Former Member

Login stack of J2EE application not performed on some systems

Hi,

I have a very strange problem which seems to happen on 2 out of 6 NW04s SPS09 systems. Only the two systems where we have Kerberos against our primary Windows domain seem to have the problem, but this doesn't seem to be the root cause (as I've deleted the central part of the Kerberos config and the same problem exists).

I have a custom J2EE application named FormLoginEar which should provide an alternate login method to the Kerberos login which happens against the irj/portal alias.

The solution is basically an index.jsp which is covered by a root constraint against the Users role and two JSPs for the form login pages. The authentication should be handled by the Web container.

From web.xml:

    <servlet>
        <servlet-name>index.jsp</servlet-name>
        <jsp-file>/index.jsp</jsp-file>
    </servlet>

    <welcome-file-list>
        <welcome-file>index.jsp</welcome-file>
    </welcome-file-list>

    <security-constraint>
        <display-name>RootConstraint</display-name>
        <web-resource-collection>
            <web-resource-name>WebResource</web-resource-name>
            <url-pattern>*.jsp</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>Users</role-name>
        </auth-constraint>
    </security-constraint>

    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>loginPage.jsp</form-login-page>
            <form-error-page>loginPageError.jsp</form-error-page>
        </form-login-config>
    </login-config>

    <security-role>
        <role-name>Users</role-name>
    </security-role>

The web-j2ee-engine.xml contains a mapping against a server-role-name and also the setup of a login module stack:

    <security-role-map>
        <role-name>Users</role-name>
        <server-role-name>authenticated</server-role-name>
    </security-role-map>

    <login-module-configuration>
        <login-module-stack>
            <!-- If they have a ticket, let them directly in -->
            <login-module>
                <login-module-name>EvaluateTicketLoginModule</login-module-name>
                <flag>sufficient</flag>
                <options>
                    <option>
                        <name>ume.configuration.active</name>
                        <value>true</value>
                    </option>
                </options>
            </login-module>
            .... a few more login modules

The authenticated server-role-name is only done to make sure guests are not included (I thought for a long time that that was the problem), and this role is created in the securityprovider service and mapped against the Authenticated users internal UME group.

When I look at the setup in the SecurityProvider service in the troublesome systems, everything looks OK and identical to the systems which are working. The login module authentication stack is correct, the Users role is mapped correctly to the authenticated server role, which again maps to the Authenticated Users group.

When I access the troublesome system, I am automatically redirected to the index.jsp page and no authentication is performed before it does its response. On the working systems, I get redirected correctly to the loginPage.jsp when I access the index.jsp without credentials.

I changed the code so that I could get the current principal in the index.jsp from the servlet request, but this was null. (For the OK system I get the principal as expected.)

I have a feeling that the problem is related to guest users, but in the troublesome systems the guest user is locked.

The logs tell me nothing unfortunately, even on the highest log level for com.sap.security.

Any ideas at all? I am losing sleep over this one.

Cheers

Dagfinn
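
A static check of the declarative security in the web.xml quoted above, as an added example that is not part of the original post or of SAP's tooling. It assumes the fragments are wrapped in a namespace-free `<web-app>` root (constructed sample; `audit` and `pattern_matches` are hypothetical names) and tests three things: the servlet deployment descriptor's requirement that FORM login pages begin with `/`, that constrained roles are declared, and that each welcome file is covered by a constraint. Whether any finding relates to the behaviour described in the post is not established on this page.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the web.xml fragments from the post, wrapped in a
# <web-app> root so they parse as one document (no XML namespace assumed).
WEB_XML = """<web-app>
  <welcome-file-list><welcome-file>index.jsp</welcome-file></welcome-file-list>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>Users</role-name></auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>loginPage.jsp</form-login-page>
      <form-error-page>loginPageError.jsp</form-error-page>
    </form-login-config>
  </login-config>
  <security-role><role-name>Users</role-name></security-role>
</web-app>"""

def pattern_matches(pattern, path):
    """Servlet url-pattern rules: exact, '/prefix/*', '*.ext', '/' default."""
    if pattern == "/" or pattern == path:
        return True
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    if pattern.startswith("*."):
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    return False

def audit(xml_text):
    """Return a list of findings for the descriptor text (empty if clean)."""
    root = ET.fromstring(xml_text)
    texts = lambda xp: [(e.text or "").strip() for e in root.findall(xp)]
    findings = []
    if "FORM" in texts("login-config/auth-method"):
        for tag in ("form-login-page", "form-error-page"):
            for page in texts(f"login-config/form-login-config/{tag}"):
                if not page.startswith("/"):
                    findings.append(f"{tag} '{page}' lacks leading '/'")
    declared = set(texts("security-role/role-name"))
    for role in texts("security-constraint/auth-constraint/role-name"):
        if role != "*" and role not in declared:
            findings.append(f"role '{role}' not declared in security-role")
    patterns = texts("security-constraint/web-resource-collection/url-pattern")
    for welcome in texts("welcome-file-list/welcome-file"):
        path = "/" + welcome.lstrip("/")
        if not any(pattern_matches(p, path) for p in patterns):
            findings.append(f"welcome file '{path}' not covered by a constraint")
    return findings
```

On the sample, `audit(WEB_XML)` reports only the two login page paths; the `Users` role is declared and `/index.jsp` is covered by `*.jsp`.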


1 Answer

  • Former Member
    Nov 29, 2006 at 04:58 PM

    Managed to get around it by using auth-method basic instead.

    Not the ideal solution, but good enough.
