Projects Contract (R 12.1.3) Security Role Assignment

In Projects Contract (R 12.1.3), is there any way we can have contingent worker(s) in the List of Values for “Employee” in Security Role Assignment window?

Please check the Profile Option - OKE: Allow Contingent Workers
This profile option determines whether contingent workers can be granted access to contracts or not.

Similar Messages

Why security-role-assignment is required ?

Hi all.
We develop EJB application which uses:
* declarative security using <method-permission> in ejb-jar.xml
* our own RoleMapper SSP, which take mapping data from DB
(our Mapper doesn't use weblogic-ejb-jar.xml at all)
When I deploy my app without <security-role-assignment>
in weblogic-ejb-jar.xml I receive the deployment exception:
<quote>
The security-role MY_ROLE, defined in ejb-jar.xml,
is not correctly mapped to a security principal.
Make sure the security-role has a corresponding
security-role-assignment element in the
weblogic-ejb-jar.xml descriptor.
</quote>
Yes, this is absolutely correct --
I didn't define the mapping in *.xml advisedly,
because of it is defined in DB and my own Mapper
retrieves data required for role mapping from DB,
not from descriptor *.xml
Questions are:
==============
1. why <security-role-assignment> is so strictly required ? :(
2. is it possible to use declarative security with own RoleMapper ?
3. if `yes` then how to get rid of the exception ?
I have one workaround:
to add to weblogic-ejb-jar.xml fake mapping for
each EJB role used in ejb-jar.xml:
<security-role-assignment>
<role-name>MY_ROLE</role-name>
<principal-name>FaKe_Blah_bLAH</principal-name>
</security-role-assignment>
In this case all works fine,
but workaround smells very very bad :(
Thanks in advance.
Best regards,
Eugene Voytitsky

Hello,
could you provide addition information on the server version and the facets installed in the dynamic web and EAR project ?
thanks
Raj

Security-role and security-role-assignment not working in WL7.0

Hello all..
Some EJB components that worked fine in WebLogic 6.1 no longer work in
WL7.0. It has to do with the security-role and security-role-assignment
descriptor elements no longer allowing anonymous users to be included in the
authorization for a bean.
For example, in WL6.1 placing these items in ejb-jar.xml:
<assembly-descriptor>
<security-role>
<role-name>Employees</role-name>
</security-role>
<method-permission>
<role-name>Employees</role-name>
<method>
<ejb-name>CustomerEJB</ejb-name>
<method-name>*</method-name>
</method>
</method-permission>
and mapping WebLogic default users to this role in weblogic-ejb-jar.xml:
<security-role-assignment>
<role-name>Employees</role-name>
<principal-name>guest</principal-name>
<principal-name>system</principal-name>
</security-role-assignment>
worked fine for clients creating their context using a simple
InitialContext() constructor without specifying SECURITY_PRINCIPAL or
SECURITY_CREDENTIALS. These users were basically "guest" to WebLogic, and
the security-role-assignment element above told WebLogic that "guest" was in
the Employees role for purposes of this EJB archive.
Worked in WL6.1, no longer works in WL7.0. Client receives typical
permission exception:
java.rmi.AccessException: Security violation: insufficient permission to
access method 'create'
If I explicity connect as "system" things are fine, or I can create a new
user in the default realm in WebLogic, put a matching <principal-name>
element in the section above, and connect as that user. Note that if I leave
off the <security-role> section completely, or set the required role name to
"everyone", the anonymous access works fine. Apparently the anonymous user
is a member of "everyone" behind the scenes even though "everyone" does not
appear in the realm list of groups or roles.
So, my question boils down to this: Is there a "magic" username in WL7 like
"guest" was in WL6.1 that can be mapped to the required role name, or must
every client connection use a true weblogic-created user with appropriate
role assignments used to map it to the required role name.
-Greg
P.S. Note that none of the EJB examples provided with WL used
<security-role>..
Check out my WebLogic 6.1 Workbook for O'Reilly EJB Third Edition
www.amazon.com/exec/obidos/ASIN/1931822468 or www.titan-books.com

Below are the screen shots for PFCG:

