Extending WebLogic policy agent
Hello all;
I am using AM policy agent for WebLogic portal server. Is there a way to extend the functionality of this policy agent. I need to make the agent do more than what it provides OOTB. Is there a way to do that? Any suggestions?
Thanks
Hi Aaron;
I am trying to see if I can force the policy agent to be invoked on non-protected resources. The agent is in J2EE mode. The scenario that I have is the whole site is open and nothing is protected so I have to make the policy agent recognize requests for both protected and non protected resources. The other issue I have is that even if I create a cookie the policy agent doesn't maintain the session state since the requests are for unprotected resources. It (PA) doesn't "touch" the cookie since the requests didn't go through it.
Thanks,
Similar Messages
-
Hi Everyone,
I have installed Weblogic Policy Agent in OpenAM. Followed the URL “http://openam.forgerock.org/openam-documentation/openam-doc-source/doc/agent-install-guide/index/chap-weblogic.html” to install the policy Agent.
I am using Oracle Weblogic server 10.3.5.0 to use deploy the .war file. Same Weblogic server used for Oracle Identity Manager 11.1.1.5.0.
In Weblogic Policy Agent post-installation steps need to select Agent Authenticator for the security Realm.
I have doubt here. Whether i want to create the *"new realm"* or i can use the existing realm *"myrealm"*? But , "myrealm" is consists the details of OIM.
I am thinking to create the new realm for openAM Weblogic policy Agent, if so what are the things i need to do create new realm for OpenAM.
Please suggest me on this.
Thanks & Regards,
KarthickHi Aaron;
I am trying to see if I can force the policy agent to be invoked on non-protected resources. The agent is in J2EE mode. The scenario that I have is the whole site is open and nothing is protected so I have to make the policy agent recognize requests for both protected and non protected resources. The other issue I have is that even if I create a cookie the policy agent doesn't maintain the session state since the requests are for unprotected resources. It (PA) doesn't "touch" the cookie since the requests didn't go through it.
Thanks, -
Hi All,
I am using policy agnet in front of the app that is running on weblogic. I installed the policy agent created the agent profile and other necessary steps. Also, copied the following line in my startWebLogic.cmd file
call "%DOMAIN_HOME%\bin\setDomainEnv.cmd" %*
call "D:\bea\user_projects\domains\portalDomain\setAgentEnv_%SERVER_NAME%.cmd"
Below is my classpath info, this loads the sun policy agent jars.
java.class.path = ;D:\bea\patch_weblogic922\profiles\default\sys_manifest_classpath\weblogic_patch.jar;D:\bea\JDK150~1\lib\tools.jar;D:\bea\WEBLOG~1\server\lib\weblogic_sp.jar;D:\bea\WEBLOG~1\server\lib\weblogic.jar;D:\bea\WEBLOG~1\server\lib\webservices.jar;;D:\bea\WEBLOG~1\common\eval\pointbase\lib\pbembedded51.jar;D:\bea\WEBLOG~1\common\eval\pointbase\lib\pbupgrade51.jar;D:\bea\WEBLOG~1\common\eval\pointbase\lib\pbclient51.jar;D:\bea\WEBLOG~1\server\lib\xqrl.jar;D:\bea\WEBLOG~1\server\lib\xquery.jar;D:\bea\WEBLOG~1\server\lib\binxml.jar;D:/SunPolicyAgent/j2ee_agents/am_wl92_agent/lib/amauthprovider.jar;D:/SunPolicyAgent/j2ee_agents/am_wl92_agent/lib/agent.jar;D:/SunPolicyAgent/j2ee_agents/am_wl92_agent/lib/amclientsdk.jar;D:/SunPolicyAgent/j2ee_agents/am_wl92_agent/locale;D:/SunPolicyAgent/j2ee_agents/am_wl92_agent/agent_001/config;
Also, in the log file I found the following information
com.iplanet.security.encryptor = com.iplanet.services.util.JCEEncryption
which is different than what is in the error below.
When I run the agenadmin command to get the getUuid I get the following error.
