Custom Login Policy Configuratin and Login Module ...

Former Member · ‎03-02-2007

Hi,

I have created a custom component policy configuration called Test with a single Login Module in its Authentication Stack with a flag of SUFFICIENT. I always get the following error:

com.sap.engine.services.security.exceptions.BaseLoginException: Wrong username password combination.

at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:206)

at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)

at sun.reflect.GeneratedMethodAccessor108_10001.invoke(Unknown Source)

at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)

at java.lang.reflect.Method.invoke(Method.java:585)

at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)

at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)

at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)

at java.security.AccessController.doPrivileged(Native Method)

at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)

at javax.security.auth.login.LoginContext.login(LoginContext.java:579)

at turtle.common.security.auth.AuthenticatorBase.performContainerAuthentication(AuthenticatorBase.java:340)

at turtle.common.security.auth.AuthenticatorBase.performGuestAuthentication(AuthenticatorBase.java:265)

at turtle.registry.ProjectRegistrar$1.run(ProjectRegistrar.java:162)

at java.util.TimerThread.mainLoop(Timer.java:512)

at java.util.TimerThread.run(Timer.java:462)

Does anyone know why the SystemLoginModule is being called as part of my authentication stack and what it does? It must be responsible for the "Wrong username or password" message but I am not sure what username and password it is referring to. I don't have it setup as part of my authentication stack.

My LoginModule is very simple, it basically authenticates against constant values. I can see that my LoginModule is being called. First my login() method is called which returns true and sets a boolean loginSuccessful to true after my custom CallbackHandler handles the NameCallback and the PasswordCallback. Then my commit() method is called which also returns true (actually the value of the loginSuccessful variable). Then my abort() method is called and again I return true. It is interesting to note that I then see logging indicating some other LoginModule is using my callback handler with a TextOutputCallback (which prints the message "Wrong username password combination") and an AuthStateCallback. Then I get the error.

I also found the following in the security.0.log:

#00065B3FCBDD001100000A7A00001194FFFFFFFFFFFFFFFF#1172857192015#/System/Security/Authentication#mydomain.com/myProject#com.sap.engine.services.security.authentication.logincontext#Guest#0#####Thread[Timer-6,5,ApplicationThreadGroup]##0#0#Info#1#com.sap.engine.services.security.authentication.logincontext#Plain###LOGIN.FAILED

User: usernameTBD

Authentication Stack: Test

Login Module Flag Initialize Login Commit Abort Details

turtle.common.security.auth.SapWasLoginModule SUFFICIENT ok true true true

Central Checks exception Wrong username password combination.#

Former Member · ‎09-05-2007

Stephen,

Does this not mean that we are making our application dependent on the OS. For instance if we develop and application to run on SAP and now want to migrate to other OS, what suggestion do you have, we will have a database to store our applications data and in addition UME datastore, so now we have to migrate both? This looks more of application specific logic for me. Though the authentication is programmatic, it totally is not, it is dependent on the container.

Viji

former_member293232 · ‎03-08-2007

The authentication and authorization is integrated with UME, so you cannot do authorization checks on users that are not known to UME. For example, the EJB methods you have granted to the system user will require that it - as the caller user - is known by the UME.

Thus it is not worthy, and possible, of being identified and authenticated to the server with an account that is not known to UME. This contradicts to the general concept followed in NWAS Java.

I would turn your attention to two things:

1. There is the possibility to use different user stores with UME in parallel. You can use a database store that maintains the system user ("usernameTBD") in parallel to the user datastore of the productive users. See http://help.sap.com/saphelp_nw04/helpdata/en/7e/a2d475e5384335a2b1b2d80e1a3a20/frameset.htm for more details. This approach has the advantage that you can maintain the system user as you do for your other users.

2. The system user does not really require authentication as it is used for internal system calls only. If this is correct I would suggest that you use a Java EE run-as identity role with a configured system user (without a password) and do not do JAAS at all. This will be better in terms of performance, as user impersonation handled by the application container is faster than authentication, and in terms of security, as no human agent will be able to authenticate as the system user and gain access to all system EJB methods.

