Problem in security roles

Similar Messages

• Problem with Security Role mapping and LDAP

  Hi,
  In Oracle Internet Directory I've created a group called OIDGroup1.OIdGroup1 has 2 users : OIDuser1 and OIDuser2.
  OIDGroup1 is mapped to EjbRole1 (is a security role defined in ejb-jar.xml, EjbRole1 can do everything in the application).Now if I login as OIDuser1 or OIDuser2, application said that the user does not
  have authorization to execute some method. The mapping in my orion-application.xml is :
  <security-role-mapping name="EjbRole1">
  <group name="admin/OIDGroup1"/>
  </security-role-mapping>
  <jazn provider="LDAP" location="ldap://myhost:4032"><jazn-web-app auth-method="SSO"/></jazn>
  if I modified orion-application.xml like this :
  <security-role-mapping name="EjbRole1">
  <group name="admin/OIDGroup1"/>
  <user name="admin/OIDuser1"/>
  </security-role-mapping>
  then login as OIDuser1, it works. But it does not work with OIDuser2.
  That's is a problem for me because our customer can not manage the user/group
  easily : each time they have a a new user, instead of simply adding this user
  in the OIDGroup1 (with graphic interface of OIDAS), they have to modify
  orion-application.xml.
  Do you have any idea ?
  Thanks in advance
  regards

  I found the bug : in LDAP I've got a user also called OIDGroup1 (the same as group's name).

• Problem with security role

  Hello,
  I have Enterpise Portal 7.0 SP13 instance (only Java stack installed). My enviroment is AIX 5.3 and Oracle 10.
  This instance has a lot of security alerts in the default trace log, like this:
  #1.5^H#C2B30000C03D006400000039000A9084000443246AFD6467#1199723599717#com.sap.engine.services.security.roles.SecurityRoleImpl##com.sap.engine.services.security.roles.SecurityRoleImpl#j2ee_admin#1208####41667d10bd3e11dccc51c2b30000c03d#SAPEngine_Application_Thread[impl:3]_5##0#0#Error#1#/System/Security/Audit/J2EE#Java###:Authorization check for caller assignment to J2EE security role [ : ].#3#ACCESS.ERROR#SAP-J2EE-Engine#guests#
  Anyone knows what is it?
  Regards
  Rodrigo

  I found the bug : in LDAP I've got a user also called OIDGroup1 (the same as group's name).

• Problem mapping LoginModule roles to ejb security roles

  I have "successfully" managed to implement the DBSystemLoginModule. When I run my application I successfully authenticate to the database, the login module successfully retrieves the users roles from the database and adds them to the subject:
  PassiveCallbackHandler cbh = new PassiveCallbackHandler(username, password);
  LoginContext lc = new LoginContext("current-workspace-app", cbh);
  lc.login();
  I then perform a lookup on a bean using the same user:
  Hashtable env = new Hashtable();
  env.put(Context.INITIAL_CONTEXT_FACTORY, "oracle.j2ee.rmi.RMIInitialContextFactory");
  env.put("java.naming.security.principal",username);
  env.put("java.naming.security.credentials",password);
  env.put("java.naming.provider.url", "ormi://localhost:23891/current-workspace-app");
  Context ic = new InitialContext(env);
  final SessionEJBHome sessionEJBHome =
  (SessionEJBHome) PortableRemoteObject.narrow( ic.lookup( "SessionEJB" ), SessionEJBHome.class );
  Finally, I create an instance of the bean and call a method of this bean.
  SessionEJB sessionEJB;
  sessionEJB = sessionEJBHome.create( );
  sessionEJB.testMe( );
  I am expecting (hoping) that the roles retrieved from the database by the login module may be used to authenticate the ejb methods. i.e. if (in ejb-jar.xml) the method "testMe" has a method-permission with role-name of "ABC" then this method may only be accessed if the user is a member of the "ABC" role retrieved from the database by the login module. However I get the message:
  "username is not allowed to call this EJB method"
  When I add a security-role-mapping in orion-ejb-jar.xml mapping the role "ABC" to the group "ABC" (and impliesALL="true") then the method is called successfully. However, if I add a security-role-mapping mapping the role "DEF" to the group "DEF" (which the user is not a member of) the ejb method is (wrongly) called successfully (with implies all="false" the method always fails). In other words there seems to be no mapping of the roles retrieved by the login module to the ejb security roles.
  Can anyone please enlighten me on how I can achieve the mapping of the ejb security roles to the roles obtained from the login module.
  Thanks
  PS I have this problem with JDeveloper 10.1.3 (Developer Preview 10.1.3.0.2.223 and Early Access 10.1.3.0.3.3412)

