OPSS/JAAS and UCM roles

Similar Messages

• Authentication & Authorization with SSO, JAAS and Database Tables mix

  Hi,
  I'm looking for how manage Authentication & Authorization in a J2EE ADF+Struts+JSP application.
  I'm interested in use SSO for authentication (I just did it programatically & dynamically already), and now I would like to could define authorization using database tables with users, groups, profiles, individual permissions, ..., (maitanined dynamically by web application admin) throught JAZN (JAAS or however is said) but not statically defining roles, groups, users, ... in jazn xml files.
  I saw that exists the possibility to create a custom DataSourceUserManager class to manage all this, and this gave me the idea that this could be possible to do (I was thinking in make a custom Authorization API over my application tables, without JAZN) but what is better that use and extended and consolidated aprox like JAZN.
  Anybody could tell me if my idea could be possible, and realizable, and maybe give me some orientation to build this approach.
  A lot of thanks in advanced.
  And sorry, excuse my so bad english.
  See you.

  Marcel,
  Originally the idea was to create a post to only explain how to do authentication using a Servlet filter. However,
  I have recently added code to the JHeadstart runtime and generators to enable both JAAS and 'Custom' authentication AND authorization in generated applications. Therefore, this post will be made after we have released the next patch release, as it will depend on these code changes.
  We currently plan to have the patch release available sometime in the second half of May.
  Kind regards,
  Peter Ebell
  JHeadstart Team

• JAAS and JBOSS

  I'm trying to use JAAS to log in a user on a JBOSS app, but am running into a problem. I'm able to successfully authenticate the user, and retrieve a Subject from my LoginContext. However, once that request is done (i.e. the browser displays the "log in complete" page), the application seems to forget that the user was logged in. How does JAAS and JBOSS keep track of the logged in user? Is this done by keeping a singleton of LoginContext around in some scope? Right now I'm creating a new instance of LoginContext, and using it to load a new instance of my CallbackHandler. Note, when I used JBOSS default form based authentication, it kept the user logged in. However, I can't use their default auth because I have some custom things I need to do.
  Thanks in advance for any help you provide.

  Hi,
  I tested this on OC4J for you and here - after setting jbo.security.enforce to Must, the user principal name and the roles are displayed.
  So there are three possibilities why you don't see things working
  - JBoss doesn't add the role principals to the Subject so they become available in the session
  - You attempt accessing this information in a prepareSession() override without enforcing authentication to happen for the root page - URL pattern = /
  - ADF BC security doesn't recognize the custom role principal
  After briefly reviewing the security implementation code, it seems that ADF BC security is dependent on Oracle JAZN for authorization.
  Frank

