Custom Authentication Provider and User Manage like SQLAuthenticator, How?

Similar Messages

• Cannot Start Weblogic Server After adding  Custom Authentication Provider

  Hi,
  I implemented a Custom authentication provider and configured it wih Weblogic 10.3 application server. Although I successfully added Authentication provider, I couldn't restart my server. I used MBeanMaker utility to package my Authentication provider and login module. Although the MBean Utility signalled some warnings and severe messages, it successfully packaged the files. When I look at the config.xml file after adding he authenticator it just adds three lines
  ( <sec:authentication-provider>
  <sec:name>STOREDPROCEDURE</sec:name>
  </sec:authentication-provider>
  ) Although there are some other attributes of the authenticator.
  Please advice.
  Here is some stack trace.
  Best Regards,
  Salim
  com.bea.common.engine.ServiceInitializationException: com.bea.common.engine.SecurityServiceRuntimeException: [Security:097533]SecurityProvider service class name for STOREDPROCEDURE is not specified.
  at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:365)
  at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:315)
  at com.bea.common.engine.internal.ServiceEngineImpl.lookupService(ServiceEngineImpl.java:257)
  at com.bea.common.engine.internal.ServicesImpl.getService(ServicesImpl.java:72)
  at weblogic.security.service.internal.WLSIdentityServiceImpl.initialize(Unknown Source)
  at weblogic.security.service.CSSWLSDelegateImpl.initializeServiceEngine(Unknown Source)
  at weblogic.security.service.CSSWLSDelegateImpl.initialize(Unknown Source)
  at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.InitializeServiceEngine(Unknown Source)
  at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initializeRealm(Unknown Source)
  at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.loadRealm(Unknown Source)
  at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initializeRealms(Unknown Source)
  at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(Unknown Source)
  at weblogic.security.service.SecurityServiceManager.initialize(Unknown Source)
  at weblogic.security.SecurityService.start(SecurityService.java:141)
  at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
  at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
  at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
  com.bea.common.engine.SecurityServiceRuntimeException: [Security:097533]SecurityProvider service class name for STOREDPROCEDURE is not specified.
  at com.bea.common.security.internal.legacy.service.SecurityProviderImpl.init(SecurityProviderImpl.java:47)
  at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:363)
  at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:315)
  at com.bea.common.engine.internal.ServiceEngineImpl.lookupService(ServiceEngineImpl.java:257)
  at com.bea.common.engine.internal.ServicesImpl.getService(ServicesImpl.java:72)
  at weblogic.security.service.internal.WLSIdentityServiceImpl.initialize(Unknown Source)
  at weblogic.security.service.CSSWLSDelegateImpl.initializeServiceEngine(Unknown Source)
  at weblogic.security.service.CSSWLSDelegateImpl.initialize(Unknown Source)
  at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.InitializeServiceEngine(Unknown Source)
  at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initializeRealm(Unknown Source)
  at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.loadRealm(Unknown Source)
  at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initializeRealms(Unknown Source)
  at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(Unknown Source)
  at weblogic.security.service.SecurityServiceManager.initialize(Unknown Source)
  at weblogic.security.SecurityService.start(SecurityService.java:141)
  at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
  at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
  at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
  ####<Feb 3, 2009 12:22:42 AM EET> <Error> <Security> <localhost.localdomain> <DefaultServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1233613362036> <BEA-090870> <The realm "myrealm" failed to be loaded: weblogic.security.service.SecurityServiceException: com.bea.common.engine.ServiceInitializationException: com.bea.common.engine.SecurityServiceRuntimeException: [Security:097533]SecurityProvider service class name for STOREDPROCEDURE is not specified..
  weblogic.security.service.SecurityServiceException: com.bea.common.engine.ServiceInitializationException: com.bea.common.engine.SecurityServiceRuntimeException: [Security:097533]SecurityProvider service class name for STOREDPROCEDURE is not specified.
  at weblogic.security.service.CSSWLSDelegateImpl.initializeServiceEngine(Unknown Source)
  at weblogic.security.service.CSSWLSDelegateImpl.initialize(Unknown Source)
  at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.InitializeServiceEngine(Unknown Source)
  at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initializeRealm(Unknown Source)
  at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.loadRealm(Unknown Source)
  at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initializeRealms(Unknown Source)
  at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(Unknown Source)
  at weblogic.security.service.SecurityServiceManager.initialize(Unknown Source)
  at weblogic.security.SecurityService.start(SecurityService.java:141)
  at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
  at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
  at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
  com.bea.common.engine.ServiceInitializationException: com.bea.common.engine.SecurityServiceRuntimeException: [Security:097533]SecurityProvider service class name for STOREDPROCEDURE is not specified.
  at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:365)
  at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:315)
  at com.bea.common.engine.internal.ServiceEngineImpl.lookupService(ServiceEngineImpl.java:257)
  at com.bea.common.engine.internal.ServicesImpl.getService(ServicesImpl.java:72)
  at weblogic.security.service.internal.WLSIdentityServiceImpl.initialize(Unknown Source)
  at weblogic.security.service.CSSWLSDelegateImpl.initializeServiceEngine(Unknown Source)
  at weblogic.security.service.CSSWLSDelegateImpl.initialize(Unknown Source)

