Off late I have been a bit regular on Portal Forums, One question which has been frequently asked and I haven't found any definitive answer is regarding the Logon Language. People (Including me), who are so used to R3 Logon, find it difficult to understand why there is no Logon Language option for Portal. Things get a bit messier, when you read about the property ume.logon.lcoale. If you set it as true through config-tool you get a Language Selection Drop down on Logon Page. But alas, nothing happens when you select the language from Drop down and login to portal.  Not good...Don't worry Not that Bad either. It's a valuable point learnt which can be used to simplify what we want to achieve.

While trying to dig in, I saw some suggestions that it can be achieved through Custom Logon Module. That sounds good, but unfortunately I didn't find any concrete idea on how to do it. I saw some words Like JAAS (Java Authentication and Authorization Service), Logon Stack etc, which didn't make much sense to me at that time (Even today I can just manage). The reason is partly due to the fact that I started my career with SAP and whatever JAVA I know, is based on need.

Let's come back to Logon Module :-).

Before continuing further, I strongly recommend you to go through these two very useful documents

1. JAAS Login Module Development on WebAS Java 640

2. Custom Login Module Tutorial

The second document will require access to Service Market Place.

We have a  possible solution and a broad guideline, but how do we implement it ?

I could see in the document and also in Visual Administrator that there is a login module with the name BasicPasswordLoginModule.

This was the Eureka moment. If I could get hold of the source code, it will not be difficult to write my own Logon Module.

JAR Class Finder and JAD Eclipse are two very useful tools. If you aren't already using them,  trust me your life will be much easier if you use them.

You can find some useful information regarding the Installation and configuration of JAD Eclipse and JAR Class finder in my earlier blog.

http://www.sdn.sap.com/irj/scn/weblogs?blog=/pub/wlg/25225

Jar class finder tells me that the class com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule

is packaged in security.jar

After doing a JAD (I was not able to do it through NWDS directly, had to extract the class file through Winrar and decompile it through Command Line JAD), the result is quite pleasing. I will let you do that by yourself and decide.

Before going forward let's summarize how far we have reached

1. Our aim is to allow for Logon Language on Logon Page

2. This can be achieved through Custom Logon Module

3. We understand the basic of Logon module and theoretically how to do it

4. We have a template implementation in form of BasicPasswordLoginModule

After going through BasicPasswordLoginModule and above documents, I was certain that if I can get the Language in request parameter I can use HttpGetterCallback to retrieve this and using UM APIs I can update the User Profile.

In one of the threads I read that before a certain SP version it was possible to login with a specific locale using the URL

http://<host>:<port>/irj/portal?ume.logon.locale=<locale>

There was no way I could verify this, as I am on EP 7 and it doesn't work. However, it gave me a hope that the parameter is getting set in request.

Based on the above let's create our Custom Logon Module

Development

1. Create a Java Project (in my case it's CTSJAAS) and add the following jar files to project Build Path

• admin.jar
• com.sap.security.api.jar
• connector.jar
• exception.jar
• logging.jar
• security.jar
• security_api.jar

2. Create a Class which extends the class AbstractLoginModule. (In my case it's Ctsjaasimpl)

3. Look at the BasicPasswordLoginModule and implement the methods accordingly. Alternatively copy and paste the below, and make appropriate changes.

