User Authentication and User Authorization

We have a scenario where the B2B customers are being provided EP user ids so that they can access certain data and create certain transactions. there are two issues out here:
(1) For multiple EP users, there will be one single SAP Backend user mapped (which is allowed by EP). However these multiple EP users would have different authorization based on which sales area/product they access/buy and this needs to be controlled via one SAP Backend user?
(2) Under the above user mapping model, is it possible to have authentication at EP level and  authorization at SAP Backend?
(3) Once the customer accesses the EP system, then the SAP Backend system is exposed to him? Are there possibilities of having any further layer of security between EP and SAP Backend?
Looking for response to this or any documentation which addresses the above. My mail id is [email protected]

This is a broad topic, let me try to point out some key issues: (I asume, B2B means actual SRM these days.)
(1) The user that is mapped is the generic EBP/SRM user.
Therefore, the SRM does only know this specific user. There is no way to pass additional data to the SRM. Once the authentication is done, the role assignement is done by SRM (i.e. derived from the generic SRM user, not the EP User) Whenever you want to pass extra context values from the EP to SRM, you can only do this with tricks.
My experience is, that SAP wants to have a 1:1 relationship between portal users and EBP, even if the bundled mapping is "allowed". (Rather grey'ish area).
The trick copuld be to set a cookie in the portal and use a BADI together with a Javascript, to  make addiional mappings. But this would count as modification, at the end.
(2) The authentication is mappped from EP to SRM via SSO2-Ticket, which is accepted by the SRM as authentication. The authorization (role assignement etc) is done solely by the SRM.
(3) The Backend is exposed to the usual content - the EP via https is considered secure, so is the connection via https to the SRM - you can harden the rfc connection between the srm and the backend as well.

Similar Messages

  • JAAS-authentication and wls-authorization in a webapp

    Hi,
    I am developing a webapp with jsp, servlets and ejbs.
    My question:
    Is it possible to use JAAS-authentication together with wls-authorization in a
    webapp?
    thanks
    /Chriz

    Hi, Office 365 tenants indeed include an Azure AD tenant in the background and you can implement Single Sign-On against that. The authentication scenario for this case is documented
    here. For the code samples (with steps to create them) see the
    samples' Github repository, especially the
    WebApp-WSFederation-DotNet sample. 
    For the SQL database it's a bit different. Azure SQL Database connection can't be authenticated like this - there's no integration to the "domain" accounts there. So you should create one service account for the SQL connection and use that for
    all the traffic in your web app. If you need authorization for accessing certain data in SQL, you have to implement that on your web application side.

  • Authentication and Authorization Problems with IIS 6 and Jrun 4

    Hello all,
    I am using IIS 6 with JRun 4 as my app server, and I am having problems trying to get authentication and role authorization with Windows Integrated Authentication to work. I have set up IIS 6 to pass-through the authentication credentials to Jrun, without using an anonymous user. What I have done is written a small test servlet that displays the username of the logged in user, and then tries to check if a user is in a test role that I set up in my database. I have specified that a roles table is to be used by specifying a JDBCLoginModule in Jrun's auth.config file. The code for the servlet is below:
    package testauthenticationapp;
    import java.io.IOException;
    import java.io.PrintWriter;
    import javax.servlet.*;
    import javax.servlet.http.*;
    public class SecureTestServlet extends HttpServlet {
       private static final String CONTENT_TYPE =
          "text/html; charset=windows-1252";
       public void init(ServletConfig config) throws ServletException {
          super.init(config);
       public void doGet(HttpServletRequest request,
                         HttpServletResponse response) throws ServletException,
                                                              IOException {
          response.setContentType(CONTENT_TYPE);
          PrintWriter out = response.getWriter();
          out.println("<h3>REMOTE USER: " + request.getRemoteUser() + "</h3>");
          if (request.getUserPrincipal() != null){
             out.println("<h3>" +request.getUserPrincipal().getName() + "</h3>");
          } else{
             out.println("<h3>User Principal is null</h3>");
          if (request.isUserInRole("Test_Role")){
             out.println("<h3>User is in Test_Role</h3>");
          } else {
             out.println("<h3>User is NOT in Test_Role</h3>");
          out.close();
    1.  What I am seeing is that when request.getRemoteUser() is called, the username information is what I expect it to be. It is of the form <Domain>\<Username>. When I try to redisplay the username using the request object's Principal object, the call to request.getUserPrincipal() returns null. This is a little confusing to me since I thought that essentially getRemoteUser() was a short cut for calling getUserPrincipal().getName(), and if I get something for getRemoteUser, getUserPrinicipal should return something as well. I guess they work differently at some level. Has anyone ever encountered this before?
    2. When I call request.isUserInRole("Test_Role"), it returns false. I've checked the role name being called for typos in both my database and in the code, and that does not seem to be the case. I think the setup in auth.config is properly configured because I have created many other applications using declaritive FORM based authentication, and the role information was retrieved fine from the database. I would think that when I use request.isUserInRole in my servlet code it would use the same role information, but I could be wrong since this is a different type of authentication. Do you think that the reason request.isUserInRole() is returning  false could be tied to the fact that request.getUserPrincipal() is returning null (even though getRemoteUser() is returning a valid username)? How does request.isUserInRole() get its user information, by using getUserPrincipal().getName() or getRemoteUser()?
    Any help that is provided is appreciated. Thanks in advance.

