SecurityException (Invalid Subject) with custom database authentication provider WLS 7.0

Similar Messages

• Java.lang.SecurityException: Invalid Subject: principals on ic.lookup

            Weblogic 7.0.1
            I establish two initialContext objects with credential like so:
            InitialContext ic = getInitialContext("t3://<ip>:<port>", "<username>",
            "<password>");
            InitialContext ic2 = getInitialContext("t3://<sameip>:<differentport>",
            "<username>", "<differentpassword>");
            protected InitialContext getInitialContext(String url, String user, String
            password) throws NamingException
            Hashtable env = new Hashtable();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "weblogic.jndi.WLInitialContextFactory");
            env.put(Context.PROVIDER_URL, url);          
            env.put(Context.SECURITY_PRINCIPAL, user);
            env.put(Context.SECURITY_CREDENTIALS, password);
            return new InitialContext(env);
            Each of these servers has a jms queue I want to context to. When I try to do
            a lookup like this (ic):
            qconFactory = (QueueConnectionFactory) ic.lookup("my/Queue");
            I get this exception:
            java.lang.SecurityException: Invalid Subject: principals=[system2, Administrators]
            at weblogic.security.service.SecurityServiceManager.seal(SecurityServiceManager.java:943)
            at weblogic.rjvm.MsgAbbrevInputStream.getSubject(MsgAbbrevInputStream.java:147)
            at weblogic.rmi.internal.BasicServerRef.handleRequest(BasicServerRef.java:309)
            at weblogic.rmi.internal.BasicExecuteRequest.execute(BasicExecuteRequest.java:30)
            at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:153)
            at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:134)
            End server side stack trace
            Here is the bad issue. The second lookup works (ic2):
            qconFactory = (QueueConnectionFactory) ic2.lookup("my/Queue");
            As a matter of fact if I try to create more contexts the last context always seems
            to work. Also if I do each of these lookups in a separate application they both
            work. Any ideas?
            

  Hi John,
            There may be a bug, but the fact that some code works in a previous
            version does not necessarily make this a given. For example, a new
            release may restrict applications based on a refinement or clarification
            in a J2EE spec. (Although in general, we try to make such changes
            without breaking current customer code.) Another example is an
            application that unknowingly depends on a bug that was in the previous
            version. That said, this is unrelated to JMS, as the exception occurs
            on a jndi lookup before any JMS code is invoked - I suggest posting to
            the security newsgroup and perhaps raising the issue with customer
            support.
            Tom, BEA
            john hutchinson wrote:
            > The code below works with other versions of WebLogic. It just doesn't work with
            > WebLogic7.0. I don't understand what one context object has to do with another.
            > The code below indicates two different context object. I can also catch the
            > exception when it is thrown re-establish the first context after the second works
            > and use then use the first so that would be useless security. So either there
            > is a bug in WebLogic's use of contexts or there is a bug in there security model.
            > If it works I've attached a sample application that does this.
            >
            >
            > Tom Barnes <[email protected]> wrote:
            >
            >>As with all versions of WebLogic, the security context is
            >>associated with the thread. So establishing a new one
            >>will replace the previous context associated with
            >>the thread. For more detailed information
            >>post to the weblogic.developer.interest.security newsgroup.
            >>
            >>Tom, BEA
            >>
            >>john hutchinson wrote:
            >>
            >>>Weblogic 7.0.1
            >>>
            >>>I establish two initialContext objects with credential like so:
            >>>
            >>> InitialContext ic = getInitialContext("t3://<ip>:<port>",
            >>
            >>"<username>",
            >>
            >>>"<password>");
            >>> InitialContext ic2 = getInitialContext("t3://<sameip>:<differentport>",
            >>>"<username>", "<differentpassword>");
            >>>
            >>> protected InitialContext getInitialContext(String url, String user,
            >>
            >>String
            >>
            >>>password) throws NamingException
            >>> {
            >>> Hashtable env = new Hashtable();
            >>> env.put(Context.INITIAL_CONTEXT_FACTORY, "weblogic.jndi.WLInitialContextFactory");
            >>> env.put(Context.PROVIDER_URL, url);          
            >>> env.put(Context.SECURITY_PRINCIPAL, user);
            >>> env.put(Context.SECURITY_CREDENTIALS, password);
            >>> return new InitialContext(env);
            >>> }
            >>>
            >>>Each of these servers has a jms queue I want to context to. When I
            >>
            >>try to do
            >>
            >>>a lookup like this (ic):
            >>>qconFactory = (QueueConnectionFactory) ic.lookup("my/Queue");
            >>>
            >>>I get this exception:
            >>>
            >>>java.lang.SecurityException: Invalid Subject: principals=[system2,
            >>
            >>Administrators]
            >>
            >>> at weblogic.security.service.SecurityServiceManager.seal(SecurityServiceManager.java:943)
            >>> at weblogic.rjvm.MsgAbbrevInputStream.getSubject(MsgAbbrevInputStream.java:147)
            >>> at weblogic.rmi.internal.BasicServerRef.handleRequest(BasicServerRef.java:309)
            >>> at weblogic.rmi.internal.BasicExecuteRequest.execute(BasicExecuteRequest.java:30)
            >>> at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:153)
            >>> at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:134)
            >>>End server side stack trace
            >>>
            >>>Here is the bad issue. The second lookup works (ic2):
            >>>qconFactory = (QueueConnectionFactory) ic2.lookup("my/Queue");
            >>>
            >>>As a matter of fact if I try to create more contexts the last context
            >>
            >>always seems
            >>
            >>>to work. Also if I do each of these lookups in a separate application
            >>
            >>they both
            >>
            >>>work. Any ideas?
            >>>
            >>
            