\

/* \  * Created on Nov 5, 2011 \  * \  * To change the template for this generated file go to \  * Window>Preferences>Java>Code Generation>Code and Comments \  */ \ package com.cts.jaas; \  \ import java.io.IOException; \ import java.util.Locale; \ import java.util.Map; \  \ import javax.resource.spi.security.PasswordCredential; \ import javax.security.auth.Subject; \ import javax.security.auth.callback.Callback; \ import javax.security.auth.callback.CallbackHandler; \ import javax.security.auth.callback.NameCallback; \ import javax.security.auth.callback.PasswordCallback; \ import javax.security.auth.callback.UnsupportedCallbackException; \ import javax.security.auth.login.LoginException; \  \  \  \ import com.sap.engine.interfaces.security.SecurityContext; \ import com.sap.engine.interfaces.security.auth.AbstractLoginModule; \ import com.sap.engine.interfaces.security.userstore.context.UserContext; \ import com.sap.engine.interfaces.security.userstore.context.UserInfo; \ import com.sap.engine.lib.security.PasswordPrincipal; \ import com.sap.engine.lib.security.Principal; \ import com.sap.engine.lib.security.http.HttpCallback; \ import com.sap.engine.lib.security.http.HttpGetterCallback; \ import com.sap.engine.services.security.exceptions.BaseLoginException; \ import com.sap.engine.services.security.exceptions.BaseSecurityException; \ import com.sap.engine.services.security.server.SecurityContextImpl; \  \ import com.sap.security.api.IUser; \ import com.sap.security.api.IUserFactory; \ import com.sap.security.api.IUserMaint; \ import com.sap.security.api.UMFactory; \  \ import com.sap.security.api.UMException; \  \ import com.sap.tc.logging.Location; \  \ /** \  * @author prashant \  * \  * To change the template for this generated type comment go to \  * Window>Preferences>Java>Code Generation>Code and Comments \  */ \ public class Ctsjaasimpl extends AbstractLoginModule { \  \ \     public Ctsjaasimpl() { \ \     \     callbackHandler = null; \ \     \     subject = null; \ \     \     name = null; \ \     \     password = null; \ \     \     sharedState = null; \ \     \     options = null; \ \     \     userContext = null; \ \     \     user = null; \ \     \     securityContext = null; \ \     \     isStrictLogin = false; \ \     \     // TODO Auto-generated constructor stub \ \     } \ \      \ \     public void initialize(Subject subject, CallbackHandler callbackHandler, Map sharedState, Map options) \ \     { \ \     \     super.initialize(subject, callbackHandler, sharedState, options); \ \     \     this.callbackHandler = callbackHandler; \ \     \     this.subject = subject; \ \     \     this.sharedState = sharedState; \ \     \     this.options = options; \ \     \     successful = false; \ \     \     shouldBeIgnored = false; \ \     \     securityContext = SecurityContextImpl.getRoot(); \ \     \     localeString = null; \ \     \     userFactory=null; \ \     \     userContext = securityContext.getUserStoreContext().getActiveUserStore().getUserContext(); \ \     \     if(userContext == null) \ \     \     \     throw new BaseSecurityException("security_4045"); \ \     \     else \ \     \     \     return; \ \     } \  \ \     public boolean login() \ \     \     throws LoginException \ \     { \ \     \     NameCallback nameCallback = new NameCallback("User name: "); \ \     \     PasswordCallback passwordCallback = new PasswordCallback("Password: ", true); \ \     \     HttpGetterCallback httpCallback = new HttpGetterCallback(); \ \     \     httpCallback.setName("ume.logon.locale"); \ \     \     httpCallback.setType(HttpCallback.REQUEST_PARAMETER); \ \     \     isStrictLogin = "true".equalsIgnoreCase((String)options.get("StrictLogin")); \ \     \     try \ \     \     { \ \     \     \     callbackHandler.handle(new Callback[] { \ \     \     \     \     nameCallback, passwordCallback, httpCallback \ \     \     \     }); \ \     \     } \ \     \     catch(UnsupportedCallbackException e) \ \     \     { \ \     \     \     shouldBeIgnored = true; \ \     \     \     if(isStrictLogin) \ \     \     \     \     throw new BaseLoginException("security_1018", e); \ \     \     \     else \ \     \     \     \     return false; \ \     \     } \ \     \     catch(IOException e) \ \     \     { \ \     \     \     throwUserLoginException(e, (byte)18); \ \     \     } \ \     \     name = nameCallback.getName(); \ \     \     password = passwordCallback.getPassword(); \ \     \     String requestParameters[]=(String[])httpCallback.getValue(); \ \     \     if((requestParameters!=null)&&requestParameters.length>0) \ \     \     { \ \     \     \     localeString=requestParameters[0]; \ \     \     } \ \     \     passwordCallback.clearPassword(); \ \     \     if(name == null || name.length() == 0) \ \     \     { \ \     \     \     if(LOCATION.beDebug()) \ \     \     \     \     LOCATION.debugT("No user name provided."); \ \     \     \     shouldBeIgnored = true; \ \     \     \     if(isStrictLogin) \ \     \     \     \     throw new BaseLoginException("security_1018"); \ \     \     \     else \ \     \     \     \     return false; \ \     \     } \ \      \  \  \ \     \      \ \     \     if("true".equalsIgnoreCase((String)options.get("LogonWithAlias"))) \ \     \     { \ \     \     \     if(LOCATION.beDebug()) \ \     \     \     \     LOCATION.debugT("User tries to authenticate with alias " + name); \ \     \     \     try \ \     \     \     { \ \     \     \     \     user = userContext.getUserInfoByLogonAlias(name); \ \     \     \     } \ \     \     \     catch(SecurityException e) \ \     \     \     { \ \     \     \     \     throwUserLoginException(e, (byte)0); \ \     \     \     } \ \     \     \     if(user != null) \ \     \     \     \     sharedState.put("sap.security.auth.refresh.done", user.getName()); \ \     \     } else \ \     \     { \ \     \     \     