Customizing an Authenticator MBean

Similar Messages

• Updating a Property in my Custom Authenticator MBean

  I have created a custom AuthenticationProvider. It is configured through an
  MBean produced by WebLogicMBeanMaker from my XML file. I have a custom
  property in the XML file with a default value. My AuthenticationProvider is
  able to get the bean and read back the default value.
  Now, I wish to change that value to something else to allow uses to
  configure the provider. The documentation clearly says that I will be
  unable to use the Weblogic Console to do this and will have to use the
  command line "weblogic.Admin" application to do it. This is fine, but I
  cannot figure out how to access or modify my MBean.
  How do I know the MBeans name or type? The MBean generated is called
  WeblogicCarbonAuthenticatorMBean.java
  I have tried (I have not include username/password in this post for brevity)
  java weblogic.Admin GET -type WeblogicCarbonAuthenticator
  No MBeans found
  java weblogic.Admin GET -type Authenticator
  No MBeans found
  No success.
  I also deployed a pair of JSPs called listMBeans.jsp and showMBean.jsp,
  which claim to show me all the MBeans deployed. Searching through the list
  I see nothing with the world "Carbon" or "Authenticator" in it.
  How can I find/configure my Authenticator MBeans?
  Thanks
  -jordan

  Jordan Reed wrote:
  Getting there! I can now look at my bean, but I cannot seem to update it.
  There is a string property on the MBean called "UserManagerLocation" that I
  need the end user to be able to update to their appropriate location.
  I am able to use the weblogic.Admin utility to query the MBean, but not to
  update.
  So here is my query:
  java weblogic.Admin -pretty GET -mbean
  Security:Name=myrealmWeblogicCarbonAuthenticator
  MBeanName: "Security:Name=myrealmWeblogicCarbonAuthenticator"
  ControlFlag: REQUIRED
  Description: Carbon Authentication Provider adapts authentication
  behavior to the User Manager Service
  ProviderClassName:
  com.sapient.services.security.auth.weblogic7.WeblogicCarbonAuthenticationPro
  vider
  Realm: Security:Name=myrealm
  UserManagerLocation: /security/management/test/RdbmsUserManager
  Version: 4.2
  But here is my failing update:
  java weblogic.Admin SET -mbean
  Security:Name=myrealmWeblogicCarbonAuthenticator -property
  UserManagerLocation "/security/management/RdbmsUserManager"
  MBean not specified for setting of attributes. Value UserManagerLocation for
  parameter ["9"]Get rid of the "'s around the Value. If that does not work, try
  something like this,
  java weblogic.Admin SET -mbean
  Security:Name=myrealmWeblogicCarbonAuthenticator -commotype -property
  UserManagerLocation /security/management/RdbmsUserManager
  If that does not work, please open a support case with BEA.
  Thanks,
  -satya
  >
  >
  >
  But, inside my MBean descriptor I've got it set as writable:
  <MBeanType
  Name = "WeblogicCarbonAuthenticator"
  DisplayName = "WeblogicCarbonAuthenticator"
  Package = "com.sapient.services.security.auth.weblogic7"
  Extends =
  "weblogic.management.security.authentication.Authenticator"
  PersistPolicy = "OnUpdate"
  Writable = "true"
  >
  <MBeanAttribute
  Name = "UserManagerLocation"
  Type = "java.lang.String"
  PersistPolicy = "OnUpdate"
  Readable = "true"
  Writeable = "true"
  Default =
  ""/security/management/test/RdbmsUserManager""
  />
  </MBeanType>
  Any clue why I am unable to update the attribute from the command line?
  Thanks
  -Jordan
  "Satya Ghattu" <[email protected]> wrote in message
  news:[email protected]...
  Jordan,
  You can use weblogic.Admin utility to change values of your custom MBean
  if you know the object name of your MBean.
  Jordan Reed wrote:
  I have created a custom AuthenticationProvider. It is configured
  through an
  MBean produced by WebLogicMBeanMaker from my XML file. I have a custom
  property in the XML file with a default value. MyAuthenticationProvider is
  able to get the bean and read back the default value.
  Now, I wish to change that value to something else to allow uses to
  configure the provider. The documentation clearly says that I will be
  unable to use the Weblogic Console to do this and will have to use the
  command line "weblogic.Admin" application to do it. This is fine, but I
  cannot figure out how to access or modify my MBean.
  How do I know the MBeans name or type? The MBean generated is called
  WeblogicCarbonAuthenticatorMBean.java
  I have tried (I have not include username/password in this post forbrevity)
  java weblogic.Admin GET -type WeblogicCarbonAuthenticator
  No MBeans foundyou should use the fully qualified MBean name. i.e
  java weblogic.Admin GET -type foo.blah.WeblogicCarbonAuthenticator
  java weblogic.Admin GET -type Authenticator
  No MBeans found
  No success.
  I also deployed a pair of JSPs called listMBeans.jsp and showMBean.jsp,
  which claim to show me all the MBeans deployed. Searching through the
  list
  I see nothing with the world "Carbon" or "Authenticator" in it.
  How can I find/configure my Authenticator MBeans?I assume that you are using 7.0sp1, if not please upgrade to sp1. You
  should see a file called CommoConfig.xm.booted file under your domain
  directory, this file contains all the security MBeans that the server
  found. You should be able to get the object names of your custom mbeans
  from this file.
  Hope it helped,
  -satya
  Thanks
  -jordan

