NT Security Realm Question

Similar Messages

• Weblogic security authentication; question to interact with the realm

  Hi, I have a quick question about weblogic security authentication....
  We are using weblogic 81sp3. We have user-group info in an Novell eDirectory LDAP server.
  Currently, a Novell Authenticator provider is configured under : Security > Realms > myRealm > Providers > Authentication This tells Weblogic from where to get the user and groups. Weblogic caches this information of the logged on users for certain time ( example : 60 secs ) after which it cleans the cache for all inactive users. We want to interact with the Weblogic cache. Add more user profile information to this cache and use it in our application .
  Does somebody know how to programmatically interact with Weblogic user-group cache - read , write , update and delete user-group info in cache and control time to live for the cache ?

  already checked
  TTLCache class which weblogic provides. But they seem to depracetd it
  help ?

• Using LDAP as security realm

  Hi,
  Our goal is to use LDAP(Iplanet Directory Server 5.0) as a security Realm
  for Weblogic Personalization and Commerce 3.5.
  Using the WLCS console, I've modified the config.xml file and following
  elements are added:
  <LDAPRealm AuthProtocol='simple' Credential='admin'
  GroupDN='ou=groups,dc=netnumina,dc=com' GroupIsContext='false'
  GroupUsernameAttribute='uniquemember'
  LDAPURL='ldap://sanand.netnumina.com:389' Name='wlcsLDAPRealm'
  Principal='uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot'
  UserAuthentication='local' UserDN='ou=people,dc=netnumina,dc=com'
  UserNameAttribute='uid'/>
  <CachingRealm BasicRealm='wlcsLDAPRealm' CacheCaseSensitive='true'
  Name='wlcsCachingRealm'/>
  But when we try to restart the WLCS, it throws java exceptions that context
  is not initialized and I get the following error
  <Jun 15, 2001 3:41:28 PM EDT> <Emergency> <Server> <Unable to initialize the
  ser
  ver: 'Fatal initialization exception
  Throwable: weblogic.security.ldaprealm.LDAPException: could not get
  context - wi
  th nested exception:
  [java.lang.reflect.InvocationTargetException - with target exception:
  [javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid
  Credential
  s]]]
  weblogic.security.ldaprealm.LDAPException: could not get context - with
  nested e
  xception:
  I tried using Windows NT as a security realm but that gave me errors too.
  Does anyone has any experience using anything other than the default Realm?
  Any help would be appreciated. Thanks!
  Asim Raja
  [email protected]

  I'm not sure, but I suspect you can't
  since this would create a circular dependency -
  your realm would rely on the upper level security
  checking calls but those calls would rely on your
  realm.
  My suggestion is to give it a try and see what
  happens.
  -Tom
  Ozcan ADIYAMAN <[email protected]> wrote:
  Hi ,
  I am implementing a simple custom security realm using LDAP as the
  security store and I can see the users, groups and acls from the admin
  console.
  My question is (a custom realm newbie question) ;
  Is it possible to use weblogic.security.acl.Security with my custom
  realm to check permissions, get the current user,etc.,
  OR
  is this class ONLY used with default realms (when ACL is stored in a
  file) ?
  Thanks
  Ozcan

• OWSM security for a OSB service- authenticate from weblogic security realms

  Hello,
  I have a requirement to add security to a OSB service.
  The user details are configured in weblogic security realms. lets say there are ten different users.
  I need to protect my osb service using OWSM policy & the policy should be configured to authenticate the user from realms.
  I am new to OWSM & wondering if this is possible?
  Can the experts please direct me to any docs or steps?
  Thanks
  Ganesh

