Authentication for a particular ACL

Hi,
I am trying to implement Authentication for a particular ACL on the ASA, i.e. whenever that particular ACL is matched, the ASA will authenticate the user with either local database or AAA server.
I have seen the document "Configuring AAA for cut-through proxy", but that says it works only for http, https and ftp etc, whereas in my case i m looking to authenticate the users trying to access my sql server, for which i need to match a particular ACL.
regards,
Mohsin

Mohsin,
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/access_fwaaa.html#wp1063502
You will have to setup a virtual http, ftp portal so that when users hit the ACL setup for cut-through proxy for the sql ports, that they will have to fire up a telnet, ftp or http session, enter their credentials and then will be permitted access to the sql server.
Give this a shot and let us know if there is anything else that you need help with.
thanks,
Tarik

Similar Messages

RE: Acls for a particular users

Hi,
I want to get a list of Acls for a particular users. Can anyone tell me how
to achieve this. I am using the RDBMS Realm Implementation.
After user logs in, I want to present the user with a list of applications
that the user is authorized. To do this, I need to get a list of Acls for
this user. I tried to implement a method in the DefaultRealmExtender which
gets all the Acls and then checks for permission "execute". This works fine
when the jsp is displayed, but if I leave the browser for a while and then
refresh the page, the entire weblogic shuts down. After debugging, I found
out that it blows up when it tries to check the permission. Any help will be
appreciated.
Thanks,
Gajendra Sanil

Hi VB,
Thanks for your response. But the applicant is still active for some of the Vacancies. I can't delete that person.
We can do this from the applicant from. NAv: Vacancies--> Applicants--> select the rejected applicants--> In the application tab there is one field called " Reconsider Applicant" If you select the reason you will be able to consider that applicant for that same vacancy but in the applicant tab i am not finding the reason field only for this applicant. I think this applicant perform some different step while he is with drewn the applicantion.
Joshna.

Radius authentication for the browser-based webtop

Hiya all,
With help of the radius-authentication module for apache (http://www.freeradius.org/mod_auth_radius/) and web-authentication it is possible to use radius-authentication for the classic-webtop. Has anyone got Radius authentication working for the browser-basedwebtop?
SSGD version:
Sun Secure Global Desktop Software for Intel Solaris 10+ (4.30.915)
Architecture code: i3so0510
This host: SunOS sgd1.<removed> 5.10 Generic_118855-36 i86pc i386 i86pc
I have the radius-module running for authentication of a single directory with the apache-config-lines:
SetEnvIf Request_URI "\.(cab|jar|gif|der)$" sgd_noauth_ok
<LocationMatch "/secure">
Order Allow,Deny
Allow from env=sgd_noauth_ok
AuthName "Radius authentication for SGD"
Authtype Basic
AuthRadiusAuthoritative on
AuthRadiusCookieValid 540
AuthRadiusActive On
Require valid-user
Satisfy any
</LocationMatch>
When changing the line <LocationMatch "/secure"> to <LocationMatch "/sgd"> the browser asks for a authentication and then a 'Not Found' page is being displayed.
When using the config-lines from http://docs.sun.com/source/819-6255/webauth_config_browser.html the login-page is being displayed normally and SSGD works.
The main difference I can find between the location /secure and /sgd is: /secure is a simple directory and /sgd is a JkMount to Tomcat.
Changing the JkLogLevel to debug gives the following info in the JkLogFile:
Radius authentication:
[Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (449): Attempting to map URI '/sgd' from 5 maps
[Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/examples/*'
[Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/axis/*'
[Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/sgd/*'
[Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/axis'
[Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/sgd'
[Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (486): Found an exact match tta -> /sgd
With the password-authentication file:
[Tue Jun 05 13:55:29 2007] [12123:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (449): Attempting to map URI '/sgd/' from 5 maps
[Tue Jun 05 13:55:29 2007] [12123:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/examples/*'
[Tue Jun 05 13:55:29 2007] [12123:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/axis/*'
[Tue Jun 05 13:55:29 2007] [12123:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/sgd/*'
[Tue Jun 05 13:55:29 2007] [12123:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (475): Found a wildchar match tta -> /sgd/*
[Tue Jun 05 13:55:29 2007] [12123:0000] [debug] wc_get_worker_for_name::jk_worker.c (111): found a worker tta
[Tue Jun 05 13:55:29 2007] [12123:0000] [debug] wc_maintain::jk_worker.c (301): Maintaining worker axis
[Tue Jun 05 13:55:29 2007] [12123:0000] [debug] wc_maintain::jk_worker.c (301): Maintaining worker tta
[Tue Jun 05 13:55:29 2007] [12123:0000] [debug] wc_maintain::jk_worker.c (301): Maintaining worker examples
It seems that the JkMount is not being evaluated correctly after using the radius-authentication.
Any help will be usefull since I am allready stuck on this problem for a couple of days :(
Thanks,
Remold | Everett

I got response from the Fat Bloke on the mailing list.
Adding the following line in the apache httpd.conf seams to help and resolved my problem:
Alias /sgd "/opt/tarantella/webserver/tomcat/5.0.28_axis1.2final_jk1.2.8/webapps/sgd"
Thanks The Fat Bloke !!
- Remold
These instructions are for a 4.2 SGD installation using SGD's third
party web authentication with mod_auth_radius.so (www.freeradius.org).
With 4.2 Sun didn't distribute enough of the Apache configured tree
to enable the use of axps to build the mod_auth_radius module, 4.3 is
better - Sun now install a modified axps and include files, I haven't
tried this with 4.3 yet though.
I built the mod_auth_radius module for Apache 1.3.33 (shipped with 4.2)
So, this is how we got this working with Radius (tested with SBR
server and freeradius.org server.)
Install SGD in the usual way.
Enable 3rd party authentication:
According to:
http://docs.sun.com/source/819-4309-10/en-us/base/standard/
webauth_config_browser.html
Configure the Tomcat component of the Secure Global Desktop Web
Server to
trust the web server authentication. On each array member, edit the
/opt/tarantella/webserver/tomcat/version/conf/server.xml file. Add the
following attribute to the connector element (<Connector>) for the
Coyote/JK2 AJP 1.3 Connector:
tomcatAuthentication="false"
# cat /opt/tarantella/webserver/tomcat/5.0.28_axis1.2final_jk1.2.8/
conf/server.xml

