Custom Policy vs. J2EE Security

Hi there, Java Security architecture gurus,
I am currently trying to find the best architecture for the new security framework for our company's application. The system requires instance based security. ACLs are stored in a database. JAAS's authentication is just fine, but its file based authorization is not sufficient for our needs. Access rights change during runtime and they should not be refreshed that inefficient way with Policy.refresh().
The solution I would like to establish should cope with changing environments without the need to change the code that is using security checks. E.g. the app should be able to run as a stand-alone application or within J2EE application servers or servlet engines.
I have looked at the Java 2 Security API and found out that implementing a customized version of the JAAS Policy class can be one approach. A good benefit is the tight integration with the Java Security framework and that it not necessary to reimplement things like the AccessController and privileged actions.
Now, I have the following questions:
- Is the custom Policy a common solution when the application is deployed on a J2EE appserver?
- Is it possible to delegate permission checking of the system permissions (FilePermission, PropertyPermission, etc.) to the original Policy implementation? I would not really want to have to include all of these in the database table.
The alternative approach would probably be J2EE security with the cost of restricting the app to the J2EE environment. To me it seems to be impossible to implement instance based security with role based descriptive J2EE security. With programatic EJB security, I would need to make isPrincipalInRole() completely dynamic to support it.
I looked through the forum for quite a while without success but if you already discussed this topic I would really appreciate a pointer.
Thanks,
Christoph

Chris,
There is a very good article from IBM that implements the same thing you are trying to implement i.e. instance base security and also custom Policy(u may need this).
http://www-106.ibm.com/developerworks/library/j-jaas/?n-j-442
Now, I have the following questions:
- Is the custom Policy a common solution when the application is deployed on a J2EE appserver?
Custom policy is required primarily if you are going away from the default policy format that sun recommends. If you want to read your permissions from a database you may need to implement a custom Policy class.
- Is it possible to delegate permission checking of the system permissions (FilePermission, PropertyPermission, etc.) to the original Policy implementation? I would not really want to have to include all of these in the database table.
This is recommended by Sun. You may have to delegate the Permission checks that you know you cannot handle to default policy class.
In your CustomPolicy.java getPermissions() method, the following code will code to the end of the function
// If the permission is not found here then delegate it
// to the standard java Policy class instance.
java.security.Policy policy = java.security.Policy.getPolicy();
return policy.getPermissions(codeSource);
Hope this helps.

Similar Messages

Custom Policy Step and the WS-Security header attibute "mustUnderstand"