• Custom DB authentication to an application from Oracle Portal not working.

  Hi All,
  We have a Portal customized and integrated to LDAP for SSO.
  From the portal, we have a link that takes to another custom application that requires another level of authentication. We have implemented this authentication as custom Database based authentication.
  When user login to the portal and access this link, he will be directed for authentication again. This custom application has been installed on a different OC4J instance while Oracle Portal is running in a different OC4J instance.
  Issue is though user details are being propagated to the custom application page, we are receiving an error saying authentication failed.
  In the OC4J instance specific for this custom application, we have configured jazn.xml to use custom authentication.
  Below is the code:
  <?xml version = '1.0' encoding = 'UTF-8' standalone = 'yes'?>
  <!DOCTYPE jazn PUBLIC "JAZN Config" "http://xmlns.oracle.com/ias/dtds/jazn-9_04.dtd">
  <jazn provider="XML" location="./jazn-data.xml" default-realm="jazn.com">
  <property name="role.mapping.dynamic" value="true"/>
  <property name="custom.loginmodule.provider" value="true"/>
  </jazn>
  and in jazn-data.xml, we gave the role mapping.
  But the problem is when the link to the custom application is accessed, it seems like the custom autentication mechanism is not working.
  Can anyone throw light on this?
  Do we need to give the same configuration in the j2ee/home/config directory files also?
  Can we use both LDAP and custom DB authentication with in the same OAS setup. Remember as of now, Portal and custom application are running in different OC4J instances but within the same OAS.
  Any help in this regard will be highely appreciated.
  Thanks,
  Sasi Bhushan

  Hi All,
  We have a Portal customized and integrated to LDAP for SSO.
  From the portal, we have a link that takes to another custom application that requires another level of authentication. We have implemented this authentication as custom Database based authentication.
  When user login to the portal and access this link, he will be directed for authentication again. This custom application has been installed on a different OC4J instance while Oracle Portal is running in a different OC4J instance.
  Issue is though user details are being propagated to the custom application page, we are receiving an error saying authentication failed.
  In the OC4J instance specific for this custom application, we have configured jazn.xml to use custom authentication.
  Below is the code:
  <?xml version = '1.0' encoding = 'UTF-8' standalone = 'yes'?>
  <!DOCTYPE jazn PUBLIC "JAZN Config" "http://xmlns.oracle.com/ias/dtds/jazn-9_04.dtd">
  <jazn provider="XML" location="./jazn-data.xml" default-realm="jazn.com">
  <property name="role.mapping.dynamic" value="true"/>
  <property name="custom.loginmodule.provider" value="true"/>
  </jazn>
  and in jazn-data.xml, we gave the role mapping.
  But the problem is when the link to the custom application is accessed, it seems like the custom autentication mechanism is not working.
  Can anyone throw light on this?
  Do we need to give the same configuration in the j2ee/home/config directory files also?
  Can we use both LDAP and custom DB authentication with in the same OAS setup. Remember as of now, Portal and custom application are running in different OC4J instances but within the same OAS.
  Any help in this regard will be highely appreciated.
  Thanks,
  Sasi Bhushan

