Policy Director Custom Realm for Weblogic
I would like more information on how the Policy Director custom Realm for Weblogic
works. What all methods are implemented and so on. If anyone could send me the source
code of the custom Realm that would be of great help.
Thanks in advance,
Krish
Well, once again, I'm going to have to provide my own answer.
After much waiting and then deciding to invest much time researching documentation and tracking down information to assist in my solution, I have manage to find the golden egg for my own recipe of a solution.
In addition to the very helpful info I have found at:
http://developers.sun.com/prodtech/appserver/reference/techart/as8_authentication/index.html
I have mange to get my custom realm to work with the additional configuration of my sun-application.xml for my ear file. Even though I only wanted to specify my custom realm for my web.xml file, it turns out that in addition to this, I had to also define it in my sun-application.xml file (manually in XML text mode - within Netbeans 5.5) as follows:
<sun-application>
<realm>mycustrealm</realm>
<security-role-mapping>
<role-name>mycust_role</role-name>
<group-name>mycust_group</group-name>
</security-role-mapping>
</sun-application>
Similar Messages
-
Custom Realm for SJSAS 9.x using JAAS documentation too vague
Hello there,
I am trying to implement a custom realm for a particular web application on my SJSAS 9.x server. So far I have been unsuccessful and receive the following message in my server.log:
[#|2006-10-20T13:51:56.390-0300|INFO|sun-appserver-pe9.0|javax.enterprise.system.core.security|_ThreadID=11;_ThreadName=httpWorkerThread-8080-1;javious;|SEC5046: Audit: Authentication refused for [javious].|#]
The documentation I have been using for reference is at:
http://docs.sun.com/app/docs/doc/819-3659/6n5s6m58k?a=view#beabs
However, I have a number of questions.
First of all, this section referenced by the URL above is identified as "Creating a custom realm". Then the second sentence of this section states "Note that client-side JAAS login modules are not suitable for use with the Application Server". Does this not mean that JAAS login modules are not suitable for use with SJSAS web applications since they are components of the Application Server? Is there a reason for providing information on creating a custom realm for this application server in which it is not suitable for? Why isn't it suitable for the application server? What if I want to implement my own realm for my web application so that I can maintain my application users separately in another application?
Secondly, this section explains that I can create a custom realm simply by creating a custom JAAS login module and a custom realm class. It then goes on to explain how to construct these classes and what to include in them. Notably, the documentation states the following:
The authenticateUser() method must end with the following sequence:
String[] grpList;
// populate grpList with the set of groups to which
// _username belongs in this realm, if any
return commitUserAuthentication(_username, _password,
_currentRealm, grpList);Having looked at the API for authenticateUser I discovered that it is a void method, however the documentation states to return a value from "commitUserAuthentication(..). Also, my commitUserAuthentication method only excepts a single argument of type String[] representing a list of group names, therefore I am unable to supply the additional arguments as documented. This is confusing.
Once finished reading the documentation, I am left hanging with hardly a clue as to what to do with these two new classes. Now having implemented a custom login module on Tomcat 5.x in earlier days, I did happen to have some experience to know to edit the security.properties, policy, and login.conf files. So anyhow from here I end up stumbling blindly through configuration of my domain1/login.conf and domain1/server.policy files. I also attempted to add my new realm within the admin console under security/realms and dropped my new jar file (with two classes) into the app server lib directory.
All in all, this completely fails to work. I have even placed System.out.println statements in all of my implemented methods and none of this actually shows up in my server.log file. Why is this section so vague? Why isn't there a step-by-step example from start to finish of how to implement a simple custom realm in SJSAS9?
Does anybody have any helpful suggestions?Well, once again, I'm going to have to provide my own answer.
After much waiting and then deciding to invest much time researching documentation and tracking down information to assist in my solution, I have manage to find the golden egg for my own recipe of a solution.
In addition to the very helpful info I have found at:
http://developers.sun.com/prodtech/appserver/reference/techart/as8_authentication/index.html
I have mange to get my custom realm to work with the additional configuration of my sun-application.xml for my ear file. Even though I only wanted to specify my custom realm for my web.xml file, it turns out that in addition to this, I had to also define it in my sun-application.xml file (manually in XML text mode - within Netbeans 5.5) as follows:
<sun-application>
<realm>mycustrealm</realm>
<security-role-mapping>
<role-name>mycust_role</role-name>
<group-name>mycust_group</group-name>
</security-role-mapping>
</sun-application> -
SUn Policy Agent 2.2 for Weblogic 92
We are using SUN POlicy agent 2.2. (for Weblogic) for Access Manager 6.3
For this particular application I intermittantly get SSOToken invald message
Its a sporadic behavior (sometimes work sometime does not)
error -
02/02/2007 12:22:41:057 PM EST: Thread[[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)',5,Pooled Threads]
SSOTokenValidator.validate(): Exception caught
com.iplanet.sso.SSOException: AQIC5wM2LY4Sfcw k8CIsj Jujq92ltM5fNZJxh2qFYpAyw=@AAJTSQACMDE=# Invalid session ID.AQIC5wM2LY4Sfcw k8CIsj Jujq92ltM5fNZJxh2qFYpAyw=@AAJTSQACMDE=#check the patch level of AM 6.3, it should be higher than 1
-
Weblogic700 sp4 custom realm for SAM authentication
we have an applicaiton running on WL7.0 sp4 which will be protected by sun access manager 7.1, but in the domain config we need to create a realm that authentication provider will be SAMAuthentication , I want to know whether we need to create a custom realm or we can create iplanet realm.