  Hi,
  Thanks for the links.
  I followed the blog and configured it using oracle/wss_username_token_service_policy.
  Now my requirement is to send the username,password from proxy to business and to the BPEL. (the bpel needs this username /password & and in header)
  The issue I am facing is the proxy service is not sending the soap header details to business service.
  I dont want to make the proxy as passthrough. (ie set Process WS-Security Header to NO)
  I have to authorize on proxy level and then send the same credential details to business service?
  So the question is, how can I retrieve the header after osb process it?
  Can anyone please help me here?
  Thanks
  Ganesh

• RDBMS Security realm 6.1-8.1 migration

  I am trying to migrate a RDBMS security realm from WLS6.1 to WLS8.1.
  Having followed the instructions in http://e-docs.bea.com/wls/docs81/upgrade/upgrade6xto81.html#1066711
  I am now able to boot WLS8.1 and see encouraging signs such as the 'Compatibility
  Security' node appearing in the left-hand console pane. The contents of the Users
  and Groups nodes visible under this node look correct (ie as defined in the underlying
  database).
  However, to get to this point I had to initially hardwire the values for the database
  driver, url, user and password as these were null when obtained from the associated
  RDBMSRealmMBean object, causing the server to fail to start. This enabled me
  to bootstrap the process so that I could use the console to enter these values
  on the Database tab for the Realm I had defined for Compatibility Security. I
  see no mention of this step in the instructions referred to above and therefore
  missed out this vital step.
  When WLS8.1 starts it displays:
  <date&time> <Notice> <Security> <BEA-090082> <Security initializing using security
  realm myrealm.>
  myrealm is a Realm listed under Security but I would have expected the realm to
  be the specially-defined realm associated with Compatibility Security. So, question
  number 1 - does this output from WLS indicate that it is using the Compatibility
  Security realm or the default realm?
  Although the console displays the expected set of users and groups , my application
  is failing to associate a user with a 'role' - the Groups node shows that user
  U is in group G but when the application invokes the SessionContext method isCallerInRole(String
  role) where the caller is U and the role is G the result of the invocation is
  false. Question number 2 - why does this not return true in this case?
  Note, this code (that I have inherited) worked fine in WLS6.1 and the only significant
  change I needed to make for WLS8.1 is in the wrapper classes, in particular the
  code to get the required RDBMSRealmMBean. Having now successfully got hold of
  this object I would have expected the rest of the code to work fine (ok, 'expected'
  is a bit optimisitic - but I'm not aware that there are any functional differences
  beyond obtaining the RDBMSRealmMBean object).
  Many thanks in advance for any assistance with this.
  David

  Mehrshad
  I wasn't involved in the original WL6.1 code development but this is based on
  the example code that BEA provide with the WLS6.1 installation - it should therefore
  be visible at ~bea/wlserver6.1/samples/examples/security/rdbmsrealm
  HTH
  David
  "Mehrshad Setayesh" <[email protected]> wrote:
  >
  David:
  I am trying to do the same thing and can not find which RealmClassName
  to use
  in 8.1. In our previous version, 6.1, I was using com.bea.wlpi.rdbmsrealm.RDBMSRealm.
  What is the mapping
  Java class in 8.1? Thanks.
  Regards
  Mehrshad
  "David Franklin" <[email protected]> wrote:
  I am trying to migrate a RDBMS security realm from WLS6.1 to WLS8.1.
  Having followed the instructions in http://e-docs.bea.com/wls/docs81/upgrade/upgrade6xto81.html#1066711
  I am now able to boot WLS8.1 and see encouraging signs such as the 'Compatibility
  Security' node appearing in the left-hand console pane. The contents
  of the Users
  and Groups nodes visible under this node look correct (ie as defined
  in the underlying
  database).
  However, to get to this point I had to initially hardwire the values
  for the database
  driver, url, user and password as these were null when obtained from
  the associated
  RDBMSRealmMBean object, causing the server to fail to start. This enabled
  me
  to bootstrap the process so that I could use the console to enter these
  values
  on the Database tab for the Realm I had defined for Compatibility Security.
  I
  see no mention of this step in the instructions referred to above and
  therefore
  missed out this vital step.
  When WLS8.1 starts it displays:
  <date&time> <Notice> <Security> <BEA-090082> <Security initializingusing
  security
  realm myrealm.>
  myrealm is a Realm listed under Security but I would have expected the
  realm to
  be the specially-defined realm associated with Compatibility Security.
  So, question
  number 1 - does this output from WLS indicate that it is using the Compatibility
  Security realm or the default realm?
  Although the console displays the expected set of users and groups ,
  my application
  is failing to associate a user with a 'role' - the Groups node shows
  that user
  U is in group G but when the application invokes the SessionContextmethod
  isCallerInRole(String
  role) where the caller is U and the role is G the result of the invocation
  is
  false. Question number 2 - why does this not return true in this case?
  Note, this code (that I have inherited) worked fine in WLS6.1 and the
  only significant
  change I needed to make for WLS8.1 is in the wrapper classes, in particular
  the
  code to get the required RDBMSRealmMBean. Having now successfully got
  hold of
  this object I would have expected the rest of the code to work fine(ok,
  'expected'
  is a bit optimisitic - but I'm not aware that there are any functional
  differences
  beyond obtaining the RDBMSRealmMBean object).
  Many thanks in advance for any assistance with this.
  David

