Authorization failed with JAAS in JBOSS

Similar Messages

• Has anyone managed to get Authorization working with JAAS from CusLoginMod?

  Hi everybody,
  I am on a standalone oc4j 10.1.3.1.0
  I want to be able to access a private resource using form based authentication
  and I would like to use JAAS from with a custom login module.
  The authentication part works just fine but the authorization doesn't seem to happen.
  Both login() and commit() from my LoginModule are called and after authentication takes place, the subject is populated with the right Principals, in my case "testers".
  This Subject then it should be matched against the <security-role> defined in my application's web.xml
  This is the part from my application's web.xml which holds the security information.
  <security-role>
  <description>Online User</description>
  <role-name>testers</role-name>
  </security-role>
  <security-constraint>
  <web-resource-collection>
  <web-resource-name>access to the private application</web-resource-name>
  <url-pattern>/faces/user/*</url-pattern>
  </web-resource-collection>
  <!-- authorization -->
  <auth-constraint>
  <role-name>testers</role-name>
  </auth-constraint>
  <user-data-constraint>
  <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
  </security-constraint>
  <login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
  <form-login-page>protected.htm</form-login-page>
  <form-error-page>error.jspx</form-error-page>
  </form-login-config>
  </login-config>
  Has anyone faced this scenario before?
  Any advices much appreciated
  thank you.

  I can't see what am I missing if I'm missing something.
  This is my orion-application.xml
  <orion-application xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://xmlns.oracle.com/oracleas/schema/orion-application-10_0.xsd">
  <jazn provider="XML" jaas-mode="doAsPrivileged" location="">
  <property name="role.mapping.dynamic" value="true"></property>
  <property name="custom.loginmodule.provider" value="true"></property>
  </jazn>
  <jazn-loginconfig>
  <application>
  <name>JAAS</name>
  <login-modules>
  <login-module>
  <class>jaas.JAASLoginModule</class>
  <!-- <class>jaas.SampleLoginModule</class> -->
  <control-flag>required</control-flag>
  <options>
  <option>
  <name>debug</name>
  <value>true</value>
  </option>
  <option>
  <name>log_level</name>
  <value>ALL</value>
  </option>
  </options>
  </login-module>
  </login-modules>
  </application>
  </jazn-loginconfig>
  </orion-application>

• Authorization fail with CATS Bapi's on InfoTypes

  Hello all -  when running BAPI_CATIMESHEETMGR_INSERT we are failing on Authorization  - for example our profile doesn't have access to InfoType 0002 - however we cannot assign it directly as the user may also have PA20 etc. and we can't permit them to see data via online transactions - any solution would be greatly appreciated

  If the BAPI is not..
  No, other way around: if your z-table is not respected by the BAPI then an enhancement point might be?
  Where did you add the z-table coding? It might be your own fault (just being honest).
  Cheers,
  Julius