Well, once again, I'm going to have to provide my own answer.
After much waiting and then deciding to invest much time researching documentation and tracking down information to assist in my solution, I have manage to find the golden egg for my own recipe of a solution.
In addition to the very helpful info I have found at:
http://developers.sun.com/prodtech/appserver/reference/techart/as8_authentication/index.html
I have mange to get my custom realm to work with the additional configuration of my sun-application.xml for my ear file. Even though I only wanted to specify my custom realm for my web.xml file, it turns out that in addition to this, I had to also define it in my sun-application.xml file (manually in XML text mode - within Netbeans 5.5) as follows:
<sun-application>
<realm>mycustrealm</realm>
<security-role-mapping>
<role-name>mycust_role</role-name>
<group-name>mycust_group</group-name>
</security-role-mapping>
</sun-application> -
Creating a custom realm for tomcat. Help and suggestions please.
Has anybody ever created a custom realm to authenticate users in tomcat.
I would like to use form based login with my own realm.
The form requires 3 fields to log in (hence the custom realm) . I would also like to be able to use the built-in functions like isuserinrole.
If anybody has experience with this or knows of a place where to get valuable information please let me know.
Thanks in advance!Hi
Tomcatx.x.x uses the realm sandbox security tecnique
1)In you'r abcd/web-inf/WEB.xml file
write the realm config scripts for the required
jsp/servlet pages[similar will be found in
Tomcat/webapps/examples/web-inf/web.xml]
2)In Tomcatx.x.x/conf/tomcat_users.xml
declare the realm id/pass/roles
3)If still not able to do then study the web.xml (pdf)
avaliable at websiter http://www.moreservlets.com -
Issues while setting up custom authenticator for weblogic
whene can I find sample source code for setting up the custom authenticator.
send a test mail at [email protected], will send u d source code!!
-
Using fileReamd + custom realm w/ WLS6
Hi,
I would like to write a custom realm for WLS6.0, but I would like to
delegate to the fileRealm for WebLogic accounts, such as 'system'. Can
anyone suggest a straightforward way to accomplish this?
Thanks,
Dhiren
Dhiren Patel -- Sr. Web Architect -- Align Technology, Inc.Duh. Momentary lapse of reason, please disregard.
Dhiren
Dhiren Patel wrote:
Hi,
I would like to write a custom realm for WLS6.0, but I would like to
delegate to the fileRealm for WebLogic accounts, such as 'system'. Can
anyone suggest a straightforward way to accomplish this?
Thanks,
Dhiren
Dhiren Patel -- Sr. Web Architect -- Align Technology, Inc.--
Dhiren Patel -- Sr. Web Architect -- Align Technology, Inc. -
auth-method BASIC with custom realm
I've set up my web.xml with <auth-method>BASIC, and I've defined a custom realm
for authentication. When I enter a valid userid/password at login, I can trace
authUserPassword() in my custom realm, and I can see that it is returning an object
which is a subclass of weblogic.security.acl.User, as it should. However, rather
than acknowledging a successful login and moving on, the login dialog is redisplayed,
(minus password). Further attempts to enter the same userid/password don't invoke
authUserPassword(), presumably since the "failed" login is still cached. What
am I missing?Have a look in the web server log to see under what account the failed
accesses took place, that will help in identifying the cause.
"Bill Welch" <[email protected]> wrote in message
news:3b2a6431$[email protected]..
>
I've set up my web.xml with <auth-method>BASIC, and I've defined a customrealm
for authentication. When I enter a valid userid/password at login, I cantrace
authUserPassword() in my custom realm, and I can see that it is returningan object
which is a subclass of weblogic.security.acl.User, as it should. However,rather
than acknowledging a successful login and moving on, the login dialog isredisplayed,
(minus password). Further attempts to enter the same userid/passworddon't invoke
authUserPassword(), presumably since the "failed" login is still cached.What
am I missing? -
Custom Realm Bug in WebLogic SP3?
I recently upgraded WebLogic 6.1 from SP1 to SP3 and am now
receiving a ClassCastException when invoking the checkPermission
method on a Custom realm ACL that extends weblogic.security.acl.AclImpl.