I would challenge the security aspect of your approach. Deploying such a privileged user together with its password within a plain-text properties file is not a good idea. I will also ask you to consider the approach of employing the UME features to your benefit.

Please, let me know what you think about it.

former_member293232 · ‎03-08-2007

Hello Kyle Henderson,

The SystemLoginModule is a helper module that enables NWAS Java to support JAAS interaction with its class loaders. As you have experienced with your login module, and as visible in the logs and traces, all login modules are invoked according to JAAS specification. So far, you do not need to know anything specific to NWAS Java.

The authentication framework of the server, however, does some additional things to ease the development of new login modules. These include:

- verification that the authenticated user exists and is known to UME;

- verification that the authenticated user is not locked by an administrator;

- password change if required for the authenticated user;

In your setup, it is obvious that user "usernameTBD" is not known to UME. Therefore the server cannot let him in in order to protect the applications that work with its user management.

One option to solve the problem is to maintain the user within UME. Then the authentication will be successful.

If this does not fit your needs, I would ask you to describe the use case you want to fulfil.

Former Member · ‎03-05-2007

I have turned on more logging and it does appear that for some reason SAP is trying to authenticate against the UME datastore even though my authentication stack only contains my custom module. Is there any way to have it not authenticate against the UME datastore. I have included my source code below as well as more logging that is occurring. I apologize for the huge post but I wasn't sure how to attach a text file with the relevant information.

My source code:

package turtle.common.security.auth;

import java.rmi.RemoteException;

import java.util.ArrayList;

import java.util.Hashtable;

import java.util.Iterator;

import java.util.Map;

import javax.naming.InitialContext;

import javax.naming.NamingException;

import javax.security.auth.Subject;

import javax.security.auth.callback.Callback;

import javax.security.auth.callback.CallbackHandler;

import javax.security.auth.callback.NameCallback;

import javax.security.auth.callback.PasswordCallback;

import javax.security.auth.login.LoginException;

import javax.security.auth.spi.LoginModule;

import com.sap.engine.lib.security.Principal;

import com.sap.engine.interfaces.security.auth.AbstractLoginModule;

import turtle.common.util.security.MySecurity;

public class SapWasLoginModule extends AbstractLoginModule {

private Subject subject;

private CallbackHandler callbackHandler;

private Map sharedState;

private Map options;

private boolean loginSuccessful;

private String user;

private Principal principal;

private static final String MY_USER_GROUP = "MyUser";

public SapWasLoginModule() {

super();

}

public void initialize(Subject subject, CallbackHandler callbackHandler, Map sharedState, Map options) {

this.subject = subject;

this.callbackHandler = callbackHandler;

this.sharedState = sharedState;

this.options = options;

return;

}

public boolean login() throws LoginException {

Callback callbacks[] = new Callback[2];

callbacks[0] = new NameCallback("Name: ");

callbacks[1] = new PasswordCallback("Password: ", false);

char password[] = null;

try {

callbackHandler.handle(callbacks);

user = ((NameCallback) callbacks[0]).getName();

char[] tmpPswd = ((PasswordCallback) callbacks[1]).getPassword();

if (tmpPswd != null) {

password = new char[tmpPswd.length];

System.arraycopy(tmpPswd, 0, password, 0, tmpPswd.length);

System.out.println("password = " + new String(password));

((PasswordCallback) callbacks[1]).clearPassword();

tmpPswd = null;

}

System.out.println("My shared user name: " + MySecurity.getSharedUserName());

System.out.println("My shared password: " + MySecurity.getSharedCredentials());

if (user != null && user.equals(MySecurity.getSharedUserName())) {

if(password != null && new String(password).equals(MySecurity.getSharedCredentials())){

loginSuccessful = true;

if (sharedState.get(AbstractLoginModule.NAME) == null) {

sharedState.put(AbstractLoginModule.NAME, user);

}

System.out.println("MyLoginModule Login successful!");