• How to use a custom database authentication with APEX_AUTHENTICATION??

  i have Custom user authentication method.
  create or replace function user_check(username varchar2,password varchar2) return boolem
  is
  check_out integer;
  begin
  select count(*) into check_out from "user" where USER_EMAIL=username and USER_PASS=password;
  if check_out >0 then
  return true;
  else
  return false;
  end if;
  end;
  apex_authentication.login() how to use. And how to make apex_authentication.login() use my method Verify User Login

  You can't mix custom authentication and the internal APEX authentication functions.. So either you use the pre-built user authentication in APEX or you can build your own CUSTOM authentication...
  Many examples of custom authentication are out there...
  Thank you,
  Tony Miller
  Ruckersville, VA

• Weblogic with Active Directory Authentication provider problem: DN for user ....: null

  I have a java application (SSO via SAML2) that uses Weblogic as a Identity Service Provider. All works well using users created directly in Weblogic. However, I need to add support for Active Directory. So, as per documentation:
  - I defined an Active Directory Authentication provider
  - changed it's order in the Authentication Providers list so that it comes first
  - set the control flag to SUFFICIENT and configured the Provider Specific; here's the concerned part in config.xml:
  <sec:authentication-provider xsi:type="wls:active-directory-authenticatorType">
          <sec:name>MyOwnADAuthenticator</sec:name>
          <sec:control-flag>SUFFICIENT</sec:control-flag>
          <wls:propagate-cause-for-login-exception>true</wls:propagate-cause-for-login-exception>
          <wls:host>10.20.150.4</wls:host>
          <wls:port>5000</wls:port>
          <wls:ssl-enabled>false</wls:ssl-enabled>
          <wls:principal>CN=tadmin,CN=wl,DC=at,DC=com</wls:principal>
          <wls:user-base-dn>CN=wl,DC=at,DC=com</wls:user-base-dn>
          <wls:credential-encrypted>{AES}deleted</wls:credential-encrypted>
          <wls:cache-enabled>false</wls:cache-enabled>
          <wls:group-base-dn>CN=wl,DC=at,DC=com</wls:group-base-dn>
  </sec:authentication-provider>
  I configured a AD LDS instance(Active Directory Lightweight Directory Services) on a Windows Server 2008 R2. I created users and one admin user "tadmin" which was added to Administrators members. I also made sure to set msDS-UserAccountDisabled property to FALSE.
  After restarting Weblogic I can see that the AD LDS's users and groups are correctly fetched in Weblogic. But, when I try to connect with my application, using Username:tadmin and Password:<...> it does not work.
  Here's what I see in the log file:
  <BEA-000000> <LDAP Atn Login username: tadmin>
  <BEA-000000> <authenticate user:tadmin>
  <BEA-000000> <getConnection return conn:LDAPConnection {ldaps://10.20.150.4:5000 ldapVersion:3 bindDN:"CN=tadmin,CN=wl,DC=at,DC=com"}>
  <BEA-000000> <getDNForUser search("CN=wl,DC=at,DC=com", "(&(&(cn=tadmin)(objectclass=user))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))", base DN & below)>
  <BEA-000000> <DN for user tadmin: null>
  <BEA-000000> <returnConnection conn:LDAPConnection {ldaps://10.20.150.4:5000 ldapVersion:3 bindDN:"CN=tadmin,CN=wl,DC=at,DC=com"}>
  <BEA-000000> <getConnection return conn:LDAPConnection {ldaps://10.20.150.4:5000 ldapVersion:3 bindDN:"CN=tadmin,CN=wl,DC=at,DC=com"}>
  <BEA-000000> <getDNForUser search("CN=wl,DC=at,DC=com", "(&(&(cn=tadmin)(objectclass=user))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))", base DN & below)>
  <BEA-000000> <DN for user tadmin: null>
  <BEA-000000> <returnConnection conn:LDAPConnection {ldaps://10.20.150.4:5000 ldapVersion:3 bindDN:"CN=tadmin,CN=wl,DC=at,DC=com"}>
  <BEA-000000> <javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User tadmin denied
    at weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.login(LDAPAtnLoginModuleImpl.java:229)
    at com.bea.common.security.internal.service.LoginModuleWrapper$1.run(LoginModuleWrapper.java:110)
  So, I tried to look why do I have: <DN for user tadmin: null>. Using Apache Directory Studio I reproduced the ldap search request used in Weblogic and, sure enough, I get no results. But, changing the filter to only "(&(cn=tadmin)(objectclass=user))" (NOTICE, no userAccountControl), it works; here's the result from Apache Directory Studio:
  #!SEARCH REQUEST (145) OK
  #!CONNECTION ldap://10.20.150.4:5000
  #!DATE 2014-01-23T14:52:09.324
  # LDAP URL     : ldap://10.20.150.4:5000/CN=wl,DC=at,DC=com?objectClass?sub?(&(cn=tadmin)(objectclass=user))
  # command line : ldapsearch -H ldap://10.20.150.4:5000 -x -D "[email protected]" -W -b "CN=wl,DC=at,DC=com" -s sub -a always -z 1000 "(&(cn=tadmin)(objectclass=user))" "objectClass"
  # baseObject   : CN=wl,DC=at,DC=com
  # scope        : wholeSubtree (2)
  # derefAliases : derefAlways (3)
  # sizeLimit    : 1000
  # timeLimit    : 0
  # typesOnly    : False
  # filter       : (&(cn=tadmin)(objectclass=user))
  # attributes   : objectClass
  #!SEARCH RESULT DONE (145) OK
  #!CONNECTION ldap://10.20.150.4:5000
  #!DATE 2014-01-23T14:52:09.356
  # numEntries : 1
  (the "[email protected]" is defined as userPrincipalName in the tadmin user on AD LDS)
  As you can see, "# numEntries : 1" (and I can see as result the entry "CN=tadmin,CN=wl,DC=at,DC=com"  in Apache Directory Studio's interface); if I add the userAccountControl filter I get 0.
  I've read that the AD LDS does not use userAccountControl but "uses several individual attributes to hold the information that is contained in the flags of the userAccountControl attribute"; among those attributes is msDS-UserAccountDisabled which, as I said, I already set to FALSE.
  So, my question is, how do I make it work? Why do I have "<DN for user tadmin: null>" ? Is it the userAccountControl ? If it is, do I need to do some other configuration on my AD LDS ? Or, how can I get rid of the userAccountControl filter in Weblogic?
  I didn't seem to find it in config files or in the interface: I only have "User From Name Filter: (&(cn=%u)(objectclass=user))", there's no userAccountControl.
  Another difference I noticed is that, even though in Weblogic I have set ssl-enabled flag to false, in the logs I see ldaps and not ldap ( I'm not looking to setup something production-ready and I don't want SSL for the moment ).
  Here are some other things I tried but did not change anything:
  - the other "msDS-" attributes were not set so I tried initializing them to some value
  - I tried other users defined in AD LDS, not tadmin
  - in Weblogic I added users that were imported from AD LDS in Roles and Policies> Realm Roles > Global Roles > Roles > Admin
  - I removed all userAccountControl occurrences that I found in xml files in Weblogic (schema.ms.xml, schema.msad2003.xml)
  Any thoughts?
  Thanks.