This code worked fine in SP1. It seems that other developers
have experienced this problem when applying service packs to
WebLogic 5. Any one else encountering this problem with
WebLogic 6 and what is the workaround? (Stack trace attached)
TIA
[aclimplexception.txt]I was unable to determine the cause of the problem, but I was
able to identify that AclImpl was changed between SP1 and SP3.
I updated SP3's weblogic.jar with the weblogic.security.acl.AclImpl
class in the weblogic.jar from SP1 and the exception went away.
I did not see anything in the release notes for SP2 and SP3
that indicate what may have changed. Does anyone know?
"Jason Southern" <[email protected]> wrote:
>
>
>
I recently upgraded WebLogic 6.1 from SP1 to SP3 and am now
receiving a ClassCastException when invoking the checkPermission
method on a Custom realm ACL that extends weblogic.security.acl.AclImpl.
This code worked fine in SP1. It seems that other developers
have experienced this problem when applying service packs to
WebLogic 5. Any one else encountering this problem with
WebLogic 6 and what is the workaround? (Stack trace attached)
TIA -
Help with Weblogic 6 sp1 Custom Realm !!!!
We are trying to run Weblogic 6.0 sp1 with our current environment (ejb 1.1, custom
security realm)
We can compile and deploy our ejb 1.1 beans. We wish to start with ejb1.1 and
move to ejb2.0 once we can get our custom security working.
The JDBC connection pools are fine.
Our custom security realm uses LDAP for user authentication and an Oracle table
for authorization (acls).
Earlier, I wrote to the board and received the below following instructions to
use our existing custom realm in wl 60. You can read below, but I followed these
instructions on Solaris 5.6.
1. I ensured the SunOS patches were up to date.
2. We ensured the LD_LIBRARY_PATH reflected weblogic 6 (and not 5.1). We moved
the 5.1 classes over to wl6.
3. We copied our custom realm properties file to the weblogic root and/or the
config subdirectory (tried them both).
4. We ensured the security realm class we wrote is in the classpath (we bunch
all our serverside classes in a jar file anyway).
5. Then we created a custom realm via the console – name BFXRealm and it’s
class name <package>.BFXRealm, left configuration box blank.
6. Then we created a custom caching realm BFXCachingREalm and set its basic realm
as the custom realm, BFXRealm. All of the enable caches are checked to true.
7. Then we set the default realm to the BFXCachingRealm.
Now, when we perform a query, the everyone group should be implied. We don’t
implement LDAP lookup on queries. If I try to run a query from a client, I see
the client box connecting with the server:
Last line - you can see the client box connecting to the server -
<May 30, 2001 2:20:07 PM EDT> <Info> <J2EE> <Deployed : DefaultWebApp_myserver>
<May 30, 2001 2:20:07 PM EDT> <Notice> <WebLogicServer> <WebLogic Server started>
<May 30, 2001 2:20:07 PM EDT> <Info> <Configuration Management> <Backed up booted
configuration /opt/apps/weblogic/beasp1/wlserver6.0sp1/./config/mydomain/config.xml
at /opt/apps/weblogic/beasp1/wlserver6.0sp1/./config/mydomain/config.xml.booted>
<May 30, 2001 2:20:07 PM EDT> <Notice> <WebLogicServer> <ListenThread listening
on port 7001>
<May 30, 2001 2:20:07 PM EDT> <Notice> <WebLogicServer> <SSLListenThread listening
on port 7002>
<May 30, 2001 2:20:08 PM EDT> <Info> <Posix Performance Pack> <System has file
descriptor limits of - soft: '1024', hard: '1024'>
<May 30, 2001 2:20:08 PM EDT> <Info> <Posix Performance Pack> <Using effective
file descriptor limit of: '1024' open sockets/files.>
<May 30, 2001 2:20:08 PM EDT> <Info> <Posix Performance Pack> <Allocating: '3'
POSIX reader threads>
<May 30, 2001 2:20:23 PM EDT> <Info> <HTTP> <[HTTP myserver] Created log stream
/opt/apps/weblogic/beasp1/wlserver6.0sp1/config/mydomain/logs/access.log>
<May 30, 2001 2:21:50 PM EDT> <Info> <WebLogicServer> <Adding address: 152.51.164.233/152.51
The client receives the error:
javax.naming.AuthenticationException. Root exception is java.lang.SecurityException:
Authentication
for user aws4270 denied in realm weblogic
It’s as if the fileRealm.properties is only being looked at. We do not
use this for our user/groups/acls in wl5.1.0 and we do not want to in wl6
For “fun”, I added a user to the fileRealm.properties file via the
console and ran a client query. It worked.
