Use custom JAAS LoginModule without UME - possible?

Similar Messages

• How to capture LoginException throwed by Customized JAAS LoginModule?

  I have a customized JAAS LoginModule deployed on WebLogic, when authentication fails, it throws LoginException("Incorrect Password");
  At remote fat-client side, I use following code to login to WebLogic:
  Environment env = new Environment();
  env.setInitialContextFactory(weblogic.jndi.Environment.DEFAULT_INITIAL_CONTEXT_FACTORY);
  env.setProviderUrl(url);
  env.setSecurityPrincipal("user1");
  env.setSecurityCredentials("wrong password");
  Subject subject = new Subject();
  Authenticate.authenticate(env, subject);
  With the wrong password, the client get exception:
  javax.security.auth.login.LoginException: java.lang.SecurityException: User: user1, failed to be authenticated. (The exception message is replaced :-( )
  How can the fat-client get the exact Exception("Incorrect Password") which is thowed by the LoginModule ???

  I have also had the same problem. In the end, it is not possible to propagate a sub-class of a LoginException (or any other type of exception) to a remote client. The WLS Security Framework will always return to the caller its stand LoginException and message. The WLS documentation also clearly states this. Sorry to disappoint. The only other suggestion I have is to pass the name and credentials to a server-side client authentication proxy and let it return the authenticated Subject or a customized LoginException to the client (the server-side proxy should of course not required any authorization).
  Let me know if you come up with some other way!
  Eitan

• Expired Password Custom JAAS LoginModule

  Hello,
  We need to be able to determine how long till a user's password expires.  We are authenticating with ldap / Microsoft AD.  We have attempted to create a jaas login module which causes the login to to be forwarded to the changePasswordPage.jsp unsuccessfully.  How can we implement so that if the password is expired the changePassword.jsp is shown?  Do we need to write the LoginComponent from scratch or is there another way?
  Thanks in Advance

  Hi Matthew,
  Did you solve the problem when the users password expires? We're experiencing the same problem!
  Thanks,
  Joachim

• JAAS LoginModule - how do I get the "JSessionId"

  Hi,
  is there any possibility to get the JSessionId from a custom JAAS LoginModule for the WebAS 6.40 Server.
  My first attempt was to read the JSESSIONID-Cookie from the Http-Request via the HttpGetterCallback-Class.
  ((HttpGetterCallback) callbacks[1]).setType(HttpCallback.COOKIE);
  ((HttpGetterCallback) callbacks[1]).setName("JSESSIONID");
  It worked well, till I noticed that sometimes the JSessionId-Cookie doesn't exist.
  The reason is, that the JSession-Cookie was set after the http-request has passed my login-modul.
  So, if I got a cookie-value, it sometimes was the JSessionID from an earlier session.
  So, my question:
  Is there any other posibility to get the JSessionId?
  If there is a way to get the ServletRequest-instance,  I could reach the SessionId via "HttpServletRequest.getSession()".
  Any idea? Any hints?
  Regards
  Steffen Spahr

  This is only available for NetWeaver Portal, not NetWeaver Application Server(WebAS). host and port can be obtained using the following code:
                 Callback[] callbacks = new Callback[3];
                 callbacks[0] = new NameCallback("UserId: ");
                 callbacks[1] = new PasswordCallback("Password: ", false);
                 // get host name and port
                 HttpGetterCallback getterCallback = new HttpGetterCallback();
                 getterCallback.setType(HttpCallback.HEADER);
                 getterCallback.setName("Host");
                 callbacks[2] = getterCallback;
                 try {
                      callbackHandler.handle(callbacks);
                 } catch (Exception ex) {
                      throw new LoginException(ex + "");
                 Object retValue = ((HttpGetterCallback)callbacks[2]).getValue(); //get host
  host and port will be returned in the following format SERVER.COMPANY.COM:50000
  Currently WebAS is not able to return the resource as per SAP development.

