My own Realm instead of Custom Realm extends IASRealm ?

Similar Messages

• How to access "Alternative Realm" or "Custom Realm" from components like Servlet ?

  Hello,
  Says if I have alternative realm or my custom realm which implement
  "ManageableRealm" interface. How can I access the realm from other
  component, like Servlet or EJB in same WLS ? I tried using code like this
  BasicRealm realm =
  Realm.getRealm("XmlRealm","weblogic","myclass.DebugRealm");
  if (realm != null) {
  Class realmClass = realm.getClass();
  out.println("Realm is " + realmClass.getName());
  Which "myclass.DebugRealm" is classname of my own realm. This realm works
  fine when using for authentication and authorization. But when I run this
  code on servlet, it seems that it doesn't return the realm it created when
  starting WLS, I mean the one that served authentication and authorization.
  But it create a new instance of this class (I knew it 'cos I put debug
  message in its constructor). So how can I get reference to the realm
  instance which is created when starting WLS ?
  Thank you in an advance,
  Siros

  Hello again,
  Sorry to say that now I've got the way. I post here again for someone who
  may face that same problem.
  So strange that, I just changed the realm name in below code to "custom" and
  then it works !! My realm is extended from "AbstractListableRealm" class and
  I think I named my realm as "XmlRealm" in it constructor by call
  super("XmlRealm");
  But seems like its "getName()" method always return "custom", so in servlet
  code, it' rather be.
  BasicRealm realm = Realm.getRealm("custom");
  if (realm != null) {
  Class realmClass = realm.getClass();
  out.println("Realm is " + realmClass.getName());
  This works fine and no instance of realm is created. Anyway I saw that
  constructor of "AbstractListableRealm" take String argument for "name" of
  the realm. So why it's always "custom" ???
  Comments are welcome,
  Siros
  "Siros Supavita" <[email protected]> wrote in message
  news:[email protected]..
  Hello,
  Says if I have alternative realm or my custom realm which implement
  "ManageableRealm" interface. How can I access the realm from other
  component, like Servlet or EJB in same WLS ? I tried using code like this
  BasicRealm realm =
  Realm.getRealm("XmlRealm","weblogic","myclass.DebugRealm");
  if (realm != null) {
  Class realmClass = realm.getClass();
  out.println("Realm is " + realmClass.getName());
  Which "myclass.DebugRealm" is classname of my own realm. This realm works
  fine when using for authentication and authorization. But when I run this
  code on servlet, it seems that it doesn't return the realm it created when
  starting WLS, I mean the one that served authentication and authorization.
  But it create a new instance of this class (I knew it 'cos I put debug
  message in its constructor). So how can I get reference to the realm
  instance which is created when starting WLS ?
  Thank you in an advance,
  Siros

• Help with Weblogic 6 sp1 Custom Realm !!!!