  Hi Sebastian,
  yes, it is possible to do such mapping. And here how it works:
  1. define security roles in the ejb-jar.xml within the <security-role>. For example:
  <security-role>
       <role-name>test</role-name>
  </security-role>
  2. then you map the roles those roles to server security roles using the <security-role-map> tag of the ejb-j2ee-engine.xml descriptor.
  <security-permission>
     <security-role-map>
        <role-name>test</role-name>
        <server-role-name>myUMErole</server-role-name>
     </security-role-map>
  </security-permission>
  the myUMErole must be defined in the UME!
  Does this answer your question?

• Map security roles to group within LDAP using external 3rd Party LDAP

  I'm haveing a problem mapping my logical role defined in my web.xml to a role within Active Directory. I'm currently authenticating using Active Directory succsfully, however after the user is authenticated I get a message from the OC4J container that my role can not be found. Can you map a logical role to group within Active Directory? Below are details about my configuration.
  Any help would be greatly appreciated.
  Log.xml log entry that confirms webtA is communicating successfully with AD.
  SG_TEXT>JAAS-LDAPLoginModule: authenticating user wmgraham</MSG_TEXT>
  </PAYLOAD>
  </MESSAGE>
  <MESSAGE>
  <HEADER>
  </CORRELATION_DATA>
  <PAYLOAD>
  <MSG_TEXT>JAAS-LDAPLoginModule: DN for user wmgraham is cn=wmgraham,ou=endusers,ou=itod,ou=endusers,ou=div20,ou=hq,dc=fbinet,dc=fbi</MSG_TEXT>
  </PAYLOAD>
  </MESSAGE>
  <MESSAGE>
  <HEADER>
  Error reported in the log
  <MESSAGE>
  <HEADER>
  <TSTZ_ORIGINATING>2008-08-27T11:38:05.991-04:00</TSTZ_ORIGINATING>
  <COMPONENT_ID>j2ee</COMPONENT_ID>
  <MSG_TYPE TYPE="TRACE"></MSG_TYPE>
  <MSG_LEVEL>16</MSG_LEVEL>
  <HOST_ID>F2287032-W</HOST_ID>
  <HOST_NWADDR>30.30.16.14</HOST_NWADDR>
  <MODULE_ID>security</MODULE_ID>
  <THREAD_ID>14</THREAD_ID>
  <USER_ID>wmgraham</USER_ID>
  </HEADER>
  <CORRELATION_DATA>
  <EXEC_CONTEXT_ID><UNIQUE_ID>30.30.16.14:59560:1219851485804:6</UNIQUE_ID><SEQ>0</SEQ></EXEC_CONTEXT_ID>
  </CORRELATION_DATA>
  <PAYLOAD>
  <MSG_TEXT>for group=[JAZNGroupAdaptor: webta] there's no matching role found.</MSG_TEXT>
  </PAYLOAD>
  </MESSAGE>
  Web.xml Logical Role definition
  <security-constraint>
  <web-resource-collection>
  <web-resource-name>allpages</web-resource-name>
  <url-pattern>/servlet/*</url-pattern>
  <http-method>GET</http-method>
  <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
  <role-name>WEBTA_J2EE_USER</role-name>
  </auth-constraint>
  </security-constraint>
  <security-role>
  <role-name>WEBTA_J2EE_USER</role-name>
  </security-role>
  Orion-web.xml This file maps the logical role defined in webxml to a group within Active Directory.
  <security-role-mapping name="WEBTA_J2EE_USER">
  <group name="webta"/> <-- Group defined in AD -->
  </security-role-mapping>

