Similar Messages

Role names with spaces (6.1 to 8.1)

Hi All
I'm working in an organization that has group and role names within their LDAP
repository such that the group and role names contain spaces. Hence, for example,
within a web.xml file lines like the following exist:
<role-name>Some Role Name</role-name>
This has worked without problem in Weblogic 6.1 but given some prelimanary work
within 8.1 we are noticing that Weblogic 8.1 does not appear to like spaces within
the <role-name> element.
Is this just the way it is with Weblogic 8.1? Or is there a way to continue to
use role names with embedded spaces within Weblogic 8.1?
Thanks,
Rob

"Peter" <PeterB> wrote:
>
"Rob" <[email protected]> wrote in message
news:3f57d329$[email protected]..
Hi All
I'm working in an organization that has group and role names withintheir
LDAP
repository such that the group and role names contain spaces. Hence,for
example,
within a web.xml file lines like the following exist:
<role-name>Some Role Name</role-name>
This has worked without problem in Weblogic 6.1 but given some prelimanarywork
within 8.1 we are noticing that Weblogic 8.1 does not appear to likespaces within
the <role-name> element.
Sounds like a bug. File a support case.
Hi,
A workaround exists :
1 - in web.xml, update your role-name element by replacing spaces with "_"
2 - in weblogic.xml, add :
<security-role-assignment>
 <role-name>Some_Role_Name</role-name>
 <principal-name>Some Role Name</principal-name>
 </security-role-assignment>
Regards
Christophe

Invalid Security role-name error in Web Project

Hi All,
I have imported a J2EE application project built in JBOSS into NWDS 7.1.
While building the project i get the following error
CHKJ3020E:Invalid Security role-name error: PEHNTAHO_ADMIN
This error directs me to the following code in web.xml
<security-constraint>
 <display-name>Default JSP Security Constraints</display-name>
 <web-resource-collection>
 <web-resource-name>Portlet Directory</web-resource-name>
 <url-pattern>/jsp/*</url-pattern>
 <http-method>GET</http-method>
 <http-method>POST</http-method>
 </web-resource-collection>
 <auth-constraint>
 <role-name>PEHNTAHO_ADMIN</role-name>
 </auth-constraint>
 <user-data-constraint>
 <transport-guarantee>NONE</transport-guarantee>
 </user-data-constraint>
 </security-constraint>
I have tried out the following things to resolve this issue :
1) Remove the role manually(as suggested by various people in other J2EE forums), but then some other error came in to picture
2)Then I added the following code in web.xml
<security-role>
 <role-name>PEHNTAHO_ADMIN</role-name>
 </security-role>
Then the above mentioned build error gets resolved, but then I get the following error while deploying the application.
Dec 3, 2007 12:59:21 AM /userOut/daView_category (eclipse.UserOutLocation) [Thread[Deploy Thread,5,main]] ERROR: Deploy Exception.An error occurred while deploying the deployment item 'sap.com_AnalyticsApp2EAR'.; nested exception is:
 java.rmi.RemoteException: class com.sap.engine.services.dc.gd.DeliveryException: An error occurred during deployment of sdu id: sap.com_AnalyticsApp2EAR
sdu file path: D:\usr\sap\CE1\J01\j2ee\cluster\server0\temp\tcbldeploy_controller\archives\191\AnalyticsApp2EAR.ear
version status: HIGHER
deployment status: Admitted
description:
 1. Error:
Cannot update application sap.com/AnalyticsApp2EAR. Reason: The application sap.com/AnalyticsApp2EAR will not be update, because its validation failed. Reason:
ERRORS:
Web Model Builder: com.sap.engine.frame.core.configuration.NameNotFoundException: The parameter/s in String "<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
 