<Connector port="8009" minProcessors="5" maxProcessors="75"
tomcatAuthentication="false"
enableLookups="true" redirectPort="8443"
acceptCount="10" debug="0" connectionTimeout="0"
useURIValidationHack="false"
protocolHandlerClassName="org.apache.jk.server.JkCoyoteHandler"/>
"By default, for security reasons, Secure Global Desktop
Administrators can't
log in to the browser-based webtop with web server authentication.
The standard
login page always displays for these users even if they have been
authenticated
by the web server. To change this behavior, run the following command:"
# tarantella config edit --tarantella-config-login-thirdparty-
allowadmins 1
Without this, after authenticating via webauth, the user will be
prompted for a
second username and password combination.
# /opt/tarantella/bin/tarantella objectmanager &
# /opt/tarantella/bin/tarantella arraymanager &
In Array Manager:
Select "Secure Global Desktop Login" on left side and click
"Properites" at bottom
Under "Secure Global Desktop Login Properties"
cd /opt/tarantella/webserver/apache/
1.3.33_mod_ssl-2.8.22_openssl-0.9.7e_jk1.2.8/conf
edit httpd.conf:
### For SGD Apache based authentication
Include conf/httpd4radius.conf
at the end of httpd.conf add:
Alias /sgd "/opt/tarantella/webserver/tomcat/
5.0.28_axis1.2final_jk1.2.8/webapps/sgd"
# cat httpd4radius.conf
LoadModule radius_auth_module libexec/mod_auth_radius.so
AddModule mod_auth_radius.c
# Add to the BOTTOM of httpd.conf
# If we're using mod_auth_radius, then add it's specific
# configuration options.
<IfModule mod_auth_radius.c>
# AddRadiusAuth server[:port] <shared-secret> [ timeout [ : retries ]]
# Use localhost, the old RADIUS port, secret 'testing123',
# time out after 5 seconds, and retry 3 times.
AddRadiusAuth radiusserver:1812 testing123 5:3
# AuthRadiusBindAddress <hostname/ip-address>
# Bind client (local) socket to this local IP address.
# The server will then see RADIUS client requests will come from
# the given IP address.
# By default, the module does not bind to any particular address,
# and the operating system chooses the address to use.
# AddRadiusCookieValid <minutes-for-which-cookie-is-valid>
# the special value of 0 (zero) means the cookie is valid forever.
AddRadiusCookieValid 5
</IfModule>
<LocationMatch /radius >
Order Allow,Deny
AuthType Basic
AuthName "RADIUS Authentication"
AuthAuthoritative off
AuthRadiusAuthoritative on
AuthRadiusCookieValid 5
AuthRadiusActive On
Require valid-user
Satisfy any
</LocationMatch>
SetEnvIf Request_URI "\.(cab|jar|gif|der)$" sgd_noauth_ok
<LocationMatch /sgd >
Order Allow,Deny
Allow from env=sgd_noauth_ok
AuthType Basic
AuthName "RADIUS Authentication"
AuthAuthoritative off
AuthRadiusAuthoritative on
AuthRadiusCookieValid 5
AuthRadiusActive On
Require valid-user
Satisfy any
</LocationMatch>
Put appropriate mod_auth_radius.so into
/opt/tarantella/webserver/apache/
1.3.33_mod_ssl-2.8.22_openssl-0.9.7e_jk1.2.8/libexec
# mkdir /opt/tarantella/webserver/apache/
1.3.33_mod_ssl-2.8.22_openssl-0.9.7e_jk1.2.8/htdocs/radius/
# cat /opt/tarantella/webserver/apache/
1.3.33_mod_ssl-2.8.22_openssl-0.9.7e_jk1.2.8/htdocs/htpasswd/index.html
<HTML>
<HEAD>
<TITLE> Test Page for RADIUS authentication </TITLE>
</HEAD>
<BODY>
 You have reached the test page for RADIUS authentication.
</BODY>
</HTML>
I hope this helps!
-FB

Search for a particular user

I have configured LDAP authentication and mapped few LDAP user groups to BOXI. When an user group is added all the user will also be mapped to BOXI. For the users mapped the distinguished name is added as one of the alias.
The requirement is to search for a particular user in the BOXI using the distinguished name(DN), hence need to query on the alias name or ID. I tried the query something like but didn't worked.
SELECT * FROM CI_SYSTEMOBJECTS WHERE SI_KIND='User' AND SI_ALIASES.1.SI_NAME like '%DISTINGUISHED_NAME%'
IF the DN is like cn=userName,ou=users,ou=group1, dc=myorg, dc=com and the query is written as it works.
SELECT * FROM CI_SYSTEMOBJECTS WHERE SI_KIND='User' AND SI_ALIASES like '%userName%'
Could you help in writing a query on the user alias.
Thanks in advance.

Here is yours for all posts, sorted chronologically from oldest to newest in descending order and showing 100 entries per page...
http://forums.sdn.sap.com/search.jspa?userID=3743484&rankBy=1&threadID=&q=&objID=&dateRange=all&numResults=100
You can play around with the available parameters a bit to tune it further.
Cheers,
Julius

Server-side authentication for web services

I was hoping to use Azure's server-side authentication for a HTML/JS web app. Some things are a bit unclear. For example, if a new user authenticates via Facebook, I want to create an associated record on the server-side and associate extra data with the
user, irrespective of the service used to log in. If they log in again, I want the client to be able to get this extra data (eg preferences) from the server. On the back-end, I also want to be able to update particular fields of this record that the user cannot
change themselves. I know how to go about this in a plain Node.js backend, but not sure how some of these basic things map to using Azure's services.

Once the user logs in, you will have their information available to your server scripts. So one option is to use a custom API (or a Mobile Services Table) to insert/read/update the user data. You would protect this endpoint so that only logged-in users can
access it, and then access the
user object to obtain an ID an associate it in a table row. Lookups could be performed by similarly querying for the ID.
In terms of some fields being restricted, you could remove these from the update request itself.
Some pointers that might be helpful:
http://azure.microsoft.com/en-us/documentation/articles/mobile-services-html-get-started-data/
http://azure.microsoft.com/en-us/documentation/articles/mobile-services-html-call-custom-api/
http://azure.microsoft.com/en-us/documentation/articles/mobile-services-html-authorize-users-in-scripts/

Authentication for Webservice

Hi All,
I have exposed my outbound interface as a webservice sucessfully
But the problem is I need to provide a User Id to contact XI SOAP adapter. I dont require any authentication for this webservice client. How can I disable the authentication check for this particular webservice.
I have seen some forum posts, which suggested me to make some modification in web.xml which will disable auth for all webservices. Is it possible for me to disable the authentication check only for this particular webservice?
Regards,
Jai Shankar

Jai,
>How can I disable the authentication check for this particular webservice.
Check this thread. But this will turn of Authentication for all SOAP Sender Adapters.
User Names and Passwords in SOAP adapter
>I have seen some forum posts, which suggested me to make some modification in web.xml which will disable auth for all webservices. Is it possible for me to disable the authentication check only for this particular webservice?
Its either for all SOAP adapters or for none . there is no middle ground.
Better way is to use Access Control List.
Regards
Bhavesh

Java.lang.SecurityException: Authentication for user system denied in realm wl_realm Error.

 Getting this security exception when trying to pull a message from one weblogic
 instance JMS queue, and sending the message (via a MDB) to another machine's JMS
 queue.
 Ex. Here's the scenario.
 Two Windows2000Server machines,
 one at ip ... xxx.xxx.x.16,
 second machine at ... xxx.xxx.x.17.
 MDB pulls message off of a JMS queue on 16. MDB sends the message to .17 box.
 ON the .17 machine (the receiver) I get the following exception
 weblogic.transaction.internal.CoordinatorImpl@31406b>
 java.lang.SecurityException: Authentication for user system denied in realm wl_realm
 at weblogic.security.acl.Realm.authenticate(Realm.java:212)
 at weblogic.security.acl.Realm.getAuthenticatedName(Realm.java:233)
 at weblogic.security.acl.internal.Security.authenticate(Security.java:125)
 at weblogic.security.acl.internal.Security.verify(Security.java:87)
 at weblogic.rmi.internal.BasicRequestHandler.handleRequest(BasicRequestHandler.java:76)
 at weblogic.rmi.internal.BasicExecuteRequest.execute(BasicExecuteRequest.java:17)
 at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:137)
 at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:120)
 ON the sending maching .16, I get the following exception.
 ####<Apr 3, 2002 9:46:24 AM CST> <Error> <RJVM> <testweblogic> <OptiSoftAppServer>
 <ExecuteThread: '96' for queue: 'default'> <> <> <000000> <Unsolicited error response
 for: '-1'>
 The messages appear to show up on the destination machine, but are these error
 messages valid, or just bogus?
 Thanks,
 Eric.


