What is so special about the "ticket" login module stack?

G'day,
I am observing some odd behaviour with login module stacks.
I have a custom login module that performs authentication using information in the HTTP servlet request. This custom login module does not require any interaction from the user. I want to use this custom login module when I authenticate to the portal.
By default, the portal uses an authentication scheme known as "uidpwdlogon", which uses the "ticket" login module stack, which is configured to perform basic password login. When I attempt to access the portal I am presented with a username/password page and I need to enter a username and password, hit the "submit" button, and access to the portal is granted.
So I replaced the BasicPasswordLoginModule entry in the "ticket" login module stack with my custom login module, and now access to the portal is granted automatically, as expected. There is no username/password page displayed.
But if I create a new login module stack that contains exactly the same modules as "ticket" login module stack, and modify the "uidpwdlogon" authentication scheme to use my new login module stack instead of the "ticket" login module stack, then something odd occurs: I am now presented with a username/password page again. I need to hit the "submit" button to navigate away from this page before the custom login module stack will process, which will then grant access to the portal.
If I change the "uidpwdlogon" authentication scheme back to use the "ticket" login module stack (which is exactly the same as the previous login module stack), then access to the portal is granted automatically without showing a username/password page.
So: if the (modified) "ticket" login module stack is used, there's no username/password page shown. If a copy of that login module stack is used, then a username/password page is shown.
What's going on here?

G'day,
Thanks for the reply.
The relevant parts of the authschemes.xml file are as follows:
        <authscheme name="uidpwdlogon">
            <authentication-template>myloginstack</authentication-template>
            <priority>21</priority>
            <frontendtype>2</frontendtype>
            <frontendtarget>com.sap.portal.runtime.logon.certlogon</frontendtarget>
        </authscheme>
        <authscheme-ref name="default">
            <authscheme>uidpwdlogon</authscheme>
        </authscheme-ref>
        <authscheme-ref name="UserAdminScheme">
            <authscheme>uidpwdlogon</authscheme>
        </authscheme-ref>
Note that I have changed the uidpwdlogon element to use "myloginstack" instead of "ticket", and changed the priority from 20 to 21, as suggested (but it should be noted that the outcome is the same regardless of priority).
The "ticket" login module stack is defined as follows:
  EvaluateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
  MyLoginModule REQUISITE {...}
  CreateTicketLoginModule OPTIONAL {ume.configuration.active=true}
and the "myloginstack" is defined identically as follows:
  EvaluateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
  MyLoginModule REQUISITE {...}
  CreateTicketLoginModule OPTIONAL {ume.configuration.active=true}
When the "uidpwdlogon" authentication scheme is configured to use the "myloginstack" login module stack, the browser immediately opens up the normal username/password page. I wait for a few minutes (for logging reasons), then hit submit, and access to the portal is granted.
The log output for this is as follows:
Message : LOGIN.FAILED
User: N/A
Authentication Stack: myloginstack
Login Module                                                            Flag        Initialize  Login      Commit     Abort      Details
com.sap.security.core.server.jaas.EvaluateTicketLoginModule             SUFFICIENT  ok          false                 true      
MyLoginModule                                                           REQUISITE   ok          exception             true       Further authentication required from client
com.sap.security.core.server.jaas.CreateTicketLoginModule               OPTIONAL    ok                                true      
Message : LOGIN.OK
User: testuser
Authentication Stack: myloginstack
Login Module                                                            Flag        Initialize  Login      Commit     Abort      Details
com.sap.security.core.server.jaas.EvaluateTicketLoginModule             SUFFICIENT  ok          false      false                
MyLoginModule                                                           REQUISITE   ok          true       true                 
com.sap.security.core.server.jaas.CreateTicketLoginModule               OPTIONAL    ok          true       true                 
Central Checks                                                                                true                 
There are two login stack events because the first login stack event asks the browser to pass along authentication data, which is processed in the second login stack event.
Also note that the time of the first login module event is a few minutes after the username/password page appears, suggesting that the portal is attempting to obtain information before it processes the login module stack.
If I change the "uidpwdlogon" authentication scheme to use the "ticket" login module stack, then no username/password page appears and the security log is essentially identical to that of "myloginstack":
Message : LOGIN.FAILED
User: N/A
Authentication Stack: ticket
Login Module                                                            Flag        Initialize  Login      Commit     Abort      Details
com.sap.security.core.server.jaas.EvaluateTicketLoginModule             SUFFICIENT  ok          false                 true      
MyLoginModule                                                           REQUISITE   ok          exception             true       Further authentication required from client
com.sap.security.core.server.jaas.CreateTicketLoginModule               OPTIONAL    ok                                true      
Message : LOGIN.OK
User: testuser
Authentication Stack: ticket
Login Module                                                            Flag        Initialize  Login      Commit     Abort      Details
com.sap.security.core.server.jaas.EvaluateTicketLoginModule             SUFFICIENT  ok          false      false                
MyLoginModule                                                           REQUISITE   ok          true       true                 
com.sap.security.core.server.jaas.CreateTicketLoginModule               OPTIONAL    ok          true       true                 
Central Checks                                                                                true                 
I am creating the "myloginstack" login module stack using the Visual Administrator tool, by clicking the "Add" button for the "Policy Configurations" tab of the SecurityProvider service. Note that when I do this the entry for "myloginstack" gets a diamond icon, while the entry for "ticket" has a different icon (resembling a graph). I do not know what these different icons beside each policy configuration imply (is "ticket" different to "myloginstack" somehow?) nor how to create a new policy configuration that will have a different icon.
I assume the username/password page is shown because the <frontendtarget> element in the "uidpwdlogon" authentication scheme is defined to use "com.sap.portal.runtime.logon.certlogon". Perhaps there is another value I can use here that displays nothing and redirects the browser directly to the portal?
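For anyone triaging security logs like the ones in this post, here is an added example (not part of the original post) that separates the benign "Further authentication required from client" round trip from a genuine LOGIN.FAILED. The sample log is constructed from rows quoted on this page with shortened padding; the function names are hypothetical, and because the log shows no client identifier, events are paired only by adjacency within the same authentication stack.

```python
import re

# Constructed sample, assembled from log rows quoted on this page (padding
# shortened). The last event is invented to show an unanswered challenge.
SAMPLE_LOG = """\
Message : LOGIN.FAILED
User: N/A
Authentication Stack: myloginstack
Login Module                 Flag        Initialize  Login      Commit     Abort      Details
EvaluateTicketLoginModule    SUFFICIENT  ok          false                 true
MyLoginModule                REQUISITE   ok          exception             true       Further authentication required from client
CreateTicketLoginModule      OPTIONAL    ok                                true
Message : LOGIN.OK
User: testuser
Authentication Stack: myloginstack
Login Module                 Flag        Initialize  Login      Commit     Abort      Details
EvaluateTicketLoginModule    SUFFICIENT  ok          false      false
MyLoginModule                REQUISITE   ok          true       true
CreateTicketLoginModule      OPTIONAL    ok          true       true
Central Checks                                                  true
Message : LOGIN.FAILED
User: Administrator
Authentication Stack: mystack
Login Module                 Flag        Initialize  Login      Commit     Abort      Details
EvaluateTicketLoginModule    SUFFICIENT  ok          exception  false      true       authscheme not sufficient: basicauthentication<mylogonform
Message : LOGIN.FAILED
User: N/A
Authentication Stack: myloginstack
Login Module                 Flag        Initialize  Login      Commit     Abort      Details
MyLoginModule                REQUISITE   ok          exception             true       Further authentication required from client
"""

STATUS_WORDS = {"ok", "true", "false", "exception"}
CHALLENGE_TEXT = "Further authentication required from client"
# A module row is "<class> <JAAS flag> <status cells...> [details]".
ROW = re.compile(r"^\s*(\S+)\s+(REQUIRED|REQUISITE|SUFFICIENT|OPTIONAL)\b(.*)$")


def parse_events(text):
    """Split the log into events and collect each module's Details text."""
    events = []
    for line in text.splitlines():
        start = re.match(r"^\s*Message\s*:\s*(\S+)", line)
        if start:
            events.append({"message": start.group(1), "user": None,
                           "stack": None, "details": []})
            continue
        if not events:
            continue
        cur = events[-1]
        stripped = line.strip()
        if stripped.startswith("User:"):
            cur["user"] = stripped.split(":", 1)[1].strip()
        elif stripped.startswith("Authentication Stack:"):
            cur["stack"] = stripped.split(":", 1)[1].strip()
        else:
            row = ROW.match(line)
            if row:
                # Cells are separated by two or more spaces; a trailing cell
                # that is not a status word is the free-text Details column.
                cells = re.split(r"\s{2,}", row.group(3).strip())
                if cells[-1] and cells[-1] not in STATUS_WORDS:
                    cur["details"].append((row.group(1), cells[-1]))
    return events


def classify(text):
    """Return one verdict per event: ok, handshake, unanswered-challenge, failure."""
    events = parse_events(text)
    verdicts = []
    for i, ev in enumerate(events):
        if ev["message"] == "LOGIN.OK":
            verdict = "ok"
        elif ev["message"] == "LOGIN.FAILED":
            challenged = any(CHALLENGE_TEXT in d for _, d in ev["details"])
            # Next event on the same stack (adjacency pairing, see lead-in).
            nxt = next((e for e in events[i + 1:] if e["stack"] == ev["stack"]), None)
            if challenged and nxt is not None and nxt["message"] == "LOGIN.OK":
                verdict = "handshake"
            elif challenged:
                verdict = "unanswered-challenge"
            else:
                verdict = "failure"
        else:
            verdict = "other"
        verdicts.append((ev["stack"], ev["user"], verdict))
    return verdicts


if __name__ == "__main__":
    for stack, user, verdict in classify(SAMPLE_LOG):
        print(f"{stack:14} {user:14} {verdict}")
```

Only the "failure" and "unanswered-challenge" verdicts are worth alerting on; counting every LOGIN.FAILED would flag each successful automatic logon once.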

Similar Messages

  • What is so special about the "Hot Towel" project template?

    I think one could already have build single page applications back in 2003 with classic ASP.NET.

    Hi galien82,
    Do you mean that you use the VS2003 or the VS2013?
    Actually it is the asp.net issue like this document:
    http://www.asp.net/single-page-application/overview/templates/hottowel-template
    I suggest you post this issue to the ASP.net forum:
    http://forums.asp.net
    I get the extension tool for VS2012 and VS2013 if you mean that it is the VS2013. You know that the VS2003 is really old, we don’t support this product now.
    http://visualstudiogallery.msdn.microsoft.com/1eb8780d-d522-4dcf-bf56-56f0eab305c2
    http://visualstudiogallery.msdn.microsoft.com/1f68fbe8-b4e9-4968-9fd3-ddc7cbc52dca
    Best Regards,

  • Portal authentication using two login module stacks?

    G'day,
    I am noticing something odd when I authenticate to the portal: there are two login module stacks used.
    Background: I have created a custom logon page, which is basically a form with username/password input as per this guide (Changing the logon screen: http://help.sap.com/saphelp_nw04/helpdata/en/62/601e1eebf54ca6a97e2873c8c63517/content.htm). I then modified the authschemes.xml file by defining a new authscheme "mylogon" that uses my own login module stack ("mystack") and uses the new logon page ("mylogonform"). This new authscheme is then made the default reference:
    <authscheme name="mylogon">
      <authentication-template>mystack</authentication-template>
      <priority>21</priority>
      <frontendtype>2</frontendtype>
      <frontendtarget>com.foo.bar.mylogonpage</frontendtarget>
    </authscheme>
    <authscheme-refs>
      <authscheme-ref name="default"><authscheme>mylogon</authscheme></authscheme-ref>
      <authscheme-ref name="UserAdminScheme"><authscheme>mylogon</authscheme></authscheme-ref>
    </authscheme-refs>
    When I want to access the portal, up pops the "mylogonform" page, and on clicking the "submit" button the portal page for the user is shown.
    Now here is the interesting thing: when the "ticket" login module stack is unchanged (i.e. it uses the BasicPasswordLoginModule), then the log shows that authentication to the portal uses just my login module.
    This can be seen as follows, where I navigate to the portal, logon as one user, then logoff and logon as another user:
    Message : LOGIN.OK
    User: tu-1
    Authentication Stack: mystack
    Message : LOGOUT.OK
    User: tu-1
    Authentication Stack: mystack
    Message : LOGIN.OK
    User: Administrator
    Authentication Stack: mystack
    The "mylogonform" page is shown when logon is required in both cases.
    However, if I modify the "ticket" login module stack by replacing the BasicPasswordLoginModule with a custom logon module that does automatic authentication, then the following is observed when the "mylogonform" page is displayed:
    Message : LOGIN.FAILED
    User: N/A
    Authentication Stack: ticket
    Message : LOGIN.OK
    User: tu-1
    Authentication Stack: ticket
    For some reason, the modified "ticket" login module stack is now being executed, which was not the case when this login module stack was unmodified.
    This stack automatically authenticates the current user (the initial failure is because the new login module asks the browser to send authentication data), and this "failure" causes the logon form to be displayed.
    I can logon to the portal as the same user, and the logs show that "mystack" login module stack is used:
    Message : LOGIN.OK
    User: tu-1
    Authentication Stack: mystack
    Logoff shows that "mystack" is used for the actual logoff, but "ticket" is called again automatically and succeeds:
    Message : LOGOUT.OK
    User: tu-1
    Authentication Stack: mystack
    Message : LOGIN.FAILED
    User: N/A
    Authentication Stack: ticket
    Message : LOGIN.OK
    User: tu-1
    Authentication Stack: ticket
    (Again, the initial logon failure is the new login module requesting that the browser send authentication data in the next request).
    This brings up the "mylogonform" page, even though it appears that a user has already been authenticated. If I try to logon as another user, the following is shown:
    Message : LOGIN.FAILED
    User: Administrator
    Authentication Stack: mystack
    Login Module                                                            Flag        Initialize  Login      Commit     Abort      Details
    com.sap.security.core.server.jaas.EvaluateTicketLoginModule             SUFFICIENT  ok          exception  false      true       authscheme not sufficient: basicauthentication<mylogonform
    Central Checks                                                                                exception             Call logout before login.
    I guess one cannot authenticate as a new user until the current user has been logged out.
    So ... why does the "ticket" login module get called in the second case, but not in the first case (or only shows logging in the second case) ?
    What is the logic behind portal authentication and showing a logon page?
    If I want to use custom authentication and a custom logon page, why is the "ticket" stack called at all?

    Jayesh,
    there is no such thing as "login module stacks". There do exist, on the other hand:
    - login module
    - logon stacks
    Login module and logon stacks are part of the JAAS concept for defining a complex pluggable authentication scheme, originally by SUN (see: java.sun.com/products/jaas)
    A logon process is defined by a logon stack which itself consists of several login modules. Each login module performs an authentication step. Example:
    login module 1: check if valid sap logon ticket provided
    if module 1 fails: then login module 2: request user id/password
    if module 2 succeeds: then login module 3: create new sap logon ticket for user
    You can define multiple logon stacks and configure individual applications to use the one stack or the other.
    The logon stack configuration is done using visual administrator. Here select the security provider service for configuring logon stacks.
    btw: As logon stacks are "java-only", there are no transaction names (which only exist on Web AS ABAP).
    Regards,
    Dominik
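The stack walk described above, applied to the three-module stack quoted in the first thread on this page, as an added example that is not part of any post here. It models the standard JAAS control-flag rules (REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL) in Python; the three module functions are hypothetical stand-ins, not SAP's implementations, and the `state` dictionary plays the role of the request plus shared state.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


class LoginException(Exception):
    """Stand-in for javax.security.auth.login.LoginException."""


@dataclass
class Entry:
    name: str
    flag: str                       # REQUIRED | REQUISITE | SUFFICIENT | OPTIONAL
    login: Callable[[Dict], bool]   # True = succeeded, False = ignore me, raise = failed


def run_stack(stack: List[Entry], state: Dict) -> Tuple[bool, List[Tuple[str, str]]]:
    """Run the login phase; return (authenticated, [(module, login result)]).

    An empty result string means login() was never called on that module,
    which is what a blank Login cell in the log tables corresponds to.
    """
    trace: List[Tuple[str, str]] = []
    required_error = False
    any_success = False
    for i, entry in enumerate(stack):
        skipped = [(e.name, "") for e in stack[i + 1:]]
        try:
            result = entry.login(state)
        except LoginException:
            trace.append((entry.name, "exception"))
            if entry.flag == "REQUISITE":
                return False, trace + skipped    # fail and stop immediately
            if entry.flag == "REQUIRED":
                required_error = True            # fail, but keep walking
            continue                             # SUFFICIENT/OPTIONAL: keep walking
        trace.append((entry.name, "true" if result else "false"))
        if result:
            if entry.flag == "SUFFICIENT" and not required_error:
                return True, trace + skipped     # succeed and stop immediately
            any_success = True
    # All REQUIRED/REQUISITE modules passed; at least one module must succeed.
    return (any_success and not required_error), trace


# Hypothetical module behaviour, chosen to match the log rows on this page.
def evaluate_ticket(state: Dict) -> bool:
    return state.get("ticket") == "valid"        # no ticket: module is ignored


def my_login_module(state: Dict) -> bool:
    if "auth_data" not in state:
        raise LoginException("Further authentication required from client")
    state["user"] = state["auth_data"]           # identity established
    return True


def create_ticket(state: Dict) -> bool:
    return "user" in state                       # only issue a ticket for a known user


PAGE_STACK = [
    Entry("EvaluateTicketLoginModule", "SUFFICIENT", evaluate_ticket),
    Entry("MyLoginModule", "REQUISITE", my_login_module),
    Entry("CreateTicketLoginModule", "OPTIONAL", create_ticket),
]

if __name__ == "__main__":
    for label, state in [("first request", {}),
                         ("client sends auth data", {"auth_data": "testuser"}),
                         ("valid ticket present", {"ticket": "valid"})]:
        ok, trace = run_stack(PAGE_STACK, state)
        print(label, "->", "LOGIN.OK" if ok else "LOGIN.FAILED", trace)
```

The first two cases reproduce the LOGIN.FAILED / LOGIN.OK pair in the logs: the REQUISITE failure ends the walk before CreateTicketLoginModule runs, and the third case shows a valid ticket short-circuiting the stack at the SUFFICIENT module.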

  • Oracle Security : what do you think about the following policy violation ?

    If you install OEM10, you will be able to see if you violate some security guidelines :
    Interesting is revoking UTL_FILE from public, which is critical. Also revoke UTL_TCP and UTL_SMTP. This is going to upset an expert I know...
    Take care about the failed login attempts. If you set it to 10 to the default profile, and if your DBSNMP password is NOT the default password, then Oracle will lock your account after node discovery!
    In Solaris, you can disable execution of the user stack with the system parameters
    set noexec_user_stack=1
    set noexec_user_stack_log=1
    I did not find how to do it on AIX. However, those settings may have side effects.
    About the ports, it complains about open ports, even if this is the port oracle listener is using! Simply ignore most of the violations there.
    About JAccelerator (NCOMP), it is located on the "companion" CD.
    Ok, Waiting for your feedback
    Regards
    Laurent
    [High]      Critical Patch Advisories for Oracle Homes     Configuration     Host     Checks Oracle Homes for missing critical patches          
    [High]      Insufficient Number of Control Files     Configuration     Database     Checks for use of a single control file          
    [High]      Open ports     Security     Host     Check for open ports          
    [High]      Remote OS role     Security     Database     Check for insecure authentication of remote users (remote OS role)          
    [High]      EXECUTE UTL_FILE privileges to PUBLIC     Security     Database     Test for PUBLIC having EXECUTE privilege on the UTIL_FILE package          
    [High]      Listener direct administration     Security     Listener     Ensure that listeners cannot be administered directly          
    [High]      Remote OS authentication     Security     Database     Check for insecure authentication of remote users (remote OS authentication)          
    [High]      Listener password     Security     Listener     Test for password-protected listeners          
    [High]      HTTP Server Access Logging     Security     HTTP Server     Check that HTTP Server access logging is enabled          
    [High]      Web Cache Access Logging     Security     Web Cache     Check that Web Cache access logging is enabled          
    [High]      Web Cache Dummy wallet     Security     Web Cache     Check that dummy wallet is not used for production SSL load.          
    [High]      HTTP Server Dummy wallet     Security     HTTP Server     Check that dummy wallet is not used for production SSL load.          
    [High]      Web Cache owner and setuid bit'     Security     Web Cache     Check that webcached binary is not owned by root and setuid is not set          
    [High]      HTTP Server Owner and setuid bit     Security     HTTP Server     Check the httpd binary is not owned by root and setuid bit is not set.          
    [High]      HTTP Server Directory Indexing     Security     HTTP Server     Check that Directory Indexing is disabled on this HTTP Server          
    [High]      Insufficient Redo Log Size     Storage     Database     Checks for redo log files less than 1 Mb          
    [Medium]      Insufficient Number of Redo Logs     Configuration     Database     Checks for use of less than three redo logs          
    [Medium]      Invalid Objects     Objects     Database     Checks for invalid objects          
    [Medium]      Insecure services     Security     Host     Check for insecure services          
    [Medium]      DBSNMP privileges     Security     Database     Check that DBSNMP account has sufficient privileges to conduct all security tests          
    [Medium]      Remote password file     Security     Database     Check for insecure authentication of remote users (remote password file)          
    [Medium]      Default passwords     Security     Database     Test for known accounts having default passwords          
    [Medium]      Unlimited login attempts     Security     Database     Check for limits on the number of failed logging attempts          
    [Medium]      Web Cache Writable files     Security     Web Cache     Check that there are no group or world writable files in the Document Root directory.          
    [Medium]      HTTP Server Writable files     Security     HTTP Server     Check that there are no group or world writable files in the Document Root directory          
    [Medium]      Excessive PUBLIC EXECUTE privileges     Security     Database     Check for PUBLIC having EXECUTE privileges on powerful packages          
    [Medium]      SYSTEM privileges to PUBLIC     Security     Database     Check for SYSTEM privileges granted to PUBLIC          
    [Medium]      Well-known accounts     Security     Database     Test for accessibility of well-known accounts          
    [Medium]      Execute Stack     Security     Host     Check for OS config parameter which enables execution of code on the user stack          
    [Medium]      Use of Unlimited Autoextension     Storage     Database     Checks for tablespaces with at least one datafile whose size is unlimited          
    [Informational]      Force Logging Disabled     Configuration     Database     When Data Guard Broker is being used, checks primary database for disabled force logging          
    [Informational]      Not Using Spfile     Configuration     Database     Checks for spfile not being used          
    [Informational]      Use of Non-Standard Initialization Parameters     Configuration     Database     Checks for use of non-standard initialization parameters          
    [Informational]      Flash Recovery Area Location Not Set     Configuration     Database     Checks for flash recovery area not set          
    [Informational]      Installation of JAccelerator (NCOMP)     Installation     Database     Checks for installation of JAccelerator (NCOMP) that improves Java Virtual Machine performance by running natively compiled (NCOMP) classes          
    [Informational]      Listener logging status     Security     Listener     Test for logging status of listener instances          
    [Informational]      Non-uniform Default Extent Size     Storage     Database     Checks for tablespaces with non-uniform default extent size          
    [Informational]      Not Using Undo Space Management     Storage     Database     Checks for undo space management not being used          
    [Informational]      Users with Permanent Tablespace as Temporary Tablespace     Storage     Database     Checks for users using a permanent tablespace as the temporary tablespace          
    [Informational]      Rollback in SYSTEM Tablespace     Storage     Database     Checks for rollback segments in SYSTEM tablespace          
    [Informational]      Non-System Data Segments in System Tablespaces     Storage     Database     Checks for data segments owned by non-system users located in tablespaces SYSTEM and SYSAUX          
    [Informational]      Users with System Tablespace as Default Tablespace     Storage     Database     Checks for non-system users using SYSTEM or SYSAUX as the default tablespace          
    [Informational]      Dictionary Managed Tablespaces     Storage     Database     Checks for dictionary managed tablespaces (other than SYSTEM and SYSAUX)          
    [Informational]      Tablespaces Containing Rollback and Data Segments     Storage     Database     Checks for tablespaces containing both rollback (other than SYSTEM) and data segments          
    [Informational]      Segments with Extent Growth Policy Violation     Storage     Database     Checks for segments in dictionary managed tablespaces (other than SYSTEM and SYSAUX) having irregular extent sizes and/or non-zero Percent Increase settings

    "Interesting is revoking UTL_FILE from public, which is critical. Also revoke UTL_TCP and UTL_SMTP. This is going to upset an expert I know..."
    Okay, as this is (I think) aimed at me, I'll fall for it ;)
    What is the point of revoking UTL_FILE from PUBLIC? Yes I know what you think the point is, but without rights on an Oracle DIRECTORY being able to execute UTL_FILE is useless. Unless of course you're still using the init.ora parameter
    UTL_FILE_DIR=*
    which I sincerely hope you're not.
    As for UTL_SMTP and UTL_TCP, I think whether a program is allowed to send e-mail to a given SMTP server is really in the remit of the e-mail administrator rather than the DBA.
    Look, DBAs are kings of their realm and can set their own rules. The rest of us have to live with them. A couple of years ago I worked a project where I was not allowed access to the USER_DUMP_DEST directory. So every time I generated a TRC file I had to phone up the DBA and a couple of hours later I got an e-mail with an attachment. Secure yes, but not very productive when I was trying to debug a Row Level Security implementation.
    I have worked on both sides of the DBA/Developer fence and I understand both sides of the argument. I think it is important for developers to document all the privileges necessary to make their app run. Maybe you don't have a better way of doing that than revoking privileges from PUBLIC. Or maybe you just want to generate additional communication with developers. That's fine. I know sometimes even DBAs get lonely.
    Cheers, APC

  • What is so "Pro" about the MacBook Pro?

    "Pro" is short for professional and the Apple brand has been synonymous with creative professionals for at least 20 years... I know, as I am one of them.
    Now, the MAC PRO (tower) is no doubt, a professional grade machine. With 4 hard drives, 2 DVD drives, 4 expansion bays, 5 USB ports and 4 Firewire ports, and a whopping 128GB RAM, I'd say it lives up to the name "Pro". This machine IS the industry standard in film editing, recording studios, graphic design, etc... The one catch, is that it's not portable...
    In come the MAC BOOK PRO. It's lightweight and has excellent battery life which is ideal for portability.
    Now here's what I'm getting at: When you're on the road, at a meeting, or working in the field, you're probably not going to need all of the hardware of the Mac Pro, but only 2 USB ports? That sounds like a joke to me!
    Say you meet someone at a cafe and you decide to transfer some files from your USB drive to his... That's it, you're done for USB ports. You can't even grab a charge for your phone, your iPad, plug in a digital camera or whatever because it only has 2 USB ports. And it really annoys me when I see these PC guys with laptops half the price of a MacBook and they're sitting there with all kinds of stuff plugged in. Notebooks like the Inspirons and ASUS have 5 USB ports... FIVE!!!
    So I ask you, "what's so pro about the MacBook Pro?" Having to constantly plug and unplug peripherals is quite amateur to me.

    Melophage wrote:
    rick268,
    the “Pro” in MacBook Pro was in comparison to the “Pro-less” MacBook. If the two USB ports on a MacBook Pro don’t suffice for your needs, then you can either bring along a powered USB hub, or you can simply not get a MacBook Pro — get one of its competitors instead, which has the number of USB ports which you need.
    I know I can get a USB hub, or better yet, I've been looking into a thunderbolt hub- I just wish I didn't have to sacrifice ports in Apple's conquest to make the thinnest laptop in existence.

  • What can I do about the hackers in my devices.

    What can I do about the hackers in my devices. Pls help i need to know what I can do to take the hackers out of my devices.

    Aww drat! I was going to recommend "AttackA-Hak" which was free from VapourWare Inc.
    a) The likelihood of your Apple device being hacked is millions to one against.
    b) If it was, Apple would be very interested in seeing your device as you would be one of the first.
    c) Can I have whatever you're drinking please ...

  • What can I do about the Other Item on my iPhone... It is using 2.2 GBs of memory...

    What can I do about the Other Item.  It is using 2.2 GBs of memory.... The largest user....
    That is 25% of RAM.....


  • What do you think about the html5?

    I've been seeing developers philosophizing about the future, and I want to know what do you think about the brand new html5?
    mainly because the html5 can take out of the market technology ( flex ).
    thanks for the opinion!!!

    Yep this is most definitely not just a rumor, I've found plenty of sources talking about this.
    Here's someone's take on HTML5, a non-Adobe perspective, from a Silverlight developer.  I thought this would be interesting to mention.  Not sure I agree 100% with everything said (IE may not be most used browser and I don't believe in DRM), but it's an interesting read anyway:
    Yes, you can do a LOT of stuff with HTML5 + JS that Silverlight is good for. But HTML5 will only reach Candidate Recommendation status in 2012 - if Silverlight keeps the current pace, it will be at V7 by then.
    HTML5 will only get you approximately what Silverlight had at V1.0. A Canvas element, some video playback capabilities, and a Javascript programming model. Can you imagine how further advanced Silverlight 4 is at the moment?
    Actually, scratch that - the video quality and availability of HTML5 is a lot worse than what Silverlight has to offer. There is no DRM, no Smooth Streaming, not even full screen! No GPU acceleration either. Even the codec HTML5 has to support is not standardized! This results in Firefox 3.6 having only Theora decoder, and Youtube experimenting with HTML in H.264 (on the same day FF3.6 launched), only playable in approx. 4-5% of the world's browsers.
    Internet Explorer is still the most widely used browser on the web, and does not have HTML5. Currently, there are more Silverlight capable browsers browsing the web than HTML5 compatible ones. I don't think that in the next 3 years you will be able to create an HTML5 app and hope that at least 50% of the world's population can view it without switching browsers. (and remember: installing a plugin is a lot less hassle than switching to a new browser!)
    HTML5 will not be truly cross-browser standard for quite a long time, if ever. There are too many things that the browser developer can do as they wish - just think about the aforementioned video codec issue. There are too many little differences in each browser's Javascript implementation to make it really portable.
    The developer story: nothing in the HTML + JS world comes close to the awesome Visual Studio and Expression Blend tools. Javascript is cool for small apps, but cannot hold a candle to C# when it comes to serious development. Fighting with browser and OS incompatibilities takes up a huge amount of time for any HTML website or web app - with Silverlight you don't have this.
    Just compare what the best HTML / Ajax company in the world (Google) did with maps, and what MS did to see the difference. Go to http://maps.google.com/ (watch out - the Streetview part is in Flash, not Ajax), and compare it to http://www.bing.com/maps/explore/. That is the difference I am talking about.
    Of course he means (or should have meant) Flex/Flash rather than just Flash.  As for the GWT and other AJAX fanboys who I guess think browser compatibility problems are going to be a thing of the past (or won't be a drag on corporate bottom lines - haha), it makes you wonder what other wild fantasies they're envisioning for the future.  Next they'll come and tell us XML-based protocols are going to be as fast as AMF...

  • What do you think about the iPhone 4 for my 11 year old daughter

    What do you think about the iPhone 4 for my 11 year old daughter

    It should be a good choice. I recently got the 5C which typically is $99 with supported carriers. Verizon, AT&T, Sprint provide attractive pricing with a two year contract or if you are adding a line to your current service. I have several friends using the 4S, and they have been very pleased with them.

  • What do you think about the value of MacKeeper?

    What do you think about the value of the free download MacKeeper?

    See below.
    https://discussions.apple.com/docs/DOC-3036

  • What do u think about the new imac quad, what do u think about the new imac quad

    what do u think about the new imac quad, what do u think about the new imac quad?

    I think you should buy me one.

  • What do you think about the new and improved SiriusDecisions Waterfall?

    SiriusDecisions launched their new and improved Demand Waterfall this week at their Summit in Scottsdale, Arizona. For those of you who haven't seen it yet, I have attached the PDF for your viewing pleasure. What do you think? What's strong? What's weak? Do you agree with Tony Jaros that teleprospecting is a required step in the Marketing Qualification process?

    It makes a lot of sense from our perspective.  Our sales organization has always generated the bulk of our leads, so it makes sense to account for them and to build programs to support them.  It was a great conference - my first SiriusDecisions Summit.  I came away both energized and overwhelmed.
    Our Inside Sales team qualifies almost all inquiries via telephone, so it makes sense to me that "teleprospecting" is a required step.  The only exceptions are sales-generated leads, so the waterfall reflects that perfectly.
    What I like most about the new waterfall is that it creates a clear structure for us to focus more on developing lead nurturing and pipeline acceleration programs specifically for teleprospecting- and sales-generated leads.  I'll admit that we've neglected this (simply including those contacts in our marketing-generated lead nurtures).  Furthermore, it reinforces the need to tailor nurtures to the buyer's stage in the buying process.  We tend to move all of our contacts through the same campaign and nurture activities as if they're progressing together, which obviously isn't the case.
    I'd be interested in learning how other Eloqua users are getting data back from their CRM on a contact who has turned into a qualified lead.  How do you find this information out?  Do you then put them through an individual nurture that is focused on accelerating the deal?

  • Custom Login Module, SSO Ticket validity & Login Module Stack

    Hi everybody,
    we have a portal (running on jboss) which links to a J2EE web application (running on SAP WAS 6.40) which itself is protected by a custom login module and redirects to different WebDynpro applications (running on same WAS as the J2EE app) depending on some parameters.
    So when we go from the portal to the J2EE web application, the custom login module authenticates the user, creates a MYSAPSSO2 Cookie and then redirects to a webdynpro app.
    What happens is that the webdynpro app doesn't accept the cookie and redirects to the login mask.
    Looking at the request header parameter HOST we have the request coming from sub1.sub2.mycompany.com, which is the portal.
    The WAS is located on sub3.mycompany.com.
    If we manipulate the HOST parameter to sub2.mycompany.com everything works fine and the webdynpro app successfully authenticates the user.
    This does sound either like a domain relaxing issue or a multi domain issue, which we added as parameters to the CreateTicketLoginModule in the Login Module Stack for the J2EE web app.
    Unfortunately without result.
    Did anybody have a similar problem and can give some hints on how to solve this?
    Any help is appreciated
    Regards,
    md
    Edited by: Minh-Duc Truong on Jul 17, 2008 7:18 PM
    Edited by: Minh-Duc Truong on Jul 17, 2008 7:19 PM
    Edited by: Julius Bussche on Jul 18, 2008 7:25 PM

    Hi md,
    I have split your 2nd question into a separate thread => That would make them easier to answer as well, which will help.
    You can find it here: Custom Login Module, LM Stack ignored
    Cheers,
    Julius
    Edited by: Julius Bussche on Jul 18, 2008 7:26 PM
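
The domain-relaxing hypothesis from the question above, worked through as an added Python example that is not part of the original thread. It assumes the ticket cookie's domain is derived by dropping a configurable number of leading labels from the Host header (the `level` parameter is hypothetical) and applies the RFC 6265 domain-match rule a browser uses when deciding whether to send a cookie.

```python
# Added illustration: models the cookie-domain hypothesis, not SAP code.

def relaxed_domain(host, level):
    """Cookie domain after dropping `level` leading labels from `host`.

    Assumption: this is how domain relaxing picks the ticket cookie's domain.
    Returns None (host-only cookie) when level is 0 or fewer than two labels
    would remain.
    """
    labels = host.lower().rstrip(".").split(".")
    if level <= 0 or len(labels) - level < 2:
        return None
    return ".".join(labels[level:])

def browser_sends(cookie_domain, issuing_host, target_host):
    """RFC 6265 domain-match: is the cookie sent to target_host?"""
    target = target_host.lower().rstrip(".")
    if cookie_domain is None:                      # host-only cookie
        return target == issuing_host.lower().rstrip(".")
    return target == cookie_domain or target.endswith("." + cookie_domain)

def ticket_reaches(issuing_host, level, target_host):
    """Return (cookie_domain, sent) for a ticket issued under issuing_host."""
    domain = relaxed_domain(issuing_host, level)
    return domain, browser_sends(domain, issuing_host, target_host)

# Host names from the question: the Host header seen by the login module,
# and the server running the Web Dynpro application.
PORTAL_HOST = "sub1.sub2.mycompany.com"
WAS_HOST = "sub3.mycompany.com"

if __name__ == "__main__":
    cases = [(PORTAL_HOST, 1), ("sub2.mycompany.com", 1), (PORTAL_HOST, 2)]
    for host, level in cases:
        domain, sent = ticket_reaches(host, level, WAS_HOST)
        print(f"Host={host} level={level} -> Domain={domain} sent={sent}")
```

Under this model a cookie scoped to sub2.mycompany.com is never presented to sub3.mycompany.com, while one scoped to mycompany.com is, which matches the behaviour reported when the Host value is changed.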

  • Configure JAAS login module stack to support x.509 certificates without SSL

    I want to use x.509 certificates for authentication against an EP 7.0 but I don’t want to have SSL traffic on the network segment where the portal resides. Obviously the SSL must be terminated in an application gateway that sends the certificate to the portal in the header.
    I know that AcceptClientCertWithoutSSL must be set to true in the http provider and that ClientCertificateHeaderName is the name of the header variable that contains the user’s certificate, default is SSL_CLIENT_CERT.
    What I don’t know is how to configure my JAAS login module stack, my suggestion would be this:
    EvaluateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
    ClientCertLoginModule OPTIONAL {Rule1.getUserFrom=SSL_CLIENT_CERT}
    CreateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
    BasicPasswordLoginModule REQUISITE {}
    CertPersisterLoginModule OPTIONAL {Rule1.getUserFrom=SSL_CLIENT_CERT}
    CreateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
    My concern is does the ClientCertLoginModule and the CertPersisterLoginModule read from the header variable? If they don’t, is there another login module that should be used in this case?

    Hi Claus,
    you got the flags right but the options of the login modules (LM) are wrong, so the certificate authentication won't work.
    There are two problems I see: (1) Rule1.getUserFrom is not a valid option for the LM CertPersisterLoginModule, and (2) SSL_CLIENT_CERT is not a valid value for the option Rule1.getUserFrom of the ClientCertLoginModule.
    Looking at this topic:
    http://help.sap.com/saphelp_nw2004s/helpdata/en/ea/301e3e6217b40be10000000a114084/content.htm
    the header variable used to pass the certificate is maintained in the HTTP provider service properties but since you use the default you don't need to maintain that part of the config. You also don't need the CertPersisterLoginModule in the config because it is used for automatic certificate mapping, which doesn't work when you don't have SSL to the portal.
    So with the above said your LM stack config should look like this:
    EvaluateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
    ClientCertLoginModule OPTIONAL {Rule1.getUserFrom=wholeCert}
    CreateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
    BasicPasswordLoginModule REQUISITE {}
    CreateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
    If this doesn't work I'd suggest opening a support ticket.
    Regards,
    Yonko
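
How the control flags in the stack above decide which modules run, as an added Python model that is not part of the original reply and not SAP code. The module bodies and the request fields (`ticket_user`, `cert_user`, `password_user`) are constructed stand-ins, and `create_ticket` succeeding only after an earlier module has set a user is an assumption; the flag handling follows the standard JAAS login-phase rules.

```python
# Added illustration: a simplified model of the JAAS login phase, not SAP code.
# Each stand-in module returns True/False and may record the user in `shared`.

def _accept(user, shared):
    if user:
        shared["user"] = user
    return bool(user)

def evaluate_ticket(req, shared):
    return _accept(req.get("ticket_user"), shared)

def client_cert(req, shared):
    return _accept(req.get("cert_user"), shared)

def basic_password(req, shared):
    return _accept(req.get("password_user"), shared)

def create_ticket(req, shared):
    # Assumption: a ticket is issued only for a user set by an earlier module.
    return "user" in shared

# The stack from the reply above (module options omitted).
STACK = [
    ("EvaluateTicketLoginModule", "SUFFICIENT", evaluate_ticket),
    ("ClientCertLoginModule", "OPTIONAL", client_cert),
    ("CreateTicketLoginModule", "SUFFICIENT", create_ticket),
    ("BasicPasswordLoginModule", "REQUISITE", basic_password),
    ("CreateTicketLoginModule", "SUFFICIENT", create_ticket),
]

def run_stack(stack, req):
    """Return (authenticated, user, names of the modules that ran)."""
    shared, ran = {}, []
    required_failed = any_success = False
    for name, flag, login in stack:
        ok = login(req, shared)
        ran.append(name)
        if ok:
            any_success = True
            if flag == "SUFFICIENT" and not required_failed:
                break            # stop here; later modules never run
        elif flag == "REQUISITE":
            required_failed = True
            break                # fail at once, nothing further runs
        elif flag == "REQUIRED":
            required_failed = True
    authenticated = any_success and not required_failed
    return authenticated, shared.get("user") if authenticated else None, ran
```

Calling `run_stack(STACK, {"cert_user": "bob"})` stops at the first CreateTicketLoginModule, so BasicPasswordLoginModule never runs; with an empty request the REQUISITE password module fails and ends the stack.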

  • Login Module Stack of EP

    Hi guys,
    I am in the process of setting up HeaderVariable Authentication for access to EP and have some questions.
    1) What Login Module Stack needs to be adjusted to use the HeaderVariableLoginModule? SAP J2EE Root or Ticket or ....
    2) Are changes in the policy configurations (adding logon module) applied immediately or is a J2EE restart required?
    Thanks,
    Mario.

    Thank you Paul.
    I've also found the answer to question 1 on my own. I have to modify the Login Module stack of template "ticket" as follows:
      1) EvaluateTicketLoginModule SUFFICIENT
      2) HeaderVariableLoginModule OPTIONAL     Header=REMOTE_USER
      3) CreateTicketLoginModule   SUFFICIENT
      4) BasicPasswordLoginModule  REQUISITE
      5) CreateTicketLoginModule   OPTIONAL
    Now I'd like to know if it is possible to test the header variable login configuration without using any external web server but connecting directly to Enterprise Portal.
    When I try to connect directly to the Enterprise Portal using the URL
       http://<server>:<port>/irj/portal?REMOTE_USER=<userID>
    I'm not able to log into the system, but I'm redirected to the login page.
    If I type in userID and password, portal doesn't authenticate the user.
    Is the External Web Server mandatory for the Header Variable Login Module configuration?
    Thanks in advance,
    Mario.