  We are trying to run Weblogic 6.0 sp1 with our current environment (ejb 1.1, custom
  security realm)
  We can compile and deploy our ejb 1.1 beans. We wish to start with ejb1.1 and
  move to ejb2.0 once we can get our custom security working.
  The JDBC connection pools are fine.
  Our custom security realm uses LDAP for user authentication and an Oracle table
  for authorization (acls).
  Earlier, I wrote to the board and received the below following instructions to
  use our existing custom realm in wl 60. You can read below, but I followed these
  instructions on Solaris 5.6.
  1. I ensured the SunOS patches were up to date.
  2. We ensured the LD_LIBRARY_PATH reflected weblogic 6 (and not 5.1). We moved
  the 5.1 classes over to wl6.
  3. We copied our custom realm properties file to the weblogic root and/or the
  config subdirectory (tried them both).
  4. We ensured the security realm class we wrote is in the classpath (we bunch
  all our serverside classes in a jar file anyway).
  5. Then we created a custom realm via the console &#8211; name BFXRealm and it&#8217;s
  class name <package>.BFXRealm, left configuration box blank.
  6. Then we created a custom caching realm BFXCachingREalm and set its basic realm
  as the custom realm, BFXRealm. All of the enable caches are checked to true.
  7. Then we set the default realm to the BFXCachingRealm.
  Now, when we perform a query, the everyone group should be implied. We don&#8217;t
  implement LDAP lookup on queries. If I try to run a query from a client, I see
  the client box connecting with the server:
  Last line - you can see the client box connecting to the server -
  <May 30, 2001 2:20:07 PM EDT> <Info> <J2EE> <Deployed : DefaultWebApp_myserver>
  <May 30, 2001 2:20:07 PM EDT> <Notice> <WebLogicServer> <WebLogic Server started>
  <May 30, 2001 2:20:07 PM EDT> <Info> <Configuration Management> <Backed up booted
  configuration /opt/apps/weblogic/beasp1/wlserver6.0sp1/./config/mydomain/config.xml
  at /opt/apps/weblogic/beasp1/wlserver6.0sp1/./config/mydomain/config.xml.booted>
  <May 30, 2001 2:20:07 PM EDT> <Notice> <WebLogicServer> <ListenThread listening
  on port 7001>
  <May 30, 2001 2:20:07 PM EDT> <Notice> <WebLogicServer> <SSLListenThread listening
  on port 7002>
  <May 30, 2001 2:20:08 PM EDT> <Info> <Posix Performance Pack> <System has file
  descriptor limits of - soft: '1024', hard: '1024'>
  <May 30, 2001 2:20:08 PM EDT> <Info> <Posix Performance Pack> <Using effective
  file descriptor limit of: '1024' open sockets/files.>
  <May 30, 2001 2:20:08 PM EDT> <Info> <Posix Performance Pack> <Allocating: '3'
  POSIX reader threads>
  <May 30, 2001 2:20:23 PM EDT> <Info> <HTTP> <[HTTP myserver] Created log stream
  /opt/apps/weblogic/beasp1/wlserver6.0sp1/config/mydomain/logs/access.log>
  <May 30, 2001 2:21:50 PM EDT> <Info> <WebLogicServer> <Adding address: 152.51.164.233/152.51
  The client receives the error:
  javax.naming.AuthenticationException. Root exception is java.lang.SecurityException:
  Authentication
  for user aws4270 denied in realm weblogic
  It&#8217;s as if the fileRealm.properties is only being looked at. We do not
  use this for our user/groups/acls in wl5.1.0 and we do not want to in wl6
  For &#8220;fun&#8221;, I added a user to the fileRealm.properties file via the
  console and ran a client query. It worked.
  But when I tried to call an ejbCreate from the client, I received these errors
  from the server:
  BFXSecurityRealmException is a custom exception we have written. A query works
  but a create does not - obviously cannot get to acl in database (?)
  and why the ejb20 errors? We just want to start with ejb 1.1
  In SeqStoreSecurityHelper.isUserAuthorized(): schema = seqStore.INTNUC, class
  = bioseq, project = HIPPI, permission = create
  <May 30, 2001 2:50:10 PM EDT> <Info> <EJB> <EJB Exception in method: ejbCreate:
  com.gw.bioinfo.exception.BFXSecurityRealmException: BFX-90000: A BFXSecurityRealmException
  occurred.
  com.gw.bioinfo.exception.BFXSecurityRealmException: BFX-90000: A BFXSecurityRealmException
  occurred.
  at com.gw.bioinfo.ejb.bioSeq.BioSequenceBean.ejbCreate(BioSequenceBean.java:1562)
  at com.gw.bioinfo.ejb.bioSeq.BioSequenceBeanImpl.ejbCreate(BioSequenceBeanImpl.java:833)
  at java.lang.reflect.Method.invoke(Native Method)
  at weblogic.ejb20.manager.DBManager.create(DBManager.java:408)
  at weblogic.ejb20.internal.EntityEJBHome.create(EntityEJBHome.java:353)
  at com.gw.bioinfo.ejb.bioSeq.BioSequenceBeanHomeImpl.create(BioSequenceBeanHomeImpl.java:111)
  at com.gw.bioinfo.ejb.bioSeq.BioSequenceBeanHomeImpl_WLSkel.invoke(BioSequenceBeanHomeImpl_WLSkel.java:78)
  at weblogic.rmi.internal.BasicServerAdapter.invoke(BasicServerAdapter.java:373)
  at weblogic.rmi.cluster.ReplicaAwareServerRef.invoke(ReplicaAwareServerRef.java:128)
  at weblogic.rmi.internal.BasicServerAdapter.invoke(BasicServerAdapter.java:237)
  at weblogic.rmi.internal.BasicRequestHandler.handleRequest(BasicRequestHandler.java:118)
  at weblogic.rmi.internal.BasicExecuteRequest.execute(BasicExecuteRequest.java:17)
  at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:137)
  at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:120)
  The client receives the error:
  java.rmi.RemoteException: EJB Exception:; nested exception is:
  com.gw.bioinfo.exception.BFXSecurityRealmException: BFX-90000: A BFXSecurityRealmException
  o
  ccurred.
  com.gw.bioinfo.exception.BFXSecurityRealmException: BFX-90000: A BFXSecurityRealmException
  occurred.
  HOW CAN WE GET THE SERVER TO BYPASS FILEREALM and use BFXREALM ???????????
  Thanks,
  Anne
  Subject: Re: Do Custom Security Realms have to use Mbeans?
  Date: 17 May 2001 06:38:23 -0800
  From: "Tom Moreau" <[email protected]>
  Newsgroup: weblogic.developer.interest.security
  Yes this can be done. Here's how:
  1) I'll assume that the classname to your custom realm is "com.yourcompany.YourCustomRealm"
  2) I'll assume that your custom realm has some kind of properties file from which
  it reads its configuration data. Let's call this file "YourCustomRealm.properties"
  3) Copy YourCustomRealm.properties to every machine that you're running wls on
  (you are probably already doing this today).
  4) Make sure that com.yourcompany.YourCustomRealm is in the classpath when you
  start wls (you should already be doing this today)
  5) In 5.1, there used to be some utility classes that customers used for their
  custom realms - something about Pools & Factories. These have been renamed in
  6.0. If you're using these classes, then go to your 5.1 weblogic jar file and
  pull out these classes and add them to your classpath for 6.0.
  6) In the console, create a custom realm and set it's realm class name to com.yourcompany.YourCustomRealm.
  Leave the configuration data section blank.
  7) In the console, configure your custom realm as the alternate realm. That is,
  create a caching realm and set it's basic realm to your custom realm, then set
  the realm's caching realm to the caching realm you just created.
  I'm pretty sure this should work for you. We did this to provide a patch that
  let 6.0 users uses the LDAPRealm rewrite from 5.1.
  The downside is that you don't get single point of administration - that is, you
  have to make your custom realm's configuration data (YourCustomRealm.properties)
  available on all the machines you're running WLS on. If you rework your custom
  realm, then the configuration data gets put in the custom realm configuration
  you create via the console and automatically copied to other machines for you.
  - Tom