Why is that? Your suggestion worked but I don't understand why.
 When our MDB on machineA did the JNDI lookup to MachineB we set the
 credentials to a valid user/password on MachineB.
 My speculation: Since the MDB on machineA is already in a transaction
 any other JNDI calls use the credentials for the MDB's transactions,
 ignoring any other credentials we might try to set explicitly. If my
 speculation is correct then that would explain by the passwords for the
 user "system" would have to be the same between servers.
 Is there a good place to read up on this?
 Thanks
 Tom
 Rajesh Mirchandani wrote:
 > Make sure you have the same system password for the 2 instances of WLS on seperate boxes.
 >
 > Tom Barnes wrote:
 >
 >
 >>Or post to the EJB newsgroup (which "owns" MDBs).
 >>
 >>Tom Barnes wrote:
 >>
 >>
 >>>I think there is a username/password field configurable in the MDB descriptor that
 >>>might help here??? Other than that, I suggest posting to the security newsgroup.
 >>>
 >>>Tom
 >>>
 >>>Eric Babin wrote:
 >>>
 >>>
 >>>>Getting this security exception when trying to pull a message from one weblogic
 >>>>instance JMS queue, and sending the message (via a MDB) to another machine's JMS
 >>>>queue.
 >>>>
 >>>>Ex. Here's the scenario.
 >>>>
 >>>> Two Windows2000Server machines,
 >>>> one at ip ... xxx.xxx.x.16,
 >>>> second machine at ... xxx.xxx.x.17.
 >>>>
 >>>> MDB pulls message off of a JMS queue on 16. MDB sends the message to .17 box.
 >>>>
 >>>>
 >>>>ON the .17 machine (the receiver) I get the following exception
 >>>>
 >>>>weblogic.transaction.internal.CoordinatorImpl@31406b>
 >>>>java.lang.SecurityException: Authentication for user system denied in realm wl_realm
 >>>> at weblogic.security.acl.Realm.authenticate(Realm.java:212)
 >>>> at weblogic.security.acl.Realm.getAuthenticatedName(Realm.java:233)
 >>>> at weblogic.security.acl.internal.Security.authenticate(Security.java:125)
 >>>> at weblogic.security.acl.internal.Security.verify(Security.java:87)
 >>>> at weblogic.rmi.internal.BasicRequestHandler.handleRequest(BasicRequestHandler.java:76)
 >>>> at weblogic.rmi.internal.BasicExecuteRequest.execute(BasicExecuteRequest.java:17)
 >>>> at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:137)
 >>>> at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:120)
 >>>>
 >>>>ON the sending maching .16, I get the following exception.
 >>>>
 >>>>####<Apr 3, 2002 9:46:24 AM CST> <Error> <RJVM> <testweblogic> <OptiSoftAppServer>
 >>>><ExecuteThread: '96' for queue: 'default'> <> <> <000000> <Unsolicited error response
 >>>>for: '-1'>
 >>>>
 >>>>The messages appear to show up on the destination machine, but are these error
 >>>>messages valid, or just bogus?
 >>>>
 >>>>Thanks,
 >>>>
 >>>>Eric.
 >>>>
 >
 > --
 > Rajesh Mirchandani
 > Developer Relations Engineer
 > BEA Support
 >
 >
 >

Java.lang.SecurityException: Authentication for user null denied in realm

Hello,
We have the following exceptionj on WLS 6.1 SP3 on Win2K:
javax.naming.AuthenticationException. Root exception is
java.lang.SecurityException: Authentication for user null denied in realm
weblogic
at weblogic.security.acl.Realm.authenticate(Realm.java:212)
at weblogic.security.acl.Realm.getAuthenticatedName(Realm.java:233)
at
weblogic.security.acl.internal.Security.authenticate(Security.java:135)
at
weblogic.jndi.WLInitialContextFactoryDelegate.pushUser(WLInitialContextFactoryDelegate.java:518)
at
weblogic.jndi.WLInitialContextFactoryDelegate.newContext(WLInitialContextFactoryDelegate.java:362)
at
weblogic.jndi.WLInitialContextFactoryDelegate.getInitialContext(WLInitialContextFactoryDelegate.java:334)
at
weblogic.jndi.WLInitialContextFactoryDelegate.getInitialContext(WLInitialContextFactoryDelegate.java:211)
at
weblogic.jndi.WLInitialContextFactory.getInitialContext(WLInitialContextFactory.java:149)
at
javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:660)
at
javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:241)
at javax.naming.InitialContext.init(InitialContext.java:217)
at javax.naming.InitialContext.<init>(InitialContext.java:173)
at
And it seems that this exception happens after the introduction of a JAAS module
for an external call.
What strikes me is that the WLS samples use System.setProperty... and I was wondering
if this could be the cause of our problem, because the rest of the application
does not use JAAS, and that may be it screws up the realm with WLS....
Any idea?
Cheers,
Thierry

Hello,
We have the following exceptionj on WLS 6.1 SP3 on Win2K:
javax.naming.AuthenticationException. Root exception is
java.lang.SecurityException: Authentication for user null denied in realm
weblogic
at weblogic.security.acl.Realm.authenticate(Realm.java:212)
at weblogic.security.acl.Realm.getAuthenticatedName(Realm.java:233)
at
weblogic.security.acl.internal.Security.authenticate(Security.java:135)
at
weblogic.jndi.WLInitialContextFactoryDelegate.pushUser(WLInitialContextFactoryDelegate.java:518)
at
weblogic.jndi.WLInitialContextFactoryDelegate.newContext(WLInitialContextFactoryDelegate.java:362)
at
weblogic.jndi.WLInitialContextFactoryDelegate.getInitialContext(WLInitialContextFactoryDelegate.java:334)
at
weblogic.jndi.WLInitialContextFactoryDelegate.getInitialContext(WLInitialContextFactoryDelegate.java:211)
at
weblogic.jndi.WLInitialContextFactory.getInitialContext(WLInitialContextFactory.java:149)
at
javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:660)
at
javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:241)
at javax.naming.InitialContext.init(InitialContext.java:217)
at javax.naming.InitialContext.<init>(InitialContext.java:173)
at
And it seems that this exception happens after the introduction of a JAAS module
for an external call.
What strikes me is that the WLS samples use System.setProperty... and I was wondering
if this could be the cause of our problem, because the rest of the application
does not use JAAS, and that may be it screws up the realm with WLS....
Any idea?
Cheers,
Thierry