  I managed to narrow it down: the AD LDS does not support the userAccountControl.
  Anyone knows how I can configure my Active Directory Authentication Provider in Weblogic so that it does not implicitly use userAccountControl as filter?
  <BEA-000000> <getDNForUser search("CN=wl,DC=at,DC=com", "(&(&(cn=tadmin)(objectclass=user))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))", base DN & below)> 

• Database selection with invalid cursor with MaxDB database

  Hi Experts,
  I encountered the this error:
  "Database selection with invalid cursor
  The database interface was called by a cursor (in a FETCH or CLOSE
  cursor operation) that is not flagged as opened. This can occur if a
  COMMIT or ROLLBACK was executed within a SELECT loop (which closes all
  opened cursors), followed by another attempt to access the cursor (for
  example, the next time the loop is executed)."
  We are using bw support package 19 early this month. Previously is working fine but this problem occured from the last 2 days.
  We are using MaxDB database.
  Really appreciate any speedy responds.

  Hi,
  We finally resolved the issue.
  The solution:
  We check the RFC connection test in SM59. There are connection error.
  There is an error that related J2EE_ADMIN user.
  SO we reset the J2EE_ADMIN id in SU01.
  The problem goes away.
  Many thanks

• Configuring custom database authentication in Weblogic 10

  Hi,
  For my project I am trying to configure security/login module. It's an ADF based web application(ADF11g) and is deployed on Weblogic10. I have implemented the custom authentication with DB login module, created the jar and placed it inside %WL_HOME%/server/lib/mbeantypes. Now I have created one new Authenticator inside 'myrealm'. But after the successful deployment of the application when I am trying to access any secured page this custom authenticator is not being invoked. Can anyone please tell me the exact steps I have to follow for getting custom authenticator working properly.
  Thanks much!

  I had some minor implementation faults in code, after fixing those it is working fine

• Restful Web Services - First Party Authentication with custom authentication schemes

  Hi
  I've successfully enabled security using first party authentication on our Restful web services however these only work with the built in Apex accounts and not other authentication schemes.
  Ideally I'd like to authenticate against LDAP, however when I enable this authentication scheme the restful services don't work as they only support the Apex accounts. 
  Has anyone implemented LDAP authentication for Apex restful web services, either directly or using Glassfish ? Does anyone know if support for custom authentication schemes on the feature roadmap for a future Listener release ?
  I attempted to configure the glassfish application against LDAP but am still working on it.. glassfish never challenged the client to authenticate (it's only to be for the web service endpoints and nothing else), so any pointers on how to set that up for Apex would be appreciated.
  Thanks
  Kes

  Hi Gemma,
  unfortunately at the moment you are caught between a rock and a hard place:
  - As you point out there is no way in APEX for a user to self-register themselves, short of developing your own table to store users and configuring APEX custom auth to authenticate against that table
  - Listener can only authenticate against the the APEX user repository, it cannot integrate with custom APEX authentication.
  There may be other options though, by leveraging the authentication capabilities in the JRE and/or WebLogic/GlassFish application servers. We're interested in addressing this use case, so if you wish to investigate further please send me an email ( colm <dot> divilly <at> oracle <dot> com).
  Thanks,
  Colm Divilly

• Custom Authentication Provider and User Manage like SQLAuthenticator, How?