  You need to make sure that you nuke the whole directory that you are specifying to the MBean marker generator. For example, I use the following command to generate the provider jar file.
  java -Dfiles=$PRJROOT/ERModel/classes -DMDF=$PRJROOT/ERModel/classes/MyCustomAuthenticator.xml -DMJF=$PRJROOT/ERModel/custom-auth-provider.jar -DtargetNameSpace=http://xmlns.oracle.com/oracleas/schema/11/adf/sampleapp/weblogic/providers -DpreserveStubs=true -DcreateStubs=true weblogic.management.commo.WebLogicMBeanMaker1c
  I need to nuke the directory in the -Dfile option i.e. 'rm -rf $PRJROOT/ERModel/classes/' each time I generate the jar file. If you don't, the jar file generates without any error but you will get a runtime exception.

• How to remove custom authentication provider in weblogic server 11g

  Hi ,
  I am trying to remove the custom authentication provider in weblogic server 11g, It disappears when i delete it from list of authentication providers. But upon server restart it appears again.
  Documentation for 10g says delete it from service administration but i couldn't find one in 11g. Please help me in removing the custom authentication provider
  Thanks
  Sandeep

  You can try editing the config.xml file and removing it there. (Re: After provider reorder I cannot login admin server console
  If you are referring to a jar file - custom authenticators are usually placed in the <middleware-home>wlserver_10.3/server/lib/mbeantypes/ directory.

• Workshop 8.1 Calling EJB from Custom Authentication Provider

  I am writing a custom authentication provider that runs on Weblogic Server 8.1 and also on Workshop 8.1. Everything is packaged into a jar file that I put into the mbeantypes directory. From the authentication provider I want to get an EJB home that is on another Weblogic 8.1 server.
  Loading the home from the Weblogic server works great. But in Workshop I get a ClassCastException from the PortableRemoteObject.narrow() call.
  This happens in Workshop even if I remove all my application jar files, so I am left with nothing but the startup classpath and the files in the mbeantypes directory. That is, I don't have any classes in two directories.
  When I look at the class that I actually get back from the call to context.lookup( jndiName ), I get the same stub class back on the Weblogic Server and on the Workshop server. But only on Workshop do I have this casting problem.
  Any ideas?
  Thanks,
  Mark

  Issue has been resolved.
  The reason I've forgotten about Value Object that is being returned by Remoute method to put them into classpath of Authenticator Provider

• Doubt between RMAN and User Managed Backup

  Friends,
  OS: RHEL AS 3.0
  DB: 9iR2
  Currently we are taking user managed backup.
  rman is in testing(learning) process.
  Is it possible to take rman backup and user managed backup of a database one after another?
  what i mean is.....suppose, if we configure rman for auto backup at 9pm daily. can i take user managed backup before 8pm or after 10pm?
  Am i have to take any precaution's?
  suppose, rman is failed can i restore the db with user managed backup?
  thanks

  Yes, it is possible to perform both user managed backups and RMAN backups.
  It is a waste of resources, but it is possible.
  You would need to make sure both backups do not overlap each other.
  Whether you can restore your database with user managed backup depends completely on the quality of the user managed backup, and whether you have proper (and tested) restore procedures in place.
  Sybrand Bakker
  Senior Oracle DBA

