Selective authentication for a servlet?

I have a servlet that returns data to users from a mapping system. Most of the data are publicly accessible, so those requests need to work without any security or login challenge.
Depending on the items requested in the URI and querystring, I may need to authorize the user to see some of the data. Determining whether the request requires security uses criteria in the querystring and a bit of other logic, so I can't use security constraints in the web.xml. I set up a servlet filter that checks to see if the request requires any secure roles. I can also figure out if the user is logged in and has those roles.
I have most of the pieces I need. What baffles me is how to make a user log in to a servlet some of the time, but not other times. I've tried 2 things and hit dead ends:
1) Send back a 401 response. The browser asks them to log in and sends their username and password back in the header. (This is an URL-based RESTlike data service, so I'm using the basic browser pop-up login.) This 401 challenge gets me their info, but doesn't seem to authenticate with the container (Tomcat). With the user/pass, I can query our user database for the authentication and authorization myself, but this seems really, really ugly. Is there a way to make the container to do the authentication on a 401?
2) Use a RequestDispatcher to forward the request to another servlet mapping that does have security set up in the web.xml. Unfortunately, this bypasses the web.xml with no login challenge. The idea is that if servlet code forwards someone to another resource, you knew what you were doing and meant to send them there. Is there a way to enforce the forwarding using the web.xml settings?
The last thing I was thinking about is if there is a way to extend the security constraint to determine whether the request requires authentication or not?
thanks, David

Welcome to the Sun Forums.
One way that I can think of is that instead of sending the 401 yourself (which bypasses the container), maybe you should have your filter send back a redirect (302) to the user instead. You could redirect to either a custom login page or to a protected resource. Since a redirect results in a new request being issued by the browser, the container should be able to handle the situation from there on.

Similar Messages

How set UserName and Password for HTTP Basic Authentication for a servlet

Hi..
How set UserName and Password for HTTP Basic Authentication for a servlet in JBoss server?
Using Tomcat i can do it .(By setting roles in web.xml, and user credintails in tomcat-user.xml).
But i dont know how do it in JBOSS..
I am using Netbeans and Eclipse IDEs.. Can we do it by using them also!?
Thank u

Hi Raj,
You can do this by creating a Login screen for the users and check the authentication of each user in PAI i.e. PROCESS AFTER INPUT.
Store the user information in a database table and check the username and password when the user enters it.
You can display password as *** also. For this double click on input box designed for password and goto Display tab. Select Invisible in the list and check it.
CASE sy-ucomm.
    WHEN 'BACK'.
      LEAVE PROGRAM.
    WHEN <fcode for submit>.
      SELECT SINGLE uname pwd
       FROM <DB table>
       INTO (user, pass)
       WHERE username = user AND
               password = passwd.
      IF sy-subrc = 0.
<Go to next screen for further processing>
      ELSE.
<Display Error message and exit>
      ENDIF.
ENDCASE.
Regards,
Amit
Message was edited by:
        Amit Kumar

Site Server - Client comminucations with selective authentication

My environment has multiple domains, but I've been trying to avoid standing up an MP in each. Currently the only MP is the site server in domain1. A two-way selective authentication trust exists between the domains, users and computers from domain2
have 'allowed to authenticate' permissions on the site server and, for the most part, everything is peachy. However, this has been showing up in the CcmMessaging.log:
IsSslClientAuthEnabled - Determining provisioning mode state failed with 80070005. Defaulting to state of 448.
[CCMHTTP] ERROR: URL=https://SCCM2012.DOMAIN1.com/ccm_system_windowsauth/request, Port=443, Options=448, Code=0, Text=CCM_E_BAD_HTTP_STATUS_CODE
Raising event:
instance of CCM_CcmHttp_Status
   ClientID = "GUID:60A1F0BE-B65D-4F33-9CFE-B15FDE62517F";
   DateTime = "20120919152518.415000+000";
   HostName = "SCCM2012.DOMAIN1.com";
   HRESULT = "0x87d0027e";
   ProcessID = 2480;
   StatusCode = 401;
   ThreadID = 3940;
Successfully sent location services HTTPS failure message.
Post using DOMAIN2\user security context failed due to Integrated Windows Authentication failure
Post to https://SCCM2012.DOMAIN1.com/ccm_system_windowsauth/request failed with 0x80070005.
OutgoingMessage(Queue='mp_[http]mp_policymanager', ID={D6399C84-F0DE-46BD-8630-D918ECA157A5}): Will be discarded (0x80070005).
I'm not exactly sure what these errors are telling me. First, "Determining provisioning mode state failed"? I'm actually seeing that on clients in the same domain as the site server, as well. What is the client attempting to do here, and
in what security context, that it would be getting an access denied error?
Second, the other 5 lines? I'm assuming that's coming from IIS? What permissions need to exist that would not be implicit for the second domain?

Yes, I know this is an old post, but I’m trying to clean them up. Did you solve this problem, if so what was the solution?
Since no one has answer this post, I recommend opening a support case with CSS as they can work with you to solve this problem.
Garth Jones | My blogs: Enhansoft and
Old Blog site | Twitter:
@GarthMJ

How to get a parameter from a HTML select list in a servlet

Hi!
I have the following problem :
In a HTML form I have the following select list:
<select name="tickets">
                                        <option value="1">1</option>
                                        <option value="2">2</option>
                                        <option value="3">3</option>
                                        <option value="4">4</option>
                                        <option value="5">5</option>
                                        <option value="6">6</option>
</select>And in the servlet I try to read the value I have selected doing : String tickB = (String) request.getParameter("tickets");But for my amazement tickB always has the value 1, althought I have selected in the list the value 2,3,4,5 or 6
�Where is the error ? �Have I to do with getParamaterValues instead getParameter to obtain the correct value?
Bye
Edited by: bladu on Jun 4, 2008 1:25 AM

Where is the error ? No error in portion of code you have shown.
But for my amazement tickB always has the value 1, althought I have selected in the list the value 2,3,4,5 or 6Are you sure there are no other form element(hidden field, text field) with same name tickets ? If you are using GET method, you may check the url to see if there are more than one parameters named tickets set in it
Have I to do with getParamaterValues instead getParameter to obtain the correct value? Not required.

User Authentication for subfolder not working in Web Browser

We are using Oracle Application Server 10.1.2.3 and Database Server 10.2.0.5 for our application.
One of the functionalities of the Application is to send emails with attachments.
The logic is that the Application would generate the attachment file on the Application Server.
Then a database package uses Oracle's utl_http package/procedures(more specifically utl_http.request_pieces where the single argument is a URL) to pick up the file from the Application Server via URL, attach the file and send the email.
Exchange and Relay Server is also set in the Application.
The problem is that the folder containing the folder which stores the attachments is having user authentication set.
Example : The main folder is /apps/interface, this folder requires a valid user when it is accessed via URL on a web browser.
Alias created in httpd.conf
Alias /int-dir/ "/apps/interface/"
The folder /apps/interface/email/ is the folder where the attachment files are generated and stored.
Application Server : 10.12.213.21
Database Server : 10.12.213.22
Email Server : 10.12.213.44
Configuration as per httpd.conf
Alias /int-dir/ "/apps/interface/"
<Location /int-dir/>
AuthName "Interface folder"
AuthType Basic
AuthUserFile "/u01/app/oracle/as10g/oasmid/Apache/Apache/conf/.htpasswd"
require user scott
</Location>
<Location /int-dir/email>
Options Indexes Multiviews IncludesNoExec
     Order deny,allow
     Deny from all
     Allow from 10.12.213.21
     Allow from 10.12.213.22
     Allow from 10.12.213.44
</Location>
Using the above configuration the Application is able to attach the files and send the email, however, when we access the following URL :
http://10.12.213.21:7778/int-dir/ - it prompts for user authentication
However if we use the following URL :
http://10.12.213.21:7778/int-dir/email/ - it does not prompt for user authentication, and all the files in the folder are displayed in the browser.
I have tried so many things including AllowOverride, .htaccess, but i am not able to get user authentication for the email folder.
Please help me if you can.
Thanking you in advance,
GLad to give any more information that i can.
dxbrocky

Thanks for your response. I fixed the problem by selecting "full site" or "full website" at bottom of the web page. After making this selection the zoom function returned. Thanks again for your interest.