  Hi everyone,
  I faced a problem with login function of my portal (Webcenter Application). The Problem is:
  - Allow the users logging in by user that store in another system. I must communicate using low level of socket. This really is not a problem.
  - If user logged in, for first time of logging in, i must store them in some identity store (Maybe tables database).
  - View Users in Weblogic Console. To do that, i known that i must implemeted something that i dont what that are.
  Here are my work:
  - I Created a Custom Authentication Provider. And configuration in Admin Console. But i don't know what are that i should implementing to View user & group in Admin Console.
  - I Cannot logging in: After i created simple application for testing, i cannot logging in even i tested with SQLAuthenticator Provider and original DefaultProvider. In Logging Console, I saw every I Printed In The Code of Login Module.
  Here are my Code:
  <?xml version="1.0" ?>
  <MBeanType Name = "OrkitVASPortal" DisplayName = "OrkitVASPortal"
             Package = "orkit"
             Extends = "weblogic.management.security.authentication.Authenticator"
             PersistPolicy = "OnUpdate">
      <MBeanAttribute
          Name        = "ProviderClassName"
          Type        = "java.lang.String"
          Writeable   = "false"
          Default     = "&quot;orkit.OrkitVASPortalProviderImpl&quot;"
  />
      <MBeanAttribute
          Name        = "Description"
          Type        = "java.lang.String"
          Writeable   = "false"
          Default     = "&quot;WebLogic Simple Sample Audit Provider&quot;"
  />
      <MBeanAttribute
          Name        = "Version"
          Type        = "java.lang.String"
          Writeable   = "false"
          Default     = "&quot;1.0&quot;"
  />
      <MBeanAttribute
          Name        = "LogFileName"
          Type        = "java.lang.String"
          Default     = "&quot;SimpleSampleAuditor.log&quot;"
  />
  </MBeanType>
  package orkit;
  import java.util.HashMap;
  import javax.security.auth.login.AppConfigurationEntry;
  import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
  import weblogic.management.security.ProviderMBean;
  import weblogic.security.provider.PrincipalValidatorImpl;
  import weblogic.security.spi.*;
  public final class OrkitVASPortalProviderImpl implements AuthenticationProviderV2 {
      private String description;
      private LoginModuleControlFlag controlFlag;
      public OrkitVASPortalProviderImpl() {
          System.out.println("The Orkit VASPortal Provider Implemented!!!!!");
      @Override
      public IdentityAsserterV2 getIdentityAsserter() {
          return null;
      // Our mapping of users to passwords/groups, instead of being in LDAP or in a
      // database, is represented by a HashMap of MyUserDetails objects..
      public class MyUserDetails {
          String pw;
          String group;
          // We use this to represent the user's groups and passwords
          public MyUserDetails(String pw, String group) {
              this.pw = pw;
              this.group = group;
          public String getPassword() {
              return pw;
          public String getGroup() {
              return group;
      // This is our database
      private HashMap userGroupMapping = null;
      public void initialize(ProviderMBean mbean, SecurityServices services) {
          System.out.println("The Orkit VASPortal Provider is intializing......");
          OrkitVASPortalMBean myMBean = (OrkitVASPortalMBean) mbean;
          description = myMBean.getDescription() + "\n" + myMBean.getVersion();
          System.err.println("#In realm:" + myMBean.getRealm().wls_getDisplayName());
          // We would typically use the realm name to find the database
          // we want to use for authentication. Here, we just create one.
          userGroupMapping = new HashMap();
          userGroupMapping.put("a", new MyUserDetails("passworda", "g1"));
          userGroupMapping.put("b", new MyUserDetails("passwordb", "g2"));
          userGroupMapping.put("system", new MyUserDetails("12341234",
                  "Administrators"));
          String flag = myMBean.getControlFlag();
          if (flag.equalsIgnoreCase("REQUIRED")) {
              controlFlag = LoginModuleControlFlag.REQUIRED;
          } else if (flag.equalsIgnoreCase("OPTIONAL")) {
              controlFlag = LoginModuleControlFlag.OPTIONAL;
          } else if (flag.equalsIgnoreCase("REQUISITE")) {
              controlFlag = LoginModuleControlFlag.REQUISITE;
          } else if (flag.equalsIgnoreCase("SUFFICIENT")) {
              controlFlag = LoginModuleControlFlag.SUFFICIENT;
          } else {
              throw new IllegalArgumentException("Invalid control flag " + flag);
      public AppConfigurationEntry getLoginModuleConfiguration() {
          HashMap options = new HashMap();
          options.put("usermap", userGroupMapping);
          System.out.println("UserMap: " + options);
          return new AppConfigurationEntry(
                  "orkit.OrkitVASPortalLoginModule",
                  controlFlag, options);
      public String getDescription() {
          return description;
      public PrincipalValidator getPrincipalValidator() {
          return new PrincipalValidatorImpl();
      public AppConfigurationEntry getAssertionModuleConfiguration() {
          return null;
  //    public IdentityAsserter getIdentityAsserter() {
  //        return null;
      public void shutdown() {
  * To change this template, choose Tools | Templates
  * and open the template in the editor.
  package orkit;
  import orkit.OrkitVASPortalProviderImpl;
  import java.io.IOException;
  import java.util.*;
  import javax.security.auth.Subject;
  import javax.security.auth.callback.*;
  import javax.security.auth.login.*;
  import javax.security.auth.spi.LoginModule;
  import weblogic.security.principal.WLSGroupImpl;
  import weblogic.security.principal.WLSUserImpl;
  * This login module will be called by our Authentication Provider. It assumes
  * that the option, usermap, will be passed which contains the map of users to
  * passwords and groups.
  public class OrkitVASPortalLoginModule implements LoginModule {
      private Subject subject;
      private CallbackHandler callbackHandler;
      private HashMap userMap;
      // Authentication status
      private boolean loginSucceeded;
      private boolean principalsInSubject;
      private Vector principalsBeforeCommit = new Vector();
      public void initialize(Subject subject, CallbackHandler callbackHandler,
              Map sharedState, Map options) {
          this.subject = subject;
          this.callbackHandler = callbackHandler;
          // Fetch user/password map that should be set by the authenticator
          userMap = (HashMap) options.get("usermap");
       * Called once after initialize to try and log the person in
      public boolean login() throws LoginException {
          // First thing we do is create an array of callbacks so that
          // we can get the data from the user
          Callback[] callbacks;
          callbacks = new Callback[2];
          callbacks[0] = new NameCallback("username: ");
          callbacks[1] = new PasswordCallback("password: ", false);
          try {
              callbackHandler.handle(callbacks);
          } catch (IOException eio) {
              throw new LoginException(eio.toString());
          } catch (UnsupportedCallbackException eu) {
              throw new LoginException(eu.toString());
          String username = ((NameCallback) callbacks[0]).getName();
          System.out.println("Username: " + username);
          char[] pw = ((PasswordCallback) callbacks[1]).getPassword();
          String password = new String(pw);
          System.out.println("PASSWORD: " + password);
          if (username.length() > 0) {
              if (!userMap.containsKey(username)) {
                  throw new FailedLoginException("Authentication Failed: Could not find user:" + username);
              }else{
                  System.out.println("Contstainded Username");
              String realPassword = ((OrkitVASPortalProviderImpl.MyUserDetails) userMap.get(username)).getPassword();
              if (realPassword == null || !realPassword.equals(password)) {
                  throw new FailedLoginException("Authentication Failed: Password incorrect for user" + username);
              }else{
                  System.out.println("Everyitng OKIE");
          } else {
              // No Username, so anonymous access is being attempted
          loginSucceeded = true;
          // We collect some principals that we would like to add to the user
          // once this is committed.
          // First, we add his username itself
          principalsBeforeCommit.add(new WLSUserImpl(username));
          // Now we add his group
          principalsBeforeCommit.add(new WLSGroupImpl(((OrkitVASPortalProviderImpl.MyUserDetails) userMap.get(username)).getGroup()));
          return loginSucceeded;
      public boolean commit() throws LoginException {
          if (loginSucceeded) {
              subject.getPrincipals().removeAll(principalsBeforeCommit);
              principalsInSubject = true;
              return true;
          } else {
              return false;
      public boolean abort() throws LoginException {
          if (principalsInSubject) {
              subject.getPrincipals().removeAll(principalsBeforeCommit);
              principalsInSubject = false;
          return true;
      public boolean logout() throws LoginException {
          return true;
  }and OrkitVASPortalMBean & OrkitVASPortalImpl class created by MBeanMaker tool.
  Can someome help.
  Thanks in advance!

