Custom Authorization Logic Using request.isUserInRole(role) in Weblogic 11g

Dear All,
I am using BlazeDS and its security feature LoginCommand to implement a secured endpoint in Weblogic 11g. Since BlazeDS's default implementation uses the HTTP session and we do not want to use it, we would like to implement our own version of authentication and authorization. However, we faced a problem on the authorization part.
For authentication, we use weblogic.security.services.Authentication.login(username, password), which returns correctly. For authorization, we try to use HttpServletRequest.isUserInRole(role) to determine whether a user belongs to a target role, but it returns false.
When we tried to fix the problem, we added weblogic.servlet.security.ServletAuthentication.login(username, password, request, response) before weblogic.security.services.Authentication.login(username, password), which adds information to the HTTP session. It makes the later authorization using HttpServletRequest.isUserInRole(role) return true.
We want to know:
1. How can we check if an account belongs to a target role without using the HTTP session in a web application?
2. After we call Authentication.login(username, password), is there anything we need to do to log out and release any resources used?
3. If request.isUserInRole(role) is the only possible way to check if an account belongs to a target role, how can we check the reason why it returns false?
And here is how we set up user, group and role:
User (in WebLogic Admin Console) – demo_user with demo_grp
Group (in WebLogic Admin Console) – demo_grp with parent demo_grp1
Role (in weblogic-application.xml) – demo_role maps to demo_grp1
We set nothing in web.xml as we want to use the security feature provided by BlazeDS to secure an endpoint at method level.
Remarks:
For Authorization in BlazeDS, what we have is the authenticated user's principal, and the required role of the calling method:
public boolean doAuthorization(Principal principal, List roles);
Thanks In Advance,
Alex
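A session-free role check shaped like the doAuthorization hook above, added here as an illustration (it is not the poster's or BlazeDS's code). It assumes the authenticated javax.security.auth.Subject carries WebLogic group principals that implement java.security.acl.Group, and it mirrors the demo_role to demo_grp1 mapping and the demo_grp to demo_grp1 nesting from the post in its own tables instead of asking the container.

```java
import java.security.Principal;
import java.security.acl.Group;   // WebLogic group principals implement this (Java 6-8 API; removed in Java 14)
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.Vector;
import javax.security.auth.Subject;

/**
 * Authorization for a BlazeDS doAuthorization(Principal, List) hook that never touches
 * the HTTP session: the decision is made from the groups inside the authenticated Subject.
 * Assumptions (illustrative, not the page's code): the Subject comes from the WebLogic
 * login and its group principals implement java.security.acl.Group; ROLE_TO_GROUPS mirrors
 * weblogic-application.xml; GROUP_PARENTS mirrors the console's group nesting, because this
 * code does not ask the container to expand nested groups.
 */
public final class SubjectRoleAuthorizer {

    /** Returned from doAuthentication so that doAuthorization can get the Subject back. */
    public static final class SubjectPrincipal implements Principal {
        private final String name;
        private final Subject subject;
        public SubjectPrincipal(String name, Subject subject) { this.name = name; this.subject = subject; }
        @Override public String getName() { return name; }
        public Subject getSubject() { return subject; }
    }

    private static final Map<String, Set<String>> ROLE_TO_GROUPS = new HashMap<String, Set<String>>();
    private static final Map<String, String> GROUP_PARENTS = new HashMap<String, String>();
    static {
        // mirror of the security-role-assignment in the post: demo_role -> demo_grp1 (constructed)
        ROLE_TO_GROUPS.put("demo_role", Collections.singleton("demo_grp1"));
        // console group nesting, child -> parent: demo_grp has parent demo_grp1 (constructed)
        GROUP_PARENTS.put("demo_grp", "demo_grp1");
    }

    /** Group names held by the Subject plus their ancestors; user principals are skipped on purpose. */
    static Set<String> effectiveGroups(Subject subject) {
        Set<String> groups = new HashSet<String>();
        for (Principal p : subject.getPrincipals()) {
            if (!(p instanceof Group)) continue;     // a user whose name equals a group name must not match
            String g = p.getName();
            while (g != null && groups.add(g)) {     // add() returning false also stops parent cycles
                g = GROUP_PARENTS.get(g);
            }
        }
        return groups;
    }

    /** Body for LoginCommand.doAuthorization: access if the user holds a group mapped to any required role. */
    public static boolean doAuthorization(Principal principal, List<String> roles) {
        if (!(principal instanceof SubjectPrincipal)) return false;   // fail closed: not our principal
        Set<String> groups = effectiveGroups(((SubjectPrincipal) principal).getSubject());
        for (String role : roles) {
            Set<String> allowed = ROLE_TO_GROUPS.get(role);
            if (allowed == null) continue;                            // an unmapped role grants nothing
            for (String g : allowed) {
                if (groups.contains(g)) return true;
            }
        }
        return false;
    }

    /** Minimal stand-in for a container group principal, used only by the demo in main(). */
    static final class DemoGroup implements Group {
        private final String name;
        DemoGroup(String name) { this.name = name; }
        public String getName() { return name; }
        public boolean addMember(Principal p) { return false; }
        public boolean removeMember(Principal p) { return false; }
        public boolean isMember(Principal p) { return false; }
        public Enumeration<? extends Principal> members() { return new Vector<Principal>().elements(); }
    }

    public static void main(String[] args) {
        // constructed Subject for demo_user: one user principal plus direct membership of demo_grp only
        Subject s = new Subject();
        s.getPrincipals().add(new Principal() { public String getName() { return "demo_user"; } });
        s.getPrincipals().add(new DemoGroup("demo_grp"));
        Principal p = new SubjectPrincipal("demo_user", s);
        // first case reaches demo_grp1 through the parent chain; second case has no mapping at all
        System.out.println(doAuthorization(p, Collections.singletonList("demo_role")));
        System.out.println(doAuthorization(p, Collections.singletonList("other_role")));
    }
}
```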

You gotta specify your child table recon-field in the process definition mappings as a Key Field. Refer OOTB AD connector and check:
Process Definition -> AD User ->Reconciliation Field Mappings -> memberOf

Similar Messages

  • How to create a DBA role in weblogic 11g

    Hi,
    How can I create a role that will have permissions to create, delete, test and configure Data sources and won't be able to do/touch anything else?
    Thanks,
    Vitaly

    Hi Vitaly
No. This is NOT possible. Basically you want Edit/Modify privileges only for the DataSources section. At a high level, you can get full access to all the areas, which is Administrators. Or get Read Only access to all the areas like the Monitors group. Or just get Deployers who can only deploy. But you cannot get access to only a few areas in the weblogic console. Below are just the 3 important groups at a high level.
    Login into Weblogic Console -> Security Realms -> myrealm -> Groups tab and you can see list of groups that you can assign to any users.
    Administrators - Administrators can view and modify all resource attributes and start and stop servers.
    Deployers - Deployers can view all resource attributes and deploy applications.
    Monitors - Monitors can view and modify all resource attributes and perform operations not restricted by roles.
    Thanks
    Ravi Jegga

  • How to use security roles in Weblogic server?

    Hello Gurus,
    I am new to Weblogic server and I am trying to investigate how to make
    use of security roles in weblogic server (5.1.0). Can anyone point me
    to some documentation. Specifically, I am looking for instance level,
    and method level security and how to use it.
    Thanks for taking your time to read this e-mail.
    Thank You all in advance,
    Hari.

    You should read the security information in the Servlet 2.2 specification
    that WL 5.1 implements:
    http://java.sun.com/products/servlet/download.html
    Chapter 11 deals with declarative and programmatic security, and includes a
    section on roles:
11.4 Roles
A role is an abstract logical grouping of users that is defined by the Application Developer or Assembler. When the application is deployed, these roles are mapped by a Deployer to security identities, such as principals or groups, in the runtime environment.
A servlet container enforces declarative or programmatic security for the principal associated with an incoming request based on the security attributes of that calling principal. For example,
1. When a deployer has mapped a security role to a user group in the operational environment, the user group to which the calling principal belongs is retrieved from its security attributes. If the principal's user group matches the user group in the operational environment that the security role has been mapped to, the principal is in the security role.
2. When a deployer has mapped a security role to a principal name in a security policy domain, the principal name of the calling principal is retrieved from its security attributes. If the principal is the same as the principal to which the security role was mapped, the calling principal is in the security role.
    Cameron Purdy
    http://www.tangosol.com

  • Custom authorization for MDB in WLS 7.0

    Hi,
    Does anyone know how to authorize MDB using a Custom Authorization
    Provider while the Weblogic Container registers the MDB as a listener
    to JMS queue? My Custom Authorization Provider uses an oracle database
    to store user roles and access control lists to allow a certain role
    to access specific weblogic resources.
    Any assistance is highly appreciated.
    Thanks
    Siva

    The main reason is that JMS topics do not work well with HTTP clients. A topic cannot
    initiate an HTTP call to the subscriber, so we have to store the message in memory
    outside of JMS waiting for the subscriber to call us. Reliability is lost (if anyone
cared). The lifecycle of the outbound message is controlled by the HTTP session timeout
    (yuck!). This did not look like a solid feature that we should support.
    If you like it, you can implement it yourself. I would recommend using JAX-RPC
    handlers for that.
    Thanks,
    -ruslan
    Michael Poulin wrote:
The deprecation note is in "Creating JMS-Implemented WebLogic Web Services, section
    Overview of JMS ...

  • Writing Custom Tax Logic

I wrote some custom tax logic (using a .cs include file linked from verify.aspx) and I can calculate the new tax, but how do I set the shopping cart tax to my new value so it shows on the screen (and goes into the database)? I have looked at the nptax class and nporderexpensetax class help files but I am not sure exactly which command to use. Thanks,

Actually it's very dependent on the situation.
    Example 1: Not creating a BP for B2C accounts created in B1
    Customer A places an order and wants it shipped to Nebraska
    Customer A creates an account in Web tools
    The Item is warehoused in Alabama, so anyone shipping to Alabama has to pay Alabama sales tax
    The tax is not applied to Customer A's order in Web tools
    The tax is also not applied to Customer A's order in B1
    Example 2: Not creating a BP for B2C accounts created in B1
    Shopper places an order and wants it shipped to Alabama
    Shopper creates an account in Web tools
    The Item is warehoused in Alabama, so anyone shipping to Alabama has to pay Alabama sales tax
    Shopper pays tax in Wt
    The merchant adds Alabama to list of shipping addresses in B1 on the "B2C Website" BP and tax assigned to the address, during implementation
    Tax is applied in B1 with the same amount charged in Wt
    Example 3: Creating a BP for B2C accounts created in B1, Setting in Synchmanager for Default Website Tax Code set to Alabama
    Shopper places an order and wants it shipped to Alabama
    Shopper creates an account in Web tools
    The Item is warehoused in Alabama, so anyone shipping to Alabama has to pay Alabama sales tax
    Shopper pays tax in Wt
    Sync creates BP for B2C account with the address, but the tax field on the address is blank
    Order is correct in B1 as the correct tax code is set on the order(based on the Default Website Tax code selection)
    Example 4: Creating a BP for B2C accounts created in B1, Setting in Synchmanager for Default Website Tax Code set to Alabama
    Shopper places an order and wants it shipped to Nebraska
    Shopper creates an account in Web tools
    The Item is warehoused in Nebraska, so anyone shipping to Nebraska will pay state sales tax
    Shopper pays tax in Wt
    Sync creates BP for B2C account with the address, but the tax field on the address is blank
    Negative percentage discount shows on order as the Default Website Tax Code is set to Alabama but Nebraska tax was calculated in Wt
    So Wt is doing things correctly, and within B1 the adjustment needs to be made.
    This is a limitation of the solution that has a simple workaround(manually add correct tax), and it is a best practice to monitor all orders coming from the web for fraud detection, errors made by shopper, etc anyways.

  • CHARM:Urgnt Corr. type of doc isnt created using Custom "Authorize" Action

    Hi Experts,
I have copied the SDCR Action profile to YDCR and defined all scheduled conditions as default. I have assigned the YDCR action profile to my Txn Type YDCR. However, when I am trying to create an Urgent type of correction using the custom "Authorize" action from the action button, the system is changing the status to "Authorized". However, the followup document of the urgent correction is not being created, though I have selected "Urgnt Correction (Maintenance)" from the Subject line.
    I have properly copied all the copy rules and working fine if I use SDCR action profile instead of YDCR.
    May any one please help me diagnose and solve this problem?
    Regards,
    Faisal

    Hi All,
    I want to share the latest on this.
    I had basically created new schedule conditions by copying the original ones. Below are mentioned schedule conditions I copied from original:
    Original schedule condition name : Only Status 'To be approved' (Assigned to Authorize and Reject Change Request)
    Custom schedule condition name: YOnly Status 'To be approved'
    The above YOnly Status 'To be approved'  was assigned to "Authorize Change Request" and "Reject Change Request" actions in my YDCR Action Profile.
But when I changed it to Only Status 'To be approved' and created the urgent correction, this type is created.
    Can any one tell me what could have happened?
    Regards

  • Report to check authorization object used in customized programs

    Hi Guys,
    An auditor came and he raised a question to us, he asked whether all of our customized transactions and programs are maintained with authorization checks? The question is how can we check what authorization objects are used for our customized programs and transaction codes? The developer did not maintain the objects used for that program in SU24 table. Is there a program or a report to show us all the authorization object used for a customised program or transaction? Example : T-code MIGO we can check in SU24 table for all the authorization object used. How do we check for customized tcodes? Please advise. Thanks!
    Edited by: Jarod Tan on Nov 25, 2010 9:42 AM

    Note that some programs are built in such a way that no (visible) auth check is necessary, or even desired at all.
To determine the necessity of an auth check, you should check that starting it has an entry point (tcode, rfc, service) which is appropriately restricted. The rest (whether and where and how a further check is evaluated) is entirely dependent on what the program actually does.
Well designed applications generally have centralized functions and methods, and the checks are in there or in a "base check" they use.
Others again use the same in UI programming to determine the visibility of functions, to make the application more intuitive for the user. This on its own is however not a sufficient auth check to rely on.
    Code review is an art form!
    Cheers,
    Julius

  • Custom authorization object and check logic

    Hi gurus,
we need to apply an additional authorization check in our custom reports.
so i created a custom field & object, and put the statement
          AUTHORITY-CHECK OBJECT 'ZHR_APP01' FOR USER uname
                   ID 'ZROLEID' FIELD '03'
                   ID 'ZSOBID'  FIELD zzdwbm.
in an abap class method centrally, so it could be called by many reports.
but the test shows that sy-subrc is always set to 0, even for users without any authorization.
what did i miss for adding a custom auth check?
for this case, do i need to maintain the authorization check indicator in SU24?
what i am confused about is that in su24 you have to maintain a transaction, but our authorization check is not for a transaction but for reports and a bsp application, how should i maintain su24 for that?
    thanks and best regards.
    Jun

    Hi,
    I have created a Custom Authorization Object for HR named Z_ORIGIN (it has Personnel Subarea field BTRTL besides what's there in Auth. Object P_ORIGIN) and made it Check/Maintain for transaction PA30 in SU24.
    I can see the entries in the USOBT_C & USOBX_C tables for this object, I am also able to add this object in the roles as well.
    Everything looks fine, but when I execute the transaction  the object Z_ORIGIN is never checked (for a user having this object in his/her User Master). Only P_ORIGIN object is checked instead.
We've run the report RPUACG00 also which is mentioned in this thread.
We also coded the authority check code in both user exits ZXPADU01 and ZXPADU02 for PA infotype operations,
I believe I'll have to write some ABAP code e.g. AUTHORITY-CHECK OBJECT 'ZP_ORGIN' etc. Can anybody tell which User Exit or Field Exit I'll have to put the AUTHORITY-CHECK code in, so that my new custom authorization object is always checked?
but still it is taking the P_ORGIN object.

  • HR custom authorization issues/BADI to be used for some customization

We can develop a custom authorization object in HR and run RPUACG00 to generate the include MPAUTCON. Is it possible to include some customizations in the MPAUTCON program to accomplish some of our requirements?
If not, can you please suggest a BADI/User exit which can be used to develop some customization on a specific field, which can be called at the times the HR Master data is being changed/displayed/created.
Thanks in advance for the answers.

    Hi Kiranm,
    the MPPAUTCON program (or MPPAUTZZ in non-contextual mode) is automatically generated by the RPUACG00 report.
    But you can modify it to add custom controls.
    Best regards.

  • Customizing Request Application Flows in OIM 11g?

    To all:
    I'm trying to work through a scenario using Request Templates - I'm not sure that this approach is possible using configuration approaches and wanted to see if anyone has any useful feedback. First, let me describe the problem I'm attempting to solve:
    - The users who will be using self-service will be somewhat restricted on what they can do: basically, once they have an account in OIM (this is 'automatic' from a reconciliation - there's no self-registration or user creation) they can request access to a small number of applications.
    The ideal flow that we would like to follow is:
    Step 1: Log in to OIM.
    Step 2: Create Request
    Step 3: Select the Application for requested access and the requested role.
    Step 4: Enter an effective date and justification.
    Step 5: Submit
    ... something 'application focused', not 'resource focused' as the end user community is not particularly aware (nor do they really need to be) about the details of how a user is authenticated.
    I can get 'close' to this using a request template, with this flow:
    Step 1: Log in to OIM
    Step 2: Create a request.
    Step 3: Select a Request Template. (I named the template after the application - "Select App Account")
    Step 4: Select Your Resource (only one in this case - restricted to "AD User")
    Step 5: Enter information about the AD account. (I can restrict this down to only allow for group selection, which is great.)
    Step 6: Enter effective date, justification
    Step 7: Submit
    So the only thing I'd really like to 'skip' (or somehow default) is the selection of a resource and skip that step - because the template only allows for a single selection anyway, and having an extra step with a single selection that may only muddle the process would be detrimental to the usability of the request.
    Is this a modification that we can make to the request flow ("If only one resource, default and move on") - or will we need to create some form of customized request process using the APIs?
    I've dug into the JSF navigation in the iam-console-faces WAR file; it seems that navigation is tied up in the backing beans - has anyone else used Request Templates to meet this type of need?
    My thanks in advance for any insight you can provide!

Dewan.Rajiv wrote:
It's a new flow which Oracle has introduced in OIM 11g. You can't skip that selection until you do modification in OOTB UI.
RO is mandatory thing to raise request so you can go for custom UI (Need ADF Knowledge) in which you'll ask end user to select other things except that Resource and you'll fetch RO name from some configuration file for using in request APIs.

Thanks - it looks like customizing the OOTB UI might not be possible - rather than using ADF/Faces configuration files, most of the navigation redirects seem to be 'hidden away' in compiled class files. (My original thought: add some kind of filter and/or extension to an ADF Task Flow that governs the request application flow - but there are no task flow files to modify?)

  • Step-by-step custom Credential Mapping using weblogic 10.3 SSPI

    Folks,
I am trying to implement custom Credential Mapping using weblogic 10.3 SSPI. I am sure that a few of you have already implemented the same. But here are my questions in regards to the implementation.
Right now, I have the below:
1. MyCredentialMapperImpl implements CredentialMapperV2
1. Overridden getCredential and getCredentials methods. But I am not sure what other methods I should implement here.
2. MyCredentialMapperProviderImpl implements CredentialProviderV2
Questions.
1. How to get a ContextHandler to pass as a param in the MyCredentialMapperImpl --> getCredentials method.
2. Do I need to set up a database after deploying the MBean?
3. How do I execute the above implementation?
4. Can I see the SAML Token in my client?
    If possible Please send me the step-by-step custom Credential Mapping implementation.
    Thanks in advance.
    Ravi

    Hi John,
    I would like magic of course. However, in this case I want something special: my authentication provider uses special means and contents of headers, cookies and service from external identity management systems to determine the user's identity.
    I do not want the application to present the login dialog! I want to derive the identity and the fact that the user is logged in from whatever the authentication provider returns in terms of Subject.
    Ideally, the flow is something like:
    - user accesses an unprotected resource - resource is shown, no interaction with authentication provider
    - user presses a link or button that takes him/her to a protected resource
    - the authentication provider is contacted to work with the identity asserter to establish the identity of the current user and create a subject object for this user
    - the application can access the subject and principals
    - ADF Security recognizes the identity and the roles (based on the principals) and coordinates access based on this.
    the authentication method is client certificate. presumably this prompts WebLogic/OPS to use an identity asserter to work with custom headers and cookies ("... when you configure a web application to use CLIENT-CERT authentication. In this case, WebLogic can perform identity assertion based on values from request headers and cookies. If the header name or cookie name matches the active token type for the provider, the value is passed to the provider."). No login form should be presented to the user, as all information required to perform the authentication is already available.
    I am trying to understand what I must do to have the ADF application adopt the subject set by the authentication provider - if anything?!
    If you more ideas to share - I would love to hear them.
    best regards,
    Lucas

  • SRM PO layout : Abode custom form logic and config

    Dear SRM Guru,
    I have a requirement in SRM PO layout.
I need to create a custom PO layout using an Adobe form instead of a Smartform.
• I have proposed to copy the standard Adobe form interface IF_BBP_PO_ADB, make it ZIF_BBP_PO_ADB and include my logic for the custom form.
• Created an Adobe form, referred to the interface as ZIF_BBP_PO_ADB and designed the layout.
It would be great if you could let me know about my queries below.
• Did I copy the correct interface program IF_BBP_PO_ADB for the PO layout?
• How to define the custom layout in the SPRO output? Do I need to define both the Adobe form interface and the form layout in SPRO?
    Please share me your experience.
    Thanks.
    Regards,
    Preethi.

    Thanks Denis. That was very helpful.
I put an HTTP breakpoint in LBBP_PO_APPF35. But I was not able to debug. Till sometime back the SRM portal was working fine, but all of a sudden I am getting the error
"Error when processing your request "
"The URL http://usushpdba387.nbcuni.ge.com:8000/sap/bc/gui/sap/its/bbpstart was not called due to an error"
"The termination type was: RABAX_STATE"
In ST22 the error is:
The termination occurred in the ABAP program "CL_HTTP_EXT_ITS===============CP"
  in "IF_HTTP_EXTENSION~HANDLE_REQUEST".
The main program was "SAPMHTTP ".
    Thanks and Regards,
    Jayesh

  • Making Customer Pricing procedure mandatory in BP Role-CRM 5.0

    Hi
Our requirement is to make the Customer Pricing procedure mandatory in BP Role "Sold to Party" in CRM 5.0. I have configured the same in IMG Field Grouping. Now when an end user goes for BP creation and goes to Sales area maintenance, an error message is displayed for the same.
But if only general data is maintained then this message is not displayed. Now the requirement is to display an error message if a person leaves without maintaining sales data.
Please help me in resolving this.
Thanks in advance.
    Cheers
    Hits

    In the completeness procedure detail, use the object Pricing and field Customer pricing procedure. relevance header / item or both, message category - Error
    Hope this helps
IceCube

  • How to polulate data from lookup using request dataset in OIM 11g

    Hi,
Using a Request dataset in OIM 11g, I need to display one dropdown with roles that need to come from a Lookup.
For example, I have 2 resources, i.e. Resource A and Resource B. Resource A has 5 roles and Resource B has 3 roles.
While creating a request, if I select Resource A, then I should be able to get 5 roles, and if I select Resource B then I should be able to see the corresponding 3 roles.
Please note I have only one Lookup definition, where I have roles for both Resource A and B.
I have done a similar thing in OIM 10g, however I am unable to do it using the OIM 11g Request dataset.
    Pls suggest.

    Hi BB,
I am trying to follow up on your response.
You are suggesting to use a prepopulate adapter to populate the resource object name, that means we just have to use an sql query from the obj table to get the resource object name, right?? It could be like below; what should the entity-type value be here??
<AttributeReference name="Field1" attr-ref="act_key"
    available-in-bulk="false" type="Long" length="20" widget="ENTITY" required="true"
    entity-type="????">
  <PrePopulationAdapter name="prepopulateResurceObject"
      classname="my.sample.package.prepopulateResurceObject" />
</AttributeReference>
<AttributeReference name="Field2" attr-ref="Field2" type="String" length="256" widget="lookup-query"
    available-in-bulk="true" required="true">
  <lookupQuery lookup-query="select lkv_encoded as Value,lkv_decoded as Description from lkv lkv,lku lku
    where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.xxx.BO.Field2'
    and instr(lkv_encoded,concat('$Form data.Field1', '~'))>0" display-field="Description" save-field="Value" />
</AttributeReference>
Then I need to think about the 'Lookup.xxx.BO.Field2' format.
Could you please let me know if my understanding is correct?? What is the entity-type value of the first attribute reference?
    Thanks for your all help.

  • How to add custom authorization object to a SAP standard transaction

    Hi All,
I have a standard tcode IW22 (change PM Notification) and I would like to lock changes when some users modify the field Functional Location (field TPLNR).
Since this field does not have an authorization object associated, I've tried to solve this problem with the following steps:
- tcode SU20 - creation of a new authorization field TPLNR with data element TPLNR
- tcode SU21 - creation of a new auth object in transaction SU21 with name ZPM and fields (TPLNR, ACTVT and TCOD)
- tcode SU24 - insert of the new authorization field and check indicator (green)
- tcode SU22 - check indicator - check (green)
After this we have created a new role with PFCG and added transaction IW22; the new auth. object ZPM was added manually.
We have tried to analyze the log (ST01 trace) but it seems no check was made in the trace file.
It seems the new authorization object was not checked.
    My question is: "Is it possible to add a custom authorization object into standard transaction and implementing authorization check without writing abap code in exit or badi ?"
    Thanks
    Maurizio

    > My question is: "Is it possible to add a custom authorization object into standard transaction and implementing authorization check without writing abap code in exit or badi ?"
    >
No .. not possible. The list of Auth. objects SAP proposes in SU24 for each Stnd. SAP TCode is basically documentation of the Authority-Checks in the program for that TCode. The extra advantage of SU24 is to set the object status (meaning the proposal for availability in PFCG) to any of the four check indicators, so that we can provide our own values (customer specific values which are defined separately from SAP provided values) and reinforce the authorization concept of the organization.
So you need to provide an Authority-Check for ZPM in the program of IW22 to make sure that the fields you want to be checked are really being checked during execution of the tcode.
    Regards,
    Dipanjan