Hi there,
I have some issues testing the custom policy step that comes with OWSM (CustomAuthenticationStep), which i describe next.
I manage to compile/deploy the custom step successfully. I also restart the server and add the brand new step into the request pipeline. The pipeline only has two steps, a log step and a custom authentication step.
I develop a client for the gateway service which use the "Username to Authenticate" option of the Proxy Security. The other options (inbound/outbound integrity/encryption) are all unchecked.
When I test the client, the following SOAP message is produced:
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:ns0="http://agesic.entidad/types/"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<env:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"
env:mustUnderstand="1">
<wsse:UsernameToken xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:Username>test</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">test</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
</env:Header>
<env:Body>
<ns0:reverseElement>
<ns0:aString>Holas!</ns0:aString>
</ns0:reverseElement>
</env:Body>
</env:Envelope>
Which looks just fine. However I get the following exception:
javax.xml.rpc.soap.SOAPFaultException: SOAP must understand error: {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security
 at oracle.j2ee.ws.client.StreamingSender._raiseFault(StreamingSender.java:568)
 at oracle.j2ee.ws.client.StreamingSender._sendImpl(StreamingSender.java:396)
 at oracle.j2ee.ws.client.StreamingSender._send(StreamingSender.java:112)
 at agesic.cliente.gateway.proxy.runtime.EchoReverseSoapHttp_Stub.reverse(EchoReverseSoapHttp_Stub.java:78)
 at agesic.cliente.gateway.proxy.EchoReverseSoapHttpPortClient.reverse(EchoReverseSoapHttpPortClient.java:44)
 at agesic.cliente.gateway.proxy.EchoReverseSoapHttpPortClient.main(EchoReverseSoapHttpPortClient.java:33)
If i look at the log produced by the custom step, it looks like the step was successfully passed.
********** Entering Custom Authentication execute method **********
Processing stage is Request
Request SOAP message is <?xml version="1.0" encoding="UTF-8"?>
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="h
ttp://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-ins
tance" xmlns:ns0="http://agesic.entidad/types/" xmlns:wsu="http://docs.oasis-ope
n.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><env:Header><wsse
:Security env:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004
/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns="http://docs.oasis-open.or
g/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:env="http://sche
mas.xmlsoap.org/soap/envelope/"><wsse:UsernameToken xmlns:wsse="http://docs.oasi
s-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns="http:/
/docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><ws
se:Username>test</wsse:Username><wsse:Password Type="http://docs.oasis-open.org/
wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">test</wsse
:Password></wsse:UsernameToken></wsse:Security></env:Header><env:Body><ns0:rever
seElement><ns0:aString>Holas!</ns0:aString></ns0:reverseElement></env:Body></env
:Envelope>
User locale is English
Client ip address is rhel4.tecinfo.com.uy:7777
Verified user is test
The problems is with the mustUnderstand attribute. It looks like no step tells the OWSM that he understands the header, so the OWSM pass through the pipeline and when it ends it thinks that that header was not processed properly.
I try to find documentation on this issue but I didn't find any.
Any ideas? Is there any way to specify that the step actually understands the ws-security header?
Thanks!
Leo

Ok. Thanks. The problem here is a little bit different. At the client side, we have the following:
<?xml version="1.0" encoding="UTF-8"?>
<oracle-webservice-clients xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance' xsi:noNamespaceSchemaLocation='http://xmlns.oracle.com/oracleas/schema/oracle-webservices-client-10_0.xsd'>
<webservice-client>
<service-qname namespaceURI="http://agesic.entidad/" localpart="EchoReverse"/>
<port-info>
<wsdl-port namespaceURI="http://agesic.entidad/" localpart="EchoReverseSoapHttpPort"/>
<runtime enabled="security">
<security>
<inbound/>
<outbound>
<username-token password-type="PLAINTEXT" add-nonce="false" add-created="false"/>
</outbound>
</security>
</runtime>
<operations>
<operation name='reverse'>
</operation>
</operations>
</port-info>
</webservice-client>
</oracle-webservice-clients>
The <outbound> here is requered in order to use the WSS UserName token profile. I try to remove the <inbound/> to check if it was a problem like yours, but we still have the same exception.
The problem seems to be with the gateway at the server side.
Intercepting the communication between the client and the server, we are getting the following response:
<?xml version="1.0" encoding="UTF-8"?>
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:ns0="http://agesic.entidad/types/">
<env:Body>
<env:Fault>
<faultcode>env:MustUnderstand</faultcode>
<faultstring>SOAP must understand error:
{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security</faultstring>
</env:Fault>
</env:Body>
</env:Envelope>
We need a way to instruct the gateway that he actually understands the wss header.
Any ideas?
Thanks!
Leo

Error while invoking webservice attached with custom policy

I created a webservice in SOA 11g and attached a custom policy which is doing encryption(message protection) to its exposed service endpoint .This web service runs fine if i run it independently. Then i created a simple SOA process and call this web service.Then i am getting Fabric Invocation Exception.Can anyone tell me what can be the problem?

I want to do the encyrpton only in secured webservice. I just want to invoke that web service from another process. In this case which policy can i attach in the reference of the SOA process which is calling secured web service?

