Jazn permissions

Can anyone tell me how I can retrieve user permissions for a given user using the JAZN API? I am using the XML provider and have successfully added users, roles etc. and have granted permissions to the roles using the JAZN admin tool, but am struggling to obtain the permissions for the user from my code. I am using version 10.1.2 of the OAS JAAS provider API. A code sample would be very helpful!
While investigating the API I have come across a couple of strange things; perhaps you could explain these as well. If I try to use RoleManager.getGrantees(), it returns a set of XMLRealmUser objects rather than Grantee objects as the documentation suggests it should, which I obviously cannot cast into a Grantee object for further use, e.g. in JAZNContext.getPolicy().getPermissions().
Also, if I try to create a Grantee with...
Realm r = JAZNContext.getRealmManager().getRealm("jazn.com");
final RealmUser ru = r.getUserManager().getUser(user);
Grantee g = new Grantee( (Principal) ru);
the code does not compile, as it cannot access oracle.ldap.util.Guid!? Any help would be much appreciated.

Thanks Frank!
Only to make sure I understand you correctly (English is not my first language :)):
I use
package com.ssn.web.login.principals;
import [+]
public class SSNRolePrincipal implements RolePrincipal, Serializable {
...role principal class in my LoginModule.
So, for everything to work correctly, you are saying that the principal in the system-jazn-data.xml file like
     <grant>
          <grantee>
               <principals>
                    <principal>
                         <realm-name>jazn.com</realm-name>
                         <type>role</type>
                         <class>oracle.security.jazn.spi.xml.XMLRealmRole</class>
                         <name>ONE_OF_THE_ROLES</name>
                    </principal>
               </principals>
          </grantee>
          <permissions>
...should be changed to
     <grant>
          <grantee>
               <principals>
                    <principal>
                         <realm-name>jazn.com</realm-name>
                         <type>role</type>
                         <class>com.ssn.web.login.principals.SSNRolePrincipal</class>
                         <name>ONE_OF_THE_ROLES</name>
                    </principal>
               </principals>
          </grantee>
          <permissions>
Kind regards,
BB
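As an added example (not code from the thread or from Oracle's JAZN provider), the lookup the original question asks for, done offline against a system-jazn-data.xml document instead of through the JAZN API: resolve the user's roles from the realm, then collect the permissions of every grant whose principal matches. The sample document is constructed; its realm/users/roles layout and the rule that a grant principal must match on class as well as realm, type and name (the point BB raises about the custom SSNRolePrincipal) are assumptions based on how the OC4J XML provider behaves.

```python
import xml.etree.ElementTree as ET

# Principal classes the OC4J XML provider uses (quoted in the thread).
XML_USER_CLASS = "oracle.security.jazn.spi.xml.XMLRealmUser"
XML_ROLE_CLASS = "oracle.security.jazn.spi.xml.XMLRealmRole"

# Constructed sample in the system-jazn-data.xml layout quoted in the thread;
# the realm/users/roles section is assumed from the OC4J XML provider format.
SAMPLE_JAZN_DATA = """<?xml version="1.0"?>
<jazn-data>
  <jazn-realm>
    <realm>
      <name>jazn.com</name>
      <users><user><name>frank</name></user><user><name>bb</name></user></users>
      <roles>
        <role>
          <name>ONE_OF_THE_ROLES</name>
          <members><member><type>user</type><name>frank</name></member></members>
        </role>
        <role>
          <name>oc4j-app-administrators</name>
          <members>
            <member><type>user</type><name>frank</name></member>
            <member><type>user</type><name>bb</name></member>
          </members>
        </role>
      </roles>
    </realm>
  </jazn-realm>
  <jazn-policy>
    <grant>
      <grantee><principals><principal>
        <realm-name>jazn.com</realm-name>
        <type>role</type>
        <class>oracle.security.jazn.spi.xml.XMLRealmRole</class>
        <name>ONE_OF_THE_ROLES</name>
      </principal></principals></grantee>
      <permissions><permission>
        <class>java.io.FilePermission</class>
        <name>/tmp/test.txt</name>
        <actions>read</actions>
      </permission></permissions>
    </grant>
    <grant>
      <grantee><principals><principal>
        <realm-name>jazn.com</realm-name>
        <type>role</type>
        <class>oracle.security.jazn.spi.xml.XMLRealmRole</class>
        <name>oc4j-app-administrators</name>
      </principal></principals></grantee>
      <permissions><permission>
        <class>com.evermind.server.rmi.RMIPermission</class>
        <name>login</name>
      </permission></permissions>
    </grant>
  </jazn-policy>
</jazn-data>
"""


def roles_of_user(root, realm, user):
    """Names of the roles in `realm` that list `user` as a direct member."""
    roles = set()
    for r in root.findall("./jazn-realm/realm"):
        if r.findtext("name") != realm:
            continue
        for role in r.findall("./roles/role"):
            members = role.findall("./members/member")
            if any(m.findtext("type") == "user" and m.findtext("name") == user
                   for m in members):
                roles.add(role.findtext("name"))
    return roles


def effective_permissions(xml_text, realm, user,
                          user_class=XML_USER_CLASS, role_class=XML_ROLE_CLASS):
    """Sorted (class, name, actions) tuples granted to `user` directly or via roles.

    A grant principal matches only when realm, type, name and class all agree,
    so a custom LoginModule principal class must also appear in the grant's <class>.
    """
    root = ET.fromstring(xml_text)
    expected = {"user": (user_class, {user}),
                "role": (role_class, roles_of_user(root, realm, user))}
    perms = set()
    for grant in root.findall("./jazn-policy/grant"):
        for p in grant.findall("./grantee/principals/principal"):
            ptype = p.findtext("type")
            if p.findtext("realm-name") != realm or ptype not in expected:
                continue
            cls, names = expected[ptype]
            if p.findtext("class") != cls or p.findtext("name") not in names:
                continue
            for perm in grant.findall("./permissions/permission"):
                perms.add((perm.findtext("class") or "", perm.findtext("name") or "",
                           perm.findtext("actions") or ""))
            break  # one matching principal is enough for this grant
    return sorted(perms)
```

Running it with role_class set to the custom class from BB's LoginModule returns nothing for the unchanged file, which is exactly the symptom the thread describes before the <class> element is edited.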

Similar Messages

  • Remote Deployment permissions

    Hi all,
    I want to do a remote deployment from my PC to a cluster on different machines using the admin_client.jar file.
    The example in the OC4J Deployment Guide is this:
    java -jar admin_client.jar
    deployer:oc4j:opmn://test-cycle.oracle.com/testunit
    oc4jadmin welcome1
    -deploy
    -file d:\temp\rupg\testru.ear
    -deploymentName testru -bindAllWebApps
    As you can see, the example uses the oc4jadmin account to do a remote deployment.
    That also works for me. However, when I use another test account that is not a member of the oc4j-administrators role (see system-jazn-data.xml) I get the following error:
    FINER: RMIConnection.writeDisconnectMessage Preparing to send disconnect message: Login failed Not authorized
    FINE: RMIClient.lookup Failed during lookupjavax.naming.AuthenticationException: Not authorized
    at oracle.oc4j.rmi.ClientRmiTransport.connectToServer(ClientRmiTransport.java:100)
    ...
    I already tried making the test account a member of the oc4j-app-administrators role. This gives the test account only com.evermind.server.rmi.RMIPermission Login.
    However, a -validateURI or -deploy using the admin_client.jar still fails.
    So my question is: Is there a list available somewhere of all the (JAZN) permissions needed to do a remote deployment? I couldn't find such a list in the deployment guide (10.1.3.4.0) ...
    Regards,
    Ronald Wouters

    I found a solution to this problem.
    The problem was that I was trying to do a remote deploy NOT to the default "home" oc4j instance but to another oc4j instance that I created in the same application server instance. I had given my test user only "RMIPermission login". However, this test user was defined only in the system-jazn-data.xml of the "home" oc4j instance.
    I simply copied this xml over to the other oc4j instance, thereby setting up the same users, roles and permissions in the new oc4j instance as in the home instance.
    After restarting the appserver, remote deployment using my test account worked just fine.
    I'm pretty sure this is not the "official" way to do this because in a production environment you would probably not even have write permissions to the directory containing these xml files.
    Can anyone tell me if the javasso stuff that I read about in the config and admin manual could be the "official" way to solve this kind of problem ? Or am I way off base here ?
    Any insight would be much appreciated.
    Regards.

  • AccessControlException: applet, BC4J(as session bean),oracle db, on same server.

    My environment:
    jdev9i_902
    JDK1.3
    oracle 9i
    oc4j (JDeveloper oc4j)
    Everything is on the same machine.
    I have a BC4J deployed as a Session Bean (BMT) on standalone oc4j (JDeveloper oc4j) and an applet deployed to oc4j.
    (I have gone through the HOW TO: Applet Deployment for JDev 3.1.)
    When I try to run the applet from IE (http://myhomeURL:8888/myroot/applet.html), I get the following error (it seems that the applet thinks the Oracle DB is on a different server than the app server):
    java.lang.ExceptionInInitializerError: java.security.AccessControlException: access denied (java.util.PropertyPermission tunneling.shortcut read)
         at java.security.AccessControlContext.checkPermission(Unknown Source)
         at java.security.AccessController.checkPermission(Unknown Source)
         at java.lang.SecurityManager.checkPermission(Unknown Source)
         at java.lang.SecurityManager.checkPropertyAccess(Unknown Source)
         at java.lang.System.getProperty(Unknown Source)
         at java.lang.Boolean.getBoolean(Unknown Source)
         at com.evermind.server.rmi.RMIInitialContextFactory.<clinit>(RMIInitialContextFactory.java:34)
         at java.lang.Class.forName0(Native Method)
         at java.lang.Class.forName(Unknown Source)
         at com.sun.naming.internal.VersionHelper12.loadClass(Unknown Source)
         at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
         at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
         at javax.naming.InitialContext.init(Unknown Source)
         at javax.naming.InitialContext.<init>(Unknown Source)
         at oracle.jbo.client.remote.ejb.ias.AmHomeImpl.remoteLookup(AmHomeImpl.java:101)
         at oracle.jbo.client.remote.ejb.ias.AmHomeImpl.initRemoteHome(AmHomeImpl.java:68)
         at oracle.jbo.client.remote.ejb.ias.AmHomeImpl.<init>(AmHomeImpl.java:41)
         at oracle.jbo.client.remote.ejb.ias.InitialContextImpl.createJboHome(InitialContextImpl.java:17)
         at oracle.jbo.common.JboInitialContext.lookup(JboInitialContext.java:72)
         at javax.naming.InitialContext.lookup(Unknown Source)
         at oracle.jbo.common.ampool.DefaultConnectionStrategy.createApplicationModule(DefaultConnectionStrategy.java:102)
         at oracle.jbo.common.ampool.DefaultConnectionStrategy.createApplicationModule(DefaultConnectionStrategy.java:62)
         at oracle.jbo.common.ampool.ApplicationPoolImpl.instantiateResource(ApplicationPoolImpl.java:1431)
         at oracle.jbo.pool.ResourcePool.createResource(ResourcePool.java:290)
         at oracle.jbo.common.ampool.ApplicationPoolImpl.doCheckout(ApplicationPoolImpl.java:1082)
         at oracle.jbo.common.ampool.ApplicationPoolImpl.useApplicationModule(ApplicationPoolImpl.java:1669)
         at oracle.jbo.common.ampool.SessionCookieImpl.useApplicationModule(SessionCookieImpl.java:289)
         at oracle.jbo.common.ampool.SessionCookieImpl.useApplicationModule(SessionCookieImpl.java:269)
         at oracle.jbo.uicli.mom.JUMetaObjectManager.createApplicationObject(JUMetaObjectManager.java:345)
         at mypackage6.AppletBestill1View.init(AppletBestill1View.java:88)
         at sun.applet.AppletPanel.run(Unknown Source)
         at java.lang.Thread.run(Unknown Source)
    cheers
    Russel

    Russel,
    You are seeing bug 2087789. During JNDI lookup, certain system properties are being read. Since you are running in a sandbox environment, an AccessControlException is being thrown.
    You will have to either sign your jar files or provide a policy file on the client side which will relax some of the restrictions.
    A sample Java2 policy file follows:
    /** Java2 policy for JAZN/OC4J **/
    /** INSTRUCTIONS **/
    /** - set ${oracle.ons.oraclehome} to your $ORACLE_HOME **/
    /**   (this is automatically set by OPMN) **/
    /** - set ${localhost.ip} to your OC4J machine's IP address **/
    /** - set ${oidhost.ip} to your OID machine's IP address **/
    grant codebase "file:${oracle.ons.oraclehome}/-" {
        permission java.lang.RuntimePermission "createSecurityManager";
        permission java.lang.RuntimePermission "setSecurityManager";
        permission java.lang.RuntimePermission "createClassLoader";
        permission java.util.PropertyPermission "*", "read";
        permission java.io.SerializablePermission "enableSubstitution";
    };
    /* JAAS */
    grant codebase "file:${java.home}/jre/lib/ext/jaas.jar" {
        permission java.security.AllPermission;
    };
    /* JAAS Login Modules */
    grant codebase "file:${java.home}/jre/lib/ext/jaasmod.jar" {
        permission java.security.AllPermission;
    };
    /* JAZN */
    grant codebase "file:${oracle.ons.oraclehome}/j2ee/home/jazn.jar" {
        permission java.security.AllPermission;
    };
    /* OC4J */
    grant codebase "file:${oracle.ons.oraclehome}/j2ee/home/oc4j.jar" {
        permission java.security.AllPermission;
    };
    /* DMS - J2EE */
    grant codebase "file:${oracle.ons.oraclehome}/lib/dms.jar" {
        permission java.security.AllPermission;
    };
    /* DMS - IAS */
    grant codebase "file:${oracle.ons.oraclehome}/dms/lib/dms.jar" {
        permission java.security.AllPermission;
    };
    /* ONS */
    grant codebase "file:${oracle.ons.oraclehome}/opmn/lib/ons.jar" {
        permission java.security.AllPermission;
    };
    /* JDBC */
    grant codebase "file:${oracle.ons.oraclehome}/jdbc/lib/classes12.jar" {
        permission java.security.AllPermission;
    };
    /* OJSP */
    grant codebase "file:${oracle.ons.oraclehome}/j2ee/home/lib/ojsp.jar" {
        permission java.security.AllPermission;
    };
    /* tools.jar - for compiling JSPs */
    grant codebase "file:${oracle.ons.oraclehome}/j2ee/home/tools.jar" {
        permission java.security.AllPermission;
    };
    /* J2EE/home */
    grant codebase "file:${oracle.ons.oraclehome}/j2ee/home/-" {
        /* DMS grants */
        permission java.io.FilePermission "${oracle.ons.oraclehome}/j2ee/-", "write,delete";
        permission java.util.PropertyPermission "oracle.*", "read,write";
        permission java.util.PropertyPermission "java.protocol.handler.pkgs", "read,write";
        permission java.util.PropertyPermission "transaction.log", "read";
        permission java.lang.RuntimePermission "createClassLoader";
        permission java.lang.RuntimePermission "setContextClassLoader";
        permission java.util.PropertyPermission "http.singlethreaded.maxsize", "read";
        permission java.util.PropertyPermission "*", "read,write";
        /* Default Grants to get things going */
        permission java.security.SecurityPermission "*";
        permission java.io.FilePermission "<<ALL FILES>>", "read";
        permission java.lang.RuntimePermission "getProtectionDomain";
        permission java.lang.RuntimePermission "getClassLoader";
        permission java.lang.RuntimePermission "loadLibrary.ldapjclnt9";
        permission javax.security.auth.AuthPermission "createLoginContext";
        permission javax.security.auth.AuthPermission "doAs";
        permission javax.security.auth.AuthPermission "doAsPrivileged";
        permission javax.security.auth.AuthPermission "getSubject";
        permission javax.security.auth.AuthPermission "getSubjectFromDomainCombiner";
        permission javax.security.auth.AuthPermission "getLoginConfiguration";
        permission javax.security.auth.AuthPermission "getPolicy";
        permission javax.security.auth.AuthPermission "modifyPrincipals";
        permission java.util.PropertyPermission "java.home", "read";
        permission java.util.PropertyPermission "user.home", "read";
        permission java.util.PropertyPermission "user.dir", "read,write";
        permission java.util.PropertyPermission "java.security.auth.policy", "read,write";
        permission java.net.SocketPermission "*.us.oracle.com", "accept,resolve";
        permission java.net.SocketPermission "127.0.0.1", "accept,connect,resolve";
        permission java.net.SocketPermission "${localhost.ip}", "accept,connect,resolve";
        permission java.net.SocketPermission "${oidhost.ip}", "accept,connect,resolve";
        /* JAZN Permissions */
        permission oracle.security.jazn.JAZNPermission "getCredentials";
        permission oracle.security.jazn.JAZNPermission "setCredentials";
        permission oracle.security.jazn.JAZNPermission "getClearCredentials";
        permission oracle.security.jazn.JAZNPermission "setClearCredentialsNoCheck";
        permission oracle.security.jazn.JAZNPermission "getProperty.*";
        permission oracle.security.jazn.JAZNPermission "getPolicy";
        permission oracle.security.jazn.JAZNPermission "getRealmManager";
        permission oracle.security.jazn.policy.AdminPermission "java.io.FilePermission$/tmp/*$read,write";
        permission oracle.security.jazn.policy.AdminPermission "java.io.FilePermission$/teams/jazn/*$read,write";
        permission oracle.security.jazn.policy.AdminPermission "oracle.security.jazn.realm.RealmPermission$*$createRealm,dropRealm,createRole,dropRole,modifyRealmMetaData";
        permission oracle.security.jazn.realm.RealmPermission "*", "createRealm";
        permission oracle.security.jazn.realm.RealmPermission "*", "dropRealm";
        permission oracle.security.jazn.realm.RealmPermission "*", "createRole";
        permission oracle.security.jazn.realm.RealmPermission "*", "dropRole";
        permission oracle.security.jazn.realm.RealmPermission "*", "modifyRealmMetaData";
        permission oracle.security.jazn.policy.RoleAdminPermission "*";
        permission oracle.security.jazn.policy.AdminPermission "oracle.security.jazn.policy.RoleAdminPermission$*";
    };
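An added audit helper, not code from the thread or from Oracle: it parses a policy file in the syntax of the sample above and reports, per grant block, which entries on their own let that code base step outside the sandbox (AllPermission, SecurityPermission "*", FilePermission "<<ALL FILES>>", writable PropertyPermission "*", setSecurityManager/createClassLoader). The excerpt it runs on is constructed from grants quoted in the reply, and the parser handles only the grant/codebase/permission forms seen there.

```python
import re

# Constructed excerpt in the shape of the Java2 policy posted in the reply above.
SAMPLE_POLICY = r'''
/** Java2 policy for JAZN/OC4J (constructed excerpt) **/
grant codebase "file:${oracle.ons.oraclehome}/-" {
    permission java.lang.RuntimePermission "createSecurityManager";
    permission java.lang.RuntimePermission "setSecurityManager";
    permission java.util.PropertyPermission "*", "read";
};
/* JAZN */
grant codebase "file:${oracle.ons.oraclehome}/j2ee/home/jazn.jar" {
    permission java.security.AllPermission;
};
/* J2EE/home */
grant codebase "file:${oracle.ons.oraclehome}/j2ee/home/-" {
    permission java.io.FilePermission "${oracle.ons.oraclehome}/j2ee/-", "write,delete";
    permission java.util.PropertyPermission "*", "read,write";
    permission java.security.SecurityPermission "*";
    permission java.io.FilePermission "<<ALL FILES>>", "read";
    permission java.net.SocketPermission "127.0.0.1", "accept,connect,resolve";
    permission oracle.security.jazn.JAZNPermission "getPolicy";
};
grant {
    permission java.util.PropertyPermission "java.home", "read";
};
'''

# Only the forms used in the posted file are handled: block and line comments,
# optional `codebase "..."`, and `permission Class ["target"[, "actions"]];`.
# A codebase URL containing "//" would need a real tokenizer, not this regex.
COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*", re.S)
GRANT_RE = re.compile(r'grant\s*(?:codebase\s+"([^"]*)")?\s*\{(.*?)^\s*\}\s*;',
                      re.S | re.M)
PERM_RE = re.compile(r'permission\s+([\w.$]+)(?:\s+"([^"]*)")?(?:\s*,\s*"([^"]*)")?\s*;')

# (class, target, required action); None means "any value".
BROAD = {
    ("java.security.AllPermission", None, None),
    ("java.security.SecurityPermission", "*", None),
    ("java.io.FilePermission", "<<ALL FILES>>", None),
    ("java.util.PropertyPermission", "*", "write"),
    ("java.lang.RuntimePermission", "setSecurityManager", None),
    ("java.lang.RuntimePermission", "createClassLoader", None),
}


def parse_policy(text):
    """Return [(codebase_or_None, [(class, target, actions), ...]), ...]."""
    text = COMMENT_RE.sub("", text)
    grants = []
    for m in GRANT_RE.finditer(text):
        perms = [(c, t, a) for c, t, a in PERM_RE.findall(m.group(2))]
        grants.append((m.group(1), perms))
    return grants


def broad_permissions(perms):
    """Subset of `perms` matching the BROAD table, in file order."""
    flagged = []
    for cls, target, actions in perms:
        for bcls, btarget, baction in BROAD:
            if cls == bcls and btarget in (None, target) \
               and (baction is None or baction in actions.split(",")):
                flagged.append((cls, target, actions))
                break
    return flagged


def audit(text):
    """Per grant block: (codebase, number of entries, broad entries)."""
    return [(cb, len(perms), broad_permissions(perms))
            for cb, perms in parse_policy(text)]
```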

  • 9.0.2 JAZN SSO doasprivileged-mode=true  does not work

    I've been trying to deploy an application to my "fresh" 9iR2 App Server that has been installed on Solaris 8 with all the 9.0.2 patches. (I also have a second Solaris 8 machine with the 9iR2 Infrastructure installed, also patched up to the latest rev of 9.0.2.) I'm deploying my EAR file with the Enterprise Manager deployment tool, and it works great (except for the following problem). I want to make my servlets run in "doasprivileged-mode" as described in
    http://otn.oracle.com/tech/java/oc4j/doc_library/902/servicesjun02/jaas_j2a.htm
    I believe I have everything set up correctly, but when I try (in my servlet) to access JAAS like this:
    AccessControlContext acc = AccessController.getContext()
    OR do this:
    AccessController.checkPermission(new FilePermission("/tmp/test.txt", "read"));
    I get the following exception in my browser and then another exception in the opmn log. I believe the root cause is this: "The system is unable to retreive the specified role(s)." But I have no idea what role it's talking about... When I run the JAZN shell commands and look around in the "llnl" realm, I see the AUTHENTICATED_USERS group, and the user I'm logging into SSO as is a member of this group.
    Thanks for any info/help on this matter. Also, if someone has a working example that shows the use of doasprivileged-mode="true", that would really help. The callerInfo and ssoInfo examples don't seem to address this additional use of the JAAS environment (past asking the HttpServletRequest for the Principal object).
    --Leif
    java.security.PrivilegedActionException: javax.servlet.ServletException: A JAZN internal error has occurred.
         at oracle.security.jazn.oc4j.JAZNFilter$1.run(JAZNFilter.java:256)
         at java.security.AccessController.doPrivileged(Native Method)
         at javax.security.auth.Subject.doAsPrivileged(Subject.java:558)
         at oracle.security.jazn.oc4j.JAZNFilter.doFilter(JAZNFilter.java:269)
         at com.evermind[Oracle9iAS (9.0.2.0.0) Containers for J2EE].server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java:523)
         at com.evermind[Oracle9iAS (9.0.2.0.0) Containers for J2EE].server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java:269)
         at com.evermind[Oracle9iAS (9.0.2.0.0) Containers for J2EE].server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:735)
         at com.evermind[Oracle9iAS (9.0.2.0.0) Containers for J2EE].server.http.AJPRequestHandler.run(AJPRequestHandler.java:151)
         at com.evermind[Oracle9iAS (9.0.2.0.0) Containers for J2EE].util.ThreadPoolThread.run(ThreadPoolThread.java:64)
    Root cause is; java.lang.IllegalStateException: A JAZN internal error has occurred.
         at oracle.security.jazn.spi.ldap.LDAPGranteeEntry.checkValidity(LDAPGranteeEntry.java:286)
         at oracle.security.jazn.spi.ldap.LDAPGranteeEntry.getGranteeEntry(LDAPGranteeEntry.java:297)
         at oracle.security.jazn.spi.ldap.LDAPLocalPolicy.getGrantees(LDAPLocalPolicy.java:316)
         at oracle.security.jazn.spi.ldap.LDAPLocalPolicy.getGranteeEntries(LDAPLocalPolicy.java:264)
         at oracle.security.jazn.spi.ldap.LDAPLocalPolicy.getPermissions(LDAPLocalPolicy.java:1029)
         at oracle.security.jazn.spi.ldap.LDAPJAZNPolicy.getPermissions(LDAPJAZNPolicy.java:649)
         at oracle.security.jazn.spi.ldap.LDAPJAZNPolicy.getPermissions(LDAPJAZNPolicy.java:680)
         at oracle.security.jazn.spi.PolicyProvider.getPermissions(PolicyProvider.java:218)
         at javax.security.auth.SubjectDomainCombiner$3.run(SubjectDomainCombiner.java:253)
         at java.security.AccessController.doPrivileged(Native Method)
         at javax.security.auth.SubjectDomainCombiner.combine(SubjectDomainCombiner.java:249)
         at java.security.AccessControlContext.goCombiner(AccessControlContext.java:516)
         at java.security.AccessControlContext.combineWithPrivilegedContext(AccessControlContext.java:305)
         at java.security.AccessControlContext.optimize(AccessControlContext.java:404)
         at java.security.AccessController.checkPermission(AccessController.java:398)
         at gov.llnl.ais.test.TestServlet.doPost(TestServlet.java:59)
         at gov.llnl.ais.test.TestServlet.doGet(TestServlet.java:44)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:244)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:336)
         at com.evermind[Oracle9iAS (9.0.2.0.0) Containers for J2EE].server.http.ResourceFilterChain.doFilter(ResourceFilterChain.java:59)
         at oracle.security.jazn.oc4j.JAZNFilter$1.run(JAZNFilter.java:252)
         at java.security.AccessController.doPrivileged(Native Method)
         at javax.security.auth.Subject.doAsPrivileged(Subject.java:558)
         at oracle.security.jazn.oc4j.JAZNFilter.doFilter(JAZNFilter.java:269)
         at com.evermind[Oracle9iAS (9.0.2.0.0) Containers for J2EE].server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java:523)
         at com.evermind[Oracle9iAS (9.0.2.0.0) Containers for J2EE].server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java:269)
         at com.evermind[Oracle9iAS (9.0.2.0.0) Containers for J2EE].server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:735)
         at com.evermind[Oracle9iAS (9.0.2.0.0) Containers for J2EE].server.http.AJPRequestHandler.run(AJPRequestHandler.java:151)
         at com.evermind[Oracle9iAS (9.0.2.0.0) Containers for J2EE].util.ThreadPoolThread.run(ThreadPoolThread.java:64)
    I also get this exception in $ORACLE_HOME/opmn/logs/home.default_island.1
    java.lang.reflect.InvocationTargetException: oracle.security.jazn.JAZNException: The system is unable to retreive the specified role(s).
         at oracle.security.jazn.spi.ldap.LDAPRealmRole.<init>(LDAPRealmRole.java:91)
         at java.lang.reflect.Constructor.newInstance(Native Method)
         at oracle.security.jazn.spi.ldap.LDAPGranteeEntry.init(LDAPGranteeEntry.java:218)
         at oracle.security.jazn.spi.ldap.LDAPGranteeEntry.<init>(LDAPGranteeEntry.java:121)
         at oracle.security.jazn.spi.ldap.LDAPGranteeEntry.<init>(LDAPGranteeEntry.java:116)
         at oracle.security.jazn.spi.ldap.LDAPLocalPolicy.getGrantees(LDAPLocalPolicy.java:315)
         at oracle.security.jazn.spi.ldap.LDAPLocalPolicy.getGranteeEntries(LDAPLocalPolicy.java:264)
         at oracle.security.jazn.spi.ldap.LDAPLocalPolicy.getPermissions(LDAPLocalPolicy.java:1029)
         at oracle.security.jazn.spi.ldap.LDAPJAZNPolicy.getPermissions(LDAPJAZNPolicy.java:649)
         at oracle.security.jazn.spi.ldap.LDAPJAZNPolicy.getPermissions(LDAPJAZNPolicy.java:680)
         at oracle.security.jazn.spi.PolicyProvider.getPermissions(PolicyProvider.java:218)
         at javax.security.auth.SubjectDomainCombiner$3.run(SubjectDomainCombiner.java:253)
         at java.security.AccessController.doPrivileged(Native Method)
         at javax.security.auth.SubjectDomainCombiner.combine(SubjectDomainCombiner.java:249)
         at java.security.AccessControlContext.goCombiner(AccessControlContext.java:516)
         at java.security.AccessControlContext.combineWithPrivilegedContext(AccessControlContext.java:305)
         at java.security.AccessControlContext.optimize(AccessControlContext.java:404)
         at java.security.AccessController.checkPermission(AccessController.java:398)
         at gov.llnl.ais.test.TestServlet.doPost(TestServlet.java:59)
         at gov.llnl.ais.test.TestServlet.doGet(TestServlet.java:44)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:244)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:336)
         at com.evermind.server.http.ResourceFilterChain.doFilter(ResourceFilterChain.java:59)
         at oracle.security.jazn.oc4j.JAZNFilter$1.run(JAZNFilter.java:252)
         at java.security.AccessController.doPrivileged(Native Method)
         at javax.security.auth.Subject.doAsPrivileged(Subject.java:558)
         at oracle.security.jazn.oc4j.JAZNFilter.doFilter(JAZNFilter.java:269)
         at com.evermind.server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java:523)
         at com.evermind.server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java:269)
         at com.evermind.server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:735)
         at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:151)
         at com.evermind.util.ThreadPoolThread.run(ThreadPoolThread.java:64)
    Here are my XML files:
    === application.xml start ===
    <?xml version="1.0" encoding="windows-1252"?>
    <!DOCTYPE application PUBLIC "-//Sun Microsystems, Inc.//DTD J2EE Application 1.2//EN" "http://java.sun.com/j2ee/dtds/application_1_2.dtd">
    <application>
         <display-name>TestMe</display-name>
         <module>
              <web>
                   <web-uri>test.war</web-uri>
                   <context-root>/testme</context-root>
              </web>
         </module>
         <security-role>
              <role-name>users</role-name>
         </security-role>
    </application>
    === application.xml end ===
    === orion-application.xml start ===
    <?xml version="1.0" encoding="windows-1252"?>
    <!DOCTYPE orion-application PUBLIC "-//Evermind//DTD J2EE Application runtime 1.2//EN" "http://xmlns.oracle.com/ias/dtds/orion-application.dtd">
    <orion-application>
         <web-module id="test" path="test.war"/>
         <security-role-mapping name="users">
              <group name="llnl/AUTHENTICATED_USERS"/>
         </security-role-mapping>
         <persistence path="persistence"/>
         <log>
              <file path="application.log"/>
         </log>
         <!-- use JAZN-XML by default
         <jazn provider="XML" location="./jazn-data.xml"/> -->
         <!-- use JAZN-LDAP instead -->
         <jazn provider="LDAP" default-realm="llnl" location="my-ldap-server-is-here"/>
         <namespace-access>
              <read-access>
                   <namespace-resource root="">
                        <security-role-mapping impliesAll="true" name="&lt;jndi-user-role&gt;">
                             <group name="administrators"/>
                        </security-role-mapping>
                   </namespace-resource>
              </read-access>
              <write-access>
                   <namespace-resource root="">
                        <security-role-mapping impliesAll="true" name="&lt;jndi-user-role&gt;">
                             <group name="administrators"/>
                        </security-role-mapping>
                   </namespace-resource>
              </write-access>
         </namespace-access>
    </orion-application>
    === orion-application.xml end ===
    === orion-web.xml start ===
    <?xml version="1.0"?>
    <!DOCTYPE orion-web-app PUBLIC "-//Evermind//DTD Orion Web Application 2.3//EN" "http://xmlns.oracle.com/ias/dtds/orion-web.dtd">
    <orion-web-app>
         <jazn-web-app auth-method="SSO" runas-mode="true" doasprivileged-mode="true"/>
    </orion-web-app>
    === orion-web.xml end ===
    === web.xml start ===
    <?xml version="1.0"?>
    <!DOCTYPE web-app SYSTEM "http://java.sun.com/dtd/web-app_2_3.dtd">
    <web-app>
         <servlet>
              <servlet-name>TestServlet</servlet-name>
              <servlet-class>gov.llnl.ais.test.TestServlet</servlet-class>
              <security-role-ref>
                   <role-name>users</role-name>
                   <role-link>users</role-link>
              </security-role-ref>
              <!--          <run-as>
              <role-name>users</role-name>
              </run-as> -->
         </servlet>
         <servlet-mapping>
              <servlet-name>TestServlet</servlet-name>
              <url-pattern>/test</url-pattern>
         </servlet-mapping>
         <welcome-file-list>
              <welcome-file>index.jsp</welcome-file>
         </welcome-file-list>
         <error-page>
              <error-code>404</error-code>
              <location>/error.jsp</location>
         </error-page>
         <security-constraint>
              <web-resource-collection>
                   <web-resource-name>authenticated</web-resource-name>
                   <url-pattern>/test</url-pattern>
              </web-resource-collection>
              <auth-constraint>
                   <role-name>users</role-name>
              </auth-constraint>
         </security-constraint>
         <login-config>
              <auth-method>BASIC</auth-method>
         </login-config>
         <security-role>
              <role-name>users</role-name>
         </security-role>
    </web-app>
    === web.xml end ===
    === TestServlet.java start ===
    package gov.llnl.ais.test;
    import java.io.FilePermission;
    import java.io.IOException;
    import java.io.PrintWriter;
    import javax.security.auth.Subject;
    import javax.security.auth.SubjectDomainCombiner;
    import javax.security.auth.login.LoginContext;
    import javax.security.auth.login.LoginException;
    import javax.servlet.http.HttpServlet;
    import java.security.AccessControlContext;
    import java.security.AccessController;
    import java.security.DomainCombiner;
    import java.security.Principal;
    import java.util.Iterator;
    import java.util.Set;
    import oracle.security.jazn.oc4j.JAZNUserAdaptor;
    public class TestServlet extends HttpServlet {
         /**
          * Constructor for TestServlet.
          */
         public TestServlet() {
              super();
         }
         /**
          * @param request
          * @param response
          */
         public void doGet(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) throws IOException {
              doPost(request, response);
         }
         public void doPost(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) throws IOException {
              PrintWriter pw = response.getWriter();
              pw.println("<html><head><title>Hi</title><body>Hi there dude<br>You are:");
              pw.println(request.getRemoteUser());
              Principal p = request.getUserPrincipal();
              if (p instanceof JAZNUserAdaptor) {
                   JAZNUserAdaptor jaznuser = (JAZNUserAdaptor) p;
                   pw.println("<br>SSO user DN [RealmPrincipal.getFullName] = " + jaznuser.getFullName() + "<br>");
                   pw.println("Subscriber name [Realm.getName] = " + jaznuser.getRealm().getName() + "<br>");
                   pw.println("Subscriber DN [Realm.getFullName] = " + jaznuser.getRealm().getFullName() + "<p>");
              }
              // This is the permission check that triggers the JAZN internal error in the stack traces above.
              AccessController.checkPermission(new FilePermission("/tmp/test.txt", "read"));
              Subject subject = null;
              AccessControlContext acc = AccessController.getContext();
              subject = Subject.getSubject(acc);
              if (subject == null) {
                   pw.println("Subject via AccessControlContext is null.<br>");
                   DomainCombiner dc = acc.getDomainCombiner();
                   if (dc instanceof SubjectDomainCombiner) {
                        subject = ((SubjectDomainCombiner) dc).getSubject();
                   }
              }
              if (subject == null) {
                   pw.println("Subject via DomainCombiner is null.<br>");
              }
              if (subject != null) {
                   Set principals = subject.getPrincipals();
                   Iterator principalsIterator = principals.iterator();
                   while (principalsIterator.hasNext()) {
                        Principal principal = (Principal) principalsIterator.next();
                        pw.println("Principal: " + principal.toString() + "<br>");
                   }
              }
              pw.println("</body></html>");
         }
    }
    === TestServlet.java end ===

    More info...
    When I go into the JAZN tool via:
    java -jar jazn.jar -shell
    Then do this:
    JAZN:> cd realms/llnl/roles/AUTHENTICATED_USERS
    JAZN:llnl> ls permissions
    java.lang.reflect.InvocationTargetException: oracle.security.jazn.JAZNException: The system is unable to retreive the specified role(s).
    at oracle.security.jazn.spi.ldap.LDAPRealmRole.<init>(LDAPRealmRole.java:91)
    at java.lang.reflect.Constructor.newInstance(Native Method)
    at oracle.security.jazn.spi.ldap.LDAPGranteeEntry.init(LDAPGranteeEntry.java:218)
    at oracle.security.jazn.spi.ldap.LDAPGranteeEntry.<init>(LDAPGranteeEntry.java:121)
    at oracle.security.jazn.spi.ldap.LDAPGranteeEntry.<init>(LDAPGranteeEntry.java:116)
    at oracle.security.jazn.spi.ldap.LDAPLocalPolicy.getGrantees(LDAPLocalPolicy.java:315)
    at oracle.security.jazn.spi.ldap.LDAPLocalPolicy.getGranteeEntries(LDAPLocalPolicy.java:264)
    at oracle.security.jazn.spi.ldap.LDAPLocalPolicy.getPermissions(LDAPLocalPolicy.java:1029)
    at oracle.security.jazn.spi.ldap.LDAPJAZNPolicy.getPermissions(LDAPJAZNPolicy.java:649)
    at oracle.security.jazn.spi.ldap.LDAPJAZNPolicy.getPermissions(LDAPJAZNPolicy.java:680)
    at oracle.security.jazn.tools.Admintool.listRolePerms(Admintool.java:1140)
    at oracle.security.jazn.tools.Admintool.processArgs(Admintool.java:404)
    at oracle.security.jazn.tools.Admintool.lsCommand(Admintool.java:2782)
    at oracle.security.jazn.tools.Admintool.shell(Admintool.java:2399)
    at oracle.security.jazn.tools.Admintool.processArgs(Admintool.java:230)
    at oracle.security.jazn.tools.Admintool.main(Admintool.java:123)
    A JAZN internal error has occurred.
    What could be causing this problem? It seems to be the same error that I'm getting in the OPMN log.
    Thanks!
    --Leif

  • Jazn-data.xml has 3 errors on newly created portal app

    I just created a new portal app and my jazn-data.xml has 3 errors right off the bat.
    1. element attributes not expected
    2. element functions not expected
    3. Element system-policy not expected
     Why am I getting these errors?

    Are you sure? Cause somebody told me the same thing about my css files. But then somebody suggested I check the ADF Faces Extension and the errors went away and my skins were able to be applied.
     Also I created a user how the Portal Framework tutorial told me to, and when I login as that user all the files I am bringing in from the content server won't display, all my panel links disappear and I get this error when I log in as content admin:
    oracle.webcenter.content.integration.RepositoryException: Sep 14, 2012 9:53:59 AM oracle.webcenter.content.integration.spi.ucm.UCMBridge getUCMAccessLevel
    SEVERE: Cannot get security info for node ID: /UCM/0
    Caused by: oracle.webcenter.content.integration.RepositoryException: oracle.stellent.ridc.protocol.ServiceException: Could not calculate the user's permissions. User 'contentadmin' cannot be retrieved.
    Edited by: beachw08 on Sep 14, 2012 6:54 AM
    Edited by: beachw08 on Sep 14, 2012 10:38 AM

  • What is app-jazn-data.xml

    Hello
    What is app-jazn-data.xml. Do modifications in system-jazn-data.xml automatically update app-jazn-data.xml?
    Thanks

    Hi,
     app-jazn-data.xml contains a copy of all security permissions set with ADF Security. This is a convenience file for you to import into system-jazn-data.xml on the target system or into OID.
    So the answer is, no - you have to manually update system-jazn-data.xml or OID (using the migration tool)
    Frank

  • ADF security : JAZN-LDAP

    Hi,
    We are working on the development of an application with Oracle ADF (JDev 10.1.3).
    We implemented security with lightweight XML provider and it's working perfectly.
    Next month we will deploy our application and so we will use a LDAP server.
    Is it easy to jump from XML to LDAP?
     Do we just have to select the LDAP provider in the security wizard and then map application groups to LDAP groups in the orion-application.xml file?
    With this solution, is it still possible to edit authorizations at design time for pages, iterators, etc ?
    Thanks in advance for your help!

    Hi,
     you didn't read the documentation, did you? Anyway, the LDAP upload is a bit different from how you imagine it
     - ADF Security permissions are written to the workspace's \.adf\META-INF\app-jazn-data.xml file. So in fact you don't change the security settings for your project in JDeveloper. This means it remains there for future additions
    - You use a migration utility provided by OC4J Security to create an XLIFF file out of \.adf\META-INF\app-jazn-data.xml
    http://download.oracle.com/docs/cd/B32110_01/web.1013/b28957/configxml.htm#CIHIFGBJ
    - Then you upload this to OID
    Frank

  • Intermittent oracle.security.jazn.spi.xml.XMLJAZNPolicy null pointer excep

    hi,
     in my application I am using container and ADF security. Sometimes I get the following exception, but not always!? What could be the cause?
    (I added a new role with three members - 1 user and two sub-roles. I configured these sub-roles in web.xml as regular roles and also configured ADF security for the role and its subroles)
    java.lang.NullPointerException
         at oracle.security.jazn.spi.xml.XMLJAZNPolicy.getPermissions(XMLJAZNPolicy.java:593)
         at oracle.security.jazn.spi.xml.XMLJAZNPolicy.getPermissions(XMLJAZNPolicy.java:574)
         at oracle.security.jazn.spi.Java2PolicyProvider.getPermissions(Java2PolicyProvider.java:313)
         at oracle.security.jazn.spi.PolicyProvider.getPermissions(PolicyProvider.java:202)
         at javax.security.auth.SubjectDomainCombiner$3.run(SubjectDomainCombiner.java:357)
         at java.security.AccessController.doPrivileged(Native Method)
         at javax.security.auth.SubjectDomainCombiner.combineJavaxPolicy(SubjectDomainCombiner.java:353)
         at javax.security.auth.SubjectDomainCombiner.combine(SubjectDomainCombiner.java:191)
         at java.security.AccessControlContext.goCombiner(AccessControlContext.java:390)
         at java.security.AccessControlContext.optimize(AccessControlContext.java:304)
         at java.security.AccessController.getContext(AccessController.java:385)
         at java.lang.Thread.init(Thread.java:332)
         at java.lang.Thread.<init>(Thread.java:416)
         at oracle.webcache.adf.cache.basiccache.BasicCacheImpl$VGCThread.<init>(BasicCacheImpl.java:1439)
         at oracle.webcache.adf.cache.basiccache.BasicCacheImpl.<init>(BasicCacheImpl.java:121)
         at oracle.webcache.adf.cache.basiccache.BasicCacheManager.createBasicCacheInstance(BasicCacheManager.java:71)
         at oracle.webcache.adf.cache.httpcache.HTTPCacheImpl.<init>(HTTPCacheImpl.java:96)
         at oracle.webcache.adf.cache.httpcache.HTTPCacheFactory.createHTTPCache(HTTPCacheFactory.java:66)
         at oracle.webcache.adf.cache.httpcache.HTTPCacheFactory.createHTTPCache(HTTPCacheFactory.java:47)
         at oracle.webcache.adf.filter.PageCache.<init>(PageCache.java:218)
         at oracle.webcache.adf.filter.PageCache.getInstance(PageCache.java:255)
         at oracle.webcache.adf.filter.PageCache.getInstance(PageCache.java:276)
         at oracle.adf.view.faces.webcache.component.UICache.getFragmentFromCache(UICache.java:514)
         at oracle.adf.view.faces.webcache.component.UICache.encodeBegin(UICache.java:170)
         at oracle.adfinternal.view.faces.uinode.UIComponentUINode._renderComponent(UIComponentUINode.java:297)
         at oracle.adfinternal.view.faces.uinode.UIComponentUINode.render(UIComponentUINode.java:262)
         at oracle.adfinternal.view.faces.uinode.UIComponentUINode.render(UIComponentUINode.java:239)
         at oracle.adfinternal.view.faces.ui.composite.ContextPoppingUINode$ContextPoppingRenderer.render(ContextPoppingUINode.java:224)
         at oracle.adfinternal.view.faces.ui.BaseUINode.render(BaseUINode.java:346)
         at oracle.adfinternal.view.faces.ui.BaseUINode.render(BaseUINode.java:301)
         at oracle.adfinternal.view.faces.ui.BaseRenderer.renderChild(BaseRenderer.java:412)
         at oracle.adfinternal.view.faces.ui.BaseRenderer.renderNamedChild(BaseRenderer.java:384)
         at oracle.adfinternal.view.faces.ui.laf.base.desktop.PageHeaderLayoutRenderer.renderContent(PageHeaderLayoutRenderer.java:404)
         at oracle.adfinternal.view.faces.ui.BaseRenderer.render(BaseRenderer.java:81)
         at oracle.adfinternal.view.faces.ui.laf.base.xhtml.XhtmlLafRenderer.render(XhtmlLafRenderer.java:69)
         at oracle.adfinternal.view.faces.ui.BaseUINode.render(BaseUINode.java:346)
         at oracle.adfinternal.view.faces.ui.BaseUINode.render(BaseUINode.java:301)
         at oracle.adfinternal.view.faces.ui.BaseRenderer.renderChild(BaseRenderer.java:412)
         at oracle.adfinternal.view.faces.ui.BaseRenderer.renderIndexedChild(BaseRenderer.java:330)
         at oracle.adfinternal.view.faces.ui.BaseRenderer.renderIndexedChild(BaseRenderer.java:222)
         at oracle.adfinternal.view.faces.ui.BaseRenderer.renderContent(BaseRenderer.java:129)
         at oracle.adfinternal.view.faces.ui.BaseRenderer.render(BaseRenderer.java:81)
         at oracle.adfinternal.view.faces.ui.laf.base.xhtml.XhtmlLafRenderer.render(XhtmlLafRenderer.java:69)
         at oracle.adfinternal.view.faces.ui.BaseUINode.render(BaseUINode.java:346)
         at oracle.adfinternal.view.faces.ui.BaseUINode.render(BaseUINode.java:301)
         at oracle.adfinternal.view.faces.ui.composite.UINodeRenderer.renderWithNode(UINodeRenderer.java:90)
         at oracle.adfinternal.view.faces.ui.composite.UINodeRenderer.render(UINodeRenderer.java:36)
         at oracle.adfinternal.view.faces.ui.laf.oracle.desktop.PageLayoutRenderer.render(PageLayoutRenderer.java:76)
         at oracle.adfinternal.view.faces.uinode.UIXComponentUINode.renderInternal(UIXComponentUINode.java:177)
         at oracle.adfinternal.view.faces.uinode.UINodeRendererBase.encodeEnd(UINodeRendererBase.java:53)
         at oracle.adf.view.faces.component.UIXComponentBase.encodeEnd(UIXComponentBase.java:624)
         at oracle.adfinternal.view.faces.renderkit.RenderUtils.encodeRecursive(RenderUtils.java:54)
         at oracle.adfinternal.view.faces.renderkit.core.CoreRenderer.encodeChild(CoreRenderer.java:242)
         at oracle.adfinternal.view.faces.renderkit.core.CoreRenderer.encodeAllChildren(CoreRenderer.java:265)
         at oracle.adfinternal.view.faces.renderkit.core.xhtml.PanelPartialRootRenderer.renderContent(PanelPartialRootRenderer.java:65)
         at oracle.adfinternal.view.faces.renderkit.core.xhtml.BodyRenderer.renderContent(BodyRenderer.java:117)
         at oracle.adfinternal.view.faces.renderkit.core.xhtml.PanelPartialRootRenderer.encodeAll(PanelPartialRootRenderer.java:147)
         at oracle.adfinternal.view.faces.renderkit.core.xhtml.BodyRenderer.encodeAll(BodyRenderer.java:60)
         at oracle.adfinternal.view.faces.renderkit.core.CoreRenderer.delegateRenderer(CoreRenderer.java:281)
         at oracle.adfinternal.view.faces.renderkit.core.xhtml.DocumentRenderer.encodeAll(DocumentRenderer.java:60)
         at oracle.adfinternal.view.faces.renderkit.core.CoreRenderer.encodeEnd(CoreRenderer.java:169)
         at oracle.adf.view.faces.component.UIXComponentBase.encodeEnd(UIXComponentBase.java:624)
         at javax.faces.webapp.UIComponentTag.encodeEnd(UIComponentTag.java:645)
         at javax.faces.webapp.UIComponentTag.doEndTag(UIComponentTag.java:568)
         at oracle.adf.view.faces.webapp.UIXComponentTag.doEndTag(UIXComponentTag.java:100)
    ...

    Hi,
     ADF Security is configured with permissions and thus doesn't need the roles to be available in web.xml (unless the roles are used for container managed authorization as well). Note that the default behavior of OC4J is that changes in the configuration files are picked up upon restart (for performance reasons you don't want to change this setting). So just make sure OC4J is stopped before re-running an application.
    Frank

  • Setting permissions at entity object level using JAAS and LDAP

    Hi,
     I am using the ldap-based provider for authorization. Everything works fine. Authorization works fine based on the roles created in the web.xml file.
    Could you please let me know how I can define permissions at entity object level when using ldap based provider.
    Following line is the permission created for an entity object (SpcStrBdgt) when using XML-based provider.
     <permission>
          <class>oracle.jbo.server.security.jazn.JboJAZNEntityPermission</class>
          <name>model.SpcStrBdgt/READONLY</name>
     </permission>
     Above is defined in the jazn-data.xml file. How can I define the same thing when using the ldap-based provider?
    Thanks,
    Seatre

    Hi,
    There is an enhancement request Bug2692994 for this feature.
    Thanks,
    Yvonne
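
     The recurring question in this thread is: given the grants in jazn-data.xml (role principals of class oracle.security.jazn.spi.xml.XMLRealmRole, permissions such as the JboJAZNEntityPermission above) and the role membership in the realm, which permissions does a particular user effectively hold? The script below is an added example, not code from this thread or from Oracle's JAZN API: it parses the XML-provider file offline and resolves nested roles, which is also a handy way to check what the policy actually says when the admin tool or the container gives a confusing answer. It assumes the standard jazn-realm/jazn-policy layout of an OC4J 10g jazn-data.xml, that a role listed as a member of another role inherits that role's grants, and that a grant listing several principals applies only to a grantee holding all of them. The sample document, the user names alice and bob, the role admins and the /tmp/alice.txt grant are constructed for the example; the READONLY entity permission, the users role and the /tmp/test.txt FilePermission mirror the ones used in this thread.

```python
"""List the effective JAZN permissions of a realm user from a jazn-data.xml file.

Added example, not code from the thread or from Oracle's JAZN API. Assumes the
OC4J 10g XML-provider layout: role membership under jazn-realm/realm/roles (a
member may be a user or another role; a role listed as a member of another role
inherits that role's grants) and grants under jazn-policy/grant. A grant with
several principals applies only to a grantee holding all of them (java.policy
semantics). SAMPLE_JAZN_DATA is a constructed document.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

SAMPLE_JAZN_DATA = """<?xml version="1.0"?>
<jazn-data>
 <jazn-realm><realm><name>jazn.com</name>
  <users><user><name>alice</name></user><user><name>bob</name></user></users>
  <roles>
   <role><name>users</name><members>
    <member><type>user</type><name>alice</name></member>
    <member><type>role</type><name>admins</name></member>
   </members></role>
   <role><name>admins</name><members>
    <member><type>user</type><name>bob</name></member>
   </members></role>
  </roles></realm></jazn-realm>
 <jazn-policy>
  <grant><grantee><principals><principal>
   <realm-name>jazn.com</realm-name><type>role</type>
   <class>oracle.security.jazn.spi.xml.XMLRealmRole</class><name>users</name>
  </principal></principals></grantee><permissions><permission>
   <class>oracle.jbo.server.security.jazn.JboJAZNEntityPermission</class>
   <name>model.SpcStrBdgt/READONLY</name>
  </permission></permissions></grant>
  <grant><grantee><principals><principal>
   <realm-name>jazn.com</realm-name><type>role</type>
   <class>oracle.security.jazn.spi.xml.XMLRealmRole</class><name>admins</name>
  </principal></principals></grantee><permissions><permission>
   <class>java.io.FilePermission</class><name>/tmp/test.txt</name><actions>read</actions>
  </permission></permissions></grant>
  <grant><grantee><principals><principal>
   <realm-name>jazn.com</realm-name><type>user</type>
   <class>oracle.security.jazn.spi.xml.XMLRealmUser</class><name>alice</name>
  </principal></principals></grantee><permissions><permission>
   <class>java.io.FilePermission</class><name>/tmp/alice.txt</name><actions>write</actions>
  </permission></permissions></grant>
 </jazn-policy>
</jazn-data>
"""


def parse_jazn_data(xml_text):
    """Return ({realm: (users, {role: [(member_type, member_name), ...]})}, grants)."""
    root = ET.fromstring(xml_text)
    realms = {}
    for realm in root.findall("./jazn-realm/realm"):
        users = {u.findtext("name") for u in realm.findall("./users/user")}
        roles = {r.findtext("name"): [(m.findtext("type"), m.findtext("name"))
                                      for m in r.findall("./members/member")]
                 for r in realm.findall("./roles/role")}
        realms[realm.findtext("name")] = (users, roles)
    grants = []   # list of (set of (realm, type, name), set of (class, name, actions))
    for g in root.findall("./jazn-policy/grant"):
        grantee = {(p.findtext("realm-name"), p.findtext("type"), p.findtext("name"))
                   for p in g.findall("./grantee/principals/principal")}
        perms = {(p.findtext("class"), p.findtext("name"), p.findtext("actions") or "")
                 for p in g.findall("./permissions/permission")}
        grants.append((grantee, perms))
    return realms, grants


def effective_roles(roles, user):
    """Every role the user holds, following role-in-role membership; cycle safe."""
    parents = defaultdict(set)   # (member_type, member_name) -> roles listing that member
    for role, members in roles.items():
        for member in members:
            parents[member].add(role)
    held, stack = set(), [("user", user)]
    while stack:
        for role in parents.get(stack.pop(), ()):
            if role not in held:
                held.add(role)
                stack.append(("role", role))
    return held


def user_permissions(xml_text, realm_name, user):
    """Permissions (class, name, actions) granted to the user or to any role they hold."""
    realms, grants = parse_jazn_data(xml_text)
    users, roles = realms[realm_name]
    if user not in users:
        raise KeyError(f"user {user!r} is not defined in realm {realm_name!r}")
    principals = {(realm_name, "user", user)}
    principals |= {(realm_name, "role", r) for r in effective_roles(roles, user)}
    granted = set()
    for grantee, perms in grants:
        if grantee and grantee <= principals:   # grantee must hold every listed principal
            granted |= perms
    return granted


if __name__ == "__main__":
    for who in ("alice", "bob"):
        print(who, sorted(user_permissions(SAMPLE_JAZN_DATA, "jazn.com", who)))
```

     To run it against a real file, read system-jazn-data.xml (or the application's jazn-data.xml) into a string and pass it to user_permissions together with the realm name. Note that it compares permission entries literally: it does not evaluate Permission.implies, so a wildcard FilePermission or a JboJAZNEntityPermission with a "*" name will show up as the literal entry, not as every permission it implies.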

  • WebCenter/ADF Bounded Task Flow Permissions 11.1.1.4

    Hello All,
    I'm seeing some strange behavior related to permission on bounded task flows within a WebCenter Portal Application created with the 11.1.1.4 WC extensions.
    I created a bounded task flow and added a view activity and a return activity to it. I have provided "Administrator", "anonymous-role", and "authenticated-role" application roles with view permissions for the task flow resource in "jazn-data.xml". I also added the page related to the view activity in the bounded task flow to my page hierarchy file "page.xml", and provided users with view permissions there.
    What I'm seeing is that anonymous users can view pages in this bounded task flow just fine, but authenticated "Administrator" role users cannot.
    Am I missing a configuration setting somewhere?
    Thanks

    Certainly... I've uploaded the sample application here: http://rapidshare.com/files/456317758/WebCenterTestApp.zip
    To make this simple, I've used the OOB, pre-configured, Web Center Portal application template with default project files. Run the "home.jspx" page. I've removed the customization panel and added a button command whose action invokes the control flow to the task flow call activity for the bounded task flow. The task flow has a single page, and I have it being displayed as an inline pop-up... just for fun.
    Before you login, click on the button to see how the anonymous user can view the bounded task flow page. After you return from the task flow, login and verify that the admin user sees the app auth error page in the dialog instead.
    I've configured one admin user in jazn-data.xml: myadmin/myadmin1
    Cheers

  • SECURITY: permissions not allowed with ExecuteWithParams action

    Hello,
    I followed Frank Nimphius guide to get a secured web application based on adf bc
    and it seems to work ! (thank you Frank)
     I'm using a custom login module with a database containing users and roles. I can authenticate and be authorized for all actions that are necessary except for one (ExecuteWithParams), which is used on many pages, in spite of "update" permissions put on all the pagedef components.
     Not using this action would make the application completely unusable.
     I've read that it is a bug, but how can I fix it without recoding the function? Do I have to wait for JDev 11 (we are going to deploy soon), and if I must recode this function, how can I do it?
    thanks for your help
    Mathieu

    Hi Guys,
    I think I am facing the same problem, and I am using the latest JDeveloper 10.1.3.3.0.
    My page is using an iterator based on the ExecuteWithParams method of a ViewObject.
     The page works correctly until I apply security. Then I get "no rows yet" in my ADF tables. I believe I set all the permissions possible, I am setting them using the Edit Authorization wizard, also manually editing the system-jazn-data.xml, using wildcards. Of course other tables based on View objects are working.
    This is kind of urgent, a show stopper for a demo application.
    Thanks,
    Istvan

  • JAAS/JAZN: LDAPLoginModule doesn't work with servlet RunAs() security mode

    Just thought I'd post this here too, in case any developers actually read this list or in case someone else has run into a similar issue or has any ideas...
    I'm having a problem where whenever I use Oracle 10gAS's LDAPLoginModule at the same time as RunAs() mode OC4J crashes.
    Application is UIX/Struts for the view layer and ADF BC for the model layer. It is being developed in JDeveloper 10g (10.1.2.0.0) and deployed on 10gAS (10.1.2.0.0)
     I am using JAAS (JAZN) for authentication. I am using a custom JAAS LoginModule for the app: "oracle.security.jazn.login.module.LDAPLoginModule". Instructions for using the module are documented in the OC4J Security Guide, Chapter 9 "Configuring External LDAP Providers":
     http://download-east.oracle.com/docs/cd/B14099_07/web.1012/b14013/ldap3rdparty.htm#sthref500
     This is working fine - I can successfully authenticate against my LDAP server.
     In order to retrieve security credentials (i.e. the Subject) while in the Model layer, I am running the servlet in doAs() mode, also known as "runas-mode". This is documented in Chapter 4:
     http://download-east.oracle.com/docs/cd/B14099_07/web.1012/b14013/genconfig.htm#sthref322
    This works great - when I authenticate against the local XML file I can successfully run the application and retrieve the Subject and Principals.
    The problem is that whenever I try to use both of these at the same time the application will not run. I have attached a trace with JAAS/JAZN debug messages enabled.
    It appears to be failing in the process of creating the BC Application Module. Apparently when it creates a new thread to monitor the application module pool, in the process of establishing JAAS permissions for the new thread it attempts to retrieve the REALM from the oracle.security.jazn.realm.LDAPPrincipal object -- which is an unsupported function when the Principal was generated by an LDAPLoginModule. For some reason this error crashes the entire process.
    You can see a trace of my program here:
    http://www.asugroup.com/jazn-errorlog.txt
    This should be simple to reproduce by simply creating an ADF BC application, modifying orion-web.xml so that the servlet is in runas-mode, and modifying $ORACLE_HOME/j2ee/home/config/jazn-data.xml to use the LDAPLoginModule.
    All I can figure is that it must be a "bug" (or unsupported functionality) in 10gAS. WHY in the world is 10g failing on the getRealm() function of a Principal that it setup itself? Any suggestions or help would be appreciated. The only solution I can think of at this point is to throw Oracle's LoginModule implementation right out the window and write my own... although I don't even know if that will work yet.
    Jeremy

     OK, so I know that this isn't Metalink... but I'm pretty sure this is either a "bug" or "unsupported feature" -- although now that I've looked a bit deeper I'm guessing it has something to do with the "role.mapping.dynamic" flag too. (Haven't tested it yet but I think it might work fine if I put the roles in the local XML file.)
    Anyway, if anyone's interested, here's detailed steps so you - YES YOU! - can reproduce the problem yourself if the desire grips you. :)
    I put this together for the TAR but figured there's some useful information in here (e.g. the debugging stuff) so it might be helpful for someone in the future to post it here too.
    1. Open or create any ADF BC project in JDeveloper. It can be ANY project as long as it uses ADF BC for the MODEL layer.
    2. Add orion-web.xml to the VIEW project if it's not already there.
    2a) Right click on orion-web.xml and select Properties
    2b) In the "JAZN" section, select the checkbox "Run as Mode"
    3. Edit web.xml to require authorization to run the app.
    3a) Right click on web.xml and select Properties
     3b) Under the "security roles" section add the name of a group you're a member of on the LDAP server. Only include the relative name of the group - not the full LDAP distinguished name. Also, convert the name to lowercase.
    3c) Under "security constraints" add a new constraint.
    3d) In the constraint, make a new resource collection called "everything" and add the URL pattern "/".
    3e) In the constraint, go to the authorization tab and select your LDAP group name.
    3f) Go to the "Login Configuration" section of web.xml and choose HTTP Basic Authentication. Leave the realm blank.
    4. Add orion-application.xml to the project if it's not already there. Configure the "JAZN" tag as follows:
    <jazn provider="XML">
    <property name="role.mapping.dynamic" value="true" />
    </jazn>
     5. Deploy the application to Oracle 10g Application Server.
     6. On the application server, edit the file $ORACLE_HOME/j2ee/home/config/jazn-data.xml
     6a) In the section jazn-data/jazn-loginconfig add a new "application" section for your application. See below for an example.
     6b) Make sure the "name" of your application matches the deployment name in your EAR file for the project you deployed.
     7. I recommend enabling JAZN debugging. See below for instructions on that.
     8. Restart OC4J if you haven't already - to make sure it rereads the config, then try to run your application.
    SAMPLE JAZN-DATA.XML (CUSTOMIZE FOR YOUR LDAP SERVER)
    <jazn-data>
    <jazn-loginconfig>
    <application>
    <name>your_j2ee_deployed_application_name</name>
    <login-modules>
    <login-module>
    <class>oracle.security.jazn.login.module.LDAPLoginModule</class>
    <control-flag>required</control-flag>
    <options>
    <option>
    <name>oracle.security.jaas.ldap.provider.url</name>
    <value>ldap://10.1.1.7:389</value>
    </option>
    <option>
    <name>oracle.security.jaas.ldap.provider.user</name>
    <value>cn=stoneware,ou=stoneware,ou=okemos,ou=mi,ou=et,o=ou1</value>
    </option>
    <option>
    <name>oracle.security.jaas.ldap.provider.credential</name>
    <value>!yourpassword</value>
    </option>
    <option>
    <name>oracle.security.jaas.ldap.provider.type</name>
    <value>other</value>
    </option>
    <option>
    <name>oracle.security.jaas.ldap.user.searchbase</name>
    <value>o=ou1</value>
    </option>
    <option>
    <name>oracle.security.jaas.ldap.user.searchscope</name>
    <value>subtree</value>
    </option>
    <option>
    <name>oracle.security.jaas.ldap.user.name.attribute</name>
    <value>cn</value>
    </option>
    <option>
    <name>oracle.security.jaas.ldap.user.object.class</name>
    <value>inetOrgPerson</value>
    </option>
    <option>
    <name>oracle.security.jaas.ldap.role.searchbase</name>
    <value>o=ou1</value>
    </option>
    <option>
    <name>oracle.security.jaas.ldap.role.searchscope</name>
    <value>subtree</value>
    </option>
    <option>
    <name>oracle.security.jaas.ldap.role.name.attribute</name>
    <value>cn</value>
    </option>
    <option>
    <name>oracle.security.jaas.ldap.role.object.class</name>
    <value>groupOfNames</value>
    </option>
    <option>
    <name>oracle.security.jaas.ldap.membership.searchscope</name>
    <value>direct</value>
    </option>
    <option>
    <name>oracle.security.jaas.ldap.member.attribute</name>
    <value>member</value>
    </option>
    </options>
    </login-module>
    </login-modules>
    </application>
    </jazn-loginconfig>
    </jazn-data>
    for Sun Java System Application Server and Microsoft Active Directory examples see:
    http://download-east.oracle.com/docs/cd/B14099_07/web.1012/b14013/ldap3rdparty.htm#sthref500
    ENABLING JAZN DEBUGGING MESSAGES ON ORACLE 10G APPLICATION SERVER
    1. Login to Enterprise Manager 10g Application Server Control
    2. If you are part of a farm you will get a list of instances. Select the instance your app is deployed on.
    3. In the "System Components" section of the home page, click on your OC4J instance (default name is "home").
    4. In the OC4J home, click on the "Administration" tab.
    5. Select "Server Properties" from the Instance Properties section.
    6. In the Command Line Options section, there is an option called "Java Options".
    7. At the end of the "Java Options", append the text "-Djazn.debug.log.enable=true"
    8. When prompted, restart the OC4J instance.
    Debug information is captured by OPMN and stored in a log file. The log file can be found in the directory $ORACLE_HOME/opmn/logs
    The default name (if your instance name is "home") is "OC4J~home~default_island~1"

  • Roles and permissions

    I have a couple of questions.
    1. How would I go about fitting a custom permission resolver for SOA suite ?
     2. Is there a way to print the roles, users and permissions to debug? My roles could be in LDAP or a database but permissions are in system-jazn-data.xml. Why are these permissions stored in an XML file?
    Mohan

    Where do the LDAP implementation classes write their logs ?
    My worklist application writes logs to orabpel.log like the following.
    <2009-05-16 16:46:44,954> <DEBUG> <collaxa.cube.services> <LDAPUtil::getJNDIContext> JNDI Connection received
     My bpel console hits openldap but does not write logs the same way. It shows that the user does not have enough privileges. So basically I don't see what is being done by my LDAP classes.

  • Jazn-loginconfig data not copied to system-jazn-data on deployment

    Hi all!
     There are a lot of threads about deployment and security, but I still haven't found a solution to my problem. I've specified a login configuration in my orion-application file like:
    <jazn-loginconfig>
    <application>
    <name>MyApplication</name>
    <login-modules>
    <login-module>
    <class>myclass.MyLoginModule</class>
    <control-flag>required</control-flag>
    <options> ...
     I also specified the application's own jazn-data in this file. When deploying on standalone oc4j through AS Control I have to select the custom security provider and manually enter the options. If I do that everything works OK, permissions are read from my jazn-data file that is deployed with the application.
    Is there a way to get login configuration from orion-application file in JDeveloper to system-jazn-data file on standalone oc4j when deploying an application?
    Thank you!
    BB

    Hello BB,
    (1) Create the orion-application.xml file in the Deployment project
    I have a separate Deployment project. In this project I created the orion-application.xml file in the META-INF directory. Double click on the Deployment description to see where the META-INF directory should be placed.
    If your Project Content/Java Content directory is c:\Application\src, then the META-INF should be c:\Application\src\META-INF
    Copy/create the orion-application.xml file in this directory
    (2) Create a META-INF group in the EAR deployment descriptor
    In the deployment profile I added a file group META-INF
    (3) Add the orion-application.xml to the META-INF group
    Click on filters and add the orion-application.xml
    (4) Create the EAR file with the deployment descriptor
     Open the EAR file; the orion-application.xml file should be directly visible in the META-INF directory.
    (5) Deploy the EAR file
    Now it should work.
    Regards Leon
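
     A quick way to confirm the packaging Leon describes before deploying, as an added example that is not code from the thread: it opens the EAR as a zip archive, checks that META-INF/orion-application.xml sits at the top level rather than under the WAR or a src/ prefix, and checks that its jazn-loginconfig names the deployed application with at least one login-module carrying a class and a valid JAAS control-flag. The in-memory EAR is constructed for the example; MyApplication and myclass.MyLoginModule are the names from BB's post.

```python
"""Check that an EAR carries the orion-application.xml with the JAZN login configuration.

Added example, not code from the thread. It assumes the OC4J layout described in
the reply above: META-INF/orion-application.xml at the top level of the EAR (not
inside the WAR) holding <jazn-loginconfig>/<application>/<name>. The EAR built by
build_sample_ear() is constructed; MyApplication and myclass.MyLoginModule are the
names used in the thread.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

ORION_APPLICATION_XML = b"""<?xml version="1.0"?>
<orion-application>
 <jazn provider="XML"/>
 <jazn-loginconfig>
  <application>
   <name>MyApplication</name>
   <login-modules>
    <login-module>
     <class>myclass.MyLoginModule</class>
     <control-flag>required</control-flag>
    </login-module>
   </login-modules>
  </application>
 </jazn-loginconfig>
</orion-application>
"""

# The four control flags JAAS defines for a login module.
VALID_CONTROL_FLAGS = ("required", "requisite", "sufficient", "optional")


def build_sample_ear(descriptor_path="META-INF/orion-application.xml"):
    """Constructed EAR: an empty WAR entry plus the descriptor at descriptor_path."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as ear:
        ear.writestr("web.war", b"")
        ear.writestr(descriptor_path, ORION_APPLICATION_XML)
    return buf.getvalue()


def check_login_config(ear_bytes, app_name):
    """Return a list of problems; an empty list means the EAR is packaged as expected."""
    with zipfile.ZipFile(io.BytesIO(ear_bytes)) as ear:
        names = ear.namelist()
        if "META-INF/orion-application.xml" not in names:
            # The common mistake: the descriptor ended up under src/ or inside the WAR.
            stray = [n for n in names if n.endswith("orion-application.xml")]
            return ["META-INF/orion-application.xml is not at the top level of the EAR"
                    + (f" (found at {stray})" if stray else "")]
        root = ET.fromstring(ear.read("META-INF/orion-application.xml"))
    app = next((a for a in root.findall("./jazn-loginconfig/application")
                if a.findtext("name") == app_name), None)
    if app is None:
        return [f"no <jazn-loginconfig> entry for application {app_name!r}"]
    modules = app.findall("./login-modules/login-module")
    problems = [] if modules else [f"application {app_name!r} declares no <login-module>"]
    for m in modules:
        cls = m.findtext("class")
        if not cls:
            problems.append("login-module without <class>")
        if m.findtext("control-flag") not in VALID_CONTROL_FLAGS:
            problems.append(f"login-module {cls!r} has a missing or invalid <control-flag>")
    return problems


if __name__ == "__main__":
    print(check_login_config(build_sample_ear(), "MyApplication") or "OK")
```

     For a real deployment, read the EAR produced by the deployment profile into bytes and call check_login_config with the deployment name; the application name must match the one OC4J will use, which is why the check takes it as a parameter instead of accepting any entry.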

  • Is it possible to secure Forms Servlet with a realm/jazn/jaas???

    Hi,
     Does anyone know how to secure the forms servlet (frmservlet 11g) with something like a realm or jazn/jaas?
     What I would like to do is just permit access to the frmservlet through a simple login jsp page that would forbid access to frmservlet for people that were not authenticated... and with this I would not need the SSO...
    Regards
    Ricardo

    Hi,
     But the forms app is deployed as an ear file and there's a web.xml config for this app in the container... so... I guess that theoretically it's possible, isn't it?
    Take a look: http://java.dzone.com/articles/understanding-web-security
    Regards
    Ricardo
    Edited by: user12015527 on 15/Fev/2010 7:22