• Accessing Tomcat 4.03 JNDI service from JAAS LoginModule

  Hi!
  I have following problem:
  I have custom JAAS LoginModule that uses JNDI to lookup DataSource object.
  My LoginModule and LoginConfiguration implementation classes are located
  in Tomcat's classpath.
  I tried first to put JAAS related classes under [TOMCAT-HOME]/common/lib,
  but that caused exception:"Unable to load LoginConfiguration".
  It looks like Java's core classes have no access/visibility to classes under Tomcat.
  I'm using JAAS authentication directly from a servlet, so I'm using no
  Tomcat specific realms in authentication.
  Servlet just calls:
       LoginContext lc = new LoginContext( jaasApplName,
  customUserPasswordCallbackHandler );
       lc.login( );
  Everything works fine until LoginModule tries to lookup datasource
  after obtaining InitialContext with
            InitialContext initCtx = new InitialContext( );
            DataSource ds = (javax.sql.DataSource) initCtx.lookup(
  dataSourceName );
  I got exception with message : "Name MIPCoreDS is not bound in this
  context.".
  MIPCoreDS is configured in Tomcats configuration file server.xml under
  <GlobalNamingResources> tag.
  Should this be visible for JAAS Login module or not?
  When servlet's make same lookup under Tomcat, datasource is found fine.
  It seems that loginModules have no visibility to JNDI objects configured
  under Tomcat.
  Is this right?
  Is it possible any way to put JAAS working with Tomcat 4.0.3, so
  that LoginModules can access JNDI objects bound to Tomcat's JNDI service?
  Is it possible to call Tomcat's JNDI service outside Tomcat?
  Any help is appreciated.
  Best Regards,
  Aki

  Using JAAS in Servlets is messy - I found a working example at
  http://www.loadedanswers.com
  go to the Documents section and the eg is there.
  Have fun :)

• JAAS LoginModule for SunOne Directory Server?

  I have a customer who is using SunOne Directory Server for LDAP.
  I have test code that uses the JAAS's com.sun.security.auth.module.JndiLoginModule to do authentication against an OpenLDAP test server.
  The test code won't work at the customer site because they need to use a special userid/pw along with the subject userid/pw in order to do an authentication. I assume this is LDAP v3 stuff, but the customer is unsure. Unfortunately I have no direct access to the customer's LDAP admin folk. Typical bureaucracy stuff.
  The customer was able to write java code that authenticates to his LDAP server using example code from http://java.sun.com/products/jndi/tutorial/ldap/security/ldap.html which uses the JNDI API and specifies the access userid/pw using Context.SECURITY_PRINCIPAL and Context.SECURITY_CREDENTIALS.
  So thats great, however my application uses JAAS, and therfore only indirectly uses JNDI. The JndiLoginModule provided by JAAS does not appear to support the Context.SECURITY_PRINCIPAL and Context.SECURITY_CREDENTIALS parameters.
  A custom JAAS LoginModule could be written which interfaces to the JNDI LDAP stuff, however considering that JAAS and the SunOne Directory server are both Sun products, I thought perhaps SunOne Directory comes with a JAAS compatible LoginModule that my customer does not know about? I've looked at online docs, but haven't found any such thing yet.

  Hey dav,
  Sorry that I am not posting to give you a solution - it is more to ask for some guidance.
  I am implementing a client-server arch system which has a lot of 'privileged' actions to be managed. I have thus succesfully integrated the basics of JAAS in to the system... but I am now desparately looking for away to have client-side policies distributed at runtime from the server.
  I do not want to get involved with any web/application server stuff more than I need to; unfortunately one of the system requirements is for client-server comms to be facilitated by SOAP over HTTP, and thus probably JAX-RPC - but it is no problem. I have a developed a database backed Policy and (JAAS) Config which constitute parts of the server component. Now it is just a case of getting the policy to the client at client start-up and subsequently the configuration forJAAS authentication. The aim is that this data will be transfered once during login, and anytime that the the policy is requested to be refreshed.
  Since reading you post, I'm wondering what services LDAP or JNDI can offer me?
  Also, is JNDI an appropriate option for data persistence? is it better to go with JDO or some other object store abstraction.
  Kind regards,
  Darren B

• JAAS LoginModule - how do I get path, port, resource accessed, etc

  Hi,
  I checked everywhere including the forums, but could not get any info on this. I'm writing a custom JAAS LoginModule for the WebAS 6.40 server. I'm trying to figure out how to get the following out of the request from within login() or initialize() or any other method:
  1. Name of the webserver (i.e. the WebAS server being accessed like www.mycompany.com)
  2. Resource (e.g. /QuickCarRental)
  3. Port through which the request comes in (e.g. 50000)
  The URL being accessed in the above case is http://www.mycompany.com:50000/QuickCarRental
  Appreciate your help, and points will be awarded. Have a nice day
  R Abraham