try \ \     \     \     { \ \     \     \     \     refreshUserInfo(name); \ \     \     \     \     user = userContext.getUserInfo(name); \ \     \     \     } \ \     \     \     catch(SecurityException e) \ \     \     \     { \ \     \     \     \     throwUserLoginException(e, (byte)0); \ \     \     \     } \ \     \     } \ \     \     if(user == null) \ \     \     \     throwNewLoginException("No such user " + name + " found in the userstore.", (byte)0); \ \     \     int passwordStatus = user.checkPasswordExtended(password); \ \     \     switch(passwordStatus) \ \     \     { \ \     \     default: \ \     \     \     break; \  \ \     \     case 0: // '\\0' \ \     \     \     if(LOCATION.beDebug()) \ \     \     \     \     LOCATION.debugT("Password check for user " + name + " successful."); \ \     \     \     break; \  \ \     \     case 128:  \ \     \     \     throwNewLoginException("Invalid password for user " + name + " .", (byte)0); \ \     \     \     break; \  \ \     \     case 129:  \ \     \     \     throwNewLoginException("User " + name + " has no password.", (byte)19); \ \     \     \     break; \  \ \     \     case 130:  \ \     \     \     throwNewLoginException("The password for user " + name + " is locked.", (byte)21); \ \     \     \     break; \  \ \     \     case 131:  \ \     \     \     throwNewLoginException("The password for user " + name + " is expired because it has not been used for quite long time.", (byte)20); \ \     \     \     break; \ \     \     } \ \     \     name = user.getName(); \ \     \     sharedState.put("javax.security.auth.login.name", name); \ \     \     sharedState.put("com.sap.engine.security.UserInfo", user); \ \     \      \ \     \     IUser portalUser=null; \ \     \     Locale newLocale =null; \ \     \     Locale oldLocale =null; \ \     \     if(localeString!=null) \ \     \     { \ \     \     \     newLocale = new Locale(localeString); \ \     \     } \ \     \      \ \     \     try { \ \     \     \     userFactory=UMFactory.getUserFactory(); \ \     \     \     portalUser = userFactory.getUserByLogonID(name); \ \     \     } catch (UMException e2) { \ \     \     \     // TODO Auto-generated catch block \ \     \     \     throwUserLoginException(e2); \ \     \     } \ \     \     if(portalUser!=null) \ \     \     { \ \     \     \      oldLocale= portalUser.getLocale(); \ \     \     \     //if((oldLocale!=null)&&() \ \     \     } \ \     \      \ \     \      \ \     \     if((oldLocale!=null)&&(newLocale!=null)&&(!(oldLocale.equals(newLocale)))) \ \     \     { \ \     \      \ \     \     try { \ \     \     \     mutableUser=userFactory.getMutableUser(portalUser.getUniqueID()); \ \     \     \     mutableUser.setLocale(newLocale); \ \     \     \     mutableUser.commit(); \ \     \     } catch (UMException e1) { \ \     \     \     // TODO Auto-generated catch block \ \     \     \     throwUserLoginException(e1,(byte)0); \ \     \     } \ \     \     } \ \     \      \ \     \     successful = true; \ \     \     return true; \ \     } \  \ \     public boolean commit() \ \     \     throws LoginException \ \     { \ \     \     if(!shouldBeIgnored) \ \     \     { \ \     \     \     if(successful) \ \     \     \     { \ \     \     \     \      \ \     \     \     \     Principal principal = new PasswordPrincipal(name); \ \     \     \     \     subject.getPrincipals().add(principal); \ \     \     \     \     subject.getPrivateCredentials().add(new PasswordCredential(name, password)); \ \     \     \     \     sharedState.put("javax.security.auth.login.principal", principal); \  \ \     \     \     } else \ \     \     \     { \ \     \     \     \     name = null; \ \     \     \     \     password = null; \ \     \     \     \     user = null; \ \     \     \     \     localeString =null; \ \     \     \     } \ \     \     \     return true; \ \     \     } else \ \     \     { \ \     \     \     shouldBeIgnored = false; \ \     \     \     return false; \ \     \     } \ \     } \  \ \     public boolean abort() \ \     \     throws LoginException \ \     { \ \     \     if(!shouldBeIgnored) \ \     \     { \ \     \     \     if(successful) \ \     \     \     { \ \     \     \     \     name = null; \ \     \     \     \     password = null; \ \     \     \     \     successful = false; \ \     \     \     \     user = null; \ \     \     \     } \ \     \     \     return true; \ \     \     } else \ \     \     { \ \     \     \     shouldBeIgnored = false; \ \     \     \     return false; \ \     \     } \ \     } \  \ \     public boolean logout() \ \     \     throws LoginException \ \     { \ \     \     if(!shouldBeIgnored) \ \     \     { \ \     \     \     if(successful) \ \     \     \     { \ \     \     \     \     userContext.emptySubject(subject); \ \     \     \     \     successful = false; \ \     \     \     } \ \     \     \     return true; \ \     \     } else \ \     \     { \ \     \     \     return false; \ \     \     } \ \     } \ \     private static final String ALIAS_LOGON_OPTION = "LogonWithAlias"; \ \     private static final String STRICT_LOGIN = "StrictLogin"; \ \     private static final String TRUE = "true"; \ \     private static final Location LOCATION = Location.getLocation("com.cts.jaas.Ctsjaasimpl"); \ \     private CallbackHandler callbackHandler; \ \     private Subject subject; \ \     private String name; \ \     private String localeString; \ \     private char password[]; \ \     private Map sharedState; \ \     private Map options; \ \     private UserContext userContext; \ \     private UserInfo user; \ \     private boolean successful; \ \     private boolean shouldBeIgnored; \ \     private SecurityContext securityContext; \ \     private boolean isStrictLogin; \ \     private IUserFactory userFactory; \ \     private IUserMaint mutableUser; \  \  \ } \  \

