J2EE Container Security - Duplication inevitable? (Attn: Frank)

Frank:
Just to be clear, so you are saying I will have duplication of roles in "application_roles" table and the web.xml. And, this is the only way I could "authenticate" using "application_users" table data and "authorize" using "application_roles" existing in a totally different database schema!
Hmmm. Almost seems like existence of "application_roles" table is not required in the setup I described. After authentication, I have to hit the web.xml to get the roles for the authenticated users anyway? Why bother with extra work with database? Am I right?
By the way, I am repeating my setup and your answers to refresh your memory because you get many inquiries.
UPDATE as of 14:30 pm. I think I may be showing my ignorance here. I guess user's role is decided by table "application_roles." You then use the isUserInRole() merely to set read/write/view permissions. But, I am not quite sure yet. Hence I will leave this post for your answer. I am not quite done with my analysis before deciding to change this post.
Thanks
To refresh:
My set up. I have ADFBC. I have using SRDemo with a twist. I am using your new doc "Database authentication and Auth in J2EE container managed security."- not ADF security from SRDemo's last chapter. I ignored the ADF Security part in the SRDemo. I have "application_roles" and srdemo tables in one database schema and "application_users" in a totally different schema.
You wrote:
web.xml is used to define authorization based on security constraints expressed in URL patterns. However, for each of the user roles - e.g. PRESIDENT - you need to create a role in web.xml with the same name. When you then call isUserInRole() from the JSF application then it checks web.xml for the security role and then attempts to verify that the user has this role granted. It is not obvious why web.xml needs to have the role defined. There exists a reason that however would add more to your confusion than to your success ;-)
Youcan use the same approach SRDemo uses in that you provide a managed bean with boolean methods like isPresident(), isManager() etc. The methods perform "isUserInRole()"
Then you use EL to access these methods to hide/show components

Hi
Just to be clear, so you are saying I will have duplication of roles in "application_roles" table and the web.xml. And, this is the only way I could "authenticate" using "application_users" table data and "authorize" using "application_roles" existing in a totally different database schema!
The table is the security provider wheras web.xml defines the security roles that you can work with in your program code. The J2EE servlet spec defines a separation of application roles and groups or roles in the security provider. There is an additional step between roles in web.xml and the security provider, which is that you could map the role name in web.xml to a security role name. I never tested this with custom LoginModules and for this reason the two role names match.
The goal of container managed security is that the developer can build the secure web application without having to know about the security roles defined on the security provider.
Note that anything that you call in application code within container managed security - and this is not specific to Oracle - is checked against the web.xml file which is mapped to the security provider. If e.g. you use JBoss then you could configure a database module to handle the authentication and authorization. But still the security role needs to be provided in web.xml
Frank

Similar Messages

Config Repository and Security management Tools, Attn Frank/anyone

Hi Frank:
I am trying to change permissions not from JDEV but from a "tool." Our customer might want to change permissions once delivered.
I looked over the link you sent me. I am somewhat confused. On Page 17, it says "use Application Server Control" for Users/Roles .
For policies, it says use JAAS Provider Tool (which is the command line tool, I guess). However, third column says Tools for JAAS Login Module (n/a).
I am assuming I have start start_oc4j.bat whether it is standalone or embedded.
"App Server Control" tool web-based and started via http://localhost:8888/em? Looks like there is a place to change default module. Wonder we can use the tool to set secure-web-app?
For policies, and JAAS AdminTool, how do I issue the commands. Is this the one to do with changing permissions? Do I have to specify all paths when issuing commands? Where are the commands doc?
I am testing in embedded environment, not standalone. Can I still use the above tools and how? (Any doc/examples)
Lastly, I am not even sure if I can use any of these? I use custom JAAS Login Module and the doc says "n/a". Does that mean I have to change permissions manually?
Thanks

Hi,
actually enterprise managed in OC4J might not be as powerful as EM in ApplicationServer. I never used both of them to configure security and instead used Textpad as I am feeling confident with the syntax to use.
Frank

