RDBMS Security realm 6.1-8.1 migration

Similar Messages

• Using RDBMS Security Realm in production?

  Hi,
  In the BEA documentation it is stated that 'The RDBMS Security Realm is an
  example and is not ment to be used in a production environment.'
  However, of the Realms that are available this one seems to be best suited
  for our needs, so I'm wondering if there is any specific reason why this
  Realm should not be used in production. Has anyone had any experience using
  it in a live environment?
  I would be thankful for any information on this.
  /Mattias Arthursson

  Hi.
  Try posting this on the security newsgroup.
  Regards,
  Michael
  Mattias Arthursson wrote:
  Hi,
  In the BEA documentation it is stated that 'The RDBMS Security Realm is an
  example and is not ment to be used in a production environment.'
  However, of the Realms that are available this one seems to be best suited
  for our needs, so I'm wondering if there is any specific reason why this
  Realm should not be used in production. Has anyone had any experience using
  it in a live environment?
  I would be thankful for any information on this.
  /Mattias Arthursson--
  Michael Young
  Developer Relations Engineer
  BEA Support

• Everyone group in an alternate RDBMS Security Realm

  We have implemented an alternate Oracle RDBMS security realm. The problem we have is that users added to the RDBMS realm do not show up in the console display of the Everyone group. Only users in the file realm show. Has anybody else experienced this behaviour? We have been able to confirm that users added to the RDBMS realm are indeed members of the Everyone group, they just don't show up as such in the console display.

  Rick Hendricks wrote:
  We have implemented an alternate Oracle RDBMS security realm. The problem we have is that users added to the RDBMS realm do not show up in the console display of the Everyone group. Only users in the file realm show. Has anybody else experienced this behaviour? We have been able to confirm that users added to the RDBMS realm are indeed members of the Everyone group, they just don't show up as such in the console display.Without looking at the code my guess would be that this is an artifact of an implementation where group "everyone" is backed by a class that always answers true to isMember() message and does not keep track of group members.
  Cheers,
  Alex

• RDBMSRealm - Cloudscape rdbms security realm

  Have a bit of a problem with the cloudscape rdbms security realm shipped with weblogic
  6.1
  I am trying the sample rdbmsrealm secuirty example in WLS6.1 SP2.
  I changed the class RDBMSRealm.java to add a public method say
  display();
  From my jsp page I have
  RDBMSRealm realm = new RDBMSRealm();
  realm.display();
  realm.getUser("jason").getName();
  When I run this I am able to access the display method, but
  the call to getUser fails with
  <Feb 27, 2002 12:58:11 PM PST> <Error> <HTTP> <[WebAppServletContext(5278096,for
  mauth,/formauth)] Servlet failed with Exception
  ERROR 40XL1: A lock could not be obtained within the time requested
  at c8e.c_.b.newException(Unknown Source)
  at c8e._g.g.lockObject(Unknown Source)
  at c8e._g.f.zeroDurationlockObject(Unknown Source)
  at c8e.as.r.lockRecordForRead(Unknown Source)
  at c8e.s.h.lockPositionForRead(Unknown Source)
  at c8e.s.d.fetchRows(Unknown Source)
  at c8e.w.g.fetchNextGroup(Unknown Source)
  at c8e.h.h.e(Unknown Source)
  at c8e.h.h.getNextRowCore(Unknown Source)
  at c8e.h.z_.getNextRow(Unknown Source)
  at c8e.k.n.movePosition(Unknown Source)
  at c8e.k.n.movePosition(Unknown Source)
  at c8e.k.n.next(Unknown Source)
  at examples.security.rdbmsrealm.RDBMSDelegate.getUser(RDBMSDelegate.java
  :270)
  In my JSP page when I
  weblogic.security.acl.CachingRealm realm =
  (weblogic.security.acl.CachingRealm) weblogic.security.acl.Security.getRealm();
  realm.getUser() works, But I am not able to access/find display()
  realm.display();
  Any suggestions would help. Thanks
  Seshadri
  <CachingRealm BasicRealm="defaultRDBMSRealmForCloudscape" Name="defaultCachingRealm"/>
  <Realm CachingRealm="defaultCachingRealm" FileRealm="wl_default_file_realm" Name="wl_default_file_realm"/>

