One custom security realm for many wl servers?

Similar Messages

• Errors encountered while using a Custom Security Realm on a Platform Domain

  Hi,
  We have created a WebLogic Platform Domain. A WebLogic Portal application(Portal
  7.0) and some Web Service apps are running on this domain.
  We have created a Custom Security Realm b'cos of our application requirements
  and now when I startup the Platform Domain, I see lot of errors.
  Some of the errors typically are
  "<Jan 16, 2003 4:07:02 PM EST> <Error> <HTTP> <101256> <The run-as user: wlisystem,
  for the servlet: ApplicationView for the webapp: /WLI_AI_Workshop_Control_Web,
  could not be resolved to a valid user in the system. Please check if the user
  exists.
  javax.security.auth.login.LoginException: Authentication Failed: User wlisystem
  denied in Realm Adapter realm weblogic"
  or
  Unable to deploy EJB: wlai-eventprocessor-ejb.jar from wlai-eventprocessor-ejb.jar:weblogic.ejb20.WLDeploymentException:
  weblogic.ejb20.interfaces.PrincipalNotFoundException: Authentication Failed: User
  wlisystem denied in Realm Adapter realm weblogic
  Do we have to create any predefined user accounts in the Security Store to get
  rid of these errors. I would appreciate if anyone can suggest some tips or workarounds
  for configuring or creating a Custom Security Realm for Web Logic Platform Domain.
  Thanks
  Vikram

  Hello Vikram,
  Are you using the new WLS 7.0 security framework? It is not supported for
  Portal 7.0. For Portal 7.0 apps you have to use compatibility mode (6.x
  style) security.
  Ture Hoefner
  BEA Systems, Inc.
  www.bea.com
  "Vikram Datla" <[email protected]> wrote in message
  news:3e273015$[email protected]..
  >
  Hi,
  We have created a WebLogic Platform Domain. A WebLogic Portalapplication(Portal
  7.0) and some Web Service apps are running on this domain.
  We have created a Custom Security Realm b'cos of our applicationrequirements
  and now when I startup the Platform Domain, I see lot of errors.
  Some of the errors typically are
  "<Jan 16, 2003 4:07:02 PM EST> <Error> <HTTP> <101256> <The run-as user:wlisystem,
  for the servlet: ApplicationView for the webapp:/WLI_AI_Workshop_Control_Web,
  could not be resolved to a valid user in the system. Please check if theuser
  exists.
  javax.security.auth.login.LoginException: Authentication Failed: Userwlisystem
  denied in Realm Adapter realm weblogic"
  or
  Unable to deploy EJB: wlai-eventprocessor-ejb.jar fromwlai-eventprocessor-ejb.jar:weblogic.ejb20.WLDeploymentException:
  weblogic.ejb20.interfaces.PrincipalNotFoundException: AuthenticationFailed: User
  wlisystem denied in Realm Adapter realm weblogic
  Do we have to create any predefined user accounts in the Security Store toget
  rid of these errors. I would appreciate if anyone can suggest some tips orworkarounds
  for configuring or creating a Custom Security Realm for Web Logic PlatformDomain.
  >
  Thanks
  Vikram

• Accessing Custom Security Realm and NotOwnerException.

  I have installed the RDBMS example security realm, which appears to work fine. However when I attempt to access this realm from a Servlet via Realm.getRealm("name") I get an NotOwnerException being thrown.
  Ideas ?
  regards,
  Jeff.