Server 2012 R2 no longer able to query objects in a trusted domain over a Forest Trust using Selective Authentication

I have a scenario in which our enterprise activation servers exist in a domain that is in a separate forest than our offices. Currently all our domain controllers are 2008 R2 with domain and forest functional levels at 2008 R2. We have set
up two-way forest trusts with our office domains using selective authentication. We then give the domain controllers from our licensing domain the "Allowed to Authenticate" right to the domain controllers in the office domain. On the
server 2008 R2 domain controllers in the office domain, we can browse to the appropriate objects in the licensing domain after being presented with an authentication window that allows us to enter credentials for the licensing domain. However, after
installing a 2012 R2 domain controller in an office domain, we can not use the 2012 domain controller to browse to the objects in the licensing domain. It never asks for credentials for the licensing domain when we specify the objects we want to add
from the licensing domain. I simply states that the object can not be found. When I look at the domain controller in the licensing domain, I see that the domain controller in the office domain is attempting to pass the credentials of the user that
is logged on and this is failing since this user has no rights in the licensing domain. I can still use a 2008 R2 domain controller in the office domain to add the rights and it works like it always has. Can somebody tell me why this is happening
and how to correct it?

Hi,
Based on my research, this is a known issue in Windows Server 2012 R2.
According to the article below: “The Selective Authentication feature of selective trusts is
not functional. Access to resources enabled by “Allowed to Authenticate” will fail. There is no workaround at this time”.
Release Notes: Important Issues in Windows Server 2012 R2
http://technet.microsoft.com/en-us/library/dn387077.aspx
Best Regards,
Amy Wang

Error Message: JBO-26080: Error while selecting entity for PoLines

I'm using JDev 9.0.4.
i make a VO from two EO at the BC4J level.
then i create complete struts JSP Application for this VO.
so i get a page that i can do New/Edit and Delete to each row.
when i try to do Edit for some lines (not all of them) i get this error :
Error Message: JBO-26080: Error while selecting entity for PoLines
Error Message: ORA-01722: invalid number
What does it mean ? how can i solve it ?
Thank You

Un-comment the following lines to display the stack trace
oracle.jbo.DMLException: JBO-26080: Error while selecting entity for ElcPoLines
     at oracle.jbo.server.OracleSQLBuilderImpl.doEntitySelect(OracleSQLBuilderImpl.java:832)
     at oracle.jbo.server.EntityImpl.doSelect(EntityImpl.java:4665)
     at oracle.jbo.server.EntityImpl.populate(EntityImpl.java:3845)
     at oracle.jbo.server.EntityDefImpl.findFromDatabase(EntityDefImpl.java:888)
     at oracle.jbo.server.EntityDefImpl.findByPrimaryKey(EntityDefImpl.java:943)
     at oracle.jbo.server.QueryCollection.findByKey(QueryCollection.java:2524)
     at oracle.jbo.server.ViewRowSetImpl.findByKey(ViewRowSetImpl.java:2907)
     at oracle.jbo.server.ViewObjectImpl.findByKey(ViewObjectImpl.java:6019)
     at oracle.jbo.client.JboUtil.getRowFromKey(JboUtil.java:91)
     at oracle.jbo.html.BC4JContext.getRow(BC4JContext.java:307)
     at oracle.jbo.html.struts11.actions.EditAction.populateBC4JFormBean(EditAction.java:160)
     at oracle.jbo.html.struts11.actions.EditAction.edit(EditAction.java:59)
     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
     at java.lang.reflect.Method.invoke(Method.java:324)
     at org.apache.struts.actions.DispatchAction.dispatchMethod(DispatchAction.java:280)
     at org.apache.struts.actions.DispatchAction.execute(DispatchAction.java:216)
     at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:484)
     at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:274)
     at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1482)
     at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:507)
     at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
     at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
     at com.evermind.server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java:778)
     at com.evermind.server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java:317)
     at com.evermind.server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:790)
     at com.evermind.server.http.HttpRequestHandler.run(HttpRequestHandler.java:270)
     at com.evermind.server.http.HttpRequestHandler.run(HttpRequestHandler.java:112)
     at com.evermind.util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java:186)
     at java.lang.Thread.run(Thread.java:534)
## Detail 0 ##
java.sql.SQLException: ORA-01722: invalid number
     at oracle.jdbc.dbaccess.DBError.throwSqlException(DBError.java:189)
     at oracle.jdbc.ttc7.TTIoer.processError(TTIoer.java:242)
     at oracle.jdbc.ttc7.Oall7.receive(Oall7.java:554)
     at oracle.jdbc.ttc7.TTC7Protocol.doOall7(TTC7Protocol.java:1478)
     at oracle.jdbc.ttc7.TTC7Protocol.parseExecuteFetch(TTC7Protocol.java:890)
     at oracle.jdbc.driver.OracleStatement.doExecuteQuery(OracleStatement.java:2407)
     at oracle.jdbc.driver.OracleStatement.doExecuteWithTimeout(OracleStatement.java:2660)
     at oracle.jdbc.driver.OraclePreparedStatement.executeUpdate(OraclePreparedStatement.java:457)
     at oracle.jdbc.driver.OraclePreparedStatement.executeQuery(OraclePreparedStatement.java:387)
     at oracle.jbo.server.OracleSQLBuilderImpl.doEntitySelect(OracleSQLBuilderImpl.java:606)
     at oracle.jbo.server.EntityImpl.doSelect(EntityImpl.java:4665)
     at oracle.jbo.server.EntityImpl.populate(EntityImpl.java:3845)
     at oracle.jbo.server.EntityDefImpl.findFromDatabase(EntityDefImpl.java:888)
     at oracle.jbo.server.EntityDefImpl.findByPrimaryKey(EntityDefImpl.java:943)
     at oracle.jbo.server.QueryCollection.findByKey(QueryCollection.java:2524)
     at oracle.jbo.server.ViewRowSetImpl.findByKey(ViewRowSetImpl.java:2907)
     at oracle.jbo.server.ViewObjectImpl.findByKey(ViewObjectImpl.java:6019)
     at oracle.jbo.client.JboUtil.getRowFromKey(JboUtil.java:91)
     at oracle.jbo.html.BC4JContext.getRow(BC4JContext.java:307)
     at oracle.jbo.html.struts11.actions.EditAction.populateBC4JFormBean(EditAction.java:160)
     at oracle.jbo.html.struts11.actions.EditAction.edit(EditAction.java:59)
     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
     at java.lang.reflect.Method.invoke(Method.java:324)
     at org.apache.struts.actions.DispatchAction.dispatchMethod(DispatchAction.java:280)
     at org.apache.struts.actions.DispatchAction.execute(DispatchAction.java:216)
     at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:484)
     at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:274)
     at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1482)
     at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:507)
     at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
     at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
     at com.evermind.server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java:778)
     at com.evermind.server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java:317)
     at com.evermind.server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:790)
     at com.evermind.server.http.HttpRequestHandler.run(HttpRequestHandler.java:270)
     at com.evermind.server.http.HttpRequestHandler.run(HttpRequestHandler.java:112)
     at com.evermind.util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java:186)
     at java.lang.Thread.run(Thread.java:534)