  We are trying to run Weblogic 6.0 sp1 with our current environment (ejb 1.1, custom
  security realm)
  We can compile and deploy our ejb 1.1 beans. We wish to start with ejb1.1 and
  move to ejb2.0 once we can get our custom security working.
  The JDBC connection pools are fine.
  Our custom security realm uses LDAP for user authentication and an Oracle table
  for authorization (acls).
  Earlier, I wrote to the board and received the below following instructions to
  use our existing custom realm in wl 60. You can read below, but I followed these
  instructions on Solaris 5.6.
  1. I ensured the SunOS patches were up to date.
  2. We ensured the LD_LIBRARY_PATH reflected weblogic 6 (and not 5.1). We moved
  the 5.1 classes over to wl6.
  3. We copied our custom realm properties file to the weblogic root and/or the
  config subdirectory (tried them both).
  4. We ensured the security realm class we wrote is in the classpath (we bunch
  all our serverside classes in a jar file anyway).
  5. Then we created a custom realm via the console &#8211; name BFXRealm and it&#8217;s
  class name <package>.BFXRealm, left configuration box blank.
  6. Then we created a custom caching realm BFXCachingREalm and set its basic realm
  as the custom realm, BFXRealm. All of the enable caches are checked to true.
  7. Then we set the default realm to the BFXCachingRealm.
  Now, when we perform a query, the everyone group should be implied. We don&#8217;t
  implement LDAP lookup on queries. If I try to run a query from a client, I see
  the client box connecting with the server:
  Last line - you can see the client box connecting to the server -
  <May 30, 2001 2:20:07 PM EDT> <Info> <J2EE> <Deployed : DefaultWebApp_myserver>
  <May 30, 2001 2:20:07 PM EDT> <Notice> <WebLogicServer> <WebLogic Server started>
  <May 30, 2001 2:20:07 PM EDT> <Info> <Configuration Management> <Backed up booted
  configuration /opt/apps/weblogic/beasp1/wlserver6.0sp1/./config/mydomain/config.xml
  at /opt/apps/weblogic/beasp1/wlserver6.0sp1/./config/mydomain/config.xml.booted>
  <May 30, 2001 2:20:07 PM EDT> <Notice> <WebLogicServer> <ListenThread listening
  on port 7001>
  <May 30, 2001 2:20:07 PM EDT> <Notice> <WebLogicServer> <SSLListenThread listening
  on port 7002>
  <May 30, 2001 2:20:08 PM EDT> <Info> <Posix Performance Pack> <System has file
  descriptor limits of - soft: '1024', hard: '1024'>
  <May 30, 2001 2:20:08 PM EDT> <Info> <Posix Performance Pack> <Using effective
  file descriptor limit of: '1024' open sockets/files.>
  <May 30, 2001 2:20:08 PM EDT> <Info> <Posix Performance Pack> <Allocating: '3'
  POSIX reader threads>
  <May 30, 2001 2:20:23 PM EDT> <Info> <HTTP> <[HTTP myserver] Created log stream
  /opt/apps/weblogic/beasp1/wlserver6.0sp1/config/mydomain/logs/access.log>
  <May 30, 2001 2:21:50 PM EDT> <Info> <WebLogicServer> <Adding address: 152.51.164.233/152.51
  The client receives the error:
  javax.naming.AuthenticationException. Root exception is java.lang.SecurityException:
  Authentication
  for user aws4270 denied in realm weblogic
  It&#8217;s as if the fileRealm.properties is only being looked at. We do not
  use this for our user/groups/acls in wl5.1.0 and we do not want to in wl6
  For &#8220;fun&#8221;, I added a user to the fileRealm.properties file via the
  console and ran a client query. It worked.
  But when I tried to call an ejbCreate from the client, I received these errors
  from the server:
  BFXSecurityRealmException is a custom exception we have written. A query works
  but a create does not - obviously cannot get to acl in database (?)
  and why the ejb20 errors? We just want to start with ejb 1.1
  In SeqStoreSecurityHelper.isUserAuthorized(): schema = seqStore.INTNUC, class
  = bioseq, project = HIPPI, permission = create