D:\SunPolicyAgent\j2ee_agents\am_wl92_agent\bin>agentadmin --getUuid bkrishna us
er dc=ad,dc=nsf,dc=gov
Failed to create debug directory
Failed to create debug directory
Failed to create debug directory
Failed to create debug directory
Failed to create debug directory
10/12/2007 12:16:38:662 PM EDT: Thread[main,5,main]
DataLayer: number of retry = 3
10/12/2007 12:16:38:662 PM EDT: Thread[main,5,main]
DataLayer: retry interval = 1000
10/12/2007 12:16:38:662 PM EDT: Thread[main,5,main]
DataLayer: retry error codes = []
Failed to create debug directory
10/12/2007 12:16:38:662 PM EDT: Thread[main,5,main]
AdminUtils: Could not initialize admin info message: Got LDAPServiceException c
ode=19
10/12/2007 12:16:38:662 PM EDT: Thread[main,5,main]
Crypt.static{}: Encryptor class= com.iplanet.services.util.JSSEncryption
Exception in thread "main" java.lang.NoClassDefFoundError: org/mozilla/jss/Crypt
oManager$NotInitializedException
at java.lang.Class.forName0(Native Method)
at java.lang.Class.forName(Class.java:164)
at com.iplanet.services.util.Crypt.createInstance(Crypt.java:133)
at com.iplanet.services.util.Crypt.<clinit>(Crypt.java:103)
at com.iplanet.am.util.AdminUtils.getAdminDN(AdminUtils.java:106)
at com.sun.identity.sm.SMSEntry.<clinit>(SMSEntry.java:166)
at com.sun.identity.sm.DNMapper.<clinit>(DNMapper.java:59)
at com.sun.identity.idm.AMIdentity.<init>(AMIdentity.java:135)
at com.sun.identity.agents.tools.handler.GetUniversalIdHandler.handleReq
uest(GetUniversalIdHandler.java:120)
at com.sun.identity.agents.tools.admin.AgentAdmin.dispatch(AgentAdmin.ja
va:251)
at com.sun.identity.agents.tools.admin.AgentAdmin.run(AgentAdmin.java:15
2)
at com.sun.identity.agents.tools.launch.AgentAdminLauncher.launchAdminTo
ol(AgentAdminLauncher.java:204)
at com.sun.identity.agents.tools.launch.AgentAdminLauncher.main(AgentAdm
inLauncher.java:308)
I would appreciate if someone coule throw some light here to fix this issue.
Thanks,
bala.Hi Aaron;
I am trying to see if I can force the policy agent to be invoked on non-protected resources. The agent is in J2EE mode. The scenario that I have is the whole site is open and nothing is protected so I have to make the policy agent recognize requests for both protected and non protected resources. The other issue I have is that even if I create a cookie the policy agent doesn't maintain the session state since the requests are for unprotected resources. It (PA) doesn't "touch" the cookie since the requests didn't go through it.
Thanks, -
Urgent :Authentication fails for Policy Agent on weblogic 8 SP3
Hi
I am using policy agent for perimeter authentication for an application deployed on weblogic.When i try and access the application using any user which exists on Identity server i get the following exception in the amRealm log.