Java.lang.SecurityException: Authentication for user test1 denied in realm wl_realm

Environment: WLS61 SP2
Two WLS61 servers on different machines. User test1 is authenticated against LDAP
on server_1, then tries
to execute a class (from JSP) that calls EJB on server_2. The environment properties
for the call to EJB on server_2 to are setup as follows (Note that user test2 is
used to call EJB on server_2. User test2 exists in the wl_realm on server2):
env.put(Context.INITIAL_CONTEXT_FACTORY, "weblogic.jndi.WLInitialContextFactory");
env.put(Context.PROVIDER_URL, "t3://server2:7001");
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, "test2");
env.put(Context.SECURITY_CREDENTIALS, "somepass");
The call results in the following exception raised on server_2. Why is test1 id used
if test2 is explicitly specified for the call? User test1 does not exist on server_2.
<Jul 13, 2002 11:37:31 AM EDT> <Warning> <Dispatcher> <RuntimeException thrown by
rmi server: 'weblo
gic.rmi.cluster.ClusterableServerRef@111 - jvmid: '4783591120128354231S:xxx.xxx.xxx.xxx:[7001,7001,7002,7
002,7001,7002,-1]:mydomain:myserver', oid: '271', implementation: '[BaseEJBObject]
home: c
om.test.TestEJB_jvjalv_HomeImpl@7583b9''
java.lang.SecurityException: Authentication for user test1 denied in realm wl_realm
at weblogic.security.acl.Realm.authenticate(Realm.java:212)
at weblogic.security.acl.Realm.getAuthenticatedName(Realm.java:233)
at weblogic.security.acl.internal.Security.authenticate(Security.java:125)
at weblogic.security.acl.internal.Security.verify(Security.java:87)
at weblogic.rmi.internal.BasicServerRef.handleRequest(BasicServerRef.java:237)
at weblogic.rmi.internal.BasicExecuteRequest.execute(BasicExecuteRequest.java:22)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:139)
at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:120)

If you are using JNDI authentication, make sure you close the context before
you get another context.
In WLS, stack of authenticated users will be maintained per thread. Now when
user is authenticated, it will be pushed into the stack. When you close the
context it will be popped out. In your case it seems like somehow test1 user's
idenitity is set on the thread which is calling the EJB on server2.
use weblogic.security.acl.Security.getCurrentUser() to get the current
user associated with the thread.
I hope this helps.
-utpal

Java.lang.SecurityException: Authentication for user system denied in realm weblogic

I am looking for some help to deploy the application in weblogic6.0.
This is what i did during the application deployment.
Create a new directory under config as a new application.
D:\bea\wlserver6.0\config\test
under test created two other directories applications and logs.
Under the applications directory copied .ear and .war files.
Under the test i copied config.xml, all the *.pem starttest.cmd, fileRealam.properties
files. Modified the config.xml with my application, domain and the server. Modified
the settest.cmd with the new domain and server name.
when i do startup, it is prompting for the password and i entered what ever i mentioned
during the installation.
And getting the following error.
Thanks alot for any suggestions.
D:\bea\wlserver6.0\config\test>startTest.cmd
D:\bea\wlserver6.0>set PATH=.\bin;D:\bea\jdk130\bin;C:\RATIONAL\RATION~1\NUTCROO
T\bin;C:\RATIONAL\RATION~1\NUTCROOT\bin\x11;C:\RATIONAL\RATION~1\NUTCROOT\mksnt;
C:\WINNT\system32;C:\WINNT;C:\WINNT\System32\Wbem;C:\Program Files\Dell\Resoluti
on Assistant\Common\bin;C:\PROGRA~1\MICROS~4\Office;C:\PROGRA~1\ULTRAE~1;C:\Rati
onal\common;C:\Rational\Rational Test;C:\jdk1.3\bin;C:\Ant\bin;
D:\bea\wlserver6.0>set CLASSPATH=.;.\lib\weblogic_sp.jar;.\lib\weblogic.jar
D:\bea\wlserver6.0>D:\bea\jdk130\bin\java -hotspot -ms64m -mx64m -classpath .;.\
lib\weblogic_sp.jar;.\lib\weblogic.jar -Dweblogic.Domain=test -Dweblogic.Name=te
stServer -Dbea.home=D:\bea -Dcloudscape.system.home=./samples/eval/cloudscape/da
ta -Djava.security.policy==D:\bea\wlserver6.0/lib/weblogic.policy weblogic.Serve
r
Enter password to boot weblogic server:password
Starting WebLogic Server ....
<Feb 14, 2001 12:13:04 PM EST> <Notice> <Management> <Loading configuration file
.\config\test\config.xml ...>
<Feb 14, 2001 12:13:06 PM EST> <Info> <Logging> <Only log messages of severity "
Error" or worse will be displayed in this window. This can be changed at Admin C
onsole> test> Servers> testServer> Logging> Debugging> Stdout severity threshold
>
<Feb 14, 2001 12:13:08 PM EST> <Emergency> <Server> <Unable to initialize the se
rver: 'Fatal initialization exception
Throwable: java.lang.SecurityException: Authentication for user system denied in
realm weblogic
java.lang.SecurityException: Authentication for user system denied in realm webl
ogic
at weblogic.security.acl.Realm.authenticate(Realm.java:209)
at weblogic.security.acl.Realm.getAuthenticatedName(Realm.java:229)
at weblogic.security.acl.internal.Security.authenticate(Security.java:11
3)
at weblogic.security.SecurityService.initializeSuid(SecurityService.java
:293)
at weblogic.security.SecurityService.initialize(SecurityService.java:123
at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:343)
at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:169)
at weblogic.Server.main(Server.java:35)
'>
The WebLogic Server did not start up properly.
Exception raised: java.lang.SecurityException: Authentication for user system de
nied in realm weblogic
java.lang.SecurityException: Authentication for user system denied in realm webl
ogic
at weblogic.security.acl.Realm.authenticate(Realm.java:209)
at weblogic.security.acl.Realm.getAuthenticatedName(Realm.java:229)
at weblogic.security.acl.internal.Security.authenticate(Security.java:11
3)
at weblogic.security.SecurityService.initializeSuid(SecurityService.java
:293)
at weblogic.security.SecurityService.initialize(SecurityService.java:123
at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:343)
at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:169)
at weblogic.Server.main(Server.java:35)
Reason: Fatal initialization exception
D:\bea\wlserver6.0>goto finish
D:\bea\wlserver6.0>cd config\test
D:\bea\wlserver6.0\config\test>ENDLOCAL
D:\bea\wlserver6.0\config\test>

Seen this, may give a clue?
Server Known Problems Change Request Number Description
042556
The weblogic.Admin command now requires the user and password options. For example:
java weblogic.Admin -username system -password gumby1234
The username "system" is required for most functions (for example: VERSION). If
you do not specify -username system, you will get the following error:
Exception in thread "main" java.lang.SecurityException: Authentication for user
system denied in realm weblogic
<<no stack trace available>>
"lazar" <[email protected]> wrote:
>
I would also like to know, if there is a fix for it.
Thanks
Lazar
Greg Layton <[email protected]> wrote:
Did you ever get an answer to this. If so could you share it with me.ThanksGreg