• How to use a custom database authentication with APEX_AUTHENTICATION??

  i have Custom user authentication method.
  create or replace function user_check(username varchar2,password varchar2) return boolem
  is
  check_out integer;
  begin
  select count(*) into check_out from "user" where USER_EMAIL=username and USER_PASS=password;
  if check_out >0 then
  return true;
  else
  return false;
  end if;
  end;
  apex_authentication.login() how to use. And how to make apex_authentication.login() use my method Verify User Login

  You can't mix custom authentication and the internal APEX authentication functions.. So either you use the pre-built user authentication in APEX or you can build your own CUSTOM authentication...
  Many examples of custom authentication are out there...
  Thank you,
  Tony Miller
  Ruckersville, VA

• Example of custom external authentication

  Where can I find the example of custom external authentication
  which Paul Encarnation has written since most of the links on
  the discussion forum mails seem to be outdated.
  Thanks

  Where can I find the example of custom external authentication
  which Paul Encarnation has written since most of the links on
  the discussion forum mails seem to be outdated.
  Thanks

• Custom ldap authenticator to retrieve user bean ldap profile

  Hi,
  Wondering if we could use a custom ldap authenticator to get the user profile from Ldap and put the data bean into session.
  This will allow to use the same connection to Ldap and to benefit from Bea security authentication configuration.
  Any input on this ?
  Thank you

  Increasing the search limit is the only practical solution. Really, ~2000 entries is not that many.

• Error in custom OAM authentication plugin

  Hi All
  I am trying to build a custom OAM authentication plugin using JDeveloper. Here are the version information:
  OAM - 11.1.1.5 BP04
  WLS - 10.3.5
  Issue:
  I get the following error in the OAM logs when I try to activate the plugin.
  [2012-11-14T09:39:17.996-08:00] [oam_server1] [WARNING] [] [oracle.oam.extensibility.lifecycle] [tid: DistributedCache:DistributionCache:EventDispatcher] [userId: <anonymous>] [ecid: 0000Jfzyiy6EgKI5qrH7iY1GcxMc000002,0] [APP: oam_server] Activation failed due to felix bundle exception while installing and starting the bundle.Unresolved constraint in bundle oamCustomAuthPlugin [2]: Unable to resolve 2.0: missing requirement [2.0] package; (package=oracle.security.am.plugin.ExecutionStatus)[[
  org.osgi.framework.BundleException: Unresolved constraint in bundle oamCustomAuthPlugin [2]: Unable to resolve 2.0: missing requirement [2.0] package; (package=oracle.security.am.plugin.ExecutionStatus)
  at org.apache.felix.framework.Felix.resolveBundle(Felix.java:3404)
  The names of jar file, class file, plugin xml file etc are all same. My plugin code is very generic and I have the following values in the plugin's manifest and xml file
  Plugin xml file [oamCustomAuthPlugin.xml]:
  <Plugin name="oamCustomAuthPlugin" type="Authentication">
  <author>uid</author>
  <email>[email protected]</email>
  <creationDate>09:32:20, 2011-11-13</creationDate>
  <version>4</version>
  <description>OAM Custom Authentication plugin</description>
  <interface>oracle.security.am.plugin.authn.AbstractAuthenticationPlugIn</interface>
  <implementation>com.company.oam.oamCustomAuthPlugin</implementation>
  <configuration>
  <AttributeValuePair>
  <Attribute type="string" length="20">INPUT_PARAM1</Attribute>
  <mandatory>true</mandatory>
  <instanceOverride>false</instanceOverride>
  <globalUIOverride>true</globalUIOverride>
  <value>Param1</value>
  </AttributeValuePair>
  <AttributeValuePair>
  <Attribute type="string" length="20">INPUT_PARAM2</Attribute>
  <mandatory>true</mandatory>
  <instanceOverride>false</instanceOverride>
  <globalUIOverride>true</globalUIOverride>
  <value>Param2</value>
  </AttributeValuePair>
  </configuration>
  </Plugin>
  Manifest File [MANIFEST.MF]:
  Ant-Version: Apache Ant 1.7.1
  Bundle-Version: 1.0.0.4
  Bundle-Name: oamCustomAuthPlugin
  Bundle-Activator: oamCustomAuthPlugin
  Bundle-ManifestVersion: 2
  Created-By: 17.0-b17 (Sun Microsystems Inc.)
  Import-Package: oracle.security.am.plugin,oracle.security.am.plugin.authn
  Bundle-SymbolicName: oamCustomAuthPlugin
  Bundle-RequiredExecutionEnvironment: JavaSE-1.6
  Please let me know if you have faced a sinilar issues in the past. Please help !!