• Authorization with JAAS in JSF with facelets

  hi,
  can u please hint me where i did mistake.. i clearly mention what i did and what i getting ..i did this in jsf1.2,tomcat6.x
  i did JAAS authentication in jsf with facelets.but i am unable to do the authorization with JAAS in jsf
  after getting authentication i put the subject in session. if i print the values in suject i got the following out put
  Subject:
  Principal: TypedPrincipal: hari [USER] // user name
  Principal: TypedPrincipal: admin [GROUP] // user role.
  now i want to authorization based on the role.
  for this i wrote policy file --principal.policy like this
  grant Principal com.alw.reports.jaas.TypedPrincipal "admin" {
      permission com.alw.reports.jaas.ViewIdPermission "*";
  grant Principal com.alw.reports.jaas.TypedPrincipal "hari" {
      permission com.alw.reports.jaas.ViewIdPermission "*";
  grant Principal com.alw.reports.jaas.TypedPrincipal "user" {
      permission com.alw.reports.jaas.ViewIdPermission "/contents.jsp";
  };and i set the path for this policy file like
                System.setProperty("java.security.policy", "policy file location" );when i run my application i am getting login page after that i gave username and passwed. it is getting authentication .. but not able to displaying next page that is /pages/welcome.xhtml but directly it is showin /pages/error.xhtml
  i am getting following error
  java.security.AccessControlException: access denied (com.alw.reports.jaas.ViewIdPermission /pages/welcome.xhtml)
       at java.security.AccessControlContext.checkPermission(Unknown Source)
       at java.security.AccessController.checkPermission(Unknown Source)
       at java.lang.SecurityManager.checkPermission(Unknown Source)
       at com.alw.reports.jaas.JAASHelper$1.run(JAASHelper.java:87)
       at java.security.AccessController.doPrivileged(Native Method)
       at javax.security.auth.Subject.doAsPrivileged(Unknown Source)
       at com.alw.reports.jaas.JAASHelper.permitionToAccessViewId(JAASHelper.java:83)
       at com.alw.reports.jaas.JAASActionListener.processAction(JAASActionListener.java:65)
       at javax.faces.component.UICommand.broadcast(UICommand.java:106)
       at org.ajax4jsf.component.AjaxViewRoot.processEvents(AjaxViewRoot.java:184)
       at org.ajax4jsf.component.AjaxViewRoot.broadcastEvents(AjaxViewRoot.java:162)
       at org.ajax4jsf.component.AjaxViewRoot.processApplication(AjaxViewRoot.java:350)
       at org.apache.myfaces.lifecycle.LifecycleImpl.invokeApplication(LifecycleImpl.java:316)
       at org.apache.myfaces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:86)
       at javax.faces.webapp.FacesServlet.service(FacesServlet.java:106)
       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
       at org.ajax4jsf.webapp.BaseXMLFilter.doXmlFilter(BaseXMLFilter.java:141)
       at org.ajax4jsf.webapp.BaseFilter.doFilter(BaseFilter.java:281)
       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
       at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
       at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
       at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
       at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
       at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
       at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:263)
       at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
       at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:584)
       at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
       at java.lang.Thread.run(Unknown Source)
  my faces-config.xml
  <navigation-rule>
            <display-name>pages/login</display-name>
            <from-view-id>/pages/login.xhtml</from-view-id>
            <navigation-case>
                 <from-outcome>loginSuccess</from-outcome>
                 <to-view-id>/pages/welcome.xhtml</to-view-id>
            </navigation-case>
       </navigation-rule>
  <navigation-case>
                 <from-outcome>errorpage</from-outcome>
                 <to-view-id>
                      /pages/error.xhtml
                 </to-view-id>
            </navigation-case>my command button in login.xhtml
                           <td align="center" colspan="2">
                                <h:commandButton value="Reset" type="reset"/>
                                <h:commandButton   action="loginSuccess"
                                     id="login" value="Login" />
                           </td>my actionlister
  package com.alw.reports.jaas;
  import javax.faces.component.UIOutput;
  import javax.faces.context.FacesContext;
  import javax.faces.event.AbortProcessingException;
  import javax.faces.event.ActionEvent;
  import javax.faces.event.ActionListener;
  import javax.security.auth.Subject;
  public class JAASActionListener implements ActionListener   {
       private ActionListener parent = null;
       public JAASActionListener(javax.faces.event.ActionListener parent) {
            System.out.println("-------------- in JAASActionListener ;");
         this.parent = parent;
       public void processAction(ActionEvent event)
         throws AbortProcessingException {
            System.out.println("-------------- in processAction ;");
         FacesContext context = FacesContext.getCurrentInstance();
         UIOutput comp = null;
         String userid = null, password = null;
         JAASHelper jaasHelper = new JAASHelper();
         // Check to see if they are on the login page.
         boolean onLoginPage = (-1 != context.getViewRoot().getViewId().lastIndexOf("login")) ? true : false;
         if (onLoginPage) {
           if (null != (comp = (UIOutput)
             context.getViewRoot().findComponent("helloForm:username"))) {
             userid = (String) comp.getValue();
           if (null != (comp = (UIOutput)
             context.getViewRoot().findComponent("helloForm:password"))) {
             password = (String) comp.getValue();
           // If JAAS authentication failed
           if (!jaasHelper.authenticate(userid, password)) {
             context.getApplication().getNavigationHandler().handleNavigation(context, null, "login");
             return;
           else {
             // Subject must not be null, since authentication succeeded
                System.out.println("----------- setting the subjects in context in  ActionListner ");
             assert(null != jaasHelper.getSubject());
             // Put the authenticated subject in the session.
             System.out.println("---- putting the authenicated subject in the seesion ");
             context.getExternalContext().getSessionMap().put("JAASSubject",jaasHelper.getSubject());
         parent.processAction(event);
         Subject subject=(Subject)context.getExternalContext().getSessionMap().get("JAASSubject");
        System.out.println("subject after parent process action>>>>>>>>>>>>>>>>>>>>>"+subject);
        assert(null != subject);
        if(!jaasHelper.permitionToAccessViewId(subject,context,context.getViewRoot().getViewId())){
            context.getApplication().getNavigationHandler().handleNavigation(context, null, "errorpage");
  }can u please hint me where i did mistake
  thanks in advance

  gbabu wrote:
  My doubt is based on that subject , how to write policy file and how to call doAsPrivileged() mehod on that Subject in order to navigate web pages.how to provide web pages permission for particular role in policy file..
  For example i have three pages login.xhtml,user.xhtml,admin.xhtml.
  1> if the logged in person is admin, then we want to display admin.xhtml
  2> if the loggend is person is user , then we want to display user.xhtml
  untill now i did and found who is logged in and what are his type( admin or user) .now i want configure the web.xml and faces-config.xml based on policy fileTo the best of my knowledge, there is nothing in the standard NavigationHandler which accounts for JAAS security. If you wanted, you could create a custom NavigationHandler to do this. If you think the idea is worthy enough, you could issue an enhancement request to the specification ([https://javaserverfaces-spec-public.dev.java.net/]).