  "Seshadri" <[email protected]> wrote:
  >
  Have a bit of a problem with the cloudscape rdbms security realm shipped
  with weblogic
  6.1
  I am trying the sample rdbmsrealm secuirty example in WLS6.1 SP2.
  I changed the class RDBMSRealm.java to add a public method say
  display();
  From my jsp page I have
  RDBMSRealm realm = new RDBMSRealm();
  realm.display();
  realm.getUser("jason").getName();
  When I run this I am able to access the display method, but
  the call to getUser fails with
  <Feb 27, 2002 12:58:11 PM PST> <Error> <HTTP> <[WebAppServletContext(5278096,for
  mauth,/formauth)] Servlet failed with Exception
  ERROR 40XL1: A lock could not be obtained within the time requested
  at c8e.c_.b.newException(Unknown Source)
  at c8e._g.g.lockObject(Unknown Source)
  at c8e._g.f.zeroDurationlockObject(Unknown Source)
  at c8e.as.r.lockRecordForRead(Unknown Source)
  at c8e.s.h.lockPositionForRead(Unknown Source)
  at c8e.s.d.fetchRows(Unknown Source)
  at c8e.w.g.fetchNextGroup(Unknown Source)
  at c8e.h.h.e(Unknown Source)
  at c8e.h.h.getNextRowCore(Unknown Source)
  at c8e.h.z_.getNextRow(Unknown Source)
  at c8e.k.n.movePosition(Unknown Source)
  at c8e.k.n.movePosition(Unknown Source)
  at c8e.k.n.next(Unknown Source)
  at examples.security.rdbmsrealm.RDBMSDelegate.getUser(RDBMSDelegate.java
  :270)
  In my JSP page when I
  weblogic.security.acl.CachingRealm realm =
  (weblogic.security.acl.CachingRealm) weblogic.security.acl.Security.getRealm();
  realm.getUser() works, But I am not able to access/find display()
  realm.display();
  Any suggestions would help. Thanks
  Seshadri
  <CachingRealm BasicRealm="defaultRDBMSRealmForCloudscape" Name="defaultCachingRealm"/>
  <Realm CachingRealm="defaultCachingRealm" FileRealm="wl_default_file_realm"
  Name="wl_default_file_realm"/>

• Weblogic security realm mapping to DB

  I have one question about Weblogic 7.01 security.
  I have created USER, GROUP and ROLES table in my RDBMS.
  Can I use the RDBMS realm if my users are in a database
  table already? Can I tune Weblogic security realm to my database tables?
  Any advice or links will be very appreciate.
  Thanks a lot for any help, Volodymyr Shram.

  Thanks, criokeeper for your fast answer.
  Woould you so kind to explain me one moment.
  At http://e-docs.bea.com/wls/docs70/ConsoleHelp/domain_rdbmsrealm_config_general.html I found that "To use the RDBMS security realm, you need to use Compatibility security. The use of the RDBMS security realm is deprecated in WebLogic Server 7.0."
  What does that means? Have I use the Compatibility security or it's jaust for ver. 6.x to ver.7.0 migration?
  Thanks a lot for your answer.
  Regards, Volodymyr.

• RDBMS Security Store supporting multiple domains

  Can one instance of the RDBMS Security Store be utilized to support multiple WLS 10.3.2 domains?
  I have several 10.3.2 domains, all of which have clusters and role requirements? The documentation 'suggests' one Store per domain, but all of the tables in the schema contain DOMN (domain) and REALMN (realm) columns that would seem to indicate domain independence. It would be nice to be able to manage one Store schema that supports several Domains.

  Hi,
  The document which you are referring is for WLS 10.0 and RDBMS security is introduced from WLS 10.3.0 onwards.
  The reason why RDBMS security store should not be stored between two domains is RDBMS security store is used by authorization, role mapping, credential mapping, and certificate registry providers.
  Once the RDBMS security store is configured in a domain, an instance of any of the preceding security providers that has been created in the security realm automatically uses only the RDBMS security store as a datastore, and not the embedded LDAP server.
  It is just the replacement for Embedded LDAP.
  Thanks & Regards,
  Murali.
  ============