• Weblogic 10 jaas and login.jsp and web.xml/weblogic.xml security constaints

  Hello,
  I struggled through and got the examples.security.jaas.SampleCallbackHandler.java and examples.common.utils.ExampleUtils.java/ExampleConstants.java into eclipse where they compile. A bean I made can call SambleCallbackHandler like such:
  mybean.logmein(username,password,url). I can then do a mybean.getStatus() or even a mybean.returnCode(). It does seem to correctly identlify that it is authenticating me (I see in stdout logs that it shows success or failures. The problem I have is I do not know how to apply this weblogic and web.xml/weblogic.xml so that if authentication works it redirects me to the page requiring the authentication. In web.xml I have the following set up:
  <security-role>
       <role-name>Admins</role-name>
  </security-role>
  <login-config>
       <auth-method>FORM</auth-method>
       <realm-name>default</realm-name>
       <form-login-config>
            <form-login-page>/login.jsp</form-login-page>
            <form-error-page>/badlogin.html</form-error-page>
       </form-login-config>
  </login-config>
  <security-constraint>
       <web-resource-collection>
            <web-resource-name>empower</web-resource-name>
            <description>These pages are only accessible by authorized users.</description>
            <url-pattern>/admin/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
       </web-resource-collection>
  <auth-constraint>
  <description>These are the roles who have access</description>
  <role-name>Administrators</role-name>
  </auth-constraint>
       <user-data-constraint>
       <description>This is how the user data must be transmitted</description>
       <transport-guarantee>NONE</transport-guarantee>
       </user-data-constraint>
  </security-constraint>
  My weblogic.xml has:
  <?xml version="1.0" encoding="UTF-8"?>
  <wls:weblogic-web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:wls="http://www.bea.com/ns/weblogic/90" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd http://www.bea.com/ns/weblogic/90 http://www.bea.com/ns/weblogic/90/weblogic-web-app.xsd">
  <wls:security-role-assignment>
  <wls:role-name>Admins</wls:role-name>
  <wls:principal-name>Administrators</wls:principal-name>
  <wls:principal-name>dashap</wls:principal-name>
  </wls:security-role-assignment>
  </wls:weblogic-web-app>
  With this set up, if I try to go to a page in /admin folder in my application, it correctly pops up the login page. The jaas in the bean is doing a loginContext.login(), which I thought does authentication too, but it never goes back to the /admin page I was going to that needed the authentication. With jaas, can I not use the web.xml FORM security option? Do I Need to use j_security in the login.jsp's form's action= option and j_username and j_password for the input type names? How do I use j_username/j_password things if I am using jaas? I could just ignore using the web.xml security stuff and put something in the pages that need authentication, but it would be easier if I could use jaas with the security featurs without doing all that. Note that my code above is using a realm called default just because that was what was in the example I got from the web. Does that need to be something else?

  Hi John,
  I would like magic of course. However, in this case I want something special: my authentication provider uses special means and contents of headers, cookies and service from external identity management systems to determine the user's identity.
  I do not want the application to present the login dialog! I want to derive the identity and the fact that the user is logged in from whatever the authentication provider returns in terms of Subject.
  Ideally, the flow is something like:
  - user accesses an unprotected resource - resource is shown, no interaction with authentication provider
  - user presses a link or button that takes him/her to a protected resource
  - the authentication provider is contacted to work with the identity asserter to establish the identity of the current user and create a subject object for this user
  - the application can access the subject and principals
  - ADF Security recognizes the identity and the roles (based on the principals) and coordinates access based on this.
  the authentication method is client certificate. presumably this prompts WebLogic/OPS to use an identity asserter to work with custom headers and cookies ("... when you configure a web application to use CLIENT-CERT authentication. In this case, WebLogic can perform identity assertion based on values from request headers and cookies. If the header name or cookie name matches the active token type for the provider, the value is passed to the provider."). No login form should be presented to the user, as all information required to perform the authentication is already available.
  I am trying to understand what I must do to have the ADF application adopt the subject set by the authentication provider - if anything?!
  If you more ideas to share - I would love to hear them.
  best regards,
  Lucas

• Semantics and its' role in Business Services

  Role and importance of semantics in the context of services and SOA:
  Semantics refer to interpretation of information and not the literal definition of information/ data. Applying semantics to information turns it into “knowledge”. Semantics is the act of applying references and drawing conclusions given a set of more scientific informational constructs. Typically semantics are derived using the context in which information is presented. Transposition on the other hand allows applies the rule of inference where in one can draw conclusions on the implication of truth based on some set of facts.
  Read more about this at <a href="http://entarch.blogspot.com/2007/10/semantics-and-its-role-in-business.html">Surekha Durvasula's</a> blog.
  Surekha is an Enterprise Architecture of a large retail company

  Hi shalini,
          Thanks for the reply and can you please say me the menu path for T.code BUSD
  And can u please say the difference between 4.0 and 5.0 versions
  Regards
  Narayana
  Message was edited by:
          manam narayana
  Message was edited by:
          manam narayana

• REST API: Create Deployment throwing error BadRequest (The specified configuration settings for Settings are invalid. Verify that the service configuration file is a valid XML file, and that role instance counts are specified as positive integers.)