• Is the recovery techniques for RMAN and user managed are different

  Hi Gurus,
  I want to know the exact difference b/w RMAN and user managed recovery.
  Is the difference is too much or if we know the user managed recovery,can we do the recovery using the RMAN...
  Regards,
  pradeep

  user6738165 wrote:
  Hi Gurus,
  I want to know the exact difference b/w RMAN and user managed recovery.
  Is the difference is too much or if we know the user managed recovery,can we do the recovery using the RMAN...
  Regards,
  pradeepHi Pradeep and welcome to the forum
  I'd suggest you to check the Oracle Documentation to find out the difference by yourself
  RMAN Recovery Concepts
  http://download.oracle.com/docs/cd/B19306_01/backup.102/b14191/rcmconc2.htm#i1007882
  Performing User-Managed Recovery
  http://download.oracle.com/docs/cd/B19306_01/backup.102/b14191/osrecov.htm#BABBBBBB
  RMAN has great advantages over the User-Managed techniques. RMAN uses it's own RMAN commands to perform backup or recovery, while with user-managed backup and recovery you use SQL commands
  By knowing the main backup and recovery concepts, you can perform both

• Using Federated Security in BizTalk against custom Token Provider and Custom Token

  Hi,
  I as the topic states, I'm trying to get BizTalk to use a Custom Token Provider with custom tokens.
  So I thought this would be rather painless using ws2007FederationHttpBinding but got stuck. The problem is that the service expect soap action and a special structure (se example):
  Request:
  <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsc="common.namespace" xmlns:ws="securitytoken.namespace">
     <soapenv:Header>
        <wsc:AutHeader>      
  Containing Custom Auth header information tags, about 20 or so
        </wsc:AutHeader>
     </soapenv:Header>
     <soapenv:Body>
        <ws:SECSSecurityTokenCreate_V1_0InputArgs>
           <ws:SecurityTokenCreateRequest>
              <ws:securityToken><!-- signed SAML assertion --></ws:securityToken>
           </ws:SecurityTokenCreateRequest>
        </ws:SECSSecurityTokenCreate_V1_0InputArgs>
     </soapenv:Body>
  </soapenv:Envelope>
  Response:
  <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
  <SECSSecurityTokenCreate_V1_0OutputArgs xmlns:ns2="common.namespace" xmlns="tokenservice,namespace">
  <SecurityTokenCreateResponse>
  <securityToken> <!-- THE Custom TOKEN --> </securityToken>
  </SecurityTokenCreateResponse>
  <ResponseState>
  <ns2:ErrorCode>0</ns2:ErrorCode>
  <ns2:Severity>0</ns2:Severity>
  <ns2:ComponentId>201</ns2:ComponentId>
  <ns2:StrErrorCode xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true" />
  <ns2:Message>OK</ns2:Message>
  <ns2:NativeError xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true" />
  <ns2:LogSequence xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true" />
  </ResponseState>
  </SECSSecurityTokenCreate_V1_0OutputArgs>
  </soap:Body> </soap:Envelope>
  Error Message in BizTalk, when I send message via ws2007FederationHTTPBinding to the SOAP service, as expected the soap structure dosent match the expected one from the server, most obvisly is the missing SOAP action and incorrect BODY element.
  System.ServiceModel.ProtocolException: The content type text/html; charset=iso-8859-1 of the response message does not match the content type of the binding (application/soap+xml; charset=utf-8). If using a custom encoder, be sure that the IsContentTypeSupported method is implemented properly. The first 521 bytes of the response were: '<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
  <soap:Body>
  <soap:Fault>
  <soap:Code>
  <soap:Value>Server</soap:Value>
  </soap:Code>
  <soap:Reason>
  <!--1 or more repetitions:-->
  <soap:Text xml:lang="en">Missing operation for soapAction [null] and body element [{http://docs.oasis-open.org/ws-sx/ws-trust/200512}RequestSecurityToken] with SOAP Version [SOAP 1.2]</soap:Text>
  </soap:Reason>
  </soap:Fault>
  </soap:Body>
  </soap:Envelope>'. ---> System.Net.WebException: The remote server returned an error: (500) Internal Server Error.
  at System.Net.HttpWebRequest.GetResponse()
  at System.Servi
  My plan to solve this is to try using beahviors added to the "inner" wcf binding that will help reconstruct the message from the standard form that I has, but I'm a bit vorried that I start to solve this and later on I'll have to add custom handling
  for token extraction and handling since the token should be placed in a custom header in the soap envelope with custom namespace =).
  So my question is, could this be solved via sw2007FederationHttpBinding or is an orchestration and some custom code for signing the path forward?
  Thanks in advance for any help or guidance!
  /Mattias

  It's a little tough to use sw2007FederationHttpBinding, I faced similar situation before. :(