• Dynamic Authorization Failed - Posture with Guest Portal - ISE - WLC

  Hello everybody,
  I'm implementing a NAC solution based on Cisco ISE. Unfortunately, I'm facing a problem related to the CoA (Change of Authorization).
  The guest can authenticate successfully via portal and then he is redirected to the page of client provisioning.
  When he is compliant with the policy he gets access without any problem and this means that CoA works perfectly. The issue occurs when he has to remediate (download the file from ISE and install it). In this case, we need a change of authorization profile.
  The authentication logs show that the posture status changed from non-compliant to compliant but the users doesn't obtain access .
  Here are details :
  Authentication Details
  Source Timestamp
  2015-04-30 18:43:13.179
  Received Timestamp
  2015-04-30 18:43:13.18
  Policy Server
  ISE-CISCO
  Event
  5417 Dynamic Authorization failed
  Failure Reason
  11213 No response received from Network Access Device after sending a Dynamic Authorization request
  Resolution
  Check the connectivity between ISE and Network Access Device. Ensure that ISE is defined as Dynamic Authorization Client on Network Access Device and that CoA is supported on device.
  Root cause
  No response received from Network Access Device after sending a Dynamic Authorization request
  Username
  User Type
  Endpoint Id
  E0:9D:31:07:**:**
  Endpoint Profile
  IP Address
  Identity Store
  Identity Group
  Audit Session Id
  ca0019ac00000003ae674255
  Authentication Method
  Authentication Protocol
  Service Type
  Network Device
  WLC-1
  Device Type
  Location
  NAS IP Address
  172.25.0.202
  NAS Port Id
  NAS Port Type
  Authorization Profile
  Posture Status
  Compliant
  Security Group
  Response Time
  15002
  Other Attributes
  ConfigVersionId
  4
  RadiusPacketType
  CoARequest
  Event-Timestamp
  1430415778
  AcsSessionID
  50149c2f-08fb-4f9d-b1b5-f655e71d039f
  StepLatency
  3=15001
  Device IP Address
  172.25.0.202
  CiscoAVPair
  subscriber:command=reauthenticate
  audit-session-id
  ca0019ac00000003ae674255
  Session Events
  2015-04-30 18:43:13.18
  Dynamic Authorization failed
  2015-04-30 18:41:44.159
  Dynamic Authorization failed
  2015-04-30 18:35:42.64
  Guest Authentication Passed
  2015-04-30 18:34:39.214
  RADIUS Accounting start request

  You can use LWA for this . he WLC redirects  the HTTP traffic to an internal or external server where the user is prompted to  authenticate. The WLC then fetches the credentials (sent back via an HTTP GET  request in the case of external server) and makes a RADIUS authentication. In  the case of a guest user, an external server (such as Identity Service Engine  (ISE) or NAC Guest Server (NGS)) is required as the portal provides features  such as device registering and self-provisioning.
  Refer to the following link for  configuration  example
  http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml

• Creation of Space failes with the following error

  SR- 3-6660108191
  Ver-11.1.1.6
  In customer production environment when they attempting to creat a space from WebCenter, they receive the following:
  Creation of space SteveSpace4_11January2013 failed with errors : WCS#2013.01.11.08.47.28: Errors were encountered in creating space. The main error is - Unable to grant permission SteveSpace4_11January2013. You may want to delete the current space if it is visible in your lists. Contact the administrator if the problem persists.
  In Spaces logs-
  <Jan 11, 2013 9:44:37 AM CST> <Warning> <oracle.webcenter.spaces> <BEA-000000> <Ignorable Exception in Create GS
  oracle.webcenter.spaces.operations.GroupSpaceOpsIgnorableException: Granting of Role Moderator partially succeeded for identity MCCORMICK.STEPHEN.J.1251888201-0001. Granting permissions for Discussions failed.
       at oracle.webcenter.spaces.internal.model.operations.GroupSpaceOpsSecurityRoleMappingHandlerPlugin.duringCreateGroupSpace(GroupSpaceOpsSecurityRoleMappingHandlerPlugin.java:631)
       at oracle.webcenter.spaces.internal.model.SpacesManagerImpl$2.run(SpacesManagerImpl.java:1414)
       at oracle.webcenter.concurrent.RunnableTask.call(RunnableTask.java:44)
       at oracle.webcenter.concurrent.Submission$2.run(Submission.java:484)
       at java.security.AccessController.doPrivileged(Native Method)
       at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:315)
       at oracle.webcenter.concurrent.Submission.runAsPrivileged(Submission.java:498)
       at oracle.webcenter.concurrent.Submission.run(Submission.java:424)
       at oracle.webcenter.concurrent.Submission$SubmissionFutureTask.run(Submission.java:888)
       at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:439)
       at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303)
       at java.util.concurrent.FutureTask.run(FutureTask.java:138)
       at oracle.webcenter.concurrent.ModifiedThreadPoolExecutor$Worker.runTask(ModifiedThreadPoolExecutor.java:657)
       at oracle.webcenter.concurrent.ModifiedThreadPoolExecutor$Worker.run(ModifiedThreadPoolExecutor.java:682)
       at java.lang.Thread.run(Thread.java:662)
  Caused By: oracle.webcenter.webcenterapp.security.WCSecurityRoleMappingException: Granting of Role Moderator partially succeeded for identity MCCORMICK.STEPHEN.J.1251888201-0001. Granting permissions for Discussions failed.
       at oracle.webcenter.security.rolemapping.RoleManager.processServiceUsers(RoleManager.java:757)
       at oracle.webcenter.security.rolemapping.RoleManager.processUsers(RoleManager.java:378)
  Jan 11, 2013 9:44:37 AM CST> <Warning> <oracle.webcenter.spaces> <BEA-000000> <Exiting createGroupSpaceInternal>
  <Jan 11, 2013 9:44:37 AM CST> <Error> <oracle.webcenter.spaces> <BEA-000000> <Creation of space SteveSpace7_11January2013 completed with warnings : WCS#2013.01.11.09.44.37: Space created with the following warning(s) : Issues were faced
  while provisioning the service(s) - Announcements. Check the space services settings page if these services have been provisioned.>
  <Jan 11, 2013 9:44:37 AM CST> <Error> <oracle.webcenter.spaces> <BEA-000000> <The exception occured during space creation for spaceName = SteveSpace7_11January2013due to =>
  <Jan 11, 2013 9:44:37 AM CST> <Error> <oracle.webcenter.spaces> <BEA-000000> <
  oracle.webcenter.spaces.SpacesException: Space created with the following warning(s) : Issues were faced while provisioning the service(s) - Announcements. Check the space services settings page if these services have been provisioned.
       at oracle.webcenter.spaces.internal.model.SpacesManagerImpl.createGroupSpaceInternal(SpacesManagerImpl.java:1865)
       at oracle.webcenter.spaces.internal.model.SpacesManagerImpl.access$200(SpacesManagerImpl.java:225)
       at oracle.webcenter.spaces.internal.model.SpacesManagerImpl$1.run(SpacesManagerImpl.java:553)
       at java.security.AccessController.doPrivileged(Native Method)
       at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:259)
       at oracle.security.jps.internal.jaas.AccActionExecutor.execute(AccActionExecutor.java:65)
       at oracle.security.jps.internal.jaas.CascadeActionExecutor$SubjectPrivilegedAction.run(Cascade
  In Diagnostic logs:
  [2013-01-11T09:44:06.053-06:00] [WC_Spaces2] [WARNING] [] [oracle.webcenter.webcenterapp] [tid: pool-1-daemon-thread-4] [userId: MCCORMICK.STEPHEN.J.1251888201-0001] [ecid: 0000mii9Zr1Bt1G5uz4EyX00051O0005OU,0:1:3:290:26] [APP: webcenter#11.1.1.4.0] [URI: /webcenter/faces/oracle/webcenter/webcenterapp/view/pages/admin/WebCenterAdmin-Communities.jspx] grantRoleForRoleMappedServices : warning : serviceId :oracle.webcenter.collab.forum
  [2013-01-11T09:44:06.058-06:00] [WC_Spaces2] [WARNING] [] [oracle.webcenter.webcenterapp] [tid: pool-1-daemon-thread-4] [userId: MCCORMICK.STEPHEN.J.1251888201-0001] [ecid: 0000mii9Zr1Bt1G5uz4EyX00051O0005OU,0:1:3:290:26] [APP: webcenter#11.1.1.4.0] [URI: /webcenter/faces/oracle/webcenter/webcenterapp/view/pages/admin/WebCenterAdmin-Communities.jspx] [[
  oracle.webcenter.security.rolemapping.RoleMappingException: The Role Mapping provider encountered an exception while performing security role mapping for service oracle.webcenter.collab.forum.
       at oracle.webcenter.security.rolemapping.RoleManager.processServiceUsers(RoleManager.java:757)
       at oracle.webcenter.security.rolemapping.RoleManager.processUsers(RoleManager.java:378)
       at oracle.webcenter.security.rolemapping.RoleManager.addUsers(RoleManager.java:243)
       at oracle.webcenter.webcenterapp.internal.model.security.WCSecurityManagerImpl$5.run(WCSecurityManagerImpl.java:1313)
       at oracle.webcenter.concurrent.RunnableTask.call(RunnableTask.java:44)
       at oracle.webcenter.concurrent.Submission$2.run(Submission.java:484)
       at java.security.AccessController.doPrivileged(Native Method)
       at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:315)
       at oracle.webcenter.concurrent.Submission.runAsPrivileged(Submission.java:498)
       at oracle.webcenter.concurrent.Submission.run(Submission.java:424)
       at oracle.webcenter.concurrent.Submission$SubmissionFutureTask.run(Submission.java:888)
       at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:439)
       at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303)
       at java.util.concurrent.FutureTask.run(FutureTask.java:138)
       at oracle.webcenter.concurrent.ModifiedThreadPoolExecutor$Worker.runTask(ModifiedThreadPoolExecutor.java:657)
       at oracle.webcenter.concurrent.ModifiedThreadPoolExecutor$Worker.run(ModifiedThreadPoolExecutor.java:682)
       at java.lang.Thread.run(Thread.java:662)
  Caused by: oracle.webcenter.security.rolemapping.spi.RoleMappingSPIException: javax.xml.soap.SOAPException: javax.xml.soap.SOAPException: Bad response: 400 Bad Request
       at oracle.webcenter.collab.share.security.DefaultRoleMapper.addUsers(DefaultRoleMapper.java:78)
  This looks like the user dont have permissions to create the space, but even Admin user weblogic also geting the same error.
  Please may I know how to debug this and where to see for the permissions.
  Thanks!!