  Hi All,
  We are trying to access the Create Deployment method stated below
  http://msdn.microsoft.com/en-us/library/windowsazure/ee460813
  We have uploaded the Package in the blob and browsing the configuration file. We have checked trying to upload manually the package and config file in Azure portal and its working
  fine.
  Below is the code we have written for creating deployment where "AzureEcoystemCloudService" is our cloud service name where we want to deploy our package. I have also highlighted the XML creation
  part.
  byte[] bytes =
  new byte[fupldConfig.PostedFile.ContentLength + 1];
              fupldConfig.PostedFile.InputStream.Read(bytes, 0, bytes.Length);
  string a = Encoding.UTF8.GetString(bytes, 0, bytes.Length);
  string base64ConfigurationFile = a.ToBase64();
  X509Certificate2 certificate =
  CertificateUtility.GetStoreCertificate(ConfigurationManager.AppSettings["thumbprint"].ToString());
  HostedService.CreateNewDeployment(certificate,
  ConfigurationManager.AppSettings["SubscriptionId"].ToString(),
  "2012-03-01", "AzureEcoystemCloudService", Infosys.AzureEcosystem.Entities.Enums.DeploymentSlot.staging,
  "AzureEcoystemDeployment",
  "http://shubhendustorage.blob.core.windows.net/shubhendustorage/Infosys.AzureEcoystem.Web.cspkg",
  "AzureEcoystemDeployment", base64ConfigurationFile,
  true, false);   
  <summary>
  /// </summary>
  /// <param name="certificate"></param>
  /// <param name="subscriptionId"></param>
  /// <param name="version"></param>
  /// <param name="serviceName"></param>
  /// <param name="deploymentSlot"></param>
  /// <param name="name"></param>
  /// <param name="packageUrl"></param>
  /// <param name="label"></param>
  /// <param name="base64Configuration"></param>
  /// <param name="startDeployment"></param>
  /// <param name="treatWarningsAsError"></param>
  public static
  void CreateNewDeployment(X509Certificate2 certificate,
  string subscriptionId,
  string version, string serviceName, Infosys.AzureEcosystem.Entities.Enums.DeploymentSlot deploymentSlot,
  string name, string packageUrl,
  string label, string base64Configuration,
  bool startDeployment, bool treatWarningsAsError)
  Uri uri = new
  Uri(String.Format(Constants.CreateDeploymentUrlTemplate, subscriptionId, serviceName, deploymentSlot.ToString()));
  XNamespace wa = Constants.xmlNamespace;
  XDocument requestBody =
  new XDocument();
  String base64ConfigurationFile = base64Configuration;
  String base64Label = label.ToBase64();
  XElement xName = new
  XElement(wa + "Name", name);
  XElement xPackageUrl =
  new XElement(wa +
  "PackageUrl", packageUrl);
  XElement xLabel = new
  XElement(wa + "Label", base64Label);
  XElement xConfiguration =
  new XElement(wa +
  "Configuration", base64ConfigurationFile);
  XElement xStartDeployment =
  new XElement(wa +
  "StartDeployment", startDeployment.ToString().ToLower());
  XElement xTreatWarningsAsError =
  new XElement(wa +
  "TreatWarningsAsError", treatWarningsAsError.ToString().ToLower());
  XElement createDeployment =
  new XElement(wa +
  "CreateDeployment");
              createDeployment.Add(xName);
              createDeployment.Add(xPackageUrl);
              createDeployment.Add(xLabel);
              createDeployment.Add(xConfiguration);
              createDeployment.Add(xStartDeployment);
              createDeployment.Add(xTreatWarningsAsError);
              requestBody.Add(createDeployment);
              requestBody.Declaration =
  new XDeclaration("1.0",
  "UTF-8", "no");
  XDocument responseBody;
  RestApiUtility.InvokeRequest(
                  uri, Infosys.AzureEcosystem.Entities.Enums.RequestMethod.POST.ToString(),
  HttpStatusCode.Accepted, requestBody, certificate, version,
  out responseBody);
  <summary>
  /// A helper function to invoke a Service Management REST API operation.
  /// Throws an ApplicationException on unexpected status code results.
  /// </summary>
  /// <param name="uri">The URI of the operation to invoke using a web request.</param>
  /// <param name="method">The method of the web request, GET, PUT, POST, or DELETE.</param>
  /// <param name="expectedCode">The expected status code.</param>
  /// <param name="requestBody">The XML body to send with the web request. Use null to send no request body.</param>
  /// <param name="responseBody">The XML body returned by the request, if any.</param>
  /// <returns>The requestId returned by the operation.</returns>
  public static
  string InvokeRequest(
  Uri uri,
  string method,
  HttpStatusCode expectedCode,
  XDocument requestBody,
  X509Certificate2 certificate,
  string version,
  out XDocument responseBody)
              responseBody =
  null;
  string requestId = String.Empty;
  HttpWebRequest request = (HttpWebRequest)HttpWebRequest.Create(uri);
              request.Method = method;
              request.Headers.Add("x-ms-Version", version);
              request.ClientCertificates.Add(certificate);
              request.ContentType =
  "application/xml";
  if (requestBody != null)
  using (Stream requestStream = request.GetRequestStream())
  using (StreamWriter streamWriter =
  new StreamWriter(
                          requestStream, System.Text.UTF8Encoding.UTF8))
                          requestBody.Save(streamWriter,
  SaveOptions.DisableFormatting);
  HttpWebResponse response;
  HttpStatusCode statusCode =
  HttpStatusCode.Unused;
  try
  response = (HttpWebResponse)request.GetResponse();
  catch (WebException ex)
  // GetResponse throws a WebException for 4XX and 5XX status codes
                  response = (HttpWebResponse)ex.Response;
  try
                  statusCode = response.StatusCode;
  if (response.ContentLength > 0)
  using (XmlReader reader =
  XmlReader.Create(response.GetResponseStream()))
                          responseBody =
  XDocument.Load(reader);
  if (response.Headers !=
  null)
                      requestId = response.Headers["x-ms-request-id"];
  finally
                  response.Close();
  if (!statusCode.Equals(expectedCode))
  throw new
  ApplicationException(string.Format(
  "Call to {0} returned an error:{1}Status Code: {2} ({3}):{1}{4}",
                      uri.ToString(),
  Environment.NewLine,
                      (int)statusCode,
                      statusCode,
                      responseBody.ToString(SaveOptions.OmitDuplicateNamespaces)));
  return requestId;
  But every time we are getting the below error from the line
   response = (HttpWebResponse)request.GetResponse();
  <Error xmlns="http://schemas.microsoft.com/windowsazure" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
    <Code>BadRequest</Code>
    <Message>The specified configuration settings for Settings are invalid. Verify that the service configuration file is a valid XML file, and that role instance counts are specified as positive integers.</Message>
  </Error>
   Any help is appreciated.
  Thanks,
  Shubhendu