</web-app>
" is/are not defined and could not be substituted., file: AnalyticsApp2.war#WEB-INF/web.xml, column 0, line 0, severity: error
WARNINGS:
Web Model Builder: Following tests could not be executed because of failed precondition test "Web Model Builder" : Implicit Constraints Test, JSF Application Test, Mapping Test, Web File Existence Test, Web Class Existence Test, Security Role Test, file: AnalyticsApp2.war, column -1, line -1, severity: warning
3) I had also added the following code in web-j2ee-engine.xml
<security-role-map>
 <role-name>PEHNTAHO_ADMIN</role-name>
 <server-role-name>all</server-role-name>
 </security-role-map>
but still i get the same deployment error.
Please help me in resolving this problem.
Can anybody tell me the use of role "PEHNTAHO_ADMIN"?
Thanks and Regards,
Sruti

Hi Malathy,
Once the users are created in Authentication Provider, and once the roles are created in Weblogic Server, You just have to map users to roles in Jazn-data.xml.
Could you please let us know you created a roles named users in WLS ?
Thanks & Regards,
Murali.
============

[SOLVED] Cannot resolve role-Name UserRole

hello community,
while trying to deploy a j2ee-application to weblogic 10 i got following error message:
weblogic.management.DeploymentException: Cannot resolve role-Name UserRole
i guess that this deals with the ejb-jar.xml wherein is these beneath another role defined.
this is the content of the ejb-jar.xml:
<ejb-jar>
<assembly-descriptor>
<security-role>
<role-name>AdminRole</role-name>
</security-role>
<security-role>
<role-name>UserRole</role-name>
</security-role>
<method-permission>
<role-name>AdminRole</role-name>
<method>
<ejb-name>EJBClientInterfaceEJB</ejb-name>
<method-name>*</method-name>
</method>
<method>
</method>
</method-permission>
<method-permission>
<role-name>UserRole</role-name>
<method>
<ejb-name>EJBClientInterfaceEJB</ejb-name>
<method-name>*</method-name>
</method>
</method-permission>
</assembly-descriptor>
<enterprise-beans>
</enterprise-beans>
</ejb-jar>is there anything to insert in the weblogic-ejb-jar.xml?
thanks in advance,
maik
#edit 1:
FYI it uses ejb version 2.0
<!DOCTYPE ejb-jar PUBLIC '-//Sun Microsystems, Inc.//DTD Enterprise JavaBeans 2.0//EN' 'http://java.sun.com/dtd/ejb-jar_2_0.dtd'>
Edited by sqlworktask at 10/25/2007 6:38 AM

hello monduke,
yes, these lines of code are the same as in the weblogic-ejb-jar.xml
but the error remains...
a brief look in the log-file and the following was detected:
Caused by: weblogic.management.DeploymentException: Cannot resolve role-Name UserRole
 at weblogic.servlet.security.internal.WebAppSecurity.getRunAsPrincipalName(WebAppSecurity.java:413)
 at weblogic.servlet.internal.WebAppServletContext.registerServlets(WebAppServletContext.java:1403)
i do not know what to do next...
#edit 1:
the security-section of the weblogic-ejb-jar.xml:
<security-role-assignment>
 <role-name>AdminRole</role-name>
 <principal-name>Admins</principal-name>
</security-role-assignment>
<security-role-assignment>
 <role-name>UserRole</role-name>
 <principal-name>Users</principal-name>
</security-role-assignment>but as i mentioned... the error remains the same
Edited by sqlworktask at 10/24/2007 11:52 PM

Bug in WL5.1 Console

Server: WLS 5.1 SP9 Solaris
Console: WL5.1 SP9 swing console from Linux, connecting to WLS 5.1 SP9 on
Solaris
Using the console, under "Deployed Beans", clicking on the beans that you
have deployed shows you how many transactions have been committed,
rolled-back, and the sum of the two. These counter work fine.
However, if you update the deployed bean using "java weblogic.deploy
update", the counter no longer works ... it no longer increments despite
calling the methods repeatedly.
This also happens even if there were no actual changes in the deployed jar.
Just doing a "weblogic.deploy update", and the transaction counter on the
console no longer works.
These are for SLSBs, not sure if the same is true for other beans.