JBO-26080: Error while selecting entity for VIEW

When I use the LOV, it brings up all values, except when I search for the letters "wy". It returns nothing, and when I deleted these letters and search again nothing appears and I get this error. Can anyone help, I've been looking at this for a week and have come up with nothing.
oracle.jbo.DMLException: JBO-26080: Error while selecting entity for IraPtsSponsorVw
     at oracle.jbo.server.OracleSQLBuilderImpl.doEntitySelect(OracleSQLBuilderImpl.java:888)
     at oracle.jbo.server.EntityImpl.doSelect(EntityImpl.java:5267)
     at oracle.jbo.server.EntityImpl.populate(EntityImpl.java)
     at oracle.jbo.server.EntityImpl.merge(EntityImpl.java:4746)
     at oracle.jbo.server.EntityCache.add(EntityCache.java:525)
     at oracle.jbo.server.ViewRowStorage.entityCacheAdd(ViewRowStorage.java:1710)
     at oracle.jbo.server.ViewRowImpl.entityCacheAdd(ViewRowImpl.java:2136)
     at oracle.jbo.server.ViewDefImpl.createInstanceFromResultSet(ViewDefImpl.java:1037)
     at oracle.jbo.server.ViewObjectImpl.createRowFromResultSet(ViewObjectImpl.java)
     at oracle.jbo.server.ViewObjectImpl.createInstanceFromResultSet(ViewObjectImpl.java:2650)
     at oracle.jbo.server.QueryCollection.populateRow(QueryCollection.java:1871)
     at oracle.jbo.server.QueryCollection.fetch(QueryCollection.java:1772)
     at oracle.jbo.server.QueryCollection.get(QueryCollection.java:1256)
     at oracle.jbo.server.ViewRowSetImpl.getRow(ViewRowSetImpl.java:3206)
     at oracle.jbo.server.ViewRowSetIteratorImpl.doFetch(ViewRowSetIteratorImpl.java:2755)
     at oracle.jbo.server.ViewRowSetIteratorImpl.ensureRefreshed(ViewRowSetIteratorImpl.java:2610)
     at oracle.jbo.server.ViewRowSetIteratorImpl.refresh(ViewRowSetIteratorImpl.java:2850)
     at oracle.jbo.server.ViewRowSetImpl.notifyRefresh(ViewRowSetImpl.java:1941)
     at oracle.jbo.server.ViewRowSetImpl.execute(ViewRowSetImpl.java:689)
     at oracle.jbo.server.ViewRowSetImpl.executeQueryForMasters(ViewRowSetImpl.java:769)
     at oracle.jbo.server.ViewRowSetImpl.executeQuery(ViewRowSetImpl.java:706)
     at oracle.jbo.server.ViewObjectImpl.executeQuery(ViewObjectImpl.java:3361)
     at gov.fda.cber.pts.controller.strutsactions.LovBimsSponsorAction.prepareModel(LovBimsSponsorAction.java:75)
     at oracle.adf.controller.struts.actions.DataAction.prepareModel(DataAction.java:486)
     at oracle.adf.controller.lifecycle.PageLifecycle.handleLifecycle(PageLifecycle.java:105)
     at oracle.adf.controller.struts.actions.StrutsUixLifecycle.handleLifecycle(StrutsUixLifecycle.java:70)
     at oracle.adf.controller.struts.actions.DataAction.handleLifecycle(DataAction.java:223)
     at oracle.adf.controller.struts.actions.DataAction.execute(DataAction.java:155)
     at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:484)
     at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:274)
     at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1485)
     at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:527)
     at javax.servlet.http.HttpServlet.service(HttpServlet.java:760)
     at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
     at com.evermind.server.http.ResourceFilterChain.doFilter(ResourceFilterChain.java:65)
     at oracle.security.jazn.oc4j.JAZNFilter.doFilter(Unknown Source)
     at com.evermind.server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java:649)
     at com.evermind.server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java:322)
     at com.evermind.server.http.ServletRequestDispatcher.forward(ServletRequestDispatcher.java:220)
     at org.apache.struts.action.RequestProcessor.doForward(RequestProcessor.java:1069)
     at org.apache.struts.action.RequestProcessor.processForwardConfig(RequestProcessor.java:455)
     at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:279)
     at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1485)
     at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:527)
     at javax.servlet.http.HttpServlet.service(HttpServlet.java:760)
     at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
     at com.evermind.server.http.ResourceFilterChain.doFilter(ResourceFilterChain.java:65)
     at oracle.security.jazn.oc4j.JAZNFilter.doFilter(Unknown Source)
     at com.evermind.server.http.EvermindFilterChain.doFilter(EvermindFilterChain.java:16)
     at oracle.adf.model.servlet.ADFBindingFilter.doFilter(ADFBindingFilter.java:239)
     at com.evermind.server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java:645)
     at com.evermind.server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java:322)
     at com.evermind.server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:790)
     at com.evermind.server.http.HttpRequestHandler.run(HttpRequestHandler.java:270)
     at com.evermind.server.http.HttpRequestHandler.run(HttpRequestHandler.java:112)
     at com.evermind.util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java:192)
     at java.lang.Thread.run(Thread.java:534)
## Detail 0 ##
java.sql.SQLException: ORA-00904: "SPONSOR_COUNTRY": invalid identifier
     at oracle.jdbc.driver.DatabaseError.throwSqlException(DatabaseError.java:137)
     at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:304)
     at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:271)
     at oracle.jdbc.driver.T4C8Oall.receive(T4C8Oall.java:625)
     at oracle.jdbc.driver.T4CPreparedStatement.doOall8(T4CPreparedStatement.java:181)
     at oracle.jdbc.driver.T4CPreparedStatement.execute_for_describe(T4CPreparedStatement.java:661)
     at oracle.jdbc.driver.OracleStatement.execute_maybe_describe(OracleStatement.java:951)
     at oracle.jdbc.driver.T4CPreparedStatement.execute_maybe_describe(T4CPreparedStatement.java:693)
     at oracle.jdbc.driver.OracleStatement.doExecuteWithTimeout(OracleStatement.java:1057)
     at oracle.jdbc.driver.OraclePreparedStatement.executeInternal(OraclePreparedStatement.java:2901)
     at oracle.jdbc.driver.OraclePreparedStatement.executeQuery(OraclePreparedStatement.java:2942)
     at oracle.jbo.server.OracleSQLBuilderImpl.doEntitySelect(OracleSQLBuilderImpl.java:640)
     at oracle.jbo.server.EntityImpl.doSelect(EntityImpl.java:5267)
     at oracle.jbo.server.EntityImpl.populate(EntityImpl.java)
     at oracle.jbo.server.EntityImpl.merge(EntityImpl.java:4746)
     at oracle.jbo.server.EntityCache.add(EntityCache.java:525)
     at oracle.jbo.server.ViewRowStorage.entityCacheAdd(ViewRowStorage.java:1710)
     at oracle.jbo.server.ViewRowImpl.entityCacheAdd(ViewRowImpl.java:2136)
     at oracle.jbo.server.ViewDefImpl.createInstanceFromResultSet(ViewDefImpl.java:1037)
     at oracle.jbo.server.ViewObjectImpl.createRowFromResultSet(ViewObjectImpl.java)
     at oracle.jbo.server.ViewObjectImpl.createInstanceFromResultSet(ViewObjectImpl.java:2650)
     at oracle.jbo.server.QueryCollection.populateRow(QueryCollection.java:1871)
     at oracle.jbo.server.QueryCollection.fetch(QueryCollection.java:1772)
     at oracle.jbo.server.QueryCollection.get(QueryCollection.java:1256)
     at oracle.jbo.server.ViewRowSetImpl.getRow(ViewRowSetImpl.java:3206)
     at oracle.jbo.server.ViewRowSetIteratorImpl.doFetch(ViewRowSetIteratorImpl.java:2755)
     at oracle.jbo.server.ViewRowSetIteratorImpl.ensureRefreshed(ViewRowSetIteratorImpl.java:2610)
     at oracle.jbo.server.ViewRowSetIteratorImpl.refresh(ViewRowSetIteratorImpl.java:2850)
     at oracle.jbo.server.ViewRowSetImpl.notifyRefresh(ViewRowSetImpl.java:1941)
     at oracle.jbo.server.ViewRowSetImpl.execute(ViewRowSetImpl.java:689)
     at oracle.jbo.server.ViewRowSetImpl.executeQueryForMasters(ViewRowSetImpl.java:769)
     at oracle.jbo.server.ViewRowSetImpl.executeQuery(ViewRowSetImpl.java:706)
     at oracle.jbo.server.ViewObjectImpl.executeQuery(ViewObjectImpl.java:3361)
     at gov.fda.cber.pts.controller.strutsactions.LovBimsSponsorAction.prepareModel(LovBimsSponsorAction.java:75)
     at oracle.adf.controller.struts.actions.DataAction.prepareModel(DataAction.java:486)
     at oracle.adf.controller.lifecycle.PageLifecycle.handleLifecycle(PageLifecycle.java:105)
     at oracle.adf.controller.struts.actions.StrutsUixLifecycle.handleLifecycle(StrutsUixLifecycle.java:70)
     at oracle.adf.controller.struts.actions.DataAction.handleLifecycle(DataAction.java:223)
     at oracle.adf.controller.struts.actions.DataAction.execute(DataAction.java:155)
     at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:484)
     at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:274)
     at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1485)
     at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:527)
     at javax.servlet.http.HttpServlet.service(HttpServlet.java:760)
     at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
     at com.evermind.server.http.ResourceFilterChain.doFilter(ResourceFilterChain.java:65)
     at oracle.security.jazn.oc4j.JAZNFilter.doFilter(Unknown Source)
     at com.evermind.server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java:649)
     at com.evermind.server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java:322)
     at com.evermind.server.http.ServletRequestDispatcher.forward(ServletRequestDispatcher.java:220)
     at org.apache.struts.action.RequestProcessor.doForward(RequestProcessor.java:1069)
     at org.apache.struts.action.RequestProcessor.processForwardConfig(RequestProcessor.java:455)
     at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:279)
     at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1485)
     at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:527)
     at javax.servlet.http.HttpServlet.service(HttpServlet.java:760)
     at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
     at com.evermind.server.http.ResourceFilterChain.doFilter(ResourceFilterChain.java:65)
     at oracle.security.jazn.oc4j.JAZNFilter.doFilter(Unknown Source)
     at com.evermind.server.http.EvermindFilterChain.doFilter(EvermindFilterChain.java:16)
     at oracle.adf.model.servlet.ADFBindingFilter.doFilter(ADFBindingFilter.java:239)
     at com.evermind.server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java:645)
     at com.evermind.server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java:322)
     at com.evermind.server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:790)
     at com.evermind.server.http.HttpRequestHandler.run(HttpRequestHandler.java:270)
     at com.evermind.server.http.HttpRequestHandler.run(HttpRequestHandler.java:112)
     at com.evermind.util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java:192)
     at java.lang.Thread.run(Thread.java:534)