• Weblogic security realm mapping to DB

  I have one question about Weblogic 7.01 security.
  I have created USER, GROUP and ROLES table in my RDBMS.
  Can I use the RDBMS realm if my users are in a database
  table already? Can I tune Weblogic security realm to my database tables?
  Any advice or links will be very appreciate.
  Thanks a lot for any help, Volodymyr Shram.

  Thanks, criokeeper for your fast answer.
  Woould you so kind to explain me one moment.
  At http://e-docs.bea.com/wls/docs70/ConsoleHelp/domain_rdbmsrealm_config_general.html I found that "To use the RDBMS security realm, you need to use Compatibility security. The use of the RDBMS security realm is deprecated in WebLogic Server 7.0."
  What does that means? Have I use the Compatibility security or it's jaust for ver. 6.x to ver.7.0 migration?
  Thanks a lot for your answer.
  Regards, Volodymyr.

• Is this possible to use no default security realm?

  Hi,
  I created new security ReadOnlySQLAuthentication provider in the default realm and it works. Now I have all the users from all applications in one realm. If they use the same enterprise roles, user can log to one application with login and password from another application. To prevent it I created another security realm. I've added ReadOnlySQLAuthentication provider, set in my application new realm name - in jazn-data.xml and web.xml. But it doesn't work. My questions are:
  It is possible to use few realms? So one application will use default realm, another no default realm.
  If so, how to bind an application to no default realm?
  Bart

  Hi,
  A WLS instance only supports a single realm. So the answer unfortunately is no (was different with OC4J)
  Frank

• How to implement a tree like security realm?

  hi all:
  i am working on a project . it's a very complex one and most importantly there's
  so many
  functions( 1000 or more) and every fuction should be protected resources. so i have
  to define many roles and map the roles to the many functions. it's a very tiring
  job and
  i am not sure the role to function mapping is stable one. because the mapping is
  saved in
  a xml file and this file is depolyed with the application, so if there s any changes
  we have to redeploy all the application and restart the server.
  there s still another problem. we want security realm to be a tree instead of
  a flat one( weblogic's group is a flat one ) . if we assign a node to a role all
  its children
  belong to the same role.
  so is there way to do this. any solution?
  regards
  daniel wang

