Custom Realm with WLS 6.1
We are attempting to write a custom security realm for an application we will be deploying on WLS 6.1 so that we can integrate security data scattered across LDAP and database servers.
The documentation describing obtaining configuration for the security store (http://e-docs.bea.com/wls/docs61/security/prog.html#1041025) has the following snippet of code:
BasicRealmMBean basicRealmMBean =
Server.getSecurityConfig(). getRealm().getCachingRealm.
getBasicRealm();
However, I can not find the Server class they reference. I tried searching in the javadocs for the WLS 6.1 classes, and can't find a class named Server. Perhaps it's an interface, but I can't find the package it belongs to, if that's the case.
Can somebody please point me in the right direction?
Thank you.
-chris
Thanks very much, Utpal.
I still can't find the class (or even the package for that matter) at
http://e-docs.beasys.com/wls/docs61/javadocs/index.html
And that sort of mystifies me. Still, your answer solves my current problem.
I still don't fully understand the ConfigurationMBean
stuff as a whole, and how they get bound to a particular realm; i.e. Do I need
to write a MyRealmConfigurationMBean, and if so, how do
I bind it to MyRealm?
Note that the code I originally cited casted a BasicRealm return type to a BasicRealmMBean;
It's not immediately apparent why one is
even castable to the other, since they are two interfaces that
are not on the same inheritance line (I don't think).
Thanks for your time. I appreciate your help.
-chris
Finally,
"Utpal" <[email protected]> wrote:
Check this out
C:\opt\bea\wls61sp2\config\mydomain>javap weblogic.server.Server
Compiled from Server.java
public final class weblogic.server.Server extends java.lang.Object {
public static final java.lang.String DEFAULT_PROTOCOL;
public static final int DEFAULT_PORT;
public static weblogic.management.configuration.ServerMBean getConfig();
public static weblogic.management.configuration.ServerDebugMBean
getDebug();
public static weblogic.management.configuration.SecurityMBean
getSecurityCon
fig();
public static void initialize();
It's weblogic.server.Server class.
-utpal
Similar Messages
-
Debugging a custom realm in WLS 6.1
Hi all. I'm trying to find out how to debug my custom realm. I first implemented
the DebuggableRealm and put log.debug calls in my realm. I then set the realm.debug
property to "true" when I start the server. Is that it? The javadocs on debugging
are very sparse. I wasn't able to find a javadoc for weblogic.logging.LogOutputStream.
I also found a DebugSecurityRealm attribute in the ServerDebug element in config.xml
but am thinking this is old (from 5.X?).
Are there any other documents I should be looking at? Thanks!
jeffThanks very much, Utpal.
I still can't find the class (or even the package for that matter) at
http://e-docs.beasys.com/wls/docs61/javadocs/index.html
And that sort of mystifies me. Still, your answer solves my current problem.
I still don't fully understand the ConfigurationMBean
stuff as a whole, and how they get bound to a particular realm; i.e. Do I need
to write a MyRealmConfigurationMBean, and if so, how do
I bind it to MyRealm?
Note that the code I originally cited casted a BasicRealm return type to a BasicRealmMBean;
It's not immediately apparent why one is
even castable to the other, since they are two interfaces that
are not on the same inheritance line (I don't think).
Thanks for your time. I appreciate your help.
-chris
Finally,
"Utpal" <[email protected]> wrote:
Check this out
C:\opt\bea\wls61sp2\config\mydomain>javap weblogic.server.Server
Compiled from Server.java
public final class weblogic.server.Server extends java.lang.Object {
public static final java.lang.String DEFAULT_PROTOCOL;
public static final int DEFAULT_PORT;
public static weblogic.management.configuration.ServerMBean getConfig();
public static weblogic.management.configuration.ServerDebugMBean
getDebug();
public static weblogic.management.configuration.SecurityMBean
getSecurityCon
fig();
public static void initialize();
It's weblogic.server.Server class.
-utpal -
Hello,
Has anyone implemented authentication & authorization with a Custome realm
in WLS 6.1.I need to implement a custom realm which accesses a policy director
to grant access to resources.Can anyone please help with some ideas?
btw,i went through the documentation of how to write a custom realm.i have a
question on the following code snippet
String userInfoFileName =
configData.getProperty("UserInfoFileName");
String groupInfoFileName =
configData.getProperty("GroupInfoFileName");
Where in the config do u need to specify values for the above mentioned properties.If
anyone has implemented Authentication and Authorization with a custom realm,can
u please help me with more explanation and a code snippet?
Thanks,
Kalyannope..
"Viswadas Leher" <[email protected]> wrote in message
news:3cebb4e1$[email protected]..
>
>
I have two web applications running in the same weblogic domain. Can Ispecify two
different custom realms to the web apps. If yes how?.
The only way i could get the custom realm class called by the server if ispecify
it as
<Realm CachingRealm="LeherCacheRealm"
FileRealm="wl_default_file_realm" Name="wl_default_realm"/>
in the config.xml. This causes the weblogic users, such as "system" etc toget invalidated.
>
>
I tried using the following tags to specify it on a per application basis,which
doesnot seem to work . Am i missing something?