Retrieve Client IP Address in a Oracle WebServices Manager Custom Policy

Hi everybody,
For some reasons i had to implement a custom policy in the OWSM, to restrict the access to webservices by Client IP Addresses. I´ve been following the examples for custom policies mentioned in the books: "Oracle Web Services Manager, Oracle Web Services Manager" by Sitaraman Lakshminarayanan, and the "Oracle® Web Services Manager Extensibility Guide 10g (10.1.3.3.0)" by Oracle. I followed the examples mentioned in those books to implement my Custom policy, the policy is successfully deployed to OWSM and it works, only by the issue that when i want to retrieve the Client Ip address it returns null, and following the example by the Oracle Guide, the HttpServletRequest its also returns null, im desperated because in every site that i finally find some info about it, quotes any of these 2 examples in those books, and mine doesnt work! this is the code of the custom policy, i´ve combined the 2 aproaches:
package project1;
import com.cfluent.ccore.util.logging.ILogger;
import com.cfluent.ccore.util.logging.Level;
import com.cfluent.ccore.util.logging.LogManager;
import com.cfluent.pipelineengine.container.MessageContext;
import com.cfluent.policysteps.sdk.AbstractStep;
import com.cfluent.policysteps.sdk.Fault;
import com.cfluent.policysteps.sdk.IMessageContext;
import com.cfluent.policysteps.sdk.IResult;
import com.cfluent.policysteps.sdk.InvocationStatus;
import com.cfluent.policysteps.sdk.Result;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Vector;
import javax.servlet.http.HttpServletRequest;
public class CustomPolicy extends AbstractStep {
private static String CLASSNAME = CustomPolicy.class.getName();
private static ILogger LOGGER = LogManager.getLogger(CLASSNAME);
private String allowedIpAddress = null;
private String allowedRoleName = null;
private String protectedServiceMethodName = null;
public CustomPolicy() {
public void init() throws IllegalStateException {
// nothing to initialize
public void destroy() {
* This is the main method which will validate that the request is coming from
* the correct IP Address and has permission to access the specified metod.
public IResult execute(IMessageContext messageContext) throws Fault {
LOGGER.entering(CLASSNAME, "execute");
Result result = new Result();
result.setStatus(IResult.FAILED); //initialize result
String processingStage = messageContext.getProcessingStage();
LOGGER.log(Level.INFO, "Processing stage is " + processingStage);
HttpServletRequest httpServletRequest = (HttpServletRequest)
messageContext.getProperty("javax.servlet.request");
String remoteAddr = httpServletRequest.getHeader("Host");
LOGGER.log(Level.SEVERE, "Dir IP:"+remoteAddr);
String remoteHost = httpServletRequest.getRemoteHost();
LOGGER.log(Level.INFO, "ADDR" + remoteAddr+ "HOST"+remoteHost);
boolean isRequest =
(IMessageContext.STAGE_REQUEST.equals(messageContext.getProcessingStage()) ||
IMessageContext.STAGE_PREREQUEST.equals(messageContext.getProcessingStage()));
//Execute the step Only when its a Request pipeline else return success
if (!isRequest) {
result.setStatus(IResult.SUCCEEDED);
return result;
MessageContext msgCtxt = (MessageContext)messageContext;
String _MethodName = msgCtxt.getRequest().getMethodName();
LOGGER.log(Level.INFO,
"Writing Allowed IP Addr before creating SOAP header " +
allowedIpAddress);
LOGGER.log(Level.INFO,
"Writing Remote IP Addr before creating SOAP header " +
msgCtxt.getRemoteAddr());
/*LOGGER.log(Level.INFO,
"Writing Remote IP Addr before creating SOAP header " +
remoteAddr);*/
String cadTempo = allowedIpAddress;
Vector vect = new Vector();
for (int i = 0; i < allowedIpAddress.length(); i++) {
if (cadTempo.indexOf(",") != -1) {
//vect.add(cadTempo.substring(0, cadTempo.indexOf(",") - 1));
vect.add(cadTempo.substring(0, cadTempo.indexOf(",")));
cadTempo =
cadTempo.substring(cadTempo.indexOf(",") + 1, cadTempo.length());
LOGGER.log(Level.INFO,
"AQUI111");
} else {
if (!cadTempo.equalsIgnoreCase("")) {
vect.add(cadTempo);
LOGGER.log(Level.INFO,
"AQUI222");
break;
for(int i=0;i<vect.size();i++){
String temp = (String)vect.get(i);
if (temp.equals(msgCtxt.getRemoteAddr()) &&
_MethodName.equals(protectedServiceMethodName)) {
LOGGER.log(Level.INFO,
"AQUI333");
result.setStatus(IResult.SUCCEEDED);
break;
} else {
msgCtxt.getInvocationStatus().setAuthorizationStatus(InvocationStatus.FAILED);
LOGGER.log(Level.INFO,
"AQUI444");
/*if(allowedIpAddress!=null){
result.setStatus(IResult.SUCCEEDED);
/*if (allowedIpAddress.equals(msgCtxt.getRemoteAddr()) &&
_MethodName.equals(protectedServiceMethodName)) {
result.setStatus(IResult.SUCCEEDED);
} else {
msgCtxt.getInvocationStatus().setAuthorizationStatus(InvocationStatus.FAILED);
// Set the result to SUCCESS
//result.setStatus(IResult.SUCCEEDED);
return result;
public String getIpAddress() {
return allowedIpAddress;
public void setIpAddress(String IpAddress) {
this.allowedIpAddress = IpAddress;
LOGGER.log(Level.INFO, "IP Address is.. " + allowedIpAddress);
public String getServiceMethodName() {
return protectedServiceMethodName;
public void setServiceMethodName(String serviceMethodName) {
this.protectedServiceMethodName = serviceMethodName;
public String getRoleName() {
return allowedRoleName;
public void setRoleName(String roleName) {
this.allowedRoleName = roleName;
And the xml:
<csw:StepTemplate xmlns:csw="http://schemas.confluentsw.com/ws/2004/07/policy"
name="Custom authenticate step" package="project1"
timestamp="Oct 31, 2005 05:00:00 PM" version="1"
id="0102030405">
<csw:Description>Custom step that authenticates the user against the
credentials entered here. This step requires Extract
credentials to be present before it in the request pipeline.</csw:Description>
<csw:Implementation>project1.CustomPolicy</csw:Implementation>
<csw:PropertyDefinitions>
<csw:PropertyDefinitionSet name="Basic Properties">
<csw:PropertyDefinition name="Enabled" type="boolean">
<csw:Description>If set to true, this step is enabled</csw:Description>
<csw:DefaultValue>
<csw:Absolute>true</csw:Absolute>
</csw:DefaultValue>
</csw:PropertyDefinition>
</csw:PropertyDefinitionSet>
<csw:PropertyDefinitionSet name="Custom Access Rules">
<csw:PropertyDefinition name="IpAddress" type="string" isRequired="true">
<csw:DisplayName>IpAddress</csw:DisplayName>
<csw:Description>IP Address that is allowed access</csw:Description>
<csw:DefaultValue>
<csw:Absolute>192.168.0.1</csw:Absolute>
</csw:DefaultValue>
</csw:PropertyDefinition>
<csw:PropertyDefinition name="ServiceMethodName" type="string"
isRequired="true">
<csw:DisplayName>ServiceMethodName</csw:DisplayName>
<csw:Description>Service Method Name that is Protected (Secured)</csw:Description>
<csw:DefaultValue>
<csw:Absolute>getTime</csw:Absolute>
</csw:DefaultValue>
</csw:PropertyDefinition>
</csw:PropertyDefinitionSet>
</csw:PropertyDefinitions>
</csw:StepTemplate>
Please any tip or idea is welcome, thanks in advance for the help.
Carlos.