  maybe you could exploit the way ACLs have dotted names to reflect your tree
  structure, so the acl root applies to all functions, root.branch1 only
  applies to functions on branch branch1, and root.branch1.branch2 applies to
  functions on branch2 of branch1. there´s an api that gets the most specific
  acl given a path to a node.
  i'm not it´s acls that you want to correspond to nodes, but maybe you can
  work out some kind of scheme that gives you what you want.
  andrew
  "daniel" <[email protected]> escribió en el mensaje
  news:3d16efc7$[email protected]..
  >
  hi all:
  i am working on a project . it's a very complex one and mostimportantly there's
  so many
  functions( 1000 or more) and every fuction should be protected resources.so i have
  to define many roles and map the roles to the many functions. it's a verytiring
  job and
  i am not sure the role to function mapping is stable one. because themapping is
  saved in
  a xml file and this file is depolyed with the application, so if there sany changes
  we have to redeploy all the application and restart the server.
  there s still another problem. we want security realm to be a treeinstead of
  a flat one( weblogic's group is a flat one ) . if we assign a node to arole all
  its children
  belong to the same role.
  so is there way to do this. any solution?
  regards
  daniel wang

• How to retrieve Global Roles in a the current security realm?

  Is there a WLS API available that obtains a list of mapped global roles (defined in a security realm) from an application?
  I want to be able to do a getRoles call against an authenticated user. So far, I'm only able to use isUserInRole. What I need is a list of all global roles mapped to a user's group.
  Thanks all...
  Message was edited by:
  raymondng

  You can refer to the api
  http://e-docs.bea.com/wls/docs81/javadocs/weblogic/management/security/authorization/RoleReaderMBean.html#getRoleExpression
  -Ramkumar

• Adding a user to the File Security Realm

  Hello,
  When I attempt to add a new user to the file realm with Application Server->Security-Realms->file-> Manage Users, I get the error:
  A "com.sun.enterprise.tools.guiframework.exception.FrameworkError" was caught. The message from the exception: "Unable to get View for ViewDescriptor 'fileUsers'"
  The root cause is "java.lang.ArrayIndexOutOfBoundsException: 0"
  See the HTML source for more detailed (stack trace) information.
  When I look at the file C:\Sun\AppServer\domains\samples/config/keyfile I see the new user added, but the Admin Console is not happy...
  Please advise.
  -- POC

  There are some issues in admin gui for managing security service in beta.
  I have verified that this has been fixed in FCS branch.
  Since the user and password has been written to keyfile in your scenario, it may be OK.
  You can try to use the user. If this is not working, then restarting the server should work.
  Another way is to create user by using asadmin command. This is working fine in beta.

• Errors encountered while using a Custom Security Realm on a Platform Domain

  Hi,
  We have created a WebLogic Platform Domain. A WebLogic Portal application(Portal
  7.0) and some Web Service apps are running on this domain.
  We have created a Custom Security Realm b'cos of our application requirements
  and now when I startup the Platform Domain, I see lot of errors.
  Some of the errors typically are
  "<Jan 16, 2003 4:07:02 PM EST> <Error> <HTTP> <101256> <The run-as user: wlisystem,
  for the servlet: ApplicationView for the webapp: /WLI_AI_Workshop_Control_Web,
  could not be resolved to a valid user in the system. Please check if the user
  exists.
  javax.security.auth.login.LoginException: Authentication Failed: User wlisystem
  denied in Realm Adapter realm weblogic"
  or
  Unable to deploy EJB: wlai-eventprocessor-ejb.jar from wlai-eventprocessor-ejb.jar:weblogic.ejb20.WLDeploymentException:
  weblogic.ejb20.interfaces.PrincipalNotFoundException: Authentication Failed: User
  wlisystem denied in Realm Adapter realm weblogic
  Do we have to create any predefined user accounts in the Security Store to get
  rid of these errors. I would appreciate if anyone can suggest some tips or workarounds
  for configuring or creating a Custom Security Realm for Web Logic Platform Domain.
  Thanks
  Vikram

