Everyone group in an alternate RDBMS Security Realm

We have implemented an alternate Oracle RDBMS security realm. The problem we have is that users added to the RDBMS realm do not show up in the console display of the Everyone group. Only users in the file realm show. Has anybody else experienced this behaviour? We have been able to confirm that users added to the RDBMS realm are indeed members of the Everyone group, they just don't show up as such in the console display.

Rick Hendricks wrote:
> We have implemented an alternate Oracle RDBMS security realm. The problem we have is that users added to the RDBMS realm do not show up in the console display of the Everyone group. Only users in the file realm show. Has anybody else experienced this behaviour? We have been able to confirm that users added to the RDBMS realm are indeed members of the Everyone group, they just don't show up as such in the console display.

Without looking at the code my guess would be that this is an artifact of an implementation where group "everyone" is backed by a class that always answers true to isMember() message and does not keep track of group members.
Cheers,
Alex
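
The behaviour guessed at in the reply above, as an added illustration that is not part of the original thread and not WebLogic code: a group whose isMember() is always true but whose listing comes from somewhere else, plus a check that finds users who are effective members without being listed. The class names, the assumption that the listing is borrowed from the file realm, and the users alice and bob are all hypothetical.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

// Added illustration; hypothetical classes, not WebLogic source or API.
public class EveryoneGroupDemo {

    /** Minimal group contract: one call answers checks, the other feeds a listing. */
    interface Group {
        boolean isMember(String user);
        Set<String> members();
    }

    /** Ordinary group: checks and listing read the same stored set. */
    static final class StoredGroup implements Group {
        private final Set<String> users;
        StoredGroup(String... users) {
            this.users = new LinkedHashSet<>(Arrays.asList(users));
        }
        @Override public boolean isMember(String user) { return users.contains(user); }
        @Override public Set<String> members() { return Collections.unmodifiableSet(users); }
    }

    /**
     * Implicit group as guessed in the reply: isMember() is unconditionally true
     * and no member list is maintained. Assumption: the listing is borrowed from
     * the file realm, which is why only those users appear in a console view.
     */
    static final class EveryoneGroup implements Group {
        private final Set<String> fileRealmUsers;
        EveryoneGroup(Set<String> fileRealmUsers) {
            this.fileRealmUsers = new LinkedHashSet<>(fileRealmUsers);
        }
        @Override public boolean isMember(String user) { return true; }
        @Override public Set<String> members() { return Collections.unmodifiableSet(fileRealmUsers); }
    }

    /** Users who pass the membership check but are missing from the listing. */
    static List<String> unlistedMembers(Group group, Iterable<String> allKnownUsers) {
        Set<String> listed = group.members();
        List<String> hidden = new ArrayList<>();
        for (String user : allKnownUsers) {
            if (group.isMember(user) && !listed.contains(user)) {
                hidden.add(user);
            }
        }
        return hidden;
    }

    public static void main(String[] args) {
        // Constructed sample data: two file-realm users, two users from the database realm.
        Set<String> fileRealm = new LinkedHashSet<>(Arrays.asList("system", "guest"));
        List<String> rdbmsRealm = Arrays.asList("alice", "bob");

        List<String> allUsers = new ArrayList<>(fileRealm);
        allUsers.addAll(rdbmsRealm);

        Group everyone = new EveryoneGroup(fileRealm);
        Group admins = new StoredGroup("system");

        System.out.println("everyone listed:   " + everyone.members());
        System.out.println("everyone unlisted: " + unlistedMembers(everyone, allUsers));
        System.out.println("admins unlisted:   " + unlistedMembers(admins, allUsers));
    }
}
```

For an access review the point is that an enumerated member list and the membership check used by authorization can disagree, so effective membership should be tested with the same call the authorization path uses.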

Similar Messages

  • RDBMS Security realm 6.1-8.1 migration

    I am trying to migrate a RDBMS security realm from WLS6.1 to WLS8.1.
    Having followed the instructions in http://e-docs.bea.com/wls/docs81/upgrade/upgrade6xto81.html#1066711
    I am now able to boot WLS8.1 and see encouraging signs such as the 'Compatibility
    Security' node appearing in the left-hand console pane. The contents of the Users
    and Groups nodes visible under this node look correct (ie as defined in the underlying
    database).
    However, to get to this point I had to initially hardwire the values for the database
    driver, url, user and password as these were null when obtained from the associated
    RDBMSRealmMBean object, causing the server to fail to start. This enabled me
    to bootstrap the process so that I could use the console to enter these values
    on the Database tab for the Realm I had defined for Compatibility Security. I
    see no mention of this step in the instructions referred to above and therefore
    missed out this vital step.
    When WLS8.1 starts it displays:
    <date&time> <Notice> <Security> <BEA-090082> <Security initializing using security realm myrealm.>
    myrealm is a Realm listed under Security but I would have expected the realm to
    be the specially-defined realm associated with Compatibility Security. So, question
    number 1 - does this output from WLS indicate that it is using the Compatibility
    Security realm or the default realm?
    Although the console displays the expected set of users and groups, my application
    is failing to associate a user with a 'role' - the Groups node shows that user
    U is in group G but when the application invokes the SessionContext method
    isCallerInRole(String role) where the caller is U and the role is G the result of the
    invocation is false. Question number 2 - why does this not return true in this case?
    Note, this code (that I have inherited) worked fine in WLS6.1 and the only significant
    change I needed to make for WLS8.1 is in the wrapper classes, in particular the
    code to get the required RDBMSRealmMBean. Having now successfully got hold of
    this object I would have expected the rest of the code to work fine (ok, 'expected'
    is a bit optimistic - but I'm not aware that there are any functional differences
    beyond obtaining the RDBMSRealmMBean object).
    Many thanks in advance for any assistance with this.
    David

    Mehrshad
    I wasn't involved in the original WL6.1 code development but this is based on
    the example code that BEA provide with the WLS6.1 installation - it should therefore
    be visible at ~bea/wlserver6.1/samples/examples/security/rdbmsrealm
    HTH
    David
    "Mehrshad Setayesh" <[email protected]> wrote:
    >
    David:
    I am trying to do the same thing and can not find which RealmClassName to use
    in 8.1. In our previous version, 6.1, I was using com.bea.wlpi.rdbmsrealm.RDBMSRealm.
    What is the mapping Java class in 8.1? Thanks.
    Regards
    Mehrshad

  • Using RDBMS Security Realm in production?

    Hi,
    In the BEA documentation it is stated that 'The RDBMS Security Realm is an
    example and is not meant to be used in a production environment.'
    However, of the Realms that are available this one seems to be best suited
    for our needs, so I'm wondering if there is any specific reason why this
    Realm should not be used in production. Has anyone had any experience using
    it in a live environment?
    I would be thankful for any information on this.
    /Mattias Arthursson

    Hi.
    Try posting this on the security newsgroup.
    Regards,
    Michael
    --
    Michael Young
    Developer Relations Engineer
    BEA Support

  • RDBMSRealm - Cloudscape rdbms security realm

    Have a bit of a problem with the cloudscape rdbms security realm shipped with weblogic
    6.1
    I am trying the sample rdbmsrealm security example in WLS6.1 SP2.
    I changed the class RDBMSRealm.java to add a public method say
    display();
    From my jsp page I have
    RDBMSRealm realm = new RDBMSRealm();
    realm.display();
    realm.getUser("jason").getName();
    When I run this I am able to access the display method, but
    the call to getUser fails with
    <Feb 27, 2002 12:58:11 PM PST> <Error> <HTTP> <[WebAppServletContext(5278096,formauth,/formauth)] Servlet failed with Exception
    ERROR 40XL1: A lock could not be obtained within the time requested
    at c8e.c_.b.newException(Unknown Source)
    at c8e._g.g.lockObject(Unknown Source)
    at c8e._g.f.zeroDurationlockObject(Unknown Source)
    at c8e.as.r.lockRecordForRead(Unknown Source)
    at c8e.s.h.lockPositionForRead(Unknown Source)
    at c8e.s.d.fetchRows(Unknown Source)
    at c8e.w.g.fetchNextGroup(Unknown Source)
    at c8e.h.h.e(Unknown Source)
    at c8e.h.h.getNextRowCore(Unknown Source)
    at c8e.h.z_.getNextRow(Unknown Source)
    at c8e.k.n.movePosition(Unknown Source)
    at c8e.k.n.movePosition(Unknown Source)
    at c8e.k.n.next(Unknown Source)
    at examples.security.rdbmsrealm.RDBMSDelegate.getUser(RDBMSDelegate.java:270)
    In my JSP page when I
    weblogic.security.acl.CachingRealm realm =
    (weblogic.security.acl.CachingRealm) weblogic.security.acl.Security.getRealm();
    realm.getUser() works, But I am not able to access/find display()
    realm.display();
    Any suggestions would help. Thanks
    Seshadri
    <CachingRealm BasicRealm="defaultRDBMSRealmForCloudscape" Name="defaultCachingRealm"/>
    <Realm CachingRealm="defaultCachingRealm" FileRealm="wl_default_file_realm" Name="wl_default_file_realm"/>

  • Weblogic security realm mapping to DB

    I have one question about Weblogic 7.01 security.
    I have created USER, GROUP and ROLES table in my RDBMS.
    Can I use the RDBMS realm if my users are in a database
    table already? Can I tune Weblogic security realm to my database tables?
    Any advice or links would be very much appreciated.
    Thanks a lot for any help, Volodymyr Shram.

    Thanks, criokeeper for your fast answer.
    Would you be so kind as to explain one moment to me.
    At http://e-docs.bea.com/wls/docs70/ConsoleHelp/domain_rdbmsrealm_config_general.html I found that "To use the RDBMS security realm, you need to use Compatibility security. The use of the RDBMS security realm is deprecated in WebLogic Server 7.0."
    What does that mean? Do I have to use the Compatibility security or is it just for ver. 6.x to ver. 7.0 migration?
    Thanks a lot for your answer.
    Regards, Volodymyr.

  • How to create default groups in Weblogic- Security Realms -- Groups

    Hi Team,
    Unfortunately I have deleted some default groups from Weblogic->Security Realms --> Groups. How to add the groups.
    Regards,
    Ravi.

    Hi Ravi,
    These are the default groups present inside Security Realms; you can manually create them by
    going inside Security Realms-->Users and Groups-->Groups-->New
    Administrators - Administrators can view and modify all resource attributes and start and stop servers. - DefaultAuthenticator
    Deployers - Deployers can view all resource attributes and deploy applications. - DefaultAuthenticator
    Monitors - Monitors can view and modify all resource attributes and perform operations not restricted by roles. - DefaultAuthenticator
    Operators - Operators can view and modify all resource attributes and perform server lifecycle operations. - DefaultAuthenticator
    Restart the Admin Server
    Regards
    FAbian

  • Webcenter spaces user and group and WLS security realm

    I want to configure an external ORACLE DB.
    I configured the security realm in WLS, and I can see the user and group list in the WLS page, but I can't find any of them in webcenter spaces,
    and also can not login with those users.
    I added a user with WLS, it works well.
    Do I need to do other configurations?

    First you need to create an Administrator for this new identity store. Weblogic user is not identified now because it's not mapped by the first authenticator. See Oracle WebCenter Admin Guide, section 28.4.1.1 Granting the WebCenter Spaces Administrator Role Using Fusion Middleware Control. Once you have done this step, do the same steps for other application users. For this you have to give an Application role to the other users so that they can log in and use WebCenter Space. See Oracle WebCenter Admin Guide, Section 28.4.2.1 Granting Application Roles Using Fusion Middleware Control.
    After doing above steps, restart WC_Spaces managed server.

  • Using an alternate security realm

    Hi,
    I'm trying to configure the Weblogic Personalization & Personalization
    Server v3.5 to use NT or LDAP as a security realm.
    With LDAP, the server reboots properly but when I try to goto
    http://localhost:7501/tools, it prompts me for password/userid and none of
    the user accounts(including for weblogic and those in the LDAP) work.
    When I try to configure for NT security realm and then I try to reboot the
    server, I get the error message below.
    Any help would be greatly appreciated. Thanks!
    Asim
    [email protected]
    NT error message:
    Unable to adjust token privileges
    Unable to adjust token privileges
    java.lang.SecurityException: Unable to assert all required priviledges
    at weblogic.security.ntrealm.NTDelegate.initFields(Native Method)
    at weblogic.security.ntrealm.NTDelegate.loadlib(NTDelegate.java:218)
    at weblogic.security.ntrealm.NTDelegate.<init>(NTDelegate.java:84)
    at weblogic.security.ntrealm.NTRealm.<init>(NTRealm.java:42)
    at java.lang.Class.newInstance0(Native Method)
    at java.lang.Class.newInstance(Class.java:237)
    at weblogic.security.acl.Realm.getRealm(Realm.java:84)
    at weblogic.security.acl.Realm.getRealm(Realm.java:62)
    at weblogic.security.SecurityService.initializeRealm(SecurityService.java:265)
    at weblogic.security.SecurityService.initialize(SecurityService.java:123)
    at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:343)
    at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:169)
    at weblogic.Server.main(Server.java:35)
    <Jun 19, 2001 1:58:10 PM EDT> <Emergency> <Server> <Unable to initialize the server: 'Fatal initialization exception
    Throwable: java.lang.IllegalAccessError: java.lang.SecurityException: Unable to assert all required priviledges -- bad domain name
    java.lang.IllegalAccessError: java.lang.SecurityException: Unable to assert all required priviledges -- bad domain name


  • RDBMSRealm, everyone group, guest user

    Hi folks, I'm having some fun with the rdbms realm lately and have a few
    questions.
    We're using the RDBMSRealm example with form based auth under WLS 5.1 SP 9 and
    have the following in web.xml
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>All Pages</web-resource-name>
        <description>These pages are only accessible by all authorised xyz users.</description>
        <url-pattern>*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <description>These are the roles that have access</description>
        <role-name>xyz</role-name>
      </auth-constraint>
    </security-constraint>
    <security-role>
      <description>All application users</description>
      <role-name>xyz</role-name>
    </security-role>
    which basically says that every page in the web-app requires a user to be in the
    xyz role and does seem to work fine.
    Now, what I'd like to do is to allow everyone to access one particular page
    within the application (that is, this page does not require the xyz role). So
    something like the following would be great.
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Some Particular Page</web-resource-name>
        <description>This page is accessible to everyone.</description>
        <url-pattern>/particular/page.jsp</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <description>everyone can get at this page.</description>
        <role-name>everyone</role-name>
      </auth-constraint>
    </security-constraint>
    However, this doesn't seem to work, I get redirected to the form based login
    page and once I've logged in can get to the page that I'm hoping shouldn't
    require a logged in user.
    So I'm wondering about the xml syntax and semantics.
    - What are the rules around specific and general mappings, like will a
    more specific mapping be used before falling back to the general mapping?
    - Are the mappings applied in order (first to last) and the first match
    taken?
    - Are the rules according to section 10 of the servlet spec applicable here?
    Now my problem might also be the RDBMSRealm itself -- I'm also having some
    problems with the everyone group and the guest user. If I remove the first
    constraint above and only include the /particular/page.jsp constraint to the
    everyone group things still don't seem to work right.
    I can see the realm call getGroup("everyone") and getUser("guest") but both
    calls return null, since these principals are not in our database
    tables. However, if I hit http://localhost:7001/AdminRealm I do see a list of
    all groups that our RDBMSRealm knows about and I also see the everyone group
    which contains system and guest users and so I have more questions.
    - Does CachingRealm fall back to the standard properties realm if it gets nulls
    from the RDBMSDelegate?
    - Does the everyone group include unauthenticated users (i.e. guest) as I'm
    hoping?
    I've tried adding an instance of weblogic.security.acl.Everyone to my
    RDBMSDelegate class and checking if the call to getGroup is looking for
    "everyone" in which case I return this instance but this doesn't seem to do
    anything either. I also tried adding this everyone group to the list returned
    by getGroups but that didn't help and I carried the idea through to getUser and
    getUsers with a guest user but again no luck. I'm always forced to authenticate
    before I can get to the page that should allow anyone (everyone) to see it.
    Any help, ideas, advice, beer, etc. would be much appreciated!
    Thanks,
    Derek

    THorner <[email protected]> writes:
    > RDBMSRealm, everyone group, guest user
    > Update-I've got it working.
    > As well as the isMember change mentioned below I altered getPrincipal
    > for both the RDBMSRealm class
    > if(name.equals("guest")){return createUser("guest","guest");}
    > if(name.equals("everyone")){return new Everyone(this);}
    > and RDBMSDelegate
    > if(name.equals("guest")){return realm.createUser("guest","guest");}
    > if(name.equals("everyone")){return new weblogic.security.acl.Everyone(realm);}
    > did something to RDBMSUser so that guest always authenticates
    > (alternatively you could put the guest user on the database, surely?)

    I did see various examples of the guest and everyone additions to the realm
    code, but I also read some stuff that indicated that if the rdbms realm returns
    null for these requests then the caching realm should fall back to the standard
    properties realm which does have the guest user and everyone group defined.
    With the debugging turned on this does seem to be what it does and the
    guest/everyone code doesn't seem to be needed. I also checked the
    http://localhost:7001/AdminRealm servlet and did see the everyone group with
    system and guest users as part of it.

    > Allow guest access to the file servlet (otherwise they can't be sent any
    > HTML pages - my best guess would be that this is your problem).

    This was probably part of the problem, judging by the messages from the realm
    debugging.

    > Also I altered weblogicURL.policy to allow 'everyone' access to the page
    > that was to be unrestricted - so I guess you should set
    > I hope this helps, if not (and you haven't already) turn on RDBMSRealm
    > debugging - eventually I found the information useful (in that it tends
    > to tell you what it has last been looking for, and the methods used)

    In the end, I found that specifying that the everyone group is required for a
    particular resource didn't seem to work. Instead I protected the majority of my
    application with a set of rules and left all other pages without any matching
    rules and the guest user then seems to work ok.
    The servlet 2.3 spec has an addition to the <role-name> tag which allows a * to
    indicate all roles but this isn't in the 2.2 spec.
    Thanks for the help!
    Cheers,
    Derek

    > terry
    -----Original Message-----
    From: THorner
    I am working on something similar (although not in a war),
    which isn't working yet, but I can tell you a couple of
    things that I have come across.
    -----Original Message-----
    From: [email protected]
    [mailto:[email protected]]On Behalf Of Derek
    Scherger
    Posted At: Mon 04 June 2001 22:13
    Posted To: weblogic.developer.interest.security
    Conversation: RDBMSRealm, everyone group, guest user
    Subject: RDBMSRealm, everyone group, guest user

  • Can we share one single RDBMS security store across multiple domains ?

    Can we share one single RDBMS security store across multiple weblogic domains? The idea is to utilize the same set of users and groups defined in Weblogic Security Realms across multiple weblogic domains. Is it possible? Are there any risks?
    I am using Oracle WebLogicServer11gR1 (10.3.6) Generic with Coherence.

    Hi,
    The document which you are referring is for WLS 10.0 and RDBMS security is introduced from WLS 10.3.0 onwards.
    The reason why RDBMS security store should not be stored between two domains is RDBMS security store is used by authorization, role mapping, credential mapping, and certificate registry providers.
    Once the RDBMS security store is configured in a domain, an instance of any of the preceding security providers that has been created in the security realm automatically uses only the RDBMS security store as a datastore, and not the embedded LDAP server.
    It is just the replacement for Embedded LDAP.
    Thanks & Regards,
    Murali.

  • How to implement a tree like security realm?

    hi all:
    i am working on a project. it's a very complex one and most importantly there are so many
    functions (1000 or more) and every function should be a protected resource. so i have
    to define many roles and map the roles to the many functions. it's a very tiring job and
    i am not sure the role to function mapping is a stable one, because the mapping is saved in
    an xml file and this file is deployed with the application, so if there are any changes
    we have to redeploy all the application and restart the server.
    there's still another problem. we want the security realm to be a tree instead of
    a flat one (weblogic's group is a flat one). if we assign a node to a role all its children
    belong to the same role.
    so is there a way to do this? any solution?
    regards
    daniel wang

    maybe you could exploit the way ACLs have dotted names to reflect your tree
    structure, so the acl root applies to all functions, root.branch1 only
    applies to functions on branch branch1, and root.branch1.branch2 applies to
    functions on branch2 of branch1. there's an api that gets the most specific
    acl given a path to a node.
    i'm not it's acls that you want to correspond to nodes, but maybe you can
    work out some kind of scheme that gives you what you want.
    andrew
    "daniel" <[email protected]> wrote in message
    news:3d16efc7$[email protected]..
    hi all:
    I am working on a project. It's a very complex one and, most importantly, there are so many functions (1000 or more), and every function should be a protected resource. So I have to define many roles and map the roles to the many functions. It's a very tiring job and I am not sure the role-to-function mapping is a stable one, because the mapping is saved in an XML file and this file is deployed with the application, so if there are any changes we have to redeploy the whole application and restart the server.
    There's still another problem. We want the security realm to be a tree instead of a flat one (WebLogic's group is a flat one). If we assign a node to a role, all its children belong to the same role.
    So is there a way to do this? Any solution?
    regards
    daniel wang
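    The dotted-name scheme andrew describes, as an added example that is not part of the original thread and does not use WebLogic's ACL API: the class, method and resource names are hypothetical, and Java 9 or later is assumed. It resolves a function name to the most specific ACL on its path and denies by default when no node on the path has one.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

// Added illustration with hypothetical names; not a WebLogic class.
public class DottedAclTree {
    // ACL name -> roles allowed on that node and on every descendant without its own ACL.
    private final Map<String, Set<String>> acls = new HashMap<>();

    void grant(String resource, String... roles) {
        acls.put(resource, Set.of(roles));
    }

    // Walks up one dotted segment at a time, so "root.branch10" never matches
    // an ACL named "root.branch1" the way a plain string-prefix test would.
    String mostSpecificAcl(String resource) {
        String name = resource;
        while (!acls.containsKey(name)) {
            int dot = name.lastIndexOf('.');
            if (dot < 0) {
                return null; // no ACL anywhere on the path
            }
            name = name.substring(0, dot);
        }
        return name;
    }

    // Default deny: a resource that no ACL covers is not accessible to anyone.
    boolean isAllowed(String resource, Set<String> userRoles) {
        String acl = mostSpecificAcl(resource);
        return acl != null && acls.get(acl).stream().anyMatch(userRoles::contains);
    }

    public static void main(String[] args) {
        DottedAclTree tree = new DottedAclTree();
        tree.grant("root", "admin");
        tree.grant("root.branch1", "admin", "clerk");
        tree.grant("root.branch1.branch2", "auditor");
        Set<String> clerk = Set.of("clerk");
        // Constructed function names, each checked for a user holding only the clerk role.
        for (String fn : new String[] {"root.branch1.listOrders", "root.branch1.branch2.closeBooks",
                                       "root.branch10.export", "other.report"}) {
            System.out.println(fn + " -> acl=" + tree.mostSpecificAcl(fn)
                    + " clerkAllowed=" + tree.isAllowed(fn, clerk));
        }
    }
}
```

    In this sketch a node's own ACL replaces the inherited one, so a role granted on root.branch1 does not reach root.branch1.branch2; grant the role on the child as well if inheritance should be additive.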

  • Difference between Domain\Domain Users and Everyone Group in SharePoint

    Hi,
    In SharePoint 2013, is the Everyone group an AD group? Please help with details.
    Thanks
    srabon

    Hi All,
    Domain Users, Authenticated Users, or Everyone
    Domain Users
    The Domain Users group is the only real group of the 3 listed above. By that I mean you can add and remove members from this group. Domain Users is a Global Group in the domain, and it can only contain users that are members of the same domain the Domain Users group resides in. By default all users created in the domain are automatically members of this group. However, the default Guest account in the domain is NOT a member of Domain Users; instead it is placed in the Domain Guests group. Because of this, Domain Users is generally considered the most secure group of the three listed above.
    Authenticated Users
    Authenticated Users was first introduced in Windows NT 4.0 SP3. This is a built-in group and cannot be modified. The Authenticated Users group contains users who have authenticated to the domain or a domain that is trusted by the computer domain. Authenticated Users contains all manually created user accounts in all trusted domains regardless of whether they are a member of the Domain Users group or not. Authenticated Users specifically does not contain the built-in Guest account, but will contain other users created and added to Domain Guests. The Authenticated Users group also includes the local computer account (computername$) and the built-in SYSTEM account.
    Everyone group
    The Everyone group includes all members of the Domain Users and Authenticated Users groups as well as the built-in Guest account, and several other built-in security identifiers like SERVICE, LOCAL_SERVICE, NETWORK_SERVICE, etc. NULL session connections (aka anonymous logon) used to be included in this group but were removed in Windows 2003. This is a built-in group that cannot be modified. Because the Everyone group contains the Guest account and several other built-in security identifiers like SERVICE, LOCAL_SERVICE, NETWORK_SERVICE, etc., it is generally considered the least secure of the three groups.
    Short answer is there isn't much to worry about unless folks are logging in with a guest account or you have removed a bunch of folks from the Domain Users group.
    -Ivan

  • How to retrieve Global Roles in the current security realm?

    Is there a WLS API available that obtains a list of mapped global roles (defined in a security realm) from an application?
    I want to be able to do a getRoles call against an authenticated user. So far, I'm only able to use isUserInRole. What I need is a list of all global roles mapped to a user's group.
    Thanks all...
    Message was edited by:
    raymondng

    You can refer to the api
    http://e-docs.bea.com/wls/docs81/javadocs/weblogic/management/security/authorization/RoleReaderMBean.html#getRoleExpression
    -Ramkumar

  • Using LDAP as security realm

    Hi,
    Our goal is to use LDAP(Iplanet Directory Server 5.0) as a security Realm
    for Weblogic Personalization and Commerce 3.5.
    Using the WLCS console, I've modified the config.xml file and following
    elements are added:
    <LDAPRealm AuthProtocol='simple' Credential='admin'
    GroupDN='ou=groups,dc=netnumina,dc=com' GroupIsContext='false'
    GroupUsernameAttribute='uniquemember'
    LDAPURL='ldap://sanand.netnumina.com:389' Name='wlcsLDAPRealm'
    Principal='uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot'
    UserAuthentication='local' UserDN='ou=people,dc=netnumina,dc=com'
    UserNameAttribute='uid'/>
    <CachingRealm BasicRealm='wlcsLDAPRealm' CacheCaseSensitive='true'
    Name='wlcsCachingRealm'/>
    But when we try to restart the WLCS, it throws Java exceptions that the context is not initialized and I get the following error:
    <Jun 15, 2001 3:41:28 PM EDT> <Emergency> <Server> <Unable to initialize the server: 'Fatal initialization exception
    Throwable: weblogic.security.ldaprealm.LDAPException: could not get context - with nested exception:
    [java.lang.reflect.InvocationTargetException - with target exception:
    [javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]]]
    weblogic.security.ldaprealm.LDAPException: could not get context - with nested exception:
    I tried using Windows NT as a security realm but that gave me errors too.
    Does anyone have any experience using anything other than the default realm?
    Any help would be appreciated. Thanks!
    Asim Raja
    [email protected]

    I'm not sure, but I suspect you can't
    since this would create a circular dependency -
    your realm would rely on the upper level security
    checking calls but those calls would rely on your
    realm.
    My suggestion is to give it a try and see what
    happens.
    -Tom
    Ozcan ADIYAMAN <[email protected]> wrote:
    Hi ,
    I am implementing a simple custom security realm using LDAP as the
    security store and I can see the users, groups and acls from the admin
    console.
    My question is (a custom realm newbie question) ;
    Is it possible to use weblogic.security.acl.Security with my custom
    realm to check permissions, get the current user,etc.,
    OR
    is this class ONLY used with default realms (when ACL is stored in a
    file) ?
    Thanks
    Ozcan
