JDev EA1 Error with JAZN/Security Roles/Authentication

Similar Messages

• Using Dynamic JDBC Credentials with jazn security (web.xml) in BC

  I have followed the document “How To Support Dynamic JDBC Credentials” http://www.oracle.com/technology/products/jdev/howtos/10g/dynamicjdbchowto.html to connect to the database using Business Components, as the user who logs in the application. (Proxy)
  The only matter is that as I could see, I cannot use the application server integrated security (with roles) to protect the web resources.
  The main objective is to protect the web resources using Declarative J2EE authentication and authorization using the Data Base users (and roles). I have implemented the solution for the first part (authentication) using DBLoginModule (DBSystemLoginModule) from Frank Nimphius and Duncan Mills, it’s working OK, but I need the second part; how to use the user that is logged in as the PROXY user of the BC connection.
  Using the DBLoginModule, and the “How To Support Dynamic JDBC Credentials” separates works fine, but I can’t make them work together.

  Frank, Thanks a lot for your quick answer.
  "Maybe you should look at using database proxy users with ADF BC so you can use the J2EE authenticated user principal as the database schema to connect through. I am working on documenting this approach, which however needs some more time of writing and testing."
  Yes, that's exactly what I need!!!
  Can you give me some tips about how to do that.. Do you have any idea of when you will finish that document?.
  By the way, I'm using FORM authentication, but I don't know how to modify what’s in the “How To Support Dynamic JDBC Credentials” document, to use the J2EE authenticated user principal as the database schema to connect through.
  One of the problems is that when using this approach, I cannot get the J2EE security to redirect to the login page...
  Any help would be really appreciated

• IBots are erroring with VPD Security Enabled

  Hello,
  We are using VPD security in our implementation.We are facing a problem while scheduling the iBots it is giving follwoing error.
  Error Codes: OPR4ONWY:U9IM8TAC:OI2DL65P
  State: HY000. Code: 10058. [NQODBC] [SQL_STATE: HY000] [nQSError: 10058] A general error has occurred. [nQSError: 17001] Oracle Error code: 1017, message: ORA-01017: invalid username/password; logon denied at OCI call OCISessionBegin. [nQSError: 17014] Could not connect to Oracle database. (HY000)
  Could any one share your thoughts on this issue?
  Thanks in Advance,

  Hi,
  In your Authentication block do you have the "Required for Authentication" checkbox checked? We ran into some problems with iBots and this turned out to be the problem. When Delivers is connecting to the repository it is "impersonating" a user and so you can't authenticate to LDAP. Uncheck that and it works.
  This also causes problems when connecting using SSO.

• Using a Filter on OC4J with JAZN security enabled using LDAP

  I have a LDAP security in place on OC4J. I have to create a filter which uses the HttpRequestWrapper to do some preprocessing with the request parameters. I have all the code in place along and the Filter which uses HttpRequestWrapper. Now the problem is that the OC4J gives an error -
  Servlet error
  javax.servlet.ServletException: JAAS-OC4J: JAZNFilter.doFilter - unable to find the current servlet
  at oracle.security.jazn.oc4j.JAZNFilter.doFilter(Unknown Source)
  at com.evermind[Oracle Application Server Containers for J2EE 10g (9.0.4.2.0)].server.http.EvermindFilterChain.doFilter(EvermindFilterChain.java:16)
  at com.myapp.filter.RequestFilter.doFilter(RequestFilter.java:429)
  at com.evermind[Oracle Application Server Containers for J2EE 10g (9.0.4.2.0)].server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java:617)
  at com.evermind[Oracle Application Server Containers for J2EE 10g (9.0.4.2.0)].server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java:330)
  at com.evermind[Oracle Application Server Containers for J2EE 10g (9.0.4.2.0)].server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:794)
  at com.evermind[Oracle Application Server Containers for J2EE 10g (9.0.4.2.0)].server.http.AJPRequestHandler.run(AJPRequestHandler.java:208)
  at com.evermind[Oracle Application Server Containers for J2EE 10g (9.0.4.2.0)].server.http.AJPRequestHandler.run(AJPRequestHandler.java:125)
  at com.evermind[Oracle Application Server Containers for J2EE 10g (9.0.4.2.0)].util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java:192)
  at java.lang.Thread.run(Thread.java:534)
  The error happens while executing the following line:
  chain.doFilter(new MyHttpServletRequestWrapper((HttpServletRequest) request ), response);
  The constructor call MyHttpServletRequestWrapper is successful. Something seems to be wrong as it appears the server is not able to locate the path where to forward to from within the Filter.
  If I execute the same code without the JAZN LDAP security everything works fine.
  Can anybody please provide some help to resolve this issue?

