on 01-02-2006 8:22 AM
Hi,
Due to some special requirements (the SAP system uses employeeId as logon id, and a user might have more than one if he has moved to another country; the Portal and other systems use a shortname to log on), we need to be able to reissue a logon ticket with a new secondary logon name.
I am doing some proof-of-concept code which is based on two classes:
com.sap.security.core.server.jaas.SAPLogonTicketHelper
    Provides functionality for creating new SAP logon tickets.
com.sap.security.core.server.jaas.CreateTicketLoginModule
    JAAS login module used in the portal, which uses SAPLogonTicketHelper to issue the logon ticket when the user logs on.
I get two errors (depending on whether I use the SAPLogonTicketHelper or not) which I believe are linked to access control, but which I don't know how to configure for portal applications.
1. Get keystore directly without SAPLogonTicketHelper
import javax.naming.InitialContext;
import java.security.KeyStore;
// KeystoreManager is the SAP J2EE Engine keystore service interface (imported as in the poster's project)

public KeyStore getKeyStore(String keyStoreName) throws Exception {
    // Look up the engine's keystore service through JNDI
    InitialContext ctx = new InitialContext();
    Object o = ctx.lookup("keystore");
    KeystoreManager m_manager = (KeystoreManager) o;
    // The keystore service checks the calling code's permissions inside this call
    return m_manager.getKeystore(keyStoreName);
}
When called with parameter TicketKeystore, this results in the exception trace:
java.rmi.RemoteException: com.sap.engine.services.keystore.exceptions.BaseRemoteException: Remote call errored at com.sap.engine.services.keystore.impl.KeystoreManagerImpl.checkPermission(KeystoreManagerImpl.java:48) at com.sap.engine.services.keystore.interfaces.KeystoreManagerWrapper_Stub.checkPermission(KeystoreManagerWrapper_Stub.java:707) at com.sap.engine.services.keystore.interfaces.KeystoreManagerWrapper_Stub.getKeystore(KeystoreManagerWrapper_Stub.java:201) at com.sap.security.core.server.jaas.SimpleChangeEmployeeId.getKeyStore(SimpleChangeEmployeeId.java:53) at com.sap.security.core.server.jaas.SimpleChangeEmployeeId.getSSOLogonTicket(SimpleChangeEmployeeId.java:69) at com.sap.security.core.server.jaas.SimpleChangeEmployeeId.doContent(SimpleChangeEmployeeId.java:35) at com.sapportals.portal.prt.component.AbstractPortalComponent.serviceDeprecated(AbstractPortalComponent.java:209) at com.sapportals.portal.prt.component.AbstractPortalComponent.service(AbstractPortalComponent.java:114) at com.sapportals.portal.prt.core.PortalRequestManager.callPortalComponent(PortalRequestManager.java:328) at com.sapportals.portal.prt.core.PortalRequestManager.dispatchRequest(PortalRequestManager.java:136) at com.sapportals.portal.prt.core.PortalRequestManager.dispatchRequest(PortalRequestManager.java:189) at com.sapportals.portal.prt.component.PortalComponentResponse.include(PortalComponentResponse.java:215) at com.sapportals.portal.prt.pom.PortalNode.service(PortalNode.java:646) at com.sapportals.portal.prt.core.PortalRequestManager.callPortalComponent(PortalRequestManager.java:328) at com.sapportals.portal.prt.core.PortalRequestManager.dispatchRequest(PortalRequestManager.java:136) at com.sapportals.portal.prt.core.PortalRequestManager.dispatchRequest(PortalRequestManager.java:189) at com.sapportals.portal.prt.core.PortalRequestManager.runRequestCycle(PortalRequestManager.java:753) at 
com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:240) at com.sapportals.portal.prt.dispatcher.Dispatcher$doService.run(Dispatcher.java:522) at java.security.AccessController.doPrivileged(Native Method) at com.sapportals.portal.prt.dispatcher.Dispatcher.service(Dispatcher.java:405) at javax.servlet.http.HttpServlet.service(HttpServlet.java:853) at com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet.service(InvokerServlet.java:156) at javax.servlet.http.HttpServlet.service(HttpServlet.java:853) at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:390) at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:264) at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:347) at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:325) at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:887) at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:241) at com.sap.engine.services.httpserver.server.Client.handle(Client.java:92) at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:148) at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33) at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41) at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37) at java.security.AccessController.doPrivileged(Native Method) at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:95) at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:159) Caused by: com.sap.engine.services.keystore.exceptions.BaseKeystoreException: Application is not authorized to execute keystore operation [] at 
com.sap.engine.services.keystore.impl.security.CodeBasedSecurityConnector.checkPermissions_getView(CodeBasedSecurityConnector.java:712) at com.sap.engine.services.keystore.impl.security.SecurityRestrictionsChecker.checkPermission(SecurityRestrictionsChecker.java:230) at com.sap.engine.services.keystore.impl.ParameterChecker.checkPermission(ParameterChecker.java:35) at com.sap.engine.services.keystore.impl.KeystoreManagerImpl.checkPermission(KeystoreManagerImpl.java:46) ... 37 more Caused by: java.security.AccessControlException: access denied at java.security.AccessControlContext.checkPermission(AccessControlContext.java:269) at java.security.AccessController.checkPermission(AccessController.java:401) at com.sap.engine.services.keystore.impl.security.CodeBasedSecurityConnector.checkPermissions_getView(CodeBasedSecurityConnector.java:705) ... 40 more at com.sap.engine.services.keystore.exceptions.BaseRemoteException.writeReplace(BaseRemoteException.java:184) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:324) at java.io.ObjectStreamClass.invokeWriteReplace(ObjectStreamClass.java:896) at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1011) at java.io.ObjectOutputStream.writeObject(ObjectOutputStream.java:278) at com.sap.engine.services.rmi_p4.StubImpl.p4_initializeStreams(StubImpl.java:252) at com.sap.engine.services.rmi_p4.StubImpl.p4_replicate(StubImpl.java:245) at com.sap.engine.services.rmi_p4.StubBase.replicate(StubBase.java:125) at com.sap.engine.services.keystore.interfaces.KeystoreManagerWrapper_Stub.checkPermission(KeystoreManagerWrapper_Stub.java:734) at com.sap.engine.services.keystore.interfaces.KeystoreManagerWrapper_Stub.getKeystore(KeystoreManagerWrapper_Stub.java:201) at 
com.sap.security.core.server.jaas.SimpleChangeEmployeeId.getKeyStore(SimpleChangeEmployeeId.java:53) at com.sap.security.core.server.jaas.SimpleChangeEmployeeId.getSSOLogonTicket(SimpleChangeEmployeeId.java:69) at com.sap.security.core.server.jaas.SimpleChangeEmployeeId.doContent(SimpleChangeEmployeeId.java:35) at com.sapportals.portal.prt.component.AbstractPortalComponent.serviceDeprecated(AbstractPortalComponent.java:209) at com.sapportals.portal.prt.component.AbstractPortalComponent.service(AbstractPortalComponent.java:114) at com.sapportals.portal.prt.core.PortalRequestManager.callPortalComponent(PortalRequestManager.java:328) at com.sapportals.portal.prt.core.PortalRequestManager.dispatchRequest(PortalRequestManager.java:136) at com.sapportals.portal.prt.core.PortalRequestManager.dispatchRequest(PortalRequestManager.java:189) at com.sapportals.portal.prt.component.PortalComponentResponse.include(PortalComponentResponse.java:215) at com.sapportals.portal.prt.pom.PortalNode.service(PortalNode.java:646) at com.sapportals.portal.prt.core.PortalRequestManager.callPortalComponent(PortalRequestManager.java:328) at com.sapportals.portal.prt.core.PortalRequestManager.dispatchRequest(PortalRequestManager.java:136) at com.sapportals.portal.prt.core.PortalRequestManager.dispatchRequest(PortalRequestManager.java:189) at com.sapportals.portal.prt.core.PortalRequestManager.runRequestCycle(PortalRequestManager.java:753) at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:240) at com.sapportals.portal.prt.dispatcher.Dispatcher$doService.run(Dispatcher.java:522) at java.security.AccessController.doPrivileged(Native Method) at com.sapportals.portal.prt.dispatcher.Dispatcher.service(Dispatcher.java:405) at javax.servlet.http.HttpServlet.service(HttpServlet.java:853) at com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet.service(InvokerServlet.java:156) at javax.servlet.http.HttpServlet.service(HttpServlet.java:853) at 
com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:390) at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:264) at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:347) at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:325) at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:887) at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:241) at com.sap.engine.services.httpserver.server.Client.handle(Client.java:92) at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:148) at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33) at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41) at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37) at java.security.AccessController.doPrivileged(Native Method) at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:95) at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:159)
2. When called using SAPLogonTicketHelper
import java.util.HashMap;
import java.util.Map;
import java.security.KeyStore;

Map m_options = new HashMap();
m_options.put("keystore", "TicketKeystore");
// TODO: Is this the normal keystore password?
m_options.put("password", "xxx");
m_options.put("alias", "SAPLogonTicketKeypair");
m_options.put("client", "000");
// ticket valid for 8 hours
m_options.put("validity", "8");
m_options.put("mappeduser", secondaryUserName);
m_options.put("user", username);
KeyStore store = SAPLogonTicketHelper.getTicketKeyStore((String) m_options.get("keystore"),
                                                        (String) m_options.get("password"),
                                                        m_options);
This fails with the exception:
(note that the calling class SimpleChangeEmployeeId is in the same package as SAPLogonTicketHelper: com.sap.security.core.server.jaas)
java.lang.IllegalAccessError: tried to access method com.sap.security.core.server.jaas.SAPLogonTicketHelper.getTicketKeyStore(Ljava/lang/String;Ljava/lang/String;Ljava/util/Map;)Ljava/security/KeyStore; from class com.sap.security.core.server.jaas.SimpleChangeEmployeeId at com.sap.security.core.server.jaas.SimpleChangeEmployeeId.getSSOLogonTicket(SimpleChangeEmployeeId.java:70) at com.sap.security.core.server.jaas.SimpleChangeEmployeeId.doContent(SimpleChangeEmployeeId.java:35) at com.sapportals.portal.prt.component.AbstractPortalComponent.serviceDeprecated(AbstractPortalComponent.java:209) at com.sapportals.portal.prt.component.AbstractPortalComponent.service(AbstractPortalComponent.java:114) at com.sapportals.portal.prt.core.PortalRequestManager.callPortalComponent(PortalRequestManager.java:328) at com.sapportals.portal.prt.core.PortalRequestManager.dispatchRequest(PortalRequestManager.java:136) at com.sapportals.portal.prt.core.PortalRequestManager.dispatchRequest(PortalRequestManager.java:189) at com.sapportals.portal.prt.component.PortalComponentResponse.include(PortalComponentResponse.java:215) at com.sapportals.portal.prt.pom.PortalNode.service(PortalNode.java:646) at com.sapportals.portal.prt.core.PortalRequestManager.callPortalComponent(PortalRequestManager.java:328) at com.sapportals.portal.prt.core.PortalRequestManager.dispatchRequest(PortalRequestManager.java:136) at com.sapportals.portal.prt.core.PortalRequestManager.dispatchRequest(PortalRequestManager.java:189) at com.sapportals.portal.prt.core.PortalRequestManager.runRequestCycle(PortalRequestManager.java:753) at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:240) at com.sapportals.portal.prt.dispatcher.Dispatcher$doService.run(Dispatcher.java:522) at java.security.AccessController.doPrivileged(Native Method) at com.sapportals.portal.prt.dispatcher.Dispatcher.service(Dispatcher.java:405) at javax.servlet.http.HttpServlet.service(HttpServlet.java:853) at 
com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet.service(InvokerServlet.java:156) at javax.servlet.http.HttpServlet.service(HttpServlet.java:853) at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:390) at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:264) at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:347) at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:325) at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:887) at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:241) at com.sap.engine.services.httpserver.server.Client.handle(Client.java:92) at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:148) at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33) at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41) at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37) at java.security.AccessController.doPrivileged(Native Method) at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:95) at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:159) Got exception:java.lang.IllegalAccessError:tried to access method com.sap.security.core.server.jaas.SAPLogonTicketHelper.getTicketKeyStore(Ljava/lang/String;Ljava/lang/String;Ljava/util/Map;)Ljava/security/KeyStore; from class com.sap.security.core.server.jaas.SimpleChangeEmployeeId
Since IllegalAccessError is often thrown when using incompatible versions of a jar file, I verified using reflection that the method static java.security.KeyStore com.sap.security.core.server.jaas.SAPLogonTicketHelper.getTicketKeyStore(java.lang.String,java.lang.String,java.util.Map) throws java.lang.Exception existed.
I think no. 1 is the way to go, and therefore the question is how to assign rights for the keystore from a portal application (or a portal service if that is easier).
Regards
Dagfinn
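One reading of the IllegalAccessError in case 2 (an assumption on my part; the thread does not confirm it): a package-private method is only accessible from classes in the same runtime package, and the JVM defines a runtime package by package name and defining classloader. If the portal application's loader defines SimpleChangeEmployeeId while the engine's loader defines SAPLogonTicketHelper, the two classes share a package name but not a runtime package, and the link fails exactly as shown even though reflection confirms the method exists. The added program below is not code from this thread or from SAP; it uses hypothetical classes Helper and Caller to reproduce the effect with a second classloader, which is the JVM's code-based access control working as designed.

```java
package demo;

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;

// Stand-in for a helper whose key-handling method is package-private (hypothetical; not SAP's class).
class Helper {
    static String secret() {
        return "ticket-key";
    }
}

// Stand-in for a caller placed in the same package to reach that method (hypothetical).
class Caller {
    public static String call() {
        return Helper.secret(); // package-private call: legal only inside the same *runtime* package
    }
}

public class SplitPackageDemo {

    // Defines exactly one class itself and delegates everything else to its parent,
    // so "demo.Caller" ends up in a different runtime package than "demo.Helper".
    static final class IsolatingLoader extends ClassLoader {
        private final String isolated;

        IsolatingLoader(String isolated, ClassLoader parent) {
            super(parent);
            this.isolated = isolated;
        }

        @Override
        protected Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
            if (!name.equals(isolated)) {
                return super.loadClass(name, resolve);
            }
            synchronized (getClassLoadingLock(name)) {
                Class<?> c = findLoadedClass(name);
                if (c == null) {
                    byte[] bytes = readClassBytes(name);
                    c = defineClass(name, bytes, 0, bytes.length);
                }
                if (resolve) {
                    resolveClass(c);
                }
                return c;
            }
        }

        // Reads the compiled class file from the parent's classpath and redefines it here.
        private byte[] readClassBytes(String name) throws ClassNotFoundException {
            String resource = name.replace('.', '/') + ".class";
            try (InputStream in = getParent().getResourceAsStream(resource)) {
                if (in == null) {
                    throw new ClassNotFoundException(name);
                }
                ByteArrayOutputStream out = new ByteArrayOutputStream();
                byte[] buf = new byte[4096];
                int n;
                while ((n = in.read(buf)) != -1) {
                    out.write(buf, 0, n);
                }
                return out.toByteArray();
            } catch (IOException e) {
                throw new ClassNotFoundException(name, e);
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // Same defining loader for Caller and Helper: the package-private call links fine.
        System.out.println("same loader  : " + Caller.call());

        // Caller redefined by a second loader; Helper still comes from the parent loader.
        ClassLoader parent = SplitPackageDemo.class.getClassLoader();
        Class<?> foreignCaller = new IsolatingLoader("demo.Caller", parent).loadClass("demo.Caller");
        Method call = foreignCaller.getMethod("call");
        call.setAccessible(true); // Caller is not a public class; let reflection reach its public method
        try {
            System.out.println("split loader : " + call.invoke(null));
        } catch (InvocationTargetException e) {
            // The JVM refuses the link: demo.Helper is not in the foreign Caller's runtime package.
            System.out.println("split loader : " + e.getCause());
        }
    }
}
```

Compile and run with `javac -d out SplitPackageDemo.java` and `java -cp out demo.SplitPackageDemo`: the first call prints the value, the second prints a java.lang.IllegalAccessError. The practical consequence for the thread is that placing a class in the engine's package name does not confer the engine's access rights; the supported route is to give the application the keystore permission it needs, which is what case 1 is asking for.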
Hello Dagfinn,
I know it's been a while since your post, but I wonder if you resolved the problem and how?
I've a similar problem; the difference is that I want to access a keystore view from an XI Java mapping program.
I think that I have to add granted domains in the Security tab of the keystore service (Key Storage), but I don't know which.
Can you help me out?
Thanks in advance.
Alexandre
As far as I know it worked when the code was running as a JAAS login module (since it then has a different context).
The code is:
import javax.naming.InitialContext;
import java.security.KeyStore;
import java.security.cert.Certificate;

public static Certificate getCertificate(String keyStoreName, String certificateAlias) {
    try {
        // Look up the engine's keystore service through JNDI
        InitialContext ctx = new InitialContext();
        Object o = ctx.lookup("keystore");
        com.sap.engine.services.keystore.interfaces.KeystoreManagerWrapper_Stub manager =
            (com.sap.engine.services.keystore.interfaces.KeystoreManagerWrapper_Stub) o;
        // Permission check happens inside getKeystore
        KeyStore keyStore = manager.getKeystore(keyStoreName);
        Certificate certificate = keyStore.getCertificate(certificateAlias);
        return certificate;
    } catch (Exception e) {
        e.printStackTrace();
        return null;
    }
}