  Please find the request XML I have found it in debug mode
  <CreateDeployment xmlns="http://schemas.microsoft.com/windowsazure">
    <Name>742d0a5e-2a5d-4bd0-b4ac-dc9fa0d69610</Name>
    <PackageUrl>http://shubhendustorage.blob.core.windows.net/shubhendustorage/WindowsAzure1.cspkg</PackageUrl>
    <Label>QXp1cmVFY295c3RlbURlcGxveW1lbnQ=</Label>
    <Configuration>77u/PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0idXRmLTgiPz4NCjwhLS0NCiAgKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKg0KDQogIFRoaXMgZmlsZSB3YXMgZ2VuZXJhdGVkIGJ5IGEgdG9vbCBmcm9tIHRoZSBwcm9qZWN0IGZpbGU6IFNlcnZpY2VDb25maWd1cmF0aW9uLkNsb3VkLmNzY2ZnDQoNCiAgQ2hhbmdlcyB0byB0aGlzIGZpbGUgbWF5IGNhdXNlIGluY29ycmVjdCBiZWhhdmlvciBhbmQgd2lsbCBiZSBsb3N0IGlmIHRoZSBmaWxlIGlzIHJlZ2VuZXJhdGVkLg0KDQogICoqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioNCi0tPg0KPFNlcnZpY2VDb25maWd1cmF0aW9uIHNlcnZpY2VOYW1lPSJXaW5kb3dzQXp1cmUxIiB4bWxucz0iaHR0cDovL3NjaGVtYXMubWljcm9zb2Z0LmNvbS9TZXJ2aWNlSG9zdGluZy8yMDA4LzEwL1NlcnZpY2VDb25maWd1cmF0aW9uIiBvc0ZhbWlseT0iMSIgb3NWZXJzaW9uPSIqIiBzY2hlbWFWZXJzaW9uPSIyMDEyLTA1LjEuNyI+DQogIDxSb2xlIG5hbWU9IldlYlJvbGUxIj4NCiAgICA8SW5zdGFuY2VzIGNvdW50PSIyIiAvPg0KICAgIDxDb25maWd1cmF0aW9uU2V0dGluZ3M+DQogICAgICA8U2V0dGluZyBuYW1lPSJNaWNyb3NvZnQuV2luZG93c0F6dXJlLlBsdWdpbnMuRGlhZ25vc3RpY3MuQ29ubmVjdGlvblN0cmluZyIgdmFsdWU9IkRlZmF1bHRFbmRwb2ludHNQcm90b2NvbD1odHRwcztBY2NvdW50TmFtZT1zaHViaGVuZHVzdG9yYWdlO0FjY291bnRLZXk9WHIzZ3o2aUxFSkdMRHJBd1dTV3VIaUt3UklXbkFrYWo0MkFEcU5saGRKTTJwUnhnSzl4TWZEcTQ1ZHI3aDJXWUYvYUxObENnZ0FiZnhONWVBZ2lTWGc9PSIgLz4NCiAgICA8L0NvbmZpZ3VyYXRpb25TZXR0aW5ncz4NCiAgPC9Sb2xlPg0KPC9TZXJ2aWNlQ29uZmlndXJhdGlvbj4=</Configuration>
    <StartDeployment>true</StartDeployment>
    <TreatWarningsAsError>false</TreatWarningsAsError>
  </CreateDeployment>
  Shubhendu G