The security-role-assignment references an invalid security-role: Certifica

In Oracle Enterprise Pack for Eclipse, I failed to deploy an application in debug mode. The error I noticed in my domain log is:
weblogic.management.DeploymentException: [HTTP:101168]The security-role-assignment references an invalid security-role: Certificate.
 at weblogic.servlet.security.internal.WebAppSecurity.setRoleMapping(WebAppSecurity.java:180)
 at weblogic.servlet.security.internal.WebAppSecurity.registerSecurityRoles(WebAppSecurity.java:155)
 at weblogic.servlet.internal.WebAppServletContext.prepareFromDescriptors(WebAppServletContext.java:1181)
 at weblogic.servlet.internal.WebAppServletContext.prepare(WebAppServletContext.java:1120)
 at weblogic.servlet.internal.HttpServer.doPostContextInit(HttpServer.java:449)
 at weblogic.servlet.internal.HttpServer.loadWebApp(HttpServer.java:424)
 at weblogic.servlet.internal.WebAppModule.registerWebApp(WebAppModule.java:910)
 at weblogic.servlet.internal.WebAppModule.prepare(WebAppModule.java:364)
 at weblogic.application.internal.flow.ScopedModuleDriver.prepare(ScopedModuleDriver.java:176)
 at weblogic.application.internal.flow.ModuleListenerInvoker.prepare(ModuleListenerInvoker.java:93)
 at weblogic.application.internal.flow.DeploymentCallbackFlow$1.next(DeploymentCallbackFlow.java:387)
 at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:37)
 at weblogic.application.internal.flow.DeploymentCallbackFlow.prepare(DeploymentCallbackFlow.java:58)
 at weblogic.application.internal.flow.DeploymentCallbackFlow.prepare(DeploymentCallbackFlow.java:42)
 at weblogic.application.internal.BaseDeployment$1.next(BaseDeployment.java:615)
 at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:37)
 at weblogic.application.internal.BaseDeployment.prepare(BaseDeployment.java:191)
 at weblogic.application.internal.EarDeployment.prepare(EarDeployment.java:16)
 at weblogic.application.internal.DeploymentStateChecker.prepare(DeploymentStateChecker.java:155)
 at weblogic.deploy.internal.targetserver.AppContainerInvoker.prepare(AppContainerInvoker.java:60)
 at weblogic.deploy.internal.targetserver.operations.ActivateOperation.createAndPrepareContainer(ActivateOperation.java:197)
 at weblogic.deploy.internal.targetserver.operations.ActivateOperation.doPrepare(ActivateOperation.java:89)
 at weblogic.deploy.internal.targetserver.operations.AbstractOperation.prepare(AbstractOperation.java:217)
 at weblogic.deploy.internal.targetserver.DeploymentManager.handleDeploymentPrepare(DeploymentManager.java:723)
 at weblogic.deploy.internal.targetserver.DeploymentManager.prepareDeploymentList(DeploymentManager.java:1190)
 at weblogic.deploy.internal.targetserver.DeploymentManager.handlePrepare(DeploymentManager.java:248)
 at weblogic.deploy.internal.targetserver.DeploymentServiceDispatcher.prepare(DeploymentServiceDispatcher.java:159)
 at weblogic.deploy.service.internal.targetserver.DeploymentReceiverCallbackDeliverer.doPrepareCallback(DeploymentReceiverCallbackDeliverer.java:157)
 at weblogic.deploy.service.internal.targetserver.DeploymentReceiverCallbackDeliverer.access$000(DeploymentReceiverCallbackDeliverer.java:12)
 at weblogic.deploy.service.internal.targetserver.DeploymentReceiverCallbackDeliverer$1.run(DeploymentReceiverCallbackDeliverer.java:45)
 at weblogic.work.SelfTuningWorkManagerImpl$WorkAdapterImpl.run(SelfTuningWorkManagerImpl.java:516)
 at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
 at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
What I do not understand is that this error remains even though I modified weblogic.xml to remove the following lines:
<wls:security-role-assignment>
<wls:role-name>Certificate</wls:role-name>
<wls:externally-defined/>
</wls:security-role-assignment>
I also deleted <MYDOMAIN_HOME>/servers/AdminServer/cache and <MYDOMAIN_HOME>/servers/AdminServer/tmp but this error still showed up when I attempted to deploy the application in Eclipse.
If I exported the EAR file and deployed it using Admin Console, the application was deployed successfully. But when I deleted it in Admin Console and attempted to deploy it in Eclipse again, the same error occurred and the deployment failed. What could be the reason for this behavior? Is there anything cached somewhere when deploying it in Eclipse? Thanks in advance for your help.

