Dynamically manage role permissions using JAAS

Hi All,
I'm pretty much a newbie to JAAS and I need your help with the following requirement we have in our application.
We have a set of predefined permissions that we know at development time and can assign to EJBs. We need to be able to assign those permissions to roles in the organization through an API in the application.
We can't use simple role-based security, as the most granular actors in our application are roles, so we need to assign the permissions to the roles and not directly to the users (which are eventually assigned a role, managed in the customer user store).
As I mentioned before, the permissions are a closed set and are not configurable. The only configuration is who gets those permissions, and that ability should be given to the Admin of our application.
We considered using a hierarchy of roles, giving each logical role a set of permission-roles and using the standard role-based EJB security. For that we considered a custom login module to flatten the list of roles.
Let me know what you think and if there's any best practice for such a scenario.
Just one thing: we want to stay in the JAAS realm as much as possible and avoid using some other security framework.
Thanks,
Eyal

JHeadstart uses roles and permissions only for maintenance reasons (for example, to quickly assign a number of permissions to a user). In runtime, differences between roles and permissions are discarded and both are treated the same. So, it is then comparable to JAAS, which only distinguishes between users and roles (called groups in OID).
The actual setup of the OID and JAAS is not part of JHeadstart. JHeadstart just uses the JAAS provider (when in JAAS mode) to check for the required roles (= permissions) for the current group.
Paco van der Linden,
JHeadstart Team.

Similar Messages

  • How to map roles by using JAAS

    Dear all,
    I am implementing JAAS by using my own custom LoginModule, which will access my database, get the user login and password, and do the verification myself.
    And I know that I need to set the security roles and security constraint in web.xml, and I have set Login Configuration to Form-Based Authentication.
    Here is part of my web.xml:
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>LogonMain</web-resource-name>
            <url-pattern>*.do</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>manager</role-name>
            <role-name>sales</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>LogonMain.jsp</form-login-page>
            <form-error-page>LogonMain.jsp</form-error-page>
        </form-login-config>
    </login-config>
    <security-role>
        <role-name>manager</role-name>
    </security-role>
    <security-role>
        <role-name>sales</role-name>
    </security-role>
    <security-role>
        <role-name>staff</role-name>
    </security-role>
    Here is my question: it seems that all data actions in my pages are protected, and I don't know how to map a particular user to the role that I define in web.xml.
    So even though I logged in, I still cannot perform data actions.
    Could anyone be so kind as to tell me what I could do in this case for a custom login module which accesses the database to get the user login and password?
    I appreciate your help!
    Thanks
    Kenny

    Hi Matthew,
    So the mapping is defined in orion-application.xml, right?
    I have something like this:
    <?xml version = '1.0' encoding = 'windows-1252'?>
    <!DOCTYPE orion-application PUBLIC "-//Evermind//DTD J2EE Application runtime 1.2//EN" "http://xmlns.oracle.com/ias/dtds/orion-application.dtd">
    <orion-application>
        <web-module id="dbLoginModule" path="dbLoginModule.war"/>
        <library path="d:\oc4j904\jdbc\lib"/>
        <!-- mapping for DB Login Module -->
        <security-role-mapping name="manager">
            <user name="ITAH01" />
        </security-role-mapping>
        <jazn provider="XML">
            <property name="role.mapping.dynamic" value="true"/>
        </jazn>
        <log>
            <file path="application.log"/>
        </log>
        <data-sources path="./data-sources.xml"/>
        <namespace-access>
            <read-access>
                <namespace-resource root="">
                    <security-role-mapping name="&lt;jndi-user-role>">
                        <group name="administrators"/>
                    </security-role-mapping>
                </namespace-resource>
            </read-access>
            <write-access>
                <namespace-resource root="">
                    <security-role-mapping name="&lt;jndi-user-role>">
                        <group name="administrators"/>
                    </security-role-mapping>
                </namespace-resource>
            </write-access>
        </namespace-access>
    </orion-application>
    Just wondering, where should the library path point to?
    <library path="d:\oc4j904\jdbc\lib"/> is the default path.

  • Permissions When Using JAAS/JAAS with JHS

    Is it possible to keep ROLEs and PERMISSIONs in OID and still use JHS security? Or if we want to use JHS permission model, it is mandatory to use role-permission tables of JHS? If it is possible to use OID as the repository entirely, how? Is permission supported in OID and by Oracle Identity Management?
    Regards
    Farbod

    JHeadstart uses roles and permissions only for maintenance reasons (for example, to quickly assign a number of permissions to a user). In runtime, differences between roles and permissions are discarded and both are treated the same. So, it is then comparable to JAAS, which only distinguishes between users and roles (called groups in OID).
    The actual setup of the OID and JAAS is not part of JHeadstart. JHeadstart just uses the JAAS provider (when in JAAS mode) to check for the required roles (= permissions) for the current group.
    Paco van der Linden,
    JHeadstart Team.

  • User and role permissions getting reset on managed server

    Hi..
    I am not sure whether this is really a clustering problem. I have a clustered server with one admin server and one managed server. I have deployed some of my own applications along with the WebLogic Integration application on the managed server.
    I have some users and roles defined in the BPM studio to access and execute the workflows.
    But every time I restart the managed server, the user and role permissions are reset and the workflows are not executed. I get the following error.
    ####<May 13, 2003 10:01:22 AM BST> <Error> <BPM> <hwdusa08> <managed1_eai2d2A>
    <ExecuteThread: '44' for queue: 'default'> <kernel identity> <11
    1:21ad542a0d3cc527> <000000> <<wlpirequest>
    <started>2003-05-13 10:01:22.230</started>
    <requestor>wlisystem</requestor>
    <templateid>1</templateid>
    <template-name> WLI Logging Framework V2.0 Installation test</template-name>
    <templatedefinitionid>1</templatedefinitionid>
    <instanceid>2001</instanceid>
    <actions>
    <error time="2003-05-13 10:01:22.427">WorkflowException: The server was unable
    to complete your request.
    The WebLogic Integration role "logging" is not mapped to a WebLogic
    Server security group.</error>
    </actions>
    <completed>2003-05-13 10:01:22.428</completed>
    </wlpirequest>
    >
    And the only remedy I have here is to delete the role and recreate it with specific permissions every time the managed server is bounced. The same thing also happens for the created user, where the user loses all the permissions.
    Can anyone please help me on this issue?
    Thanks in advance
    Mandar

    Are you using filerealm?
    This seems like a security-related question; can you please post this question to the security newsgroup? You may get a faster answer there.
    sree

  • What BP Role is used for Loans Management in ECC6?

    Hi guys,
    Can someone help with the BP role to use for Loans Management in ECC6? The system shows that the old role TR0100 is now obsolete, so in ECC6, what is the role name for FS-CML? Is it FS0000 or something else?
    Any documentation on Loans Management in ECC6 will help.
    Regards
    Fisayo.

    Hi,
    You have to use BP Role TR0100 only. Please check which BP Role Category is assigned to BP Role TR0100 in SPRO. There is no change in ECC6 as well. The role name should be "Main Loan Partner".
    Regards
    Prasad AV

  • Role based menu using JAAS

    Is it possible to implement a role-based menu using JAAS in a web application? My requirement is to enable or disable menu items on the screen based on the roles of the logged-in user.
    Can someone help me on this?

  • Custom Distribution Group management role (manager exception)

    My organization is medium size with multiple support groups (15+) that each support a subset of users (350+). I want to create a management role that is scoped so each support group can manage the distribution groups in their respective OU space.
    By manage I mean edit the group membership. I realize I can achieve this with AD permissions, but I'd like to achieve this in a way that leverages RBAC so the support groups can use OWA. I also want to leverage RBAC\OWA because not all my support groups are technical; some are office admins. Anyways, below is what I've tried in my lab scoped to one of my support groups.
    Using the cmdlets below I've created a custom management scope, role and group. However, this does not work. While it lets my sales support group view and edit some random attributes on the group, it fails when they try to edit the group membership. In other words, they can logon to OWA, click options\see all options\manage your organization\distribution groups\open the group\edit description etc., but when they select "Add…" under membership, then select the user and hit ok\save, they get the error "you don't have sufficient permissions. this operation can only be performed by a manger of the group".
    New-ManagementScope -Name "Sales Support DG MScope" -RecipientRestrictionFilter {RecipientType -eq "MailUniversalSecurityGroup"} -RecipientRoot "lab.com/sales"
    New-ManagementRole -Name "Sales Support DG MRole" -Parent "Distribution Groups"
    New-RoleGroup -Name "Sales Support DG MGroup" -Roles "Sales Support DG MRole" -CustomRecipientWriteScope "Sales Support DG MScope"
    When I do as the error asks (i.e. add my support user as a manager of the group via the EMC), then my support user is able to edit the group's membership in OWA. The problem with this solution is that it would require me to add my support users to my role group "Sales Support DG MGroup" AND as a manager of the DG and every DG that is created down the line. Not ideal. Any ideas, some RBAC magic I'm missing?
    Below confirms my scope.
    Get-Group -OrganizationalUnit "lab.com/sales" | ?{$_.RecipientType -eq "MailUniversalSecurityGroup"}
    Name DisplayName SamAccountName GroupType
    distro1 distro1 distro1 Universal, SecurityEnabled
    distro2 distro2 distro2 Universal, SecurityEnabled
    distro3 distro3 distro3 Universal, SecurityEnabled
    On a side note, I realize that sourcing my management role off of Distribution Groups gives me more cmdlets\access than my support group needs (see below). I'm first just trying to get it to work :).
    Get-ManagementRole "Sales Support DG MRole" | Get-ManagementRoleEntry | select name
    Name
    Add-DistributionGroupMember
    Disable-DistributionGroup
    Enable-DistributionGroup
    Get-ADServerSettings
    Get-AcceptedDomain
    Get-DistributionGroup
    Get-DistributionGroupMember
    Get-DomainController
    Get-DynamicDistributionGroup
    Get-Group
    Get-MailUser
    Get-Mailbox
    Get-OrganizationalUnit
    Get-Recipient
    Get-ResourceConfig
    Get-User
    New-DistributionGroup
    New-DynamicDistributionGroup
    Remove-DistributionGroup
    Remove-DistributionGroupMember
    Remove-DynamicDistributionGroup
    Set-ADServerSettings
    Set-DistributionGroup
    Set-DynamicDistributionGroup
    Set-Group
    Set-OrganizationConfig
    Update-DistributionGroupMember
    Write-AdminAuditLog

    Hello,
    I understand that you have created a custom management scope for each group and assigned a custom role to it.
    But whenever a user tries to edit (add/remove membership), it shows the error "you don't have sufficient permissions". I faced a similar problem when we moved from 2007 to 2010; 2010 by default disabled editing options for DL membership.
    You can enable it by graphic mode or PowerShell. I would suggest that, since you have created a custom role, you follow the PowerShell mode. I had written a blog on that.
    Check the link below. http://exchange2010cmd.blogspot.de/
    You have created the new management role "Sales Support DG MRole", but you need to assign this role to users/administrators, in your case through a role assignment policy.
    You can either use the existing default policy or create a new policy and assign this management role to it.
    Use the cmd below: New-ManagementRoleAssignment -Role "Sales Support DG MRole" -Policy "Default Role Assignment Policy"
    NOTE: If you are creating a new policy, place that name instead of the default policy name.
    I recommend you continue with the default policy. After this, check with any admin; he should have rights to edit membership.
    Now, regarding your second concern, that your custom role has too many role entries:
    You can remove unwanted role entries.
    Use this cmd: Get-ManagementRoleEntry "Sales Support DG MRole\*" | where { $_.Name -like "Set-DistributionGroup" } | Remove-ManagementRoleEntry
    Before linking the management role to the email policy, remove unwanted role entries from the role.
    I tried to explain it in an easy way, but if it is still not understood, write back to me. I am new to the TechNet forum; I started replying to questions a few days back. If you get your answer, don't forget to propose it as the answer.

  • Issue with Authentication using JAAS for coherence

    Hi,
    I have configured the security framework using JAAS for a storage-enabled node.
    I am using a keystore for authenticating the users. Below is the code used for authentication:
    // fragment of a larger class; the imports it relies on:
    import com.tangosol.net.CacheFactory;
    import com.tangosol.net.NamedCache;
    import com.tangosol.net.security.Security;
    import javax.security.auth.Subject;
    import java.security.Principal;
    import java.security.PrivilegedAction;
    import java.util.Iterator;

        Subject subject;
        try {
            subject = Security.login(sUsername, sPassword.toCharArray());
        } catch (Throwable t) {
            subject = null;
            log("Authentication error:");
            log(t);
        }
        if (subject != null) {
            for (Iterator iter = subject.getPrincipals().iterator(); iter.hasNext(); ) {
                Principal principal = (Principal) iter.next();
                log("Principal: " + principal.getName());
            }
        }
        Security.runAs(subject, new PrivilegedAction() {
            public Object run() {
                NamedCache cache = CacheFactory.getCache(CACHE_NAME);
                // busy-wait so that this thread (and with it the node) stays alive
                boolean flag = true;
                while (flag) {}
                return null;
            }
        });
    And I am calling the above class in the callback handler which is defined in the Coherence operational descriptor:
    <security-config>
        <enabled system-property="tangosol.coherence.security">true</enabled>
        <login-module-name>TestCoherence</login-module-name>
        <access-controller>
            <class-name>com.tangosol.net.security.DefaultController</class-name>
            <init-params>
                <init-param id="1">
                    <param-type>java.io.File</param-type>
                    <param-value>config/keystore.jks</param-value>
                </init-param>
                <init-param id="2">
                    <param-type>java.io.File</param-type>
                    <param-value>config/permissions.xml</param-value>
                </init-param>
            </init-params>
        </access-controller>
        <callback-handler>
            <class-name>Test</class-name>
        </callback-handler>
    </security-config>
    I am using the following command line parameters for bringing up the storage-enabled node:
    -Dtangosol.coherence.security.permissions="$CONFIG_PATH/permissions.xml"
    -Dtangosol.coherence.security.keystore="$CONFIG_PATH/keystore.jks"
    -Djava.security.auth.login.config="$CONFIG_PATH/login.config"
    -Dtangosol.coherence.security=true
    Now, as long as the callback handler thread is alive, the storage-enabled node will be up. As soon as the callback handler thread dies, the storage-enabled node stops with the following error:
    Exception in thread "main" java.lang.SecurityException: Authentication failed: Error initializing keystore
    at com.tangosol.coherence.component.net.security.Standard.loginSecure(Standard.CDB:36)
    at com.tangosol.coherence.component.net.security.Standard.getTempSubject(Standard.CDB:11)
    at com.tangosol.coherence.component.net.security.Standard.checkPermission(Standard.CDB:18)
    at com.tangosol.coherence.component.net.Security.checkPermission(Security.CDB:11)
    at com.tangosol.coherence.component.util.SafeCluster.ensureService(SafeCluster.CDB:6)
    at com.tangosol.coherence.component.net.management.Connector.startService(Connector.CDB:25)
    at com.tangosol.coherence.component.net.management.gateway.Remote.registerLocalModel(Remote.CDB:8)
    at com.tangosol.coherence.component.net.management.gateway.Local.registerLocalModel(Local.CDB:8)
    at com.tangosol.coherence.component.net.management.Gateway.register(Gateway.CDB:1)
    at com.tangosol.coherence.component.util.SafeCluster.ensureRunningCluster(SafeCluster.CDB:50)
    at com.tangosol.coherence.component.util.SafeCluster.start(SafeCluster.CDB:2)
    at com.tangosol.net.CacheFactory.ensureCluster(CacheFactory.java:948)
    at com.tangosol.net.DefaultConfigurableCacheFactory.ensureService(DefaultConfigurableCacheFactory.java:748)
    at com.tangosol.net.DefaultCacheServer.start(DefaultCacheServer.java:140)
    at com.tangosol.net.DefaultCacheServer.main(DefaultCacheServer.java:61)
    Please let me know where I should pass the credentials to the default cache server for authentication, or whether I should change any of the authentication implementation here.
    Thanks in advance,
    Bhargav

    Bhargav,
    Rather than trying to loop forever in a callback handler, try this:
    import com.tangosol.net.CacheFactory;
    import com.tangosol.net.DefaultCacheServer;
    import com.tangosol.net.security.Security;
    import javax.security.auth.Subject;
    import javax.security.auth.login.LoginContext;
    import java.security.PrivilegedExceptionAction;

    public class SecureCacheServer {
        public static void main(final String[] args) throws Exception {
            // authenticate through the "Coherence" entry of the JAAS login configuration
            LoginContext lc = new LoginContext("Coherence");
            lc.login();
            Subject subject = lc.getSubject();
            // run the stock cache server under the authenticated Subject
            Security.runAs(subject, new PrivilegedExceptionAction() {
                public Object run() throws Exception {
                    DefaultCacheServer.main(args);
                    return null;
                }
            });
        }
    }
    Then when you start your cache server, just use the SecureCacheServer class above rather than DefaultCacheServer.
    As the main method of DefaultCacheServer is running in a PrivilegedExceptionAction, Coherence will use this identity anywhere it needs to do anything secured.
    I hope the code above compiles OK as it is a modified version of the code I really use.
    Hope this helps
    JK

  • Has anyone used JAAS with WebLogic?

    Has anyone used JAAS with Weblogic? I was looking at their example, and I have a bunch of questions about it. Here goes:
    Basically the problem is this: the plug-in LoginModule model of JAAS used in WebLogic (with EJB Servers) seems to allow clients to falsely authenticate.
    Let me give you a little background on what brought me to this. You can find the WebLogic JAAS example (to which I refer below) in the pdf: http://e-docs.bea.com/wls/docs61/pdf/security.pdf . (I believe you want pages 64-74) WebLogic, I believe, goes about this all wrong. They allow the client to use their own LoginModules, as well as CallBackHandlers. This is dangerous, as it allows them to get a reference (in the module) to the LoginContext's Subject and authenticate themselves (i.e. associate a Principal with the subject). As we know from JAAS, the way AccessController checks permissions is by looking at the Principal in the Subject and seeing if that Principal is granted the permission in the "policy" file (or by checking with the Policy class). What it does NOT do is see if that Subject has the right to hold that Principal. Rather, it assumes the Subject is authenticated.
    So a user who is allowed to use their own Module (as WebLogic's example shows) could do something like:
    //THEIR LOGIN MODULE (SOME CODE CUT-OUT FOR BREVITY)
    import java.util.Map;
    import javax.security.auth.Subject;
    import javax.security.auth.callback.*;
    import javax.security.auth.login.LoginException;
    import javax.security.auth.spi.LoginModule;

    public class BasicModule implements LoginModule {
        private NameCallback strName;
        private PasswordCallback strPass;
        private CallbackHandler myCB;
        private Subject subj;

        //INITIALIZE THIS MODULE
        public void initialize(Subject subject, CallbackHandler callbackHandler, Map sharedState, Map options) {
            try {
                //SET SUBJECT
                subj = subject;  //NOTE: THIS GIVES YOU REFERENCE TO LOGIN CONTEXT'S SUBJECT
                                 //      AND ALLOWS YOU TO PASS IT BACK TO THE LOGIN CONTEXT
                //SET CALLBACKHANDLERS
                strName = new NameCallback("Your Name: ");
                strPass = new PasswordCallback("Password:", false);
                Callback[] cb = { strName, strPass };
                //HANDLE THE CALLBACKS
                callbackHandler.handle(cb);
            } catch (Exception e) { System.out.println(e); }
        }

        //LOG THE USER IN
        public boolean login() throws LoginException {
            //TEST TO SEE IF SUBJECT HOLDS ANYTHING YET
            System.out.println("PRIOR TO AUTHENTICATION, SUBJECT HOLDS: " + subj.getPrincipals().size() + " Principals");
            //SUBJECT AUTHENTICATED - BECAUSE SUBJECT NOW HOLDS THE PRINCIPAL (NO CREDENTIAL IS EVER CHECKED)
            MyPrincipal m = new MyPrincipal("Admin");   //MyPrincipal: THE POSTER'S OWN java.security.Principal IMPLEMENTATION
            subj.getPrincipals().add(m);
            return true;
        }

        public boolean commit() throws LoginException {
            return true;
        }

        //abort() AND logout() ARE PART OF THE CODE CUT OUT ABOVE; LoginModule REQUIRES THEM
        public boolean abort() throws LoginException { return true; }
        public boolean logout() throws LoginException { return true; }
    }
    (Sorry for all that code)
    I tested the above code, and it fully associates the Subject (and its principal) with the LoginContext. So my question is, where in the process (and code) can we put the LoginContext and Modules so that a client cannot do this? With the above example, there is no Security. (a call to: myLoginContext.getSubject().doAs(...) will work)
    I think the key here is to understand JAAS's plug-in security model to mean:
    (Below are my words)
    The point of JAAS is to allow an application to use different ways of authenticating without changing the application's code, but NOT to allow the user to authenticate however they want.
    In WebLogic's example, they unfortunately seem to have used the latter understanding, i.e. "allow the user to authenticate however they want."
    That, as I think I've shown, is not security. So how do we solve this? We need to put JAAS on the server side (with no direct JAAS client-side), and that includes the LoginModules as well as LoginContext. So for an EJB Server this means that the same internal permission checking code can be used regardless of whether a client connects through RMI/RMI-IIOP/JEREMIE (etc). It does NOT mean that the client gets to choose how they authenticate (except by choosing YOUR set ways).
    Before we even deal with a serialized subject, we need to see how JAAS can even be used on the back-end of an RMI (RMI-IIOP/JEREMIE) application.
    I think what needs to be done is the client needs to have the stubs for our LoginModule, LoginContext, CallBackHandler, CallBacks. Then they can put their info into those, and everything is handled server-side. So they may not even need to send a Subject across anyways (but they may want to as well).
    Please let me know if anyone sees this problem too, or if I am just completely off track with this one. I think figuring out how to do JAAS as though everything were local, and then putting RMI (or whatever) on top is the first thing to tackle.
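    Added example, not code from any post in this thread and not WebLogic's or JHeadstart's: a hypothetical server-side LoginModule that brings together two points raised above, Eyal's idea of a custom login module that flattens an organisational role into the closed set of permission-roles the EJB descriptors reference, and the post above's point that the module itself, not the client, must verify the credential before any Principal reaches the Subject. The class name, the RolePrincipal type and the user/role/permission/credential data are constructed for the example; a real deployment would read them from the user store and the admin-managed mapping.

```java
import java.security.MessageDigest;
import java.security.Principal;
import java.util.*;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** Hypothetical server-side LoginModule (added example, not from the forum posts). */
public class RoleFlatteningLoginModule implements LoginModule {
    /** Minimal Principal so the example is self-contained; the container maps these names to EJB roles. */
    public static final class RolePrincipal implements Principal {
        private final String name;
        public RolePrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        @Override public boolean equals(Object o) { return o instanceof RolePrincipal && name.equals(((RolePrincipal) o).name); }
        @Override public int hashCode() { return name.hashCode(); }
        @Override public String toString() { return name; }
    }
    // Constructed sample data standing in for the server-held user store and the admin-managed mapping.
    private static final Map<String, String> USER_ORG_ROLE = new HashMap<>();          // user -> organisational role
    private static final Map<String, Set<String>> ROLE_PERMISSIONS = new HashMap<>();   // org role -> permission-roles
    private static final Map<String, byte[][]> CREDENTIALS = new HashMap<>();           // user -> {salt, PBKDF2 hash}
    static {
        USER_ORG_ROLE.put("alice", "AccountManager");
        ROLE_PERMISSIONS.put("AccountManager", new HashSet<>(Arrays.asList("perm.order.read", "perm.order.approve")));
        ROLE_PERMISSIONS.put("Clerk", new HashSet<>(Collections.singletonList("perm.order.read")));
        byte[] salt = "constructed-salt-not-for-production".getBytes();
        CREDENTIALS.put("alice", new byte[][] { salt, hash("correct horse".toCharArray(), salt) });
    }
    private Subject subject;
    private CallbackHandler handler;
    private final Set<Principal> pending = new HashSet<>();   // staged in login(), applied only in commit()
    private boolean authenticated;

    public void initialize(Subject subject, CallbackHandler handler, Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }

    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { nc, pc });
        } catch (Exception e) {
            throw new LoginException("callback failed: " + e);
        }
        String user = nc.getName();
        char[] pw = pc.getPassword();
        pc.clearPassword();
        byte[][] cred = CREDENTIALS.get(user);
        // The credential check happens here, on the server, in constant time; no Principal is staged before it passes.
        boolean ok = cred != null && pw != null && MessageDigest.isEqual(cred[1], hash(pw, cred[0]));
        if (pw != null) Arrays.fill(pw, '\0');
        if (!ok) throw new FailedLoginException("bad credentials");
        // Flatten: the user's organisational role expands into the closed set of permission-roles that the
        // EJB deployment descriptors reference, so standard declarative role-based security keeps working.
        pending.add(new RolePrincipal("user:" + user));
        for (String perm : ROLE_PERMISSIONS.getOrDefault(USER_ORG_ROLE.get(user), Collections.emptySet())) {
            pending.add(new RolePrincipal(perm));
        }
        authenticated = true;
        return true;
    }

    public boolean commit() {
        if (authenticated) subject.getPrincipals().addAll(pending);   // the only place the Subject is modified
        pending.clear();
        return authenticated;
    }
    public boolean abort() { pending.clear(); authenticated = false; return true; }
    public boolean logout() { subject.getPrincipals().removeIf(p -> p instanceof RolePrincipal); return true; }

    private static byte[] hash(char[] pw, byte[] salt) {
        try {
            PBEKeySpec spec = new PBEKeySpec(pw, salt, 100_000, 256);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (java.security.GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Stand-alone demo driving the module the way a LoginContext would. */
    public static void main(String[] args) throws Exception {
        CallbackHandler h = callbacks -> {
            for (Callback c : callbacks) {
                if (c instanceof NameCallback) ((NameCallback) c).setName("alice");
                else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword("correct horse".toCharArray());
            }
        };
        Subject s = new Subject();
        RoleFlatteningLoginModule m = new RoleFlatteningLoginModule();
        m.initialize(s, h, new HashMap<>(), new HashMap<>());
        try { if (m.login()) m.commit(); } catch (LoginException e) { m.abort(); throw e; }
        System.out.println(s.getPrincipals());   // user:alice, perm.order.read and perm.order.approve, in set order
    }
}
```

    Because the mapping lives on the server, an Admin can change which permission-roles an organisational role expands to without touching the EJB descriptors, and a client supplying its own module (as in the WebLogic example) gains nothing, since the container's login configuration decides which modules run.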

    Send this to:
    newsgroups.bea.com / security-group.

  • Managed Role Scope

    I learned that roles in DS are scoped to where they are created. Meaning if I create a managed role called role1 in ou=Roles,dc=sun,dc=com only entries (ie users and groups) under the ou=Roles branch will have visibility to role1. But since all my users are created underneath a different ou (ie ou=People), how do I get role1 to be visible to the users under ou=People? From a day's worth of reading, this doesn't seem possible. The only way around is to create the role under the ou=People branch. In this approach, all the member searches are behaving correctly. My concern is we will have thousands of roles, what's the scalability of having that many roles mingled with all 750,000 user entries under ou=People...
    Any help is appreciated!

    > The problem with that is the nsRole virtual attribute never gets calculated. While the nsRoleDN will allow me to find all the roles for a given user with a search filter like this:
    > uid=user1 nsRoleDN
    > I need the nsRole virtual attribute to find role members (all members with a particular role), for example, using this search filter
    > nsRole=cn=role1,ou=roles,dc=sun,dc=com
    > to retrieve all members of role1. And this does not work unless role1 was in the same scope as the user or above.
    What about using
    nsRoleDN=cn=role1,ou=roles,dc=sun,dc=com
    It should return all members of role1. At the same time, usage of the on-the-fly computed nsRole attribute in searches isn't supported; please see Note 2 in the same link:
    http://docs.sun.com/source/816-5606-10/roles.htm#1117631

  • Client remote Authentication using JAAS and EJB Access

    Hi,
    I have a problem using JAAS in combination with Sun One Appserver 8.1 and a Java remote client trying to access an EJB. Here is the scenario:
    I have implemented an EJB whose methods are protected through the deployment descriptor:
    <assembly-descriptor>
        <security-role>
            <description>role for clients outside of the server</description>
            <role-name>sedna</role-name>
        </security-role>
        <method-permission>
            <role-name>sedna</role-name>
            <method>
                <ejb-name>ServerInfoBean</ejb-name>
                <method-intf>Remote</method-intf>
                <method-name>*</method-name>
            </method>
        </method-permission>
        <method-permission>
            <unchecked/>
            <method>
                <ejb-name>ServerInfoBean</ejb-name>
                <method-name>getVersion</method-name>
            </method>
            <method>
                <ejb-name>ServerInfoBean</ejb-name>
                <method-name>create</method-name>
            </method>
        </method-permission>
    </assembly-descriptor>
    I've deployed the EJB in a jar file which was packed into an ear file of a bigger application. The role has been mapped to the admin Principal in the sun-ejb-jar.xml descriptor.
    I can find the EJB, create it, and call the unchecked method getVersion and that works fine, so far so good.
    But then I try to access another method which is protected, and then I get this exception:
    org.omg.CORBA.NO_PERMISSION:   vmcid: 0x2000  minor code: 1806 completed: Maybe
            at com.sun.enterprise.iiop.POAProtocolMgr.mapException(POAProtocolMgr.java:179)
            at com.sun.ejb.containers.BaseContainer.postInvoke(BaseContainer.java:853)
            at com.sun.ejb.containers.EJBObjectInvocationHandler.invoke(EJBObjectInvocationHandler.java:137)
    ...
    I have to mention that I do make a login via the LoginContext. My jaas.config file has a reference to the com.sun.enterprise.security.auth.login.ClientPasswordLoginModule module.
    After login (which works perfectly) I look up the context with a corbaname URL which - if I understood it right - ignores the Context.SECURITY_PRINCIPAL and Context.SECURITY_CREDENTIALS settings.
    After that I make the calls to the EJB. And I am always ANONYMOUS on the server side, which is definitely the problem, because ANONYMOUS is not allowed to call the protected EJB methods. But I made a JAAS login in advance. So where am I making a mistake???
    Am I doing something wrong?
    Need help! Thx,
    Stephan

    Hi.
    > I understand correctly that you call Subject.doAs on
    > the client to call the remote EJB. I guess it isn't
    > the right way.
    I also had a bad feeling about this, so I forgot about it. But anyway it wasn't working with or without using that doAs().
    >
    > Subject contextSubject =
    > Subject.getSubject(AccessController.getContext());
    > contextSubject.getPrincipals();
    This code throws exceptions in the app server. Unfortunately they are caught somewhere, so I'm unable to find out what was going wrong. But I guess that these exceptions were security exceptions. Nevertheless, thanks for the hint!
    But I don't think that doing the check on the server side is the way I want to go, because that is programmatic security and I want to use the declarative security which can be used through the deployment descriptor. If used correctly - and supposing I do not completely misunderstand the specification - then it should be possible to create an EJB that is protected via its deployment descriptor and access it through the client only if the client has been authenticated through JAAS mechanisms. After successful authentication the principal should be accessible through the EJB context, but not for the security check; that should already have been done at this time.
    Unfortunately I can't find any resource on the internet describing the scenario in such detail that I can reproduce it. There are only very high-level documentations and hints in forums.
    Again, thanks for your effort,
    Stephan
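The thread turns on which ServerInfoBean methods the assembly-descriptor leaves unchecked and which it restricts to the sedna role. The following audit is an added example, not code from the thread or from the application server: it parses a constructed ejb-jar.xml fragment modelled on the one posted (the bean name, role and method names are copied from it; everything else is assumed) and prints the effective rule per method, applying the EJB rule that a method marked `<unchecked/>` in any method-permission element stays unchecked whatever other elements grant. It keys on ejb-name and method-name only, so method-intf and method-params are ignored for brevity.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;
import java.util.TreeSet;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Computes the effective access rule for each EJB method named in an
 *  ejb-jar.xml assembly-descriptor.  Added example; not from the thread. */
public class MethodPermissionAudit {

    // Constructed sample descriptor modelled on the one in the thread above.
    static final String SAMPLE_EJB_JAR = String.join("\n",
        "<ejb-jar>",
        "  <assembly-descriptor>",
        "    <security-role><role-name>sedna</role-name></security-role>",
        "    <method-permission>",
        "      <role-name>sedna</role-name>",
        "      <method><ejb-name>ServerInfoBean</ejb-name>",
        "        <method-intf>Remote</method-intf><method-name>*</method-name></method>",
        "    </method-permission>",
        "    <method-permission>",
        "      <unchecked/>",
        "      <method><ejb-name>ServerInfoBean</ejb-name><method-name>getVersion</method-name></method>",
        "      <method><ejb-name>ServerInfoBean</ejb-name><method-name>create</method-name></method>",
        "    </method-permission>",
        "  </assembly-descriptor>",
        "</ejb-jar>");

    /** Effective rule for one (ejb, method) pair. */
    static final class Rule {
        boolean unchecked;
        final Set<String> roles = new TreeSet<>();
        @Override public String toString() {
            return unchecked ? "unchecked (any caller, including ANONYMOUS)" : "roles " + roles;
        }
    }

    /** Returns "ejb#method" -> effective rule, merging every method-permission element. */
    static Map<String, Rule> audit(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // The descriptor comes out of a deployment archive: refuse DTDs and external entities.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));

        Map<String, Rule> rules = new TreeMap<>();
        NodeList perms = doc.getElementsByTagName("method-permission");
        for (int i = 0; i < perms.getLength(); i++) {
            Element perm = (Element) perms.item(i);
            boolean unchecked = perm.getElementsByTagName("unchecked").getLength() > 0;
            List<String> roles = texts(perm, "role-name");
            NodeList methods = perm.getElementsByTagName("method");
            for (int j = 0; j < methods.getLength(); j++) {
                Element m = (Element) methods.item(j);
                String key = texts(m, "ejb-name").get(0) + "#" + texts(m, "method-name").get(0);
                Rule r = rules.computeIfAbsent(key, k -> new Rule());
                // EJB rule: unchecked in any method-permission wins over role grants elsewhere.
                if (unchecked) r.unchecked = true; else r.roles.addAll(roles);
            }
        }
        return rules;
    }

    static List<String> texts(Element parent, String tag) {
        List<String> out = new ArrayList<>();
        NodeList nl = parent.getElementsByTagName(tag);
        for (int i = 0; i < nl.getLength(); i++) out.add(nl.item(i).getTextContent().trim());
        return out;
    }

    public static void main(String[] args) throws Exception {
        Map<String, Rule> rules = audit(SAMPLE_EJB_JAR);
        rules.forEach((k, v) -> System.out.println(k + " -> " + v));
        // Review aid: explicit methods that bypass a wildcard role restriction on the same bean.
        for (Map.Entry<String, Rule> e : rules.entrySet()) {
            String ejb = e.getKey().substring(0, e.getKey().indexOf('#'));
            Rule wildcard = rules.get(ejb + "#*");
            if (e.getValue().unchecked && wildcard != null && !wildcard.unchecked)
                System.out.println("REVIEW: " + e.getKey() + " is callable without a role although "
                    + ejb + " is otherwise restricted to " + wildcard.roles);
        }
    }
}
```

For the sample above the audit reports `ServerInfoBean#*` as restricted to sedna and `create` and `getVersion` as unchecked, which matches the poster's observation: the unchecked getVersion call succeeds for an ANONYMOUS caller, and every other method requires the sedna role to have been established on the server side, which the client's JAAS login alone does not guarantee.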

  • "Discovery Manager" role cannot place a mailbox on hold

    My company is testing Exchange 2013 and Exchange Online. We would like to have all discovery functions managed by our legal team. We have assigned test users the "Discovery Manager" role. That role should allow them rights to search all mailboxes and put search results on hold. Additionally, the discovery manager role should allow them to select a user mailbox in EAC, open the "Mailbox Features" page and enable litigation hold on the mailbox (no searching required).
    We have found the second feature, enabling litigation hold without searching, is unavailable to discovery managers when using EAC. The "Mailbox Features" page is not exposed to discovery managers using EAC. The discovery manager can place a mailbox on hold using PowerShell, but that would not be a reasonable option for our legal team.
    Please confirm if my understanding is correct: a discovery manager should be able to place a mailbox on litigation hold as well as in-place hold using EAC.
    Thanks in advance,
    Ron

    Does "Get-RoleGroup "Discovery Management" | FL *role*" show that the Legal Hold role is assigned to the Discovery Management role group? If so, then you may need to assign the "Recipient Management" or "Help Desk" role to those users as well, or if you wish to security trim their access, create a customized RBAC role for them.
    Alternatively, see if they can simply set litigation hold via PowerShell with Set-Mailbox.
    Twitter!: Please Note: My Posts are provided “AS IS” without warranty of any kind, either expressed or implied.

  • Integrate IdM roles with Sun Access Manager roles

    Hi all,
    I am currently working on a solution involving Sun Identity Manager 7.1 and Sun Access Manager 7.1 as well. We use AM for overall authentication and SSO across the application, and IdM for user provisioning.
    I need to create roles in Identity Manager, and I would like that when I assign a role to a user in Identity Manager, he gets the same role in my Access Manager repository (Sun LDAP). Identity Manager does provide a way to set attribute values in resources when a role is set. Access Manager on the other hand has both dynamic roles, based on an LDAP search, and static roles.
    What are the important differences between static and dynamic roles in AM?
    Does anybody know a good way to propagate roles from Identity Manager to Access Manager?
    Thanks.

    I found answers to my question. I succeeded in setting the Access Manager role from Identity Manager using the nsRoleDN attribute. Here are some references to begin with:
    About directory server roles:
    http://docs.sun.com/app/docs/doc/820-2493/fvbrn?a=view
    Forum thread reference:
    http://forums.sun.com/thread.jspa?threadID=5208694
    Here are roughly the steps I followed to get this working.
    Access Manager roles setup:
    1. In Access Manager, create a new static role named test_role under the identities realm (in Subjects > Role).
    Identity Manager roles setup:
    1. Create a new role in Identity Manager: tab Roles, click New....
    2. Assign the LDAP resource to synchronize the role with.
    3. On the Assigned Resources line, click the Set Attribute Values button. This shows the attribute listing, allowing you to bind your IdM role to your LDAP repository.
    4. Set the attribute nsRoleDN to the LDAP DN of the role that was created in AM (nsRoleDN must be added in the resource attributes mapping before).
    * In the column Value override, select Text.
    * In the column How to set, select Authoritative merge with value, clear existing. (* See IDM Admin guide about this setting, I am still not sure how it reacts with multi-value attributes)
    * In the text box, enter the role DN text (ex: cn=test_role,dc=com).
    5. Save the role. You can now add the role to a user.

  • Using JAAS in a BC4J Client

    Hello
    We are building a BC4J application.
    We would like to use JAAS on the client side (Swing Client), to do some authorization.
    I made a test, authenticating a user through JAAS on the client as follows:
    // Authorization
    CallbackHandler handler = new InfoCallbackHandler();
    String s = "oracle.security.jazn.tools.Admintool";
    LoginContext loginContext = new LoginContext(s, handler);
    loginContext.login();
    Subject subject = loginContext.getSubject();
    // authenticated action
    Subject.doAs(subject, this);
    This works, as long as the client has access to the jazn.xml file.
    As far as I understand, this loads the RealmLoginModule.
    The RealmLoginModule uses either a jazn.xml file, or LDAP for authentication.
    Now I'm curious about where the RealmLoginModule gets its information from when the client is running on another machine than the OC4J server.
    Where does the RealmLoginModule get the connection information for the OC4J or LDAP server from?
    Do I have to deliver the security information (jazn.xml file) to the client (I don't want to expose all this information to the hackers on the client side)?
    Is there a way to delegate the JAAS calls to the middle tier (a security provider, LoginModule, that does RMI calls to an EJB component)?
    Is there a way to do authorization with the BC4J interfaces on the client (something like boolean ApplicationModule.isUserInRole(Role) or javax.security.auth.Subject ApplicationModule.getSubject() or java.util.Set ApplicationModule.getPrincipalsForSubject())?
    I would like to get a javax.security.auth.Subject representing the user (and password)
    that is authenticated in the middle tier. This is the Subject (defined by username & password)
    used for the JNDI lookup, and by the whole J2EE (EJB) security, when creating a root ApplicationModule.
    Is this possible?
    Regards
    Matthais Gerber

    Hi,
    In JDeveloper 9.0.3, BC4J has JAAS support in the middle tier. You could set jbo.security.enforce to "Test" or "Must" on the application module using "Configuration...", "Edit" in JDev. If you are using the default Oracle 9iAS JAAS you will also need to include the BC4J Security library in the project. The jdk\jre\lib\security\java.security should have login.configuration.provider=oracle.security.jazn.spi.LoginConfigProvider.
    You do not need to create LoginContext, CallbackHandler, etc. in either your client app or business objects.
    If you are not using OC4J, you need to have another login module that implements javax.security.auth.spi.LoginModule. You need to set jbo.security.loginmodule to your login module name, include the class or jar in your library, and specify the JAAS config file on the Java runtime options.
    Please refer to the 9.0.3 online help "Working with Security in BC4J" for more information.
    Thanks,
    Yvonn
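Both threads above end at the same two points: what a javax.security.auth.spi.LoginModule has to do to populate a Subject with user and role principals, and why a Subject.getSubject(AccessController.getContext()) check (the isUserInRole the BC4J question asks for) only sees the authenticated user inside a Subject.doAs scope. The program below is an added example, not code from either thread or from OC4J or GlassFish: the login module, the in-memory user table, the principal classes, the programmatic Configuration and the credentials are all constructed for the demonstration, and it stands in for the container's own RealmLoginModule or ClientPasswordLoginModule only to show the mechanics.

```java
import java.nio.charset.StandardCharsets;
import java.security.AccessController;
import java.security.MessageDigest;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** Minimal JAAS login module plus a role check.  Added example; not container code. */
public class JaasRoleDemo {

    static final class UserPrincipal implements Principal {
        private final String name;
        UserPrincipal(String n) { name = n; }
        public String getName() { return name; }
        @Override public String toString() { return "user:" + name; }
    }

    static final class RolePrincipal implements Principal {
        private final String name;
        RolePrincipal(String n) { name = n; }
        public String getName() { return name; }
        @Override public String toString() { return "role:" + name; }
    }

    /** Authenticates against a constructed in-memory table: user -> {password, roles...}. */
    public static class DemoLoginModule implements LoginModule {
        static final Map<String, String[]> USERS = Map.of(
            "stephan", new String[] {"s3cret", "sedna"},   // assumed sample account
            "guest",   new String[] {"guest"});            // authenticated, but no roles
        private Subject subject;
        private CallbackHandler handler;
        private final Set<Principal> pending = new HashSet<>();

        @Override public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
            subject = s; handler = h;
        }

        @Override public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try { handler.handle(new Callback[] {nc, pc}); }
            catch (Exception e) { throw new LoginException("callback failed: " + e); }
            String name = nc.getName();
            char[] pw = pc.getPassword();
            pc.clearPassword();
            String[] rec = name == null ? null : USERS.get(name);
            byte[] given = pw == null ? new byte[0] : new String(pw).getBytes(StandardCharsets.UTF_8);
            // Same failure message for unknown user and wrong password; constant-time compare.
            if (rec == null || !MessageDigest.isEqual(rec[0].getBytes(StandardCharsets.UTF_8), given))
                throw new FailedLoginException("bad credentials");
            pending.add(new UserPrincipal(name));
            for (int i = 1; i < rec.length; i++) pending.add(new RolePrincipal(rec[i]));
            return true;
        }
        // Principals reach the Subject only on commit, after every module in the stack succeeded.
        @Override public boolean commit() { subject.getPrincipals().addAll(pending); return true; }
        @Override public boolean abort()  { pending.clear(); return true; }
        @Override public boolean logout() { subject.getPrincipals().removeAll(pending); pending.clear(); return true; }
    }

    /** Programmatic equivalent of a jaas.config entry "demo { DemoLoginModule required; };". */
    static Configuration config() {
        return new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                    DemoLoginModule.class.getName(),
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Map.of()) };
            }
        };
    }

    /** Non-interactive CallbackHandler supplying fixed credentials (a GUI would prompt instead). */
    static CallbackHandler credentials(String user, String password) {
        return callbacks -> {
            for (Callback c : callbacks) {
                if (c instanceof NameCallback nc) nc.setName(user);
                else if (c instanceof PasswordCallback pc) pc.setPassword(password.toCharArray());
                else throw new UnsupportedCallbackException(c);
            }
        };
    }

    /** The isUserInRole asked for above, evaluated against the Subject bound by Subject.doAs.
     *  JDK 18+ offers Subject.current() instead; on JDKs where a Security Manager is not
     *  allowed, Subject.getSubject throws UnsupportedOperationException. */
    static boolean isUserInRole(String role) {
        Subject s = Subject.getSubject(AccessController.getContext());
        if (s == null) return false;   // no doAs scope: the caller is effectively anonymous
        return s.getPrincipals(RolePrincipal.class).stream().anyMatch(p -> p.getName().equals(role));
    }

    public static void main(String[] args) throws LoginException {
        LoginContext lc = new LoginContext("demo", null, credentials("stephan", "s3cret"), config());
        lc.login();
        Subject subject = lc.getSubject();
        System.out.println("principals after login: " + subject.getPrincipals());
        System.out.println("sedna outside doAs: " + isUserInRole("sedna"));   // false
        boolean inside = Subject.doAs(subject, (PrivilegedAction<Boolean>) () -> isUserInRole("sedna"));
        System.out.println("sedna inside doAs:  " + inside);                  // true
        lc.logout();
    }
}
```

The two printed checks are the point of the example: the same Subject holds role:sedna after login, yet a check that reads the Subject from the access-control context returns false outside doAs and true inside it. That is the client-side half of the picture only; whether the remote container sees the caller as sedna or as ANONYMOUS depends on the container's own client login module and transport propagating the identity, which a local doAs does not do by itself.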

  • DPM 2012 Failed to update permissions used in end-user recovery

    Hello everyone,
    I'm going to try the clearest way possible to describe the problem.
    Our test server is Windows Server 2012 with DPM 2012 SP1 CU2 (BKP-SRV01) with a Remote SQL server 2012 (PBASC)
    I protected a share folder on a DC on Windows Server 2008 R2 (PAD)
    When I activate End-User Recovery I get a warning in the monitor tab that say this
    Failed to update permissions used for end-user recovery on pad. Permissions update failed for the following reason: (ID 3123)
    DPM is unable to enumerate contents in pad_PartageTest on the protected computer BKP-SRV01. Recycle Bin, System Volume Information folder, non-NTFS volumes, DFS links, CDs, Quorum Disk (for cluster) and other removable media cannot be protected. (ID 38 Details:
    The end-user recovery is working, but I do not know if it affects other things. I also get that message when I try to browse on the DPM server when creating a protection group.
    When I go to DPM Server / File and Storage Services / Shares in Server Manager I get "Failed to retrieve folder permission" in the properties of the protected server share.
    I tried to search for almost 2 days without finding anything about that particular issue.
    Is there a way (clean way) to fix the issue?
    Thanks in advance for the help!

    Closing for housekeeping.
    Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. Regards, Mike J. [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights.

    That's not very helpful. I've got the same issue :(
    Comes up for servers where a protection group related to it errors out (recovery point failure usually).