} else {

System.out.println("MyLoginModule failed.");

throw new Exception("Invalid password!");

}

}else{

throw new Exception("Invalid user!");

}

} catch (Exception exc) {

throw new LoginException(exc.getMessage());

} finally {

password = null;

}

return loginSuccessful;

}

public boolean commit() throws LoginException {

System.out.println("Exited JaasLoginModule.commit() with " + loginSuccessful);

if (loginSuccessful) {

principal = new Principal(user);

subject.getPrincipals().add(principal);

sharedState.put(AbstractLoginModule.PRINCIPAL, principal);

}

return loginSuccessful;

}

public boolean abort() throws LoginException {

System.out.println("Entered JaasLoginModule.abort() with " + loginSuccessful);

cleanup();

return loginSuccessful;

}

public boolean logout() throws LoginException {

System.out.println("Entered JaasLoginModule.logout()");

cleanup();

return true;

}

private void cleanup() {

System.out.println("Entered JaasLoginModule.cleanup()");

user = null;

subject.getPrincipals().remove(principal);

principal = null;

return;

}

Here is the log file with more logging turned on:

#00065B3FCBDD001300001EFD00001570FFFFFFFFFFFFFFFF#1173120048633#System.out#mysoftware.com/MyProject#System.out#Guest#0#####Thread[Timer-6,5,ApplicationThreadGroup]##0#0#Info##Plain###MyOutput: 1Config: Test#

#1.5 #00065B3FCBDD001300001EFE00001570FFFFFFFFFFFFFFFF#1173120048633#System.out#mysoftware.com/MyProject#System.out#Guest#0#####Thread[Timer-6,5,ApplicationThreadGroup]##0#0#Info##Plain###MyOutput: Handling callbacks...#

#1.5 #00065B3FCBDD001300001EFF00001570FFFFFFFFFFFFFFFF#1173120048633#System.out#mysoftware.com/MyProject#System.out#Guest#0#####Thread[Timer-6,5,ApplicationThreadGroup]##0#0#Info##Plain###MyOutput: Callback [javax.security.auth.callback.NameCallback#

#1.5 #00065B3FCBDD001300001F0000001570FFFFFFFFFFFFFFFF#1173120048633#System.out#mysoftware.com/MyProject#System.out#Guest#0#####Thread[Timer-6,5,ApplicationThreadGroup]##0#0#Info##Plain###MyOutput: Setting name on NameCallback - usernameTBD#

#1.5 #00065B3FCBDD001300001F0100001570FFFFFFFFFFFFFFFF#1173120048633#System.out#mysoftware.com/MyProject#System.out#Guest#0#####Thread[Timer-6,5,ApplicationThreadGroup]##0#0#Info##Plain###MyOutput: Callback [javax.security.auth.callback.PasswordCallback#

#1.5 #00065B3FCBDD001300001F0200001570FFFFFFFFFFFFFFFF#1173120048633#System.out#mysoftware.com/MyProject#System.out#Guest#0#####Thread[Timer-6,5,ApplicationThreadGroup]##0#0#Info##Plain###MyOutput: Setting password on PasswordCallback - 4bfqi529nu4v7j0mc00naz2syj1omj#

#1.5 #00065B3FCBDD001300001F0300001570FFFFFFFFFFFFFFFF#1173120048633#System.out#mysoftware.com/MyProject#System.out#Guest#0#####Thread[Timer-6,5,ApplicationThreadGroup]##0#0#Info##Plain###MyOutput: Done handling callbacks.#

#1.5 #00065B3FCBDD001300001F0400001570FFFFFFFFFFFFFFFF#1173120048633#System.out#mysoftware.com/MyProject#System.out#Guest#0#####Thread[Timer-6,5,ApplicationThreadGroup]##0#0#Info##Plain###password = 4bfqi529nu4v7j0mc00naz2syj1omj#

