Configuring J2EE Appl to obtain security roles from authentication Subject

http://www.oracle.com/technology/products/jdev/howtos/10g/jaassec/index.htm says
"Oracle JDeveloper can be used to add the orion-application.xml file to a web project, choosing orion-application.xml from the list of Deployment Descriptors in the JDeveloper New Gallery."
The wizard asks me to select the deployment description version I want to use, either 1.2 or 10.0. What's the difference and which is the preferred choice?
Regards,
Al Malin

Al Malin.
don't see a difference and usually use what is the default selected.
Frank

Similar Messages

Receiving an error when trying to remove P00 Security role from the user

Hi All,
I am receiving an error when trying to remove P00 Security role from the user.
After logging on to GRC CUP, clicking on u201CCreate requestu201D, and filling out required information,
I click on Select Roles/Groups
On the next screen,
I click on Existing Roles/Groups
ERROR MESSAGE appears X Action failed and no roles appear in the box to select for removal.
Regards,
Vineet

Hi Vineet,
My be your selection is incorrect
Try this
in Applicaiton Area -- Select ALL
Functional Area -
Select ALL
Company -
Select ALL
Role/Profile/Group Names --- Give p00* and execute the report
if you give only p00 it wont give any result
Hope this helps
Thank you,
Kishore

Using weblogic security roles in authentication: weblogic 9

Hi All,
I am trying to create a simple application which uses declarative authorization configured in web.xml. I use the simple form based authentication. While trying to deploy my application, I get the error:
weblogic.management.DeploymentException: [HTTP:101168]The security-role-assignment references an invalid security-role: LTVORole.
But I have defined the role LTVORole in weblogic using the administrator console.
below are the details of what I have done:
Web.xml:
========
<?xml version='1.0' encoding='UTF-8'?>
<j2ee:web-app xmlns:j2ee="http://java.sun.com/xml/ns/j2ee">
<j2ee:welcome-file-list>
 <j2ee:welcome-file>login.jsp</j2ee:welcome-file>
 <j2ee:welcome-file>index.html</j2ee:welcome-file>
 <j2ee:welcome-file>index.htm</j2ee:welcome-file>
</j2ee:welcome-file-list>
<j2ee:login-config>
 <j2ee:auth-method>FORM</j2ee:auth-method>
 <j2ee:form-login-config>
 <j2ee:form-login-page>/login.jsp</j2ee:form-login-page>
 <j2ee:form-error-page>/error.jsp</j2ee:form-error-page>
 </j2ee:form-login-config>
</j2ee:login-config>
<security-constraint>
<display-name>checkAccountConstraint</display-name>
<web-resource-collection>
<web-resource-name>checkAccountCollection</web-resource-name>
 <url-pattern>test.jsp</url-pattern>
 <http-method>GET</http-method>
 <http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
 <role-name>LTVORole</role-name>
</auth-constraint>
</security-constraint>
</j2ee:web-app>Weblogic.xml
===========
<?xml version="1.0" encoding="UTF-8"?>
<ns:weblogic-web-app xmlns:ns="http://www.bea.com/ns/weblogic/90">
<security-role-assignment>
 <role-name>LTVORole</role-name>
 <externally-defined/>
</security-role-assignment>
</ns:weblogic-web-app>I have created the role in weblogic in the menu
security realms > myrealm > roles and policies > Global Roles > roles > LTVORole
Is it the right way to define a role?
Please help me find where I am going wrong.
Thanking you all in advance,
Gireesh

