Wls7 + custom auth module + abort instead of commit
Hi,
I've written a custom authentication module using a rdbms.
WHat does work:
- getting + verifying username
- getting + verifying password
- adding username to principal
- getting the groups
- adding the groups
- no exceptions are being thrown
- the login() method returs true
PROBLEM:
after that the loginModule returns true, the abort() method is being called and
not the commit().
Does anyone know in which scenario the abort() is getting called and not the commit()
or what could be a possible problem.
Thx
See if you also have the default weblogic authenticator configured as an authentication
provider, and if yes, make sure that the Control flag for that default one is
set to "SUFFICIENT"/"OPTIONAL".
"Reborn" <[email protected]> wrote:
>
Hi,
I've written a custom authentication module using a rdbms.
WHat does work:
- getting + verifying username
- getting + verifying password
- adding username to principal
- getting the groups
- adding the groups
- no exceptions are being thrown
- the login() method returs true
PROBLEM:
after that the loginModule returns true, the abort() method is being
called and
not the commit().
Does anyone know in which scenario the abort() is getting called and
not the commit()
or what could be a possible problem.
Thx
Similar Messages
-
Custom Auth Module + refer to other jar
Hi, I've just created a Custom Authentication Module based on a rdbms. Now I'm
trying to use common logging (+log4j) in that module.
<br><br>
Now the problem in order to use the logging, I've to refer to some additional
jars (common + log4j) en some propertie files. But HOW can I include these files
without having to put them in my server classpath.Hi,
If you running in Realm Mode, add the below line
iplanetAuthTestService=Authentication
<replace iplanetAuthTestService with the name of your Test login service>
to /opt/SUNWam/web-src/services/WEB-INF/classes/amServiceTable.properties
(or)
C:\Sun\AccessManager\web-src\services\WEB-INF\classes\amServiceTable.properties
redeploy amservices with deploy level=21 (amconfig.prop)
Hope this helps..
Shashi -
How to unconfigure a Custom Authentication Module for Convergence
After flailing with the incomplete instructions for [Writing a Custom Authentication Module for Convergence|http://wikis.sun.com/display/CommSuite/Writing+a+Custom+Authentication+Module+for+Convergence]
, I decided to try to revert back to the default.
How do you remove the module and go back to the default? I tried to unset the options, but they did not seem to take effect.
sudo /opt/sun/comms/iwc/sbin/iwcadmin -w xxxxx -o auth.custom.servicename -v ""
sudo /opt/sun/comms/iwc/sbin/iwcadmin -w xxxxx -o auth.custom.callbackhandler -v ""
sudo /opt/sun/comms/iwc/sbin/iwcadmin -w xxxxx -o auth.custom.loginimpl -v ""
sudo /opt/SUNWappserver/bin/asadmin stop-appserv
sudo /opt/SUNWappserver/bin/asadmin start-appserv
AUTH: DEBUG from com.sun.comms.client.web.sso.SSOFilter Thread httpSSLWorkerThread-80-1 at 14:45:25,951 - SSO is disabled
AUTH: WARN from com.sun.comms.client.protocol.delegate.agent.LoginContextAgent Thread httpSSLWorkerThread-80-1 at 14:45:25,953 - Subject not found in session, creating one
AUTH: ERROR from com.sun.comms.client.protocol.delegate.agent.LoginContextAgent Thread httpSSLWorkerThread-80-1 at 14:45:25,954 - Unabled to load the class due to
AUTH: ERROR from com.sun.comms.client.protocol.delegate.agent.LoginContextAgent Thread httpSSLWorkerThread-80-1 at 14:45:25,956 - Unable to instantiate callback handler
AUTH: ERROR from com.sun.comms.client.protocol.delegate.LoginCommandDelegate Thread httpSSLWorkerThread-80-1 at 14:45:25,957 - Failed to Login the user: Unable to instantiate callback handler
PROTOCOL: ERROR from com.sun.comms.client.protocol.delegate.LoginCommandDelegate Thread httpSSLWorkerThread-80-1 at 14:45:25,960 - Protocol Error while login : Unknown Reasonjessethompson wrote:
After flailing with the incomplete instructions for [Writing a Custom Authentication Module for Convergence|http://wikis.sun.com/display/CommSuite/Writing+a+Custom+Authentication+Module+for+Convergence]
, I decided to try to revert back to the default.
How do you remove the module and go back to the default? I tried to unset the options, but they did not seem to take effect.After enabling the custom login module using the steps in the earlier thread (http://forums.sun.com/thread.jspa?threadID=5318615), I performed the following steps to disable the custom module and re-enable the ldap auth module:
# Disable custom auth-module
cd /opt/sun/comms/iwc/sbin
./iwcadmin -w <admin password> -o auth.custom.servicename -v ""
./iwcadmin -w <admin password> -o auth.custom.loginimpl -v ""
./iwcadmin -w <admin password> -o auth.custom.callbackhandler -v ""
./iwcadmin -w <admin password> -o auth.misc.CredentialFile -v ""# Re-enable the LDAP auth-module
cd /opt/sun/comms/iwc/sbin
./iwcadmin -w <admin password> -o auth.ldap.callbackhandler -v com.sun.comms.client.security.auth.AppCallbackHandler
./iwcadmin -w <admin password> -o auth.ldap.loginimpl -v com.sun.comms.client.security.auth.modules.impl.SunLDAPLoginModule# Restarte App Server
cd /opt/SUNWappserver/bin/
./asadmin stop-domain; ./asadmin start-domain# Login to iwc interface as user shjorth with password oldpwd
# Login successful with oldpwd -- custom auth module successfully disabled, LDAP re-enabled
Regards,
Shane. -
Custom pluggable idm with custom login module
Hello All. I've developed a custom implementation of the pluggable identity management framework as explained in chapter 13 of the book "Oracle® Containers for J2EE Security Guide10g (10.1.3.1.0)". I have OAS 10.1.3.1.0.
Everything works fine except when the identity is validated with in the tokenAsserter. The process is supposed to continue with the login method implemented in my custom login module but instead the default oracle implementation (RealmLoginModule) is being executed.
The application is a servlet and is configured to use a custom loginModule. If I don't use de custom auth method (auth-method="CUSTOM_AUTH" in orion-application) my loginModule is called but when I plug it to my custom idm implementation it doesn't.
The custom idm is packed in to a jar containing the idm and the login module. The jar is deployed to the <ORACLE_HOME>/ext/lib directory.
Any suggestions? ThanksThanks for your answer, it really helps. I had already cheeked all that stuff and it was correct, but knowing that another person had made it worked the same way I was doing it, made me think I was doing it right and the problem may simpler. It really was. OC4J was really calling my login module all the time but it was getting a runtime exception, a very simple one, that was making OC4J to propagate the authentication to the default login module (RealmLoginModule), and that was the error I was watching in the logs that had me all confused.
I will start another thread though about stolen cookie in a SSO solution that I’m developing with this implementation.
Thank you. -
Custom Login Module - Commit Method return TRUE always?
Hi,
I am creating a custom login module for my portal authentication.
For the login module, should the commit() method always return TRUE?
The example code on help.sap.com indicates yes to this question.
However, the JAVA Sun standard indicates that commit should return FALSE if the preceding login method returned FALSE.
Does the SAP example stray from the SUN standard? How should I code the commit() method such that it works (Always TRUE, or follow lead of login() method)?
Regards,
KevinHi Kevin,
I'm actually working with this document: <a href="https://www.sdn.sap.comhttp://www.sdn.sap.comhttp://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/events/webinars/jaas%20login%20module%20development%20on%20webas%20java%20640.pdf#search=%22classloader%20sda%20jar%20reference%22">JAAS Login Modules</a>.
There is also example code. If it should be ignored they return false, otherwise true (page 32).
Regards,
Marcus
Message was edited by: Marcus Freiheit -
How to get Custom Login Module to communicate with frontendtarget
We have created a custom login module and placed it in our login module stack.
So we have the following 3 Login Modules in our stack:
EvaluateTicketModule
OurCustomLoginModule
CreateTicketModule
Also we are using the standard SAP login screen for our frontendtarget, see our authschemes.xml entry:
<authscheme name="cglogon">
<authentication-template>
form
</authentication-template>
<priority>21</priority>
<frontendtype>2</frontendtype>
<frontendtarget>com.sap.portal.runtime.logon.certlogon</frontendtarget>
</authscheme>
Question:
There are standard screens in the SAP login PAR:
changePasswordPage.jsp
umLogonProblemPage.jsp
umResetPasswordPage.jsp
How do I trigger one of these screens from my Login() method of my
custom login module? I thought if I throw some specific exception, these screens would
be called?A bit more info.
We created a new Authentication Scheme for certain iviews that are deemed more "sensitive" that required a step-up authentication.
I changed the Iview property "Authentication Scheme" to our custom one.
If I navigate into one of these more sensitive Iviews, I get the standard SAP login screen: <frontendtarget>com.sap.portal.runtime.logon.certlogon</frontendtarget>
Whis is what i expect.
I enter a username and password and click Logon button. I see that it successfully hits our custom login module and goes through Login(), and Commit() methods and finally displays the iview i originally requested.
However, on a failure, i want it to return focus to the SAP login screen with an error explaining why...(i.e. wrong password, account locked, etc.)
However, It always give iview runtime exception with Access Denied.