  We did something similar in a past project, and it turned out to be more of a mess than
  it was worth it (not only the "chicken-egg" dilemma with system, guest, administrator
  users, etc., but also with various lookup and threading issues.) We ended up ripping
  out the code and writing a new one which does not use an EJB.
  EJB are supposed to be written in terms of container services (which security being one
  of the services the container provides) but in this scenario you'd be writing one of the
  container services in terms of EJBs, so it "breaks" the proper layering.
  In our case, we wanted to "encapsulate" our security code from Weblogic's propreitary
  realm mechanism, at the end we still achieved without having to create a session bean
  (sometimes regular Java classes work just fine) :-)
  regards,
  -Ade
  "watscheck" <[email protected]> wrote in message news:[email protected]..
  >
  Hi,
  i want to use a sessonEJB as my security store for the custom security realm in
  weblogic server 6.1.
  Has anyone experience with that?
  First i have to pass all filerealm users through my custom realm (csr) because
  it is not possible to authenticate the system and guest users before the sessionEJB
  itself is loaded.
  OK, but my problem is the authentication of the csr at the sessionEJB, which is
  itself secured by method-permission in it's assemblydesciptor. So i have to get
  an initialcontext with an authorized user for the sessionEJB an invoke all protected
  methods with this principal.
  But Bea WLS has a problem with propagating this user back to the actual application.
  Is there a way that the application (web-app and ejbs) is not affected by the
  authentification of the csr at the sessionEJB (security store)?
  And is it right that the new initialcontext in the csr always overrides the bea
  context and with that the servlet request of the web-app?
  thanks in advance
  watscheck

• What is the best way to deploy/update custom security realm classes to WLS 6.0?

  From the WLS 6.0 console, I see that I can specify the Java class that
  implements my custom security realm but I am wondering what is the best way
  to deploy/update this code. I don't see a way to do this from the console.
  Does this mean that I have to manually copy the class files over that
  implement my custom security realm?

  Thanks Danut,
  A jar file seems to be a good way to package it up but it sounds like it
  still needs to be manually copied to each Weblogic server install directory
  post-installation and whenever it is updated. I thought it would be nice to
  be able to deploy/update the custom security realm by uploading it through
  the Console just as you can with web applications and EJBs.
  Brian
  "Danut Prisacaru" <[email protected]> wrote in message
  news:3aba2db0$[email protected]..
  You have to have your Custom Realm class in the class path. I usually havea
  jar file with all the Custom Realm classes and that jar I copy it in thelib
  folder. Then I modify "startWebLogic.cmd" and I add to the classpath
  ".\lib\CustomRealm.jar"
  set
  CLASSPATH=.;.\lib\weblogic_sp.jar;.\lib\weblogic.jar;.\lib\CustomRealm.jar;
  >
  Be aware that in order to have you custom realm besides creating thecustom
  realm using the console you also have to create a custom caching andchoose
  that one as your default caching realm.
  Here is how the security settings are looking in my "config.xml"
  <CustomRealm Name="CustomRealm"
  RealmClassName="Custom.appserver.weblogic.security.CustomRealm"/>
  <CachingRealm BasicRealm="CustomRealm" CacheCaseSensitive="true"
  Name="CustomCachingRealm"/>
  <Realm CachingRealm="CustomCachingRealm" FileRealm="wl_default_file_realm"
  Name="wl_default_realm"/>
  <FileRealm Name="wl_default_file_realm"/>
  <Security GuestDisabled="false"
  Name="mydomain" PasswordPolicy="wl_default_password_policy"
  Realm="wl_default_realm"/>
  Danut

• Unable to use a custom security realm with Netscape Directory Server in WebLogic 7

  I have all users and groups stored in a Netscape LDAP server (version 4.1.6 on
  Solaris 8), so I want to create a custom security realm in WebLogic 7 (also run
  on Solaris 8) which uses my LDAP server as the Authenticator. I tried this by
  using the Admin Console and followed exactly the steps in Chapter 3 of the "Managing
  WebLogic Security" doc. However, when I rebooted WebLogic and logged into the
  Admin Console again and clicked the Users node under my custom realm, I saw this
  message in the right-hand pane: "There are no Authentication providers available
  that support the creation of Users". Also, I don't see my custom realm in the
  dropdown list under mydomain -> Security tab -> General tab -> Default Realm.
  What did I do wrong? Also, where does WebLogic store the custom security realm
  info? It is definitely not in config.xml.
  Thanks,
  Eric Ma