Hi All,
I am trying to create a simple application which uses declarative authorization configured in web.xml. I use the simple form based authentication. While trying to deploy my application, I get the error:
weblogic.management.DeploymentException: [HTTP:101168]The security-role-assignment references an invalid security-role: LTVORole.
But I have defined the role LTVORole in weblogic using the administrator console.
below are the details of what I have done:
Web.xml:
========
<?xml version='1.0' encoding='UTF-8'?>
<j2ee:web-app xmlns:j2ee="http://java.sun.com/xml/ns/j2ee">
<j2ee:welcome-file-list>
 <j2ee:welcome-file>login.jsp</j2ee:welcome-file>
 <j2ee:welcome-file>index.html</j2ee:welcome-file>
 <j2ee:welcome-file>index.htm</j2ee:welcome-file>
</j2ee:welcome-file-list>
<j2ee:login-config>
 <j2ee:auth-method>FORM</j2ee:auth-method>
 <j2ee:form-login-config>
 <j2ee:form-login-page>/login.jsp</j2ee:form-login-page>
 <j2ee:form-error-page>/error.jsp</j2ee:form-error-page>
 </j2ee:form-login-config>
</j2ee:login-config>
<security-constraint>
<display-name>checkAccountConstraint</display-name>
<web-resource-collection>
<web-resource-name>checkAccountCollection</web-resource-name>
 <url-pattern>test.jsp</url-pattern>
 <http-method>GET</http-method>
 <http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
 <role-name>LTVORole</role-name>
</auth-constraint>
</security-constraint>
</j2ee:web-app>Weblogic.xml
===========
<?xml version="1.0" encoding="UTF-8"?>
<ns:weblogic-web-app xmlns:ns="http://www.bea.com/ns/weblogic/90">
<security-role-assignment>
 <role-name>LTVORole</role-name>
 <externally-defined/>
</security-role-assignment>
</ns:weblogic-web-app>I have created the role in weblogic in the menu
security realms > myrealm > roles and policies > Global Roles > roles > LTVORole
Is it the right way to define a role?
Please help me find where I am going wrong.
Thanking you all in advance,
Gireesh

Creating/Mapping security roles without authentication

Hello all, I am new to WebLogic 9.1, and I appreciate your help in advance.
I have an HTTP header pre-populated with the roles a logged-in user has (these roles are defined outside websphere), and the user has already been authenticated.
I want to map each role from my header to a URI configured in weblogic, so it can authorize/deny access to that page within the container, based on the role in the header.
What would be a good approach to doing this? I have been looking through the security documentation, and I am a bit overwhelmed, I'm not sure where to begin.
Thanks

Hi,
1) as said, nothing prevents you from building a JAAS LoginModule that does what you need - e.g. authenticate a user against LDAP, then connect to the database and query for his/her user roles. You can't have container managed authorization without authentication though.
There will be a change in API in JDeveloper 11 (and most likely in JDeveloper 10.1.3.4 - upcoming) that allows you to set a Subject into the OC4J context, in which case you don't need container managed autehntication. However, I don't have it tested yet and can't tell to what extend this would be useful
3) Sure, you can build a JAAS LoginModule that doesn't care for authentication. However, this doesn't work with container managed security. As far as I am aware, the only option to not show a login dialog is to use certificates. And certificates are not yet to use with custom LoginModules. So the above mentioned API - that is available as a backported patch for 10.1.3.1 - might do the trick
Frank

NWA 7.3 : Looking for "security roles" (Policy Configuration) ...

Hi guys,
We deployed a simple application in our new SAP NW 7.3 JAVA instance; by calling the application, we receive "error 403 : Error: You are not authorized to view the requested resource."; this was fixed wihtin NW 7.x by adding a user/group within security roles of the selected component ( Visual Admin => Security Provider => Policy Configurations => select component and than security roles );
where to do this within NWA 7.3 ?
any ideas;
Thanks
Oliver