<CustomRealm Name="LeherRealm"RealmClassName="com.leher.security.weblogic.KinectaRealm"/>
<CachingRealm BasicRealm="LeherRealm" CacheCaseSensitive="true"Name="LeherCacheRealm"/>
<Application Deployed="true" Name="DummyApp" Path="F:\leher">
<WebAppComponent AuthRealmName="LeherCacheRealm"
Name="DummyApp" Targets="myserver" URI="dummyapp"/>
</Application>
Is it not possible to define different realms to different webapplications in the
same domain.? -
Authorization with custom realm
Hello,
I have created a custom realm to access user and role information stored in a database. It is working fine for authentication. However, the Subject, Principal, and roles/groups do not seem to be used for later authorization steps. How should this information be stored so that the containers can access it?
In particular, when enabling security constraints in web.xml to limit the access of a particular url to a particular role, that url can never be accessed. The server generates messages implying that the user is not logged in:
Checking Web Permission with Principals : null
Checking with Principal : nonlogin-principal
Any suggestions on how to appropriately store the login information would be appreciated.
Thanks!I have had a custom realm that handles ACLs since 5.1. My question is I want to
mix it with the out-of-the box ldaprealm v2. I was hoping for a failover mechanism
where I can supply a custom realm that knows how to authorize and leave it up
to the canned ldaprealm to authenticate. The filerealm behaves in such a manner,
does it not.
I will try your idea about extending the ldaprealm. But, the challenge will be
in dealing with the delegate.
"Utpal" <[email protected]> wrote:
If you extend the weblogic.security.ldaprealmv2.LDAPRealm and implements
newAcl, deleteAcl, newPermission,
setPermission etc, I think it's doable.
=========
public class weblogic.security.ldaprealmv2.LDAPRealm extends
weblogic.security.a
cl.AbstractListableRealm implements weblogic.security.acl.DebuggableRealm
=========
-utpal
"Utpal" <[email protected]> wrote in message
news:[email protected]..
Why don't you use the Custom Security Realm? You can construct an ACLin a
custom seecurity realm.
http://edocs.beasys.com/wls/docs61/security/prog.html#1042361
-utpal
"Ziad Kurdi" <[email protected]> wrote in message
news:3c9b4c80$[email protected]..
Is there a way in 6.1 to use the supplied LDAP Realm V2 for
authentication
and
managing groups, but enhance it with ACL's (stored in a database)
for
authorization?
Obviously, I would like to take advantage of the server's caching
realm
capabilities.
I currently running a custom realm (from 5.1 which works in 6.1)
that
mixes LDAP
authentication, group management, and DB ACL's for authorization,
but I
no
longer
wish to capture the user's password (due to sorporate policies) and
would
like
to avoid maitaining the authentication code.
Thanks in advance for any assistance. -
Help with Weblogic 6 sp1 Custom Realm !!!!
We are trying to run Weblogic 6.0 sp1 with our current environment (ejb 1.1, custom
security realm)
We can compile and deploy our ejb 1.1 beans. We wish to start with ejb1.1 and
move to ejb2.0 once we can get our custom security working.
The JDBC connection pools are fine.
Our custom security realm uses LDAP for user authentication and an Oracle table
for authorization (acls).
Earlier, I wrote to the board and received the below following instructions to
use our existing custom realm in wl 60. You can read below, but I followed these
instructions on Solaris 5.6.
1. I ensured the SunOS patches were up to date.
2. We ensured the LD_LIBRARY_PATH reflected weblogic 6 (and not 5.1). We moved
the 5.1 classes over to wl6.
3. We copied our custom realm properties file to the weblogic root and/or the
config subdirectory (tried them both).
4. We ensured the security realm class we wrote is in the classpath (we bunch
all our serverside classes in a jar file anyway).
5. Then we created a custom realm via the console – name BFXRealm and it’s
class name <package>.BFXRealm, left configuration box blank.
6. Then we created a custom caching realm BFXCachingREalm and set its basic realm
as the custom realm, BFXRealm. All of the enable caches are checked to true.
7. Then we set the default realm to the BFXCachingRealm.
Now, when we perform a query, the everyone group should be implied. We don’t
implement LDAP lookup on queries. If I try to run a query from a client, I see
the client box connecting with the server:
Last line - you can see the client box connecting to the server -
<May 30, 2001 2:20:07 PM EDT> <Info> <J2EE> <Deployed : DefaultWebApp_myserver>
<May 30, 2001 2:20:07 PM EDT> <Notice> <WebLogicServer> <WebLogic Server started>
<May 30, 2001 2:20:07 PM EDT> <Info> <Configuration Management> <Backed up booted
configuration /opt/apps/weblogic/beasp1/wlserver6.0sp1/./config/mydomain/config.xml
at /opt/apps/weblogic/beasp1/wlserver6.0sp1/./config/mydomain/config.xml.booted>
<May 30, 2001 2:20:07 PM EDT> <Notice> <WebLogicServer> <ListenThread listening
on port 7001>
<May 30, 2001 2:20:07 PM EDT> <Notice> <WebLogicServer> <SSLListenThread listening
on port 7002>
<May 30, 2001 2:20:08 PM EDT> <Info> <Posix Performance Pack> <System has file
descriptor limits of - soft: '1024', hard: '1024'>
<May 30, 2001 2:20:08 PM EDT> <Info> <Posix Performance Pack> <Using effective
file descriptor limit of: '1024' open sockets/files.>
<May 30, 2001 2:20:08 PM EDT> <Info> <Posix Performance Pack> <Allocating: '3'
POSIX reader threads>
<May 30, 2001 2:20:23 PM EDT> <Info> <HTTP> <[HTTP myserver] Created log stream
/opt/apps/weblogic/beasp1/wlserver6.0sp1/config/mydomain/logs/access.log>
<May 30, 2001 2:21:50 PM EDT> <Info> <WebLogicServer> <Adding address: 152.51.164.233/152.51
The client receives the error:
javax.naming.AuthenticationException. Root exception is java.lang.SecurityException:
Authentication
for user aws4270 denied in realm weblogic
It’s as if the fileRealm.properties is only being looked at. We do not
use this for our user/groups/acls in wl5.1.0 and we do not want to in wl6
For “fun”, I added a user to the fileRealm.properties file via the
console and ran a client query. It worked.