Hi,
I know that is an old thread, but just in case... Maybe you could try setting up the DEBUG_OPTIONS in your startManagedWeblogic script and configure a remote debug in Eclipse:
DEBUG_OPTIONS="-Xdebug -Xnoagent -Xrunjdwp:transport=dt_socket,address=8003,server=y,suspend=n"
Hope it helps,
Luis

Modify security role assignment at runtime

hello,
assume following example:
In order to use declarative security on a EJB called TestBean, I secured
TestBean by using the <method-permission> tag in ejb-jar_TestBean.xml,
and grant permission to a role called adminRole
At deploy-time, a principal called adminGroup is assigned to adminRole,
using the <security-role-assigment> tag in weblogic-ejb-jar_TestBean.xml.
The methods of TestBean are invoked by a JSP (TestJSP).
This works fine.
Now I want to add a new principal to adminRole at runtime.
Is this possible as a matter of principle?
Can this be managed by TestJSP?
thanx for your help,
Michael

Hello,
could you provide addition information on the server version and the facets installed in the dynamic web and EAR project ?
thanks
Raj

Unable to assign all security roles to a user with a new custom security role

Dear All,
Happy New Year.!
I have a query regarding the assignment of Security Roles to new users in CRM. Normally we assign the security roles to new users via an Admin user who has 'System Administrator' security role assigned to him/her. This works perfectly fine, and we can assign
any desired security role to the new user.
However, in our case, we need to delegate the user creation rights to some of the client partners. We do not want to give them access to all the Administration functions; hence we created a new Security Role, lets say 'Support User Role'. We have provided
'Create', 'Append', 'Append To', and 'Assign' rights on 'User' entity for this new security role. With this security role, we are able to create new users now, but we are only able to assign 'Agent' security role, not any other security roles.
For example, if user 'x' has Security Role defined as 'Support User Role'. If 'x' tries to add a new user 'y', then 'x' is only able to assign 'Agent' security role to 'y', but not any other security role. As per business requirement, 'x' should be able
to assign some other security roles, including 'Support User Role', to new user 'y'.
I believe that there is something missing in Security Role configuration, which is causing the above problem. We compared both 'Support User Role' and 'System Administrator' security roles, but not able to figure out which minimum rights we can provide to
'Support User Role' so that users with this security role can only add new users (with any security role), and that they are not having access on any other Administration features as well.
Appreciate any help that you can provide on the above issue.
Thanks in anticipation.

Hi,
Can you check if you have organization level Read access for Securitity Role and Organization level Assign access for Security role.
Refer:-
http://www.magnetismsolutions.com/blog/paulnieuwelaar/2013/04/22/permissions-required-to-manage-roles-in-dynamics-crm-2011
Hope this helps!!!
Thanks,
Prasad
Make sure to "Vote as Helpful" and "Mark As Answer",if you get answer of your question

Using weblogic security roles in authentication: weblogic 9

Hi All,
I am trying to create a simple application which uses declarative authorization configured in web.xml. I use the simple form based authentication. While trying to deploy my application, I get the error:
weblogic.management.DeploymentException: [HTTP:101168]The security-role-assignment references an invalid security-role: LTVORole.
But I have defined the role LTVORole in weblogic using the administrator console.
below are the details of what I have done:
Web.xml:
========
<?xml version='1.0' encoding='UTF-8'?>
<j2ee:web-app xmlns:j2ee="http://java.sun.com/xml/ns/j2ee">
<j2ee:welcome-file-list>
 <j2ee:welcome-file>login.jsp</j2ee:welcome-file>
 <j2ee:welcome-file>index.html</j2ee:welcome-file>
 <j2ee:welcome-file>index.htm</j2ee:welcome-file>
</j2ee:welcome-file-list>
<j2ee:login-config>
 <j2ee:auth-method>FORM</j2ee:auth-method>
 <j2ee:form-login-config>
 <j2ee:form-login-page>/login.jsp</j2ee:form-login-page>
 <j2ee:form-error-page>/error.jsp</j2ee:form-error-page>
 </j2ee:form-login-config>
</j2ee:login-config>
<security-constraint>
<display-name>checkAccountConstraint</display-name>
<web-resource-collection>
<web-resource-name>checkAccountCollection</web-resource-name>
 <url-pattern>test.jsp</url-pattern>
 <http-method>GET</http-method>
 <http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
 <role-name>LTVORole</role-name>
</auth-constraint>
</security-constraint>
</j2ee:web-app>Weblogic.xml
===========
<?xml version="1.0" encoding="UTF-8"?>
<ns:weblogic-web-app xmlns:ns="http://www.bea.com/ns/weblogic/90">
<security-role-assignment>
 <role-name>LTVORole</role-name>
 <externally-defined/>
</security-role-assignment>
</ns:weblogic-web-app>I have created the role in weblogic in the menu
security realms > myrealm > roles and policies > Global Roles > roles > LTVORole
Is it the right way to define a role?
Please help me find where I am going wrong.
Thanking you all in advance,
Gireesh