  This is only available for NetWeaver Portal, not NetWeaver Application Server(WebAS). host and port can be obtained using the following code:
                 Callback[] callbacks = new Callback[3];
                 callbacks[0] = new NameCallback("UserId: ");
                 callbacks[1] = new PasswordCallback("Password: ", false);
                 // get host name and port
                 HttpGetterCallback getterCallback = new HttpGetterCallback();
                 getterCallback.setType(HttpCallback.HEADER);
                 getterCallback.setName("Host");
                 callbacks[2] = getterCallback;
                 try {
                      callbackHandler.handle(callbacks);
                 } catch (Exception ex) {
                      throw new LoginException(ex + "");
                 Object retValue = ((HttpGetterCallback)callbacks[2]).getValue(); //get host
  host and port will be returned in the following format SERVER.COMPANY.COM:50000
  Currently WebAS is not able to return the resource as per SAP development.

• JAAS LoginModule sample

  Is there a sample on how to develop a custom JAAS LoginModule that uses Identity Server?

  I also want the similar sample, If some has worked with it then please help us ...
  Thanx
  Yasir Khan

• Is it possible to run Posture using ISE 1.2 without NAC Agent provisioning?

  Is it possible to run Posture using ISE 1.2 without NAC Agent provisioning?
  -My customer does not want to push NAC Agent installation on BYOD type of computers (non-managed by the company computers).
  -The requirement is to check for posture only company owned wired, wireless, and VPN connected Windows computers. The rest of the endpoints should be considered as posture incompliant, and limited access to the network should be allowed.
  -No certificates are used.
  -I’ve configured the required posture check, and it all works fine if a PC has NAC Agent manually installed (without ISE Client Provisioning). However, when I use a PC without NAC Agent, it is redirected to Client Provisioning Portal and is stuck there as Client Provisioning is deliberately not configured in ISE.
  -If I remove Posture Remediation Authorization Profile that does URL redirect, the posture does not work.
  -For now I'm testing it on wired endpoints.
  Is there a way to configure ISE to fulfill the listed above requirements?
  Any ideas would be appreciated.
  Thanks,
  Val Rodionov

  Everyone who finds reads this article,
  I'm answering my own quesiton "Is it possible to run Posture using ISE 1.2 without NAC Agent provisioning?"
  The answer is Yes.
  After doing research and configuration testing I came up with a solution, and it works fine for wired and VPN connections. I expect it to work on wireless endpoints as well.
  ISE configuration:
  Posture General Settings - Default Posture Status = NonCompliant
  Client Provisioning Policy - no rules defined
  Posture Policy - configured per requirements
  Client Provisioning (under Administration > Settings) - Enable Provisioning = Enable (it was disabled in my first test)
  Authorization Policies configured as regular posture policies
  The result:
  After successful dot1x authentication posture redirect happens. If the PC does not have NAC Agent preinstalled, the browser is redirected to Client Provisioning Portal and a default ISE message is displayed (ISE is not able to apply and access policy... wait one minute and try to connect again...). At the same time, the endpoint is assigned NonCompliant posture status and proper authorization policy is applied. This is what I wanted to achieve.
  If NAC Agent was preinstalled on the PC, after successful dot1x authentication the NAC Agent pops up and performs posture check. If posture is successful, posture compliant authorization policy is applied. If posture check fails, NonCompliant posture status is assigned and posture non-compliant authorization policy is applied. Which is the expected and needed result.
  The only part that is not perfect it the message displayed to the end-user when posture is about to fail. I did not find a place to change the text of that message. I might need to open TAC case, so this file can be manually found and edited from CLI (root access).
  Best,
  Val Rodionov

• I am using a mac mini 2011 an 3gs i phone 2010 macbook white 2008 and a new 2013 apple tv box. When i check info on the cloud I get 'upgrade your operating system to the latest. My question is is it possible to use the icloud system without an upgrade

  I am using a mac mini 2011 an 3gs i phone 2010 macbook white 2008 and a new 2013 apple tv box. When i check info on the cloud I get 'upgrade your operating system to the latest. My question is is it possible to use the icloud system without an upgrade

  iCloud requires OS X 10.7.2.