Hi Frank thanks for responding,
I actually figured it out. I thinkt he problem was that the VO didnt not have a primary key to reference a specific row and was throwing an error. I used ROWID and it works fine now.
Thank you.

Enabling HTTPS with Client Authentication for Sender SOAP Adapter on PI7.1

Hello All,
We are currently building up a HTTPS message exchange with an external client.
Our PI 7.1 recieved over HTTPS messages on an already configured Sender SOAP Adapter.
The HTTPS (SSL) connectivity works fine and was completely configured on the ABAP Stack at Trust Manager (TC=STRUSTSSO2)
Login to Message Servlet "com.sap.aii.adapter.soap.web.MessageServlet is required and works fine with user ID and password.
Now we have to configure the addtional Client Authentication.
At SOAP Adapter (Sender Communication Channel) under "HTTP Security Level"you are able to configure "HTTPS with Client Authentication".
But what are the next steps to get this scenario successfully in place?
Many thanks in advance!
Jochen

Hi Colleagues,
following Steps still have to be done:
- Mapping public key to technical user at Java Stack
As preparation you have to activate value "ume.logon.allow.cert" with true under "com.sap.security.core.ume.service" under Config Tool. At NWA under Identity Management at for repecively technical user the public key certificate
- Be sure CA root certivicate at Database under STRUSTSSO2
- Import intermediate Certificate under Certificate List at Trast Manager for the Respecive Server Note
- use Login Module "client_cert" which you have to configure under NWA\Configuration Management\Authentication for Components "sap.com/com.sap.aii.adapter.soap.app*XISOAPAdapter".
Many thanks to all for support!
Regards,
Jochen

Radius authentication for the browser-based webtop

Hiya all,
With help of the radius-authentication module for apache (http://www.freeradius.org/mod_auth_radius/) and web-authentication it is possible to use radius-authentication for the classic-webtop. Has anyone got Radius authentication working for the browser-basedwebtop?
SSGD version:
Sun Secure Global Desktop Software for Intel Solaris 10+ (4.30.915)
Architecture code: i3so0510
This host: SunOS sgd1.<removed> 5.10 Generic_118855-36 i86pc i386 i86pc
I have the radius-module running for authentication of a single directory with the apache-config-lines:
SetEnvIf Request_URI "\.(cab|jar|gif|der)$" sgd_noauth_ok
<LocationMatch "/secure">
Order Allow,Deny
Allow from env=sgd_noauth_ok
AuthName "Radius authentication for SGD"
Authtype Basic
AuthRadiusAuthoritative on
AuthRadiusCookieValid 540
AuthRadiusActive On
Require valid-user
Satisfy any
</LocationMatch>
When changing the line <LocationMatch "/secure"> to <LocationMatch "/sgd"> the browser asks for a authentication and then a 'Not Found' page is being displayed.
When using the config-lines from http://docs.sun.com/source/819-6255/webauth_config_browser.html the login-page is being displayed normally and SSGD works.
The main difference I can find between the location /secure and /sgd is: /secure is a simple directory and /sgd is a JkMount to Tomcat.
Changing the JkLogLevel to debug gives the following info in the JkLogFile:
Radius authentication:
[Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (449): Attempting to map URI '/sgd' from 5 maps
[Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/examples/*'
[Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/axis/*'
[Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/sgd/*'
[Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/axis'
[Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/sgd'
[Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (486): Found an exact match tta -> /sgd
With the password-authentication file:
[Tue Jun 05 13:55:29 2007] [12123:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (449): Attempting to map URI '/sgd/' from 5 maps
[Tue Jun 05 13:55:29 2007] [12123:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/examples/*'
[Tue Jun 05 13:55:29 2007] [12123:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/axis/*'
[Tue Jun 05 13:55:29 2007] [12123:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/sgd/*'
[Tue Jun 05 13:55:29 2007] [12123:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (475): Found a wildchar match tta -> /sgd/*
[Tue Jun 05 13:55:29 2007] [12123:0000] [debug] wc_get_worker_for_name::jk_worker.c (111): found a worker tta
[Tue Jun 05 13:55:29 2007] [12123:0000] [debug] wc_maintain::jk_worker.c (301): Maintaining worker axis
[Tue Jun 05 13:55:29 2007] [12123:0000] [debug] wc_maintain::jk_worker.c (301): Maintaining worker tta
[Tue Jun 05 13:55:29 2007] [12123:0000] [debug] wc_maintain::jk_worker.c (301): Maintaining worker examples
It seems that the JkMount is not being evaluated correctly after using the radius-authentication.
Any help will be usefull since I am allready stuck on this problem for a couple of days :(
Thanks,
Remold | Everett