    Try This...
    Close All Open Apps...  Perform a Reset... Try again...
    Reset  ( No Data will be Lost )
    Press and hold the Sleep/Wake button and the Home button at the same time for at least ten seconds, until the Apple logo appears. Release the Buttons.
    http://support.apple.com/kb/ht1430

  • Please guide me for user authentication and authorization in WebDynPro App

    Hi,
        I just study the WebDynPro to develop the SAP Portal. I've ever developed the Web-based App using J2EE. So when i developed the Web-based App i have to develop the control of the user authentication and authorization on each page for example ,checking the session of the user whether they can access this page or whether session is expired or not,. So i have no idea with the WebDynPro and the SAP Portal because i never had experience for both WebDynPro and Portal.
    I need to ask you some question to clarify my doubt :
    1. SAP Portal  is web page that include every enterprise application with in one page and user log-in to them just on time, isn't it?
    2. If i integrate WebDynPro with SAP Portal, which one will do the authentication and authorization?. I mean that, Do i have to develop the code to check authentication and authorization in the WebDynPro App or Let the SAP Portal manage them?
    3.Could you please suggest the best practice for authentication and authorization in webDynPro.
    Many Thanks
    Noppong J

    in most case you don't have to write code to deal with session, authentication and authorization.
    1. yes,
    2. no, no code needed. you just set an attribute to your application, which make the the authentication required. when user access this page, portal will display the logon page
    3 you can put some authorization related code in web dynpro for specific requirement, search this doc "Protecting Access to the Web Dynpro Car Rental Application Using UME Permissions"

  • Is it possible to do machine and user authentication in same Authorization profile?

    Hi,
    I want to know is it possible to do machine authenticaiton and user authentication happen at the same time? Some thing like this...
    Condition
    IF ( wired_802.1x and AD:externalgroup EQUAL dommain computer AND    AD:exteranalgroup EQUAL Some_domain_user_group )
    Permissions
    then Vlan x
    Basically i am trying to check a machine is part of domain and user is valid only then he should be able to have full access.
    Any help will be of great value.

    Hi,
    IF ( wired_802.1x and AD:externalgroup EQUAL dommain computer AND    AD:exteranalgroup EQUAL Some_domain_user_group )
    - Not possible
    As user and machine authentication occur at different contexts.
    ACS cannot verify the both at the same time.
    Using MAR, you can, though club the both together and achieve:
    "machine is part of domain and user is valid only then he should be able to have full access"
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/users_id_stores.html#wp1235978
    Tips for configuring MAR:
    1) Set the client to perform user or computer authentication.
    2) Create two rules in authorization, one for user and and one for machine (identity them by using group membership on AD).
    3) Enable MAR under the AD configuration page on ACS and set the aging time.
    4) In the user rule, customize and use the condition "Was machine authenticated" and set it to true.
    Rate if useful

  • Open Directory: user authentication and logining takes a lot of time

    We have Mac OS X Server Snow Leopard 10.6.8 with OpenDirectory and some iMacs with Mac OS X Snow Leopard 10.6.8. After adding Network Account Server in iMacs (System Preferences->Accounts->Login Options->Network Account Server Edit) OD works normally and users authenticate and login their accounts rather fast (5-10 seconds). But some days or weeks later the time for authentication and logining takes for about 5 minutes. If I re-add Network Account Server, then all works greatly again. What's the matter? How to avoid this re-adding?

    Hello,
    can you tell us what is the size of this Universe in terms of:
    number of tables, number of objects, size of the .unv file?
    Also, is this behaviour specific to this universe or you have other universes having the same problem?
    Last, are you 'opening it' as in File/Open or importing it as in 'File/Import...' ?
    Thanks
    PPaolo

  • See users/connections, who ar authenticated and sending huge amount of spam

    I have delay in SMTP server. SMTP server has user authentication, so it means - if someone is sendig mail to outside of my domain, he must be authenticated.
    I have turned on logging on all channels i have one main tcp_local channel, but the logging shows only information about message - from-to, reason. But does not show information about real source.
    1) how can I see, "who" is sending huge amount of mail?
    2) How can I drop connection, diallow this user for time or manage this user connections?
    At this moment queue says:
    qm.maint> summarize
    Queued Queued
    Channel Messages = Active + Delayed Size (Mb)
    ims-ms 0 0 0 0.0
    process 0 0 0 0.0
    reprocess 0 0 0 0.0
    tcp_auth 0 0 0 0.0
    tcp_intranet 0 0 0 0.0
    tcp_local 1461 1461 0 3.5
    tcp_submit 0 0 0 0.0
    Totals 1461 1461 0 3.5
    and main TOP TO domains are:
    Count Destination domain
    ====== ======================================================================
    59 hse.ie
    38 teagasc.ie
    28 oireachtas.ie
    22 entemp.ie
    18 home.com
    17 wexfordcoco.ie
    14 ireland.com

    >
    As always, please provide the exact version of Messaging Server you are running (./imsimta version).
    I have delay in SMTP server.What do you mean by this statement? What "delay"?
    SMTP server has user authentication, so it means - if someone is sendig mail to outside of my domain, he must be authenticated.
    I have turned on logging on all channels i have one main tcp_local channel, but the logging shows only information about message - from-to, reason. But does not show information about real source.There is a whole guide about how to get additional logging information here:
    http://docs.sun.com/app/docs/doc/819-4428/bgbex?a=view
    e.g. enable LOG_USERNAME to see the user that authenticated, and LOG_CONNECTION to see additional IP connection information.
    1) how can I see, "who" is sending huge amount of mail?
    2) How can I drop connection, diallow this user for time or manage this user connections? You could change the users password to stop them authenticating, or set their mailuserstatus: attribute to disabled and so forth.
    Regards,
    Shane.