  Hi,
  Please follow steps, may be your issue will be resolved.
  Steps:
  1.Create the Discussions administrator user using the DefaultAuthenticator provider as indicated here:
  Oracle Fusion Middleware Administrator's Guide for Oracle WebCenter
  11g Release 1 (11.1.1)
  23 Managing Security
  23.3.4.1 Migrating the WebCenter Discussions Server to use an External LDAP
  The Discussions Administrator user must exist in the external LDAP and also you need to create the user using the DefaultAuthenticator provider in the embedded LDAP.The username in the embedded LDAP must match the username in the External LDAP.
  Review all steps from the above section of the documentation to be sure you performed all the steps.
  2.Grant WebCenter Spaces Administrator Role to the Discussions Administrator user as indicated here:
  Oracle Fusion Middleware Administrator's Guide for Oracle WebCenter
  23.3 Configuring the Identity Store
  23.3.5 Granting the WebCenter Spaces Administrator Role to a WebCenter Spaces User
  23.3.5.1 Granting the WebCenter Spaces Administrator Role Using Fusion Middleware Control
  3.Restart the WLS_Spaces and WLS_Services Managed Servers.
  If this helps please mark.
  Regards,
  Kishore

• ISE 1.2 - Dynamic Authorization Failed

  Hello!
  In my design network I use the ISE for CWA with a WLC, but when a client entrer his credentials, the CoA failed with this error : "11213 No response received from Network Access Device after sending a Dynamic Authorization request"
  This error is really strange because I can contact the ISE from the WLC. My ISE, and my broadcasted network are in the same VLAN, is it possible that this error come from this network architecture?
  My is is patched with the cumulative patch 7 and for information, I can do a "manual CoA" by disconnect/reconnect the client manually and after that the client has a network access.
  Used configuration for ISE and WLC : http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116087-configure-cwa-wlc-ise-00.html
  Thanks in advance if you have the least clue to resolve this issue.
  Kévin

  I will perform some additional testing and let you know my results.  I have this setup in the lab now with ISE 1.2 Patch 7 as well.... Since I only have a couple of PC's in the lab, I've noticed that I am unable to terminate the users session manually.  So I usually end up stopping and restarting the services. This is how i clear my live sessions.
  Is your setup in a Lab or Production?  If its in a lab can you restart ISE and your WLC.   I know when I first did my "debug client <mac>" My airespace ACL was showing the incorrect ACL ID.  After a reboot of ISE and recreating my WLC ACL it went away.   I haven't noticed my service IP ever showing up in ISE.  I usually see the users MAC address then a [email protected] "User Authentication" with his IP.  Next its the WLC MNGT Interface and finally the User Authorization again show Authz Internet-Only.
  My lab does not always function 100% so I am hoping after we go Live this weekend,  these flaky issues go away.  One of my problems is I don't have internet access.  Just a web server hosting a web page. I'll keep notes on anything I find that hopefully assist you.

