Thread: OC4J 11g and JAZN


Replies: 24 - Pages: 2 - Last Post: Jan 22, 2009 3:01 AM by user496333
igiboy@pobox.sk

Posts: 6
Registered: 11/13/03
OC4J 11g and JAZN
Posted: Jul 26, 2007 8:13 AM
Is it still possible to configure a custom login module (DBTableOraDataSourceLoginModule) in 11g?
I tried to use the steps written in the document at http://www.oracle.com/technology/products/jdev/howtos/1013/oc4jjaas/oc4j_jaas_login_module.htm
but it doesn't work. No error, no warning, nothing. It seems to me that <login-module> was simply ignored.

Is there any document for 11g, as there is for 10.1.3?
Frank Nimphius

Posts: 19,779
Registered: 01/10/01
Re: OC4J 11g and JAZN
Posted: Aug 2, 2007 8:02 AM   in response to: igiboy@pobox.sk
Hi,

yes, you can have this. However, the configuration in 11 has changed and the custom LoginModule is configured in jps-config.xml and no longer in system-jazn-data.xml. I have it working on my machine but must admit that there is no good document available yet.

Frank
Yannick Majoros

Posts: 103
Registered: 10/31/06
Re: OC4J 11g and JAZN
Posted: Aug 6, 2007 9:18 AM   in response to: igiboy@pobox.sk
Any link to some documentation?
Yannick Majoros

Posts: 103
Registered: 10/31/06
Re: OC4J 11g and JAZN
Posted: Aug 7, 2007 8:39 AM   in response to: Yannick Majoros
More specifically, how should I make my login module respond to all usernames? This could sound simple, but I can only get to it if the user is "oc4jadmin" (I guess it should work with the others I define in the jazn.com realm).
Frank Nimphius

Posts: 19,779
Registered: 01/10/01
Re: OC4J 11g and JAZN
Posted: Aug 7, 2007 9:34 AM   in response to: Frank Nimphius
Hi,

here's an unfinished sample from the whitepaper I'm writing

In Oracle JAAS, which is the JAAS implementation in OC4J 11, the login module is configured in the jps-config.xml file, where jps stands for Java Platform Security. If you worked with security in previous versions of Oracle OC4J, you will notice a change in configuration, which mainly is that the JAAS LoginModule configuration is taken out of jazn-data.xml and orion-application.xml and put into the new jps-config.xml file.

For the embedded OC4J server in Oracle JDeveloper 11 on Microsoft Windows, the jps-config.xml file is located in the C:\Documents and Settings\<username>\Application Data\JDeveloper\system11.1.1.0.18.<version>\o.j2ee\embedded-oc4j\config directory. The jps-config.xml file is structured in three major sections:

Service Provider

Service Instances

LoginModule Context


Service Provider

Security configuration in OC4J 11 is very granular and allows administrators to define custom providers for credential store, policy and login. The default configuration in OC4J uses the Oracle JAAS provider, which by default stores the user accounts and application roles in jazn-data.xml, an XML-formatted ASCII file. The Service Provider section is used to register a provider with a type, a name and a reference to the implementation class called by the Oracle Java Platform Security framework.

Service Instances

The service instance is used to configure instances of the declared service providers. For the use of JAAS login modules, the service instances configure a specific LoginModule and its required initialization properties for a specific security provider, like oracle.security.jps.internal.login.jaas.JaasLoginServiceProvider. The Oracle JaasLoginServiceProvider is the default security provider used also for container managed security.

<serviceProvider type="LOGIN" name="jaas.login.provider" class="oracle.security.jps.internal.login.jaas.JaasLoginServiceProvider">
  <description>This is Jaas Login Service Provider and is used to configure login module service instances</description>
</serviceProvider>

Custom LoginModules that are used for OC4J container managed security or direct JAAS authentication need to be configured as a named instance in the jps-config.xml configuration file.

<serviceInstance name="adf.demo.sample.auth" provider="jaas.login.provider">
  <description>Sample LoginModule</description>
  <property name="loginModuleClassName" value="<the login module package and class name>"/>
  <property name="jaas.login.controlFlag" value="REQUIRED"/>
</serviceInstance>

In this example, the JAAS LoginModule instance is referenceable through its name - adf.demo.sample.auth - an arbitrary string chosen as the name. The provider attribute references the Oracle JAAS security provider by its given registration name. The two mandatory properties configured for this login module are the LoginModule class name and the control flag, which is set to REQUIRED. If the custom LoginModule requires custom properties to be passed upon initialization, then these need to be added here as well.

LoginModule Context

The LoginContext is used in JAAS to reference the JAAS LoginModule configuration from an application for authentication. In the application code, the LoginContext is created with a name identifying the LoginModule configuration defined in the security policy and a CallbackHandler to be used for user interaction. In the jps-config.xml file the context is created as follows:

<jpsContexts>
  ...
  <jpsContext name="how-to-auth-sample-ctx">
    <serviceInstanceRef ref="adf.demo.sample.auth"/>
  </jpsContext>
  ...
</jpsContexts>

This is how you set up the JAAS context. The rest should be the same as before.

Frank

Yannick Majoros

Posts: 103
Registered: 10/31/06
Re: OC4J 11g and JAZN
Posted: Aug 7, 2007 4:30 PM   in response to: Frank Nimphius
Thank you.

I now have a working login module... except that it doesn't accept names besides "oc4jadmin" or user names from system-jazn-data.xml (e.g.: fmwadmin). Other user names throw an exception even before getting to the login module. Any clue?
Selina

Posts: 5
Registered: 08/24/06
Re: OC4J 11g and JAZN
Posted: Aug 10, 2007 2:11 AM   in response to: Yannick Majoros
Hi Frank,

I have modified jps-config.xml in the JDev embedded OC4J, as below.

In the <serviceInstances> section, add:
<serviceInstance name="testlogin" provider="jaas.login.provider">
  <description>Sample LoginModule</description>
  <property name="loginModuleClassName" value="oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule"/>
  <property name="jaas.login.controlFlag" value="REQUIRED"/>
  <property name="table" value="ovs_user"/>
  <property name="data_source_name" value="jdbc/OVSDS"/>
  <property name="groupMembershipGroupFieldName" value="role_name"/>
  <property name="passwordField" value="password"/>
  <property name="groupMembershipTableName" value="ovs_user_role_view"/>
  <!-- usernameField must name the user-name column of ovs_user, not the role column -->
  <property name="usernameField" value="<user name column of ovs_user>"/>
  <!-- the encoder class belongs on pw_encoding_class, not on a second groupMembershipGroupFieldName -->
  <property name="pw_encoding_class" value="oracle.security.jazn.login.module.db.util.DBLoginModuleMD5Encoder"/>
</serviceInstance>

In the <jpsContexts> section, add:
<jpsContext name="testlogin">
  <serviceInstanceRef ref="testlogin"/>
</jpsContext>

And I have removed the configuration about custom login module from system-jazn-data.xml.

But the custom login module is still ignored.

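Added example, not code from this thread or from Oracle: a small Python linter for the jps-config.xml wiring Frank describes above (provider, service instance, jpsContext), run over a constructed fragment that repeats the duplicated property from Selina's config. It assumes only the element and attribute names shown in this thread, and the check that a login instance should be referenced from the default context reflects what later replies in this thread observed, not a documented rule.

```python
import xml.etree.ElementTree as ET

# Constructed jps-config.xml fragment (not a real file); it repeats the duplicated
# groupMembershipGroupFieldName from the post above and wires "testlogin" only into a non-default context.
SAMPLE = """<jpsConfig>
 <serviceProviders>
  <serviceProvider type="LOGIN" name="jaas.login.provider" class="oracle.security.jps.internal.login.jaas.JaasLoginServiceProvider"/>
 </serviceProviders>
 <serviceInstances>
  <serviceInstance name="testlogin" provider="jaas.login.provider">
   <property name="loginModuleClassName" value="oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule"/>
   <property name="groupMembershipGroupFieldName" value="role_name"/>
   <property name="groupMembershipGroupFieldName" value="oracle.security.jazn.login.module.db.util.DBLoginModuleMD5Encoder"/>
  </serviceInstance>
 </serviceInstances>
 <jpsContexts default="default">
  <jpsContext name="testlogin"><serviceInstanceRef ref="testlogin"/></jpsContext>
  <jpsContext name="default"/>
 </jpsContexts>
</jpsConfig>"""

# Frank's post names these two properties as mandatory for a login module instance.
REQUIRED_LOGIN_PROPS = ("loginModuleClassName", "jaas.login.controlFlag")

def lint_jps_config(xml_text):
    # Returns a list of findings; an empty list means the wiring is consistent.
    root, findings = ET.fromstring(xml_text), []
    instances = {i.get("name") for i in root.iter("serviceInstance")}
    login_instances = set()
    for inst in root.iter("serviceInstance"):
        name, seen = inst.get("name"), set()
        for prop in inst.findall("property"):
            key = prop.get("name")
            if key in seen:  # only one value can win; the other is silently dropped
                findings.append(f"instance {name}: duplicate property {key}")
            seen.add(key)
        if inst.get("provider") == "jaas.login.provider":
            login_instances.add(name)
            findings += [f"instance {name}: missing {r}" for r in REQUIRED_LOGIN_PROPS if r not in seen]
    ctxs = root.find("jpsContexts")
    by_name = {c.get("name"): c for c in ctxs.findall("jpsContext")}
    for cname, ctx in by_name.items():
        for ref in ctx.findall("serviceInstanceRef"):
            if ref.get("ref") not in instances:
                findings.append(f"context {cname}: dangling ref {ref.get('ref')}")
    # Replies in this thread only saw a custom module take effect once it sat in the default context.
    default = by_name.get(ctxs.get("default"))
    refs = {r.get("ref") for r in default.findall("serviceInstanceRef")} if default is not None else set()
    findings += [f"login instance {n}: not referenced from default context" for n in sorted(login_instances - refs)]
    return findings
```

Running it on the constructed fragment reports the duplicate property, the missing control flag, and that the default context never references the login instance, which is the silent-ignore symptom several posters describe.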
Yannick Majoros

Posts: 103
Registered: 10/31/06
Re: OC4J 11g and JAZN
Posted: Aug 10, 2007 2:21 AM   in response to: Selina
What I did was change the default login module. This kind of worked, although I still had to include the users (not the passwords) in the JAAS config.

<jpsContext name="default">
  <serviceInstanceRef ref="credstore"/>
  <serviceInstanceRef ref="idstore.xml"/>
  <serviceInstanceRef ref="policystore.xml"/>
  <!--serviceInstanceRef ref="idstore.loginmodule"/-->
  <serviceInstanceRef ref="doctorats.loginmodule"/>
  <serviceInstanceRef ref="idm"/>
</jpsContext>

That's actually the next thing I need to fix: allowing dynamic roles to work, and telling OC4J I only need this module for my application.

Oh, and no luck trying to remove any other line; it complains.
user625398

Posts: 4
Registered: 03/13/08
Re: OC4J 11g and JAZN
Posted: Mar 16, 2008 12:24 PM   in response to: Frank Nimphius
Is there a setting that controls where jps-config.xml can be found? I am running on Technology Preview 3 (3.11.1.1.0.0) and would like to deploy on Tomcat. The problem is jps libs don't seem to be able to find jps-config.xml... I tried putting it in META-INF/.. and WEB-INF/classes/META-INF with no luck.

Thanks in advance
romulus

Posts: 62
Registered: 03/04/08
Re: OC4J 11g and JAZN
Posted: Mar 16, 2008 7:10 PM   in response to: Frank Nimphius
<jpsContext name="default">
  <serviceInstanceRef ref="idstore.xml"/>
  <serviceInstanceRef ref="test.login"/>
</jpsContext>
works, but
<jpsContext name="default">
  <serviceInstanceRef ref="test.login"/>
</jpsContext>
goes wrong. Why?
If I use the above, the user must be in jazn-data.xml; I want to store users in the DB. How can I do that?
Frank Nimphius

Posts: 19,779
Registered: 01/10/01
Re: OC4J 11g and JAZN
Posted: Apr 25, 2008 1:03 AM   in response to: romulus
Hi,

JPS is the Oracle implementation of the security provider platform that is used within OC4J only. There are plans to make JPS portable to other application servers to replace their default security provider. However, until then you need to configure Tomcat etc. for what they provide as security providers.

To have users in the database instead of jazn-data.xml, you need to configure a custom LoginModule for this (in jps-config.xml).

Frank
cp

Posts: 36
Registered: 09/09/05
Re: OC4J 11g and JAZN
Posted: Jun 27, 2008 3:47 AM   in response to: Frank Nimphius
I configured it as per the steps given above but the settings are ignored. I tried giving a dummy class name (for the login module) but still there was no exception. The settings are ignored by OC4J.
Is there a different method to configure it?
cp

Posts: 36
Registered: 09/09/05
Re: OC4J 11g and JAZN
Posted: Jul 7, 2008 8:55 PM   in response to: Frank Nimphius
In the embedded OC4J for JDev 11g TP4, where do I configure the JPS provider?
Where do I specify in the application which jpsContext should be used by the application?
hofespet

Posts: 515
Registered: 03/27/08
Re: OC4J 11g and JAZN
Posted: Jul 8, 2008 1:46 PM   in response to: igiboy@pobox.sk
Hi,

My user accounts and roles are stored in the database.

content of jps-config.xml:
===================
<serviceInstance provider="jaas.login.provider" name="oracledb.loginmodule">
  <property value="jdbc/TLS-BOBDS" name="data_source_name"/>
  <property value="passwort" name="passwordField"/>
  <property value="rol_rolle" name="groupMembershipGroupFieldName"/>
  <property value="bediener_rollen" name="groupMembershipTableName"/>
  <property value="user_kennung" name="usernameField"/>
  <property value="bediener" name="table"/>
  <property value="persnr" name="user_pk_column"/>
  <property value="bed_persnr" name="roles_fk_column"/>
  <property value="toupper" name="casing"/>
  <property value="true" name="debug"/>
  <property value="REQUIRED" name="jaas.login.controlFlag"/>
  <property value="true" name="addAllRoles"/>
  <property value="oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule" name="loginModuleClassName"/>
  <property value="FINE" name="log.level"/>
</serviceInstance>

....
....

<jpsContexts default="TLS-BOB-JAAZ">
  <jpsContext name="TLS-BOB">
    <serviceInstanceRef ref="credstore"/>
    <serviceInstanceRef ref="anonymous"/>
    <serviceInstanceRef ref="idstore.loginmodule"/>
  </jpsContext>
  <jpsContext name="TLS-BOB-JAAZ">
    <serviceInstanceRef ref="credstore"/>
    <serviceInstanceRef ref="anonymous"/>
    <serviceInstanceRef ref="oracledb.loginmodule"/>
  </jpsContext>

  <jpsContext name="default">
    <serviceInstanceRef ref="credstore"/>
    <serviceInstanceRef ref="anonymous"/>
    <serviceInstanceRef ref="oracledb.loginmodule"/>
  </jpsContext>

  <jpsContext name="adf.j2se">
    <serviceInstanceRef ref="credstore"/>
    <serviceInstanceRef ref="anonymous"/>
    <serviceInstanceRef ref="oracledb.loginmodule"/>
  </jpsContext>
  <jpsContext name="oracle.wsm.security.default">
    <serviceInstanceRef ref="credstore"/>
    <serviceInstanceRef ref="anonymous"/>
    <serviceInstanceRef ref="oracledb.loginmodule"/>
  </jpsContext>
  <jpsContext name="anonymous">
    <serviceInstanceRef ref="anonymous"/>
    <serviceInstanceRef ref="anonymous.loginmodule"/>
  </jpsContext>
</jpsContexts>

I have created a default HTML login page with the ADF security wizard.
When starting the application I can enter username and password on the login page.
But after submit the following error occurs in the OC4J log:
===================================
WARNUNG: TLS-BOB-ViewController-webapp: error encountered during authentication
java.util.MissingResourceException: Can't find resource for bundle oracle.security.jps.internal.common.resources.common.CommonResources, key JPS-02575
at java.util.ResourceBundle.getObject(ResourceBundle.java:325)
at java.util.ResourceBundle.getObject(ResourceBundle.java:322)
at java.util.ResourceBundle.getString(ResourceBundle.java:285)
at oracle.security.jps.util.JpsBundle.getString(JpsBundle.java:133)
at oracle.security.jps.internal.idstore.xml.idm.IdmXmlIdentityStore.searchUser(IdmXmlIdentityStore.java:424)
at oracle.security.jps.internal.idstore.xml.idm.IdmXmlIdentityStore.searchUser(IdmXmlIdentityStore.java:401)
at oracle.security.jps.internal.idstore.xml.idm.IdmXmlIdentityStore.searchUser(IdmXmlIdentityStore.java:99)
at oracle.security.jps.fmw.JpsUserManager.getUserFromIdmStore(JpsUserManager.java:1109)
at oracle.security.jps.fmw.JpsUserManager.getUser(JpsUserManager.java:1022)
at com.evermind.security.IndirectUserManager.getUser(IndirectUserManager.java:90)
at com.evermind.security.IndirectUserManager.getUser(IndirectUserManager.java:90)
at com.evermind.server.http.EvermindHttpServletRequest.getUserPrincipalInternal(EvermindHttpServletRequest.java:3927)
at com.evermind.server.http.HttpApplication.checkAuthenticationAndAuthorize(HttpApplication.java:6965)
at com.evermind.server.http.HttpApplication.getRequestDispatcher(HttpApplication.java:3350)
at com.evermind.server.http.HttpRequestHandler.doResolveRequestDispatcher(HttpRequestHandler.java:1005)
at com.evermind.server.http.HttpRequestHandler.doProcessRequest(HttpRequestHandler.java:822)
at com.evermind.server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:658)
at com.evermind.server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:626)
at com.evermind.server.http.HttpRequestHandler.serveOneRequest(HttpRequestHandler.java:417)
at com.evermind.server.http.HttpRequestHandler.run(HttpRequestHandler.java:189)
at com.evermind.server.http.HttpRequestHandler.run(HttpRequestHandler.java:163)
at oracle.oc4j.network.ServerSocketReadHandler$ClientRunnable.run(ServerSocketReadHandler.java:275)
at oracle.oc4j.network.ServerSocketAcceptHandler.procClientSocket(ServerSocketAcceptHandler.java:237)
at oracle.oc4j.network.ServerSocketAcceptHandler.access$800(ServerSocketAcceptHandler.java:29)
at oracle.oc4j.network.ServerSocketAcceptHandler$AcceptHandlerHorse.run(ServerSocketAcceptHandler.java:877)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:650)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:675)
at java.lang.Thread.run(Thread.java:595)

Any ideas what may be wrong?

regards
Peter

cp

Posts: 36
Registered: 09/09/05
Re: OC4J 11g and JAZN
Posted: Jul 9, 2008 9:33 PM   in response to: hofespet
I believe it is due to the fact that the application is not mapped to the jpsContext.

OC4J needs to be configured to call a jpsContext for a particular web application.

Does anyone know how to do that?

Thanx
