
Datasource Usermanager

Former Member
0 Kudos

Hello @all,

I have a little problem again. The application I have to move over to NetWeaver has its users stored in the Oracle Database.

My question is: How can I tell NetWeaver to look for users in its UME Database and my Oracle Database?

My idea is to implement a Login Module for that, but I am not sure if this works. If it will, please tell me what I have to do so that NetWeaver uses my Login Module.

Are there any other options to use the Oracle Database as Userstore?

Best regards

Matthias Reizammer

Accepted Solutions (1)

Former Member
0 Kudos

Hello Peter,

thanks for your answer and the posted links. I think, I will give you some more details about my Application:

The users are stored in a table of the database. It is very simple, without LDAP and so on: username, password and some attributes.

My application is divided into two parts:

An Eclipse RCP Application and a set of stateless session beans which pass data from the application to the database and back.

If I implement a login module, I have some questions about the placement of the components: For my Case I need a CustomLoginModule, a CallbackHandler which has a Constructor which has username and password as parameters, because I have a login dialog on client side.

My concrete Questions are:

Where do I place the LoginModule class and the CallbackHandler class? EJB or client side?

I have found the document with the guide yesterday, but in this preview is no Visual Administrator, so how can I configure my application to use the deployed LoginModule?

thanks in advance

Matthias Reizammer

Former Member
0 Kudos

Hi Matthias,

The LoginModule should be definitely on the server so that it can be classloaded by the security service. The CallbackHandler should be able to interact with it. The most basic approach would be to be again on the server. Theoretically you can put it on the client and make it remote object, however I don't see any point in that.

How to configure the application in the absence of Visual Administrator - the tools that you can use to perform basic administration tasks are the Telnet Console Administrator and the Config Tool. For more advanced administration capabilities, you also need to install the SAP NetWeaver Administrator. For more information, see the Administration Guide from the server documentation. I am giving a link to the PDF file for your convenience:

<a href="http://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/806e75a0-0e01-0010-2587-fc518de8ac1a">Administration Guide</a>

Especially the section "Managing Login Modules" and the pages around it seem to be relevant.

Best Regards

Peter

Former Member
0 Kudos

Hi Peter,

thank you very much for your quick answers. Now I know what to do. Tomorrow I am going to look for the relevant options in NWA or config tool. I frequently use these tools to change some settings but I have not found the described option.

I will post my experiences here as soon as I have successfully done it.

Have a nice Day

Matthias Reizammer

Former Member
0 Kudos

Hello,

I downloaded an older Version of NWDS, created my LoginModule as described in the Guide Peter posted me.

After that, I tried to deploy it, but this doesn't work with Version 7.10 of the AS Java. So I searched the Help contents of the current NWDS and found a step by step tutorial to reuse libraries created with an older version of NWDS. It worked fine, but NWDS deploys my LoginModule as Application? Is this correct?

But one problem still exists. How can I configure my application to use my LoginModule? I have looked everywhere in ConfigTool and NWA and did not find any option.

Can anyone help me?

Best regards

Matthias Reizammer

Former Member
0 Kudos

Hi Matthias,

How to configure them in NWA - on the first page of the NWA click the tab "Configuration Management", then the tab "Security Management", then click the link "Authentication" in the bottom.

You should see two tabs "Components" and "Login Modules". Declare your module in the second tab, afterwards go to the first tab, navigate to your application, click the edit button and configure the login module in the pane below.

In addition you would have to make a reference from your application to the one with the loginmodule (otherwise the classloading would not be possible).

HTH

Peter

Former Member
0 Kudos

Hello Peter,

thank you very much for your detailed Description.

But in the Components tab, I cannot find my application. I searched the whole tab but my application is not listed.

Best regards

Matthias

Former Member
0 Kudos

Hi Matthias,

The applications listed there are the ones that have a web part, so you can easily plug in your LoginModule without manual coding, since if there is a web part the interaction with the user is clear. However, if your application is not such (for example only EJBs residing on the server), it will not be listed. You will need to insert a manual call with the JAAS API at the "entry points" of your application whenever you want to perform the login. Declare in the Components tab a new entry called "MatthiasTest" and put the login module classname in the lower pane; do not forget to press the save button.

Then in your application, introduce the following code :


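    // imports needed at the top of the class:
    // import javax.security.auth.login.LoginContext;
    // import javax.security.auth.login.LoginException;
    try {
        // "MatthiasTest" is the entry declared in the Components tab.
        // The constructor can throw LoginException too, so it belongs inside the try.
        LoginContext lc = new LoginContext("MatthiasTest", myCallbackHandler);
        lc.login();
        // .....
        lc.logout();
    } catch (LoginException le) {
        // log it
    }

Check out also the <a href="http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/login/LoginContext.html">javadoc for LoginContext</a> from the standard Java package.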

HTH

Peter

Former Member
0 Kudos

Hi Peter,

it is an application which consists only of EJBs.

I will try this as soon as possible.

Thank you very much for your detailed answers. It's great to have such support in here.

Best regards Matthias

Answers (2)

Former Member
0 Kudos

Hi Peter,

I followed your instructions but a new Problem came up.

I did the Reference in application-j2ee-engine.xml.

Code:

    <application-j2ee-engine>
        <reference reference-type="hard">
            <reference-target target-type="application">XavoLoginModuleLibrary</reference-target>
        </reference>
        <provider-name>sap.com</provider-name>
    </application-j2ee-engine>

When I execute the following code:

    LoginContext lc = new LoginContext("MatthiasTest", myCallbackHandler);
    try {
        lc.login();

a JAAS config file is needed. In this file I specify the package of the deployed LoginModule.

But the application client cannot find the LoginModule class.

Do you have any ideas?

Best regards

Matthias

Former Member
0 Kudos

Hi Matthias,

The JAAS config file modification is used whenever you are launching a standalone application i.e.

java -Djava.security.auth.login.config== ...

whenever you want to call your login module from your ejb that runs on the server, you need to declare the login module in the NWA, follow the instructions above.

If you experience any exception while invoking your ejb, please post it with the stacktrace

HTH

Peter

Former Member
0 Kudos

Hello Peter,

I am now a bit confused, so I am going to describe the application, my current status and my thoughts and open questions:

1) The Application

The Application consists of three parts:

- A Rich Client Application

- EJB Backend on SAP NetWeaver AS EE 5 Edition

- Oracle Database 10g

At Startup, the Rich Client needs to get the Homeinterface of the DelegateBean to secure the session. The Rich Client builds an InitialContext with JNDI Props. At this point, I have to integrate the login module to secure the context.

2) Current Status

I created a LoginModule and deployed it on NetWeaver as described above. I declared the LoginModule in NWA and in the application-j2ee-engine.xml of my EJBs I put a reference to the deployed LoginModule.

But my Richclient does not reach the deployed LoginModule, so I put it in the EJBs project and created a jaas.config file on the Richclient side.

The result: My Richclient invokes the login module, the login module works correctly, but the client cannot get the home interface of the EJB because of an EJBAccessException.

3) Open Questions

- Is it correct, that my LoginModule is deployed as Application? I have some doubts about that because I cannot find the Modules shipped with Netweaver Java EE 5 edition on the filesystem. Are there any Options/Settings in NWDS I have not found to get this Module into the Security Context of SAP Netweaver Java EE 5 Edition?

- Do I have to specify specific options on my Richclient or in jaas.config to invoke the LoginModule?

- Is it possible with this preview Edition to use a custom LoginModule in conjunction with a Rich client?

- How can I tell NetWeaver to use my LoginModule if the user cannot be found in the UME. The above described way via a separate Logincontext will not work.

- I think for Webapplication I can declare a loginmodule in NWA, but not for EJB Applications. Is there a chance to declare a loginmodule in NWA for EJB Applications?

Best regards

Matthias


Former Member
0 Kudos

Hi Matthias,

Sorry for confusing you, all of the documentation and the postings above are based on the assumption that you wish to invoke the custom LoginModule from within the server - typically from a servlet, or from an EJB in your case. I was thinking that you wanted to provide the info to a stateless EJB, and inside its business logic it manually performs the call to the login. Which is a possible solution to implement, but not the one you are looking for, as it seems from your last posting.

You could potentially perform the login if you plugin in the authentication stack used by the JNDI. Since you are using EJB-s, you are creating an InitialContext and then performing lookup. If you plugin there your login module and whenever you perform getting the initial context by providing user/pass in the properties, that will invoke your plugged login module that will check against the Oracle datasource. In order to implement that solution however, some advanced configurations have to be made so that your specific loginModule could be classloaded and it's not advisable to go in that way.

About what you are asking - calling a custom LoginModule from within an Eclipse plugin, I am not sure if that is possible due to some technical issues. I will consult some developers and give you an update in short time.

HTH

Peter

Former Member
0 Kudos

Hello Peter,

thank you for your answer but I think there is still one misunderstanding.

I want to set up an InitialContext between the Eclipse plugin and the Application Server.

For now this checks against the UME Database from the AS. If the user does not exist in the UME Database, the Applicationserver should lookup the Oracle database.

What options do I have to look up users in the Oracle Database?

Best regards,

Matthias

Former Member
0 Kudos

Hi Matthias,

How to plugin the login module in the JNDI lookup, instead of making manual calls - that's functionality subject to change in future versions. In addition some misconfiguration could be hard to repair and lead to stop of many functionalities, use it at your own risk.

In more detail - when you look at the tab "components" (on the same page as the LoginModules) definition you will see an entry "sap.naming" which is using the template SAP-J2EE-Engine. When you scroll up to this template you will see that it contains only one module "BasicPasswordLoginModule". Edit the template SAP-J2EE-ENGINE, add another already defined LoginModule "MatthiasTest" with flag Sufficient, that will mean - try the first loginModule (BasicPasswordLoginModule which will look in the UME database), then try the second (MatthiasTest - your implementation looking in the Oracle Database). If the second one succeeds (flag SUFFICIENT) then the whole authentication succeeds.

Once again, be advised that if you misconfigure something, you won't be able to even get an InitialContext and a lot of things would stop working.

The only thing left is how to make the server classload your implementation. In the NWA go to the pages Configuration Management - Infrastructure Management - Java System Properties - Services - Security Provider. In the lower pane you should see a property LoginModuleClassLoaders. Put there a value so that your LoginModule can be classloaded.

That is the equivalent modification as the one using the Visual Administrator and updating the service property called “LoginModuleClassLoaders” in the Netweaver 2004 documentation.

If you are not sure what is your classloader name (or you want to double check if it is present), go to NWA – Problem Management (the last tab) – Java Class Loader Viewer and search the table there.

After configuring everything - reboot the server. Again, like said before, you can damage the server very effectively if you are not sure what you are doing.

HTH

Peter
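
A self-contained illustration of the stack Peter describes, together with the username/password CallbackHandler and `LoginContext` call from earlier in the thread (an added example, not code from the thread or from SAP). It uses only the standard JAAS API with a programmatic `Configuration` in place of the NWA template; `SufficientStackDemo`, `TableLoginModule`, the `store` option and the two in-memory maps are assumptions standing in for the UME store and the Oracle user table.

```java
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.spi.LoginModule;

public class SufficientStackDemo {
    // Constructed stand-ins for the UME store and the Oracle user table (real tables hold salted hashes).
    static final Map<String, String> UME = Map.of("admin", "ume-secret");
    static final Map<String, String> ORACLE = Map.of("matthias", "ora-secret");

    /** Hypothetical module: checks name and password against the store named by its "store" option. */
    public static class TableLoginModule implements LoginModule {
        private CallbackHandler handler; private Map<String, String> users; private boolean ok;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
            handler = h; users = "ume".equals(opts.get("store")) ? UME : ORACLE;
        }
        public boolean login() throws LoginException {
            NameCallback n = new NameCallback("user");
            PasswordCallback p = new PasswordCallback("password", false);
            try { handler.handle(new Callback[] {n, p}); }
            catch (Exception e) { throw new LoginException(e.toString()); }
            String stored = n.getName() == null ? null : users.get(n.getName());
            if (stored == null || !Arrays.equals(stored.toCharArray(), p.getPassword()))
                throw new FailedLoginException("unknown user or wrong password");
            return ok = true;
        }
        public boolean commit() { return ok; }  // false: LoginContext ignores a module that did not log in
        public boolean abort() { ok = false; return true; }
        public boolean logout() { ok = false; return true; }
    }
    static boolean authenticate(String user, String pass) {
        CallbackHandler h = cbs -> { for (Callback c : cbs) {  // fed with the login dialog's values
            if (c instanceof NameCallback) ((NameCallback) c).setName(user);
            else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword(pass.toCharArray());
            else throw new UnsupportedCallbackException(c); } };
        String cls = TableLoginModule.class.getName();
        AppConfigurationEntry[] stack = {  // tried in order; one success is enough
            new AppConfigurationEntry(cls, LoginModuleControlFlag.SUFFICIENT, Map.of("store", "ume")),
            new AppConfigurationEntry(cls, LoginModuleControlFlag.SUFFICIENT, Map.of("store", "oracle")) };
        Configuration cfg = new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) { return stack; } };
        try { new LoginContext("MatthiasTest", null, h, cfg).login(); return true; }
        catch (LoginException e) { return false; }
    }
    public static void main(String[] args) {
        for (String[] t : new String[][] {{"admin", "ume-secret"}, {"matthias", "ora-secret"}, {"matthias", "wrong"}})
            System.out.println(t[0] + " -> " + authenticate(t[0], t[1]));
    }
}
```

With both entries flagged SUFFICIENT, a match in either store authenticates the caller, so the password handling of the Oracle table becomes part of the server's login surface.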

Former Member
0 Kudos

Hi Peter,

thank you for your answer. I will try the things you described and I'll let you know if it worked.

Have a nice day

Best regards

Matthias

Former Member
0 Kudos

Hi Matthias,

If the Oracle userstore is in standard LDAP format, you could potentially plugin LDAP adapter and make the UME look for the user information in the Oracle. That will make all applications (including the administration tools and the telnet login) to use the Oracle userstore.

Here is a link to the documentation :

<a href="http://help.sap.com/saphelp_erp2005vp/helpdata/en/74/642441cd87a12be10000000a1550b0/frameset.htm">LDAP Directory with J2EE Engine(s)</a>

The other alternative (you already came with that) would be to develop and deploy a custom LoginModule and then configure your application to use it.

I don't think there is specific document for the SAP NetWeaver Application Server, Java EE 5 Edition, however there is a very detailed step by step guide about earlier versions. Here it is :

<a href="http://help.sap.com/saphelp_erp2005vp/helpdata/en/46/3ce9402f3f8031e10000000a1550b0/frameset.htm">Create and Configure a Login Module</a>

If you decide to go in that way and experience any problems, please post them here, there are many security experts reading that forum.

HTH

Peter