Groups Authenticated users & Everyone difference
Hi Everyone,
There are built-in groups Authenticated Users & Everyone. When I check some iViews and folders, their permissions are set to Everyone with Enduser checked, and for some objects the permissions are given to the Authenticated Users group with Enduser checked.
What is the difference between these two? All the ESS/MSS objects have been given the permission as Authenticated Users group with Enduser checked.
Can anyone clarify this doubt?
Regards,
EP.
Hi,
There are two kinds of Properties for a Portal Content Object:
1. Administrator Permission - create/modify/read permissions etc. privileges on the object. These are Design Time Permissions.
2. EndUser - When a user is assigned an End User permission, he can view the content at runtime, i.e. if the iView is assigned to the user (via iView assigned to a role, and role has an entry point and is assigned to the user) and he has only the End User permission, then he can log in and view the runtime content only. A kind of end user privilege.
Now,
1. Authenticated Users: the users who have entered their logon info or used a certificate to log in to the Portal, that is to say users who have authenticated themselves to the Portal, are the Authenticated Users. The user group is named so.
2. Everyone - All the users, authenticated or not, fall in this group. Sometimes content can be accessed directly with a URL without any logon.
Based on who can access the end user content, the End User permission is provided in the permission settings, i.e. in the ACL of that object.
Hope this answers your question. Reward points for Helpful answers.
Thanks,
Vamshi
Similar Messages
-
Everyone Group vs. Authenticated Users Group
Two questions.....
1.) What is the difference between the "Everyone" group and the "Authenticated Users" group.
2) We are starting to use some new BI content (NW04s) in our federated portal and have found that we have to grant permissions to "Authenticated Users" instead of the "Everyone" group. Any ideas why?
Regards,
Diane
Diane,
The following answer is not a SAP answer but I did a quick check on our system and:
1. The difference between the group Everyone and Authenticated Users is exactly 1 user assignment. I looked further and see that it has to do with the J2EE_GUEST user. This user is a member of the group Everyone but NOT of the group Authenticated Users.
2. Cannot give you a sure answer on this question, but maybe it has to do with security that this is needed?!
Hopefully another SDN community member can fill me in here...
Good luck and Kind Regards,
Benjamin Houttuin -
Hello Everyone.
We created two roles, Role1 and Role2, and to these roles we have assigned the group "Authenticated Users".
Now the client requirement is that they want to remove a couple of users who are assigned to Role1 (who belong to the "Authenticated Users" group).
Though it is not a good practice, one thing I can do is search for the group "Authenticated Users" in the portal, then choose Modify, choose assigned users and remove the users from this group, so that they cannot see Role1.
If I remove the users from the group "Authenticated Users" then they will not be able to see Role2, as they are removed from the "Authenticated Users" group which is assigned to Role2.
Can anyone help me out regarding this issue?
Hi Shailesh,
What you understood is correct, i.e. both the users have been added to Role 1 and Role 2, and both the roles have been assigned to "Authenticated Group".
I tried the step you have stated.
Once I log in to the portal --- User administration -- identity management
search for the user.
choose modify
If I click on assigned roles I do not see either Role1 or Role2 under assigned roles
but if I click on assigned groups I see "Authenticated Users"
thanks in advance -
I am reading that the Everyone group includes the group Authenticated Users, plus the Guest account, plus the reserved accounts SERVICE, LOCAL_SERVICE, NETWORK_SERVICE, etc. Is this still the case in Windows 8.1?
To be clear, would Authenticated Users only include:
1) Users who login interactively, including users in Guests group (NOT the Guest account!)
2) Users who login through Terminal Services or Remote Desktop
3) Users who access resources on the computer through Microsoft Networking.
Does this imply that any file system resource that needs to be accessed by system services will have the "Everyone" group with a minimum of read access on the target folder or files?
Is there any documentation listing all file system resources that either Windows 8 or Windows 2012 system services need to have access to? I'm trying to harden my NTFS permissions and I don't want to break critical system services.
Will
Sorry for my dilatory reply. According to your description, I doubt there is no way to achieve your goal. As far as I know, there is no app of Microsoft can manage a progress file access. What we can do is limit User Account execute the program, such as using AppLocker, we can specific special user execute the program.
I am not requiring a program from Microsoft to virtualize or secure anything. It would be nice to have that but it was not the question. My question is do we have documentation about what specific security settings and user rights a new user group needs to have to be able to execute applications while logged in?
I don't want them in Users group because that group has write access to a large part of the file system. I want to create a new NTFS group with very limited file system access, which then forces me to add that new user group into the various security settings and user settings required to execute programs.
Such documentation has to exist somewhere....
Will -
PCD Business Objects Permissions for Authenticated users
Hi All,
I am working on SRM7.0 Business package installed on Portal NW7.01.
I wanted to understand which permissions I should provide to the "Business Objects" PCD folder for Authenticated Users.
Should it be Administrator "None" and End User "ON"
Or Should it be Administrator "Read" and End User "ON"
Regards,
Ashish Shah
Hi Sandeep,
I was wondering what is the need of assigning permissions to "Everyone" Group and "Authenticated Users"
2. Group: Everyone (built-in group)
Administrator: Read
Enduser: checked
3. Group: Authenticated Users (built-in group)
Administrator: Read
Enduser: checked.
If I am not using Anonymous users, should I only assign this permission?
Group: Authenticated Users (built-in group)
Administrator: Read
Enduser: checked.
Regards,
Ashish Shah -
Authenticated Users Group Question
I have a quick question regarding the Authenticated Users "group". I used to be a systems administrator, but I'm a bit rusty since I've been a software developer for the last 10 years. A conflict with data center operations (DCO) group at work led me to get another opinion.
The question is this... is the authenticated users group a domain-level group or is there a local authenticated users group that would allow only users authenticated locally? We have a share that permits the authenticated users group access.
My opinion is that all domain users who have authenticated successfully have access to this share. The DCO group is telling me that this is the local (to the server containing the share of course) authenticated users group only.
Is there such a thing as a local-only authenticated users group? To me this doesn't even make sense, but I could very well be wrong.
Nathon Dalton
Sr. Software Engineer
Blog: http://nathondalton.wordpress.com
I apologize. I don't think I explained myself correctly. Let's consider the following...
SERVER: SERVER1
DOMAIN: DOMAIN1
SHARE: \\SERVER1\SHARE1
SHARE PERMISSIONS: Authenticated Users - Full Control
Given the above information, is it possible that the Authenticated Users group will allow ONLY users that are defined on SERVER1 to access \\SERVER1\SHARE1?
My understanding is that's not possible. There's one defined Authenticated Users group and that represents ALL users that are authenticated against DOMAIN1, whether added to local groups, shares, etc.
What I'm being told however is that SHARE1 having Authenticated Users assigned is okay since only those user accounts defined on SERVER1 will be able to access it. All the users in the domain will NOT be able to access it. I think this is bogus. Am I wrong?
Nathon Dalton
Sr. Lead Developer
Blog: http://www.nathondalton.com -
Changing permission on "Everyone" group on "Users" folder to "No Access"
Hello Everyone,
I need help on changing permission on "Everyone" group on "Users" folder to "No Access" using a Terminal command line.
What I'm trying to do is assign "Everyone" group to "No Access" on "User" folder to restrict other users from going to users' home folder on the computer.
Right now, when a user logs in he/she has the ability to view files that are not located in the documents folder.
PS
Network is configured for OD/AD, home folder is located on Dell Server
Appreciate the help, Thanks very much
You are running Oracle Linux and want to use a network volume provided by Windows 2008 to install Oracle Database.
Your problem is that you cannot set appropriate privileges on the mounted volume to perform the installation.
Is this correct?
If yes, then as far as I know, Windows file sharing is not supported, even if you fix the permission issues. Your problem is the file system, which won't be Linux ext3. NFS might be supported, but I think it is not the best idea. Have you looked into iSCSI? It will allow you to mount remote disks using SCSI protocol. You could do pretty much everything with such a mounted disk that you can do with a locally attached drive, including initializing, but instead of using the local bus, it will use the TCP/IP network.
How to setup iSCSI on Windows Server 2008 (storage server)
http://technet.microsoft.com/en-us/edge/Video/ff710316
CentOS / Red Hat Linux: Install and manage iSCSI Volume
http://www.cyberciti.biz/tips/rhel-centos-fedora-linux-iscsi-howto.html
Edited by: Dude on Jun 23, 2011 12:08 PM -
We have the following doubts regarding the Authenticated User group in Windows 7:
1. When is this user group added to a drive/folder/file automatically?
2. As per our observation, mostly it shows in the drive in which the OS is installed. On some machines it shows in other drives. How is this added in other drives automatically?
3. Another observation is, due to the presence of this group, it is possible to write a file (which is created by administrator or system) with an application which is started with a Standard User token. So do we need to add any extra permission for our application (with standard user token) to read and write to the folder/file with Authenticated User group?
4. Is it possible that Authenticated User group will not exist in the drive where the OS is installed?
5. Is it possible that an application with standard user cannot write to a file/folder even if Authenticated User group is present for the same?
Thanks, Renjith V R
Hi,
To learn more about authenticated users group, you can refer to the related thread:
http://social.technet.microsoft.com/Forums/windowsserver/en-US/e1a8e680-03a2-4690-a7e5-f17ad7389ecd/authenticated-users?forum=winserverDS
Andy Altmann
TechNet Community Support -
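An added example, not from the thread or from Microsoft: a Python audit of a security descriptor in SDDL text form that lists the allow entries naming Everyone, Authenticated Users and similar broad groups, and whether each one grants write access, which is what question 3 above depends on. The two descriptors are constructed samples, and the function names are this example's own.

```python
"""Flag allow-ACEs for broad principals in a Windows DACL written as SDDL.

Added example: the descriptors are constructed. On a real system the string
comes from e.g. (Get-Acl <path>).Sddl. Conditional ACEs are not handled.
"""
import re

# SDDL aliases and well-known SIDs for the broad principals discussed here.
BROAD = {
    "WD": "Everyone", "S-1-1-0": "Everyone",
    "AU": "Authenticated Users", "S-1-5-11": "Authenticated Users",
    "AN": "Anonymous Logon", "S-1-5-7": "Anonymous Logon",
    "BU": "Builtin Users", "BG": "Builtin Guests", "DU": "Domain Users",
}

# Two-letter rights codes used in file ACLs, as access-mask values.
# Note that "WD" in the rights field is WRITE_DAC, not the Everyone alias.
RIGHTS = {
    "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
    "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
    "SD": 0x00010000, "RC": 0x00020000, "WD": 0x00040000, "WO": 0x00080000,
}

# Bits that let the trustee change content, delete, or rewrite permissions:
# write data, append, delete child, DELETE, WRITE_DAC, WRITE_OWNER,
# GENERIC_WRITE, GENERIC_ALL.
WRITE_BITS = (0x2 | 0x4 | 0x40 | 0x10000 | 0x40000 | 0x80000
              | 0x40000000 | 0x10000000)


def rights_mask(field):
    """Turn an SDDL rights field (hex mask or 2-letter codes) into an int."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    mask = 0
    for i in range(0, len(field), 2):
        code = field[i:i + 2]
        if code not in RIGHTS:
            raise ValueError(f"rights code not in table: {code!r}")
        mask |= RIGHTS[code]
    return mask


def dacl_aces(sddl):
    """Yield the field lists of the ACEs in the D: part only (not the SACL)."""
    match = re.search(r"D:[A-Z_]*((?:\([^)]*\))+)", sddl)
    if match:
        for ace in re.findall(r"\(([^)]*)\)", match.group(1)):
            yield ace.split(";")


def audit(sddl):
    """Return [(principal, mask_hex, grants_write)] for broad allow-ACEs."""
    findings = []
    for fields in dacl_aces(sddl):
        # ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid
        if len(fields) != 6 or fields[0] != "A":
            continue
        principal = BROAD.get(fields[5])
        if principal:
            mask = rights_mask(fields[2])
            findings.append((principal, hex(mask), bool(mask & WRITE_BITS)))
    return findings


# Constructed samples: a volume root where Authenticated Users hold Modify,
# and a folder where Everyone can only read and execute (the S: part is an
# audit entry and must not be reported as a permission).
DATA_ROOT = ("O:BAG:SYD:PAI(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)"
             "(A;OICI;0x1301bf;;;AU)(A;OICI;0x1200a9;;;BU)")
READ_ONLY = "O:BAG:DUD:(A;;FRFX;;;WD)(D;;FW;;;AN)S:(AU;SAFA;FA;;;WD)"

if __name__ == "__main__":
    for label, sddl in (("data root", DATA_ROOT), ("read only", READ_ONLY)):
        for principal, mask, writable in audit(sddl):
            print(f"{label}: {principal} {mask} write={writable}")
```

An entry reported with write=True for Authenticated Users is enough for any logged-on standard user to modify files under that folder, whoever created them.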
As I understand, the AU group is made up of any user that logs in. However, it does not work when I specify access to a TAB page so it is only visible for AU. In this case the TAB is also available for the PUBLIC user.
I am working with Portal 3.0 EA on an Intel/NT platform. My question is: is this the way that it was supposed to be, or is it something that has to do with the version that I am using...?
Thanks -
RDBMSRealm, everyone group, guest user
Hi folks, I'm having some fun with the rdbms realm lately and have a few
questions.
We're using the RDBMSRealm example with form based auth under WLS 5.1 SP 9 and
have the following in web.xml
<security-constraint>
  <web-resource-collection>
    <web-resource-name>All Pages</web-resource-name>
    <description>These pages are only accessible by all authorised xyz users.</description>
    <url-pattern>*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <description>These are the roles that have access</description>
    <role-name>
      xyz
    </role-name>
  </auth-constraint>
</security-constraint>
<security-role>
  <description>All application users</description>
  <role-name>
    xyz
  </role-name>
</security-role>
which basically says that every page in the web-app requires a user to be in the
xyz role and does seem to work fine.
Now, what I'd like to do is to allow everyone to access one particular page
within the application (that is, this page does not require the xyz role). So
something like the following would be great.
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Some Particular Page</web-resource-name>
    <description>This page is accessible to everyeone.</description>
    <url-pattern>/particular/page.jsp</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <description>everyone can get at this page.</description>
    <role-name>everyone</role-name>
  </auth-constraint>
</security-constraint>
However, this doesn't seem to work, I get redirected to the form based login
page and once I've logged in can get to the page that I'm hoping shouldn't
require a logged in user.
So I'm wondering about the xml syntax and semantics.
- What are the rules around specific and general mappings, like will a
more specific mapping be used before falling back to the general mapping?
- Are the mappings applied in order (first to last) and the first match
taken?
- Are the rules according to section 10 of the servlet spec applicable here?
Now my problem might also be the RDBMSRealm itself -- I'm also having some
problems with the everyone group and the guest user. If I remove the first
constraint above and only include the /particular/page.jsp constraint to the
everyone group things still don't seem to work right.
I can see the realm call getGroup("everyone") and getUser("guest") but both
calls return null, since these principals are not in our database
tables. However, if I hit http://localhost:7001/AdminRealm I do see a list of
all groups that our RDBMSRealm knows about and I also see the everyone group
which contains system and guest users and so I have more questions.
- Does CachingRealm fall back to the standard properties realm if it gets nulls
from the RDBMSDelegate?
- Does the everyone group include unauthenticated users (i.e. guest) as I'm
hoping?
I've tried adding an instance of weblogic.security.acl.Everyone to my
RDBMSDelegate class and checking if the call to getGroup is looking for
"everyone" in which case I return this instance but this doesn't seem to do
anything either. I also tried adding this everyone group to the list returned
by getGroups but that didn't help and I carried the idea through to getUser and
getUsers with a guest user but again no luck. I'm always forced to authenticate
before I can get to the page that should allow anyone (everyone) to see it.
Any help, ideas, advice, beer, etc. would be much appreciated!
Thanks,
Derek
THorner <[email protected]> writes:
> RDBMSRealm, everyone group, guest user
> Update - I've got it working.
> As well as the isMember change mentioned below I altered getPrincipal
> for both the RDBMSRealm class
>     if(name.equals("guest")){return createUser("guest","guest");}
>     if(name.equals("everyone")){return new Everyone(this);}
> and RDBMSDelegate
>     if(name.equals("guest")){return realm.createUser("guest","guest");}
>     if(name.equals("everyone")){return new weblogic.security.acl.Everyone(realm);}
> did something to RDBMSUser so that guest always authenticates
> (alternatively you could put the guest user on the database, surely?)
I did see various examples of the guest and everyone additions to the realm
code, but I also read some stuff that indicated that if the rdbms realm returns
null for these requests then the caching realm should fall back to the standard
properties realm which does have the guest user and everyone group defined.
With the debugging turned on this does seem to be what it does and the
guest/everyone code doesn't seem to be needed. I also checked the
http://localhost:7001/AdminRealm servlet and did see the everyone group with
system and guest users as part of it.
>
> Allow guest access to the file servlet (otherwise they can't be sent any
> HTML pages - my best guess would be that this is your problem).
This was probably part of the problem, judging by the messages from the realm
debugging.
> Also I altered weblogicURL.policy to allow 'everyone' access to the page
> that was to be unrestricted - so I guess you should set
> I hope this helps, if not (and you haven't already) turn on RDBMSRealm
> debugging - eventually I found the information useful (in that it tends
> to tell you what it has last been looking for, and the methods used)
In the end, I found that specifying that the everyone group is required for a
particular resource didn't seem to work. Instead I protected the majority of my
application with a set of rules and left all other pages without any matching
rules and the guest user then seems to work ok.
The servlet 2.3 spec has an addition to the <role-name> tag which allows a * to
indicate all roles but this isn't in the 2.2 spec.
Thanks for the help!
Cheers,
Derek
>
terry
-----Original Message-----
From: THorner
I am working on something similar (although not in a war),
which isn't working yet, but I can tell you a couple of
things that I have come across.
-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Derek Scherger
Posted At: Mon 04 June 2001 22:13
Posted To: weblogic.developer.interest.security
Conversation: RDBMSRealm, everyone group, guest user
Subject: RDBMSRealm, everyone group, guest user
-
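An added example, not code from the thread or from WebLogic: a small Python model of how a container following the Servlet 2.4 and later rules picks the constraint for a request, run against three layouts of the descriptor discussed above. The descriptors are constructed, `/*` stands in for the poster's `*` pattern, and the result is an assumption about spec-conforming containers rather than a statement about WLS 5.1, which implements Servlet 2.2.

```python
"""Model of servlet security-constraint resolution (Servlet 2.4+ rules).

Added example: the descriptors are constructed; HTTP methods and transport
guarantees are ignored.
"""
import xml.etree.ElementTree as ET

PROTECT_ALL = """
  <security-constraint>
    <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>xyz</role-name></auth-constraint>
  </security-constraint>"""

# Layout from the question: the page's constraint names a role, "everyone".
AS_POSTED = "<web-app>" + PROTECT_ALL + """
  <security-constraint>
    <web-resource-collection><url-pattern>/particular/page.jsp</url-pattern></web-resource-collection>
    <auth-constraint><role-name>everyone</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# More specific constraint with no <auth-constraint>: open page, closed default.
NO_AUTH_CONSTRAINT = "<web-app>" + PROTECT_ALL + """
  <security-constraint>
    <web-resource-collection><url-pattern>/particular/page.jsp</url-pattern></web-resource-collection>
  </security-constraint>
</web-app>"""

# Workaround from the thread: constrain chosen trees, leave the page unmatched.
UNMATCHED_PAGE = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/app/*</url-pattern>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>xyz</role-name></auth-constraint>
  </security-constraint>
</web-app>"""


def parse_constraints(xml_text):
    """Return [(url_pattern, roles)]; roles is None when there is no auth-constraint."""
    found = []
    for sc in ET.fromstring(xml_text).iter("security-constraint"):
        auth = sc.find("auth-constraint")
        roles = None
        if auth is not None:
            roles = {r.text.strip() for r in auth.findall("role-name") if r.text}
        for pat in sc.iter("url-pattern"):
            found.append((pat.text.strip(), roles))
    return found


def match_rank(pattern, path):
    """Rank a match the way servlet mappings do; None means no match."""
    if pattern == path:
        return (3, len(pattern))                      # exact
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (2, len(prefix))                   # longest path prefix wins
    if pattern.startswith("*.") and path.rsplit("/", 1)[-1].endswith(pattern[1:]):
        return (1, 0)                                 # extension
    if pattern == "/":
        return (0, 0)                                 # default
    return None


def decide(constraints, path, user_roles=None):
    """Return 'allow', 'login' or 'deny'; user_roles=None is an anonymous caller."""
    best, applicable = None, []
    for pattern, roles in constraints:
        rank = match_rank(pattern, path)
        if rank is None:
            continue
        if best is None or rank > best:
            best, applicable = rank, [roles]
        elif rank == best:
            applicable.append(roles)
    if not applicable:
        return "allow"                                # no constraint covers the path
    if any(roles is not None and not roles for roles in applicable):
        return "deny"                                 # empty auth-constraint: nobody
    if any(roles is None for roles in applicable):
        return "allow"                                # no auth-constraint: no login needed
    if user_roles is None:
        return "login"                                # a role is named: authenticate first
    allowed = set().union(*applicable)
    if "*" in allowed:                                # 2.3+ wildcard, simplified to "holds a role"
        return "allow" if user_roles else "deny"
    return "allow" if allowed & set(user_roles) else "deny"


if __name__ == "__main__":
    for name, xml_text in [("as posted", AS_POSTED),
                           ("no auth-constraint", NO_AUTH_CONSTRAINT),
                           ("unmatched page", UNMATCHED_PAGE)]:
        rules = parse_constraints(xml_text)
        for path in ("/particular/page.jsp", "/reports/new.jsp"):
            print(f"{name:20} {path:22} anonymous -> {decide(rules, path)}")
```

The unmatched-page layout opens the page but also leaves any path added later outside `/app/*` and `/admin/*` reachable without a login, whereas the layout with no auth-constraint keeps the default closed.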
How can I stop authenticated users from getting other user's information?
We recently discovered that it is possible for authenticated users, via KM's details view, to view details about the other users that have access to the same resource as you. Our portal (7.0 sp15) is used for an external facing web site. We have secured it against anonymous users but the problem still remains for authenticated users. Here is an example:
The KM folder documents\Public Documents has been assigned read permissions for the group Everyone. An authenticated user can open the URL https://<host>/irj/go/km/navigation/documents/Public%20Documents and a list of folders is shown. The user can then select the Details from the menu for one of the folders and the Details iView is displayed. They then select the menu item Settings > Permissions and the users/groups/roles assigned to this folder are shown. The user can then select a user and view that user's name and email address, or the user could select a group and view for each member of the group the user id, name, and email address, which could then be used to help attack the site.
So I thought it would be easy enough to disable the details view for all users but content managers or administrators, but I seem to be running into difficulty.
I tried disabling the Details KM command with limited success. Even with it disabled, if you know the URL for the details component you can still access it. So it seems the better option is to take away access to the details component. It seems that the users are getting access to the Details iView from the standard eu_role. If I remove the iView from this role then all users have no access to the Details in KM. I tried to add the iView to another role that content managers would have, but when logged in with a user that had that other role I still was not able to access the Details iView.
This SAP Help document (http://help.sap.com/saphelp_nw70/helpdata/en/47/f0f7415e639c39e10000000a155106/frameset.htm) discusses the eu_role (Standard User role) and it states that
By default, the Everyone group is assigned to the Standard User role. If you choose to use the other every user roles instead, you need to remove these assignments from the Standard User role and apply them to the Every User Core and Control Center User roles.
But, when I look at what groups the role is assigned to or what roles are assigned to the Everyone group, they don't appear to be linked, contrary to what the documentation says. So, what I'm thinking here is that I can create a copy of this role and remove the Details iView from the original and then assign the copy to the content managers and administrators. Doing this causes all users to lose access, even the content managers.
I thought I'd give the Security Zones a try to see if this could help me, but when I take away rights from here it still allows access.
I'm stumped. I'm sure there is some key piece that eludes me. What can I do to allow users read only access to some KM folders and files while preventing them from viewing the permission/user details?
The only 3d party apps are Hazel...
And that's your problem!
From the Hazel site's description:
Hazel watches whatever folders you tell it to, automatically organizing your files according to the rules you create.
Hazel, is a prefPane so you must have some rule (or it supplied the rule as a default) to put pictures (jpg's) from your Desktop (folder) into your Pictures folder.
Open your System Preferences and Hazel in there and either turn off Hazel or change or delete the appropriate rule covering this situation. -
Is there a way to tell if a user has authenticated with OID? Example: a shadow group of OID users that the person becomes a member of automatically when the user logs in and then loses membership of when their session expires or they log out? I am running into cases where I want access to things granted based solely on authenticated or not, but I have yet to find a way to do it inside of BI Publisher's permissions structure other than the use of such a group. I noticed the AUTHENTICATED_USERS group but tests revealed that it is not working as required. Any suggestions?
BIP authorization model is user -> roles -> folders -> reports. When integrated with LDAP-compliant directory (such as OID), a BIP role translates to a directory group and vice versa: http://download.oracle.com/docs/cd/E12844_01/doc/bip.1013/e12188/T421739T475591.htm
The case of reports that need to be restricted to the specific user group implies that you create this particular group (say Sales) in the directory and BIP makes it a role. So now you've got role "Sales" in BIP, you assign folders A, B and C to that role and publish reports for Sales to those folders.
The case of reports that need to be available to all authenticated users is a little harder. If you only need online reports (no Excel Analyzer or Online Analyzer), you may be in luck. BIP standalone gives all authenticated users a built-in role that allows them to view online reports (and do nothing else). BIP enterprise - not sure. A more 'portable' solution is to create a group Everyone in the directory and add users to it. This will get tedious for a lot of users but you can do it with a script. Perhaps there's a better solution - inquire in the BIP forum (BI Publisher -
"Authenticated Users" vs. "Users"
I'm setting up a profiles structure on a server starting with the master folder that'll house all the profile subfolders. The default permissions on a newly created folder always has the admins and creator/owner and system accounts, but by default it also has Users. Yet in some pre-existing installations I've come across I've seen Authenticated Users put there instead, so the admin must have had a reason.
So the question is, what's the difference? Since any domain user would have to authenticate to get into any resource anyway, is this not just the same thing? What would be a scenario whereby you should use one over the other?
Thanks!
Authenticated Users group is a built-in user group & any user created in the domain by default becomes a member of this group, whereas you can't see or manually modify the Authenticated Users group to add or remove members. Authenticated Users group can't be added into user-created groups like Global/Domain Local/Universal groups, but it can be added to built-in domain local groups in AD. It even contains members of trusted forests. Authenticated Users group membership is controlled by the OS.
Domain Users group is a global group & it too contains all the users from the domain, whereas its members can be managed, i.e. manually added or removed by administrators. Domain Users group is visible in the ADUC console.
http://technet.microsoft.com/en-us/library/cc756898%28WS.10%29.aspx
Regards
Awinish Vishwakarma| CHECK MY BLOG
Disclaimer: This posting is provided AS-IS with no warranties or guarantees and confers no rights. -
Can you create a group of users in Messenger
Currently the last post of information in reference to my question shows as follows:
there is not a way to create a group. From the client side, you can
create folders and organize users that way. From the server side, you
can add an eDir group object to the contact list but it will
automatically be broken out by user rather than just adding the group
object.
If you are interested in a group in Messenger so that you can chat with
more than one person at a time, currently you can do that by inviting
users to her chat, or by highlighting multiple users and then clicking
on Send Message. That will automatically invite everyone to the chat.
I will submit an enhancement request.
Has Novell or anyone released a way to do this as of yet or a new version that has this enhancement, this post was back in 2005 so I don't know if it was ever done and I have searched for it in the Novell Documentation, maybe I missed it..
Thanks
Paul
In article <[email protected]>, Pbolin260 wrote:
> Has Novell or anyone released a way to do this as of yet or a new
> version that has this enhancement, this post was back in 2005 so I don't
> know if it was ever done and I have searched for it in the Novell
> Documentation, maybe I missed it..
>
I've not heard of that capability. The enhancement request is a good
idea. Would be nice to be able to make folders of groups of users too.
Craig Johnson
Novell Support Connection SysOp -
Workspace Credential Conflict between Logged-in User and the Authenticated User
Hi there,
I am running LiveCycle ES Update1 SP2 with Process Management component on WIN/JBoss/SQL Server 2005.
I have been encountering user credential conflicts from time to time, but it has not been consistent and the problem manifested in various ways, such as:
- problem when logging in with error "An error occurred retrieving tasks." on the login screen
- user logs in successfully but is showing somebody else queue(s) with his/her own queue with no task in there
- fails to claim task from group queue.
The stacktrace from the server.log file I collected from a production system shows the exception below.
Has anybody else encountered the similar problem?
It looks to me that it doesn't log out cleanly and some kind of caching is done on the authenticated session and is not cleaned up properly on user logout.
2009-07-10 15:05:13,955 ERROR [com.adobe.workspace.AssemblerUtility] ALC-WKS-005-008: Security exception: the user specified in the fill parameters (oid=F0FA390C-AECC-BB19-F0D7-6CA13D6CBF83) did not match the authenticated user (oid=F25892EE-80CE-8C24-E40D-881F631AA8BE).
2009-07-10 15:05:13,955 INFO [STDOUT] [LCDS] [ERROR] Exception when invoking service 'remoting-service': flex.messaging.MessageException: ALC-WKS-005-008: Security exception: the user specified in the fill parameters (oid=F0FA390C-AECC-BB19-F0D7-6CA13D6CBF83) did not match the authenticated user (oid=F25892EE-80CE-8C24-E40D-881F631AA8BE).
incomingMessage: Flex Message (flex.messaging.messages.RemotingMessage)
operation = submitWithData
clientId = F3D2CDD0-330F-F00B-C710-5AF3F7CB4138
destination = task-actions
messageId = 7E385A6B-E4E6-3A81-CD6A-630DF4FAE5BB
timestamp = 1247202313955
timeToLive = 0
body = null
hdr(DSEndpoint) = workspace-polling-amf
hdr(DSId) = F3C38977-171B-7BED-3B16-F3A5FE419479
Exception: flex.messaging.MessageException: ALC-WKS-005-008: Security exception: the user specified in the fill parameters (oid=F0FA390C-AECC-BB19-F0D7-6CA13D6CBF83) did not match the authenticated user (oid=F25892EE-80CE-8C24-E40D-881F631AA8BE).
at com.adobe.workspace.AssemblerUtility.createMessageException(AssemblerUtility.java:369)
at com.adobe.workspace.AssemblerUtility.checkParameters(AssemblerUtility.java:561)
at com.adobe.workspace.tasks.TaskActions.callSubmitService(TaskActions.java:788)
at com.adobe.workspace.tasks.TaskActions.submitWithData(TaskActions.java:773)
at sun.reflect.GeneratedMethodAccessor941.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at flex.messaging.services.remoting.adapters.JavaAdapter.invoke(JavaAdapter.java:421)
at flex.messaging.services.RemotingService.serviceMessage(RemotingService.java:183)
at flex.messaging.MessageBroker.routeMessageToService(MessageBroker.java:1495)
at flex.messaging.endpoints.AbstractEndpoint.serviceMessage(AbstractEndpoint.java:882)
at flex.messaging.endpoints.amf.MessageBrokerFilter.invoke(MessageBrokerFilter.java:121)
at flex.messaging.endpoints.amf.LegacyFilter.invoke(LegacyFilter.java:158)
at flex.messaging.endpoints.amf.SessionFilter.invoke(SessionFilter.java:44)
at flex.messaging.endpoints.amf.BatchProcessFilter.invoke(BatchProcessFilter.java:67)
at flex.messaging.endpoints.amf.SerializationFilter.invoke(SerializationFilter.java:146)
at flex.messaging.endpoints.BaseHTTPEndpoint.service(BaseHTTPEndpoint.java:278)
at flex.messaging.MessageBrokerServlet.service(MessageBrokerServlet.java:315)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
at com.adobe.workspace.events.RemoteEventClientLifeCycle.doFilter(RemoteEventClientLifeCycle.java:138)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:81)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
at org.jboss.web.tomcat.security.CustomPrincipalValve.invoke(CustomPrincipalValve.java:39)
at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:159)
at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:59)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:744)
at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
at java.lang.Thread.run(Thread.java:595)
Kendy
I am having the same server issue and I can't get hold of SP3 to fix it. Can anyone tell me how to fix this problem or provide a link where I can get SP3 from? I've spent most of the day on the phone to Adobe Support and they have been unable to provide me with a link to the service pack.
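For triaging the ALC-WKS-005-008 errors quoted in this thread, the following added example (not part of the original posts and not Adobe code) parses the server.log format shown above and groups the rejected user oids by Flex session (DSId). The function names, the abridged sample and the second log event are constructed for illustration; only the first event's values come from the post.

```python
import re
from collections import defaultdict

# Error line format taken from the server.log excerpt in the post.
EVENT = re.compile(
    r"^(?P<ts>\S+ \S+) ERROR \[com\.adobe\.workspace\.AssemblerUtility\] "
    r"ALC-WKS-005-008: .*?fill parameters \(oid=(?P<requested>[0-9A-F-]{36})\) "
    r"did not match the authenticated user \(oid=(?P<authenticated>[0-9A-F-]{36})\)")
# Flex message fields dumped after the error line.
FIELD = re.compile(r"^\s*(operation|destination|clientId|hdr\(DSId\)) = (\S+)")

# First event: from the post (abridged). Second event: constructed sample data.
SAMPLE_LOG = """\
2009-07-10 15:05:13,955 ERROR [com.adobe.workspace.AssemblerUtility] ALC-WKS-005-008: Security exception: the user specified in the fill parameters (oid=F0FA390C-AECC-BB19-F0D7-6CA13D6CBF83) did not match the authenticated user (oid=F25892EE-80CE-8C24-E40D-881F631AA8BE).
2009-07-10 15:05:13,955 INFO [STDOUT] [LCDS] [ERROR] Exception when invoking service 'remoting-service'
operation = submitWithData
clientId = F3D2CDD0-330F-F00B-C710-5AF3F7CB4138
destination = task-actions
hdr(DSId) = F3C38977-171B-7BED-3B16-F3A5FE419479
at com.adobe.workspace.AssemblerUtility.checkParameters(AssemblerUtility.java:561)
2009-07-10 15:09:41,102 ERROR [com.adobe.workspace.AssemblerUtility] ALC-WKS-005-008: Security exception: the user specified in the fill parameters (oid=00000000-0000-0000-0000-00000000000A) did not match the authenticated user (oid=F25892EE-80CE-8C24-E40D-881F631AA8BE).
operation = submitWithData
hdr(DSId) = F3C38977-171B-7BED-3B16-F3A5FE419479
"""


def parse_mismatches(lines):
    """Return one dict per ALC-WKS-005-008 event, with its Flex message fields."""
    events, current = [], None
    for line in lines:
        m = EVENT.match(line)
        if m:
            current = m.groupdict()
            events.append(current)
        elif current is not None:
            f = FIELD.match(line)
            if f:
                # Keep the first value seen for each field of this event.
                current.setdefault(f.group(1), f.group(2))
    return events


def requested_oids_by_session(events):
    """Map each Flex session (DSId) to the user oids it requested while
    authenticated as someone else. Several oids per session merit review."""
    by_session = defaultdict(set)
    for e in events:
        by_session[e.get("hdr(DSId)", "unknown")].add(e["requested"])
    return dict(by_session)
```

Run it over the full log with `parse_mismatches(open("server.log"))`; a DSId that keeps recurring with different requested oids points at one client session carrying stale identity data, which is the hypothesis raised in the first post.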