Hi All,
I am trying to create a simple application which uses declarative authorization configured in web.xml. I use the simple form based authentication. While trying to deploy my application, I get the error:
weblogic.management.DeploymentException: [HTTP:101168]The security-role-assignment references an invalid security-role: LTVORole.
But I have defined the role LTVORole in weblogic using the administrator console.
below are the details of what I have done:
Web.xml:
========
<?xml version='1.0' encoding='UTF-8'?>
<j2ee:web-app xmlns:j2ee="http://java.sun.com/xml/ns/j2ee">
<j2ee:welcome-file-list>
 <j2ee:welcome-file>login.jsp</j2ee:welcome-file>
 <j2ee:welcome-file>index.html</j2ee:welcome-file>
 <j2ee:welcome-file>index.htm</j2ee:welcome-file>
</j2ee:welcome-file-list>
<j2ee:login-config>
 <j2ee:auth-method>FORM</j2ee:auth-method>
 <j2ee:form-login-config>
 <j2ee:form-login-page>/login.jsp</j2ee:form-login-page>
 <j2ee:form-error-page>/error.jsp</j2ee:form-error-page>
 </j2ee:form-login-config>
</j2ee:login-config>
<security-constraint>
<display-name>checkAccountConstraint</display-name>
<web-resource-collection>
<web-resource-name>checkAccountCollection</web-resource-name>
 <url-pattern>test.jsp</url-pattern>
 <http-method>GET</http-method>
 <http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
 <role-name>LTVORole</role-name>
</auth-constraint>
</security-constraint>
</j2ee:web-app>Weblogic.xml
===========
<?xml version="1.0" encoding="UTF-8"?>
<ns:weblogic-web-app xmlns:ns="http://www.bea.com/ns/weblogic/90">
<security-role-assignment>
 <role-name>LTVORole</role-name>
 <externally-defined/>
</security-role-assignment>
</ns:weblogic-web-app>I have created the role in weblogic in the menu
security realms > myrealm > roles and policies > Global Roles > roles > LTVORole
Is it the right way to define a role?
Please help me find where I am going wrong.
Thanking you all in advance,
Gireesh

How to specify the security policy "Allow access to everyone" for security role in Deployment descriptor

Hi,
I am migrating a web application from Websphere to Weblogic. The web application has a security role defined in web.xml (Use LDAP for authentication).
security-role>
 <description>Authenticated</description>
 <role-name>Authenticated</role-name>
 </security-role>
This role is mapped to a special subject "All authenticated user in appliation realm" in WAS.
In weblogic, I have the following setting in weblogic.xml
<wls:security-role-assignment>
 <wls:role-name>Authenticated</wls:role-name>
 <wls:externally-defined />
 </wls:security-role-assignment>
And after deploy the application, have to manually add a security role and add the security policy "Allow access to everyone" to this role.
I am wondering if this setting can be specified in for example weblogic.xml so just deploy web applicaiton using deployment descriptor, and I don't need write script to do that .
Thanks

Hi,
You need to have Back End support to achieve this. In Back End you need to create two groups . You need to know what joins has to be made for which group (which is more important) and also make session variable for the userrole (with SQL supporting it). In the BMM layer, we need to put the security join conditions in the 'where clause'.
And make a common report. User loggin in with the respective userid will have userrole and joins assigned in the Back end. And they will be viewing the report according to their access.
Hope this will solve your problem.
Regards
MuRam

Warning: EJB referenced an unknown security role?

