Assign application roles after authentication

Hi,
It's been some time now I'm struggling with this issue...
I have a client application (not a web one) trying to access an EJB resource.
The EJB is first looked up through jndi and then asked to invoke a method, say test().
In ejb-jar.xml I have the following:
<security-role >
<role-name>AN_APP_ROLE</role-name>
</security-role>
<method-permission >
<role-name>AN_APP_ROLE</role-name>
<method >
<ejb-name>EJB NAME</ejb-name>
<method-intf>Remote</method-intf>
<method-name>test</method-name>
<method-params>
</method-params>
</method>
</method-permission>
I manage to have OID perform the authentication, so that I can perform the EJB lookup and call non protected methods. Issues arise when trying to get the roles working.
I know that i can <security-role-mapping> AN_APP_ROLE to an oid group; what I am trying to accomplish is to have oid do the authentication and be able to fetch the application roles from a database.
As a starting point what I've done is a client LoginModule that first authenticates against the OID (by looking up an EJB resource) and then, in the commit(), do the following:
this.subject.getPrincipals ().add (new RoleExtended("AN_APP_ROLE"));
Nevertheless access is denied when the client tries to access the protected test() method.
It seems that somehow even if the Subject has the role within its principals, the container doesn't threat it such.
I am pretty stuck, and starting to wonder if this is the right approach...Nevertheless I don't think putting the application roles in oid is a good idea, since application roles should remain an application property not a enterprise directory one.
Any hint?!
cheers,
Francesco
p.s: in jazn.xml I have
<property name="role.mapping.dynamic" value="true"/>

Similar Messages

Assign Application Roles

Hi All,
I am new to SOA and I want to know how to assign application roles (Not global roles) through EM Console. As, I am unable to assign the roles through BPM workspace. I can go to the administrator tab and assign the roles to me. But in the task list I am unable to get the task.
Thanks and Regards,
Ram

Hi Ram,
Refer this doc:
http://docs.oracle.com/cd/E24628_01/doc.121/e36415/sec_features.htm#CJADDBGA
HTH
Mani

Assign application to user

I have a workspace with multiple applications.
How do i control which application a user logs into?
For example: i have an order entry application and an inventory control application. I want user A to go to the order entry app., and user B to go to the inventory app. whenever they log in.
Right now, after having created the users, when they log in, all they get is the htmlbd welcome page with out the
Application Builder, SQL Workshop, Data Workshop, and Administration buttons.
I guess somehow i need to direct them to my custom login page?
Christoph

Christoph,
Generally speaking, the applications you build for end users should be completely separate from the HTML DB development environment in terms of the authentication and authorization mechanisms they use. There is no need for end users to log in to the HTML DB development environment in order to run your applications.
Each application should have a home page URL that you communicate to users, e.g., the home page for Order entry might be ../f?p=ORDER-ENTRY:1, the home page for Inventory Control might be ../f?p=INV-CONTROL:1, etc., where you use application aliases as shown or numeric application IDs. You will have created an authentication scheme and a login page in each application (see http://otn.oracle.com/products/database/htmldb/howtos/how_to_change_auth_method.html and http://otn.oracle.com/products/database/htmldb/howtos/how_to_create_login_page.html), such that when a user visits the home URL of an application, the user is initially redirected to the login page in that application. After authentication, the user is shown the page originally requested. How your login page authenticates the user is a choice you must make (custom tables, LDAP, HTML DB developer accounts, SSO). Of course, applications that use a Single Sign-On method won't use internal login pages, but users would still access different applications by using URLs to each application's home page.
In a development/demonstration environment, it is often convenient to have small numbers of users authenticate to your applications (using login pages in those apps) using the HTML DB developer account repository. During this phase, account creation/maintenance chores are your problem. For production deployment, this is not recommended because of the numerous security and administrative issues attendant to user account management involving a local user repository within a larger IT environment.
Your application design should also address the problem of authorization, i.e., which authenticated users are allowed to use which applications and which components within each application.
Scott

