Creating Logon Tickets with the CreateTicketLoginModule

Former Member
0 Kudos

Hello All,

I've been trying to create the Logon Ticket MYSAPSSO2 by adding the login module CreateTicketLoginModule to my web app (the calculator) and to the example Hello app. I first tried setting it as SUFFICIENT then as REQUISITE but it hasn't made a difference.

The help.sap.com "Testing the Use of Logon Tickets" says the logon ticket is a cookie with the name MYSAPSSO2. However, setting my browser to prompt for cookies and using Ethereal to look at the traffic, I don't get this cookie.

I only get a JSESSIONID and a sapj2ee_<appname> cookie.

I'm not getting any information written into the security.log either.

I'm using the sneak preview version of SAP Web AS 6.40.

Thanks in advance for your help.

Accepted Solutions (0)

Answers (1)

0 Kudos

Hi Joe,

1. If you have a SUFFICIENT login module in the stack before CreateTicketLoginModule and this login module succeeds, the login modules that come after it (including CreateTicketLoginModule) will not be executed.

2. If you have a REQUISITE login module in the stack and this login module fails, none of the login modules after it will be executed.

3. You must have at least one login module in the authentication stack that successfully authenticates the user (for example BasicPasswordLoginModule or ClientCertLoginModule). If you are using a custom login module, it should put the name of the authenticated user in the shared state, under the key AbstractLoginModule.NAME.

This login module should be before CreateTicketLoginModule in the stack.

After the user is identified, CreateTicketLoginModule can create a ticket for that user.

Regards,

Svetlana
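The control-flag behaviour described in points 1 and 2 can be reproduced with the standard JAAS `LoginContext` in the JDK. This is an added example, not part of the thread and not SAP code: `Recorder` and `Ticket` are hypothetical stand-ins for an authenticating module and for CreateTicketLoginModule, and the stack is built in code rather than in the engine's configuration.

```java
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.*;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.spi.LoginModule;

public class StackOrderDemo {
    static final List<String> ran = new ArrayList<>();  // modules whose login() executed

    // Stand-in for an authenticating module; option "ok" fixes whether login() succeeds.
    public static class Recorder implements LoginModule {
        String label = "auth"; boolean ok = true;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
            if (opts.containsKey("ok")) ok = Boolean.parseBoolean((String) opts.get("ok"));
        }
        public boolean login() throws LoginException {
            ran.add(label);
            if (!ok) throw new FailedLoginException(label + " rejected the user");
            return true;
        }
        public boolean commit() { return true; }
        public boolean abort()  { return true; }
        public boolean logout() { return true; }
    }
    // Stand-in for CreateTicketLoginModule: only records that its login() was reached.
    public static class Ticket extends Recorder { public Ticket() { label = "ticket"; } }

    // Runs a login against the stack [Recorder with authFlag, Ticket REQUISITE].
    static String run(LoginModuleControlFlag authFlag, boolean authOk) {
        ran.clear();
        Map<String, String> opts = Collections.singletonMap("ok", String.valueOf(authOk));
        Configuration cfg = new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] {
                    new AppConfigurationEntry(Recorder.class.getName(), authFlag, opts),
                    new AppConfigurationEntry(Ticket.class.getName(),
                        LoginModuleControlFlag.REQUISITE, new HashMap<String, Object>()) };
            }
        };
        String result;
        try { new LoginContext("demo", null, null, cfg).login(); result = "login ok"; }
        catch (LoginException e) { result = "login failed"; }
        return authFlag + (authOk ? " succeeds" : " fails") + ": ran " + ran + ", " + result;
    }

    public static void main(String[] args) {
        System.out.println(run(LoginModuleControlFlag.SUFFICIENT, true));
        System.out.println(run(LoginModuleControlFlag.REQUISITE, false));
        System.out.println(run(LoginModuleControlFlag.REQUISITE, true));
    }
}
```

Only the third stack reaches the ticket stand-in: a successful SUFFICIENT module ends the login phase early, and a failed REQUISITE module aborts it.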

Former Member
0 Kudos

thanks Svetlana, I wasn't putting the name in the shared state. I had used the old tech-ed login module which didn't use the abstract login module...

Is there a way to not extend the AbstractLoginModule and instead implement LoginModule and still add the name to the shared state?

Moving over to the AbstractLoginModule way of doing the login module, I need to add a jar to my library build path...having done a search in the C:\Program Files\SAP\JDT\eclipse\plugins, the three jars I have a choice out of are:

sapj2eeclient.jar

sapj2eenginedeploy.jar

security_api.jar

using any of these jars the deploy aborts.

which jar should I be using to extend AbstractLoginModule?

the info about the aborting is...

May 18, 2004 4:10:45 PM /userOut/deploy (com.sap.ide.eclipse.sdm.threading.DeployThreadManager) [Deploy Thread] ERROR:

CalculatorEar.ear -> Deployment aborted

DEPLOYMENT ...

==> SDM host : tfsapwas640

==> SDM port : 50018

==> URL : file:/C:/DOCUME1/ADMINI1/LOCALS~1/Temp/temp62807CalculatorEar.ear

... ABORTED

Execution of deployment action for "CalculatorEar" aborted:

Caught exception during application deployment from SAP J2EE Engine's deploy service:

java.rmi.RemoteException: Cannot deploy application sap.com/CalculatorEar.. Reason: Unexpected exception occurred during generation of components of application sap.com/CalculatorEar in container servlet_jsp.; nested exception is: com.sap.engine.services.deploy.exceptions.ServerDeploymentException: Unexpected exception occurred during generation of components of application sap.com/CalculatorEar in container servlet_jsp.

(message ID: com.sap.sdm.serverext.servertype.inqmy.extern.EngineApplOnlineDeployerImpl.performAction(DeploymentActionTypes).REMEXC)

Message was edited by: Joe Bloggs

Former Member
0 Kudos

Hello,

Seeing as I'm not using the abstract login module, what value does AbstractLoginModule.NAME represent? I.e. if I put in my code

sharedState.put(<key>, userID);

what is the name of the key?

If anyone has got the Abstract login module to work...ie found a jar that doesn't crash the deploy, could you please find out the name of this key for me by adding this code

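    // Requires: import java.util.Iterator;
    // Dump every value currently held in the JAAS shared state.
    Iterator it = sharedState.values().iterator();
    while (it.hasNext()) {
        System.out.println("sharedState value is :" + it.next().toString());
    }

    // Dump every key currently held in the JAAS shared state.
    Iterator i = sharedState.keySet().iterator();
    while (i.hasNext()) {
        System.out.println("sharedState key is :" + i.next().toString());
    }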

Then if you look in the log "8:Default.trace.trc" in the J2ee engine, the system.outs will contain the info required.

Thanks

Former Member
0 Kudos

I think I'm close to being able to do this without being forced to use the AbstractLoginModule....

when I add

sharedState.put("javax.security.auth.login.principal", userID);

sharedState.put("javax.security.auth.login.name", userID);

To my code, the CreateTicketLoginModule creates a new SAP login ticket for my user...but then at the browser end I'm hit with

500 Internal Server Error

Unexpected error in parsing request for web mappings.

Details:

java.lang.ClassCastException
    at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:149)
    at com.sap.engine.services.servlets_jsp.server.runtime.context.SessionServletContext.doLogin(SessionServletContext.java:547)
    at com.sap.engine.services.servlets_jsp.server.runtime.context.SessionServletContext.checkUser(SessionServletContext.java:267)
    at com.sap.engine.services.servlets_jsp.server.runtime.context.ApplicationContext.checkMap(ApplicationContext.java:400)
    at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.checkRequest(HttpHandlerImpl.java:64)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:655)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:221)
    at com.sap.engine.services.httpserver.server.Client.handle(Client.java:92)
    at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:146)
    at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:37)
    at com.sap.engine.core.cluster.impl6.session.UnorderedChannel$MessageRunner.run(UnorderedChannel.java:71)
    at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:94)
    at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:140)

Does anyone know what else I need to set?

0 Kudos

Hi Joe,

In the following line:

sharedState.put("javax.security.auth.login.principal", userID);

you should use an object of type java.security.Principal.

In addition, I would say that you do not need to set this in the shared state to get a SAP Logon ticket.

The principal specified under this key is used as the principal that identifies the logged in user. (For example request.getUserPrincipal() returns that.)

If no principal is set in the shared state, an arbitrary principal from the subject is taken after commit phase.

Regards,

Svetlana
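A login module that implements `javax.security.auth.spi.LoginModule` directly and fills the shared state with the value types discussed above, as an added example that is not part of the thread and not SAP code. It assumes the two key strings quoted earlier in the thread, stores the user name as a `String` (the form under which the thread reports a ticket being created) and the principal as a `java.security.Principal`; `SharedStateLoginModule` and `UserPrincipal` are hypothetical names.

```java
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

// Hypothetical module: plain LoginModule, no AbstractLoginModule on the build path.
public class SharedStateLoginModule implements LoginModule {
    // Key strings as quoted in the thread (assumed, not taken from SAP documentation).
    static final String NAME_KEY = "javax.security.auth.login.name";
    static final String PRINCIPAL_KEY = "javax.security.auth.login.principal";

    static final class UserPrincipal implements Principal {
        private final String name;
        UserPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }

    private Subject subject; private CallbackHandler handler;
    private Map<String, Object> shared; private Principal user;

    @SuppressWarnings("unchecked")
    public void initialize(Subject s, CallbackHandler h, Map<String, ?> sharedState, Map<String, ?> opts) {
        subject = s; handler = h; shared = (Map<String, Object>) sharedState;
    }
    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user: ");
        try { handler.handle(new Callback[] { nc }); }
        catch (Exception e) { throw new LoginException("callback failed: " + e); }
        if (nc.getName() == null || nc.getName().isEmpty()) throw new FailedLoginException("no user id");
        // A real module must verify a credential here before vouching for the name.
        user = new UserPrincipal(nc.getName());
        shared.put(NAME_KEY, nc.getName());   // user name as a String
        return true;
    }
    public boolean commit() {
        subject.getPrincipals().add(user);
        shared.put(PRINCIPAL_KEY, user);      // a java.security.Principal, not a String
        return true;
    }
    public boolean abort()  { user = null; return true; }
    public boolean logout() { subject.getPrincipals().remove(user); return true; }

    // Drives the module by hand with a constructed handler that always answers "joe".
    public static void main(String[] args) throws Exception {
        Map<String, Object> shared = new HashMap<>();
        SharedStateLoginModule m = new SharedStateLoginModule();
        m.initialize(new Subject(), cbs -> ((NameCallback) cbs[0]).setName("joe"), shared, new HashMap<String, Object>());
        m.login(); m.commit();
        shared.forEach((k, v) -> System.out.println(k + " -> " + v.getClass().getSimpleName()));
    }
}
```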

Former Member
0 Kudos

Howdy Svetlana,

thanks for the help.

I've made my login module and CreateTicketLoginModule "Requisite".

In the login method in my login module I've put

userPrincipal = new SimplePrincipal(userID);

sharedState.put("javax.security.auth.login.name", userPrincipal);

the userID comes from the http Callback.

Then in commit I've put

sharedState.put("javax.security.auth.login.principal", userPrincipal);

When I try to log in the log gives me this error

Exception com.sap.engine.services.security.exceptions.BaseLoginException: Error in some of the login modules.
    at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:102)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:123)
    at com.sap.engine.services.servlets_jsp.server.runtime.context.SessionServletContext.doLogin(SessionServletContext.java:547)
    at com.sap.engine.services.servlets_jsp.server.runtime.context.SessionServletContext.checkUser(SessionServletContext.java:267)
    at com.sap.engine.services.servlets_jsp.server.runtime.context.ApplicationContext.checkMap(ApplicationContext.java:400)
    at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.checkRequest(HttpHandlerImpl.java:64)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:655)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:221)
    at com.sap.engine.services.httpserver.server.Client.handle(Client.java:92)
    at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:146)
    at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:37)
    at com.sap.engine.core.cluster.impl6.session.UnorderedChannel$MessageRunner.run(UnorderedChannel.java:71)
    at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:94)
    at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:140)
Caused by: java.lang.ClassCastException
    at com.sap.security.core.server.jaas.CreateTicketLoginModule.login(CreateTicketLoginModule.java:249)
    at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:54)
    ... 16 more

Have I put the items in the shared state properly?

From my understanding, to create the SAP login ticket I need an authenticated user...to make the SAP WAS acknowledge my authenticated user I need to add the name to the shared state and it will check that name against the User Store...and then make the MYSAPSSO2 cookie. Is this correct?

Thanks,

Joe