  Thanks for the info.
  I wonder when they will fix it.
  Jakub
  U¿ytkownik "Eric Ma" <[email protected]> napisa³ w wiadomo¶ci
  news:[email protected]..
  >
  According to BEA Tech Support, a known bug prevents the WLS 7 AdminConsole from
  displying users and groups defined in Netscape Directory Server.
  Eric Ma
  "Jakub Wroniszewski" <[email protected]> wrote:
  I have the same problem.
  Any new ideas?
  Rgds,
  Jakub
  U¿ytkownik "Eric Ma" <[email protected]> napisa³ w wiadomo¶ci
  news:[email protected]..
  Now I doubt my custom security realm is actually using the NetscapeDirectory Server
  as the authenticator. Unlike in WebLogic 6.1 Admin Console, whereclicking on
  the Users node displays all users in the LDAP server, in WebLogic 7I keep
  getting
  the message "There are no Authentication providers available that
  support
  the
  creation of Users." Any suggestions?
  "Eric Ma" <[email protected]> wrote:
  Never mind. I tried again by following the steps outlined at
  http://newsgroups.bea.com/cgi-bin/dnewsweb?cmd=article&group=weblogic.deve
  l
  oper.interest.security&item=8463&utag=
  and it seemed to have worked for me.
  "Eric Ma" <[email protected]> wrote:
  I have all users and groups stored in a Netscape LDAP server (version
  4.1.6 on
  Solaris 8), so I want to create a custom security realm in WebLogic7
  (also run
  on Solaris 8) which uses my LDAP server as the Authenticator. I
  tried
  this by
  using the Admin Console and followed exactly the steps in Chapter3
  of
  the "Managing
  WebLogic Security" doc. However, when I rebooted WebLogic and logged
  into the
  Admin Console again and clicked the Users node under my custom realm,
  I saw this
  message in the right-hand pane: "There are no Authentication
  providers
  available
  that support the creation of Users". Also, I don't see my customrealm
  in the
  dropdown list under mydomain -> Security tab -> General tab ->
  Default
  Realm.
  What did I do wrong? Also, where does WebLogic store the customsecurity
  realm
  info? It is definitely not in config.xml.
  Thanks,
  Eric Ma

• Sample Security realm for OpenLDAP and WLS7

  Hello,
  I would like to set up WLS 7 so it uses the Oracle implementation of OpenLDAP.
  I am looking for a Custom Security Provider for OpenLDAP for WLS7. I can not use
  the embedded LDAP as it does not allow me to programatically create new users.
  If anyone has a sample implementation, please send it to me. I would really appreciate
  it.
  Thanks
  Gavin

  It is possible to create new users programatically in embedded LDAP. Here
  is an example
  package test.jmx;
  import javax.naming.Context;
  import javax.naming.NamingException;
  import javax.naming.AuthenticationException;
  import javax.naming.CommunicationException;
  import weblogic.jndi.Environment;
  import weblogic.management.*;
  import weblogic.management.security.authentication.*;
  import weblogic.security.providers.authentication.*;
  import javax.management.*;
  import weblogic.management.configuration.*;
  import weblogic.management.runtime.*;
  import java.util.*;
  public class Test {
  public static void main(String[] args) {
  String url = "t3://localhost:7001"; //URL of the Administration server
  String username = "weblogic";
  String password = "weblogic";
  MBeanHome home = null;
  SecurityConfigurationMBean conBean;
  weblogic.management.security.RealmMBean realmBean;
  AuthenticationProviderMBean authBean;
  AuthenticationProviderMBean[] authBeans;
  DefaultAuthenticatorMBean defBean;
  try {
  Environment env = new Environment();
  env.setSecurityPrincipal(username);
  env.setSecurityCredentials(password);
  env.setProviderUrl(url);
  Context ctx = env.getInitialContext();
  home = (MBeanHome) ctx.lookup(MBeanHome.ADMIN_JNDI_NAME);
  System.out.println("Got the MBeanHome: " + home);
  System.out.println("\n\n");
  WebLogicObjectName objName = new
  WebLogicObjectName("mydomain:Name=mydomain,Type=SecurityConfiguration");
  conBean = (SecurityConfigurationMBean) home.getMBean(objName);
  System.out.println("Security configuration MBean: " + conBean);
  System.out.println("\n\n"); realmBean = conBean.findDefaultRealm();
  System.out.println("Got the default realm: " + realmBean);
  System.out.println("\n\n");
  authBeans = realmBean.getAuthenticationProviders(); //is it the
  defaultAuthenticationProviderMBean???
  defBean = (DefaultAuthenticatorMBean)authBeans[0];
  defBean.createUser("test","weblogic","just a test of wls70 security");
  System.out.println("\ncreate successfully!");
  System.out.println("\n\n");
  } catch (Exception e) { e.printStackTrace(); } } }
  "Gavin" <[email protected]> wrote in message
  news:[email protected]...
  >
  Hello,
  I would like to set up WLS 7 so it uses the Oracle implementation ofOpenLDAP.
  I am looking for a Custom Security Provider for OpenLDAP for WLS7. I cannot use
  the embedded LDAP as it does not allow me to programatically create newusers.
  >
  If anyone has a sample implementation, please send it to me. I wouldreally appreciate
  it.
  Thanks
  Gavin