• Slides for CCMS and User Management

  Hello,
  Can anyone recommend some helpful (SAP-owned, standard) .ppt-Slides or pdf.-Slides for the following points:
  <b>CCMS
  User Management und Disaster Recovery Mechanismen </b>
  Thank you very much!
  Regards
  A. Henke

  Hi,
  Take a look at service.sap.com/monitoring and service.sap.com/security
  /Jesper

• Rman And user Managed backup

  Hi,
  I have following question
  User Managed backup
  1)when i take user mananged backup i want to know whether DDL operation is permitted or not
  2) when i take user mananged backup i want to know whether WE ADD/REMOVE TABLESPACE ??
  Rman backup
  1)when i take RMAN backup i want to know whether DDL operation is permitted or not
  2) when i take Rman backup i want to know whether WE ADD/REMOVE TABLESPACE ??
  Regards

  Hi,
  Please go through the below links to get much familiar with user managed backup's and rman backup's.
  Oracle9i User-Managed Backup and Recovery Guide
  Release 2 (9.2)
  http://download.oracle.com/docs/cd/B10501_01/server.920/a96572/toc.htm
  Making User-Managed Backups
  http://download.oracle.com/docs/cd/B19306_01/backup.102/b14191/osbackup.htm
  Oracle9i Recovery Manager (RMAN)
  http://www.oracle-base.com/articles/9i/RecoveryManager9i.php
  RMAN Backup Concepts (11g R1)
  http://download.oracle.com/docs/cd/B28359_01/backup.111/b28270/rcmcncpt.htm
  Overview of RMAN Backups (10g R2)
  http://download.oracle.com/docs/cd/B19306_01/backup.102/b14192/bkup001.htm
  Oracle RMAN Backups: Pushing the "Easy" Button
  http://www.oracle.com/technetwork/articles/havewala-rman-grid-089150.html
  Hope this helps you understand clearly about both the user managed backups and rman backups. :)
  Thanks,
  Balaji K.

• I want to switch my emails back to my email provider and not use thunderbird. How do I do this?

  I need to be able to access my email on my iPhone. I doesn't seem like this is an option when using thunderbird. Therefore, I need to switch my emails back to my original email provider.
  I would like to know how to do that.
  Or if you have a solution for checking my thunderbird account via my iPhone, I would be happy to do that. I looked for a thunderbird app for the iPhone but couldn't find one.
  thank you

  Is your mail account set up as as POP account?
  When you set up Thunderbird to access your mail using the POP protocol, it has an option to keep mail on the server for access though other clients or to remove it (either immediately or after a period of time).
  ''To stop the damage:'' You can change this setting on your account within Thunderbird. In Account Settings (app menu button or classic Tools menu), check Server Settings.
  ''To restore the removed messages:'' POP is a one-way protocol, so there isn't a way within Thunderbird to upload the mail back to the server without setting up a different kind of connection.
  If your mail service allows an IMAP connection, that would create a new set of folders in Thunderbird, and by copying messages into the Inbox in Thunderbird you could sync them back to the server. (Not sure whether the dates will be 100% preserved in the process.)
  Volunteers can describe this in more detail if you want to try it.

• Delegated Admin and User Management in WLP 9.2

  Hi,
  I've made Delegated Administrator role and a user for it. The user is Delegated Admin for our users and groups. Still that user cannot create new users, only new groups.
  The error message that shows when creating new user is "The subject does not have access to the specified group".
  What should I do to make it work ?
  Regards,
  Tanja

  Unfortunately, you've run into a bug in the product. See CR282051 in the WLP 9.2 release notes.
  http://edocs.bea.com/wlp/docs92/relnotes/relnotes.html#wp1147925
  If you have a support contract, you might be able contact BEA Support to see if a patch might be available.

• Schema and user management.

  Hi,
  I am planning to create multiple users for a particular schema.
  Ex: I have a schema emp_db. will it be possible to create multiple users who access the same schema. I am planning to do an audit on the schema to know which user has done the modification.

  will it be possible to create multiple users who access the same schema. Yes, a schema objects can be accessed by several other users in the database. You need to grant privileges to the other users to have access to the objects from emp_db schema.