But when I tried to call an ejbCreate from the client, I received these errors
from the server:
BFXSecurityRealmException is a custom exception we have written. A query works
but a create does not - obviously cannot get to acl in database (?)
and why the ejb20 errors? We just want to start with ejb 1.1
In SeqStoreSecurityHelper.isUserAuthorized(): schema = seqStore.INTNUC, class
= bioseq, project = HIPPI, permission = create
<May 30, 2001 2:50:10 PM EDT> <Info> <EJB> <EJB Exception in method: ejbCreate:
com.gw.bioinfo.exception.BFXSecurityRealmException: BFX-90000: A BFXSecurityRealmException
occurred.
com.gw.bioinfo.exception.BFXSecurityRealmException: BFX-90000: A BFXSecurityRealmException
occurred.
at com.gw.bioinfo.ejb.bioSeq.BioSequenceBean.ejbCreate(BioSequenceBean.java:1562)
at com.gw.bioinfo.ejb.bioSeq.BioSequenceBeanImpl.ejbCreate(BioSequenceBeanImpl.java:833)
at java.lang.reflect.Method.invoke(Native Method)
at weblogic.ejb20.manager.DBManager.create(DBManager.java:408)
at weblogic.ejb20.internal.EntityEJBHome.create(EntityEJBHome.java:353)
at com.gw.bioinfo.ejb.bioSeq.BioSequenceBeanHomeImpl.create(BioSequenceBeanHomeImpl.java:111)
at com.gw.bioinfo.ejb.bioSeq.BioSequenceBeanHomeImpl_WLSkel.invoke(BioSequenceBeanHomeImpl_WLSkel.java:78)
at weblogic.rmi.internal.BasicServerAdapter.invoke(BasicServerAdapter.java:373)
at weblogic.rmi.cluster.ReplicaAwareServerRef.invoke(ReplicaAwareServerRef.java:128)
at weblogic.rmi.internal.BasicServerAdapter.invoke(BasicServerAdapter.java:237)
at weblogic.rmi.internal.BasicRequestHandler.handleRequest(BasicRequestHandler.java:118)
at weblogic.rmi.internal.BasicExecuteRequest.execute(BasicExecuteRequest.java:17)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:137)
at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:120)
The client receives the error:
java.rmi.RemoteException: EJB Exception:; nested exception is:
com.gw.bioinfo.exception.BFXSecurityRealmException: BFX-90000: A BFXSecurityRealmException
o
ccurred.
com.gw.bioinfo.exception.BFXSecurityRealmException: BFX-90000: A BFXSecurityRealmException
occurred.
HOW CAN WE GET THE SERVER TO BYPASS FILEREALM and use BFXREALM ???????????
Thanks,
Anne
Subject: Re: Do Custom Security Realms have to use Mbeans?
Date: 17 May 2001 06:38:23 -0800
From: "Tom Moreau" <[email protected]>
Newsgroup: weblogic.developer.interest.security
Yes this can be done. Here's how:
1) I'll assume that the classname to your custom realm is "com.yourcompany.YourCustomRealm"
2) I'll assume that your custom realm has some kind of properties file from which
it reads its configuration data. Let's call this file "YourCustomRealm.properties"
3) Copy YourCustomRealm.properties to every machine that you're running wls on
(you are probably already doing this today).
4) Make sure that com.yourcompany.YourCustomRealm is in the classpath when you
start wls (you should already be doing this today)
5) In 5.1, there used to be some utility classes that customers used for their
custom realms - something about Pools & Factories. These have been renamed in
6.0. If you're using these classes, then go to your 5.1 weblogic jar file and
pull out these classes and add them to your classpath for 6.0.
6) In the console, create a custom realm and set it's realm class name to com.yourcompany.YourCustomRealm.
Leave the configuration data section blank.
7) In the console, configure your custom realm as the alternate realm. That is,
create a caching realm and set it's basic realm to your custom realm, then set
the realm's caching realm to the caching realm you just created.
I'm pretty sure this should work for you. We did this to provide a patch that
let 6.0 users uses the LDAPRealm rewrite from 5.1.
The downside is that you don't get single point of administration - that is, you
have to make your custom realm's configuration data (YourCustomRealm.properties)
available on all the machines you're running WLS on. If you rework your custom
realm, then the configuration data gets put in the custom realm configuration
you create via the console and automatically copied to other machines for you.