But when I tried to call an ejbCreate from the client, I received these errors
from the server:
BFXSecurityRealmException is a custom exception we have written. A query works
but a create does not - obviously cannot get to acl in database (?)
and why the ejb20 errors? We just want to start with ejb 1.1
In SeqStoreSecurityHelper.isUserAuthorized(): schema = seqStore.INTNUC, class
= bioseq, project = HIPPI, permission = create
<May 30, 2001 2:50:10 PM EDT> <Info> <EJB> <EJB Exception in method: ejbCreate:
com.gw.bioinfo.exception.BFXSecurityRealmException: BFX-90000: A BFXSecurityRealmException
occurred.
com.gw.bioinfo.exception.BFXSecurityRealmException: BFX-90000: A BFXSecurityRealmException
occurred.
at com.gw.bioinfo.ejb.bioSeq.BioSequenceBean.ejbCreate(BioSequenceBean.java:1562)
at com.gw.bioinfo.ejb.bioSeq.BioSequenceBeanImpl.ejbCreate(BioSequenceBeanImpl.java:833)
at java.lang.reflect.Method.invoke(Native Method)
at weblogic.ejb20.manager.DBManager.create(DBManager.java:408)
at weblogic.ejb20.internal.EntityEJBHome.create(EntityEJBHome.java:353)
at com.gw.bioinfo.ejb.bioSeq.BioSequenceBeanHomeImpl.create(BioSequenceBeanHomeImpl.java:111)
at com.gw.bioinfo.ejb.bioSeq.BioSequenceBeanHomeImpl_WLSkel.invoke(BioSequenceBeanHomeImpl_WLSkel.java:78)
at weblogic.rmi.internal.BasicServerAdapter.invoke(BasicServerAdapter.java:373)
at weblogic.rmi.cluster.ReplicaAwareServerRef.invoke(ReplicaAwareServerRef.java:128)
at weblogic.rmi.internal.BasicServerAdapter.invoke(BasicServerAdapter.java:237)
at weblogic.rmi.internal.BasicRequestHandler.handleRequest(BasicRequestHandler.java:118)
at weblogic.rmi.internal.BasicExecuteRequest.execute(BasicExecuteRequest.java:17)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:137)
at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:120)
The client receives the error:
java.rmi.RemoteException: EJB Exception:; nested exception is:
com.gw.bioinfo.exception.BFXSecurityRealmException: BFX-90000: A BFXSecurityRealmException
o
ccurred.
com.gw.bioinfo.exception.BFXSecurityRealmException: BFX-90000: A BFXSecurityRealmException
occurred.
HOW CAN WE GET THE SERVER TO BYPASS FILEREALM and use BFXREALM ???????????
Thanks,
Anne
Subject: Re: Do Custom Security Realms have to use Mbeans?
Date: 17 May 2001 06:38:23 -0800
From: "Tom Moreau" <[email protected]>
Newsgroup: weblogic.developer.interest.security
Yes this can be done. Here's how:
1) I'll assume that the classname to your custom realm is "com.yourcompany.YourCustomRealm"
2) I'll assume that your custom realm has some kind of properties file from which
it reads its configuration data. Let's call this file "YourCustomRealm.properties"
3) Copy YourCustomRealm.properties to every machine that you're running wls on
(you are probably already doing this today).
4) Make sure that com.yourcompany.YourCustomRealm is in the classpath when you
start wls (you should already be doing this today)
5) In 5.1, there used to be some utility classes that customers used for their
custom realms - something about Pools & Factories. These have been renamed in
6.0. If you're using these classes, then go to your 5.1 weblogic jar file and
pull out these classes and add them to your classpath for 6.0.
6) In the console, create a custom realm and set it's realm class name to com.yourcompany.YourCustomRealm.
Leave the configuration data section blank.
7) In the console, configure your custom realm as the alternate realm. That is,
create a caching realm and set it's basic realm to your custom realm, then set
the realm's caching realm to the caching realm you just created.
I'm pretty sure this should work for you. We did this to provide a patch that
let 6.0 users uses the LDAPRealm rewrite from 5.1.
The downside is that you don't get single point of administration - that is, you
have to make your custom realm's configuration data (YourCustomRealm.properties)
available on all the machines you're running WLS on. If you rework your custom
realm, then the configuration data gets put in the custom realm configuration
you create via the console and automatically copied to other machines for you.
- TomWe are trying to run Weblogic 6.0 sp1 with our current environment (ejb 1.1, custom
security realm)
We can compile and deploy our ejb 1.1 beans. We wish to start with ejb1.1 and
move to ejb2.0 once we can get our custom security working.
The JDBC connection pools are fine.
Our custom security realm uses LDAP for user authentication and an Oracle table
for authorization (acls).
Earlier, I wrote to the board and received the below following instructions to
use our existing custom realm in wl 60. You can read below, but I followed these
instructions on Solaris 5.6.