ADF Security to J2EE Container Managed Security Problems

Hi al!
I had ADF security enabled in my application. I've added roles and users to embedded OC4J Server Preferences..., configured authorization using pageDefs... (following the Introduction to ADF Security in JDeveloper 10.1.3.2 howto).
For the sake of friendlier user and roles management I decided to go to 2EE Container Managed Security (I want application manager in production environment to be able to manage users in only one place, not in DB table and extra for web app). I followed Frank Nimphius's Database Authentication and Authorization in J2EE Container Managed Security article.
Now I have some problems. I removed users and roles from embedded OC4J Server Preferences... (I believe this are used only for ADF security, am I right?). I can log to application with admin user account (app index page doesn't have any binds and even pageDef), but when trying to access admin pages I get 401 Unauthorized page.
What am I doing wrong, probably I've forgotten something? I'm a bit confused now with users and roles settings and ADF and container managed security.
Part of my web.xml file:
<servlet>
<servlet-name>adfAuthentication</servlet-name>
<servlet-class>oracle.adf.share.security.authentication.AuthenticationServlet</servlet-class>
<init-param>
<param-name>success_url</param-name>
<param-value>/faces/app/index.jspx</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>adfAuthentication</servlet-name>
<url-pattern>/adfAuthentication/*</url-pattern>
</servlet-mapping>
<security-role>
<description>Admins</description>
<role-name>admin_role</role-name>
</security-role>
<security-role>
<description>Users</description>
<role-name>user_role</role-name>
</security-role>
<security-role>
<role-name>oc4j-administrators</role-name>
</security-role>
<security-constraint>
<web-resource-collection>
<web-resource-name>AllAdmins</web-resource-name>
<url-pattern>faces/admin/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin_role</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>AllUsers</web-resource-name>
<url-pattern>faces/app/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>user_role</role-name>
<role-name>admin_role</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>adfAuthentication</web-resource-name>
<url-pattern>/adfAuthentication</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>oc4j-administrators</role-name>
<role-name>user_role</role-name>
<role-name>admin_role</role-name>
</auth-constraint>
</security-constraint>
Do I have to remove this adfAuthentication tags?
I know I've made things a bit complicated for me now and for anyone to help, but I hope I will get at least some pointers what to do now and maybe some explanation about roles in container managed security? Is it enaugh to have security constraints and roles defined in web.xml file or they have to be defined somewhere else also (beside the database)?
Thank you in advance!
Bye
PS
Maybe stack trace after login:
FINE: LoginConfigProvider.ctr: lmm=[LoginModuleManager: jznCfg=[JAZNConfig null], appConfigEntries={oracle.security.jazn.oc4j.CertificateAuthenticator=[javax.security.auth.login.AppConfigurationEntry@3625d0], oracle.security.jazn.tools.Admintool=[javax.security.auth.login.AppConfigurationEntry@eca6e7], oracle.security.jazn.oc4j.WebCoreIDSSOAuthenticator=[javax.security.auth.login.AppConfigurationEntry@c1c7c4], oracle.security.jazn.oc4j.DigestAuthenticator=[javax.security.auth.login.AppConfigurationEntry@221f81], oracle.security.wss.jaas.SAMLAuthManager=[javax.security.auth.login.AppConfigurationEntry@426e05], oracle.security.jazn.oc4j.JAZNUserManager=[javax.security.auth.login.AppConfigurationEntry@145240a], current-workspace-app=[javax.security.auth.login.AppConfigurationEntry@4120aa], oracle.security.wss.jaas.JAASAuthManager=[javax.security.auth.login.AppConfigurationEntry@1c78f98]}]
24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule initialize
FINE: [DBTableOraDataSourceLoginModule] option data_source_name = jdbc/TESTDbDS
24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule initialize
FINE: [DBTableOraDataSourceLoginModule] option table = APPLICATION_USER
24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule initialize
FINE: [DBTableOraDataSourceLoginModule] option groupMembershipTableName = APPLICATION_ROLE
24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule initialize
FINE: [DBTableOraDataSourceLoginModule] option usernameField = USR_EMAIL
24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule initialize
FINE: [DBTableOraDataSourceLoginModule] option passwordField = USR_PSW
24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule initialize
FINE: [DBTableOraDataSourceLoginModule] option groupMembershipGroupFieldName = ROLE_NAME
24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule initialize
FINE: [DBTableOraDataSourceLoginModule] option user_pk_column = USR_EMAIL
24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule initialize
FINE: [DBTableOraDataSourceLoginModule] option roles_fk_column = USR_EMAIL
24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule initialize
FINE: [DBTableOraDataSourceLoginModule] option pw_encoding_class = null
24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule initialize
FINE: [DBTableOraDataSourceLoginModule] option realm_column = null
24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule initialize
FINE: [DBTableOraDataSourceLoginModule] option application_realm = null
24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule initialize
FINE: [DBTableOraDataSourceLoginModule] option casing = toupper
24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule login
FINE: [DBTableOraDataSourceLoginModule]login called on DBTableLoginModule
24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule login
FINE: [DBTableOraDataSourceLoginModule]Calling callbackhandler ...
24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule login
FINE: [DBTableOraDataSourceLoginModule]Username returned by callback = admin
24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule login
FINE: [DBTableOraDataSourceLoginModule]Username changed to case as defined by toupper to ADMIN
24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule performDbAuthentication
FINE: [DBTableOraDataSourceLoginModule]User query string: select USR_EMAIL,USR_PSW from APPLICATION_USER where USR_EMAIL= (?)
24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule performDbAuthentication
FINE: [DBTableOraDataSourceLoginModule]User primary key value found = ADMIN
24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule performDbAuthentication
FINE: [DBTableOraDataSourceLoginModule]Password encoded by: oracle.security.jazn.login.module.db.util.DBLoginModuleClearTextEncoder
24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule performDbAuthentication
FINE: [DBTableOraDataSourceLoginModule]User ADMIN authenticated successfully
24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule performDbAuthentication
FINE: [DBTableOraDataSourceLoginModule]Roles query string: select ROLE_NAME from APPLICATION_ROLE where USR_EMAIL= (?)
24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule performDbAuthentication
FINE: [DBTableOraDataSourceLoginModule]DBUser Principal Name: ADMIN
24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule performDbAuthentication
FINE: [DBTableOraDataSourceLoginModule]DBRole Principal Name: admin_role
24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule login
FINE: [DBTableOraDataSourceLoginModule]Logon Successful = true
24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule commit
FINE: [DBTableOraDataSourceLoginModule]Subject contains 0 Principals before auth
24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule commit
FINE: [DBTableOraDataSourceLoginModule]Local LM commit succeeded
24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule commit
FINE: [DBTableOraDataSourceLoginModule]Subject contains 2 Principals after auth
24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule commit
FINE: [DBTableOraDataSourceLoginModule]Cleaning internal state!

