Scalability of the security realm / isUserInRole?
When callling isUserInRole(), it seems that WLS6.1sp3 wants to load all
the users in the role into memory and eventually call getUser() on each of
them. Could someone verify or debunk that this is indeed what's happening?
We have roles with thousands of users in them so the above gets very
expensive to do (even with group/user caching timeout extended.)
Are there any workarounds to improve isUserInRole performance?
thanks,
-Ade
We wanted some thread dumps at intervals, but didn't want to have to do it manually so I created a Windows Scripting Host script to perform the Ctrl-Breaks.
You may be able to do the same and execute it from a telnet command prompt (this of course assumes that you have telnet set up and also the Windows Scripting host installed).
Similar Messages
-
Hello,
I've got a SOA Suite development environment set up and whilst trying to change the weblogic password using this tutorial a problem arose with my soa managed server.
Firstly I was unable to start the Managed SOA server due to mismatching passwords, and after I modified the boot.properties file, now I cant start the usermessagingserver and soa_infra applications due to the following error:
Error 1
Getting weblogic deployment manager.
Got weblogic deployment manager.
Invoking Start Up operation.
Start Up operation for application usermessagingserver on target soa_server1 RUNNING.
Start Up operation for application usermessagingserver on target soa_server1 FAILED.
weblogic.application.ModuleException: Exception preparing module: EJBModule(sdpmessagingclient-ejb-parlayx.jar)
Unable to deploy EJB: MessagingClientParlayX from sdpmessagingclient-ejb-parlayx.jar:
The run-as security principal, 'OracleSystemUser', chosen for the EJB 'MessagingClientParlayX(Application: usermessagingserver, EJBComponent: sdpmessagingclient-ejb-parlayx.jar)' is not a valid user principal in the current security realm. Please specify a valid user principal for the EJB to use.
Getting weblogic deployment manager.
Got weblogic deployment manager.
Invoking Start Up operation.
Start Up operation for application soa-infra on target soa_server1 RUNNING.
Start Up operation for application soa-infra on target soa_server1 FAILED.
weblogic.application.ModuleException: Exception preparing module: EJBModule(hw_services_wls_ejb.jar)
Unable to deploy EJB: ASNSInteraction from hw_services_wls_ejb.jar:
The run-as security principal, 'OracleSystemUser', chosen for the EJB 'ASNSInteraction(Application: soa-infra, EJBComponent: hw_services_wls_ejb.jar)' is not a valid user principal in the current security realm. Please specify a valid user principal for the EJB to use.
I've checked both weblogic and OracleSystemUser users and their groups are (respectfully) Administrators and OracleSystemGroup.
I've searched for an answer to this problem and found this other support article but couldn't resolve the issue.
The weblogic server version is 10.3.2.0 and it's running on RedHat Linux.@Sri_Sonti
In the Admin Console, I can see both users in the security realm with the following configs:
weblogic:
all atributes with the "value" column blank
groups: Administrators
OracleSystemUser
all atributes with the "value" column blank
groups: OracleSystemGroup
Also I have not found the system-jazn-data.xml file you mentioned. In that folder there's only a readme.txt file.
Best Regards,
luismcs
Enter Cookie as format:
(ex: name=val;) separate with ';'
OKCancel -
Authentication via weblogic security realm
My servlet needs to access a session bean. The action in the session bean requires
that a user has been authorized, i.e. at some point the session been calls
String name = d_ctx.getCallerPrincipal().getName()
This name may not be null at this time.
What I would like to have is that the user executing the URL gets authenticated
by my server realm 'myrealm' and that the associated prinicpal gets passed to
the session bean. Is this possible. If so, how can the user pass along the username
and password as this query is executed programmatically?
markus
http://www.weblogic.com/docs51/classdocs/API_acl.html
Michael Girdley
BEA Systems Inc
"gennot" <[email protected]> wrote in message
news:[email protected]..
Could you send me the complete URL of these example, please?
Thanks
Enrico
Michael Girdley <[email protected]> wrote in message
39b87078$[email protected]..
The passing of the client's certificate should be automatic to WebLogic.We
have an example of getting the client side certificate from inside of
WebLogic in our documentation.
This does not require for SSL to be used from the Web server to
WebLogic.