  • Transport roles and analysis authorization with user assigned

    Hi expert,
    I face with this problem transport roles and analysis authorization with user assigned. When I have created a transport request to move the roles and analysis authorization from development system to test system. I couldnu2019t maintain the user assigned, after transport I have to assigned manually all of user or create a program to fill AGR_USER table or there are other way.
    Thanks for your time,
    Luis

    Hi,
    In role administration, you have the following options for transporting roles:
    You can download the roles from one system and upload them into another  
    You can import the role from a remote system using RFC  
    You can transport the roles with the transport function.
    Role upload loads all role data, including authorization data from a file into the SAP system. The user assignments for the role and the generated profiles for the role are exceptions in this case.
    Transporting Roles with the Role Transport Function
           1.      Start the role administration function by choosing Tools ® Administration ® User Maintenance ® Role Administration ® Roles (transaction PFCG).
           2.      Enter the role to be transported and choose Transport Role.
    The Mass Transport of Roles screen appears. You can control the default settings for the options Also transport single roles for composite roles and Also transport generated profiles for roles using Customizing switches (see Role Administration Functions in the section Functions of the Utilities Menu).
    You should not change the authorizations profiles of the role after you have included the role in a transport request. If you need to change the profiles or generate them for the first time, transport the entire role again afterwards.
    For more information go thrpugh the below link
    http://help.sap.com/saphelp_nw70/helpdata/EN/6d/7c8cfd410ea040aadf92e1f78107a4/content.htm
    Regards,
    Marasa.

  • Machine Authentication and User Authentication with ACS v5.1... how?

    Hi!
    I'm having trouble setting up Machine Authentication and User Authentication on ACS v5.1 using WinXP SP3 (or SP2) as supplicant.
    This is the goal:
    On wireless (preferably on wired too) networks, get the WinXP to machine authenticate against AD using certificates so the machine is possible to reach via for example ping, and it can also get GPO Updates.
    Then, when the user actually logs in, I need User Authentication, so we can run startup scripts, map the Home Directory and so on.
    I have set up a Windows Sertificate server, and the client (WinXP) are recieving both machine and user certificates just fine.
    I have also managed to set up so Machine Authenticaton works, by setting up a policy rule that checks on certificate only:
    "Certificate Dictionary:Common Name contains .admin.testdomain.lan"
    But to achieve that, I had to set EAP Type in WinXP to Smart Card or other Certificate, and then no PEAP authentication occurs, which I assume I need for User Authentication? Or is that possible by using Certificates too?
    I just don't know how to do this, so is there a detailed guide out there for this? I would assume that this is something that all administrators using wireless and WinXP would like to achieve.
    Thank you.

    Hello again.
    I found out how to do this now..
    What I needed to do was to add a new Certificate Authentication Profile that checks against Subject Alternative Name, because that was the only thing I could find that was the same in both user certificate and machine certificate.
    After adding that profile to the Identity Store Sequences, and making tthe appropriate rule in the policy, it works.
    You must also remember to change the AuthMode option in Windows XP Registry to "1".
    What I really wanted to do was to use the "Was Machine Authenticated" condition in the policies, but I have never gotten that conditon to work, unfortunately.
    That would have plugged a few security holes for me.

  • SOLMAN 7.0 SPS 17: MOPZ and EWA user authorization

    Hi!
    I installed SOLMAN 7.0 SPS 17 and have multiple solutions within tcode DSWP.
    Now I would like to give a MOPZ and EWA authorization for user x to see content of special solution x within DSWP.
    It should look like:
    User X --> tcode DSWP: Solution X (authorizations for MOPZ, EWA)
    User Y --> tcode DSWP: Soution Y (authorizations for MOPZ, EWA)
    What are the appropriate roles/profiles for this approach? 
    Thank you very much!
    regards

    >
    Holger Thomasson wrote:
    > Hi!
    >
    > I installed SOLMAN 7.0 SPS 17 and have multiple solutions within tcode DSWP.
    >
    > Now I would like to give a MOPZ and EWA authorization for user x to see content of special solution x within DSWP.
    >
    > It should look like:
    > User X --> tcode DSWP: Solution X (authorizations for MOPZ, EWA)
    > User Y --> tcode DSWP: Soution Y (authorizations for MOPZ, EWA)
    >
    > What are the appropriate roles/profiles for this approach? 
    >
    > Thank you very much!
    >
    > regards
    See information in Security Guide, too.
    Please check authorization object D_SOL_VSBL. to restrict display, edit authorization for specific solutions.
    Best regards,
    Ruediger