  Hello Vikram,
  Are you using the new WLS 7.0 security framework? It is not supported for
  Portal 7.0. For Portal 7.0 apps you have to use compatibility mode (6.x
  style) security.
  Ture Hoefner
  BEA Systems, Inc.
  www.bea.com
  "Vikram Datla" <[email protected]> wrote in message
  news:3e273015$[email protected]..
  >
  Hi,
  We have created a WebLogic Platform Domain. A WebLogic Portalapplication(Portal
  7.0) and some Web Service apps are running on this domain.
  We have created a Custom Security Realm b'cos of our applicationrequirements
  and now when I startup the Platform Domain, I see lot of errors.
  Some of the errors typically are
  "<Jan 16, 2003 4:07:02 PM EST> <Error> <HTTP> <101256> <The run-as user:wlisystem,
  for the servlet: ApplicationView for the webapp:/WLI_AI_Workshop_Control_Web,
  could not be resolved to a valid user in the system. Please check if theuser
  exists.
  javax.security.auth.login.LoginException: Authentication Failed: Userwlisystem
  denied in Realm Adapter realm weblogic"
  or
  Unable to deploy EJB: wlai-eventprocessor-ejb.jar fromwlai-eventprocessor-ejb.jar:weblogic.ejb20.WLDeploymentException:
  weblogic.ejb20.interfaces.PrincipalNotFoundException: AuthenticationFailed: User
  wlisystem denied in Realm Adapter realm weblogic
  Do we have to create any predefined user accounts in the Security Store toget
  rid of these errors. I would appreciate if anyone can suggest some tips orworkarounds
  for configuring or creating a Custom Security Realm for Web Logic PlatformDomain.
  >
  Thanks
  Vikram

• What is the best way to deploy/update custom security realm classes to WLS 6.0?

  From the WLS 6.0 console, I see that I can specify the Java class that
  implements my custom security realm but I am wondering what is the best way
  to deploy/update this code. I don't see a way to do this from the console.
  Does this mean that I have to manually copy the class files over that
  implement my custom security realm?

  Thanks Danut,
  A jar file seems to be a good way to package it up but it sounds like it
  still needs to be manually copied to each Weblogic server install directory
  post-installation and whenever it is updated. I thought it would be nice to
  be able to deploy/update the custom security realm by uploading it through
  the Console just as you can with web applications and EJBs.
  Brian
  "Danut Prisacaru" <[email protected]> wrote in message
  news:3aba2db0$[email protected]..
  You have to have your Custom Realm class in the class path. I usually havea
  jar file with all the Custom Realm classes and that jar I copy it in thelib
  folder. Then I modify "startWebLogic.cmd" and I add to the classpath
  ".\lib\CustomRealm.jar"
  set
  CLASSPATH=.;.\lib\weblogic_sp.jar;.\lib\weblogic.jar;.\lib\CustomRealm.jar;
  >
  Be aware that in order to have you custom realm besides creating thecustom
  realm using the console you also have to create a custom caching andchoose
  that one as your default caching realm.
  Here is how the security settings are looking in my "config.xml"
  <CustomRealm Name="CustomRealm"
  RealmClassName="Custom.appserver.weblogic.security.CustomRealm"/>
  <CachingRealm BasicRealm="CustomRealm" CacheCaseSensitive="true"
  Name="CustomCachingRealm"/>
  <Realm CachingRealm="CustomCachingRealm" FileRealm="wl_default_file_realm"
  Name="wl_default_realm"/>
  <FileRealm Name="wl_default_file_realm"/>
  <Security GuestDisabled="false"
  Name="mydomain" PasswordPolicy="wl_default_password_policy"
  Realm="wl_default_realm"/>
  Danut

• Not able to get rid of security-related questions in runtime

  Hi,
  I am simply using NetBeans 6.0.1 and the emulator QwertyDevice and the emulator platform WTK 2.5.2 for CLDC.
  I have chosen Alias as trusted in the signing option in the project configuration page. however still I am getting security confirmation questions in runtime to access the local files for instance.
  Would anyone please advise me how to get rid of that?
  Also I have deployed the application on SonyEricsson k800i and would like to get rid of the security confirmations on that device as well. What is the guideline?
  Thank you