Hi again
copied your code for testing. And it works fine.
So both the code and policy-step definition is fine, log output below.
What is your log output?
Using soapui to send the request will give the ip of my localhost, using the test client will give the ip of the server, because that is the actual client.
I guess the server ip is 192.168.0.1 in your case, as you are testing from test console.
anyway, results from SOAPUI:
2009-05-19 09:52:15,096 FINE [HTTPThreadGroup-4] CSWComponent - Executing policy step. Policy='SID0003004', Step Name='Custom Policy Step', Step Class='com.*.soa.wsm.CustomPolicy'
2009-05-19 09:52:15,096 FINER [HTTPThreadGroup-4] wsm.CustomPolicy - com.*.soa.wsm.CustomPolicy execute:ENTERING
2009-05-19 09:52:15,096 INFO [HTTPThreadGroup-4] wsm.CustomPolicy - Processing stage is Request
2009-05-19 09:52:15,096 SEVERE [HTTPThreadGroup-4] wsm.CustomPolicy - Dir IP:hostname.domain:8890
2009-05-19 09:52:15,096 INFO [HTTPThreadGroup-4] wsm.CustomPolicy - ADDRhostname.domain:8890HOST10.47.89.116
2009-05-19 09:52:15,096 INFO [HTTPThreadGroup-4] wsm.CustomPolicy - MethodName=getHostNameElement
2009-05-19 09:52:15,096 INFO [HTTPThreadGroup-4] wsm.CustomPolicy - Writing Allowed IP Addr before creating SOAP header 10.47.89.116, 192.168.0.1
2009-05-19 09:52:15,096 INFO [HTTPThreadGroup-4] wsm.CustomPolicy - Writing Remote IP Addr before creating SOAP header 10.47.89.116
2009-05-19 09:52:15,096 INFO [HTTPThreadGroup-4] wsm.CustomPolicy - AQUI111
2009-05-19 09:52:15,096 INFO [HTTPThreadGroup-4] wsm.CustomPolicy - AQUI222
2009-05-19 09:52:15,097 INFO [HTTPThreadGroup-4] wsm.CustomPolicy - AQUI333
2009-05-19 09:52:15,097 FINER [HTTPThreadGroup-4] agent.Agent - com.cfluent.agent.Agent intercept:ENTERING
But if I use the test client the remote IP would be 10.47.137.50 and execution fails, as code is written