Hi Oliver,
Procedure
Start SAP NetWeaver Administrator with the quick link /nwa/auth.
Choose Components.
Select a policy configuration.
On the Authentication Stack tab, choose the Edit pushbutton.
Determine if you want to use an existing template or if you want to change the policy configuration of the current component.
To use an existing template, select a template from the Used Template field.
For authscheme references, select a template from Used Authscheme.
The component uses the settings and authentication stack from the template. To edit these settings, edit the settings of the policy configuration template. To create a new template, see Creating Authentication Stack Templates for Policy Configurations.
To change the policy configuration of the current component, do the following:
Add and remove login modules as required.
The system applies the login modules in the order they appear in the list.
Set a processing flag for each login module.
For more information about login module flags, see Policy Configurations and Authentication Stacks.
Add and remove any options to the login modules.
Set the authentication stack parameters according to the type of policy configuration.
Please,go through below help file
http://help.sap.com/saphelp_nw73/helpdata/en/4a/734e26fa92731fe10000000a42189c/frameset.htm
Cheers
Revanth Pasupuleti

Invalid Security role-name error in Web Project

Hi All,
I have imported a J2EE application project built in JBOSS into NWDS 7.1.
While building the project i get the following error
CHKJ3020E:Invalid Security role-name error: PEHNTAHO_ADMIN
This error directs me to the following code in web.xml
<security-constraint>
 <display-name>Default JSP Security Constraints</display-name>
 <web-resource-collection>
 <web-resource-name>Portlet Directory</web-resource-name>
 <url-pattern>/jsp/*</url-pattern>
 <http-method>GET</http-method>
 <http-method>POST</http-method>
 </web-resource-collection>
 <auth-constraint>
 <role-name>PEHNTAHO_ADMIN</role-name>
 </auth-constraint>
 <user-data-constraint>
 <transport-guarantee>NONE</transport-guarantee>
 </user-data-constraint>
 </security-constraint>
I have tried out the following things to resolve this issue :
1) Remove the role manually(as suggested by various people in other J2EE forums), but then some other error came in to picture
2)Then I added the following code in web.xml
<security-role>
 <role-name>PEHNTAHO_ADMIN</role-name>
 </security-role>
Then the above mentioned build error gets resolved, but then I get the following error while deploying the application.
Dec 3, 2007 12:59:21 AM /userOut/daView_category (eclipse.UserOutLocation) [Thread[Deploy Thread,5,main]] ERROR: Deploy Exception.An error occurred while deploying the deployment item 'sap.com_AnalyticsApp2EAR'.; nested exception is:
 java.rmi.RemoteException: class com.sap.engine.services.dc.gd.DeliveryException: An error occurred during deployment of sdu id: sap.com_AnalyticsApp2EAR
sdu file path: D:\usr\sap\CE1\J01\j2ee\cluster\server0\temp\tcbldeploy_controller\archives\191\AnalyticsApp2EAR.ear
version status: HIGHER
deployment status: Admitted
description:
 1. Error:
Cannot update application sap.com/AnalyticsApp2EAR. Reason: The application sap.com/AnalyticsApp2EAR will not be update, because its validation failed. Reason:
ERRORS:
Web Model Builder: com.sap.engine.frame.core.configuration.NameNotFoundException: The parameter/s in String "<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
 
</web-app>
" is/are not defined and could not be substituted., file: AnalyticsApp2.war#WEB-INF/web.xml, column 0, line 0, severity: error
WARNINGS:
Web Model Builder: Following tests could not be executed because of failed precondition test "Web Model Builder" : Implicit Constraints Test, JSF Application Test, Mapping Test, Web File Existence Test, Web Class Existence Test, Security Role Test, file: AnalyticsApp2.war, column -1, line -1, severity: warning
3) I had also added the following code in web-j2ee-engine.xml
<security-role-map>
 <role-name>PEHNTAHO_ADMIN</role-name>
 <server-role-name>all</server-role-name>
 </security-role-map>
but still i get the same deployment error.
Please help me in resolving this problem.
Can anybody tell me the use of role "PEHNTAHO_ADMIN"?
Thanks and Regards,
Sruti

Hi Malathy,
Once the users are created in Authentication Provider, and once the roles are created in Weblogic Server, You just have to map users to roles in Jazn-data.xml.
Could you please let us know you created a roles named users in WLS ?
Thanks & Regards,
Murali.
============