  • Define and assign user authorization groups in FI

    Hi All,
    In order to allow some specific group of users to post in AUGR allowed periods, how do I define and assign user authorization groups in FI?
    Thanks,
    Teo

    Hi Teo,
    Here i am giving some authorisations in fi
    F_AVIK_BUK FI Payment Advice: Authorization for Company Codes
    F_BKPF_BED FI Accounting Document: Account Authorization for Customers
    F_BKPF_BEK FI Accounting Document: Account Authorization for Vendors
    F_BKPF_BES FI Accounting Document: Account Authorization for G/L Accounts
    F_BKPF_BLA FI Accounting Document: Authorization for Document Types
    F_BKPF_BUK FI Accounting Document: Authorization for Company Codes
    F_BKPF_BUP FI Accounting Document: Authorization for Posting Periods
    F_BKPF_GSB FI Accounting Document: Authorization for Business Areas
    F_BKPF_KOA FI Accounting Document: Authorization for Account Types
    F_BKPF_VW FI Acc. Document: Change/Display Default Vals for Doc.Type/PKey
    F_BL_BANK FI Authorization for House Banks and Payment Methods
    F_BNKA_BUK FI Banks: Authorization for Company Codes
    I hope it will help.
    BR,
    Satya

  • Query to fetch users and User Authorizations

    Hi
    I have a task to retrieve the all users and the authorizations. I am trying to run a query to get the results.
    Inorder to get the users, I use
    select * from OUSR
    But I am stuck with authorizations.
    Can anyone help.
    Thanks in advance.
    MSJ.

    Hi Manoj,
    It is not possible in SAPB1.
    Try to Export to Excel File.
    check the thread,
    Re: Authorisations List
    Regards,
    Madhan.

  • An issue with authentication and authorization on ISE 1.2

    Hi, I'm new to ISE.
    I have an issue with authentication and authorization.
    I have ISE 1.2 plus patch 6 installed on VMware.
    I have built-in Windows XP supplicant and 2960 cisco switch with IOS c2960-lanbasek9-mz.150-2.SE5.bin
    On supplicant I use EAP(PEAP) with EAP-MSCHAP v2.
    I created  authentication and authorization rules with Active Directory  as External Identity Source. Also I applied  authorization profile with DACL.I login on Windows XP machine under different Active Directory accounts. Everything works fine (authentication, authorization ), but only for several hours. After several hours passed , authentication and authorization stop working . I can see that ISE trying authenticate and authorize users, but ISE always use only one account for  authentication and authorization . Even if I login under different accounts ISE continue to use only one last account.
    I traied to reboot switch and PC,but it didn’t help. Only rebooting of ISE helps. After ISE rebooting, authentication and authorization start to work properly for several hours.
    I don’t understand is it a glitch or I misconfigured ISE or switch, supplicant?
    What  should I do to resolve this issue?
    Switch configuration:
     testISE#sh runn
    Building configuration...
    Current configuration : 7103 bytes
    ! Last configuration change at 12:20:15Tue Apr 15 2014
    ! NVRAM config last updated at 10:35:02  Tue Apr 15 2014
    version 15.0
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname testISE
    boot-start-marker
    boot-end-marker
    no logging console
    logging monitor informational
    enable secret 5 ************
    enable password ********
    username radius-test password 0 ********
    username admin privilege 15 secret 5 ******************
    aaa new-model
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa authorization auth-proxy default group radius
    aaa accounting update periodic 5
    aaa accounting dot1x default start-stop group radius
    aaa server radius dynamic-author
     client 172.16.0.90 server-key ********
    aaa session-id common
    clock timezone 4 0
    system mtu routing 1500
    authentication mac-move permit
    ip dhcp snooping vlan 1,22
    ip dhcp snooping
    ip domain-name elauloks
    ip device tracking probe use-svi
    ip device tracking
    epm logging
    crypto pki trustpoint TP-self-signed-1888913408
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-1888913408
     revocation-check none
     rsakeypair TP-self-signed-1888913408
    crypto pki certificate chain TP-self-signed-1888913408
    dot1x system-auth-control
    spanning-tree mode pvst
    spanning-tree extend system-id
    vlan internal allocation policy ascending
    ip ssh version 2
    interface FastEthernet0/5
     switchport mode access
     ip access-group ACL-ALLOW in
     authentication event fail action next-method
     authentication event server dead action reinitialize vlan 1
     authentication event server alive action reinitialize
     authentication host-mode multi-auth
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate server
     authentication violation restrict
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
    interface FastEthernet0/6
     switchport mode access
     ip access-group ACL-ALLOW in
     authentication event fail action next-method
     authentication event server dead action reinitialize vlan 1
     authentication event server alive action reinitialize
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate server
     authentication violation restrict
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
    interface FastEthernet0/7
    interface Vlan1
     ip address 172.16.0.204 255.255.240.0
     no ip route-cache
    ip default-gateway 172.16.0.1
    ip http server
    ip http secure-server
    ip access-list extended ACL-ALLOW
     deny   icmp any host 172.16.0.1
     permit ip any any
    ip radius source-interface Vlan1
    logging origin-id ip
    logging source-interface Vlan1
    logging host 172.16.0.90 transport udp port 20514
    snmp-server community public RO
    snmp-server community ciscoro RO
    snmp-server trap-source Vlan1
    snmp-server source-interface informs Vlan1
    snmp-server enable traps snmp linkdown linkup
    snmp-server enable traps mac-notification change move
    snmp-server host 172.16.0.90 ciscoro
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 6 support-multiple
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server dead-criteria time 5 tries 3
    radius-server vsa send accounting
    radius-server vsa send authentication
    radius server ISE-Alex
     address ipv4 172.16.0.90 auth-port 1812 acct-port 1813
     automate-tester username radius-test idle-time 15
     key ******
    ntp server 172.16.0.1
    ntp server 172.16.0.5
    end

