Hundreds of roles for a J2EE application using SSO/OID
We are starting to develop a J2EE software that will have hundreds of logical roles. These logical roles must be assignable to users and groups on OID.
When prototyping this scenario, we were not able to make this work well enough. Namely, in OIDDAS (which will be used by the end users to administrate users), all the "role groups" and user groups are always shown in one listing.
Ideally, what we would want is to only have configurable user groups visible in OIDDAS and all the fine-grained roles would be assignable to users and groups separately. The "Roles Assignment" section in user/group edit screen is quite close to the idea though having hundreds of low-level roles listed there will make administration a bit complex.
We have also considered hiding the raw "role groups" from OID by moving the low-level administration to Enterprise Manager, where multiple logical roles would be mapped to composite OID groups. However, we currently don't see this as a viable option since we don't want to allow normal login administrators access to OEM where they can break too many things.
How have you guys solved the problem of mapping hundreds of roles to user-configurable groups and users? What would you suggest? Is our planned approach (map logical roles to LDAP groups) the wrong way to try to solve the issue? What would be a better way?
Thanks in advance,
Keke
Hi Peter,
Thanks a lot for your post.
My requirement is such that I have to fetch nodes from WLP content management system and all the associated data (content, security related info) with that node. Since security for a particular node is in the form of roles, I need to fetch the roles list for the node under processing.
However my application requirement is such that any user can ask for retrieval of a node (its contents). In that case I need to check whether the user lies in the list of roles defined for the current node (node for which user asked).
Thus my requirement becomes: Checking whether a user is in the given list of roles.
A careful investigation of the APIs helped me find out a method isUserInRole(role, rolemap), but this method provides information for the logged in user only.
My application will login through admin credentials (weblogic, weblogic) and will check whether other users, say bryan, linda, are in the roles list of the nodes under processing.
Please guide.
Regards,
Shakti
Similar Messages
-
Trouble deploying a J2EE application using the J2EE 6.20 Deploy Tool
I am having trouble deploying a J2EE application using the J2EE 6.20 Deploy Tool.
I successfully create the WAR/EAR files, I then select deploy and the deploy process gets to 100% before displaying an error message.
Can anybody help?
Please see Deploy Tool log entry:
01:39 - **********************************************************
05/01/17 10:19:16 - Applying user role management mappings.
05/01/17 10:19:16 - Start updating EAR-file...D:\SAP_J2EEngine6.20_Cluster\deploying\carmodeller\carmodeller.ear
05/01/17 10:19:27 - Temp files deleted...
05/01/17 10:19:27 - Ear-file updated successfully for 11375ms.
05/01/17 10:19:27 - Start deploying ...
05/01/17 10:20:15 - Ear-file uploaded to server for 47297ms.
05/01/17 10:21:47 - ERROR: ID90506: NOT Deployed. ERROR returned from deploy service :
com.inqmy.services.deploy.container.DeploymentException: Can't init application carmodeller. com.inqmy.services.servlets_jsp.server.WebApplicationException: ID17110: Error in starting application carmodeller.java.lang.NullPointerException
at com.inqmy.services.servlets_jsp.server.ServletsAndJspImpl.deploy(ServletsAndJspImpl.java:482)
at com.inqmy.services.servlets_jsp.server.WebContainer.commitDeploy(WebContainer.java:256)
at com.inqmy.services.deploy.server.DeployServiceImpl.commit(DeployServiceImpl.java:2848)
at com.inqmy.services.deploy.server.DeployServiceImpl.deploy1(DeployServiceImpl.java:512)
at com.inqmy.services.deploy.server.DeployServiceImpl.deploy(DeployServiceImpl.java:140)
at com.inqmy.services.deploy.server.DeployServiceImplp4_Skel.dispatch(DeployServiceImplp4_Skel.java:184)
at com.inqmy.services.rmi_p4.DispatchImpl._run(DispatchImpl.java:157)
at com.inqmy.services.rmi_p4.server.P4SessionProcessor.request(P4SessionProcessor.java:108)
at com.inqmy.core.service.context.container.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:36)
at com.inqmy.core.cluster.impl5.ParserRunner.run(ParserRunner.java:55)
at com.inqmy.core.thread.impl0.ActionObject.run(ActionObject.java:46)
at java.security.AccessController.doPrivileged(Native Method)
at com.inqmy.core.thread.impl0.SingleThread.run(SingleThread.java:153)
05/01/17 10:21:47 - **********************************************************
Hi, it looks like the app has trouble starting up:
05/01/17 10:21:47 - ERROR: ID90506: NOT Deployed. ERROR returned from deploy service :
com.inqmy.services.deploy.container.DeploymentException: Can't init application carmodeller. com.inqmy.services.servlets_jsp.server.WebApplicationException: ID17110: Error in starting application carmodeller.java.lang.NullPointerException
Did you have any errors on the compile of the code?
You also want to check if the app is deployed (if so you may want to remove it before re-deploying it) -
Login module for the J2EE application
Hi ,
I am trying to use the BasicPasswordLoginModule for my J2EE application which will be deployed in the SAP J2EE engine. My application will not be accessed through the portal.
I am having a login screen in my application for which I want to use the already available login module, i.e. BasicPasswordLoginModule.
When I am trying to get the login(), I am getting the following error.
"javax.security.auth.login.LoginException: No LoginModules configured for BasicPasswordLoginModule".
Please let me know what needs to be done.
PS: The version environment is CE 7.1
Regards
Abu Bakar
Hi Julius
I am totally confused, my application is a pure J2EE application which has only one screen which just displays the details. And I want only the login screen to be implemented. I have gone through a couple of docs from SAP which tell to create a custom login module if required, but I want to use the FORM based authentication and use the BasicPasswordLoginModule (in-built in WAS).
All that I am doing is written a web.xml with the following information:
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/home.jsp</form-login-page>
    <form-error-page>/relogin.jsp</form-error-page>
  </form-login-config>
</login-config>
<security-role>
  <role-name>App_Viewer</role-name>
</security-role>
web-j2ee-engine with following information:
<security-role-map>
  <role-name>App_Viewer</role-name>
  <server-role-name>Administrator</server-role-name>
</security-role-map>
<login-module-configuration>
  <login-module-stack>
    <!-- Contains all login modules used for authentication -->
    <login-module>
      <!-- Contains information about one login module -->
      <login-module-name>BasicPasswordLoginModule</login-module-name>
      <flag>SUFFICIENT</flag>
      <options>
        <option>
          <!-- The option UserNamePrefix determines that the user name must start with "Admin" -->
          <name>UserNamePrefix</name>
          <value>Admin</value>
        </option>
      </options>
    </login-module>
  </login-module-stack>
  <security-policy-domain></security-policy-domain>
</login-module-configuration>
And I am not sure, if the above mentioned details are enough. My implementation code is as follows:
try {
    HttpServletRequest request = (HttpServletRequest) FacesContext.getCurrentInstance().getExternalContext().getRequest();
    HttpServletResponse response = (HttpServletResponse) FacesContext.getCurrentInstance().getExternalContext().getResponse();
    // Hand the submitted credentials to UME as request attributes
    request.setAttribute(ILoginConstants.LOGON_UID_ALIAS, this.getUserName());
    request.setAttribute(ILoginConstants.LOGON_PWD_ALIAS, this.getPassword());
    UMFactory.getLogonAuthenticator().logon(request, response, "BasicPasswordLoginModule");
    status = success;
} catch (Exception e) {
    e.printStackTrace();
    status = e.toString();
}
In the NWA I have just configured the UserNamePrefix with Admin, that's all. Since the form login authentication method is already configured with the BasicPasswordLoginModule, I left it untouched.
I also implemented a custom login module and deployed it but am not sure how to use it in my code.
Please let me know if I am on the right track. Correct me if I am wrong. At the end of the day I want to use the login screen just to get authenticated. I am also not bothered about the password changing etc., as the users who are going to use my application are the users in the Identity Management. Few portions of my screen should be allowed to be displayed based on the roles.
PS: My application is not configured in the portal. It's an independent application deployed on the WAS (CE 7.1).
Please advise
Regards
Abu Bakar -
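Under the Servlet specification, container-managed FORM login is only triggered when a request hits a resource covered by a security-constraint, and the web.xml excerpt posted above shows none. The descriptor below is an added example, not the poster's file: the /secure/* pattern is hypothetical, the Servlet 2.5 (Java EE 5) schema is assumed, and the role and page names are taken from the post.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the poster's file. Servlet 2.5 (Java EE 5) schema assumed. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">

  <!-- Without a security-constraint the container never challenges the
       client, so login-config alone has no effect. /secure/* is a
       hypothetical path; use the paths the application really serves. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected pages</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
      <!-- No http-method elements: the constraint covers every method. -->
    </web-resource-collection>
    <auth-constraint>
      <!-- Only callers holding this application role get through. -->
      <role-name>App_Viewer</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- The form posts the password as plain form data, so require TLS. -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <!-- home.jsp must POST the fields j_username and j_password to the
           action j_security_check; the container performs the
           authentication. Both pages stay outside /secure/* so they can
           be served to unauthenticated clients. -->
      <form-login-page>/home.jsp</form-login-page>
      <form-error-page>/relogin.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>App_Viewer</role-name>
  </security-role>
</web-app>
```

Once the container has authenticated the caller, role-dependent parts of a page can be guarded with the standard HttpServletRequest.isUserInRole("App_Viewer") check. The posted security-role-map ties App_Viewer to the server role Administrator; a dedicated low-privilege server role keeps a viewer role from requiring administrator membership.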
Building J2EE Applications using JBOSS and ECLIPSE 3.0
Hi all
I am trying to deploy a J2EE application using JBOSS3.2.5 and Eclipse 3.0.
I have written the EJB bean, home, remote and a test JSP page. Can someone tell me the exact procedure...step by step ways to deploy the JBOSS server and run my application.
My package structure is
MyProject
ejb
client
Servlet.java
server
Bean.java
shared
home.java
remote.java
Please tell the various jar files that I must include. Kindly give information about the directory structure, the xml file details and the WAR file generation.
Thankz in advance
Arun :)
That is a lot of stuff! At a basic level, you can create an EAR file and put it in the JBoss auto-deployment directory. In the EAR file you should have a WAR file for the web component and a JAR file for the EJB component. And inside each archive there should be a valid deployment descriptor that contains configuration data for the component. When you start up JBoss, the application will be deployed and accessible via web browser, or there will be error messages written to the server log.
-
Deploying J2ee application using JBOSS3.2.5 and Eclipse 3.0
Hi all
I am trying to deploy a J2EE application using JBOSS3.2.5 and Eclipse 3.0.
I have written the EJB bean, home, remote and a test JSP page. Can someone tell me the exact procedure...step by step ways to deploy the JBOSS server and run my application.
My package structure is
MyProject
ejb
client
Servlet.java
server
Bean.java
shared
home.java
remote.java
Please tell the various jar files that I must include. Kindly give information about the directory structure, the xml file details and the WAR file generation.
I googled this topic, but I got the results for Eclipse 2.0....
Thankz in advance
Arun :)
Don't cross-post:
http://forum.java.sun.com/thread.jsp?thread=550678&forum=13&message=2689332
http://forum.java.sun.com/thread.jsp?thread=550673&forum=31&message=2689289 -
First J2EE Application using IDE in sdn provided example
Hi guys!
REQ! can any one suggest!
First J2EE Application using SAP Netweaver Developer Studio provided by SDN is deployed successfully to J2EE Engine but when I run the application JSP file in URL I am getting the Error as follows:
500 Internal Server Error SAP J2EE Engine/6.40
Application error occurred during the request processiong.
Details: com.sap.engine.services.servlets_jsp.server.exceptions.WebIOException:
Error compiling [/CalculatorFdx300/CalculatorFdx300.jsp] in application [CalculatorFdx300]. The ID of this error is
Exception id: [001125B854E9005F0000039E000013CC000414755D534457].
with regards
ganesh
Hi Ganesh,
It seems. It can be any one of the following
1) Check the JDK Path
2) Check the JNDI name
3) Check the package structure
4) Check the client file name and other files naming convention
Hope it will resolve your problem
cheers
Jawahar Govindaraj -
Is anyone doing disaster recovery for a J2EE application?
We generally use database log shipping to maintain a standby database for our ABAP instances. We can successfully fail over our production application to our disaster recovery site with no real issues. With the J2EE instances (EP, ESS/MSS, BI, etc), we have a few concerns:
hostname cannot change, without going through a system copy procedure, so we would have to keep the hostnames in DR the same. (for example, ref: oss note 757692 - changing hostname is not supported)
fully qualified domain name - from what I understand, there are potentially issues with changing the fqdn, for example SSO certificates, BSPs, XI has issues, etc.
we can't keep both hostname and fqdn the same between DR and production, or we could never do a DR test.
Has anyone implemented disaster recovery for any SAP J2EE application that has run into these concerns and addressed them? Input would be greatly appreciated regarding how you addressed these issues, or how you architected your disaster recovery implementation.
Regards,
David Hull
The Walt Disney Company
I haven't done this personally, but I do have some experience with these issues in different HA environments.
To your first point: You can change the hostname, note 757692 tells you exactly how to do it. However like the note says, "Changing the name of a host server in a production system is not automatically supported by SAP." When it says "supported by SAP" I think it means SAP the company, not SAP's software. So I would contact SAP to see if this configuration would be covered under your service agreement. Then you have to think about whether you want to do something that isn't "officially supported" by SAP. Also I'm sure you'll need some kind of additional licensing for the DR systems as their hardware keys will be different.
To your second point: As for SSO certs (SAP Login Tickets), I think they should still work as long as the SID and client number of the issuing system remain the same. I don't think they are hostname or fqdn dependent. For BSPs I would think they would still work as long as they use relative paths rather than absolute paths. And for XI... I have no idea what kind of issues may arise, I'm not an XI guy.
Again, I haven't done what you're describing myself. This is just based on my HA experiences.
Hope this helps a little,
Glenn -
Portal User details and credentials for a J2EE application?
Hi,
I am trying to access a J2EE application which is deployed in SAP Web Application Server. I want to maintain the security of this application depending the portal user. So I want to get the user id of the portal login to my J2EE application. For Example:
A user with id "super" is logging into portal. I want the userid "super" in my J2EE application. How do I get the userid to my J2EE application's servlet? Is this possible? If possible please tell how I can achieve it?
Can I do it by creating HTTP System? If possible can u tell me where can I set the URL?
Thanks,
Ashok.
Hi,
Certainly you can get the user id of the portal login in your J2EE application by using UME APIs
IUserFactory userFact = UMFactory.getUserFactory();
IUser userById = userFact.getUser(uniqueID);              // look up by unique ID
IUser userByLogon = userFact.getUserByLogonID(logonID);   // look up by logon ID
Also have a look at this
http://help.sap.com/saphelp_nw04/helpdata/en/15/abdc3ed98f7650e10000000a114084/frameset.htm
Instead of url iview, it would be better to use AppIntegrator
Also have a look at this
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/events/webinars/using the user management api with ep applications.pdf
Hope it helps...
Regards,
Ganesh N
-
Mapping SAP R3 role to EP role for WD ABAP Application
Hi,
I have a WD ABAP application which uses POWL component.
I have assigned this application to a role in SAP R3 system.
Now, I have created an iview in portal for this WD ABAP application.
I want to map this SAP R/3 role to Portal Role so that only people having that role can see the application on portal.
How do I handle this?
Thanks and regards,
Amey
Hi,
Scenario 1:
You need to maintain 2 roles one from Portal and one from R/3
On the portal end:
Assign the role which have the WDA application to all the users who should have access.
On the R/3 end:
Assign the R/3 role which you have created to access the WDA application to all the users for whom you have added the Portal Role.
Scenario 2:
If using CUA (Central User Administration) as UME for Portal and also R/3 then you can maintain the roles from one place that is from CUA.
You create a role in CUA and this role is shown as group in Portal now add the Portal role to the group or the CUA role.
And create another role which gives access to the WDA application. Now add these 2 roles to all the users who are supposed to have access to the application.
Hope this helps.
Cheers-
Pramod -
Server Requirements for Launching J2EE Application on web
Hi,
I am new to web technologies, I apologize if I am asking a very basic question. I have developed a J2EE Web Application for Online Assessment. I use Tomcat as server and MySQL database. I am expecting around 1000 users to simultaneously undergo our assessment. The assessment is a computerized adaptive assessment. For running the statistical calculation, I am keeping some information in the User Session, which will be around 10 Kilobytes per user.
I was trying to understand what would be the minimum system requirements (on processing speed and RAM) for supporting this application.
Could storing more information in the Session be a bottleneck for me in supporting maximum concurrent users?
Anticipating your help.
Thanks
De Paul
You should just be able to put the SWF and wrapper HTML file
on the server, and it just "serves" the swf and wrapper file. I
don't think there is anything else you need, unless you are using
LifeCycle DS. -
Users for the j2ee application
hi friends,
I want to create the users for J2EE applications.
Can I create the users only for J2EE engine?
How can I create these users?
If I want to implement SAP,
is it necessary to buy the licence for J2EE users?
thanks & regards,
srinivas.
Hi
To create the users in J2EE applications is not an issue, but the licensing is always applicable as it is applicable for ABAP applications.
There are two ways depends on configurations:
1. If the UME store is ABAP, then you can create the users at ABAP side using SU01 and at java side using http://<hostname>:5<Systemnumber>00/useradmin
2. If the UME store is JAVA, then you can only create using http://<hostname>:5<Systemnumber>00/useradmin
The licensing for JAVA applications depends as ABAP is having, if you use it as production you have to pay the charges. Please contact your local SAP representative for further details -
Emails Architecture for big J2EE Applications
Hi all !
Need some inputs regarding design of email sending mechanism in huge J2EE applications.
We are having a medium based application (say 2 lakh subscribers) but may have an increase in
subscriber base sooner. It's a 3-tier application using Struts (JSP), EJB & Database is Oracle 8i.
Till now we are using Oracle jobs for submitting emails (asynchronous), it works fine for small subscriber
base but increase in subscriber base will increase load on database and we want to avoid that.
Concerned points are :
1. What architecture is followed in big J2EE applications for sending emails asynchronously ?
2. How much feasible is using JMS provided with weblogic app server for huge applications ?
3. Does using messaging queues at app server end will degrade performance considerably ?
Please see if anyone can help out in this..
Puneet Gandhi
I've used JMS + Weblogic (2 quad processor servers in cluster) and JMS in a system that took between 5,000 & 10,000 new users per day. It held up fine.
I'm not an architect (more of a developer), but I would create a serializable NotificationBean, send it to a MessageBean, and let the MessageBean send the email. Providing your queues are persisting and that you limit the number of MessageBeans to something reasonable, I don't see why you should have performance problems.
Alternatively if you use MQ I believe it has an email node that you can send messages to. Don't know much about this though. -
What design aids for large-scale application (using LV6i) exist?
I have a large-scale application that includes analog and digital I/O, motion control, multiple temperature readings, Ethernet communication, RS-232, DDE and ActiveX controls for communicating with other commercial software. We have to improve the system performance and ease the pain of maintaining and upgrading. What aids are there for large-scale application design and development?
This doesn't exactly count as development "tools" but I can send you copies of three papers that I found when I was just getting started with LV. They can show you how to think about your problem--and that is really the hardest (and most important) part.
Contact me directly and I'll email them to you. The archive is too large to post.
Mike...
Certified Professional Instructor
Certified LabVIEW Architect
LabVIEW Champion
"... after all, He's not a tame lion..."
Be thinking ahead and mark your dance card for NI Week 2015 now: TS 6139 - Object Oriented First Steps -
[URGENT] : ERP11i Using SSO (OID)
Greetings,
I'm using ERP 11i Suite and Oracle AS 10.1.2.0.2 with ID Management 10.1.2
1. Can ERP11i users' roles and responsibilities be maintained in OID, so the user from OID is authenticated and then can use the ERP modules according to his access privileges? I mean the user can see only his portion of information which he is entitled to. I mean the user will be only maintained in OID as one centralised repository, not in ERP.
If this is possible then pls provide the documentation through which it could be implemented.
Thanks & Regards,
-Tarique Abdullah-
You would need to maintain roles and responsibility in EBS11i. There isn't any provision yet to manage 11i roles and responsibility in OID. You can sync users ( one way or directional) between OID and 11i.
-
Oracle Discoverer 10G and mapping Active Directory to use SSO/OID
Could anybody point me please to the right direction?
1. I've setup Oracle 10gIAS but turned off SSO and my users running discoverer /portals with no SSO.
2. My goal is to turn on SSO and synchronize it with Active directory on the windows box.
Thank you in advance
Hi Randy;
As you mention, all notes refer to SSO & OID for Active Directory integration. AFAIK there is no way to do it, please log an SR and confirm this with Oracle support
Regards
Helios