Error assigning users to application Role in Obiee 11.1.1.7.0

Hello
I installed Obiee 11.1.1.7.0 both on Windows and Linux platform and after that, I successfully set Active Directory integration. I have a problem assigning users to Application Role in EM. When I'm trying to search a user on Display name, the Principal userName returned is blank and the error is : Java Null Pointer Exception
After that I install a fresh copy of 11.1.6.0. After AD Integration, I was able to assign users to Application Role. I made 11.1.1.7.0 upgrade and same error has come. I think this is a bug because same AD settings on 11.1.1.6.0 works.
The error:
ava.lang.NullPointerException
#{viewScope.emas_pagemodel_security_EditAppRole.searchPrincipal}: java.lang.NullPointerException
Hide Additional Trace Information
javax.faces.FacesException: #{viewScope.emas_pagemodel_security_EditAppRole.searchPrincipal}: java.lang.NullPointerException at com.sun.faces.application.ActionListenerImpl.processAction(ActionListenerImpl.java:118) at org.apache.myfaces.trinidad.component.UIXCommand.broadcast(UIXCommand.java:190) at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent$1.run(ContextSwitchingComponent.java:92) at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent._processPhase(ContextSwitchingComponent.java:361) at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent.broadcast(ContextSwitchingComponent.java:96) at oracle.adf.view.rich.component.fragment.UIXInclude.broadcast(UIXInclude.java:103) at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent$1.run(ContextSwitchingComponent.java:92) at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent._processPhase(ContextSwitchingComponent.java:361) at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent.broadcast(ContextSwitchingComponent.java:96) at oracle.adf.view.rich.component.fragment.UIXInclude.broadcast(UIXInclude.java:97) at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl.broadcastEvents(LifecycleImpl.java:1086) at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl._executePhase(LifecycleImpl.java:434) at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:207) at javax.faces.webapp.FacesServlet.service(FacesServlet.java:265) at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227) at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125) at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:300) at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at oracle.sysman.emSDK.license.LicenseFilter.doFilter(LicenseFilter.java:101) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at oracle.adf.model.servlet.ADFBindingFilter.doFilter(ADFBindingFilter.java:205) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at oracle.adfinternal.view.faces.webapp.rich.RegistrationFilter.doFilter(RegistrationFilter.java:128) at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl$FilterListChain.doFilter(TrinidadFilterImpl.java:446) at oracle.adfinternal.view.faces.activedata.AdsFilter.doFilter(AdsFilter.java:60) at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl$FilterListChain.doFilter(TrinidadFilterImpl.java:446) at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl._doFilterImpl(TrinidadFilterImpl.java:271) at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl.doFilter(TrinidadFilterImpl.java:177) at org.apache.myfaces.trinidad.webapp.TrinidadFilter.doFilter(TrinidadFilter.java:92) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at oracle.help.web.rich.OHWFilter.doFilter(Unknown Source) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at oracle.sysman.emas.fwk.MASConnectionFilter.doFilter(MASConnectionFilter.java:41) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at oracle.adf.library.webapp.LibraryFilter.doFilter(LibraryFilter.java:180) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at oracle.sysman.eml.app.AuditServletFilter.doFilter(AuditServletFilter.java:179) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at oracle.sysman.eml.app.EMRepLoginFilter.doFilter(EMRepLoginFilter.java:203) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at oracle.sysman.core.model.targetauth.EMLangPrefFilter.doFilter(EMLangPrefFilter.java:158) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at oracle.sysman.core.app.perf.PerfFilter.doFilter(PerfFilter.java:141) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at oracle.sysman.eml.app.ContextInitFilter.doFilter(ContextInitFilter.java:542) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at oracle.security.jps.ee.http.JpsAbsFilter$1.run(JpsAbsFilter.java:119) at java.security.AccessController.doPrivileged(Native Method) at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:324) at oracle.security.jps.ee.util.JpsPlatformUtil.runJaasMode(JpsPlatformUtil.java:460) at oracle.security.jps.ee.http.JpsAbsFilter.runJaasMode(JpsAbsFilter.java:103) at oracle.security.jps.ee.http.JpsAbsFilter.doFilter(JpsAbsFilter.java:171) at oracle.security.jps.ee.http.JpsFilter.doFilter(JpsFilter.java:71) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at oracle.dms.servlet.DMSServletFilter.doFilter(DMSServletFilter.java:163) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at weblogic.servlet.internal.RequestEventsFilter.doFilter(RequestEventsFilter.java:27) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3715) at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3681) at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321) at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120) at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2277) at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2183) at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1454) at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209) at weblogic.work.ExecuteThread.run(ExecuteThread.java:178) Caused by: javax.faces.el.EvaluationException: java.lang.NullPointerException at org.apache.myfaces.trinidad.component.MethodExpressionMethodBinding.invoke(MethodExpressionMethodBinding.java:51) at com.sun.faces.application.ActionListenerImpl.processAction(ActionListenerImpl.java:102) ... 67 more Caused by: java.lang.NullPointerException at oracle.sysman.emas.model.security.DialogAdminBean$1.compare(DialogAdminBean.java:567) at java.util.Arrays.mergeSort(Arrays.java:1270) at java.util.Arrays.mergeSort(Arrays.java:1281) at java.util.Arrays.sort(Arrays.java:1210) at java.util.Collections.sort(Collections.java:157) at oracle.sysman.emas.model.security.DialogAdminBean.fetchPrincipals(DialogAdminBean.java:563) at oracle.sysman.emas.pagemodel.security.identity.EditAppRolePageModel.searchPrincipal(EditAppRolePageModel.java:496) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at com.sun.el.parser.AstValue.invoke(Unknown Source) at com.sun.el.MethodExpressionImpl.invoke(Unknown Source) at org.apache.myfaces.trinidad.component.MethodExpressionMethodBinding.invoke(MethodExpressionMethodBinding.java:46) ... 68 more
Any suggestion?
Thx
Gabriel
Edited by: Gabbriel on Apr 23, 2013 10:46 PM