  Yeah, it's a known problem - it caught me out as well.
  The xml parser installed with OJSP is more strict than the one
  with Orion. The order of the parameters becomes important. The
  general solution is to check the dtd listed at the top of the
  xml file for the parameter order and make sure any you specify
  in the xml file are in this order.
  Your specific case: the order of session-config and
  welcome-file-list should be reveresed, ie session-config should
  come first in the web.xml file.
  Jonny

• Problem with ADF Security / SQL Authenticator after upgrade to 11.1.1.6

  Hi,
  We have an ADF application built with JDeveloper 11.1.1.2 that's been in production for a couple of years. Now we are in the process of upgrading to 11.1.1.6 so I have upgraded WLS and ADF in a test environment and re-deployed the application there. The application uses users and groups from database using SQL Authenticator configured in WLS. This worked fine in the old version but now after the upgrade we can't log in with credentials from the database. I can log in if I add a user to the default authenticator. We didn't touch any of the authenticator settings or security realm configurations during the upgrade. Both authenticators are marked as SUFFICIENT, as they have always been.
  Has something changed in the way SQL Authenticator is used since 11.1.1.2? What could be the problem?
  Regards,
  Joonas

  Answering myself here: after recreating the SQL Authenticator and the ADF Security configuration logins are working again. Don't know where the problem was though.

• Installing Exchange 2010 on Server 2008 R2 Get error with Hub Transport Role

  Hub Transport Role
  Failed
  Error:
  The following error was generated when "$error.Clear();
            install-MsiPackage `
            -PackagePath ($RoleInstallPath + "TransportRoles\agents\Hygiene\ASEntIRS.MSI") `
            -LogFile ($RoleSetupLoggingPath + "\InstallASEntIRS.msilog") `
            -PropertyValues ("ALLUSERS=1") `
            -UpdatesDir $RoleUpdatesDir
          " was run: "Installing product D:\Program Files\Microsoft SQL Server\Microsoft\Exchange Server\V14\TransportRoles\agents\Hygiene\ASEntIRS.MSI failed. Fatal error during installation. Error code is 1603.".
  Installing product D:\Program Files\Microsoft SQL Server\Microsoft\Exchange Server\V14\TransportRoles\agents\Hygiene\ASEntIRS.MSI failed. Fatal error during installation. Error code is 1603.
  Fatal error during installation
  Elapsed Time: 00:00:01
  Client Access Role
  Cancelled

  Hi,
  From the description, I recommend you copy the Exchange installation files to the local machine, or download a fresh copy of Exchange 2010 and then reinstall it.
  Besides, please ensure that you install Exchange 2010 on 64-bit edition of Windows Server 2008 R2 Standard with SP1 or Windows Server 2008 R2 Enterprise with SP1.
  If the issue persists, please refer to the following KB further troubleshooting.
  You receive error 1603 when you try to install the Exchange Server 2010 RU1
  https://support.microsoft.com/kb/981474
  Hope it helps.
  If you need further assistance, please feel free to let me know.
  Best regards,
  Amy
  Amy Wang
  TechNet Community Support

• ORA-06502: PL/SQL error with dimensions and roles

  Hi everyone,
  When executing a mapping that loads a cube we are always getting that ORA-06502: PL/SQL error character string buffer too small
  The cube contains a number of dimensions, some of them with roles. We've checked that the error appears when we use two different lookup operators to fill dimension atributtes in the cube and its correspondent role. If we map dimension attributes with lookup operator, and the role attributes with constants, the mapping executes without any error. Moreover, even thought it doesnt make any sense, if we map the role dimension attributes with a lookup operator linked to a different dimension, it works too.
  We think that this could be due to attributes names, maybe they are too long, but we have tried to make them shorter and still getting the same error.
  Any ideas of what could be happening?
  Thank you so much in advance.