Java.lang.SecurityException: Authentication for user system denied in realm wl_realm

I am experiencing this error when a servlet or JSP is preloaded on the web
server and the init method of the preloaded item results in a call to the
app server. If I don't preload and then manually invoke the JSP or servlet
after the web server completely loads the call to the app server does not
produce the exception. The only security differences between the web and
app servers are the console and system passwords. I can fix the problem by
making the passwords (system and console) the same across the board, but
find it hard to believe that this is the true solution. I would prefer
sticking with the default security settings.
I've poured through hundreds of messages. I can find similar problems but
not this exact problem.
Any ideas would truly be appreciated!
More information:...
App and Web server are both wls 6.1.1.0 running on the same SUN Solaris box.
Both are using the basic, out of the box, security.
The App server has SSL disabled.
The exception reported in the app server's log is:
java.lang.SecurityException: Authentication for user system denied in realm
wl_realm
at weblogic.security.acl.Realm.authenticate(Realm.java:212)
at weblogic.security.acl.Realm.getAuthenticatedName(Realm.java:233)
at
weblogic.security.acl.internal.Security.authenticate(Security.java:125)
at weblogic.security.acl.internal.Security.verify(Security.java:87)
at
weblogic.rmi.internal.BasicServerRef.handleRequest(BasicServerRef.java:235)
at
weblogic.rmi.internal.BasicExecuteRequest.execute(BasicExecuteRequest.java:2
2)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:139)
at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:120)
The exception reported in the web server's log is:
java.lang.SecurityException: Authentication for user system denied in realm
wl_realm
at
weblogic.rmi.internal.BasicOutboundRequest.sendReceive(BasicOutboundRequest.
java:85)
at
weblogic.rmi.cluster.ReplicaAwareRemoteRef.invoke(ReplicaAwareRemoteRef.java
:255)
at
weblogic.rmi.cluster.ReplicaAwareRemoteRef.invoke(ReplicaAwareRemoteRef.java
:222)
at weblogic.rmi.internal.ProxyStub.invoke(ProxyStub.java:35)
at $Proxy54.lookup(Unknown Source)
at
weblogic.jndi.internal.WLContextImpl.lookup(WLContextImpl.java:323)
at javax.naming.InitialContext.lookup(InitialContext.java:350)
at
com.qwest.tmmt.manager.client.MDMAdapter.getEJBHome(MDMAdapter.java:197)
at
com.qwest.tmmt.manager.client.MDMAdapter.<init>(MDMAdapter.java:64)
at
com.qwest.tmmt.manager.client.ManagerFactory.createMetaDataManager(ManagerFa
ctory.java:305)
at
com.qwest.insite.util.ClientMetaDataCache.<init>(ClientMetaDataCache.java:53
at
com.qwest.insite.util.ClientMetaDataCache.getInstance(ClientMetaDataCache.ja
va:106)
at
com.qwest.insite.metadata.startup.MetaDataServlet.init(MetaDataServlet.java:
30)
at
weblogic.servlet.internal.ServletStubImpl.createServlet(ServletStubImpl.java
:700)
at
weblogic.servlet.internal.ServletStubImpl.createInstances(ServletStubImpl.ja
va:643)
at
weblogic.servlet.internal.ServletStubImpl.prepareServlet(ServletStubImpl.jav
a:588)
at
weblogic.servlet.internal.WebAppServletContext.preloadServlet(WebAppServletC
ontext.java:2203)
at
weblogic.servlet.internal.WebAppServletContext.preloadServlets(WebAppServlet
Context.java:2147)
at
weblogic.servlet.internal.WebAppServletContext.init(WebAppServletContext.jav
a:884)
at
weblogic.servlet.internal.WebAppServletContext.<init>(WebAppServletContext.j
ava:807)
at
weblogic.servlet.internal.HttpServer.loadWebApp(HttpServer.java:421)
at weblogic.j2ee.WebAppComponent.deploy(WebAppComponent.java:74)
at weblogic.j2ee.Application.addComponent(Application.java:160)
at weblogic.j2ee.J2EEService.addDeployment(J2EEService.java:117)
at
weblogic.management.mbeans.custom.DeploymentTarget.addDeployment(DeploymentT
arget.java:329)
at
weblogic.management.mbeans.custom.DeploymentTarget.addDeployment(DeploymentT
arget.java:144)
at
weblogic.management.mbeans.custom.WebServer.addWebDeployment(WebServer.java:
76)
at java.lang.reflect.Method.invoke(Native Method)
at
weblogic.management.internal.DynamicMBeanImpl.invokeLocally(DynamicMBeanImpl
.java:608)
at
weblogic.management.internal.DynamicMBeanImpl.invoke(DynamicMBeanImpl.java:5
92)
at
weblogic.management.internal.ConfigurationMBeanImpl.invoke(ConfigurationMBea
nImpl.java:352)
at
com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1555)
at
com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1523)
at
weblogic.management.internal.MBeanProxy.invoke(MBeanProxy.java:449)
at
weblogic.management.internal.MBeanProxy.invoke(MBeanProxy.java:190)
at $Proxy33.addWebDeployment(Unknown Source)
at
weblogic.management.configuration.WebServerMBean_CachingStub.addWebDeploymen
t(WebServerMBean_CachingStub.java:1094)
at
weblogic.management.mbeans.custom.DeploymentTarget.addDeployment(DeploymentT
arget.java:315)
at
weblogic.management.mbeans.custom.DeploymentTarget.addDeployments(Deployment
Target.java:279)
at
weblogic.management.mbeans.custom.DeploymentTarget.updateServerDeployments(D
eploymentTarget.java:233)
at
weblogic.management.mbeans.custom.DeploymentTarget.updateDeployments(Deploym
entTarget.java:193)
at java.lang.reflect.Method.invoke(Native Method)
at
weblogic.management.internal.DynamicMBeanImpl.invokeLocally(DynamicMBeanImpl
.java:608)
at
weblogic.management.internal.DynamicMBeanImpl.invoke(DynamicMBeanImpl.java:5
92)
at
weblogic.management.internal.ConfigurationMBeanImpl.invoke(ConfigurationMBea
nImpl.java:352)
at
com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1555)
at
com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1523)
at
weblogic.management.internal.MBeanProxy.invoke(MBeanProxy.java:449)
at
weblogic.management.internal.MBeanProxy.invoke(MBeanProxy.java:190)
at $Proxy32.updateDeployments(Unknown Source)
at
weblogic.management.configuration.ServerMBean_CachingStub.updateDeployments(
ServerMBean_CachingStub.java:2734)
at
weblogic.management.mbeans.custom.ApplicationManager.startConfigManager(Appl
icationManager.java:362)
at
weblogic.management.mbeans.custom.ApplicationManager.start(ApplicationManage
r.java:154)
at java.lang.reflect.Method.invoke(Native Method)
at
weblogic.management.internal.DynamicMBeanImpl.invokeLocally(DynamicMBeanImpl
.java:608)
at
weblogic.management.internal.DynamicMBeanImpl.invoke(DynamicMBeanImpl.java:5
92)
at
weblogic.management.internal.ConfigurationMBeanImpl.invoke(ConfigurationMBea
nImpl.java:352)
at
com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1555)
at
com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1523)
at
weblogic.management.internal.MBeanProxy.invoke(MBeanProxy.java:449)
at
weblogic.management.internal.MBeanProxy.invoke(MBeanProxy.java:190)
at $Proxy45.start(Unknown Source)
at
weblogic.management.configuration.ApplicationManagerMBean_CachingStub.start(
ApplicationManagerMBean_CachingStub.java:480)
at
weblogic.management.Admin.startApplicationManager(Admin.java:1151)
at weblogic.management.Admin.finish(Admin.java:570)
at weblogic.t3.srvr.T3Srvr.start(T3Srvr.java:506)
at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:203)
at weblogic.Server.main(Server.java:35)
Thanks,
Jed Zimmer