How Do I implement security constarints? If I've a users
like 5000 users with admin,customer,manger type using same user table with different previledge to see
jsp pages ,......
thnaks
raj
Sriram Narayan wrote:
Hi
The isUserInRole method in Weblogic seems to be responding to the role-link instead of the role-name.
specifics ...
for the web.xml below,
isUserInRole("ViewAllFields") is correct usage.
isUserInRole("boss") is wrong usage.
Right?
<servlet>
<security-role-ref>
<role-name>ViewALLFields</role-name>
<role-link>boss</role-link>
</security-role-ref>
</servlet>
<security-role>
<role-name>boss</role-name>
</security-role>
<security-role>
<role-name>subordinate</role-name>
</security-role>
Am i right?
But the weblogic implementation only seems to be responding to the wrong usage!!
Please help me out.
thanks
sriram

Security-role and security-role-assignment not working in WL7.0

Hello all..
Some EJB components that worked fine in WebLogic 6.1 no longer work in
WL7.0. It has to do with the security-role and security-role-assignment
descriptor elements no longer allowing anonymous users to be included in the
authorization for a bean.
For example, in WL6.1 placing these items in ejb-jar.xml:
<assembly-descriptor>
<security-role>
<role-name>Employees</role-name>
</security-role>
<method-permission>
<role-name>Employees</role-name>
<method>
<ejb-name>CustomerEJB</ejb-name>
<method-name>*</method-name>
</method>
</method-permission>
and mapping WebLogic default users to this role in weblogic-ejb-jar.xml:
<security-role-assignment>
<role-name>Employees</role-name>
<principal-name>guest</principal-name>
<principal-name>system</principal-name>
</security-role-assignment>
worked fine for clients creating their context using a simple
InitialContext() constructor without specifying SECURITY_PRINCIPAL or
SECURITY_CREDENTIALS. These users were basically "guest" to WebLogic, and
the security-role-assignment element above told WebLogic that "guest" was in
the Employees role for purposes of this EJB archive.
Worked in WL6.1, no longer works in WL7.0. Client receives typical
permission exception:
java.rmi.AccessException: Security violation: insufficient permission to
access method 'create'
If I explicity connect as "system" things are fine, or I can create a new
user in the default realm in WebLogic, put a matching <principal-name>
element in the section above, and connect as that user. Note that if I leave
off the <security-role> section completely, or set the required role name to
"everyone", the anonymous access works fine. Apparently the anonymous user
is a member of "everyone" behind the scenes even though "everyone" does not
appear in the realm list of groups or roles.
So, my question boils down to this: Is there a "magic" username in WL7 like
"guest" was in WL6.1 that can be mapped to the required role name, or must
every client connection use a true weblogic-created user with appropriate
role assignments used to map it to the required role name.
-Greg
P.S. Note that none of the EJB examples provided with WL used
<security-role>..
Check out my WebLogic 6.1 Workbook for O'Reilly EJB Third Edition
www.amazon.com/exec/obidos/ASIN/1931822468 or www.titan-books.com

Below are the screen shots for PFCG:

Mapping security roles to other roles

I found the security newsgroup and posted the question there under the same topic. Kindly respond there.
Message was edited by:
jheinone

Hi Sebastian,
yes, it is possible to do such mapping. And here how it works:
1. define security roles in the ejb-jar.xml within the <security-role>. For example:
<security-role>
 <role-name>test</role-name>
</security-role>
2. then you map the roles those roles to server security roles using the <security-role-map> tag of the ejb-j2ee-engine.xml descriptor.
<security-permission>
 <security-role-map>
 <role-name>test</role-name>
 <server-role-name>myUMErole</server-role-name>
 </security-role-map>
</security-permission>
the myUMErole must be defined in the UME!
Does this answer your question?