  The return datatype in a PLSQL function is unconstrained. Which means it does not have a size.
  The size is declared on the receiving end.
  What size variable are you trying to return your value into?
  Here is an example...
  SQL>create or replace function my_func
    2  return varchar2
    3  is
    4  begin
    5    return USER;
    6  end;
    7  /
  Function created.
  SQL>declare
    2    my_string varchar2(30);
    3  begin
    4    my_string := my_func;
    5  end;
    6  /
  PL/SQL procedure successfully completed.
  SQL>declare
    2    my_string varchar2(3);
    3  begin
    4    my_string := my_func;
    5  end;
    6  /
  declare
  ERROR at line 1:
  ORA-06502: PL/SQL: numeric or value error: character string buffer too small
  ORA-06512: at line 4

• Dimension Selector Error with Dimensional Security Set

  I have the following dimensional security applied:
  INDEX USER
  CASE SOLFAE
  SELECT Solution Below 'SOL-_FINANCE_&_ACCOUNTING_EXCELLENC'
  SELECT Geography
  SELECT Industry
  SELECT Resource_Job_Function
  SELECT Resource_Proficiency
  SELECT Resource_Solution 'RS-_FINANCE_&_ACCOUNTING_EXCELLENC'
  SELECT Resource_Solution Plus 'RS-_FINANCE_&_ACCOUNTING_EXCEL_PIM'
  ENDINDEX
  When I use the dimensional selector in the IP user interface (connecting to PAS with SOLFAE user id), I get the following error:
  CAL062:
  R is Not a Member of RESOURCE_SOLUTION
  CAL062:
  INTERNALAUDIT is Not a Member of RESOURCE_SOLUTION
  However, when I remove the dimensional security on the RESOURCE_SOLUTION dimension, the dimension selector works fine.  Does anyone out there have any insight into what may be causing this error.  We are running SSM 7.0 SP7.
  Thanks ahead of time for your help!
  Edited by: Jason Allen on Oct 29, 2010 10:12 PM

  I think that it may be the "&" in the dimension member names.  I'll test on Monday, and repost.  In the meantime, if anyone has additional insight, please reply to this post.

• Creating bootable TS media with limited security role

  Hi
  We're giving our remote engineers the ability to perform OS deployment.  Part of this task will require them to be able to create their bootable USB task sequence media.
  We've created a security scope relevant for the engineers location.  Their local DP, and the relevant boot image, have been added to this scope.
  When we run the Create TS Media wizard (running with the permissions the engineer has) we can choose the boot image and DP as expected.  However, when we try to select Management Points, none are listed.
  We can't find anything pertaining to scoping Management Points, so what else could we be missing?
  Thanks in advance for any advice.

  That's exactly what I was trying to refer at. You could add an additional scope and add it to their administrative user,
  or also add their scope to the primary site server object. Another option to limit their options is to create another scope and role (with only read permissions) and add them together to the administrative user.
  My Blog: http://www.petervanderwoude.nl/
  Follow me on twitter: pvanderwoude
  I can't see an option to add a scope to the primary site server object.
  However, I looked in Administration -> Site Configuration -> Sites and when selecting the site name I was able to add the engineer's scope to that.  That seems to have done the trick.  There's now more things visible to the engineers than
  I'd wanted them to see, but it's all read-only so no risk I guess.

• Errors with SharePoint Security Token Service: "The revocation function was unable to check revocation for the certificate"

