Weblogic security role
Hi,
I have a need to restrict access for certain users in WL who will be OBIEE admins, so they don't need access to the WL console but do need access to EM, specifically coreapplication, to deploy a new .rpd.
I've tried and tried but just can't get a role to allow such specific access. Can anyone shed some light? Any role I have created or configured allows access to EM but then doesn't allow access to coreapplication; from what I can see only the administrator role has the privilege.
Chandramohan V <[email protected]> writes:
Hi,
I am chandramohan. I am very new to Weblogic. I want some sample code for EJB Security (Basic level).
There are samples in the kit and on dev2dev.bea.com
andy
Similar Messages
-
Using weblogic security roles in authentication: weblogic 9
Hi All,
I am trying to create a simple application which uses declarative authorization configured in web.xml. I use the simple form based authentication. While trying to deploy my application, I get the error:
weblogic.management.DeploymentException: [HTTP:101168]The security-role-assignment references an invalid security-role: LTVORole.
But I have defined the role LTVORole in weblogic using the administrator console.
Below are the details of what I have done:
Web.xml:
========
<?xml version='1.0' encoding='UTF-8'?>
<j2ee:web-app xmlns:j2ee="http://java.sun.com/xml/ns/j2ee">
<j2ee:welcome-file-list>
<j2ee:welcome-file>login.jsp</j2ee:welcome-file>
<j2ee:welcome-file>index.html</j2ee:welcome-file>
<j2ee:welcome-file>index.htm</j2ee:welcome-file>
</j2ee:welcome-file-list>
<j2ee:login-config>
<j2ee:auth-method>FORM</j2ee:auth-method>
<j2ee:form-login-config>
<j2ee:form-login-page>/login.jsp</j2ee:form-login-page>
<j2ee:form-error-page>/error.jsp</j2ee:form-error-page>
</j2ee:form-login-config>
</j2ee:login-config>
<security-constraint>
<display-name>checkAccountConstraint</display-name>
<web-resource-collection>
<web-resource-name>checkAccountCollection</web-resource-name>
<url-pattern>test.jsp</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>LTVORole</role-name>
</auth-constraint>
</security-constraint>
</j2ee:web-app>
Weblogic.xml
===========
<?xml version="1.0" encoding="UTF-8"?>
<ns:weblogic-web-app xmlns:ns="http://www.bea.com/ns/weblogic/90">
<security-role-assignment>
<role-name>LTVORole</role-name>
<externally-defined/>
</security-role-assignment>
</ns:weblogic-web-app>
I have created the role in weblogic in the menu
security realms > myrealm > roles and policies > Global Roles > roles > LTVORole
Is it the right way to define a role?
Please help me find where I am going wrong.
Thanking you all in advance,
Gireesh -
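A check for the mismatch behind the HTTP:101168 error in the post above, as an added example that is not part of the original post or of WebLogic: the role named in weblogic.xml's security-role-assignment and in web.xml's auth-constraint is never declared in a web.xml security-role element. The descriptors are abridged from the post as constructed sample input; `lint`, `texts` and `FIXED_WEB_XML` are names introduced here, and the url-pattern check is based on the Servlet specification's pattern forms.

```python
"""Cross-check role names between web.xml and weblogic.xml (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample input: the post's descriptors, abridged, XML declaration dropped.
WEB_XML = """<j2ee:web-app xmlns:j2ee="http://java.sun.com/xml/ns/j2ee">
  <j2ee:login-config>
    <j2ee:auth-method>FORM</j2ee:auth-method>
  </j2ee:login-config>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>checkAccountCollection</web-resource-name>
      <url-pattern>test.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>LTVORole</role-name>
    </auth-constraint>
  </security-constraint>
</j2ee:web-app>"""

WEBLOGIC_XML = """<ns:weblogic-web-app xmlns:ns="http://www.bea.com/ns/weblogic/90">
  <security-role-assignment>
    <role-name>LTVORole</role-name>
    <externally-defined/>
  </security-role-assignment>
</ns:weblogic-web-app>"""

# Hypothetical corrected web.xml: the role is declared and the pattern starts with '/'.
FIXED_WEB_XML = WEB_XML.replace(
    "<url-pattern>test.jsp", "<url-pattern>/test.jsp"
).replace(
    "</j2ee:web-app>",
    "  <security-role>\n    <role-name>LTVORole</role-name>\n  </security-role>\n"
    "</j2ee:web-app>",
)


def local(tag):
    """Strip an ElementTree '{namespace}' prefix from a tag name."""
    return tag.rsplit("}", 1)[-1]


def texts(root, parent, child):
    """Text of every <child> directly under a <parent>.

    Elements are matched by local name because the posted files mix
    prefixed and unprefixed elements.
    """
    found = []
    for el in root.iter():
        if local(el.tag) == parent:
            found += [(c.text or "").strip() for c in el if local(c.tag) == child]
    return found


def lint(web_xml, weblogic_xml):
    """Return (file, element, value) findings for the two descriptors."""
    web, wls = ET.fromstring(web_xml), ET.fromstring(weblogic_xml)
    declared = set(texts(web, "security-role", "role-name"))
    findings = []
    # A role assigned in weblogic.xml must be declared in web.xml.
    for role in texts(wls, "security-role-assignment", "role-name"):
        if role not in declared:
            findings.append(("weblogic.xml", "security-role-assignment", role))
    # A role used in an auth-constraint should be declared as well ('*' means all roles).
    for role in texts(web, "auth-constraint", "role-name"):
        if role != "*" and role not in declared:
            findings.append(("web.xml", "auth-constraint", role))
    # Servlet spec pattern forms start with '/' or '*.'; any other string is an
    # exact match that a request path, which begins with '/', cannot equal.
    for pattern in texts(web, "web-resource-collection", "url-pattern"):
        if not pattern.startswith(("/", "*.")):
            findings.append(("web.xml", "url-pattern", pattern))
    return findings


if __name__ == "__main__":
    for label, doc in (("as posted", WEB_XML), ("corrected", FIXED_WEB_XML)):
        print(label, lint(doc, WEBLOGIC_XML))
```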
How to use security roles in Weblogic server?
Hello Gurus,
I am new to Weblogic server and I am trying to investigate how to make
use of security roles in weblogic server (5.1.0). Can anyone point me
to some documentation. Specifically, I am looking for instance level,
and method level security and how to use it.
Thanks for taking your time to read this e-mail.
Thank You all in advance,
Hari.
You should read the security information in the Servlet 2.2 specification that WL 5.1 implements:
http://java.sun.com/products/servlet/download.html
Chapter 11 deals with declarative and programmatic security, and includes a section on roles:
11.4 Roles
A role is an abstract logical grouping of users that is defined by the Application Developer or Assembler. When the application is deployed, these roles are mapped by a Deployer to security identities, such as principals or groups, in the runtime environment.
A servlet container enforces declarative or programmatic security for the principal associated with an incoming request based on the security attributes of that calling principal. For example,
1. When a deployer has mapped a security role to a user group in the operational environment. The user group to which the calling principal belongs is retrieved from its security attributes. If the principal's user group matches the user group in the operational environment that the security role has been mapped to, the principal is in the security role.
2. When a deployer has mapped a security role to a principal name in a security policy domain, the principal name of the calling principal is retrieved from its security attributes. If the principal is the same as the principal to which the security role was mapped, the calling principal is in the security role.
Cameron Purdy
http://www.tangosol.com
-
Create , delete "security roles" in weblogic console - sample Security providers
Hi Everyone:
Weblogic gave out sample Security Providers for version 7.0 and 8.1. In
those sample Security Providers, the author of the code used property files as
the Security Providers' database; however, he/she didn't show how to create a
Manageable Sample Role Mapping Provider or Manageable Sample Authentication
Provider, so that the Administrator of the weblogic console can create and delete
"security roles" in the weblogic console.
Does anyone know how to do that?
Ming Qin
I would ask in the weblogic.developer.interest.management.console newsgroup.
-
Weblogic security & EJB role based access
How does (or not) weblogic security tie into the EJB notion of role based
control ? Can we create a 'custom' security mechanism for EJB (which
basically uses the EJB facilities but extends it within the application) by
using custom weblogic realms ?
Thanks
Raju
Thanks !
"Terry" <[email protected]> wrote in message
news:[email protected]...
comments inline
r <[email protected]> wrote in message
news:[email protected]...
Here are some more specific questions around an 'example' scenario:
The application has an entity bean 'Account' that can be accessed by the
roles 'Bank Employee' and 'Customer'
'Bank Employee' can execute the 'getBalance()' and 'placeOnHold()'
methods on the 'Account' bean
'Customer' can execute the 'withdraw()', 'deposit()', and 'getBalance()'
methods on the 'Account' bean
These permissions are set up through the deployment descriptor by mapping
the 'Bank Employee' and 'Customer' roles
to the particular bean methods that the role should be given access to.
1. How does weblogic provide the facility to map the EJB deployment descriptor
<security-role> to a particular weblogic principal (user or group)
Or, should I say, how do I map the user or group to a
deployment-descriptor defined role?
In the deployment tool, once in the jar select the 'Security' item, create
an application role (in your case it is probably best to create 2 security
roles - the bank employee role referring to the bank employee group (use the
'in role' checkboxes), and the customer role referring to the customer group -
there may at some point be use for an allUsers role, which includes both
groups, maybe not. What I am saying is that a role is made of one or more
Principals - in our case groups)
In the Account Bean select the method permissions item, and create a method
permission perm-0, select the perm-0 item that has just popped up in the
left hand window, tick the box for placeOnHold(), and the boxes for <remote>
and <home> one level deeper than this in the tree (as an aside, I have
absolutely no idea why there would be a 'home' box here, ho hum). Select the
'bank employee' 'can invoke' tickbox
Create perm-1, and do what you did above for 'withdraw()' and 'deposit()'
methods, and the 'customer' tickbox
I believe the documents say you would have to set up another permission to
allow both groups access to the getBalance method, but in practice I haven't
found this the case.
The documentation for this is at
http://www.weblogic.com/docs51/classdocs/API_ejb/EJB_deploy.html#1102211
(or search for 'Deploying EJBs with DeployerTool')
2. Are there any administrative tools provided by weblogic to do this mapping ?
The deployer tool. Otherwise I think it's the case of writing your own xml files
3. How much effort & complexity is involved in creating a custom realm
Hmm, depends - you could have the RDBMSRealm that is provided in 'examples'
in half an hour or so (there is a problem with one of the RDBMSUser's
methods - getUserType or something like that - the solution can be found in
the newsgroups if you search), the same is probably true of the LDAPRealm,
NTRealm etc (although I have never used these).
Which one you choose depends on what equipment you have available, although
I would say that the RDBMSRealm can use a lot of optimisation
Thanks,
Welcome
Raju
"Terry" <[email protected]> wrote in message
news:[email protected]...
The Principals (i.e. groups and users) from your custom realm are used to
define application roles for the EJBs, but, as far as I am aware you cannot
use a custom implementation for the ACLs for EJBs
terry
-
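The Account scenario from the thread above, worked through offline as an added example (not from the thread or from WebLogic's tools): it reads method-permission entries from ejb-jar.xml and security-role-assignment entries from weblogic-ejb-jar.xml and resolves which principals may invoke which bean methods. The descriptors are constructed for the scenario; the role names BankEmployee and Customer, the group names bankEmployees and customers, and all function names are assumptions.

```python
"""Resolve principal -> EJB method access from deployment descriptors (added example)."""
import xml.etree.ElementTree as ET

# Constructed ejb-jar.xml fragment for the thread's Account bean (role names assumed).
EJB_JAR_XML = """<ejb-jar>
  <assembly-descriptor>
    <security-role><role-name>BankEmployee</role-name></security-role>
    <security-role><role-name>Customer</role-name></security-role>
    <method-permission>
      <role-name>BankEmployee</role-name>
      <method><ejb-name>Account</ejb-name><method-name>placeOnHold</method-name></method>
      <method><ejb-name>Account</ejb-name><method-name>getBalance</method-name></method>
    </method-permission>
    <method-permission>
      <role-name>Customer</role-name>
      <method><ejb-name>Account</ejb-name><method-name>withdraw</method-name></method>
      <method><ejb-name>Account</ejb-name><method-name>deposit</method-name></method>
      <method><ejb-name>Account</ejb-name><method-name>getBalance</method-name></method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>"""

# Constructed weblogic-ejb-jar.xml fragment (group names assumed).
WEBLOGIC_EJB_JAR_XML = """<weblogic-ejb-jar>
  <security-role-assignment>
    <role-name>BankEmployee</role-name>
    <principal-name>bankEmployees</principal-name>
  </security-role-assignment>
  <security-role-assignment>
    <role-name>Customer</role-name>
    <principal-name>customers</principal-name>
  </security-role-assignment>
</weblogic-ejb-jar>"""


def method_permissions(ejb_jar_xml):
    """Map role name -> set of 'Bean.method' strings from <method-permission>."""
    perms = {}
    for mp in ET.fromstring(ejb_jar_xml).iter("method-permission"):
        methods = {
            "%s.%s" % (m.findtext("ejb-name").strip(), m.findtext("method-name").strip())
            for m in mp.findall("method")
        }
        for role in mp.findall("role-name"):
            perms.setdefault(role.text.strip(), set()).update(methods)
    return perms


def role_principals(weblogic_ejb_jar_xml):
    """Map role name -> set of principals from <security-role-assignment>."""
    mapping = {}
    for sra in ET.fromstring(weblogic_ejb_jar_xml).iter("security-role-assignment"):
        role = sra.findtext("role-name").strip()
        mapping.setdefault(role, set()).update(
            p.text.strip() for p in sra.findall("principal-name")
        )
    return mapping


def access_matrix(ejb_jar_xml, weblogic_ejb_jar_xml):
    """Map principal -> sorted list of methods reachable through its roles."""
    perms = method_permissions(ejb_jar_xml)
    matrix = {}
    for role, principals in role_principals(weblogic_ejb_jar_xml).items():
        for principal in principals:
            matrix.setdefault(principal, set()).update(perms.get(role, set()))
    return {p: sorted(m) for p, m in sorted(matrix.items())}


def callers(matrix, method):
    """Principals that may invoke one 'Bean.method'."""
    return sorted(p for p, methods in matrix.items() if method in methods)


def unmapped_roles(ejb_jar_xml, weblogic_ejb_jar_xml):
    """Roles that guard methods but have no principal assigned in the descriptor."""
    assigned = role_principals(weblogic_ejb_jar_xml)
    return sorted(r for r in method_permissions(ejb_jar_xml) if not assigned.get(r))


if __name__ == "__main__":
    matrix = access_matrix(EJB_JAR_XML, WEBLOGIC_EJB_JAR_XML)
    for principal, methods in matrix.items():
        print(principal, methods)
    print("getBalance callers:", callers(matrix, "Account.getBalance"))
```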
Invalid Security role-name error in Web Project
Hi All,
I have imported a J2EE application project built in JBOSS into NWDS 7.1.
While building the project I get the following error
CHKJ3020E:Invalid Security role-name error: PEHNTAHO_ADMIN
This error directs me to the following code in web.xml
<security-constraint>
<display-name>Default JSP Security Constraints</display-name>
<web-resource-collection>
<web-resource-name>Portlet Directory</web-resource-name>
<url-pattern>/jsp/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>PEHNTAHO_ADMIN</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
I have tried out the following things to resolve this issue :
1) Remove the role manually (as suggested by various people in other J2EE forums), but then some other error came into the picture
2) Then I added the following code in web.xml
<security-role>
<role-name>PEHNTAHO_ADMIN</role-name>
</security-role>
Then the above mentioned build error gets resolved, but then I get the following error while deploying the application.
Dec 3, 2007 12:59:21 AM /userOut/daView_category (eclipse.UserOutLocation) [Thread[Deploy Thread,5,main]] ERROR: Deploy Exception.An error occurred while deploying the deployment item 'sap.com_AnalyticsApp2EAR'.; nested exception is:
java.rmi.RemoteException: class com.sap.engine.services.dc.gd.DeliveryException: An error occurred during deployment of sdu id: sap.com_AnalyticsApp2EAR
sdu file path: D:\usr\sap\CE1\J01\j2ee\cluster\server0\temp\tcbldeploy_controller\archives\191\AnalyticsApp2EAR.ear
version status: HIGHER
deployment status: Admitted
description:
1. Error:
Cannot update application sap.com/AnalyticsApp2EAR. Reason: The application sap.com/AnalyticsApp2EAR will not be update, because its validation failed. Reason:
ERRORS:
Web Model Builder: com.sap.engine.frame.core.configuration.NameNotFoundException: The parameter/s in String "<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
<!-- whole web.xml-->
</web-app>
" is/are not defined and could not be substituted., file: AnalyticsApp2.war#WEB-INF/web.xml, column 0, line 0, severity: error
WARNINGS:
Web Model Builder: Following tests could not be executed because of failed precondition test "Web Model Builder" : Implicit Constraints Test, JSF Application Test, Mapping Test, Web File Existence Test, Web Class Existence Test, Security Role Test, file: AnalyticsApp2.war, column -1, line -1, severity: warning
3) I had also added the following code in web-j2ee-engine.xml
<security-role-map>
<role-name>PEHNTAHO_ADMIN</role-name>
<server-role-name>all</server-role-name>
</security-role-map>
but still I get the same deployment error.
Please help me in resolving this problem.
Can anybody tell me the use of role "PEHNTAHO_ADMIN"?
Thanks and Regards,
Sruti
Hi Malathy,
Once the users are created in Authentication Provider, and once the roles are created in Weblogic Server, you just have to map users to roles in Jazn-data.xml.
Could you please let us know whether you created a role named users in WLS?
Thanks & Regards,
Murali.
============ -
Security-role and security-role-assignment not working in WL7.0
Hello all..
Some EJB components that worked fine in WebLogic 6.1 no longer work in
WL7.0. It has to do with the security-role and security-role-assignment
descriptor elements no longer allowing anonymous users to be included in the
authorization for a bean.
For example, in WL6.1 placing these items in ejb-jar.xml:
<assembly-descriptor>
<security-role>
<role-name>Employees</role-name>
</security-role>
<method-permission>
<role-name>Employees</role-name>
<method>
<ejb-name>CustomerEJB</ejb-name>
<method-name>*</method-name>
</method>
</method-permission>
</assembly-descriptor>
and mapping WebLogic default users to this role in weblogic-ejb-jar.xml:
<security-role-assignment>
<role-name>Employees</role-name>
<principal-name>guest</principal-name>
<principal-name>system</principal-name>
</security-role-assignment>
worked fine for clients creating their context using a simple
InitialContext() constructor without specifying SECURITY_PRINCIPAL or
SECURITY_CREDENTIALS. These users were basically "guest" to WebLogic, and
the security-role-assignment element above told WebLogic that "guest" was in
the Employees role for purposes of this EJB archive.
Worked in WL6.1, no longer works in WL7.0. Client receives typical
permission exception:
java.rmi.AccessException: Security violation: insufficient permission to
access method 'create'
If I explicitly connect as "system" things are fine, or I can create a new
user in the default realm in WebLogic, put a matching <principal-name>
element in the section above, and connect as that user. Note that if I leave
off the <security-role> section completely, or set the required role name to
"everyone", the anonymous access works fine. Apparently the anonymous user
is a member of "everyone" behind the scenes even though "everyone" does not
appear in the realm list of groups or roles.
So, my question boils down to this: Is there a "magic" username in WL7 like
"guest" was in WL6.1 that can be mapped to the required role name, or must
every client connection use a true weblogic-created user with appropriate
role assignments used to map it to the required role name.
-Greg
P.S. Note that none of the EJB examples provided with WL used
<security-role>..
Check out my WebLogic 6.1 Workbook for O'Reilly EJB Third Edition
www.amazon.com/exec/obidos/ASIN/1931822468 or www.titan-books.com
-
How to create default groups in Weblogic- Security Realms -- Groups
Hi Team,
Unfortunately I have deleted some default groups from Weblogic->Security Realms --> Groups. How to add the groups.
Regards,
Ravi.
Hi Ravi,
These are the default groups present inside Security Realms; you can manually create them by
going inside Security Realms-->Users and Groups-->Groups-->New
Administrators - Administrators can view and modify all resource attributes and start and stop servers. - DefaultAuthenticator
Deployers - Deployers can view all resource attributes and deploy applications. - DefaultAuthenticator
Monitors - Monitors can view and modify all resource attributes and perform operations not restricted by roles. - DefaultAuthenticator
Operators - Operators can view and modify all resource attributes and perform server lifecycle operations. - DefaultAuthenticator
Restart the Admin Server
Regards
FAbian -
How to list principals in the security role?
Does anybody know how to list principals assigned to a security role programmatically?
The role assignment is specified in weblogic.xml files for web applications and
weblogic-ejb-jar.xml files for EJBs.
Any help would be much appreciated,
Margaret
I think it's not possible. However, what you can do is to assign a role to a
group (this relationship being statically defined in weblogic.xml) and then
manipulate the group membership in order to assign users to the role on the
fly.
-
Hi,
I am migrating a web application from Websphere to Weblogic. The web application has a security role defined in web.xml (Use LDAP for authentication).
<security-role>
<description>Authenticated</description>
<role-name>Authenticated</role-name>
</security-role>
This role is mapped to a special subject "All authenticated user in application realm" in WAS.
In weblogic, I have the following setting in weblogic.xml
<wls:security-role-assignment>
<wls:role-name>Authenticated</wls:role-name>
<wls:externally-defined />
</wls:security-role-assignment>
And after deploying the application, I have to manually add a security role and add the security policy "Allow access to everyone" to this role.
I am wondering if this setting can be specified in, for example, weblogic.xml so I can just deploy the web application using the deployment descriptor, and I don't need to write a script to do that.
Thanks
Hi,
You need to have Back End support to achieve this. In Back End you need to create two groups . You need to know what joins has to be made for which group (which is more important) and also make session variable for the userrole (with SQL supporting it). In the BMM layer, we need to put the security join conditions in the 'where clause'.
And make a common report. User loggin in with the respective userid will have userrole and joins assigned in the Back end. And they will be viewing the report according to their access.
Hope this will solve your problem.
Regards
MuRam -
Hi All,
My requirements are as follows:
1) Have a central repository like the iplanet Directory server to store the information
of users,groups etc
2)Perform identity management to manage roles and permissions This includes the
ability to define users, resources, and abstract concepts such as a user role
or a group
3)The final requirement is access management. This is the enforcement of which
users have access to what information. It includes authentication and authorization
mechanisms to make sure someone is who they claim to be and that they have the
authority to get the information they requested, and access management to enforce
the permissions
I need to achieve these requirements for my Portal application. My queries for
the same are as follows
1)The default Weblogic authentication providers can be used to authenticate users
located on iplanet Directory server.
2)But my doubt is with the authorization provider, Role Mapper providers etc they
seem to be tightly coupled to the embedded LDAP. In order to solve my requirements
on 2 and 3 what are the approaches that are available.
3)I also have tried to create a new Realm that the Iplanet authentication provider
configured to authenticate against iPlanet LDAP and also the other default providers
that come along with
weblogic to do authorization checks. When I try to start my server I get the following
error and the server does not start.
<Nov 28, 2003 4:58:31 PM GMT+05:30> <Critical> <Security> <BEA-090404> <User weblogic is not permitted to boot the server; The server policy may have changed in such a way that the user is no longer able to boot the server.Reboot the server with the administrative user account or contact the system administrator to update the server policy definitions.>
The WebLogic Server did not start up properly.
Reason: weblogic.security.SecurityInitializationException: User weblogic is not permitted to boot the server; The server policy may have changed in such a way that the user is no longer able to boot the server.Reboot the server with the administrative user account or contact the system administrator to update the server policy definitions.
Can anyone suggest me any ways to solve my queries and if you could provide some
input on how to solve my requirements that will be very useful and we are WLS
shop so the solution should be within the reach of weblogic server security
Hi,
This is w.r.t the same query.
1)Where do you want your role and policy information stored? How is your role
and policy information defined? The WLS framework is limited to WLS resources
(ejbs,
webapps,jdbc connection pools, etc.)
Ans) The Roles and Policies are defined in the External LDAP.
"Anand" <[email protected]> wrote:
>
Hi,
Thanks for your replies. I have a couple of other queries which are as
follows:
1. How do we decouple the Embeded LDAP and connect to External LDAP Server
for
Authentication and Authorization( I prefer iPlanet LDAP Server)
2. Is Portal WLS resource ? If so I want to build a Access Control List.
3. Can you point me to any resource which guides me how to configure
iPlanet server
for authentication and Authorization. I am a novice. This tutorial/sample
should
include all necessary codes.
"Peter" <PeterB> wrote:
"Anand" <[email protected]> wrote in message
news:[email protected]...
2) But my doubt is with the authorization provider, Role Mapper providers etc they
seem to be tightly coupled to the embedded LDAP. In order to solve my requirements
on 2 and 3 what are the approaches that are available.
The role mapper and authorization providers do store roles and policies in embedded
ldap server.
Where do you want your role and policy information stored? How is your role and policy
information defined? The WLS framework is limited to WLS resources (ejbs, webapps,
jdbc connection pools, etc.)
3) I also have tried to create a new Realm that the Iplanet authentication provider
configured to authenticate against iPlanet LDAP and also the other default providers
that come along with
weblogic to do authorization checks. When I try to start my server I get the following
errror and the server does not start.
WLS uses the server resource to determine if you can boot the server. There is a policy
that allows users with admin or operator role. The default for that role is member
of the administrators or operators group. You can change this role expression with
the console.
Therefore, check to see if your boot user is a member of the administrators group.
-
[Weblogic Security In Action]
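Abstract
This article explores the security framework in the Weblogic Platform and how to implement enterprise security (Weblogic Enterprise Security, WLES for short) within that framework.
The article is divided into three parts.
Part 1 mainly explains the concepts of WLES. Following the outline below, it gives the reader a clear understanding of the Weblogic security framework and, on that basis, of the basic Weblogic security elements such as User, Group, Role and Resource. It also discusses how to implement authentication and authorization under WLES.
Part 2 mainly covers WLES configuration, focusing on how to configure SSL and certificates in WLS, how to configure LDAP and databases, how to implement Windows integrated security, and how to implement single sign-on (SSO) on top of open-source technologies such as CAS, SAML and SPNEGO.
Part 3 mainly explains the Weblogic MBean mechanism, describes how to implement your own Custom Security Provider, and explains how to use Weblogic Security Providers to build a strong, robust security architecture.
[Part 1]
1, Overview of the Weblogic Platform security framework
2, Users, groups, roles, resources and security policies under a Security Realm
3, Authentication and authorization
[Part 2]
4, Configuring SSL and digital certificates
5, Windows integrated security
6, Single sign-on (SSO)
[Part 3]
7, Implementing your own Security Provider
8, Building a flexible security architecture on Security Providers
So far only this has been written:
Weblogic Security In Action, Part 1
http://www.matrix.org.cn/blog/cas/archives/WeblogicSecurityInAction(1).swf
It turns out that writing articles is this tiring.
Parts 2 and 3 are being written; please stay tuned.
I hope readers will point out any errors in the article and email me, because I really have no time to review it carefully.
To make it easier for Weblogic users to manage JKS certificates, I have released an Eclipse plugin, code-named SecureX. The plugin will integrate Keytool, Axis digital signatures, encryption, and SSO/SSL wizards. The current version is 1.0.0, adapted from KeytoolGUI 1.6.
I have made quite a few enhancements. The original version has stopped development and been commercialized by its author; the open-source version will be provided by me from now on :)
SecureX URL: http://www.blogjava.net/openssl/archive/2006/03/17/35781.html
For more about SecureX, see http://www.blogjava.net/openssl/archive/2006/02/08/29886.aspx
The project is licensed under the GPL; see https://sourceforge.net/projects/securex/
The source code will be published to SF with version 2.0.
It is a graphical replacement for Keytool with added digital-signature functionality. The original version came from Keytool Gui 1.6 (Swing-based); I rewrote the interface in SWT, integrated it into SecureX and, building on SecureX, keep extending its Java Security features, including encryption, signing, an SSO wizard, an SSL wizard and the like.
Download:
http://www.blogjava.net/Files/openssl/plugins.part1.rar
http://www.blogjava.net/Files/openssl/plugins.part2.rar
http://www.blogjava.net/Files/openssl/plugins.part3.rar
http://www.blogjava.net/Files/openssl/plugins.part4.rar
http://www.blogjava.net/Files/openssl/plugins.part5.rar
http://www.blogjava.net/Files/openssl/plugins.part6.rar
http://www.blogjava.net/Files/openssl/plugins.part7.rar
After downloading, extract into the plugins directory, then find
its subdirectory SecureX_1.0.0.
Then copy it in its entirety into the Plugin directory under the Eclipse directory and restart Eclipse.
Then click KeyTool under the Securex menu item to run it.
If you are interested in SecureX, please join the SecuritySite group (14966586) or email me: openssl(at)163.com -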
Weblogic security realm mapping to DB
I have one question about Weblogic 7.01 security.
I have created USER, GROUP and ROLES table in my RDBMS.
Can I use the RDBMS realm if my users are in a database
table already? Can I tune Weblogic security realm to my database tables?
Any advice or links will be very much appreciated.
Thanks a lot for any help, Volodymyr Shram.
Thanks, criokeeper for your fast answer.
Would you be so kind as to explain one point to me.
At http://e-docs.bea.com/wls/docs70/ConsoleHelp/domain_rdbmsrealm_config_general.html I found that "To use the RDBMS security realm, you need to use Compatibility security. The use of the RDBMS security realm is deprecated in WebLogic Server 7.0."
What does that mean? Do I have to use the Compatibility security or is it just for ver. 6.x to ver. 7.0 migration?
Thanks a lot for your answer.
Regards, Volodymyr. -
Warning: EJB referenced an unknown security role?
Hello,
I get a weird error from WL 5.1 (SP6), using the default WLPropertyRealm.
In the EJB I have the following check:
if (ctx.isCallerInRole("ConspiratorRole"))
System.out.println ("the user is in the ConspiratorRole role");
At run time, I get the following warning in the WL window:
Fri Nov 10 12:56:58 EST 2000:<I>
<EJB JAR deployment D:/weblogic/myserver/myBean.jar>
Warning: EJB "unu" referenced an unknown security role
However:
- the role IS defined (see ejb-jar.xml)
- has an associated principal (see weblogic-ejb-jar.xml)
- there is a principal defined in weblogic.properties
- this principal (and this role) is actually used in practice to access the
bean. Which works.
So why the warning?
Any hint appreciated,
Thanks.
ejb-jar.xml:
<assembly-descriptor>
<security-role>
<description>description of the ConspiratorRole</description>
<role-name>ConspiratorRole</role-name>
</security-role>
</assembly-descriptor>
weblogic-ejb-jar.xml:
<weblogic-ejb-jar>
<security-role-assignment>
<role-name>ConspiratorRole</role-name>
<principal-name>Conspirator</principal-name>
</security-role-assignment>
</weblogic-ejb-jar>
You should not reference the role link in your code. The role link is used to
connect the role name in your code to the
role name in your deployment descriptor. Only if this link is set up as you
have done below, will the isCallerInRole return true.
- Sri
Alf wrote:
I reviewed older postings and found indications of what appears to be a bug
in WL: that isCallerInRole always return false for role names but returns
correct values if the role names are linked with a reference in
<security-role-ref>. So, according to the DTD at
http://edocs.bea.com/wle/dd/ddref.htm#1038338 I added the following in
ejb-jar.xml:
<ejb-jar>
<enterprise-beans>
<session>
<security-role-ref>
<role-name>ConspiratorRole</role-name>
<role-link>ConspiratorRoleLink</role-link>
</security-role-ref>
and added 2 lines in the bean to test the both the role and the reference
if (ctx.isCallerInRole("ConspiratorRole"))
System.out.println ("the user is in the ConspiratorRole role");
if (ctx.isCallerInRole("ConspiratorRoleLink"))
System.out.println ("the user is in the ConspiratorRoleLink role");
The unexpected result was a NullPointerException at
weblogic.ejb.internal.BaseEJBContext.isCallerInRole(BaseEJBContext.java:665)
Can anyone shed some light? Thanks.
"Alf" <alf> wrote in message news:[email protected]...
Hello,
I get a weird error from WL 5.1 (SP6), using the default WLPropertyRealm.
In the EJB I have the following check:
if (ctx.isCallerInRole("ConspiratorRole"))
System.out.println ("the user is in the ConspiratorRole role");
At run time, I get the following warning in the WL window:
Fri Nov 10 12:56:58 EST 2000:<I>
<EJB JAR deployment D:/weblogic/myserver/myBean.jar>
Warning: EJB "unu" referenced an unknown security role
However:
- the role IS defined (see ejb-jar.xml)
- has an associated principal (see weblogic-ejb-jar.xml)
- there is a principal defined in weblogic.properties
- this principal (and this role) is actually used in practice to access the
bean. Which works.
So why the warning?
Any hint appreciated,
Thanks.
ejb-jar.xml:
<assembly-descriptor>
<security-role>
<description>description of the ConspiratorRole</description>
<role-name>ConspiratorRole</role-name>
</security-role>
</assembly-descriptor>
weblogic-ejb-jar.xml:
<weblogic-ejb-jar>
<security-role-assignment>
<role-name>ConspiratorRole</role-name>
<principal-name>Conspirator</principal-name>
</security-role-assignment>
</weblogic-ejb-jar>
-
The security-role-assignment references an invalid security-role: Certifica
In Oracle Enterprise Pack for Eclipse, I failed to deploy an application in debug mode. The error I noticed in my domain log is:
weblogic.management.DeploymentException: [HTTP:101168]The security-role-assignment references an invalid security-role: Certificate.
at weblogic.servlet.security.internal.WebAppSecurity.setRoleMapping(WebAppSecurity.java:180)
at weblogic.servlet.security.internal.WebAppSecurity.registerSecurityRoles(WebAppSecurity.java:155)
at weblogic.servlet.internal.WebAppServletContext.prepareFromDescriptors(WebAppServletContext.java:1181)
at weblogic.servlet.internal.WebAppServletContext.prepare(WebAppServletContext.java:1120)
at weblogic.servlet.internal.HttpServer.doPostContextInit(HttpServer.java:449)
at weblogic.servlet.internal.HttpServer.loadWebApp(HttpServer.java:424)
at weblogic.servlet.internal.WebAppModule.registerWebApp(WebAppModule.java:910)
at weblogic.servlet.internal.WebAppModule.prepare(WebAppModule.java:364)
at weblogic.application.internal.flow.ScopedModuleDriver.prepare(ScopedModuleDriver.java:176)
at weblogic.application.internal.flow.ModuleListenerInvoker.prepare(ModuleListenerInvoker.java:93)
at weblogic.application.internal.flow.DeploymentCallbackFlow$1.next(DeploymentCallbackFlow.java:387)
at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:37)
at weblogic.application.internal.flow.DeploymentCallbackFlow.prepare(DeploymentCallbackFlow.java:58)
at weblogic.application.internal.flow.DeploymentCallbackFlow.prepare(DeploymentCallbackFlow.java:42)
at weblogic.application.internal.BaseDeployment$1.next(BaseDeployment.java:615)
at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:37)
at weblogic.application.internal.BaseDeployment.prepare(BaseDeployment.java:191)
at weblogic.application.internal.EarDeployment.prepare(EarDeployment.java:16)
at weblogic.application.internal.DeploymentStateChecker.prepare(DeploymentStateChecker.java:155)
at weblogic.deploy.internal.targetserver.AppContainerInvoker.prepare(AppContainerInvoker.java:60)
at weblogic.deploy.internal.targetserver.operations.ActivateOperation.createAndPrepareContainer(ActivateOperation.java:197)
at weblogic.deploy.internal.targetserver.operations.ActivateOperation.doPrepare(ActivateOperation.java:89)
at weblogic.deploy.internal.targetserver.operations.AbstractOperation.prepare(AbstractOperation.java:217)
at weblogic.deploy.internal.targetserver.DeploymentManager.handleDeploymentPrepare(DeploymentManager.java:723)
at weblogic.deploy.internal.targetserver.DeploymentManager.prepareDeploymentList(DeploymentManager.java:1190)
at weblogic.deploy.internal.targetserver.DeploymentManager.handlePrepare(DeploymentManager.java:248)
at weblogic.deploy.internal.targetserver.DeploymentServiceDispatcher.prepare(DeploymentServiceDispatcher.java:159)
at weblogic.deploy.service.internal.targetserver.DeploymentReceiverCallbackDeliverer.doPrepareCallback(DeploymentReceiverCallbackDeliverer.java:157)
at weblogic.deploy.service.internal.targetserver.DeploymentReceiverCallbackDeliverer.access$000(DeploymentReceiverCallbackDeliverer.java:12)
at weblogic.deploy.service.internal.targetserver.DeploymentReceiverCallbackDeliverer$1.run(DeploymentReceiverCallbackDeliverer.java:45)
at weblogic.work.SelfTuningWorkManagerImpl$WorkAdapterImpl.run(SelfTuningWorkManagerImpl.java:516)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
What I do not understand is that this error remains even though I modified weblogic.xml to remove the following lines:
<wls:security-role-assignment>
<wls:role-name>Certificate</wls:role-name>
<wls:externally-defined/>
</wls:security-role-assignment>
I also deleted <MYDOMAIN_HOME>/servers/AdminServer/cache and <MYDOMAIN_HOME>/servers/AdminServer/tmp but this error still showed up when I attempted to deploy the application in Eclipse.
If I exported the EAR file and deployed it using Admin Console, the application was deployed successfully. But when I deleted it in Admin Console and attempted to deploy it in Eclipse again, the same error occurred and the deployment failed. What could be the reason for this behavior? Is there anything cached somewhere when deploying it in Eclipse? Thanks in advance for your help.
Hi,
I know that is an old thread, but just in case... Maybe you could try setting up the DEBUG_OPTIONS in your startManagedWeblogic script and configure a remote debug in Eclipse:
DEBUG_OPTIONS="-Xdebug -Xnoagent -Xrunjdwp:transport=dt_socket,address=8003,server=y,suspend=n"
Hope it helps,
Luis
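Both threads above turn on a role name in one descriptor that does not resolve to a `<security-role>` declared in the other. The following is an added example, not code from the posts or from WebLogic: a small Python lint that cross-checks the standard descriptor (ejb-jar.xml or web.xml) against the WebLogic one. The function name `check_role_wiring`, the sample descriptors (constructed from the snippets in the posts) and the fallback rule for a missing `<role-link>` are assumptions.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    # Drop any namespace so prefixed (j2ee:, wls:) and unprefixed tags compare equal.
    return tag.rsplit("}", 1)[-1]

def _texts(root, parent, child):
    # Text of every <child> directly under a <parent> element, anywhere in the tree.
    return [(c.text or "").strip() for p in root.iter() if _local(p.tag) == parent
            for c in p if _local(c.tag) == child]

def check_role_wiring(standard_xml, vendor_xml):
    """List role names that do not resolve to a declared <security-role>."""
    std, ven = ET.fromstring(standard_xml), ET.fromstring(vendor_xml)
    declared = set(_texts(std, "security-role", "role-name"))
    findings = []
    for ref in (e for e in std.iter() if _local(e.tag) == "security-role-ref"):
        kids = {_local(c.tag): (c.text or "").strip() for c in ref}
        # Assumption: with no <role-link>, the coded name itself must be a declared role.
        target = kids.get("role-link") or kids.get("role-name", "")
        if target not in declared:
            findings.append(f"security-role-ref '{kids.get('role-name')}' -> "
                            f"'{target}' is not a declared security-role")
    for name in _texts(std, "auth-constraint", "role-name"):
        if name not in declared and name not in ("*", "**"):
            findings.append(f"auth-constraint '{name}' is not a declared security-role")
    for name in _texts(ven, "security-role-assignment", "role-name"):
        if name not in declared:
            findings.append(f"security-role-assignment '{name}' is not a declared security-role")
    return findings

# Constructed sample: the thread's EJB descriptors, trimmed to the role elements.
EJB_JAR = """<ejb-jar><enterprise-beans><session>
  <security-role-ref><role-name>ConspiratorRole</role-name>
    <role-link>ConspiratorRoleLink</role-link></security-role-ref>
</session></enterprise-beans><assembly-descriptor>
  <security-role><role-name>ConspiratorRole</role-name></security-role>
</assembly-descriptor></ejb-jar>"""
WEBLOGIC_EJB_JAR = """<weblogic-ejb-jar><security-role-assignment>
  <role-name>ConspiratorRole</role-name><principal-name>Conspirator</principal-name>
</security-role-assignment></weblogic-ejb-jar>"""
# Constructed sample: web.xml without a <security-role>, weblogic.xml still assigning one.
WEB_XML = "<web-app><welcome-file-list/></web-app>"
WEBLOGIC_XML = """<wls:weblogic-web-app xmlns:wls="http://xmlns.oracle.com/weblogic/weblogic-web-app">
  <wls:security-role-assignment><wls:role-name>Certificate</wls:role-name>
    <wls:externally-defined/></wls:security-role-assignment></wls:weblogic-web-app>"""

if __name__ == "__main__":
    for f in check_role_wiring(EJB_JAR, WEBLOGIC_EJB_JAR) + check_role_wiring(WEB_XML, WEBLOGIC_XML):
        print(f)
```

Running it against the descriptors unpacked from the archive that is actually being deployed, rather than the copies in the workspace, shows whether a removed assignment is still being packaged.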