• What are Azure limitations for Websockets in Cloud Services (web and worker role)?

  A WebSocket Server should be built on Azure platform with OnPrem connections and have questions regarding limitations for Websockets in Azure Cloud Services - web and worker roles.
  Websockets can be configured for Web Sites and limitations are understood, but Azure Websites is not an option. 
  Nevertheless it is planned to run a web service (without UI - no web site) as a Cloud service which has secure websocket (WSS) connections to OnPrem machines. Websocket protocol is enabled for IIS8 on Cloud services web and worker roles. Azure Service Bus Relay
  is not an option.
  Questions:
  1) Are Websockets supported for Azure Cloud services web and worker roles? we assume yes
  2) What are potential limitations from Azure side to support concurrent Websocket connections? We are aware that CPU, memory etc are limitations, but are there additional limitations from MS Azure side? 
   

  Hi,
  As I know, azure cloud service web and worker role support Websockets, users can connect to the role via the special endpoint, if we use Azure cloud service, I think we can monitor the metrics such as CPU, memory, etc... and scale our cloud service via these
  metrics to keep the websockets working, refer to
  http://azure.microsoft.com/en-us/documentation/articles/cloud-services-how-to-scale/ for more information about how to scale a cloud service.
  Regards

• Business Role and PFCG Role

  Hi all,
      I am new to CRM 7.0 Can someone explain  What is a Business Role in CRM 7.0 and what is the relationship between Business role and PFCG role. What is the transaction Code to create a Business role.
     And also I heard that there is no PCUI in CRM 7.0. Is it true and if so what is used in place of the PCUI
  Thanks.
  Neha.

  Neha,
  Next time please do a search in this forum on business roles, and you would find many topics discussing this information more completely.  I'm locking this thread due to it fact that this question has been asked many times before by many different people.
  These threads explain the topic in more detail:
  Re: Reg: Business Role
  Assignment pfcg-role to user and assignment pfcg-role to business role
  Thank you,
  Stephen

• [jsr82] can a j2me app be a Bluetooth server and client role in parallel?