1. I ensured the SunOS patches were up to date.
2. We ensured the LD_LIBRARY_PATH reflected weblogic 6 (and not 5.1). We moved
the 5.1 classes over to wl6.
3. We copied our custom realm properties file to the weblogic root and/or the
config subdirectory (tried them both).
4. We ensured the security realm class we wrote is in the classpath (we bunch
all our serverside classes in a jar file anyway).
5. Then we created a custom realm via the console – name BFXRealm and it’s
class name <package>.BFXRealm, left configuration box blank.
6. Then we created a custom caching realm BFXCachingREalm and set its basic realm
as the custom realm, BFXRealm. All of the enable caches are checked to true.
7. Then we set the default realm to the BFXCachingRealm.
Now, when we perform a query, the everyone group should be implied. We don’t
implement LDAP lookup on queries. If I try to run a query from a client, I see
the client box connecting with the server:
Last line - you can see the client box connecting to the server -
<May 30, 2001 2:20:07 PM EDT> <Info> <J2EE> <Deployed : DefaultWebApp_myserver>
<May 30, 2001 2:20:07 PM EDT> <Notice> <WebLogicServer> <WebLogic Server started>
<May 30, 2001 2:20:07 PM EDT> <Info> <Configuration Management> <Backed up booted
configuration /opt/apps/weblogic/beasp1/wlserver6.0sp1/./config/mydomain/config.xml
at /opt/apps/weblogic/beasp1/wlserver6.0sp1/./config/mydomain/config.xml.booted>
<May 30, 2001 2:20:07 PM EDT> <Notice> <WebLogicServer> <ListenThread listening
on port 7001>
<May 30, 2001 2:20:07 PM EDT> <Notice> <WebLogicServer> <SSLListenThread listening
on port 7002>
<May 30, 2001 2:20:08 PM EDT> <Info> <Posix Performance Pack> <System has file
descriptor limits of - soft: '1024', hard: '1024'>
<May 30, 2001 2:20:08 PM EDT> <Info> <Posix Performance Pack> <Using effective
file descriptor limit of: '1024' open sockets/files.>
<May 30, 2001 2:20:08 PM EDT> <Info> <Posix Performance Pack> <Allocating: '3'
POSIX reader threads>
<May 30, 2001 2:20:23 PM EDT> <Info> <HTTP> <[HTTP myserver] Created log stream
/opt/apps/weblogic/beasp1/wlserver6.0sp1/config/mydomain/logs/access.log>
<May 30, 2001 2:21:50 PM EDT> <Info> <WebLogicServer> <Adding address: 152.51.164.233/152.51
The client receives the error:
javax.naming.AuthenticationException. Root exception is java.lang.SecurityException:
Authentication
for user aws4270 denied in realm weblogic
It’s as if the fileRealm.properties is only being looked at. We do not
use this for our user/groups/acls in wl5.1.0 and we do not want to in wl6
For “fun”, I added a user to the fileRealm.properties file via the
console and ran a client query. It worked.
But when I tried to call an ejbCreate from the client, I received these errors
from the server:
BFXSecurityRealmException is a custom exception we have written. A query works
but a create does not - obviously cannot get to acl in database (?)
and why the ejb20 errors? We just want to start with ejb 1.1
In SeqStoreSecurityHelper.isUserAuthorized(): schema = seqStore.INTNUC, class
= bioseq, project = HIPPI, permission = create
<May 30, 2001 2:50:10 PM EDT> <Info> <EJB> <EJB Exception in method: ejbCreate:
com.gw.bioinfo.exception.BFXSecurityRealmException: BFX-90000: A BFXSecurityRealmException
occurred.
com.gw.bioinfo.exception.BFXSecurityRealmException: BFX-90000: A BFXSecurityRealmException
occurred.
at com.gw.bioinfo.ejb.bioSeq.BioSequenceBean.ejbCreate(BioSequenceBean.java:1562)
at com.gw.bioinfo.ejb.bioSeq.BioSequenceBeanImpl.ejbCreate(BioSequenceBeanImpl.java:833)
at java.lang.reflect.Method.invoke(Native Method)
at weblogic.ejb20.manager.DBManager.create(DBManager.java:408)
at weblogic.ejb20.internal.EntityEJBHome.create(EntityEJBHome.java:353)
at com.gw.bioinfo.ejb.bioSeq.BioSequenceBeanHomeImpl.create(BioSequenceBeanHomeImpl.java:111)
at com.gw.bioinfo.ejb.bioSeq.BioSequenceBeanHomeImpl_WLSkel.invoke(BioSequenceBeanHomeImpl_WLSkel.java:78)
at weblogic.rmi.internal.BasicServerAdapter.invoke(BasicServerAdapter.java:373)
at weblogic.rmi.cluster.ReplicaAwareServerRef.invoke(ReplicaAwareServerRef.java:128)
at weblogic.rmi.internal.BasicServerAdapter.invoke(BasicServerAdapter.java:237)
at weblogic.rmi.internal.BasicRequestHandler.handleRequest(BasicRequestHandler.java:118)
at weblogic.rmi.internal.BasicExecuteRequest.execute(BasicExecuteRequest.java:17)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:137)
at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:120)
The client receives the error:
java.rmi.RemoteException: EJB Exception:; nested exception is:
com.gw.bioinfo.exception.BFXSecurityRealmException: BFX-90000: A BFXSecurityRealmException
o
ccurred.