• How to create new Custom XML Report without using Form Builder

  Hi,
  What are the steps to create new Custom XML Report without using Report Builder ?
  Thanks and Regards,
  Abhi

  Hi,
  Steps we now follow
  1)Create Data Model in Reports Builder
  2)Create xml
  3)Insert xml in Publisher to build Fomat
  4)FTp rdf
  5)Create Data Definition and Template
  6)Create executable and Concurrent Program
  Is there any way we can build reports without use of Report Builder ? By writing PL SQL Package for Before Report and After Report etc ...
  Thanks and Regards,
  Abhijit Rode

• If I am buying single app adobe premier pro by annual prepaid plan,after the after the end of the year subscription would it be possible to use the program further without updating or I should pay each year?

  If I am buying single app adobe premier pro by annual prepaid plan,after the after the end of the year subscription would it be possible to use the program further without updating or I should pay each year?

  Thanks
  2 бер. 2015 15:50, користувач "Peru Bob" <[email protected]> написав:
      If I am buying single app adobe premier pro by annual prepaid
  plan,after the after the end of the year subscription would it be possible
  to use the program further without updating or I should pay each year?
  created by Peru Bob <https://forums.adobe.com/people/Peru+Bob> in *Premiere
  Pro* - View the full discussion
  <https://forums.adobe.com/message/7243337#7243337>

• Custom JAAS Module - How to use in certification test?

  Hello,
  I just read the document about certification for custom JAAS modules ("BC-AUTH-SAML Test Plan"). What I don't understand is how our custom login module can get the custom information it needs (like a certain request parameter).
  First, what we would like to do is to create a JAAS module which examines proprietary login tickets created by our reverse proxy / authentication server. The example code shows how to retrieve HTTP parameter and headers using the callback methods, so that part is all fine and clear to me.
  But for the certification test, the description says that in order to execute the test, the browser must be opened with a certain URL (Test 1, GET w/o password change). That action alone must lead to a valid authentication. However, in your real-world setup, the reverse proxy - sitting between the browser client and the SAP system - would insert a custom HTTP header with the login ticket. Obviously, in the test setup as dictated by the certification document, we don't have our reverse proxy, so my question basically is:
  How can I add custom HTTP headers or parameters while running the certification test?

  I'd gladly send you something by mail. Two other details first:
  - My name is actually not Remo, but Marcel Schoen. I'm just using a company account for this forum. My address is marcel.schoen<at>united-security-providers.ch
  - I'm swiss. Do you speak german? Your name sounds german. Falls ja koennen wir das auch auf Deutsch weiter besprechen.
  In short, our product is a Web Application Firewall; a reverse proxy for protecting and integrating web applications. Some of the functionality also allows to implement single-sign-on over existing legacy applications with different user bases. And now we're looking into ways to integrate SAP application servers as well (right now, the JAAS module and SAML are the two most likely approaches).

• Is it possible to use Custom Password Algorithm in SQLAuthenticator?

  Dear All,
  I need to use User table of my other application for OBIEE authentication.
  I'm trying to use database tables as authentication provider in WebLogic.
  But my password is using custom algorithm.
  Similar like:
  create or replace FUNCTION encpass
  ( p_username in varchar2, p_password in varchar2 ) return varchar2 is
  begin
     return ltrim( to_char( dbms_utility.get_hash_value(upper(p_username)||'##'||upper(p_password),
              1000000000, power(2,30) ), rpad( 'X',29,'X')||'X' ) );
  end digest;Is it possible to use custom algorithm on OBIEE authentication? If possible, how?
  Thank you,
  Eba

  I had same situation like this & just put a custom function at application side, to convert the password in same format what saved in database.
  While my wls setting was SHA-1 & PLAIN PASSWORD.