\

4. Export the jar file.

5. Create a J2EE Library Project

6. Configure provider.xml General Tab, as shown (Change the provider name)

7. On Jars tab add the Jar file which contains your Custom Logon Module (Please note that, to be able to add the jar file it should be available in current Workspace)

8. On References tab, you need to add the Reference to the Library, interfaces, services for the jar file which you have used in your project. This can be tricky and it took me lot of time to figure out what to add here. I will suggest you to directly go to the source tab and copy and paste the references section at appropriate place.

\

\     <references> \ \     \     <reference  \ \     \     \     provider-name="sap.com"  \ \     \     \     strength="weak"  \ \     \     \     type="interface">security_api</reference> \ \     \     <reference  \ \     \     \     provider-name="sap.com"  \ \     \     \     strength="weak"  \ \     \     \     type="library">com.sap.tc.Logging</reference> \ \     \     <reference  \ \     \     \     provider-name="sap.com"  \ \     \     \     strength="weak"  \ \     \     \     type="library">com.sap.exception</reference> \ \     \     <reference  \ \     \     \     provider-name="sap.com"  \ \     \     \     strength="weak"  \ \     \     \     type="library">com.sap.security.api.sda</reference> \ \     \     <reference  \ \     \     \     provider-name="sap.com"  \ \     \     \     strength="weak"  \ \     \     \     type="library">com.sap.security.core.sda</reference> \ \     \     <reference  \ \     \     \     provider-name="engine.sap.com"  \ \     \     \     strength="weak"  \ \     \     \     type="library">j2eeca</reference> \ \     </references> \  \

9. Configure sda-dd.xml and set Software type as library

10. Build Library Archive, it will generate a .sda file. Right click on the .sda file and deploy it.

We are done with the Development. Now we can move to configuration.

Configuration

1. Login to Visual Administrator (go.bat). Expand the node Server -> Libraries, and confirm that the Library Project has been Deployed Successfully. See below

2. Open the node Server->Services->Security Provider

3. Go to User Management Tab. Switch to Edit Mode. Click on Manage Security Stores.

4. Select UME User Store, and click Add Login Module

5. Provide the class name for your Login Module. (In my case it's com.cts.jaas.Ctsjaasimpl)

6. Now we need to add this Login Module to Login Module Stack

Note: If you haven't done already, please read the above two documents carefully to understand the Login Module Authentication Process. It's vital to understand what you are doing, as any misconfiguration will mean, no one will be able to login to portal. Of course you can login through Visual admin and Rollback.

Navigate to Policy Configurations -> ticket and click on Add New

7. Select your logon module and click Modify. Adjust the Position and flag. Look at the below screen shot for help.

8. Click on the Properties tab and modify the property LoginModuleClassLoaders, so that it points to your library project. Take help of step1 to know the exact value.

We are done with the login module configuration. At this point I saved my changes and restarted my server. I was able to successfully test it by using the URL http://<host:<port>/irj/portal?ume.logon.locale=de

This will set the locale in User Profile to de.

However, now I have the benefit of hindsight and I don't want you to come back to configuration and restart your server again. We will finish the configuration for the missing bit. The Drop down on the logon screen.

9. Start the Configtool (configtool.bat) and navigate to cluster-data ->Global Server Configuration->Services.

10. Select com.sap.security.core.ume.service.

11. Locate the property ume.logon.locale and set it as true.

12. Save your changes and restart the cluster.

13. After restart access the Portal logon URL. You will notice the Drop Down for Language Selection. Provide the Credentials, Select the Language and hit logon.

14. If everything is fine, you will see something similar to below.

Conclusion

Custom login module opens up lots of interesting possibilities. In one of the forums, I read that the logical attribute mapping doesn't work for UME using Java Database. Fellow SDNer wanted to configure the portal so that it allows for login using e-mail address instead of User ID. This can easily be achieved through Custom Logon Module. Also in the above document there is an interesting scenario, where you can filter the IPs. Either allow certain IP ranges or block certain IP ranges, Easy, with your own logon module.