  <May 30, 2001 2:50:10 PM EDT> <Info> <EJB> <EJB Exception in method: ejbCreate:
  com.gw.bioinfo.exception.BFXSecurityRealmException: BFX-90000: A BFXSecurityRealmException
  occurred.
  com.gw.bioinfo.exception.BFXSecurityRealmException: BFX-90000: A BFXSecurityRealmException
  occurred.
  at com.gw.bioinfo.ejb.bioSeq.BioSequenceBean.ejbCreate(BioSequenceBean.java:1562)
  at com.gw.bioinfo.ejb.bioSeq.BioSequenceBeanImpl.ejbCreate(BioSequenceBeanImpl.java:833)
  at java.lang.reflect.Method.invoke(Native Method)
  at weblogic.ejb20.manager.DBManager.create(DBManager.java:408)
  at weblogic.ejb20.internal.EntityEJBHome.create(EntityEJBHome.java:353)
  at com.gw.bioinfo.ejb.bioSeq.BioSequenceBeanHomeImpl.create(BioSequenceBeanHomeImpl.java:111)
  at com.gw.bioinfo.ejb.bioSeq.BioSequenceBeanHomeImpl_WLSkel.invoke(BioSequenceBeanHomeImpl_WLSkel.java:78)
  at weblogic.rmi.internal.BasicServerAdapter.invoke(BasicServerAdapter.java:373)
  at weblogic.rmi.cluster.ReplicaAwareServerRef.invoke(ReplicaAwareServerRef.java:128)
  at weblogic.rmi.internal.BasicServerAdapter.invoke(BasicServerAdapter.java:237)
  at weblogic.rmi.internal.BasicRequestHandler.handleRequest(BasicRequestHandler.java:118)
  at weblogic.rmi.internal.BasicExecuteRequest.execute(BasicExecuteRequest.java:17)
  at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:137)
  at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:120)
  The client receives the error:
  java.rmi.RemoteException: EJB Exception:; nested exception is:
  com.gw.bioinfo.exception.BFXSecurityRealmException: BFX-90000: A BFXSecurityRealmException
  o
  ccurred.
  com.gw.bioinfo.exception.BFXSecurityRealmException: BFX-90000: A BFXSecurityRealmException
  occurred.
  HOW CAN WE GET THE SERVER TO BYPASS FILEREALM and use BFXREALM ???????????
  Thanks,
  Anne
  Subject: Re: Do Custom Security Realms have to use Mbeans?
  Date: 17 May 2001 06:38:23 -0800
  From: "Tom Moreau" <[email protected]>
  Newsgroup: weblogic.developer.interest.security
  Yes this can be done. Here's how:
  1) I'll assume that the classname to your custom realm is "com.yourcompany.YourCustomRealm"
  2) I'll assume that your custom realm has some kind of properties file from which
  it reads its configuration data. Let's call this file "YourCustomRealm.properties"
  3) Copy YourCustomRealm.properties to every machine that you're running wls on
  (you are probably already doing this today).
  4) Make sure that com.yourcompany.YourCustomRealm is in the classpath when you
  start wls (you should already be doing this today)
  5) In 5.1, there used to be some utility classes that customers used for their
  custom realms - something about Pools & Factories. These have been renamed in
  6.0. If you're using these classes, then go to your 5.1 weblogic jar file and
  pull out these classes and add them to your classpath for 6.0.
  6) In the console, create a custom realm and set it's realm class name to com.yourcompany.YourCustomRealm.
  Leave the configuration data section blank.
  7) In the console, configure your custom realm as the alternate realm. That is,
  create a caching realm and set it's basic realm to your custom realm, then set
  the realm's caching realm to the caching realm you just created.
  I'm pretty sure this should work for you. We did this to provide a patch that
  let 6.0 users uses the LDAPRealm rewrite from 5.1.
  The downside is that you don't get single point of administration - that is, you
  have to make your custom realm's configuration data (YourCustomRealm.properties)
  available on all the machines you're running WLS on. If you rework your custom
  realm, then the configuration data gets put in the custom realm configuration
  you create via the console and automatically copied to other machines for you.
  - Tom

