Authorization failed with JAAS in JBOSS
Hi all,
I write my own login module class (WusLdapLoginModule) for my web app. I can authenticate my user with username and password. But I failed in authorizing my user with roles.
I believe that I missed something, please help me.
My web application runs on WinXP, JBoss 4.2.3 GA, OpenLdap 2.0.2.9
Here is my login module class:
package wus.identity.security;

import java.io.IOException;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import javax.security.auth.Subject;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import wus.identity.Role;
import wus.identity.User;
import wus.identity.dao.UserDAO;

public class WusLdapLoginModule implements LoginModule
{
    //properties
    private Subject subject;
    private CallbackHandler callbackHandler;
    private Map<String,?> sharedStates;
    private Map<String,?> options;
    private boolean loginOk;
    private User m_user;
    //====== DAO ====================
    private UserDAO m_userDao = new UserDAO();
    private static final Log log = LogFactory.getLog(WusLdapLoginModule.class);

    @Override
    public boolean commit() throws LoginException
    {
        int i;
        if(loginOk)
        {
            if(!subject.getPrincipals().contains(this.m_user))
                this.subject.getPrincipals().add(this.m_user);
            for(i=0;i<m_user.getRoles().size();i++)
                this.subject.getPrincipals().add(m_user.getRoles().get(i));
            AuthenticatedUser.setAuthenticatedUser(m_user);
        }
        return loginOk;
    }
    // ... (other LoginModule methods are not shown in the post)
}
Here is my Role class
package wus.identity;

import java.io.Serializable;
import java.security.Principal;

public class Role implements Principal, Serializable
{
    private static final long serialVersionUID = 10797L;
    //Properties
    private String name;
    private String note;

    public Role()
    {
        name = "";
    }

    @Override
    public String getName()
    {
        // TODO Auto-generated method stub
        return name;
    }
}
Here is a part of web.xml:
<security-constraint>
<web-resource-collection>
<web-resource-name>Secure Area</web-resource-name>
<url-pattern>/sa/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<!-- <role-name>user</role-name> -->
<role-name>user</role-name>
</auth-constraint>
</security-constraint>
<!-- end security constraints -->
<!-- Example Login page - lists user names -->
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/ua/login-example.jsf</form-login-page>
<form-error-page>/ua/login-example.jsf?error=true</form-error-page>
</form-login-config>
</login-config>
<security-role>
<role-name>admin</role-name>
</security-role>
<security-role>
<role-name>user</role-name>
</security-role>
Thanks in advance,
Vu
How is this question related to JSF?
Try a forum devoted to JAAS or JBoss, depending on the root cause of the problem.
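Where JBoss looks for role names, as an added example (not code from the post or from JBoss): JBoss's JAAS security manager takes the roles it matches against `<role-name>` from the members of a `java.security.acl.Group` principal named `Roles` inside the Subject, so role principals added directly to the Subject, as the posted commit() does, are not seen as roles. `NamedPrincipal`, `NamedGroup` and the helper methods are hypothetical names, the user and role values are constructed, and `java.security.acl` is only present up to JDK 13.

```java
import java.io.Serializable;
import java.security.Principal;
import java.security.acl.Group; // JDK 13 and earlier; JBoss 4.2.x runs on Java 5/6
import java.util.Arrays;
import java.util.Collections;
import java.util.Enumeration;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;
import javax.security.auth.Subject;

public class RolesGroupDemo {

    /** Simple named principal (hypothetical stand-in for the post's User and Role). */
    static class NamedPrincipal implements Principal, Serializable {
        private static final long serialVersionUID = 1L;
        private final String name;
        NamedPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o != null && o.getClass() == getClass()
                    && ((NamedPrincipal) o).name.equals(name);
        }
        @Override public int hashCode() { return name.hashCode(); }
    }

    /** Minimal Group: a principal that holds other principals. */
    static final class NamedGroup extends NamedPrincipal implements Group {
        private static final long serialVersionUID = 1L;
        private final Set<Principal> members = new LinkedHashSet<Principal>();
        NamedGroup(String name) { super(name); }
        public boolean addMember(Principal p) { return members.add(p); }
        public boolean removeMember(Principal p) { return members.remove(p); }
        public boolean isMember(Principal p) { return members.contains(p); }
        public Enumeration<? extends Principal> members() {
            return Collections.enumeration(members);
        }
    }

    /** Role names reachable through the Group named "Roles". */
    static Set<String> rolesInRolesGroup(Subject subject) {
        Set<String> roles = new TreeSet<String>();
        for (Group g : subject.getPrincipals(Group.class)) {
            if (!"Roles".equals(g.getName())) continue;
            for (Enumeration<? extends Principal> e = g.members(); e.hasMoreElements();) {
                roles.add(e.nextElement().getName());
            }
        }
        return roles;
    }

    /** Mirrors the posted commit(): user and roles are all added flat to the Subject. */
    static Subject flatCommit(String user, List<String> roleNames) {
        Subject s = new Subject();
        s.getPrincipals().add(new NamedPrincipal(user));
        for (String r : roleNames) s.getPrincipals().add(new NamedPrincipal(r));
        return s;
    }

    /** Same data, with the roles wrapped in a Group named "Roles". */
    static Subject groupedCommit(String user, List<String> roleNames) {
        Subject s = new Subject();
        s.getPrincipals().add(new NamedPrincipal(user));
        Group roles = new NamedGroup("Roles");
        for (String r : roleNames) roles.addMember(new NamedPrincipal(r));
        s.getPrincipals().add(roles);
        return s;
    }

    public static void main(String[] args) {
        List<String> ldapRoles = Arrays.asList("user"); // constructed sample data
        System.out.println("flat:    " + rolesInRolesGroup(flatCommit("vu", ldapRoles)));
        System.out.println("grouped: " + rolesInRolesGroup(groupedCommit("vu", ldapRoles)));
    }
}
```

On JBoss itself the bundled `org.jboss.security.SimpleGroup` and `org.jboss.security.SimplePrincipal` classes can take the place of the stand-ins above.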
Similar Messages
-
Has anyone managed to get Authorization working with JAAS from CusLoginMod?
Hi everybody,
I am on a standalone oc4j 10.1.3.1.0
I want to be able to access a private resource using form based authentication
and I would like to use JAAS from with a custom login module.
The authentication part works just fine but the authorization doesn't seem to happen.
Both login() and commit() from my LoginModule are called and after authentication takes place, the subject is populated with the right Principals, in my case "testers".
This Subject should then be matched against the <security-role> defined in my application's web.xml
This is the part from my application's web.xml which holds the security information.
<security-role>
<description>Online User</description>
<role-name>testers</role-name>
</security-role>
<security-constraint>
<web-resource-collection>
<web-resource-name>access to the private application</web-resource-name>
<url-pattern>/faces/user/*</url-pattern>
</web-resource-collection>
<!-- authorization -->
<auth-constraint>
<role-name>testers</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>protected.htm</form-login-page>
<form-error-page>error.jspx</form-error-page>
</form-login-config>
</login-config>
Has anyone faced this scenario before?
Any advice much appreciated
thank you.
I can't see what I am missing, if I'm missing something.
This is my orion-application.xml
<orion-application xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://xmlns.oracle.com/oracleas/schema/orion-application-10_0.xsd">
<jazn provider="XML" jaas-mode="doAsPrivileged" location="">
<property name="role.mapping.dynamic" value="true"></property>
<property name="custom.loginmodule.provider" value="true"></property>
</jazn>
<jazn-loginconfig>
<application>
<name>JAAS</name>
<login-modules>
<login-module>
<class>jaas.JAASLoginModule</class>
<!-- <class>jaas.SampleLoginModule</class> -->
<control-flag>required</control-flag>
<options>
<option>
<name>debug</name>
<value>true</value>
</option>
<option>
<name>log_level</name>
<value>ALL</value>
</option>
</options>
</login-module>
</login-modules>
</application>
</jazn-loginconfig>
</orion-application> -
Authorization fail with CATS Bapi's on InfoTypes
Hello all - when running BAPI_CATIMESHEETMGR_INSERT we are failing on Authorization - for example our profile doesn't have access to InfoType 0002 - however we cannot assign it directly as the user may also have PA20 etc. and we can't permit them to see data via online transactions - any solution would be greatly appreciated
If the BAPI is not..
No, other way around: if your z-table is not respected by the BAPI then an enhancement point might be?
Where did you add the z-table coding? It might be your own fault (just being honest).
Cheers,
Julius -
Authorization with JAAS in JSF with facelets
hi,
can u please hint me where i did mistake.. i clearly mention what i did and what i getting ..i did this in jsf1.2,tomcat6.x
i did JAAS authentication in jsf with facelets.but i am unable to do the authorization with JAAS in jsf
after getting authentication i put the subject in session. if i print the values in subject i got the following output
Subject:
Principal: TypedPrincipal: hari [USER] // user name
Principal: TypedPrincipal: admin [GROUP] // user role.
now i want to authorization based on the role.
for this i wrote policy file --principal.policy like this
grant Principal com.alw.reports.jaas.TypedPrincipal "admin" {
    permission com.alw.reports.jaas.ViewIdPermission "*";
};
grant Principal com.alw.reports.jaas.TypedPrincipal "hari" {
    permission com.alw.reports.jaas.ViewIdPermission "*";
};
grant Principal com.alw.reports.jaas.TypedPrincipal "user" {
    permission com.alw.reports.jaas.ViewIdPermission "/contents.jsp";
};
and i set the path for this policy file like
System.setProperty("java.security.policy", "policy file location" );
when i run my application i am getting login page after that i gave username and password. it is getting authentication .. but not able to displaying next page that is /pages/welcome.xhtml but directly it is showing /pages/error.xhtml
i am getting following error
java.security.AccessControlException: access denied (com.alw.reports.jaas.ViewIdPermission /pages/welcome.xhtml)
at java.security.AccessControlContext.checkPermission(Unknown Source)
at java.security.AccessController.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkPermission(Unknown Source)
at com.alw.reports.jaas.JAASHelper$1.run(JAASHelper.java:87)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Unknown Source)
at com.alw.reports.jaas.JAASHelper.permitionToAccessViewId(JAASHelper.java:83)
at com.alw.reports.jaas.JAASActionListener.processAction(JAASActionListener.java:65)
at javax.faces.component.UICommand.broadcast(UICommand.java:106)
at org.ajax4jsf.component.AjaxViewRoot.processEvents(AjaxViewRoot.java:184)
at org.ajax4jsf.component.AjaxViewRoot.broadcastEvents(AjaxViewRoot.java:162)
at org.ajax4jsf.component.AjaxViewRoot.processApplication(AjaxViewRoot.java:350)
at org.apache.myfaces.lifecycle.LifecycleImpl.invokeApplication(LifecycleImpl.java:316)
at org.apache.myfaces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:86)
at javax.faces.webapp.FacesServlet.service(FacesServlet.java:106)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.ajax4jsf.webapp.BaseXMLFilter.doXmlFilter(BaseXMLFilter.java:141)
at org.ajax4jsf.webapp.BaseFilter.doFilter(BaseFilter.java:281)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:263)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:584)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
at java.lang.Thread.run(Unknown Source)
my faces-config.xml
<navigation-rule>
<display-name>pages/login</display-name>
<from-view-id>/pages/login.xhtml</from-view-id>
<navigation-case>
<from-outcome>loginSuccess</from-outcome>
<to-view-id>/pages/welcome.xhtml</to-view-id>
</navigation-case>
</navigation-rule>
<navigation-case>
<from-outcome>errorpage</from-outcome>
<to-view-id>
/pages/error.xhtml
</to-view-id>
</navigation-case>
my command button in login.xhtml
<td align="center" colspan="2">
<h:commandButton value="Reset" type="reset"/>
<h:commandButton action="loginSuccess"
id="login" value="Login" />
</td>
my actionlister
package com.alw.reports.jaas;

import javax.faces.component.UIOutput;
import javax.faces.context.FacesContext;
import javax.faces.event.AbortProcessingException;
import javax.faces.event.ActionEvent;
import javax.faces.event.ActionListener;
import javax.security.auth.Subject;

public class JAASActionListener implements ActionListener {
    private ActionListener parent = null;

    public JAASActionListener(javax.faces.event.ActionListener parent) {
        System.out.println("-------------- in JAASActionListener ;");
        this.parent = parent;
    }

    public void processAction(ActionEvent event)
            throws AbortProcessingException {
        System.out.println("-------------- in processAction ;");
        FacesContext context = FacesContext.getCurrentInstance();
        UIOutput comp = null;
        String userid = null, password = null;
        JAASHelper jaasHelper = new JAASHelper();
        // Check to see if they are on the login page.
        boolean onLoginPage = (-1 != context.getViewRoot().getViewId().lastIndexOf("login")) ? true : false;
        if (onLoginPage) {
            if (null != (comp = (UIOutput)
                    context.getViewRoot().findComponent("helloForm:username"))) {
                userid = (String) comp.getValue();
            }
            if (null != (comp = (UIOutput)
                    context.getViewRoot().findComponent("helloForm:password"))) {
                password = (String) comp.getValue();
            }
            // If JAAS authentication failed
            if (!jaasHelper.authenticate(userid, password)) {
                context.getApplication().getNavigationHandler().handleNavigation(context, null, "login");
                return;
            }
            else {
                // Subject must not be null, since authentication succeeded
                System.out.println("----------- setting the subjects in context in ActionListner ");
                assert(null != jaasHelper.getSubject());
                // Put the authenticated subject in the session.
                System.out.println("---- putting the authenicated subject in the seesion ");
                context.getExternalContext().getSessionMap().put("JAASSubject",jaasHelper.getSubject());
            }
        }
        parent.processAction(event);
        Subject subject=(Subject)context.getExternalContext().getSessionMap().get("JAASSubject");
        System.out.println("subject after parent process action>>>>>>>>>>>>>>>>>>>>>"+subject);
        assert(null != subject);
        if(!jaasHelper.permitionToAccessViewId(subject,context,context.getViewRoot().getViewId())){
            context.getApplication().getNavigationHandler().handleNavigation(context, null, "errorpage");
        }
    }
}
can u please hint me where i did mistake
thanks in advance
gbabu wrote:
My doubt is based on that subject, how to write policy file and how to call doAsPrivileged() method on that Subject in order to navigate web pages. how to provide web pages permission for particular role in policy file..
For example i have three pages login.xhtml,user.xhtml,admin.xhtml.
1> if the logged in person is admin, then we want to display admin.xhtml
2> if the logged in person is user, then we want to display user.xhtml
until now i did and found who is logged in and what are his type( admin or user) .now i want configure the web.xml and faces-config.xml based on policy file
To the best of my knowledge, there is nothing in the standard NavigationHandler which accounts for JAAS security. If you wanted, you could create a custom NavigationHandler to do this. If you think the idea is worthy enough, you could issue an enhancement request to the specification ([https://javaserverfaces-spec-public.dev.java.net/]). -
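How a policy grant of `ViewIdPermission "*"` is matched against a check for `/pages/welcome.xhtml`, as an added example (not the poster's `ViewIdPermission` class, whose source is not on the page): the grant covers the view only if the permission's `implies()` treats `*` as a wildcard, because a permission that compares names for equality denies every concrete view id. Both permission classes and the `granted` helper are hypothetical.

```java
import java.security.Permission;
import java.security.Permissions;

public class ViewIdPermissionDemo {

    /** Hypothetical permission whose implies() only matches an identical view id. */
    static final class ExactViewIdPermission extends Permission {
        private static final long serialVersionUID = 1L;
        ExactViewIdPermission(String viewId) { super(viewId); }
        @Override public boolean implies(Permission p) { return equals(p); }
        @Override public boolean equals(Object o) {
            return o instanceof ExactViewIdPermission
                    && ((ExactViewIdPermission) o).getName().equals(getName());
        }
        @Override public int hashCode() { return getName().hashCode(); }
        @Override public String getActions() { return ""; }
    }

    /** Hypothetical permission: "*" covers every view, a trailing "/*" covers one folder. */
    static final class WildcardViewIdPermission extends Permission {
        private static final long serialVersionUID = 1L;
        WildcardViewIdPermission(String viewId) { super(viewId); }
        @Override public boolean implies(Permission p) {
            if (!(p instanceof WildcardViewIdPermission)) return false;
            String granted = getName();
            String requested = p.getName();
            if (granted.equals("*") || granted.equals(requested)) return true;
            // "/pages/*" covers everything that starts with "/pages/"
            return granted.endsWith("/*")
                    && requested.startsWith(granted.substring(0, granted.length() - 1));
        }
        @Override public boolean equals(Object o) {
            return o instanceof WildcardViewIdPermission
                    && ((WildcardViewIdPermission) o).getName().equals(getName());
        }
        @Override public int hashCode() { return getName().hashCode(); }
        @Override public String getActions() { return ""; }
    }

    /** Evaluates one grant the way a policy's permission collection does: via implies(). */
    static boolean granted(Permission grant, Permission request) {
        Permissions perms = new Permissions();
        perms.add(grant);
        return perms.implies(request);
    }

    public static void main(String[] args) {
        String view = "/pages/welcome.xhtml"; // view id from the stack trace above
        System.out.println("exact    \"*\"        -> " + granted(
                new ExactViewIdPermission("*"), new ExactViewIdPermission(view)));
        System.out.println("wildcard \"*\"        -> " + granted(
                new WildcardViewIdPermission("*"), new WildcardViewIdPermission(view)));
        System.out.println("wildcard \"/pages/*\" -> " + granted(
                new WildcardViewIdPermission("/pages/*"), new WildcardViewIdPermission(view)));
        System.out.println("wildcard \"/contents.jsp\" -> " + granted(
                new WildcardViewIdPermission("/contents.jsp"), new WildcardViewIdPermission(view)));
    }
}
```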
Dynamic Authorization Failed - Posture with Guest Portal - ISE - WLC
Hello everybody,
I'm implementing a NAC solution based on Cisco ISE. Unfortunately, I'm facing a problem related to the CoA (Change of Authorization).
The guest can authenticate successfully via portal and then he is redirected to the page of client provisioning.
When he is compliant with the policy he gets access without any problem and this means that CoA works perfectly. The issue occurs when he has to remediate (download the file from ISE and install it). In this case, we need a change of authorization profile.
The authentication logs show that the posture status changed from non-compliant to compliant but the user doesn't obtain access.
Here are details :
Authentication Details
Source Timestamp: 2015-04-30 18:43:13.179
Received Timestamp: 2015-04-30 18:43:13.18
Policy Server: ISE-CISCO
Event: 5417 Dynamic Authorization failed
Failure Reason: 11213 No response received from Network Access Device after sending a Dynamic Authorization request
Resolution: Check the connectivity between ISE and Network Access Device. Ensure that ISE is defined as Dynamic Authorization Client on Network Access Device and that CoA is supported on device.
Root cause: No response received from Network Access Device after sending a Dynamic Authorization request
Username:
User Type:
Endpoint Id: E0:9D:31:07:**:**
Endpoint Profile:
IP Address:
Identity Store:
Identity Group:
Audit Session Id: ca0019ac00000003ae674255
Authentication Method:
Authentication Protocol:
Service Type:
Network Device: WLC-1
Device Type:
Location:
NAS IP Address: 172.25.0.202
NAS Port Id:
NAS Port Type:
Authorization Profile:
Posture Status: Compliant
Security Group:
Response Time: 15002
Other Attributes
ConfigVersionId: 4
RadiusPacketType: CoARequest
Event-Timestamp: 1430415778
AcsSessionID: 50149c2f-08fb-4f9d-b1b5-f655e71d039f
StepLatency: 3=15001
Device IP Address: 172.25.0.202
CiscoAVPair: subscriber:command=reauthenticate
audit-session-id: ca0019ac00000003ae674255
Session Events
2015-04-30 18:43:13.18 Dynamic Authorization failed
2015-04-30 18:41:44.159 Dynamic Authorization failed
2015-04-30 18:35:42.64 Guest Authentication Passed
2015-04-30 18:34:39.214 RADIUS Accounting start request
You can use LWA for this. The WLC redirects the HTTP traffic to an internal or external server where the user is prompted to authenticate. The WLC then fetches the credentials (sent back via an HTTP GET request in the case of external server) and makes a RADIUS authentication. In the case of a guest user, an external server (such as Identity Service Engine (ISE) or NAC Guest Server (NGS)) is required as the portal provides features such as device registering and self-provisioning.
Refer to the following link for configuration example
http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml -
Creation of Space fails with the following error
SR- 3-6660108191
Ver-11.1.1.6
In the customer's production environment, when they attempt to create a space from WebCenter, they receive the following:
Creation of space SteveSpace4_11January2013 failed with errors : WCS#2013.01.11.08.47.28: Errors were encountered in creating space. The main error is - Unable to grant permission SteveSpace4_11January2013. You may want to delete the current space if it is visible in your lists. Contact the administrator if the problem persists.
In Spaces logs-
<Jan 11, 2013 9:44:37 AM CST> <Warning> <oracle.webcenter.spaces> <BEA-000000> <Ignorable Exception in Create GS
oracle.webcenter.spaces.operations.GroupSpaceOpsIgnorableException: Granting of Role Moderator partially succeeded for identity MCCORMICK.STEPHEN.J.1251888201-0001. Granting permissions for Discussions failed.
at oracle.webcenter.spaces.internal.model.operations.GroupSpaceOpsSecurityRoleMappingHandlerPlugin.duringCreateGroupSpace(GroupSpaceOpsSecurityRoleMappingHandlerPlugin.java:631)
at oracle.webcenter.spaces.internal.model.SpacesManagerImpl$2.run(SpacesManagerImpl.java:1414)
at oracle.webcenter.concurrent.RunnableTask.call(RunnableTask.java:44)
at oracle.webcenter.concurrent.Submission$2.run(Submission.java:484)
at java.security.AccessController.doPrivileged(Native Method)
at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:315)
at oracle.webcenter.concurrent.Submission.runAsPrivileged(Submission.java:498)
at oracle.webcenter.concurrent.Submission.run(Submission.java:424)
at oracle.webcenter.concurrent.Submission$SubmissionFutureTask.run(Submission.java:888)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:439)
at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303)
at java.util.concurrent.FutureTask.run(FutureTask.java:138)
at oracle.webcenter.concurrent.ModifiedThreadPoolExecutor$Worker.runTask(ModifiedThreadPoolExecutor.java:657)
at oracle.webcenter.concurrent.ModifiedThreadPoolExecutor$Worker.run(ModifiedThreadPoolExecutor.java:682)
at java.lang.Thread.run(Thread.java:662)
Caused By: oracle.webcenter.webcenterapp.security.WCSecurityRoleMappingException: Granting of Role Moderator partially succeeded for identity MCCORMICK.STEPHEN.J.1251888201-0001. Granting permissions for Discussions failed.
at oracle.webcenter.security.rolemapping.RoleManager.processServiceUsers(RoleManager.java:757)
at oracle.webcenter.security.rolemapping.RoleManager.processUsers(RoleManager.java:378)
Jan 11, 2013 9:44:37 AM CST> <Warning> <oracle.webcenter.spaces> <BEA-000000> <Exiting createGroupSpaceInternal>
<Jan 11, 2013 9:44:37 AM CST> <Error> <oracle.webcenter.spaces> <BEA-000000> <Creation of space SteveSpace7_11January2013 completed with warnings : WCS#2013.01.11.09.44.37: Space created with the following warning(s) : Issues were faced
while provisioning the service(s) - Announcements. Check the space services settings page if these services have been provisioned.>
<Jan 11, 2013 9:44:37 AM CST> <Error> <oracle.webcenter.spaces> <BEA-000000> <The exception occured during space creation for spaceName = SteveSpace7_11January2013due to =>
<Jan 11, 2013 9:44:37 AM CST> <Error> <oracle.webcenter.spaces> <BEA-000000> <
oracle.webcenter.spaces.SpacesException: Space created with the following warning(s) : Issues were faced while provisioning the service(s) - Announcements. Check the space services settings page if these services have been provisioned.
at oracle.webcenter.spaces.internal.model.SpacesManagerImpl.createGroupSpaceInternal(SpacesManagerImpl.java:1865)
at oracle.webcenter.spaces.internal.model.SpacesManagerImpl.access$200(SpacesManagerImpl.java:225)
at oracle.webcenter.spaces.internal.model.SpacesManagerImpl$1.run(SpacesManagerImpl.java:553)
at java.security.AccessController.doPrivileged(Native Method)
at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:259)
at oracle.security.jps.internal.jaas.AccActionExecutor.execute(AccActionExecutor.java:65)
at oracle.security.jps.internal.jaas.CascadeActionExecutor$SubjectPrivilegedAction.run(Cascade
In Diagnostic logs:
[2013-01-11T09:44:06.053-06:00] [WC_Spaces2] [WARNING] [] [oracle.webcenter.webcenterapp] [tid: pool-1-daemon-thread-4] [userId: MCCORMICK.STEPHEN.J.1251888201-0001] [ecid: 0000mii9Zr1Bt1G5uz4EyX00051O0005OU,0:1:3:290:26] [APP: webcenter#11.1.1.4.0] [URI: /webcenter/faces/oracle/webcenter/webcenterapp/view/pages/admin/WebCenterAdmin-Communities.jspx] grantRoleForRoleMappedServices : warning : serviceId :oracle.webcenter.collab.forum
[2013-01-11T09:44:06.058-06:00] [WC_Spaces2] [WARNING] [] [oracle.webcenter.webcenterapp] [tid: pool-1-daemon-thread-4] [userId: MCCORMICK.STEPHEN.J.1251888201-0001] [ecid: 0000mii9Zr1Bt1G5uz4EyX00051O0005OU,0:1:3:290:26] [APP: webcenter#11.1.1.4.0] [URI: /webcenter/faces/oracle/webcenter/webcenterapp/view/pages/admin/WebCenterAdmin-Communities.jspx] [[
oracle.webcenter.security.rolemapping.RoleMappingException: The Role Mapping provider encountered an exception while performing security role mapping for service oracle.webcenter.collab.forum.
at oracle.webcenter.security.rolemapping.RoleManager.processServiceUsers(RoleManager.java:757)
at oracle.webcenter.security.rolemapping.RoleManager.processUsers(RoleManager.java:378)
at oracle.webcenter.security.rolemapping.RoleManager.addUsers(RoleManager.java:243)
at oracle.webcenter.webcenterapp.internal.model.security.WCSecurityManagerImpl$5.run(WCSecurityManagerImpl.java:1313)
at oracle.webcenter.concurrent.RunnableTask.call(RunnableTask.java:44)
at oracle.webcenter.concurrent.Submission$2.run(Submission.java:484)
at java.security.AccessController.doPrivileged(Native Method)
at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:315)
at oracle.webcenter.concurrent.Submission.runAsPrivileged(Submission.java:498)
at oracle.webcenter.concurrent.Submission.run(Submission.java:424)
at oracle.webcenter.concurrent.Submission$SubmissionFutureTask.run(Submission.java:888)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:439)
at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303)
at java.util.concurrent.FutureTask.run(FutureTask.java:138)
at oracle.webcenter.concurrent.ModifiedThreadPoolExecutor$Worker.runTask(ModifiedThreadPoolExecutor.java:657)
at oracle.webcenter.concurrent.ModifiedThreadPoolExecutor$Worker.run(ModifiedThreadPoolExecutor.java:682)
at java.lang.Thread.run(Thread.java:662)
Caused by: oracle.webcenter.security.rolemapping.spi.RoleMappingSPIException: javax.xml.soap.SOAPException: javax.xml.soap.SOAPException: Bad response: 400 Bad Request
at oracle.webcenter.collab.share.security.DefaultRoleMapper.addUsers(DefaultRoleMapper.java:78)
This looks like the user doesn't have permissions to create the space, but even Admin user weblogic is also getting the same error.
Please may I know how to debug this and where to see for the permissions.
Thanks!!
Hi,
Please follow steps, may be your issue will be resolved.
Steps:
1.Create the Discussions administrator user using the DefaultAuthenticator provider as indicated here:
Oracle Fusion Middleware Administrator's Guide for Oracle WebCenter
11g Release 1 (11.1.1)
23 Managing Security
23.3.4.1 Migrating the WebCenter Discussions Server to use an External LDAP
The Discussions Administrator user must exist in the external LDAP and also you need to create the user using the DefaultAuthenticator provider in the embedded LDAP. The username in the embedded LDAP must match the username in the External LDAP.
Review all steps from the above section of the documentation to be sure you performed all the steps.
2.Grant WebCenter Spaces Administrator Role to the Discussions Administrator user as indicated here:
Oracle Fusion Middleware Administrator's Guide for Oracle WebCenter
23.3 Configuring the Identity Store
23.3.5 Granting the WebCenter Spaces Administrator Role to a WebCenter Spaces User
23.3.5.1 Granting the WebCenter Spaces Administrator Role Using Fusion Middleware Control
3.Restart the WLS_Spaces and WLS_Services Managed Servers.
If this helps please mark.
Regards,
Kishore -
ISE 1.2 - Dynamic Authorization Failed
Hello!
In my design network I use the ISE for CWA with a WLC, but when a client enters his credentials, the CoA fails with this error: "11213 No response received from Network Access Device after sending a Dynamic Authorization request"
This error is really strange because I can contact the ISE from the WLC. My ISE, and my broadcasted network are in the same VLAN, is it possible that this error comes from this network architecture?
My ISE is patched with the cumulative patch 7 and for information, I can do a "manual CoA" by disconnecting/reconnecting the client manually and after that the client has a network access.
Used configuration for ISE and WLC : http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116087-configure-cwa-wlc-ise-00.html
Thanks in advance if you have the least clue to resolve this issue.
Kévin
I will perform some additional testing and let you know my results. I have this setup in the lab now with ISE 1.2 Patch 7 as well.... Since I only have a couple of PC's in the lab, I've noticed that I am unable to terminate the users session manually. So I usually end up stopping and restarting the services. This is how i clear my live sessions.
Is your setup in a Lab or Production? If its in a lab can you restart ISE and your WLC. I know when I first did my "debug client <mac>" My airespace ACL was showing the incorrect ACL ID. After a reboot of ISE and recreating my WLC ACL it went away. I haven't noticed my service IP ever showing up in ISE. I usually see the users MAC address then a [email protected] "User Authentication" with his IP. Next its the WLC MNGT Interface and finally the User Authorization again show Authz Internet-Only.
My lab does not always function 100% so I am hoping after we go Live this weekend, these flaky issues go away. One of my problems is I don't have internet access. Just a web server hosting a web page. I'll keep notes on anything I find that hopefully assist you. -
Java Applet in a HTML page: failing with PLS-00306: wrong number of args
We are trying to use a Java Applet in a HTML page. as our system needs to be able to retrieve a predefined set of data from a third party system that uses Dynamic Data Exchange Protocol (DDE) and are encountering errors from APEX and in IE itself.
We are using JavaDde from www.nevaobject.com that enables our Java applet to interact with Windows applications (Third Party System) using DDE.
This functionality is currently used in our Web Form 6i application and we are trying to use the same in the new ApEx application.
We are using ApEx version : 2.1 and actually are encountering 2 problems:
Problem 1: ApEx failing with PLS-00306: wrong number or types of arguments in call to 'ACCEPT'
Problem 2: IE crashes if Applet used in a complex page with several regions (1 Context, 4 Report Regions, 2 level Tabs, Links)
This problem does not occur in the page where there is only applet and one region. In the case of complex page the IE crashes if the page is reloaded
Test scenario:
1- Create a simple page with the HTML region.
2- Define the Source of the above region as follows
<OBJECT CLASSID="clsid:8AD9C840-044E-11D1-B3E9-00805F499D93"
CODEBASE="http://java.sun.com/products/plugin/autodl/jinstall-1_4-windows-i586.cab#version=1,4,0,0"
WIDTH="1"
HEIGHT="1"
ID="simpleApplet"
NAME="simpleApplet">
<PARAM NAME="code" VALUE="simpleApplet.class" >
<PARAM NAME="archive" VALUE="simpleApplet.jar" />
<PARAM NAME="type" VALUE="application/x-java-applet;version=1.4">
</OBJECT>
3- Create a simple Java applet "simpleApplet" - for the test it's enough if the applet will have just the init method printing out the message to the console
4- Create a Submit Button (not redirect) in Region Header and create unconditional (do not set When Button Pressed property) Page Branch to navigate to another page (the page without the applet)
6- Run the page and Submit -
The error below is returned by the engine:
In our case our applet is called ddeApplet - I do not know why is ApEx passing the Applet's ID down to the wwv_flow.accept method as a parameter
Tue, 24 Jul 2007 08:15:39 GMT
ORA-06550: line 7, column 2:
PLS-00306: wrong number or types of arguments in call to 'ACCEPT'
ORA-06550: line 7, column 2:
PL/SQL: Statement ignored
DAD name: rbdev2_ax
PROCEDURE : wwv_flow.accept
URL : http://castor:7778/pls/rbdev2_ax/wwv_flow.accept
PARAMETERS :
============
P_FLOW_ID: 147
P_FLOW_STEP_ID: 500
P_INSTANCE: 6986070096861669560
P_PAGE_SUBMISSION_ID: 1005758
P_REQUEST: CRASH
P_ARG_NAMES: 100380029717786501
P_T01: 147
P_T02: 101
P_T03: 5000044
P_T04: 1
P_T05: S
DDEAPPLET: Ddeapplet[panel0,0,0,1x1,layout=java.awt.BorderLayout,rootPane=javax.swing.JRootPane[,0,0,1x1,layout=javax.swing.JRootPane$RootLayout,alignmentX=null,alignmentY=null,border=,flags=385,maximumSize=,minimumSize=,preferredSize=],rootPaneCheckingEnabled=true]
P_MD5_CHECKSUM:
ENVIRONMENT:
============
PLSQL_GATEWAY=WebDb
GATEWAY_IVERSION=2
SERVER_SOFTWARE=Oracle HTTP Server Powered by Apache/1.3.19 (Unix) mod_fastcgi/2.2.10 mod_perl/1.25 mod_oprocmgr/1.0
GATEWAY_INTERFACE=CGI/1.1
SERVER_PORT=7778
SERVER_NAME=castor
REQUEST_METHOD=POST
QUERY_STRING=
PATH_INFO=/pls/rbdev2_ax/wwv_flow.accept
SCRIPT_NAME=/pls
REMOTE_HOST=
REMOTE_ADDR=192.168.66.169
SERVER_PROTOCOL=HTTP/1.1
REQUEST_PROTOCOL=HTTP
REMOTE_USER=
HTTP_CONTENT_LENGTH=661
HTTP_CONTENT_TYPE=application/x-www-form-urlencoded
HTTP_USER_AGENT=Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP_HOST=castor:7778
HTTP_ACCEPT=image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, application/x-shockwave-flash, */*
HTTP_ACCEPT_ENCODING=gzip, deflate
HTTP_ACCEPT_LANGUAGE=en-us
HTTP_ACCEPT_CHARSET=
HTTP_COOKIE=ISCOOKIE=true; LOGIN_USERNAME_COOKIE=rdanko; ORACLE_PLATFORM_REMEMBER_UN=RDANKO:ngrb; WWV_FLOW_USER2=70FBB00945FE46B9; V6_AUTHENTICATION_COOKIE=70FBB00945FE46B9
Authorization=
HTTP_IF_MODIFIED_SINCE=
HTTP_REFERER=http://castor:7778/pls/rbdev2_ax/f?p=147:500:6986070096861669560:::::
HTTP_SOAPACTION="theArrow",
It looks like whatever HTML you're including on your page is creating HTML input form elements inside the HTML form "wwv_flow". This form is posted to wwv_flow.accept, and of course, the PL/SQL procedure wwv_flow.accept doesn't know anything about these additional arguments/form elements you're attempting to POST.
Joel -
Authorization failed when trying to connect Hyperion to BW 7.0
Hello gurus,
Using Hyperion interactive Reporting Studio, I try to access BW cubes.
I select OLE DB as connection type and SAP BW OLE DB provider, I am prompted for a BW system to connect to.
I then get the following error message:
OLE Error: 80040e4d
Error Source: MDrmSAP.2
Error Desciption: Authorization failed.
Using the same BW provider and the same BW user, I am able to connect from Excel.
So I wonder what the problem is.
Help really appreciated.
Alex-
Hi Ingo,
I do not get any error while using the Universe Designer, I get this error when trying to connect a SAP BW related universe in Crystal Reports. There is no problem at all with WebIntelligence by the way. It is possible to connect a SAP BW related universe in WebIntelligence.
I use BO XI 3.0 with Crystal Reports 2008 and the SAP Integrations Kit client components are installed on the client machine.
Nevertheless the BO Enterprise system is not configured with SAP Authentication, but with its own authentication.
Best Regards,
Thomas -
Error http the request failed with http status 401: unauthorized
Hi,
We are currently developing a Web Part for a dashboard that connects from SharePoint 2010 to Project Server, we are trying to connect via the PSI web service and fetch the project data but it is giving the same error "The request failed with HTTP status 401: Unauthorized". We are having a huge issue with gaining authorization through the PSI and cannot figure out what the problem is. We are using Project Server 2010, SharePoint 2010 and Visual Studio 2010.
The person developing this has administrative rights on both servers and it is running on his account. However, this is his first experience with Project Server. Could someone provide some guidance?
Does anyone have any suggestions?
Thanks,
Aba
Hi,
Have the credentials been set for the web service? Or are you trying to pass the credentials of the user accessing the webpart? In the second case, the user must have permissions in Project Server.
It would be useful if you can share the part of the code that fails.
Paul -
Hello Guru,
I am trying to call a supplier service from SOA/OSB.
But while calling the service it is failing with the below error message
access denied (oracle.wsm.security.WSFunctionPermission http://xmlns.oracle.com/apps/prc/poz/suppliers/supplierService/SupplierService#getSupplierVO invoke)
As per OER cookbook I have attached the "oracle/wss_username_token_client_policy" to the Fusion apps web service.
I am trying to pass security credentials to the service by using all the methods (through composite, through BPEL, through wsse header) but in all cases I am getting a similar error.
Please let me know if someone has called the Fusion apps web service to create a supplier or has a solution to my problem as mentioned above.
Hi Sai,
Thanks for the quick and correct response. Yes, after doing the research, I also came to the same conclusion. But what stops me here is where exactly I need to check for this permission.
I mean the theory that I built on this Authorization/Permission is that:
For the resource - WebService (SupplierService), there is an assigned application role for which the Entitlement/Permission is provided.
Pls. help me with the below items:
a. What is the application role (in role hierarchy) assigned to this resource (Webservice)? Which page do I need to check (navigation) for this, and with which credentials?
b. What is the Entitlement provided for this application role for this operation (getSupplierVO) invoke? Which page do I need to check (navigation) for this, and with which credentials?
Thanks in Advance.
Thanks & Regards
Madhu -
Hi Gurus,
I started testing this web service from EM (Test Web Service).
But while calling the service it is failing with the below error message
access denied (oracle.wsm.security.WSFunctionPermission http://xmlns.oracle.com/apps/prc/poz/suppliers/supplierService/SupplierService#getSupplierVO invoke)
As per OER cookbook I have attached the "oracle/wss_username_token_client_policy" to the Fusion apps web service.
I am trying to pass security credentials to the service by using all the methods (through composite, through BPEL, through wsse header) but in all cases I am getting a similar error.
Please let me know if someone has called the Fusion apps web service to create a supplier or has a solution to my problem as mentioned above.
Is it any policy error or the authorization error ...
Are there any navigation steps I can check the existed permission on this resource etc..,
Thanks in Advance
ISE Alarm (WARNING): Dynamic Authorization Failed for Device
Hi all,
I am posting this discussion as previous posts that I have found in this forum have never been resolved or the resolution is not applicable to me.
I am using ISE 1.1.1.268 and WLC 7.2.111.3 and NAC agent version 4.9.1.6 on Windows 7 Client machines.
About once a day I get the error "ISE Alarm (WARNING): Dynamic Authorization Failed for Device".
The device it is referring to is my NAD, a WLC 5508 running 7.2.111.3
I have looked at the logs and I cannot see anything in the logs which corresponds to this message so that I can troubleshoot further. Maybe I can if I am enabling the correct logging level on the correct ISE component.
Can someone suggest the components and the logging level that I should set to get some more detail about this error?
At the moment, I have only set debug logging on Active Directory. I have TRACE logging set on Posture, Runtime AAA & prrt-JNI.
I do not want to enable too much debug logs, so I was wondering whether anyone can help with a specific element that I should be debugging.
I thought debugging the posture element would be enough but when I look at the logs there is nothing there that relates to this message.
Can anyone help?
thanks
Mario
Firstly, I wouldn't run a production deployment of ISE on 1.1.1.... 1.1.3 Patch 1 or 1.1.4 is the way to go.
Secondly, this error happens a lot, especially with Wireless, and it's not worth worrying about. I've had a couple of TAC cases opened for this and some similar errors, generally they're caused by a Client going to sleep, leaving the coverage area or otherwise leaving the WLC while ISE is trying to do something with it.
Only worry if you actually have a Client-impacting problem, which by the sounds of it, you don't. -
5417 Dynamic Authorization failed
Hi guys,
Has anyone met this Radius error in Cisco ISE 1.2 and the switch 2960 12.2(55)SE7?
When I reauthenticate the guest profile to the other profile using Radius CoA on the Self-Service Guest Workflow, the error is:
Event
5417 Dynamic Authorization failed
Failure Reason
11103 RADIUS-Client encountered error during processing flow
Resolution
Do the following: 1) Verify shared secret matches on the ISE Server and corresponding AAA Client, External AAA Server or External RADIUS Token Server. 2) Check the AAA Client or External Server for hardware problems. 3) Check the network devices that connect the AAA peer to ISE for hardware problems. 4) Check whether the network device or AAA Client has any known RADIUS compatibility issues.
Root cause
RADIUS-Client encountered an error during processing flow
I checked all the resolution steps but the error still exists.
I would greatly appreciate any help you can give me in working this problem.
An internal error has been detected during the processing of an incoming RADIUS packet. Make sure that the client device is compatible with AD Agent, has been configured properly, and is functioning properly. Make sure that the same RADIUS shared secret has been properly configured, both in the client device and in AD Agent.
http://www.cisco.com/c/en/us/td/docs/security/ibf/setup_guide/ad_agent_setup_guide/ibf10_log_msgs.html -
Dynamic Authorization Failed: DiconnectNAK
I have WLC 7.6 and ISE 1.2 Patch 6.
My use case is WLAN Guest Access with CWA. I have ISE Appliance 3395 (2 Admin/Mon, 2 PSN). Everything work fine so far.
But from time to time I get this strange message (it does not matter if I do a manual Session termination in the Operations Tab). Everything is configured in the right way, since normal CWA works (CoA is working fine, but not always...).
Here the corresponding Log-Entry:
0000001241 2 0 2014-02-28 11:11:37.241 +01:00 0000106595 5417 NOTICE Dynamic-Authorization: Dynamic Authorization failed, ConfigVersionId=53, Device IP Address=a.b.c.d, Device Port=42121, DestinationIPAddress=a.b.c.d, DestinationPort=1700, RadiusPacketType=DisconnectRequest, Protocol=Radius, RequestLatency=3, NetworkDeviceName=xx-WLC01, NAS-IP-Address=172.16.226.26, Calling-Station-ID=1C:AB:A7:96:7B:99, Acct-Session-Id=53105c2a/1c:ab:a7:96:7b:99/336136, Acct-Terminate-Cause=Admin Reset, Event-Timestamp=1393582297, cisco-av-pair=audit-session-id=ac10e21a00052f6953105f07, AcsSessionID=ise-04/182359788/9392, Step=11044, Step=11017, Step=11100, Step=11101, Step=11048, NetworkDeviceGroups=Location#All Locations#xx_VPN, NetworkDeviceGroups=Device Type#All Device Types#Wireless Devices#WLC Foreign, CPMSessionID=ac10e21a00052f6953105f07, EndPointMACAddress=1C-AB-A7-96-7B-99, Location=Location#All Locations#xx_VPN,
Has anybody ever had the same experience, or is this a known issue?
Thanks for feedback!
Please go through the link below for best practice.
http://www.redelijkheid.com/blog/2013/4/2/cisco-ise-change-of-authorization-coa-not-working
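A triage sketch for log entries like the one quoted in the post above, added here as an example and not taken from the original posts or from any Cisco tooling: it parses 5417 entries and counts failures per network device and per endpoint, which shows whether they cluster on one WLC or on one client. The sample lines are constructed, and the header layout is inferred from the quoted entry.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the entry quoted in the post above;
# device names, MAC and IP addresses and session ids are made up.
SAMPLE_LOG = """\
0000001241 2 0 2014-02-28 11:11:37.241 +01:00 0000106595 5417 NOTICE Dynamic-Authorization: Dynamic Authorization failed, ConfigVersionId=53, Device IP Address=192.0.2.10, DestinationPort=1700, RadiusPacketType=DisconnectRequest, NetworkDeviceName=example-WLC01, Calling-Station-ID=00:00:5E:00:53:01, cisco-av-pair=audit-session-id=c000020a0000000153105f07, Step=11044, Step=11017, Step=11100,
0000001242 2 0 2014-02-28 11:14:02.118 +01:00 0000106611 5417 NOTICE Dynamic-Authorization: Dynamic Authorization failed, ConfigVersionId=53, Device IP Address=192.0.2.10, DestinationPort=1700, RadiusPacketType=DisconnectRequest, NetworkDeviceName=example-WLC01, Calling-Station-ID=00-00-5e-00-53-02, Step=11044,
0000001243 2 0 2014-02-28 11:20:45.530 +01:00 0000106640 5417 NOTICE Dynamic-Authorization: Dynamic Authorization failed, ConfigVersionId=53, Device IP Address=192.0.2.20, DestinationPort=1700, RadiusPacketType=DisconnectRequest, NetworkDeviceName=example-WLC02, Calling-Station-ID=00:00:5E:00:53:01, Step=11044,
0000001244 1 0 2014-02-28 11:21:09.004 +01:00 0000106652 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=53, NetworkDeviceName=example-WLC01, Calling-Station-ID=00:00:5E:00:53:03,
"""

# Header layout inferred from the quoted entry (an assumption): timestamp,
# a numeric field, message code, severity, category, then the attributes.
HEADER = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{2}:\d{2}) "
    r"\d+ (?P<code>\d+) (?P<severity>\w+) (?P<category>[\w-]+): (?P<rest>.*)")

def parse_entry(line):
    """Return code, message and attributes of one log line, or None."""
    m = HEADER.search(line)
    if m is None:
        return None
    message, *pairs = m.group("rest").rstrip(", ").split(", ")
    fields = {}
    for pair in pairs:
        # Split on the first '=' only: cisco-av-pair values contain '='.
        key, sep, value = pair.partition("=")
        if sep:
            # Step and NetworkDeviceGroups repeat, so keep every value.
            fields.setdefault(key.strip(), []).append(value.strip())
    return {"ts": m.group("ts"), "code": m.group("code"),
            "message": message, "fields": fields}

def summarize_coa_failures(text):
    """Count 5417 events per (device, packet type) and per endpoint MAC."""
    by_device, by_endpoint = Counter(), Counter()
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry is None or entry["code"] != "5417":
            continue
        f = entry["fields"]
        device = f.get("NetworkDeviceName", ["unknown"])[0]
        packet = f.get("RadiusPacketType", ["unknown"])[0]
        mac = f.get("Calling-Station-ID", ["unknown"])[0]
        by_device[(device, packet)] += 1
        # The log mixes ':' and '-' separators, so normalise before counting.
        by_endpoint[mac.upper().replace("-", ":")] += 1
    return by_device, by_endpoint
```

Calling `summarize_coa_failures(SAMPLE_LOG)` returns two counters; a single device or MAC dominating either one points at that NAD or client rather than at the ISE configuration as a whole.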