I got response from the Fat Bloke on the mailing list.
Adding the following line in the apache httpd.conf seams to help and resolved my problem:
Alias /sgd "/opt/tarantella/webserver/tomcat/5.0.28_axis1.2final_jk1.2.8/webapps/sgd"
Thanks The Fat Bloke !!
- Remold
These instructions are for a 4.2 SGD installation using SGD's third
party web authentication with mod_auth_radius.so (www.freeradius.org).
With 4.2 Sun didn't distribute enough of the Apache configured tree
to enable the use of axps to build the mod_auth_radius module, 4.3 is
better - Sun now install a modified axps and include files, I haven't
tried this with 4.3 yet though.
I built the mod_auth_radius module for Apache 1.3.33 (shipped with 4.2)
So, this is how we got this working with Radius (tested with SBR
server and freeradius.org server.)
Install SGD in the usual way.
Enable 3rd party authentication:
According to:
http://docs.sun.com/source/819-4309-10/en-us/base/standard/
webauth_config_browser.html
Configure the Tomcat component of the Secure Global Desktop Web
Server to
trust the web server authentication. On each array member, edit the
/opt/tarantella/webserver/tomcat/version/conf/server.xml file. Add the
following attribute to the connector element (<Connector>) for the
Coyote/JK2 AJP 1.3 Connector:
tomcatAuthentication="false"
# cat /opt/tarantella/webserver/tomcat/5.0.28_axis1.2final_jk1.2.8/
conf/server.xml

<Connector port="8009" minProcessors="5" maxProcessors="75"
tomcatAuthentication="false"
enableLookups="true" redirectPort="8443"
acceptCount="10" debug="0" connectionTimeout="0"
useURIValidationHack="false"
protocolHandlerClassName="org.apache.jk.server.JkCoyoteHandler"/>
"By default, for security reasons, Secure Global Desktop
Administrators can't
log in to the browser-based webtop with web server authentication.
The standard
login page always displays for these users even if they have been
authenticated
by the web server. To change this behavior, run the following command:"
# tarantella config edit --tarantella-config-login-thirdparty-
allowadmins 1
Without this, after authenticating via webauth, the user will be
prompted for a
second username and password combination.
# /opt/tarantella/bin/tarantella objectmanager &
# /opt/tarantella/bin/tarantella arraymanager &
In Array Manager:
Select "Secure Global Desktop Login" on left side and click
"Properites" at bottom
Under "Secure Global Desktop Login Properties"
cd /opt/tarantella/webserver/apache/
1.3.33_mod_ssl-2.8.22_openssl-0.9.7e_jk1.2.8/conf
edit httpd.conf:
### For SGD Apache based authentication
Include conf/httpd4radius.conf
at the end of httpd.conf add:
Alias /sgd "/opt/tarantella/webserver/tomcat/
5.0.28_axis1.2final_jk1.2.8/webapps/sgd"
# cat httpd4radius.conf
LoadModule radius_auth_module libexec/mod_auth_radius.so
AddModule mod_auth_radius.c
# Add to the BOTTOM of httpd.conf
# If we're using mod_auth_radius, then add it's specific
# configuration options.
<IfModule mod_auth_radius.c>
# AddRadiusAuth server[:port] <shared-secret> [ timeout [ : retries ]]
# Use localhost, the old RADIUS port, secret 'testing123',
# time out after 5 seconds, and retry 3 times.
AddRadiusAuth radiusserver:1812 testing123 5:3
# AuthRadiusBindAddress <hostname/ip-address>
# Bind client (local) socket to this local IP address.
# The server will then see RADIUS client requests will come from
# the given IP address.
# By default, the module does not bind to any particular address,
# and the operating system chooses the address to use.
# AddRadiusCookieValid <minutes-for-which-cookie-is-valid>
# the special value of 0 (zero) means the cookie is valid forever.
AddRadiusCookieValid 5
</IfModule>
<LocationMatch /radius >
Order Allow,Deny
AuthType Basic
AuthName "RADIUS Authentication"
AuthAuthoritative off
AuthRadiusAuthoritative on
AuthRadiusCookieValid 5
AuthRadiusActive On
Require valid-user
Satisfy any
</LocationMatch>
SetEnvIf Request_URI "\.(cab|jar|gif|der)$" sgd_noauth_ok
<LocationMatch /sgd >
Order Allow,Deny
Allow from env=sgd_noauth_ok
AuthType Basic
AuthName "RADIUS Authentication"
AuthAuthoritative off
AuthRadiusAuthoritative on
AuthRadiusCookieValid 5
AuthRadiusActive On
Require valid-user
Satisfy any
</LocationMatch>
Put appropriate mod_auth_radius.so into
/opt/tarantella/webserver/apache/
1.3.33_mod_ssl-2.8.22_openssl-0.9.7e_jk1.2.8/libexec
# mkdir /opt/tarantella/webserver/apache/
1.3.33_mod_ssl-2.8.22_openssl-0.9.7e_jk1.2.8/htdocs/radius/
# cat /opt/tarantella/webserver/apache/
1.3.33_mod_ssl-2.8.22_openssl-0.9.7e_jk1.2.8/htdocs/htpasswd/index.html
<HTML>
<HEAD>
<TITLE> Test Page for RADIUS authentication </TITLE>
</HEAD>
<BODY>
<B> You have reached the test page for RADIUS authentication.
</BODY>
</HTML>
I hope this helps!
-FB

Radius or LDAP (not Oracle LDAP) authentication for GridControl

I'm running GC 10.2.0.3.0 on Oracle Linux, and I'd like to be able to open up GridControl to other users without setting up accounts/passwords for them. Accounts I can handle, passwords, I don't want to handle.
I see that if I create a new GC user via enterprise manager, a new database accout is also created in the EMREP database. I've configured our EMREP database to use radius authentication and it works when I connect via sqlplus to the EMREP database. The user is set to authenticate "externally" and os_authent_prefix is set to ''.
However, after I set up external authentication for a given user, they are no longer able to login to enterprise manager using their radius authenticated password. So something about EM is not capable of radius authentication with the local EMREP database?
Questions for all:
Is it possible to authenticate users of enterprise manager GridControl against an external password store? I have at my disposal: radius (works great for several of our databases), ActiveDirectory (without oracle schema extensions), LDAP (active directory), proxying the EM server with another Apache server.
I do not have a license for OID and the "free use" license for OID does not allow for user management. We cannot we purchase OID for this purpose.
Our GC environment is Linux so Windows OS authentication against AD isn't going to work and we need to support Firefox/IE/Other browsers on various OS's.
I've seen hints that "external authentication" is possible with "generic" sources, but nothing concrete. Anyone doing this?

<QUOTE>All I want now is the capability to perform my own method of LDAP BIND to AD to be used as a security plugin to the database authentication piece</QUOTE>
Amen.
Right now, I've got an SR open on the radius authentication issue in GC. It took me a two weeks to convince the Oracle tech that I wasn't talking about getting Oracle to use OS authentication where OS users were authenticated by radius.
I've put about 40 actual work hours in on this issue, going so far as to deconstruct the EM install .jar files and trying to replace the JDBC drivers.
At this point I believe that it would be relatively easy for Oracle to add Radius authentication support to Grid control in their next big release (11g).
Doing so would involve replacing the 10g JDBC thin drivers with 11g JDBC thin drivers. The 10g thin jdbc drivers support advanced security encryption and checksums, but not the radius authentication. The 11g thin drivers DO implement the radius option as well as a full complement of encryption checksum types not supported in 10g. From there it should be a simple matter of the EM java login procedure/bean/servlet/jsp being able to set the thin driver to use the radius code in the jdbc layer.
The other option, which I haven't yet given up on would be to hack the EM code so that instead of using 10g thin drivers it uses 10g OCI jdbc (thick) drivers. The thick drivers support the radius authentication and encryption/checksum features natively, and the settings are controled by the sqlnet.ora file. I've got java code using those just fine. If only I could hack EM to use them.
In short, if I had access to the source, I could probably code this up in a week. Very frustrating.
I thought about trying the OID route, but as I said in my original post, we don't have a license. Even if I got it working, and it sounds like it doesn't really work, I can't justify spending $x00,000 for 10-15 dbas not to have to use dedicated accounts and passwords.
Normal user login to our 9i and 10g databases we have working with radius (backed by Active Directory). All we do is "create user xxxxxx identified externally;" and the user is good to go.
In short, I think EM GridControl is awesome. I manage 36 databases with it and I've solved problems in minutes that used to take hours or days. When I show it to some of our oracle "power users" they all want it, but they're all radius authenticated.
I'll keep the thread updated if I see results from our SR.

