Configure security with principals.xml

Hello!
I'm trying to configure security in Oracle IAS 9.0.4. I have two applications in an OC4J instance. I've configured an admin user with RMI connection permission in the instance's principals.xml file. I've configured another admin user with RMI connection permission in each of the applications' principals.xml.
One of the applications is trying to connect via JMS to the other's queue, but it can't. If I execute an external JUnit test, I get an invalid username/password error, but from the first application I get a NameNotFoundException because it says it can't locate my ConnectionFactory class.
I've configured the ConnectionFactory class and queue properly in the instance's jms.xml file.
I have two questions. First question is why I get different error messages depending on where I try to connect from? Second question is what's the best way to configure security with principals.xml if I want to share the user configuration across applications inside an OC4J instance?
I have to mention that with an OC4J standalone deployment I had no problem and all worked fine, so I suspect I've misconfigured something at IAS, but I didn't find any document explaining inheritance clearly, nor principals.xml in the instance/application context.
Thank you in advance.
Eva.

We don't use principals.xml any more and have adopted the use of the JAAS, via our implementation which goes under the moniker of JAZN.
I'd have a peruse through the OC4J Security guide as a good starting point:
http://download.oracle.com/docs/cd/B32110_01/web.1013/b28957/toc.htm
The general J2EE doc library is here:
http://download.oracle.com/docs/cd/B32110_01/web.htm
-steve-
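Steve's pointer above is to the JAZN XML provider, where the RMI-login right that Eva configured per application in principals.xml becomes a single <jazn-policy> grant of com.evermind.server.rmi.RMIPermission "login" in one instance-level jazn-data.xml, which is also the answer to her second question about sharing users across applications. The same layout appears in the system-jazn-data.xml posted in the JSSO thread further down this page, where that grant is held by several roles and also by the deactivated anonymous user. The script below is an added example, not code from this thread or from Oracle: it parses a constructed jazn-data.xml fragment (the role name app-rmi-clients and the user jmsclient are hypothetical) and reports who holds RMI login, flagging grants to deactivated users or directly to users rather than to roles.

```python
"""Audit the <jazn-policy> section of an OC4J jazn-data.xml for RMI login grants.

Added example, not from the forum thread or from Oracle. SAMPLE_JAZN_DATA is a
constructed document mirroring the structure of system-jazn-data.xml as posted
in this page (realm jazn.com, XMLRealmRole/XMLRealmUser principals,
com.evermind.server.rmi.RMIPermission). 'app-rmi-clients' and 'jmsclient' are
hypothetical names.
"""
import xml.etree.ElementTree as ET

SAMPLE_JAZN_DATA = """<jazn-data>
  <jazn-realm><realm><name>jazn.com</name>
    <users>
      <user deactivated="true"><name>anonymous</name></user>
      <user><name>jmsclient</name><credentials>{903}placeholder=</credentials></user>
    </users>
    <roles>
      <role><name>app-rmi-clients</name>
        <members><member><type>user</type><name>jmsclient</name></member></members></role>
      <role><name>oc4j-administrators</name><members/></role>
    </roles>
  </realm></jazn-realm>
  <jazn-policy>
    <grant>
      <grantee><principals><principal>
        <realm-name>jazn.com</realm-name><type>role</type>
        <class>oracle.security.jazn.spi.xml.XMLRealmRole</class>
        <name>jazn.com/app-rmi-clients</name></principal></principals></grantee>
      <permissions><permission>
        <class>com.evermind.server.rmi.RMIPermission</class><name>login</name>
      </permission></permissions>
    </grant>
    <grant>
      <grantee><principals><principal>
        <realm-name>jazn.com</realm-name><type>user</type>
        <class>oracle.security.jazn.spi.xml.XMLRealmUser</class>
        <name>jazn.com/anonymous</name></principal></principals></grantee>
      <permissions><permission>
        <class>com.evermind.server.rmi.RMIPermission</class><name>login</name>
      </permission></permissions>
    </grant>
  </jazn-policy>
</jazn-data>
"""

RMI_PERMISSION = "com.evermind.server.rmi.RMIPermission"


def rmi_login_grantees(xml_text):
    """Return {principal name: principal type} for every grantee holding RMIPermission 'login'."""
    root = ET.fromstring(xml_text)
    found = {}
    for grant in root.iterfind("./jazn-policy/grant"):
        has_login = any(
            p.findtext("class") == RMI_PERMISSION and p.findtext("name") == "login"
            for p in grant.iterfind("./permissions/permission"))
        if not has_login:
            continue
        for principal in grant.iterfind("./grantee/principals/principal"):
            found[principal.findtext("name")] = principal.findtext("type")
    return found


def deactivated_users(xml_text):
    """Return realm-qualified names ('realm/user') of users marked deactivated="true"."""
    root = ET.fromstring(xml_text)
    return {
        f"{realm.findtext('name')}/{user.findtext('name')}"
        for realm in root.iterfind("./jazn-realm/realm")
        for user in realm.iterfind("./users/user")
        if user.get("deactivated") == "true"
    }


def audit(xml_text):
    """Least-privilege findings: RMI login on deactivated users or on users instead of roles."""
    inactive = deactivated_users(xml_text)
    findings = []
    for name, kind in rmi_login_grantees(xml_text).items():
        if name in inactive:
            findings.append(f"{name}: RMI login granted to a deactivated user; drop the grant")
        elif kind == "user":
            findings.append(f"{name}: RMI login granted directly to a user; grant a role instead")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_JAZN_DATA):
        print(line)
```

Run it against the real file by replacing SAMPLE_JAZN_DATA with the contents of $ORACLE_HOME/j2ee/<instance>/config/system-jazn-data.xml; any application that needs to open an RMI/JMS connection then only needs its user added to the granted role, with no per-application copy of the credentials.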

Similar Messages

  • Configuring php5 with enable XML on OAS 10.1.3.x

    My requirement is to enable XML on OAS 10.1.3.5.
    I am not sure how to configure it, so I started using a separate PHP 5.2 to configure with XML enabled on the server. After installation, when I am starting the opmn services I am getting the below error. I think the error is with the platform, which means the current OS version is 64-bit and the PHP 5.2 stage is a 32-bit version, I guess.
    OAS_HOME=/u20/app/MSRV1P/apmsrv1p/oracle/product/OAS
    URL : http://nacisdell277.us.oracle.com:10330/phpinfo.php
    I used below command to configure :
    ./configure --prefix=$ORACLE_HOME/php --with-config-file-path=$ORACLE_HOME/Apache/Apache/conf --with-apxs=$ORACLE_HOME/Apache/Apache/bin/apxs
    --with-oci8=instantclient,/u20/app/MSRV1P/apmsrv1p/oracle/product/instantclient_10_2 --with-config-file-path=/u20/app/MSRV1P/apmsrv1p/oracle/product/OAS/Apache/Apache/php5 --enable-sigchild --enable-xml --enable-simplexml --enable-libxml --enable-dom --enable-simplexml --enable-xml --enable-xmlreader --enable-xmlwriter --enable-simplexml --with-xsl --with-zlib --with-xml --with-libxml-dir
    Error :
    /u20/app/MSRV1P/apmsrv1p/oracle/product/OAS/Apache/Apache/bin/apachectl startssl: execing httpd
    Syntax error on line 247 of /u20/app/MSRV1P/apmsrv1p/oracle/product/OAS/Apache/Apache/conf/httpd.conf:
    Cannot load /u20/app/MSRV1P/apmsrv1p/oracle/product/OAS/Apache/Apache/libexec/libphp5.so into server: /u20/app/MSRV1P/apmsrv1p/oracle/product/OAS/Apache/Apache/libexec/libphp5.so: wrong ELF class: ELFCLASS64
    I checked in the Metalink for “configuring php5 with enable XML on OAS 10.1.3.x” but I couldn’t find anything.
    Please advise me on this.
    Thanks

    Hello;
    You can try installing glibc-devel to fix this.
    However on my version :
    Application Server Control Release 10.1.2.3.0 - PHP 5 does not seem to work. The conflict on mine is that PHP 4 came wrapped in the Oracle install and they don't play well together.
    Make sure your httpd.conf does not have this in it :
    LoadModule php4_module libexec/libphp4.so
    I'm NOT advising you to remove it if it's there, I'm merely pointing to a possible conflict.
    Best Regards
    mseberg
    Later
    Glad you don't have the same version as me. Hard to find anything on this, found these ( Not exact matches )
    http://php.net/manual/en/oci8.installation.php ( Search for ELF )
    http://enlinea.creaelicita.cl/guia/oci8.setup.html
    http://docs.oracle.com/cd/E17390_01/doc.650/e17370.pdf
    Found this in the pdf : ( Similar )
    If the following error is received:
    *ERROR* - obssocookie: could not dlopen()
    /opt/netpoint/AccessServerSDK//oblix/lib/libobaccess.so:
    /opt/netpoint/AccessServerSDK//oblix/lib/libobaccess.so: wrong ELF class:
    ELFCLASS32
    This indicates that the 32-bit version of the Access Gate SDK was installed instead of
    the required 64-bit version.
    Still later
    Another thought is the PHP forum :
    PHP
    Also you need the 32-bit Instant Client to be able to run PHP. See http://blogs.oracle.com/opal/entry/using_php_oci8_with_32-bit_php
    Same OS message :
    ORA-03106: fatal two-task communication protocol error
    Rogue Notes from my Fusion Middleware on Red Hat 5 64 bit
    I downloaded php-5.3.5.tar.gz from http://www.php.net/downloads.php.
    Download the OCI headers http://www.oracle.com/technetwork/middleware/ias/ociheaders-134541.tar
    environment
    export ORACLE_HOME=/u01/app/oracle/product/fmw/oracle_pfrd
    export ORACLE_INSTANCE=/u01/app/oracle/product/fmw/fr_inst
    export CONFIG_FILE_PATH=$ORACLE_INSTANCE/config/OHS/ohs1
    export LD_LIBRARY_PATH=$ORACLE_HOME/lib:$ORACLE_HOME/ohs/lib:$LD_LIBRARY_PATH
    Configure with Oracle Database (OCI8) support:
    ./configure --with-apxs2=$ORACLE_HOME/ohs/bin/apxs --prefix=$ORACLE_HOME --with-config-file-path=$CONFIG_FILE_PATH --with-oci8=$ORACLE_HOME --disable-rpath
    httpd.conf
    # And for PHP 5.x use:
    AddType application/x-httpd-php .php .phtml
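The dynamic loader's message in the post above, "wrong ELF class: ELFCLASS64", names the class of the object it was asked to load: libphp5.so was built 64-bit while the httpd that dlopen()s it is a 32-bit binary. The check below is an added example, not from the thread or from Oracle or PHP; it reads the EI_CLASS byte of the ELF header, which is exactly the field the loader compares, so it works without `file` or `readelf` installed. The two sample headers it inspects are constructed in temporary files; on the real box you would point elf_class() at $ORACLE_HOME/Apache/Apache/bin/httpd and libexec/libphp5.so before restarting opmn.

```python
"""Compare the ELF class (32/64-bit) of an Apache module with the httpd that loads it.

Added example, not from the thread. The fixtures are constructed 16-byte ELF
e_ident headers written to temp files; no real binaries are required.
"""
import os
import tempfile

ELF_MAGIC = b"\x7fELF"
CLASS_NAMES = {1: "ELFCLASS32", 2: "ELFCLASS64"}


def elf_class(path):
    """Return 'ELFCLASS32' or 'ELFCLASS64'; raise ValueError for anything else."""
    with open(path, "rb") as f:
        ident = f.read(16)                       # e_ident, first 16 bytes of every ELF file
    if len(ident) < 16 or ident[:4] != ELF_MAGIC:
        raise ValueError(f"{path}: not an ELF file")
    ei_class = ident[4]                           # EI_CLASS is e_ident[4]
    if ei_class not in CLASS_NAMES:
        raise ValueError(f"{path}: invalid EI_CLASS {ei_class}")
    return CLASS_NAMES[ei_class]


def loader_compatible(httpd_path, module_path):
    """True when the word size matches, i.e. dlopen() will not fail with 'wrong ELF class'."""
    return elf_class(httpd_path) == elf_class(module_path)


def _fake_elf(ei_class):
    """Write a constructed e_ident header with the given EI_CLASS; returns the temp path."""
    ident = bytearray(16)
    ident[:4] = ELF_MAGIC
    ident[4] = ei_class      # EI_CLASS: 1 = 32-bit, 2 = 64-bit (3 is deliberately invalid)
    ident[5] = 1             # EI_DATA: little-endian
    ident[6] = 1             # EI_VERSION: current
    fd, path = tempfile.mkstemp(suffix=".so")
    with os.fdopen(fd, "wb") as f:
        f.write(bytes(ident))
    return path


def compare_fixtures(httpd_class, module_class):
    """Build two fixtures, compare them, clean up; returns (compatible, httpd_class, module_class)."""
    httpd = _fake_elf(httpd_class)
    module = _fake_elf(module_class)
    try:
        return loader_compatible(httpd, module), elf_class(httpd), elf_class(module)
    finally:
        os.unlink(httpd)
        os.unlink(module)


if __name__ == "__main__":
    # Reproduces the situation in the post: 32-bit httpd, 64-bit libphp5.so
    print(compare_fixtures(1, 2))
```

The fix that follows from the check is to build PHP with the same toolchain and word size as httpd (and, as noted above, against a matching Instant Client), not to change the module load order in httpd.conf.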

  • Not sure how to configure Weblogic with log4j.xml

    I tried something VERY similar to this. I wasn't sure where to put this code below. I figured in a Servlet environment, it should probably go in a Listener. I found an existing class inside of Spring that does exactly that: org.springframework.web.util.Log4jConfigListener
    I put my log4j configuration file into an entry in the classpath and configured web.xml as follows:
    <!-- Spring log4j parameters -->
            <context-param>
                <param-name>log4jConfigLocation</param-name>
                <param-value>classpath:gov/pa/dep/formu/resources/log4j.properties</param-value>
            </context-param>
            <context-param>
                <param-name>log4jRefreshInterval</param-name>
                <param-value>30000</param-value>
            </context-param>
            <!-- Spring Log4j config listener -->
         <listener>
              <listener-class>org.springframework.web.util.Log4jConfigListener</listener-class>
         </listener>
    The server admin placed the actual log4j.properties file into an AppFileOverrides folder instead of under WEB-INF\classes. I don't know if this caused the problem or not. Since I also was using the DailyRollingFileAppender and running into problems LOSING my log entries each day because the file didn't get renamed, I followed Metalink BUG# 8459807, and used the datedFileAppender available at http://minaret.biz/tips/datedFileAppender.html.
    When the application started, the server log showed that log4j was being configured but none of my logging statements were going into the logs. It wasn't until the server admin placed a copy of log4j.properties (a different log4j.properties with a rolling file appender) that the log statements started going into the file that was configured based on web.xml.
    Surely, things can't be this difficult with log4j, and commons logging under WebLogic.
    All I want is APPLICATION LEVEL LOGS that are specific to the day.
    Can someone else elaborate on how they got this working?
    thanks a bunch,
    Eric

    Hi,
    The configuration wizard (config.sh) lets you create a WebLogic domain; however, depending on other "Oracle Middleware" products installed in the same "Oracle Home" (the directory where WebLogic has been installed), the configuration wizard allows you to create the new WebLogic domain with support for the other middleware products such as WebCenter.
    When I say support, it means that the Configuration Wizard allows you to create the WebLogic resources like JDBC connections and JMS services, and deploys all applications that integrate another product such as WebCenter.
    I suggest creating your domain with support for WebCenter and then, from the Admin Console, creating the JDBC resource to connect to another database such as the JD Edwards database.
    I hope this helps.

  • Configuring Security With 11g

    Hi,
    I have just started with the 11g version and couldn't find the Web service manager component.
    So how are the security policies to be defined which were earlier handled by the gateway and the agents?
    Moreover, earlier there was the application server console from where the datasources, JMS destinations, adapters etc. were configured. Which console do we use with the present installation?
    There was also a convenient way to see and test the webservices from this application server console,how all these can be accessed with the newer version?
    Other than the developer's guide for the soa suite 10g are there any other documents and sample codes to be released for the bpel,mediator and the bam components?
    Thanks.

    Hello, I guess security will be done with the Oracle Policy Manager. Check the developer guide (section 1.3.1.6) and take a look at http://www.oracle.com/technology/products/ias/bpel/techpreview/s291362-whats-new-in-oracle-soa-suite.pdf, slide 27. The AS isn't available yet, so that's why SOA development is done against an integrated OC4J (I guess?). In the presentation you can also see (slide 30) that monitoring will be available through the Fusion Middleware Control.

  • Principals.xml with OC4J1013 server for authentication and authorization

    Hi
    I am using OC4J10.1.3 standalone server.
    How do I configure the server and the web application to authenticate and authorize users and groups that attempt to access a web application? Please provide a solution asap.
    Thanks
    Swathi J

    We don't use principals.xml any more and have adopted the use of the JAAS, via our implementation which goes under the moniker of JAZN.
    I'd have a peruse through the OC4J Security guide as a good starting point:
    http://download.oracle.com/docs/cd/B32110_01/web.1013/b28957/toc.htm
    The general J2EE doc library is here:
    http://download.oracle.com/docs/cd/B32110_01/web.htm
    -steve-

  • Web Service Security with SAML - Invalid XML signature

    Hello together,
    we want to build a scenario where we want to use Web Service Security with SAML.
    The scenario will be
    WS Client (Java Application) -> WS Adapter -> Integration Engine ->  WS Adapter-> CRM (Web AS ABAP 7.01 SP 3)
    SAP PI release is 7.11 (SP Level 4)
    We want to use SAML authentication from WS Client to PI and from PI to Web AS ABAP.
    The SAML authentication between the WS Client and PI works when there is no SAML auth between PI and CRM.
    But we get following error at calling the CRM system when we want to communicate with SAML:
      <E_TEXT>CX_WS_SECURITY_FAULT:Invalid XML signature</E_TEXT>
    Does somebody have an idea of the possible reason for the error?
    Thanks in advance
    Stefan

    Error Messages in the Trace/Log Viewer:
    CX_WS_SECURITY_FAULT : Invalid XML signature | program: CL_ST_CRYPTO==================CP include: CL_ST_CRYPTO==================CM00G line: 48
    A SOAP Runtime Core Exception occurred in method CL_ST_CRYPTO==================CM00G of class CL_ST_CRYPTO==================CP at position id 48  with internal error id 1001  and error text CX_WS_SECURITY_FAULT:Invalid XML signature (fault location is 1  ).
    Invalid XML signature

  • Wireless security with zero client configuration

    Dears,
    I have a client that needs to have 802.1X-based wireless security with zero configuration on his smartphone devices: he just needs to select the SSID, get prompted for authentication, log in with his domain account, and that's it.
    is it possible ?

    You can find examples on the Internet depending on what RADIUS server you're using.
    Here are some:
    http://www.labminutes.com/sec0095_acs_wireless_dot1x_peap_eap_tls_machine_authentication_2
    http://networklessons.com/wireless/peap-and-eap-tls-on-server-2008-and-cisco-wlc/
    Thanks,
    Scott

  • JSSO configuration issue with Microsoft AD

    We are trying to configure the Windows Native Authentication for Webcenter 10.3.4.
    We have configured JSSO to use a ldap login module, which is configured to interact with Microsoft Active Directory.
    While using the JSSO login page we encountered the following behavior:
    If the user does not exist, the JSSO login page will reject the fake credential. We can find the following message in the log file:
    JAAS-LDAP LoginModule: User with name samhain does not exist.
    JAAS-LDAP LoginModule: Authentication failed: undable to find user sam hain.
    That shows the login module did manage to query the Active Directory successfully.
    However, even if the user exists in Active Directory, we were still not able to log in through the JSSO login page. We got the following error in the log file, as shown below:
    java.lang.NullPointerException
    at oracle.security.jazn.realm.LDAPPrincipal.equals(LDAPPrincipal.java:93)
    at java.util.LinkedList.indexOf(LinkedList.java:406)
    at java.util.LinkedList.contains(LinkedList.java:176)
    at javax.security.auth.Subject$SecureSet.add(Subject.java:1086)
    at java.util.Collections$SynchronizedCollection.add(Collections.java:1581)
    at oracle.security.jazn.login.module.LDAPLoginModule.commit(LDAPLoginModule.java:475)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:585)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:580)
    at oracle.security.jazn.oc4j.OC4JUtil.doJAASLogin(OC4JUtil.java:241)
    at oracle.security.jazn.oc4j.GenericUser$1.run(JAZNUserManager.java:818)
    at oracle.security.jazn.oc4j.OC4JUtil.doWithJAZNClsLdr(OC4JUtil.java:173)
    at oracle.security.jazn.oc4j.GenericUser.authenticate(JAZNUserManager.java:814)
    at oracle.security.jazn.oc4j.FilterUser.authenticate(JAZNUserManager.java:1143)
    at com.evermind.server.http.EvermindHttpServletRequest.getUserPrincipalInternal(EvermindHttpServletRequest.java:3659)
    at com.evermind.server.http.AJPHttpServletRequest.getUserPrincipalInternal(AJPHttpServletRequest.java:260)
    at com.evermind.server.http.HttpApplication.checkAuthenticationAndAuthorize(HttpApplication.java:6332)
    at com.evermind.server.http.HttpApplication.getRequestDispatcher(HttpApplication.java:3009)
    at com.evermind.server.http.HttpRequestHandler.doProcessRequest(HttpRequestHandler.java:735)
    at com.evermind.server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:447)
    at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:302)
    at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:190)
    at oracle.oc4j.network.ServerSocketReadHandler$SafeRunnable.run(ServerSocketReadHandler.java:260)
    at com.evermind.util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java:303)
    at java.lang.Thread.run(Thread.java:595)
    javax.security.auth.login.LoginException: java.lang.NullPointerException
    at oracle.security.jazn.realm.LDAPPrincipal.equals(LDAPPrincipal.java:93)
    at java.util.LinkedList.indexOf(LinkedList.java:406)
    at java.util.LinkedList.contains(LinkedList.java:176)
    at javax.security.auth.Subject$SecureSet.add(Subject.java:1086)
    at java.util.Collections$SynchronizedCollection.add(Collections.java:1581)
    at oracle.security.jazn.login.module.LDAPLoginModule.commit(LDAPLoginModule.java:475)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:585)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:580)
    at oracle.security.jazn.oc4j.OC4JUtil.doJAASLogin(OC4JUtil.java:241)
    at oracle.security.jazn.oc4j.GenericUser$1.run(JAZNUserManager.java:818)
    at oracle.security.jazn.oc4j.OC4JUtil.doWithJAZNClsLdr(OC4JUtil.java:173)
    at oracle.security.jazn.oc4j.GenericUser.authenticate(JAZNUserManager.java:814)
    at oracle.security.jazn.oc4j.FilterUser.authenticate(JAZNUserManager.java:1143)
    at com.evermind.server.http.EvermindHttpServletRequest.getUserPrincipalInternal(EvermindHttpServletRequest.java:3659)
    at com.evermind.server.http.AJPHttpServletRequest.getUserPrincipalInternal(AJPHttpServletRequest.java:260)
    at com.evermind.server.http.HttpApplication.checkAuthenticationAndAuthorize(HttpApplication.java:6332)
    at com.evermind.server.http.HttpApplication.getRequestDispatcher(HttpApplication.java:3009)
    at com.evermind.server.http.HttpRequestHandler.doProcessRequest(HttpRequestHandler.java:735)
    at com.evermind.server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:447)
    at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:302)
    at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:190)
    at oracle.oc4j.network.ServerSocketReadHandler$SafeRunnable.run(ServerSocketReadHandler.java:260)
    at com.evermind.util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java:303)
    at java.lang.Thread.run(Thread.java:595)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:872)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:580)
    at oracle.security.jazn.oc4j.OC4JUtil.doJAASLogin(OC4JUtil.java:241)
    at oracle.security.jazn.oc4j.GenericUser$1.run(JAZNUserManager.java:818)
    at oracle.security.jazn.oc4j.OC4JUtil.doWithJAZNClsLdr(OC4JUtil.java:173)
    at oracle.security.jazn.oc4j.GenericUser.authenticate(JAZNUserManager.java:814)
    at oracle.security.jazn.oc4j.FilterUser.authenticate(JAZNUserManager.java:1143)
    at com.evermind.server.http.EvermindHttpServletRequest.getUserPrincipalInternal(EvermindHttpServletRequest.java:3659)
    at com.evermind.server.http.AJPHttpServletRequest.getUserPrincipalInternal(AJPHttpServletRequest.java:260)
    at com.evermind.server.http.HttpApplication.checkAuthenticationAndAuthorize(HttpApplication.java:6332)
    at com.evermind.server.http.HttpApplication.getRequestDispatcher(HttpApplication.java:3009)
    at com.evermind.server.http.HttpRequestHandler.doProcessRequest(HttpRequestHandler.java:735)
    at com.evermind.server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:447)
    at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:302)
    at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:190)
    at oracle.oc4j.network.ServerSocketReadHandler$SafeRunnable.run(ServerSocketReadHandler.java:260)
    at com.evermind.util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java:303)
    at java.lang.Thread.run(Thread.java:595)
    Here is our system-jazn-data.xml:
    <?xml version="1.0" encoding="UTF-8" standalone='yes'?>
    <jazn-data
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:noNamespaceSchemaLocation="http://xmlns.oracle.com/oracleas/schema/jazn-data-10_0.xsd"
        schema-major-version="10"
        schema-minor-version="0"
    >
      <!-- JAZN Realm Data -->
      <jazn-realm>
        <realm>
          <name>jazn.com</name>
          <users>
            <user deactivated="true">
              <name>anonymous</name>
              <guid>9D73EAA19FCB11DD9F715971021579B9</guid>
              <description>The default guest/anonymous user</description>
            </user>
            <user>
              <name>oc4jadmin</name>
              <display-name>OC4J Administrator</display-name>
              <guid>9D765BA09FCB11DD9F715971021579B9</guid>
              <description>OC4J Administrator</description>
              <credentials>{903}Vs5eBtwbaZJysFzhHW/zRKyHB7AjqjF1XZu/rYwML/Q=</credentials>
            </user>
            <user>
              <name>JtaAdmin</name>
              <display-name>JTA Recovery User</display-name>
              <guid>9D765BA19FCB11DD9F715971021579B9</guid>
              <description>Used to recover propagated OC4J transactions</description>
              <credentials>{903}zT2YASAir+Q22xC6S3lq9LbxDxeb3X9IxjXIWVkOdDE=</credentials>
            </user>
          </users>
          <roles>
            <role>
              <name>ascontrol_admin</name>
              <display-name>ASControl Admin Role</display-name>
              <description>Administrative role for ASControl</description>
              <guid>9D765BA59FCB11DD9F715971021579B9</guid>
              <members>
                <member>
                  <type>user</type>
                  <name>oc4jadmin</name>
                </member>
              </members>
            </role>
            <role>
              <name>oc4j-administrators</name>
              <display-name>OC4J Admin Role</display-name>
              <description>Administrative role for OC4J</description>
              <guid>9D765BA29FCB11DD9F715971021579B9</guid>
              <members>
                <member>
                  <type>user</type>
                  <name>oc4jadmin</name>
                </member>
                <member>
                  <type>user</type>
                  <name>JtaAdmin</name>
                </member>
              </members>
            </role>
            <role>
              <name>ascontrol_monitor</name>
              <display-name>ASControl Monitor Role</display-name>
              <description>Monitor role for ASControl</description>
              <guid>9D765BA79FCB11DD9F715971021579B9</guid>
              <members>
              </members>
            </role>
            <role>
              <name>ascontrol_appadmin</name>
              <display-name>ASControl App Admin Role</display-name>
              <description>Application Administrative role for ASControl</description>
              <guid>9D765BA69FCB11DD9F715971021579B9</guid>
              <members>
              </members>
            </role>
            <role>
              <name>oc4j-app-administrators</name>
              <display-name>OC4J Application Administrators</display-name>
              <description>OC4J application-level administrators</description>
              <guid>9D765BA39FCB11DD9F715971021579B9</guid>
              <members>
              </members>
            </role>
            <role>
              <name>users</name>
              <display-name>users</display-name>
              <description>users role for rmi/ejb access</description>
              <guid>9D765BA49FCB11DD9F715971021579B9</guid>
              <members>
              </members>
            </role>
          </roles>
        </realm>
      </jazn-realm>
      <!-- JACC Repository Data -->
      <jacc-repository>
      </jacc-repository>
      <jazn-policy>
        <grant>
          <grantee>
            <principals>
              <principal>
                <realm-name>jazn.com</realm-name>
                <type>role</type>
                <class>oracle.security.jazn.spi.xml.XMLRealmRole</class>
                <name>jazn.com/oc4j-administrators</name>
              </principal>
            </principals>
          </grantee>
          <permissions>
            <permission>
              <class>oracle.security.jazn.policy.AdminPermission</class>
              <name>oracle.security.jazn.realm.RealmPermission$jazn.com$createrole</name>
            </permission>
            <permission>
              <class>oracle.security.jazn.policy.AdminPermission</class>
              <name>oracle.security.jazn.realm.RealmPermission$jazn.com$modifyrealmmetadata</name>
            </permission>
            <permission>
              <class>oracle.security.jazn.policy.AdminPermission</class>
              <name>oracle.security.jazn.policy.RoleAdminPermission$jazn.com/*$</name>
            </permission>
            <permission>
              <class>oracle.security.jazn.policy.AdminPermission</class>
              <name>oracle.security.jazn.realm.RealmPermission$jazn.com$createrealm</name>
            </permission>
            <permission>
              <class>oracle.security.jazn.policy.AdminPermission</class>
              <name>oracle.security.jazn.realm.RealmPermission$jazn.com$droprealm</name>
            </permission>
            <permission>
              <class>oracle.security.jazn.policy.AdminPermission</class>
              <name>oracle.security.jazn.realm.RealmPermission$jazn.com$droprole</name>
            </permission>
            <permission>
              <class>com.evermind.server.rmi.RMIPermission</class>
              <name>login</name>
            </permission>
            <permission>
              <class>com.evermind.server.rmi.RMIPermission</class>
              <name>subject.propagation</name>
            </permission>
            <permission>
              <class>oracle.security.jazn.policy.RoleAdminPermission</class>
              <name>jazn.com/*</name>
            </permission>
            <permission>
              <class>com.evermind.server.AdministrationPermission</class>
              <name>administration</name>
              <actions>administration</actions>
            </permission>
            <permission>
              <class>oracle.security.jazn.realm.RealmPermission</class>
              <name>jazn.com</name>
              <actions>modifyrealmmetadata</actions>
            </permission>
            <permission>
              <class>oracle.security.jazn.realm.RealmPermission</class>
              <name>jazn.com</name>
              <actions>createrealm</actions>
            </permission>
            <permission>
              <class>oracle.security.jazn.realm.RealmPermission</class>
              <name>jazn.com</name>
              <actions>dropuser</actions>
            </permission>
            <permission>
              <class>oracle.security.jazn.realm.RealmPermission</class>
              <name>jazn.com</name>
              <actions>droprealm</actions>
            </permission>
          </permissions>
        </grant>
        <grant>
          <grantee>
            <principals>
              <principal>
                <realm-name>jazn.com</realm-name>
                <type>role</type>
                <class>oracle.security.jazn.spi.xml.XMLRealmRole</class>
                <name>jazn.com/ascontrol_admin</name>
              </principal>
            </principals>
          </grantee>
          <permissions>
            <permission>
              <class>oracle.security.jazn.policy.AdminPermission</class>
              <name>oracle.security.jazn.realm.RealmPermission$jazn.com$createrole</name>
            </permission>
            <permission>
              <class>oracle.security.jazn.policy.AdminPermission</class>
              <name>oracle.security.jazn.realm.RealmPermission$jazn.com$modifyrealmmetadata</name>
            </permission>
            <permission>
              <class>oracle.security.jazn.policy.AdminPermission</class>
              <name>oracle.security.jazn.policy.RoleAdminPermission$jazn.com/*$</name>
            </permission>
            <permission>
              <class>oracle.security.jazn.policy.AdminPermission</class>
              <name>oracle.security.jazn.realm.RealmPermission$jazn.com$createrealm</name>
            </permission>
            <permission>
              <class>oracle.security.jazn.policy.AdminPermission</class>
              <name>oracle.security.jazn.realm.RealmPermission$jazn.com$droprealm</name>
            </permission>
            <permission>
              <class>oracle.security.jazn.policy.AdminPermission</class>
              <name>oracle.security.jazn.realm.RealmPermission$jazn.com$droprole</name>
            </permission>
            <permission>
              <class>com.evermind.server.rmi.RMIPermission</class>
              <name>login</name>
            </permission>
            <permission>
              <class>com.evermind.server.rmi.RMIPermission</class>
              <name>subject.propagation</name>
            </permission>
            <permission>
              <class>oracle.security.jazn.policy.RoleAdminPermission</class>
              <name>jazn.com/*</name>
            </permission>
            <permission>
              <class>com.evermind.server.AdministrationPermission</class>
              <name>administration</name>
              <actions>administration</actions>
            </permission>
            <permission>
              <class>oracle.security.jazn.realm.RealmPermission</class>
              <name>jazn.com</name>
              <actions>modifyrealmmetadata</actions>
            </permission>
            <permission>
              <class>oracle.security.jazn.realm.RealmPermission</class>
              <name>jazn.com</name>
              <actions>createrealm</actions>
            </permission>
            <permission>
              <class>oracle.security.jazn.realm.RealmPermission</class>
              <name>jazn.com</name>
              <actions>dropuser</actions>
            </permission>
            <permission>
              <class>oracle.security.jazn.realm.RealmPermission</class>
              <name>jazn.com</name>
              <actions>droprealm</actions>
            </permission>
          </permissions>
        </grant>
        <grant>
          <grantee>
            <principals>
              <principal>
                <realm-name>jazn.com</realm-name>
                <type>role</type>
                <class>oracle.security.jazn.spi.xml.XMLRealmRole</class>
                <name>jazn.com/oc4j-app-administrators</name>
              </principal>
            </principals>
          </grantee>
          <permissions>
            <permission>
              <class>com.evermind.server.rmi.RMIPermission</class>
              <name>login</name>
            </permission>
          </permissions>
        </grant>
        <grant>
          <grantee>
            <principals>
              <principal>
                <realm-name>jazn.com</realm-name>
                <type>role</type>
                <class>oracle.security.jazn.spi.xml.XMLRealmRole</class>
                <name>jazn.com/users</name>
              </principal>
            </principals>
          </grantee>
          <permissions>
            <permission>
              <class>com.evermind.server.rmi.RMIPermission</class>
              <name>login</name>
            </permission>
          </permissions>
        </grant>
        <grant>
          <grantee>
            <principals>
              <principal>
                <realm-name>jazn.com</realm-name>
                <type>user</type>
                <class>oracle.security.jazn.spi.xml.XMLRealmUser</class>
                <name>jazn.com/anonymous</name>
              </principal>
            </principals>
          </grantee>
          <permissions>
            <permission>
              <class>com.evermind.server.rmi.RMIPermission</class>
              <name>login</name>
            </permission>
          </permissions>
        </grant>
        <grant>
          <grantee>
            <principals>
              <principal>
                <class>oracle.security.jazn.realm.LDAPPrincipal</class>
                <name>oracleSESsvc</name>
              </principal>
            </principals>
          </grantee>
          <permissions>
            <permission>
              <class>com.evermind.server.rmi.RMIPermission</class>
              <name>login</name>
            </permission>
          </permissions>
        </grant>
      </jazn-policy>
      <!-- Login Module Data -->
      <jazn-loginconfig>
        <application>
          <name>oracle.security.jazn.oc4j.CertificateAuthenticator</name>
          <login-modules>
            <login-module>
              <class>oracle.security.jazn.login.module.X509LoginModule</class>
    &lt;control-flag&gt;required&lt;/control-flag&gt;
    &lt;options&gt;
    &lt;option&gt;
    &lt;name&gt;addAllRoles&lt;/name&gt;
    &lt;value&gt;true&lt;/value&gt;
    &lt;/option&gt;
    &lt;/options&gt;
    &lt;/login-module&gt;
    &lt;/login-modules&gt;
    &lt;/application&gt;
    &lt;application&gt;
    &lt;name&gt;javasso&lt;/name&gt;
    &lt;login-modules&gt;
    &lt;login-module&gt;
    &lt;class&gt;oracle.security.jazn.login.module.LDAPLoginModule&lt;/class&gt;
    &lt;control-flag&gt;required&lt;/control-flag&gt;
    &lt;options&gt;
    &lt;option&gt;
    &lt;name&gt;oracle.security.jaas.ldap.connect.pool.prefsize&lt;/name&gt;
    &lt;value&gt;10&lt;/value&gt;
    &lt;/option&gt;
    &lt;option&gt;
    &lt;name&gt;oracle.security.jaas.ldap.provider.connect.pool&lt;/name&gt;
    &lt;value&gt;true&lt;/value&gt;
    &lt;/option&gt;
    &lt;option&gt;
    &lt;name&gt;oracle.security.jaas.ldap.provider.type&lt;/name&gt;
    &lt;value&gt;Active Directory&lt;/value&gt;
    &lt;/option&gt;
    &lt;option&gt;
    &lt;name&gt;oracle.security.jaas.ldap.provider.credential&lt;/name&gt;
    &lt;value&gt;{903}mAp2dqk8DOnyffj5FSDpqNBw1AUWkrS1ZXyxsSGyRQA=&lt;/value&gt;
    &lt;/option&gt;
    &lt;option&gt;
    &lt;name&gt;oracle.security.jaas.ldap.connect.pool.maxsize&lt;/name&gt;
    &lt;value&gt;25&lt;/value&gt;
    &lt;/option&gt;
    &lt;option&gt;
    &lt;name&gt;oracle.security.jaas.ldap.role.searchscope&lt;/name&gt;
    &lt;value&gt;subtree&lt;/value&gt;
    &lt;/option&gt;
    &lt;option&gt;
    &lt;name&gt;oracle.security.jaas.ldap.user.searchscope&lt;/name&gt;
    &lt;value&gt;subtree&lt;/value&gt;
    &lt;/option&gt;
    &lt;option&gt;
    &lt;name&gt;oracle.security.jaas.ldap.membership.searchscope&lt;/name&gt;
    &lt;value&gt;direct&lt;/value&gt;
    &lt;/option&gt;
    &lt;option&gt;
    &lt;name&gt;oracle.security.jaas.ldap.member.attribute&lt;/name&gt;
    &lt;value&gt;member&lt;/value&gt;
    &lt;/option&gt;
    &lt;option&gt;
    &lt;name&gt;oracle.security.jaas.ldap.lm.cache_enabled&lt;/name&gt;
    &lt;value&gt;true&lt;/value&gt;
    &lt;/option&gt;
    &lt;option&gt;
    &lt;name&gt;oracle.security.jaas.ldap.connect.pool.initsize&lt;/name&gt;
    &lt;value&gt;2&lt;/value&gt;
    &lt;/option&gt;
    &lt;option&gt;
    &lt;name&gt;oracle.security.jaas.ldap.user.object.class&lt;/name&gt;
    &lt;value&gt;user&lt;/value&gt;
    &lt;/option&gt;
    &lt;option&gt;
    &lt;name&gt;oracle.security.jaas.ldap.connect.pool.timeout&lt;/name&gt;
    <b

    Tried pointing directly to a single internal ADFS server (no NLB) and still receiving the same problem.  The Remote Connectivity Analyser returns the following error for the Outlook AutoDiscover test -
    A Web exception occurred because an HTTP 503 - ServiceUnavailable response was received from Unknown
    And the Remote Connectivity Analyser SSO test sometimes succeeds and sometimes fails.
    I notice if I go to https://autodiscover-s.outlook.com/Autodiscover/Autodiscover.xml and login with the
    [email protected] account it returns "The service is unavailable."
    What generally causes this?  What particular URL is it trying to get to?

  • How to configure sso with SSL step by step

    Purpose
    In this document, you can learn how to configure SSO with SSL. After a user has a certificate installed in the browser, he can log in without entering a username and password.
    Overview
    In this document we will demonstrate:
    1.     How to configure OHS to support SSL
    2.     How to Register SSO with SSL
    3.     Configure SSO for certificates
    Prerequisites
    Before starting this document, you should have:
    1.     Oracle AS 10g infrastructure installed (10.1.2)
    2.     OCA installed
    Note:
    1.     When you install Oracle infrastructure, please make sure you have selected OCA.
    2.     How Certificate-Enabled Authentication Works:
    a.     The user tries to access a partner application.
    b.     The partner application redirects the user to the single sign-on server for authentication. As part of this redirection, the browser sends the user's certificate to the login URL of the server (2a). If it is able to verify the certificate, the server returns the user to the requested application.
    c.     The application delivers content. Users whose browsers are configured to prompt for a certificate-store password may only have to present this password once, depending upon how their browser is configured. If they log out and then attempt to access a partner application, the browser passes their certificate to the single sign-on server automatically. This means that they never really log out. To effectively log out, they must close the browser.
    Enable SSL on the Single Sign-On Middle Tier
    The following steps involve configuring the Oracle HTTP Server. Perform them on the single sign-on middle tier. In doing so, keep the following in mind:
    ·     You must configure SSL on the computer where the single sign-on middle tier is running.
    ·     You are configuring one-way SSL.
    ·     You may enable SSL for simple network encryption; PKI authentication is not required. Note though that you must use a valid wallet and server certificate. The default wallet location is ORACLE_HOME/Apache/Apache/conf/ssl.wlt/default.
    1.     Back up the opmn.xml file, found at ORACLE_HOME/opmn/conf
    2.     In opmn.xml, change the value for the start-mode parameter to ssl-enabled. This parameter appears in boldface in the xml tag immediately following.
    <ias-component id="HTTP_Server">
    <process-type id="HTTP_Server" module-id="OHS">
    <module-data>
    <category id="start-parameters">
    <data id="start-mode" value="ssl-enabled"/>
    </category>
    </module-data>
    <process-set id="HTTP_Server" numprocs="1"/>
    </process-type>
    </ias-component>
    3.     Update the distributed cluster management database with the change: ORACLE_HOME/dcm/bin/dcmctl updateconfig -ct opmn
    4.     Reload the modified opmn configuration file:
    ORACLE_HOME/opmn/bin/opmnctl reload
    5.     Keep a non-SSL port active. The External Applications portlet communicates with the single sign-on server over a non-SSL port. The HTTP port is enabled by default. If you have not disabled the port, this step requires no action.
    6.     Apply the rule mod_rewrite to SSL configuration. This step involves modifying the ssl.conf file on the middle-tier computer. The file is at ORACLE_HOME/Apache/Apache/conf. Back up the file before editing it.
    Because the Oracle HTTP Server has to be available over both HTTP and HTTPS, the SSL host must be configured as a virtual host. Add the lines that follow to the SSL Virtual Hosts section of ssl.conf if they are not already there. These lines ensure that the single sign-on login module in OC4J_SECURITY is invoked when a user logs in to the SSL host.
    <VirtualHost ssl_host:port>
    RewriteEngine on
    RewriteOptions inherit
    </VirtualHost>
    Save and close the file.
    7.     Update the distributed cluster management database with the changes:
    ORACLE_HOME/dcm/bin/dcmctl updateconfig -ct ohs
    8.     Restart the Oracle HTTP Server:
    ORACLE_HOME/opmn/bin/opmnctl stopproc process-type=HTTP_Server
    ORACLE_HOME/opmn/bin/opmnctl startproc process-type=HTTP_Server
    9.     Verify that you have enabled the single sign-on middle tier for SSL by trying to access the OracleAS welcome page, using the format https://host:ssl_port.
    Reconfigure the Identity Management Infrastructure Database
    Change all references of http in single sign-on URLs to https within the identity management infrastructure database. When you change single sign-on URLs in the database, you must also change these URLs in the targets.xml file on the single sign-on middle tier. targets.xml is the configuration file for the various "targets" that Oracle Enterprise Manager monitors. One of these targets is OracleAS Single Sign-On.
    1.     Change Single Sign-On URLs
    Run the ssocfg script, taking care to enter the command on the computer where the single sign-on middle tier is located. Use the following syntax:
    UNIX:
    $ORACLE_HOME/sso/bin/ssocfg.sh protocol host ssl_port
    Windows:
    %ORACLE_HOME%\sso\bin\ssocfg.bat protocol host ssl_port
    In this case, protocol is https. (To change back to HTTP, use http.) The parameter host is the host name, or server name, of the Oracle HTTP listener for the single sign-on server.
    Here is an example:
    ssocfg.sh https login.acme.com 4443
    2. Restart OC4J_SECURITY instance and verify the configuration
    To determine the correct port number, examine the ssl.conf file. Port 4443 is the port number that the OracleAS installer assigns during installation.
    If you run ssocfg successfully, the script returns a status 0. To confirm that you were successful, restart the OC4J_SECURITY instance:
    ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=OC4J_SECURITY
    Then try logging in to the single sign-on server at its SSL address:
    https://host:ssl_port/pls/orasso/
    3. Back up the file targets.xml:
    cp ORACLE_HOME/sysman/emd/targets.xml ORACLE_HOME/sysman/emd/targets.xml.backup
    4. Open the file and find the target type oracle_sso_server. Within this target type, locate and edit the three attributes that you passed to ssocfg:
    ·     HTTPMachine—the server host name
    ·     HTTPPort—the server port number
    ·     HTTPProtocol—the server protocol
    If, for example, you run ssocfg like this:
    ORACLE_HOME/sso/bin/ssocfg.sh http sso.mydomain.com:4443
    Update the three attributes this way:
    <Property NAME="HTTPMachine" VALUE="sso.mydomain.com"/>
    <Property NAME="HTTPPort" VALUE="4443"/>
    <Property NAME="HTTPProtocol" VALUE="HTTPS"/>
    5. Save and close the file.
    6.     Reload the OracleAS console:
    ORACLE_HOME/bin/emctl reload
    7. Issue these two commands:
    ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=HTTP_Server
    ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=OC4J_SECURITY
    Registering mod_osso
    1.     The command sequence that follows shows a mod_osso instance being reregistered with the single sign-on server.
    $ORACLE_HOME/sso/bin/ssoreg.sh
         -oracle_home_path $ORACLE_HOME
         -config_mod_osso TRUE
         -mod_osso_url https://myhost.mydomain.com:4443
    2.     Restarting the Oracle HTTP Server
    After running ssoreg, restart the Oracle HTTP Server:
    ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=HTTP_Server
    Configuring the Single Sign-On System for Certificates
    1.     Configure policy.properties with the Default Authentication Plugin
    Update the DefaultAuthLevel section of the policy.properties file with the correct authentication level for certificate sign-on. This file is at ORACLE_HOME/sso/conf. Set the default authentication level to this value:
    DefaultAuthLevel = MediumHighSecurity
    Then, in the Authentication plugins section, pair this authentication level with the default authentication plugin:
    MediumHighSecurity_AuthPlugin = oracle.security.sso.server.auth.SSOX509CertAuth
    2.     Restart the Single Sign-On Middle Tier
    After configuring the server, restart the middle tier:
    ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=HTTP_Server
    ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=OC4J_SECURITY
    Bringing the SSO Users to OCA User Certificate Request URL
    The OCA server reduces the administrative and maintenance cost of provisioning a user certificate. The OCA server achieves this by authenticating users by using OracleAS SSO server authentication. All users who have an Oracle AS SSO server account can directly get a certificate by using the OCA user interface. This reduces the time normally required to provision a certificate by a certificate authority.
    The URL for the SSO certificate Request is:
    https://<Oracle_HTTP_host>:<oca_ssl_port>/oca/sso_oca_link
    You can configure OCA to provide the user certificate request interface URL to the SSO server for display whenever SSO is not using a certificate to authenticate a user. After the OracleAS SSO server authenticates a user, it then displays the OCA screen enabling that user to request a certificate.
    To link the OCA server to OracleAS SSO server, use the following command:
    ocactl linksso
    opmnctl stopproc type=oc4j instancename=oca
    opmnctl startproc type=oc4j instancename=oca
    You can also use ocactl unlinksso to unlink OCA from SSO.
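    As an added check (example code, not part of this post or of Oracle's guide): a small Java program that verifies the four settings the steps above change, namely the opmn.xml start-mode, the mod_rewrite lines in the ssl.conf virtual host, the targets.xml attributes handed to ssocfg, and the policy.properties plugin mapping. All file contents below are constructed samples; the `Target`/`Property` layout of targets.xml and the `disallow-doctype-decl` parser feature are assumptions, everything else comes from the steps above.

```java
// SsoSslConfigCheck.java -- added example, not from the post or from Oracle.
// Real files live under ORACLE_HOME: opmn/conf/opmn.xml, Apache/Apache/conf/ssl.conf,
// sysman/emd/targets.xml and sso/conf/policy.properties. Pass their contents as strings.
import java.io.StringReader;
import java.util.Properties;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class SsoSslConfigCheck {
    static final String X509_PLUGIN = "oracle.security.sso.server.auth.SSOX509CertAuth";

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Config files carry no DTD; refusing one keeps external entities out (assumed Xerces feature name)
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    /** Step 2: the HTTP_Server component in opmn.xml must carry start-mode="ssl-enabled". */
    static boolean opmnSslEnabled(String opmnXml) throws Exception {
        NodeList comps = parse(opmnXml).getElementsByTagName("ias-component");
        for (int i = 0; i < comps.getLength(); i++) {
            Element comp = (Element) comps.item(i);
            if (!"HTTP_Server".equals(comp.getAttribute("id"))) continue;
            NodeList data = comp.getElementsByTagName("data");
            for (int j = 0; j < data.getLength(); j++) {
                Element d = (Element) data.item(j);
                if ("start-mode".equals(d.getAttribute("id"))) return "ssl-enabled".equals(d.getAttribute("value"));
            }
        }
        return false; // no start-mode at all: OHS comes up without SSL
    }

    /** Step 6: some VirtualHost block in ssl.conf must enable mod_rewrite and inherit the rules. */
    static boolean sslRewriteConfigured(String sslConf) {
        Matcher vh = Pattern.compile("<VirtualHost[^>]*>(.*?)</VirtualHost>",
                Pattern.DOTALL | Pattern.CASE_INSENSITIVE).matcher(sslConf);
        Pattern engine = Pattern.compile("(?m)^\\s*RewriteEngine\\s+on\\s*$", Pattern.CASE_INSENSITIVE);
        Pattern inherit = Pattern.compile("(?m)^\\s*RewriteOptions\\s+inherit\\s*$", Pattern.CASE_INSENSITIVE);
        while (vh.find()) {
            String body = vh.group(1);
            if (engine.matcher(body).find() && inherit.matcher(body).find()) return true;
        }
        return false;
    }

    /** Database section, steps 3-4: the oracle_sso_server target must match ssocfg's host/port and say HTTPS. */
    static boolean targetsMatch(String targetsXml, String host, String sslPort) throws Exception {
        NodeList targets = parse(targetsXml).getElementsByTagName("Target");
        for (int i = 0; i < targets.getLength(); i++) {
            Element t = (Element) targets.item(i);
            if (!"oracle_sso_server".equals(t.getAttribute("TYPE"))) continue;
            String machine = "", port = "", proto = "";
            NodeList props = t.getElementsByTagName("Property");
            for (int j = 0; j < props.getLength(); j++) {
                Element p = (Element) props.item(j);
                switch (p.getAttribute("NAME")) {
                    case "HTTPMachine": machine = p.getAttribute("VALUE"); break;
                    case "HTTPPort": port = p.getAttribute("VALUE"); break;
                    case "HTTPProtocol": proto = p.getAttribute("VALUE"); break;
                    default: break;
                }
            }
            return host.equals(machine) && sslPort.equals(port) && "HTTPS".equalsIgnoreCase(proto);
        }
        return false; // no SSO target registered with Enterprise Manager at all
    }

    /** Certificates section, step 1: DefaultAuthLevel must be paired with the X.509 plugin. */
    static boolean certAuthConfigured(String policyProps) throws Exception {
        Properties p = new Properties();
        p.load(new StringReader(policyProps));
        String level = p.getProperty("DefaultAuthLevel", "").trim();
        return !level.isEmpty() && X509_PLUGIN.equals(p.getProperty(level + "_AuthPlugin", "").trim());
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples: the first four reflect a correct setup, the last one a common miss
        String opmn = "<opmn><ias-component id=\"HTTP_Server\"><process-type id=\"HTTP_Server\" module-id=\"OHS\">"
            + "<module-data><category id=\"start-parameters\"><data id=\"start-mode\" value=\"ssl-enabled\"/>"
            + "</category></module-data></process-type></ias-component></opmn>";
        String sslConf = "<VirtualHost login.acme.com:4443>\n  RewriteEngine on\n  RewriteOptions inherit\n</VirtualHost>\n";
        String targets = "<Targets><Target TYPE=\"oracle_sso_server\" NAME=\"sso\">"
            + "<Property NAME=\"HTTPMachine\" VALUE=\"login.acme.com\"/><Property NAME=\"HTTPPort\" VALUE=\"4443\"/>"
            + "<Property NAME=\"HTTPProtocol\" VALUE=\"HTTPS\"/></Target></Targets>";
        String policyOk = "DefaultAuthLevel = MediumHighSecurity\nMediumHighSecurity_AuthPlugin = " + X509_PLUGIN + "\n";
        String policyMiss = "DefaultAuthLevel = MediumHighSecurity\nMediumSecurity_AuthPlugin = " + X509_PLUGIN + "\n";
        System.out.println("opmn ssl-enabled : " + opmnSslEnabled(opmn));
        System.out.println("ssl.conf rewrite : " + sslRewriteConfigured(sslConf));
        System.out.println("targets.xml      : " + targetsMatch(targets, "login.acme.com", "4443"));
        System.out.println("policy (ok)      : " + certAuthConfigured(policyOk));
        System.out.println("policy (miss)    : " + certAuthConfigured(policyMiss)); // level mapped to nothing
    }
}
```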

    I have read the SSO admin guide, and performed the steps for enabling SSL on the SSO, and followed the steps to configure mod_osso with virtual host on port 4443 as mentioned in the admin guide.
    The case now is that when I call my form (which is developed by forms developer suite 10g and deployed on the forms server which is SSO enabled) , it calls the SSO module on port 7777 using http (the default behaviour).
    on a URL that looks like this :
    http://myhostname:7777/pls/orasso/orasso.wwsso_app_admin.ls_login?Site2pstoreToken=.......
    and gives the error :
    ( Forbidden
    You don't have permission to access /sso/auth on this server at port 7777)
    when I manually change the URL to :
    https://myhostname:4443/pls/orasso/orasso.wwsso_app_admin.ls_login?Site2pstoreToken=.......
    the SSO works correctly.
    The question is :
    How can I change this default behaviour and make it call SSO on port 4443 using https instead ?
    Any ideas ?
    Thanks in advance

  • Intermittent oracle.security.jazn.spi.xml.XMLJAZNPolicy null pointer excep

    hi,
    in my application I am using container and ADF security. Sometimes I get following exception but not always!? What could be the cause?
    (I added a new role with three members - 1 user and two sub-roles. I configured these sub-roles in web.xml as regular roles and also configured ADF security for the role and its subroles)
    java.lang.NullPointerException
         at oracle.security.jazn.spi.xml.XMLJAZNPolicy.getPermissions(XMLJAZNPolicy.java:593)
         at oracle.security.jazn.spi.xml.XMLJAZNPolicy.getPermissions(XMLJAZNPolicy.java:574)
         at oracle.security.jazn.spi.Java2PolicyProvider.getPermissions(Java2PolicyProvider.java:313)
         at oracle.security.jazn.spi.PolicyProvider.getPermissions(PolicyProvider.java:202)
         at javax.security.auth.SubjectDomainCombiner$3.run(SubjectDomainCombiner.java:357)
         at java.security.AccessController.doPrivileged(Native Method)
         at javax.security.auth.SubjectDomainCombiner.combineJavaxPolicy(SubjectDomainCombiner.java:353)
         at javax.security.auth.SubjectDomainCombiner.combine(SubjectDomainCombiner.java:191)
         at java.security.AccessControlContext.goCombiner(AccessControlContext.java:390)
         at java.security.AccessControlContext.optimize(AccessControlContext.java:304)
         at java.security.AccessController.getContext(AccessController.java:385)
         at java.lang.Thread.init(Thread.java:332)
         at java.lang.Thread.<init>(Thread.java:416)
         at oracle.webcache.adf.cache.basiccache.BasicCacheImpl$VGCThread.<init>(BasicCacheImpl.java:1439)
         at oracle.webcache.adf.cache.basiccache.BasicCacheImpl.<init>(BasicCacheImpl.java:121)
         at oracle.webcache.adf.cache.basiccache.BasicCacheManager.createBasicCacheInstance(BasicCacheManager.java:71)
         at oracle.webcache.adf.cache.httpcache.HTTPCacheImpl.<init>(HTTPCacheImpl.java:96)
         at oracle.webcache.adf.cache.httpcache.HTTPCacheFactory.createHTTPCache(HTTPCacheFactory.java:66)
         at oracle.webcache.adf.cache.httpcache.HTTPCacheFactory.createHTTPCache(HTTPCacheFactory.java:47)
         at oracle.webcache.adf.filter.PageCache.<init>(PageCache.java:218)
         at oracle.webcache.adf.filter.PageCache.getInstance(PageCache.java:255)
         at oracle.webcache.adf.filter.PageCache.getInstance(PageCache.java:276)
         at oracle.adf.view.faces.webcache.component.UICache.getFragmentFromCache(UICache.java:514)
         at oracle.adf.view.faces.webcache.component.UICache.encodeBegin(UICache.java:170)
         at oracle.adfinternal.view.faces.uinode.UIComponentUINode._renderComponent(UIComponentUINode.java:297)
         at oracle.adfinternal.view.faces.uinode.UIComponentUINode.render(UIComponentUINode.java:262)
         at oracle.adfinternal.view.faces.uinode.UIComponentUINode.render(UIComponentUINode.java:239)
         at oracle.adfinternal.view.faces.ui.composite.ContextPoppingUINode$ContextPoppingRenderer.render(ContextPoppingUINode.java:224)
         at oracle.adfinternal.view.faces.ui.BaseUINode.render(BaseUINode.java:346)
         at oracle.adfinternal.view.faces.ui.BaseUINode.render(BaseUINode.java:301)
         at oracle.adfinternal.view.faces.ui.BaseRenderer.renderChild(BaseRenderer.java:412)
         at oracle.adfinternal.view.faces.ui.BaseRenderer.renderNamedChild(BaseRenderer.java:384)
         at oracle.adfinternal.view.faces.ui.laf.base.desktop.PageHeaderLayoutRenderer.renderContent(PageHeaderLayoutRenderer.java:404)
         at oracle.adfinternal.view.faces.ui.BaseRenderer.render(BaseRenderer.java:81)
         at oracle.adfinternal.view.faces.ui.laf.base.xhtml.XhtmlLafRenderer.render(XhtmlLafRenderer.java:69)
         at oracle.adfinternal.view.faces.ui.BaseUINode.render(BaseUINode.java:346)
         at oracle.adfinternal.view.faces.ui.BaseUINode.render(BaseUINode.java:301)
         at oracle.adfinternal.view.faces.ui.BaseRenderer.renderChild(BaseRenderer.java:412)
         at oracle.adfinternal.view.faces.ui.BaseRenderer.renderIndexedChild(BaseRenderer.java:330)
         at oracle.adfinternal.view.faces.ui.BaseRenderer.renderIndexedChild(BaseRenderer.java:222)
         at oracle.adfinternal.view.faces.ui.BaseRenderer.renderContent(BaseRenderer.java:129)
         at oracle.adfinternal.view.faces.ui.BaseRenderer.render(BaseRenderer.java:81)
         at oracle.adfinternal.view.faces.ui.laf.base.xhtml.XhtmlLafRenderer.render(XhtmlLafRenderer.java:69)
         at oracle.adfinternal.view.faces.ui.BaseUINode.render(BaseUINode.java:346)
         at oracle.adfinternal.view.faces.ui.BaseUINode.render(BaseUINode.java:301)
         at oracle.adfinternal.view.faces.ui.composite.UINodeRenderer.renderWithNode(UINodeRenderer.java:90)
         at oracle.adfinternal.view.faces.ui.composite.UINodeRenderer.render(UINodeRenderer.java:36)
         at oracle.adfinternal.view.faces.ui.laf.oracle.desktop.PageLayoutRenderer.render(PageLayoutRenderer.java:76)
         at oracle.adfinternal.view.faces.uinode.UIXComponentUINode.renderInternal(UIXComponentUINode.java:177)
         at oracle.adfinternal.view.faces.uinode.UINodeRendererBase.encodeEnd(UINodeRendererBase.java:53)
         at oracle.adf.view.faces.component.UIXComponentBase.encodeEnd(UIXComponentBase.java:624)
         at oracle.adfinternal.view.faces.renderkit.RenderUtils.encodeRecursive(RenderUtils.java:54)
         at oracle.adfinternal.view.faces.renderkit.core.CoreRenderer.encodeChild(CoreRenderer.java:242)
         at oracle.adfinternal.view.faces.renderkit.core.CoreRenderer.encodeAllChildren(CoreRenderer.java:265)
         at oracle.adfinternal.view.faces.renderkit.core.xhtml.PanelPartialRootRenderer.renderContent(PanelPartialRootRenderer.java:65)
         at oracle.adfinternal.view.faces.renderkit.core.xhtml.BodyRenderer.renderContent(BodyRenderer.java:117)
         at oracle.adfinternal.view.faces.renderkit.core.xhtml.PanelPartialRootRenderer.encodeAll(PanelPartialRootRenderer.java:147)
         at oracle.adfinternal.view.faces.renderkit.core.xhtml.BodyRenderer.encodeAll(BodyRenderer.java:60)
         at oracle.adfinternal.view.faces.renderkit.core.CoreRenderer.delegateRenderer(CoreRenderer.java:281)
         at oracle.adfinternal.view.faces.renderkit.core.xhtml.DocumentRenderer.encodeAll(DocumentRenderer.java:60)
         at oracle.adfinternal.view.faces.renderkit.core.CoreRenderer.encodeEnd(CoreRenderer.java:169)
         at oracle.adf.view.faces.component.UIXComponentBase.encodeEnd(UIXComponentBase.java:624)
         at javax.faces.webapp.UIComponentTag.encodeEnd(UIComponentTag.java:645)
         at javax.faces.webapp.UIComponentTag.doEndTag(UIComponentTag.java:568)
         at oracle.adf.view.faces.webapp.UIXComponentTag.doEndTag(UIXComponentTag.java:100)
    ...

    Hi,
    ADF Security configures with permissions and thus doesn't need the roles to be available in web.xml (unless the roles are used for container managed authorization as well). Note that the default behavior of OC4J is that changes in the configuration files are picked up upon restart (for performance reasons you don't want to change this setting). So just make sure OC4J is stopped before re-running an application.
    Frank

  • Error installation when configure OAM with FORMS 11Gr2 (SSO)

    Hi
    I am trying to configure SSO with Forms 11gR2 (Windows 2008).
    1. Install RCU 11.1.1.5.0
    2. Install and configure OID (ofm_idm_win_11.1.1.2 & patch ofm_idm_win_11.1.1.5)
    3. Install OAM (ofm_iam_generic_11.1.1.5 & Patch 11.1.1.5.3 (13473393))
    4. Integrate OAM & OID - After that I can log on to my oamconsole using an OID (LDAP) identifier
    5. Try install Forms 11gr2 ( ofm_frmrpts_win_11.1.2.0.0_64)
    During installation, I complete the information about my OID, then I put in the connection information for OAM and I get an error.
    OAMAdminServer - console
    <2012-07-17 08:44:32 CEST> <Error> <oracle.oam.engine.remotereg> <OAM-30046> <agent validate mode failed. Agent does not exist. >
    InstallLog
    Welcome to OAM Remote Registration Tool!
    Parameters passed to the registration tool are:
    Mode: agentvalidate
    Agent name: 120717084429_RREG_OSSO_VALIDATE
    Enter your server address (http(s)://FQDN:port):Server Address: http://weblogic:7002
    Enter admin username:Username: weblogic
    Enter admin password: Enter admin password:Your validate request is being sent to the Admin server at: http://weblogic:7002
    2012-07-17 08:44:33 oracle.security.am.engines.rreg.common.XMLValidationEventHandler handleEvent
    SEVERE: Error occurred while parsing the XML file.Error message is: cvc-complex-type.2.4.d: Invalid content was found starting with element 'managedServerUrl'. No child element is expected at this point.
    At Column:421
    and At line number: 1
    Error message is: cvc-complex-type.2.4.d: Invalid content was found starting with element 'managedServerUrl'. No child element is expected at this point.
    At Column:421
    and At line number: 1
    The remote registration process did not succeed! Please find the specific error message below.
    Error in unmarshal2012-07-17 08:44:34 oracle.security.am.engines.rreg.common.RequestResponseParser parseFromXMLString
    SEVERE: Exception encountered: RemoteAgentRegistrationException. Specific exception:JAXBException.nulljavax.xml.bind.UnmarshalException
    - with linked exception:
    [org.xml.sax.SAXParseException: cvc-complex-type.2.4.d: Invalid content was found starting with element 'managedServerUrl'. No child element is expected at this point.]
    2012-07-17 08:44:34 oracle.security.am.engines.rreg.client.RegClient main
    SEVERE: Exception encountered: RemoteAgentRegistrationException. Specific exception:Error in unmarshalling operation! Please try again.oracle.security.am.engines.rreg.common.RemoteAgentRegistrationException: Error in unmarshalling operation! Please try again.
    ling operation! Please try again.
    resultset.getStatus() : false
    Thanks in advance.
    Oscar

    Hi,
    This is a bug with OAM 11.1.1.5.x
    The fix is to use OAM 11.1.2.x and you should be able to configure FR 11.1.2.x and connect to OID and OAM.
    Regards,
    noveaux_life

  • OC4J security with certificates

    Hi,
    I'm trying to develop OC4J (with JDeveloper 10g) application that has to use certificates X509 for authentication.
    Can someone help me with links to demos or tutorials? Or some ideas how to build this?
    Regards,
    Niko

    OK, I'll make an assumption. You see, you could want to do message-layer level security for web services. That is, use WS-Security. Since this thread started with SSL-enabling OC4J, I guess I should assume you want to just do transport-layer security. I got a little thrown off by your mention of optionally encrypting your SOAP message.
    Anyway, it is a matter of obtaining certs, building and loading up the keystore with the appropriate certs and informing OC4J about the keystore and whether or not you will authenticate the client with a cert. You will need to modify server.xml, and modify your default-web-site.xml (or perhaps better, create a secure-web-site.xml from the default-web-site.xml base).
    You know, Oracle has changed OC4J quite a bit from the Orion base. But you might try this out to see if it works.
    http://www.orionserver.com/docs/ssl.html#configuring
    If you try, please post back with your results.
    regards,
    tt

  • Security with jsf

    Hello,
    my website has 5 role groups and each one can access different pages.
    How can I forbid the other groups access to the pages of role group 1?
    In fact, a bean has a "level" variable which contains the role group of the user.
    I would like to test this value and, if it is the right one, give access.
    Otherwise, I would like to redirect the user to the login page.
    Thx u in advance !
    PS: All is made with JSF

    Hi
    Put this in your web.xml:
    <filter>
        <filter-name>SecurityFilter</filter-name>
        <filter-class>adjuvant.poa.util.SecurityFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>SecurityFilter</filter-name>
        <url-pattern>*.jsf</url-pattern>
    </filter-mapping>
    here is your security class
    adjuvant.poa.util.SecurityFilter
    /* [email protected] */
    package adjuvant.poa.util;

    import java.io.IOException;
    import java.util.HashSet;
    import java.util.Set;
    import javax.servlet.Filter;
    import javax.servlet.FilterChain;
    import javax.servlet.FilterConfig;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.http.HttpServletRequest;
    import org.apache.commons.logging.Log;
    import org.apache.commons.logging.LogFactory;
    import adjuvant.poa.jsf.backingbeans.UserBean;

    /**
     * This Filter class handles the security of the application.
     * <p>
     * It should be configured inside the web.xml.
     */
    public class SecurityFilter implements Filter {
        // the login page URI
        private static final String LOGIN_PAGE_URI = "login.jsf";
        private static final String ADMIN_LOGIN_PAGE_URI = "../login.jsf";
        // session attribute under which the logged-in UserBean is stored
        private static final String USER_BEAN = "nurse";
        // the logger object
        private Log logger = LogFactory.getLog(this.getClass());
        // a set of restricted resources (context-relative paths)
        private Set<String> restrictedResources;

        /** Initializes the Filter. */
        public void init(FilterConfig filterConfig) throws ServletException {
            this.restrictedResources = new HashSet<String>();
            this.restrictedResources.add("/assessment.jsf");
            this.restrictedResources.add("/patients.jsf");
            this.restrictedResources.add("/anesthetic.jsf");
            this.restrictedResources.add("/baseline.jsf");
            this.restrictedResources.add("/drugs.jsf");
            this.restrictedResources.add("/endocrine.jsf");
            this.restrictedResources.add("/haematological.jsf");
            this.restrictedResources.add("/labwork.jsf");
            this.restrictedResources.add("/medication.jsf");
            this.restrictedResources.add("/neurologocal.jsf");
            this.restrictedResources.add("/newpatient.jsf");
            this.restrictedResources.add("/patientdetails.jsf");
            this.restrictedResources.add("/renal.jsf");
            this.restrictedResources.add("/respiratory.jsf");
            this.restrictedResources.add("/riskassessment.jsf");
            this.restrictedResources.add("/summary.jsf");
            this.restrictedResources.add("/minimalquestions.jsf");
            // admin pages
            this.restrictedResources.add("/admin/admin.jsf");
            this.restrictedResources.add("/admin/drugs.jsf");
            this.restrictedResources.add("/admin/editdrugs.jsf");
            this.restrictedResources.add("/admin/nurses.jsf");
            this.restrictedResources.add("/admin/newnurse.jsf");
            this.restrictedResources.add("/admin/transaction.jsf");
        }

        /** Standard doFilter method. */
        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            this.logger.debug("doFilter");
            HttpServletRequest request = (HttpServletRequest) req;
            String contextPath = request.getContextPath();
            String requestUri = request.getRequestURI();
            this.logger.debug("contextPath = " + contextPath);
            this.logger.debug("requestUri = " + requestUri);
            // admin pages need the admin user; other restricted pages need any logged-in user
            if (this.contains(requestUri, contextPath)
                    && !(requestUri.contains("admin") ? this.authorizeAdmin(request) : this.authorize(request))) {
                this.logger.debug("authorization failed");
                request.getRequestDispatcher(LOGIN_PAGE_URI).forward(req, res);
            } else {
                this.logger.debug("authorization succeeded");
                chain.doFilter(req, res);
            }
        }

        public void destroy() {}

        /** True when the request URI is one of the restricted resources of this context. */
        private boolean contains(String value, String contextPath) {
            for (String restrictedResource : this.restrictedResources) {
                if ((contextPath + restrictedResource).equalsIgnoreCase(value)) {
                    return true;
                }
            }
            return false;
        }

        /** A restricted page is allowed for any logged-in user. */
        private boolean authorize(HttpServletRequest req) {
            UserBean user = (UserBean) req.getSession().getAttribute(USER_BEAN);
            return user != null; // user logged in
        }

        /** An admin page is allowed only for the user whose id is "admin". */
        private boolean authorizeAdmin(HttpServletRequest request) {
            UserBean user = (UserBean) request.getSession().getAttribute(USER_BEAN);
            return user != null && user.getUserId() != null && user.getUserId().equals("admin");
        }
    }

  • 10g - how to configure sso with iis-

    Hi, experts, I have followed the Oracle® Business Intelligence Enterprise Edition Deployment Guide to configure SSO with IIS,
    but I always get this message:
    Not Logged In
    You are not currently logged in to the Oracle BI Server.
    If you have already logged in, your connection might have timed out, or a communications or server error may have occurred
    What steps are missing?
    How do I check?

    Hi, experts,
    I checked C:\OracleBIData\web\log\sawlog0.log on the OBI server (Windows Server 2003 Standard).
    At Thu Feb 17 14:48:46 2011, I logged in to OBI on another machine (not via the browser on the OBI server).
    However, the log shows the login user is the administrator of the OBI server (obiserver\administrator).
    Is any setup on IIS wrong? Thank you very much!
    =========================================================================================
    Running job 'MinutelyMonitor' took 7422 milliseconds, 12.3% of job's frequency (60 seconds).
    Type: Error
    Severity: 40
    Time: Thu Feb 17 14:48:46 2011
    File: project/webodbcaccess/odbcconnectionimpl.cpp Line: 371
    Properties: ConnId-1,1;ThreadID-1796
    Location:
         saw.odbc.connection.open
         saw.connectionPool.getConnection
         saw.subsystem.security.checkAuthenticationImpl
         saw.threadPool
         saw.threads
    Odbc driver returned an error (SQLDriverConnectW).
    State: 08004. Code: 10018. [NQODBC] [SQL_STATE: 08004] [nQSError: 10018] Access for the requested connection is refused.
    [nQSError: 43001] Authentication failed for obiserver\administrator in repository Star: invalid user/password. (08004)
    Type: Error
    Severity: 42
    Time: Thu Feb 17 14:48:46 2011
    File: project/webconnect/connection.cpp Line: 276
    Properties: ThreadID-1796
    Location:
         saw.connectionPool.getConnection
         saw.subsystem.security.checkAuthenticationImpl
         saw.threadPool
         saw.threads
    Authentication Failure.
    Odbc driver returned an error (SQLDriverConnectW).
    ---------------------------------------

  • Single Sign On and user security with IS

    We have installed Information Steward 4.1 SP1 Patch 1 with Data Services 4.1 SP1 Patch 2 on Information Platform Services 4.0 SP 5 Patch 6. The Information Steward system is installed on its own server. We are connecting IS to our SAP NetWeaver 7.3 system.
    I have set up Single Sign On using Windows AD authentication.  The connection to the SAP system uses a service account. 
    Because the SAP system has our payroll information on it, we want to restrict Information Steward users based on their SAP security profiles.  We don't want to have to maintain security settings in both SAP and Information Steward. 
    Does anyone know if there's a way to set up Single Sign On so it passes the user credentials from SAP to Information Steward?  Then restrict the users on Information Steward based on their SAP security settings?
    Any advice would be appreciated!

    Hi,
    You can use Windows AD or SAP authentication and configure it with SSO. However, this should be done in the BI/IPS platform and not in IS. See the BI admin guide (http://help.sap.com/bobip40), section "Authentication options in BI platform". Please let me know if that's what you wanted.
    thanks