  Hi ,
  SQLAuthenticator is not yet supported with UCM 11g due to some JPS Provider limitations .
  Currently there is an Enhancement request for this .
  Thanks
  Srinath

• Java.lang.SecurityException: Security: Invalid Subject: principals

  I am getting the following exception intermittently:
  java.lang.SecurityException: Security: Invalid Subject: principals=[XXX, Administrators]
  What i am doing is, i have two weblogic servers both running Weblogic 10.0 and running on different domains, a war is deployed on one server (server A) which sends a message to queue on another server (Server B), now everything works but if i restart B then A throws the above Security Exception while looking up the queue on Server B?? Any ideas why, i haven't configured any security credentials.
  If i restart A after restarting B then everything works again but restarting all the servers each time one gets restarted is cumbersome,so does someone knows answer to the question above?
  Edited by: user4828945 on Feb 11, 2009 5:41 PM

  If you dont require authentication, then enable the global trust between the domains.
  When this feature is enabled, identity is passed between WebLogic Server domains over an RMI connection without requiring authentication in the second domain. When inter-domain trust is enabled, transactions can commit across domains. A trust relationship is established when the Domain Credential for one domain matches the Domain Credential for another domain.
  By default, the Domain Credential is randomly generated and therefore, no two domains will have the same Domain Credential. If you want two WebLogic Server domains to interoperate, you need to replace the generated credential with a credential you select, and set the same credential in each of the domains.
  Link :[http://e-docs.bea.com/wls/docs100/ConsoleHelp/taskhelp/security/EnableGlobalTrustBetweenDomains.html]

• Java.lang.SecurityException: [Security:090398]Invalid Subject - multithre..