  What is the name of the group in AD (provide the DN) that you want to map the j2ee logical role WEBTA_J2EE_USER? What are the group search base and group mapping attribute?
  When wmgraham logs into the app, the 3rd party ldap login module will attempt to query for the groups wmgraham is a member of - this is done using the group search base configuration for the provider.
  In this example, the DN is "cn=wmgraham,ou=endusers,ou=itod,ou=endusers,ou=div20,ou=hq,dc=fbinet,dc=fbi" and likely user search base is set to "ou=endusers,ou=itod,ou=endusers,ou=div20,ou=hq,dc=fbinet,dc=fbi".
  Assuming group search base is (say) "ou=groups,ou=itod,ou=endusers,ou=div20,ou=hq,dc=fbinet,dc=fbi" and and group mapping attr is "cn", then the role mapping you mention should work for group DN "cn=webta,ou=groups,ou=itod,ou=endusers,ou=div20,ou=hq,dc=fbinet,dc=fbi"

• Invalid Security role-name error in Web Project

  Hi All,
  I have imported a J2EE application project built in JBOSS into NWDS 7.1.
  While building the project i get the following error
  <b>CHKJ3020E:Invalid Security role-name error: PEHNTAHO_ADMIN</b>
  This error directs me to the following code in web.xml
  <security-constraint>
            <display-name>Default JSP Security Constraints</display-name>
            <web-resource-collection>
                 <web-resource-name>Portlet Directory</web-resource-name>
                 <url-pattern>/jsp/*</url-pattern>
                 <http-method>GET</http-method>
                 <http-method>POST</http-method>
            </web-resource-collection>
            <auth-constraint>
                 <b><role-name>PEHNTAHO_ADMIN</role-name></b>
            </auth-constraint>
            <user-data-constraint>
                 <transport-guarantee>NONE</transport-guarantee>
            </user-data-constraint>
       </security-constraint>
  <b>I have tried out the following things to resolve this issue :</b>
  <b>1) Remove the role manually</b>(as suggested by various people in other J2EE forums), but then some other error came in to picture
  <b>2)Then I added the following code in web.xml</b>
  <security-role>
            <role-name>PEHNTAHO_ADMIN</role-name>
       </security-role>
  Then the above mentioned build error gets resolved, but then I get the following error while deploying the application.
  Dec 3, 2007 12:59:21 AM /userOut/daView_category (eclipse.UserOutLocation) [Thread[Deploy Thread,5,main]] ERROR: Deploy Exception.An error occurred while deploying the deployment item 'sap.com_AnalyticsApp2EAR'.; nested exception is:
       java.rmi.RemoteException:  class com.sap.engine.services.dc.gd.DeliveryException: An error occurred during deployment of sdu id: sap.com_AnalyticsApp2EAR
  sdu file path: D:\usr\sap\CE1\J01\j2ee\cluster\server0\temp\tcbldeploy_controller\archives\191\AnalyticsApp2EAR.ear
  version status: HIGHER
  deployment status: Admitted
  description:
            1. Error:
  Cannot update application sap.com/AnalyticsApp2EAR. Reason: The application sap.com/AnalyticsApp2EAR will not be update, because its validation failed. Reason:
  ERRORS:
  Web Model Builder: com.sap.engine.frame.core.configuration.NameNotFoundException: The parameter/s in String "<?xml version="1.0" encoding="UTF-8"?>
  <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
  <web-app>
       <!-- whole web.xml-->
  </web-app>
  " is/are not defined and could not be substituted., file: AnalyticsApp2.war#WEB-INF/web.xml, column 0, line 0, severity: error
  WARNINGS:
  Web Model Builder: Following tests could not be executed because of failed precondition test "Web Model Builder" : Implicit Constraints Test, JSF Application Test, Mapping Test, Web File Existence Test, Web Class Existence Test, Security Role Test, file: AnalyticsApp2.war, column -1, line -1, severity: warning
  <b>3) I had also added the following code in web-j2ee-engine.xml</b>
  <security-role-map>
            <role-name>PEHNTAHO_ADMIN</role-name>
            <server-role-name>all</server-role-name>
       </security-role-map>
  but still i get the same deployment error.
  Please help me in resolving this problem.
  Can anybody tell me the use of role "PEHNTAHO_ADMIN"?
  Thanks and Regards,
  Sruti