com.gw.bioinfo.exception.BFXSecurityRealmException: BFX-90000: A BFXSecurityRealmException
occurred.
HOW CAN WE GET THE SERVER TO BYPASS FILEREALM and use BFXREALM ???????????
Thanks,
Anne
Subject: Re: Do Custom Security Realms have to use Mbeans?
Date: 17 May 2001 06:38:23 -0800
From: "Tom Moreau" <[email protected]>
Newsgroup: weblogic.developer.interest.security
Yes this can be done. Here's how:
1) I'll assume that the classname to your custom realm is "com.yourcompany.YourCustomRealm"
2) I'll assume that your custom realm has some kind of properties file from which
it reads its configuration data. Let's call this file "YourCustomRealm.properties"
3) Copy YourCustomRealm.properties to every machine that you're running wls on
(you are probably already doing this today).
4) Make sure that com.yourcompany.YourCustomRealm is in the classpath when you
start wls (you should already be doing this today)
5) In 5.1, there used to be some utility classes that customers used for their
custom realms - something about Pools & Factories. These have been renamed in
6.0. If you're using these classes, then go to your 5.1 weblogic jar file and
pull out these classes and add them to your classpath for 6.0.
6) In the console, create a custom realm and set it's realm class name to com.yourcompany.YourCustomRealm.
Leave the configuration data section blank.
7) In the console, configure your custom realm as the alternate realm. That is,
create a caching realm and set it's basic realm to your custom realm, then set
the realm's caching realm to the caching realm you just created.
I'm pretty sure this should work for you. We did this to provide a patch that
let 6.0 users uses the LDAPRealm rewrite from 5.1.
The downside is that you don't get single point of administration - that is, you
have to make your custom realm's configuration data (YourCustomRealm.properties)
available on all the machines you're running WLS on. If you rework your custom
realm, then the configuration data gets put in the custom realm configuration
you create via the console and automatically copied to other machines for you.
- Tom -
Hi,
We have created a WebLogic Platform Domain. A WebLogic Portal application(Portal
7.0) and some Web Service apps are running on this domain.
We have created a Custom Security Realm b'cos of our application requirements
and now when I startup the Platform Domain, I see lot of errors.
Some of the errors typically are
"<Jan 16, 2003 4:07:02 PM EST> <Error> <HTTP> <101256> <The run-as user: wlisystem,
for the servlet: ApplicationView for the webapp: /WLI_AI_Workshop_Control_Web,
could not be resolved to a valid user in the system. Please check if the user
exists.
javax.security.auth.login.LoginException: Authentication Failed: User wlisystem
denied in Realm Adapter realm weblogic"
or
Unable to deploy EJB: wlai-eventprocessor-ejb.jar from wlai-eventprocessor-ejb.jar:weblogic.ejb20.WLDeploymentException:
weblogic.ejb20.interfaces.PrincipalNotFoundException: Authentication Failed: User
wlisystem denied in Realm Adapter realm weblogic
Do we have to create any predefined user accounts in the Security Store to get
rid of these errors. I would appreciate if anyone can suggest some tips or workarounds
for configuring or creating a Custom Security Realm for Web Logic Platform Domain.
Thanks
Vikramwith 7.0 try to create system in your custom realm.. that may help.
-kiran
"Vikram" <[email protected]> wrote in message
news:[email protected]...
>
Kiran,
First time around, the Custom realm was not authenticating the user. I gotthe
code to authenticate the user successfully. Now the WebLogic serverwouldn't even
start. It would give me an error message which says "User System is notauthorized
to boot Weblogic Server". For your reference, I am attaching the Log file.My
custom realm classes output some debugging statements in the log file.From the
log file u will see that the users are getting authenticated successfully.
Please let me know if you have a custom realm working for you. I might bemissing
something.
Appreciate your help.
Thanks
Vikram
"kirann" <[email protected]> wrote:
does your realm able to authenticate user "wlisystem".
thanks
kiran
"Vikram Datla" <[email protected]> wrote in message
news:[email protected]...
Hi,
We have created a WebLogic Platform Domain. A WebLogic Portalapplication(Portal
7.0) and some Web Service apps are running on this domain.
