BEA-090078 User ovowl in security realm myrealm has had 5 invalid login

Hi,
I created a new domain for 10.3.4.0. There are two default users, weblogic and OracleSystemUser. But in the admin stdout log file, the errors below appear continuously:
<XXXXXXXXX> <Notice> <Security> <BEA-090078> <User ovowl in security realm myrealm has had 5 invalid login attempts, locking account for 30 minutes.>
Can you please let me know where I can find the ovowl user in the WebLogic domain?
Thanks.

My guess is this user "ovowl" doesn't exist at all.
I tried logging into the console 5 times with a non-existing username, and I got the same error:
<17-May-2011 16:10:32 o'clock CEST> <Notice> <Security> <BEA-090078> <User weblogic1 in security realm myrealm has had 5 invalid login attempts, locking account for 30 minutes.>
But there is no user "weblogic1"...
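
Added example, not part of the original posts: a Python parser that extracts BEA-090078 lockout notices from the log formats quoted on this page (stdout lines, `####` server-log lines, wrapped or HTML-escaped copies) and marks whether each locked name is an account in the realm, the situation the reply above describes. The `known_users` mapping is an assumption (an operator-supplied list of realm accounts), and the sample lines are constructed from lines quoted on this page, one of them shortened.

```python
import html
import re
from collections import Counter, namedtuple

LockoutEvent = namedtuple(
    "LockoutEvent", "timestamp server user realm attempts minutes"
)

# The message ID is logged as <BEA-090078> or, in older logs, <090078>.
_MSG = re.compile(
    r"<(?:BEA-)?090078> <User (?P<user>\S+) in (?:security )?realm (?P<realm>\S+) "
    r"has had (?P<attempts>\d+) invalid login attempts, "
    r"locking account for (?P<minutes>\d+) minutes\.>"
)
_TIMESTAMP = re.compile(r"^(?:####)?<([^>]*)>")
# In the '####' server-log format the fifth field is the server name.
_SERVER = re.compile(r"^####(?:<[^>]*> ){4}<([^>]*)>")


def _records(text):
    """Yield one string per log record, re-joining wrapped lines."""
    current = None
    for line in html.unescape(text).splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith(("####<", "<")):
            if current is not None:
                yield current
            current = line
        elif current is not None:
            current += " " + line  # continuation of a wrapped record
    if current is not None:
        yield current


def parse_lockouts(text):
    """Return a LockoutEvent for every BEA-090078 notice found in text."""
    events = []
    for record in _records(text):
        match = _MSG.search(record)
        if not match:
            continue
        ts = _TIMESTAMP.match(record)
        srv = _SERVER.match(record)
        events.append(LockoutEvent(
            timestamp=ts.group(1) if ts else None,
            server=srv.group(1) if srv else None,
            user=match.group("user"),
            realm=match.group("realm"),
            attempts=int(match.group("attempts")),
            minutes=int(match.group("minutes")),
        ))
    return events


def triage(events, known_users):
    """Count lockouts per (realm, user) and mark whether the account exists.

    known_users maps realm name -> set of account names (assumption: supplied
    by the operator). account_exists is None when the realm is not listed.
    """
    counts = Counter((e.realm, e.user) for e in events)
    result = {}
    for (realm, user), n in counts.items():
        accounts = known_users.get(realm)
        exists = None if accounts is None else user in accounts
        result[(realm, user)] = {"lockouts": n, "account_exists": exists}
    return result


# Constructed sample in the formats quoted on this page.
SAMPLE = """\
<17-May-2011 16:10:32 o'clock CEST> <Notice> <Security> <BEA-090078> <User weblogic1 in security realm myrealm has had 5 invalid login attempts, locking account for 30 minutes.>
<XXXXXXXXX> <Notice> <Security> <BEA-090078> <User ovowl in security realm myrealm has had 5 invalid login attempts, locking account for 30
minutes.>
####<Jul 31, 2007 12:33:19 AM BST> <Notice> <Security> <hwmit08> <managed2_btrsg01> <ExecuteThread: '0' for queue: 'Multicast'> <kernel identity> <> <090078> <User wlisystem in realm CompatibilityRealm has had 6 invalid login attempts, locking account for 30 minutes.>
####&lt;Oct 5, 2010 2:46:09 PM SGT&gt; &lt;Notice&gt; &lt;Security&gt; &lt;STG-DS11&gt; &lt;AdminServer&gt; &lt;ExecuteThread: '3'&gt; &lt;&lt;WLS Kernel&gt;&gt; &lt;&gt; &lt;BEA-090078&gt; &lt;User weblogic in security realm myrealm has had 5 invalid login attempts, locking account for 30 minutes.&gt;
<May 25, 2009 2:23:58 PM PHT> <Notice> <Security> <BEA-090082> <Security initializing using security realm myrealm.>
"""

if __name__ == "__main__":
    known = {"myrealm": {"weblogic", "OracleSystemUser"}}
    for key, info in triage(parse_lockouts(SAMPLE), known).items():
        print(key, info)
```

A locked name with `account_exists` set to `False` points to a client or script submitting a wrong username, while `True` points to a stored credential that no longer matches the account's password.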

Similar Messages

  • User wlisystem in realm CompatibilityRealm has had 6 invalid login attempts

    when a request is sent to wli
    ####<Jul 31, 2007 12:33:19 AM BST> <Notice> <Security> <hwmit08> <managed2_btrsg01> <ExecuteThread: '0' for queue: 'Multicast'> <kernel identity> <> <090078> <User wlisystem in realm CompatibilityRealm has had 6 invalid login attempts, locking account for 30 minutes.>
    ####<Jul 31, 2007 12:43:19 AM BST> <Notice> <Security> <hwmit08> <managed2_btrsg01> <ExecuteThread: '0' for queue: 'Multicast'> <kernel identity> <> <090078> <User wlisystem in realm CompatibilityRealm has had 5 invalid login attempts, locking account for 30 minutes.>
    Does anyone have a solution for this?

  • User locks out, due to 5 invalid login attempts after the server running

    Hi ,
    I HAC on WLS 10.3.2 (Oracle Solaris on x86-64 (64-bit)).
    The user locks out due to 5 invalid login attempts just after the server comes into the running state.
    But the strange thing is the customer is not trying to log in to it.
    We unlocked the user after logging into the console with a different user.
    The customer knows the username and password.
    Still, the issue appears after a few minutes.
    Below are the logs:
    ####<Oct 5, 2010 2:41:36 PM SGT> <Notice> <WebLogicServer> <STG-DS11> <AdminServer> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <21524a931a3e4d99:45f2a2df:12b7b1fb09c:-8000-0000000000000005> <1286260896734> <BEA-000329> <Started WebLogic Admin Server "AdminServer" for domain "IDMDomain" running in Production Mode>
    ####<Oct 5, 2010 2:41:36 PM SGT> <Notice> <WebLogicServer> <STG-DS11> <AdminServer> <main> <<WLS Kernel>> <> <21524a931a3e4d99:45f2a2df:12b7b1fb09c:-8000-0000000000000003> <1286260896843> <BEA-000365> <Server state changed to RUNNING>
    ####<Oct 5, 2010 2:41:36 PM SGT> <Notice> <WebLogicServer> <STG-DS11> <AdminServer> <main> <<WLS Kernel>> <> <21524a931a3e4d99:45f2a2df:12b7b1fb09c:-8000-0000000000000003> <1286260896846> <BEA-000360> <Server started in RUNNING mode>
    ####<Oct 5, 2010 2:41:36 PM SGT> <Info> <J2EE> <STG-DS11> <AdminServer> <[STANDBY] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <21524a931a3e4d99:45f2a2df:12b7b1fb09c:-8000-0000000000000006> <1286260896848> <BEA-160151> <Registered library Extension-Name: bea_wls_async_response (JAR).>
    ####<Oct 5, 2010 2:41:37 PM SGT> <Info> <EJB> <STG-DS11> <AdminServer> <[STANDBY] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <21524a931a3e4d99:45f2a2df:12b7b1fb09c:-8000-0000000000000006> <1286260897879> <BEA-010008> <EJB Deploying file: mejb.jar>
    ####<Oct 5, 2010 2:41:39 PM SGT> <Info> <EJB> <STG-DS11> <AdminServer> <[STANDBY] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <21524a931a3e4d99:45f2a2df:12b7b1fb09c:-8000-0000000000000006> <1286260899932> <BEA-010009> <EJB Deployed EJB with JNDI name ejb.mgmt.MEJB.>
    ####<Oct 5, 2010 2:42:35 PM SGT> <Info> <Health> <STG-DS11> <AdminServer> <weblogic.GCMonitor> <<anonymous>> <> <21524a931a3e4d99:45f2a2df:12b7b1fb09c:-8000-000000000000000c> <1286260955961> <BEA-310002> <50% of the total memory in the server is free>
    ####<Oct 5, 2010 2:43:35 PM SGT> <Info> <Health> <STG-DS11> <AdminServer> <weblogic.GCMonitor> <<anonymous>> <> <21524a931a3e4d99:45f2a2df:12b7b1fb09c:-8000-000000000000000c> <1286261015987> <BEA-310002> <71% of the total memory in the server is free>
    ####<Oct 5, 2010 2:46:09 PM SGT> <Notice> <Security> <STG-DS11> <AdminServer> <ExecuteThread: '3' for queue: 'weblogic.socket.Muxer'> <<WLS Kernel>> <> <21524a931a3e4d99:45f2a2df:12b7b1fb09c:-8000-000000000000001b> <1286261169575> <BEA-090078> <User weblogic in security realm myrealm has had 5 invalid login attempts, locking account for 30 minutes.>
    ####<Oct 5, 2010 2:46:24 PM SGT> <Info> <Server> <STG-DS11> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <21524a931a3e4d99:45f2a2df:12b7b1fb09c:-8000-000000000000001d> <1286261184189> <BEA-002635> <The server "wls_ods1" connected to this server.>
    Thanks,
    Daniel

    User weblogic in security realm myrealm has had 5 invalid login attempts, locking account for 30 minutes.
    The customer knows the weblogic password?

  • Error Security BEA-090870 The realm "myrealm" failed to be loaded:

    Hi, I am setting up Identity Manager on centos 4.7 with weblogic 10.3. I've followed "Installation and Configuration Guide for BEA WebLogic Server Release 9.1.0.pdf" document. After increasing the memory and setting up the java option, it required post installation tasks. My weblogic domain was unable to start. Please see the error logs below. Thanks in advance.
    JAVA Memory arguments: -Xms256m -Xmx512m -XX:CompileThreshold=8000 -XX:PermSize=48m -XX:MaxPermSize=128m
    WLS Start Mode=Development
    CLASSPATH=:/u01/app/oracle/bea/patch_wlw1030/profiles/default/sys_manifest_classpath/weblogic_patch.jar:/u01/app/oracle/bea/patch_wls1030/profiles/default/sys_manifest_classpath/weblogic_patch.jar:/u01/app/oracle/bea/patch_cie660/profiles/default/sys_manifest_classpath/weblogic_patch.jar:/u01/app/oracle/bea/jdk160_05/lib/tools.jar:/u01/app/oracle/bea/wlserver_10.3/server/lib/weblogic_sp.jar:/u01/app/oracle/bea/wlserver_10.3/server/lib/weblogic.jar:/u01/app/oracle/bea/modules/features/weblogic.server.modules_10.3.0.0.jar:/u01/app/oracle/bea/wlserver_10.3/server/lib/webservices.jar:/u01/app/oracle/bea/modules/org.apache.ant_1.6.5/lib/ant-all.jar:/u01/app/oracle/bea/modules/net.sf.antcontrib_1.0.0.0_1-0b2/lib/ant-contrib.jar::/u01/app/oracle/bea/wlserver_10.3/common/eval/pointbase/lib/pbclient57.jar:/u01/app/oracle/bea/wlserver_10.3/server/lib/xqrl.jar::
    PATH=/u01/app/oracle/bea/wlserver_10.3/server/bin:/u01/app/oracle/bea/modules/org.apache.ant_1.6.5/bin:/u01/app/oracle/bea/jdk160_05/jre/bin:/u01/app/oracle/bea/jdk160_05/bin:/u01/app/oracle/product/10.2.0/db_1/bin:/usr/sbin:/usr/kerberos/bin:/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin
    * To start WebLogic Server, use a username and *
    * password assigned to an admin-level user. For *
    * server administration, use the WebLogic Server *
    * console at http://hostname:port/console *
    starting weblogic with Java version:
    java version "1.6.0_05"
    Java(TM) SE Runtime Environment (build 1.6.0_05-b13)
    Java HotSpot(TM) Client VM (build 10.0-b19, mixed mode)
    Starting WLS with line:
    /u01/app/oracle/bea/jdk160_05/bin/java -client -Xms256m -Xmx512m -XX:CompileThreshold=8000 -XX:PermSize=48m -XX:MaxPermSize=128m -Xverify:none -da -Dplatform.home=/u01/app/oracle/bea/wlserver_10.3 -Dwls.home=/u01/app/oracle/bea/wlserver_10.3/server -Dweblogic.home=/u01/app/oracle/bea/wlserver_10.3/server -Dweblogic.management.discover=true -Dwlw.iterativeDev= -Dwlw.testConsole= -Dwlw.logErrorsToConsole= -Dweblogic.ext.dirs=/u01/app/oracle/bea/patch_wlw1030/profiles/default/sysext_manifest_classpath:/u01/app/oracle/bea/patch_wls1030/profiles/default/sysext_manifest_classpath:/u01/app/oracle/bea/patch_cie660/profiles/default/sysext_manifest_classpath -Dweblogic.Name=AdminServer -Djava.security.policy=/u01/app/oracle/bea/wlserver_10.3/server/lib/weblogic.policy weblogic.Server
    <May 25, 2009 2:23:51 PM PHT> <Notice> <WebLogicServer> <BEA-000395> <Following extensions directory contents added to the end of the classpath:
    /u01/app/oracle/bea/user_projects/domains/identitymanager/lib/log4j-1.2.8.jar:/u01/app/oracle/bea/user_projects/domains/identitymanager/lib/mbeantypes/XL10SecurityProviders.jar:/u01/app/oracle/bea/user_projects/domains/identitymanager/lib/nexaweb-common.jar>
    <May 25, 2009 2:23:51 PM PHT> <Info> <WebLogicServer> <BEA-000377> <Starting WebLogic Server with Java HotSpot(TM) Client VM Version 10.0-b19 from Sun Microsystems Inc.>
    <May 25, 2009 2:23:51 PM PHT> <Info> <Management> <BEA-141107> <Version: WebLogic Server 10.3 Fri Jul 25 16:30:05 EDT 2008 1137967 >
    <May 25, 2009 2:23:52 PM PHT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STARTING>
    <May 25, 2009 2:23:52 PM PHT> <Info> <WorkManager> <BEA-002900> <Initializing self-tuning thread pool>
    <May 25, 2009 2:23:52 PM PHT> <Notice> <Log Management> <BEA-170019> <The server log file /u01/app/oracle/bea/user_projects/domains/identitymanager/servers/AdminServer/logs/AdminServer.log is opened. All server side log events will be written to this file.>
    <May 25, 2009 2:23:58 PM PHT> <Error> <Security> <BEA-090870> <The realm "myrealm" failed to be loaded: weblogic.security.service.SecurityServiceException: java.lang.NoClassDefFoundError: com/thortech/util/logging/Logger.
    weblogic.security.service.SecurityServiceException: java.lang.NoClassDefFoundError: com/thortech/util/logging/Logger
    at weblogic.security.service.CSSWLSDelegateImpl.initializeServiceEngine(Unknown Source)
    at weblogic.security.service.CSSWLSDelegateImpl.initialize(Unknown Source)
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.InitializeServiceEngine(Unknown Source)
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initializeRealm(Unknown Source)
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.loadRealm(Unknown Source)
    Truncated. see log file for complete stacktrace
    java.lang.NoClassDefFoundError: com/thortech/util/logging/Logger
    at com.thortech.xl.security.wl.XellerateAuthenticationProviderImpl.<clinit>(XellerateAuthenticationProviderImpl.java:73)
    at java.lang.Class.forName0(Native Method)
    at java.lang.Class.forName(Class.java:247)
    at com.bea.common.security.internal.legacy.service.SecurityProviderImpl.init(SecurityProviderImpl.java:51)
    at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:363)
    Truncated. see log file for complete stacktrace
    java.lang.ClassNotFoundException: com.thortech.util.logging.Logger
    at java.net.URLClassLoader$1.run(URLClassLoader.java:200)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.net.URLClassLoader.findClass(URLClassLoader.java:188)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:306)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:251)
    Truncated. see log file for complete stacktrace
    >
    <May 25, 2009 2:23:58 PM PHT> <Notice> <Security> <BEA-090082> <Security initializing using security realm myrealm.>
    <May 25, 2009 2:23:58 PM PHT> <Critical> <WebLogicServer> <BEA-000362> <Server failed. Reason:
    There are 1 nested errors:
    weblogic.security.service.SecurityServiceRuntimeException: [Security:090399]Security Services Unavailable
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.doBootAuthorization(Unknown Source)
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(Unknown Source)
    at weblogic.security.service.SecurityServiceManager.initialize(Unknown Source)
    at weblogic.security.SecurityService.start(SecurityService.java:141)
    at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
    at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
    at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
    >
    <May 25, 2009 2:23:58 PM PHT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FAILED>
    <May 25, 2009 2:23:58 PM PHT> <Error> <WebLogicServer> <BEA-000383> <A critical service failed. The server will shut itself down>
    <May 25, 2009 2:23:58 PM PHT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FORCE_SHUTTING_DOWN>

    I had the same error while trying to start the WebLogic admin server for my IDM domain to allow me to configure OIM server and OIM Design Console on my Windows 7 box. What I did were the following steps.
    1. I changed to the IDM domain bin directory <MiddlewareHome>\user_projects\domains\idm1_domain\bin
    2. I ran the secureWeblogic.bat file as administrator
    3. I ran the setDomainEnv.cmd file as administrator
    4. I ran the setSOADomainEnv.cmd file as administrator
    5. Started my weblogic admin server and it worked.

  • SOA EM down after password change - OracleSystemUser is not a valid user principal in the current security realm

    Hello,
    I've got a SOA Suite development environment set up and whilst trying to change the weblogic password using this tutorial a problem arose with my soa managed server.
    Firstly I was unable to start the Managed SOA server due to mismatching passwords, and after I modified the boot.properties file, now I can't start the usermessagingserver and soa_infra applications due to the following error:
    Error 1
    Getting weblogic deployment manager.
    Got weblogic deployment manager.
    Invoking Start Up operation.
    Start Up operation for application usermessagingserver on target soa_server1 RUNNING.
    Start Up operation for application usermessagingserver on target soa_server1 FAILED.
    weblogic.application.ModuleException: Exception preparing module: EJBModule(sdpmessagingclient-ejb-parlayx.jar)
    Unable to deploy EJB: MessagingClientParlayX from sdpmessagingclient-ejb-parlayx.jar:
    The run-as security principal, 'OracleSystemUser', chosen for the EJB 'MessagingClientParlayX(Application: usermessagingserver, EJBComponent: sdpmessagingclient-ejb-parlayx.jar)' is not a valid user principal in the current security realm. Please specify a valid user principal for the EJB to use.
    Getting weblogic deployment manager.
    Got weblogic deployment manager.
    Invoking Start Up operation.
    Start Up operation for application soa-infra on target soa_server1 RUNNING.
    Start Up operation for application soa-infra on target soa_server1 FAILED.
    weblogic.application.ModuleException: Exception preparing module: EJBModule(hw_services_wls_ejb.jar)
    Unable to deploy EJB: ASNSInteraction from hw_services_wls_ejb.jar:
    The run-as security principal, 'OracleSystemUser', chosen for the EJB 'ASNSInteraction(Application: soa-infra, EJBComponent: hw_services_wls_ejb.jar)' is not a valid user principal in the current security realm. Please specify a valid user principal for the EJB to use.
    I've checked both weblogic and OracleSystemUser users and their groups are (respectively) Administrators and OracleSystemGroup.
    I've searched for an answer to this problem and found this other support article but couldn't resolve the issue.
    The weblogic server version is 10.3.2.0 and it's running on RedHat Linux.

    @Sri_Sonti
    In the Admin Console, I can see both users in the security realm with the following configs:
    weblogic:
    all attributes with the "value" column blank
    groups: Administrators
    OracleSystemUser:
    all attributes with the "value" column blank
    groups: OracleSystemGroup
    Also I have not found the system-jazn-data.xml file you mentioned. In that folder there's only a readme.txt file.
    Best Regards,
    luismcs

  • RDBMS Security realm 6.1-8.1 migration

    I am trying to migrate a RDBMS security realm from WLS6.1 to WLS8.1.
    Having followed the instructions in http://e-docs.bea.com/wls/docs81/upgrade/upgrade6xto81.html#1066711
    I am now able to boot WLS8.1 and see encouraging signs such as the 'Compatibility
    Security' node appearing in the left-hand console pane. The contents of the Users
    and Groups nodes visible under this node look correct (ie as defined in the underlying
    database).
    However, to get to this point I had to initially hardwire the values for the database
    driver, url, user and password as these were null when obtained from the associated
    RDBMSRealmMBean object, causing the server to fail to start. This enabled me
    to bootstrap the process so that I could use the console to enter these values
    on the Database tab for the Realm I had defined for Compatibility Security. I
    see no mention of this step in the instructions referred to above and therefore
    missed out this vital step.
    When WLS8.1 starts it displays:
    <date&time> <Notice> <Security> <BEA-090082> <Security initializing using security
    realm myrealm.>
    myrealm is a Realm listed under Security but I would have expected the realm to
    be the specially-defined realm associated with Compatibility Security. So, question
    number 1 - does this output from WLS indicate that it is using the Compatibility
    Security realm or the default realm?
    Although the console displays the expected set of users and groups, my application
    is failing to associate a user with a 'role' - the Groups node shows that user
    U is in group G but when the application invokes the SessionContext method isCallerInRole(String
    role) where the caller is U and the role is G the result of the invocation is
    false. Question number 2 - why does this not return true in this case?
    Note, this code (that I have inherited) worked fine in WLS6.1 and the only significant
    change I needed to make for WLS8.1 is in the wrapper classes, in particular the
    code to get the required RDBMSRealmMBean. Having now successfully got hold of
    this object I would have expected the rest of the code to work fine (ok, 'expected'
    is a bit optimistic - but I'm not aware that there are any functional differences
    beyond obtaining the RDBMSRealmMBean object).
    Many thanks in advance for any assistance with this.
    David

    Mehrshad
    I wasn't involved in the original WL6.1 code development but this is based on
    the example code that BEA provide with the WLS6.1 installation - it should therefore
    be visible at ~bea/wlserver6.1/samples/examples/security/rdbmsrealm
    HTH
    David
    "Mehrshad Setayesh" <[email protected]> wrote:
    >
    David:
    I am trying to do the same thing and can not find which RealmClassName
    to use
    in 8.1. In our previous version, 6.1, I was using com.bea.wlpi.rdbmsrealm.RDBMSRealm.
    What is the mapping
    Java class in 8.1? Thanks.
    Regards
    Mehrshad

  • Security realms - provider - LDAP (OID) - error: autentication denied

    I followed the link http://www.oracle.com/technology/products/jdev/tips/fnimphius/oidconfig/index.html to configure OID authentication in WebLogic Server. I am able to see all the OID users in the security realm (users and groups page). I changed the control flag to SUFFICIENT. However, I still could not log in as orcladmin. I got "The username and password has been refused by WebLogic Server". Could someone assist further on troubleshooting this issue?

    I had a cheat sheet that got me through this topic which seems to have disappeared since Oracle has taken over BEA... maybe someone can help us find it again (or a similar reference) but this was the old link:
    Link: [https://support.bea.com/application_content/product_portlets/support_patterns/wls/UnderstandingLDAPGroupMembershipSearchPattern.html]
    In short, there are three patterns for authentication that are recognized as the de facto standards for implementation and your directory structure must conform to one of these three patterns in order for the authentication schemes to work. You have not provided enough information in your post for me to say whether or not you have met the criteria. If you can find these three patterns, you can determine if you meet them. If you fail, you will need to write a custom security authentication module (documented in the WebLogic documentation somewhere) to enable WL to use your setup.
    Hope it gets you in the right direction at least....
    Keith

  • BEA public API (WLS6.1) for programmatically updating default security realm?

    Hi,
    Does anyone know how to use BEA's public API to programmatically add/update WLS
    6.1 user credentials in the default security realm? The API would of course
    automatically persist the updates to $WLS/config/mydomain/fileRealm.properties.
    Is there a way to do such updates by programmatically engaging the WLS security
    realm related Mbeans? I basically need to do (from a deployed application component)
    what is easily done from the WLS Console's [security->User->Add User/Change
    Password] screen. Ideally, I could use the same API that the weblogic.security.acl.internal.FileRealm
    command line utility (or wlshell also) uses to make updates. But I doubt that
    the classes used by these tools are in BEA's public API for WLS 6.1. Especially
    important to me would be the BEA API mechanism that takes a clear-text password
    and hashes it to the encrypted format written in fileRealm.properties (and synchronized
    w/ SerializedSystemIni.dat). Ultimately, I am trying to replicate a large
    Oracle table of (*user, clear-text -password, group) records into the default
    WLS security realm. Thanks for any insights.
    Ben

    Thanks to another's post, I have found the answer to my problem in the Girdley/Woollen/Emerson
    book "J2EE Applications and BEA WebLogic Server" pp. 496-498:
    Note: this code segment is for WLS 6.1 and this API is said to be deprecated
    in WLS 7+
    // Roughly outlined, assuming session w/ userName, groupName, password Strings in HTTP Post request
    weblogic.security.acl.CachingRealm realm =
        (weblogic.security.acl.CachingRealm) weblogic.security.acl.Security.getRealm();
    weblogic.security.acl.User u;
    weblogic.security.acl.Group g;
    u = realm.newUser(userName, password, null);
    // use g = realm.newGroup(groupName) if groupName does not exist in realm
    g = realm.getGroup(groupName);
    g.addMember(u);
    // log in the new user
    int rc = weblogic.servlet.security.ServletAuthentication.weak(userName, password, httpSession);
    // use realm.deleteUser(u), realm.deleteGroup(g) as appropriate, etc.

  • Proper security realm for ecommerce user

    I would like to use J2EE security on our ecommerce site (isUserInRole, getUserPrincipal,
    web.xml declarative functionality to protect resources), but my problem is not
    knowing what security realm to use to manage the user. The site has thousands
    of users and they need the ability to create an account which will determine their
    "role" based on what membership fee they paid. After they have an account they
    can log in and have access to sections of the site that are permitted to them based
    on role. All the examples I've seen about WebLogic security are using LDAPs or
    their internal RDMS. How can I have WebLogic use our own database or is there
    a best practice to accomplish the task I need? Any information would be helpful!!

    It sounds like you have many users in your database, but not that many roles
    & policies.
    Probably you can use the DefaultRoleMapper and DefaultAuthorizer for your
    roles & policies.
    You need a database based authentication provider. Check out the sample
    dbms authentication provider on the dev2dev center:
    http://dev2dev.bea.com/codelibrary/code/sec_rdbms.jsp
    -tm

  • Adding a user to the File Security Realm

    Hello,
    When I attempt to add a new user to the file realm with Application Server->Security-Realms->file-> Manage Users, I get the error:
    A "com.sun.enterprise.tools.guiframework.exception.FrameworkError" was caught. The message from the exception: "Unable to get View for ViewDescriptor 'fileUsers'"
    The root cause is "java.lang.ArrayIndexOutOfBoundsException: 0"
    See the HTML source for more detailed (stack trace) information.
    When I look at the file C:\Sun\AppServer\domains\samples/config/keyfile I see the new user added, but the Admin Console is not happy...
    Please advise.
    -- POC

    There are some issues in admin gui for managing security service in beta.
    I have verified that this has been fixed in FCS branch.
    Since the user and password have been written to keyfile in your scenario, it may be OK.
    You can try to use the user. If this is not working, then restarting the server should work.
    Another way is to create user by using asadmin command. This is working fine in beta.

  • BEA WebLogic 8.1 server not booting after adding a security realm

    Hi,
    I have added my own security realm for BEA WebLogic Server 8.1.
    However, when I try to boot the server using this realm, it simply hangs. I cannot
    take thread dumps as the server java process does not respond to "kill -3 PID"
    (after the server has hung).
    When I looked at the server log file, I observed that the server had hung after
    initializing the IIOP subsystem.
    I have attached herewith the following 3 files:
    1. config.xml (the server config file after adding entry for my security realm)
    2. default_realm.log (the server log file when booted through the default realm)
    3. netpoint_realm.log (the server log file when booted through my realm).
    Is there any way, I can debug where the server is exactly hanging?
    Thanks and Regards,
    Abhinay
    [BEA_Files.zip]

    Is it the admin server or the managed server which is not starting?
    Mir

  • How to list all users present in Default Authenticator in WebLogic Security Realm

    Hi All,
    I need to get a list of all the users in my Weblogic server--> security realm--> Default Authenticator
    There are more than 1000 users present in my security realm for different Authentication Providers, so I cannot get these details from the WebLogic Admin Console.
    Can anyone please help me in getting this list of all users in Default Authenticator? Please let me know how can I get these details.
    My WebLogic version is 10.3.4.0
    Thanks in Advance!

    You can use JMX to list users
    http://weblogic-wonders.com/weblogic/2010/11/10/list-users-and-groups-in-weblogic-using-jmx/

  • Webcenter spaces user and group and WLS security realm

    I want to configure an external Oracle DB.
    I configured the security realm in WLS, and I can see the user and group list in the WLS page, but I can't find any of them in WebCenter Spaces,
    and I also cannot log in with those users.
    I added a user with WLS, and it works well.
    Do I need to do any other configuration?

    First you need to create an Administrator for this new identity store. The weblogic user is not identified now because it is not mapped by the first authenticator. See Oracle WebCenter Admin Guide, section 28.4.1.1 Granting the WebCenter Spaces Administrator Role Using Fusion Middleware Control. Once you have done this step, do the same steps for the other application users. For this you have to give an Application role to the other users so that they can log in and use WebCenter Spaces. See Oracle WebCenter Admin Guide, Section 28.4.2.1 Granting Application Roles Using Fusion Middleware Control.
    After doing above steps, restart WC_Spaces managed server.

  • Security realm - Security:097533 - Developing own authentication provider

    Hi everyone,
    I am developing my own authentication provider and I installed a security patch; while restarting the WebLogic server I encountered the below exception:
    <10/05/2013 05:54:33 PM COT> <Error> <Security> <BEA-090870> <The realm "myrealm" failed to be loaded: weblogic.security.service.SecurityServiceException: com.bea.common.engine.ServiceInitializationException: com.bea.common.engine.SecurityServiceRuntimeException: [Security:097533]SecurityProvider service class name for AS400Realm is not specified..
    weblogic.security.service.SecurityServiceException: com.bea.common.engine.ServiceInitializationException: com.bea.common.engine.SecurityServiceRuntimeException: [Security:097533]SecurityProvider service class name for AS400Realm is not specified.
    at weblogic.security.service.CSSWLSDelegateImpl.initializeServiceEngine(CSSWLSDelegateImpl.java:341)
    at weblogic.security.service.CSSWLSDelegateImpl.initialize(CSSWLSDelegateImpl.java:220)
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.InitializeServiceEngine(CommonSecurityServiceManagerDelegateImpl.java:1789)
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initializeRealm(CommonSecurityServiceManagerDelegateImpl.java:443)
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.loadRealm(CommonSecurityServiceManagerDelegateImpl.java:841)
    Truncated. see log file for complete stacktrace
    Caused By: com.bea.common.engine.ServiceInitializationException: com.bea.common.engine.SecurityServiceRuntimeException: [Security:097533]SecurityProvider service class name for AS400Realm is not specified.
    at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:365)
    at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:315)
    at com.bea.common.engine.internal.ServiceEngineImpl.lookupService(ServiceEngineImpl.java:257)
    at com.bea.common.engine.internal.ServicesImpl.getService(ServicesImpl.java:72)
    at weblogic.security.service.internal.WLSIdentityServiceImpl.initialize(WLSIdentityServiceImpl.java:46)
    Truncated. see log file for complete stacktrace
    Caused By: com.bea.common.engine.SecurityServiceRuntimeException: [Security:097533]SecurityProvider service class name for AS400Realm is not specified.
    at com.bea.common.security.internal.legacy.service.SecurityProviderImpl.init(SecurityProviderImpl.java:42)
    at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:363)
    at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:315)
    at com.bea.common.engine.internal.ServiceEngineImpl.lookupService(ServiceEngineImpl.java:257)
    at com.bea.common.engine.internal.ServicesImpl.getService(ServicesImpl.java:72)
    Truncated. see log file for complete stacktrace
    this is the config.xml :
    <domain xmlns="http://xmlns.oracle.com/weblogic/domain" xmlns:sec="http://xmlns.oracle.com/weblogic/security" xmlns:wls="http://xmlns.oracle.com/weblogic/security/wls" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/weblogic/security/xacml http://xmlns.oracle.com/weblogic/security/xacml/1.0/xacml.xsd http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator/1.0/passwordvalidator.xsd http://xmlns.oracle.com/weblogic/domain http://xmlns.oracle.com/weblogic/1.0/domain.xsd http://xmlns.oracle.com/weblogic/security http://xmlns.oracle.com/weblogic/1.0/security.xsd http://xmlns.oracle.com/weblogic/security/wls http://xmlns.oracle.com/weblogic/security/wls/1.0/wls.xsd http://xmlns.oracle.com/weblogic/security/extension http://xmlns.oracle.com/weblogic/1.0/security.xsd">
      <name>base_domain</name>
      <domain-version>12.1.1.0</domain-version>
      <security-configuration>
        <name>base_domain</name>
        <realm>
          <sec:authentication-provider xsi:type="wls:default-authenticatorType"></sec:authentication-provider>
          <sec:authentication-provider xsi:type="wls:default-identity-asserterType">
            <sec:active-type>AuthenticatedUser</sec:active-type>
          </sec:authentication-provider>
          <sec:authentication-provider xmlns:ext="http://xmlns.oracle.com/weblogic/security/extension" xsi:type="ext:as400-realmType">
            <sec:name>AS400Realm</sec:name>
            <sec:control-flag>OPTIONAL</sec:control-flag>
          </sec:authentication-provider>
          <sec:role-mapper xmlns:xac="http://xmlns.oracle.com/weblogic/security/xacml" xsi:type="xac:xacml-role-mapperType"></sec:role-mapper>
          <sec:authorizer xmlns:xac="http://xmlns.oracle.com/weblogic/security/xacml" xsi:type="xac:xacml-authorizerType"></sec:authorizer>
          <sec:adjudicator xsi:type="wls:default-adjudicatorType"></sec:adjudicator>
          <sec:credential-mapper xsi:type="wls:default-credential-mapperType"></sec:credential-mapper>
          <sec:cert-path-provider xsi:type="wls:web-logic-cert-path-providerType"></sec:cert-path-provider>
          <sec:cert-path-builder>WebLogicCertPathProvider</sec:cert-path-builder>
          <sec:user-lockout-manager>
            <sec:lockout-enabled>false</sec:lockout-enabled>
          </sec:user-lockout-manager>
          <sec:deploy-role-ignored>false</sec:deploy-role-ignored>
          <sec:deploy-policy-ignored>false</sec:deploy-policy-ignored>
          <sec:security-dd-model>DDOnly</sec:security-dd-model>
          <sec:name>myrealm</sec:name>
          <sec:password-validator xmlns:pas="http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator" xsi:type="pas:system-password-validatorType">
            <sec:name>SystemPasswordValidator</sec:name>
            <pas:min-password-length>8</pas:min-password-length>
            <pas:min-numeric-or-special-characters>1</pas:min-numeric-or-special-characters>
          </sec:password-validator>
        </realm>
        <default-realm>myrealm</default-realm>
        <credential-encrypted>{AES}kyVB/9J9Fbvp11tAnYgn6grV6wQwNZZGHSh2JLQtesxS46Re+QCfIAttNE5JugllQvUHOhE+pz0AnEfYL2p5q2oeRsjqoQz2/1Lg8x+3WMoKic0xnRzw2RWoFjQo3F9x</credential-encrypted>
        <node-manager-username>weblogic</node-manager-username>
        <node-manager-password-encrypted>{AES}4jkSbv5dMOl6cRpRa4QwB83XVavtq168cV4L+NSFDcI=</node-manager-password-encrypted>
        <cross-domain-security-enabled>true</cross-domain-security-enabled>
      </security-configuration>
      <server>
        <name>AdminServer</name>
        <listen-address>localhost</listen-address>
        <staging-mode>nostage</staging-mode>
      </server>
      <embedded-ldap>
        <name>base_domain</name>
        <credential-encrypted>{AES}9YeG1UFRNQzM0v6/j8cFvT9x9fkJUl1FJOWGInl5dax26FgMNEVwKNxOBHvW2opm</credential-encrypted>
      </embedded-ldap>
      <configuration-version>12.1.1.0</configuration-version>
    this is the mbean xml (A400Realmmbean.xml):
    <?xml version="1.0" ?>
    <!DOCTYPE MBeanType SYSTEM "commo.dtd">
    <MBeanType Name = "AS400Realm" DisplayName = "AS400Realm"
               Package = "co.com.claro.security"
               Extends = "weblogic.management.security.authentication.Authenticator"
               PersistPolicy = "OnUpdate"
    >
      <MbeanAttribute Name = "ProviderClassName" Type = "java.lang.String"
                      Writeable = "false"
                      Default = "&quot;co.com.claro.AS400Realm&quot;"
      />
      <MBeanAttribute Name = "Description" Type = "java.lang.String"
                      Writeable = "false" Default = "&quot;My Identity Assertion Provider&quot;"
      />
      <MBeanAttribute Name = "Version" Type = "java.lang.String"
                      Writeable = "false" Default = "&quot;1.0&quot;"
      />
    </MBeanType>
    and the runtime class:
    AS400Realm.java:
    /*
     * To change this template, choose Tools | Templates
     * and open the template in the editor.
     */
    package co.com.claro.security;

    import java.util.HashMap;
    import javax.security.auth.login.AppConfigurationEntry;
    import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
    import weblogic.management.security.ProviderMBean;
    import weblogic.security.provider.PrincipalValidatorImpl;
    import weblogic.security.spi.AuthenticationProviderV2;
    import weblogic.security.spi.IdentityAsserterV2;
    import weblogic.security.spi.PrincipalValidator;
    import weblogic.security.spi.SecurityServices;
    import weblogic.security.principal.WLSGroupImpl;
    import weblogic.security.principal.WLSUserImpl;

    public final class AS400Realm implements AuthenticationProviderV2 {
        private String description;
        // private SimpleSampleAuthenticatorDatabase database;
        private LoginModuleControlFlag controlFlag;
        // public String PARAM_JAAS_CONTEXT = "jaas-context";
        // public String PARAM_DATASOURCE_NAME = "jdbc/Oracle";
        // public String DEFAULT_GROUP_NAME = "default";

        // Called by the security framework with the provider's configuration MBean
        public void initialize(ProviderMBean mbean, SecurityServices services) {
            System.out.println("AS400Realm.initialize");
            AS400RealmMBean myMBean = (AS400RealmMBean) mbean;
            description = myMBean.getDescription() + "\n" + myMBean.getVersion();
            // database = new SimpleSampleAuthenticatorDatabase(myMBean);
            // Map the control flag configured for the provider to its JAAS equivalent
            String flag = myMBean.getControlFlag();
            if (flag.equalsIgnoreCase("REQUIRED")) {
                controlFlag = LoginModuleControlFlag.REQUIRED;
            } else if (flag.equalsIgnoreCase("OPTIONAL")) {
                controlFlag = LoginModuleControlFlag.OPTIONAL;
            } else if (flag.equalsIgnoreCase("REQUISITE")) {
                controlFlag = LoginModuleControlFlag.REQUISITE;
            } else if (flag.equalsIgnoreCase("SUFFICIENT")) {
                controlFlag = LoginModuleControlFlag.SUFFICIENT;
            } else {
                throw new IllegalArgumentException("invalid flag value " + flag);
            }
        }

        public String getDescription() {
            return description;
        }

        public void shutdown() {
            System.out.println("AS400Realm.shutdown");
        }

        // Builds the JAAS entry that points at the login module for this provider
        private AppConfigurationEntry getConfiguration(HashMap options) {
            options.put("PARAM_DATASOURCE_NAME", "jdbc/Oracle");
            return new AppConfigurationEntry(
                "co.com.claro.security.AS400LoginModule",
                controlFlag,
                options
            );
        }

        public AppConfigurationEntry getLoginModuleConfiguration() {
            HashMap options = new HashMap();
            return getConfiguration(options);
        }

        public AppConfigurationEntry getAssertionModuleConfiguration() {
            HashMap options = new HashMap();
            options.put("IdentityAssertion", "true");
            return getConfiguration(options);
        }

        public PrincipalValidator getPrincipalValidator() {
            return new PrincipalValidatorImpl();
        }

        public IdentityAsserterV2 getIdentityAsserter() {
            return null;
        }
    }
    AS400LoginModule.java :
    /*
     * To change this template, choose Tools | Templates
     * and open the template in the editor.
     */
    package co.com.claro.security;

    import com.ibm.as400.access.AS400;
    import java.io.IOException;
    import java.sql.Connection;
    import java.sql.PreparedStatement;
    import java.sql.ResultSet;
    import java.sql.SQLException;
    import java.util.Enumeration;
    import java.util.Map;
    import java.util.Vector;
    import java.util.logging.Level;
    import java.util.logging.Logger;
    import javax.naming.Context;
    import javax.naming.InitialContext;
    import javax.naming.NamingException;
    import javax.security.auth.Subject;
    import javax.security.auth.callback.Callback;
    import javax.security.auth.callback.CallbackHandler;
    import javax.security.auth.callback.NameCallback;
    import javax.security.auth.callback.PasswordCallback;
    import javax.security.auth.callback.UnsupportedCallbackException;
    import javax.security.auth.login.LoginException;
    import javax.security.auth.login.FailedLoginException;
    import javax.security.auth.spi.LoginModule;
    import javax.sql.DataSource;
    import weblogic.security.spi.WLSGroup;
    import weblogic.security.spi.WLSUser;
    import weblogic.security.principal.WLSGroupImpl;
    import weblogic.security.principal.WLSUserImpl;

    /**
     * @author dmunoz
     */
    final public class AS400LoginModule implements LoginModule {
        private Subject subject;
        private CallbackHandler callbackHandler;
        private String PARAM_DATASOURCE_NAME = "jdbc/Oracle";
        private String DEFAULT_GROUP_NAME = "default";
        // Determine whether this is a login or assert identity
        private boolean isIdentityAssertion;
        // Authentication status
        private boolean loginSucceeded;
        private boolean principalsInSubject;
        private Vector principalsForSubject = new Vector();

        public void initialize(Subject subject, CallbackHandler callbackHandler, Map sharedState, Map options) {
            // only called (once!) after the constructor and before login
            System.out.println("SimpleSampleLoginModuleImpl.initialize");
            this.subject = subject;
            this.callbackHandler = callbackHandler;
            // Check for Identity Assertion option
            isIdentityAssertion =
                "true".equalsIgnoreCase((String) options.get("IdentityAssertion"));
        }

        // Validates the user name and password against the AS/400 host
        private boolean authenticateAS400(String user, String passwd) throws Exception {
            String host = "172.31.2.80"; //Config.getProperty(Config.AS400_AUTHENTICATION_HOST);
            AS400 as400System;
            as400System = new AS400(host, user, passwd);
            return as400System.validateSignon();
        }

        public boolean login() throws LoginException {
            // only called (once!) after initialize
            System.out.println("SimpleSampleLoginModuleImpl.login");
            // loginSucceeded should be false
            // principalsInSubject should be false
            Callback[] callbacks = getCallbacks();
            String userName = getUserName(callbacks);
            if (userName.length() > 0) {
                if (!isIdentityAssertion) {
                    String passwordHave = getPasswordHave(userName, callbacks);
                    try {
                        loginSucceeded = authenticateAS400(userName, passwordHave);
                    } catch (Exception e) {
                        Logger.getLogger(AS400LoginModule.class.getName()).log(Level.WARNING, null, e);
                        throw new LoginException(e.getMessage());
                    }
                }
            } else {
                // anonymous login - let it through?
                System.out.println("\tempty userName");
            }
            if (loginSucceeded) {
                principalsForSubject.add(new WLSUserImpl(userName));
                addGroupsForSubject(userName);
            }
            return loginSucceeded;
        }

        public boolean commit() throws LoginException {
            // only called (once!) after login
            // loginSucceeded should be true or false
            // principalsInSubject should be false
            // user should be null if !loginSucceeded, null or not-null otherwise
            // group should be null if user == null, null or not-null otherwise
            System.out.println("SimpleSampleLoginModule.commit");
            if (loginSucceeded) {
                subject.getPrincipals().addAll(principalsForSubject);
                principalsInSubject = true;
                return true;
            } else {
                return false;
            }
        }

        public boolean abort() throws LoginException {
            // The abort method is called to abort the authentication process. This is
            // phase 2 of authentication when phase 1 fails. It is called if the
            // LoginContext's overall authentication failed.
            // loginSucceeded should be true or false
            // user should be null if !loginSucceeded, otherwise null or not-null
            // group should be null if user == null, otherwise null or not-null
            // principalsInSubject should be false if user is null, otherwise true
            // or false
            System.out.println("SimpleSampleLoginModule.abort");
            if (principalsInSubject) {
                subject.getPrincipals().removeAll(principalsForSubject);
                principalsInSubject = false;
            }
            return true;
        }

        public boolean logout() throws LoginException {
            // should never be called
            System.out.println("SimpleSampleLoginModule.logout");
            return true;
        }

        private void throwLoginException(String msg) throws LoginException {
            System.out.println("Throwing LoginException(" + msg + ")");
            throw new LoginException(msg);
        }

        private void throwFailedLoginException(String msg) throws FailedLoginException {
            System.out.println("Throwing FailedLoginException(" + msg + ")");
            throw new FailedLoginException(msg);
        }

        // Asks the container for the user name and, for a real login, the password
        private Callback[] getCallbacks() throws LoginException {
            if (callbackHandler == null) {
                throwLoginException("No CallbackHandler Specified");
            }
            Callback[] callbacks;
            if (isIdentityAssertion) {
                callbacks = new Callback[1];
            } else {
                callbacks = new Callback[2];
                callbacks[1] = new PasswordCallback("password: ", false);
            }
            callbacks[0] = new NameCallback("username: ");
            try {
                callbackHandler.handle(callbacks);
            } catch (IOException e) {
                throw new LoginException(e.toString());
            } catch (UnsupportedCallbackException e) {
                throwLoginException(e.toString() + " " + e.getCallback().toString());
            }
            return callbacks;
        }

        private String getUserName(Callback[] callbacks) throws LoginException {
            String userName = ((NameCallback) callbacks[0]).getName();
            if (userName == null) {
                throwLoginException("Username not supplied.");
            }
            System.out.println("\tuserName\t= " + userName);
            return userName;
        }

        private void addGroupsForSubject(String userName) {
            try {
                for (Enumeration e = getGroupNamesAS400(userName);
                        e.hasMoreElements();) {
                    String groupName = (String) e.nextElement();
                    System.out.println("\tgroupName\t= " + groupName);
                    principalsForSubject.add(new WLSGroupImpl(groupName));
                }
            } catch (Exception ex) {
                Logger.getLogger(AS400LoginModule.class.getName()).log(Level.SEVERE, null, ex);
            }
        }

        // Looks up the user's roles in the database; every user also gets the default group
        public Enumeration getGroupNamesAS400(String usuario)
                throws Exception {
            if (usuario == null) {
                throw new Exception("Usuario no puede ser vacio");
            }
            Vector<String> grupos = new Vector<String>();
            grupos.add(DEFAULT_GROUP_NAME);
            Connection conn = null;
            ResultSet rs = null;
            PreparedStatement statement = null;
            try {
                Context c = new InitialContext();
                DataSource dst = (DataSource) c.lookup(PARAM_DATASOURCE_NAME);
                conn = dst.getConnection();
                String query = "SELECT COD_ROL AS ROL " +
                    "FROM gestionnew.us_rol_perfil " +
                    "JOIN gestionnew.usuarios " +
                    "ON us_rol_perfil.id_perfil = usuarios.id_perfil " +
                    "WHERE upper(usuarios.usuariorr) = ?";
                statement = conn.prepareStatement(query);
                statement.setString(1, usuario.toUpperCase());
                rs = statement.executeQuery();
                while (rs.next()) {
                    grupos.add(rs.getString("ROL"));
                }
            } catch (SQLException ex) {
                Logger.getLogger(AS400LoginModule.class.getName()).log(Level.SEVERE, null, ex);
            } catch (NamingException ex) {
                Logger.getLogger(AS400LoginModule.class.getName()).log(Level.SEVERE, null, ex);
            } finally {
                // Release JDBC resources innermost first: result set, statement, connection
                if (rs != null) {
                    try {
                        rs.close();
                    } catch (SQLException ex) {
                        Logger.getLogger(AS400LoginModule.class.getName()).log(Level.SEVERE, null, ex);
                    }
                }
                if (statement != null) {
                    try {
                        statement.close();
                    } catch (SQLException ex) {
                        Logger.getLogger(AS400LoginModule.class.getName()).log(Level.SEVERE, null, ex);
                    }
                }
                if (conn != null) {
                    try {
                        conn.close();
                    } catch (SQLException ex) {
                        Logger.getLogger(AS400LoginModule.class.getName()).log(Level.SEVERE, null, ex);
                    }
                }
            }
            return grupos.elements();
        }

        private String getPasswordHave(String userName, Callback[] callbacks) throws
                LoginException {
            PasswordCallback passwordCallback = (PasswordCallback) callbacks[1];
            char[] password = passwordCallback.getPassword();
            passwordCallback.clearPassword();
            if (password == null || password.length < 1) {
                throwLoginException("Authentication Failed: User " + userName +
                    ". Password not supplied");
            }
            String passwd = new String(password);
            // The clear-text password is not written to stdout: the server log must not hold credentials
            return passwd;
        }
    }
    thanks
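
A consistency check over the files in the post above, as an added example that is not part of the original post: it parses the posted MDF and compares its `ProviderClassName` default with the package and class name of the posted provider source. The function names and finding codes are made up for this example; it assumes the MDF element name is case-sensitive (as XML element names are) and that `ProviderClassName` must hold the provider's fully qualified class name.

```python
import re
import xml.etree.ElementTree as ET

# MDF as posted above, embedded verbatim (including the "MbeanAttribute" spelling).
POSTED_MDF = '''<?xml version="1.0" ?>
<!DOCTYPE MBeanType SYSTEM "commo.dtd">
<MBeanType Name = "AS400Realm" DisplayName = "AS400Realm"
Package = "co.com.claro.security"
Extends = "weblogic.management.security.authentication.Authenticator"
PersistPolicy = "OnUpdate"
>
<MbeanAttribute Name = "ProviderClassName" Type = "java.lang.String"
Writeable = "false"
Default =
"&quot;co.com.claro.AS400Realm&quot;"
/>
<MBeanAttribute Name = "Description" Type = "java.lang.String"
Writeable = "false" Default = "&quot;My Identity Assertion Provider&quot;"
/>
<MBeanAttribute Name = "Version" Type = "java.lang.String"
Writeable = "false" Default = "&quot;1.0&quot;"
/>
</MBeanType>'''

# The two lines of the posted AS400Realm.java that determine its qualified name.
POSTED_JAVA = '''package co.com.claro.security;
public final class AS400Realm implements AuthenticationProviderV2'''


def java_fqcn(source):
    """Return the fully qualified class name declared in a Java source text."""
    cls = re.search(r'\bclass\s+(\w+)', source)
    if cls is None:
        raise ValueError("no class declaration found")
    pkg = re.search(r'^\s*package\s+([\w.]+)\s*;', source, re.MULTILINE)
    return f"{pkg.group(1)}.{cls.group(1)}" if pkg else cls.group(1)


def check_mdf(mdf_xml, provider_source):
    """Return a list of (code, message) findings; an empty list means consistent."""
    findings = []
    root = ET.fromstring(mdf_xml)      # the external commo.dtd is not fetched
    expected = java_fqcn(provider_source)
    provider_value = None

    for child in root:
        if child.tag.lower() != "mbeanattribute":
            continue                    # other MDF elements are not checked here
        name = child.get("Name")
        if child.tag != "MBeanAttribute":
            findings.append((
                "ELEMENT_CASE",
                f"attribute {name!r} is declared with <{child.tag}>, "
                "not <MBeanAttribute>",
            ))
        if name == "ProviderClassName":
            # Defaults are written as &quot;value&quot;, so strip the quotes.
            provider_value = (child.get("Default") or "").strip().strip('"')

    if provider_value is None:
        findings.append(("NO_PROVIDER_CLASS",
                         "no ProviderClassName attribute is declared"))
    elif provider_value != expected:
        findings.append((
            "CLASS_MISMATCH",
            f"ProviderClassName default is {provider_value!r} "
            f"but the provider source declares {expected!r}",
        ))
    return findings


if __name__ == "__main__":
    for code, message in check_mdf(POSTED_MDF, POSTED_JAVA):
        print(f"{code}: {message}")
```

Run against the posted files, it reports both the `MbeanAttribute` spelling and the `co.com.claro.AS400Realm` value, either of which is worth ruling out before looking further into the `Security:097533` message.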

    hi everyone,
    i Developing own authentication provider and i installed a security patch, so while i restarting the weblogic server  encountered the below Exeption:
    <10/05/2013 05:54:33 PM COT> <Error> <Security> <BEA-090870> <The realm "myrealm" failed to be loaded: weblogic.security.service.SecurityServiceException: com.bea.common.engine.ServiceInitializationException: com.bea.common.engine.SecurityServiceRuntimeException: [Security:097533]SecurityProvider service class name for AS400Realm is not specified..
    weblogic.security.service.SecurityServiceException: com.bea.common.engine.ServiceInitializationException: com.bea.common.engine.SecurityServiceRuntimeException: [Security:097533]SecurityProvider service class name for AS400Realm is not specified.
    at weblogic.security.service.CSSWLSDelegateImpl.initializeServiceEngine(CSSWLSDelegateImpl.java:341)
    at weblogic.security.service.CSSWLSDelegateImpl.initialize(CSSWLSDelegateImpl.java:220)
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.InitializeServiceEngine(CommonSecurityServiceManagerDelegateImpl.java:1789)
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initializeRealm(CommonSecurityServiceManagerDelegateImpl.java:443)
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.loadRealm(CommonSecurityServiceManagerDelegateImpl.java:841)
    Truncated. see log file for complete stacktrace
    Caused By: com.bea.common.engine.ServiceInitializationException: com.bea.common.engine.SecurityServiceRuntimeException: [Security:097533]SecurityProvider service class name for AS400Realm is not specified.
    at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:365)
    at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:315)
    at com.bea.common.engine.internal.ServiceEngineImpl.lookupService(ServiceEngineImpl.java:257)
    at com.bea.common.engine.internal.ServicesImpl.getService(ServicesImpl.java:72)
    at weblogic.security.service.internal.WLSIdentityServiceImpl.initialize(WLSIdentityServiceImpl.java:46)
    Truncated. see log file for complete stacktrace
    Caused By: com.bea.common.engine.SecurityServiceRuntimeException: [Security:097533]SecurityProvider service class name for AS400Realm is not specified.
    at com.bea.common.security.internal.legacy.service.SecurityProviderImpl.init(SecurityProviderImpl.java:42)
    at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:363)
    at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:315)
    at com.bea.common.engine.internal.ServiceEngineImpl.lookupService(ServiceEngineImpl.java:257)
    at com.bea.common.engine.internal.ServicesImpl.getService(ServicesImpl.java:72)
    Truncated. see log file for complete stacktrace
    this is the config.xml :
    <domain xmlns="http://xmlns.oracle.com/weblogic/domain" xmlns:sec="http://xmlns.oracle.com/weblogic/security" xmlns:wls="http://xmlns.oracle.com/weblogic/security/wls" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/weblogic/security/xacml http://xmlns.oracle.com/weblogic/security/xacml/1.0/xacml.xsd http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator/1.0/passwordvalidator.xsd http://xmlns.oracle.com/weblogic/domain http://xmlns.oracle.com/weblogic/1.0/domain.xsd http://xmlns.oracle.com/weblogic/security http://xmlns.oracle.com/weblogic/1.0/security.xsd http://xmlns.oracle.com/weblogic/security/wls http://xmlns.oracle.com/weblogic/security/wls/1.0/wls.xsd http://xmlns.oracle.com/weblogic/security/extension http://xmlns.oracle.com/weblogic/1.0/security.xsd">
    <name>base_domain</name>
    <domain-version>12.1.1.0</domain-version>
    <security-configuration>
    <name>base_domain</name>
    <realm>
    <sec:authentication-provider xsi:type="wls:default-authenticatorType"></sec:authentication-provider>
    <sec:authentication-provider xsi:type="wls:default-identity-asserterType">
    <sec:active-type>AuthenticatedUser</sec:active-type>
    </sec:authentication-provider>
    <sec:authentication-provider xmlns:ext="http://xmlns.oracle.com/weblogic/security/extension" xsi:type="ext:as400-realmType">
    <sec:name>AS400Realm</sec:name>
    <sec:control-flag>OPTIONAL</sec:control-flag>
    </sec:authentication-provider>
    <sec:role-mapper xmlns:xac="http://xmlns.oracle.com/weblogic/security/xacml" xsi:type="xac:xacml-role-mapperType"></sec:role-mapper>
    <sec:authorizer xmlns:xac="http://xmlns.oracle.com/weblogic/security/xacml" xsi:type="xac:xacml-authorizerType"></sec:authorizer>
    <sec:adjudicator xsi:type="wls:default-adjudicatorType"></sec:adjudicator>
    <sec:credential-mapper xsi:type="wls:default-credential-mapperType"></sec:credential-mapper>
    <sec:cert-path-provider xsi:type="wls:web-logic-cert-path-providerType"></sec:cert-path-provider>
    <sec:cert-path-builder>WebLogicCertPathProvider</sec:cert-path-builder>
    <sec:user-lockout-manager>
    <sec:lockout-enabled>false</sec:lockout-enabled>
    </sec:user-lockout-manager>
    <sec:deploy-role-ignored>false</sec:deploy-role-ignored>
    <sec:deploy-policy-ignored>false</sec:deploy-policy-ignored>
    <sec:security-dd-model>DDOnly</sec:security-dd-model>
    <sec:name>myrealm</sec:name>
    <sec:password-validator xmlns:pas="http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator" xsi:type="pas:system-password-validatorType">
    <sec:name>SystemPasswordValidator</sec:name>
    <pas:min-password-length>8</pas:min-password-length>
    <pas:min-numeric-or-special-characters>1</pas:min-numeric-or-special-characters>
    </sec:password-validator>
    </realm>
    <default-realm>myrealm</default-realm>
    <credential-encrypted>{AES}kyVB/9J9Fbvp11tAnYgn6grV6wQwNZZGHSh2JLQtesxS46Re+QCfIAttNE5JugllQvUHOhE+pz0AnEfYL2p5q2oeRsjqoQz2/1Lg8x+3WMoKic0xnRzw2RWoFjQo3F9x</credential-encrypted>
    <node-manager-username>weblogic</node-manager-username>
    <node-manager-password-encrypted>{AES}4jkSbv5dMOl6cRpRa4QwB83XVavtq168cV4L+NSFDcI=</node-manager-password-encrypted>
    <cross-domain-security-enabled>true</cross-domain-security-enabled>
    </security-configuration>
    <server>
    <name>AdminServer</name>
    <listen-address>localhost</listen-address>
    <staging-mode>nostage</staging-mode>
    </server>
    <embedded-ldap>
    <name>base_domain</name>
    <credential-encrypted>{AES}9YeG1UFRNQzM0v6/j8cFvT9x9fkJUl1FJOWGInl5dax26FgMNEVwKNxOBHvW2opm</credential-encrypted>
    </embedded-ldap>
    <configuration-version>12.1.1.0</configuration-version>
    this is the mbean xml (A400Realmmbean.xml):
    <?xml version="1.0" ?>
    <!DOCTYPE MBeanType SYSTEM "commo.dtd">
    <MBeanType Name = "AS400Realm" DisplayName = "AS400Realm"
    Package = "co.com.claro.security"
    Extends = "weblogic.management.security.authentication.Authenticator"
    PersistPolicy = "OnUpdate"
    >
    <MbeanAttribute Name = "ProviderClassName" Type = "java.lang.String"
    Writeable = "false"
    Default =
    "&quot;co.com.claro.AS400Realm&quot;"
    />
    <MBeanAttribute Name = "Description" Type = "java.lang.String"
    Writeable = "false" Default = "&quot;My Identity Assertion Provider&quot;"
    />
    <MBeanAttribute Name = "Version" Type = "java.lang.String"
    Writeable = "false" Default = "&quot;1.0&quot;"
    />
    </MBeanType>
    and the runtime class:
    AS400Realm.java:
    * To change this template, choose Tools | Templates
    * and open the template in the editor.
    package co.com.claro.security;
    import java.util.HashMap;
    import javax.security.auth.login.AppConfigurationEntry;
    import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
    import weblogic.management.security.ProviderMBean;
    import weblogic.security.provider.PrincipalValidatorImpl;
    import weblogic.security.spi.AuthenticationProviderV2;
    import weblogic.security.spi.IdentityAsserterV2;
    import weblogic.security.spi.PrincipalValidator;
    import weblogic.security.spi.SecurityServices;
    import weblogic.security.principal.WLSGroupImpl;
    import weblogic.security.principal.WLSUserImpl;
    public final class AS400Realm implements AuthenticationProviderV2
    private String description;
    // private SimpleSampleAuthenticatorDatabase database;
    private LoginModuleControlFlag controlFlag;
    // public String PARAM_JAAS_CONTEXT = "jaas-context";
    // public String PARAM_DATASOURCE_NAME = "jdbc/Oracle";
    // public String DEFAULT_GROUP_NAME = "default";
    public void initialize(ProviderMBean mbean, SecurityServices services)
    System.out.println("AS400Realm.initialize");
    AS400RealmMBean myMBean = (AS400RealmMBean)mbean;
    description = myMBean.getDescription() + "\n" + myMBean.getVersion();
    // database = new SimpleSampleAuthenticatorDatabase(myMBean);
    String flag = myMBean.getControlFlag();
    if (flag.equalsIgnoreCase("REQUIRED")) {
    controlFlag = LoginModuleControlFlag.REQUIRED;
    } else if (flag.equalsIgnoreCase("OPTIONAL")) {
    controlFlag = LoginModuleControlFlag.OPTIONAL;
    } else if (flag.equalsIgnoreCase("REQUISITE")) {
    controlFlag = LoginModuleControlFlag.REQUISITE;
    } else if (flag.equalsIgnoreCase("SUFFICIENT")) {
    controlFlag = LoginModuleControlFlag.SUFFICIENT;
    } else {
    throw new IllegalArgumentException("invalid flag value" + flag);
    public String getDescription()
    return description;
    public void shutdown()
    System.out.println("AS400Realm.shutdown");
    private AppConfigurationEntry getConfiguration(HashMap options)
    options.put("PARAM_DATASOURCE_NAME", "jdbc/Oracle");
    return new
    AppConfigurationEntry(
    "co.com.claro.security.AS400LoginModule",
    controlFlag,
    options
    public AppConfigurationEntry getLoginModuleConfiguration()
    HashMap options = new HashMap();
    return getConfiguration(options);
    public AppConfigurationEntry getAssertionModuleConfiguration()
    HashMap options = new HashMap();
    options.put("IdentityAssertion","true");
    return getConfiguration(options);
    public PrincipalValidator getPrincipalValidator()
    return new PrincipalValidatorImpl();
    public IdentityAsserterV2 getIdentityAsserter()
    return null;
    AS400LoginModule.java :

    /*
     * To change this template, choose Tools | Templates
     * and open the template in the editor.
     */
    package co.com.claro.security;

    import com.ibm.as400.access.AS400;
    import java.io.IOException;
    import java.sql.Connection;
    import java.sql.PreparedStatement;
    import java.sql.ResultSet;
    import java.sql.SQLException;
    import java.util.Enumeration;
    import java.util.Map;
    import java.util.Vector;
    import java.util.logging.Level;
    import java.util.logging.Logger;
    import javax.naming.Context;
    import javax.naming.InitialContext;
    import javax.naming.NamingException;
    import javax.security.auth.Subject;
    import javax.security.auth.callback.Callback;
    import javax.security.auth.callback.CallbackHandler;
    import javax.security.auth.callback.NameCallback;
    import javax.security.auth.callback.PasswordCallback;
    import javax.security.auth.callback.UnsupportedCallbackException;
    import javax.security.auth.login.LoginException;
    import javax.security.auth.login.FailedLoginException;
    import javax.security.auth.spi.LoginModule;
    import javax.sql.DataSource;
    import weblogic.security.spi.WLSGroup;
    import weblogic.security.spi.WLSUser;
    import weblogic.security.principal.WLSGroupImpl;
    import weblogic.security.principal.WLSUserImpl;

    /**
     * @author dmunoz
     */
    final public class AS400LoginModule implements LoginModule {
        private Subject subject;
        private CallbackHandler callbackHandler;
        private String PARAM_DATASOURCE_NAME = "jdbc/Oracle";
        private String DEFAULT_GROUP_NAME = "default";
        // Determine whether this is a login or assert identity
        private boolean isIdentityAssertion;
        // Authentication status
        private boolean loginSucceeded;
        private boolean principalsInSubject;
        private Vector principalsForSubject = new Vector();

        public void initialize(Subject subject, CallbackHandler callbackHandler, Map sharedState, Map options) {
            // only called (once!) after the constructor and before login
            System.out.println("SimpleSampleLoginModuleImpl.initialize");
            this.subject = subject;
            this.callbackHandler = callbackHandler;
            // Check for Identity Assertion option
            isIdentityAssertion =
                "true".equalsIgnoreCase((String) options.get("IdentityAssertion"));
        }

        private boolean authenticateAS400(String user, String passwd) throws Exception {
            String host = "172.31.2.80"; // Config.getProperty(Config.AS400_AUTHENTICATION_HOST);
            AS400 as400System;
            as400System = new AS400(host, user, passwd);
            return as400System.validateSignon();
        }

        public boolean login() throws LoginException {
            // only called (once!) after initialize
            System.out.println("SimpleSampleLoginModuleImpl.login");
            // loginSucceeded should be false
            // principalsInSubject should be false
            Callback[] callbacks = getCallbacks();
            String userName = getUserName(callbacks);
            if (userName.length() > 0) {
                if (!isIdentityAssertion) {
                    String passwordHave = getPasswordHave(userName, callbacks);
                    try {
                        loginSucceeded = authenticateAS400(userName, passwordHave);
                    } catch (Exception e) {
                        Logger.getLogger(AS400LoginModule.class.getName()).log(Level.WARNING, null, e);
                        throw new LoginException(e.getMessage());
                    }
                }
            } else {
                // anonymous login - let it through?
                System.out.println("\tempty userName");
            }
            if (loginSucceeded) {
                principalsForSubject.add(new WLSUserImpl(userName));
                addGroupsForSubject(userName);
            }
            return loginSucceeded;
        }

        public boolean commit() throws LoginException {
            // only called (once!) after login
            // loginSucceeded should be true or false
            // principalsInSubject should be false
            // user should be null if !loginSucceeded, null or not-null otherwise
            // group should be null if user == null, null or not-null otherwise
            System.out.println("SimpleSampleLoginModule.commit");
            if (loginSucceeded) {
                subject.getPrincipals().addAll(principalsForSubject);
                principalsInSubject = true;
                return true;
            } else {
                return false;
            }
        }

        public boolean abort() throws LoginException {
            // The abort method is called to abort the authentication process. This is
            // phase 2 of authentication when phase 1 fails. It is called if the
            // LoginContext's overall authentication failed.
            // loginSucceeded should be true or false
            // user should be null if !loginSucceeded, otherwise null or not-null
            // group should be null if user == null, otherwise null or not-null
            // principalsInSubject should be false if user is null, otherwise true
            // or false
            System.out.println("SimpleSampleLoginModule.abort");
            if (principalsInSubject) {
                subject.getPrincipals().removeAll(principalsForSubject);
                principalsInSubject = false;
            }
            return true;
        }

        public boolean logout() throws LoginException {
            // should never be called
            System.out.println("SimpleSampleLoginModule.logout");
            return true;
        }

        private void throwLoginException(String msg) throws LoginException {
            System.out.println("Throwing LoginException(" + msg + ")");
            throw new LoginException(msg);
        }

        private void throwFailedLoginException(String msg) throws FailedLoginException {
            System.out.println("Throwing FailedLoginException(" + msg + ")");
            throw new FailedLoginException(msg);
        }

        private Callback[] getCallbacks() throws LoginException {
            if (callbackHandler == null) {
                throwLoginException("No CallbackHandler Specified");
            }
            Callback[] callbacks;
            if (isIdentityAssertion) {
                callbacks = new Callback[1];
            } else {
                callbacks = new Callback[2];
                callbacks[1] = new PasswordCallback("password: ", false);
            }
            callbacks[0] = new NameCallback("username: ");
            try {
                callbackHandler.handle(callbacks);
            } catch (IOException e) {
                throw new LoginException(e.toString());
            } catch (UnsupportedCallbackException e) {
                throwLoginException(e.toString() + " " + e.getCallback().toString());
            }
            return callbacks;
        }

        private String getUserName(Callback[] callbacks) throws LoginException {
            String userName = ((NameCallback) callbacks[0]).getName();
            if (userName == null) {
                throwLoginException("Username not supplied.");
            }
            System.out.println("\tuserName\t= " + userName);
            return userName;
        }

        private void addGroupsForSubject(String userName) {
            try {
                for (Enumeration e = getGroupNamesAS400(userName);
                        e.hasMoreElements();) {
                    String groupName = (String) e.nextElement();
                    System.out.println("\tgroupName\t= " + groupName);
                    principalsForSubject.add(new WLSGroupImpl(groupName));
                }
            } catch (Exception ex) {
                Logger.getLogger(AS400LoginModule.class.getName()).log(Level.SEVERE, null, ex);
            }
        }

        public Enumeration getGroupNamesAS400(String usuario)
                throws Exception {
            if (usuario == null) {
                throw new Exception("Usuario no puede ser vacio");
            }
            Vector<String> grupos = new Vector<String>();
            grupos.add(DEFAULT_GROUP_NAME);
            Connection conn = null;
            ResultSet rs = null;
            PreparedStatement statement = null;
            try {
                Context c = new InitialContext();
                DataSource dst = (DataSource) c.lookup(PARAM_DATASOURCE_NAME);
                conn = dst.getConnection();
                // Parameterized query: the user name is bound, never concatenated
                String query = "SELECT COD_ROL AS ROL " +
                        "FROM gestionnew.us_rol_perfil " +
                        "JOIN gestionnew.usuarios " +
                        "ON us_rol_perfil.id_perfil = usuarios.id_perfil " +
                        "WHERE upper(usuarios.usuariorr) = ?";
                statement = conn.prepareStatement(query);
                statement.setString(1, usuario.toUpperCase());
                rs = statement.executeQuery();
                while (rs.next()) {
                    grupos.add(rs.getString("ROL"));
                }
            } catch (SQLException ex) {
                Logger.getLogger(AS400LoginModule.class.getName()).log(Level.SEVERE, null, ex);
            } catch (NamingException ex) {
                Logger.getLogger(AS400LoginModule.class.getName()).log(Level.SEVERE, null, ex);
            } finally {
                // Close in reverse order of acquisition: result set, statement, connection
                if (rs != null) {
                    try {
                        rs.close();
                    } catch (SQLException ex) {
                        Logger.getLogger(AS400LoginModule.class.getName()).log(Level.SEVERE, null, ex);
                    }
                }
                if (statement != null) {
                    try {
                        statement.close();
                    } catch (SQLException ex) {
                        Logger.getLogger(AS400LoginModule.class.getName()).log(Level.SEVERE, null, ex);
                    }
                }
                if (conn != null) {
                    try {
                        conn.close();
                    } catch (SQLException ex) {
                        Logger.getLogger(AS400LoginModule.class.getName()).log(Level.SEVERE, null, ex);
                    }
                }
            }
            return grupos.elements();
        }

        private String getPasswordHave(String userName, Callback[] callbacks) throws
                LoginException {
            PasswordCallback passwordCallback = (PasswordCallback) callbacks[1];
            // getPassword() returns a copy, so the callback's own buffer can be cleared right away
            char[] password = passwordCallback.getPassword();
            passwordCallback.clearPassword();
            if (password == null || password.length < 1) {
                throwLoginException("Authentication Failed: User " + userName +
                        ". Password not supplied");
            }
            String passwd = new String(password);
            // The clear-text password is not written to stdout or the server log
            return passwd;
        }
    }
    thanks

  • Authentication via weblogic security realm

    My servlet needs to access a session bean. The action in the session bean requires
    that a user has been authorized, i.e. at some point the session bean calls
    String name = d_ctx.getCallerPrincipal().getName()
    This name may not be null at this time.
    What I would like to have is that the user executing the URL gets authenticated
    by my server realm 'myrealm' and that the associated principal gets passed to
    the session bean. Is this possible? If so, how can the user pass along the username
    and password as this query is executed programmatically?
    markus

    http://www.weblogic.com/docs51/classdocs/API_acl.html
    Michael Girdley
    BEA Systems Inc
    "gennot" <[email protected]> wrote in message
    news:[email protected]..
    Could you send me the complete URL of these example, please?
    Thanks
    Enrico
    Michael Girdley <[email protected]> wrote in message
    39b87078$[email protected]..
    The passing of the client's certificate should be automatic to WebLogic. We
    have an example of getting the client side certificate from inside of
    WebLogic in our documentation.
    This does not require SSL to be used from the Web server to WebLogic.
    Thanks,
    Michael
    Michael Girdley
    BEA Systems Inc
    "Bob Simonoff" <[email protected]> wrote in message
    news:[email protected]..
    I have read through the docs and haven't found anything that would address
    the following confusion:
    Suppose I want to use Apache or IPlanet as the webserver with WebLogic as
    the back end application server (obviously). I have the need to use 2way
    SSL authentication. As I understand it the following applies:
    Client (browser) has a certificate as does the web server. They authenticate
    each other.
    Now, the web server and weblogic need to communicate. WebLogic, in our
    environment does authentication via the security realm.
    What do I have to do to get the web server (Apache or IPlanet) to
    communicate the client's certificate to WebLogic so WebLogic can perform
    the authentication?
    Does the communication between the web server and WebLogic also need to be
    SSL?
    Thanks
    Bob Simonoff