  Hi Malathy,
  Once the users are created in Authentication Provider, and once the roles are created in Weblogic Server, You just have to map users to roles in Jazn-data.xml.
  Could you please let us know you created a roles named users in WLS ?
  Thanks & Regards,
  Murali.
  ============

• Unable to assign all security roles to a user with a new custom security role

  Dear All,
  Happy New Year.!
  I have a query regarding the assignment of Security Roles to new users in CRM. Normally we assign the security roles to new users via an Admin user who has 'System Administrator' security role assigned to him/her. This works perfectly fine, and we can assign
  any desired security role to the new user.
  However, in our case, we need to delegate the user creation rights to some of the client partners. We do not want to give them access to all the Administration functions; hence we created a new Security Role, lets say 'Support User Role'. We have provided
  'Create', 'Append', 'Append To', and 'Assign' rights on 'User' entity for this new security role. With this security role, we are able to create new users now, but we are only able to assign 'Agent' security role, not any other security roles.
  For example, if user 'x' has Security Role defined as 'Support User Role'. If 'x' tries to add a new user 'y', then 'x' is only able to assign 'Agent' security role to 'y', but not any other security role. As per business requirement, 'x' should be able
  to assign some other security roles, including 'Support User Role', to new user 'y'.
  I believe that there is something missing in Security Role configuration, which is causing the above problem. We compared both 'Support User Role' and 'System Administrator' security roles, but not able to figure out which minimum rights we can provide to
  'Support User Role' so that users with this security role can only add new users (with any security role), and that they are not having access on any other Administration features as well.
  Appreciate any help that you can provide on the above issue.
  Thanks in anticipation.

  Hi,
  Can you check if you have organization level Read access for Securitity Role and Organization level Assign access for Security role.
  Refer:-
  http://www.magnetismsolutions.com/blog/paulnieuwelaar/2013/04/22/permissions-required-to-manage-roles-in-dynamics-crm-2011
  Hope this helps!!!
  Thanks,
  Prasad
  Make sure to "Vote as Helpful" and "Mark As Answer",if you get answer of your question

• Need api for changing security role in web.xml !!

  My requirement is to change the value of the deployment descriptor "security-role" (in web.xml) through an api and inturn to persist the new value in web.xml. Also I need to know if this change is automatically redeployed or an explicit redeployment is needed ? In that case how do I redeploy using an api call ?
  I found a lot of apis related to roles like createRole, removeRole etc.. But there are no apis to change the name of the role and inturn persist in web.xml.
  Do I need to provide any more information ? Let me know
  Thanks,
  Karthick

  why and when do you change security-role? try to use ant task (perhaph you need xpath also). it´s the better when you perform task about life´s cycle of application.
  please, describe your problem.
  of course in you change web.xml you must restart the application.

• Web Service authentication by security role

  I define an web service with authentication by security role.
  I access web service via web dynpro model in EP7.
  It appear below error:
  <b>Exception on execution of web service with WSDL URL 'http://XXX:50000/XXX/Config1?wsdl ' with operation 'XXXXXXXX' in interface 'XXXVi_Document'</b>
  how should i do to solve this problem ?