  I want to make my j2me app register a special service channel and listen to it, meanwhile, I also want to start a client to connect to other handset which has the same services. In Bluetooth protocol side, this is obviously OK, but in J2me is this design possible? some people said that in jsr82, the Bluetooth device is exclusive for J2me app, app cannot be both server role and client role at the same time. Can anybody give me a definite answer?

  No this design is not possible with JSR 82. Because when the device acts as a server it can't be used as a client as whenever you will run the client code the server mode will disappear.
  But what maximum you can do is when you need the client to run close the server and switch into the client mode but I think you don't need this solution.
  Shan!!!

• Confusing definition of My and Partner Role in PartnerLinks

  Assume I create two BPEL processes: One producer and one consumer
  Each of them needs a JMS adapter as partner services.
  When I click in the producer BPEL process on the JMS adapter definition
  then I have to specify:
  Partner Link Type=Produce_Message_plt
  Partner Role=Produce_Message_role
  My role=not specified
  When I click in the consumer BPEL process on the JMS adapter definition
  then I have to specify:
  Partner Link Type=Consume_Message_plt
  Partner Role=not specified
  My role=Consume_Message_role
  The relationship between "My role" and "Partner role" is somehow asymetric and confusing.
  at a first glance I would have said before: The view is always from the BPEL process side.
  But why do I have to specify NO "My role" in the producer ?
  When I try to specify "My role" as "Produce_Message_role" and leave
  "Partner role" as not specified then I get errors.
  Can somehow explain me what the logic behind should be ?
  Peter

  You need to look at it from a message type perspective. Is the message you are calling async, or sync
  If the process is sync you need to specify both, this is calling a sync partner link.
  PartnerRole=Invoke
  MyRole=Receive
  Async can be tricky. When you call a async Partner Link, e.g. JMS Adpater you typically only one operation exists.
  PartnerRole=Invoke
  You are telling the partner to use the Invoke operation.
  Async can be fire and forget or you may want to wait for a response so you have to implement a Receive activity. In this case you are the consumer and there is no Partner Role operation
  MyRole=Receive
  So to keep it simple
  Sync Invoke activity = Both
  Async Invoke activity = PartnerRole
  Async Receive activity = MyRole
  cheers
  James

• BP created with category Person and BP Role Consumer is not replicated

  Hello Gurus,
  I have created a BP with Category Person and BP Role Consumer but after saving my BP is not getting
  replicated to ERP, though in the Clasification Tab i could see consumer is being selected and the Account
  group 0170 - Consumer showing up. 
  I have also checked in PIDE transaction in ERP system this Account group has clasification E which is Consumer.person,and as numbe range is assigned to this Account group 
  i have checked in middleware there is an error message which says "BP XXXX doesnt not exist as customer,change not possible" and aslo one more message which says "no classification is assigned to BP"
  any customizing is missing in CRM system, or only customiaing required is in ERP only?
  Thanks and Regards
  chandu

  Hi,
  With respect to your question on below link.
  Re: BP created with category Person and BP Role Consumer is not replicated
  Please find the below path in ECC
  SPRO>Logistic General>Business Partner>Customer>Define Account Groups and Field Selection for Customers.
  Select 0170 Consumer account grp and click on details. You will see the Number range in General Data.
  Copy that number range and goto below path and check if the number range is internal or external.
  SPRO>Logistic General>Business Partner>Customer>Define and Assign Customer Number ranges. The popup will appear and select Define Number ranges for customer master. Click on display intervals. You will see the number range is mainatined internal or external.
  Hope this helps.
  Regards,
  Chandrakant
  Edited by: Chandrakant A on Dec 15, 2009 7:41 PM

• Is it possible to modify the tag structure tree and the role map via scripting?