Hi there!
I have another question about this. I've modified a bit DBRolePrincipal class to see what's going on. At the beginning of the equals(Object another) method I added this lines:
log("method equals start",0);
log("another type = " + another.getClass(), 0);
if (another instanceof Principal)
Principal mine = (Principal)another;
log("Principal mine.getName() = " + mine.getName(), 0);
The result is this output (after navigating to page that gives 401 forbidden):
07/10/12 08:38:36 [DBRolePrincipal] method equals start
07/10/12 08:38:36 [DBRolePrincipal] another type = class oracle.security.jazn.oc4j.JAZNUserAdaptor
07/10/12 08:38:36 [DBRolePrincipal] Principal mine.getName() = admin_user
07/10/12 08:38:36 [DBRolePrincipal] method equals start
07/10/12 08:38:36 [DBRolePrincipal] another type = class oracle.adf.share.security.authentication.ADFRolePrincipal
07/10/12 08:38:36 [DBRolePrincipal] Principal mine.getName() = anyone
07/10/12 08:38:36 [DBRolePrincipal] method equals start
07/10/12 08:38:36 [DBRolePrincipal] another type = class oracle.security.jazn.oc4j.JAZNUserAdaptor
07/10/12 08:38:36 [DBRolePrincipal] Principal mine.getName() = admin_user
07/10/12 08:38:36 [DBRolePrincipal] method equals start
07/10/12 08:38:36 [DBRolePrincipal] another type = class oracle.adf.share.security.authentication.ADFRolePrincipal
07/10/12 08:38:36 [DBRolePrincipal] Principal mine.getName() = anyone
07/10/12 08:38:36 [DBRolePrincipal] method equals start
07/10/12 08:38:36 [DBRolePrincipal] another type = class oracle.security.jazn.oc4j.JAZNUserAdaptor
07/10/12 08:38:36 [DBRolePrincipal] Principal mine.getName() = admin_user
07/10/12 08:38:36 [DBRolePrincipal] method equals start
07/10/12 08:38:36 [DBRolePrincipal] another type = class oracle.adf.share.security.authentication.ADFRolePrincipal
07/10/12 08:38:36 [DBRolePrincipal] Principal mine.getName() = anyone
07/10/12 08:38:36 [DBRolePrincipal] method equals start
07/10/12 08:38:36 [DBRolePrincipal] another type = class oracle.security.jazn.oc4j.JAZNUserAdaptor
07/10/12 08:38:36 [DBRolePrincipal] Principal mine.getName() = admin_user
07/10/12 08:38:36 [DBRolePrincipal] method equals start
07/10/12 08:38:36 [DBRolePrincipal] another type = class oracle.adf.share.security.authentication.ADFRolePrincipal
07/10/12 08:38:36 [DBRolePrincipal] Principal mine.getName() = anyone
07/10/12 08:38:36 [DBRolePrincipal] method equals start
07/10/12 08:38:36 [DBRolePrincipal] another type = class oracle.security.jazn.oc4j.JAZNUserAdaptor
07/10/12 08:38:36 [DBRolePrincipal] Principal mine.getName() = admin_user
07/10/12 08:38:36 [DBRolePrincipal] method equals start
07/10/12 08:38:36 [DBRolePrincipal] another type = class oracle.adf.share.security.authentication.ADFRolePrincipal
07/10/12 08:38:36 [DBRolePrincipal] Principal mine.getName() = anyone
07/10/12 08:38:36 [DBRolePrincipal] method equals start
07/10/12 08:38:36 [DBRolePrincipal] another type = class oracle.security.jazn.oc4j.JAZNUserAdaptor
07/10/12 08:38:36 [DBRolePrincipal] Principal mine.getName() = admin_user
07/10/12 08:38:36 [DBRolePrincipal] method equals start
07/10/12 08:38:36 [DBRolePrincipal] another type = class oracle.adf.share.security.authentication.ADFRolePrincipal
07/10/12 08:38:36 [DBRolePrincipal] Principal mine.getName() = anyone
07/10/12 08:38:36 [DBRolePrincipal] method equals start
07/10/12 08:38:36 [DBRolePrincipal] another type = class oracle.security.jazn.oc4j.JAZNUserAdaptor
07/10/12 08:38:36 [DBRolePrincipal] Principal mine.getName() = admin_user
07/10/12 08:38:36 [DBRolePrincipal] method equals start
07/10/12 08:38:36 [DBRolePrincipal] another type = class oracle.adf.share.security.authentication.ADFRolePrincipal
07/10/12 08:38:36 [DBRolePrincipal] Principal mine.getName() = anyone
Why is the name of ADFRolePrincipal always anyone? When I sign in with this user the output says:
07/10/12 08:46:09 [DBTableOraDatasourceLoginModule] User query string: select USERNAME,PASSWORD from ACTIVE_APP_USER_V where USERNAME= (?)
07/10/12 08:46:09 [DBTableOraDatasourceLoginModule] User primary key value found = admin_user
07/10/12 08:46:09 [DBTableOraDatasourceLoginModule] Password encoded by: oracle.sample.dbloginmodule.util.DBLoginModuleCearTextEncoder
07/10/12 08:46:09 [DBTableOraDatasourceLoginModule] User admin_user authenticated successfully
07/10/12 08:46:09 [DBTableOraDatasourceLoginModule] Roles query string: select ROLE_NAME from ACTIVE_APP_ROLE_V where USERNAME= (?)
07/10/12 08:46:09 [DBTableOraDatasourceLoginModule] DBRole Principal Name: admin_role
07/10/12 08:46:09 [DBTableOraDatasourceLoginModule] DBUser Principal Name: admin_user
07/10/12 08:46:09 [DBTableOraDatasourceLoginModule] Logon Successful = true
07/10/12 08:46:09 [DBTableOraDatasourceLoginModule] Subject contains 0 Principals before auth
07/10/12 08:46:09 [DBUserPrincipal] method equals start
07/10/12 08:46:09 [DBUserPrincipal] another type = class oracle.sample.dbloginmodule.principals.DBRolePrincipal
07/10/12 08:46:09 [DBTableOraDatasourceLoginModule] Local LM commit succeeded
07/10/12 08:46:09 [DBTableOraDatasourceLoginModule] Subject contains 2 Principals after auth
07/10/12 08:46:09 [DBTableOraDatasourceLoginModule] Cleaning internal state!
Frank, if you haven't given up on this issue yet could you please try to explain this to me? Why doesn't admin_role principal never get compared in [equals[/i] method?
Thank you!
BB