• Help - using custom login module with embedded jdev oc4j to access ejb 3

  Hi All (Frank ??),
  I'm just wondering if anyone has successfully been able to leverage a custom login module in combination
  with a client that connects to a local EJB 3 stateless session bean through Jdeveloper 10.1.3.2's embedded oc4j.
  I have spent 2+ days trying to get this to work - and i think I resound now to the fact im going to
  have to deploy to oc4j standalone instead.
  I got close.. but finally was trumped with the following error from the client trying to access the ejb:-
  javax.naming.NoPermissionException: Not allowed to look up XXXXXX, check the namespace-access tag
  setting in orion-application.xml for details.
  Using the various guides available, I had no problem getting the custom login module working
  with a local servlet running from JDev's embedded oc4j.. however with ejb - no such luck.
  I have a roles table (possible values Member, Admin) - that maps to sr_Member and sr_Admin
  respectively in various config files.
  I'm using EJB 3 annotations for protecting methods .. for example
  @RolesAllowed("sr_Member")
  Steps that I had to do so far :-
  In <jdevhome>\jdev\system\oracle.jwee.10.1.3.40.66\embedded-oc4j\config\system-jazn-data.xml1) Add custom login module
      <application>
        <name>current-workspace-app</name>
        <login-modules>
          <login-module>
            <class>kr.security.KnowRushLoginModule</class>
            <control-flag>required</control-flag>
            <options>
              <option>
                <name>dataSource</name>
                <value>jdbc/DB_XE_KNOWRUSHDS</value>
              </option>
              <option>
                <name>user.table</name>
                <value>users</value>
              </option>
              <option>
                <name>user.pk.column</name>
                <value>id</value>
              </option>
              <option>
                <name>user.name.column</name>
                <value>email_address</value>
              </option>
              <option>
                <name>user.password.column</name>
                <value>password</value>
              </option>
              <option>
                <name>role.table</name>
                <value>roles</value>
              </option>
              <option>
                <name>role.to.user.fk.column</name>
                <value>user_id</value>
              </option>
              <option>
                <name>role.name.column</name>
                <value>name</value>
              </option>
            </options>
          </login-module>
        </login-modules>
      </application>2) Grant login rmi permission to roles associated with custom login module (also in system-jazn-data.xml)
    <grant>
      <grantee>
        <principals>
          <principal>
            <realm-name>jazn.com</realm-name>
            <type>role</type>
            <class>kr.security.principals.KRRolePrincipal</class>
            <name>Admin</name>
          </principal>
        </principals>
      </grantee>
      <permissions>
        <permission>
          <class>com.evermind.server.rmi.RMIPermission</class>
          <name>login</name>
        </permission>
      </permissions>
    </grant>
    <grant>
      <grantee>
        <principals>
          <principal>
            <realm-name>jazn.com</realm-name>
            <type>role</type>
            <class>kr.security.principals.KRRolePrincipal</class>
            <name>Member</name>
          </principal>
        </principals>
      </grantee>
      <permissions>
        <permission>
          <class>com.evermind.server.rmi.RMIPermission</class>
          <name>login</name>
        </permission>
      </permissions>
    </grant>3) I've tried creating various oracle and j2ee deployment descriptors (even though ejb-jar.xml and orion-ejb-jar.xml get created automatically when running the session bean in jdev).
  My ejb-jar.xml contains :-
  <?xml version="1.0" encoding="utf-8"?>
  <ejb-jar xmlns ....
    <assembly-descriptor>
      <security-role>