#1.5 #0018FE8C6FD800690000029000004D6C00045B6E5E7D6014#1226429496628#com.sap.engine.services.security.authentication.logincontext#sap.com/irj#com.sap.engine.services.security.authentication.logincontext#JOHNDOE#182##servername_EPX_176065950#JOHNDOE#bb3365a0b02111ddabea0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_24##0#0#Debug##Java###Login module {0} from authentication stack {1} does not authenticate the caller.#2#companyname.com.CGLoginModuleClass#form#
#1.5 #0018FE8C6FD800690000029100004D6C00045B6E5E7D6275#1226429496629#com.sap.engine.services.security.authentication.loginmodule.ticket.EvaluateTicketLoginModule#sap.com/irj#com.sap.engine.services.security.authentication.loginmodule.ticket.EvaluateTicketLoginModule.abort()#JOHNDOE#182##servername_EPX_176065950#JOHNDOE#bb3365a0b02111ddabea0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_24##0#0#Path##Plain###Entering method#
#1.5 #0018FE8C6FD800690000029200004D6C00045B6E5E7D6308#1226429496629#com.sap.engine.services.security.authentication.loginmodule.ticket.EvaluateTicketLoginModule#sap.com/irj#com.sap.engine.services.security.authentication.loginmodule.ticket.EvaluateTicketLoginModule#JOHNDOE#182##servername_EPX_176065950#JOHNDOE#bb3365a0b02111ddabea0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_24##0#0#Debug##Plain###Internal Login Module data has been reset.#
#1.5 #0018FE8C6FD800690000029300004D6C00045B6E5E7D6386#1226429496629#com.sap.engine.services.security.authentication.loginmodule.ticket.EvaluateTicketLoginModule#sap.com/irj#com.sap.engine.services.security.authentication.loginmodule.ticket.EvaluateTicketLoginModule#JOHNDOE#182##servername_EPX_176065950#JOHNDOE#bb3365a0b02111ddabea0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_24##0#0#Path##Java###Exiting method with {0}#1#true#
#1.5 #0018FE8C6FD800690000029400004D6C00045B6E5E7D6438#1226429496629#com.sap.engine.services.security.authentication.loginmodule.ticket.CreateTicketLoginModule#sap.com/irj#com.sap.engine.services.security.authentication.loginmodule.ticket.CreateTicketLoginModule.abort()#JOHNDOE#182##servername_EPX_176065950#JOHNDOE#bb3365a0b02111ddabea0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_24##0#0#Path##Plain###Entering method#
#1.5 #0018FE8C6FD800690000029500004D6C00045B6E5E7D64B2#1226429496629#com.sap.engine.services.security.authentication.loginmodule.ticket.CreateTicketLoginModule#sap.com/irj#com.sap.engine.services.security.authentication.loginmodule.ticket.CreateTicketLoginModule#JOHNDOE#182##servername_EPX_176065950#JOHNDOE#bb3365a0b02111ddabea0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_24##0#0#Path##Java###Exiting method with {0}#1#true#
#1.5 #0018FE8C6FD800690000029700004D6C00045B6E5E7D6750#1226429496630#com.sap.engine.services.security.authentication.logincontext#sap.com/irj#com.sap.engine.services.security.authentication.logincontext#JOHNDOE#182##servername_EPX_176065950#JOHNDOE#bb3365a0b02111ddabea0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_24##0#0#Info#1#/System/Security/Authentication#Plain###LOGIN.FAILED
User: N/A
Authentication Stack: form
Login Module Flag Initialize Login Commit Abort Details
1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok exception true authscheme not sufficient: uidpwdlogon<cglogon
\#1 ume.configuration.active = true
2. companyname.com.CGLoginModuleClass REQUISITE ok exception true Authentication did not succeed.
3. com.sap.security.core.server.jaas.CreateTicketLoginModule OPTIONAL ok true
\#1 ume.configuration.com = true#
#1.5 #0018FE8C6FD800690000029900004D6C00045B6E5E7DA973#1226429496647#System.err#sap.com/irj#System.err#JOHNDOE#182##servername_EPX_176065950#JOHNDOE#bb3365a0b02111ddabea0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_24##0#0#Error##Plain###Nov 11, 2008 10:51:36... com.sap.portal.portal [SAPEngine_Application_Thread[impl:3]_24] Error: Exception ID:10:51_11/11/08_0002_176065950
#1.5 #0018FE8C6FD800690000029B00004D6C00045B6E5E7DCA91#1226429496647#com.sap.portal.portal#sap.com/irj#com.sap.portal.portal#JOHNDOE#182##servername_EPX_176065950#JOHNDOE#bb3365a0b02111ddabea0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_24##0#0#Error#1#/System/Server#Java###Exception ID:10:51_11/11/08_0002_176065950
[EXCEPTION]
{0}#1#com.sapportals.portal.prt.runtime.PortalRuntimeException: Access is denied: pcd:portal_content/com.companyname.portal.capitalgroup/com.companyname.com.security/com.companyname.portal.cghressnaaa/com.sap.pct.ess.employee_self_service/com.companyname.pg_sensitiveWebdynpro/com.cg.ivu_saplogon_0 - user: Guest
at com.sapportals.portal.prt.deployment.DeploymentManager.getPropertyContentProvider(DeploymentManager.java:1936)
at com.sapportals.portal.prt.core.broker.PortalComponentContextItem.refresh(PortalComponentContextItem.java:230)
at com.sapportals.portal.prt.core.broker.PortalComponentContextItem.getContext(PortalComponentContextItem.java:312)
at com.sapportals.portal.prt.component.PortalComponentRequest.getComponentContext(PortalComponentRequest.java:385)
at com.sapportals.portal.prt.connection.PortalRequest.getRootContext(PortalRequest.java:435)
at com.sapportals.portal.prt.core.PortalRequestManager.runRequestCycle(PortalRequestManager.java:607)
at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:240)
at com.sapportals.portal.prt.dispatcher.Dispatcher$doService.run(Dispatcher.java:545)
and here's my login method...
public boolean login() throws javax.security.auth.login.LoginException
this.succeeded = false;
String passwordString = "";
if (callbackHandler == null)
throw new LoginException("Error: no CallbackHandler available to garner authentication information from the user");
HttpGetterCallback httpgettercallback = new HttpGetterCallback();
NameCallback nc = new NameCallback("User:");
PasswordCallback pc = new PasswordCallback("Password:", false);
Callback[] callbacks = new Callback[] { nc, pc };
try
callbackHandler.handle(callbacks);
catch (IOException e)
throwUserLoginException(e, LoginExceptionDetails.IO_EXCEPTION);
catch (UnsupportedCallbackException e)
return false;
String userid = nc.getName();
char[] password = pc.getPassword();
pc.clearPassword();
if (userid.length() == 0)
throwNewLoginException("USERID IS MISSING!", LoginExceptionDetails.IO_EXCEPTION);
else
username = userid;
if (password.length == 0)
throwNewLoginException("PASSWORD IS MISSING!", LoginExceptionDetails.NO_PASSWORD);
else
passwordString = new String(password);
String eccLoginResult = validateECCAuthentication(username, passwordString);
if (!eccLoginResult.equals(""))
myLoc.infoT(this.username + " - failed ECC authentication.");
throwNewLoginException("Wrong UserId/Password", LoginExceptionDetails.WRONG_USERNAME_PASSWORD_COMBINATION);
else
myLoc.infoT(this.username + " - failed ECC authentication.");
this.succeeded = true;
if (this.succeeded)
try
refreshUserInfo(this.username);
catch (SecurityException e)
throwUserLoginException(e);
if (sharedState.get(AbstractLoginModule.NAME) == null)
sharedState.put(AbstractLoginModule.NAME, this.username);
this.nameSet = true;
else
throwNewLoginException("Wrong UserId/Password", LoginExceptionDetails.WRONG_USERNAME_PASSWORD_COMBINATION);
return this.succeeded; -
Custom login module for EP7.4 with Captcha
Hi
I am trying to create a custom login module which validates the captcha shown at the login screen using SAP help link:
http://help.sap.com/saphelp_nw73/helpdata/en/48/ff4faf222b3697e10000000a42189b/content.htm?frameset=/en/48/fcea4f62944e88e10000000a421937/frameset.htm¤t_toc=/en/74/8ff534d56846e2abc61fe5612927bf/plain.htm&node_id=20
The session is being set in the Captcha servlet which is used to render the image on the login page.
However when I am trying to compare it with input or print the session value, its throwing an exception.
I checked in the NWA logs and it just shows the following error message:
6. com.temp.loginModule.MyLoginModuleClass OPTIONAL ok exception true Authentication did not succeed.
Please help me analyse the error stack. Can someone point where do i check the detailed logs to trace the issue?
Please find below source of my login module.
package com.temp.loginModule;
import java.io.IOException;
import java.util.Map;
import javax.security.auth.login.LoginException;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import nl.captcha.Captcha;
import com.sap.engine.interfaces.security.auth.AbstractLoginModule;
import com.sap.engine.lib.security.http.HttpGetterCallback;
import com.sap.engine.lib.security.http.HttpCallback;
import com.sap.engine.lib.security.LoginExceptionDetails;
import com.sap.engine.lib.security.Principal;
public class MyLoginModuleClass extends AbstractLoginModule{
private CallbackHandler callbackHandler = null;
private Subject subject = null;
private Map sharedState = null;
private Map options = null;
// This is the name of the user you have created on
// the AS Java so you can test the login module
private String userName = null;
private boolean successful;
private boolean nameSet;
public void initialize(Subject subject, CallbackHandler callbackHandler,
Map sharedState, Map options) {
// This is the only required step for the method
super.initialize(subject, callbackHandler, sharedState, options);
// Initializing the values of the variables
this.callbackHandler = callbackHandler;
this.subject = subject;
this.sharedState = sharedState;
this.options = options;
this.successful = false;
this.nameSet = false;
* Retrieves the user credentials and checks them. This is
* the first part of the authentication process.
public boolean login() throws LoginException {
// HttpGetterCallback httpGetterCallback = new HttpGetterCallback();
// httpGetterCallback.setType(HttpCallback.REQUEST_PARAMETER);
// httpGetterCallback.setName("captchaInput");
String value = null;
// try {
// callbackHandler.handle(new Callback[] { httpGetterCallback });
// String[] arrayRequestparam = (String[]) httpGetterCallback.getValue();
// if(arrayRequestparam!=null && arrayRequestparam.length>0)
// value = arrayRequestparam[0];
// } catch (UnsupportedCallbackException e) {
// throwNewLoginException("An error occurred while trying to validate credentials.");
// } catch (IOException e) {
// throwUserLoginException(e, LoginExceptionDetails.IO_EXCEPTION);
value = getRequestValue("captchaInput");
userName = getRequestValue("j_username");
HttpGetterCallback httpGetterCallbackSessionCaptcha = new HttpGetterCallback();
httpGetterCallbackSessionCaptcha.setType(HttpCallback.SESSION_ATTRIBUTE);
httpGetterCallbackSessionCaptcha.setName("myCaptchaLogin");
try {
callbackHandler.handle(new Callback[] { httpGetterCallbackSessionCaptcha });
Captcha arraySessionParam = (Captcha) httpGetterCallbackSessionCaptcha.getValue();
// System.out.println("****************************************************httpGetterCallbackSessionCaptcha" + (arraySessionParam==null?"null session":arraySessionParam.getAnswer())+
// "\n captchaInput" + value+"*********************");
if(arraySessionParam==null || !arraySessionParam.isCorrect(value)){
throwNewLoginException("Entered code does not match with the image code.Session:"+(arraySessionParam==null?"null":arraySessionParam.getAnswer())+" Param:"+ value);
// throwUserLoginException(new Exception("Entered code does not match with the image code."));
httpGetterCallbackSessionCaptcha.setValue(null);
} catch (UnsupportedCallbackException e) {
throwNewLoginException("An error occurred while trying to validate credentials.");
} catch (IOException e) {
throwUserLoginException(e, LoginExceptionDetails.IO_EXCEPTION);
// Retrieve the user credentials via the callback
// handler.