  Hi
  I am getting java.lang.SecurityException: [Security:090398]Invalid Subject ... under the following scenario:
  - I have a simple dispatcher class which is starting a number of threads, every one of them sending messages to different Weblogic server.
  - The dispatcher class is a simple Java class, running from outside of Weblogic server; the authentication is done using the JNDI login.
  - The message sender threads create an InitialContext for each message being sent and the context is closed after succesfully sending the message.
  With just one message sender thread running, everything is OK.
  The problems appear when at least two threads run at the same time. What happens is that one of the threads sends messages successfully while the other ones fail with:
  java.lang.SecurityException: [Security:090398]Invalid Subject: principals=[user1, role1, role2, role3, role4]
  at weblogic.rjvm.BasicOutboundRequest.sendReceive(BasicOutboundRequest.java:108)
  at weblogic.rmi.internal.BasicRemoteRef.invoke(BasicRemoteRef.java:138)
  at weblogic.jms.dispatcher.DispatcherImpl_812_WLStub.dispatchSyncFuture(Unknown Source)
  at weblogic.jms.dispatcher.DispatcherWrapperState.dispatchSync(DispatcherWrapperState.java:339)
  at weblogic.jms.client.JMSConnection.createSessionInternal(JMSConnection.java:400)
  at weblogic.jms.client.JMSConnection.createTopicSession(JMSConnection.java:359)
  at com.delta.parser.test.TestMessageThread.sendMessage(TestMessageThread.java:54)
  at com.delta.parser.test.TestMessageThread.run(TestMessageThread.java:34)
  Caused by: java.lang.SecurityException: [Security:090398]Invalid Subject: principals=[user1, role1, role2, role3, role4]
  at weblogic.security.service.SecurityServiceManager.seal(SecurityServiceManager.java:682)
  at weblogic.rjvm.MsgAbbrevInputStream.getSubject(MsgAbbrevInputStream.java:182)
  at weblogic.rmi.internal.BasicServerRef.acceptRequest(BasicServerRef.java:825)
  at weblogic.rmi.internal.BasicServerRef.dispatch(BasicServerRef.java:300)
  at weblogic.rjvm.RJVMImpl.dispatchRequest(RJVMImpl.java:923)
  at weblogic.rjvm.RJVMImpl.dispatch(RJVMImpl.java:844)
  at weblogic.rjvm.ConnectionManagerServer.handleRJVM(ConnectionManagerServer.java:222)
  at weblogic.rjvm.ConnectionManager.dispatch(ConnectionManager.java:794)
  at weblogic.rjvm.t3.T3JVMConnection.dispatch(T3JVMConnection.java:570)
  at weblogic.socket.NTSocketMuxer.processSockets(NTSocketMuxer.java:105)
  at weblogic.socket.SocketReaderRequest.execute(SocketReaderRequest.java:32)
  at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:197)
  at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:170)
  The environment is Weblogic 8.1 (WebLogic Platform Developer license) running on Windows XP Professional.
  In the classpath I have the following weblogic jar files: weblogic.jar, wlclient.jar, wljmsclient.jar.
  The code that is generating the exceptions is:
  /****************** Dispatcher ************************/
  package test;
  public class TestThreadDispatcher {
  public TestThreadDispatcher() {
  public static void main(String[] args) {
  TestThreadDispatcher instance = new TestThreadDispatcher();
  instance.doTest();
  private void doTest() {
  TestMessageThread t1 = new TestMessageThread("weblogic.jndi.WLInitialContextFactory",
  "t3://pc10:7001",
  "user1",
  "passwd");
  t1.start();
  TestMessageThread t2 = new TestMessageThread("weblogic.jndi.WLInitialContextFactory",
  "t3://sjn:7001",
  "user1",
  "passwd");
  t2.start();
  TestMessageThread t3 = new TestMessageThread("weblogic.jndi.WLInitialContextFactory",
  "t3://pc99:7001",
  "user1",
  "passwd");
  t3.start();
  /****************** Message sender thread **************/
  package test;
  import java.util.*;
  import javax.jms.*;
  import javax.naming.*;
  import com.delta.parser.util.*;
  public class TestMessageThread extends Thread implements ParserConstants {
  private Hashtable environment;
  public TestMessageThread(String initialFactory,
  String url,
  String principal,
  String credentials) {
  Hashtable env = new Hashtable();
  env.put(Context.INITIAL_CONTEXT_FACTORY,
  initialFactory);
  env.put(Context.PROVIDER_URL,
  url);
  env.put(Context.SECURITY_PRINCIPAL,
  principal);
  env.put(Context.SECURITY_CREDENTIALS,
  credentials);
  environment = env;
  public void run() {
  int cnt = 0;
  while(true) {
  sendMessage("" + cnt++);
  try {
  sleep(500);
  } catch (InterruptedException iex) {
  private void sendMessage(String text) {
  try {
  Context ctx = new InitialContext(environment);
  TopicConnectionFactory factory = (TopicConnectionFactory)
  ctx.lookup("javax.jms.TopicConnectionFactory");
  TopicConnection connection = factory.createTopicConnection();
  TopicSession session = connection.createTopicSession(false,
  javax.jms.Session.AUTO_ACKNOWLEDGE);
  Topic topic = (Topic)ctx.lookup("FileTopic");
  TopicPublisher publisher = session.createPublisher(topic);
  TextMessage message = session.createTextMessage(text);
  publisher.publish(message);
  System.out.println("Message " + text + " sent to " +
  environment.get(Context.PROVIDER_URL));
  ctx.close();
  catch (JMSException jmsex) {
  jmsex.printStackTrace();
  catch (NamingException nex) {
  nex.printStackTrace();
  catch (SecurityException scex) {
  scex.printStackTrace();
  Any workarounds for this?
  BTW, I also tried using weblogic.jndi.Environment to obtain an InitialContext and wrapping the code inside thread's run() into Security.runAs(subject, new PrivilegedAction() { ....}, without success.
  Thanks in advance
  Mirel Rata

  Hi Kiran,
  Thank you for replying.
  Unfortunately the fix you suggested did not solve the problem. The server version I'm using is 8.1.
  The application I'm sending messages from is a standalone Java application, does not run from inside Weblogic server.
  Any thoughts?
  Regards,
  Mirel Rata

• OBIEE 11.1.1.1.6.0 Configuring a Database as the Authentication Provider

  Hi Experts,
  In oracle DB, we have created Users table which store whole users' information, and we want to display related information derived from DB in weblogc console according to the following link: http://docs.tpu.ru/docs/oracle/en/fmw/11.1.1.6.0/bi.1111/e10543/privileges.htm#CHDFHDBE
  (Note: use '3.4.3 Configuring a Database as the Authentication Provider')
  After all steps, restart all services, we can see all user in db who showed in console and author user can login EM and Console page, However,we can not open presentation sevices
  Log message as below:
  Are you facing the same issue?
  2012-08-29T23:19:18.000+08:00] [OBIPS] [ERROR:10] [] [saw.security.odbcuserpopulationimpl.searchidentities] [ecid: ] [tid: ] Odbc driver returned an error (SQLExecDirectW).
  State: HY000. Code: 10058. [NQODBC] [SQL_STATE: HY000] [nQSError: 10058] A general error has occurred.
  [nQSError: 43113] Message returned from OBIS.
  [nQSError: 13049] User 'author' with 'empty' permission can not query user population. (HY000)
  SQL Issued: {call NQSSearchIdentities('BOTH','GUID=0198E2F1D34011E1BF5F4B3F7C7118D6')}[[
  File:odbcuserpoploaderimpl.cpp
  Line:708
  Location:
  saw.security.odbcuserpopulationimpl.searchidentities
  saw.security.userpopulationmanagerimpl.getaccountdetailsbyid
  saw.subsystem.catalog.repaircatalogsecurity
  saw.subsystem.catalog.initialize
  saw.subsystems.catalogbootstrapper.loadcatalog
  saw.webextensionbase.init
  saw.sawserver
  saw.sawserver.initializesawserver
  saw.sawserver
  ecid:
  [2012-08-29T23:19:18.000+08:00] [OBIPS] [ERROR:10] [] [saw.security.odbcuserpopulationimpl.searchidentities] [ecid: ] [tid: ] {call NQSSearchIdentities('BOTH','GUID=0198E2F1D34011E1BF5F4B3F7C7118D6')}[[
  File:odbcuserpoploaderimpl.cpp
  Line:709
  Location:
  saw.security.odbcuserpopulationimpl.searchidentities
  saw.security.userpopulationmanagerimpl.getaccountdetailsbyid
  saw.subsystem.catalog.repaircatalogsecurity
  saw.subsystem.catalog.initialize
  saw.subsystems.catalogbootstrapper.loadcatalog
  saw.webextensionbase.init
  saw.sawserver
  saw.sawserver.initializesawserver
  saw.sawserver
  ecid:
  ]]

