NT-Authentication on WL6.0
I can't configure the console in a way to use NT-Authentication. I tried as said in Managing Security, but the Server doesn't start anymore afterwards. I'd like to know explicitly what to set in the Console to make it work. I'm close to jumping out of the window... Thanx for helping.
Hello Lars,
I have a similar requirement as stated in your email, i.e. enabling NT authentication to be invoked from weblogic. I see that your email has been posted in July. Did you find any solution?
Your help is very much appreciated.
Thanks
Raji
Similar Messages
-
Authentication problem w MDB on WL8.1 and JMS Queue on WL6.1
Hi,
I'm having problems with a MessageDrivenBean that is deployed on a Weblogic 8.1
server. It listens to a JMS Queue on a Weblogic 6.1 server.
I'm getting the following error message upon deployment:
[java.lang.SecurityException: Authentication for user system denied in realm wl_realm
I've made sure that both servers are installed with the user "system" and a password
of "password".
This worked fine for two WL6.1 servers.
Here's my ejb-jar.xml:
<!DOCTYPE ejb-jar PUBLIC
  '-//Sun Microsystems, Inc.//DTD Enterprise JavaBeans 2.0//EN'
  'http://java.sun.com/dtd/ejb-jar_2_0.dtd'>
<ejb-jar>
  <enterprise-beans>
    <message-driven>
      <ejb-name>WebResponseJMSBean</ejb-name>
      <ejb-class>com.ditech.webresponse.jms.WebResponseJMSBean</ejb-class>
      <transaction-type>Container</transaction-type>
      <message-driven-destination>
        <destination-type>javax.jms.Queue</destination-type>
      </message-driven-destination>
    </message-driven>
  </enterprise-beans>
  <assembly-descriptor>
    <container-transaction>
      <description>Transaction attributes for 'WebResponseJMSBean' methods</description>
      <method>
        <ejb-name>WebResponseJMSBean</ejb-name>
        <method-name>*</method-name>
      </method>
      <trans-attribute>NotSupported</trans-attribute>
    </container-transaction>
  </assembly-descriptor>
</ejb-jar>
Here's my weblogic-ejb-jar.xml:
<?xml version="1.0"?>
<!DOCTYPE weblogic-ejb-jar PUBLIC
  '-//BEA Systems, Inc.//DTD WebLogic 6.0.0 EJB//EN'
  'http://www.bea.com/servers/wls600/dtd/weblogic-ejb-jar.dtd'>
<weblogic-ejb-jar>
  <weblogic-enterprise-bean>
    <ejb-name>WebResponseJMSBean</ejb-name>
    <message-driven-descriptor>
      <destination-jndi-name>com.ditech.jms.CowResponseQueue</destination-jndi-name>
      <provider-url>t3://localhost:7003</provider-url>
      <connection-factory-jndi-name>com.ptp.jms.AppOnlineConnectionFactory</connection-factory-jndi-name>
    </message-driven-descriptor>
    <jndi-name>ejb/WebResponseJMSBean</jndi-name>
  </weblogic-enterprise-bean>
</weblogic-ejb-jar>
Can anyone give me any suggestions?
Thanks in advance,
-Ben
We are facing a similar issue, between MDB's and JMS Queues on 2 separated WebLogic
8.1 domains. What I will test next week are:
1. In the domain where my MDB's are deployed, configure Foreign JMS Servers/Connection
Factories/Queues, for which passwords can be specified (not possible in weblogic-ejb-jar.xml)
2. If No.1 does not work, I will add CredentialGenerated="false" in <SecurityConfiguration>
in config.xml in both domains
3. If No. 2 still does not work, I will specify run-as principal and security-role
in my MDB DD files, and specify CredentialMapping via the WebLogic admin console.
Maybe you can try the same?
Eric Ma
-
Authenticating against both RDBMS and LDAP in WL6.0
Hi,
We are designing a webapp that will be accessible to both internal and
external users. For internal users, we would like to authenticate via LDAP;
for external users we would like to use RDBMS. In WL5.1, this looked to be
possible with the DelegatingRealm, however this has been removed in WL6.0.
Two questions:
1) Why was it removed?
2) How can we get this functionality in WL6.0?
Thanks much for your help,
-jt
We are currently deployed on WL5.1 with a similar situation as you and in
the process of migrating to WL6. We are Authenticating against LDAP and
Authorizing against RDBMS. But I can't see how you could tell it to go
one way for certain users and another for other users.
The delegatingrealm in WL5 was intended to split the responsibility of
Authenticating to one source and Authorization to another. To make this
work for your Application of splitting internal and external users
security, I suppose you can do it if you can somehow pass the information
to the Security Realm the type of the user that is logging in. Maybe you
can make this code a part of the userid such as ext_userID or int_userID.
Doing this will allow you to filter where the users are coming from
and Direct them to the appropriate security realm.
As far as WL6 goes, the Delegating realm class is no longer available
since the security model for WL6 is different from WL5. But you can take
a look at what they did with the RDBMSrealm example and use that. This is
what we did to make our Security work in WL6. However, you can no longer
store ACLs in the RDBMS realm in WL6.
Hope this helps.
You will need to create a Custom Realm which delegates to both your RDBMS
and LDAP, perhaps using the Weblogic supplied RDBMS and LDAP realms.
-
WL6.0SP1 - LDAP authentication based on LDAPAttribute values
Hi,
I have set up LDAP with Weblogic 6.0 SP1 to use web application security. It is
properly authenticating users when I specify the principals in weblogic.xml, corresponding
to role-names in web.xml.
Now, I don't have groups in my LDAP. But each user has an LDAP attribute of type
'hrrole' which can have the value 'EMP' for employees or 'MGR' for managers. I
need to protect different url patterns, based on this attribute value. Is it possible
to configure weblogic to do this?
Thanks,
Simi
Hi John,
I went through your detailed explanation and the screen shot attached. Your config still needs some changes, like scope and LDAP attribute map.
Here is a sample config that you may refer to:
- Configuration for restricting access to a particular windows group on AD
group-policy noaccess internal
group-policy noaccess attributes
vpn-simultaneous-logins 1
address-pools none
ldap attribute-map LDAP-MAP
map-name memberOf IETF-Radius-Class
map-value memberOf
aaa-server LDAP-AD protocol ldap
aaa-server LDAP-AD host
server-port 389
ldap-base-dn
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-dn
ldap-login-password
server-type microsoft
ldap-attribute-map LDAP-MAP
group-policy internal
group-policy attributes
vpn-simultaneous-logins 3
vpn-tunnel-protocol IPSec l2tp-ipsec ...
address-pools value
tunnel-group type remote-access
tunnel-group general-attributes
authentication-server-group LDAP-AD
default-group-policy noaccess
group-policy noaccess attributes
vpn-simultaneous-logins 1
If this doesn't work for you then attach "Sh run" from the ASA in your next reply and debug ldap 255.
HTH
Regards,
JK -
WL6.1 RDBMSrealm not working
Platform: Windows & HPUX
Weblogic: WL6.1 sp1
JDK 1.3.x
When we upgraded from WL6.0 to WL6.1sp1, the security does not work like it did with WL6.0.
I have implemented an RDBMSrealm where authorization / ACLs are retrieved and authentication is done through LDAP.
Symptoms:
Any user who successfully authenticates and is authorized to use any page, in our case the initial page, is able to view and access any other page (JSPs), ignoring the other security constraints specified in the web.xml.
<security-constraint>
  <web-resource-collection>
    <web-resource-name>public</web-resource-name>
    <url-pattern>index.jsp</url-pattern>
    <url-pattern>login.jsp</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>ADMIN</role-name>
    <role-name>ALL_USERS</role-name>
  </auth-constraint>
</security-constraint>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>product_instance</web-resource-name>
    <url-pattern>Product.jsp</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>PRICING_ADMIN</role-name>
    <role-name>PRICING</role-name>
    <role-name>ADMIN</role-name>
  </auth-constraint>
</security-constraint>
In the example above, ALL_USERS and ADMIN are authorized to load index.jsp and login.jsp; they should not, however, be able to load Product.jsp, but they are. Is the second security constraint ignored, or is it looking somewhere else for the ACL than the custom RDBMSrealm that I created?
This all worked flawlessly in WL6.0 and still does.
Jerrie Pineda
Hello Jerrie,
1. Try adding the following tags in your web.xml file:
<!-- Declare all the roles used in <auth-constraint> above, one <security-role> per role -->
<security-role>
  <role-name>ALL_USERS</role-name>
</security-role>
<security-role>
  <role-name>ADMIN</role-name>
</security-role>
<security-role>
  <role-name>PRICING</role-name>
</security-role>
<security-role>
  <role-name>PRICING_ADMIN</role-name>
</security-role>
2. Check that your mapping is right in the weblogic.xml file, as:
<security-role-assignment>
  <role-name>ADMIN</role-name>
  <principal-name>admin</principal-name>
</security-role-assignment>
I hope this helps.
Ludovic.
Developer Relations Engineer
BEA Support
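As an added example (not code from this thread, from Jerrie, or from BEA), the following Python script performs Ludovic's two checks offline before a WAR is deployed: it parses a web.xml and a weblogic.xml and reports roles named in an <auth-constraint> that are not declared in a <security-role>, and roles that have no <security-role-assignment> mapping to a principal. The two descriptor fragments are constructed from Jerrie's constraints, with deliberately incomplete declarations; the function names are mine.

```python
"""Audit a web.xml/weblogic.xml pair for undeclared and unmapped roles.
Added example, not from the thread or BEA."""
import xml.etree.ElementTree as ET

# Constructed web.xml: Jerrie's two constraints, but only two of the four
# roles they reference are declared in <security-role>.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>public</web-resource-name>
      <url-pattern>index.jsp</url-pattern>
      <url-pattern>login.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>ADMIN</role-name>
      <role-name>ALL_USERS</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>product_instance</web-resource-name>
      <url-pattern>Product.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>PRICING_ADMIN</role-name>
      <role-name>PRICING</role-name>
      <role-name>ADMIN</role-name>
    </auth-constraint>
  </security-constraint>
  <security-role><role-name>ADMIN</role-name></security-role>
  <security-role><role-name>ALL_USERS</role-name></security-role>
</web-app>"""

# Constructed weblogic.xml: only ADMIN is mapped to a principal.
WEBLOGIC_XML = """<weblogic-web-app>
  <security-role-assignment>
    <role-name>ADMIN</role-name>
    <principal-name>admin</principal-name>
  </security-role-assignment>
</weblogic-web-app>"""


def constraint_roles(web_xml):
    """Map each web-resource-name to the roles its <auth-constraint> allows."""
    root = ET.fromstring(web_xml)
    out = {}
    for sc in root.findall("security-constraint"):
        name = sc.findtext("web-resource-collection/web-resource-name")
        out[name] = {r.text.strip() for r in sc.findall("auth-constraint/role-name")}
    return out


def declared_roles(web_xml):
    """Roles declared with <security-role> in web.xml."""
    root = ET.fromstring(web_xml)
    return {r.text.strip() for r in root.findall("security-role/role-name")}


def assigned_roles(weblogic_xml):
    """Roles that weblogic.xml maps to at least one principal."""
    root = ET.fromstring(weblogic_xml)
    return {r.text.strip() for r in root.findall("security-role-assignment/role-name")}


def audit(web_xml, weblogic_xml):
    """Return the roles a constraint uses that are undeclared, and the roles
    that no <security-role-assignment> maps to a principal (sorted lists)."""
    used = set().union(*constraint_roles(web_xml).values())
    return {
        "undeclared": sorted(used - declared_roles(web_xml)),
        "unmapped": sorted(used - assigned_roles(weblogic_xml)),
    }


if __name__ == "__main__":
    for resource, roles in constraint_roles(WEB_XML).items():
        print("%s -> %s" % (resource, ", ".join(sorted(roles))))
    for kind, roles in audit(WEB_XML, WEBLOGIC_XML).items():
        print("%s roles: %s" % (kind, roles or "none"))
```

Run it against the real descriptors before deployment; a role that shows up as undeclared or unmapped is one the container may treat as matching nobody, or, as in Jerrie's case, one whose constraint may be silently skipped.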
-
SecurityException starting WL6
I changed the password for user 'system' via the console, shut down the
server and now when I restart the server, I get a:
Exception raised: java.lang.SecurityException: Authentication for user
system denied in realm weblogic
Subsequently, the server will not start. How can I get my server running
again?
Thanks
Rob
this is a known issue with beasvc.exe
you may want to contact support and ask for latest beasvc.exe to
get rid of this problem.
Kumar
Roman Heinz wrote:
Hi.
WL6.0SP2
W2kSP2
JRockit 3.1.5
Our systems runs fine with JRockit when run from command line.
It fails to start with beasvc.exe with the famous:
The WL_cms service is starting.
The WL_cms service could not be started.
The service did not report an error.
More help is available by typing NET HELPMSG 3534.
Interestingly, the cmdLine from the registry works, if I start it in
directory '[....]\wlserver6.0\'
Any clues?
Roman -
LDAP realm for authentication and ACL in Database
We are thinking of using LDAP realm for authentication and we want to use ACL from a Database. But the documentation says: "WebLogic Server defers to the LDAP realm for authentication, but not for authorization. Authorization is accomplished with access control lists (ACLs), which are defined in the weblogic.properties file"
Can we use LDAP realm for authentication and manage our ACL from a Database? or do we have to use the weblogic.properties file? Do the weblogic security API help in the above scenario? Thanks Ram
Unfortunately, there is no easy way to do this in wls 6.0.
The only way to handle it is to write your own custom realm
that uses ldap for users and groups and a database for acls -
probably not a viable alternative.
-Tom
"kevin doherty" <[email protected]> wrote:
>
Jeffrey Hirsch <[email protected]> wrote:
You should be able to use the DelegatedRealm interface to utilize the authentication methods from LDAP and the authorization methods from RDBMSRealm...
I'm trying to do this too, but we are using WL6 and I see that the DelegatedRealm interface has been deprecated in this version. I'd greatly appreciate more information on doing this in WL6.
Thanks!
-kd -
I'm getting the following error when I start wl6.0. I followed the
instructions in the weblogic.policy file
about the codeBase URL's. I edited the config.xml by hand, there is no
application code yet - just
trying to start the server by itself.
Any ideas?
Thanks,
Mike
ps - it would be great if there was a place to look up error messages.
The WebLogic Server did not start up properly.
Exception raised: java.lang.SecurityException: Authentication for user system denied in realm weblogic
java.lang.SecurityException: Authentication for user system denied in realm weblogic
at weblogic.security.acl.Realm.authenticate(Realm.java:209)
at weblogic.security.acl.Realm.getAuthenticatedName(Realm.java:229)
at weblogic.security.acl.internal.Security.authenticate(Security.java:113)
at weblogic.security.SecurityService.initializeSuid(SecurityService.java:293)
at weblogic.security.SecurityService.initialize(SecurityService.java:123)
at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:343)
at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:169)
at weblogic.Server.main(Server.java:35)
Reason: Fatal initialization exception
The password is stored in the "SerializedSystemIni.dat" file in encrypted format. At this time there is no way to recover the password (currently this is an engg issue) and the only solution is to re-install the WLS.
Kumar
Michael Pratt wrote:
Kumar - thanks for the suggestion. I included
-Dweblogic.management.password=mypassword in the startup script.
The password is set at installation time, and I'm not sure where
it's stored by the installer. I installed 6.0 a second time since
I didn't like my original choice of directories, not sure if
that contributing to the problem.
Mike
Kumar Allamraju <[email protected]> wrote:
It appears that you haven't specified the correct password for "system"
user
while booting up WLS.
Kumar
-
Configuring LDAP authentication
I've configured my weblogic 6.0 server to use LDAP authentication. The LDAP server
is NDS.
Using the wl console, I can see users and groups from the LDAP server.
I then added security constraints to my war file (in web.xml and weblogic.xml, see attached).
When I try and access my web from the browser, I get challenged and the userid/pwd
is not accepted and eventually fails.
How do I figure out what is going wrong ? There are no diagnostics :(
Regards,
Mike
[security_constraints.txt]
Adding wls60sp1_ldap.zip to the classpath made no difference at all.
How do I figure out what is going on ?
The access logs on the LDAP server suggest that part is working but the authentication
still fails.
"Ilango Maragathavannan" <[email protected]> wrote:
>
Veena,
It is available in the download center in the site as an upgrade
patch.
Ilango
"veena" <[email protected]> wrote:
hi Ilango,
I have wl6.0 sp1 and I cannot find the jar that you are talking about. I also downloaded the sp1 from bea and installed it and tried to find the jar file, but did not find any. Could you send it to me or post it attached to this post.
Can anyone from bea point me to a document containing all the jars that are supposed to exist in your bea lib directory.
Thanks for your help.
Veena.
"Ilango Maragathavannan" <[email protected]> wrote in message
news:3af85c30$[email protected]..
Check if you have the file wls60sp1_ldap.jar in the classpath in the startup script.
This file comes with the service pack 1.
Ilango
-
WL6.0 LDAP Realm problems
I'm trying out WL6.0 (eval version) LDAP realm support and having trouble
getting it to work - basic auth just keeps popping the window up 3 times and
then giving up. Only pertinent message in the log is:
####<Mar 16, 2001 12:03:21 PM EST> <Info> <Security> <FOOBAR> <examplesServer> <ExecuteThread: '11' for queue: 'default'> <> <> <090021> <Locking account, user jdoe.>
No obvious LDAP info or errors in the log, despite adding the following two to the startup script cmd line and restarting the server:
-Dweblogic.security.realm.debug=true -Dweblogic.security.ldaprealm.verbose=true
The HTTP basic-auth dialog box is correctly showing me that I'm trying to
authenticate to: MyLDAPRealm
Here's the config info for MyLDAPRealm
<LDAPRealm AuthProtocol="simple"
Credential="myserverpasswd"
GroupDN="o=mycompany,c=us" GroupIsContext="false" GroupNameAttribute="cn"
GroupUsernameAttribute="uniquemember"
LDAPURL="ldap://tug:390"
Name="MyLDAPRealm"
Principal="cn=myserver,ou=myserverstuff,o=mycompany,c=US"
UserAuthentication="local"
UserDN="o=mycompany,c=us" UserNameAttribute="uid"/>
It's a Netscape 4.1 Directory server, and I've verified that the above
server account exists AND can authenticate and retrieve account
userpasswords (yes, the server account is "cn=" while the user accounts are
"uid=" - don't ask :-)....
I've tried both "bind" and "local" and get the same results both ways.
Any ideas???
Did you use the most recent ldap patch? I could not get it to work fine with the default wls6.0sp1, but with the ldap-patch it works fine.
AND probably even more important... change
<Realm FileRealm="..." Name=".....">
to
<Realm CachingRealm="MyCachingRealm" FileRealm="..." Name=".....">
Hope this helps...
Ronald
Sushil Pulikkal wrote:
Hi Tom,
I am using iPlanet Directory server with WL6.0 (which I presume is supported as Netscape's is) and facing the same problem as Mike was, i.e. account locking after three attempts (bottom of the message). I have created my own caching realm with the basic realm being MyLDAPRealm.
The log gives no info other than the one about account locking.
My config.xml looks something like this -
<CachingRealm BasicRealm="MyLDAPRealm" CacheCaseSensitive="true" Name="MyCachingRealm"/>
<PasswordPolicy Name="wl_default_password_policy"/>
<LDAPRealm AuthProtocol="simple" Credential="enslaved"
GroupDN="ou=Aussies,dc=timerasolutions,dc=com"
GroupUsernameAttribute="uniquemember"
LDAPURL="ldap://DJ-SUSHILP.timerasolutions.com:389"
Name="MyLDAPRealm"
Principal="uid=admin, ou=Administrators,
ou=TopologyManagement, o=NetscapeRoot"
UserAuthentication="bind"
UserDN="ou=Aussies,dc=timerasolutions,dc=com"
UserNameAttribute="uid"/>
The browser window does pop up, but the user id doesn't get authenticated. Is
there a way to know whether WLS is actually going to the LDAP server for authentication?
Any insight into this?
Thanks in advance,
Sushil
"Tom Moreau" <[email protected]> wrote:
Mike,
I haven't had any trouble getting the LDAPRealm to work
in WLS 6.0. Could it be that while you've created the LDAPRealmMBean,
you haven't told WLS to use it?
In other words, you can create many realm configurations, then you need to activate the one you want. If you haven't, then we just use the file realm. The file realm won't be able to authenticate you (since you put the info in LDAP!) and after 3 failures, will lock out the account.
The instructions for selecting the realm are at:
http://e-docs.bea.com/wls/docs60/adminguide/index.html
See:
12. Managing Security
Specifying a Security Realm
Configuring the Caching Realm
The basic idea is:
1) create your LDAP Realm (you've already done this)
2) create a CachingRealm
3) set the CachingRealm's BasicRealm to your LDAP Realm
4) set the Security Realm's CachingRealm to your Caching Realm
5) reboot
It's pretty easy to do this through the admin console.
Otherwise, you can edit config.xml by hand.
Here's how:
<Domain>
<Security
Name="mydomain"
Realm="myRealm"
/>
<Realm
Name="myRealm"
FileRealm="myFileRealm"
CachingRealm="myCachingRealm"
/>
<FileRealm
Name="myFileRealm"
/>
<CachingRealm
Name="myCachingRealm"
BasicRealm="myLDAPRealm"
/>
<LDAPRealm
Name="myLDAPRealm"
/>
-Tom
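As an added example, not part of Tom's post and not a BEA tool, here is a Python checker that follows the chain Tom lays out (Security.Realm, Realm.CachingRealm, CachingRealm.BasicRealm) in a config.xml fragment and reports which realm will actually answer logins. Both fragments are constructed: one wired exactly as Tom shows, and one where an LDAPRealm is defined but nothing points at it, which is the configuration that leaves the file realm answering every request and producing the "Locking account" message after three failures. Everything beyond the element and attribute names in Tom's fragment (the function names, the hostnames) is my assumption.

```python
"""Report which realm a WebLogic 6.0 config.xml actually activates.
Added example, not from the thread or BEA; element and attribute names
follow Tom's config.xml fragment."""
import xml.etree.ElementTree as ET

# Constructed fragment: the chain wired as Tom describes.
GOOD_CONFIG = """<Domain Name="mydomain">
  <Security Name="mydomain" Realm="myRealm"/>
  <Realm Name="myRealm" FileRealm="myFileRealm" CachingRealm="myCachingRealm"/>
  <FileRealm Name="myFileRealm"/>
  <CachingRealm Name="myCachingRealm" BasicRealm="myLDAPRealm"/>
  <LDAPRealm Name="myLDAPRealm" LDAPURL="ldap://ldap.example.test:389"/>
</Domain>"""

# Constructed fragment reproducing the failure Tom suspects: an LDAPRealm
# exists, but <Realm> has no CachingRealm, so only the file realm is asked.
DANGLING_CONFIG = """<Domain Name="mydomain">
  <Security Name="mydomain" Realm="myRealm"/>
  <Realm Name="myRealm" FileRealm="myFileRealm"/>
  <FileRealm Name="myFileRealm"/>
  <LDAPRealm Name="MyLDAPRealm" LDAPURL="ldap://tug:390"/>
</Domain>"""

# Plumbing elements, as opposed to a basic realm a CachingRealm can wrap.
PLUMBING = {"Realm", "CachingRealm", "FileRealm"}


def _named(domain, tag, name):
    """First child element with this tag whose Name attribute equals name."""
    for elem in domain.findall(tag):
        if elem.get("Name") == name:
            return elem
    return None


def active_realm(config_xml):
    """Return (tag, name, problems) for the realm that answers authentication.
    tag == "FileRealm" means the chain stops short: LDAP is never consulted."""
    domain = ET.fromstring(config_xml)
    problems = []
    security = domain.find("Security")
    if security is None or not security.get("Realm"):
        problems.append("no <Security Realm=...>: domain has no active realm")
        return "FileRealm", None, problems
    realm = _named(domain, "Realm", security.get("Realm"))
    if realm is None:
        problems.append("Security.Realm=%r names a <Realm> that is not defined" % security.get("Realm"))
        return "FileRealm", None, problems
    file_realm = realm.get("FileRealm")
    caching_name = realm.get("CachingRealm")
    if not caching_name:
        problems.append("<Realm Name=%r> has no CachingRealm attribute" % realm.get("Name"))
        return "FileRealm", file_realm, problems
    caching = _named(domain, "CachingRealm", caching_name)
    if caching is None:
        problems.append("CachingRealm %r is referenced but not defined" % caching_name)
        return "FileRealm", file_realm, problems
    basic_name = caching.get("BasicRealm")
    if not basic_name:
        problems.append("<CachingRealm Name=%r> has no BasicRealm attribute" % caching_name)
        return "FileRealm", file_realm, problems
    for elem in domain:
        if elem.tag.endswith("Realm") and elem.tag not in PLUMBING and elem.get("Name") == basic_name:
            return elem.tag, basic_name, problems
    problems.append("BasicRealm %r is referenced but no realm element defines it" % basic_name)
    return "FileRealm", file_realm, problems


def orphan_realms(config_xml):
    """Realm definitions (LDAPRealm etc.) that no CachingRealm points at:
    present in config.xml but never activated."""
    domain = ET.fromstring(config_xml)
    referenced = {c.get("BasicRealm") for c in domain.findall("CachingRealm")}
    return sorted("%s:%s" % (e.tag, e.get("Name")) for e in domain
                  if e.tag.endswith("Realm") and e.tag not in PLUMBING
                  and e.get("Name") not in referenced)


if __name__ == "__main__":
    for label, cfg in (("wired", GOOD_CONFIG), ("dangling", DANGLING_CONFIG)):
        tag, name, problems = active_realm(cfg)
        print("%s: active realm is %s %r" % (label, tag, name))
        for p in problems:
            print("  problem:", p)
        for o in orphan_realms(cfg):
            print("  defined but never activated:", o)
```

When the check says the file realm is active while an LDAPRealm sits unreferenced, the lockout messages in the log are explained without any LDAP traffic having happened, which is also why no LDAP debug output appears.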
"Mike" <[email protected]> wrote:
BTW, before someone suggests it, I found Tom Moreau's suggestion to use:
<ServerDebug Name="examplesServer" DebugSecurityRealm="true" />
under the <Server> element in config.xml and restarted with this, and still no additional info from the LDAP realm printed about why it's not working (nothing but the same locking account message mentioned below).
Is the source for the LDAP realm available so I can debug it myself, or has anybody written their own LDAP realm that they'd be willing to share with the group?
Thanks again,
...Mike
"Mike" <[email protected]> wrote in message
news:[email protected]...
Ok I've verified that the -Dweblogic.security.ldaprealm.verbose probably won't work with 6.0 (old 5.x and previous style property), but I can't figure out what replaced it, to figure out why the LDAP realm isn't working for me...
The property mapping guide at:
http://e-docs.bea.com/wls/docs60///////config_xml/properties.html
shows that things like weblogic.security.ldaprealm.url
changed to LDAPURL in config.xml (without telling
you that this resides as an XML attribute of
<Domain><LDAPRealm ... /></Domain> although that's
easy enough to find by looking through the example
LDAP realm.
It then says that weblogic.security.ldaprealm.verbose
has changed to "Debug" in config.xml, but doesn't
say whether that's a "Debug" XML attribute on one
of the XML elements in there, or whether it's an
XML node itself, or where in the config.xml doc
it goes... It doesn't work as an attribute of
<LDAPRealm ...> (server won't start with it there)
and it doesn't show up at all in the DTD for config.xml
so I'm assuming the mapping doc at the above url is
wrong. Anybody know what this really became in 6.0?
I've tried setting StdoutDebugEnabled="true" in config.xml and turning the logging level all the way up to see everything, but even then all I get is the account locked message, not why it's failing to authenticate via LDAP...
Any other ideas?
-
No Authentication required, if the req. from IIS
Hello,
I'm using a third-party authentication tool and it requires IIS to run as the webserver. So I use IIS + WL6.1.
The authentication will be done before the request is forwarded to WL. So I don't want WL to pop up a login dialog box when I'm using IIS+WL. But in my web.xml, I use security-constraint to protect my resource if I'm using just WL6.1. How can I tell WL that if the request is from IIS, then don't pop up the login box (Basic authentication), and use it only when I'm using just WL?
thanks for your time & help.
Vijay
Hi Utpal,
Thanks. But I have certain concerns.
If the IIS & WL are running on the same box, then I can check with port # & ip address in combination. But still, I don't want to hardcode the ip address, so I'm thinking I can make it configurable. In this case, it will be easy to break. If the administrator sets the port # of WL in the configuration as the port where IIS runs (either by mistake or intentionally), then in my connection filter, if I check for this port, it will be ok and let in (which it shouldn't be).
Thanks.
Vijay
"Utpal" <[email protected]> wrote:
> we have ConnectionEvent, how can I know whether the request is from IIS or any other webserver
Well, if you know the ip address of the box where IIS is running, using a connection filter you can isolate the requests that come from the IIS, right?
Based on that decision, you could write the code which handles the request as you want.
-utpal -
Sample portal startup authentication problem
Hi, I'm having problems getting the Avitek sample portal to run.
When I start the portal via the start script it boots WLS (WL6.1SP1), prompting for the system password. This is rejected as shown below. I don't have any problems starting the standard stock portal demo entering the same password, so it is something specific with the Avitek portal. I've tried running it on both a Solaris and w2k box with exactly the same result. I've set up a simple password, i.e. 'password', for wls. I have found that if I use the password 'weblogic' it will then boot. However, then when I try to run the loadads script, I get another authentication error.
Thanks, Peter Vines.
Console messages:
Enter password to boot WebLogic server:
Starting WebLogic Server ....
<Feb 8, 2002 11:25:52 AM GMT> <Notice> <Management> <Loading configuration file .\config\sampleportalDomain\config.xml ...>
<Feb 8, 2002 11:26:20 AM GMT> <Emergency> <Security> <Authentication failure - reenter password to boot weblogic server:>
<Feb 8, 2002 11:26:26 AM GMT> <Emergency> <Security> <Authentication failure - reenter password to boot weblogic server:>
<Feb 8, 2002 11:26:28 AM GMT> <Emergency> <Server> <Unable to initialize the server: 'Fatal initialization exception
Throwable: java.lang.SecurityException: Authentication for user system denied
java.lang.SecurityException: Authentication for user system denied
at weblogic.security.SecurityService.initializeSuid(SecurityService.java:375)
at weblogic.security.SecurityService.initialize(SecurityService.java:118)
at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:390)
at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:202)
at weblogic.Server.main(Server.java:35)
'>
The WebLogic Server did not start up properly.
Exception raised: java.lang.SecurityException: Authentication for user system denied
java.lang.SecurityException: Authentication for user system denied
at weblogic.security.SecurityService.initializeSuid(SecurityService.java:375)
at weblogic.security.SecurityService.initialize(SecurityService.java:118)
at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:390)
at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:202)
at weblogic.Server.main(Server.java:35)
Reason: Fatal initialization exception
The release notes for Linux say that the install fails to reset the
passwords for all but the portalDomain. Perhaps it's the same on other
platforms.
Peter Vines wrote:
Solved problem by reinstalling everything (WLS, WLPS, Avitek) from scratch
and using the system password 'weblogic'. Not sure why it works, but it
does.
Peter.
"Peter Vines" <[email protected]> wrote in message
news:[email protected]...
Hi, I'm having problems getting the Avitek sample portal to run.
When I start the portal via the start script it boots WLS (WL6.1SP1), prompting for the system password. This is rejected as shown below. I don't have any problems starting the standard stock portal demo entering the same password, so it is something specific with the Avitek portal. I've tried running it on both a Solaris and w2k box with exactly the same result. I've set up a simple password, ie 'password' for wls. Have found that if I use the password 'weblogic' it will then boot. However then when I try to run the loadads script, I get another authentication error.
Thanks, Peter Vines.
-
Jes2005Q4 AccessManager console Authentication failed
Hi,
I have installed Jes2005Q4 (DirectoryServer, AdministrationServer, ApplicationServer, AccessManager) on Solaris 9. After starting everything, when I go to access the following page I get the Authentication failed error.
http://andaman.miel.mot.com:8080/amserver/UI/Login?gx_charset=UTF-8
Below is the amconfig script. Please give me a solution ASAP; I am struggling a lot.
BASEDIR=/apps/vendor/jes
SERVER_HOST=andaman.miel.mot.com
SERVER_PORT=8080
SERVER_PROTOCOL=http
CONSOLE_HOST=$SERVER_HOST
CONSOLE_PORT=$SERVER_PORT
CONSOLE_PROTOCOL=$SERVER_PROTOCOL
CONSOLE_REMOTE=false
DS_HOST=andaman.miel.mot.com
DS_PORT=389
DS_DIRMGRDN="cn=Directory Manager"
DS_DIRMGRPASSWD=admin123
ROOT_SUFFIX="dc=miel,dc=mot,dc=com"
COOKIE_DOMAIN=.mot.com
# ADMINPASSWD, the amadmin password, and AMLDAPUSERPASSWD, the amldapuser password, must be set to different values
ADMINPASSWD=admin123
AMLDAPUSERPASSWD=ldapadmin123
CONSOLE_DEPLOY_URI=/amconsole
SERVER_DEPLOY_URI=/amserver
PASSWORD_DEPLOY_URI=/ampassword
COMMON_DEPLOY_URI=/amcommon
COOKIE_DOMAIN=.mot.com
JAVA_HOME=/usr/jdk/entsys-j2se
AM_ENC_PWD=""
PLATFORM_LOCALE=en_US
NEW_OWNER=root
#### Linux installations probably would want to set NEW_GROUP as root as the same default value.
NEW_GROUP=other
XML_ENCODING=ISO-8859-1
NEW_INSTANCE=false
############### Web Container type required #######################
# WL6 => weblogic 6.x
# WL8 => weblogic 8.x
# WAS4 => websphere 4.0.5
# WAS5 => websphere 5.x
# WS6 => s1ws 6.1
# AS7 => s1as 7.0
# AS8 => s1as 8.1
WEB_CONTAINER=AS8
############### Required for Web Server ################################
WS61_INSTANCE=https-$SERVER_HOST
WS61_HOME=/opt/SUNWwbsvr
WS61_PROTOCOL=$SERVER_PROTOCOL
WS61_HOST=$SERVER_HOST
WS61_PORT=$SERVER_PORT
WS61_ADMINPORT=8888
WS61_ADMIN="admin"
############### Required for App Server 8.x ################################
AS81_HOME=/apps/vendor/jes/SUNWappserver/appserver
AS81_PROTOCOL=$SERVER_PROTOCOL
AS81_HOST=$SERVER_HOST
AS81_PORT=$SERVER_PORT
AS81_ADMINPORT=4849
AS81_ADMIN=admin
AS81_ADMINPASSWD="admin123"
AS81_ADMIN=admin
AS81_ADMINPASSWD="admin123"
AS81_INSTANCE=server
AS81_DOMAIN=domain1
AS81_INSTANCE_DIR=/apps/vendor/jes/SUNWappserver/domains/domain1
AS81_DOCS_DIR=/apps/vendor/jes/SUNWappserver/domains/domain1/docroot
AS81_IS_SECURE=false
AS81_ADMIN_IS_SECURE=true
############### Required for SSL enabled ################################
SSL_PASSWORD="sample" # used in auto'ly restart container
DIRECTORY_MODE=1
USER_NAMING_ATTR=uid
ORG_NAMING_ATTR=o
ORG_OBJECT_CLASS=sunismanagedorganization
USER_OBJECT_CLASS=inetorgperson
DEFAULT_ORGANIZATION=
We faced a similar problem recently and we would like to document the solution for it. The root cause of the problem was traced to the absence of certain index configurations in the Directory Server. Because of this, Access Manager was unable to fetch certain data from the backend directory during authentication.
At the time of configuration, Access Manager creates certain indexes in the LDAP Directory under the node cn=index,cn=<databaseName>,cn=ldbm database,cn=plugins,cn=config, where <databaseName> is the name of the database storing your Access Manager tree, e.g. userRoot.
The indexes are created from the file /etc/opt/SUNWam/config/ldif/index.ldif.
So if you are facing the authentication failure problem, please cross-check against the index.ldif file and verify the creation of each index. If the index on a specific attribute is missing, follow the steps below to resolve this issue:
* Use ldapmodify to upload the file /etc/opt/SUNWam/config/ldif/index.ldif onto each DS instance:
ldapmodify -h <host> -p <port> -D "cn=directory manager" -w <pwd> -a -c -f /etc/opt/SUNWam/config/ldif/index.ldif
* Run the command db2index.pl to generate the new set of indexes to be maintained by the server.
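The cross-check step above ("verify the creation of each index") can be scripted rather than done by eye. The following is an added example, not code from Access Manager, Sun or the poster: it parses the expected index entries (the shape of index.ldif) and a dump of the live cn=index subtree (as an ldapsearch of that base DN would print it, which is an assumed way of obtaining it), and reports every index DN that is absent or lacks an nsIndexType value. Both LDIF texts are constructed samples; the attribute names in them (uid, iplanet-am-user-login-status, memberof) are illustrative, not a copy of the real file. The ldapmodify and db2index.pl lines it prints are the two steps from the post with placeholders for host, port and password.

```python
"""Compare the index entries Access Manager expects (index.ldif) with the index
entries a Directory Server instance actually holds under
cn=index,cn=<db>,cn=ldbm database,cn=plugins,cn=config, and list the gaps.

Added example; not Access Manager's or the poster's code. The two LDIF texts
below are constructed samples, not the real index.ldif.
"""
import re
from typing import Dict, List

# Constructed sample of what index.ldif entries look like (dn + index attrs).
EXPECTED_LDIF = """\
dn: cn=uid,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: add
objectClass: top
objectClass: nsIndex
cn: uid
nsSystemIndex: false
nsIndexType: eq
nsIndexType: pres

dn: cn=iplanet-am-user-login-status,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: add
objectClass: top
objectClass: nsIndex
cn: iplanet-am-user-login-status
nsSystemIndex: false
nsIndexType: eq

dn: cn=memberof,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: add
objectClass: top
objectClass: nsIndex
cn: memberof
nsSystemIndex: false
nsIndexType: eq
"""

# Constructed sample of what the live server reports: one index entry is
# missing entirely and one is present but lacks its 'pres' index type.
LIVE_LDIF = """\
dn: cn=uid,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: nsIndex
cn: uid
nsSystemIndex: false
nsIndexType: eq

dn: cn=memberof,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: nsIndex
cn: memberof
nsSystemIndex: false
nsIndexType: eq
"""


def parse_ldif(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {dn: {attr: [values]}} for each entry in a simple LDIF text.

    Handles blank-line entry separation and LDIF line folding (a continuation
    line starts with one space). Base64 values and comments are not needed
    for index entries, so they are not handled.
    """
    entries: Dict[str, Dict[str, List[str]]] = {}
    unfolded = re.sub(r"\n ", "", text)  # join folded lines
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        attrs: Dict[str, List[str]] = {}
        dn = None
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                dn = value.lower()  # DNs compare case-insensitively
            else:
                attrs.setdefault(name, []).append(value)
        if dn is not None:
            entries[dn] = attrs
    return entries


def missing_indexes(expected_ldif: str, live_ldif: str) -> Dict[str, List[str]]:
    """Map each index DN needing attention to the nsIndexType values it lacks.

    A DN absent from the live dump is reported with every expected type; a DN
    that exists but lacks some type is reported with just the missing ones.
    An empty dict means the server matches index.ldif.
    """
    expected = parse_ldif(expected_ldif)
    live = parse_ldif(live_ldif)
    problems: Dict[str, List[str]] = {}
    for dn, attrs in expected.items():
        wanted = sorted(v.lower() for v in attrs.get("nsindextype", []))
        have = {v.lower() for v in live.get(dn, {}).get("nsindextype", [])}
        lacking = [t for t in wanted if t not in have]
        if dn not in live or lacking:
            problems[dn] = lacking
    return problems


def remediation_commands(problems: Dict[str, List[str]],
                         ldif_path: str = "/etc/opt/SUNWam/config/ldif/index.ldif") -> List[str]:
    """The two-step fix from the post; host, port and password are placeholders."""
    if not problems:
        return []
    return [
        f'ldapmodify -h <host> -p <port> -D "cn=directory manager" -w <pwd> -a -c -f {ldif_path}',
        "db2index.pl  # regenerate the index files for the affected database",
    ]


if __name__ == "__main__":
    found = missing_indexes(EXPECTED_LDIF, LIVE_LDIF)
    for dn, types in found.items():
        print(f"{dn}: missing nsIndexType values {types}")
    for cmd in remediation_commands(found):
        print(cmd)
```

Run against a real instance, replace LIVE_LDIF with the output of an ldapsearch over the cn=index subtree of the database holding the Access Manager tree, and EXPECTED_LDIF with the contents of index.ldif; the function reports gaps per DN so you can see whether a whole index is missing or only one index type, which is the distinction the db2index.pl step depends on.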
Regards,
Chetan Mutalik Desai
Persistent Systems
-
How to Configure RDBMS Realm on WL6.0
We are trying to replace the default File Realm on WL6.0 with an RDBMS Realm. We have put the userId/password pairs in the fnxuser table of the database, and also put a "reserve" permission for weblogic.jdbc.connectionPool.fnxconnection in the acl2entries table (but for whatever reason, the fnxconnection setup won't show up when we bring up the ACL config page in the console; just the defaults show up, such as weblogic.jdbc.connectionPool, weblogic.jdbc.connectionPool.oraPool, weblogic.jdbc.connectionPool.testPool).
When we log in using one of the valid userid/password pairs in the fnxuser table on the jsp page, we get the following error message:
LoginBean::loginAttempt() - get DB name : dev711
LoginBean::checkAccountStatus: Naming error:javax.naming.AuthenticationException
[Root exception is java.lang.SecurityException:Authentication for user bobdev
denied in realm weblogic]
We have a Java Bean Login Bean to get the JNDI context, the code is as follows:
Context ctx = FnxJndi.getJndiInitialContext(null);
if (sDatabase != null)
    sDbname = sDatabase;
else
    sDbname = (String) ctx.lookup(FnxJndi.getDefaultDbJndiKey());
System.out.println("LoginBean::loginAttempt() - get DB name : " + sDbname);
FnxJndi.deepBind(ctx, FnxJndi.constructUserDbnameJndiKey(sUsername), sDbname);
The following is part of our config.xml. Is there something we did wrong or we
missed? Any help is highly appreciated.
Thanks in advance.
Ting
<Realm CachingRealm="CachingRealm" Name="RdbmsRealm"/>
<FileRealm Name="wl_default_file_realm"/>
<CachingRealm ACLCacheSize="1000" BasicRealm="RdbmsRealm"
    CacheCaseSensitive="true" GroupCacheSize="20"
    Name="CachingRealm" PermissionCacheSize="100" UserCacheSize="1000"/>
<JDBCConnectionPool CapacityIncrement="10"
    DriverName="com.sybase.jdbc.SybDriver" InitialCapacity="40"
    MaxCapacity="500" Name="fnxconnection"
    Properties="user=d711dbo;password=fnxltd;server=SYB_AXE"
    RefreshMinutes="0" Targets="tingserver" URL="jdbc:sybase:Tds:axe:5000"/>
<JDBCDataSource JNDIName="fnxdatasource" Name="fnxjdbcdatasource"
    PoolName="fnxconnection" Targets="tingserver"/>
<RDBMSRealm DatabaseDriver="com.sybase.jdbc.SybDriver"
    DatabasePassword="fnxltd" DatabaseURL="jdbc:sybase:Tds:axe:5000"
    DatabaseUserName="d711dbo" Name="RdbmsRealm"
    RealmClassName="com.fnx.util.security.rdbmsrealm.RDBMSRealm"
    SchemaProperties="getGroupMembers=SELECT GM_GROUP, GM_MEMBER FROM group2members WHERE GM_GROUP = ?;
        addGroupMember=INSERT INTO group2members VALUES (?, ?);
        getUser=SELECT rtrim(user_ID), rtrim(user_ID) FROM fnxuser WHERE user_ID = ?;
        getPermission=SELECT DISTINCT A_PERMISSION FROM acl2entries WHERE A_PERMISSION = ?;
        getAcls=SELECT A_NAME, A_PRINCIPAL, A_PERMISSION FROM acl2entries ORDER BY A_NAME, A_PRINCIPAL;
        getUsers=SELECT rtrim(user_ID), rtrim(user_ID) FROM fnxuser;
        getGroups=SELECT GM_GROUP, GM_MEMBER FROM group2members;
        getPermissions=SELECT DISTINCT A_PERMISSION FROM acl2entries;
        getAclEntries=SELECT A_NAME, A_PRINCIPAL, A_PERMISSION FROM acl2entries WHERE A_NAME = ? ORDER BY A_PRINCIPAL;
        newUser=INSERT INTO fnxuser VALUES (?, ?);
        removeGroupMember=DELETE FROM group2members WHERE GM_GROUP = ? AND GM_MEMBER = ?"/>
<PasswordPolicy Name="wl_default_password_policy"/>
Please look into the previous posting of yours.
-utpal
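Before pointing a WebLogic 6.x RDBMS realm at a SchemaProperties mapping like the one in Ting's post, it is worth dry-running the queries against a throwaway copy of the three tables. The block below is an added example, not WebLogic's realm code and not anything from the thread. It assumes the custom realm keeps the contract of the WebLogic 6.x sample RDBMSRealm, where getUser returns the pair (name, password) and a login is denied when no row comes back or the second column differs from the password supplied; the table layout, the column name user_PASSWORD and every row are constructed here. It compiles each query with SQLite (so Sybase-only syntax may be flagged spuriously, which is a dialect difference rather than a bug), shows how a malformed statement is caught using an INSERT with a trailing WHERE clause as the specimen, and then shows the consequence of a getUser query that selects user_ID in both columns: under the assumed contract the realm can only ever match a password equal to the user ID.

```python
"""Dry-run an RDBMSRealm SchemaProperties mapping against an in-memory SQLite
copy of the fnxuser, group2members and acl2entries tables.

Added example; not WebLogic's realm code and not the poster's. Assumes the
sample RDBMSRealm contract: getUser returns (name, password). Column name
user_PASSWORD and all rows are constructed.
"""
import sqlite3
from typing import Dict

# getUser as it appears in the thread: both columns come from user_ID.
POSTED_GET_USER = "SELECT rtrim(user_ID), rtrim(user_ID) FROM fnxuser WHERE user_ID = ?"
# Same query with a real password column (constructed name) in the second slot.
FIXED_GET_USER = "SELECT rtrim(user_ID), rtrim(user_PASSWORD) FROM fnxuser WHERE user_ID = ?"
# Specimen of a statement that cannot compile: an INSERT does not take WHERE.
MALFORMED_ADD_GROUP_MEMBER = "INSERT INTO group2members values (?, ?) WHERE GM_GROUP = ?"

SCHEMA_PROPERTIES = (
    "getGroupMembers=SELECT GM_GROUP, GM_MEMBER FROM group2members WHERE GM_GROUP = ?;"
    "addGroupMember=INSERT INTO group2members VALUES (?, ?);"
    f"getUser={POSTED_GET_USER};"
    "getPermission=SELECT DISTINCT A_PERMISSION FROM acl2entries WHERE A_PERMISSION = ?;"
    "getAcls=SELECT A_NAME, A_PRINCIPAL, A_PERMISSION FROM acl2entries ORDER BY A_NAME, A_PRINCIPAL;"
    "getUsers=SELECT rtrim(user_ID), rtrim(user_ID) FROM fnxuser;"
    "getGroups=SELECT GM_GROUP, GM_MEMBER FROM group2members;"
    "getPermissions=SELECT DISTINCT A_PERMISSION FROM acl2entries;"
    "getAclEntries=SELECT A_NAME, A_PRINCIPAL, A_PERMISSION FROM acl2entries WHERE A_NAME = ? ORDER BY A_PRINCIPAL;"
    "newUser=INSERT INTO fnxuser VALUES (?, ?);"
    "removeGroupMember=DELETE FROM group2members WHERE GM_GROUP = ? AND GM_MEMBER = ?"
)

# Constructed table layout; fnxuser has two columns because newUser inserts two values.
DDL = """
CREATE TABLE fnxuser       (user_ID TEXT PRIMARY KEY, user_PASSWORD TEXT);
CREATE TABLE group2members (GM_GROUP TEXT, GM_MEMBER TEXT);
CREATE TABLE acl2entries   (A_NAME TEXT, A_PRINCIPAL TEXT, A_PERMISSION TEXT);
"""

# Constructed rows; 'bobdev' is the user named in the error message in the thread.
SEED = [
    ("INSERT INTO fnxuser VALUES (?, ?)", ("bobdev", "s3cret-example")),
    ("INSERT INTO group2members VALUES (?, ?)", ("developers", "bobdev")),
    ("INSERT INTO acl2entries VALUES (?, ?, ?)",
     ("weblogic.jdbc.connectionPool.fnxconnection", "developers", "reserve")),
]


def parse_schema_properties(value: str) -> Dict[str, str]:
    """Split 'name=SQL;name=SQL' into a dict. Only the first '=' of each item
    separates name from SQL, so '=' inside a WHERE clause is preserved."""
    queries: Dict[str, str] = {}
    for item in value.split(";"):
        name, _, sql = item.partition("=")
        if name.strip():
            queries[name.strip()] = sql.strip()
    return queries


def new_realm_db() -> sqlite3.Connection:
    """Fresh in-memory database with the constructed schema and rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(DDL)
    for sql, params in SEED:
        conn.execute(sql, params)
    return conn


def compile_errors(conn: sqlite3.Connection, queries: Dict[str, str]) -> Dict[str, str]:
    """Compile every query without running it; returns {name: error} for failures.
    EXPLAIN parses and plans the statement but changes no data. Bind parameters
    are filled with NULLs, counted from the '?' placeholders."""
    errors: Dict[str, str] = {}
    for name, sql in queries.items():
        try:
            conn.execute("EXPLAIN " + sql, (None,) * sql.count("?"))
        except sqlite3.Error as exc:
            errors[name] = str(exc)
    return errors


def simulate_login(conn: sqlite3.Connection, get_user_sql: str,
                   username: str, password: str) -> bool:
    """Assumed realm contract: a row must come back and column 2 must equal
    the supplied password."""
    row = conn.execute(get_user_sql, (username,)).fetchone()
    return row is not None and row[1] == password


if __name__ == "__main__":
    db = new_realm_db()
    q = parse_schema_properties(SCHEMA_PROPERTIES)
    print("compile errors:", compile_errors(db, q) or "none")
    print("malformed specimen:", compile_errors(db, {"addGroupMember": MALFORMED_ADD_GROUP_MEMBER}))
    print("posted getUser, real password:  ", simulate_login(db, q["getUser"], "bobdev", "s3cret-example"))
    print("posted getUser, password == id: ", simulate_login(db, q["getUser"], "bobdev", "bobdev"))
    print("fixed getUser, real password:   ", simulate_login(db, FIXED_GET_USER, "bobdev", "s3cret-example"))
```

The point of the last three lines is the one worth checking in the real database: whichever column the realm's getUser query returns second is what it compares against the login password, so that column has to hold the credential, not a copy of the user name.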
"Amit" <[email protected]> wrote in message
news:[email protected]..
>
Hi,
I want to store user id, password, roles in the DB tables and provide web-based
forms to create/modify users.
How do I implement a security realm for users stored in the DB table?
Thanks and Regards,
Amit
-
Programmatically logging in or artificial form authentication
A nice one for Friday afternoon here :)
Is there a way to programmatically log a principal into the servlet
container in weblogic. The Form based authentication and siblings don't work
in my particular case because the user is keyed on 2 values, instead of
simply a 'username'. ie - username and account number.
So I'm using my userbean to look up the principal associated with the user
and I would like to programmatically assicate the principal with the session
(or whatever they are associated with normally).
One other idea is to submit an artificially created form based login
request... ie submit the information normally associated with a form
authorization POST to the server. Any ideas on how to go about doing that?
Thanks in advance.
I guess I need to know if "j_security_check" can be used as a request dispatcher
Yes you can, I've done it on WL6.0 SP1.
"zeppelin71" <[email protected]> wrote:
Stumbled upon the following method as well:
weblogic.servlet.security.ServletAuthentication.weak(java.lang.String username, java.lang.String password, javax.servlet.http.HttpSession session)
looks interesting.
"mblumrich" <[email protected]> wrote in message
news:[email protected]..
How does this sound? After finding the principal name associated with the
user who is trying to log on, I do the following:
req.setAttribute("j_username", principalName);
// forward the new form data to the container
getServletConfig().getServletContext().getRequestDispatcher("j_security_check").forward(req, res);
I'm a few days away from being able to check if this will work... I guess I
need to know if "j_security_check" can be used as a request dispatcher....