// In this case we get the user name from the HTTP
// NameCallback.
// NameCallback nameCallback = new NameCallback("User name: ");
/* The type and the name specify which part of the HTTP request
* should be retrieved. For Web container authentication, the
* supported types are defined in the interface
* com.sap.engine.lib.security.http.HttpCallback.
* For programmatical authentication with custom callback
* handler the supported types depend on the used callback handler.
// try {
// callbackHandler.handle(new Callback[] {nameCallback});
// catch (UnsupportedCallbackException e) {
// return false;
// catch (IOException e) {
// throwUserLoginException(e, LoginExceptionDetails.IO_EXCEPTION);
// userName = nameCallback.getName();
// if( userName == null || userName.length() == 0 ) {
// return false;
/* When you know the user name, update the user information
* using data from the persistence. The operation must
* be done before the user credentials checks. This method also
* checks the user name so that if a user with that name does not
* exist in the active user store, a
* java.lang.SecurityException is thrown.
// try {
// refreshUserInfo(userName);
// } catch (SecurityException e) {
// throwUserLoginException(e);
/* Checks if the given user name starts with the specified
* prefix in the login module options. If no prefix is specified,
* then all users are trusted.
// String prefix = (String) options.get("user_name_prefix");
// if ((prefix != null) && !userName.startsWith(prefix)) {
// throwNewLoginException("The user is not trusted.");
/* This is done if the authentication of the login module is
* successful.
* Only one and exactly one login module from the stack must put
* the user name in the shared state. This user name represents
* the authenticated user.
* For example if the login attempt is successful, method
* getRemoteUser() of
* the HTTP request will retrieve exactly this name.
if (sharedState.get(AbstractLoginModule.NAME) == null) {
sharedState.put(AbstractLoginModule.NAME, userName);
nameSet = true;
successful = true;
return true;
* Commit the login. This is the second part of the authentication
* process.
* If a user name has been stored by the login() method,
* the user name is added to the subject as a new principal.
public boolean commit() throws LoginException {
if (successful) {
/* The principals that are added to the subject should
* implement java.security.Principal.You can use the class
* com.sap.engine.lib.security.Principal for this purpose.
Principal principal = new Principal(userName);
subject.getPrincipals().add(principal);
/* If the login is successful, then the principal corresponding
* to the <userName> (the same user name that has been added
* to the subject) must be added in the shared state too.
* This principal is considered to be the main principal
* representing the user.
* For example, this principal will be retrieved from method
* getUserPrincipal() of the HTTP request.
if (nameSet) {
sharedState.put(AbstractLoginModule.PRINCIPAL, principal);
} else {
userName = null;
return true;
* Abort the authentication process.
public boolean abort() throws LoginException {
if (successful) {
userName = null;
successful = false;
return true;
* Log out the user. Also removes the principals and
* destroys or removes the credentials that were associated
* with the user during the commit phase.
public boolean logout() throws LoginException {
// Remove principals and credentials from subject
if (successful) {
subject.getPrincipals(Principal.class).clear();
successful = false;
return true;
private String getRequestValue(String parameterName)
throws LoginException {
HttpGetterCallback httpGetterCallback = new HttpGetterCallback();
httpGetterCallback.setType(HttpCallback.REQUEST_PARAMETER);
httpGetterCallback.setName(parameterName);
String value = null;
try {
callbackHandler.handle(new Callback[] { httpGetterCallback });
String[] arrayRequestparam = (String[]) httpGetterCallback.getValue();
value = arrayRequestparam[0];
} catch (UnsupportedCallbackException e) {
return null;
} catch (IOException e) {
throwUserLoginException(e, LoginExceptionDetails.IO_EXCEPTION);
return value;
Regards
Ramanender SinghRamanender,
JAAS modules usually requires a restart whenever you need to change them. So be very careful with what you expect once you re-deploy your code.
Once the library is loaded it will never reload itself until you perform a restart of the VM.
Connect to the debug port may help, but basic debugging will not take you too far either.
I would recommend you to use the log tracing facility on your code. Just enter the following class attribute:
import com.sap.tc.logging.Location;
private static final Location trace = Location.getLocation(<your_classname_here>.class);
trace.warningT("Some Warning Text Here..." + variable here);
trace.debugT("Some Warning Text Here..." + variable here);
You may need to go NWA and set the Location Severity Level to Debug according to your needs.
Leave the trace code on your module for IT personnel to debug it if necessary. Don't forget to have the severity level of your code properly set.
Meaning: You don't want to have every trace message your module sills out with warningT() or infoT().
There is a excellent blog here on how this works
Then you will be able to inspect some variable contents while the callbackhandler is being executed.
Pay special attention with the timing - variables have a lifetime when dealing with login modules.
Use the entering(<method_name>) and exiting(<method_name> just ot make sure where in the code the variable should be populated and when.
BR,
Ivan -
hi,
I'm would like to configure a custom authentication module between OIM, JBOSS and AD.
I try to use the LdapLoginModule from JBOSS.
Add in xlconfig.xml :
<login-module>
<thirdPartyLoginModule>org.jboss.security.auth.spi.LdapLoginModule</thirdPartyLoginModule>
</login-module>
Change in login-config.xml :
<application-policy name = "xellerate">
<authentication>
<login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
<module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
<module-option name="java.naming.provider.url">ldap://XXXX:389</module-option>
<module-option name="principalDNPrefix">XXXX</module-option>
<module-option name="principalDNSuffix">XXXX</module-option>
<module-option name="java.naming.security.principal">XXXX</module-option>
<module-option name="java.naming.security.credentials">XXXX</module-option>
<module-option name="rolesCtxDN">XXXX</module-option>
<module-option name="uidAttributeID">XXXX</module-option>
<module-option name="matchOnUserDN">XXXX</module-option>
<module-option name="roleAttributeID">XXXX</module-option>
<module-option name="roleAttributeIsDN">XXXX</module-option>
<module-option name="searchTimeLimit">XXXX</module-option>
<module-option name="searchScope">XXXX</module-option>
<module-option name="allowEmptyPasswords">XXXX</module-option>
</login-module>
</authentication>
</application-policy>
There is an Error when I try to login on OIM.
Server.log :
TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] Begin getAppConfigurationEntry(xellerate), size=9
TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] End getAppConfigurationEntry(xellerate), authInfo=AppConfigurationEntry[]:
[0]
LoginModule Class: org.jboss.security.auth.spi.LdapLoginModule
ControlFlag: Anmeldemodul-Steuerflag: required
Options:name=uidAttributeID, value=member
name=matchOnUserDN, value=true
name=rolesCtxDN, value=XXXXX
name=principalDNPrefix, value=XXXXX
name=principalDNSuffix, value=XXXXX
name=java.naming.factory.initial, value=com.sun.jndi.ldap.LdapCtxFactory
name=java.naming.security.credentials, value=XXXXX
name=allowEmptyPasswords, value=false
name=java.naming.provider.url, value=XXXXX
name=java.naming.security.principal, value=XXXXX
name=searchTimeLimit, value=5000
name=roleAttributeIsDN, value=false
name=searchScope, value=ONELEVEL_SCOPE
name=roleAttributeID, value=XXXXX
TRACE [org.jboss.security.auth.spi.LdapLoginModule] initialize, instance=@6460623
TRACE [org.jboss.security.auth.spi.LdapLoginModule] Security domain: xellerate
TRACE [org.jboss.security.auth.spi.LdapLoginModule] login
TRACE [org.jboss.security.auth.spi.LdapLoginModule] Logging into LDAP server, env={java.naming.factory.initial=XXXXXX...}
TRACE [org.jboss.security.auth.spi.LdapLoginModule] Logged into LDAP server, javax.naming.ldap.InitialLdapContext@f24d4f
TRACE [org.jboss.security.auth.spi.LdapLoginModule] Rebind SECURITY_PRINCIPAL to: cn=XXXXX
TRACE [org.jboss.security.auth.spi.LdapLoginModule] searching rolesCtxDN=XXXXX
TRACE [org.jboss.security.auth.spi.LdapLoginModule] Checking answer: XXXXX
TRACE [org.jboss.security.auth.spi.LdapLoginModule] Assign user to role XXXXX
TRACE [org.jboss.security.auth.spi.LdapLoginModule] User 'XXXXX' authenticated, loginOk=true
TRACE [org.jboss.security.auth.spi.LdapLoginModule] commit, loginOk=true
TRACE [org.jboss.security.SecurityAssociation] getPrincipal, principal=null
TRACE [org.jboss.security.SecurityAssociation] getSubject, sc=null
TRACE [org.jboss.security.SecurityAssociation] getPrincipal, principal=null
TRACE [org.jboss.security.plugins.JaasSecurityManager.xellerate] Begin isValid, principal:null, cache info: null
TRACE [org.jboss.security.plugins.JaasSecurityManager.xellerate] defaultLogin, principal=null
TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] Begin getAppConfigurationEntry(xellerate), size=9
TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] End getAppConfigurationEntry(xellerate), authInfo=AppConfigurationEntry[]:
[0]
LoginModule Class: org.jboss.security.auth.spi.LdapLoginModule
ControlFlag: Anmeldemodul-Steuerflag: required
Options:name=uidAttributeID, value=member
name=matchOnUserDN, value=true
name=rolesCtxDN, value=XXXXX
name=principalDNPrefix, value=XXXXX
name=principalDNSuffix, value=XXXXX
name=java.naming.factory.initial, value=XXXXX
name=java.naming.security.credentials, value=XXXXX
name=allowEmptyPasswords, value=false
name=java.naming.provider.url, value=XXXXX
name=java.naming.security.principal, value=XXXXX
name=searchTimeLimit, value=5000
name=roleAttributeIsDN, value=false
name=searchScope, value=ONELEVEL_SCOPE
name=roleAttributeID, value=XXXXX
2009-09-18 14:44:49,576 TRACE [org.jboss.security.auth.spi.LdapLoginModule] initialize, instance=@22168243
2009-09-18 14:44:49,576 TRACE [org.jboss.security.auth.spi.LdapLoginModule] Security domain: xellerate
2009-09-18 14:44:49,576 TRACE [org.jboss.security.auth.spi.LdapLoginModule] login
2009-09-18 14:44:49,576 TRACE [org.jboss.security.auth.spi.LdapLoginModule] Authenticating as unauthenticatedIdentity=null
2009-09-18 14:44:49,576 DEBUG [org.jboss.security.auth.spi.LdapLoginModule] Bad password for username=null
2009-09-18 14:44:49,576 TRACE [org.jboss.security.auth.spi.LdapLoginModule] abort
2009-09-18 14:44:49,576 TRACE [org.jboss.security.plugins.JaasSecurityManager.xellerate] Login failure
javax.security.auth.login.FailedLoginException: Password Incorrect/Password Required
at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:213)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
In login-config.xml, I comment the following code :
<!--
<login-module code="org.jboss.security.ClientLoginModule" flag="required">
</login-module>
<login-module code="com.thortech.xl.security.jboss.UsernamePasswordLoginModule" flag = "required" >
<module-option name = "unauthenticatedIdentity">Unknown</module-option>
<module-option name = "data-source">java:/jdbc/xlDS</module-option>
</login-module>
-->
I think that my user is authenticated from AD, but OIM try a second authentication with a username = null.