09/20/2005 06:17:07:378 PM IST: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
AmMappingRealm: authenticateAndFetchAllRoles amAdmin, ...) = []
09/20/2005 06:17:07:378 PM IST: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
WARNING: AmLoginModule.login() : Empty list of principals for user = amAdmin
09/20/2005 06:17:07:379 PM IST: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
AmLoginModule.abort()
09/20/2005 06:17:12:505 PM IST: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
AmLoginModule.authenticate() Initialized callback handler for Subject:
09/20/2005 06:17:12:506 PM IST: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
AmLoginModule.login()
09/20/2005 06:17:12:506 PM IST: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
AmLoginModule.login() : User name from Callback amAdmin
09/20/2005 06:17:12:506 PM IST: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
WARNING: SSOTokenValidator failed with exception
[AgentException Stack]
com.sun.identity.agents.arch.AgentException: Invalid transport string version
at com.sun.identity.agents.util.TransportToken.initializeFromString(Unknown Source)
at com.sun.identity.agents.util.TransportToken.<init>(Unknown Source)
at com.sun.identity.agents.common.SSOTokenValidator.validate(Unknown Source)
at com.sun.identity.agents.realm.AmMappingRealm.authenticateAndFetchAllRoles(Unknown Source)
at com.sun.identity.agents.weblogic.AmLoginModule.login(Unknown Source)
at weblogic.security.service.DelegateLoginModuleImpl.login(DelegateLoginModuleImpl.java:71)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:324)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
at weblogic.security.service.PrincipalAuthenticator.authInternal(PrincipalAuthenticator.java:326)
at weblogic.security.service.PrincipalAuthenticator.authenticate(PrincipalAuthenticator.java:279)
at weblogic.servlet.security.internal.SecurityModule.checkAuthenticate(SecurityModule.java:389)
at weblogic.servlet.security.internal.SecurityModule.checkAuthenticate(SecurityModule.java:296)
at weblogic.servlet.security.internal.BasicSecurityModule.checkUserPerm(BasicSecurityModule.java:125)
at weblogic.servlet.security.internal.SecurityModule.beginCheck(SecurityModule.java:199)
at weblogic.servlet.security.internal.BasicSecurityModule.checkA(BasicSecurityModule.java:47)
at weblogic.servlet.security.internal.ServletSecurityManager.checkAccess(ServletSecurityManager.java:145)
at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:3568)
at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:2630)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:219)
at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:178)
09/20/2005 06:17:12:507 PM IST: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
AmMappingRealm: authenticateAndFetchAllRoles amAdmin, ...) = []
09/20/2005 06:17:12:507 PM IST: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
WARNING: AmLoginModule.login() : Empty list of principals for user = amAdmin
09/20/2005 06:17:12:507 PM IST: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
AmLoginModule.abort()Hi,
I have not set it up as a window service but can try to help. for one thing, this step is not permanent and if it does not work then you can undo this step by re-editting the script to remove the line you added. This step has you change the bea startup script for that domain to call the agent script setAgentEnv_AdminServer(it ws copied into bea domain directory during installation of agent) which just sets some agent resources in the classpath. If you start bea and those things are not in the classpath etc then agent wont work. So no permanent damage, you can change it if it doesnt work.
I suggest you try it out and start the bea server as a service and see if it works - if not try again.
I am not sure what the windows service would use to start the app server, but somehow it must specify some environment properties and things in its classpath, so if this script doesnt work then you can just do the things in the setAgentEnv_AdminServer script like setting those things in classpath.
Please let us know if it works and if any extra steps required? Would be helpful to others to know how to configure as a windows service.
hth,
Sean -
Is WebLogic 9 supported by Policy Agent ?
Hi,
We are planning to use WebLogic 9. I�m wondering if this version 9 of WebLogic is supported by the Policy Agent (or only the version 8.1) ?
Thanks,
AdelPlease read this User Tip..
Latest OS X & Logic Pro Compatibility Information -
SUn Policy Agent 2.2 for Weblogic 92
We are using SUN POlicy agent 2.2. (for Weblogic) for Access Manager 6.3
For this particular application I intermittantly get SSOToken invald message
Its a sporadic behavior (sometimes work sometime does not)
error -
02/02/2007 12:22:41:057 PM EST: Thread[[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)',5,Pooled Threads]
SSOTokenValidator.validate(): Exception caught
com.iplanet.sso.SSOException: AQIC5wM2LY4Sfcw k8CIsj Jujq92ltM5fNZJxh2qFYpAyw=@AAJTSQACMDE=# Invalid session ID.AQIC5wM2LY4Sfcw k8CIsj Jujq92ltM5fNZJxh2qFYpAyw=@AAJTSQACMDE=#check the patch level of AM 6.3, it should be higher than 1
-
AM policy agents for Weblogic help
I installed a Policy Agent for Weblogic Server 8.1 When I try to start the Weblogic server after modifications, the portal server throws an exception....
com.sun.identity.agents.AmAgentFilter not found
When u enter the URL for that application running on Weblogic , it is supposed to be forwarded to the Identity Management page ...but this does not happen..
It is apparently able to read the web.xml file in the Weblogic application but is not able to find the particular class above....nor is it able to contact the IDM.
Any suggestions?