Issue with generating a security role in program CRMD_UI_ROLE_PREPARE

Hello -
We have recently upgrade from CRM 2007 from CRM 4.0. We are working with the Business Roles and generating the security role from the business role using CRMD_UI_ROLE_PREPARE. We first create a simple test Business Role, a Z* copying from TPM_ROLE. Then we generated the security using CRMD_UI_ROLE_PREPARE. This was fine. Now was have copied a Business Role from TPM_ROLE that is one we want to use. We have created our own Z* Nav Bar and Role Config Key. This is working fine, but now when we try to generate using CRMD_UI_ROLE_PREPARE, the txt file is not generated, though there are no errors in the log. We can still generate the security role from our simple test. We have looked on line, and read the article in CRM Expert in June on Business Roles, but have not found the solution yet. Has anyone run into this?
thanks
 George

This is how I used this program:
A. Generate required authorization objects
1. T-Code: SA38
2. Enter report CRMD_UI_ROLE_PREPARE and choose Execute.
3. Select your Business Role.
4. Choose language EN.
5. Choose Execute.
Result: A file is created for each Business Role and saved on your computer in the SAP working directory. If you are working with Microsoft Windows XP, this file is saved in C:\Documents and Settings\<User ID>\SapWorkDir\.
B. Assign authorization objects
1. T-Code: PFCG
2. Enter your Role and choose Change.
3. On the Menu tab choose Import from file and upload the file previously created.
4. Choose Save.
Then adapt the authorizations if needed and choose Generate.
Stephanie.

How to specify the security policy "Allow access to everyone" for security role in Deployment descriptor

Hi,
I am migrating a web application from Websphere to Weblogic. The web application has a security role defined in web.xml (Use LDAP for authentication).
security-role>
 <description>Authenticated</description>
 <role-name>Authenticated</role-name>
 </security-role>
This role is mapped to a special subject "All authenticated user in appliation realm" in WAS.
In weblogic, I have the following setting in weblogic.xml
<wls:security-role-assignment>
 <wls:role-name>Authenticated</wls:role-name>
 <wls:externally-defined />
 </wls:security-role-assignment>
And after deploy the application, have to manually add a security role and add the security policy "Allow access to everyone" to this role.
I am wondering if this setting can be specified in for example weblogic.xml so just deploy web applicaiton using deployment descriptor, and I don't need write script to do that .
Thanks

Hi,
You need to have Back End support to achieve this. In Back End you need to create two groups . You need to know what joins has to be made for which group (which is more important) and also make session variable for the userrole (with SQL supporting it). In the BMM layer, we need to put the security join conditions in the 'where clause'.
And make a common report. User loggin in with the respective userid will have userrole and joins assigned in the Back end. And they will be viewing the report according to their access.
Hope this will solve your problem.
Regards
MuRam

How reusable is a security role

Can I copy one from one org to another? More specifically, since the set of custom entities don't match, am I creating a problem or opportunity for collision by copying a security role from one org to another? Are custom entities managed by
guid or entityTypeCode within the security role?

I've just done a test and managed to import a role that was controlling access to an entity present on the origin CRM but not present on the destination CRM. the import went though without errors. the role was created on the destination, but the role's
settings for the custom entity disappear. So, even if that may not break the system, it Can cause confusion. Specially if you are moving across DEV, TEAST and PROD systems. Not a good practice.
I Hope I could help. If I have answered please mark as 'Answer'. If was just helpful, please vote. Thanks and happy coding! Bruno Lucas, http://dynamicday.wordpress.com/