2009-05-19 09:54:12,266 INFO [HTTPThreadGroup-4] wsm.CustomPolicy - Writing Allowed IP Addr before creating SOAP header 10.47.89.116, 192.168.0.1
2009-05-19 09:54:12,266 INFO [HTTPThreadGroup-4] wsm.CustomPolicy - Writing Remote IP Addr before creating SOAP header 10.47.137.50
2009-05-19 09:54:12,267 INFO [HTTPThreadGroup-4] wsm.CustomPolicy - AQUI111
2009-05-19 09:54:12,267 INFO [HTTPThreadGroup-4] wsm.CustomPolicy - AQUI222
2009-05-19 09:54:12,267 INFO [HTTPThreadGroup-4] wsm.CustomPolicy - AQUI444
2009-05-19 09:54:12,267 INFO [HTTPThreadGroup-4] wsm.CustomPolicy - AQUI444
2009-05-19 09:54:12,267 FINE [HTTPThreadGroup-4] CSWComponent - Step execution failed: Policy=[SID0003004] Pipeline=[Request] Step Name=[Custom Policy Step] Step Class=[com.tandberg.soa.wsm.CustomPolicy]
2009-05-19 09:54:12,267 FINER [HTTPThreadGroup-4] common.PrepareForServiceStep - Step PrepareForServiceStep called

Custom Policy Step calling EJB

Hi there,
I'm a newby to OC4J and need some help in regards to some library issues. I've created an EJB using spring and deployed it to the oc4j container. Then I created an owsm custom policy step which retrieves the EJB bean using spring and retrieves the custom security header, which I then add to the current SOAP header. I wasn't quite sure how to create the custom policy step jar as it contains my spring jar as well as my ejb jar, so I used maven to create the jar with all my dependent jars as well. Everything works great, as in, it retrieves the EJB calls the method on the EJB which will retrieve a value from LDAP and then uses that value to query our data store and then return the object, but when it returns the object it throws the following exception:
java.lang.LinkageError: Class com/cochlear/erpsecurity/domain/ErpSoapHeader violates loader constraints
Which is due to the fact that I have the ErpSoapHeader in my custom policy step jar as well as my ejb jar. When I don't include the ejb jar in my custom policy step jar however then it give a class not found exception when trying to load the ejb with spring. Then I tried something dodgy and added the ejb jar to my server.xml in oracle.wsm.gateway shared library, but this caused the linkage error as well.
Any help on how I can resolve this library issue will be great appreciated.
Thanks so much,
Ida

