Authorization for JMS resources
Hi,
consider the following use-case: we define a JMS topic to which certain, and only certain J2EE apps (probably running in different engines) should be allowed to report messages, but not for example a "malicious" standalone client. On the other side, clients should be allowed to browse/read these messages without restrictions. In other words, distinct and selected producers, but broad audience of consumers.
How could this be achieved best?
In the online help I found a page suggesting to define a security policy. So I went to Visual Admin -> Security Provider -> Policy Configuration -> service.jms.default.authorization, selected "basic" as authentication method, removed group "Guest" from security role "clients" in "Security Roles", mapped it to a distinct user group (it's an UME user group to be precise, since my engine runs on an UME user store) and tried to publish a message to the topic --- to my surprise it worked! However, it shouldn't, since my client program gives user/password neither for the JNDI lookup nor for the creation of the topic connection.
In fact, it does not matter how the "client" role is mapped to a user or group, my "malicious" standalone client always is able to post a message.
What am I doing wrong?
Best Regards
Michael
By the way: what exactly is the purpose of the user/password entries for factories and destinations in the JMS connector? The docu says it is for access to the JMS provider, but at least the SAP JMS provider seems not to make any use of them. Is this for access to third-party JMS providers?
Hi
Here are the steps you should make in version 6.40 :
1. Create your own topic
JMS Provider -> "Runtime" tab -> "JMS Server instances" border ("default") -> "Topics" tab -> "Create" button.
Let's name this topic "MySecureTopic".
2. Create a user which will have the permissions to produce messages to "MySecureTopic".
Security Provider -> "Runtime" tab -> "User Management" tab -> "Create User" button.
Let's name this user "secureproducer" with password "securepasswd". In my test I put this
user in "Authenticated users" group, but maybe he can be in any other group.
3. Now create new Security Role:
Security Provider -> "Components" ("service.jms.default.authorization") -> "Runtime" tab -> "Policy Configuration" tab -> "Security Roles" tab -> "Security Roles" -> "Add" button.
Note: in "service.jms.default.authorization" 'default' is the name of JMS instance (JMS Provider -> "Runtime" tab -> "JMS Server instances" border). If you use another instance, you should use the respective component ("service.jms.another.authorization").
The name of my role is "SecureProdurerRole".
Also add "secureproducer" user in this role :
Select "SecureProdurerRole" and click on "Mappings" -> "Add" button.
Security Provider -> "Runtime" tab -> "Policy Configuration" tab -> "Security Roles" tab -> "Mappings" border -> "Users" border -> "Add" button
4. Now you should add a security rule that makes the required behaviour :
Security Provider -> "Runtime" tab -> "Policy Configuration" tab -> "Resources" tab ->
4.1. from "Resources" border choose "topic"
4.2. from "Instances" border choose "MySecureTopic"
4.3. from "Actions" border choose Action "produce"
4.4. in "Granted" border should be only "SecureProdurerRole" and in "Denied" border - "administrators" and "clients" roles.
Now in your Java code you must create your JMS connection with username and password provided:
// this is the producer connection
tc = tcf.createTopicConnection("secureproducer", "securepasswd");
Otherwise using
tc = tcf.createTopicConnection();
this exception will occur :
javax.jms.JMSSecurityException: You do not have permissions: action produce and instance MySecureTopic.
at ...
HTH
Best regards
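A check for the rule configured in the steps above, as an added example that is not part of the original reply: it tries to publish once without credentials and once as the authorized producer, and passes only if the first attempt is rejected with JMSSecurityException and the second succeeds. The class name, the command-line arguments, the JMS_CHECK_PASSWORD environment variable and the use of a jndi.properties file for the provider settings are assumptions; only standard javax.jms and javax.naming calls are used.

```java
import java.util.Hashtable;
import javax.jms.JMSException;
import javax.jms.JMSSecurityException;
import javax.jms.Session;
import javax.jms.Topic;
import javax.jms.TopicConnection;
import javax.jms.TopicConnectionFactory;
import javax.jms.TopicPublisher;
import javax.jms.TopicSession;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;

/**
 * Added example (hypothetical class): verifies that the "produce" rule on a
 * topic is enforced for anonymous clients and still works for the granted user.
 *
 * Usage: java ProducePolicyCheck <factoryJndiName> <topicJndiName> <user>
 * The password is read from the JMS_CHECK_PASSWORD environment variable so it
 * does not show up in the process list. Provider URL and initial context
 * factory are taken from a jndi.properties file on the classpath.
 */
public class ProducePolicyCheck {

    enum Outcome { PUBLISHED, DENIED, ERROR }

    /** One complete produce attempt; user == null means "no credentials". */
    static Outcome tryPublish(TopicConnectionFactory tcf, Topic topic,
                              String user, String password) {
        TopicConnection tc = null;
        try {
            tc = (user == null)
                    ? tcf.createTopicConnection()
                    : tcf.createTopicConnection(user, password);
            TopicSession session =
                    tc.createTopicSession(false, Session.AUTO_ACKNOWLEDGE);
            TopicPublisher publisher = session.createPublisher(topic);
            // Keep the probe message short-lived so it does not pile up.
            publisher.setTimeToLive(60000L);
            publisher.publish(session.createTextMessage(
                    "policy check " + System.currentTimeMillis()));
            return Outcome.PUBLISHED;
        } catch (JMSSecurityException e) {
            // The provider may raise this at connect, createPublisher or
            // publish; all three count as "denied" for this check.
            System.out.println("  denied: " + e.getMessage());
            return Outcome.DENIED;
        } catch (JMSException e) {
            System.out.println("  error: " + e);
            return Outcome.ERROR;
        } finally {
            if (tc != null) {
                try { tc.close(); } catch (JMSException ignored) { }
            }
        }
    }

    public static void main(String[] args) throws NamingException {
        String password = System.getenv("JMS_CHECK_PASSWORD");
        if (args.length != 3 || password == null) {
            System.err.println("usage: JMS_CHECK_PASSWORD=... java "
                    + "ProducePolicyCheck <factoryJndiName> <topicJndiName> <user>");
            System.exit(2);
        }

        // The context is created without credentials on purpose. If the JNDI
        // environment carries a principal, some servers attach it to the
        // calling thread and the "anonymous" attempt is no longer anonymous.
        Context ctx = new InitialContext();
        Hashtable<?, ?> env = ctx.getEnvironment();
        if (env.containsKey(Context.SECURITY_PRINCIPAL)) {
            System.err.println("JNDI environment sets "
                    + Context.SECURITY_PRINCIPAL + "; remove it and rerun");
            System.exit(2);
        }

        TopicConnectionFactory tcf = (TopicConnectionFactory) ctx.lookup(args[0]);
        Topic topic = (Topic) ctx.lookup(args[1]);

        System.out.println("anonymous producer:");
        Outcome anonymous = tryPublish(tcf, topic, null, null);
        System.out.println("  -> " + anonymous);

        System.out.println("producer " + args[2] + ":");
        Outcome authorized = tryPublish(tcf, topic, args[2], password);
        System.out.println("  -> " + authorized);

        boolean ok = anonymous == Outcome.DENIED
                && authorized == Outcome.PUBLISHED;
        System.out.println(ok
                ? "PASS: produce is restricted to the granted role"
                : "FAIL: policy is not enforced as configured");
        System.exit(ok ? 0 : 1);
    }
}
```

Run it after every change to the security roles or resource rules; exit code 0 means the policy behaves as configured.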
Similar Messages
-
Dear Experts,
The scenario: in PA30 and also in PA40, an HR end user should not have access to edit his own data, but he/she should be able to view his own data and should have access to edit, create, copy for other employees. Kindly let me know the authorization object for the same.
Regards,
Deepan
Message was edited by: Sikindar A
Hello
P_PERNR: will prevent or let a user maintain/see his own data, cf.: P_PERNR (HR: Master Data - Personnel Number Check) (SAP Library - Authorizations for Human Resources)
then, depending on whether you use Contextual Authorization or not,
P_ORGIN or P_ORGINCON lets a user maintain/display the employees' master data.
Cf.:
P_ORGIN (HR: Master Data) - Authorizations for HR (Human Resources Management) - SAP Library
https://help.sap.com/saphelp_erp60_sp/helpdata/en/4c/197c8fad6671459b9dde3e915336b8/content.htm
regards
Hadrien -
Ok, is there a quick/simple way to monitor a jms topic/queue. You know, just to see if any messages are in the topic/queue and how many are being sent, etc...
I check out the docs for monitoring and snmp and OH MY GOD... you've got to be kidding, if this is the only way. Not that I think this is even a way, as I didn't see anything in there that would tell me how many messages may be in my topic.
This is related to another post I sent where I'm trying to figure out why my mdb ejb won't load. Unfortunately I can't even tell if something is getting on the stupid topic, so I don't know if the mdb is loading and just not getting the message from the topic, or if the message is getting to the topic, but the mdb never loads to handle it.
I don't want to be a broken record here, but have you guys at sun looked at how this all works in weblogic? It's so intuitive, the web console interface allows you to examine the status of any deployed ejbs, and also the status and statistics for jms resources. Perhaps by Sun Appserver 10 or 11 you guys will finally get it.
Tony F
Look,
Sorry to "needlessly flame the product", but so far my experience with it is that nothing matches exactly the documentation, nothing really works (except their sample apps, but no example of anything other than their sample apps), and the only way to get answers to simple questions is to post on forums, because the documentation that comes with the installation doesn't help.
The link you sent me had instructions on using the Admin console of IMQ. Of course, no documentation that came with the installation mentioned it. So, right off the bat I get the part of Adding a broker, and instead of seeing the screen shown in the tutorial, I get the Add Broker screen, but the textboxes are missing - you can't enter anything. So right away it doesn't work. Just another example of how every time I try to do something with this product I run into a wall.
Anyway, as far as flaming the product before I fully investigate the options, I guess my answer is I shouldn't have to spend 3 weeks pouring thru documentation, samples, and newsgroups just to figure out how to do something simple, like monitor messages in a queue. And when I finally get an answer, it simply doesn't work.
However, I will curb my frustration with this product and refrain from commenting on it. On the positive side, the sun employees seem to actually monitor this topic and respond frequently and quickly, which is more than I could say for other vendors such as bea. -
JMS authorization for default user
Hi All,
I need to configure the JMS authorization for WLS 9.2. I succeed to do it for specific user that determined with access control to JMS Topic resource:
TopicConnection _topicConnection = topicConnectionFactory.createTopicConnection(_user, _password);
Along with it I succeed to create topic connection without sending the user/password:
TopicConnection _topicConnection = topicConnectionFactory.createTopicConnection();
I can't understand why I succeed if I configured the access to a JMS Topic Connection for specific user only. How I can close this access for default user?
Thanks,
Igor.
Edited by igorkh at 10/07/2007 8:30 AM
Hi,
The user/pass arguments supplied for the createConnection call in WebLogic is only checked for the createConnection call itself, and there's no ACL check -- the call only checks that the user is a valid user. As far as I know there's no direct way to restrict the ability to create a JMS Connection to a particular JMS user (no way to specify an ACL directly). What you can do instead is configure an ACL on the JNDI name of the connection factory. You can also configure ACLs on your destinations (not just the JNDI name for the destination).
For pretty much all API calls (not just JMS API calls), WebLogic generally obtains the implicit security credentials stored in the current thread. The current thread's credentials are initialized either by the user/pass that was passed in the most recent time a Context was created by the application using that same thread, or, if on the server and no context was created, the credential can be supplied as part of the EJB's or servlet's configuration.
These implicit thread credentials are checked in various places when accessing a particular destination, as well as during JNDI lookups (applies if you've configured ACLs in your JNDI tree).
Tom -
Error on executing See Also search - no authorization for resource
Hi there,
i have installed TREX 6.1 SP 13.
It searching fine but only two bugs - 1)when i'm clicking on "See also" link in search result page - i'm getting error:
"Search Failure
Error on executing See Also search - no authorization for resource
An unexpected severe error occurred during the search call. If the situation persists, inform your system administrator."
2) when i'm clicking on "HTML version" - sometimes i'm getting "No valid content found in store" error message, but it depends on index.
Any ideas?
Hello Kwong,
thanks for response. Only that i have in log is:
#1.5#000F20F6A8BD006D000000060000253400040016981EA972#1125996948354#com.sapporta
ls.wcm.control.util.search.SearchSessionBuilder#sap.com/irj#com.sapportals.wcm.c
ontrol.util.search.SearchSessionBuilder#Administrator#41230####04c0c6201eb411dab
6f0000f20f6a8bd#SAPEngine_Application_Thread[impl:3]_0##0#0#Error##Plain###Error
on executing See Also search - no authorization for resource#
Moreover, i'm working under administrator with all rights. -
No authorization for the creation of resource WG10 00_1000_001
Dear All,
While checking SMQ1(Outbound queue), we found 2 displayed , pls check below details.
Queue Informationen
Number of Entries Displayed: 11
Number of Queues Displayed: 2
Cl. Queue Name Destination Entries
100 CFLDZ31CLNT100_0034 E06CLNT100 4
100 MCEX03 NONE 7
While Double clicking queue (CFLDZ31CLNT100_0034), Its shows Status SYSFAIL .
Please check details log.
Cl. Queue Name Destination Entries Status Date 1 Time 1 NxtDate NxtTim Wait for queue
100 CFLDZ31CLNT100_0034 E06CLNT100 4 SYSFAIL 22.09.2011 12:57:11 22.09.2011 13:16:32
Note : E06CLNT100 (SCM System).
While double clicking SYSFAIL Its shows No authorization for the creation of resource
00_1000_001.
Kindly Suggest.
And also User not able to do activate Integration Model using Transaction CFM2 , it is giving error as below .
System: E06CLNT100 User: KAPGATEG 22.09.2011 12:57:11
Function/Q/SAPAPO/CIF_RES_INBOUND4
Text: No authorization for the creation of resource WG10
Kindly advise. -
OIM Authorization policy for specific resource
Hi gurus,
Can we create an authorization policy in OIM 11.1.1.5 for allowing resource administrators to add/modify a specific resource only?
Example: For all users, Admin user-A should be able to add/modify AD resource only.
Admin User-B should be able to add/Modify iPlanet resource only
Thanks in advance.
-J
OIM 11.1.1.5 authorization policies do not extend to resource operations, only operations on OIM users and roles. For restricting operations on resources you can set data object permissions on the resource objects themselves. An alternative approach in OIM 11.1.1.5 is to provision resources via requests, where you can limit requests to work with specific allowed resources and be accessible to specific administrators.
-
Transport-Cockpit: No authorization for using the vehicle-resource
Hi everyone
In my planning profile I determined a sprinter as vehicle resource. As soon as I start the Transport Cockpit the freight orders appear, indeed, but TM claims that there's no authorization for my sprinter. The sprinter does not appear in the frame "resource". Selecting this vehicle manually TM post the message: vehicle not found. As far as I can estimate my master data are correct assigned.
Has anyone of you been confronted with this problem?
Thanks for your help.
Michael
Hello Mike
I created the vehicle under Master Data / Resources / Define Resource.
Resource Category: T
Time Zone: CET
Means of Transport: 4 (the same number as I chose in the freight order)
Planning Parameters: Finite Scheduling
Owner: the carrier of my freight order
Auth. Resource: the same carrier above mentioned
Template: Resource Template, Means of Transport: 4
Resource Validity: 1.1.1970 to 31.12.9999
Physical Properties: Mass = 1.000 kg, Volume = 4,5 m3
Time-cont. Capacity = 3 Pal (it does not make sense but I have not opportunity to change this value)
The other fields don't have any values.
In the forwarding order or rather freight order I determined the vehicle which is suitable to the selected carrier. I assume that there is a connection between the error message and the planning profile. I define in my planning profile the sprinter as vehicle:
Planning Profile / Capacity
VEHICLERES_ID inclusive = [and my vehicle]
I tried, too:
OWNER inclusive = [and my carrier]
What Transportation Cockpit is doing now, is EXCLUDING exact that vehicle (or rather carrier) I want to dispatch. It seems to work vice versa.
A sprinter is just another name for a small bus. I linked you to a photo of mercedes. Sprinter or long truck - regardless of which of them I use: the error remains.
Regards,
Michael -
Error initializing the Oracle JMS Resource provider for Topics
Getting this error when starting OC4J 9.0.3 standalone on Windows2000.
Resource provider config'd as
<resource-provider class="oracle.jms.OjmsContext" name="ojms">
<description> OJMS/AQ </description>
<property name="datasource" value="jdbc/ProlianceDS"></property>
</resource-provider>
Datasource config'd as
<data-source
class="com.evermind.sql.OrionCMTDataSource"
name="ProlianceDS"
location="jdbc/ProlianceDS"
xa-location="jdbc/xa/ProlianceDS"
ejb-location="jdbc/ProlianceDS"
connection-driver="oracle.jdbc.driver.OracleDriver"
username="proliance"
password="******"
url="jdbc:oracle:thin:@aps67.ere.com:1538:ifstst"
inactivity-timeout="30"
/>
ejb-jar config'd as
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE ejb-jar PUBLIC "-//Sun Microsystems, Inc.//DTD Enterprise JavaBeans 2.0//EN" "http://java.sun.com/dtd/ejb-jar_2_0.dtd">
<ejb-jar>
<enterprise-beans>
<message-driven>
<description>Proliance Message Driven Bean</description>
<display-name>ProlianceMDB</display-name>
<ejb-name>ProlianceMDB</ejb-name>
<ejb-class>com.lendlease.bll.ProlianceMDB</ejb-class>
<transaction-type>Container</transaction-type>
<message-selector>
<method>
<ejb-name>ProlianceMDB</ejb-name>
<method-name>onMessage</method-name>
</method>
</message-selector>
<message-driven-destination>
<destination-type>javax.jms.Topic</destination-type>
<subscription-durability>Durable</subscription-durability>
</message-driven-destination>
<resource-ref>
<res-ref-name>java:comp/resource/ojms/Topics/PROLIANCE.OUT_AQ</res-ref-name>
<res-type>javax.jms.Topic</res-type>
<res-auth>Container</res-auth>
</resource-ref>
<resource-env-ref>
<resource-env-ref-name>java:comp/resource/ojms/TopicConnectionFactories/aqTcf</resource-env-ref-name>
<resource-env-ref-type>javax.jms.TopicConnectionFactory</resource-env-ref-type>
</resource-env-ref>
</message-driven>
</enterprise-beans>
<assembly-descriptor>
<container-transaction>
<method>
<ejb-name>ProlianceMDB</ejb-name>
<method-name>onMessage</method-name>
</method>
<trans-attribute>Required</trans-attribute>
</container-transaction>
</assembly-descriptor>
</ejb-jar>
orion-ejb-jar config'd as:
<?xml version = '1.0'?>
<!DOCTYPE orion-ejb-jar PUBLIC "-//Evermind//DTD Enterprise JavaBeans 1.1 runtime//EN" "http://xmlns.oracle.com/ias/dtds/orion-ejb-jar.dtd">
<orion-ejb-jar deployment-time="e7f1ce76f6" deployment-version="1.0.2.2">
<enterprise-beans>
<message-driven-deployment
name="ProlianceMDB"
connection-factory-location="java:comp/resource/ojms/TopicConnectionFactories/aqTcf"
destination-location="java:comp/resource/ojms/Topics/PROLIANCE.OUT_AQ"
subscription-name="PROLIANCE_SUBSCRIBER">
</message-driven-deployment>
</enterprise-beans>
</orion-ejb-jar>
Full startup trace is:
C:\ora\oc4j_9.0.3\j2ee\home>java -Djdbc.connection.debug=true -jar oc4j.jar
Node started with id=-2143203582
Auto-unpacking C:\ora\oc4j_9.0.3\j2ee\home\applications\ProlianceMDB.ear... done.
Auto-unpacking C:\ora\oc4j_9.0.3\j2ee\home\applications\ProlianceMDB\ProlianceMDB.war... done.
Auto-deploying ProlianceMDB (New server version detected)...
Copying default deployment descriptor from archive at C:\ora\oc4j_9.0.3\j2ee\home\applications\ProlianceMDB/ProlianceMDB
.jar/META-INF/orion-ejb-jar.xml to deployment directory C:\ora\oc4j_9.0.3\j2ee\home\application-deployments\ProlianceMDB
\ProlianceMDB.jar...
Auto-deploying ProlianceMDB.jar (New server version detected)... done.
Error initializing the Oracle JMS Resource provider for Topics: Not an OracleConnection
Error deploying file:/C:/ora/oc4j_9.0.3/j2ee/home/applications/ProlianceMDB/ProlianceMDB.jar homes: No javax.jms.Destina
tion found at the specified destination-location (java:comp/resource/ojms/Topics/PROLIANCE.OUT_AQ) for MessageDrivenBean
ProlianceMDB
OrionCMTConnection not closed, check your code!
Logical connection not closed, check your code!
Created at:
java.lang.Throwable: OrionCMTConnection created
at com.evermind.sql.OrionCMTConnection.<init>(OrionCMTConnection.java:42)
at com.evermind.sql.OrionCMTDataSource.getConnection(OrionCMTDataSource.java:82)
at oracle.jms.AQjmsConnection.newDBConnection(AQjmsConnection.java:1681)
at oracle.jms.AQjmsConnection.<init>(AQjmsConnection.java:537)
at oracle.jms.AQjmsTopicConnectionFactory.createTopicConnection(AQjmsTopicConnectionFactory.java:232)
at oracle.jms.OjmsResource.initT(OjmsResource.java:512)
at oracle.jms.OjmsResource.initAQ(OjmsResource.java:411)
at oracle.jms.OjmsResource.init(OjmsResource.java:214)
at oracle.jms.OjmsContextFactory.getObjectInstance(OjmsContextFactory.java:103)
at oracle.jms.OjmsContext.getResource(OjmsContext.java:328)
at com.evermind.server.Application.lookupResource(Application.java:2548)
at com.evermind.server.Application.lookupResource(Application.java:2563)
at com.evermind.server.ApplicationContext.handleResourceLookup(ApplicationContext.java:639)
at com.evermind.server.ApplicationContext.lookup(ApplicationContext.java:162)
at com.evermind.server.ApplicationContext.lookup(ApplicationContext.java:66)
at com.evermind.server.ejb.MessageDrivenHome.<init>(MessageDrivenHome.java:236)
at com.evermind.server.ejb.EJBPackageDeployment.bindHomes(EJBPackageDeployment.java:304)
at com.evermind.server.ejb.EJBContainer.postInit(EJBContainer.java:595)
at com.evermind.server.Application.postInit(Application.java:431)
at com.evermind.server.Application.setConfig(Application.java:136)
at com.evermind.server.ApplicationServer.addApplication(ApplicationServer.java:1635)
at com.evermind.server.ApplicationServer.initializeApplications(ApplicationServer.java:1585)
at com.evermind.server.ApplicationServer.setConfig(ApplicationServer.java:1240)
at com.evermind.server.ApplicationServerLauncher.run(ApplicationServerLauncher.java:93)
at java.lang.Thread.run(Thread.java:484)
Auto-deploying ProlianceMDB Poster (New server version detected)...
Oracle9iAS (9.0.3.0.0) Containers for J2EE initialized
Using native aqapi.jar with OC4J - didn't copy from 9.2.0.2 DB. 9.2.0.2 patchset ran fully, completed fine. What's going wrong?
Brian
Shouldn't I be getting a com.evermind.sql.OrclCMTConnection created instead of a com.evermind.sql.OrionCMTConnection (per the stack trace)? OJMS is complaining that it doesn't have an OracleConnection but how do I tell it to use the "OrclCMTConnection" class instead?
Brian -
Display authorization for resource planning missing
Hi,
while open the Resource planner with log in service manager.it is showing following error
Display authorization for resource planning missing
i am not getting this error why it is showing.any one help me to solve this issue
Thanks & Regards
Kishore Kumar
Maintain the authorization Objects for the PFCG role assigned to the user
Authorization Object | Description | Authorization Field | Value | Value: System | Relevance
WFDS_RPA | Authorization Object Transaction | ACTVT | 3 | WFD server | Service resource planning application (RPA)
WFDS_RPA | Authorization Object Transaction | ACTVT | 2 | WFD server | RPA
B_BUPA_GRP | Business Partner: Authorization Groups | ACTVT | 3 | SAP CRM | RPA, Appointment scheduling
B_BUPA_RLT | Business Partner: BP Roles | ACTVT | 3 | SAP CRM | RPA, Appointment scheduling
B_BUPA_RLT | Business Partner: BP Roles | ACTVT | 3 | SAP CRM | RPA, Appointment scheduling
WFDS_JFUNC | Authorization Object Resource (Type of WFD Resource) | WFDS_RTYPE | | WFD server | RPA, Appointment scheduling
WFDS_JFUNC | Authorization Object Resource (Job Function) | WFDS_JFUNC | | WFD server | RPA, Appointment scheduling
WFDS_JFUNC | Authorization Object Resource (Job Level) | WFDS_JLEVE | | WFD server | RPA, Appointment scheduling
WFDS_SAREA | Authorization Object Resource (Type of WFD Resource) | WFDS_RTYPE | | WFD server | RPA, Appointment scheduling
WFDS_SAREA | Authorization Object Resource (Service Area) | WFDS_SAREA | | WFD server | RPA, Appointment scheduling
S_TCODE | Transaction Code | TCD | /SAPAPO/LRP_ACCESS | WFD server | RPA, Appointment scheduling
UIU_COMP | Authorization UI | COMP_NAME | WCC_SRV_RPA | SAP CRM | RPA
UIU_COMP | Authorization UI | COMP_WIN | WCC_SRV_RPA/MainWindow | SAP CRM | RPA
UIU_COMP | Authorization UI | COMP_PLUG | | SAP CRM | RPA
UIU_COMP | Authorization UI | COMP_NAME | WFDRPA | SAP CRM | RPA
UIU_COMP | Authorization UI | COMP_WIN | MainWindow | SAP CRM | RPA
UIU_COMP | Authorization UI | COMP_PLUG | DEFAULT | SAP CRM | RPA
UIU_COMP | Authorization UI | COMP_NAME | WFDRPA | SAP CRM | RPA
UIU_COMP | Authorization UI | COMP_PLUG | DEFAULT | SAP CRM | RPA
UIU_COMP | Authorization UI | COMP_WIN | WFDRPA/MainWindow | SAP CRM | RPA -
What's the best way to do authorization for my app?
The authorization situation is somewhat complicated for my app.
Each component of the app is authorized based on not only the user, but also the page number, the value of at least one P0_ITEM.
From what I've seen so far, there are two different options of setting the authorization for the component:
1. Set its Condition
2. Set its Security Authorization Scheme
Here is my understanding for each (from my limited experience with APEX):
1. Set its Condition
+ Can pass in parameters such as :APP_USER, page number, P0_ITEM. So I can just create one function that does all the authorization
- Have to combine the SQL query with the component's non-authorization display conditions, if any.
2. Set its Security Authorization Scheme
+ By name, it seems like it should be used for authorization
- Cannot take in parameters relating to the page, such as the page number --> therefore I will need to create many different schemes, for all the different pages.
#2 will end up with a long list of schemes (each with its own SQL queries) for different pages, which doesn't seem as efficient as #1 with far fewer SQL queries and just take in parameters.
Which one should I pick?
Thanks!
953006 wrote:
Thanks fac586 for the detailed response, and also everyone else who replied. You guys are very helpful and respond promptly.
And we'd appreciate it if you changed "953006" into a real handle promptly.
Andre mentioned using conditions:
The way I work around this is to have two functions, one which is used at the page level as a normal authorization scheme and one which can be passed variables which is called as a Condition and the name of the item is one of the variables, in effect giving it "self awareness".
But fac586 said:
You can't pass "parameters" to authorization schemes. Use application items, APEX collections or application contexts to set current context before the authorization scheme is evaluated, and access these values in the functions.
Does this mean, fac586, that we can avoid conditions altogether?
No, it means that I prefer to use Authorization Schemes to control access to resources based on user privileges and security, and Conditions to control rendering and processing for functional reasons. Using the approach described above I have found it possible to maintain this separation.
Say if a page has two buttons, Button_A and Button_B. Button_A has a set of requirements for displaying and Button_B has its own set of requirements (some of which are shared with Button_A). So far, the only way that I can see of using pure authorization is to write 2 different authorization schemes, and set the authorization schemes for the two buttons respectively.
What's the problem with that? Consider a more concrete example using a standard APEX report/form pattern for customer maintenance. Page 6 contains the report, and page 7 is the maintenance form with P7_CREATE and P7_SAVE buttons. Only users entitled to create new customers should have access to P7_CREATE, and only users able to edit customers access to P7_SAVE. This would be controlled by the CREATE_CUSTOMER and EDIT_CUSTOMER authorization schemes respectively. Functionally, conditions are used to show P7_CREATE if the P7_CUSTOMER_ID is null, and P7_SAVE if it's not null. We don't mix non-functional security considerations with functional requirements.
The CREATE_CUSTOMER and EDIT_CUSTOMER authorization schemes are of type PL/SQL Function Returning Boolean. These are implemented using package functions. Exactly how a user has create/edit customer privilege is determined in the package. Determinants that are shared by multiple schemes can be combined at this level. These implementations can be changed as necessary without requiring changes to the application.
The authorization schemes are reusable across pages and components. On page 6, CREATE_CUSTOMER can be used on the "Create New Customer..." button; EDIT_CUSTOMER on the report column containing the "Edit" links.
Each component of the app is authorized based on not only the user, but also the page number, the value of at least one P0_ITEM. So I guess this goes back to my original concern with Authorizations:
[Using purely authorizations] will end up with a long list of schemes (each with its own SQL queries) for different pages [and page items] ....
Re: VPD policies. Note that in the example above there's no need for the authorization schemes to "know" which pages/items are being evaluated. The P7_SAVE button and the page 6 link column are involved with the EDIT_CUSTOMER operation, so that authorization scheme is applied to them. -
@Resource annotation does not work for XA resource?
Okay, sounds absurd that it works for everything except XA, but that is all I have to go with for now. We are moving from EJB2.x to EJB3 and I am encountering an issue when using the @Resource annotation for an XA connection factory. See deployment exception at bottom of post.
First, I deploy my-aqjms-jms.xml which contains two connection factories (sorry, I do not know the equivalent "pre" tag for this board so all formatting is lost):
<weblogic-jms>
<foreign-server name="MY-AQJMS-JMS">
<foreign-connection-factory name="ForeignConnectionFactory-0">
<local-jndi-name>my/jms/QCF</local-jndi-name>
<remote-jndi-name>QueueConnectionFactory</remote-jndi-name>
</foreign-connection-factory>
<foreign-connection-factory name="ForeignConnectionFactory-1">
<local-jndi-name>my/jms/XAQCF</local-jndi-name>
<remote-jndi-name>XAQueueConnectionFactory</remote-jndi-name>
</foreign-connection-factory>
<initial-context-factory>oracle.jms.AQjmsInitialContextFactory</initial-context-factory>
<jndi-property>
</jndi-property>
</foreign-server>
</weblogic-jms>
Next, I look at my ejb-jar.xml:
<session>
<description>My EJB</description>
<ejb-name>MyEJB</ejb-name>
<ejb-class>demo.MyEJB</ejb-class>
<session-type>Stateless</session-type>
<transaction-type>Container</transaction-type>
<resource-ref>
<description>connection factory</description>
<res-ref-name>jms/myQCF</res-ref-name>
<res-type>javax.jms.QueueConnectionFactory</res-type>
<res-auth>Container</res-auth>
<res-sharing-scope>Shareable</res-sharing-scope>
</resource-ref>
<resource-ref>
<res-ref-name>jms/myXAQCF</res-ref-name>
<res-type>javax.jms.XAQueueConnectionFactory</res-type>
<res-auth>Container</res-auth>
<res-sharing-scope>Shareable</res-sharing-scope>
</resource-ref>
</session>
These are the resource tags I want to move into annotations. (There are matching tags in weblogic-ejb-jar.xml which map "jms/myQCF" to "my/jms/QCF" and same for XAQCF). So, I open demo.MyEJB and add the annotation for the first one:
@Stateless(name="MyEJB")
@Resources({
@Resource(description="connection factory",
name="jms/myQCF",
type=javax.jms.QueueConnectionFactory.class,
authenticationType=Resource.AuthenticationType.CONTAINER,
shareable=true,
mappedName = "my/jms/QCF"),
I remove the resource-ref tag for "jms/myQCF" in ejb-jar and weblogic-ejb-jar.xml but keep the one for "jms/myXAQCF", re-compile, re-package, re-deploy, and test. Everything seems to work fine. So, I open demo.MyEJB and add the annotation for the second connection factory:
@Resource(description="XA connection factory",
name="jms/myXAQCF",
type=javax.jms.XAQueueConnectionFactory.class,
authenticationType=Resource.AuthenticationType.CONTAINER,
shareable=true,
mappedName="my/jms/XAQCF"),
I also remove the resource-ref tag for "jms/myXAQCF" in both *ejb-jar.xml's. But now when I try to redeploy, I get the following exception:
[EJB:011026]The EJB container failed while creating the java:/comp/env namespace for this EJB deployment.
weblogic.deployment.EnvironmentException: [EJB:010176]The resource-env-ref 'jms/myXAQCF' declared in the ejb-jar.xml descriptor or annotation has no JNDI name mapped to it. The resource-ref must be mapped to a JNDI name using the resource-description element of the weblogic-ejb-jar.xml descriptor or corresponding annotation.
If I comment the XAQCF annotation it will deploy again. I have since done the same annotation replacement for jms queues and jdbc resources. However, only this one XA connection factory is giving me trouble. Is this an issue in weblogic or is there something I am missing from the annotation?
Thanks!
Look like a bug in Appserver. XAResourceWrapper is used only for debugging. May be you want to reduce the log level to INFO and try it.
Yeah, that worked. But this is a bug in the app server because a switch in the log level shouldn't influence transaction behavior.
Yes. There is a bug when log level in FINEST. All other log levels should be fine. Please see the bug report at
http://developer.java.sun.com/developer/bugParade/bugs/4973434.html
>
The only big issue I still have is that recovery
doesn't work. See my other message in this forum. Do
you have a solution for this?I have asked someone who knows that area well to answer your query.
- Binod
>
-- Andreas -
Is there any tutorial for jms development with jdeveloper out there ?
Hi
Thank you for reading my post
is there any tutorial which show us how to use jdeveloper +oc4j for JMS stuff ?
I mean an end 2 end tutorial to build mdb+jms resources in oc4j + client
it will be far better if the tutorial shows how we can use jdeveloper features for this task (if it provide any wizard...)This is an example of a client:
import java.util.Hashtable;
import javax.jms.*;
import javax.naming.*;

public String listeningJMS (Context context) throws Exception
{
    String topicName = "jms/demoTopic";
    String topicConnectionFactoryName = "jms/TopicConnectionFactory";
    TopicConnectionFactory topicConnectionFactory = null;
    TopicConnection topicConnection = null;
    TopicSession topicSession = null;
    Topic topic = null;
    TopicSubscriber topicSubscriber = null;
    TextMessage message = null;
    String fileName = null;
    /*
     * Look up connection factory and topic. If either does
     * not exist, exit.
     */
    try
    {
        topicConnectionFactory = (TopicConnectionFactory)
            context.lookup(topicConnectionFactoryName);
        topic = (Topic) context.lookup(topicName);
        /*
         * Create connection.
         * Create session from connection; false means session is
         * not transacted.
         * Create subscriber.
         * Start the connection and block in receive() until one
         * text message arrives from the topic.
         * Close connection.
         */
        topicConnection =
            topicConnectionFactory.createTopicConnection();
        topicSession =
            topicConnection.createTopicSession(false,
                Session.AUTO_ACKNOWLEDGE);
        topicSubscriber =
            topicSession.createSubscriber(topic);
        topicConnection.start();
        System.out.println("Receiving: ");
        TextMessage msg = (TextMessage) topicSubscriber.receive();
        String xmlString = msg.getText();
        topicConnection.close();
        System.err.println("Received: "+xmlString);
        // getFileName() is a helper of the poster's class that is not shown here
        fileName = this.getFileName(msg.getText());
    } catch (Exception e) {
        throw e;
    } finally {
        // Closing again is harmless if the connection was already closed above
        if (topicConnection != null) {
            try {
                topicConnection.close();
            } catch (JMSException e) {throw e;}
        }
    }
    return fileName;
}

public static Context getInitialContext() throws NamingException {
    Hashtable env = new Hashtable();
    // Standalone OC4J connection details
    env.put( Context.INITIAL_CONTEXT_FACTORY, "oracle.j2ee.rmi.RMIInitialContextFactory" );
    env.put( Context.SECURITY_PRINCIPAL, "oc4jadmin" );
    env.put( Context.SECURITY_CREDENTIALS, "welcome1" );
    env.put(Context.PROVIDER_URL, "ormi://localhost:12401");
    //env.put(Context.PROVIDER_URL, "ormi://localhost:23791");
    return new InitialContext( env );
}
-
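An added example, not part of the original post: the getInitialContext() in the client above compiles the OC4J admin principal and password into the program, so this variant reads the four JNDI settings from an owner-only properties file and fails closed when one is missing. The class name JndiContextFactory, the file layout and the use of Java 7 or later are assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.util.Hashtable;
import java.util.Properties;
import java.util.Set;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
// Hypothetical helper (added example, not from the post). Expects a properties file such as:
//   java.naming.factory.initial=oracle.j2ee.rmi.RMIInitialContextFactory
//   java.naming.provider.url=ormi://localhost:12401
//   java.naming.security.principal=<dedicated JMS client account, not the admin user>
//   java.naming.security.credentials=<its password>
public final class JndiContextFactory {
    private static final String[] REQUIRED = {
        Context.INITIAL_CONTEXT_FACTORY, Context.PROVIDER_URL,
        Context.SECURITY_PRINCIPAL, Context.SECURITY_CREDENTIALS
    };
    public static Hashtable<String, Object> loadEnv(Path file) throws IOException {
        // On POSIX file systems, refuse a credentials file that group or others can read.
        if (Files.getFileStore(file).supportsFileAttributeView("posix")) {
            Set<PosixFilePermission> perms = Files.getPosixFilePermissions(file);
            if (perms.contains(PosixFilePermission.GROUP_READ)
                    || perms.contains(PosixFilePermission.OTHERS_READ)) {
                throw new IOException(file + " must be readable by its owner only");
            }
        }
        Properties props = new Properties();
        try (InputStream in = Files.newInputStream(file)) {
            props.load(in);
        }
        Hashtable<String, Object> env = new Hashtable<>();
        for (String key : REQUIRED) {
            String value = props.getProperty(key);
            if (value == null || value.isEmpty()) {
                // Fail closed: never fall back to a built-in account or password.
                throw new IOException("missing JNDI property: " + key);
            }
            env.put(key, value);
        }
        return env;
    }
    public static Context getInitialContext(Path file) throws IOException, NamingException {
        return new InitialContext(loadEnv(file));
    }
}
```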
MDB deployement error in Glassfish - "JMS resource not created"
Hi,
I'm trying to deploy a J2EE application which has a couple of MDBs in Glassfish 2.1. I get the following error when I deploy the EAR file to the app server. I've configured JMS resources using the admin console but am still getting this error. I've no experience of JMS, so I'm not sure if I've configured it correctly. Any step-by-step guide with screenshots would be very useful, but I can't find any. Please help me if you have any idea what I'm doing wrong. Thanks in advance.
[#|2009-03-05T13:09:10.143+0000|SEVERE|sun-appserver2.1|javax.enterprise.system.container.ejb|_ThreadID=35;_ThreadName=Thread-3757;com.sun.enterprise.connectors.ConnectorRuntimeException: JMS resource not created : ;_RequestID=075ba53a-1835-482d-9db7-fe79fe1f1eb3;|EJB5090: Exception in creating EJB container
[#|2009-03-05T13:09:10.143+0000|SEVERE|sun-appserver2.1|javax.enterprise.system.container.ejb|_ThreadID=35;_ThreadName=Thread-3757;_RequestID=075ba53a-1835-482d-9db7-fe79fe1f1eb3;|appId=cdm moduleName=cdm-ejb_jar ejbName=SupplierEJB|#]
[#|2009-03-05T13:09:10.143+0000|SEVERE|sun-appserver2.1|javax.enterprise.system.core.classloading|_ThreadID=35;_ThreadName=Thread-3757;_RequestID=075ba53a-1835-482d-9db7-fe79fe1f1eb3;|LDR5004: UnExpected error occured while creating ejb container
com.sun.enterprise.connectors.ConnectorRuntimeException: JMS resource not created :
at com.sun.enterprise.connectors.system.ActiveJmsResourceAdapter.getPhysicalDestinationFromConfiguration(ActiveJmsResourceAdapter.java:1591)
at com.sun.enterprise.connectors.system.ActiveJmsResourceAdapter.updateMDBRuntimeInfo(ActiveJmsResourceAdapter.java:1421)
at com.sun.enterprise.connectors.inflow.ConnectorMessageBeanClient.setup(ConnectorMessageBeanClient.java:170)
at com.sun.ejb.containers.MessageBeanContainer.<init>(MessageBeanContainer.java:209)
at com.sun.ejb.containers.ContainerFactoryImpl.createContainer(ContainerFactoryImpl.java:524)
at com.sun.enterprise.server.AbstractLoader.loadEjbs(AbstractLoader.java:527)
at com.sun.enterprise.server.ApplicationLoader.doLoad(ApplicationLoader.java:191)
at com.sun.enterprise.server.TomcatApplicationLoader.doLoad(TomcatApplicationLoader.java:126)
at com.sun.enterprise.server.ExtendedApplicationLoader.doLoad(ExtendedApplicationLoader.java:134)
at com.sun.enterprise.server.AbstractLoader.load(AbstractLoader.java:238)
at com.sun.enterprise.admin.server.core.jmx.SunoneInterceptor.invoke(SunoneInterceptor.java:304)
at com.sun.enterprise.interceptor.DynamicInterceptor.invoke(DynamicInterceptor.java:174)
at com.sun.enterprise.deployment.client.DeploymentClientUtils.startApplication(DeploymentClientUtils.java:159)
at com.sun.enterprise.deployment.client.DeployAction.run(DeployAction.java:538)
at java.lang.Thread.run(Thread.java:619)
Hi Nigel,
Thanks for your reply. In my ejb-jar.xml I have
<?xml version="1.0" encoding="UTF-8"?>
<!-- Copyright (c) 2003 Sun Microsystems, Inc. All rights reserved. -->
<ejb-jar version="2.1" xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/ejb-jar_2_1.xsd">
  <display-name>myJARName</display-name>
  <enterprise-beans>
    <message-driven>
      <display-name>myEJB</display-name>
      <ejb-name>myEJB</ejb-name>
      <ejb-class>com.mycompany.app.mdb.MyMessageBean</ejb-class>
      <messaging-type>javax.jms.MessageListener</messaging-type>
      <transaction-type>Container</transaction-type>
      <message-destination-type>javax.jms.Queue</message-destination-type>
      <message-destination-link>MyQueue</message-destination-link>
      <activation-config>
        <activation-config-property>
          <activation-config-property-name>destinationType</activation-config-property-name>
          <activation-config-property-value>javax.jms.Queue</activation-config-property-value>
        </activation-config-property>
      </activation-config>
.......
So I've created a JMS resource with the same JNDI name and physical destination name (both are MyQueue). I don't see any different JNDI name in ejb-jar.xml. Is it not right?
-
JMS Resource Adapter and JDeveloper 10g
Hello,
I am trying to use the OC4J JMS Resource Adapter for WebSphere MQ with JDeveloper 10g (OC4J 9.0.4). The program is just a servlet that sends a message to a JMS Queue. My orion-web.xml looks like:
<?xml version = '1.0' encoding = 'windows-1252'?>
<!DOCTYPE orion-web-app PUBLIC "-//Evermind//DTD Orion Web Application 2.3//EN" "http://xmlns.oracle.com/ias/dtds/orion-web.dtd">
<orion-web-app servlet-webdir="/servlet/">
  <resource-ref-mapping name="jms/QCF" location="mqjms/MyQCF" />
  <resource-env-ref-mapping name="jms/QUEUE1" location="mqjms/MyQ" />
</orion-web-app>
The problem is that when I try to start the server I get the following Jdeveloper error:
java.lang.IllegalArgumentException: Unrecognized parent-elem combination: interface oracle.jdeveloper.xml.oc4j.war.OrionWebApp - resource-env-ref-mapping
at oracle.javatools.xml.bind.XMLBinding.throwUnrecognizedElem(XMLBinding.java:127)
at oracle.jdeveloper.xml.j2ee.war.WebAppBinding.elem2intImpl(WebAppBinding.java:637)
at oracle.javatools.xml.bind.XMLBinding.elem2int(XMLBinding.java:104)….
Any ideas?
Thanks in advance
Did you find a fix for this? I'm experiencing the same problem.