• Fusion Middlewar Enterprise Manager & RDBMS Security Store

  Hello,
  when using a weblogic soa domain configured with the realm to use RDBMS Security Store or adding a new SQLAuthProvider into the realm, the Fusion Middleware Enterprise manager does not show status of servers and deployed components anymore. Everything is red and the status column shows a clock.
  It seems that Enterprise Manager Application does not work (cannot retrieve status of servers and deployed components) when using a SQL Auth provider or RDBMS Security store.
  Does anyone have the same problem??
  Database used: oracle 11g. SOA Suite 11.1.1.6
  Thanks.
  Alexander
  Edited by: user13290225 on Nov 1, 2012 7:55 AM
  Edited by: user13290225 on Nov 1, 2012 7:55 AM

  I have cleared the tmp Folder under the Admin Server Directory and restarted the server..but still facing the same error..How to resolve the error *"oracle.adf.share.security.authentication.AuthenticationServlet"*

• Accessing Custom Security Realm and NotOwnerException.

  I have installed the RDBMS example security realm, which appears to work fine. However when I attempt to access this realm from a Servlet via Realm.getRealm("name") I get an NotOwnerException being thrown.
  Ideas ?
  regards,
  Jeff.

  We did something similar in a past project, and it turned out to be more of a mess than
  it was worth it (not only the "chicken-egg" dilemma with system, guest, administrator
  users, etc., but also with various lookup and threading issues.) We ended up ripping
  out the code and writing a new one which does not use an EJB.
  EJB are supposed to be written in terms of container services (which security being one
  of the services the container provides) but in this scenario you'd be writing one of the
  container services in terms of EJBs, so it "breaks" the proper layering.
  In our case, we wanted to "encapsulate" our security code from Weblogic's propreitary
  realm mechanism, at the end we still achieved without having to create a session bean
  (sometimes regular Java classes work just fine) :-)
  regards,
  -Ade
  "watscheck" <[email protected]> wrote in message news:[email protected]..
  >
  Hi,
  i want to use a sessonEJB as my security store for the custom security realm in
  weblogic server 6.1.
  Has anyone experience with that?
  First i have to pass all filerealm users through my custom realm (csr) because
  it is not possible to authenticate the system and guest users before the sessionEJB
  itself is loaded.
  OK, but my problem is the authentication of the csr at the sessionEJB, which is
  itself secured by method-permission in it's assemblydesciptor. So i have to get
  an initialcontext with an authorized user for the sessionEJB an invoke all protected
  methods with this principal.
  But Bea WLS has a problem with propagating this user back to the actual application.
  Is there a way that the application (web-app and ejbs) is not affected by the
  authentification of the csr at the sessionEJB (security store)?
  And is it right that the new initialcontext in the csr always overrides the bea
  context and with that the servlet request of the web-app?
  thanks in advance
  watscheck

• Can we share one single RDBMS security store across multiple domains ?

  Can we share one single RDBMS security store across multiple weblogic domains? The idea is to utilize the same set of users and group defined in Weblogic Security Realms across multiple weblogic domains. Is it possible ? are there any risk ?
  i am using Oracle WebLogicServer11gR1 (10.3.6) Generic with Coherence.

  Hi,
  The document which you are referring is for WLS 10.0 and RDBMS security is introduced from WLS 10.3.0 onwards.
  The reason why RDBMS security store should not be stored between two domains is RDBMS security store is used by authorization, role mapping, credential mapping, and certificate registry providers.
  Once the RDBMS security store is configured in a domain, an instance of any of the preceding security providers that has been created in the security realm automatically uses only the RDBMS security store as a datastore, and not the embedded LDAP server.
  It is just the replacement for Embedded LDAP.
  Thanks & Regards,
  Murali.
  ============

• Extend Weblogic domain RDBMS security store

  Hello experts,
  I want to include the RDBMS security store option to my domain. However, it is a fact that this option is not available when extending an existing domain and it is only available when creating a new one.
  Therefore, I created a new domain (with the RDBMS option) and I imported the realm of my default domain. The problem is that the default instance of BI <BI_HOME>/instances/instance1 is associated with the old domain, and when I login to the Enterprise Manager, the overview page indicates that there is no data to display, since no Presentation services are available.
  I can create a new instance of the BI, by using the config.sh command, and select the Scale out BI system option, in order to create instance 2. My question is, how to associate the new domain of weblogic with the new instance of BI?
  I would appreciate your help since no available solution is found, and I spent weeks on these issue.
  Thanks
  Angelina