• Java Applet in a HTML page: failing with PLS-00306: wrong number of args

  We are trying to use a Java Applet in a HTML page. as our system needs to be able to retrieve a predefined set of data from a third party system that uses Dynamic Data Exchange Protocol (DDE) and are encountering errors from APEX and in IE itself.
  We are using JavaDde from www.nevaobject.com that enables our Java applet to interact with Windows applications (Third Party System) using DDE.
  This functionality is currently used in our Web Form 6i application and we are trying to use the same in the new ApEx application.
  We are using ApEx version : 2.1 and actually aer encountering 2 problems:
  Problem 1: ApEx failing with PLS-00306: wrong number or types of arguments in call to 'ACCEPT'
  Problem 2: IE crashes if Applet used in a complex page with several regions (1 Context, 4 Report Regions, 2 level Tabs, Links)
  This problem does not occur in the page where there is only applet and one region. In the case of complex page the IE crashes if the page is reloaded
  Test scenario:
  1- Create a simple page with the HTML region.
  2- Define the Source of the above region as follows
  <OBJECT CLASSID="clsid:8AD9C840-044E-11D1-B3E9-00805F499D93"
  CODEBASE="http://java.sun.com/products/plugin/autodl/jinstall-1_4-windows-i586.cab#version=1,4,0,0"
  WIDTH="1"
  HEIGHT="1"
  ID="simpleApplet"
  NAME="simpleApplet">
  <PARAM NAME="code" VALUE="simpleApplet.class" >
  <PARAM NAME="archive" VALUE="simpleApplet.jar" />
  <PARAM NAME="type" VALUE="application/x-java-applet;version=1.4">
  </OBJECT>
  3- Create a simple Java applet "simpleApplet" - for the test its enough if the applet will have just the init method printing out the mesage to the console
  4- Create a Submit Button (not redirect) in Region Header and create unconditional (do not set When Button Pressed property) Page Branch to navigate to another page (the page without the applet)
  6- Run the page and Submit -
  The error below is returned by the engine:
  In our case our applet is called ddeApplet - I do not know why is ApEx passing the Applet's ID down to the wwv_flow.accept method as a parameter
  Tue, 24 Jul 2007 08:15:39 GMT
  ORA-06550: line 7, column 2:
  PLS-00306: wrong number or types of arguments in call to 'ACCEPT'
  ORA-06550: line 7, column 2:
  PL/SQL: Statement ignored
  DAD name: rbdev2_ax
  PROCEDURE : wwv_flow.accept
  URL : http://castor:7778/pls/rbdev2_ax/wwv_flow.accept
  PARAMETERS :
  ============
  P_FLOW_ID:
  147
  P_FLOW_STEP_ID:
  500
  P_INSTANCE:
  6986070096861669560
  P_PAGE_SUBMISSION_ID:
  1005758
  P_REQUEST:
  CRASH
  P_ARG_NAMES:
  100380029717786501
  P_T01:
  147
  P_T02:
  101
  P_T03:
  5000044
  P_T04:
  1
  P_T05:
  S
  DDEAPPLET:
  Ddeapplet[panel0,0,0,1x1,layout=java.awt.BorderLayout,rootPane=javax.swing.JRootPane[,0,0,1x1,layout=javax.swing.JRootPane$RootLayout,alignmentX=null,alignmentY=null,border=,flags=385,maximumSize=,minimumSize=,preferredSize=],rootPaneCheckingEnabled=true]
  P_MD5_CHECKSUM:
  ENVIRONMENT:
  ============
  PLSQL_GATEWAY=WebDb
  GATEWAY_IVERSION=2
  SERVER_SOFTWARE=Oracle HTTP Server Powered by Apache/1.3.19 (Unix) mod_fastcgi/2.2.10 mod_perl/1.25 mod_oprocmgr/1.0
  GATEWAY_INTERFACE=CGI/1.1
  SERVER_PORT=7778
  SERVER_NAME=castor
  REQUEST_METHOD=POST
  QUERY_STRING=
  PATH_INFO=/pls/rbdev2_ax/wwv_flow.accept
  SCRIPT_NAME=/pls
  REMOTE_HOST=
  REMOTE_ADDR=192.168.66.169
  SERVER_PROTOCOL=HTTP/1.1
  REQUEST_PROTOCOL=HTTP
  REMOTE_USER=
  HTTP_CONTENT_LENGTH=661
  HTTP_CONTENT_TYPE=application/x-www-form-urlencoded
  HTTP_USER_AGENT=Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
  HTTP_HOST=castor:7778
  HTTP_ACCEPT=image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, application/x-shockwave-flash, */*
  HTTP_ACCEPT_ENCODING=gzip, deflate
  HTTP_ACCEPT_LANGUAGE=en-us
  HTTP_ACCEPT_CHARSET=
  HTTP_COOKIE=ISCOOKIE=true; LOGIN_USERNAME_COOKIE=rdanko; ORACLE_PLATFORM_REMEMBER_UN=RDANKO:ngrb; WWV_FLOW_USER2=70FBB00945FE46B9; V6_AUTHENTICATION_COOKIE=70FBB00945FE46B9
  Authorization=
  HTTP_IF_MODIFIED_SINCE=
  HTTP_REFERER=http://castor:7778/pls/rbdev2_ax/f?p=147:500:6986070096861669560:::::
  HTTP_SOAPACTION=

  "theArrow",
  It looks like whatever HTML you're including on your page is creating HTML input form elements inside the HTML form "wwv_flow". This form is posted to wwv_flow.accept, and of course, the PL/SQL procedure wwv_flow.accept doesn't know anything these additional arguments/form elements you're attempting to POST.
  Joel