Hello,
I get a weird error from WL 5.1 (SP6), using the default WLPropertyRealm.
In the EJB I have the following check:
if (ctx.isCallerInRole("ConspiratorRole"))
System.out.println ("the user is in the ConspiratorRole role");
At run time, I get the following warning in the WL window:
Fri Nov 10 12:56:58 EST 2000:
<EJB JAR deployment D:/weblogic/myserver/myBean.jar>
Warning: EJB "unu" referenced an unknown security role
However:
- the role IS defined (see ejb-jar.xml)
- has an associated principal (see weblogic-ejb-jar.xml)
- there is a principal defined in weblogic.properties
- this principal (and this role) is actually used in practice to access the
bean. Which works.
So why the warning?
Any hint appreciated,
Thanks.
ejb-jar.xml:
<assembly-descriptor>
<security-role>
<description>description of the ConspiratorRole</description>
<role-name>ConspiratorRole</role-name>
</security-role>
</assembly-descriptor>
weblogic-ejb-jar.xml:
<weblogic-ejb-jar>
<security-role-assignment>
<role-name>ConspiratorRole</role-name>
<principal-name>Conspirator</principal-name>
</security-role-assignment>
</weblogic-ejb-jar>

You should not reference the role link in you code.The role link is used to
connect the role name in you code to the
role name in your deployment descripment. Only if this link is set up as you
have done below, will the isCallerInRole return true.
- Sri
Alf wrote:
I reviewed older postings and found indications of what appears to be a bug
in WL: that isCallerInRole always return false for role names but returns
correct values if the role names are linked with a reference in
<security-role-ref>. So, according to the DTD at
http://edocs.bea.com/wle/dd/ddref.htm#1038338 I added the following in
ejb-jar.xml:
<ejb-jar>
<enterprise-beans>
<session>
<security-role-ref>
<role-name>ConspiratorRole</role-name>
<role-link>ConspiratorRoleLink</role-link>
</security-role-ref>
and added 2 lines in the bean to test the both the role and the reference
if (ctx.isCallerInRole("ConspiratorRole"))
System.out.println ("the user is in the ConspiratorRole role");
if (ctx.isCallerInRole("ConspiratorRoleLink"))
System.out.println ("the user is in the ConspiratorRoleLink
role");
The unexpected result was a NullPointerException at
weblogic.ejb.internal.BaseEJBContext.isCallerInRole(BaseEJBContext.java:665)
Can anyone shed some light? Thanks.
"Alf" <alf> wrote in message news:[email protected]...
Hello,
I get a weird error from WL 5.1 (SP6), using the default WLPropertyRealm.
In the EJB I have the following check:
if (ctx.isCallerInRole("ConspiratorRole"))
System.out.println ("the user is in the ConspiratorRole role");
At run time, I get the following warning in the WL window:
Fri Nov 10 12:56:58 EST 2000:
<EJB JAR deployment D:/weblogic/myserver/myBean.jar>
Warning: EJB "unu" referenced an unknown security role
However:
- the role IS defined (see ejb-jar.xml)
- has an associated principal (see weblogic-ejb-jar.xml)
- there is a principal defined in weblogic.properties
- this principal (and this role) is actually used in practice to accessthe
bean. Which works.
So why the warning?
Any hint appreciated,
Thanks.
ejb-jar.xml:
<assembly-descriptor>
<security-role>
<description>description of the ConspiratorRole</description>
<role-name>ConspiratorRole</role-name>
</security-role>
</assembly-descriptor>
weblogic-ejb-jar.xml:
<weblogic-ejb-jar>
<security-role-assignment>
<role-name>ConspiratorRole</role-name>
<principal-name>Conspirator</principal-name>
</security-role-assignment>
</weblogic-ejb-jar>

Using the deployment plan to extend the security roles

Hi,
We have an existing application that has a set of security roles defined. This app has been deployed to Weblogic.
We would like provide additional security roles through this application. Currently, we have been doing this by manually editing the web.xml and the weblogic.xml files and redeploying the app. Is there any way to achieve this using the deployment plan feature ? If yes, how do we do it?
Regds,
Mridhula