  You most probably haven't set Application Roles in EM for external users.
  Users belonging to application roles are only allowed to access OBI.
  Check the existing BIConsumer application role, see if you can add external users, and if not, use 'Create Like'.

• Can Actions Menu of Interactive Reports work with Custom Authentication?

  My testing is leading my to believe that Actions Menu do not work with Custom Authentication (but only work with APEX Authentication) in APEX 3.1.2? If that's true then is there a work around to this?
  Just to clarify, I've posted/asked this question twice before:
  1) Re: Actions Menu in Interactive Reports does not sort, filter, select cols etc
  2) Interactive Report actions don't work for users (i.e. for non-developers)
  But I've come to believe this is the main problem. I just don't know how to resolve/work around this?
  Thanks for any help.

  I haven't setup a sample because my custom authentication is using LDAP authentication. I'm not sure how I can replicate that on the samples server?
  I'm using LDAP authentication with a Page Sentry function. My further testing reveals that the Page Sentry function is setting the APEX variable user to NULL (ie blank) whenever there's any code in the Page Sentry function box. PL/SQL code as simple as
  BEGIN return TRUE; END;
  in the Page Sentry function box sets the "user" is set to <null>. When the Page sentry function box is left empty (no code specified) it sets the "user" properly after authentication against the specified LDAP directory.
  What all this has to do with Interactive Reports...
  It seems like when the user is NULL it messes-up Interactive Reports that are stored in the flows database. Although it shows the default report properly, but no runtime interactive actions (filtering, sorting, column break, etc.) work.
  Can someone please correct or confirm this?
  Thanks.

• Java.lang.SecurityException: [Security:090398]Invalid Subject: WEBLOGIC 9.1

  Hi
  I am getting this error when I am making an EJB method which resides in a different weblogic 9.1 server.
  I have enaled the trust between my two domains. Set the required class path settings.
  My client call is from a JSP , say client.jsp.
  Here I get remote object of the EJB and calls the required method
  Now
  1) My EJB calls are succesful when I DO NOT secure it
  2) but when I make it is secured , ie when I
  include the jsp in secured URL ie. under <security-constraint><url-pattern>client.jsp</> in web.xml
  , it gives me the follwing error
  The stack trace is given below
  java.lang.SecurityException: [Security:090398]Invalid Subject: principals=[com.ebreviate.security.wl9realm.EBRUser@a09a08, ess, everyone]
  at weblogic.rjvm.ResponseImpl.unmarshalReturn(ResponseImpl.java:191)
  at weblogic.rmi.cluster.ClusterableRemoteRef.invoke(ClusterableRemoteRef.java:315)
  at weblogic.rmi.cluster.ClusterableRemoteRef.invoke(ClusterableRemoteRef.java:250)
  at weblogic.jndi.internal.ServerNamingNode_910_WLStub.lookup(Unknown Source)
  at weblogic.jndi.internal.WLContextImpl.lookup(WLContextImpl.java:374)
  Truncated. see log file for complete stacktrace
  Any idea why it is ?
  Please let me know
  Thanks
  Binu
  Edited by binurajkr at 01/25/2008 4:36 AM

  Hi. Contact official BEA Support. This is likely
  to be a known issue with a patch available to fix it.
  Joe
  binu raj wrote:
  Hi
  I am getting this error when I am making an EJB method which resides in a different weblogic 9.1 server.
  I have enaled the trust between my two domains. Set the required class path settings.
  My client call is from a JSP , say client.jsp.
  Here I get remote object of the EJB and calls the required method
  Now
  1) My EJB calls are succesful when I DO NOT secure it
  2) but when I make it is secured , ie when I
  include the jsp in secured URL ie. under <security-constraint><url-pattern>client.jsp</> in web.xml
  , it gives me the follwing error
  The stack trace is given below
  java.lang.SecurityException: [Security:090398]Invalid Subject: principals=[com.ebreviate.security.wl9realm.EBRUser@a09a08, ess, everyone]
  at weblogic.rjvm.ResponseImpl.unmarshalReturn(ResponseImpl.java:191)
  at weblogic.rmi.cluster.ClusterableRemoteRef.invoke(ClusterableRemoteRef.java:315)
  at weblogic.rmi.cluster.ClusterableRemoteRef.invoke(ClusterableRemoteRef.java:250)
  at weblogic.jndi.internal.ServerNamingNode_910_WLStub.lookup(Unknown Source)
  at weblogic.jndi.internal.WLContextImpl.lookup(WLContextImpl.java:374)
  Truncated. see log file for complete stacktrace
  Any idea why it is ?
  Please let me know
  Thanks
  Binu
  Edited by binurajkr at 01/25/2008 4:36 AM

