Hundreds of roles for a J2EE application using SSO/OID

We are starting to develop a J2EE software that will have hundreds of logical roles. These logical roles must be assignable to users and groups on OID.
When prototyping this scenario, we were not able to make this work well enough. Namely, in OIDDAS (which will be used by the end users to administrate users), all the "role groups" and user groups are always shown in one listing.
Ideally, what we would want is to only have configurable user groups visible in OIDDAS and all the fine-grained roles would be assignable to users and groups separately. The "Roles Assignment" section in user/group edit screen is quite close to the idea though having hundreds of low-level roles listed there will make administration a bit complex.
We have also considered hiding the raw "role groups" from OID by moving the low-level administration to Enterprise Manager, where multiple logical roles would be mapped to composite OID groups. However, we currently don't see this as a viable option since we don't want to allow normal login administrators access to OEM where they can break too many things.
How have you guys solved the problem of mapping hundreds of roles to user-configurable groups and users? What would you suggest? Is our planned approach (map logical roles to LDAP groups) the wrong way to try to solve the issue? What would be a better way?
Thanks in advance,
Keke

Hi Peter,
Thanks a lot for your post.
My requirement is such that I have to fetch nodes from WLP content management system and all the associated data (content, security related info) with that node. Since security for a particular node is in the form of roles, I need to fetch the roles list for the node under processing.
However my application requirement is such that any user can ask for retrieval of a node (its contents). In that case I need to check whether the user lies in the list of roles defined for the current node (node for which user asked).
Thus my requirement becomes: Checking whether a user is in the given list of roles.
A careful investigation of the APIs helped me find out a method isUserInRole(role, rolemap), but this method provides information for the logged in user only.
My application will login thru admin credentials (weblogic, weblogic) and will check whether other users, say bryan, linda, are in the roles list of the nodes under processing.
Please guide.
Regards,
Shakti
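
The check asked about in the two posts above (is an arbitrary user, not the logged-in caller, in any of the roles attached to a node, when roles are granted through nested directory groups), as an added example that is not part of the original posts and does not use the WLP or OID APIs. The class, the group and role names, and the in-memory maps standing in for LDAP lookups are all constructed for illustration; only the user names bryan and linda come from the post.

```java
import java.util.*;

public class NodeRoleCheck {
    // Constructed in-memory stand-ins for directory lookups (assumption).
    private final Map<String, Set<String>> userGroups = new HashMap<>();   // user  -> direct groups
    private final Map<String, Set<String>> groupParents = new HashMap<>(); // group -> composite groups containing it
    private final Map<String, Set<String>> groupRoles = new HashMap<>();   // group -> logical roles it grants

    private static void put(Map<String, Set<String>> m, String key, String value) {
        m.computeIfAbsent(key, k -> new HashSet<>()).add(value);
    }
    void addUserToGroup(String user, String group) { put(userGroups, user, group); }
    void nestGroup(String child, String parent)    { put(groupParents, child, parent); }
    void grantRole(String group, String role)      { put(groupRoles, group, role); }

    /** Logical roles of any user, collected by walking up the group nesting. */
    Set<String> effectiveRoles(String user) {
        Set<String> roles = new HashSet<>();
        Set<String> visited = new HashSet<>();
        Set<String> direct = userGroups.getOrDefault(user, Collections.<String>emptySet());
        Deque<String> todo = new ArrayDeque<>(direct);
        while (!todo.isEmpty()) {
            String group = todo.pop();
            if (!visited.add(group)) {
                continue; // already expanded: a cyclic nesting cannot loop forever
            }
            roles.addAll(groupRoles.getOrDefault(group, Collections.<String>emptySet()));
            todo.addAll(groupParents.getOrDefault(group, Collections.<String>emptySet()));
        }
        return roles;
    }

    /**
     * True only if the user holds at least one of the node's roles.
     * Assumed policy: deny by default, so a null user, an unknown user,
     * or a node with no roles attached yields false.
     */
    boolean isUserInAnyRole(String user, Collection<String> nodeRoles) {
        if (user == null || nodeRoles == null || nodeRoles.isEmpty()) {
            return false;
        }
        Set<String> held = effectiveRoles(user);
        for (String role : nodeRoles) {
            if (held.contains(role)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        NodeRoleCheck dir = new NodeRoleCheck();
        // A composite group carries the fine-grained role; user-facing groups nest into it.
        dir.grantRole("content-editors", "NodeEditor");
        dir.nestGroup("marketing", "content-editors");
        dir.nestGroup("content-editors", "marketing"); // deliberate cycle to exercise the guard
        dir.addUserToGroup("bryan", "marketing");
        dir.addUserToGroup("linda", "guests");

        List<String> nodeRoles = Arrays.asList("NodeEditor", "NodeAdmin");
        for (String user : Arrays.asList("bryan", "linda", "unknown")) {
            System.out.println(user + " may read node: " + dir.isUserInAnyRole(user, nodeRoles));
        }
    }
}
```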

Similar Messages

  • Trouble deploying a J2EE application using the J2EE 6.20 Deploy Tool

    I am having trouble deploying a J2EE application using the J2EE 6.20 Deploy Tool.
    I successfully create the WAR/EAR files, I then select deploy and the deploy process gets to 100% before displaying an error message.
    Can anybody help?
    Please see Deploy Tool log entry:
    01:39 -  **********************************************************
    05/01/17 10:19:16 -  Applying user role management mappings.
    05/01/17 10:19:16 -  Start updating EAR-file...D:\SAP_J2EEngine6.20_Cluster\deploying\carmodeller\carmodeller.ear
    05/01/17 10:19:27 -  Temp files deleted...
    05/01/17 10:19:27 -  Ear-file updated successfully for 11375ms.
    05/01/17 10:19:27 -  Start deploying ...
    05/01/17 10:20:15 -  Ear-file uploaded to server for 47297ms.
    05/01/17 10:21:47 -  ERROR: ID90506: NOT Deployed. ERROR returned from deploy service :
                         com.inqmy.services.deploy.container.DeploymentException: Can't init application carmodeller. com.inqmy.services.servlets_jsp.server.WebApplicationException: ID17110: Error in starting application carmodeller.java.lang.NullPointerException
                              at com.inqmy.services.servlets_jsp.server.ServletsAndJspImpl.deploy(ServletsAndJspImpl.java:482)
                              at com.inqmy.services.servlets_jsp.server.WebContainer.commitDeploy(WebContainer.java:256)
                              at com.inqmy.services.deploy.server.DeployServiceImpl.commit(DeployServiceImpl.java:2848)
                              at com.inqmy.services.deploy.server.DeployServiceImpl.deploy1(DeployServiceImpl.java:512)
                              at com.inqmy.services.deploy.server.DeployServiceImpl.deploy(DeployServiceImpl.java:140)
                              at com.inqmy.services.deploy.server.DeployServiceImplp4_Skel.dispatch(DeployServiceImplp4_Skel.java:184)
                              at com.inqmy.services.rmi_p4.DispatchImpl._run(DispatchImpl.java:157)
                              at com.inqmy.services.rmi_p4.server.P4SessionProcessor.request(P4SessionProcessor.java:108)
                              at com.inqmy.core.service.context.container.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:36)
                              at com.inqmy.core.cluster.impl5.ParserRunner.run(ParserRunner.java:55)
                              at com.inqmy.core.thread.impl0.ActionObject.run(ActionObject.java:46)
                              at java.security.AccessController.doPrivileged(Native Method)
                              at com.inqmy.core.thread.impl0.SingleThread.run(SingleThread.java:153)
    05/01/17 10:21:47 -  **********************************************************

    Hi, it looks like the app has trouble starting up:
    05/01/17 10:21:47 - ERROR: ID90506: NOT Deployed. ERROR returned from deploy service :
    com.inqmy.services.deploy.container.DeploymentException: Can't init application carmodeller. com.inqmy.services.servlets_jsp.server.WebApplicationException: ID17110: Error in starting application carmodeller.java.lang.NullPointerException
    Did you have any errors on the compile of the code?
    You also want to check if the app is deployed (if so you may want to remove it before re-deploying it)

  • Login module for the J2EE application

    Hi ,
    I am trying to use the BasicPasswordLoginModule for my J2EE application which will be deployed in the SAP J2EE engine. My application will not be accessed through the portal.
    I am having a login screen in my application for which i want to use the already available login module. ie.. BasicPasswordLoginModule.
    When i am trying to call login(), i am getting the following error.
    "javax.security.auth.login.LoginException: No LoginModules configured for BasicPasswordLoginModule".
    Please let me know what needs to be done.
    PS: The version environment is CE 7.1
    Regards
    Abu Bakar

    Hi Julius
    I am totally confused, my application is a pure J2EE application which has only one screen which just displays the details. And i want only the login screen to be implemented. I have gone through a couple of dec from sap which tells to created a custom login module if required but i want to use the FORM based authentication and use the BasicPasswordLoginModule(in-built in WAS)
    All that i am doing is written a web.xml with the following information:
    <login-config>
       <auth-method>FORM</auth-method>
       <form-login-config>
       <form-login-page>/home.jsp</form-login-page>
       <form-error-page>/relogin.jsp</form-error-page>
       </form-login-config>
      </login-config>
      <security-role>
        <role-name>App_Viewer</role-name>
      </security-role>
    web-j2ee-engine with following information:
    <security-role-map>
              <role-name>App_Viewer</role-name>
               <server-role-name>Administrator</server-role-name>
         </security-role-map>
         <login-module-configuration>
         <login-module-stack>
         <!-- Contains all login modules used for authentication -->
              <login-module>
              <!-- Contains information about one login module -->
                   <login-module-name>BasicPasswordLoginModule</login-module-name>
                   <flag>SUFFICIENT</flag>
                   <options>
                        <option>
                        <!-- The option UserNamePrefix determines that the user name must start with "Admin" -->
                        <name>UserNamePrefix</name>
                        <value>Admin</value>
                        </option>
                   </options>
              </login-module>
         </login-module-stack>
         <security-policy-domain></security-policy-domain>
    </login-module-configuration>
    And I am not sure, if the above mentioned details are enough. My implementation code is as follows:
    try {
         HttpServletRequest request = (HttpServletRequest) FacesContext.getCurrentInstance().getExternalContext().getRequest();
         HttpServletResponse response = (HttpServletResponse) FacesContext.getCurrentInstance().getExternalContext().getResponse();
         // Pass the credentials entered on the login screen to the logon call
         request.setAttribute(ILoginConstants.LOGON_UID_ALIAS, this.getUserName());
         request.setAttribute(ILoginConstants.LOGON_PWD_ALIAS, this.getPassword());
         UMFactory.getLogonAuthenticator().logon(request, response, "BasicPasswordLoginModule");
         status = success;
    } catch (Exception e) {
         e.printStackTrace();
         status = e.toString();
    }
    In the NWA i have just configured the UserNamePrefix with Admin, thats all . Since the form login authentication method is already configure with the BasicPasswordLoginModule, I left it untouched.
    I also implemented a custom login module and deployed it but not sure how to use it in my code.
    Please let me know if i am on the right track. Correct me if i am wrong. At the end of the day i want to use the login screen just to get authenticated. I am also not bothered about the password changing etc.. As the users who are going to use my application are the users in the Identity Management. Few portions of my screen should be allowed to be displayed based on the roles.
    PS: My application is not configured in the portal. Its an independent application deployed on the WAS(CE 7.1).
    Please advise
    Regards
    Abu Bakar

  • Building J2EE Applications using JBOSS and ECLIPSE 3.0

    Hi all
    i am trying to deploy a J2EE application using JBOSS3.2.5 and Eclipse 3.0.
    I have written the EJB bean, home, remote and a test JSP page. Can someone tell me the exact procedure...step by step ways to deploy the JBOSS server and run my application.
    My package structure is
    MyProject
    ejb
    client
    Servlet.java
    server
    Bean.java
    shared
    home.java
    remote.java
    please tell the various jar files that i must include. Kindly give information about the directory structure, the xml file details and the WAR file generation
    Thankz in advance
    Arun :)

    That is a lot of stuff! At a basic level, you can create an EAR file and put it in the JBoss auto-deployment directory. In the EAR file you should have a WAR file for the web component and a JAR file for the EJB component. And inside each archive there should be a valid deployment descriptor that contains configuration data for the component. When you start up JBoss, the application will be deployed and accessible via web browser, or there will be error messages written to the server log.

  • Deploying J2ee application using JBOSS3.2.5 and Eclipse 3.0

    Hi all
    i am trying to deploy a J2EE application using JBOSS3.2.5 and Eclipse 3.0.
    I have written the EJB bean, home, remote and a test JSP page. Can someone tell me the exact procedure...step by step ways to deploy the JBOSS server and run my application.
    My package structure is
    MyProject
    ejb
    client
    Servlet.java
    server
    Bean.java
    shared
    home.java
    remote.java
    please tell the various jar files that i must include. Kindly give information about the directory structure, the xml file details and the WAR file generation.
    i googled this topic..but i got the results for eclipse 2.0....
    Thankz in advance
    Arun :)

    Don't cross-post:
    http://forum.java.sun.com/thread.jsp?thread=550678&forum=13&message=2689332
    http://forum.java.sun.com/thread.jsp?thread=550673&forum=31&message=2689289

  • First J2EE Application using IDE in sdn provided example

    Hi guys!
    REQ! can any one suggest!
    First J2EE Application using SAP Netweaver Developer Studio provided by SDN is deployed successfully to J2EE Engine but when I run the application JSP file in URL I am getting the Error as follows:
    500   Internal Server Error       SAP J2EE Engine/6.40 
      Application error occurred during the request processiong.
      Details:   com.sap.engine.services.servlets_jsp.server.exceptions.WebIOException:
      Error compiling [/CalculatorFdx300/CalculatorFdx300.jsp] in application [CalculatorFdx300].  The ID of this error is
    Exception id: [001125B854E9005F0000039E000013CC000414755D534457].
    with regards
    ganesh

    Hi Ganesh,
    It seems. It can be any one of the following
    1) Check the JDK Path
    2) Check the JNDI name
    3) Check the package structure
    4) Check the client file name and other files naming convention
    Hope it will resolve your problem
    cheers
    Jawahar Govindaraj

  • Is anyone doing disaster recovery for a J2EE application?

    We generally use database log shipping to maintain a standby database for our ABAP instances.  We can successfully fail over our production application to our disaster recovery site with no real issues.  With the J2EE instances (EP, ESS/MSS, BI, etc), we have a few concerns:
    hostname cannot change, without going through a system copy procedure, so we would have to keep the hostnames in DR the same. (for example, ref: oss note 757692 - changing hostname is not supported)
    fully qualified domain name - from what I understand, there are potentially issues with changing the fqdn, for example SSO certificates, BSPs, XI has issues, etc.
    we can't keep both hostname and fqdn the same between DR and production, or we could never do a DR test.
    Has anyone implemented disaster recovery for any SAP J2EE application that has run into these concerns and addressed them?  Input would be greatly appreciated regarding how you addressed these issues, or how you architected your disaster recovery implementation.
    Regards,
    David Hull
    The Walt Disney Company

    I haven't done this personally, but I do have some experience with these issues in different HA environments.
    To your first point:  You can change the hostname, note 757692 tells you exactly how to do it.  However like the note says, "Changing the name of a host server in a production system is not automatically supported by SAP."  When it says "supported by SAP" I think it means SAP the company, not SAP's software.  So I would contact SAP to see if this configuration would be covered under your service agreement.  Then you have to think about whether you want to do something that isn't "officially supported" by SAP.  Also I'm sure you'll need some kind of additional licensing for the DR systems as their hardware keys will be different.
    To your second point:  As for SSO certs (SAP Login Tickets), I think they should still work as long as the SID and client number of the issuing system remain the same.  I don't think they are hostname or fqdn dependent.  For BSPs I would think they would still work as long as they use relative paths rather than absolute paths.  And for XI... I have no idea what kind of issues may arise, I'm not an XI guy.
    Again, I haven't done what you're describing myself.  This is just based on my HA experiences.
    Hope this helps a little,
    Glenn

  • Portal User details and credentials for a J2EE application?

    Hi,
    I am trying to access a J2EE application which is deployed in  SAP Web Application Server. I want to maintain the security of this application depending the portal user. So I want to get the user id of the portal login to my J2EE application. For Example:
    A user with id "super" is logging into portal I want the userid "super" in my J2EE application how to get the userid to my J2EE application's servlet. Is this possible? If possible please tell how I can achieve it?
    Can I do it by creating HTTP System? If possible can u tell me where can I set the URL?
    Thanks,
    Ashok.

    hi,
    Certainly you can get the user id of the portal login in your J2EE application by using UME api's
    IUserFactory userFact = UMFactory.getUserFactory();
    IUser byUniqueId = userFact.getUser(uniqueID);          // String uniqueID
    IUser byLogonId = userFact.getUserByLogonID(logonID);   // String logonID
    Also have a look at this
    http://help.sap.com/saphelp_nw04/helpdata/en/15/abdc3ed98f7650e10000000a114084/frameset.htm
    Instead  of url iview, it would be better to use AppIntegrator
    Also have a look at this
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/events/webinars/using the user management api with ep applications.pdf
    Hope it helps...
    Regards,
    Ganesh N

  • Mapping SAP R3 role to EP role for WD ABAP Application

    Hi,
    I have a WD ABAP application which uses POWL component.
    I have assigned this application to a role in SAP R3 system.
    Now, I have created an iview in portal for this WD ABAP application.
    I want to map this SAP R/3 role to Portal Role so that only people having that role can see the application on portal.
    How do I handle this?
    Thanks and regards,
    Amey

    Hi,
    Scenario 1:
    You need to maintain 2 roles one from Portal and one from R/3
    On the portal end:
    Assign the role which have the WDA application to all the users who should have access.
    On the R/3 end:
    Assign the R/3 role which you have created to access the WDA application to all the users for whom you have added the Portal Role.
    Scenario 2:
    If using CUA (Central User Administration) as UME for Portal and also R/3 then you can maintain the roles from one place that is from CUA.
    You create a role in CUA and this role is shown as group in Portal now add the Portal role to the group or the CUA role.
    And create another role which gives access to the WDA application. Now add these 2 roles to all the users who are supposed to have access to the application.
    Hope this helps.
    Cheers-
    Pramod

  • Server Requirements for Launching J2EE Application on web

    Hi,
    I am new to web technologies, I apologize if I am asking a very basic question. I have developed a J2EE Web Application for Online Assessment. I use Tomcat as server and MySQL database. I am expecting around 1000 users to simultaneously undergo our assessment. The assessment is a computerized adaptive assessment. For running the statistical calculation, I am keeping some information in the User Session, which will be around 10 Kilobytes per user.
    I was trying to understand what would be the minimum system requirements (on processing speed and ram) for supporting this application.
    Is storing more information of Session could be a bottle neck for me in supporting maximum concurrent users?
    Anticipating your help.
    Thanks
    De Paul

    You should just be able to put the SWF and wrapper HTML file
    on the server, and it just "serves" the swf and wrapper file. I
    don't think there is anything else you need, unless you are using
    LifeCycle DS.

  • Users for the j2ee application

    hi friends,
    i want to create the users for J2EE applications.
    can i create the users only for j2ee engine ?
    how can i create these users?
    if i want to implement the sap
    is it necessary to buy the licence for j2ee users?
    thanks&regards,
    srinivas.

    Hi
    To create the users in J2EE applications is not an issue, but the licensing is always applicable as it is applicable for ABAP applications.
    There are two ways depends on configurations:
    1. If the UME store is ABAP, then you can create the users at ABAP side using SU01 and at java side using http://<hostname>:5<Systemnumber>00/useradmin
    2. If the UME store is JAVA, then you can only create using http://<hostname>:5<Systemnumber>00/useradmin
    The licensing for JAVA applications depends as ABAP is having, if you use it as production you have to pay the charges. Please contact your local SAP representative for further details

  • Emails Architecture for big J2EE Applications

    Hi all !
    Need some inputs regarding design of email sending mechanism in huge J2EE applications.
    We are having a medium based application (say 2 lakh subscribers) but may have a increase in
    subscriber base sooner. Its a 3-tier application using Struts (JSP), EJB & Database is Oracle 8i.
    Till now we are using Oracle jobs for submitting emails (asynchronous), it works fine for small subscriber
    base but increase in subscriber base will increase load on database and we want to avoid that.
    Concerned points are :
    1. What architecture is followed in big J2EE applications for sending emails asynchronously ?
    2. How much feasible is using JMS provided with weblogic app server for huge applications ?
    3. Does using messaging queues at app server end will degrade performance considerably ?
    Please see if anyone can help out in this..
    Puneet Gandhi

    I've used JMS + Weblogic (2 quad processor servers in cluster) and JMS in a system that took between 5,000 & 10,000 new users per day. It held up fine.
    I'm not an architect (more of a developer), but I would create a serializable NotificationBean, send it to a MessageBean, and let the MessageBean send the email. Providing your queues are persisting and that you limit the number of MessageBeans to something reasonable, I don't see why you should have performance problems.
    Alternatively if you use MQ I believe it has an email node that you can send messages to. Don't know much about this though.

  • What design aids for large-scale application (using LV6i) exist?

    I have a large-scale application that includes analog and digital I/O, motion control, multiple temperature readings, Ethernet communication, RS-232, DDE and ActiveX controls for communicating with other commercial software. We have to improve the system performance and ease the pain of maintaining and upgrading. What aids are there for large-scale application design and development?

    This doesn't exactly count as development "tools" but I can send you copies of three papers that I found when I was just getting started with LV. They can show you how to think about your problem--and that is really the hardest (and most important) part.
    Contact me directly and I'll email them to you. The archive is too large to post.
    Mike...
    Certified Professional Instructor
    Certified LabVIEW Architect
    LabVIEW Champion
    "... after all, He's not a tame lion..."
    Be thinking ahead and mark your dance card for NI Week 2015 now: TS 6139 - Object Oriented First Steps

  • [URGENT] : ERP11i Using SSO (OID)

    Greetings,
    I'm using ERP 11i Suite and Oracle AS 10.1.2.0.2 with ID Management 10.1.2
    1. does ERP11i users roles and responsibilities can be maintained in OID, so the user from OID be authenticated and then can use the ERP modules according to his access privileges, i mean user can see only to his portion of information which he is entitled to? i mean the user will be only maintained in OID as one centralised repository not in ERP.
    if this is possible then pls provide the documentation through which it could be implemented.
    Thanks & Regards,
    -Tarique Abdullah-

    You would need to maintain roles and responsibility in EBS11i. There isn't any provision yet to manage 11i roles and responsibility in OID. You can sync users ( one way or directional) between OID and 11i.

  • Oracle Discoverer 10G and mapping Active Directory to use SSO/OID

    Could anybody point me please to the right direction?
    1. I've setup Oracle 10gIAS but turned off SSO and my users running discoverer /portals with no SSO.
    2. My goal is to turn on SSO and synchronize it with Active directory on the windows box.
    Thank you in advance

    Hi Randy;
    As you mention all notes refer to SSO&OID for Active Directory integration. AFAIK there is no way to do it, please log an SR and confirm this with oracle support
    Regard
    Helios
