
J2EE 6.40 Custom Login Module - how to config

Former Member

hello all,

i am using WAS J2EE 6.40 Sneak Preview edition. Read all i can find about custom login module, in the forum and the online help. still confused. pls help.

here is the background info:

- i am writing a web app. the EAR file contains 5 ejbs, 1 war and bunch of java classes in jars.

- access to my web app is protected through url pattern (in web.xml), i've defined the same named security role in web.xml and on j2ee engine.

- my login module does the user name and password checking. both are stored in database through some other means.

- login is FORM based

following the discussion in another thread on the topic, i did the following:

#1 develop my login module code. packaged it in a jar, then sda file. deploy the sda as a library to the engine.

#2 add my login module to the security store through the security provider service.

#3 configure my web app to use the custom login module in web-j2ee-engine.xml

#4 deploy my web app through the ear file

at this point, in the visual administrator, i can see the library, the custom login module (added to the UME User Store), and also my web app has authentication set to use the custom login module (under policy configurations tab).

now i try to login to my web app. it correctly complains when i enter non-existent user or wrong password and brings me to the login failed jsp page. but when i enter both correctly (as stored in my database), i get http 403 error code. i know it is 403 because i set that error code to a special jsp page in web.xml.

question is why? now i create a user on the j2ee engine with the same name as in my user database. then i can login ok. i am confident that my login module is called since i see the println lines in j2ee engine server logs.

??? so i must be missing something obvious. is it because my web app is protected through security-role? i even tried removing all such roles, but still same problem.

??? or do i completely mis-understand how custom login modules are supposed to work. i thought it means i can authenticate users any way i want without having to use the j2ee engine's user mgmt. pls tell me if i am totally wrong.

??? or maybe my login module code is missing some key stmts. how should it tell the j2ee engine that a user is authenticated? in the login() method, it returns true if user name/passwd match. in the commit() method, it adds the principal to the subject. i don't know what else is required.

does anyone have a working scenario using custom login modules?

thanks very much for your inputs and thoughts.

wentao

Accepted Solutions (0)

Answers (2)


Former Member

Hello all, I'm having a problem like yours. My Login Module authenticates users against a db. After some work I could configure it and got it working. But, even though my Login Module works fine, after validating a user I get the exception:

[code]Caused by: com.sap.engine.services.security.exceptions.BaseLoginException: User not authorized.
at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:223)
at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:324)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
at com.lumina.security.jaasrbac.SecurityFacade.authenticate(SecurityFacade.java:119)
... 51 more
Caused by: com.sap.engine.services.security.exceptions.BaseLoginException: User is locked.
at com.sap.engine.services.security.server.jaas.CheckAction.checkUserLockStatus(CheckAction.java:181)
at com.sap.engine.services.security.server.jaas.CheckAction.run(CheckAction.java:58)
at java.security.AccessController.doPrivileged(Native Method)
at com.sap.engine.services.security.server.jaas.LoginModuleHelperImpl.checkUserLockStatus(LoginModuleHelperImpl.java:116)
at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:175)
... 63 more[/code]

This happens after my login module is invoked and succeeds authenticating a user.

Is it really necessary to have a copy of the user data in the UME store?

Thanks,

Juan Manuel

Former Member

Hi Juan,

I am also configuring Custom login module for authenticating users against DataBase.

But i found that my login module still not getting loaded.

I am using this code:

[code]LoginContext lg = new LoginContext("MyLoginStack", mycallbackHandler);
lg.login();[/code]

Here, the LoginContext object is created but the login() method is failing, giving the same exception: User not authorized.

Kindly help.

Regards,

Sagar.

Former Member

Hi,

if you really get the same error as above, check your user store. The nested exception tells you that the user is locked. Unlock the user before you try to login.

Best Regards, Astrid

Former Member

I'm trying to make a little application work. It has two parts: a little client and a server part which runs on a jboss server, and they communicate between them using JAAS + SSL.

It's a compiled application, so I cannot debug it, only the jdk classes it calls. It uses an "auth.conf" file. The client is a little class that works perfectly alone if I run it in a java project, without the messing sap JAAS implementation.

I followed all the steps in:

https://websmp101.sap-ag.de/~sapidb/011000358700003517632004E.PDF

and managed to apply the configuration into the security service of WAS, using jboss-client.jar as the library with the login module, and org.jboss.security.ClientLoginModule as the login module.

I'm trying to include the client class into a web service developed for my WAS, packing the class and its library with my ear.

But when it tries to do the authentication, sometimes it uses:

org.jboss.security.ClientLoginModule (that's the correct class) but throws a "User is locked" exception.

Do I need to create the user that I use to connect to the other jboss server in my WAS UME? This makes no sense. Anyway, it doesn't work either.

Other times (without changing anything) it uses:

com.sap.engine.system.SystemLoginModule

and throws this exception:

com.sap.engine.services.security.exceptions.BaseLoginException: Call logout before login

I'm desperate. I'm having nightmares trying to integrate things which work in every application server in WAS. Why couldn't they simply follow the standard!?!?

I'm thinking of installing a tomcat with the client, and using axis to wrap it with a proxy I can consume from my WAS. But I think this is a horrible solution.

Any idea? I can't go forward.

Former Member

Hi,

I had the same problem and the explanation is:

you might very well do the JAAS authentication with your own database.

As long as the user who is registered in the session is not a user which exists in the UME, it won't be authorized in your application to do anything based on the JAAS authentication concept.

This is quite confusing since you get no error messages in your own login modules.

But if you search the forum a bit you might find the thread where I posted this question and got the above summarized answer.

Best Regards, Astrid


Hi,

There can be only one active userstore at a time on the engine. The authenticated user must belong to the engine user store so that the server is able to identify him and grant or deny an access to him for any resource.

Since SP7 the login throws an exception when the user is not registered in the engine user store.

Kind Regards,

Svetlana Stancheva

Former Member

hello Astrid and Svetlana,

thank you both for the reply. at least i know why it is behaving the way it is now.

Astrid, i found and read your other thread. sorry for kinda duplicated posting. somehow the search didn't return that one. anyway, in the end you mentioned about a workaround. would you mind sharing some hints on what it is? does it still require creating users both in the j2ee engine UME store and your own db?

another follow-up question: is there a simple way to 'upload' users into the active UME user store? say, specify the user id, and group info in an xml file?

wentao

Former Member

Hi Wentao,

Based on my understanding of the JAAS framework, what Svetlana said is the precise explanation. JAAS does not really care about your application's db and you can store anything you want and authenticate it or skip the authentication or hard code your implementation with some of your own user id/passwords, but what JAAS needs is a user as understood by the J2EE Engine, i.e. some user stored in the active UME Store which is looked up by the UME Service (and as you know the UME Service is the one on which every application on the J2EE Engine, including the portal, is dependent). JAAS needs a user from the UME Store because the corresponding role/access permissions as stored in the J2EE Engine would be used to determine the possible operations/privileges for the user (user of your own application) that you are trying to logon as.

Hope this helps..

Former Member

thank you all for replying. yes, i've come to the conclusion that it is not a good idea to mess around with UME user stores, since other sap components, such as portal etc, may be relying on it as well.

for the time being, i will concede and simply create the same user ids both in UME and my own db tables. i found in the documentation that there is a way to batch import/export the user and user group data into/from the current active UME user store. on the j2ee engine only, it is accessible online through http://server:port/useradmin. today it requires manual copy/paste of the user data into a form field. perhaps next patch or release there will be a script or file interface. portal apparently has a better interface for doing it already.

i will still explore the possibility of creating UME users at runtime in my login module. but i will have to report on the progress at a later point in time.

again, thanks to all who provided inputs. i too, am anticipating the tutorial on the subject.

wentao

Former Member

Hi,

I have a different understanding of JAAS. It should be possible to authenticate and authorize a user independent from the user management of the underlying application server.

In general, it is possible to deploy many different applications on the same application server. And it doesn't make any sense at all that they share the same user store. What about an information application that authenticates against an NT-Domain. Where is the sense to create 1,500 dummy users just to match the application server's JAAS concept ?

I agree that for administrating the server the user must be registered in the UME.

In my point of view it is a very bad design gap to join the UME and JAAS so close together that they cannot live one without the other.

Sorry, but this should be a fully qualified Application server and not just an SAP front end.

Best Regards, Astrid

Former Member

Hi Astrid,

I guess I have the same understanding of JAAS as you. I want to deploy an application that internally makes use of JAAS to authenticate users. There is a LoginModule that authenticates users against some database tables containing all the user data and profile. The application was not designed to be deployed to NetWeaver. So it does not make use of UME or some other NetWeaver specific feature. Actually it handles user management and authorization issues completely on its own. The only reason for having JAAS is to allow customers to plug in their own LoginModule to use some other kind of user store.

When deploying the web application to a simple servlet engine like Tomcat, all I have to do is to register my LoginModule in the "jaas.conf" file that is parsed by JAAS default implementation. I also tell the JVM where my jaas.conf file is located by appending a "-Djava..." runtime parameter to the JVM startup script.

When using other application servers like IBM WebSphere things become a bit different. Normally you use the administration GUI of that server to configure your LoginModules. WebSphere for example keeps the login configuration in an internal database rather than writing everything into a "jaas.conf" text file. But the way the application can use the LoginModule is the same as in Tomcat.

But when it comes to Netweaver, it seems to me that it's not possible to define a LoginModule that your application can use WITHOUT having to couple it tightly to UME. Or did I get something wrong? Initially I've tried to modify the JVM's parameters (using SAP J2EE Config Tool) to include the location of my "jaas.conf" file containing my login configuration. But that did not work. The parameter was really passed to the JVM but anyway my LoginModule was not found. I guess that NetWeaver has some own implementation of the JAAS interfaces that just ignores the plain text JAAS configuration files (like WebSphere also does).

The documentation that I have downloaded from SDN doesn't seem to match the 6.4 sneak preview version that I just downloaded some days ago. They say you should deploy your LoginModule as a library and add a reference to the application. I tried that out but it did not help. The login configuration that the application wants to access is still not found. Actually there seems to be no way to specify the name for a JAAS Login Configuration in NetWeaver. At least I could not find that in the documentation.

So basically my question is: is it possible to deploy an application that wants to use some own LoginModule (either deployed separately or together with the application, that does not matter) without making use of Netweaver specific features like UME? The application has its own user management infrastructure and just needs a way to setup a JAAS Login Configuration to access its own LoginModule.

Thanks in advance

Henning
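Two questions in this thread come back to what a JAAS login module is and is not responsible for: Wentao asks what login() and commit() must do for the engine to treat a user as authenticated, and Sagar and Henning ask how a LoginContext finds the "MyLoginStack" configuration without a jaas.conf. The following is an added example, not code from any poster or from SAP. It assumes a hypothetical DbLoginModule whose in-memory table (constructed sample data) stands in for the database lookup, a hypothetical UserPrincipal, and a programmatic javax.security.auth.login.Configuration that plays the role the engine's security provider service plays on the J2EE Engine. It shows the two-phase contract from the JAAS specification (login() only verifies, commit() only then attaches the Principal, abort()/logout() undo it) and runs the stack end to end with plain JDK classes, so it can be tried offline.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.spi.LoginModule;

public class JaasDemo {
    /** Minimal Principal carrying only the authenticated user name (hypothetical class). */
    static final class UserPrincipal implements Principal {
        private final String name;
        UserPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        public String toString() { return "UserPrincipal[" + name + "]"; }
    }
    /** Hypothetical login module; the in-memory table stands in for the database lookup. */
    public static class DbLoginModule implements LoginModule {
        // Constructed sample data. A real module would query its DB and compare a salted hash.
        private static final Map<String, char[]> USERS = new HashMap<>();
        static { USERS.put("alice", "s3cret".toCharArray()); }
        private Subject subject;
        private CallbackHandler handler;
        private String user;
        private boolean succeeded;
        private Principal principal;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
            subject = s; handler = h;
        }
        // Phase 1: verify the credentials and remember the outcome; the Subject is not touched yet.
        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try {
                handler.handle(new Callback[] { nc, pc });
            } catch (IOException | UnsupportedCallbackException e) {
                throw new LoginException("cannot collect credentials: " + e);
            }
            char[] supplied = pc.getPassword();
            pc.clearPassword();
            char[] expected = USERS.get(nc.getName());
            boolean ok = expected != null && supplied != null && constantTimeEquals(expected, supplied);
            if (supplied != null) Arrays.fill(supplied, '\0');  // do not keep the clear-text password around
            // One message for unknown user and wrong password, so the module does not reveal which it was.
            if (!ok) throw new FailedLoginException("invalid user name or password");
            user = nc.getName();
            succeeded = true;
            return true;
        }
        // Phase 2: only now attach the Principal, and only if this module's login() succeeded.
        public boolean commit() {
            if (!succeeded) return false;
            principal = new UserPrincipal(user);
            subject.getPrincipals().add(principal);
            return true;
        }
        public boolean abort() { cleanup(); return true; }
        public boolean logout() {
            if (principal != null) subject.getPrincipals().remove(principal);
            cleanup(); return true;
        }
        private void cleanup() { user = null; succeeded = false; principal = null; }
        private static boolean constantTimeEquals(char[] a, char[] b) {
            int diff = a.length ^ b.length;
            for (int i = 0; i < a.length && i < b.length; i++) diff |= a[i] ^ b[i];
            return diff == 0;
        }
    }
    /** Programmatic equivalent of the jaas.conf entry  MyLoginStack { JaasDemo$DbLoginModule required; }; */
    static Configuration stackConfig() {
        return new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                if (!"MyLoginStack".equals(name)) return null;
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                        DbLoginModule.class.getName(), LoginModuleControlFlag.REQUIRED, new HashMap<String, String>()) };
            }
        };
    }
    /** Answers the module's callbacks with fixed credentials (a web app would take them from the login form). */
    static CallbackHandler credentials(String user, String password) {
        return callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password.toCharArray());
                else throw new UnsupportedCallbackException(cb);
            }
        };
    }
    static Subject authenticate(String user, String password) throws LoginException {
        LoginContext lc = new LoginContext("MyLoginStack", new Subject(), credentials(user, password), stackConfig());
        lc.login();
        return lc.getSubject();
    }
    public static void main(String[] args) throws Exception {
        System.out.println("principals: " + authenticate("alice", "s3cret").getPrincipals());
        try { authenticate("alice", "wrong"); }
        catch (LoginException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

Run with `javac JaasDemo.java && java JaasDemo`: the first call succeeds and the Subject carries UserPrincipal[alice]; the second throws a FailedLoginException. This is exactly the part a custom module controls. What the thread's replies from Astrid and Svetlana describe happens afterwards, inside the engine: the Principal the module committed is checked against the active engine user store (the "User not authorized" and "User is locked" exceptions in Juan Manuel's trace come from that step), so a successful login() and commit() alone do not produce an authorized request on that server. On the J2EE Engine the stack definition comes from the security provider service rather than from a Configuration object or a -Djava.security.auth.login.config file, which is why the jaas.conf approach Henning tried was ignored there.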