    Yes. Tried that (several times) didn't work.  5 people in my office, all with vers. 6.0.1 couldn't access their gmail accounts.  Kept getting error message that username and password invalid.  Finally solved the issue by using Microsoft Exchange and "m.google.com" as server and domain and that the trick.  Think there is an issue with imap.gmail.com and IOS 6.0.1.  I'm sure the 5 of us suddently experiencing this issue aren't the only ones.  Apple will figure it out.  Thanks.

  • How to get ADF authentication and authorization working on server

    I am having an issue with deployment & ADF authentication and authorization.
    From the below testing results, you can see that I am unable to log in when I have deployed my app to my standalone server with both ADF security authentication and authorization turned on. I have included web.xml, jazn-data.xml and the page/server error I am receiving.
    When making an attempt to log in I get the following results:
    Running Locally with ADF Authentication:                                           Works Fine
    Running Locally with ADF Authentication & Authorization:         Works Fine
    Deployed to server with ADF Authentication:                                    Works Fine
    Deployed to server with ADF Authentication & Authorization:  Doesn’t Work
    What I have already tried: Removed all anonymous grants, using the same database credentials as the app user, deploying app twice (on the redeploy not including the login credentials & app policies at the application properties). Various modifications to web.xml e.g. welcomefilelist etc
    JDeveloper Version: 11.1.2.4
    Server Web Logic: 10.3.6
    Server ADF: 11.1.1.16
    Page Error when trying to log in:
    Error 401--Unauthorized
    From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
    10.4.2 401 Unauthorized
    The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.46) containing a challenge applicable to the requested resource. The client MAY repeat the request with a suitable Authorization header field (section 14.8). If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials. If the 401 response contains the same challenge as the prior response, and the user agent has already attempted authentication at least once, then the user SHOULD be presented the entity that was given in the response, since that entity MAY include relevant diagnostic information. HTTP access authentication is explained in section 11.
    Server error when trying to log in:
    Servlet failed with Exception oracle.adf.controller.security.AuthorizationException: ADFC-0619: Authorization check failed: 'wpd.mobility.view.pageDefs.homePagePageDef' 'VIEW'.
    at oracle.adf.controller.internal.security.AuthorizationEnforcer.handleFailure(AuthorizationEnforcer.java:182)
            at oracle.adf.controller.internal.security.AuthorizationEnforcer.internalCheckPermission(AuthorizationEnforcer.java:162)
            at oracle.adf.controller.internal.security.AuthorizationEnforcer.checkPermission(AuthorizationEnforcer.java:116)
            at oracle.adfinternal.controller.state.ControllerState.checkPermission(ControllerState.java:663)
            at oracle.adfinternal.controller.state.ControllerState.initializeUrl(ControllerState.java:700)
            at oracle.adfinternal.controller.state.ControllerState.synchronizeStatePart2(ControllerState.java:531)
            at oracle.adfinternal.controller.application.SyncNavigationStateListener.afterPhase(SyncNavigationStateListener.java:59)
            at oracle.adfinternal.controller.lifecycle.ADFLifecycleImpl$PagePhaseListenerWrapper.afterPhase(ADFLifecycleImpl.java:530)
            at oracle.adfinternal.controller.lifecycle.LifecycleImpl.internalDispatchAfterEvent(LifecycleImpl.java:120)
            at oracle.adfinternal.controller.lifecycle.LifecycleImpl.dispatchAfterPagePhaseEvent(LifecycleImpl.java:168)
            at oracle.adfinternal.controller.faces.lifecycle.ADFPhaseListener$PhaseInvokerImpl.dispatchAfterPagePhaseEvent(ADFPhaseListener.java:131)
            at oracle.adfinternal.controller.faces.lifecycle.ADFPhaseListener.afterPhase(ADFPhaseListener.java:74)
            at oracle.adfinternal.controller.faces.lifecycle.ADFLifecyclePhaseListener.afterPhase(ADFLifecyclePhaseListener.java:53)
            at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl._executePhase(LifecycleImpl.java:447)
            at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:202)
            at javax.faces.webapp.FacesServlet.service(FacesServlet.java:508)
            at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
            at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
            at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:301)
            at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
            at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
            at oracle.adf.model.servlet.ADFBindingFilter.doFilter(ADFBindingFilter.java:205)
            at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
            at oracle.adfinternal.view.faces.webapp.rich.RegistrationFilter.doFilter(RegistrationFilter.java:125)
            at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl$FilterListChain.doFilter(TrinidadFilterImpl.java:468)
            at oracle.adfinternal.view.faces.activedata.AdsFilter.doFilter(AdsFilter.java:60)
            at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl$FilterListChain.doFilter(TrinidadFilterImpl.java:468)
            at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl._doFilterImpl(TrinidadFilterImpl.java:293)
            at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl.doFilter(TrinidadFilterImpl.java:199)
            at org.apache.myfaces.trinidad.webapp.TrinidadFilter.doFilter(TrinidadFilter.java:92)
            at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
            at oracle.security.jps.ee.http.JpsAbsFilter$1.run(JpsAbsFilter.java:119)
            at java.security.AccessController.doPrivileged(Native Method)
            at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:315)
            at oracle.security.jps.ee.util.JpsPlatformUtil.runJaasMode(JpsPlatformUtil.java:442)
            at oracle.security.jps.ee.http.JpsAbsFilter.runJaasMode(JpsAbsFilter.java:103)
            at oracle.security.jps.ee.http.JpsAbsFilter.doFilter(JpsAbsFilter.java:171)
            at oracle.security.jps.ee.http.JpsFilter.doFilter(JpsFilter.java:71)
            at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
            at weblogic.servlet.internal.RequestEventsFilter.doFilter(RequestEventsFilter.java:27)