We received from Oracle a work-around of this problem.
It seems to be related to the virtualize flag set to true. I f you set it to false the problem disappear (it works for me).
(rif. http://docs.oracle.com/cd/E28280_01/bi.1111/e10543/privileges.htm#BABDCJBH)
There's an open BUG on this problem: Bug 16808088 - 11G JAVA.LANG.NULLPOINTEREXCEPTION ADDING USER TO ROLE AFTER UPGRADE TO 11.1.1.7.
Hope this works.
S.

OBIEE 11g issue - same user assigned to the multiple application role

Hi All,
We are facing an issue when assigning a user to the multiple application role and applying the data level filter on the different column of the same table.
For example, we have a table Department with three columns Department No, Department name, Department location.
Application Role A1 and A2 are created.
Data Level security Applied on the application role A1: Department Name='Finance'
Data Level Security Applied on the application role A2: Department location='US'
The user "User1" is created in LDAP and is assigned to both the Application roles A1 and A2.
When logged in with "User1", none of the filters of Role A1 or A2 is applied in the report. If this user is assigned to only one role, either A1 or A2, then the filter is applied. It seems the filter will not be applied if a user belongs to multiple roles with data filter applied on the same table across these roles.
Please reply if anyone has faced similar issue.

Hi All,
Regarding the above issue to update the analysis we came up that the user if assigned to the multiple group with the data filter applied on the same column of the table is getting an *"OR"* join.
We had a requirement to get an "AND" in the query condition. Please let us know if any one faced the issue and the resolution of the same.
Regards,
Jyotshna

Assigning App Builder and Application roles using Account Administration Tool

If you have a DPS Enterprise or Professional Account and need to assign App Builder or Application role to an id to in case you need to create a new id with these roles, refer to the following documentation:
Assigning App Builder and Application roles in your DPS Professional or Enterprise accounts

gnm,
Please refer to KnowledgeBase 2IDDCHB9: Using Remote Panels with a LabVIEW Applications (EXE) for the information you are looking for.
Randy Hoskin
Applications Engineer
National Instruments
http://www.ni.com/ask

Assigning user roles in my application in a programatic way

Hi,
How can I assign user roles in a programatic way when I am using the Sun One 7 server? Is that possible?
Thanks,
Wanderley.