AnandI am trying to install a PA with a Weblogic server. The installation works fine and I have also configured the necessary config files...and the concerned Weblogic server starts up successfully.
But when I enter the URL , I see the following error in the Logs....
<Jan 3, 2006 3:54:12 PM CST> <Error> <HTTP> <BEA-101020> <[ServletContext(id=20772999,name=sbm,context-path=/sbm)] Servlet failed with Exception
java.lang.ExceptionInInitializerError
at com.sun.identity.agents.filter.AmFilter.<init>(Unknown Source)
at com.sun.identity.agents.filter.AmFilterManager.getAmFilter(Unknown Source)
at com.sun.identity.agents.filter.AmFilterManager.getAmFilter(Unknown Source)
at com.sun.identity.agents.filter.AmFilterManager.getAmFilterInstanceForModeConfigured(Unknown Source)
at com.sun.identity.agents.filter.AmAgentFilter.doFilter(Unknown Source)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:27)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:6724)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:3764)
at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:2644)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:219)
at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:178)
Caused by: java.lang.RuntimeException: Exception caught in AmAgentLogManager initializer: Unable to initialize Local Log Handler
at com.sun.identity.agents.log.AmAgentLogManager.<clinit>(Unknown Source)
Can someone help me taclke this problem??
Thanks!
anand -
Policy Agent on BEA WebLogic when server instance runs as windows service
hi.
my environment is: win2k3, bea weblogic server 8.1sp4, access manager 7.1 and policy agent 2.2. installation process of policy agent asks for server startup script (startWebLogic.cmd) which i found under my server instance catalogue. the only issue is that my server instance is installed as a windows service and should not be started in a command window.
am i safe with just specifying the path to the startup script or is there another way of dealing with this issue?
might be a dumb question, but it would be nice to be sure that i'm doing the right thing before i go ahead and install policy agent. :)
thanks,
tbHi,
I have not set it up as a window service but can try to help. for one thing, this step is not permanent and if it does not work then you can undo this step by re-editting the script to remove the line you added. This step has you change the bea startup script for that domain to call the agent script setAgentEnv_AdminServer(it ws copied into bea domain directory during installation of agent) which just sets some agent resources in the classpath. If you start bea and those things are not in the classpath etc then agent wont work. So no permanent damage, you can change it if it doesnt work.
I suggest you try it out and start the bea server as a service and see if it works - if not try again.
I am not sure what the windows service would use to start the app server, but somehow it must specify some environment properties and things in its classpath, so if this script doesnt work then you can just do the things in the setAgentEnv_AdminServer script like setting those things in classpath.
Please let us know if it works and if any extra steps required? Would be helpful to others to know how to configure as a windows service.
hth,
Sean -
Identity Server Policy agent for BEA Weblogic Server 8.0
Hi all,
I donot find policy agents for BEA weblogic 8.X.
Is the 6.1SP2 version forward compatible?
ThanksYou didn't specified the OS. Please find the PA support with different platforms & softwares..
http://docs.sun.com/source/816-6884-10/chapter1.html#wp21986 -
Sun Policy Agent 2.2 for BEA WebLogic Server/Portal 9.2
Do you know where can I download this agent? I've searched a lot but no chance. The only available one in the download index page is the 9.0/9.1 agent. Any idea?
Best regardsAll this time later, and the download for this agent isn't showing up in the right place.
For now, my blog might be the easiest place to go for Policy Agent 2.2 docs and downloads:
http://blogs.sun.com/JohnD/page/policyagent
The quick and dirty answer to thge question is here:
http://www.sun.com/download/products.xml?id=45cb8a2a
John D. -
Custom Authentication Issue with Policy Agent
Hi,
I have a custom authentication module which is hosted on the BEA application server and I am trying to access through the policy agent on apache.
I have set the following property in AMAgent.properties file
com.sun.am.policy.am.loginURL= http://host:port/amserver/UI/Login
So When the user requests a protected resource, the policy agent forwards the user to Identity Server with the module as CustomLoginModule. However, after this, authentication is succeed, user sesion is being created and I get the following error message in the agent log file.
