Weblogic security role

Hi,
I have a need to restrict access for certain users in WL who will be OBIEE admins, so they don't need access to the WL console but do need access to EM, specifically coreapplication, to deploy a new .rpd.
I've tried and tried but just can't get a role to allow such specific access. Can anyone shed some light? Any role I have created or configured allows access to EM but then doesn't allow access to coreapplication; from what I can see only the administrator role has the privilege.

Chandramohan V <[email protected]> writes:
Hi,
I am Chandramohan. I am very new to Weblogic. I want some sample code for EJB Security (basic level).

There are samples in the kit and on dev2dev.bea.com
andy

Similar Messages

  • Using weblogic security roles in authentication: weblogic 9

    Hi All,
    I am trying to create a simple application which uses declarative authorization configured in web.xml. I use the simple form based authentication. While trying to deploy my application, I get the error:
    weblogic.management.DeploymentException: [HTTP:101168]The security-role-assignment references an invalid security-role: LTVORole.
    But I have defined the role LTVORole in weblogic using the administrator console.
    below are the details of what I have done:
    Web.xml:
    ========
    <?xml version='1.0' encoding='UTF-8'?>
    <j2ee:web-app xmlns:j2ee="http://java.sun.com/xml/ns/j2ee">
      <j2ee:welcome-file-list>
        <j2ee:welcome-file>login.jsp</j2ee:welcome-file>
        <j2ee:welcome-file>index.html</j2ee:welcome-file>
        <j2ee:welcome-file>index.htm</j2ee:welcome-file>
      </j2ee:welcome-file-list>
      <j2ee:login-config>
        <j2ee:auth-method>FORM</j2ee:auth-method>
        <j2ee:form-login-config>
          <j2ee:form-login-page>/login.jsp</j2ee:form-login-page>
          <j2ee:form-error-page>/error.jsp</j2ee:form-error-page>
        </j2ee:form-login-config>
      </j2ee:login-config>
      <security-constraint>
        <display-name>checkAccountConstraint</display-name>
        <web-resource-collection>
          <web-resource-name>checkAccountCollection</web-resource-name>
          <url-pattern>test.jsp</url-pattern>
          <http-method>GET</http-method>
          <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
          <role-name>LTVORole</role-name>
        </auth-constraint>
      </security-constraint>
    </j2ee:web-app>
    Weblogic.xml
    ===========
    <?xml version="1.0" encoding="UTF-8"?>
    <ns:weblogic-web-app xmlns:ns="http://www.bea.com/ns/weblogic/90">
      <security-role-assignment>
        <role-name>LTVORole</role-name>
        <externally-defined/>
      </security-role-assignment>
    </ns:weblogic-web-app>
    I have created the role in weblogic in the menu
    security realms > myrealm > roles and policies > Global Roles > roles > LTVORole
    Is it the right way to define a role?
    Please help me find where I am going wrong.
    Thanking you all in advance,
    Gireesh

  • How to use security roles in Weblogic server?

    Hello Gurus,
    I am new to Weblogic server and I am trying to investigate how to make
    use of security roles in weblogic server (5.1.0). Can anyone point me
    to some documentation. Specifically, I am looking for instance level,
    and method level security and how to use it.
    Thanks for taking your time to read this e-mail.
    Thank You all in advance,
    Hari.

    You should read the security information in the Servlet 2.2 specification
    that WL 5.1 implements:
    http://java.sun.com/products/servlet/download.html
    Chapter 11 deals with declarative and programmatic security, and includes a
    section on roles:
    11.4 Roles
    A role is an abstract logical grouping of users that is defined by the Application Developer or Assembler. When the application is deployed, these roles are mapped by a Deployer to security identities, such as principals or groups, in the runtime environment.
    A servlet container enforces declarative or programmatic security for the principal associated with an incoming request based on the security attributes of that calling principal. For example,
    1. When a deployer has mapped a security role to a user group in the operational environment. The user group to which the calling principal belongs is retrieved from its security attributes. If the principal's user group matches the user group in the operational environment that the security role has been mapped to, the principal is in the security role.
    2. When a deployer has mapped a security role to a principal name in a security policy domain, the principal name of the calling principal is retrieved from its security attributes. If the principal is the same as the principal to which the security role was mapped, the calling principal is in the security role.
    Cameron Purdy
    http://www.tangosol.com

  • Create , delete "security roles" in weblogic console - sample Security providers

    Hi Everyone:
    Weblogic gave out sample Security Providers for version 7.0 and 8.1. In
    those sample Security Provider , the author of codes used property files as
    Security Providers Database, however he/she didn't show how to create a
    Manageable Sample Role Mapping Provider or Manageable Sample Authentication
    Provider, so Administrator of weblogic console can create and delete
    "security roles" in weblogic console.
    Have anyone known how to do that?
    Ming Qin

    "ming qin" <[email protected]> wrote in message news:[email protected]..
    I would ask in the weblogic.developer.interest.management.console newsgroup.

  • Weblogic security & EJB role based access

    How does (or not) weblogic security tie into the EJB notion of role based
    control ? Can we create a 'custom' security mechanism for EJB (which
    basically uses the EJB facilities but extends it within the application) by
    using custom weblogic realms ?
    Thanks
    Raju

    Thanks !
    "Terry" <[email protected]> wrote in message
    news:[email protected]...
    comments inline
    r <[email protected]> wrote in message
    news:[email protected]...
    > Here are some more specific questions around an 'example' scenario:
    > The application has an entity bean 'Account' that can be accessed by the
    > roles 'Bank Employee' and 'Customer'.
    > 'Bank Employee' can execute the 'getBalance()' and 'placeOnHold()'
    > methods on the 'Account' bean.
    > 'Customer' can execute the 'withdraw()', 'deposit()', and 'getBalance()'
    > methods on the 'Account' bean.
    > These permissions are set up through the deployment descriptor by mapping
    > the 'Bank Employee' and 'Customer' roles to the particular bean methods
    > that the role should be given access to.
    > 1. How does weblogic provide the facility to map the EJB deployment
    > descriptor <security-role> to a particular weblogic principal (user or group)?
    > Or, should I say, how do I map the user or group to a
    > deployment-descriptor defined role?
    In the deployment tool, once in the jar select the 'Security' item, create
    an application role (in your case it is probably best to create 2 security
    roles - the bank employee role referring to the bank employee group (use the
    'in role' checkboxes), and the customer role referring to the customer group -
    there may at some point be use for an allUsers role, which includes both
    groups, maybe not. What I am saying is that a role is made of one or more
    Principals - in our case groups).
    In the Account Bean select the method permissions item, and create a method
    permission perm-0, select the perm-0 item that has just popped up in the
    left hand window, tick the box for placeOnHold(), and the boxes for <remote>
    and <home> one level deeper than this in the tree (as an aside, I have
    absolutely no idea why there would be a 'home' box here, ho hum). Select the
    'bank employee' 'can invoke' tickbox.
    Create perm-1, and do what you did above for 'withdraw()' and 'deposit()'
    methods, and the 'customer' tickbox.
    I believe the documents say you would have to set up another permission to
    allow both groups access to the getBalance method, but in practice I haven't
    found this the case.
    The documentation for this is at
    http://www.weblogic.com/docs51/classdocs/API_ejb/EJB_deploy.html#1102211
    (or search for 'Deploying EJBs with DeployerTool')
    > 2. Are there any administrative tools provided by weblogic to do this
    > mapping ?
    The deployer tool. Otherwise I think it's the case of writing your own xml
    files.
    > 3. How much effort & complexity is involved in creating a custom realm
    Hmmm, depends - you could have the RDBMSRealm that is provided in 'examples'
    in half an hour or so (there is a problem with one of the RDBMSUser's
    methods - getUserType or something like that - the solution can be found in
    the newsgroups if you search), the same is probably true of the LDAPRealm,
    NTRealm etc (although I have never used these).
    Which one you choose depends on what equipment you have available, although
    I would say that the RDBMSRealm can use a lot of optimisation.
    > Thanks,
    Welcome
    > Raju

    "Terry" <[email protected]> wrote in message
    news:[email protected]...
    The Principals (i.e. groups and users) from your custom realm are used to
    define application roles for the EJBs, but, as far as I am aware you cannot
    use a custom implementation for the ACLs for EJBs
    terry

  • Invalid Security role-name error in Web Project

    Hi All,
    I have imported a J2EE application project built in JBOSS into NWDS 7.1.
    While building the project I get the following error
    CHKJ3020E:Invalid Security role-name error: PEHNTAHO_ADMIN
    This error directs me to the following code in web.xml
    <security-constraint>
      <display-name>Default JSP Security Constraints</display-name>
      <web-resource-collection>
        <web-resource-name>Portlet Directory</web-resource-name>
        <url-pattern>/jsp/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
        <role-name>PEHNTAHO_ADMIN</role-name>
      </auth-constraint>
      <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
      </user-data-constraint>
    </security-constraint>
    I have tried out the following things to resolve this issue:
    1) Remove the role manually (as suggested by various people in other J2EE forums), but then some other error came into the picture.
    2) Then I added the following code in web.xml
    <security-role>
      <role-name>PEHNTAHO_ADMIN</role-name>
    </security-role>
    Then the above mentioned build error gets resolved, but then I get the following error while deploying the application.
    Dec 3, 2007 12:59:21 AM /userOut/daView_category (eclipse.UserOutLocation) [Thread[Deploy Thread,5,main]] ERROR: Deploy Exception.An error occurred while deploying the deployment item 'sap.com_AnalyticsApp2EAR'.; nested exception is:
         java.rmi.RemoteException:  class com.sap.engine.services.dc.gd.DeliveryException: An error occurred during deployment of sdu id: sap.com_AnalyticsApp2EAR
    sdu file path: D:\usr\sap\CE1\J01\j2ee\cluster\server0\temp\tcbldeploy_controller\archives\191\AnalyticsApp2EAR.ear
    version status: HIGHER
    deployment status: Admitted
    description:
              1. Error:
    Cannot update application sap.com/AnalyticsApp2EAR. Reason: The application sap.com/AnalyticsApp2EAR will not be update, because its validation failed. Reason:
    ERRORS:
    Web Model Builder: com.sap.engine.frame.core.configuration.NameNotFoundException: The parameter/s in String "<?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
    <web-app>
         <!-- whole web.xml-->
    </web-app>
    " is/are not defined and could not be substituted., file: AnalyticsApp2.war#WEB-INF/web.xml, column 0, line 0, severity: error
    WARNINGS:
    Web Model Builder: Following tests could not be executed because of failed precondition test "Web Model Builder" : Implicit Constraints Test, JSF Application Test, Mapping Test, Web File Existence Test, Web Class Existence Test, Security Role Test, file: AnalyticsApp2.war, column -1, line -1, severity: warning
    3) I had also added the following code in web-j2ee-engine.xml
    <security-role-map>
      <role-name>PEHNTAHO_ADMIN</role-name>
      <server-role-name>all</server-role-name>
    </security-role-map>
    but still I get the same deployment error.
    Please help me in resolving this problem.
    Can anybody tell me the use of role "PEHNTAHO_ADMIN"?
    Thanks and Regards,
    Sruti

    Hi Malathy,
    Once the users are created in Authentication Provider, and once the roles are created in Weblogic Server, You just have to map users to roles in Jazn-data.xml.
    Could you please let us know if you created a role named users in WLS?
    Thanks & Regards,
    Murali.
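    The descriptor pair in Gireesh's post above (WebLogic's [HTTP:101168]) and the web.xml in Sruti's post (the IDE's CHKJ3020E) both run into the same rule: a role named in an <auth-constraint> or in a weblogic.xml <security-role-assignment> has to be declared by a <security-role> in web.xml. The checker below is an added example, not code from either poster; its descriptors are constructed samples modelled on Gireesh's, and it matches elements by local name so that the mixed prefixed/unprefixed elements of that web.xml are handled.

```python
"""Consistency check for a J2EE web.xml / weblogic.xml descriptor pair (added example)."""
import xml.etree.ElementTree as ET


def local_name(tag):
    """Strip the namespace from an ElementTree tag.

    '{http://java.sun.com/xml/ns/j2ee}web-app' and a bare 'web-app' both become
    'web-app', so descriptors that mix prefixed and unprefixed elements (as the
    web.xml in the post above does) are compared by element name only."""
    return tag.rsplit("}", 1)[-1]


def role_names(root, parent):
    """Collect <role-name> text from every element whose local name is `parent`."""
    found = set()
    for elem in root.iter():
        if local_name(elem.tag) != parent:
            continue
        for child in elem:
            if local_name(child.tag) == "role-name" and child.text:
                found.add(child.text.strip())
    return found


def check_descriptors(web_xml, weblogic_xml):
    """Return a list of findings; an empty list means the pair is consistent."""
    web = ET.fromstring(web_xml)
    wl = ET.fromstring(weblogic_xml)

    declared = role_names(web, "security-role")            # <security-role><role-name>
    constrained = role_names(web, "auth-constraint")       # roles that protect URL patterns
    assigned = role_names(wl, "security-role-assignment")  # roles mapped to principals

    findings = []
    for role in sorted(constrained - declared):
        findings.append("web.xml: <auth-constraint> uses role '%s' but no "
                        "<security-role> declares it" % role)
    for role in sorted(assigned - declared):
        findings.append("weblogic.xml: <security-role-assignment> maps role '%s' "
                        "but web.xml declares no such <security-role>" % role)
    # An assignment that names neither a <principal-name> nor <externally-defined/>
    # leaves nothing to map the role to; flag it as well.
    for elem in wl.iter():
        if local_name(elem.tag) != "security-role-assignment":
            continue
        kinds = {local_name(child.tag) for child in elem}
        if not kinds & {"principal-name", "externally-defined"}:
            name = next((c.text.strip() for c in elem
                         if local_name(c.tag) == "role-name" and c.text), "?")
            findings.append("weblogic.xml: role '%s' is assigned no principal and "
                            "is not externally defined" % name)
    return findings


# Constructed samples modelled on the post's descriptors (not the poster's files).
WEBLOGIC_XML = """<ns:weblogic-web-app xmlns:ns="http://www.bea.com/ns/weblogic/90">
  <security-role-assignment>
    <role-name>LTVORole</role-name>
    <externally-defined/>
  </security-role-assignment>
</ns:weblogic-web-app>"""

WEB_XML_AS_POSTED = """<j2ee:web-app xmlns:j2ee="http://java.sun.com/xml/ns/j2ee">
  <j2ee:login-config><j2ee:auth-method>FORM</j2ee:auth-method></j2ee:login-config>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>checkAccountCollection</web-resource-name>
      <url-pattern>/test.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>LTVORole</role-name></auth-constraint>
  </security-constraint>
</j2ee:web-app>"""

# The same descriptor with the role declared, which is what the error message asks for.
WEB_XML_FIXED = WEB_XML_AS_POSTED.replace(
    "</j2ee:web-app>",
    "  <security-role><role-name>LTVORole</role-name></security-role>\n</j2ee:web-app>")

# A constructed assignment that names no principal at all.
WEBLOGIC_XML_NO_PRINCIPAL = WEBLOGIC_XML.replace("<externally-defined/>", "")


if __name__ == "__main__":
    for label, web in (("as posted", WEB_XML_AS_POSTED),
                       ("with <security-role> added", WEB_XML_FIXED)):
        print("--- web.xml %s" % label)
        for line in check_descriptors(web, WEBLOGIC_XML) or ["OK: descriptors are consistent"]:
            print(line)
```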

  • Security-role and security-role-assignment not working in WL7.0

    Hello all..
    Some EJB components that worked fine in WebLogic 6.1 no longer work in
    WL7.0. It has to do with the security-role and security-role-assignment
    descriptor elements no longer allowing anonymous users to be included in the
    authorization for a bean.
    For example, in WL6.1 placing these items in ejb-jar.xml:
    <assembly-descriptor>
    <security-role>
    <role-name>Employees</role-name>
    </security-role>
    <method-permission>
    <role-name>Employees</role-name>
    <method>
    <ejb-name>CustomerEJB</ejb-name>
    <method-name>*</method-name>
    </method>
    </method-permission>
    and mapping WebLogic default users to this role in weblogic-ejb-jar.xml:
    <security-role-assignment>
    <role-name>Employees</role-name>
    <principal-name>guest</principal-name>
    <principal-name>system</principal-name>
    </security-role-assignment>
    worked fine for clients creating their context using a simple
    InitialContext() constructor without specifying SECURITY_PRINCIPAL or
    SECURITY_CREDENTIALS. These users were basically "guest" to WebLogic, and
    the security-role-assignment element above told WebLogic that "guest" was in
    the Employees role for purposes of this EJB archive.
    Worked in WL6.1, no longer works in WL7.0. Client receives typical
    permission exception:
    java.rmi.AccessException: Security violation: insufficient permission to
    access method 'create'
    If I explicitly connect as "system" things are fine, or I can create a new
    user in the default realm in WebLogic, put a matching <principal-name>
    element in the section above, and connect as that user. Note that if I leave
    off the <security-role> section completely, or set the required role name to
    "everyone", the anonymous access works fine. Apparently the anonymous user
    is a member of "everyone" behind the scenes even though "everyone" does not
    appear in the realm list of groups or roles.
    So, my question boils down to this: Is there a "magic" username in WL7 like
    "guest" was in WL6.1 that can be mapped to the required role name, or must
    every client connection use a true weblogic-created user with appropriate
    role assignments used to map it to the required role name.
    -Greg
    P.S. Note that none of the EJB examples provided with WL used
    <security-role>..
    Check out my WebLogic 6.1 Workbook for O'Reilly EJB Third Edition
    www.amazon.com/exec/obidos/ASIN/1931822468 or www.titan-books.com


  • How to create default groups in Weblogic- Security Realms -- Groups

    Hi Team,
    Unfortunately I have deleted some default groups from Weblogic->Security Realms --> Groups. How to add the groups.
    Regards,
    Ravi.

    Hi Ravi,
    These are the default groups present inside Security Realms; you can manually create them by
    going inside Security Realms --> Users and Groups --> Groups --> New
    Administrators: Administrators can view and modify all resource attributes and start and stop servers. (DefaultAuthenticator)
    Deployers: Deployers can view all resource attributes and deploy applications. (DefaultAuthenticator)
    Monitors: Monitors can view and modify all resource attributes and perform operations not restricted by roles. (DefaultAuthenticator)
    Operators: Operators can view and modify all resource attributes and perform server lifecycle operations. (DefaultAuthenticator)
    Restart the Admin Server
    Regards
    Fabian

  • How to list principals in the security role?

    Does anybody know how to list principals assigned to a security role programmatically?
    The role assignment is specified in weblogic.xml files for web applications and
    weblogic-ejb-jar.xml files for EJBs.
    Any help would be much appreciated,
    Margaret

    I think it's not possible. However, what you can do is to assign a role to a
    group (this relationship being statically defined in weblogic.xml) and then
    manipulate the group membership in order to assign users to the role on the
    fly.

  • How to specify the security policy "Allow access to everyone" for security role in Deployment descriptor

    Hi,
    I am migrating a web application from Websphere to Weblogic. The web application has a security role defined in web.xml (using LDAP for authentication).
    <security-role>
      <description>Authenticated</description>
      <role-name>Authenticated</role-name>
    </security-role>
    This role is mapped to a special subject "All authenticated users in application realm" in WAS.
    In weblogic, I have the following setting in weblogic.xml
    <wls:security-role-assignment>
      <wls:role-name>Authenticated</wls:role-name>
      <wls:externally-defined />
    </wls:security-role-assignment>
    And after deploying the application, I have to manually add a security role and add the security policy "Allow access to everyone" to this role.
    I am wondering if this setting can be specified in, for example, weblogic.xml so I can just deploy the web application using the deployment descriptor and don't need to write a script to do that.
    Thanks

    Hi,
    You need to have Back End support to achieve this. In the Back End you need to create two groups. You need to know what joins have to be made for which group (which is more important) and also make a session variable for the user role (with SQL supporting it). In the BMM layer, we need to put the security join conditions in the 'where clause'.
    And make a common report. Users logging in with their respective userid will have the user role and joins assigned in the Back End, and they will be viewing the report according to their access.
    Hope this will solve your problem.
    Regards
    MuRam

  • Weblogic Security Queries

    Hi All,
    My requirements are as follows:
    1) Have a central repository like the iplanet Directory server to store the information
    of users,groups etc
    2)Perform identity management to manage roles and permissions This includes the
    ability to define users, resources, and abstract concepts such as a user role
    or a group
    3)The final requirement is access management. This is the enforcement of which
    users have access to what information. It includes authentication and authorization
    mechanisms to make sure someone is who they claim to be and that they have the
    authority to get the information they requested, and access management to enforce
    the permissions
    I need to achieve these requirements for my Portal application. My queries for
    the same are as follows
    1)The default Weblogic authentication providers can be used to authenticate users
    located on iplanet Directory server.
    2)But my doubt is with the authorization provider, Role Mapper providers etc they
    seem to be tightly coupled to the embedded LDAP. In order to solve my requirements
    on 2 and 3 what are the approaches that are available.
    3)I also have tried to create a new Realm that the Iplanet authentication provider
    configured to authenticate against iPlanet LDAP and also the other default providers
    that come along with
    weblogic to do authorization checks. When I try to start my server I get the following
    error and the server does not start.
    <Nov 28, 2003 4:58:31 PM GMT+05:30> <Critical> <Security> <BEA-090404> <User weblogic
    is not permitted to boot the server; The
    server policy may have changed in such a way that the user is no longer able to
    boot the server.Reboot the server with the administrative user account or contact
    the system administrator to update the server policy definitions.>
    The WebLogic Server did not start up properly.
    Reason: weblogic.security.SecurityInitializationException: User weblogic is not
    permitted to boot the server; The server policy
    may have changed in such a way that the user is no longer able to boot the server.Reboot
    the server with the administrative us
    er account or contact the system administrator to update the server policy definitions.
    Can anyone suggest ways to solve my queries? If you could provide some
    input on how to solve my requirements that would be very useful. We are a WLS
    shop, so the solution should be within the reach of WebLogic Server security.

    Hi,
    This is w.r.t the same query.
    1) Where do you want your role and policy information stored? How is your role
    and policy information defined? The WLS framework is limited to WLS resources
    (ejbs, webapps, jdbc connection pools, etc.)
    Ans) The Roles and Policies are defined in the External LDAP.
    "Anand" <[email protected]> wrote:
    > Hi,
    > Thanks for your replies. I have a couple of other queries which are as
    > follows:
    > 1. How do we decouple the Embedded LDAP and connect to External LDAP Server
    > for Authentication and Authorization (I prefer iPlanet LDAP Server)
    > 2. Is Portal a WLS resource? If so I want to build an Access Control List.
    > 3. Can you point me to any resource which guides me how to configure
    > iPlanet server for authentication and Authorization. I am a novice. This
    > tutorial/sample should include all necessary codes.
    "Peter" <PeterB> wrote:
    "Anand" <[email protected]> wrote in message
    news:[email protected]...
    > 1)The default Weblogic authentication providers can be used to authenticate users
    > located on iplanet Directory server.
    > 2)But my doubt is with the authorization provider, Role Mapper providers etc they
    > seem to be tightly coupled to the embedded LDAP. In order to solve my
    > requirements on 2 and 3 what are the approaches that are available.
    The role mapper and authorization providers do store roles and policies in
    embedded ldap server.
    Where do you want your role and policy information stored? How is your role
    and policy information defined? The WLS framework is limited to WLS resources (ejbs,
    webapps, jdbc connection pools, etc.)
    > 3)I also have tried to create a new Realm that the Iplanet authentication provider
    > configured to authenticate against iPlanet LDAP and also the other default providers
    > that come along with weblogic to do authorization checks. When I try to start my
    > server I get the following error and the server does not start.
    WLS uses the server resource to determine if you can boot the server. There
    is a policy that allows users with admin or operator role. The default for that role
    is member of the administrators or operators group. You can change this role
    expression with the console.
    Therefore, check to see if your boot user is a member of the administrators
    group.

  • [Weblogic Security In Action]

    Abstract
    This article explores the security framework in Weblogic Platform and how to implement enterprise security (Weblogic Enterprise Security, WLES) on top of it.
    The article is divided into three parts.
    Part 1 explains the concepts of WLES. Following the outline below, it gives the reader a clear understanding of the Weblogic security framework and, on that basis, of the basic Weblogic security elements such as User, Group, Role and Resource. It also discusses how to implement authentication and authorization under WLES.
    Part 2 covers WLES configuration, focusing on how to configure SSL and certificates in WLS, how to configure LDAP and databases, how to implement Windows integrated security, and how to implement single sign-on (SSO) on top of open-source technologies such as CAS, SAML and SPNEGO.
    Part 3 explains the Weblogic MBean mechanism, how to implement your own Custom Security Provider, and how to use Weblogic Security Providers to build a strong and robust security architecture.
    [Part 1]
    1. Overview of the Weblogic Platform security framework
    2. Users, groups, roles, resources and security policies in a Security Realm
    3. Authentication and authorization
    [Part 2]
    4. Configuring SSL and digital certificates
    5. Windows integrated security
    6. Single sign-on (SSO)
    [Part 3]
    7. Implementing your own Security Provider
    8. Building a flexible security architecture on top of Security Providers
    So far only the following is finished:
    Weblogic Security In Action, Part 1
    http://www.matrix.org.cn/blog/cas/archives/WeblogicSecurityInAction(1).swf
    I had no idea writing articles was this tiring.
    Parts 2 and 3 are being written; please stay tuned.
    Please point out any errors in the article and email me, since I really have no time to review it carefully.

    To make it easier for Weblogic users to manage JKS certificates, I have released an Eclipse plugin, code-named SecureX. It will integrate Keytool, Axis digital signatures, encryption, and SSO/SSL wizards. The current version is 1.0.0, adapted from KeytoolGUI 1.6.
    I have made quite a few enhancements; the original version is no longer developed and has been commercialized by its author, so the open-source version will be provided by me from now on :)
    SecureX URL: http://www.blogjava.net/openssl/archive/2006/03/17/35781.html
    For more on SecureX, see http://www.blogjava.net/openssl/archive/2006/02/08/29886.aspx
    The project is licensed under the GPL; see https://sourceforge.net/projects/securex/
    The source code will be published on SF with version 2.0.
    It replaces Keytool with a graphical interface and adds digital signature features. The original version came from Keytool Gui 1.6 (Swing-based); I rewrote the UI in SWT, integrated it into SecureX, and am using SecureX as a base to keep extending Java Security features such as encryption, signing, an SSO wizard and an SSL wizard.
    Downloads:
    http://www.blogjava.net/Files/openssl/plugins.part1.rar
    http://www.blogjava.net/Files/openssl/plugins.part2.rar
    http://www.blogjava.net/Files/openssl/plugins.part3.rar
    http://www.blogjava.net/Files/openssl/plugins.part4.rar
    http://www.blogjava.net/Files/openssl/plugins.part5.rar
    http://www.blogjava.net/Files/openssl/plugins.part6.rar
    http://www.blogjava.net/Files/openssl/plugins.part7.rar
    After downloading, extract to the plugins directory and locate its subdirectory SecureX_1.0.0.
    Then copy the whole directory into the Plugin directory under your Eclipse directory and restart Eclipse.
    Then click KeyTool under the Securex menu item to run it.
    If you are interested in SecureX, join the SecuritySite group (14966586) or email me: openssl(at)163.com

  • Weblogic security realm mapping to DB

    I have one question about Weblogic 7.01 security.
    I have created USER, GROUP and ROLES table in my RDBMS.
    Can I use the RDBMS realm if my users are in a database
    table already? Can I tune Weblogic security realm to my database tables?
    Any advice or links will be very much appreciated.
    Thanks a lot for any help, Volodymyr Shram.

    Thanks, criokeeper for your fast answer.
    Would you be so kind as to explain one thing to me?
    At http://e-docs.bea.com/wls/docs70/ConsoleHelp/domain_rdbmsrealm_config_general.html I found that "To use the RDBMS security realm, you need to use Compatibility security. The use of the RDBMS security realm is deprecated in WebLogic Server 7.0."
    What does that mean? Do I have to use Compatibility security, or is it just for the ver. 6.x to ver. 7.0 migration?
    Thanks a lot for your answer.
    Regards, Volodymyr.

  • Warning: EJB referenced an unknown security role?

    Hello,
    I get a weird error from WL 5.1 (SP6), using the default WLPropertyRealm.
    In the EJB I have the following check:
    if (ctx.isCallerInRole("ConspiratorRole")) {
        System.out.println("the user is in the ConspiratorRole role");
    }
    At run time, I get the following warning in the WL window:
    Fri Nov 10 12:56:58 EST 2000:<I>
    <EJB JAR deployment D:/weblogic/myserver/myBean.jar>
    Warning: EJB "unu" referenced an unknown security role
    However:
    - the role IS defined (see ejb-jar.xml)
    - has an associated principal (see weblogic-ejb-jar.xml)
    - there is a principal defined in weblogic.properties
    - this principal (and this role) is actually used in practice to access the
    bean. Which works.
    So why the warning?
    Any hint appreciated,
    Thanks.
    ejb-jar.xml:
    <assembly-descriptor>
      <security-role>
        <description>description of the ConspiratorRole</description>
        <role-name>ConspiratorRole</role-name>
      </security-role>
    </assembly-descriptor>
    weblogic-ejb-jar.xml:
    <weblogic-ejb-jar>
      <security-role-assignment>
        <role-name>ConspiratorRole</role-name>
        <principal-name>Conspirator</principal-name>
      </security-role-assignment>
    </weblogic-ejb-jar>

    You should not reference the role link in your code. The role link is used to
    connect the role name in your code to the
    role name in your deployment descriptor. Only if this link is set up as you
    have done below will isCallerInRole return true.
    - Sri
    Alf wrote:
    I reviewed older postings and found indications of what appears to be a bug
    in WL: that isCallerInRole always return false for role names but returns
    correct values if the role names are linked with a reference in
    <security-role-ref>. So, according to the DTD at
    http://edocs.bea.com/wle/dd/ddref.htm#1038338 I added the following in
    ejb-jar.xml:
    <ejb-jar>
      <enterprise-beans>
        <session>
          <security-role-ref>
            <role-name>ConspiratorRole</role-name>
            <role-link>ConspiratorRoleLink</role-link>
          </security-role-ref>
    and added 2 lines in the bean to test both the role and the reference
    if (ctx.isCallerInRole("ConspiratorRole")) {
        System.out.println("the user is in the ConspiratorRole role");
    }
    if (ctx.isCallerInRole("ConspiratorRoleLink")) {
        System.out.println("the user is in the ConspiratorRoleLink role");
    }
    The unexpected result was a NullPointerException at
    weblogic.ejb.internal.BaseEJBContext.isCallerInRole(BaseEJBContext.java:665)
    Can anyone shed some light? Thanks.

  • The security-role-assignment references an invalid security-role: Certifica

    In Oracle Enterprise Pack for Eclipse, I failed to deploy an application in debug mode. The error I noticed in my domain log is:
    weblogic.management.DeploymentException: [HTTP:101168]The security-role-assignment references an invalid security-role: Certificate.
         at weblogic.servlet.security.internal.WebAppSecurity.setRoleMapping(WebAppSecurity.java:180)
         at weblogic.servlet.security.internal.WebAppSecurity.registerSecurityRoles(WebAppSecurity.java:155)
         at weblogic.servlet.internal.WebAppServletContext.prepareFromDescriptors(WebAppServletContext.java:1181)
         at weblogic.servlet.internal.WebAppServletContext.prepare(WebAppServletContext.java:1120)
         at weblogic.servlet.internal.HttpServer.doPostContextInit(HttpServer.java:449)
         at weblogic.servlet.internal.HttpServer.loadWebApp(HttpServer.java:424)
         at weblogic.servlet.internal.WebAppModule.registerWebApp(WebAppModule.java:910)
         at weblogic.servlet.internal.WebAppModule.prepare(WebAppModule.java:364)
         at weblogic.application.internal.flow.ScopedModuleDriver.prepare(ScopedModuleDriver.java:176)
         at weblogic.application.internal.flow.ModuleListenerInvoker.prepare(ModuleListenerInvoker.java:93)
         at weblogic.application.internal.flow.DeploymentCallbackFlow$1.next(DeploymentCallbackFlow.java:387)
         at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:37)
         at weblogic.application.internal.flow.DeploymentCallbackFlow.prepare(DeploymentCallbackFlow.java:58)
         at weblogic.application.internal.flow.DeploymentCallbackFlow.prepare(DeploymentCallbackFlow.java:42)
         at weblogic.application.internal.BaseDeployment$1.next(BaseDeployment.java:615)
         at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:37)
         at weblogic.application.internal.BaseDeployment.prepare(BaseDeployment.java:191)
         at weblogic.application.internal.EarDeployment.prepare(EarDeployment.java:16)
         at weblogic.application.internal.DeploymentStateChecker.prepare(DeploymentStateChecker.java:155)
         at weblogic.deploy.internal.targetserver.AppContainerInvoker.prepare(AppContainerInvoker.java:60)
         at weblogic.deploy.internal.targetserver.operations.ActivateOperation.createAndPrepareContainer(ActivateOperation.java:197)
         at weblogic.deploy.internal.targetserver.operations.ActivateOperation.doPrepare(ActivateOperation.java:89)
         at weblogic.deploy.internal.targetserver.operations.AbstractOperation.prepare(AbstractOperation.java:217)
         at weblogic.deploy.internal.targetserver.DeploymentManager.handleDeploymentPrepare(DeploymentManager.java:723)
         at weblogic.deploy.internal.targetserver.DeploymentManager.prepareDeploymentList(DeploymentManager.java:1190)
         at weblogic.deploy.internal.targetserver.DeploymentManager.handlePrepare(DeploymentManager.java:248)
         at weblogic.deploy.internal.targetserver.DeploymentServiceDispatcher.prepare(DeploymentServiceDispatcher.java:159)
         at weblogic.deploy.service.internal.targetserver.DeploymentReceiverCallbackDeliverer.doPrepareCallback(DeploymentReceiverCallbackDeliverer.java:157)
         at weblogic.deploy.service.internal.targetserver.DeploymentReceiverCallbackDeliverer.access$000(DeploymentReceiverCallbackDeliverer.java:12)
         at weblogic.deploy.service.internal.targetserver.DeploymentReceiverCallbackDeliverer$1.run(DeploymentReceiverCallbackDeliverer.java:45)
         at weblogic.work.SelfTuningWorkManagerImpl$WorkAdapterImpl.run(SelfTuningWorkManagerImpl.java:516)
         at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
         at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
    What I do not understand is that this error remains even though I modified weblogic.xml to remove the following lines:
    <wls:security-role-assignment>
      <wls:role-name>Certificate</wls:role-name>
      <wls:externally-defined/>
    </wls:security-role-assignment>
    I also deleted <MYDOMAIN_HOME>/servers/AdminServer/cache and <MYDOMAIN_HOME>/servers/AdminServer/tmp but this error still showed up when I attempted to deploy the application in Eclipse.
    If I exported the EAR file and deployed it using Admin Console, the application was deployed successfully. But when I deleted it in Admin Console and attempted to deploy it in Eclipse again, the same error occurred and the deployment failed. What could be the reason for this behavior? Is there anything cached somewhere when deploying it in Eclipse? Thanks in advance for your help.
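    Both of the threads above (the EJB "unknown security role" warning and the HTTP:101168 "invalid security-role" deployment failure) come down to the same consistency rule: every role-link in a security-role-ref and every role-name in a WebLogic security-role-assignment must name a security-role that the standard J2EE descriptor declares, and a declared role with no assignment maps to nobody. The checker below is an added example, not code from either thread or from WebLogic; it reads the two descriptor pairs (ejb-jar.xml with weblogic-ejb-jar.xml, web.xml with weblogic.xml), ignoring namespace prefixes such as wls:, and reports the mismatches before deployment does. The sample descriptors are constructed from the fragments posted in the threads; the role name AppUser and the namespace URIs are assumptions for the sample.

```python
"""Cross-check J2EE security-role declarations against WebLogic role mappings.

Added example; not from the forum threads or from WebLogic itself.
"""
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip the namespace from an ElementTree tag ('{uri}role-name' -> 'role-name')."""
    return tag.rsplit('}', 1)[-1]


def _find_all(elem, name):
    """All descendants (including elem) whose local tag name is `name`."""
    return [c for c in elem.iter() if _local(c.tag) == name]


def _text(elem, name):
    """Text of the first descendant named `name`, or None if absent."""
    for c in elem.iter():
        if c is not elem and _local(c.tag) == name:
            return (c.text or '').strip()
    return None


def declared_roles(descriptor_xml):
    """<security-role><role-name> values of ejb-jar.xml or web.xml."""
    root = ET.fromstring(descriptor_xml)
    return {_text(sr, 'role-name') for sr in _find_all(root, 'security-role')}


def role_refs(descriptor_xml):
    """(role-name, role-link) pairs of every <security-role-ref> in ejb-jar.xml."""
    root = ET.fromstring(descriptor_xml)
    return [(_text(r, 'role-name'), _text(r, 'role-link'))
            for r in _find_all(root, 'security-role-ref')]


def role_assignments(wl_descriptor_xml):
    """role-name -> principals of every <security-role-assignment> (weblogic*.xml)."""
    root = ET.fromstring(wl_descriptor_xml)
    out = {}
    for a in _find_all(root, 'security-role-assignment'):
        principals = [(p.text or '').strip() for p in _find_all(a, 'principal-name')]
        if _find_all(a, 'externally-defined'):
            principals.append('<externally-defined>')   # mapped in the realm, not here
        out[_text(a, 'role-name')] = principals
    return out


def check_descriptors(std_xml, wl_xml):
    """Return a list of findings; an empty list means the pair is consistent."""
    roles = declared_roles(std_xml)
    findings = []
    # A role-ref's link (or its name, when there is no link) must be a declared role.
    for name, link in role_refs(std_xml):
        target = link or name
        if target not in roles:
            findings.append(f"security-role-ref '{name}' links to undeclared role '{target}'")
    # Every WebLogic assignment must target a declared role (what HTTP:101168 reports).
    assignments = role_assignments(wl_xml)
    for name in assignments:
        if name not in roles:
            findings.append(f"security-role-assignment references an invalid security-role: {name}")
    # A declared role nobody is mapped to grants access to no one.
    for name in sorted(roles - set(assignments)):
        findings.append(f"declared role '{name}' has no security-role-assignment")
    return findings


# Constructed samples based on the fragments posted in the threads.
EJB_JAR_XML = """<ejb-jar>
  <enterprise-beans><session><ejb-name>unu</ejb-name>
    <security-role-ref>
      <role-name>ConspiratorRole</role-name>
      <role-link>ConspiratorRoleLink</role-link>
    </security-role-ref>
  </session></enterprise-beans>
  <assembly-descriptor>
    <security-role><role-name>ConspiratorRole</role-name></security-role>
  </assembly-descriptor>
</ejb-jar>"""
WEBLOGIC_EJB_JAR_XML = """<weblogic-ejb-jar>
  <security-role-assignment>
    <role-name>ConspiratorRole</role-name>
    <principal-name>Conspirator</principal-name>
  </security-role-assignment>
</weblogic-ejb-jar>"""
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-role><role-name>AppUser</role-name></security-role>
</web-app>"""
WEBLOGIC_XML = """<wls:weblogic-web-app xmlns:wls="http://xmlns.oracle.com/weblogic/weblogic-web-app">
  <wls:security-role-assignment>
    <wls:role-name>Certificate</wls:role-name>
    <wls:externally-defined/>
  </wls:security-role-assignment>
</wls:weblogic-web-app>"""

if __name__ == '__main__':
    for label, std, wl in (('ejb', EJB_JAR_XML, WEBLOGIC_EJB_JAR_XML),
                           ('web', WEB_XML, WEBLOGIC_XML)):
        for finding in check_descriptors(std, wl) or ['consistent']:
            print(f'{label}: {finding}')
```

    Run on the EJB sample it flags the role-link: the link must point at a declared security-role (here ConspiratorRole), and the role-name in the ref is the alias the bean code passes to isCallerInRole, which is the reversal Sri describes. On the web sample it reproduces the Certificate mismatch from the deployment exception and also notes that AppUser has no mapping at all.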

    Hi,
    I know that is an old thread, but just in case... Maybe you could try setting up the DEBUG_OPTIONS in your startManagedWeblogic script and configure a remote debug in Eclipse:
    DEBUG_OPTIONS="-Xdebug -Xnoagent -Xrunjdwp:transport=dt_socket,address=8003,server=y,suspend=n"
    Hope it helps,
    Luis