Sorry, but I need to know HOW can I assign roles( RolesPrincipals) to the container Subject (using JAAS)?
When I am using, for instance Tomcat, I assign the roles to the container's Subject defining the Roles Principals in server.xml. Like this:
<Realm className="org.apache.catalina.realm.JAASRealm"
userClassNames="br.com.caf.security.auth.LoginPrincipal"
roleClassNames="br.com.caf.security.auth.RolesPrincipal"/>Doing that, Tomcat will know which Principal to return when I call "request.getUserPrincipal()".
In JBoss I implement a LoginModule (org.jboss.security.auth.spi.AbstractServerLoginModule) that defines who is my User (LoginPrincipal) and his Roles (RolesPrincipal).
How can I assign user and his roles to the container's subject in Sun One?
Thanks,
Wanderley.

Need help with data filtering on groups/application roles

Hello,
I have a situation where I have to apply security on objects (reports, prompts etc) and dimension members (Essbase cube). So the idea is like this:
Report 1: access to three users (U1, U2, U3), but for dimension Company they have separate rights:
U1: Company A, Companies A.1-A.7 (children of A) and Companies A.1.1-A.1.9 (children of A.1);
U2: Company A.1 and Companies A.1.1-A.1.9;
U3: Company A.1.1
same for Report 2, but users must have access to different companyes, like Company B, B1...
In WebLogic Console I created three groups (G1-G3) and placed each user to a group (U1-> G1, U2 ->G2, U3->G3). Then in WebLogic EM I created three application roles (R1-R3) and added for each, corresponding user (R1-> U1, R2->U2, R3-> U3).
My approach was to use application roles like this:
R1: include User1 and filter data on repository by application role to each generation of the cube ("Data_Source_Name"."Dimension_Name"."Generation2,Dimension"='Company A',"Data_Source_Name"."Dimension_Name"."Generation3,Dimension"='Company A.1', "Data_Source_Name"."Dimension_Name"."Generation4,Dimension"='Company A.1.1')
R2: include User2 and filter data on repository by application role to each generation of the cube ("Data_Source_Name"."Dimension_Name"."Generation3,Dimension"='Company A.1', "Data_Source_Name"."Dimension_Name"."Generation4,Dimension"='Company A.1.1')
R3: include User3 and filter data on repository by application role to each generation of the cube ("Data_Source_Name"."Dimension_Name"."Generation4,Dimension"='Company A.1.1').
I've noticed that, by default, each role inherites BIConsumer and "localmachineusers" application roles, so I set in repository these both roles to filter data as the role 3 (the lowest level of acces), in order for my roles (Roles 1 to 3) to have the highest privileges.
In repository I cannot see any of my users (U1-U3), but just the application roles they are in.
For Report 1 I set the access to Roles 1-3 and when I am logged on as U3 this report should display only the data for Company A.1.1, but it doesn't (displays data also for Company A, Companies A.1-A.7).
In fact it seems, that the data isn't filtered at all, which drives me to the conclusion that my data filter is override by another role, maybe ?
Could you please give me a clue about what I am missing here ?
Thank you.