• I have source and target structures like thais how to map

  source structure: name
                            id
                            addr
                            description
                            details
                            dept
  target structure:   name
                            id
                            addr
                            dept

  source structure:                 target structure:
                         1...1
  name        _____________     name
                         1...1
  id              _____________     id
                        1...1
  addr          _____________    addr
  description        <no mapping>
  details              <no mapping>
                       1.....1
  dept        _____________       dept
  Thanks,
  Varun

• Administration Portal user and group managent performace issue

  Hi
  I have implemented a custom IPlanet LDAP authentication provider which provides
  a realization for the needed authentication, group and user management interfaces
  (UserReader, UserEditor, GroupReader, GroupEditor).
  The authentication provider itself seems to work fine, but I think I found a possible
  performance problem in the WebLogic Administration Portal, when I studied the
  authentication framework by remote debugging. Response times (with just one simultaneous
  user) are quite long (over 8 seconds) with 40 groups on the same hierarchy level
  on the Users, Groups and Roles tree. I'm developing with P4 processor and 1 Gb
  ram (512 Mb allocated for WLS)
  After little debugging I found out that every time a node in the group tree is
  dlicked isMember() method of the authentication provider gets called n * (n -1)
  times, where n is the number of visible groups in the hierachy tree. '
  What happens is that for each group, the membership of all the other visible groups
  is checked by the isMember(group, member, recursive), method call. Even the usage
  of a membership cache in this point didn't speed up the rendering noticeably.
  By placing a break point in the isMember() method and studying the call stack,
  one can see that all the isMember() calls are made during the rendering performed
  by the ControlTreeWalker. For example if there is 40 groups visible in the tree,
  the isMember() method gets called 1600 times. This seems quite heavy. With a
  small number of groups per hierarchy level this problem might not be serious,
  but in case where there would be over 30 000 customer companies using the portal
  and each having their own user groups, it could be an issue.
  The problem does not occur with WebLogic console and browsing of groups and users
  (using the same authentication provider) is fast with it. When a user is selected
  from the user list and the Groups tab is checked, the Possible Groups and Current
  Groups list boxes will get populated. When debugging this sequence, one can see
  that only the listGroups() method of the authentication provider is called once
  per list box and the order of method calls is of order n (rather than n^2 which
  is the case with the Administrator Portal).
  Has anyone had similar problems with Administrator Portal's performance?
  Ville

  Ville,
  You're correct about the performance degradation issue. This is being
  addressed in SP2.
  Thanks,
  Phil
  "Ville" <[email protected]> wrote in message
  news:[email protected]...
  >
  Hi
  I have implemented a custom IPlanet LDAP authentication provider whichprovides
  a realization for the needed authentication, group and user managementinterfaces
  (UserReader, UserEditor, GroupReader, GroupEditor).
  The authentication provider itself seems to work fine, but I think I founda possible
  performance problem in the WebLogic Administration Portal, when I studiedthe
  authentication framework by remote debugging. Response times (with justone simultaneous
  user) are quite long (over 8 seconds) with 40 groups on the same hierarchylevel
  on the Users, Groups and Roles tree. I'm developing with P4 processor and1 Gb
  ram (512 Mb allocated for WLS)
  After little debugging I found out that every time a node in the grouptree is
  dlicked isMember() method of the authentication provider gets called n *(n -1)
  times, where n is the number of visible groups in the hierachy tree. '
  What happens is that for each group, the membership of all the othervisible groups
  is checked by the isMember(group, member, recursive), method call. Eventhe usage
  of a membership cache in this point didn't speed up the renderingnoticeably.
  >
  By placing a break point in the isMember() method and studying the callstack,
  one can see that all the isMember() calls are made during the renderingperformed
  by the ControlTreeWalker. For example if there is 40 groups visible inthe tree,
  the isMember() method gets called 1600 times. This seems quite heavy.With a
  small number of groups per hierarchy level this problem might not beserious,
  but in case where there would be over 30 000 customer companies using theportal
  and each having their own user groups, it could be an issue.
  The problem does not occur with WebLogic console and browsing of groupsand users
  (using the same authentication provider) is fast with it. When a user isselected
  from the user list and the Groups tab is checked, the Possible Groups andCurrent
  Groups list boxes will get populated. When debugging this sequence, onecan see
  that only the listGroups() method of the authentication provider is calledonce
  per list box and the order of method calls is of order n (rather than n^2which
  is the case with the Administrator Portal).
  Has anyone had similar problems with Administrator Portal's performance?
  Ville

• SecurityException (Invalid Subject) with custom database authentication provider WLS 7.0