Database Auth in J2EE and Page authorization, Attn: Frank

Frank:
(1) In one of your replies to my queries, you said that page authorization and permissions (the way it is available now in a file based security where one can go to Edit Authorization on each page and grant read/write) is not available in a J2EE Container managed Security with database schema table based security provider that used custom LoginModules till JDev 11. Till then, is there an alternative way?
(2) Is a tool of some sort in the works for page authorization that can be given to customers? Otherwise it will be nightmare if customers call in and say they want to change authorizations every second and one has to go to JDeveloper to manually check the checkboxes on the pages from "Edit Authorization" and deliver another release after changes.
(3) Lastly, from your replies, it looks like LoginModules are powerful. You mentioned that you can write one to access multiple database connections to access different tables in different schema etc. is there a link to a how-to that addresses this? (Something that may apply to accessing APPLICATION_USERS in one schema and APPLICATION_ROLES and all the SRDemo tables (as a test case)in another schema. I recall it being there somewhere. I want to get "very" familiar with it. By the way, your DBTableOraDataSourcesLoginModule is working very well with the tables in my Oracle JExpress database. Thanks...
Thanks

Hi, Frank,
I followed your how-to document of Database Authentication and Authorization in J2EE Container Managed Security to set up a test application. However, I came to a point that the authentication and authorization seemed ok but received 401 unauthorized error. Here is the log I received
2007年11月7日下午04:52:51 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule login
細緻: [DBTableOraDataSourceLoginModule]Logon Successful = true
2007年11月7日下午04:52:51 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule commit
細緻: [DBTableOraDataSourceLoginModule]Subject contains 0 Principals before auth
2007年11月7日下午04:52:51 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule commit
細緻: [DBTableOraDataSourceLoginModule]Local LM commit succeeded
2007年11月7日下午04:52:51 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule commit
細緻: [DBTableOraDataSourceLoginModule]Subject contains 5 Principals after auth
2007年11月7日下午04:52:51 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule commit
細緻: [DBTableOraDataSourceLoginModule]Cleaning internal state!
2007年11月7日下午04:52:53 oracle.adfinternal.view.faces.application.ViewHandlerImpl _checkTimestamp
資訊: ADF Faces is running with time-stamp checking enabled. This should not be used in a production environment. See the oracle.adf.view.faces.CHECK_FILE_MODIFICATION property in WEB-INF/web.xml
What may go wrong? web.xml? system-jazn-data.xml ? application.xml ? or data-sources.xml?
Your advice would be appreciated.

Security Athorization without authentication - wiill this work? Attn Frank

Hi Frank:
Fun never stops and never know what is coming.
Just when I have my nice tables set up for authentication and authorization,
now I hear that I have to test a scenario where authentication is going to be provided by an external utilty (An LDAP Server behind which PeopleSoft tables have username/pw) info. My questions are:
(1) Is it possible to turn off authentication via J2EE Container but keep Authorization on? I want the ability to use page related security roles! And, yes, there will be a table with usernames and roles as well (which is working).
Change: However, the table with usernames and passwords will be in a PeopleSoft table behind LDAP. (The authentication does work with a few tweaks in web.xml. So, can't complaint there)
(2) Is there a better solution (given the external authentication utility is a given)?
(3) Is there a way to fool JAAS to say, ok don't show the login screen but you are authorized? I now wonder what the DBTableLoginModule do? Can we tell it, "forget authentication, just get the roles?"
I really don't want to lose the authorization provided by JAAS and, not to mention, permissions (which I have not gotten to work but more about that on another post).
Thanks

Hi,
1) as said, nothing prevents you from building a JAAS LoginModule that does what you need - e.g. authenticate a user against LDAP, then connect to the database and query for his/her user roles. You can't have container managed authorization without authentication though.
There will be a change in API in JDeveloper 11 (and most likely in JDeveloper 10.1.3.4 - upcoming) that allows you to set a Subject into the OC4J context, in which case you don't need container managed autehntication. However, I don't have it tested yet and can't tell to what extend this would be useful
3) Sure, you can build a JAAS LoginModule that doesn't care for authentication. However, this doesn't work with container managed security. As far as I am aware, the only option to not show a login dialog is to use certificates. And certificates are not yet to use with custom LoginModules. So the above mentioned API - that is available as a backported patch for 10.1.3.1 - might do the trick
Frank

