[Fwd: Client accessing MBeanHome for more than one domain receives SecurityException]

Fwd'ing to security newsgroup
-------- Original Message --------
Subject: Client accessing MBeanHome for more than one domain receives SecurityException
Date: 4 Mar 2004 07:27:33 -0800
From: Dinesh Bhat <[email protected]>
Reply-To: Dinesh Bhat <[email protected]>
Organization: BEA NEWS SITE
Newsgroups: weblogic.developer.interest.management

Hi,
When a client accesses MBeans of more than one domain (Weblogic 8.1) that have different passwords, it receives a SecurityException. This occurs when the MBeanHome for each domain is looked up at initialization and reused for each request (to access MBeans). The security exception does not occur if the MBeanHome for each domain is looked up for each request. On initial review, this behavior seems inconsistent.
Looking up the MBeanHome for each request may introduce a significant overhead. I am not sure if concurrent lookups would also cause the same problem.
I have read on another post that we can work around this problem by establishing a trust relationship between the servers, but this may not be feasible when one is monitoring a lot of servers and the overhead of configuration may be an issue.
I have attached code that can reproduce the problem.
Please advise on the correct approach.
Thanks
Dinesh Bhat
Panacya Inc.

import java.util.ArrayList;
import java.util.Set;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Hashtable;
import javax.management.MBeanServer;
import javax.naming.Context;
import weblogic.jndi.Environment;
import weblogic.management.MBeanHome;

/**
 * This class reproduces the Security Exception that is caused when a client tries to access
 * MBeans of more than one domain with different weblogic passwords. Here is the stacktrace of the
 * exception:
 *
 * java.lang.SecurityException: [Security:090398]Invalid Subject: principals=[weblogic, Administrators]
 *      at weblogic.rjvm.BasicOutboundRequest.sendReceive(BasicOutboundRequest.java:108)
 *      at weblogic.rmi.internal.BasicRemoteRef.invoke(BasicRemoteRef.java:138)
 *      at weblogic.management.internal.AdminMBeanHomeImpl_811_WLStub.getDomainName(Unknown Source)
 *      at WLSecurityTest.getWeblogicInfo(WLSecurityTest.java:140)
 *      at WLSecurityTest.runTest(WLSecurityTest.java:75)
 *      at WLSecurityTest.<init>(WLSecurityTest.java:66)
 *      at WLSecurityTest.main(WLSecurityTest.java:51)
 *      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
 *      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
 *      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
 *      at java.lang.reflect.Method.invoke(Method.java:324)
 *      at com.intellij.rt.execution.application.AppMain.main(Unknown Source)
 * Caused by: java.lang.SecurityException: [Security:090398]Invalid Subject: principals=[weblogic, Administrators]
 *      at weblogic.security.service.SecurityServiceManager.seal(SecurityServiceManager.java:682)
 *      at weblogic.rjvm.MsgAbbrevInputStream.getSubject(MsgAbbrevInputStream.java:181)
 *      at weblogic.rmi.internal.BasicServerRef.acceptRequest(BasicServerRef.java:814)
 *      at weblogic.rmi.internal.BasicServerRef.dispatch(BasicServerRef.java:299)
 *      at weblogic.rjvm.RJVMImpl.dispatchRequest(RJVMImpl.java:920)
 *      at weblogic.rjvm.RJVMImpl.dispatch(RJVMImpl.java:841)
 *      at weblogic.rjvm.ConnectionManagerServer.handleRJVM(ConnectionManagerServer.java:222)
 *      at weblogic.rjvm.ConnectionManager.dispatch(ConnectionManager.java:794)
 *      at weblogic.rjvm.t3.T3JVMConnection.dispatch(T3JVMConnection.java:570)
 *      at weblogic.socket.NTSocketMuxer.processSockets(NTSocketMuxer.java:105)
 *      at weblogic.socket.SocketReaderRequest.execute(SocketReaderRequest.java:32)
 *      at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:197)
 *      at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:170)
 *
 * Note: the exception is caused only when the MBeanHome for each domain is cached and used for subsequent
 * transactions. The exception does not occur if the MBeanHome for each domain is looked up for each transaction. This
 * would add significant overhead in practice. Also the transactions across the various domains occur serially, hence
 * the effect of concurrent lookups has to be tested.
 *
 * Usage:
 * This class has been tested with weblogic 8.1
 * The class needs weblogic.jar in its classpath
 * One can specify the weblogic details as System properties. The properties need to be specified in
 * the following format:
 * wls.host.n, wls.userId.n, wls.password.n where n is the weblogic instance number. Also specify
 * the boolean system property reconnect.each.iteration to toggle between reconnecting or not reconnecting
 * for each iteration. When not reconnecting for each iteration, the MBeanHome is reused and the Security Exception
 * occurs.
 * Following is the example of system properties
 * -Dwls.host.0=localhost:7001 -Dwls.userId.0=weblogic -Dwls.password.0=weblogic
 * -Dwls.host.1=localhost:7011 -Dwls.userId.1=weblogic -Dwls.password.1=weblogic1
 * -Dwls.host.2=localhost:7021 -Dwls.userId.2=weblogic -Dwls.password.2=weblogic2
 * -Dreconnect.each.iteration=false
 */
public class WLSecurityTest
{
    ArrayList wlsDetailsList = new ArrayList();
    HashMap connectionMap = new HashMap();