- TomWe are trying to run Weblogic 6.0 sp1 with our current environment (ejb 1.1, custom
security realm)
We can compile and deploy our ejb 1.1 beans. We wish to start with ejb1.1 and
move to ejb2.0 once we can get our custom security working.
The JDBC connection pools are fine.
Our custom security realm uses LDAP for user authentication and an Oracle table
for authorization (acls).
Earlier, I wrote to the board and received the below following instructions to
use our existing custom realm in wl 60. You can read below, but I followed these
instructions on Solaris 5.6.
1. I ensured the SunOS patches were up to date.
2. We ensured the LD_LIBRARY_PATH reflected weblogic 6 (and not 5.1). We moved
the 5.1 classes over to wl6.
3. We copied our custom realm properties file to the weblogic root and/or the
config subdirectory (tried them both).
4. We ensured the security realm class we wrote is in the classpath (we bunch
all our serverside classes in a jar file anyway).
5. Then we created a custom realm via the console – name BFXRealm and it’s
class name <package>.BFXRealm, left configuration box blank.
6. Then we created a custom caching realm BFXCachingREalm and set its basic realm
as the custom realm, BFXRealm. All of the enable caches are checked to true.
7. Then we set the default realm to the BFXCachingRealm.
Now, when we perform a query, the everyone group should be implied. We don’t
implement LDAP lookup on queries. If I try to run a query from a client, I see
the client box connecting with the server:
Last line - you can see the client box connecting to the server -
<May 30, 2001 2:20:07 PM EDT> <Info> <J2EE> <Deployed : DefaultWebApp_myserver>
<May 30, 2001 2:20:07 PM EDT> <Notice> <WebLogicServer> <WebLogic Server started>
<May 30, 2001 2:20:07 PM EDT> <Info> <Configuration Management> <Backed up booted
configuration /opt/apps/weblogic/beasp1/wlserver6.0sp1/./config/mydomain/config.xml
at /opt/apps/weblogic/beasp1/wlserver6.0sp1/./config/mydomain/config.xml.booted>
<May 30, 2001 2:20:07 PM EDT> <Notice> <WebLogicServer> <ListenThread listening
on port 7001>
<May 30, 2001 2:20:07 PM EDT> <Notice> <WebLogicServer> <SSLListenThread listening
on port 7002>
<May 30, 2001 2:20:08 PM EDT> <Info> <Posix Performance Pack> <System has file
descriptor limits of - soft: '1024', hard: '1024'>
<May 30, 2001 2:20:08 PM EDT> <Info> <Posix Performance Pack> <Using effective
file descriptor limit of: '1024' open sockets/files.>
<May 30, 2001 2:20:08 PM EDT> <Info> <Posix Performance Pack> <Allocating: '3'
POSIX reader threads>
<May 30, 2001 2:20:23 PM EDT> <Info> <HTTP> <[HTTP myserver] Created log stream
/opt/apps/weblogic/beasp1/wlserver6.0sp1/config/mydomain/logs/access.log>
<May 30, 2001 2:21:50 PM EDT> <Info> <WebLogicServer> <Adding address: 152.51.164.233/152.51
The client receives the error:
javax.naming.AuthenticationException. Root exception is java.lang.SecurityException:
Authentication
for user aws4270 denied in realm weblogic
It’s as if the fileRealm.properties is only being looked at. We do not
use this for our user/groups/acls in wl5.1.0 and we do not want to in wl6
For “fun”, I added a user to the fileRealm.properties file via the
console and ran a client query. It worked.
But when I tried to call an ejbCreate from the client, I received these errors
from the server:
BFXSecurityRealmException is a custom exception we have written. A query works
but a create does not - obviously cannot get to acl in database (?)
and why the ejb20 errors? We just want to start with ejb 1.1
In SeqStoreSecurityHelper.isUserAuthorized(): schema = seqStore.INTNUC, class
= bioseq, project = HIPPI, permission = create
<May 30, 2001 2:50:10 PM EDT> <Info> <EJB> <EJB Exception in method: ejbCreate:
com.gw.bioinfo.exception.BFXSecurityRealmException: BFX-90000: A BFXSecurityRealmException
occurred.
com.gw.bioinfo.exception.BFXSecurityRealmException: BFX-90000: A BFXSecurityRealmException
occurred.
at com.gw.bioinfo.ejb.bioSeq.BioSequenceBean.ejbCreate(BioSequenceBean.java:1562)
at com.gw.bioinfo.ejb.bioSeq.BioSequenceBeanImpl.ejbCreate(BioSequenceBeanImpl.java:833)
at java.lang.reflect.Method.invoke(Native Method)
at weblogic.ejb20.manager.DBManager.create(DBManager.java:408)
at weblogic.ejb20.internal.EntityEJBHome.create(EntityEJBHome.java:353)
at com.gw.bioinfo.ejb.bioSeq.BioSequenceBeanHomeImpl.create(BioSequenceBeanHomeImpl.java:111)
at com.gw.bioinfo.ejb.bioSeq.BioSequenceBeanHomeImpl_WLSkel.invoke(BioSequenceBeanHomeImpl_WLSkel.java:78)
at weblogic.rmi.internal.BasicServerAdapter.invoke(BasicServerAdapter.java:373)
at weblogic.rmi.cluster.ReplicaAwareServerRef.invoke(ReplicaAwareServerRef.java:128)
at weblogic.rmi.internal.BasicServerAdapter.invoke(BasicServerAdapter.java:237)
at weblogic.rmi.internal.BasicRequestHandler.handleRequest(BasicRequestHandler.java:118)
at weblogic.rmi.internal.BasicExecuteRequest.execute(BasicExecuteRequest.java:17)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:137)
at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:120)
The client receives the error:
java.rmi.RemoteException: EJB Exception:; nested exception is:
com.gw.bioinfo.exception.BFXSecurityRealmException: BFX-90000: A BFXSecurityRealmException
o
ccurred.