            at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
            at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3730)
            at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3696)
            at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
            at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
            at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2273)
            at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2179)
            at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1490)
            at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
            at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
    Web.xml
    <?xml version = '1.0' encoding = 'windows-1252'?>
    <web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
             version="2.5">
      <context-param>
        <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
        <param-value>client</param-value>
      </context-param>
      <context-param>
        <param-name>javax.faces.PARTIAL_STATE_SAVING</param-name>
        <param-value>false</param-value>
      </context-param>
      <context-param>
        <description>If this parameter is true, there will be an automatic check of the modification date of your JSPs, and saved state will be discarded when JSP's change. It will also automatically check if your skinning css files have changed without you having to restart the server. This makes development easier, but adds overhead. For this reason this parameter should be set to false when your application is deployed.</description>
        <param-name>org.apache.myfaces.trinidad.CHECK_FILE_MODIFICATION</param-name>
        <param-value>false</param-value>
      </context-param>
      <context-param>
        <description>Whether the 'Generated by...' comment at the bottom of ADF Faces HTML pages should contain version number information.</description>
        <param-name>oracle.adf.view.rich.versionString.HIDDEN</param-name>
        <param-value>false</param-value>
      </context-param>
      <context-param>
        <description>Security precaution to prevent clickjacking: bust frames if the ancestor window domain(protocol, host, and port) and the frame domain are different. Another options for this parameter are always and never.</description>
        <param-name>org.apache.myfaces.trinidad.security.FRAME_BUSTING</param-name>
        <param-value>differentOrigin</param-value>
      </context-param>
      <context-param>
        <param-name>javax.faces.FACELETS_SKIP_XML_INSTRUCTIONS</param-name>
        <param-value>true</param-value>
      </context-param>
      <context-param>
        <param-name>javax.faces.FACELETS_SKIP_COMMENTS</param-name>
        <param-value>true</param-value>
      </context-param>
      <context-param>
        <param-name>javax.faces.FACELETS_DECORATORS</param-name>
        <param-value>oracle.adfinternal.view.faces.facelets.rich.AdfTagDecorator</param-value>
      </context-param>
      <context-param>
        <param-name>javax.faces.FACELETS_RESOURCE_RESOLVER</param-name>
        <param-value>oracle.adfinternal.view.faces.facelets.rich.AdfFaceletsResourceResolver</param-value>
      </context-param>
      <filter>
        <filter-name>JpsFilter</filter-name>
        <filter-class>oracle.security.jps.ee.http.JpsFilter</filter-class>
      </filter>
      <filter>
        <filter-name>trinidad</filter-name>
        <filter-class>org.apache.myfaces.trinidad.webapp.TrinidadFilter</filter-class>
      </filter>
      <filter>
        <filter-name>adfBindings</filter-name>
        <filter-class>oracle.adf.model.servlet.ADFBindingFilter</filter-class>
      </filter>
      <filter-mapping>
        <filter-name>JpsFilter</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>FORWARD</dispatcher>
        <dispatcher>REQUEST</dispatcher>
        <dispatcher>INCLUDE</dispatcher>
      </filter-mapping>
      <filter-mapping>
        <filter-name>trinidad</filter-name>
        <servlet-name>Faces Servlet</servlet-name>
        <dispatcher>FORWARD</dispatcher>
        <dispatcher>REQUEST</dispatcher>
        <dispatcher>ERROR</dispatcher>
      </filter-mapping>
      <filter-mapping>
        <filter-name>adfBindings</filter-name>
        <servlet-name>Faces Servlet</servlet-name>
        <dispatcher>FORWARD</dispatcher>
        <dispatcher>REQUEST</dispatcher>
      </filter-mapping>
      <filter-mapping>
        <filter-name>adfBindings</filter-name>
        <servlet-name>adfAuthentication</servlet-name>
        <dispatcher>FORWARD</dispatcher>
        <dispatcher>REQUEST</dispatcher>
      </filter-mapping>
      <listener>
        <listener-class>oracle.adf.mbean.share.connection.ADFConnectionLifeCycleCallBack</listener-class>
      </listener>
      <listener>
        <listener-class>oracle.adf.mbean.share.config.ADFConfigLifeCycleCallBack</listener-class>
      </listener>
      <listener>
        <listener-class>oracle.bc4j.mbean.BC4JConfigLifeCycleCallBack</listener-class>
      </listener>
      <servlet>
        <servlet-name>Faces Servlet</servlet-name>
        <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
      </servlet>
      <servlet>
        <servlet-name>resources</servlet-name>
        <servlet-class>org.apache.myfaces.trinidad.webapp.ResourceServlet</servlet-class>
      </servlet>
      <servlet>
        <servlet-name>BIGRAPHSERVLET</servlet-name>
        <servlet-class>oracle.adf.view.faces.bi.webapp.GraphServlet</servlet-class>
      </servlet>
      <servlet>
        <servlet-name>BIGAUGESERVLET</servlet-name>
        <servlet-class>oracle.adf.view.faces.bi.webapp.GaugeServlet</servlet-class>
      </servlet>
      <servlet>
        <servlet-name>MapProxyServlet</servlet-name>
        <servlet-class>oracle.adf.view.faces.bi.webapp.MapProxyServlet</servlet-class>
      </servlet>
      <servlet>
        <servlet-name>adfAuthentication</servlet-name>
        <servlet-class>oracle.adf.share.security.authentication.AuthenticationServlet</servlet-class>
        <init-param>
          <param-name>success_url</param-name>
          <param-value>/faces/Pages/homePage.jspx</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
      </servlet>
      <servlet-mapping>
        <servlet-name>Faces Servlet</servlet-name>
        <url-pattern>/faces/*</url-pattern>
      </servlet-mapping>
      <servlet-mapping>
        <servlet-name>resources</servlet-name>
        <url-pattern>/adf/*</url-pattern>
      </servlet-mapping>
      <servlet-mapping>