Problem while loading security information (users/roles) from repository

Iview have stopped connecting to our MDM, All repositories, all IViews Very strange
Here is what I see in the logs.... Any ideas? Please if you have seen this before only
Marty
com.sap.mdm.extension.MetadataException: Problem while loading security information (users/roles) from repository 'PORTAL_CUSTOMERS'
at com.sap.mdm.extension.MetadataManager.loadRoleCache(MetadataManager.java:559)
at com.sap.mdm.extension.MetadataManager.internalGetRoleSet(MetadataManager.java:502)
at com.sap.mdm.extension.MetadataManager.getRoleSet(MetadataManager.java:471)
at com.sap.mdm.extension.MetadataManager.createMetadataKey(MetadataManager.java:464)
at com.sap.mdm.extension.MetadataManager.getRepositorySchema(MetadataManager.java:197)
at com.sap.mdm.uwl.MdmUwlConnector.createUserSessionContext(MdmUwlConnector.java:1463)
at com.sap.mdm.uwl.MdmUwlConnector.new_retrieveItems(MdmUwlConnector.java:546)
at com.sap.mdm.uwl.MdmUwlConnector.getItems(MdmUwlConnector.java:129)
Caused by: com.sap.mdm.commands.CommandException: com.sap.mdm.net.ConnectionException: java.io.IOException: Unexpected socket read. Result is -1.
at com.sap.mdm.security.commands.GetUserListCommand.execute(GetUserListCommand.java:72)
at com.sap.mdm.extension.MetadataManager.loadRoleCache(MetadataManager.java:526)
Caused by: com.sap.mdm.net.ConnectionException: java.io.IOException: Unexpected socket read. Result is -1.
at com.sap.mdm.internal.protocol.manual.AbstractProtocolCommand.execute(AbstractProtocolCommand.java:102)
at com.sap.mdm.security.commands.GetUserListCommand.execute(GetUserListCommand.java:69)
at com.sap.mdm.internal.net.DataSocket.receiveData(DataSocket.java:62)
at com.sap.mdm.internal.net.ConnectionImpl.readInt(ConnectionImpl.java:497)
at com.sap.mdm.internal.net.ConnectionImpl.readInt(ConnectionImpl.java:490)
at com.sap.mdm.internal.net.ConnectionImpl.nextMessage(ConnectionImpl.java:629)
at com.sap.mdm.internal.net.ConnectionImpl.receiveMessage(ConnectionImpl.java:572)
at com.sap.mdm.internal.net.ConnectionImpl.send(ConnectionImpl.java:233)
at com.sap.mdm.internal.protocol.manual.AbstractProtocolCommand.execute(AbstractProtocolCommand.java:99)
com.sap.mdm.commands.CommandException: com.sap.mdm.net.ConnectionException: java.net.SocketException: There is no process to read data written to a pipe.

Early this month we upgraded the MDM server to:
MDM Server version: 5.5.63.57
And the portal components:
MDM 5.5 SP06 Technology Patch 3 (Build 5.5.63.57)
MDM 5.5 SP06 Application Patch 3 (Build 5.5.63.57)
MDM 5.5 SP06 Java API Patch 3 (Build 5.5.63.57)
However the issue just began 2 days ago?
We started intgrating MDM Workflow with UWL and assigned Roles and Iviews to the Universal Worklist Configuration
It seems the Iviews work for a while and then after some time everything gives up? Very confounding
And yes we are using standard Iviews (search, Result and detail)
Thanks
Edited by: Marty Monroe on Oct 31, 2008 3:07 PM

Error :Authorization check for caller assignment to J2EE security role whil

Hi Experts,
i m working as a portal resource .
after the deployment of standered Sap e-rec package .
i m getting some error. i have assigned the recruiter role to one test user.
Now i m getting two issue:
1)All the services are appearing in Detailed Navigation Pannel but not in Portal content area..
2) I m able to see few iview for the test user but those are also in detailed navigation view.
And few ivews are giving following error :
i)Internal error
ii)error 2011-12-19 07:59:57:315 ACCESS.ERROR: Authorization check for caller assignment to J2EE security role [sap.com/com.sap.lcr*sld : LcrInstanceWriterNR] referencing J2EE security role [SAP-J2EE-Engine : administrators].
/System/Security/Audit/J2EE com.sap.engine.services.security.roles.audit n/a EP-DEV-KRT Server 0 0_97989
Full Message Text
ACCESS.ERROR: Authorization check for caller assignment to J2EE security role [sap.com/com.sap.lcr*sld : LcrInstanceWriterNR] referencing J2EE security role [SAP-J2EE-Engine : administrators].
please suggest what can be done or what is pending from my side.