Any clues will be helpful.
Can you help me ?Hi,
I solve the problem.
In xlconfig.xml :
<login-module>
<thirdPartyLoginModule>org.jboss.security.auth.spi.LdapLoginModule</thirdPartyLoginModule>
</login-module>
In login-config.xml
<application-policy name = "xellerate">
<authentication>
<login-module code="org.jboss.security.ClientLoginModule" flag="required">
</login-module>
<login-module code="com.thortech.xl.security.jboss.UsernamePasswordLoginModule" flag = "required" >
<module-option name = "unauthenticatedIdentity">Unknown</module-option>
<module-option name="java.naming.factory.initial ... </module-option>
</login-module>
</authentication>
</application-policy>
A user must have a role "User" in AD.
That's all.
Thanks. -
Custom Login Module Behavior (JAAS)...Help!
Problem: After successful authentication through a custom login module, the screen stays on the login screen and does not go to the iview you clicked on...
I have created a login module as documented [here|http://help.sap.com/saphelp_nw04s/helpdata/en/46/3ce9402f3f8031e10000000a1550b0/frameset.htm].
I have added a new entry in the authschemes.xml file:
<authscheme name="cglogon">
<authentication-template>
form
</authentication-template>
<priority>21</priority>
<frontendtype>2</frontendtype>
<frontendtarget>com.sap.portal.runtime.logon.certlogon</frontendtarget>
</authscheme>
As you can see above, i wanted to try to use the standard sap screen: com.sap.portal.runtime.logon.certlogon
Also, the logon module stack called "form" contains one and only one login module: mycompany.com.CGLoginModuleClass (REQUISITE)
Here is also the code to my Login() method of my module:
public boolean login() throws LoginException
Exception exception_on_the_way = null;
String passwordString = "";
NameCallback nc = new NameCallback("User:");
PasswordCallback pc = new PasswordCallback("Password:", false);
Callback[] callbacks = new Callback[] { nc, pc };
try
callbackHandler.handle(callbacks);
catch (IOException e)
exception_on_the_way = e;
catch (UnsupportedCallbackException e)
exception_on_the_way = e;
String userid = nc.getName();
char[] password = pc.getPassword();
pc.clearPassword();
if (userid.length() == 0)
throw new LoginException(MISSING_UID);
else
userName = userid;
if (password.length == 0)
throw new LoginException(MISSING_PASSWORD);
else
passwordString = new String(password);
try
refreshUserInfo(userName);
catch (SecurityException e)
exception_on_the_way = e;
if (exception_on_the_way != null)
// A productive application should write an entry
// into the trace here
exception_on_the_way.printStackTrace();
throw new LoginException("Could not handle callbacks");
String eccLoginResult = "";
//eccLoginResult = validateECCAuthentication(userName, passwordString);
if (!eccLoginResult.equals(""))
//throwNewLoginException(eccLoginResult);
//throw new LoginException(USER_AUTH_FAILED);
throwNewLoginException("Wrong UserId/Password", LoginExceptionDetails.WRONG_USERNAME_PASSWORD_COMBINATION);
else
successful = true;
if (sharedState.get(AbstractLoginModule.NAME) == null)
sharedState.put(AbstractLoginModule.NAME, userName);
nameSet = true;
return true;
I set up a random iview in the portal to use our new authentication scheme: cglogon by changing the iview property Authentication Scheme.
After clicking the logon button, My login() method gets called and sucessful is set to true. Also the commit() method gets called.
Problem: However, the screen gets redirected to the logon screen again...
Here is the trace in the logs:
Used Passport Type: 3
#[Security Context : [Security Session (3929) for kcf created at Thu Nov 06 08:40:44 PST 2008]]#
#1.5 #0018FE8C6FD8007200003781000041C100045B07FD434AB8#1225989778316#com.sap.engine.services.security.sessionmanagement##com.sap.engine.services.security.sessionmanagement#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Debug##Java###Persistent listeners of {0} notified#1#[Security Context : [Security Session (3929) for kcf created at Thu Nov 06 08:40:44 PST 2008]]#
#1.5 #0018FE8C6FD8007200003782000041C100045B07FD4353D2#1225989778319#com.sap.engine.services.security.authentication.programmatic#sap.com/irj#com.sap.engine.services.security.authentication.programmatic.logon#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Path##Java###Entering method with ({0})#1#com.sap.engine.services.servlets_jsp.server.runtime.client.HttpServletRequestFacade@2cbd9a10, com.sap.engine.services.servlets_jsp.server.runtime.client.HttpServletResponseFacade@5db3e73e, cglogon#
#1.5 #0018FE8C6FD8007200003783000041C100045B07FD435510#1225989778319#com.sap.engine.services.security.policyconfiguration#sap.com/irj#com.sap.engine.services.security.policyconfiguration#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Debug##Java###Security context [{0}] successfully loaded from cache.#1#form#
#1.5 #0018FE8C6FD8007200003784000041C100045B07FD43559B#1225989778319#com.sap.engine.services.security.policyconfiguration#sap.com/irj#com.sap.engine.services.security.policyconfiguration#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Path##Plain###Entering PolicyConfigurationSecurityContext.getAuthenticationContext()#
#1.5 #0018FE8C6FD8007200003785000041C100045B07FD43560F#1225989778319#com.sap.engine.services.security.policyconfiguration#sap.com/irj#com.sap.engine.services.security.policyconfiguration#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Path##Plain###Exiting PolicyConfigurationSecurityContext.getAuthenticationContext()#
#1.5 #0018FE8C6FD8007200003786000041C100045B07FD435864#1225989778320#com.sap.engine.services.security.policyconfiguration#sap.com/irj#com.sap.engine.services.security.policyconfiguration#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Debug##Java###New policy configuration modification context successfully created for configuration with path [{0}].#1#security/configurations/form#
#1.5 #0018FE8C6FD8007200003787000041C100045B07FD4358F8#1225989778320#com.sap.engine.services.security.policyconfiguration#sap.com/irj#com.sap.engine.services.security.policyconfiguration#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Path##Plain###Entering Storage.getStorage(Configuration config)#
#1.5 #0018FE8C6FD8007200003788000041C100045B07FD435983#1225989778320#com.sap.engine.services.security.policyconfiguration#sap.com/irj#com.sap.engine.services.security.policyconfiguration#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Debug##Java###New storage [{0}] created.#1#com.sap.engine.services.security.server.storage.AtomicStorage@3091c97c#
#1.5 #0018FE8C6FD8007200003789000041C100045B07FD435A00#1225989778320#com.sap.engine.services.security.policyconfiguration#sap.com/irj#com.sap.engine.services.security.policyconfiguration#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Path##Plain###Exiting Storage.getStorage(Configuration config)#
#1.5 #0018FE8C6FD800720000378A000041C100045B07FD435A7B#1225989778320#com.sap.engine.services.security.policyconfiguration#sap.com/irj#com.sap.engine.services.security.policyconfiguration#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Path##Plain###Entering Storage.begin()#
#1.5 #0018FE8C6FD800720000378B000041C100045B07FD435B31#1225989778321#com.sap.engine.services.security.policyconfiguration#sap.com/irj#com.sap.engine.services.security.policyconfiguration#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Debug##Java###New configuration handler [{0}] created.#1#com.sap.engine.core.configuration.impl.ConfigurationHandlerImpl@334304cd#
#1.5 #0018FE8C6FD800720000378C000041C100045B07FD435BC8#1225989778321#com.sap.engine.services.security.policyconfiguration#sap.com/irj#com.sap.engine.services.security.policyconfiguration#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Path##Plain###Exiting Storage.begin()#
#1.5 #0018FE8C6FD800720000378D000041C100045B07FD435C3A#1225989778321#com.sap.engine.services.security.policyconfiguration#sap.com/irj#com.sap.engine.services.security.policyconfiguration#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Debug##Plain###New modification bundle started for the current thread.#
#1.5 #0018FE8C6FD800720000378E000041C100045B07FD435CC6#1225989778321#com.sap.engine.services.security.policyconfiguration#sap.com/irj#com.sap.engine.services.security.policyconfiguration#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Debug##Java###Trying to get configuration [{0}] from storage; write access [{1}]; create if missing [{2}]#3#security/configurations/form/security/authentication#false#false#
#1.5 #0018FE8C6FD800720000378F000041C100045B07FD435DC0#1225989778321#com.sap.engine.services.security.policyconfiguration#sap.com/irj#com.sap.engine.services.security.policyconfiguration#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Debug##Java###Configuration returned from storage successfully [{0}].#1#security/configurations/form/security/authentication#
#1.5 #0018FE8C6FD8007200003790000041C100045B07FD436148#1225989778322#com.sap.engine.services.security.policyconfiguration#sap.com/irj#com.sap.engine.services.security.policyconfiguration#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Path##Plain###Entering Storage.forget()#
#1.5 #0018FE8C6FD8007200003791000041C100045B07FD436225#1225989778322#com.sap.engine.services.security.policyconfiguration#sap.com/irj#com.sap.engine.services.security.policyconfiguration#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Path##Plain###Exiting Storage.forget()#
#1.5 #0018FE8C6FD8007200003792000041C100045B07FD43629D#1225989778322#com.sap.engine.services.security.policyconfiguration#sap.com/irj#com.sap.engine.services.security.policyconfiguration#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Debug##Plain###Successful forget of modification bundle for the current thread.#