>>
Thanks,
Michael
Michael Girdley
BEA Systems Inc
"Bob Simonoff" <[email protected]> wrote in message
news:[email protected]..
I have read through the docs and haven't found anything that would
address
the following confusion:
Suppose I want to use Apache or IPlanet as the webserver with WebLogicas
the back end application server (obviously). I have the need to use 2way
SSL authentication. As I understand it the following applies:
Client (browser) has a certificate as does the web server. Theyauthenticate
each other.
Now, the web server and weblogic need to communicate. WebLogic, in our
environment does authentication via the security realm.
What do I have to do to get the the web server (Apache or IPlanet) to
communicate the client's certificate to WebLogic so the WebLogic canperform
the authentication?
Does the communication between the web server and WebLogic also need
to
be
SSL?
Thanks
Bob Simonoff -
Using Weblogic 7.0 I have an LDAP security realm setup with the LDAP URL admins
user name and password. I want to be able to interface this connection to access
the LDAP and make changes to user information within in the ldap. Right now in
my code I make a connection to the LDAP and supply the same user name and password
set up in the LDAP security realm. I want to be able to rather then re-supply
the URL and user name and password in my code I want to be able to just get that
(or create a connection simil;ar to a jdbc connection pool) connection to the
LDAP that configured in the Security Realm. Is this possible? And how would I
go about it if so?
Thanks
Sjbthe LDAPConnection pool which is used WLS Realm is not accessible to public
for programming.
thanks
kiran
"Sjb" <[email protected]> wrote in message
news:3f5744c1$[email protected]..
>
Using Weblogic 7.0 I have an LDAP security realm setup with the LDAP URLadmins
user name and password. I want to be able to interface this connection toaccess
the LDAP and make changes to user information within in the ldap. Rightnow in
my code I make a connection to the LDAP and supply the same user name andpassword
set up in the LDAP security realm. I want to be able to rather thenre-supply
the URL and user name and password in my code I want to be able to justget that
(or create a connection simil;ar to a jdbc connection pool) connection tothe
LDAP that configured in the Security Realm. Is this possible? And howwould I
go about it if so?
Thanks
Sjb -
Security realm, WebLogic Portal 7.0 and Windows NT 4.0
Hello!
My name is Miriam Serrano i and I write to request aid.
I am working with WebLogic Portal version 7.0 and I need to make a Security realm
with
Windows NT 4.0 server.
In the console of weblogic if I see the NT users ,
but when I want to make enter the application of stockportal
single access with administrators and not with the other users
of the Portal groups, as I can enter with NT groups?
as I can make the security realm with Portal(users and groups)
and windows NT 4.0? exists a document?
it already makes the procedures of Security Realm with Windows NT?
but as I bind with Weblogic Portal to it?
Can I help me?
thanksHello!
My name is Miriam Serrano i and I write to request aid.
I am working with WebLogic Portal version 7.0 and I need to make a Security realm
with
Windows NT 4.0 server.
In the console of weblogic if I see the NT users ,
but when I want to make enter the application of stockportal
single access with administrators and not with the other users
of the Portal groups, as I can enter with NT groups?
as I can make the security realm with Portal(users and groups)
and windows NT 4.0? exists a document?
it already makes the procedures of Security Realm with Windows NT?
but as I bind with Weblogic Portal to it?
Can I help me?
thanks -
Configure security realm for external Access Manager in App server 8.1
Hi All,
I would like to protect my j2ee application using access manager running on an external host.
I would like to configure the security realm in Sun app Server 8.1 for the external Access Manager
external host & port of AM is:
http://svrd234d.dnn.com.au:58765
Please verify if these are the correct settings for the agentRealm configuration on Sun App server 8.1.
classname="com.sun.amagent.as.realm.AgentRealm"
property name="jaas-context" value="agentRealm"
property name="base-dn" value="ou=People,dc=dnn,dc=com,dc=au"
property name="hostURL " value="http://svrd234d.dnn.com.au:58765"Did you download AS8.1 agent under http://www.sun.com/download/products.xml?id=4266924d?
If you can unjar am_as81_agent_2_1.jar after installing the J2EE agent, you will find AgentRealm.class under com.sun.amagent.as.realm.