#1.5 #00065B3FCBDD001300001F0500001570FFFFFFFFFFFFFFFF#1173120048633#System.out#mysoftware.com/MyProject#System.out#Guest#0#####Thread[Timer-6,5,ApplicationThreadGroup]##0#0#Info##Plain###shared user name: usernameTBD#

#1.5 #00065B3FCBDD001300001F0600001570FFFFFFFFFFFFFFFF#1173120048633#System.out#mysoftware.com/MyProject#System.out#Guest#0#####Thread[Timer-6,5,ApplicationThreadGroup]##0#0#Info##Plain###shared password: 4bfqi529nu4v7j0mc00naz2syj1omj#

#1.5 #00065B3FCBDD001300001F0700001570FFFFFFFFFFFFFFFF#1173120048633#System.out#mysoftware.com/MyProject#System.out#Guest#0#####Thread[Timer-6,5,ApplicationThreadGroup]##0#0#Info##Plain###MyLoginModule Login successful!#

#1.5 #00065B3FCBDD001300001F0800001570FFFFFFFFFFFFFFFF#1173120048633#System.out#mysoftware.com/MyProject#System.out#Guest#0#####Thread[Timer-6,5,ApplicationThreadGroup]##0#0#Info##Plain###Exited JaasLoginModule.commit() with true#

#1.5 #00065B3FCBDD001300001F0900001570FFFFFFFFFFFFFFFF#1173120048633#com.sap.security.core.server.userstore.UserContextUME#mysoftware.com/MyProject#com.sap.security.core.server.userstore.UserContextUME.engineRefresh()#Guest#0#####Thread[Timer-6,5,ApplicationThreadGroup]##0#0#Path##Plain###Entering method#

#1.5 #00065B3FCBDD001300001F0A00001570FFFFFFFFFFFFFFFF#1173120048633#com.sap.security.core.performance#mysoftware.com/MyProject#com.sap.security.core.performance.performanceTrace#Guest#0#####Thread[Timer-6,5,ApplicationThreadGroup]##0#0#Debug##Java###get(Object) called for key "" on region "". Result is ""#3#USERNAMETBD#UME_Cache_com.sap.security.core.imp.UserAccountFactory_mMappingCaches(ALL_DATASOURCES_)#<null># #1.5 #00065B3FCBDD001300001F0B00001570FFFFFFFFFFFFFFFF#1173120048633#com.sap.security.core.performance#mysoftware.com/MyProject#com.sap.security.core.performance.performanceTrace#Guest#0#####Thread[Timer-6,5,ApplicationThreadGroup]##0#0#Debug##Java###NO ERROR: CALLER TRACE EXCEPTION [EXCEPTION] #1#java.lang.Exception: NO ERROR: CALLER TRACE EXCEPTION

at com.sap.security.core.tools.PerformanceTracer.log(PerformanceTracer.java:103)

at com.sap.security.core.tools.PerformanceTracer.log(PerformanceTracer.java:129)

at com.sap.security.core.util.cache.CMLCache.get(CMLCache.java:68)

at com.sap.security.core.imp.UserAccountFactory.getLogonIDMapping(UserAccountFactory.java:103)

at com.sap.security.core.imp.UserAccountFactory.invalidateCacheEntryByLogonId(UserAccountFactory.java:1764)

at com.sap.security.core.imp.UserFactory.invalidateCacheEntryByLogonId(UserFactory.java:1833)

at com.sap.security.core.server.userstore.UserContextUME.engineRefresh(UserContextUME.java:889)

at com.sap.engine.services.security.userstore.context.UserContext.refresh(UserContext.java:358)

at com.sap.engine.services.security.server.jaas.CheckAction.refreshUserInfo(CheckAction.java:393)

at com.sap.engine.services.security.server.jaas.CheckAction.run(CheckAction.java:73)

at java.security.AccessController.doPrivileged(Native Method)

at com.sap.engine.services.security.server.jaas.LoginModuleHelperImpl.refreshUserInfo(LoginModuleHelperImpl.java:304)

at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:200)

at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)

at sun.reflect.GeneratedMethodAccessor110_10001.invoke(Unknown Source)