#1.5 #0018FE8C6FD8007200003793000041C100045B07FD4363B9#1225989778323#com.sap.engine.services.security.authentication.logincontext#sap.com/irj#com.sap.engine.services.security.authentication.logincontext#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Info##Plain###Re-authentication requested.#
#1.5 #0018FE8C6FD8007200003794000041C100045B07FD4364BA#1225989778323#com.sap.engine.services.security.policyconfiguration#sap.com/irj#com.sap.engine.services.security.policyconfiguration#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Debug##Java###Security context [{0}] successfully loaded from cache.#1#form#
#1.5 #0018FE8C6FD8007200003795000041C100045B07FD436534#1225989778323#com.sap.engine.services.security.policyconfiguration#sap.com/irj#com.sap.engine.services.security.policyconfiguration#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Path##Plain###Entering PolicyConfigurationSecurityContext.getAuthenticationContext()#
#1.5 #0018FE8C6FD8007200003796000041C100045B07FD4365A6#1225989778323#com.sap.engine.services.security.policyconfiguration#sap.com/irj#com.sap.engine.services.security.policyconfiguration#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Path##Plain###Exiting PolicyConfigurationSecurityContext.getAuthenticationContext()#
#1.5 #0018FE8C6FD8007200003797000041C100045B07FD439765#1225989778336#com.sap.engine.services.security.authentication.logincontext#sap.com/irj#com.sap.engine.services.security.authentication.logincontext#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Info##Java###User [{0}] attempt to re-authenticate.#1#kcf#
#1.5 #0018FE8C6FD8007200003798000041C100045B07FD439CA1#1225989778337#com.sap.engine.services.security.sessionmanagement#sap.com/irj#com.sap.engine.services.security.sessionmanagement#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Info##Java###Principal {0} assigned to {1}#2#kcf#[Security Session (3929) for kcf created at Thu Nov 06 08:40:44 PST 2008]#
#1.5 #0018FE8C6FD8007200003799000041C100045B07FD439D6C#1225989778338#com.sap.engine.services.security.sessionmanagement#sap.com/irj#com.sap.engine.services.security.sessionmanagement#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Info##Java###Subject {0} assigned to {1}#2#Subject:
Principal: kcf
#[Security Session (3929) for kcf created at Thu Nov 06 08:40:44 PST 2008]#
#1.5 #0018FE8C6FD800720000379A000041C100045B07FD439DF3#1225989778338#com.sap.engine.services.security.authentication.logincontext#sap.com/irj#com.sap.engine.services.security.authentication.logincontext#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Info##Java###Re-authentication for user [{0}] successfull.#1#kcf#
#1.5 #0018FE8C6FD800720000379C000041C100045B07FD439F9B#1225989778338#com.sap.engine.services.security.authentication.logincontext#sap.com/irj#com.sap.engine.services.security.authentication.logincontext#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Info#1#/System/Security/Authentication#Plain###LOGIN.OK
User: kcf
Authentication Stack: form
Login Module Flag Initialize Login Commit Abort Details
1. mycompany.com.CGLoginModuleClass REQUISITE ok true true
Central Checks true #
#1.5 #0018FE8C6FD800720000379D000041C100045B07FD43A10D#1225989778338#com.sap.engine.services.security.authentication.programmatic#sap.com/irj#com.sap.engine.services.security.authentication.programmatic.logon#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Debug##Plain###Security session assigned successfully to the http session.#
#1.5 #0018FE8C6FD800720000379F000041C100045B07FD43CC17#1225989778349#com.sap.engine.services.security.authentication.programmatic#sap.com/irj#com.sap.engine.services.security.authentication.programmatic#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Path##Plain###Exiting logon with authenticated subject.#
#1.5 #0018FE8C6FD80072000037A0000041C100045B07FD43D9FE#1225989778353#com.sap.engine.services.security.authentication.programmatic#sap.com/irj#com.sap.engine.services.security.authentication.programmatic.isAuthenticated#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Path##Java###Entering method with ({0})#1#KCF#
#1.5 #0018FE8C6FD80072000037A1000041C100045B07FD43DAC6#1225989778353#com.sap.engine.services.security.authentication.programmatic#sap.com/irj#com.sap.engine.services.security.authentication.programmatic.isAuthenticated#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Path##Java###Exiting method with {0}#1#false#
#1.5 #0018FE8C6FD80072000037A2000041C100045B07FD440358#1225989778364#com.sap.engine.services.security.authentication.logonapplication#sap.com/irj#com.sap.engine.services.security.authentication.logonapplication.initBeans#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Info##Plain###LanguagesBean created#
#1.5 #0018FE8C6FD80072000037A3000041C100045B07FD44045E#1225989778364#com.sap.engine.services.security.authentication.logonapplication#sap.com/irj#com.sap.engine.services.security.authentication.logonapplication.executeRequest#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Info##Plain###No command found, forwarding to umLogonPage#
#1.5 #0018FE8C6FD80072000037A4000041C100045B07FD4429BF#1225989778373#com.sap.engine.services.security.sessionmanagement##com.sap.engine.services.security.sessionmanagement#kcf#3929##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Path##Java###Entering SecurityContext.empty() on {0}#1#[Security Context : [Security Session (3929) for kcf created at Thu Nov 06 08:40:44 PST 2008]]#
#1.5 #0018FE8C6FD80072000037A5000041C100045B07FD442AC1#1225989778374#com.sap.engine.services.security.sessionmanagement##com.sap.engine.services.security.sessionmanagement#Guest#0##castoldi_EPX_176065950#KCF#a839a030ac2111ddb3dd0018fe8c6fd8#SAPEngine_Application_Thread[impl:3]_35##0#0#Debug##Java###Notifying persistent listener {0} of {1}#2#
User ID : kcf
Service Type : Web Request
Action Name : Appl.: irj:com.cg.ivu_saplogon_0
Action Type : http
Additional Info : null
CPU Time [us] : 0
Queue Time [us] : 4295152
No of ext. calls : 0
Edited by: K Ferguson on Nov 6, 2008 6:07 PMI am facing the same problem.
And how was is solved ?
Thanks -
Custom login module error: Login permission not granted for myapp (myuser)
I have developed a custom login module for my application. I have followed the steps outlined in security guide and other postings. I could not log into the application when I access EJBs from an RMI client. I get the following error.
Login permission not granted for myapp (myuser)
I did grant the login permission to myuser.
I am using OC4J 10.1.3.1.0
Here are the steps I followed and the configuration files. Can anybody help me out?
1. Created a custom login module and packaged it in EAR along with other classes. In the commit method, I added my user into principals of subject. Here is the code,
==================================================================
public boolean commit() throws LoginException {
try {
if (!loginOk) {
return false;
Set<Principal> principals = subject.getPrincipals();
principals.add(user);
loginOk = true;
} finally {
// Some audit logs are written here.
return loginOk;
===============================================================
2. Added custom login module in orion-application.xml. Here are the relevant portions of orion-application.xml
===============================================================
<jazn provider="XML">
<property name="role.mapping.dynamic" value="true" />
<property name="custom.loginmodule.provider" value="true" />
<property name="role.compare.ignorecase" value="true" />
</jazn>
<jazn-loginconfig>
<application>
<name>myApp</name>
<login-modules>
<login-module>
<class>com.test.myServerLoginModule</class>
<control-flag>required</control-flag>
<options>
<option>
<name>maxRetries</name>
<value>3</value>
</option>
<option>
<name>debug</name>
<value>true</value>
</option>
</options>
</login-module>
</login-modules>
</application>
</jazn-loginconfig>
<namespace-access>
<read-access>
<namespace-resource root="">
<security-role-mapping name="myUser">
<group name="users"/>
<group name="oc4j-app-administrators"/>
</security-role-mapping>
<security-role-mapping name="esp_operator">
<group name="users"/>
<group name="oc4j-app-administrators"/>
</security-role-mapping>
</namespace-resource>
</read-access>
</namespace-access>
===============================================================
3. After the application is deployed on the EAR, I can see the custom login module in system-jazn-data.xml. The command line jazn admin tool lists my custom login module for my application.
4. I have an RMI client, the client JNDI properties are
==============================================================
java.naming.factory.initial=oracle.j2ee.naming.ApplicationClientInitialContextFactory
java.naming.factory.url.pkgs=oracle.j2ee.naming
==============================================================
The value for java.naming.provider.url is constructed dynamically and it is ormi://myserver:23791/myapp
java.naming.security.principal is set to the user who is trying to login, myuser, in this case.
java.naming.security.credentials is set to the password entered by myuser, password in this case.
5. I used jazn admin tool to grant login permission to my user.
===============================================================
a. Added user
java -jar jazn.jar -user oc4jadmin -password welcome -adduser jazn.com myuser password
b. Grant roles
java -jar jazn.jar -user oc4jadmin -password welcome -grantrole users ja
zn.com myuser
java -jar jazn.jar -user oc4jadmin -password welcome -grantrole oc4j-app
-administrators jazn.com myuser
c. Grant RMI permission
java -jar jazn.jar -user oc4jadmin -password welcome -grantperm jazn.com
-user myuser com.evermind.server.rmi.RMIPermission login
===============================================================
After the permission is granted, the folowing piece of XML is added to system-jazn-data.xml.