  Try with Import-Package: org.osgi.framework;version="1.3.0",oracle.security.am.plugin,oracle.security.am.plugin.authn,oracle.security.am.plugin.api If it doesn't work try with - Import-Package: org.osgi.framework;version="1.3.0",oracle.security.am.plugin,oracle.security.am.plugin.authn,oracle.security.am.plugin.api ,oracle.security.am.plugin.ExecutionStatus

• Error in Custom Ldap Authentication

  Hi All,
  I was trying to use the custom LDAP authentication( [Earlier Post|http://forums.oracle.com/forums/thread.jspa?threadID=2251976&stqc=true] ) but was not successful in making it work with our AD LDAP server. Thats when I came across post [ http://forums.oracle.com/forums/thread.jspa?messageID=916185&#916185|http://forums.oracle.com/forums/thread.jspa?messageID=916185&#916185]
  I used the same function
  create or replace function authenticate_aduser(
  p_username in varchar2,
  p_password in varchar2)
  return boolean
  is
  l_user varchar2(256);
  l_ldap_server varchar2(256) := '<Hostname>';
  l_domain varchar2(256) := '<Domain Name>';
  l_ldap_port number := 389;
  l_retval pls_integer;
  l_session dbms_ldap.session;
  l_cnt number;
  begin
  l_user := p_username||'@'||l_domain;
  l_session := dbms_ldap.init( l_ldap_server, l_ldap_port ); -- start session
  l_retval := dbms_ldap.simple_bind_s( l_session, l_user, p_password ); -- auth as user
  l_retval := dbms_ldap.unbind_s( l_session ); -- unbind
  return true;
  exception when others then
  l_retval := dbms_ldap.unbind_s( l_session );
  return false;
  end;Test it by giving correct password
       SQL> declare
  begin
  if authenticate_aduser('<username>','<correct password>') then
  dbms_output.put_line('Test Successful');
  else
  dbms_output.put_line('Test Failed');
  end if;
  end; 2 3 4 5 6 7 8
  9 /
  Test Successful
  PL/SQL procedure successfully completed.Tested it by giving wrong password
  SQL> declare
  begin
  if authenticate_aduser('<user name>','<wrong password>') then
  dbms_output.put_line('Test Successful');
  else
  dbms_output.put_line('Test Failed');
  end if;
  end; 2 3 4 5 6 7 8
  9 /
  Test Failed
  PL/SQL procedure successfully completed.So the fundtion is working perfectly with LDAP server.
  I am trying to create a custom authentication scheme with the above function.
  Shared Components -> Authentication Schemes -> create ->From Scratch ->
  In Autentication Function -> return authenticate_aduser(:P101_USERNAME,:P101_PASSWORD);
  In Logout URL -> wwv_flow_custom_auth_std.logout?p_this_flow=&APP_ID.&amp;p_next_flow_page_sess=4155:PUBLIC_PAGE
  Then after setting this as the current authentication scheme. Whenever I try to login with correct credentials it is giving me error
  Invalid Login Credentials
  Kindly let me know were I am going wrong here.
  Thanks & Regards,
  Vikas Krishna