com.gw.bioinfo.exception.BFXSecurityRealmException: BFX-90000: A BFXSecurityRealmException
occurred.
HOW CAN WE GET THE SERVER TO BYPASS FILEREALM and use BFXREALM ???????????
Thanks,
Anne
Subject: Re: Do Custom Security Realms have to use Mbeans?
Date: 17 May 2001 06:38:23 -0800
From: "Tom Moreau" <[email protected]>
Newsgroup: weblogic.developer.interest.security
Yes this can be done. Here's how:
1) I'll assume that the classname to your custom realm is "com.yourcompany.YourCustomRealm"
2) I'll assume that your custom realm has some kind of properties file from which
it reads its configuration data. Let's call this file "YourCustomRealm.properties"
3) Copy YourCustomRealm.properties to every machine that you're running wls on
(you are probably already doing this today).
4) Make sure that com.yourcompany.YourCustomRealm is in the classpath when you
start wls (you should already be doing this today)
5) In 5.1, there used to be some utility classes that customers used for their
custom realms - something about Pools & Factories. These have been renamed in
6.0. If you're using these classes, then go to your 5.1 weblogic jar file and
pull out these classes and add them to your classpath for 6.0.
6) In the console, create a custom realm and set it's realm class name to com.yourcompany.YourCustomRealm.
Leave the configuration data section blank.
7) In the console, configure your custom realm as the alternate realm. That is,
create a caching realm and set it's basic realm to your custom realm, then set
the realm's caching realm to the caching realm you just created.
I'm pretty sure this should work for you. We did this to provide a patch that
let 6.0 users uses the LDAPRealm rewrite from 5.1.
The downside is that you don't get single point of administration - that is, you
have to make your custom realm's configuration data (YourCustomRealm.properties)
available on all the machines you're running WLS on. If you rework your custom
realm, then the configuration data gets put in the custom realm configuration
you create via the console and automatically copied to other machines for you.
- Tom -
Unable to use a custom security realm with Netscape Directory Server in WebLogic 7
I have all users and groups stored in a Netscape LDAP server (version 4.1.6 on
Solaris 8), so I want to create a custom security realm in WebLogic 7 (also run
on Solaris 8) which uses my LDAP server as the Authenticator. I tried this by
using the Admin Console and followed exactly the steps in Chapter 3 of the "Managing
WebLogic Security" doc. However, when I rebooted WebLogic and logged into the
Admin Console again and clicked the Users node under my custom realm, I saw this
message in the right-hand pane: "There are no Authentication providers available
that support the creation of Users". Also, I don't see my custom realm in the
dropdown list under mydomain -> Security tab -> General tab -> Default Realm.
What did I do wrong? Also, where does WebLogic store the custom security realm
info? It is definitely not in config.xml.
Thanks,
Eric MaThanks for the info.
I wonder when they will fix it.
Jakub
U¿ytkownik "Eric Ma" <[email protected]> napisa³ w wiadomo¶ci
news:[email protected]..
>
According to BEA Tech Support, a known bug prevents the WLS 7 AdminConsole from
displying users and groups defined in Netscape Directory Server.
Eric Ma
"Jakub Wroniszewski" <[email protected]> wrote:
I have the same problem.
Any new ideas?
Rgds,
Jakub
U¿ytkownik "Eric Ma" <[email protected]> napisa³ w wiadomo¶ci
news:[email protected]..
Now I doubt my custom security realm is actually using the NetscapeDirectory Server
as the authenticator. Unlike in WebLogic 6.1 Admin Console, whereclicking on
the Users node displays all users in the LDAP server, in WebLogic 7I keep
getting
the message "There are no Authentication providers available that
support
the
creation of Users." Any suggestions?
"Eric Ma" <[email protected]> wrote:
Never mind. I tried again by following the steps outlined at
http://newsgroups.bea.com/cgi-bin/dnewsweb?cmd=article&group=weblogic.deve
l
oper.interest.security&item=8463&utag=
and it seemed to have worked for me.
"Eric Ma" <[email protected]> wrote:
I have all users and groups stored in a Netscape LDAP server (version
4.1.6 on
Solaris 8), so I want to create a custom security realm in WebLogic7
(also run
on Solaris 8) which uses my LDAP server as the Authenticator. I
tried
this by
using the Admin Console and followed exactly the steps in Chapter3
of
the "Managing
WebLogic Security" doc. However, when I rebooted WebLogic and logged
into the
Admin Console again and clicked the Users node under my custom realm,
I saw this
message in the right-hand pane: "There are no Authentication
providers
available
that support the creation of Users". Also, I don't see my customrealm
in the
dropdown list under mydomain -> Security tab -> General tab ->
Default
Realm.
