JAAS Subject with stale principals

I'm trying to figure out how to use JAAS and so far I have a more or less clear understanding of the authentication part. But I have some difficulty with the authorization part. Here is what I don't understand. Upon successful user authentication, a Subject is created and populated with principals that represent different aspects of the user. Those principals can be the user's roles (admin, document editor, document viewer, etc.) or they can be groups that the user is a member of (admins, backup operators, etc.) This information is somehow obtained by the login module right after authentication and used for determining the user's permissions from then on. But what happens if the user's group membership or the set of his or her roles changes after authentication? If the principal information comes from, say, an LDAP directory, then such changes will only be seen after the user logs out and logs back in, which is when the LDAP login module can do all the necessary searches to populate the Subject with principals.
What concerns me is that, if the Subject's principals aren't always up to date, there is risk that the user may have more privileges than what the system administrator thinks they do. Or is this how other security mechanisms work and therefore there is nothing to worry about?
Thanks.
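As an added illustration of the snapshot problem described above (not part of the original post and not any product's code): a hypothetical JAAS login module copies a user's groups from a constructed in-memory directory into the Subject at commit time, and two authorization checks show the difference between trusting that snapshot and re-resolving membership from the directory at decision time. The class names, the user "alice" and the group names are invented; the module is wired in through a programmatic Configuration so no auth.conf file is needed.

```java
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.*;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.spi.LoginModule;

public class StalePrincipalsDemo {
    // Constructed stand-in for the LDAP directory: user name -> group names.
    static final Map<String, Set<String>> DIRECTORY = new HashMap<>();

    /** Principal with value equality on (class, name); subclassed for users and groups. */
    public static class NamedPrincipal implements Principal {
        private final String name;
        public NamedPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o != null && o.getClass() == getClass() && ((NamedPrincipal) o).name.equals(name);
        }
        @Override public int hashCode() { return name.hashCode(); }
    }
    public static final class UserPrincipal extends NamedPrincipal {
        public UserPrincipal(String n) { super(n); }
    }
    public static final class GroupPrincipal extends NamedPrincipal {
        public GroupPrincipal(String n) { super(n); }
    }

    /** Hypothetical login module. Password checking is omitted (the user name arrives as a
     *  module option) so the focus is on commit(), which copies group membership once. */
    public static class GroupLoginModule implements LoginModule {
        private Subject subject;
        private String user;
        private final Set<Principal> added = new HashSet<>();

        public void initialize(Subject subject, CallbackHandler handler,
                               Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
            this.user = (String) options.get("user");
        }
        public boolean login() throws LoginException {
            if (!DIRECTORY.containsKey(user)) throw new LoginException("unknown user " + user);
            return true;
        }
        public boolean commit() {
            // Snapshot of group membership; nothing refreshes it until logout() + login().
            added.add(new UserPrincipal(user));
            for (String g : DIRECTORY.get(user)) added.add(new GroupPrincipal(g));
            subject.getPrincipals().addAll(added);
            return true;
        }
        public boolean abort() { added.clear(); return true; }
        public boolean logout() {
            subject.getPrincipals().removeAll(added);
            added.clear();
            return true;
        }
    }

    /** Programmatic JAAS configuration, so no auth.conf file is needed to run this. */
    static Configuration configFor(final String user) {
        return new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                    GroupLoginModule.class.getName(), LoginModuleControlFlag.REQUIRED,
                    Collections.singletonMap("user", user)) };
            }
        };
    }

    /** Authorization as the question describes it: trust the principals in the Subject. */
    public static boolean inGroupPerSubject(Subject s, String group) {
        return s.getPrincipals(GroupPrincipal.class).contains(new GroupPrincipal(group));
    }

    /** Mitigation: keep only the identity in the Subject; re-resolve membership per decision. */
    public static boolean inGroupPerDirectory(Subject s, String group) {
        for (UserPrincipal u : s.getPrincipals(UserPrincipal.class)) {
            Set<String> groups = DIRECTORY.get(u.getName());
            if (groups != null && groups.contains(group)) return true;
        }
        return false;
    }

    public static void main(String[] args) throws LoginException {
        DIRECTORY.put("alice", new HashSet<>(Arrays.asList("staff", "admins")));
        LoginContext lc = new LoginContext("demo", new Subject(), null, configFor("alice"));
        lc.login();
        Subject alice = lc.getSubject();

        // An administrator removes alice from "admins" while her session is still alive.
        DIRECTORY.get("alice").remove("admins");
        System.out.println("Subject snapshot says admin: " + inGroupPerSubject(alice, "admins"));
        System.out.println("Directory now says admin:    " + inGroupPerDirectory(alice, "admins"));

        // Logging out and back in rebuilds the snapshot, which is what the question observes.
        lc.logout();
        lc.login();
        System.out.println("Subject after re-login:      " + inGroupPerSubject(alice, "admins"));
    }
}
```

The second check trades a directory lookup per decision for freshness; the usual middle ground is to keep the snapshot but bound its lifetime (session timeout, forced re-authentication on sensitive operations, or a short cache in front of the directory).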

In your login module you have to authenticate the user to the Weblogic Server as
well. For simplicity, Weblogic comes with a class weblogic.security.auth.Authenticate
to login a subject with Weblogic Server.
Once logged in, any thread that is invoked within the context of a Subject.doAs
call gets that subject associated with it.
Hope that helps
"Allan" <dfusdfsdfsd> wrote:
I looked at the JAAS docs and sample, but I'm still confused about
something. There is a sample of JAAS in a regular, non-EJB scenario. The
client initializes the LoginContext, calls login(), then retrieves the
Subject (and possibly later does something with Subject.doAs()). However, in
the typical EJB scenario, the client initializes the JNDI context, then does
the lookup on the bean name (which implicitly does the authentication to the
container). How do they work together, though? I.e., what does the client
code look like if JAAS authentication is to be used from an EJB client?
Thank you!

Similar Messages

  • How to get both JDNI context and JAAS Subject with EJB

    I looked at the JAAS docs and sample, but I'm still confused about
    something. There is a sample of JAAS in a regular, non-EJB scenario. The
    client initializes the LoginContext, calls login(), then retrieves the
    Subject (and possibly later does something with Subject.doAs()). However, in
    the typical EJB scenario, the client initializes the JNDI context, then does
    the lookup on the bean name (which implicitly does the authentication to the
    container). How do they work together, though? I.e., what does the client
    code look like if JAAS authentication is to be used from an EJB client?
    Thank you!


  • Loading LDAP groups into WLS JAAS Subject

    Hi,
    I have a 10.1.4.3 OAM webgate+OHS setup to protect weblogic 10.3.2 as described ('1st best option') in this blog below.
    http://fusionsecurity.blogspot.com/2010/01/integrating-oracle-access-manager-oam.html
    In the weblogic security realm, I have the OAM Identity Asserter (REQUIRED), OID Authentication Provider (SUFFICIENT), Default Authenticator (SUFFICIENT), Default Identity Asserter configured in that order.
    A simple JSP app with CLIENT-CERT is deployed to the WLS. After the user is authenticated at OHS Webgate, the OAM Identity asserter is correctly asserting the user (and the obSSOCookie) as can be seen from the logs. The JSP app is getting a valid (non-anonymous) JAAS Subject with a single JAAS principal (of the user).
    But I'm not sure it is loading the LDAP groups correctly using the OID provider. Are the LDAP groups supposed to be loaded as principals into the JAAS Subject? The user is part of many LDAP groups but only one principal (user itself) is in the JAAS Subject. Are there any additional steps to 'pair' the OAM Identity Asserter with the OID authentication provider as described in the above blog?
    I'm using weblogic.security.Security.getCurrentSubject() to get the Subject and subject.getPrincipals() to get the principals in the JSP app.
    Thanks.

    Like I said in my post, subject.getPrincipals() has only one entry, the user id. The LDAP groups aren't in the Set returned. I'm wondering how to debug this or fix it. I'm wondering if I need to re-associate the domain policy store with LDAP as described here before the LDAP groups will be loaded into the subject.
    http://download.oracle.com/docs/cd/E14571_01/core.1111/e10043/cfgauthr.htm#CHDIIJDB

  • Obtaining JAAS subject in a servlet.

    G'day,
    There are problems in Java with getting the JAAS subject, as the standard Subject.getSubject() call can return null if called within a privileged action:
    Subject s = Subject.getSubject(AccessController.getContext());
    Subject.doAs(s, new PrivilegedAction() {
      public Object run() {
        Subject s1 = Subject.getSubject(AccessController.getContext());
        AccessController.doPrivileged(new PrivilegedAction() {
          public Object run() {
            Subject s2 = Subject.getSubject(AccessController.getContext());
            return null;
          }
        });
        return null;
      }
    });
    Here, s2 may be null, which is why other app servers have custom approaches (such as JBoss and its SecurityAssociation.getSubject() call).
    Is there a similar API for Netweaver AS Java for obtaining the JAAS subject? Or can the JAAS subject be obtained always using the standard Java API?
    Edit: I put the above code into a servlet protected by BasicLoginModule, and all three subject objects (s, s1, and s2) were null. I thought that at least 's' would be non-null, but apparently not.
    --Geoff

    G'day,
    Thanks for the link to the JAAS login module section of the SAP Library documentation.
    I have already written a custom JAAS login module (which populates a subject with principals and their credentials), but I am looking for the Netweaver equivalent of JBoss's SecurityAssociation.getSubject() that can be called from any code. I did not find anything suitable while searching through the SAP Library documentation.
    However, I did stumble upon an API that might be useful:
    Object object = com.sap.security.core.InternalUMFactory.getEngineResourceHelper();
    if (object != null && object instanceof com.sap.security.core.IEngineResourceHelper) {
      com.sap.security.core.IEngineResourceHelper helper =
          (com.sap.security.core.IEngineResourceHelper) object;
      Subject subject = helper.getCurrentSubject();
    }
    The class name InternalUMFactory suggests that this API may be undocumented or unstable.
    If I have a servlet protected by the BasicLoginModule, and I authenticate to the servlet using a username/password, then the subject returned is a principal with the correct username, and with password credentials.
    If the servlet is not protected by a login module, then the subject returned is "Guest".
    If I put the servlet as an iView within a portal, then the subject returned is "Guest", even though the portal is protected by a login module and authentication is required. I thought here that the Subject for the portal would be propagated to the servlets running in that portal, but maybe my understanding is wrong.
    --Geoff

  • Obtaining the JAAS subject in a portal application?

    G'day,
    Is there a safe method for obtaining the JAAS subject in a portal application?
    There are problems in Java with getting the JAAS subject, as the standard Subject.getSubject() call can return null if called within a privileged action:
    Subject s = Subject.getSubject(AccessController.getContext());
    Subject.doAs(s, new PrivilegedAction() {
      public Object run() {
        Subject s1 = Subject.getSubject(AccessController.getContext());
        AccessController.doPrivileged(new PrivilegedAction() {
          public Object run() {
            Subject s2 = Subject.getSubject(AccessController.getContext());
            return null;
          }
        });
        return null;
      }
    });
    Here, s2 may be null, which is why other app servers have custom approaches (such as JBoss and its SecurityAssociation.getSubject() call).
    In fact, when I try the above code in a portal application (protected by the login module used to access the portal), I get NULL value for each subject s, s1, and s2.
    I have found a Netweaver API that may be useful for obtaining the subject:
    Object object = com.sap.security.core.InternalUMFactory.getEngineResourceHelper();
    if (object != null && object instanceof com.sap.security.core.IEngineResourceHelper) {
      com.sap.security.core.IEngineResourceHelper helper =
          (com.sap.security.core.IEngineResourceHelper) object;
      Subject subject = helper.getCurrentSubject();
    }
    A portal application containing this code will display the following:
    Subject: Principal: tu-1_basic Principal: com.sap.security.api.logon.AuthSchemePrincipal@19b07b7 Private Credential: GSSCredential: name: [email protected] usage: INITIATE_AND_ACCEPT for mechs: 1.2.840.113554.1.2.2 usage:INITIATE_ONLY 1.2.840.113554.1.2.2.3 usage:INITIATE_AND_ACCEPT underlying Kerberos creds: TGT remaining lifetime = 594 Private Credential: com.sap.security.core.server.jaas.SAPLogonTicketCredential@6a527bdd
    However, the class name InternalUMFactory suggests that this API may be undocumented or unstable.
    Is there a documented API in Netweaver AS Java for obtaining the JAAS subject?
    --Geoff
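    An added example (not Geoff's code, and nothing from Netweaver or JBoss) that reproduces the null-Subject behaviour of the snippet above and shows the standard-Java way to keep the Subject visible inside a privileged block, AccessController.doPrivilegedWithCombiner. It assumes JDK 8 through 17 (Subject.current() and Subject.callAs() replace these calls from JDK 18, and later releases disable Subject.getSubject); the class name and the "CN=geoff" identity are invented.

```java
import java.security.AccessController;
import java.security.PrivilegedAction;
import javax.security.auth.Subject;
import javax.security.auth.x500.X500Principal;

/** Shows where Subject.getSubject() sees the Subject installed by Subject.doAs() and where it does not. */
public class SubjectVisibilityDemo {

    /** The classic way to read the Subject bound to the calling AccessControlContext. */
    static Subject current() {
        return Subject.getSubject(AccessController.getContext());
    }

    /**
     * Runs three probes inside Subject.doAs(). Element 0: directly inside doAs.
     * Element 1: inside a plain doPrivileged, which starts a fresh context that drops the
     * SubjectDomainCombiner, so getSubject() sees nothing (the poster's s2 case).
     * Element 2: inside doPrivilegedWithCombiner (JDK 6+), which keeps the combiner.
     */
    public static Subject[] probe(Subject s) {
        return Subject.doAs(s, (PrivilegedAction<Subject[]>) () -> new Subject[] {
            current(),
            AccessController.doPrivileged((PrivilegedAction<Subject>) SubjectVisibilityDemo::current),
            AccessController.doPrivilegedWithCombiner((PrivilegedAction<Subject>) SubjectVisibilityDemo::current)
        });
    }

    public static void main(String[] args) {
        Subject geoff = new Subject();
        geoff.getPrincipals().add(new X500Principal("CN=geoff")); // constructed sample identity

        // Outside any doAs() there is no combiner on the stack, so getSubject() returns null:
        // the same thing the poster saw for 's' in a servlet the container had not wrapped in doAs().
        System.out.println("before doAs:              " + current());

        Subject[] seen = probe(geoff);
        System.out.println("inside doAs:              " + (seen[0] == geoff));
        System.out.println("inside doPrivileged:      " + (seen[1] == geoff));
        System.out.println("doPrivilegedWithCombiner: " + (seen[2] == geoff));
    }
}
```

    The container-specific helpers (JBoss's SecurityAssociation.getSubject(), the Netweaver helper quoted above) exist because a servlet or portal component is not necessarily running inside a Subject.doAs() frame at all, which is a separate issue from the doPrivileged one shown here.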

    Hi,
    We can use the following API to get the current role:
    IWDNavigationHelperService wdNavHelperService =
        (IWDNavigationHelperService) WDPortalUtils.getService(IWDNavigationHelperService.KEY);
    String navNode = wdNavHelperService.getCurrentNavNode();
    Regards,
    Ganpati

  • JAAS: How can I access the JAAS subject in an EJB?

    Hello,
    I try to understand the JAAS integration in J2EE 1.3.
    I know:
    J2EE defines a role-based container managed authorization for the web and ejb container. Roles, users and their relationship are defined in the realm.
    JAAS has a more sophisticated policy-based authorisation model. Since J2EE1.3 I can define a realm using JAAS having the role-based authorization of the container managed security.
    My question:
    How can I access the JAAS subject object in an EJB or servlet to use the policy-based authorization?
    Thank you for your answers
    Peter

    May be I should redefine my question:
    If I use JAAS as J2EE-Realm, how can I receive the subject?
    All JAAS-Tutorials contain code fragments like
    try {
        LoginContext lc = new LoginContext("entryFoo");
        // authenticate the Subject
        lc.login();
        System.out.println("authentication successful");
        // get the authenticated Subject
        Subject subject = lc.getSubject();
    } catch (LoginException e) {
        // both the LoginContext constructor and login() throw LoginException on failure
        System.out.println("authentication failed: " + e.getMessage());
    }
    But if I use JAAS as J2EE-Realm the container creates the LoginContext.
    Whom can I ask for the subject now?
    There is no such method implemented in the EJBContext, the HttpServlet or HttpServletRequest!
    Peter

  • Please start posting subjects with "A1" or "K1"

    Please, when you post to this forum, indicate in the subject whether you are discussing an A1 or a K1. I start my posts with "A1:" in the subject. It helps since the tablets are so different, and information for one usually doesn't apply to the other.
    Thank you.
    Moderator note; subject edited
    IdeaPad A1-07
    iPhone 3GS

    Perhaps you could alter the subject of this posting so A1 and K1 is in the subject -- get your point across for folks not likely to click on such a vague subject:
    "Please start posting subjects with 'A1:' or 'K1:'"
    ...would be my suggestion for an altered subject of this posting...

  • Error while creating JAAS subject credentials

    Hello,
    I have a client program that runs in a separate JVM accessing a server (on a different JVM of course). A user name and password are given as inputs to the client program. One of our testers has found out that any user name containing the "@" character seems to mess up the JAAS authentication. For example, as user names,
    sunil.com will work.
    [email protected] will not
    sunil@xyz will not.
    On the client side, I get a
    "nested exception is: org.omg.CORBA.UNKNOWN: vmcid: SUN minor code: 202 completed: Maybe" error and on the server side I see the following
    SEVERE: IOP5035: Error while creating a JAAS subject credential.
    com.sun.enterprise.iiop.security.SecurityMechanismException: Unknown realm
    at com.sun.enterprise.iiop.security.GSSUPToken.<init>(GSSUPToken.java:222)
    at com.sun.enterprise.iiop.security.SecServerRequestInterceptor.createAuthCred(SecServerRequestInterceptor.java:387)
    at com.sun.enterprise.iiop.security.SecServerRequestInterceptor.receive_request(SecServerRequestInterceptor.java:562)
    at com.sun.corba.ee.internal.Interceptors.InterceptorInvoker.invokeServerInterceptorIntermediatePoint(InterceptorInvoker.java:479)
    at com.sun.corba.ee.internal.Interceptors.PIORB.invokeServerPIIntermediatePoint(PIORB.java:810)
    at com.sun.corba.ee.internal.POA.GenericPOAServerSC.internalDispatch(GenericPOAServerSC.java:207)
    at com.sun.corba.ee.internal.POA.GenericPOAServerSC.dispatch(GenericPOAServerSC.java:113)
    at com.sun.corba.ee.internal.iiop.ORB.process(ORB.java:275)
    at com.sun.corba.ee.internal.iiop.RequestProcessor.process(RequestProcessor.java:83)
    at com.iplanet.ias.corba.ee.internal.iiop.ServicableWrapper.service(ServicableWrapper.java:25)
    at com.iplanet.ias.util.threadpool.FastThreadPool$ThreadPoolThread.run(FastThreadPool.java:283)
    at java.lang.Thread.run(Thread.java:536)
    Does any one know if this is expected?

    I'm not using AS.
    I have full permission on the file.
    It's not a non-English environment.
    So I feel it doesn't resemble.
    My environment is on 11.1.0.6.0 and that note applies to Version: 10.1.3.0.0 to 10.1.3.1.0
    Regards,
    S.K.
    Edited by: Santosh Kumar on Oct 7, 2009 4:25 PM

  • Flash photo of distant subject with close obstacles

    I am a very inexperienced amateur user of Photoshop CS, but  I have been experimenting with a way I have devised (though I am sure it is not original) of dealing with what I imagine is not an uncommon situation, and should be most interested in comments from the experts.
    You attend an indoor event — a ceremony, a performance — and photograph the goings-on on stage, using just the flash from your camera, from a distant and poor vantage point behind other spectators. When you examine your picture, you see beautifully-lit chair-backs and rear views of people in the foreground; in the background, so dark as to be almost indiscernible, the event you wish to record for posterity.
    What to do? You open the image in Photoshop, increase the exposure-setting drastically, fiddle with white balance, contrast, saturation. You now have a decent image of your desired subject, but with huge chair-backs and backs of spectators' heads in almost flat, brilliant white dominating the picture. So you try cropping, but discover that there is no way of cutting out the chairs and spectators without decapitating the actors or cutting their legs off.
    Now you try darkening the chairs and spectators — with the burn tool or by selecting them with the lasso and using the Brightness/Contrast adjustment. But because the combination of close flash lighting with greatly increased exposure-setting has removed shadows and texture, you now have quite unnatural-looking flat grey obstacles in the foreground.
    This is what I have started doing: I save two versions of the image in Photoshop, one with greatly increased exposure-adjustment (as above), the other with something like the unadjusted, or even slightly reduced, exposure. It is important not to do any cropping at this stage, because the two versions of the image must be spatially identical. In the dark image, I use the lasso tool (with feathering set to about 10 px, but experimenting may be necessary) to select the foreground obstacles and copy them. (It is likely that they will be out of focus, and again experimenting with whether to select around the inside or the outside of the blurred edges is desirable.) Then I go to the bright image, select the obstacles again and paste the previously-copied, modestly dark obstacles over the brightly-lit ones.
    Now I do any cropping of the bright image that may be desirable; the dark one should be no longer required, but I keep it alive in case I have to modify my selection and try the whole thing again.
    Unless I am quite lucky, some detailed retouching with the clone stamp tool or the eye-dropper and brush may be necessary around the edges of the pasted objects. And, of course, I use duplicate layers at various stages so that I can go back if necessary. But essentially I end up with a properly-lit main subject, with natural-looking but unobtrusively dim foreground obstacles.
    Is this a common practice? Or are there better ways of dealing with such a situation?

    Thanks for this, Printer_Rick. The trouble, though, is that there is no
    way of adjusting exposure (as distinct from brightness, etc.) once the
    image is in .psd (or JPEG or even Photoshop Raw) format. At least that
    is the case in Photoshop CS, which is the version I have.
    Because I only have CS, and because my Nikon camera is later than the
    latest one whose Raw files Photoshop CS can handle, I have to work with
    Raw files in a rather complicated way. I have to convert them to .dng
    format by using the one version of Adobe DNG Converter that is both
    early enough to work with Photoshop CS and late enough to handle my
    camera files. Then I can open the .dng files in Photoshop and adjust
    exposure.
    I have tried to convert .psd or Photoshop Raw files back to .dng or some
    other format that will let me adjust exposure, but have failed. In any
    case the masking would not be preserved. So it would appear that until I
    can afford to upgrade to Photoshop CS4 or thereabouts, I shall not be
    able to avail myself of your simple and elegant procedure.

  • How to Extract email subject with date from outlook?

    Hello,
    I am new to powershell and was wondering how I can extract the email subject with date for the entire last month? I need to generate a report every month end and have to go through all the emails, which can be very cumbersome at times.
    Divyansh 

    Ok, I was able to find the commands but it only lists emails which are exactly 2 weeks old .. it does not list the recent items ..
    Add-Type -AssemblyName "Microsoft.Office.Interop.Outlook" | Out-Null
    $olFolders = "Microsoft.Office.Interop.Outlook.olDefaultFolders" -as [type]
    $outlook = New-Object -ComObject Outlook.Application
    $namespace = $outlook.GetNameSpace("MAPI")
    $folder = $namespace.GetDefaultFolder($olFolders::olFolderSentMail)
    # The original upper bound compared $_.On, which is not a property of a mail item; both bounds filter on SentOn
    $folder.Items | Where-Object { $_.SentOn -gt [datetime]"3/1/2014" -and $_.SentOn -lt [datetime]"3/25/2014" } | Select-Object -Property Subject, SentOn, Importance, SenderName
    Divyansh

  • Run JAAS Example with Tomcat 4

    Can someone explain to me how I can run the JAAS example from SUN with Tomcat?
    Please do it step by step so that I can understand it.
    Thanks for your help and understanding!!!

    Here you go:
    Environment Tomcat 4.1.10
    These steps will configure Tomcat Admin app so that it uses
    JAASRealm to authenticate.
    To keep things simple, I wrote a MyLoginModule that succeeds with username,password pair "jaas","jaas".
    Authentication information as well as role "admin" are hardcoded, so you do not have to worry about additional settings.
    So compile the following files, and put them into e.g. tomcat/server/classes or jar them and put them to some place where
    tomcat finds them:
    --------my.MyLoginModule.java---------------
    package my;
    import java.util.Map;
    import java.security.Principal;
    import javax.security.auth.login.LoginContext;
    import javax.security.auth.Subject;
    import javax.security.auth.callback.*;
    import javax.security.auth.login.*;
    import javax.security.auth.spi.LoginModule;
    import java.io.IOException;
    public class MyLoginModule implements LoginModule {
        protected CallbackHandler callbackHandler = null;
        protected boolean committed = false;
        protected boolean debug = false;
        protected Map options = null;
        protected Principal principal = null;
        protected Principal rolePrincipal = null;   // kept so logout() can remove the role again
        protected Map sharedState = null;
        protected Subject subject = null;
        protected void log(String message) {
            System.out.print("MyLoginModule: ");
            System.out.println(message);
        }
        public boolean abort() throws LoginException {
            log("abort");
            principal = null;
            return (true);
        }
        public boolean commit() throws LoginException {
            log("commit phase");
            // If authentication was not successful, just return false
            if (principal == null) {
                log("no principal commit fails");
                return (false);
            }
            if (!subject.getPrincipals().contains(principal))
                subject.getPrincipals().add(principal);
            // add role principals
            rolePrincipal = new MyRolePrincipal("admin");
            subject.getPrincipals().add(rolePrincipal);
            committed = true;
            log("commit successful");
            return (true);
        }
        public void initialize(Subject subject, CallbackHandler callbackHandler,
                               Map sharedState, Map options) {
            // Save configuration values
            this.subject = subject;
            this.callbackHandler = callbackHandler;
            this.sharedState = sharedState;
            this.options = options;
        }
        public boolean login() throws LoginException {
            log("login phase");
            // Set up our CallbackHandler requests
            if (callbackHandler == null)
                throw new LoginException("No CallbackHandler specified");
            Callback callbacks[] = new Callback[2];
            callbacks[0] = new NameCallback("Username: ");
            callbacks[1] = new PasswordCallback("Password: ", false);
            // Interact with the user to retrieve the username and password
            String username = null;
            String password = null;
            try {
                callbackHandler.handle(callbacks);
                username = ((NameCallback) callbacks[0]).getName();
                password =
                    new String(((PasswordCallback) callbacks[1]).getPassword());
            } catch (IOException e) {
                throw new LoginException(e.toString());
            } catch (UnsupportedCallbackException e) {
                throw new LoginException(e.toString());
            }
            // Returning false tells JAAS to ignore this module; throwing
            // FailedLoginException would be the more explicit way to report a bad password.
            if (!authenticate(username, password))
                return false;
            principal = new MyPrincipal(username);
            return true;
        }
        public boolean logout() throws LoginException {
            subject.getPrincipals().remove(principal);
            // the role added in commit() must be removed too, or it outlives the login
            subject.getPrincipals().remove(rolePrincipal);
            committed = false;
            principal = null;
            rolePrincipal = null;
            return (true);
        }
        boolean authenticate(String s, String p) {
            return (s.compareTo("jaas") == 0) && (p.compareTo("jaas") == 0);
        }
        static public void main(String args[]) throws Exception {
            LoginContext ctx = new LoginContext("TomCatAdminApplication");
            ctx.login();
        }
    }
    ---------my/MyPrincipal.java-------------------
    package my;
    public class MyPrincipal implements java.security.Principal {
        String m_Name = new String("");
        public MyPrincipal(String name) {
            m_Name = name;
        }
        // No class check here: a user principal named "admin" compares equal to the
        // "admin" MyRolePrincipal. JAASRealm tells them apart by class name, but a plain
        // Set<Principal> will not.
        public boolean equals(Object another) {
            try {
                MyPrincipal pm = (MyPrincipal) another;
                return pm.m_Name.equalsIgnoreCase(m_Name);
            } catch (Exception e) {
                return false;
            }
        }
        public String getName() {
            return m_Name;
        }
        // hashCode must agree with the case-insensitive equals() above
        public int hashCode() {
            return m_Name.toLowerCase().hashCode();
        }
        public String toString() {
            return m_Name;
        }
    }
    ------my/MyRolePrincipal.java-------------
    package my;
    public class MyRolePrincipal extends MyPrincipal {
        /** Creates a new instance of MyRolePrincipal */
        public MyRolePrincipal(String s) {
            super(s);
        }
    }
    1. Configure Tomcat Administration Application in server.xml
    <Context ..Tomcat Administration..>
         <Realm className="org.apache.catalina.realm.JAASRealm" debug="3" appName="TomCatAdminApplication" userClassNames="my.MyPrincipal" roleClassNames="my.MyRolePrincipal">
         </Realm>
    </Context>
    2. Configure the location of your JAAS configuration file in jre/lib/security/java.security
    like this:
    login.config.url.3=file:///d:/tomcats/tomcat410/auth.conf
    3. Configure JAAS - sequence for "TomCatAdminApplication" in file:///d:/tomcats/tomcat410/auth.conf
    like this:
    TomCatAdminApplication {
        my.MyLoginModule required;
    };
    4. That's it. Restart Tomcat, and go to admin-app with "jaas","jaas" ....debug and enjoy. After you
    got this working it is time to configure some more challenging login sequences....
    Kullervo

  • The weblogic.security.Security.runAs() and JAAS Subject

    Let's say that I have a Java client with some JAAS code that authenticates
    the user. The LoginContext generates a Subject containing the Principal
    name of the authenticated user, but also some private credentials that
    make the Subject secure.
    Now I want to call an EJB on WLS.
    Having JNDI (EJB) code inside a PrivilegedAction and using the
    weblogic.security.Security.runAs() method, I assume that the Subject is
    sent over the wire with the EJB call. If not, please correct me.
    Question is: How does WLS authenticate this call? What modules are
    called? IdentityAsserter? LoginModule? Is the Subject simply assumed
    "valid"? Any documentation describing how this is done?
    /Bo

    Hi,
    Problem is solved, we also got a security exception when we tried to call MBeans. For this to work we have to set
    -Dweblogic.disableMBeanAuthorization=true in the weblogic startup script so that our application can access MBeans.
    Thanks
    girish

  • JAAS, Subject and credentials

    Hi,
    I have to write a security framework for my J2EE application and it has to be
    portable between appservers. I'm thinking about using JAAS and programmatic security.
    I've written a LoginModule that does user authentication and loads all user credentials.
    These credentials are app specific classes like WindowPermission.
    How can I have access to these credentials from a servlet/EJB? Is there a way
    to get the Subject and not just the Principal from a servlet/EJB?
    Thanks,
    Leonardo

    Hi,
    That's what I think too. I guess the only way to get the credentials is to
    use a weblogic specific class that allows you to login an user from a servlet/jsp.
    It does return the Subject instead of a principal, so you can get the credentials...
    seems like we'd need to change the J2EE api to further integrate JAAS with it.
    Well... back to handling security on my own :\
    Regards,
    Leonardo Bueno
    "Utpal" <[email protected]> wrote:
    I think EJBContext.getCallerPrincipal() and
    HttpServletRequest.getRemoteUser() are the only method
    to get the principal. I don't think subject can be accessed in the
    EJB/Servlet using standard APIs.
    -utpal
    "Leonardo Bueno" <[email protected]> wrote in message
    news:3ef74da0$[email protected]..
    Hi,
    I have to write a security framework for my J2EE application and it has to be
    portable between appservers. I'm thinking about using JAAS and programmatic security.
    I've written a LoginModule that does user authentication and loads all user
    credentials.
    These credentials are app specific classes like WindowPermission.
    How can I have access to these credentials from a servlet/EJB? Is there a
    way to get the Subject and not just the Principal from a servlet/EJB?
    Thanks,
    Leonardo

  • CBO behaviour with stale statistics

    Hi,
    our company sells an application based on an Oracle database. One of our customers has reported what I regard as odd behaviour from the CBO. I wonder if anyone here can confirm my understanding of how the CBO uses statistics to determine the optimal execution plan.
    The reported issue is this:
    There are a number of large (100 million rows+) tables in the application; these are partitioned by date and are subject to both inserts and updates, and although theoretically any date could be the subject of a change, these tend to be concentrated towards the most recent dates. The customer analyses the tables with a sample size of 25% every few days. They claim that if they do not do this then the CBO starts choosing very non-optimal plans and this gets worse the longer that they leave it.
    As I understand it the CBO will use the statistics on a table. Even if those statistics are stale it does not have anything better to base a decision on so it must use the statistics that are there. In which case even though a plan may be chosen that is non-optimal given a new set of data, it should choose the same plan each time given the same query and the same set of statistics.
    Any thoughts?

    qwe10730 wrote:
    As I understand it the CBO will use the statistics on a table. Even if those statistics are stale it does not have anything better to base a decision on so it must use the statistics that are there. In which case even though a plan may be chosen that is non-optimal given a new set of data, it should choose the same plan each time given the same query and the same set of statistics.
    This could be a case of the query only looking the same. As you said, most of the action is about the last few days.
    If they only collect statistics every few days then as time passes they are going to be running queries about data that doesn't appear to exist.
    If you have queries for a single recent partition, then Oracle could produce a plan based on its expectation of a complete absence of data. If you have queries for yesterday's data when the statistics haven't been updated since last week Oracle will produce a plan based on the fact that the volume of data is probably less than it would have been a week ago. (etc.....)
    Doug Burns has started an interesting series of posts on partitioned tables and statistics - it may not cover all the details you need at present (he's only published 5 of a possible 10 posts so far). I've listed them here: http://jonathanlewis.wordpress.com/2010/03/17/partition-stats/ but the first one is here: http://oracledoug.com/serendipity/index.php?/archives/1562-Statistics-on-Partitioned-Tables-Part-1.html
    Regards
    Jonathan Lewis
    http://jonathanlewis.wordpress.com
    http://www.jlcomp.demon.co.uk
    To post code, statspack/AWR report, execution plans or trace files, start and end the section with the tag {noformat}{noformat} (lowercase, curly brackets, no spaces) so that the text appears in fixed format.
    There is a +"Preview"+ tab at the top of the text entry panel. Use this to check what your message will look like before you post the message. If it looks a complete mess you're unlikely to get a response. (Click on the +"Plain text"+ tab if you want to edit the text to tidy it up.)
    +"Science is more than a body of knowledge; it is a way of thinking"+
    +Carl Sagan+

  • Propagating JAAS Subject for startup classes

    Do startup classes have to login before they can access secured
    resources in WLS 6.0? I notice that WLS 6.0 asks for a password before
    starting the server. Is the "subject" created by that login somehow
    propagated to startup class threads (and their thread offspring) or does
    this have to be done manually?
    I want to try to set up startup classes using a security style similar
    to the Unix init process. It starts up as root and then starts its
    services/daemons using something like:
    su - foo-user foo-daemon
    The foo-daemon runs as foo-user and, in Unix, so does every process
    forked by the foo-daemon. I would like to use a parallel approach in
    WLS. Can it be done?
    Thanks,
    Tim Taylor

    Hi,
    That's what I think too. I guess the only way to get the credentials is to
    use a WebLogic-specific class that allows you to log in a user from a servlet/JSP.
    It does return the Subject instead of a principal, so you can get the credentials...
    seems like we'd need to change the J2EE API to further integrate JAAS with it.
    Well... back to handling security on my own :\
    Regards,
    Leonardo Bueno
    "Utpal" <[email protected]> wrote:
    I think EJBContext.getCallerPrincipal() and
    HttpServletRequest.getRemoteUser() are the only methods
    to get the principal. I don't think the Subject can be accessed in the
    EJB/Servlet using standard APIs.
    -utpal
    "Leonardo Bueno" <[email protected]> wrote in message
    news:3ef74da0$[email protected]..
    Hi,
    I have to write a security framework for my J2EE application and it has to be
    portable between appservers. I'm thinking about using JAAS and programmatic security.
    I've written a LoginModule that does user authentication and loads all user
    credentials.
    These credentials are app-specific classes like WindowPermission.
    How can I have access to these credentials from a servlet/EJB? Is there a way
    to get the Subject and not just the Principal from a servlet/EJB?
    Thanks,
    Leonardo
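As an added example (not code from any of the posts, nor from WebLogic) for the two questions above: the daemon-style startup task Tim asks about can be run under a chosen Subject with Subject.doAs, and, as Leonardo wants, code inside that call can retrieve the whole Subject and its app-specific credentials rather than only a Principal name. RolePrincipal, WindowPermission, buildSubject and canOpen are hypothetical names; the block uses only standard JAAS (javax.security.auth) and assumes a JDK where Subject.doAs/Subject.getSubject are still usable (recent JDKs deprecate them in favour of Subject.callAs/Subject.current). Whether a container binds the Subject this way for its own servlet/EJB threads is container-specific, which is the portability limit Utpal and Leonardo run into.

```java
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.Objects;
import javax.security.auth.Subject;

/* Hypothetical app-specific credential of the kind Leonardo describes. */
final class WindowPermission {
    final String window;
    WindowPermission(String window) { this.window = Objects.requireNonNull(window); }
}

/* Minimal Principal implementation (hypothetical); a LoginModule would add
   these to the Subject in its commit() phase. */
final class RolePrincipal implements Principal {
    private final String name;
    RolePrincipal(String name) { this.name = Objects.requireNonNull(name); }
    @Override public String getName() { return name; }
    @Override public String toString() { return "Role:" + name; }
}

public class SubjectDemo {
    /* What a LoginModule's commit() would do after a successful login():
       populate the Subject, then freeze it so nothing downstream can add
       principals or credentials to itself. */
    static Subject buildSubject(String role, String window) {
        Subject s = new Subject();
        s.getPrincipals().add(new RolePrincipal(role));
        s.getPublicCredentials().add(new WindowPermission(window));
        s.setReadOnly();
        return s;
    }

    /* Code running inside a Subject.doAs call can fetch the bound Subject from
       the AccessControlContext and inspect its credentials, not just a name. */
    static boolean canOpen(String window) {
        Subject s = Subject.getSubject(AccessController.getContext());
        if (s == null) return false;            // no Subject bound to this thread
        return s.getPublicCredentials(WindowPermission.class).stream()
                .anyMatch(p -> p.window.equals(window));
    }

    public static void main(String[] args) {
        // The "su - foo-user foo-daemon" analogy: run the task under this Subject.
        Subject daemon = buildSubject("backup-operator", "Reports");
        boolean inside = Subject.doAs(daemon,
                (PrivilegedAction<Boolean>) () -> canOpen("Reports"));
        boolean outside = canOpen("Reports");   // same check with no Subject bound
        System.out.println("inside doAs: " + inside + ", outside doAs: " + outside);
    }
}
```

Threads spawned from inside the doAs action inherit the context only if they are created with it captured (e.g. by running them inside the same doAs), so a startup class that forks its own worker threads should start them from within the privileged action.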