Amith,
Please bear this with me - see my comments below (search for petresion_Comments):
So, we have three users who have access to a report called Report1. But the data that they see in the report needs to be different. The report has a dimension company, and each user needs to see different companies data. So the filtering needs to be done on company dimension.
petresion_Comment: That's my case to solve.
Now the groups in weblogic has no purpose in OBIEE 11g unless you are using an LDAP authenticator who has groups defined in the active directory. By this I mean the network people are maintaining the users and group relation necessary for OBIEE. So keeping the weblogic groups apart for a minute, lets deal with users and roles only.
The three users are assigned to three different roles R1, R2 and R3. By default, all the roles inherit the BIconsumer role, and localmachineusers role you mentioned is not an OTB role. This is something that is probably causing the data filtering to fail. Do a test like create a user in weblogic, assign him only to the localmachineusers role, and go to analytics, and check your roles and groups by going under my account. Make sure this role is not inheriting any other roles like BIAdministrator, BIauthor etc. So in conclusion, when one of your users login, they should inherit only their custom Role (R1 for instance), BIConsumer, Authenticated User, and your custom role localmachineusers.
petresion_Comment: That is what I checked on the first time (few days ago) and is exactly as you say (BIConsumer, localmachinerole and Role1).
Do not apply any data filters on the BIConsumer role. This is not a good practice because the filters get applied to every single user that logs into the system.
petresion_Comment: I know that, but appliyng filters on BIConsumer role I tried to make sure that its privileges doesn't overrides any of my Roles (1,2 or 3). I will remove the filter on BIConsumer.
Now create the data filters on your custom roles (R1, R2, R3). Save the RPD. Deploy the Rpd through Enterprise Manager.
petresion_Comment: Only difference in my case is that I stopped BI services, applied changes to rpd in Offline mode and then restarted BI services.But also tried as you mentioned (by the book in fact) and same result. The problem is the same, my roles(1,2,3) don't filter the companies at all.
Once you are done with all the work above, you should login into analytics as user1. After logging in go to my account, roles and groups, and make sure you see the R1 in the list of groups. Now run the report, and your filters should get applied no matter what. If they are still not getting applied, grab the physical sql and see if the filters are existing in the where condition.
petresion_Comment: Where can I capture the physical SQL (probably an MDX sent to the Essbase cube ?) ?
One other reason could be, one of the roles that are assigned to the user1 by default, is overriding the filters. Like for example, if a user is assigned to BIAdmin role, and no matter if you assign him to a different role that has 100's of filters, he will still see all of the data.
petresion_Comment: As I said before, each of my users are members of their roles, BIComsumer and localmachinerole, so no other privileges (no BIAdmin role).
Thank you for the patience.
John

Redirecting user to acustom page depending on security role after glassfish

Hi,
I have a JSF application using glassfish authentication mechanism. I'm planning to use a jdbc realm and form based authentication (I'm using a jsp page to get username and password) . I have 3 different user roles (student, admin and staff)
However I cannot find how to redirect a user to a different page (Ex: staff report page if the logged in user is in the security role staff). I have configured sun-web.xml and web.xml to map the roles and groups. The problem is after authentication the user is always redirected back to the home page, which is the login page. I understand this is how the glassfish authentication works by default. But is there a way to navigate the user to a different page depending on his role.
I'm new to EJB security. Please help me on this subject. Thanks a lot in advance.

Check this blog post, which provides an alternate solution (You can choose the best possible solution based on your use-case).
http://andrejusb.blogspot.com/2007/10/security-in-oracle-adf-and-automatic.html
Thanks,
Navaneeth

Approver for the application role not working out

Hi,
I have created a role with type application and Approver A, then created a business role with the Approver B and included application role into the business role.
When i assign this business role to a user the only request for approval goes to Approver B and after approval the both application and business roles are assigned. Strangely it seem to skip the Approver A. I did even remove the approver in business role, leaving only approver in application role, still same result - it skips Approver A.
I'm using IDM 8.0.0.1, any ideas why it would skip the approver in the included role?
Thanks!

Thanks for the quick reply. I've tried optional with approval and here is what I found.
It seems I need a combination of the two. My end goal is to have a second level approval, one group would be responsible for approving the business role and the system owners would be responsible for approving the nested application roles. When a user requests the business role, they must have approvals for the business role and all of the nested application roles for their request to be completed.
If the app. roles are required, the workflow automatically incorporate the nested appl. roles in the request but does not require approval for them. If they are conditional with approval, the user would have to submit a second request to get all of the nested application roles. It looks like I need a combination of the two, required with approval.
I need it to behave like it does when you have a role with approver that includes resources with an approver. The role and resources must all be approved before the request can be completed successfully.
I'm trying to see if this is possible through the GUI before I customize the workflow.

Application role

I create application roles and assign them to an enterprise role at jazn-data.xml in jdeveloper.
However, after deployment I cannot find these application roles. But I can find the enterprise role.