2004-10-19 16:20:26.908 Error 27620:e1140 PolicyEngine: am_policy_evaluate: InternalException in Service::construct_auth_svc with error message:Application authentication failed during service creation. and code:3
2004-10-19 16:20:26.908 128 27620:e1140 RemoteLog: User unknown was denied access to http://hostname:port/weblogic/protapp/protected/a.html.
2004-10-19 16:20:26.908 Error 27620:e1140 LogService: LogService::logMessage() loggedBy SSOTokenID is invalid.
2004-10-19 16:20:26.909 Error 27620:e1140 all: am_log_vlog() failed with status AM_REMOTE_LOG_FAILURE.
2004-10-19 16:20:26.909 -1 27620:e1140 PolicyAgent: URL Access Agent: access denied to unknown user
The necessary policy object is already created in Identity Server. Please send your suggestions to fix this problem.
Thanks
NeerajHi Neeraj,
I still have not been able to resolve that issue. Let me know If you find a solution for the same.
Thanks,
Srinivas -
Policy agent 2.2 amfilter local authentication with session binding failed
Hi All,
I have policy agent 2.2 for weblogic 8.1 sp4 installed on redhat linux. All are working fine in my development box. But I was running all the process under user root, so today I decided to change it to a regular user, joe. I changed all the files' owner for weblogic server and policy agent from root to joe, and restart server as user Joe. After the change, I can not access the application on Weblogic server. I changed file ownership back to root and restart weblogic server as root, still same error.
Here is the error I got:
10.4.4 403 Forbidden
The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated. If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity. This status code is commonly used when the server does not wish to reveal exactly why the request has been refused, or when no other response is applicable.
Here is the error I found from agent log file, amFilter:
AmFilter: now processing: SSO Task Handler
05/24/2006 06:27:08:127 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
SSOTaskHandler: caching SSO Token for user uid=amAdmin,ou=People,dc=etouch,dc=net
05/24/2006 06:27:08:127 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
AmBaseSSOCache: cached the sso token for user principal : uid=amadmin,ou=people,dc=etouch,dc=net sso token: AQIC5wM2LY4Sfcx4XY/x/M7G1Y3ScVjFj8E3oT0BV45mh0Q=@AAJTSQACMDE=#, cache size = 1
05/24/2006 06:27:08:127 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
SSOTaskHandler: SSO Validation successful for uid=amAdmin,ou=People,dc=etouch,dc=net
05/24/2006 06:27:08:128 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
AmFilter: now processing: J2EE Local Logout Task Handler
05/24/2006 06:27:08:128 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
AmFilter: local logout skipped SSO User => amAdmin, principal =>null
05/24/2006 06:27:08:128 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
AmFilter: now processing: J2EE Local Auth Task Handler
05/24/2006 06:27:08:128 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
LocalAuthTaskHandler: No principal found. Initiating local authentication for amAdmin
05/24/2006 06:27:08:128 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
LocalAuthTaskHandler: doing local authentication with session binding
05/24/2006 06:27:08:129 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
LocalAuthTaskHandler: Local authentication failed, invalidating session.05/24/2006 06:27:08:129 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
WARNING: LocalAuthTaskHandler: Local authentication failed for : /portal/index.jsp, SSO Token: AQIC5wM2LY4Sfcx4XY/x/M7G1Y3ScVjFj8E3oT0BV45mh0Q=@AAJTSQACMDE=#
05/24/2006 06:27:08:129 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
AmFilter: result =>
FilterResult:
Status : FORBIDDEN
RedirectURL : null
RequestHelper:
null
Data:
null
-----------------------------------------------------------Hi,
I'm having the exact same problem in the Prod environment, but on a Sun App Server. In development all is fine, in prod we now have:
ERROR: AmFilter: Error while delegating to inbound handler: J2EE Local Auth Task Handler, access will be denied
java.lang.IllegalStateException: invalidate: Session already invalidated
at org.apache.catalina.session.StandardSession.invalidate(StandardSession.java:1258)
at org.apache.catalina.session.StandardSessionFacade.invalidate(StandardSessionFacade.java:164)
at com.sun.identity.agents.filter.LocalAuthTaskHandler.doLocalAuthWithSessionBinding(LocalAuthTaskHandler.java:289)
at com.sun.identity.agents.filter.LocalAuthTaskHandler.authenticate(LocalAuthTaskHandler.java:159)
at com.sun.identity.agents.filter.LocalAuthTaskHandler.process(LocalAuthTaskHandler.java:106)
at com.sun.identity.agents.filter.AmFilter.processTaskHandlers(AmFilter.java:185)
at com.sun.identity.agents.filter.AmFilter.isAccessAllowed(AmFilter.java:152)
at com.sun.identity.agents.filter.AmAgentBaseFilter.doFilter(AmAgentBaseFilter.java:38)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:161)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:157)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:263)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:551)
at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:225)
FilterResult:
Status : FORBIDDEN
RedirectURL : null
RequestHelper:
null
Data:
null
Also, we I debug I see:
LocalAuthTaskHandler: No principal found. Initiating local authentication for ...