  Hi WU,
              Use this code with ur webservice & check the error in log file.May be we will get some more info abt this.
  This code will be in execute method
  Request_XXX reqData = new Request_XXXdbModel);
  reqData.wdSetInvocationLogEnabled(true);
  in the catch block give this
  logger.traceThrowableT(
       Severity.ERROR,
       wdComponentAPI.getApplication().getDeployableObjectPart().getName(),
       ex);
       //if (logger.beDebug()) {
       logger.fatalT(requestModel.wdGetRequestLog());
       logger.fatalT(requestModel.wdGetResponseLog());
       logger.fatalT(requestModel.associatedModelClassInfo().getModelInfo().toString());
       logger.fatalT(requestModel.toString());
  request model is ue model & ex is the exception in catch block.
  execute the application after this change & check the server log.In case u r not able to find out the problem,send the stach trace.
  regards
  Sumit

• Redirecting user to acustom page depending on security role after glassfish

  Hi,
  I have a JSF application using glassfish authentication mechanism. I'm planning to use a jdbc realm and form based authentication (I'm using a jsp page to get username and password) . I have 3 different user roles (student, admin and staff)
  However I cannot find how to redirect a user to a different page (Ex: staff report page if the logged in user is in the security role staff). I have configured sun-web.xml and web.xml to map the roles and groups. The problem is after authentication the user is always redirected back to the home page, which is the login page. I understand this is how the glassfish authentication works by default. But is there a way to navigate the user to a different page depending on his role.
  I'm new to EJB security. Please help me on this subject. Thanks a lot in advance.

  Check this blog post, which provides an alternate solution (You can choose the best possible solution based on your use-case).
  http://andrejusb.blogspot.com/2007/10/security-in-oracle-adf-and-automatic.html
  Thanks,
  Navaneeth

• How to specify the security policy "Allow access to everyone" for security role in Deployment descriptor

  Hi,
  I am migrating a web application from Websphere to Weblogic. The web application has a security role defined in web.xml (Use LDAP for authentication).
  security-role>
          <description>Authenticated</description>
          <role-name>Authenticated</role-name>
      </security-role>
  This role is mapped to a special subject "All authenticated user in appliation realm" in WAS.
  In weblogic, I have the following setting in weblogic.xml
  <wls:security-role-assignment>
          <wls:role-name>Authenticated</wls:role-name>
          <wls:externally-defined />
      </wls:security-role-assignment>
  And after deploy the application, have to manually add a security role and add the security policy "Allow access to everyone" to this role.
  I am wondering if this setting can be specified in  for example weblogic.xml so just deploy web applicaiton using deployment descriptor, and I don't need write script to do that .
  Thanks

  Hi,
  You need to have Back End support to achieve this. In Back End you need to create two groups . You need to know what joins has to be made for which group (which is more important) and also make session variable for the userrole (with SQL supporting it). In the BMM layer, we need to put the security join conditions in the 'where clause'.
  And make a common report. User loggin in with the respective userid will have userrole and joins assigned in the Back end. And they will be viewing the report according to their access.
  Hope this will solve your problem.
  Regards
  MuRam

• SDK C# - query Security Role Properties like Views, Tasks etc

  Hi,
  i have a Problem with getting information from the securityroles in SCSM. In C# i cant get the views, Tasks, templates etc. which are in the security roles. Can anybody give me a hint how i can query this configuration in c#.
  Thank you in advance.

  So the "real need" is that your security roles are confusing and not well defined, so to address this, you'd like to make or find a tool that tells you quickly roles a given user is in, then you could go about troubleshooting
  the security issue.
  I'd like to offer an alternative: fix your security roles.
  a ideal* service manager implementation has 3 security roles.
  Administrators, who can see and manage everything,  
  Analysts, who can work incidents complete activities and shepherd things through the process, but can't really change how the system operates
  Everyone Else, who get
  implied permissions and not much else.
  Sometimes those roles are broken out into different responsibility groups, which are queue filtered, but typically those are the three classes of people in service manager.
  Those roles groups should be applied to the departmental or job groups that correspond to the people who do this job, i.e. you work in the helpdesk, therefore you get helpdesk rights in SCSM.
  If you are going to stray from this ideal, you should have a good reason for it.
  *note: ideal is not "most" or even "a good", ideal is exactly what it sounds like, an ideal goal state that isn't restricted to practical needs. Practical business needs are going to modify this ideal, but it isn't going
  to change the goal, just how close you can get.