We have created a Custom Security Realm b'cos of our applicationrequirements
and now when I startup the Platform Domain, I see lot of errors.
Some of the errors typically are
"<Jan 16, 2003 4:07:02 PM EST> <Error> <HTTP> <101256> <The run-asuser:
wlisystem,
for the servlet: ApplicationView for the webapp:/WLI_AI_Workshop_Control_Web,
could not be resolved to a valid user in the system. Please check ifthe
user
exists.
javax.security.auth.login.LoginException: Authentication Failed: Userwlisystem
denied in Realm Adapter realm weblogic"
or
Unable to deploy EJB: wlai-eventprocessor-ejb.jar fromwlai-eventprocessor-ejb.jar:weblogic.ejb20.WLDeploymentException:
weblogic.ejb20.interfaces.PrincipalNotFoundException: AuthenticationFailed: User
wlisystem denied in Realm Adapter realm weblogic
Do we have to create any predefined user accounts in the Security Storeto
get
rid of these errors. I would appreciate if anyone can suggest sometips or
workarounds
for configuring or creating a Custom Security Realm for Web Logic
Platform
Domain.
Thanks
Vikram -
One custom security realm for many wl servers?
Is it possible to use one custom security realm for many weblogic servers...ie
one login for all application on different weblogic server.Is it possible to use one custom security realm for many weblogic servers...ie
one login for all application on different weblogic server. -
WebLogic Server doesn't start after configuring a Custom Realm
Hi,
We are having problems getting WebLogic server to startup after configuring a
Custom Realm. It outputs the error message "User System not authorized to boot
WebLogic Server. Security Excpetion".
For debugging purposed we had our Custom Realm classes output some debug statements
to the console. From the output it was apparent that all the users were getting
authenticated properly including System, Administrator, wliSystem etc. But after
the initial authentications we get this error message. I am attaching the log
file for your reference. Do we have to implement Authorization also (by implementing
ACLImpl) in the Custom Realm. Our Custom Realm was planned to be used only for
authentication.
Appreciate any feedback on the cause of the problem.
Thanks
Vikram
[test.log]Thanks Deyan. I will give it a try and let you know.
"Deyan D. Bektchiev" <[email protected]> wrote:
Vikram,
You should make your user that you use to startup the server a member
of
the Administrators group.
In other words there should be a Principal "Administrators" in the
Subject that your LoginModule returns.
I'm not sure if you can configure this afterwards but this is how it's
done out of the box.
Dejan
Vikram wrote:
Mike,
We are working with a Platform domain on Weblogic 7.0. When you implementa custom
realm it can be implemented just for authentication and not for authorization.
In our case we used the Custom Realm only for authentication. ACLs storeall the
authorization information. We assumed that the standard Weblogic useraccounts
like system, administrator are already part of the ACLs with the appropriateprivileges.
Please let me know if you have any suggestions.
Thanks
Vikram
"mike" <[email protected]> wrote:
You mix up authentication and authorization. The fact that a user is
a valid user
(authentication) does not guarantee that he/she can perform a certain
action (authorization).
The second is defined by ACLs or something, which is probably (most
likely)
not
set in your case. To go on ranting I need to know which version youare
on (looks
like 7, grey area for me).
"Vikram" <[email protected]> wrote:
Hi,
We are having problems getting WebLogic server to startup after configuring
a
Custom Realm. It outputs the error message "User System not authorized
to boot
WebLogic Server. Security Excpetion".
For debugging purposed we had our Custom Realm classes output some
debug
statements
to the console. From the output it was apparent that all the userswere
getting
authenticated properly including System, Administrator, wliSystemetc.
But after
the initial authentications we get this error message. I am attaching
the log
file for your reference. Do we have to implement Authorization also
(by
implementing
ACLImpl) in the Custom Realm. Our Custom Realm was planned to be used
only for
authentication.
Appreciate any feedback on the cause of the problem.
Thanks
Vikram -
Admin Console Integration for Users in a Custom Realm
We are implementing a custom realm and are having troubles getting our Users to
show up in the User list.
Our user class extends weblogic.security.acl.User, and is forced to use the default
CTOR because our data access layer requires it.
Unfortunately, getName() returns null if the User(String) constructor is not used.
Furthermore, Identity::setName() is final, so it seems as though there is no
way to set the user's name after construction.
I am correct in this?
If so, any thoughts on whether it is worth going down the path of making my user
class implement Principal instead of extending weblogic.security.acl.User? I
would be forced to try to guess at what methods in User are required to integrate
with the admin console, I believe. I have not been able to find any documentation
that specifies what api/contract the console uses when it attempts to display
user, role, acl information for a custom realm.
Any advice would be greatly appreciated.
-chrisMy comments mixed with your text
"Chris Goodacre" <[email protected]> wrote:
>
We are implementing a custom realm and are having troubles getting our
Users to
show up in the User list.
