JAAS module with LTPA that bypasses the user registry - Websphere

Thread: JAAS module with LTPA that bypasses the user registry

  1. Re: Don't set your own WSPrincipal

    cmorris@novell.com wrote:
    >> Can you turn on security trace so that you can see
    >> exactly what the
    >> sequence of events is?

    >
    > Nothing was obvious to me. Here is the trace I got:
    >


    Nothing obvious to me either - did you look into my other idea, that you
    were not setting any groups when you asserted the Subject in your login
    module (by creating the Map in shared state)? I have a feeling that if
    there are no groups, WAS will try and get them from the registry. Try
    putting a group name in there, see if that helps.

  2. Re: Don't set your own WSPrincipal

    Paul Ilechko wrote:
    > cmorris@novell.com wrote:
    >>> Can you turn on security trace so that you can see
    >>> exactly what the sequence of events is?

    >>
    >> Nothing was obvious to me. Here is the trace I got:
    >>

    >
    > Nothing obvious to me either - did you look into my other idea, that you
    > were not setting any groups when you asserted the Subject in your login
    > module (by creating the Map in shared state)? I have a feeling that if
    > there are no groups, WAS will try and get them from the registry. Try
    > putting a group name in there, see if that helps.


    also, you can add :

    com.ibm.ws.wim.*=all=enabled:com.ibm.websphere.wim.*=all=enabled

    to the trace string to get VMM trace.

  3. Re: Don't set your own WSPrincipal

    Paul Ilechko wrote:

    > Another thought - are you adding any groups to the hashmap ? It looks to
    > me like you are sticking an empty array list in to WSCREDENTIAL_GROUPS.
    > I think if that is empty, WAS will try to read the user registry to get
    > groups, giving you an authentication error when it can't find the user.


    Never mind, I checked and it's legal to add an empty array of groups to
    the subject. WAS should not try to override that.


    The only other thing I can think of is, are you setting the UniqueID
    correctly? Does it have the correct realm name based on what is defined
    as the WAS realm?
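    The two points raised above, a non-null groups list and a unique ID that carries the WAS realm, are easiest to check against a concrete shared-state hashtable. The login module below is an added example and is not the Novell agent's code or anything posted in this thread. It assumes the documented WebSphere hashtable-login keys from com.ibm.wsspi.security.token.AttributeNameConstants, the realm name defaultWIMFileBasedRealm taken from the trace in this thread, a constructed group name payroll-users, and hypothetical class and method names (AssertedIdentityLoginModule, buildAssertion):

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Hashtable;
import java.util.List;
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

import com.ibm.wsspi.security.token.AttributeNameConstants;

/*
 * Hypothetical custom login module (example only, not the Novell agent's code).
 * It asserts an identity that an external authority has already verified by
 * placing a hashtable in JAAS shared state. When every key below is present
 * and well formed, the WebSphere LTPA login module builds the WSCredential
 * from the table instead of looking the user and its groups up in the registry.
 */
public class AssertedIdentityLoginModule implements LoginModule {

    /* Must be exactly the realm WAS reports; in the trace in this thread it is
     * the value printed after "getDefaultRealm Exit". */
    static final String WAS_REALM = "defaultWIMFileBasedRealm";

    private CallbackHandler handler;
    private Map<String, Object> sharedState;

    @SuppressWarnings("unchecked")
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.handler = handler;
        this.sharedState = (Map<String, Object>) sharedState;
    }

    public boolean login() throws LoginException {
        NameCallback name = new NameCallback("user: ");
        try {
            handler.handle(new Callback[] { name });
        } catch (IOException e) {
            throw new LoginException("callback failed: " + e.getMessage());
        } catch (UnsupportedCallbackException e) {
            throw new LoginException("NameCallback not supported by handler");
        }
        String dn = name.getName();
        if (dn == null || dn.trim().length() == 0) {
            throw new LoginException("no user name supplied");
        }
        /* The real credential check against the external authority belongs
         * here; this example assumes it has already succeeded. Never put the
         * table in shared state before that check passes. */
        List<String> groups = Arrays.asList("payroll-users"); // constructed sample group
        sharedState.put(AttributeNameConstants.WSCREDENTIAL_PROPERTIES_KEY,
                        buildAssertion(WAS_REALM, dn, groups));
        return true;
    }

    /* Builds the table WAS consumes. The realm is embedded in the unique ID and
     * in every group ID; a realm that differs from the WAS realm is exactly the
     * mismatch discussed in this thread. */
    static Hashtable<String, Object> buildAssertion(String realm, String dn,
                                                    List<String> groupNames) {
        if (realm == null || realm.length() == 0 || dn == null || dn.length() == 0) {
            throw new IllegalArgumentException("realm and user DN are required");
        }
        List<String> groupIds = new ArrayList<String>();
        for (String g : groupNames) {
            groupIds.add("group:" + realm + "/" + g);
        }
        Hashtable<String, Object> ht = new Hashtable<String, Object>();
        ht.put(AttributeNameConstants.WSCREDENTIAL_UNIQUEID, "user:" + realm + "/" + dn);
        ht.put(AttributeNameConstants.WSCREDENTIAL_SECURITYNAME, dn);
        ht.put(AttributeNameConstants.WSCREDENTIAL_GROUPS, groupIds); // may be empty, never null
        ht.put(AttributeNameConstants.WSCREDENTIAL_CACHE_KEY, realm + ":" + dn); // unique per identity
        return ht;
    }

    public boolean commit() { return true; }
    public boolean abort()  { return true; }
    public boolean logout() { return true; }
}
```

    For the table to be honoured, this module has to run ahead of the LTPA login module in the system.WEB_INBOUND login configuration, and the cache key has to be unique per asserted identity, otherwise a cached Subject for a different user can be returned. The security-relevant caveat is that whatever writes this table is an identity-assertion path: anything that lets an unverified request reach the login() above with a chosen DN lets it pick any user, so the credential check that the example leaves out is the part that matters.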

  4. Better UserID and more debug

    The realm name did not match my user repository. So I changed that. I also added some bogus groups. Nothing seems to change.

    Here is the log output. Attached is the full thing; it's large.

    [9/21/07 13:34:52:023 MDT] 00000050 FormLoginExte 3 Create WebAttributes for this webApp.
    [9/21/07 13:34:52:023 MDT] 00000050 FormLoginExte 3 login page is: /login
    [9/21/07 13:34:52:023 MDT] 00000050 FormLoginExte 3 J2EEAuditEventFactory was not initialized
    [9/21/07 13:34:52:023 MDT] 00000050 FormLoginExte 3 login error page is: /error.jsp
    [9/21/07 13:34:52:026 MDT] 00000050 FormLoginExte > formLogin, WebAttributes:
    webAppName[PayrollWeb]
    isProtected[true]
    realm[null]
    challengeType[FORM]
    authMechanism[LTPA]
    SSLEnabled[false]
    SSOEnabled[true]
    secureSSO[false]
    defaultToBasic[false]
    LTPACookieName[LtpaToken]
    loginCookieName[null]
    CookieSuffix[null] Entry
    [9/21/07 13:34:52:027 MDT] 00000050 FormLoginExte 3 Form based login: userid/password present in the form. User is: cn=test,o=novell
    [9/21/07 13:34:52:027 MDT] 00000050 ContextManage > getDefaultRealm Entry
    [9/21/07 13:34:52:027 MDT] 00000050 ContextManage < getDefaultRealm Exit
    defaultWIMFileBasedRealm
    [9/21/07 13:34:52:027 MDT] 00000050 ContextManage > login(realm, user, password) -> login(defaultWIMFileBasedRealm, cn=test,o=novell, ************************************, system.WEB_INBOUND) Entry
    [9/21/07 13:34:52:027 MDT] 00000050 ContextManage 3 Looking for opaque token on the thread before Subject cache lookup.
    [9/21/07 13:34:52:028 MDT] 00000050 ContextManage > getSubjectFromTokenHolderCacheKey Entry


    [9/21/07 13:34:52:028 MDT] 00000050 ContextManage < getSubjectFromTokenHolderCacheKey Exit

    [9/21/07 13:34:52:028 MDT] 00000050 ContextManage 3 Looking for subject from cache using token as lookup.
    [9/21/07 13:34:52:028 MDT] 00000050 AuthCache > getSubject Entry
    defaultWIMFileBasedRealm
    cn=test,o=novell
    xxxxx
    [9/21/07 13:34:52:028 MDT] 00000050 AuthCache 3 One-way password hash using SHA is: 641235360270227624917054902848906975847867690344
    [9/21/07 13:34:52:028 MDT] 00000050 Cache > get Entry
    defaultWIMFileBasedRealm:cn=test,o=novell
    [9/21/07 13:34:52:029 MDT] 00000050 Cache < get Exit

    [9/21/07 13:34:52:029 MDT] 00000050 AuthCache < getSubject Exit

    [9/21/07 13:34:52:029 MDT] 00000050 JaasLoginHelp > jaas_login(realm,user,password,auth_mech = system.WEB_INBOUND) for web Entry
    [9/21/07 13:34:52:029 MDT] 00000050 WSCallbackHan > WSCallbackHandler(userName = "cn=test,o=novell", password = "********") Entry
    [9/21/07 13:34:52:029 MDT] 00000050 WSCallbackHan < WsCallbackHandler(userName, password) Exit
    [9/21/07 13:34:52:029 MDT] 00000050 WSCallbackHan > WSCallbackHandler(userName, realmName = defaultWIMFileBasedRealm ,password, req, resp, appContext) Entry
    [9/21/07 13:34:52:029 MDT] 00000050 Configuration 3 com.ibm.ws.security.auth.login.Configuration :Entry: getAppConfigurationEntry(system.WEB_INBOUND)
    [9/21/07 13:34:52:037 MDT] 00000050 NidsLoginModu I 2007-09-21T13:34:52Z INFO J2EE Agent: AM#600602000: AMDEVICEID#agent-985EBEB0A4CF5A9D: initialize options={delegate=com.novell.nids.agent.auth.websphere.NidsWebSphereLoginModule}
    [9/21/07 13:34:52:039 MDT] 00000050 NidsWebSphere I PrincipalClass = com.novell.nids.agent.auth.websphere.WSPrincipalImpl
    [9/21/07 13:34:52:041 MDT] 00000050 WSCallbackHan > handle(callbacks = "{ com.ibm.wsspi.security.auth.callback.WSTokenHolderCallback }") Entry
    [9/21/07 13:34:52:041 MDT] 00000050 WSCallbackHan < handle(callbacks) Exit
    [9/21/07 13:34:52:041 MDT] 00000050 WSCallbackHan > handle(callbacks = "{ javax.security.auth.callback.NameCallback }") Entry
    [9/21/07 13:34:52:041 MDT] 00000050 WSCallbackHan < handle(callbacks) Exit
    [9/21/07 13:34:52:041 MDT] 00000050 WSCallbackHan > handle(callbacks = "{ javax.security.auth.callback.PasswordCallback }") Entry
    [9/21/07 13:34:52:041 MDT] 00000050 WSCallbackHan > handle(callbacks = "{ javax.security.auth.callback.PasswordCallback }") Entry
    [9/21/07 13:34:52:041 MDT] 00000050 WSCallbackHan < handle(callbacks) Exit
    [9/21/07 13:34:52:042 MDT] 00000050 NidsLoginModu I 2007-09-21T13:34:52Z INFO J2EE Agent: AM#500602006: AMDEVICEID#agent-985EBEB0A4CF5A9D: AMAUTHID#null: AMEVENTID#NotImplemented: verifying the credentials for cn=test,o=novell
    [9/21/07 13:34:52:043 MDT] 00000050 NidsLoginModu I 2007-09-21T13:34:52Z INFO J2EE Agent: AM#500602006: AMDEVICEID#agent-985EBEB0A4CF5A9D: AMAUTHID#rGcrAy3kScDeJNwyNjs3lk2: AMEVENTID#NotImplemented: verifying the credentials for cn=test,o=novell
    [9/21/07 13:34:52:045 MDT] 0000005d ContextManage > getServerSubject Entry
    [9/21/07 13:34:52:045 MDT] 0000005d ContextManage > getServerSubjectInternal Entry
    [9/21/07 13:34:52:045 MDT] 0000005d ContextManage > getRegistryObject Entry
    [9/21/07 13:34:52:045 MDT] 0000005d ContextManage < getRegistryObject Exit
    com.ibm.ws.security.registry.UserReg....registry.WIMUserRegistry@2d202d20;realm=defaultWIMFileBasedRealm
    [9/21/07 13:34:52:045 MDT] 0000005d WSCredentialI > isDestroyed Entry
    [9/21/07 13:34:52:045 MDT] 0000005d WSCredentialI < isDestroyed Exit
    false
    [9/21/07 13:34:52:045 MDT] 0000005d WSCredentialI > getExpiration Entry
    [9/21/07 13:34:52:045 MDT] 0000005d WSCredentialI < getExpiration Exit
    1190410451325
    [9/21/07 13:34:52:045 MDT] 0000005d AuthCache > getCushion Entry
    [9/21/07 13:34:52:045 MDT] 0000005d AuthCache < getCushion Exit
    600000
    [9/21/07 13:34:52:045 MDT] 0000005d ContextManage 3 Is server subject valid? true
    [9/21/07 13:34:52:045 MDT] 0000005d ContextManage 3 Server Subject returned with sufficient time left.
    [9/21/07 13:34:52:045 MDT] 0000005d ContextManage < getServerSubject Exit
    Subject:
    Principal: defaultWIMFileBasedRealm/server:camvm1Node01Cell_camvm1Node01_server1
    Public Credential: com.ibm.ws.security.auth.WSCredentialImpl@ac20ac2
    Private Credential: com.ibm.ws.security.token.SingleSignonTokenImpl@30003000
    Private Credential: com.ibm.ws.security.token.AuthenticationTokenImpl@43784378
    Private Credential: com.ibm.ws.security.token.AuthorizationTokenImpl@79947994



  5. Re: JAAS module with LTPA that bypasses the user registry

    Hello,

    Please can you help me on this case?
    I knew that IBM Maximo supports single sign-on (SSO). But I realized that although security is enabled, we have to type the login and password each time we want to connect to the Maximo application.

    I want to know if there's a way to activate this SSO. What are the steps and prerequisites?
    Thank you in advance.

    Kind regards, Fouad