===============================================================
<grant>
<grantee>
<principals>
<principal>
<realm-name>jazn.com</realm-name>
<type>user</type>
<class>oracle.security.jazn.spi.xml.XMLRealmUser</class>
<name>jazn.com/esp_administrator</name>
</principal>
</principals>
</grantee>
<permissions>
<permission>
<class>com.evermind.server.rmi.RMIPermission</class>
<name>login</name>
</permission>
</permissions>
</grant>
==============================================================
My principal class is not of type, oracle.security.jazn.spi.xml.XMLRealmUser. Hence, I changed system-jazn-data.xml to include com.test.MyUser instead of oracle.security.jazn.spi.xml.XMLRealmUser. Either way, I get Not Authorized and Login permission not granted for myapp (myuser).
Can anybody help me out, please?
Thank you,
Sri
Message was edited by:
user532586I finally got it to work. But I have a problem granting RMI Permission "login", if the depth of my Principal class within the inheritance hierarachy is more than one. My hierarachy of my principal class is
Object --> ObjectA --> ObjectB --> ObjectC --> ObjectD
ObjectD is my principal class. ObjectB implements java.security.Principal. ObjectA has implementations for methods equals, hashcode and toString. ObjectB has implementations for getName.
When I try to grant RMI permission for ObjectD, I get an error that says null.
If I override the methods, equals, hashcode, toString, and getName in ObjectD and provide implementations, I still could not grant permission using jazn tool. I get error that says null. If I update the system-jazn-data.xml with the following grant tag, I could get into the application without any errors.
<grant>
<grantee>
<principals>
<principal>
<class>com.test.ObjectD</class>
<name>developers</name>
</principal>
</principals>
</grantee>
<permissions>
<permission>
<class>com.evermind.server.rmi.RMIPermission</class>
<name>login</name>
</permission>
</permissions>
</grant>
If I create a new class, myPrincipal that implements java.security.Principal, I donot have any problems. I can grant permission and access application.
Any ideas why I could not use ObjectD as my principal class for granting RMI permission?
Message was edited by:
user532586 -
How do I use my own Custom Auth/Authentication/Entitlement (Token)?
[ Background ]
Adobe Access DRM provides for 3 authentication mechanisms:
Anonymous - Licenses are issued irregardless on if there is/isn't a valid authentication token attached to the license request.
UsernamePassword - Licenses are ONLY issued if the license request has a valid Adobe-Access-Server-Issued authentication token.
Custom - Licenses are ONLY issued if there is a valid cusom authentication token attached to the license request.
Typically, customers already have some authentication scheme in place and choose to re-use that system, instead of leveraging Adobe Access' built-in usernamePassword support. For this to succeed, accomodations must be made during packaging time, on the client device, and at the Adobe Access license server endpoint.
[ More Background ]
Here's a forum thread that prompted this thread: http://forums.adobe.com/message/5085330#5085330
[ Recipe ]
1. Adobe Access DRM Policy is created that specifies a "custom" authentication token. As of Adobe Access 4.0, the tools that ship with the Java SDK cannot create a DRM policy with "custom" authentication out the box; a small Java application will have to be written to do this, which is covered in the thread posted above.
2. Content is packaged using this custom_auth policy.
3. Client device performs authentication via whatever channel already exists for you to perform authentication (e.g. SAML tokens, etc...)
4. Client device sets the authentication token: DRMManager.setAuthenticationToken()
5. Client device attempts to acquire a license for the content created in step #2: DRMManager.loadVoucher();
5a) Because step #4 set the authentication, all license requests going forward will automatically have this custom auth token appended to it
6. License server receives request & extracts custom auth token to parse & perform additional entitlement checks
7. Licnese server generates a license to return to client device.
[ Server Code Snippet (RefImplLicenseReqHandler.java) ]
try {
ServletInputStream in = request.getInputStream();
ServletOutputStream out = response.getOutputStream();
HandlerConfiguration context = super.getHandlerContext();
ServerCredential licenseServerCred = getLicenseParams().getLicenseServerCred();
licenseHandler = new LicenseHandler(context, in, out, licenseServerCred);
licenseHandler.parseRequest();
List<? extends LicenseRequestMessage> requests = licenseHandler.getRequests();
// Multiple request in one message is not supported in FAXS 2.0 or 3.0 client.
for (LicenseRequestMessage licenseReq : requests) {
try {
// TODO: If custom authentication is specified in the DRM policy, here is where
// you can retrieve the custom authentication token and perform custom parsing to
// determine further business rules and entitlement before issuing a license.
// The "Custom Authentication" will look like:
// 1. Client device obtains auth token using some other channel
// 2. Client device sets auth token by calling DRMManager.setAuthenticationToken()
// 3. Client makes a license request by calling DRMManager.loadVoucher()
// 4. Adobe Access Server receives request and:
// 4a) Determines Custom Auth is required by DRM Policy: licenseReq.getContentInfo().getContentMetadata().getPolicies()[0].getLicenseServerInfo(). getAuthenticationType();
// 4b) Retrieves Custom Auth token for custom parsing/handling: licenseReq.getRawAuthenticationToken()
// 5. If there are no errors when parsing the custom token, Adobe Access Server generates a license.
V2ContentMetaData metadata = licenseReq.getContentInfo().getContentMetadata();
ApplicationProperties applicationProperties = null;
String usageModelString = null;
if (metadata != null) {
applicationProperties = metadata.getCustomProperties();
if (applicationProperties != null) {
usageModelString = applicationProperties.getSingleValueAsUTF8String(DEMOMODE);
cheers,
/Eric.Google Search: '''firefox create a persona'''
* '''Personas for Firefox''' | How to Create Personas<br>https://www.getpersonas.com/en-US/demo_create
* '''Personas for Firefox''' | Frequent Questions<br>http://www.getpersonas.com/en-US/faq
* '''Personas for Firefox''' | Getting Started<br>http://www.getpersonas.com/en-US/getting_started
'''I think you'd have a lot more fun with Styles though''', personas tend to hide things on toolbars, styles can be more helpful (or just as bad)
* '''Stylish''' :: Add-ons for Firefox<br>https://addons.mozilla.org/en-US/firefox/addon/stylish/
* '''Restyle the web with Stylish!''' - userstyles.org<br>http://userstyles.org/
* '''Scrollbar Context Menu''' - Themes and Skins for Browser - userstyles.org<br>http://userstyles.org/styles/54
* '''Scrollbar Menu''' - Themes and Skins for Browser - userstyles.org<br>http://userstyles.org/styles/52
* '''Link Warning''' - Themes and Skins for Mozilla - userstyles.org<br>http://userstyles.org/styles/1301
* '''Tabs, Enlarge list-all-tabs button''' - Themes and Skins for Browser - userstyles.org<br>http://userstyles.org/styles/18553
* '''Tabs Bar Minimal Size''' - Themes and Skins for Browser - userstyles.org<br>http://userstyles.org/styles/9043
* '''Tab Color Underscoring active/read/unread (Fx3.6)''' - Themes and Skins for Browser - userstyles.org<br>http://userstyles.org/styles/24728 -
Custom Authentication Module on Identity Server
Hi,
I have a custom authentication module which I am trying to access through the policy agent.
I have set the following property in AMAgent.properties file
com.sun.am.policy.am.loginURL= http://host:port/amserver/UI/Login?module=CustomLoginModule.
My login module code is something like this:
package com.iplanet.am.samples.authentication.providers;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.login.LoginException;
import com.sun.identity.authentication.spi.AMLoginModule;
import com.sun.identity.authentication.spi.AuthLoginException;
import java.rmi.RemoteException;
import java.io.FileInputStream;
import java.util.Properties;
public class LoginModule1 extends AMLoginModule
private String userName;
private String userTokenId;
private HashMap usersMap;
private java.security.Principal userPrincipal = null;
public LoginModule1() throws LoginException
public void init(Subject subject, Map sharedState, Map options)
System.out.println("LoginModule1 initialization");
usersMap = new HashMap();
ResourceBundle bundle = ResourceBundle.getBundle("users");
Enumeration users = bundle.getKeys();
while (users.hasMoreElements())
String user = (String)users.nextElement();
String password = bundle.getString(user.trim());
usersMap.put(user, password);
public int process(Callback[] callbacks, int state) throws AuthLoginException
int currentState = state;
if (currentState == 1)
userName = ((NameCallback) callbacks[0]).getName().trim();
char[] passwd = ((PasswordCallback) callbacks[1]).getPassword();
String passwdString = new String (passwd);
if (userName.equals(""))
throw new AuthLoginException("names must not be empty");
if (userName.equals("testuser") && passwdString.equals("testuser"))
userTokenId = userName;
return -1;
if (usersMap.containsKey(userName))
if (usersMap.get(userName).equals(new String(passwd)))
userTokenId = userName;
return -1;
return 0;
public java.security.Principal getPrincipal()
if (userPrincipal != null)
return userPrincipal;
else
if (userTokenId != null)
userPrincipal = new SamplePrincipal("testuser");
return userPrincipal;
else
return null;
So When the user requests a protected resource, the policy agent forwards the user to Identity Server with the module as CustomLoginModule. However, after this, authentication does not succeed and I get the following error message in the agent log file.
2004-08-09 15:24:08.640 Error 2712:130f060 PolicyAgent: validate_session_policy() access allowed to unknown user
2004-08-09 15:24:09.030 Error 2712:24fda5e8 PolicyAgent: validate_session_policy() access allowed to unknown user
2004-08-09 15:24:23.484 Error 2712:130f060 PolicyAgent: validate_session_policy() access allowed to unknown user
2004-08-09 15:24:28.281 Error 2712:24fda5e8 PolicyEngine: am_policy_evaluate: InternalException in Service::construct_auth_svc with error message:Application authentication failed during service creation. and code:20
2004-08-09 15:24:28.281 Error 2712:24fda5e8 PolicyAgent: validate_session_policy() access allowed to unknown user
2004-08-09 15:24:29.484 Error 2712:130f060 PolicyAgent: validate_session_policy() access allowed to unknown user
2004-08-09 15:24:29.499 Error 2712:24fda5e8 PolicyEngine: am_policy_evaluate: InternalException in Service::construct_auth_svc with error message:Application authentication failed during service creation. and code:20
2004-08-09 15:24:29.499 128 2712:24fda5e8 RemoteLog: User unknown was denied access to http://ps0391.persistent.co.in:80/test/index.html.