Cannot edit any roles in CUP5.2 due to "Enter a valid Role Name" error

We are running CUP 5.2.
I am having a problem with our Roles after they were uploaded into CUP; I cannot make any changes to the Role Details because CUP returns an error stating that our Role Names are invalid.
First I uploaded the roles (I continued to receive errors when trying to use the template, so I did them by uploading with the "Selected Roles" option).
Once they were uploaded, from the menu, I select: Roles --> Search Role and then I choose a role from the resulting list. When the next screen appears (the "Role Details" screen), I added all of the respective details (Business Process, Sub-Process, Detailed Description, Role Approver, Functional Area, etc.). When I pressed the SAVE button, I received the following error:
Please correct the following errors:
Please enter a valid "Role Name". Only Alpha-numeric, Space or Underscore characters are allowed
So I realize what the problem is - the "Role Name" field is automatically populated with our security role name as it exists in our SAP system ... and because our security roles all begin with Z:, it does not follow the CUP naming convention.
I'd like to just update the "Role Name" field but when you are in the "Role Details" screen, the "Role Name" field cannot be edited.
I saw the "Export" button and used that, in an attempt to edit the file to replace each occurence of Z: with Z_, and then upload it again.
So I updated the file accordingly, and then did an upload, selecting the "Overwrite Existing Roles" box.
It returned a successful message:
Import Status: 133 successfully imported out of 133 records found
Yet, when I go back to the list of roles, the roles still exist as Z: instead of Z_ so I still cannot edit any of the roles to add the required details ... has anyone had a similar issue and know how to work around this?
Thanks!

Hello Alpesh,
Thank you for replying!
I had already tried to export the roles and replaced the Z: with Z_ before creating this message, but the upload attempts failed due to the explanation above. But this time, I followed your (good) advice to delete the original Z: roles first, before uploading the corrected file.
Sadly, even after I deleted the original Z: roles prior to uploading the corrected file, I am still having no luck ... when I uploaded the file, again it (falsely) reports that the import was successful:
Import Status: 133 successfully imported out of 133 records found
After seeing that message, I quickly checked the roles, and none of the roles had uploaded. So now I have ZERO roles.
Any further ideas? I am thinking it may be something very small that is being overlooked ... perhaps certain buttons must be selected/not selected on the import screen? Or could it be an issue with the file itself?
When I do the import, I only select the button for "From File ..." and retrieve the file from my desktop via the Browse button. I do not select any other button, nor do I make a selection from the System or Role Source boxes. I have just selected that one button only ... I've tried it with and without checking the "Overwrite Existing Roles" box, but neither one works.
The part that bugs me the most is that I receive what I perceive to be an inaccurate/bogus "successful" status each time I attempt the upload of the file. At least if I had an error message, I might have something to work with to troubleshoot this.

How to obtain Role name in OIM 11g using API's

Hello,
I have a scenario in which I create Role/Group in OIM 11g & it gets provisioned in AD [=works fine] & other part is when i delete role in OIM 11g then it should
get deleted from AD.I have written postprocess event handler to achieve this.
In role creation part i get all parameters using "orchestration.getParameters();" , but when i delete role then "orchestration.getParameters();" is empty,so i am
not able to get role name.
Is there a way to get role name while deleting roles using API ?
Thanks,
Rahul Shah

Hi Raghav,
Following is my code :
tcRODetails = orgOpInterface.getObjects(organizationKey);
for(int i = 0;i < tcRODetails.getRowCount();i++){
tcRODetails.goToRow(i);
// resourceName=AD Group
if(resourceName.equalsIgnoreCase(tcRODetails.getStringValue("Objects.Name"))&&
tcRODetails.getStringValue("Objects.Object Status.Status").equalsIgnoreCase("Provisioned")||
tcRODetails.getStringValue("Objects.Object Status.Status").equalsIgnoreCase("Enabled")) {
System.out.println("<<<FOUND>>>");
processKey = tcRODetails.getLongValue("Process Instance.Key");
provisionObjectKey = tcRODetails.getLongValue("Objects.Key");
tcProcessSet = oimFormUtility.getProcessFormData(processKey);
for(int j=0;j<tcProcessSet.getRowCount();j++){
tcProcessSet.goToRow(j);
if(grpName.equalsIgnoreCase(tcProcessSet.getStringValue("UD_ADGRP_NAME"))){
System.out.println("MATCH FOUND!!!!!");
orgOpInterface.removeObjectAllowed(organizationKey,provisionObjectKey);
break;
& i get following error :
<Mar 22, 2012 1:54:43 PM IST> <Error> <XELLERATE.APIS> <BEA-000000> <Class/Method: tcOrganizationOperationsBean/removeObjectAllowed encounter some problems: Object with key=7 is not already set as an allowed object for Organization with key=1>
Thanks
Rahul Shah