        <servlet-name>resources</servlet-name>
        <url-pattern>/afr/*</url-pattern>
      </servlet-mapping>
      <servlet-mapping>
        <servlet-name>BIGRAPHSERVLET</servlet-name>
        <url-pattern>/servlet/GraphServlet/*</url-pattern>
      </servlet-mapping>
      <servlet-mapping>
        <servlet-name>BIGAUGESERVLET</servlet-name>
        <url-pattern>/servlet/GaugeServlet/*</url-pattern>
      </servlet-mapping>
      <servlet-mapping>
        <servlet-name>MapProxyServlet</servlet-name>
        <url-pattern>/mapproxy/*</url-pattern>
      </servlet-mapping>
      <servlet-mapping>
        <servlet-name>resources</servlet-name>
        <url-pattern>/bi/*</url-pattern>
      </servlet-mapping>
      <servlet-mapping>
        <servlet-name>adfAuthentication</servlet-name>
        <url-pattern>/adfAuthentication</url-pattern>
      </servlet-mapping>
      <mime-mapping>
        <extension>swf</extension>
        <mime-type>application/x-shockwave-flash</mime-type>
      </mime-mapping>
      <mime-mapping>
        <extension>amf</extension>
        <mime-type>application/x-amf</mime-type>
      </mime-mapping>
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>test</web-resource-name>
          <url-pattern>/faces/pages/*.</url-pattern>
          <url-pattern>/faces/*.</url-pattern>
        </web-resource-collection>
        <auth-constraint>
          <role-name>valid-users</role-name>
        </auth-constraint>
      </security-constraint>
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>adfAuthentication</web-resource-name>
          <url-pattern>/adfAuthentication</url-pattern>
        </web-resource-collection>
        <auth-constraint>
          <role-name>valid-users</role-name>
        </auth-constraint>
      </security-constraint>
      <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
          <form-login-page>/login.html</form-login-page>
          <form-error-page>/error.html</form-error-page>
        </form-login-config>
      </login-config>
      <security-role>
        <role-name>valid-users</role-name>
      </security-role>
    </web-app>
    Jazn-data.xml
    <?xml version = '1.0' encoding = 'UTF-8' standalone = 'yes'?>
    <jazn-data xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xsi:noNamespaceSchemaLocation="http://xmlns.oracle.com/oracleas/schema/jazn-data.xsd">
      <jazn-realm default="jazn.com">
        <realm>
          <name>jazn.com</name>
          <users>
            <user>
              <name>*****</name>
              <display-name>*******</display-name>
              <description>******</description>
              <credentials>********<credentials>
            </user>
          </users>
          <roles>
            <role>
              <name>support</name>
              <display-name>support</display-name>
              <members>
                <member>
                  <type>user</type>
                  <name>mobile</name>
                </member>
              </members>
            </role>
          </roles>
        </realm>
      </jazn-realm>
      <policy-store>
        <applications>
          <application>
            <name> myapp </name>
            <app-roles>
              <app-role>
                <name>mob_mobile_support</name>
                <class>oracle.security.jps.service.policystore.ApplicationRole</class>
                <display-name>mob_mobile_support</display-name>
                <description>support role</description>
                <members>
                  <member>
                    <name>mobile</name>
                    <class>oracle.security.jps.internal.core.principals.JpsXmlUserImpl</class>
                  </member>
                </members>
              </app-role>
            </app-roles>
            <jazn-policy>
              <grant>
                <grantee>
                  <principals>
                    <principal>
                      <name>SUPPORT</name>
                      <class>oracle.security.jps.internal.core.principals.JpsXmlEnterpriseRoleImpl</class>
                    </principal>
                  </principals>
                </grantee>
                <permissions>
                  <permission>
                    <class>oracle.adf.share.security.authorization.RegionPermission</class>
                    <name> myapp.view.pageDefs.*</name>
                    <actions>view</actions>
                  </permission>
                </permissions>
              </grant>
              <grant>
                <grantee>
                  <principals>
                    <principal>
                      <name>mob_mobile_support</name>
                      <class>oracle.security.jps.service.policystore.ApplicationRole</class>
                    </principal>
                  </principals>
                </grantee>
                <permissions>
                  <permission>
                    <class>oracle.adf.share.security.authorization.RegionPermission</class>
                    <name> myapp.view.pageDefs.addapplicationPageDef</name>
                    <actions>view</actions>
                  </permission>
                  <permission>
                    <class>oracle.adf.share.security.authorization.RegionPermission</class>
                    <name>Pages.addappmsgtypPageDef</name>
                    <actions>view</actions>
                  </permission>
                  <permission>
                    <class>oracle.adf.share.security.authorization.RegionPermission</class>
                    <name>Pages.addoperationPageDef</name>
                    <actions>view</actions>
                  </permission>
                  <permission>
                    <class>oracle.adf.share.security.authorization.RegionPermission</class>
                    <name> myapp.view.pageDefs.homePagePageDef</name>
                    <actions>view</actions>
                  </permission>
                  <permission>
                    <class>oracle.adf.share.security.authorization.RegionPermission</class>
                    <name> myapp.view.pageDefs.loggingSearchPageDef</name>
                    <actions>view</actions>
                  </permission>
                  <permission>
                    <class>oracle.adf.share.security.authorization.RegionPermission</class>
                    <name>myapp.view.pageDefs.workHistoryPageDef</name>
                    <actions>view</actions>
                  </permission>
                </permissions>
              </grant>
            </jazn-policy>
          </application>
        </applications>
      </policy-store>
    </jazn-data>

