on 01-20-2009 3:16 PM
Hi,
I have configured a web application with a login module stack in the security provider (AS Java 7.0 SP14). The login module stack has 2 login modules. Both are flagged as SUFFICIENT. According to SAP and JAAS documentation, when using this flag, if authentication succeeds in the first module, control should return to the application immediately (i.e. the second module should not be called). However, I've been watching the behaviour of the stack and the second module's login method is always executed, even if the first one succeeds. Is this normal behaviour? Am I misreading the documentation? Can somebody provide any insight?
Mind you, the second one is not required to succeed for the overall login to succeed, so this behaves as expected.
Thanks.
Carlos
Hi Carlos, Can you post here the contents of the corresponding "LOGIN.OK" log message from security logs? The log message contains a table of all login modules used during the authentication, their control flags, the sequence of invocation of their methods and the results they return. This information will help analyze what happens.
You can extract the log message either from Log Viewer tool, or directly from the file (/usr/sap/<SystemID>/J<ComponentID>/j2ee/cluster/server<ServerNumber>/log/system/security_xx.x.log) in the file system.
Hi Stephan,
Sorry for the delay in responding; I just came back from holidays.
Here is the log entry; it doesn't contain much:
LOGIN.OK
User: PIAPPLUSER
Authentication Stack: sap.com/com.sap.aii.af.soapadapter*XISOAPAdapter
Login Module Flag Initialize Login Commit Abort Details
1. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule SUFFICIENT ok true true
2. com.sap.CustomLoginModuleClass SUFFICIENT ok true
Central Checks true
I must add that there is also the following entry produced in the log (this one appears first, but belongs to the same login attempt):
LOGIN.FAILED
User: N/A
Authentication Stack: sap.com/com.sap.aii.af.soapadapter*XISOAPAdapter
Login Module Flag Initialize Login Commit Abort Details
1. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule SUFFICIENT ok false false
2. com.sap.CustomLoginModuleClass SUFFICIENT ok exception true Authentication did not succeed.
Thanks.
Carlos
Hi Carlos,
The table structure (first table) is not clearly visible in the forum message because all whitespace is handled by the browser the same way. I am able to reconstruct it from the HTML source and it looks like this:

| Login Module | Control Flag | Login | Commit | Abort |
|---|---|---|---|---|
| BasicPasswordLoginModule | SUFFICIENT | true | true | |
| CustomLoginModuleClass | SUFFICIENT | | true | |
This means that the custom login module's login method has not been invoked, but its commit method has. This is the expected behavior.
The custom login module's login method has been invoked during the failed authentication (second table). This is also the expected behavior.
Can you confirm that when watching the behavior of the stack you see method "login" (and not "commit") being executed in both cases?
Hi Stephan,
Thanks for your prompt reply.
Correct, it is method "login()", and not "commit()" being executed in both cases. And that is exactly my question - why are both login methods being executed for the same login attempt? Since SUFFICIENT is used, I would have expected the login sequence to stop after succeeding in the first module of the stack (BasicPassword).
Can you shed some light on why this is the expected behaviour?
I'm still a bit confused: It would seem that the login module stack is being executed in reverse order (since the failed login appears first in the log) ???
Mind you, this is not causing a problem. I'm just trying to understand why it happens.
Thanks.
Carlos
I would like to focus on a specific behaviour of the server here. One logon attempt may involve several loops over the same JAAS login stack. In your case there are two of them. The first one fails because there are no credentials with the client request to the server. Thus the server responds to the browser asking for credentials. At this time you see the pop-up that asks you for user name and password. When you provide them there is another loop over the login module stack and this time it is successful. This should explain why the logs appear in the reverse order: each log is for a separate JAAS authentication, and not for a separate login module.
In some cases there may be additional loops if additional credentials are requested by another login module, or if the user must change password, etc.
So the table shown by the log message proves your login module's "login" method was not invoked after the previous sufficient login module succeeds.
Does this answer your question?
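To make the two explanations in this thread concrete (the SUFFICIENT flag stopping the login phase while commit still runs on every module, and one logon producing two passes over the stack), here is an added simulation of the JAAS control-flag semantics as documented for `javax.security.auth.login.Configuration`. It is example code written for this page, not the SAP AS Java security engine's code; the module names are taken from the log above, while the credential store, the `challenge_flow` loop and the commit/abort return values are constructed assumptions chosen to reproduce the two log entries Carlos posted.

```python
"""Constructed model of JAAS control-flag semantics (REQUIRED, REQUISITE,
SUFFICIENT, OPTIONAL). Added example, not SAP AS Java code: the fake
credential store and the challenge loop are assumptions."""
from enum import Enum


class Flag(Enum):
    REQUIRED = "REQUIRED"
    REQUISITE = "REQUISITE"
    SUFFICIENT = "SUFFICIENT"
    OPTIONAL = "OPTIONAL"


class LoginModule:
    """Stand-in for a JAAS LoginModule: `check` receives the request
    credentials and returns True/False, or raises to mimic a LoginException."""

    def __init__(self, name, flag, check):
        self.name, self.flag, self.check = name, flag, check


def login_phase(stack, credentials, trace):
    """Phase 1: walk the stack honouring the control flags and return the
    overall result. Every invoked method is appended to `trace` as
    (module, method, result), mirroring the columns of the LOGIN.* log table."""
    has_mandatory = any(m.flag in (Flag.REQUIRED, Flag.REQUISITE) for m in stack)
    mandatory_ok, any_ok = True, False
    for m in stack:
        try:
            ok = bool(m.check(credentials))
            trace.append((m.name, "login", str(ok).lower()))
        except Exception:
            ok = False
            trace.append((m.name, "login", "exception"))
        if ok:
            any_ok = True
            # SUFFICIENT success returns to the caller at once, unless a
            # REQUIRED module earlier in the stack has already failed.
            if m.flag is Flag.SUFFICIENT and mandatory_ok:
                break
        elif m.flag in (Flag.REQUIRED, Flag.REQUISITE):
            mandatory_ok = False
            if m.flag is Flag.REQUISITE:
                break  # a REQUISITE failure stops the walk immediately
    return mandatory_ok if has_mandatory else any_ok


def authenticate(stack, credentials):
    """One JAAS authentication: the login phase, then commit (or abort) on
    every module in the stack, which is why the custom module shows a commit
    result in the LOGIN.OK table even though its login was never invoked."""
    trace = []
    success = login_phase(stack, credentials, trace)
    for m in stack:
        trace.append((m.name, "commit" if success else "abort", "true"))
    return {"result": "LOGIN.OK" if success else "LOGIN.FAILED", "trace": trace}


def challenge_flow(stack, credentials):
    """Assumed server behaviour from the answer above: the first request
    carries no credentials, so the stack fails and the client is challenged;
    the retry carries credentials and the stack runs a second time. Returns
    the log records in the order they are written."""
    records = [authenticate(stack, None)]
    if records[0]["result"] == "LOGIN.FAILED" and credentials is not None:
        records.append(authenticate(stack, credentials))
    return records


# Constructed stand-ins for the two modules in the thread.
VALID_USERS = {"PIAPPLUSER": "constructed-password"}  # fake credential store


def basic_password(credentials):
    if credentials is None:
        return False  # no Authorization header on the first request
    user, pwd = credentials
    return VALID_USERS.get(user) == pwd


def custom_module(credentials):
    raise RuntimeError("Authentication did not succeed.")  # mimics a LoginException


STACK = [
    LoginModule("BasicPasswordLoginModule", Flag.SUFFICIENT, basic_password),
    LoginModule("CustomLoginModuleClass", Flag.SUFFICIENT, custom_module),
]


def methods_called(record, module):
    """Methods invoked on `module` during one authentication, in order."""
    return [meth for name, meth, _ in record["trace"] if name == module]


if __name__ == "__main__":
    for rec in challenge_flow(STACK, ("PIAPPLUSER", "constructed-password")):
        print(rec["result"])
        for name, meth, result in rec["trace"]:
            print(f"  {name:28} {meth:7} {result}")
```

Running it prints a LOGIN.FAILED record first (both `login` methods invoked, the custom one ending in an exception, then `abort` on both) followed by a LOGIN.OK record in which only `BasicPasswordLoginModule.login` runs and `commit` is invoked on both modules, which is the same ordering and shape as the two log entries in the thread. Swapping the first module's flag for REQUIRED shows the other half of the rule: a SUFFICIENT success later in the stack no longer short-circuits once a REQUIRED module has failed.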