What did I do wrong? Also, where does WebLogic store the customsecurity
realm
info? It is definitely not in config.xml.
Thanks,
Eric Ma -
auth-method BASIC with custom realm
I've set up my web.xml with <auth-method>BASIC, and I've defined a custom realm
for authentication. When I enter a valid userid/password at login, I can trace
authUserPassword() in my custom realm, and I can see that it is returning an object
which is a subclass of weblogic.security.acl.User, as it should. However, rather
than acknowledging a successful login and moving on, the login dialog is redisplayed,
(minus password). Further attempts to enter the same userid/password don't invoke
authUserPassword(), presumably since the "failed" login is still cached. What
am I missing?Have a look in the web server log to see under what account the failed
accesses took place, that will help in identifying the cause.
"Bill Welch" <[email protected]> wrote in message
news:3b2a6431$[email protected]..
>
I've set up my web.xml with <auth-method>BASIC, and I've defined a customrealm
for authentication. When I enter a valid userid/password at login, I cantrace
authUserPassword() in my custom realm, and I can see that it is returningan object
which is a subclass of weblogic.security.acl.User, as it should. However,rather
than acknowledging a successful login and moving on, the login dialog isredisplayed,
(minus password). Further attempts to enter the same userid/passworddon't invoke
authUserPassword(), presumably since the "failed" login is still cached.What
am I missing? -
Urgent-------ACLs with Custom Realm.
Can anyone list acls that have to define in my Custom Realm to start default server
successfully?
Thanks.Have a look in the web server log to see under what account the failed
accesses took place, that will help in identifying the cause.
"Bill Welch" <[email protected]> wrote in message
news:3b2a6431$[email protected]..
>
I've set up my web.xml with <auth-method>BASIC, and I've defined a customrealm
for authentication. When I enter a valid userid/password at login, I cantrace
authUserPassword() in my custom realm, and I can see that it is returningan object
which is a subclass of weblogic.security.acl.User, as it should. However,rather
than acknowledging a successful login and moving on, the login dialog isredisplayed,
(minus password). Further attempts to enter the same userid/passworddon't invoke
authUserPassword(), presumably since the "failed" login is still cached.What
am I missing? -
Java ftp server which can use LDAP, how to integrate with WLS' implementation of LDAP?
Howdy.
I'm setting up a java ftp server
(http://www.mycgiserver.com/~ranab/ftp/index.html) which is capable of using
LDAP for it's user security. I would like to integrate this ftp server with
wls' implementation of LDAP so I only have to admin one user list.
Does wls put it's user list in the LDAP or in it's own proprietary setup? I
tried playing around with it, but the users don't seem to appear in the JNDI
tree. Is this where the LDAP stuff is located? I thought it was in there?
If it's in it's own setup, is there a way to propagate the users to LDAP?
If these look like newbie Q&A, I guess they kind of are, I'm new to LDAP.
Thanks for any input you might have.Peter,
If you are talking about using the embedded LDAP server in WLS 7.0 for this purpose
I think you are going done the wrong path.
Look at the following URL on how to use an external LDAP server for your custom
application
http://e-docs.bea.com/wls/docs70/secmanage/realm.html#1172008
Chuck Nelson
DRE
BEA Technical Support -
Required methods in custom realms
Can anyone help.Being very new to this topic I have a few questions.I have been tasked to the job of constructing a custom security realm. All I want to do in this realm is to authenticated users, all the other tasks are to be passed to the caching realm, and therefore the WLSRealm.My questions are, What methods as an absolute minimum would I need to implement to supply the WLS with what It needs?What is the calling sequence of events made by the WLS against the realm?Were can I find more information regarding custom realms?RegardsPaul.
Hi,
Thank you for your question.
We are currently looking into this issue and will give you an update as soon as possible.
Thank you for your understanding and support.
Linda Li
Forum Support
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact
[email protected]
Linda Li
TechNet Community Support -
Creating LDAP v2 realm in WLS 6.1sp2
The docs say you shoud go to realm in console and it will give you a choice of
different defaultLDAPRealmfor* (see http://e-docs.bea.com/wls/docs61/adminguide/cnfgsec.html#1071872).
When I do that I get only deprecated v1.
The question is do I have to manually modify config.xml and change name of realm
class, etc. or I'm doing something wrong and need to left-shift-alt-click?
Regards,
Michael ElizarovStill can't see it on my console. See attached screenshot...
"Utpal" <[email protected]> wrote:
You do not have to modify the config.xml that comes with the installation.
Please,
After list of Realm as follows,
Configure a new LDAP Realm V1 (Deprecated)...
Configure a new NTRealm...
Configure a new Unix Realm...
Configure a new RDBMS Realm...
Configure a new Custom Realm...
You will see ,
defaultLDAPRealmForNovellDirectoryServices CustomRealm
weblogic.security.ldaprealmv2.LDAPRealm
defaultLDAPRealmForMicrosoftSiteServer CustomRealm
weblogic.security.ldaprealmv2.LDAPRealm
defaultLDAPRealmForNetscapeDirectoryServer CustomRealm
weblogic.security.ldaprealmv2.LDAPRealm
defaultLDAPRealmForOpenLDAPDirectoryServices CustomRealm
weblogic.security.ldaprealmv2.LDAPRealm
I hope this page takes HTML format.....