PAPI client is running outside a j2ee container

Hi,
I install BPM J2EE 10.3.1 for linux and weblogic 10.3 for linux on Red Hat Linux Enterprise 5. The database' version is 10.2.0.1 for windows and the database is install in window server 2003 sp1 on another machine.
I search this forum and copy and change the code. But I still get error "PAPI client is running outside a j2ee container"
The java code runs in the 3rd machine.
-------------------------java code-------------------------------------------------
Properties configuration = new Properties();
configuration.setProperty(ProcessService.DIRECTORY_ID, "Default");
configuration.setProperty(ProcessService.DIRECTORY_PROPERTIES_FILE, "F:\\share\\192.168.1.103\\directory.xml");
Properties systemProperties = System.getProperties();
systemProperties.setProperty("java.naming.factory.initial", "weblogic.jndi.WLInitialContextFactory");
systemProperties.setProperty("java.naming.provider.url", "t3://192.168.1.103:7001");
ProcessService processService = ProcessService.create(configuration);
ConnectionPassport Conpassport = processService.createPassportWithPreset("container-auth");
Conpassport.setParticipant("jcooper");
Conpassport.setPassword("welcome1");
System.out.println("34");
Conpassport.fillPassport();
System.out.println("36");
ProcessServiceSession session = processService.createSession(Conpassport, null);
System.out.println("38");
String processName = "/processA";
Arguments arguments = Arguments.create();
System.out.println("41");
session.processCreateInstance(processName, "BeginIn", arguments);//
System.out.println("43");
-----------------------error message----------------------------------------------------
D:\JDeveloper11g_20090318\jdk160_05\bin\javaw.exe -client -classpath E:\Jdeveloper10131_20090318\jdev\mywork\GDHZDJDCIntegrationTest\HZGTprocess\classes;D:\BPM_HOME_standalone\client\papi\lib\b1oracle.jar;D:\BPM_HOME_standalone\client\papi\lib\b1util.jar;D:\BPM_HOME_standalone\client\papi\lib\b1base.jar;D:\BPM_HOME_standalone\client\papi\lib\fuegopapi-client.jar hzgtprocess.VM_192_168_1_103_linux
Creating connector [fuego:SQL]
Creating ProcessService with id 'oracle/2009-09-14 13:23:12+08:00'.
********* PAPI (Version 10.3.1.0.0 Mantainance Pack 1 Build # 98982 ) is starting *********
Local folder /tmp\system\Schema3387192-437105321\catalogs found.
Loading catalogs from local folder: /tmp\system\Schema3387192-437105321\catalogs
0 jars found locally.
[CatalogMgrCache] =======================
Registering CatalogMgr [oracle/2009-09-14 13:23:12+08:00] ...CatalogManagerCache 20195943:
Managers:
Counters:
[CatalogMgrCache] =======================
CatalogMgr [oracle/2009-09-14 13:23:12+08:00] REGISTERED!CatalogManagerCache 20195943:
Managers:
{oracle/2009-09-14 13:23:12+08:00=fuego.util.LocalCatalogManager@1cbda0a}
Counters:
ProcessService 'oracle/2009-09-14 13:23:12+08:00' created successfully.
34
36
38
41
Unreachable Engine Tolerance (seconds):
by default: 0
to be used: 0
This papi client will not cache exceptions which imply that an engine could not be reached.
A user transaction provider is not available for reading Papi News received through the JMS Topic (probable reason: PAPI client is running outside a j2ee container). Papi News will be processed anyway. Details: javax.naming.NoInitialContextException: Cannot instantiate class: weblogic.jndi.WLInitialContextFactory [Root exception is java.lang.ClassNotFoundException: weblogic.jndi.WLInitialContextFactory]
The connection to the JMS Topic engine was completed successfully.
Exception in thread "main" fuego.papi.ProcessNotAvailableException: Process '/processA#Default-1.0' not available.
     at fuego.papi.impl.AbstractProcessLoader.createProcess(AbstractProcessLoader.java:96)
     at fuego.papi.impl.AbstractProcessLoader.createProcess(AbstractProcessLoader.java:36)
     at fuego.papi.impl.SessionProcessLoader.load(SessionProcessLoader.java:254)
     at fuego.papi.impl.ProcessManager.get(ProcessManager.java:894)
     at fuego.papi.impl.ProcessServiceImpl.getProcess(ProcessServiceImpl.java:1380)
     at fuego.papi.impl.SessionProcessManager.getProcess(SessionProcessManager.java:143)
     at fuego.papi.impl.ProcessServiceSessionImpl.processGet(ProcessServiceSessionImpl.java:2665)
     at fuego.papi.impl.ProcessServiceSessionImpl.checkBeginPermissions(ProcessServiceSessionImpl.java:4286)
     at fuego.papi.impl.ProcessServiceSessionImpl.processCreateInstance(ProcessServiceSessionImpl.java:3177)
     at hzgtprocess.VM_192_168_1_103_linux.main(VM_192_168_1_103_linux.java:42)
Caused by: fuego.papi.impl.EngineNotAvailableException: Cannot reach engine 'bpmengine' at URL: ''.
     at fuego.papi.impl.EngineNotAvailableException.wrapConnectionException(EngineNotAvailableException.java:80)
     at fuego.papi.impl.j2ee.J2EEEngineAccessImpl.createSecureEngine(J2EEEngineAccessImpl.java:181)
     at fuego.papi.impl.ProcessServiceImpl.createSecureEngine(ProcessServiceImpl.java:1111)
     at fuego.papi.impl.ProcessServiceSessionImpl$2.run(ProcessServiceSessionImpl.java:3987)
     at fuego.papi.impl.ProcessServiceImpl.executeEngineOp(ProcessServiceImpl.java:1693)
     at fuego.papi.impl.ProcessServiceSessionImpl.getSecureEngine(ProcessServiceSessionImpl.java:3995)
     at fuego.papi.impl.AbstractProcessLoader.createProcess(AbstractProcessLoader.java:48)
     ... 9 more
Caused by: javax.naming.NoInitialContextException: Cannot instantiate class: weblogic.jndi.WLInitialContextFactory [Root exception is java.lang.ClassNotFoundException: weblogic.jndi.WLInitialContextFactory]
     at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:657)
     at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
     at javax.naming.InitialContext.init(InitialContext.java:223)
     at javax.naming.InitialContext.<init>(InitialContext.java:197)
     at fuego.util.InitialContextProvider.create(InitialContextProvider.java:44)
     at fuego.papi.impl.j2ee.J2EEEngineAccessImpl.createInitialContext(J2EEEngineAccessImpl.java:492)
     at fuego.papi.impl.j2ee.J2EEEngineAccessImpl.getInitialContext(J2EEEngineAccessImpl.java:293)
     at fuego.papi.impl.j2ee.J2EEEngineAccessImpl.getEngineHome(J2EEEngineAccessImpl.java:277)
     at fuego.papi.impl.j2ee.J2EEEngineAccessImpl.getSecureEngineInterface(J2EEEngineAccessImpl.java:333)
     at fuego.papi.impl.j2ee.J2EEEngineAccessImpl.createSecureEngine(J2EEEngineAccessImpl.java:178)
     ... 14 more
Caused by: java.lang.ClassNotFoundException: weblogic.jndi.WLInitialContextFactory
     at java.net.URLClassLoader$1.run(URLClassLoader.java:200)
     at java.security.AccessController.doPrivileged(Native Method)
     at java.net.URLClassLoader.findClass(URLClassLoader.java:188)
     at java.lang.ClassLoader.loadClass(ClassLoader.java:306)
     at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:276)
     at java.lang.ClassLoader.loadClass(ClassLoader.java:251)
     at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:319)
     at java.lang.Class.forName0(Native Method)
     at java.lang.Class.forName(Class.java:247)
     at com.sun.naming.internal.VersionHelper12.loadClass(VersionHelper12.java:46)
     at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:654)
     ... 23 more
The connectivity to the JMS Topic for the server synchronization information has been temporarily interrupted.
Details:
The connectivity to the JMS Topic has been broken due to a JNDI Context initialization problem.
Details:
javax.naming.NoInitialContextException: Cannot instantiate class: weblogic.jndi.WLInitialContextFactory [Root exception is java.lang.ClassNotFoundException: weblogic.jndi.WLInitialContextFactory]
Caused by: Cannot instantiate class: weblogic.jndi.WLInitialContextFactory
Caused by: weblogic.jndi.WLInitialContextFactory
fuego.papi.impl.j2ee.JMSTopicLookUpException: The connectivity to the JMS Topic has been broken due to a JNDI Context initialization problem.
Details:
javax.naming.NoInitialContextException: Cannot instantiate class: weblogic.jndi.WLInitialContextFactory [Root exception is java.lang.ClassNotFoundException: weblogic.jndi.WLInitialContextFactory]
     at fuego.papi.impl.j2ee.J2EEEngineAccessImpl$TopicSubscriberImpl.lookupTopic(J2EEEngineAccessImpl.java:665)
     at fuego.papi.impl.j2ee.J2EEEngineAccessImpl$TopicSubscriberImpl.run(J2EEEngineAccessImpl.java:574)
Caused by: javax.naming.NoInitialContextException: Cannot instantiate class: weblogic.jndi.WLInitialContextFactory [Root exception is java.lang.ClassNotFoundException: weblogic.jndi.WLInitialContextFactory]
     at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:657)
     at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
     at javax.naming.InitialContext.init(InitialContext.java:223)
     at javax.naming.InitialContext.<init>(InitialContext.java:197)
     at fuego.util.InitialContextProvider.create(InitialContextProvider.java:44)
     at fuego.papi.impl.j2ee.J2EEEngineAccessImpl.createInitialContext(J2EEEngineAccessImpl.java:492)
     at fuego.papi.impl.j2ee.J2EEEngineAccessImpl.access$1000(J2EEEngineAccessImpl.java:68)
     at fuego.papi.impl.j2ee.J2EEEngineAccessImpl$TopicSubscriberImpl.lookupTopic(J2EEEngineAccessImpl.java:660)
     ... 1 more
Caused by: java.lang.ClassNotFoundException: weblogic.jndi.WLInitialContextFactory
     at java.net.URLClassLoader$1.run(URLClassLoader.java:200)
     at java.security.AccessController.doPrivileged(Native Method)
     at java.net.URLClassLoader.findClass(URLClassLoader.java:188)
     at java.lang.ClassLoader.loadClass(ClassLoader.java:306)
     at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:276)
     at java.lang.ClassLoader.loadClass(ClassLoader.java:251)
     at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:319)
     at java.lang.Class.forName0(Native Method)
     at java.lang.Class.forName(Class.java:247)
     at com.sun.naming.internal.VersionHelper12.loadClass(VersionHelper12.java:46)
     at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:654)
     ... 8 more
Process exited.