• WebLogic Server doesn't start after configuring a Custom Realm

  Hi,
  We are having problems getting WebLogic server to startup after configuring a
  Custom Realm. It outputs the error message "User System not authorized to boot
  WebLogic Server. Security Excpetion".
  For debugging purposed we had our Custom Realm classes output some debug statements
  to the console. From the output it was apparent that all the users were getting
  authenticated properly including System, Administrator, wliSystem etc. But after
  the initial authentications we get this error message. I am attaching the log
  file for your reference. Do we have to implement Authorization also (by implementing
  ACLImpl) in the Custom Realm. Our Custom Realm was planned to be used only for
  authentication.
  Appreciate any feedback on the cause of the problem.
  Thanks
  Vikram
  [test.log]

  Thanks Deyan. I will give it a try and let you know.
  "Deyan D. Bektchiev" <[email protected]> wrote:
  Vikram,
  You should make your user that you use to startup the server a member
  of
  the Administrators group.
  In other words there should be a Principal "Administrators" in the
  Subject that your LoginModule returns.
  I'm not sure if you can configure this afterwards but this is how it's
  done out of the box.
  Dejan
  Vikram wrote:
  Mike,
  We are working with a Platform domain on Weblogic 7.0. When you implementa custom
  realm it can be implemented just for authentication and not for authorization.
  In our case we used the Custom Realm only for authentication. ACLs storeall the
  authorization information. We assumed that the standard Weblogic useraccounts
  like system, administrator are already part of the ACLs with the appropriateprivileges.
  Please let me know if you have any suggestions.
  Thanks
  Vikram
  "mike" <[email protected]> wrote:
  You mix up authentication and authorization. The fact that a user is
  a valid user
  (authentication) does not guarantee that he/she can perform a certain
  action (authorization).
  The second is defined by ACLs or something, which is probably (most
  likely)
  not
  set in your case. To go on ranting I need to know which version youare
  on (looks
  like 7, grey area for me).
  "Vikram" <[email protected]> wrote:
  Hi,
  We are having problems getting WebLogic server to startup after configuring
  a
  Custom Realm. It outputs the error message "User System not authorized
  to boot
  WebLogic Server. Security Excpetion".
  For debugging purposed we had our Custom Realm classes output some
  debug
  statements
  to the console. From the output it was apparent that all the userswere
  getting
  authenticated properly including System, Administrator, wliSystemetc.
  But after
  the initial authentications we get this error message. I am attaching
  the log
  file for your reference. Do we have to implement Authorization also
  (by
  implementing
  ACLImpl) in the Custom Realm. Our Custom Realm was planned to be used
  only for
  authentication.
  Appreciate any feedback on the cause of the problem.
  Thanks
  Vikram

• Custom Realm

  I would want to write a Custom Security Realm, that uses
  - NT domain for authentication and
  - RDBMS realm for authorization
  I do not see any API to access NT Domain users, should I use JCOM
  Kindly Suggest. Thank you

  Aseem,
  Did you configure the Caching and file realms with your custom realm?
  See also:
  http://e-docs.bea.com/wls/docs61/adminguide/cnfgsec.html#1069864
  Hope this helps,
  Bart
  Aseem Rastogi wrote:
  Hi All,
  I wrote a Custom Realm, according to the specification given on the
  Weblogic WebSite. Now i have a problem testing it, It seems that My
  Custom Realm is not being called. Any pointers on How to test Custom
  realm.
  thanx
  aseem

• Admin Console Integration for Users in a Custom Realm

  We are implementing a custom realm and are having troubles getting our Users to
  show up in the User list.
  Our user class extends weblogic.security.acl.User, and is forced to use the default
  CTOR because our data access layer requires it.
  Unfortunately, getName() returns null if the User(String) constructor is not used.
  Furthermore, Identity::setName() is final, so it seems as though there is no
  way to set the user's name after construction.
  I am correct in this?
  If so, any thoughts on whether it is worth going down the path of making my user
  class implement Principal instead of extending weblogic.security.acl.User? I
  would be forced to try to guess at what methods in User are required to integrate
  with the admin console, I believe. I have not been able to find any documentation
  that specifies what api/contract the console uses when it attempts to display
  user, role, acl information for a custom realm.
  Any advice would be greatly appreciated.
  -chris

  My comments mixed with your text
  "Chris Goodacre" <[email protected]> wrote:
  >
  We are implementing a custom realm and are having troubles getting our
  Users to
  show up in the User list.
  Our user class extends weblogic.security.acl.User, and is forced to use
  the default
  CTOR because our data access layer requires it.
  Unfortunately, getName() returns null if the User(String) constructor
  is not used.Yes.
  Furthermore, Identity::setName() is final, so it seems as though there
  is no
  way to set the user's name after construction.
  I am correct in this?Yes. Changing a user's name on a constructed user object is like mutating that
  user to another user - a security hole. It isn't allowed.
  >
  If so, any thoughts on whether it is worth going down the path of making
  my user
  class implement Principal instead of extending weblogic.security.acl.User?I'd try to stay with extending weblogic.security.acl.User, but also implement
  weblogic.security.acl.CredentialChanger, so you can change passwords through the
  console (otherwise you get NullPointerExceptions).
  You really want to get around not being able to supply a user name as part of
  the ctor.
  I
  would be forced to try to guess at what methods in User are required
  to integrate
  with the admin console, I believe. I have not been able to find any
  documentation
  that specifies what api/contract the console uses when it attempts to
  display
  user, role, acl information for a custom realm.
  Any advice would be greatly appreciated.
  -chris1. Your realm should extend AbstractManageableRealm and implement DebuggableRealm
  if you want to integrate with the console.
  2. The only contract is to implement all the methods!
  3. Check the type of the user and group objects being passed to your realm - if
  they're not your user and group type, reject the call.
  4. The documentation is indeed terrible, and often wrong. The examples shipped
  are incomplete (the RBDMS realm shipped has approx 1/3 of the functionality).
  You'll get good with jad.
  Should all be better in 7.0 with JAAS. The realm interfaces is a dog.
  Good luck,
  simon.