you can use the following deployment Plan xml file:
<?xml version='1.0' encoding='UTF-8'?>
<deployment-plan xmlns="http://www.bea.com/ns/weblogic/deployment-plan" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.bea.com/ns/weblogic/deployment-plan http://www.bea.com/ns/weblogic/deployment-plan/1.0/deployment-plan.xsd">
<application-name>deploy_plan</application-name>
<variable-definition>
<variable>
*<name>RoleName</name>*
*<value>plan</value>*
</variable>
<variable>
*<name>PrincipalName</name>*
*<value>test</value>*
</variable>
</variable-definition>
<module-override>
<module-name>appA.war</module-name>
<module-type>war</module-type>
<module-descriptor external="false">
<root-element>weblogic-web-app</root-element>
<uri>WEB-INF/weblogic.xml</uri>
 <variable-assignment>
*<name>PrincipalName</name>*
<xpath>/weblogic-web-app/security-role-assignment/[*role-name="plan"*]/principal-name</xpath>
</variable-assignment>
</module-descriptor>
<module-descriptor external="false">
<root-element>web-app</root-element>
*<uri>WEB-INF/web.xml</uri>*
 <variable-assignment>
*<name>RoleName</name>*
*<xpath>/web-app/security-constraint/auth-constraint/role-name</xpath>*
</variable-assignment>
 <variable-assignment>
*<name>RoleName</name>*
*<xpath>/web-app/security-role/role-name</xpath>*
</variable-assignment>
</module-descriptor>
<module-descriptor external="true">
<root-element>wldf-resource</root-element>
<uri>META-INF/weblogic-diagnostics.xml</uri>
</module-descriptor>
</module-override>
<config-root>E:\wls_docs\deploy_plan\plan</config-root>
</deployment-plan>
thanks,
Sandeep

Ejb security role & bea implementation

A role has been defined in ejb-jar as following:
<security-role>
<description><![CDATA[Deployer User]]></description>
<role-name>deployer</role-name>
</security-role>
<method-permission>
<description><![CDATA[Deployer Method Permission]]></description>
<role-name>deployer</role-name>
<method>
<description><![CDATA[All method for CCPStateBean]]></description>
<ejb-name>CCPStateBean</ejb-name>
<method-name>*</method-name>
</method>
</method-permission>
If the principal is included in the weblogic-ejb-jar as below, and the jndi lookup
includes the SECURITY_PRINCIPAL (e.g., jzhu), the code works fine.
<security-role-assignment>
<role-name>deployer</role-name>
<principal-name>jzhu</principal-name>
</security-role-assignment>
The problem comes when the principal is not included as above weblogic-ejb-jar
instead a role "deployer" is defined in WLS's, The user ("jzhu") is defined in
the deployer group. And the deployer group belongs to deployer role. The defaultRoleMapper
is enabled. In this scenario, the access failed due to insufficient permission.
Can ejb-jar's role relates to WLS's role. Please advise. THX.
-John

Thanks for the information. It works. I wish bea monitor this newsgroup since this
is not in their document. By the way, the following links clarifies the relationship
between DD and admin console security configuration.
http://edocs.bea.com/wls/docs70/security/cli_apps.html#1090734
-John
"Arjuna Chala" <[email protected]> wrote:
I don't know about "defaultRoleMapper", but this works
<security-role-assignment>
<role-name>deployer</role-name>
<principal-name>deployer</principal-name>
</security-role-assignment>
where <role-name> maps to a ejb-jar role and <principal-name> maps to
a
weblogic group (in this case).
"john" <[email protected]> wrote in message
news:[email protected]..
A role has been defined in ejb-jar as following:
<security-role>
<description><![CDATA[Deployer User]]></description>
<role-name>deployer</role-name>
</security-role>
<method-permission>
<description><![CDATA[Deployer Method Permission]]></description>
<role-name>deployer</role-name>
<method>
<description><![CDATA[All method for CCPStateBean]]></description>
<ejb-name>CCPStateBean</ejb-name>
<method-name>*</method-name>
</method>
</method-permission>
If the principal is included in the weblogic-ejb-jar as below, andthe
jndi lookup
includes the SECURITY_PRINCIPAL (e.g., jzhu), the code works fine.
<security-role-assignment>
<role-name>deployer</role-name>
<principal-name>jzhu</principal-name>
</security-role-assignment>
The problem comes when the principal is not included as aboveweblogic-ejb-jar
instead a role "deployer" is defined in WLS's, The user ("jzhu") isdefined in
the deployer group. And the deployer group belongs to deployer role.The
defaultRoleMapper
is enabled. In this scenario, the access failed due to insufficientpermission.
Can ejb-jar's role relates to WLS's role. Please advise. THX.
-John

How Does The security-role Mapping Work?