Here's an example on how to add a custom SOAP header to the request message inside a custom step.
public IResult execute(IMessageContext messageContext) throws Fault {
MessageContext msgCtxt = (MessageContext) messageContext;
SOAPEnvelope senv = msgCtxt.getRequest().getAxisMessage().getSOAPEnvelope();
((org.apache.axis.message.SOAPEnvelope)senv).setDirty(true);
Name header = factory.createName("CustomHeader", "http://foo.com/custom/header");
SOAPHeaderElement headerElement = senv.getHeader().addHeaderElement(header);
headerElement.addTextNode("My custom header data");
OWSM uses AXIS implementation internally to represent the SOAP message.
Cheers,
Vikas Jain

OWSM 11g: Custom policy implementation

Hi all,
I am unable to replicate the example as discussed in the section 14 of Security and Administrator’s Guide for Web Services 11g Release 1 (11.1.1) B32511-03, April 2010. I am applying the custom policy on a osb (11g r3) proxy service. Kindly take a look at the steps mentioned below & suggest suitably where i may be going wrong:
1. Creation of the IpAssertionExecutor class which holds the implementation logic (same as Step 1)
2. Creation of the policy-config.xml file (same as Step 2)
3. oracle.logging-utils_11.1.1.jar was also added to compile the above class.
4. IpAssertionExecutor Class & policy-config.xml were added as a jar file as mentioned in page no: 4 of the following link: http://www.scribd.com/doc/25941008/How-to-Create-OWSM-11g-Custom-Policy-Assertion (same as Step 4)
5. Updation of classpath (same as Step 5)
6. Creation of oracle/ip_assertion_policy file (same as Step 2)
7. Importing the Custom Policy File (same as Step 6)
8. Attaching the Custom Policy to a Web Service or Client (same as Step 7)
For testing purpose, i used soapui and specified the bind address in the request properties. However, the policy is not working as desired.
Additionally, i hardcoded the String ipAddr (ip address) in the IpAssertionExecutor class & redeployed the jar. But still couldn't get it working.
I shall be obliged if someone can help me.
Thanks in advance

In the security tab for your OSB Service, ensure that you set the radio button for processing of ws header. Otherwise no policies appear to be called.

J2EE Security Provider Service in NWA on 7.10?

Hi,
In versions up to 7.0, there was a J2EE Security Provider Service which could be configured in Visual Administrator to control fine-grained security between deployed components on the system. I cannot find anything similar in NetWeaver Administrator in 7.1. Has this become obsolete or am I overlooking something?
Thanks,
Thorsten

Hi,
NWA -> Configuration Management -> security -> authentication
here you can find the required policy configurations
regards,
Jozsef

How to find solution for avoiding WARNING J2EE SECUR-00100 ********** user-manager (see application/server descriptors) will no longer be supported in the next release of this product

HI All,
We are using Oc4j version 10g 10.1.3 , and while starting conatiner getting below warning , let me know if anyone have solution for this,.
14/01/10 01:01:29 ********** user-manager (see application/server descriptors) will no longer be supported in the next release of this product!
Please take the appropriate actions to migrate to an alternative strategy! **********
2014-01-10 01:01:29.833 WARNING J2EE SECUR-00100 ********** user-manager (see application/server descriptors) will no longer be supported in the next release
of this product!

I just checked my BIOS and my current setting is set at IDE although it also mentions that the default should be AHCI. Currently I have a dual boot of Windows 7 (need it for Tax software) and Arch
So I guess, when I get the new HDD, I will first set it to AHCI and then install the OSes on it. See if NCQ helps any, and if not I will turn it back and re-install (if I have to). I am planning to have Windows only in virtualbox in the new drive.
Anyhoo, while I was in the BIOS I found two things which I had questions about :
1) Under Onboard Devices --> Integrated NIC , my setting is currently set at "On w/PXE" and it says the default should be just "On". Would it be ok to change it back to On since its a single machine and its not booting an OS on any server. I just don't want to have to re-install anything now since I will be doing that in the new HDD.
2) How would I know whether my BIOS would support a 64 bit OS in Virtualbox? I checked some setting under Virtualization, but they weren't very clear.
I will edit this post and let you know exactly what settings were present under the Virtualization sub-section.

