I'm using Oracle Internet Directory (OID) for authentication and authorization of the users of my J2EE applications. However, I have some difficulties making the authentication work when I need to make an RMI communication between two applications in different OC4J instances. I configured a properties file ('jndi.properties') in a "client application" to make an RMI call to a SessionBean of a "server application".

    # jndi.properties
    java.naming.factory.initial=com.evermind.server.rmi.RMIInitialContextFactory
    java.naming.provider.url=ormi://server/app
    java.naming.security.principal=<user>
    java.naming.security.credentials=<password>
    dedicated.connection=true
    # end

When the "server application" does the authentication against an XML file (jazn-data.xml or principals.xml), this communication (authentication) works, and the "client application" manages to retrieve the information from the OID through the "server application". But when I configure the "server application" to authenticate against the OID (changing orion-application.xml to 'jazn provider=ldap'), I receive the following error: "error Lookup: javax.naming.AuthenticationException: Invalid username/password".

    <!-- orion-application.xml -->
    ...
    <jazn provider="LDAP" location="ldap://<server>:<port>" default-realm="jazn.com">
        <jazn-web-app auth-method="SSO"/>
    </jazn>
    ...
    <!-- end -->

I believe the problem is still around the permission that I need to grant to the user in the OID, which reflects the following jazn-policy:

    <!-- jazn-data.xml -->
    ...
    <jazn-policy>
        <grant>
            <grantee>
                <principals>
                    <principal>
                        <realm-name>jazn.com</realm-name>
                        <type>user</type>
                        <class>oracle.security.jazn.spi.xml.XMLRealmRole</class>
                        <name>jazn.com/myUser</name>
                    </principal>
                </principals>
            </grantee>
            <permissions>
                <permission>
                    <class>com.evermind.server.rmi.RMIPermission</class>
                    <name>login</name>
                </permission>
            </permissions>
        </grant>
    </jazn-policy>
    ...
Observe that the user/password specified in the properties file (jndi.properties) exists in the OID and that this problem ONLY happens when I need to make RMI communication between two applications. Can anybody help me? Mauricio Silva.
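As an added example (not code from the original post), here is a minimal ORMI client that loads the jndi.properties shown above, builds an InitialContext from it and separates javax.naming.AuthenticationException (the "Invalid username/password" failure described in the question) from other naming errors. The JNDI name "MySessionBean" and the environment variable names ORMI_USER / ORMI_PASSWORD are assumptions; the override from environment variables is there so the LDAP password does not have to sit in a properties file that gets checked into source control.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.Properties;

import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;

/**
 * Minimal ORMI client for the setup in the question. Example code added
 * to the thread, not the poster's own. The JNDI name "MySessionBean" and the
 * ORMI_USER / ORMI_PASSWORD environment variables are hypothetical.
 */
public class OrmiLookupClient {

    /**
     * Loads jndi.properties (factory, provider URL, dedicated.connection, ...)
     * and, when both environment variables are set, replaces the principal and
     * credentials so the password need not be stored in the file.
     * Assumption: ORMI_USER / ORMI_PASSWORD are our own naming convention.
     */
    static Properties loadEnvironment(String path) throws IOException {
        Properties env = new Properties();
        try (InputStream in = new FileInputStream(path)) {
            env.load(in);
        }
        String user = System.getenv("ORMI_USER");
        String pass = System.getenv("ORMI_PASSWORD");
        if (user != null && pass != null) {
            // Context.SECURITY_PRINCIPAL   == "java.naming.security.principal"
            // Context.SECURITY_CREDENTIALS == "java.naming.security.credentials"
            env.put(Context.SECURITY_PRINCIPAL, user);
            env.put(Context.SECURITY_CREDENTIALS, pass);
        }
        return env;
    }

    public static void main(String[] args) {
        String path = args.length > 0 ? args[0] : "jndi.properties";
        Context ctx = null;
        try {
            Properties env = loadEnvironment(path);
            // The RMIInitialContextFactory authenticates the principal against
            // the server application's JAZN provider (XML or LDAP) at this point.
            ctx = new InitialContext(env);
            Object ref = ctx.lookup("MySessionBean"); // hypothetical JNDI name
            // Narrow ref with javax.rmi.PortableRemoteObject.narrow(ref, Iface.class)
            // to the bean's remote interface before invoking it.
            System.out.println("Lookup succeeded: " + ref.getClass().getName());
        } catch (AuthenticationException e) {
            // The server-side JAZN provider rejected the principal/credentials;
            // the question suspects the RMIPermission "login" grant for the user.
            System.err.println("Authentication failed: " + e.getMessage());
        } catch (NamingException e) {
            // Wrong provider URL, bean not bound, network failure, ...
            System.err.println("Lookup failed: " + e);
        } catch (IOException e) {
            System.err.println("Cannot read " + path + ": " + e);
        } finally {
            if (ctx != null) {
                try {
                    ctx.close();
                } catch (NamingException ignored) {
                    // nothing useful to do on close failure
                }
            }
        }
    }
}
```

Run it with the jndi.properties path as the first argument (it defaults to the current directory); a rejected principal prints the AuthenticationException message instead of a stack trace, which makes it easy to tell an authorization problem on the server from a plain connectivity problem.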
The problem is that RMI cannot authenticate against form- or SSO-based authentication mechanisms (the same holds true for SOAP). What you need is basic HTTP authentication using LDAP. Oracle says that this is not supported in this release (10.1.2) of JAZN/iAS; however, I don't see why someone couldn't develop a custom authentication module similar to a Third Party Authentication Module (TPAM).
When you deploy your web app to OC4J, the working copy of orion-application.xml under (.../application-deployments) is updated with <jazn-web-app auth-method="SSO"/>. The unsupported method for accomplishing this is to remove this line from the deployed orion-application.xml. This will enable JAZN-LDAP to operate with BASIC HTTP authentication. As stated above, this type of authentication is required for SOAP, Web Services, RMI.