Our user class extends weblogic.security.acl.User, and is forced to use
the default
CTOR because our data access layer requires it.
Unfortunately, getName() returns null if the User(String) constructor
is not used.Yes.
Furthermore, Identity::setName() is final, so it seems as though there
is no
way to set the user's name after construction.
I am correct in this?Yes. Changing a user's name on a constructed user object is like mutating that
user to another user - a security hole. It isn't allowed.
>
If so, any thoughts on whether it is worth going down the path of making
my user
class implement Principal instead of extending weblogic.security.acl.User?I'd try to stay with extending weblogic.security.acl.User, but also implement
weblogic.security.acl.CredentialChanger, so you can change passwords through the
console (otherwise you get NullPointerExceptions).
You really want to get around not being able to supply a user name as part of
the ctor.
I
would be forced to try to guess at what methods in User are required
to integrate
with the admin console, I believe. I have not been able to find any
documentation
that specifies what api/contract the console uses when it attempts to
display
user, role, acl information for a custom realm.
Any advice would be greatly appreciated.
-chris1. Your realm should extend AbstractManageableRealm and implement DebuggableRealm
if you want to integrate with the console.
2. The only contract is to implement all the methods!
3. Check the type of the user and group objects being passed to your realm - if
they're not your user and group type, reject the call.
4. The documentation is indeed terrible, and often wrong. The examples shipped
are incomplete (the RBDMS realm shipped has approx 1/3 of the functionality).
You'll get good with jad.
Should all be better in 7.0 with JAAS. The realm interfaces is a dog.
Good luck,
simon. -
Hi,
I have several questions regarding this topic:
1) Does Weblogic 5.1 supports Custom Tags ? If so, are there any known
problems ?
2) Does Weblogic come with any tag libraries (for loops, if, etc) and where
can I get them ?
3) Are there any tag libraries out there (JRun, for example) that have been
successfully run on Weblogic ?
Any help would be much appreciated.
Thanks,
Jamie
As there seems to be general interest, a link would probably be a great
help.
Regards
Daniel Hoppe
-----Original Message-----
From: Michael Girdley [mailto:[email protected]]
Posted At: Friday, August 25, 2000 8:03 AM
Posted To: jsp
Conversation: Custom JSP Tags for Weblogic
Subject: Re: Custom JSP Tags for Weblogic
Please see the documentation:
http://www.weblogic.com/docs51/resources.html
Michael Girdley
BEA Systems Inc
"Jamie" <[email protected]> wrote in message
news:[email protected]...
> Update
> =======
>
> Weblogic Portal has some Tag libraries. I've downloaded the trial
version
> of
> the Weblogic Commerce Server. How do I get the tag libraries and use
them
> on WL 5.1 ?
>
> Answers to original post still wanted
>
> Thanks,
>
> Jamie
>
> Jamie <[email protected]> wrote in message
> news:[email protected]...
> > Hi,
> >
> > I have several questions regarding this topic:
> >
> > 1) Does Weblogic 5.1 supports Custom Tags ? If so, are there any
known
> > problems ?
> >
> > 2) Does Weblogic come with any tag libraries (for loops, if, etc)
and
> where
> > can I get them ?
> >
> > 3) Are there any tag libraries out there (JRun, for example) that
have
> been
> > successfully run on Weblogic ?
> >
> >
> > Any help would be much appreciated.
> >
> > Thanks,
> >
> > Jamie
> >
> >
>
>
Maybe you are looking for
-
Firefox freezing, and eventually crashing when opening a tab?
Just yesterday this started, at first youtube videos froze the browser (but I could still hear them playing) and now I can't even open a tab without firefox freezing and just eventually having to end the process. It was working perfectly before yeste
-
Use of "Archive Source Files with Errors" for BIC module error
Hi All, I have Edi file to Idoc scenario , where i am using SEEBURGER BICXIADAPTER.MODULE. My question is if the input file caught in error with BIC Module e.g "MP: exception caught with cause Error in BICMODULE-module:Temporary error: BIC XI Adapter
-
Hi My XI system is set-up with alerts frame-work and we are able to raise almost all the system generated alerts. But we are facing one issue with JMS channel alerts. Lets me explain the problem. We have a JMS channel connected to JMS Server and we a
-
Locked Screen Play different Music - iOS 7
Hello all, On my iPhone 4 under since I updated to iOS 7 I have been unable to restart music from where I left off from the lock screen. For example, I am listening to Track A in the music player and I stop the music while in the Music player. I don'
-
Equium M50-163 Bluetooth Enabled??
Everytime i try and set up my bluetooth application,i get a warning box popping up saying "Bluetooth Not Ready" I belive i have to purchase aditional Bluetooth equipment for my laptop. Anyone had this problem before or any ideas on what i need to get