• OpenLDAP authentication provider with CA LDAP server

  Hi,
  I am trying to get authentication to work using an OpenLDAP AP connecting to CA LDAP server (formerly eTrust LDAP server). I am at the point where the bind is successful, the user account is authenticated in LDAP, but I am unable to retrieve the group information.
  Here is the error for the group lookup:
  ####<Apr 8, 2013 9:48:33 AM CDT> <Debug> <SecurityAtn> <EPMDOWCS8> <ms1> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <01f9ee928bc01ecd:275c5c34:13dea1201e3:-7ffd-000000000000021d> <1365432513554> <BEA-000000> <[Security:090278]Error listing member groups myACID>
  This is the final error, presumably because the group lookup failed:
  ####<Apr 8, 2013 9:48:33 AM CDT> <Debug> <SecurityAtn> <EPMDOWCS8> <ms1> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <01f9ee928bc01ecd:275c5c34:13dea1201e3:-7ffd-000000000000021d> <1365432513554> <BEA-000000> <javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User myACID denied
       at weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.login(LDAPAtnLoginModuleImpl.java:229)
       at com.bea.common.security.internal.service.LoginModuleWrapper$1.run(LoginModuleWrapper.java:110)
       at com.bea.common.security.internal.service.LoginModuleWrapper.login(LoginModuleWrapper.java:106)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:597)
       at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
       at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
       at javax.security.auth.login.LoginContext$4.run(LoginContext.java:684)
       at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
       at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
       at com.bea.common.security.internal.service.JAASLoginServiceImpl.login(JAASLoginServiceImpl.java:113)
  The CA LDAP server is pointed to a Top Secret database, so the attribute names are atypical as far as directory services objects are concerned. I've tried modifying the group and static group information to search both groups and profiles, but both fail. I've also tried omitting the static group information, and specifying dynamic group info, but that failed as well.
  Here is the search it is running:
  (&(memberOf=tssacid=myACID,tssadmingrp=acids,host=ourdevsysid,o=our.ORG)(objectclass=tssprofile))
  Here the is the group based DN: tssadmingrp=profiles,host=ourdevsysid,o=our.org
  The group search scope is subtree. I tried unlimited, and a limited of 2 levels.
  If I execute the filtered search using a third party tool (JXplorer), I receive this error:
  javax.naming.NamingException: [LDAP: error code 80 - LDP2900E Unknown attribute, , in filter string]; remaining name 'tssadmingrp=profiles,host=ourdevsysid,o=our.org'
       at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3085)
       at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2987)
       at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2794)
       at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1826)
       at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1749)
       at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:368)
       at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:338)
       at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:257)
       at com.ca.commons.jndi.JNDIOps.rawSearch(JNDIOps.java:1192)
       at com.ca.commons.jndi.JNDIOps.rawSearchSubTree(JNDIOps.java:1039)
       at com.ca.commons.naming.DXOps.rawSearchSubTree(DXOps.java:343)
       at com.ca.commons.jndi.JNDIOps.searchSubTree(JNDIOps.java:1030)
       at com.ca.directory.jxplorer.broker.JNDIDataBroker.unthreadedSearch(JNDIDataBroker.java:772)
       at com.ca.directory.jxplorer.broker.DataBroker.doSearchQuery(DataBroker.java:485)
       at com.ca.directory.jxplorer.broker.DataBroker.processRequest(DataBroker.java:253)
       at com.ca.directory.jxplorer.broker.JNDIDataBroker.processRequest(JNDIDataBroker.java:376)
       at com.ca.directory.jxplorer.broker.DataBroker.processQueue(DataBroker.java:200)
       at com.ca.directory.jxplorer.broker.JNDIDataBroker.processQueue(JNDIDataBroker.java:883)
       at com.ca.directory.jxplorer.broker.DataBroker.run(DataBroker.java:165)
       at java.lang.Thread.run(Thread.java:662)
  When I execute that same search in JXplorer directly on one of the profile objects (e.g. tssprofile=@oneofourprofiles,tssadmingrp=profiles,host=a12sysid,o=tgslc.org), it runs successfully.
  Here is an old post. Seems the op encountered the same problem I did.
  authentication provider for CA eTrust LDAP server
  Anyone work with these technologies in a past life?
  Thanks,
  Rob

  Are you able to see the users in weblogic?Not for this AP. I have a ReadOnly SQL authenticator as well. I am able to see users for that, and for the Default Authenticator.
  Have you assigned admin roles to the user in weblogic?No. I do not intend to do that, and I don't believe I am required to do that.
  is the group base dn properly configured?Yes.

• Workshop 8.1 Calling EJB from Custom Authentication Provider

  I am writing a custom authentication provider that runs on Weblogic Server 8.1 and also on Workshop 8.1. Everything is packaged into a jar file that I put into the mbeantypes directory. From the authentication provider I want to get an EJB home that is on another Weblogic 8.1 server.
  Loading the home from the Weblogic server works great. But in Workshop I get a ClassCastException from the PortableRemoteObject.narrow() call.
  This happens in Workshop even if I remove all my application jar files, so I am left with nothing but the startup classpath and the files in the mbeantypes directory. That is, I don't have any classes in two directories.
  When I look at the class that I actually get back from the call to context.lookup( jndiName ), I get the same stub class back on the Weblogic Server and on the Workshop server. But only on Workshop do I have this casting problem.
  Any ideas?
  Thanks,
  Mark

  Issue has been resolved.
  The reason I've forgotten about Value Object that is being returned by Remoute method to put them into classpath of Authenticator Provider