        <role-name>sr_Admin</role-name>
      </security-role>
      <security-role>
        <role-name>sr_Member</role-name>
      </security-role>
    </assembly-descriptor>
  </ejb-jar>Note- i'm not specifying the enterprise-beans stuff, as JDev seems to populate this automatically.
  My orion-ejb-jar.xml contains ...
  <?xml version="1.0" encoding="utf-8"?>
  <orion-ejb-jar ...
    <assembly-descriptor>
      <security-role-mapping name="sr_Admin">
        <group name="Admin"></group>
      </security-role-mapping>
      <security-role-mapping name="sr_Member">
        <group name="Member"></group>
      </security-role-mapping>
      <default-method-access>
        <security-role-mapping name="sr_Member" impliesAll="true">
        </security-role-mapping>
      </default-method-access>
    </assembly-descriptor>My orion-application.xml contains ...
  <?xml version="1.0" encoding="utf-8"?>
  <orion-application xmlns ...
    <security-role-mapping name="sr_Admin">
      <group name="Admin"></group>
    </security-role-mapping>
    <security-role-mapping name="sr_Member">
      <group name="Member"></group>
    </security-role-mapping>
    <jazn provider="XML">
      <property name="role.mapping.dynamic" value="true"></property>
      <property name="custom.loginmodule.provider" value="true"></property>
    </jazn>
    <namespace-access>
      <read-access>
        <namespace-resource root="">
          <security-role-mapping name="sr_Admin">
            <group name="Admin"/>
            <group name="Member"/>
          </security-role-mapping>
        </namespace-resource>
      </read-access>
      <write-access>
        <namespace-resource root="">
          <security-role-mapping name="sr_Admin">
            <group name="Admin"/>
            <group name="Member"/>
          </security-role-mapping>
        </namespace-resource>
      </write-access>
    </namespace-access>
  </orion-application>My essentially auto-generated EJB 3 client does the following :-
        Hashtable env = new Hashtable();
        env.put(Context.SECURITY_PRINCIPAL, "matt.shannon");
        env.put(Context.SECURITY_CREDENTIALS, "welcome1");
        final Context context = new InitialContext(env);
        KRFacade kRFacade = (KRFacade)context.lookup("KRFacade");
  ...And throws the error
  20/04/2007 00:55:37 oracle.j2ee.rmi.RMIMessages
  EXCEPTION_ORIGINATES_FROM_THE_REMOTE_SERVER
  WARNING: Exception returned by remote server: {0}
  javax.naming.NoPermissionException: Not allowed to look
  up KRFacade, check the namespace-access tag setting in
  orion-application.xml for details
       at
  com.evermind.server.rmi.RMIClientConnection.handleLookupRe
  sponse(RMIClientConnection.java:819)
       at
  com.evermind.server.rmi.RMIClientConnection.handleOrmiComm
  andResponse(RMIClientConnection.java:283)
  ....I can see from the console that the user was successfully authenticated :-
  20/04/2007 00:55:37 kr.security.KnowRushLoginModule validate
  WARNING: [KnowRushLoginModule] User matt.shannon authenticated
  And that user is granted both the Admin, and Member roles.
  The test servlet using basic authentication correctly detects the user and roles perfectly...
    public void doGet(HttpServletRequest request,
                      HttpServletResponse response)
      throws ServletException, IOException
      LOGGER.log(Level.INFO,LOGPREFIX +"doGet called");
      response.setContentType(CONTENT_TYPE);
      PrintWriter out = response.getWriter();
      out.println("<html>");
      out.println("<head><title>ExampleServlet</title></head>");
      out.println("<body>");
      out.println("<p>The servlet has received a GET. This is the reply.</p>");
      out.println("<br> getRemoteUser = " + request.getRemoteUser());
      out.println("<br> getUserPrincipal = " + request.getUserPrincipal());
      out.println("<br> isUserInRole('sr_Admin') = "+request.isUserInRole("sr_Admin"));
      out.println("<br> isUserInRole('sr_Memeber') = "+request.isUserInRole("sr_Member"));Anyone got any ideas what could be going wrong?
  cheers
  Matt.
  Message was edited by:
  mshannon