• Custom Realm Bug in WebLogic SP3?

  I recently upgraded WebLogic 6.1 from SP1 to SP3 and am now
  receiving a ClassCastException when invoking the checkPermission
  method on a Custom realm ACL that extends weblogic.security.acl.AclImpl.
  This code worked fine in SP1. It seems that other developers
  have experienced this problem when applying service packs to
  WebLogic 5. Any one else encountering this problem with
  WebLogic 6 and what is the workaround? (Stack trace attached)
  TIA
  [aclimplexception.txt]

  I was unable to determine the cause of the problem, but I was
  able to identify that AclImpl was changed between SP1 and SP3.
  I updated SP3's weblogic.jar with the weblogic.security.acl.AclImpl
  class in the weblogic.jar from SP1 and the exception went away.
  I did not see anything in the release notes for SP2 and SP3
  that indicate what may have changed. Does anyone know?
  "Jason Southern" <[email protected]> wrote:
  >
  >
  >
  I recently upgraded WebLogic 6.1 from SP1 to SP3 and am now
  receiving a ClassCastException when invoking the checkPermission
  method on a Custom realm ACL that extends weblogic.security.acl.AclImpl.
  This code worked fine in SP1. It seems that other developers
  have experienced this problem when applying service packs to
  WebLogic 5. Any one else encountering this problem with
  WebLogic 6 and what is the workaround? (Stack trace attached)
  TIA

• Debugging a custom realm in WLS 6.1

  Hi all. I'm trying to find out how to debug my custom realm. I first implemented
  the DebuggableRealm and put log.debug calls in my realm. I then set the realm.debug
  property to "true" when I start the server. Is that it? The javadocs on debugging
  are very sparse. I wasn't able to find a javadoc for weblogic.logging.LogOutputStream.
  I also found a DebugSecurityRealm attribute in the ServerDebug element in config.xml
  but am thinking this is old (from 5.X?).
  Are there any other documents I should be looking at? Thanks!
  jeff

  Thanks very much, Utpal.
  I still can't find the class (or even the package for that matter) at
  http://e-docs.beasys.com/wls/docs61/javadocs/index.html
  And that sort of mystifies me. Still, your answer solves my current problem.
  I still don't fully understand the ConfigurationMBean
  stuff as a whole, and how they get bound to a particular realm; i.e. Do I need
  to write a MyRealmConfigurationMBean, and if so, how do
  I bind it to MyRealm?
  Note that the code I originally cited casted a BasicRealm return type to a BasicRealmMBean;
  It's not immediately apparent why one is
  even castable to the other, since they are two interfaces that
  are not on the same inheritance line (I don't think).
  Thanks for your time. I appreciate your help.
  -chris
  Finally,
  "Utpal" <[email protected]> wrote:
  Check this out
  C:\opt\bea\wls61sp2\config\mydomain>javap weblogic.server.Server
  Compiled from Server.java
  public final class weblogic.server.Server extends java.lang.Object {
  public static final java.lang.String DEFAULT_PROTOCOL;
  public static final int DEFAULT_PORT;
  public static weblogic.management.configuration.ServerMBean getConfig();
  public static weblogic.management.configuration.ServerDebugMBean
  getDebug();
  public static weblogic.management.configuration.SecurityMBean
  getSecurityCon
  fig();
  public static void initialize();
  It's weblogic.server.Server class.
  -utpal

• Authorization with custom realm

  Hello,
  I have created a custom realm to access user and role information stored in a database. It is working fine for authentication. However, the Subject, Principal, and roles/groups do not seem to be used for later authorization steps. How should this information be stored so that the containers can access it?
  In particular, when enabling security constraints in web.xml to limit the access of a particular url to a particular role, that url can never be accessed. The server generates messages implying that the user is not logged in:
  Checking Web Permission with Principals : null
  Checking with Principal : nonlogin-principal
  Any suggestions on how to appropriately store the login information would be appreciated.
  Thanks!

