Delete Authenticator Provider with WLST
Hi,
I need to change an authentication provider for a newer one with a WLST script. Both providers have the same name.
I found the createAuthenticationProvider method to add the new provider, but I find no way to delete the previous provider before adding the new one. If I try to add the new provider without removing the older one, it returns an "already exists" error.
Is there a WLST method to delete an authentication provider?
Thank you.
Ok... I have found the solution myself...
There is a method called "destroyAuthenticationProvider".
# domainName and realmName must already be set; run inside an edit session (edit(); startEdit())
name = 'Authenticator'
cd('/SecurityConfiguration/' + domainName + '/Realms/' + realmName)
auth = cmo.lookupAuthenticationProvider(name)
cmo.destroyAuthenticationProvider(auth)
Reference: http://docs.oracle.com/cd/E14571_01/apirefs.1111/e13945/weblogic/management/security/authentication/class-use/AuthenticationProviderMBean.html
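A fuller version of the replacement described in this thread, as an added example that is not from the original post: it destroys the same-named provider, creates the new one, carries the control flag over, and reports whether the provider moved in the realm's list. replace_provider is a hypothetical helper name, FakeRealm and FakeProvider are constructed stand-ins so the function also runs outside WLST, and the two provider types are only sample choices.

```python
# Added example: replace a same-named WebLogic authentication provider.
# Under WLST (Jython), inside an edit session with cmo on the realm:
#   edit(); startEdit()
#   cd('/SecurityConfiguration/' + domainName + '/Realms/' + realmName)
#   report = replace_provider(cmo, 'Authenticator', NEW_TYPE)
#   save(); activate()      # or cancelEdit('y') if anything raised
# A create that fails after the destroy is then discarded with the session
# instead of leaving the realm without the provider.

OLD_TYPE = 'weblogic.security.providers.authentication.OpenLDAPAuthenticator'
NEW_TYPE = 'weblogic.security.providers.authentication.LDAPAuthenticator'


def provider_names(realm):
    return [p.getName() for p in realm.getAuthenticationProviders()]


def replace_provider(realm, name, new_type):
    """Destroy provider `name` (if present) and recreate it as `new_type`.

    The new MBean starts with default attributes, so the old control flag is
    copied over. The position in the provider list is reported, not changed.
    """
    old_index, flag = None, None
    old = realm.lookupAuthenticationProvider(name)
    if old is not None:
        old_index = provider_names(realm).index(name)
        if hasattr(old, 'getControlFlag'):
            flag = old.getControlFlag()
        realm.destroyAuthenticationProvider(old)
    new = realm.createAuthenticationProvider(name, new_type)
    if flag is not None and hasattr(new, 'setControlFlag'):
        new.setControlFlag(flag)
    after = provider_names(realm)
    new_index = after.index(name)
    return {
        'old_index': old_index,
        'new_index': new_index,
        'order_changed': old_index is not None and old_index != new_index,
        'control_flag': flag,
        'after': after,
    }


class FakeProvider(object):
    """Constructed stand-in for an authenticator MBean (offline runs only)."""
    def __init__(self, name, ptype, flag='REQUIRED'):
        self._name, self.ptype, self._flag = name, ptype, flag

    def getName(self):
        return self._name

    def getControlFlag(self):
        return self._flag

    def setControlFlag(self, flag):
        self._flag = flag


class FakeRealm(object):
    """Constructed stand-in for the realm MBean; a new provider goes last."""
    def __init__(self, providers):
        self._providers = list(providers)

    def getAuthenticationProviders(self):
        return list(self._providers)

    def lookupAuthenticationProvider(self, name):
        for p in self._providers:
            if p.getName() == name:
                return p
        return None

    def destroyAuthenticationProvider(self, provider):
        self._providers.remove(provider)

    def createAuthenticationProvider(self, name, ptype):
        if self.lookupAuthenticationProvider(name) is not None:
            raise ValueError('%s already exists' % name)
        provider = FakeProvider(name, ptype)
        self._providers.append(provider)
        return provider


def demo():
    # Constructed realm: the provider to replace is first and SUFFICIENT.
    realm = FakeRealm([
        FakeProvider('Authenticator', OLD_TYPE, 'SUFFICIENT'),
        FakeProvider('DefaultAuthenticator',
                     'weblogic.security.providers.authentication.DefaultAuthenticator'),
    ])
    return realm, replace_provider(realm, 'Authenticator', NEW_TYPE)
```

When order_changed is true, the provider list has to be put back in the intended order with the realm's setAuthenticationProviders before activating, since authentication order and control flags decide which provider accepts a login.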
Similar Messages
-
OpenLDAP authentication provider with CA LDAP server
Hi,
I am trying to get authentication to work using an OpenLDAP AP connecting to CA LDAP server (formerly eTrust LDAP server). I am at the point where the bind is successful, the user account is authenticated in LDAP, but I am unable to retrieve the group information.
Here is the error for the group lookup:
####<Apr 8, 2013 9:48:33 AM CDT> <Debug> <SecurityAtn> <EPMDOWCS8> <ms1> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <01f9ee928bc01ecd:275c5c34:13dea1201e3:-7ffd-000000000000021d> <1365432513554> <BEA-000000> <[Security:090278]Error listing member groups myACID>
This is the final error, presumably because the group lookup failed:
####<Apr 8, 2013 9:48:33 AM CDT> <Debug> <SecurityAtn> <EPMDOWCS8> <ms1> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <01f9ee928bc01ecd:275c5c34:13dea1201e3:-7ffd-000000000000021d> <1365432513554> <BEA-000000> <javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User myACID denied
at weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.login(LDAPAtnLoginModuleImpl.java:229)
at com.bea.common.security.internal.service.LoginModuleWrapper$1.run(LoginModuleWrapper.java:110)
at com.bea.common.security.internal.service.LoginModuleWrapper.login(LoginModuleWrapper.java:106)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:684)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
at com.bea.common.security.internal.service.JAASLoginServiceImpl.login(JAASLoginServiceImpl.java:113)
The CA LDAP server is pointed to a Top Secret database, so the attribute names are atypical as far as directory services objects are concerned. I've tried modifying the group and static group information to search both groups and profiles, but both fail. I've also tried omitting the static group information, and specifying dynamic group info, but that failed as well.
Here is the search it is running:
(&(memberOf=tssacid=myACID,tssadmingrp=acids,host=ourdevsysid,o=our.ORG)(objectclass=tssprofile))
Here is the group based DN: tssadmingrp=profiles,host=ourdevsysid,o=our.org
The group search scope is subtree. I tried unlimited, and a limit of 2 levels.
If I execute the filtered search using a third party tool (JXplorer), I receive this error:
javax.naming.NamingException: [LDAP: error code 80 - LDP2900E Unknown attribute, , in filter string]; remaining name 'tssadmingrp=profiles,host=ourdevsysid,o=our.org'
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3085)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2987)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2794)
at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1826)
at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1749)
at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:368)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:338)
at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:257)
at com.ca.commons.jndi.JNDIOps.rawSearch(JNDIOps.java:1192)
at com.ca.commons.jndi.JNDIOps.rawSearchSubTree(JNDIOps.java:1039)
at com.ca.commons.naming.DXOps.rawSearchSubTree(DXOps.java:343)
at com.ca.commons.jndi.JNDIOps.searchSubTree(JNDIOps.java:1030)
at com.ca.directory.jxplorer.broker.JNDIDataBroker.unthreadedSearch(JNDIDataBroker.java:772)
at com.ca.directory.jxplorer.broker.DataBroker.doSearchQuery(DataBroker.java:485)
at com.ca.directory.jxplorer.broker.DataBroker.processRequest(DataBroker.java:253)
at com.ca.directory.jxplorer.broker.JNDIDataBroker.processRequest(JNDIDataBroker.java:376)
at com.ca.directory.jxplorer.broker.DataBroker.processQueue(DataBroker.java:200)
at com.ca.directory.jxplorer.broker.JNDIDataBroker.processQueue(JNDIDataBroker.java:883)
at com.ca.directory.jxplorer.broker.DataBroker.run(DataBroker.java:165)
at java.lang.Thread.run(Thread.java:662)
When I execute that same search in JXplorer directly on one of the profile objects (e.g. tssprofile=@oneofourprofiles,tssadmingrp=profiles,host=a12sysid,o=tgslc.org), it runs successfully.
Here is an old post. Seems the op encountered the same problem I did.
authentication provider for CA eTrust LDAP server
Anyone work with these technologies in a past life?
Thanks,
Rob
Are you able to see the users in weblogic?
Not for this AP. I have a ReadOnly SQL authenticator as well. I am able to see users for that, and for the Default Authenticator.
Have you assigned admin roles to the user in weblogic?
No. I do not intend to do that, and I don't believe I am required to do that.
is the group base dn properly configured?
Yes.
-
I have a java application (SSO via SAML2) that uses Weblogic as an Identity Service Provider. All works well using users created directly in Weblogic. However, I need to add support for Active Directory. So, as per documentation:
- I defined an Active Directory Authentication provider
- changed its order in the Authentication Providers list so that it comes first
- set the control flag to SUFFICIENT and configured the Provider Specific; here's the concerned part in config.xml:
<sec:authentication-provider xsi:type="wls:active-directory-authenticatorType">
<sec:name>MyOwnADAuthenticator</sec:name>
<sec:control-flag>SUFFICIENT</sec:control-flag>
<wls:propagate-cause-for-login-exception>true</wls:propagate-cause-for-login-exception>
<wls:host>10.20.150.4</wls:host>
<wls:port>5000</wls:port>
<wls:ssl-enabled>false</wls:ssl-enabled>
<wls:principal>CN=tadmin,CN=wl,DC=at,DC=com</wls:principal>
<wls:user-base-dn>CN=wl,DC=at,DC=com</wls:user-base-dn>
<wls:credential-encrypted>{AES}deleted</wls:credential-encrypted>
<wls:cache-enabled>false</wls:cache-enabled>
<wls:group-base-dn>CN=wl,DC=at,DC=com</wls:group-base-dn>
</sec:authentication-provider>
I configured an AD LDS instance (Active Directory Lightweight Directory Services) on a Windows Server 2008 R2. I created users and one admin user "tadmin" which was added to Administrators members. I also made sure to set msDS-UserAccountDisabled property to FALSE.
After restarting Weblogic I can see that the AD LDS's users and groups are correctly fetched in Weblogic. But, when I try to connect with my application, using Username:tadmin and Password:<...> it does not work.
Here's what I see in the log file:
<BEA-000000> <LDAP Atn Login username: tadmin>
<BEA-000000> <authenticate user:tadmin>
<BEA-000000> <getConnection return conn:LDAPConnection {ldaps://10.20.150.4:5000 ldapVersion:3 bindDN:"CN=tadmin,CN=wl,DC=at,DC=com"}>
<BEA-000000> <getDNForUser search("CN=wl,DC=at,DC=com", "(&(&(cn=tadmin)(objectclass=user))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))", base DN & below)>
<BEA-000000> <DN for user tadmin: null>
<BEA-000000> <returnConnection conn:LDAPConnection {ldaps://10.20.150.4:5000 ldapVersion:3 bindDN:"CN=tadmin,CN=wl,DC=at,DC=com"}>
<BEA-000000> <getConnection return conn:LDAPConnection {ldaps://10.20.150.4:5000 ldapVersion:3 bindDN:"CN=tadmin,CN=wl,DC=at,DC=com"}>
<BEA-000000> <getDNForUser search("CN=wl,DC=at,DC=com", "(&(&(cn=tadmin)(objectclass=user))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))", base DN & below)>
<BEA-000000> <DN for user tadmin: null>
<BEA-000000> <returnConnection conn:LDAPConnection {ldaps://10.20.150.4:5000 ldapVersion:3 bindDN:"CN=tadmin,CN=wl,DC=at,DC=com"}>
<BEA-000000> <javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User tadmin denied
at weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.login(LDAPAtnLoginModuleImpl.java:229)
at com.bea.common.security.internal.service.LoginModuleWrapper$1.run(LoginModuleWrapper.java:110)
So, I tried to look why do I have: <DN for user tadmin: null>. Using Apache Directory Studio I reproduced the ldap search request used in Weblogic and, sure enough, I get no results. But, changing the filter to only "(&(cn=tadmin)(objectclass=user))" (NOTICE, no userAccountControl), it works; here's the result from Apache Directory Studio:
#!SEARCH REQUEST (145) OK
#!CONNECTION ldap://10.20.150.4:5000
#!DATE 2014-01-23T14:52:09.324
# LDAP URL : ldap://10.20.150.4:5000/CN=wl,DC=at,DC=com?objectClass?sub?(&(cn=tadmin)(objectclass=user))
# command line : ldapsearch -H ldap://10.20.150.4:5000 -x -D "[email protected]" -W -b "CN=wl,DC=at,DC=com" -s sub -a always -z 1000 "(&(cn=tadmin)(objectclass=user))" "objectClass"
# baseObject : CN=wl,DC=at,DC=com
# scope : wholeSubtree (2)
# derefAliases : derefAlways (3)
# sizeLimit : 1000
# timeLimit : 0
# typesOnly : False
# filter : (&(cn=tadmin)(objectclass=user))
# attributes : objectClass
#!SEARCH RESULT DONE (145) OK
#!CONNECTION ldap://10.20.150.4:5000
#!DATE 2014-01-23T14:52:09.356
# numEntries : 1
(the "[email protected]" is defined as userPrincipalName in the tadmin user on AD LDS)
As you can see, "# numEntries : 1" (and I can see as result the entry "CN=tadmin,CN=wl,DC=at,DC=com" in Apache Directory Studio's interface); if I add the userAccountControl filter I get 0.
I've read that the AD LDS does not use userAccountControl but "uses several individual attributes to hold the information that is contained in the flags of the userAccountControl attribute"; among those attributes is msDS-UserAccountDisabled which, as I said, I already set to FALSE.
So, my question is, how do I make it work? Why do I have "<DN for user tadmin: null>" ? Is it the userAccountControl ? If it is, do I need to do some other configuration on my AD LDS ? Or, how can I get rid of the userAccountControl filter in Weblogic?
I didn't seem to find it in config files or in the interface: I only have "User From Name Filter: (&(cn=%u)(objectclass=user))", there's no userAccountControl.
Another difference I noticed is that, even though in Weblogic I have set ssl-enabled flag to false, in the logs I see ldaps and not ldap ( I'm not looking to setup something production-ready and I don't want SSL for the moment ).
Here are some other things I tried but did not change anything:
- the other "msDS-" attributes were not set so I tried initializing them to some value
- I tried other users defined in AD LDS, not tadmin
- in Weblogic I added users that were imported from AD LDS in Roles and Policies> Realm Roles > Global Roles > Roles > Admin
- I removed all userAccountControl occurrences that I found in xml files in Weblogic (schema.ms.xml, schema.msad2003.xml)
Any thoughts?
Thanks.
I managed to narrow it down: the AD LDS does not support the userAccountControl.
Does anyone know how I can configure my Active Directory Authentication Provider in Weblogic so that it does not implicitly use userAccountControl as filter?
<BEA-000000> <getDNForUser search("CN=wl,DC=at,DC=com", "(&(&(cn=tadmin)(objectclass=user))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))", base DN & below)>
-
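Why the search logged in the thread above can come back empty, as an added example that is not part of the original posts: a small evaluator for that filter using the three-valued logic of RFC 4511, where a filter item on an attribute the server's schema does not define is Undefined, a negated Undefined stays Undefined, and only entries evaluating to TRUE are returned. The entries and both schemas are constructed, the assumption is that the directory follows RFC 4511 for unknown attributes, and the parser covers only the filter forms seen in this thread (no escaped parentheses).

```python
BIT_AND = '1.2.840.113556.1.4.803'  # bitwise-AND matching rule OID from the logged filter


def parse_filter(text):
    """Parse an RFC 4515 filter string into nested tuples."""
    try:
        node, pos = _parse(text, 0)
    except IndexError:
        raise ValueError('filter ends unexpectedly')
    if pos != len(text):
        raise ValueError('trailing text after filter')
    return node


def _parse(s, i):
    if s[i] != '(':
        raise ValueError('expected "(" at offset %d' % i)
    i += 1
    if s[i] in '&|!':
        op, kids = s[i], []
        i += 1
        while s[i] == '(':
            kid, i = _parse(s, i)
            kids.append(kid)
        if s[i] != ')' or not kids or (op == '!' and len(kids) != 1):
            raise ValueError('malformed %s filter' % op)
        return (op, kids), i + 1
    end = s.index(')', i)
    left, value = s[i:end].split('=', 1)
    rule = None
    if left.endswith(':'):                  # extensible match: attr:ruleOID:=value
        left, rule = left[:-1].split(':', 1)
    return ('item', left.lower(), rule, value), end + 1


def evaluate(node, entry, schema):
    """Return True, False or None (Undefined), per RFC 4511 section 4.5.1.7."""
    if node[0] == 'item':
        _, attr, rule, value = node
        if attr not in schema:
            return None                     # attribute unknown to the server
        values = entry.get(attr, [])
        if rule is None:
            return any(v.lower() == value.lower() for v in values)
        if rule == BIT_AND:
            mask = int(value)
            return any((int(v) & mask) == mask for v in values)
        return None                         # matching rule unknown to the server
    results = [evaluate(kid, entry, schema) for kid in node[1]]
    if node[0] == '!':
        return None if results[0] is None else not results[0]
    if node[0] == '&':
        if False in results:
            return False
        return None if None in results else True
    if True in results:                     # '|'
        return True
    return None if None in results else False


def is_returned(filter_text, entry, schema):
    """A search returns an entry only when the filter evaluates to TRUE."""
    return evaluate(parse_filter(filter_text), entry, schema) is True


# Filters taken from the thread.
LOGGED_FILTER = ('(&(&(cn=tadmin)(objectclass=user))'
                 '(!(userAccountControl:1.2.840.113556.1.4.803:=2)))')
PLAIN_FILTER = '(&(cn=tadmin)(objectclass=user))'

# Constructed schemas and entries (attribute names lower-cased).
LDS_SCHEMA = {'cn', 'objectclass', 'msds-useraccountdisabled'}
AD_SCHEMA = {'cn', 'objectclass', 'useraccountcontrol'}
LDS_ENTRY = {'cn': ['tadmin'], 'objectclass': ['top', 'person', 'user'],
             'msds-useraccountdisabled': ['FALSE']}
AD_ENABLED = {'cn': ['tadmin'], 'objectclass': ['top', 'person', 'user'],
              'useraccountcontrol': ['512']}
AD_DISABLED = {'cn': ['tadmin'], 'objectclass': ['top', 'person', 'user'],
               'useraccountcontrol': ['514']}
```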
Problem with WLS LDAP Authentication Provider
We have configured WLS LDAP Authentication provider on an Oracle Service Bus domain, which is used to authenticate WS-Security Username Token and SAML Tokens against an external LDAP Directory (Sun Directory Server). After configuring this, we see that the "Users & Groups" page on the WLS Admin console is getting populated with all the user ids available in LDAP. The organization corporate directory has thousands of user ids, and WLS is executing a generic query against LDAP to fetch all the users. This query would have a major performance impact on the LDAP Directory? Is there any way to prevent this generic query from happening? Any suggestions would help.
Edited by: Ramakrishnan Venkataraman on Feb 1, 2011 11:46 AM
Yes, you can apply filters on the Providers configuration, also you can select the DN from where to fetch the users, you can fetch users with special attributes.
Whole lot of things can be done, review the options under providers.
Let me know if you have any doubts.
HTH,
-Faisal
http://www.weblogic-wonders.com
-
BPM Integration with SQL Authenticator Provider in WebLogic
Hi Gurus,
Related to the explanation from this blog : http://orasoa.blogspot.com/2010/06/sqlauthenticator-and-human-worklist.html
I have followed this review, I can see all user and groups from sql authenticator provider.
And also I can assign bpm application roles to users from sql authenticator provider.
But when I try to assign bpm application roles to groups from sql authenticator provider, the bpm application is not shown from bpm workspace.
Is there any clue to solve this problem?
Cheers,
Agus W
Hi All,
Found the reason for the exception. I was implementing the generated CustomAuthenticatorImpl class (generated through WebLogic MBeanMaker utility) as the provider class by implementing the AuthenticationProvider interface. Keeping them separate solved the issue.
Able to create the jar without any issues and also no error or exception after restart.
Thanks.
-
Hello
I have implemented a custom authentication provider using a
database. The login module works fine. It checks the username and
password, adds the user as a WLSUser-principal and adds the groups
related to the user as WLSGroup-principals to the subject. I
am able to start the WLS only using my authentication provider,
but if I want to log in to the console I get the following
SecurityException:
java.lang.SecurityException: Invalid Subject: principals=[system, Administrators]
at weblogic.security.service.SecurityServiceManager.seal(SecurityServiceManager.java:893)
at weblogic.security.service.RoleManager.getRoles(RoleManager.java:269)
at weblogic.security.service.AuthorizationManager.isAccessAllowed(AuthorizationManager.java:608)
at weblogic.servlet.security.internal.WebAppSecurity.hasPermission(WebAppSecurity.java:370)
at weblogic.servlet.security.internal.SecurityModule.checkPerm(SecurityModule.java:125)
at weblogic.servlet.security.internal.FormSecurityModule.checkUserPerm(FormSecurityModule.java:328)
at weblogic.servlet.security.internal.SecurityModule.beginCheck(SecurityModule.java:179)
at weblogic.servlet.security.internal.FormSecurityModule.checkA(FormSecurityModule.java:167)
at weblogic.servlet.security.internal.ServletSecurityManager.checkAccess(ServletSecurityManager.java:185)
at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:2960)
at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:2466)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:152)
at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:133)
Seems to me that the default role manager does not map the
group Administrators to the role Admin, which is allowed to
access the resource console. So, what am I doing wrong? Must I set
additional credentials to the subject? Or must I use a special
Principal class? Who can help me?
Thanks in advance & greetings
Dirk Fellenstein
I have solved it. The Problem was that the two Principal implementations, one that
implements WLSGroup and one that implements WLSUser, need a common principal base
class. The principal validator class, method getPrincipalBaseClass() must then return
the common principal base class.
-
SQL Authentication provider - create tables script
Hi all!
I'd like to use SQL Authentication provider for my Web application. I cannot find the script for creating users/roles tables used by the provider.
Can you suggest me a link where I can download them ?
Thanks
Frank
Hi Frank,
Configure SQL authenticator:
Start Oracle XE DB and open SQL prompt to execute below commands:
CREATE TABLE USERS (
U_NAME VARCHAR(200) NOT NULL,
U_PASSWORD VARCHAR(50) NOT NULL,
U_DESCRIPTION VARCHAR(1000));
ALTER TABLE USERS
ADD CONSTRAINT PK_USERS
PRIMARY KEY (U_NAME);
CREATE TABLE GROUPS (
G_NAME VARCHAR(200) NOT NULL,
G_DESCRIPTION VARCHAR(1000) NULL);
ALTER TABLE GROUPS
ADD CONSTRAINT PK_GROUPS
PRIMARY KEY (G_NAME);
CREATE TABLE GROUPMEMBERS (
G_NAME VARCHAR(200) NOT NULL,
G_MEMBER VARCHAR(200) NOT NULL);
ALTER TABLE GROUPMEMBERS
ADD CONSTRAINT PK_GROUPMEMS
PRIMARY KEY (
G_NAME,
G_MEMBER);
ALTER TABLE GROUPMEMBERS
ADD CONSTRAINT FK1_GROUPMEMBERS
FOREIGN KEY ( G_NAME )
REFERENCES GROUPS (G_NAME)
ON DELETE CASCADE;
Generally customers can add users directly in DB with the help of the below commands:
insert into USERS (U_NAME,U_PASSWORD,U_DESCRIPTION) values('system','weblogic','admin user');
insert into GROUPS (G_NAME,G_DESCRIPTION) values('Administrators','Administrators');
insert into GROUPMEMBERS (G_NAME,G_MEMBER) values('Administrators','system');
But in this case password is not encrypted so either you can add users via console or via WLST script to store them in encrypted form.
We had executed above commands just to verify user which is directly stored in DB gets authenticated properly or not from SQL authenticator configured as below
Now start weblogic admin server and access console to create Data source by navigating Services ->JDBC -> Data sources
Create Data source named SqlDS
JNDI: SqlDS
DB type: Oracle
DB Driver: Oracle Thin XA driver
DB name: XE
DB host: <hostname>
Port: 1521
DB user: <username>
DB password: <password>
Keep rest of the configuration same and click on test Configuration. If it's successful click on next and target it to "AdminServer"
Click on Finish and activate changes
Now navigate to Security Realms -> myrealm -> Providers
Click on New and provide Name as SqlAuthenticator and select Type as SQLAuthenticator
Now click on newly created provider and make Control Flag as "Sufficient"
Navigate to provider specific page:
1. Check on Plaintext Passwords Enabled.
2. Provide Data source Name: SqlDS
Keep rest of the parameters as it is and Save this configuration. It will ask you to restart Admin server.
Now again navigate Security Realms -> myrealm -> Users & groups
Check user which was created directly in DB is listed in table with SqlAuthenticator. Once it's listed go ahead and add users as below
B. Create users using Admin console:
Login to Admin console
Navigate to Security Realms -> myrealm -> Users & groups
Click on users tab and try creating new user
User name: <user name>
Select Authentication provider: SqlAuthenticator
User Password: <password>
Once user is created check DB table, this user must be added with encrypted password
C. Create multiple users using WLST script:
Navigate to $DOMAIN_HOME/bin folder and execute setDomainEnv file as below:
Unix: . ./setDomainEnv.sh (Do not forget to put two dots before / )
Windows: setDomainEnv.cmd
Now change below script as per your environment and execute as suggested in step 3:
connect('weblogic','weblogic123','t3://localhost:7001')
edit()
startEdit(-1,-1,'false')
serverConfig()
cd('/SecurityConfiguration/base_domain/Realms/myrealm/AuthenticationProviders')
ls()
cd('SqlAuthenticator')
cmo.createUser('vaishali','weblogic123','SQLuser')
cmo.createUser('pavashe','weblogic123','SQLuser')
edit()
stopEdit('y')
NOTE: Change user, password and ADMIN_URL in 1st line.
Replace domain name 'base_domain' with your domain name in line no: 5
Change SQL authenticator name in line no: 6 as per your authenticator name
Next lines create users. You need to add however many users you need to create programmatically.
Syntax : cmo.createUser('user_name','user_password','user_description')
Now save these commands in a file with extension .py and execute as below:
# java weblogic.WLST create_user.py
If your script fails then try executing each command separately. For this start WLST session as below:
# java weblogic.WLST
Now execute commands specified in above script. You will be able to debug if anything went wrong while executing script.
Regards,
Kal
-
OSB - ALSB / WLST / Security / add entry with WLST in Access Control
Hello,
I try to reproduce with a WLST script the input from the console to declare a user on Access Control proxy (security).
sbconsole->$Proxy Service->Security->General Configuration->Access Control->Transport Access Control->Add Conditions
* First implementation without success with the com.bea.wli.sb.security.management.configuration.ServiceSecurityConfigurationMBean : accessControlSecurity1()
* Second try with the service definition of the proxy service but cannot parse with Xpath : accessControlSecurity2()
Any idea?
test case :
prerequisite
create an ALSB domain 10.3 (admin one with username='weblogic' password='weblogic' url='t3://localhost:7001') and create a proxy service on the default project
conf/setEnv.cmd
@CLS
@echo ON
@set BEA_HOME=D:\PRODUCT\MIDDLEWARE\SOA\OSB_10.3
@set WL_HOME=%BEA_HOME%\wlserver_10.3
@set OSB_HOME=%BEA_HOME%\osb_10.3
@set SCRIPTING_HOME=E:\PROJETS\RECURANT\EDF\linky\WLST\WORKING\Security
@set OSB_LIB=%OSB_HOME%/lib/sb-kernel-api.jar;%BEA_HOME%/modules/com.bea.alsb.statistics_1.0.1.0.jar;%OSB_HOME%/lib/sb-kernel-resources.jar;%OSB_HOME%/lib/sb-kernel-common.jar;%OSB_HOME%/lib/sb-kernel-impl.jar;%OSB_HOME%\lib\sb-security.jar;%OSB_HOME%/modules/com.bea.common.configfwk_1.3.0.0.jar;%BEA_HOME%/modules/com.bea.common.configfwk_1.2.0.0.jar;%BEA_HOME%/modules/com.bea.common.configfwk_1.2.1.0.jar;%OSB_HOME%/lib/modules/com.bea.alsb.resources.archive.jar;
@set TOOL_LIB=%SCRIPTING_HOME%\lib\log4j-1.2.15.jar;%SCRIPTING_HOME%\lib\jsch-0.1.43.jar;%SCRIPTING_HOME%\lib\db2jcc.jar
@set CLASSPATH=%OSB_LIB%;%TOOL_LIB%;%CLASSPATH%
@set CLASSPATH=%SCRIPTING_HOME%\lib\db2jcc.jar;%TOOL_LIB%;%CLASSPATH%
@set MODULE_LIB=%SCRIPTING_HOME%\lib
@call %WL_HOME%\server\bin\setWLSEnv.cmd > nul 2<&1
launch.cmd
@CLS
@echo OFF
@SETLOCAL
@call "conf\setEnv.cmd" > nul 2<&1
set PWD=%~dp0
%JAVA_HOME%\bin\java -Dmodule.lib=%MODULE_LIB% weblogic.WLST -skipWLSModuleScanning lib/security.py
lib/security.py
from com.bea.wli.monitoring import StatisticType
from java.util import HashMap
from java.util import HashSet
from java.util import ArrayList
from java.util import Collections
from java.io import FileInputStream
from java.io import FileOutputStream
from java.lang import String
from java.lang import Boolean
from java.lang import Long
from java.lang import System
from com.bea.wli.sb.util import EnvValueTypes
from com.bea.wli.config.env import EnvValueQuery;
from com.bea.wli.config import Ref
from com.bea.wli.config.customization import Customization
from com.bea.wli.config.customization import EnvValueCustomization
from com.bea.wli.config.customization import FindAndReplaceCustomization
from com.bea.wli.sb.management.configuration import SessionManagementMBean
from com.bea.wli.sb.management.configuration import ALSBConfigurationMBean
from com.bea.wli.sb.management.query import BusinessServiceQuery
from com.bea.wli.sb.management.query import ProxyServiceQuery
from com.bea.wli.sb.management.configuration import ServiceConfigurationMBean
import os
# before, create an ALSB domain 10.3 with a proxy service in the default project and add an Access Control Policy in the console
# sbconsole->Project Explorer->default->${proxy service}->Security->Access Control->Create Session->Add Conditions->User->USR_1->Add
# when we try to modify the Access Control Policy of the proxy service with the ServiceSecurityConfigurationMBean
def accessControlSecurity1( domain_name ):
    # connection
    print "\n\n\n***********************************************************************************************"
    connect( 'weblogic', 'weblogic', 't3://localhost:7001')
    domainRuntime()
    # create a session
    sessionName = String("SessionScript"+Long(System.currentTimeMillis()).toString())
    SessionMBean = findService( SessionManagementMBean.NAME ,SessionManagementMBean.TYPE)
    SessionMBean.createSession(sessionName)
    # get the ServiceSecurityConfigurationMBean
    serviceSecurityConfigurationMBean = findService(String("ServiceSecurityConfiguration.").concat(sessionName), "com.bea.wli.sb.security.management.configuration.ServiceSecurityConfigurationMBean")
    # get the XACMLAuthorizer
    working_directory=pwd()
    serverConfig()
    xacmlAuthorizer = cd('/SecurityConfiguration/%s/Realms/myrealm/Authorizers/XACMLAuthorizer' % domain_name )
    cd(working_directory)
    domainRuntime()
    # get service ref
    ConfigurationMBean = findService(String("ALSBConfiguration.").concat(sessionName), "com.bea.wli.sb.management.configuration.ALSBConfigurationMBean")
    bsQuery = ProxyServiceQuery()
    bsQuery.setPath("default/*")
    refs = ConfigurationMBean.getRefs(bsQuery)
    for ref in refs:
        print 'ref=%s'%ref
    # use the security Mbean to add : USER_A,USER_B,USER_C to the policy
    policyHolder = serviceSecurityConfigurationMBean.newAccessControlPolicyHolderInstance(xacmlAuthorizer)
    policyHolder.setPolicyExpression("Usr(USER_A,USER_B,USER_C)")
    policyScope = serviceSecurityConfigurationMBean.newDefaultMessagePolicyScope(ref)
    serviceSecurityConfigurationMBean.setAccessControlPolicy(policyScope,policyHolder)
    # print the service definition
    servConfMBean = findService( "%s.%s" % (ServiceConfigurationMBean.NAME, sessionName), ServiceConfigurationMBean.TYPE)
    serviceDefinition = servConfMBean.getServiceDefinition(ref)
    print serviceDefinition
    # we can see the security entry in the service definition as follows
    # <xml-fragment xmlns:ser="http://www.bea.com/wli/sb/services" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:tran="http://www.bea.com/wli/sb/transports" xmlns:env="http://www.bea.com/wli/config/env">
    # <ser:coreEntry isProxy="true" isEnabled="true" isAutoPublish="false">
    # <ser:description/>
    # <ser:security>
    # <con:access-control-policies xmlns:con="http://www.bea.com/wli/sb/services/security/config">
    # <con:message-level-policies>
    # <con1:default-policy xsi:type="con:ProviderPolicyContainerType" xmlns:con="http://www.bea.com/wli/sb/security/accesscontrol/config" xmlns:con1="http://www.bea.com/wli/sb/services/security/config">
    # <con:policy provider-id="XACMLAuthorizer">
    # <con:policy-expression>Usr(USER_A,USER_B,USER_C)</con:policy-expression>
    # </con:policy>
    # </con1:default-policy>
    # </con:message-level-policies>
    # </con:access-control-policies>
    # </ser:security>
    # but when we commit
    SessionMBean.activateSession(sessionName, "description for session activation")
    # we got the following exception
    # Unexpected error: com.bea.wli.config.session.SessionConflictException
    # No stack trace available.
    # Problem invoking WLST - Traceback (innermost last):
    # File "E:\PROJETS\RECURANT\EDF\linky\WLST\WORKING\Security\lib\security.py", line 246, in ?
    # File "E:\PROJETS\RECURANT\EDF\linky\WLST\WORKING\Security\lib\security.py", line 105, in accessControlSecurity1
    # com.bea.wli.config.session.SessionConflictException: Conflicts for session SessionScript1363339726764
    # [Non-Critical] Concurrent Modification Conflicts
    # NONE
    # [Critical] Resources with validation errors
    # 1 - ProxyService test/PS_TEST_bis CannotCommit
    # + CannotCommit [OSB Security:386836]Unnecessary proxy wide message access control policy found for service "test/PS_TEST_bis". Hint: The service is neither an active security
    # intermediary nor has custom authentication enabled. ServiceDiagnosticLocation[SECURITY_TAB]:DiagnosticLocation:<con:message-level-policies xmlns:ser="http://www.bea.com/wli/sb/services" xml
    # ns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:tran="http://www.bea.com/wli/sb/transports" xmlns:env="http://www.bea.com/wli/config/env" xmlns:con="http://www.bea.com/wli/sb/services/security/config">
    # <con1:default-policy xsi:type="con:ProviderPolicyContainerType" xmlns:con="http://www.bea.com/wli/sb/security/accesscontrol/config" xmlns:con1="http://www.bea.com/wli/sb/services/security/
    # config">
    # <con:policy provider-id="XACMLAuthorizer">
    # <con:policy-expression>Usr(USER_A,USER_B,USER_C)</con:policy-expression>
    # </con:policy>
    # </con1:default-policy>
    # </con:message-level-policies>
    # [Info] Informational messages
    # NONE
    # at com.bea.wli.config.session.SessionManager.commitSessionUnlocked(SessionManager.java:358)
    # at com.bea.wli.config.session.SessionManager.commitSession(SessionManager.java:339)
    # at com.bea.wli.config.session.SessionManager.commitSession(SessionManager.java:297)
    # at com.bea.wli.config.session.SessionManager.commitSession(SessionManager.java:306)
    disconnect()
# when we try to modify the Access Control Policy of the proxy service with the service XML definition
def accessControlSecurity2( domain_name ):
    # connection
    print "\n\n\n***********************************************************************************************"
    connect( 'weblogic', 'weblogic', 't3://localhost:7001')
    domainRuntime()
    # create a session
    sessionName = String("SessionScript"+Long(System.currentTimeMillis()).toString())
    SessionMBean = findService( SessionManagementMBean.NAME ,SessionManagementMBean.TYPE)
    SessionMBean.createSession(sessionName)
    # get service ref
    ConfigurationMBean = findService(String("ALSBConfiguration.").concat(sessionName), "com.bea.wli.sb.management.configuration.ALSBConfigurationMBean")
    bsQuery = ProxyServiceQuery()
    bsQuery.setPath("default/*")
    refs = ConfigurationMBean.getRefs(bsQuery)
    for ref in refs:
        print 'ref=%s'%ref
    servConfMBean = findService( "%s.%s" % (ServiceConfigurationMBean.NAME, sessionName), ServiceConfigurationMBean.TYPE)
    serviceDefinition = servConfMBean.getServiceDefinition(ref)
    # parsing the proxy definition
    nsSer = "declare namespace ser='http://www.bea.com/wli/sb/services'"
    nsXsi = "declare namespace xsi='http://www.w3.org/2001/XMLSchema-instance'"
    nsTran = "declare namespace tran='http://www.bea.com/wli/sb/transports'"
    nsEnv = "declare namespace env='http://www.bea.com/wli/config/env'"
    nsCon = "declare namespace con='http://www.bea.com/wli/sb/services/security/config'"
    nsCon1 = "declare namespace con1='http://www.bea.com/wli/sb/services/security/config'"
    # when we try to parse the following Xpath Expression, it's working but not sufficient to access the <con:policy-expression> element
    confPath = "ser:coreEntry/ser:security/con:access-control-policies/con1:transport-level-policy"
    confElem = serviceDefinition.selectPath(nsSer + nsXsi + nsTran + nsEnv + nsCon + nsCon1 + confPath )
    print "WORKING{%s}" % confElem
    # get the result
    # <xml-fragment xsi:type="con:ProviderPolicyContainerType" xmlns:con="http://www.bea.com/wli/sb/security/accesscontrol/config" xmlns:con1="http://www.bea.com/wli/sb/services/security/config" xmlns:ser="http://www.bea.com/wli/sb/services" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:tran="http://www.bea.com/wli/sb/transports" xmlns:env="http://www.bea.com/wli/config/env">
    # <con:policy provider-id="XACMLAuthorizer">
    # <con:policy-expression>Usr(USER_1,USER_2,USER_3)</con:policy-expression>
    # </con:policy>
    # </xml-fragment>
    # and when we try to access the <con:policy> element with the following Xpath expression we got an empty result
    confPath = "ser:coreEntry/ser:security/con:access-control-policies/con1:transport-level-policy/con:policy"
    confElem = serviceDefinition.selectPath(nsSer + nsXsi + nsTran + nsEnv + nsCon + nsCon1 + confPath )
print "DON'T WORKING{%s}" % confElem
# get empty result
# array([], org.apache.xmlbeans.XmlObject)
# want to modify the value like this on the <con:policy-expression> but cannot reach it ...
#confValue="Usr(USER_A,USER_B,USER_C)"
#confElem.setStringValue(confValue)
# commit
SessionMBean.activateSession(sessionName, "description for session activation")
disconnect
# print the service definition
def printServiceDefinition( domain_name ):
# connection
connect( 'weblogic', 'weblogic', 't3://localhost:7001')
domainRuntime()
# create a session
sessionName = String("SessionScript"+Long(System.currentTimeMillis()).toString())
SessionMBean = findService( SessionManagementMBean.NAME ,SessionManagementMBean.TYPE)
SessionMBean.createSession(sessionName)
# get service ref
ConfigurationMBean = findService(String("ALSBConfiguration.").concat(sessionName), "com.bea.wli.sb.management.configuration.ALSBConfigurationMBean")
bsQuery = ProxyServiceQuery()
bsQuery.setPath("default/*")
refs = ConfigurationMBean.getRefs(bsQuery)
for ref in refs:
print 'ref=%s'%ref
servConfMBean = findService( "%s.%s" % (ServiceConfigurationMBean.NAME, sessionName), ServiceConfigurationMBean.TYPE)
serviceDefinition = servConfMBean.getServiceDefinition(ref)
servConfMBean = findService( "%s.%s" % (ServiceConfigurationMBean.NAME, sessionName), ServiceConfigurationMBean.TYPE)
serviceDefinition = servConfMBean.getServiceDefinition(ref)
print serviceDefinition
# commit
SessionMBean.activateSession(sessionName, "description for session activation")
disconnect
#accessControlSecurity1('cluster_domain')
accessControlSecurity2('cluster_domain')Hello,
I try to reproduce with a WLST script the input from the console to declare users on the Access Control of a proxy service (security).
sbconsole->$Proxy Service->Security->General Configuration->Access Control->Transport Access Control->Add Conditions
* First implementation, without success, with the com.bea.wli.sb.security.management.configuration.ServiceSecurityConfigurationMBean: accessControlSecurity1()
* Second try with the service definition of the proxy service, but cannot parse with XPath: accessControlSecurity2()
Any idea?
Test case:
Prerequisite:
create an ALSB domain 10.3 (admin one with username='weblogic' password='weblogic' url='t3://localhost:7001') and create a proxy service on the default project
conf/setEnv.cmd
@CLS
@echo ON
@set BEA_HOME=D:\PRODUCT\MIDDLEWARE\SOA\OSB_10.3
@set WL_HOME=%BEA_HOME%\wlserver_10.3
@set OSB_HOME=%BEA_HOME%\osb_10.3
@set SCRIPTING_HOME=E:\PROJETS\RECURANT\EDF\linky\WLST\WORKING\Security
@set OSB_LIB=%OSB_HOME%/lib/sb-kernel-api.jar;%BEA_HOME%/modules/com.bea.alsb.statistics_1.0.1.0.jar;%OSB_HOME%/lib/sb-kernel-resources.jar;%OSB_HOME%/lib/sb-kernel-common.jar;%OSB_HOME%/lib/sb-kernel-impl.jar;%OSB_HOME%\lib\sb-security.jar;%OSB_HOME%/modules/com.bea.common.configfwk_1.3.0.0.jar;%BEA_HOME%/modules/com.bea.common.configfwk_1.2.0.0.jar;%BEA_HOME%/modules/com.bea.common.configfwk_1.2.1.0.jar;%OSB_HOME%/lib/modules/com.bea.alsb.resources.archive.jar;
@set TOOL_LIB=%SCRIPTING_HOME%\lib\log4j-1.2.15.jar;%SCRIPTING_HOME%\lib\jsch-0.1.43.jar;%SCRIPTING_HOME%\lib\db2jcc.jar
@set CLASSPATH=%OSB_LIB%;%TOOL_LIB%;%CLASSPATH%
@set CLASSPATH=%SCRIPTING_HOME%\lib\db2jcc.jar;%TOOL_LIB%;%CLASSPATH%
@set MODULE_LIB=%SCRIPTING_HOME%\lib
@call %WL_HOME%\server\bin\setWLSEnv.cmd > nul 2<&1
launch.cmd
@CLS
@echo OFF
@SETLOCAL
@call "conf\setEnv.cmd" > nul 2<&1
set PWD=%~dp0
%JAVA_HOME%\bin\java -Dmodule.lib=%MODULE_LIB% weblogic.WLST -skipWLSModuleScanning lib/security.py
lib/security.py
from com.bea.wli.monitoring import StatisticType
from java.util import HashMap
from java.util import HashSet
from java.util import ArrayList
from java.util import Collections
from java.io import FileInputStream
from java.io import FileOutputStream
from java.lang import String
from java.lang import Boolean
from java.lang import Long
from java.lang import System
from com.bea.wli.sb.util import EnvValueTypes
from com.bea.wli.config.env import EnvValueQuery
from com.bea.wli.config import Ref
from com.bea.wli.config.customization import Customization
from com.bea.wli.config.customization import EnvValueCustomization
from com.bea.wli.config.customization import FindAndReplaceCustomization
from com.bea.wli.sb.management.configuration import SessionManagementMBean
from com.bea.wli.sb.management.configuration import ALSBConfigurationMBean
from com.bea.wli.sb.management.query import BusinessServiceQuery
from com.bea.wli.sb.management.query import ProxyServiceQuery
from com.bea.wli.sb.management.configuration import ServiceConfigurationMBean
import os

# before, create an ALSB domain 10.3 with a proxy service in the default project and add an Access Control Policy in the console
# sbconsole->Project Explorer->default->${proxy service}->Security->Access Control->Create Session->Add Conditions->User->USR_1->Add

# when we try to modify the Access Control Policy of the proxy service with the ServiceSecurityConfigurationMBean
def accessControlSecurity1( domain_name ):
    # connection
    print "\n\n\n***********************************************************************************************"
    connect( 'weblogic', 'weblogic', 't3://localhost:7001')
    domainRuntime()
    # create a session
    sessionName = String("SessionScript"+Long(System.currentTimeMillis()).toString())
    SessionMBean = findService( SessionManagementMBean.NAME ,SessionManagementMBean.TYPE)
    SessionMBean.createSession(sessionName)
    # get the ServiceSecurityConfigurationMBean
    serviceSecurityConfigurationMBean = findService(String("ServiceSecurityConfiguration.").concat(sessionName), "com.bea.wli.sb.security.management.configuration.ServiceSecurityConfigurationMBean")
    # get the XACMLAuthorizer
    working_directory=pwd()
    serverConfig()
    xacmlAuthorizer = cd('/SecurityConfiguration/%s/Realms/myrealm/Authorizers/XACMLAuthorizer' % domain_name )
    cd(working_directory)
    domainRuntime()
    # get service ref
    ConfigurationMBean = findService(String("ALSBConfiguration.").concat(sessionName), "com.bea.wli.sb.management.configuration.ALSBConfigurationMBean")
    bsQuery = ProxyServiceQuery()
    bsQuery.setPath("default/*")
    refs = ConfigurationMBean.getRefs(bsQuery)
    for ref in refs:
        print 'ref=%s'%ref
        # use the security MBean to add : USER_A,USER_B,USER_C to the policy
        policyHolder = serviceSecurityConfigurationMBean.newAccessControlPolicyHolderInstance(xacmlAuthorizer)
        policyHolder.setPolicyExpression("Usr(USER_A,USER_B,USER_C)")
        policyScope = serviceSecurityConfigurationMBean.newDefaultMessagePolicyScope(ref)
        serviceSecurityConfigurationMBean.setAccessControlPolicy(policyScope,policyHolder)
        # print the service definition
        servConfMBean = findService( "%s.%s" % (ServiceConfigurationMBean.NAME, sessionName), ServiceConfigurationMBean.TYPE)
        serviceDefinition = servConfMBean.getServiceDefinition(ref)
        print serviceDefinition
        # we can see the security entry in the service definition as follows
        # <xml-fragment xmlns:ser="http://www.bea.com/wli/sb/services" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:tran="http://www.bea.com/wli/sb/transports" xmlns:env="http://www.bea.com/wli/config/env">
        # <ser:coreEntry isProxy="true" isEnabled="true" isAutoPublish="false">
        # <ser:description/>
        # <ser:security>
        # <con:access-control-policies xmlns:con="http://www.bea.com/wli/sb/services/security/config">
        # <con:message-level-policies>
        # <con1:default-policy xsi:type="con:ProviderPolicyContainerType" xmlns:con="http://www.bea.com/wli/sb/security/accesscontrol/config" xmlns:con1="http://www.bea.com/wli/sb/services/security/config">
        # <con:policy provider-id="XACMLAuthorizer">
        # <con:policy-expression>Usr(USER_A,USER_B,USER_C)</con:policy-expression>
        # </con:policy>
        # </con1:default-policy>
        # </con:message-level-policies>
        # </con:access-control-policies>
        # </ser:security>
    # but when we commit
    SessionMBean.activateSession(sessionName, "description for session activation")
    # we got the following exception
    # Unexpected error: com.bea.wli.config.session.SessionConflictException
    # No stack trace available.
    # Problem invoking WLST - Traceback (innermost last):
    # File "E:\PROJETS\RECURANT\EDF\linky\WLST\WORKING\Security\lib\security.py", line 246, in ?
    # File "E:\PROJETS\RECURANT\EDF\linky\WLST\WORKING\Security\lib\security.py", line 105, in accessControlSecurity1
    # com.bea.wli.config.session.SessionConflictException: Conflicts for session SessionScript1363339726764
    # [Non-Critical] Concurrent Modification Conflicts
    # NONE
    # [Critical] Resources with validation errors
    # 1 - ProxyService test/PS_TEST_bis CannotCommit
    # + CannotCommit [OSB Security:386836]Unnecessary proxy wide message access control policy found for service "test/PS_TEST_bis". Hint: The service is neither an active security
    # intermediary nor has custom authentication enabled. ServiceDiagnosticLocation[SECURITY_TAB]:DiagnosticLocation:<con:message-level-policies xmlns:ser="http://www.bea.com/wli/sb/services" xml
    # ns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:tran="http://www.bea.com/wli/sb/transports" xmlns:env="http://www.bea.com/wli/config/env" xmlns:con="http://www.bea.com/wli/sb/services/security/config">
    # <con1:default-policy xsi:type="con:ProviderPolicyContainerType" xmlns:con="http://www.bea.com/wli/sb/security/accesscontrol/config" xmlns:con1="http://www.bea.com/wli/sb/services/security/
    # config">
    # <con:policy provider-id="XACMLAuthorizer">
    # <con:policy-expression>Usr(USER_A,USER_B,USER_C)</con:policy-expression>
    # </con:policy>
    # </con1:default-policy>
    # </con:message-level-policies>
    # [Info] Informational messages
    # NONE
    # at com.bea.wli.config.session.SessionManager.commitSessionUnlocked(SessionManager.java:358)
    # at com.bea.wli.config.session.SessionManager.commitSession(SessionManager.java:339)
    # at com.bea.wli.config.session.SessionManager.commitSession(SessionManager.java:297)
    # at com.bea.wli.config.session.SessionManager.commitSession(SessionManager.java:306)
    disconnect()

# when we try to modify the Access Control Policy of the proxy service with the service XML definition
def accessControlSecurity2( domain_name ):
    # connection
    print "\n\n\n***********************************************************************************************"
    connect( 'weblogic', 'weblogic', 't3://localhost:7001')
    domainRuntime()
    # create a session
    sessionName = String("SessionScript"+Long(System.currentTimeMillis()).toString())
    SessionMBean = findService( SessionManagementMBean.NAME ,SessionManagementMBean.TYPE)
    SessionMBean.createSession(sessionName)
    # get service ref
    ConfigurationMBean = findService(String("ALSBConfiguration.").concat(sessionName), "com.bea.wli.sb.management.configuration.ALSBConfigurationMBean")
    bsQuery = ProxyServiceQuery()
    bsQuery.setPath("default/*")
    refs = ConfigurationMBean.getRefs(bsQuery)
    for ref in refs:
        print 'ref=%s'%ref
        servConfMBean = findService( "%s.%s" % (ServiceConfigurationMBean.NAME, sessionName), ServiceConfigurationMBean.TYPE)
        serviceDefinition = servConfMBean.getServiceDefinition(ref)
        # parsing the proxy definition
        nsSer = "declare namespace ser='http://www.bea.com/wli/sb/services'"
        nsXsi = "declare namespace xsi='http://www.w3.org/2001/XMLSchema-instance'"
        nsTran = "declare namespace tran='http://www.bea.com/wli/sb/transports'"
        nsEnv = "declare namespace env='http://www.bea.com/wli/config/env'"
        nsCon = "declare namespace con='http://www.bea.com/wli/sb/services/security/config'"
        nsCon1 = "declare namespace con1='http://www.bea.com/wli/sb/services/security/config'"
        # when we try to parse the following XPath expression, it works but is not sufficient to access the <con:policy-expression> element
        confPath = "ser:coreEntry/ser:security/con:access-control-policies/con1:transport-level-policy"
        confElem = serviceDefinition.selectPath(nsSer + nsXsi + nsTran + nsEnv + nsCon + nsCon1 + confPath )
        print "WORKING{%s}" % confElem
        # get the result
        # <xml-fragment xsi:type="con:ProviderPolicyContainerType" xmlns:con="http://www.bea.com/wli/sb/security/accesscontrol/config" xmlns:con1="http://www.bea.com/wli/sb/services/security/config" xmlns:ser="http://www.bea.com/wli/sb/services" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:tran="http://www.bea.com/wli/sb/transports" xmlns:env="http://www.bea.com/wli/config/env">
        # <con:policy provider-id="XACMLAuthorizer">
        # <con:policy-expression>Usr(USER_1,USER_2,USER_3)</con:policy-expression>
        # </con:policy>
        # </xml-fragment>
        # and when we try to access the <con:policy> element with the following XPath expression we get an empty result
        confPath = "ser:coreEntry/ser:security/con:access-control-policies/con1:transport-level-policy/con:policy"
        confElem = serviceDefinition.selectPath(nsSer + nsXsi + nsTran + nsEnv + nsCon + nsCon1 + confPath )
        print "DON'T WORKING{%s}" % confElem
        # get empty result
        # array([], org.apache.xmlbeans.XmlObject)
        # want to modify the value like this on the <con:policy-expression> but cannot reach it ...
        #confValue="Usr(USER_A,USER_B,USER_C)"
        #confElem.setStringValue(confValue)
    # commit
    SessionMBean.activateSession(sessionName, "description for session activation")
    disconnect()

# print the service definition
def printServiceDefinition( domain_name ):
    # connection
    connect( 'weblogic', 'weblogic', 't3://localhost:7001')
    domainRuntime()
    # create a session
    sessionName = String("SessionScript"+Long(System.currentTimeMillis()).toString())
    SessionMBean = findService( SessionManagementMBean.NAME ,SessionManagementMBean.TYPE)
    SessionMBean.createSession(sessionName)
    # get service ref
    ConfigurationMBean = findService(String("ALSBConfiguration.").concat(sessionName), "com.bea.wli.sb.management.configuration.ALSBConfigurationMBean")
    bsQuery = ProxyServiceQuery()
    bsQuery.setPath("default/*")
    refs = ConfigurationMBean.getRefs(bsQuery)
    for ref in refs:
        print 'ref=%s'%ref
        servConfMBean = findService( "%s.%s" % (ServiceConfigurationMBean.NAME, sessionName), ServiceConfigurationMBean.TYPE)
        serviceDefinition = servConfMBean.getServiceDefinition(ref)
        print serviceDefinition
    # commit
    SessionMBean.activateSession(sessionName, "description for session activation")
    disconnect()

#accessControlSecurity1('cluster_domain')
accessControlSecurity2('cluster_domain')
-
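Why the second XPath in the post above comes back empty, as an added example that is not the poster's code: the `con` prefix is re-bound to a different namespace on the policy container, so `con:policy` in the query points at the wrong URI. This is standalone Python with `xml.etree.ElementTree` rather than WLST/XMLBeans; the sample document is constructed from the fragments printed in the post, and the `acl` prefix and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Namespace URIs exactly as they appear in the service definition printed in the post.
SER = "http://www.bea.com/wli/sb/services"
SVC_SEC = "http://www.bea.com/wli/sb/services/security/config"
ACL = "http://www.bea.com/wli/sb/security/accesscontrol/config"

# Constructed sample assembled from the fragments in the post. The prefix "con"
# is bound to SVC_SEC on <con:access-control-policies> and then re-bound to ACL
# on the transport-level-policy element.
SERVICE_XML = """\
<xml-fragment xmlns:ser="http://www.bea.com/wli/sb/services"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <ser:coreEntry isProxy="true" isEnabled="true" isAutoPublish="false">
    <ser:security>
      <con:access-control-policies
          xmlns:con="http://www.bea.com/wli/sb/services/security/config">
        <con1:transport-level-policy xsi:type="con:ProviderPolicyContainerType"
            xmlns:con="http://www.bea.com/wli/sb/security/accesscontrol/config"
            xmlns:con1="http://www.bea.com/wli/sb/services/security/config">
          <con:policy provider-id="XACMLAuthorizer">
            <con:policy-expression>Usr(USER_1,USER_2,USER_3)</con:policy-expression>
          </con:policy>
        </con1:transport-level-policy>
      </con:access-control-policies>
    </ser:security>
  </ser:coreEntry>
</xml-fragment>
"""

# Path to the policy container, written with the prefixes the post uses.
CONTAINER = ("ser:coreEntry/ser:security/"
             "con:access-control-policies/con1:transport-level-policy")

# Prefix map equivalent to the post's "declare namespace" strings:
# con and con1 both point at SVC_SEC.
POSTED_PREFIXES = {"ser": SER, "con": SVC_SEC, "con1": SVC_SEC}

# Same map plus a separate (hypothetical) prefix "acl" for the namespace that
# <policy> and <policy-expression> actually belong to.
FIXED_PREFIXES = dict(POSTED_PREFIXES, acl=ACL)


def parse(xml_text=SERVICE_XML):
    return ET.fromstring(xml_text)


def posted_container_query(root):
    """First XPath from the post: finds the policy container."""
    return root.findall(CONTAINER, POSTED_PREFIXES)


def posted_policy_query(root):
    """Second XPath from the post: con:policy resolves to SVC_SEC, so no match."""
    return root.findall(CONTAINER + "/con:policy", POSTED_PREFIXES)


def qualified_names(root):
    """Diagnostic: expanded {namespace}local names of the container and its descendants."""
    container = posted_container_query(root)[0]
    return [element.tag for element in container.iter()]


def fixed_policy_expressions(root):
    """Query the policy expression using the namespace the elements really carry."""
    return root.findall(CONTAINER + "/acl:policy/acl:policy-expression",
                        FIXED_PREFIXES)


def set_transport_policy(root, expression):
    """Replace the transport-level policy expression; refuse ambiguous matches."""
    nodes = fixed_policy_expressions(root)
    if len(nodes) != 1:
        raise LookupError("expected exactly one policy-expression, found %d"
                          % len(nodes))
    nodes[0].text = expression
    return nodes[0]


if __name__ == "__main__":
    tree = parse()
    print("posted query matches:", len(posted_policy_query(tree)))
    for name in qualified_names(tree):
        print("  ", name)
    set_transport_policy(tree, "Usr(USER_A,USER_B,USER_C)")
    print("updated:", fixed_policy_expressions(tree)[0].text)
```

A prefix in an XPath query is resolved through the query's own declarations, not through the prefixes written in the document, so listing the expanded names as `qualified_names` does is a quick way to see which URI each step needs.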
Setup SAML 2.0 Service Provider using WLST Offline
Is this possible http://weblogic.sys-con.com/node/1455841 to do using WLST offline?
I enabled "DebugSecurityAtn" as suggested - and "DebugHttpSessions" as well.
Unfortunately, I'm still not sure what's happening though.
Here are all my "Authentication Providers" in the order listed in the Console:
- DefaultAuthenticator : Control Flags=SUFFICIENT
- DefaultIdentityAsserter : No "Active Type"
- saml2IA (SAML 2.0 Identity Assertion Provider)
- samlauth (SAML Authentication Provider): SUFFICIENT
This is an excerpt of the updated server log:
<SecuritySAMLAtn> <SAMLIALoginModule: commit(): SAML IA LoginModule Group Added>
<SecurityAtn> <weblogic.security.service.internal.WLSJAASLoginServiceImpl$ServiceImpl.authenticate login succeeded and myuser was not previously locked out>
<SecurityAtn> <com.bea.common.security.internal.service.IdentityCacheServiceImpl.cachedIdentity(Subject: 3
Principal = class weblogic.security.principal.WLSUserImpl("myuser")
Principal = class weblogic.security.principal.WLSGroupImpl("grp_a")
Principal = class weblogic.security.principal.WLSGroupImpl("grp_b")
)>
<HttpSessions> <[HTTP Session:100046]Creating new session with ID: nVm... for Web application: /saml2.>
<SecuritySAML2Service> <Using redirect URL from request cache: 'https://localhost:1234/MyApp/secure/index.html'>
<SecuritySAML2Service> <Redirecting to URL: https://localhost:1234/MyApp/secure/index.html>
<HttpSessions> <[HTTP Session:100078]HTTPSession with id: "nVm..." is of size 84 bytes.>
<SecuritySAML2Service> <SAML2Filter: Processing request on URI '/MyApp/secure/index.html;jsessionid=nVm...'>
<SecuritySAML2Service> <getServiceTypeFromURI(): request URI is not a service URI>
<SecuritySAML2Service> <getServiceTypeFromURI(): returning service type 'SPinitiator'>
Thank you,
Patrick -
NoSuchMethodException thrown when creating new authentication provider via console
I am trying to implement a custom authentication provider in WLS 7.0. I have started with the SimpleSampleAuthenticationProvider from the BEA code samples and followed the instructions to create an MBean type. When I try to create the new authentication provider (MyAuthenticator) from the console, I get a NoSuchMethodException with the following message:
[java.lang.NoSuchMethodException: couldn't find getter for 'Name' on com.ba.security.authentication.MyAuthenticatorMBean].
Sure enough, there is no "getName" method in this interface, but the documentation doesn't say anything about creating a "Name" attribute in the MDF, only the ProviderClassName, Description and Version.
Despite the exception the provider is created; however, the console doesn't display any information for the Name, Description or Version. In fact "Name" doesn't even appear as a label (just a colon). Also, it can't be deleted by clicking on the trash can icon. It says it has been deleted, but it hasn't. The platform is Solaris 2.7.
Thanks for any help,
David
David,
We had similar issues initially and although nobody could tell us why (and we didn't have the time to investigate further) it was resolved when the classes from the M-Bean JAR were removed from the server classpath (just the JAR file is in the lib/mbeantypes directory of the server).
I have a support case and BEA support should have opened a documentation CR to correct the documentation to inform about this issue (the CR is 094803 and the support case number is 376218)
HTH,
Dejan
David wrote:
I am trying to implement a custom authentication provider in WLS 7.0. I have started with the SimpleSampleAuthenticationProvider from the BEA code samples and followed the instructions to create an MBean type. When I try to create the new authentication provider (MyAuthenticator) from the console, I get a NoSuchMethodException with the following message:
[java.lang.NoSuchMethodException: couldn't find getter for 'Name' on com.ba.security.authentication.MyAuthenticatorMBean].
Sure enough, there is no "getName" method in this interface, but the documentation doesn't say anything about creating a "Name" attribute in the MDF, only the ProviderClassName, Description and Version.
Despite the exception the provider is created; however, the console doesn't display any information for the Name, Description or Version. In fact "Name" doesn't even appear as a label (just a colon). Also, it can't be deleted by clicking on the trash can icon. It says it has been deleted, but it hasn't. The platform is Solaris 2.7.
Thanks for any help,
David -
I would love some help with this issue. I have configured my SharePoint Foundation 2010 site to use Claims Based Auth with the Certificate authentication method with ADFS 2.0. I have a test account set up with lab.acme.com to use the ACS.
When I log into my site using Windows Auth, everything is great. However, when I log in and select my ACS token issuer, I get sent to the logon page of the ADFS after selecting the ADFS method. My browser prompts me for which certificate identity I want to use to log in, and after 3-5 seconds it returns me to the logon page with the error message “Authentication failed”.
I based my setup on the TechNet article
http://blogs.technet.com/b/speschka/archive/2010/07/30/configuring-sharepoint-2010-and-adfs-v2-end-to-end.aspx
I validated that all my certificates are valid and able to retrieve the CRL.
I got event log ID 300:
The Federation Service failed to issue a token as a result of an error during processing of the WS-Trust request.
Request type: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Additional Data
Exception details:
Microsoft.IdentityModel.SecurityTokenService.FailedAuthenticationException: MSIS3019: Authentication failed. ---> System.IdentityModel.Tokens.SecurityTokenValidationException:
ID4070: The X.509 certificate 'CN=Me, OU=People, O=Acme., C=COM' chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. 'A certification chain processed
correctly, but one of the CA certificates is not trusted by the policy provider.
at Microsoft.IdentityModel.X509CertificateChain.Build(X509Certificate2 certificate)
at Microsoft.IdentityModel.Tokens.X509NTAuthChainTrustValidator.Validate(X509Certificate2 certificate)
at Microsoft.IdentityModel.Tokens.X509SecurityTokenHandler.ValidateToken(SecurityToken token)
at Microsoft.IdentityModel.Tokens.SecurityTokenElement.GetSubject()
at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
--- End of inner exception stack trace ---
at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.BeginGetScope(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
at Microsoft.IdentityModel.SecurityTokenService.SecurityTokenService.BeginIssue(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.DispatchRequestAsyncResult..ctor(DispatchContext dispatchContext, AsyncCallback asyncCallback, Object asyncState)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.BeginDispatchRequest(DispatchContext dispatchContext, AsyncCallback asyncCallback, Object asyncState)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.ProcessCoreAsyncResult..ctor(WSTrustServiceContract contract, DispatchContext dispatchContext, MessageVersion messageVersion, WSTrustResponseSerializer responseSerializer, WSTrustSerializationContext
serializationContext, AsyncCallback asyncCallback, Object asyncState)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.BeginProcessCore(Message requestMessage, WSTrustRequestSerializer requestSerializer, WSTrustResponseSerializer responseSerializer, String requestAction, String responseAction, String
trustNamespace, AsyncCallback callback, Object state)
System.IdentityModel.Tokens.SecurityTokenValidationException: ID4070: The X.509 certificate 'CN=Me, OU=People, O=acme., C=com' chain building
failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. 'A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider.
at Microsoft.IdentityModel.X509CertificateChain.Build(X509Certificate2 certificate)
at Microsoft.IdentityModel.Tokens.X509NTAuthChainTrustValidator.Validate(X509Certificate2 certificate)
at Microsoft.IdentityModel.Tokens.X509SecurityTokenHandler.ValidateToken(SecurityToken token)
at Microsoft.IdentityModel.Tokens.SecurityTokenElement.GetSubject()
at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
thx
Stef71
This is perfectly correct. In my case I was not adding the root properly: you must add the CA and the ADFS as well, which is twice. You can see my results below.
In my case it was:
PS C:\Users\administrator.domain> $root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\cer\SP2K10\ad0001.cer")
PS C:\Users\administrator.domain> New-SPTrustedRootAuthority -Name "domain.ad0001" -Certificate $root
Certificate : [Subject]
CN=domain.AD0001CA, DC=domain, DC=com
[Issuer]
CN=domain.AD0001CA, DC=portal, DC=com
[Serial Number]
blablabla
[Not Before]
22/07/2014 11:32:05
[Not After]
22/07/2024 11:42:00
[Thumbprint]
blablabla
Name : domain.ad0001
TypeName : Microsoft.SharePoint.Administration.SPTrustedRootAuthority
DisplayName : domain.ad0001
Id : blablabla
Status : Online
Parent : SPTrustedRootAuthorityManager
Version : 17164
Properties : {}
Farm : SPFarm Name=SharePoint_Config
UpgradedPersistedProperties : {}
PS C:\Users\administrator.domain> $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\cer\SP2K10\ADFS_Signing.cer")
PS C:\Users\administrator.domain> New-SPTrustedRootAuthority -Name "Token Signing Cert" -Certificate $cert
Certificate : [Subject]
CN=ADFS Signing - adfs.domain
[Issuer]
CN=ADFS Signing - adfs.domain
[Serial Number]
blablabla
[Not Before]
23/07/2014 07:14:03
[Not After]
23/07/2015 07:14:03
[Thumbprint]
blablabla
Name : Token Signing Cert
TypeName : Microsoft.SharePoint.Administration.SPTrustedRootAuthority
DisplayName : Token Signing Cert
Id : blablabla
Status : Online
Parent : SPTrustedRootAuthorityManager
Version : 17184
Properties : {}
Farm : SPFarm Name=SharePoint_Config
UpgradedPersistedProperties : {}
PS C:\Users\administrator.PORTAL> -
I would like to be provided with a download for the older version of adobe shape 1.2.0 please!
If you've been backing up to your local iTunes library, check your APPS pane to see if you have an older version of Shape stored locally. If you do, you can delete Shape from your phone, connect your phone to your computer, and drag the older version from your iTunes library onto your device. That's what I did to go back to the older version, which produced shapes that work much better for my purposes.
Adobe, it seems like with the newest version of Shape, you made DRASTIC changes to the way the app processes images into shapes. Is there any way for us to opt for the older version of processing? Or to toggle between the two? -
Custom Authentication Provider and User Manage like SQLAuthenticator, How?
Hi everyone,
I faced a problem with the login function of my portal (WebCenter application). The problem is:
- Allow users to log in with users that are stored in another system. I must communicate using low-level sockets. This really is not a problem.
- If a user logged in, for the first time of logging in, I must store them in some identity store (maybe database tables).
- View users in the WebLogic Console. To do that, I know that I must implement something, but I don't know what.
Here is my work:
- I created a custom authentication provider and configured it in the Admin Console. But I don't know what I should implement to view users and groups in the Admin Console.
- I cannot log in: after I created a simple application for testing, I cannot log in, even when I tested with the SQLAuthenticator provider and the original DefaultProvider. In the logging console, I saw everything I printed in the code of the login module.
Here is my code:
<?xml version="1.0" ?>
<MBeanType Name = "OrkitVASPortal" DisplayName = "OrkitVASPortal"
    Package = "orkit"
    Extends = "weblogic.management.security.authentication.Authenticator"
    PersistPolicy = "OnUpdate">
    <MBeanAttribute
        Name = "ProviderClassName"
        Type = "java.lang.String"
        Writeable = "false"
        Default = "&quot;orkit.OrkitVASPortalProviderImpl&quot;"
    />
    <MBeanAttribute
        Name = "Description"
        Type = "java.lang.String"
        Writeable = "false"
        Default = "&quot;WebLogic Simple Sample Audit Provider&quot;"
    />
    <MBeanAttribute
        Name = "Version"
        Type = "java.lang.String"
        Writeable = "false"
        Default = "&quot;1.0&quot;"
    />
    <MBeanAttribute
        Name = "LogFileName"
        Type = "java.lang.String"
        Default = "&quot;SimpleSampleAuditor.log&quot;"
    />
</MBeanType>
package orkit;

import java.util.HashMap;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import weblogic.management.security.ProviderMBean;
import weblogic.security.provider.PrincipalValidatorImpl;
import weblogic.security.spi.*;

public final class OrkitVASPortalProviderImpl implements AuthenticationProviderV2 {

    private String description;
    private LoginModuleControlFlag controlFlag;

    public OrkitVASPortalProviderImpl() {
        System.out.println("The Orkit VASPortal Provider Implemented!!!!!");
    }

    @Override
    public IdentityAsserterV2 getIdentityAsserter() {
        return null;
    }

    // Our mapping of users to passwords/groups, instead of being in LDAP or in a
    // database, is represented by a HashMap of MyUserDetails objects..
    public class MyUserDetails {
        String pw;
        String group;

        // We use this to represent the user's groups and passwords
        public MyUserDetails(String pw, String group) {
            this.pw = pw;
            this.group = group;
        }

        public String getPassword() {
            return pw;
        }

        public String getGroup() {
            return group;
        }
    }

    // This is our database
    private HashMap userGroupMapping = null;

    public void initialize(ProviderMBean mbean, SecurityServices services) {
        System.out.println("The Orkit VASPortal Provider is intializing......");
        OrkitVASPortalMBean myMBean = (OrkitVASPortalMBean) mbean;
        description = myMBean.getDescription() + "\n" + myMBean.getVersion();
        System.err.println("#In realm:" + myMBean.getRealm().wls_getDisplayName());
        // We would typically use the realm name to find the database
        // we want to use for authentication. Here, we just create one.
        userGroupMapping = new HashMap();
        userGroupMapping.put("a", new MyUserDetails("passworda", "g1"));
        userGroupMapping.put("b", new MyUserDetails("passwordb", "g2"));
        userGroupMapping.put("system", new MyUserDetails("12341234",
                "Administrators"));
        String flag = myMBean.getControlFlag();
        if (flag.equalsIgnoreCase("REQUIRED")) {
            controlFlag = LoginModuleControlFlag.REQUIRED;
        } else if (flag.equalsIgnoreCase("OPTIONAL")) {
            controlFlag = LoginModuleControlFlag.OPTIONAL;
        } else if (flag.equalsIgnoreCase("REQUISITE")) {
            controlFlag = LoginModuleControlFlag.REQUISITE;
        } else if (flag.equalsIgnoreCase("SUFFICIENT")) {
            controlFlag = LoginModuleControlFlag.SUFFICIENT;
        } else {
            throw new IllegalArgumentException("Invalid control flag " + flag);
        }
    }

    public AppConfigurationEntry getLoginModuleConfiguration() {
        HashMap options = new HashMap();
        options.put("usermap", userGroupMapping);
        System.out.println("UserMap: " + options);
        return new AppConfigurationEntry(
                "orkit.OrkitVASPortalLoginModule",
                controlFlag, options);
    }

    public String getDescription() {
        return description;
    }

    public PrincipalValidator getPrincipalValidator() {
        return new PrincipalValidatorImpl();
    }

    public AppConfigurationEntry getAssertionModuleConfiguration() {
        return null;
    }

    // public IdentityAsserter getIdentityAsserter() {
    //     return null;
    // }

    public void shutdown() {
    }
}
/*
 * To change this template, choose Tools | Templates
 * and open the template in the editor.
 */
package orkit;

import orkit.OrkitVASPortalProviderImpl;
import java.io.IOException;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
import weblogic.security.principal.WLSGroupImpl;
import weblogic.security.principal.WLSUserImpl;

/**
 * This login module will be called by our Authentication Provider. It assumes
 * that the option, usermap, will be passed which contains the map of users to
 * passwords and groups.
 */
public class OrkitVASPortalLoginModule implements LoginModule {
    private Subject subject;
    private CallbackHandler callbackHandler;
    private HashMap userMap;
    // Authentication status
    private boolean loginSucceeded;
    private boolean principalsInSubject;
    private Vector principalsBeforeCommit = new Vector();

    public void initialize(Subject subject, CallbackHandler callbackHandler,
            Map sharedState, Map options) {
        this.subject = subject;
        this.callbackHandler = callbackHandler;
        // Fetch user/password map that should be set by the authenticator
        userMap = (HashMap) options.get("usermap");
    }

    /**
     * Called once after initialize to try and log the person in
     */
    public boolean login() throws LoginException {
        // First thing we do is create an array of callbacks so that
        // we can get the data from the user
        Callback[] callbacks;
        callbacks = new Callback[2];
        callbacks[0] = new NameCallback("username: ");
        callbacks[1] = new PasswordCallback("password: ", false);
        try {
            callbackHandler.handle(callbacks);
        } catch (IOException eio) {
            throw new LoginException(eio.toString());
        } catch (UnsupportedCallbackException eu) {
            throw new LoginException(eu.toString());
        }
        String username = ((NameCallback) callbacks[0]).getName();
        System.out.println("Username: " + username);
        char[] pw = ((PasswordCallback) callbacks[1]).getPassword();
        String password = new String(pw);
        System.out.println("PASSWORD: " + password);
        if (username.length() > 0) {
            if (!userMap.containsKey(username)) {
                throw new FailedLoginException("Authentication Failed: Could not find user:" + username);
            } else {
                System.out.println("Contstainded Username");
            }
            String realPassword = ((OrkitVASPortalProviderImpl.MyUserDetails) userMap.get(username)).getPassword();
            if (realPassword == null || !realPassword.equals(password)) {
                throw new FailedLoginException("Authentication Failed: Password incorrect for user" + username);
            } else {
                System.out.println("Everyitng OKIE");
            }
        } else {
            // No Username, so anonymous access is being attempted
        }
        loginSucceeded = true;
        // We collect some principals that we would like to add to the user
        // once this is committed.
        // First, we add his username itself
        principalsBeforeCommit.add(new WLSUserImpl(username));
        // Now we add his group
        principalsBeforeCommit.add(new WLSGroupImpl(((OrkitVASPortalProviderImpl.MyUserDetails) userMap.get(username)).getGroup()));
        return loginSucceeded;
    }

    public boolean commit() throws LoginException {
        if (loginSucceeded) {
            // Add the principals collected in login() to the subject
            // (the posted code called removeAll here, which adds nothing)
            subject.getPrincipals().addAll(principalsBeforeCommit);
            principalsInSubject = true;
            return true;
        } else {
            return false;
        }
    }

    public boolean abort() throws LoginException {
        if (principalsInSubject) {
            subject.getPrincipals().removeAll(principalsBeforeCommit);
            principalsInSubject = false;
        }
        return true;
    }

    public boolean logout() throws LoginException {
        return true;
    }
}
and the OrkitVASPortalMBean & OrkitVASPortalImpl classes created by the MBeanMaker tool.
Can someone help?
Thanks in advance!
Hi,
SQLAuthenticator is not yet supported with UCM 11g due to some JPS Provider limitations.
Currently there is an Enhancement request for this.
Thanks
Srinath -
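Added example, not part of the original posts or of any Oracle sample: a minimal JAAS login module showing the contract the posted module follows, where login() only collects principals, commit() adds them to the Subject, and abort() and logout() take them back out, with the password wiped after use and never written to output. The class name, the constructed "usermap" of plaintext char[] passwords (mirroring the posted HashMap) and the JDK's UserPrincipal in place of WLSUserImpl are assumptions; a real provider would verify against a credential store.

```java
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
import com.sun.security.auth.UserPrincipal;   // JDK principal, stand-in for WLSUserImpl
public class SketchLoginModule implements LoginModule {   // hypothetical name
    private Subject subject;
    private CallbackHandler handler;
    private Map<String, char[]> users;   // "usermap" option, constructed for this sketch
    private final Set<UserPrincipal> pending = new HashSet<>();
    private boolean loginSucceeded;
    @SuppressWarnings("unchecked")
    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        subject = s; handler = h; users = (Map<String, char[]>) opts.get("usermap");
    }
    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("username: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try { handler.handle(new Callback[] { nc, pc }); }
        catch (java.io.IOException | UnsupportedCallbackException e) { throw new LoginException(e.toString()); }
        String name = nc.getName();
        char[] given = pc.getPassword();           // a copy; never printed, wiped below
        pc.clearPassword();
        char[] expected = (name == null) ? null : users.get(name);
        boolean ok = expected != null && given != null && Arrays.equals(expected, given);
        if (given != null) Arrays.fill(given, '\0');
        // One message for unknown user and wrong password, so the reply does not reveal which it was.
        if (!ok) throw new FailedLoginException("Authentication failed");
        pending.add(new UserPrincipal(name));
        return loginSucceeded = true;
    }
    public boolean commit() {
        if (loginSucceeded) subject.getPrincipals().addAll(pending);   // commit adds what login() collected
        return loginSucceeded;
    }
    public boolean abort() { return loginSucceeded && logout(); }
    public boolean logout() {                       // undo exactly what commit() added
        subject.getPrincipals().removeAll(pending);
        pending.clear(); loginSucceeded = false;
        return true;
    }
    public static void main(String[] args) throws Exception {
        CallbackHandler h = cbs -> { ((NameCallback) cbs[0]).setName("a");
                                     ((PasswordCallback) cbs[1]).setPassword("passworda".toCharArray()); };
        Subject subj = new Subject(); SketchLoginModule m = new SketchLoginModule();
        m.initialize(subj, h, Map.of(), Map.of("usermap", Map.of("a", "passworda".toCharArray())));
        System.out.println(m.login() && m.commit() ? subj.getPrincipals() : "denied");
    }
}
```

The main method drives the module directly with a constructed user "a"; under a container the same three calls are made by the JAAS LoginContext.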
How to remove custom authentication provider in weblogic server 11g
Hi ,
I am trying to remove the custom authentication provider in weblogic server 11g. It disappears when I delete it from the list of authentication providers, but upon server restart it appears again.
Documentation for 10g says delete it from service administration but I couldn't find one in 11g. Please help me in removing the custom authentication provider.
Thanks
Sandeep
You can try editing the config.xml file and removing it there. (Re: After provider reorder I cannot login admin server console)
If you are referring to a jar file - custom authenticators are usually placed in the <middleware-home>wlserver_10.3/server/lib/mbeantypes/ directory.
-
Hi,
I've managed to configure my farm so that Microsoft Online Directory Services (Office 365 etc.) can be used for STS authentication, but what I'm actually trying to do is allow user authentication - that is, I'm hoping to be able to use the user's O365 credentials to authenticate them in my own farm so they can view certain parts of it. If I need to write my own login form or authentication provider or whatever that's fine, as long as the user doesn't need to enter anything when they access my farm (provided they already have cached O365 credentials in their browser session).
FWIW I actually need to be able to support the possibility that users are coming from multiple O365 tenancies, whereby each site collection will be configured to allow users from a different O365 tenancy (more or less).
If it's not possible to do with my own development farm on a PC, is it possible if the farm is hosted in Azure?
Thanks
Dylan
Hi Dylan,
According to your description, my understanding is that you want to use Microsoft Online Directory Services as a user authentication provider for your SharePoint farm.
For your demand, you can configure a hybrid topology for your SharePoint farm:
http://technet.microsoft.com/en-us/library/jj838715(v=office.15).aspx
http://technet.microsoft.com/en-us/library/dn197168(v=office.15).aspx
Thanks,
Eric