  I was able to fix this.
  I used the same function authenticate_aduser
  and then followed blog http://www.talkapex.com/2009/03/custom-authentication-status.html to create a custom authentication. It worked finally.
  Thanks to Martin for his wonderful post.
  Thanks & Regards,
  Vikas Krishna

• Custom SPNEGO Authenticator

  I'm working on developing a custom spnego authenticator to JBoss. I saw a client example in Advanced JGSS Security Programming. But I haven't found if it's possible to develop a program that accepts a browser's token spnego in the server side. Is it possible in Java 6?
  Thanks a lot!!

  http://dev2dev.bea.com/utilitiestools/security.html

• Authentication MBean

  I am trying to implement my own authentication MBean, and got some questions:
  1. how do you tell the weblogic console to show the control flag choices when
  you create the authentication provider?
  2. if I have other authenticator attributes, how can I ask the weblogic console
  to provide the UIs for filling those? it's like the OpenLDAPAuthenticator where
  there is a Details tab for filling out the port, hostname, etc. How can I tell
  weblogic to show me those UIs?
  3. I read that it might not be possible to tell the weblogic console to show UIs
  for optional attributes. They said to use weblogic.Admin instead. How do I specify
  the mbean type of my authentication mbean? For example, if I used the SampleAutenticator
  as found at http://developer.bea.com/code/codedirect.jsp, how can I use weblogic.Admin
  to get its value? I tried java weblogic.Admin -username system -password weblogic
  -type SampleAuthenticator GET -property Version and it gave me back "No MBeans
  found".
  -hoki

  I've seen this error before and the way around I found was to reset the BISystemUser credentials. To do this:
  1) In WL Console. Find the user BISystemUser in the security realm and enter a new password.
  2) In Enterprise Manager look on left hand side Weblogic Domain > bifoundation_domain > right click > Security > Credentials. Expand oracle.bi.system > system.user > Edit. Enter the same password as in 1)
  3) Restart all the services.
  Paul

• How do I use my own Custom Auth/Authentication/Entitlement (Token)?