Display Icon/Image instead of Role name in top level navigation

Hi,
I want to display a image / icon instead of role name for a particular role. Can you please tell me how to achieve this ?
Thanks,
VP

Hi,
the thread is just for the background image (for all elements).
if you want to display icons instead of role names, you have to create your custom top level navigation using the
navigation taglib from SAP. There are lots of examples. make a blog search for Mr "Kannengiesser" from SAP.
In case you are using already an EHPx in your EP 7.0 the AJAX framework might have this feature.
Regards,
Kai

How to get the role name in which query is published ?

Hi Experts,
Is there any table where i can get the name of the role in which a particular query is published. I know that if i have a role , i can check in pfcg giving that role name and in menu tab i can see all the queries published under that role. But if i know query but not role how to get the role name . Is there any table or functon modules or programs to get the information.
Thanks & Regards
Vamsi Kiran

Check this table
AGR_HIER

External Authentication won't correctly set USER name or Role

I am using JAVA under Google App Engine for my backend and attempting to log a user into a room using external authentication. I can connect and get into the room just fine my issue is with the user infomation once I am logged in. The user has a null username and ID (possibly generated) and thier role is set to zero (or at least not high enough to publish). If the room is set to auto-Promote then I do have the ability to publish (this is what I would expect) but still I needed the user to have a role of owner (so they can create nodes).
Here is a little of the java on the back end (I removed my shared secret):
public String getRoomToken(String roomID, String userName, String userID, int userRole) {
 try {
 Session session = am.getSession(roomID);
 return session.getAuthenticationToken(..., "Bob", "TestID", 100);
 //return session.getAuthenticationToken(..., userName, userID, userRole);
 } catch (Exception e) {
 // TODO Auto-generated catch block
 e.printStackTrace();
 return null;
getAuthenticationToken is hardely changed from what is in the AFCS.java in the examples folder but here it is in any case
/** * get an external authentication token */
public String getAuthenticationToken(String accountSecret, String name, String id, int role) throws Exception
 if (role < UserRole.NONE || role > UserRole.OWNER)
 throw new Error("invalid-role");
 String token = "x:" + name + "::" + this.account
 + ":" + id + ":" + this.room + ":"+ Integer.toString(role);
 String signed = token + ":" + sign(accountSecret, token);
 // unencoded
 //String ext = "ext=" + signed;
 // encoded
 String ext = "exx=" + Utils.base64(signed);
 return ext;
This should work. My Shared secret is removed above but I doubt that is the problem as my app does authenticate just fine it just throws an exception telling me I don't have the required permissions to publish when I try to do anything. while observing from the DevConsole I see a user in the room but they are marked as null. Note that non-external authentication works just fine. If I hardcode my login creds in AdobeHSAuthenticator I can get in just fine with no issue. Also if the room I get an authenticationToken for does not match the roomURL I connect to with ConnectSessionContainer I will fail to login correctly like I would expect. So I know my credentials are getting to the AFCS and being decrypted correctly (as I can only authenticate for the room I send in that credential token) but for some reason it simply won't set my role and username/userid correctly. Any help would be great, this has caused me a great deal of grief for days now...
Thanks guys...
Ves