  Zakir,
  Probably better asked on the WLS forum.
  John

• How to implement a tree like security realm?

  hi all:
  i am working on a project . it's a very complex one and most importantly there's
  so many
  functions( 1000 or more) and every fuction should be protected resources. so i have
  to define many roles and map the roles to the many functions. it's a very tiring
  job and
  i am not sure the role to function mapping is stable one. because the mapping is
  saved in
  a xml file and this file is depolyed with the application, so if there s any changes
  we have to redeploy all the application and restart the server.
  there s still another problem. we want security realm to be a tree instead of
  a flat one( weblogic's group is a flat one ) . if we assign a node to a role all
  its children
  belong to the same role.
  so is there way to do this. any solution?
  regards
  daniel wang

  maybe you could exploit the way ACLs have dotted names to reflect your tree
  structure, so the acl root applies to all functions, root.branch1 only
  applies to functions on branch branch1, and root.branch1.branch2 applies to
  functions on branch2 of branch1. there´s an api that gets the most specific
  acl given a path to a node.
  i'm not it´s acls that you want to correspond to nodes, but maybe you can
  work out some kind of scheme that gives you what you want.
  andrew
  "daniel" <[email protected]> escribió en el mensaje
  news:3d16efc7$[email protected]..
  >
  hi all:
  i am working on a project . it's a very complex one and mostimportantly there's
  so many
  functions( 1000 or more) and every fuction should be protected resources.so i have
  to define many roles and map the roles to the many functions. it's a verytiring
  job and
  i am not sure the role to function mapping is stable one. because themapping is
  saved in
  a xml file and this file is depolyed with the application, so if there sany changes
  we have to redeploy all the application and restart the server.
  there s still another problem. we want security realm to be a treeinstead of
  a flat one( weblogic's group is a flat one ) . if we assign a node to arole all
  its children
  belong to the same role.
  so is there way to do this. any solution?
  regards
  daniel wang

• How to retrieve Global Roles in a the current security realm?

  Is there a WLS API available that obtains a list of mapped global roles (defined in a security realm) from an application?
  I want to be able to do a getRoles call against an authenticated user. So far, I'm only able to use isUserInRole. What I need is a list of all global roles mapped to a user's group.
  Thanks all...
  Message was edited by:
  raymondng

  You can refer to the api
  http://e-docs.bea.com/wls/docs81/javadocs/weblogic/management/security/authorization/RoleReaderMBean.html#getRoleExpression
  -Ramkumar

• Adding a user to the File Security Realm

  Hello,
  When I attempt to add a new user to the file realm with Application Server->Security-Realms->file-> Manage Users, I get the error:
  A "com.sun.enterprise.tools.guiframework.exception.FrameworkError" was caught. The message from the exception: "Unable to get View for ViewDescriptor 'fileUsers'"
  The root cause is "java.lang.ArrayIndexOutOfBoundsException: 0"
  See the HTML source for more detailed (stack trace) information.
  When I look at the file C:\Sun\AppServer\domains\samples/config/keyfile I see the new user added, but the Admin Console is not happy...
  Please advise.
  -- POC

  There are some issues in admin gui for managing security service in beta.
  I have verified that this has been fixed in FCS branch.
  Since the user and password has been written to keyfile in your scenario, it may be OK.
  You can try to use the user. If this is not working, then restarting the server should work.
  Another way is to create user by using asadmin command. This is working fine in beta.

• Errors encountered while using a Custom Security Realm on a Platform Domain

  Hi,
  We have created a WebLogic Platform Domain. A WebLogic Portal application(Portal
  7.0) and some Web Service apps are running on this domain.
  We have created a Custom Security Realm b'cos of our application requirements
  and now when I startup the Platform Domain, I see lot of errors.
  Some of the errors typically are
  "<Jan 16, 2003 4:07:02 PM EST> <Error> <HTTP> <101256> <The run-as user: wlisystem,
  for the servlet: ApplicationView for the webapp: /WLI_AI_Workshop_Control_Web,
  could not be resolved to a valid user in the system. Please check if the user
  exists.
  javax.security.auth.login.LoginException: Authentication Failed: User wlisystem
  denied in Realm Adapter realm weblogic"
  or
  Unable to deploy EJB: wlai-eventprocessor-ejb.jar from wlai-eventprocessor-ejb.jar:weblogic.ejb20.WLDeploymentException:
  weblogic.ejb20.interfaces.PrincipalNotFoundException: Authentication Failed: User
  wlisystem denied in Realm Adapter realm weblogic
  Do we have to create any predefined user accounts in the Security Store to get
  rid of these errors. I would appreciate if anyone can suggest some tips or workarounds
  for configuring or creating a Custom Security Realm for Web Logic Platform Domain.
  Thanks
  Vikram