  Hello
  I have implemented a custom authentication provider using a
  database. The login module works fine. It check the username and
  password, add the user as a WLSUser-principal and add the groups
  relatated to the user as WLSGroup-principals to the subject. I
  am able to start the WLS only using my authentication provider,
  but if i want to login into the console i get following
  SecurityException:
  java.lang.SecurityException: Invalid Subject: principals=
  [system, Administrators]
  at weblogic.security.service.SecurityServiceManager.seal
  (SecurityServiceManager.java:893)
  at weblogic.security.service.RoleManager.getRoles
  (RoleManager.java:269)
  at
  weblogic.security.service.AuthorizationManager.isAccessAllowed
  (AuthorizationManager.java:608)
  at
  weblogic.servlet.security.internal.WebAppSecurity.hasPermission
  (WebAppSecurity.java:370)
  at
  weblogic.servlet.security.internal.SecurityModule.checkPerm
  (SecurityModule.java:125)
  at
  weblogic.servlet.security.internal.FormSecurityModule.checkUserPe
  rm(FormSecurityModule.java:328)
  at
  weblogic.servlet.security.internal.SecurityModule.beginCheck
  (SecurityModule.java:179)
  at
  weblogic.servlet.security.internal.FormSecurityModule.checkA
  (FormSecurityModule.java:167)
  at
  weblogic.servlet.security.internal.ServletSecurityManager.checkAc
  cess(ServletSecurityManager.java:185)
  at
  weblogic.servlet.internal.WebAppServletContext.invokeServlet
  (WebAppServletContext.java:2960)
  at weblogic.servlet.internal.ServletRequestImpl.execute
  (ServletRequestImpl.java:2466)
  at weblogic.kernel.ExecuteThread.execute
  (ExecuteThread.java:152)
  at weblogic.kernel.ExecuteThread.run
  (ExecuteThread.java:133)
  Seems to me, that the default role manager does not map the
  group Administrators to the role Admin, which is allowed to
  access the resource console. So, what i do wrong? Must i set
  additional credentials to the subject? Or must i use a special
  Principal class? Who can help me?
  Thanks in advance & greetings
  Dirk Fellenstein

  I have solved it. The Problem was that the two Principal implementations, one that
  implements WLSGroup and one that implements WLSUser, need a common principal base
  class. The principal validator class, method getPrincipalBaseClass() must then return
  the common principal base class.
  "Dirk Fellenstein" <[email protected]> wrote:
  >
  Hello
  I have implemented a custom authentication provider using a
  database. The login module works fine. It check the username and
  password, add the user as a WLSUser-principal and add the groups
  relatated to the user as WLSGroup-principals to the subject. I
  am able to start the WLS only using my authentication provider,
  but if i want to login into the console i get following
  SecurityException:
  java.lang.SecurityException: Invalid Subject: principals=
  [system, Administrators]
  at weblogic.security.service.SecurityServiceManager.seal
  (SecurityServiceManager.java:893)
  at weblogic.security.service.RoleManager.getRoles
  (RoleManager.java:269)
  at
  weblogic.security.service.AuthorizationManager.isAccessAllowed
  (AuthorizationManager.java:608)
  at
  weblogic.servlet.security.internal.WebAppSecurity.hasPermission
  (WebAppSecurity.java:370)
  at
  weblogic.servlet.security.internal.SecurityModule.checkPerm
  (SecurityModule.java:125)
  at
  weblogic.servlet.security.internal.FormSecurityModule.checkUserPe
  rm(FormSecurityModule.java:328)
  at
  weblogic.servlet.security.internal.SecurityModule.beginCheck
  (SecurityModule.java:179)
  at
  weblogic.servlet.security.internal.FormSecurityModule.checkA
  (FormSecurityModule.java:167)
  at
  weblogic.servlet.security.internal.ServletSecurityManager.checkAc
  cess(ServletSecurityManager.java:185)
  at
  weblogic.servlet.internal.WebAppServletContext.invokeServlet
  (WebAppServletContext.java:2960)
  at weblogic.servlet.internal.ServletRequestImpl.execute
  (ServletRequestImpl.java:2466)
  at weblogic.kernel.ExecuteThread.execute
  (ExecuteThread.java:152)
  at weblogic.kernel.ExecuteThread.run
  (ExecuteThread.java:133)
  Seems to me, that the default role manager does not map the
  group Administrators to the role Admin, which is allowed to
  access the resource console. So, what i do wrong? Must i set
  additional credentials to the subject? Or must i use a special
  Principal class? Who can help me?
  Thanks in advance & greetings
  Dirk Fellenstein