• How reusable is a security role

  Can I copy one from one org to another?  More specifically, since the set of custom entities don't match, am I creating a problem or opportunity for collision by copying a security role from one org to another?  Are custom entities managed by
  guid or entityTypeCode within the security role?

  I've just done a test and managed to import a role that was controlling access to an entity present on the origin CRM but not present on the destination CRM. the import went though without errors. the role was created on the destination, but the role's
  settings for the custom entity disappear. So, even if that may not break the system, it Can cause confusion. Specially if you are moving across DEV, TEAST and PROD systems. Not a good practice.
  I Hope I could help. If I have answered please mark as 'Answer'. If was just helpful, please vote. Thanks and happy coding! Bruno Lucas, http://dynamicday.wordpress.com/

• Showing or hiding buttons/ enabling text boxes depending upon security role in Portal

  Hi All,
  Is it possible to show or hide ceratin text box or buttons depending on the security
  role of the user ? Let's suppose we have screen with buttons update, delete. Now
  we want that when a administrator logs in he will see a screen with data in editable
  text boxes and update and delete button. In case of normal user, only the phone
  no. will be editable and he can't see the delete button.
  Is it possible using portal feature ?
  Any suggestion is welcome.
  TIA,
  Sudarson

  Sudarson,
  Not that I know of. If you'd like to eloborate on the feature you're
  building I can log an enhancement request for you.
  Sincerely,
  Daniel Selman
  "sudarson" <[email protected]> wrote in message
  news:3c5f698e$[email protected]..
  >
  Hi Daniel,
  Thanks for the reply. I think, I should elaborate my query.
  Yeah, programattically we can do the stuff. But my question is that isthere any
  such feature in weblogic portal so that in stead of using is UserInRoleand doing
  it programatically, we can do it thru portal, thus having bettermaintainability.
  >
  Regards,
  Sudarson
  "Daniel Selman" <[email protected]> wrote:
  Sudarson,
  Yes this is possible. You can programmatically check the logged in user's
  role within your JSP and react accordingly (all standard J2EE). You
  should
  do this with caution however as you could quickly create a maintenance
  problem for yourself. Declarative security externalizes all security
  settings (groups. permissions etc.) away from application code and is
  usually to be preferred.
  Programmatic security through EJB mechanisms such as the SessionContext
  isCallerInRole and getCallerPrincipal methods and web-tier methods
  getRemoteUser, isUserInRole and getUserPrincipal.
  http://java.sun.com/j2ee/j2sdkee/techdocs/guides/ejb/html/Security5.html
  Sincerely,
  Daniel Selman
  "sudarson" <[email protected]> wrote in message
  news:3c5e81cf$[email protected]..
  Hi All,
  Is it possible to show or hide ceratin text box or buttons dependingon
  the security
  role of the user ? Let's suppose we have screen with buttons update,delete. Now
  we want that when a administrator logs in he will see a screen withdata
  in editable
  text boxes and update and delete button. In case of normal user, onlythe
  phone
  no. will be editable and he can't see the delete button.
  Is it possible using portal feature ?
  Any suggestion is welcome.
  TIA,
  Sudarson

• ADF security roles

  Security roles, created for my application in web.xml file aren't shown in authorithation editor for container neither in Authorithation tab for model components !
  Where the problem could be?

  Hi Frank!
  oc4j-app-administrators is a role in system--jazn-data.xml and my roles manager and staff also. I don't know where to switch between global OC4J user/roles settings and workspace specific but my roles are present in both places of Embeded OC4J server preferences( in system-jazn-data.xml and in <My project>-jazn-data.xml ).
  But my roles still unvisible in "Authorization editor" .