  I have had a custom realm that handles ACLs since 5.1. My question is I want to
  mix it with the out-of-the box ldaprealm v2. I was hoping for a failover mechanism
  where I can supply a custom realm that knows how to authorize and leave it up
  to the canned ldaprealm to authenticate. The filerealm behaves in such a manner,
  does it not.
  I will try your idea about extending the ldaprealm. But, the challenge will be
  in dealing with the delegate.
  "Utpal" <[email protected]> wrote:
  If you extend the weblogic.security.ldaprealmv2.LDAPRealm and implements
  newAcl, deleteAcl, newPermission,
  setPermission etc, I think it's doable.
  =========
  public class weblogic.security.ldaprealmv2.LDAPRealm extends
  weblogic.security.a
  cl.AbstractListableRealm implements weblogic.security.acl.DebuggableRealm
  =========
  -utpal
  "Utpal" <[email protected]> wrote in message
  news:[email protected]..
  Why don't you use the Custom Security Realm? You can construct an ACLin a
  custom seecurity realm.
  http://edocs.beasys.com/wls/docs61/security/prog.html#1042361
  -utpal
  "Ziad Kurdi" <[email protected]> wrote in message
  news:3c9b4c80$[email protected]..
  Is there a way in 6.1 to use the supplied LDAP Realm V2 for
  authentication
  and
  managing groups, but enhance it with ACL's (stored in a database)
  for
  authorization?
  Obviously, I would like to take advantage of the server's caching
  realm
  capabilities.
  I currently running a custom realm (from 5.1 which works in 6.1)
  that
  mixes LDAP
  authentication, group management, and DB ACL's for authorization,
  but I
  no
  longer
  wish to capture the user's password (due to sorporate policies) and
  would
  like
  to avoid maitaining the authentication code.
  Thanks in advance for any assistance.

• Creating a custom realm for tomcat. Help and suggestions please.

  Has anybody ever created a custom realm to authenticate users in tomcat.
  I would like to use form based login with my own realm.
  The form requires 3 fields to log in (hence the custom realm) . I would also like to be able to use the built-in functions like isuserinrole.
  If anybody has experience with this or knows of a place where to get valuable information please let me know.
  Thanks in advance!

  Hi
  Tomcatx.x.x uses the realm sandbox security tecnique
  1)In you'r abcd/web-inf/WEB.xml file
  write the realm config scripts for the required
  jsp/servlet pages[similar will be found in
    Tomcat/webapps/examples/web-inf/web.xml]
  2)In Tomcatx.x.x/conf/tomcat_users.xml
  declare the realm id/pass/roles
  3)If still not able to do then study the web.xml (pdf)
  avaliable at websiter http://www.moreservlets.com

• Custom Realm for SJSAS 9.x using JAAS documentation too vague

  Hello there,
  I am trying to implement a custom realm for a particular web application on my SJSAS 9.x server. So far I have been unsuccessful and receive the following message in my server.log:
  [#|2006-10-20T13:51:56.390-0300|INFO|sun-appserver-pe9.0|javax.enterprise.system.core.security|_ThreadID=11;_ThreadName=httpWorkerThread-8080-1;javious;|SEC5046: Audit: Authentication refused for [javious].|#]
  The documentation I have been using for reference is at:
  http://docs.sun.com/app/docs/doc/819-3659/6n5s6m58k?a=view#beabs
  However, I have a number of questions.
  First of all, this section referenced by the URL above is identified as "Creating a custom realm". Then the second sentence of this section states "Note that client-side JAAS login modules are not suitable for use with the Application Server". Does this not mean that JAAS login modules are not suitable for use with SJSAS web applications since they are components of the Application Server? Is there a reason for providing information on creating a custom realm for this application server in which it is not suitable for? Why isn't it suitable for the application server? What if I want to implement my own realm for my web application so that I can maintain my application users separately in another application?
  Secondly, this section explains that I can create a custom realm simply by creating a custom JAAS login module and a custom realm class. It then goes on to explain how to construct these classes and what to include in them. Notably, the documentation states the following:
  The authenticateUser() method must end with the following sequence:
  String[] grpList;
  // populate grpList with the set of groups to which
  // _username belongs in this realm, if any
  return commitUserAuthentication(_username, _password,
    _currentRealm, grpList);Having looked at the API for authenticateUser I discovered that it is a void method, however the documentation states to return a value from "commitUserAuthentication(..). Also, my commitUserAuthentication method only excepts a single argument of type String[] representing a list of group names, therefore I am unable to supply the additional arguments as documented. This is confusing.
  Once finished reading the documentation, I am left hanging with hardly a clue as to what to do with these two new classes. Now having implemented a custom login module on Tomcat 5.x in earlier days, I did happen to have some experience to know to edit the security.properties, policy, and login.conf files. So anyhow from here I end up stumbling blindly through configuration of my domain1/login.conf and domain1/server.policy files. I also attempted to add my new realm within the admin console under security/realms and dropped my new jar file (with two classes) into the app server lib directory.
  All in all, this completely fails to work. I have even placed System.out.println statements in all of my implemented methods and none of this actually shows up in my server.log file. Why is this section so vague? Why isn't there a step-by-step example from start to finish of how to implement a simple custom realm in SJSAS9?
  Does anybody have any helpful suggestions?