• How can i open my iphone if some one but wrong password for many time?

  how can i open my iphone if some one but wrong password for many time (i want my files) ?

  See here
  http://support.apple.com/kb/HT1212

• How can one use one specific security realm per application ? The realm-name attribute of the login-config tag of web.xml does not make any difference

  Hi,
  I have different sets of users coming from different databases and using different
  roles mapping for each of my web applications. I would like to configure a specific
  security realm per application in my weblogic server 7.0 . Is it possible ?
  I try to specify the realm-name of the login-config tag from the web-xml deployement
  descriptor but it doesn't make any difference. The default realm is always used.
  I also would like to tell the Weblogic server to use the default realm in case
  the realm isn't specified or isn't found. For example, the default would contains
  my admin users.
  Thanks a lot for your answer.
  Iz

  I thik this is a common mistake the ralm-name tag in the deployment descriptor is used
  just by the browser for display purposes (when it opens the basic auth dialog box) so as
  of now there is only 1 active realm which can have multiple providers as Kevin pointed
  out
  Kevin Lewis wrote:
  WebLogic 7 now ignores the realm-name tag (I found that out yesterday).
  My understanding is that there is only one realm active at a time for a domain
  (I would be interested in being contradicted in this).
  However, you can have multiple providers in each category of a realm: authentication,
  authorization, etc. Therefore, what you can do is key authentication, et al,
  off of some other information. We have our users enter their company, for example,
  and use the TextInputCallback to get it. You could also encode something in the
  initial page, based on the URL they hit, or whatever, and get that back in your
  callback.
  You can store that information in your own Principal implementation, and key off
  of that in your authorization provider, going to a different database as appropriate,
  or abstaining when a specific provider doesn’t have anything to say about a subject.
  Anyway, there should be a way to do it, even if it's more complex than you would
  have hoped.
  --Kevin

• Proper security realm for ecommerce user

  I would like to use j2ee security on our ecommerce site (isUserInRole, getUserPrincipal,
  web.xml declarative functionality to protect resources), but my problem is not
  knowing what security realm to I use to manage the user. The site has thousands
  of users and they need the ability to create an account which will determine their
  "role" based on what membership fee they paid. After they have an account they
  can login an have access to sections of the site that are permitted to them based
  on role. All the examples I've seen about weblogic security is using LDAPs or
  their internal RDMS. How can I have weblogic use our own database or is there
  a best practice to accomplish the task I need? Any information would be helpful!!