  [ Background ]
  Adobe Access DRM provides for 3 authentication mechanisms:
  Anonymous - Licenses are issued irregardless on if there is/isn't a valid authentication token attached to the license request.
  UsernamePassword - Licenses are ONLY issued if the license request has a valid Adobe-Access-Server-Issued authentication token.
  Custom - Licenses are ONLY issued if there is a valid cusom authentication token attached to the license request.
  Typically, customers already have some authentication scheme in place and choose to re-use that system, instead of leveraging Adobe Access' built-in usernamePassword support.  For this to succeed, accomodations must be made during packaging time, on the client device, and at the Adobe Access license server endpoint.
  [ More Background ]
  Here's a forum thread that prompted this thread: http://forums.adobe.com/message/5085330#5085330
  [ Recipe ]
  1. Adobe Access DRM Policy is created that specifies a "custom" authentication token.  As of Adobe Access 4.0, the tools that ship with the Java SDK cannot create a DRM policy with "custom" authentication out the box; a small Java application will have to be written to do this, which is covered in the thread posted above.
  2. Content is packaged using this custom_auth policy.
  3. Client device performs authentication via whatever channel already exists for you to perform authentication (e.g. SAML tokens, etc...)
  4. Client device sets the authentication token: DRMManager.setAuthenticationToken()
  5. Client device attempts to acquire a license for the content created in step #2: DRMManager.loadVoucher();
  5a) Because step #4 set the authentication, all license requests going forward will automatically have this custom auth token appended to it
  6. License server receives request & extracts custom auth token to parse & perform additional entitlement checks
  7. Licnese server generates a license to return to client device.
  [ Server Code Snippet (RefImplLicenseReqHandler.java) ]
  try {
    ServletInputStream in = request.getInputStream();
    ServletOutputStream out = response.getOutputStream();
    HandlerConfiguration context = super.getHandlerContext();
    ServerCredential licenseServerCred = getLicenseParams().getLicenseServerCred();
    licenseHandler = new LicenseHandler(context, in, out, licenseServerCred);
    licenseHandler.parseRequest();
    List<? extends LicenseRequestMessage> requests = licenseHandler.getRequests();
    // Multiple request in one message is not supported in FAXS 2.0 or 3.0 client.
    for (LicenseRequestMessage licenseReq : requests) {
       try {
    // TODO: If custom authentication is specified in the DRM policy, here is where
    // you can retrieve the custom authentication token and perform custom parsing to
    // determine further business rules and entitlement before issuing a license.
    // The "Custom Authentication" will look like:
    // 1. Client device obtains auth token using some other channel
    // 2. Client device sets auth token by calling DRMManager.setAuthenticationToken()
    // 3. Client makes a license request by calling DRMManager.loadVoucher()
    // 4. Adobe Access Server receives request and:
    // 4a) Determines Custom Auth is required by DRM Policy: licenseReq.getContentInfo().getContentMetadata().getPolicies()[0].getLicenseServerInfo(). getAuthenticationType();
    // 4b) Retrieves Custom Auth token for custom parsing/handling: licenseReq.getRawAuthenticationToken()
    // 5. If there are no errors when parsing the custom token, Adobe Access Server generates a license.
                                                    V2ContentMetaData metadata = licenseReq.getContentInfo().getContentMetadata();
                                                    ApplicationProperties applicationProperties = null;
                                                    String usageModelString = null;
                                                    if (metadata != null) {
                                                              applicationProperties = metadata.getCustomProperties();
                                                              if (applicationProperties != null) {
                                                                        usageModelString = applicationProperties.getSingleValueAsUTF8String(DEMOMODE);
  cheers,
  /Eric.

  Google Search: '''firefox create a persona'''
  * '''Personas for Firefox''' | How to Create Personas<br>https://www.getpersonas.com/en-US/demo_create
  * '''Personas for Firefox''' | Frequent Questions<br>http://www.getpersonas.com/en-US/faq
  * '''Personas for Firefox''' | Getting Started<br>http://www.getpersonas.com/en-US/getting_started
  '''I think you'd have a lot more fun with Styles though''', personas tend to hide things on toolbars, styles can be more helpful (or just as bad)
  * '''Stylish''' :: Add-ons for Firefox<br>https://addons.mozilla.org/en-US/firefox/addon/stylish/
  * '''Restyle the web with Stylish!''' - userstyles.org<br>http://userstyles.org/
  * '''Scrollbar Context Menu''' - Themes and Skins for Browser - userstyles.org<br>http://userstyles.org/styles/54
  * '''Scrollbar Menu''' - Themes and Skins for Browser - userstyles.org<br>http://userstyles.org/styles/52
  * '''Link Warning''' - Themes and Skins for Mozilla - userstyles.org<br>http://userstyles.org/styles/1301
  * '''Tabs, Enlarge list-all-tabs button''' - Themes and Skins for Browser - userstyles.org<br>http://userstyles.org/styles/18553
  * '''Tabs Bar Minimal Size''' - Themes and Skins for Browser - userstyles.org<br>http://userstyles.org/styles/9043
  * '''Tab Color Underscoring active/read/unread (Fx3.6)''' - Themes and Skins for Browser - userstyles.org<br>http://userstyles.org/styles/24728