Did you receive any solution for this?
Many, many thanks,
Philip -
Authorization issue with J2EE Policy Agent for AS7
Following the documentaion I have created a simple J2EE application with a servlet and 2 jsp's. The 2 JSP's customer.jsp and admin.jsp are mapped to /customer and /admin. The entire web application is subject to a filter like:
<filter>
<filter-name>Agent</filter-name>
<display-name>Agent</display-name>
<description>SunTM ONE Idenitity Server Policy Agent for SunTM ONE Application Server 7.0</description>
<filter-class>com.sun.amagent.as.filter.AgentFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>Agent</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
The two resources /customer and /admin are subjected security constraints like:
<security-constraint>
<web-resource-collection>
<web-resource-name>col2</web-resource-name>
<url-pattern>/customer</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>customer</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
The role-to-principal mapping is done in the sun-web.xml like:
<security-role-mapping>
<role-name>customer</role-name>
<group-name>customer</group-name>
<principal-name>amAdmin</principal-name>
</security-role-mapping>
<security-role-mapping>
<role-name>admin</role-name>
<group-name>admin</group-name>
<principal-name>amAdmin</principal-name>
</security-role-mapping>
Two roles 'customer' and admin are created via the identity server console and users are added to these roles.
The application deploys OK, when the app is accesed the user is redirected to the identity server and is authenticated fine. The user is directed to the main servlet and is allowed to access the the two jsp's. All is good till now, when the user access one these links say /customer, access is denied (403). The server logs prints out:
[21/May/2003:10:34:24] FINE ( 6036): servletPath = /customer
[21/May/2003:10:34:24] FINE ( 6036): pathInfo = null
[21/May/2003:10:34:24] FINE ( 6036): SingleSignOn[ids]: Process request for '/idssample/customer'
[21/May/2003:10:34:24] FINE ( 6036): SingleSignOn[ids]: Checking for SSO cookie
[21/May/2003:10:34:24] FINE ( 6036): SingleSignOn[ids]: SSO cookie is not present
[21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: Security checking request GET /idssample/customer
[21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: We have cached auth type PROGRAMMATIC for principal amAdmin
[21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: Checking constraint 'SecurityConstraint[col2]' against GET /customer --> false
[21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: Checking constraint 'SecurityConstraint[col2]' against GET /customer --> true
[21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: Subject to constraint SecurityConstraint[col2]
[21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: Calling checkUserData()
[21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: User data constraint has no restrictions
[21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: Calling authenticate()
[21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: User authentication is not required
[21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: Calling accessControl()
[21/May/2003:10:34:24] FINEST ( 6036): PRINCIPAL : amAdmin hasRole?: customer
[21/May/2003:10:34:24] FINEST ( 6036): PRINCIPAL TABLE: {}
[21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: Failed accessControl() test
[21/May/2003:10:34:24] WARNING ( 6036): CORE3283: stderr: <May 21, 2003 10:34:24 AM CDT> <Agent> <Info> AgentRealm.getGroupNames(amAdmin)
[21/May/2003:10:34:24] WARNING ( 6036): CORE3283: stderr: <May 21, 2003 10:34:24 AM CDT> <Agent> <Info> AgentRealm.getGroupNames(amAdmin) => java.util.Vector$1@bb60ad
Now, snooping around I have found that the AgentRealm.getGroupNames(userdn) does
return the correct grops viz. customer,admin,anyone.