You're correct. I meant the DOMAIN_SYSTEM_PASSWORD password in my
<domain-name>domain.ksh file. The DOMAIN_SYSTEM_PASSWORD value (if
specified) has to match the system user's password or else the server will
not start/stop.
I have determined more since my post. A startup class also produces the
same error. I have minimized my environments as follows and still receive
the exception, and a soon as I synchronize the system users' passwords on
the app/web server the problem goes away. Or, I can keep the passwords
different and just not access the app server EJBs until after the web server
finished loading, which also causes the error to go away. I'm just confused
about what I might be doing wrong.
Steps to produce the error:
App server:
- Installed from 6.1.1.0 from scratch and started it up.
- Changed the system user's password from the admin console, persisting the
changes.
- Modified logging settings to see more info in the log files.
- Disabled instrument stack traces.
- Stopped/Started the app server
Web server:
- Installed from 6.1.1.0 from scratch and started it up.
- Modified logging settings to see more info in the log files.
- Disabled instrument stack traces.
- Added a servlet to the DefaultWebApp_insiteserver application
- specified name and class
- the load on startup setting defaulted to zero, which will cause the
preloading
- Added 3 jar files to the classpath to support the EJB call
- Stopped/Started the web server
When the web server loads the servlet loads and tries to locate the EJB on
the app server. The app server throws the security exception. The app/web
servers are both running on the same SUN box, have the same IP address
(different ports) and I'm using non-SSL. Each server is it's own WLS
environment. The only installed file that is shared it the
weblogic_domain_registry.dat file in the root directory. As for security,
I'm doing nothing except changing one password (system user on the app
server).
I then tried to manually upgrade the app/web servers to 6.1.2.0 by updating
the WEBLOGIC_ROOT in the respective xxxxdomain.ksh files. Same problem.
I then cleanly reinstalled the app/web servers using version 6.1.2.0 and
configured as above. Same problem.
Let me know if I need to provide additional details.
Thanks,
Jed Zimmer
"Joseph Nguyen" <[email protected]> wrote in message
news:[email protected]...
>
"Jed Zimmer" <[email protected]> wrote in message
news:[email protected]...
I am experiencing this error when a servlet or JSP is preloaded on the
web
server and the init method of the preloaded item results in a call tothe
app server. If I don't preload and then manually invoke the JSP orservlet
after the web server completely loads the call to the app server does
not
produce the exception. The only security differences between the weband
app servers are the console and system passwords. I can fix the problemby
making the passwords (system and console) the same across the board, but
find it hard to believe that this is the true solutionI don't quite understand what you mean by "console" password? Are you
talking about the admin console? If so then it's confusing because youhave
to log into the console using the system user. If you can clarify morehere
it would great.
Joseph Nguyen
BEA Support
. I would prefer
sticking with the default security settings.
I've poured through hundreds of messages. I can find similar problems
but
not this exact problem.
Any ideas would truly be appreciated!
More information:...
App and Web server are both wls 6.1.1.0 running on the same SUN Solarisbox.
Both are using the basic, out of the box, security.
The App server has SSL disabled.
The exception reported in the app server's log is:
java.lang.SecurityException: Authentication for user system denied inrealm
wl_realm
at weblogic.security.acl.Realm.authenticate(Realm.java:212)
atweblogic.security.acl.Realm.getAuthenticatedName(Realm.java:233)
at
weblogic.security.acl.internal.Security.authenticate(Security.java:125)
atweblogic.security.acl.internal.Security.verify(Security.java:87)
at
weblogic.rmi.internal.BasicServerRef.handleRequest(BasicServerRef.java:235)
at
weblogic.rmi.internal.BasicExecuteRequest.execute(BasicExecuteRequest.java:2
2)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:139)
at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:120)
The exception reported in the web server's log is:
java.lang.SecurityException: Authentication for user system denied inrealm
wl_realm
at
weblogic.rmi.internal.BasicOutboundRequest.sendReceive(BasicOutboundRequest.
java:85)
at
weblogic.rmi.cluster.ReplicaAwareRemoteRef.invoke(ReplicaAwareRemoteRef.java
:255)
at
weblogic.rmi.cluster.ReplicaAwareRemoteRef.invoke(ReplicaAwareRemoteRef.java
:222)
at weblogic.rmi.internal.ProxyStub.invoke(ProxyStub.java:35)
at $Proxy54.lookup(Unknown Source)
at
weblogic.jndi.internal.WLContextImpl.lookup(WLContextImpl.java:323)
at javax.naming.InitialContext.lookup(InitialContext.java:350)
at
com.qwest.tmmt.manager.client.MDMAdapter.getEJBHome(MDMAdapter.java:197)
at
com.qwest.tmmt.manager.client.MDMAdapter.<init>(MDMAdapter.java:64)
at
com.qwest.tmmt.manager.client.ManagerFactory.createMetaDataManager(ManagerFa
ctory.java:305)
at
com.qwest.insite.util.ClientMetaDataCache.<init>(ClientMetaDataCache.java:53
at
com.qwest.insite.util.ClientMetaDataCache.getInstance(ClientMetaDataCache.ja
va:106)
at
com.qwest.insite.metadata.startup.MetaDataServlet.init(MetaDataServlet.java:
30)
at
weblogic.servlet.internal.ServletStubImpl.createServlet(ServletStubImpl.java
:700)
at
weblogic.servlet.internal.ServletStubImpl.createInstances(ServletStubImpl.ja
va:643)
at
weblogic.servlet.internal.ServletStubImpl.prepareServlet(ServletStubImpl.jav
a:588)
at
weblogic.servlet.internal.WebAppServletContext.preloadServlet(WebAppServletC
ontext.java:2203)
at
weblogic.servlet.internal.WebAppServletContext.preloadServlets(WebAppServlet
Context.java:2147)
at
weblogic.servlet.internal.WebAppServletContext.init(WebAppServletContext.jav
a:884)
at
weblogic.servlet.internal.WebAppServletContext.<init>(WebAppServletContext.j
ava:807)
at
weblogic.servlet.internal.HttpServer.loadWebApp(HttpServer.java:421)
at weblogic.j2ee.WebAppComponent.deploy(WebAppComponent.java:74)
at weblogic.j2ee.Application.addComponent(Application.java:160)
at weblogic.j2ee.J2EEService.addDeployment(J2EEService.java:117)
at
weblogic.management.mbeans.custom.DeploymentTarget.addDeployment(DeploymentT
arget.java:329)
at
weblogic.management.mbeans.custom.DeploymentTarget.addDeployment(DeploymentT
arget.java:144)
at
weblogic.management.mbeans.custom.WebServer.addWebDeployment(WebServer.java:
76)
at java.lang.reflect.Method.invoke(Native Method)
at
weblogic.management.internal.DynamicMBeanImpl.invokeLocally(DynamicMBeanImpl
.java:608)
at
weblogic.management.internal.DynamicMBeanImpl.invoke(DynamicMBeanImpl.java:5
92)
at
weblogic.management.internal.ConfigurationMBeanImpl.invoke(ConfigurationMBea
nImpl.java:352)
at
com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1555)
at
com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1523)
at
weblogic.management.internal.MBeanProxy.invoke(MBeanProxy.java:449)
at
weblogic.management.internal.MBeanProxy.invoke(MBeanProxy.java:190)
at $Proxy33.addWebDeployment(Unknown Source)
at
weblogic.management.configuration.WebServerMBean_CachingStub.addWebDeploymen
t(WebServerMBean_CachingStub.java:1094)
at
weblogic.management.mbeans.custom.DeploymentTarget.addDeployment(DeploymentT
arget.java:315)
at
weblogic.management.mbeans.custom.DeploymentTarget.addDeployments(Deployment
Target.java:279)
at
weblogic.management.mbeans.custom.DeploymentTarget.updateServerDeployments(D
eploymentTarget.java:233)
at
weblogic.management.mbeans.custom.DeploymentTarget.updateDeployments(Deploym
entTarget.java:193)
at java.lang.reflect.Method.invoke(Native Method)
at
weblogic.management.internal.DynamicMBeanImpl.invokeLocally(DynamicMBeanImpl
.java:608)
at
weblogic.management.internal.DynamicMBeanImpl.invoke(DynamicMBeanImpl.java:5
92)
at
weblogic.management.internal.ConfigurationMBeanImpl.invoke(ConfigurationMBea
nImpl.java:352)
at
com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1555)
at
com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1523)
at
weblogic.management.internal.MBeanProxy.invoke(MBeanProxy.java:449)
at
weblogic.management.internal.MBeanProxy.invoke(MBeanProxy.java:190)
at $Proxy32.updateDeployments(Unknown Source)
at
weblogic.management.configuration.ServerMBean_CachingStub.updateDeployments(
ServerMBean_CachingStub.java:2734)
at
weblogic.management.mbeans.custom.ApplicationManager.startConfigManager(Appl
icationManager.java:362)
at
weblogic.management.mbeans.custom.ApplicationManager.start(ApplicationManage
r.java:154)
at java.lang.reflect.Method.invoke(Native Method)
at
weblogic.management.internal.DynamicMBeanImpl.invokeLocally(DynamicMBeanImpl
.java:608)
at
weblogic.management.internal.DynamicMBeanImpl.invoke(DynamicMBeanImpl.java:5
92)
at
weblogic.management.internal.ConfigurationMBeanImpl.invoke(ConfigurationMBea
nImpl.java:352)
at
com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1555)
at
com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1523)
at
weblogic.management.internal.MBeanProxy.invoke(MBeanProxy.java:449)
at
weblogic.management.internal.MBeanProxy.invoke(MBeanProxy.java:190)
at $Proxy45.start(Unknown Source)
at
weblogic.management.configuration.ApplicationManagerMBean_CachingStub.start(
ApplicationManagerMBean_CachingStub.java:480)
at
weblogic.management.Admin.startApplicationManager(Admin.java:1151)
at weblogic.management.Admin.finish(Admin.java:570)
at weblogic.t3.srvr.T3Srvr.start(T3Srvr.java:506)
at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:203)
at weblogic.Server.main(Server.java:35)
Thanks,
Jed Zimmer