Please also note that page 161 of J2EE agent guide shows how to disable AgentRealm to better fit your agent policy mode. Check it out http://docs-pdf.sun.com/816-6884-10/816-6884-10.pdf
Jerry -
Webcenter spaces user and group and WLS security realm
I want to configure external ORACLE DB,
I configed the security realm in WLS, and I can see the user and group list in WLS page, But I cant find any of them in webcenter spaces,
and also can not login with those users.
I added a user with WLS, it works well.
do I need to do other configrations?First you need to create a Administrator for this new identity stores. Weblogic user is not identified now because its not mapped by first authenticator. See Oracle WebCenter Admin Guide, section 28.4.1.1 Granting the WebCenter Spaces Administrator Role Using FusionMiddleware Control. Once you have done this step, do the same steps for other application user. For this you have to give Application role to other user so that they can login and use WebCenter Space.See Oracle WebCenter Admin Guide, Section 28.4.2.1 Granting Application Roles Using Fusion Middleware Control.
After doing above steps, restart WC_Spaces managed server. -
Security realms - provider - LDAP (OID) - error: autentication denied
I follow the link http://www.oracle.com/technology/products/jdev/tips/fnimphius/oidconfig/index.html to configure OID authentication in weblogic server. I am able to see all the OID user in the security realms (users and groups page). I change the control flag to SUFFICIENT. however, I still could not login as orcladmin. I got "The username and password has been refused by WebLogic Server". Could someone assist further on troubleshooting this issue?
I had a cheat sheet that got me through this topic which seems to have disappeared since Oracle has taken over BEA... maybe someone can help us find it again (or a similar reference) but this was the old link:
Link: [https://support.bea.com/application_content/product_portlets/support_patterns/wls/UnderstandingLDAPGroupMembershipSearchPattern.html]
In short, there are three patterns for authentication that are recognized as the defacto standards for implementation and your directory structure must conform to one of these three patterns into order for the authentication schemes to work. You have not provided enough information in your post for me to say whether or not you have met the criteria. If you can find these three patterns, you can determine if you meet them. If you fail, you will need to write a custom security authenticatio module (documented in the Weblogic documentation somewhere) to enable WL use your setup.
Hope it gets you in the right direction at least....
Keith -
How to retrieve Global Roles in a the current security realm?
Is there a WLS API available that obtains a list of mapped global roles (defined in a security realm) from an application?
I want to be able to do a getRoles call against an authenticated user. So far, I'm only able to use isUserInRole. What I need is a list of all global roles mapped to a user's group.
Thanks all...
Message was edited by:
raymondngYou can refer to the api
http://e-docs.bea.com/wls/docs81/javadocs/weblogic/management/security/authorization/RoleReaderMBean.html#getRoleExpression
-Ramkumar -
Adding a user to the File Security Realm
Hello,
When I attempt to add a new user to the file realm with Application Server->Security-Realms->file-> Manage Users, I get the error:
A "com.sun.enterprise.tools.guiframework.exception.FrameworkError" was caught. The message from the exception: "Unable to get View for ViewDescriptor 'fileUsers'"
The root cause is "java.lang.ArrayIndexOutOfBoundsException: 0"
See the HTML source for more detailed (stack trace) information.
When I look at the file C:\Sun\AppServer\domains\samples/config/keyfile I see the new user added, but the Admin Console is not happy...
Please advise.
-- POCThere are some issues in admin gui for managing security service in beta.
I have verified that this has been fixed in FCS branch.
Since the user and password has been written to keyfile in your scenario, it may be OK.
You can try to use the user. If this is not working, then restarting the server should work.
Another way is to create user by using asadmin command. This is working fine in beta. -
What is the best way to deploy/update custom security realm classes to WLS 6.0?
From the WLS 6.0 console, I see that I can specify the Java class that
implements my custom security realm but I am wondering what is the best way
to deploy/update this code. I don't see a way to do this from the console.
Does this mean that I have to manually copy the class files over that
implement my custom security realm?Thanks Danut,
A jar file seems to be a good way to package it up but it sounds like it
still needs to be manually copied to each Weblogic server install directory
post-installation and whenever it is updated. I thought it would be nice to
be able to deploy/update the custom security realm by uploading it through
the Console just as you can with web applications and EJBs.