Jaas + custom policy

I want to source my JAAS policy files from a database.
I extended java.security.Policy and I can dynamically assign permissions to a codesource. I also have JAAS authorization running without any problems. What I can't figure out is how I can associate a dynamic principal with a protection domain so that getPermissions(ProtectionDomain) will magically work with Subject.doAs without re-writing half of sun.security. Has anyone accomplished something like this? I'm concentrating on 1.4, altho I'm not above using a 1.3 specific solution.

I think I've worked it out (I don't think anyone cares anymore though). This post is just up here so people hit it when they search.
If you subclass Policy and set it (e.g. using Policy.setPolicy or with properties files), then you implment the
boolean implies(ProtectionDomain dom, Permission perm)Method, then it pretty much works!
Whenever you do some action with Subject.doAsPrivileged, for example, an array or principals is given you your implies method available in the ProtectionDomain, i.e. with
boolean implies(ProtectionDomain dom, Permission perm)
Principal[] prins = dom.getPrincipals();
for (int i = 0; i < prins.length; i++)
 if (prins[i] instanceof MyPrincipal) {
 MyPrincipal p = (MyPrincipal) prins;
return UserPermissions.getPermissionSetFor(p).contains(perm); // or something. Havn't worked out exactly what happens here
return false;
I think that's how it works.
Here's some code I wrote to test these ideas out. When you run it, you notice that none of the other Policy methods (getPermissions() in particular) are ever called.
import javax.security.auth.Subject;
import java.security.Policy;
import java.security.PrivilegedAction;
import java.io.FileInputStream;
import java.io.File;
import java.io.IOException;
import java.util.Set;
import java.util.HashSet;
import java.util.logging.Logger;
public class JaasExperiment {
 public static void main(String args[])
 Policy.setPolicy(new MyPolicy());
 Set pubcred = new HashSet();
 Set privcred = new HashSet();
 Set princips = new HashSet();
 princips.add(new MyPrincipal("keith"));
 Subject keith = new Subject(false, princips, pubcred, privcred);
 Subject.doAsPrivileged(keith, new MyAction(), null);
 Set mprincips = new HashSet();
 mprincips.add(new MyPrincipal("michelle"));
 Subject michelle = new Subject(false, mprincips, pubcred, privcred);
 Subject.doAsPrivileged(michelle, new MyAction(), null);
 Logger.global.info("Finished");
 private static class MyAction implements PrivilegedAction
 public Object run() {
 try {
 FileInputStream in = new FileInputStream(new File("src/JaasExperiment.java"));
 int ch;
 while ((ch = in.read()) != -1)
 System.out.print((char)ch);
 in.close();
 } catch (IOException e) {
 e.printStackTrace();
 return null;
import java.security.*;
import java.util.logging.Logger;
public class MyPolicy extends Policy
 boolean checking = true;
 private static Logger log = Logger.getLogger("MyPolicy");
 static {
 log.info("MyPolicy loaded");
 public PermissionCollection getPermissions(ProtectionDomain domain) {
 log.info("getPermissions domain:"+domain.toString());
 return null;
 public PermissionCollection getPermissions(CodeSource codesource)
 log.info("getPermissions codewsource:"+codesource);
 return null;
 public boolean implies(ProtectionDomain domain, Permission permission) {
 //log.entering("MyPolicy", "implies");
 log.finest("Domain codsource is:"+domain.getCodeSource().toString());
 log.fine("Permission "+ permission.getClass().getName() +":"+permission.getName() + " Requested");
 if (domain instanceof Object) {
 Object o = (Object) domain;
 Principal[] ppls= domain.getPrincipals();
 for (int i=0; i < ppls.length; i++)
 log.info("Principal "+i+" is " + ppls.getName());
if (checking)
checking = false;
//log.info("Domain:"+domain.toString());
//log.info("permission:"+permission.toString());
//log.exiting("MyPolicy", "implies");
return true;
public void refresh()
import java.security.Principal;
public class MyPrincipal implements Principal{
private final String name;
public MyPrincipal(String name)
this.name = name;
public String getName() {
return name;