Prajakta2602 wrote:
Hi Experts,
>
> the previous issue got solved..
> it was due to servies pack miss match and applying notes
> the Basis guy checked the SLD logs and accordingly found that the base components J2EECORE and JTECHS required paching as per
> notes 1445294 and 1175239 were applied.
> now the issue is:
>
>
> After implemetation and i assigning the standerd sap roles
> 1)Recruiter Administrator
> 2)Recruiter
> to the test user .
> but for few iview it is showing error as in
> 1) you are not a authorized user
> 2) internal error
>
> please help experts.
>
> i m working on portal side have i to assign any role to that test user..
>
>
> Thnaks & Regards,
> Prajakta
You can run a quick check using the below steps:
1. Check in backend whether there is any authorisation errors... you may use transactions SU53 or ST22 for any ABAP errors
2. Also check in NWA -> log viewer -> last 24 hours log for the particular user to see any java related issues.
Regards,
Mahesh

Obtaining roles from desktop

Hi,
In my project there is a need to obtain all roles entiltled to any desktop.
There are 100s desktops created in the portal and I need to know roles of a specific desktop.I did not find any method of any class in the portal API.
Please help me to findout correct class/api. Thanks in advance.
Nitin

com.bea.p13n.security.management.rolemapper.RoleManagerProxy
contains a method to findout roles from any resource. But I dont know how to get resource Id of any Desktop this is the problem with me.
public String[] listRolesForResource(String resourceId)Lists all role names for this provider associated with the given resource id.
Parameters:
resourceId - the resource the role is scoped to
Returns:
String array of role names

J2EE, get all security roles

On a J2EE application server (preferable from in a Servlet, but EJB is also fine), how do I get an array or list of all security roles?
I want to present the user who creates for example a forum topic to define which roles can view it.

On a J2EE application server (preferable from in a
Servlet, but EJB is also fine), how do I get an array
or list of all security roles?
I want to present the user who creates for example a
forum topic to define which roles can view it.Short answer: You cant, because there is no such functionality mandated by either the servlet or the ejb specs.
Long answer: You can, but it will be particular to the registry implementation you use, and will also mandate some naming scheme to map between for example ldap groups and authentication roles.
Br - J

ITunes movies no longer sync from Dell laptop or MacBook Pros (both authorized devices) to iPhone 6s or iPad Air 2s after configured at Apple store yesterday. In the past I could see the movies in iTunes with the cover photo and sync.

iTunes movies no longer sync from Dell laptop or MacBook Pros (both authorized devices) to iPhone 6s or iPad Air 2s after configured at Apple store yesterday. In the past I could see the movies in iTunes with the cover photo and sync to the other devices but now there is a listing a movies with no cover photos and in fact if I try to view the movie on the MacBook Pro it cannot be found unless I download it.

All I had to do was complain. I synced my iPhone to the Windows machine, checked the other account at iTunes prompting (where no apps had shown up previously), reconnected the iPad, and 140 apps downloaded including the App Store. I have no idea why.

I'll ask this again. I'm running Yosemite, LR 4.4 everything was running fine and I'm not sure if this is connected but when I loaded the last security update from Apple I started getting the "no content" box when I tried to publish to LR (Facebook OK),

I'll ask this again. I'm running Yosemite, LR 4.4 everything was running fine and I'm not sure if this is connected but when I loaded the last security update from Apple I started getting the "no content" box when I tried to publish to Flickr (Facebook OK), now I can't get it to authorize, I loaded 3rd party JR plug in and still get can't authorize. Can anybody help? Basically LR is useless, it has been nothing but problems.

It would probably be better to continue your previous thread on the same question than to start a new one.

Configuring J2EE Appl to obtain security roles from authentication Subject

Similar Messages

Maybe you are looking for