JDev EA1 Error with JAZN/Security Roles/Authentication
I have a current JSF application created under JDev 10.1.3 Preview which runs fine, but under JDev EA1 it crashes.
The application has a JAZN definition with a realm and user defined. The user is also tied to a security role.
In the web.xml I have a security role defined and security constraints. I also have the security-role-mappings in the orion-application.xml for deployment which uses OID to authenticate.
This all works fine in JDev 10.1.3 preview.
When I run the application in JDev EA1, the login dialog does not appear and the application crashes because it can't authenticate who is using the application. I have deleted and recreated the Jazn user and security roles under EA1.
I have noticed that JDev is now reporting the "<security-constraint>" tag in web.xml is an error now.
Any ideas on what's wrong?
Thanks
We're using SSO, so we haven't written our own login handler. The orion-application.xml has the "<jazn-web-app auth-method="SSO"/>" tag in it. We let SSO handle the login. You can write your own login handler if you wanted to. I think there's several threads about doing it. We wanted to try and use SSO and not have to write the piece to do the login.
orion-application.xml:
<jazn provider="LDAP"
      location="ldap://my.company.com:<port number>"
      default-realm="my_realm_here">
  <jazn-web-app auth-method="SSO"/>
</jazn>
The way we approached it, we have a User and Visit object. The User object just holds some data:
import java.io.Serializable;
import java.util.Date;

public class User implements Serializable
{
    private String userid;
    private String name;
    private String email;
    private Date loginTime;
}
The faces-config.xml is like this:
<!--========User Bean=========-->
<managed-bean>
  <managed-bean-name>user</managed-bean-name>
  <managed-bean-class>com.mycompany.User</managed-bean-class>
  <managed-bean-scope>session</managed-bean-scope>
  <managed-property>
    <property-name>queryService</property-name>
    <value>#{queryservicebean}</value>
  </managed-property>
</managed-bean>
We're using Spring to inject the "queryservicebean". You may not need this section. We're having to grab data from a database table. So you can probably skip that "<managed-property>" section.
The section I think you are really asking about is the ViewHandler. You probably need to look at extending the ViewHandler to populate your user object.
public class AuthenticatingViewHandler extends ViewHandler{...}
You will probably need to look at adding code in the createView and restoreView methods.
Something like:
public class AuthenticatingViewHandler extends ViewHandler
{
    private final ViewHandler _base;

    public AuthenticatingViewHandler(ViewHandler base)
    {
        _base = base;
    }

    public UIViewRoot createView(FacesContext facesContext, String viewId)
    {
        viewId = loadUser(facesContext, viewId);
        return _base.createView(facesContext, viewId);
    } //END createView(FacesContext facesContext, String viewId)

    public UIViewRoot restoreView(FacesContext facesContext, String viewId)
    {
        viewId = loadUser(facesContext, viewId);
        return _base.restoreView(facesContext, viewId);
    } //END restoreView(FacesContext facesContext, String viewId)

    // Then "loadUser" would populate your User object:
    public String loadUser(FacesContext facesContext, String viewId)
    {
        String userId = facesContext.getExternalContext().getRemoteUser();
        User user = (User) JSFUtils.getManagedBean(ViewConstants.USER);
        // Set the userid from OID in your User object
        user.setUserid(userId);
        // Note: You may need to do some parsing on your user id string from OID.
        // Do more stuff here, may switch to a different viewId if needed, like an error page.
        return viewId;
    } // END loadUser(FacesContext facesContext, String viewId)

    // The other abstract ViewHandler methods (calculateLocale, calculateRenderKitId,
    // getActionURL, getResourceURL, renderView, writeState) also have to be implemented.
} //END AuthenticatingViewHandler
The "JSFUtils.getManagedBean" uses the valuebinding to get the User bean from the FacesContext. We also carry a boolean isUserLoaded in the User object so we're not executing the loadUser code each time a view is rendered. The Visit object just has a navigation trace and other things of interest to us, so you may not care about it.
A lot of this is from Adam Wiener's post on Sun's JSF forum. I think there's a couple of ways to approach this, with our requirements this works out better. If anybody else has any suggestions, it would be great to hear about them.
As always, hope it helps out with what you are doing and thanks for the chocolate.
Similar Messages
-
Using Dynamic JDBC Credentials with jazn security (web.xml) in BC
I have followed the document “How To Support Dynamic JDBC Credentials” http://www.oracle.com/technology/products/jdev/howtos/10g/dynamicjdbchowto.html to connect to the database using Business Components, as the user who logs in the application. (Proxy)
The only matter is that as I could see, I cannot use the application server integrated security (with roles) to protect the web resources.
The main objective is to protect the web resources using Declarative J2EE authentication and authorization using the Data Base users (and roles). I have implemented the solution for the first part (authentication) using DBLoginModule (DBSystemLoginModule) from Frank Nimphius and Duncan Mills, it’s working OK, but I need the second part; how to use the user that is logged in as the PROXY user of the BC connection.
Using the DBLoginModule, and the “How To Support Dynamic JDBC Credentials” separately works fine, but I can’t make them work together.
Frank, Thanks a lot for your quick answer.
"Maybe you should look at using database proxy users with ADF BC so you can use the J2EE authenticated user principal as the database schema to connect through. I am working on documenting this approach, which however needs some more time of writing and testing."
Yes, that's exactly what I need!!!
Can you give me some tips about how to do that.. Do you have any idea of when you will finish that document?.
By the way, I'm using FORM authentication, but I don't know how to modify what’s in the “How To Support Dynamic JDBC Credentials” document, to use the J2EE authenticated user principal as the database schema to connect through.
One of the problems is that when using this approach, I cannot get the J2EE security to redirect to the login page...
Any help would be really appreciated -
IBots are erroring with VPD Security Enabled
Hello,
We are using VPD security in our implementation. We are facing a problem while scheduling the iBots; it is giving the following error.
Error Codes: OPR4ONWY:U9IM8TAC:OI2DL65P
State: HY000. Code: 10058. [NQODBC] [SQL_STATE: HY000] [nQSError: 10058] A general error has occurred. [nQSError: 17001] Oracle Error code: 1017, message: ORA-01017: invalid username/password; logon denied at OCI call OCISessionBegin. [nQSError: 17014] Could not connect to Oracle database. (HY000)
Could any one share your thoughts on this issue?
Thanks in Advance,
Hi,
In your Authentication block do you have the "Required for Authentication" checkbox checked? We ran into some problems with iBots and this turned out to be the problem. When Delivers is connecting to the repository it is "impersonating" a user and so you can't authenticate to LDAP. Uncheck that and it works.
This also causes problems when connecting using SSO. -
Using a Filter on OC4J with JAZN security enabled using LDAP
I have a LDAP security in place on OC4J. I have to create a filter which uses the HttpRequestWrapper to do some preprocessing with the request parameters. I have all the code in place along and the Filter which uses HttpRequestWrapper. Now the problem is that the OC4J gives an error -
Servlet error
javax.servlet.ServletException: JAAS-OC4J: JAZNFilter.doFilter - unable to find the current servlet
at oracle.security.jazn.oc4j.JAZNFilter.doFilter(Unknown Source)
at com.evermind[Oracle Application Server Containers for J2EE 10g (9.0.4.2.0)].server.http.EvermindFilterChain.doFilter(EvermindFilterChain.java:16)
at com.myapp.filter.RequestFilter.doFilter(RequestFilter.java:429)
at com.evermind[Oracle Application Server Containers for J2EE 10g (9.0.4.2.0)].server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java:617)
at com.evermind[Oracle Application Server Containers for J2EE 10g (9.0.4.2.0)].server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java:330)
at com.evermind[Oracle Application Server Containers for J2EE 10g (9.0.4.2.0)].server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:794)
at com.evermind[Oracle Application Server Containers for J2EE 10g (9.0.4.2.0)].server.http.AJPRequestHandler.run(AJPRequestHandler.java:208)
at com.evermind[Oracle Application Server Containers for J2EE 10g (9.0.4.2.0)].server.http.AJPRequestHandler.run(AJPRequestHandler.java:125)
at com.evermind[Oracle Application Server Containers for J2EE 10g (9.0.4.2.0)].util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java:192)
at java.lang.Thread.run(Thread.java:534)
The error happens while executing the following line:
chain.doFilter(new MyHttpServletRequestWrapper((HttpServletRequest) request ), response);
The constructor call MyHttpServletRequestWrapper is successful. Something seems to be wrong as it appears the server is not able to locate the path where to forward to from within the Filter.
If I execute the same code without the JAZN LDAP security everything works fine.
Can anybody please provide some help to resolve this issue?
Yeah, it's a known problem - it caught me out as well.
The xml parser installed with OJSP is more strict than the one with Orion. The order of the parameters becomes important. The general solution is to check the dtd listed at the top of the xml file for the parameter order and make sure any you specify in the xml file are in this order.
Your specific case: the order of session-config and welcome-file-list should be reversed, ie session-config should come first in the web.xml file.
Jonny -
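The ordering check described in the reply above, as an added example (not code from the original post): it compares the top-level children of a web.xml with the child order declared for web-app in the Servlet 2.3 DTD and can emit a reordered copy. The sample descriptor is constructed, and a descriptor written against another DTD or schema version needs that version's order instead.

```python
"""Check the order of <web-app> children against the Servlet 2.3 DTD."""
import xml.etree.ElementTree as ET

# Child order from the web-app element declaration in the Servlet 2.3 DTD.
WEB_APP_23_ORDER = [
    "icon", "display-name", "description", "distributable",
    "context-param", "filter", "filter-mapping", "listener",
    "servlet", "servlet-mapping", "session-config", "mime-mapping",
    "welcome-file-list", "error-page", "taglib", "resource-env-ref",
    "resource-ref", "security-constraint", "login-config",
    "security-role", "env-entry", "ejb-ref", "ejb-local-ref",
]
RANK = {name: position for position, name in enumerate(WEB_APP_23_ORDER)}
UNKNOWN = len(WEB_APP_23_ORDER)  # unknown elements sort to the end


def local_name(element):
    # Drop a "{namespace}" prefix if the descriptor declares one.
    return element.tag.rsplit("}", 1)[-1]


def order_violations(web_xml_text):
    """Return one message per top-level element that appears too late.

    Only ordering is checked, not how often an element may occur.
    """
    root = ET.fromstring(web_xml_text)
    problems = []
    latest_rank, latest_name = -1, None
    for child in root:
        name = local_name(child)
        rank = RANK.get(name)
        if rank is None:
            problems.append(f"<{name}> is not a web-app 2.3 child element")
        elif rank < latest_rank:
            problems.append(f"<{name}> must come before <{latest_name}>")
        else:
            latest_rank, latest_name = rank, name
    return problems


def reordered(web_xml_text):
    """Return the descriptor with its top-level children in DTD order.

    The sort is stable, so repeated elements (servlet, security-constraint)
    keep their relative order. The DOCTYPE line is not re-emitted.
    """
    root = ET.fromstring(web_xml_text)
    root[:] = sorted(root, key=lambda c: RANK.get(local_name(c), UNKNOWN))
    return ET.tostring(root, encoding="unicode")


def child_names(web_xml_text):
    """List the names of the top-level children, in document order."""
    return [local_name(child) for child in ET.fromstring(web_xml_text)]


# Constructed sample: welcome-file-list precedes session-config (the case in
# the reply) and login-config precedes security-constraint.
SAMPLE_WEB_XML = """<?xml version="1.0"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
  "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
  <servlet>
    <servlet-name>faces</servlet-name>
    <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
  </servlet>
  <welcome-file-list>
    <welcome-file>index.jsp</welcome-file>
  </welcome-file-list>
  <session-config>
    <session-timeout>30</session-timeout>
  </session-config>
  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>all</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
  </security-constraint>
  <security-role>
    <role-name>user</role-name>
  </security-role>
</web-app>
"""

if __name__ == "__main__":
    for problem in order_violations(SAMPLE_WEB_XML):
        print(problem)
```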
Problem with ADF Security / SQL Authenticator after upgrade to 11.1.1.6
Hi,
We have an ADF application built with JDeveloper 11.1.1.2 that's been in production for a couple of years. Now we are in the process of upgrading to 11.1.1.6 so I have upgraded WLS and ADF in a test environment and re-deployed the application there. The application uses users and groups from database using SQL Authenticator configured in WLS. This worked fine in the old version but now after the upgrade we can't log in with credentials from the database. I can log in if I add a user to the default authenticator. We didn't touch any of the authenticator settings or security realm configurations during the upgrade. Both authenticators are marked as SUFFICIENT, as they have always been.
Has something changed in the way SQL Authenticator is used since 11.1.1.2? What could be the problem?
Regards,
Joonas
Answering myself here: after recreating the SQL Authenticator and the ADF Security configuration logins are working again. Don't know where the problem was though.
-
Installing Exchange 2010 on Server 2008 R2 Get error with Hub Transport Role
Hub Transport Role
Failed
Error:
The following error was generated when "$error.Clear();
install-MsiPackage `
-PackagePath ($RoleInstallPath + "TransportRoles\agents\Hygiene\ASEntIRS.MSI") `
-LogFile ($RoleSetupLoggingPath + "\InstallASEntIRS.msilog") `
-PropertyValues ("ALLUSERS=1") `
-UpdatesDir $RoleUpdatesDir
" was run: "Installing product D:\Program Files\Microsoft SQL Server\Microsoft\Exchange Server\V14\TransportRoles\agents\Hygiene\ASEntIRS.MSI failed. Fatal error during installation. Error code is 1603.".
Installing product D:\Program Files\Microsoft SQL Server\Microsoft\Exchange Server\V14\TransportRoles\agents\Hygiene\ASEntIRS.MSI failed. Fatal error during installation. Error code is 1603.
Fatal error during installation
Elapsed Time: 00:00:01
Client Access Role
Cancelled
Hi,
From the description, I recommend you copy the Exchange installation files to the local machine, or download a fresh copy of Exchange 2010 and then reinstall it.
Besides, please ensure that you install Exchange 2010 on 64-bit edition of Windows Server 2008 R2 Standard with SP1 or Windows Server 2008 R2 Enterprise with SP1.
If the issue persists, please refer to the following KB for further troubleshooting.
You receive error 1603 when you try to install the Exchange Server 2010 RU1
https://support.microsoft.com/kb/981474
Hope it helps.
If you need further assistance, please feel free to let me know.
Best regards,
Amy
Amy Wang
TechNet Community Support -
ORA-06502: PL/SQL error with dimensions and roles
Hi everyone,
When executing a mapping that loads a cube we are always getting that ORA-06502: PL/SQL error character string buffer too small
The cube contains a number of dimensions, some of them with roles. We've checked that the error appears when we use two different lookup operators to fill dimension attributes in the cube and its correspondent role. If we map dimension attributes with lookup operator, and the role attributes with constants, the mapping executes without any error. Moreover, even though it doesn't make any sense, if we map the role dimension attributes with a lookup operator linked to a different dimension, it works too.
We think that this could be due to attributes names, maybe they are too long, but we have tried to make them shorter and still getting the same error.
Any ideas of what could be happening?
Thank you so much in advance.
The return datatype in a PLSQL function is unconstrained. Which means it does not have a size.
The size is declared on the receiving end.
What size variable are you trying to return your value into?
Here is an example...
SQL>create or replace function my_func
2 return varchar2
3 is
4 begin
5 return USER;
6 end;
7 /
Function created.
SQL>declare
2 my_string varchar2(30);
3 begin
4 my_string := my_func;
5 end;
6 /
PL/SQL procedure successfully completed.
SQL>declare
2 my_string varchar2(3);
3 begin
4 my_string := my_func;
5 end;
6 /
declare
ERROR at line 1:
ORA-06502: PL/SQL: numeric or value error: character string buffer too small
ORA-06512: at line 4 -
Dimension Selector Error with Dimensional Security Set
I have the following dimensional security applied:
INDEX USER
CASE SOLFAE
SELECT Solution Below 'SOL-_FINANCE_&_ACCOUNTING_EXCELLENC'
SELECT Geography
SELECT Industry
SELECT Resource_Job_Function
SELECT Resource_Proficiency
SELECT Resource_Solution 'RS-_FINANCE_&_ACCOUNTING_EXCELLENC'
SELECT Resource_Solution Plus 'RS-_FINANCE_&_ACCOUNTING_EXCEL_PIM'
ENDINDEX
When I use the dimensional selector in the IP user interface (connecting to PAS with SOLFAE user id), I get the following error:
CAL062:
R is Not a Member of RESOURCE_SOLUTION
CAL062:
INTERNALAUDIT is Not a Member of RESOURCE_SOLUTION
However, when I remove the dimensional security on the RESOURCE_SOLUTION dimension, the dimension selector works fine. Does anyone out there have any insight into what may be causing this error. We are running SSM 7.0 SP7.
Thanks ahead of time for your help!
Edited by: Jason Allen on Oct 29, 2010 10:12 PM
I think that it may be the "&" in the dimension member names. I'll test on Monday, and repost. In the meantime, if anyone has additional insight, please reply to this post.
-
Creating bootable TS media with limited security role
Hi
We're giving our remote engineers the ability to perform OS deployment. Part of this task will require them to be able to create their bootable USB task sequence media.
We've created a security scope relevant for the engineers location. Their local DP, and the relevant boot image, have been added to this scope.
When we run the Create TS Media wizard (running with the permissions the engineer has) we can choose the boot image and DP as expected. However, when we try to select Management Points, none are listed.
We can't find anything pertaining to scoping Management Points, so what else could we be missing?
Thanks in advance for any advice.
That's exactly what I was trying to refer at. You could add an additional scope and add it to their administrative user, or also add their scope to the primary site server object. Another option to limit their options is to create another scope and role (with only read permissions) and add them together to the administrative user.
My Blog: http://www.petervanderwoude.nl/
Follow me on twitter: pvanderwoude
I can't see an option to add a scope to the primary site server object.
However, I looked in Administration -> Site Configuration -> Sites and when selecting the site name I was able to add the engineer's scope to that. That seems to have done the trick. There's now more things visible to the engineers than I'd wanted them to see, but it's all read-only so no risk I guess. -
I'm getting these errors in the eventlog and ULS, "An operation failed because the following certificate has validation errors:\n\nSubject Name: CN=SharePoint Security Token Service, OU=SharePoint, O=Microsoft, C=US\nIssuer Name: CN=SharePoint Root Authority, OU=SharePoint, O=Microsoft, C=US\nThumbprint: <STS CERTIFICATE THUMBPRINT>\n\nErrors:\n\n RevocationStatusUnknown: The revocation function was unable to check revocation for the certificate."
The errors point to the SharePoint Security Token Service as the issue ("The revocation function was unable to check revocation for the certificate") reported back by the Topology service. This is apparent when executing a search, accessing the managed metadata service, issuing SPSite commands in Powershell, or anything that needs to run through the "SharePoint Web Services" site. I've looked at the certificate assigned to that site and everything appears to be in order.
It would seem to me to be either an incorrect endpoint configuration (internally cached perhaps?) or related to security access for the configuration database (in order to validate the certificate root).
What I’ve tried so far:
I’ve been all over the certificate settings, both in the server store, and within SharePoint Token Service config. Both appear to be configured correctly such that the root CAs can be validated.
Re-entered the passwords for the application pool domain accounts to eliminate these as a potential cause. I’ve also verified the service accounts reporting the error, do have access to the configuration database.
Re-provisioned the STS service to see if that might clear out any cached issues and validated everything else according to this MS Tech note.
So far nothing has worked. Is there anything else I could be looking at that I've missed? (Full eventlog detail below)
Log Name: Application
Source: Microsoft-SharePoint Products-SharePoint Foundation
Date: 2/20/2015 11:19:41 AM
Event ID: 8311
Task Category: Topology
Level: Error
Keywords:
User: <SP SERVICE ACCOUNT>
Computer: <SHAREPOINTSERVER>
Description:
An operation failed because the following certificate has validation errors:\n\nSubject Name: CN=SharePoint Security Token Service, OU=SharePoint, O=Microsoft, C=US\nIssuer Name: CN=SharePoint Root Authority, OU=SharePoint, O=Microsoft, C=US\nThumbprint: <STS CERT THUMBPRINT>\n\nErrors:\n\n RevocationStatusUnknown: The revocation function was unable to check revocation for the certificate.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-SharePoint Products-SharePoint Foundation" Guid="{6FB7E0CD-52E7-47DD-997A-241563931FC2}" />
<EventID>8311</EventID>
<Version>14</Version>
<Level>2</Level>
<Task>13</Task>
<Opcode>0</Opcode>
<Keywords>0x4000000000000000</Keywords>
<TimeCreated SystemTime="2015-02-20T17:19:41.213852500Z" />
<EventRecordID>1611121</EventRecordID>
<Correlation />
<Execution ProcessID="10212" ThreadID="10328" />
<Channel>Application</Channel>
<Computer><SHAREPOINTSERVER></Computer>
<Security UserID="<SP SERVICE ACCOUNT>" />
</System>
<EventData>
<Data Name="string0">CN=SharePoint Security Token Service, OU=SharePoint, O=Microsoft, C=US</Data>
<Data Name="string1">CN=SharePoint Root Authority, OU=SharePoint, O=Microsoft, C=US</Data>
<Data Name="string2"><STS CERT THUMBPRINT></Data>
<Data Name="string3">RevocationStatusUnknown: The revocation function was unable to check revocation for the certificate.
</Data>
</EventData>
</Event>
Hi Darren,
This problem seems to occur when an administrator deletes the local trust relationship of the farm from the Security section of the Central Administration website
In order to resolve this problem, the local trust relationship has to be created. This can be done by running the following PowerShell commands
$rootCert = (Get-SPCertificateAuthority).RootCertificate
New-SPTrustedRootAuthority -Name "localNew" -Certificate $rootCert
After running the above commands, perform an IISReset on all servers in the farm.
More information:
http://support.microsoft.com/kb/2545744
Best Regards,
Wendy
Forum Support
Wendy Li
TechNet Community Support -
PLS-00201: identifier error with grants to roles
Hi all,
Consider the following: In schema AA I have several tables and packages. All grants (select, insert, update, delete for tables and execute for packages) are set to roles. User BB got the role containing all those grants. Furthermore, for all objects in schema AA there are public synonyms. Also, user BB got our developer role to create things and a directly granted 'execute any procedure' privilege (forgot why).
If user BB runs the application, no problems, grants take good care. But if user BB creates an object and wants to refer to schema AA objects, eg.
DECLARE
  t_var USERAA_TABLE.identifier%TYPE;
BEGIN
  NULL;
END;
I get the "PLS-00201: identifier '...' must be declared" error during compilation. Why is this? And, in our 8.1.7 database the above setup compiles without problems.
I sure don't hope I have to grant directly to developers, since I would like to control this using roles instead of maintaining all developers users.
Anyone? What am I missing here?
Regards,
Michiel
Thanks,
The USERAA_TABLE (which is owned by user AA) indeed has a (public) synonym.
If this is true (grant directly for compiling in Pl/Sql), I think this is a horrible step (since this was not the case in Oracle 8.1.7).
Our application is in schema AA, developers first deploy into their own schema, eg. schema BB (say: one package of the application). When you run the application inside schema BB the altered package is used and the rest of the application is used from schema AA, perfectly for testing. When all is to our satisfaction the DBAs deploy into schema BB (I know, the above does not completely apply when packages are fired from within table triggers).
Schema BB now doesn't compile anymore, because all grants are passed via roles and not directly. Certainly a big drawback if you have a lot of tables and developers.
Has anyone encountered these problems? -
EA1 - Error with exporting output to xls
Hi,
I'm experiencing an error when I try to export output to xls format.
Error data showed below.
OS Win XP Pro SP2
DB Oracle 11g
Export Data -> xls
Output -> Clipboard or File
java.lang.NumberFormatException
at java.math.BigDecimal.<init>(BigDecimal.java:368)
at java.math.BigDecimal.<init>(BigDecimal.java:647)
at oracle.dbtools.raptor.format.ExcelFormatter.printColumn(ExcelFormatter.java:170)
at oracle.dbtools.raptor.format.ui.TableFormatterWrapper.print(TableFormatterWrapper.java:114)
at oracle.dbtools.raptor.format.ResultsFormatter.print(ResultsFormatter.java:173)
at oracle.dbtools.raptor.format.ResultsFormatter$1.doWork(ResultsFormatter.java:133)
at oracle.ide.dialogs.ProgressRunnable.run(ProgressRunnable.java:161)
at oracle.ide.dialogs.ProgressBar.run(ProgressBar.java:615)
at java.lang.Thread.run(Thread.java:595)
Message was edited by:
msutic
This bug was logged and fixed last week, but did not make the build you have. This fix will be in the next Early Adopter drop. I am unable to give you the bug number at this point.
Regards
Sue -
Unable to assign all security roles to a user with a new custom security role
Dear All,
Happy New Year.!
I have a query regarding the assignment of Security Roles to new users in CRM. Normally we assign the security roles to new users via an Admin user who has 'System Administrator' security role assigned to him/her. This works perfectly fine, and we can assign any desired security role to the new user.
However, in our case, we need to delegate the user creation rights to some of the client partners. We do not want to give them access to all the Administration functions; hence we created a new Security Role, lets say 'Support User Role'. We have provided 'Create', 'Append', 'Append To', and 'Assign' rights on 'User' entity for this new security role. With this security role, we are able to create new users now, but we are only able to assign 'Agent' security role, not any other security roles.
For example, if user 'x' has Security Role defined as 'Support User Role'. If 'x' tries to add a new user 'y', then 'x' is only able to assign 'Agent' security role to 'y', but not any other security role. As per business requirement, 'x' should be able to assign some other security roles, including 'Support User Role', to new user 'y'.
I believe that there is something missing in Security Role configuration, which is causing the above problem. We compared both 'Support User Role' and 'System Administrator' security roles, but not able to figure out which minimum rights we can provide to 'Support User Role' so that users with this security role can only add new users (with any security role), and that they are not having access on any other Administration features as well.
Appreciate any help that you can provide on the above issue.
Thanks in anticipation.
Hi,
Can you check if you have organization level Read access for Security Role and Organization level Assign access for Security role.
Refer:-
http://www.magnetismsolutions.com/blog/paulnieuwelaar/2013/04/22/permissions-required-to-manage-roles-in-dynamics-crm-2011
Hope this helps!!!
Thanks,
Prasad
Make sure to "Vote as Helpful" and "Mark As Answer",if you get answer of your question -
OIM 11g R2 - SOA error with Auto Approval
Hi,
I am trying to provision a resource through catalog wizard as an end user .I have created both Operational Level and Request level approval policies with Auto Approval Enabled.The RequestID is getting generated but I am getting the following error in screen
[Security:090304]Authentication Failed: User SOAAdminPassword javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User SOAAdminPassword denied
May I know where should I go and change the SOAAdmin Password? Thanks.
I've run into the same error with oim 11gr2 bp04:
<Mar 18, 2013 11:07:09 AM CDT> <Notice> <Stdout> <BEA-000000> <<Mar 18, 2013 11:07:09 AM CDT> <Error> <oracle.soa.services.identity>
<BEA-000000> <<oracle.tip.pc.services.identity.jps.AuthenticationServiceImpl.authenticateUser()> authentication FAILED>>
<Mar 18, 2013 11:07:09 AM CDT> <Notice> <Stdout> <BEA-000000> <<Mar 18, 2013 11:07:09 AM CDT> <Error> <oracle.soa.services.identity>
<BEA-000000> <<.> Identity Service Authentication failure.
Identity Service Authentication failure.
Either the user name or password is incorrect. Check the error stack and fix the cause of the error. Contact Oracle Support Services if error is not fixable.
ORABPEL-10528
Identity Service Authentication failure.
Identity Service Authentication failure.
Either the user name or password is incorrect. Check the error stack and fix the cause of the error. Contact Oracle Support Services if error is not fixable.
at oracle.tip.pc.services.identity.jps.JpsProvider.authenticateUser(JpsProvider.java:2337)
Caused By: javax.security.auth.login.LoginException: [Security:090304]Authentication Failed: User SOAAdminPassword javax.security.auth.login.FailedLoginException:
[Security:090302]Authentication Failed: User SOAAdminPassword denied
at oracle.security.jps.internal.jaas.module.authentication.JpsUserAuthenticationLoginModule.login(JpsUserAuthenticationLoginModule.java:71)
...
Did you find what the issue is? I'm finding scant information about this user named "SOAAdminPassword" (who makes up these usernames :-/). -
Security-role and security-role-assignment not working in WL7.0
Hello all..
Some EJB components that worked fine in WebLogic 6.1 no longer work in
WL7.0. It has to do with the security-role and security-role-assignment
descriptor elements no longer allowing anonymous users to be included in the
authorization for a bean.
For example, in WL6.1 placing these items in ejb-jar.xml:
<assembly-descriptor>
  <security-role>
    <role-name>Employees</role-name>
  </security-role>
  <method-permission>
    <role-name>Employees</role-name>
    <method>
      <ejb-name>CustomerEJB</ejb-name>
      <method-name>*</method-name>
    </method>
  </method-permission>
</assembly-descriptor>
and mapping WebLogic default users to this role in weblogic-ejb-jar.xml:
<security-role-assignment>
  <role-name>Employees</role-name>
  <principal-name>guest</principal-name>
  <principal-name>system</principal-name>
</security-role-assignment>
worked fine for clients creating their context using a simple
InitialContext() constructor without specifying SECURITY_PRINCIPAL or
SECURITY_CREDENTIALS. These users were basically "guest" to WebLogic, and
the security-role-assignment element above told WebLogic that "guest" was in
the Employees role for purposes of this EJB archive.
Worked in WL6.1, no longer works in WL7.0. Client receives typical
permission exception:
java.rmi.AccessException: Security violation: insufficient permission to
access method 'create'
If I explicitly connect as "system" things are fine, or I can create a new
user in the default realm in WebLogic, put a matching <principal-name>
element in the section above, and connect as that user. Note that if I leave
off the <security-role> section completely, or set the required role name to
"everyone", the anonymous access works fine. Apparently the anonymous user
is a member of "everyone" behind the scenes even though "everyone" does not
appear in the realm list of groups or roles.
So, my question boils down to this: Is there a "magic" username in WL7 like
"guest" was in WL6.1 that can be mapped to the required role name, or must
every client connection use a true weblogic-created user with appropriate
role assignments used to map it to the required role name.
-Greg
P.S. Note that none of the EJB examples provided with WL used
<security-role>..
Check out my WebLogic 6.1 Workbook for O'Reilly EJB Third Edition
www.amazon.com/exec/obidos/ASIN/1931822468 or www.titan-books.com
Below are the screen shots for PFCG:
dear, i'm trying to remotely manage the listener.ora file for a Database 10g instance called FINANCEIRA ( the OS that i'm using is the Windows ), using for that the EM Database Control. I am following the steps below for that: 1) access the Net Servi