  We use unstructured FrameMaker to produce training materials which we distribute as tagged PDF to meet accessibility requirements.
  When FrameMaker creates a tagged PDF, it does a fairly good job of populating the structure based on the PDF setup information for the paragraph formats in the FrameMaker documents. However, there are some limitations in the support that FrameMaker provides. For example, almost all paragraphs are assigned to the P role even if they are headings and should be mapped to H1-H6.
  We want to be able to easily post-process a PDF that has been generated from FrameMaker to fix some of the tag structure issues (including tag names and the role map) so that the PDF will provide the optimum experience for a user of the JAWS screen reader.
  I spent some time reading the SDK documentation but didn't find much information about manipulating a tagged PDF via the API, especially via scripting.
  Does anyone have any examples or references which explain how to do it?

  AFAIK, it's not possible with a script. You might want to ask in the SDK forum, as it could be possible with a plugin.

• Security-role and security-role-assignment not working in WL7.0

  Hello all..
  Some EJB components that worked fine in WebLogic 6.1 no longer work in
  WL7.0. It has to do with the security-role and security-role-assignment
  descriptor elements no longer allowing anonymous users to be included in the
  authorization for a bean.
  For example, in WL6.1 placing these items in ejb-jar.xml:
  <assembly-descriptor>
  <security-role>
  <role-name>Employees</role-name>
  </security-role>
  <method-permission>
  <role-name>Employees</role-name>
  <method>
  <ejb-name>CustomerEJB</ejb-name>
  <method-name>*</method-name>
  </method>
  </method-permission>
  and mapping WebLogic default users to this role in weblogic-ejb-jar.xml:
  <security-role-assignment>
  <role-name>Employees</role-name>
  <principal-name>guest</principal-name>
  <principal-name>system</principal-name>
  </security-role-assignment>
  worked fine for clients creating their context using a simple
  InitialContext() constructor without specifying SECURITY_PRINCIPAL or
  SECURITY_CREDENTIALS. These users were basically "guest" to WebLogic, and
  the security-role-assignment element above told WebLogic that "guest" was in
  the Employees role for purposes of this EJB archive.
  Worked in WL6.1, no longer works in WL7.0. Client receives typical
  permission exception:
  java.rmi.AccessException: Security violation: insufficient permission to
  access method 'create'
  If I explicity connect as "system" things are fine, or I can create a new
  user in the default realm in WebLogic, put a matching <principal-name>
  element in the section above, and connect as that user. Note that if I leave
  off the <security-role> section completely, or set the required role name to
  "everyone", the anonymous access works fine. Apparently the anonymous user
  is a member of "everyone" behind the scenes even though "everyone" does not
  appear in the realm list of groups or roles.
  So, my question boils down to this: Is there a "magic" username in WL7 like
  "guest" was in WL6.1 that can be mapped to the required role name, or must
  every client connection use a true weblogic-created user with appropriate
  role assignments used to map it to the required role name.
  -Greg
  P.S. Note that none of the EJB examples provided with WL used
  <security-role>..
  Check out my WebLogic 6.1 Workbook for O'Reilly EJB Third Edition
  www.amazon.com/exec/obidos/ASIN/1931822468 or www.titan-books.com

  Below are the screen shots for PFCG:

• Webserver and UCM in different machines

  As the title said.. how do I do this? in the installation guide it's just for both in one machine but how do i install webserver in a windows server and UCM in a unix server?
  Is this even possible? please some advice or redirect to some solution,
  Thanks

  Hi
  Look at Note : 885983.1 on metalink . This gives the steps to configure Cs when webserver is on a different machine altogether.
  Srinath

• Weblogic portal 10.3.1 framework and  UCM 10gR3 code works in Jdeveloper

  Hi All,
  We are using weblogic portal 10.3.1 framework and UCM 10gR3. Now we want to use Jdeveloper (because we can integrate site studio using plugin) instead of weblogic workshop.
  So my question is does the existing code works in Jdeveloper (because it supports Webcenter portal)?.
  Thanks,
  Venkata Sarvabatla

  No. Eclipse/Worskhop is the development IDE for WLP. While you can probably edit many of the WLP artifacts in JDeveloper, since they're mostly XML files, JDeveloper won't understand the WLP project structure, understand many of the libraries or know how to deploy to a WLP domain.
  Brad