Question
Aegis
US
Last activity: 25 May 2022 4:58 EDT
PRExternal handler error
Hi
We use Pega version 8.5.4. I have created a Data-Admin-AuthService and am calling Code-Security.CustomAuthenticationExample (OOTB) from it.
While trying to log in from the external portal I am getting the below error in the log:
Authentication modification permitted if top-most activity is a PRExternal handler - invalid root activity: RULE-OBJ-ACTIVITY CODE-SECURITY CUSTOMAUTHENTICATIONEXAMPLE #20220322T211451.389 GMT 2022-03-22 17:16:08,859 [ WebContainer : 10] [ STANDARD] [ ] [ NGClaims:01.01.01] (hentication.AuthenticationUtil) ERROR uat.aegislink.com| Proprietary information hidden - Problem executing activity: Code-Security.CustomAuthenticationExample
I did put a logger for this activity and saw that it's failing at step 9 - it's a java step which calls setUserSecurityProfile.
Has anyone encountered this error? Appreciate any help on this.
Updated: 24 Mar 2022 9:15 EDT
Pegasystems Inc.
GB
@ShrutiM0986 can you please confirm that you have already logged a support ticket for this?
I was able to find INC-216840 which is currently being looked at....
Whilst the support team investigate, please could you take a look at the following support article 'SSO: Single Signon activity throwing error'.
The error you have listed is produced when the web.xml authentication type entry is defined as PRCustom, but the authentication activities are sending back information in a format that was compatible with the older PRExternal authentication type.
It seems you have built a custom version of the IACAuthentication from an earlier release where this previously worked in conjunction with the PRExternal authentication type. However, after upgrading, this default authentication has now been changed to PRCustom. So the pre-upgrade authentication activity is failing.
setUserSecurityProfile function has been deprecated in the later versions of Pega and therefore will not work.
See article.
SetUserSecurityProfile, is deprecated in latest versions of PRPC as they are insecure – they do not validate passwords or identity, they merely configure the session using the specified operator profile or access group.
Can you show us the configuration of 'CustomAuthenticationExample'? I'm not sure it is valid. My research shows that it is something left over from before PRExternal
---> Did you try to remove the call to the SetUserSecurityProfile activity?
We would recommend not to use the CustomAuthenticationExample to model your new auth activity as it is for a PRExternal which has been deprecated. The activity used was written for PRExternal not PRCustom. For PRCustom you can use AuthenticationLDAP as an example of the parameters and steps you will want in your activity.
The Data-Admin-AuthService CustomSample is mapped to servlet PRServletCustom and by default has an AuthType parameter of PRCustom. You cannot use a PRExternal type activity with a servlet defined with an AuthType of PRCustom.
For custom authentication the basic concept is to create a page of class Data-Admin-Operator-ID. You will return this page in the pyOperPage JavaObject output parameter. This becomes the user record of the person logging in. The user record will get created if it doesn’t exist or updated if it does exist. For this you need a Data-Admin-AuthService.
If your activity is using PRExternal style you need to switch to using a servlet with a PRExternal AuthType parameter. This should be considered a short term fix. The better approach is to switch to using a PRCustom style.
Could you take a look at the available documentation to see if that helps?
Create single sign-on authentication services from App Studio (8.2)
Activating your SAML SSO authentication service
Creating a SAML SSO authentication service in App Studio
Configuring the identity provider for a SAML SSO authentication service
Mapping operator information for a SAML SSO authentication service
Configuring operator provisioning for a SAML SSO authentication service
Specifying preauthentication and postauthentication activities for a SAML SSO authentication service
Please liaise with the engineer dealing with your open support ticket and provide the final solution here on the forum, many thanks.
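The mismatch described in the reply above (a servlet whose web.xml AuthenticationType is PRCustom paired with an activity written for PRExternal) can be checked before deployment. The following Python is an added example, not part of the thread and not Pega code: it reads each servlet's AuthenticationType init-param and compares it with the style the operator declares for the activity. The servlet name ExampleLegacyServlet, the sample web.xml and the activity_styles mapping are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: only AuthenticationType, PRCustom, PRExternal and the
# servlet name PRServletCustom come from the thread; the rest is illustrative.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>PRServletCustom</servlet-name>
    <init-param>
      <param-name>AuthenticationType</param-name>
      <param-value>PRCustom</param-value>
    </init-param>
  </servlet>
  <servlet>
    <servlet-name>ExampleLegacyServlet</servlet-name>
    <init-param>
      <param-name>AuthenticationType</param-name>
      <param-value>PRExternal</param-value>
    </init-param>
  </servlet>
</web-app>"""


def local(tag):
    """Drop the XML namespace so namespaced and plain web.xml files both work."""
    return tag.rsplit("}", 1)[-1]


def servlet_auth_types(web_xml_text):
    """Map servlet-name -> AuthenticationType init-param (None if absent)."""
    result = {}
    for servlet in ET.fromstring(web_xml_text).iter():
        if local(servlet.tag) != "servlet":
            continue
        name, auth_type = None, None
        for child in servlet:
            if local(child.tag) == "servlet-name":
                name = (child.text or "").strip()
            elif local(child.tag) == "init-param":
                pair = {local(e.tag): (e.text or "").strip() for e in child}
                if pair.get("param-name") == "AuthenticationType":
                    auth_type = pair.get("param-value")
        if name:
            result[name] = auth_type
    return result


def find_mismatches(web_xml_text, activity_styles):
    """activity_styles (assumed input): servlet-name -> style its activity was written for."""
    configured = servlet_auth_types(web_xml_text)
    return {s: (configured.get(s), style) for s, style in activity_styles.items()
            if configured.get(s) != style}
```

Each entry returned by find_mismatches is a servlet paired with (configured type, declared activity style); an empty result means every declared activity matches its servlet.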
Aegis
US
Thank you so much for responding. You got it right. I have opened an SR for the same.
It was working pre upgrade (7.1.5). web.xml contains below
<param-name>AuthenticationType</param-name> <param-value>PRCustom</param-value>
Do you suggest me not to call setUserSecurityProfile and rather use the java code mentioned in the article?
Updated: 24 Mar 2022 11:03 EDT
Pegasystems Inc.
GB
@Shruti Mishra yes you could try that but as it was written for 7.1.7 it may not work in your version.
Can you use the steps listed in the up to date documentation?
Let me know how you get on!
Aegis
US
Hello
I did look for another V8 activity with the below java step. I used it. I am getting past this step. But I am getting an error at later steps where I am calling my application specific activities whose "Requires Authentication to run" checkbox is checked at the security tab.

    PRThread thisThread = (PRThread) ThreadContainer.get();
    if (thisThread != null) {
        ClipboardPage threadPage = tools.findPage("pxThread", true);
        ClipboardPage pyPreferences = tools.findPage("OperatorID.pyPreferences", true);
        if (threadPage != null && pyPreferences != null) {
            try {
                if ("Developer".equals(threadPage.getStringIfPresent("pxPortal"))
                        && "true".equals(pyPreferences.getStringIfPresent("pyIgnoreLocale"))) {
                    // Developer portal with pyIgnoreLocale set: force en_US
                    thisThread.setLocaleName(1, "en_US");
                } else {
                    // Otherwise apply the requestor's pyUseLocale, if one is set
                    ClipboardPage pxRequestorPage = tools.findPage("pxRequestor", true);
                    if (pxRequestorPage != null) {
                        String useLocale = pxRequestorPage.getStringIfPresent("pyUseLocale");
                        if (useLocale != null && !"".equals(useLocale)) {
                            thisThread.setLocaleName(1, useLocale);
                        }
                    }
                }
            } catch (InvalidLocaleException ile) {
                oLog.error("", ile);
            }
        }
    }

Error in log is -
Error: You lack access required to execute RULE-OBJ-ACTIVITY - "my application activity"
Does this mean that pega could not authenticate the request? Does the java step above look good to you?
Updated: 24 Mar 2022 12:06 EDT
Pegasystems Inc.
GB
@ShrutiM0986 Please make sure 'Require authentication' is unchecked in security tab of your activity
Please have a look at this article SSO Login : Runtime exception, when custom authentication called.
This post and this post may also help you.
I am worried you have a mismatch between a PRCustom style servlet definition defined in the web.xml but a PRExternal style activity.
At this point I suggest that we wait for the support engineer who will have more insight into this to help you look at your authentication activity.
Aegis
US
So I have a series of activities which are called within. Every activity has this "requires authentication" checkbox checked. I am able to proceed with the activities for which I uncheck the authentication checkbox. But the question is, is this what we should do? Or is there some other problem?
Thanks a ton for all the insight you have given on this issue. I will keep you posted on what I hear from the Support Engineer.
Marije Schillern
Pegasystems Inc.
GB
@Shruti Mishra I have checked the progress on the support incident and can see that it has been resolved.
The question was that since your activities and the called OOTB Pega activities (like createnewcoveredworkobject) have authentication required you were not able to use PRCustom and were forced to use PRExternal.
The advice was as follows:
From 8.x if you're using SAML/OpenID for SSO authentication it is advised to use PRAuth.
If you're using LDAP for SSO you'll need to use PRExternal.
Are you happy to mark the forum question Accept Solution now that the question has been answered?