SOAP and J2EE security

We have deployed several SOAP services (Apache SOAP) on a WLS6.1
server. Since there are more and more services are being deployed
people are getting worried about security. I was wondering what the
best solution was to to authentication and authorization on EJB and
method level for SOAP clients ? I was thinking about the following
solution: use the standard J2EE security by defining security
constrainst in the ejb-jar.xml file. Therefor every client needs to
provide credentials to use the EJB's (this should work for both
RMI/IIOP and SOAP clients).
What are your ideas and opinions about this solution ?
If you post a reply please CC to [email protected]

Hi,
Let me know if you find answer of your question.
thanks

Struts/servlet page flow problem due to j2ee security

Whe I type url such as http://localhost:7777/myapp/action.do, I want to see the execution result page from this action. However the result page will always be index.jsp because j2ee security which I have a loginaction.do and its result page is index.jsp. How can I have overcome this problem.
Thanks,

To give more details about the problem I have, user likes to put a URL in the browser, then press enter. User likes to see the running results. However, user is not able to see the results because j2ee security requires user log in. After sucessful login, user is going to see the index page. My question is how user be able to view his result page after login.
cheers.

Using dynamic groups for j2ee security

Hi all,
I have my realm setup in server.xml and my standard and sun-specific deployment descriptors setup for j2ee security.
Everything seems to work fine for groups defined via uniquemember attributes (all users are specified), but I'm having trouble with dynamic groups (defined with the memberurl attribute)
How do I configure my realm in my server.xml to get this working?

Hi,
I got an official answer from SUN.
"Dynamic Groups" are not (longer) supported with SJS AS 7!
It will probably be supported with SJS AS 8 SE.
If you have a iPlanet 6.5 application that is running with dynamic groups, just wait a little bit before you migrate.

OWSM - Logging in Custom Policy Step

I'm trying to implement a custom policy step for Oracle Web Service Management.
For debugging purposes, I need to write a diagnostic log file (like gateway.log, policymanager.log, ccore.log...) with the behavior of my step. I have to use log4j library...
Could you help me with OWSM log configuration?
Thanks!

I have been reading more about this issue but I have doubts yet...
Now, I know that I must use the package "com.cfluent.ccore.util.logging" in my code. For example:
ILogger logger = LogManager.getLogger(...);
logger.log(Level.INFO, "..");
In which owsm log file does this information appear?
Thanks!

Custom Policy Issue 10G

Hi All,
I have created a custom policy in OWSM 10g for WS-Header Insertion, that inserts user credentials(username/password) in UserToken of SOAP Headers.
But I am getting following error while testing my web service on OWSM.
SOAP-ENV:Envelope
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Body>
<SOAP-ENV:Fault>
<faultcode
xmlns:p="http://schemas.oblix.com/ws/2003/08/Faults"
xmlns="">p:Client.PolicyInitializationFailure</faultcode>
<faultstring
xmlns="">Failed to initialize pipeline 'Request' in policy 'testCustom(1.0)'</faultstring>
null</SOAP-ENV:Fault>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
Kindly help

Hi All,
Pls help

J2ee Security methods in JSF

Is it possible to bind to J2ee Security methods in JSF pages, like request.getUserPrincipal() or request.isUserInRole("rolename)?

Hi,
actually you can use EL if you create a method in a managed bean to check for a specific role membership. Reference the method - which returns true or false - from EL. Note that EL cannot have arguments and for this reason you cannot directly pass in role names as argumens
Frank

Custom Policy vs. J2EE Security

Similar Messages

Maybe you are looking for