Could this be a CLASSPATH issue?
Caused by: java.lang.ClassNotFoundException: weblogic.jndi.WLInitialContextFactory
at java.net.URLClassLoader$1.run(URLClassLoader.java:200)
at java.security.AccessController.doPrivileged(Native Method)

Oracle J2EE container, Web Layout, JSP, Tomcat

Please help me with the next questions:
1)Oracle DB server and Oracle J2EE container are located in different places. The jsp in Oracle report web layout was generated. I put this JSP on the Oracle J2EE container and tried to run this jsp:
http://localhost:port/reports/weblayout.jsp and got the next error:
javax.servlet.jsp.JspException
     at oracle.reports.jsp.ReportTag.doStartTag(ReportTag.java:341)
     at groups.jspService(_groups.java:55)
     at com.orionserver.http.OrionHttpJspPage.service(OrionHttpJspPage.java:56)
     at oracle.jsp.runtimev2.JspPageTable.service(JspPageTable.java:302)
     at oracle.jsp.runtimev2.JspServlet.internalService(JspServlet.java:407)
     at oracle.jsp.runtimev2.JspServlet.service(JspServlet.java:330)
     at javax.servlet.http.HttpServlet.service(HttpServlet.java:336)
     at com.evermind.server.http.ResourceFilterChain.doFilter(ResourceFilterChain.java:59)
     at oracle.security.jazn.oc4j.JAZNFilter.doFilter(JAZNFilter.java:283)
     at com.evermind.server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java:523)
     at com.evermind.server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java:269)
     at com.evermind.server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:735)
     at com.evermind.server.http.HttpRequestHandler.run(HttpRequestHandler.java:243)
     at com.evermind.util.ThreadPoolThread.run(ThreadPoolThread.java:64)
Do I need to deploy this jsp on Oracle J2EE container and if yes in what way?
2)can I run this jsp in Tomcat?
Thank you.

hello,
reports JSPs need the report server environment availabel and can not be deployend to a vanilla J2EE container. you can take a look at our "Tools" section of the reports page here on OTN (go to the reports homepage and click on the "search" link in the news section. there you can look for "tools and utilities" which contain instructions on how what you need to do. keep in mind though, that this is not a supported configuration. the only way to deploy a reports JSP is inside the J2EE container of the EE edition of the appliation server.
at this point we do not provide any instruction for other, non oracle, containers.
thanks,
ph.