  I'm getting these errors in the eventlog and ULS, "An operation failed because the following certificate has validation errors:\n\nSubject Name: CN=SharePoint Security Token Service, OU=SharePoint, O=Microsoft, C=US\nIssuer Name: CN=SharePoint Root
  Authority, OU=SharePoint, O=Microsoft, C=US\nThumbprint: <STS CERTIFICATE THUMBPRINT>\n\nErrors:\n\n RevocationStatusUnknown: The revocation function was unable to check revocation for the certificate."
  The errors point to the SharePoint Security Token Service as the issue ("The revocation function was unable to check revocation for the certificate") reported back by the Topology service.  This is apparent when executing a search, accessing
  the managed metadata service, issuing SPSite commands in Powershell, or anything that needs to run through the "SharePoint Web Services" site.  I've looked at the certificate assigned to that site and everything appears to be in order. 
  It would seem to me to be either an incorrect endpoint configuration (internally cached perhaps?) or related to security access for the configuration database (in order to validate the certificate root).
  What I’ve tried so far:
  I’ve been all over the certificate settings, both in the server store, and within SharePoint Token Service config.  Both appear to be configured correctly such that the root CAs can be validated.
  Re-entered the passwords for the application pool domain accounts to eliminate these as a potential cause.  I’ve also verified the service accounts reporting the error, do have access to the configuration database.
  Re-provisioned the STS service to see if that might clear out any cached issues and validated everything else according to this
  MS Tech note.
  So far nothing has worked.  Is there anything else I could be looking at that I've missed? (Full eventlog detail below)
  Log Name:      Application
  Source:        Microsoft-SharePoint Products-SharePoint Foundation
  Date:          2/20/2015 11:19:41 AM
  Event ID:      8311
  Task Category: Topology
  Level:         Error
  Keywords:      
  User:          <SP SERVICE ACCOUNT>
  Computer:      <SHAREPOINTSERVER>
  Description:
  An operation failed because the following certificate has validation errors:\n\nSubject Name: CN=SharePoint Security Token Service, OU=SharePoint, O=Microsoft, C=US\nIssuer Name: CN=SharePoint Root Authority, OU=SharePoint, O=Microsoft, C=US\nThumbprint: <STS
  CERT THUMBPRINT>\n\nErrors:\n\n RevocationStatusUnknown: The revocation function was unable to check revocation for the certificate.
  Event Xml:
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
      <Provider Name="Microsoft-SharePoint Products-SharePoint Foundation" Guid="{6FB7E0CD-52E7-47DD-997A-241563931FC2}" />
      <EventID>8311</EventID>
      <Version>14</Version>
      <Level>2</Level>
      <Task>13</Task>
      <Opcode>0</Opcode>
      <Keywords>0x4000000000000000</Keywords>
      <TimeCreated SystemTime="2015-02-20T17:19:41.213852500Z" />
      <EventRecordID>1611121</EventRecordID>
      <Correlation />
      <Execution ProcessID="10212" ThreadID="10328" />
      <Channel>Application</Channel>
      <Computer><SHAREPOINTSERVER></Computer>
      <Security UserID="<SP SERVICE ACCOUNT>" />
    </System>
    <EventData>
      <Data Name="string0">CN=SharePoint Security Token Service, OU=SharePoint, O=Microsoft, C=US</Data>
      <Data Name="string1">CN=SharePoint Root Authority, OU=SharePoint, O=Microsoft, C=US</Data>
      <Data Name="string2"><STS CERT THUMBPRINT></Data>
      <Data Name="string3">RevocationStatusUnknown: The revocation function was unable to check revocation for the certificate.
  </Data>
    </EventData>
  </Event>

  Hi Darren,
  This problem seems to occur when an administrator deletes the local trust relationship of the farm from the Security section of the Central Administration website
  In order to resolve this problem, the local trust relationship has to be created. This can be done by running the following PowerShell commands
  $rootCert = (Get-SPCertificateAuthority).RootCertificate
  New-SPTrustedRootAuthority -Name "localNew" -Certificate $rootCert
  After running the above commands, perform an IISReset on all servers in the farm.
  More information:
  http://support.microsoft.com/kb/2545744
  Best Regards,
  Wendy
  Forum Support
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact
  [email protected]
  Wendy Li
  TechNet Community Support

• PLS-00201: identifier error with grnats to roles

  Hi all,
  Consider the following: In schema AA I have several tables and packages. All grants (select, insert, update, delete for tables en execute for packages) are set to roles. User BB got the role contaning all those grants. Furthermore, for all objects in schema AA there are public synonyms. Also, user BB got our developer role to create things and a directly granted 'execute any procedure' privilege (forgot why).
  If user BB runs the application, no problems, grants take good care. But if user BB creates an object and wants to refer to schama AA objects, eg.
  DECLARE
    t_var  USERAA_TABLE.identifier%TYPE;
  BEGIN
  END;I get the "PLS-00201: identifier '...' must be declared" error during compilation. Why is this? And, in our 8.1.7 database the above setup compiles without problems.
  I sure don't hope I have to grant directly to developers, since I would like to control this using roles instead of maintaining all developers users.
  Anyone? What am I missing here?
  Regards,
  Michiel

