on 04-28-2004 7:52 AM
Hello All,
I've been trying to create the Logon Ticket MYSAPSSO2 by adding the login module CreateTicketLoginModule to my web app (the calculator) and to the example Hello app. I first tried setting it as SUFFICIENT, then as REQUISITE, but it hasn't made a difference.
The help.sap.com "Testing the Use of Logon Tickets" says the logon ticket is a cookie with the name MYSAPSSO2. However, setting my browser to prompt for cookies and using Ethereal to look at the traffic, I don't get this cookie.
I only get a JSESSIONID and a sapj2ee_<appname> cookie.
I'm not getting any information written into the security.log either.
I'm using the sneak preview version of SAP Web AS 6.40.
Thanks in advance for your help.
Hi Joe,
1. If you have a SUFFICIENT login module in the stack before CreateTicketLoginModule, then if this login module succeeds, the login modules that are after it (including CreateTicketLoginModule) will not be executed.
2. If you have a REQUISITE login module in the stack and this login module fails, none of the login modules after it will be executed.
3. You must have in the authentication stack at least one login module that successfully authenticates the user (for example BasicPasswordLoginModule or ClientCertLoginModule). If you are using a custom login module, then it should put in the shared state the name of the authenticated user, under the key AbstractLoginModule.NAME.
This login module should be before CreateTicketLoginModule in the stack.
After the user is identified, CreateTicketLoginModule can create a ticket for that user.
Regards,
Svetlana
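The control-flag behaviour described in this reply, as an added example that is not part of the original thread and is not SAP code. It runs two stand-in modules through the standard `javax.security.auth.login.LoginContext` instead of the engine's own login context, on the assumption that the engine applies the same flag semantics; `StackOrderDemo`, `Auth`, `Ticket` and the user `joe` are constructed names.

```java
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.*;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.spi.LoginModule;
public class StackOrderDemo {
    static final List<String> ran = new ArrayList<>();   // order in which login() was called
    static boolean authOk;                               // constructed switch: does Auth succeed?
    public static class Auth implements LoginModule {    // stand-in for the authenticating module
        protected Map<String, Object> shared;
        @SuppressWarnings("unchecked")
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> state, Map<String, ?> opts) {
            shared = (Map<String, Object>) state;
        }
        public boolean login() throws LoginException {
            ran.add("Auth");
            if (!authOk) throw new FailedLoginException("bad credentials");
            shared.put("javax.security.auth.login.name", "joe");   // name for later modules
            return true;
        }
        public boolean commit() { return true; }
        public boolean abort() { return true; }
        public boolean logout() { return true; }
    }
    public static class Ticket extends Auth {            // stand-in for CreateTicketLoginModule
        @Override public boolean login() {
            ran.add("Ticket for " + shared.get("javax.security.auth.login.name")); return true;
        }
    }
    // Builds the stack [Auth(authFlag), Ticket(REQUISITE)] and reports which login() calls ran.
    static List<String> run(LoginModuleControlFlag authFlag, boolean ok) {
        ran.clear(); authOk = ok;
        Configuration cfg = new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] {
                    new AppConfigurationEntry(Auth.class.getName(), authFlag, Collections.emptyMap()),
                    new AppConfigurationEntry(Ticket.class.getName(),
                        LoginModuleControlFlag.REQUISITE, Collections.emptyMap()) };
            }
        };
        try { new LoginContext("demo", new Subject(), null, cfg).login(); }
        catch (LoginException e) { ran.add("login failed"); }
        return new ArrayList<>(ran);
    }
    public static void main(String[] args) {
        System.out.println("SUFFICIENT, succeeds: " + run(LoginModuleControlFlag.SUFFICIENT, true));
        System.out.println("REQUISITE, fails:     " + run(LoginModuleControlFlag.REQUISITE, false));
        System.out.println("REQUISITE, succeeds:  " + run(LoginModuleControlFlag.REQUISITE, true));
    }
}
```

Only the third configuration reaches the ticket stand-in, which is why the position and flag of the module in front of CreateTicketLoginModule decide whether a ticket is issued at all.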
Thanks Svetlana, I wasn't putting the name in the shared state. I had used the old tech-ed login module which didn't use the abstract login module...
Is there a way to not extend the AbstractLoginModule and instead implement LoginModule and still add the name to the shared state?
Moving over to the AbstractLoginModule way of doing the login module, I need to add a jar to my library build path...having done a search in the C:\Program Files\SAP\JDT\eclipse\plugins, the three jars I have a choice out of are:
sapj2eeclient.jar
sapj2eenginedeploy.jar
security_api.jar
Using any of these jars, the deploy aborts.
Which jar should I be using to extend AbstractLoginModule?
The info about the aborting is...
May 18, 2004 4:10:45 PM /userOut/deploy (com.sap.ide.eclipse.sdm.threading.DeployThreadManager) [Deploy Thread] ERROR:
CalculatorEar.ear -> Deployment aborted
DEPLOYMENT ...
==> SDM host : tfsapwas640
==> SDM port : 50018
==> URL : file:/C:/DOCUME1/ADMINI1/LOCALS~1/Temp/temp62807CalculatorEar.ear
... ABORTED
Execution of deployment action for "CalculatorEar" aborted:
Caught exception during application deployment from SAP J2EE Engine's deploy service:
java.rmi.RemoteException: Cannot deploy application sap.com/CalculatorEar.. Reason: Unexpected exception occurred during generation of components of application sap.com/CalculatorEar in container servlet_jsp.; nested exception is: com.sap.engine.services.deploy.exceptions.ServerDeploymentException: Unexpected exception occurred during generation of components of application sap.com/CalculatorEar in container servlet_jsp.
(message ID: com.sap.sdm.serverext.servertype.inqmy.extern.EngineApplOnlineDeployerImpl.performAction(DeploymentActionTypes).REMEXC)
Message was edited by: Joe Bloggs
Hello,
Seeing as I'm not using the abstract login module, what value does AbstractLoginModule.NAME represent? I.e. if I put in my code
sharedState.put(<key>, userID);
what is the name of the key?
If anyone has got the abstract login module to work, i.e. found a jar that doesn't crash the deploy, could you please find out the name of this key for me by adding this code
Iterator it = sharedState.values().iterator();
while (it.hasNext()) {
    System.out.println("sharedState value is :" + it.next().toString());
}
Iterator i = sharedState.keySet().iterator();
while (i.hasNext()) {
    System.out.println("sharedState key is :" + i.next().toString());
}
Then if you look in the log "8:Default.trace.trc" in the J2EE engine, the System.outs will contain the info required.
Thanks
I think I'm close to being able to do this without being forced to use the AbstractLoginModule....
When I add
sharedState.put("javax.security.auth.login.principal", userID);
sharedState.put("javax.security.auth.login.name", userID);
to my code, the CreateTicketLoginModule creates a new SAP login ticket for my user... but then at the browser end I'm hit with
500 Internal Server Error
Unexpected error in parsing request for web mappings.
Details:
java.lang.ClassCastException
at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:149)
at com.sap.engine.services.servlets_jsp.server.runtime.context.SessionServletContext.doLogin(SessionServletContext.java:547)
at com.sap.engine.services.servlets_jsp.server.runtime.context.SessionServletContext.checkUser(SessionServletContext.java:267)
at com.sap.engine.services.servlets_jsp.server.runtime.context.ApplicationContext.checkMap(ApplicationContext.java:400)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.checkRequest(HttpHandlerImpl.java:64)
at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:655)
at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:221)
at com.sap.engine.services.httpserver.server.Client.handle(Client.java:92)
at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:146)
at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:37)
at com.sap.engine.core.cluster.impl6.session.UnorderedChannel$MessageRunner.run(UnorderedChannel.java:71)
at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
at java.security.AccessController.doPrivileged(Native Method)
at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:94)
at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:140)
Does anyone know what else I need to set?
Hi Joe,
In the following line:
sharedState.put("javax.security.auth.login.principal", userID);
you should use an object of type java.security.Principal.
In addition, I would say that you do not need to set this in the shared state to get a SAP Logon ticket.
The principal specified under this key is used as the principal that identifies the logged in user. (For example request.getUserPrincipal() returns that.)
If no principal is set in the shared state, an arbitrary principal from the subject is taken after commit phase.
Regards,
Svetlana
Howdy Svetlana,
Thanks for the help.
I've made my login module and CreateTicketLoginModule "Requisite".
In the login method in my login module I've put
userPrincipal = new SimplePrincipal(userID);
sharedState.put("javax.security.auth.login.name", userPrincipal);
The userID comes from the http Callback.
Then in commit I've put
sharedState.put("javax.security.auth.login.principal", userPrincipal);
When I try to log in, the log gives me this error:
Exception com.sap.engine.services.security.exceptions.BaseLoginException: Error in some of the login modules.
at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:102)
at java.security.AccessController.doPrivileged(Native Method)
at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:123)
at com.sap.engine.services.servlets_jsp.server.runtime.context.SessionServletContext.doLogin(SessionServletContext.java:547)
at com.sap.engine.services.servlets_jsp.server.runtime.context.SessionServletContext.checkUser(SessionServletContext.java:267)
at com.sap.engine.services.servlets_jsp.server.runtime.context.ApplicationContext.checkMap(ApplicationContext.java:400)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.checkRequest(HttpHandlerImpl.java:64)
at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:655)
at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:221)
at com.sap.engine.services.httpserver.server.Client.handle(Client.java:92)
at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:146)
at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:37)
at com.sap.engine.core.cluster.impl6.session.UnorderedChannel$MessageRunner.run(UnorderedChannel.java:71)
at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
at java.security.AccessController.doPrivileged(Native Method)
at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:94)
at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:140)
Caused by: java.lang.ClassCastException
at com.sap.security.core.server.jaas.CreateTicketLoginModule.login(CreateTicketLoginModule.java:249)
at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:54)
... 16 more
Have I put the items in the shared state properly?
From my understanding, to create the SAP login ticket I need an authenticated user... to make the SAP WAS acknowledge my authenticated user I need to add the name to the shared state and it will check that name against the user store... and then make the MYSAPSSO2 cookie. Is this correct?
Thanks,
Joe
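An added example (not from the thread, and not SAP's code) of a login module that implements `LoginModule` directly and still publishes the user in the shared state. It assumes, from the two stack traces in the thread, that the name key holds a `String` and the principal key a `java.security.Principal`; `PlainLoginModule`, the credentials and the use of `NameCallback`/`PasswordCallback` in place of the engine's HTTP callback are constructed for illustration.

```java
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
public class PlainLoginModule implements LoginModule {
    // Value types are an assumption inferred from the thread: name = String, principal = Principal.
    static final String NAME_KEY = "javax.security.auth.login.name";
    static final String PRINCIPAL_KEY = "javax.security.auth.login.principal";
    private Subject subject;
    private CallbackHandler handler;
    private Map<String, Object> shared;
    private Principal principal;
    @SuppressWarnings("unchecked")
    public void initialize(Subject s, CallbackHandler h, Map<String, ?> state, Map<String, ?> opts) {
        subject = s; handler = h; shared = (Map<String, Object>) state;
    }
    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try { handler.handle(new Callback[] { nc, pc }); }
        catch (Exception e) { throw new LoginException("callback failed: " + e); }
        // Constructed credential check; a real module verifies against its user store.
        boolean ok = "joe".equals(nc.getName()) && Arrays.equals("s3cret".toCharArray(), pc.getPassword());
        pc.clearPassword();
        if (!ok) throw new FailedLoginException("bad credentials");
        String user = nc.getName();
        principal = () -> user;                 // Principal's single abstract method is getName()
        shared.put(NAME_KEY, user);             // the user name as a String, for later modules
        return true;
    }
    public boolean commit() {
        if (principal == null) return false;    // login() never succeeded
        subject.getPrincipals().add(principal);
        shared.put(PRINCIPAL_KEY, principal);   // optional; must be a Principal when set
        return true;
    }
    public boolean abort() { principal = null; shared.remove(NAME_KEY); return true; }
    public boolean logout() { subject.getPrincipals().remove(principal); return true; }
    public static void main(String[] args) throws Exception {
        Map<String, Object> state = new HashMap<>();
        PlainLoginModule m = new PlainLoginModule();
        m.initialize(new Subject(), cbs -> {
            ((NameCallback) cbs[0]).setName("joe");
            ((PasswordCallback) cbs[1]).setPassword("s3cret".toCharArray());
        }, state, new HashMap<String, Object>());
        m.login(); m.commit();
        Principal p = (Principal) state.get(PRINCIPAL_KEY);   // the casts a later module would make
        System.out.println((String) state.get(NAME_KEY) + " / " + p.getName());
    }
}
```

Swapping the value types under the two keys makes one of the casts in `main` throw `ClassCastException`, the same failure class as in both stack traces in the thread.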