  It sounds like you have many users in your database, but not that many roles
  & policies.
  Probably you can use the DefaultRoleMapper and DefaultAuthorizer for your
  roles & policies.
  You need a database based authentication provider. Check out the sample
  dbms authentication provider on the dev2dev center:
  http://dev2dev.bea.com/codelibrary/code/sec_rdbms.jsp
  -tm
  "fed " <[email protected]> wrote in message
  news:4010111d$[email protected]..
  >
  I would like to use j2ee security on our ecommerce site (isUserInRole,getUserPrincipal,
  web.xml declarative functionality to protect resources), but my problem isnot
  knowing what security realm to I use to manage the user. The site hasthousands
  of users and they need the ability to create an account which willdetermine their
  "role" based on what membership fee they paid. After they have an accountthey
  can login an have access to sections of the site that are permitted tothem based
  on role. All the examples I've seen about weblogic security is usingLDAPs or
  their internal RDMS. How can I have weblogic use our own database or isthere
  a best practice to accomplish the task I need? Any information would behelpful!!

• How to configure security realm for Active Directory ?

  Hi,
  Can any body suggest how to configure security realm in weblogic 8.1
  I have simple login page where in user can enter his credentials, and i have MS-Active Directory where we maintain all users.
  users who loged into web application has to be authenticated from Active Directory.
  please suggest what are the steps that we need to follow
  thanks in advance

  Hi Sankar,
  You can login to the weblogic server admin console and create a new realm.
  Once you have created the realm you can add the authentication provider.You add the Active Authentication Provider.But you must have the the configuration inforamation of MS AD.You can read my blog http://dev2dev.bea.com/blog/bishnu_kumar/
  where the integration is with iPlanet LDAP.Steps will be similar.
  You must have a login portlet in your portal application and that should have been in accordance with j2ee security standards.For example you may use basic authentication or userlogin control or p13n API
  Regards
  Bishnu

• Configure security realm for external Access Manager in App server 8.1

  Hi All,
  I would like to protect my j2ee application using access manager running on an external host.
  I would like to configure the security realm in Sun app Server 8.1 for the external Access Manager
  external host & port of AM is:
  http://svrd234d.dnn.com.au:58765
  Please verify if these are the correct settings for the agentRealm configuration on Sun App server 8.1.
  classname="com.sun.amagent.as.realm.AgentRealm"
  property name="jaas-context" value="agentRealm"
  property name="base-dn" value="ou=People,dc=dnn,dc=com,dc=au"
  property name="hostURL " value="http://svrd234d.dnn.com.au:58765"

  Did you download AS8.1 agent under http://www.sun.com/download/products.xml?id=4266924d?
  If you can unjar am_as81_agent_2_1.jar after installing the J2EE agent, you will find AgentRealm.class under com.sun.amagent.as.realm.
  Please also note that page 161 of J2EE agent guide shows how to disable AgentRealm to better fit your agent policy mode. Check it out http://docs-pdf.sun.com/816-6884-10/816-6884-10.pdf
  Jerry

• Groups possible for many managed servers?

  Hi,
  we have to manage 30+ servers in 6 different locations.
  In Microsoft Remote Desktop for Mac V 8.0.15 there is only one main group called "My Desktops" and all servers are listed in this group. I don't see a function to add more groups to have a ordered list. Is this possible?

  Hi,
  Sorry to say but still there is no such way to add other group in ordered list.  
  Thanks for your understanding!
  Dharmesh Solanki
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• How to set up different realms for each server ?

  I am using weblogic 6 sp1.I have a domain with several servers. i want to assoicate or use different custom security realm for each server.However -on weblogic console- there is no 'Target' tab in the Security node ,and no way to set up multiple Security nodes.How ca i do this (or can i)?

  Main reason why is this:
  Imagine situation I have 2 servers A and B both of them bellongs to domain SomeDomain.
  Server A is as WebServer and server B hosts all EJBs. And server A is outside
  firewall (does not have DB access). But i would like to use RDBMS realm so what
  to do in this situation. Place both servers in different domains and in server
  A install proxy realm for RDBS realm ?
  "Tom Moreau" <[email protected]> wrote:
  >
  You can't have a different realm for each
  server. There is only one realm for all
  servers - think of it as there is only
  one set of authentication & authorization
  information (that is users/groups/permissions)
  and it applies to all servers.
  Why do you want each server to have its
  own realm? If someone tries to log in,
  do you want WLS to automatically route
  them to a server who is capable of logging
  them in? I'm having trouble understanding
  why you want this feature.
  Thanks,
  -Tom Moreau
  Rachel <[email protected]> wrote:
  I am using weblogic 6 sp1.I have a domain with several servers. i want
  to assoicate or use different custom security realm for each server.However
  -on weblogic console- there is no 'Target' tab in the Security node
  ,and no way to set up multiple Security nodes.How ca i do this (or can
  i)?