Brian
"Danut Prisacaru" <[email protected]> wrote in message
news:3aba2db0$[email protected]..
You have to have your Custom Realm class in the class path. I usually havea
jar file with all the Custom Realm classes and that jar I copy it in thelib
folder. Then I modify "startWebLogic.cmd" and I add to the classpath
".\lib\CustomRealm.jar"
set
CLASSPATH=.;.\lib\weblogic_sp.jar;.\lib\weblogic.jar;.\lib\CustomRealm.jar;
>
Be aware that in order to have you custom realm besides creating thecustom
realm using the console you also have to create a custom caching andchoose
that one as your default caching realm.
Here is how the security settings are looking in my "config.xml"
<CustomRealm Name="CustomRealm"
RealmClassName="Custom.appserver.weblogic.security.CustomRealm"/>
<CachingRealm BasicRealm="CustomRealm" CacheCaseSensitive="true"
Name="CustomCachingRealm"/>
<Realm CachingRealm="CustomCachingRealm" FileRealm="wl_default_file_realm"
Name="wl_default_realm"/>
<FileRealm Name="wl_default_file_realm"/>
<Security GuestDisabled="false"
Name="mydomain" PasswordPolicy="wl_default_password_policy"
Realm="wl_default_realm"/>
Danut -
Function of the default realm in security settings?
What is the function of the default realm in the security settings of the app server?
what is the effect of specifying "ldap" as the realm-name in the login-config in web.xml? When specifying ldap, but leaving the default realm on "file", ldap is not used. only when changing the default realm to ldap, ldap authentication is attempted.
Is there a way to debug the actual query that is being sent to the configured ldap server? when setting the log-level to finest, some information is provided, but not enough.
TIA
PeterHi Peter,
Specifying the realm name in the web.xml won't help. The user will be authenticated with whatever the default realm set in the AppServer. So here the realm specified in web.xml doesn't have any use.
If you want to use LDAP for your user authentication change the DefaultRealm to LDAP instead of File. Also configure the LDAPRealm properties to point to the correct directory server and directory name.
Maximum information will be logged when the LOG Level is set to FINEST and Audit is enabled in the Secuirty node of the appServer adminGUI, that will contain the default realm set and any security related activities logged.
Do the following to enabled the Maximum logging.
Open up the AdminGUI and goto the security node under the server1 instance.Click on the General tab on the right frame and set the log level to FINEST and check the Audit checkbox . Save, apply the changes and restart the AppServer .During the startup the log will show what is the default realm set.
While the application is running all the security messages will be logged.
Sankar -
Hi,
I have different sets of users coming from different databases and using different
roles mapping for each of my web applications. I would like to configure a specific
security realm per application in my weblogic server 7.0 . Is it possible ?
I try to specify the realm-name of the login-config tag from the web-xml deployement
descriptor but it doesn't make any difference. The default realm is always used.
I also would like to tell the Weblogic server to use the default realm in case
the realm isn't specified or isn't found. For example, the default would contains
my admin users.
Thanks a lot for your answer.
IzI thik this is a common mistake the ralm-name tag in the deployment descriptor is used
just by the browser for display purposes (when it opens the basic auth dialog box) so as
of now there is only 1 active realm which can have multiple providers as Kevin pointed
out
Kevin Lewis wrote:
WebLogic 7 now ignores the realm-name tag (I found that out yesterday).
My understanding is that there is only one realm active at a time for a domain
(I would be interested in being contradicted in this).
However, you can have multiple providers in each category of a realm: authentication,
authorization, etc. Therefore, what you can do is key authentication, et al,
off of some other information. We have our users enter their company, for example,
and use the TextInputCallback to get it. You could also encode something in the
initial page, based on the URL they hit, or whatever, and get that back in your
callback.
You can store that information in your own Principal implementation, and key off
of that in your authorization provider, going to a different database as appropriate,
or abstaining when a specific provider doesn’t have anything to say about a subject.
Anyway, there should be a way to do it, even if it's more complex than you would
have hoped.