• Authorization failed when trying to connect Hyperion to BW 7.0

  Hello gurus,
  Using Hyperion interactive Reporting Studio, I try to access BW cubes.
  I select OLE DB as connection type and SAP BW OLE DB provider, I am prompted for a BW system to connect to.
  I then get the following error message:
  OLE Error: 80040e4d
  Error Source: MDrmSAP.2
  Error Desciption: Authorization failed.
  Using the same BW provider and the same BW user, I am able to connect form Excel.
  So I wonder what the problem is.
  Help really appreciated.
  Alex-

  Hi Ingo,
  I do not get any error while using the Universe Designer, I get this error when trying to connect a SAP BW related universe in Crystal Reports. There is no problem at all with WebIntelligence by the way. It is possible to connect a SAP BW related universe in WebIntelligence.
  I use BO XI 3.0 with Crystal Reports 2008 and the SAP Integrations Kit client components are installed on the client machine.
  Nevertheless the BO Enterprise system is not configured with SAP Authentification, but with an own authentification.
  Best Regards,
  Thomas

• Error http the request failed with http status 401: unauthorized

  Hi,<o:p></o:p>
  We are currently developing a Web Part for a
  dashboard that connects from SharePoint 2010 to Project Server, we are trying
  to connect via the PSI web service and fetch the project data but it is giving
  the same error "The request failed with HTTP
  status 401: Unauthorized". We are having a huge
  issue with gaining authorization through the PSI and cannot figure out what the
  problem is. We are using Project Server 2010, SharePoint 2010 and Visual Studio
  2010.<o:p></o:p>
  The person developing this has administrative
  rights on both servers and it is running on his account. However, this is his
  first experience with Project Server. Could some provide some guidance?<o:p></o:p>
  Does anyone have any suggestions?<o:p></o:p>
  Thanks,<o:p></o:p>
  Aba
  <o:p></o:p>

  Hi,
  Have the credentials been set for the web service? Or are you trying to pass the credentials of the user accessing the webpart? In the second case, the user must have permissions in project server
  It would be useful if you can share the part of the code that fails
  Paul

• Fusion Apps web service call fails with error access denied (oracle.wsm.security.WSFunctionPermission)

  Hello Guru,
  I am trying to call a supplier service from SOA/OSB.
  But while calling the service it is failing with the below error message
  access denied (oracle.wsm.security.WSFunctionPermission http://xmlns.oracle.com/apps/prc/poz/suppliers/supplierService/SupplierService#getSupplierVO invoke)
  As per OER cookbook i have attached the "oracle/wss_username_token_client_policy" to the Fusion  apps web service.
  I am trying to pass security credentials to the service by using all the methods... through composite ..through bpel through wsse header but in all cases i am getting similar error.
  Please let me know if some one has called the fusion apps web service to create a supplier of solution to my problem  as mentioned above.

  Hi Sai,
      Thanks for the quick and correct response. Yes, after doing the research, I'm also came to same conclusion. But what stops me here is that where exactly I need to check for this permission.
  I mean the theory what I built on this Authorization/Permission is that:
     For the resource - WebService (SupplierService), there is an assigned application role for which the Entitlement/Permission is provided.
  Pls. help me in the below items:
  a. What is the application role(in role hierarchy) assigned to this resource(Webservice). Which page I need to check(navigation) this and the required credentials..
  b. What is the Entitlement provided for this application role for this operation (getSupplierVO) invoke.. Which page I need to check(navigation) this and the required credentials..
  Thanks in Advance.
  Thanks & Regards
  Madhu

• FusionApps web service call fails with error access denied (oracle.wsm.security.WSFunctionPermission)

  Hi Gurus,
  I started test this webservice from EM (Test Web Service)
  But while calling the service it is failing with the below error message
  access denied (oracle.wsm.security.WSFunctionPermission http://xmlns.oracle.com/apps/prc/poz/suppliers/supplierService/SupplierService#getSupplierVO invoke)
  As per OER cookbook i have attached the "oracle/wss_username_token_client_policy" to the Fusion  apps web service.
  I am trying to pass security credentials to the service by using all the methods... through composite ..through bpel through wsse header but in all cases i am getting similar error.
  Please let me know if some one has called the fusion apps web service to create a supplier of solution to my problem  as mentioned above.
  Is it any policy error or the authorization error ...
  Are there any navigation steps I can check the existed permission on this resource etc..,
  Thanks in Advance

  Hi Sai,
      Thanks for the quick and correct response. Yes, after doing the research, I'm also came to same conclusion. But what stops me here is that where exactly I need to check for this permission.
  I mean the theory what I built on this Authorization/Permission is that:
     For the resource - WebService (SupplierService), there is an assigned application role for which the Entitlement/Permission is provided.
  Pls. help me in the below items:
  a. What is the application role(in role hierarchy) assigned to this resource(Webservice). Which page I need to check(navigation) this and the required credentials..
  b. What is the Entitlement provided for this application role for this operation (getSupplierVO) invoke.. Which page I need to check(navigation) this and the required credentials..
  Thanks in Advance.
  Thanks & Regards
  Madhu