-utpal
"mike" <[email protected]> wrote in message
news:[email protected]..
The docs say you shoud go to realm in console and it will give youa
choice of
different defaultLDAPRealmfor* (see
http://e-docs.bea.com/wls/docs61/adminguide/cnfgsec.html#1071872).
When I do that I get only deprecated v1.
The question is do I have to manually modify config.xml and changename of
realm
class, etc. or I'm doing something wrong and need to left-shift-alt-click?
Regards,
Michael Elizarov
begin 666 create.gif
M1TE&.#EA$@`-`(,+`/_____,S/_,,\S,S,QF`,P``)D``````/XT_IF9F69F
M,_\S_P```````````````"'Y! $```L`+ `````2``T```1)<,E)ZSFCZGF*
MN6!H%>0%G&=R)%Q %,=RH.@E'8$PQ#*@_#] #*?C]6BUW(XR`RI.Q"43*50:
5.;Y@](JE'8J;(W3'988NF? B`@`[
`
end
begin 666 delete.gif
M1TE&.#EA$ `0`*(``````/___\S,S)F9F69F9C,S,____P```"'Y! $```8`
M+ `````0`! ```,^:+K0O9!%$)6[%P(AAO]$2%E8.5H#D:8%49Q6)Z\$;&S#
?K-;3W.TVG"X5]-&*N22PE_P1F4.>YD/UV&ZF4P(`.P``
`
end
begin 666 clone.gif
M1TE&.#EA$ `0`*(``````/______S,S,S)F9F?___P```````"'Y! $```4`
M+ `````0`! ```,^6 K<WJJ 0:L=(+[-= B$((YBMGPAH:X"QY73=0&AN\$H
?2=(MD*\L``ZD&SU^P)J'6&PM4TGGB5DT26P010(`.P``
`
end
[console.jpg] -
I would want to write a Custom Security Realm, that uses
- NT domain for authentication and
- RDBMS realm for authorization
I do not see any API to access NT Domain users, should I use JCOM
Kindly Suggest. Thank youAseem,
Did you configure the Caching and file realms with your custom realm?
See also:
http://e-docs.bea.com/wls/docs61/adminguide/cnfgsec.html#1069864
Hope this helps,
Bart
Aseem Rastogi wrote:
Hi All,
I wrote a Custom Realm, according to the specification given on the
Weblogic WebSite. Now i have a problem testing it, It seems that My
Custom Realm is not being called. Any pointers on How to test Custom
realm.
thanx
aseem -
My own Realm instead of Custom Realm extends IASRealm ?
I understand that the custom realm the sun app 7 offers is an extension of ISARealm where authenticate() is overloaded.
But authenticate() does only return a list of groups.
I want to return my own User class with interface Principle.
May I implement my own Realm implementation as a substitute for IASRealm, LdapRealm etc. ?
I know how to implement a JAASRealm for Tomcat because I did it and I want to use it on sun app 7 too.
Thanks,
FrerkI don't know for sure, but I would suggest changing the user.dn
attribute. For example, I had o= yyy, ou=xxx, ou =xyz in LDAPV1 and in
LDAPV2 I have ou=xxx, o=yyy. So, I had to drop one 'ou' and put the ou
first.
Brynjar Glesnes wrote:
>
Hi,
When migrating from Weblogic 6.0 to Weblogic 6.1sp1 I want to use a
Custom Realm instead of the deprecated LDAP Realm. We are using
Netscape Directory Server 4.1. So I modify the Netscape template. I
get no warnings or errors when starting WLS and my groups are listed
in Groups in the Console. But when I try to authenticate a user
authentication fails. When I set up a LDAP Realm as before it succeeds
for the same user and operation.
I have browsed this usenet group without finding the solution. Do
anybody have a clue?
Here is the entry in config.xml for the Custom Realm:
<CustomRealm
ConfigurationData="user.filter=(&(uid=%u)(objectclass=person));user.dn=ou=People,
o=entraoslo.entra.no;membership.filter=(&(uniquemember=%M)(objectclass=groupofuniquenames));server.principal=uid=admin,
ou=Administrators, ou=TopologyManagement,
o=NetscapeRoot;group.filter=(&(cn=%g)(objectclass=groupofuniquenames));group.dn=ou=Groups,
o=entraoslo.entra.no;server.host=xxx.xxx.xxx.xxx"
Name="TakeCargoRealm"
Password="{3DES}ptTZvPU0y3CR76DZQZ8pqw=="
RealmClassName="weblogic.security.ldaprealmv2.LDAPRealm"/>
The entry in config.xml for the LDAP Realm:
<LDAPRealm AuthProtocol="simple"
Credential="{3DES}ptTZvPU0y3CR76DZQZ8pqw=="
GroupDN="o=entraoslo.entra.no, ou=Groups"
GroupIsContext="false"
GroupUsernameAttribute="uniquemember"
LDAPURL="ldap://xxx.xxx.xxx.xxx:389"
Name="TakeCargoDeprecatedRealm"
Principal="uid=admin, ou=Administrators,
ou=TopologyManagement, o=NetscapeRoot"
UserAuthentication="local"
UserDN="o=entraoslo.entra.no, ou=People"
UserNameAttribute="uid"/>
Any help would be appreciated.