2004-08-09 15:24:29.499 Error 2712:24fda5e8 LogService: LogService::logMessage() loggedBy SSOTokenID is invalid.
2004-08-09 15:24:29.499 Error 2712:24fda5e8 all: am_log_vlog() failed with status AM_REMOTE_LOG_FAILURE.
2004-08-09 15:24:29.499 -1 2712:24fda5e8 PolicyAgent: validate_session_policy() access denied to unknown user
The necessary policy object is already created in Identity Server. Please send your suggestions to fix this problem.
Thanks
SrinivasDoes the principal "testuser" exist in your realm? If I understand your module correctly, it looks like it always returns "testuser".
I am guessing that Access Manager is not finding your principal. Typically if access manager cannot associate the principal returned by the custom AMLoginModule it will fail the authentication.
I am wondering if this is related to a seperate problem I have seen with custom login modules. Try chaning the code to return an LDAP style principal it may work:
so return "uid=testuser,ou=People,dc=yourdomain,dc=com" for example. In theory this should not be necessary but it solved some problems for me, though I am not sure why. -
Help - using custom login module with embedded jdev oc4j to access ejb 3
Hi All (Frank ??),
I'm just wondering if anyone has successfully been able to leverage a custom login module in combination
with a client that connects to a local EJB 3 stateless session bean through Jdeveloper 10.1.3.2's embedded oc4j.
I have spent 2+ days trying to get this to work - and i think I resound now to the fact im going to
have to deploy to oc4j standalone instead.
I got close.. but finally was trumped with the following error from the client trying to access the ejb:-
javax.naming.NoPermissionException: Not allowed to look up XXXXXX, check the namespace-access tag
setting in orion-application.xml for details.
Using the various guides available, I had no problem getting the custom login module working
with a local servlet running from JDev's embedded oc4j.. however with ejb - no such luck.
I have a roles table (possible values Member, Admin) - that maps to sr_Member and sr_Admin
respectively in various config files.
I'm using EJB 3 annotations for protecting methods .. for example
@RolesAllowed("sr_Member")
Steps that I had to do so far :-
In <jdevhome>\jdev\system\oracle.jwee.10.1.3.40.66\embedded-oc4j\config\system-jazn-data.xml1) Add custom login module
<application>
<name>current-workspace-app</name>
<login-modules>
<login-module>
<class>kr.security.KnowRushLoginModule</class>
<control-flag>required</control-flag>
<options>
<option>
<name>dataSource</name>
<value>jdbc/DB_XE_KNOWRUSHDS</value>
</option>
<option>
<name>user.table</name>
<value>users</value>
</option>
<option>
<name>user.pk.column</name>
<value>id</value>
</option>
<option>
<name>user.name.column</name>
<value>email_address</value>
</option>
<option>
<name>user.password.column</name>
<value>password</value>
</option>
<option>
<name>role.table</name>
<value>roles</value>
</option>
<option>
<name>role.to.user.fk.column</name>
<value>user_id</value>
</option>
<option>
<name>role.name.column</name>
<value>name</value>
</option>
</options>
</login-module>
</login-modules>
</application>2) Grant login rmi permission to roles associated with custom login module (also in system-jazn-data.xml)
<grant>
<grantee>
<principals>
<principal>
<realm-name>jazn.com</realm-name>
<type>role</type>
<class>kr.security.principals.KRRolePrincipal</class>
<name>Admin</name>
</principal>
</principals>
</grantee>
<permissions>
<permission>
<class>com.evermind.server.rmi.RMIPermission</class>
<name>login</name>
</permission>
</permissions>
</grant>
<grant>
<grantee>
<principals>
<principal>
<realm-name>jazn.com</realm-name>
<type>role</type>
<class>kr.security.principals.KRRolePrincipal</class>
<name>Member</name>
</principal>
</principals>
</grantee>
<permissions>
<permission>
<class>com.evermind.server.rmi.RMIPermission</class>
<name>login</name>
</permission>
</permissions>
</grant>3) I've tried creating various oracle and j2ee deployment descriptors (even though ejb-jar.xml and orion-ejb-jar.xml get created automatically when running the session bean in jdev).
My ejb-jar.xml contains :-
<?xml version="1.0" encoding="utf-8"?>
<ejb-jar xmlns ....
<assembly-descriptor>
<security-role>
<role-name>sr_Admin</role-name>
</security-role>
<security-role>
<role-name>sr_Member</role-name>
</security-role>
</assembly-descriptor>
</ejb-jar>Note- i'm not specifying the enterprise-beans stuff, as JDev seems to populate this automatically.
My orion-ejb-jar.xml contains ...
<?xml version="1.0" encoding="utf-8"?>
<orion-ejb-jar ...
<assembly-descriptor>
<security-role-mapping name="sr_Admin">
<group name="Admin"></group>
</security-role-mapping>
<security-role-mapping name="sr_Member">
<group name="Member"></group>
</security-role-mapping>
<default-method-access>
<security-role-mapping name="sr_Member" impliesAll="true">
</security-role-mapping>
</default-method-access>
</assembly-descriptor>My orion-application.xml contains ...
<?xml version="1.0" encoding="utf-8"?>
<orion-application xmlns ...
<security-role-mapping name="sr_Admin">
<group name="Admin"></group>
</security-role-mapping>
<security-role-mapping name="sr_Member">
<group name="Member"></group>
</security-role-mapping>
<jazn provider="XML">
<property name="role.mapping.dynamic" value="true"></property>
<property name="custom.loginmodule.provider" value="true"></property>
</jazn>
<namespace-access>
<read-access>
<namespace-resource root="">
<security-role-mapping name="sr_Admin">
<group name="Admin"/>
<group name="Member"/>
</security-role-mapping>
</namespace-resource>
</read-access>
<write-access>
<namespace-resource root="">
<security-role-mapping name="sr_Admin">
<group name="Admin"/>
<group name="Member"/>
</security-role-mapping>
</namespace-resource>
</write-access>
</namespace-access>
</orion-application>My essentially auto-generated EJB 3 client does the following :-
Hashtable env = new Hashtable();
env.put(Context.SECURITY_PRINCIPAL, "matt.shannon");
env.put(Context.SECURITY_CREDENTIALS, "welcome1");
final Context context = new InitialContext(env);
KRFacade kRFacade = (KRFacade)context.lookup("KRFacade");
...And throws the error
20/04/2007 00:55:37 oracle.j2ee.rmi.RMIMessages
EXCEPTION_ORIGINATES_FROM_THE_REMOTE_SERVER
WARNING: Exception returned by remote server: {0}
javax.naming.NoPermissionException: Not allowed to look
up KRFacade, check the namespace-access tag setting in
orion-application.xml for details
at
com.evermind.server.rmi.RMIClientConnection.handleLookupRe
sponse(RMIClientConnection.java:819)
at
com.evermind.server.rmi.RMIClientConnection.handleOrmiComm
andResponse(RMIClientConnection.java:283)
....I can see from the console that the user was successfully authenticated :-
20/04/2007 00:55:37 kr.security.KnowRushLoginModule validate
WARNING: [KnowRushLoginModule] User matt.shannon authenticated
And that user is granted both the Admin, and Member roles.
The test servlet using basic authentication correctly detects the user and roles perfectly...
public void doGet(HttpServletRequest request,
HttpServletResponse response)
throws ServletException, IOException
LOGGER.log(Level.INFO,LOGPREFIX +"doGet called");
response.setContentType(CONTENT_TYPE);
PrintWriter out = response.getWriter();
out.println("<html>");
out.println("<head><title>ExampleServlet</title></head>");
out.println("<body>");
out.println("<p>The servlet has received a GET. This is the reply.</p>");
out.println("<br> getRemoteUser = " + request.getRemoteUser());
out.println("<br> getUserPrincipal = " + request.getUserPrincipal());
out.println("<br> isUserInRole('sr_Admin') = "+request.isUserInRole("sr_Admin"));
out.println("<br> isUserInRole('sr_Memeber') = "+request.isUserInRole("sr_Member"));Anyone got any ideas what could be going wrong?
cheers
Matt.
Message was edited by:
mshannonThanks for the response. I checked out your blog and tried your suggestions. I'm sure it works well in standalone OC4J, but i was still unable to get it to function correctly from JDeveloper embedded.
Did you ever get the code working directly from JDeveloper?
Your custom code essentially seems to be the equivalent of a grant within system-jazn-data.xml.
For example, the following grant to a custom jaas role (JAAS_ADMIN) that gets added by my custom login module gives them rmi login access :-
<grant>
<grantee>
<principals>
<principal>
<realm-name>jazn.com</realm-name>
<type>role</type>
<class>kr.security.principals.KRRolePrincipal</class>
<name>JAAS_Admin</name>
</principal>
</principals>
</grantee>
<permissions>
<permission>
<class>com.evermind.server.rmi.RMIPermission</class>
<name>login</name>
</permission>
</permissions>
</grant>If I add the following to orion-application.xml
<!-- Granting login permission to users accessing this EJB. -->
<namespace-access>
<read-access>
<namespace-resource root="">
<security-role-mapping>
<group name="JAAS_Admin"></group>
</security-role-mapping>
</namespace-resource>
</read-access>Running a standalone client against the embedded jdev oc4j server gives the namespace-access error.