IFS in J2EE container

Is iFS certified for runniong inside 9i appserver (J2EE container) ?
thx in advance
null

Hi,
J2EE container managed security uses role names to perform authorization. The security role is defined in the web.xml file and can be used in web applications through the isUserInRole("RoleName") method exposed on the Http Request object.
In JSF this method is exposed through
FacesContext.currentInstance().getExternalContext().isUserInRole("RoleName")
As shown in SRDemo, to declaratively use J2EE security roles in JSF, create a managed bean e.g. authzbean and create boolean methods for each of teh roles
public boolean isUserManager(){
return FacesContext.currentInstance().getExternalContext().isUserInRole("Manager")
}This method can then be accessed from EL to e.g. set the displayed property. Note that container managed authorization is different from ADF Security authorization but can be used in combination if the JAZN Realm login module is used
Frank

Java.util.concurrent.ExecutorService inside J2EE Container

I want to use the JDK 1.5 concurrency class ExecutorService for concurrent execution of data-access logic inside my oc4j web-application.
I'm using the Factory Executors.newFixedThreadPool(6) for creating a thread-pool.
I know that it's not a good practice to create new threads inside a j2ee container.
Is there anything I have to think of or beware of??
Perhaps anybody here has experience using the java.util.concurrent.Executor inside OC4J or an other j2ee container.
Thanks, Harald

Yes, I have used java.util.concurrent.Executor in weblogic 10 server.
You can really improve the performance of the EJB application if you use the thread pool carefully with limited size say 100 threads, by creating a single instance of thread pool for the whole J2EE application.
You have to control the life cycle of thread pool using the container's life cycle methods, create the thread pool only once and destroy every time you recycle your app.
Good luck with the implementation :)

JMS setExceptionListener doesn't work in a j2ee container?

I have just upgraded to Oracle SOA suite 10.1.3.1.0 from Oracle BPEL 10.1.2.0.2
I have redeployed a servlet which I had running on my previous oc4j server.
However when my servlet now attempts to send a jms message to the server I get an exception raised:
QueueConnection[Oc4jJMS.Connection.ghc-pc029.5a62f421:10f2ebe2218:-8000.333]: cannot invoke method "setExceptionListener" within the J2EE container.
Please could you explain why the below method can not be invoked in a J2EE container.
javax.jms.QueueConnection#setExceptionListener(ExceptionListener listener)
(retrieved from com.evermind.server.rmi.RMIInitialContextFactory)
Is this a defect? regression? or limitation?
Thanks,
Peter

Peter,
Is this a defect? regression? or limitation?Creating exception listeners is explicitely prohibited by the J2EE 1.4 specs (see http://java.sun.com/j2ee/j2ee-1_4-fr-spec.pdf, section 6.6, page 103).
We had to enforce this in 10.1.3.1 to be compliant and pass the Compatibility Test Suite (CTS). The idea is that all connection-related tasks are delegated to the container. WHile making things simpler, it also certainly removes some flexibility.
Hope this makes sense.
/Demed

Using JCo as an RFCServer in a J2EE Container (Threading Issue)

Hello,
I want to use JCo as an RFCServer in a J2EE Container
(e.g. JBoss, BEA WLS or WAS6.40).
Threrefore I use a the JCo.Server class
as shown in Example5 in the JCo Examples.
But the JCo.Server class starts a thread (JCo.ServerThread) for each Server(Listener).
According to the J2EE specs it is not allowed
to start (user) threads in a J2EE Container,
because the container does the whole thread
manangement/lifecycle.
If JCo creates threads on its own, this might
lead to erros. For Example: BEA WLS stores
information in ThreadLocal variables and if you
call a SessionBean from the JCoServer.handleRequest method
the Container will (perhaps) fail, because the
thread created by JCo does not have the ThreadLocals
needed by the container.
I know that there is the IServerThread interface in JCo,
but I don't know how to use it in a J2EE Container.
What is the correct way to implement a JCo Server
in a J2EE container?
Does anyone know a working solution of a JCo Server
in the BEA Application Server?
Thanks,
Joachim

Joachim,
As you wrote, it may not be a good idea to use JCO.Server's inside a J2EE container; i suggest you to build an 'adapter' for this purpose.
An adapter is a program that can listen for any type of event and, once the event has been identified (type and specific data), the adapter will handle it accordingly.
In this case, you can create a program that starts a JCO.Server (as in Example5) and use JMS to send messages (built from the info gathered from the JCO.Function call) to a Message Driven Bean in the J2EE container.
Hope this helps.
RaTB

How to use EntityManager in a thread inside a J2EE container

Hi,
I'm looking for a usage pattern to use an EntityManager inside a thread of J2EE container. I used injection to inject an EntityManager in a EJB3 service and I can use the em with no problem. But the problem occurs when the service spin a thread and operations of the EntityManager (which is obtained using JNDI lookup ) inside that thread always fails.
What is the correct usage pattern to obtain/use an EntityManager inside a thread of a J2EE container?
Thanks.