Thanks for your reply. I can see application roles in EM.
I have 2 adf applications. Application A has application role A and B. Application B has application role C and D.
How to set the security in Jdevloper, weblogic admin console or EM that :
users in application role A and B can only login to Application A.
users in application role C and D can only login to Application B.
I deploy the sample application of 048. XML Menu Model site menus protected with ADF Security and JAAS of Oracle ADF Code Corner. However, in the EM, I cannot see application roles.

Map wls roles to application roles

how can i map weblogic roles to my application roles ?
already, i config db authentication in wls
but how can i map it to jazen-data.xml file ?

Hi,
either you create the same roles in jazn-data.xml in which case they are automatically used after deployment or you have a look at how to map user groups (not application roles) created in jazn-data.xml to WLS groups using the weblogic.xml file
Frank

Error while trying to assign a role via CUP in Portal

Hello Experts,
I am trying to create a request to assign a role in EP via CUP ( 5.3)
EP Connector is working fine as I have imported Portal roles etc
SPML service is working fine
I have done the mapping in the Provisioning tab for Portal system
logonname in portal is email address of an employee
So the I have done the following mapping
AC Field Application field
email addres-Stndard logonname
And I have the following error while trying to create a request which I grabbed form the log
ERROR Exception during EJB call, Ignoring and trying Webservice Call
LinkageError: loader constraints violated when linking com/virsa/cc/xsys/webservices/dto/WSRAInputParamDTO class
ERROR com.virsa.ae.core.BOException: Exception from the service : Invalid System
com.virsa.ae.core.BOException: Exception from the service : Invalid System
ERROR : BO Exception in Save request
Any suggestions would be really appreciated
Regards
Kev

Kevin,
I was able to replicate your issue and there is a setting in the CUP that you have to disable, Goto the config tab in the CUP and select NO for the "Risk Analysis On Request Submission " under risk analysis.
Issue here is you did not create a connector for your EP in the RAR, I believe you have the above mentioned parameter to yes and so when you are submitting a request CUP is trying to do the risk analysis but RAR was not able to find any System, so it is thowing an error.
You can resolve this issue in two ways, one is to create a connector in RAR or the other is to disable the setting in the CUP.
Hope this helps.
Naveen

LDAP user to application role mapping

Hi All,
OBIEE 11.1.1.5
I have a table with ldap username and role. I have also configured external LDAP server in RPD. Users are able to login to portal.
Can some one guide me, how to make sure that when user login to OBIEE automatically by table the role will be fetched and mapped with application role created?
Or, In simple words,
How can I assign an external ldap user to be mapped to application role? One by one?? or Via table as mentioned above?
Anyone can help? All documents are not giving this simple picture to me.
It was easy in 10g, In 11g is it rocket science so that my company can loose the hope to go ahead with 11g?

Hi,
1. Create block to initialize USER variable with user name from LDAP
2. Create block to initialize GROUP variable with role name from external table
3. In initializtion block for GROUP variable add precedence with User init block to make sure that USER variable have value
4. If one user can have few roles you should check row-wise-initialization oprion
Hope it's helpful

J_security_check not redirecting after authentication - in one environment

Hi all,
I have a J2EE web application developed in JDeveloper 10.1.3 which uses JAAS security with a custom authentication provider class. I can configure this is both a windows and unix based OC4J. The windows OC4J is stand alone, the unix one is part of a managed instance (OPMN).
When I deploy to windows, attempts to access a protected resource cause the authentication to fire off perfectly and redirect to the appropriate url after login is successful. Absolutely no problems.
When I deploy to unix with the same configuration, the authentication fires off perfectly but after authentication the redirect attempts to go to Base URL/j_security_check which results in a 404 not found as j_security_check is a logical name and not a real url.
I have tried setting the ocfj.formauth.redirect flag in the oc4j startup options and this did not seen to help. I still got the 404 error.
Can anyone advise me on whether there are any switches or parameters I need to set for the j_security_check redirection to work correctly, or is there something else I need to do in a unix (Solaris) environment to cause the redirections to work?
thanks for any suggestions
Ben

Hi,
you are always seeing the j_security_check in the URL. It seems that this problem is OC4J rekated and I suggest to post the question on the Application Server or the J2EE forum here on OTN
Frank

Assign application roles after authentication

Similar Messages

Maybe you are looking for