AAA authentication for networking devices using ACS 4.1 SE

Hi!!!
I want to perform AAA authentication for networking devices using ACS 4.1 SE.
I do have Cisco 4500, 6500,2960, 3750, 3560, ASA, CSMARS, routers (2821) etc in my network. I want to have radius based authentication for the same.
I want telnet, ssh has,console attempt to be verified by radius server & if ACS goes down then it will be via local enable passwordf.
For all users i need to have different privilege levels based upon which access will be granted.
could u plz send me the config that is required to be done in the active devices as well as ACS!!!!

Pradeep,
Are you planning MAC authentication for some users while using EAP for others?
For MAC authentication, just use the following in your AP.
aaa authentication login mac_methods group radius
In your AP, select the radius server for mac authentication. You must have already defined your ACS as a radius server.
In your SSID configuration, under client authentication settings,
check "open authentication" and also select "MAC Authentication" from the drop-down list.
If you want both MAC or EAP, then select "MAC Authentication or EAP" from the dropdown.
Define the mac address as the username and password in ACS. Make sure the format of the mac is without any spaces.
You will not need to change anything in XP.
NOTE: XP normally does not require user authentication if machine has already authenticated but it might behave differently. If it does, I can let you know the registry settings to force the behaviour change.
HTH

NAC guest server with RADIUS authentication for guests issue.

Hi all,
We have just finally successfully installed our Cisco NAC guest server. We have version 2 of the server and basically the topology consists of a wism at the core of the network and a 4402 controller at the dmz, then out the firewall, no issues with that. We do however have a few problems, how can we provide access through a proxy without using pak files obviously, and is there a way to specify different proxies for different guest traffic, based on IP or a radius attribute etc.
The second problem is more serious; refer to the documentation below from the configuration guide for guest nac server v2. It states that hotspots can be used and the Authentication option would allow radius authentication for guests, I’ve been told otherwise by Cisco and they say it can’t be done, has anyone got radius authentication working for guests.
https://www.cisco.com/en/US/docs/security/nac/guestserver/configuration_guide/20/g_hotspots.html
-----START QUOTE-----
Step 7 From the Operation mode dropdown menu, you can select one of the following methods of operation:
•Payment Provider—This option allows your page to integrate with a payment providing billing system. You need to select a predefined Payment Provider from the dropdown. (Refer to Configuring Payment Providers for details.) Select the relevant payment provider and proceed to Step 8.
•Self Service—This option allows guest self service. After selection proceed to Step 8.
•Authentication—This option allows RADIUS authentication for guests. Proceed to Step 9.
----- END QUOTE-----
Your help is much appreciated on this, I’ve been looking forward to this project for a long time and it’s a bit of an anti climax that I can’t authenticate guests with radius (We use ACS and I was hoping to hook radius into an ODBC database we have setup called open galaxy)
Regards
Kevin Woodhouse

Well I will try to answer your 2nd questions.... will it work... yes. It is like any other radius server (high end:)) But why would you do this for guest.... there is no reason to open up a port on your FW and to add guest accounts to and worse... add them in AD. Your guest anchor can supply a web-auth, is able to have a lobby admin account to create guest acounts and if you look at it, it leaves everything in the DMZ.
Now if you are looking at the self service.... what does that really give you.... you won't be able to controll who gets on, people will use bogus info and last but not least.... I have never gotten that to work right. Had the BU send me codes that never worked, but again... that was like a year ago and maybe they fixed that. That is my opinion.

Setting Basic Authentication for Web Service in WLS 6.1

Hi,
I am trying to set-up a Basic Username/Password authentication for a Web Service
that is hosted in WLS 6.1.
How do I go about doing that? Also once I get the username and password, how do
I pass that info
to the SOAP servlet to do the authentication? Can you give me some pointers on
this?
Thanks
Madhu

How do you want to do it? Through use of client.jar for the service or
directly? Here is how I do it directly:
String auth = "guest", pwd = "guest";
URL url = new URL("http://localhost:7001");
URL cmdURL = new URL(url.toString()+"/systemtest/TestWebService");
HttpURLConnection conn = (HttpURLConnection) cmdURL.openConnection();
String encAuth =
new BASE64Encoder().encode((auth + ":" + pwd).getBytes());
// BASE64Encode distributes long strings on multiple
// lines; we don't like that, no siree
int it = 0;
while ((it = encAuth.indexOf('\n')) != -1
|| (it = encAuth.indexOf('\r')) != -1) {
encAuth = encAuth.substring(0, it) +
encAuth.substring(it + 1);
conn.setRequestProperty("Authorization", "Basic " + encAuth);
conn.setRequestProperty("Content-Type", "text/xml");
conn.setRequestProperty("SOAPAction", cmdURL.toString());
conn.setDoOutput(true);
conn.setDoInput(true);
conn.setUseCaches(false);
OutputStream oStr = conn.getOutputStream();
String cmd =
"<?xml version=\"1.0\" ?>\n"
+ "<soap:Envelope xmlns:soap=\"http://schemas.xmls"
+ "oap.org/soap/envelope/\"><soap:Body>"
+ "<ping><arg0>false</arg0></ping>"
+ "</soap:Body></soap:Envelope>";
oStr.write(cmd.getBytes());
oStr.close();
InputStream iStr = conn.getInputStream();
byte[] buffer = new byte[1024];
while (true) {
int size = iStr.read(buffer);
if (size == -1)
break;
System.out.println(new String(buffer, 0, size));
ThorAAge

Java.lang.SecurityException: Authentication for user system denied in realm wl_realm