• JSF 2.0 Custom security tag

  We are migrating a JSF 1.2 application to JSF 2.0. Earlier we have developed a custom security by extending BodyTagSupport. In JSF 2.0 I have replaced BodyTagSupport with TagSupport and no compilation issues. In my taglib.xml if I configure this Tag with a handler-class[Which is how it was earlier] While running I am getting a class cast exception of not able to cast to TagHandler and If I configure this tag as component[I extended UIComponentELTag] I am getting error message as not able to cast to UIComponent.
  Has any one developed a custom security tag, for examle check user role and if allowed dynamically display set of buttons or skip the particualr body part completely. By doStartTag()[EVAL_BODY_INCLUDE/SKIP_BODY]?
  Edited by: user11864278 on Apr 14, 2011 1:07 PM

  We are not extending TagHandler, I am trying to develop a custom EL Body tag that was earlier done with BodyTagSupport in JSF 1.2. In JSF 2.0 I believe I need to do this by extedning FacetTag in JSF 2.0, when I extend FacetTag and register it as a <handler-class> in taglib.xml I get a TagHandler class cast exception, as by default any Tag configured as Handler-class get cast into TAGHANDLER in JSF 2.0.
  To make my question better, How can I develop a custom tag extending FacetTag?

• Using LDAP as security realm

  Hi,
  Our goal is to use LDAP(Iplanet Directory Server 5.0) as a security Realm
  for Weblogic Personalization and Commerce 3.5.
  Using the WLCS console, I've modified the config.xml file and following
  elements are added:
  <LDAPRealm AuthProtocol='simple' Credential='admin'
  GroupDN='ou=groups,dc=netnumina,dc=com' GroupIsContext='false'
  GroupUsernameAttribute='uniquemember'
  LDAPURL='ldap://sanand.netnumina.com:389' Name='wlcsLDAPRealm'
  Principal='uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot'
  UserAuthentication='local' UserDN='ou=people,dc=netnumina,dc=com'
  UserNameAttribute='uid'/>
  <CachingRealm BasicRealm='wlcsLDAPRealm' CacheCaseSensitive='true'
  Name='wlcsCachingRealm'/>
  But when we try to restart the WLCS, it throws java exceptions that context
  is not initialized and I get the following error
  <Jun 15, 2001 3:41:28 PM EDT> <Emergency> <Server> <Unable to initialize the
  ser
  ver: 'Fatal initialization exception
  Throwable: weblogic.security.ldaprealm.LDAPException: could not get
  context - wi
  th nested exception:
  [java.lang.reflect.InvocationTargetException - with target exception:
  [javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid
  Credential
  s]]]
  weblogic.security.ldaprealm.LDAPException: could not get context - with
  nested e
  xception:
  I tried using Windows NT as a security realm but that gave me errors too.
  Does anyone has any experience using anything other than the default Realm?
  Any help would be appreciated. Thanks!
  Asim Raja
  [email protected]

  I'm not sure, but I suspect you can't
  since this would create a circular dependency -
  your realm would rely on the upper level security
  checking calls but those calls would rely on your
  realm.
  My suggestion is to give it a try and see what
  happens.
  -Tom
  Ozcan ADIYAMAN <[email protected]> wrote:
  Hi ,
  I am implementing a simple custom security realm using LDAP as the
  security store and I can see the users, groups and acls from the admin
  console.
  My question is (a custom realm newbie question) ;
  Is it possible to use weblogic.security.acl.Security with my custom
  realm to check permissions, get the current user,etc.,
  OR
  is this class ONLY used with default realms (when ACL is stored in a
  file) ?
  Thanks
  Ozcan