  Thanks for the response. I checked out your blog and tried your suggestions. I'm sure it works well in standalone OC4J, but i was still unable to get it to function correctly from JDeveloper embedded.
  Did you ever get the code working directly from JDeveloper?
  Your custom code essentially seems to be the equivalent of a grant within system-jazn-data.xml.
  For example, the following grant to a custom jaas role (JAAS_ADMIN) that gets added by my custom login module gives them rmi login access :-
       <grant>
            <grantee>
                 <principals>
                      <principal>
                           <realm-name>jazn.com</realm-name>
                           <type>role</type>
                           <class>kr.security.principals.KRRolePrincipal</class>
                           <name>JAAS_Admin</name>
                      </principal>
                 </principals>
            </grantee>
            <permissions>
                 <permission>
                      <class>com.evermind.server.rmi.RMIPermission</class>
                      <name>login</name>
                 </permission>
            </permissions>
       </grant>If I add the following to orion-application.xml
    <!-- Granting login permission to users accessing this EJB. -->
    <namespace-access>
      <read-access>
        <namespace-resource root="">
          <security-role-mapping>
            <group name="JAAS_Admin"></group>
          </security-role-mapping>
        </namespace-resource>
      </read-access>Running a standalone client against the embedded jdev oc4j server gives the namespace-access error.
  I tried out your code by essentially creating a static reference to a singleton class that does the role lookup/provisioning with rmi login grant :-
  From custom login module :-
    private static KRSecurityHelper singleton = new KRSecurityHelper();
    protected Principal[] m_Principals;
      Vector v = new Vector();
        v.add(singleton.getCustomRmiConnectRole());
        // set principals in LoginModule
        m_Principals=(Principal[]) v.toArray(new Principal[v.size()]);
  Singleton class :-
  package kr.security;
  import com.evermind.server.rmi.RMIPermission;
  import java.util.logging.Level;
  import java.util.logging.Logger;
  import oracle.security.jazn.JAZNConfig;
  import oracle.security.jazn.policy.Grantee;
  import oracle.security.jazn.realm.Realm;
  import oracle.security.jazn.realm.RealmManager;
  import oracle.security.jazn.realm.RealmRole;
  import oracle.security.jazn.realm.RoleManager;
  import oracle.security.jazn.policy.JAZNPolicy;
  import oracle.security.jazn.JAZNException;
  public class KRSecurityHelper
    private static final Logger LOGGER = Logger.getLogger("kr.security");
    private static final String LOGPREFIX = "[KRSecurityHelper] ";
    public static String CUSTOM_RMI_CONNECT_ROLE = "remote_connect";
    private RealmRole m_Role = null;
    public KRSecurityHelper()
      LOGGER.log(Level.FINEST,LOGPREFIX +"calling JAZNConfig.getJAZNConfig");
      JAZNConfig jc = JAZNConfig.getJAZNConfig();
      LOGGER.log(Level.FINEST,LOGPREFIX +"calling jc.getRealmManager");
      RealmManager realmMgr = jc.getRealmManager();
      try
        // Get the default realm .. e.g. jazn.com
        LOGGER.log(Level.FINEST,LOGPREFIX +"calling jc.getGetDefaultRealm");
        Realm r = realmMgr.getRealm(jc.getDefaultRealm());
        LOGGER.log(Level.INFO,LOGPREFIX +"default realm: "+r.getName());
        // Access the role manager for the remote connection role
        LOGGER.log(Level.FINEST,
          LOGPREFIX +"calling default_realm.getRoleManager");
        RoleManager roleMgr = r.getRoleManager();
        LOGGER.log(Level.INFO,LOGPREFIX +"looking up custom role '"
          CUSTOM_RMI_CONNECT_ROLE "'");
        RealmRole rmiConnectRole = roleMgr.getRole(CUSTOM_RMI_CONNECT_ROLE);
        if (rmiConnectRole == null)
          LOGGER.log(Level.INFO,LOGPREFIX +"role does not exist, create it...");
          rmiConnectRole = roleMgr.createRole(CUSTOM_RMI_CONNECT_ROLE);
          LOGGER.log(Level.FINEST,LOGPREFIX +"constructing new grantee");
          Grantee gtee = new Grantee(rmiConnectRole);
          LOGGER.log(Level.FINEST,LOGPREFIX +"constructing login rmi permission");
          RMIPermission login = new RMIPermission("login");
          LOGGER.log(Level.FINEST,
            LOGPREFIX +"constructing subject.propagation rmi permission");
          RMIPermission subjectprop = new RMIPermission("subject.propagation");
          // make policy changes
          LOGGER.log(Level.FINEST,LOGPREFIX +"calling jc.getPolicy");
          JAZNPolicy policy = jc.getPolicy();
          if (policy != null)
            LOGGER.log(Level.INFO, LOGPREFIX
              + "add to policy grant for RMI 'login' permission to "
              + CUSTOM_RMI_CONNECT_ROLE);
            policy.grant(gtee, login);
            LOGGER.log(Level.INFO, LOGPREFIX
              + "add to policy grant for RMI 'subject.propagation' permission to "
              + CUSTOM_RMI_CONNECT_ROLE);
            policy.grant(gtee, subjectprop);
            // m_Role = rmiConnectRole;
            m_Role = roleMgr.getRole(CUSTOM_RMI_CONNECT_ROLE);
            LOGGER.log(Level.INFO, LOGPREFIX
              + m_Role.getName() + ":" + m_Role.getFullName() + ":" + m_Role.getFullName());
          else
            LOGGER.log(Level.WARNING,LOGPREFIX +"Cannot find jazn policy!");
        else
          LOGGER.log(Level.INFO,LOGPREFIX +"custom role already exists");
          m_Role = rmiConnectRole;
      catch (JAZNException e)
        LOGGER.log(Level.WARNING,
          LOGPREFIX +"Cannot configure JAZN for remote connections");
    public RealmRole getCustomRmiConnectRole()
      return m_Role;
  }Using the code approach and switching application.xml across so that namespace access is for the group remote_connect, I get the following error from my bean :-
  INFO: Login permission not granted for current-workspace-app (test.user)
  Thus, the login permission that I'm adding through the custom remote_connect role does not seem to work. Even if it did, i'm pretty sure I would still get that namespace error.
  This has been such a frustrating process. All the custom login module samples using embedded JDeveloper show simple j2ee servlet protection based on settings in web.xml.
  There are no samples showing jdeveloper embedded oc4j using ejb with custom login modules.
  Hopefully the oc4j jdev gurus like Frank can write a paper that demonstrates this.
  Matt.