What you are trying to do should work as long as you are using the Measurement Studio C++ classes in MStudio version 6.0 or later.
What version of Measurement Studio are you using? Could you post a simple program that demonstrates the problem?
There is a fundamental limitation in Windows that prevents you from using a Window handle (HWND) in a different thread than the one that created it. However, the Measurement Studio C++ classes (e.g. CNiGraph) are designed to automatically handle accessing the underlying handle from multiple threads. This is done through standard COM marshaling mechanisms and was implemented in version 6.0 of Measurement Studio.
David Rohacek
National Instruments

How to run ejb application OC4J J2EE Container

Hi all,
I unable run ejb applications in OC4J J2EE Container.
I have configure following files.
in config directory
Server.xml
I have .ear file if configured in server.xml. this .ear copied into home/application directory
I have create following deployment discriptor file.
in META-INF for ejb.
ejb-jar.xml
application.xml
I have specify all ejb classes details in ejb-jar.xml
Please help me .How to run ejbs with jsp and application client.Which files shall i configure.
Thnaks,

Hi all,
I unable run ejb applications in OC4J J2EE Container.
I have configure following files.
in config directory
Server.xml
I have .ear file if configured in server.xml. this .ear copied into home/application directory
I have create following deployment discriptor file.
in META-INF for ejb.
ejb-jar.xml
application.xml
I have specify all ejb classes details in ejb-jar.xml
Please help me .How to run ejbs with jsp and application client.Which files shall i configure.
Thnaks,

Suspend a method execution inside J2EE container

Hi,
I'm implementing a method that sends and resends payment transactions. The method resides in POJO java class and is going to be called from a Session EJB. When the same transaction has to be resent (accoring to some rules), we have to wait several milliseconds before doing it.
I know that threading should not be used directly inside a J2EE container, so what would be the way to implement the waiting before resending a transaction?
Thank you very much.

Yes, I have used java.util.concurrent.Executor in weblogic 10 server.
You can really improve the performance of the EJB application if you use the thread pool carefully with limited size say 100 threads, by creating a single instance of thread pool for the whole J2EE application.
You have to control the life cycle of thread pool using the container's life cycle methods, create the thread pool only once and destroy every time you recycle your app.
Good luck with the implementation :)

Cannot invoke method "setMessageListener" within the J2EE container.

I use TopicSubscriber.setMessageListener method to convert messages to my own type, but oc4j jms throws following exception:
javax.jms.JMSException: TopicSubscriber[Oc4jJMS.Consumer.ypchang-cn.12da4a6:111d4f12137:-8000.94,Topic[CreatedSponsorTopic],null,null,false]: cannot invoke method "setMessageListener" within the J2EE container.
     at com.evermind.server.jms.JMSUtils.make(JMSUtils.java:1072)
     at com.evermind.server.jms.JMSUtils.toJMSException(JMSUtils.java:1152)
     at com.evermind.server.jms.JMSUtils.toJMSException(JMSUtils.java:1123)
     at com.evermind.server.jms.JMSUtils.assertNotContainer(JMSUtils.java:1538)
     at com.evermind.server.jms.EvermindMessageConsumer.setMessageListener(EvermindMessageConsumer.java:217)
     at com.firepond.bcmf.bus.BusSubscriberImpl.setMessageListener(BusSubscriberImpl.java:397)
OC4J JMS doesn't support user defined MessageListener?????!!!!!!!!!!
Who can help me out?
Thanks!

Hi,
I am facing the same problem did you got any solution for it.
I am getting the following error message too:
Exception in Constructor
javax.jms.JMSException: QueueReceiver[Oc4jJMS.Consumer.ssipl-wrkst-139.-7dd2dd24:1122873d95f:-8000.269,Queue[360Transaction]]: cannot invoke method "setMessageListener" within the J2EE container.
     at com.evermind.server.jms.JMSUtils.make(JMSUtils.java:1072)
     at com.evermind.server.jms.JMSUtils.toJMSException(JMSUtils.java:1152)
     at com.evermind.server.jms.JMSUtils.toJMSException(JMSUtils.java:1123)
     at com.evermind.server.jms.JMSUtils.assertNotContainer(JMSUtils.java:1538)
     at com.evermind.server.jms.EvermindMessageConsumer.setMessageListener(EvermindMessageConsumer.java:217)
     at com.skillnetinc.storehub.connector.pos.publisher.ejb.publishTransactionWithSalesAudit.PublishTransactionWithSalesAuditBean.<init>(PublishTransactionWithSalesAuditBean.java:94)
     at PublishTransactionWithSalesAuditBean_RemoteProxy_1dpbn83.OC4J_createBeanInstance(Unknown Source)
     at com.evermind.server.ejb.StatelessSessionBeanPool.createContextImpl(StatelessSessionBeanPool.java:37)
     at com.evermind.server.ejb.BeanPool.createContext(BeanPool.java:418)
     at com.evermind.server.ejb.BeanPool.allocateContext(BeanPool.java:244)
     at com.evermind.server.ejb.StatelessSessionEJBHome.getContextInstance(StatelessSessionEJBHome.java:25)
     at com.evermind.server.ejb.StatelessSessionEJBObject.OC4J_invokeMethod(StatelessSessionEJBObject.java:86)
     at PublishTransactionWithSalesAuditBean_RemoteProxy_1dpbn83.invoke(Unknown Source)
     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
     at java.lang.reflect.Method.invoke(Method.java:585)
     at com.evermind.server.rmi.RmiMethodCall.run(RmiMethodCall.java:53)
     at com.evermind.util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java:303)
     at java.lang.Thread.run(Thread.java:595)

J2EE Container Security - Duplication inevitable? (Attn: Frank)

Similar Messages

Maybe you are looking for