  Right clicking on it is not even an option, just hovering over it seems to induce a "nuclear" reset of the whole desktop and graphic card on the iMac.
  Have meanwhile found a possible solution by erasing the dock preference file in the user/library/preferences folder to reset the dock to it's default state. Will try this out through a Skype conversation with that Buddy.
  Was seen here :
  https://discussions.apple.com/message/16447109#16447109
  Thank you for stepping in. Good to know that people are still willing to help in this community.
  Greetz to the UK from France

• Authentication via weblogic security realm

            My servlet needs to access a session bean. The action in the session bean requires
            that a user has been authorized, i.e. at some point the session been calls
            String name = d_ctx.getCallerPrincipal().getName()
            This name may not be null at this time.
            What I would like to have is that the user executing the URL gets authenticated
            by my server realm 'myrealm' and that the associated prinicpal gets passed to
            the session bean. Is this possible. If so, how can the user pass along the username
            and password as this query is executed programmatically?
            markus
            

  http://www.weblogic.com/docs51/classdocs/API_acl.html
  Michael Girdley
  BEA Systems Inc
  "gennot" <[email protected]> wrote in message
  news:[email protected]..
  Could you send me the complete URL of these example, please?
  Thanks
  Enrico
  Michael Girdley <[email protected]> wrote in message
  39b87078$[email protected]..
  The passing of the client's certificate should be automatic to WebLogic.We
  have an example of getting the client side certificate from inside of
  WebLogic in our documentation.
  This does not require for SSL to be used from the Web server to
  WebLogic.
  >>
  Thanks,
  Michael
  Michael Girdley
  BEA Systems Inc
  "Bob Simonoff" <[email protected]> wrote in message
  news:[email protected]..
  I have read through the docs and haven't found anything that would
  address
  the following confusion:
  Suppose I want to use Apache or IPlanet as the webserver with WebLogicas
  the back end application server (obviously). I have the need to use 2way
  SSL authentication. As I understand it the following applies:
  Client (browser) has a certificate as does the web server. Theyauthenticate
  each other.
  Now, the web server and weblogic need to communicate. WebLogic, in our
  environment does authentication via the security realm.
  What do I have to do to get the the web server (Apache or IPlanet) to
  communicate the client's certificate to WebLogic so the WebLogic canperform
  the authentication?
  Does the communication between the web server and WebLogic also need
  to
  be
  SSL?
  Thanks
  Bob Simonoff

• LDAP Security Realm

  Using Weblogic 7.0 I have an LDAP security realm setup with the LDAP URL admins
  user name and password. I want to be able to interface this connection to access
  the LDAP and make changes to user information within in the ldap. Right now in
  my code I make a connection to the LDAP and supply the same user name and password
  set up in the LDAP security realm. I want to be able to rather then re-supply
  the URL and user name and password in my code I want to be able to just get that
  (or create a connection simil;ar to a jdbc connection pool) connection to the
  LDAP that configured in the Security Realm. Is this possible? And how would I
  go about it if so?
  Thanks
  Sjb

  the LDAPConnection pool which is used WLS Realm is not accessible to public
  for programming.
  thanks
  kiran
  "Sjb" <[email protected]> wrote in message
  news:3f5744c1$[email protected]..
  >
  Using Weblogic 7.0 I have an LDAP security realm setup with the LDAP URLadmins
  user name and password. I want to be able to interface this connection toaccess
  the LDAP and make changes to user information within in the ldap. Rightnow in
  my code I make a connection to the LDAP and supply the same user name andpassword
  set up in the LDAP security realm. I want to be able to rather thenre-supply
  the URL and user name and password in my code I want to be able to justget that
  (or create a connection simil;ar to a jdbc connection pool) connection tothe
  LDAP that configured in the Security Realm. Is this possible? And howwould I
  go about it if so?
  Thanks
  Sjb