Authentication for user system denied in realm weblogic

hi,am using Web Logic 6.1 on hp and all works fine, I've a cron which kicks off
every morn.
This cron stops the web logic app server (admin server), then starts it. The stopping
is done with a shutdown.sh script. I've noticed all the posts here about "Authentication
for user system denied in realm weblogic" seem to be in code. This is diff as
it's on shutdown.
My shutdown script does the below:
#!/bin/sh
JAVA_HOME=/opt/weblogic6.1/jdk131
WL_HOME=/opt/weblogic6.1/wlserver6.1
CLASSPATH=$WL_HOME/lib/weblogic_sp.jar:$WL_HOME/lib/weblogic.jar
JAVA_RUN="${JAVA_HOME}/bin/java -classpath ${CLASSPATH}"
WLS_PW=try_abc
RUNCMD="${JAVA_RUN} weblogic.Admin -url localhost:9100 SHUTDOWN -username system
-password $WLS_PW"
echo $RUNCMD
$RUNCMD
When it's run the below is printed. Any help appreciated on this!!
/opt/weblogic6.1/jdk131/bin/java -classpath /opt/weblogic6.1/wlserver6.1/lib/weblogic_sp.jar:/opt/weblogic6.1/wlserver6.1/lib/webl
ogic.jar weblogic.Admin -url localhost:9100 SHUTDOWN -username system -password
admin2001
Authentication for user system denied in realm weblogic
Start server side stack trace:
java.lang.SecurityException: Authentication for user system denied in realm weblogic
at weblogic.security.acl.Realm.authenticate(Realm.java:195)
at weblogic.security.acl.Realm.getAuthenticatedName(Realm.java:233)
at weblogic.security.acl.internal.Security.authenticate(Security.java:125)
at weblogic.kernel.BootServicesImpl.authenticate(BootServicesImpl.java:119)
at weblogic.kernel.BootServicesImpl.findOrCreateClientContext(BootServicesImpl.java:203)
at weblogic.kernel.BootServicesImpl.invoke(BootServicesImpl.java:148)
at weblogic.rjvm.RJVMImpl.dispatchRequest(RJVMImpl.java:620)
at weblogic.rjvm.RJVMImpl.dispatch(RJVMImpl.java:581)
at weblogic.rjvm.ConnectionManagerServer.handleRJVM(ConnectionManagerServer.java:164)
at weblogic.rjvm.ConnectionManager.dispatch(ConnectionManager.java:640)
at weblogic.rjvm.t3.T3JVMConnection.dispatch(T3JVMConnection.java:454)
at weblogic.socket.PosixSocketMuxer.deliverGoodNews(PosixSocketMuxer.java:456)
at weblogic.socket.PosixSocketMuxer.processSockets(PosixSocketMuxer.java:385)
at weblogic.socket.SocketReaderRequest.execute(SocketReaderRequest.java:24)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:139)
at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:120)
End server side stack trace

This is the way it should be. You should not be able to call from one server into
another using the system user without having to provide a password.
Yeshwant <[email protected]> wrote:
>
Hi Jose
What version of the server are you using . In 6.x this is a known issue
The workaround as you mention is to have the same password for the system
user.
Jose Perez wrote:
Hi all,
I'm having problems when communicating 2 EJBs in different weblogic Serverinstances,
one acts as a "client" and the other as a "server".
The exception is "Authentication for user system denied in realm weblogic".This
only happens if the user system has different password in each server.
Any idea?
Thanks in advance