• ISE Alarm (WARNING): Dynamic Authorization Failed for Device

  Hi all,
  I am posting this discussion as previous posts that I have found in this forum have never been resolved or the resolution is not applicable to me.
  I am using ISE 1.1.1.268 and WLC 7.2.111.3 and NAC agent version 4.9.1.6 on Windows 7 Client machines.
  About once a day i get the error "ISE Alarm (WARNING): Dynamic Authorization Failed for Device".
  The device it is reffering to is my NAD, a WLC 5508 running 7.2.111.3
  I have looked at the logs and I cannot see anything in the logs which correcponds to this message so that I can troubleshoot further. Maybe I can if I am enabling the correct logging level on the correct ISE component.
  Can someone suggest the components and the logging level that I should set to get some more detail about this error?
  At the moment, I have only set debug logging on Active Directory. I have TRACE logging set on Posture, Runtime AAA & prrt-JNI.
  I do not want to enable too much debug logs, so I was wondering whether anyone can help with a specific element that I should be debugging.
  I thought debugging the posture element would be enough but when I look at the logs there is nothing there that relates to this message.
  Can anyone help?
  thanks
  Mario

  Firstly, I wouldn't run a production deployment of ISE on 1.1.1.... 1.1.3 Patch 1 or 1.1.4 is the way to go.
  Secondly, this error happen a lot, especially with Wireless, and it's not worth worrying about.  I've had a couple of TAC cases opened for this and some similar errors, generally they're caused by a Client going to sleep, leaving the coverage area or otherwise leaving the WLC while ISE is trying to do something with it.
  Only worry if you actually have a Client-impacting problem, which by the sounds of it, you don't.

• 5417 Dynamic Authorization failed

  Hi guys,
  Does anyone meet this Radius Error in Cisco ISE 1.2 and the switch 2960 12.2(55)SE7 ?
  When i reauthentication the guest profile to the other profile using Radius CoA on the Self-Service Guest Workflow.
  The error is :
  Event
  5417 Dynamic Authorization failed
  Failure Reason
  11103 RADIUS-Client encountered error during processing flow
  Resolution
  Do the following: 1) Verify shared secret matches on the ISE Server and corresponding AAA Client, External AAA Server or External RADIUS Token Server. 2) Check the AAA Client or External Server for hardware problems. 3) Check the network devices that connect the AAA peer to ISE for hardware problems. 4) Check whether the network device or AAA Client has any known RADIUS compatibility issues.
  Root cause
  RADIUS-Client encountered an error during processing flow
  I checked all the resolution steps but the error sitll exsit.
  I would greatly appreciate any help you can give me in working this problem

  An internal error has been detected during the processing of an incoming RADIUS packet. Make sure that the client device is compatible with AD Agent, has been configured properly, and is functioning properly. Make sure that the same RADIUS shared secret has been properly configured, both in the client device and in AD Agent.
  http://www.cisco.com/c/en/us/td/docs/security/ibf/setup_guide/ad_agent_setup_guide/ibf10_log_msgs.html

• Dynamic Authorization Failed: DiconnectNAK

  I have WLC 7.6 and ISE 1.2 Patch 6.
  My use case is WLAN Guest Access with CWA. I have ISE Appliance 3395 (2 Admin/Mon, 2 PSN). Everything work fine so far.
  But from time to time I get these strange message (it does not matter if I do a manual Session termination in the Operations Tab) Everything is configured in the right way, since normal CWA works (CoA is working fine, but not always...).
  Here the corresponding Log-Entry:
  0000001241 2 0 2014-02-28 11:11:37.241 +01:00 0000106595 5417 NOTICE Dynamic-Authorization: Dynamic Authorization failed, ConfigVersionId=53, Device IP Address=a.b.c.d, Device Port=42121, DestinationIPAddress=a.b.c.d, DestinationPort=1700, RadiusPacketType=DisconnectRequest, Protocol=Radius, RequestLatency=3, NetworkDeviceName=xx-WLC01, NAS-IP-Address=172.16.226.26, Calling-Station-ID=1C:AB:A7:96:7B:99, Acct-Session-Id=53105c2a/1c:ab:a7:96:7b:99/336136, Acct-Terminate-Cause=Admin Reset, Event-Timestamp=1393582297, cisco-av-pair=audit-session-id=ac10e21a00052f6953105f07, AcsSessionID=ise-04/182359788/9392, Step=11044, Step=11017, Step=11100, Step=11101, Step=11048, NetworkDeviceGroups=Location#All Locations#xx_VPN, NetworkDeviceGroups=Device Type#All Device Types#Wireless Devices#WLC Foreign, CPMSessionID=ac10e21a00052f6953105f07, EndPointMACAddress=1C-AB-A7-96-7B-99, Location=Location#All Locations#xx_VPN,
  Has anybody ever had the same expirence, or is this a know issue?
  Thanks for feedback!

  Please go through the link below for best practice.
  http://www.redelijkheid.com/blog/2013/4/2/cisco-ise-change-of-authorization-coa-not-working