  Hello Vikram,
  Are you using the new WLS 7.0 security framework? It is not supported for
  Portal 7.0. For Portal 7.0 apps you have to use compatibility mode (6.x
  style) security.
  Ture Hoefner
  BEA Systems, Inc.
  www.bea.com
  "Vikram Datla" <[email protected]> wrote in message
  news:3e273015$[email protected]..
  >
  Hi,
  We have created a WebLogic Platform Domain. A WebLogic Portalapplication(Portal
  7.0) and some Web Service apps are running on this domain.
  We have created a Custom Security Realm b'cos of our applicationrequirements
  and now when I startup the Platform Domain, I see lot of errors.
  Some of the errors typically are
  "<Jan 16, 2003 4:07:02 PM EST> <Error> <HTTP> <101256> <The run-as user:wlisystem,
  for the servlet: ApplicationView for the webapp:/WLI_AI_Workshop_Control_Web,
  could not be resolved to a valid user in the system. Please check if theuser
  exists.
  javax.security.auth.login.LoginException: Authentication Failed: Userwlisystem
  denied in Realm Adapter realm weblogic"
  or
  Unable to deploy EJB: wlai-eventprocessor-ejb.jar fromwlai-eventprocessor-ejb.jar:weblogic.ejb20.WLDeploymentException:
  weblogic.ejb20.interfaces.PrincipalNotFoundException: AuthenticationFailed: User
  wlisystem denied in Realm Adapter realm weblogic
  Do we have to create any predefined user accounts in the Security Store toget
  rid of these errors. I would appreciate if anyone can suggest some tips orworkarounds
  for configuring or creating a Custom Security Realm for Web Logic PlatformDomain.
  >
  Thanks
  Vikram

• What is the best way to deploy/update custom security realm classes to WLS 6.0?

  From the WLS 6.0 console, I see that I can specify the Java class that
  implements my custom security realm but I am wondering what is the best way
  to deploy/update this code. I don't see a way to do this from the console.
  Does this mean that I have to manually copy the class files over that
  implement my custom security realm?

  Thanks Danut,
  A jar file seems to be a good way to package it up but it sounds like it
  still needs to be manually copied to each Weblogic server install directory
  post-installation and whenever it is updated. I thought it would be nice to
  be able to deploy/update the custom security realm by uploading it through
  the Console just as you can with web applications and EJBs.
  Brian
  "Danut Prisacaru" <[email protected]> wrote in message
  news:3aba2db0$[email protected]..
  You have to have your Custom Realm class in the class path. I usually havea
  jar file with all the Custom Realm classes and that jar I copy it in thelib
  folder. Then I modify "startWebLogic.cmd" and I add to the classpath
  ".\lib\CustomRealm.jar"
  set
  CLASSPATH=.;.\lib\weblogic_sp.jar;.\lib\weblogic.jar;.\lib\CustomRealm.jar;
  >
  Be aware that in order to have you custom realm besides creating thecustom
  realm using the console you also have to create a custom caching andchoose
  that one as your default caching realm.
  Here is how the security settings are looking in my "config.xml"
  <CustomRealm Name="CustomRealm"
  RealmClassName="Custom.appserver.weblogic.security.CustomRealm"/>
  <CachingRealm BasicRealm="CustomRealm" CacheCaseSensitive="true"
  Name="CustomCachingRealm"/>
  <Realm CachingRealm="CustomCachingRealm" FileRealm="wl_default_file_realm"
  Name="wl_default_realm"/>
  <FileRealm Name="wl_default_file_realm"/>
  <Security GuestDisabled="false"
  Name="mydomain" PasswordPolicy="wl_default_password_policy"
  Realm="wl_default_realm"/>
  Danut