--Kevin -
Proper security realm for ecommerce user
I would like to use j2ee security on our ecommerce site (isUserInRole, getUserPrincipal,
web.xml declarative functionality to protect resources), but my problem is not
knowing what security realm to I use to manage the user. The site has thousands
of users and they need the ability to create an account which will determine their
"role" based on what membership fee they paid. After they have an account they
can login an have access to sections of the site that are permitted to them based
on role. All the examples I've seen about weblogic security is using LDAPs or
their internal RDMS. How can I have weblogic use our own database or is there
a best practice to accomplish the task I need? Any information would be helpful!!It sounds like you have many users in your database, but not that many roles
& policies.
Probably you can use the DefaultRoleMapper and DefaultAuthorizer for your
roles & policies.
You need a database based authentication provider. Check out the sample
dbms authentication provider on the dev2dev center:
http://dev2dev.bea.com/codelibrary/code/sec_rdbms.jsp
-tm
"fed " <[email protected]> wrote in message
news:4010111d$[email protected]..
>
I would like to use j2ee security on our ecommerce site (isUserInRole,getUserPrincipal,
web.xml declarative functionality to protect resources), but my problem isnot
knowing what security realm to I use to manage the user. The site hasthousands
of users and they need the ability to create an account which willdetermine their
"role" based on what membership fee they paid. After they have an accountthey
can login an have access to sections of the site that are permitted tothem based
on role. All the examples I've seen about weblogic security is usingLDAPs or
their internal RDMS. How can I have weblogic use our own database or isthere
a best practice to accomplish the task I need? Any information would behelpful!! -
How to implement a tree like security realm?
hi all:
i am working on a project . it's a very complex one and most importantly there's
so many
functions( 1000 or more) and every fuction should be protected resources. so i have
to define many roles and map the roles to the many functions. it's a very tiring
job and
i am not sure the role to function mapping is stable one. because the mapping is
saved in
a xml file and this file is depolyed with the application, so if there s any changes
we have to redeploy all the application and restart the server.
there s still another problem. we want security realm to be a tree instead of
a flat one( weblogic's group is a flat one ) . if we assign a node to a role all
its children
belong to the same role.
so is there way to do this. any solution?
regards
daniel wangmaybe you could exploit the way ACLs have dotted names to reflect your tree
structure, so the acl root applies to all functions, root.branch1 only
applies to functions on branch branch1, and root.branch1.branch2 applies to
functions on branch2 of branch1. there´s an api that gets the most specific
acl given a path to a node.
i'm not it´s acls that you want to correspond to nodes, but maybe you can
work out some kind of scheme that gives you what you want.
andrew
"daniel" <[email protected]> escribió en el mensaje
news:3d16efc7$[email protected]..
>
hi all:
i am working on a project . it's a very complex one and mostimportantly there's
so many
functions( 1000 or more) and every fuction should be protected resources.so i have
to define many roles and map the roles to the many functions. it's a verytiring
job and
i am not sure the role to function mapping is stable one. because themapping is
saved in
a xml file and this file is depolyed with the application, so if there sany changes
we have to redeploy all the application and restart the server.
there s still another problem. we want security realm to be a treeinstead of
a flat one( weblogic's group is a flat one ) . if we assign a node to arole all
its children
belong to the same role.
so is there way to do this. any solution?
regards
daniel wang
Maybe you are looking for
-
Office 2013 Setup Logging Template %hostname% Config.xml
Hello, we want to deploy Office 2013 through SCCM with a Log-File which should be stored on a Server. To identify from which Computer the log file is, it should be named like the hostname. I have specifed the followig in the config.xml <Logging Type=
-
How to upload any file type to R/3
Please explain step by step how to upload any file type to R/3 Thanks in advance
-
Hi I was organizing pictures in iphoto. I am new at this. I was deleting a bunch of duplicate pictures and I kept getting a 'warning box" that kept asking "are you sure you want to delete?" I knew I wanted to delete all these pics so I checked the
-
Whenever i plug an auxiliary cable in to my phone only one side of the speakers or headphones work.. & my phone won't let me do anything but charge when i plug my phone into a usb port.. what is the problem?
-
Only one app wont authorize on the computer
i have windows 7- 64 bit i tried to do a backup to my iphone but it didnt worked and i think that it is because i have one app that wont authorize i have already authorized my computer but i tried again so i deauthorized my computed and authorized it