Regards,
Brynjar Glesnes -
How to access "Alternative Realm" or "Custom Realm" from components like Servlet ?
Hello,
Says if I have alternative realm or my custom realm which implement
"ManageableRealm" interface. How can I access the realm from other
component, like Servlet or EJB in same WLS ? I tried using code like this
BasicRealm realm =
Realm.getRealm("XmlRealm","weblogic","myclass.DebugRealm");
if (realm != null) {
Class realmClass = realm.getClass();
out.println("Realm is " + realmClass.getName());
Which "myclass.DebugRealm" is classname of my own realm. This realm works
fine when using for authentication and authorization. But when I run this
code on servlet, it seems that it doesn't return the realm it created when
starting WLS, I mean the one that served authentication and authorization.
But it create a new instance of this class (I knew it 'cos I put debug
message in its constructor). So how can I get reference to the realm
instance which is created when starting WLS ?
Thank you in an advance,
SirosHello again,
Sorry to say that now I've got the way. I post here again for someone who
may face that same problem.
So strange that, I just changed the realm name in below code to "custom" and
then it works !! My realm is extended from "AbstractListableRealm" class and
I think I named my realm as "XmlRealm" in it constructor by call
super("XmlRealm");
But seems like its "getName()" method always return "custom", so in servlet
code, it' rather be.
BasicRealm realm = Realm.getRealm("custom");
if (realm != null) {
Class realmClass = realm.getClass();
out.println("Realm is " + realmClass.getName());
This works fine and no instance of realm is created. Anyway I saw that
constructor of "AbstractListableRealm" take String argument for "name" of
the realm. So why it's always "custom" ???
Comments are welcome,
Siros
"Siros Supavita" <[email protected]> wrote in message
news:[email protected]..
Hello,
Says if I have alternative realm or my custom realm which implement
"ManageableRealm" interface. How can I access the realm from other
component, like Servlet or EJB in same WLS ? I tried using code like this
BasicRealm realm =
Realm.getRealm("XmlRealm","weblogic","myclass.DebugRealm");
if (realm != null) {
Class realmClass = realm.getClass();
out.println("Realm is " + realmClass.getName());
Which "myclass.DebugRealm" is classname of my own realm. This realm works
fine when using for authentication and authorization. But when I run this
code on servlet, it seems that it doesn't return the realm it created when
starting WLS, I mean the one that served authentication and authorization.
But it create a new instance of this class (I knew it 'cos I put debug
message in its constructor). So how can I get reference to the realm
instance which is created when starting WLS ?
Thank you in an advance,
Siros -
Custom Realm Bug in WebLogic SP3?
I recently upgraded WebLogic 6.1 from SP1 to SP3 and am now
receiving a ClassCastException when invoking the checkPermission
method on a Custom realm ACL that extends weblogic.security.acl.AclImpl.
This code worked fine in SP1. It seems that other developers
have experienced this problem when applying service packs to
WebLogic 5. Any one else encountering this problem with
WebLogic 6 and what is the workaround? (Stack trace attached)
TIA
[aclimplexception.txt]I was unable to determine the cause of the problem, but I was
able to identify that AclImpl was changed between SP1 and SP3.
I updated SP3's weblogic.jar with the weblogic.security.acl.AclImpl
class in the weblogic.jar from SP1 and the exception went away.
I did not see anything in the release notes for SP2 and SP3
that indicate what may have changed. Does anyone know?
"Jason Southern" <[email protected]> wrote:
>
>
>
I recently upgraded WebLogic 6.1 from SP1 to SP3 and am now
receiving a ClassCastException when invoking the checkPermission
method on a Custom realm ACL that extends weblogic.security.acl.AclImpl.
This code worked fine in SP1. It seems that other developers
have experienced this problem when applying service packs to
WebLogic 5. Any one else encountering this problem with
WebLogic 6 and what is the workaround? (Stack trace attached)
TIA
Maybe you are looking for
-
Need help on how to a user can control a video clip using their mouse
I need help. I've got a video clip of a rotating 3D object(left to right) and i would like the user to be able to control the rotation of the object using their mouse. I've looked everywhere and i'm at a lost. Can anyone help me Here is a link to wha
-
Confused about extending the Sprite class
Howdy -- I'm learning object oriented programming with ActionScript and am confused about the Sprite class and OO in general. My understanding is that the Sprite class allows you to group a set of objects together so that you can manipulate all of th
-
DV NTSC 48 kHz 23.98 - anamorphic?
With reference to my previous question regarding PAL TO NTSC standards conversions, if you look at the last paragraph in this article the writer refers to a sequence set to DV NTSC 48 kHz 23.98. However, I need to do this to an anamorphic film clip -
-
HTML/CSS animation clipped on iPad
Hi list... When inserting html into an inDesign document intended to be published as an iPad app, I'm running into issues with seeing the entire html. The bounding box that holds the html collapses down to the size of the "This is arbitrary html" me
-
Error Message concern......
Hello, I received an error, "The listener returned the following message 404 Not Found." Would someone assist me with what this error means and what would cause it to occur?