• Configuring custom database authentication in Weblogic 10

  Hi,
  For my project I am trying to configure security/login module. It's an ADF based web application(ADF11g) and is deployed on Weblogic10. I have implemented the custom authentication with DB login module, created the jar and placed it inside %WL_HOME%/server/lib/mbeantypes. Now I have created one new Authenticator inside 'myrealm'. But after the successful deployment of the application when I am trying to access any secured page this custom authenticator is not being invoked. Can anyone please tell me the exact steps I have to follow for getting custom authenticator working properly.
  Thanks much!

  I had some minor implementation faults in code, after fixing those it is working fine

• Custom mix Authentication

  Hi ,
  I have two kind of Users, one type users are Oracle Users(their authentication could be checked through -DBACCOUNT-) and another type users are detailed in a database table(,say auth).
  Now, what I want is that if User logs in then following operation gets happen
  If username/password is correct according to Oracle Users(i.e -DBACCOUNT-) then returns to the main page(,say 1,as successful login)
  elsif <check the table auth tabel,containing the list of Users with respective passwords> if user exists in the table then returns to main page 1(as successful login)
  else return to the login page(,say 101,as unsuccessful login).
  To build this piece ,what should I do?
  I have created an on demand function in Apex,authCheck, which checks if the username and password exits in the auth table or not and returns the respective boolean.
  create or replace function authCheck(p_username in varchar2, p_password in varchar2) return boolean is
  Result boolean:=FALSE;
  ln_verify number(15);
  begin
  select count(*) into ln_verify from auth
  where upper(user_id)=upper(p_username)
  and upper(password)=upper(p_password);
  if sql%notfound then
  Result := FALSE;
  else
  Result := TRUE;
  end if;
  return(Result);
  Exception
  when NO_DATA_FOUND then
  return FALSE;
  end authCheck;
  ******************************************************************************************************************************************************

  Please tell us your first name and show it in your forum profile to help us. Thanks.
  See Re: Database account and custom authentication mix .
  Scott

• SecurityException (Invalid Subject) with custom database authentication provider WLS 7.0

  Hello
  I have implemented a custom authentication provider using a
  database. The login module works fine. It check the username and
  password, add the user as a WLSUser-principal and add the groups
  relatated to the user as WLSGroup-principals to the subject. I
  am able to start the WLS only using my authentication provider,
  but if i want to login into the console i get following
  SecurityException:
  java.lang.SecurityException: Invalid Subject: principals=
  [system, Administrators]
  at weblogic.security.service.SecurityServiceManager.seal
  (SecurityServiceManager.java:893)
  at weblogic.security.service.RoleManager.getRoles
  (RoleManager.java:269)
  at
  weblogic.security.service.AuthorizationManager.isAccessAllowed
  (AuthorizationManager.java:608)
  at
  weblogic.servlet.security.internal.WebAppSecurity.hasPermission
  (WebAppSecurity.java:370)
  at
  weblogic.servlet.security.internal.SecurityModule.checkPerm
  (SecurityModule.java:125)
  at
  weblogic.servlet.security.internal.FormSecurityModule.checkUserPe
  rm(FormSecurityModule.java:328)
  at
  weblogic.servlet.security.internal.SecurityModule.beginCheck
  (SecurityModule.java:179)
  at
  weblogic.servlet.security.internal.FormSecurityModule.checkA
  (FormSecurityModule.java:167)
  at
  weblogic.servlet.security.internal.ServletSecurityManager.checkAc
  cess(ServletSecurityManager.java:185)
  at
  weblogic.servlet.internal.WebAppServletContext.invokeServlet
  (WebAppServletContext.java:2960)
  at weblogic.servlet.internal.ServletRequestImpl.execute
  (ServletRequestImpl.java:2466)
  at weblogic.kernel.ExecuteThread.execute
  (ExecuteThread.java:152)
  at weblogic.kernel.ExecuteThread.run
  (ExecuteThread.java:133)
  Seems to me, that the default role manager does not map the
  group Administrators to the role Admin, which is allowed to
  access the resource console. So, what i do wrong? Must i set
  additional credentials to the subject? Or must i use a special
  Principal class? Who can help me?
  Thanks in advance & greetings
  Dirk Fellenstein

