Extend WL Authentication Provider Password Validation

Hi folks
I'm looking for any advice on how to extend the OOB password validation that is available and documented here:
http://docs.oracle.com/cd/E12840_01/wls/docs103/secmanage/atn.html#wp1212100
Specifically we'd like to test whether the desired password has been used in the last 8 they've used and also to enforce that it expire after x days. Any pointers would be much appreciated.
Thanks,
Paul

1- How can an authentication provider support password validation providers?
We decided to make our own authentication provider, so I doubt we support it.
Yes, your custom authentication provider will not support it.
2- How is it supposed to work?
Now, when a user changes his password (or any of his attributes), we call a stored procedure (DB) which updates the user table ...
The way I see it, the web application should call the password validation provider before (or instead, and then the provider will call the stored procedure).
Have you configured a database authenticator? It looks like you are modifying the password in the database directly (using stored procedures), so the Password Validator will not come into the picture at all.
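
An added example, not from the thread or from Oracle's documentation: the two checks asked about in the question (not one of the last 8 passwords, expiry after x days) as a plain Java class that an application could call before its own password-change stored procedure, the path on which, per the reply above, the Password Validator is not involved. The class and method names, the PBKDF2 parameters, the 90-day value standing in for "x", and the in-memory history standing in for a per-user table are all assumptions.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayDeque;
import java.util.Deque;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/** Hypothetical helper: "not one of the last N passwords" and "expires after x days". */
public final class PasswordPolicy {

    /** One retained credential: its own salt, the derived hash, and when it was set. */
    public static final class Entry {
        final byte[] salt;
        final byte[] hash;
        final Instant setAt;

        Entry(byte[] salt, byte[] hash, Instant setAt) {
            this.salt = salt;
            this.hash = hash;
            this.setAt = setAt;
        }
    }

    private static final int ITERATIONS = 210_000; // assumed PBKDF2 work factor
    private static final int KEY_BITS = 256;

    private final int historySize;
    private final Duration maxAge;
    private final SecureRandom random = new SecureRandom();

    public PasswordPolicy(int historySize, Duration maxAge) {
        this.historySize = historySize;
        this.maxAge = maxAge;
    }

    /** Old passwords are kept only as salted hashes, never in cleartext. */
    private static byte[] derive(char[] password, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // clears the spec's internal copy of the password
        }
    }

    /** True if the candidate matches any retained entry. Each entry has its own
     *  salt, so the candidate is re-derived per entry and compared with
     *  MessageDigest.isEqual rather than Arrays.equals. */
    public boolean isReused(char[] candidate, Deque<Entry> history) throws GeneralSecurityException {
        boolean reused = false;
        for (Entry old : history) {
            reused |= MessageDigest.isEqual(derive(candidate, old.salt), old.hash);
        }
        return reused;
    }

    /** True if there is no current password or the newest entry is older than maxAge. */
    public boolean isExpired(Deque<Entry> history, Instant now) {
        Entry current = history.peekFirst();
        return current == null || now.isAfter(current.setAt.plus(maxAge));
    }

    /** Records the new password (newest first) and trims to historySize.
     *  Returns false and leaves the history untouched when the password is reused. */
    public boolean change(char[] candidate, Deque<Entry> history, Instant now) throws GeneralSecurityException {
        if (isReused(candidate, history)) {
            return false;
        }
        byte[] salt = new byte[16];
        random.nextBytes(salt);
        history.addFirst(new Entry(salt, derive(candidate, salt), now));
        while (history.size() > historySize) {
            history.removeLast();
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        PasswordPolicy policy = new PasswordPolicy(8, Duration.ofDays(90)); // 90 stands in for "x"
        Deque<Entry> history = new ArrayDeque<>(); // stands in for a per-user history table
        Instant start = Instant.parse("2024-01-01T00:00:00Z");
        for (int i = 0; i < 9; i++) { // constructed sample passwords, one per day
            policy.change(("Constructed-pw-" + i).toCharArray(), history, start.plus(Duration.ofDays(i)));
        }
        System.out.println("entries kept: " + history.size());
        System.out.println("newest reused: " + policy.isReused("Constructed-pw-8".toCharArray(), history));
        System.out.println("ninth-oldest reused: " + policy.isReused("Constructed-pw-0".toCharArray(), history));
        System.out.println("expired 100 days after last change: "
                + policy.isExpired(history, start.plus(Duration.ofDays(108))));
    }
}
```

The expiry check belongs on the login path as well as the change path, since a password that is never changed is otherwise never evaluated.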

Similar Messages

  • Security realm - Security:097533 - Developing own authentication provider

    Hi everyone,
    I am developing my own authentication provider and I installed a security patch; while restarting the WebLogic server I encountered the exception below:
    <10/05/2013 05:54:33 PM COT> <Error> <Security> <BEA-090870> <The realm "myrealm" failed to be loaded: weblogic.security.service.SecurityServiceException: com.bea.common.engine.ServiceInitializationException: com.bea.common.engine.SecurityServiceRuntimeException: [Security:097533]SecurityProvider service class name for AS400Realm is not specified..
    weblogic.security.service.SecurityServiceException: com.bea.common.engine.ServiceInitializationException: com.bea.common.engine.SecurityServiceRuntimeException: [Security:097533]SecurityProvider service class name for AS400Realm is not specified.
    at weblogic.security.service.CSSWLSDelegateImpl.initializeServiceEngine(CSSWLSDelegateImpl.java:341)
    at weblogic.security.service.CSSWLSDelegateImpl.initialize(CSSWLSDelegateImpl.java:220)
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.InitializeServiceEngine(CommonSecurityServiceManagerDelegateImpl.java:1789)
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initializeRealm(CommonSecurityServiceManagerDelegateImpl.java:443)
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.loadRealm(CommonSecurityServiceManagerDelegateImpl.java:841)
    Truncated. see log file for complete stacktrace
    Caused By: com.bea.common.engine.ServiceInitializationException: com.bea.common.engine.SecurityServiceRuntimeException: [Security:097533]SecurityProvider service class name for AS400Realm is not specified.
    at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:365)
    at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:315)
    at com.bea.common.engine.internal.ServiceEngineImpl.lookupService(ServiceEngineImpl.java:257)
    at com.bea.common.engine.internal.ServicesImpl.getService(ServicesImpl.java:72)
    at weblogic.security.service.internal.WLSIdentityServiceImpl.initialize(WLSIdentityServiceImpl.java:46)
    Truncated. see log file for complete stacktrace
    Caused By: com.bea.common.engine.SecurityServiceRuntimeException: [Security:097533]SecurityProvider service class name for AS400Realm is not specified.
    at com.bea.common.security.internal.legacy.service.SecurityProviderImpl.init(SecurityProviderImpl.java:42)
    at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:363)
    at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:315)
    at com.bea.common.engine.internal.ServiceEngineImpl.lookupService(ServiceEngineImpl.java:257)
    at com.bea.common.engine.internal.ServicesImpl.getService(ServicesImpl.java:72)
    Truncated. see log file for complete stacktrace
    this is the config.xml :
    <domain xmlns="http://xmlns.oracle.com/weblogic/domain" xmlns:sec="http://xmlns.oracle.com/weblogic/security" xmlns:wls="http://xmlns.oracle.com/weblogic/security/wls" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/weblogic/security/xacml http://xmlns.oracle.com/weblogic/security/xacml/1.0/xacml.xsd http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator/1.0/passwordvalidator.xsd http://xmlns.oracle.com/weblogic/domain http://xmlns.oracle.com/weblogic/1.0/domain.xsd http://xmlns.oracle.com/weblogic/security http://xmlns.oracle.com/weblogic/1.0/security.xsd http://xmlns.oracle.com/weblogic/security/wls http://xmlns.oracle.com/weblogic/security/wls/1.0/wls.xsd http://xmlns.oracle.com/weblogic/security/extension http://xmlns.oracle.com/weblogic/1.0/security.xsd">
    <name>base_domain</name>
    <domain-version>12.1.1.0</domain-version>
    <security-configuration>
    <name>base_domain</name>
    <realm>
    <sec:authentication-provider xsi:type="wls:default-authenticatorType"></sec:authentication-provider>
    <sec:authentication-provider xsi:type="wls:default-identity-asserterType">
    <sec:active-type>AuthenticatedUser</sec:active-type>
    </sec:authentication-provider>
    <sec:authentication-provider xmlns:ext="http://xmlns.oracle.com/weblogic/security/extension" xsi:type="ext:as400-realmType">
    <sec:name>AS400Realm</sec:name>
    <sec:control-flag>OPTIONAL</sec:control-flag>
    </sec:authentication-provider>
    <sec:role-mapper xmlns:xac="http://xmlns.oracle.com/weblogic/security/xacml" xsi:type="xac:xacml-role-mapperType"></sec:role-mapper>
    <sec:authorizer xmlns:xac="http://xmlns.oracle.com/weblogic/security/xacml" xsi:type="xac:xacml-authorizerType"></sec:authorizer>
    <sec:adjudicator xsi:type="wls:default-adjudicatorType"></sec:adjudicator>
    <sec:credential-mapper xsi:type="wls:default-credential-mapperType"></sec:credential-mapper>
    <sec:cert-path-provider xsi:type="wls:web-logic-cert-path-providerType"></sec:cert-path-provider>
    <sec:cert-path-builder>WebLogicCertPathProvider</sec:cert-path-builder>
    <sec:user-lockout-manager>
    <sec:lockout-enabled>false</sec:lockout-enabled>
    </sec:user-lockout-manager>
    <sec:deploy-role-ignored>false</sec:deploy-role-ignored>
    <sec:deploy-policy-ignored>false</sec:deploy-policy-ignored>
    <sec:security-dd-model>DDOnly</sec:security-dd-model>
    <sec:name>myrealm</sec:name>
    <sec:password-validator xmlns:pas="http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator" xsi:type="pas:system-password-validatorType">
    <sec:name>SystemPasswordValidator</sec:name>
    <pas:min-password-length>8</pas:min-password-length>
    <pas:min-numeric-or-special-characters>1</pas:min-numeric-or-special-characters>
    </sec:password-validator>
    </realm>
    <default-realm>myrealm</default-realm>
    <credential-encrypted>{AES}kyVB/9J9Fbvp11tAnYgn6grV6wQwNZZGHSh2JLQtesxS46Re+QCfIAttNE5JugllQvUHOhE+pz0AnEfYL2p5q2oeRsjqoQz2/1Lg8x+3WMoKic0xnRzw2RWoFjQo3F9x</credential-encrypted>
    <node-manager-username>weblogic</node-manager-username>
    <node-manager-password-encrypted>{AES}4jkSbv5dMOl6cRpRa4QwB83XVavtq168cV4L+NSFDcI=</node-manager-password-encrypted>
    <cross-domain-security-enabled>true</cross-domain-security-enabled>
    </security-configuration>
    <server>
    <name>AdminServer</name>
    <listen-address>localhost</listen-address>
    <staging-mode>nostage</staging-mode>
    </server>
    <embedded-ldap>
    <name>base_domain</name>
    <credential-encrypted>{AES}9YeG1UFRNQzM0v6/j8cFvT9x9fkJUl1FJOWGInl5dax26FgMNEVwKNxOBHvW2opm</credential-encrypted>
    </embedded-ldap>
    <configuration-version>12.1.1.0</configuration-version>
    this is the mbean xml (A400Realmmbean.xml):
    <?xml version="1.0" ?>
    <!DOCTYPE MBeanType SYSTEM "commo.dtd">
    <MBeanType Name = "AS400Realm" DisplayName = "AS400Realm"
    Package = "co.com.claro.security"
    Extends = "weblogic.management.security.authentication.Authenticator"
    PersistPolicy = "OnUpdate"
    >
    <MbeanAttribute Name = "ProviderClassName" Type = "java.lang.String"
    Writeable = "false"
    Default =
    "&quot;co.com.claro.AS400Realm&quot;"
    />
    <MBeanAttribute Name = "Description" Type = "java.lang.String"
    Writeable = "false" Default = "&quot;My Identity Assertion Provider&quot;"
    />
    <MBeanAttribute Name = "Version" Type = "java.lang.String"
    Writeable = "false" Default = "&quot;1.0&quot;"
    />
    </MBeanType>
    and the runtime class:
    AS400Realm.java:
    /*
     * To change this template, choose Tools | Templates
     * and open the template in the editor.
     */
    package co.com.claro.security;

    import java.util.HashMap;
    import javax.security.auth.login.AppConfigurationEntry;
    import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
    import weblogic.management.security.ProviderMBean;
    import weblogic.security.provider.PrincipalValidatorImpl;
    import weblogic.security.spi.AuthenticationProviderV2;
    import weblogic.security.spi.IdentityAsserterV2;
    import weblogic.security.spi.PrincipalValidator;
    import weblogic.security.spi.SecurityServices;
    import weblogic.security.principal.WLSGroupImpl;
    import weblogic.security.principal.WLSUserImpl;

    public final class AS400Realm implements AuthenticationProviderV2 {
        private String description;
        // private SimpleSampleAuthenticatorDatabase database;
        private LoginModuleControlFlag controlFlag;
        // public String PARAM_JAAS_CONTEXT = "jaas-context";
        // public String PARAM_DATASOURCE_NAME = "jdbc/Oracle";
        // public String DEFAULT_GROUP_NAME = "default";

        public void initialize(ProviderMBean mbean, SecurityServices services) {
            System.out.println("AS400Realm.initialize");
            AS400RealmMBean myMBean = (AS400RealmMBean) mbean;
            description = myMBean.getDescription() + "\n" + myMBean.getVersion();
            // database = new SimpleSampleAuthenticatorDatabase(myMBean);
            String flag = myMBean.getControlFlag();
            if (flag.equalsIgnoreCase("REQUIRED")) {
                controlFlag = LoginModuleControlFlag.REQUIRED;
            } else if (flag.equalsIgnoreCase("OPTIONAL")) {
                controlFlag = LoginModuleControlFlag.OPTIONAL;
            } else if (flag.equalsIgnoreCase("REQUISITE")) {
                controlFlag = LoginModuleControlFlag.REQUISITE;
            } else if (flag.equalsIgnoreCase("SUFFICIENT")) {
                controlFlag = LoginModuleControlFlag.SUFFICIENT;
            } else {
                throw new IllegalArgumentException("invalid flag value" + flag);
            }
        }

        public String getDescription() {
            return description;
        }

        public void shutdown() {
            System.out.println("AS400Realm.shutdown");
        }

        private AppConfigurationEntry getConfiguration(HashMap options) {
            options.put("PARAM_DATASOURCE_NAME", "jdbc/Oracle");
            return new AppConfigurationEntry(
                "co.com.claro.security.AS400LoginModule",
                controlFlag,
                options);
        }

        public AppConfigurationEntry getLoginModuleConfiguration() {
            HashMap options = new HashMap();
            return getConfiguration(options);
        }

        public AppConfigurationEntry getAssertionModuleConfiguration() {
            HashMap options = new HashMap();
            options.put("IdentityAssertion", "true");
            return getConfiguration(options);
        }

        public PrincipalValidator getPrincipalValidator() {
            return new PrincipalValidatorImpl();
        }

        public IdentityAsserterV2 getIdentityAsserter() {
            return null;
        }
    }
    AS400LoginModule.java :
    /*
     * To change this template, choose Tools | Templates
     * and open the template in the editor.
     */
    package co.com.claro.security;

    import com.ibm.as400.access.AS400;
    import java.io.IOException;
    import java.sql.Connection;
    import java.sql.PreparedStatement;
    import java.sql.ResultSet;
    import java.sql.SQLException;
    import java.util.Enumeration;
    import java.util.Map;
    import java.util.Vector;
    import java.util.logging.Level;
    import java.util.logging.Logger;
    import javax.naming.Context;
    import javax.naming.InitialContext;
    import javax.naming.NamingException;
    import javax.security.auth.Subject;
    import javax.security.auth.callback.Callback;
    import javax.security.auth.callback.CallbackHandler;
    import javax.security.auth.callback.NameCallback;
    import javax.security.auth.callback.PasswordCallback;
    import javax.security.auth.callback.UnsupportedCallbackException;
    import javax.security.auth.login.LoginException;
    import javax.security.auth.login.FailedLoginException;
    import javax.security.auth.spi.LoginModule;
    import javax.sql.DataSource;
    import weblogic.security.spi.WLSGroup;
    import weblogic.security.spi.WLSUser;
    import weblogic.security.principal.WLSGroupImpl;
    import weblogic.security.principal.WLSUserImpl;

    /**
     * @author dmunoz
     */
    final public class AS400LoginModule implements LoginModule {
        private Subject subject;
        private CallbackHandler callbackHandler;
        private String PARAM_DATASOURCE_NAME = "jdbc/Oracle";
        private String DEFAULT_GROUP_NAME = "default";
        // Determine whether this is a login or assert identity
        private boolean isIdentityAssertion;
        // Authentication status
        private boolean loginSucceeded;
        private boolean principalsInSubject;
        private Vector principalsForSubject = new Vector();

        public void initialize(Subject subject, CallbackHandler callbackHandler, Map sharedState, Map options) {
            // only called (once!) after the constructor and before login
            System.out.println("SimpleSampleLoginModuleImpl.initialize");
            this.subject = subject;
            this.callbackHandler = callbackHandler;
            // Check for Identity Assertion option
            isIdentityAssertion =
                "true".equalsIgnoreCase((String) options.get("IdentityAssertion"));
        }

        private boolean authenticateAS400(String user, String passwd) throws Exception {
            String host = "172.31.2.80"; //Config.getProperty(Config.AS400_AUTHENTICATION_HOST);
            AS400 as400System;
            as400System = new AS400(host, user, passwd);
            return as400System.validateSignon();
        }

        public boolean login() throws LoginException {
            // only called (once!) after initialize
            System.out.println("SimpleSampleLoginModuleImpl.login");
            // loginSucceeded should be false
            // principalsInSubject should be false
            Callback[] callbacks = getCallbacks();
            String userName = getUserName(callbacks);
            if (userName.length() > 0) {
                if (!isIdentityAssertion) {
                    String passwordHave = getPasswordHave(userName, callbacks);
                    try {
                        loginSucceeded = authenticateAS400(userName, passwordHave);
                    } catch (Exception e) {
                        Logger.getLogger(AS400LoginModule.class.getName()).log(Level.WARNING, null, e);
                        throw new LoginException(e.getMessage());
                    }
                }
            } else {
                // anonymous login - let it through?
                System.out.println("\tempty userName");
            }
            if (loginSucceeded) {
                principalsForSubject.add(new WLSUserImpl(userName));
                addGroupsForSubject(userName);
            }
            return loginSucceeded;
        }

        public boolean commit() throws LoginException {
            // only called (once!) after login
            // loginSucceeded should be true or false
            // principalsInSubject should be false
            // user should be null if !loginSucceeded, null or not-null otherwise
            // group should be null if user == null, null or not-null otherwise
            System.out.println("SimpleSampleLoginModule.commit");
            if (loginSucceeded) {
                subject.getPrincipals().addAll(principalsForSubject);
                principalsInSubject = true;
                return true;
            } else {
                return false;
            }
        }

        public boolean abort() throws LoginException {
            // The abort method is called to abort the authentication process. This is
            // phase 2 of authentication when phase 1 fails. It is called if the
            // LoginContext's overall authentication failed.
            // loginSucceeded should be true or false
            // user should be null if !loginSucceeded, otherwise null or not-null
            // group should be null if user == null, otherwise null or not-null
            // principalsInSubject should be false if user is null, otherwise true
            // or false
            System.out.println("SimpleSampleLoginModule.abort");
            if (principalsInSubject) {
                subject.getPrincipals().removeAll(principalsForSubject);
                principalsInSubject = false;
            }
            return true;
        }

        public boolean logout() throws LoginException {
            // should never be called
            System.out.println("SimpleSampleLoginModule.logout");
            return true;
        }

        private void throwLoginException(String msg) throws LoginException {
            System.out.println("Throwing LoginException(" + msg + ")");
            throw new LoginException(msg);
        }

        private void throwFailedLoginException(String msg) throws FailedLoginException {
            System.out.println("Throwing FailedLoginException(" + msg + ")");
            throw new FailedLoginException(msg);
        }

        private Callback[] getCallbacks() throws LoginException {
            if (callbackHandler == null) {
                throwLoginException("No CallbackHandler Specified");
            }
            Callback[] callbacks;
            if (isIdentityAssertion) {
                callbacks = new Callback[1];
            } else {
                callbacks = new Callback[2];
                callbacks[1] = new PasswordCallback("password: ", false);
            }
            callbacks[0] = new NameCallback("username: ");
            try {
                callbackHandler.handle(callbacks);
            } catch (IOException e) {
                throw new LoginException(e.toString());
            } catch (UnsupportedCallbackException e) {
                throwLoginException(e.toString() + " " + e.getCallback().toString());
            }
            return callbacks;
        }

        private String getUserName(Callback[] callbacks) throws LoginException {
            String userName = ((NameCallback) callbacks[0]).getName();
            if (userName == null) {
                throwLoginException("Username not supplied.");
            }
            System.out.println("\tuserName\t= " + userName);
            return userName;
        }

        private void addGroupsForSubject(String userName) {
            try {
                for (Enumeration e = getGroupNamesAS400(userName);
                        e.hasMoreElements();) {
                    String groupName = (String) e.nextElement();
                    System.out.println("\tgroupName\t= " + groupName);
                    principalsForSubject.add(new WLSGroupImpl(groupName));
                }
            } catch (Exception ex) {
                Logger.getLogger(AS400LoginModule.class.getName()).log(Level.SEVERE, null, ex);
            }
        }

        public Enumeration getGroupNamesAS400(String usuario)
                throws Exception {
            if (usuario == null) {
                throw new Exception("Usuario no puede ser vacio");
            }
            Vector<String> grupos = new Vector<String>();
            grupos.add(DEFAULT_GROUP_NAME);
            Connection conn = null;
            ResultSet rs = null;
            PreparedStatement statement = null;
            try {
                Context c = new InitialContext();
                DataSource dst = (DataSource) c.lookup(PARAM_DATASOURCE_NAME);
                conn = dst.getConnection();
                String query = "SELECT COD_ROL AS ROL " +
                    "FROM gestionnew.us_rol_perfil " +
                    "JOIN gestionnew.usuarios " +
                    "ON us_rol_perfil.id_perfil = usuarios.id_perfil " +
                    "WHERE upper(usuarios.usuariorr) = ?";
                statement = conn.prepareStatement(query);
                statement.setString(1, usuario.toUpperCase());
                rs = statement.executeQuery();
                while (rs.next()) {
                    grupos.add(rs.getString("ROL"));
                }
            } catch (SQLException ex) {
                Logger.getLogger(AS400LoginModule.class.getName()).log(Level.SEVERE, null, ex);
            } catch (NamingException ex) {
                Logger.getLogger(AS400LoginModule.class.getName()).log(Level.SEVERE, null, ex);
            } finally {
                // Close in reverse order of acquisition: result set, statement, connection
                if (rs != null) {
                    try {
                        rs.close();
                    } catch (SQLException ex) {
                        Logger.getLogger(AS400LoginModule.class.getName()).log(Level.SEVERE, null, ex);
                    }
                }
                if (statement != null) {
                    try {
                        statement.close();
                    } catch (SQLException ex) {
                        Logger.getLogger(AS400LoginModule.class.getName()).log(Level.SEVERE, null, ex);
                    }
                }
                if (conn != null) {
                    try {
                        conn.close();
                    } catch (SQLException ex) {
                        Logger.getLogger(AS400LoginModule.class.getName()).log(Level.SEVERE, null, ex);
                    }
                }
            }
            return grupos.elements();
        }

        private String getPasswordHave(String userName, Callback[] callbacks) throws
                LoginException {
            PasswordCallback passwordCallback = (PasswordCallback) callbacks[1];
            char[] password = passwordCallback.getPassword();
            passwordCallback.clearPassword();
            if (password == null || password.length < 1) {
                throwLoginException("Authentication Failed: User " + userName +
                    ". Password not supplied");
            }
            String passwd = new String(password);
            // The cleartext password is not written to stdout or to the server log
            return passwd;
        }
    }
    thanks

    hi everyone,
    i Developing own authentication provider and i installed a security patch, so while i restarting the weblogic server  encountered the below Exeption:
    <10/05/2013 05:54:33 PM COT> <Error> <Security> <BEA-090870> <The realm "myrealm" failed to be loaded: weblogic.security.service.SecurityServiceException: com.bea.common.engine.ServiceInitializationException: com.bea.common.engine.SecurityServiceRuntimeException: [Security:097533]SecurityProvider service class name for AS400Realm is not specified..
    weblogic.security.service.SecurityServiceException: com.bea.common.engine.ServiceInitializationException: com.bea.common.engine.SecurityServiceRuntimeException: [Security:097533]SecurityProvider service class name for AS400Realm is not specified.
    at weblogic.security.service.CSSWLSDelegateImpl.initializeServiceEngine(CSSWLSDelegateImpl.java:341)
    at weblogic.security.service.CSSWLSDelegateImpl.initialize(CSSWLSDelegateImpl.java:220)
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.InitializeServiceEngine(CommonSecurityServiceManagerDelegateImpl.java:1789)
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initializeRealm(CommonSecurityServiceManagerDelegateImpl.java:443)
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.loadRealm(CommonSecurityServiceManagerDelegateImpl.java:841)
    Truncated. see log file for complete stacktrace
    Caused By: com.bea.common.engine.ServiceInitializationException: com.bea.common.engine.SecurityServiceRuntimeException: [Security:097533]SecurityProvider service class name for AS400Realm is not specified.
    at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:365)
    at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:315)
    at com.bea.common.engine.internal.ServiceEngineImpl.lookupService(ServiceEngineImpl.java:257)
    at com.bea.common.engine.internal.ServicesImpl.getService(ServicesImpl.java:72)
    at weblogic.security.service.internal.WLSIdentityServiceImpl.initialize(WLSIdentityServiceImpl.java:46)
    Truncated. see log file for complete stacktrace
    Caused By: com.bea.common.engine.SecurityServiceRuntimeException: [Security:097533]SecurityProvider service class name for AS400Realm is not specified.
    at com.bea.common.security.internal.legacy.service.SecurityProviderImpl.init(SecurityProviderImpl.java:42)
    at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:363)
    at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:315)
    at com.bea.common.engine.internal.ServiceEngineImpl.lookupService(ServiceEngineImpl.java:257)
    at com.bea.common.engine.internal.ServicesImpl.getService(ServicesImpl.java:72)
    Truncated. see log file for complete stacktrace
    this is the config.xml :
    <domain xmlns="http://xmlns.oracle.com/weblogic/domain" xmlns:sec="http://xmlns.oracle.com/weblogic/security" xmlns:wls="http://xmlns.oracle.com/weblogic/security/wls" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/weblogic/security/xacml http://xmlns.oracle.com/weblogic/security/xacml/1.0/xacml.xsd http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator/1.0/passwordvalidator.xsd http://xmlns.oracle.com/weblogic/domain http://xmlns.oracle.com/weblogic/1.0/domain.xsd http://xmlns.oracle.com/weblogic/security http://xmlns.oracle.com/weblogic/1.0/security.xsd http://xmlns.oracle.com/weblogic/security/wls http://xmlns.oracle.com/weblogic/security/wls/1.0/wls.xsd http://xmlns.oracle.com/weblogic/security/extension http://xmlns.oracle.com/weblogic/1.0/security.xsd">
    <name>base_domain</name>
    <domain-version>12.1.1.0</domain-version>
    <security-configuration>
    <name>base_domain</name>
    <realm>
    <sec:authentication-provider xsi:type="wls:default-authenticatorType"></sec:authentication-provider>
    <sec:authentication-provider xsi:type="wls:default-identity-asserterType">
    <sec:active-type>AuthenticatedUser</sec:active-type>
    </sec:authentication-provider>
    <sec:authentication-provider xmlns:ext="http://xmlns.oracle.com/weblogic/security/extension" xsi:type="ext:as400-realmType">
    <sec:name>AS400Realm</sec:name>
    <sec:control-flag>OPTIONAL</sec:control-flag>
    </sec:authentication-provider>
    <sec:role-mapper xmlns:xac="http://xmlns.oracle.com/weblogic/security/xacml" xsi:type="xac:xacml-role-mapperType"></sec:role-mapper>
    <sec:authorizer xmlns:xac="http://xmlns.oracle.com/weblogic/security/xacml" xsi:type="xac:xacml-authorizerType"></sec:authorizer>
    <sec:adjudicator xsi:type="wls:default-adjudicatorType"></sec:adjudicator>
    <sec:credential-mapper xsi:type="wls:default-credential-mapperType"></sec:credential-mapper>
    <sec:cert-path-provider xsi:type="wls:web-logic-cert-path-providerType"></sec:cert-path-provider>
    <sec:cert-path-builder>WebLogicCertPathProvider</sec:cert-path-builder>
    <sec:user-lockout-manager>
    <sec:lockout-enabled>false</sec:lockout-enabled>
    </sec:user-lockout-manager>
    <sec:deploy-role-ignored>false</sec:deploy-role-ignored>
    <sec:deploy-policy-ignored>false</sec:deploy-policy-ignored>
    <sec:security-dd-model>DDOnly</sec:security-dd-model>
    <sec:name>myrealm</sec:name>
    <sec:password-validator xmlns:pas="http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator" xsi:type="pas:system-password-validatorType">
    <sec:name>SystemPasswordValidator</sec:name>
    <pas:min-password-length>8</pas:min-password-length>
    <pas:min-numeric-or-special-characters>1</pas:min-numeric-or-special-characters>
    </sec:password-validator>
    </realm>
    <default-realm>myrealm</default-realm>
    <credential-encrypted>{AES}kyVB/9J9Fbvp11tAnYgn6grV6wQwNZZGHSh2JLQtesxS46Re+QCfIAttNE5JugllQvUHOhE+pz0AnEfYL2p5q2oeRsjqoQz2/1Lg8x+3WMoKic0xnRzw2RWoFjQo3F9x</credential-encrypted>
    <node-manager-username>weblogic</node-manager-username>
    <node-manager-password-encrypted>{AES}4jkSbv5dMOl6cRpRa4QwB83XVavtq168cV4L+NSFDcI=</node-manager-password-encrypted>
    <cross-domain-security-enabled>true</cross-domain-security-enabled>
    </security-configuration>
    <server>
    <name>AdminServer</name>
    <listen-address>localhost</listen-address>
    <staging-mode>nostage</staging-mode>
    </server>
    <embedded-ldap>
    <name>base_domain</name>
    <credential-encrypted>{AES}9YeG1UFRNQzM0v6/j8cFvT9x9fkJUl1FJOWGInl5dax26FgMNEVwKNxOBHvW2opm</credential-encrypted>
    </embedded-ldap>
    <configuration-version>12.1.1.0</configuration-version>
    this is the mbean xml (A400Realmmbean.xml):
    <?xml version="1.0" ?>
    <!DOCTYPE MBeanType SYSTEM "commo.dtd">
    <MBeanType Name = "AS400Realm" DisplayName = "AS400Realm"
    Package = "co.com.claro.security"
    Extends = "weblogic.management.security.authentication.Authenticator"
    PersistPolicy = "OnUpdate"
    >
    <MbeanAttribute Name = "ProviderClassName" Type = "java.lang.String"
    Writeable = "false"
    Default =
    "&quot;co.com.claro.AS400Realm&quot;"
    />
    <MBeanAttribute Name = "Description" Type = "java.lang.String"
    Writeable = "false" Default = "&quot;My Identity Assertion Provider&quot;"
    />
    <MBeanAttribute Name = "Version" Type = "java.lang.String"
    Writeable = "false" Default = "&quot;1.0&quot;"
    />
    </MBeanType>
    and the runtime class:
    AS400Realm.java:
    * To change this template, choose Tools | Templates
    * and open the template in the editor.
    package co.com.claro.security;
    import java.util.HashMap;
    import javax.security.auth.login.AppConfigurationEntry;
    import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
    import weblogic.management.security.ProviderMBean;
    import weblogic.security.provider.PrincipalValidatorImpl;
    import weblogic.security.spi.AuthenticationProviderV2;
    import weblogic.security.spi.IdentityAsserterV2;
    import weblogic.security.spi.PrincipalValidator;
    import weblogic.security.spi.SecurityServices;
    import weblogic.security.principal.WLSGroupImpl;
    import weblogic.security.principal.WLSUserImpl;
    public final class AS400Realm implements AuthenticationProviderV2
    private String description;
    // private SimpleSampleAuthenticatorDatabase database;
    private LoginModuleControlFlag controlFlag;
    // public String PARAM_JAAS_CONTEXT = "jaas-context";
    // public String PARAM_DATASOURCE_NAME = "jdbc/Oracle";
    // public String DEFAULT_GROUP_NAME = "default";
    public void initialize(ProviderMBean mbean, SecurityServices services)
    System.out.println("AS400Realm.initialize");
    AS400RealmMBean myMBean = (AS400RealmMBean)mbean;
    description = myMBean.getDescription() + "\n" + myMBean.getVersion();
    // database = new SimpleSampleAuthenticatorDatabase(myMBean);
    String flag = myMBean.getControlFlag();
    if (flag.equalsIgnoreCase("REQUIRED")) {
    controlFlag = LoginModuleControlFlag.REQUIRED;
    } else if (flag.equalsIgnoreCase("OPTIONAL")) {
    controlFlag = LoginModuleControlFlag.OPTIONAL;
    } else if (flag.equalsIgnoreCase("REQUISITE")) {
    controlFlag = LoginModuleControlFlag.REQUISITE;
    } else if (flag.equalsIgnoreCase("SUFFICIENT")) {
    controlFlag = LoginModuleControlFlag.SUFFICIENT;
    } else {
    throw new IllegalArgumentException("invalid flag value" + flag);
    public String getDescription()
    return description;
    public void shutdown()
    System.out.println("AS400Realm.shutdown");
    private AppConfigurationEntry getConfiguration(HashMap options)
    options.put("PARAM_DATASOURCE_NAME", "jdbc/Oracle");
    return new
    AppConfigurationEntry(
    "co.com.claro.security.AS400LoginModule",
    controlFlag,
    options
    public AppConfigurationEntry getLoginModuleConfiguration()
    HashMap options = new HashMap();
    return getConfiguration(options);
    public AppConfigurationEntry getAssertionModuleConfiguration()
    HashMap options = new HashMap();
    options.put("IdentityAssertion","true");
    return getConfiguration(options);
    public PrincipalValidator getPrincipalValidator()
    return new PrincipalValidatorImpl();
    public IdentityAsserterV2 getIdentityAsserter()
    return null;
    AS400LoginModule.java :
    /*
     * To change this template, choose Tools | Templates
     * and open the template in the editor.
     */
    package co.com.claro.security;

    import com.ibm.as400.access.AS400;
    import java.io.IOException;
    import java.sql.Connection;
    import java.sql.PreparedStatement;
    import java.sql.ResultSet;
    import java.sql.SQLException;
    import java.util.Enumeration;
    import java.util.Map;
    import java.util.Vector;
    import java.util.logging.Level;
    import java.util.logging.Logger;
    import javax.naming.Context;
    import javax.naming.InitialContext;
    import javax.naming.NamingException;
    import javax.security.auth.Subject;
    import javax.security.auth.callback.Callback;
    import javax.security.auth.callback.CallbackHandler;
    import javax.security.auth.callback.NameCallback;
    import javax.security.auth.callback.PasswordCallback;
    import javax.security.auth.callback.UnsupportedCallbackException;
    import javax.security.auth.login.LoginException;
    import javax.security.auth.login.FailedLoginException;
    import javax.security.auth.spi.LoginModule;
    import javax.sql.DataSource;
    import weblogic.security.spi.WLSGroup;
    import weblogic.security.spi.WLSUser;
    import weblogic.security.principal.WLSGroupImpl;
    import weblogic.security.principal.WLSUserImpl;

    /**
     * @author dmunoz
     */
    final public class AS400LoginModule implements LoginModule {

        private Subject subject;
        private CallbackHandler callbackHandler;
        private String PARAM_DATASOURCE_NAME = "jdbc/Oracle";
        private String DEFAULT_GROUP_NAME = "default";
        // Determine whether this is a login or assert identity
        private boolean isIdentityAssertion;
        // Authentication status
        private boolean loginSucceeded;
        private boolean principalsInSubject;
        private Vector principalsForSubject = new Vector();

        public void initialize(Subject subject, CallbackHandler callbackHandler, Map sharedState, Map options) {
            // only called (once!) after the constructor and before login
            System.out.println("SimpleSampleLoginModuleImpl.initialize");
            this.subject = subject;
            this.callbackHandler = callbackHandler;
            // Check for Identity Assertion option
            isIdentityAssertion =
                    "true".equalsIgnoreCase((String) options.get("IdentityAssertion"));
        }

        private boolean authenticateAS400(String user, String passwd) throws Exception {
            String host = "172.31.2.80"; //Config.getProperty(Config.AS400_AUTHENTICATION_HOST);
            AS400 as400System;
            as400System = new AS400(host, user, passwd);
            return as400System.validateSignon();
        }

        public boolean login() throws LoginException {
            // only called (once!) after initialize
            System.out.println("SimpleSampleLoginModuleImpl.login");
            // loginSucceeded should be false
            // principalsInSubject should be false
            Callback[] callbacks = getCallbacks();
            String userName = getUserName(callbacks);
            if (userName.length() > 0) {
                if (!isIdentityAssertion) {
                    String passwordHave = getPasswordHave(userName, callbacks);
                    try {
                        loginSucceeded = authenticateAS400(userName, passwordHave);
                    } catch (Exception e) {
                        Logger.getLogger(AS400LoginModule.class.getName()).log(Level.WARNING, null, e);
                        throw new LoginException(e.getMessage());
                    }
                }
            } else {
                // anonymous login - let it through?
                System.out.println("\tempty userName");
            }
            if (loginSucceeded) {
                principalsForSubject.add(new WLSUserImpl(userName));
                addGroupsForSubject(userName);
            }
            return loginSucceeded;
        }

        public boolean commit() throws LoginException {
            // only called (once!) after login
            // loginSucceeded should be true or false
            // principalsInSubject should be false
            // user should be null if !loginSucceeded, null or not-null otherwise
            // group should be null if user == null, null or not-null otherwise
            System.out.println("SimpleSampleLoginModule.commit");
            if (loginSucceeded) {
                subject.getPrincipals().addAll(principalsForSubject);
                principalsInSubject = true;
                return true;
            } else {
                return false;
            }
        }

        public boolean abort() throws LoginException {
            // The abort method is called to abort the authentication process. This is
            // phase 2 of authentication when phase 1 fails. It is called if the
            // LoginContext's overall authentication failed.
            // loginSucceeded should be true or false
            // user should be null if !loginSucceeded, otherwise null or not-null
            // group should be null if user == null, otherwise null or not-null
            // principalsInSubject should be false if user is null, otherwise true
            // or false
            System.out.println("SimpleSampleLoginModule.abort");
            if (principalsInSubject) {
                subject.getPrincipals().removeAll(principalsForSubject);
                principalsInSubject = false;
            }
            return true;
        }

        public boolean logout() throws LoginException {
            // should never be called
            System.out.println("SimpleSampleLoginModule.logout");
            return true;
        }

        private void throwLoginException(String msg) throws LoginException {
            System.out.println("Throwing LoginException(" + msg + ")");
            throw new LoginException(msg);
        }

        private void throwFailedLoginException(String msg) throws FailedLoginException {
            System.out.println("Throwing FailedLoginException(" + msg + ")");
            throw new FailedLoginException(msg);
        }

        private Callback[] getCallbacks() throws LoginException {
            if (callbackHandler == null) {
                throwLoginException("No CallbackHandler Specified");
            }
            Callback[] callbacks;
            if (isIdentityAssertion) {
                callbacks = new Callback[1];
            } else {
                callbacks = new Callback[2];
                callbacks[1] = new PasswordCallback("password: ", false);
            }
            callbacks[0] = new NameCallback("username: ");
            try {
                callbackHandler.handle(callbacks);
            } catch (IOException e) {
                throw new LoginException(e.toString());
            } catch (UnsupportedCallbackException e) {
                throwLoginException(e.toString() + " " + e.getCallback().toString());
            }
            return callbacks;
        }

        private String getUserName(Callback[] callbacks) throws LoginException {
            String userName = ((NameCallback) callbacks[0]).getName();
            if (userName == null) {
                throwLoginException("Username not supplied.");
            }
            System.out.println("\tuserName\t= " + userName);
            return userName;
        }

        private void addGroupsForSubject(String userName) {
            try {
                for (Enumeration e = getGroupNamesAS400(userName);
                        e.hasMoreElements();) {
                    String groupName = (String) e.nextElement();
                    System.out.println("\tgroupName\t= " + groupName);
                    principalsForSubject.add(new WLSGroupImpl(groupName));
                }
            } catch (Exception ex) {
                Logger.getLogger(AS400LoginModule.class.getName()).log(Level.SEVERE, null, ex);
            }
        }

        public Enumeration getGroupNamesAS400(String usuario)
                throws Exception {
            if (usuario == null) {
                throw new Exception("Usuario no puede ser vacio");
            }
            Vector<String> grupos = new Vector<String>();
            grupos.add(DEFAULT_GROUP_NAME);
            Connection conn = null;
            ResultSet rs = null;
            PreparedStatement statement = null;
            try {
                Context c = new InitialContext();
                DataSource dst = (DataSource) c.lookup(PARAM_DATASOURCE_NAME);
                conn = dst.getConnection();
                String query = "SELECT COD_ROL AS ROL " +
                        "FROM gestionnew.us_rol_perfil " +
                        "JOIN gestionnew.usuarios " +
                        "ON us_rol_perfil.id_perfil = usuarios.id_perfil " +
                        "WHERE upper(usuarios.usuariorr) = ?";
                statement = conn.prepareStatement(query);
                statement.setString(1, usuario.toUpperCase());
                rs = statement.executeQuery();
                while (rs.next()) {
                    grupos.add(rs.getString("ROL"));
                }
            } catch (SQLException ex) {
                Logger.getLogger(AS400LoginModule.class.getName()).log(Level.SEVERE, null, ex);
            } catch (NamingException ex) {
                Logger.getLogger(AS400LoginModule.class.getName()).log(Level.SEVERE, null, ex);
            } finally {
                // Release JDBC resources in reverse order of acquisition
                if (rs != null) {
                    try {
                        rs.close();
                    } catch (SQLException ex) {
                        Logger.getLogger(AS400LoginModule.class.getName()).log(Level.SEVERE, null, ex);
                    }
                }
                if (statement != null) {
                    try {
                        statement.close();
                    } catch (SQLException ex) {
                        Logger.getLogger(AS400LoginModule.class.getName()).log(Level.SEVERE, null, ex);
                    }
                }
                if (conn != null) {
                    try {
                        conn.close();
                    } catch (SQLException ex) {
                        Logger.getLogger(AS400LoginModule.class.getName()).log(Level.SEVERE, null, ex);
                    }
                }
            }
            return grupos.elements();
        }

        private String getPasswordHave(String userName, Callback[] callbacks) throws
                LoginException {
            PasswordCallback passwordCallback = (PasswordCallback) callbacks[1];
            char[] password = passwordCallback.getPassword();
            passwordCallback.clearPassword();
            if (password == null || password.length < 1) {
                throwLoginException("Authentication Failed: User " + userName +
                        ". Password not supplied");
            }
            String passwd = new String(password);
            // The password is not printed: credentials must not reach stdout or the server log
            return passwd;
        }
    }
    thanks

  • Custom Authentication Provider and User Manage like SQLAuthenticator, How?

    Hi everyone,
    I faced a problem with the login function of my portal (WebCenter application). The problem is:
    - Allow users to log in with accounts that are stored in another system. I must communicate using low-level sockets. This is not really a problem.
    - When a user logs in for the first time, I must store them in some identity store (maybe database tables).
    - View users in the WebLogic Console. To do that, I know that I must implement something, but I don't know what.
    Here is my work:
    - I created a custom authentication provider and configured it in the Admin Console, but I don't know what I should implement to view users and groups in the Admin Console.
    - I cannot log in: after I created a simple application for testing, I cannot log in, even when I tested with the SQLAuthenticator provider and the original DefaultProvider. In the logging console, I saw everything I printed in the code of the login module.
    Here is my code:
    <?xml version="1.0" ?>
    <MBeanType Name = "OrkitVASPortal" DisplayName = "OrkitVASPortal"
               Package = "orkit"
               Extends = "weblogic.management.security.authentication.Authenticator"
               PersistPolicy = "OnUpdate">
        <MBeanAttribute
            Name        = "ProviderClassName"
            Type        = "java.lang.String"
            Writeable   = "false"
            Default     = "&quot;orkit.OrkitVASPortalProviderImpl&quot;"
    />
        <MBeanAttribute
            Name        = "Description"
            Type        = "java.lang.String"
            Writeable   = "false"
            Default     = "&quot;WebLogic Simple Sample Audit Provider&quot;"
    />
        <MBeanAttribute
            Name        = "Version"
            Type        = "java.lang.String"
            Writeable   = "false"
            Default     = "&quot;1.0&quot;"
    />
        <MBeanAttribute
            Name        = "LogFileName"
            Type        = "java.lang.String"
            Default     = "&quot;SimpleSampleAuditor.log&quot;"
    />
    </MBeanType>
    package orkit;

    import java.util.HashMap;
    import javax.security.auth.login.AppConfigurationEntry;
    import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
    import weblogic.management.security.ProviderMBean;
    import weblogic.security.provider.PrincipalValidatorImpl;
    import weblogic.security.spi.*;

    public final class OrkitVASPortalProviderImpl implements AuthenticationProviderV2 {

        private String description;
        private LoginModuleControlFlag controlFlag;

        public OrkitVASPortalProviderImpl() {
            System.out.println("The Orkit VASPortal Provider Implemented!!!!!");
        }

        @Override
        public IdentityAsserterV2 getIdentityAsserter() {
            return null;
        }

        // Our mapping of users to passwords/groups, instead of being in LDAP or in a
        // database, is represented by a HashMap of MyUserDetails objects..
        public class MyUserDetails {

            String pw;
            String group;

            // We use this to represent the user's groups and passwords
            public MyUserDetails(String pw, String group) {
                this.pw = pw;
                this.group = group;
            }

            public String getPassword() {
                return pw;
            }

            public String getGroup() {
                return group;
            }
        }

        // This is our database
        private HashMap userGroupMapping = null;

        public void initialize(ProviderMBean mbean, SecurityServices services) {
            System.out.println("The Orkit VASPortal Provider is intializing......");
            OrkitVASPortalMBean myMBean = (OrkitVASPortalMBean) mbean;
            description = myMBean.getDescription() + "\n" + myMBean.getVersion();
            System.err.println("#In realm:" + myMBean.getRealm().wls_getDisplayName());
            // We would typically use the realm name to find the database
            // we want to use for authentication. Here, we just create one.
            userGroupMapping = new HashMap();
            userGroupMapping.put("a", new MyUserDetails("passworda", "g1"));
            userGroupMapping.put("b", new MyUserDetails("passwordb", "g2"));
            userGroupMapping.put("system", new MyUserDetails("12341234",
                    "Administrators"));
            String flag = myMBean.getControlFlag();
            if (flag.equalsIgnoreCase("REQUIRED")) {
                controlFlag = LoginModuleControlFlag.REQUIRED;
            } else if (flag.equalsIgnoreCase("OPTIONAL")) {
                controlFlag = LoginModuleControlFlag.OPTIONAL;
            } else if (flag.equalsIgnoreCase("REQUISITE")) {
                controlFlag = LoginModuleControlFlag.REQUISITE;
            } else if (flag.equalsIgnoreCase("SUFFICIENT")) {
                controlFlag = LoginModuleControlFlag.SUFFICIENT;
            } else {
                throw new IllegalArgumentException("Invalid control flag " + flag);
            }
        }

        public AppConfigurationEntry getLoginModuleConfiguration() {
            HashMap options = new HashMap();
            options.put("usermap", userGroupMapping);
            System.out.println("UserMap: " + options);
            return new AppConfigurationEntry(
                    "orkit.OrkitVASPortalLoginModule",
                    controlFlag, options);
        }

        public String getDescription() {
            return description;
        }

        public PrincipalValidator getPrincipalValidator() {
            return new PrincipalValidatorImpl();
        }

        public AppConfigurationEntry getAssertionModuleConfiguration() {
            return null;
        }

    //    public IdentityAsserter getIdentityAsserter() {
    //        return null;
    //    }

        public void shutdown() {
        }
    }
    /*
     * To change this template, choose Tools | Templates
     * and open the template in the editor.
     */
    package orkit;

    import orkit.OrkitVASPortalProviderImpl;
    import java.io.IOException;
    import java.util.*;
    import javax.security.auth.Subject;
    import javax.security.auth.callback.*;
    import javax.security.auth.login.*;
    import javax.security.auth.spi.LoginModule;
    import weblogic.security.principal.WLSGroupImpl;
    import weblogic.security.principal.WLSUserImpl;

    /**
     * This login module will be called by our Authentication Provider. It assumes
     * that the option, usermap, will be passed which contains the map of users to
     * passwords and groups.
     */
    public class OrkitVASPortalLoginModule implements LoginModule {

        private Subject subject;
        private CallbackHandler callbackHandler;
        private HashMap userMap;
        // Authentication status
        private boolean loginSucceeded;
        private boolean principalsInSubject;
        private Vector principalsBeforeCommit = new Vector();

        public void initialize(Subject subject, CallbackHandler callbackHandler,
                Map sharedState, Map options) {
            this.subject = subject;
            this.callbackHandler = callbackHandler;
            // Fetch user/password map that should be set by the authenticator
            userMap = (HashMap) options.get("usermap");
        }

        /**
         * Called once after initialize to try and log the person in
         */
        public boolean login() throws LoginException {
            // First thing we do is create an array of callbacks so that
            // we can get the data from the user
            Callback[] callbacks;
            callbacks = new Callback[2];
            callbacks[0] = new NameCallback("username: ");
            callbacks[1] = new PasswordCallback("password: ", false);
            try {
                callbackHandler.handle(callbacks);
            } catch (IOException eio) {
                throw new LoginException(eio.toString());
            } catch (UnsupportedCallbackException eu) {
                throw new LoginException(eu.toString());
            }
            String username = ((NameCallback) callbacks[0]).getName();
            System.out.println("Username: " + username);
            char[] pw = ((PasswordCallback) callbacks[1]).getPassword();
            String password = new String(pw);
            // The password is not printed: credentials must not reach stdout or the server log
            if (username.length() > 0) {
                if (!userMap.containsKey(username)) {
                    throw new FailedLoginException("Authentication Failed: Could not find user:" + username);
                } else {
                    System.out.println("Contstainded Username");
                }
                String realPassword = ((OrkitVASPortalProviderImpl.MyUserDetails) userMap.get(username)).getPassword();
                if (realPassword == null || !realPassword.equals(password)) {
                    throw new FailedLoginException("Authentication Failed: Password incorrect for user" + username);
                } else {
                    System.out.println("Everyitng OKIE");
                }
            } else {
                // No Username, so anonymous access is being attempted
            }
            loginSucceeded = true;
            // We collect some principals that we would like to add to the user
            // once this is committed.
            // First, we add his username itself
            principalsBeforeCommit.add(new WLSUserImpl(username));
            // Now we add his group
            principalsBeforeCommit.add(new WLSGroupImpl(((OrkitVASPortalProviderImpl.MyUserDetails) userMap.get(username)).getGroup()));
            return loginSucceeded;
        }

        public boolean commit() throws LoginException {
            if (loginSucceeded) {
                // commit() must add the collected principals to the Subject;
                // removeAll() here left the Subject without any principals
                subject.getPrincipals().addAll(principalsBeforeCommit);
                principalsInSubject = true;
                return true;
            } else {
                return false;
            }
        }

        public boolean abort() throws LoginException {
            if (principalsInSubject) {
                subject.getPrincipals().removeAll(principalsBeforeCommit);
                principalsInSubject = false;
            }
            return true;
        }

        public boolean logout() throws LoginException {
            return true;
        }
    }
    and the OrkitVASPortalMBean & OrkitVASPortalImpl classes were created by the MBeanMaker tool.
    Can someone help?
    Thanks in advance!

    Hi ,
    SQLAuthenticator is not yet supported with UCM 11g due to some JPS Provider limitations.
    Currently there is an Enhancement request for this.
    Thanks
    Srinath
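
The login/commit/abort sequence that the login modules posted above implement, as an added example that is not part of any post and is not the posters' or Oracle's code. It uses only JDK classes (Java 16 or later); `TwoPhaseLoginDemo`, `DemoLoginModule`, `NamedPrincipal` (a stand-in for `WLSUserImpl`/`WLSGroupImpl`) and `Account` are hypothetical names, and the sample user is constructed.

```java
import java.io.IOException;
import java.security.*;
import java.util.*;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class TwoPhaseLoginDemo { // added example: every class name here is hypothetical
    record NamedPrincipal(String name) implements Principal { // stand-in for WLSUserImpl / WLSGroupImpl
        @Override public String getName() { return name; }
    }
    record Account(byte[] salt, byte[] hash, String group) { // stores a salted hash, not the password
        static Account of(String password, String group) {
            byte[] salt = new byte[16];
            new SecureRandom().nextBytes(salt);
            return new Account(salt, pbkdf2(password.toCharArray(), salt), group);
        }
    }
    static byte[] pbkdf2(char[] password, byte[] salt) {
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(new PBEKeySpec(password, salt, 100_000, 256)).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }
    public static final class DemoLoginModule implements LoginModule {
        private Subject subject;
        private CallbackHandler handler;
        private Map<String, Account> users;
        private boolean loginSucceeded, principalsInSubject;
        private final List<Principal> pending = new ArrayList<>();
        @Override @SuppressWarnings("unchecked")
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> options) {
            subject = s; handler = h;
            users = (Map<String, Account>) options.get("usermap"); // same option name as the posted provider
        }
        @Override public boolean login() throws LoginException { // phase 1: verify, leave the Subject alone
            NameCallback nc = new NameCallback("username: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try {
                handler.handle(new Callback[] { nc, pc });
            } catch (IOException | UnsupportedCallbackException e) {
                throw new LoginException(e.toString());
            }
            char[] pw = pc.getPassword(); // a copy of the callback's buffer
            pc.clearPassword();
            try {
                Account acct = nc.getName() == null ? null : users.get(nc.getName());
                boolean ok = acct != null && pw != null && MessageDigest.isEqual(acct.hash(), pbkdf2(pw, acct.salt()));
                if (!ok) throw new FailedLoginException("Authentication failed"); // same text for every cause
                pending.add(new NamedPrincipal(nc.getName()));
                pending.add(new NamedPrincipal(acct.group()));
                return loginSucceeded = true;
            } finally {
                if (pw != null) Arrays.fill(pw, '\0'); // wipe the copy; the password is never printed
            }
        }
        @Override public boolean commit() { // phase 2, overall login succeeded: publish the principals
            if (!loginSucceeded) return false;
            subject.getPrincipals().addAll(pending); // must add; removing here leaves the Subject empty
            return principalsInSubject = true;
        }
        @Override public boolean abort() { // phase 2, overall login failed: undo what commit() added
            if (principalsInSubject) subject.getPrincipals().removeAll(pending);
            pending.clear();
            loginSucceeded = principalsInSubject = false;
            return true;
        }
        @Override public boolean logout() { return abort(); }
    }
    static boolean attempt(Map<String, Account> users, Subject subject, String user, String pw) {
        CallbackHandler handler = cbs -> { // answers the module's two callbacks in the order it sends them
            ((NameCallback) cbs[0]).setName(user);
            ((PasswordCallback) cbs[1]).setPassword(pw.toCharArray());
        };
        Configuration cfg = new Configuration() { // plays the role of getLoginModuleConfiguration()
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(DemoLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Map.of("usermap", users)) };
            }
        };
        try {
            new LoginContext("demo", subject, handler, cfg).login();
            return true;
        } catch (LoginException e) { return false; }
    }
    public static void main(String[] args) {
        Map<String, Account> users = Map.of("a", Account.of("passworda", "g1")); // constructed sample user
        for (String pw : List.of("passworda", "wrong")) {
            Subject s = new Subject();
            System.out.println(attempt(users, s, "a", pw) + " " + s.getPrincipals());
        }
    }
}
```

Running `main` shows the difference between the two phases: the Subject only receives the user and group principals after `commit()`, and a failed `login()` leaves it empty.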

  • SecurityException (Invalid Subject) with custom database authentication provider WLS 7.0

    Hello
    I have implemented a custom authentication provider using a
    database. The login module works fine. It checks the username and
    password, adds the user as a WLSUser-principal and adds the groups
    related to the user as WLSGroup-principals to the subject. I
    am able to start the WLS only using my authentication provider,
    but if I want to log in to the console I get the following
    SecurityException:
    java.lang.SecurityException: Invalid Subject: principals=[system, Administrators]
    at weblogic.security.service.SecurityServiceManager.seal(SecurityServiceManager.java:893)
    at weblogic.security.service.RoleManager.getRoles(RoleManager.java:269)
    at weblogic.security.service.AuthorizationManager.isAccessAllowed(AuthorizationManager.java:608)
    at weblogic.servlet.security.internal.WebAppSecurity.hasPermission(WebAppSecurity.java:370)
    at weblogic.servlet.security.internal.SecurityModule.checkPerm(SecurityModule.java:125)
    at weblogic.servlet.security.internal.FormSecurityModule.checkUserPerm(FormSecurityModule.java:328)
    at weblogic.servlet.security.internal.SecurityModule.beginCheck(SecurityModule.java:179)
    at weblogic.servlet.security.internal.FormSecurityModule.checkA(FormSecurityModule.java:167)
    at weblogic.servlet.security.internal.ServletSecurityManager.checkAccess(ServletSecurityManager.java:185)
    at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:2960)
    at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:2466)
    at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:152)
    at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:133)
    It seems to me that the default role manager does not map the
    group Administrators to the role Admin, which is allowed to
    access the resource console. So, what am I doing wrong? Must I set
    additional credentials on the subject? Or must I use a special
    Principal class? Who can help me?
    Thanks in advance & greetings
    Dirk Fellenstein

    I have solved it. The problem was that the two Principal implementations, one that
    implements WLSGroup and one that implements WLSUser, need a common principal base
    class. The principal validator class, method getPrincipalBaseClass() must then return
    the common principal base class.

  • Weblogic with Active Directory Authentication provider problem: DN for user ....: null

    I have a Java application (SSO via SAML2) that uses Weblogic as an Identity Service Provider. All works well using users created directly in Weblogic. However, I need to add support for Active Directory. So, as per the documentation:
    - I defined an Active Directory Authentication provider
    - changed its order in the Authentication Providers list so that it comes first
    - set the control flag to SUFFICIENT and configured the Provider Specific settings; here's the relevant part of config.xml:
    <sec:authentication-provider xsi:type="wls:active-directory-authenticatorType">
            <sec:name>MyOwnADAuthenticator</sec:name>
            <sec:control-flag>SUFFICIENT</sec:control-flag>
            <wls:propagate-cause-for-login-exception>true</wls:propagate-cause-for-login-exception>
            <wls:host>10.20.150.4</wls:host>
            <wls:port>5000</wls:port>
            <wls:ssl-enabled>false</wls:ssl-enabled>
            <wls:principal>CN=tadmin,CN=wl,DC=at,DC=com</wls:principal>
            <wls:user-base-dn>CN=wl,DC=at,DC=com</wls:user-base-dn>
            <wls:credential-encrypted>{AES}deleted</wls:credential-encrypted>
            <wls:cache-enabled>false</wls:cache-enabled>
            <wls:group-base-dn>CN=wl,DC=at,DC=com</wls:group-base-dn>
    </sec:authentication-provider>
    I configured an AD LDS instance (Active Directory Lightweight Directory Services) on a Windows Server 2008 R2. I created users and one admin user "tadmin" which was added to the Administrators members. I also made sure to set the msDS-UserAccountDisabled property to FALSE.
    After restarting Weblogic I can see that the AD LDS's users and groups are correctly fetched in Weblogic. But, when I try to connect with my application, using Username:tadmin and Password:<...> it does not work.
    Here's what I see in the log file:
    <BEA-000000> <LDAP Atn Login username: tadmin>
    <BEA-000000> <authenticate user:tadmin>
    <BEA-000000> <getConnection return conn:LDAPConnection {ldaps://10.20.150.4:5000 ldapVersion:3 bindDN:"CN=tadmin,CN=wl,DC=at,DC=com"}>
    <BEA-000000> <getDNForUser search("CN=wl,DC=at,DC=com", "(&(&(cn=tadmin)(objectclass=user))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))", base DN & below)>
    <BEA-000000> <DN for user tadmin: null>
    <BEA-000000> <returnConnection conn:LDAPConnection {ldaps://10.20.150.4:5000 ldapVersion:3 bindDN:"CN=tadmin,CN=wl,DC=at,DC=com"}>
    <BEA-000000> <getConnection return conn:LDAPConnection {ldaps://10.20.150.4:5000 ldapVersion:3 bindDN:"CN=tadmin,CN=wl,DC=at,DC=com"}>
    <BEA-000000> <getDNForUser search("CN=wl,DC=at,DC=com", "(&(&(cn=tadmin)(objectclass=user))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))", base DN & below)>
    <BEA-000000> <DN for user tadmin: null>
    <BEA-000000> <returnConnection conn:LDAPConnection {ldaps://10.20.150.4:5000 ldapVersion:3 bindDN:"CN=tadmin,CN=wl,DC=at,DC=com"}>
    <BEA-000000> <javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User tadmin denied
      at weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.login(LDAPAtnLoginModuleImpl.java:229)
      at com.bea.common.security.internal.service.LoginModuleWrapper$1.run(LoginModuleWrapper.java:110)
    So, I tried to look why do I have: <DN for user tadmin: null>. Using Apache Directory Studio I reproduced the ldap search request used in Weblogic and, sure enough, I get no results. But, changing the filter to only "(&(cn=tadmin)(objectclass=user))" (NOTICE, no userAccountControl), it works; here's the result from Apache Directory Studio:
    #!SEARCH REQUEST (145) OK
    #!CONNECTION ldap://10.20.150.4:5000
    #!DATE 2014-01-23T14:52:09.324
    # LDAP URL     : ldap://10.20.150.4:5000/CN=wl,DC=at,DC=com?objectClass?sub?(&(cn=tadmin)(objectclass=user))
    # command line : ldapsearch -H ldap://10.20.150.4:5000 -x -D "[email protected]" -W -b "CN=wl,DC=at,DC=com" -s sub -a always -z 1000 "(&(cn=tadmin)(objectclass=user))" "objectClass"
    # baseObject   : CN=wl,DC=at,DC=com
    # scope        : wholeSubtree (2)
    # derefAliases : derefAlways (3)
    # sizeLimit    : 1000
    # timeLimit    : 0
    # typesOnly    : False
    # filter       : (&(cn=tadmin)(objectclass=user))
    # attributes   : objectClass
    #!SEARCH RESULT DONE (145) OK
    #!CONNECTION ldap://10.20.150.4:5000
    #!DATE 2014-01-23T14:52:09.356
    # numEntries : 1
    (the "[email protected]" is defined as userPrincipalName in the tadmin user on AD LDS)
    As you can see, "# numEntries : 1" (and I can see as result the entry "CN=tadmin,CN=wl,DC=at,DC=com"  in Apache Directory Studio's interface); if I add the userAccountControl filter I get 0.
    I've read that the AD LDS does not use userAccountControl but "uses several individual attributes to hold the information that is contained in the flags of the userAccountControl attribute"; among those attributes is msDS-UserAccountDisabled which, as I said, I already set to FALSE.
    So, my question is, how do I make it work? Why do I have "<DN for user tadmin: null>" ? Is it the userAccountControl ? If it is, do I need to do some other configuration on my AD LDS ? Or, how can I get rid of the userAccountControl filter in Weblogic?
    I didn't seem to find it in config files or in the interface: I only have "User From Name Filter: (&(cn=%u)(objectclass=user))", there's no userAccountControl.
    Another difference I noticed is that, even though in Weblogic I have set ssl-enabled flag to false, in the logs I see ldaps and not ldap ( I'm not looking to setup something production-ready and I don't want SSL for the moment ).
    Here are some other things I tried but did not change anything:
    - the other "msDS-" attributes were not set so I tried initializing them to some value
    - I tried other users defined in AD LDS, not tadmin
    - in Weblogic I added users that were imported from AD LDS in Roles and Policies> Realm Roles > Global Roles > Roles > Admin
    - I removed all userAccountControl occurrences that I found in xml files in Weblogic (schema.ms.xml, schema.msad2003.xml)
    Any thoughts?
    Thanks.

    I managed to narrow it down: the AD LDS does not support the userAccountControl.
    Does anyone know how I can configure my Active Directory Authentication Provider in Weblogic so that it does not implicitly use userAccountControl as a filter?
    <BEA-000000> <getDNForUser search("CN=wl,DC=at,DC=com", "(&(&(cn=tadmin)(objectclass=user))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))", base DN & below)> 

  • Aironet 1240AG error - "Previous authentication no longer valid" Help!

    Greetings!
    I am an IT professional that is installing my first extended range wireless AP in my company's warehouse. I am very excited!
    Now I have set up many a Linksys and repeater wireless networks, so when I was looking into the Aironet 1240AG I thought "No Problem!"
    And at first, it is not!
    I have the AP and antenna set up here in my office before I take it out and mount it in the warehouse. And I can get connected to it, no security for now, no filters, I just want to connect and make it work.
    I stay connected for maybe 3 minutes, I can get to the internet, I can ping all my servers. Full connectivity. But then for no reason the connection fails and I cannot reconnect.
    The error I get in the log is
    Interface Dot11Radio0, Deauthenticating Station 0006.2510.bbe3 Reason: Previous authentication no longer valid
    So strange! So I have reset the AP to factory defaults and then set the SSID, and I can connect, again for a second, then nothing.
    I have tried with multiple wireless cards, even laptops. Thinking maybe the problem was on the computer side.
    But now I believe I must have some setting wrong.
    Could someone please shed some light on this situation for me! I searched the forums but could not find this error message in this context.
    Thanks!
    Nate York

    Interesting...I am experiencing the same problem, but when adding another laptop to the existing 5 Aironet 1100's. The existing laptops work fine, but when trying to add another node, I see the problem. I get the following error message in the error log as well as the activity screen;
    Interface Dot11Radio0, Deauthenticating Station 0002.2d34.a0fe Reason:
    Previous authentication no longer valid
    Unit - 6 units
    Cisco Aironet 1100 version 12.3.(07)JA
    The error takes place with no other units online, or when other units are in use. Also the laptop in question "shows" connected to the AP (yes, I have tried other APs, all with negative results). The settings on the laptops are all the same, so I am at a loss.
    Any suggestions greatly appreciated,
    Ralph

  • LDAP Authenticator and Password Digest

    Hi All,
    I am implementing proxy services using OSB 11g. The security requirement is to enforce authentication using password digest. Users and passwords are stored in a central external LDAP server.
    OSB supports password digest in SOAP messages, but all the documentation suggests enabling the password digest flag in Default Authenticator. When I configure the external LDAP server in the security realm, it does not provide any option to enable Password Digest.
    Is it possible to have PasswordDigest-based authentication against an external LDAP server?
    If yes, can someone please suggest how it's done?
    Thanks !

    Got the answer
    Out of the box, Password Digest is only supported with DefaultAuthenticator. For PasswordDigest authentication with external LDAP, custom authenticators need to be developed and used.
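Why digest authentication does not map onto a plain LDAP bind, as an added example (not code from the thread or from Oracle): it assumes the WS-Security UsernameToken Profile digest, Base64(SHA-1(nonce + created + password)), which the verifier can only recompute if it can read the clear-text password. The user stores, names, nonce and timestamps are constructed for illustration.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Password_Digest = Base64(SHA-1(nonce + created + password))."""
    sha1 = hashlib.sha1(nonce + created.encode("utf-8") + password.encode("utf-8"))
    return base64.b64encode(sha1.digest()).decode("ascii")


# Constructed stores: one keeps recoverable passwords, one keeps only
# one-way hashes, as a directory typically does.
CLEARTEXT_STORE = {"alice": "constructed-password-1"}
HASHED_STORE = {"alice": "{SSHA}constructed-placeholder-not-a-real-hash"}


def lookup_cleartext(username):
    return CLEARTEXT_STORE.get(username)


def lookup_hashed_directory(username):
    # A one-way hash cannot be turned back into the password, and the client
    # never sends the password, so there is nothing to bind with either.
    return None


class DigestVerifier:
    """Server-side check of a digest token (hypothetical helper class)."""

    def __init__(self, lookup, max_age=timedelta(minutes=5)):
        self.lookup = lookup
        self.max_age = max_age
        self.seen = set()  # nonce cache; a real one would expire entries

    def verify(self, username, nonce_b64, created, digest_b64, now):
        password = self.lookup(username)
        if password is None:
            return "no-usable-password"
        try:
            nonce = base64.b64decode(nonce_b64, validate=True)
            stamp = datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:  # binascii.Error is a ValueError subclass
            return "malformed"
        stamp = stamp.replace(tzinfo=timezone.utc)
        if abs(now - stamp) > self.max_age:
            return "stale"  # limits how long a captured token is usable
        if (username, nonce) in self.seen:
            return "replay"  # same nonce presented twice
        expected = password_digest(nonce, created, password)
        # Constant-time comparison of the two Base64 strings.
        if not hmac.compare_digest(expected.encode(), digest_b64.encode()):
            return "bad-digest"
        self.seen.add((username, nonce))
        return "ok"


def run_demo():
    """Run the constructed cases and return the verifier's verdicts in order."""
    now = datetime(2010, 4, 8, 15, 12, 28, tzinfo=timezone.utc)
    created = "2010-04-08T15:12:00Z"
    nonce1, nonce2, nonce3 = b"constructed-nonce-1", b"constructed-nonce-2", b"constructed-nonce-3"
    b64 = lambda raw: base64.b64encode(raw).decode("ascii")

    good = password_digest(nonce1, created, "constructed-password-1")
    wrong = password_digest(nonce2, created, "guessed-password")
    later = password_digest(nonce3, created, "constructed-password-1")

    with_cleartext = DigestVerifier(lookup_cleartext)
    with_directory = DigestVerifier(lookup_hashed_directory)
    return [
        with_cleartext.verify("alice", b64(nonce1), created, good, now),
        with_cleartext.verify("alice", b64(nonce1), created, good, now),
        with_cleartext.verify("alice", b64(nonce2), created, wrong, now),
        with_cleartext.verify("alice", b64(nonce3), created, later, now + timedelta(hours=1)),
        with_directory.verify("alice", b64(nonce1), created, good, now),
    ]


if __name__ == "__main__":
    print(run_demo())
```

The last case is the one the answer describes: with only a hashed or bind-only directory behind it, an authenticator has nothing to recompute the digest from, so the lookup has to be replaced by custom code that can obtain a usable secret.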

  • Serial number you provided is valid, but a qualifying could not be found on this computer

    I want to install Encore from the Adobe CS6 Production Premium that I own but when I enter my password, it says "Serial number you provided is valid, but a qualifying could not be found on this computer". Another user had this problem but it was resolved privately. How can I use my software?

    You are trying to install Production Premium CS6 upgrade version which is asking for previous version of this production.
    Fortunately you have the production premium CS5 full version also purchased & registered.
    You need to install that serial number irrespective of whether it is installed on this system or not.
    You can get the serial number in your account of www.adobe.com.
    Regards
    Rajshree

  • Grouping config params of Authentication Provider on WLS admin console

    Hi,
    I am working on an Authentication provider which talks to an Identity provider to authenticate users. The MJF file contains the configuration parameters such as the Identity Provider host, port and other information.
    The Authentication provider is configurable through WebLogic Admin console. I want to re-order the display of the Provider specific configuration parameters. Currently the configuration parameters are displayed randomly.
    Please let me know if somebody has any pointers.

    Hi
    Unfortunately this is NOT possible. If you configured AD using out of box AD Providers, you get READ ONLY access to that AD means you can only Read data. BUT you cannot update the data in AD like password or any other property of the user who exists in AD. All the out of box providers you see for configuring external security providers implement only Read Only APIs and Read only MBeans etc.
    The only solution is to create your own Custom Authentication Provider that accesses your external AD using standard Java APIs and does operations like read or update. Java APIs can do pretty much all the things. Then configure this custom authentication provider in the console. NOW, this logic is really complex and you may find some examples if you google around. So if you really need this requirement there is no other alternative.
    Thanks
    Ravi Jegga

  • X.509 callback from an authentication provider

    Hi all,
    I need to configure X.509 callback for authentication provider in WebLogic Server. Can anyone guide me regarding this?
    Thanks in advance.

    here is log file
    Edited by: Shomit Sahdev on 8 April 2010, 8:26 AM
    Edited by: Shomit Sahdev on 8 April 2010, 8:27 AM

  • CSS Authentication Provider has stopped

    I have a Lenovo T61 which has Client Security Software v8.2 on it.  Everything was working fine until one bootup brought up a window saying my password had been changed (it hadn't) and to type in the correct password.  I typed in the old password and it was happy but the next thing that showed up was a window saying "CSS Authentication Provider has stopped."  Now my password manager is not working. Anyone have a fix for this?

    I got the same message half a year ago on my T61 (Vista).  I have tried all the possible solutions I can find on the Internet, but the problem is still there.  Just wondering if any Lenovo guy can give some suggestions.
    Thanks.

  • Email authentication failure, password/server settings NOT changed

    Scenario: I've been using Thunderbird for years now to connect to Verizon and download my email.  Server settings have always been:
    POP3
    incoming.verizon.net port 110
    connection security none
    authentication method encrypted password
    SMTP
    outgoing.verizon.net port 25
    connection security none
    authentication method password, transmitted insecurely (oops)
    Suddenly when I try to get my email, it stops and tells me there's an authentication failure.  I've seen this happen before with Verizon when a server is down or messed up or whatever (pretty poor message for a service interruption, but whatev).  So I decided to wait it out, but when it didn't clear up after several hours, went to the website where I was able to log in (huh?) and decided to change my password for the hell of it.  Guess what?  New password doesn't work in the email client.  Quelle surprise. 
    Sooo, I find THIS page (https://www22.verizon.com/Support/Residential/internet/highspeed/email/setup+and+use/questionsone/86...) which tells me a lot of malarkey about server settings.  I tried changing the incoming to their recommended settings, and it looks like there's no server communications a-tall.
    Can someone tell me what's amiss, and while you're at it, tell me where in a just and well-ordered universe a service provider changes server settings without notifying users well in advance?  Extra points for creativity.

    These are the new settings and they do work in Thunderbird.
    Mail server settings
    Incoming mail server (POP3): pop.verizon.net
    Incoming Server Port Numbers: 995
    Outgoing mail server (SMTP): smtp.verizon.net
    Outgoing Server Port Numbers: 465
    Connection security: SSL/TLS for POP & SMTP
    The change you are probably missing as it wasn't on that page:
    Make sure your Authentication method is set to "Normal password" for POP & SMTP

  • Calling authentication provider without login screen

    How can I call my authentication provider without any login screen? Actually, my authentication provider does not need a username / pwd to authenticate the user, but I am not finding any way to stop the login window from appearing.

    Hi,
    1. Set the authentication provider to "sufficient" so WLS knows that it can stop
    2. Make sure your authentication provider is the first in the list of authentication providers
    3. In your code, use a modified version of the code you find in step 7 "Add a doLogin() method to this Java class to handle user" of http://download.oracle.com/docs/cd/E15523_01/web.1111/b31974/adding_security.htm#BABDEICH . The modified version just sends some dummy username/password to satisfy the API. Because your authentication provider is the first to test and also set to sufficient, authentication will stop there. Instead of showing a login screen, you execute this code in a public area of your app
    Frank

  • SQL Authentication provider - create tables script

    Hi all!
    I'd like to use SQL Authentication provider for my Web application. I cannot find the script for creating users/roles tables used by the provider.
    Can you suggest me a link where I can download them ?
    Thanks
    Frank

    Hi Frank,
    Configure SQL authenticator:
    Start Oracle XE DB and open a SQL prompt to execute the below commands:
    -- Users: one row per account
    CREATE TABLE USERS (
    U_NAME VARCHAR(200) NOT NULL,
    U_PASSWORD VARCHAR(50) NOT NULL,
    U_DESCRIPTION VARCHAR(1000));
    ALTER TABLE USERS
    ADD CONSTRAINT PK_USERS
    PRIMARY KEY (U_NAME);
    -- Groups
    CREATE TABLE GROUPS (
    G_NAME VARCHAR(200) NOT NULL,
    G_DESCRIPTION VARCHAR(1000) NULL);
    ALTER TABLE GROUPS
    ADD CONSTRAINT PK_GROUPS
    PRIMARY KEY (G_NAME);
    -- Group membership: one row per (group, member) pair
    CREATE TABLE GROUPMEMBERS (
    G_NAME VARCHAR(200) NOT NULL,
    G_MEMBER VARCHAR(200) NOT NULL);
    ALTER TABLE GROUPMEMBERS
    ADD CONSTRAINT PK_GROUPMEMS
    PRIMARY KEY (
    G_NAME,
    G_MEMBER);
    -- Deleting a group also deletes its membership rows
    ALTER TABLE GROUPMEMBERS
    ADD CONSTRAINT FK1_GROUPMEMBERS
    FOREIGN KEY ( G_NAME )
    REFERENCES GROUPS (G_NAME)
    ON DELETE CASCADE;
    Generally, customers can add users directly in the DB with the help of the below commands:
    insert into USERS (U_NAME,U_PASSWORD,U_DESCRIPTION) values('system','weblogic','admin user');
    insert into GROUPS (G_NAME,G_DESCRIPTION) values('Administrators','Administrators');
    insert into GROUPMEMBERS (G_NAME,G_MEMBER) values('Administrators','system');
    But in this case password is not encrypted so either you can add users via console or via WLST script to store them in encrypted form.
    We had executed above commands just to verify user which is directly stored in DB gets authenticated properly or not from SQL authenticator configured as below
    Now start weblogic admin server and access console to create Data source by navigating Services ->JDBC -> Data sources
    Create Data source named SqlDS
    JNDI: SqlDS
    DB type: Oracle
    DB Driver: Oracle Thin XA driver
    DB name: XE
    DB host: <hostname>
    Port: 1521
    DB user: <username>
    DB password: <password>
    Keep the rest of the configuration the same and click on Test Configuration. If it's successful, click on Next and target it to "AdminServer"
    Click on Finish and activate changes
    Now navigate to Security Realms -> myrealm -> Providers
    Click on New and provide Name as SqlAuthenticator and select Type as SQLAuthenticator
    Now click on newly created provider and make Control Flag as "Sufficient"
    Navigate to provider specific page:
    1. Check on Plaintext Passwords Enabled.
    2. Provide Data source Name: SqlDS
    Keep rest of the parameters as it is and Save this configuration. It will ask you to restart Admin server.
    Now again navigate Security Realms -> myrealm -> Users & groups
    Check user which was created directly in DB is listed in table with SqlAuthenticator, Once its listed go ahead and add users as below
    B. Create users using Admin console:
    Login to Admin console
    Navigate to Security Realms -> myrealm -> Users & groups
    Click on users tab and try creating new user
    User name: <user name>
    Select Authentication provider: SqlAuthenticator
    User Password: <password>
    Once the user is created, check the DB table; this user must be added with an encrypted password
    C. Create multiple users using WLST script:
    Navigate to the $DOMAIN_HOME/bin folder and execute the setDomainEnv file as below:
    Unix: . ./setDomainEnv.sh (Do not forget to put two dots before / )
    Windows: setDomainEnv.cmd
    Now change below script as per your environment and execute as suggested in step 3:
    connect('weblogic','weblogic123','t3://localhost:7001')
    edit()
    startEdit(-1,-1,'false')
    serverConfig()
    cd('/SecurityConfiguration/base_domain/Realms/myrealm/AuthenticationProviders')
    ls()
    cd('SqlAuthenticator')
    cmo.createUser('vaishali','weblogic123','SQLuser')
    cmo.createUser('pavashe','weblogic123','SQLuser')
    edit()
    stopEdit('y')
    NOTE: Change user,password and ADMIN_URL in 1st line.
    Replace domain name 'base_domain' with your domain name in line no: 5
    Change SQL authenticator name in line no: 6 as per your authenticator name
    Next lines create users. You need to add however many users you need to create programmatically.
    Syntax : cmo.createUser('user_name','user_password','user_description')
    Now save these commands in a file with extension .py and execute as below:
    # java weblogic.WLST create_user.py
    If your script fails, then try executing each command separately. For this, start a WLST session as below:
    # java weblogic.WLST
    Now execute commands specified in above script. You will be able to debug if anything went wrong while executing script.
    Regards,
    Kal
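
An added example, not part of the reply above and not Oracle's code: an audit over the USERS, GROUPS and GROUPMEMBERS tables that lists accounts still holding a plaintext password (as the direct INSERT for `system` does) together with their groups, and membership rows that match no user or group. It assumes values written by the provider begin with an `{ALGORITHM}` tag such as `{SHA-1}`; confirm that against a row created through the console. The rows, the `ghost` member and the function names are constructed for illustration, and SQLite stands in for Oracle XE.

```python
import re
import sqlite3

# Tables from the post above, condensed; SQLite accepts the same column types.
SCHEMA = """
CREATE TABLE USERS (U_NAME VARCHAR(200) NOT NULL PRIMARY KEY,
                    U_PASSWORD VARCHAR(50) NOT NULL, U_DESCRIPTION VARCHAR(1000));
CREATE TABLE GROUPS (G_NAME VARCHAR(200) NOT NULL PRIMARY KEY,
                     G_DESCRIPTION VARCHAR(1000));
CREATE TABLE GROUPMEMBERS (G_NAME VARCHAR(200) NOT NULL REFERENCES GROUPS (G_NAME),
                           G_MEMBER VARCHAR(200) NOT NULL,
                           PRIMARY KEY (G_NAME, G_MEMBER));
"""
# Assumption: values written by the provider start with an {ALGORITHM} tag.
HASH_TAG = re.compile(r"^\{[A-Za-z0-9-]+\}.+")

def build_sample_db():
    """In-memory copy of the schema with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO USERS VALUES (?, ?, ?)", [
        ("system", "weblogic", "admin user"),  # the direct INSERT from the post
        ("vaishali", "{SHA-1}Y29uc3RydWN0ZWQtc2FtcGxl", "SQLuser"),  # constructed value
    ])
    conn.execute("INSERT INTO GROUPS VALUES ('Administrators', 'Administrators')")
    conn.executemany("INSERT INTO GROUPMEMBERS VALUES (?, ?)", [
        ("Administrators", "system"),
        ("Administrators", "ghost"),  # constructed: no such user or group
    ])
    return conn

def plaintext_users(conn):
    """(user, groups) for every row whose stored password lacks a hash tag."""
    users = conn.execute("SELECT U_NAME, U_PASSWORD FROM USERS ORDER BY U_NAME").fetchall()
    findings = []
    for name, stored in users:
        if not HASH_TAG.match(stored):
            groups = [g for (g,) in conn.execute(
                "SELECT G_NAME FROM GROUPMEMBERS WHERE G_MEMBER = ? ORDER BY G_NAME", (name,))]
            findings.append((name, groups))
    return findings

def orphan_members(conn):
    """GROUPMEMBERS has no foreign key on G_MEMBER, so stale members can remain."""
    return conn.execute(
        "SELECT G_NAME, G_MEMBER FROM GROUPMEMBERS "
        "WHERE G_MEMBER NOT IN (SELECT U_NAME FROM USERS) "
        "AND G_MEMBER NOT IN (SELECT G_NAME FROM GROUPS) ORDER BY 1, 2").fetchall()

if __name__ == "__main__":
    db = build_sample_db()
    print("plaintext passwords:", plaintext_users(db))
    print("orphan members:", orphan_members(db))
```

The audit returns user and group names only, never the stored password values, so its output can go into a ticket or report.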

  • How to remove custom authentication provider in weblogic server 11g

    Hi ,
    I am trying to remove the custom authentication provider in weblogic server 11g. It disappears when I delete it from the list of authentication providers, but upon server restart it appears again.
    Documentation for 10g says delete it from service administration but i couldn't find one in 11g. Please help me in removing the custom authentication provider
    Thanks
    Sandeep

    You can try editing the config.xml file and removing it there. (Re: After provider reorder I cannot login admin server console)
    If you are referring to a jar file - custom authenticators are usually placed in the <middleware-home>wlserver_10.3/server/lib/mbeantypes/ directory.

Maybe you are looking for