Custom LoginModule and FORM based authentication on J2EE Engine 6.20

Former Member

I am using the SAP J2EE Engine 6.20. It is a somewhat stripped-down version, for partners to test deployment of their J2EE applications. For my web application's user authentication, I'd like to do two things:

#1 Use the FORM-based mechanism.

For this, I have a logon.jsp file that contains a form, with the action name "j_security_check" and two input fields, "j_username" and "j_password". Then, via the Deploy Tool, I specify FORM as the authentication method and logon.jsp as the login page and the error page.

As I understand it, this is standard J2EE stuff, and it appears to be working on the SAP J2EE Engine as well.

#2 Use my custom LoginModule to do the actual user name and password verification.

For this, I wrote a Java class that implements the javax.security.auth.spi.LoginModule interface.

Now the confusion begins. Somewhere in the SAP documentation, it says I can enter my custom login module in the web-j2ee-engine.xml descriptor file for my web app. I did that, following the DTD for the file. After deploying the web app, my login module class doesn't seem to be called.

In another place in the documentation, it says I need to register the custom login module with the security service provider. How do I perform the registration? I tried using the Visual Administrator tool; under the Services/security/JAAS tab, I see two applications, InQMyLoginSystem and one other. So I added a new one with the same name as my web app and then specified my custom login module for it. Again, after redeployment, my login module is not called.

I feel that I am missing a link somewhere. Could you please point me in the right direction?

In yet another place in the documentation, it says that in order to use the custom login module, I have to utilize the LoginContext interface in my servlet or JSP code. Does this mean that in my logon.jsp file, I have to explicitly call the custom login module via LoginContext? In other words, a simple j_security_check form won't work in the case of a custom login module?

Thanks a lot. I can send the EAR file if that helps.

wentao

Accepted Solutions (0)

Answers (1)

Former Member

Hello again. I've made some progress, but it is probably not the "correct" solution.

In Visual Administrator, open the Services / security / JAAS tab. Under Available Applications, the first entry is InQMyLoginSystem. It is configured to use the login module "com.inqmy.services.security.jaas.InqmyLoginModule", with the flag "Required".

I change its flag to "Sufficient". Then I add my custom login module to the same application, with the flag set to "Sufficient" as well. So now the application "InQMyLoginSystem" has two login modules in the stack, both as "Sufficient". The ordering of the two doesn't matter.

Now, when I try to access my web application (with security roles and constraints etc. defined), it enters my custom login module code.

But the problem is, accessing ANY protected web application will now enter my login module code. I am sure this is NOT the correct behavior. I should be able to designate my login module for my app only.

Thanks for any hints on how to accomplish this.

wentao


Hello Mr. Wentao Pan,

SAP J2EE Engine 6.20 has limited options for using JAAS login modules for authentication of your application. Indeed, if you change the configuration of "InQMyLoginSystem", all components that use it (for example the Web Container) will call your login module on authentication. This means that access to all protected areas will go through your login module.

You have two options to proceed:

1. Modify your login module so that it works correctly when called for all protected areas. This may not be possible if the login module is, and must be, specific to the application.

2. Create a different configuration (as you did) with your login module. After this, modify the application so that entering a protected area results in an application page (JSP or servlet) which asks for the authentication tokens (username/password). This JSP or servlet then has to use the JAAS API to perform the authentication. Note that the authentication is then done by the application itself and not by the Web Container!

Sample code would be:

  import javax.security.auth.login.LoginContext;

  // "<your-configuration-name>" is the JAAS configuration name registered under
  // Services / security / JAAS in Visual Administrator
  LoginContext login = new LoginContext("<your-configuration-name>", callbackhandler);

  login.login();   // throws javax.security.auth.login.LoginException if authentication fails

Compared to the 6.20 version, SAP J2EE Engine 6.30/6.40 is pretty versatile. The Web Container is better integrated with JAAS, so you can configure different login module stacks for each application, and the Web Container will use that stack only for that application. You can also deploy, together with the application, the configuration of the login module stack and the login modules to be used.

So if it is possible for you to switch to the 6.30/6.40 version, you will benefit greatly in this area.

best regards,

stephan

Former Member

Hello Stephan,

Many thanks for your detailed response. No, I don't have the option to use J2EE Engine 6.30 or 6.40. I am seeking certification from SAP Labs, and they require using 6.20 as of now.

To test out what you suggested in option #2, I modified my logon.jsp so that, instead of calling the default j_security_check, it calls a servlet that I implement, say MyLoginServlet.

In MyLoginServlet.doGet() and doPost(), I do exactly as you said:

  import javax.security.auth.callback.CallbackHandler;
  import javax.security.auth.login.LoginContext;

  // hand the two form fields to the login module through the JAAS callbacks
  CallbackHandler handler = new MyCallbackHandler(request.getParameter("j_username"),
                                                  request.getParameter("j_password"));

  // "myLoginModule" is the JAAS configuration name registered under Services / security / JAAS
  LoginContext lc = new LoginContext("myLoginModule", handler);

  lc.login();   // throws LoginException if the login module rejects the credentials

MyCallbackHandler is the class that passes the username and password to the login module.

When I test MyLoginServlet by itself (by removing all security constraints and invoking the servlet through its URL), it appears to be working; in other words, it is able to enter my custom login module. But when I add the security constraints back and set my logon.jsp as the login page (in web.xml), the logon.jsp shows up when accessing protected resources, but clicking the button does nothing!

It seems as if the SAP J2EE Engine ignores the specified login page (when using FORM-based login) if the action is different from the default "j_security_check". Is this understanding correct? If so, there is still no way to call my custom login module, even through LoginContext.

Shall I simply forget about doing this in the 6.20 engine?

sad wentao
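A complete, runnable version of the approach Stephan describes in option 2 and that the MyLoginServlet snippet above sketches, added here as an example; it is not code from this thread or from SAP. It shows the three pieces that have to fit together: a custom LoginModule following the JAAS two-phase login()/commit() contract (with abort()/logout() cleanup), the CallbackHandler that carries the j_username/j_password form fields into the module's NameCallback/PasswordCallback, and a driver that authenticates through LoginContext. The class names, the configuration name "myLoginModule", the user "wentao" and the in-memory credential table are all constructed for the demo. Instead of the JAAS entry registered in Visual Administrator, a programmatic Configuration is installed so the example runs offline on a modern JDK (it uses generics and Java 8 syntax that the JDK 1.3/1.4-era 6.20 engine would not accept).

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

// Custom LoginModule (constructed example): login() verifies the credentials,
// commit() attaches a Principal to the Subject, abort()/logout() clean up.
public class DemoLoginModule implements LoginModule {
    // Constructed in-memory credential table; a real module would query a user store.
    private static final Map<String, char[]> USERS = new HashMap<>();
    static { USERS.put("wentao", "s3cret".toCharArray()); }

    private Subject subject; private CallbackHandler handler;
    private String user;     private boolean succeeded;

    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }

    public boolean login() throws LoginException {
        if (handler == null) throw new LoginException("no CallbackHandler supplied");
        NameCallback nc = new NameCallback("user: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { nc, pc });
        } catch (Exception e) {
            throw new LoginException("callback failed: " + e);
        }
        char[] supplied = pc.getPassword();
        pc.clearPassword();
        char[] expected = USERS.get(nc.getName());
        // Unknown user and wrong password fail with the same exception, so the error leaks nothing.
        succeeded = expected != null && supplied != null && Arrays.equals(expected, supplied);
        if (supplied != null) Arrays.fill(supplied, '\0');   // do not keep the password around
        if (!succeeded) throw new FailedLoginException("bad credentials");
        user = nc.getName();
        return true;
    }

    public boolean commit() {
        if (!succeeded) return false;   // overall login failed elsewhere in the stack: add nothing
        subject.getPrincipals().add(new UserPrincipal(user));
        return true;
    }
    public boolean abort() { user = null; succeeded = false; return true; }
    public boolean logout() {
        subject.getPrincipals().removeIf(p -> p instanceof UserPrincipal);
        return true;
    }

    public static final class UserPrincipal implements Principal {
        private final String name;
        UserPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        public String toString() { return "UserPrincipal(" + name + ")"; }
    }

    // Carries the j_username / j_password form fields into the LoginModule's callbacks.
    public static final class FormCallbackHandler implements CallbackHandler {
        private final String username; private final char[] password;
        public FormCallbackHandler(String username, String password) {
            this.username = username;
            this.password = password == null ? new char[0] : password.toCharArray();
        }
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(username);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                else throw new UnsupportedCallbackException(cb);
            }
        }
    }

    // Stand-alone driver. A programmatic Configuration maps the constructed name "myLoginModule"
    // to this class; on the 6.20 engine that mapping is the JAAS entry in Visual Administrator.
    public static void main(String[] args) {
        Configuration.setConfiguration(new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(DemoLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, new HashMap<String, Object>()) };
            }
        });
        String[][] attempts = { { "wentao", "s3cret" }, { "wentao", "wrong" }, { "nobody", "s3cret" } };
        for (String[] a : attempts) {
            try {
                LoginContext lc = new LoginContext("myLoginModule", new FormCallbackHandler(a[0], a[1]));
                lc.login();   // drives initialize() -> login() -> commit() (or abort() on failure)
                System.out.println(a[0] + ": OK, principals=" + lc.getSubject().getPrincipals());
                lc.logout();
            } catch (LoginException e) {
                System.out.println(a[0] + ": FAILED (" + e.getMessage() + ")");
            }
        }
    }
}
```

Compile and run with `javac DemoLoginModule.java && java DemoLoginModule`: the first attempt succeeds and prints the UserPrincipal, the other two end in FailedLoginException. The module keeps to the JAAS contract the engine relies on when it runs a stack: only login() decides, commit() is called afterwards for every module and must add nothing when the overall login failed, and the caller learns the outcome solely from whether LoginContext.login() throws. The same contract explains the side effect reported earlier in the thread: under JAAS semantics a module flagged Sufficient that succeeds ends the stack, so once a second Sufficient module sits in the shared InQMyLoginSystem entry, every component using that entry can be authenticated by whichever module accepts the credentials first.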

Former Member

Hi Wentao Pan!

I saw your post in the forum. Now I am facing the same requirement.

That is, logging into the portal with form-based authentication. I want to log in to the portal from a JSP page.

Can you guide me on how to approach this?