I am experiencing this error when a servlet or JSP is preloaded on the web
server and the init method of the preloaded item results in a call to the
app server. If I don't preload and then manually invoke the JSP or servlet
after the web server completely loads the call to the app server does not
produce the exception. The only security differences between the web and
app servers are the console and system passwords. I can fix the problem by
making the passwords (system and console) the same across the board, but
find it hard to believe that this is the true solution. I would prefer
sticking with the default security settings.
I've poured through hundreds of messages. I can find similar problems but
not this exact problem.
Any ideas would truly be appreciated!
More information:...
App and Web server are both wls 6.1.1.0 running on the same SUN Solaris box.
Both are using the basic, out of the box, security.
The App server has SSL disabled.
The exception reported in the app server's log is:
java.lang.SecurityException: Authentication for user system denied in realm
wl_realm
at weblogic.security.acl.Realm.authenticate(Realm.java:212)
at weblogic.security.acl.Realm.getAuthenticatedName(Realm.java:233)
at
weblogic.security.acl.internal.Security.authenticate(Security.java:125)
at weblogic.security.acl.internal.Security.verify(Security.java:87)
at
weblogic.rmi.internal.BasicServerRef.handleRequest(BasicServerRef.java:235)
at
weblogic.rmi.internal.BasicExecuteRequest.execute(BasicExecuteRequest.java:2
2)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:139)
at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:120)
The exception reported in the web server's log is:
java.lang.SecurityException: Authentication for user system denied in realm
wl_realm
at
weblogic.rmi.internal.BasicOutboundRequest.sendReceive(BasicOutboundRequest.
java:85)
at
weblogic.rmi.cluster.ReplicaAwareRemoteRef.invoke(ReplicaAwareRemoteRef.java
:255)
at
weblogic.rmi.cluster.ReplicaAwareRemoteRef.invoke(ReplicaAwareRemoteRef.java
:222)
at weblogic.rmi.internal.ProxyStub.invoke(ProxyStub.java:35)
at $Proxy54.lookup(Unknown Source)
at
weblogic.jndi.internal.WLContextImpl.lookup(WLContextImpl.java:323)
at javax.naming.InitialContext.lookup(InitialContext.java:350)
at
com.qwest.tmmt.manager.client.MDMAdapter.getEJBHome(MDMAdapter.java:197)
at
com.qwest.tmmt.manager.client.MDMAdapter.<init>(MDMAdapter.java:64)
at
com.qwest.tmmt.manager.client.ManagerFactory.createMetaDataManager(ManagerFa
ctory.java:305)
at
com.qwest.insite.util.ClientMetaDataCache.<init>(ClientMetaDataCache.java:53
at
com.qwest.insite.util.ClientMetaDataCache.getInstance(ClientMetaDataCache.ja
va:106)
at
com.qwest.insite.metadata.startup.MetaDataServlet.init(MetaDataServlet.java:
30)
at
weblogic.servlet.internal.ServletStubImpl.createServlet(ServletStubImpl.java
:700)
at
weblogic.servlet.internal.ServletStubImpl.createInstances(ServletStubImpl.ja
va:643)
at
weblogic.servlet.internal.ServletStubImpl.prepareServlet(ServletStubImpl.jav
a:588)
at
weblogic.servlet.internal.WebAppServletContext.preloadServlet(WebAppServletC
ontext.java:2203)
at
weblogic.servlet.internal.WebAppServletContext.preloadServlets(WebAppServlet
Context.java:2147)
at
weblogic.servlet.internal.WebAppServletContext.init(WebAppServletContext.jav
a:884)
at
weblogic.servlet.internal.WebAppServletContext.<init>(WebAppServletContext.j
ava:807)
at
weblogic.servlet.internal.HttpServer.loadWebApp(HttpServer.java:421)
at weblogic.j2ee.WebAppComponent.deploy(WebAppComponent.java:74)
at weblogic.j2ee.Application.addComponent(Application.java:160)
at weblogic.j2ee.J2EEService.addDeployment(J2EEService.java:117)
at
weblogic.management.mbeans.custom.DeploymentTarget.addDeployment(DeploymentT
arget.java:329)
at
weblogic.management.mbeans.custom.DeploymentTarget.addDeployment(DeploymentT
arget.java:144)
at
weblogic.management.mbeans.custom.WebServer.addWebDeployment(WebServer.java:
76)
at java.lang.reflect.Method.invoke(Native Method)
at
weblogic.management.internal.DynamicMBeanImpl.invokeLocally(DynamicMBeanImpl
.java:608)
at
weblogic.management.internal.DynamicMBeanImpl.invoke(DynamicMBeanImpl.java:5
92)
at
weblogic.management.internal.ConfigurationMBeanImpl.invoke(ConfigurationMBea
nImpl.java:352)
at
com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1555)
at
com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1523)
at
weblogic.management.internal.MBeanProxy.invoke(MBeanProxy.java:449)
at
weblogic.management.internal.MBeanProxy.invoke(MBeanProxy.java:190)
at $Proxy33.addWebDeployment(Unknown Source)
at
weblogic.management.configuration.WebServerMBean_CachingStub.addWebDeploymen
t(WebServerMBean_CachingStub.java:1094)
at
weblogic.management.mbeans.custom.DeploymentTarget.addDeployment(DeploymentT
arget.java:315)
at
weblogic.management.mbeans.custom.DeploymentTarget.addDeployments(Deployment
Target.java:279)
at
weblogic.management.mbeans.custom.DeploymentTarget.updateServerDeployments(D
eploymentTarget.java:233)
at
weblogic.management.mbeans.custom.DeploymentTarget.updateDeployments(Deploym
entTarget.java:193)
at java.lang.reflect.Method.invoke(Native Method)
at
weblogic.management.internal.DynamicMBeanImpl.invokeLocally(DynamicMBeanImpl
.java:608)
at
weblogic.management.internal.DynamicMBeanImpl.invoke(DynamicMBeanImpl.java:5
92)
at
weblogic.management.internal.ConfigurationMBeanImpl.invoke(ConfigurationMBea
nImpl.java:352)
at
com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1555)
at
com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1523)
at
weblogic.management.internal.MBeanProxy.invoke(MBeanProxy.java:449)
at
weblogic.management.internal.MBeanProxy.invoke(MBeanProxy.java:190)
at $Proxy32.updateDeployments(Unknown Source)
at
weblogic.management.configuration.ServerMBean_CachingStub.updateDeployments(
ServerMBean_CachingStub.java:2734)
at
weblogic.management.mbeans.custom.ApplicationManager.startConfigManager(Appl
icationManager.java:362)
at
weblogic.management.mbeans.custom.ApplicationManager.start(ApplicationManage
r.java:154)
at java.lang.reflect.Method.invoke(Native Method)
at
weblogic.management.internal.DynamicMBeanImpl.invokeLocally(DynamicMBeanImpl
.java:608)
at
weblogic.management.internal.DynamicMBeanImpl.invoke(DynamicMBeanImpl.java:5
92)
at
weblogic.management.internal.ConfigurationMBeanImpl.invoke(ConfigurationMBea
nImpl.java:352)
at
com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1555)
at
com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1523)
at
weblogic.management.internal.MBeanProxy.invoke(MBeanProxy.java:449)
at
weblogic.management.internal.MBeanProxy.invoke(MBeanProxy.java:190)
at $Proxy45.start(Unknown Source)
at
weblogic.management.configuration.ApplicationManagerMBean_CachingStub.start(
ApplicationManagerMBean_CachingStub.java:480)
at
weblogic.management.Admin.startApplicationManager(Admin.java:1151)
at weblogic.management.Admin.finish(Admin.java:570)
at weblogic.t3.srvr.T3Srvr.start(T3Srvr.java:506)
at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:203)
at weblogic.Server.main(Server.java:35)
Thanks,
Jed Zimmer