PLEASE HELP-- Second Update --
After policy installation I got several problems with PeopleSoft configuration. Which finally were solved.
1. Some URL's has to be defined as not enforced.
com.sun.am.policy.amFilter.notenforcedList[1]=/ps/images/*
com.sun.am.policy.amFilter.notenforcedList[2]=*.css
com.sun.am.policy.amFilter.notenforcedList[3]=*.ico
2. In versions older than PeopleSoft 8.4.2 the policy agent modified the file
/opt/fs/webserv/peoplesoft/applications/peoplesoft/PORTAL/WEB-INF/psftdocs/ps/configuration.properties to add the properties:
byPassSignon=TRUE
defaultUserid="DEFAULT_USER"
defaultPWD="your password"
signon_page=amsignin.html
signonError_page=amsignin.html
logout_page=amsignin.html
expire_page=amsignin.html
However, in the newer versions of PeopleSoft this properties are controled from the online Peoplesoft console. Which are set on:
PeopleTools --> WebProfile ---> WebProfileConfiguration --> [PROFILE] --> Security --> In section "Public Users" the parameters that has to be changed are:
Allow Public Access (cheked)
User ID : DEFAULT_USER
Password : your password
HTTP Session Inactivity : (SSO TIMEOUT)
and:
PeopleTools --> WebProfile ---> WebProfileConfiguration --> [PROFILE] --> Look and Feel -->
In section "SignOn/Logout" set the following values:
Signon Page : amsignin.html
Signon Error Page : amerror.html
Logout Page : amsignout.html
Note: After making any changes on the console; restart PIA (weblogic instance).
With this the SSO with PeopleSoft is working Ok.
Message was edited by:
LpzYlnd -
Disable J2EE Local Auth Task Handler in policy agent 2.2
Hi,
Is there a way of disabling the j2ee local authentication handler for a policy agent 2.2 running in filter mode ALL ?
If not, is there a way to configure local authentication without session-binding? I am specially interested in the agent for WebLogic Server 8.1.
Thanks,
Andrei DumitruHi,
Is there a way of disabling the j2ee local authentication handler for a policy agent 2.2 running in filter mode ALL ?
If not, is there a way to configure local authentication without session-binding? I am specially interested in the agent for WebLogic Server 8.1.
Thanks,
Andrei Dumitru -
SJWS 6.1 Policy Agent getting roles
Hi,
I've installed Policy Agent 2.2 in SJWS 6.1 and authentication is working properly. I've configured nativeRealm to get the user's principal from a web application (a servlet).
In this scenarios the user has two roles (it's working on WebLogic 8.1), but the Agent doesn't receive this roles from server, and in servlet the call to the function isUserInRoles doesn't work.
Anybody knows if is it possible working with roles, using J2EE security in servlets, with Sun Java WebServer 6.1 using Policy Agent 2.2 with Access Manager?
Thanks a lot
DavidHave you also tried not to set JAVAHOME at all as mentioned in the docs?
-Bernhard
Maybe you are looking for
-
Wich one is better for home use. Nothing powerfull.
Hello People. I would like to know. Wich one is the best "all day" use Macbook. I don't use nothing special. Just Browse the web and listen to music or airplay, those things. Macbook Pro, or Macbook air?
-
Is there a way to import a skin/theme from X Pro 4.5 to Xcelcius 2008?
I have recently upgraded to 2008 & cannot import my old colour schemes. Has anybody found a solution to this?
-
Foreign Trade _ Export License Number for SED or SLI
We are not using full blown Foreign Trade. I just recently set up ECCN codes to be used on the above forms for exporting. Now I am being asked to have a way to store Export License Numbers (it is item 22 on the SED) . . . They are asking it be stor
-
TS3274 Keyboard is in middle of screen preventing me to see what I am typing
My keybboard is always in the middle of the screen preventing me to see what I am typing. Is there a reset I need to do or recalibrate
-
I open my Library and go to Preferences and find that about 20% are in English. The rest appear to be in Greek. I can't read Greek. Help, thanks