  Thanks,
  The USERAA_TABLE (which is owned by user AA) indeed has a (public) synonym.
  If this is true (grant directly for compiling in Pl/Sql), I think this is a horrible step (since this was not the case in Oracle 8.1.7).
  Our application is in schema AA, developers first deploy into their own schema, eg. schema BB (say: one package of the application). When you run the application inside schema BB the altered package is used and the rest of the application is used from schema AA, perfectly for testing. When all is to our satisfaction the DBAs deploy into schema BB (I know, the above does not completly apply when packages are fired from within table triggers).
  Schema BB now doesn't compile anymore, because all grants are passed via roles and not direclty. Certainly a big drawback if you have a lot of tables and developers.
  Does anyone have encountered these problems?

• EA1 - Error with exporting output to xls

  Hi,
  I've experiencing error when I try to export output to xls format.
  Error data showed below.
  OS Win XP Pro SP2
  DB Oracle 11g
  Export Data -> xls
  Output -> Clipboard or File
  java.lang.NumberFormatException
       at java.math.BigDecimal.<init>(BigDecimal.java:368)
       at java.math.BigDecimal.<init>(BigDecimal.java:647)
       at oracle.dbtools.raptor.format.ExcelFormatter.printColumn(ExcelFormatter.java:170)
       at oracle.dbtools.raptor.format.ui.TableFormatterWrapper.print(TableFormatterWrapper.java:114)
       at oracle.dbtools.raptor.format.ResultsFormatter.print(ResultsFormatter.java:173)
       at oracle.dbtools.raptor.format.ResultsFormatter$1.doWork(ResultsFormatter.java:133)
       at oracle.ide.dialogs.ProgressRunnable.run(ProgressRunnable.java:161)
       at oracle.ide.dialogs.ProgressBar.run(ProgressBar.java:615)
       at java.lang.Thread.run(Thread.java:595)
  Message was edited by:
  msutic

  This bug was logged and fixed last week, but did not make the build you have. This fix will be in the next Early Adopter drop. I am unable to give you the bug number at this point.
  Regards
  Sue

• Unable to assign all security roles to a user with a new custom security role

  Dear All,
  Happy New Year.!
  I have a query regarding the assignment of Security Roles to new users in CRM. Normally we assign the security roles to new users via an Admin user who has 'System Administrator' security role assigned to him/her. This works perfectly fine, and we can assign
  any desired security role to the new user.
  However, in our case, we need to delegate the user creation rights to some of the client partners. We do not want to give them access to all the Administration functions; hence we created a new Security Role, lets say 'Support User Role'. We have provided
  'Create', 'Append', 'Append To', and 'Assign' rights on 'User' entity for this new security role. With this security role, we are able to create new users now, but we are only able to assign 'Agent' security role, not any other security roles.
  For example, if user 'x' has Security Role defined as 'Support User Role'. If 'x' tries to add a new user 'y', then 'x' is only able to assign 'Agent' security role to 'y', but not any other security role. As per business requirement, 'x' should be able
  to assign some other security roles, including 'Support User Role', to new user 'y'.
  I believe that there is something missing in Security Role configuration, which is causing the above problem. We compared both 'Support User Role' and 'System Administrator' security roles, but not able to figure out which minimum rights we can provide to
  'Support User Role' so that users with this security role can only add new users (with any security role), and that they are not having access on any other Administration features as well.
  Appreciate any help that you can provide on the above issue.
  Thanks in anticipation.

  Hi,
  Can you check if you have organization level Read access for Securitity Role and Organization level Assign access for Security role.
  Refer:-
  http://www.magnetismsolutions.com/blog/paulnieuwelaar/2013/04/22/permissions-required-to-manage-roles-in-dynamics-crm-2011
  Hope this helps!!!
  Thanks,
  Prasad
  Make sure to "Vote as Helpful" and "Mark As Answer",if you get answer of your question

• OIM 11g R2 - SOA error with Auto Approval

  Hi,
  I am trying to provision a resource through catalog wizard as an end user .I have created both Operational Level and Request level approval policies with Auto Approval Enabled.The RequestID is getting generated but I am getting the following error in screen
  [Security:090304]Authentication Failed: User SOAAdminPassword javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User SOAAdminPassword denied
  May I know where should I go and change the SOAAdmin Password ?.Thanks.