 I am studying the security part of the deployment descriptor. I am confused about
 how the mapping works.
 Suppose we have
 <security-role>
 <role-name>manager</role-name>
 </security-role>
 and
 <security-role-ref>
 <role-name>FOO</role-name>
 <role-link>manager</role-link>
 </security-role-ref>
 My first question is when a client of the servlet supplies a name for authentication,
 the name supplied should be FOO or can be, say, John Smith?
 Then, according to the Servlet Specification, a security role is a logical grouping
 of users defined by the Application Developer
 or Assembler. When the application is deployed, roles are mapped by a Deployer
 to principals or groups in the runtime environment.
 My second question is how deployer maps the role, say, manager, to principals
 or groups in the runtime environment?
 Thanks in advance.


 Thanks a lot, Udit.
 "Udit Singh" <[email protected]> wrote:
 >
 >Hello,
 >The role-name is mapped to principals or gruops based on the security-role-assignment
 >entrires in weblogic.xml. Let us say you have a role-name FOO and you
 >want to
 >assing this role to users John and Mark. You need to make this entry
 >in weblogic.xml-
 ><security_role_assignment>
 > <role-name>FOO</role-name>
 > <principal-name>John</principal-name>
 > <principal-name>Mark</principal-name>
 > </security_role_assignment>
 >
 >so now actually the user need to supply John or Mark as user name at
 >the time
 >of authentication . Hope it helps.
 >
 >Udit
 >
 >
 >"[email protected]" entrance wrote:
 >>
 >>I am studying the security part of the deployment descriptor. I am confused
 >>about
 >>how the mapping works.
 >>Suppose we have
 >><security-role>
 >><role-name>manager</role-name>
 >></security-role>
 >>
 >>and
 >>
 >><security-role-ref>
 >><role-name>FOO</role-name>
 >><role-link>manager</role-link>
 >></security-role-ref>
 >>
 >>My first question is when a client of the servlet supplies a name for
 >>authentication,
 >>the name supplied should be FOO or can be, say, John Smith?
 >>
 >>Then, according to the Servlet Specification, a security role is a logical
 >>grouping
 >>of users defined by the Application Developer
 >>or Assembler. When the application is deployed, roles are mapped by
 >a
 >>Deployer
 >>to principals or groups in the runtime environment.
 >>
 >>My second question is how deployer maps the role, say, manager, to principals
 >>or groups in the runtime environment?
 >>
 >>Thanks in advance.
 >>
 >>
 >>
 >

Invalid Security role-name error in Web Project

Hi All,
I have imported a J2EE application project built in JBOSS into NWDS 7.1.
While building the project i get the following error
CHKJ3020E:Invalid Security role-name error: PEHNTAHO_ADMIN
This error directs me to the following code in web.xml
<security-constraint>
 <display-name>Default JSP Security Constraints</display-name>
 <web-resource-collection>
 <web-resource-name>Portlet Directory</web-resource-name>
 <url-pattern>/jsp/*</url-pattern>
 <http-method>GET</http-method>
 <http-method>POST</http-method>
 </web-resource-collection>
 <auth-constraint>
 <role-name>PEHNTAHO_ADMIN</role-name>
 </auth-constraint>
 <user-data-constraint>
 <transport-guarantee>NONE</transport-guarantee>
 </user-data-constraint>
 </security-constraint>
I have tried out the following things to resolve this issue :
1) Remove the role manually(as suggested by various people in other J2EE forums), but then some other error came in to picture
2)Then I added the following code in web.xml
<security-role>
 <role-name>PEHNTAHO_ADMIN</role-name>
 </security-role>
Then the above mentioned build error gets resolved, but then I get the following error while deploying the application.
Dec 3, 2007 12:59:21 AM /userOut/daView_category (eclipse.UserOutLocation) [Thread[Deploy Thread,5,main]] ERROR: Deploy Exception.An error occurred while deploying the deployment item 'sap.com_AnalyticsApp2EAR'.; nested exception is:
 java.rmi.RemoteException: class com.sap.engine.services.dc.gd.DeliveryException: An error occurred during deployment of sdu id: sap.com_AnalyticsApp2EAR
sdu file path: D:\usr\sap\CE1\J01\j2ee\cluster\server0\temp\tcbldeploy_controller\archives\191\AnalyticsApp2EAR.ear
version status: HIGHER
deployment status: Admitted
description:
 1. Error:
Cannot update application sap.com/AnalyticsApp2EAR. Reason: The application sap.com/AnalyticsApp2EAR will not be update, because its validation failed. Reason:
ERRORS:
Web Model Builder: com.sap.engine.frame.core.configuration.NameNotFoundException: The parameter/s in String "<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
 