    Read Frank's article http://www.oracle.com/technetwork/issue-archive/2012/12-jan/o12adf-1364748.html
    Then you have to check if the user use use to login are defined in the stand alone server. If you server is running in production mode there is no automatic user or role migration. You have to to this by yourself.
    Once you have check that the users are present, you have to check if the enterprise roles are mapped to the corresponding application roles.
    Timo

  • Authentication and Authorization question.

    Hi All,
    I require your help in getting validated my understanding on Authentication and Authorization. This is wrt to WebLogic Server and WebLogic Portal.
    Authentication.
    1. The custom authentication provider can authenticate(user and group) against any datastore(LDAP OR DB). The LoginModule is a kind of blockbox and it can return true/false depending on authentication.
    2. The end result of this process is true/false.
    Authorization.
    1. The custom authorization providers can authorize the authenticated user based on role. All these entities ie(user,group,role) can be either in LDAP OR DB.
    2. The end result of this process is true/false.
    Role mapping.
    1. The custom role mapper can put all the roles that a user belongs and returns all Role. This can happen agaist LDAP OR DB.
    2. The end result is list of roles for a user.
    Security policy configuration.
    Is it mandatory that a user/group/role should be existing in WebLogic Server LDAP server(OR Portal LDAP server) to create these policies and authorization rules. What i mean by is that can user,group,role can exist in application specific database and still can be used for creatiing security policies??
    Thanks,
    Prashanth Bhat.

    The Security Providers are useful/can be used for developing a standard j2ee application , which will be deployed as standard j2ee application.
    The DA means Delegated Administrator, which is way how portal components are restricted to different types of administrators.
    The VE means Visitor Entitlemens, which is way how portal components are restricted to end users.
    My question is whether thess(DAs and VEs) can also be put
    our datastore for access rights??
    Thanks,
    Prashanth Bhat.

Maybe you are looking for

  • Been stuck for over  a year, please help me do this

    so i have this laptop with 8gb ram and core i7 as well as 2 hdd (no raid). Now i heard about premiere (cs4) and my laptop is ready to take most of the advantage but the hard drive is the bootleneck. Basically, all i want is to do few cuts in a video

  • Dock mail icon problem

    The Mail dock icon always shows there are 7 unread messages in my inbox, when there are none. When there are some, their number is added to 7. This developed after I migrated the contents of my drive to my new computer. How can I get rid of the omnip

  • LR 5.6 and new Nikon D750, import of NEF files, is not working!!

    Hello, i have lightroom 5.6 and brandnew a Nikon D750 DSLR. But! I can´t import the .NEF (RAW) files from the camera. Whast do i need? I have read, that the camera is to new for LR? When does the plug in is coming out?

  • Short turntime on i7 iMac

    Ordered new iMac i7 on Feb 27, and received it on Mar 1st. Thought that was amazing timing. Plan to have Apple store transfer data, etc. I am one of those that has been waiting until some of the issues have been resolved on this model. Hoping all wil

  • Sporadic Disconnect to AppleTV

    Just wondering if anyone is having a similar issue with AirPlay and AppleTV. Once in a while, I'll lose connectivity from my iPad to my AppleTV via AirPlay. In other words, I lose the AirPlay icon so I cannot stream any media to AppleTV. However, I s