I tried out your code by essentially creating a static reference to a singleton class that does the role lookup/provisioning with rmi login grant :-
From custom login module :-
private static KRSecurityHelper singleton = new KRSecurityHelper();
protected Principal[] m_Principals;
Vector v = new Vector();
v.add(singleton.getCustomRmiConnectRole());
// set principals in LoginModule
m_Principals=(Principal[]) v.toArray(new Principal[v.size()]);
Singleton class :-
package kr.security;
import com.evermind.server.rmi.RMIPermission;
import java.util.logging.Level;
import java.util.logging.Logger;
import oracle.security.jazn.JAZNConfig;
import oracle.security.jazn.policy.Grantee;
import oracle.security.jazn.realm.Realm;
import oracle.security.jazn.realm.RealmManager;
import oracle.security.jazn.realm.RealmRole;
import oracle.security.jazn.realm.RoleManager;
import oracle.security.jazn.policy.JAZNPolicy;
import oracle.security.jazn.JAZNException;
public class KRSecurityHelper
private static final Logger LOGGER = Logger.getLogger("kr.security");
private static final String LOGPREFIX = "[KRSecurityHelper] ";
public static String CUSTOM_RMI_CONNECT_ROLE = "remote_connect";
private RealmRole m_Role = null;
public KRSecurityHelper()
LOGGER.log(Level.FINEST,LOGPREFIX +"calling JAZNConfig.getJAZNConfig");
JAZNConfig jc = JAZNConfig.getJAZNConfig();
LOGGER.log(Level.FINEST,LOGPREFIX +"calling jc.getRealmManager");
RealmManager realmMgr = jc.getRealmManager();
try
// Get the default realm .. e.g. jazn.com
LOGGER.log(Level.FINEST,LOGPREFIX +"calling jc.getGetDefaultRealm");
Realm r = realmMgr.getRealm(jc.getDefaultRealm());
LOGGER.log(Level.INFO,LOGPREFIX +"default realm: "+r.getName());
// Access the role manager for the remote connection role
LOGGER.log(Level.FINEST,
LOGPREFIX +"calling default_realm.getRoleManager");
RoleManager roleMgr = r.getRoleManager();
LOGGER.log(Level.INFO,LOGPREFIX +"looking up custom role '"
CUSTOM_RMI_CONNECT_ROLE "'");
RealmRole rmiConnectRole = roleMgr.getRole(CUSTOM_RMI_CONNECT_ROLE);
if (rmiConnectRole == null)
LOGGER.log(Level.INFO,LOGPREFIX +"role does not exist, create it...");
rmiConnectRole = roleMgr.createRole(CUSTOM_RMI_CONNECT_ROLE);
LOGGER.log(Level.FINEST,LOGPREFIX +"constructing new grantee");
Grantee gtee = new Grantee(rmiConnectRole);
LOGGER.log(Level.FINEST,LOGPREFIX +"constructing login rmi permission");
RMIPermission login = new RMIPermission("login");
LOGGER.log(Level.FINEST,
LOGPREFIX +"constructing subject.propagation rmi permission");
RMIPermission subjectprop = new RMIPermission("subject.propagation");
// make policy changes
LOGGER.log(Level.FINEST,LOGPREFIX +"calling jc.getPolicy");
JAZNPolicy policy = jc.getPolicy();
if (policy != null)
LOGGER.log(Level.INFO, LOGPREFIX
+ "add to policy grant for RMI 'login' permission to "
+ CUSTOM_RMI_CONNECT_ROLE);
policy.grant(gtee, login);
LOGGER.log(Level.INFO, LOGPREFIX
+ "add to policy grant for RMI 'subject.propagation' permission to "
+ CUSTOM_RMI_CONNECT_ROLE);
policy.grant(gtee, subjectprop);
// m_Role = rmiConnectRole;
m_Role = roleMgr.getRole(CUSTOM_RMI_CONNECT_ROLE);
LOGGER.log(Level.INFO, LOGPREFIX
+ m_Role.getName() + ":" + m_Role.getFullName() + ":" + m_Role.getFullName());
else
LOGGER.log(Level.WARNING,LOGPREFIX +"Cannot find jazn policy!");
else
LOGGER.log(Level.INFO,LOGPREFIX +"custom role already exists");
m_Role = rmiConnectRole;
catch (JAZNException e)
LOGGER.log(Level.WARNING,
LOGPREFIX +"Cannot configure JAZN for remote connections");
public RealmRole getCustomRmiConnectRole()
return m_Role;
}Using the code approach and switching application.xml across so that namespace access is for the group remote_connect, I get the following error from my bean :-
INFO: Login permission not granted for current-workspace-app (test.user)
Thus, the login permission that I'm adding through the custom remote_connect role does not seem to work. Even if it did, i'm pretty sure I would still get that namespace error.
This has been such a frustrating process. All the custom login module samples using embedded JDeveloper show simple j2ee servlet protection based on settings in web.xml.
There are no samples showing jdeveloper embedded oc4j using ejb with custom login modules.
Hopefully the oc4j jdev gurus like Frank can write a paper that demonstrates this.
Matt. -
Custom login module on OC4J 10.1.3.3.0
Hi,
I need to implement custom web form-based authentication on OC4J, in order to port an existing JBoss app. I was following Frank's example at http://www.oracle.com/technology/products/jdev/howtos/10g/jaassec/index.htm. Trying to access protected pages will correctly redirect to the j_security_check page, and from there call my custom login module - through LoginContext. The issue is that - even if the LoginModule correctly authenticates user's credentials, the request still doesn't get through, coming back to the authentication page.
I perform the deployment using Oracle Enterprise Manager, and the relevant files are:
web.xml:
<login-config>
<auth-method>FORM</auth-method>
<realm-name>testJAAS</realm-name>
<form-login-config>
<form-login-page>/jsp/login.jsp</form-login-page>
<form-error-page>/jsp/login.jsp</form-error-page>
</form-login-config>
</login-config>
<!-- Security constraints -->
<security-constraint>
<web-resource-collection>
<web-resource-name>Test Secure Application</web-resource-name>
<description>Requires users to authenticate</description>
<url-pattern>faces/*</url-pattern>
<http-method>POST</http-method>
<http-method>GET</http-method>
<http-method>HEAD</http-method>
<http-method>PUT</http-method>
</web-resource-collection>
<auth-constraint>
<description>Only allow role1 users</description>
<role-name>role1</role-name>
</auth-constraint>
<user-data-constraint>
<description>Encryption is not required for the application in general. </description>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<!-- Define the security role(s) -->
<security-role>
<description>Example role</description>
<role-name>role1</role-name>
</security-role>
orion-web.xml:
schema-major-version="10" schema-minor-version="0" >
<!-- Uncomment this element to control web application class loader behavior.
<web-app-class-loader search-local-classes-first="true" include-war-manifest-class-path="true" />
-->
<resource-ref-mapping name="jdbc/lics" />
<security-role-mapping name="role1">
<group name="oc4j-app-administrators" />
</security-role-mapping>
<web-app>
</web-app>
orion-application.xml:
<jazn provider="XML" >
<property name="jaas.username.simple" value="true" />
<property name="custom.loginmodule.provider" value="true" />
<property name="role.mapping.dynamic" value="true" />
</jazn>
system-jazn-data.xml:
<jazn-loginconfig>
<application>
<name>le5</name>
<login-modules>
<login-module>
<class>com.tx.lic.oc4jsx.ext.LicLoginModule</class>
<control-flag>required</control-flag>
<options>
<option>
<name>defaultRole</name>
<value>role1</value>
</option>
</options>
</login-module>
</login-modules>
</application>
I assume something is wrong with the deployment configuration, b/c when I specifically add users to the defined role1 role, it works fine(see below). But this is not an option, since users should only be specified in the data store of the LoginModule.
Doing as above, the orion-web.xml is below:
<resource-ref-mapping name="jdbc/lic" />
<security-role-mapping name="role1">
<group name="oc4j-app-administrators" />
<user name="user1" />
<user name="user2" />
</security-role-mapping>
Any insight would be much appreciated. Thanks.Hi,
role to group mapping doesn't seem to work for custom LoginModules. This means hat your web applcation (web.xml) should use th same role names as used on the database authentication. So remove
<security-role-mapping name="role1">
<group name="oc4j-app-administrators" />
</security-role-mapping>
from orion-web.xml and it should start wrking
Frank -
Error in Custom Function Module
Hi,
I am working on implementing General Ledger Business content in financial Accounting.
We had a requirement of creating a Custom Virtual cube similar to 0FIGL_V10. Hence, we had copied the standard function module RS_BCT_FIGL_DATA_GET_VC10 and created a custom function module. Before doing that, we had copied the function group RS_BCT_FIGL and created a custom function group for the custom function module.Both were activated subsequently. Then, we had created a custom virtual cube (ZFIGL_V10) using the custom function module.
The queries on the Standard virtual cube were migrated to ZFIGL_V10 using the RSZC transaction code. when the queries are executed in RSRT, we get an error message "**An exception with the type CX_SY_DYN_CALL_ILLEGAL_FUNC occurred" and the ABAP debugger is started post that error.
Has anyone faced this problem before?could any of you provide some pointers to it.
Regards,
SainathYou cannot use the standard function module which is used for standard cube for another cube.
You should not change the function module.
Instead you can make a copy of the function module you are using aand use this copy in ur virtual cube which will work in the same way the actual Fm used to work and it will make you perfrom the changes.
Follow the below steps:
1) Goto SE37 and In the top tool bar click on the copy button which is on right side of delete button.
2) in fr FM give the name of the actual FM and in to Fm give the name of the function module you want to copy.
3) Then click on copy.
4) Now open this new function in edit mode and goto the import/export parameters and check. it will have all the same parameters as the actual FM. Here you can make the changes you want.
5) Now use this FM in your virtual cube and it will be working as per your requirement
https://forums.sdn.sap.com/click.jspa?searchID=9605118&messageID=4999763
Hope it Helps
Chetan
@CP..
Maybe you are looking for
-
How to run Excel 2013 in MDI rather than SDI
Greetings All, I am interested in knowing how to make all my excel documents open in one window like the Excel 2010 did in Excel 2013. I understand that SDI is the new way of opening documents for the ease of looking at documents with multiple windo
-
I am very new to java and am trying to do a simple transformation from XML to HTML using. I have been working in JavaScript and do this all the time but i am really strugling to make it work in JAVA. i have a simple function public void transformXML(
-
I want to use Quartz from OpenSymphony with WebLogic. It is all running fine with Tomcat 5.5 and JBoss 4.01. Using WebLogic 8.1 SP4 I get the following errors: <15.04.2005 9.26 Uhr GMT+01:00> <Notice> <WebLogicServer> <BEA-000327>
-
How to Re install the photo shop CC (Whe)
When trying to add Photoshop CC as an application in Wacom menu, somehow lost it. Icon still there and still show in Finder but now get a message to reinstall. How??
-
Re: Can not get AX configured to wireless network/blinking amber light
Discovered my AX wasn't connected to my AEBS when i couldn't play iTunes through it. I probably screwed up the settings trying to get it to work. I'm running Leopard and Airport Utility shows my AX with an amber light and says that it found an AX wit