</web-app>
" is/are not defined and could not be substituted., file: AnalyticsApp2.war#WEB-INF/web.xml, column 0, line 0, severity: error
WARNINGS:
Web Model Builder: Following tests could not be executed because of failed precondition test "Web Model Builder" : Implicit Constraints Test, JSF Application Test, Mapping Test, Web File Existence Test, Web Class Existence Test, Security Role Test, file: AnalyticsApp2.war, column -1, line -1, severity: warning
3) I had also added the following code in web-j2ee-engine.xml
<security-role-map>
 <role-name>PEHNTAHO_ADMIN</role-name>
 <server-role-name>all</server-role-name>
 </security-role-map>
but still i get the same deployment error.
Please help me in resolving this problem.
Can anybody tell me the use of role "PEHNTAHO_ADMIN"?
Thanks and Regards,
Sruti

Hi Malathy,
Once the users are created in Authentication Provider, and once the roles are created in Weblogic Server, You just have to map users to roles in Jazn-data.xml.
Could you please let us know you created a roles named users in WLS ?
Thanks & Regards,
Murali.
============

Advice needed: what does your company log for SAP security role changes?

My client has a situation where for many years, they never logged changes to SAP security roles. By that I mean, they never logged even basic details, like who requested a change, tested it, approved it, and what changed!! Sadly their ticketing system is terrible, completely free-form text and not even searchable.
Does anyone here use Word docs, Excel sheets, or some other way to capture security role change details? What details do you capture? What about Projects, that involve dozens of changes and testing over several months?
I plan to recommend, at least, they need to use a unique# (a ticket#, or whatever) for every change and update the same in PFCG role desc tab, plus in CTS description of transports... but what about other details, since they have a bad ticketing system? I spoke with internal audit and change Mgmnt "manager" about it, and they are clueless and will not make recommendations. It's really weird but they will get into big trouble eventually without any logs for security changes!

Does anyone here use Word docs, Excel sheets, or some other way to capture security role change details? What details do you capture? What about Projects, that involve dozens of changes and testing over several months?
I have questions:
a) Do you want to make things straight
b) Do you want to implement a versioning mechanism
c) You cannot implement anything technical, but you`re asking about best "paper" practise?
The mentioned scenarios can be well maintained if you use SAP GRC Solutions 10 (Business Role Management)
Task Based, Approvals, Risk Analysis, SOD and role generation and maintenance in a structured way (Business Role Management). Workflow based, staged process with approvals.
PFCG transaction usage will be curtailed to minimum if implemented fully.
Do we really want to do things "outside" PFCG?
@all:
a) do you guys use custom approval workflows for roles?
b) how tight your processes are? how much paperwork, workflow, tickets, requests and incidents you have to go through to change a role?
c) who is a friend of GRC here, raise your hand
Cheers Otto
p.s.: very interesting discussion, I would like to learn something here about how it works out there in the wild

Shared JNDI view among security role

Hi,
We're working on project which needs to expose EJB across different Apps( EAR) in the same OC4J. To my knowledge, in order for those Apps to be able to access the JNDI entry for the exposed EJB, there could be follwing options.
* To enable JNDI entries to be global visiblle. so Bean can be accessible from all other App. This should not be a preferred option since we should not mandate that.
* Whichever app need to access the EJB, it should set the JNDI env to add the credential & JNDI provider URL.of the EJB so the EJB is accessible from those Apps. This adds up the complexity of the configuration for the EJB client.
Would like to see if there's such option to create certain kind of grouping so we can have all the Apps in the same group (e.g. with the same security role) to share the view of JNDI entries so that EJB clients don't need to maintain the credential & provider URL in order to access an EJB across Apps(EAR). Or any other option?
thanks
-Calvin

Calvin,
You can group your client applications together. Here is what you need to do:
1. Deploy your EJB's
2. When you deploy your client applications, under parent application choose the name of your EJB application. This way OC4J knows that the client application is a trusted source (i.e. a child of the parent) and it will not ask you for the credentials. You can then use the JNDI name of the resource that you are looking up.
When you choose the parent application, your server.xml will change and it will get a parent attribute:
<application name="clientapp" path="../applications/clientapp.ear" parent="EJBAppName" auto-start="true" />
Hope this helps.
Regards,
Deepak

Projects Contract (R 12.1.3) Security Role Assignment

Similar Messages

Maybe you are looking for