some other "custom stuff" is handled in Perl (need Apache's mod_perl active). We've got a script that's called by all users before being passed to the Portal.
      We used IISProxy.dll with an IIS web server a long time ago (5 years maybe?) but opted to can it in favor of the approach described above.
      If you ask SAP, they'll recommend you use a WebDispatcher... and that's certainly an option as well.
    -Kevin

  • SOAP Web Service +  Custom Login Module issue

    Hi Guys,
    We faced an authentication issue in our project. Could you please give any advice on how the issue could be resolved?
    Environment: A simple SOAP Web Service on top of POJO class created in a Web Application. The web application deployed to the SAP NetWeaver 7.10 Application Server in the Enterprise Application Archive.
    Configuration:
          Single Service Administration Application(NetWeaver Administration -> SOA Management -> Application and Scenario Communication -> Single Service Administration)
           The web service endpoint has authentication configured to use User ID/Password HTTP Authentication.
        Authentication Application(NetWeaver Administration-> Configuration Management->Security->Authentication)
          The application(<vendorName>/<earName>*<vendor>~<webAppName>) has Authentication Stack configured to use our custom login module.
    Issue: BasicPasswordLoginModule is used by the J2EE engine when we are trying to execute the web service using Web Service Navigator (checked in debug mode). It seems that we missed something in the configuration.
    Idea: The main idea is to use our custom login module when we are executing a web service.
    Could you help me to resolve the issue?
    Thanks,
    Dmitry
    Edited by: Dmitry Eidin on Jul 17, 2009 3:46 PM

    > The web service endpoint has authentication configured to use User ID/Password HTTP Authentication.
    That's the point.

  • Assigning a login module to a single WebDynpro to authenticate against LDAP

    Hi there,
    we are running the J2EE Engine 7.0 within XI on SAP NetWeaver 2004s / Linux x86_64.
    Basically, I want to authenticate a Java WebDynpro against an LDAP (Active Directory). With the XI usage installed, I cannot customize the UME to authenticate against an LDAP (not supported and not possible).
    Thus, I want to use a custom login module or, if suitable, a standard login module to authenticate against LDAP. I know that all WebDynpro Apps use the default authentication scheme that in turn references the authentication template "ticket".
    1) Can I use a predefined Login Module to authenticate against Active Directory LDAP or do I have to write a custom login module?
    2) Is it possible to assign a login module to a single WebDynpro and how can I do this?
    Thanks a lot in advance,
    Oliver Kalkofen

    > Thus, I want to use a custom login module or, if
    > suitable, a standard login module to authenticate
    > against LDAP.
    We have developed a custom login module which does this. It looks to the user like the BasicPasswordLoginModule provided with SAP, but the userid and password entered have to be a valid account/password from the Active Directory domain. We use the Kerberos protocol to perform this userid/password validation, not LDAP. The userid can be just a name, in which case the default domain (realm in Kerberos terminology) is used, or it can be specified as user@REALM, in which case a non-default realm can be used to authenticate. Once the authentication is complete, we look in the USRACL table to map this Kerberos principal name onto a SAP userid so we can then create an SSO2 ticket.
    If you are interested to evaluate, or get a quote for purchasing this, please contact me offline. Of course, you can develop your own if you are happy to do so. I just thought you might be interested to know of an alternative.
    Thanks,
    Tim

  • Assigning a login module to a Web Dynpro application

    Hi everybody,
    I would like a Web Dynpro application to use a custom login module for authentication. How can I do this?
    What I found is the Security Provider (in the Visual Administrator tool) where I can add a login module to the "form" authentication mechanism for example. But if I do this I think all applications using this mechanism have to use my custom login module, right?
    I wonder if I have to add my Web Dynpro application as a component to the Security Provider so that I can assign login modules to it. Am I on the right way? If yes, how can I do this? If I choose "Add" from the "Policy Configurations" tab a popup appears where I can enter the name for a new component. How do I specify my application there?
    Thanks in advance for all answers,
    Torben

    Hi,
    Web Dynpro applications use the ticket authentication template. You would need to add your login module to the ticket template's login stack.
    In case you are accessing the Web Dynpro applications through the EP, you would need to make changes to the authschemes.xml file too.
    regards,
    Vishal

  • SSO not authorized:no login module success

    Hi Friends,
    I am getting this error while opening the Report Designer. Can anyone help me?
    "java system error call FM_BICS_CONS_GET_VIEW_DEF_J_PROXY to progid XXXXX on host
    APD with SSO not authorized:no login module success "
    Regards
    Vipul Kapadia

    solved by basis team

  • Help - using custom login module with embedded jdev oc4j to access ejb 3

    Hi All (Frank ??),
    I'm just wondering if anyone has successfully been able to leverage a custom login module in combination
    with a client that connects to a local EJB 3 stateless session bean through Jdeveloper 10.1.3.2's embedded oc4j.
    I have spent 2+ days trying to get this to work, and I think I'm resigned now to the fact I'm going to have to deploy to OC4J standalone instead.
    I got close.. but finally was trumped with the following error from the client trying to access the ejb:-
    javax.naming.NoPermissionException: Not allowed to look up XXXXXX, check the namespace-access tag
    setting in orion-application.xml for details.
    Using the various guides available, I had no problem getting the custom login module working
    with a local servlet running from JDev's embedded oc4j.. however with ejb - no such luck.
    I have a roles table (possible values Member, Admin) - that maps to sr_Member and sr_Admin
    respectively in various config files.
    I'm using EJB 3 annotations for protecting methods .. for example
    @RolesAllowed("sr_Member")
    Steps that I had to do so far :-
    In <jdevhome>\jdev\system\oracle.jwee.10.1.3.40.66\embedded-oc4j\config\system-jazn-data.xml
    1) Add custom login module
        <application>
          <name>current-workspace-app</name>
          <login-modules>
            <login-module>
              <class>kr.security.KnowRushLoginModule</class>
              <control-flag>required</control-flag>
              <options>
                <option>
                  <name>dataSource</name>
                  <value>jdbc/DB_XE_KNOWRUSHDS</value>
                </option>
                <option>
                  <name>user.table</name>
                  <value>users</value>
                </option>
                <option>
                  <name>user.pk.column</name>
                  <value>id</value>
                </option>
                <option>
                  <name>user.name.column</name>
                  <value>email_address</value>
                </option>
                <option>
                  <name>user.password.column</name>
                  <value>password</value>
                </option>
                <option>
                  <name>role.table</name>
                  <value>roles</value>
                </option>
                <option>
                  <name>role.to.user.fk.column</name>
                  <value>user_id</value>
                </option>
                <option>
                  <name>role.name.column</name>
                  <value>name</value>
                </option>
              </options>
            </login-module>
          </login-modules>
        </application>
    2) Grant login RMI permission to roles associated with the custom login module (also in system-jazn-data.xml)
      <grant>
        <grantee>
          <principals>
            <principal>
              <realm-name>jazn.com</realm-name>
              <type>role</type>
              <class>kr.security.principals.KRRolePrincipal</class>
              <name>Admin</name>
            </principal>
          </principals>
        </grantee>
        <permissions>
          <permission>
            <class>com.evermind.server.rmi.RMIPermission</class>
            <name>login</name>
          </permission>
        </permissions>
      </grant>
      <grant>
        <grantee>
          <principals>
            <principal>
              <realm-name>jazn.com</realm-name>
              <type>role</type>
              <class>kr.security.principals.KRRolePrincipal</class>
              <name>Member</name>
            </principal>
          </principals>
        </grantee>
        <permissions>
          <permission>
            <class>com.evermind.server.rmi.RMIPermission</class>
            <name>login</name>
          </permission>
        </permissions>
      </grant>
    3) I've tried creating various Oracle and J2EE deployment descriptors (even though ejb-jar.xml and orion-ejb-jar.xml get created automatically when running the session bean in JDev).
    My ejb-jar.xml contains :-
    <?xml version="1.0" encoding="utf-8"?>
    <ejb-jar xmlns ....
      <assembly-descriptor>
        <security-role>
          <role-name>sr_Admin</role-name>
        </security-role>
        <security-role>
          <role-name>sr_Member</role-name>
        </security-role>
      </assembly-descriptor>
    </ejb-jar>
    Note: I'm not specifying the enterprise-beans stuff, as JDev seems to populate this automatically.
    My orion-ejb-jar.xml contains ...
    <?xml version="1.0" encoding="utf-8"?>
    <orion-ejb-jar ...
      <assembly-descriptor>
        <security-role-mapping name="sr_Admin">
          <group name="Admin"></group>
        </security-role-mapping>
        <security-role-mapping name="sr_Member">
          <group name="Member"></group>
        </security-role-mapping>
        <default-method-access>
          <security-role-mapping name="sr_Member" impliesAll="true">
          </security-role-mapping>
        </default-method-access>
      </assembly-descriptor>
    My orion-application.xml contains ...
    <?xml version="1.0" encoding="utf-8"?>
    <orion-application xmlns ...
      <security-role-mapping name="sr_Admin">
        <group name="Admin"></group>
      </security-role-mapping>
      <security-role-mapping name="sr_Member">
        <group name="Member"></group>
      </security-role-mapping>
      <jazn provider="XML">
        <property name="role.mapping.dynamic" value="true"></property>
        <property name="custom.loginmodule.provider" value="true"></property>
      </jazn>
      <namespace-access>
        <read-access>
          <namespace-resource root="">
            <security-role-mapping name="sr_Admin">
              <group name="Admin"/>
              <group name="Member"/>
            </security-role-mapping>
          </namespace-resource>
        </read-access>
        <write-access>
          <namespace-resource root="">
            <security-role-mapping name="sr_Admin">
              <group name="Admin"/>
              <group name="Member"/>
            </security-role-mapping>
          </namespace-resource>
        </write-access>
      </namespace-access>
    </orion-application>
    My essentially auto-generated EJB 3 client does the following:
          Hashtable env = new Hashtable();
          env.put(Context.SECURITY_PRINCIPAL, "matt.shannon");
          env.put(Context.SECURITY_CREDENTIALS, "welcome1");
          final Context context = new InitialContext(env);
          KRFacade kRFacade = (KRFacade)context.lookup("KRFacade");
    ...
    And throws the error
    20/04/2007 00:55:37 oracle.j2ee.rmi.RMIMessages EXCEPTION_ORIGINATES_FROM_THE_REMOTE_SERVER
    WARNING: Exception returned by remote server: {0}
    javax.naming.NoPermissionException: Not allowed to look up KRFacade, check the namespace-access tag setting in orion-application.xml for details
         at com.evermind.server.rmi.RMIClientConnection.handleLookupResponse(RMIClientConnection.java:819)
         at com.evermind.server.rmi.RMIClientConnection.handleOrmiCommandResponse(RMIClientConnection.java:283)
    ....
    I can see from the console that the user was successfully authenticated:
    20/04/2007 00:55:37 kr.security.KnowRushLoginModule validate
    WARNING: [KnowRushLoginModule] User matt.shannon authenticated
    And that user is granted both the Admin, and Member roles.
    The test servlet using basic authentication correctly detects the user and roles perfectly...
      public void doGet(HttpServletRequest request,
                        HttpServletResponse response)
        throws ServletException, IOException
      {
        LOGGER.log(Level.INFO, LOGPREFIX + "doGet called");
        response.setContentType(CONTENT_TYPE);
        PrintWriter out = response.getWriter();
        out.println("<html>");
        out.println("<head><title>ExampleServlet</title></head>");
        out.println("<body>");
        out.println("<p>The servlet has received a GET. This is the reply.</p>");
        // Identity and role view as seen by the servlet container after basic auth
        out.println("<br> getRemoteUser = " + request.getRemoteUser());
        out.println("<br> getUserPrincipal = " + request.getUserPrincipal());
        out.println("<br> isUserInRole('sr_Admin') = " + request.isUserInRole("sr_Admin"));
        out.println("<br> isUserInRole('sr_Member') = " + request.isUserInRole("sr_Member"));
        out.println("</body></html>");
      }
    Anyone got any ideas what could be going wrong?
    cheers
    Matt.
    Message was edited by:
    mshannon

    Thanks for the response. I checked out your blog and tried your suggestions. I'm sure it works well in standalone OC4J, but i was still unable to get it to function correctly from JDeveloper embedded.
    Did you ever get the code working directly from JDeveloper?
    Your custom code essentially seems to be the equivalent of a grant within system-jazn-data.xml.
    For example, the following grant to a custom jaas role (JAAS_ADMIN) that gets added by my custom login module gives them rmi login access :-
         <grant>
              <grantee>
                   <principals>
                        <principal>
                             <realm-name>jazn.com</realm-name>
                             <type>role</type>
                             <class>kr.security.principals.KRRolePrincipal</class>
                             <name>JAAS_Admin</name>
                        </principal>
                   </principals>
              </grantee>
              <permissions>
                   <permission>
                        <class>com.evermind.server.rmi.RMIPermission</class>
                        <name>login</name>
                   </permission>
              </permissions>
          </grant>
    If I add the following to orion-application.xml
      <!-- Granting login permission to users accessing this EJB. -->
      <namespace-access>
        <read-access>
          <namespace-resource root="">
            <security-role-mapping>
              <group name="JAAS_Admin"></group>
            </security-role-mapping>
          </namespace-resource>
        </read-access>
    Running a standalone client against the embedded JDev OC4J server gives the namespace-access error.
    I tried out your code by essentially creating a static reference to a singleton class that does the role lookup/provisioning with the RMI login grant.
    From the custom login module:
      private static KRSecurityHelper singleton = new KRSecurityHelper();
      protected Principal[] m_Principals;
        Vector v = new Vector();
        v.add(singleton.getCustomRmiConnectRole());
        // set principals in LoginModule
        m_Principals = (Principal[]) v.toArray(new Principal[v.size()]);
    Singleton class:
    package kr.security;

    import com.evermind.server.rmi.RMIPermission;
    import java.util.logging.Level;
    import java.util.logging.Logger;
    import oracle.security.jazn.JAZNConfig;
    import oracle.security.jazn.JAZNException;
    import oracle.security.jazn.policy.Grantee;
    import oracle.security.jazn.policy.JAZNPolicy;
    import oracle.security.jazn.realm.Realm;
    import oracle.security.jazn.realm.RealmManager;
    import oracle.security.jazn.realm.RealmRole;
    import oracle.security.jazn.realm.RoleManager;

    public class KRSecurityHelper {
      private static final Logger LOGGER = Logger.getLogger("kr.security");
      private static final String LOGPREFIX = "[KRSecurityHelper] ";
      public static String CUSTOM_RMI_CONNECT_ROLE = "remote_connect";
      private RealmRole m_Role = null;

      public KRSecurityHelper() {
        LOGGER.log(Level.FINEST, LOGPREFIX + "calling JAZNConfig.getJAZNConfig");
        JAZNConfig jc = JAZNConfig.getJAZNConfig();
        LOGGER.log(Level.FINEST, LOGPREFIX + "calling jc.getRealmManager");
        RealmManager realmMgr = jc.getRealmManager();
        try {
          // Get the default realm .. e.g. jazn.com
          LOGGER.log(Level.FINEST, LOGPREFIX + "calling jc.getDefaultRealm");
          Realm r = realmMgr.getRealm(jc.getDefaultRealm());
          LOGGER.log(Level.INFO, LOGPREFIX + "default realm: " + r.getName());
          // Access the role manager for the remote connection role
          LOGGER.log(Level.FINEST, LOGPREFIX + "calling default_realm.getRoleManager");
          RoleManager roleMgr = r.getRoleManager();
          LOGGER.log(Level.INFO, LOGPREFIX + "looking up custom role '" + CUSTOM_RMI_CONNECT_ROLE + "'");
          RealmRole rmiConnectRole = roleMgr.getRole(CUSTOM_RMI_CONNECT_ROLE);
          if (rmiConnectRole == null) {
            LOGGER.log(Level.INFO, LOGPREFIX + "role does not exist, create it...");
            rmiConnectRole = roleMgr.createRole(CUSTOM_RMI_CONNECT_ROLE);
            LOGGER.log(Level.FINEST, LOGPREFIX + "constructing new grantee");
            Grantee gtee = new Grantee(rmiConnectRole);
            LOGGER.log(Level.FINEST, LOGPREFIX + "constructing login rmi permission");
            RMIPermission login = new RMIPermission("login");
            LOGGER.log(Level.FINEST, LOGPREFIX + "constructing subject.propagation rmi permission");
            RMIPermission subjectprop = new RMIPermission("subject.propagation");
            // make policy changes: grant both RMI permissions to the new role
            LOGGER.log(Level.FINEST, LOGPREFIX + "calling jc.getPolicy");
            JAZNPolicy policy = jc.getPolicy();
            if (policy != null) {
              LOGGER.log(Level.INFO, LOGPREFIX
                + "add to policy grant for RMI 'login' permission to " + CUSTOM_RMI_CONNECT_ROLE);
              policy.grant(gtee, login);
              LOGGER.log(Level.INFO, LOGPREFIX
                + "add to policy grant for RMI 'subject.propagation' permission to " + CUSTOM_RMI_CONNECT_ROLE);
              policy.grant(gtee, subjectprop);
              // re-read the role so the stored instance reflects the persisted state
              m_Role = roleMgr.getRole(CUSTOM_RMI_CONNECT_ROLE);
              LOGGER.log(Level.INFO, LOGPREFIX + m_Role.getName() + ":" + m_Role.getFullName());
            } else {
              LOGGER.log(Level.WARNING, LOGPREFIX + "Cannot find jazn policy!");
            }
          } else {
            LOGGER.log(Level.INFO, LOGPREFIX + "custom role already exists");
            m_Role = rmiConnectRole;
          }
        } catch (JAZNException e) {
          LOGGER.log(Level.WARNING, LOGPREFIX + "Cannot configure JAZN for remote connections", e);
        }
      }

      public RealmRole getCustomRmiConnectRole() {
        return m_Role;
      }
    }
    Using the code approach and switching application.xml across so that namespace access is for the group remote_connect, I get the following error from my bean:
    INFO: Login permission not granted for current-workspace-app (test.user)
    Thus, the login permission that I'm adding through the custom remote_connect role does not seem to work. Even if it did, i'm pretty sure I would still get that namespace error.
    This has been such a frustrating process. All the custom login module samples using embedded JDeveloper show simple j2ee servlet protection based on settings in web.xml.
    There are no samples showing jdeveloper embedded oc4j using ejb with custom login modules.
    Hopefully the oc4j jdev gurus like Frank can write a paper that demonstrates this.
    Matt.

  • Custom login module on OC4J 10.1.3.3.0

    Hi,
    I need to implement custom web form-based authentication on OC4J, in order to port an existing JBoss app. I was following Frank's example at http://www.oracle.com/technology/products/jdev/howtos/10g/jaassec/index.htm. Trying to access protected pages will correctly redirect to the j_security_check page, and from there call my custom login module - through LoginContext. The issue is that - even if the LoginModule correctly authenticates user's credentials, the request still doesn't get through, coming back to the authentication page.
    I perform the deployment using Oracle Enterprise Manager, and the relevant files are:
    web.xml:
    <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>testJAAS</realm-name>
    <form-login-config>
    <form-login-page>/jsp/login.jsp</form-login-page>
    <form-error-page>/jsp/login.jsp</form-error-page>
    </form-login-config>
    </login-config>
    <!-- Security constraints -->
    <security-constraint>
         <web-resource-collection>
         <web-resource-name>Test Secure Application</web-resource-name>
         <description>Requires users to authenticate</description>
         <url-pattern>faces/*</url-pattern>
         <http-method>POST</http-method>
         <http-method>GET</http-method>
         <http-method>HEAD</http-method>     
         <http-method>PUT</http-method>     
         </web-resource-collection>     
         <auth-constraint>
         <description>Only allow role1 users</description>
         <role-name>role1</role-name>
         </auth-constraint>     
         <user-data-constraint>
         <description>Encryption is not required for the application in general. </description>
         <transport-guarantee>NONE</transport-guarantee>
         </user-data-constraint>
    </security-constraint>
    <!-- Define the security role(s) -->
    <security-role>
    <description>Example role</description>
    <role-name>role1</role-name>
    </security-role>
    orion-web.xml:
    schema-major-version="10" schema-minor-version="0" >
         <!-- Uncomment this element to control web application class loader behavior.
              <web-app-class-loader search-local-classes-first="true" include-war-manifest-class-path="true" />
         -->
         <resource-ref-mapping name="jdbc/lics" />
         <security-role-mapping name="role1">
              <group name="oc4j-app-administrators" />
         </security-role-mapping>
         <web-app>
         </web-app>
    orion-application.xml:
         <jazn provider="XML" >
              <property name="jaas.username.simple" value="true" />
              <property name="custom.loginmodule.provider" value="true" />
              <property name="role.mapping.dynamic" value="true" />
         </jazn>
    system-jazn-data.xml:
    <jazn-loginconfig>
         <application>
              <name>le5</name>
              <login-modules>
                   <login-module>
                        <class>com.tx.lic.oc4jsx.ext.LicLoginModule</class>
                        <control-flag>required</control-flag>
                        <options>
                             <option>
                                  <name>defaultRole</name>
                                  <value>role1</value>
                             </option>
                        </options>
                   </login-module>
              </login-modules>
         </application>
    I assume something is wrong with the deployment configuration, because when I specifically add users to the defined role1 role, it works fine (see below). But this is not an option, since users should only be specified in the data store of the LoginModule.
    Doing as above, the orion-web.xml is below:
         <resource-ref-mapping name="jdbc/lic" />
         <security-role-mapping name="role1">
              <group name="oc4j-app-administrators" />
              <user name="user1" />
              <user name="user2" />
         </security-role-mapping>
    Any insight would be much appreciated. Thanks.

    Hi,
    role to group mapping doesn't seem to work for custom LoginModules. This means that your web application (web.xml) should use the same role names as used in the database authentication. So remove
    <security-role-mapping name="role1">
    <group name="oc4j-app-administrators" />
    </security-role-mapping>
    from orion-web.xml and it should start working
    Frank
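
    As an added example that is not part of this thread and is neither SAP's nor Oracle's code, the following stand-alone Java program makes two points from the replies above concrete: Vishal's "add your login module to the ticket template's login stack" (a JAAS stack is an ordered list of modules with control flags, and a module's commit() runs only after every module's login() in the stack has been evaluated), and Frank's observation that with a custom LoginModule the role names the module places into the Subject must be exactly the role names the application declares, because no group mapping rescues a mismatch. The user table, the stack name "ticket", the SimplePrincipal class and the module names are assumptions made for this example.

```java
// Added example, not code from this thread, SAP or Oracle: a stand-alone JAAS stack showing
// what "adding a login module to a login stack" means, how the control flags combine, and the
// role principals a custom module adds in commit() so that the container's role names (web.xml
// <role-name>) match without a group mapping. User table, stack name, classes: all constructed.
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.spi.LoginModule;

public class JaasStackDemo {
    /** Principal with a kind ("user" or "role"); role names must equal the container's role names. */
    public static final class SimplePrincipal implements Principal {
        final String kind, name;
        SimplePrincipal(String kind, String name) { this.kind = kind; this.name = name; }
        public String getName() { return name; }
        public String toString() { return kind + ":" + name; }
    }
    /** Constructed in-memory user table: password, locked flag, roles (a real store holds hashes). */
    static final class Account {
        final char[] password; final boolean locked; final String[] roles;
        Account(String pw, boolean locked, String... roles) { password = pw.toCharArray(); this.locked = locked; this.roles = roles; }
    }
    static final Map<String, Account> USERS = new HashMap<>();
    static { USERS.put("alice", new Account("s3cret", false, "role1")); USERS.put("bob", new Account("hunter2", true, "role1")); }

    /** Custom module: credentials are verified in login(); principals are added only in commit(). */
    public static class TableLoginModule implements LoginModule {
        private Subject subject; private CallbackHandler handler;
        private String user; private Account account; private boolean ok;
        private final List<Principal> added = new ArrayList<>();
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) { subject = s; handler = h; }
        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try { handler.handle(new Callback[] { nc, pc }); }
            catch (Exception e) { throw new LoginException("callback failed: " + e); }
            user = nc.getName();
            char[] pw = pc.getPassword();
            pc.clearPassword();
            Account a = USERS.get(user);
            // Distinct exception types carry the real reason to the caller's log;
            // "locked" is reported only after the password has been verified.
            if (a == null || !Arrays.equals(a.password, pw)) throw new FailedLoginException("bad credentials");
            if (a.locked) throw new AccountLockedException("account locked");
            account = a; ok = true; return true;
        }
        public boolean commit() {
            if (!ok) return false;
            added.add(new SimplePrincipal("user", user));
            for (String r : account.roles) added.add(new SimplePrincipal("role", r));
            subject.getPrincipals().addAll(added);
            return true;
        }
        public boolean abort() { ok = false; added.clear(); return true; }
        public boolean logout() { subject.getPrincipals().removeAll(added); added.clear(); return true; }
    }
    /** Module that always fails, used to show how the control flags combine. */
    public static class AlwaysFailModule implements LoginModule {
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> sh, Map<String, ?> o) {}
        public boolean login() throws LoginException { throw new FailedLoginException("always fails"); }
        public boolean commit() { return false; }
        public boolean abort() { return true; }
        public boolean logout() { return true; }
    }

    /** Programmatic equivalent of a <login-modules> stack registered under the name "ticket". */
    static Configuration stack(final AppConfigurationEntry... entries) {
        return new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String n) { return "ticket".equals(n) ? entries : null; }
        };
    }
    static AppConfigurationEntry entry(Class<?> m, LoginModuleControlFlag f) { return new AppConfigurationEntry(m.getName(), f, Collections.<String, Object>emptyMap()); }

    /** Runs the stack with the given credentials; returns the role names on success, throws on failure. */
    static Set<String> authenticate(Configuration c, final String u, final String p) throws LoginException {
        CallbackHandler h = new CallbackHandler() {
            public void handle(Callback[] cbs) throws UnsupportedCallbackException {
                for (Callback cb : cbs) {
                    if (cb instanceof NameCallback) ((NameCallback) cb).setName(u);
                    else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(p.toCharArray());
                    else throw new UnsupportedCallbackException(cb);
                }
            }
        };
        LoginContext lc = new LoginContext("ticket", new Subject(), h, c);
        lc.login();
        Set<String> roles = new TreeSet<>();
        for (SimplePrincipal sp : lc.getSubject().getPrincipals(SimplePrincipal.class)) if (sp.kind.equals("role")) roles.add(sp.name);
        return roles;
    }

    public static void main(String[] args) {
        Configuration lenient = stack(entry(TableLoginModule.class, LoginModuleControlFlag.REQUIRED), entry(AlwaysFailModule.class, LoginModuleControlFlag.OPTIONAL));
        Configuration strict = stack(entry(TableLoginModule.class, LoginModuleControlFlag.REQUIRED), entry(AlwaysFailModule.class, LoginModuleControlFlag.REQUIRED));
        Object[][] runs = { { lenient, "alice", "s3cret" }, { lenient, "alice", "wrong" }, { lenient, "bob", "hunter2" }, { strict, "alice", "s3cret" } };
        for (Object[] r : runs) {
            String label = r[1] + " on " + (r[0] == strict ? "strict" : "lenient") + " stack";
            try { System.out.println(label + " -> roles " + authenticate((Configuration) r[0], (String) r[1], (String) r[2])); }
            catch (LoginException e) { System.out.println(label + " -> " + e.getClass().getSimpleName() + ": " + e.getMessage()); }
        }
    }
}
```

    Compile and run it with javac JaasStackDemo.java && java JaasStackDemo. On the lenient stack alice logs in and ends up with role1 even though the OPTIONAL module fails; a wrong password surfaces as FailedLoginException and the locked account bob as AccountLockedException, which is what lets a container log the real reason while the user still sees a generic message. On the strict stack the very same correct password fails, because a REQUIRED module failed, and since the commit phase never runs the Subject is left without principals. The role principal carries the literal name "role1", matching the web.xml role name, which is the arrangement Frank's reply describes. A production module would compare against a stored password hash rather than a plaintext table.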