  Well, once again, I'm going to have to provide my own answer.
  After much waiting and then deciding to invest much time researching documentation and tracking down information to assist in my solution, I have manage to find the golden egg for my own recipe of a solution.
  In addition to the very helpful info I have found at:
  http://developers.sun.com/prodtech/appserver/reference/techart/as8_authentication/index.html
  I have mange to get my custom realm to work with the additional configuration of my sun-application.xml for my ear file. Even though I only wanted to specify my custom realm for my web.xml file, it turns out that in addition to this, I had to also define it in my sun-application.xml file (manually in XML text mode - within Netbeans 5.5) as follows:
  <sun-application>
      <realm>mycustrealm</realm>
      <security-role-mapping>
          <role-name>mycust_role</role-name>
          <group-name>mycust_group</group-name>
      </security-role-mapping>
  </sun-application>

• Weblogic700 sp4 custom realm for SAM authentication

  we have an applicaiton running on WL7.0 sp4 which will be protected by sun access manager 7.1, but in the domain config we need to create a realm that authentication provider will be SAMAuthentication , I want to know whether we need to create a custom realm or we can create iplanet realm.

  Well, once again, I'm going to have to provide my own answer.
  After much waiting and then deciding to invest much time researching documentation and tracking down information to assist in my solution, I have manage to find the golden egg for my own recipe of a solution.
  In addition to the very helpful info I have found at:
  http://developers.sun.com/prodtech/appserver/reference/techart/as8_authentication/index.html
  I have mange to get my custom realm to work with the additional configuration of my sun-application.xml for my ear file. Even though I only wanted to specify my custom realm for my web.xml file, it turns out that in addition to this, I had to also define it in my sun-application.xml file (manually in XML text mode - within Netbeans 5.5) as follows:
  <sun-application>
      <realm>mycustrealm</realm>
      <security-role-mapping>
          <role-name>mycust_role</role-name>
          <group-name>mycust_group</group-name>
      </security-role-mapping>
  </sun-application>

• Policy Director Custom Realm for Weblogic

  I would like more information on how the Policy Director custom Realm for Weblogic
  works. What all methods are implemented and so on. If anyone could send me the source
  code of the custom Realm that would be of great help.
  Thanks in advance,
  Krish

  Well, once again, I'm going to have to provide my own answer.
  After much waiting and then deciding to invest much time researching documentation and tracking down information to assist in my solution, I have manage to find the golden egg for my own recipe of a solution.
  In addition to the very helpful info I have found at:
  http://developers.sun.com/prodtech/appserver/reference/techart/as8_authentication/index.html
  I have mange to get my custom realm to work with the additional configuration of my sun-application.xml for my ear file. Even though I only wanted to specify my custom realm for my web.xml file, it turns out that in addition to this, I had to also define it in my sun-application.xml file (manually in XML text mode - within Netbeans 5.5) as follows:
  <sun-application>
      <realm>mycustrealm</realm>
      <security-role-mapping>
          <role-name>mycust_role</role-name>
          <group-name>mycust_group</group-name>
      </security-role-mapping>
  </sun-application>

• Custom Realm using LDAP?

  Hi,
  has anyone implemented a custom realm using LDAP? I was suprised to learn that
  ACLs are not supported in the LDAPRealm. Our corporate direction is to have a
  central LDAP security store - including ACLs. Unfortunately the LDAP server is
  MS SiteServer! Anyway, I assume this means I need to implement a custom realm
  - unless there is an alternative.
  -chris

  You are correct - you'll need to write a custom
  realm to do this.
  -Tom
  "Chris Jones" <[email protected]> wrote:
  >
  Hi,
  has anyone implemented a custom realm using LDAP? I was suprised to
  learn that
  ACLs are not supported in the LDAPRealm. Our corporate direction is
  to have a
  central LDAP security store - including ACLs. Unfortunately the LDAP
  server is
  MS SiteServer! Anyway, I assume this means I need to implement a custom
  realm
  - unless there is an alternative.
  -chris

• Sun java system application server 8 custom realm lock the admin console up

  Hi:
  I implemented a custome realm. After I installed the custom realm to Sun App server 8 PE, I can get into the admin console any more. According to the log, the user is authenticated. However, this user isn't in write group to access the admin console. What would be the user group in a custom realm to access admin console?
  In version 7, even you set up custom realm the admin console still not affected by the custom realm. Why is the admin console in version 8 picking up custom realm?
  Thanks.

  Previous reply was quite misleading - there is no such thing as default admin password for standalone installation of Application Server. Default values only apply to Application Server installation installed through Creator or NetBeans installer.
  Otherwise, you have to specify admin user name and password at installation time. Admin username value is defaulted to "admin" so unless you changed it in your installation that should still apply. You had to enter explicit password values.
  If you forgot those, you can either uninstall and reinstall or you can take a look at Troubleshooting Guide for instructions on reseting admin authentication:
  http://docs.sun.com/source/817-6085/troubleshooting.html#1026910