  I've run into the same error with oim 11gr2 bp04:
  <Mar 18, 2013 11:07:09 AM CDT> <Notice> <Stdout> <BEA-000000> <<Mar 18, 2013 11:07:09 AM CDT> <Error> <oracle.soa.services.identity>
  <BEA-000000> <<oracle.tip.pc.services.identity.jps.AuthenticationServiceImpl.authenticateUser()> authentication FAILED>>
  <Mar 18, 2013 11:07:09 AM CDT> <Notice> <Stdout> <BEA-000000> <<Mar 18, 2013 11:07:09 AM CDT> <Error> <oracle.soa.services.identity>
  <BEA-000000> <<.> Identity Service Authentication failure.
  Identity Service Authentication failure.
  Either the user name or password is incorrect. Check the error stack and fix the cause of the error. Contact Oracle Support Services if error is not fixable.
  ORABPEL-10528
  Identity Service Authentication failure.
  Identity Service Authentication failure.
  Either the user name or password is incorrect. Check the error stack and fix the cause of the error. Contact Oracle Support Services if error is not fixable.
       at oracle.tip.pc.services.identity.jps.JpsProvider.authenticateUser(JpsProvider.java:2337)
  Caused By: javax.security.auth.login.LoginException: [Security:090304]Authentication Failed: User SOAAdminPassword javax.security.auth.login.FailedLoginException:
  [Security:090302]Authentication Failed: User SOAAdminPassword denied
       at oracle.security.jps.internal.jaas.module.authentication.JpsUserAuthenticationLoginModule.login(JpsUserAuthenticationLoginModule.java:71)
       ...Did you find what the issue is? I'm finding scant information about this user named "SOAAdminPassword" (who makes up these usernames :-/).

• Security-role and security-role-assignment not working in WL7.0

  Hello all..
  Some EJB components that worked fine in WebLogic 6.1 no longer work in
  WL7.0. It has to do with the security-role and security-role-assignment
  descriptor elements no longer allowing anonymous users to be included in the
  authorization for a bean.
  For example, in WL6.1 placing these items in ejb-jar.xml:
  <assembly-descriptor>
  <security-role>
  <role-name>Employees</role-name>
  </security-role>
  <method-permission>
  <role-name>Employees</role-name>
  <method>
  <ejb-name>CustomerEJB</ejb-name>
  <method-name>*</method-name>
  </method>
  </method-permission>
  and mapping WebLogic default users to this role in weblogic-ejb-jar.xml:
  <security-role-assignment>
  <role-name>Employees</role-name>
  <principal-name>guest</principal-name>
  <principal-name>system</principal-name>
  </security-role-assignment>
  worked fine for clients creating their context using a simple
  InitialContext() constructor without specifying SECURITY_PRINCIPAL or
  SECURITY_CREDENTIALS. These users were basically "guest" to WebLogic, and
  the security-role-assignment element above told WebLogic that "guest" was in
  the Employees role for purposes of this EJB archive.
  Worked in WL6.1, no longer works in WL7.0. Client receives typical
  permission exception:
  java.rmi.AccessException: Security violation: insufficient permission to
  access method 'create'
  If I explicity connect as "system" things are fine, or I can create a new
  user in the default realm in WebLogic, put a matching <principal-name>
  element in the section above, and connect as that user. Note that if I leave
  off the <security-role> section completely, or set the required role name to
  "everyone", the anonymous access works fine. Apparently the anonymous user
  is a member of "everyone" behind the scenes even though "everyone" does not
  appear in the realm list of groups or roles.
  So, my question boils down to this: Is there a "magic" username in WL7 like
  "guest" was in WL6.1 that can be mapped to the required role name, or must
  every client connection use a true weblogic-created user with appropriate
  role assignments used to map it to the required role name.
  -Greg
  P.S. Note that none of the EJB examples provided with WL used
  <security-role>..
  Check out my WebLogic 6.1 Workbook for O'Reilly EJB Third Edition
  www.amazon.com/exec/obidos/ASIN/1931822468 or www.titan-books.com

  Below are the screen shots for PFCG: