Reg: JAAS with Form based authentication for Websphere 5.1
| Hi All,
Is it possible to integrate JAAS with Websphere form based authentication? We have to use a declarative security model with form based authentication along with using a custom LDAP. One possible solution would be to override the CustomRegistry. However
I was wondering if it is possible to use a CustomLoginModule for the same purpose.
Any advice on this would be appreciated.
Regards
Barada Sahu
| |
| Paul Ilechko 2006-11-24, 1:22 pm |
| barada.sahu@capgemini.com wrote:
> Hi All, Is it possible to integrate JAAS with Websphere form based
> authentication? We have to use a declarative security model with form
> based authentication along with using a custom LDAP. One possible
> solution would be to override the CustomRegistry. However I was
> wondering if it is possible to use a CustomLoginModule for the same
> purpose.
I'm not sure why you think that you need either. You should be able to
configure WAS to talk to just about any LDAP server. Just turn on global
security and set the correct LDAP parameters.
| |
|
| Hi Paul,
Actually the users are located in two different repositories, one for the administrative console and the other for the application. The administrative console users are stored in the LDAP configured with Websphere, while the application users come from a database.
In such a scenario we cannot use the aforementioned solution that you propose. Do you have any idea as to how we can achieve the same without implementing the CustomRegistry?
Regards
Barada Sahu
| |
| Paul Ilechko 2006-11-27, 1:18 pm |
| barada.sahu@capgemini.com wrote:
> Hi Paul, Actually the users are located in two different repositories
> one for the administrative console and the other for the application.
> the administrative console users are stored in the LDAP configured
> with Websphere while the application users come from a database.
Can't you replicate the database users to the LDAP? It would make life a
lot easier. There are directory integration tools like IBM's IDI that
make this quite simple.
>
> In such a scenario we cannot use the aforementioned solution that you
> propose. Do you have any idea as to how we can achieve the same?
> Without implementing the CustomRegistry.
Well, you could authenticate using a custom JAAS login module, and
create a custom subject that contains all the necessary group
information for the authenticated users so that WAS doesn't need to go
to the registry to get it (assuming that you need this - you don't if
you are not doing any J2EE authorization).
There are a lot more details here:
http://www-128.ibm.com/developerwor...8_benantar.html
| |
|
| Hi Paul,
Well, we do need J2EE authorization. I had gone through the aforementioned article but it seems that I am missing something that I either need to populate in the subject or in the shared state variables, because the uid (user id) always seems to be validated against the user registry configured in Websphere.
Have you ever implemented a similar situation using a CustomLoginModule in JAAS?
In case you have any sample code that actually works, I would appreciate it.
Regards
Barada Sahu
| |
| Paul Ilechko 2006-11-27, 1:18 pm |
| barada.sahu@capgemini.com wrote:
> Hi Paul, Well we do need J2EE authorization. I had gone through the
> aforementioned article but it seems that I am missing something that
> I either need to populate in the subject or in the shared state
> variables. Coz the uid(user id) always seems to be validated against
> the user registry configured in Websphere . Have you ever implemented
> a similar situation using a CustomLoginModule in JAAS? In case you
> have any sample code that actually works would appreciate the same.
There is sample code with the article ...
You need to make sure that WAS recognizes that you have created a custom
Subject by adding a custom cache key. Please read the article more
carefully.
| |
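A WEB_INBOUND login module along the lines Paul describes, as an added example that is not code from this thread or from the developerWorks article: it authenticates against an application user store that is not the WAS registry and hands WAS a hashtable keyed by the `WSCREDENTIAL_*` constants, including the custom cache key, so the default module does not validate the uid against the registry. The `AppUserStore` interface, the `appUserStore` login-module option, the `appRealm` realm name and the `:AppStore` cache-key suffix are assumptions; the module is placed ahead of the WAS module in the WEB_INBOUND configuration (not LTPA_WEB) with useSharedState=true, and uses raw collections because WAS 5.1 runs on Java 1.4.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Hashtable;
import java.util.List;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import com.ibm.wsspi.security.auth.callback.WSTokenHolderCallback;
import com.ibm.wsspi.security.token.AttributeNameConstants;

public class AppStoreLoginModule implements LoginModule {
    /** Hypothetical application user store (the thread's "custom API"). */
    public interface AppUserStore {
        /** Returns the user's group names, or null if the credentials are bad. */
        List authenticate(String user, char[] password);
    }
    private Subject subject;
    private CallbackHandler callbackHandler;
    private Map sharedState;
    private AppUserStore store;

    public void initialize(Subject subject, CallbackHandler handler,
                           Map sharedState, Map options) {
        this.subject = subject;
        this.callbackHandler = handler;
        this.sharedState = sharedState;
        // Assumption: the store is passed in as a login-module option.
        this.store = (AppUserStore) options.get("appUserStore");
    }

    public boolean login() throws LoginException {
        Callback[] callbacks = new Callback[3];
        callbacks[0] = new WSTokenHolderCallback("");
        callbacks[1] = new NameCallback("User:");
        callbacks[2] = new PasswordCallback("Password:", false);
        try {
            callbackHandler.handle(callbacks);
        } catch (Exception e) {
            throw new LoginException("callback handling failed: " + e.getMessage());
        }
        // A request that already carries a valid LTPA token arrives with
        // requiresLogin == false; WAS rebuilds the Subject from the token,
        // so there is nothing to authenticate here.
        if (!((WSTokenHolderCallback) callbacks[0]).getRequiresLogin()) {
            return true;
        }
        String user = ((NameCallback) callbacks[1]).getName();
        PasswordCallback pc = (PasswordCallback) callbacks[2];
        char[] password = pc.getPassword();   // returns a copy
        pc.clearPassword();
        if (user == null || password == null) {
            throw new FailedLoginException("missing user name or password");
        }
        List groups;
        try {
            groups = store.authenticate(user, password);
        } finally {
            Arrays.fill(password, '\0');      // do not leave the secret in the heap
        }
        if (groups == null) {
            throw new FailedLoginException("invalid credentials for " + user);
        }
        Hashtable cred = buildCredentialHashtable(user, groups);
        subject.getPublicCredentials().add(cred);
        sharedState.put(AttributeNameConstants.WSCREDENTIAL_PROPERTIES_KEY, cred);
        return true;
    }

    /** Builds the WSCREDENTIAL_* hashtable that the WAS login module consumes. */
    static Hashtable buildCredentialHashtable(String user, List groups) {
        Hashtable h = new Hashtable();
        // Assumption: the realm name; it must match the realm WAS reports.
        String uniqueId = "user:appRealm/" + user;
        h.put(AttributeNameConstants.WSCREDENTIAL_UNIQUEID, uniqueId);
        h.put(AttributeNameConstants.WSCREDENTIAL_SECURITYNAME, user);
        // The groups must still exist in the WAS registry, or the role-to-group
        // mapping at deployment has nothing to bind to.
        h.put(AttributeNameConstants.WSCREDENTIAL_GROUPS, new ArrayList(groups));
        // The custom cache key marks this Subject as built here rather than
        // from the registry, so WAS caches it instead of re-validating the uid.
        h.put(AttributeNameConstants.WSCREDENTIAL_CACHE_KEY, uniqueId + ":AppStore");
        return h;
    }

    public boolean commit() { return true; }
    public boolean abort() { return true; }
    public boolean logout() { return true; }
}
```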
|
| I tried using the code described in the article. Plugged in our customLoginModule before the WAS login module for WEB_INBOUND requests. However, in spite of the fact that I populate the subject with the hashtable of attributes in my CustomLoginModule, the authentication still proceeds to the user registry defined in Websphere.
This happens irrespective of whether I prepopulate the subject credentials with the hashtable or put the same in the shared state.
My understanding of the issue is that we are either not populating the subject with some attributes correctly or some extra attribute needs to be set that would in turn tell the WAS login module not to go back to the user registry to fetch the information but rather create/populate the subject using the existing information.
Please advise if you feel that there is anything that needs to be configured / done otherwise.
Regards
Barada Sahu
| |
|
| Hello,
I'm trying to do the same; however, in the samples provided with the article there is a TAI sample for WEB_INBOUND and an EJB / JAAS authentication sample for RMI_INBOUND, but none for WEB_INBOUND / JAAS authentication, which is our concern.
Does somebody have a sample that does that?
Regards,
Denis.
| |
| Paul Ilechko 2006-11-28, 1:18 pm |
| barada.sahu@capgemini.com wrote:
> I tried using the code described in the article. Plugged in our
> customLoginModule before the WAS login module for WEB_INBOUND
> requests. However inspite of the fact that I populate the subject
> with the hashtable of attributes in my CustomLoginModule the
> authentication still proceeds to the user registry defined in
> Websphere.
>
> This happens irrespective of whether I prepopulate the subject
> credentials with the hashtable or put the same in the shared state.
>
> My understanding of the issue is that we are either not populating
> the subject with some attributes correctly or some extra attribute
> needs to be set that would in turn tell the WAS login module not to
> go back to the user registry to fetch the information but rather
> create/populate the subject using the existing information.
Exactly which modules are in your web-inbound configuration, in which
sequence? Also, if you can post your login module code that would help.
| |
| Paul Ilechko 2006-11-28, 1:18 pm |
| dboutin@c-log.com wrote:
> Hello,
>
> I'm trying to do the same, however in the Samples provided with the
> article there is mention of TAI with sample of WEB_INBOUND, sample of
> EJB / JAAS auth with RMI_INBOUND but not with WEB_INBOUND / JAAS
> authentication which is our concern.
>
> Somebody got sample to do that ?
It should not be much different from the RMI one. The only issue is
which callback handlers you are using.
| |
|
| Hi Paul,
I am including the code for the login method of the Custom JAAS LoginModule that we are using.
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.Map;
import javax.naming.InitialContext;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import com.ibm.websphere.security.UserRegistry;
import com.ibm.wsspi.security.auth.callback.WSTokenHolderCallback;
import com.ibm.wsspi.security.token.AttributeNameConstants;

public class MyBeforeLTPALoginModule implements LoginModule {
    // Supplied by the JAAS framework through initialize().
    private Subject subject;
    private CallbackHandler callbackHandler;
    private Map sharedState;

    public void initialize(Subject subject, CallbackHandler callbackHandler,
            Map sharedState, Map options) {
        this.subject = subject;
        this.callbackHandler = callbackHandler;
        this.sharedState = sharedState;
    }

    public boolean login() throws LoginException {
        Callback[] callbacks = new Callback[3];
        try {
            callbacks[0] = new WSTokenHolderCallback("");
            callbacks[1] = new NameCallback("User:");
            callbacks[2] = new PasswordCallback("Password:", false);
            callbackHandler.handle(callbacks);
        } catch (Exception e) {
            e.printStackTrace(System.out);
            throw new LoginException(e.getMessage());
        }
        // false when the request already carries a valid LTPA token
        boolean requiresLogin = ((WSTokenHolderCallback) callbacks[0])
                .getRequiresLogin();
        if (requiresLogin) {
            // Read the form values; the test below deliberately ignores them
            // and uses hard-coded credentials instead.
            String username = ((NameCallback) callbacks[1]).getName();
            PasswordCallback pwdCallback = (PasswordCallback) callbacks[2];
            char[] pwdChars = pwdCallback.getPassword();
            String password = (pwdChars == null) ? null : new String(pwdChars);
            pwdCallback.clearPassword();
            Hashtable hashtable = new Hashtable();
            String uniqueid = null;
            try {
                uniqueid = "u0000002";
                InitialContext ctx = new InitialContext();
                UserRegistry reg = (UserRegistry) ctx.lookup("UserRegistry");
                uniqueid = reg.getUniqueUserId("u0000002");
                reg.checkPassword("u0000002", "pxxxxx02");
            } catch (Exception e1) {
                e1.printStackTrace(System.out);
                throw new LoginException(e1.getMessage());
            }
            hashtable.put(AttributeNameConstants.WSCREDENTIAL_UNIQUEID, uniqueid);
            hashtable.put(AttributeNameConstants.WSCREDENTIAL_SECURITYNAME, "u0000002");
            ArrayList groups = new ArrayList();
            groups.add(0, "nomemb");
            hashtable.put(AttributeNameConstants.WSCREDENTIAL_GROUPS, groups);
            // The custom cache key tells WAS that this Subject was built here.
            hashtable.put(AttributeNameConstants.WSCREDENTIAL_CACHE_KEY,
                    uniqueid + "ExampleBeforeLTPALoginModule");
            subject.getPublicCredentials().add(hashtable);
            sharedState.put(AttributeNameConstants.WSCREDENTIAL_PROPERTIES_KEY, hashtable);
            return true;
        } else {
            System.out.println("MyBeforeLTPALoginModule: This is a repeat login, nothing to do.");
            return true;
        }
    }

    public boolean commit() { return true; }
    public boolean abort() { return true; }
    public boolean logout() { return true; }
}
I have currently configured the order of the CustomLoginModule before the Websphere AuthenLoginModule in the LTPA_WEB in Websphere. Is there a difference in whether we do it for the WEB_INBOUND or under the LTPA_WEB? I am trying to log in to the admin console.
As you can see, even though the code has hardcoded values, the login still fails for the admin console.
I have also set the "useSharedState" attribute to "true" for each of the LoginModules.
Regards
Barada Sahu
| |
| Paul Ilechko 2006-11-28, 1:18 pm |
| barada.sahu@capgemini.com wrote:
>
> I have currently configured the order of the CustomLoginModule before the Websphere AuthenLoginModule in the LTPA_WEB in Websphere. Is there a difference in whether we do it for the WEB_INBOUND or under the LTPA_WEB? Am trying to login into the admin console.
> As you can see even though the code has hardcoded values yet the login fails for the admin console.
> Have also set the "useSharedState" attribute to "true" for each of the LoginModules.
LTPA_WEB is wrong, you should be putting your login module in
WEB_INBOUND. Is your code even executing? I suggest you add some trace
statements.
| |
|
| Hi Paul,
I configured the CustomLoginModule with the WEB_INBOUND realm instead of the LTPA_WEB and it seems to work now. However, this has raised some questions as to when these realms are used.
Initially I had the CustomLoginModule in the LTPA_WEB and this LoginModule was still getting invoked. However that Websphere instance did not have the WEB_INBOUND realm in it. It was probably modified or removed in that server.
Is there any documentation that actually details what each of the security realms defined are used for and when they are invoked?
As mentioned earlier we have users in two different repositories. One repository is for the application users which is a datastore that can be accessed via a custom API. The other is a LDAP that is used to store the admin console users. In such a scenario is the solution via the JAAS CustomLoginModule a good way to resolve this issue?
Also would like to thank you for your inputs in resolving this issue that we have had.
| |
| Paul Ilechko 2006-11-29, 1:18 pm |
| barada.sahu@capgemini.com wrote:
> Hi Paul, I configured the CustomLoginModule with the WEB_INBOUND
> realm instead of the LTPA_WEB and it seems to work now. However this
> has raised some questions as to when these realms are used ?
> Initially I had the CustomLoginModule in the LTPA_WEB and this
> LoginModule was still getting invoked. However that Websphere
> instance did not have the WEB_INBOUND realm in it. It was probably
> modified or removed in that server. Is there any documentation that
> actually details what each of the security realms defined are used
> for and when they are invoked?
Yes, the JAAS login configuration usage is defined in my paper, the one
that I referenced earlier. Note: these are not security realms - there
is only one realm in WAS, defined by the user registry in use.
>
> As mentioned earlier we have users in two different repositories. One
> repository is for the application users which is a datastore that can
> be accessed via a custom API. The other is a LDAP that is used to
> store the admin console users. In such a scenario is the solution via
> the JAAS CustomLoginModule a good way to resolve this issue?
This is complicated, and depends on the specifics of your scenario. The
easy answer is to not do this, and to put all the users in the same
repository - either the LDAP, which is the simplest solution, or the
database and write a WAS Custom User Registry on top of it.
There are directory integration tools that can make this replication
process fairly simple.
Also, as mentioned earlier, you can authenticate using a custom JAAS
login module and you can add groups to the user's Subject. However,
those groups need to be defined in the WAS registry, even if the users
themselves are not, or you won't be able to do the role to group mapping
for deployment.
Another option would be to write a CUR that looks at both the LDAP and
the custom datastore.
I recommend also that you take a look at this link:
http://pokgsa.ibm.com/~keys/websphe...istry_Questions
In particular the section titled:
When does WAS contact the registry for user information
- it's important that you understand the implications of your users not
being in the WAS registry.
Paul.
| |
|
| Hi Paul,
The link regarding the Registry questions that you mentioned earlier seems to be an internal IBM link and is not accessible. Could you please forward the content of the same to my mail id?
It's barada_sahu@capgemini.com.
From my understanding, implementing a CUR is a restrictive solution as no additional tokens other than the "user id" and "password" can be passed via it.
In our scenario we need an additional token from the login screen which we pass in through our request. However, if we try to use a CUR then the problem arises that we do not have a handle to this request object.
Regards
Barada Sahu
| |
|
| Hi Paul,
The mail id mentioned earlier is incorrect and has a typo error. Here is the correct one barada.sahu@capgemini.com.
Sorry about the mistake earlier.
Regards
Barada Sahu
| |
|
| Hi Paul,
We are now trying to deploy the CustomLoginModule across multiple application servers. Our action classes on the first application server are invoking another EJB on a different application server. However, the second application server is unable to receive the "subject".
This works fine in a single server environment that is on my development machine.
I believe this is a downstream propagation problem. How can this be resolved? Do we need to configure something at the server end or is there some custom attribute that needs to be set to enable downstream propagation of authentication details?
Regards
Barada Sahu
| |
| Paul Ilechko 2006-11-29, 1:18 pm |
| barada.sahu@capgemini.com wrote:
> Hi Paul, We are now trying to deploy the CustomLoginModule across
> multiple application servers . Our action classes on the first
> application server is invoking another EJB on a different application
> server. However the second application server is unable to receive
> the "subject" . This works fine in a single server environment that
> is on my development machine. I believe this is a downstream
> propagation problem. How can this be resolved? Do we need to
> configure something at the server end or is there some custom
> attribute that needs to be set to enable downstream propagation of
> authentication details?
If these servers are not in the same cell you need to ensure that global
security is turned on for both servers (or cells, if they are in
separate ND cells), and that both have the same LTPA encryption key.
| |
|
| Hi Paul,
Both of my application servers are in a single cell. I am now able to downstream propagate the subject to the second application server by setting the CSIV inbound and outbound propagation attributes.
However there is now an additional issue that I am facing. My web application has multiple modules in it. Post login, when I try to access any of these modules, there appears to be a problem as the (WSTokenHolderCallback).getRequiresLogin() method still returns a "true" value. As such the callbacks are invoked and during this time an exception is thrown.
How is it that the (WSTokenHolderCallback).getRequiresLogin() still returns true? Isn't it supposed to return a "false" value once the Login modules are executed and the user is successfully logged in to the application and the token is generated?
Is there any custom property that needs to be set in order to get this working?
I would also appreciate it if you could send the contents of the link
http://pokgsa.ibm.com/~keys/websphe...istry_Questions
to my mail id, as the link appears to be an internal one.
Regards
Barada Sahu
| |
| Paul Ilechko 2006-11-29, 1:18 pm |
| barada.sahu@capgemini.com wrote:
> Hi Paul, Both of my application servers are in a single cell. I am
> now able to downstream propagate the subject to the second
> application server by setting the CSIV inbound and outbound
> propagation attributes.
>
> However there is now an additional issue that I am facing . My web
> application has multiple modules in it. Post login when I try to
> access any of these modules there appears to be a problem as the
> (WSTokenHolderCallback).getRequiresLogin() method still returns a
> "true" value. As such the callbacks are invoked and during this time
> an exception is thrown. How is it that the
> (WSTokenHolderCallback).getRequiresLogin() still returns true? Isn't
> it supposed to return a "false" value once the Login modules are
> executed and the user is succesfully logged in into the application
> and the token is generated?
>
> Is there any custom property that needs to be set in order to get
> this working?
No, this should just work provided that you are getting a valid LTPA
cookie with the request.
I suggest you turn on security tracing to see what is happening -
com.ibm.wsspi.security.*=all=enabled:com.ibm.websphere.security.*=all=enabled
| |
|
| Hi Paul,
I was going through the security framework in Websphere and am wondering how it is that upstream propagation is not supported in concept?
If I want to populate the Subject at the EJB end, then how do I do that?
Regards
Barada Sahu
| |
| Paul Ilechko 2006-12-01, 1:20 pm |
| barada.sahu@capgemini.com wrote:
> Hi Paul, Was going through the security framework in Websphere and
> wondering how is it that upstream propagation is not supported in
> concept? If i want to populate the Subject at the EJB end then how do
> I do that?
I'm not sure I understand what you are saying. If you call an EJB from
within the web container, it inherits caller credentials unless you
override that using runAs mode. If you call a remote EJB you can put
your own custom JAAS login module in the RMI Inbound configuration. What
is missing ?
| |
|
| Hi Paul,
There is this problem that I keep facing while configuring the CustomLoginModule.
My environment is as follows:
Web Apps - Server 1
EJB's - Server 2
Web Apps on server 1 invoke the EJB's on server 2.
Now to propagate the security attributes I have turned on the "CSIv2 Outbound Security Propagation". The "Web Inbound and CSIv2 Inbound Security Propagation" are also enabled.
However, now the server on which the EJB's lie fails to start up initially.
There is a missing credentials exception that gets thrown. This is an inconsistent exception, as after a couple of tries it does manage to get the credentials and the server starts up. I have attached an error log that details the same.
However, if I turn off the "CSIv2 Outbound Security Propagation" the server kickstarts well. The problem that occurs now is that whenever I make an EJB call after login, server 2 (on which the EJB's are deployed) is unable to retrieve the credentials from the LTPA token.
Find below the error log:
Could not get the uniqueId of the user user:USER1.
[3-12-06 15:00:46:547 CET] 42366d45 LdapRegistryI E SECJ0351E: Could not get the uniqueId of the user user:USER1 due to the following exception .
[3-12-06 15:00:46:547 CET] 42366d45 LTPAServerObj E SECJ0373E: Cannot create credential for the user <null> due to failed validation of the LTPA token. The exception is .
[3-12-06 15:00:46:562 CET] 42366d45 JaasLoginHelp A SECJ0222E: An unexpected exception occurred when trying to create a LoginContext. The LoginModule alias is system.RMI_INBOUND and the exception is .
I tried raising an ESR with IBM but the partnerworld ID required is an issue.
Hope you can provide some insight into the issue.
Regards
Barada Sahu
| |
| Paul Ilechko 2006-12-05, 7:22 pm |
| barada.sahu@capgemini.com wrote:
> However now the server on which the EJB's lie fail to start up
> initially. There is a missing credentials exception that gets thrown.
> This is an inconsistent exception as after a couple of tries it does
> manage to get the credentials and the server starts up. I have
> attached an error log that details the same.
My news server has the good sense to delete attachments. Try posting the
_relevant_ section as text
>
> However if I turn off the "CSIv2 Outbound Security Propagation" the
> server kickstarts well. The problem though that occurs now is that
> whenever I make an EJB call after login, server 2 (on which the EJB's
> are deployed) is unable to retrieve the credentials from the LTPA
> token.
>
> Find below the error log :
>
> Could not get the uniqueId of the user user:USER1. [3-12-06
> 15:00:46:547 CET] 42366d45 LdapRegistryI E SECJ0351E: Could not get
> the uniqueId of the user user:USER1 due to the following exception .
> [3-12-06 15:00:46:547 CET] 42366d45 LTPAServerObj E SECJ0373E: Cannot
> create credential for the user <null> due to failed validation of the
> LTPA token. The exception is . [3-12-06 15:00:46:562 CET] 42366d45
> JaasLoginHelp A SECJ0222E: An unexpected exception occurred when
> trying to create a LoginContext. The LoginModule alias is
> system.RMI_INBOUND and the exception is .
The only reason that I'm aware of why the LTPA token validation would
fail as that the second server has different LTPA keys.
| |
|
| Hi Paul,
Find below the error that I get during server start up.
[4-12-06 11:09:37:969 CET] 3a51fc6d WSCredentialT E SECJ5013E: Could not create default SingleSignonToken during propagation login. The following exception occurred:
[4-12-06 11:09:38:172 CET] 629e7c6d DRSLaunch A DRSW0006I: WebSphere internal replication client launched: Dynacache-DRSWSSecureMap
[4-12-06 11:09:38:406 CET] 73ad7c6c ContextManage E SECJ0270E: Failed to get actual credentials. The exception is .
[4-12-06 11:09:39:797 CET] 73ad7c6c SecurityCompo E SECJ0007E: Error during security initialization. The exception is .
[4-12-06 11:09:47:219 CET] 73ad7c6c WsServer E WSVR0003E: Server AUT_BL_Server_1 failed to start
com.ibm.ws.exception.RuntimeError: Credential is destroyed, can not be used.
at com.ibm.ws.security.core.ServerSecurityComponentImpl.start(ServerSecurityComponentImpl.java:204)
at com.ibm.ws.runtime.component.ContainerImpl.startComponents(ContainerImpl.java:536)
at com.ibm.ws.runtime.component.ContainerImpl.start(ContainerImpl.java:413)
at com.ibm.ws.runtime.component.ApplicationServerImpl.start(ApplicationServerImpl.java:152)
at com.ibm.ws.runtime.component.ContainerImpl.startComponents(ContainerImpl.java:536)
at com.ibm.ws.runtime.component.ContainerImpl.start(ContainerImpl.java:413)
at com.ibm.ws.runtime.component.ServerImpl.start(ServerImpl.java:243)
at com.ibm.ws.runtime.WsServer.start(WsServer.java:128)
at com.ibm.ws.runtime.WsServer.main(WsServer.java:225)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:85)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:58)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:60)
at java.lang.reflect.Method.invoke(Method.java:391)
at com.ibm.ws.bootstrap.WSLauncher.main(WSLauncher.java:189)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:85)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:58)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:60)
at java.lang.reflect.Method.invoke(Method.java:391)
at com.ibm.ws.bootstrap.WSLauncher.runMain(WSLauncher.java:295)
at com.ibm.ws.bootstrap.WSLauncher.main(WSLauncher.java:197)
Caused by: com.ibm.websphere.security.WSSecurityException: Credential is destroyed, can not be used.
at com.ibm.ws.security.auth.ContextManagerImpl.initialize(ContextManagerImpl.java:284)
at com.ibm.ws.security.core.SecurityContext.enable(SecurityContext.java:79)
at com.ibm.ws.security.core.SecurityComponentImpl.initialize(SecurityComponentImpl.java:643)
at com.ibm.ws.security.core.SecurityComponentImpl.startSecurity(SecurityComponentImpl.java:609)
at com.ibm.ws.security.core.ServerSecurityComponentImpl.start(ServerSecurityComponentImpl.java:183)
... 21 more
Caused by: com.ibm.websphere.security.WSSecurityException: Credential is destroyed, can not be used.
at com.ibm.ws.security.auth.ContextManagerImpl.getServerSubject(ContextManagerImpl.java:1796)
at com.ibm.ws.security.auth.ContextManagerImpl.initialize(ContextManagerImpl.java:271)
... 25 more
Caused by: com.ibm.websphere.security.WSSecurityException: Credential is destroyed, can not be used.
at com.ibm.ws.security.auth.WSCredentialImpl.refreshCred(WSCredentialImpl.java:1425)
at com.ibm.ws.security.auth.ContextManagerImpl.getServerSubject(ContextManagerImpl.java:1736)
... 26 more
Caused by: com.ibm.websphere.security.auth.CredentialDestroyedException: Credential is destroyed, can not be used.
at com.ibm.ws.security.auth.WSCredentialImpl._assert(WSCredentialImpl.java:1231)
at com.ibm.ws.security.auth.WSCredentialImpl.getCredentialToken(WSCredentialImpl.java:463)
at com.ibm.ws.security.auth.WSCredentialImpl.refreshCred(WSCredentialImpl.java:1375)
... 27 more
Regards
Barada Sahu
| |
| Paul Ilechko 2006-12-06, 3:07 pm |
| I suggest you open a PMR. I don't have any bandwidth to continue with this.
| |
| Paul Ilechko 2006-12-07, 1:31 pm |
| barada.sahu@capgemini.com wrote:
> Hi Paul,
> Find below the error that I get during server start up.
>
> [4-12-06 11:09:37:969 CET] 3a51fc6d WSCredentialT E SECJ5013E: Could not create default SingleSignonToken during propagation login. The following exception occurred:
> [4-12-06 11:09:38:172 CET] 629e7c6d DRSLaunch A DRSW0006I: WebSphere internal replication client launched: Dynacache-DRSWSSecureMap
> [4-12-06 11:09:38:406 CET] 73ad7c6c ContextManage E SECJ0270E: Failed to get actual credentials. The exception is .
> [4-12-06 11:09:39:797 CET] 73ad7c6c SecurityCompo E SECJ0007E: Error during security initialization. The exception is .
> [4-12-06 11:09:47:219 CET] 73ad7c6c WsServer E WSVR0003E: Server AUT_BL_Server_1 failed to start
> com.ibm.ws.exception.RuntimeError: Credential is destroyed, can not be used.
>
It makes no sense that you would see this during server startup. You get
a propagation login when an already logged in user goes to another
server. As the credential is not cached locally it attempts to retrieve,
either from dynacache or using JMX.