on 2005 Feb 03 4:46 PM
Hi,
I'm sorry if this question might appear a little bit stupid, as I am new to the SAP-World. I have a J2EE-App, which uses JAAS to login. Unfortunately, this login fails. As I found out in SDN Forums this failure must be caused by the coupling of UME and JAAS. So I wanted to create my Testuser in SAP.
This User has a Name (ID), Pwsd and two assigned roles.
1. I tried to create it in User Mgmt Web App. This failed due to missing permissions (see below). So I assigned the SAP_BC_USER_ADMIN role to my J2EE ADMIN, but I still could not create a user as J2EE Admin.
2. I created the User in SAP System. Now, I can see him in the User Mgmt Web App, but the assigned roles are missing. And still, my application fails to login...
I can exclude any faults on the application side as I can see from the log-files, that everything works fine including the commit. But next, abort() is called and I get this "User not authorized." Error.
Thanks a lot for your help .... I was spending about 3 Days now on solving this *** logon problem.
Nadine
(WAS 6.40 SP9)
***************************
An exception was thrown in the UME/ABAP user management connector. Message: BAPI_USER_CHANGE@NK1CLNT100: ID=01, NUMBER=492, MESSAGE=Keine Berecht. zum Ändern Benutzer der Gruppe. --> com.sap.security.core.persistence.datasource.PersistenceException: BAPI_USER_CHANGE@NK1CLNT100: ID=01, NUMBER=492, MESSAGE=Keine Berecht. zum Ändern Benutzer der Gruppe
at com.sap.security.core.persistence.datasource.imp.R3PersistenceBase.handleBapiRet2Table(R3PersistenceBase.java:3136)
at com.sap.security.core.persistence.datasource.imp.R3Persistence.doBapiUserCreateChange(R3Persistence.java:5265)
Hi Nadine,
Can you describe a bit more your scenario, how are you going to use the security in your application?
Best regards,
Lyubomir
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hello Lyubomir,
We have a webapplication (with Struts) with underlying EJBs. The Webapp prompts the form and passes the logondata to a SecurityEJB, which starts the logon action (Creating LoginContext and calling login()).
In SAPWAS I configured two LoginModules, which are not deployed as libraries as they are part of the application. Then I built a module stack, where one loginmodule is optional and the other one is required.
This LoginStack is used to perform the logon.
Everything works fine, commits are successfully done. But suddenly - when the LoginContext should return the successful authenticated Subject to the EJB, abort() is called and my logfiles tell me "User not authorized".
In case that works, the Subject would be added to the session and a filter could check the authorizations.
Thanks a lot for help!
Nadine
Hello Nadine,
we had a stack with 2 custom built LoginModules running under the preview version of the WAS.
When we switched to the GA version I had the same problem you are facing now.
And then I searched the OSS and found after several days of testing and searching a note (711093), saying that custom built login modules are not supported .
Even though it might be inpolite to quote a german text in this forum, I guess it might help you:
Kundenspezifische Login-Module werden nicht unterstützt
That was not amusing and I felt mega super extra angry about that procedure. JEEE-compliant server ??? Lol
Best Regards, Astrid
Hello Lyubomir and Astrid,
thanks a lot for your replies!
@Lyubomir: I will test your suggestions on monday, as I can't do it before. Sounds good and I'll give you feedback about my (hopefully arising) success.
@Astrid: I absolutly agree with your optinion. I already knew about problems with JAAS in SAP Web AS, as I found the <u>JAAS</u> implementation being "unsupported" in one of our internal studies. Nevertheless, I could not succeed in finding any note on this topic in SAP Service Marketplace when searching for <b>all</b> notes relevant to BC-JAS-SEC. In exchange, I found an extensive documentation about developing, deploying, configuring and using custom login modules in the sap documentation of SP09! This really makes oneself feeling "mega super extra angry".
Nadine
Dear Nadine,
the message you receive from the backend system is issued because the communication user used for the communication between UME and backend system (usually SAPJSF) only has the role SAP_BC_JSF_COMMUNICATION_RO, which allows only reading access to the backend. This is the installation default (secure by default).
In order to perform updates from UME in the ABAP system please see SAP Note 748195.
PS: In future support packages the UME will recognize this situation and already visualize this situation in the UME WebConsole.
Kind regards,
Juergen Kremp
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Juergen,
I don't think that's completely correct.
We have faced the same problems Nadine had and we didn't try to make any updates un the ABAP system, just a plain login to a web application, nothing special.
It worked perfectly well with the preview. It didn't work at all with SP9. We used the same users, set up the UME identically.
I haven't tried with SP10 or 11 because meanwhile I have said good bye to the idea of custom login modules in WAS since my customers won't be willing to wait some month for the next SP.
Best Regards, Astrid
Hello Nadine,
I would say, that custom login modules are supported (for customers) since SP9 of the 6.40 J2EE Engine. The note is not correct and should be fixed.
For ensuring successful authentication it is enough to put such java.security.Principal into the subject, which name is a valid user account on the engine.
To facilitate the developers (customers) when creating custom login modules, the generic functionality from the login modules is shifted from the LoginMofule to the LoginContext.
The LoginContext checks if there is such a user, if its account is not expired, if the password is right and not expired, if the users account is not locked. These checks should be done in order to ensure the quality of the authentication and the consistence in the behavior of the engine. They are done after commit and if these checks do not pass, the abort method is called.
In this way the LoginModule should only perform tasks which are specific for the type of the authentication it implements.
Best regards,
Lyubomir
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Nadine,
I hope that you could solve your problem in one of the next possibilities:
1) At least one of the principals (in your SUBJECT) should be an instance of com.sap.engine.lib.security.Principal
Else:
2) The first principle should have the same name as the name of the valid user from the UME (in your case Testuser)
I hope this helps.
Best regards,
Lyubomir
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hello,
did you try to create this user, using the Visual Administrator tool of the J2EE Engine? Then there you can manage the mappings you talk about.
Did you see:
http://help.sap.com/saphelp_nw04/helpdata/en/49/e98876e9865b4e977b54fc090df4ed/frameset.htm
1. "Creating and Removing Users"
(Administration Manual -> Server Administration -> J2EE Engine Security -> Users and Authorizations on the J2EE Engine -> User and Authorization Administration -> J2EE Engine User Management Using the Visual Administrator -> Managing Users -> Creating and Removing Users),
2. "Security Roles Management"
(Administration Manual -> Server Administration -> J2EE Engine Security -> Users and Authorizations on the J2EE Engine -> User and Authorization Administration -> J2EE Engine User Management Using the Visual Administrator -> Security Roles Management => Mapping Users and Groups)
Does this helps?
Regards, Jordan
Message was edited by: Jordan Stanchev
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hello Jordan,
thanks a lot for your tip, which was really helpful. Now I've only one problem left: What about the mapping of JAAS Subject to a UME User - how are they mapped? We're using own Credentials and Principals, where our Principal implements the java.security.Principals Interface and consists of the attribute name and the usual getter/setter (and constructors). Our Credential consists of three attributes (password, system and user). For testing the application, there's a Testuser as follows:
SUBJECT
PRINCIPALS
[Principal1] name=IKSystem.User
[Principal2] name=IKSystem.Admin
CREDENTIALS
[Credential1] password=xyz
system=IKSystem
user=TUser
So, my question is: What users and related roles do I have to create in UME to map the subject and achieve a sucessful login?
Thanks a lot,
Nadine
User | Count |
---|---|
81 | |
11 | |
10 | |
10 | |
10 | |
8 | |
7 | |
7 | |
5 | |
5 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.