You're correct. I meant the DOMAIN_SYSTEM_PASSWORD password in my
<domain-name>domain.ksh file. The DOMAIN_SYSTEM_PASSWORD value (if
specified) has to match the system user's password or else the server will
not start/stop.
I have determined more since my post. A startup class also produces the
same error. I have minimized my environments as follows and still receive
the exception, and a soon as I synchronize the system users' passwords on
the app/web server the problem goes away. Or, I can keep the passwords
different and just not access the app server EJBs until after the web server
finished loading, which also causes the error to go away. I'm just confused
about what I might be doing wrong.
Steps to produce the error:
App server:
- Installed from 6.1.1.0 from scratch and started it up.
- Changed the system user's password from the admin console, persisting the
changes.
- Modified logging settings to see more info in the log files.
- Disabled instrument stack traces.
- Stopped/Started the app server
Web server:
- Installed from 6.1.1.0 from scratch and started it up.
- Modified logging settings to see more info in the log files.
- Disabled instrument stack traces.
- Added a servlet to the DefaultWebApp_insiteserver application
- specified name and class
- the load on startup setting defaulted to zero, which will cause the
preloading
- Added 3 jar files to the classpath to support the EJB call
- Stopped/Started the web server
When the web server loads the servlet loads and tries to locate the EJB on
the app server. The app server throws the security exception. The app/web
servers are both running on the same SUN box, have the same IP address
(different ports) and I'm using non-SSL. Each server is it's own WLS
environment. The only installed file that is shared it the
weblogic_domain_registry.dat file in the root directory. As for security,
I'm doing nothing except changing one password (system user on the app
server).
I then tried to manually upgrade the app/web servers to 6.1.2.0 by updating
the WEBLOGIC_ROOT in the respective xxxxdomain.ksh files. Same problem.
I then cleanly reinstalled the app/web servers using version 6.1.2.0 and
configured as above. Same problem.
Let me know if I need to provide additional details.
Thanks,
Jed Zimmer
"Joseph Nguyen" <[email protected]> wrote in message
news:[email protected]...
>
"Jed Zimmer" <[email protected]> wrote in message
news:[email protected]...
I am experiencing this error when a servlet or JSP is preloaded on the
web
server and the init method of the preloaded item results in a call tothe
app server. If I don't preload and then manually invoke the JSP orservlet
after the web server completely loads the call to the app server does
not
produce the exception. The only security differences between the weband
app servers are the console and system passwords. I can fix the problemby
making the passwords (system and console) the same across the board, but
find it hard to believe that this is the true solutionI don't quite understand what you mean by "console" password? Are you
talking about the admin console? If so then it's confusing because youhave
to log into the console using the system user. If you can clarify morehere
it would great.
Joseph Nguyen
BEA Support
. I would prefer
sticking with the default security settings.
I've poured through hundreds of messages. I can find similar problems
but
not this exact problem.
Any ideas would truly be appreciated!
More information:...
App and Web server are both wls 6.1.1.0 running on the same SUN Solarisbox.
Both are using the basic, out of the box, security.
The App server has SSL disabled.
The exception reported in the app server's log is:
java.lang.SecurityException: Authentication for user system denied inrealm
wl_realm
at weblogic.security.acl.Realm.authenticate(Realm.java:212)
atweblogic.security.acl.Realm.getAuthenticatedName(Realm.java:233)
at
weblogic.security.acl.internal.Security.authenticate(Security.java:125)
atweblogic.security.acl.internal.Security.verify(Security.java:87)
at
weblogic.rmi.internal.BasicServerRef.handleRequest(BasicServerRef.java:235)
at
weblogic.rmi.internal.BasicExecuteRequest.execute(BasicExecuteRequest.java:2
2)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:139)
at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:120)
The exception reported in the web server's log is:
java.lang.SecurityException: Authentication for user system denied inrealm
wl_realm
at
weblogic.rmi.internal.BasicOutboundRequest.sendReceive(BasicOutboundRequest.
java:85)
at
weblogic.rmi.cluster.ReplicaAwareRemoteRef.invoke(ReplicaAwareRemoteRef.java
:255)
at
weblogic.rmi.cluster.ReplicaAwareRemoteRef.invoke(ReplicaAwareRemoteRef.java
:222)
at weblogic.rmi.internal.ProxyStub.invoke(ProxyStub.java:35)
at $Proxy54.lookup(Unknown Source)
at
weblogic.jndi.internal.WLContextImpl.lookup(WLContextImpl.java:323)
at javax.naming.InitialContext.lookup(InitialContext.java:350)
at
com.qwest.tmmt.manager.client.MDMAdapter.getEJBHome(MDMAdapter.java:197)
at
com.qwest.tmmt.manager.client.MDMAdapter.<init>(MDMAdapter.java:64)
at
com.qwest.tmmt.manager.client.ManagerFactory.createMetaDataManager(ManagerFa
ctory.java:305)
at
com.qwest.insite.util.ClientMetaDataCache.<init>(ClientMetaDataCache.java:53
at
com.qwest.insite.util.ClientMetaDataCache.getInstance(ClientMetaDataCache.ja
va:106)
at
com.qwest.insite.metadata.startup.MetaDataServlet.init(MetaDataServlet.java:
30)
at
weblogic.servlet.internal.ServletStubImpl.createServlet(ServletStubImpl.java
:700)
at
weblogic.servlet.internal.ServletStubImpl.createInstances(ServletStubImpl.ja
va:643)
at
weblogic.servlet.internal.ServletStubImpl.prepareServlet(ServletStubImpl.jav
a:588)
at
weblogic.servlet.internal.WebAppServletContext.preloadServlet(WebAppServletC
ontext.java:2203)
at
weblogic.servlet.internal.WebAppServletContext.preloadServlets(WebAppServlet
Context.java:2147)
at
weblogic.servlet.internal.WebAppServletContext.init(WebAppServletContext.jav
a:884)
at
weblogic.servlet.internal.WebAppServletContext.<init>(WebAppServletContext.j
ava:807)
at
weblogic.servlet.internal.HttpServer.loadWebApp(HttpServer.java:421)
at weblogic.j2ee.WebAppComponent.deploy(WebAppComponent.java:74)
at weblogic.j2ee.Application.addComponent(Application.java:160)
at weblogic.j2ee.J2EEService.addDeployment(J2EEService.java:117)
at
weblogic.management.mbeans.custom.DeploymentTarget.addDeployment(DeploymentT
arget.java:329)
at
weblogic.management.mbeans.custom.DeploymentTarget.addDeployment(DeploymentT
arget.java:144)
at
weblogic.management.mbeans.custom.WebServer.addWebDeployment(WebServer.java:
76)
at java.lang.reflect.Method.invoke(Native Method)
at
weblogic.management.internal.DynamicMBeanImpl.invokeLocally(DynamicMBeanImpl
.java:608)
at
weblogic.management.internal.DynamicMBeanImpl.invoke(DynamicMBeanImpl.java:5
92)
at
weblogic.management.internal.ConfigurationMBeanImpl.invoke(ConfigurationMBea
nImpl.java:352)
at
com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1555)
at
com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1523)
at
weblogic.management.internal.MBeanProxy.invoke(MBeanProxy.java:449)
at
weblogic.management.internal.MBeanProxy.invoke(MBeanProxy.java:190)
at $Proxy33.addWebDeployment(Unknown Source)
at
weblogic.management.configuration.WebServerMBean_CachingStub.addWebDeploymen
t(WebServerMBean_CachingStub.java:1094)
at
weblogic.management.mbeans.custom.DeploymentTarget.addDeployment(DeploymentT
arget.java:315)
at
weblogic.management.mbeans.custom.DeploymentTarget.addDeployments(Deployment
Target.java:279)
at
weblogic.management.mbeans.custom.DeploymentTarget.updateServerDeployments(D
eploymentTarget.java:233)
at
weblogic.management.mbeans.custom.DeploymentTarget.updateDeployments(Deploym
entTarget.java:193)
at java.lang.reflect.Method.invoke(Native Method)
at
weblogic.management.internal.DynamicMBeanImpl.invokeLocally(DynamicMBeanImpl
.java:608)
at
weblogic.management.internal.DynamicMBeanImpl.invoke(DynamicMBeanImpl.java:5
92)
at
weblogic.management.internal.ConfigurationMBeanImpl.invoke(ConfigurationMBea
nImpl.java:352)
at
com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1555)
at
com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1523)
at
weblogic.management.internal.MBeanProxy.invoke(MBeanProxy.java:449)
at
weblogic.management.internal.MBeanProxy.invoke(MBeanProxy.java:190)
at $Proxy32.updateDeployments(Unknown Source)
at
weblogic.management.configuration.ServerMBean_CachingStub.updateDeployments(
ServerMBean_CachingStub.java:2734)
at
weblogic.management.mbeans.custom.ApplicationManager.startConfigManager(Appl
icationManager.java:362)
at
weblogic.management.mbeans.custom.ApplicationManager.start(ApplicationManage
r.java:154)
at java.lang.reflect.Method.invoke(Native Method)
at
weblogic.management.internal.DynamicMBeanImpl.invokeLocally(DynamicMBeanImpl
.java:608)
at
weblogic.management.internal.DynamicMBeanImpl.invoke(DynamicMBeanImpl.java:5
92)
at
weblogic.management.internal.ConfigurationMBeanImpl.invoke(ConfigurationMBea
nImpl.java:352)
at
com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1555)
at
com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1523)
at
weblogic.management.internal.MBeanProxy.invoke(MBeanProxy.java:449)
at
weblogic.management.internal.MBeanProxy.invoke(MBeanProxy.java:190)
at $Proxy45.start(Unknown Source)
at
weblogic.management.configuration.ApplicationManagerMBean_CachingStub.start(
ApplicationManagerMBean_CachingStub.java:480)
at
weblogic.management.Admin.startApplicationManager(Admin.java:1151)
at weblogic.management.Admin.finish(Admin.java:570)
at weblogic.t3.srvr.T3Srvr.start(T3Srvr.java:506)
at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:203)
at weblogic.Server.main(Server.java:35)
Thanks,
Jed Zimmer

Selective authentication for a servlet?

Similar Messages

Maybe you are looking for