  I have solved it. The Problem was that the two Principal implementations, one that
  implements WLSGroup and one that implements WLSUser, need a common principal base
  class. The principal validator class, method getPrincipalBaseClass() must then return
  the common principal base class.
  "Dirk Fellenstein" <[email protected]> wrote:
  >
  Hello
  I have implemented a custom authentication provider using a
  database. The login module works fine. It check the username and
  password, add the user as a WLSUser-principal and add the groups
  relatated to the user as WLSGroup-principals to the subject. I
  am able to start the WLS only using my authentication provider,
  but if i want to login into the console i get following
  SecurityException:
  java.lang.SecurityException: Invalid Subject: principals=
  [system, Administrators]
  at weblogic.security.service.SecurityServiceManager.seal
  (SecurityServiceManager.java:893)
  at weblogic.security.service.RoleManager.getRoles
  (RoleManager.java:269)
  at
  weblogic.security.service.AuthorizationManager.isAccessAllowed
  (AuthorizationManager.java:608)
  at
  weblogic.servlet.security.internal.WebAppSecurity.hasPermission
  (WebAppSecurity.java:370)
  at
  weblogic.servlet.security.internal.SecurityModule.checkPerm
  (SecurityModule.java:125)
  at
  weblogic.servlet.security.internal.FormSecurityModule.checkUserPe
  rm(FormSecurityModule.java:328)
  at
  weblogic.servlet.security.internal.SecurityModule.beginCheck
  (SecurityModule.java:179)
  at
  weblogic.servlet.security.internal.FormSecurityModule.checkA
  (FormSecurityModule.java:167)
  at
  weblogic.servlet.security.internal.ServletSecurityManager.checkAc
  cess(ServletSecurityManager.java:185)
  at
  weblogic.servlet.internal.WebAppServletContext.invokeServlet
  (WebAppServletContext.java:2960)
  at weblogic.servlet.internal.ServletRequestImpl.execute
  (ServletRequestImpl.java:2466)
  at weblogic.kernel.ExecuteThread.execute
  (ExecuteThread.java:152)
  at weblogic.kernel.ExecuteThread.run
  (ExecuteThread.java:133)
  Seems to me, that the default role manager does not map the
  group Administrators to the role Admin, which is allowed to
  access the resource console. So, what i do wrong? Must i set
  additional credentials to the subject? Or must i use a special
  Principal class? Who can help me?
  Thanks in advance & greetings
  Dirk Fellenstein

• Authentication MBean optional attribute

  I read on http://e-docs.bea.com/wls/docs70/dvspisec/atn.html in the section "Optional
  SSPI MBeans or Custom Operations" that
  4. If you included any custom attributes/operations in your MDF, implement the
  methods using the method stubs.
  Suppose I have this (I copied it from DefaultAuthenticator.xml inside of wlSecurityProviders.jar
  that comes with weblogic7.0) in my MyAuthenticator.xml:
  <MBeanAttribute
  Name = "MinimumPasswordLength"
  Type = "java.lang.Integer"
  InterfaceType = "int"
  Default = "new Integer(8)"
  Min = "0"
  Description = "The minimum number of characters required in a password."
  />
  Do I need to do anything with the generated class?
  Even if I have that, the weblogic console won't show me a text box for entering
  the length. How does DefaultAuthenticator do it?
  Are there more examples other than SampleAuthenticator which has some optional
  attributes?

  Hi, did you find a solution? If yes, I would be thankfull if you could tell me...
  /Marc