Authentication failure messages not showing in custom logon module

Former Member
0 Kudos

Hi All

We have a custom logonModule that was reporting errors back to the user via the logon page when it was deployed in EP6. This is failing in NW04.

The LoginExceptions are thrown by the module; the authentication works as well.

I am stumped... and need the help of an experienced developer that knows the JAAS login modules and their configuration in NW04.

<i><b>Points gladly awarded!</b></i>

Here is the info:

Portal Information:

<b>OS:</b> HP-UX

<b>Version</b> 11.11

<b>J2EE Version:</b> 6.40 PatchLevel 100627.313

<b>Portal Version:</b> 6.0.15.0.0

<b>KMC Version:</b> 6.0.15.1.0 (NW04 SPS15 Patch1)

<b>Login Module Information:</b>

<b>Name:</b> portalloginmodule.jar

<b>Package:</b> nikeConnect_LoginModules

<b>Primary Class (extends AbstractLoginModule):</b> PortalLogonModule.Java

<b>UME for authentication:</b> No

<b>Authentication Type:</b> Ticket

<b>Authentication Route:</b> LDAP (Two servers External and Internal)

<b>Security:</b> SSL Certificate

Authentication module bypasses UME and Authenticates Directly with LDAP

External users logon with e-mail that resolves to a Racf

Internal users logon through Corporate LDAP with Racf

<b>Modules in Virtual Administrator:</b>

<b>Module:</b> com.sap.security.core.server.jaas.EvaluateTicketLoginModule

<b>Flag:</b> Sufficient

<b>Options:</b> ume.configuration.active = true

<b>Module:</b> com.nike.portal.auth.PortalLoginModule

<b>Flag:</b> Optional

<b>Options:</b> ume.configuration.active = true

<b>Module:</b> com.sap.security.core.server.jaas.CreateTicketLoginModule

<b>Flag:</b> Sufficient

<b>Options:</b> ume.configuration.active = true

<b>LoginModuleClassLoaders Value</b> = library:nikeConnect.com~nikeConnect_LoginModules

<b>Front end UI:</b> Custom designed com.sap.portal.runtime.logon

(The issue is also present with the original shipping front end in place)

<b>Configuration Files:</b>

Authschemes.xml (Default without custom login module entries)

<b>Detailed Explanation of Issue:</b>

<i>What works:</i>

1. Logon is successful from either external or internal

2. Expired password sends the user to the change password page

<i>What fails in NW04 but functioned in EP6 p35:</i>

1. On failed logon, the view simply refreshes the password field without showing the exception to the user (the default portal “stop sign” icon with error message does not appear)

<i>Additional Issues:</i>

1. Logon is very slow (> 20 seconds)

<i>What has been tried:</i>

1. Util.jar and security are at latest versions

2. Throwing the logonException directly in the code

3. Setting up the authschemes.xml to reflect the custom code (This just blew up the portal)

<b>Questions:</b>

1. How does the front end see the error passed up by the logonModule? (I am thinking of a message bean that listens for a LogonException)

2. How is this configured? Do we need the authschemes.xml?

3. Are there sample logon modules that can validate using LDAP through UME? (We need to switch over from direct authentication)

4. Are there any useful Documents other than:

“JAAS Login Modules” and “How To… Authentication Guide”?

<b>Code snippet from the logon module</b>

<i>Imports:</i>

import com.sap.engine.interfaces.security.auth.AbstractLoginModule;
import com.sap.engine.interfaces.security.auth.LoginModuleHelper;
import com.sap.engine.lib.security.LoginExceptionDetails;
import com.sap.tc.logging.*;
import com.sap.engine.lib.security.http.*;
import com.nike.pms.Pms;
import com.nike.pms.PmsFactory;
import com.nike.portal.util.Logger;


import javax.security.auth.spi.LoginModule;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.servlet.http.HttpServletResponse;
import java.util.Map;
import java.util.ResourceBundle;
import java.util.MissingResourceException;
import java.util.Calendar;
import java.io.IOException;

<i>Class Declaration:</i>

public class PortalLoginModule extends AbstractLoginModule {

<i>Login() method</i>

public boolean login() throws javax.security.auth.login.LoginException {
    String passwordStr;
    Calendar cal = Calendar.getInstance();   // unused

    if (callbackHandler == null)
        throw new LoginException("Error: no CallbackHandler available to garner authentication information from the user");

    HttpGetterCallback httpgettercallback = new HttpGetterCallback();   // unused
    NameCallback namecallback = new NameCallback("user name: ");
    PasswordCallback pwdcallback = new PasswordCallback("password: ", false);

    try {
        // Fetch user name and password from the logon page through the callback handler
        try {
            callbackHandler.handle(new Callback[] { namecallback, pwdcallback });
        } catch (IOException ioe) {
            throwUserLoginException(ioe, LoginExceptionDetails.IO_EXCEPTION);
        } catch (UnsupportedCallbackException uce) {
            return false;
        }

        this.username = namecallback.getName();
        this.password = pwdcallback.getPassword();
        pwdcallback.clearPassword();
        passwordStr = new String(this.password);
        this.succeeded = true;

        // pms is our custom authentication module... it authenticates directly against LDAP
        Pms pms = null;
        try {
            pms = PmsFactory.getInstance(this.username, passwordStr);
            if (pms == null) {
                this.succeeded = false;
                // Wrong credentials: use the matching detail code rather than IO_EXCEPTION
                throwNewLoginException(this.username + " -  - WRONG USERID/PASSWORD",
                        LoginExceptionDetails.WRONG_USERNAME_PASSWORD_COMBINATION);
            } else {
                myLoc.infoT(pms.getADDetail());
            }
            if (!pms.isAuthenticated() && this.succeeded == true) {
                throwNewLoginException(this.username + " -  - WRONG USERID/PASSWORD",
                        LoginExceptionDetails.WRONG_USERNAME_PASSWORD_COMBINATION);
            }
            boolean ispasswordneverexpires = pms.isPasswordNeverExpires();
            if (!ispasswordneverexpires && userPasswordExpired(pms) && this.succeeded == true) {
                this.succeeded = false;
                // Expired password: send the user to the change-password page
                //WebCallback wcb = new WebCallback ();
                //this.callbackHandler.handle(new Callback [] {wcb});
                //HttpServletResponse rsp = wcb.getResponse();
                setRedirect(callbackHandler, this.changepasswordurl + this.username);
            }
            if (this.succeeded == true) {
                // Both branches currently map the logon name to the sAMAccountName
                if (isExternalUser()) {
                    String samaccountname = pms.getsAMAccountName();
                    this.username = samaccountname;
                } else {
                    String samaccountname = pms.getsAMAccountName();
                    this.username = samaccountname;
                }
                // when you have a user id, refresh user info
                try {
                    refreshUserInfo(this.username);
                } catch (SecurityException e) {
                    throwUserLoginException(e);
                }
                myLoc.infoT("PortalLoginModule.login - END REFRESH USER: " + this.username);
                if (!pms.isUserInPortal(this.username)) {
                    myLoc.infoT(this.username + " -  is NOT in portal group");
                    this.succeeded = false;
                } else {
                    myLoc.infoT(this.username + " -  is in portal group");
                }
            }
        } catch (Exception e) {
            // Note: this also catches the LoginExceptions thrown above, so their message
            // and detail code never leave this method; only the generic throw at the
            // end of the method reaches the caller.
            this.succeeded = false;
        }
    } catch (Exception e) {
        // Note: rethrowing as a plain LoginException built from toString() drops the
        // original exception type, its cause and its LoginExceptionDetails code.
        this.succeeded = false;
        throw new LoginException(e.toString());
    }
    myLoc.infoT(this.username + " - Authenticated  : " + this.succeeded);
    if (this.succeeded) {
        if (this.sharedState.get(AbstractLoginModule.NAME) == null) {
            this.sharedState.put(AbstractLoginModule.NAME, this.username);
            this.nameSet = true;
        }
        return true;
    } else {
        throwNewLoginException("Wrong UserId/Password", LoginExceptionDetails.WRONG_USERNAME_PASSWORD_COMBINATION);
        return false;
    }
}

Thanks!

Cory
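The following is an added example, not code from the original post and not SAP's AbstractLoginModule API: it uses only the plain JAAS classes in the JDK to show the mechanism behind question 1 above. A login page can only react to a failure if the specific LoginException subclass the module threw survives the trip through LoginContext; a catch(Exception) that rethrows new LoginException(e.toString()) collapses everything into one generic type, so the caller cannot tell "wrong password" from "password expired". The DemoLoginModule, the in-memory DIRECTORY standing in for LDAP, the user names, passwords and the stack names "lossy" and "clean" are all constructed for the demo.

```java
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
import java.io.IOException;
import java.util.*;

public class LoginExceptionPropagationDemo {

    // Constructed stand-in for the LDAP directory; names and passwords are demo values only.
    static final class DirEntry {
        final char[] password; final boolean expired;
        DirEntry(String p, boolean x) { password = p.toCharArray(); expired = x; }
    }
    static final Map<String, DirEntry> DIRECTORY = new HashMap<>();
    static {
        DIRECTORY.put("alice", new DirEntry("correct-horse", false));
        DIRECTORY.put("bob", new DirEntry("battery-staple", true));   // password expired
    }

    /** Demo module: option wrap=true reproduces the catch(Exception) / rethrow-toString() pattern. */
    public static class DemoLoginModule implements LoginModule {
        private CallbackHandler handler;
        private boolean wrap;
        private boolean succeeded;

        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
            handler = h;
            wrap = "true".equals(opts.get("wrap"));
        }

        public boolean login() throws LoginException {
            if (wrap) {
                try {
                    authenticate();
                } catch (Exception e) {
                    // Lossy: the specific LoginException subclass and its cause are discarded.
                    throw new LoginException(e.toString());
                }
            } else {
                try {
                    authenticate();                 // LoginException subclasses propagate untouched
                } catch (IOException | UnsupportedCallbackException e) {
                    LoginException le = new LoginException("callback failure");
                    le.initCause(e);                // keep the cause for server-side diagnostics
                    throw le;
                }
            }
            succeeded = true;
            return true;
        }

        private void authenticate() throws IOException, UnsupportedCallbackException, LoginException {
            NameCallback nc = new NameCallback("user name: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            handler.handle(new Callback[] { nc, pc });
            char[] pw = pc.getPassword();
            pc.clearPassword();
            try {
                DirEntry e = DIRECTORY.get(nc.getName());
                if (e == null || pw == null || !Arrays.equals(e.password, pw)) {
                    // Detail stays in the server log; the user only gets a generic message.
                    System.err.println("audit: failed logon for user " + nc.getName());
                    throw new FailedLoginException("Wrong user ID or password");
                }
                if (e.expired) throw new CredentialExpiredException("Password expired");
            } finally {
                if (pw != null) Arrays.fill(pw, '\0');   // do not keep the password around
            }
        }

        public boolean commit() { return succeeded; }
        public boolean abort()  { succeeded = false; return true; }
        public boolean logout() { succeeded = false; return true; }
    }

    // Stack "lossy" runs the module with wrap=true, stack "clean" with wrap=false.
    static final Configuration CONFIG = new Configuration() {
        @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            Map<String, String> opts = Collections.singletonMap("wrap", name.equals("lossy") ? "true" : "false");
            return new AppConfigurationEntry[] { new AppConfigurationEntry(DemoLoginModule.class.getName(),
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts) };
        }
    };

    static CallbackHandler handlerFor(String user, String pw) {
        return callbacks -> {
            for (Callback c : callbacks) {
                if (c instanceof NameCallback) ((NameCallback) c).setName(user);
                else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword(pw.toCharArray());
                else throw new UnsupportedCallbackException(c);
            }
        };
    }

    /** What a logon page can do once the exception type survives: dispatch on it. */
    static String outcome(String stack, String user, String pw) {
        try {
            new LoginContext(stack, null, handlerFor(user, pw), CONFIG).login();
            return "OK";
        } catch (CredentialExpiredException e) {
            return "REDIRECT to change-password page";
        } catch (FailedLoginException e) {
            return "SHOW error: " + e.getMessage();
        } catch (LoginException e) {
            return "GENERIC failure (type lost): " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        for (String stack : new String[] { "lossy", "clean" }) {
            System.out.println(stack + " / alice, bad password : " + outcome(stack, "alice", "nope"));
            System.out.println(stack + " / bob, expired        : " + outcome(stack, "bob", "battery-staple"));
            System.out.println(stack + " / alice, ok           : " + outcome(stack, "alice", "correct-horse"));
        }
    }
}
```

Run it with `javac LoginExceptionPropagationDemo.java && java LoginExceptionPropagationDemo`. Every failure on the "lossy" stack lands in the generic branch, because LoginContext rethrows whatever object the module threw and a plain LoginException carries no type to dispatch on; on the "clean" stack the same failures reach the FailedLoginException and CredentialExpiredException branches, which is the hook a logon page (or a message bean watching for them) needs to show an error or redirect to the change-password screen. The audit line goes to the server log only, so the user-facing text does not reveal whether the user name exists.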

Accepted Solutions (0)

Answers (5)


fanglin_ye
Participant
0 Kudos

Hello Cory,

I met the same problem. Did you solve your problem? If yes, how? Thx.

regards,

Fanglin

Former Member
0 Kudos

Hi Cory,

I know your message was raised a long time ago. But did you ever solve your problem?

Rgds

John Moy

Former Member
0 Kudos

We have created a custom login module and placed it in our login module stack. We are using this new stack for an additional Authentication Scheme on the iview properties (not the entry login to portal). So our requirement is to have some iviews in the portal use an additional authentication scheme.

So we have the following 3 Login Modules in our stack:

EvaluateTicketModule

OurCustomLoginModule

CreateTicketModule

Also we are using the standard SAP login screen for our frontendtarget, see our authschemes.xml entry:

<authscheme name="cglogon">
            <authentication-template>
                form
            </authentication-template>
            <priority>21</priority>
            <frontendtype>2</frontendtype>
            <frontendtarget>com.sap.portal.runtime.logon.certlogon</frontendtarget>
        </authscheme>

Question:

There are standard screens in the SAP login PAR:

changePasswordPage.jsp

umLogonProblemPage.jsp

umResetPasswordPage.jsp

How do I trigger one of these screens from my Login() method of my custom login module? I thought if I throw some specific exception, these screens would be called?

Former Member
0 Kudos

Hi Cory,

I'm working on the redirect of expired password user and would like some pointers from you.

1. What is your changepasswordurl? Is this the URL in portal? I tried this URL but whenever I redirect to this URL; I got access denied exception.

irj/servlet/prt/portal/prtroot/com.sap.portal.usermanagement.admin.ChangePassword

2. If the redirect works, how do I intercept the old password, newpassword value to make a custom change in my user repository?

I would really appreciate your inputs.

Thanks,

Former Member
0 Kudos

Cory,

I just started working on a similar thing. Is there some document that you found that was helpful?

If yes, can you please share with us all?

Thanks,

Kiran