SSO Help

An Online Community for Identity & Access Management Professionals

ava mell

Siteminder Active Expression custom java class being called

Hi,

I decided to create another thread instead of continuing the last because it may not be related to the original thread.

Anyway, here's my problem:

I am using Active Expression to do some LDAP update upon authorization. I've implemented it in a custom class to do the LDAP update. I've set it as an Active Rule tied up to the OnAuthAccept, where:

Library Name : smjavaapi
Function Name : JavaActiveExpression
Function Parameter : customclass.java

I've deployed the jar, updated the jvmoptions.txt and restarted the server. Running the app, it seems that the customclass doesn't get called. There are no exceptions in smps.log (is this the right file to look at?). Though it does say:

[SmJavaAPI.cpp:1018][INFO] SmJavaAPI: Successfully initialized Java active expressions

To test, I put a non-existing class in the Function Parameter. SM doesn't even complain, so I'm not really sure if SM is doing the call.

I've followed the developers guide so I'm not quite sure what else I'm missing.

Appreciate your help.


Replies to This Discussion

I can never remember the rules for which rules can appear in the same policy. Is your OnAuthAccept rule in the same policy as your GET/POST/PUT rules? If so, you could try moving the OnAuthAccept rule to a separate policy. I don't think that is the problem, but it's worth a shot.

What does your active response return? Have you tried turning on the profiler to see if there are any additional messages?

I have not done a lot personally with Java active expressions. So, I'll have to do some research for a better answer...

Hi Todd,

Moving the rule to a separate policy doesn't seem to help. I suspect that the custom class never gets called. I put some debug lines in the class but never see them in the logs.

Now I also had a go at creating a simple custom authentication. Again I deployed it in a jar and updated the jvmoption. I configured the Policy Server as per the instructions in the guide (created an authentication scheme and set it to my realm). When I tried accessing the application, it gave me a 500 error. Looking at the smps.log, it has the

[SmAuthServer.cpp:233][ERROR] Failed to query authentication scheme 'Custom Scheme'

and I also saw in the profiler log

[** Status: Error. Reject s65/r3 : internal error - failed to obtain scheme credentials for scheme 'Custom Scheme'

Again, my guess is still the class not being loaded properly. If so, is there anything else I need to do to load it? Do you think flushing the cache would help?

My next guess is that the Java version of the custom class I created is not compatible with the JRE that SM is using. True enough, SM is using jre1.4 and I'm using 1.5. Now just to make sure, I tried re-compiling an old custom jar (to use 1.5) that seems to be sitting in the server and is used by another app which is working fine. After restart, I tried accessing the app that uses that old custom class and it seems that it still works OK even if it's now compiled in 1.5. So my guess is inconclusive but it might be that it is cached again.

Going in circles is frustrating. Really appreciate your help!

The cache shouldn't come into play here. One thing I noticed above is that you list the parameter as being set to "customclass.java". Is that what you tried in the different scenarios as well? I believe that the parameter should be a reference to the actual class and not the Java file. So, I would expect to see something like:

com.org.sdk.ActiveResponse

Have you tried this format for the Parameter?

Todd

Oh yeah, typo error. I entered the full class name. Same problem.

Got the active expression working. I deployed on a fresh environment and everything worked fine. I still think it was the conflicting Java versions used.

Todd, thanks for the help!

Thanks for the update. I'm glad it's working.

Todd
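
The thread ends on a suspected mismatch between the Java version the custom class was compiled for and the JRE the Policy Server runs. As an added example (not part of the thread and not SiteMinder tooling), this Python script reads the class-file version of every class in a jar and lists those newer than a given JVM accepts; the sample jar and its `com/example` entries are constructed for illustration.

```python
import io
import struct
import zipfile

# Class-file major version -> Java release (from the JVM class-file format).
MAJOR_TO_JAVA = {45: "1.1", 46: "1.2", 47: "1.3", 48: "1.4",
                 49: "5", 50: "6", 51: "7", 52: "8"}


def class_version(data):
    """Return (major, minor) from a class-file header, or None if it is not one."""
    if len(data) < 8:
        return None
    magic, minor, major = struct.unpack(">IHH", data[:8])
    if magic != 0xCAFEBABE:
        return None
    return major, minor


def incompatible_classes(jar, max_major):
    """List (entry, major) for classes newer than the JVM's max_major.

    jar is a path or file-like object. A JVM refuses such classes with
    UnsupportedClassVersionError. Unreadable headers are reported with None.
    """
    findings = []
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            if not name.endswith(".class"):
                continue
            with zf.open(name) as fh:
                version = class_version(fh.read(8))
            if version is None:
                findings.append((name, None))
            elif version[0] > max_major:
                findings.append((name, version[0]))
    return findings


def build_sample_jar():
    """Constructed sample: header-only stubs, enough for the version check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("com/example/OldRule.class", struct.pack(">IHH", 0xCAFEBABE, 0, 48))
        zf.writestr("com/example/NewRule.class", struct.pack(">IHH", 0xCAFEBABE, 0, 49))
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for entry, major in incompatible_classes(build_sample_jar(), max_major=48):
        print(entry, "needs Java", MAJOR_TO_JAVA.get(major, "unknown"))
```

Pass a real jar path instead of `build_sample_jar()` and set `max_major` to the value for the JRE in use (48 for a 1.4 JRE).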


© 2012   Created by CoreBlox