Authentication for user denied in realm weblogic

Hi,
I was testing distributing EJB's to different server with their client and kept
hitting my head to the wall with the following problem almost the whole day:
Stacktrace = javax.naming.AuthenticationException. Root exception is java.lang.SecurityException:
Authentication for user masters2 denied in realm weblogic at weblogic.security.acl.Realm.authenticate(Realm.java:212)
at weblogic.security.acl.Realm.getAuthenticatedName(Realm.java:233) at weblogic.security.acl.internal.Security.authenticate(Security.java:125)
at weblogic.jndi.WLInitialContextFactoryDelegate.pushUser(WLInitialContextFactoryDelegate.java:522)
at weblogic.jndi.WLInitialContextFactoryDelegate.newContext(WLInitialContextFactoryDelegate.java:366)
at weblogic.jndi.WLInitialContextFactoryDelegate.getInitialContext(WLInitialContextFactoryDelegate.java:338)
at weblogic.jndi.WLInitialContextFactoryDelegate.getInitialContext(WLInitialContextFactoryDelegate.java:211)
at weblogic.jndi.WLInitialContextFactory.getInitialContext(WLInitialContextFactory.java:149)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:662) at
javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:243) at javax.naming.InitialContext.init(InitialContext.java:219)
at javax.naming.InitialContext.(InitialContext.java:195) at jsp_servlet._distributed_ejb.__recordList.getInitialContext(__recordList.java:99)
at jsp_servlet._distributed_ejb.__recordList.getRemoteContext(__recordList.java:90)
at jsp_servlet._distributed_ejb.__recordList._jspService(__recordList.java:183)
at weblogic.servlet.jsp.JspBase.service(JspBase.java:27) at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:265)
at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:200)
at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:2495)
at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:2204)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:139) at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:120)
It seems that the problem was with an error with weblogic documentation about
getting InitialContext. The example code from bea was:
Context ctx = getInitialContext("t3://localhost:7001", "user1", "user1Password");
static Context getInitialContext(String url, String user, String password) {
Properties h = new Properties();
h.put(Context.INITIAL_CONTEXT_FACTORY,
"weblogic.jndi.WLInitialContextFactory");
h.put(Context.PROVIDER_URL, url);
h.put(Context.SECURITY_PRINCIPAL, user);
return new InitialContext(h);
Funnily, password is not used....after realising that I added line
h.put(Context.SECURITY_CREDENTIALS, password);
and the code works. Is it possible that this was the problem (and documentation
has been incorrect for years now) or was there something that I missed?

static Context getInitialContext(String url, String user, String password){>
Properties h = new Properties();
h.put(Context.INITIAL_CONTEXT_FACTORY,
"weblogic.jndi.WLInitialContextFactory");
h.put(Context.PROVIDER_URL, url);
h.put(Context.SECURITY_PRINCIPAL, user);
return new InitialContext(h);
Funnily, password is not used....after realising that I added line
h.put(Context.SECURITY_CREDENTIALS, password);
and the code works. Is it possible that this was the problem (anddocumentation
has been incorrect for years now) or was there something that I missed?ya, that was the problem if you refering to:
http://e-docs.bea.com/wls/docs70/ejb/EJB_design.html#1035574
we will get that corrected.
cheers,
mihir

Providing authentication for standard MDM we bservice.

Hi,
We are calling mdm web service from portal. Can any one tell me how to authenticate user when calling standard web service.
Regards,
Sandeep Reddy.

Hi Sandeep,
For a particular user to use a particular webservice say for eg Search Webservice.You need to provide that particular MDM user authentication to the webservice i the Visual Administrator configurations.
The MDM user must be defined in MDM Console with proper Roles and Authorizations.When you give this MDM user access to the Search Webservice for eg then this user can login and run the search webservice.
To know about the configuration required to work with MDM 5.5 Webservices then view the below link;
https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/20e06073-f485-2910-adb1-9a197bf98994(MDM webservice webinar)
If you are working with MDM 7.1 then the features are little more advanced, you can view the below link to know more on MDM 7.1 webservice
https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/a04e6281-b9d4-2b10-f1b3-ee7884e720c3 (Webservice 7.1)
Hope It Helpes
Thanks & Regards
Simona Pinto

Reg Re-authentication for Tcode access

Dear All,
 I want to enable Re-authentication for certain tcode access in my SAP ABAP system. The SAP as such supports this with the SSF settings. I have the SSF working but am not sure how to enable the particular tcode for Re-authentication.For example i have created a z code zAl08 out of Al08 for test purpose.When an user tries to access zAL08 he should be asked to give his credentials for authentication and then should be able to access the tcode.
1.Is this possible. (am already using a Security product working properly in my environment)
2.How to configure(Steps) the zcode for enabling Re-authentication?
Regards,
Karthik

Basically, what I said was:
function auth_check_tcode.
""Lokale Schnittstelle:
*" IMPORTING
*" VALUE(TCODE) LIKE TSTC-TCODE
*" EXCEPTIONS
*" PARAMETER_ERROR
*" TRANSACTION_NOT_FOUND
*" TRANSACTION_LOCKED
*" TRANSACTION_IS_MENU
*" MENU_VIA_PARAMETER_TRANSACTION
*" NOT_AUTHORIZED
Dieser Funktionsbaustein dient als reine Kapsel für den C-Call
auth_check_tcode und ist daher im Gegensatz zu authority_check_tcode
nicht für die Prüfung vor dem Call Transaction gedacht, sondern für
die Fälle, in denen ein Start Transaction geprüft werden soll,
z.B. in der SE93.
authority_check_tcode berücksichtigt wie der Kernel die per SE97
pflegbaren Einträge in der Tabelle tcdcouples.
Berechtigungsprüfung
call 'AUTH_CHECK_TCODE'
 id 'TCODE' field tcode.
if sy-subrc = 0.
auth_check_tcode enthält die Prüfungen von tcode_executable,
daher im OK-Fall keine Aufruf nötig.
else.
 perform tcode_executable using tcode.
Keine Berechtigung für Transaktion &
 message i077(s#) with tcode raising not_authorized.
endif.
endfunction.
 FORM tcode_executable *
--> TCODE *
form tcode_executable using tcode.
call 'DY_CHECK_TRANSACTION'
 id 'TX' field tcode.
case sy-subrc.
 when 0. " Alles ok, return
 when 1. " Parameter Error
 message i274(00) raising parameter_error.
 when 2. " Transaktion nicht gefunden
 message i343(s#) with tcode raising transaction_not_found.
 when 3. " Transaktion gesperrt
 message i348(s#) with tcode raising transaction_locked.
 when 4. " Transaktion ist Bereichsmenü
 message i037(oz) with tcode raising transaction_is_menu.
 when 5. " Bereichsmenü via Parameter-Transaktion
 message i350(s#) with tcode
 raising menu_via_parameter_transaction.
 when 6. " Nicht berechtigt; vorgesehen, aber nicht implementiert
 message i077(s#) with tcode raising not_authorized.
endcase.
endform. "tcode_executable
</pre>
Sorry, the comments are in German. But as you can see, there is no exit and the checks are in the kernel only.
My hat is safe...
Cheers,
Julius
Edited by: Julius Bussche on Jul 29, 2009 5:55 PM

Authentication for a particular ACL

Similar Messages

Maybe you are looking for