Well this is wierd I was trying to set this up so that I could get the log output on that run and I ended up changing
<rtc:AdobeHSAuthenticator id="auth" authenticationKey="{Application.application.parameters['token'] as String}"/>
to
<rtc:AdobeHSAuthenticator id="auth" authenticationKey="{token}"/>
and adding a preinitialize function of:
protected function preInit():void
 templateID = Application.application.parameters['room'];
 token = Application.application.parameters['token'];
oddly enough it now works like a charm now. It is still disconcerting that I was able to actually enter the room even though my token was somehow corrupted (that probably isn't intened behavior). If this shows up agian I will try and track down the particulars and send you guys an email as an FYI. thanks for the help....
Ves

How to hide name of Role from the top level navigation of the portal

Hi Experts,
In my project, I have created 2 roles Role A and Role B. These roles have been assigned to User X.
When user X logs in, he is able to see name of role that is 'A' in the top level navigation.
As per the requirement, user X should not see the 'A'.
Rather user X should see following:
Top Level Navigation: 'My Work'
When user clicks on 'My Work', he should see
'My Sub Work1' and 'My Sub Work2'.
After that under 'My Sub Work1' user should see following
All Objects of Role A
All Objects of Role B
Name of role i.e. 'A' or 'B' should not be displayed at all at any place in navigation.
Only whatever objects has been assigned to Role A and B should be displayed in detailed navigation area.
Can you please let me know how to achieve this?
Pictorial Diagram:
                  My Work       (In top level navigation)
My Sub Work1    My Sub Work2    (In top level navigation)
_________Objects of role
A
       |
       |_________Objects of role
                               B
Please note that 'My Work' and 'My Sub Work1' and 'My Sub Work2) are not roles. They are just the name of folders.
Can you please let me know how to achieve it?
Regards,
Brian

Hi Brian,
Try the following steps.
1. Change the 'Entry Point' property of Roles A and B to 'No'.
2. Create a role folder called 'My Work' under A and B.
3. Set the 'Entry point' property of this folder to 'Yes'.
4. Set the 'merge id' property of the folder as "mywork" (or any other string) under both roles A and B.
5. Under 'My Work' in Role A,
a. Set the 'Merge Priority' property to 50.
b. create subfolder 'My sub work1' and create all your objects.
6. Under 'My Work' in Role B,
a. Set the 'Merge Priority' property to 100.
b. create subfolder 'My sub work2' and create all your objects.
7. Make sure the user is assigned both the roles A and B. Only then he/she can see objects of both the roles.
8. One thing to remember while merging folders is that, all the entities that are being merged should be at the same level. For eg: in our case, you cannot merge 'my subwork1' in role A, with 'my work' in role B.
Reward points if helpful.
Regards,
Priya

Tables for Role Name created through Tcode pfcg

User would Input Role Name and to that what users are attach and what value they are authorized to u2026?? Is there function module to this..

Hi,
Use this table AGR_USERS Assignment of roles to users
or try this FMs
CNV_GET_USER_ROLE
ROLE_ANALYSE_FOR_USER
Regards,
Jyothi CH.

Search Users by Group(Role) Name

In OIM 9g, I can search users by group name like below:
searchFor.put("Groups.Group Name", "my group");
tcResultSet users = userOp.findUsers(searchFor);
But it does not work in 11g, change "Groups.Group Name" to ""Groups.Role Name", don't work neither.
Does anyone know how to search users by Role name in 11g?

Use RoleManager Class and the following API
criteria = new SearchCriteria(RoleManagerConstants.ROLE_NAME, "*", SearchCriteria.Operator.EQUAL);
roles = roleManager.search(criteria, attrNames, mapParams);http://download.oracle.com/docs/cd/E14571_01/apirefs.1111/e17334/oracle/iam/identity/rolemgmt/api/RoleManager.html#getRoleMembers_java_lang_String__boolean_
HTH,
BB

Bug in WL5.1 - isUserInRole( "role-name" or "role-link")

Similar Messages

Maybe you are looking for