    public static void main(String[] args)
    {
        try
        {
            WLSecurityTest wlSecurityTest = new WLSecurityTest();
        }
        catch (Exception e)
        {
            e.printStackTrace();
        }
    }

    /**
     * Constructor
     * @throws Exception
     */
    public WLSecurityTest() throws Exception
    {
        int noOfTries = 10;
        getWLSDetails();
        for( int i=0; i <= noOfTries; i++)
        {
            runTest();
        }
    }

    /**
     * Runs the test
     */
    private void runTest()
    {
        for (int i = 0; i < wlsDetailsList.size(); i++)
        {
            WLSDetails wlsDetails = (WLSDetails) wlsDetailsList.get(i);
            getWeblogicInfo(wlsDetails);
        }
    }

    /**
     * Get Weblogic details from System properties
     * @throws Exception
     */
    private void getWLSDetails() throws Exception
    {
        wlsDetailsList = new ArrayList();
        String hostKeyTmpl = "wls.host";
        String userIdKeyTmpl = "wls.userId";
        String passwordKeyTmpl = "wls.password";
        boolean done = false;
        for (int i = 0; !done; i++)
        {
            WLSDetails wlsDetails = new WLSDetails();
            String hostKey = hostKeyTmpl + "." + Integer.toString(i);
            String userIdKey = userIdKeyTmpl + "." + Integer.toString(i);
            String passwordKey = passwordKeyTmpl + "." + Integer.toString(i);
            wlsDetails.hostName = System.getProperty(hostKey);
            done = (wlsDetails.hostName == null) || (wlsDetails.hostName.length() == 0);
            if (!done)
            {
                wlsDetails.userId = System.getProperty(userIdKey);
                wlsDetails.password = System.getProperty(passwordKey);
                connect(wlsDetails);
                wlsDetailsList.add(wlsDetails);
            }
        }
    }

    /**
     * Lookup the MBeanHome for the specified weblogic server
     * @param wlsDetails
     * @throws Exception
     */
    public synchronized void connect(WLSecurityTest.WLSDetails wlsDetails) throws Exception
    {
        Context ctx = null;
        MBeanHome mbHomeLocal = null;
        try
        {
            Environment env = new Environment();
            env.setProviderUrl("t3://" + wlsDetails.hostName);
            env.setSecurityPrincipal(wlsDetails.userId);
            env.setSecurityCredentials(wlsDetails.password);
            Hashtable hashtable = env.getProperties();
            // Debug output of the JNDI environment (this includes the credentials set above)
            System.out.println(hashtable.toString());
            ctx = env.getInitialContext();
            wlsDetails._mBeanHome = (MBeanHome) ctx.lookup(MBeanHome.ADMIN_JNDI_NAME);
        }
        catch (Exception e)
        {
            e.printStackTrace();
        }
    }

    /**
     * Gets weblogic information using MBeans
     * @param wlsDetails
     */
    public synchronized void getWeblogicInfo(WLSDetails wlsDetails)
    {
        try
        {
            boolean reconnectEachIteration =
                Boolean.getBoolean("reconnect.each.iteration");
            // Reconnect on every call, or only once when no MBeanHome has been cached yet
            if( (reconnectEachIteration) || ((wlsDetails._mBeanHome == null) && (!reconnectEachIteration) ))
            {
                connect(wlsDetails);
            }
            MBeanHome mbHomeLocal = wlsDetails._mBeanHome;
            String domainName = mbHomeLocal.getDomainName();
            Set allMBeans = mbHomeLocal.getAllMBeans();
            System.out.println("Size: " + allMBeans.size());
            Set clusterMBeans = mbHomeLocal.getMBeansByType("Cluster", domainName);
            System.out.println(clusterMBeans);
            MBeanServer mBeanServer = mbHomeLocal.getMBeanServer();
        }
        catch (Exception ex)
        {
            ex.printStackTrace();
        }
    }

    /**
     * Class that holds weblogic server details
     */
    class WLSDetails
    {
        String hostName = "";
        String userId = "";
        String password = "";
        MBeanHome _mBeanHome = null;
    }
}

If Server version is 61:
Make the password of user "system" the same on all weblogic servers.
If Server version is above 61 (70, 81):
In the Security Advanced Settings, uncheck generated credential and specify a common credential for all the weblogic servers (domains).
